diff --git a/.gitignore b/.gitignore index 0792920a8baf..26986d60c19a 100644 --- a/.gitignore +++ b/.gitignore @@ -41,6 +41,9 @@ massif-* # Generated documentation: /apidoc +# PSA Crypto compliance test repo, cloned by test_psa_compliance.py +/psa-arch-tests + # Editor navigation files: /GPATH /GRTAGS diff --git a/.travis.yml b/.travis.yml index 39ae19c19099..cdb68ac42fc7 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,5 +1,7 @@ -language: c -compiler: gcc +# Declare python as our language. This way we get our chosen Python version, +# and pip is available. Gcc and clang are available anyway. +language: python +python: 3.5 sudo: false cache: ccache @@ -16,10 +18,6 @@ jobs: - libnewlib-arm-none-eabi - gcc-arm-linux-gnueabi - libc6-dev-armel-cross - language: python # Needed to get pip for Python 3 - python: 3.5 # version from Ubuntu 16.04 - install: - - pip install mypy==0.780 pylint==2.4.4 script: - tests/scripts/all.sh -k 'check_*' - tests/scripts/all.sh -k test_default_out_of_box @@ -32,11 +30,16 @@ jobs: - name: Windows os: windows + # The language 'python' is currently unsupported on the + # Windows Build Environment. And 'generic' causes the job to get stuck + # on "Booting virtual machine". + language: c before_install: - choco install python --version=3.5.4 env: # Add the directory where the Choco packages go - PATH=/c/Python35:/c/Python35/Scripts:$PATH + - PYTHON=python.exe script: - type perl; perl --version - type python; python --version @@ -53,6 +56,9 @@ env: - SEED=1 - secure: "FrI5d2s+ckckC17T66c8jm2jV6i2DkBPU5nyWzwbedjmEBeocREfQLd/x8yKpPzLDz7ghOvr+/GQvsPPn0dVkGlNzm3Q+hGHc/ujnASuUtGrcuMM+0ALnJ3k4rFr9xEvjJeWb4SmhJO5UCAZYvTItW4k7+bj9L+R6lt3TzQbXzg=" +install: + - $PYTHON scripts/min_requirements.py + addons: apt: packages: diff --git a/BRANCHES.md b/BRANCHES.md index a63f07034151..60218b099a3b 100644 --- a/BRANCHES.md +++ b/BRANCHES.md @@ -62,7 +62,7 @@ had to break ABI compatibility in an LTS branch, but we occasionally had to increase code size for a security fix.) For contributors, see the [Backwards Compatibility section of -CONTRIBUTING](CONTRIBUTING.md#cackwords-compatibility). +CONTRIBUTING](CONTRIBUTING.md#backwards-compatibility). ## Current Branches diff --git a/CMakeLists.txt b/CMakeLists.txt index 556e93a21f10..efa4dbcdf828 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -43,10 +43,15 @@ endif() set(MBEDTLS_DIR ${CMAKE_CURRENT_SOURCE_DIR}) option(ENABLE_PROGRAMS "Build mbed TLS programs." ON) -option(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL "Building TLS 1.3 stack." ON) +option(MBEDTLS_SSL_PROTO_TLS1_3 "Building TLS 1.3 stack." ON) option(UNSAFE_BUILD "Allow unsafe builds. These builds ARE NOT SECURE." OFF) option(MBEDTLS_FATAL_WARNINGS "Compiler warnings treated as errors" ON) +if(WIN32) + option(GEN_FILES "Generate the auto-generated files as needed" OFF) +else() + option(GEN_FILES "Generate the auto-generated files as needed" ON) +endif() string(REGEX MATCH "Clang" CMAKE_COMPILER_IS_CLANG "${CMAKE_C_COMPILER_ID}") string(REGEX MATCH "GNU" CMAKE_COMPILER_IS_GNU "${CMAKE_C_COMPILER_ID}") @@ -136,6 +141,22 @@ function(link_to_source base_name) endif() endfunction(link_to_source) +# Get the filename without the final extension (i.e. convert "a.b.c" to "a.b") +function(get_name_without_last_ext dest_var full_name) + # Split into a list on '.' (but a cmake list is just a ';'-separated string) + string(REPLACE "." ";" ext_parts "${full_name}") + # Remove the last item if there are more than one + list(LENGTH ext_parts ext_parts_len) + if (${ext_parts_len} GREATER "1") + math(EXPR ext_parts_last_item "${ext_parts_len} - 1") + list(REMOVE_AT ext_parts ${ext_parts_last_item}) + endif() + # Convert back to a string by replacing separators with '.' + string(REPLACE ";" "." no_ext_name "${ext_parts}") + # Copy into the desired variable + set(${dest_var} ${no_ext_name} PARENT_SCOPE) +endfunction(get_name_without_last_ext) + string(REGEX MATCH "Clang" CMAKE_COMPILER_IS_CLANG "${CMAKE_C_COMPILER_ID}") include(CheckCCompilerFlag) @@ -315,7 +336,7 @@ configure_package_config_file( write_basic_package_version_file( "cmake/MbedTLSConfigVersion.cmake" COMPATIBILITY SameMajorVersion - VERSION 3.0.0) + VERSION 3.1.0) install( FILES "${CMAKE_CURRENT_BINARY_DIR}/cmake/MbedTLSConfig.cmake" diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index b3a9547a5127..dcaa3603b93b 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -52,8 +52,7 @@ It would be highly appreciated if contributions are backported to LTS branches i The list of maintained branches can be found in the [Current Branches section of BRANCHES.md](BRANCHES.md#current-branches). -Currently maintained LTS branches are: -1. [mbedtls-2.7](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.7) +The only currently maintained LTS branch is: 1. [mbedtls-2.16](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.16) diff --git a/ChangeLog b/ChangeLog index ebf8a36add88..71ba44deb4a1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,184 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS 3.1.0 branch released 2021-12-17 + +API changes + * New error code for GCM: MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL. + Alternative GCM implementations are expected to verify + the length of the provided output buffers and to return the + MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL in case the buffer length is too small. + * You can configure groups for a TLS key exchange with the new function + mbedtls_ssl_conf_groups(). It extends mbedtls_ssl_conf_curves(). + * Declare a number of structure fields as public: the fields of + mbedtls_ecp_curve_info, the fields describing the result of ASN.1 and + X.509 parsing, and finally the field fd of mbedtls_net_context on + POSIX/Unix-like platforms. + +Requirement changes + * Sign-magnitude and one's complement representations for signed integers are + not supported. Two's complement is the only supported representation. + +New deprecations + * Deprecate mbedtls_ssl_conf_curves() in favor of the more generic + mbedtls_ssl_conf_groups(). + +Removals + * Remove the partial support for running unit tests via Greentea on Mbed OS, + which had been unmaintained since 2018. + +Features + * Enable support for Curve448 via the PSA API. Contributed by + Archana Madhavan in #4626. Fixes #3399 and #4249. + * The identifier of the CID TLS extension can be configured by defining + MBEDTLS_TLS_EXT_CID at compile time. + * Implement the PSA multipart AEAD interface, currently supporting + ChaChaPoly and GCM. + * Warn if errors from certain functions are ignored. This is currently + supported on GCC-like compilers and on MSVC and can be configured through + the macro MBEDTLS_CHECK_RETURN. The warnings are always enabled + (where supported) for critical functions where ignoring the return + value is almost always a bug. Enable the new configuration option + MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This + is currently implemented in the AES, DES and md modules, and will be + extended to other modules in the future. + * Add missing PSA macros declared by PSA Crypto API 1.0.0: + PSA_ALG_IS_SIGN_HASH, PSA_ALG_NONE, PSA_HASH_BLOCK_LENGTH, PSA_KEY_ID_NULL. + * Add support for CCM*-no-tag cipher to the PSA. + Currently only 13-byte long IV's are supported. + For decryption a minimum of 16-byte long input is expected. + These restrictions may be subject to change. + * Add new API mbedtls_ct_memcmp for constant time buffer comparison. + * Add functions to get the IV and block size from cipher_info structs. + * Add functions to check if a cipher supports variable IV or key size. + * Add the internal implementation of and support for CCM to the PSA multipart + AEAD interface. + * Mbed TLS provides a minimum viable implementation of the TLS 1.3 + protocol. See docs/architecture/tls13-support.md for the definition of + the TLS 1.3 Minimum Viable Product (MVP). The MBEDTLS_SSL_PROTO_TLS1_3 + configuration option controls the enablement of the support. The APIs + mbedtls_ssl_conf_min_version() and mbedtls_ssl_conf_max_version() allow + to select the 1.3 version of the protocol to establish a TLS connection. + * Add PSA API definition for ARIA. + +Security + * Zeroize several intermediate variables used to calculate the expected + value when verifying a MAC or AEAD tag. This hardens the library in + case the value leaks through a memory disclosure vulnerability. For + example, a memory disclosure vulnerability could have allowed a + man-in-the-middle to inject fake ciphertext into a DTLS connection. + * In psa_aead_generate_nonce(), do not read back from the output buffer. + This fixes a potential policy bypass or decryption oracle vulnerability + if the output buffer is in memory that is shared with an untrusted + application. + * In psa_cipher_generate_iv() and psa_cipher_encrypt(), do not read back + from the output buffer. This fixes a potential policy bypass or decryption + oracle vulnerability if the output buffer is in memory that is shared with + an untrusted application. + * Fix a double-free that happened after mbedtls_ssl_set_session() or + mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED + (out of memory). After that, calling mbedtls_ssl_session_free() + and mbedtls_ssl_free() would cause an internal session buffer to + be free()'d twice. + +Bugfix + * Stop using reserved identifiers as local variables. Fixes #4630. + * The GNU makefiles invoke python3 in preference to python except on Windows. + The check was accidentally not performed when cross-compiling for Windows + on Linux. Fix this. Fixes #4774. + * Prevent divide by zero if either of PSA_CIPHER_ENCRYPT_OUTPUT_SIZE() or + PSA_CIPHER_UPDATE_OUTPUT_SIZE() were called using an asymmetric key type. + * Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935. + * Don't use the obsolete header path sys/fcntl.h in unit tests. + These header files cause compilation errors in musl. + Fixes #4969. + * Fix missing constraints on x86_64 and aarch64 assembly code + for bignum multiplication that broke some bignum operations with + (at least) Clang 12. + Fixes #4116, #4786, #4917, #4962. + * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled. + * Failures of alternative implementations of AES or DES single-block + functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT, + MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored. + This does not concern the implementation provided with Mbed TLS, + where this function cannot fail, or full-module replacements with + MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092. + * Some failures of HMAC operations were ignored. These failures could only + happen with an alternative implementation of the underlying hash module. + * Fix the error returned by psa_generate_key() for a public key. Fixes #4551. + * Fix compile-time or run-time errors in PSA + AEAD functions when ChachaPoly is disabled. Fixes #5065. + * Remove PSA'a AEAD finish/verify output buffer limitation for GCM. + The requirement of minimum 15 bytes for output buffer in + psa_aead_finish() and psa_aead_verify() does not apply to the built-in + implementation of GCM. + * Move GCM's update output buffer length verification from PSA AEAD to + the built-in implementation of the GCM. + The requirement for output buffer size to be equal or greater then + input buffer size is valid only for the built-in implementation of GCM. + Alternative GCM implementations can process whole blocks only. + * Fix the build of sample programs when neither MBEDTLS_ERROR_C nor + MBEDTLS_ERROR_STRERROR_DUMMY is enabled. + * Fix PSA_ALG_RSA_PSS verification accepting an arbitrary salt length. + This algorithm now accepts only the same salt length for verification + that it produces when signing, as documented. Use the new algorithm + PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes #4946. + * The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved + for algorithm values that fully encode the hashing step, as per the PSA + Crypto API specification. This excludes PSA_ALG_RSA_PKCS1V15_SIGN_RAW and + PSA_ALG_ECDSA_ANY. The new predicate macro PSA_ALG_IS_SIGN_HASH covers + all algorithms that can be used with psa_{sign,verify}_hash(), including + these two. + * Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries + not to list other shared libraries they need. + * Fix a bug in mbedtls_gcm_starts() when the bit length of the iv + exceeds 2^32. Fixes #4884. + * Fix an uninitialized variable warning in test_suite_ssl.function with GCC + version 11. + * Fix the build when no SHA2 module is included. Fixes #4930. + * Fix the build when only the bignum module is included. Fixes #4929. + * Fix a potential invalid pointer dereference and infinite loop bugs in + pkcs12 functions when the password is empty. Fix the documentation to + better describe the inputs to these functions and their possible values. + Fixes #5136. + * The key usage flags PSA_KEY_USAGE_SIGN_MESSAGE now allows the MAC + operations psa_mac_compute() and psa_mac_sign_setup(). + * The key usage flags PSA_KEY_USAGE_VERIFY_MESSAGE now allows the MAC + operations psa_mac_verify() and psa_mac_verify_setup(). + +Changes + * Explicitly mark the fields mbedtls_ssl_session.exported and + mbedtls_ssl_config.respect_cli_pref as private. This was an + oversight during the run-up to the release of Mbed TLS 3.0. + The fields were never intended to be public. + * Implement multi-part CCM API. + The multi-part functions: mbedtls_ccm_starts(), mbedtls_ccm_set_lengths(), + mbedtls_ccm_update_ad(), mbedtls_ccm_update(), mbedtls_ccm_finish() + were introduced in mbedTLS 3.0 release, however their implementation was + postponed until now. + Implemented functions support chunked data input for both CCM and CCM* + algorithms. + * Remove MBEDTLS_SSL_EXPORT_KEYS, making it always on and increasing the + code size by about 80B on an M0 build. This option only gated an ability + to set a callback, but was deemed unnecessary as it was yet another define + to remember when writing tests, or test configurations. Fixes #4653. + * Improve the performance of base64 constant-flow code. The result is still + slower than the original non-constant-flow implementation, but much faster + than the previous constant-flow implementation. Fixes #4814. + * Ignore plaintext/ciphertext lengths for CCM*-no-tag operations. + For CCM* encryption/decryption without authentication, input + length will be ignored. + * Indicate in the error returned if the nonce length used with + ChaCha20-Poly1305 is invalid, and not just unsupported. + * The mbedcrypto library includes a new source code module constant_time.c, + containing various functions meant to resist timing side channel attacks. + This module does not have a separate configuration option, and functions + from this module will be included in the build as required. Currently + most of the interface of this module is private and may change at any + time. + * The generated configuration-independent files are now automatically + generated by the CMake build system on Unix-like systems. This is not + yet supported when cross-compiling. + = Mbed TLS 3.0.0 branch released 2021-07-07 API changes diff --git a/ChangeLog.d/add_psa_m_aead.txt b/ChangeLog.d/add_psa_m_aead.txt deleted file mode 100644 index fa4e7ac61b30..000000000000 --- a/ChangeLog.d/add_psa_m_aead.txt +++ /dev/null @@ -1,3 +0,0 @@ -Features - * Implement the PSA multipart AEAD interface, currently supporting - ChaChaPoly and GCM. diff --git a/ChangeLog.d/base64-ranges.txt b/ChangeLog.d/base64-ranges.txt deleted file mode 100644 index e3f3862bfb18..000000000000 --- a/ChangeLog.d/base64-ranges.txt +++ /dev/null @@ -1,4 +0,0 @@ -Changes - * Improve the performance of base64 constant-flow code. The result is still - slower than the original non-constant-flow implementation, but much faster - than the previous constant-flow implementation. Fixes #4814. diff --git a/ChangeLog.d/check-return.txt b/ChangeLog.d/check-return.txt deleted file mode 100644 index 045b1805ec2d..000000000000 --- a/ChangeLog.d/check-return.txt +++ /dev/null @@ -1,17 +0,0 @@ -Bugfix - * Failures of alternative implementations of AES or DES single-block - functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT, - MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored. - This does not concern the implementation provided with Mbed TLS, - where this function cannot fail, or full-module replacements with - MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092. - -Features - * Warn if errors from certain functions are ignored. This is currently - supported on GCC-like compilers and on MSVC and can be configured through - the macro MBEDTLS_CHECK_RETURN. The warnings are always enabled - (where supported) for critical functions where ignoring the return - value is almost always a bug. Enable the new configuration option - MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This - is currently implemented in the AES and DES modules, and will be extended - to other modules in the future. diff --git a/ChangeLog.d/chunked_ccm.txt b/ChangeLog.d/chunked_ccm.txt deleted file mode 100644 index 67faecca5e9c..000000000000 --- a/ChangeLog.d/chunked_ccm.txt +++ /dev/null @@ -1,8 +0,0 @@ -Changes - * Implement multi-part CCM API. - The multi-part functions: mbedtls_ccm_starts(), mbedtls_ccm_set_lengths(), - mbedtls_ccm_update_ad(), mbedtls_ccm_update(), mbedtls_ccm_finish() - were introduced in mbedTLS 3.0 release, however their implementation was - postponed until now. - Implemented functions support chunked data input for both CCM and CCM* - algorithms. diff --git a/ChangeLog.d/do-not-use-obsolete-header.txt b/ChangeLog.d/do-not-use-obsolete-header.txt deleted file mode 100644 index 9a57ef16b24e..000000000000 --- a/ChangeLog.d/do-not-use-obsolete-header.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Don't use the obsolete header path sys/fcntl.h in unit tests. - These header files cause compilation errors in musl. - Fixes #4969. - diff --git a/ChangeLog.d/fix-cipher-output-size-macros.txt b/ChangeLog.d/fix-cipher-output-size-macros.txt deleted file mode 100644 index 4a4b971c83b5..000000000000 --- a/ChangeLog.d/fix-cipher-output-size-macros.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Prevent divide by zero if either of PSA_CIPHER_ENCRYPT_OUTPUT_SIZE() or - PSA_CIPHER_UPDATE_OUTPUT_SIZE() were called using an asymmetric key type. - diff --git a/ChangeLog.d/fix-mbedtls_cipher_crypt-aes-ecb.txt b/ChangeLog.d/fix-mbedtls_cipher_crypt-aes-ecb.txt deleted file mode 100644 index 6dc47244fed2..000000000000 --- a/ChangeLog.d/fix-mbedtls_cipher_crypt-aes-ecb.txt +++ /dev/null @@ -1,2 +0,0 @@ -Bugfix - * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled. diff --git a/ChangeLog.d/fix-psa_gen_key-status.txt b/ChangeLog.d/fix-psa_gen_key-status.txt deleted file mode 100644 index 78609882f9e3..000000000000 --- a/ChangeLog.d/fix-psa_gen_key-status.txt +++ /dev/null @@ -1,2 +0,0 @@ -Bugfix - * Fix the error returned by psa_generate_key() for a public key. Fixes #4551. diff --git a/ChangeLog.d/issue4630.txt b/ChangeLog.d/issue4630.txt deleted file mode 100644 index 0bc4b99e5920..000000000000 --- a/ChangeLog.d/issue4630.txt +++ /dev/null @@ -1,2 +0,0 @@ -Bugfix - * Stop using reserved identifiers as local variables. Fixes #4630. diff --git a/ChangeLog.d/issue5065.txt b/ChangeLog.d/issue5065.txt deleted file mode 100644 index 943ee47d91e3..000000000000 --- a/ChangeLog.d/issue5065.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix compile-time or run-time errors in PSA - AEAD functions when ChachaPoly is disabled. Fixes #5065. diff --git a/ChangeLog.d/makefile-python-windows.txt b/ChangeLog.d/makefile-python-windows.txt deleted file mode 100644 index 57ccc1a39a55..000000000000 --- a/ChangeLog.d/makefile-python-windows.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * The GNU makefiles invoke python3 in preference to python except on Windows. - The check was accidentally not performed when cross-compiling for Windows - on Linux. Fix this. Fixes #4774. diff --git a/ChangeLog.d/muladdc-memory.txt b/ChangeLog.d/muladdc-memory.txt deleted file mode 100644 index 218be5a60544..000000000000 --- a/ChangeLog.d/muladdc-memory.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Fix missing constraints on x86_64 and aarch64 assembly code - for bignum multiplication that broke some bignum operations with - (at least) Clang 12. - Fixes #4116, #4786, #4917, #4962. diff --git a/ChangeLog.d/no-strerror.txt b/ChangeLog.d/no-strerror.txt deleted file mode 100644 index 69743a871570..000000000000 --- a/ChangeLog.d/no-strerror.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix the build of sample programs when neither MBEDTLS_ERROR_C nor - MBEDTLS_ERROR_STRERROR_DUMMY is enabled. diff --git a/ChangeLog.d/psa_cipher_update_ecp.txt b/ChangeLog.d/psa_cipher_update_ecp.txt deleted file mode 100644 index 1c3fbc6b18b2..000000000000 --- a/ChangeLog.d/psa_cipher_update_ecp.txt +++ /dev/null @@ -1,2 +0,0 @@ -Bugfix - * Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935. diff --git a/ChangeLog.d/psa_curve448_key_support.txt b/ChangeLog.d/psa_curve448_key_support.txt deleted file mode 100644 index d1870ed1d05b..000000000000 --- a/ChangeLog.d/psa_curve448_key_support.txt +++ /dev/null @@ -1,3 +0,0 @@ -Features - * Enable support for Curve448 via the PSA API. Contributed by - Archana Madhavan in #4626. Fixes #3399 and #4249. diff --git a/ChangeLog.d/psa_gcm_buffer_limitation.txt b/ChangeLog.d/psa_gcm_buffer_limitation.txt deleted file mode 100644 index 0c07e2415405..000000000000 --- a/ChangeLog.d/psa_gcm_buffer_limitation.txt +++ /dev/null @@ -1,16 +0,0 @@ -Bugfix - * Remove PSA'a AEAD finish/verify output buffer limitation for GCM. - The requirement of minimum 15 bytes for output buffer in - psa_aead_finish() and psa_aead_verify() does not apply to the built-in - implementation of GCM. - * Move GCM's update output buffer length verification from PSA AEAD to - the built-in implementation of the GCM. - The requirement for output buffer size to be equal or greater then - input buffer size is valid only for the built-in implementation of GCM. - Alternative GCM implementations can process whole blocks only. - -API changes - * New error code for GCM: MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL. - Alternative GCM implementations are expected to verify - the length of the provided output buffers and to return the - MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL in case the buffer length is too small. diff --git a/ChangeLog.d/remove-ssl-export-keys.txt b/ChangeLog.d/remove-ssl-export-keys.txt deleted file mode 100644 index 1a4b31dcaad1..000000000000 --- a/ChangeLog.d/remove-ssl-export-keys.txt +++ /dev/null @@ -1,5 +0,0 @@ -Changes - * Remove MBEDTLS_SSL_EXPORT_KEYS, making it always on and increasing the - code size by about 80B on an M0 build. This option only gated an ability - to set a callback, but was deemed unnecessary as it was yet another define - to remember when writing tests, or test configurations. Fixes #4653. diff --git a/ChangeLog.d/session_export_private.txt b/ChangeLog.d/session_export_private.txt deleted file mode 100644 index 5475824181fc..000000000000 --- a/ChangeLog.d/session_export_private.txt +++ /dev/null @@ -1,5 +0,0 @@ -Changes - * Explicitly mark the fields mbedtls_ssl_session.exported and - mbedtls_ssl_config.respect_cli_pref as private. This was an - oversight during the run-up to the release of Mbed TLS 3.0. - The fields were never intended to be public. diff --git a/ChangeLog.d/tls_ext_cid-config.txt b/ChangeLog.d/tls_ext_cid-config.txt deleted file mode 100644 index b7b1e72443e2..000000000000 --- a/ChangeLog.d/tls_ext_cid-config.txt +++ /dev/null @@ -1,3 +0,0 @@ -Features - * The identifier of the CID TLS extension can be configured by defining - MBEDTLS_TLS_EXT_CID at compile time. diff --git a/Makefile b/Makefile index 6e1012a0ab16..0e313d8a82bd 100644 --- a/Makefile +++ b/Makefile @@ -1,8 +1,8 @@ DESTDIR=/usr/local PREFIX=mbedtls_ PERL ?= perl -MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL=y -export MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +MBEDTLS_SSL_PROTO_TLS1_3=y +export MBEDTLS_SSL_PROTO_TLS1_3 .SILENT: diff --git a/docs/.gitignore b/docs/.gitignore index 33ae5acf64c3..23f832b734c1 100644 --- a/docs/.gitignore +++ b/docs/.gitignore @@ -1,3 +1,2 @@ *.html *.pdf -!PSACryptoDriverModelSpec.pdf diff --git a/docs/PSACryptoDriverModelSpec.pdf b/docs/PSACryptoDriverModelSpec.pdf deleted file mode 100644 index cf11380e8401..000000000000 Binary files a/docs/PSACryptoDriverModelSpec.pdf and /dev/null differ diff --git a/docs/architecture/tls13-experimental.md b/docs/architecture/tls13-support.md similarity index 85% rename from docs/architecture/tls13-experimental.md rename to docs/architecture/tls13-support.md index 88d0b73ddcbc..9e9aad3db831 100644 --- a/docs/architecture/tls13-experimental.md +++ b/docs/architecture/tls13-support.md @@ -1,71 +1,19 @@ -TLS 1.3 Experimental Developments -================================= +TLS 1.3 support +=============== Overview -------- -Mbed TLS doesn't support the TLS 1.3 protocol yet, but a prototype is in development. -Stable parts of this prototype that can be independently tested are being successively -upstreamed under the guard of the following macro: +Mbed TLS provides a minimum viable implementation of the TLS 1.3 protocol +defined in the "MVP definition" section below. The TLS 1.3 support enablement +is controlled by the MBEDTLS_SSL_PROTO_TLS1_3 configuration option. -``` -MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL -``` - -This macro will likely be renamed to `MBEDTLS_SSL_PROTO_TLS1_3` once a minimal viable -implementation of the TLS 1.3 protocol is available. - -See the [documentation of `MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL`](../../include/mbedtls/mbedtls_config.h) -for more information. - -Status ------- - -The following lists which parts of the TLS 1.3 prototype have already been upstreamed -together with their level of testing: - -* TLS 1.3 record protection mechanisms - - The record protection routines `mbedtls_ssl_{encrypt|decrypt}_buf()` have been extended - to support the modified TLS 1.3 record protection mechanism, including modified computation - of AAD, IV, and the introduction of a flexible padding. - - Those record protection routines have unit tests in `test_suite_ssl` alongside the - tests for the other record protection routines. - - TODO: Add some test vectors from RFC 8448. - -- The HKDF key derivation function on which the TLS 1.3 key schedule is based, - is already present as an independent module controlled by `MBEDTLS_HKDF_C` - independently of the development of the TLS 1.3 prototype. - -- The TLS 1.3-specific HKDF-based key derivation functions (see RFC 8446): - * HKDF-Expand-Label - * Derive-Secret - - Secret evolution - * The traffic {Key,IV} generation from secret - Those functions are implemented in `library/ssl_tls13_keys.c` and - tested in `test_suite_ssl` using test vectors from RFC 8448 and - https://tls13.ulfheim.net/. - -- New TLS Message Processing Stack (MPS) - - The TLS 1.3 prototype is developed alongside a rewrite of the TLS messaging layer, - encompassing low-level details such as record parsing, handshake reassembly, and - DTLS retransmission state machine. - - MPS has the following components: - - Layer 1 (Datagram handling) - - Layer 2 (Record handling) - - Layer 3 (Message handling) - - Layer 4 (Retransmission State Machine) - - Reader (Abstracted pointer arithmetic and reassembly logic for incoming data) - - Writer (Abstracted pointer arithmetic and fragmentation logic for outgoing data) - - Of those components, the following have been upstreamed - as part of `MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL`: - - - Reader ([`library/mps_reader.h`](../../library/mps_reader.h)) +The development of the TLS 1.3 protocol is based on the TLS 1.3 prototype +located at https://github.com/hannestschofenig/mbedtls. The prototype is +itself based on a version of the development branch that we aim to keep as +recent as possible (ideally the head) by merging regularly commits of the +development branch into the prototype. The section "Prototype upstreaming +status" below describes what remains to be upstreamed. MVP definition @@ -133,17 +81,23 @@ MVP definition (1) This is just for comparison. - (2) The MVP sends one shared secret corresponding to the configured preferred - group. The preferred group is the group of the first curve in the list of - allowed curves as defined by the configuration. The allowed curves are - by default ordered as follow: `secp256r1`, `x25519`, `secp384r1` - and finally `secp521r1`. This default order is aligned with the - list of mandatory-to-implement groups (in absence of an application - profile standard specifying otherwise) defined in section 9.1 of the - specification. The list of allowed curves can be changed through the - `mbedtls_ssl_conf_curves()` API. - - (3) The MVP proposes only TLS 1.3 and does not support version negociation. + (2) The MVP sends only one shared secret corresponding to the configured + preferred group. This could end up with connection failure if the + server does not support our preferred curve, as the MVP does not implement + HelloRetryRequest. The preferred group is the group of the first curve in + the list of allowed curves as defined by the configuration. The allowed + curves are by default ordered as follows: `x25519`, `secp256r1`, + `secp384r1` and finally `secp521r1`. Note that, in the absence of an + application profile standard specifying otherwise, section 9.1 of the + specification rather promotes curve `secp256r1` to be supported over + curve `x25519`. The MVP would, however, rather keep the preference order + currently promoted by Mbed TLS as this applies to TLS 1.2 as well, and + changing the order only for TLS1.3 would be potentially difficult. + In the unlikely event a server does not support curve `x25519` but does + support curve `secp256r1`, curve `secp256r1` can be set as the preferred + curve through the `mbedtls_ssl_conf_curves()` API. + + (3) The MVP proposes only TLS 1.3 and does not support version negotiation. Out-of-protocol fallback is supported though if the Mbed TLS library has been built to support both TLS 1.3 and TLS 1.2: just set the maximum of the minor version of the SSL configuration to @@ -212,7 +166,7 @@ MVP definition (1) Some support has already been upstreamed but it is incomplete. (2) Key exchange configuration options for TLS 1.3 will likely to be organized around the notion of key exchange mode along the line - of the MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_NONE/PSK/PSK_EPHEMERAL/EPHEMERAL + of the MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE/PSK/PSK_EPHEMERAL/EPHEMERAL runtime configuration macros. - Quality considerations @@ -225,6 +179,41 @@ MVP definition response to the MVP ClientHello, server sending a CertificateRequest message ... + +Prototype upstreaming status +---------------------------- + +The following summarizes which parts of the TLS 1.3 prototype remain to be +upstreamed: + +- Ephemeral only handshake on client side: client authentication, + HelloRetryRequest support, version negotiation. + +- Ephemeral only handshake server side. + +- Pre-shared keys, session resumption and 0-RTT data (both client and server + side). + +- New TLS Message Processing Stack (MPS) + + The TLS 1.3 prototype is developed alongside a rewrite of the TLS messaging layer, + encompassing low-level details such as record parsing, handshake reassembly, and + DTLS retransmission state machine. + + MPS has the following components: + - Layer 1 (Datagram handling) + - Layer 2 (Record handling) + - Layer 3 (Message handling) + - Layer 4 (Retransmission State Machine) + - Reader (Abstracted pointer arithmetic and reassembly logic for incoming data) + - Writer (Abstracted pointer arithmetic and fragmentation logic for outgoing data) + + Of those components, the following have been upstreamed + as part of `MBEDTLS_SSL_PROTO_TLS1_3`: + + - Reader ([`library/mps_reader.h`](../../library/mps_reader.h)) + + Coding rules checklist for TLS 1.3 ---------------------------------- diff --git a/docs/getting_started.md b/docs/getting_started.md index 70c5ff442bb0..fdbf0e9bae1a 100644 --- a/docs/getting_started.md +++ b/docs/getting_started.md @@ -76,7 +76,7 @@ void import_a_key(const uint8_t *key, size_t key_len) { psa_status_t status; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_key_id_t key; + psa_key_id_t key_id; printf("Import an AES key...\t"); fflush(stdout); @@ -95,7 +95,7 @@ void import_a_key(const uint8_t *key, size_t key_len) psa_set_key_bits(&attributes, 128); /* Import the key */ - status = psa_import_key(&attributes, key, key_len, &key); + status = psa_import_key(&attributes, key, key_len, &key_id); if (status != PSA_SUCCESS) { printf("Failed to import key\n"); return; @@ -106,7 +106,7 @@ void import_a_key(const uint8_t *key, size_t key_len) psa_reset_key_attributes(&attributes); /* Destroy the key */ - psa_destroy_key(key); + psa_destroy_key(key_id); mbedtls_psa_crypto_free(); } @@ -135,7 +135,7 @@ void sign_a_message_using_rsa(const uint8_t *key, size_t key_len) 0xa9, 0xe8, 0xcc, 0xac, 0xd0, 0xf6, 0x54, 0x5c}; uint8_t signature[PSA_SIGNATURE_MAX_SIZE] = {0}; size_t signature_length; - psa_key_id_t key; + psa_key_id_t key_id; printf("Sign a message...\t"); fflush(stdout); @@ -154,14 +154,14 @@ void sign_a_message_using_rsa(const uint8_t *key, size_t key_len) psa_set_key_bits(&attributes, 1024); /* Import the key */ - status = psa_import_key(&attributes, key, key_len, &key); + status = psa_import_key(&attributes, key, key_len, &key_id); if (status != PSA_SUCCESS) { printf("Failed to import key\n"); return; } /* Sign message using the key */ - status = psa_sign_hash(key, PSA_ALG_RSA_PKCS1V15_SIGN_RAW, + status = psa_sign_hash(key_id, PSA_ALG_RSA_PKCS1V15_SIGN_RAW, hash, sizeof(hash), signature, sizeof(signature), &signature_length); @@ -176,7 +176,7 @@ void sign_a_message_using_rsa(const uint8_t *key, size_t key_len) psa_reset_key_attributes(&attributes); /* Destroy the key */ - psa_destroy_key(key); + psa_destroy_key(key_id); mbedtls_psa_crypto_free(); } @@ -213,7 +213,7 @@ void encrypt_with_symmetric_ciphers(const uint8_t *key, size_t key_len) size_t iv_len; uint8_t output[block_size]; size_t output_len; - psa_key_id_t key; + psa_key_id_t key_id; psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; printf("Encrypt with cipher...\t"); @@ -232,7 +232,7 @@ void encrypt_with_symmetric_ciphers(const uint8_t *key, size_t key_len) psa_set_key_algorithm(&attributes, alg); psa_set_key_type(&attributes, PSA_KEY_TYPE_AES); psa_set_key_bits(&attributes, 128); - status = psa_import_key(&attributes, key, key_len, &key); + status = psa_import_key(&attributes, key, key_len, &key_id); if (status != PSA_SUCCESS) { printf("Failed to import a key\n"); return; @@ -240,7 +240,7 @@ void encrypt_with_symmetric_ciphers(const uint8_t *key, size_t key_len) psa_reset_key_attributes(&attributes); /* Encrypt the plaintext */ - status = psa_cipher_encrypt_setup(&operation, key, alg); + status = psa_cipher_encrypt_setup(&operation, key_id, alg); if (status != PSA_SUCCESS) { printf("Failed to begin cipher operation\n"); return; @@ -268,7 +268,7 @@ void encrypt_with_symmetric_ciphers(const uint8_t *key, size_t key_len) psa_cipher_abort(&operation); /* Destroy the key */ - psa_destroy_key(key); + psa_destroy_key(key_id); mbedtls_psa_crypto_free(); } @@ -298,7 +298,7 @@ void decrypt_with_symmetric_ciphers(const uint8_t *key, size_t key_len) uint8_t iv[block_size] = ENCRYPTED_WITH_IV; uint8_t output[block_size]; size_t output_len; - psa_key_id_t key; + psa_key_id_t key_id; printf("Decrypt with cipher...\t"); fflush(stdout); @@ -316,7 +316,7 @@ void decrypt_with_symmetric_ciphers(const uint8_t *key, size_t key_len) psa_set_key_algorithm(&attributes, alg); psa_set_key_type(&attributes, PSA_KEY_TYPE_AES); psa_set_key_bits(&attributes, 128); - status = psa_import_key(&attributes, key, key_len, &key); + status = psa_import_key(&attributes, key, key_len, &key_id); if (status != PSA_SUCCESS) { printf("Failed to import a key\n"); return; @@ -324,7 +324,7 @@ void decrypt_with_symmetric_ciphers(const uint8_t *key, size_t key_len) psa_reset_key_attributes(&attributes); /* Decrypt the ciphertext */ - status = psa_cipher_decrypt_setup(&operation, key, alg); + status = psa_cipher_decrypt_setup(&operation, key_id, alg); if (status != PSA_SUCCESS) { printf("Failed to begin cipher operation\n"); return; @@ -352,7 +352,7 @@ void decrypt_with_symmetric_ciphers(const uint8_t *key, size_t key_len) psa_cipher_abort(&operation); /* Destroy the key */ - psa_destroy_key(key); + psa_destroy_key(key_id); mbedtls_psa_crypto_free(); } @@ -702,7 +702,7 @@ This example shows how to authenticate and encrypt a message: size_t output_length = 0; size_t tag_length = 16; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_key_id_t key; + psa_key_id_t key_id; printf("Authenticate encrypt...\t"); fflush(stdout); @@ -726,11 +726,11 @@ This example shows how to authenticate and encrypt a message: psa_set_key_algorithm(&attributes, PSA_ALG_CCM); psa_set_key_type(&attributes, PSA_KEY_TYPE_AES); psa_set_key_bits(&attributes, 128); - status = psa_import_key(&attributes, key, sizeof(key), &key); + status = psa_import_key(&attributes, key, sizeof(key), &key_id); psa_reset_key_attributes(&attributes); /* Authenticate and encrypt */ - status = psa_aead_encrypt(key, PSA_ALG_CCM, + status = psa_aead_encrypt(key_id, PSA_ALG_CCM, nonce, sizeof(nonce), additional_data, sizeof(additional_data), input_data, sizeof(input_data), @@ -747,7 +747,7 @@ This example shows how to authenticate and encrypt a message: free(output_data); /* Destroy the key */ - psa_destroy_key(key); + psa_destroy_key(key_id); mbedtls_psa_crypto_free(); ``` @@ -773,7 +773,7 @@ This example shows how to authenticate and decrypt a message: size_t output_size = 0; size_t output_length = 0; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_key_id_t key; + psa_key_id_t key_id; printf("Authenticate decrypt...\t"); fflush(stdout); @@ -797,7 +797,7 @@ This example shows how to authenticate and decrypt a message: psa_set_key_algorithm(&attributes, PSA_ALG_CCM); psa_set_key_type(&attributes, PSA_KEY_TYPE_AES); psa_set_key_bits(&attributes, 128); - status = psa_import_key(&attributes, key_data, sizeof(key_data), &key); + status = psa_import_key(&attributes, key_data, sizeof(key_data), &key_id); if (status != PSA_SUCCESS) { printf("Failed to import a key\n"); return; @@ -805,7 +805,7 @@ This example shows how to authenticate and decrypt a message: psa_reset_key_attributes(&attributes); /* Authenticate and decrypt */ - status = psa_aead_decrypt(key, PSA_ALG_CCM, + status = psa_aead_decrypt(key_id, PSA_ALG_CCM, nonce, sizeof(nonce), additional_data, sizeof(additional_data), input_data, sizeof(input_data), @@ -822,7 +822,7 @@ This example shows how to authenticate and decrypt a message: free(output_data); /* Destroy the key */ - psa_destroy_key(key); + psa_destroy_key(key_id); mbedtls_psa_crypto_free(); ``` @@ -848,7 +848,7 @@ Mbed Crypto provides a simple way to generate a key or key pair. size_t exported_length = 0; static uint8_t exported[PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits)]; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_key_id_t key; + psa_key_id_t key_id; printf("Generate a key pair...\t"); fflush(stdout); @@ -867,14 +867,14 @@ Mbed Crypto provides a simple way to generate a key or key pair. psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)); psa_set_key_bits(&attributes, key_bits); - status = psa_generate_key(&attributes, &key); + status = psa_generate_key(&attributes, &key_id); if (status != PSA_SUCCESS) { printf("Failed to generate key\n"); return; } psa_reset_key_attributes(&attributes); - status = psa_export_public_key(key, exported, sizeof(exported), + status = psa_export_public_key(key_id, exported, sizeof(exported), &exported_length); if (status != PSA_SUCCESS) { printf("Failed to export public key %ld\n", status); @@ -884,7 +884,7 @@ Mbed Crypto provides a simple way to generate a key or key pair. printf("Exported a public key\n"); /* Destroy the key */ - psa_destroy_key(key); + psa_destroy_key(key_id); mbedtls_psa_crypto_free(); ``` diff --git a/docs/use-psa-crypto.md b/docs/use-psa-crypto.md index 6ec2dcaa1b85..4a78e47e7e99 100644 --- a/docs/use-psa-crypto.md +++ b/docs/use-psa-crypto.md @@ -12,9 +12,8 @@ Compile-time: enabling `MBEDTLS_USE_PSA_CRYPTO` requires `MBEDTLS_ECP_RESTARTABLE` and `MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER` to be disabled. -Effect: `MBEDTLS_USE_PSA_CRYPTO` currently has no effect on TLS 1.3 (which is -itself experimental and only partially supported so far): TLS 1.3 always uses -the legacy APIs even when this option is set. +Effect: `MBEDTLS_USE_PSA_CRYPTO` has no effect on TLS 1.3 for which PSA +cryptography is mandatory. Stability: any API that's only available when `MBEDTLS_USE_PSA_CRYPTO` is defined is considered experimental and may change in incompatible ways at any @@ -157,11 +156,6 @@ Parts that are not covered yet This is only a high-level overview, grouped by theme -TLS: 1.3 experimental support ------------------------------ - -No part of the experimental support for TLS 1.3 is covered at the moment. - TLS: key exchanges / asymmetric crypto -------------------------------------- diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h index 4ff18a37ce28..1c2be1a46a33 100644 --- a/doxygen/input/doc_mainpage.h +++ b/doxygen/input/doc_mainpage.h @@ -22,7 +22,7 @@ */ /** - * @mainpage mbed TLS v3.0.0 source code documentation + * @mainpage mbed TLS v3.1.0 source code documentation * * This documentation describes the internal structure of mbed TLS. It was * automatically generated from specially formatted comment blocks in diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile index 7a214c994e04..ea7afca31646 100644 --- a/doxygen/mbedtls.doxyfile +++ b/doxygen/mbedtls.doxyfile @@ -28,7 +28,7 @@ DOXYFILE_ENCODING = UTF-8 # identify the project. Note that if you do not use Doxywizard you need # to put quotes around the project name if it contains spaces. -PROJECT_NAME = "mbed TLS v3.0.0" +PROJECT_NAME = "mbed TLS v3.1.0" # The PROJECT_NUMBER tag can be used to enter a project or revision number. # This could be handy for archiving the generated documentation or diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h index becbfae1d9c1..e381c118384f 100644 --- a/include/mbedtls/aes.h +++ b/include/mbedtls/aes.h @@ -511,10 +511,6 @@ int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx, * \brief This function performs an AES-CTR encryption or decryption * operation. * - * This function performs the operation defined in the \p mode - * parameter (encrypt/decrypt), on the input data buffer - * defined in the \p input parameter. - * * Due to the nature of CTR, you must use the same key schedule * for both encryption and decryption operations. Therefore, you * must use the context initialized with mbedtls_aes_setkey_enc() diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h index 23f85ba01e28..cef6566c3f5c 100644 --- a/include/mbedtls/build_info.h +++ b/include/mbedtls/build_info.h @@ -37,7 +37,7 @@ * Major, Minor, Patchlevel */ #define MBEDTLS_VERSION_MAJOR 3 -#define MBEDTLS_VERSION_MINOR 0 +#define MBEDTLS_VERSION_MINOR 1 #define MBEDTLS_VERSION_PATCH 0 /** @@ -45,9 +45,9 @@ * MMNNPP00 * Major version | Minor version | Patch version */ -#define MBEDTLS_VERSION_NUMBER 0x03000000 -#define MBEDTLS_VERSION_STRING "3.0.0" -#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 3.0.0" +#define MBEDTLS_VERSION_NUMBER 0x03010000 +#define MBEDTLS_VERSION_STRING "3.1.0" +#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 3.1.0" #if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE) #define _CRT_SECURE_NO_DEPRECATE 1 diff --git a/include/mbedtls/ccm.h b/include/mbedtls/ccm.h index 6f991fefbdf4..1be1689df178 100644 --- a/include/mbedtls/ccm.h +++ b/include/mbedtls/ccm.h @@ -198,6 +198,7 @@ int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length, * \param ctx The CCM context to use for encryption. This must be * initialized and bound to a key. * \param length The length of the input data in Bytes. + * For tag length = 0, input length is ignored. * \param iv The initialization vector (nonce). This must be a readable * buffer of at least \p iv_len Bytes. * \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12, @@ -279,6 +280,7 @@ int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length, * \param ctx The CCM context to use for decryption. This must be * initialized and bound to a key. * \param length The length of the input data in Bytes. + * For tag length = 0, input length is ignored. * \param iv The initialization vector (nonce). This must be a readable * buffer of at least \p iv_len Bytes. * \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12, diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 125e45ab7a09..e39b51c63e4d 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -598,9 +598,16 @@ #error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites" #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && ( !defined(MBEDTLS_HKDF_C) && \ - !defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA512_C) ) -#error "MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL defined, but not all prerequisites" +/* + * HKDF is mandatory for TLS 1.3. + * Otherwise support for at least one ciphersuite mandates either SHA_256 or + * SHA_384. + */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ + ( ( !defined(MBEDTLS_HKDF_C) ) || \ + ( !defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA384_C) ) || \ + ( !defined(MBEDTLS_PSA_CRYPTO_C) ) ) +#error "MBEDTLS_SSL_PROTO_TLS1_3 defined, but not all prerequisites" #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ @@ -637,7 +644,7 @@ #error "MBEDTLS_SSL_SRV_C defined, but not all prerequisites" #endif -#if defined(MBEDTLS_SSL_TLS_C) && !defined(MBEDTLS_SSL_PROTO_TLS1_2) && !defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_TLS_C) && !defined(MBEDTLS_SSL_PROTO_TLS1_2) && !defined(MBEDTLS_SSL_PROTO_TLS1_3) #error "MBEDTLS_SSL_TLS_C defined, but no protocols are active" #endif @@ -771,16 +778,16 @@ #error "MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH defined, but not all prerequisites" #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \ - defined(MBEDTLS_ZERO_RTT) && \ - ( !defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ + defined(MBEDTLS_ZERO_RTT) && \ + ( !defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) ) #error "ZeroRTT requires MBEDTLS_ZERO_RTT and MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED to be defined." #endif -#if defined(MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE) && \ - !defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) -#error "MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE defined, but not all prerequesites." +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) && \ + !defined(MBEDTLS_SSL_PROTO_TLS1_3) +#error "MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE defined, but not all prerequesites." #endif /* @@ -797,17 +804,17 @@ */ /* Encrypt-then-Mac extension is not applicable to TLS 1.3 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) #error "Encrypt-then-Mac extension is not applicable to TLS 1.3" #endif /* Key derivation works differently in TLS 1.3 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) #error "Extended master secret extension is not applicable to TLS 1.3" #endif /* Secure renegotiation support in TLS 1.3 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && defined(MBEDTLS_SSL_RENEGOTIATION) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_RENEGOTIATION) #error "Renegotiation is not supported in TLS 1.3" #endif @@ -815,13 +822,13 @@ * Hence, when TLS 1.3 is used then MBEDTLS_SSL_SESSION_TICKETS cannot be enabled. * */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) #error "RFC 5077 is not supported with TLS 1.3" #endif /* JPAKE extension does not work with TLS 1.3 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && defined(MBEDTLS_ECJPAKE_C) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_ECJPAKE_C) #error " JPAKE extension does not work with TLS 1.3" #endif @@ -829,7 +836,7 @@ /* The following C processor directives are not applicable to TLS 1.3 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) #error "No ECDH-ECDSA ciphersuite available in TLS 1.3" #endif @@ -837,31 +844,31 @@ /* The following functionality is not yet supported with this TLS 1.3 implementation. */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)) #error "RSA-based ciphersuites not supported with this TLS 1.3 implementation" #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK) #error "DHE-PSK-based ciphersuites not supported with this TLS 1.3 implementation" #endif /* Caching in TLS 1.3 works differently than in TLS 1.2 * Hence, SSL Cache MUST NOT be enabled. */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && defined(MBEDTLS_SSL_CACHE_C) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_CACHE_C) #error "SSL Caching not supported with TLS 1.3" #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && defined(MBEDTLS_SSL_NEW_SESSION_TICKET) && defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_NEW_SESSION_TICKET) && defined(MBEDTLS_SSL_SESSION_TICKETS) #error "The new session ticket concept is only available with TLS 1.3 and is not compatible with RFC 5077-style session tickets." #endif /* Either SHA-256 or SHA-512 must be enabled. * */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && ( !defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA512_C) ) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && ( !defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA512_C) ) #error "With TLS 1.3 SHA-256 and/or SHA-384 must be enabled" #endif @@ -869,7 +876,7 @@ #error "MBEDTLS_PSK_MAX_LEN needs to be set to 48 bytes" #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && !defined(MBEDTLS_HKDF_C) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && !defined(MBEDTLS_HKDF_C) #error "MBEDTLS_HKDF_C is required for TLS 1_3 to work. " #endif #if defined(MBEDTLS_SSL_DTLS_SRTP) && ( !defined(MBEDTLS_SSL_PROTO_DTLS) ) diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h index b4630f63cdb8..c04097dad3e3 100644 --- a/include/mbedtls/cipher.h +++ b/include/mbedtls/cipher.h @@ -140,9 +140,15 @@ typedef enum { MBEDTLS_CIPHER_AES_128_CCM, /**< AES cipher with 128-bit CCM mode. */ MBEDTLS_CIPHER_AES_192_CCM, /**< AES cipher with 192-bit CCM mode. */ MBEDTLS_CIPHER_AES_256_CCM, /**< AES cipher with 256-bit CCM mode. */ + MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG, /**< AES cipher with 128-bit CCM_STAR_NO_TAG mode. */ + MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG, /**< AES cipher with 192-bit CCM_STAR_NO_TAG mode. */ + MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG, /**< AES cipher with 256-bit CCM_STAR_NO_TAG mode. */ MBEDTLS_CIPHER_CAMELLIA_128_CCM, /**< Camellia cipher with 128-bit CCM mode. */ MBEDTLS_CIPHER_CAMELLIA_192_CCM, /**< Camellia cipher with 192-bit CCM mode. */ MBEDTLS_CIPHER_CAMELLIA_256_CCM, /**< Camellia cipher with 256-bit CCM mode. */ + MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG, /**< Camellia cipher with 128-bit CCM_STAR_NO_TAG mode. */ + MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG, /**< Camellia cipher with 192-bit CCM_STAR_NO_TAG mode. */ + MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG, /**< Camellia cipher with 256-bit CCM_STAR_NO_TAG mode. */ MBEDTLS_CIPHER_ARIA_128_ECB, /**< Aria cipher with 128-bit key and ECB mode. */ MBEDTLS_CIPHER_ARIA_192_ECB, /**< Aria cipher with 192-bit key and ECB mode. */ MBEDTLS_CIPHER_ARIA_256_ECB, /**< Aria cipher with 256-bit key and ECB mode. */ @@ -161,6 +167,9 @@ typedef enum { MBEDTLS_CIPHER_ARIA_128_CCM, /**< Aria cipher with 128-bit key and CCM mode. */ MBEDTLS_CIPHER_ARIA_192_CCM, /**< Aria cipher with 192-bit key and CCM mode. */ MBEDTLS_CIPHER_ARIA_256_CCM, /**< Aria cipher with 256-bit key and CCM mode. */ + MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG, /**< Aria cipher with 128-bit key and CCM_STAR_NO_TAG mode. */ + MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG, /**< Aria cipher with 192-bit key and CCM_STAR_NO_TAG mode. */ + MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG, /**< Aria cipher with 256-bit key and CCM_STAR_NO_TAG mode. */ MBEDTLS_CIPHER_AES_128_OFB, /**< AES 128-bit cipher in OFB mode. */ MBEDTLS_CIPHER_AES_192_OFB, /**< AES 192-bit cipher in OFB mode. */ MBEDTLS_CIPHER_AES_256_OFB, /**< AES 256-bit cipher in OFB mode. */ @@ -187,6 +196,7 @@ typedef enum { MBEDTLS_MODE_GCM, /**< The GCM cipher mode. */ MBEDTLS_MODE_STREAM, /**< The stream cipher mode. */ MBEDTLS_MODE_CCM, /**< The CCM cipher mode. */ + MBEDTLS_MODE_CCM_STAR_NO_TAG, /**< The CCM*-no-tag cipher mode. */ MBEDTLS_MODE_XTS, /**< The XTS cipher mode. */ MBEDTLS_MODE_CHACHAPOLY, /**< The ChaCha-Poly cipher mode. */ MBEDTLS_MODE_KW, /**< The SP800-38F KW mode */ @@ -497,6 +507,80 @@ static inline const char *mbedtls_cipher_info_get_name( return( info->MBEDTLS_PRIVATE(name) ); } +/** + * \brief This function returns the size of the IV or nonce + * for the cipher info structure, in bytes. + * + * \param info The cipher info structure. This may be \c NULL. + * + * \return The recommended IV size. + * \return \c 0 for ciphers not using an IV or a nonce. + * \return \c 0 if \p info is \c NULL. + */ +static inline size_t mbedtls_cipher_info_get_iv_size( + const mbedtls_cipher_info_t *info ) +{ + if( info == NULL ) + return( 0 ); + + return( (size_t) info->MBEDTLS_PRIVATE(iv_size) ); +} + +/** + * \brief This function returns the block size of the given + * cipher info structure in bytes. + * + * \param info The cipher info structure. This may be \c NULL. + * + * \return The block size of the cipher. + * \return \c 1 if the cipher is a stream cipher. + * \return \c 0 if \p info is \c NULL. + */ +static inline size_t mbedtls_cipher_info_get_block_size( + const mbedtls_cipher_info_t *info ) +{ + if( info == NULL ) + return( 0 ); + + return( (size_t) info->MBEDTLS_PRIVATE(block_size) ); +} + +/** + * \brief This function returns a non-zero value if the key length for + * the given cipher is variable. + * + * \param info The cipher info structure. This may be \c NULL. + * + * \return Non-zero if the key length is variable, \c 0 otherwise. + * \return \c 0 if the given pointer is \c NULL. + */ +static inline int mbedtls_cipher_info_has_variable_key_bitlen( + const mbedtls_cipher_info_t *info ) +{ + if( info == NULL ) + return( 0 ); + + return( info->MBEDTLS_PRIVATE(flags) & MBEDTLS_CIPHER_VARIABLE_KEY_LEN ); +} + +/** + * \brief This function returns a non-zero value if the IV size for + * the given cipher is variable. + * + * \param info The cipher info structure. This may be \c NULL. + * + * \return Non-zero if the IV size is variable, \c 0 otherwise. + * \return \c 0 if the given pointer is \c NULL. + */ +static inline int mbedtls_cipher_info_has_variable_iv_size( + const mbedtls_cipher_info_t *info ) +{ + if( info == NULL ) + return( 0 ); + + return( info->MBEDTLS_PRIVATE(flags) & MBEDTLS_CIPHER_VARIABLE_IV_LEN ); +} + /** * \brief This function initializes a \p cipher_context as NONE. * @@ -573,11 +657,13 @@ int mbedtls_cipher_setup_psa( mbedtls_cipher_context_t *ctx, #endif /* MBEDTLS_USE_PSA_CRYPTO */ /** - * \brief This function returns the block size of the given cipher. + * \brief This function returns the block size of the given cipher + * in bytes. * - * \param ctx The context of the cipher. This must be initialized. + * \param ctx The context of the cipher. * * \return The block size of the underlying cipher. + * \return \c 1 if the cipher is a stream cipher. * \return \c 0 if \p ctx has not been initialized. */ static inline unsigned int mbedtls_cipher_get_block_size( diff --git a/include/mbedtls/cmac.h b/include/mbedtls/cmac.h index 3e599b9dc9e1..21ce88276442 100644 --- a/include/mbedtls/cmac.h +++ b/include/mbedtls/cmac.h @@ -67,9 +67,17 @@ struct mbedtls_cmac_context_t #endif /* !MBEDTLS_CMAC_ALT */ /** - * \brief This function sets the CMAC key, and prepares to authenticate + * \brief This function starts a new CMAC computation + * by setting the CMAC key, and preparing to authenticate * the input data. - * Must be called with an initialized cipher context. + * It must be called with an initialized cipher context. + * + * Once this function has completed, data can be supplied + * to the CMAC computation by calling + * mbedtls_cipher_cmac_update(). + * + * To start a CMAC computation using the same key as a previous + * CMAC computation, use mbedtls_cipher_cmac_finish(). * * \note When the CMAC implementation is supplied by an alternate * implementation (through #MBEDTLS_CMAC_ALT), some ciphers @@ -95,9 +103,15 @@ int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx, * \brief This function feeds an input buffer into an ongoing CMAC * computation. * - * It is called between mbedtls_cipher_cmac_starts() or - * mbedtls_cipher_cmac_reset(), and mbedtls_cipher_cmac_finish(). - * Can be called repeatedly. + * The CMAC computation must have previously been started + * by calling mbedtls_cipher_cmac_starts() or + * mbedtls_cipher_cmac_reset(). + * + * Call this function as many times as needed to input the + * data to be authenticated. + * Once all of the required data has been input, + * call mbedtls_cipher_cmac_finish() to obtain the result + * of the CMAC operation. * * \param ctx The cipher context used for the CMAC operation. * \param input The buffer holding the input data. @@ -111,12 +125,13 @@ int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx, const unsigned char *input, size_t ilen ); /** - * \brief This function finishes the CMAC operation, and writes - * the result to the output buffer. + * \brief This function finishes an ongoing CMAC operation, and + * writes the result to the output buffer. * - * It is called after mbedtls_cipher_cmac_update(). - * It can be followed by mbedtls_cipher_cmac_reset() and - * mbedtls_cipher_cmac_update(), or mbedtls_cipher_free(). + * It should be followed either by + * mbedtls_cipher_cmac_reset(), which starts another CMAC + * operation with the same key, or mbedtls_cipher_free(), + * which clears the cipher context. * * \param ctx The cipher context used for the CMAC operation. * \param output The output buffer for the CMAC checksum result. @@ -129,12 +144,14 @@ int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx, unsigned char *output ); /** - * \brief This function prepares the authentication of another - * message with the same key as the previous CMAC - * operation. - * - * It is called after mbedtls_cipher_cmac_finish() - * and before mbedtls_cipher_cmac_update(). + * \brief This function starts a new CMAC operation with the same + * key as the previous one. + * + * It should be called after finishing the previous CMAC + * operation with mbedtls_cipher_cmac_finish(). + * After calling this function, + * call mbedtls_cipher_cmac_update() to supply the new + * CMAC operation with data. * * \param ctx The cipher context used for the CMAC operation. * diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 3b01b78d2991..68dda0f395b7 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -56,6 +56,12 @@ extern "C" { #define PSA_WANT_ALG_RSA_PKCS1V15_SIGN_RAW PSA_WANT_ALG_RSA_PKCS1V15_SIGN #endif +#if defined(PSA_WANT_ALG_RSA_PSS_ANY_SALT) && !defined(PSA_WANT_ALG_RSA_PSS) +#define PSA_WANT_ALG_RSA_PSS PSA_WANT_ALG_RSA_PSS_ANY_SALT +#elif !defined(PSA_WANT_ALG_RSA_PSS_ANY_SALT) && defined(PSA_WANT_ALG_RSA_PSS) +#define PSA_WANT_ALG_RSA_PSS_ANY_SALT PSA_WANT_ALG_RSA_PSS +#endif + /****************************************************************/ @@ -87,6 +93,10 @@ extern "C" { #if !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) #define MBEDTLS_PSA_BUILTIN_ALG_ECDSA 1 #define MBEDTLS_ECDSA_C +#define MBEDTLS_ECP_C +#define MBEDTLS_BIGNUM_C +#define MBEDTLS_ASN1_PARSE_C +#define MBEDTLS_ASN1_WRITE_C #endif /* !MBEDTLS_PSA_ACCEL_ALG_ECDSA */ #endif /* PSA_WANT_ALG_ECDSA */ @@ -219,6 +229,8 @@ extern "C" { #define MBEDTLS_PK_PARSE_C #define MBEDTLS_PK_WRITE_C #define MBEDTLS_PK_C +#define MBEDTLS_ASN1_PARSE_C +#define MBEDTLS_ASN1_WRITE_C #endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR */ #endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR */ @@ -231,6 +243,8 @@ extern "C" { #define MBEDTLS_PK_PARSE_C #define MBEDTLS_PK_WRITE_C #define MBEDTLS_PK_C +#define MBEDTLS_ASN1_PARSE_C +#define MBEDTLS_ASN1_WRITE_C #endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY */ #endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY */ @@ -267,6 +281,18 @@ extern "C" { #endif /* PSA_HAVE_SOFT_KEY_TYPE_AES || PSA_HAVE_SOFT_BLOCK_MODE */ #endif /* PSA_WANT_KEY_TYPE_AES */ +#if defined(PSA_WANT_KEY_TYPE_ARIA) +#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ARIA) +#define PSA_HAVE_SOFT_KEY_TYPE_ARIA 1 +#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_ARIA */ +#if defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \ + defined(PSA_HAVE_SOFT_BLOCK_MODE) || \ + defined(PSA_HAVE_SOFT_BLOCK_AEAD) +#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ARIA 1 +#define MBEDTLS_ARIA_C +#endif /* PSA_HAVE_SOFT_KEY_TYPE_ARIA || PSA_HAVE_SOFT_BLOCK_MODE */ +#endif /* PSA_WANT_KEY_TYPE_ARIA */ + #if defined(PSA_WANT_KEY_TYPE_CAMELLIA) #if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA) #define PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA 1 @@ -301,6 +327,7 @@ extern "C" { * PSA_HAVE_SOFT_BLOCK_CIPHER, which can be used in any of these * situations. */ #if defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \ + defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \ defined(PSA_HAVE_SOFT_KEY_TYPE_DES) || \ defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA) #define PSA_HAVE_SOFT_BLOCK_CIPHER 1 @@ -381,6 +408,7 @@ extern "C" { #if defined(PSA_WANT_ALG_CCM) #if !defined(MBEDTLS_PSA_ACCEL_ALG_CCM) || \ defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \ + defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \ defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA) #define MBEDTLS_PSA_BUILTIN_ALG_CCM 1 #define MBEDTLS_CCM_C @@ -390,6 +418,7 @@ extern "C" { #if defined(PSA_WANT_ALG_GCM) #if !defined(MBEDTLS_PSA_ACCEL_ALG_GCM) || \ defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \ + defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \ defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA) #define MBEDTLS_PSA_BUILTIN_ALG_GCM 1 #define MBEDTLS_GCM_C @@ -397,10 +426,12 @@ extern "C" { #endif /* PSA_WANT_ALG_GCM */ #if defined(PSA_WANT_ALG_CHACHA20_POLY1305) +#if !defined(MBEDTLS_PSA_ACCEL_ALG_CHACHA20_POLY1305) #if defined(PSA_WANT_KEY_TYPE_CHACHA20) #define MBEDTLS_CHACHAPOLY_C #define MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 1 #endif /* PSA_WANT_KEY_TYPE_CHACHA20 */ +#endif /* !MBEDTLS_PSA_ACCEL_ALG_CHACHA20_POLY1305 */ #endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */ #if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) @@ -629,6 +660,11 @@ extern "C" { #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES 1 #endif +#if defined(MBEDTLS_ARIA_C) +#define PSA_WANT_KEY_TYPE_ARIA 1 +#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ARIA 1 +#endif + #if defined(MBEDTLS_CAMELLIA_C) #define PSA_WANT_KEY_TYPE_CAMELLIA 1 #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CAMELLIA 1 @@ -660,7 +696,7 @@ extern "C" { #endif #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) || \ - defined(MBEDTLS_CAMELLIA_C) + defined(MBEDTLS_ARIA_C) || defined(MBEDTLS_CAMELLIA_C) #define MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING 1 #define PSA_WANT_ALG_ECB_NO_PADDING 1 #endif diff --git a/include/mbedtls/constant_time.h b/include/mbedtls/constant_time.h new file mode 100644 index 000000000000..c5de57a01f08 --- /dev/null +++ b/include/mbedtls/constant_time.h @@ -0,0 +1,45 @@ +/** + * Constant-time functions + * + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef MBEDTLS_CONSTANT_TIME_H +#define MBEDTLS_CONSTANT_TIME_H + +#include <stddef.h> + + +/** Constant-time buffer comparison without branches. + * + * This is equivalent to the standard memcmp function, but is likely to be + * compiled to code using bitwise operation rather than a branch. + * + * This function can be used to write constant-time code by replacing branches + * with bit operations using masks. + * + * \param a Pointer to the first buffer. + * \param b Pointer to the second buffer. + * \param n The number of bytes to compare in the buffer. + * + * \return Zero if the content of the two buffer is the same, + * otherwise non-zero. + */ +int mbedtls_ct_memcmp( const void *a, + const void *b, + size_t n ); + +#endif /* MBEDTLS_CONSTANT_TIME_H */ diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h index b2a2e3256444..5b26084d45a7 100644 --- a/include/mbedtls/ecp.h +++ b/include/mbedtls/ecp.h @@ -130,10 +130,8 @@ typedef enum /** * The number of supported curves, plus one for #MBEDTLS_ECP_DP_NONE. - * - * \note Montgomery curves are currently excluded. */ -#define MBEDTLS_ECP_DP_MAX 12 +#define MBEDTLS_ECP_DP_MAX 14 /* * Curve types diff --git a/include/mbedtls/entropy.h b/include/mbedtls/entropy.h index 128ec8252940..fede05ffa165 100644 --- a/include/mbedtls/entropy.h +++ b/include/mbedtls/entropy.h @@ -124,7 +124,7 @@ typedef struct mbedtls_entropy_context * -1 after free. */ #if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR) mbedtls_sha512_context MBEDTLS_PRIVATE(accumulator); -#else +#elif defined(MBEDTLS_ENTROPY_SHA256_ACCUMULATOR) mbedtls_sha256_context MBEDTLS_PRIVATE(accumulator); #endif int MBEDTLS_PRIVATE(source_count); /* Number of entries used in source. */ diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 9aaf243d53d1..0716817946fc 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -1494,29 +1494,26 @@ //#define MBEDTLS_SSL_PROTO_TLS1_2 /** - * \def MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL + * \def MBEDTLS_SSL_PROTO_TLS1_3 * - * This macro is used to selectively enable experimental parts - * of the code that contribute to the ongoing development of - * the prototype TLS 1.3 and DTLS 1.3 implementation, and provide - * no other purpose. + * Enable support for TLS 1.3. * - * \warning TLS 1.3 and DTLS 1.3 aren't yet supported in Mbed TLS, - * and no feature exposed through this macro is part of the - * public API. In particular, features under the control - * of this macro are experimental and don't come with any - * stability guarantees. + * \note The support for TLS 1.3 is not comprehensive yet, in particular + * pre-shared keys are not supported. + * See docs/architecture/tls13-support.md for a description of the TLS + * 1.3 support that this option enables. + * + * Uncomment this macro to enable the support for TLS 1.3. * - * Uncomment this macro to enable experimental and partial - * functionality specific to TLS 1.3. */ -#define MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +#define MBEDTLS_SSL_PROTO_TLS1_3 -/* \def MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE +/** + * \def MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE * * Enable TLS 1.3 middlebox compatibility mode. * - * As specified in Section D.4 of RFC 8449, TLS 1.3 offers a compatibility + * As specified in Section D.4 of RFC 8446, TLS 1.3 offers a compatibility * mode to make a TLS 1.3 connection more likely to pass through middle boxes * expecting TLS 1.2 traffic. * @@ -1526,12 +1523,12 @@ * you know that middlebox compatibility issues won't occur, it is therefore * recommended to set this option. * - * Comment to disable compatibility mode for TLS 1.3. - * - * Requires: MBEDTLS_SSL_PROTO_TLS1_3 + * Comment to disable compatibility mode for TLS 1.3. If + * MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any + * effect on the build. * */ -#define MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE +#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE /** * \def MBEDTLS_SSL_EARLY_DATA_MAX_DELAY @@ -1587,7 +1584,6 @@ */ #define MBEDTLS_SSL_NEW_SESSION_TICKET - /** * \def MBEDTLS_SSL_PROTO_DTLS * diff --git a/include/mbedtls/md.h b/include/mbedtls/md.h index fa2b152f9677..2b668f55e3ea 100644 --- a/include/mbedtls/md.h +++ b/include/mbedtls/md.h @@ -29,6 +29,7 @@ #include <stddef.h> #include "mbedtls/build_info.h" +#include "mbedtls/platform_util.h" /** The selected feature is not available. */ #define MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE -0x5080 @@ -181,6 +182,7 @@ void mbedtls_md_free( mbedtls_md_context_t *ctx ); * failure. * \return #MBEDTLS_ERR_MD_ALLOC_FAILED on memory-allocation failure. */ +MBEDTLS_CHECK_RETURN_TYPICAL int mbedtls_md_setup( mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info, int hmac ); /** @@ -202,6 +204,7 @@ int mbedtls_md_setup( mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_inf * \return \c 0 on success. * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification failure. */ +MBEDTLS_CHECK_RETURN_TYPICAL int mbedtls_md_clone( mbedtls_md_context_t *dst, const mbedtls_md_context_t *src ); @@ -251,6 +254,7 @@ const char *mbedtls_md_get_name( const mbedtls_md_info_t *md_info ); * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification * failure. */ +MBEDTLS_CHECK_RETURN_TYPICAL int mbedtls_md_starts( mbedtls_md_context_t *ctx ); /** @@ -269,6 +273,7 @@ int mbedtls_md_starts( mbedtls_md_context_t *ctx ); * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification * failure. */ +MBEDTLS_CHECK_RETURN_TYPICAL int mbedtls_md_update( mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen ); /** @@ -289,6 +294,7 @@ int mbedtls_md_update( mbedtls_md_context_t *ctx, const unsigned char *input, si * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification * failure. */ +MBEDTLS_CHECK_RETURN_TYPICAL int mbedtls_md_finish( mbedtls_md_context_t *ctx, unsigned char *output ); /** @@ -309,6 +315,7 @@ int mbedtls_md_finish( mbedtls_md_context_t *ctx, unsigned char *output ); * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification * failure. */ +MBEDTLS_CHECK_RETURN_TYPICAL int mbedtls_md( const mbedtls_md_info_t *md_info, const unsigned char *input, size_t ilen, unsigned char *output ); @@ -330,6 +337,7 @@ int mbedtls_md( const mbedtls_md_info_t *md_info, const unsigned char *input, si * the file pointed by \p path. * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info was NULL. */ +MBEDTLS_CHECK_RETURN_TYPICAL int mbedtls_md_file( const mbedtls_md_info_t *md_info, const char *path, unsigned char *output ); #endif /* MBEDTLS_FS_IO */ @@ -352,6 +360,7 @@ int mbedtls_md_file( const mbedtls_md_info_t *md_info, const char *path, * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification * failure. */ +MBEDTLS_CHECK_RETURN_TYPICAL int mbedtls_md_hmac_starts( mbedtls_md_context_t *ctx, const unsigned char *key, size_t keylen ); @@ -374,6 +383,7 @@ int mbedtls_md_hmac_starts( mbedtls_md_context_t *ctx, const unsigned char *key, * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification * failure. */ +MBEDTLS_CHECK_RETURN_TYPICAL int mbedtls_md_hmac_update( mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen ); @@ -395,6 +405,7 @@ int mbedtls_md_hmac_update( mbedtls_md_context_t *ctx, const unsigned char *inpu * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification * failure. */ +MBEDTLS_CHECK_RETURN_TYPICAL int mbedtls_md_hmac_finish( mbedtls_md_context_t *ctx, unsigned char *output); /** @@ -412,6 +423,7 @@ int mbedtls_md_hmac_finish( mbedtls_md_context_t *ctx, unsigned char *output); * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification * failure. */ +MBEDTLS_CHECK_RETURN_TYPICAL int mbedtls_md_hmac_reset( mbedtls_md_context_t *ctx ); /** @@ -436,11 +448,13 @@ int mbedtls_md_hmac_reset( mbedtls_md_context_t *ctx ); * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification * failure. */ +MBEDTLS_CHECK_RETURN_TYPICAL int mbedtls_md_hmac( const mbedtls_md_info_t *md_info, const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char *output ); /* Internal use */ +MBEDTLS_CHECK_RETURN_TYPICAL int mbedtls_md_process( mbedtls_md_context_t *ctx, const unsigned char *data ); #ifdef __cplusplus diff --git a/include/mbedtls/pkcs12.h b/include/mbedtls/pkcs12.h index cded903f4e45..1b87aea925e1 100644 --- a/include/mbedtls/pkcs12.h +++ b/include/mbedtls/pkcs12.h @@ -56,11 +56,13 @@ extern "C" { * \brief PKCS12 Password Based function (encryption / decryption) * for cipher-based and mbedtls_md-based PBE's * - * \param pbe_params an ASN1 buffer containing the pkcs-12PbeParams structure - * \param mode either MBEDTLS_PKCS12_PBE_ENCRYPT or MBEDTLS_PKCS12_PBE_DECRYPT + * \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure + * \param mode either #MBEDTLS_PKCS12_PBE_ENCRYPT or + * #MBEDTLS_PKCS12_PBE_DECRYPT * \param cipher_type the cipher used - * \param md_type the mbedtls_md used - * \param pwd the password used (may be NULL if no password is used) + * \param md_type the mbedtls_md used + * \param pwd Latin1-encoded password used. This may only be \c NULL when + * \p pwdlen is 0. No null terminator should be used. * \param pwdlen length of the password (may be 0) * \param input the input data * \param len data length @@ -81,18 +83,24 @@ int mbedtls_pkcs12_pbe( mbedtls_asn1_buf *pbe_params, int mode, * to produce pseudo-random bits for a particular "purpose". * * Depending on the given id, this function can produce an - * encryption/decryption key, an nitialization vector or an + * encryption/decryption key, an initialization vector or an * integrity key. * * \param data buffer to store the derived data in - * \param datalen length to fill - * \param pwd password to use (may be NULL if no password is used) - * \param pwdlen length of the password (may be 0) - * \param salt salt buffer to use - * \param saltlen length of the salt - * \param mbedtls_md mbedtls_md type to use during the derivation - * \param id id that describes the purpose (can be MBEDTLS_PKCS12_DERIVE_KEY, - * MBEDTLS_PKCS12_DERIVE_IV or MBEDTLS_PKCS12_DERIVE_MAC_KEY) + * \param datalen length of buffer to fill + * \param pwd The password to use. For compliance with PKCS#12 §B.1, this + * should be a BMPString, i.e. a Unicode string where each + * character is encoded as 2 bytes in big-endian order, with + * no byte order mark and with a null terminator (i.e. the + * last two bytes should be 0x00 0x00). + * \param pwdlen length of the password (may be 0). + * \param salt Salt buffer to use This may only be \c NULL when + * \p saltlen is 0. + * \param saltlen length of the salt (may be zero) + * \param mbedtls_md mbedtls_md type to use during the derivation + * \param id id that describes the purpose (can be + * #MBEDTLS_PKCS12_DERIVE_KEY, #MBEDTLS_PKCS12_DERIVE_IV or + * #MBEDTLS_PKCS12_DERIVE_MAC_KEY) * \param iterations number of iterations * * \return 0 if successful, or a MD, BIGNUM type error. diff --git a/include/mbedtls/platform_util.h b/include/mbedtls/platform_util.h index 36e3718e6cfb..5d2fefc36f83 100644 --- a/include/mbedtls/platform_util.h +++ b/include/mbedtls/platform_util.h @@ -42,10 +42,6 @@ extern "C" { /* Internal helper macros for deprecating API constants. */ #if !defined(MBEDTLS_DEPRECATED_REMOVED) #if defined(MBEDTLS_DEPRECATED_WARNING) -/* Deliberately don't (yet) export MBEDTLS_DEPRECATED here - * to avoid conflict with other headers which define and use - * it, too. We might want to move all these definitions here at - * some point for uniformity. */ #define MBEDTLS_DEPRECATED __attribute__((deprecated)) MBEDTLS_DEPRECATED typedef char const * mbedtls_deprecated_string_constant_t; #define MBEDTLS_DEPRECATED_STRING_CONSTANT( VAL ) \ @@ -53,8 +49,8 @@ MBEDTLS_DEPRECATED typedef char const * mbedtls_deprecated_string_constant_t; MBEDTLS_DEPRECATED typedef int mbedtls_deprecated_numeric_constant_t; #define MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( VAL ) \ ( (mbedtls_deprecated_numeric_constant_t) ( VAL ) ) -#undef MBEDTLS_DEPRECATED #else /* MBEDTLS_DEPRECATED_WARNING */ +#define MBEDTLS_DEPRECATED #define MBEDTLS_DEPRECATED_STRING_CONSTANT( VAL ) VAL #define MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( VAL ) VAL #endif /* MBEDTLS_DEPRECATED_WARNING */ diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index 80bcd721c0f6..c54c035c37e2 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -51,6 +51,9 @@ static inline psa_key_type_t mbedtls_psa_translate_cipher_type( case MBEDTLS_CIPHER_AES_128_CCM: case MBEDTLS_CIPHER_AES_192_CCM: case MBEDTLS_CIPHER_AES_256_CCM: + case MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG: + case MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG: + case MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG: case MBEDTLS_CIPHER_AES_128_GCM: case MBEDTLS_CIPHER_AES_192_GCM: case MBEDTLS_CIPHER_AES_256_GCM: @@ -66,6 +69,9 @@ static inline psa_key_type_t mbedtls_psa_translate_cipher_type( /* case MBEDTLS_CIPHER_ARIA_128_CCM: case MBEDTLS_CIPHER_ARIA_192_CCM: case MBEDTLS_CIPHER_ARIA_256_CCM: + case MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG: + case MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG: + case MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG: case MBEDTLS_CIPHER_ARIA_128_GCM: case MBEDTLS_CIPHER_ARIA_192_GCM: case MBEDTLS_CIPHER_ARIA_256_GCM: @@ -90,6 +96,8 @@ static inline psa_algorithm_t mbedtls_psa_translate_cipher_mode( return( PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_GCM, taglen ) ); case MBEDTLS_MODE_CCM: return( PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, taglen ) ); + case MBEDTLS_MODE_CCM_STAR_NO_TAG: + return PSA_ALG_CCM_STAR_NO_TAG; case MBEDTLS_MODE_CBC: if( taglen == 0 ) return( PSA_ALG_CBC_NO_PADDING ); diff --git a/include/mbedtls/sha256.h b/include/mbedtls/sha256.h index 9e6f59dc4b76..0cbbac11f2e2 100644 --- a/include/mbedtls/sha256.h +++ b/include/mbedtls/sha256.h @@ -167,6 +167,9 @@ int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx, * for SHA-256, \c 28 bytes for SHA-224. * \param is224 Determines which function to use. This must be * either \c 0 for SHA-256, or \c 1 for SHA-224. + * + * \return \c 0 on success. + * \return A negative error code on failure. */ int mbedtls_sha256( const unsigned char *input, size_t ilen, diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 7f344d3e0b19..90f4d6df724e 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -21,6 +21,7 @@ */ #ifndef MBEDTLS_SSL_H #define MBEDTLS_SSL_H +#include "mbedtls/platform_util.h" #include "mbedtls/private_access.h" #include "mbedtls/build_info.h" @@ -172,23 +173,14 @@ #define MBEDTLS_ERR_LAST 0x7F80 /**< This definition points to the last error code to have a correct parsing in error.c */ -/* - * TLS 1.3 NamedGroup values - */ -#define MBEDTLS_SSL_TLS13_NAMED_GROUP_SEC256R1 0x0017 -#define MBEDTLS_SSL_TLS13_NAMED_GROUP_SEC384R1 0x0018 -#define MBEDTLS_SSL_TLS13_NAMED_GROUP_SEC521R1 0x0019 -#define MBEDTLS_SSL_TLS13_NAMED_GROUP_X25519 0x001D -#define MBEDTLS_SSL_TLS13_NAMED_GROUP_X448 0x001E - /* * Constants from RFC 8446 for TLS 1.3 PSK modes * * Those are used in the Pre-Shared Key Exchange Modes extension. * See Section 4.2.9 in RFC 8446. */ -#define MBEDTLS_SSL_TLS13_PSK_MODE_PURE 0 /* Pure PSK-based exchange */ -#define MBEDTLS_SSL_TLS13_PSK_MODE_ECDHE 1 /* PSK+ECDHE-based exchange */ +#define MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE 0 /* Pure PSK-based exchange */ +#define MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE 1 /* PSK+ECDHE-based exchange */ /* * TLS 1.3 NamedGroup values @@ -208,18 +200,28 @@ * } NamedGroup; * */ + /* Elliptic Curve Groups (ECDHE) */ -#define MBEDTLS_SSL_TLS13_NAMED_GROUP_SECP256R1 0x0017 -#define MBEDTLS_SSL_TLS13_NAMED_GROUP_SECP384R1 0x0018 -#define MBEDTLS_SSL_TLS13_NAMED_GROUP_SECP521R1 0x0019 -#define MBEDTLS_SSL_TLS13_NAMED_GROUP_X25519 0x001D -#define MBEDTLS_SSL_TLS13_NAMED_GROUP_X448 0x001E +#define MBEDTLS_SSL_IANA_TLS_GROUP_NONE 0 +#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 0x0012 +#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 0x0013 +#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 0x0014 +#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 0x0015 +#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 0x0016 +#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 0x0017 +#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 0x0018 +#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 0x0019 +#define MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1 0x001A +#define MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1 0x001B +#define MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1 0x001C +#define MBEDTLS_SSL_IANA_TLS_GROUP_X25519 0x001D +#define MBEDTLS_SSL_IANA_TLS_GROUP_X448 0x001E /* Finite Field Groups (DHE) */ -#define MBEDTLS_SSL_TLS13_NAMED_GROUP_FFDHE2048 0x0100 -#define MBEDTLS_SSL_TLS13_NAMED_GROUP_FFDHE3072 0x0101 -#define MBEDTLS_SSL_TLS13_NAMED_GROUP_FFDHE4096 0x0102 -#define MBEDTLS_SSL_TLS13_NAMED_GROUP_FFDHE6144 0x0103 -#define MBEDTLS_SSL_TLS13_NAMED_GROUP_FFDHE8192 0x0104 +#define MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048 0x0100 +#define MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072 0x0101 +#define MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096 0x0102 +#define MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144 0x0103 +#define MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192 0x0104 /* * TLS 1.3 Key Exchange Modes @@ -228,28 +230,28 @@ * mbedtls_ssl_conf_tls13_key_exchange_modes(). */ -#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_NONE 0 -#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK ( 1u << 0 ) /*!< Pure-PSK TLS 1.3 key exchange, - * encompassing both externally agreed PSKs - * as well as resumption PSKs. */ -#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL ( 1u << 1 ) /*!< Pure-Ephemeral TLS 1.3 key exchanges, - * including for example ECDHE and DHE - * key exchanges. */ -#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ( 1u << 2 ) /*!< PSK-Ephemeral TLS 1.3 key exchanges, - * using both a PSK and an ephemeral - * key exchange. */ +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE 0 +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK ( 1u << 0 ) /*!< Pure-PSK TLS 1.3 key exchange, + * encompassing both externally agreed PSKs + * as well as resumption PSKs. */ +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL ( 1u << 1 ) /*!< Pure-Ephemeral TLS 1.3 key exchanges, + * including for example ECDHE and DHE + * key exchanges. */ +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ( 1u << 2 ) /*!< PSK-Ephemeral TLS 1.3 key exchanges, + * using both a PSK and an ephemeral + * key exchange. */ /* Convenience macros for sets of key exchanges. */ -#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL \ - ( MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK | \ - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL | \ - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL ) /*!< All TLS 1.3 key exchanges */ -#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL \ - ( MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK | \ - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) /*!< All PSK-based TLS 1.3 key exchanges */ -#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL \ - ( MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL | \ - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) /*!< All ephemeral TLS 1.3 key exchanges */ +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL \ + ( MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK | \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL | \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL ) /*!< All TLS 1.3 key exchanges */ +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL \ + ( MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK | \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) /*!< All PSK-based TLS 1.3 key exchanges */ +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL \ + ( MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL | \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) /*!< All ephemeral TLS 1.3 key exchanges */ /* * Various constants @@ -261,7 +263,7 @@ */ #define MBEDTLS_SSL_MAJOR_VERSION_3 3 #define MBEDTLS_SSL_MINOR_VERSION_3 3 /*!< TLS v1.2 */ -#define MBEDTLS_SSL_MINOR_VERSION_4 4 /*!< TLS v1.3 (experimental) */ +#define MBEDTLS_SSL_MINOR_VERSION_4 4 /*!< TLS v1.3 */ #define MBEDTLS_SSL_TRANSPORT_STREAM 0 /*!< TLS */ #define MBEDTLS_SSL_TRANSPORT_DATAGRAM 1 /*!< DTLS */ @@ -442,75 +444,40 @@ #define MBEDTLS_SSL_SIG_RSA 1 #define MBEDTLS_SSL_SIG_ECDSA 3 - /* - * TLS 1.3 signature algorithms - * RFC 8446, Section 4.2.2 - */ - -/* RSASSA-PKCS1-v1_5 algorithms */ -#define MBEDTLS_TLS13_SIG_RSA_PKCS1_SHA256 0x0401 -#define MBEDTLS_TLS13_SIG_RSA_PKCS1_SHA384 0x0501 -#define MBEDTLS_TLS13_SIG_RSA_PKCS1_SHA512 0x0601 - -/* ECDSA algorithms */ -#define MBEDTLS_TLS13_SIG_ECDSA_SECP256R1_SHA256 0x0403 -#define MBEDTLS_TLS13_SIG_ECDSA_SECP384R1_SHA384 0x0503 -#define MBEDTLS_TLS13_SIG_ECDSA_SECP521R1_SHA512 0x0603 - -/* RSASSA-PSS algorithms with public key OID rsaEncryption */ -#define MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA256 0x0804 -#define MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA384 0x0805 -#define MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA512 0x0806 - -/* EdDSA algorithms */ -#define MBEDTLS_TLS13_SIG_ED25519 0x0807 -#define MBEDTLS_TLS13_SIG_ED448 0x0808 - -/* RSASSA-PSS algorithms with public key OID RSASSA-PSS */ -#define MBEDTLS_TLS13_SIG_RSA_PSS_PSS_SHA256 0x0809 -#define MBEDTLS_TLS13_SIG_RSA_PSS_PSS_SHA384 0x080A -#define MBEDTLS_TLS13_SIG_RSA_PSS_PSS_SHA512 0x080B - -/* LEGACY ALGORITHMS */ -#define MBEDTLS_TLS13_SIG_RSA_PKCS1_SHA1 0x0201 -#define MBEDTLS_TLS13_SIG_ECDSA_SHA1 0x0203 - -#define MBEDTLS_TLS13_SIG_NONE 0x0 - /* * TLS 1.3 signature algorithms * RFC 8446, Section 4.2.2 */ /* RSASSA-PKCS1-v1_5 algorithms */ -#define MBEDTLS_TLS13_SIG_RSA_PKCS1_SHA256 0x0401 -#define MBEDTLS_TLS13_SIG_RSA_PKCS1_SHA384 0x0501 -#define MBEDTLS_TLS13_SIG_RSA_PKCS1_SHA512 0x0601 +#define MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256 0x0401 +#define MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384 0x0501 +#define MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512 0x0601 /* ECDSA algorithms */ -#define MBEDTLS_TLS13_SIG_ECDSA_SECP256R1_SHA256 0x0403 -#define MBEDTLS_TLS13_SIG_ECDSA_SECP384R1_SHA384 0x0503 -#define MBEDTLS_TLS13_SIG_ECDSA_SECP521R1_SHA512 0x0603 +#define MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256 0x0403 +#define MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384 0x0503 +#define MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512 0x0603 /* RSASSA-PSS algorithms with public key OID rsaEncryption */ -#define MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA256 0x0804 -#define MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA384 0x0805 -#define MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA512 0x0806 +#define MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256 0x0804 +#define MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384 0x0805 +#define MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512 0x0806 /* EdDSA algorithms */ -#define MBEDTLS_TLS13_SIG_ED25519 0x0807 -#define MBEDTLS_TLS13_SIG_ED448 0x0808 +#define MBEDTLS_TLS1_3_SIG_ED25519 0x0807 +#define MBEDTLS_TLS1_3_SIG_ED448 0x0808 /* RSASSA-PSS algorithms with public key OID RSASSA-PSS */ -#define MBEDTLS_TLS13_SIG_RSA_PSS_PSS_SHA256 0x0809 -#define MBEDTLS_TLS13_SIG_RSA_PSS_PSS_SHA384 0x080A -#define MBEDTLS_TLS13_SIG_RSA_PSS_PSS_SHA512 0x080B +#define MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA256 0x0809 +#define MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA384 0x080A +#define MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA512 0x080B /* LEGACY ALGORITHMS */ -#define MBEDTLS_TLS13_SIG_RSA_PKCS1_SHA1 0x0201 -#define MBEDTLS_TLS13_SIG_ECDSA_SHA1 0x0203 +#define MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA1 0x0201 +#define MBEDTLS_TLS1_3_SIG_ECDSA_SHA1 0x0203 -#define MBEDTLS_TLS13_SIG_NONE 0x0 +#define MBEDTLS_TLS1_3_SIG_NONE 0x0 /* * Client Certificate Types @@ -575,7 +542,7 @@ #define MBEDTLS_SSL_HS_NEW_SESSION_TICKET 4 #define MBEDTLS_SSL_HS_END_OF_EARLY_DATA 5 // NEW IN TLS 1.3 #define MBEDTLS_SSL_HS_HELLO_RETRY_REQUEST 6 // NEW IN TLS 1.3 (RESERVED) -#define MBEDTLS_SSL_HS_ENCRYPTED_EXTENSION 8 // NEW IN TLS 1.3 +#define MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS 8 // NEW IN TLS 1.3 #define MBEDTLS_SSL_HS_CERTIFICATE 11 #define MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE 12 #define MBEDTLS_SSL_HS_CERTIFICATE_REQUEST 13 @@ -686,6 +653,8 @@ union mbedtls_ssl_premaster_secret #define MBEDTLS_PREMASTER_SIZE sizeof( union mbedtls_ssl_premaster_secret ) +#define MBEDTLS_TLS1_3_MD_MAX_SIZE MBEDTLS_MD_MAX_SIZE + /* Length in number of bytes of the TLS sequence number */ #define MBEDTLS_SSL_SEQUENCE_NUMBER_LEN 8 @@ -719,7 +688,7 @@ typedef enum MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET, MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET_FLUSH, MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT, -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) MBEDTLS_SSL_HELLO_RETRY_REQUEST, MBEDTLS_SSL_SECOND_CLIENT_HELLO, MBEDTLS_SSL_SECOND_SERVER_HELLO, @@ -729,15 +698,15 @@ typedef enum MBEDTLS_SSL_ENCRYPTED_EXTENSIONS, MBEDTLS_SSL_HANDSHAKE_FINISH_ACK, MBEDTLS_SSL_CLIENT_NEW_SESSION_TICKET, -#if defined(MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE) +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO, MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO, MBEDTLS_SSL_SERVER_CCS_AFTER_HRR, -#endif /* MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE */ +#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ MBEDTLS_SSL_EARLY_APP_DATA -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ } mbedtls_ssl_states; @@ -867,7 +836,7 @@ typedef struct mbedtls_ssl_key_cert mbedtls_ssl_key_cert; typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item; #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ defined(MBEDTLS_ZERO_RTT) && defined(MBEDTLS_SSL_CLI_C) #define MBEDTLS_SSL_EARLY_DATA_NOT_SENT 0 #define MBEDTLS_SSL_EARLY_DATA_REJECTED 1 @@ -892,9 +861,9 @@ typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item; * of 0-RTT and the server has accepted it. */ int mbedtls_ssl_get_early_data_status( mbedtls_ssl_context *ssl ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && MBEDTLS_ZERO_RTT && MBEDTLS_SSL_CLI_C */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_ZERO_RTT && MBEDTLS_SSL_CLI_C */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && defined(MBEDTLS_SSL_NEW_SESSION_TICKET) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_NEW_SESSION_TICKET) typedef enum { @@ -903,7 +872,7 @@ typedef enum allow_psk_resumption = 4, } mbedtls_ssl_ticket_flags; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && MBEDTLS_SSL_NEW_SESSION_TICKET */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_NEW_SESSION_TICKET */ /** * \brief Callback type: server-side session cache getter @@ -1188,13 +1157,14 @@ typedef void mbedtls_ssl_async_cancel_t( mbedtls_ssl_context *ssl ); typedef struct { - unsigned char client_application_traffic_secret_N[ MBEDTLS_MD_MAX_SIZE ]; - unsigned char server_application_traffic_secret_N[ MBEDTLS_MD_MAX_SIZE ]; - unsigned char exporter_master_secret [ MBEDTLS_MD_MAX_SIZE ]; + unsigned char client_application_traffic_secret_N[ MBEDTLS_TLS1_3_MD_MAX_SIZE ]; + unsigned char server_application_traffic_secret_N[ MBEDTLS_TLS1_3_MD_MAX_SIZE ]; + unsigned char exporter_master_secret [ MBEDTLS_TLS1_3_MD_MAX_SIZE ]; #if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) - unsigned char resumption_master_secret [ MBEDTLS_MD_MAX_SIZE ]; + unsigned char resumption_master_secret [ MBEDTLS_TLS1_3_MD_MAX_SIZE ]; #endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ -} mbedtls_ssl_tls1_3_application_secrets; +} mbedtls_ssl_tls13_application_secrets; + #if defined(MBEDTLS_SSL_DTLS_SRTP) #define MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH 255 @@ -1243,14 +1213,9 @@ mbedtls_dtls_srtp_info; */ struct mbedtls_ssl_session { -#if defined(MBEDTLS_HAVE_TIME) - mbedtls_time_t MBEDTLS_PRIVATE(start); /*!< starting time */ -#endif /* MBEDTLS_HAVE_TIME */ - int MBEDTLS_PRIVATE(ciphersuite); /*!< chosen ciphersuite */ - int MBEDTLS_PRIVATE(compression); /*!< chosen compression */ - size_t MBEDTLS_PRIVATE(id_len); /*!< session id length */ - unsigned char MBEDTLS_PRIVATE(id)[32]; /*!< session identifier */ - unsigned char MBEDTLS_PRIVATE(master)[48]; /*!< the master secret */ +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) + unsigned char MBEDTLS_PRIVATE(mfl_code); /*!< MaxFragmentLength negotiated by peer */ +#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ unsigned char MBEDTLS_PRIVATE(exported); @@ -1259,7 +1224,14 @@ struct mbedtls_ssl_session * to be studied whether one of them can be removed. */ unsigned char MBEDTLS_PRIVATE(minor_ver); /*!< The TLS version used in the session. */ - mbedtls_ssl_tls1_3_application_secrets MBEDTLS_PRIVATE(app_secrets); +#if defined(MBEDTLS_HAVE_TIME) + mbedtls_time_t MBEDTLS_PRIVATE(start); /*!< starting time */ +#endif /* MBEDTLS_HAVE_TIME */ + int MBEDTLS_PRIVATE(ciphersuite); /*!< chosen ciphersuite */ + int MBEDTLS_PRIVATE(compression); /*!< chosen compression */ + size_t MBEDTLS_PRIVATE(id_len); /*!< session id length */ + unsigned char MBEDTLS_PRIVATE(id)[32]; /*!< session identifier */ + unsigned char MBEDTLS_PRIVATE(master)[48]; /*!< the master secret */ #if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) @@ -1280,7 +1252,7 @@ struct mbedtls_ssl_session uint32_t MBEDTLS_PRIVATE(ticket_lifetime); /*!< ticket lifetime hint */ #endif /* ( MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C ) || MBEDTLS_SSL_NEW_SESSION_TICKET */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && defined(MBEDTLS_SSL_NEW_SESSION_TICKET) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_NEW_SESSION_TICKET) unsigned int MBEDTLS_PRIVATE(endpoint) : 1; /*!< 0: client, 1: server */ mbedtls_ssl_ticket_flags MBEDTLS_PRIVATE(ticket_flags); /*!< Ticket flags */ uint32_t MBEDTLS_PRIVATE(ticket_age_add); /*!< Randomly generated value used to obscure the age of the ticket */ @@ -1296,17 +1268,13 @@ struct mbedtls_ssl_session time_t MBEDTLS_PRIVATE(ticket_received); /*!< time ticket was received */ #endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_CLI_C */ uint32_t MBEDTLS_PRIVATE(max_early_data_size); /*!< max data allowed */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && MBEDTLS_SSL_NEW_SESSION_TICKET */ - -#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - unsigned char MBEDTLS_PRIVATE(mfl_code); /*!< MaxFragmentLength negotiated by peer */ -#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_NEW_SESSION_TICKET */ #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) int MBEDTLS_PRIVATE(encrypt_then_mac); /*!< flag for EtM activation */ #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_ZERO_RTT) && defined(MBEDTLS_SSL_SRV_C) /*!< Early data indication: * 0 -- MBEDTLS_SSL_EARLY_DATA_DISABLED (for no early data), and @@ -1314,7 +1282,11 @@ struct mbedtls_ssl_session */ int MBEDTLS_PRIVATE(process_early_data); /*!< Indication about using early data or not on the server side */ #endif /* MBEDTLS_ZERO_RTT && MBEDTLS_SSL_SRV_C */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + mbedtls_ssl_tls13_application_secrets MBEDTLS_PRIVATE(app_secrets); +#endif }; /* @@ -1333,14 +1305,14 @@ mbedtls_tls_prf_types; typedef enum { MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET = 0, -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) - MBEDTLS_SSL_KEY_EXPORT_TLS13_CLIENT_EARLY_SECRET, - MBEDTLS_SSL_KEY_EXPORT_TLS13_EARLY_EXPORTER_SECRET, - MBEDTLS_SSL_KEY_EXPORT_TLS13_CLIENT_HANDSHAKE_TRAFFIC_SECRET, - MBEDTLS_SSL_KEY_EXPORT_TLS13_SERVER_HANDSHAKE_TRAFFIC_SECRET, - MBEDTLS_SSL_KEY_EXPORT_TLS13_CLIENT_APPLICATION_TRAFFIC_SECRET, - MBEDTLS_SSL_KEY_EXPORT_TLS13_SERVER_APPLICATION_TRAFFIC_SECRET, -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_EARLY_SECRET, + MBEDTLS_SSL_KEY_EXPORT_TLS1_3_EARLY_EXPORTER_SECRET, + MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_HANDSHAKE_TRAFFIC_SECRET, + MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_HANDSHAKE_TRAFFIC_SECRET, + MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_APPLICATION_TRAFFIC_SECRET, + MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_APPLICATION_TRAFFIC_SECRET, +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ } mbedtls_ssl_key_export_type; /** @@ -1376,7 +1348,64 @@ typedef struct mbedtls_ssl_mps mbedtls_ssl_mps; */ struct mbedtls_ssl_config { - /* Group items by size (largest first) to minimize padding overhead */ + + /* Group items mostly by size. This helps to reduce memory wasted to + * padding. It also helps to keep smaller fields early in the structure, + * so that elements tend to be in the 128-element direct access window + * on Arm Thumb, which reduces the code size. */ + + unsigned char MBEDTLS_PRIVATE(max_major_ver); /*!< max. major version used */ + unsigned char MBEDTLS_PRIVATE(max_minor_ver); /*!< max. minor version used */ + unsigned char MBEDTLS_PRIVATE(min_major_ver); /*!< min. major version used */ + unsigned char MBEDTLS_PRIVATE(min_minor_ver); /*!< min. minor version used */ + + /* + * Flags (could be bit-fields to save RAM, but separate bytes make + * the code smaller on architectures with an instruction for direct + * byte access). + */ + + uint8_t MBEDTLS_PRIVATE(endpoint); /*!< 0: client, 1: server */ + uint8_t MBEDTLS_PRIVATE(transport); /*!< 0: stream (TLS), 1: datagram (DTLS)*/ + uint8_t MBEDTLS_PRIVATE(authmode); /*!< MBEDTLS_SSL_VERIFY_XXX */ + /* needed even with renego disabled for LEGACY_BREAK_HANDSHAKE */ + uint8_t MBEDTLS_PRIVATE(allow_legacy_renegotiation); /*!< MBEDTLS_LEGACY_XXX */ +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) + uint8_t MBEDTLS_PRIVATE(mfl_code); /*!< desired fragment length indicator + (MBEDTLS_SSL_MAX_FRAG_LEN_XXX) */ +#endif +#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) + uint8_t MBEDTLS_PRIVATE(encrypt_then_mac); /*!< negotiate encrypt-then-mac? */ +#endif +#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) + uint8_t MBEDTLS_PRIVATE(extended_ms); /*!< negotiate extended master secret? */ +#endif +#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) + uint8_t MBEDTLS_PRIVATE(anti_replay); /*!< detect and prevent replay? */ +#endif +#if defined(MBEDTLS_SSL_RENEGOTIATION) + uint8_t MBEDTLS_PRIVATE(disable_renegotiation); /*!< disable renegotiation? */ +#endif +#if ( ( defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) ) || \ + ( defined(MBEDTLS_SSL_NEW_SESSION_TICKET) ) ) + uint8_t MBEDTLS_PRIVATE(session_tickets); /*!< use session tickets? */ +#endif +#if defined(MBEDTLS_SSL_SRV_C) + uint8_t MBEDTLS_PRIVATE(cert_req_ca_list); /*!< enable sending CA list in + Certificate Request messages? */ + uint8_t MBEDTLS_PRIVATE(respect_cli_pref); /*!< pick the ciphersuite according to + the client's preferences rather + than ours? */ +#endif +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) + uint8_t MBEDTLS_PRIVATE(ignore_unexpected_cid); /*!< Should DTLS record with + * with unexpected CID + * lead to failure. */ +#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ +#if defined(MBEDTLS_SSL_DTLS_SRTP) + uint8_t MBEDTLS_PRIVATE(dtls_srtp_mki_support); /* support having mki_value + in the use_srtp extension? */ +#endif /* * Pointers @@ -1385,10 +1414,10 @@ struct mbedtls_ssl_config /** Allowed ciphersuites for (D)TLS 1.2 (0-terminated) */ const int *MBEDTLS_PRIVATE(ciphersuite_list); -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) /** Allowed TLS 1.3 key exchange modes. */ int MBEDTLS_PRIVATE(tls13_kex_modes); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ /** Callback for printing debug output */ void (*MBEDTLS_PRIVATE(f_dbg))(void *, int, const char *, int, const char *); @@ -1422,7 +1451,9 @@ struct mbedtls_ssl_config void *MBEDTLS_PRIVATE(p_psk); /*!< context for PSK callback */ #endif -#if (defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) || (defined(MBEDTLS_SSL_COOKIE_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL))) && defined(MBEDTLS_SSL_SRV_C) +#if (defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) || \ + (defined(MBEDTLS_SSL_COOKIE_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3))) \ + && defined(MBEDTLS_SSL_SRV_C) /** Callback to create & write a cookie for ClientHello veirifcation */ int (*MBEDTLS_PRIVATE(f_cookie_write))( void *, unsigned char **, unsigned char *, const unsigned char *, size_t ); @@ -1432,7 +1463,9 @@ struct mbedtls_ssl_config void *MBEDTLS_PRIVATE(p_cookie); /*!< context for the cookie callbacks */ #endif -#if ((defined(MBEDTLS_SSL_SESSION_TICKETS) || (defined(MBEDTLS_SSL_NEW_SESSION_TICKET) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)) ) && defined(MBEDTLS_SSL_SRV_C)) +#if ((defined(MBEDTLS_SSL_SESSION_TICKETS) || \ + (defined(MBEDTLS_SSL_NEW_SESSION_TICKET) && defined(MBEDTLS_SSL_PROTO_TLS1_3)) ) \ + && defined(MBEDTLS_SSL_SRV_C)) /** Callback to create & write a session ticket */ int (*MBEDTLS_PRIVATE(f_ticket_write))( void *, const mbedtls_ssl_session *, unsigned char *, const unsigned char *, size_t *, uint32_t * ); @@ -1441,9 +1474,9 @@ struct mbedtls_ssl_config void *MBEDTLS_PRIVATE(p_ticket); /*!< context for the ticket callbacks */ #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) unsigned int MBEDTLS_PRIVATE(rr_config); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) size_t MBEDTLS_PRIVATE(cid_len); /*!< The length of CIDs for incoming DTLS records. */ @@ -1473,15 +1506,17 @@ struct mbedtls_ssl_config #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) const int *MBEDTLS_PRIVATE(sig_hashes); /*!< allowed signature hashes */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) const uint16_t *MBEDTLS_PRIVATE(tls13_sig_algs); /*!< allowed signature algorithms for TLS 1.3 */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif -#if defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) const mbedtls_ecp_group_id *MBEDTLS_PRIVATE(curve_list); /*!< allowed curves */ #endif + const uint16_t *MBEDTLS_PRIVATE(group_list); /*!< allowed IANA NamedGroups */ + #if defined(MBEDTLS_DHM_C) mbedtls_mpi MBEDTLS_PRIVATE(dhm_P); /*!< prime modulus for DHM */ mbedtls_mpi MBEDTLS_PRIVATE(dhm_G); /*!< generator for DHM */ @@ -1547,7 +1582,7 @@ struct mbedtls_ssl_config #endif /* MBEDTLS_SSL_DTLS_SRTP */ /* - * Numerical settings (int then char) + * Numerical settings (int) */ uint32_t MBEDTLS_PRIVATE(read_timeout); /*!< timeout for mbedtls_ssl_read (ms) */ @@ -1570,58 +1605,6 @@ struct mbedtls_ssl_config #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) unsigned int MBEDTLS_PRIVATE(dhm_min_bitlen); /*!< min. bit length of the DHM prime */ #endif - - unsigned char MBEDTLS_PRIVATE(max_major_ver); /*!< max. major version used */ - unsigned char MBEDTLS_PRIVATE(max_minor_ver); /*!< max. minor version used */ - unsigned char MBEDTLS_PRIVATE(min_major_ver); /*!< min. major version used */ - unsigned char MBEDTLS_PRIVATE(min_minor_ver); /*!< min. minor version used */ - - /* - * Flags (bitfields) - */ - - unsigned int MBEDTLS_PRIVATE(endpoint) : 1; /*!< 0: client, 1: server */ - unsigned int MBEDTLS_PRIVATE(transport) : 1; /*!< stream (TLS) or datagram (DTLS) */ - unsigned int MBEDTLS_PRIVATE(authmode) : 2; /*!< MBEDTLS_SSL_VERIFY_XXX */ - /* needed even with renego disabled for LEGACY_BREAK_HANDSHAKE */ - unsigned int MBEDTLS_PRIVATE(allow_legacy_renegotiation) : 2 ; /*!< MBEDTLS_LEGACY_XXX */ -#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - unsigned int MBEDTLS_PRIVATE(mfl_code) : 3; /*!< desired fragment length */ -#endif -#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) - unsigned int MBEDTLS_PRIVATE(encrypt_then_mac) : 1 ; /*!< negotiate encrypt-then-mac? */ -#endif -#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) - unsigned int MBEDTLS_PRIVATE(extended_ms) : 1; /*!< negotiate extended master secret? */ -#endif -#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) - unsigned int MBEDTLS_PRIVATE(anti_replay) : 1; /*!< detect and prevent replay? */ -#endif -#if defined(MBEDTLS_SSL_RENEGOTIATION) - unsigned int MBEDTLS_PRIVATE(disable_renegotiation) : 1; /*!< disable renegotiation? */ -#endif -#if ( ( defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) ) || \ - ( defined(MBEDTLS_SSL_NEW_SESSION_TICKET) ) ) - unsigned int MBEDTLS_PRIVATE(session_tickets) : 1; /*!< use session tickets? */ -#endif - -#if defined(MBEDTLS_SSL_SRV_C) - unsigned int MBEDTLS_PRIVATE(cert_req_ca_list) : 1; /*!< enable sending CA list in - Certificate Request messages? */ - unsigned int MBEDTLS_PRIVATE(respect_cli_pref) : 1; /*!< pick the ciphersuite according to - the client's preferences rather - than ours */ -#endif - -#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) - unsigned int MBEDTLS_PRIVATE(ignore_unexpected_cid) : 1; /*!< Determines whether DTLS - * record with unexpected CID - * should lead to failure. */ -#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ -#if defined(MBEDTLS_SSL_DTLS_SRTP) - unsigned int MBEDTLS_PRIVATE(dtls_srtp_mki_support) : 1; /* support having mki_value - in the use_srtp extension */ -#endif }; struct mbedtls_ssl_context @@ -1687,7 +1670,7 @@ struct mbedtls_ssl_context * This pointer owns the transform * it references. */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) /*! The application data transform in TLS 1.3. * This pointer owns the transform it references. */ mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_application); @@ -1699,7 +1682,7 @@ struct mbedtls_ssl_context mbedtls_ssl_mps *mps; #endif /* MBEDTLS_SSL_USE_MPS */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ /* * Timers @@ -1722,7 +1705,6 @@ struct mbedtls_ssl_context unsigned char *MBEDTLS_PRIVATE(in_cid); /*!< The start of the CID; * (the end is marked by in_len). */ #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ - unsigned char *MBEDTLS_PRIVATE(in_len); /*!< two-bytes message length field */ unsigned char *MBEDTLS_PRIVATE(in_iv); /*!< ivlen-byte IV */ unsigned char *MBEDTLS_PRIVATE(in_msg); /*!< message contents (in_iv+ivlen) */ @@ -1737,10 +1719,10 @@ struct mbedtls_ssl_context #if defined(MBEDTLS_SSL_PROTO_DTLS) uint16_t MBEDTLS_PRIVATE(in_epoch); /*!< DTLS epoch for incoming records */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) uint16_t MBEDTLS_PRIVATE(rec_epoch); /*!< DTLS epoch received */ uint16_t MBEDTLS_PRIVATE(out_epoch); /*!< DTLS epoch for outgoing records */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ size_t MBEDTLS_PRIVATE(next_record_offset); /*!< offset of the next record in datagram (equal to in_left if none) */ @@ -1824,10 +1806,10 @@ struct mbedtls_ssl_context const char *MBEDTLS_PRIVATE(alpn_chosen); /*!< negotiated protocol */ #endif /* MBEDTLS_SSL_ALPN */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && defined(MBEDTLS_SSL_PROTO_DTLS) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_PROTO_DTLS) uint8_t record_numbers_sent[8]; /*<! Record number list for sent acks */ uint8_t record_numbers_received[8]; /*<! Record number list for received acks */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && MBEDTLS_SSL_PROTO_DTLS */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_SSL_DTLS_SRTP) /* * use_srtp extension @@ -1838,9 +1820,8 @@ struct mbedtls_ssl_context /* * Information for DTLS hello verify */ -#if ( defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) || \ - ( defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \ - defined(MBEDTLS_SSL_COOKIE_C) ) ) \ +#if ( defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) || \ + ( defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_COOKIE_C) ) ) \ && defined(MBEDTLS_SSL_SRV_C) unsigned char *MBEDTLS_PRIVATE(cli_id); /*!< transport-level ID of the client */ size_t MBEDTLS_PRIVATE(cli_id_len); /*!< length of cli_id */ @@ -1889,13 +1870,13 @@ struct mbedtls_ssl_context #endif /* MBEDTLS_SSL_CLI_C */ #endif /* MBEDTLS_ZERO_RTT */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ defined(MBEDTLS_ZERO_RTT) && defined(MBEDTLS_SSL_CLI_C) /* * early data request state */ int MBEDTLS_PRIVATE(early_data_status); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && MBEDTLS_ZERO_RTT && MBEDTLS_SSL_CLI_C */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_ZERO_RTT && MBEDTLS_SSL_CLI_C */ /** Callback to export key block and master secret */ mbedtls_ssl_export_keys_t *MBEDTLS_PRIVATE(f_export_keys); @@ -2041,7 +2022,7 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode ); * \param early_data_callback Callback function when early data is received (server * only). */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && defined(MBEDTLS_ZERO_RTT) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_ZERO_RTT) void mbedtls_ssl_conf_early_data( mbedtls_ssl_config* conf, int early_data, size_t max_early_data, int(*early_data_callback)( mbedtls_ssl_context*, @@ -2052,7 +2033,7 @@ void mbedtls_ssl_conf_early_data( mbedtls_ssl_config* conf, int early_data, int mbedtls_ssl_set_early_data( mbedtls_ssl_context* ssl, const unsigned char* buffer, size_t len ); #endif /* MBEDTLS_SSL_CLI_C */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && MBEDTLS_ZERO_RTT */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_ZERO_RTT */ #if defined(MBEDTLS_X509_CRT_PARSE_C) /** @@ -2075,7 +2056,7 @@ void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf, void *p_vrfy ); #endif /* MBEDTLS_X509_CRT_PARSE_C */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /** * \brief Configure signature algorithms (Optional). * @@ -2091,7 +2072,7 @@ void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf, */ void mbedtls_ssl_conf_signature_algorithms( mbedtls_ssl_config *conf, const uint16_t *sig_algs ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ /** * \brief Set the random number generator callback @@ -2664,10 +2645,11 @@ typedef int mbedtls_ssl_cookie_check_t( void *ctx, const unsigned char *cookie, size_t clen, const unsigned char *info, size_t ilen ); -#if (defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) || (defined(MBEDTLS_SSL_COOKIE_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL))) && defined(MBEDTLS_SSL_SRV_C) - +#if (defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) || \ + (defined(MBEDTLS_SSL_COOKIE_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3))) \ + && defined(MBEDTLS_SSL_SRV_C) -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) /** * \brief Configures cookie handling * (Server only.) @@ -2691,7 +2673,7 @@ void mbedtls_ssl_conf_cookies(mbedtls_ssl_config* conf, mbedtls_ssl_cookie_check_t* f_cookie_check, void* p_cookie, unsigned int rr_conf); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) /** @@ -2751,7 +2733,9 @@ int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl, const unsigned char *info, size_t ilen ); -#endif /* ( MBEDTLS_SSL_DTLS_HELLO_VERIFY || (MBEDTLS_SSL_COOKIE_C && MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) ) && MBEDTLS_SSL_SRV_C */ +#endif /* ( MBEDTLS_SSL_DTLS_HELLO_VERIFY || + (MBEDTLS_SSL_COOKIE_C && MBEDTLS_SSL_PROTO_TLS1_3) ) + && MBEDTLS_SSL_SRV_C */ #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) /** @@ -3068,7 +3052,7 @@ int mbedtls_ssl_session_save( const mbedtls_ssl_session *session, void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf, const int *ciphersuites ); -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) /** * \brief Set the supported key exchange modes for TLS 1.3 connections. * @@ -3083,20 +3067,20 @@ void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf, * * \param conf The SSL configuration the change should apply to. * \param kex_modes A bitwise combination of one or more of the following: - * - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK + * - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK * This flag enables pure-PSK key exchanges. - * - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL + * - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL * This flag enables combined PSK-ephemeral key exchanges. - * - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL + * - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL * This flag enables pure-ephemeral key exchanges. * For convenience, the following pre-defined macros are * available for combinations of the above: - * - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL + * - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL * Includes all of pure-PSK, PSK-ephemeral and pure-ephemeral. - * - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL + * - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL * Includes both pure-PSK and combined PSK-ephemeral * key exchanges, but excludes pure-ephemeral key exchanges. - * - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL + * - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL * Includes both pure-ephemeral and combined PSK-ephemeral * key exchanges. * @@ -3113,7 +3097,7 @@ void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf, void mbedtls_ssl_conf_tls13_key_exchange_modes( mbedtls_ssl_config* conf, const int kex_modes ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) #define MBEDTLS_SSL_UNEXPECTED_CID_IGNORE 0 @@ -3281,7 +3265,7 @@ int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf, mbedtls_pk_context *pk_key ); #endif /* MBEDTLS_X509_CRT_PARSE_C */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) /** * \brief Set the supported key exchange modes for TLS 1.3 connections. * @@ -3311,21 +3295,21 @@ int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf, * The SSL configuration the change should apply to. * \param key_exchange_mode * A bitwise combination of one or more of the following: - * - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK + * - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK * This flag enables pure-PSK key exchanges. - * - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL + * - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL * This flag enables combined PSK-ephemeral key exchanges. - * - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL + * - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL * This flag enables pure-ephemeral key exchanges. * * \note For convenience, the following pre-defined macros are available * for all combinations of the above: - * - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL + * - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL * Includes all of pure-PSK, PSK-ephemeral and pure-ephemeral. - * - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL + * - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL * Includes both pure-PSK and combined PSK-ephemeral key exchanges, * but excludes pure-ephemeral key exchanges. - * - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL + * - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL * Includes both pure-ephemeral and combined PSK-ephemeral key exchanges, * * \note If a PSK-based key exchange mode shall be supported, applications @@ -3343,9 +3327,9 @@ int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf, int mbedtls_ssl_conf_tls13_key_exchange( mbedtls_ssl_config* conf, const int key_exchange_mode ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) /** * \brief Set meta-data for server-provided tickets. @@ -3369,7 +3353,7 @@ int mbedtls_ssl_conf_ticket_meta(mbedtls_ssl_config* conf, int mbedtls_ssl_conf_ticket_meta(mbedtls_ssl_config* conf, const uint32_t ticket_age_add); #endif /* MBEDTLS_HAVE_TIME */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) /** @@ -3584,6 +3568,7 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf, #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_ECP_C) +#if !defined(MBEDTLS_DEPRECATED_REMOVED) /** * \brief Set the allowed curves in order of preference. * @@ -3597,6 +3582,8 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf, * Both sides: limits the set of curves accepted for use in * ECDHE and in the peer's end-entity certificate. * + * \deprecated Superseeded by mbedtls_ssl_conf_groups(). + * * \note This has no influence on which curves are allowed inside the * certificate chains, see \c mbedtls_ssl_conf_cert_profile() * for that. For the end-entity certificate however, the key @@ -3623,26 +3610,50 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf, * \param curves Ordered list of allowed curves, * terminated by MBEDTLS_ECP_DP_NONE. */ -void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, - const mbedtls_ecp_group_id *curves ); +void MBEDTLS_DEPRECATED mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, + const mbedtls_ecp_group_id *curves ); +#endif /* MBEDTLS_DEPRECATED_REMOVED */ #endif /* MBEDTLS_ECP_C */ /** -* \brief Set the named groups/curves in order of preference for use -* in the key share extension. -* -* \note This list should be ordered by decreasing preference -* (preferred curve first). -* -* \param conf SSL configuration -* \param curves Ordered list of allowed curves, -* terminated by MBEDTLS_ECP_DP_NONE. -*/ - -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_ECP_C) -void mbedtls_ssl_conf_key_share_curves(mbedtls_ssl_config* conf, - const mbedtls_ecp_group_id* curve_list); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && MBEDTLS_SSL_CLI_C && MBEDTLS_ECP_C */ + * \brief Set the allowed groups in order of preference. + * + * On server: This only affects the choice of key agreement mechanism + * + * On client: this affects the list of groups offered for any + * use. The server can override our preference order. + * + * Both sides: limits the set of groups accepted for use in + * key sharing. + * + * \note This function replaces the deprecated mbedtls_ssl_conf_curves(), + * which only allows ECP curves to be configured. + * + * \note The most recent invocation of either mbedtls_ssl_conf_curves() + * or mbedtls_ssl_conf_groups() nullifies all previous invocations + * of both. + * + * \note This list should be ordered by decreasing preference + * (preferred group first). + * + * \note When this function is not called, a default list is used, + * consisting of all supported curves at 255 bits and above, + * and all supported finite fields at 2048 bits and above. + * The order favors groups with the lowest resource usage. + * + * \note New minor versions of Mbed TLS will not remove items + * from the default list unless serious security concerns require it. + * New minor versions of Mbed TLS may change the order in + * keeping with the general principle of favoring the lowest + * resource usage. + * + * \param conf SSL configuration + * \param groups List of allowed groups ordered by preference, terminated by 0. + * Must contain valid IANA NamedGroup IDs (provided via either an integer + * or using MBEDTLS_TLS1_3_NAMED_GROUP_XXX macros). + */ +void mbedtls_ssl_conf_groups( mbedtls_ssl_config *conf, + const uint16_t *groups ); #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /** @@ -3677,19 +3688,19 @@ void mbedtls_ssl_conf_key_share_curves(mbedtls_ssl_config* conf, void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf, const int *hashes ); -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) /** * \brief Configure allowed signature algorithms for use in TLS 1.3 * * \param conf The SSL configuration to use. * \param sig_algs List of allowed IANA values for TLS 1.3 signature algorithms, - * terminated by \c MBEDTLS_TLS13_SIG_NONE. The list must remain + * terminated by \c MBEDTLS_TLS1_3_SIG_NONE. The list must remain * available throughout the lifetime of the conf object. Supported - * values are available as \c MBEDTLS_TLS13_SIG_XXXX + * values are available as \c MBEDTLS_TLS1_3_SIG_XXXX */ void mbedtls_ssl_conf_sig_algs( mbedtls_ssl_config *conf, const uint16_t* sig_algs ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_X509_CRT_PARSE_C) @@ -4275,7 +4286,7 @@ uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl ); */ const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl ); -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) /** * \brief Return the negotiated key exchange mode id @@ -4286,7 +4297,7 @@ const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl ); */ mbedtls_key_exchange_type_t mbedtls_ssl_get_key_exchange(const mbedtls_ssl_context* ssl); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ /** * \brief Return the current TLS version diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h index 0edba1d203c3..dc9b1f20daee 100644 --- a/include/mbedtls/ssl_ciphersuites.h +++ b/include/mbedtls/ssl_ciphersuites.h @@ -388,7 +388,7 @@ const int *mbedtls_ssl_list_ciphersuites( void ); const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_string( const char *ciphersuite_name ); const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_id( int ciphersuite_id ); -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) /** * \brief Returns the size of the hash function output given the ciphersuite * @@ -397,7 +397,7 @@ const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_id( int ciphersuit * \return Size of output in bytes, -1 in case of error */ unsigned int mbedtls_hash_size_for_ciphersuite(const mbedtls_ssl_ciphersuite_t* ciphersuite); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_PK_C) mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg( const mbedtls_ssl_ciphersuite_t *info ); diff --git a/include/mbedtls/ssl_ticket.h b/include/mbedtls/ssl_ticket.h index 1d63ffc87ad4..0f9a63bc4811 100644 --- a/include/mbedtls/ssl_ticket.h +++ b/include/mbedtls/ssl_ticket.h @@ -62,9 +62,9 @@ typedef struct unsigned char MBEDTLS_PRIVATE(active); /*!< index of the currently active key */ uint32_t MBEDTLS_PRIVATE(ticket_lifetime); /*!< lifetime of tickets in seconds */ -#if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) && defined(MBEDTLS_SSL_PROTO_TLS1_3) mbedtls_ssl_ticket_flags MBEDTLS_PRIVATE(flags); /*!< ticket flags */ -#endif /* MBEDTLS_SSL_NEW_SESSION_TICKET && MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_NEW_SESSION_TICKET && MBEDTLS_SSL_PROTO_TLS1_3 */ /** Callback for getting (pseudo-)random numbers */ int (*MBEDTLS_PRIVATE(f_rng))(void *, unsigned char *, size_t); diff --git a/include/psa/crypto.h b/include/psa/crypto.h index b3ef3631d420..1643b2e352f2 100644 --- a/include/psa/crypto.h +++ b/include/psa/crypto.h @@ -153,10 +153,10 @@ static void psa_set_key_id( psa_key_attributes_t *attributes, * the owner of a key. * * \param[out] attributes The attribute structure to write to. - * \param owner_id The key owner identifier. + * \param owner The key owner identifier. */ static void mbedtls_set_key_owner_id( psa_key_attributes_t *attributes, - mbedtls_key_owner_id_t owner_id ); + mbedtls_key_owner_id_t owner ); #endif /** Set the location of a persistent key. @@ -2990,7 +2990,9 @@ psa_status_t psa_verify_message( mbedtls_svc_key_id_t key, * \param key Identifier of the key to use for the operation. * It must be an asymmetric key pair. The key must * allow the usage #PSA_KEY_USAGE_SIGN_HASH. - * \param alg A signature algorithm that is compatible with + * \param alg A signature algorithm (PSA_ALG_XXX + * value such that #PSA_ALG_IS_SIGN_HASH(\p alg) + * is true), that is compatible with * the type of \p key. * \param[in] hash The hash or message to sign. * \param hash_length Size of the \p hash buffer in bytes. @@ -3043,7 +3045,9 @@ psa_status_t psa_sign_hash(mbedtls_svc_key_id_t key, * must be a public key or an asymmetric key pair. The * key must allow the usage * #PSA_KEY_USAGE_VERIFY_HASH. - * \param alg A signature algorithm that is compatible with + * \param alg A signature algorithm (PSA_ALG_XXX + * value such that #PSA_ALG_IS_SIGN_HASH(\p alg) + * is true), that is compatible with * the type of \p key. * \param[in] hash The hash or message whose signature is to be * verified. @@ -3682,6 +3686,7 @@ psa_status_t psa_key_derivation_output_bytes( * The following key types defined in this specification follow this scheme: * * - #PSA_KEY_TYPE_AES; + * - #PSA_KEY_TYPE_ARIA; * - #PSA_KEY_TYPE_CAMELLIA; * - #PSA_KEY_TYPE_DERIVE; * - #PSA_KEY_TYPE_HMAC; diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h index 8075caf660f3..e11e239cf351 100644 --- a/include/psa/crypto_builtin_composites.h +++ b/include/psa/crypto_builtin_composites.h @@ -112,21 +112,4 @@ typedef struct #define MBEDTLS_PSA_AEAD_OPERATION_INIT {0, 0, 0, 0, {0}} -/* - * BEYOND THIS POINT, TEST DRIVER DECLARATIONS ONLY. - */ -#if defined(PSA_CRYPTO_DRIVER_TEST) - -typedef mbedtls_psa_mac_operation_t mbedtls_transparent_test_driver_mac_operation_t; -typedef mbedtls_psa_mac_operation_t mbedtls_opaque_test_driver_mac_operation_t; - -#define MBEDTLS_TRANSPARENT_TEST_DRIVER_MAC_OPERATION_INIT MBEDTLS_PSA_MAC_OPERATION_INIT -#define MBEDTLS_OPAQUE_TEST_DRIVER_MAC_OPERATION_INIT MBEDTLS_PSA_MAC_OPERATION_INIT - -typedef mbedtls_psa_aead_operation_t mbedtls_transparent_test_driver_aead_operation_t; - -#define MBEDTLS_TRANSPARENT_TEST_DRIVER_AEAD_OPERATION_INIT MBEDTLS_PSA_AEAD_OPERATION_INIT - -#endif /* PSA_CRYPTO_DRIVER_TEST */ - #endif /* PSA_CRYPTO_BUILTIN_COMPOSITES_H */ diff --git a/include/psa/crypto_builtin_primitives.h b/include/psa/crypto_builtin_primitives.h index 31f4aa6d55b4..d3cf33a9ddf3 100644 --- a/include/psa/crypto_builtin_primitives.h +++ b/include/psa/crypto_builtin_primitives.h @@ -61,21 +61,23 @@ typedef struct psa_algorithm_t MBEDTLS_PRIVATE(alg); union { - unsigned MBEDTLS_PRIVATE(dummy); /* Make the union non-empty even with no supported algorithms. */ -#if defined(MBEDTLS_MD5_C) - mbedtls_md5_context MBEDTLS_PRIVATE(md5); + unsigned dummy; /* Make the union non-empty even with no supported algorithms. */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5) + mbedtls_md5_context md5; #endif -#if defined(MBEDTLS_RIPEMD160_C) - mbedtls_ripemd160_context MBEDTLS_PRIVATE(ripemd160); +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160) + mbedtls_ripemd160_context ripemd160; #endif -#if defined(MBEDTLS_SHA1_C) - mbedtls_sha1_context MBEDTLS_PRIVATE(sha1); +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1) + mbedtls_sha1_context sha1; #endif -#if defined(MBEDTLS_SHA256_C) - mbedtls_sha256_context MBEDTLS_PRIVATE(sha256); +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224) + mbedtls_sha256_context sha256; #endif -#if defined(MBEDTLS_SHA512_C) - mbedtls_sha512_context MBEDTLS_PRIVATE(sha512); +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384) + mbedtls_sha512_context sha512; #endif } MBEDTLS_PRIVATE(ctx); } mbedtls_psa_hash_operation_t; @@ -112,29 +114,4 @@ typedef struct { #define MBEDTLS_PSA_CIPHER_OPERATION_INIT {0, 0, 0, {0}} -/* - * BEYOND THIS POINT, TEST DRIVER DECLARATIONS ONLY. - */ -#if defined(PSA_CRYPTO_DRIVER_TEST) - -typedef mbedtls_psa_hash_operation_t mbedtls_transparent_test_driver_hash_operation_t; - -#define MBEDTLS_TRANSPARENT_TEST_DRIVER_HASH_OPERATION_INIT MBEDTLS_PSA_HASH_OPERATION_INIT - -typedef mbedtls_psa_cipher_operation_t - mbedtls_transparent_test_driver_cipher_operation_t; - -typedef struct { - unsigned int initialised : 1; - mbedtls_transparent_test_driver_cipher_operation_t ctx; -} mbedtls_opaque_test_driver_cipher_operation_t; - -#define MBEDTLS_TRANSPARENT_TEST_DRIVER_CIPHER_OPERATION_INIT \ - MBEDTLS_PSA_CIPHER_OPERATION_INIT - -#define MBEDTLS_OPAQUE_TEST_DRIVER_CIPHER_OPERATION_INIT \ - { 0, MBEDTLS_TRANSPARENT_TEST_DRIVER_CIPHER_OPERATION_INIT } - -#endif /* PSA_CRYPTO_DRIVER_TEST */ - #endif /* PSA_CRYPTO_BUILTIN_PRIMITIVES_H */ diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index 64d8c5816921..6476e3cffb86 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h @@ -111,6 +111,7 @@ #define PSA_WANT_KEY_TYPE_DERIVE 1 #define PSA_WANT_KEY_TYPE_HMAC 1 #define PSA_WANT_KEY_TYPE_AES 1 +#define PSA_WANT_KEY_TYPE_ARIA 1 #define PSA_WANT_KEY_TYPE_CAMELLIA 1 #define PSA_WANT_KEY_TYPE_CHACHA20 1 #define PSA_WANT_KEY_TYPE_DES 1 diff --git a/include/psa/crypto_driver_common.h b/include/psa/crypto_driver_common.h index 1b6f3225678c..26363c6b2f3e 100644 --- a/include/psa/crypto_driver_common.h +++ b/include/psa/crypto_driver_common.h @@ -42,6 +42,9 @@ * of these types. */ #include "crypto_types.h" #include "crypto_values.h" +/* Include size definitions which are used to size some arrays in operation + * structures. */ +#include <psa/crypto_sizes.h> /** For encrypt-decrypt functions, whether the operation is an encryption * or a decryption. */ diff --git a/include/psa/crypto_driver_contexts_composites.h b/include/psa/crypto_driver_contexts_composites.h index 957986c22f29..3f1c8af4b819 100644 --- a/include/psa/crypto_driver_contexts_composites.h +++ b/include/psa/crypto_driver_contexts_composites.h @@ -36,11 +36,59 @@ #include "psa/crypto_driver_common.h" +/* Include the context structure definitions for the Mbed TLS software drivers */ +#include "psa/crypto_builtin_composites.h" + /* Include the context structure definitions for those drivers that were * declared during the autogeneration process. */ -/* Include the context structure definitions for the Mbed TLS software drivers */ -#include "psa/crypto_builtin_composites.h" +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) +#include <libtestdriver1/include/psa/crypto.h> +#endif + +#if defined(PSA_CRYPTO_DRIVER_TEST) +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_MAC) +typedef libtestdriver1_mbedtls_psa_mac_operation_t + mbedtls_transparent_test_driver_mac_operation_t; +typedef libtestdriver1_mbedtls_psa_mac_operation_t + mbedtls_opaque_test_driver_mac_operation_t; + +#define MBEDTLS_TRANSPARENT_TEST_DRIVER_MAC_OPERATION_INIT \ + LIBTESTDRIVER1_MBEDTLS_PSA_MAC_OPERATION_INIT +#define MBEDTLS_OPAQUE_TEST_DRIVER_MAC_OPERATION_INIT \ + LIBTESTDRIVER1_MBEDTLS_PSA_MAC_OPERATION_INIT + +#else +typedef mbedtls_psa_mac_operation_t + mbedtls_transparent_test_driver_mac_operation_t; +typedef mbedtls_psa_mac_operation_t + mbedtls_opaque_test_driver_mac_operation_t; + +#define MBEDTLS_TRANSPARENT_TEST_DRIVER_MAC_OPERATION_INIT \ + MBEDTLS_PSA_MAC_OPERATION_INIT +#define MBEDTLS_OPAQUE_TEST_DRIVER_MAC_OPERATION_INIT \ + MBEDTLS_PSA_MAC_OPERATION_INIT + +#endif /* MBEDTLS_TEST_LIBTESTDRIVER1 && LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_MAC */ + +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_AEAD) +typedef libtestdriver1_mbedtls_psa_aead_operation_t + mbedtls_transparent_test_driver_aead_operation_t; + +#define MBEDTLS_TRANSPARENT_TEST_DRIVER_AEAD_OPERATION_INIT \ + LIBTESTDRIVER1_MBEDTLS_PSA_AEAD_OPERATION_INIT +#else +typedef mbedtls_psa_aead_operation_t + mbedtls_transparent_test_driver_aead_operation_t; + +#define MBEDTLS_TRANSPARENT_TEST_DRIVER_AEAD_OPERATION_INIT \ + MBEDTLS_PSA_AEAD_OPERATION_INIT + +#endif /* MBEDTLS_TEST_LIBTESTDRIVER1 && LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_AEAD */ + +#endif /* PSA_CRYPTO_DRIVER_TEST */ /* Define the context to be used for an operation that is executed through the * PSA Driver wrapper layer as the union of all possible driver's contexts. diff --git a/include/psa/crypto_driver_contexts_primitives.h b/include/psa/crypto_driver_contexts_primitives.h index 104d4bdb6d61..2bb01ed432f7 100644 --- a/include/psa/crypto_driver_contexts_primitives.h +++ b/include/psa/crypto_driver_contexts_primitives.h @@ -35,11 +35,59 @@ #include "psa/crypto_driver_common.h" +/* Include the context structure definitions for the Mbed TLS software drivers */ +#include "psa/crypto_builtin_primitives.h" + /* Include the context structure definitions for those drivers that were * declared during the autogeneration process. */ -/* Include the context structure definitions for the Mbed TLS software drivers */ -#include "psa/crypto_builtin_primitives.h" +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) +#include <libtestdriver1/include/psa/crypto.h> +#endif + +#if defined(PSA_CRYPTO_DRIVER_TEST) + +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_CIPHER) +typedef libtestdriver1_mbedtls_psa_cipher_operation_t + mbedtls_transparent_test_driver_cipher_operation_t; + +#define MBEDTLS_TRANSPARENT_TEST_DRIVER_CIPHER_OPERATION_INIT \ + LIBTESTDRIVER1_MBEDTLS_PSA_CIPHER_OPERATION_INIT +#else +typedef mbedtls_psa_cipher_operation_t + mbedtls_transparent_test_driver_cipher_operation_t; + +#define MBEDTLS_TRANSPARENT_TEST_DRIVER_CIPHER_OPERATION_INIT \ + MBEDTLS_PSA_CIPHER_OPERATION_INIT +#endif /* MBEDTLS_TEST_LIBTESTDRIVER1 && + LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_CIPHER */ + +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_HASH) +typedef libtestdriver1_mbedtls_psa_hash_operation_t + mbedtls_transparent_test_driver_hash_operation_t; + +#define MBEDTLS_TRANSPARENT_TEST_DRIVER_HASH_OPERATION_INIT \ + LIBTESTDRIVER1_MBEDTLS_PSA_HASH_OPERATION_INIT +#else +typedef mbedtls_psa_hash_operation_t + mbedtls_transparent_test_driver_hash_operation_t; + +#define MBEDTLS_TRANSPARENT_TEST_DRIVER_HASH_OPERATION_INIT \ + MBEDTLS_PSA_HASH_OPERATION_INIT +#endif /* MBEDTLS_TEST_LIBTESTDRIVER1 && + LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_HASH */ + +typedef struct { + unsigned int initialised : 1; + mbedtls_transparent_test_driver_cipher_operation_t ctx; +} mbedtls_opaque_test_driver_cipher_operation_t; + +#define MBEDTLS_OPAQUE_TEST_DRIVER_CIPHER_OPERATION_INIT \ + { 0, MBEDTLS_TRANSPARENT_TEST_DRIVER_CIPHER_OPERATION_INIT } + +#endif /* PSA_CRYPTO_DRIVER_TEST */ /* Define the context to be used for an operation that is executed through the * PSA Driver wrapper layer as the union of all possible driver's contexts. diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 2c0b1067c8d5..1f68925ff6c6 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -31,6 +31,7 @@ #include "mbedtls/platform_util.h" +#include "crypto_types.h" #include "crypto_compat.h" #ifdef __cplusplus diff --git a/include/psa/crypto_sizes.h b/include/psa/crypto_sizes.h index 4c67f10afa2d..9bbcb34446e3 100644 --- a/include/psa/crypto_sizes.h +++ b/include/psa/crypto_sizes.h @@ -79,6 +79,38 @@ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_512 ? 64 : \ 0) +/** The input block size of a hash algorithm, in bytes. + * + * Hash algorithms process their input data in blocks. Hash operations will + * retain any partial blocks until they have enough input to fill the block or + * until the operation is finished. + * This affects the output from psa_hash_suspend(). + * + * \param alg A hash algorithm (\c PSA_ALG_XXX value such that + * PSA_ALG_IS_HASH(\p alg) is true). + * + * \return The block size in bytes for the specified hash algorithm. + * If the hash algorithm is not recognized, return 0. + * An implementation can return either 0 or the correct size for a + * hash algorithm that it recognizes, but does not support. + */ +#define PSA_HASH_BLOCK_LENGTH(alg) \ + ( \ + PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_MD5 ? 64 : \ + PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_RIPEMD160 ? 64 : \ + PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_1 ? 64 : \ + PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_224 ? 64 : \ + PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_256 ? 64 : \ + PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_384 ? 128 : \ + PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512 ? 128 : \ + PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_224 ? 128 : \ + PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_256 ? 128 : \ + PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_224 ? 144 : \ + PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_256 ? 136 : \ + PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_384 ? 104 : \ + PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_512 ? 72 : \ + 0) + /** \def PSA_HASH_MAX_SIZE * * Maximum size of a hash. @@ -89,7 +121,7 @@ /* Note: for HMAC-SHA-3, the block size is 144 bytes for HMAC-SHA3-226, * 136 bytes for HMAC-SHA3-256, 104 bytes for SHA3-384, 72 bytes for * HMAC-SHA3-512. */ -#if defined(MBEDTLS_SHA512_C) +#if defined(PSA_WANT_ALG_SHA_512) || defined(PSA_WANT_ALG_SHA_384) #define PSA_HASH_MAX_SIZE 64 #define PSA_HMAC_MAX_HASH_BLOCK_SIZE 128 #else @@ -959,7 +991,8 @@ (alg) == PSA_ALG_CBC_PKCS7) ? PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \ (key_type) == PSA_KEY_TYPE_CHACHA20 && \ (alg) == PSA_ALG_STREAM_CIPHER ? 12 : \ - 0) + (alg) == PSA_ALG_CCM_STAR_NO_TAG ? 13 : \ + 0) /** The maximum IV size for all supported cipher algorithms, in bytes. * diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index 26894156c5f9..2c61e53cf9a7 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -186,9 +186,6 @@ typedef struct { uint8_t *MBEDTLS_PRIVATE(info); size_t MBEDTLS_PRIVATE(info_length); - psa_mac_operation_t MBEDTLS_PRIVATE(hmac); - uint8_t MBEDTLS_PRIVATE(prk)[PSA_HASH_MAX_SIZE]; - uint8_t MBEDTLS_PRIVATE(output_block)[PSA_HASH_MAX_SIZE]; #if PSA_HASH_MAX_SIZE > 0xff #error "PSA_HASH_MAX_SIZE does not fit in uint8_t" #endif @@ -196,6 +193,9 @@ typedef struct uint8_t MBEDTLS_PRIVATE(block_number); unsigned int MBEDTLS_PRIVATE(state) : 2; unsigned int MBEDTLS_PRIVATE(info_set) : 1; + uint8_t MBEDTLS_PRIVATE(output_block)[PSA_HASH_MAX_SIZE]; + uint8_t MBEDTLS_PRIVATE(prk)[PSA_HASH_MAX_SIZE]; + struct psa_mac_operation_s MBEDTLS_PRIVATE(hmac); } psa_hkdf_key_derivation_t; #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */ diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index daef9416cce8..5a903f86abcf 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -466,6 +466,10 @@ */ #define PSA_KEY_TYPE_AES ((psa_key_type_t)0x2400) +/** Key for a cipher, AEAD or MAC algorithm based on the + * ARIA block cipher. */ +#define PSA_KEY_TYPE_ARIA ((psa_key_type_t)0x2406) + /** Key for a cipher or MAC algorithm based on DES or 3DES (Triple-DES). * * The size of the key can be 64 bits (single DES), 128 bits (2-key 3DES) or @@ -843,6 +847,9 @@ (PSA_ALG_IS_KEY_DERIVATION(alg) && \ (alg) & PSA_ALG_KEY_DERIVATION_STRETCHING_FLAG) +/** An invalid algorithm identifier value. */ +#define PSA_ALG_NONE ((psa_algorithm_t)0) + #define PSA_ALG_HASH_MASK ((psa_algorithm_t)0x000000ff) /** MD5 */ #define PSA_ALG_MD5 ((psa_algorithm_t)0x02000003) @@ -886,7 +893,7 @@ * algorithm parametrized with any supported hash. * * That is, suppose that `PSA_xxx_SIGNATURE` is one of the following macros: - * - #PSA_ALG_RSA_PKCS1V15_SIGN, #PSA_ALG_RSA_PSS, + * - #PSA_ALG_RSA_PKCS1V15_SIGN, #PSA_ALG_RSA_PSS, #PSA_ALG_RSA_PSS_ANY_SALT, * - #PSA_ALG_ECDSA, #PSA_ALG_DETERMINISTIC_ECDSA. * Then you may create and use a key as follows: * - Set the key usage field using #PSA_ALG_ANY_HASH, for example: @@ -1195,6 +1202,17 @@ */ #define PSA_ALG_CCM ((psa_algorithm_t)0x05500100) +/** The CCM* cipher mode without authentication. + * + * This is CCM* as specified in IEEE 802.15.4 §7, with a tag length of 0. + * For CCM* with a nonzero tag length, use the AEAD algorithm #PSA_ALG_CCM. + * + * The underlying block cipher is determined by the key type. + * + * Currently only 13-byte long IV's are supported. + */ +#define PSA_ALG_CCM_STAR_NO_TAG ((psa_algorithm_t)0x04c01300) + /** The GCM authenticated encryption algorithm. * * The underlying block cipher is determined by the key type. @@ -1341,6 +1359,7 @@ (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_PKCS1V15_SIGN_BASE) #define PSA_ALG_RSA_PSS_BASE ((psa_algorithm_t)0x06000300) +#define PSA_ALG_RSA_PSS_ANY_SALT_BASE ((psa_algorithm_t)0x06001300) /** RSA PSS signature with hashing. * * This is the signature scheme defined by RFC 8017 @@ -1361,9 +1380,72 @@ */ #define PSA_ALG_RSA_PSS(hash_alg) \ (PSA_ALG_RSA_PSS_BASE | ((hash_alg) & PSA_ALG_HASH_MASK)) -#define PSA_ALG_IS_RSA_PSS(alg) \ + +/** RSA PSS signature with hashing with relaxed verification. + * + * This algorithm has the same behavior as #PSA_ALG_RSA_PSS when signing, + * but allows an arbitrary salt length (including \c 0) when verifying a + * signature. + * + * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that + * #PSA_ALG_IS_HASH(\p hash_alg) is true). + * This includes #PSA_ALG_ANY_HASH + * when specifying the algorithm in a usage policy. + * + * \return The corresponding RSA PSS signature algorithm. + * \return Unspecified if \p hash_alg is not a supported + * hash algorithm. + */ +#define PSA_ALG_RSA_PSS_ANY_SALT(hash_alg) \ + (PSA_ALG_RSA_PSS_ANY_SALT_BASE | ((hash_alg) & PSA_ALG_HASH_MASK)) + +/** Whether the specified algorithm is RSA PSS with standard salt. + * + * \param alg An algorithm value or an algorithm policy wildcard. + * + * \return 1 if \p alg is of the form + * #PSA_ALG_RSA_PSS(\c hash_alg), + * where \c hash_alg is a hash algorithm or + * #PSA_ALG_ANY_HASH. 0 otherwise. + * This macro may return either 0 or 1 if \p alg is not + * a supported algorithm identifier or policy. + */ +#define PSA_ALG_IS_RSA_PSS_STANDARD_SALT(alg) \ (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_PSS_BASE) +/** Whether the specified algorithm is RSA PSS with any salt. + * + * \param alg An algorithm value or an algorithm policy wildcard. + * + * \return 1 if \p alg is of the form + * #PSA_ALG_RSA_PSS_ANY_SALT_BASE(\c hash_alg), + * where \c hash_alg is a hash algorithm or + * #PSA_ALG_ANY_HASH. 0 otherwise. + * This macro may return either 0 or 1 if \p alg is not + * a supported algorithm identifier or policy. + */ +#define PSA_ALG_IS_RSA_PSS_ANY_SALT(alg) \ + (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_PSS_ANY_SALT_BASE) + +/** Whether the specified algorithm is RSA PSS. + * + * This includes any of the RSA PSS algorithm variants, regardless of the + * constraints on salt length. + * + * \param alg An algorithm value or an algorithm policy wildcard. + * + * \return 1 if \p alg is of the form + * #PSA_ALG_RSA_PSS(\c hash_alg) or + * #PSA_ALG_RSA_PSS_ANY_SALT_BASE(\c hash_alg), + * where \c hash_alg is a hash algorithm or + * #PSA_ALG_ANY_HASH. 0 otherwise. + * This macro may return either 0 or 1 if \p alg is not + * a supported algorithm identifier or policy. + */ +#define PSA_ALG_IS_RSA_PSS(alg) \ + (PSA_ALG_IS_RSA_PSS_STANDARD_SALT(alg) || \ + PSA_ALG_IS_RSA_PSS_ANY_SALT(alg)) + #define PSA_ALG_ECDSA_BASE ((psa_algorithm_t)0x06000600) /** ECDSA signature with hashing. * @@ -1521,20 +1603,24 @@ * file. */ #define PSA_ALG_IS_VENDOR_HASH_AND_SIGN(alg) 0 -/** Whether the specified algorithm is a hash-and-sign algorithm. +/** Whether the specified algorithm is a signature algorithm that can be used + * with psa_sign_hash() and psa_verify_hash(). * - * Hash-and-sign algorithms are asymmetric (public-key) signature algorithms - * structured in two parts: first the calculation of a hash in a way that - * does not depend on the key, then the calculation of a signature from the - * hash value and the key. + * This encompasses all strict hash-and-sign algorithms categorized by + * PSA_ALG_IS_HASH_AND_SIGN(), as well as algorithms that follow the + * paradigm more loosely: + * - #PSA_ALG_RSA_PKCS1V15_SIGN_RAW (expects its input to be an encoded hash) + * - #PSA_ALG_ECDSA_ANY (doesn't specify what kind of hash the input is) * - * \param alg An algorithm identifier (value of type #psa_algorithm_t). + * \param alg An algorithm identifier (value of type psa_algorithm_t). * - * \return 1 if \p alg is a hash-and-sign algorithm, 0 otherwise. - * This macro may return either 0 or 1 if \p alg is not a supported - * algorithm identifier. + * \return 1 if alg is a signature algorithm that can be used to sign a + * hash. 0 if alg is a signature algorithm that can only be used + * to sign a message. 0 if alg is not a signature algorithm. + * This macro can return either 0 or 1 if alg is not a + * supported algorithm identifier. */ -#define PSA_ALG_IS_HASH_AND_SIGN(alg) \ +#define PSA_ALG_IS_SIGN_HASH(alg) \ (PSA_ALG_IS_RSA_PSS(alg) || PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) || \ PSA_ALG_IS_ECDSA(alg) || PSA_ALG_IS_HASH_EDDSA(alg) || \ PSA_ALG_IS_VENDOR_HASH_AND_SIGN(alg)) @@ -1551,7 +1637,37 @@ * supported algorithm identifier. */ #define PSA_ALG_IS_SIGN_MESSAGE(alg) \ - (PSA_ALG_IS_HASH_AND_SIGN(alg) || (alg) == PSA_ALG_PURE_EDDSA ) + (PSA_ALG_IS_SIGN_HASH(alg) || (alg) == PSA_ALG_PURE_EDDSA ) + +/** Whether the specified algorithm is a hash-and-sign algorithm. + * + * Hash-and-sign algorithms are asymmetric (public-key) signature algorithms + * structured in two parts: first the calculation of a hash in a way that + * does not depend on the key, then the calculation of a signature from the + * hash value and the key. Hash-and-sign algorithms encode the hash + * used for the hashing step, and you can call #PSA_ALG_SIGN_GET_HASH + * to extract this algorithm. + * + * Thus, for a hash-and-sign algorithm, + * `psa_sign_message(key, alg, input, ...)` is equivalent to + * ``` + * psa_hash_compute(PSA_ALG_SIGN_GET_HASH(alg), input, ..., hash, ...); + * psa_sign_hash(key, alg, hash, ..., signature, ...); + * ``` + * Most usefully, separating the hash from the signature allows the hash + * to be calculated in multiple steps with psa_hash_setup(), psa_hash_update() + * and psa_hash_finish(). Likewise psa_verify_message() is equivalent to + * calculating the hash and then calling psa_verify_hash(). + * + * \param alg An algorithm identifier (value of type #psa_algorithm_t). + * + * \return 1 if \p alg is a hash-and-sign algorithm, 0 otherwise. + * This macro may return either 0 or 1 if \p alg is not a supported + * algorithm identifier. + */ +#define PSA_ALG_IS_HASH_AND_SIGN(alg) \ + (PSA_ALG_IS_SIGN_HASH(alg) && \ + ((alg) & PSA_ALG_HASH_MASK) != 0) /** Get the hash used by a hash-and-sign signature algorithm. * @@ -1573,7 +1689,6 @@ */ #define PSA_ALG_SIGN_GET_HASH(alg) \ (PSA_ALG_IS_HASH_AND_SIGN(alg) ? \ - ((alg) & PSA_ALG_HASH_MASK) == 0 ? /*"raw" algorithm*/ 0 : \ ((alg) & PSA_ALG_HASH_MASK) | PSA_ALG_CATEGORY_HASH : \ 0) @@ -2064,6 +2179,9 @@ #define PSA_KEY_LOCATION_VENDOR_FLAG ((psa_key_location_t)0x800000) +/** The null key identifier. + */ +#define PSA_KEY_ID_NULL ((psa_key_id_t)0) /** The minimum value for a key identifier chosen by the application. */ #define PSA_KEY_ID_USER_MIN ((psa_key_id_t)0x00000001) diff --git a/library/.gitignore b/library/.gitignore index 6fde1f5e777a..f6619d273c9a 100644 --- a/library/.gitignore +++ b/library/.gitignore @@ -6,3 +6,5 @@ libmbed* # Automatically generated files /error.c /version_features.c +/ssl_debug_helpers_generated.c +/ssl_debug_helpers_generated.h diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 1f2f6220cd72..c4a33303a586 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -24,6 +24,7 @@ set(src_crypto chachapoly.c cipher.c cipher_wrap.c + constant_time.c cmac.c ctr_drbg.c des.c @@ -76,6 +77,7 @@ set(src_crypto sha1.c sha256.c sha512.c + ssl_debug_helpers_generated.c threading.c timing.c version.c @@ -117,6 +119,60 @@ set(src_tls mps_transform.c ) +if(GEN_FILES) + find_package(Perl REQUIRED) + + file(GLOB error_headers ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls/*.h) + add_custom_command( + OUTPUT + ${CMAKE_CURRENT_BINARY_DIR}/error.c + COMMAND + ${PERL_EXECUTABLE} + ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_errors.pl + ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls + ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files + ${CMAKE_CURRENT_BINARY_DIR}/error.c + DEPENDS + ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_errors.pl + ${error_headers} + ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files/error.fmt + ) + + add_custom_command( + OUTPUT + ${CMAKE_CURRENT_BINARY_DIR}/version_features.c + COMMAND + ${PERL_EXECUTABLE} + ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_features.pl + ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls + ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files + ${CMAKE_CURRENT_BINARY_DIR}/version_features.c + DEPENDS + ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_features.pl + ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls/mbedtls_config.h + ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files/version_features.fmt + ) + + add_custom_command( + OUTPUT + ${CMAKE_CURRENT_BINARY_DIR}/ssl_debug_helpers_generated.h + ${CMAKE_CURRENT_BINARY_DIR}/ssl_debug_helpers_generated.c + COMMAND + ${MBEDTLS_PYTHON_EXECUTABLE} + ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_ssl_debug_helpers.py + --mbedtls-root ${CMAKE_CURRENT_SOURCE_DIR}/.. + ${CMAKE_CURRENT_BINARY_DIR} + DEPENDS + ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_ssl_debug_helpers.py + ${error_headers} + ) +else() + link_to_source(error.c) + link_to_source(version_features.c) + link_to_source(ssl_debug_helpers_generated.c) + link_to_source(ssl_debug_helpers_generated.h) +endif() + if(CMAKE_COMPILER_IS_GNUCC) set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations -Wmissing-prototypes") endif(CMAKE_COMPILER_IS_GNUCC) @@ -204,7 +260,7 @@ endif(USE_STATIC_MBEDTLS_LIBRARY) if(USE_SHARED_MBEDTLS_LIBRARY) add_library(${mbedcrypto_target} SHARED ${src_crypto}) - set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.0.0 SOVERSION 10) + set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.1.0 SOVERSION 11) target_link_libraries(${mbedcrypto_target} PUBLIC ${libs}) if(TARGET everest) @@ -217,11 +273,11 @@ if(USE_SHARED_MBEDTLS_LIBRARY) endif() add_library(${mbedx509_target} SHARED ${src_x509}) - set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.0.0 SOVERSION 4) + set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.1.0 SOVERSION 4) target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target}) add_library(${mbedtls_target} SHARED ${src_tls}) - set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.0.0 SOVERSION 16) + set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.1.0 SOVERSION 17) target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target}) endif(USE_SHARED_MBEDTLS_LIBRARY) diff --git a/library/Makefile b/library/Makefile index b28dbd4af6e9..4c97dc9bac5b 100644 --- a/library/Makefile +++ b/library/Makefile @@ -24,6 +24,12 @@ endif PERL ?= perl +ifdef WINDOWS +PYTHON ?= python +else +PYTHON ?= $(shell if type python3 >/dev/null 2>/dev/null; then echo python3; else echo python; fi) +endif + # if were running on Windows build for Windows ifdef WINDOWS WINDOWS_BUILD=1 @@ -41,9 +47,9 @@ LOCAL_CFLAGS += -fPIC -fpic endif endif -SOEXT_TLS=so.16 +SOEXT_TLS=so.17 SOEXT_X509=so.4 -SOEXT_CRYPTO=so.10 +SOEXT_CRYPTO=so.11 # Set AR_DASH= (empty string) to use an ar implementation that does not accept # the - prefix for command line options (e.g. llvm-ar) @@ -84,6 +90,7 @@ OBJS_CRYPTO= \ cipher.o \ cipher_wrap.o \ cmac.o \ + constant_time.o \ ctr_drbg.o \ des.o \ dhm.o \ @@ -135,6 +142,7 @@ OBJS_CRYPTO= \ sha1.o \ sha256.o \ sha512.o \ + ssl_debug_helpers_generated.o \ threading.o \ timing.o \ version.o \ @@ -198,6 +206,14 @@ static: libmbedcrypto.a libmbedx509.a libmbedtls.a shared: libmbedcrypto.$(DLEXT) libmbedx509.$(DLEXT) libmbedtls.$(DLEXT) +# Windows builds under Mingw can fail if make tries to create archives in the same +# directory at the same time - see https://bugs.launchpad.net/gcc-arm-embedded/+bug/1848002. +# This forces builds of the .a files to be serialised. +ifdef WINDOWS +libmbedtls.a: | libmbedx509.a +libmbedx509.a: | libmbedcrypto.a +endif + # tls libmbedtls.a: $(OBJS_TLS) echo " AR $@" @@ -211,7 +227,7 @@ endif libmbedtls.$(SOEXT_TLS): $(OBJS_TLS) libmbedx509.so echo " LD $@" - $(CC) -shared -Wl,-soname,$@ -L. -lmbedcrypto -lmbedx509 $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ $(OBJS_TLS) + $(CC) -shared -Wl,-soname,$@ -o $@ $(OBJS_TLS) -L. -lmbedx509 -lmbedcrypto $(LOCAL_LDFLAGS) $(LDFLAGS) libmbedtls.so: libmbedtls.$(SOEXT_TLS) echo " LN $@ -> $<" @@ -219,11 +235,11 @@ libmbedtls.so: libmbedtls.$(SOEXT_TLS) libmbedtls.dylib: $(OBJS_TLS) libmbedx509.dylib echo " LD $@" - $(CC) -dynamiclib -L. -lmbedcrypto -lmbedx509 $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ $(OBJS_TLS) + $(CC) -dynamiclib -o $@ $(OBJS_TLS) -L. -lmbedx509 -lmbedcrypto $(LOCAL_LDFLAGS) $(LDFLAGS) libmbedtls.dll: $(OBJS_TLS) libmbedx509.dll echo " LD $@" - $(CC) -shared -Wl,-soname,$@ -Wl,--out-implib,$@.a -o $@ $(OBJS_TLS) -lws2_32 -lwinmm -lgdi32 -L. -lmbedcrypto -lmbedx509 -static-libgcc $(LOCAL_LDFLAGS) $(LDFLAGS) + $(CC) -shared -Wl,-soname,$@ -Wl,--out-implib,$@.a -o $@ $(OBJS_TLS) -lws2_32 -lwinmm -lgdi32 -L. -lmbedx509 -lmbedcrypto -static-libgcc $(LOCAL_LDFLAGS) $(LDFLAGS) # x509 libmbedx509.a: $(OBJS_X509) @@ -238,7 +254,7 @@ endif libmbedx509.$(SOEXT_X509): $(OBJS_X509) libmbedcrypto.so echo " LD $@" - $(CC) -shared -Wl,-soname,$@ -L. -lmbedcrypto $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ $(OBJS_X509) + $(CC) -shared -Wl,-soname,$@ -o $@ $(OBJS_X509) -L. -lmbedcrypto $(LOCAL_LDFLAGS) $(LDFLAGS) libmbedx509.so: libmbedx509.$(SOEXT_X509) echo " LN $@ -> $<" @@ -246,7 +262,7 @@ libmbedx509.so: libmbedx509.$(SOEXT_X509) libmbedx509.dylib: $(OBJS_X509) libmbedcrypto.dylib echo " LD $@" - $(CC) -dynamiclib -L. -lmbedcrypto $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ $(OBJS_X509) + $(CC) -dynamiclib -o $@ $(OBJS_X509) -L. -lmbedcrypto $(LOCAL_LDFLAGS) $(LDFLAGS) libmbedx509.dll: $(OBJS_X509) libmbedcrypto.dll echo " LD $@" @@ -265,7 +281,7 @@ endif libmbedcrypto.$(SOEXT_CRYPTO): $(OBJS_CRYPTO) echo " LD $@" - $(CC) -shared -Wl,-soname,$@ $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ $(OBJS_CRYPTO) + $(CC) -shared -Wl,-soname,$@ -o $@ $(OBJS_CRYPTO) $(LOCAL_LDFLAGS) $(LDFLAGS) libmbedcrypto.so: libmbedcrypto.$(SOEXT_CRYPTO) echo " LN $@ -> $<" @@ -273,7 +289,7 @@ libmbedcrypto.so: libmbedcrypto.$(SOEXT_CRYPTO) libmbedcrypto.dylib: $(OBJS_CRYPTO) echo " LD $@" - $(CC) -dynamiclib $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ $(OBJS_CRYPTO) + $(CC) -dynamiclib -o $@ $(OBJS_CRYPTO) $(LOCAL_LDFLAGS) $(LDFLAGS) libmbedcrypto.dll: $(OBJS_CRYPTO) echo " LD $@" @@ -284,7 +300,9 @@ libmbedcrypto.dll: $(OBJS_CRYPTO) $(CC) $(LOCAL_CFLAGS) $(CFLAGS) -o $@ -c $< .PHONY: generated_files -GENERATED_FILES = error.c version_features.c +GENERATED_FILES = \ + error.c version_features.c \ + ssl_debug_helpers_generated.c ssl_debug_helpers_generated.h generated_files: $(GENERATED_FILES) error.c: ../scripts/generate_errors.pl @@ -294,6 +312,13 @@ error.c: echo " Gen $@" $(PERL) ../scripts/generate_errors.pl +ssl_debug_helpers_generated.c: | ssl_debug_helpers_generated.h +ssl_debug_helpers_generated.h: ../scripts/generate_ssl_debug_helpers.py +ssl_debug_helpers_generated.h: $(filter-out %config%,$(wildcard ../include/mbedtls/*.h)) +ssl_debug_helpers_generated.h: + echo " Gen $@" + $(PYTHON) ../scripts/generate_ssl_debug_helpers.py --mbedtls-root .. . + version_features.c: ../scripts/generate_features.pl version_features.c: ../scripts/data_files/version_features.fmt ## The generated file only depends on the options that are present in mbedtls_config.h, diff --git a/library/base64.c b/library/base64.c index a516c1d4a3d5..83daa0bcc67f 100644 --- a/library/base64.c +++ b/library/base64.c @@ -22,7 +22,7 @@ #if defined(MBEDTLS_BASE64_C) #include "mbedtls/base64.h" -#include "base64_invasive.h" +#include "constant_time_internal.h" #include <stdint.h> @@ -38,41 +38,6 @@ #define BASE64_SIZE_T_MAX ( (size_t) -1 ) /* SIZE_T_MAX is not standard */ -/* Return 0xff if low <= c <= high, 0 otherwise. - * - * Constant flow with respect to c. - */ -MBEDTLS_STATIC_TESTABLE -unsigned char mbedtls_base64_mask_of_range( unsigned char low, - unsigned char high, - unsigned char c ) -{ - /* low_mask is: 0 if low <= c, 0x...ff if low > c */ - unsigned low_mask = ( (unsigned) c - low ) >> 8; - /* high_mask is: 0 if c <= high, 0x...ff if c > high */ - unsigned high_mask = ( (unsigned) high - c ) >> 8; - return( ~( low_mask | high_mask ) & 0xff ); -} - -/* Given a value in the range 0..63, return the corresponding Base64 digit. - * The implementation assumes that letters are consecutive (e.g. ASCII - * but not EBCDIC). - */ -MBEDTLS_STATIC_TESTABLE -unsigned char mbedtls_base64_enc_char( unsigned char val ) -{ - unsigned char digit = 0; - /* For each range of values, if val is in that range, mask digit with - * the corresponding value. Since val can only be in a single range, - * only at most one masking will change digit. */ - digit |= mbedtls_base64_mask_of_range( 0, 25, val ) & ( 'A' + val ); - digit |= mbedtls_base64_mask_of_range( 26, 51, val ) & ( 'a' + val - 26 ); - digit |= mbedtls_base64_mask_of_range( 52, 61, val ) & ( '0' + val - 52 ); - digit |= mbedtls_base64_mask_of_range( 62, 62, val ) & '+'; - digit |= mbedtls_base64_mask_of_range( 63, 63, val ) & '/'; - return( digit ); -} - /* * Encode a buffer into base64 format */ @@ -113,12 +78,12 @@ int mbedtls_base64_encode( unsigned char *dst, size_t dlen, size_t *olen, C2 = *src++; C3 = *src++; - *p++ = mbedtls_base64_enc_char( ( C1 >> 2 ) & 0x3F ); - *p++ = mbedtls_base64_enc_char( ( ( ( C1 & 3 ) << 4 ) + ( C2 >> 4 ) ) + *p++ = mbedtls_ct_base64_enc_char( ( C1 >> 2 ) & 0x3F ); + *p++ = mbedtls_ct_base64_enc_char( ( ( ( C1 & 3 ) << 4 ) + ( C2 >> 4 ) ) & 0x3F ); - *p++ = mbedtls_base64_enc_char( ( ( ( C2 & 15 ) << 2 ) + ( C3 >> 6 ) ) + *p++ = mbedtls_ct_base64_enc_char( ( ( ( C2 & 15 ) << 2 ) + ( C3 >> 6 ) ) & 0x3F ); - *p++ = mbedtls_base64_enc_char( C3 & 0x3F ); + *p++ = mbedtls_ct_base64_enc_char( C3 & 0x3F ); } if( i < slen ) @@ -126,12 +91,12 @@ int mbedtls_base64_encode( unsigned char *dst, size_t dlen, size_t *olen, C1 = *src++; C2 = ( ( i + 1 ) < slen ) ? *src++ : 0; - *p++ = mbedtls_base64_enc_char( ( C1 >> 2 ) & 0x3F ); - *p++ = mbedtls_base64_enc_char( ( ( ( C1 & 3 ) << 4 ) + ( C2 >> 4 ) ) + *p++ = mbedtls_ct_base64_enc_char( ( C1 >> 2 ) & 0x3F ); + *p++ = mbedtls_ct_base64_enc_char( ( ( ( C1 & 3 ) << 4 ) + ( C2 >> 4 ) ) & 0x3F ); if( ( i + 1 ) < slen ) - *p++ = mbedtls_base64_enc_char( ( ( C2 & 15 ) << 2 ) & 0x3F ); + *p++ = mbedtls_ct_base64_enc_char( ( ( C2 & 15 ) << 2 ) & 0x3F ); else *p++ = '='; *p++ = '='; @@ -143,35 +108,6 @@ int mbedtls_base64_encode( unsigned char *dst, size_t dlen, size_t *olen, return( 0 ); } -/* Given a Base64 digit, return its value. - * If c is not a Base64 digit ('A'..'Z', 'a'..'z', '0'..'9', '+' or '/'), - * return -1. - * - * The implementation assumes that letters are consecutive (e.g. ASCII - * but not EBCDIC). - * - * The implementation is constant-flow (no branch or memory access depending - * on the value of c) unless the compiler inlines and optimizes a specific - * access. - */ -MBEDTLS_STATIC_TESTABLE -signed char mbedtls_base64_dec_value( unsigned char c ) -{ - unsigned char val = 0; - /* For each range of digits, if c is in that range, mask val with - * the corresponding value. Since c can only be in a single range, - * only at most one masking will change val. Set val to one plus - * the desired value so that it stays 0 if c is in none of the ranges. */ - val |= mbedtls_base64_mask_of_range( 'A', 'Z', c ) & ( c - 'A' + 0 + 1 ); - val |= mbedtls_base64_mask_of_range( 'a', 'z', c ) & ( c - 'a' + 26 + 1 ); - val |= mbedtls_base64_mask_of_range( '0', '9', c ) & ( c - '0' + 52 + 1 ); - val |= mbedtls_base64_mask_of_range( '+', '+', c ) & ( c - '+' + 62 + 1 ); - val |= mbedtls_base64_mask_of_range( '/', '/', c ) & ( c - '/' + 63 + 1 ); - /* At this point, val is 0 if c is an invalid digit and v+1 if c is - * a digit with the value v. */ - return( val - 1 ); -} - /* * Decode a base64-formatted buffer */ @@ -224,7 +160,7 @@ int mbedtls_base64_decode( unsigned char *dst, size_t dlen, size_t *olen, { if( equals != 0 ) return( MBEDTLS_ERR_BASE64_INVALID_CHARACTER ); - if( mbedtls_base64_dec_value( src[i] ) < 0 ) + if( mbedtls_ct_base64_dec_value( src[i] ) < 0 ) return( MBEDTLS_ERR_BASE64_INVALID_CHARACTER ); } n++; @@ -259,7 +195,7 @@ int mbedtls_base64_decode( unsigned char *dst, size_t dlen, size_t *olen, if( *src == '=' ) ++equals; else - x |= mbedtls_base64_dec_value( *src ); + x |= mbedtls_ct_base64_dec_value( *src ); if( ++accumulated_digits == 4 ) { diff --git a/library/base64_invasive.h b/library/base64_invasive.h deleted file mode 100644 index 9e264719d4f8..000000000000 --- a/library/base64_invasive.h +++ /dev/null @@ -1,55 +0,0 @@ -/** - * \file base_invasive.h - * - * \brief Base64 module: interfaces for invasive testing only. - * - * The interfaces in this file are intended for testing purposes only. - * They SHOULD NOT be made available in library integrations except when - * building the library for testing. - */ -/* - * Copyright The Mbed TLS Contributors - * SPDX-License-Identifier: Apache-2.0 - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may - * not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -#ifndef MBEDTLS_BASE64_INVASIVE_H -#define MBEDTLS_BASE64_INVASIVE_H - -#include "common.h" - -#if defined(MBEDTLS_TEST_HOOKS) -/* Return 0xff if low <= c <= high, 0 otherwise. - * - * Constant flow with respect to c. - */ -unsigned char mbedtls_base64_mask_of_range( unsigned char low, - unsigned char high, - unsigned char c ); - -/* Given a value in the range 0..63, return the corresponding Base64 digit. - * - * Operates in constant time (no branches or memory access depending on val). - */ -unsigned char mbedtls_base64_enc_char( unsigned char val ); - -/* Given a Base64 digit, return its value. - * If c is not a Base64 digit ('A'..'Z', 'a'..'z', '0'..'9', '+' or '/'), - * return -1. - * - * Operates in constant time (no branches or memory access depending on c). - */ -signed char mbedtls_base64_dec_value( unsigned char c ); -#endif /* MBEDTLS_TEST_HOOKS */ - -#endif /* MBEDTLS_SSL_INVASIVE_H */ diff --git a/library/bignum.c b/library/bignum.c index 42ec7ac3141d..e47e25917d9d 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -41,7 +41,9 @@ #include "bn_mul.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" +#include "constant_time_internal.h" +#include <limits.h> #include <string.h> #if defined(MBEDTLS_PLATFORM_C) @@ -268,162 +270,6 @@ void mbedtls_mpi_swap( mbedtls_mpi *X, mbedtls_mpi *Y ) memcpy( Y, &T, sizeof( mbedtls_mpi ) ); } -/** - * Select between two sign values in constant-time. - * - * This is functionally equivalent to second ? a : b but uses only bit - * operations in order to avoid branches. - * - * \param[in] a The first sign; must be either +1 or -1. - * \param[in] b The second sign; must be either +1 or -1. - * \param[in] second Must be either 1 (return b) or 0 (return a). - * - * \return The selected sign value. - */ -static int mpi_safe_cond_select_sign( int a, int b, unsigned char second ) -{ - /* In order to avoid questions about what we can reasonnably assume about - * the representations of signed integers, move everything to unsigned - * by taking advantage of the fact that a and b are either +1 or -1. */ - unsigned ua = a + 1; - unsigned ub = b + 1; - - /* second was 0 or 1, mask is 0 or 2 as are ua and ub */ - const unsigned mask = second << 1; - - /* select ua or ub */ - unsigned ur = ( ua & ~mask ) | ( ub & mask ); - - /* ur is now 0 or 2, convert back to -1 or +1 */ - return( (int) ur - 1 ); -} - -/* - * Conditionally assign dest = src, without leaking information - * about whether the assignment was made or not. - * dest and src must be arrays of limbs of size n. - * assign must be 0 or 1. - */ -static void mpi_safe_cond_assign( size_t n, - mbedtls_mpi_uint *dest, - const mbedtls_mpi_uint *src, - unsigned char assign ) -{ - size_t i; - - /* MSVC has a warning about unary minus on unsigned integer types, - * but this is well-defined and precisely what we want to do here. */ -#if defined(_MSC_VER) -#pragma warning( push ) -#pragma warning( disable : 4146 ) -#endif - - /* all-bits 1 if assign is 1, all-bits 0 if assign is 0 */ - const mbedtls_mpi_uint mask = -assign; - -#if defined(_MSC_VER) -#pragma warning( pop ) -#endif - - for( i = 0; i < n; i++ ) - dest[i] = ( src[i] & mask ) | ( dest[i] & ~mask ); -} - -/* - * Conditionally assign X = Y, without leaking information - * about whether the assignment was made or not. - * (Leaking information about the respective sizes of X and Y is ok however.) - */ -int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned char assign ) -{ - int ret = 0; - size_t i; - mbedtls_mpi_uint limb_mask; - MPI_VALIDATE_RET( X != NULL ); - MPI_VALIDATE_RET( Y != NULL ); - - /* MSVC has a warning about unary minus on unsigned integer types, - * but this is well-defined and precisely what we want to do here. */ -#if defined(_MSC_VER) -#pragma warning( push ) -#pragma warning( disable : 4146 ) -#endif - - /* make sure assign is 0 or 1 in a time-constant manner */ - assign = (assign | (unsigned char)-assign) >> (sizeof( assign ) * 8 - 1); - /* all-bits 1 if assign is 1, all-bits 0 if assign is 0 */ - limb_mask = -assign; - -#if defined(_MSC_VER) -#pragma warning( pop ) -#endif - - MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) ); - - X->s = mpi_safe_cond_select_sign( X->s, Y->s, assign ); - - mpi_safe_cond_assign( Y->n, X->p, Y->p, assign ); - - for( i = Y->n; i < X->n; i++ ) - X->p[i] &= ~limb_mask; - -cleanup: - return( ret ); -} - -/* - * Conditionally swap X and Y, without leaking information - * about whether the swap was made or not. - * Here it is not ok to simply swap the pointers, which whould lead to - * different memory access patterns when X and Y are used afterwards. - */ -int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char swap ) -{ - int ret, s; - size_t i; - mbedtls_mpi_uint limb_mask; - mbedtls_mpi_uint tmp; - MPI_VALIDATE_RET( X != NULL ); - MPI_VALIDATE_RET( Y != NULL ); - - if( X == Y ) - return( 0 ); - - /* MSVC has a warning about unary minus on unsigned integer types, - * but this is well-defined and precisely what we want to do here. */ -#if defined(_MSC_VER) -#pragma warning( push ) -#pragma warning( disable : 4146 ) -#endif - - /* make sure swap is 0 or 1 in a time-constant manner */ - swap = (swap | (unsigned char)-swap) >> (sizeof( swap ) * 8 - 1); - /* all-bits 1 if swap is 1, all-bits 0 if swap is 0 */ - limb_mask = -swap; - -#if defined(_MSC_VER) -#pragma warning( pop ) -#endif - - MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_grow( Y, X->n ) ); - - s = X->s; - X->s = mpi_safe_cond_select_sign( X->s, Y->s, swap ); - Y->s = mpi_safe_cond_select_sign( Y->s, s, swap ); - - - for( i = 0; i < X->n; i++ ) - { - tmp = X->p[i]; - X->p[i] = ( X->p[i] & ~limb_mask ) | ( Y->p[i] & limb_mask ); - Y->p[i] = ( Y->p[i] & ~limb_mask ) | ( tmp & limb_mask ); - } - -cleanup: - return( ret ); -} - /* * Set value from integer */ @@ -1246,107 +1092,6 @@ int mbedtls_mpi_cmp_mpi( const mbedtls_mpi *X, const mbedtls_mpi *Y ) return( 0 ); } -/** Decide if an integer is less than the other, without branches. - * - * \param x First integer. - * \param y Second integer. - * - * \return 1 if \p x is less than \p y, 0 otherwise - */ -static unsigned ct_lt_mpi_uint( const mbedtls_mpi_uint x, - const mbedtls_mpi_uint y ) -{ - mbedtls_mpi_uint ret; - mbedtls_mpi_uint cond; - - /* - * Check if the most significant bits (MSB) of the operands are different. - */ - cond = ( x ^ y ); - /* - * If the MSB are the same then the difference x-y will be negative (and - * have its MSB set to 1 during conversion to unsigned) if and only if x<y. - */ - ret = ( x - y ) & ~cond; - /* - * If the MSB are different, then the operand with the MSB of 1 is the - * bigger. (That is if y has MSB of 1, then x<y is true and it is false if - * the MSB of y is 0.) - */ - ret |= y & cond; - - - ret = ret >> ( biL - 1 ); - - return (unsigned) ret; -} - -/* - * Compare signed values in constant time - */ -int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *X, const mbedtls_mpi *Y, - unsigned *ret ) -{ - size_t i; - /* The value of any of these variables is either 0 or 1 at all times. */ - unsigned cond, done, X_is_negative, Y_is_negative; - - MPI_VALIDATE_RET( X != NULL ); - MPI_VALIDATE_RET( Y != NULL ); - MPI_VALIDATE_RET( ret != NULL ); - - if( X->n != Y->n ) - return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; - - /* - * Set sign_N to 1 if N >= 0, 0 if N < 0. - * We know that N->s == 1 if N >= 0 and N->s == -1 if N < 0. - */ - X_is_negative = ( X->s & 2 ) >> 1; - Y_is_negative = ( Y->s & 2 ) >> 1; - - /* - * If the signs are different, then the positive operand is the bigger. - * That is if X is negative (X_is_negative == 1), then X < Y is true and it - * is false if X is positive (X_is_negative == 0). - */ - cond = ( X_is_negative ^ Y_is_negative ); - *ret = cond & X_is_negative; - - /* - * This is a constant-time function. We might have the result, but we still - * need to go through the loop. Record if we have the result already. - */ - done = cond; - - for( i = X->n; i > 0; i-- ) - { - /* - * If Y->p[i - 1] < X->p[i - 1] then X < Y is true if and only if both - * X and Y are negative. - * - * Again even if we can make a decision, we just mark the result and - * the fact that we are done and continue looping. - */ - cond = ct_lt_mpi_uint( Y->p[i - 1], X->p[i - 1] ); - *ret |= cond & ( 1 - done ) & X_is_negative; - done |= cond; - - /* - * If X->p[i - 1] < Y->p[i - 1] then X < Y is true if and only if both - * X and Y are positive. - * - * Again even if we can make a decision, we just mark the result and - * the fact that we are done and continue looping. - */ - cond = ct_lt_mpi_uint( X->p[i - 1], Y->p[i - 1] ); - *ret |= cond & ( 1 - done ) & ( 1 - X_is_negative ); - done |= cond; - } - - return( 0 ); -} - /* * Compare signed values */ @@ -2207,7 +1952,7 @@ static void mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi * so d[n] == 1 and we want to set A to the result of the subtraction * which is d - (2^biL)^n, i.e. the n least significant limbs of d. * This exactly corresponds to a conditional assignment. */ - mpi_safe_cond_assign( n, A->p, d, (unsigned char) d[n] ); + mbedtls_ct_mpi_uint_cond_assign( n, A->p, d, (unsigned char) d[n] ); } /* @@ -2227,42 +1972,6 @@ static void mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N, mpi_montmul( A, &U, N, mm, T ); } -/* - * Constant-flow boolean "equal" comparison: - * return x == y - * - * This function can be used to write constant-time code by replacing branches - * with bit operations - it can be used in conjunction with - * mbedtls_ssl_cf_mask_from_bit(). - * - * This function is implemented without using comparison operators, as those - * might be translated to branches by some compilers on some platforms. - */ -static size_t mbedtls_mpi_cf_bool_eq( size_t x, size_t y ) -{ - /* diff = 0 if x == y, non-zero otherwise */ - const size_t diff = x ^ y; - - /* MSVC has a warning about unary minus on unsigned integer types, - * but this is well-defined and precisely what we want to do here. */ -#if defined(_MSC_VER) -#pragma warning( push ) -#pragma warning( disable : 4146 ) -#endif - - /* diff_msb's most significant bit is equal to x != y */ - const size_t diff_msb = ( diff | (size_t) -diff ); - -#if defined(_MSC_VER) -#pragma warning( pop ) -#endif - - /* diff1 = (x != y) ? 1 : 0 */ - const size_t diff1 = diff_msb >> ( sizeof( diff_msb ) * 8 - 1 ); - - return( 1 ^ diff1 ); -} - /** * Select an MPI from a table without leaking the index. * @@ -2285,7 +1994,7 @@ static int mpi_select( mbedtls_mpi *R, const mbedtls_mpi *T, size_t T_size, size for( size_t i = 0; i < T_size; i++ ) { MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( R, &T[i], - (unsigned char) mbedtls_mpi_cf_bool_eq( i, idx ) ) ); + (unsigned char) mbedtls_ct_size_bool_eq( i, idx ) ) ); } cleanup: diff --git a/library/ccm.c b/library/ccm.c index 15efff79f079..e06267856929 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -150,9 +150,20 @@ static int ccm_calculate_first_block_if_ready(mbedtls_ccm_context *ctx) if( !(ctx->state & CCM_STATE__STARTED) || !(ctx->state & CCM_STATE__LENGHTS_SET) ) return 0; - if( ctx->tag_len == 0 && \ - ( ctx->mode == MBEDTLS_CCM_ENCRYPT || ctx->mode == MBEDTLS_CCM_DECRYPT ) ) - return( MBEDTLS_ERR_CCM_BAD_INPUT ); + /* CCM expects non-empty tag. + * CCM* allows empty tag. For CCM* without tag, ignore plaintext length. + */ + if( ctx->tag_len == 0 ) + { + if( ctx->mode == MBEDTLS_CCM_STAR_ENCRYPT || ctx->mode == MBEDTLS_CCM_STAR_DECRYPT ) + { + ctx->plaintext_len = 0; + } + else + { + return( MBEDTLS_ERR_CCM_BAD_INPUT ); + } + } /* * First block: @@ -342,7 +353,10 @@ int mbedtls_ccm_update( mbedtls_ccm_context *ctx, return MBEDTLS_ERR_CCM_BAD_INPUT; } - if( ctx->processed + input_len > ctx->plaintext_len ) + /* Check against plaintext length only if performing operation with + * authentication + */ + if( ctx->tag_len != 0 && ctx->processed + input_len > ctx->plaintext_len ) { return MBEDTLS_ERR_CCM_BAD_INPUT; } diff --git a/library/cipher.c b/library/cipher.c index dc801894b749..03e84c6c8548 100644 --- a/library/cipher.c +++ b/library/cipher.c @@ -29,6 +29,7 @@ #include "cipher_wrap.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" +#include "mbedtls/constant_time.h" #include <stdlib.h> #include <string.h> @@ -74,27 +75,6 @@ #define CIPHER_VALIDATE( cond ) \ MBEDTLS_INTERNAL_VALIDATE( cond ) -#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) -/* Compare the contents of two buffers in constant time. - * Returns 0 if the contents are bitwise identical, otherwise returns - * a non-zero value. - * This is currently only used by GCM and ChaCha20+Poly1305. - */ -static int mbedtls_constant_time_memcmp( const void *v1, const void *v2, - size_t len ) -{ - const unsigned char *p1 = (const unsigned char*) v1; - const unsigned char *p2 = (const unsigned char*) v2; - size_t i; - unsigned char diff; - - for( diff = 0, i = 0; i < len; i++ ) - diff |= p1[i] ^ p2[i]; - - return( (int)diff ); -} -#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */ - static int supported_init = 0; const int *mbedtls_cipher_list( void ) @@ -424,6 +404,31 @@ int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx, } #endif +#if defined(MBEDTLS_CCM_C) + if( MBEDTLS_MODE_CCM_STAR_NO_TAG == ctx->cipher_info->mode ) + { + int set_lengths_result; + int ccm_star_mode; + + set_lengths_result = mbedtls_ccm_set_lengths( + (mbedtls_ccm_context *) ctx->cipher_ctx, + 0, 0, 0 ); + if( set_lengths_result != 0 ) + return set_lengths_result; + + if( ctx->operation == MBEDTLS_DECRYPT ) + ccm_star_mode = MBEDTLS_CCM_STAR_DECRYPT; + else if( ctx->operation == MBEDTLS_ENCRYPT ) + ccm_star_mode = MBEDTLS_CCM_STAR_ENCRYPT; + else + return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; + + return( mbedtls_ccm_starts( (mbedtls_ccm_context *) ctx->cipher_ctx, + ccm_star_mode, + iv, iv_len ) ); + } +#endif + if ( actual_iv_size != 0 ) { memcpy( ctx->iv, iv, actual_iv_size ); @@ -560,6 +565,15 @@ int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *i } #endif +#if defined(MBEDTLS_CCM_C) + if( ctx->cipher_info->mode == MBEDTLS_MODE_CCM_STAR_NO_TAG ) + { + return( mbedtls_ccm_update( (mbedtls_ccm_context *) ctx->cipher_ctx, + input, ilen, + output, ilen, olen ) ); + } +#endif + #if defined(MBEDTLS_CHACHAPOLY_C) if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 ) { @@ -947,6 +961,7 @@ int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx, MBEDTLS_MODE_OFB == ctx->cipher_info->mode || MBEDTLS_MODE_CTR == ctx->cipher_info->mode || MBEDTLS_MODE_GCM == ctx->cipher_info->mode || + MBEDTLS_MODE_CCM_STAR_NO_TAG == ctx->cipher_info->mode || MBEDTLS_MODE_XTS == ctx->cipher_info->mode || MBEDTLS_MODE_STREAM == ctx->cipher_info->mode ) { @@ -1160,6 +1175,12 @@ int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx, } #endif /* MBEDTLS_USE_PSA_CRYPTO */ + /* Status to return on a non-authenticated algorithm. It would make sense + * to return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT or perhaps + * MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, but at the time I write this our + * unit tests assume 0. */ + ret = 0; + #if defined(MBEDTLS_GCM_C) if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode ) { @@ -1179,10 +1200,11 @@ int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx, } /* Check the tag in "constant-time" */ - if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 ) - return( MBEDTLS_ERR_CIPHER_AUTH_FAILED ); - - return( 0 ); + if( mbedtls_ct_memcmp( tag, check_tag, tag_len ) != 0 ) + { + ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; + goto exit; + } } #endif /* MBEDTLS_GCM_C */ @@ -1201,14 +1223,17 @@ int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx, } /* Check the tag in "constant-time" */ - if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 ) - return( MBEDTLS_ERR_CIPHER_AUTH_FAILED ); - - return( 0 ); + if( mbedtls_ct_memcmp( tag, check_tag, tag_len ) != 0 ) + { + ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; + goto exit; + } } #endif /* MBEDTLS_CHACHAPOLY_C */ - return( 0 ); +exit: + mbedtls_platform_zeroize( check_tag, tag_len ); + return( ret ); } #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */ diff --git a/library/cipher_wrap.c b/library/cipher_wrap.c index 5776d5e45d40..7da7d9d5229f 100644 --- a/library/cipher_wrap.c +++ b/library/cipher_wrap.c @@ -639,6 +639,39 @@ static const mbedtls_cipher_info_t aes_256_ccm_info = { 16, &ccm_aes_info }; + +static const mbedtls_cipher_info_t aes_128_ccm_star_no_tag_info = { + MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG, + MBEDTLS_MODE_CCM_STAR_NO_TAG, + 128, + "AES-128-CCM*-NO-TAG", + 12, + MBEDTLS_CIPHER_VARIABLE_IV_LEN, + 16, + &ccm_aes_info +}; + +static const mbedtls_cipher_info_t aes_192_ccm_star_no_tag_info = { + MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG, + MBEDTLS_MODE_CCM_STAR_NO_TAG, + 192, + "AES-192-CCM*-NO-TAG", + 12, + MBEDTLS_CIPHER_VARIABLE_IV_LEN, + 16, + &ccm_aes_info +}; + +static const mbedtls_cipher_info_t aes_256_ccm_star_no_tag_info = { + MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG, + MBEDTLS_MODE_CCM_STAR_NO_TAG, + 256, + "AES-256-CCM*-NO-TAG", + 12, + MBEDTLS_CIPHER_VARIABLE_IV_LEN, + 16, + &ccm_aes_info +}; #endif /* MBEDTLS_CCM_C */ #endif /* MBEDTLS_AES_C */ @@ -1014,6 +1047,39 @@ static const mbedtls_cipher_info_t camellia_256_ccm_info = { 16, &ccm_camellia_info }; + +static const mbedtls_cipher_info_t camellia_128_ccm_star_no_tag_info = { + MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG, + MBEDTLS_MODE_CCM_STAR_NO_TAG, + 128, + "CAMELLIA-128-CCM*-NO-TAG", + 12, + MBEDTLS_CIPHER_VARIABLE_IV_LEN, + 16, + &ccm_camellia_info +}; + +static const mbedtls_cipher_info_t camellia_192_ccm_star_no_tag_info = { + MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG, + MBEDTLS_MODE_CCM_STAR_NO_TAG, + 192, + "CAMELLIA-192-CCM*-NO-TAG", + 12, + MBEDTLS_CIPHER_VARIABLE_IV_LEN, + 16, + &ccm_camellia_info +}; + +static const mbedtls_cipher_info_t camellia_256_ccm_star_no_tag_info = { + MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG, + MBEDTLS_MODE_CCM_STAR_NO_TAG, + 256, + "CAMELLIA-256-CCM*-NO-TAG", + 12, + MBEDTLS_CIPHER_VARIABLE_IV_LEN, + 16, + &ccm_camellia_info +}; #endif /* MBEDTLS_CCM_C */ #endif /* MBEDTLS_CAMELLIA_C */ @@ -1390,6 +1456,39 @@ static const mbedtls_cipher_info_t aria_256_ccm_info = { 16, &ccm_aria_info }; + +static const mbedtls_cipher_info_t aria_128_ccm_star_no_tag_info = { + MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG, + MBEDTLS_MODE_CCM_STAR_NO_TAG, + 128, + "ARIA-128-CCM*-NO-TAG", + 12, + MBEDTLS_CIPHER_VARIABLE_IV_LEN, + 16, + &ccm_aria_info +}; + +static const mbedtls_cipher_info_t aria_192_ccm_star_no_tag_info = { + MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG, + MBEDTLS_MODE_CCM_STAR_NO_TAG, + 192, + "ARIA-192-CCM*-NO-TAG", + 12, + MBEDTLS_CIPHER_VARIABLE_IV_LEN, + 16, + &ccm_aria_info +}; + +static const mbedtls_cipher_info_t aria_256_ccm_star_no_tag_info = { + MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG, + MBEDTLS_MODE_CCM_STAR_NO_TAG, + 256, + "ARIA-256-CCM*-NO-TAG", + 12, + MBEDTLS_CIPHER_VARIABLE_IV_LEN, + 16, + &ccm_aria_info +}; #endif /* MBEDTLS_CCM_C */ #endif /* MBEDTLS_ARIA_C */ @@ -2055,6 +2154,9 @@ const mbedtls_cipher_definition_t mbedtls_cipher_definitions[] = { MBEDTLS_CIPHER_AES_128_CCM, &aes_128_ccm_info }, { MBEDTLS_CIPHER_AES_192_CCM, &aes_192_ccm_info }, { MBEDTLS_CIPHER_AES_256_CCM, &aes_256_ccm_info }, + { MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG, &aes_128_ccm_star_no_tag_info }, + { MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG, &aes_192_ccm_star_no_tag_info }, + { MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG, &aes_256_ccm_star_no_tag_info }, #endif #endif /* MBEDTLS_AES_C */ @@ -2086,6 +2188,9 @@ const mbedtls_cipher_definition_t mbedtls_cipher_definitions[] = { MBEDTLS_CIPHER_CAMELLIA_128_CCM, &camellia_128_ccm_info }, { MBEDTLS_CIPHER_CAMELLIA_192_CCM, &camellia_192_ccm_info }, { MBEDTLS_CIPHER_CAMELLIA_256_CCM, &camellia_256_ccm_info }, + { MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG, &camellia_128_ccm_star_no_tag_info }, + { MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG, &camellia_192_ccm_star_no_tag_info }, + { MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG, &camellia_256_ccm_star_no_tag_info }, #endif #endif /* MBEDTLS_CAMELLIA_C */ @@ -2117,6 +2222,9 @@ const mbedtls_cipher_definition_t mbedtls_cipher_definitions[] = { MBEDTLS_CIPHER_ARIA_128_CCM, &aria_128_ccm_info }, { MBEDTLS_CIPHER_ARIA_192_CCM, &aria_192_ccm_info }, { MBEDTLS_CIPHER_ARIA_256_CCM, &aria_256_ccm_info }, + { MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG, &aria_128_ccm_star_no_tag_info }, + { MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG, &aria_192_ccm_star_no_tag_info }, + { MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG, &aria_256_ccm_star_no_tag_info }, #endif #endif /* MBEDTLS_ARIA_C */ diff --git a/library/common.h b/library/common.h index 9b10ec8fbbdb..a630fcc45682 100644 --- a/library/common.h +++ b/library/common.h @@ -87,7 +87,7 @@ extern void (*mbedtls_test_hook_test_fail)( const char * test, int line, const c * big-endian order (MSB first). * * \param data Base address of the memory to get the four bytes from. - * \param offset Offset from \p base of the first and most significant + * \param offset Offset from \p data of the first and most significant * byte of the four bytes to build the 32 bits unsigned * integer from. */ @@ -107,7 +107,7 @@ extern void (*mbedtls_test_hook_test_fail)( const char * test, int line, const c * \param n 32 bits unsigned integer to put in memory. * \param data Base address of the memory where to put the 32 * bits unsigned integer in. - * \param offset Offset from \p base where to put the most significant + * \param offset Offset from \p data where to put the most significant * byte of the 32 bits unsigned integer \p n. */ #ifndef MBEDTLS_PUT_UINT32_BE @@ -125,7 +125,7 @@ extern void (*mbedtls_test_hook_test_fail)( const char * test, int line, const c * little-endian order (LSB first). * * \param data Base address of the memory to get the four bytes from. - * \param offset Offset from \p base of the first and least significant + * \param offset Offset from \p data of the first and least significant * byte of the four bytes to build the 32 bits unsigned * integer from. */ @@ -145,7 +145,7 @@ extern void (*mbedtls_test_hook_test_fail)( const char * test, int line, const c * \param n 32 bits unsigned integer to put in memory. * \param data Base address of the memory where to put the 32 * bits unsigned integer in. - * \param offset Offset from \p base where to put the least significant + * \param offset Offset from \p data where to put the least significant * byte of the 32 bits unsigned integer \p n. */ #ifndef MBEDTLS_PUT_UINT32_LE @@ -163,7 +163,7 @@ extern void (*mbedtls_test_hook_test_fail)( const char * test, int line, const c * little-endian order (LSB first). * * \param data Base address of the memory to get the two bytes from. - * \param offset Offset from \p base of the first and least significant + * \param offset Offset from \p data of the first and least significant * byte of the two bytes to build the 16 bits unsigned * integer from. */ @@ -181,7 +181,7 @@ extern void (*mbedtls_test_hook_test_fail)( const char * test, int line, const c * \param n 16 bits unsigned integer to put in memory. * \param data Base address of the memory where to put the 16 * bits unsigned integer in. - * \param offset Offset from \p base where to put the least significant + * \param offset Offset from \p data where to put the least significant * byte of the 16 bits unsigned integer \p n. */ #ifndef MBEDTLS_PUT_UINT16_LE @@ -197,7 +197,7 @@ extern void (*mbedtls_test_hook_test_fail)( const char * test, int line, const c * big-endian order (MSB first). * * \param data Base address of the memory to get the two bytes from. - * \param offset Offset from \p base of the first and most significant + * \param offset Offset from \p data of the first and most significant * byte of the two bytes to build the 16 bits unsigned * integer from. */ @@ -215,7 +215,7 @@ extern void (*mbedtls_test_hook_test_fail)( const char * test, int line, const c * \param n 16 bits unsigned integer to put in memory. * \param data Base address of the memory where to put the 16 * bits unsigned integer in. - * \param offset Offset from \p base where to put the most significant + * \param offset Offset from \p data where to put the most significant * byte of the 16 bits unsigned integer \p n. */ #ifndef MBEDTLS_PUT_UINT16_BE @@ -226,12 +226,84 @@ extern void (*mbedtls_test_hook_test_fail)( const char * test, int line, const c } #endif +/** + * Get the unsigned 24 bits integer corresponding to three bytes in + * big-endian order (MSB first). + * + * \param data Base address of the memory to get the three bytes from. + * \param offset Offset from \p data of the first and most significant + * byte of the three bytes to build the 24 bits unsigned + * integer from. + */ +#ifndef MBEDTLS_GET_UINT24_BE +#define MBEDTLS_GET_UINT24_BE( data , offset ) \ + ( \ + ( (uint32_t) ( data )[( offset ) ] << 16 ) \ + | ( (uint32_t) ( data )[( offset ) + 1] << 8 ) \ + | ( (uint32_t) ( data )[( offset ) + 2] ) \ + ) +#endif + +/** + * Put in memory a 24 bits unsigned integer in big-endian order. + * + * \param n 24 bits unsigned integer to put in memory. + * \param data Base address of the memory where to put the 24 + * bits unsigned integer in. + * \param offset Offset from \p data where to put the most significant + * byte of the 24 bits unsigned integer \p n. + */ +#ifndef MBEDTLS_PUT_UINT24_BE +#define MBEDTLS_PUT_UINT24_BE( n, data, offset ) \ +{ \ + ( data )[( offset ) ] = MBEDTLS_BYTE_2( n ); \ + ( data )[( offset ) + 1] = MBEDTLS_BYTE_1( n ); \ + ( data )[( offset ) + 2] = MBEDTLS_BYTE_0( n ); \ +} +#endif + +/** + * Get the unsigned 24 bits integer corresponding to three bytes in + * little-endian order (LSB first). + * + * \param data Base address of the memory to get the three bytes from. + * \param offset Offset from \p data of the first and least significant + * byte of the three bytes to build the 24 bits unsigned + * integer from. + */ +#ifndef MBEDTLS_GET_UINT24_LE +#define MBEDTLS_GET_UINT24_LE( data, offset ) \ + ( \ + ( (uint32_t) ( data )[( offset ) ] ) \ + | ( (uint32_t) ( data )[( offset ) + 1] << 8 ) \ + | ( (uint32_t) ( data )[( offset ) + 2] << 16 ) \ + ) +#endif + +/** + * Put in memory a 24 bits unsigned integer in little-endian order. + * + * \param n 24 bits unsigned integer to put in memory. + * \param data Base address of the memory where to put the 24 + * bits unsigned integer in. + * \param offset Offset from \p data where to put the least significant + * byte of the 24 bits unsigned integer \p n. + */ +#ifndef MBEDTLS_PUT_UINT24_LE +#define MBEDTLS_PUT_UINT24_LE( n, data, offset ) \ +{ \ + ( data )[( offset ) ] = MBEDTLS_BYTE_0( n ); \ + ( data )[( offset ) + 1] = MBEDTLS_BYTE_1( n ); \ + ( data )[( offset ) + 2] = MBEDTLS_BYTE_2( n ); \ +} +#endif + /** * Get the unsigned 64 bits integer corresponding to eight bytes in * big-endian order (MSB first). * * \param data Base address of the memory to get the eight bytes from. - * \param offset Offset from \p base of the first and most significant + * \param offset Offset from \p data of the first and most significant * byte of the eight bytes to build the 64 bits unsigned * integer from. */ @@ -255,7 +327,7 @@ extern void (*mbedtls_test_hook_test_fail)( const char * test, int line, const c * \param n 64 bits unsigned integer to put in memory. * \param data Base address of the memory where to put the 64 * bits unsigned integer in. - * \param offset Offset from \p base where to put the most significant + * \param offset Offset from \p data where to put the most significant * byte of the 64 bits unsigned integer \p n. */ #ifndef MBEDTLS_PUT_UINT64_BE @@ -277,7 +349,7 @@ extern void (*mbedtls_test_hook_test_fail)( const char * test, int line, const c * little-endian order (LSB first). * * \param data Base address of the memory to get the eight bytes from. - * \param offset Offset from \p base of the first and least significant + * \param offset Offset from \p data of the first and least significant * byte of the eight bytes to build the 64 bits unsigned * integer from. */ @@ -301,7 +373,7 @@ extern void (*mbedtls_test_hook_test_fail)( const char * test, int line, const c * \param n 64 bits unsigned integer to put in memory. * \param data Base address of the memory where to put the 64 * bits unsigned integer in. - * \param offset Offset from \p base where to put the least significant + * \param offset Offset from \p data where to put the least significant * byte of the 64 bits unsigned integer \p n. */ #ifndef MBEDTLS_PUT_UINT64_LE diff --git a/library/constant_time.c b/library/constant_time.c new file mode 100644 index 000000000000..d8870ae7f33e --- /dev/null +++ b/library/constant_time.c @@ -0,0 +1,801 @@ +/** + * Constant-time functions + * + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + /* + * The following functions are implemented without using comparison operators, as those + * might be translated to branches by some compilers on some platforms. + */ + +#include "common.h" +#include "constant_time_internal.h" +#include "mbedtls/constant_time.h" +#include "mbedtls/error.h" +#include "mbedtls/platform_util.h" + +#if defined(MBEDTLS_BIGNUM_C) +#include "mbedtls/bignum.h" +#endif + +#if defined(MBEDTLS_SSL_TLS_C) +#include "ssl_misc.h" +#endif + +#if defined(MBEDTLS_RSA_C) +#include "mbedtls/rsa.h" +#endif + +#if defined(MBEDTLS_BASE64_C) +#include "constant_time_invasive.h" +#endif + +#include <string.h> + +int mbedtls_ct_memcmp( const void *a, + const void *b, + size_t n ) +{ + size_t i; + volatile const unsigned char *A = (volatile const unsigned char *) a; + volatile const unsigned char *B = (volatile const unsigned char *) b; + volatile unsigned char diff = 0; + + for( i = 0; i < n; i++ ) + { + /* Read volatile data in order before computing diff. + * This avoids IAR compiler warning: + * 'the order of volatile accesses is undefined ..' */ + unsigned char x = A[i], y = B[i]; + diff |= x ^ y; + } + + return( (int)diff ); +} + +unsigned mbedtls_ct_uint_mask( unsigned value ) +{ + /* MSVC has a warning about unary minus on unsigned, but this is + * well-defined and precisely what we want to do here */ +#if defined(_MSC_VER) +#pragma warning( push ) +#pragma warning( disable : 4146 ) +#endif + return( - ( ( value | - value ) >> ( sizeof( value ) * 8 - 1 ) ) ); +#if defined(_MSC_VER) +#pragma warning( pop ) +#endif +} + +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) + +size_t mbedtls_ct_size_mask( size_t value ) +{ + /* MSVC has a warning about unary minus on unsigned integer types, + * but this is well-defined and precisely what we want to do here. */ +#if defined(_MSC_VER) +#pragma warning( push ) +#pragma warning( disable : 4146 ) +#endif + return( - ( ( value | - value ) >> ( sizeof( value ) * 8 - 1 ) ) ); +#if defined(_MSC_VER) +#pragma warning( pop ) +#endif +} + +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ + +#if defined(MBEDTLS_BIGNUM_C) + +mbedtls_mpi_uint mbedtls_ct_mpi_uint_mask( mbedtls_mpi_uint value ) +{ + /* MSVC has a warning about unary minus on unsigned, but this is + * well-defined and precisely what we want to do here */ +#if defined(_MSC_VER) +#pragma warning( push ) +#pragma warning( disable : 4146 ) +#endif + return( - ( ( value | - value ) >> ( sizeof( value ) * 8 - 1 ) ) ); +#if defined(_MSC_VER) +#pragma warning( pop ) +#endif +} + +#endif /* MBEDTLS_BIGNUM_C */ + +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) + +/** Constant-flow mask generation for "less than" comparison: + * - if \p x < \p y, return all-bits 1, that is (size_t) -1 + * - otherwise, return all bits 0, that is 0 + * + * This function can be used to write constant-time code by replacing branches + * with bit operations using masks. + * + * \param x The first value to analyze. + * \param y The second value to analyze. + * + * \return All-bits-one if \p x is less than \p y, otherwise zero. + */ +static size_t mbedtls_ct_size_mask_lt( size_t x, + size_t y ) +{ + /* This has the most significant bit set if and only if x < y */ + const size_t sub = x - y; + + /* sub1 = (x < y) ? 1 : 0 */ + const size_t sub1 = sub >> ( sizeof( sub ) * 8 - 1 ); + + /* mask = (x < y) ? 0xff... : 0x00... */ + const size_t mask = mbedtls_ct_size_mask( sub1 ); + + return( mask ); +} + +size_t mbedtls_ct_size_mask_ge( size_t x, + size_t y ) +{ + return( ~mbedtls_ct_size_mask_lt( x, y ) ); +} + +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ + +#if defined(MBEDTLS_BASE64_C) + +/* Return 0xff if low <= c <= high, 0 otherwise. + * + * Constant flow with respect to c. + */ +MBEDTLS_STATIC_TESTABLE +unsigned char mbedtls_ct_uchar_mask_of_range( unsigned char low, + unsigned char high, + unsigned char c ) +{ + /* low_mask is: 0 if low <= c, 0x...ff if low > c */ + unsigned low_mask = ( (unsigned) c - low ) >> 8; + /* high_mask is: 0 if c <= high, 0x...ff if c > high */ + unsigned high_mask = ( (unsigned) high - c ) >> 8; + return( ~( low_mask | high_mask ) & 0xff ); +} + +#endif /* MBEDTLS_BASE64_C */ + +unsigned mbedtls_ct_size_bool_eq( size_t x, + size_t y ) +{ + /* diff = 0 if x == y, non-zero otherwise */ + const size_t diff = x ^ y; + + /* MSVC has a warning about unary minus on unsigned integer types, + * but this is well-defined and precisely what we want to do here. */ +#if defined(_MSC_VER) +#pragma warning( push ) +#pragma warning( disable : 4146 ) +#endif + + /* diff_msb's most significant bit is equal to x != y */ + const size_t diff_msb = ( diff | (size_t) -diff ); + +#if defined(_MSC_VER) +#pragma warning( pop ) +#endif + + /* diff1 = (x != y) ? 1 : 0 */ + const unsigned diff1 = diff_msb >> ( sizeof( diff_msb ) * 8 - 1 ); + + return( 1 ^ diff1 ); +} + +#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) + +/** Constant-flow "greater than" comparison: + * return x > y + * + * This is equivalent to \p x > \p y, but is likely to be compiled + * to code using bitwise operation rather than a branch. + * + * \param x The first value to analyze. + * \param y The second value to analyze. + * + * \return 1 if \p x greater than \p y, otherwise 0. + */ +static unsigned mbedtls_ct_size_gt( size_t x, + size_t y ) +{ + /* Return the sign bit (1 for negative) of (y - x). */ + return( ( y - x ) >> ( sizeof( size_t ) * 8 - 1 ) ); +} + +#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */ + +#if defined(MBEDTLS_BIGNUM_C) + +unsigned mbedtls_ct_mpi_uint_lt( const mbedtls_mpi_uint x, + const mbedtls_mpi_uint y ) +{ + mbedtls_mpi_uint ret; + mbedtls_mpi_uint cond; + + /* + * Check if the most significant bits (MSB) of the operands are different. + */ + cond = ( x ^ y ); + /* + * If the MSB are the same then the difference x-y will be negative (and + * have its MSB set to 1 during conversion to unsigned) if and only if x<y. + */ + ret = ( x - y ) & ~cond; + /* + * If the MSB are different, then the operand with the MSB of 1 is the + * bigger. (That is if y has MSB of 1, then x<y is true and it is false if + * the MSB of y is 0.) + */ + ret |= y & cond; + + + ret = ret >> ( sizeof( mbedtls_mpi_uint ) * 8 - 1 ); + + return (unsigned) ret; +} + +#endif /* MBEDTLS_BIGNUM_C */ + +unsigned mbedtls_ct_uint_if( unsigned condition, + unsigned if1, + unsigned if0 ) +{ + unsigned mask = mbedtls_ct_uint_mask( condition ); + return( ( mask & if1 ) | (~mask & if0 ) ); +} + +#if defined(MBEDTLS_BIGNUM_C) + +/** Select between two sign values without branches. + * + * This is functionally equivalent to `condition ? if1 : if0` but uses only bit + * operations in order to avoid branches. + * + * \note if1 and if0 must be either 1 or -1, otherwise the result + * is undefined. + * + * \param condition Condition to test. + * \param if1 The first sign; must be either +1 or -1. + * \param if0 The second sign; must be either +1 or -1. + * + * \return \c if1 if \p condition is nonzero, otherwise \c if0. + * */ +static int mbedtls_ct_cond_select_sign( unsigned char condition, + int if1, + int if0 ) +{ + /* In order to avoid questions about what we can reasonably assume about + * the representations of signed integers, move everything to unsigned + * by taking advantage of the fact that if1 and if0 are either +1 or -1. */ + unsigned uif1 = if1 + 1; + unsigned uif0 = if0 + 1; + + /* condition was 0 or 1, mask is 0 or 2 as are uif1 and uif0 */ + const unsigned mask = condition << 1; + + /* select uif1 or uif0 */ + unsigned ur = ( uif0 & ~mask ) | ( uif1 & mask ); + + /* ur is now 0 or 2, convert back to -1 or +1 */ + return( (int) ur - 1 ); +} + +void mbedtls_ct_mpi_uint_cond_assign( size_t n, + mbedtls_mpi_uint *dest, + const mbedtls_mpi_uint *src, + unsigned char condition ) +{ + size_t i; + + /* MSVC has a warning about unary minus on unsigned integer types, + * but this is well-defined and precisely what we want to do here. */ +#if defined(_MSC_VER) +#pragma warning( push ) +#pragma warning( disable : 4146 ) +#endif + + /* all-bits 1 if condition is 1, all-bits 0 if condition is 0 */ + const mbedtls_mpi_uint mask = -condition; + +#if defined(_MSC_VER) +#pragma warning( pop ) +#endif + + for( i = 0; i < n; i++ ) + dest[i] = ( src[i] & mask ) | ( dest[i] & ~mask ); +} + +#endif /* MBEDTLS_BIGNUM_C */ + +#if defined(MBEDTLS_BASE64_C) + +unsigned char mbedtls_ct_base64_enc_char( unsigned char value ) +{ + unsigned char digit = 0; + /* For each range of values, if value is in that range, mask digit with + * the corresponding value. Since value can only be in a single range, + * only at most one masking will change digit. */ + digit |= mbedtls_ct_uchar_mask_of_range( 0, 25, value ) & ( 'A' + value ); + digit |= mbedtls_ct_uchar_mask_of_range( 26, 51, value ) & ( 'a' + value - 26 ); + digit |= mbedtls_ct_uchar_mask_of_range( 52, 61, value ) & ( '0' + value - 52 ); + digit |= mbedtls_ct_uchar_mask_of_range( 62, 62, value ) & '+'; + digit |= mbedtls_ct_uchar_mask_of_range( 63, 63, value ) & '/'; + return( digit ); +} + +signed char mbedtls_ct_base64_dec_value( unsigned char c ) +{ + unsigned char val = 0; + /* For each range of digits, if c is in that range, mask val with + * the corresponding value. Since c can only be in a single range, + * only at most one masking will change val. Set val to one plus + * the desired value so that it stays 0 if c is in none of the ranges. */ + val |= mbedtls_ct_uchar_mask_of_range( 'A', 'Z', c ) & ( c - 'A' + 0 + 1 ); + val |= mbedtls_ct_uchar_mask_of_range( 'a', 'z', c ) & ( c - 'a' + 26 + 1 ); + val |= mbedtls_ct_uchar_mask_of_range( '0', '9', c ) & ( c - '0' + 52 + 1 ); + val |= mbedtls_ct_uchar_mask_of_range( '+', '+', c ) & ( c - '+' + 62 + 1 ); + val |= mbedtls_ct_uchar_mask_of_range( '/', '/', c ) & ( c - '/' + 63 + 1 ); + /* At this point, val is 0 if c is an invalid digit and v+1 if c is + * a digit with the value v. */ + return( val - 1 ); +} + +#endif /* MBEDTLS_BASE64_C */ + +#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) + +/** Shift some data towards the left inside a buffer. + * + * `mbedtls_ct_mem_move_to_left(start, total, offset)` is functionally + * equivalent to + * ``` + * memmove(start, start + offset, total - offset); + * memset(start + offset, 0, total - offset); + * ``` + * but it strives to use a memory access pattern (and thus total timing) + * that does not depend on \p offset. This timing independence comes at + * the expense of performance. + * + * \param start Pointer to the start of the buffer. + * \param total Total size of the buffer. + * \param offset Offset from which to copy \p total - \p offset bytes. + */ +static void mbedtls_ct_mem_move_to_left( void *start, + size_t total, + size_t offset ) +{ + volatile unsigned char *buf = start; + size_t i, n; + if( total == 0 ) + return; + for( i = 0; i < total; i++ ) + { + unsigned no_op = mbedtls_ct_size_gt( total - offset, i ); + /* The first `total - offset` passes are a no-op. The last + * `offset` passes shift the data one byte to the left and + * zero out the last byte. */ + for( n = 0; n < total - 1; n++ ) + { + unsigned char current = buf[n]; + unsigned char next = buf[n+1]; + buf[n] = mbedtls_ct_uint_if( no_op, current, next ); + } + buf[total-1] = mbedtls_ct_uint_if( no_op, buf[total-1], 0 ); + } +} + +#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */ + +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) + +void mbedtls_ct_memcpy_if_eq( unsigned char *dest, + const unsigned char *src, + size_t len, + size_t c1, + size_t c2 ) +{ + /* mask = c1 == c2 ? 0xff : 0x00 */ + const size_t equal = mbedtls_ct_size_bool_eq( c1, c2 ); + const unsigned char mask = (unsigned char) mbedtls_ct_size_mask( equal ); + + /* dest[i] = c1 == c2 ? src[i] : dest[i] */ + for( size_t i = 0; i < len; i++ ) + dest[i] = ( src[i] & mask ) | ( dest[i] & ~mask ); +} + +void mbedtls_ct_memcpy_offset( unsigned char *dest, + const unsigned char *src, + size_t offset, + size_t offset_min, + size_t offset_max, + size_t len ) +{ + size_t offsetval; + + for( offsetval = offset_min; offsetval <= offset_max; offsetval++ ) + { + mbedtls_ct_memcpy_if_eq( dest, src + offsetval, len, + offsetval, offset ); + } +} + +int mbedtls_ct_hmac( mbedtls_md_context_t *ctx, + const unsigned char *add_data, + size_t add_data_len, + const unsigned char *data, + size_t data_len_secret, + size_t min_data_len, + size_t max_data_len, + unsigned char *output ) +{ + /* + * This function breaks the HMAC abstraction and uses the md_clone() + * extension to the MD API in order to get constant-flow behaviour. + * + * HMAC(msg) is defined as HASH(okey + HASH(ikey + msg)) where + means + * concatenation, and okey/ikey are the XOR of the key with some fixed bit + * patterns (see RFC 2104, sec. 2), which are stored in ctx->hmac_ctx. + * + * We'll first compute inner_hash = HASH(ikey + msg) by hashing up to + * minlen, then cloning the context, and for each byte up to maxlen + * finishing up the hash computation, keeping only the correct result. + * + * Then we only need to compute HASH(okey + inner_hash) and we're done. + */ + const mbedtls_md_type_t md_alg = mbedtls_md_get_type( ctx->md_info ); + /* TLS 1.2 only supports SHA-384, SHA-256, SHA-1, MD-5, + * all of which have the same block size except SHA-384. */ + const size_t block_size = md_alg == MBEDTLS_MD_SHA384 ? 128 : 64; + const unsigned char * const ikey = ctx->hmac_ctx; + const unsigned char * const okey = ikey + block_size; + const size_t hash_size = mbedtls_md_get_size( ctx->md_info ); + + unsigned char aux_out[MBEDTLS_MD_MAX_SIZE]; + mbedtls_md_context_t aux; + size_t offset; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + mbedtls_md_init( &aux ); + +#define MD_CHK( func_call ) \ + do { \ + ret = (func_call); \ + if( ret != 0 ) \ + goto cleanup; \ + } while( 0 ) + + MD_CHK( mbedtls_md_setup( &aux, ctx->md_info, 0 ) ); + + /* After hmac_start() of hmac_reset(), ikey has already been hashed, + * so we can start directly with the message */ + MD_CHK( mbedtls_md_update( ctx, add_data, add_data_len ) ); + MD_CHK( mbedtls_md_update( ctx, data, min_data_len ) ); + + /* For each possible length, compute the hash up to that point */ + for( offset = min_data_len; offset <= max_data_len; offset++ ) + { + MD_CHK( mbedtls_md_clone( &aux, ctx ) ); + MD_CHK( mbedtls_md_finish( &aux, aux_out ) ); + /* Keep only the correct inner_hash in the output buffer */ + mbedtls_ct_memcpy_if_eq( output, aux_out, hash_size, + offset, data_len_secret ); + + if( offset < max_data_len ) + MD_CHK( mbedtls_md_update( ctx, data + offset, 1 ) ); + } + + /* The context needs to finish() before it starts() again */ + MD_CHK( mbedtls_md_finish( ctx, aux_out ) ); + + /* Now compute HASH(okey + inner_hash) */ + MD_CHK( mbedtls_md_starts( ctx ) ); + MD_CHK( mbedtls_md_update( ctx, okey, block_size ) ); + MD_CHK( mbedtls_md_update( ctx, output, hash_size ) ); + MD_CHK( mbedtls_md_finish( ctx, output ) ); + + /* Done, get ready for next time */ + MD_CHK( mbedtls_md_hmac_reset( ctx ) ); + +#undef MD_CHK + +cleanup: + mbedtls_md_free( &aux ); + return( ret ); +} + +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ + +#if defined(MBEDTLS_BIGNUM_C) + +#define MPI_VALIDATE_RET( cond ) \ + MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_MPI_BAD_INPUT_DATA ) + +/* + * Conditionally assign X = Y, without leaking information + * about whether the assignment was made or not. + * (Leaking information about the respective sizes of X and Y is ok however.) + */ +int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, + const mbedtls_mpi *Y, + unsigned char assign ) +{ + int ret = 0; + size_t i; + mbedtls_mpi_uint limb_mask; + MPI_VALIDATE_RET( X != NULL ); + MPI_VALIDATE_RET( Y != NULL ); + + /* all-bits 1 if assign is 1, all-bits 0 if assign is 0 */ + limb_mask = mbedtls_ct_mpi_uint_mask( assign );; + + MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) ); + + X->s = mbedtls_ct_cond_select_sign( assign, Y->s, X->s ); + + mbedtls_ct_mpi_uint_cond_assign( Y->n, X->p, Y->p, assign ); + + for( i = Y->n; i < X->n; i++ ) + X->p[i] &= ~limb_mask; + +cleanup: + return( ret ); +} + +/* + * Conditionally swap X and Y, without leaking information + * about whether the swap was made or not. + * Here it is not ok to simply swap the pointers, which whould lead to + * different memory access patterns when X and Y are used afterwards. + */ +int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, + mbedtls_mpi *Y, + unsigned char swap ) +{ + int ret, s; + size_t i; + mbedtls_mpi_uint limb_mask; + mbedtls_mpi_uint tmp; + MPI_VALIDATE_RET( X != NULL ); + MPI_VALIDATE_RET( Y != NULL ); + + if( X == Y ) + return( 0 ); + + /* all-bits 1 if swap is 1, all-bits 0 if swap is 0 */ + limb_mask = mbedtls_ct_mpi_uint_mask( swap ); + + MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_grow( Y, X->n ) ); + + s = X->s; + X->s = mbedtls_ct_cond_select_sign( swap, Y->s, X->s ); + Y->s = mbedtls_ct_cond_select_sign( swap, s, Y->s ); + + + for( i = 0; i < X->n; i++ ) + { + tmp = X->p[i]; + X->p[i] = ( X->p[i] & ~limb_mask ) | ( Y->p[i] & limb_mask ); + Y->p[i] = ( Y->p[i] & ~limb_mask ) | ( tmp & limb_mask ); + } + +cleanup: + return( ret ); +} + +/* + * Compare signed values in constant time + */ +int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *X, + const mbedtls_mpi *Y, + unsigned *ret ) +{ + size_t i; + /* The value of any of these variables is either 0 or 1 at all times. */ + unsigned cond, done, X_is_negative, Y_is_negative; + + MPI_VALIDATE_RET( X != NULL ); + MPI_VALIDATE_RET( Y != NULL ); + MPI_VALIDATE_RET( ret != NULL ); + + if( X->n != Y->n ) + return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; + + /* + * Set sign_N to 1 if N >= 0, 0 if N < 0. + * We know that N->s == 1 if N >= 0 and N->s == -1 if N < 0. + */ + X_is_negative = ( X->s & 2 ) >> 1; + Y_is_negative = ( Y->s & 2 ) >> 1; + + /* + * If the signs are different, then the positive operand is the bigger. + * That is if X is negative (X_is_negative == 1), then X < Y is true and it + * is false if X is positive (X_is_negative == 0). + */ + cond = ( X_is_negative ^ Y_is_negative ); + *ret = cond & X_is_negative; + + /* + * This is a constant-time function. We might have the result, but we still + * need to go through the loop. Record if we have the result already. + */ + done = cond; + + for( i = X->n; i > 0; i-- ) + { + /* + * If Y->p[i - 1] < X->p[i - 1] then X < Y is true if and only if both + * X and Y are negative. + * + * Again even if we can make a decision, we just mark the result and + * the fact that we are done and continue looping. + */ + cond = mbedtls_ct_mpi_uint_lt( Y->p[i - 1], X->p[i - 1] ); + *ret |= cond & ( 1 - done ) & X_is_negative; + done |= cond; + + /* + * If X->p[i - 1] < Y->p[i - 1] then X < Y is true if and only if both + * X and Y are positive. + * + * Again even if we can make a decision, we just mark the result and + * the fact that we are done and continue looping. + */ + cond = mbedtls_ct_mpi_uint_lt( X->p[i - 1], Y->p[i - 1] ); + *ret |= cond & ( 1 - done ) & ( 1 - X_is_negative ); + done |= cond; + } + + return( 0 ); +} + +#endif /* MBEDTLS_BIGNUM_C */ + +#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) + +int mbedtls_ct_rsaes_pkcs1_v15_unpadding( unsigned char *input, + size_t ilen, + unsigned char *output, + size_t output_max_len, + size_t *olen ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t i, plaintext_max_size; + + /* The following variables take sensitive values: their value must + * not leak into the observable behavior of the function other than + * the designated outputs (output, olen, return value). Otherwise + * this would open the execution of the function to + * side-channel-based variants of the Bleichenbacher padding oracle + * attack. Potential side channels include overall timing, memory + * access patterns (especially visible to an adversary who has access + * to a shared memory cache), and branches (especially visible to + * an adversary who has access to a shared code cache or to a shared + * branch predictor). */ + size_t pad_count = 0; + unsigned bad = 0; + unsigned char pad_done = 0; + size_t plaintext_size = 0; + unsigned output_too_large; + + plaintext_max_size = ( output_max_len > ilen - 11 ) ? ilen - 11 + : output_max_len; + + /* Check and get padding length in constant time and constant + * memory trace. The first byte must be 0. */ + bad |= input[0]; + + + /* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00 + * where PS must be at least 8 nonzero bytes. */ + bad |= input[1] ^ MBEDTLS_RSA_CRYPT; + + /* Read the whole buffer. Set pad_done to nonzero if we find + * the 0x00 byte and remember the padding length in pad_count. */ + for( i = 2; i < ilen; i++ ) + { + pad_done |= ((input[i] | (unsigned char)-input[i]) >> 7) ^ 1; + pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1; + } + + + /* If pad_done is still zero, there's no data, only unfinished padding. */ + bad |= mbedtls_ct_uint_if( pad_done, 0, 1 ); + + /* There must be at least 8 bytes of padding. */ + bad |= mbedtls_ct_size_gt( 8, pad_count ); + + /* If the padding is valid, set plaintext_size to the number of + * remaining bytes after stripping the padding. If the padding + * is invalid, avoid leaking this fact through the size of the + * output: use the maximum message size that fits in the output + * buffer. Do it without branches to avoid leaking the padding + * validity through timing. RSA keys are small enough that all the + * size_t values involved fit in unsigned int. */ + plaintext_size = mbedtls_ct_uint_if( + bad, (unsigned) plaintext_max_size, + (unsigned) ( ilen - pad_count - 3 ) ); + + /* Set output_too_large to 0 if the plaintext fits in the output + * buffer and to 1 otherwise. */ + output_too_large = mbedtls_ct_size_gt( plaintext_size, + plaintext_max_size ); + + /* Set ret without branches to avoid timing attacks. Return: + * - INVALID_PADDING if the padding is bad (bad != 0). + * - OUTPUT_TOO_LARGE if the padding is good but the decrypted + * plaintext does not fit in the output buffer. + * - 0 if the padding is correct. */ + ret = - (int) mbedtls_ct_uint_if( + bad, - MBEDTLS_ERR_RSA_INVALID_PADDING, + mbedtls_ct_uint_if( output_too_large, + - MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE, + 0 ) ); + + /* If the padding is bad or the plaintext is too large, zero the + * data that we're about to copy to the output buffer. + * We need to copy the same amount of data + * from the same buffer whether the padding is good or not to + * avoid leaking the padding validity through overall timing or + * through memory or cache access patterns. */ + bad = mbedtls_ct_uint_mask( bad | output_too_large ); + for( i = 11; i < ilen; i++ ) + input[i] &= ~bad; + + /* If the plaintext is too large, truncate it to the buffer size. + * Copy anyway to avoid revealing the length through timing, because + * revealing the length is as bad as revealing the padding validity + * for a Bleichenbacher attack. */ + plaintext_size = mbedtls_ct_uint_if( output_too_large, + (unsigned) plaintext_max_size, + (unsigned) plaintext_size ); + + /* Move the plaintext to the leftmost position where it can start in + * the working buffer, i.e. make it start plaintext_max_size from + * the end of the buffer. Do this with a memory access trace that + * does not depend on the plaintext size. After this move, the + * starting location of the plaintext is no longer sensitive + * information. */ + mbedtls_ct_mem_move_to_left( input + ilen - plaintext_max_size, + plaintext_max_size, + plaintext_max_size - plaintext_size ); + + /* Finally copy the decrypted plaintext plus trailing zeros into the output + * buffer. If output_max_len is 0, then output may be an invalid pointer + * and the result of memcpy() would be undefined; prevent undefined + * behavior making sure to depend only on output_max_len (the size of the + * user-provided output buffer), which is independent from plaintext + * length, validity of padding, success of the decryption, and other + * secrets. */ + if( output_max_len != 0 ) + memcpy( output, input + ilen - plaintext_max_size, plaintext_max_size ); + + /* Report the amount of data we copied to the output buffer. In case + * of errors (bad padding or output too large), the value of *olen + * when this function returns is not specified. Making it equivalent + * to the good case limits the risks of leaking the padding validity. */ + *olen = plaintext_size; + + return( ret ); +} + +#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */ diff --git a/library/constant_time_internal.h b/library/constant_time_internal.h new file mode 100644 index 000000000000..053cf123cc31 --- /dev/null +++ b/library/constant_time_internal.h @@ -0,0 +1,326 @@ +/** + * Constant-time functions + * + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef MBEDTLS_CONSTANT_TIME_INTERNAL_H +#define MBEDTLS_CONSTANT_TIME_INTERNAL_H + +#include "common.h" + +#if defined(MBEDTLS_BIGNUM_C) +#include "mbedtls/bignum.h" +#endif + +#if defined(MBEDTLS_SSL_TLS_C) +#include "ssl_misc.h" +#endif + +#include <stddef.h> + + +/** Turn a value into a mask: + * - if \p value == 0, return the all-bits 0 mask, aka 0 + * - otherwise, return the all-bits 1 mask, aka (unsigned) -1 + * + * This function can be used to write constant-time code by replacing branches + * with bit operations using masks. + * + * \param value The value to analyze. + * + * \return Zero if \p value is zero, otherwise all-bits-one. + */ +unsigned mbedtls_ct_uint_mask( unsigned value ); + +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) + +/** Turn a value into a mask: + * - if \p value == 0, return the all-bits 0 mask, aka 0 + * - otherwise, return the all-bits 1 mask, aka (size_t) -1 + * + * This function can be used to write constant-time code by replacing branches + * with bit operations using masks. + * + * \param value The value to analyze. + * + * \return Zero if \p value is zero, otherwise all-bits-one. + */ +size_t mbedtls_ct_size_mask( size_t value ); + +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ + +#if defined(MBEDTLS_BIGNUM_C) + +/** Turn a value into a mask: + * - if \p value == 0, return the all-bits 0 mask, aka 0 + * - otherwise, return the all-bits 1 mask, aka (mbedtls_mpi_uint) -1 + * + * This function can be used to write constant-time code by replacing branches + * with bit operations using masks. + * + * \param value The value to analyze. + * + * \return Zero if \p value is zero, otherwise all-bits-one. + */ +mbedtls_mpi_uint mbedtls_ct_mpi_uint_mask( mbedtls_mpi_uint value ); + +#endif /* MBEDTLS_BIGNUM_C */ + +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) + +/** Constant-flow mask generation for "greater or equal" comparison: + * - if \p x >= \p y, return all-bits 1, that is (size_t) -1 + * - otherwise, return all bits 0, that is 0 + * + * This function can be used to write constant-time code by replacing branches + * with bit operations using masks. + * + * \param x The first value to analyze. + * \param y The second value to analyze. + * + * \return All-bits-one if \p x is greater or equal than \p y, + * otherwise zero. + */ +size_t mbedtls_ct_size_mask_ge( size_t x, + size_t y ); + +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ + +/** Constant-flow boolean "equal" comparison: + * return x == y + * + * This is equivalent to \p x == \p y, but is likely to be compiled + * to code using bitwise operation rather than a branch. + * + * \param x The first value to analyze. + * \param y The second value to analyze. + * + * \return 1 if \p x equals to \p y, otherwise 0. + */ +unsigned mbedtls_ct_size_bool_eq( size_t x, + size_t y ); + +#if defined(MBEDTLS_BIGNUM_C) + +/** Decide if an integer is less than the other, without branches. + * + * This is equivalent to \p x < \p y, but is likely to be compiled + * to code using bitwise operation rather than a branch. + * + * \param x The first value to analyze. + * \param y The second value to analyze. + * + * \return 1 if \p x is less than \p y, otherwise 0. + */ +unsigned mbedtls_ct_mpi_uint_lt( const mbedtls_mpi_uint x, + const mbedtls_mpi_uint y ); + +#endif /* MBEDTLS_BIGNUM_C */ + +/** Choose between two integer values without branches. + * + * This is equivalent to `condition ? if1 : if0`, but is likely to be compiled + * to code using bitwise operation rather than a branch. + * + * \param condition Condition to test. + * \param if1 Value to use if \p condition is nonzero. + * \param if0 Value to use if \p condition is zero. + * + * \return \c if1 if \p condition is nonzero, otherwise \c if0. + */ +unsigned mbedtls_ct_uint_if( unsigned condition, + unsigned if1, + unsigned if0 ); + +#if defined(MBEDTLS_BIGNUM_C) + +/** Conditionally assign a value without branches. + * + * This is equivalent to `if ( condition ) dest = src`, but is likely + * to be compiled to code using bitwise operation rather than a branch. + * + * \param n \p dest and \p src must be arrays of limbs of size n. + * \param dest The MPI to conditionally assign to. This must point + * to an initialized MPI. + * \param src The MPI to be assigned from. This must point to an + * initialized MPI. + * \param condition Condition to test, must be 0 or 1. + */ +void mbedtls_ct_mpi_uint_cond_assign( size_t n, + mbedtls_mpi_uint *dest, + const mbedtls_mpi_uint *src, + unsigned char condition ); + +#endif /* MBEDTLS_BIGNUM_C */ + +#if defined(MBEDTLS_BASE64_C) + +/** Given a value in the range 0..63, return the corresponding Base64 digit. + * + * The implementation assumes that letters are consecutive (e.g. ASCII + * but not EBCDIC). + * + * \param value A value in the range 0..63. + * + * \return A base64 digit converted from \p value. + */ +unsigned char mbedtls_ct_base64_enc_char( unsigned char value ); + +/** Given a Base64 digit, return its value. + * + * If c is not a Base64 digit ('A'..'Z', 'a'..'z', '0'..'9', '+' or '/'), + * return -1. + * + * The implementation assumes that letters are consecutive (e.g. ASCII + * but not EBCDIC). + * + * \param c A base64 digit. + * + * \return The value of the base64 digit \p c. + */ +signed char mbedtls_ct_base64_dec_value( unsigned char c ); + +#endif /* MBEDTLS_BASE64_C */ + +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) + +/** Conditional memcpy without branches. + * + * This is equivalent to `if ( c1 == c2 ) memcpy(dest, src, len)`, but is likely + * to be compiled to code using bitwise operation rather than a branch. + * + * \param dest The pointer to conditionally copy to. + * \param src The pointer to copy from. Shouldn't overlap with \p dest. + * \param len The number of bytes to copy. + * \param c1 The first value to analyze in the condition. + * \param c2 The second value to analyze in the condition. + */ +void mbedtls_ct_memcpy_if_eq( unsigned char *dest, + const unsigned char *src, + size_t len, + size_t c1, size_t c2 ); + +/** Copy data from a secret position with constant flow. + * + * This function copies \p len bytes from \p src_base + \p offset_secret to \p + * dst, with a code flow and memory access pattern that does not depend on \p + * offset_secret, but only on \p offset_min, \p offset_max and \p len. + * Functionally equivalent to `memcpy(dst, src + offset_secret, len)`. + * + * \param dest The destination buffer. This must point to a writable + * buffer of at least \p len bytes. + * \param src The base of the source buffer. This must point to a + * readable buffer of at least \p offset_max + \p len + * bytes. Shouldn't overlap with \p dest. + * \param offset The offset in the source buffer from which to copy. + * This must be no less than \p offset_min and no greater + * than \p offset_max. + * \param offset_min The minimal value of \p offset. + * \param offset_max The maximal value of \p offset. + * \param len The number of bytes to copy. + */ +void mbedtls_ct_memcpy_offset( unsigned char *dest, + const unsigned char *src, + size_t offset, + size_t offset_min, + size_t offset_max, + size_t len ); + +/** Compute the HMAC of variable-length data with constant flow. + * + * This function computes the HMAC of the concatenation of \p add_data and \p + * data, and does with a code flow and memory access pattern that does not + * depend on \p data_len_secret, but only on \p min_data_len and \p + * max_data_len. In particular, this function always reads exactly \p + * max_data_len bytes from \p data. + * + * \param ctx The HMAC context. It must have keys configured + * with mbedtls_md_hmac_starts() and use one of the + * following hashes: SHA-384, SHA-256, SHA-1 or MD-5. + * It is reset using mbedtls_md_hmac_reset() after + * the computation is complete to prepare for the + * next computation. + * \param add_data The first part of the message whose HMAC is being + * calculated. This must point to a readable buffer + * of \p add_data_len bytes. + * \param add_data_len The length of \p add_data in bytes. + * \param data The buffer containing the second part of the + * message. This must point to a readable buffer + * of \p max_data_len bytes. + * \param data_len_secret The length of the data to process in \p data. + * This must be no less than \p min_data_len and no + * greater than \p max_data_len. + * \param min_data_len The minimal length of the second part of the + * message, read from \p data. + * \param max_data_len The maximal length of the second part of the + * message, read from \p data. + * \param output The HMAC will be written here. This must point to + * a writable buffer of sufficient size to hold the + * HMAC value. + * + * \retval 0 on success. + * \retval #MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED + * The hardware accelerator failed. + */ +int mbedtls_ct_hmac( mbedtls_md_context_t *ctx, + const unsigned char *add_data, + size_t add_data_len, + const unsigned char *data, + size_t data_len_secret, + size_t min_data_len, + size_t max_data_len, + unsigned char *output ); + +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ + +#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) + +/** This function performs the unpadding part of a PKCS#1 v1.5 decryption + * operation (EME-PKCS1-v1_5 decoding). + * + * \note The return value from this function is a sensitive value + * (this is unusual). #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE shouldn't happen + * in a well-written application, but 0 vs #MBEDTLS_ERR_RSA_INVALID_PADDING + * is often a situation that an attacker can provoke and leaking which + * one is the result is precisely the information the attacker wants. + * + * \param input The input buffer which is the payload inside PKCS#1v1.5 + * encryption padding, called the "encoded message EM" + * by the terminology. + * \param ilen The length of the payload in the \p input buffer. + * \param output The buffer for the payload, called "message M" by the + * PKCS#1 terminology. This must be a writable buffer of + * length \p output_max_len bytes. + * \param olen The address at which to store the length of + * the payload. This must not be \c NULL. + * \param output_max_len The length in bytes of the output buffer \p output. + * + * \return \c 0 on success. + * \return #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE + * The output buffer is too small for the unpadded payload. + * \return #MBEDTLS_ERR_RSA_INVALID_PADDING + * The input doesn't contain properly formatted padding. + */ +int mbedtls_ct_rsaes_pkcs1_v15_unpadding( unsigned char *input, + size_t ilen, + unsigned char *output, + size_t output_max_len, + size_t *olen ); + +#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */ + +#endif /* MBEDTLS_CONSTANT_TIME_INTERNAL_H */ diff --git a/library/constant_time_invasive.h b/library/constant_time_invasive.h new file mode 100644 index 000000000000..4620ca137999 --- /dev/null +++ b/library/constant_time_invasive.h @@ -0,0 +1,51 @@ +/** + * \file constant_time_invasive.h + * + * \brief Constant-time module: interfaces for invasive testing only. + * + * The interfaces in this file are intended for testing purposes only. + * They SHOULD NOT be made available in library integrations except when + * building the library for testing. + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef MBEDTLS_CONSTANT_TIME_INVASIVE_H +#define MBEDTLS_CONSTANT_TIME_INVASIVE_H + +#include "common.h" + +#if defined(MBEDTLS_TEST_HOOKS) + +/** Turn a value into a mask: + * - if \p low <= \p c <= \p high, + * return the all-bits 1 mask, aka (unsigned) -1 + * - otherwise, return the all-bits 0 mask, aka 0 + * + * \param low The value to analyze. + * \param high The value to analyze. + * \param c The value to analyze. + * + * \return All-bits-one if \p low <= \p c <= \p high, otherwise zero. + */ +unsigned char mbedtls_ct_uchar_mask_of_range( unsigned char low, + unsigned char high, + unsigned char c ); + +#endif /* MBEDTLS_TEST_HOOKS */ + +#endif /* MBEDTLS_CONSTANT_TIME_INVASIVE_H */ diff --git a/library/ecdh.c b/library/ecdh.c index ddd4ef545ee9..d1680b5cce7b 100644 --- a/library/ecdh.c +++ b/library/ecdh.c @@ -728,10 +728,11 @@ int mbedtls_ecdh_calc_secret( mbedtls_ecdh_context *ctx, size_t *olen, #endif } -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) static int ecdh_tls13_make_params_internal( mbedtls_ecdh_context_mbed *ctx, - size_t *olen, int point_format, unsigned char *buf, size_t blen, + size_t *out_len, int point_format, + unsigned char *buf, size_t buf_len, int ( *f_rng )( void *, unsigned char *, size_t), void *p_rng ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; @@ -744,20 +745,20 @@ static int ecdh_tls13_make_params_internal( mbedtls_ecdh_context_mbed *ctx, return( ret ); ret = mbedtls_ecp_point_write_binary( &ctx->grp, &ctx->Q, point_format, - olen, buf, blen ); + out_len, buf, buf_len ); if( ret != 0 ) return( ret ); return( 0 ); } -int mbedtls_ecdh_tls13_make_params( mbedtls_ecdh_context *ctx, size_t *olen, - unsigned char *buf, size_t blen, +int mbedtls_ecdh_tls13_make_params( mbedtls_ecdh_context *ctx, size_t *out_len, + unsigned char *buf, size_t buf_len, int ( *f_rng )( void *, unsigned char *, size_t ), void *p_rng ) { ECDH_VALIDATE_RET( ctx != NULL ); - ECDH_VALIDATE_RET( olen != NULL ); + ECDH_VALIDATE_RET( out_len != NULL ); ECDH_VALIDATE_RET( buf != NULL ); ECDH_VALIDATE_RET( f_rng != NULL ); @@ -768,8 +769,8 @@ int mbedtls_ecdh_tls13_make_params( mbedtls_ecdh_context *ctx, size_t *olen, #endif #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT) - return( ecdh_tls13_make_params_internal( ctx, olen, ctx->point_format, - buf, blen, f_rng, p_rng ) ); + return( ecdh_tls13_make_params_internal( ctx, out_len, ctx->point_format, + buf, buf_len, f_rng, p_rng ) ); #else switch( ctx->var ) { @@ -778,9 +779,9 @@ int mbedtls_ecdh_tls13_make_params( mbedtls_ecdh_context *ctx, size_t *olen, return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ); #endif case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0: - return( ecdh_tls13_make_params_internal( &ctx->ctx.mbed_ecdh, olen, - ctx->point_format, buf, blen, - f_rng, p_rng ) ); + return( ecdh_tls13_make_params_internal( &ctx->ctx.mbed_ecdh, + out_len, ctx->point_format, + buf, buf_len, f_rng, p_rng ) ); default: return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; } @@ -860,6 +861,6 @@ int mbedtls_ecdh_tls13_read_public( mbedtls_ecdh_context *ctx, #endif } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_ECDH_C */ diff --git a/library/ecdh_misc.h b/library/ecdh_misc.h index d0f338a8378f..37cb6d8ef471 100644 --- a/library/ecdh_misc.h +++ b/library/ecdh_misc.h @@ -27,7 +27,7 @@ #if defined(MBEDTLS_ECDH_C) -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) /* * Setup context without Everest @@ -50,7 +50,7 @@ int mbedtls_ecdh_tls13_read_public( mbedtls_ecdh_context *ctx, const unsigned char *buf, size_t buf_len ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_ECDH_C */ diff --git a/library/gcm.c b/library/gcm.c index 6d625642ebde..8505cf4e07b5 100644 --- a/library/gcm.c +++ b/library/gcm.c @@ -254,6 +254,7 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx, size_t i; const unsigned char *p; size_t use_len, olen = 0; + uint64_t iv_bits; GCM_VALIDATE_RET( ctx != NULL ); GCM_VALIDATE_RET( iv != NULL ); @@ -278,7 +279,8 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx, else { memset( work_buf, 0x00, 16 ); - MBEDTLS_PUT_UINT32_BE( iv_len * 8, work_buf, 12 ); + iv_bits = (uint64_t)iv_len * 8; + MBEDTLS_PUT_UINT64_BE( iv_bits, work_buf, 8 ); p = iv; while( iv_len > 0 ) diff --git a/library/mps_all.h b/library/mps_all.h index 6ea785a817d8..c006a5d7b42c 100644 --- a/library/mps_all.h +++ b/library/mps_all.h @@ -24,7 +24,7 @@ #ifndef MBEDTLS_MPS_ALL_H #define MBEDTLS_MPS_ALL_H -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && defined(MBEDTLS_SSL_USE_MPS) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_USE_MPS) #include "mps_common.h" #include "mps_allocator.h" diff --git a/library/mps_reader.c b/library/mps_reader.c index cee2e7ff59b2..59ec82190804 100644 --- a/library/mps_reader.c +++ b/library/mps_reader.c @@ -21,7 +21,7 @@ #include "common.h" -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #include "mps_reader.h" #include "mps_common.h" @@ -712,4 +712,4 @@ int mbedtls_mps_reader_check_done( mbedtls_mps_reader_ext const *rd_ext ) MBEDTLS_MPS_TRACE_RETURN( 0 ); } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ diff --git a/library/mps_trace.c b/library/mps_trace.c index 6026a07163b1..e8b4e1b9e9d4 100644 --- a/library/mps_trace.c +++ b/library/mps_trace.c @@ -21,7 +21,7 @@ #include "common.h" -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #include "mps_common.h" @@ -124,4 +124,4 @@ void mbedtls_mps_trace_indent( int level, mbedtls_mps_trace_type ty ) } #endif /* MBEDTLS_MPS_ENABLE_TRACE */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ diff --git a/library/nist_kw.c b/library/nist_kw.c index e2ab2566f598..1aea0b634575 100644 --- a/library/nist_kw.c +++ b/library/nist_kw.c @@ -34,6 +34,7 @@ #include "mbedtls/nist_kw.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" +#include "mbedtls/constant_time.h" #include <stdint.h> #include <string.h> @@ -52,26 +53,6 @@ #define KW_SEMIBLOCK_LENGTH 8 #define MIN_SEMIBLOCKS_COUNT 3 -/* constant-time buffer comparison */ -static inline unsigned char mbedtls_nist_kw_safer_memcmp( const void *a, const void *b, size_t n ) -{ - size_t i; - volatile const unsigned char *A = (volatile const unsigned char *) a; - volatile const unsigned char *B = (volatile const unsigned char *) b; - volatile unsigned char diff = 0; - - for( i = 0; i < n; i++ ) - { - /* Read volatile data in order before computing diff. - * This avoids IAR compiler warning: - * 'the order of volatile accesses is undefined ..' */ - unsigned char x = A[i], y = B[i]; - diff |= x ^ y; - } - - return( diff ); -} - /*! The 64-bit default integrity check value (ICV) for KW mode. */ static const unsigned char NIST_KW_ICV1[] = {0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}; /*! The 32-bit default integrity check value (ICV) for KWP mode. */ @@ -398,7 +379,7 @@ int mbedtls_nist_kw_unwrap( mbedtls_nist_kw_context *ctx, goto cleanup; /* Check ICV in "constant-time" */ - diff = mbedtls_nist_kw_safer_memcmp( NIST_KW_ICV1, A, KW_SEMIBLOCK_LENGTH ); + diff = mbedtls_ct_memcmp( NIST_KW_ICV1, A, KW_SEMIBLOCK_LENGTH ); if( diff != 0 ) { @@ -447,7 +428,7 @@ int mbedtls_nist_kw_unwrap( mbedtls_nist_kw_context *ctx, } /* Check ICV in "constant-time" */ - diff = mbedtls_nist_kw_safer_memcmp( NIST_KW_ICV2, A, KW_SEMIBLOCK_LENGTH / 2 ); + diff = mbedtls_ct_memcmp( NIST_KW_ICV2, A, KW_SEMIBLOCK_LENGTH / 2 ); if( diff != 0 ) { diff --git a/library/pkcs12.c b/library/pkcs12.c index 8f64bc6395f6..a90d1f90ce5c 100644 --- a/library/pkcs12.c +++ b/library/pkcs12.c @@ -134,6 +134,9 @@ int mbedtls_pkcs12_pbe( mbedtls_asn1_buf *pbe_params, int mode, mbedtls_cipher_context_t cipher_ctx; size_t olen = 0; + if( pwd == NULL && pwdlen != 0 ) + return( MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA ); + cipher_info = mbedtls_cipher_info_from_type( cipher_type ); if( cipher_info == NULL ) return( MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE ); @@ -186,12 +189,23 @@ static void pkcs12_fill_buffer( unsigned char *data, size_t data_len, unsigned char *p = data; size_t use_len; - while( data_len > 0 ) + if( filler != NULL && fill_len != 0 ) { - use_len = ( data_len > fill_len ) ? fill_len : data_len; - memcpy( p, filler, use_len ); - p += use_len; - data_len -= use_len; + while( data_len > 0 ) + { + use_len = ( data_len > fill_len ) ? fill_len : data_len; + memcpy( p, filler, use_len ); + p += use_len; + data_len -= use_len; + } + } + else + { + /* If either of the above are not true then clearly there is nothing + * that this function can do. The function should *not* be called + * under either of those circumstances, as you could end up with an + * incorrect output but for safety's sake, leaving the check in as + * otherwise we could end up with memory corruption.*/ } } @@ -208,6 +222,8 @@ int mbedtls_pkcs12_derivation( unsigned char *data, size_t datalen, unsigned char hash_output[MBEDTLS_MD_MAX_SIZE]; unsigned char *p; unsigned char c; + int use_password = 0; + int use_salt = 0; size_t hlen, use_len, v, i; @@ -218,6 +234,15 @@ int mbedtls_pkcs12_derivation( unsigned char *data, size_t datalen, if( datalen > 128 || pwdlen > 64 || saltlen > 64 ) return( MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA ); + if( pwd == NULL && pwdlen != 0 ) + return( MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA ); + + if( salt == NULL && saltlen != 0 ) + return( MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA ); + + use_password = ( pwd && pwdlen != 0 ); + use_salt = ( salt && saltlen != 0 ); + md_info = mbedtls_md_info_from_type( md_type ); if( md_info == NULL ) return( MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE ); @@ -235,8 +260,15 @@ int mbedtls_pkcs12_derivation( unsigned char *data, size_t datalen, memset( diversifier, (unsigned char) id, v ); - pkcs12_fill_buffer( salt_block, v, salt, saltlen ); - pkcs12_fill_buffer( pwd_block, v, pwd, pwdlen ); + if( use_salt != 0 ) + { + pkcs12_fill_buffer( salt_block, v, salt, saltlen ); + } + + if( use_password != 0 ) + { + pkcs12_fill_buffer( pwd_block, v, pwd, pwdlen ); + } p = data; while( datalen > 0 ) @@ -248,11 +280,17 @@ int mbedtls_pkcs12_derivation( unsigned char *data, size_t datalen, if( ( ret = mbedtls_md_update( &md_ctx, diversifier, v ) ) != 0 ) goto exit; - if( ( ret = mbedtls_md_update( &md_ctx, salt_block, v ) ) != 0 ) - goto exit; + if( use_salt != 0 ) + { + if( ( ret = mbedtls_md_update( &md_ctx, salt_block, v )) != 0 ) + goto exit; + } - if( ( ret = mbedtls_md_update( &md_ctx, pwd_block, v ) ) != 0 ) - goto exit; + if( use_password != 0) + { + if( ( ret = mbedtls_md_update( &md_ctx, pwd_block, v )) != 0 ) + goto exit; + } if( ( ret = mbedtls_md_finish( &md_ctx, hash_output ) ) != 0 ) goto exit; @@ -280,22 +318,28 @@ int mbedtls_pkcs12_derivation( unsigned char *data, size_t datalen, if( ++hash_block[i - 1] != 0 ) break; - // salt_block += B - c = 0; - for( i = v; i > 0; i-- ) + if( use_salt != 0 ) { - j = salt_block[i - 1] + hash_block[i - 1] + c; - c = MBEDTLS_BYTE_1( j ); - salt_block[i - 1] = MBEDTLS_BYTE_0( j ); + // salt_block += B + c = 0; + for( i = v; i > 0; i-- ) + { + j = salt_block[i - 1] + hash_block[i - 1] + c; + c = MBEDTLS_BYTE_1( j ); + salt_block[i - 1] = MBEDTLS_BYTE_0( j ); + } } - // pwd_block += B - c = 0; - for( i = v; i > 0; i-- ) + if( use_password != 0 ) { - j = pwd_block[i - 1] + hash_block[i - 1] + c; - c = MBEDTLS_BYTE_1( j ); - pwd_block[i - 1] = MBEDTLS_BYTE_0( j ); + // pwd_block += B + c = 0; + for( i = v; i > 0; i-- ) + { + j = pwd_block[i - 1] + hash_block[i - 1] + c; + c = MBEDTLS_BYTE_1( j ); + pwd_block[i - 1] = MBEDTLS_BYTE_0( j ); + } } } diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 25560854a792..829ed452b081 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -103,9 +103,9 @@ static int key_type_is_raw_bytes( psa_key_type_t type ) typedef struct { - mbedtls_psa_random_context_t rng; unsigned initialized : 1; unsigned rng_state : 2; + mbedtls_psa_random_context_t rng; } psa_global_data_t; static psa_global_data_t global_data; @@ -324,15 +324,11 @@ psa_status_t mbedtls_to_psa_error( int ret ) /* Key management */ /****************************************************************/ -/* For now the MBEDTLS_PSA_ACCEL_ guards are also used here since the - * current test driver in key_management.c is using this function - * when accelerators are used for ECC key pair and public key. - * Once that dependency is resolved these guards can be removed. - */ #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) + defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_family_t curve, size_t bits, int bits_is_sloppy ) @@ -428,9 +424,10 @@ mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_family_t curve, return( MBEDTLS_ECP_DP_NONE ); } #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || - * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || - * defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || - * defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) */ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || + defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || + defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) */ psa_status_t psa_validate_unstructured_key_bit_size( psa_key_type_t type, size_t bits ) @@ -448,6 +445,12 @@ psa_status_t psa_validate_unstructured_key_bit_size( psa_key_type_t type, return( PSA_ERROR_INVALID_ARGUMENT ); break; #endif +#if defined(PSA_WANT_KEY_TYPE_ARIA) + case PSA_KEY_TYPE_ARIA: + if( bits != 128 && bits != 192 && bits != 256 ) + return( PSA_ERROR_INVALID_ARGUMENT ); + break; +#endif #if defined(PSA_WANT_KEY_TYPE_CAMELLIA) case PSA_KEY_TYPE_CAMELLIA: if( bits != 128 && bits != 192 && bits != 256 ) @@ -617,8 +620,8 @@ static psa_algorithm_t psa_key_policy_algorithm_intersection( return( alg1 ); /* If the policies are from the same hash-and-sign family, check * if one is a wildcard. If so the other has the specific algorithm. */ - if( PSA_ALG_IS_HASH_AND_SIGN( alg1 ) && - PSA_ALG_IS_HASH_AND_SIGN( alg2 ) && + if( PSA_ALG_IS_SIGN_HASH( alg1 ) && + PSA_ALG_IS_SIGN_HASH( alg2 ) && ( alg1 & ~PSA_ALG_HASH_MASK ) == ( alg2 & ~PSA_ALG_HASH_MASK ) ) { if( PSA_ALG_SIGN_GET_HASH( alg1 ) == PSA_ALG_ANY_HASH ) @@ -720,7 +723,7 @@ static int psa_key_algorithm_permits( psa_key_type_t key_type, /* If policy_alg is a hash-and-sign with a wildcard for the hash, * and requested_alg is the same hash-and-sign family with any hash, * then requested_alg is compliant with policy_alg. */ - if( PSA_ALG_IS_HASH_AND_SIGN( requested_alg ) && + if( PSA_ALG_IS_SIGN_HASH( requested_alg ) && PSA_ALG_SIGN_GET_HASH( policy_alg ) == PSA_ALG_ANY_HASH ) { return( ( policy_alg & ~PSA_ALG_HASH_MASK ) == @@ -2187,7 +2190,7 @@ psa_status_t psa_hash_verify( psa_hash_operation_t *operation, const uint8_t *hash, size_t hash_length ) { - uint8_t actual_hash[MBEDTLS_MD_MAX_SIZE]; + uint8_t actual_hash[PSA_HASH_MAX_SIZE]; size_t actual_hash_length; psa_status_t status = psa_hash_finish( operation, @@ -2207,6 +2210,7 @@ psa_status_t psa_hash_verify( psa_hash_operation_t *operation, status = PSA_ERROR_INVALID_SIGNATURE; exit: + mbedtls_platform_zeroize( actual_hash, sizeof( actual_hash ) ); if( status != PSA_SUCCESS ) psa_hash_abort(operation); @@ -2230,7 +2234,7 @@ psa_status_t psa_hash_compare( psa_algorithm_t alg, const uint8_t *input, size_t input_length, const uint8_t *hash, size_t hash_length ) { - uint8_t actual_hash[MBEDTLS_MD_MAX_SIZE]; + uint8_t actual_hash[PSA_HASH_MAX_SIZE]; size_t actual_hash_length; if( !PSA_ALG_IS_HASH( alg ) ) @@ -2241,12 +2245,18 @@ psa_status_t psa_hash_compare( psa_algorithm_t alg, actual_hash, sizeof(actual_hash), &actual_hash_length ); if( status != PSA_SUCCESS ) - return( status ); + goto exit; if( actual_hash_length != hash_length ) - return( PSA_ERROR_INVALID_SIGNATURE ); + { + status = PSA_ERROR_INVALID_SIGNATURE; + goto exit; + } if( mbedtls_psa_safer_memcmp( hash, actual_hash, actual_hash_length ) != 0 ) - return( PSA_ERROR_INVALID_SIGNATURE ); - return( PSA_SUCCESS ); + status = PSA_ERROR_INVALID_SIGNATURE; + +exit: + mbedtls_platform_zeroize( actual_hash, sizeof( actual_hash ) ); + return( status ); } psa_status_t psa_hash_clone( const psa_hash_operation_t *source_operation, @@ -2638,7 +2648,7 @@ static psa_status_t psa_sign_verify_check_alg( int input_is_message, if( ! PSA_ALG_IS_SIGN_MESSAGE( alg ) ) return( PSA_ERROR_INVALID_ARGUMENT ); - if ( PSA_ALG_IS_HASH_AND_SIGN( alg ) ) + if ( PSA_ALG_IS_SIGN_HASH( alg ) ) { if( ! PSA_ALG_IS_HASH( PSA_ALG_SIGN_GET_HASH( alg ) ) ) return( PSA_ERROR_INVALID_ARGUMENT ); @@ -2646,7 +2656,7 @@ static psa_status_t psa_sign_verify_check_alg( int input_is_message, } else { - if( ! PSA_ALG_IS_HASH_AND_SIGN( alg ) ) + if( ! PSA_ALG_IS_SIGN_HASH( alg ) ) return( PSA_ERROR_INVALID_ARGUMENT ); } @@ -2796,7 +2806,7 @@ psa_status_t psa_sign_message_builtin( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - if ( PSA_ALG_IS_HASH_AND_SIGN( alg ) ) + if ( PSA_ALG_IS_SIGN_HASH( alg ) ) { size_t hash_length; uint8_t hash[PSA_HASH_MAX_SIZE]; @@ -2843,7 +2853,7 @@ psa_status_t psa_verify_message_builtin( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - if ( PSA_ALG_IS_HASH_AND_SIGN( alg ) ) + if ( PSA_ALG_IS_SIGN_HASH( alg ) ) { size_t hash_length; uint8_t hash[PSA_HASH_MAX_SIZE]; @@ -2903,8 +2913,7 @@ psa_status_t psa_sign_hash_builtin( return( PSA_ERROR_INVALID_ARGUMENT ); } } - else - if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) ) + else if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) ) { if( PSA_ALG_IS_ECDSA( alg ) ) { @@ -2974,8 +2983,7 @@ psa_status_t psa_verify_hash_builtin( return( PSA_ERROR_INVALID_ARGUMENT ); } } - else - if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) ) + else if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) ) { if( PSA_ALG_IS_ECDSA( alg ) ) { @@ -3065,10 +3073,10 @@ psa_status_t psa_asymmetric_encrypt( mbedtls_svc_key_id_t key, goto exit; } -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) ) { +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) mbedtls_rsa_context *rsa = NULL; status = mbedtls_psa_rsa_load_representation( slot->attr.type, slot->key.data, @@ -3082,9 +3090,11 @@ psa_status_t psa_asymmetric_encrypt( mbedtls_svc_key_id_t key, status = PSA_ERROR_BUFFER_TOO_SMALL; goto rsa_exit; } -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */ if( alg == PSA_ALG_RSA_PKCS1V15_CRYPT ) { +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) status = mbedtls_to_psa_error( mbedtls_rsa_pkcs1_encrypt( rsa, mbedtls_psa_get_random, @@ -3092,12 +3102,14 @@ psa_status_t psa_asymmetric_encrypt( mbedtls_svc_key_id_t key, input_length, input, output ) ); +#else + status = PSA_ERROR_NOT_SUPPORTED; +#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT */ } else -#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT */ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) if( PSA_ALG_IS_RSA_OAEP( alg ) ) { +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) status = mbedtls_to_psa_error( psa_rsa_oaep_set_padding_mode( alg, rsa ) ); if( status != PSA_SUCCESS ) @@ -3111,23 +3123,26 @@ psa_status_t psa_asymmetric_encrypt( mbedtls_svc_key_id_t key, input_length, input, output ) ); +#else + status = PSA_ERROR_NOT_SUPPORTED; +#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP */ } else -#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP */ { status = PSA_ERROR_INVALID_ARGUMENT; - goto rsa_exit; } +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) rsa_exit: if( status == PSA_SUCCESS ) *output_length = mbedtls_rsa_get_len( rsa ); mbedtls_rsa_free( rsa ); mbedtls_free( rsa ); - } - else #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */ + } + else { status = PSA_ERROR_NOT_SUPPORTED; } @@ -3173,10 +3188,10 @@ psa_status_t psa_asymmetric_decrypt( mbedtls_svc_key_id_t key, goto exit; } -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) if( slot->attr.type == PSA_KEY_TYPE_RSA_KEY_PAIR ) { +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) mbedtls_rsa_context *rsa = NULL; status = mbedtls_psa_rsa_load_representation( slot->attr.type, slot->key.data, @@ -3190,10 +3205,12 @@ psa_status_t psa_asymmetric_decrypt( mbedtls_svc_key_id_t key, status = PSA_ERROR_INVALID_ARGUMENT; goto rsa_exit; } +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) if( alg == PSA_ALG_RSA_PKCS1V15_CRYPT ) { +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) status = mbedtls_to_psa_error( mbedtls_rsa_pkcs1_decrypt( rsa, mbedtls_psa_get_random, @@ -3202,12 +3219,14 @@ psa_status_t psa_asymmetric_decrypt( mbedtls_svc_key_id_t key, input, output, output_size ) ); +#else + status = PSA_ERROR_NOT_SUPPORTED; +#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT */ } else -#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT */ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) if( PSA_ALG_IS_RSA_OAEP( alg ) ) { +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) status = mbedtls_to_psa_error( psa_rsa_oaep_set_padding_mode( alg, rsa ) ); if( status != PSA_SUCCESS ) @@ -3222,20 +3241,24 @@ psa_status_t psa_asymmetric_decrypt( mbedtls_svc_key_id_t key, input, output, output_size ) ); +#else + status = PSA_ERROR_NOT_SUPPORTED; +#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP */ } else -#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP */ { status = PSA_ERROR_INVALID_ARGUMENT; } +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) rsa_exit: mbedtls_rsa_free( rsa ); mbedtls_free( rsa ); - } - else #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */ + } + else { status = PSA_ERROR_NOT_SUPPORTED; } @@ -3339,8 +3362,8 @@ psa_status_t psa_cipher_generate_iv( psa_cipher_operation_t *operation, size_t *iv_length ) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - - *iv_length = 0; + uint8_t local_iv[PSA_CIPHER_IV_MAX_SIZE]; + size_t default_iv_length; if( operation->id == 0 ) { @@ -3354,28 +3377,38 @@ psa_status_t psa_cipher_generate_iv( psa_cipher_operation_t *operation, goto exit; } - if( iv_size < operation->default_iv_length ) + default_iv_length = operation->default_iv_length; + if( iv_size < default_iv_length ) { status = PSA_ERROR_BUFFER_TOO_SMALL; goto exit; } - status = psa_generate_random( iv, operation->default_iv_length ); + if( default_iv_length > PSA_CIPHER_IV_MAX_SIZE ) + { + status = PSA_ERROR_GENERIC_ERROR; + goto exit; + } + + status = psa_generate_random( local_iv, default_iv_length ); if( status != PSA_SUCCESS ) goto exit; status = psa_driver_wrapper_cipher_set_iv( operation, - iv, - operation->default_iv_length ); + local_iv, default_iv_length ); exit: if( status == PSA_SUCCESS ) { + memcpy( iv, local_iv, default_iv_length ); + *iv_length = default_iv_length; operation->iv_set = 1; - *iv_length = operation->default_iv_length; } else + { + *iv_length = 0; psa_cipher_abort( operation ); + } return( status ); } @@ -3516,50 +3549,67 @@ psa_status_t psa_cipher_encrypt( mbedtls_svc_key_id_t key, { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; - psa_key_slot_t *slot; - psa_key_type_t key_type; - size_t iv_length; - - *output_length = 0; + psa_key_slot_t *slot = NULL; + uint8_t local_iv[PSA_CIPHER_IV_MAX_SIZE]; + size_t default_iv_length = 0; if( ! PSA_ALG_IS_CIPHER( alg ) ) - return( PSA_ERROR_INVALID_ARGUMENT ); + { + status = PSA_ERROR_INVALID_ARGUMENT; + goto exit; + } status = psa_get_and_lock_key_slot_with_policy( key, &slot, PSA_KEY_USAGE_ENCRYPT, alg ); if( status != PSA_SUCCESS ) - return( status ); + goto exit; psa_key_attributes_t attributes = { .core = slot->attr }; - key_type = slot->attr.type; - iv_length = PSA_CIPHER_IV_LENGTH( key_type, alg ); + default_iv_length = PSA_CIPHER_IV_LENGTH( slot->attr.type, alg ); + if( default_iv_length > PSA_CIPHER_IV_MAX_SIZE ) + { + status = PSA_ERROR_GENERIC_ERROR; + goto exit; + } - if( iv_length > 0 ) + if( default_iv_length > 0 ) { - if( output_size < iv_length ) + if( output_size < default_iv_length ) { status = PSA_ERROR_BUFFER_TOO_SMALL; goto exit; } - status = psa_generate_random( output, iv_length ); + status = psa_generate_random( local_iv, default_iv_length ); if( status != PSA_SUCCESS ) goto exit; } status = psa_driver_wrapper_cipher_encrypt( &attributes, slot->key.data, slot->key.bytes, - alg, input, input_length, - output, output_size, output_length ); + alg, local_iv, default_iv_length, input, input_length, + output + default_iv_length, output_size - default_iv_length, + output_length ); exit: unlock_status = psa_unlock_key_slot( slot ); + if( status == PSA_SUCCESS ) + status = unlock_status; - return( ( status == PSA_SUCCESS ) ? unlock_status : status ); + if( status == PSA_SUCCESS ) + { + if( default_iv_length > 0 ) + memcpy( output, local_iv, default_iv_length ); + *output_length += default_iv_length; + } + else + *output_length = 0; + + return( status ); } psa_status_t psa_cipher_decrypt( mbedtls_svc_key_id_t key, @@ -3572,24 +3622,30 @@ psa_status_t psa_cipher_decrypt( mbedtls_svc_key_id_t key, { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; - psa_key_slot_t *slot; - - *output_length = 0; + psa_key_slot_t *slot = NULL; if( ! PSA_ALG_IS_CIPHER( alg ) ) - return( PSA_ERROR_INVALID_ARGUMENT ); + { + status = PSA_ERROR_INVALID_ARGUMENT; + goto exit; + } status = psa_get_and_lock_key_slot_with_policy( key, &slot, PSA_KEY_USAGE_DECRYPT, alg ); if( status != PSA_SUCCESS ) - return( status ); + goto exit; psa_key_attributes_t attributes = { .core = slot->attr }; - if( input_length < PSA_CIPHER_IV_LENGTH( slot->attr.type, alg ) ) + if( alg == PSA_ALG_CCM_STAR_NO_TAG && input_length < PSA_BLOCK_CIPHER_BLOCK_LENGTH( slot->attr.type ) ) + { + status = PSA_ERROR_INVALID_ARGUMENT; + goto exit; + } + else if ( input_length < PSA_CIPHER_IV_LENGTH( slot->attr.type, alg ) ) { status = PSA_ERROR_INVALID_ARGUMENT; goto exit; @@ -3602,8 +3658,13 @@ psa_status_t psa_cipher_decrypt( mbedtls_svc_key_id_t key, exit: unlock_status = psa_unlock_key_slot( slot ); + if( status == PSA_SUCCESS ) + status = unlock_status; - return( ( status == PSA_SUCCESS ) ? unlock_status : status ); + if( status != PSA_SUCCESS ) + *output_length = 0; + + return( status ); } @@ -3647,13 +3708,15 @@ static psa_status_t psa_aead_check_nonce_length( psa_algorithm_t alg, case PSA_ALG_CHACHA20_POLY1305: if( nonce_length == 12 ) return( PSA_SUCCESS ); + else if( nonce_length == 8 ) + return( PSA_ERROR_NOT_SUPPORTED ); break; #endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */ default: - break; + return( PSA_ERROR_NOT_SUPPORTED ); } - return( PSA_ERROR_NOT_SUPPORTED ); + return( PSA_ERROR_INVALID_ARGUMENT ); } psa_status_t psa_aead_encrypt( mbedtls_svc_key_id_t key, @@ -3855,6 +3918,7 @@ psa_status_t psa_aead_generate_nonce( psa_aead_operation_t *operation, size_t *nonce_length ) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + uint8_t local_nonce[PSA_AEAD_NONCE_MAX_SIZE]; size_t required_nonce_size; *nonce_length = 0; @@ -3871,6 +3935,15 @@ psa_status_t psa_aead_generate_nonce( psa_aead_operation_t *operation, goto exit; } + /* For CCM, this size may not be correct according to the PSA + * specification. The PSA Crypto 1.0.1 specification states: + * + * CCM encodes the plaintext length pLen in L octets, with L the smallest + * integer >= 2 where pLen < 2^(8L). The nonce length is then 15 - L bytes. + * + * However this restriction that L has to be the smallest integer is not + * applied in practice, and it is not implementable here since the + * plaintext length may or may not be known at this time. */ required_nonce_size = PSA_AEAD_NONCE_LENGTH( operation->key_type, operation->alg ); if( nonce_size < required_nonce_size ) @@ -3879,15 +3952,18 @@ psa_status_t psa_aead_generate_nonce( psa_aead_operation_t *operation, goto exit; } - status = psa_generate_random( nonce, required_nonce_size ); + status = psa_generate_random( local_nonce, required_nonce_size ); if( status != PSA_SUCCESS ) goto exit; - status = psa_aead_set_nonce( operation, nonce, required_nonce_size ); + status = psa_aead_set_nonce( operation, local_nonce, required_nonce_size ); exit: if( status == PSA_SUCCESS ) + { + memcpy( nonce, local_nonce, required_nonce_size ); *nonce_length = required_nonce_size; + } else psa_aead_abort( operation ); @@ -4033,6 +4109,13 @@ psa_status_t psa_aead_update_ad( psa_aead_operation_t *operation, operation->ad_remaining -= input_length; } +#if defined(PSA_WANT_ALG_CCM) + else if( operation->alg == PSA_ALG_CCM ) + { + status = PSA_ERROR_BAD_STATE; + goto exit; + } +#endif /* PSA_WANT_ALG_CCM */ status = psa_driver_wrapper_aead_update_ad( operation, input, input_length ); @@ -4090,6 +4173,13 @@ psa_status_t psa_aead_update( psa_aead_operation_t *operation, operation->body_remaining -= input_length; } +#if defined(PSA_WANT_ALG_CCM) + else if( operation->alg == PSA_ALG_CCM ) + { + status = PSA_ERROR_BAD_STATE; + goto exit; + } +#endif /* PSA_WANT_ALG_CCM */ status = psa_driver_wrapper_aead_update( operation, input, input_length, output, output_size, @@ -4752,6 +4842,9 @@ psa_status_t psa_key_derivation_output_key( const psa_key_attributes_t *attribut if( psa_get_key_bits( attributes ) == 0 ) return( PSA_ERROR_INVALID_ARGUMENT ); + if( operation->alg == PSA_ALG_NONE ) + return( PSA_ERROR_BAD_STATE ); + if( ! operation->can_output_key ) return( PSA_ERROR_NOT_PERMITTED ); @@ -5789,11 +5882,9 @@ void mbedtls_psa_crypto_free( void ) * In particular, this sets all state indicator to the value * indicating "uninitialized". */ mbedtls_platform_zeroize( &global_data, sizeof( global_data ) ); -#if defined(MBEDTLS_PSA_CRYPTO_SE_C) - /* Unregister all secure element drivers, so that we restart from - * a pristine state. */ - psa_unregister_all_se_drivers( ); -#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ + + /* Terminate drivers */ + psa_driver_wrapper_free( ); } #if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS) @@ -5842,11 +5933,10 @@ psa_status_t psa_crypto_init( void ) if( status != PSA_SUCCESS ) goto exit; -#if defined(MBEDTLS_PSA_CRYPTO_SE_C) - status = psa_init_all_se_drivers( ); + /* Init drivers */ + status = psa_driver_wrapper_init( ); if( status != PSA_SUCCESS ) goto exit; -#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ #if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS) status = psa_crypto_load_transaction( ); diff --git a/library/psa_crypto_aead.c b/library/psa_crypto_aead.c index c7f7352fbdcb..714d950a1494 100644 --- a/library/psa_crypto_aead.c +++ b/library/psa_crypto_aead.c @@ -119,6 +119,8 @@ static psa_status_t psa_aead_setup( #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */ default: + (void) status; + (void) key_buffer; return( PSA_ERROR_NOT_SUPPORTED ); } @@ -214,6 +216,11 @@ psa_status_t mbedtls_psa_aead_encrypt( #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */ { (void) tag; + (void) nonce; + (void) nonce_length; + (void) additional_data; + (void) additional_data_length; + (void) plaintext; return( PSA_ERROR_NOT_SUPPORTED ); } @@ -321,6 +328,11 @@ psa_status_t mbedtls_psa_aead_decrypt( else #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */ { + (void) nonce; + (void) nonce_length; + (void) additional_data; + (void) additional_data_length; + (void) plaintext; return( PSA_ERROR_NOT_SUPPORTED ); } @@ -346,13 +358,6 @@ psa_status_t mbedtls_psa_aead_encrypt_setup( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; -#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) - if( operation->alg == PSA_ALG_CCM ) - { - return( PSA_ERROR_NOT_SUPPORTED ); - } -#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */ - status = psa_aead_setup( operation, attributes, key_buffer, key_buffer_size, alg ); @@ -373,13 +378,6 @@ psa_status_t mbedtls_psa_aead_decrypt_setup( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; -#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) - if( operation->alg == PSA_ALG_CCM ) - { - return( PSA_ERROR_NOT_SUPPORTED ); - } -#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */ - status = psa_aead_setup( operation, attributes, key_buffer, key_buffer_size, alg ); @@ -409,6 +407,18 @@ psa_status_t mbedtls_psa_aead_set_nonce( } else #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) + if( operation->alg == PSA_ALG_CCM ) + { + status = mbedtls_to_psa_error( + mbedtls_ccm_starts( &operation->ctx.ccm, + operation->is_encrypt ? + MBEDTLS_CCM_ENCRYPT : MBEDTLS_CCM_DECRYPT, + nonce, + nonce_length ) ); + } + else +#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */ #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305) if( operation->alg == PSA_ALG_CHACHA20_POLY1305 ) { @@ -432,7 +442,9 @@ psa_status_t mbedtls_psa_aead_set_nonce( else #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */ { + ( void ) operation; ( void ) nonce; + ( void ) nonce_length; return ( PSA_ERROR_NOT_SUPPORTED ); } @@ -446,11 +458,21 @@ psa_status_t mbedtls_psa_aead_set_lengths( size_t ad_length, size_t plaintext_length ) { - /* Nothing here yet, work is currently done in PSA Core, however support - * for CCM will require this function. */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) + if( operation->alg == PSA_ALG_CCM ) + { + return( mbedtls_to_psa_error( + mbedtls_ccm_set_lengths( &operation->ctx.ccm, + ad_length, + plaintext_length, + operation->tag_length ) ) ); + + } +#else /* MBEDTLS_PSA_BUILTIN_ALG_CCM */ ( void ) operation; ( void ) ad_length; ( void ) plaintext_length; +#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */ return ( PSA_SUCCESS ); } @@ -471,6 +493,14 @@ psa_status_t mbedtls_psa_aead_update_ad( } else #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) + if( operation->alg == PSA_ALG_CCM ) + { + status = mbedtls_to_psa_error( + mbedtls_ccm_update_ad( &operation->ctx.ccm, input, input_length ) ); + } + else +#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */ #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305) if( operation->alg == PSA_ALG_CHACHA20_POLY1305 ) { @@ -518,6 +548,20 @@ psa_status_t mbedtls_psa_aead_update( } else #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) + if( operation->alg == PSA_ALG_CCM ) + { + if( output_size < input_length ) + return( PSA_ERROR_BUFFER_TOO_SMALL ); + + status = mbedtls_to_psa_error( + mbedtls_ccm_update( &operation->ctx.ccm, + input, input_length, + output, output_size, + &update_output_length ) ); + } + else +#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */ #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305) if( operation->alg == PSA_ALG_CHACHA20_POLY1305 ) { @@ -533,8 +577,10 @@ psa_status_t mbedtls_psa_aead_update( else #endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */ { + ( void ) operation; ( void ) input; - ( void ) input_length; + ( void ) output; + ( void ) output_size; return ( PSA_ERROR_NOT_SUPPORTED ); } @@ -571,6 +617,20 @@ psa_status_t mbedtls_psa_aead_finish( } else #endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) + if( operation->alg == PSA_ALG_CCM ) + { + /* tag must be big enough to store a tag of size passed into set + * lengths. */ + if( tag_size < operation->tag_length ) + return( PSA_ERROR_BUFFER_TOO_SMALL ); + + status = mbedtls_to_psa_error( + mbedtls_ccm_finish( &operation->ctx.ccm, + tag, operation->tag_length ) ); + } + else +#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */ #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305) if( operation->alg == PSA_ALG_CHACHA20_POLY1305 ) { diff --git a/library/psa_crypto_cipher.c b/library/psa_crypto_cipher.c index 2268fc58507a..ae30e5fb617d 100644 --- a/library/psa_crypto_cipher.c +++ b/library/psa_crypto_cipher.c @@ -31,30 +31,6 @@ #include <string.h> -#if ( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) || \ - ( defined(PSA_CRYPTO_DRIVER_TEST) && \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DES) ) ) -#define BUILTIN_KEY_TYPE_DES 1 -#endif - -#if ( defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) || \ - ( defined(PSA_CRYPTO_DRIVER_TEST) && \ - defined(MBEDTLS_PSA_ACCEL_ALG_CBC_NO_PADDING) ) ) -#define BUILTIN_ALG_CBC_NO_PADDING 1 -#endif - -#if ( defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7) || \ - ( defined(PSA_CRYPTO_DRIVER_TEST) && \ - defined(MBEDTLS_PSA_ACCEL_ALG_CBC_PKCS7) ) ) -#define BUILTIN_ALG_CBC_PKCS7 1 -#endif - -#if ( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20) || \ - ( defined(PSA_CRYPTO_DRIVER_TEST) && \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20) ) ) -#define BUILTIN_KEY_TYPE_CHACHA20 1 -#endif - const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( psa_algorithm_t alg, psa_key_type_t key_type, @@ -92,6 +68,9 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( case PSA_ALG_CBC_PKCS7: mode = MBEDTLS_MODE_CBC; break; + case PSA_ALG_CCM_STAR_NO_TAG: + mode = MBEDTLS_MODE_CCM_STAR_NO_TAG; + break; case PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, 0 ): mode = MBEDTLS_MODE_CCM; break; @@ -115,6 +94,9 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( case PSA_KEY_TYPE_AES: cipher_id_tmp = MBEDTLS_CIPHER_ID_AES; break; + case PSA_KEY_TYPE_ARIA: + cipher_id_tmp = MBEDTLS_CIPHER_ID_ARIA; + break; case PSA_KEY_TYPE_DES: /* key_bits is 64 for Single-DES, 128 for two-key Triple-DES, * and 192 for three-key Triple-DES. */ @@ -144,9 +126,9 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( (int) key_bits, mode ) ); } -#if defined(MBEDTLS_PSA_BUILTIN_CIPHER) || defined(PSA_CRYPTO_DRIVER_TEST) +#if defined(MBEDTLS_PSA_BUILTIN_CIPHER) -static psa_status_t cipher_setup( +static psa_status_t psa_cipher_setup( mbedtls_psa_cipher_operation_t *operation, const psa_key_attributes_t *attributes, const uint8_t *key_buffer, size_t key_buffer_size, @@ -173,7 +155,7 @@ static psa_status_t cipher_setup( if( ret != 0 ) goto exit; -#if defined(BUILTIN_KEY_TYPE_DES) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) if( key_type == PSA_KEY_TYPE_DES && key_bits == 128 ) { /* Two-key Triple-DES is 3-key Triple-DES with K1=K3 */ @@ -193,8 +175,8 @@ static psa_status_t cipher_setup( if( ret != 0 ) goto exit; -#if defined(BUILTIN_ALG_CBC_NO_PADDING) || \ - defined(BUILTIN_ALG_CBC_PKCS7) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7) switch( alg ) { case PSA_ALG_CBC_NO_PADDING: @@ -212,7 +194,8 @@ static psa_status_t cipher_setup( } if( ret != 0 ) goto exit; -#endif /* BUILTIN_ALG_CBC_NO_PADDING || BUILTIN_ALG_CBC_PKCS7 */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING || + MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7 */ operation->block_length = ( PSA_ALG_IS_STREAM_CIPHER( alg ) ? 1 : PSA_BLOCK_CIPHER_BLOCK_LENGTH( key_type ) ); @@ -222,30 +205,31 @@ static psa_status_t cipher_setup( return( mbedtls_to_psa_error( ret ) ); } -static psa_status_t cipher_encrypt_setup( +psa_status_t mbedtls_psa_cipher_encrypt_setup( mbedtls_psa_cipher_operation_t *operation, const psa_key_attributes_t *attributes, const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg ) { - return( cipher_setup( operation, attributes, - key_buffer, key_buffer_size, - alg, MBEDTLS_ENCRYPT ) ); + return( psa_cipher_setup( operation, attributes, + key_buffer, key_buffer_size, + alg, MBEDTLS_ENCRYPT ) ); } -static psa_status_t cipher_decrypt_setup( +psa_status_t mbedtls_psa_cipher_decrypt_setup( mbedtls_psa_cipher_operation_t *operation, const psa_key_attributes_t *attributes, const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg ) { - return( cipher_setup( operation, attributes, - key_buffer, key_buffer_size, - alg, MBEDTLS_DECRYPT ) ); + return( psa_cipher_setup( operation, attributes, + key_buffer, key_buffer_size, + alg, MBEDTLS_DECRYPT ) ); } -static psa_status_t cipher_set_iv( mbedtls_psa_cipher_operation_t *operation, - const uint8_t *iv, size_t iv_length ) +psa_status_t mbedtls_psa_cipher_set_iv( + mbedtls_psa_cipher_operation_t *operation, + const uint8_t *iv, size_t iv_length ) { if( iv_length != operation->iv_length ) return( PSA_ERROR_INVALID_ARGUMENT ); @@ -359,12 +343,10 @@ static psa_status_t psa_cipher_update_ecb( return( status ); } -static psa_status_t cipher_update( mbedtls_psa_cipher_operation_t *operation, - const uint8_t *input, - size_t input_length, - uint8_t *output, - size_t output_size, - size_t *output_length ) +psa_status_t mbedtls_psa_cipher_update( + mbedtls_psa_cipher_operation_t *operation, + const uint8_t *input, size_t input_length, + uint8_t *output, size_t output_size, size_t *output_length ) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; size_t expected_output_size; @@ -411,10 +393,9 @@ static psa_status_t cipher_update( mbedtls_psa_cipher_operation_t *operation, return( status ); } -static psa_status_t cipher_finish( mbedtls_psa_cipher_operation_t *operation, - uint8_t *output, - size_t output_size, - size_t *output_length ) +psa_status_t mbedtls_psa_cipher_finish( + mbedtls_psa_cipher_operation_t *operation, + uint8_t *output, size_t output_size, size_t *output_length ) { psa_status_t status = PSA_ERROR_GENERIC_ERROR; uint8_t temp_output_buffer[MBEDTLS_MAX_BLOCK_LENGTH]; @@ -450,7 +431,8 @@ static psa_status_t cipher_finish( mbedtls_psa_cipher_operation_t *operation, return( status ); } -static psa_status_t cipher_abort( mbedtls_psa_cipher_operation_t *operation ) +psa_status_t mbedtls_psa_cipher_abort( + mbedtls_psa_cipher_operation_t *operation ) { /* Sanity check (shouldn't happen: operation->alg should * always have been initialized to a valid value). */ @@ -462,95 +444,100 @@ static psa_status_t cipher_abort( mbedtls_psa_cipher_operation_t *operation ) return( PSA_SUCCESS ); } -static psa_status_t cipher_encrypt( const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, - size_t key_buffer_size, - psa_algorithm_t alg, - const uint8_t *input, - size_t input_length, - uint8_t *output, - size_t output_size, - size_t *output_length ) +psa_status_t mbedtls_psa_cipher_encrypt( + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, + size_t key_buffer_size, + psa_algorithm_t alg, + const uint8_t *iv, + size_t iv_length, + const uint8_t *input, + size_t input_length, + uint8_t *output, + size_t output_size, + size_t *output_length ) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; mbedtls_psa_cipher_operation_t operation = MBEDTLS_PSA_CIPHER_OPERATION_INIT; - size_t olength, accumulated_length; + size_t update_output_length, finish_output_length; - status = cipher_encrypt_setup( &operation, attributes, - key_buffer, key_buffer_size, alg ); + status = mbedtls_psa_cipher_encrypt_setup( &operation, attributes, + key_buffer, key_buffer_size, + alg ); if( status != PSA_SUCCESS ) goto exit; - accumulated_length = 0; - if( operation.iv_length > 0 ) + if( iv_length > 0 ) { - status = cipher_set_iv( &operation, output, operation.iv_length ); + status = mbedtls_psa_cipher_set_iv( &operation, iv, iv_length ); if( status != PSA_SUCCESS ) goto exit; - - accumulated_length = operation.iv_length; } - status = cipher_update( &operation, input, input_length, - output + operation.iv_length, - output_size - operation.iv_length, - &olength ); + status = mbedtls_psa_cipher_update( &operation, input, input_length, + output, output_size, + &update_output_length ); if( status != PSA_SUCCESS ) goto exit; - accumulated_length += olength; - - status = cipher_finish( &operation, output + accumulated_length, - output_size - accumulated_length, &olength ); + status = mbedtls_psa_cipher_finish( &operation, + output + update_output_length, + output_size - update_output_length, + &finish_output_length ); if( status != PSA_SUCCESS ) goto exit; - *output_length = accumulated_length + olength; + *output_length = update_output_length + finish_output_length; exit: if( status == PSA_SUCCESS ) - status = cipher_abort( &operation ); + status = mbedtls_psa_cipher_abort( &operation ); else - cipher_abort( &operation ); + mbedtls_psa_cipher_abort( &operation ); + return( status ); } -static psa_status_t cipher_decrypt( const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, - size_t key_buffer_size, - psa_algorithm_t alg, - const uint8_t *input, - size_t input_length, - uint8_t *output, - size_t output_size, - size_t *output_length ) +psa_status_t mbedtls_psa_cipher_decrypt( + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, + size_t key_buffer_size, + psa_algorithm_t alg, + const uint8_t *input, + size_t input_length, + uint8_t *output, + size_t output_size, + size_t *output_length ) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; mbedtls_psa_cipher_operation_t operation = MBEDTLS_PSA_CIPHER_OPERATION_INIT; size_t olength, accumulated_length; - status = cipher_decrypt_setup( &operation, attributes, - key_buffer, key_buffer_size, alg ); + status = mbedtls_psa_cipher_decrypt_setup( &operation, attributes, + key_buffer, key_buffer_size, + alg ); if( status != PSA_SUCCESS ) goto exit; if( operation.iv_length > 0 ) { - status = cipher_set_iv( &operation, input, operation.iv_length ); + status = mbedtls_psa_cipher_set_iv( &operation, + input, operation.iv_length ); if( status != PSA_SUCCESS ) goto exit; } - status = cipher_update( &operation, input + operation.iv_length, - input_length - operation.iv_length, - output, output_size, &olength ); + status = mbedtls_psa_cipher_update( &operation, input + operation.iv_length, + input_length - operation.iv_length, + output, output_size, &olength ); if( status != PSA_SUCCESS ) goto exit; accumulated_length = olength; - status = cipher_finish( &operation, output + accumulated_length, - output_size - accumulated_length, &olength ); + status = mbedtls_psa_cipher_finish( &operation, output + accumulated_length, + output_size - accumulated_length, + &olength ); if( status != PSA_SUCCESS ) goto exit; @@ -558,181 +545,12 @@ static psa_status_t cipher_decrypt( const psa_key_attributes_t *attributes, exit: if ( status == PSA_SUCCESS ) - status = cipher_abort( &operation ); + status = mbedtls_psa_cipher_abort( &operation ); else - cipher_abort( &operation ); - return( status ); -} -#endif /* MBEDTLS_PSA_BUILTIN_CIPHER || PSA_CRYPTO_DRIVER_TEST */ - -#if defined(MBEDTLS_PSA_BUILTIN_CIPHER) -psa_status_t mbedtls_psa_cipher_encrypt_setup( - mbedtls_psa_cipher_operation_t *operation, - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, size_t key_buffer_size, - psa_algorithm_t alg ) -{ - return( cipher_encrypt_setup( - operation, attributes, key_buffer, key_buffer_size, alg ) ); -} - -psa_status_t mbedtls_psa_cipher_decrypt_setup( - mbedtls_psa_cipher_operation_t *operation, - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, size_t key_buffer_size, - psa_algorithm_t alg ) -{ - return( cipher_decrypt_setup( - operation, attributes, key_buffer, key_buffer_size, alg ) ); -} - -psa_status_t mbedtls_psa_cipher_set_iv( mbedtls_psa_cipher_operation_t *operation, - const uint8_t *iv, - size_t iv_length ) -{ - return( cipher_set_iv( operation, iv, iv_length ) ); -} - -psa_status_t mbedtls_psa_cipher_update( mbedtls_psa_cipher_operation_t *operation, - const uint8_t *input, - size_t input_length, - uint8_t *output, - size_t output_size, - size_t *output_length ) -{ - return( cipher_update( operation, input, input_length, - output, output_size, output_length ) ); -} - -psa_status_t mbedtls_psa_cipher_finish( mbedtls_psa_cipher_operation_t *operation, - uint8_t *output, - size_t output_size, - size_t *output_length ) -{ - return( cipher_finish( operation, output, output_size, output_length ) ); -} - -psa_status_t mbedtls_psa_cipher_abort( mbedtls_psa_cipher_operation_t *operation ) -{ - return( cipher_abort( operation ) ); -} + mbedtls_psa_cipher_abort( &operation ); -psa_status_t mbedtls_psa_cipher_encrypt( const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, - size_t key_buffer_size, - psa_algorithm_t alg, - const uint8_t *input, - size_t input_length, - uint8_t *output, - size_t output_size, - size_t *output_length ) -{ - return( cipher_encrypt( attributes, key_buffer, key_buffer_size, - alg, input, input_length, - output, output_size, output_length ) ); -} - -psa_status_t mbedtls_psa_cipher_decrypt( const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, - size_t key_buffer_size, - psa_algorithm_t alg, - const uint8_t *input, - size_t input_length, - uint8_t *output, - size_t output_size, - size_t *output_length ) -{ - return( cipher_decrypt( attributes, key_buffer, key_buffer_size, - alg, input, input_length, - output, output_size, output_length ) ); + return( status ); } #endif /* MBEDTLS_PSA_BUILTIN_CIPHER */ -/* - * BEYOND THIS POINT, TEST DRIVER ENTRY POINTS ONLY. - */ - -#if defined(PSA_CRYPTO_DRIVER_TEST) -psa_status_t mbedtls_transparent_test_driver_cipher_encrypt_setup( - mbedtls_psa_cipher_operation_t *operation, - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, size_t key_buffer_size, - psa_algorithm_t alg ) -{ - return( cipher_encrypt_setup( - operation, attributes, key_buffer, key_buffer_size, alg ) ); -} - -psa_status_t mbedtls_transparent_test_driver_cipher_decrypt_setup( - mbedtls_psa_cipher_operation_t *operation, - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, size_t key_buffer_size, - psa_algorithm_t alg ) -{ - return( cipher_decrypt_setup( - operation, attributes, key_buffer, key_buffer_size, alg ) ); -} - -psa_status_t mbedtls_transparent_test_driver_cipher_set_iv( - mbedtls_psa_cipher_operation_t *operation, - const uint8_t *iv, size_t iv_length ) -{ - return( cipher_set_iv( operation, iv, iv_length ) ); -} - -psa_status_t mbedtls_transparent_test_driver_cipher_update( - mbedtls_psa_cipher_operation_t *operation, - const uint8_t *input, size_t input_length, - uint8_t *output, size_t output_size, size_t *output_length ) -{ - return( cipher_update( operation, input, input_length, - output, output_size, output_length ) ); -} - -psa_status_t mbedtls_transparent_test_driver_cipher_finish( - mbedtls_psa_cipher_operation_t *operation, - uint8_t *output, size_t output_size, size_t *output_length ) -{ - return( cipher_finish( operation, output, output_size, output_length ) ); -} - -psa_status_t mbedtls_transparent_test_driver_cipher_abort( - mbedtls_psa_cipher_operation_t *operation ) -{ - return( cipher_abort( operation ) ); -} - -psa_status_t mbedtls_transparent_test_driver_cipher_encrypt( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, - size_t key_buffer_size, - psa_algorithm_t alg, - const uint8_t *input, - size_t input_length, - uint8_t *output, - size_t output_size, - size_t *output_length ) -{ - return( cipher_encrypt( attributes, key_buffer, key_buffer_size, - alg, input, input_length, - output, output_size, output_length ) ); -} - -psa_status_t mbedtls_transparent_test_driver_cipher_decrypt( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, - size_t key_buffer_size, - psa_algorithm_t alg, - const uint8_t *input, - size_t input_length, - uint8_t *output, - size_t output_size, - size_t *output_length ) -{ - return( cipher_decrypt( attributes, key_buffer, key_buffer_size, - alg, input, input_length, - output, output_size, output_length ) ); -} -#endif /* PSA_CRYPTO_DRIVER_TEST */ - #endif /* MBEDTLS_PSA_CRYPTO_C */ diff --git a/library/psa_crypto_cipher.h b/library/psa_crypto_cipher.h index 5971e8d3f0cf..fae98473c48e 100644 --- a/library/psa_crypto_cipher.h +++ b/library/psa_crypto_cipher.h @@ -213,16 +213,12 @@ psa_status_t mbedtls_psa_cipher_abort( mbedtls_psa_cipher_operation_t *operation * \param[in] alg The cipher algorithm to compute * (\c PSA_ALG_XXX value such that * #PSA_ALG_IS_CIPHER(\p alg) is true). - * \param[in] input Buffer containing the message to encrypt. - * \param[in] input_length Size of the \p input buffer in bytes. + * \param[in] iv Buffer containing the IV for encryption. The + * IV has been generated by the core. + * \param[in] iv_length Size of the \p iv in bytes. + * \param[in] input Buffer containing the message to encrypt. + * \param[in] input_length Size of the \p input buffer in bytes. * \param[in,out] output Buffer where the output is to be written. - * The core has generated and written the IV - * at the beginning of this buffer before - * this function is called. The size of the IV - * is PSA_CIPHER_IV_LENGTH( key_type, alg ) where - * \c key_type is the type of the key identified - * by \p key and \p alg is the cipher algorithm - * to compute. * \param[in] output_size Size of the \p output buffer in bytes. * \param[out] output_length On success, the number of bytes that make up * the returned output. Initialized to zero @@ -235,7 +231,7 @@ psa_status_t mbedtls_psa_cipher_abort( mbedtls_psa_cipher_operation_t *operation * \retval #PSA_ERROR_BUFFER_TOO_SMALL * The size of the \p output buffer is too small. * \retval #PSA_ERROR_INVALID_ARGUMENT - * The size of \p iv is not acceptable for the chosen algorithm, + * The size \p iv_length is not acceptable for the chosen algorithm, * or the chosen algorithm does not use an IV. * The total input size passed to this operation is not valid for * this particular algorithm. For example, the algorithm is a based @@ -249,6 +245,8 @@ psa_status_t mbedtls_psa_cipher_encrypt( const psa_key_attributes_t *attributes, const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg, + const uint8_t *iv, + size_t iv_length, const uint8_t *input, size_t input_length, uint8_t *output, @@ -304,60 +302,4 @@ psa_status_t mbedtls_psa_cipher_decrypt( const psa_key_attributes_t *attributes, size_t output_size, size_t *output_length ); -/* - * BEYOND THIS POINT, TEST DRIVER ENTRY POINTS ONLY. - */ - -#if defined(PSA_CRYPTO_DRIVER_TEST) -psa_status_t mbedtls_transparent_test_driver_cipher_encrypt_setup( - mbedtls_psa_cipher_operation_t *operation, - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, size_t key_buffer_size, - psa_algorithm_t alg ); - -psa_status_t mbedtls_transparent_test_driver_cipher_decrypt_setup( - mbedtls_psa_cipher_operation_t *operation, - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, size_t key_buffer_size, - psa_algorithm_t alg ); - -psa_status_t mbedtls_transparent_test_driver_cipher_set_iv( - mbedtls_psa_cipher_operation_t *operation, - const uint8_t *iv, size_t iv_length ); - -psa_status_t mbedtls_transparent_test_driver_cipher_update( - mbedtls_psa_cipher_operation_t *operation, - const uint8_t *input, size_t input_length, - uint8_t *output, size_t output_size, size_t *output_length ); - -psa_status_t mbedtls_transparent_test_driver_cipher_finish( - mbedtls_psa_cipher_operation_t *operation, - uint8_t *output, size_t output_size, size_t *output_length ); - -psa_status_t mbedtls_transparent_test_driver_cipher_abort( - mbedtls_psa_cipher_operation_t *operation ); - -psa_status_t mbedtls_transparent_test_driver_cipher_encrypt( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, - size_t key_buffer_size, - psa_algorithm_t alg, - const uint8_t *input, - size_t input_length, - uint8_t *output, - size_t output_size, - size_t *output_length ); - -psa_status_t mbedtls_transparent_test_driver_cipher_decrypt( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, - size_t key_buffer_size, - psa_algorithm_t alg, - const uint8_t *input, - size_t input_length, - uint8_t *output, - size_t output_size, - size_t *output_length ); -#endif /* PSA_CRYPTO_DRIVER_TEST */ - #endif /* PSA_CRYPTO_CIPHER_H */ diff --git a/library/psa_crypto_driver_wrappers.c b/library/psa_crypto_driver_wrappers.c index cfc77fbb5b9f..8d86478624cb 100644 --- a/library/psa_crypto_driver_wrappers.c +++ b/library/psa_crypto_driver_wrappers.c @@ -67,6 +67,44 @@ #include "psa_crypto_se.h" #endif +psa_status_t psa_driver_wrapper_init( void ) +{ + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + +#if defined(MBEDTLS_PSA_CRYPTO_SE_C) + status = psa_init_all_se_drivers( ); + if( status != PSA_SUCCESS ) + return( status ); +#endif + +#if defined(PSA_CRYPTO_DRIVER_TEST) + status = mbedtls_test_transparent_init( ); + if( status != PSA_SUCCESS ) + return( status ); + + status = mbedtls_test_opaque_init( ); + if( status != PSA_SUCCESS ) + return( status ); +#endif + + (void) status; + return( PSA_SUCCESS ); +} + +void psa_driver_wrapper_free( void ) +{ +#if defined(MBEDTLS_PSA_CRYPTO_SE_C) + /* Unregister all secure element drivers, so that we restart from + * a pristine state. */ + psa_unregister_all_se_drivers( ); +#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ + +#if defined(PSA_CRYPTO_DRIVER_TEST) + mbedtls_test_transparent_free( ); + mbedtls_test_opaque_free( ); +#endif +} + /* Start delegation functions */ psa_status_t psa_driver_wrapper_sign_message( const psa_key_attributes_t *attributes, @@ -835,6 +873,8 @@ psa_status_t psa_driver_wrapper_cipher_encrypt( const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg, + const uint8_t *iv, + size_t iv_length, const uint8_t *input, size_t input_length, uint8_t *output, @@ -856,6 +896,8 @@ psa_status_t psa_driver_wrapper_cipher_encrypt( key_buffer, key_buffer_size, alg, + iv, + iv_length, input, input_length, output, @@ -872,6 +914,8 @@ psa_status_t psa_driver_wrapper_cipher_encrypt( key_buffer, key_buffer_size, alg, + iv, + iv_length, input, input_length, output, @@ -889,6 +933,8 @@ psa_status_t psa_driver_wrapper_cipher_encrypt( key_buffer, key_buffer_size, alg, + iv, + iv_length, input, input_length, output, @@ -903,6 +949,8 @@ psa_status_t psa_driver_wrapper_cipher_encrypt( (void)key_buffer; (void)key_buffer_size; (void)alg; + (void)iv; + (void)iv_length; (void)input; (void)input_length; (void)output; @@ -1059,6 +1107,7 @@ psa_status_t psa_driver_wrapper_cipher_encrypt_setup( default: /* Key is declared with a lifetime not known to us */ (void)status; + (void)operation; (void)key_buffer; (void)key_buffer_size; (void)alg; @@ -1130,6 +1179,7 @@ psa_status_t psa_driver_wrapper_cipher_decrypt_setup( default: /* Key is declared with a lifetime not known to us */ (void)status; + (void)operation; (void)key_buffer; (void)key_buffer_size; (void)alg; @@ -2076,6 +2126,7 @@ psa_status_t psa_driver_wrapper_mac_sign_setup( default: /* Key is declared with a lifetime not known to us */ (void) status; + (void) operation; (void) key_buffer; (void) key_buffer_size; (void) alg; @@ -2147,6 +2198,7 @@ psa_status_t psa_driver_wrapper_mac_verify_setup( default: /* Key is declared with a lifetime not known to us */ (void) status; + (void) operation; (void) key_buffer; (void) key_buffer_size; (void) alg; diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h index 0873b738d824..e09e4ed70eac 100644 --- a/library/psa_crypto_driver_wrappers.h +++ b/library/psa_crypto_driver_wrappers.h @@ -25,6 +25,12 @@ #include "psa/crypto.h" #include "psa/crypto_driver_common.h" +/* + * Initialization and termination functions + */ +psa_status_t psa_driver_wrapper_init( void ); +void psa_driver_wrapper_free( void ); + /* * Signature functions */ @@ -113,6 +119,8 @@ psa_status_t psa_driver_wrapper_cipher_encrypt( const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg, + const uint8_t *iv, + size_t iv_length, const uint8_t *input, size_t input_length, uint8_t *output, diff --git a/library/psa_crypto_ecp.c b/library/psa_crypto_ecp.c index 144ba1c1b39a..db6682c6dce8 100644 --- a/library/psa_crypto_ecp.c +++ b/library/psa_crypto_ecp.c @@ -40,36 +40,10 @@ #include <mbedtls/ecp.h> #include <mbedtls/error.h> -#if ( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ - ( defined(PSA_CRYPTO_DRIVER_TEST) && \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) ) ) -#define BUILTIN_KEY_TYPE_ECC_KEY_PAIR 1 -#endif - -#if ( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ - ( defined(PSA_CRYPTO_DRIVER_TEST) && \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) ) ) -#define BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY 1 -#endif - -#if ( defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ - ( defined(PSA_CRYPTO_DRIVER_TEST) && \ - defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) && \ - defined(MBEDTLS_ECDSA_C) ) ) -#define BUILTIN_ALG_ECDSA 1 -#endif - -#if ( defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \ - ( defined(PSA_CRYPTO_DRIVER_TEST) && \ - defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA) && \ - defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECDSA_DETERMINISTIC) ) ) -#define BUILTIN_ALG_DETERMINISTIC_ECDSA 1 -#endif - -#if defined(BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ - defined(BUILTIN_ALG_ECDSA) || \ - defined(BUILTIN_ALG_DETERMINISTIC_ECDSA) || \ +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) psa_status_t mbedtls_psa_ecp_load_representation( psa_key_type_t type, size_t curve_bits, @@ -181,16 +155,16 @@ psa_status_t mbedtls_psa_ecp_load_representation( return( status ); } -#endif /* defined(BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || - * defined(BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || - * defined(BUILTIN_ALG_ECDSA) || - * defined(BUILTIN_ALG_DETERMINISTIC_ECDSA) || +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || + * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || * defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) */ -#if defined(BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) -static psa_status_t ecp_import_key( +psa_status_t mbedtls_psa_ecp_import_key( const psa_key_attributes_t *attributes, const uint8_t *data, size_t data_length, uint8_t *key_buffer, size_t key_buffer_size, @@ -281,7 +255,7 @@ psa_status_t mbedtls_psa_ecp_export_key( psa_key_type_t type, } } -static psa_status_t ecp_export_public_key( +psa_status_t mbedtls_psa_ecp_export_public_key( const psa_key_attributes_t *attributes, const uint8_t *key_buffer, size_t key_buffer_size, uint8_t *data, size_t data_size, size_t *data_length ) @@ -305,11 +279,11 @@ static psa_status_t ecp_export_public_key( return( status ); } -#endif /* defined(BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || - * defined(BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || + * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */ -#if defined(BUILTIN_KEY_TYPE_ECC_KEY_PAIR) -static psa_status_t ecp_generate_key( +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) +psa_status_t mbedtls_psa_ecp_generate_key( const psa_key_attributes_t *attributes, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length ) { @@ -351,15 +325,15 @@ static psa_status_t ecp_generate_key( return( status ); } -#endif /* defined(BUILTIN_KEY_TYPE_ECC_KEY_PAIR) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) */ /****************************************************************/ /* ECDSA sign/verify */ /****************************************************************/ -#if defined(BUILTIN_ALG_ECDSA) || \ - defined(BUILTIN_ALG_DETERMINISTIC_ECDSA) -static psa_status_t ecdsa_sign_hash( +#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) +psa_status_t mbedtls_psa_ecdsa_sign_hash( const psa_key_attributes_t *attributes, const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, @@ -391,7 +365,7 @@ static psa_status_t ecdsa_sign_hash( if( PSA_ALG_ECDSA_IS_DETERMINISTIC( alg ) ) { -#if defined(BUILTIN_ALG_DETERMINISTIC_ECDSA) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH( alg ); const mbedtls_md_info_t *md_info = mbedtls_md_info_from_psa( hash_alg ); mbedtls_md_type_t md_alg = mbedtls_md_get_type( md_info ); @@ -404,7 +378,7 @@ static psa_status_t ecdsa_sign_hash( #else ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; goto cleanup; -#endif /* defined(BUILTIN_ALG_DETERMINISTIC_ECDSA) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ } else { @@ -433,7 +407,7 @@ static psa_status_t ecdsa_sign_hash( return( mbedtls_to_psa_error( ret ) ); } -static psa_status_t ecdsa_verify_hash( +psa_status_t mbedtls_psa_ecdsa_verify_hash( const psa_key_attributes_t *attributes, const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, @@ -492,177 +466,7 @@ static psa_status_t ecdsa_verify_hash( return( mbedtls_to_psa_error( ret ) ); } -#endif /* defined(BUILTIN_ALG_ECDSA) || \ - * defined(BUILTIN_ALG_DETERMINISTIC_ECDSA) */ - -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) - -psa_status_t mbedtls_psa_ecp_import_key( - const psa_key_attributes_t *attributes, - const uint8_t *data, size_t data_length, - uint8_t *key_buffer, size_t key_buffer_size, - size_t *key_buffer_length, size_t *bits ) -{ - return( ecp_import_key( attributes, data, data_length, - key_buffer, key_buffer_size, - key_buffer_length, bits ) ); -} - -psa_status_t mbedtls_psa_ecp_export_public_key( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, size_t key_buffer_size, - uint8_t *data, size_t data_size, size_t *data_length ) -{ - return( ecp_export_public_key( attributes, key_buffer, key_buffer_size, - data, data_size, data_length ) ); -} - -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || - * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */ - -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) -psa_status_t mbedtls_psa_ecp_generate_key( - const psa_key_attributes_t *attributes, - uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length ) -{ - return( ecp_generate_key( attributes, key_buffer, key_buffer_size, - key_buffer_length ) ); -} -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) */ - - -#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) - -psa_status_t mbedtls_psa_ecdsa_sign_hash( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, size_t key_buffer_size, - psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, - uint8_t *signature, size_t signature_size, size_t *signature_length ) -{ - - return( ecdsa_sign_hash( attributes, - key_buffer, key_buffer_size, - alg, hash, hash_length, - signature, signature_size, signature_length ) ); -} - -psa_status_t mbedtls_psa_ecdsa_verify_hash( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, size_t key_buffer_size, - psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, - const uint8_t *signature, size_t signature_length ) -{ - return( ecdsa_verify_hash( attributes, - key_buffer, key_buffer_size, - alg, hash, hash_length, - signature, signature_length ) ); -} - -#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ -/* - * BEYOND THIS POINT, TEST DRIVER ENTRY POINTS ONLY. - */ - -#if defined(PSA_CRYPTO_DRIVER_TEST) - -#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) - -psa_status_t mbedtls_test_driver_ecp_import_key( - const psa_key_attributes_t *attributes, - const uint8_t *data, size_t data_length, - uint8_t *key_buffer, size_t key_buffer_size, - size_t *key_buffer_length, size_t *bits ) -{ - return( ecp_import_key( attributes, data, data_length, - key_buffer, key_buffer_size, - key_buffer_length, bits ) ); -} - -psa_status_t mbedtls_test_driver_ecp_export_public_key( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, size_t key_buffer_size, - uint8_t *data, size_t data_size, size_t *data_length ) -{ - return( ecp_export_public_key( attributes, key_buffer, key_buffer_size, - data, data_size, data_length ) ); -} - -#endif /* defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) */ - -#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) && \ - defined(MBEDTLS_GENPRIME) -psa_status_t mbedtls_transparent_test_driver_ecp_generate_key( - const psa_key_attributes_t *attributes, - uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length ) -{ - return( ecp_generate_key( attributes, key_buffer, key_buffer_size, - key_buffer_length ) ); -} -#endif /* defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) && - defined(MBEDTLS_GENPRIME) */ - -#if defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) || \ - defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA) - -psa_status_t mbedtls_transparent_test_driver_ecdsa_sign_hash( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, size_t key_buffer_size, - psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, - uint8_t *signature, size_t signature_size, size_t *signature_length ) -{ - -#if defined(MBEDTLS_ECDSA_C) - return( ecdsa_sign_hash( attributes, - key_buffer, key_buffer_size, - alg, hash, hash_length, - signature, signature_size, signature_length ) ); -#else - (void)attributes; - (void)key_buffer; - (void)key_buffer_size; - (void)alg; - (void)hash; - (void)hash_length; - (void)signature; - (void)signature_size; - (void)signature_length; - return( PSA_ERROR_NOT_SUPPORTED ); -#endif -} - -psa_status_t mbedtls_transparent_test_driver_ecdsa_verify_hash( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, size_t key_buffer_size, - psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, - const uint8_t *signature, size_t signature_length ) -{ -#if defined(MBEDTLS_ECDSA_C) - return( ecdsa_verify_hash( attributes, - key_buffer, key_buffer_size, - alg, hash, hash_length, - signature, signature_length ) ); -#else - (void)attributes; - (void)key_buffer; - (void)key_buffer_size; - (void)alg; - (void)hash; - (void)hash_length; - (void)signature; - (void)signature_length; - return( PSA_ERROR_NOT_SUPPORTED ); -#endif -} - -#endif /* defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) || - * defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA) */ - -#endif /* PSA_CRYPTO_DRIVER_TEST */ - #endif /* MBEDTLS_PSA_CRYPTO_C */ diff --git a/library/psa_crypto_ecp.h b/library/psa_crypto_ecp.h index dc9e887effeb..429c062719b3 100644 --- a/library/psa_crypto_ecp.h +++ b/library/psa_crypto_ecp.h @@ -218,39 +218,4 @@ psa_status_t mbedtls_psa_ecdsa_verify_hash( const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, const uint8_t *signature, size_t signature_length ); -/* - * BEYOND THIS POINT, TEST DRIVER ENTRY POINTS ONLY. - */ - -#if defined(PSA_CRYPTO_DRIVER_TEST) - -psa_status_t mbedtls_test_driver_ecp_import_key( - const psa_key_attributes_t *attributes, - const uint8_t *data, size_t data_length, - uint8_t *key_buffer, size_t key_buffer_size, - size_t *key_buffer_length, size_t *bits ); - -psa_status_t mbedtls_test_driver_ecp_export_public_key( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, size_t key_buffer_size, - uint8_t *data, size_t data_size, size_t *data_length ); - -psa_status_t mbedtls_transparent_test_driver_ecp_generate_key( - const psa_key_attributes_t *attributes, - uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length ); - -psa_status_t mbedtls_transparent_test_driver_ecdsa_sign_hash( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, size_t key_buffer_size, - psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, - uint8_t *signature, size_t signature_size, size_t *signature_length ); - -psa_status_t mbedtls_transparent_test_driver_ecdsa_verify_hash( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, size_t key_buffer_size, - psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, - const uint8_t *signature, size_t signature_length ); - -#endif /* PSA_CRYPTO_DRIVER_TEST */ - #endif /* PSA_CRYPTO_ECP_H */ diff --git a/library/psa_crypto_hash.c b/library/psa_crypto_hash.c index 92dcbba96b17..536c6c1188dd 100644 --- a/library/psa_crypto_hash.c +++ b/library/psa_crypto_hash.c @@ -29,37 +29,6 @@ #include <mbedtls/error.h> #include <string.h> -/* Use builtin defines specific to this compilation unit, since the test driver - * relies on the software driver. */ -#if( defined(MBEDTLS_PSA_BUILTIN_ALG_MD5) || \ - ( defined(PSA_CRYPTO_DRIVER_TEST) && defined(MBEDTLS_PSA_ACCEL_ALG_MD5) ) ) -#define BUILTIN_ALG_MD5 1 -#endif -#if( defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160) || \ - ( defined(PSA_CRYPTO_DRIVER_TEST) && defined(MBEDTLS_PSA_ACCEL_ALG_RIPEMD160) ) ) -#define BUILTIN_ALG_RIPEMD160 1 -#endif -#if( defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1) || \ - ( defined(PSA_CRYPTO_DRIVER_TEST) && defined(MBEDTLS_PSA_ACCEL_ALG_SHA_1) ) ) -#define BUILTIN_ALG_SHA_1 1 -#endif -#if( defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224) || \ - ( defined(PSA_CRYPTO_DRIVER_TEST) && defined(MBEDTLS_PSA_ACCEL_ALG_SHA_224) ) ) -#define BUILTIN_ALG_SHA_224 1 -#endif -#if( defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256) || \ - ( defined(PSA_CRYPTO_DRIVER_TEST) && defined(MBEDTLS_PSA_ACCEL_ALG_SHA_256) ) ) -#define BUILTIN_ALG_SHA_256 1 -#endif -#if( defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384) || \ - ( defined(PSA_CRYPTO_DRIVER_TEST) && defined(MBEDTLS_PSA_ACCEL_ALG_SHA_384) ) ) -#define BUILTIN_ALG_SHA_384 1 -#endif -#if( defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512) || \ - ( defined(PSA_CRYPTO_DRIVER_TEST) && defined(MBEDTLS_PSA_ACCEL_ALG_SHA_512) ) ) -#define BUILTIN_ALG_SHA_512 1 -#endif - #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || \ @@ -105,10 +74,8 @@ const mbedtls_md_info_t *mbedtls_md_info_from_psa( psa_algorithm_t alg ) * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ -/* Implement the PSA driver hash interface on top of mbed TLS if either the - * software driver or the test driver requires it. */ -#if defined(MBEDTLS_PSA_BUILTIN_HASH) || defined(PSA_CRYPTO_DRIVER_TEST) -static psa_status_t hash_abort( +#if defined(MBEDTLS_PSA_BUILTIN_HASH) +psa_status_t mbedtls_psa_hash_abort( mbedtls_psa_hash_operation_t *operation ) { switch( operation->alg ) @@ -118,37 +85,37 @@ static psa_status_t hash_abort( * in use. It's ok to call abort on such an object, and there's * nothing to do. */ break; -#if defined(BUILTIN_ALG_MD5) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5) case PSA_ALG_MD5: mbedtls_md5_free( &operation->ctx.md5 ); break; #endif -#if defined(BUILTIN_ALG_RIPEMD160) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160) case PSA_ALG_RIPEMD160: mbedtls_ripemd160_free( &operation->ctx.ripemd160 ); break; #endif -#if defined(BUILTIN_ALG_SHA_1) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1) case PSA_ALG_SHA_1: mbedtls_sha1_free( &operation->ctx.sha1 ); break; #endif -#if defined(BUILTIN_ALG_SHA_224) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224) case PSA_ALG_SHA_224: mbedtls_sha256_free( &operation->ctx.sha256 ); break; #endif -#if defined(BUILTIN_ALG_SHA_256) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256) case PSA_ALG_SHA_256: mbedtls_sha256_free( &operation->ctx.sha256 ); break; #endif -#if defined(BUILTIN_ALG_SHA_384) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384) case PSA_ALG_SHA_384: mbedtls_sha512_free( &operation->ctx.sha512 ); break; #endif -#if defined(BUILTIN_ALG_SHA_512) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512) case PSA_ALG_SHA_512: mbedtls_sha512_free( &operation->ctx.sha512 ); break; @@ -160,7 +127,7 @@ static psa_status_t hash_abort( return( PSA_SUCCESS ); } -static psa_status_t hash_setup( +psa_status_t mbedtls_psa_hash_setup( mbedtls_psa_hash_operation_t *operation, psa_algorithm_t alg ) { @@ -174,43 +141,43 @@ static psa_status_t hash_setup( switch( alg ) { -#if defined(BUILTIN_ALG_MD5) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5) case PSA_ALG_MD5: mbedtls_md5_init( &operation->ctx.md5 ); ret = mbedtls_md5_starts( &operation->ctx.md5 ); break; #endif -#if defined(BUILTIN_ALG_RIPEMD160) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160) case PSA_ALG_RIPEMD160: mbedtls_ripemd160_init( &operation->ctx.ripemd160 ); ret = mbedtls_ripemd160_starts( &operation->ctx.ripemd160 ); break; #endif -#if defined(BUILTIN_ALG_SHA_1) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1) case PSA_ALG_SHA_1: mbedtls_sha1_init( &operation->ctx.sha1 ); ret = mbedtls_sha1_starts( &operation->ctx.sha1 ); break; #endif -#if defined(BUILTIN_ALG_SHA_224) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224) case PSA_ALG_SHA_224: mbedtls_sha256_init( &operation->ctx.sha256 ); ret = mbedtls_sha256_starts( &operation->ctx.sha256, 1 ); break; #endif -#if defined(BUILTIN_ALG_SHA_256) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256) case PSA_ALG_SHA_256: mbedtls_sha256_init( &operation->ctx.sha256 ); ret = mbedtls_sha256_starts( &operation->ctx.sha256, 0 ); break; #endif -#if defined(BUILTIN_ALG_SHA_384) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384) case PSA_ALG_SHA_384: mbedtls_sha512_init( &operation->ctx.sha512 ); ret = mbedtls_sha512_starts( &operation->ctx.sha512, 1 ); break; #endif -#if defined(BUILTIN_ALG_SHA_512) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512) case PSA_ALG_SHA_512: mbedtls_sha512_init( &operation->ctx.sha512 ); ret = mbedtls_sha512_starts( &operation->ctx.sha512, 0 ); @@ -224,11 +191,11 @@ static psa_status_t hash_setup( if( ret == 0 ) operation->alg = alg; else - hash_abort( operation ); + mbedtls_psa_hash_abort( operation ); return( mbedtls_to_psa_error( ret ) ); } -static psa_status_t hash_clone( +psa_status_t mbedtls_psa_hash_clone( const mbedtls_psa_hash_operation_t *source_operation, mbedtls_psa_hash_operation_t *target_operation ) { @@ -236,43 +203,43 @@ static psa_status_t hash_clone( { case 0: return( PSA_ERROR_BAD_STATE ); -#if defined(BUILTIN_ALG_MD5) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5) case PSA_ALG_MD5: mbedtls_md5_clone( &target_operation->ctx.md5, &source_operation->ctx.md5 ); break; #endif -#if defined(BUILTIN_ALG_RIPEMD160) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160) case PSA_ALG_RIPEMD160: mbedtls_ripemd160_clone( &target_operation->ctx.ripemd160, &source_operation->ctx.ripemd160 ); break; #endif -#if defined(BUILTIN_ALG_SHA_1) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1) case PSA_ALG_SHA_1: mbedtls_sha1_clone( &target_operation->ctx.sha1, &source_operation->ctx.sha1 ); break; #endif -#if defined(BUILTIN_ALG_SHA_224) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224) case PSA_ALG_SHA_224: mbedtls_sha256_clone( &target_operation->ctx.sha256, &source_operation->ctx.sha256 ); break; #endif -#if defined(BUILTIN_ALG_SHA_256) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256) case PSA_ALG_SHA_256: mbedtls_sha256_clone( &target_operation->ctx.sha256, &source_operation->ctx.sha256 ); break; #endif -#if defined(BUILTIN_ALG_SHA_384) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384) case PSA_ALG_SHA_384: mbedtls_sha512_clone( &target_operation->ctx.sha512, &source_operation->ctx.sha512 ); break; #endif -#if defined(BUILTIN_ALG_SHA_512) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512) case PSA_ALG_SHA_512: mbedtls_sha512_clone( &target_operation->ctx.sha512, &source_operation->ctx.sha512 ); @@ -288,7 +255,7 @@ static psa_status_t hash_clone( return( PSA_SUCCESS ); } -static psa_status_t hash_update( +psa_status_t mbedtls_psa_hash_update( mbedtls_psa_hash_operation_t *operation, const uint8_t *input, size_t input_length ) @@ -297,43 +264,43 @@ static psa_status_t hash_update( switch( operation->alg ) { -#if defined(BUILTIN_ALG_MD5) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5) case PSA_ALG_MD5: ret = mbedtls_md5_update( &operation->ctx.md5, input, input_length ); break; #endif -#if defined(BUILTIN_ALG_RIPEMD160) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160) case PSA_ALG_RIPEMD160: ret = mbedtls_ripemd160_update( &operation->ctx.ripemd160, input, input_length ); break; #endif -#if defined(BUILTIN_ALG_SHA_1) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1) case PSA_ALG_SHA_1: ret = mbedtls_sha1_update( &operation->ctx.sha1, input, input_length ); break; #endif -#if defined(BUILTIN_ALG_SHA_224) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224) case PSA_ALG_SHA_224: ret = mbedtls_sha256_update( &operation->ctx.sha256, input, input_length ); break; #endif -#if defined(BUILTIN_ALG_SHA_256) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256) case PSA_ALG_SHA_256: ret = mbedtls_sha256_update( &operation->ctx.sha256, input, input_length ); break; #endif -#if defined(BUILTIN_ALG_SHA_384) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384) case PSA_ALG_SHA_384: ret = mbedtls_sha512_update( &operation->ctx.sha512, input, input_length ); break; #endif -#if defined(BUILTIN_ALG_SHA_512) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512) case PSA_ALG_SHA_512: ret = mbedtls_sha512_update( &operation->ctx.sha512, input, input_length ); @@ -348,7 +315,7 @@ static psa_status_t hash_update( return( mbedtls_to_psa_error( ret ) ); } -static psa_status_t hash_finish( +psa_status_t mbedtls_psa_hash_finish( mbedtls_psa_hash_operation_t *operation, uint8_t *hash, size_t hash_size, @@ -375,37 +342,37 @@ static psa_status_t hash_finish( switch( operation->alg ) { -#if defined(BUILTIN_ALG_MD5) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5) case PSA_ALG_MD5: ret = mbedtls_md5_finish( &operation->ctx.md5, hash ); break; #endif -#if defined(BUILTIN_ALG_RIPEMD160) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160) case PSA_ALG_RIPEMD160: ret = mbedtls_ripemd160_finish( &operation->ctx.ripemd160, hash ); break; #endif -#if defined(BUILTIN_ALG_SHA_1) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1) case PSA_ALG_SHA_1: ret = mbedtls_sha1_finish( &operation->ctx.sha1, hash ); break; #endif -#if defined(BUILTIN_ALG_SHA_224) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224) case PSA_ALG_SHA_224: ret = mbedtls_sha256_finish( &operation->ctx.sha256, hash ); break; #endif -#if defined(BUILTIN_ALG_SHA_256) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256) case PSA_ALG_SHA_256: ret = mbedtls_sha256_finish( &operation->ctx.sha256, hash ); break; #endif -#if defined(BUILTIN_ALG_SHA_384) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384) case PSA_ALG_SHA_384: ret = mbedtls_sha512_finish( &operation->ctx.sha512, hash ); break; #endif -#if defined(BUILTIN_ALG_SHA_512) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512) case PSA_ALG_SHA_512: ret = mbedtls_sha512_finish( &operation->ctx.sha512, hash ); break; @@ -422,7 +389,7 @@ static psa_status_t hash_finish( return( status ); } -static psa_status_t hash_compute( +psa_status_t mbedtls_psa_hash_compute( psa_algorithm_t alg, const uint8_t *input, size_t input_length, @@ -435,183 +402,24 @@ static psa_status_t hash_compute( psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; *hash_length = hash_size; - status = hash_setup( &operation, alg ); + status = mbedtls_psa_hash_setup( &operation, alg ); if( status != PSA_SUCCESS ) goto exit; - status = hash_update( &operation, input, input_length ); + status = mbedtls_psa_hash_update( &operation, input, input_length ); if( status != PSA_SUCCESS ) goto exit; - status = hash_finish( &operation, hash, hash_size, hash_length ); + status = mbedtls_psa_hash_finish( &operation, hash, hash_size, hash_length ); if( status != PSA_SUCCESS ) goto exit; exit: - abort_status = hash_abort( &operation ); + abort_status = mbedtls_psa_hash_abort( &operation ); if( status == PSA_SUCCESS ) return( abort_status ); else return( status ); } -#endif /* MBEDTLS_PSA_BUILTIN_HASH || PSA_CRYPTO_DRIVER_TEST */ - -#if defined(MBEDTLS_PSA_BUILTIN_HASH) -psa_status_t mbedtls_psa_hash_compute( - psa_algorithm_t alg, - const uint8_t *input, - size_t input_length, - uint8_t *hash, - size_t hash_size, - size_t *hash_length) -{ - return( hash_compute( alg, input, input_length, - hash, hash_size, hash_length ) ); -} - -psa_status_t mbedtls_psa_hash_setup( - mbedtls_psa_hash_operation_t *operation, - psa_algorithm_t alg ) -{ - return( hash_setup( operation, alg ) ); -} - -psa_status_t mbedtls_psa_hash_clone( - const mbedtls_psa_hash_operation_t *source_operation, - mbedtls_psa_hash_operation_t *target_operation ) -{ - return( hash_clone( source_operation, target_operation ) ); -} - -psa_status_t mbedtls_psa_hash_update( - mbedtls_psa_hash_operation_t *operation, - const uint8_t *input, - size_t input_length ) -{ - return( hash_update( operation, input, input_length ) ); -} - -psa_status_t mbedtls_psa_hash_finish( - mbedtls_psa_hash_operation_t *operation, - uint8_t *hash, - size_t hash_size, - size_t *hash_length ) -{ - return( hash_finish( operation, hash, hash_size, hash_length ) ); -} - -psa_status_t mbedtls_psa_hash_abort( - mbedtls_psa_hash_operation_t *operation ) -{ - return( hash_abort( operation ) ); -} #endif /* MBEDTLS_PSA_BUILTIN_HASH */ - /* - * BEYOND THIS POINT, TEST DRIVER ENTRY POINTS ONLY. - */ -#if defined(PSA_CRYPTO_DRIVER_TEST) - -static int is_hash_accelerated( psa_algorithm_t alg ) -{ - switch( alg ) - { -#if defined(MBEDTLS_PSA_ACCEL_ALG_MD5) - case PSA_ALG_MD5: - return( 1 ); -#endif -#if defined(MBEDTLS_PSA_ACCEL_ALG_RIPEMD160) - case PSA_ALG_RIPEMD160: - return( 1 ); -#endif -#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_1) - case PSA_ALG_SHA_1: - return( 1 ); -#endif -#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_224) - case PSA_ALG_SHA_224: - return( 1 ); -#endif -#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_256) - case PSA_ALG_SHA_256: - return( 1 ); -#endif -#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_384) - case PSA_ALG_SHA_384: - return( 1 ); -#endif -#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_512) - case PSA_ALG_SHA_512: - return( 1 ); -#endif - default: - return( 0 ); - } -} - -psa_status_t mbedtls_transparent_test_driver_hash_compute( - psa_algorithm_t alg, - const uint8_t *input, - size_t input_length, - uint8_t *hash, - size_t hash_size, - size_t *hash_length) -{ - if( is_hash_accelerated( alg ) ) - return( hash_compute( alg, input, input_length, - hash, hash_size, hash_length ) ); - else - return( PSA_ERROR_NOT_SUPPORTED ); -} - -psa_status_t mbedtls_transparent_test_driver_hash_setup( - mbedtls_transparent_test_driver_hash_operation_t *operation, - psa_algorithm_t alg ) -{ - if( is_hash_accelerated( alg ) ) - return( hash_setup( operation, alg ) ); - else - return( PSA_ERROR_NOT_SUPPORTED ); -} - -psa_status_t mbedtls_transparent_test_driver_hash_clone( - const mbedtls_transparent_test_driver_hash_operation_t *source_operation, - mbedtls_transparent_test_driver_hash_operation_t *target_operation ) -{ - if( is_hash_accelerated( source_operation->alg ) ) - return( hash_clone( source_operation, target_operation ) ); - else - return( PSA_ERROR_BAD_STATE ); -} - -psa_status_t mbedtls_transparent_test_driver_hash_update( - mbedtls_transparent_test_driver_hash_operation_t *operation, - const uint8_t *input, - size_t input_length ) -{ - if( is_hash_accelerated( operation->alg ) ) - return( hash_update( operation, input, input_length ) ); - else - return( PSA_ERROR_BAD_STATE ); -} - -psa_status_t mbedtls_transparent_test_driver_hash_finish( - mbedtls_transparent_test_driver_hash_operation_t *operation, - uint8_t *hash, - size_t hash_size, - size_t *hash_length ) -{ - if( is_hash_accelerated( operation->alg ) ) - return( hash_finish( operation, hash, hash_size, hash_length ) ); - else - return( PSA_ERROR_BAD_STATE ); -} - -psa_status_t mbedtls_transparent_test_driver_hash_abort( - mbedtls_transparent_test_driver_hash_operation_t *operation ) -{ - return( hash_abort( operation ) ); -} - -#endif /* PSA_CRYPTO_DRIVER_TEST */ - #endif /* MBEDTLS_PSA_CRYPTO_C */ diff --git a/library/psa_crypto_hash.h b/library/psa_crypto_hash.h index 66556439f07b..7091dc5a7bc5 100644 --- a/library/psa_crypto_hash.h +++ b/library/psa_crypto_hash.h @@ -231,42 +231,4 @@ psa_status_t mbedtls_psa_hash_finish( psa_status_t mbedtls_psa_hash_abort( mbedtls_psa_hash_operation_t *operation ); -/* - * BEYOND THIS POINT, TEST DRIVER ENTRY POINTS ONLY. - */ - -#if defined(PSA_CRYPTO_DRIVER_TEST) - -psa_status_t mbedtls_transparent_test_driver_hash_compute( - psa_algorithm_t alg, - const uint8_t *input, - size_t input_length, - uint8_t *hash, - size_t hash_size, - size_t *hash_length); - -psa_status_t mbedtls_transparent_test_driver_hash_setup( - mbedtls_transparent_test_driver_hash_operation_t *operation, - psa_algorithm_t alg ); - -psa_status_t mbedtls_transparent_test_driver_hash_clone( - const mbedtls_transparent_test_driver_hash_operation_t *source_operation, - mbedtls_transparent_test_driver_hash_operation_t *target_operation ); - -psa_status_t mbedtls_transparent_test_driver_hash_update( - mbedtls_transparent_test_driver_hash_operation_t *operation, - const uint8_t *input, - size_t input_length ); - -psa_status_t mbedtls_transparent_test_driver_hash_finish( - mbedtls_transparent_test_driver_hash_operation_t *operation, - uint8_t *hash, - size_t hash_size, - size_t *hash_length ); - -psa_status_t mbedtls_transparent_test_driver_hash_abort( - mbedtls_transparent_test_driver_hash_operation_t *operation ); - -#endif /* PSA_CRYPTO_DRIVER_TEST */ - #endif /* PSA_CRYPTO_HASH_H */ diff --git a/library/psa_crypto_mac.c b/library/psa_crypto_mac.c index 2c079d434fb7..dcf065a67265 100644 --- a/library/psa_crypto_mac.c +++ b/library/psa_crypto_mac.c @@ -30,41 +30,7 @@ #include <mbedtls/error.h> #include <string.h> -/* Use builtin defines specific to this compilation unit, since the test driver - * relies on the software driver. */ -#if( defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC) || \ - ( defined(PSA_CRYPTO_DRIVER_TEST) && defined(MBEDTLS_PSA_ACCEL_ALG_CMAC) ) ) -#define BUILTIN_ALG_CMAC 1 -#endif -#if( defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || \ - ( defined(PSA_CRYPTO_DRIVER_TEST) && defined(MBEDTLS_PSA_ACCEL_ALG_HMAC) ) ) -#define BUILTIN_ALG_HMAC 1 -#endif - -#if defined(BUILTIN_ALG_HMAC) -static size_t psa_get_hash_block_size( psa_algorithm_t alg ) -{ - switch( alg ) - { - case PSA_ALG_MD5: - return( 64 ); - case PSA_ALG_RIPEMD160: - return( 64 ); - case PSA_ALG_SHA_1: - return( 64 ); - case PSA_ALG_SHA_224: - return( 64 ); - case PSA_ALG_SHA_256: - return( 64 ); - case PSA_ALG_SHA_384: - return( 128 ); - case PSA_ALG_SHA_512: - return( 128 ); - default: - return( 0 ); - } -} - +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) static psa_status_t psa_hmac_abort_internal( mbedtls_psa_hmac_operation_t *hmac ) { @@ -81,7 +47,7 @@ static psa_status_t psa_hmac_setup_internal( uint8_t ipad[PSA_HMAC_MAX_HASH_BLOCK_SIZE]; size_t i; size_t hash_size = PSA_HASH_LENGTH( hash_alg ); - size_t block_size = psa_get_hash_block_size( hash_alg ); + size_t block_size = PSA_HASH_BLOCK_LENGTH( hash_alg ); psa_status_t status; hmac->alg = hash_alg; @@ -150,10 +116,10 @@ static psa_status_t psa_hmac_finish_internal( uint8_t *mac, size_t mac_size ) { - uint8_t tmp[MBEDTLS_MD_MAX_SIZE]; + uint8_t tmp[PSA_HASH_MAX_SIZE]; psa_algorithm_t hash_alg = hmac->alg; size_t hash_size = 0; - size_t block_size = psa_get_hash_block_size( hash_alg ); + size_t block_size = PSA_HASH_BLOCK_LENGTH( hash_alg ); psa_status_t status; status = psa_hash_finish( &hmac->hash_ctx, tmp, sizeof( tmp ), &hash_size ); @@ -183,9 +149,9 @@ static psa_status_t psa_hmac_finish_internal( mbedtls_platform_zeroize( tmp, hash_size ); return( status ); } -#endif /* BUILTIN_ALG_HMAC */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */ -#if defined(BUILTIN_ALG_CMAC) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC) static psa_status_t cmac_setup( mbedtls_psa_mac_operation_t *operation, const psa_key_attributes_t *attributes, const uint8_t *key_buffer ) @@ -221,11 +187,10 @@ static psa_status_t cmac_setup( mbedtls_psa_mac_operation_t *operation, exit: return( mbedtls_to_psa_error( ret ) ); } -#endif /* BUILTIN_ALG_CMAC */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */ -/* Implement the PSA driver MAC interface on top of mbed TLS if either the - * software driver or the test driver requires it. */ -#if defined(BUILTIN_ALG_HMAC) || defined(BUILTIN_ALG_CMAC) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC) /* Initialize this driver's MAC operation structure. Once this function has been * called, mbedtls_psa_mac_abort can run and will do the right thing. */ @@ -237,15 +202,15 @@ static psa_status_t mac_init( operation->alg = alg; -#if defined(BUILTIN_ALG_CMAC) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC) if( PSA_ALG_FULL_LENGTH_MAC( operation->alg ) == PSA_ALG_CMAC ) { mbedtls_cipher_init( &operation->ctx.cmac ); status = PSA_SUCCESS; } else -#endif /* BUILTIN_ALG_CMAC */ -#if defined(BUILTIN_ALG_HMAC) +#endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) if( PSA_ALG_IS_HMAC( operation->alg ) ) { /* We'll set up the hash operation later in psa_hmac_setup_internal. */ @@ -253,8 +218,9 @@ static psa_status_t mac_init( status = PSA_SUCCESS; } else -#endif /* BUILTIN_ALG_HMAC */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */ { + (void) operation; status = PSA_ERROR_NOT_SUPPORTED; } @@ -263,7 +229,7 @@ static psa_status_t mac_init( return( status ); } -static psa_status_t mac_abort( mbedtls_psa_mac_operation_t *operation ) +psa_status_t mbedtls_psa_mac_abort( mbedtls_psa_mac_operation_t *operation ) { if( operation->alg == 0 ) { @@ -273,20 +239,20 @@ static psa_status_t mac_abort( mbedtls_psa_mac_operation_t *operation ) return( PSA_SUCCESS ); } else -#if defined(BUILTIN_ALG_CMAC) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC) if( PSA_ALG_FULL_LENGTH_MAC( operation->alg ) == PSA_ALG_CMAC ) { mbedtls_cipher_free( &operation->ctx.cmac ); } else -#endif /* BUILTIN_ALG_CMAC */ -#if defined(BUILTIN_ALG_HMAC) +#endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) if( PSA_ALG_IS_HMAC( operation->alg ) ) { psa_hmac_abort_internal( &operation->ctx.hmac ); } else -#endif /* BUILTIN_ALG_HMAC */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */ { /* Sanity check (shouldn't happen: operation->alg should * always have been initialized to a valid value). */ @@ -306,11 +272,11 @@ static psa_status_t mac_abort( mbedtls_psa_mac_operation_t *operation ) return( PSA_ERROR_BAD_STATE ); } -static psa_status_t mac_setup( mbedtls_psa_mac_operation_t *operation, - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, - size_t key_buffer_size, - psa_algorithm_t alg ) +static psa_status_t psa_mac_setup( mbedtls_psa_mac_operation_t *operation, + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, + size_t key_buffer_size, + psa_algorithm_t alg ) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; @@ -322,7 +288,7 @@ static psa_status_t mac_setup( mbedtls_psa_mac_operation_t *operation, if( status != PSA_SUCCESS ) return( status ); -#if defined(BUILTIN_ALG_CMAC) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC) if( PSA_ALG_FULL_LENGTH_MAC( alg ) == PSA_ALG_CMAC ) { /* Key buffer size for CMAC is dictated by the key bits set on the @@ -331,8 +297,8 @@ static psa_status_t mac_setup( mbedtls_psa_mac_operation_t *operation, status = cmac_setup( operation, attributes, key_buffer ); } else -#endif /* BUILTIN_ALG_CMAC */ -#if defined(BUILTIN_ALG_HMAC) +#endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) if( PSA_ALG_IS_HMAC( alg ) ) { status = psa_hmac_setup_internal( &operation->ctx.hmac, @@ -341,7 +307,7 @@ static psa_status_t mac_setup( mbedtls_psa_mac_operation_t *operation, PSA_ALG_HMAC_GET_HASH( alg ) ); } else -#endif /* BUILTIN_ALG_HMAC */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */ { (void) attributes; (void) key_buffer; @@ -350,12 +316,34 @@ static psa_status_t mac_setup( mbedtls_psa_mac_operation_t *operation, } if( status != PSA_SUCCESS ) - mac_abort( operation ); + mbedtls_psa_mac_abort( operation ); return( status ); } -static psa_status_t mac_update( +psa_status_t mbedtls_psa_mac_sign_setup( + mbedtls_psa_mac_operation_t *operation, + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, + size_t key_buffer_size, + psa_algorithm_t alg ) +{ + return( psa_mac_setup( operation, attributes, + key_buffer, key_buffer_size, alg ) ); +} + +psa_status_t mbedtls_psa_mac_verify_setup( + mbedtls_psa_mac_operation_t *operation, + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, + size_t key_buffer_size, + psa_algorithm_t alg ) +{ + return( psa_mac_setup( operation, attributes, + key_buffer, key_buffer_size, alg ) ); +} + +psa_status_t mbedtls_psa_mac_update( mbedtls_psa_mac_operation_t *operation, const uint8_t *input, size_t input_length ) @@ -363,7 +351,7 @@ static psa_status_t mac_update( if( operation->alg == 0 ) return( PSA_ERROR_BAD_STATE ); -#if defined(BUILTIN_ALG_CMAC) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC) if( PSA_ALG_FULL_LENGTH_MAC( operation->alg ) == PSA_ALG_CMAC ) { return( mbedtls_to_psa_error( @@ -371,15 +359,15 @@ static psa_status_t mac_update( input, input_length ) ) ); } else -#endif /* BUILTIN_ALG_CMAC */ -#if defined(BUILTIN_ALG_HMAC) +#endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) if( PSA_ALG_IS_HMAC( operation->alg ) ) { return( psa_hmac_update_internal( &operation->ctx.hmac, input, input_length ) ); } else -#endif /* BUILTIN_ALG_HMAC */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */ { /* This shouldn't happen if `operation` was initialized by * a setup function. */ @@ -389,11 +377,11 @@ static psa_status_t mac_update( } } -static psa_status_t mac_finish_internal( mbedtls_psa_mac_operation_t *operation, - uint8_t *mac, - size_t mac_size ) +static psa_status_t psa_mac_finish_internal( + mbedtls_psa_mac_operation_t *operation, + uint8_t *mac, size_t mac_size ) { -#if defined(BUILTIN_ALG_CMAC) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC) if( PSA_ALG_FULL_LENGTH_MAC( operation->alg ) == PSA_ALG_CMAC ) { uint8_t tmp[PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE]; @@ -404,15 +392,15 @@ static psa_status_t mac_finish_internal( mbedtls_psa_mac_operation_t *operation, return( mbedtls_to_psa_error( ret ) ); } else -#endif /* BUILTIN_ALG_CMAC */ -#if defined(BUILTIN_ALG_HMAC) +#endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) if( PSA_ALG_IS_HMAC( operation->alg ) ) { return( psa_hmac_finish_internal( &operation->ctx.hmac, mac, mac_size ) ); } else -#endif /* BUILTIN_ALG_HMAC */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */ { /* This shouldn't happen if `operation` was initialized by * a setup function. */ @@ -423,7 +411,7 @@ static psa_status_t mac_finish_internal( mbedtls_psa_mac_operation_t *operation, } } -static psa_status_t mac_sign_finish( +psa_status_t mbedtls_psa_mac_sign_finish( mbedtls_psa_mac_operation_t *operation, uint8_t *mac, size_t mac_size, @@ -434,15 +422,14 @@ static psa_status_t mac_sign_finish( if( operation->alg == 0 ) return( PSA_ERROR_BAD_STATE ); - status = mac_finish_internal( operation, mac, mac_size ); - + status = psa_mac_finish_internal( operation, mac, mac_size ); if( status == PSA_SUCCESS ) *mac_length = mac_size; return( status ); } -static psa_status_t mac_verify_finish( +psa_status_t mbedtls_psa_mac_verify_finish( mbedtls_psa_mac_operation_t *operation, const uint8_t *mac, size_t mac_length ) @@ -457,7 +444,7 @@ static psa_status_t mac_verify_finish( if( mac_length > sizeof( actual_mac ) ) return( PSA_ERROR_INVALID_ARGUMENT ); - status = mac_finish_internal( operation, actual_mac, mac_length ); + status = psa_mac_finish_internal( operation, actual_mac, mac_length ); if( status != PSA_SUCCESS ) goto cleanup; @@ -470,7 +457,7 @@ static psa_status_t mac_verify_finish( return( status ); } -static psa_status_t mac_compute( +psa_status_t mbedtls_psa_mac_compute( const psa_key_attributes_t *attributes, const uint8_t *key_buffer, size_t key_buffer_size, @@ -484,314 +471,29 @@ static psa_status_t mac_compute( psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; mbedtls_psa_mac_operation_t operation = MBEDTLS_PSA_MAC_OPERATION_INIT; - status = mac_setup( &operation, - attributes, key_buffer, key_buffer_size, - alg ); + status = psa_mac_setup( &operation, + attributes, key_buffer, key_buffer_size, + alg ); if( status != PSA_SUCCESS ) goto exit; if( input_length > 0 ) { - status = mac_update( &operation, input, input_length ); + status = mbedtls_psa_mac_update( &operation, input, input_length ); if( status != PSA_SUCCESS ) goto exit; } - status = mac_finish_internal( &operation, mac, mac_size ); + status = psa_mac_finish_internal( &operation, mac, mac_size ); if( status == PSA_SUCCESS ) *mac_length = mac_size; exit: - mac_abort( &operation ); + mbedtls_psa_mac_abort( &operation ); return( status ); } -#endif /* BUILTIN_ALG_HMAC || BUILTIN_ALG_CMAC */ - -#if defined(MBEDTLS_PSA_BUILTIN_MAC) -psa_status_t mbedtls_psa_mac_compute( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, - size_t key_buffer_size, - psa_algorithm_t alg, - const uint8_t *input, - size_t input_length, - uint8_t *mac, - size_t mac_size, - size_t *mac_length ) -{ - return( mac_compute( attributes, key_buffer, key_buffer_size, alg, - input, input_length, - mac, mac_size, mac_length ) ); -} - -psa_status_t mbedtls_psa_mac_sign_setup( - mbedtls_psa_mac_operation_t *operation, - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, - size_t key_buffer_size, - psa_algorithm_t alg ) -{ - return( mac_setup( operation, attributes, - key_buffer, key_buffer_size, alg ) ); -} - -psa_status_t mbedtls_psa_mac_verify_setup( - mbedtls_psa_mac_operation_t *operation, - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, - size_t key_buffer_size, - psa_algorithm_t alg ) -{ - return( mac_setup( operation, attributes, - key_buffer, key_buffer_size, alg ) ); -} - -psa_status_t mbedtls_psa_mac_update( - mbedtls_psa_mac_operation_t *operation, - const uint8_t *input, - size_t input_length ) -{ - return( mac_update( operation, input, input_length ) ); -} - -psa_status_t mbedtls_psa_mac_sign_finish( - mbedtls_psa_mac_operation_t *operation, - uint8_t *mac, - size_t mac_size, - size_t *mac_length ) -{ - return( mac_sign_finish( operation, mac, mac_size, mac_length ) ); -} - -psa_status_t mbedtls_psa_mac_verify_finish( - mbedtls_psa_mac_operation_t *operation, - const uint8_t *mac, - size_t mac_length ) -{ - return( mac_verify_finish( operation, mac, mac_length ) ); -} - -psa_status_t mbedtls_psa_mac_abort( - mbedtls_psa_mac_operation_t *operation ) -{ - return( mac_abort( operation ) ); -} -#endif /* MBEDTLS_PSA_BUILTIN_MAC */ - - /* - * BEYOND THIS POINT, TEST DRIVER ENTRY POINTS ONLY. - */ -#if defined(PSA_CRYPTO_DRIVER_TEST) - -static int is_mac_accelerated( psa_algorithm_t alg ) -{ -#if defined(MBEDTLS_PSA_ACCEL_ALG_HMAC) - if( PSA_ALG_IS_HMAC( alg ) ) - return( 1 ); -#endif - - switch( PSA_ALG_FULL_LENGTH_MAC( alg ) ) - { -#if defined(MBEDTLS_PSA_ACCEL_ALG_CMAC) - case PSA_ALG_CMAC: - return( 1 ); -#endif - default: - return( 0 ); - } -} - -psa_status_t mbedtls_transparent_test_driver_mac_compute( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, - size_t key_buffer_size, - psa_algorithm_t alg, - const uint8_t *input, - size_t input_length, - uint8_t *mac, - size_t mac_size, - size_t *mac_length ) -{ - if( is_mac_accelerated( alg ) ) - return( mac_compute( attributes, key_buffer, key_buffer_size, alg, - input, input_length, - mac, mac_size, mac_length ) ); - else - return( PSA_ERROR_NOT_SUPPORTED ); -} - -psa_status_t mbedtls_transparent_test_driver_mac_sign_setup( - mbedtls_transparent_test_driver_mac_operation_t *operation, - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, - size_t key_buffer_size, - psa_algorithm_t alg ) -{ - if( is_mac_accelerated( alg ) ) - return( mac_setup( operation, attributes, - key_buffer, key_buffer_size, alg ) ); - else - return( PSA_ERROR_NOT_SUPPORTED ); -} - -psa_status_t mbedtls_transparent_test_driver_mac_verify_setup( - mbedtls_transparent_test_driver_mac_operation_t *operation, - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, - size_t key_buffer_size, - psa_algorithm_t alg ) -{ - if( is_mac_accelerated( alg ) ) - return( mac_setup( operation, attributes, - key_buffer, key_buffer_size, alg ) ); - else - return( PSA_ERROR_NOT_SUPPORTED ); -} - -psa_status_t mbedtls_transparent_test_driver_mac_update( - mbedtls_transparent_test_driver_mac_operation_t *operation, - const uint8_t *input, - size_t input_length ) -{ - if( is_mac_accelerated( operation->alg ) ) - return( mac_update( operation, input, input_length ) ); - else - return( PSA_ERROR_BAD_STATE ); -} - -psa_status_t mbedtls_transparent_test_driver_mac_sign_finish( - mbedtls_transparent_test_driver_mac_operation_t *operation, - uint8_t *mac, - size_t mac_size, - size_t *mac_length ) -{ - if( is_mac_accelerated( operation->alg ) ) - return( mac_sign_finish( operation, mac, mac_size, mac_length ) ); - else - return( PSA_ERROR_BAD_STATE ); -} - -psa_status_t mbedtls_transparent_test_driver_mac_verify_finish( - mbedtls_transparent_test_driver_mac_operation_t *operation, - const uint8_t *mac, - size_t mac_length ) -{ - if( is_mac_accelerated( operation->alg ) ) - return( mac_verify_finish( operation, mac, mac_length ) ); - else - return( PSA_ERROR_BAD_STATE ); -} - -psa_status_t mbedtls_transparent_test_driver_mac_abort( - mbedtls_transparent_test_driver_mac_operation_t *operation ) -{ - return( mac_abort( operation ) ); -} - -psa_status_t mbedtls_opaque_test_driver_mac_compute( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, - size_t key_buffer_size, - psa_algorithm_t alg, - const uint8_t *input, - size_t input_length, - uint8_t *mac, - size_t mac_size, - size_t *mac_length ) -{ - /* Opaque driver testing is not implemented yet through this mechanism. */ - (void) attributes; - (void) key_buffer; - (void) key_buffer_size; - (void) alg; - (void) input; - (void) input_length; - (void) mac; - (void) mac_size; - (void) mac_length; - return( PSA_ERROR_NOT_SUPPORTED ); -} - -psa_status_t mbedtls_opaque_test_driver_mac_sign_setup( - mbedtls_opaque_test_driver_mac_operation_t *operation, - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, - size_t key_buffer_size, - psa_algorithm_t alg ) -{ - /* Opaque driver testing is not implemented yet through this mechanism. */ - (void) operation; - (void) attributes; - (void) key_buffer; - (void) key_buffer_size; - (void) alg; - return( PSA_ERROR_NOT_SUPPORTED ); -} - -psa_status_t mbedtls_opaque_test_driver_mac_verify_setup( - mbedtls_opaque_test_driver_mac_operation_t *operation, - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, - size_t key_buffer_size, - psa_algorithm_t alg ) -{ - /* Opaque driver testing is not implemented yet through this mechanism. */ - (void) operation; - (void) attributes; - (void) key_buffer; - (void) key_buffer_size; - (void) alg; - return( PSA_ERROR_NOT_SUPPORTED ); -} - -psa_status_t mbedtls_opaque_test_driver_mac_update( - mbedtls_opaque_test_driver_mac_operation_t *operation, - const uint8_t *input, - size_t input_length ) -{ - /* Opaque driver testing is not implemented yet through this mechanism. */ - (void) operation; - (void) input; - (void) input_length; - return( PSA_ERROR_NOT_SUPPORTED ); -} - -psa_status_t mbedtls_opaque_test_driver_mac_sign_finish( - mbedtls_opaque_test_driver_mac_operation_t *operation, - uint8_t *mac, - size_t mac_size, - size_t *mac_length ) -{ - /* Opaque driver testing is not implemented yet through this mechanism. */ - (void) operation; - (void) mac; - (void) mac_size; - (void) mac_length; - return( PSA_ERROR_NOT_SUPPORTED ); -} - -psa_status_t mbedtls_opaque_test_driver_mac_verify_finish( - mbedtls_opaque_test_driver_mac_operation_t *operation, - const uint8_t *mac, - size_t mac_length ) -{ - /* Opaque driver testing is not implemented yet through this mechanism. */ - (void) operation; - (void) mac; - (void) mac_length; - return( PSA_ERROR_NOT_SUPPORTED ); -} - -psa_status_t mbedtls_opaque_test_driver_mac_abort( - mbedtls_opaque_test_driver_mac_operation_t *operation ) -{ - /* Opaque driver testing is not implemented yet through this mechanism. */ - (void) operation; - return( PSA_ERROR_NOT_SUPPORTED ); -} - -#endif /* PSA_CRYPTO_DRIVER_TEST */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC || MBEDTLS_PSA_BUILTIN_ALG_CMAC */ #endif /* MBEDTLS_PSA_CRYPTO_C */ diff --git a/library/psa_crypto_mac.h b/library/psa_crypto_mac.h index 9b81e73e028d..a821e7411642 100644 --- a/library/psa_crypto_mac.h +++ b/library/psa_crypto_mac.h @@ -273,100 +273,4 @@ psa_status_t mbedtls_psa_mac_verify_finish( psa_status_t mbedtls_psa_mac_abort( mbedtls_psa_mac_operation_t *operation ); -/* - * BEYOND THIS POINT, TEST DRIVER ENTRY POINTS ONLY. - */ - -#if defined(PSA_CRYPTO_DRIVER_TEST) - -psa_status_t mbedtls_transparent_test_driver_mac_compute( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, - size_t key_buffer_size, - psa_algorithm_t alg, - const uint8_t *input, - size_t input_length, - uint8_t *mac, - size_t mac_size, - size_t *mac_length ); - -psa_status_t mbedtls_transparent_test_driver_mac_sign_setup( - mbedtls_transparent_test_driver_mac_operation_t *operation, - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, - size_t key_buffer_size, - psa_algorithm_t alg ); - -psa_status_t mbedtls_transparent_test_driver_mac_verify_setup( - mbedtls_transparent_test_driver_mac_operation_t *operation, - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, - size_t key_buffer_size, - psa_algorithm_t alg ); - -psa_status_t mbedtls_transparent_test_driver_mac_update( - mbedtls_transparent_test_driver_mac_operation_t *operation, - const uint8_t *input, - size_t input_length ); - -psa_status_t mbedtls_transparent_test_driver_mac_sign_finish( - mbedtls_transparent_test_driver_mac_operation_t *operation, - uint8_t *mac, - size_t mac_size, - size_t *mac_length ); - -psa_status_t mbedtls_transparent_test_driver_mac_verify_finish( - mbedtls_transparent_test_driver_mac_operation_t *operation, - const uint8_t *mac, - size_t mac_length ); - -psa_status_t mbedtls_transparent_test_driver_mac_abort( - mbedtls_transparent_test_driver_mac_operation_t *operation ); - -psa_status_t mbedtls_opaque_test_driver_mac_compute( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, - size_t key_buffer_size, - psa_algorithm_t alg, - const uint8_t *input, - size_t input_length, - uint8_t *mac, - size_t mac_size, - size_t *mac_length ); - -psa_status_t mbedtls_opaque_test_driver_mac_sign_setup( - mbedtls_opaque_test_driver_mac_operation_t *operation, - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, - size_t key_buffer_size, - psa_algorithm_t alg ); - -psa_status_t mbedtls_opaque_test_driver_mac_verify_setup( - mbedtls_opaque_test_driver_mac_operation_t *operation, - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, - size_t key_buffer_size, - psa_algorithm_t alg ); - -psa_status_t mbedtls_opaque_test_driver_mac_update( - mbedtls_opaque_test_driver_mac_operation_t *operation, - const uint8_t *input, - size_t input_length ); - -psa_status_t mbedtls_opaque_test_driver_mac_sign_finish( - mbedtls_opaque_test_driver_mac_operation_t *operation, - uint8_t *mac, - size_t mac_size, - size_t *mac_length ); - -psa_status_t mbedtls_opaque_test_driver_mac_verify_finish( - mbedtls_opaque_test_driver_mac_operation_t *operation, - const uint8_t *mac, - size_t mac_length ); - -psa_status_t mbedtls_opaque_test_driver_mac_abort( - mbedtls_opaque_test_driver_mac_operation_t *operation ); - -#endif /* PSA_CRYPTO_DRIVER_TEST */ - #endif /* PSA_CRYPTO_MAC_H */ diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c index 2c357c91ce12..df524e1bcbbc 100644 --- a/library/psa_crypto_rsa.c +++ b/library/psa_crypto_rsa.c @@ -41,38 +41,12 @@ #include <mbedtls/pk.h> #include "pk_wrap.h" -#if ( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ - ( defined(PSA_CRYPTO_DRIVER_TEST) && \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) ) ) -#define BUILTIN_KEY_TYPE_RSA_KEY_PAIR 1 -#endif - -#if ( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) || \ - ( defined(PSA_CRYPTO_DRIVER_TEST) && \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY) ) ) -#define BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY 1 -#endif - -#if ( defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ - ( defined(PSA_CRYPTO_DRIVER_TEST) && \ - defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN) && \ - defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V15) ) ) -#define BUILTIN_ALG_RSA_PKCS1V15_SIGN 1 -#endif - -#if ( defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || \ - ( defined(PSA_CRYPTO_DRIVER_TEST) && \ - defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PSS) && \ - defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21) ) ) -#define BUILTIN_ALG_RSA_PSS 1 -#endif - #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \ - defined(BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ - defined(BUILTIN_ALG_RSA_PSS) || \ - defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ - defined(BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) /* Mbed TLS doesn't support non-byte-aligned key sizes (i.e. key sizes * that are not a multiple of 8) well. For example, there is only @@ -148,15 +122,15 @@ psa_status_t mbedtls_psa_rsa_load_representation( } #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || - * defined(BUILTIN_ALG_RSA_PKCS1V15_SIGN) || - * defined(BUILTIN_ALG_RSA_PSS) || - * defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || - * defined(BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || + * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || + * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ -#if defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ - defined(BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) -static psa_status_t rsa_import_key( +psa_status_t mbedtls_psa_rsa_import_key( const psa_key_attributes_t *attributes, const uint8_t *data, size_t data_length, uint8_t *key_buffer, size_t key_buffer_size, @@ -248,7 +222,7 @@ psa_status_t mbedtls_psa_rsa_export_key( psa_key_type_t type, #endif /* MBEDTLS_PK_WRITE_C */ } -static psa_status_t rsa_export_public_key( +psa_status_t mbedtls_psa_rsa_export_public_key( const psa_key_attributes_t *attributes, const uint8_t *key_buffer, size_t key_buffer_size, uint8_t *data, size_t data_size, size_t *data_length ) @@ -272,10 +246,10 @@ static psa_status_t rsa_export_public_key( return( status ); } -#endif /* defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || - * defined(BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || + * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ -#if defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && \ +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && \ defined(MBEDTLS_GENPRIME) static psa_status_t psa_rsa_read_exponent( const uint8_t *domain_parameters, size_t domain_parameters_size, @@ -303,7 +277,7 @@ static psa_status_t psa_rsa_read_exponent( const uint8_t *domain_parameters, return( PSA_SUCCESS ); } -static psa_status_t rsa_generate_key( +psa_status_t mbedtls_psa_rsa_generate_key( const psa_key_attributes_t *attributes, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length ) { @@ -334,14 +308,15 @@ static psa_status_t rsa_generate_key( return( status ); } -#endif /* defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) * defined(MBEDTLS_GENPRIME) */ /****************************************************************/ /* Sign/verify hashes */ /****************************************************************/ -#if defined(BUILTIN_ALG_RSA_PKCS1V15_SIGN) || defined(BUILTIN_ALG_RSA_PSS) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) /* Decode the hash algorithm from alg and store the mbedtls encoding in * md_alg. Verify that the hash length is acceptable. */ @@ -373,7 +348,7 @@ static psa_status_t psa_rsa_decode_md_type( psa_algorithm_t alg, return( PSA_SUCCESS ); } -static psa_status_t rsa_sign_hash( +psa_status_t mbedtls_psa_rsa_sign_hash( const psa_key_attributes_t *attributes, const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, @@ -401,7 +376,7 @@ static psa_status_t rsa_sign_hash( goto exit; } -#if defined(BUILTIN_ALG_RSA_PKCS1V15_SIGN) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) ) { ret = mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V15, @@ -418,8 +393,8 @@ static psa_status_t rsa_sign_hash( } } else -#endif /* BUILTIN_ALG_RSA_PKCS1V15_SIGN */ -#if defined(BUILTIN_ALG_RSA_PSS) +#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) if( PSA_ALG_IS_RSA_PSS( alg ) ) { ret = mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg ); @@ -436,7 +411,7 @@ static psa_status_t rsa_sign_hash( } } else -#endif /* BUILTIN_ALG_RSA_PSS */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS */ { status = PSA_ERROR_INVALID_ARGUMENT; goto exit; @@ -453,7 +428,28 @@ static psa_status_t rsa_sign_hash( return( status ); } -static psa_status_t rsa_verify_hash( +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) +static int rsa_pss_expected_salt_len( psa_algorithm_t alg, + const mbedtls_rsa_context *rsa, + size_t hash_length ) +{ + if( PSA_ALG_IS_RSA_PSS_ANY_SALT( alg ) ) + return( MBEDTLS_RSA_SALT_LEN_ANY ); + /* Otherwise: standard salt length, i.e. largest possible salt length + * up to the hash length. */ + int klen = (int) mbedtls_rsa_get_len( rsa ); // known to fit + int hlen = (int) hash_length; // known to fit + int room = klen - 2 - hlen; + if( room < 0 ) + return( 0 ); // there is no valid signature in this case anyway + else if( room > hlen ) + return( hlen ); + else + return( room ); +} +#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS */ + +psa_status_t mbedtls_psa_rsa_verify_hash( const psa_key_attributes_t *attributes, const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, @@ -481,7 +477,7 @@ static psa_status_t rsa_verify_hash( goto exit; } -#if defined(BUILTIN_ALG_RSA_PKCS1V15_SIGN) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) ) { ret = mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V15, @@ -496,22 +492,25 @@ static psa_status_t rsa_verify_hash( } } else -#endif /* BUILTIN_ALG_RSA_PKCS1V15_SIGN */ -#if defined(BUILTIN_ALG_RSA_PSS) +#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) if( PSA_ALG_IS_RSA_PSS( alg ) ) { ret = mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg ); if( ret == 0 ) { - ret = mbedtls_rsa_rsassa_pss_verify( rsa, - md_alg, - (unsigned int) hash_length, - hash, - signature ); + int slen = rsa_pss_expected_salt_len( alg, rsa, hash_length ); + ret = mbedtls_rsa_rsassa_pss_verify_ext( rsa, + md_alg, + (unsigned) hash_length, + hash, + md_alg, + slen, + signature ); } } else -#endif /* BUILTIN_ALG_RSA_PSS */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS */ { status = PSA_ERROR_INVALID_ARGUMENT; goto exit; @@ -531,176 +530,7 @@ static psa_status_t rsa_verify_hash( return( status ); } -#endif /* defined(BUILTIN_ALG_RSA_PKCS1V15_SIGN) || - * defined(BUILTIN_ALG_RSA_PSS) */ - -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) - -psa_status_t mbedtls_psa_rsa_import_key( - const psa_key_attributes_t *attributes, - const uint8_t *data, size_t data_length, - uint8_t *key_buffer, size_t key_buffer_size, - size_t *key_buffer_length, size_t *bits ) -{ - return( rsa_import_key( attributes, data, data_length, - key_buffer, key_buffer_size, - key_buffer_length, bits ) ); -} - -psa_status_t mbedtls_psa_rsa_export_public_key( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, size_t key_buffer_size, - uint8_t *data, size_t data_size, size_t *data_length ) -{ - return( rsa_export_public_key( attributes, key_buffer, key_buffer_size, - data, data_size, data_length ) ); -} - -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || - * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ - -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && \ - defined(MBEDTLS_GENPRIME) -psa_status_t mbedtls_psa_rsa_generate_key( - const psa_key_attributes_t *attributes, - uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length ) -{ - return( rsa_generate_key( attributes, key_buffer, key_buffer_size, - key_buffer_length ) ); -} -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) - * defined(MBEDTLS_GENPRIME) */ - -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) -psa_status_t mbedtls_psa_rsa_sign_hash( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, size_t key_buffer_size, - psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, - uint8_t *signature, size_t signature_size, size_t *signature_length ) -{ - return( rsa_sign_hash( - attributes, - key_buffer, key_buffer_size, - alg, hash, hash_length, - signature, signature_size, signature_length ) ); -} - -psa_status_t mbedtls_psa_rsa_verify_hash( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, size_t key_buffer_size, - psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, - const uint8_t *signature, size_t signature_length ) -{ - return( rsa_verify_hash( - attributes, - key_buffer, key_buffer_size, - alg, hash, hash_length, - signature, signature_length ) ); -} #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */ -/* - * BEYOND THIS POINT, TEST DRIVER ENTRY POINTS ONLY. - */ - -#if defined(PSA_CRYPTO_DRIVER_TEST) - -#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY) - -psa_status_t mbedtls_test_driver_rsa_import_key( - const psa_key_attributes_t *attributes, - const uint8_t *data, size_t data_length, - uint8_t *key_buffer, size_t key_buffer_size, - size_t *key_buffer_length, size_t *bits ) -{ - return( rsa_import_key( attributes, data, data_length, - key_buffer, key_buffer_size, - key_buffer_length, bits ) ); -} - -psa_status_t mbedtls_test_driver_rsa_export_public_key( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, size_t key_buffer_size, - uint8_t *data, size_t data_size, size_t *data_length ) -{ - return( rsa_export_public_key( attributes, key_buffer, key_buffer_size, - data, data_size, data_length ) ); -} - -#endif /* defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) || - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY) */ - -#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) -psa_status_t mbedtls_transparent_test_driver_rsa_generate_key( - const psa_key_attributes_t *attributes, - uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length ) -{ - return( rsa_generate_key( attributes, key_buffer, key_buffer_size, - key_buffer_length ) ); -} -#endif /* defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) */ - -#if defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN) || \ - defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PSS) -psa_status_t mbedtls_transparent_test_driver_rsa_sign_hash( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, size_t key_buffer_size, - psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, - uint8_t *signature, size_t signature_size, size_t *signature_length ) -{ -#if defined(MBEDTLS_RSA_C) && \ - (defined(MBEDTLS_PKCS1_V15) || defined(MBEDTLS_PKCS1_V21)) - return( rsa_sign_hash( - attributes, - key_buffer, key_buffer_size, - alg, hash, hash_length, - signature, signature_size, signature_length ) ); -#else - (void)attributes; - (void)key_buffer; - (void)key_buffer_size; - (void)alg; - (void)hash; - (void)hash_length; - (void)signature; - (void)signature_size; - (void)signature_length; - return( PSA_ERROR_NOT_SUPPORTED ); -#endif -} - -psa_status_t mbedtls_transparent_test_driver_rsa_verify_hash( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, size_t key_buffer_size, - psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, - const uint8_t *signature, size_t signature_length ) -{ -#if defined(MBEDTLS_RSA_C) && \ - (defined(MBEDTLS_PKCS1_V15) || defined(MBEDTLS_PKCS1_V21)) - return( rsa_verify_hash( - attributes, - key_buffer, key_buffer_size, - alg, hash, hash_length, - signature, signature_length ) ); -#else - (void)attributes; - (void)key_buffer; - (void)key_buffer_size; - (void)alg; - (void)hash; - (void)hash_length; - (void)signature; - (void)signature_length; - return( PSA_ERROR_NOT_SUPPORTED ); -#endif -} -#endif /* defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN) || - * defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PSS) */ - -#endif /* PSA_CRYPTO_DRIVER_TEST */ - #endif /* MBEDTLS_PSA_CRYPTO_C */ diff --git a/library/psa_crypto_rsa.h b/library/psa_crypto_rsa.h index 55406843d3d4..bea762c7c604 100644 --- a/library/psa_crypto_rsa.h +++ b/library/psa_crypto_rsa.h @@ -211,40 +211,4 @@ psa_status_t mbedtls_psa_rsa_verify_hash( const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, const uint8_t *signature, size_t signature_length ); - -/* - * BEYOND THIS POINT, TEST DRIVER ENTRY POINTS ONLY. - */ - -#if defined(PSA_CRYPTO_DRIVER_TEST) - -psa_status_t mbedtls_test_driver_rsa_import_key( - const psa_key_attributes_t *attributes, - const uint8_t *data, size_t data_length, - uint8_t *key_buffer, size_t key_buffer_size, - size_t *key_buffer_length, size_t *bits ); - -psa_status_t mbedtls_test_driver_rsa_export_public_key( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, size_t key_buffer_size, - uint8_t *data, size_t data_size, size_t *data_length ); - -psa_status_t mbedtls_transparent_test_driver_rsa_generate_key( - const psa_key_attributes_t *attributes, - uint8_t *key, size_t key_size, size_t *key_length ); - -psa_status_t mbedtls_transparent_test_driver_rsa_sign_hash( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, size_t key_buffer_size, - psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, - uint8_t *signature, size_t signature_size, size_t *signature_length ); - -psa_status_t mbedtls_transparent_test_driver_rsa_verify_hash( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, size_t key_buffer_size, - psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, - const uint8_t *signature, size_t signature_length ); - -#endif /* PSA_CRYPTO_DRIVER_TEST */ - #endif /* PSA_CRYPTO_RSA_H */ diff --git a/library/rsa.c b/library/rsa.c index e818e6daebe2..36f487f3a777 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -44,6 +44,8 @@ #include "mbedtls/oid.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" +#include "constant_time_internal.h" +#include "mbedtls/constant_time.h" #include <string.h> @@ -72,22 +74,6 @@ #define RSA_VALIDATE( cond ) \ MBEDTLS_INTERNAL_VALIDATE( cond ) -#if defined(MBEDTLS_PKCS1_V15) -/* constant-time buffer comparison */ -static inline int mbedtls_safer_memcmp( const void *a, const void *b, size_t n ) -{ - size_t i; - const unsigned char *A = (const unsigned char *) a; - const unsigned char *B = (const unsigned char *) b; - unsigned char diff = 0; - - for( i = 0; i < n; i++ ) - diff |= A[i] ^ B[i]; - - return( diff ); -} -#endif /* MBEDTLS_PKCS1_V15 */ - int mbedtls_rsa_import( mbedtls_rsa_context *ctx, const mbedtls_mpi *N, const mbedtls_mpi *P, const mbedtls_mpi *Q, @@ -1473,97 +1459,6 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, #endif /* MBEDTLS_PKCS1_V21 */ #if defined(MBEDTLS_PKCS1_V15) -/** Turn zero-or-nonzero into zero-or-all-bits-one, without branches. - * - * \param value The value to analyze. - * \return Zero if \p value is zero, otherwise all-bits-one. - */ -static unsigned all_or_nothing_int( unsigned value ) -{ - /* MSVC has a warning about unary minus on unsigned, but this is - * well-defined and precisely what we want to do here */ -#if defined(_MSC_VER) -#pragma warning( push ) -#pragma warning( disable : 4146 ) -#endif - return( - ( ( value | - value ) >> ( sizeof( value ) * 8 - 1 ) ) ); -#if defined(_MSC_VER) -#pragma warning( pop ) -#endif -} - -/** Check whether a size is out of bounds, without branches. - * - * This is equivalent to `size > max`, but is likely to be compiled to - * to code using bitwise operation rather than a branch. - * - * \param size Size to check. - * \param max Maximum desired value for \p size. - * \return \c 0 if `size <= max`. - * \return \c 1 if `size > max`. - */ -static unsigned size_greater_than( size_t size, size_t max ) -{ - /* Return the sign bit (1 for negative) of (max - size). */ - return( ( max - size ) >> ( sizeof( size_t ) * 8 - 1 ) ); -} - -/** Choose between two integer values, without branches. - * - * This is equivalent to `cond ? if1 : if0`, but is likely to be compiled - * to code using bitwise operation rather than a branch. - * - * \param cond Condition to test. - * \param if1 Value to use if \p cond is nonzero. - * \param if0 Value to use if \p cond is zero. - * \return \c if1 if \p cond is nonzero, otherwise \c if0. - */ -static unsigned if_int( unsigned cond, unsigned if1, unsigned if0 ) -{ - unsigned mask = all_or_nothing_int( cond ); - return( ( mask & if1 ) | (~mask & if0 ) ); -} - -/** Shift some data towards the left inside a buffer without leaking - * the length of the data through side channels. - * - * `mem_move_to_left(start, total, offset)` is functionally equivalent to - * ``` - * memmove(start, start + offset, total - offset); - * memset(start + offset, 0, total - offset); - * ``` - * but it strives to use a memory access pattern (and thus total timing) - * that does not depend on \p offset. This timing independence comes at - * the expense of performance. - * - * \param start Pointer to the start of the buffer. - * \param total Total size of the buffer. - * \param offset Offset from which to copy \p total - \p offset bytes. - */ -static void mem_move_to_left( void *start, - size_t total, - size_t offset ) -{ - volatile unsigned char *buf = start; - size_t i, n; - if( total == 0 ) - return; - for( i = 0; i < total; i++ ) - { - unsigned no_op = size_greater_than( total - offset, i ); - /* The first `total - offset` passes are a no-op. The last - * `offset` passes shift the data one byte to the left and - * zero out the last byte. */ - for( n = 0; n < total - 1; n++ ) - { - unsigned char current = buf[n]; - unsigned char next = buf[n+1]; - buf[n] = if_int( no_op, current, next ); - } - buf[total-1] = if_int( no_op, buf[total-1], 0 ); - } -} - /* * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function */ @@ -1576,23 +1471,8 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, size_t output_max_len ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t ilen, i, plaintext_max_size; + size_t ilen; unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; - /* The following variables take sensitive values: their value must - * not leak into the observable behavior of the function other than - * the designated outputs (output, olen, return value). Otherwise - * this would open the execution of the function to - * side-channel-based variants of the Bleichenbacher padding oracle - * attack. Potential side channels include overall timing, memory - * access patterns (especially visible to an adversary who has access - * to a shared memory cache), and branches (especially visible to - * an adversary who has access to a shared code cache or to a shared - * branch predictor). */ - size_t pad_count = 0; - unsigned bad = 0; - unsigned char pad_done = 0; - size_t plaintext_size = 0; - unsigned output_too_large; RSA_VALIDATE_RET( ctx != NULL ); RSA_VALIDATE_RET( output_max_len == 0 || output != NULL ); @@ -1600,9 +1480,6 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, RSA_VALIDATE_RET( olen != NULL ); ilen = ctx->len; - plaintext_max_size = ( output_max_len > ilen - 11 ? - ilen - 11 : - output_max_len ); if( ctx->padding != MBEDTLS_RSA_PKCS_V15 ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); @@ -1615,98 +1492,8 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, if( ret != 0 ) goto cleanup; - /* Check and get padding length in constant time and constant - * memory trace. The first byte must be 0. */ - bad |= buf[0]; - - - /* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00 - * where PS must be at least 8 nonzero bytes. */ - bad |= buf[1] ^ MBEDTLS_RSA_CRYPT; - - /* Read the whole buffer. Set pad_done to nonzero if we find - * the 0x00 byte and remember the padding length in pad_count. */ - for( i = 2; i < ilen; i++ ) - { - pad_done |= ((buf[i] | (unsigned char)-buf[i]) >> 7) ^ 1; - pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1; - } - - - /* If pad_done is still zero, there's no data, only unfinished padding. */ - bad |= if_int( pad_done, 0, 1 ); - - /* There must be at least 8 bytes of padding. */ - bad |= size_greater_than( 8, pad_count ); - - /* If the padding is valid, set plaintext_size to the number of - * remaining bytes after stripping the padding. If the padding - * is invalid, avoid leaking this fact through the size of the - * output: use the maximum message size that fits in the output - * buffer. Do it without branches to avoid leaking the padding - * validity through timing. RSA keys are small enough that all the - * size_t values involved fit in unsigned int. */ - plaintext_size = if_int( bad, - (unsigned) plaintext_max_size, - (unsigned) ( ilen - pad_count - 3 ) ); - - /* Set output_too_large to 0 if the plaintext fits in the output - * buffer and to 1 otherwise. */ - output_too_large = size_greater_than( plaintext_size, - plaintext_max_size ); - - /* Set ret without branches to avoid timing attacks. Return: - * - INVALID_PADDING if the padding is bad (bad != 0). - * - OUTPUT_TOO_LARGE if the padding is good but the decrypted - * plaintext does not fit in the output buffer. - * - 0 if the padding is correct. */ - ret = - (int) if_int( bad, - MBEDTLS_ERR_RSA_INVALID_PADDING, - if_int( output_too_large, - MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE, - 0 ) ); - - /* If the padding is bad or the plaintext is too large, zero the - * data that we're about to copy to the output buffer. - * We need to copy the same amount of data - * from the same buffer whether the padding is good or not to - * avoid leaking the padding validity through overall timing or - * through memory or cache access patterns. */ - bad = all_or_nothing_int( bad | output_too_large ); - for( i = 11; i < ilen; i++ ) - buf[i] &= ~bad; - - /* If the plaintext is too large, truncate it to the buffer size. - * Copy anyway to avoid revealing the length through timing, because - * revealing the length is as bad as revealing the padding validity - * for a Bleichenbacher attack. */ - plaintext_size = if_int( output_too_large, - (unsigned) plaintext_max_size, - (unsigned) plaintext_size ); - - /* Move the plaintext to the leftmost position where it can start in - * the working buffer, i.e. make it start plaintext_max_size from - * the end of the buffer. Do this with a memory access trace that - * does not depend on the plaintext size. After this move, the - * starting location of the plaintext is no longer sensitive - * information. */ - mem_move_to_left( buf + ilen - plaintext_max_size, - plaintext_max_size, - plaintext_max_size - plaintext_size ); - - /* Finally copy the decrypted plaintext plus trailing zeros into the output - * buffer. If output_max_len is 0, then output may be an invalid pointer - * and the result of memcpy() would be undefined; prevent undefined - * behavior making sure to depend only on output_max_len (the size of the - * user-provided output buffer), which is independent from plaintext - * length, validity of padding, success of the decryption, and other - * secrets. */ - if( output_max_len != 0 ) - memcpy( output, buf + ilen - plaintext_max_size, plaintext_max_size ); - - /* Report the amount of data we copied to the output buffer. In case - * of errors (bad padding or output too large), the value of *olen - * when this function returns is not specified. Making it equivalent - * to the good case limits the risks of leaking the padding validity. */ - *olen = plaintext_size; + ret = mbedtls_ct_rsaes_pkcs1_v15_unpadding( buf, ilen, + output, output_max_len, olen ); cleanup: mbedtls_platform_zeroize( buf, sizeof( buf ) ); @@ -2100,7 +1887,7 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) ); MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) ); - if( mbedtls_safer_memcmp( verif, sig, ctx->len ) != 0 ) + if( mbedtls_ct_memcmp( verif, sig, ctx->len ) != 0 ) { ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED; goto cleanup; @@ -2109,9 +1896,13 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, memcpy( sig, sig_try, ctx->len ); cleanup: + mbedtls_platform_zeroize( sig_try, ctx->len ); + mbedtls_platform_zeroize( verif, ctx->len ); mbedtls_free( sig_try ); mbedtls_free( verif ); + if( ret != 0 ) + memset( sig, '!', ctx->len ); return( ret ); } #endif /* MBEDTLS_PKCS1_V15 */ @@ -2372,8 +2163,8 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, * Compare */ - if( ( ret = mbedtls_safer_memcmp( encoded, encoded_expected, - sig_len ) ) != 0 ) + if( ( ret = mbedtls_ct_memcmp( encoded, encoded_expected, + sig_len ) ) != 0 ) { ret = MBEDTLS_ERR_RSA_VERIFY_FAILED; goto cleanup; diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c index 7f00c8edb6dc..f2d7af9b76fa 100644 --- a/library/ssl_ciphersuites.c +++ b/library/ssl_ciphersuites.c @@ -52,22 +52,22 @@ static const int ciphersuite_preference[] = #if defined(MBEDTLS_SSL_CIPHERSUITES) MBEDTLS_SSL_CIPHERSUITES, #else -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) /* TLS 1.3 ciphersuites */ MBEDTLS_TLS1_3_AES_128_GCM_SHA256, MBEDTLS_TLS1_3_AES_256_GCM_SHA384, MBEDTLS_TLS1_3_CHACHA20_POLY1305_SHA256, MBEDTLS_TLS1_3_AES_128_CCM_SHA256, MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256, -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ /* Chacha-Poly ephemeral suites */ MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) MBEDTLS_TLS1_3_CHACHA20_POLY1305_SHA256, -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ /* All AES-256 ephemeral suites */ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, @@ -83,9 +83,9 @@ static const int ciphersuite_preference[] = MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA, MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8, -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) MBEDTLS_TLS1_3_AES_256_GCM_SHA384, -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ /* All CAMELLIA-256 ephemeral suites */ MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, @@ -118,11 +118,11 @@ static const int ciphersuite_preference[] = MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA, MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8, -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) MBEDTLS_TLS1_3_AES_128_GCM_SHA256, MBEDTLS_TLS1_3_AES_128_CCM_SHA256, MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256, -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ /* All CAMELLIA-128 ephemeral suites */ MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, @@ -303,7 +303,7 @@ static const int ciphersuite_preference[] = static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = { -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_AES_C) #if defined(MBEDTLS_GCM_C) #if defined(MBEDTLS_SHA384_C) @@ -347,7 +347,7 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4, 0 }, #endif /* MBEDTLS_CHACHAPOLY_C && MBEDTLS_SHA256_C */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_CHACHAPOLY_C) && \ defined(MBEDTLS_SHA256_C) && \ @@ -2077,7 +2077,7 @@ int mbedtls_ssl_get_ciphersuite_id( const char *ciphersuite_name ) return( cur->id ); } -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) unsigned int mbedtls_hash_size_for_ciphersuite(const mbedtls_ssl_ciphersuite_t* ciphersuite) { /* We assume that the input parameter, ciphersuite, is not NULL. */ @@ -2093,7 +2093,7 @@ unsigned int mbedtls_hash_size_for_ciphersuite(const mbedtls_ssl_ciphersuite_t* return( 0 ); } } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_PK_C) mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg( const mbedtls_ssl_ciphersuite_t *info ) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 5cc1e6ebb411..e10aa4a15a26 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -19,8 +19,6 @@ #include "common.h" -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) - #if defined(MBEDTLS_SSL_CLI_C) #if defined(MBEDTLS_PLATFORM_C) @@ -35,9 +33,11 @@ #include "ssl_misc.h" #include "mbedtls/debug.h" #include "mbedtls/error.h" +#include "mbedtls/constant_time.h" #if defined(MBEDTLS_USE_PSA_CRYPTO) #include "mbedtls/psa_util.h" +#include "psa/crypto.h" #endif /* MBEDTLS_USE_PSA_CRYPTO */ #include <string.h> @@ -52,49 +52,11 @@ #include "mbedtls/platform_util.h" #endif -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) -static int ssl_conf_has_static_psk( mbedtls_ssl_config const *conf ) -{ - if( conf->psk_identity == NULL || - conf->psk_identity_len == 0 ) - { - return( 0 ); - } - - if( conf->psk != NULL && conf->psk_len != 0 ) - return( 1 ); - -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) ) - return( 1 ); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - - return( 0 ); -} - -#if defined(MBEDTLS_USE_PSA_CRYPTO) -static int ssl_conf_has_static_raw_psk( mbedtls_ssl_config const *conf ) -{ - if( conf->psk_identity == NULL || - conf->psk_identity_len == 0 ) - { - return( 0 ); - } - - if( conf->psk != NULL && conf->psk_len != 0 ) - return( 1 ); - - return( 0 ); -} -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ - #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) -static int ssl_write_hostname_ext( mbedtls_ssl_context *ssl, - unsigned char *buf, - const unsigned char *end, - size_t *olen ) +int mbedtls_ssl_write_hostname_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + const unsigned char *end, + size_t *olen ) { unsigned char *p = buf; size_t hostname_len; @@ -160,6 +122,46 @@ static int ssl_write_hostname_ext( mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) +static int ssl_conf_has_static_psk( mbedtls_ssl_config const *conf ) +{ + if( conf->psk_identity == NULL || + conf->psk_identity_len == 0 ) + { + return( 0 ); + } + + if( conf->psk != NULL && conf->psk_len != 0 ) + return( 1 ); + +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) ) + return( 1 ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + + return( 0 ); +} + +#if defined(MBEDTLS_USE_PSA_CRYPTO) +static int ssl_conf_has_static_raw_psk( mbedtls_ssl_config const *conf ) +{ + if( conf->psk_identity == NULL || + conf->psk_identity_len == 0 ) + { + return( 0 ); + } + + if( conf->psk != NULL && conf->psk_len != 0 ) + return( 1 ); + + return( 0 ); +} +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ + #if defined(MBEDTLS_SSL_RENEGOTIATION) static int ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, unsigned char *buf, @@ -311,27 +313,32 @@ static int ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, unsigned char *elliptic_curve_list = p + 6; size_t elliptic_curve_len = 0; const mbedtls_ecp_curve_info *info; - const mbedtls_ecp_group_id *grp_id; - + const uint16_t *group_list = mbedtls_ssl_get_groups( ssl ); *olen = 0; + /* Check there is room for header */ + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) ); - if( ssl->conf->curve_list == NULL ) + if( group_list == NULL ) return( MBEDTLS_ERR_SSL_BAD_CONFIG ); - for( grp_id = ssl->conf->curve_list; - *grp_id != MBEDTLS_ECP_DP_NONE; - grp_id++ ) + for( ; *group_list != 0; group_list++ ) { - info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); + info = mbedtls_ecp_curve_info_from_tls_id( *group_list ); if( info == NULL ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) ); return( MBEDTLS_ERR_SSL_BAD_CONFIG ); } + + /* Check there is room for another curve */ + MBEDTLS_SSL_CHK_BUF_PTR( elliptic_curve_list, end, elliptic_curve_len + 2 ); + + MBEDTLS_PUT_UINT16_BE( *group_list, elliptic_curve_list, elliptic_curve_len ); elliptic_curve_len += 2; if( elliptic_curve_len > MBEDTLS_SSL_MAX_CURVE_LIST_LEN ) @@ -346,19 +353,6 @@ static int ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, if( elliptic_curve_len == 0 ) return( MBEDTLS_ERR_SSL_BAD_CONFIG ); - MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 + elliptic_curve_len ); - - elliptic_curve_len = 0; - - for( grp_id = ssl->conf->curve_list; - *grp_id != MBEDTLS_ECP_DP_NONE; - grp_id++ ) - { - info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); - elliptic_curve_list[elliptic_curve_len++] = MBEDTLS_BYTE_1( info->tls_id ); - elliptic_curve_list[elliptic_curve_len++] = MBEDTLS_BYTE_0( info->tls_id ); - } - MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES, p, 0 ); p += 2; @@ -1178,10 +1172,10 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - if( ( ret = ssl_write_hostname_ext( ssl, p + 2 + ext_len, - end, &olen ) ) != 0 ) + if( ( ret = mbedtls_ssl_write_hostname_ext( ssl, p + 2 + ext_len, + end, &olen ) ) != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_hostname_ext", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_hostname_ext", ret ); return( ret ); } ext_len += olen; @@ -1366,9 +1360,9 @@ static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, /* Check verify-data in constant-time. The length OTOH is no secret */ if( len != 1 + ssl->verify_data_len * 2 || buf[0] != ssl->verify_data_len * 2 || - mbedtls_ssl_safer_memcmp( buf + 1, + mbedtls_ct_memcmp( buf + 1, ssl->own_verify_data, ssl->verify_data_len ) != 0 || - mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len, + mbedtls_ct_memcmp( buf + 1 + ssl->verify_data_len, ssl->peer_verify_data, ssl->verify_data_len ) != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); @@ -3091,7 +3085,11 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) ) { size_t sig_len, hashlen; - unsigned char hash[64]; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + unsigned char hash[PSA_HASH_MAX_SIZE]; +#else + unsigned char hash[MBEDTLS_MD_MAX_SIZE]; +#endif mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); @@ -4307,5 +4305,6 @@ int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ) return( ret ); } -#endif /* MBEDTLS_SSL_CLI_C */ #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ + +#endif /* MBEDTLS_SSL_CLI_C */ diff --git a/library/ssl_cookie.c b/library/ssl_cookie.c index 986b1410b005..358169e87638 100644 --- a/library/ssl_cookie.c +++ b/library/ssl_cookie.c @@ -36,6 +36,7 @@ #include "ssl_misc.h" #include "mbedtls/error.h" #include "mbedtls/platform_util.h" +#include "mbedtls/constant_time.h" #include <string.h> @@ -216,15 +217,20 @@ int mbedtls_ssl_cookie_check( void *p_ctx, #if defined(MBEDTLS_THREADING_C) if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) - return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_SSL_INTERNAL_ERROR, - MBEDTLS_ERR_THREADING_MUTEX_ERROR ) ); + { + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_SSL_INTERNAL_ERROR, + MBEDTLS_ERR_THREADING_MUTEX_ERROR ); + } #endif if( ret != 0 ) - return( ret ); + goto exit; - if( mbedtls_ssl_safer_memcmp( cookie + 4, ref_hmac, sizeof( ref_hmac ) ) != 0 ) - return( -1 ); + if( mbedtls_ct_memcmp( cookie + 4, ref_hmac, sizeof( ref_hmac ) ) != 0 ) + { + ret = -1; + goto exit; + } #if defined(MBEDTLS_HAVE_TIME) cur_time = (unsigned long) mbedtls_time( NULL ); @@ -238,8 +244,13 @@ int mbedtls_ssl_cookie_check( void *p_ctx, ( (unsigned long) cookie[3] ); if( ctx->timeout != 0 && cur_time - cookie_time > ctx->timeout ) - return( -1 ); + { + ret = -1; + goto exit; + } - return( 0 ); +exit: + mbedtls_platform_zeroize( ref_hmac, sizeof( ref_hmac ) ); + return( ret ); } #endif /* MBEDTLS_SSL_COOKIE_C */ diff --git a/library/ssl_invasive.h b/library/ssl_invasive.h deleted file mode 100644 index babbc2768c3c..000000000000 --- a/library/ssl_invasive.h +++ /dev/null @@ -1,100 +0,0 @@ -/** - * \file ssl_invasive.h - * - * \brief SSL module: interfaces for invasive testing only. - * - * The interfaces in this file are intended for testing purposes only. - * They SHOULD NOT be made available in library integrations except when - * building the library for testing. - */ -/* - * Copyright The Mbed TLS Contributors - * SPDX-License-Identifier: Apache-2.0 - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may - * not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -#ifndef MBEDTLS_SSL_INVASIVE_H -#define MBEDTLS_SSL_INVASIVE_H - -#include "common.h" -#include "mbedtls/md.h" - -#if defined(MBEDTLS_TEST_HOOKS) && \ - defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) -/** \brief Compute the HMAC of variable-length data with constant flow. - * - * This function computes the HMAC of the concatenation of \p add_data and \p - * data, and does with a code flow and memory access pattern that does not - * depend on \p data_len_secret, but only on \p min_data_len and \p - * max_data_len. In particular, this function always reads exactly \p - * max_data_len bytes from \p data. - * - * \param ctx The HMAC context. It must have keys configured - * with mbedtls_md_hmac_starts() and use one of the - * following hashes: SHA-384, SHA-256, SHA-1 or MD-5. - * It is reset using mbedtls_md_hmac_reset() after - * the computation is complete to prepare for the - * next computation. - * \param add_data The additional data prepended to \p data. This - * must point to a readable buffer of \p add_data_len - * bytes. - * \param add_data_len The length of \p add_data in bytes. - * \param data The data appended to \p add_data. This must point - * to a readable buffer of \p max_data_len bytes. - * \param data_len_secret The length of the data to process in \p data. - * This must be no less than \p min_data_len and no - * greater than \p max_data_len. - * \param min_data_len The minimal length of \p data in bytes. - * \param max_data_len The maximal length of \p data in bytes. - * \param output The HMAC will be written here. This must point to - * a writable buffer of sufficient size to hold the - * HMAC value. - * - * \retval 0 - * Success. - * \retval MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED - * The hardware accelerator failed. - */ -int mbedtls_ssl_cf_hmac( - mbedtls_md_context_t *ctx, - const unsigned char *add_data, size_t add_data_len, - const unsigned char *data, size_t data_len_secret, - size_t min_data_len, size_t max_data_len, - unsigned char *output ); - -/** \brief Copy data from a secret position with constant flow. - * - * This function copies \p len bytes from \p src_base + \p offset_secret to \p - * dst, with a code flow and memory access pattern that does not depend on \p - * offset_secret, but only on \p offset_min, \p offset_max and \p len. - * - * \param dst The destination buffer. This must point to a writable - * buffer of at least \p len bytes. - * \param src_base The base of the source buffer. This must point to a - * readable buffer of at least \p offset_max + \p len - * bytes. - * \param offset_secret The offset in the source buffer from which to copy. - * This must be no less than \p offset_min and no greater - * than \p offset_max. - * \param offset_min The minimal value of \p offset_secret. - * \param offset_max The maximal value of \p offset_secret. - * \param len The number of bytes to copy. - */ -void mbedtls_ssl_cf_memcpy_offset( unsigned char *dst, - const unsigned char *src_base, - size_t offset_secret, - size_t offset_min, size_t offset_max, - size_t len ); -#endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ - -#endif /* MBEDTLS_SSL_INVASIVE_H */ diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 39c8fb5fd5ed..52e1c10558b8 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -51,7 +51,7 @@ #include "mbedtls/ecjpake.h" #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && defined(MBEDTLS_SSL_USE_MPS) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_USE_MPS) #include "mps.h" #endif @@ -66,7 +66,7 @@ #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) || \ - ( defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && !defined(MBEDTLS_SSL_USE_MPS) ) + ( defined(MBEDTLS_SSL_PROTO_TLS1_3) && !defined(MBEDTLS_SSL_USE_MPS) ) #define MBEDTLS_SSL_LEGACY_MSG_LAYER_REQUIRED #endif @@ -86,9 +86,9 @@ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3 -#elif defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#elif defined(MBEDTLS_SSL_PROTO_TLS1_3) #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_4 -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_4 #define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3 @@ -97,18 +97,18 @@ #define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3 -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_4 #else #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ /* Shorthand for restartable ECC */ #if defined(MBEDTLS_ECP_RESTARTABLE) && \ defined(MBEDTLS_SSL_CLI_C) && \ - (defined(MBEDTLS_SSL_PROTO_TLS1_2) || defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)) && \ + (defined(MBEDTLS_SSL_PROTO_TLS1_2) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) && \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) #define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED #endif @@ -283,9 +283,9 @@ /* Maximum amount of early data to buffer on the server. */ #define MBEDTLS_SSL_MAX_EARLY_DATA 1024 -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #define MBEDTLS_SIGNATURE_SCHEMES_SIZE 20 -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ /* * Check that we obey the standard's message size bounds */ @@ -331,8 +331,6 @@ + ( MBEDTLS_SSL_CID_OUT_LEN_MAX ) ) #endif -#define MBEDTLS_TLS1_3_MD_MAX_SIZE MBEDTLS_MD_MAX_SIZE - #define MBEDTLS_CLIENT_HELLO_RANDOM_LEN 32 #define MBEDTLS_SERVER_HELLO_RANDOM_LEN 32 @@ -554,25 +552,84 @@ typedef struct unsigned char binder_key [ MBEDTLS_TLS1_3_MD_MAX_SIZE ]; unsigned char client_early_traffic_secret [ MBEDTLS_TLS1_3_MD_MAX_SIZE ]; unsigned char early_exporter_master_secret[ MBEDTLS_TLS1_3_MD_MAX_SIZE ]; -} mbedtls_ssl_tls1_3_early_secrets; +} mbedtls_ssl_tls13_early_secrets; typedef struct { unsigned char client_handshake_traffic_secret[ MBEDTLS_TLS1_3_MD_MAX_SIZE ]; unsigned char server_handshake_traffic_secret[ MBEDTLS_TLS1_3_MD_MAX_SIZE ]; -} mbedtls_ssl_tls1_3_handshake_secrets; +} mbedtls_ssl_tls13_handshake_secrets; /* * This structure contains the parameters only needed during handshake. */ struct mbedtls_ssl_handshake_params { + /* Frequently-used boolean or byte fields (placed early to take + * advantage of smaller code size for indirect access on Arm Thumb) */ + uint8_t max_major_ver; /*!< max. major version client*/ + uint8_t max_minor_ver; /*!< max. minor version client*/ + uint8_t resume; /*!< session resume indicator*/ + uint8_t cli_exts; /*!< client extension presence*/ + +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + uint8_t sni_authmode; /*!< authmode from SNI callback */ +#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ + +#if defined(MBEDTLS_SSL_SESSION_TICKETS) || \ + ( defined(MBEDTLS_SSL_NEW_SESSION_TICKET) && defined(MBEDTLS_SSL_PROTO_TLS1_3) ) + uint8_t new_session_ticket; /*!< use NewSessionTicket? */ +#endif /* MBEDTLS_SSL_SESSION_TICKETS || + ( MBEDTLS_SSL_NEW_SESSION_TICKET && MBEDTLS_SSL_PROTO_TLS1_3 ) */ + +#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) + uint8_t extended_ms; /*!< use Extended Master Secret? */ +#endif + +#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) + uint8_t async_in_progress; /*!< an asynchronous operation is in progress */ +#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ + +#if defined(MBEDTLS_SSL_PROTO_DTLS) + unsigned char retransmit_state; /*!< Retransmission state */ +#endif + +#if !defined(MBEDTLS_DEPRECATED_REMOVED) + unsigned char group_list_heap_allocated; +#endif + +#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) + uint8_t ecrs_enabled; /*!< Handshake supports EC restart? */ + enum { /* this complements ssl->state with info on intra-state operations */ + ssl_ecrs_none = 0, /*!< nothing going on (yet) */ + ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */ + ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */ + ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */ + ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */ + } ecrs_state; /*!< current (or last) operation */ + mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */ + size_t ecrs_n; /*!< place for saving a length */ +#endif + +#if defined(MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER) + size_t pmslen; /*!< premaster length */ +#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER) */ + + mbedtls_ssl_ciphersuite_t const *ciphersuite_info; + + void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t); +#if defined(MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER) + void (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *); + void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int); +#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER) */ + mbedtls_ssl_tls_prf_cb *tls_prf; + /* * Handshake specific crypto variables */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) unsigned int key_exchange; /* Indication of the key exchange algorithm being negotiated*/ - int tls1_3_kex_modes; /*!< key exchange modes for TLS 1.3 */ + int tls13_kex_modes; /*!< key exchange modes for TLS 1.3 */ #if defined(MBEDTLS_X509_CRT_PARSE_C) int received_signature_schemes_list[MBEDTLS_SIGNATURE_SCHEMES_SIZE]; /*!< Received signature algorithms */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ @@ -583,18 +640,24 @@ struct mbedtls_ssl_handshake_params #if defined(MBEDTLS_SSL_SRV_C) int hello_retry_requests_sent; /*!< Number of Hello Retry Request messages sent by the server. */ #endif /* MBEDTLS_SSL_SRV_C */ -#if defined(MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE) +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) int ccs_sent; /* Number of CCS messages sent */ -#endif /* MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */ #endif + +#if !defined(MBEDTLS_DEPRECATED_REMOVED) + const uint16_t *group_list; +#endif + #if defined(MBEDTLS_DHM_C) mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */ #endif + /* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due * to guards also being in ssl_srv.c and ssl_cli.c. There is a gap * in functionality that access to ecdh_ctx structure is needed for @@ -618,10 +681,12 @@ struct mbedtls_ssl_handshake_params size_t ecjpake_cache_len; /*!< Length of cached data */ #endif #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ + #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */ #endif + #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_key_id_t psk_opaque; /*!< Opaque PSK from the callback */ @@ -629,52 +694,68 @@ struct mbedtls_ssl_handshake_params unsigned char *psk; /*!< PSK from the callback */ size_t psk_len; /*!< Length of PSK from callback */ #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ + +#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) + mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */ +#endif + #if defined(MBEDTLS_X509_CRT_PARSE_C) mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - int sni_authmode; /*!< authmode from SNI callback */ mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */ mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */ mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */ #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ -#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) - int ecrs_enabled; /*!< Handshake supports EC restart? */ - mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */ - enum { /* this complements ssl->state with info on intra-state operations */ - ssl_ecrs_none = 0, /*!< nothing going on (yet) */ - ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */ - ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */ - ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */ - ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */ - } ecrs_state; /*!< current (or last) operation */ - mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */ - size_t ecrs_n; /*!< place for saving a length */ -#endif #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */ #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ -#if (defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)) + struct + { + size_t total_bytes_buffered; /*!< Cumulative size of heap allocated + * buffers used for message buffering. */ + + uint8_t seen_ccs; /*!< Indicates if a CCS message has + * been seen in the current flight. */ + + struct mbedtls_ssl_hs_buffer + { + unsigned is_valid : 1; + unsigned is_fragmented : 1; + unsigned is_complete : 1; + unsigned char *data; + size_t data_len; + } hs[MBEDTLS_SSL_MAX_BUFFERED_HS]; + + struct + { + unsigned char *data; + size_t len; + unsigned epoch; + } future_record; + + } buffering; + +#if (defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) /* Prior to TLS 1.3 cookies were only used with DTLS. In TLS 1.3 a cookie * mechanism has been introduced. */ unsigned char* verify_cookie; /*!< Cli: HelloVerifyRequest cookie Srv: unused */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) size_t verify_cookie_len; #else unsigned char verify_cookie_len; /*!< Cli: cookie length Srv: flag for sending a cookie */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL*/ -#endif /* MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ +#endif /* MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_PROTO_DTLS) unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */ unsigned int in_msg_seq; /*!< Incoming handshake sequence number */ uint32_t retransmit_timeout; /*!< Current value of timeout */ - unsigned char retransmit_state; /*!< Retransmission state */ mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */ mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */ unsigned char *cur_msg_p; /*!< Position in current message */ @@ -697,48 +778,22 @@ struct mbedtls_ssl_handshake_params * \c peer_cid. */ #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ - struct - { - size_t total_bytes_buffered; /*!< Cumulative size of heap allocated - * buffers used for message buffering. */ - - uint8_t seen_ccs; /*!< Indicates if a CCS message has - * been seen in the current flight. */ - - struct mbedtls_ssl_hs_buffer - { - unsigned is_valid : 1; - unsigned is_fragmented : 1; - unsigned is_complete : 1; - unsigned char *data; - size_t data_len; - } hs[MBEDTLS_SSL_MAX_BUFFERED_HS]; - - struct - { - unsigned char *data; - size_t len; - unsigned epoch; - } future_record; - - } buffering; - uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */ #endif /* MBEDTLS_SSL_PROTO_DTLS */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) int epoch_handshake; int epoch_earlydata; /*! TLS 1.3 transforms for 0-RTT and encrypted handshake messages. * Those pointers own the transforms they reference. */ mbedtls_ssl_transform *transform_handshake; mbedtls_ssl_transform *transform_earlydata; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ /* * Checksum contexts */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) || defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) || defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_hash_operation_t fin_sha256_psa; @@ -753,20 +808,22 @@ struct mbedtls_ssl_handshake_params mbedtls_sha512_context fin_sha512; #endif #endif -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 || MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ - - void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t); -#if defined(MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER) - void (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *); - void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int); -#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER) */ - - mbedtls_ssl_tls_prf_cb *tls_prf; +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 || MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_USE_MPS) mbedtls_mps_handshake_out hs_msg_out; #endif +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + uint16_t offered_group_id; /* The NamedGroup value for the group + * that is being used for ephemeral + * key exchange. + * + * On the client: Defaults to the first + * entry in the client's group list, + * but can be overwritten by the HRR. */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ + /* * State-local variables used during the processing * of a specific handshake state. @@ -780,16 +837,18 @@ struct mbedtls_ssl_handshake_params /* Buffer holding digest of the handshake up to * but excluding the outgoing finished message. */ - unsigned char digest[MBEDTLS_MD_MAX_SIZE]; + unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE]; size_t digest_len; } finished_out; /* Incoming Finished message */ struct { + uint8_t preparation_done; + /* Buffer holding digest of the handshake up to but * excluding the peer's incoming finished message. */ - unsigned char digest[MBEDTLS_MD_MAX_SIZE]; + unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE]; size_t digest_len; } finished_in; @@ -865,23 +924,11 @@ struct mbedtls_ssl_handshake_params /* End of state-local variables. */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) - uint16_t offered_group_id; /* The NamedGroup value for the group - * that is being used for ephemeral - * key exchange. - * - * On the client: Defaults to the first - * entry in the client's group list, - * but can be overwritten by the HRR. */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ - - mbedtls_ssl_ciphersuite_t const *ciphersuite_info; - unsigned char randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN + MBEDTLS_SERVER_HELLO_RANDOM_LEN]; /*!< random bytes */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_ECDSA_C) unsigned char certificate_request_context_len; @@ -894,7 +941,7 @@ struct mbedtls_ssl_handshake_params #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ #if defined(MBEDTLS_ZERO_RTT) - mbedtls_ssl_tls1_3_early_secrets early_secrets; + mbedtls_ssl_tls13_early_secrets early_secrets; /*!< Early data indication: 0 -- MBEDTLS_SSL_EARLY_DATA_DISABLED (for no early data), and @@ -903,18 +950,13 @@ struct mbedtls_ssl_handshake_params int early_data; #endif /* MBEDTLS_ZERO_RTT */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER) - size_t pmslen; /*!< premaster length */ unsigned char premaster[MBEDTLS_PREMASTER_SIZE]; /*!< premaster secret */ #endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER) */ - int resume; /*!< session resume indicator*/ - int max_major_ver; /*!< max. major version client*/ - int max_minor_ver; /*!< max. minor version client*/ - int cli_exts; /*!< client extension presence*/ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) int extensions_present; /*!< extension presence; Each bitfield represents an extension and defined as \c MBEDTLS_SSL_EXT_XXX */ @@ -924,21 +966,10 @@ struct mbedtls_ssl_handshake_params unsigned char early [MBEDTLS_TLS1_3_MD_MAX_SIZE]; unsigned char handshake[MBEDTLS_TLS1_3_MD_MAX_SIZE]; unsigned char app [MBEDTLS_TLS1_3_MD_MAX_SIZE]; - } tls1_3_master_secrets; + } tls13_master_secrets; - mbedtls_ssl_tls1_3_handshake_secrets tls13_hs_secrets; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ - -#if (defined(MBEDTLS_SSL_SESSION_TICKETS) || (defined(MBEDTLS_SSL_NEW_SESSION_TICKET) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL))) - int new_session_ticket; /*!< use NewSessionTicket? */ -#endif /* MBEDTLS_SSL_SESSION_TICKETS || ( MBEDTLS_SSL_NEW_SESSION_TICKET && MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL ) */ -#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) - int extended_ms; /*!< use Extended Master Secret? */ -#endif - -#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) - unsigned int async_in_progress : 1; /*!< an asynchronous operation is in progress */ -#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ + mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets; +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) /** Asynchronous operation context. This field is meant for use by the @@ -1218,28 +1249,16 @@ void mbedtls_ssl_set_inbound_transform( mbedtls_ssl_context *ssl, void mbedtls_ssl_set_outbound_transform( mbedtls_ssl_context *ssl, mbedtls_ssl_transform *transform ); +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) +int mbedtls_ssl_write_hostname_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + const unsigned char *end, + size_t *olen ); +#endif + int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ); int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl ); void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ); -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) -/** - * \brief TLS 1.3 client side state machine entry - * - * \param ssl SSL context - */ -int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl ); - -/** - * \brief TLS 1.3 server side state machine entry - * - * \param ssl SSL context - */ -int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ); -#endif - -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) -void mbedtls_ssl_handshake_wrapup_tls13( mbedtls_ssl_context *ssl ); -#endif int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl ); @@ -1345,16 +1364,14 @@ int mbedtls_ssl_flush_output(mbedtls_ssl_context* ssl); int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush ); #endif /* MBEDTLS_SSL_USE_MPS */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) -int mbedtls_ssl_read_certificate_process(mbedtls_ssl_context* ssl); -int mbedtls_ssl_write_certificate_process(mbedtls_ssl_context* ssl); -int mbedtls_ssl_finished_in_process( mbedtls_ssl_context* ssl ); -int mbedtls_ssl_finished_out_process( mbedtls_ssl_context* ssl ); +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) +int mbedtls_ssl_tls13_read_certificate_process(mbedtls_ssl_context* ssl); +int mbedtls_ssl_tls13_write_certificate_process(mbedtls_ssl_context* ssl); -#if defined(MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE) -int mbedtls_ssl_write_change_cipher_spec_process( mbedtls_ssl_context* ssl ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) +int mbedtls_ssl_tls13_write_change_cipher_spec_process( mbedtls_ssl_context* ssl ); +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER) int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ); @@ -1365,14 +1382,14 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ); int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ); #endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER) */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ defined(MBEDTLS_ZERO_RTT) && defined(MBEDTLS_SSL_CLI_C) /* parse early data extension */ int ssl_parse_encrypted_extensions_early_data_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && MBEDTLS_ZERO_RTT && MBEDTLS_SSL_CLI_C */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_ZERO_RTT && MBEDTLS_SSL_CLI_C */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) /* * Helper functions around EarlyData @@ -1389,8 +1406,8 @@ static inline int mbedtls_ssl_conf_tls13_0rtt_enabled( mbedtls_ssl_context *ssl return( 0 ); } -int mbedtls_ssl_read_certificate_verify_process(mbedtls_ssl_context* ssl); -int mbedtls_ssl_write_certificate_verify_process(mbedtls_ssl_context* ssl); +int mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl); +int mbedtls_ssl_tls13_write_certificate_verify_process(mbedtls_ssl_context *ssl); int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, int endpoint, @@ -1404,38 +1421,48 @@ int mbedtls_ssl_mps_remap_error( int ret ); int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl ); -int mbedtls_ssl_write_encrypted_extension(mbedtls_ssl_context* ssl); +int mbedtls_ssl_tls13_write_encrypted_extension(mbedtls_ssl_context* ssl); -#if defined(MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE) -int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context* ssl); -#endif /* MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE */ +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) +int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context* ssl); +#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) -int mbedtls_ssl_write_pre_shared_key_ext(mbedtls_ssl_context* ssl, - unsigned char* buf, unsigned char* end, - size_t* olen, - size_t* binder_list_length, - int part ); +int mbedtls_ssl_tls13_write_pre_shared_key_ext( + mbedtls_ssl_context* ssl, + unsigned char* buf, unsigned char* end, + size_t* olen, + size_t* binder_list_length, + int part ); #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) -int mbedtls_ssl_parse_signature_algorithms_ext(mbedtls_ssl_context* ssl, const unsigned char* buf, size_t len); -int mbedtls_ssl_check_signature_scheme(const mbedtls_ssl_context* ssl, int signature_scheme); +int mbedtls_ssl_tls13_parse_signature_algorithms_ext( + mbedtls_ssl_context* ssl, + const unsigned char* buf, size_t len ); +int mbedtls_ssl_tls13_check_signature_scheme( + const mbedtls_ssl_context* ssl, int signature_scheme ); #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_ZERO_RTT) -int mbedtls_ssl_write_early_data_ext(mbedtls_ssl_context* ssl, unsigned char* buf, const unsigned char *end, size_t* olen); +int mbedtls_ssl_tls13_write_early_data_ext( + mbedtls_ssl_context* ssl, + unsigned char* buf, const unsigned char *end, size_t* olen); #endif /* MBEDTLS_ZERO_RTT */ #if (defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)) -int mbedtls_ssl_parse_supported_groups_ext(mbedtls_ssl_context* ssl, const unsigned char* buf, size_t len); +int mbedtls_ssl_tls13_parse_supported_groups_ext( + mbedtls_ssl_context* ssl, + const unsigned char* buf, size_t len); #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ #if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) -int mbedtls_ssl_parse_new_session_ticket_server(mbedtls_ssl_context* ssl, unsigned char* buf, size_t len); +int mbedtls_ssl_tls13_parse_new_session_ticket_server( + mbedtls_ssl_context *ssl, unsigned char *buf, size_t len); #endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) -int mbedtls_ssl_parse_client_psk_identity_ext(mbedtls_ssl_context* ssl, const unsigned char* buf, size_t len); +int mbedtls_ssl_tls13_parse_client_psk_identity_ext( + mbedtls_ssl_context *ssl, + const unsigned char *buf, size_t len); #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ - +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, const mbedtls_ssl_ciphersuite_t *ciphersuite_info ); @@ -1631,8 +1658,6 @@ int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt* cert, #endif /* MBEDTLS_X509_CRT_PARSE_C */ -void mbedtls_ssl_write_wire_version( int major, int minor, int transport, - unsigned char ver[2] ); void mbedtls_ssl_write_version( int major, int minor, int transport, unsigned char ver[2] ); void mbedtls_ssl_read_version( int *major, int *minor, int transport, @@ -1640,13 +1665,13 @@ void mbedtls_ssl_read_version( int *major, int *minor, int transport, void mbedtls_ssl_remove_hs_psk( mbedtls_ssl_context *ssl ); -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) static inline size_t mbedtls_ssl_hdr_len(const mbedtls_ssl_context* ssl) { ((void) ssl); return(5); } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ static inline size_t mbedtls_ssl_in_hdr_len( const mbedtls_ssl_context *ssl ) { @@ -1703,26 +1728,6 @@ void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl ); int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst, const mbedtls_ssl_session *src ); -/* constant-time buffer comparison */ -static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t n ) -{ - size_t i; - volatile const unsigned char *A = (volatile const unsigned char *) a; - volatile const unsigned char *B = (volatile const unsigned char *) b; - volatile unsigned char diff = 0; - - for( i = 0; i < n; i++ ) - { - /* Read volatile data in order before computing diff. - * This avoids IAR compiler warning: - * 'the order of volatile accesses is undefined ..' */ - unsigned char x = A[i], y = B[i]; - diff |= x ^ y; - } - - return( diff ); -} - #if defined(MBEDTLS_SSL_PROTO_TLS1_2) /* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */ int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl, @@ -1821,7 +1826,53 @@ int mbedtls_ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl ); void mbedtls_ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +/** + * ssl utils functions for checking configuration. + */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) +static inline int mbedtls_ssl_conf_is_tls13_only( const mbedtls_ssl_config *conf ) +{ + if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 && + conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) + { + return( 1 ); + } + return( 0 ); +} +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) +static inline int mbedtls_ssl_conf_is_tls12_only( const mbedtls_ssl_config *conf ) +{ + if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && + conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) + { + return( 1 ); + } + return( 0 ); +} +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) +static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13( const mbedtls_ssl_config *conf ) +{ + if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && + conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) + { + return( 1 ); + } + return( 0 ); +} +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3 */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_ECDH_C) /** * \brief This function generates an EC key pair and exports its @@ -1844,7 +1895,7 @@ void mbedtls_ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl ); * operations was reached: see \c mbedtls_ecp_set_max_ops(). * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure. */ -int mbedtls_ecdh_make_tls_13_params( mbedtls_ecdh_context *ctx, size_t *olen, +int mbedtls_ecdh_make_tls13_params( mbedtls_ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); @@ -1869,7 +1920,7 @@ int mbedtls_ecdh_make_tls_13_params( mbedtls_ecdh_context *ctx, size_t *olen, * \return An \c MBEDTLS_ERR_ECP_XXX error code on failure. * */ -int mbedtls_ecdh_read_tls_13_params( mbedtls_ecdh_context *ctx, +int mbedtls_ecdh_read_tls13_params( mbedtls_ecdh_context *ctx, const unsigned char **buf, const unsigned char *end ); @@ -1896,7 +1947,7 @@ int mbedtls_ecdh_read_tls_13_params( mbedtls_ecdh_context *ctx, * operations was reached: see \c mbedtls_ecp_set_max_ops(). * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure. */ -int mbedtls_ecdh_make_tls_13_public( mbedtls_ecdh_context *ctx, size_t *olen, +int mbedtls_ecdh_make_tls13_public( mbedtls_ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); @@ -1916,7 +1967,7 @@ int mbedtls_ecdh_make_tls_13_public( mbedtls_ecdh_context *ctx, size_t *olen, * \return \c 0 on success. * \return An \c MBEDTLS_ERR_ECP_XXX error code on failure. */ -int mbedtls_ecdh_read_tls_13_public( mbedtls_ecdh_context *ctx, +int mbedtls_ecdh_read_tls13_public( mbedtls_ecdh_context *ctx, const unsigned char *buf, size_t blen ); #endif /* MBEDTLS_ECDH_C */ @@ -1939,9 +1990,9 @@ int mbedtls_ecdh_read_tls_13_public( mbedtls_ecdh_context *ctx, * failure. * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid. */ -int mbedtls_ecp_tls_13_read_point( const mbedtls_ecp_group *grp, - mbedtls_ecp_point *pt, - const unsigned char **buf, size_t len ); +int mbedtls_ecp_tls13_read_point( const mbedtls_ecp_group *grp, + mbedtls_ecp_point *pt, + const unsigned char **buf, size_t len ); /** * \brief This function exports a point as defined in TLS 1.3. @@ -1964,10 +2015,10 @@ int mbedtls_ecp_tls_13_read_point( const mbedtls_ecp_group *grp, * is too small to hold the exported point. * \return Another negative error code on other kinds of failure. */ -int mbedtls_ecp_tls_13_write_point( const mbedtls_ecp_group *grp, - const mbedtls_ecp_point *pt, - int format, size_t *olen, - unsigned char *buf, size_t blen ); +int mbedtls_ecp_tls13_write_point( const mbedtls_ecp_group *grp, + const mbedtls_ecp_point *pt, + int format, size_t *olen, + unsigned char *buf, size_t blen ); /** @@ -1988,11 +2039,30 @@ int mbedtls_ecp_tls_13_write_point( const mbedtls_ecp_group *grp, * buffer is too small to hold the exported group. * \return Another negative error code on other kinds of failure. */ -int mbedtls_ecp_tls_13_write_group( const mbedtls_ecp_group *grp, - size_t *olen, - unsigned char *buf, size_t blen ); +int mbedtls_ecp_tls13_write_group( const mbedtls_ecp_group *grp, + size_t *olen, + unsigned char *buf, size_t blen ); #endif /* MBEDTLS_ECP_C */ +int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl ); +int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl ); +void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl ); + +/** + * \brief TLS 1.3 client side state machine entry + * + * \param ssl SSL context + */ +int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl ); + +/** + * \brief TLS 1.3 server side state machine entry + * + * \param ssl SSL context + */ +int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ); + + /* * Helper functions around key exchange modes. */ @@ -2005,31 +2075,31 @@ static inline unsigned mbedtls_ssl_conf_tls13_check_kex_modes( mbedtls_ssl_conte static inline int mbedtls_ssl_conf_tls13_psk_enabled( mbedtls_ssl_context *ssl ) { return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl, - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK ) ); + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK ) ); } static inline int mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( mbedtls_ssl_context *ssl ) { return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl, - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) ); + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) ); } static inline int mbedtls_ssl_conf_tls13_ephemeral_enabled( mbedtls_ssl_context *ssl ) { return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl, - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL ) ); + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL ) ); } static inline int mbedtls_ssl_conf_tls13_some_ephemeral_enabled( mbedtls_ssl_context *ssl ) { return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl, - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) ); + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) ); } static inline int mbedtls_ssl_conf_tls13_some_psk_enabled( mbedtls_ssl_context *ssl ) { return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl, - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL ) ); + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) ); } static inline int mbedtls_ssl_tls13_kex_check( mbedtls_ssl_context *ssl, @@ -2041,13 +2111,13 @@ static inline int mbedtls_ssl_tls13_kex_check( mbedtls_ssl_context *ssl, static inline int mbedtls_ssl_tls13_kex_with_psk( mbedtls_ssl_context *ssl ) { return( mbedtls_ssl_tls13_kex_check( ssl, - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL ) ); + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) ); } static inline int mbedtls_ssl_tls13_kex_with_ephemeral( mbedtls_ssl_context *ssl ) { return( mbedtls_ssl_tls13_kex_check( ssl, - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) ); + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) ); } /** @@ -2060,109 +2130,59 @@ static inline int mbedtls_ssl_tls13_kex_with_ephemeral( mbedtls_ssl_context *ssl * \return 0 if at least one of the key exchange modes is supported, * !=0 otherwise. */ -static inline unsigned mbedtls_ssl_tls1_3_check_kex_modes( mbedtls_ssl_context *ssl, - int kex_modes_mask ) +static inline unsigned mbedtls_ssl_tls13_check_kex_modes( mbedtls_ssl_context *ssl, + int kex_modes_mask ) { - return( ( ssl->handshake->tls1_3_kex_modes & kex_modes_mask ) == 0 ); + return( ( ssl->handshake->tls13_kex_modes & kex_modes_mask ) == 0 ); } -static inline int mbedtls_ssl_tls1_3_psk_enabled( mbedtls_ssl_context *ssl ) +static inline int mbedtls_ssl_tls13_psk_enabled( mbedtls_ssl_context *ssl ) { - return( ! mbedtls_ssl_tls1_3_check_kex_modes( ssl, - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK ) ); + return( ! mbedtls_ssl_tls13_check_kex_modes( ssl, + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK ) ); } -static inline int mbedtls_ssl_tls1_3_psk_ephemeral_enabled( +static inline int mbedtls_ssl_tls13_psk_ephemeral_enabled( mbedtls_ssl_context *ssl ) { - return( ! mbedtls_ssl_tls1_3_check_kex_modes( ssl, - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) ); + return( ! mbedtls_ssl_tls13_check_kex_modes( ssl, + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) ); } -static inline int mbedtls_ssl_tls1_3_ephemeral_enabled( mbedtls_ssl_context *ssl ) +static inline int mbedtls_ssl_tls13_ephemeral_enabled( mbedtls_ssl_context *ssl ) { - return( ! mbedtls_ssl_tls1_3_check_kex_modes( ssl, - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL ) ); + return( ! mbedtls_ssl_tls13_check_kex_modes( ssl, + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL ) ); } -static inline int mbedtls_ssl_tls1_3_some_ephemeral_enabled( mbedtls_ssl_context *ssl ) +static inline int mbedtls_ssl_tls13_some_ephemeral_enabled( mbedtls_ssl_context *ssl ) { - return( ! mbedtls_ssl_tls1_3_check_kex_modes( ssl, - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) ); + return( ! mbedtls_ssl_tls13_check_kex_modes( ssl, + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) ); } -static inline int mbedtls_ssl_tls1_3_some_psk_enabled( mbedtls_ssl_context *ssl ) +static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl ) { - return( ! mbedtls_ssl_tls1_3_check_kex_modes( ssl, - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL ) ); -} - -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ - -/** - * ssl utils functions for checking configuration. - */ - -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) -static inline int mbedtls_ssl_conf_is_tls13_only( const mbedtls_ssl_config *conf ) -{ - if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && - conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && - conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 && - conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) - { - return( 1 ); - } - return( 0 ); + return( ! mbedtls_ssl_tls13_check_kex_modes( ssl, + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) ); } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ - -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) -static inline int mbedtls_ssl_conf_is_tls12_only( const mbedtls_ssl_config *conf ) -{ - if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && - conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && - conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && - conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) - { - return( 1 ); - } - return( 0 ); -} -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ - -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) -static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13( const mbedtls_ssl_config *conf ) -{ - if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && - conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && - conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && - conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) - { - return( 1 ); - } - return( 0 ); -} -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL*/ - -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) /* * Helper functions for NamedGroup. */ static inline int mbedtls_ssl_tls13_named_group_is_ecdhe( uint16_t named_group ) { - return( named_group == MBEDTLS_SSL_TLS13_NAMED_GROUP_SECP256R1 || - named_group == MBEDTLS_SSL_TLS13_NAMED_GROUP_SECP384R1 || - named_group == MBEDTLS_SSL_TLS13_NAMED_GROUP_SECP521R1 || - named_group == MBEDTLS_SSL_TLS13_NAMED_GROUP_X25519 || - named_group == MBEDTLS_SSL_TLS13_NAMED_GROUP_X448 ); + return( named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 || + named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 || + named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 || + named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 || + named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 ); } static inline int mbedtls_ssl_tls13_named_group_is_dhe( uint16_t named_group ) { - return( named_group >= MBEDTLS_SSL_TLS13_NAMED_GROUP_FFDHE2048 && - named_group <= MBEDTLS_SSL_TLS13_NAMED_GROUP_FFDHE8192 ); + return( named_group >= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048 && + named_group <= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192 ); } static inline void mbedtls_ssl_handshake_set_state( mbedtls_ssl_context *ssl, @@ -2188,10 +2208,10 @@ static inline void mbedtls_ssl_handshake_set_state( mbedtls_ssl_context *ssl, /* * Fetch TLS 1.3 handshake message header */ -int mbedtls_ssl_tls1_3_fetch_handshake_msg( mbedtls_ssl_context *ssl, - unsigned hs_type, - unsigned char **buf, - size_t *buf_len ); +int mbedtls_ssl_tls13_fetch_handshake_msg( mbedtls_ssl_context *ssl, + unsigned hs_type, + unsigned char **buf, + size_t *buf_len ); /* * Write TLS 1.3 handshake message header @@ -2199,7 +2219,23 @@ int mbedtls_ssl_tls1_3_fetch_handshake_msg( mbedtls_ssl_context *ssl, int mbedtls_ssl_tls13_start_handshake_msg( mbedtls_ssl_context *ssl, unsigned hs_type, unsigned char **buf, - size_t *buflen ); + size_t *buf_len ); + +/* + * Handler of TLS 1.3 server certificate message + */ +int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl ); + +/* + * Generic handler of Certificate Verify + */ +int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl ); + +/* + * Write of dummy-CCS's for middlebox compatibility + */ +int mbedtls_ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl ); + /* * Write TLS 1.3 handshake message tail */ @@ -2217,10 +2253,10 @@ void mbedtls_ssl_tls13_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl, /* * Update checksum of handshake messages. */ -void mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl, - unsigned hs_type, - unsigned char const *msg, - size_t msg_len ); +void mbedtls_ssl_tls13_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl, + unsigned hs_type, + unsigned char const *msg, + size_t msg_len ); #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* @@ -2229,11 +2265,11 @@ void mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl, int mbedtls_ssl_tls13_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, - size_t *olen); + size_t *out_len); #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ /* Get handshake transcript */ int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl, @@ -2242,4 +2278,27 @@ int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl, size_t dst_len, size_t *olen ); +/* + * Return supported groups. + * + * In future, invocations can be changed to ssl->conf->group_list + * when mbedtls_ssl_conf_curves() is deleted. + * + * ssl->handshake->group_list is either a translation of curve_list to IANA TLS group + * identifiers when mbedtls_ssl_conf_curves() has been used, or a pointer to + * ssl->conf->group_list when mbedtls_ssl_conf_groups() has been more recently invoked. + * + */ +static inline const void *mbedtls_ssl_get_groups( const mbedtls_ssl_context *ssl ) +{ + #if defined(MBEDTLS_DEPRECATED_REMOVED) || !defined(MBEDTLS_ECP_C) + return( ssl->conf->group_list ); + #else + if( ( ssl->handshake != NULL ) && ( ssl->handshake->group_list != NULL ) ) + return( ssl->handshake->group_list ); + else + return( ssl->conf->group_list ); + #endif +} + #endif /* ssl_misc.h */ diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 95a4556d5fcf..b1dbf0dfcf2a 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -39,8 +39,9 @@ #include "mbedtls/error.h" #include "mbedtls/platform_util.h" #include "mbedtls/version.h" +#include "constant_time_internal.h" +#include "mbedtls/constant_time.h" -#include "ssl_invasive.h" #include "ssl_misc.h" #if defined(MBEDTLS_SSL_USE_MPS) @@ -313,8 +314,7 @@ void mbedtls_ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl ) * Encryption/decryption functions */ -#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) || defined(MBEDTLS_SSL_PROTO_TLS1_3) static size_t ssl_compute_padding_length( size_t len, size_t granularity ) @@ -396,8 +396,7 @@ static int ssl_parse_inner_plaintext( unsigned char const *content, return( 0 ); } -#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID || - MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID || MBEDTLS_SSL_PROTO_TLS1_3 */ /* `add_data` must have size 13 Bytes if the CID extension is disabled, * and 13 + 1 + CID-length Bytes if the CID extension is enabled. */ @@ -442,7 +441,7 @@ static void ssl_extract_add_data_from_record( unsigned char* add_data, unsigned char *cur = add_data; size_t ad_len_field = rec->data_len; -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) { /* In TLS 1.3, the AAD contains the length of the TLSCiphertext, @@ -451,7 +450,7 @@ static void ssl_extract_add_data_from_record( unsigned char* add_data, ad_len_field += taglen; } else -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ { ((void) minor_ver); ((void) taglen); @@ -747,7 +746,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, * since they apply to different versions of the protocol. There * is hence no risk of double-addition of the inner plaintext. */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) { size_t padding = @@ -764,7 +763,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, rec->type = MBEDTLS_SSL_MSG_APPLICATION_DATA; } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) /* @@ -819,16 +818,25 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, } #if defined(MBEDTLS_SSL_PROTO_TLS1_2) unsigned char mac[MBEDTLS_SSL_MAC_ADD]; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; ssl_extract_add_data_from_record( add_data, &add_data_len, rec, transform->minor_ver, - transform->taglen); - /* TODO: CHECK! */ - /* mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data, */ - /* add_data_len ); */ - /* mbedtls_md_hmac_update( &transform->md_ctx_enc, data, rec->data_len ); */ - /* mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac ); */ - /* mbedtls_md_hmac_reset( &transform->md_ctx_enc ); */ + transform->taglen ); + + ret = mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data, + add_data_len ); + if( ret != 0 ) + goto hmac_failed_etm_disabled; + ret = mbedtls_md_hmac_update( &transform->md_ctx_enc, data, rec->data_len ); + if( ret != 0 ) + goto hmac_failed_etm_disabled; + ret = mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac ); + if( ret != 0 ) + goto hmac_failed_etm_disabled; + ret = mbedtls_md_hmac_reset( &transform->md_ctx_enc ); + if( ret != 0 ) + goto hmac_failed_etm_disabled; memcpy( data + rec->data_len, mac, transform->maclen ); #endif @@ -839,6 +847,14 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, rec->data_len += transform->maclen; post_avail -= transform->maclen; auth_done++; + + hmac_failed_etm_disabled: + mbedtls_platform_zeroize( mac, transform->maclen ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_hmac_xxx", ret ); + return( ret ); + } } #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ @@ -1081,18 +1097,34 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data, add_data_len ); - mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data, - add_data_len ); - mbedtls_md_hmac_update( &transform->md_ctx_enc, - data, rec->data_len ); - mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac ); - mbedtls_md_hmac_reset( &transform->md_ctx_enc ); + ret = mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data, + add_data_len ); + if( ret != 0 ) + goto hmac_failed_etm_enabled; + ret = mbedtls_md_hmac_update( &transform->md_ctx_enc, + data, rec->data_len ); + if( ret != 0 ) + goto hmac_failed_etm_enabled; + ret = mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac ); + if( ret != 0 ) + goto hmac_failed_etm_enabled; + ret = mbedtls_md_hmac_reset( &transform->md_ctx_enc ); + if( ret != 0 ) + goto hmac_failed_etm_enabled; memcpy( data + rec->data_len, mac, transform->maclen ); rec->data_len += transform->maclen; post_avail -= transform->maclen; auth_done++; + + hmac_failed_etm_enabled: + mbedtls_platform_zeroize( mac, transform->maclen ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "HMAC calculation failed", ret ); + return( ret ); + } } #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ } @@ -1115,242 +1147,6 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, return( 0 ); } -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) -/* - * Turn a bit into a mask: - * - if bit == 1, return the all-bits 1 mask, aka (size_t) -1 - * - if bit == 0, return the all-bits 0 mask, aka 0 - * - * This function can be used to write constant-time code by replacing branches - * with bit operations using masks. - * - * This function is implemented without using comparison operators, as those - * might be translated to branches by some compilers on some platforms. - */ -static size_t mbedtls_ssl_cf_mask_from_bit( size_t bit ) -{ - /* MSVC has a warning about unary minus on unsigned integer types, - * but this is well-defined and precisely what we want to do here. */ -#if defined(_MSC_VER) -#pragma warning( push ) -#pragma warning( disable : 4146 ) -#endif - return -bit; -#if defined(_MSC_VER) -#pragma warning( pop ) -#endif -} - -/* - * Constant-flow mask generation for "less than" comparison: - * - if x < y, return all bits 1, that is (size_t) -1 - * - otherwise, return all bits 0, that is 0 - * - * This function can be used to write constant-time code by replacing branches - * with bit operations using masks. - * - * This function is implemented without using comparison operators, as those - * might be translated to branches by some compilers on some platforms. - */ -static size_t mbedtls_ssl_cf_mask_lt( size_t x, size_t y ) -{ - /* This has the most significant bit set if and only if x < y */ - const size_t sub = x - y; - - /* sub1 = (x < y) ? 1 : 0 */ - const size_t sub1 = sub >> ( sizeof( sub ) * 8 - 1 ); - - /* mask = (x < y) ? 0xff... : 0x00... */ - const size_t mask = mbedtls_ssl_cf_mask_from_bit( sub1 ); - - return( mask ); -} - -/* - * Constant-flow mask generation for "greater or equal" comparison: - * - if x >= y, return all bits 1, that is (size_t) -1 - * - otherwise, return all bits 0, that is 0 - * - * This function can be used to write constant-time code by replacing branches - * with bit operations using masks. - * - * This function is implemented without using comparison operators, as those - * might be translated to branches by some compilers on some platforms. - */ -static size_t mbedtls_ssl_cf_mask_ge( size_t x, size_t y ) -{ - return( ~mbedtls_ssl_cf_mask_lt( x, y ) ); -} - -/* - * Constant-flow boolean "equal" comparison: - * return x == y - * - * This function can be used to write constant-time code by replacing branches - * with bit operations - it can be used in conjunction with - * mbedtls_ssl_cf_mask_from_bit(). - * - * This function is implemented without using comparison operators, as those - * might be translated to branches by some compilers on some platforms. - */ -static size_t mbedtls_ssl_cf_bool_eq( size_t x, size_t y ) -{ - /* diff = 0 if x == y, non-zero otherwise */ - const size_t diff = x ^ y; - - /* MSVC has a warning about unary minus on unsigned integer types, - * but this is well-defined and precisely what we want to do here. */ -#if defined(_MSC_VER) -#pragma warning( push ) -#pragma warning( disable : 4146 ) -#endif - - /* diff_msb's most significant bit is equal to x != y */ - const size_t diff_msb = ( diff | -diff ); - -#if defined(_MSC_VER) -#pragma warning( pop ) -#endif - - /* diff1 = (x != y) ? 1 : 0 */ - const size_t diff1 = diff_msb >> ( sizeof( diff_msb ) * 8 - 1 ); - - return( 1 ^ diff1 ); -} - -/* - * Constant-flow conditional memcpy: - * - if c1 == c2, equivalent to memcpy(dst, src, len), - * - otherwise, a no-op, - * but with execution flow independent of the values of c1 and c2. - * - * This function is implemented without using comparison operators, as those - * might be translated to branches by some compilers on some platforms. - */ -static void mbedtls_ssl_cf_memcpy_if_eq( unsigned char *dst, - const unsigned char *src, - size_t len, - size_t c1, size_t c2 ) -{ - /* mask = c1 == c2 ? 0xff : 0x00 */ - const size_t equal = mbedtls_ssl_cf_bool_eq( c1, c2 ); - const unsigned char mask = (unsigned char) mbedtls_ssl_cf_mask_from_bit( equal ); - - /* dst[i] = c1 == c2 ? src[i] : dst[i] */ - for( size_t i = 0; i < len; i++ ) - dst[i] = ( src[i] & mask ) | ( dst[i] & ~mask ); -} - -/* - * Compute HMAC of variable-length data with constant flow. - * - * Only works with MD-5, SHA-1, SHA-256 and SHA-384. - * (Otherwise, computation of block_size needs to be adapted.) - */ -MBEDTLS_STATIC_TESTABLE int mbedtls_ssl_cf_hmac( - mbedtls_md_context_t *ctx, - const unsigned char *add_data, size_t add_data_len, - const unsigned char *data, size_t data_len_secret, - size_t min_data_len, size_t max_data_len, - unsigned char *output ) -{ - /* - * This function breaks the HMAC abstraction and uses the md_clone() - * extension to the MD API in order to get constant-flow behaviour. - * - * HMAC(msg) is defined as HASH(okey + HASH(ikey + msg)) where + means - * concatenation, and okey/ikey are the XOR of the key with some fixed bit - * patterns (see RFC 2104, sec. 2), which are stored in ctx->hmac_ctx. - * - * We'll first compute inner_hash = HASH(ikey + msg) by hashing up to - * minlen, then cloning the context, and for each byte up to maxlen - * finishing up the hash computation, keeping only the correct result. - * - * Then we only need to compute HASH(okey + inner_hash) and we're done. - */ - const mbedtls_md_type_t md_alg = mbedtls_md_get_type( ctx->md_info ); - /* TLS 1.2 only supports SHA-384, SHA-256, SHA-1, MD-5, - * all of which have the same block size except SHA-384. */ - const size_t block_size = md_alg == MBEDTLS_MD_SHA384 ? 128 : 64; - const unsigned char * const ikey = ctx->hmac_ctx; - const unsigned char * const okey = ikey + block_size; - const size_t hash_size = mbedtls_md_get_size( ctx->md_info ); - - unsigned char aux_out[MBEDTLS_MD_MAX_SIZE]; - mbedtls_md_context_t aux; - size_t offset; - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - - mbedtls_md_init( &aux ); - -#define MD_CHK( func_call ) \ - do { \ - ret = (func_call); \ - if( ret != 0 ) \ - goto cleanup; \ - } while( 0 ) - - MD_CHK( mbedtls_md_setup( &aux, ctx->md_info, 0 ) ); - - /* After hmac_start() of hmac_reset(), ikey has already been hashed, - * so we can start directly with the message */ - MD_CHK( mbedtls_md_update( ctx, add_data, add_data_len ) ); - MD_CHK( mbedtls_md_update( ctx, data, min_data_len ) ); - - /* For each possible length, compute the hash up to that point */ - for( offset = min_data_len; offset <= max_data_len; offset++ ) - { - MD_CHK( mbedtls_md_clone( &aux, ctx ) ); - MD_CHK( mbedtls_md_finish( &aux, aux_out ) ); - /* Keep only the correct inner_hash in the output buffer */ - mbedtls_ssl_cf_memcpy_if_eq( output, aux_out, hash_size, - offset, data_len_secret ); - - if( offset < max_data_len ) - MD_CHK( mbedtls_md_update( ctx, data + offset, 1 ) ); - } - - /* The context needs to finish() before it starts() again */ - MD_CHK( mbedtls_md_finish( ctx, aux_out ) ); - - /* Now compute HASH(okey + inner_hash) */ - MD_CHK( mbedtls_md_starts( ctx ) ); - MD_CHK( mbedtls_md_update( ctx, okey, block_size ) ); - MD_CHK( mbedtls_md_update( ctx, output, hash_size ) ); - MD_CHK( mbedtls_md_finish( ctx, output ) ); - - /* Done, get ready for next time */ - MD_CHK( mbedtls_md_hmac_reset( ctx ) ); - -#undef MD_CHK - -cleanup: - mbedtls_md_free( &aux ); - return( ret ); -} - -/* - * Constant-flow memcpy from variable position in buffer. - * - functionally equivalent to memcpy(dst, src + offset_secret, len) - * - but with execution flow independent from the value of offset_secret. - */ -MBEDTLS_STATIC_TESTABLE void mbedtls_ssl_cf_memcpy_offset( - unsigned char *dst, - const unsigned char *src_base, - size_t offset_secret, - size_t offset_min, size_t offset_max, - size_t len ) -{ - size_t offset; - - for( offset = offset_min; offset <= offset_max; offset++ ) - { - mbedtls_ssl_cf_memcpy_if_eq( dst, src_base + offset, len, - offset, offset_secret ); - } -} -#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ - int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, mbedtls_ssl_transform *transform, mbedtls_record *rec ) @@ -1588,7 +1384,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, * * Afterwards, we know that data + data_len is followed by at * least maclen Bytes, which justifies the call to - * mbedtls_ssl_safer_memcmp() below. + * mbedtls_ct_memcmp() below. * * Further, we still know that data_len > minlen */ rec->data_len -= transform->maclen; @@ -1599,12 +1395,20 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, /* Calculate expected MAC. */ MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data, add_data_len ); - mbedtls_md_hmac_update( &transform->md_ctx_dec, add_data, - add_data_len ); - mbedtls_md_hmac_update( &transform->md_ctx_dec, + ret = mbedtls_md_hmac_update( &transform->md_ctx_dec, add_data, + add_data_len ); + if( ret != 0 ) + goto hmac_failed_etm_enabled; + ret = mbedtls_md_hmac_update( &transform->md_ctx_dec, data, rec->data_len ); - mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect ); - mbedtls_md_hmac_reset( &transform->md_ctx_dec ); + if( ret != 0 ) + goto hmac_failed_etm_enabled; + ret = mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect ); + if( ret != 0 ) + goto hmac_failed_etm_enabled; + ret = mbedtls_md_hmac_reset( &transform->md_ctx_dec ); + if( ret != 0 ) + goto hmac_failed_etm_enabled; MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", data + rec->data_len, transform->maclen ); @@ -1612,13 +1416,23 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, transform->maclen ); /* Compare expected MAC with MAC at the end of the record. */ - if( mbedtls_ssl_safer_memcmp( data + rec->data_len, mac_expect, - transform->maclen ) != 0 ) + if( mbedtls_ct_memcmp( data + rec->data_len, mac_expect, + transform->maclen ) != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); - return( MBEDTLS_ERR_SSL_INVALID_MAC ); + ret = MBEDTLS_ERR_SSL_INVALID_MAC; + goto hmac_failed_etm_enabled; } auth_done++; + + hmac_failed_etm_enabled: + mbedtls_platform_zeroize( mac_expect, transform->maclen ); + if( ret != 0 ) + { + if( ret != MBEDTLS_ERR_SSL_INVALID_MAC ) + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_hmac_xxx", ret ); + return( ret ); + } } #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ @@ -1674,7 +1488,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, if( auth_done == 1 ) { - const size_t mask = mbedtls_ssl_cf_mask_ge( + const size_t mask = mbedtls_ct_size_mask_ge( rec->data_len, padlen + 1 ); correct &= mask; @@ -1694,7 +1508,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, } #endif - const size_t mask = mbedtls_ssl_cf_mask_ge( + const size_t mask = mbedtls_ct_size_mask_ge( rec->data_len, transform->maclen + padlen + 1 ); correct &= mask; @@ -1728,18 +1542,18 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, /* pad_count += (idx >= padding_idx) && * (check[idx] == padlen - 1); */ - const size_t mask = mbedtls_ssl_cf_mask_ge( idx, padding_idx ); - const size_t equal = mbedtls_ssl_cf_bool_eq( check[idx], - padlen - 1 ); + const size_t mask = mbedtls_ct_size_mask_ge( idx, padding_idx ); + const size_t equal = mbedtls_ct_size_bool_eq( check[idx], + padlen - 1 ); pad_count += mask & equal; } - correct &= mbedtls_ssl_cf_bool_eq( pad_count, padlen ); + correct &= mbedtls_ct_size_bool_eq( pad_count, padlen ); #if defined(MBEDTLS_SSL_DEBUG_ALL) if( padlen > 0 && correct == 0 ) MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) ); #endif - padlen &= mbedtls_ssl_cf_mask_from_bit( correct ); + padlen &= mbedtls_ct_size_mask( correct ); #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ @@ -1803,20 +1617,20 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, const size_t max_len = rec->data_len + padlen; const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0; - ret = mbedtls_ssl_cf_hmac( &transform->md_ctx_dec, - add_data, add_data_len, - data, rec->data_len, min_len, max_len, - mac_expect ); + ret = mbedtls_ct_hmac( &transform->md_ctx_dec, + add_data, add_data_len, + data, rec->data_len, min_len, max_len, + mac_expect ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_cf_hmac", ret ); - return( ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ct_hmac", ret ); + goto hmac_failed_etm_disabled; } - mbedtls_ssl_cf_memcpy_offset( mac_peer, data, - rec->data_len, - min_len, max_len, - transform->maclen ); + mbedtls_ct_memcpy_offset( mac_peer, data, + rec->data_len, + min_len, max_len, + transform->maclen ); #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #if defined(MBEDTLS_SSL_DEBUG_ALL) @@ -1824,8 +1638,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", mac_peer, transform->maclen ); #endif - if( mbedtls_ssl_safer_memcmp( mac_peer, mac_expect, - transform->maclen ) != 0 ) + if( mbedtls_ct_memcmp( mac_peer, mac_expect, + transform->maclen ) != 0 ) { #if defined(MBEDTLS_SSL_DEBUG_ALL) MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); @@ -1833,6 +1647,12 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, correct = 0; } auth_done++; + + hmac_failed_etm_disabled: + mbedtls_platform_zeroize( mac_peer, transform->maclen ); + mbedtls_platform_zeroize( mac_expect, transform->maclen ); + if( ret != 0 ) + return( ret ); } /* @@ -1849,7 +1669,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) { /* Remove inner padding and infer true content type. */ @@ -1859,7 +1679,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, if( ret != 0 ) return( MBEDTLS_ERR_SSL_INVALID_RECORD ); } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) if( rec->cid_len != 0 ) @@ -2733,8 +2553,15 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush ) /* Skip writing the record content type to after the encryption, * as it may change when using the CID extension. */ - mbedtls_ssl_write_wire_version( ssl->major_ver, ssl->minor_ver, - ssl->conf->transport, ssl->out_hdr + 1 ); + int minor_ver = ssl->minor_ver; +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + /* TLS 1.3 still uses the TLS 1.2 version identifier + * for backwards compatibility. */ + if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) + minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ + mbedtls_ssl_write_version( ssl->major_ver, minor_ver, + ssl->conf->transport, ssl->out_hdr + 1 ); memcpy( ssl->out_ctr, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN ); MBEDTLS_PUT_UINT16_BE( len, ssl->out_len, 0); @@ -2749,8 +2576,8 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush ) rec.data_offset = ssl->out_msg - rec.buf; memcpy( &rec.ctr[0], ssl->out_ctr, sizeof( rec.ctr ) ); - mbedtls_ssl_write_wire_version( ssl->major_ver, ssl->minor_ver, - ssl->conf->transport, rec.ver ); + mbedtls_ssl_write_version( ssl->major_ver, minor_ver, + ssl->conf->transport, rec.ver ); rec.type = ssl->out_msgtype; #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) @@ -3743,17 +3570,19 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network", rec->buf, rec->buf_len ); - /* In TLS 1.3, always treat ChangeCipherSpec records + /* + * In TLS 1.3, always treat ChangeCipherSpec records * as unencrypted. The only thing we do with them is - * check the length and content and ignore them. */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + * check the length and content and ignore them. + */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) if( ssl->transform_in != NULL && ssl->transform_in->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) { if( rec->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ) done = 1; } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ if( !done && ssl->transform_in != NULL ) { @@ -3786,8 +3615,7 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt", rec->buf + rec->data_offset, rec->data_len ); -#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) || defined(MBEDTLS_SSL_PROTO_TLS1_3) /* We have already checked the record content type * in ssl_parse_record_header(), failing or silently * dropping the record in the case of an unknown type. @@ -3800,8 +3628,7 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) ); return( MBEDTLS_ERR_SSL_INVALID_RECORD ); } -#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID || - MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID || MBEDTLS_SSL_PROTO_TLS1_3 */ if( rec->data_len == 0 ) { @@ -4812,18 +4639,20 @@ int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl ) } #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) { -#if defined(MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE) - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode" ) ); +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) + MBEDTLS_SSL_DEBUG_MSG( 1, + ( "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode" ) ); return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING ); #else - MBEDTLS_SSL_DEBUG_MSG( 1, ( "ChangeCipherSpec invalid in TLS 1.3 without compatibility mode" ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, + ( "ChangeCipherSpec invalid in TLS 1.3 without compatibility mode" ) ); return( MBEDTLS_ERR_SSL_INVALID_RECORD ); -#endif /* MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE */ +#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ } if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT ) @@ -5196,12 +5025,12 @@ size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl ) int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl ) { -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) { return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER) /* @@ -5362,19 +5191,19 @@ static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl ) static int ssl_handle_hs_message_post_handshake_tls12( mbedtls_ssl_context *ssl ); #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) static int ssl_handle_hs_message_post_handshake_tls13( mbedtls_ssl_context *ssl ); #endif static int ssl_handle_hs_message_post_handshake( mbedtls_ssl_context *ssl ) { /* Check protocol version and dispatch accordingly. */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) { return( ssl_handle_hs_message_post_handshake_tls13( ssl ) ); } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER) if( ssl->minor_ver <= MBEDTLS_SSL_MINOR_VERSION_3 ) @@ -5387,7 +5216,7 @@ static int ssl_handle_hs_message_post_handshake( mbedtls_ssl_context *ssl ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) && defined(MBEDTLS_SSL_CLI_C) static int ssl_check_new_session_ticket( mbedtls_ssl_context *ssl ) @@ -5442,7 +5271,7 @@ static int ssl_handle_hs_message_post_handshake_tls13( mbedtls_ssl_context *ssl /* Fail in all other cases. */ return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER) static int ssl_handle_hs_message_post_handshake_tls12( mbedtls_ssl_context *ssl ) @@ -6137,19 +5966,6 @@ void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform ) mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) ); } -void mbedtls_ssl_write_wire_version( int major, int minor, int transport, - unsigned char ver[2] ) -{ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) - /* TLS 1.3 still uses the TLS 1.3 version identifier - * for backwards compatibility. */ - if( minor == MBEDTLS_SSL_MINOR_VERSION_4 ) - minor = MBEDTLS_SSL_MINOR_VERSION_3; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ - - mbedtls_ssl_write_version( major, minor, transport, ver ); -} - /* * Convert version numbers to/from wire format * and, for DTLS, to/from TLS equivalent. diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 440c65ab7c0f..737b750ad1d2 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -36,6 +36,8 @@ #include "mbedtls/debug.h" #include "mbedtls/error.h" #include "mbedtls/platform_util.h" +#include "constant_time_internal.h" +#include "mbedtls/constant_time.h" #include <string.h> @@ -198,7 +200,7 @@ static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, /* Check verify-data in constant-time. The length OTOH is no secret */ if( len != 1 + ssl->verify_data_len || buf[0] != ssl->verify_data_len || - mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data, + mbedtls_ct_memcmp( buf + 1, ssl->peer_verify_data, ssl->verify_data_len ) != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); @@ -3038,14 +3040,16 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, * } ServerECDHParams; */ const mbedtls_ecp_curve_info **curve = NULL; - const mbedtls_ecp_group_id *gid; + const uint16_t *group_list = mbedtls_ssl_get_groups( ssl ); int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t len = 0; /* Match our preference list against the offered curves */ - for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) + if( group_list == NULL ) + return( MBEDTLS_ERR_SSL_BAD_CONFIG ); + for( ; *group_list != 0; group_list++ ) for( curve = ssl->handshake->curves; *curve != NULL; curve++ ) - if( (*curve)->grp_id == *gid ) + if( (*curve)->tls_id == *group_list ) goto curve_matching_done; curve_matching_done: @@ -3096,7 +3100,11 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, { size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed; size_t hashlen = 0; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + unsigned char hash[PSA_HASH_MAX_SIZE]; +#else unsigned char hash[MBEDTLS_MD_MAX_SIZE]; +#endif int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; /* @@ -3569,16 +3577,7 @@ static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl, diff |= peer_pms[1] ^ ver[1]; /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */ - /* MSVC has a warning about unary minus on unsigned, but this is - * well-defined and precisely what we want to do here */ -#if defined(_MSC_VER) -#pragma warning( push ) -#pragma warning( disable : 4146 ) -#endif - mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) ); -#if defined(_MSC_VER) -#pragma warning( pop ) -#endif + mask = mbedtls_ct_uint_mask( diff ); /* * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding @@ -3661,7 +3660,7 @@ static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned cha /* Identity is not a big secret since clients send it in the clear, * but treat it carefully anyway, just in case */ if( n != ssl->conf->psk_identity_len || - mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 ) + mbedtls_ct_memcmp( ssl->conf->psk_identity, *p, n ) != 0 ) { ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; } diff --git a/library/ssl_tls.c b/library/ssl_tls.c index b4bfbf04ac41..b721e49719c3 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -38,6 +38,7 @@ #include "mbedtls/error.h" #include "mbedtls/platform_util.h" #include "mbedtls/version.h" +#include "mbedtls/constant_time.h" #include "ssl_misc.h" #if defined(MBEDTLS_SSL_USE_MPS) @@ -187,6 +188,10 @@ int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst, mbedtls_ssl_session_free( dst ); memcpy( dst, src, sizeof( mbedtls_ssl_session ) ); +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) + dst->ticket = NULL; +#endif + #if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) @@ -507,19 +512,37 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) goto exit; - mbedtls_md_hmac_starts( &md_ctx, secret, slen ); - mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb ); - mbedtls_md_hmac_finish( &md_ctx, tmp ); + ret = mbedtls_md_hmac_starts( &md_ctx, secret, slen ); + if( ret != 0 ) + goto exit; + ret = mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb ); + if( ret != 0 ) + goto exit; + ret = mbedtls_md_hmac_finish( &md_ctx, tmp ); + if( ret != 0 ) + goto exit; for( i = 0; i < dlen; i += md_len ) { - mbedtls_md_hmac_reset ( &md_ctx ); - mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb ); - mbedtls_md_hmac_finish( &md_ctx, h_i ); + ret = mbedtls_md_hmac_reset ( &md_ctx ); + if( ret != 0 ) + goto exit; + ret = mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb ); + if( ret != 0 ) + goto exit; + ret = mbedtls_md_hmac_finish( &md_ctx, h_i ); + if( ret != 0 ) + goto exit; - mbedtls_md_hmac_reset ( &md_ctx ); - mbedtls_md_hmac_update( &md_ctx, tmp, md_len ); - mbedtls_md_hmac_finish( &md_ctx, tmp ); + ret = mbedtls_md_hmac_reset ( &md_ctx ); + if( ret != 0 ) + goto exit; + ret = mbedtls_md_hmac_update( &md_ctx, tmp, md_len ); + if( ret != 0 ) + goto exit; + ret = mbedtls_md_hmac_finish( &md_ctx, tmp ); + if( ret != 0 ) + goto exit; k = ( i + md_len > dlen ) ? dlen % md_len : md_len; @@ -577,7 +600,7 @@ static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char * #endif #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SHA256_C) static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t ); @@ -690,7 +713,7 @@ int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl ) return( ret ); } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) && \ defined(MBEDTLS_USE_PSA_CRYPTO) @@ -844,14 +867,14 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, memcpy( transform->randbytes, randbytes, sizeof( transform->randbytes ) ); #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) { /* At the moment, we keep TLS <= 1.2 and TLS 1.3 transform * generation separate. This should never happen. */ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ /* * Get various info structures @@ -1082,8 +1105,12 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, For AEAD-based ciphersuites, there is nothing to do here. */ if( mac_key_len != 0 ) { - mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len ); - mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len ); + ret = mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len ); + if( ret != 0 ) + goto end; + ret = mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len ); + if( ret != 0 ) + goto end; } #endif #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ @@ -2536,7 +2563,7 @@ void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, { ((void) ciphersuite_info); -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) || defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) || defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SHA384_C) if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) ssl->handshake->update_checksum = ssl_update_checksum_sha384; @@ -2578,7 +2605,7 @@ void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl ) } #endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER) */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) static void ssl_update_checksum_start_tls13( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) { @@ -2629,7 +2656,7 @@ static void ssl_update_checksum_start_tls13( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_SSL_DEBUG_HANDSHAKE_HASHES */ #endif /* MBEDTLS_SHA512_C */ } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER) static void ssl_update_checksum_start_tls12( mbedtls_ssl_context* ssl, @@ -2680,7 +2707,7 @@ static void ssl_update_checksum_sha384_tls12( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER) */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SHA256_C) static void ssl_update_checksum_sha256_tls13( mbedtls_ssl_context* ssl, @@ -2775,7 +2802,7 @@ exit:; } #endif /* MBEDTLS_SHA512_C */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER) @@ -3139,7 +3166,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - unsigned int hash_len; + unsigned int hash_len = 12; unsigned char buf[SSL_MAX_HASH_LEN]; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) ); @@ -3149,7 +3176,7 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); - return( ret ); + goto exit; } if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) @@ -3157,16 +3184,16 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); - return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); + ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; + goto exit; } - hash_len = 12; - if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED ) { mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); - return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); + ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; + goto exit; } if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len ) @@ -3174,16 +3201,18 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); - return( MBEDTLS_ERR_SSL_DECODE_ERROR ); + ret = MBEDTLS_ERR_SSL_DECODE_ERROR; + goto exit; } - if( mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), + if( mbedtls_ct_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), buf, hash_len ) != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; + goto exit; } #if defined(MBEDTLS_SSL_RENEGOTIATION) @@ -3212,7 +3241,9 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) ); - return( 0 ); +exit: + mbedtls_platform_zeroize( buf, hash_len ); + return( ret ); } #endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER) */ @@ -3220,7 +3251,7 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) { memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) ); -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) || defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) || defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_USE_PSA_CRYPTO) handshake->fin_sha256_psa = psa_hash_operation_init(); @@ -3239,7 +3270,7 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) mbedtls_sha512_starts( &handshake->fin_sha512, 1 ); #endif #endif -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 || MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 || MBEDTLS_SSL_PROTO_TLS1_3 */ handshake->update_checksum = ssl_update_checksum_start; @@ -3379,6 +3410,52 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl ) } #endif +/* + * curve_list is translated to IANA TLS group identifiers here because + * mbedtls_ssl_conf_curves returns void and so can't return + * any error codes. + */ +#if defined(MBEDTLS_ECP_C) +#if !defined(MBEDTLS_DEPRECATED_REMOVED) + /* Heap allocate and translate curve_list from internal to IANA group ids */ + if ( ssl->conf->curve_list != NULL ) + { + size_t length; + const mbedtls_ecp_group_id *curve_list = ssl->conf->curve_list; + + for( length = 0; ( curve_list[length] != MBEDTLS_ECP_DP_NONE ) && + ( length < MBEDTLS_ECP_DP_MAX ); length++ ) {} + + /* Leave room for zero termination */ + uint16_t *group_list = mbedtls_calloc( length + 1, sizeof(uint16_t) ); + if ( group_list == NULL ) + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + + for( size_t i = 0; i < length; i++ ) + { + const mbedtls_ecp_curve_info *info = + mbedtls_ecp_curve_info_from_grp_id( curve_list[i] ); + if ( info == NULL ) + { + mbedtls_free( group_list ); + return( MBEDTLS_ERR_SSL_BAD_CONFIG ); + } + group_list[i] = info->tls_id; + } + + group_list[length] = 0; + + ssl->handshake->group_list = group_list; + ssl->handshake->group_list_heap_allocated = 1; + } + else + { + ssl->handshake->group_list = ssl->conf->group_list; + ssl->handshake->group_list_heap_allocated = 0; + } +#endif /* MBEDTLS_DEPRECATED_REMOVED */ +#endif /* MBEDTLS_ECP_C */ + return( 0 ); } @@ -3421,7 +3498,7 @@ void mbedtls_ssl_init( mbedtls_ssl_context *ssl ) static int ssl_conf_version_check( const mbedtls_ssl_context *ssl ) { -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) ) { if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) @@ -3442,7 +3519,7 @@ static int ssl_conf_version_check( const mbedtls_ssl_context *ssl ) } #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) if( mbedtls_ssl_conf_is_hybrid_tls12_tls13( ssl->conf ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported" ) ); @@ -3544,7 +3621,7 @@ static int ssl_mps_init( mbedtls_ssl_context *ssl ) if( ret != 0 ) goto exit; -#if defined(MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE) +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) ret = mps_l2_config_add_type( &ssl->mps->l2, MBEDTLS_MPS_MSG_CCS, MBEDTLS_MPS_SPLIT_DISABLED, MBEDTLS_MPS_PACK_DISABLED, @@ -3552,7 +3629,7 @@ static int ssl_mps_init( mbedtls_ssl_context *ssl ) MBEDTLS_MPS_IGNORE_DROP ); if( ret != 0 ) goto exit; -#endif /* MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE */ +#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ ret = mps_l2_config_add_type( &ssl->mps->l2, MBEDTLS_MPS_MSG_APP, MBEDTLS_MPS_SPLIT_ENABLED, @@ -3664,7 +3741,7 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl, mbedtls_ssl_reset_in_out_pointers( ssl ); #endif /* MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) if( mbedtls_ssl_conf_is_tls13_only(conf) ) { #if defined(MBEDTLS_SSL_PROTO_DTLS) @@ -3697,7 +3774,7 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl, ssl->in_iv = ssl->in_buf + 13; ssl->in_msg = ssl->in_buf + 13; } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ } #endif /* !MBEDTLS_SSL_USE_MPS */ @@ -3709,9 +3786,9 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl, goto error; /* Initialize ticket structure */ -#if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) && defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) && defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3) ssl->session_negotiate->ticket = NULL; -#endif /* ( MBEDTLS_SSL_NEW_SESSION_TICKET && MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* ( MBEDTLS_SSL_NEW_SESSION_TICKET && MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_USE_MPS) ret = ssl_mps_init( ssl ); @@ -3853,7 +3930,7 @@ void mbedtls_ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl, ((void) partial); #endif /* MBEDTLS_SSL_LEGACY_MSG_LAYER_REQUIRED */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if !defined(MBEDTLS_SSL_USE_MPS) mbedtls_ssl_transform_free( ssl->transform_application ); mbedtls_free( ssl->transform_application ); @@ -3879,7 +3956,7 @@ void mbedtls_ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl, ssl->early_data_buf = NULL; ssl->early_data_len = 0; #endif /* MBEDTLS_ZERO_RTT && MBEDTLS_SSL_CLI_C */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ } int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial ) @@ -4101,13 +4178,13 @@ void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf, conf->ciphersuite_list = ciphersuites; } -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) void mbedtls_ssl_conf_tls13_key_exchange_modes( mbedtls_ssl_config *conf, const int kex_modes ) { - conf->tls13_kex_modes = kex_modes & MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL; + conf->tls13_kex_modes = kex_modes & MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL; } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_X509_CRT_PARSE_C) void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf, @@ -4501,28 +4578,47 @@ void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf, conf->sig_hashes = hashes; } -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) /* Configure allowed signature algorithms for use in TLS 1.3 */ void mbedtls_ssl_conf_sig_algs( mbedtls_ssl_config *conf, const uint16_t* sig_algs ) { conf->tls13_sig_algs = sig_algs; } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_ECP_C) +#if !defined(MBEDTLS_DEPRECATED_REMOVED) /* * Set the allowed elliptic curves + * + * mbedtls_ssl_setup() takes the provided list + * and translates it to a list of IANA TLS group identifiers, + * stored in ssl->handshake->group_list. + * */ void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, const mbedtls_ecp_group_id *curve_list ) { conf->curve_list = curve_list; + conf->group_list = NULL; } - +#endif /* MBEDTLS_DEPRECATED_REMOVED */ #endif /* MBEDTLS_ECP_C */ +/* + * Set the allowed groups + */ +void mbedtls_ssl_conf_groups( mbedtls_ssl_config *conf, + const uint16_t *group_list ) +{ +#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) + conf->curve_list = NULL; +#endif + conf->group_list = group_list; +} + #if defined(MBEDTLS_X509_CRT_PARSE_C) int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ) { @@ -4885,7 +4981,7 @@ const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl ) } } -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) mbedtls_key_exchange_type_t mbedtls_ssl_get_key_exchange( const mbedtls_ssl_context* ssl ) { if( ssl == NULL || ssl->session == NULL ) @@ -4893,7 +4989,7 @@ mbedtls_key_exchange_type_t mbedtls_ssl_get_key_exchange( const mbedtls_ssl_cont return ( ssl->handshake->key_exchange ); } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) size_t mbedtls_ssl_get_input_max_frag_len( const mbedtls_ssl_context *ssl ) { @@ -5369,7 +5465,7 @@ static size_t ssl_session_save_tls12( const mbedtls_ssl_session *session, } #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) /* Serialization of TLS 1.3 sessions: * * struct { @@ -5491,7 +5587,7 @@ static size_t ssl_session_save_tls13( const mbedtls_ssl_session *session, return( used ); } #endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ static int ssl_session_save( const mbedtls_ssl_session *session, unsigned char omit_header, @@ -5539,14 +5635,14 @@ static int ssl_session_save( const mbedtls_ssl_session *session, } #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) case MBEDTLS_SSL_MINOR_VERSION_4: { size_t remaining_len = used <= buf_len ? buf_len - used : 0; used += ssl_session_save_tls13( session, p, remaining_len ); break; } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ default: return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); @@ -5777,7 +5873,7 @@ static int ssl_session_load_tls12( mbedtls_ssl_session *session, } #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if !defined(MBEDTLS_SSL_NEW_SESSION_TICKET) static size_t ssl_session_load_tls13( mbedtls_ssl_session *session, const unsigned char *buf, @@ -5897,7 +5993,7 @@ static size_t ssl_session_load_tls13( mbedtls_ssl_session *session, return( 0 ); } #endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ static int ssl_session_load( mbedtls_ssl_session *session, @@ -5943,13 +6039,13 @@ static int ssl_session_load( mbedtls_ssl_session *session, } #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) case MBEDTLS_SSL_MINOR_VERSION_4: /* TLS 1.3 */ { size_t remaining_len = ( end - p ); return( ssl_session_load_tls13( session, p, remaining_len ) ); } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ default: return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); @@ -6036,10 +6132,10 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_CLI_C) if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) { -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) ) ret = mbedtls_ssl_tls13_handshake_client_step( ssl ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) ) @@ -6050,10 +6146,10 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_SRV_C) if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) { -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) ) ret = mbedtls_ssl_tls13_handshake_server_step( ssl ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) ) @@ -6294,6 +6390,14 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) if( handshake == NULL ) return; +#if defined(MBEDTLS_ECP_C) +#if !defined(MBEDTLS_DEPRECATED_REMOVED) + if ( ssl->handshake->group_list_heap_allocated ) + mbedtls_free( (void*) handshake->group_list ); + handshake->group_list = NULL; +#endif /* MBEDTLS_DEPRECATED_REMOVED */ +#endif /* MBEDTLS_ECP_C */ + #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) if( ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0 ) { @@ -6381,8 +6485,7 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) mbedtls_pk_free( &handshake->peer_pubkey ); #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ -#if defined(MBEDTLS_SSL_PROTO_DTLS) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3) mbedtls_free( handshake->verify_cookie ); #endif @@ -6396,6 +6499,14 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) psa_destroy_key( handshake->ecdh_psa_privkey ); #endif /* MBEDTLS_ECDH_C && MBEDTLS_USE_PSA_CRYPTO */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + mbedtls_ssl_transform_free( handshake->transform_handshake ); + mbedtls_ssl_transform_free( handshake->transform_earlydata ); + mbedtls_free( handshake->transform_earlydata ); + mbedtls_free( handshake->transform_handshake ); +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ + + #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) /* If the buffers are too big - reallocate. Because of the way Mbed TLS * processes datagrams and the fact that a datagram is allowed to have @@ -6405,13 +6516,7 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) mbedtls_ssl_get_output_buflen( ssl ) ); #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) - mbedtls_ssl_transform_free( handshake->transform_earlydata ); - mbedtls_free( handshake->transform_earlydata ); - mbedtls_ssl_transform_free( handshake->transform_handshake ); - mbedtls_free( handshake->transform_handshake ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ - + /* mbedtls_platform_zeroize MUST be last one in this function */ mbedtls_platform_zeroize( handshake, sizeof( mbedtls_ssl_handshake_params ) ); } @@ -7094,8 +7199,7 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl ) } #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \ - !defined(MBEDTLS_SSL_USE_MPS) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && !defined(MBEDTLS_SSL_USE_MPS) mbedtls_ssl_transform_free( ssl->transform_application ); mbedtls_free( ssl->transform_application ); ssl->transform_application = NULL; @@ -7115,10 +7219,10 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl ) mbedtls_free( ssl->session_negotiate ); } -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) mbedtls_ssl_transform_free( ssl->transform_application ); mbedtls_free( ssl->transform_application ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ if( ssl->session ) { @@ -7134,9 +7238,8 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl ) } #endif -#if ( defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) || \ - ( defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \ - defined(MBEDTLS_SSL_COOKIE_C) ) ) \ +#if ( defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) || \ + ( defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_COOKIE_C) ) ) \ && defined(MBEDTLS_SSL_SRV_C) mbedtls_free( ssl->cli_id ); #endif @@ -7184,41 +7287,39 @@ static int ssl_preset_default_hashes[] = { }; #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_ECP_C) /* The selection should be the same as mbedtls_x509_crt_profile_default in * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters: * curves with a lower resource usage come first. * See the documentation of mbedtls_ssl_conf_curves() for what we promise * about this list. */ -static mbedtls_ecp_group_id ssl_preset_default_curves[] = { +static uint16_t ssl_preset_default_groups[] = { #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) - MBEDTLS_ECP_DP_CURVE25519, + MBEDTLS_SSL_IANA_TLS_GROUP_X25519, #endif #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) - MBEDTLS_ECP_DP_SECP256R1, + MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, #endif #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) - MBEDTLS_ECP_DP_SECP384R1, + MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, #endif #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) - MBEDTLS_ECP_DP_CURVE448, + MBEDTLS_SSL_IANA_TLS_GROUP_X448, #endif #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) - MBEDTLS_ECP_DP_SECP521R1, + MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, #endif #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) - MBEDTLS_ECP_DP_BP256R1, + MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, #endif #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) - MBEDTLS_ECP_DP_BP384R1, + MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, #endif #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) - MBEDTLS_ECP_DP_BP512R1, + MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, #endif - MBEDTLS_ECP_DP_NONE + MBEDTLS_SSL_IANA_TLS_GROUP_NONE }; -#endif static int ssl_preset_suiteb_ciphersuites[] = { #if defined(MBEDTLS_AES_C) && defined(MBEDTLS_GCM_C) @@ -7232,14 +7333,14 @@ static int ssl_preset_suiteb_ciphersuites[] = { #endif /* MBEDTLS_SHA512_C */ #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ MBEDTLS_SSL_PROTO_TLS1_2 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SHA256_C) MBEDTLS_TLS1_3_AES_128_GCM_SHA256, #endif /* MBEDTLS_SHA256_C */ #if defined(MBEDTLS_SHA512_C) MBEDTLS_TLS1_3_AES_256_GCM_SHA384, #endif /* MBEDTLS_SHA512_C */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_AES_C && MBEDTLS_GCM_C */ 0 }; @@ -7252,55 +7353,61 @@ static int ssl_preset_suiteb_hashes[] = { MBEDTLS_MD_NONE }; -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) static uint16_t ssl_preset_default_sig_algs[] = { /* ECDSA algorithms */ #if defined(MBEDTLS_ECDSA_C) #if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) - MBEDTLS_TLS13_SIG_ECDSA_SECP256R1_SHA256, + MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256, #endif /* MBEDTLS_SHA256_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED */ -#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) - MBEDTLS_TLS13_SIG_ECDSA_SECP384R1_SHA384, -#endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */ +#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) + MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384, +#endif /* MBEDTLS_SHA384_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */ #if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) - MBEDTLS_TLS13_SIG_ECDSA_SECP521R1_SHA512, + MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512, #endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP521R1_ENABLED */ #endif /* MBEDTLS_ECDSA_C */ /* RSA algorithms */ #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) - MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA256, + MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256, #endif + MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256, - MBEDTLS_TLS13_SIG_NONE + MBEDTLS_TLS1_3_SIG_NONE }; static uint16_t ssl_preset_suiteb_sig_algs[] = { /* ECDSA algorithms */ #if defined(MBEDTLS_ECDSA_C) #if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) - MBEDTLS_TLS13_SIG_ECDSA_SECP256R1_SHA256, + MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256, #endif /* MBEDTLS_SHA256_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED */ -#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) - MBEDTLS_TLS13_SIG_ECDSA_SECP384R1_SHA384, -#endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */ +#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) + MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384, +#endif /* MBEDTLS_SHA384_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */ #endif /* MBEDTLS_ECDSA_C */ - MBEDTLS_TLS13_SIG_NONE + + /* RSA algorithms */ +#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) + MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256, +#endif + MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256, + + MBEDTLS_TLS1_3_SIG_NONE }; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif -#if defined(MBEDTLS_ECP_C) -static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = { +static uint16_t ssl_preset_suiteb_groups[] = { #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) - MBEDTLS_ECP_DP_SECP256R1, -#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ + MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, +#endif #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) - MBEDTLS_ECP_DP_SECP384R1, -#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ - MBEDTLS_ECP_DP_NONE + MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, +#endif + MBEDTLS_SSL_IANA_TLS_GROUP_NONE }; -#endif /* MBEDTLS_ECP_C */ /* * Load default in mbedtls_ssl_config @@ -7380,12 +7487,12 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, } #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) /* * Allow all TLS 1.3 key exchange modes by default. */ - conf->tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + conf->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL; +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ /* * Preset-specific defaults @@ -7409,14 +7516,15 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) conf->sig_hashes = ssl_preset_suiteb_hashes; -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) conf->tls13_sig_algs = ssl_preset_suiteb_sig_algs; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif -#if defined(MBEDTLS_ECP_C) - conf->curve_list = ssl_preset_suiteb_curves; +#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) + conf->curve_list = NULL; #endif + conf->group_list = ssl_preset_suiteb_groups; break; /* @@ -7446,14 +7554,15 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) conf->sig_hashes = ssl_preset_default_hashes; -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) conf->tls13_sig_algs = ssl_preset_default_sig_algs; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_ECP_C) - conf->curve_list = ssl_preset_default_curves; +#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) + conf->curve_list = NULL; #endif + conf->group_list = ssl_preset_default_groups; #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) conf->dhm_min_bitlen = 1024; @@ -7677,14 +7786,17 @@ unsigned char mbedtls_ssl_hash_from_md_alg( int md ) */ int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id ) { - const mbedtls_ecp_group_id *gid; + const uint16_t *group_list = mbedtls_ssl_get_groups( ssl ); - if( ssl->conf->curve_list == NULL ) + if( group_list == NULL ) return( -1 ); + uint16_t tls_id = mbedtls_ecp_curve_info_from_grp_id(grp_id)->tls_id; - for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) - if( *gid == grp_id ) + for( ; *group_list != 0; group_list++ ) + { + if( *group_list == tls_id ) return( 0 ); + } return( -1 ); } @@ -7861,7 +7973,7 @@ int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl, goto exit; } - if( ( status = psa_hash_finish( &hash_operation, hash, MBEDTLS_MD_MAX_SIZE, + if( ( status = psa_hash_finish( &hash_operation, hash, PSA_HASH_MAX_SIZE, hashlen ) ) != PSA_SUCCESS ) { MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_finish", status ); @@ -7951,7 +8063,7 @@ int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER) && defined(MBEDTLS_SSL_PROTO_TLS1_3) static void ssl_update_checksum_start( mbedtls_ssl_context* ssl, const unsigned char* buf, size_t len ) { @@ -7979,7 +8091,7 @@ static void ssl_update_checksum_sha256( mbedtls_ssl_context* ssl, ssl_update_checksum_sha256_tls12( ssl, buf, len ); } -#elif defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#elif defined(MBEDTLS_SSL_PROTO_TLS1_3) static void ssl_update_checksum_start( mbedtls_ssl_context* ssl, const unsigned char* buf, size_t len ) { @@ -8018,8 +8130,7 @@ static void ssl_update_checksum_sha256( mbedtls_ssl_context* ssl, } -#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER) \ - && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER && MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_USE_PSA_CRYPTO) int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl, diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 46a47d9b5d6b..cd160990af8b 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -21,7 +21,7 @@ #include "common.h" -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #define SSL_DONT_FORCE_FLUSH 0 #define SSL_FORCE_FLUSH 1 @@ -41,6 +41,8 @@ #include "ecdh_misc.h" #include "ssl_misc.h" #include "ssl_tls13_keys.h" +#include "ssl_debug_helpers_generated.h" + #if defined(MBEDTLS_SSL_USE_MPS) #include "mps_all.h" #endif /* MBEDTLS_SSL_USE_MPS */ @@ -77,11 +79,11 @@ static int ssl_tls13_write_supported_versions_ext( mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, - size_t *olen ) + size_t *out_len ) { unsigned char *p = buf; - *olen = 0; + *out_len = 0; MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported versions extension" ) ); @@ -117,7 +119,7 @@ static int ssl_tls13_write_supported_versions_ext( mbedtls_ssl_context *ssl, ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) ); - *olen = 7; + *out_len = 7; return( 0 ); } @@ -141,9 +143,9 @@ static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) /* For ticket handling, we need to populate the version - * and the endpoint information into the session structure - * since only session information is available in that API. - */ + * and the endpoint information into the session structure + * since only session information is available in that API. + */ ssl->session_negotiate->minor_ver = ssl->minor_ver; ssl->session_negotiate->endpoint = ssl->conf->endpoint; #endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ @@ -176,39 +178,38 @@ static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl, * 'elliptic_curves' and only contained elliptic curve groups. */ static int ssl_tls13_write_named_group_list_ecdhe( mbedtls_ssl_context *ssl, - unsigned char *buf, - unsigned char *end, - size_t *olen ) + unsigned char *buf, + unsigned char *end, + size_t *out_len ) { unsigned char *p = buf; - *olen = 0; + *out_len = 0; - if( ssl->conf->curve_list == NULL ) + const uint16_t *group_list = mbedtls_ssl_get_groups( ssl ); + + if( group_list == NULL ) return( MBEDTLS_ERR_SSL_BAD_CONFIG ); - for ( const mbedtls_ecp_group_id *grp_id = ssl->conf->curve_list; - *grp_id != MBEDTLS_ECP_DP_NONE; - grp_id++ ) + for ( ; *group_list != 0; group_list++ ) { - const mbedtls_ecp_curve_info *info; - info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); - if( info == NULL ) + const mbedtls_ecp_curve_info *curve_info; + curve_info = mbedtls_ecp_curve_info_from_tls_id( *group_list ); + if( curve_info == NULL ) continue; - if( !mbedtls_ssl_tls13_named_group_is_ecdhe( info->tls_id ) ) + if( !mbedtls_ssl_tls13_named_group_is_ecdhe( *group_list ) ) continue; MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2); - MBEDTLS_PUT_UINT16_BE( info->tls_id, p, 0 ); + MBEDTLS_PUT_UINT16_BE( *group_list, p, 0 ); p += 2; MBEDTLS_SSL_DEBUG_MSG( 3, ( "NamedGroup: %s ( %x )", - mbedtls_ecp_curve_info_from_tls_id( info->tls_id )->name, - info->tls_id ) ); + curve_info->name, *group_list ) ); } - *olen = p - buf; + *out_len = p - buf; return( 0 ); } @@ -216,12 +217,12 @@ static int ssl_tls13_write_named_group_list_ecdhe( mbedtls_ssl_context *ssl, static int ssl_tls13_write_named_group_list_ecdhe( mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, - size_t *olen ) + size_t *out_len ) { ((void) ssl); ((void) buf); ((void) end); - *olen = 0; + *out_len = 0; return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); } #endif /* MBEDTLS_ECDH_C */ @@ -229,12 +230,12 @@ static int ssl_tls13_write_named_group_list_ecdhe( mbedtls_ssl_context *ssl, static int ssl_tls13_write_named_group_list_dhe( mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, - size_t *olen ) + size_t *out_len ) { ((void) ssl); ((void) buf); ((void) end); - *olen = 0; + *out_len = 0; MBEDTLS_SSL_DEBUG_MSG( 3, ( "write_named_group_dhe is not implemented" ) ); return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); } @@ -242,15 +243,15 @@ static int ssl_tls13_write_named_group_list_dhe( mbedtls_ssl_context *ssl, static int ssl_tls13_write_supported_groups_ext( mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, - size_t *olen ) + size_t *out_len ) { unsigned char *p = buf ; - unsigned char *named_group_list_ptr; /* Start of named_group_list */ - size_t named_group_list_len; /* Length of named_group_list */ + unsigned char *named_group_list; /* Start of named_group_list */ + size_t named_group_list_len; /* Length of named_group_list */ size_t output_len = 0; int ret_ecdhe, ret_dhe; - *olen = 0; + *out_len = 0; if( !mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) ) return( 0 ); @@ -258,14 +259,14 @@ static int ssl_tls13_write_supported_groups_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_groups extension" ) ); /* Check if we have space for header and length fields: - * - extension_type (2 bytes) - * - extension_data_length (2 bytes) + * - extension_type (2 bytes) + * - extension_data_length (2 bytes) * - named_group_list_length (2 bytes) */ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 ); p += 6; - named_group_list_ptr = p; + named_group_list = p; ret_ecdhe = ssl_tls13_write_named_group_list_ecdhe( ssl, p, end, &output_len ); if( ret_ecdhe != 0 ) { @@ -288,7 +289,7 @@ static int ssl_tls13_write_supported_groups_ext( mbedtls_ssl_context *ssl, } /* Length of named_group_list*/ - named_group_list_len = p - named_group_list_ptr; + named_group_list_len = p - named_group_list; if( named_group_list_len == 0 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "No group available." ) ); @@ -304,7 +305,7 @@ static int ssl_tls13_write_supported_groups_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 3, "Supported groups extension", buf + 4, named_group_list_len + 2 ); - *olen = p - buf; + *out_len = p - buf; ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_GROUPS; @@ -320,7 +321,7 @@ static int ssl_tls13_generate_and_write_ecdh_key_exchange( uint16_t named_group, unsigned char *buf, unsigned char *end, - size_t *olen ) + size_t *out_len ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; const mbedtls_ecp_curve_info *curve_info = @@ -338,9 +339,9 @@ static int ssl_tls13_generate_and_write_ecdh_key_exchange( return( ret ); } - ret = mbedtls_ecdh_tls13_make_params( &ssl->handshake->ecdh_ctx, olen, - buf, end - buf, - ssl->conf->f_rng, ssl->conf->p_rng ); + ret = mbedtls_ecdh_tls13_make_params( &ssl->handshake->ecdh_ctx, out_len, + buf, end - buf, + ssl->conf->f_rng, ssl->conf->p_rng ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_tls13_make_params", ret ); @@ -360,20 +361,19 @@ static int ssl_tls13_get_default_group_id( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_ECDH_C) + const uint16_t *group_list = mbedtls_ssl_get_groups( ssl ); /* Pick first available ECDHE group compatible with TLS 1.3 */ - if( ssl->conf->curve_list == NULL ) + if( group_list == NULL ) return( MBEDTLS_ERR_SSL_BAD_CONFIG ); - for ( const mbedtls_ecp_group_id *grp_id = ssl->conf->curve_list; - *grp_id != MBEDTLS_ECP_DP_NONE; - grp_id++ ) + for ( ; *group_list != 0; group_list++ ) { - const mbedtls_ecp_curve_info *info; - info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); - if( info != NULL && - mbedtls_ssl_tls13_named_group_is_ecdhe( info->tls_id ) ) + const mbedtls_ecp_curve_info *curve_info; + curve_info = mbedtls_ecp_curve_info_from_tls_id( *group_list ); + if( curve_info != NULL && + mbedtls_ssl_tls13_named_group_is_ecdhe( *group_list ) ) { - *group_id = info->tls_id; + *group_id = *group_list; return( 0 ); } } @@ -406,15 +406,15 @@ static int ssl_tls13_get_default_group_id( mbedtls_ssl_context *ssl, static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, - size_t *olen ) + size_t *out_len ) { unsigned char *p = buf; - unsigned char *client_shares_ptr; /* Start of client_shares */ - size_t client_shares_len; /* Length of client_shares */ + unsigned char *client_shares; /* Start of client_shares */ + size_t client_shares_len; /* Length of client_shares */ uint16_t group_id; int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; - *olen = 0; + *out_len = 0; if( !mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) ) return( 0 ); @@ -446,12 +446,12 @@ static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl, * type of KEM, and dispatch to the corresponding crypto. And * only one key share entry is allowed. */ - client_shares_ptr = p; + client_shares = p; #if defined(MBEDTLS_ECDH_C) if( mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) ) { /* Pointer to group */ - unsigned char *group_ptr = p; + unsigned char *group = p; /* Length of key_exchange */ size_t key_exchange_len; @@ -469,9 +469,9 @@ static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl, return( ret ); /* Write group */ - MBEDTLS_PUT_UINT16_BE( group_id, group_ptr, 0 ); + MBEDTLS_PUT_UINT16_BE( group_id, group, 0 ); /* Write key_exchange_length */ - MBEDTLS_PUT_UINT16_BE( key_exchange_len, group_ptr, 2 ); + MBEDTLS_PUT_UINT16_BE( key_exchange_len, group, 2 ); } else #endif /* MBEDTLS_ECDH_C */ @@ -483,7 +483,7 @@ static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); /* Length of client_shares */ - client_shares_len = p - client_shares_ptr; + client_shares_len = p - client_shares; if( client_shares_len == 0) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "No key share defined." ) ); @@ -500,9 +500,9 @@ static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl, ssl->handshake->offered_group_id = group_id; /* Output the total length of key_share extension. */ - *olen = p - buf; + *out_len = p - buf; - MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, key_share extension", buf, *olen ); + MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, key_share extension", buf, *out_len ); ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE; @@ -632,20 +632,20 @@ static int ssl_tls13_parse_key_share_ext( mbedtls_ssl_context *ssl, return( ret ); } -static int ssl_reset_ecdhe_share( mbedtls_ssl_context *ssl ) +static int ssl_tls13_reset_ecdhe_share( mbedtls_ssl_context *ssl ) { mbedtls_ecdh_free( &ssl->handshake->ecdh_ctx ); return( 0 ); } -static int ssl_reset_key_share( mbedtls_ssl_context *ssl ) +static int ssl_tls13_reset_key_share( mbedtls_ssl_context *ssl ) { uint16_t group_id = ssl->handshake->offered_group_id; if( group_id == 0 ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); if( mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) ) - return( ssl_reset_ecdhe_share( ssl ) ); + return( ssl_tls13_reset_ecdhe_share( ssl ) ); else if( 0 /* other KEMs? */ ) { /* Do something */ @@ -656,2722 +656,2660 @@ static int ssl_reset_key_share( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ -/* - * - * STATE HANDLING: Write Early-Data - * +/* Write cipher_suites + * CipherSuite cipher_suites<2..2^16-2>; */ +static int ssl_tls13_write_client_hello_cipher_suites( + mbedtls_ssl_context *ssl, + unsigned char *buf, + unsigned char *end, + size_t *out_len ) +{ + unsigned char *p = buf; + const int *ciphersuite_list; + unsigned char *cipher_suites; /* Start of the cipher_suites list */ + size_t cipher_suites_len; - /* - * Overview - */ + *out_len = 0 ; - /* Main state-handling entry point; orchestrates the other functions. */ -int ssl_write_early_data_process( mbedtls_ssl_context* ssl ); + /* + * Ciphersuite list + * + * This is a list of the symmetric cipher options supported by + * the client, specifically the record protection algorithm + * ( including secret key length ) and a hash to be used with + * HKDF, in descending order of client preference. + */ + ciphersuite_list = ssl->conf->ciphersuite_list; -#define SSL_EARLY_DATA_WRITE 0 -#define SSL_EARLY_DATA_SKIP 1 -static int ssl_write_early_data_coordinate( mbedtls_ssl_context* ssl ); + /* Check there is space for the cipher suite list length (2 bytes). */ + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); + p += 2; -#if defined(MBEDTLS_ZERO_RTT) -static int ssl_write_early_data_prepare( mbedtls_ssl_context* ssl ); + /* Write cipher_suites */ + cipher_suites = p; + for ( size_t i = 0; ciphersuite_list[i] != 0; i++ ) + { + int cipher_suite = ciphersuite_list[i]; + const mbedtls_ssl_ciphersuite_t *ciphersuite_info; -/* Write early-data message */ -static int ssl_write_early_data_write( mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen ); + ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite ); + if( ciphersuite_info == NULL ) + continue; + if( !( MBEDTLS_SSL_MINOR_VERSION_4 >= ciphersuite_info->min_minor_ver && + MBEDTLS_SSL_MINOR_VERSION_4 <= ciphersuite_info->max_minor_ver ) ) + continue; + + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x, %s", + (unsigned int) cipher_suite, + ciphersuite_info->name ) ); + + /* Check there is space for the cipher suite identifier (2 bytes). */ + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); + MBEDTLS_PUT_UINT16_BE( cipher_suite, p, 0 ); + p += 2; + +#if defined(MBEDTLS_ZERO_RTT) + /* For ZeroRTT we only add a single ciphersuite. */ + break; #endif /* MBEDTLS_ZERO_RTT */ + } -/* Update the state after handling the outgoing early-data message. */ -static int ssl_write_early_data_postprocess( mbedtls_ssl_context* ssl ); + /* Write the cipher_suites length in number of bytes */ + cipher_suites_len = p - cipher_suites; + MBEDTLS_PUT_UINT16_BE( cipher_suites_len, buf, 0 ); + MBEDTLS_SSL_DEBUG_MSG( 3, + ( "client hello, got %" MBEDTLS_PRINTF_SIZET " cipher suites", + cipher_suites_len/2 ) ); + + /* Output the total length of cipher_suites field. */ + *out_len = p - buf; + + return( 0 ); +} + +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) /* - * Implementation + * ssl_tls13_write_max_fragment_length_ext(): + * + * enum{ + * 2^9( 1 ), 2^10( 2 ), 2^11( 3 ), 2^12( 4 ), ( 255 ) + * } MaxFragmentLength; + * */ - -int ssl_write_early_data_process( mbedtls_ssl_context* ssl ) +static int ssl_tls13_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + const unsigned char *end, + size_t *out_len ) { - int ret; -#if defined(MBEDTLS_SSL_USE_MPS) - mbedtls_writer *msg; - unsigned char *buf; - mbedtls_mps_size_t buf_len, msg_len; -#endif /* MBEDTLS_SSL_USE_MPS */ - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write early data" ) ); + unsigned char *p = buf; - MBEDTLS_SSL_PROC_CHK_NEG( ssl_write_early_data_coordinate( ssl ) ); - if( ret == SSL_EARLY_DATA_WRITE ) + *out_len = 0; + + if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) { -#if defined(MBEDTLS_ZERO_RTT) + return( 0 ); + } - MBEDTLS_SSL_PROC_CHK( ssl_write_early_data_prepare( ssl ) ); + if( end < p || (size_t)( end - p ) < 5 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + } -#if defined(MBEDTLS_SSL_USE_MPS) - MBEDTLS_SSL_PROC_CHK( mbedtls_mps_write_application( &ssl->mps->l4, - &msg ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding max_fragment_length extension" ) ); - /* Request write-buffer */ - MBEDTLS_SSL_PROC_CHK( mbedtls_writer_get( msg, MBEDTLS_MPS_SIZE_MAX, - &buf, &buf_len ) ); + MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0 ); + MBEDTLS_PUT_UINT16_BE( 1, p, 2 ); + p += 4; - MBEDTLS_SSL_PROC_CHK( ssl_write_early_data_write( - ssl, buf, buf_len, &msg_len ) ); + *p++ = ssl->conf->mfl_code; + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Maximum fragment length = %d", ssl->conf->mfl_code ) ); - /* Commit message */ - MBEDTLS_SSL_PROC_CHK( mbedtls_writer_commit_partial( msg, - buf_len - msg_len ) ); + *out_len = 5; + return( 0 ); +} +#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ - MBEDTLS_SSL_PROC_CHK( mbedtls_mps_dispatch( &ssl->mps->l4 ) ); - /* Update state */ - MBEDTLS_SSL_PROC_CHK( ssl_write_early_data_postprocess( ssl ) ); +#if defined(MBEDTLS_SSL_ALPN) +/* + * ssl_tls13_write_alpn_ext() structure: + * + * opaque ProtocolName<1..2^8-1>; + * + * struct { + * ProtocolName protocol_name_list<2..2^16-1> + * } ProtocolNameList; + * + */ +static int ssl_tls13_write_alpn_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + const unsigned char *end, + size_t *out_len ) +{ + unsigned char *p = buf; + size_t alpnlen = 0; + const char **cur; -#else /* MBEDTLS_SSL_USE_MPS */ + *out_len = 0; - /* Write early-data to message buffer. */ - MBEDTLS_SSL_PROC_CHK( ssl_write_early_data_write( ssl, ssl->out_msg, - MBEDTLS_SSL_OUT_CONTENT_LEN, - &ssl->out_msglen ) ); + if( ssl->conf->alpn_list == NULL ) + { + return( 0 ); + } - ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA; + for ( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) + alpnlen += MBEDTLS_BYTE_0( strlen( *cur ) ) + 1; - /* Update state */ - MBEDTLS_SSL_PROC_CHK( ssl_write_early_data_postprocess( ssl ) ); + if( end < p || (size_t)( end - p ) < 6 + alpnlen ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + } - /* Dispatch message */ - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) ); -#endif /* MBEDTLS_SSL_USE_MPS */ + MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ALPN, p, 0 ); + p += 2; -#else /* MBEDTLS_ZERO_RTT */ - ((void) buf); - ((void) buf_len); - ((void) msg); - ((void) msg_len); - /* Should never happen */ - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + /* + * opaque ProtocolName<1..2^8-1>; + * + * struct { + * ProtocolName protocol_name_list<2..2^16-1> + * } ProtocolNameList; + */ -#endif /* MBEDTLS_ZERO_RTT */ - } - else + /* Skip writing extension and list length for now */ + p += 4; + + for ( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) { - /* Update state */ - MBEDTLS_SSL_PROC_CHK( ssl_write_early_data_postprocess( ssl ) ); + *p = MBEDTLS_BYTE_0( strlen( *cur ) ); + memcpy( p + 1, *cur, *p ); + p += 1 + *p; } -cleanup: + *out_len = p - buf; - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write early data" ) ); - return( ret ); + /* List length = out_len - 2 ( ext_type ) - 2 ( ext_len ) - 2 ( list_len ) */ + MBEDTLS_PUT_UINT16_BE( *out_len - 6, buf, 4 ); + + /* Extension length = out_len - 2 ( ext_type ) - 2 ( ext_len ) */ + MBEDTLS_PUT_UINT16_BE( *out_len - 4, buf, 2 ); + + return( 0 ); } +#endif /* MBEDTLS_SSL_ALPN */ -#if defined(MBEDTLS_ZERO_RTT) +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) +/* + * ssl_tls13_write_psk_key_exchange_modes_ext() structure: + * + * enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode; + * + * struct { + * PskKeyExchangeMode ke_modes<1..255>; + * } PskKeyExchangeModes; + */ -static int ssl_write_early_data_coordinate( mbedtls_ssl_context* ssl ) +static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + unsigned char *end, + size_t *out_len ) { - if( ssl->handshake->early_data != MBEDTLS_SSL_EARLY_DATA_ON ) - return( SSL_EARLY_DATA_SKIP ); + unsigned char *p; + int num_modes = 0; - return( SSL_EARLY_DATA_WRITE ); -} + /* Skip writing extension if no PSK key exchange mode + * is enabled in the config. */ + if( !mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) ) + { + *out_len = 0; + return( 0 ); + } -static int ssl_write_early_data_prepare( mbedtls_ssl_context* ssl ) -{ - int ret; - mbedtls_ssl_key_set traffic_keys; + /* Require 7 bytes of data, otherwise fail, even if extension might be shorter. */ + if( (size_t)( end - buf ) < 7 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Not enough buffer" ) ); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + } - const unsigned char *psk; - size_t psk_len; - const unsigned char *psk_identity; - size_t psk_identity_len; + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding psk_key_exchange_modes extension" ) ); - mbedtls_ssl_transform *transform_earlydata; + /* Extension Type */ + MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, buf, 0 ); - /* From RFC 8446: - * "The PSK used to encrypt the - * early data MUST be the first PSK listed in the client's - * 'pre_shared_key' extension." - */ + /* Skip extension length (2 byte) and PSK mode list length (1 byte) for now. */ + p = buf + 5; - if( mbedtls_ssl_get_psk_to_offer( ssl, &psk, &psk_len, - &psk_identity, &psk_identity_len ) != 0 ) + if( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) ) { - /* This should never happen: We can only have gone past - * ssl_write_early_data_coordinate() if we have offered a PSK. */ - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - } + *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE; + num_modes++; - if( ( ret = mbedtls_ssl_set_hs_psk( ssl, psk, psk_len ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_set_hs_psk", ret ); - return( ret ); + MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding pure PSK key exchange mode" ) ); } - /* Start the TLS 1.3 key schedule: Set the PSK and derive early secret. */ - ret = mbedtls_ssl_tls1_3_key_schedule_stage_early( ssl ); - if( ret != 0 ) + if( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) ) { - MBEDTLS_SSL_DEBUG_RET( 1, - "mbedtls_ssl_tls1_3_key_schedule_stage_early", ret ); - return( ret ); + *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE; + num_modes++; + + MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding PSK-ECDHE key exchange mode" ) ); } - /* Derive 0-RTT key material */ - ret = mbedtls_ssl_tls1_3_generate_early_data_keys( - ssl, &traffic_keys ); - if( ret != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, - "mbedtls_ssl_tls1_3_generate_early_data_keys", ret ); - return( ret ); - } - - transform_earlydata = - mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) ); - if( transform_earlydata == NULL ) - return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); - - ret = mbedtls_ssl_tls13_populate_transform( - transform_earlydata, - ssl->conf->endpoint, - ssl->session_negotiate->ciphersuite, - &traffic_keys, - ssl ); - if( ret != 0 ) - return( ret ); - -#if defined(MBEDTLS_SSL_USE_MPS) - /* Register transform with MPS. */ - ret = mbedtls_mps_add_key_material( &ssl->mps->l4, - transform_earlydata, - &ssl->handshake->epoch_earlydata ); - if( ret != 0 ) - return( ret ); - - /* Use new transform for outgoing data. */ - ret = mbedtls_mps_set_outgoing_keys( &ssl->mps->l4, - ssl->handshake->epoch_earlydata ); - if( ret != 0 ) - return( ret ); -#else /* MBEDTLS_SSL_USE_MPS */ - - /* Activate transform */ - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to 0-RTT keys for outbound traffic" ) ); - ssl->handshake->transform_earlydata = transform_earlydata; - mbedtls_ssl_set_outbound_transform( ssl, ssl->handshake->transform_earlydata ); - -#endif /* MBEDTLS_SSL_USE_MPS */ - - return( 0 ); -} - -static int ssl_write_early_data_write( mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen ) -{ - if( ssl->early_data_len > buflen ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); - return ( MBEDTLS_ERR_SSL_ALLOC_FAILED ); - } - else - { - memcpy( buf, ssl->early_data_buf, ssl->early_data_len ); - -#if defined(MBEDTLS_SSL_USE_MPS) - *olen = ssl->early_data_len; - MBEDTLS_SSL_DEBUG_BUF( 3, "Early Data", buf, ssl->early_data_len ); -#else - buf[ssl->early_data_len] = MBEDTLS_SSL_MSG_APPLICATION_DATA; - *olen = ssl->early_data_len + 1; - - MBEDTLS_SSL_DEBUG_BUF( 3, "Early Data", ssl->out_msg, *olen ); -#endif /* MBEDTLS_SSL_USE_MPS */ - } - - return( 0 ); -} - -#else /* MBEDTLS_ZERO_RTT */ - -static int ssl_write_early_data_coordinate( mbedtls_ssl_context* ssl ) -{ - ((void) ssl); - return( SSL_EARLY_DATA_SKIP ); -} - -#endif /* MBEDTLS_ZERO_RTT */ - -static int ssl_write_early_data_postprocess( mbedtls_ssl_context* ssl ) -{ - /* Clear PSK we've used for the 0-RTT. */ - mbedtls_ssl_remove_hs_psk( ssl ); + /* Add extension length: PSK mode list length byte + actual PSK mode list length */ + buf[2] = 0; + buf[3] = num_modes + 1; + /* Add PSK mode list length */ + buf[4] = num_modes; - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_HELLO ); + *out_len = p - buf; + ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES; return ( 0 ); } +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ /* + * mbedtls_ssl_tls13_write_pre_shared_key_ext() structure: * - * STATE HANDLING: Write End-of-Early-Data + * struct { + * opaque identity<1..2^16-1>; + * uint32 obfuscated_ticket_age; + * } PskIdentity; + * + * opaque PskBinderEntry<32..255>; + * + * struct { + * select ( Handshake.msg_type ) { * + * case client_hello: + * PskIdentity identities<7..2^16-1>; + * PskBinderEntry binders<33..2^16-1>; + * + * case server_hello: + * uint16 selected_identity; + * }; + * + * } PreSharedKeyExtension; + * + * + * part = 0 ==> everything up to the PSK binder list, + * returning the binder list length in `binder_list_length`. + * part = 1 ==> the PSK binder list */ - /* - * Overview - */ - - /* Main state-handling entry point; orchestrates the other functions. */ -int ssl_write_end_of_early_data_process( mbedtls_ssl_context* ssl ); - -#define SSL_END_OF_EARLY_DATA_WRITE 0 -#define SSL_END_OF_EARLY_DATA_SKIP 1 -static int ssl_write_end_of_early_data_coordinate( mbedtls_ssl_context* ssl ); - -/* Update the state after handling the outgoing end-of-early-data message. */ -static int ssl_write_end_of_early_data_postprocess( mbedtls_ssl_context* ssl ); +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) -/* - * Implementation - */ +#define SSL_WRITE_PSK_EXT_PARTIAL 0 +#define SSL_WRITE_PSK_EXT_ADD_PSK_BINDERS 1 -int ssl_write_end_of_early_data_process( mbedtls_ssl_context* ssl ) +int mbedtls_ssl_tls13_write_pre_shared_key_ext( + mbedtls_ssl_context *ssl, + unsigned char *buf, unsigned char *end, + size_t *bytes_written, + size_t *total_ext_len, + int part ) { int ret; - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write EndOfEarlyData" ) ); + unsigned char *p = (unsigned char *) buf; + const mbedtls_ssl_ciphersuite_t *suite_info; + const int *ciphersuites; + int hash_len; + const unsigned char *psk; + size_t psk_len; + const unsigned char *psk_identity; + size_t psk_identity_len; - MBEDTLS_SSL_PROC_CHK_NEG( ssl_write_end_of_early_data_coordinate( ssl ) ); - if( ret == SSL_END_OF_EARLY_DATA_WRITE ) - { - unsigned char *buf; - size_t buf_len; + *total_ext_len = 0; + *bytes_written = 0; - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl, - MBEDTLS_SSL_HS_END_OF_EARLY_DATA, &buf, &buf_len ) ); + if( !mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) ) + return( 0 ); - mbedtls_ssl_tls13_add_hs_hdr_to_checksum( - ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0 ); + /* Check if we have any PSKs to offer. If so, return the first. + * + * NOTE: Ultimately, we want to be able to offer multiple PSKs, + * in which case we want to iterate over them here. + * + * As it stands, however, we only ever offer one, chosen + * by the following heuristic: + * - If a ticket has been configured, offer the corresponding PSK. + * - If no ticket has been configured by an external PSK has been + * configured, offer that. + * - Otherwise, skip the PSK extension. + */ - MBEDTLS_SSL_PROC_CHK( ssl_write_end_of_early_data_postprocess( ssl ) ); - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg( ssl, buf_len, 0 ) ); - } - else + if( mbedtls_ssl_get_psk_to_offer( ssl, &psk, &psk_len, + &psk_identity, &psk_identity_len ) != 0 ) { - /* Update state */ - MBEDTLS_SSL_PROC_CHK( ssl_write_end_of_early_data_postprocess( ssl ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip pre_shared_key extensions" ) ); + return( 0 ); } -cleanup: - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write EndOfEarlyData" ) ); - return( ret ); -} - -static int ssl_write_end_of_early_data_coordinate( mbedtls_ssl_context* ssl ) -{ - ((void) ssl); - -#if defined(MBEDTLS_ZERO_RTT) - if( ssl->handshake->early_data == MBEDTLS_SSL_EARLY_DATA_ON ) + /* + * Ciphersuite list + */ + ciphersuites = ssl->conf->ciphersuite_list; + for ( int i = 0; ciphersuites[i] != 0; i++ ) { - if( ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_ACCEPTED ) - return( SSL_END_OF_EARLY_DATA_WRITE ); - - /* - * RFC 8446: - * "If the server does not send an "early_data" - * extension in EncryptedExtensions, then the client MUST NOT send an - * EndOfEarlyData message." - */ - - MBEDTLS_SSL_DEBUG_MSG( 4, ( "skip EndOfEarlyData, server rejected" ) ); - } -#endif /* MBEDTLS_ZERO_RTT */ + suite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); - return( SSL_END_OF_EARLY_DATA_SKIP ); -} + if( suite_info == NULL ) + continue; -static int ssl_write_end_of_early_data_postprocess( mbedtls_ssl_context* ssl ) -{ -#if defined(MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE) - if( ssl_write_end_of_early_data_coordinate( ssl ) != SSL_END_OF_EARLY_DATA_WRITE ) - { - mbedtls_ssl_handshake_set_state( ssl, - MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED ); - return( 0 ); + /* In this implementation we only add one pre-shared-key extension. */ + ssl->session_negotiate->ciphersuite = ciphersuites[i]; + ssl->handshake->ciphersuite_info = suite_info; + break; } -#endif /* MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE */ - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE ); - return( 0 ); -} - - -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) -static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl, - unsigned char* buf, - unsigned char* end, - size_t* olen ) -{ - unsigned char *p = buf; - size_t hostname_len; - *olen = 0; + hash_len = mbedtls_hash_size_for_ciphersuite( suite_info ); + if( hash_len == -1 ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - if( !mbedtls_ssl_conf_tls13_ephemeral_enabled( ssl ) ) - return; + size_t const ext_type_bytes = 2; + size_t const ext_len_bytes = 2; + size_t const psk_identities_len_bytes = 2; + size_t const psk_identity_len_bytes = 2; + size_t const psk_identity_bytes = psk_identity_len; + size_t const obfuscated_ticket_bytes = 4; + size_t const psk_binders_len_bytes = 2; + size_t const psk_binder_len_bytes = 1; + size_t const psk_binder_bytes = hash_len; - if( ssl->hostname == NULL ) - return; + size_t const psk_binder_list_bytes = psk_binders_len_bytes + + psk_binder_len_bytes + + psk_binder_bytes; - MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s", - ssl->hostname ) ); + size_t const ext_len = psk_identities_len_bytes + + psk_identity_len_bytes + + psk_identity_bytes + + obfuscated_ticket_bytes + + psk_binder_list_bytes; - hostname_len = strlen( ssl->hostname ); + size_t const ext_len_total = ext_type_bytes + + ext_len_bytes + + ext_len; - if( end < p || (size_t)( end - p ) < hostname_len + 9 ) + if( part == SSL_WRITE_PSK_EXT_PARTIAL ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); - return; - } + uint32_t obfuscated_ticket_age = 0; - /* - * struct { - * NameType name_type; - * select ( name_type ) { - * case host_name: HostName; - * } name; - * } ServerName; - * - * enum { - * host_name( 0 ), ( 255 ) - * } NameType; - * - * opaque HostName<1..2^16-1>; - * - * struct { - * ServerName server_name_list<1..2^16-1> - * } ServerNameList; - */ - *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF ); - *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF ); + MBEDTLS_SSL_DEBUG_MSG( 3, + ( "client hello, adding pre_shared_key extension, " + "omitting PSK binder list" ) ); - *p++ = (unsigned char)( ( ( hostname_len + 5 ) >> 8 ) & 0xFF ); - *p++ = (unsigned char)( ( ( hostname_len + 5 ) ) & 0xFF ); + /* Write extension up to but excluding the PSK binders list - *p++ = (unsigned char)( ( ( hostname_len + 3 ) >> 8 ) & 0xFF ); - *p++ = (unsigned char)( ( ( hostname_len + 3 ) ) & 0xFF ); - - *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF ); - *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF ); - *p++ = (unsigned char)( ( hostname_len ) & 0xFF ); - - memcpy( p, ssl->hostname, hostname_len ); - - *olen = hostname_len + 9; -} -#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ + * The length (excluding the extension header) includes: + * + * - 2 bytes for total length of identities + * - 2 bytes for length of first identity value + * - identity value ( of length len; min( len )>=1 ) + * - 4 bytes for obfuscated_ticket_age + * ... + * - 2 bytes for total length of psk binders + * - 1 byte for length of first psk binder value + * - 32 or 48 bytes (for SHA256/384) for PSK binder value + * ... + * + * Note: Currently we assume we have only one PSK credential + * configured per server. + */ -#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) + /* ext_length + Extension Type ( 2 bytes ) + Extension Length ( 2 bytes ) */ + if( end < p || (size_t)( end - p ) < ext_len_total ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too short" ) ); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + } -/* - * ssl_write_max_fragment_length_ext(): - * - * enum{ - * 2^9( 1 ), 2^10( 2 ), 2^11( 3 ), 2^12( 4 ), ( 255 ) - * } MaxFragmentLength; - * - */ -static int ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, - unsigned char *buf, - const unsigned char *end, - size_t *olen ) -{ - unsigned char *p = buf; + /* Extension Type */ + MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PRE_SHARED_KEY, p, 0 ); - *olen = 0; + /* Extension Length */ + MBEDTLS_PUT_UINT16_BE( ext_len, p, 2 ); - if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) - { - return( 0 ); - } + /* 2 bytes length field for array of PskIdentity */ + MBEDTLS_PUT_UINT16_BE( psk_identity_len + 4 + 2, p, 4 ); - if( end < p || (size_t)( end - p ) < 5 ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); - return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); - } + /* 2 bytes length field for psk_identity */ + MBEDTLS_PUT_UINT16_BE( psk_identity_len, p, 6 ); + p += 8; - MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding max_fragment_length extension" ) ); + /* actual psk_identity */ + memcpy( p, psk_identity, psk_identity_len ); + p += psk_identity_len; - *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); - *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); +#if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) - *p++ = 0x00; - *p++ = 1; + /* Calculate obfuscated_ticket_age (omitted for external PSKs). */ + if( ssl->session_negotiate->ticket_age_add > 0 ) + { + /* TODO: Should we somehow fail if TIME is disabled here? + * TODO: Use Mbed TLS' time abstraction? */ +#if defined(MBEDTLS_HAVE_TIME) + time_t now = time( NULL ); - *p++ = ssl->conf->mfl_code; - MBEDTLS_SSL_DEBUG_MSG( 3, ( "Maximum fragment length = %d", ssl->conf->mfl_code ) ); + if( !( ssl->session_negotiate->ticket_received <= now && + now - ssl->session_negotiate->ticket_received < 7 * 86400 * 1000 ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket expired" ) ); + /* TBD: We would have to fall back to another PSK */ + return( MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED ); + } - *olen = 5; - return( 0 ); -} -#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ + obfuscated_ticket_age = + (uint32_t)( now - ssl->session_negotiate->ticket_received ) + + ssl->session_negotiate->ticket_age_add; + MBEDTLS_SSL_DEBUG_MSG( 4, ( "obfuscated_ticket_age: %u", + obfuscated_ticket_age ) ); +#endif /* MBEDTLS_HAVE_TIME */ + } +#endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ -#if defined(MBEDTLS_SSL_ALPN) -/* - * ssl_write_alpn_ext() structure: - * - * opaque ProtocolName<1..2^8-1>; - * - * struct { - * ProtocolName protocol_name_list<2..2^16-1> - * } ProtocolNameList; - * - */ -static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl, - unsigned char *buf, - const unsigned char* end, - size_t *olen ) -{ - unsigned char *p = buf; - size_t alpnlen = 0; - const char **cur; + /* add obfuscated ticket age */ + MBEDTLS_PUT_UINT32_BE( obfuscated_ticket_age, p, 0 ); + p += 4; - *olen = 0; + *bytes_written = ext_len_total - psk_binder_list_bytes; + *total_ext_len = ext_len_total; - if( ssl->conf->alpn_list == NULL ) - { - return( 0 ); + ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY; } - - for ( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) - alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1; - - if( end < p || (size_t)( end - p ) < 6 + alpnlen ) + else if( part == SSL_WRITE_PSK_EXT_ADD_PSK_BINDERS ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); - return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); - } + int psk_type; - MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) ); + unsigned char transcript[MBEDTLS_MD_MAX_SIZE]; + size_t transcript_len; - *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF ); - *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding PSK binder list" ) ); - /* - * opaque ProtocolName<1..2^8-1>; - * - * struct { - * ProtocolName protocol_name_list<2..2^16-1> - * } ProtocolNameList; - */ + /* 2 bytes length field for array of psk binders */ + MBEDTLS_PUT_UINT16_BE( hash_len + 1, p, 0 ); + p += 2; - /* Skip writing extension and list length for now */ - p += 4; + /* 1 bytes length field for next psk binder */ + *p++ = MBEDTLS_BYTE_0( hash_len ); - for ( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) - { - *p = (unsigned char)( strlen( *cur ) & 0xFF ); - memcpy( p + 1, *cur, *p ); - p += 1 + *p; - } + if( ssl->handshake->resume == 1 ) + psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION; + else + psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL; - *olen = p - buf; + /* Get current state of handshake transcript. */ + ret = mbedtls_ssl_get_handshake_transcript( ssl, suite_info->mac, + transcript, sizeof( transcript ), + &transcript_len ); + if( ret != 0 ) + return( ret ); - /* List length = olen - 2 ( ext_type ) - 2 ( ext_len ) - 2 ( list_len ) */ - buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); - buf[5] = (unsigned char)( ( *olen - 6 ) & 0xFF ); + ret = mbedtls_ssl_tls13_create_psk_binder( ssl, + suite_info->mac, + psk, psk_len, psk_type, + transcript, p ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_create_psk_binder", ret ); + return( ret ); + } - /* Extension length = olen - 2 ( ext_type ) - 2 ( ext_len ) */ - buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); - buf[3] = (unsigned char)( ( *olen - 4 ) & 0xFF ); + *bytes_written = psk_binder_list_bytes; + } return( 0 ); } -#endif /* MBEDTLS_SSL_ALPN */ -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) -/* - * ssl_write_psk_key_exchange_modes_ext() structure: - * - * enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode; - * - * struct { - * PskKeyExchangeMode ke_modes<1..255>; - * } PskKeyExchangeModes; - */ -static int ssl_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl, - unsigned char* buf, - unsigned char* end, - size_t* olen ) +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ + + +static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + unsigned char *end, + size_t *out_len ) { - unsigned char *p; - int num_modes = 0; + unsigned char *p = buf; - /* Skip writing extension if no PSK key exchange mode - * is enabled in the config. */ - if( !mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) ) + *out_len = 0; + + if( ssl->handshake->verify_cookie == NULL ) { - *olen = 0; + MBEDTLS_SSL_DEBUG_MSG( 3, ( "no cookie to send; skip extension" ) ); return( 0 ); } - /* Require 7 bytes of data, otherwise fail, even if extension might be shorter. */ - if( (size_t)( end - buf ) < 7 ) + MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", + ssl->handshake->verify_cookie, + ssl->handshake->verify_cookie_len ); + + if( end < p || + (size_t)( end - p ) < ( ssl->handshake->verify_cookie_len + 4 ) ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Not enough buffer" ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); } - MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding psk_key_exchange_modes extension" ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding cookie extension" ) ); /* Extension Type */ - buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES >> 8 ) & 0xFF ); - buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES >> 0 ) & 0xFF ); + MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_COOKIE, p, 0 ); - /* Skip extension length (2 byte) and PSK mode list length (1 byte) for now. */ - p = buf + 5; - - if( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) ) - { - *p++ = MBEDTLS_SSL_TLS13_PSK_MODE_PURE; - num_modes++; - - MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding pure PSK key exchange mode" ) ); - } + /* Extension Length */ + MBEDTLS_PUT_UINT16_BE( ssl->handshake->verify_cookie_len + 2, p, 2 ); - if( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) ) - { - *p++ = MBEDTLS_SSL_TLS13_PSK_MODE_ECDHE; - num_modes++; + /* Cookie Length */ + MBEDTLS_PUT_UINT16_BE( ssl->handshake->verify_cookie_len, p, 4 ); + p += 6; - MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding PSK-ECDHE key exchange mode" ) ); - } + /* Cookie */ + memcpy( p, ssl->handshake->verify_cookie, ssl->handshake->verify_cookie_len ); - /* Add extension length: PSK mode list length byte + actual PSK mode list length */ - buf[2] = 0; - buf[3] = num_modes + 1; - /* Add PSK mode list length */ - buf[4] = num_modes; + *out_len = ssl->handshake->verify_cookie_len + 6; - *olen = p - buf; - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES; - return ( 0 ); + return( 0 ); } -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ +/* + * Functions for writing ClientHello message. + */ /* - * mbedtls_ssl_write_pre_shared_key_ext() structure: - * - * struct { - * opaque identity<1..2^16-1>; - * uint32 obfuscated_ticket_age; - * } PskIdentity; - * - * opaque PskBinderEntry<32..255>; - * - * struct { - * select ( Handshake.msg_type ) { - * - * case client_hello: - * PskIdentity identities<7..2^16-1>; - * PskBinderEntry binders<33..2^16-1>; - * - * case server_hello: - * uint16 selected_identity; - * }; - * - * } PreSharedKeyExtension; - * + * Structure of ClientHello message: * - * part = 0 ==> everything up to the PSK binder list, - * returning the binder list length in `binder_list_length`. - * part = 1 ==> the PSK binder list + * struct { + * ProtocolVersion legacy_version = 0x0303; // TLS v1.2 + * Random random; + * opaque legacy_session_id<0..32>; + * CipherSuite cipher_suites<2..2^16-2>; + * opaque legacy_compression_methods<1..2^8-1>; + * Extension extensions<8..2^16-1>; + * } ClientHello; */ +static int ssl_tls13_write_client_hello_body( mbedtls_ssl_context *ssl, + unsigned char *buf, + unsigned char *end, + size_t *len_without_binders, + size_t *out_len ) +{ -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) + int ret; + unsigned char *p_extensions_len; /* Pointer to extensions length */ + size_t output_len; /* Length of buffer used by function */ + size_t extensions_len; /* Length of the list of extensions*/ -#define SSL_WRITE_PSK_EXT_PARTIAL 0 -#define SSL_WRITE_PSK_EXT_ADD_PSK_BINDERS 1 - -int mbedtls_ssl_write_pre_shared_key_ext( mbedtls_ssl_context *ssl, - unsigned char* buf, unsigned char* end, - size_t *bytes_written, - size_t *total_ext_len, - int part ) -{ - int ret; - unsigned char *p = (unsigned char *) buf; - const mbedtls_ssl_ciphersuite_t *suite_info; - const int *ciphersuites; - int hash_len; - const unsigned char *psk; - size_t psk_len; - const unsigned char *psk_identity; - size_t psk_identity_len; + /* Buffer management */ + unsigned char *p = buf; - *total_ext_len = 0; - *bytes_written = 0; + *out_len = 0; - if( !mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) ) - return( 0 ); + /* No validation needed here. It has been done by ssl_conf_check() */ + ssl->major_ver = ssl->conf->min_major_ver; + ssl->minor_ver = ssl->conf->min_minor_ver; - /* Check if we have any PSKs to offer. If so, return the first. - * - * NOTE: Ultimately, we want to be able to offer multiple PSKs, - * in which case we want to iterate over them here. + /* + * Write legacy_version + * ProtocolVersion legacy_version = 0x0303; // TLS v1.2 * - * As it stands, however, we only ever offer one, chosen - * by the following heuristic: - * - If a ticket has been configured, offer the corresponding PSK. - * - If no ticket has been configured by an external PSK has been - * configured, offer that. - * - Otherwise, skip the PSK extension. + * For TLS 1.3 we use the legacy version number {0x03, 0x03} + * instead of the true version number. */ + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); + MBEDTLS_PUT_UINT16_BE( 0x0303, p, 0 ); + p += 2; - if( mbedtls_ssl_get_psk_to_offer( ssl, &psk, &psk_len, - &psk_identity, &psk_identity_len ) != 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip pre_shared_key extensions" ) ); - return( 0 ); - } + /* Write the random bytes ( random ).*/ + MBEDTLS_SSL_CHK_BUF_PTR( p, end, MBEDTLS_CLIENT_HELLO_RANDOM_LEN ); + memcpy( p, ssl->handshake->randbytes, MBEDTLS_CLIENT_HELLO_RANDOM_LEN ); + MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", + p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN ); + p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN; /* - * Ciphersuite list + * Write legacy_session_id + * + * Versions of TLS before TLS 1.3 supported a "session resumption" feature + * which has been merged with pre-shared keys in this version. A client + * which has a cached session ID set by a pre-TLS 1.3 server SHOULD set + * this field to that value. In compatibility mode, this field MUST be + * non-empty, so a client not offering a pre-TLS 1.3 session MUST generate + * a new 32-byte value. This value need not be random but SHOULD be + * unpredictable to avoid implementations fixating on a specific value + * ( also known as ossification ). Otherwise, it MUST be set as a zero-length + * vector ( i.e., a zero-valued single byte length field ). */ - ciphersuites = ssl->conf->ciphersuite_list; - for ( int i = 0; ciphersuites[i] != 0; i++ ) - { - suite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) + MBEDTLS_SSL_CHK_BUF_PTR( p, end, ssl->session_negotiate->id_len + 1 ); + *p++ = (unsigned char)ssl->session_negotiate->id_len; + memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len ); + p += ssl->session_negotiate->id_len; - if( suite_info == NULL ) - continue; + MBEDTLS_SSL_DEBUG_BUF( 3, "session id", ssl->session_negotiate->id, + ssl->session_negotiate->id_len ); +#else + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 ); + *p++ = 0; /* session id length set to zero */ +#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ - /* In this implementation we only add one pre-shared-key extension. */ - ssl->session_negotiate->ciphersuite = ciphersuites[i]; - ssl->handshake->ciphersuite_info = suite_info; - break; - } + /* Write cipher_suites */ + ret = ssl_tls13_write_client_hello_cipher_suites( ssl, p, end, &output_len ); + if( ret != 0 ) + return( ret ); + p += output_len; - hash_len = mbedtls_hash_size_for_ciphersuite( suite_info ); - if( hash_len == -1 ) - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + /* Write legacy_compression_methods + * + * For every TLS 1.3 ClientHello, this vector MUST contain exactly + * one byte set to zero, which corresponds to the 'null' compression + * method in prior versions of TLS. + */ + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); + *p++ = 1; + *p++ = MBEDTLS_SSL_COMPRESS_NULL; - size_t const ext_type_bytes = 2; - size_t const ext_len_bytes = 2; - size_t const psk_identities_len_bytes = 2; - size_t const psk_identity_len_bytes = 2; - size_t const psk_identity_bytes = psk_identity_len; - size_t const obfuscated_ticket_bytes = 4; - size_t const psk_binders_len_bytes = 2; - size_t const psk_binder_len_bytes = 1; - size_t const psk_binder_bytes = hash_len; + /* Write extensions */ - size_t const psk_binder_list_bytes = psk_binders_len_bytes + - psk_binder_len_bytes + - psk_binder_bytes; + /* Keeping track of the included extensions */ + ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE; - size_t const ext_len = psk_identities_len_bytes + - psk_identity_len_bytes + - psk_identity_bytes + - obfuscated_ticket_bytes + - psk_binder_list_bytes; + /* First write extensions, then the total length */ + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); + p_extensions_len = p; + p += 2; - size_t const ext_len_total = ext_type_bytes + - ext_len_bytes + - ext_len; + /* Write supported_versions extension + * + * Supported Versions Extension is mandatory with TLS 1.3. + */ + ret = ssl_tls13_write_supported_versions_ext( ssl, p, end, &output_len ); + if( ret != 0 ) + return( ret ); + p += output_len; - if( part == SSL_WRITE_PSK_EXT_PARTIAL ) - { - uint32_t obfuscated_ticket_age = 0; + /* For TLS / DTLS 1.3 we need to support the use of cookies + * ( if the server provided them ) */ + ret = ssl_tls13_write_cookie_ext( ssl, p, end, &output_len ); + if( ret != 0 ) + return( ret ); + p += output_len; - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "client hello, adding pre_shared_key extension, " - "omitting PSK binder list" ) ); +#if defined(MBEDTLS_SSL_ALPN) + ret = ssl_tls13_write_alpn_ext( ssl, p, end, &output_len ); + if( ret != 0 ) + return( ret ); + p += output_len; +#endif /* MBEDTLS_SSL_ALPN */ - /* Write extension up to but excluding the PSK binders list +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) + ret = ssl_tls13_write_max_fragment_length_ext( ssl, p, end, &output_len ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_max_fragment_length_ext", ret ); + return( ret ); + } + p += output_len; +#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ - * The length (excluding the extension header) includes: - * - * - 2 bytes for total length of identities - * - 2 bytes for length of first identity value - * - identity value ( of length len; min( len )>=1 ) - * - 4 bytes for obfuscated_ticket_age - * ... - * - 2 bytes for total length of psk binders - * - 1 byte for length of first psk binder value - * - 32 or 48 bytes (for SHA256/384) for PSK binder value - * ... - * - * Note: Currently we assume we have only one PSK credential - * configured per server. - */ +#if defined(MBEDTLS_ZERO_RTT) + ret = mbedtls_ssl_tls13_write_early_data_ext( ssl, p, end, &output_len ); + if( ret != 0 ) + return( ret ); + p += output_len; +#endif /* MBEDTLS_ZERO_RTT */ - /* ext_length + Extension Type ( 2 bytes ) + Extension Length ( 2 bytes ) */ - if( end < p || (size_t)( end - p ) < ext_len_total ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too short" ) ); - return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); - } +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + /* For PSK-based ciphersuites we don't really need the SNI extension */ + ret = mbedtls_ssl_write_hostname_ext( ssl, p, end, &output_len ); + if( ret != 0 ) + return( ret ); + p += output_len; +#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ - /* Extension Type */ - *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_PRE_SHARED_KEY >> 8 ) & 0xFF ); - *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_PRE_SHARED_KEY >> 0 ) & 0xFF ); +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) + /* For PSK-based key exchange we need the pre_shared_key extension + * and the psk_key_exchange_modes extension. + * + * The pre_shared_key extension MUST be the last extension in the + * ClientHello. Servers MUST check that it is the last extension and + * otherwise fail the handshake with an "illegal_parameter" alert. + * + * Add the psk_key_exchange_modes extension. + */ + ret = ssl_tls13_write_psk_key_exchange_modes_ext( ssl, p, end, &output_len ); + if( ret != 0 ) + return( ret ); + p += output_len; +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ - /* Extension Length */ - *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); - *p++ = (unsigned char)( ( ext_len >> 0 ) & 0xFF ); +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) + /* Write supported_groups extension + * + * It is REQUIRED for ECDHE cipher_suites. + */ + ret = ssl_tls13_write_supported_groups_ext( ssl, p, end, &output_len ); + if( ret != 0 ) + return( ret ); + p += output_len; - /* 2 bytes length field for array of PskIdentity */ - *p++ = (unsigned char)( ( ( psk_identity_len + 4 + 2 ) >> 8 ) & 0xFF ); - *p++ = (unsigned char)( ( ( psk_identity_len + 4 + 2 ) >> 0 ) & 0xFF ); + /* Write key_share extension + * + * We need to send the key shares under three conditions: + * 1) A certificate-based ciphersuite is being offered. In this case + * supported_groups and supported_signature extensions have been + * successfully added. + * 2) A PSK-based ciphersuite with ECDHE is offered. In this case the + * psk_key_exchange_modes has been added as the last extension. + * 3) Or, in case all ciphers are supported ( which includes #1 and #2 + * from above ) + */ + ret = ssl_tls13_write_key_share_ext( ssl, p, end, &output_len ); + if( ret != 0 ) + return( ret ); + p += output_len; - /* 2 bytes length field for psk_identity */ - *p++ = (unsigned char)( ( ( psk_identity_len ) >> 8 ) & 0xFF ); - *p++ = (unsigned char)( ( ( psk_identity_len ) >> 0 ) & 0xFF ); + /* Write signature_algorithms extension + * + * It is REQUIRED for certificate authenticated cipher_suites. + */ + ret = mbedtls_ssl_tls13_write_sig_alg_ext( ssl, p, end, &output_len ); + if( ret != 0 ) + return( ret ); + p += output_len; - /* actual psk_identity */ - memcpy( p, psk_identity, psk_identity_len ); - p += psk_identity_len; +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) + *len_without_binders = 0; +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) + { + size_t bytes_written; + /* We need to save the pointer to the pre-shared key extension + * because it has to be updated later. */ + ret = mbedtls_ssl_tls13_write_pre_shared_key_ext( ssl, p, end, + &bytes_written, + &output_len, + SSL_WRITE_PSK_EXT_PARTIAL ); + if( ret != 0 ) + return( ret ); - /* Calculate obfuscated_ticket_age (omitted for external PSKs). */ - if( ssl->session_negotiate->ticket_age_add > 0 ) - { - /* TODO: Should we somehow fail if TIME is disabled here? - * TODO: Use Mbed TLS' time abstraction? */ -#if defined(MBEDTLS_HAVE_TIME) - time_t now = time( NULL ); + *len_without_binders = ( p - buf ) + bytes_written; + p += output_len; + } +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ - if( !( ssl->session_negotiate->ticket_received <= now && - now - ssl->session_negotiate->ticket_received < 7 * 86400 * 1000 ) ) - { - MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket expired" ) ); - /* TBD: We would have to fall back to another PSK */ - return( MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED ); - } + /* Write the length of the list of extensions. */ + extensions_len = p - p_extensions_len - 2; + MBEDTLS_PUT_UINT16_BE( extensions_len, p_extensions_len, 0 ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %" MBEDTLS_PRINTF_SIZET , + extensions_len ) ); + MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", p_extensions_len, extensions_len ); - obfuscated_ticket_age = - (uint32_t)( now - ssl->session_negotiate->ticket_received ) + - ssl->session_negotiate->ticket_age_add; + *out_len = p - buf; + return( 0 ); +} - MBEDTLS_SSL_DEBUG_MSG( 4, ( "obfuscated_ticket_age: %u", - obfuscated_ticket_age ) ); -#endif /* MBEDTLS_HAVE_TIME */ - } -#endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ +static int ssl_tls13_finalize_client_hello( mbedtls_ssl_context *ssl ) +{ +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO ); +#else + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_EARLY_APP_DATA ); +#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ - /* add obfuscated ticket age */ - *p++ = ( obfuscated_ticket_age >> 24 ) & 0xFF; - *p++ = ( obfuscated_ticket_age >> 16 ) & 0xFF; - *p++ = ( obfuscated_ticket_age >> 8 ) & 0xFF; - *p++ = ( obfuscated_ticket_age >> 0 ) & 0xFF; + return( 0 ); +} - *bytes_written = ext_len_total - psk_binder_list_bytes; - *total_ext_len = ext_len_total; +static int ssl_tls13_prepare_client_hello( mbedtls_ssl_context *ssl ) +{ + int ret; - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY; - } - else if( part == SSL_WRITE_PSK_EXT_ADD_PSK_BINDERS ) + if( ssl->conf->f_rng == NULL ) { - int psk_type; - - unsigned char transcript[MBEDTLS_MD_MAX_SIZE]; - size_t transcript_len; - - MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding PSK binder list" ) ); - - /* 2 bytes length field for array of psk binders */ - *p++ = (unsigned char)( ( ( hash_len + 1 ) >> 8 ) & 0xFF ); - *p++ = (unsigned char)( ( ( hash_len + 1 ) >> 0 ) & 0xFF ); - - /* 1 bytes length field for next psk binder */ - *p++ = (unsigned char)( ( hash_len ) & 0xFF ); - - if( ssl->handshake->resume == 1 ) - psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION; - else - psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL; + MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided" ) ); + return( MBEDTLS_ERR_SSL_NO_RNG ); + } - /* Get current state of handshake transcript. */ - ret = mbedtls_ssl_get_handshake_transcript( ssl, suite_info->mac, - transcript, sizeof( transcript ), - &transcript_len ); - if( ret != 0 ) - return( ret ); + if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, + ssl->handshake->randbytes, + MBEDTLS_CLIENT_HELLO_RANDOM_LEN ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret ); + return( ret ); + } - ret = mbedtls_ssl_tls1_3_create_psk_binder( ssl, - suite_info->mac, - psk, psk_len, psk_type, - transcript, p ); - if( ret != 0 ) +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) + /* + * Create a session identifier for the purpose of middlebox compatibility + * only if one has not been created already. + */ + if( ssl->session_negotiate->id_len == 0 ) + { + /* Creating a session id with 32 byte length */ + if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, + ssl->session_negotiate->id, 32 ) ) != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_create_psk_binder", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "creating session id failed", ret ); return( ret ); } - - *bytes_written = psk_binder_list_bytes; + ssl->session_negotiate->id_len = 32; } +#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ return( 0 ); } - -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ - - -static int ssl_write_cookie_ext( mbedtls_ssl_context *ssl, - unsigned char* buf, - unsigned char* end, - size_t* olen ) +/* + * Write ClientHello handshake message. + * Handler for MBEDTLS_SSL_CLIENT_HELLO + */ +static int ssl_tls13_write_client_hello( mbedtls_ssl_context *ssl ) { - unsigned char *p = buf; + int ret = 0; + unsigned char *buf; + size_t buf_len, msg_len; + size_t len_without_binders; - *olen = 0; + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) ); - if( ssl->handshake->verify_cookie == NULL ) + if( ssl->handshake->state_local.cli_hello_out.preparation_done == 0 ) { - MBEDTLS_SSL_DEBUG_MSG( 3, ( "no cookie to send; skip extension" ) ); - return( 0 ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_client_hello( ssl ) ); + ssl->handshake->state_local.cli_hello_out.preparation_done = 1; } - MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", - ssl->handshake->verify_cookie, - ssl->handshake->verify_cookie_len ); + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( + ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, + &buf, &buf_len ) ); - if( end < p || - (size_t)( end - p ) < ( ssl->handshake->verify_cookie_len + 4 ) ) + MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_client_hello_body( ssl, buf, + buf + buf_len, + &len_without_binders, + &msg_len ) ); + + mbedtls_ssl_tls13_add_hs_hdr_to_checksum( ssl, + MBEDTLS_SSL_HS_CLIENT_HELLO, + msg_len ); + ssl->handshake->update_checksum( ssl, buf, len_without_binders ); + +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) + /* Patch the PSK binder after updating the HS checksum. */ { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); - return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + size_t dummy0, dummy1; + mbedtls_ssl_tls13_write_pre_shared_key_ext( ssl, + buf + len_without_binders, + buf + msg_len, + &dummy0, &dummy1, + SSL_WRITE_PSK_EXT_ADD_PSK_BINDERS ); + + /* Manually update the checksum with ClientHello using dummy PSK binders. */ + ssl->handshake->update_checksum( ssl, buf + len_without_binders, + msg_len - len_without_binders ); } +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ - MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding cookie extension" ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_client_hello( ssl ) ); + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg( ssl, + buf_len, + msg_len ) ); - /* Extension Type */ - *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_COOKIE >> 8 ) & 0xFF ); - *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_COOKIE ) & 0xFF ); +cleanup: - /* Extension Length */ - *p++ = (unsigned char)( ( ( ssl->handshake->verify_cookie_len + 2 ) >> 8 ) & 0xFF ); - *p++ = (unsigned char)( ( ssl->handshake->verify_cookie_len + 2 ) & 0xFF ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) ); + return( ret ); +} - /* Cookie Length */ - *p++ = (unsigned char)( ( ssl->handshake->verify_cookie_len >> 8 ) & 0xFF ); - *p++ = (unsigned char)( ssl->handshake->verify_cookie_len & 0xFF ); - /* Cookie */ - memcpy( p, ssl->handshake->verify_cookie, ssl->handshake->verify_cookie_len ); - *olen = ssl->handshake->verify_cookie_len + 6; +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) +static int ssl_tls13_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t len ) +{ + /* + * server should use the extension only if we did, + * and if so the server's value should match ours ( and len is always 1 ) + */ + if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE || + len != 1 || + buf[0] != ssl->conf->mfl_code ) + { + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + } return( 0 ); } +#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) /* - * Functions for writing ClientHello message. - */ -/* Write cipher_suites - * CipherSuite cipher_suites<2..2^16-2>; + * struct { + * opaque identity<1..2^16-1>; + * uint32 obfuscated_ticket_age; + * } PskIdentity; + * + * opaque PskBinderEntry<32..255>; + * + * struct { + * select ( Handshake.msg_type ) { + * case client_hello: + * PskIdentity identities<7..2^16-1>; + * PskBinderEntry binders<33..2^16-1>; + * case server_hello: + * uint16 selected_identity; + * }; + * + * } PreSharedKeyExtension; + * */ -static int ssl_tls13_write_client_hello_cipher_suites( - mbedtls_ssl_context *ssl, - unsigned char *buf, - unsigned char *end, - size_t *olen ) + +static int ssl_tls13_parse_server_psk_identity_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t len ) { - unsigned char *p = buf; - const int *ciphersuite_list; - unsigned char *cipher_suites_ptr; /* Start of the cipher_suites list */ - size_t cipher_suites_len; + int ret = 0; + size_t selected_identity; - *olen = 0 ; + const unsigned char *psk; + size_t psk_len; + const unsigned char *psk_identity; + size_t psk_identity_len; - /* - * Ciphersuite list + + /* Check which PSK we've offered. * - * This is a list of the symmetric cipher options supported by - * the client, specifically the record protection algorithm - * ( including secret key length ) and a hash to be used with - * HKDF, in descending order of client preference. + * NOTE: Ultimately, we want to offer multiple PSKs, and in this + * case, we need to iterate over them here. */ - ciphersuite_list = ssl->conf->ciphersuite_list; - - /* Check there is space for the cipher suite list length (2 bytes). */ - MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); - p += 2; + if( mbedtls_ssl_get_psk_to_offer( ssl, &psk, &psk_len, + &psk_identity, &psk_identity_len ) != 0 ) + { + /* If we haven't offered a PSK, the server must not send + * a PSK identity extension. */ + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + } - /* Write cipher_suites */ - cipher_suites_ptr = p; - for ( size_t i = 0; ciphersuite_list[i] != 0; i++ ) + if( len != (size_t) 2 ) { - int cipher_suite = ciphersuite_list[i]; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info; + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad psk_identity extension in server hello message" ) ); + return( MBEDTLS_ERR_SSL_DECODE_ERROR ); + } - ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite ); - if( ciphersuite_info == NULL ) - continue; - if( !( MBEDTLS_SSL_MINOR_VERSION_4 >= ciphersuite_info->min_minor_ver && - MBEDTLS_SSL_MINOR_VERSION_4 <= ciphersuite_info->max_minor_ver ) ) - continue; + selected_identity = MBEDTLS_GET_UINT16_BE( buf, 0 ); - MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x, %s", - (unsigned int) cipher_suite, - ciphersuite_info->name ) ); + /* We have offered only one PSK, so the only valid choice + * for the server is PSK index 0. + * + * This will change once we support multiple PSKs. */ + if( selected_identity > 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server's chosen PSK identity out of range" ) ); - /* Check there is space for the cipher suite identifier (2 bytes). */ - MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); - MBEDTLS_PUT_UINT16_BE( cipher_suite, p, 0 ); - p += 2; + if( ( ret = mbedtls_ssl_send_alert_message( ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ) ) != 0 ) + { + return( ret ); + } -#if defined(MBEDTLS_ZERO_RTT) - /* For ZeroRTT we only add a single ciphersuite. */ - break; -#endif /* MBEDTLS_ZERO_RTT */ + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); } - /* Write the cipher_suites length in number of bytes */ - cipher_suites_len = p - cipher_suites_ptr; - MBEDTLS_PUT_UINT16_BE( cipher_suites_len, buf, 0 ); - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "client hello, got %" MBEDTLS_PRINTF_SIZET " cipher suites", - cipher_suites_len/2 ) ); + /* Set the chosen PSK + * + * TODO: We don't have to do this in case we offered 0-RTT and the + * server accepted it, because in this case we've already + * set the handshake PSK. */ + ret = mbedtls_ssl_set_hs_psk( ssl, psk, psk_len ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_set_hs_psk", ret ); + return( ret ); + } - /* Output the total length of cipher_suites field. */ - *olen = p - buf; + ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY; + return( 0 ); +} + +#endif + +#if defined(MBEDTLS_ZERO_RTT) +/* Early Data Extension +* +* struct {} Empty; +* +* struct { +* select (Handshake.msg_type) { +* case new_session_ticket: uint32 max_early_data_size; +* case client_hello: Empty; +* case encrypted_extensions: Empty; +* }; +* } EarlyDataIndication; +* +* This function only handles the case of the EncryptedExtensions message. +*/ +static int ssl_tls13_parse_encrypted_extensions_early_data_ext( + mbedtls_ssl_context *ssl, + const unsigned char *buf, size_t len ) +{ + if( ssl->handshake->early_data != MBEDTLS_SSL_EARLY_DATA_ON ) + { + /* The server must not send the EarlyDataIndication if the + * client hasn't indicated the use of 0-RTT. */ + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + } + + if( len != 0 ) + { + /* The message must be empty. */ + return( MBEDTLS_ERR_SSL_DECODE_ERROR ); + } + + /* Nothing to parse */ + ((void) buf); + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_ACCEPTED; return( 0 ); } -/* - * Structure of ClientHello message: - * - * struct { - * ProtocolVersion legacy_version = 0x0303; // TLS v1.2 - * Random random; - * opaque legacy_session_id<0..32>; - * CipherSuite cipher_suites<2..2^16-2>; - * opaque legacy_compression_methods<1..2^8-1>; - * Extension extensions<8..2^16-1>; - * } ClientHello; - */ -static int ssl_tls13_write_client_hello_body( mbedtls_ssl_context *ssl, - unsigned char *buf, - unsigned char *end, - size_t *len_without_binders, - size_t *olen ) +int mbedtls_ssl_get_early_data_status( mbedtls_ssl_context *ssl ) { + if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - int ret; - unsigned char *extensions_len_ptr; /* Pointer to extensions length */ - size_t output_len; /* Length of buffer used by function */ - size_t extensions_len; /* Length of the list of extensions*/ + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - /* Buffer management */ - unsigned char *p = buf; + return( ssl->early_data_status ); +} - *olen = 0; +int mbedtls_ssl_set_early_data( mbedtls_ssl_context *ssl, + const unsigned char *buffer, size_t len ) +{ + if( buffer == NULL || len == 0 ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - /* No validation needed here. It has been done by ssl_conf_check() */ - ssl->major_ver = ssl->conf->min_major_ver; - ssl->minor_ver = ssl->conf->min_minor_ver; + ssl->early_data_buf = buffer; + ssl->early_data_len = len; + return( 0 ); +} +#endif /* MBEDTLS_ZERO_RTT */ - /* - * Write legacy_version - * ProtocolVersion legacy_version = 0x0303; // TLS v1.2 - * - * For TLS 1.3 we use the legacy version number {0x03, 0x03} - * instead of the true version number. - */ - MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); - MBEDTLS_PUT_UINT16_BE( 0x0303, p, 0 ); - p += 2; +#if defined(MBEDTLS_SSL_ALPN) +static int ssl_tls13_parse_alpn_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, size_t len ) +{ + size_t list_len, name_len; + const char **p; - /* Write the random bytes ( random ).*/ - MBEDTLS_SSL_CHK_BUF_PTR( p, end, MBEDTLS_CLIENT_HELLO_RANDOM_LEN ); - memcpy( p, ssl->handshake->randbytes, MBEDTLS_CLIENT_HELLO_RANDOM_LEN ); - MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", - p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN ); - p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN; + /* If we didn't send it, the server shouldn't send it */ + if( ssl->conf->alpn_list == NULL ) + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); /* - * Write legacy_session_id + * opaque ProtocolName<1..2^8-1>; * - * Versions of TLS before TLS 1.3 supported a "session resumption" feature - * which has been merged with pre-shared keys in this version. A client - * which has a cached session ID set by a pre-TLS 1.3 server SHOULD set - * this field to that value. In compatibility mode, this field MUST be - * non-empty, so a client not offering a pre-TLS 1.3 session MUST generate - * a new 32-byte value. This value need not be random but SHOULD be - * unpredictable to avoid implementations fixating on a specific value - * ( also known as ossification ). Otherwise, it MUST be set as a zero-length - * vector ( i.e., a zero-valued single byte length field ). + * struct { + * ProtocolName protocol_name_list<2..2^16-1> + * } ProtocolNameList; + * + * the "ProtocolNameList" MUST contain exactly one "ProtocolName" */ -#if defined(MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE) - /* Write session id length */ - MBEDTLS_SSL_CHK_BUF_PTR( p, end, ssl->session_negotiate->id_len + 1 ); - *p++ = (unsigned char)ssl->session_negotiate->id_len; - /* Write session id */ - memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len ); - p += ssl->session_negotiate->id_len; + /* Min length is 2 ( list_len ) + 1 ( name_len ) + 1 ( name ) */ + if( len < 4 ) + return( MBEDTLS_ERR_SSL_DECODE_ERROR ); - MBEDTLS_SSL_DEBUG_MSG( 3, ( "session id len.: %" MBEDTLS_PRINTF_SIZET, - ssl->session_negotiate->id_len ) ); - MBEDTLS_SSL_DEBUG_BUF( 3, "session id", ssl->session_negotiate->id, - ssl->session_negotiate->id_len ); -#else - MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 ); - *p++ = 0; /* session id length set to zero */ -#endif /* MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE */ + list_len = MBEDTLS_GET_UINT16_BE( buf, 0 ); + if( list_len != len - 2 ) + return( MBEDTLS_ERR_SSL_DECODE_ERROR ); - /* Write cipher_suites */ - ret = ssl_tls13_write_client_hello_cipher_suites( ssl, p, end, &output_len ); - if( ret != 0 ) - return( ret ); - p += output_len; + name_len = buf[2]; + if( name_len != list_len - 1 ) + return( MBEDTLS_ERR_SSL_DECODE_ERROR ); - /* Write legacy_compression_methods - * - * For every TLS 1.3 ClientHello, this vector MUST contain exactly - * one byte set to zero, which corresponds to the 'null' compression - * method in prior versions of TLS. - */ - MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); - *p++ = 1; - *p++ = MBEDTLS_SSL_COMPRESS_NULL; + /* Check that the server chosen protocol was in our list and save it */ + for ( p = ssl->conf->alpn_list; *p != NULL; p++ ) + { + if( name_len == strlen( *p ) && + memcmp( buf + 3, *p, name_len ) == 0 ) + { + ssl->alpn_chosen = *p; + return( 0 ); + } + } - /* Write extensions */ + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); +} +#endif /* MBEDTLS_SSL_ALPN */ - /* Keeping track of the included extensions */ - ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE; +/* + * + * Handler for MBEDTLS_SSL_SERVER_HELLO + * + */ - /* First write extensions, then the total length */ - MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); - extensions_len_ptr = p; - p += 2; +/* Returns a negative value on failure, and otherwise + * - SSL_SERVER_HELLO_COORDINATE_HELLO or + * - SSL_SERVER_HELLO_COORDINATE_HRR + * to indicate which message is expected and to be parsed next. */ +#define SSL_SERVER_HELLO_COORDINATE_HELLO 0 +#define SSL_SERVER_HELLO_COORDINATE_HRR 1 +static int ssl_tls13_server_hello_is_hrr( mbedtls_ssl_context *ssl, + const unsigned char *buf, + const unsigned char *end ) +{ + static const unsigned char magic_hrr_string[MBEDTLS_SERVER_HELLO_RANDOM_LEN] = + { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, + 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91, + 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E, + 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33 ,0x9C }; - /* Write supported_versions extension + /* Check whether this message is a HelloRetryRequest ( HRR ) message. + * + * Server Hello and HRR are only distinguished by Random set to the + * special value of the SHA-256 of "HelloRetryRequest". + * + * struct { + * ProtocolVersion legacy_version = 0x0303; + * Random random; + * opaque legacy_session_id_echo<0..32>; + * CipherSuite cipher_suite; + * uint8 legacy_compression_method = 0; + * Extension extensions<6..2^16-1>; + * } ServerHello; * - * Supported Versions Extension is mandatory with TLS 1.3. */ - ret = ssl_tls13_write_supported_versions_ext( ssl, p, end, &output_len ); - if( ret != 0 ) - return( ret ); - p += output_len; + MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, 2 + sizeof( magic_hrr_string ) ); - /* For TLS / DTLS 1.3 we need to support the use of cookies - * ( if the server provided them ) */ - ret = ssl_write_cookie_ext( ssl, p, end, &output_len ); - if( ret != 0 ) - return( ret ); - p += output_len; + if( memcmp( buf + 2, magic_hrr_string, sizeof( magic_hrr_string ) ) == 0 ) + { + return( SSL_SERVER_HELLO_COORDINATE_HRR ); + } -#if defined(MBEDTLS_SSL_ALPN) - ret = ssl_write_alpn_ext( ssl, p, end, &output_len ); - if( ret != 0 ) - return( ret ); - p += output_len; -#endif /* MBEDTLS_SSL_ALPN */ + return( SSL_SERVER_HELLO_COORDINATE_HELLO ); +} -#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - ret = ssl_write_max_fragment_length_ext( ssl, p, end, &output_len ); - if( ret != 0 ) +/* Fetch and preprocess + * Returns a negative value on failure, and otherwise + * - SSL_SERVER_HELLO_COORDINATE_HELLO or + * - SSL_SERVER_HELLO_COORDINATE_HRR + */ +#if defined(MBEDTLS_SSL_USE_MPS) +static int ssl_tls13_server_hello_coordinate( mbedtls_ssl_context *ssl, + mbedtls_mps_handshake_in *msg, + unsigned char **buf, + size_t *buf_len ) +{ + int ret = 0; + unsigned char *peak; + + MBEDTLS_SSL_PROC_CHK_NEG( mbedtls_mps_read( &ssl->mps->l4 ) ); + +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) + if( ret == MBEDTLS_MPS_MSG_CCS ) { - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_max_fragment_length_ext", ret ); - return( ret ); + MBEDTLS_SSL_PROC_CHK( mbedtls_mps_read_consume( &ssl->mps->l4 ) ); + return( MBEDTLS_ERR_SSL_WANT_READ ); } - p += output_len; -#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ +#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ -#if defined(MBEDTLS_ZERO_RTT) - ret = mbedtls_ssl_write_early_data_ext( ssl, p, end, &output_len ); - if( ret != 0 ) - return( ret ); - p += output_len; -#endif /* MBEDTLS_ZERO_RTT */ + if( ret != MBEDTLS_MPS_MSG_HS ) + return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - /* For PSK-based ciphersuites we don't really need the SNI extension */ - ssl_write_hostname_ext( ssl, p, end, &output_len ); - p += output_len; -#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ + MBEDTLS_SSL_PROC_CHK( mbedtls_mps_read_handshake( &ssl->mps->l4, + msg ) ); -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) - /* For PSK-based key exchange we need the pre_shared_key extension - * and the psk_key_exchange_modes extension. - * - * The pre_shared_key extension MUST be the last extension in the - * ClientHello. Servers MUST check that it is the last extension and - * otherwise fail the handshake with an "illegal_parameter" alert. - * - * Add the psk_key_exchange_modes extension. - */ - ret = ssl_write_psk_key_exchange_modes_ext( ssl, p, end, &output_len ); - if( ret != 0 ) - return( ret ); - p += output_len; -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ + if( msg->type != MBEDTLS_SSL_HS_SERVER_HELLO ) + return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) - /* Write supported_groups extension - * - * It is REQUIRED for ECDHE cipher_suites. - */ - ret = ssl_tls13_write_supported_groups_ext( ssl, p, end, &output_len ); - if( ret != 0 ) - return( ret ); - p += output_len; + ret = mbedtls_mps_reader_get( msg->handle, + msg->length, + &peak, + NULL ); - /* Write key_share extension - * - * We need to send the key shares under three conditions: - * 1) A certificate-based ciphersuite is being offered. In this case - * supported_groups and supported_signature extensions have been - * successfully added. - * 2) A PSK-based ciphersuite with ECDHE is offered. In this case the - * psk_key_exchange_modes has been added as the last extension. - * 3) Or, in case all ciphers are supported ( which includes #1 and #2 - * from above ) - */ - ret = ssl_tls13_write_key_share_ext( ssl, p, end, &output_len ); - if( ret != 0 ) - return( ret ); - p += output_len; + if( ret == MBEDTLS_ERR_MPS_READER_OUT_OF_DATA ) + { + MBEDTLS_SSL_PROC_CHK( mbedtls_mps_read_pause( &ssl->mps->l4 ) ); + ret = MBEDTLS_ERR_SSL_WANT_READ; + } + else + { + ret = ssl_tls13_server_hello_is_hrr( ssl, peak, peak + msg->length ); + switch( ret ) + { + case SSL_SERVER_HELLO_COORDINATE_HELLO: + MBEDTLS_SSL_DEBUG_MSG( 2, ( "received ServerHello message" ) ); + break; + case SSL_SERVER_HELLO_COORDINATE_HRR: + MBEDTLS_SSL_DEBUG_MSG( 2, ( "received HelloRetryRequest message" ) ); + break; + default: + goto cleanup; + } - /* Write signature_algorithms extension - * - * It is REQUIRED for certificate authenticated cipher_suites. - */ - ret = mbedtls_ssl_tls13_write_sig_alg_ext( ssl, p, end, &output_len ); - if( ret != 0 ) - return( ret ); - p += output_len; + *buf = peak; + *buf_len = msg->length; + } -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +cleanup: - *len_without_binders = 0; -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) + return( ret ); +} +#else /* MBEDTLS_SSL_USE_MPS */ +static int ssl_tls13_server_hello_coordinate( mbedtls_ssl_context *ssl, + unsigned char **buf, + size_t *buf_len ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_read_record( ssl, 0 ) ); + + /* TBD: If we do an HRR, keep track of the number + * of ClientHello's we sent, and fail if it + * exceeds the configured threshold. */ + + if( ( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) || + ( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO ) ) { - size_t bytes_written; - /* We need to save the pointer to the pre-shared key extension - * because it has to be updated later. */ - ret = mbedtls_ssl_write_pre_shared_key_ext( ssl, p, end, - &bytes_written, - &output_len, - SSL_WRITE_PSK_EXT_PARTIAL ); - if( ret != 0 ) - return( ret ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "unexpected message" ) ); - *len_without_binders = ( p - buf ) + bytes_written; - p += output_len; + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE, + MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); + return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); + } + + *buf = ssl->in_msg + 4; + *buf_len = ssl->in_hslen - 4; + + ret = ssl_tls13_server_hello_is_hrr( ssl, *buf, *buf + *buf_len ); + switch( ret ) + { + case SSL_SERVER_HELLO_COORDINATE_HELLO: + MBEDTLS_SSL_DEBUG_MSG( 2, ( "received ServerHello message" ) ); + break; + case SSL_SERVER_HELLO_COORDINATE_HRR: + MBEDTLS_SSL_DEBUG_MSG( 2, ( "received HelloRetryRequest message" ) ); + break; + } + +cleanup: + + return( ret ); +} +#endif /* MBEDTLS_SSL_USE_MPS */ + +static int ssl_tls13_check_server_hello_session_id_echo( mbedtls_ssl_context *ssl, + const unsigned char **buf, + const unsigned char *end ) +{ + const unsigned char *p = *buf; + size_t legacy_session_id_echo_len; + + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 ); + legacy_session_id_echo_len = *p++ ; + + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_echo_len ); + + /* legacy_session_id_echo */ + if( ssl->session_negotiate->id_len != legacy_session_id_echo_len || + memcmp( ssl->session_negotiate->id, p , legacy_session_id_echo_len ) != 0 ) + { + MBEDTLS_SSL_DEBUG_BUF( 3, "Expected Session ID", + ssl->session_negotiate->id, + ssl->session_negotiate->id_len ); + MBEDTLS_SSL_DEBUG_BUF( 3, "Received Session ID", p, + legacy_session_id_echo_len ); + + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); + + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); } -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ - /* Write the length of the list of extensions. */ - extensions_len = p - extensions_len_ptr - 2; - MBEDTLS_PUT_UINT16_BE( extensions_len, extensions_len_ptr, 0 ); - MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %" MBEDTLS_PRINTF_SIZET , - extensions_len ) ); - MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", extensions_len_ptr, extensions_len ); + p += legacy_session_id_echo_len; + *buf = p; - *olen = p - buf; + MBEDTLS_SSL_DEBUG_BUF( 3, "Session ID", ssl->session_negotiate->id, + ssl->session_negotiate->id_len ); return( 0 ); } -static int ssl_tls13_finalize_client_hello( mbedtls_ssl_context *ssl ) +static int ssl_tls13_cipher_suite_is_offered( mbedtls_ssl_context *ssl, + int cipher_suite ) { -#if defined(MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE) - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO ); -#else - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_EARLY_APP_DATA ); -#endif /* MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE */ + const int *ciphersuite_list = ssl->conf->ciphersuite_list; + /* Check whether we have offered this ciphersuite */ + for ( size_t i = 0; ciphersuite_list[i] != 0; i++ ) + { + if( ciphersuite_list[i] == cipher_suite ) + { + return( 1 ); + } + } return( 0 ); } -static int ssl_tls13_prepare_client_hello( mbedtls_ssl_context* ssl ) +/* Parse ServerHello message and configure context + * + * struct { + * ProtocolVersion legacy_version = 0x0303; // TLS 1.2 + * Random random; + * opaque legacy_session_id_echo<0..32>; + * CipherSuite cipher_suite; + * uint8 legacy_compression_method = 0; + * Extension extensions<6..2^16-1>; + * } ServerHello; + */ +static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, + const unsigned char *buf, + const unsigned char *end ) { - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + const unsigned char *p = buf; + size_t extensions_len; + const unsigned char *extensions_end; + uint16_t cipher_suite; + const mbedtls_ssl_ciphersuite_t *ciphersuite_info; - if( ssl->conf->f_rng == NULL ) + /* + * Check there is space for minimal fields + * + * - legacy_version ( 2 bytes) + * - random (MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes) + * - legacy_session_id_echo ( 1 byte ), minimum size + * - cipher_suite ( 2 bytes) + * - legacy_compression_method ( 1 byte ) + */ + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 6 ); + + MBEDTLS_SSL_DEBUG_BUF( 4, "server hello", p, end - p ); + MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", p, 2 ); + + /* ... + * ProtocolVersion legacy_version = 0x0303; // TLS 1.2 + * ... + * with ProtocolVersion defined as: + * uint16 ProtocolVersion; + */ + if( !( p[0] == MBEDTLS_SSL_MAJOR_VERSION_3 && + p[1] == MBEDTLS_SSL_MINOR_VERSION_3 ) ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided" ) ); - return( MBEDTLS_ERR_SSL_NO_RNG ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION, + MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION ); + return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION ); } + p += 2; - if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, - ssl->handshake->randbytes, - MBEDTLS_CLIENT_HELLO_RANDOM_LEN ) ) != 0 ) + /* ... + * Random random; + * ... + * with Random defined as: + * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN]; + */ + memcpy( &ssl->handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p, + MBEDTLS_SERVER_HELLO_RANDOM_LEN ); + MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", + p, MBEDTLS_SERVER_HELLO_RANDOM_LEN ); + p += MBEDTLS_SERVER_HELLO_RANDOM_LEN; + + /* ... + * opaque legacy_session_id_echo<0..32>; + * ... + */ + if( ssl_tls13_check_server_hello_session_id_echo( ssl, &p, end ) != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret ); - return( ret ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); } -#if defined(MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE) - /* Determine whether session id has not been created already */ - if( ssl->session_negotiate->id_len == 0 ) + /* ... + * CipherSuite cipher_suite; + * ... + * with CipherSuite defined as: + * uint8 CipherSuite[2]; + */ + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 ); + cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 ); + p += 2; + + + /* + * Check whether this ciphersuite is supported and offered. + * Via the force_ciphersuite version we may have instructed the client + * to use a different ciphersuite. + */ + ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite ); + if( ciphersuite_info == NULL || + ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) == 0 ) { - /* Creating a session id with 32 byte length */ - if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, - ssl->session_negotiate->id, 32 ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "creating session id failed", ret ); - return( ret ); - } + MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite(%04x) not found or not offered", + cipher_suite ) ); + + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); } - ssl->session_negotiate->id_len = 32; -#endif /* MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE */ - return( 0 ); -} + /* Configure ciphersuites */ + mbedtls_ssl_optimize_checksum( ssl, ciphersuite_info ); -/* - * Write ClientHello handshake message. - * Handler for MBEDTLS_SSL_CLIENT_HELLO - */ -static int ssl_tls13_write_client_hello( mbedtls_ssl_context *ssl ) -{ - int ret = 0; - unsigned char *buf; - size_t buf_len, msg_len; - size_t len_without_binders; + ssl->handshake->ciphersuite_info = ciphersuite_info; + ssl->session_negotiate->ciphersuite = cipher_suite; - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: ( %04x ) - %s", + cipher_suite, ciphersuite_info->name ) ); - if( ssl->handshake->state_local.cli_hello_out.preparation_done == 0 ) +#if defined(MBEDTLS_HAVE_TIME) + ssl->session_negotiate->start = time( NULL ); +#endif /* MBEDTLS_HAVE_TIME */ + + /* ... + * uint8 legacy_compression_method = 0; + * ... + */ + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 ); + if( p[0] != 0 ) { - MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_client_hello( ssl ) ); - ssl->handshake->state_local.cli_hello_out.preparation_done = 1; + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); } + p++; - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( - ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, - &buf, &buf_len ) ); + /* ... + * Extension extensions<6..2^16-1>; + * ... + * struct { + * ExtensionType extension_type; (2 bytes) + * opaque extension_data<0..2^16-1>; + * } Extension; + */ + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 ); + extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 ); + p += 2; - MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_client_hello_body( ssl, buf, - buf + buf_len, - &len_without_binders, - &msg_len ) ); + /* Check extensions do not go beyond the buffer of data. */ + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len ); + extensions_end = p + extensions_len; - mbedtls_ssl_tls13_add_hs_hdr_to_checksum( ssl, - MBEDTLS_SSL_HS_CLIENT_HELLO, - msg_len ); - ssl->handshake->update_checksum( ssl, buf, len_without_binders ); + MBEDTLS_SSL_DEBUG_BUF( 3, "server hello extensions", p, extensions_len ); -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) - /* Patch the PSK binder after updating the HS checksum. */ + while( p < extensions_end ) { - size_t dummy0, dummy1; - mbedtls_ssl_write_pre_shared_key_ext( ssl, - buf + len_without_binders, - buf + msg_len, - &dummy0, &dummy1, - SSL_WRITE_PSK_EXT_ADD_PSK_BINDERS ); + unsigned int extension_type; + size_t extension_data_len; - /* Manually update the checksum with ClientHello using dummy PSK binders. */ - ssl->handshake->update_checksum( ssl, buf + len_without_binders, - msg_len - len_without_binders ); - } -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 ); + extension_type = MBEDTLS_GET_UINT16_BE( p, 0 ); + extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 ); + p += 4; - MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_client_hello( ssl ) ); - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg( ssl, - buf_len, - msg_len ) ); + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len ); -cleanup: + switch( extension_type ) + { + case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: + MBEDTLS_SSL_DEBUG_MSG( 3, + ( "found supported_versions extension" ) ); - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) ); - return( ret ); -} + ret = ssl_tls13_parse_supported_versions_ext( ssl, + p, + p + extension_data_len ); + if( ret != 0 ) + return( ret ); + break; + +#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) + case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) ); + if( ( ret = ssl_tls13_parse_server_psk_identity_ext( + ssl, p, extension_data_len ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( + 1, ( "ssl_tls13_parse_server_psk_identity_ext" ), ret ); + return( ret ); + } + break; +#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ + +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) + case MBEDTLS_TLS_EXT_KEY_SHARE: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key_shares extension" ) ); + if( ( ret = ssl_tls13_parse_key_share_ext( ssl, + p, p + extension_data_len ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, + "ssl_tls13_parse_key_share_ext", + ret ); + return( ret ); + } + break; +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ + default: + MBEDTLS_SSL_DEBUG_MSG( + 3, + ( "unknown extension found: %u ( ignoring )", + extension_type ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT, + MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION ); + return( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION ); + } -#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) -static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, - const unsigned char *buf, - size_t len ) -{ - /* - * server should use the extension only if we did, - * and if so the server's value should match ours ( and len is always 1 ) - */ - if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE || - len != 1 || - buf[0] != ssl->conf->mfl_code ) - { - return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + p += extension_data_len; } return( 0 ); } -#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ - -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) -/* - * struct { - * opaque identity<1..2^16-1>; - * uint32 obfuscated_ticket_age; - * } PskIdentity; - * - * opaque PskBinderEntry<32..255>; - * - * struct { - * select ( Handshake.msg_type ) { - * case client_hello: - * PskIdentity identities<7..2^16-1>; - * PskBinderEntry binders<33..2^16-1>; - * case server_hello: - * uint16 selected_identity; - * }; - * - * } PreSharedKeyExtension; - * - */ -static int ssl_parse_server_psk_identity_ext( mbedtls_ssl_context *ssl, - const unsigned char *buf, - size_t len ) +static int ssl_tls13_hrr_parse( mbedtls_ssl_context *ssl, + const unsigned char *buf, size_t buf_len ) { - int ret = 0; - size_t selected_identity; + int ret; /* return value */ + int i; /* scratch value */ + const unsigned char *msg_end = buf + buf_len; /* pointer to the end of the buffer for length checks */ - const unsigned char *psk; - size_t psk_len; - const unsigned char *psk_identity; - size_t psk_identity_len; + size_t ext_len; /* stores length of all extensions */ + unsigned int ext_id; /* id of an extension */ + const unsigned char *ext; /* pointer to an individual extension */ + unsigned int ext_size; /* size of an individual extension */ + const mbedtls_ssl_ciphersuite_t *suite_info; /* pointer to ciphersuite */ - /* Check which PSK we've offered. +#if defined(MBEDTLS_SSL_COOKIE_C) + size_t cookie_len; + unsigned char *cookie; +#endif /* MBEDTLS_SSL_COOKIE_C */ + + /* Check for minimal length */ + /* struct { + * ProtocolVersion legacy_version = 0x0303; + * Random random; + * opaque legacy_session_id_echo<0..32>; + * CipherSuite cipher_suite; + * uint8 legacy_compression_method = 0; + * Extension extensions<6..2 ^ 16 - 1>; + * } ServerHello; * - * NOTE: Ultimately, we want to offer multiple PSKs, and in this - * case, we need to iterate over them here. + * + * 38 = 32 ( random bytes ) + 2 ( ciphersuite ) + 2 ( version ) + + * 1 ( legacy_compression_method ) + 1 ( minimum for legacy_session_id_echo ) */ - if( mbedtls_ssl_get_psk_to_offer( ssl, &psk, &psk_len, - &psk_identity, &psk_identity_len ) != 0 ) + if( buf_len < 38 ) { - /* If we haven't offered a PSK, the server must not send - * a PSK identity extension. */ - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad hello retry request message - min size not reached" ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, + MBEDTLS_ERR_SSL_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_DECODE_ERROR ); } - if( len != (size_t) 2 ) + MBEDTLS_SSL_DEBUG_BUF( 4, "hello retry request", buf, buf_len ); + + MBEDTLS_SSL_DEBUG_BUF( 3, "hello retry request, version", buf + 0, 2 ); + mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, + ssl->conf->transport, buf + 0 ); + + /* The version field must contain 0x303 */ + if( buf[0] != 0x03 || buf[1] != 0x03 ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad psk_identity extension in server hello message" ) ); - return( MBEDTLS_ERR_SSL_DECODE_ERROR ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION, + MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION ); + return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION ); } - selected_identity = ( (size_t) buf[0] << 8 ) | (size_t) buf[1]; + /* skip version */ + buf += 2; - /* We have offered only one PSK, so the only valid choice - * for the server is PSK index 0. - * - * This will change once we support multiple PSKs. */ - if( selected_identity > 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server's chosen PSK identity out of range" ) ); + /* Internally we use the correct 1.3 version */ + ssl->major_ver = 0x03; + ssl->minor_ver = 0x04; - if( ( ret = mbedtls_ssl_send_alert_message( ssl, - MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ) ) != 0 ) - { - return( ret ); - } + /* store server-provided random values */ + memcpy( ssl->handshake->randbytes + 32, buf, 32 ); + MBEDTLS_SSL_DEBUG_BUF( 3, "hello retry request, random bytes", buf + 2, 32 ); - return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); - } + /* skip random bytes */ + buf += 32; - /* Set the chosen PSK - * - * TODO: We don't have to do this in case we offered 0-RTT and the - * server accepted it, because in this case we've already - * set the handshake PSK. */ - ret = mbedtls_ssl_set_hs_psk( ssl, psk, psk_len ); - if( ret != 0 ) + if( ssl_tls13_check_server_hello_session_id_echo( ssl, &buf, msg_end ) != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_set_hs_psk", ret ); - return( ret ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); } - ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY; - return( 0 ); -} + /* read server-selected ciphersuite, which follows random bytes */ + i = MBEDTLS_GET_UINT16_BE( buf, 0 ); -#endif + /* skip ciphersuite */ + buf += 2; -#if defined(MBEDTLS_ZERO_RTT) -/* Early Data Extension -* -* struct {} Empty; -* -* struct { -* select (Handshake.msg_type) { -* case new_session_ticket: uint32 max_early_data_size; -* case client_hello: Empty; -* case encrypted_extensions: Empty; -* }; -* } EarlyDataIndication; -* -* This function only handles the case of the EncryptedExtensions message. -*/ -int ssl_parse_encrypted_extensions_early_data_ext( mbedtls_ssl_context *ssl, - const unsigned char *buf, - size_t len ) -{ - if( ssl->handshake->early_data != MBEDTLS_SSL_EARLY_DATA_ON ) - { - /* The server must not send the EarlyDataIndication if the - * client hasn't indicated the use of 0-RTT. */ - return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); - } + /* TBD: Check whether we have offered this ciphersuite */ + /* Via the force_ciphersuite version we may have instructed the client */ + /* to use a difference ciphersuite. */ - if( len != 0 ) + /* Configure ciphersuites */ + ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i ); + + if( ssl->handshake->ciphersuite_info == NULL ) { - /* The message must be empty. */ - return( MBEDTLS_ERR_SSL_DECODE_ERROR ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR, + MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } - /* Nothing to parse */ - ((void) buf); - - ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_ACCEPTED; - return( 0 ); -} - -int mbedtls_ssl_get_early_data_status( mbedtls_ssl_context *ssl ) -{ - if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) - return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + mbedtls_ssl_optimize_checksum( ssl, ssl->handshake->ciphersuite_info ); - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) - return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + ssl->session_negotiate->ciphersuite = i; - return( ssl->early_data_status ); -} + suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); + if( suite_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad hello retry request message" ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + } -int mbedtls_ssl_set_early_data( mbedtls_ssl_context *ssl, - const unsigned char *buffer, size_t len ) -{ - if( buffer == NULL || len == 0 ) - return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "hello retry request, chosen ciphersuite: ( %04x ) - %s", i, suite_info->name ) ); - ssl->early_data_buf = buffer; - ssl->early_data_len = len; - return( 0 ); -} -#endif /* MBEDTLS_ZERO_RTT */ +#if defined(MBEDTLS_HAVE_TIME) + ssl->session_negotiate->start = time( NULL ); +#endif /* MBEDTLS_HAVE_TIME */ -#if defined(MBEDTLS_SSL_ALPN) -static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, - const unsigned char *buf, size_t len ) -{ - size_t list_len, name_len; - const char **p; + i = 0; + while ( 1 ) + { + if( ssl->conf->ciphersuite_list[i] == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad hello retry request message" ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + } - /* If we didn't send it, the server shouldn't send it */ - if( ssl->conf->alpn_list == NULL ) - return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + if( ssl->conf->ciphersuite_list[i++] == + ssl->session_negotiate->ciphersuite ) + { + break; + } + } - /* - * opaque ProtocolName<1..2^8-1>; - * - * struct { - * ProtocolName protocol_name_list<2..2^16-1> - * } ProtocolNameList; - * - * the "ProtocolNameList" MUST contain exactly one "ProtocolName" - */ + /* Ensure that compression method is set to zero */ + if( buf[0] != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad hello retry request message" ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + } - /* Min length is 2 ( list_len ) + 1 ( name_len ) + 1 ( name ) */ - if( len < 4 ) - return( MBEDTLS_ERR_SSL_DECODE_ERROR ); + /* skip compression */ + buf++; - list_len = ( buf[0] << 8 ) | buf[1]; - if( list_len != len - 2 ) + /* Are we reading beyond the message buffer? */ + if( ( buf + 2 ) > msg_end ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad hello retry request message" ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, + MBEDTLS_ERR_SSL_DECODE_ERROR ); return( MBEDTLS_ERR_SSL_DECODE_ERROR ); + } - name_len = buf[2]; - if( name_len != list_len - 1 ) + ext_len = MBEDTLS_GET_UINT16_BE( buf, 0 ); + buf += 2; /* skip extension length */ + + /* Are we reading beyond the message buffer? */ + if( ( buf + ext_len ) > msg_end ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad hello retry request message" ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, + MBEDTLS_ERR_SSL_DECODE_ERROR ); return( MBEDTLS_ERR_SSL_DECODE_ERROR ); + } - /* Check that the server chosen protocol was in our list and save it */ - for ( p = ssl->conf->alpn_list; *p != NULL; p++ ) + ext = buf; + + MBEDTLS_SSL_DEBUG_MSG( 3, ( "hello retry request, total extension length: %" MBEDTLS_PRINTF_SIZET , ext_len ) ); + + MBEDTLS_SSL_DEBUG_BUF( 3, "extensions", ext, ext_len ); + + while ( ext_len ) { - if( name_len == strlen( *p ) && - memcmp( buf + 3, *p, name_len ) == 0 ) + ext_id = MBEDTLS_GET_UINT16_BE( ext, 0 ); + ext_size = MBEDTLS_GET_UINT16_BE( ext, 2 ); + + if( ext_size + 4 > ext_len ) { - ssl->alpn_chosen = *p; - return( 0 ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad hello retry request message" ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, + MBEDTLS_ERR_SSL_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_DECODE_ERROR ); } - } - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); -} -#endif /* MBEDTLS_SSL_ALPN */ + switch( ext_id ) + { +#if defined(MBEDTLS_SSL_COOKIE_C) + case MBEDTLS_TLS_EXT_COOKIE: -/* - * - * Handler for MBEDTLS_SSL_SERVER_HELLO - * - */ + /* Retrieve length field of cookie */ + if( ext_size >= 2 ) + { + cookie = (unsigned char *) ( ext + 4 ); + cookie_len = MBEDTLS_GET_UINT16_BE( cookie, 0 ); + cookie += 2; + } + else + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad HRR message - cookie length mismatch" ) ); + return( MBEDTLS_ERR_SSL_DECODE_ERROR ); + } -/* Returns a negative value on failure, and otherwise - * - SSL_SERVER_HELLO_COORDINATE_HELLO or - * - SSL_SERVER_HELLO_COORDINATE_HRR - * to indicate which message is expected and to be parsed next. */ -#define SSL_SERVER_HELLO_COORDINATE_HELLO 0 -#define SSL_SERVER_HELLO_COORDINATE_HRR 1 -static int ssl_server_hello_is_hrr( mbedtls_ssl_context *ssl, - const unsigned char *buf, - const unsigned char *end ) -{ - static const unsigned char magic_hrr_string[MBEDTLS_SERVER_HELLO_RANDOM_LEN] = - { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, - 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91, - 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E, - 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33 ,0x9C }; + if( ( cookie_len + 2 ) != ext_size ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad HRR message - cookie length mismatch" ) ); + return( MBEDTLS_ERR_SSL_DECODE_ERROR ); + } - /* Check whether this message is a HelloRetryRequest ( HRR ) message. - * - * Server Hello and HRR are only distinguished by Random set to the - * special value of the SHA-256 of "HelloRetryRequest". - * - * struct { - * ProtocolVersion legacy_version = 0x0303; - * Random random; - * opaque legacy_session_id_echo<0..32>; - * CipherSuite cipher_suite; - * uint8 legacy_compression_method = 0; - * Extension extensions<6..2^16-1>; - * } ServerHello; - * - */ - MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, 2 + sizeof( magic_hrr_string ) ); + MBEDTLS_SSL_DEBUG_BUF( 3, "cookie extension", cookie, cookie_len ); - if( memcmp( buf + 2, magic_hrr_string, sizeof( magic_hrr_string ) ) == 0 ) - { - return( SSL_SERVER_HELLO_COORDINATE_HRR ); - } + mbedtls_free( ssl->handshake->verify_cookie ); - return( SSL_SERVER_HELLO_COORDINATE_HELLO ); -} + ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len ); + if( ssl->handshake->verify_cookie == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed ( %" MBEDTLS_PRINTF_SIZET " bytes )", cookie_len ) ); + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + } -/* Fetch and preprocess - * Returns a negative value on failure, and otherwise - * - SSL_SERVER_HELLO_COORDINATE_HELLO or - * - SSL_SERVER_HELLO_COORDINATE_HRR - */ -#if defined(MBEDTLS_SSL_USE_MPS) -static int ssl_tls13_server_hello_coordinate( mbedtls_ssl_context* ssl, - mbedtls_mps_handshake_in *msg, - unsigned char **buf, - size_t *buflen ) -{ - int ret = 0; - unsigned char *peak; + memcpy( ssl->handshake->verify_cookie, cookie, cookie_len ); + ssl->handshake->verify_cookie_len = (unsigned char) cookie_len; + break; +#endif /* MBEDTLS_SSL_COOKIE_C */ - MBEDTLS_SSL_PROC_CHK_NEG( mbedtls_mps_read( &ssl->mps->l4 ) ); + case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_versions extension" ) ); -#if defined(MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE) - if( ret == MBEDTLS_MPS_MSG_CCS ) - { - MBEDTLS_SSL_PROC_CHK( mbedtls_mps_read_consume( &ssl->mps->l4 ) ); - return( MBEDTLS_ERR_SSL_WANT_READ ); - } -#endif /* MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE */ + ret = ssl_tls13_parse_supported_versions_ext( ssl, ext + 4, ext + 4 + ext_size ); + if( ret != 0 ) + return( ret ); + break; - if( ret != MBEDTLS_MPS_MSG_HS ) - return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); +#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) + case MBEDTLS_TLS_EXT_KEY_SHARE: + { + /* Variables for parsing the key_share */ + const uint16_t *group_list; + const mbedtls_ecp_curve_info *curve_info = NULL; + int tls_id; + int found = 0; - MBEDTLS_SSL_PROC_CHK( mbedtls_mps_read_handshake( &ssl->mps->l4, - msg ) ); + MBEDTLS_SSL_DEBUG_BUF( 3, "key_share extension", ext + 4, ext_size ); - if( msg->type != MBEDTLS_SSL_HS_SERVER_HELLO ) - return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); + /* Read selected_group */ + tls_id = MBEDTLS_GET_UINT16_BE( ext, 4 ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected_group ( %d )", tls_id ) ); - ret = mbedtls_mps_reader_get( msg->handle, - msg->length, - &peak, - NULL ); + /* Upon receipt of this extension in a HelloRetryRequest, the + * client MUST first verify that the selected_group field + * corresponds to a group which was provided in the + * "supported_groups" extension in the original ClientHello. + * The supported_group was based on the configured list of + * groups. + * + * If the server provided a key share that was not sent in the + * ClientHello then the client MUST abort the handshake with an + * "illegal_parameter" alert. */ + for( group_list = mbedtls_ssl_get_groups( ssl ); + *group_list != 0; group_list++ ) + { + if( !mbedtls_ssl_tls13_named_group_is_ecdhe( *group_list ) ) + continue; - if( ret == MBEDTLS_ERR_MPS_READER_OUT_OF_DATA ) - { - MBEDTLS_SSL_PROC_CHK( mbedtls_mps_read_pause( &ssl->mps->l4 ) ); - ret = MBEDTLS_ERR_SSL_WANT_READ; - } - else - { - ret = ssl_server_hello_is_hrr( ssl, peak, peak + msg->length ); - switch( ret ) - { - case SSL_SERVER_HELLO_COORDINATE_HELLO: - MBEDTLS_SSL_DEBUG_MSG( 2, ( "received ServerHello message" ) ); - break; - case SSL_SERVER_HELLO_COORDINATE_HRR: - MBEDTLS_SSL_DEBUG_MSG( 2, ( "received HelloRetryRequest message" ) ); + curve_info = + mbedtls_ecp_curve_info_from_tls_id( *group_list ); + + if( ( curve_info == NULL ) || + ( curve_info->tls_id != tls_id ) ) + continue; + + /* We found a match */ + found = 1; + break; + } + + /* Client MUST verify that the selected_group field does not + * correspond to a group which was provided in the "key_share" + * extension in the original ClientHello. If the server sent an + * HRR message with a key share already provided in the + * ClientHello then the client MUST abort the handshake with + * an "illegal_parameter" alert. */ + if( found == 0 || tls_id == ssl->handshake->offered_group_id ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid key share in HRR" ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + } + + /* Remember server's preference for next ClientHello */ + ssl->handshake->offered_group_id = tls_id; break; + } + +#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ default: - goto cleanup; + MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d ( ignoring )", ext_id ) ); } - *buf = peak; - *buflen = msg->length; - } + /* Jump to next extension */ + ext_len -= 4 + ext_size; + ext += 4 + ext_size; -cleanup: + if( ext_len > 0 && ext_len < 4 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad hello retry request message" ) ); + return( MBEDTLS_ERR_SSL_DECODE_ERROR ); + } - return( ret ); + } + + return( 0 ); } -#else /* MBEDTLS_SSL_USE_MPS */ -static int ssl_tls13_server_hello_coordinate( mbedtls_ssl_context *ssl, - unsigned char **buf, - size_t *buf_len ) + +static int ssl_tls13_finalize_server_hello( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + mbedtls_ssl_key_set traffic_keys; + mbedtls_ssl_transform *transform_handshake = NULL; + mbedtls_ssl_handshake_params *handshake = ssl->handshake; + + /* Determine the key exchange mode: + * 1) If both the pre_shared_key and key_share extensions were received + * then the key exchange mode is PSK with EPHEMERAL. + * 2) If only the pre_shared_key extension was received then the key + * exchange mode is PSK-only. + * 3) If only the key_share extension was received then the key + * exchange mode is EPHEMERAL-only. + */ + switch( handshake->extensions_present & + ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ) ) + { + /* Only the pre_shared_key extension was received */ + case MBEDTLS_SSL_EXT_PRE_SHARED_KEY: + handshake->key_exchange = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; + break; + + /* Only the key_share extension was received */ + case MBEDTLS_SSL_EXT_KEY_SHARE: + handshake->key_exchange = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL; + break; + + /* Both the pre_shared_key and key_share extensions were received */ + case ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ): + handshake->key_exchange = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; + break; - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_read_record( ssl, 0 ) ); + /* Neither pre_shared_key nor key_share extension was received */ + default: + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unknown key exchange." ) ); + ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; + goto cleanup; + } - /* TBD: If we do an HRR, keep track of the number - * of ClientHello's we sent, and fail if it - * exceeds the configured threshold. */ + /* Start the TLS 1.3 key schedule: Set the PSK and derive early secret. + * + * TODO: We don't have to do this in case we offered 0-RTT and the + * server accepted it. In this case, we could skip generating + * the early secret. */ + ret = mbedtls_ssl_tls13_key_schedule_stage_early( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_key_schedule_stage_early_data", + ret ); + goto cleanup; + } - if( ( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) || - ( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO ) ) + /* Compute handshake secret */ + ret = mbedtls_ssl_tls13_key_schedule_stage_handshake( ssl ); + if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "unexpected message" ) ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_derive_master_secret", ret ); + goto cleanup; + } - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE, - MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); - return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); + /* Next evolution in key schedule: Establish handshake secret and + * key material. */ + ret = mbedtls_ssl_tls13_generate_handshake_keys( ssl, &traffic_keys ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_generate_handshake_keys", + ret ); + goto cleanup; } - *buf = ssl->in_msg + 4; - *buf_len = ssl->in_hslen - 4; + transform_handshake = mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) ); + if( transform_handshake == NULL ) + { + ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; + goto cleanup; + } - ret = ssl_server_hello_is_hrr( ssl, *buf, *buf + *buf_len ); - switch( ret ) + ret = mbedtls_ssl_tls13_populate_transform( transform_handshake, + ssl->conf->endpoint, + ssl->session_negotiate->ciphersuite, + &traffic_keys, + ssl ); + if( ret != 0 ) { - case SSL_SERVER_HELLO_COORDINATE_HELLO: - MBEDTLS_SSL_DEBUG_MSG( 2, ( "received ServerHello message" ) ); - break; - case SSL_SERVER_HELLO_COORDINATE_HRR: - MBEDTLS_SSL_DEBUG_MSG( 2, ( "received HelloRetryRequest message" ) ); - break; + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret ); + goto cleanup; } -cleanup: +#if !defined(MBEDTLS_SSL_USE_MPS) + handshake->transform_handshake = transform_handshake; + mbedtls_ssl_set_inbound_transform( ssl, transform_handshake ); +#else /* MBEDTLS_SSL_USE_MPS */ + ret = mbedtls_mps_add_key_material( &ssl->mps->l4, + transform_handshake, + &handshake->epoch_handshake ); + if( ret != 0 ) + return( ret ); - return( ret ); -} + ret = mbedtls_mps_set_incoming_keys( &ssl->mps->l4, + handshake->epoch_handshake ); + if( ret != 0 ) + return( ret ); #endif /* MBEDTLS_SSL_USE_MPS */ -static int ssl_tls13_check_server_hello_session_id_echo( mbedtls_ssl_context *ssl, - const unsigned char **buf, - const unsigned char *end ) -{ - const unsigned char *p = *buf; - size_t legacy_session_id_echo_len; + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) ); + ssl->session_in = ssl->session_negotiate; - MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 ); - legacy_session_id_echo_len = *p++ ; + /* + * State machine update + */ + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS ); - MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_echo_len ); +cleanup: - /* legacy_session_id_echo */ - if( ssl->session_negotiate->id_len != legacy_session_id_echo_len || - memcmp( ssl->session_negotiate->id, p , legacy_session_id_echo_len ) != 0 ) + mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) ); + if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_BUF( 3, "Expected Session ID", - ssl->session_negotiate->id, - ssl->session_negotiate->id_len ); - MBEDTLS_SSL_DEBUG_BUF( 3, "Received Session ID", p, - legacy_session_id_echo_len ); - - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, - MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); + mbedtls_free( transform_handshake ); - return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); } - - p += legacy_session_id_echo_len; - *buf = p; - - MBEDTLS_SSL_DEBUG_BUF( 3, "Session ID", ssl->session_negotiate->id, - ssl->session_negotiate->id_len ); - return( 0 ); + return( ret ); } - -static int ssl_tls13_cipher_suite_is_offered( mbedtls_ssl_context *ssl, - int cipher_suite ) +static int ssl_tls13_hrr_postprocess( mbedtls_ssl_context *ssl ) { - const int *ciphersuite_list = ssl->conf->ciphersuite_list; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - /* Check whether we have offered this ciphersuite */ - for ( size_t i = 0; ciphersuite_list[i] != 0; i++ ) + if( ssl->handshake->hello_retry_requests_received > 0 ) { - if( ciphersuite_list[i] == cipher_suite ) - { - return( 1 ); - } + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Multiple HRRs received" ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); } + + ssl->handshake->hello_retry_requests_received++; + +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) + /* If not offering early data, the client sends a dummy CCS record + * immediately before its second flight. This may either be before + * its second ClientHello or before its encrypted handshake flight. */ + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO ); +#else + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO ); +#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ + + mbedtls_ssl_session_reset_msg_layer( ssl, 0 ); + + /* Reset everything that's going to be re-generated in the new ClientHello. + * + * Currently, we're always resetting the key share, even if the server + * was fine with it. Once we have separated key share generation from + * key share writing, we can confine this to the case where the server + * requested a different share. */ + ret = ssl_tls13_reset_key_share( ssl ); + if( ret != 0 ) + return( ret ); + return( 0 ); } -/* Parse ServerHello message and configure context - * - * struct { - * ProtocolVersion legacy_version = 0x0303; // TLS 1.2 - * Random random; - * opaque legacy_session_id_echo<0..32>; - * CipherSuite cipher_suite; - * uint8 legacy_compression_method = 0; - * Extension extensions<6..2^16-1>; - * } ServerHello; +/* + * Wait and parse ServerHello handshake message. + * Handler for MBEDTLS_SSL_SERVER_HELLO */ -static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, - const unsigned char *buf, - const unsigned char *end ) +static int ssl_tls13_process_server_hello( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - const unsigned char *p = buf; - size_t extensions_len; - const unsigned char *extensions_end; - uint16_t cipher_suite; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info; - - /* - * Check there is space for minimal fields - * - * - legacy_version ( 2 bytes) - * - random (MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes) - * - legacy_session_id_echo ( 1 byte ), minimum size - * - cipher_suite ( 2 bytes) - * - legacy_compression_method ( 1 byte ) - */ - MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 6 ); - - MBEDTLS_SSL_DEBUG_BUF( 4, "server hello", p, end - p ); - MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", p, 2 ); - - /* ... - * ProtocolVersion legacy_version = 0x0303; // TLS 1.2 - * ... - * with ProtocolVersion defined as: - * uint16 ProtocolVersion; - */ - if( !( p[0] == MBEDTLS_SSL_MAJOR_VERSION_3 && - p[1] == MBEDTLS_SSL_MINOR_VERSION_3 ) ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION, - MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION ); - return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION ); - } - p += 2; +#if defined(MBEDTLS_SSL_USE_MPS) + mbedtls_mps_handshake_in msg; +#endif + unsigned char *buf = NULL; + size_t buf_len = 0; - /* ... - * Random random; - * ... - * with Random defined as: - * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN]; - */ - memcpy( &ssl->handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p, - MBEDTLS_SERVER_HELLO_RANDOM_LEN ); - MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", - p, MBEDTLS_SERVER_HELLO_RANDOM_LEN ); - p += MBEDTLS_SERVER_HELLO_RANDOM_LEN; + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> %s", __func__ ) ); - /* ... - * opaque legacy_session_id_echo<0..32>; - * ... + /* Coordination step + * - Fetch record + * - Make sure it's either a ServerHello or a HRR. + * - Switch processing routine in case of HRR */ - if( ssl_tls13_check_server_hello_session_id_echo( ssl, &p, end ) != 0 ) - { - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, - MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); - return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); - } - /* ... - * CipherSuite cipher_suite; - * ... - * with CipherSuite defined as: - * uint8 CipherSuite[2]; - */ - MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 ); - cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 ); - p += 2; + ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; + ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE; +#if defined(MBEDTLS_SSL_USE_MPS) + ret = ssl_tls13_server_hello_coordinate( ssl, &msg, &buf, &buf_len ); +#else /* MBEDTLS_SSL_USE_MPS */ + ret = ssl_tls13_server_hello_coordinate( ssl, &buf, &buf_len ); +#endif /* MBEDTLS_SSL_USE_MPS */ - /* - * Check whether this ciphersuite is supported and offered. - * Via the force_ciphersuite version we may have instructed the client - * to use a different ciphersuite. + /* Parsing step + * We know what message to expect by now and call + * the respective parsing function. */ - ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite ); - if( ciphersuite_info == NULL || - ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) == 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite(%04x) not found or not offered", - cipher_suite ) ); - - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, - MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); - return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); - } + if( ret == SSL_SERVER_HELLO_COORDINATE_HELLO ) + { + MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_server_hello( ssl, buf, + buf + buf_len ) ); + mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl, + MBEDTLS_SSL_HS_SERVER_HELLO, + buf, buf_len ); - /* Configure ciphersuites */ - mbedtls_ssl_optimize_checksum( ssl, ciphersuite_info ); +#if defined(MBEDTLS_SSL_USE_MPS) + MBEDTLS_SSL_PROC_CHK( mbedtls_mps_reader_commit( msg.handle ) ); + MBEDTLS_SSL_PROC_CHK( mbedtls_mps_read_consume( &ssl->mps->l4 ) ); +#endif /* MBEDTLS_SSL_USE_MPS */ - ssl->handshake->ciphersuite_info = ciphersuite_info; - ssl->session_negotiate->ciphersuite = cipher_suite; + MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_server_hello( ssl ) ); + } + else if( ret == SSL_SERVER_HELLO_COORDINATE_HRR ) + { + MBEDTLS_SSL_PROC_CHK( ssl_tls13_hrr_parse( ssl, buf, buf_len ) ); + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_reset_transcript_for_hrr( ssl ) ); - MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: ( %04x ) - %s", - cipher_suite, ciphersuite_info->name ) ); + mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl, + MBEDTLS_SSL_HS_SERVER_HELLO, + buf, buf_len ); -#if defined(MBEDTLS_HAVE_TIME) - ssl->session_negotiate->start = time( NULL ); -#endif /* MBEDTLS_HAVE_TIME */ +#if defined(MBEDTLS_SSL_USE_MPS) + MBEDTLS_SSL_PROC_CHK( mbedtls_mps_reader_commit( msg.handle ) ); + MBEDTLS_SSL_PROC_CHK( mbedtls_mps_read_consume( &ssl->mps->l4 ) ); +#endif /* MBEDTLS_SSL_USE_MPS */ - /* ... - * uint8 legacy_compression_method = 0; - * ... - */ - MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 ); - if( p[0] != 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, - MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); - return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_hrr_postprocess( ssl ) ); } - p++; - /* ... - * Extension extensions<6..2^16-1>; - * ... - * struct { - * ExtensionType extension_type; (2 bytes) - * opaque extension_data<0..2^16-1>; - * } Extension; - */ - MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 ); - extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 ); - p += 2; - /* Check extensions do not go beyond the buffer of data. */ - MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len ); - extensions_end = p + extensions_len; +cleanup: - MBEDTLS_SSL_DEBUG_BUF( 3, "server hello extensions", p, extensions_len ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= %s", __func__ ) ); + return( ret ); +} - while( p < extensions_end ) - { - unsigned int extension_type; - size_t extension_data_len; +/* + * + * EncryptedExtensions message + * + * The EncryptedExtensions message contains any extensions which + * should be protected, i.e., any which are not needed to establish + * the cryptographic context. + */ - MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 ); - extension_type = MBEDTLS_GET_UINT16_BE( p, 0 ); - extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 ); - p += 4; +/* + * Overview + */ - MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len ); +/* Main entry point; orchestrates the other functions */ +static int ssl_tls13_process_encrypted_extensions( mbedtls_ssl_context *ssl ); - switch( extension_type ) - { - case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "found supported_versions extension" ) ); +static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl, + const unsigned char *buf, + const unsigned char *end ); +static int ssl_tls13_postprocess_encrypted_extensions( mbedtls_ssl_context *ssl ); - ret = ssl_tls13_parse_supported_versions_ext( ssl, - p, - p + extension_data_len ); - if( ret != 0 ) - return( ret ); - break; -#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) - case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) ); - if( ( ret = ssl_parse_server_psk_identity_ext( - ssl, p, extension_data_len ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( - 1, ( "ssl_parse_server_psk_identity_ext" ), ret ); - return( ret ); - } - break; -#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ +/* + * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS + */ +static int ssl_tls13_process_encrypted_extensions( mbedtls_ssl_context *ssl ) +{ + int ret; + unsigned char *buf; + size_t buf_len; -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) - case MBEDTLS_TLS_EXT_KEY_SHARE: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key_shares extension" ) ); - if( ( ret = ssl_tls13_parse_key_share_ext( ssl, - p, p + extension_data_len ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, - "ssl_tls13_parse_key_share_ext", - ret ); - return( ret ); - } - break; -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse encrypted extensions" ) ); - default: - MBEDTLS_SSL_DEBUG_MSG( - 3, - ( "unknown extension found: %u ( ignoring )", - extension_type ) ); + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl, + MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, + &buf, &buf_len ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( - MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT, - MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION ); - return( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION ); - } + /* Process the message contents */ + MBEDTLS_SSL_PROC_CHK( + ssl_tls13_parse_encrypted_extensions( ssl, buf, buf + buf_len ) ); - p += extension_data_len; - } + mbedtls_ssl_tls13_add_hs_msg_to_checksum( + ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, buf_len ); - return( 0 ); -} +#if defined(MBEDTLS_SSL_USE_MPS) + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_mps_hs_consume_full_hs_msg( ssl ) ); +#endif /* MBEDTLS_SSL_USE_MPS */ -static int ssl_hrr_parse( mbedtls_ssl_context* ssl, - const unsigned char* buf, size_t buflen ) -{ - int ret; /* return value */ - int i; /* scratch value */ - const unsigned char* msg_end = buf + buflen; /* pointer to the end of the buffer for length checks */ + MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_encrypted_extensions( ssl ) ); - size_t ext_len; /* stores length of all extensions */ - unsigned int ext_id; /* id of an extension */ - const unsigned char* ext; /* pointer to an individual extension */ - unsigned int ext_size; /* size of an individual extension */ +cleanup: - const mbedtls_ssl_ciphersuite_t* suite_info; /* pointer to ciphersuite */ + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse encrypted extensions" ) ); + return( ret ); -#if defined(MBEDTLS_SSL_COOKIE_C) - size_t cookie_len; - unsigned char *cookie; -#endif /* MBEDTLS_SSL_COOKIE_C */ +} - /* Check for minimal length */ - /* struct { - * ProtocolVersion legacy_version = 0x0303; - * Random random; - * opaque legacy_session_id_echo<0..32>; - * CipherSuite cipher_suite; - * uint8 legacy_compression_method = 0; - * Extension extensions<6..2 ^ 16 - 1>; - * } ServerHello; - * - * - * 38 = 32 ( random bytes ) + 2 ( ciphersuite ) + 2 ( version ) + - * 1 ( legacy_compression_method ) + 1 ( minimum for legacy_session_id_echo ) - */ - if( buflen < 38 ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad hello retry request message - min size not reached" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, - MBEDTLS_ERR_SSL_DECODE_ERROR ); - return( MBEDTLS_ERR_SSL_DECODE_ERROR ); - } +/* Parse EncryptedExtensions message + * struct { + * Extension extensions<0..2^16-1>; + * } EncryptedExtensions; + */ +static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl, + const unsigned char *buf, + const unsigned char *end ) +{ + int ret = 0; + size_t extensions_len; + const unsigned char *p = buf; + const unsigned char *extensions_end; - MBEDTLS_SSL_DEBUG_BUF( 4, "hello retry request", buf, buflen ); + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 ); + extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 ); + p += 2; - MBEDTLS_SSL_DEBUG_BUF( 3, "hello retry request, version", buf + 0, 2 ); - mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, - ssl->conf->transport, buf + 0 ); + MBEDTLS_SSL_DEBUG_BUF( 3, "encrypted extensions", p, extensions_len ); + extensions_end = p + extensions_len; + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len ); - /* The version field must contain 0x303 */ - if( buf[0] != 0x03 || buf[1] != 0x03 ) + while( p < extensions_end ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION, - MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION ); - return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION ); - } - - /* skip version */ - buf += 2; + unsigned int extension_type; + size_t extension_data_len; - /* Internally we use the correct 1.3 version */ - ssl->major_ver = 0x03; - ssl->minor_ver = 0x04; + /* + * struct { + * ExtensionType extension_type; (2 bytes) + * opaque extension_data<0..2^16-1>; + * } Extension; + */ + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 ); + extension_type = MBEDTLS_GET_UINT16_BE( p, 0 ); + extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 ); + p += 4; - /* store server-provided random values */ - memcpy( ssl->handshake->randbytes + 32, buf, 32 ); - MBEDTLS_SSL_DEBUG_BUF( 3, "hello retry request, random bytes", buf + 2, 32 ); + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len ); - /* skip random bytes */ - buf += 32; + /* The client MUST check EncryptedExtensions for the + * presence of any forbidden extensions and if any are found MUST abort + * the handshake with an "unsupported_extension" alert. + */ + switch( extension_type ) + { - if( ssl_tls13_check_server_hello_session_id_echo( ssl, &buf, msg_end ) != 0 ) - { - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, - MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - } +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) + case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) ); - /* read server-selected ciphersuite, which follows random bytes */ - i = ( buf[0] << 8 ) | buf[1]; + ret = ssl_tls13_parse_max_fragment_length_ext( ssl, p, + extension_data_len ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_parse_max_fragment_length_ext", ret ); + return( ret ); + } - /* skip ciphersuite */ - buf += 2; + break; +#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ - /* TBD: Check whether we have offered this ciphersuite */ - /* Via the force_ciphersuite version we may have instructed the client */ - /* to use a difference ciphersuite. */ + case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extensions supported groups" ) ); + break; - /* Configure ciphersuites */ - ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i ); +#if defined(MBEDTLS_SSL_ALPN) + case MBEDTLS_TLS_EXT_ALPN: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); - if( ssl->handshake->ciphersuite_info == NULL ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR, - MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - } + ret = ssl_tls13_parse_alpn_ext( ssl, p, extension_data_len ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_parse_alpn_ext", ret ); + return( ret ); + } - mbedtls_ssl_optimize_checksum( ssl, ssl->handshake->ciphersuite_info ); + break; +#endif /* MBEDTLS_SSL_ALPN */ - ssl->session_negotiate->ciphersuite = i; +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + case MBEDTLS_TLS_EXT_SERVERNAME: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found server_name extension" ) ); - suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); - if( suite_info == NULL ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad hello retry request message" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, - MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - } + /* The server_name extension should be an empty extension */ - MBEDTLS_SSL_DEBUG_MSG( 3, ( "hello retry request, chosen ciphersuite: ( %04x ) - %s", i, suite_info->name ) ); + break; +#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ -#if defined(MBEDTLS_HAVE_TIME) - ssl->session_negotiate->start = time( NULL ); -#endif /* MBEDTLS_HAVE_TIME */ +#if defined(MBEDTLS_ZERO_RTT) + case MBEDTLS_TLS_EXT_EARLY_DATA: + MBEDTLS_SSL_DEBUG_MSG(3, ( "found early_data extension" )); - i = 0; - while ( 1 ) - { - if( ssl->conf->ciphersuite_list[i] == 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad hello retry request message" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, - MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - } + ret = ssl_tls13_parse_encrypted_extensions_early_data_ext( + ssl, p, extension_data_len ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_parse_encrypted_extensions_early_data_ext", ret ); + return( ret ); + } + break; +#endif /* MBEDTLS_ZERO_RTT */ - if( ssl->conf->ciphersuite_list[i++] == - ssl->session_negotiate->ciphersuite ) - { - break; + default: + MBEDTLS_SSL_DEBUG_MSG( + 3, ( "unsupported extension found: %u ", extension_type) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT, \ + MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION ); + return ( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION ); + break; } - } - /* Ensure that compression method is set to zero */ - if( buf[0] != 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad hello retry request message" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, - MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); - return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + p += extension_data_len; } - /* skip compression */ - buf++; - - /* Are we reading beyond the message buffer? */ - if( ( buf + 2 ) > msg_end ) + /* Check that we consumed all the message. */ + if( p != end ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad hello retry request message" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, + MBEDTLS_SSL_DEBUG_MSG( 1, ( "EncryptedExtension lengths misaligned" ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \ MBEDTLS_ERR_SSL_DECODE_ERROR ); return( MBEDTLS_ERR_SSL_DECODE_ERROR ); } - ext_len = ( ( buf[0] << 8 ) | ( buf[1] ) ); - buf += 2; /* skip extension length */ + return( ret ); +} - /* Are we reading beyond the message buffer? */ - if( ( buf + ext_len ) > msg_end ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad hello retry request message" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, - MBEDTLS_ERR_SSL_DECODE_ERROR ); - return( MBEDTLS_ERR_SSL_DECODE_ERROR ); - } +static int ssl_tls13_postprocess_encrypted_extensions( mbedtls_ssl_context *ssl ) +{ + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST ); + return( 0 ); +} - ext = buf; +/* + * + * STATE HANDLING: Write Early-Data + * + */ - MBEDTLS_SSL_DEBUG_MSG( 3, ( "hello retry request, total extension length: %" MBEDTLS_PRINTF_SIZET , ext_len ) ); + /* + * Overview + */ - MBEDTLS_SSL_DEBUG_BUF( 3, "extensions", ext, ext_len ); + /* Main state-handling entry point; orchestrates the other functions. */ +int ssl_tls13_write_early_data_process( mbedtls_ssl_context *ssl ); - while ( ext_len ) - { - ext_id = ( ( ext[0] << 8 ) | ( ext[1] ) ); - ext_size = ( ( ext[2] << 8 ) | ( ext[3] ) ); +#define SSL_EARLY_DATA_WRITE 0 +#define SSL_EARLY_DATA_SKIP 1 +static int ssl_tls13_write_early_data_coordinate( mbedtls_ssl_context *ssl ); - if( ext_size + 4 > ext_len ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad hello retry request message" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, - MBEDTLS_ERR_SSL_DECODE_ERROR ); - return( MBEDTLS_ERR_SSL_DECODE_ERROR ); - } +#if defined(MBEDTLS_ZERO_RTT) +static int ssl_tls13_write_early_data_prepare( mbedtls_ssl_context *ssl ); - switch( ext_id ) - { -#if defined(MBEDTLS_SSL_COOKIE_C) - case MBEDTLS_TLS_EXT_COOKIE: +/* Write early-data message */ +static int ssl_tls13_write_early_data_write( mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t buf_len, + size_t *out_len ); +#endif /* MBEDTLS_ZERO_RTT */ - /* Retrieve length field of cookie */ - if( ext_size >= 2 ) - { - cookie = (unsigned char *) ( ext + 4 ); - cookie_len = ( cookie[0] << 8 ) | cookie[1]; - cookie += 2; - } - else - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad HRR message - cookie length mismatch" ) ); - return( MBEDTLS_ERR_SSL_DECODE_ERROR ); - } +/* Update the state after handling the outgoing early-data message. */ +static int ssl_tls13_write_early_data_postprocess( mbedtls_ssl_context *ssl ); - if( ( cookie_len + 2 ) != ext_size ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad HRR message - cookie length mismatch" ) ); - return( MBEDTLS_ERR_SSL_DECODE_ERROR ); - } +/* + * Implementation + */ - MBEDTLS_SSL_DEBUG_BUF( 3, "cookie extension", cookie, cookie_len ); +int ssl_tls13_write_early_data_process( mbedtls_ssl_context *ssl ) +{ + int ret; +#if defined(MBEDTLS_SSL_USE_MPS) + mbedtls_writer *msg; + unsigned char *buf; + mbedtls_mps_size_t buf_len, msg_len; +#endif /* MBEDTLS_SSL_USE_MPS */ + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write early data" ) ); - mbedtls_free( ssl->handshake->verify_cookie ); + MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_write_early_data_coordinate( ssl ) ); + if( ret == SSL_EARLY_DATA_WRITE ) + { +#if defined(MBEDTLS_ZERO_RTT) - ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len ); - if( ssl->handshake->verify_cookie == NULL ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed ( %" MBEDTLS_PRINTF_SIZET " bytes )", cookie_len ) ); - return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); - } + MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_early_data_prepare( ssl ) ); - memcpy( ssl->handshake->verify_cookie, cookie, cookie_len ); - ssl->handshake->verify_cookie_len = (unsigned char) cookie_len; - break; -#endif /* MBEDTLS_SSL_COOKIE_C */ +#if defined(MBEDTLS_SSL_USE_MPS) + MBEDTLS_SSL_PROC_CHK( mbedtls_mps_write_application( &ssl->mps->l4, + &msg ) ); - case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_versions extension" ) ); + /* Request write-buffer */ + MBEDTLS_SSL_PROC_CHK( mbedtls_writer_get( msg, MBEDTLS_MPS_SIZE_MAX, + &buf, &buf_len ) ); - ret = ssl_tls13_parse_supported_versions_ext( ssl, ext + 4, ext + 4 + ext_size ); - if( ret != 0 ) - return( ret ); - break; + MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_early_data_write( + ssl, buf, buf_len, &msg_len ) ); -#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) - case MBEDTLS_TLS_EXT_KEY_SHARE: - { - /* Variables for parsing the key_share */ - const mbedtls_ecp_group_id* grp_id; - const mbedtls_ecp_curve_info *curve_info = NULL; - int tls_id; - int found = 0; + /* Commit message */ + MBEDTLS_SSL_PROC_CHK( mbedtls_writer_commit_partial( msg, + buf_len - msg_len ) ); - MBEDTLS_SSL_DEBUG_BUF( 3, "key_share extension", ext + 4, ext_size ); + MBEDTLS_SSL_PROC_CHK( mbedtls_mps_dispatch( &ssl->mps->l4 ) ); - /* Read selected_group */ - tls_id = ( ( ext[4] << 8 ) | ( ext[5] ) ); - MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected_group ( %d )", tls_id ) ); + /* Update state */ + MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_early_data_postprocess( ssl ) ); - /* Upon receipt of this extension in a HelloRetryRequest, the client - * MUST first verify that the selected_group field corresponds to a - * group which was provided in the "supported_groups" extension in the - * original ClientHello. - * The supported_group was based on the info in ssl->conf->curve_list. - * - * If the server provided a key share that was not sent in the ClientHello - * then the client MUST abort the handshake with an "illegal_parameter" alert. */ - for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) - { - curve_info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); - if( curve_info == NULL || curve_info->tls_id != tls_id ) - continue; +#else /* MBEDTLS_SSL_USE_MPS */ - /* We found a match */ - found = 1; - break; - } + /* Write early-data to message buffer. */ + MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_early_data_write( ssl, ssl->out_msg, + MBEDTLS_SSL_OUT_CONTENT_LEN, + &ssl->out_msglen ) ); - /* Client MUST verify that the selected_group field does not - * correspond to a group which was provided in the "key_share" - * extension in the original ClientHello. If the server sent an - * HRR message with a key share already provided in the - * ClientHello then the client MUST abort the handshake with - * an "illegal_parameter" alert. */ - if( found == 0 || tls_id == ssl->handshake->offered_group_id ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid key share in HRR" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, - MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); - return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); - } + ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA; - /* Remember server's preference for next ClientHello */ - ssl->handshake->offered_group_id = tls_id; - break; - } + /* Update state */ + MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_early_data_postprocess( ssl ) ); -#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ - default: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d ( ignoring )", ext_id ) ); - } + /* Dispatch message */ + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ); - /* Jump to next extension */ - ext_len -= 4 + ext_size; - ext += 4 + ext_size; +#endif /* MBEDTLS_SSL_USE_MPS */ - if( ext_len > 0 && ext_len < 4 ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad hello retry request message" ) ); - return( MBEDTLS_ERR_SSL_DECODE_ERROR ); - } +#else /* MBEDTLS_ZERO_RTT */ + ((void) buf); + ((void) buf_len); + ((void) msg); + ((void) msg_len); + /* Should never happen */ + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); +#endif /* MBEDTLS_ZERO_RTT */ + } + else + { + /* Update state */ + MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_early_data_postprocess( ssl ) ); } - return( 0 ); +cleanup: + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write early data" ) ); + return( ret ); } -static int ssl_tls13_finalize_server_hello( mbedtls_ssl_context *ssl ) +#if defined(MBEDTLS_ZERO_RTT) + +static int ssl_tls13_write_early_data_coordinate( mbedtls_ssl_context *ssl ) { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - mbedtls_ssl_key_set traffic_keys; - mbedtls_ssl_transform *transform_handshake = NULL; - mbedtls_ssl_handshake_params *handshake = ssl->handshake; + if( ssl->handshake->early_data != MBEDTLS_SSL_EARLY_DATA_ON ) + return( SSL_EARLY_DATA_SKIP ); - /* Determine the key exchange mode: - * 1) If both the pre_shared_key and key_share extensions were received - * then the key exchange mode is PSK with EPHEMERAL. - * 2) If only the pre_shared_key extension was received then the key - * exchange mode is PSK-only. - * 3) If only the key_share extension was received then the key - * exchange mode is EPHEMERAL-only. - */ - switch( handshake->extensions_present & - ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ) ) - { - /* Only the pre_shared_key extension was received */ - case MBEDTLS_SSL_EXT_PRE_SHARED_KEY: - handshake->key_exchange = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK; - break; + return( SSL_EARLY_DATA_WRITE ); +} - /* Only the key_share extension was received */ - case MBEDTLS_SSL_EXT_KEY_SHARE: - handshake->key_exchange = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL; - break; +static int ssl_tls13_write_early_data_prepare( mbedtls_ssl_context *ssl ) +{ + int ret; + mbedtls_ssl_key_set traffic_keys; - /* Both the pre_shared_key and key_share extensions were received */ - case ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ): - handshake->key_exchange = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; - break; + const unsigned char *psk; + size_t psk_len; + const unsigned char *psk_identity; + size_t psk_identity_len; - /* Neither pre_shared_key nor key_share extension was received */ - default: - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unknown key exchange." ) ); - ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; - goto cleanup; - } + mbedtls_ssl_transform *transform_earlydata; - /* Start the TLS 1.3 key schedule: Set the PSK and derive early secret. - * - * TODO: We don't have to do this in case we offered 0-RTT and the - * server accepted it. In this case, we could skip generating - * the early secret. */ - ret = mbedtls_ssl_tls1_3_key_schedule_stage_early( ssl ); - if( ret != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_key_schedule_stage_early_data", - ret ); - goto cleanup; - } + /* From RFC 8446: + * "The PSK used to encrypt the + * early data MUST be the first PSK listed in the client's + * 'pre_shared_key' extension." + */ - /* Compute handshake secret */ - ret = mbedtls_ssl_tls13_key_schedule_stage_handshake( ssl ); - if( ret != 0 ) + if( mbedtls_ssl_get_psk_to_offer( ssl, &psk, &psk_len, + &psk_identity, &psk_identity_len ) != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_derive_master_secret", ret ); - goto cleanup; + /* This should never happen: We can only have gone past + * ssl_tls13_write_early_data_coordinate() if we have offered a PSK. */ + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - /* Next evolution in key schedule: Establish handshake secret and - * key material. */ - ret = mbedtls_ssl_tls13_generate_handshake_keys( ssl, &traffic_keys ); - if( ret != 0 ) + if( ( ret = mbedtls_ssl_set_hs_psk( ssl, psk, psk_len ) ) != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_generate_handshake_keys", - ret ); - goto cleanup; + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_set_hs_psk", ret ); + return( ret ); } - transform_handshake = mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) ); - if( transform_handshake == NULL ) + /* Start the TLS 1.3 key schedule: Set the PSK and derive early secret. */ + ret = mbedtls_ssl_tls13_key_schedule_stage_early( ssl ); + if( ret != 0 ) { - ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; - goto cleanup; + MBEDTLS_SSL_DEBUG_RET( 1, + "mbedtls_ssl_tls13_key_schedule_stage_early", ret ); + return( ret ); } - ret = mbedtls_ssl_tls13_populate_transform( transform_handshake, - ssl->conf->endpoint, - ssl->session_negotiate->ciphersuite, - &traffic_keys, - ssl ); + /* Derive 0-RTT key material */ + ret = mbedtls_ssl_tls13_generate_early_data_keys( + ssl, &traffic_keys ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret ); - goto cleanup; + MBEDTLS_SSL_DEBUG_RET( 1, + "mbedtls_ssl_tls13_generate_early_data_keys", ret ); + return( ret ); } -#if !defined(MBEDTLS_SSL_USE_MPS) - handshake->transform_handshake = transform_handshake; - mbedtls_ssl_set_inbound_transform( ssl, transform_handshake ); -#else /* MBEDTLS_SSL_USE_MPS */ - ret = mbedtls_mps_add_key_material( &ssl->mps->l4, - transform_handshake, - &handshake->epoch_handshake ); - if( ret != 0 ) - return( ret ); + transform_earlydata = + mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) ); + if( transform_earlydata == NULL ) + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); - ret = mbedtls_mps_set_incoming_keys( &ssl->mps->l4, - handshake->epoch_handshake ); + ret = mbedtls_ssl_tls13_populate_transform( + transform_earlydata, + ssl->conf->endpoint, + ssl->session_negotiate->ciphersuite, + &traffic_keys, + ssl ); if( ret != 0 ) return( ret ); -#endif /* MBEDTLS_SSL_USE_MPS */ - - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) ); - ssl->session_in = ssl->session_negotiate; - /* - * State machine update - */ - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS ); - -cleanup: - - mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) ); +#if defined(MBEDTLS_SSL_USE_MPS) + /* Register transform with MPS. */ + ret = mbedtls_mps_add_key_material( &ssl->mps->l4, + transform_earlydata, + &ssl->handshake->epoch_earlydata ); if( ret != 0 ) - { - mbedtls_free( transform_handshake ); - - MBEDTLS_SSL_PEND_FATAL_ALERT( - MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, - MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - } - return( ret ); -} -static int ssl_hrr_postprocess( mbedtls_ssl_context* ssl ) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - - if( ssl->handshake->hello_retry_requests_received > 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Multiple HRRs received" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - } - - ssl->handshake->hello_retry_requests_received++; - -#if defined(MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE) - /* If not offering early data, the client sends a dummy CCS record - * immediately before its second flight. This may either be before - * its second ClientHello or before its encrypted handshake flight. */ - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO ); -#else - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO ); -#endif /* MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE */ - - mbedtls_ssl_session_reset_msg_layer( ssl, 0 ); + return( ret ); - /* Reset everything that's going to be re-generated in the new ClientHello. - * - * Currently, we're always resetting the key share, even if the server - * was fine with it. Once we have separated key share generation from - * key share writing, we can confine this to the case where the server - * requested a different share. */ - ret = ssl_reset_key_share( ssl ); + /* Use new transform for outgoing data. */ + ret = mbedtls_mps_set_outgoing_keys( &ssl->mps->l4, + ssl->handshake->epoch_earlydata ); if( ret != 0 ) return( ret ); - - return( 0 ); -} - -static int ssl_tls1_3_process_server_hello( mbedtls_ssl_context *ssl ) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; -#if defined(MBEDTLS_SSL_USE_MPS) - mbedtls_mps_handshake_in msg; -#endif - unsigned char *buf = NULL; - size_t buf_len = 0; - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> %s", __func__ ) ); - - /* Coordination step - * - Fetch record - * - Make sure it's either a ServerHello or a HRR. - * - Switch processing routine in case of HRR - */ - - ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; - ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE; - -#if defined(MBEDTLS_SSL_USE_MPS) - ret = ssl_tls13_server_hello_coordinate( ssl, &msg, &buf, &buf_len ); #else /* MBEDTLS_SSL_USE_MPS */ - ret = ssl_tls13_server_hello_coordinate( ssl, &buf, &buf_len ); -#endif /* MBEDTLS_SSL_USE_MPS */ - /* Parsing step - * We know what message to expect by now and call - * the respective parsing function. - */ - - if( ret == SSL_SERVER_HELLO_COORDINATE_HELLO ) - { - MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_server_hello( ssl, buf, - buf + buf_len ) ); - mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( - ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, buf_len ); - -#if defined(MBEDTLS_SSL_USE_MPS) - MBEDTLS_SSL_PROC_CHK( mbedtls_mps_reader_commit( msg.handle ) ); - MBEDTLS_SSL_PROC_CHK( mbedtls_mps_read_consume( &ssl->mps->l4 ) ); + /* Activate transform */ + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to 0-RTT keys for outbound traffic" ) ); + ssl->handshake->transform_earlydata = transform_earlydata; + mbedtls_ssl_set_outbound_transform( ssl, ssl->handshake->transform_earlydata ); + #endif /* MBEDTLS_SSL_USE_MPS */ - MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_server_hello( ssl ) ); + return( 0 ); +} + +static int ssl_tls13_write_early_data_write( mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t buf_len, + size_t *out_len ) +{ + if( ssl->early_data_len > buf_len ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); + return ( MBEDTLS_ERR_SSL_ALLOC_FAILED ); } - else if( ret == SSL_SERVER_HELLO_COORDINATE_HRR ) + else { - MBEDTLS_SSL_PROC_CHK( ssl_hrr_parse( ssl, buf, buf_len ) ); - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_reset_transcript_for_hrr( ssl ) ); - - mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( - ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, buf_len ); + memcpy( buf, ssl->early_data_buf, ssl->early_data_len ); #if defined(MBEDTLS_SSL_USE_MPS) - MBEDTLS_SSL_PROC_CHK( mbedtls_mps_reader_commit( msg.handle ) ); - MBEDTLS_SSL_PROC_CHK( mbedtls_mps_read_consume( &ssl->mps->l4 ) ); -#endif /* MBEDTLS_SSL_USE_MPS */ + *out_len = ssl->early_data_len; + MBEDTLS_SSL_DEBUG_BUF( 3, "Early Data", buf, ssl->early_data_len ); +#else + buf[ssl->early_data_len] = MBEDTLS_SSL_MSG_APPLICATION_DATA; + *out_len = ssl->early_data_len + 1; - MBEDTLS_SSL_PROC_CHK( ssl_hrr_postprocess( ssl ) ); + MBEDTLS_SSL_DEBUG_BUF( 3, "Early Data", ssl->out_msg, *out_len ); +#endif /* MBEDTLS_SSL_USE_MPS */ } + return( 0 ); +} -cleanup: +#else /* MBEDTLS_ZERO_RTT */ - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= %s", __func__ ) ); - return( ret ); +static int ssl_tls13_write_early_data_coordinate( mbedtls_ssl_context *ssl ) +{ + ((void) ssl); + return( SSL_EARLY_DATA_SKIP ); +} + +#endif /* MBEDTLS_ZERO_RTT */ + +static int ssl_tls13_write_early_data_postprocess( mbedtls_ssl_context *ssl ) +{ + /* Clear PSK we've used for the 0-RTT. */ + mbedtls_ssl_remove_hs_psk( ssl ); + + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_HELLO ); + return ( 0 ); } /* * - * EncryptedExtensions message + * STATE HANDLING: Write End-of-Early-Data * - * The EncryptedExtensions message contains any extensions which - * should be protected, i.e., any which are not needed to establish - * the cryptographic context. */ -/* - * Overview - */ + /* + * Overview + */ -/* Main entry point; orchestrates the other functions */ -static int ssl_tls13_process_encrypted_extensions( mbedtls_ssl_context *ssl ); + /* Main state-handling entry point; orchestrates the other functions. */ +int ssl_tls13_write_end_of_early_data_process( mbedtls_ssl_context *ssl ); -static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context* ssl, - const unsigned char* buf, - const unsigned char *end ); -static int ssl_tls13_postprocess_encrypted_extensions( mbedtls_ssl_context *ssl ); +#define SSL_END_OF_EARLY_DATA_WRITE 0 +#define SSL_END_OF_EARLY_DATA_SKIP 1 +static int ssl_tls13_write_end_of_early_data_coordinate( mbedtls_ssl_context *ssl ); +/* Update the state after handling the outgoing end-of-early-data message. */ +static int ssl_tls13_write_end_of_early_data_postprocess( mbedtls_ssl_context *ssl ); /* - * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS + * Implementation */ -static int ssl_tls13_process_encrypted_extensions( mbedtls_ssl_context *ssl ) + +int ssl_tls13_write_end_of_early_data_process( mbedtls_ssl_context *ssl ) { int ret; - unsigned char *buf; - size_t buf_len; - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse encrypted extensions" ) ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write EndOfEarlyData" ) ); - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls1_3_fetch_handshake_msg( - ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSION, - &buf, &buf_len ) ); + MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_write_end_of_early_data_coordinate( ssl ) ); + if( ret == SSL_END_OF_EARLY_DATA_WRITE ) + { + unsigned char *buf; + size_t buf_len; - /* Process the message contents */ - MBEDTLS_SSL_PROC_CHK( - ssl_tls13_parse_encrypted_extensions( ssl, buf, buf + buf_len ) ); + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl, + MBEDTLS_SSL_HS_END_OF_EARLY_DATA, &buf, &buf_len ) ); - mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( - ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSION, buf, buf_len ); -#if defined(MBEDTLS_SSL_USE_MPS) - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_mps_hs_consume_full_hs_msg( ssl ) ); -#endif /* MBEDTLS_SSL_USE_MPS */ + mbedtls_ssl_tls13_add_hs_hdr_to_checksum( + ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0 ); - MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_encrypted_extensions( ssl ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_end_of_early_data_postprocess( ssl ) ); + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg( ssl, buf_len, 0 ) ); + } + else + { + /* Update state */ + MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_end_of_early_data_postprocess( ssl ) ); + } cleanup: - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse encrypted extensions" ) ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write EndOfEarlyData" ) ); return( ret ); - } -/* Parse EncryptedExtensions message - * struct { - * Extension extensions<0..2^16-1>; - * } EncryptedExtensions; - */ -static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl, - const unsigned char *buf, - const unsigned char *end ) +static int ssl_tls13_write_end_of_early_data_coordinate( mbedtls_ssl_context *ssl ) { - int ret = 0; - size_t extensions_len; - const unsigned char *p = buf; - const unsigned char *extensions_end; - - MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 ); - extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 ); - p += 2; - - MBEDTLS_SSL_DEBUG_BUF( 3, "encrypted extensions", p, extensions_len ); - extensions_end = p + extensions_len; - MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len ); + ((void) ssl); - while( p < extensions_end ) +#if defined(MBEDTLS_ZERO_RTT) + if( ssl->handshake->early_data == MBEDTLS_SSL_EARLY_DATA_ON ) { - unsigned int extension_type; - size_t extension_data_len; + if( ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_ACCEPTED ) + return( SSL_END_OF_EARLY_DATA_WRITE ); /* - * struct { - * ExtensionType extension_type; (2 bytes) - * opaque extension_data<0..2^16-1>; - * } Extension; - */ - MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 ); - extension_type = MBEDTLS_GET_UINT16_BE( p, 0 ); - extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 ); - p += 4; - - MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len ); - - /* The client MUST check EncryptedExtensions for the - * presence of any forbidden extensions and if any are found MUST abort - * the handshake with an "unsupported_extension" alert. + * RFC 8446: + * "If the server does not send an "early_data" + * extension in EncryptedExtensions, then the client MUST NOT send an + * EndOfEarlyData message." */ - switch( extension_type ) - { - -#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) ); - - ret = ssl_parse_max_fragment_length_ext( ssl, p, - extension_data_len ); - if( ret != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_parse_max_fragment_length_ext", ret ); - return( ret ); - } - - break; -#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ - - case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extensions supported groups" ) ); - break; - -#if defined(MBEDTLS_SSL_ALPN) - case MBEDTLS_TLS_EXT_ALPN: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); - - ret = ssl_parse_alpn_ext( ssl, p, extension_data_len ); - if( ret != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_parse_alpn_ext", ret ); - return( ret ); - } - - break; -#endif /* MBEDTLS_SSL_ALPN */ - -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - case MBEDTLS_TLS_EXT_SERVERNAME: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "found server_name extension" ) ); - - /* The server_name extension should be an empty extension */ - - break; -#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ - -#if defined(MBEDTLS_ZERO_RTT) - case MBEDTLS_TLS_EXT_EARLY_DATA: - MBEDTLS_SSL_DEBUG_MSG(3, ( "found early_data extension" )); - - ret = ssl_parse_encrypted_extensions_early_data_ext( - ssl, p, extension_data_len ); - if( ret != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_parse_early_data_ext", ret ); - return( ret ); - } - break; -#endif /* MBEDTLS_ZERO_RTT */ - default: - MBEDTLS_SSL_DEBUG_MSG( - 3, ( "unsupported extension found: %u ", extension_type) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( - MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT, \ - MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION ); - return ( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION ); - break; - } - - p += extension_data_len; - } - - /* Check that we consumed all the message. */ - if( p != end ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "EncryptedExtension lengths misaligned" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \ - MBEDTLS_ERR_SSL_DECODE_ERROR ); - return( MBEDTLS_ERR_SSL_DECODE_ERROR ); + MBEDTLS_SSL_DEBUG_MSG( 4, ( "skip EndOfEarlyData, server rejected" ) ); } +#endif /* MBEDTLS_ZERO_RTT */ - return( ret ); + return( SSL_END_OF_EARLY_DATA_SKIP ); } -static int ssl_tls13_postprocess_encrypted_extensions( mbedtls_ssl_context *ssl ) +static int ssl_tls13_write_end_of_early_data_postprocess( mbedtls_ssl_context *ssl ) { - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST ); +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) + if( ssl_tls13_write_end_of_early_data_coordinate( ssl ) != SSL_END_OF_EARLY_DATA_WRITE ) + { + mbedtls_ssl_handshake_set_state( ssl, + MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED ); + return( 0 ); + } +#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE ); return( 0 ); } @@ -3384,7 +3322,7 @@ static int ssl_tls13_postprocess_encrypted_extensions( mbedtls_ssl_context *ssl */ /* Main entry point; orchestrates the other functions */ -static int ssl_tls1_3_process_certificate_request( mbedtls_ssl_context *ssl ); +static int ssl_tls13_process_certificate_request( mbedtls_ssl_context *ssl ); /* Coordination: * Deals with the ambiguity of not knowing if a CertificateRequest @@ -3395,21 +3333,21 @@ static int ssl_tls1_3_process_certificate_request( mbedtls_ssl_context *ssl ); */ #define SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST 0 #define SSL_CERTIFICATE_REQUEST_SKIP 1 -static int ssl_certificate_request_coordinate( mbedtls_ssl_context* ssl ); +static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl ); #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) -static int ssl_certificate_request_parse( mbedtls_ssl_context* ssl, - unsigned char const* buf, - size_t buflen ); +static int ssl_tls13_certificate_request_parse( mbedtls_ssl_context *ssl, + unsigned char const *buf, + size_t buf_len ); #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ -static int ssl_certificate_request_postprocess( mbedtls_ssl_context* ssl ); +static int ssl_tls13_certificate_request_postprocess( mbedtls_ssl_context *ssl ); /* * Implementation */ /* Main entry point; orchestrates the other functions */ -static int ssl_tls1_3_process_certificate_request( mbedtls_ssl_context *ssl ) +static int ssl_tls13_process_certificate_request( mbedtls_ssl_context *ssl ) { int ret = 0; @@ -3419,22 +3357,22 @@ static int ssl_tls1_3_process_certificate_request( mbedtls_ssl_context *ssl ) * - Fetch record * - Make sure it's either a CertificateRequest or a ServerHelloDone */ - MBEDTLS_SSL_PROC_CHK_NEG( ssl_certificate_request_coordinate( ssl ) ); + MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_certificate_request_coordinate( ssl ) ); #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) if( ret == SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST ) { unsigned char *buf; - size_t buflen; + size_t buf_len; - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls1_3_fetch_handshake_msg( + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, - &buf, &buflen ) ); + &buf, &buf_len ) ); - MBEDTLS_SSL_PROC_CHK( ssl_certificate_request_parse( ssl, buf, buflen ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_certificate_request_parse( ssl, buf, buf_len ) ); - mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( - ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, buf, buflen ); + mbedtls_ssl_tls13_add_hs_msg_to_checksum( + ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, buf, buf_len ); #if defined(MBEDTLS_SSL_USE_MPS) MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_mps_hs_consume_full_hs_msg( ssl ) ); #endif @@ -3452,7 +3390,7 @@ static int ssl_tls1_3_process_certificate_request( mbedtls_ssl_context *ssl ) } /* Update state */ - MBEDTLS_SSL_PROC_CHK( ssl_certificate_request_postprocess( ssl ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_certificate_request_postprocess( ssl ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request", ssl->client_auth ? "a" : "no" ) ); @@ -3467,7 +3405,7 @@ static int ssl_tls1_3_process_certificate_request( mbedtls_ssl_context *ssl ) } #if defined(MBEDTLS_SSL_USE_MPS) -static int ssl_certificate_request_coordinate( mbedtls_ssl_context* ssl ) +static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl ) { int ret; mbedtls_mps_handshake_in msg; @@ -3500,7 +3438,7 @@ static int ssl_certificate_request_coordinate( mbedtls_ssl_context* ssl ) #else /* MBEDTLS_SSL_USE_MPS */ -static int ssl_certificate_request_coordinate( mbedtls_ssl_context* ssl ) +static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl ) { int ret; @@ -3535,17 +3473,17 @@ static int ssl_certificate_request_coordinate( mbedtls_ssl_context* ssl ) #endif /* MBEDTLS_SSL_USE_MPS */ #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) -static int ssl_certificate_request_parse( mbedtls_ssl_context* ssl, - const unsigned char* buf, - size_t buflen ) +static int ssl_tls13_certificate_request_parse( mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t buf_len ) { int ret; - const unsigned char* p; - const unsigned char* ext; + const unsigned char *p; + const unsigned char *ext; size_t ext_len = 0; size_t context_len = 0; - if( buflen < 1 ) + if( buf_len < 1 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, @@ -3577,7 +3515,7 @@ static int ssl_certificate_request_parse( mbedtls_ssl_context* ssl, * 3 bytes */ - if( buflen < (size_t) ( 3 + context_len ) ) + if( buf_len < (size_t) ( 3 + context_len ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, @@ -3607,7 +3545,7 @@ static int ssl_certificate_request_parse( mbedtls_ssl_context* ssl, /* * Parse extensions */ - ext_len = ( (size_t) p[0] << 8 ) | ( (size_t) p[1] ); + ext_len = MBEDTLS_GET_UINT16_BE( p, 0 ); /* At least one extension needs to be present, * namely signature_algorithms ext. */ @@ -3625,8 +3563,8 @@ static int ssl_certificate_request_parse( mbedtls_ssl_context* ssl, ext = p; /* jump to extensions */ while( ext_len ) { - size_t ext_id = ( ( size_t ) ext[0] << 8 ) | ( ( size_t ) ext[1] ); - size_t ext_size = ( ( size_t ) ext[2] << 8 ) | ( ( size_t ) ext[3] ); + size_t ext_id = MBEDTLS_GET_UINT16_BE( ext, 0 ); + size_t ext_size = MBEDTLS_GET_UINT16_BE( ext, 2 ); if( ext_size + 4 > ext_len ) { @@ -3642,11 +3580,11 @@ static int ssl_certificate_request_parse( mbedtls_ssl_context* ssl, MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) ); - if( ( ret = mbedtls_ssl_parse_signature_algorithms_ext( ssl, - ext + 4, (size_t) ext_size ) ) != 0 ) + if( ( ret = mbedtls_ssl_tls13_parse_signature_algorithms_ext( + ssl, ext + 4, (size_t) ext_size ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, - "mbedtls_ssl_parse_signature_algorithms_ext", ret ); + "mbedtls_ssl_tls13_parse_signature_algorithms_ext", ret ); MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, ret ); return( ret ); @@ -3677,66 +3615,88 @@ static int ssl_certificate_request_parse( mbedtls_ssl_context* ssl, #endif /* ( MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */ -static int ssl_certificate_request_postprocess( mbedtls_ssl_context* ssl ) +static int ssl_tls13_certificate_request_postprocess( mbedtls_ssl_context *ssl ) { mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CERTIFICATE ); + return( 0 ); } /* * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE */ -static int ssl_tls1_3_process_server_certificate( mbedtls_ssl_context *ssl ) +static int ssl_tls13_process_server_certificate( mbedtls_ssl_context *ssl ) { - return( mbedtls_ssl_read_certificate_process( ssl ) ); + int ret; + + ret = mbedtls_ssl_tls13_process_certificate( ssl ); + if( ret != 0 ) + return( ret ); + + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY ); + + return( 0 ); } /* * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY */ -static int ssl_tls1_3_process_certificate_verify( mbedtls_ssl_context *ssl ) +static int ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl ) { - return( mbedtls_ssl_read_certificate_verify_process( ssl ) ); + int ret; + + ret = mbedtls_ssl_tls13_process_certificate_verify( ssl ); + if( ret != 0 ) + return( ret ); + + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED ); + return( 0 ); } /* * Handler for MBEDTLS_SSL_SERVER_FINISHED */ -static int ssl_tls1_3_process_server_finished( mbedtls_ssl_context *ssl ) +static int ssl_tls13_process_server_finished( mbedtls_ssl_context *ssl ) { - return( mbedtls_ssl_finished_in_process( ssl ) ); + int ret; + + ret = mbedtls_ssl_tls13_process_finished_message( ssl ); + if( ret != 0 ) + return( ret ); + + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_END_OF_EARLY_DATA ); + + return( 0 ); } /* * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE */ -static int ssl_tls1_3_write_client_certificate( mbedtls_ssl_context *ssl ) +static int ssl_tls13_write_client_certificate( mbedtls_ssl_context *ssl ) { - return( mbedtls_ssl_write_certificate_process( ssl ) ); + return( mbedtls_ssl_tls13_write_certificate_process( ssl ) ); } /* * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY */ -static int ssl_tls1_3_write_client_certificate_verify( mbedtls_ssl_context *ssl ) +static int ssl_tls13_write_client_certificate_verify( mbedtls_ssl_context *ssl ) { - return( mbedtls_ssl_write_certificate_verify_process( ssl ) ); + return( mbedtls_ssl_tls13_write_certificate_verify_process( ssl ) ); } /* * Handler for MBEDTLS_SSL_CLIENT_FINISHED */ -static int ssl_tls1_3_write_client_finished( mbedtls_ssl_context *ssl ) +static int ssl_tls13_write_client_finished( mbedtls_ssl_context *ssl ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "%s hasn't been implemented", __func__ ) ); - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_FLUSH_BUFFERS ); - return( mbedtls_ssl_finished_out_process( ssl ) ); + return( mbedtls_ssl_tls13_write_finished_message( ssl ) ); } /* * Handler for MBEDTLS_SSL_FLUSH_BUFFERS */ -static int ssl_tls1_3_flush_buffers( mbedtls_ssl_context *ssl ) +static int ssl_tls13_flush_buffers( mbedtls_ssl_context *ssl ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP ); @@ -3747,7 +3707,7 @@ static int ssl_tls1_3_flush_buffers( mbedtls_ssl_context *ssl ) /* * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP */ -static int ssl_tls1_3_handshake_wrapup( mbedtls_ssl_context *ssl ) +static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for inbound traffic" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for outbound traffic" ) ); @@ -3765,11 +3725,15 @@ static int ssl_tls1_3_handshake_wrapup( mbedtls_ssl_context *ssl ) if( ret != 0 ) return( ret ); #else + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for inbound traffic" ) ); mbedtls_ssl_set_inbound_transform ( ssl, ssl->transform_application ); + + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for outbound traffic" ) ); mbedtls_ssl_set_outbound_transform( ssl, ssl->transform_application ); #endif /* MBEDTLS_SSL_USE_MPS */ - mbedtls_ssl_handshake_wrapup_tls13( ssl ); + mbedtls_ssl_tls13_handshake_wrapup( ssl ); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER ); return( 0 ); @@ -3783,9 +3747,9 @@ static int ssl_tls1_3_handshake_wrapup( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) -static int ssl_new_session_ticket_early_data_ext_parse( mbedtls_ssl_context* ssl, - const unsigned char* buf, - size_t ext_size ) +static int ssl_tls13_new_session_ticket_early_data_ext_parse( + mbedtls_ssl_context *ssl, + const unsigned char *buf, size_t ext_size ) { /* From RFC 8446: * @@ -3800,9 +3764,7 @@ static int ssl_new_session_ticket_early_data_ext_parse( mbedtls_ssl_context* ssl if( ext_size == 4 && ssl->session != NULL ) { - ssl->session->max_early_data_size = - ( (uint32_t) buf[0] << 24 ) | ( (uint32_t) buf[1] << 16 ) | - ( (uint32_t) buf[2] << 8 ) | ( (uint32_t) buf[3] ); + ssl->session->max_early_data_size = MBEDTLS_GET_UINT32_BE( buf, 0 ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket->max_early_data_size: %u", ssl->session->max_early_data_size ) ); ssl->session->ticket_flags |= allow_early_data; @@ -3812,9 +3774,9 @@ static int ssl_new_session_ticket_early_data_ext_parse( mbedtls_ssl_context* ssl return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } -static int ssl_new_session_ticket_extensions_parse( mbedtls_ssl_context* ssl, - const unsigned char* buf, - size_t buf_remain ) +static int ssl_tls13_new_session_ticket_extensions_parse( + mbedtls_ssl_context *ssl, + const unsigned char *buf, size_t buf_remain ) { int ret; unsigned int ext_id; @@ -3828,8 +3790,8 @@ static int ssl_new_session_ticket_extensions_parse( mbedtls_ssl_context* ssl, return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } - ext_id = ( ( (unsigned) buf[0] << 8 ) | ( (unsigned) buf[1] ) ); - ext_size = ( ( (size_t) buf[2] << 8 ) | ( (size_t) buf[3] ) ); + ext_id = MBEDTLS_GET_UINT16_BE( buf, 0 ); + ext_size = MBEDTLS_GET_UINT16_BE( buf, 2 ); buf += 4; buf_remain -= 4; @@ -3842,11 +3804,11 @@ static int ssl_new_session_ticket_extensions_parse( mbedtls_ssl_context* ssl, if( ext_id == MBEDTLS_TLS_EXT_EARLY_DATA ) { - ret = ssl_new_session_ticket_early_data_ext_parse( ssl, buf, - ext_size ); + ret = ssl_tls13_new_session_ticket_early_data_ext_parse( ssl, buf, + ext_size ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_new_session_ticket_early_data_ext_parse", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_new_session_ticket_early_data_ext_parse", ret ); return( ret ); } } @@ -3859,9 +3821,9 @@ static int ssl_new_session_ticket_extensions_parse( mbedtls_ssl_context* ssl, return( 0 ); } -static int ssl_new_session_ticket_parse( mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen ) +static int ssl_tls13_new_session_ticket_parse( mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t buf_len ) { int ret; size_t ticket_len, ext_len; @@ -3888,27 +3850,21 @@ static int ssl_new_session_ticket_parse( mbedtls_ssl_context* ssl, + 2 /* ticket length */ + 2; /* extension length */ - if( used > buflen ) + if( used > buf_len ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); return( MBEDTLS_ERR_SSL_DECODE_ERROR ); } /* Ticket lifetime */ - ssl->session->ticket_lifetime = - ( (unsigned) buf[i] << 24 ) | ( (unsigned) buf[i + 1] << 16 ) | - ( (unsigned) buf[i + 2] << 8 ) | ( (unsigned) buf[i + 3] << 0 ); + ssl->session->ticket_lifetime = MBEDTLS_GET_UINT32_BE( buf, i ); i += 4; MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket->lifetime: %u", ssl->session->ticket_lifetime ) ); /* Ticket Age Add */ - ssl->session->ticket_age_add = - ( (unsigned) buf[i] << 24 ) | - ( (unsigned) buf[i + 1] << 16 ) | - ( (unsigned) buf[i + 2] << 8 ) | - ( (unsigned) buf[i + 3] << 0 ); + ssl->session->ticket_age_add = MBEDTLS_GET_UINT32_BE( buf, i ); i += 4; MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket->ticket_age_add: %u", @@ -3919,7 +3875,7 @@ static int ssl_new_session_ticket_parse( mbedtls_ssl_context* ssl, used += ticket_nonce_len; - if( used > buflen ) + if( used > buf_len ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); return( MBEDTLS_ERR_SSL_DECODE_ERROR ); @@ -3942,12 +3898,12 @@ static int ssl_new_session_ticket_parse( mbedtls_ssl_context* ssl, i += ticket_nonce_len; /* Ticket */ - ticket_len = ( (size_t) buf[i] << 8 ) | ( (size_t) buf[i + 1] ); + ticket_len = MBEDTLS_GET_UINT16_BE( buf, i ); i += 2; used += ticket_len; - if( used > buflen ) + if( used > buf_len ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); return( MBEDTLS_ERR_SSL_DECODE_ERROR ); @@ -3978,12 +3934,11 @@ static int ssl_new_session_ticket_parse( mbedtls_ssl_context* ssl, /* Ticket Extension */ - ext_len = ( (size_t) buf[ i + 0 ] << 8 ) | - ( (size_t) buf[ i + 1 ] ); + ext_len = MBEDTLS_GET_UINT16_BE( buf, i ); i += 2; used += ext_len; - if( used != buflen ) + if( used != buf_len ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); return( MBEDTLS_ERR_SSL_DECODE_ERROR ); @@ -3991,10 +3946,10 @@ static int ssl_new_session_ticket_parse( mbedtls_ssl_context* ssl, MBEDTLS_SSL_DEBUG_BUF( 3, "ticket->extension", &buf[i], ext_len ); - ret = ssl_new_session_ticket_extensions_parse( ssl, &buf[i], ext_len ); + ret = ssl_tls13_new_session_ticket_extensions_parse( ssl, &buf[i], ext_len ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_new_session_ticket_extensions_parse", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_new_session_ticket_extensions_parse", ret ); return( ret ); } i += ext_len; @@ -4028,7 +3983,7 @@ static int ssl_new_session_ticket_parse( mbedtls_ssl_context* ssl, * HKDF-Expand-Label( resumption_master_secret, * "resumption", ticket_nonce, Hash.length ) */ - ret = mbedtls_ssl_tls1_3_hkdf_expand_label( suite_info->mac, + ret = mbedtls_ssl_tls13_hkdf_expand_label( suite_info->mac, ssl->session->app_secrets.resumption_master_secret, hash_length, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( resumption ), @@ -4056,37 +4011,37 @@ static int ssl_new_session_ticket_parse( mbedtls_ssl_context* ssl, return( 0 ); } -static int ssl_new_session_ticket_postprocess( mbedtls_ssl_context* ssl ) +static int ssl_tls13_new_session_ticket_postprocess( mbedtls_ssl_context *ssl ) { mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER ); return( 0 ); } -/* The ssl_new_session_ticket_process( ) function is used by the +/* The ssl_tls13_new_session_ticket_process( ) function is used by the * client to process the NewSessionTicket message, which contains * the ticket and meta-data provided by the server in a post- * handshake message. */ -static int ssl_new_session_ticket_process( mbedtls_ssl_context* ssl ) +static int ssl_tls13_new_session_ticket_process( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - unsigned char* buf; - size_t buflen; + unsigned char *buf; + size_t buf_len; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) ); - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls1_3_fetch_handshake_msg( + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, - &buf, &buflen ) ); + &buf, &buf_len ) ); - MBEDTLS_SSL_PROC_CHK( ssl_new_session_ticket_parse( ssl, buf, buflen ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_new_session_ticket_parse( ssl, buf, buf_len ) ); #if defined(MBEDTLS_SSL_USE_MPS) MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_mps_hs_consume_full_hs_msg( ssl ) ); #endif /* MBEDTLS_SSL_USE_MPS */ - MBEDTLS_SSL_PROC_CHK( ssl_new_session_ticket_postprocess( ssl ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_new_session_ticket_postprocess( ssl ) ); cleanup: @@ -4108,7 +4063,9 @@ int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } - MBEDTLS_SSL_DEBUG_MSG( 2, ( "tls1_3 client state: %d", ssl->state ) ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "tls13 client state: %s(%d)", + mbedtls_ssl_states_str( ssl->state ), + ssl->state ) ); if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) return( ret ); @@ -4128,7 +4085,7 @@ int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl ) break; case MBEDTLS_SSL_EARLY_APP_DATA: - ret = ssl_write_early_data_process( ssl ); + ret = ssl_tls13_write_early_data_process( ssl ); break; /* @@ -4140,27 +4097,29 @@ int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl ) * Finished */ case MBEDTLS_SSL_SERVER_HELLO: - ret = ssl_tls1_3_process_server_hello( ssl ); + ret = ssl_tls13_process_server_hello( ssl ); break; case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS: ret = ssl_tls13_process_encrypted_extensions( ssl ); break; +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) case MBEDTLS_SSL_CERTIFICATE_REQUEST: - ret = ssl_tls1_3_process_certificate_request( ssl ); + ret = ssl_tls13_process_certificate_request( ssl ); break; case MBEDTLS_SSL_SERVER_CERTIFICATE: - ret = ssl_tls1_3_process_server_certificate( ssl ); + ret = ssl_tls13_process_server_certificate( ssl ); break; case MBEDTLS_SSL_CERTIFICATE_VERIFY: - ret = ssl_tls1_3_process_certificate_verify( ssl ); + ret = ssl_tls13_process_certificate_verify( ssl ); break; +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ case MBEDTLS_SSL_SERVER_FINISHED: - ret = ssl_tls1_3_process_server_finished( ssl ); + ret = ssl_tls13_process_server_finished( ssl ); break; /* @@ -4170,19 +4129,19 @@ int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl ) * (Finished) */ case MBEDTLS_SSL_END_OF_EARLY_DATA: - ret = ssl_write_end_of_early_data_process( ssl ); + ret = ssl_tls13_write_end_of_early_data_process( ssl ); break; case MBEDTLS_SSL_CLIENT_CERTIFICATE: - ret = ssl_tls1_3_write_client_certificate( ssl ); + ret = ssl_tls13_write_client_certificate( ssl ); break; case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY: - ret = ssl_tls1_3_write_client_certificate_verify( ssl ); + ret = ssl_tls13_write_client_certificate_verify( ssl ); break; case MBEDTLS_SSL_CLIENT_FINISHED: - ret = ssl_tls1_3_write_client_finished( ssl ); + ret = ssl_tls13_write_client_finished( ssl ); break; /* @@ -4190,7 +4149,7 @@ int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl ) */ case MBEDTLS_SSL_CLIENT_NEW_SESSION_TICKET: - ret = ssl_new_session_ticket_process( ssl ); + ret = ssl_tls13_new_session_ticket_process( ssl ); if( ret != 0 ) break; @@ -4200,25 +4159,24 @@ int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl ) /* * Injection of dummy-CCS's for middlebox compatibility */ -#if defined(MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE) +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO: case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO: case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED: - ret = mbedtls_ssl_write_change_cipher_spec_process( ssl ); + ret = mbedtls_ssl_tls13_write_change_cipher_spec_process( ssl ); break; -#endif /* MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE */ +#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ /* * Internal intermediate states */ case MBEDTLS_SSL_FLUSH_BUFFERS: - ret = ssl_tls1_3_flush_buffers( ssl ); + ret = ssl_tls13_flush_buffers( ssl ); break; case MBEDTLS_SSL_HANDSHAKE_WRAPUP: - - ret = ssl_tls1_3_handshake_wrapup( ssl ); + ret = ssl_tls13_handshake_wrapup( ssl ); break; default: @@ -4231,4 +4189,4 @@ int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_SSL_CLI_C */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 53cd5b19a16e..8b1ca778a5c6 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -21,7 +21,7 @@ #if defined(MBEDTLS_SSL_TLS_C) -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #define SSL_DONT_FORCE_FLUSH 0 #define SSL_FORCE_FLUSH 1 @@ -29,6 +29,9 @@ #include "mbedtls/ssl_ticket.h" #include "mbedtls/debug.h" #include "mbedtls/error.h" +#include "mbedtls/oid.h" +#include "mbedtls/platform.h" +#include "mbedtls/constant_time.h" #include "mbedtls/ssl.h" #include "mbedtls/hkdf.h" #include <string.h> @@ -41,21 +44,11 @@ #include "ecp_internal.h" -#include "mbedtls/oid.h" - -#if defined(MBEDTLS_PLATFORM_C) -#include "mbedtls/platform.h" -#else -#include <stdlib.h> -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif /* MBEDTLS_PLATFORM_C */ - #if defined(MBEDTLS_SSL_USE_MPS) -int mbedtls_ssl_tls1_3_fetch_handshake_msg( mbedtls_ssl_context *ssl, - unsigned hs_type, - unsigned char **buf, - size_t *buflen ) +int mbedtls_ssl_tls13_fetch_handshake_msg( mbedtls_ssl_context *ssl, + unsigned hs_type, + unsigned char **buf, + size_t *buf_len ) { int ret; mbedtls_mps_handshake_in msg; @@ -86,7 +79,7 @@ int mbedtls_ssl_tls1_3_fetch_handshake_msg( mbedtls_ssl_context *ssl, MBEDTLS_SSL_PROC_CHK( ret ); /* *buf already set in mbedtls_mps_reader_get() */ - *buflen = msg.length; + *buf_len = msg.length; } cleanup: @@ -113,7 +106,7 @@ int mbedtls_ssl_mps_hs_consume_full_hs_msg( mbedtls_ssl_context *ssl ) int mbedtls_ssl_tls13_start_handshake_msg( mbedtls_ssl_context *ssl, unsigned hs_type, unsigned char **buf, - size_t *buflen ) + size_t *buf_len ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_mps_handshake_out * const msg = &ssl->handshake->hs_msg_out; @@ -125,7 +118,7 @@ int mbedtls_ssl_tls13_start_handshake_msg( mbedtls_ssl_context *ssl, MBEDTLS_SSL_PROC_CHK( mbedtls_writer_get( msg->handle, MBEDTLS_MPS_SIZE_MAX, - buf, buflen ) ); + buf, buf_len ) ); cleanup: return( ret ); @@ -147,10 +140,10 @@ int mbedtls_ssl_tls13_finish_handshake_msg( mbedtls_ssl_context *ssl, } #else /* MBEDTLS_SSL_USE_MPS */ -int mbedtls_ssl_tls1_3_fetch_handshake_msg( mbedtls_ssl_context *ssl, - unsigned hs_type, - unsigned char **buf, - size_t *buflen ) +int mbedtls_ssl_tls13_fetch_handshake_msg( mbedtls_ssl_context *ssl, + unsigned hs_type, + unsigned char **buf, + size_t *buf_len ) { int ret; @@ -177,8 +170,8 @@ int mbedtls_ssl_tls1_3_fetch_handshake_msg( mbedtls_ssl_context *ssl, * uint24 length; * ... */ - *buf = ssl->in_msg + 4; - *buflen = ssl->in_hslen - 4; + *buf = ssl->in_msg + 4; + *buf_len = ssl->in_hslen - 4; cleanup: @@ -211,12 +204,12 @@ int mbedtls_ssl_tls13_finish_handshake_msg( mbedtls_ssl_context *ssl, size_t msg_len ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t msg_len_with_header; + size_t msg_with_header_len; ((void) buf_len); /* Add reserved 4 bytes for handshake header */ - msg_len_with_header = msg_len + 4; - ssl->out_msglen = msg_len_with_header; + msg_with_header_len = msg_len + 4; + ssl->out_msglen = msg_with_header_len; MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_handshake_msg_ext( ssl, 0 ) ); cleanup: @@ -225,10 +218,10 @@ int mbedtls_ssl_tls13_finish_handshake_msg( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_SSL_USE_MPS */ -void mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl, - unsigned hs_type, - unsigned char const *msg, - size_t msg_len ) +void mbedtls_ssl_tls13_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl, + unsigned hs_type, + unsigned char const *msg, + size_t msg_len ) { mbedtls_ssl_tls13_add_hs_hdr_to_checksum( ssl, hs_type, msg_len ); ssl->handshake->update_checksum( ssl, msg, msg_len ); @@ -249,177 +242,6 @@ void mbedtls_ssl_tls13_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl, ssl->handshake->update_checksum( ssl, hs_hdr, sizeof( hs_hdr ) ); } -/* - * - * STATE HANDLING: Write ChangeCipherSpec - * - */ - -#if defined(MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE) - - /* Main entry point; orchestrates the other functions */ -int mbedtls_ssl_write_change_cipher_spec_process( mbedtls_ssl_context* ssl ); - -#define SSL_WRITE_CCS_NEEDED 0 -#define SSL_WRITE_CCS_SKIP 1 -static int ssl_write_change_cipher_spec_coordinate( mbedtls_ssl_context* ssl ); - -#if !defined(MBEDTLS_SSL_USE_MPS) -static int ssl_write_change_cipher_spec_write( mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen ); -#endif /* !MBEDTLS_SSL_USE_MPS */ -static int ssl_write_change_cipher_spec_postprocess( mbedtls_ssl_context* ssl ); - - -/* - * Implementation - */ - -int mbedtls_ssl_write_change_cipher_spec_process( mbedtls_ssl_context* ssl ) -{ - int ret; - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) ); - - MBEDTLS_SSL_PROC_CHK_NEG( ssl_write_change_cipher_spec_coordinate( ssl ) ); - - if( ret == SSL_WRITE_CCS_NEEDED ) - { -#if defined(MBEDTLS_SSL_USE_MPS) - - MBEDTLS_SSL_PROC_CHK( mbedtls_mps_flush( &ssl->mps->l4 ) ); - MBEDTLS_SSL_PROC_CHK( mbedtls_mps_write_ccs( &ssl->mps->l4 ) ); - MBEDTLS_SSL_PROC_CHK( mbedtls_mps_dispatch( &ssl->mps->l4 ) ); - MBEDTLS_SSL_PROC_CHK( ssl_write_change_cipher_spec_postprocess( ssl ) ); - -#else /* MBEDTLS_SSL_USE_MPS */ - /* Make sure we can write a new message. */ - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_flush_output( ssl ) ); - - /* Write CCS message */ - MBEDTLS_SSL_PROC_CHK( ssl_write_change_cipher_spec_write( ssl, ssl->out_msg, - MBEDTLS_SSL_OUT_CONTENT_LEN, - &ssl->out_msglen ) ); - - ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC; - - /* Update state */ - MBEDTLS_SSL_PROC_CHK( ssl_write_change_cipher_spec_postprocess( ssl ) ); - - /* Dispatch message */ - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ); - -#endif /* MBEDTLS_SSL_USE_MPS */ - } - else - { - /* Update state */ - MBEDTLS_SSL_PROC_CHK( ssl_write_change_cipher_spec_postprocess( ssl ) ); - } - -cleanup: - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) ); - return( ret ); -} - -static int ssl_write_change_cipher_spec_coordinate( mbedtls_ssl_context* ssl ) -{ -#if !defined(MBEDTLS_SSL_SRV_C) - ( ( void ) ssl ); -#endif /* !MBEDTLS_SSL_SRV_C */ - int ret = SSL_WRITE_CCS_NEEDED; - -#if defined(MBEDTLS_SSL_SRV_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) - { - if( ssl->state == MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO ) - { - /* Only transmit the CCS if we have not done so - * earlier already after the HRR. - */ - if( ssl->handshake->hello_retry_requests_sent == 0 ) - ret = SSL_WRITE_CCS_NEEDED; - else - ret = SSL_WRITE_CCS_SKIP; - } - } -#endif /* MBEDTLS_SSL_SRV_C */ - return( ret ); -} - -#if !defined(MBEDTLS_SSL_USE_MPS) -static int ssl_write_change_cipher_spec_write( mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen ) -{ - ((void) ssl); - - if( buflen < 1 ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); - return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); - } - - buf[0] = 1; - *olen = 1; - return( 0 ); -} -#endif /* !MBEDTLS_SSL_USE_MPS */ - -static int ssl_write_change_cipher_spec_postprocess( mbedtls_ssl_context* ssl ) -{ - -#if defined(MBEDTLS_SSL_SRV_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) - { - switch( ssl->state ) - { - case MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO: - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS ); - ssl->handshake->ccs_sent++; - break; - - case MBEDTLS_SSL_SERVER_CCS_AFTER_HRR: - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SECOND_CLIENT_HELLO ); - ssl->handshake->ccs_sent++; - break; - - default: - MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - } - } -#endif /* MBEDTLS_SSL_SRV_C */ - -#if defined(MBEDTLS_SSL_CLI_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) - { - switch( ssl->state ) - { - case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO: - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_EARLY_APP_DATA ); - break; - case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO: - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO ); - break; - case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED: - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE ); - break; - default: - MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - } - } -#endif /* MBEDTLS_SSL_CLI_C */ - - return( 0 ); -} -#endif /* MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE */ - #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* @@ -440,15 +262,15 @@ static int ssl_write_change_cipher_spec_postprocess( mbedtls_ssl_context* ssl ) * Only if we handle at least one key exchange that needs signatures. */ int mbedtls_ssl_tls13_write_sig_alg_ext( mbedtls_ssl_context *ssl, - unsigned char* buf, - unsigned char* end, - size_t* olen ) + unsigned char *buf, + unsigned char *end, + size_t *out_len ) { unsigned char *p = buf; - unsigned char *supported_sig_alg_ptr; /* Start of supported_signature_algorithms */ - size_t supported_sig_alg_len = 0; /* Length of supported_signature_algorithms */ + unsigned char *supported_sig_alg; /* Start of supported_signature_algorithms */ + size_t supported_sig_alg_len = 0; /* Length of supported_signature_algorithms */ - *olen = 0; + *out_len = 0; /* Skip the extension on the client if all allowed key exchanges * are PSK-based. */ @@ -473,9 +295,9 @@ int mbedtls_ssl_tls13_write_sig_alg_ext( mbedtls_ssl_context *ssl, /* * Write supported_signature_algorithms */ - supported_sig_alg_ptr = p; + supported_sig_alg = p; for( const uint16_t *sig_alg = ssl->conf->tls13_sig_algs; - *sig_alg != MBEDTLS_TLS13_SIG_NONE; sig_alg++ ) + *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ ) { MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); MBEDTLS_PUT_UINT16_BE( *sig_alg, p, 0 ); @@ -484,7 +306,7 @@ int mbedtls_ssl_tls13_write_sig_alg_ext( mbedtls_ssl_context *ssl, } /* Length of supported_signature_algorithms */ - supported_sig_alg_len = p - supported_sig_alg_ptr; + supported_sig_alg_len = p - supported_sig_alg; if( supported_sig_alg_len == 0 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "No signature algorithms defined." ) ); @@ -499,87 +321,54 @@ int mbedtls_ssl_tls13_write_sig_alg_ext( mbedtls_ssl_context *ssl, MBEDTLS_PUT_UINT16_BE( supported_sig_alg_len, buf, 4 ); /* Output the total length of signature algorithms extension. */ - *olen = p - buf; + *out_len = p - buf; ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG; return( 0 ); } -int mbedtls_ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl, - const unsigned char *buf, - size_t buf_len ) -{ - size_t sig_alg_list_size; /* size of receive signature algorithms list */ - const unsigned char *p; /* pointer to individual signature algorithm */ - const unsigned char *end = buf + buf_len; /* end of buffer */ - const uint16_t *sig_alg; /* iterate through configured signature schemes */ - int signature_scheme; /* store received signature algorithm scheme */ - uint32_t common_idx = 0; /* iterate through received_signature_schemes_list */ - - if( buf_len < 2 ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad signature_algorithms extension" ) ); - return( MBEDTLS_ERR_SSL_DECODE_ERROR ); - } - - sig_alg_list_size = ( ( size_t) buf[0] << 8 ) | ( (size_t) buf[1] ); - if( sig_alg_list_size + 2 != buf_len || - sig_alg_list_size % 2 != 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad signature_algorithms extension" ) ); - return( MBEDTLS_ERR_SSL_DECODE_ERROR ); - } - memset( ssl->handshake->received_signature_schemes_list, - 0, sizeof( ssl->handshake->received_signature_schemes_list ) ); - - for( p = buf + 2; p < end && common_idx + 1 < MBEDTLS_SIGNATURE_SCHEMES_SIZE; p += 2 ) - { - signature_scheme = ( (int) p[0] << 8 ) | ( ( int ) p[1] ); - - MBEDTLS_SSL_DEBUG_MSG( 4, ( "received signature algorithm: 0x%x", signature_scheme ) ); - - for( sig_alg = ssl->conf->tls13_sig_algs; - *sig_alg != MBEDTLS_TLS13_SIG_NONE; sig_alg++ ) - { - if( *sig_alg == signature_scheme ) - { - ssl->handshake->received_signature_schemes_list[common_idx] = signature_scheme; - common_idx++; - break; - } - } - } - - if( common_idx == 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature algorithm in common" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, - MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - } - - ssl->handshake->received_signature_schemes_list[common_idx] = - MBEDTLS_TLS13_SIG_NONE; - - return( 0 ); -} -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +/* + * STATE HANDLING: Read CertificateVerify + */ +/* Macro to express the maximum length of the verify structure. + * + * The structure is computed per TLS 1.3 specification as: + * - 64 bytes of octet 32, + * - 33 bytes for the context string + * (which is either "TLS 1.3, client CertificateVerify" + * or "TLS 1.3, server CertificateVerify"), + * - 1 byte for the octet 0x0, which serves as a separator, + * - 32 or 48 bytes for the Transcript-Hash(Handshake Context, Certificate) + * (depending on the size of the transcript_hash) + * + * This results in a total size of + * - 130 bytes for a SHA256-based transcript hash, or + * (64 + 33 + 1 + 32 bytes) + * - 146 bytes for a SHA384-based transcript hash. + * (64 + 33 + 1 + 48 bytes) + * + */ +#define SSL_VERIFY_STRUCT_MAX_SIZE ( 64 + \ + 33 + \ + 1 + \ + MBEDTLS_TLS1_3_MD_MAX_SIZE \ + ) /* - * The ssl_create_verify_structure() creates the verify structure. + * The ssl_tls13_create_verify_structure() creates the verify structure. * As input, it requires the transcript hash. * * The caller has to ensure that the buffer has size at least - * MBEDTLS_SSL_VERIFY_STRUCT_MAX_SIZE bytes. + * SSL_VERIFY_STRUCT_MAX_SIZE bytes. */ -static void ssl_create_verify_structure( unsigned char *transcript_hash, - size_t transcript_hash_len, - unsigned char *verify_buffer, - size_t *verify_buffer_len, - int from ) +static void ssl_tls13_create_verify_structure( const unsigned char *transcript_hash, + size_t transcript_hash_len, + unsigned char *verify_buffer, + size_t *verify_buffer_len, + int from ) { - size_t idx = 0; + size_t idx; /* RFC 8446, Section 4.4.3: * @@ -590,12 +379,8 @@ static void ssl_create_verify_structure( unsigned char *transcript_hash, * - A single 0 byte which serves as the separator * - The content to be signed */ - - uint8_t const verify_padding_val = 0x20; - size_t const verify_padding_len = 64; - - memset( verify_buffer + idx, verify_padding_val, verify_padding_len ); - idx += verify_padding_len; + memset( verify_buffer, 0x20, 64 ); + idx = 64; if( from == MBEDTLS_SSL_IS_CLIENT ) { @@ -616,1402 +401,1393 @@ static void ssl_create_verify_structure( unsigned char *transcript_hash, *verify_buffer_len = idx; } -/* - * - * STATE HANDLING: CertificateVerify - * - */ - -/* - * Overview - */ +static int ssl_tls13_sig_alg_is_offered( const mbedtls_ssl_context *ssl, + uint16_t sig_alg ) +{ + const uint16_t *tls13_sig_alg = ssl->conf->tls13_sig_algs; -/* Main entry point: orchestrates the other functions. */ -int mbedtls_ssl_write_certificate_verify_process( mbedtls_ssl_context* ssl ); + for( ; *tls13_sig_alg != MBEDTLS_TLS1_3_SIG_NONE ; tls13_sig_alg++ ) + { + if( *tls13_sig_alg == sig_alg ) + return( 1 ); + } + return( 0 ); +} +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ -/* Coordinate: Check whether a certificate verify message should be sent. +/* Coordinate: Check whether a certificate verify message is expected. * Returns a negative value on failure, and otherwise - * - SSL_WRITE_CERTIFICATE_VERIFY_SKIP - * - SSL_WRITE_CERTIFICATE_VERIFY_SEND - * to indicate if the CertificateVerify message should be sent or not. + * - SSL_CERTIFICATE_VERIFY_SKIP + * - SSL_CERTIFICATE_VERIFY_READ + * to indicate if the CertificateVerify message should be present or not. */ -#define SSL_WRITE_CERTIFICATE_VERIFY_SKIP 0 -#define SSL_WRITE_CERTIFICATE_VERIFY_SEND 1 -static int ssl_write_certificate_verify_coordinate( mbedtls_ssl_context* ssl ); -#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) -static int ssl_certificate_verify_write( mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen ); -#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ -static int ssl_certificate_verify_postprocess( mbedtls_ssl_context* ssl ); +#define SSL_CERTIFICATE_VERIFY_SKIP 0 +#define SSL_CERTIFICATE_VERIFY_READ 1 +static int ssl_tls13_read_certificate_verify_coordinate( mbedtls_ssl_context *ssl ) +{ + if( mbedtls_ssl_tls13_kex_with_psk( ssl ) ) + return( SSL_CERTIFICATE_VERIFY_SKIP ); -/* - * Implementation - */ - -int mbedtls_ssl_write_certificate_verify_process( mbedtls_ssl_context* ssl ) -{ - int ret = 0; - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); - - /* Coordination step: Check if we need to send a CertificateVerify */ - MBEDTLS_SSL_PROC_CHK_NEG( ssl_write_certificate_verify_coordinate( ssl ) ); - - if( ret == SSL_WRITE_CERTIFICATE_VERIFY_SEND ) - { - unsigned char *buf; - size_t buf_len, msg_len; - - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl, - MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) ); - - MBEDTLS_SSL_PROC_CHK( ssl_certificate_verify_write( - ssl, buf, buf_len, &msg_len ) ); - - mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( - ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, buf, msg_len ); - /* Update state */ - MBEDTLS_SSL_PROC_CHK( ssl_certificate_verify_postprocess( ssl ) ); - - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg( - ssl, buf_len, msg_len ) ); - } - else - { - MBEDTLS_SSL_PROC_CHK( ssl_certificate_verify_postprocess( ssl ) ); - } - -cleanup: +#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); +#else + if( ssl->session_negotiate->peer_cert == NULL ) + return( SSL_CERTIFICATE_VERIFY_SKIP ); - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) ); - return( ret ); + return( SSL_CERTIFICATE_VERIFY_READ ); +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ } -static int ssl_write_certificate_verify_coordinate( mbedtls_ssl_context* ssl ) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +/* Parse and validate CertificateVerify message + * + * Note: The size of the hash buffer is assumed to be large enough to + * hold the transcript given the selected hash algorithm. + * No bounds-checking is done inside the function. + */ +static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl, + const unsigned char *buf, + const unsigned char *end, + const unsigned char *verify_buffer, + size_t verify_buffer_len ) { - int have_own_cert = 1; - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + const unsigned char *p = buf; + uint16_t algorithm; + size_t signature_len; + mbedtls_pk_type_t sig_alg; + mbedtls_md_type_t md_alg; + unsigned char verify_hash[MBEDTLS_MD_MAX_SIZE]; + size_t verify_hash_len; - if( mbedtls_ssl_tls13_kex_with_psk( ssl ) ) - { - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); - return( SSL_WRITE_CERTIFICATE_VERIFY_SKIP ); - } + void const *options = NULL; +#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) + mbedtls_pk_rsassa_pss_options rsassa_pss_options; +#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ -#if !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) - MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); -#else - if( mbedtls_ssl_own_cert( ssl ) == NULL ) - have_own_cert = 0; + /* + * struct { + * SignatureScheme algorithm; + * opaque signature<0..2^16-1>; + * } CertificateVerify; + */ + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 ); + algorithm = MBEDTLS_GET_UINT16_BE( p, 0 ); + p += 2; - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + /* RFC 8446 section 4.4.3 + * + * If the CertificateVerify message is sent by a server, the signature algorithm + * MUST be one offered in the client's "signature_algorithms" extension unless + * no valid certificate chain can be produced without unsupported algorithms + * + * RFC 8446 section 4.4.2.2 + * + * If the client cannot construct an acceptable chain using the provided + * certificates and decides to abort the handshake, then it MUST abort the handshake + * with an appropriate certificate-related alert (by default, "unsupported_certificate"). + * + * Check if algorithm is an offered signature algorithm. + */ + if( ! ssl_tls13_sig_alg_is_offered( ssl, algorithm ) ) { - if( ssl->client_auth == 0 || - have_own_cert == 0 || - ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE ) - { - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); - return( SSL_WRITE_CERTIFICATE_VERIFY_SKIP ); - } + /* algorithm not in offered signature algorithms list */ + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Received signature algorithm(%04x) is not " + "offered.", + ( unsigned int ) algorithm ) ); + goto error; } - if( have_own_cert == 0 && - ssl->client_auth == 1 && - ssl->conf->authmode != MBEDTLS_SSL_VERIFY_NONE ) + /* We currently only support ECDSA-based signatures */ + switch( algorithm ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate" ) ); - return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); + case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256: + md_alg = MBEDTLS_MD_SHA256; + sig_alg = MBEDTLS_PK_ECDSA; + break; + case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384: + md_alg = MBEDTLS_MD_SHA384; + sig_alg = MBEDTLS_PK_ECDSA; + break; + case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512: + md_alg = MBEDTLS_MD_SHA512; + sig_alg = MBEDTLS_PK_ECDSA; + break; +#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) + case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: + MBEDTLS_SSL_DEBUG_MSG( 4, ( "Certificate Verify: using RSA PSS" ) ); + md_alg = MBEDTLS_MD_SHA256; + sig_alg = MBEDTLS_PK_RSASSA_PSS; + break; +#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ + default: + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Certificate Verify: Unknown signature algorithm." ) ); + goto error; } + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate Verify: Signature algorithm ( %04x )", + ( unsigned int ) algorithm ) ); + /* - * Check whether the signature scheme corresponds to the key we are using + * Check the certificate's key type matches the signature alg */ - if( mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) ) != - MBEDTLS_SSL_SIG_ECDSA ) + if( !mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, sig_alg ) ) { - MBEDTLS_SSL_DEBUG_MSG( 1, - ( "Certificate Verify: Only ECDSA signature algorithm is currently supported." ) ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "signature algorithm doesn't match cert key" ) ); + goto error; } - /* Calculate the transcript hash */ - ret = mbedtls_ssl_get_handshake_transcript( ssl, - ssl->handshake->ciphersuite_info->mac, - ssl->handshake->state_local.certificate_verify_out.handshake_hash, - sizeof( ssl->handshake->state_local.certificate_verify_out.handshake_hash ), - &ssl->handshake->state_local.certificate_verify_out.handshake_hash_len ); - if( ret != 0 ) - return( ret ); + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 ); + signature_len = MBEDTLS_GET_UINT16_BE( p, 0 ); + p += 2; + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, signature_len ); - MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash", - ssl->handshake->state_local.certificate_verify_out.handshake_hash, - ssl->handshake->state_local.certificate_verify_out.handshake_hash_len); + /* Hash verify buffer with indicated hash function */ + switch( md_alg ) + { +#if defined(MBEDTLS_SHA256_C) + case MBEDTLS_MD_SHA256: + verify_hash_len = 32; + ret = mbedtls_sha256( verify_buffer, verify_buffer_len, verify_hash, 0 ); + break; +#endif /* MBEDTLS_SHA256_C */ - return( SSL_WRITE_CERTIFICATE_VERIFY_SEND ); -#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ -} +#if defined(MBEDTLS_SHA384_C) + case MBEDTLS_MD_SHA384: + verify_hash_len = 48; + ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 1 ); + break; +#endif /* MBEDTLS_SHA384_C */ +#if defined(MBEDTLS_SHA512_C) + case MBEDTLS_MD_SHA512: + verify_hash_len = 64; + ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 0 ); + break; +#endif /* MBEDTLS_SHA512_C */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) -static int ssl_certificate_verify_write( mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen ) -{ - int ret; - size_t n = 0; - unsigned char verify_buffer[ MBEDTLS_SSL_VERIFY_STRUCT_MAX_SIZE ]; - const int *sig_scheme; /* iterate through configured signature schemes */ - size_t verify_buffer_len; - mbedtls_pk_context *own_key; - size_t own_key_size; - unsigned int md_alg; - int sig_alg; - unsigned char verify_hash[ MBEDTLS_MD_MAX_SIZE ]; - size_t verify_hash_len; - unsigned char *p; - const mbedtls_md_info_t *md_info; - /* Verify whether we can use signature algorithm */ - int signature_scheme_client; - unsigned char * const end = buf + buflen; + default: + ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; + break; + } - p = buf; - if( buflen < 2 + MBEDTLS_MD_MAX_SIZE ) + if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too short" ) ); - return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + MBEDTLS_SSL_DEBUG_RET( 1, "hash computation error", ret ); + goto error; } - /* Create verify structure */ - ssl_create_verify_structure( - ssl->handshake->state_local.certificate_verify_out.handshake_hash, - ssl->handshake->state_local.certificate_verify_out.handshake_hash_len, - verify_buffer, - &verify_buffer_len, - ssl->conf->endpoint ); - - /* - * struct { - * SignatureScheme algorithm; - * opaque signature<0..2^16-1>; - * } CertificateVerify; - */ - - /* Determine size of key */ - own_key = mbedtls_ssl_own_key( ssl ); - if( own_key != NULL) + MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len ); +#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) + if( sig_alg == MBEDTLS_PK_RSASSA_PSS ) { - own_key_size = mbedtls_pk_get_bitlen( own_key ); - switch( own_key_size) + const mbedtls_md_info_t *md_info; + rsassa_pss_options.mgf1_hash_id = md_alg; + if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL ) { - case 256: - md_alg = MBEDTLS_MD_SHA256; - sig_alg = MBEDTLS_TLS13_SIG_ECDSA_SECP256R1_SHA256; - break; - case 384: - md_alg = MBEDTLS_MD_SHA384; - sig_alg = MBEDTLS_TLS13_SIG_ECDSA_SECP384R1_SHA384; - break; - default: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown key size: %" MBEDTLS_PRINTF_SIZET " bits", - own_key_size ) ); - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } + rsassa_pss_options.expected_salt_len = mbedtls_md_get_size( md_info ); + options = (const void*) &rsassa_pss_options; } - else +#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ + + if( ( ret = mbedtls_pk_verify_ext( sig_alg, options, + &ssl->session_negotiate->peer_cert->pk, + md_alg, verify_hash, verify_hash_len, + p, signature_len ) ) == 0 ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + return( 0 ); } + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify_ext", ret ); - signature_scheme_client = MBEDTLS_TLS13_SIG_NONE; +error: + /* RFC 8446 section 4.4.3 + * + * If the verification fails, the receiver MUST terminate the handshake + * with a "decrypt_error" alert. + */ + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - for( sig_scheme = ssl->handshake->received_signature_schemes_list; - *sig_scheme != MBEDTLS_TLS13_SIG_NONE; sig_scheme++ ) +} +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ + +int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl ) +{ + +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE]; + size_t verify_buffer_len; + unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; + size_t transcript_len; + unsigned char *buf; + size_t buf_len; + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); + + MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_read_certificate_verify_coordinate( ssl ) ); + if( ret == SSL_CERTIFICATE_VERIFY_SKIP ) { - if( *sig_scheme == sig_alg ) - { - signature_scheme_client = *sig_scheme; - break; - } + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); + ret = 0; + goto cleanup; } - - if( signature_scheme_client == MBEDTLS_TLS13_SIG_NONE ) + else if( ret != SSL_CERTIFICATE_VERIFY_READ ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; + goto cleanup; } - *(p++) = (unsigned char)( ( signature_scheme_client >> 8 ) & 0xFF ); - *(p++) = (unsigned char)( ( signature_scheme_client >> 0 ) & 0xFF ); - - /* Hash verify buffer with indicated hash function */ - md_info = mbedtls_md_info_from_type( md_alg ); - if( md_info == NULL ) - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + MBEDTLS_SSL_PROC_CHK( + mbedtls_ssl_tls13_fetch_handshake_msg( ssl, + MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) ); - ret = mbedtls_md( md_info, verify_buffer, verify_buffer_len, verify_hash ); + ret = mbedtls_ssl_get_handshake_transcript( ssl, + ssl->handshake->ciphersuite_info->mac, + transcript, sizeof( transcript ), + &transcript_len ); if( ret != 0 ) - return( ret ); - - verify_hash_len = mbedtls_md_get_size( md_info ); - MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len ); - - if( ( ret = mbedtls_pk_sign( own_key, md_alg, - verify_hash, verify_hash_len, - p + 2, (size_t)( end - ( p + 2 ) ), &n, - ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); - return( ret ); + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR, + MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + goto cleanup; } - p[0] = (unsigned char)( n >> 8 ); - p[1] = (unsigned char)( n >> 0 ); + MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash", transcript, transcript_len ); - p += 2 + n; - - *olen = (size_t)( p - buf ); - return( ret ); -} -#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ + /* Create verify structure */ + ssl_tls13_create_verify_structure( transcript, + transcript_len, + verify_buffer, + &verify_buffer_len, + ( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ? + MBEDTLS_SSL_IS_SERVER : + MBEDTLS_SSL_IS_CLIENT ); + + /* Process the message contents */ + MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate_verify( ssl, buf, + buf + buf_len, verify_buffer, verify_buffer_len ) ); + + mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl, + MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, buf, buf_len ); +#if defined(MBEDTLS_SSL_USE_MPS) + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_mps_hs_consume_full_hs_msg( ssl ) ); +#endif -static int ssl_certificate_verify_postprocess( mbedtls_ssl_context* ssl ) -{ - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) - { - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED ); - } - else - { - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED ); - } +cleanup: - return( 0 ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_process_certificate_verify", ret ); + return( ret ); +#else + ((void) ssl); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ } /* * - * STATE HANDLING: Read CertificateVerify - * - */ - -/* - * Overview - */ - -/* Main entry point; orchestrates the other functions */ -int mbedtls_ssl_read_certificate_verify_process( mbedtls_ssl_context* ssl ); - -/* Coordinate: Check whether a certificate verify message is expected. - * Returns a negative value on failure, and otherwise - * - SSL_CERTIFICATE_VERIFY_SKIP - * - SSL_CERTIFICATE_VERIFY_READ - * to indicate if the CertificateVerify message should be present or not. - */ -#define SSL_CERTIFICATE_VERIFY_SKIP 0 -#define SSL_CERTIFICATE_VERIFY_READ 1 -static int ssl_read_certificate_verify_coordinate( mbedtls_ssl_context* ssl ); - -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) -/* Parse and validate CertificateVerify message + * STATE HANDLING: Incoming Certificate * - * Note: The size of the hash buffer is assumed to be large enough to - * hold the transcript given the selected hash algorithm. - * No bounds-checking is done inside the function. */ -static int ssl_read_certificate_verify_parse( mbedtls_ssl_context* ssl, - unsigned char const* buf, - size_t buflen, - unsigned char const* hash, - size_t hashlen ); -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ -/* Update handshake state machine */ -static int ssl_read_certificate_verify_postprocess( mbedtls_ssl_context* ssl ); - -/* - * Implementation +/* Coordination: Check if a certificate is expected. + * Returns a negative error code on failure, and otherwise + * SSL_CERTIFICATE_EXPECTED or + * SSL_CERTIFICATE_SKIP + * indicating whether a Certificate message is expected or not. */ +#define SSL_CERTIFICATE_EXPECTED 0 +#define SSL_CERTIFICATE_SKIP 1 -int mbedtls_ssl_read_certificate_verify_process( mbedtls_ssl_context* ssl ) +static int ssl_tls13_read_certificate_coordinate( mbedtls_ssl_context *ssl ) { - int ret; - unsigned char verify_buffer[ MBEDTLS_SSL_VERIFY_STRUCT_MAX_SIZE ]; - size_t verify_buffer_len; - unsigned char transcript[ MBEDTLS_MD_MAX_SIZE ]; - size_t transcript_len; - - /* Coordination step */ - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); - - MBEDTLS_SSL_PROC_CHK_NEG( ssl_read_certificate_verify_coordinate( ssl ) ); +#if defined(MBEDTLS_SSL_SRV_C) + int authmode = ssl->conf->authmode; +#endif /* MBEDTLS_SSL_SRV_C */ -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) // TBD: double-check - if( ret == SSL_CERTIFICATE_VERIFY_READ ) +#if defined(MBEDTLS_SSL_SRV_C) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) { - unsigned char *buf; - size_t buflen; - - /* Need to calculate the hash of the transcript first - * before reading the message since otherwise it gets - * included in the transcript - */ - ret = mbedtls_ssl_get_handshake_transcript( ssl, - ssl->handshake->ciphersuite_info->mac, - transcript, sizeof( transcript ), - &transcript_len ); - if( ret != 0 ) - return( ret ); - - MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash", transcript, - transcript_len ); - - /* Create verify structure */ - ssl_create_verify_structure( transcript, - transcript_len, - verify_buffer, - &verify_buffer_len, - !ssl->conf->endpoint ); - - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls1_3_fetch_handshake_msg( ssl, - MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buflen ) ); - - - /* Process the message contents */ - MBEDTLS_SSL_PROC_CHK( ssl_read_certificate_verify_parse( ssl, buf, buflen, - verify_buffer, - verify_buffer_len ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) ); - mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( - ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, buf, buflen ); #if defined(MBEDTLS_SSL_USE_MPS) - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_mps_hs_consume_full_hs_msg( ssl ) ); -#endif - } - else -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ - if( ret == SSL_CERTIFICATE_VERIFY_SKIP ) - { - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); - } - else - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + { + int ret; + ret = mbedtls_mps_set_incoming_keys( &ssl->mps->l4, + ssl->handshake->epoch_handshake ); + if( ret != 0 ) + return( ret ); + } +#else + mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake ); +#endif /* MBEDTLS_SSL_USE_MPS */ } +#endif /* MBEDTLS_SSL_SRV_C */ - /* Update state machine and handshake checksum state. - * - * The manual update of the checksum state only needs to be - * done manually here because we couldn't have it done automatically - * when reading the message. - */ - MBEDTLS_SSL_PROC_CHK( ssl_read_certificate_verify_postprocess( ssl ) ); - -cleanup: - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) ); - return( ret ); -} - -static int ssl_read_certificate_verify_coordinate( mbedtls_ssl_context* ssl ) -{ if( mbedtls_ssl_tls13_kex_with_psk( ssl ) ) - return( SSL_CERTIFICATE_VERIFY_SKIP ); + return( SSL_CERTIFICATE_SKIP ); -#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) + ( ( void )authmode ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #else - if( ssl->session_negotiate->peer_cert == NULL ) - return( SSL_CERTIFICATE_VERIFY_SKIP ); +#if defined(MBEDTLS_SSL_SRV_C) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + { + /* If SNI was used, overwrite authentication mode + * from the configuration. */ +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET ) + authmode = ssl->handshake->sni_authmode; +#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ - return( SSL_CERTIFICATE_VERIFY_READ ); -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ + if( authmode == MBEDTLS_SSL_VERIFY_NONE ) + { + /* NOTE: Is it intentional that we set verify_result + * to SKIP_VERIFY on server-side only? */ + ssl->session_negotiate->verify_result = + MBEDTLS_X509_BADCERT_SKIP_VERIFY; + return( SSL_CERTIFICATE_SKIP ); + } + } +#endif /* MBEDTLS_SSL_SRV_C */ + + return( SSL_CERTIFICATE_EXPECTED ); +#endif /* !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ } +#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) +#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) +/* + * Structure of Certificate message: + * + * enum { + * X509(0), + * RawPublicKey(2), + * (255) + * } CertificateType; + * + * struct { + * select (certificate_type) { + * case RawPublicKey: + * * From RFC 7250 ASN.1_subjectPublicKeyInfo * + * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>; + * case X509: + * opaque cert_data<1..2^24-1>; + * }; + * Extension extensions<0..2^16-1>; + * } CertificateEntry; + * + * struct { + * opaque certificate_request_context<0..2^8-1>; + * CertificateEntry certificate_list<0..2^24-1>; + * } Certificate; + * + */ -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) -static int ssl_read_certificate_verify_parse( mbedtls_ssl_context* ssl, - unsigned char const* buf, - size_t buflen, - unsigned char const* verify_buffer, - size_t verify_buffer_len ) +/* Parse certificate chain send by the peer. */ +static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl, + unsigned char const *buf, + unsigned char const *end ) { - int ret; - int signature_scheme; - size_t sig_len; - mbedtls_pk_type_t sig_alg; - mbedtls_md_type_t md_alg; - unsigned char verify_hash[ MBEDTLS_MD_MAX_SIZE ]; - size_t verify_hash_len; - - void const *opts_ptr = NULL; -#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) - mbedtls_pk_rsassa_pss_options opts; -#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t certificate_request_context_len = 0; + size_t certificate_list_len = 0; + const unsigned char *p = buf; + const unsigned char *certificate_list_end; - /* - * struct { - * SignatureScheme algorithm; - * opaque signature<0..2^16-1>; - * } CertificateVerify; - * - */ + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 ); + certificate_request_context_len = p[0]; + p++; - if( buflen < 2 ) +#if defined(MBEDTLS_SSL_SRV_C) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); - return( MBEDTLS_ERR_SSL_DECODE_ERROR ); - } + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, + certificate_request_context_len + 3 ); - signature_scheme = ( buf[0] << 8 ) | buf[1]; + /* check whether we got an empty certificate message */ + if( memcmp( p + certificate_request_context_len , "\0\0\0", 3 ) == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, + ( "client has no certificate - empty certificate message received" ) ); - /* We currently only support ECDSA-based signatures */ - switch( signature_scheme ) - { - case MBEDTLS_TLS13_SIG_ECDSA_SECP256R1_SHA256: - md_alg = MBEDTLS_MD_SHA256; - sig_alg = MBEDTLS_PK_ECDSA; - break; - case MBEDTLS_TLS13_SIG_ECDSA_SECP384R1_SHA384: - md_alg = MBEDTLS_MD_SHA384; - sig_alg = MBEDTLS_PK_ECDSA; - break; - case MBEDTLS_TLS13_SIG_ECDSA_SECP521R1_SHA512: - md_alg = MBEDTLS_MD_SHA512; - sig_alg = MBEDTLS_PK_ECDSA; - break; -#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) - case MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA256: - MBEDTLS_SSL_DEBUG_MSG( 4, ( "Certificate Verify: using RSA" ) ); - md_alg = MBEDTLS_MD_SHA256; - sig_alg = MBEDTLS_PK_RSASSA_PSS; - break; -#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ - default: - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Certificate Verify: Unknown signature algorithm." ) ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; + if( ssl->conf->authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) + return( 0 ); + else + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "client certificate required" ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_REQUIRED, + MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); + return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); + } + } } +#endif /* MBEDTLS_SSL_SRV_C */ - MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate Verify: Signature algorithm ( %04x )", - signature_scheme ) ); - - buflen -= 2; - buf += 2; - - /* - * Signature - */ + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 3 ); + certificate_list_len = MBEDTLS_GET_UINT24_BE( p, 0 ); + p += 3; - /* - * Check the certificate's key type matches the signature alg + /* In theory, the certificate list can be up to 2^24 Bytes, but we don't + * support anything beyond 2^16 = 64K. */ - if( !mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, sig_alg ) ) + if( ( ( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) && + ( certificate_request_context_len != 0 ) ) + || + ( certificate_list_len >= 0x10000 ) ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "signature algorithm doesn't match cert key" ) ); - return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, + MBEDTLS_ERR_SSL_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_DECODE_ERROR ); } - if( buflen < 2 ) + /* In case we tried to reuse a session but it failed */ + if( ssl->session_negotiate->peer_cert != NULL ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); - return( MBEDTLS_ERR_SSL_DECODE_ERROR ); + mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert ); + mbedtls_free( ssl->session_negotiate->peer_cert ); } - sig_len = ( buf[0] << 8 ) | buf[1]; - buf += 2; - buflen -= 2; - - if( buflen != sig_len ) + if( ( ssl->session_negotiate->peer_cert = + mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ) ) == NULL ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); - return( MBEDTLS_ERR_SSL_DECODE_ERROR ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc( %" MBEDTLS_PRINTF_SIZET " bytes ) failed", + sizeof( mbedtls_x509_crt ) ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR, + MBEDTLS_ERR_SSL_ALLOC_FAILED ); + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); } - /* Hash verify buffer with indicated hash function */ -#if defined(MBEDTLS_SHA256_C) - if( md_alg == MBEDTLS_MD_SHA256 ) + mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert ); + + certificate_list_end = p + certificate_list_len; + while( p < certificate_list_end ) { - verify_hash_len = 32; - if( ( ret = mbedtls_sha256( verify_buffer, - verify_buffer_len, verify_hash, 0 /* 0 for SHA-256 instead of SHA-224 */ ) ) != 0 ) + size_t cert_data_len, extensions_len; + + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 3 ); + cert_data_len = MBEDTLS_GET_UINT24_BE( p, 0 ); + p += 3; + + /* In theory, the CRT can be up to 2^24 Bytes, but we don't support + * anything beyond 2^16 = 64K. Otherwise as in the TLS 1.2 code, + * check that we have a minimum of 128 bytes of data, this is not + * clear why we need that though. + */ + if( ( cert_data_len < 128 ) || ( cert_data_len >= 0x10000 ) ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha256_ret", ret ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, + MBEDTLS_ERR_SSL_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_DECODE_ERROR ); } - } - else -#endif /* MBEDTLS_SHA256_C */ -#if defined(MBEDTLS_SHA512_C) - if( md_alg == MBEDTLS_MD_SHA384 ) - { - verify_hash_len = 48; - if( ( ret = mbedtls_sha512( verify_buffer, - verify_buffer_len, - verify_hash, - 1 ) ) != 0 ) + + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, cert_data_len ); + ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert, + p, cert_data_len ); + + switch( ret ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha512_ret", ret ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + case 0: /*ok*/ + case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND: + /* Ignore certificate with an unknown algorithm: maybe a + prior certificate was already trusted. */ + break; + + case MBEDTLS_ERR_X509_ALLOC_FAILED: + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR, + MBEDTLS_ERR_X509_ALLOC_FAILED ); + MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret ); + return( ret ); + + case MBEDTLS_ERR_X509_UNKNOWN_VERSION: + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, + MBEDTLS_ERR_X509_UNKNOWN_VERSION ); + MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret ); + return( ret ); + + default: + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT, + ret ); + MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret ); + return( ret ); } - } - else -#endif /* MBEDTLS_SHA512_C */ - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Certificate Verify: Unknown signature algorithm." ) ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + + p += cert_data_len; + + /* Certificate extensions length */ + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 2 ); + extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 ); + p += 2; + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len ); + p += extensions_len; } - MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len ); -#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) - if( sig_alg == MBEDTLS_PK_RSASSA_PSS ) + /* Check that all the message is consumed. */ + if( p != end ) { - const mbedtls_md_info_t* md_info; - opts.mgf1_hash_id = md_alg; - if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL ) - { - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - } - opts.expected_salt_len = mbedtls_md_get_size( md_info ); - opts_ptr = (const void*) &opts; + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \ + MBEDTLS_ERR_SSL_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_DECODE_ERROR ); } -#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ - if( ( ret = mbedtls_pk_verify_ext( - sig_alg, - opts_ptr, - &ssl->session_negotiate->peer_cert->pk, - md_alg, - verify_hash, - verify_hash_len, - buf, - sig_len ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify_ext", ret ); - return( ret ); - } + MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert ); - return( 0 ); + return( ret ); } -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ - +#else +static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl, + const unsigned char *buf, + const unsigned char *end ) +{ + ((void) ssl); + ((void) buf); + ((void) end); + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); +} +#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ +#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ -static int ssl_read_certificate_verify_postprocess( mbedtls_ssl_context* ssl ) +#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) +#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) +/* Validate certificate chain sent by the server. */ +static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl ) { + int ret = 0; + int authmode = ssl->conf->authmode; + mbedtls_x509_crt *ca_chain; + mbedtls_x509_crl *ca_crl; + uint32_t verify_result = 0; + + /* If SNI was used, overwrite authentication mode + * from the configuration. */ +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET ) + authmode = ssl->handshake->sni_authmode; +#endif + + /* + * If the client hasn't sent a certificate ( i.e. it sent + * an empty certificate chain ), this is reflected in the peer CRT + * structure being unset. + * Check for that and handle it depending on the + * server's authentication mode. + */ #if defined(MBEDTLS_SSL_SRV_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) - { - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED ); - } - else -#endif /* MBEDTLS_SSL_SRV_C */ + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && + ssl->session_negotiate->peer_cert == NULL ) { - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED ); - } + MBEDTLS_SSL_DEBUG_MSG( 1, ( "client has no certificate" ) ); - return( 0 ); -} + /* The client was asked for a certificate but didn't send + one. The client should know what's going on, so we + don't send an alert. */ + /* Note that for authmode == VERIFY_NONE we don't end up in this + * routine in the first place, because ssl_tls13_read_certificate_coordinate + * will return CERTIFICATE_SKIP. */ + ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; + if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) + return( 0 ); + else + return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); + } +#endif /* MBEDTLS_SSL_SRV_C */ -/* - * - * STATE HANDLING: Outgoing Certificate - * - */ + if( authmode == MBEDTLS_SSL_VERIFY_NONE ) + { + /* NOTE: This happens on client-side only, with the + * server-side case of VERIFY_NONE being handled earlier + * and leading to `ssl->verify_result` being set to + * MBEDTLS_X509_BADCERT_SKIP_VERIFY -- + * is this difference intentional? */ + return( 0 ); + } -/* - * Overview - */ +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + if( ssl->handshake->sni_ca_chain != NULL ) + { + ca_chain = ssl->handshake->sni_ca_chain; + ca_crl = ssl->handshake->sni_ca_crl; + } + else +#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ + { + ca_chain = ssl->conf->ca_chain; + ca_crl = ssl->conf->ca_crl; + } -/* Main state-handling entry point; orchestrates the other functions. */ -int mbedtls_ssl_write_certificate_process( mbedtls_ssl_context* ssl ); + /* + * Main check: verify certificate + */ + ret = mbedtls_x509_crt_verify_with_profile( + ssl->session_negotiate->peer_cert, + ca_chain, ca_crl, + ssl->conf->cert_profile, + ssl->hostname, + &verify_result, + ssl->conf->f_vrfy, ssl->conf->p_vrfy ); -/* Check if a certificate should be written, and if yes, - * if it is available. - * Returns a negative error code on failure ( such as no certificate - * being available on the server ), and otherwise - * SSL_WRITE_CERTIFICATE_AVAILABLE or - * SSL_WRITE_CERTIFICATE_SKIP - * indicating that a Certificate message should be written based - * on the configured certificate, or whether it should be silently skipped. - */ + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret ); + } -#define SSL_WRITE_CERTIFICATE_AVAILABLE 0 -#define SSL_WRITE_CERTIFICATE_SKIP 1 -static int ssl_write_certificate_coordinate( mbedtls_ssl_context* ssl ); -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) -/* Write certificate message based on the configured certificate */ -static int ssl_write_certificate_write( mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen ); -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ -/* Update the state after handling the outgoing certificate message. */ -static int ssl_write_certificate_postprocess( mbedtls_ssl_context* ssl ); + /* + * Secondary checks: always done, but change 'ret' only if it was 0 + */ -/* - * Implementation - */ +#if defined(MBEDTLS_ECP_C) + { + const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk; -int mbedtls_ssl_write_certificate_process( mbedtls_ssl_context* ssl ) -{ - int ret; - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) ); + /* If certificate uses an EC key, make sure the curve is OK */ + if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) && + mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 ) + { + ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY; - /* Coordination: Check if we need to send a certificate. */ - MBEDTLS_SSL_PROC_CHK_NEG( ssl_write_certificate_coordinate( ssl ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( EC key curve )" ) ); + if( ret == 0 ) + ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; + } + } +#endif /* MBEDTLS_ECP_C */ -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) - if( ret == SSL_WRITE_CERTIFICATE_AVAILABLE ) + if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert, + ssl->handshake->key_exchange, + !ssl->conf->endpoint, + &verify_result ) != 0 ) { - unsigned char *buf; - size_t buf_len, msg_len; + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( usage extensions )" ) ); + if( ret == 0 ) + ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; + } - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl, - MBEDTLS_SSL_HS_CERTIFICATE, &buf, &buf_len ) ); + /* mbedtls_x509_crt_verify_with_profile is supposed to report a + * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED, + * with details encoded in the verification flags. All other kinds + * of error codes, including those from the user provided f_vrfy + * functions, are treated as fatal and lead to a failure of + * ssl_tls13_parse_certificate even if verification was optional. */ + if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL && + ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED || + ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE ) ) + { + ret = 0; + } - MBEDTLS_SSL_PROC_CHK( ssl_write_certificate_write( - ssl, buf, buf_len, &msg_len ) ); + if( ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) ); + ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED; + } - mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( - ssl, MBEDTLS_SSL_HS_CERTIFICATE, buf, msg_len ); + if( ret != 0 ) + { + /* The certificate may have been rejected for several reasons. + Pick one and send the corresponding alert. Which alert to send + may be a subject of debate in some cases. */ + if( verify_result & MBEDTLS_X509_BADCERT_OTHER ) + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret ); + else if( verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH ) + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT, ret ); + else if( verify_result & ( MBEDTLS_X509_BADCERT_KEY_USAGE | + MBEDTLS_X509_BADCERT_EXT_KEY_USAGE | + MBEDTLS_X509_BADCERT_NS_CERT_TYPE | + MBEDTLS_X509_BADCERT_BAD_PK | + MBEDTLS_X509_BADCERT_BAD_KEY ) ) + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret ); + else if( verify_result & MBEDTLS_X509_BADCERT_EXPIRED ) + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret ); + else if( verify_result & MBEDTLS_X509_BADCERT_REVOKED ) + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret ); + else if( verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA, ret ); + else + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret ); + } - MBEDTLS_SSL_PROC_CHK( ssl_write_certificate_postprocess( ssl ) ); - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg( - ssl, buf_len, msg_len ) ); +#if defined(MBEDTLS_DEBUG_C) + if( verify_result != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %x", + ssl->session_negotiate->verify_result ) ); } else -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ { - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); - MBEDTLS_SSL_PROC_CHK( ssl_write_certificate_postprocess( ssl ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) ); } +#endif /* MBEDTLS_DEBUG_C */ -cleanup: - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) ); + ssl->session_negotiate->verify_result = verify_result; return( ret ); } - - -static int ssl_write_certificate_coordinate( mbedtls_ssl_context* ssl ) +#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ +static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl ) { -#if defined(MBEDTLS_SSL_SRV_C) - int have_own_cert = 1; -#endif /* MBEDTLS_SSL_SRV_C */ - -#if defined(MBEDTLS_SSL_CLI_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, - ( "Switch to handshake traffic keys for outbound traffic" ) ); - -#if defined(MBEDTLS_SSL_USE_MPS) - { - int ret; + ((void) ssl); + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); +} +#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ +#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ - /* Use new transform for outgoing data. */ - ret = mbedtls_mps_set_outgoing_keys( &ssl->mps->l4, - ssl->handshake->epoch_handshake ); - if( ret != 0 ) - return( ret ); - } -#else - mbedtls_ssl_set_outbound_transform( ssl, ssl->handshake->transform_handshake ); -#endif /* MBEDTLS_SSL_USE_MPS */ - } -#endif /* MBEDTLS_SSL_CLI_C */ +int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) ); - /* For PSK and ECDHE-PSK ciphersuites there is no certificate to exchange. */ - if( mbedtls_ssl_tls13_kex_with_psk( ssl ) ) + /* Coordination: + * Check if we expect a certificate, and if yes, + * check if a non-empty certificate has been sent. */ + MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_read_certificate_coordinate( ssl ) ); +#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) + if( ret == SSL_CERTIFICATE_EXPECTED ) { - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); - return( SSL_WRITE_CERTIFICATE_SKIP ); - } + unsigned char *buf; + size_t buf_len; -#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) - MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); -#else + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( + ssl, MBEDTLS_SSL_HS_CERTIFICATE, + &buf, &buf_len ) ); -#if defined(MBEDTLS_SSL_CLI_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + /* Parse the certificate chain sent by the peer. */ + MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate( ssl, buf, + buf + buf_len ) ); + /* Validate the certificate chain and set the verification results. */ + MBEDTLS_SSL_PROC_CHK( ssl_tls13_validate_certificate( ssl ) ); + + mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE, + buf, buf_len ); +#if defined(MBEDTLS_SSL_USE_MPS) + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_mps_hs_consume_full_hs_msg( ssl ) ); +#endif /* MBEDTLS_SSL_USE_MPS */ + + } + else +#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ + if( ret == SSL_CERTIFICATE_SKIP ) { - /* The client MUST send a Certificate message if and only - * if the server has requested client authentication via a - * CertificateRequest message. - * - * client_auth indicates whether the server had requested - * client authentication. - */ - if( ssl->client_auth == 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); - return( SSL_WRITE_CERTIFICATE_SKIP ); - } + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); + ret = 0; } -#endif /* MBEDTLS_SSL_CLI_C */ -#if defined(MBEDTLS_SSL_SRV_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + else { - if( have_own_cert == 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - } + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; } -#endif /* MBEDTLS_SSL_SRV_C */ - return( SSL_WRITE_CERTIFICATE_AVAILABLE ); -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ -} +cleanup: + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) ); + return( ret ); +} +/* + * + * STATE HANDLING: Incoming Finished message. + */ +/* + * Implementation + */ -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) -static int ssl_write_certificate_write( mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen ) +static int ssl_tls13_preprocess_finished_message( mbedtls_ssl_context *ssl ) { - size_t i=0, n, total_len; - const mbedtls_x509_crt* crt; - unsigned char* start; + int ret; - /* TODO: Add bounds checks! Only then remove the next line. */ - ((void) buflen ); + ret = mbedtls_ssl_tls13_calculate_verify_data( ssl, + ssl->handshake->state_local.finished_in.digest, + sizeof( ssl->handshake->state_local.finished_in.digest ), + &ssl->handshake->state_local.finished_in.digest_len, + ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ? + MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_calculate_verify_data", ret ); + return( ret ); + } - /* empty certificate_request_context with length 0 */ - buf[i] = 0; - /* Skip length of certificate_request_context and - * the length of CertificateEntry - */ - i += 1; + return( 0 ); +} -#if defined(MBEDTLS_SSL_CLI_C) - /* If the server requests client authentication but no suitable - * certificate is available, the client MUST send a - * Certificate message containing no certificates - * ( i.e., with the "certificate_list" field having length 0 ). - * - * authmode indicates whether the client configuration required authentication. +static int ssl_tls13_parse_finished_message( mbedtls_ssl_context *ssl, + const unsigned char *buf, + const unsigned char *end ) +{ + /* + * struct { + * opaque verify_data[Hash.length]; + * } Finished; */ - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && ( ( mbedtls_ssl_own_cert( ssl ) == NULL ) || ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE ) ) + const unsigned char *expected_verify_data = + ssl->handshake->state_local.finished_in.digest; + size_t expected_verify_data_len = + ssl->handshake->state_local.finished_in.digest_len; + /* Structural validation */ + if( (size_t)( end - buf ) != expected_verify_data_len ) { - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write empty client certificate" ) ); - buf[i] = 0; - buf[i + 1] = 0; - buf[i + 2] = 0; - i += 3; + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); - goto empty_cert; + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, + MBEDTLS_ERR_SSL_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_DECODE_ERROR ); } -#endif /* MBEDTLS_SSL_CLI_C */ - start = &buf[i]; - crt = mbedtls_ssl_own_cert( ssl ); - MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) ); - - i += 3; + MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (self-computed):", + expected_verify_data, + expected_verify_data_len ); + MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (received message):", buf, + expected_verify_data_len ); - while ( crt != NULL ) + /* Semantic validation */ + if( mbedtls_ct_memcmp( buf, + expected_verify_data, + expected_verify_data_len ) != 0 ) { - n = crt->raw.len; - if( n > buflen - 3 - i ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %" MBEDTLS_PRINTF_SIZET " > %d", - i + 3 + n, MBEDTLS_SSL_OUT_CONTENT_LEN ) ); - return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); - } + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); - buf[i] = (unsigned char)( n >> 16 ); - buf[i + 1] = (unsigned char)( n >> 8 ); - buf[i + 2] = (unsigned char)( n ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + } + return( 0 ); +} - i += 3; memcpy( buf + i, crt->raw.p, n ); - i += n; crt = crt->next; +#if defined(MBEDTLS_SSL_CLI_C) +static int ssl_tls13_postprocess_server_finished_message( mbedtls_ssl_context *ssl ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + mbedtls_ssl_key_set traffic_keys; + mbedtls_ssl_transform *transform_application = NULL; - /* Currently, we don't have any certificate extensions defined. - * Hence, we are sending an empty extension with length zero. - */ - buf[i] = 0; - buf[i + 1] = 0; - i += 2; + ret = mbedtls_ssl_tls13_key_schedule_stage_application( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, + "mbedtls_ssl_tls13_key_schedule_stage_application", ret ); + goto cleanup; } - total_len = &buf[i] - start - 3; - *start++ = (unsigned char)( ( total_len ) >> 16 ); - *start++ = (unsigned char)( ( total_len ) >> 8 ); - *start++ = (unsigned char)( ( total_len ) ); -#if defined(MBEDTLS_SSL_CLI_C) -empty_cert: -#endif /* MBEDTLS_SSL_CLI_C */ + ret = mbedtls_ssl_tls13_generate_application_keys( ssl, &traffic_keys ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, + "mbedtls_ssl_tls13_generate_application_keys", ret ); + goto cleanup; + } - *olen = i; + transform_application = + mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) ); + if( transform_application == NULL ) + { + ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; + goto cleanup; + } - return( 0 ); -} -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ + ret = mbedtls_ssl_tls13_populate_transform( + transform_application, + ssl->conf->endpoint, + ssl->session_negotiate->ciphersuite, + &traffic_keys, + ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret ); + goto cleanup; + } +#if !defined(MBEDTLS_SSL_USE_MPS) + ssl->transform_application = transform_application; +#else /* MBEDTLS_SSL_USE_MPS */ + ret = mbedtls_mps_add_key_material( &ssl->mps->l4, + transform_application, + &ssl->epoch_application ); + if( ret != 0 ) + goto cleanup; +#endif /* MBEDTLS_SSL_USE_MPS */ +cleanup: -/* Update the state after handling the outgoing certificate message. */ -static int ssl_write_certificate_postprocess( mbedtls_ssl_context* ssl ) -{ -#if defined(MBEDTLS_SSL_CLI_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) ); + if( ret != 0 ) { - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY ); - return( 0 ); + mbedtls_free( transform_application ); + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); } - else + return( ret ); +} #endif /* MBEDTLS_SSL_CLI_C */ +static int ssl_tls13_postprocess_finished_message( mbedtls_ssl_context *ssl ) +{ #if defined(MBEDTLS_SSL_SRV_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + int ret; + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + { + /* Compute resumption_master_secret */ + ret = mbedtls_ssl_tls13_generate_resumption_master_secret( ssl ); + if( ret != 0 ) { - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY ); - return( 0 ); + MBEDTLS_SSL_DEBUG_RET( 1, + "mbedtls_ssl_tls13_generate_resumption_master_secret ", ret ); + return( ret ); } + + return( 0 ); + } #endif /* MBEDTLS_SSL_SRV_C */ +#if defined(MBEDTLS_SSL_CLI_C) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + { + return( ssl_tls13_postprocess_server_finished_message( ssl ) ); + } +#endif /* MBEDTLS_SSL_CLI_C */ + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - - -/* - * - * STATE HANDLING: Incoming Certificate - * - */ - -/* - * Overview - */ - -/* Main state-handling entry point; orchestrates the other functions. */ -int mbedtls_ssl_read_certificate_process( mbedtls_ssl_context* ssl ); - -/* Coordination: Check if a certificate is expected. - * Returns a negative error code on failure, and otherwise - * SSL_CERTIFICATE_EXPECTED or - * SSL_CERTIFICATE_SKIP - * indicating whether a Certificate message is expected or not. - */ -#define SSL_CERTIFICATE_EXPECTED 0 -#define SSL_CERTIFICATE_SKIP 1 -static int ssl_read_certificate_coordinate( mbedtls_ssl_context* ssl ); - -#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) -/* Parse certificate chain send by the peer. */ -static int ssl_read_certificate_parse( mbedtls_ssl_context* ssl, - unsigned char const* buf, - size_t buflen ); -/* Validate certificate chain sent by the peer. */ -static int ssl_read_certificate_validate( mbedtls_ssl_context* ssl ); - -#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ - -/* Update the state after handling the incoming certificate message. */ -static int ssl_read_certificate_postprocess( mbedtls_ssl_context* ssl ); - -/* - * Implementation - */ - -int mbedtls_ssl_read_certificate_process( mbedtls_ssl_context* ssl ) +int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl ) { - int ret; - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) ); - - /* Coordination: - * Check if we expect a certificate, and if yes, - * check if a non-empty certificate has been sent. */ - MBEDTLS_SSL_PROC_CHK_NEG( ssl_read_certificate_coordinate( ssl ) ); -#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) - if( ret == SSL_CERTIFICATE_EXPECTED ) - { - unsigned char *buf; - size_t buflen; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + unsigned char *buf; + size_t buf_len; - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls1_3_fetch_handshake_msg( ssl, - MBEDTLS_SSL_HS_CERTIFICATE, - &buf, &buflen ) ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished message" ) ); - /* Parse the certificate chain sent by the peer. */ - MBEDTLS_SSL_PROC_CHK( ssl_read_certificate_parse( ssl, buf, buflen ) ); - /* Validate the certificate chain and set the verification results. */ - MBEDTLS_SSL_PROC_CHK( ssl_read_certificate_validate( ssl ) ); + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl, + MBEDTLS_SSL_HS_FINISHED, + &buf, &buf_len ) ); + /* Preprocessing step: Compute handshake digest */ + MBEDTLS_SSL_PROC_CHK( ssl_tls13_preprocess_finished_message( ssl ) ); + + MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_finished_message( ssl, buf, buf + buf_len ) ); + mbedtls_ssl_tls13_add_hs_msg_to_checksum( + ssl, MBEDTLS_SSL_HS_FINISHED, buf, buf_len ); - mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( - ssl, MBEDTLS_SSL_HS_CERTIFICATE, buf, buflen ); #if defined(MBEDTLS_SSL_USE_MPS) - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_mps_hs_consume_full_hs_msg( ssl ) ); + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_mps_hs_consume_full_hs_msg( ssl ) ); #endif /* MBEDTLS_SSL_USE_MPS */ - } - else -#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ - if( ret == SSL_CERTIFICATE_SKIP ) - { - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); - } - else - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - } - - /* Update state */ - MBEDTLS_SSL_PROC_CHK( ssl_read_certificate_postprocess( ssl ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_finished_message( ssl ) ); cleanup: - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished message" ) ); return( ret ); } -static int ssl_read_certificate_coordinate( mbedtls_ssl_context* ssl ) -{ -#if defined(MBEDTLS_SSL_SRV_C) - int authmode = ssl->conf->authmode; -#endif /* MBEDTLS_SSL_SRV_C */ - -#if defined(MBEDTLS_SSL_SRV_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) ); +/* + * + * STATE HANDLING: Write and send Finished message. + * + */ +/* + * Implement + */ -#if defined(MBEDTLS_SSL_USE_MPS) - { - int ret; - ret = mbedtls_mps_set_incoming_keys( &ssl->mps->l4, - ssl->handshake->epoch_handshake ); - if( ret != 0 ) - return( ret ); - } -#else - mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake ); -#endif /* MBEDTLS_SSL_USE_MPS */ - } -#endif /* MBEDTLS_SSL_SRV_C */ +static int ssl_tls13_prepare_finished_message( mbedtls_ssl_context *ssl ) +{ + int ret; - if( mbedtls_ssl_tls13_kex_with_psk( ssl ) ) - return( SSL_CERTIFICATE_SKIP ); + /* Compute transcript of handshake up to now. */ + ret = mbedtls_ssl_tls13_calculate_verify_data( ssl, + ssl->handshake->state_local.finished_out.digest, + sizeof( ssl->handshake->state_local.finished_out.digest ), + &ssl->handshake->state_local.finished_out.digest_len, + ssl->conf->endpoint ); -#if !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) - ( ( void )authmode ); - MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); -#else -#if defined(MBEDTLS_SSL_SRV_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + if( ret != 0 ) { - /* If SNI was used, overwrite authentication mode - * from the configuration. */ -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET ) - authmode = ssl->handshake->sni_authmode; -#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ - - if( authmode == MBEDTLS_SSL_VERIFY_NONE ) - { - /* NOTE: Is it intentional that we set verify_result - * to SKIP_VERIFY on server-side only? */ - ssl->session_negotiate->verify_result = - MBEDTLS_X509_BADCERT_SKIP_VERIFY; - return( SSL_CERTIFICATE_SKIP ); - } + MBEDTLS_SSL_DEBUG_RET( 1, "calculate_verify_data failed", ret ); + return( ret ); } -#endif /* MBEDTLS_SSL_SRV_C */ - return( SSL_CERTIFICATE_EXPECTED ); -#endif /* !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ + return( 0 ); } -#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) -/* Write certificate message based on the configured certificate */ -static int ssl_read_certificate_parse( mbedtls_ssl_context* ssl, - unsigned char const* buf, - size_t buflen ) +static int ssl_tls13_finalize_finished_message( mbedtls_ssl_context *ssl ) { - int ret; - size_t i, n, certificate_request_context_len; + int ret = 0; +#if defined(MBEDTLS_SSL_CLI_C) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + { + /* Compute resumption_master_secret */ + ret = mbedtls_ssl_tls13_generate_resumption_master_secret( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, + "mbedtls_ssl_tls13_generate_resumption_master_secret ", ret ); + return ( ret ); + } + + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_FLUSH_BUFFERS ); + } + else +#endif /* MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_SSL_SRV_C) - int authmode = ssl->conf->authmode; - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) { - /* read certificate request context length */ - certificate_request_context_len = (size_t) buf[0]; + mbedtls_ssl_key_set traffic_keys; + mbedtls_ssl_transform *transform_application; - /* verify message length */ - if( buflen < 3 + certificate_request_context_len + 1 ) + ret = mbedtls_ssl_tls13_key_schedule_stage_application( ssl ); + if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, - MBEDTLS_ERR_SSL_DECODE_ERROR ); - return( MBEDTLS_ERR_SSL_DECODE_ERROR ); + MBEDTLS_SSL_DEBUG_RET( 1, + "mbedtls_ssl_tls13_key_schedule_stage_application", ret ); + return( ret ); } - /* check whether we got an empty certificate message */ - if( memcmp( buf + 1 + certificate_request_context_len , "\0\0\0", 3 ) == 0 ) + ret = mbedtls_ssl_tls13_generate_application_keys( + ssl, &traffic_keys ); + if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "client has no certificate - empty certificate message received" ) ); - - ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; - if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) - return( 0 ); - else - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "client certificate required" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_REQUIRED, - MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); - return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); - } + MBEDTLS_SSL_DEBUG_RET( 1, + "mbedtls_ssl_tls13_generate_application_keys", ret ); + return( ret ); } + + transform_application = + mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) ); + if( transform_application == NULL ) + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + + ret = mbedtls_ssl_tls13_populate_transform( + transform_application, ssl->conf->endpoint, + ssl->session_negotiate->ciphersuite, + &traffic_keys, ssl ); + if( ret != 0 ) + return( ret ); + +#if !defined(MBEDTLS_SSL_USE_MPS) + ssl->transform_application = transform_application; +#else /* MBEDTLS_SSL_USE_MPS */ + /* Register transform with MPS. */ + ret = mbedtls_mps_add_key_material( &ssl->mps->l4, + transform_application, + &ssl->epoch_application ); + if( ret != 0 ) + return( ret ); +#endif /* MBEDTLS_SSL_USE_MPS */ + + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_EARLY_APP_DATA ); } + else #endif /* MBEDTLS_SSL_SRV_C */ - - if( buflen < 3 + 3 ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, - MBEDTLS_ERR_SSL_DECODE_ERROR ); - return( MBEDTLS_ERR_SSL_DECODE_ERROR ); + /* Should never happen */ + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - i = 0; + return( 0 ); +} - /* length information of certificate_request_context */ - certificate_request_context_len = buf[i + 1]; +static int ssl_tls13_write_finished_message_body( mbedtls_ssl_context *ssl, + unsigned char *buf, + unsigned char *end, + size_t *out_len ) +{ + size_t verify_data_len = ssl->handshake->state_local.finished_out.digest_len; + /* + * struct { + * opaque verify_data[Hash.length]; + * } Finished; + */ + MBEDTLS_SSL_CHK_BUF_PTR( buf, end, verify_data_len ); - /* skip certificate_request_context */ - i += certificate_request_context_len + 1; + memcpy( buf, ssl->handshake->state_local.finished_out.digest, + verify_data_len ); - n = ( buf[i + 1] << 8 ) | buf[i + 2]; + *out_len = verify_data_len; + return( 0 ); +} - if( buf[i] != 0 || - buflen != ( n + 3 + certificate_request_context_len + 1 ) ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, - MBEDTLS_ERR_SSL_DECODE_ERROR ); - return( MBEDTLS_ERR_SSL_DECODE_ERROR ); - } +/* Main entry point: orchestrates the other functions */ +int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + unsigned char *buf; + size_t buf_len, msg_len; - /* In case we tried to reuse a session but it failed */ - if( ssl->session_negotiate->peer_cert != NULL ) - { - mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert ); - mbedtls_free( ssl->session_negotiate->peer_cert ); - } + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished message" ) ); - if( ( ssl->session_negotiate->peer_cert = mbedtls_calloc( 1, - sizeof( mbedtls_x509_crt ) ) ) == NULL ) + if( !ssl->handshake->state_local.finished_out.preparation_done ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc( %" MBEDTLS_PRINTF_SIZET " bytes ) failed", - sizeof( mbedtls_x509_crt ) ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR, - MBEDTLS_ERR_SSL_ALLOC_FAILED ); - return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_finished_message( ssl ) ); + ssl->handshake->state_local.finished_out.preparation_done = 1; } - mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert ); + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl, + MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len ) ); - i += 3; + MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_finished_message_body( + ssl, buf, buf + buf_len, &msg_len ) ); - while ( i < buflen ) - { - if( buf[i] != 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, - MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - } + mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED, + buf, msg_len ); - n = ( ( unsigned int )buf[i + 1] << 8 ) - | ( unsigned int )buf[i + 2]; - i += 3; + MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_finished_message( ssl ) ); + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg( ssl, + buf_len, msg_len ) ); + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_flush_output( ssl ) ); - if( n < 128 || i + n > buflen ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, - MBEDTLS_ERR_SSL_DECODE_ERROR ); - return( MBEDTLS_ERR_SSL_DECODE_ERROR ); - } +cleanup: - ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert, - buf + i, n ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished message" ) ); + return( ret ); +} - switch( ret ) - { - case 0: /*ok*/ - case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND: - /* Ignore certificate with an unknown algorithm: maybe a - prior certificate was already trusted. */ - break; +void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl ) +{ - case MBEDTLS_ERR_X509_ALLOC_FAILED: - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR, - MBEDTLS_ERR_X509_ALLOC_FAILED ); - MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret ); - return( ret ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) ); - case MBEDTLS_ERR_X509_UNKNOWN_VERSION: - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, - MBEDTLS_ERR_X509_UNKNOWN_VERSION ); - MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret ); - return( ret ); + /* + * Free the previous session and switch to the current one. + */ + if( ssl->session ) + { + mbedtls_ssl_session_free( ssl->session ); + mbedtls_free( ssl->session ); + } + ssl->session = ssl->session_negotiate; + ssl->session_negotiate = NULL; - default: - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT, - ret ); - MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret ); - return( ret ); - } + MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) ); +} - i += n; +/* + * + * STATE HANDLING: Write ChangeCipherSpec + * + */ +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) - /* length information of certificate extensions */ - n = ( buf[i] << 8 ) | buf[i + 1]; +#define SSL_WRITE_CCS_NEEDED 0 +#define SSL_WRITE_CCS_SKIP 1 +static int ssl_tls13_write_change_cipher_spec_coordinate( mbedtls_ssl_context *ssl ) +{ +#if !defined(MBEDTLS_SSL_SRV_C) + ( ( void ) ssl ); +#endif /* !MBEDTLS_SSL_SRV_C */ + int ret = SSL_WRITE_CCS_NEEDED; - /* we ignore the certificate extension right now */ - i += 2 + n; +#if defined(MBEDTLS_SSL_SRV_C) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + { + if( ssl->state == MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO ) + { + /* Only transmit the CCS if we have not done so + * earlier already after the HRR. + */ + if( ssl->handshake->hello_retry_requests_sent == 0 ) + ret = SSL_WRITE_CCS_NEEDED; + else + ret = SSL_WRITE_CCS_SKIP; + } } +#endif /* MBEDTLS_SSL_SRV_C */ + return( ret ); +} - MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert ); +#if !defined(MBEDTLS_SSL_USE_MPS) +static int ssl_tls13_write_change_cipher_spec_body( mbedtls_ssl_context *ssl, + unsigned char *buf, + unsigned char *end, + size_t *olen ) +{ + ((void) ssl); + + MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 1 ); + buf[0] = 1; + *olen = 1; return( 0 ); } -#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ +#endif /* !MBEDTLS_SSL_USE_MPS */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) -static int ssl_read_certificate_validate( mbedtls_ssl_context* ssl ) +static int ssl_tls13_write_change_cipher_spec_postprocess( mbedtls_ssl_context *ssl ) { - int ret = 0; - int authmode = ssl->conf->authmode; - mbedtls_x509_crt* ca_chain; - mbedtls_x509_crl* ca_crl; - - /* If SNI was used, overwrite authentication mode - * from the configuration. */ -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET ) - authmode = ssl->handshake->sni_authmode; -#endif - /* - * If the client hasn't sent a certificate ( i.e. it sent - * an empty certificate chain ), this is reflected in the peer CRT - * structure being unset. - * Check for that and handle it depending on the - * server's authentication mode. - */ #if defined(MBEDTLS_SSL_SRV_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && - ssl->session_negotiate->peer_cert == NULL ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "client has no certificate" ) ); + switch( ssl->state ) + { + case MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO: + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS ); + ssl->handshake->ccs_sent++; + break; - /* The client was asked for a certificate but didn't send - one. The client should know what's going on, so we - don't send an alert. */ + case MBEDTLS_SSL_SERVER_CCS_AFTER_HRR: + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SECOND_CLIENT_HELLO ); + ssl->handshake->ccs_sent++; + break; - /* Note that for authmode == VERIFY_NONE we don't end up in this - * routine in the first place, because ssl_read_certificate_coordinate - * will return CERTIFICATE_SKIP. */ - ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; - if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) - return( 0 ); - else - return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); + default: + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } } #endif /* MBEDTLS_SSL_SRV_C */ - - if( authmode == MBEDTLS_SSL_VERIFY_NONE ) +#if defined(MBEDTLS_SSL_CLI_C) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) { - /* NOTE: This happens on client-side only, with the - * server-side case of VERIFY_NONE being handled earlier - * and leading to `ssl->verify_result` being set to - * MBEDTLS_X509_BADCERT_SKIP_VERIFY -- - * is this difference intentional? */ - return( 0 ); + switch( ssl->state ) + { + case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO: + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_EARLY_APP_DATA ); + break; + case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO: + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO ); + break; + case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED: + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE ); + break; + default: + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } } +#endif /* MBEDTLS_SSL_CLI_C */ -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - if( ssl->handshake->sni_ca_chain != NULL ) - { - ca_chain = ssl->handshake->sni_ca_chain; - ca_crl = ssl->handshake->sni_ca_crl; - } - else -#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ - { - ca_chain = ssl->conf->ca_chain; - ca_crl = ssl->conf->ca_crl; - } + return( 0 ); +} - /* - * Main check: verify certificate - */ - ret = mbedtls_x509_crt_verify_with_profile( - ssl->session_negotiate->peer_cert, - ca_chain, ca_crl, - ssl->conf->cert_profile, - ssl->hostname, - &ssl->session_negotiate->verify_result, - ssl->conf->f_vrfy, ssl->conf->p_vrfy ); +int mbedtls_ssl_tls13_write_change_cipher_spec_process( mbedtls_ssl_context *ssl ) +{ + int ret; - if( ret != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret ); - } + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) ); - /* - * Secondary checks: always done, but change 'ret' only if it was 0 - */ + MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_write_change_cipher_spec_coordinate( ssl ) ); -#if defined(MBEDTLS_ECP_C) + if( ret == SSL_WRITE_CCS_NEEDED ) { - const mbedtls_pk_context* pk = &ssl->session_negotiate->peer_cert->pk; +#if defined(MBEDTLS_SSL_USE_MPS) - /* If certificate uses an EC key, make sure the curve is OK */ - if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) && - mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 ) - { - ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY; + MBEDTLS_SSL_PROC_CHK( mbedtls_mps_flush( &ssl->mps->l4 ) ); + MBEDTLS_SSL_PROC_CHK( mbedtls_mps_write_ccs( &ssl->mps->l4 ) ); + MBEDTLS_SSL_PROC_CHK( mbedtls_mps_dispatch( &ssl->mps->l4 ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_change_cipher_spec_postprocess( ssl ) ); - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( EC key curve )" ) ); - if( ret == 0 ) - ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; - } - } -#endif /* MBEDTLS_ECP_C */ +#else /* MBEDTLS_SSL_USE_MPS */ + /* Make sure we can write a new message. */ + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_flush_output( ssl ) ); - if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert, - ssl->handshake->key_exchange, /* ciphersuite_info, */ - !ssl->conf->endpoint, - &ssl->session_negotiate->verify_result ) != 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( usage extensions )" ) ); - if( ret == 0 ) - ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; - } + /* Write CCS message */ + MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_change_cipher_spec_body( + ssl, ssl->out_msg, + ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN, + &ssl->out_msglen ) ); - /* mbedtls_x509_crt_verify_with_profile is supposed to report a - * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED, - * with details encoded in the verification flags. All other kinds - * of error codes, including those from the user provided f_vrfy - * functions, are treated as fatal and lead to a failure of - * ssl_parse_certificate even if verification was optional. */ - if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL && - ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED || - ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE ) ) - { - ret = 0; - } + ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC; - if( ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) ); - ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED; - } + /* Update state */ + MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_change_cipher_spec_postprocess( ssl ) ); - if( ret != 0 ) - { - /* The certificate may have been rejected for several reasons. - Pick one and send the corresponding alert. Which alert to send - may be a subject of debate in some cases. */ - if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER ) - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret ); - else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH ) - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT, ret ); - else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE ) - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret ); - else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE ) - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret ); - else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE ) - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret ); - else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK ) - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret ); - else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY ) - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret ); - else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED ) - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret ); - else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED ) - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret ); - else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA, ret ); - else - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret ); - } + /* Dispatch message */ + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ); -#if defined(MBEDTLS_DEBUG_C) - if( ssl->session_negotiate->verify_result != 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %x", - ssl->session_negotiate->verify_result ) ); +#endif /* MBEDTLS_SSL_USE_MPS */ } else { - MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) ); + /* Update state */ + MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_change_cipher_spec_postprocess( ssl ) ); } -#endif /* MBEDTLS_DEBUG_C */ +cleanup: + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) ); return( ret ); } -#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ +#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ + +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) -static int ssl_read_certificate_postprocess( mbedtls_ssl_context* ssl ) +int mbedtls_ssl_tls13_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t buf_len ) { -#if defined(MBEDTLS_SSL_SRV_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + size_t sig_alg_list_size; /* size of receive signature algorithms list */ + const unsigned char *p; /* pointer to individual signature algorithm */ + const unsigned char *end = buf + buf_len; /* end of buffer */ + const uint16_t *sig_alg; /* iterate through configured signature schemes */ + int signature_scheme; /* store received signature algorithm scheme */ + uint32_t common_idx = 0; /* iterate through received_signature_schemes_list */ + + if( buf_len < 2 ) { - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad signature_algorithms extension" ) ); + return( MBEDTLS_ERR_SSL_DECODE_ERROR ); } - else -#endif /* MBEDTLS_SSL_SRV_C */ + + sig_alg_list_size = MBEDTLS_GET_UINT16_BE( buf, 0 ); + if( sig_alg_list_size + 2 != buf_len || + sig_alg_list_size % 2 != 0 ) { - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad signature_algorithms extension" ) ); + return( MBEDTLS_ERR_SSL_DECODE_ERROR ); } - return( 0 ); -} + memset( ssl->handshake->received_signature_schemes_list, + 0, sizeof( ssl->handshake->received_signature_schemes_list ) ); -void mbedtls_ssl_handshake_wrapup_tls13( mbedtls_ssl_context *ssl ) -{ + for( p = buf + 2; p < end && common_idx + 1 < MBEDTLS_SIGNATURE_SCHEMES_SIZE; p += 2 ) + { + signature_scheme = MBEDTLS_GET_UINT16_BE( p, 0 ); - MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) ); + MBEDTLS_SSL_DEBUG_MSG( 4, ( "received signature algorithm: 0x%x", signature_scheme ) ); + for( sig_alg = ssl->conf->tls13_sig_algs; + *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ ) + { + if( *sig_alg == signature_scheme ) + { + ssl->handshake->received_signature_schemes_list[common_idx] = signature_scheme; + common_idx++; + break; + } + } + } - /* - * Free the previous session and switch in the current one - */ - if( ssl->session ) + if( common_idx == 0 ) { - - mbedtls_ssl_session_free( ssl->session ); - mbedtls_free( ssl->session ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature algorithm in common" ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); } - ssl->session = ssl->session_negotiate; - ssl->session_negotiate = NULL; - MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) ); + ssl->handshake->received_signature_schemes_list[common_idx] = + MBEDTLS_TLS1_3_SIG_NONE; + + return( 0 ); } +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ /* * - * STATE HANDLING: Outgoing Finished + * STATE HANDLING: Write CertificateVerify * */ @@ -2019,179 +1795,273 @@ void mbedtls_ssl_handshake_wrapup_tls13( mbedtls_ssl_context *ssl ) * Overview */ -/* Main entry point: orchestrates the other functions */ -int mbedtls_ssl_finished_out_process( mbedtls_ssl_context* ssl ); - -static int ssl_finished_out_prepare( mbedtls_ssl_context* ssl ); -static int ssl_finished_out_write( mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen ); -static int ssl_finished_out_postprocess( mbedtls_ssl_context* ssl ); +/* Main entry point: orchestrates the other functions. */ +int mbedtls_ssl_tls13_write_certificate_verify_process( mbedtls_ssl_context *ssl ); +/* Coordinate: Check whether a certificate verify message should be sent. + * Returns a negative value on failure, and otherwise + * - SSL_WRITE_CERTIFICATE_VERIFY_SKIP + * - SSL_WRITE_CERTIFICATE_VERIFY_SEND + * to indicate if the CertificateVerify message should be sent or not. + */ +#define SSL_WRITE_CERTIFICATE_VERIFY_SKIP 0 +#define SSL_WRITE_CERTIFICATE_VERIFY_SEND 1 +static int ssl_tls13_write_certificate_verify_coordinate( mbedtls_ssl_context *ssl ); +#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) +static int ssl_tls13_certificate_verify_write( mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t buf_len, + size_t *out_len ); +#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ +static int ssl_tls13_certificate_verify_postprocess( mbedtls_ssl_context *ssl ); /* * Implementation */ - -int mbedtls_ssl_finished_out_process( mbedtls_ssl_context* ssl ) +int mbedtls_ssl_tls13_write_certificate_verify_process( mbedtls_ssl_context *ssl ) { - int ret; - unsigned char *buf; - size_t buf_len, msg_len; + int ret = 0; + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) ); + /* Coordination step: Check if we need to send a CertificateVerify */ + MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_write_certificate_verify_coordinate( ssl ) ); - if( !ssl->handshake->state_local.finished_out.preparation_done ) + if( ret == SSL_WRITE_CERTIFICATE_VERIFY_SEND ) { - MBEDTLS_SSL_PROC_CHK( ssl_finished_out_prepare( ssl ) ); - ssl->handshake->state_local.finished_out.preparation_done = 1; - } + unsigned char *buf; + size_t buf_len, msg_len; - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl, - MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len ) ); + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl, + MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) ); - MBEDTLS_SSL_PROC_CHK( ssl_finished_out_write( - ssl, buf, buf_len, &msg_len ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_certificate_verify_write( + ssl, buf, buf_len, &msg_len ) ); - mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( - ssl, MBEDTLS_SSL_HS_FINISHED, buf, msg_len ); + mbedtls_ssl_tls13_add_hs_msg_to_checksum( + ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, buf, msg_len ); + /* Update state */ + MBEDTLS_SSL_PROC_CHK( ssl_tls13_certificate_verify_postprocess( ssl ) ); - MBEDTLS_SSL_PROC_CHK( ssl_finished_out_postprocess( ssl ) ); - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg( - ssl, buf_len, msg_len ) ); - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_flush_output( ssl ) ); + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg( + ssl, buf_len, msg_len ) ); + } + else + { + MBEDTLS_SSL_PROC_CHK( ssl_tls13_certificate_verify_postprocess( ssl ) ); + } cleanup: - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) ); return( ret ); } -static int ssl_finished_out_prepare( mbedtls_ssl_context* ssl ) +static int ssl_tls13_write_certificate_verify_coordinate( mbedtls_ssl_context *ssl ) { + int have_own_cert = 1; int ret; - /* Compute transcript of handshake up to now. */ - ret = mbedtls_ssl_tls1_3_calc_finished( ssl, - ssl->handshake->state_local.finished_out.digest, - sizeof( ssl->handshake->state_local.finished_out.digest ), - &ssl->handshake->state_local.finished_out.digest_len, - ssl->conf->endpoint ); + if( mbedtls_ssl_tls13_kex_with_psk( ssl ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); + return( SSL_WRITE_CERTIFICATE_VERIFY_SKIP ); + } - if( ret != 0 ) +#if !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); +#else + if( mbedtls_ssl_own_cert( ssl ) == NULL ) + have_own_cert = 0; + + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) { - MBEDTLS_SSL_DEBUG_RET( 1, "calc_finished failed", ret ); - return( ret ); + if( ssl->client_auth == 0 || + have_own_cert == 0 || + ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); + return( SSL_WRITE_CERTIFICATE_VERIFY_SKIP ); + } } - return( 0 ); + if( have_own_cert == 0 && + ssl->client_auth == 1 && + ssl->conf->authmode != MBEDTLS_SSL_VERIFY_NONE ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate" ) ); + return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); + } + + /* + * Check whether the signature scheme corresponds to the key we are using + */ + if( mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) ) != + MBEDTLS_SSL_SIG_ECDSA ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, + ( "Certificate Verify: Only ECDSA signature algorithm is currently supported." ) ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + } + + /* Calculate the transcript hash */ + ret = mbedtls_ssl_get_handshake_transcript( ssl, + ssl->handshake->ciphersuite_info->mac, + ssl->handshake->state_local.certificate_verify_out.handshake_hash, + sizeof( ssl->handshake->state_local.certificate_verify_out.handshake_hash ), + &ssl->handshake->state_local.certificate_verify_out.handshake_hash_len ); + if( ret != 0 ) + return( ret ); + + MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash", + ssl->handshake->state_local.certificate_verify_out.handshake_hash, + ssl->handshake->state_local.certificate_verify_out.handshake_hash_len); + + return( SSL_WRITE_CERTIFICATE_VERIFY_SEND ); +#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ } -static int ssl_finished_out_postprocess( mbedtls_ssl_context* ssl ) + +#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) +static int ssl_tls13_certificate_verify_write( mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t buf_len, + size_t *out_len ) { - int ret = 0; + int ret; + size_t n = 0; + unsigned char verify_buffer[ MBEDTLS_SSL_VERIFY_STRUCT_MAX_SIZE ]; + const int *sig_scheme; /* iterate through configured signature schemes */ + size_t verify_buffer_len; + mbedtls_pk_context *own_key; + size_t own_key_size; + unsigned int md_alg; + int sig_alg; + unsigned char verify_hash[ MBEDTLS_MD_MAX_SIZE ]; + size_t verify_hash_len; + unsigned char *p; + const mbedtls_md_info_t *md_info; + /* Verify whether we can use signature algorithm */ + int signature_scheme_client; + unsigned char * const end = buf + buf_len; -#if defined(MBEDTLS_SSL_CLI_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + p = buf; + if( buf_len < 2 + MBEDTLS_MD_MAX_SIZE ) { - /* Compute resumption_master_secret */ - ret = mbedtls_ssl_tls1_3_generate_resumption_master_secret( ssl ); - if( ret != 0 ) + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too short" ) ); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + } + + /* Create verify structure */ + ssl_tls13_create_verify_structure( + ssl->handshake->state_local.certificate_verify_out.handshake_hash, + ssl->handshake->state_local.certificate_verify_out.handshake_hash_len, + verify_buffer, + &verify_buffer_len, + ssl->conf->endpoint ); + + /* + * struct { + * SignatureScheme algorithm; + * opaque signature<0..2^16-1>; + * } CertificateVerify; + */ + + /* Determine size of key */ + own_key = mbedtls_ssl_own_key( ssl ); + if( own_key != NULL) + { + own_key_size = mbedtls_pk_get_bitlen( own_key ); + switch( own_key_size) { - MBEDTLS_SSL_DEBUG_RET( 1, - "mbedtls_ssl_tls1_3_generate_resumption_master_secret ", ret ); - return ( ret ); + case 256: + md_alg = MBEDTLS_MD_SHA256; + sig_alg = MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256; + break; + case 384: + md_alg = MBEDTLS_MD_SHA384; + sig_alg = MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384; + break; + default: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown key size: %" MBEDTLS_PRINTF_SIZET " bits", + own_key_size ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_FLUSH_BUFFERS ); } else -#endif /* MBEDTLS_SSL_CLI_C */ -#if defined(MBEDTLS_SSL_SRV_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) { - mbedtls_ssl_key_set traffic_keys; - mbedtls_ssl_transform *transform_application; + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - ret = mbedtls_ssl_tls1_3_key_schedule_stage_application( ssl ); - if( ret != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, - "mbedtls_ssl_tls1_3_key_schedule_stage_application", ret ); - return( ret ); - } + signature_scheme_client = MBEDTLS_TLS1_3_SIG_NONE; - ret = mbedtls_ssl_tls1_3_generate_application_keys( - ssl, &traffic_keys ); - if( ret != 0 ) + for( sig_scheme = ssl->handshake->received_signature_schemes_list; + *sig_scheme != MBEDTLS_TLS1_3_SIG_NONE; sig_scheme++ ) + { + if( *sig_scheme == sig_alg ) { - MBEDTLS_SSL_DEBUG_RET( 1, - "mbedtls_ssl_tls1_3_generate_application_keys", ret ); - return( ret ); + signature_scheme_client = *sig_scheme; + break; } + } - transform_application = - mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) ); - if( transform_application == NULL ) - return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + if( signature_scheme_client == MBEDTLS_TLS1_3_SIG_NONE ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - ret = mbedtls_ssl_tls13_populate_transform( - transform_application, ssl->conf->endpoint, - ssl->session_negotiate->ciphersuite, - &traffic_keys, ssl ); - if( ret != 0 ) - return( ret ); + MBEDTLS_PUT_UINT16_BE( signature_scheme_client, p, 0 ); + p += 2; -#if !defined(MBEDTLS_SSL_USE_MPS) - ssl->transform_application = transform_application; -#else /* MBEDTLS_SSL_USE_MPS */ - /* Register transform with MPS. */ - ret = mbedtls_mps_add_key_material( &ssl->mps->l4, - transform_application, - &ssl->epoch_application ); - if( ret != 0 ) - return( ret ); -#endif /* MBEDTLS_SSL_USE_MPS */ + /* Hash verify buffer with indicated hash function */ + md_info = mbedtls_md_info_from_type( md_alg ); + if( md_info == NULL ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_EARLY_APP_DATA ); - } - else -#endif /* MBEDTLS_SSL_SRV_C */ + ret = mbedtls_md( md_info, verify_buffer, verify_buffer_len, verify_hash ); + if( ret != 0 ) + return( ret ); + + verify_hash_len = mbedtls_md_get_size( md_info ); + MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len ); + + if( ( ret = mbedtls_pk_sign( own_key, md_alg, + verify_hash, verify_hash_len, + p + 2, (size_t)( end - ( p + 2 ) ), &n, + ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) { - /* Should never happen */ - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); + return( ret ); } - return( 0 ); + MBEDTLS_PUT_UINT16_BE( n, p, 0 ); + p += 2 + n; + + *out_len = (size_t)( p - buf ); + return( ret ); } +#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ -static int ssl_finished_out_write( mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen ) +static int ssl_tls13_certificate_verify_postprocess( mbedtls_ssl_context *ssl ) { - size_t finished_len = ssl->handshake->state_local.finished_out.digest_len; - - /* Note: Even if DTLS is used, the current message writing functions - * write TLS headers, and it is only at sending time that the actual - * DTLS header is generated. That's why we unconditionally shift by - * 4 bytes here as opposed to mbedtls_ssl_hs_hdr_len( ssl ). */ - - if( buflen < finished_len ) - return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); - - memcpy( buf, ssl->handshake->state_local.finished_out.digest, - ssl->handshake->state_local.finished_out.digest_len ); + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + { + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED ); + } + else + { + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED ); + } - *olen = finished_len; return( 0 ); } /* * - * STATE HANDLING: Incoming Finished + * STATE HANDLING: Outgoing Certificate * */ @@ -2199,191 +2069,261 @@ static int ssl_finished_out_write( mbedtls_ssl_context* ssl, * Overview */ -/* Main entry point: orchestrates the other functions */ -int mbedtls_ssl_finished_in_process( mbedtls_ssl_context* ssl ); +/* Main state-handling entry point; orchestrates the other functions. */ +int mbedtls_ssl_tls13_write_certificate_process( mbedtls_ssl_context *ssl ); + +/* Check if a certificate should be written, and if yes, + * if it is available. + * Returns a negative error code on failure ( such as no certificate + * being available on the server ), and otherwise + * SSL_WRITE_CERTIFICATE_AVAILABLE or + * SSL_WRITE_CERTIFICATE_SKIP + * indicating that a Certificate message should be written based + * on the configured certificate, or whether it should be silently skipped. + */ -static int ssl_finished_in_preprocess( mbedtls_ssl_context* ssl ); -static int ssl_finished_in_postprocess( mbedtls_ssl_context* ssl ); -static int ssl_finished_in_parse( mbedtls_ssl_context* ssl, - const unsigned char* buf, - size_t buflen ); +#define SSL_WRITE_CERTIFICATE_AVAILABLE 0 +#define SSL_WRITE_CERTIFICATE_SKIP 1 +static int ssl_tls13_write_certificate_coordinate( mbedtls_ssl_context *ssl ); +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +/* Write certificate message based on the configured certificate */ +static int ssl_tls13_write_certificate_write( mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t buf_len, + size_t *out_len ); +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +/* Update the state after handling the outgoing certificate message. */ +static int ssl_tls13_write_certificate_postprocess( mbedtls_ssl_context *ssl ); /* * Implementation */ -int mbedtls_ssl_finished_in_process( mbedtls_ssl_context* ssl ) +int mbedtls_ssl_tls13_write_certificate_process( mbedtls_ssl_context *ssl ) { - int ret = 0; - unsigned char *buf; - size_t buflen; + int ret; + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) ); - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) ); + /* Coordination: Check if we need to send a certificate. */ + MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_write_certificate_coordinate( ssl ) ); - /* Preprocessing step: Compute handshake digest */ - MBEDTLS_SSL_PROC_CHK( ssl_finished_in_preprocess( ssl ) ); - - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls1_3_fetch_handshake_msg( - ssl, MBEDTLS_SSL_HS_FINISHED, - &buf, &buflen ) ); - MBEDTLS_SSL_PROC_CHK( ssl_finished_in_parse( ssl, buf, buflen ) ); - mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( - ssl, MBEDTLS_SSL_HS_FINISHED, buf, buflen ); -#if defined(MBEDTLS_SSL_USE_MPS) - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_mps_hs_consume_full_hs_msg( ssl ) ); -#endif /* MBEDTLS_SSL_USE_MPS */ - MBEDTLS_SSL_PROC_CHK( ssl_finished_in_postprocess( ssl ) ); +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) + if( ret == SSL_WRITE_CERTIFICATE_AVAILABLE ) + { + unsigned char *buf; + size_t buf_len, msg_len; -cleanup: + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl, + MBEDTLS_SSL_HS_CERTIFICATE, &buf, &buf_len ) ); - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) ); - return( ret ); -} + MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_write( + ssl, buf, buf_len, &msg_len ) ); -static int ssl_finished_in_preprocess( mbedtls_ssl_context* ssl ) -{ - int ret; + mbedtls_ssl_tls13_add_hs_msg_to_checksum( + ssl, MBEDTLS_SSL_HS_CERTIFICATE, buf, msg_len ); - ret = mbedtls_ssl_tls1_3_calc_finished( ssl, - ssl->handshake->state_local.finished_in.digest, - sizeof( ssl->handshake->state_local.finished_in.digest ), - &ssl->handshake->state_local.finished_in.digest_len, - ssl->conf->endpoint ^ 1 ); - if( ret != 0 ) + MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_postprocess( ssl ) ); + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg( + ssl, buf_len, msg_len ) ); + } + else +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_calc_finished", ret ); - return( ret ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_postprocess( ssl ) ); } - return( 0 ); +cleanup: + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) ); + return( ret ); } -static int ssl_finished_in_parse( mbedtls_ssl_context* ssl, - const unsigned char* buf, - size_t buflen ) + +static int ssl_tls13_write_certificate_coordinate( mbedtls_ssl_context *ssl ) { - /* Structural validation */ - if( buflen != ssl->handshake->state_local.finished_in.digest_len ) +#if defined(MBEDTLS_SSL_SRV_C) + int have_own_cert = 1; +#endif /* MBEDTLS_SSL_SRV_C */ + +#if defined(MBEDTLS_SSL_CLI_C) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, + ( "Switch to handshake traffic keys for outbound traffic" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, - MBEDTLS_ERR_SSL_DECODE_ERROR ); - return( MBEDTLS_ERR_SSL_DECODE_ERROR ); - } +#if defined(MBEDTLS_SSL_USE_MPS) + { + int ret; - MBEDTLS_SSL_DEBUG_BUF( 4, "Hash (self-computed):", - ssl->handshake->state_local.finished_in.digest, - ssl->handshake->state_local.finished_in.digest_len ); - MBEDTLS_SSL_DEBUG_BUF( 4, "Hash (received message):", buf, - ssl->handshake->state_local.finished_in.digest_len ); + /* Use new transform for outgoing data. */ + ret = mbedtls_mps_set_outgoing_keys( &ssl->mps->l4, + ssl->handshake->epoch_handshake ); + if( ret != 0 ) + return( ret ); + } +#else + mbedtls_ssl_set_outbound_transform( ssl, ssl->handshake->transform_handshake ); +#endif /* MBEDTLS_SSL_USE_MPS */ + } +#endif /* MBEDTLS_SSL_CLI_C */ - /* Semantic validation */ - if( mbedtls_ssl_safer_memcmp( buf, - ssl->handshake->state_local.finished_in.digest, - ssl->handshake->state_local.finished_in.digest_len ) != 0 ) + /* For PSK and ECDHE-PSK ciphersuites there is no certificate to exchange. */ + if( mbedtls_ssl_tls13_kex_with_psk( ssl ) ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); - - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, - MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); + return( SSL_WRITE_CERTIFICATE_SKIP ); } - return( 0 ); -} -#if defined(MBEDTLS_SSL_CLI_C) -static int ssl_finished_in_postprocess_cli( mbedtls_ssl_context *ssl ) -{ - int ret = 0; - mbedtls_ssl_key_set traffic_keys; - mbedtls_ssl_transform *transform_application; +#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); +#else - ret = mbedtls_ssl_tls1_3_key_schedule_stage_application( ssl ); - if( ret != 0 ) +#if defined(MBEDTLS_SSL_CLI_C) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) { - MBEDTLS_SSL_DEBUG_RET( 1, - "mbedtls_ssl_tls1_3_key_schedule_stage_application", ret ); - return( ret ); + /* The client MUST send a Certificate message if and only + * if the server has requested client authentication via a + * CertificateRequest message. + * + * client_auth indicates whether the server had requested + * client authentication. + */ + if( ssl->client_auth == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); + return( SSL_WRITE_CERTIFICATE_SKIP ); + } } - - ret = mbedtls_ssl_tls1_3_generate_application_keys( - ssl, &traffic_keys ); - if( ret != 0 ) +#endif /* MBEDTLS_SSL_CLI_C */ +#if defined(MBEDTLS_SSL_SRV_C) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) { - MBEDTLS_SSL_DEBUG_RET( 1, - "mbedtls_ssl_tls1_3_generate_application_keys", ret ); - return( ret ); + if( have_own_cert == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + } } +#endif /* MBEDTLS_SSL_SRV_C */ - transform_application = - mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) ); - if( transform_application == NULL ) - return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + return( SSL_WRITE_CERTIFICATE_AVAILABLE ); +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +} - ret = mbedtls_ssl_tls13_populate_transform( - transform_application, - ssl->conf->endpoint, - ssl->session_negotiate->ciphersuite, - &traffic_keys, - ssl ); - if( ret != 0 ) + + +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +static int ssl_tls13_write_certificate_write( mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t buf_len, + size_t *out_len ) +{ + size_t i=0, n, total_len; + const mbedtls_x509_crt *crt; + unsigned char *start; + + /* TODO: Add bounds checks! Only then remove the next line. */ + ((void) buf_len ); + + /* empty certificate_request_context with length 0 */ + buf[i] = 0; + /* Skip length of certificate_request_context and + * the length of CertificateEntry + */ + i += 1; + +#if defined(MBEDTLS_SSL_CLI_C) + /* If the server requests client authentication but no suitable + * certificate is available, the client MUST send a + * Certificate message containing no certificates + * ( i.e., with the "certificate_list" field having length 0 ). + * + * authmode indicates whether the client configuration required authentication. + */ + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && ( ( mbedtls_ssl_own_cert( ssl ) == NULL ) || ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE ) ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret ); - return( ret ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write empty client certificate" ) ); + buf[i] = 0; + buf[i + 1] = 0; + buf[i + 2] = 0; + i += 3; + + goto empty_cert; } +#endif /* MBEDTLS_SSL_CLI_C */ -#if !defined(MBEDTLS_SSL_USE_MPS) - ssl->transform_application = transform_application; -#else /* MBEDTLS_SSL_USE_MPS */ - ret = mbedtls_mps_add_key_material( &ssl->mps->l4, - transform_application, - &ssl->epoch_application ); - if( ret != 0 ) - return( ret ); -#endif /* MBEDTLS_SSL_USE_MPS */ + start = &buf[i]; + crt = mbedtls_ssl_own_cert( ssl ); + MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) ); - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_END_OF_EARLY_DATA ); - return( 0 ); -} -#endif /* MBEDTLS_SSL_CLI_C */ + i += 3; -static int ssl_finished_in_postprocess( mbedtls_ssl_context* ssl ) -{ -#if defined(MBEDTLS_SSL_SRV_C) - int ret; - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + while ( crt != NULL ) { - /* Compute resumption_master_secret */ - ret = mbedtls_ssl_tls1_3_generate_resumption_master_secret( ssl ); - if( ret != 0 ) + n = crt->raw.len; + if( n > buf_len - 3 - i ) { - MBEDTLS_SSL_DEBUG_RET( 1, - "mbedtls_ssl_tls1_3_generate_resumption_master_secret ", ret ); - return( ret ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %" MBEDTLS_PRINTF_SIZET " > %d", + i + 3 + n, MBEDTLS_SSL_OUT_CONTENT_LEN ) ); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); } - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP ); - return( 0 ); + MBEDTLS_PUT_UINT24_BE( n, buf, i ); + i += 3; memcpy( buf + i, crt->raw.p, n ); + i += n; crt = crt->next; + + /* Currently, we don't have any certificate extensions defined. + * Hence, we are sending an empty extension with length zero. + */ + buf[i] = 0; + buf[i + 1] = 0; + i += 2; } -#endif /* MBEDTLS_SSL_SRV_C */ + total_len = &buf[i] - start - 3; + MBEDTLS_PUT_UINT24_BE( total_len, start, 0 ); + +#if defined(MBEDTLS_SSL_CLI_C) +empty_cert: +#endif /* MBEDTLS_SSL_CLI_C */ + + *out_len = i; + + return( 0 ); +} +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +/* Update the state after handling the outgoing certificate message. */ +static int ssl_tls13_write_certificate_postprocess( mbedtls_ssl_context *ssl ) +{ #if defined(MBEDTLS_SSL_CLI_C) if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) { - return( ssl_finished_in_postprocess_cli( ssl ) ); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY ); + return( 0 ); } + else #endif /* MBEDTLS_SSL_CLI_C */ +#if defined(MBEDTLS_SSL_SRV_C) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + { + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY ); + return( 0 ); + } +#endif /* MBEDTLS_SSL_SRV_C */ + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } #if defined(MBEDTLS_ZERO_RTT) -void mbedtls_ssl_conf_early_data( mbedtls_ssl_config* conf, int early_data, - size_t max_early_data, - int(*early_data_callback)( mbedtls_ssl_context*, - const unsigned char*, - size_t ) ) +void mbedtls_ssl_conf_early_data( + mbedtls_ssl_config *conf, + int early_data, size_t max_early_data, + int(*early_data_callback)( mbedtls_ssl_context*, + const unsigned char*, + size_t ) ) { #if !defined(MBEDTLS_SSL_SRV_C) ( ( void ) max_early_data ); @@ -2413,7 +2353,7 @@ void mbedtls_ssl_conf_early_data( mbedtls_ssl_config* conf, int early_data, #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) void mbedtls_ssl_conf_signature_algorithms( mbedtls_ssl_config *conf, - const uint16_t* sig_algs ) + const uint16_t *sig_algs ) { /* TODO: Add available algorithm check */ conf->tls13_sig_algs = sig_algs; @@ -2433,14 +2373,14 @@ void mbedtls_ssl_conf_signature_algorithms( mbedtls_ssl_config *conf, * } EarlyDataIndication; */ #if defined(MBEDTLS_ZERO_RTT) -int mbedtls_ssl_write_early_data_ext( mbedtls_ssl_context *ssl, - unsigned char *buf, - const unsigned char *end, - size_t *olen ) +int mbedtls_ssl_tls13_write_early_data_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + const unsigned char *end, + size_t *out_len ) { unsigned char *p = buf; - *olen = 0; + *out_len = 0; #if defined(MBEDTLS_SSL_CLI_C) if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) @@ -2463,7 +2403,7 @@ int mbedtls_ssl_write_early_data_ext( mbedtls_ssl_context *ssl, return( 0 ); if( ssl->conf->tls13_kex_modes != - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK || + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK || ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_DISABLED ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write early_data extension" ) ); @@ -2499,14 +2439,12 @@ int mbedtls_ssl_write_early_data_ext( mbedtls_ssl_context *ssl, ssl->handshake->early_data = MBEDTLS_SSL_EARLY_DATA_ON; /* Write extension header */ - *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EARLY_DATA >> 8 ) & 0xFF ); - *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EARLY_DATA ) & 0xFF ); + MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_EARLY_DATA, p, 0 ); /* Write total extension length */ - *p++ = 0; - *p++ = 0; + MBEDTLS_PUT_UINT16_BE( 0, p, 2 ); - *olen = 4; + *out_len = 4; return( 0 ); } #endif /* MBEDTLS_ZERO_RTT */ @@ -2520,8 +2458,8 @@ typedef mbedtls_ecdh_context mbedtls_ecdh_context_mbed; #define ECDH_VALIDATE_RET( cond ) \ MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA ) -static int ecdh_make_tls_13_params_internal( mbedtls_ecdh_context_mbed *ctx, - size_t *olen, int point_format, +static int ecdh_make_tls13_params_internal( mbedtls_ecdh_context_mbed *ctx, + size_t *out_len, int point_format, unsigned char *buf, size_t blen, int (*f_rng)(void *, unsigned char *, @@ -2556,21 +2494,21 @@ static int ecdh_make_tls_13_params_internal( mbedtls_ecdh_context_mbed *ctx, #endif /* MBEDTLS_ECP_RESTARTABLE */ ret = mbedtls_ecp_point_write_binary( &ctx->grp, &ctx->Q, point_format, - olen, buf, blen ); + out_len, buf, blen ); if( ret != 0 ) return( ret ); return( 0 ); } -int mbedtls_ecdh_make_tls_13_params( mbedtls_ecdh_context *ctx, size_t *olen, +int mbedtls_ecdh_make_tls13_params( mbedtls_ecdh_context *ctx, size_t *out_len, unsigned char *buf, size_t blen, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { int restart_enabled = 0; ECDH_VALIDATE_RET( ctx != NULL ); - ECDH_VALIDATE_RET( olen != NULL ); + ECDH_VALIDATE_RET( out_len != NULL ); ECDH_VALIDATE_RET( buf != NULL ); ECDH_VALIDATE_RET( f_rng != NULL ); @@ -2581,18 +2519,18 @@ int mbedtls_ecdh_make_tls_13_params( mbedtls_ecdh_context *ctx, size_t *olen, #endif #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT) - return( ecdh_make_tls_13_params_internal( ctx, olen, ctx->point_format, buf, blen, + return( ecdh_make_tls13_params_internal( ctx, out_len, ctx->point_format, buf, blen, f_rng, p_rng, restart_enabled ) ); #else switch( ctx->var ) { #if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED) case MBEDTLS_ECDH_VARIANT_EVEREST: - return( mbedtls_everest_make_params( &ctx->ctx.everest_ecdh, olen, + return( mbedtls_everest_make_params( &ctx->ctx.everest_ecdh, out_len, buf, blen, f_rng, p_rng ) ); #endif case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0: - return( ecdh_make_tls_13_params_internal( &ctx->ctx.mbed_ecdh, olen, + return( ecdh_make_tls13_params_internal( &ctx->ctx.mbed_ecdh, out_len, ctx->point_format, buf, blen, f_rng, p_rng, restart_enabled ) ); @@ -2631,7 +2569,7 @@ int mbedtls_ecdh_import_public_raw( mbedtls_ecdh_context *ctx, ECDH_VALIDATE_RET( end != NULL ); #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT) - return( ecdh_read_tls_13_params_internal( ctx, buf, end ) ); + return( ecdh_read_tls13_params_internal( ctx, buf, end ) ); #else switch( ctx->var ) { @@ -2649,8 +2587,8 @@ int mbedtls_ecdh_import_public_raw( mbedtls_ecdh_context *ctx, #endif } -static int ecdh_make_tls_13_public_internal( mbedtls_ecdh_context_mbed *ctx, - size_t *olen, int point_format, +static int ecdh_make_tls13_public_internal( mbedtls_ecdh_context_mbed *ctx, + size_t *out_len, int point_format, unsigned char *buf, size_t blen, int (*f_rng)(void *, unsigned char *, @@ -2683,21 +2621,21 @@ static int ecdh_make_tls_13_public_internal( mbedtls_ecdh_context_mbed *ctx, return( ret ); #endif /* MBEDTLS_ECP_RESTARTABLE */ - return mbedtls_ecp_tls_13_write_point( &ctx->grp, &ctx->Q, point_format, olen, + return mbedtls_ecp_tls13_write_point( &ctx->grp, &ctx->Q, point_format, out_len, buf, blen ); } /* * Setup and export the client public value */ -int mbedtls_ecdh_make_tls_13_public( mbedtls_ecdh_context *ctx, size_t *olen, +int mbedtls_ecdh_make_tls13_public( mbedtls_ecdh_context *ctx, size_t *out_len, unsigned char *buf, size_t blen, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { int restart_enabled = 0; ECDH_VALIDATE_RET( ctx != NULL ); - ECDH_VALIDATE_RET( olen != NULL ); + ECDH_VALIDATE_RET( out_len != NULL ); ECDH_VALIDATE_RET( buf != NULL ); ECDH_VALIDATE_RET( f_rng != NULL ); @@ -2706,18 +2644,18 @@ int mbedtls_ecdh_make_tls_13_public( mbedtls_ecdh_context *ctx, size_t *olen, #endif #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT) - return( ecdh_make_tls_13_public_internal( ctx, olen, ctx->point_format, buf, blen, + return( ecdh_make_tls13_public_internal( ctx, out_len, ctx->point_format, buf, blen, f_rng, p_rng, restart_enabled ) ); #else switch( ctx->var ) { #if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED) case MBEDTLS_ECDH_VARIANT_EVEREST: - return( mbedtls_everest_make_public( &ctx->ctx.everest_ecdh, olen, + return( mbedtls_everest_make_public( &ctx->ctx.everest_ecdh, out_len, buf, blen, f_rng, p_rng ) ); #endif case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0: - return( ecdh_make_tls_13_public_internal( &ctx->ctx.mbed_ecdh, olen, + return( ecdh_make_tls13_public_internal( &ctx->ctx.mbed_ecdh, out_len, ctx->point_format, buf, blen, f_rng, p_rng, restart_enabled ) ); @@ -2727,13 +2665,13 @@ int mbedtls_ecdh_make_tls_13_public( mbedtls_ecdh_context *ctx, size_t *olen, #endif } -static int ecdh_read_tls_13_public_internal( mbedtls_ecdh_context_mbed *ctx, +static int ecdh_read_tls13_public_internal( mbedtls_ecdh_context_mbed *ctx, const unsigned char *buf, size_t blen ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; const unsigned char *p = buf; - if( ( ret = mbedtls_ecp_tls_13_read_point( &ctx->grp, &ctx->Qp, &p, + if( ( ret = mbedtls_ecp_tls13_read_point( &ctx->grp, &ctx->Qp, &p, blen ) ) != 0 ) return( ret ); @@ -2746,14 +2684,14 @@ static int ecdh_read_tls_13_public_internal( mbedtls_ecdh_context_mbed *ctx, /* * Parse and import the client's TLS 1.3 public value */ -int mbedtls_ecdh_read_tls_13_public( mbedtls_ecdh_context *ctx, +int mbedtls_ecdh_read_tls13_public( mbedtls_ecdh_context *ctx, const unsigned char *buf, size_t blen ) { ECDH_VALIDATE_RET( ctx != NULL ); ECDH_VALIDATE_RET( buf != NULL ); #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT) - return( ecdh_read_tls_13_public_internal( ctx, buf, blen ) ); + return( ecdh_read_tls13_public_internal( ctx, buf, blen ) ); #else switch( ctx->var ) { @@ -2763,7 +2701,7 @@ int mbedtls_ecdh_read_tls_13_public( mbedtls_ecdh_context *ctx, buf, blen ) ); #endif case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0: - return( ecdh_read_tls_13_public_internal( &ctx->ctx.mbed_ecdh, + return( ecdh_read_tls13_public_internal( &ctx->ctx.mbed_ecdh, buf, blen ) ); default: return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; @@ -2776,9 +2714,9 @@ int mbedtls_ecdh_read_tls_13_public( mbedtls_ecdh_context *ctx, #define ECP_VALIDATE_RET( cond ) \ MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA ) -int mbedtls_ecp_tls_13_read_point( const mbedtls_ecp_group *grp, - mbedtls_ecp_point *pt, - const unsigned char **buf, size_t buf_len ) +int mbedtls_ecp_tls13_read_point( const mbedtls_ecp_group *grp, + mbedtls_ecp_point *pt, + const unsigned char **buf, size_t buf_len ) { unsigned char data_len; const unsigned char *buf_start; @@ -2790,7 +2728,7 @@ int mbedtls_ecp_tls_13_read_point( const mbedtls_ecp_group *grp, if( buf_len < 3 ) return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); - data_len = ( *( *buf ) << 8 ) | *( *buf+1 ); + data_len = MBEDTLS_GET_UINT16_BE( *buf, 0 ); *buf += 2; if( data_len < 1 || data_len > buf_len - 2 ) @@ -2805,14 +2743,14 @@ int mbedtls_ecp_tls_13_read_point( const mbedtls_ecp_group *grp, return( mbedtls_ecp_point_read_binary( grp, pt, buf_start, data_len ) ); } -int mbedtls_ecp_tls_13_write_point( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt, - int format, size_t *olen, - unsigned char *buf, size_t blen ) +int mbedtls_ecp_tls13_write_point( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt, + int format, size_t *out_len, + unsigned char *buf, size_t blen ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; ECP_VALIDATE_RET( grp != NULL ); ECP_VALIDATE_RET( pt != NULL ); - ECP_VALIDATE_RET( olen != NULL ); + ECP_VALIDATE_RET( out_len != NULL ); ECP_VALIDATE_RET( buf != NULL ); ECP_VALIDATE_RET( format == MBEDTLS_ECP_PF_UNCOMPRESSED || format == MBEDTLS_ECP_PF_COMPRESSED ); @@ -2821,13 +2759,12 @@ int mbedtls_ecp_tls_13_write_point( const mbedtls_ecp_group *grp, const mbedtls_ return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); if( ( ret = mbedtls_ecp_point_write_binary( grp, pt, format, - olen, buf + 2, blen - 2) ) != 0 ) + out_len, buf + 2, blen - 2) ) != 0 ) return( ret ); // Length - *buf++ = (unsigned char)( ( *olen >> 8 ) & 0xFF ); - *buf++ = (unsigned char)( ( *olen ) & 0xFF ); - *olen += 2; + MBEDTLS_PUT_UINT16_BE( *out_len, buf, 0 ); + *out_len += 2; return( 0 ); } @@ -2835,29 +2772,29 @@ int mbedtls_ecp_tls_13_write_point( const mbedtls_ecp_group *grp, const mbedtls_ /* * Write the ECParameters record corresponding to a group (TLS 1.3) */ -int mbedtls_ecp_tls_13_write_group( const mbedtls_ecp_group *grp, size_t *olen, +int mbedtls_ecp_tls13_write_group( const mbedtls_ecp_group *grp, size_t *out_len, unsigned char *buf, size_t blen ) { const mbedtls_ecp_curve_info *curve_info; ECP_VALIDATE_RET( grp != NULL ); ECP_VALIDATE_RET( buf != NULL ); - ECP_VALIDATE_RET( olen != NULL ); + ECP_VALIDATE_RET( out_len != NULL ); if( ( curve_info = mbedtls_ecp_curve_info_from_grp_id( grp->id ) ) == NULL ) return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); - *olen = 2; - if( blen < *olen ) + *out_len = 2; + if( blen < *out_len ) return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL ); // Two bytes for named curve - buf[0] = curve_info->tls_id >> 8; - buf[1] = curve_info->tls_id & 0xFF; + MBEDTLS_PUT_UINT16_BE( curve_info->tls_id, buf, 0 ); return( 0 ); } #endif /* MBEDTLS_ECP_C */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_SSL_TLS_C */ diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 3eefea268972..99a414a0e145 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -19,7 +19,7 @@ #include "common.h" -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #include <stdint.h> #include <string.h> @@ -42,7 +42,7 @@ #define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \ .name = string, -struct mbedtls_ssl_tls1_3_labels_struct const mbedtls_ssl_tls1_3_labels = +struct mbedtls_ssl_tls13_labels_struct const mbedtls_ssl_tls13_labels = { /* This seems to work in C, despite the string literal being one * character too long due to the 0-termination. */ @@ -69,24 +69,24 @@ struct mbedtls_ssl_tls1_3_labels_struct const mbedtls_ssl_tls1_3_labels = * 255 Bytes, so we require `desired_length` to be at most * 255. This allows us to save a few Bytes of code by * hardcoding the writing of the high bytes. - * - (label, llen): label + label length, without "tls13 " prefix - * The label length MUST be less than or equal to - * MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN - * It is the caller's responsibility to ensure this. - * All (label, label length) pairs used in TLS 1.3 - * can be obtained via MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(). - * - (ctx, clen): context + context length - * The context length MUST be less than or equal to - * MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN - * It is the caller's responsibility to ensure this. + * - (label, label_len): label + label length, without "tls13 " prefix + * The label length MUST be less than or equal to + * MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN + * It is the caller's responsibility to ensure this. + * All (label, label length) pairs used in TLS 1.3 + * can be obtained via MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(). + * - (ctx, ctx_len): context + context length + * The context length MUST be less than or equal to + * MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN + * It is the caller's responsibility to ensure this. * - dst: Target buffer for HkdfLabel structure, * This MUST be a writable buffer of size * at least SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN Bytes. - * - dlen: Pointer at which to store the actual length of - * the HkdfLabel structure on success. + * - dst_len: Pointer at which to store the actual length of + * the HkdfLabel structure on success. */ -static const char tls1_3_label_prefix[6] = "tls13 "; +static const char tls13_label_prefix[6] = "tls13 "; #define SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( label_len, context_len ) \ ( 2 /* expansion length */ \ @@ -97,20 +97,20 @@ static const char tls1_3_label_prefix[6] = "tls13 "; #define SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN \ SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( \ - sizeof(tls1_3_label_prefix) + \ + sizeof(tls13_label_prefix) + \ MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN, \ MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN ) -static void ssl_tls1_3_hkdf_encode_label( +static void ssl_tls13_hkdf_encode_label( size_t desired_length, - const unsigned char *label, size_t llen, - const unsigned char *ctx, size_t clen, - unsigned char *dst, size_t *dlen ) + const unsigned char *label, size_t label_len, + const unsigned char *ctx, size_t ctx_len, + unsigned char *dst, size_t *dst_len ) { size_t total_label_len = - sizeof(tls1_3_label_prefix) + llen; + sizeof(tls13_label_prefix) + label_len; size_t total_hkdf_lbl_len = - SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( total_label_len, clen ); + SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( total_label_len, ctx_len ); unsigned char *p = dst; @@ -118,7 +118,7 @@ static void ssl_tls1_3_hkdf_encode_label( * We're hardcoding the high byte to 0 here assuming that we never use * TLS 1.3 HKDF key expansion to more than 255 Bytes. */ #if MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN > 255 -#error "The implementation of ssl_tls1_3_hkdf_encode_label() is not fit for the \ +#error "The implementation of ssl_tls13_hkdf_encode_label() is not fit for the \ value of MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN" #endif @@ -127,32 +127,32 @@ static void ssl_tls1_3_hkdf_encode_label( /* Add label incl. prefix */ *p++ = MBEDTLS_BYTE_0( total_label_len ); - memcpy( p, tls1_3_label_prefix, sizeof(tls1_3_label_prefix) ); - p += sizeof(tls1_3_label_prefix); - memcpy( p, label, llen ); - p += llen; + memcpy( p, tls13_label_prefix, sizeof(tls13_label_prefix) ); + p += sizeof(tls13_label_prefix); + memcpy( p, label, label_len ); + p += label_len; /* Add context value */ - *p++ = MBEDTLS_BYTE_0( clen ); - if( clen != 0 ) - memcpy( p, ctx, clen ); + *p++ = MBEDTLS_BYTE_0( ctx_len ); + if( ctx_len != 0 ) + memcpy( p, ctx, ctx_len ); /* Return total length to the caller. */ - *dlen = total_hkdf_lbl_len; + *dst_len = total_hkdf_lbl_len; } -int mbedtls_ssl_tls1_3_hkdf_expand_label( +int mbedtls_ssl_tls13_hkdf_expand_label( mbedtls_md_type_t hash_alg, - const unsigned char *secret, size_t slen, - const unsigned char *label, size_t llen, - const unsigned char *ctx, size_t clen, - unsigned char *buf, size_t blen ) + const unsigned char *secret, size_t secret_len, + const unsigned char *label, size_t label_len, + const unsigned char *ctx, size_t ctx_len, + unsigned char *buf, size_t buf_len ) { - const mbedtls_md_info_t *md; + const mbedtls_md_info_t *md_info; unsigned char hkdf_label[ SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN ]; size_t hkdf_label_len; - if( llen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN ) + if( label_len > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN ) { /* Should never happen since this is an internal * function, and we know statically which labels @@ -160,32 +160,32 @@ int mbedtls_ssl_tls1_3_hkdf_expand_label( return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - if( clen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN ) + if( ctx_len > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN ) { /* Should not happen, as above. */ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - if( blen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN ) + if( buf_len > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN ) { /* Should not happen, as above. */ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - md = mbedtls_md_info_from_type( hash_alg ); - if( md == NULL ) + md_info = mbedtls_md_info_from_type( hash_alg ); + if( md_info == NULL ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - ssl_tls1_3_hkdf_encode_label( blen, - label, llen, - ctx, clen, - hkdf_label, - &hkdf_label_len ); + ssl_tls13_hkdf_encode_label( buf_len, + label, label_len, + ctx, ctx_len, + hkdf_label, + &hkdf_label_len ); - return( mbedtls_hkdf_expand( md, - secret, slen, + return( mbedtls_hkdf_expand( md_info, + secret, secret_len, hkdf_label, hkdf_label_len, - buf, blen ) ); + buf, buf_len ) ); } /* @@ -204,41 +204,41 @@ int mbedtls_ssl_tls1_3_hkdf_expand_label( * by the function caller. Note that we generate server and client side * keys in a single function call. */ -int mbedtls_ssl_tls1_3_make_traffic_keys( +int mbedtls_ssl_tls13_make_traffic_keys( mbedtls_md_type_t hash_alg, const unsigned char *client_secret, - const unsigned char *server_secret, - size_t slen, size_t key_len, size_t iv_len, + const unsigned char *server_secret, size_t secret_len, + size_t key_len, size_t iv_len, mbedtls_ssl_key_set *keys ) { int ret = 0; - ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg, - client_secret, slen, + ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg, + client_secret, secret_len, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ), NULL, 0, keys->client_write_key, key_len ); if( ret != 0 ) return( ret ); - ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg, - server_secret, slen, + ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg, + server_secret, secret_len, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ), NULL, 0, keys->server_write_key, key_len ); if( ret != 0 ) return( ret ); - ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg, - client_secret, slen, + ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg, + client_secret, secret_len, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ), NULL, 0, keys->client_write_iv, iv_len ); if( ret != 0 ) return( ret ); - ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg, - server_secret, slen, + ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg, + server_secret, secret_len, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ), NULL, 0, keys->server_write_iv, iv_len ); @@ -251,32 +251,32 @@ int mbedtls_ssl_tls1_3_make_traffic_keys( return( 0 ); } -int mbedtls_ssl_tls1_3_derive_secret( +int mbedtls_ssl_tls13_derive_secret( mbedtls_md_type_t hash_alg, - const unsigned char *secret, size_t slen, - const unsigned char *label, size_t llen, - const unsigned char *ctx, size_t clen, + const unsigned char *secret, size_t secret_len, + const unsigned char *label, size_t label_len, + const unsigned char *ctx, size_t ctx_len, int ctx_hashed, - unsigned char *dstbuf, size_t buflen ) + unsigned char *dstbuf, size_t dstbuf_len ) { int ret; unsigned char hashed_context[ MBEDTLS_MD_MAX_SIZE ]; - const mbedtls_md_info_t *md; - md = mbedtls_md_info_from_type( hash_alg ); - if( md == NULL ) + const mbedtls_md_info_t *md_info; + md_info = mbedtls_md_info_from_type( hash_alg ); + if( md_info == NULL ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); if( ctx_hashed == MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED ) { - ret = mbedtls_md( md, ctx, clen, hashed_context ); + ret = mbedtls_md( md_info, ctx, ctx_len, hashed_context ); if( ret != 0 ) return( ret ); - clen = mbedtls_md_get_size( md ); + ctx_len = mbedtls_md_get_size( md_info ); } else { - if( clen > sizeof(hashed_context) ) + if( ctx_len > sizeof(hashed_context) ) { /* This should never happen since this function is internal * and the code sets `ctx_hashed` correctly. @@ -285,17 +285,17 @@ int mbedtls_ssl_tls1_3_derive_secret( return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - memcpy( hashed_context, ctx, clen ); + memcpy( hashed_context, ctx, ctx_len ); } - return( mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg, - secret, slen, - label, llen, - hashed_context, clen, - dstbuf, buflen ) ); + return( mbedtls_ssl_tls13_hkdf_expand_label( hash_alg, + secret, secret_len, + label, label_len, + hashed_context, ctx_len, + dstbuf, dstbuf_len ) ); } -int mbedtls_ssl_tls1_3_evolve_secret( +int mbedtls_ssl_tls13_evolve_secret( mbedtls_md_type_t hash_alg, const unsigned char *secret_old, const unsigned char *input, size_t input_len, @@ -306,25 +306,26 @@ int mbedtls_ssl_tls1_3_evolve_secret( unsigned char tmp_secret[ MBEDTLS_MD_MAX_SIZE ] = { 0 }; unsigned char tmp_input [ MBEDTLS_SSL_TLS1_3_MAX_IKM_SIZE ] = { 0 }; - const mbedtls_md_info_t *md; - md = mbedtls_md_info_from_type( hash_alg ); - if( md == NULL ) + const mbedtls_md_info_t *md_info; + md_info = mbedtls_md_info_from_type( hash_alg ); + if( md_info == NULL ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - hlen = mbedtls_md_get_size( md ); + hlen = mbedtls_md_get_size( md_info ); /* For non-initial runs, call Derive-Secret( ., "derived", "") * on the old secret. */ if( secret_old != NULL ) { - MBEDTLS_SSL_PROC_CHK( - mbedtls_ssl_tls1_3_derive_secret( - hash_alg, - secret_old, hlen, - MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( derived ), - NULL, 0, /* context */ - MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, - tmp_secret, hlen ) ); + ret = mbedtls_ssl_tls13_derive_secret( + hash_alg, + secret_old, hlen, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( derived ), + NULL, 0, /* context */ + MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, + tmp_secret, hlen ); + if( ret != 0 ) + goto cleanup; } if( input != NULL ) @@ -340,12 +341,12 @@ int mbedtls_ssl_tls1_3_evolve_secret( /* HKDF-Extract takes a salt and input key material. * The salt is the old secret, and the input key material * is the input secret (PSK / ECDHE). */ - MBEDTLS_SSL_PROC_CHK( mbedtls_hkdf_extract( md, - tmp_secret, hlen, - tmp_input, ilen, - secret_new ) ); - - ret = 0; + ret = mbedtls_hkdf_extract( md_info, + tmp_secret, hlen, + tmp_input, ilen, + secret_new ); + if( ret != 0 ) + goto cleanup; cleanup: @@ -354,11 +355,11 @@ int mbedtls_ssl_tls1_3_evolve_secret( return( ret ); } -int mbedtls_ssl_tls1_3_derive_early_secrets( +int mbedtls_ssl_tls13_derive_early_secrets( mbedtls_md_type_t md_type, unsigned char const *early_secret, unsigned char const *transcript, size_t transcript_len, - mbedtls_ssl_tls1_3_early_secrets *derived ) + mbedtls_ssl_tls13_early_secrets *derived ) { int ret; mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type ); @@ -384,7 +385,7 @@ int mbedtls_ssl_tls1_3_derive_early_secrets( */ /* Create client_early_traffic_secret */ - ret = mbedtls_ssl_tls1_3_derive_secret( md_type, + ret = mbedtls_ssl_tls13_derive_secret( md_type, early_secret, md_size, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( c_e_traffic ), transcript, transcript_len, @@ -395,7 +396,7 @@ int mbedtls_ssl_tls1_3_derive_early_secrets( return( ret ); /* Create early exporter */ - ret = mbedtls_ssl_tls1_3_derive_secret( md_type, + ret = mbedtls_ssl_tls13_derive_secret( md_type, early_secret, md_size, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( e_exp_master ), transcript, transcript_len, @@ -408,11 +409,11 @@ int mbedtls_ssl_tls1_3_derive_early_secrets( return( 0 ); } -int mbedtls_ssl_tls1_3_derive_handshake_secrets( +int mbedtls_ssl_tls13_derive_handshake_secrets( mbedtls_md_type_t md_type, unsigned char const *handshake_secret, unsigned char const *transcript, size_t transcript_len, - mbedtls_ssl_tls1_3_handshake_secrets *derived ) + mbedtls_ssl_tls13_handshake_secrets *derived ) { int ret; mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type ); @@ -442,7 +443,7 @@ int mbedtls_ssl_tls1_3_derive_handshake_secrets( * Derive-Secret( ., "c hs traffic", ClientHello...ServerHello ) */ - ret = mbedtls_ssl_tls1_3_derive_secret( md_type, + ret = mbedtls_ssl_tls13_derive_secret( md_type, handshake_secret, md_size, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( c_hs_traffic ), transcript, transcript_len, @@ -457,7 +458,7 @@ int mbedtls_ssl_tls1_3_derive_handshake_secrets( * Derive-Secret( ., "s hs traffic", ClientHello...ServerHello ) */ - ret = mbedtls_ssl_tls1_3_derive_secret( md_type, + ret = mbedtls_ssl_tls13_derive_secret( md_type, handshake_secret, md_size, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( s_hs_traffic ), transcript, transcript_len, @@ -470,11 +471,11 @@ int mbedtls_ssl_tls1_3_derive_handshake_secrets( return( 0 ); } -int mbedtls_ssl_tls1_3_derive_application_secrets( +int mbedtls_ssl_tls13_derive_application_secrets( mbedtls_md_type_t md_type, unsigned char const *application_secret, unsigned char const *transcript, size_t transcript_len, - mbedtls_ssl_tls1_3_application_secrets *derived ) + mbedtls_ssl_tls13_application_secrets *derived ) { int ret; mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type ); @@ -503,7 +504,7 @@ int mbedtls_ssl_tls1_3_derive_application_secrets( * */ - ret = mbedtls_ssl_tls1_3_derive_secret( md_type, + ret = mbedtls_ssl_tls13_derive_secret( md_type, application_secret, md_size, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( c_ap_traffic ), transcript, transcript_len, @@ -513,7 +514,7 @@ int mbedtls_ssl_tls1_3_derive_application_secrets( if( ret != 0 ) return( ret ); - ret = mbedtls_ssl_tls1_3_derive_secret( md_type, + ret = mbedtls_ssl_tls13_derive_secret( md_type, application_secret, md_size, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( s_ap_traffic ), transcript, transcript_len, @@ -523,7 +524,7 @@ int mbedtls_ssl_tls1_3_derive_application_secrets( if( ret != 0 ) return( ret ); - ret = mbedtls_ssl_tls1_3_derive_secret( md_type, + ret = mbedtls_ssl_tls13_derive_secret( md_type, application_secret, md_size, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( exp_master ), transcript, transcript_len, @@ -536,11 +537,42 @@ int mbedtls_ssl_tls1_3_derive_application_secrets( return( 0 ); } -#if defined(MBEDTLS_ZERO_RTT) -/* Early Data Key Derivation for TLS 1.3 */ -int mbedtls_ssl_tls1_3_generate_early_data_keys( - mbedtls_ssl_context *ssl, - mbedtls_ssl_key_set *traffic_keys ) +#if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) +/* Generate resumption_master_secret for use with the ticket exchange. + * + * This is not integrated with mbedtls_ssl_tls13_derive_application_secrets() + * because it uses the transcript hash up to and including ClientFinished. */ +int mbedtls_ssl_tls13_derive_resumption_master_secret( + mbedtls_md_type_t md_type, + unsigned char const *application_secret, + unsigned char const *transcript, size_t transcript_len, + mbedtls_ssl_tls13_application_secrets *derived ) +{ + int ret; + mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type ); + size_t const md_size = mbedtls_md_get_size( md_info ); + + /* We should never call this function with an unknown hash, + * but add an assertion anyway. */ + if( md_info == 0 ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + + ret = mbedtls_ssl_tls13_derive_secret( md_type, + application_secret, md_size, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( res_master ), + transcript, transcript_len, + MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, + derived->resumption_master_secret, + md_size ); + + if( ret != 0 ) + return( ret ); + + return( 0 ); +} + +int mbedtls_ssl_tls13_generate_resumption_master_secret( + mbedtls_ssl_context *ssl ) { int ret = 0; @@ -551,16 +583,8 @@ int mbedtls_ssl_tls1_3_generate_early_data_keys( unsigned char transcript[MBEDTLS_MD_MAX_SIZE]; size_t transcript_len; - mbedtls_cipher_info_t const *cipher_info; - size_t keylen, ivlen; - MBEDTLS_SSL_DEBUG_MSG( 2, - ( "=> mbedtls_ssl_tls1_3_generate_early_data_keys" ) ); - - cipher_info = mbedtls_cipher_info_from_type( - ssl->handshake->ciphersuite_info->cipher ); - keylen = cipher_info->key_bitlen / 8; - ivlen = cipher_info->iv_size; + ( "=> mbedtls_ssl_tls13_generate_resumption_master_secret" ) ); md_type = ssl->handshake->ciphersuite_info->mac; md_info = mbedtls_md_info_from_type( md_type ); @@ -570,367 +594,548 @@ int mbedtls_ssl_tls1_3_generate_early_data_keys( transcript, sizeof( transcript ), &transcript_len ); if( ret != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_handshake_transcript", ret ); return( ret ); - } - ret = mbedtls_ssl_tls1_3_derive_early_secrets( md_type, - ssl->handshake->tls1_3_master_secrets.early, - transcript, transcript_len, - &ssl->handshake->early_secrets ); + ret = mbedtls_ssl_tls13_derive_resumption_master_secret( md_type, + ssl->handshake->tls13_master_secrets.app, + transcript, transcript_len, + &ssl->session_negotiate->app_secrets ); if( ret != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_derive_early_secrets", ret ); return( ret ); - } - MBEDTLS_SSL_DEBUG_BUF( 4, "client_early_traffic_secret", - ssl->handshake->early_secrets.client_early_traffic_secret, - md_size ); + /* Erase master secrets */ + mbedtls_platform_zeroize( &ssl->handshake->tls13_master_secrets, + sizeof( ssl->handshake->tls13_master_secrets ) ); -#if defined(MBEDTLS_SSL_EXPORT_KEYS) - if( ssl->f_export_keys != NULL ) - { - ssl->f_export_keys( ssl->p_export_keys, - MBEDTLS_SSL_KEY_EXPORT_TLS13_CLIENT_EARLY_SECRET, - ssl->handshake->early_secrets.client_early_traffic_secret, - md_size, - ssl->handshake->randbytes + 32, - ssl->handshake->randbytes, - MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ ); - } -#endif /* MBEDTLS_SSL_EXPORT_KEYS */ + MBEDTLS_SSL_DEBUG_BUF( 4, "Resumption master secret", + ssl->session_negotiate->app_secrets.resumption_master_secret, + md_size ); - ret = mbedtls_ssl_tls1_3_make_traffic_keys( md_type, - ssl->handshake->early_secrets.client_early_traffic_secret, - ssl->handshake->early_secrets.client_early_traffic_secret, - md_size, keylen, ivlen, traffic_keys ); + MBEDTLS_SSL_DEBUG_MSG( 2, + ( "<= mbedtls_ssl_tls13_generate_resumption_master_secret" ) ); + return( 0 ); +} +#else /* MBEDTLS_SSL_NEW_SESSION_TICKET */ +int mbedtls_ssl_tls13_generate_resumption_master_secret( + mbedtls_ssl_context *ssl ) +{ + /* Erase master secrets */ + mbedtls_platform_zeroize( &ssl->handshake->tls13_master_secrets, + sizeof( ssl->handshake->tls13_master_secrets ) ); + return( 0 ); +} +#endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ + +int mbedtls_ssl_tls13_key_schedule_stage_application( + mbedtls_ssl_context *ssl ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + mbedtls_ssl_handshake_params *handshake = ssl->handshake; + mbedtls_md_type_t const md_type = handshake->ciphersuite_info->mac; +#if defined(MBEDTLS_DEBUG_C) + mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type ); + size_t const md_size = mbedtls_md_get_size( md_info ); +#endif /* MBEDTLS_DEBUG_C */ + + /* + * Compute MasterSecret + */ + ret = mbedtls_ssl_tls13_evolve_secret( md_type, + handshake->tls13_master_secrets.handshake, + NULL, 0, + handshake->tls13_master_secrets.app ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_make_traffic_keys", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_evolve_secret", ret ); return( ret ); } - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_tls1_3_generate_early_data_keys" ) ); + MBEDTLS_SSL_DEBUG_BUF( 4, "Master secret", + handshake->tls13_master_secrets.app, md_size ); + + return( 0 ); +} + +static int ssl_tls13_calc_finished_core( mbedtls_md_type_t md_type, + unsigned char const *base_key, + unsigned char const *transcript, + unsigned char *dst ) +{ + const mbedtls_md_info_t * const md_info = mbedtls_md_info_from_type( md_type ); + size_t const md_size = mbedtls_md_get_size( md_info ); + unsigned char finished_key[MBEDTLS_MD_MAX_SIZE]; + int ret; + + /* We should never call this function with an unknown hash, + * but add an assertion anyway. */ + if( md_info == 0 ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + + /* TLS 1.3 Finished message + * + * struct { + * opaque verify_data[Hash.length]; + * } Finished; + * + * verify_data = + * HMAC( finished_key, + * Hash( Handshake Context + + * Certificate* + + * CertificateVerify* ) + * ) + * + * finished_key = + * HKDF-Expand-Label( BaseKey, "finished", "", Hash.length ) + */ + + ret = mbedtls_ssl_tls13_hkdf_expand_label( + md_type, base_key, md_size, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( finished ), + NULL, 0, + finished_key, md_size ); + if( ret != 0 ) + goto exit; + + ret = mbedtls_md_hmac( md_info, finished_key, md_size, transcript, md_size, dst ); + if( ret != 0 ) + goto exit; + +exit: + + mbedtls_platform_zeroize( finished_key, sizeof( finished_key ) ); return( ret ); } -#endif /* MBEDTLS_ZERO_RTT */ -/* mbedtls_ssl_tls1_3_generate_handshake_keys() generates keys necessary for - * protecting the handshake messages, as described in Section 7 of TLS 1.3. */ -int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, - mbedtls_ssl_key_set *traffic_keys ) +int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context *ssl, + unsigned char *dst, + size_t dst_len, + size_t *actual_len, + int from ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - mbedtls_md_type_t md_type; - mbedtls_md_info_t const *md_info; - size_t md_size; - unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; size_t transcript_len; - mbedtls_cipher_info_t const *cipher_info; - size_t keylen, ivlen; - - mbedtls_ssl_handshake_params *handshake = ssl->handshake; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info; - mbedtls_ssl_tls1_3_handshake_secrets *tls13_hs_secrets = &handshake->tls13_hs_secrets; - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls1_3_generate_handshake_keys" ) ); + unsigned char *base_key = NULL; + size_t base_key_len = 0; + mbedtls_ssl_tls13_handshake_secrets *tls13_hs_secrets = + &ssl->handshake->tls13_hs_secrets; - cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher ); - keylen = cipher_info->key_bitlen / 8; - ivlen = cipher_info->iv_size; + mbedtls_md_type_t const md_type = ssl->handshake->ciphersuite_info->mac; + const mbedtls_md_info_t* const md_info = + mbedtls_md_info_from_type( md_type ); + size_t const md_size = mbedtls_md_get_size( md_info ); - md_type = ciphersuite_info->mac; - md_info = mbedtls_md_info_from_type( md_type ); - md_size = mbedtls_md_get_size( md_info ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls13_calculate_verify_data" ) ); - ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type, - transcript, - sizeof( transcript ), - &transcript_len ); - if( ret != 0 ) + if( from == MBEDTLS_SSL_IS_CLIENT ) { - MBEDTLS_SSL_DEBUG_RET( 1, - "mbedtls_ssl_get_handshake_transcript", - ret ); - return( ret ); + base_key = tls13_hs_secrets->client_handshake_traffic_secret; + base_key_len = sizeof( tls13_hs_secrets->client_handshake_traffic_secret ); } - - ret = mbedtls_ssl_tls1_3_derive_handshake_secrets( md_type, - handshake->tls1_3_master_secrets.handshake, - transcript, transcript_len, - tls13_hs_secrets ); - if( ret != 0 ) + else { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_derive_early_secrets", ret ); - return( ret ); + base_key = tls13_hs_secrets->server_handshake_traffic_secret; + base_key_len = sizeof( tls13_hs_secrets->server_handshake_traffic_secret ); } - MBEDTLS_SSL_DEBUG_BUF( 4, "Client handshake traffic secret", - tls13_hs_secrets->client_handshake_traffic_secret, - md_size ); - - MBEDTLS_SSL_DEBUG_BUF( 4, "Server handshake traffic secret", - tls13_hs_secrets->server_handshake_traffic_secret, - md_size ); - - /* - * Export client handshake traffic secret - */ - if( ssl->f_export_keys != NULL ) + if( dst_len < md_size ) { - ssl->f_export_keys( ssl->p_export_keys, - MBEDTLS_SSL_KEY_EXPORT_TLS13_CLIENT_HANDSHAKE_TRAFFIC_SECRET, - tls13_hs_secrets->client_handshake_traffic_secret, - md_size, - ssl->handshake->randbytes + 32, - ssl->handshake->randbytes, - MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ ); - - ssl->f_export_keys( ssl->p_export_keys, - MBEDTLS_SSL_KEY_EXPORT_TLS13_SERVER_HANDSHAKE_TRAFFIC_SECRET, - tls13_hs_secrets->server_handshake_traffic_secret, - md_size, - ssl->handshake->randbytes + 32, - ssl->handshake->randbytes, - MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ ); + ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; + goto exit; } - ret = mbedtls_ssl_tls1_3_make_traffic_keys( md_type, - tls13_hs_secrets->client_handshake_traffic_secret, - tls13_hs_secrets->server_handshake_traffic_secret, - md_size, keylen, ivlen, traffic_keys ); + ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type, + transcript, sizeof( transcript ), + &transcript_len ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_make_traffic_keys", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_handshake_transcript", ret ); goto exit; } + MBEDTLS_SSL_DEBUG_BUF( 4, "handshake hash", transcript, transcript_len ); - MBEDTLS_SSL_DEBUG_BUF( 4, "client_handshake write_key", - traffic_keys->client_write_key, - traffic_keys->key_len); - - MBEDTLS_SSL_DEBUG_BUF( 4, "server_handshake write_key", - traffic_keys->server_write_key, - traffic_keys->key_len); - - MBEDTLS_SSL_DEBUG_BUF( 4, "client_handshake write_iv", - traffic_keys->client_write_iv, - traffic_keys->iv_len); - - MBEDTLS_SSL_DEBUG_BUF( 4, "server_handshake write_iv", - traffic_keys->server_write_iv, - traffic_keys->iv_len); + ret = ssl_tls13_calc_finished_core( md_type, base_key, transcript, dst ); + if( ret != 0 ) + goto exit; + *actual_len = md_size; - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_tls1_3_generate_handshake_keys" ) ); + MBEDTLS_SSL_DEBUG_BUF( 3, "verify_data for finished message", dst, md_size ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_tls13_calculate_verify_data" ) ); exit: - + /* Erase handshake secrets */ + mbedtls_platform_zeroize( base_key, base_key_len ); + mbedtls_platform_zeroize( transcript, sizeof( transcript ) ); return( ret ); } -/* Generate application traffic keys since any records following a 1-RTT Finished message - * MUST be encrypted under the application traffic key. +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) +/* mbedtls_ssl_tls13_create_psk_binder(): + * + * 0 + * | + * v + * PSK -> HKDF-Extract = Early Secret + * | + * +------> Derive-Secret( ., + * | "ext binder" | + * | "res binder", + * | "" ) + * | = binder_key + * ... */ -int mbedtls_ssl_tls1_3_generate_application_keys( - mbedtls_ssl_context *ssl, - mbedtls_ssl_key_set *traffic_keys ) +int mbedtls_ssl_tls13_create_psk_binder( mbedtls_ssl_context *ssl, + const mbedtls_md_type_t md_type, + unsigned char const *psk, size_t psk_len, + int psk_type, + unsigned char const *transcript, + unsigned char *result ) { int ret = 0; + unsigned char binder_key[MBEDTLS_MD_MAX_SIZE]; + unsigned char early_secret[MBEDTLS_MD_MAX_SIZE]; + mbedtls_md_info_t const *md_info = mbedtls_md_info_from_type( md_type ); + size_t const md_size = mbedtls_md_get_size( md_info ); - /* Address at which to store the application secrets */ - mbedtls_ssl_tls1_3_application_secrets * const app_secrets = - &ssl->session_negotiate->app_secrets; - - /* Holding the transcript up to and including the ServerFinished */ - unsigned char transcript[MBEDTLS_MD_MAX_SIZE]; - size_t transcript_len; - - /* Variables relating to the hash for the chosen ciphersuite. */ - mbedtls_md_type_t md_type; - mbedtls_md_info_t const *md_info; - size_t md_size; +#if !defined(MBEDTLS_DEBUG_C) + ssl = NULL; /* make sure we don't use it except for debug */ + ((void) ssl); +#endif - /* Variables relating to the cipher for the chosen ciphersuite. */ - mbedtls_cipher_info_t const *cipher_info; - size_t keylen, ivlen; + /* We should never call this function with an unknown hash, + * but add an assertion anyway. */ + if( md_info == 0 ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive application traffic keys" ) ); + /* + * 0 + * | + * v + * PSK -> HKDF-Extract = Early Secret + * | + * +-----> Derive-Secret(., "ext binder" | "res binder", "") + * | = binder_key + * v + */ - /* Extract basic information about hash and ciphersuite */ + ret = mbedtls_ssl_tls13_evolve_secret( md_type, + NULL, /* Old secret */ + psk, psk_len, /* Input */ + early_secret ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_evolve_secret", ret ); + goto exit; + } - cipher_info = mbedtls_cipher_info_from_type( - ssl->handshake->ciphersuite_info->cipher ); - keylen = cipher_info->key_bitlen / 8; - ivlen = cipher_info->iv_size; + if( psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION ) + { + ret = mbedtls_ssl_tls13_derive_secret( md_type, + early_secret, md_size, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( res_binder ), + NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, + binder_key, md_size ); + MBEDTLS_SSL_DEBUG_MSG( 4, ( "Derive Early Secret with 'res binder'" ) ); + } + else + { + ret = mbedtls_ssl_tls13_derive_secret( md_type, + early_secret, md_size, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( ext_binder ), + NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, + binder_key, md_size ); + MBEDTLS_SSL_DEBUG_MSG( 4, ( "Derive Early Secret with 'ext binder'" ) ); + } - md_type = ssl->handshake->ciphersuite_info->mac; - md_info = mbedtls_md_info_from_type( md_type ); - md_size = mbedtls_md_get_size( md_info ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_derive_secret", ret ); + goto exit; + } - /* Compute current handshake transcript. It's the caller's responsiblity - * to call this at the right time, that is, after the ServerFinished. */ + /* + * The binding_value is computed in the same way as the Finished message + * but with the BaseKey being the binder_key. + */ - ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type, - transcript, sizeof( transcript ), - &transcript_len ); + ret = ssl_tls13_calc_finished_core( md_type, binder_key, transcript, result ); if( ret != 0 ) - return( ret ); + goto exit; - /* Compute application secrets from master secret and transcript hash. */ + MBEDTLS_SSL_DEBUG_BUF( 3, "psk binder", result, md_size ); - ret = mbedtls_ssl_tls1_3_derive_application_secrets( md_type, - ssl->handshake->tls1_3_master_secrets.app, - transcript, transcript_len, - app_secrets ); - if( ret != 0 ) +exit: + + mbedtls_platform_zeroize( early_secret, sizeof( early_secret ) ); + mbedtls_platform_zeroize( binder_key, sizeof( binder_key ) ); + return( ret ); +} +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ + +int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, + int endpoint, + int ciphersuite, + mbedtls_ssl_key_set const *traffic_keys, + mbedtls_ssl_context *ssl /* DEBUG ONLY */ ) +{ + int ret; + mbedtls_cipher_info_t const *cipher_info; + const mbedtls_ssl_ciphersuite_t *ciphersuite_info; + unsigned char const *key_enc; + unsigned char const *iv_enc; + unsigned char const *key_dec; + unsigned char const *iv_dec; + +#if !defined(MBEDTLS_DEBUG_C) + ssl = NULL; /* make sure we don't use it except for those cases */ + (void) ssl; +#endif + + ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite ); + if( ciphersuite_info == NULL ) { - MBEDTLS_SSL_DEBUG_RET( 1, - "mbedtls_ssl_tls1_3_derive_application_secrets", ret ); - return( ret ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %d not found", + ciphersuite ) ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } - /* Derive first epoch of IV + Key for application traffic. */ + cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher ); + if( cipher_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %u not found", + ciphersuite_info->cipher ) ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } - ret = mbedtls_ssl_tls1_3_make_traffic_keys( md_type, - app_secrets->client_application_traffic_secret_N, - app_secrets->server_application_traffic_secret_N, - md_size, keylen, ivlen, traffic_keys ); - if( ret != 0 ) + /* + * Setup cipher contexts in target transform + */ + + if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc, + cipher_info ) ) != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_make_traffic_keys", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret ); return( ret ); } - MBEDTLS_SSL_DEBUG_BUF( 4, "Client application traffic secret", - app_secrets->client_application_traffic_secret_N, - md_size ); + if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec, + cipher_info ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret ); + return( ret ); + } - MBEDTLS_SSL_DEBUG_BUF( 4, "Server application traffic secret", - app_secrets->server_application_traffic_secret_N, - md_size ); +#if defined(MBEDTLS_SSL_SRV_C) + if( endpoint == MBEDTLS_SSL_IS_SERVER ) + { + key_enc = traffic_keys->server_write_key; + key_dec = traffic_keys->client_write_key; + iv_enc = traffic_keys->server_write_iv; + iv_dec = traffic_keys->client_write_iv; + } + else +#endif /* MBEDTLS_SSL_SRV_C */ +#if defined(MBEDTLS_SSL_CLI_C) + if( endpoint == MBEDTLS_SSL_IS_CLIENT ) + { + key_enc = traffic_keys->client_write_key; + key_dec = traffic_keys->server_write_key; + iv_enc = traffic_keys->client_write_iv; + iv_dec = traffic_keys->server_write_iv; + } + else +#endif /* MBEDTLS_SSL_CLI_C */ + { + /* should not happen */ + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - /* - * Export client/server application traffic secret 0 - */ -#if defined(MBEDTLS_SSL_EXPORT_KEYS) - if( ssl->f_export_keys != NULL ) + memcpy( transform->iv_enc, iv_enc, traffic_keys->iv_len ); + memcpy( transform->iv_dec, iv_dec, traffic_keys->iv_len ); + + if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, + key_enc, cipher_info->key_bitlen, + MBEDTLS_ENCRYPT ) ) != 0 ) { - ssl->f_export_keys( ssl->p_export_keys, - MBEDTLS_SSL_KEY_EXPORT_TLS13_CLIENT_APPLICATION_TRAFFIC_SECRET, - app_secrets->client_application_traffic_secret_N, md_size, - ssl->handshake->randbytes + 32, - ssl->handshake->randbytes, - MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret ); + return( ret ); + } - ssl->f_export_keys( ssl->p_export_keys, - MBEDTLS_SSL_KEY_EXPORT_TLS13_SERVER_APPLICATION_TRAFFIC_SECRET, - app_secrets->server_application_traffic_secret_N, md_size, - ssl->handshake->randbytes + 32, - ssl->handshake->randbytes, - MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ ); + if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, + key_dec, cipher_info->key_bitlen, + MBEDTLS_DECRYPT ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret ); + return( ret ); } -#endif /* MBEDTLS_SSL_EXPORT_KEYS */ - MBEDTLS_SSL_DEBUG_BUF( 4, "client application_write_key:", - traffic_keys->client_write_key, keylen ); - MBEDTLS_SSL_DEBUG_BUF( 4, "server application write key", - traffic_keys->server_write_key, keylen ); - MBEDTLS_SSL_DEBUG_BUF( 4, "client application write IV", - traffic_keys->client_write_iv, ivlen ); - MBEDTLS_SSL_DEBUG_BUF( 4, "server application write IV", - traffic_keys->server_write_iv, ivlen ); + /* + * Setup other fields in SSL transform + */ + + if( ( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ) != 0 ) + transform->taglen = 8; + else + transform->taglen = 16; + + transform->ivlen = traffic_keys->iv_len; + transform->maclen = 0; + transform->fixed_ivlen = transform->ivlen; + transform->minor_ver = MBEDTLS_SSL_MINOR_VERSION_4; + + /* We add the true record content type (1 Byte) to the plaintext and + * then pad to the configured granularity. The mimimum length of the + * type-extended and padded plaintext is therefore the padding + * granularity. */ + transform->minlen = + transform->taglen + MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY; - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive application traffic keys" ) ); return( 0 ); } -#if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) -/* Generate resumption_master_secret for use with the ticket exchange. - * - * This is not integrated with mbedtls_ssl_tls1_3_derive_application_secrets() - * because it uses the transcript hash up to and including ClientFinished. */ -int mbedtls_ssl_tls1_3_derive_resumption_master_secret( - mbedtls_md_type_t md_type, - unsigned char const *application_secret, - unsigned char const *transcript, size_t transcript_len, - mbedtls_ssl_tls1_3_application_secrets *derived ) +int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl ) { - int ret; - mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type ); - size_t const md_size = mbedtls_md_get_size( md_info ); + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + mbedtls_md_type_t md_type; + mbedtls_ssl_handshake_params *handshake = ssl->handshake; - /* We should never call this function with an unknown hash, - * but add an assertion anyway. */ - if( md_info == 0 ) + if( handshake->ciphersuite_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher suite info not found" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - ret = mbedtls_ssl_tls1_3_derive_secret( md_type, - application_secret, md_size, - MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( res_master ), - transcript, transcript_len, - MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, - derived->resumption_master_secret, - md_size ); + md_type = handshake->ciphersuite_info->mac; + ret = mbedtls_ssl_tls13_evolve_secret( md_type, NULL, + handshake->psk, handshake->psk_len, + handshake->tls13_master_secrets.early ); if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_evolve_secret", ret ); return( ret ); + } return( 0 ); } -int mbedtls_ssl_tls1_3_generate_resumption_master_secret( - mbedtls_ssl_context *ssl ) +/* mbedtls_ssl_tls13_generate_handshake_keys() generates keys necessary for + * protecting the handshake messages, as described in Section 7 of TLS 1.3. */ +int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, + mbedtls_ssl_key_set *traffic_keys ) { - int ret = 0; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_md_type_t md_type; mbedtls_md_info_t const *md_info; size_t md_size; - unsigned char transcript[MBEDTLS_MD_MAX_SIZE]; + unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; size_t transcript_len; - MBEDTLS_SSL_DEBUG_MSG( 2, - ( "=> mbedtls_ssl_tls1_3_generate_resumption_master_secret" ) ); + mbedtls_cipher_info_t const *cipher_info; + size_t key_len, iv_len; - md_type = ssl->handshake->ciphersuite_info->mac; + mbedtls_ssl_handshake_params *handshake = ssl->handshake; + const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info; + mbedtls_ssl_tls13_handshake_secrets *tls13_hs_secrets = &handshake->tls13_hs_secrets; + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls13_generate_handshake_keys" ) ); + + cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher ); + key_len = cipher_info->key_bitlen >> 3; + iv_len = cipher_info->iv_size; + + md_type = ciphersuite_info->mac; md_info = mbedtls_md_info_from_type( md_type ); md_size = mbedtls_md_get_size( md_info ); ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type, - transcript, sizeof( transcript ), + transcript, + sizeof( transcript ), &transcript_len ); if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, + "mbedtls_ssl_get_handshake_transcript", + ret ); return( ret ); + } - ret = mbedtls_ssl_tls1_3_derive_resumption_master_secret( md_type, - ssl->handshake->tls1_3_master_secrets.app, - transcript, transcript_len, - &ssl->session_negotiate->app_secrets ); + ret = mbedtls_ssl_tls13_derive_handshake_secrets( md_type, + handshake->tls13_master_secrets.handshake, + transcript, transcript_len, tls13_hs_secrets ); if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_derive_handshake_secrets", + ret ); return( ret ); + } - MBEDTLS_SSL_DEBUG_BUF( 4, "Resumption master secret", - ssl->session_negotiate->app_secrets.resumption_master_secret, - md_size ); + MBEDTLS_SSL_DEBUG_BUF( 4, "Client handshake traffic secret", + tls13_hs_secrets->client_handshake_traffic_secret, + md_size ); - MBEDTLS_SSL_DEBUG_MSG( 2, - ( "<= mbedtls_ssl_tls1_3_generate_resumption_master_secret" ) ); - return( 0 ); -} -#else /* MBEDTLS_SSL_NEW_SESSION_TICKET */ -int mbedtls_ssl_tls1_3_generate_resumption_master_secret( - mbedtls_ssl_context *ssl ) -{ - ((void) ssl); - return( 0 ); + MBEDTLS_SSL_DEBUG_BUF( 4, "Server handshake traffic secret", + tls13_hs_secrets->server_handshake_traffic_secret, + md_size ); + + /* + * Export client handshake traffic secret + */ + if( ssl->f_export_keys != NULL ) + { + ssl->f_export_keys( ssl->p_export_keys, + MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_HANDSHAKE_TRAFFIC_SECRET, + tls13_hs_secrets->client_handshake_traffic_secret, + md_size, + ssl->handshake->randbytes + 32, + ssl->handshake->randbytes, + MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ ); + + ssl->f_export_keys( ssl->p_export_keys, + MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_HANDSHAKE_TRAFFIC_SECRET, + tls13_hs_secrets->server_handshake_traffic_secret, + md_size, + ssl->handshake->randbytes + 32, + ssl->handshake->randbytes, + MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ ); + } + + ret = mbedtls_ssl_tls13_make_traffic_keys( md_type, + tls13_hs_secrets->client_handshake_traffic_secret, + tls13_hs_secrets->server_handshake_traffic_secret, + md_size, key_len, iv_len, traffic_keys ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_make_traffic_keys", ret ); + goto exit; + } + + MBEDTLS_SSL_DEBUG_BUF( 4, "client_handshake write_key", + traffic_keys->client_write_key, + traffic_keys->key_len); + + MBEDTLS_SSL_DEBUG_BUF( 4, "server_handshake write_key", + traffic_keys->server_write_key, + traffic_keys->key_len); + + MBEDTLS_SSL_DEBUG_BUF( 4, "client_handshake write_iv", + traffic_keys->client_write_iv, + traffic_keys->iv_len); + + MBEDTLS_SSL_DEBUG_BUF( 4, "server_handshake write_iv", + traffic_keys->server_write_iv, + traffic_keys->iv_len); + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_tls13_generate_handshake_keys" ) ); + +exit: + + return( ret ); } -#endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ int mbedtls_ssl_tls13_key_schedule_stage_handshake( mbedtls_ssl_context *ssl ) { @@ -979,19 +1184,18 @@ int mbedtls_ssl_tls13_key_schedule_stage_handshake( mbedtls_ssl_context *ssl ) /* * Compute the Handshake secret */ - - ret = mbedtls_ssl_tls1_3_evolve_secret( md_type, - handshake->tls1_3_master_secrets.early, - ecdhe, ephemeral_len, - handshake->tls1_3_master_secrets.handshake ); + ret = mbedtls_ssl_tls13_evolve_secret( md_type, + handshake->tls13_master_secrets.early, + ecdhe, ephemeral_len, + handshake->tls13_master_secrets.handshake ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_evolve_secret", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_evolve_secret", ret ); return( ret ); } MBEDTLS_SSL_DEBUG_BUF( 4, "Handshake secret", - handshake->tls1_3_master_secrets.handshake, md_size ); + handshake->tls13_master_secrets.handshake, md_size ); #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) mbedtls_platform_zeroize( ecdhe, sizeof( ecdhe ) ); @@ -999,385 +1203,208 @@ int mbedtls_ssl_tls13_key_schedule_stage_handshake( mbedtls_ssl_context *ssl ) return( 0 ); } -int mbedtls_ssl_tls1_3_key_schedule_stage_application( - mbedtls_ssl_context *ssl ) -{ - int ret = 0; - mbedtls_md_type_t const md_type = ssl->handshake->ciphersuite_info->mac; -#if defined(MBEDTLS_DEBUG_C) - mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type ); - size_t const md_size = mbedtls_md_get_size( md_info ); -#endif /* MBEDTLS_DEBUG_C */ - - /* - * Compute MasterSecret - */ - - ret = mbedtls_ssl_tls1_3_evolve_secret( md_type, - ssl->handshake->tls1_3_master_secrets.handshake, - NULL, 0, - ssl->handshake->tls1_3_master_secrets.app ); - if( ret != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_evolve_secret", ret ); - return( ret ); - } - - MBEDTLS_SSL_DEBUG_BUF( 4, "Master secret", - ssl->handshake->tls1_3_master_secrets.app, md_size ); - - return( 0 ); -} - -static int ssl_tls1_3_calc_finished_core( mbedtls_md_type_t md_type, - unsigned char const *base_key, - unsigned char const *transcript, - unsigned char *dst ) +/* Generate application traffic keys since any records following a 1-RTT Finished message + * MUST be encrypted under the application traffic key. + */ +int mbedtls_ssl_tls13_generate_application_keys( + mbedtls_ssl_context *ssl, + mbedtls_ssl_key_set *traffic_keys ) { - const mbedtls_md_info_t* const md_info = mbedtls_md_info_from_type( md_type ); - size_t const md_size = mbedtls_md_get_size( md_info ); - unsigned char finished_key[MBEDTLS_MD_MAX_SIZE]; - int ret; - - /* We should never call this function with an unknown hash, - * but add an assertion anyway. */ - if( md_info == 0 ) - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - - /* TLS 1.3 Finished message - * - * struct { - * opaque verify_data[Hash.length]; - * } Finished; - * - * verify_data = - * HMAC( finished_key, - * Hash( Handshake Context + - * Certificate* + - * CertificateVerify* ) - * ) - * - * finished_key = - * HKDF-Expand-Label( BaseKey, "finished", "", Hash.length ) - */ - - ret = mbedtls_ssl_tls1_3_hkdf_expand_label( - md_type, base_key, md_size, - MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( finished ), - NULL, 0, - finished_key, md_size ); - if( ret != 0 ) - goto exit; - - ret = mbedtls_md_hmac( md_info, finished_key, md_size, transcript, md_size, dst ); - if( ret != 0 ) - goto exit; - -exit: - - mbedtls_platform_zeroize( finished_key, sizeof( finished_key ) ); - return( ret ); -} + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + mbedtls_ssl_handshake_params *handshake = ssl->handshake; -int mbedtls_ssl_tls1_3_calc_finished( mbedtls_ssl_context* ssl, - unsigned char* dst, - size_t dst_len, - size_t *actual_len, - int from ) -{ - int ret; + /* Address at which to store the application secrets */ + mbedtls_ssl_tls13_application_secrets * const app_secrets = + &ssl->session_negotiate->app_secrets; - unsigned char transcript[MBEDTLS_MD_MAX_SIZE]; + /* Holding the transcript up to and including the ServerFinished */ + unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; size_t transcript_len; - unsigned char const *base_key = NULL; - - mbedtls_md_type_t const md_type = ssl->handshake->ciphersuite_info->mac; - const mbedtls_md_info_t* const md = mbedtls_md_info_from_type( md_type ); - size_t const md_size = mbedtls_md_get_size( md ); - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls1_3_calc_finished" ) ); - - if( dst_len < md_size ) - return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); - - ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type, - transcript, sizeof( transcript ), - &transcript_len ); - if( ret != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_handshake_transcript", ret ); - return( ret ); - } - MBEDTLS_SSL_DEBUG_BUF( 4, "handshake hash", transcript, transcript_len ); - - if( from == MBEDTLS_SSL_IS_CLIENT ) - base_key = ssl->handshake->tls13_hs_secrets.client_handshake_traffic_secret; - else - base_key = ssl->handshake->tls13_hs_secrets.server_handshake_traffic_secret; - - ret = ssl_tls1_3_calc_finished_core( md_type, base_key, transcript, dst ); - if( ret != 0 ) - return( ret ); - *actual_len = md_size; - - MBEDTLS_SSL_DEBUG_BUF( 3, "verify_data for finished message", dst, md_size ); - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_tls1_3_calc_finished" ) ); - return( 0 ); -} + /* Variables relating to the hash for the chosen ciphersuite. */ + mbedtls_md_type_t md_type; + mbedtls_md_info_t const *md_info; + size_t md_size; -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) -/* mbedtls_ssl_tls1_3_create_psk_binder(): - * - * 0 - * | - * v - * PSK -> HKDF-Extract = Early Secret - * | - * +------> Derive-Secret( ., - * | "ext binder" | - * | "res binder", - * | "" ) - * | = binder_key - * ... - */ + /* Variables relating to the cipher for the chosen ciphersuite. */ + mbedtls_cipher_info_t const *cipher_info; + size_t key_len, iv_len; -int mbedtls_ssl_tls1_3_create_psk_binder( mbedtls_ssl_context *ssl, - const mbedtls_md_type_t md_type, - unsigned char const *psk, size_t psk_len, - int psk_type, - unsigned char const *transcript, - unsigned char *result ) -{ - int ret = 0; - unsigned char binder_key[MBEDTLS_MD_MAX_SIZE]; - unsigned char early_secret[MBEDTLS_MD_MAX_SIZE]; - mbedtls_md_info_t const *md_info = mbedtls_md_info_from_type( md_type ); - size_t const md_size = mbedtls_md_get_size( md_info ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive application traffic keys" ) ); -#if !defined(MBEDTLS_DEBUG_C) - ssl = NULL; /* make sure we don't use it except for debug */ - ((void) ssl); -#endif + /* Extract basic information about hash and ciphersuite */ - /* We should never call this function with an unknown hash, - * but add an assertion anyway. */ - if( md_info == 0 ) - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + cipher_info = mbedtls_cipher_info_from_type( + handshake->ciphersuite_info->cipher ); + key_len = cipher_info->key_bitlen / 8; + iv_len = cipher_info->iv_size; - /* - * 0 - * | - * v - * PSK -> HKDF-Extract = Early Secret - * | - * +-----> Derive-Secret(., "ext binder" | "res binder", "") - * | = binder_key - * v - */ + md_type = handshake->ciphersuite_info->mac; + md_info = mbedtls_md_info_from_type( md_type ); + md_size = mbedtls_md_get_size( md_info ); + + /* Compute current handshake transcript. It's the caller's responsiblity + * to call this at the right time, that is, after the ServerFinished. */ - ret = mbedtls_ssl_tls1_3_evolve_secret( md_type, - NULL, /* Old secret */ - psk, psk_len, /* Input */ - early_secret ); + ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type, + transcript, sizeof( transcript ), + &transcript_len ); if( ret != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_evolve_secret", ret ); - goto exit; - } + goto cleanup; - if( psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION ) - { - ret = mbedtls_ssl_tls1_3_derive_secret( md_type, - early_secret, md_size, - MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( res_binder ), - NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, - binder_key, md_size ); - MBEDTLS_SSL_DEBUG_MSG( 4, ( "Derive Early Secret with 'res binder'" ) ); - } - else + /* Compute application secrets from master secret and transcript hash. */ + + ret = mbedtls_ssl_tls13_derive_application_secrets( md_type, + handshake->tls13_master_secrets.app, + transcript, transcript_len, + app_secrets ); + if( ret != 0 ) { - ret = mbedtls_ssl_tls1_3_derive_secret( md_type, - early_secret, md_size, - MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( ext_binder ), - NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, - binder_key, md_size ); - MBEDTLS_SSL_DEBUG_MSG( 4, ( "Derive Early Secret with 'ext binder'" ) ); + MBEDTLS_SSL_DEBUG_RET( 1, + "mbedtls_ssl_tls13_derive_application_secrets", ret ); + goto cleanup; } + /* Derive first epoch of IV + Key for application traffic. */ + + ret = mbedtls_ssl_tls13_make_traffic_keys( md_type, + app_secrets->client_application_traffic_secret_N, + app_secrets->server_application_traffic_secret_N, + md_size, key_len, iv_len, traffic_keys ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_derive_secret", ret ); - goto exit; + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_make_traffic_keys", ret ); + goto cleanup; } + MBEDTLS_SSL_DEBUG_BUF( 4, "Client application traffic secret", + app_secrets->client_application_traffic_secret_N, + md_size ); + + MBEDTLS_SSL_DEBUG_BUF( 4, "Server application traffic secret", + app_secrets->server_application_traffic_secret_N, + md_size ); + /* - * The binding_value is computed in the same way as the Finished message - * but with the BaseKey being the binder_key. + * Export client/server application traffic secret 0 */ + if( ssl->f_export_keys != NULL ) + { + ssl->f_export_keys( ssl->p_export_keys, + MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_APPLICATION_TRAFFIC_SECRET, + app_secrets->client_application_traffic_secret_N, md_size, + handshake->randbytes + 32, + handshake->randbytes, + MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by + a new constant for TLS 1.3! */ ); - ret = ssl_tls1_3_calc_finished_core( md_type, binder_key, transcript, result ); - if( ret != 0 ) - goto exit; + ssl->f_export_keys( ssl->p_export_keys, + MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_APPLICATION_TRAFFIC_SECRET, + app_secrets->server_application_traffic_secret_N, md_size, + handshake->randbytes + 32, + handshake->randbytes, + MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by + a new constant for TLS 1.3! */ ); + } - MBEDTLS_SSL_DEBUG_BUF( 3, "psk binder", result, md_size ); + MBEDTLS_SSL_DEBUG_BUF( 4, "client application_write_key:", + traffic_keys->client_write_key, key_len ); + MBEDTLS_SSL_DEBUG_BUF( 4, "server application write key", + traffic_keys->server_write_key, key_len ); + MBEDTLS_SSL_DEBUG_BUF( 4, "client application write IV", + traffic_keys->client_write_iv, iv_len ); + MBEDTLS_SSL_DEBUG_BUF( 4, "server application write IV", + traffic_keys->server_write_iv, iv_len ); -exit: + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive application traffic keys" ) ); - mbedtls_platform_zeroize( early_secret, sizeof( early_secret ) ); - mbedtls_platform_zeroize( binder_key, sizeof( binder_key ) ); + cleanup: + /* randbytes is not used again */ + mbedtls_platform_zeroize( ssl->handshake->randbytes, + sizeof( ssl->handshake->randbytes ) ); + mbedtls_platform_zeroize( transcript, sizeof( transcript ) ); return( ret ); } -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ -int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, - int endpoint, - int ciphersuite, - mbedtls_ssl_key_set const *traffic_keys, - mbedtls_ssl_context *ssl /* DEBUG ONLY */ ) +#if defined(MBEDTLS_ZERO_RTT) +/* Early Data Key Derivation for TLS 1.3 */ +int mbedtls_ssl_tls13_generate_early_data_keys( + mbedtls_ssl_context *ssl, + mbedtls_ssl_key_set *traffic_keys ) { - int ret; - mbedtls_cipher_info_t const *cipher_info; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info; - unsigned char const *key_enc; - unsigned char const *iv_enc; - unsigned char const *key_dec; - unsigned char const *iv_dec; - -#if !defined(MBEDTLS_DEBUG_C) - ssl = NULL; /* make sure we don't use it except for those cases */ - (void) ssl; -#endif - - ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite ); - if( ciphersuite_info == NULL ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %d not found", - ciphersuite ) ); - return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - } + int ret = 0; - cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher ); - if( cipher_info == NULL ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %u not found", - ciphersuite_info->cipher ) ); - return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - } + mbedtls_md_type_t md_type; + mbedtls_md_info_t const *md_info; + size_t md_size; - /* - * Setup cipher contexts in target transform - */ + unsigned char transcript[MBEDTLS_MD_MAX_SIZE]; + size_t transcript_len; - if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc, - cipher_info ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret ); - return( ret ); - } + mbedtls_cipher_info_t const *cipher_info; + size_t key_len, iv_len; - if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec, - cipher_info ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret ); - return( ret ); - } + MBEDTLS_SSL_DEBUG_MSG( 2, + ( "=> mbedtls_ssl_tls13_generate_early_data_keys" ) ); -#if defined(MBEDTLS_SSL_SRV_C) - if( endpoint == MBEDTLS_SSL_IS_SERVER ) - { - key_enc = traffic_keys->server_write_key; - key_dec = traffic_keys->client_write_key; - iv_enc = traffic_keys->server_write_iv; - iv_dec = traffic_keys->client_write_iv; - } - else -#endif /* MBEDTLS_SSL_SRV_C */ -#if defined(MBEDTLS_SSL_CLI_C) - if( endpoint == MBEDTLS_SSL_IS_CLIENT ) - { - key_enc = traffic_keys->client_write_key; - key_dec = traffic_keys->server_write_key; - iv_enc = traffic_keys->client_write_iv; - iv_dec = traffic_keys->server_write_iv; - } - else -#endif /* MBEDTLS_SSL_CLI_C */ - { - /* should not happen */ - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - } + cipher_info = mbedtls_cipher_info_from_type( + ssl->handshake->ciphersuite_info->cipher ); + key_len = cipher_info->key_bitlen / 8; + iv_len = cipher_info->iv_size; - memcpy( transform->iv_enc, iv_enc, traffic_keys->iv_len ); - memcpy( transform->iv_dec, iv_dec, traffic_keys->iv_len ); + md_type = ssl->handshake->ciphersuite_info->mac; + md_info = mbedtls_md_info_from_type( md_type ); + md_size = mbedtls_md_get_size( md_info ); - if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, - key_enc, cipher_info->key_bitlen, - MBEDTLS_ENCRYPT ) ) != 0 ) + ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type, + transcript, sizeof( transcript ), + &transcript_len ); + if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_handshake_transcript", ret ); return( ret ); } - if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, - key_dec, cipher_info->key_bitlen, - MBEDTLS_DECRYPT ) ) != 0 ) + ret = mbedtls_ssl_tls13_derive_early_secrets( md_type, + ssl->handshake->tls13_master_secrets.early, + transcript, transcript_len, + &ssl->handshake->early_secrets ); + if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_derive_early_secrets", ret ); return( ret ); } - /* - * Setup other fields in SSL transform - */ - - if( ( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ) != 0 ) - transform->taglen = 8; - else - transform->taglen = 16; - - transform->ivlen = traffic_keys->iv_len; - transform->maclen = 0; - transform->fixed_ivlen = transform->ivlen; - transform->minor_ver = MBEDTLS_SSL_MINOR_VERSION_4; - - /* We add the true record content type (1 Byte) to the plaintext and - * then pad to the configured granularity. The mimimum length of the - * type-extended and padded plaintext is therefore the padding - * granularity. */ - transform->minlen = - transform->taglen + MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY; - - return( 0 ); -} - -int mbedtls_ssl_tls1_3_key_schedule_stage_early( mbedtls_ssl_context *ssl ) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - mbedtls_md_type_t md_type; - mbedtls_ssl_handshake_params *handshake = ssl->handshake; + MBEDTLS_SSL_DEBUG_BUF( 4, "client_early_traffic_secret", + ssl->handshake->early_secrets.client_early_traffic_secret, + md_size ); - if( handshake->ciphersuite_info == NULL ) +#if defined(MBEDTLS_SSL_EXPORT_KEYS) + if( ssl->f_export_keys != NULL ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher suite info not found" ) ); - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + ssl->f_export_keys( ssl->p_export_keys, + MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_EARLY_SECRET, + ssl->handshake->early_secrets.client_early_traffic_secret, + md_size, + ssl->handshake->randbytes + 32, + ssl->handshake->randbytes, + MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ ); } +#endif /* MBEDTLS_SSL_EXPORT_KEYS */ - md_type = handshake->ciphersuite_info->mac; - - ret = mbedtls_ssl_tls1_3_evolve_secret( - md_type, - NULL, /* No old secret */ - handshake->psk, handshake->psk_len, - handshake->tls1_3_master_secrets.early ); + ret = mbedtls_ssl_tls13_make_traffic_keys( md_type, + ssl->handshake->early_secrets.client_early_traffic_secret, + ssl->handshake->early_secrets.client_early_traffic_secret, + md_size, key_len, iv_len, traffic_keys ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_evolve_secret", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_make_traffic_keys", ret ); return( ret ); } - return( 0 ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_tls13_generate_early_data_keys" ) ); + return( ret ); } +#endif /* MBEDTLS_ZERO_RTT */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 595da119168a..094eb56186ed 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h @@ -34,54 +34,54 @@ MBEDTLS_PREMASTER_SIZE : MBEDTLS_MD_MAX_SIZE ) /* This requires MBEDTLS_SSL_TLS1_3_LABEL( idx, name, string ) to be defined at - * the point of use. See e.g. the definition of mbedtls_ssl_tls1_3_labels_union + * the point of use. See e.g. the definition of mbedtls_ssl_tls13_labels_union * below. */ -#define MBEDTLS_SSL_TLS1_3_LABEL_LIST \ - MBEDTLS_SSL_TLS1_3_LABEL( finished , "finished" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( resumption , "resumption" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( traffic_upd , "traffic upd" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( exporter , "exporter" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( key , "key" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( iv , "iv" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( c_hs_traffic, "c hs traffic" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( c_ap_traffic, "c ap traffic" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( c_e_traffic , "c e traffic" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( s_hs_traffic, "s hs traffic" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( s_ap_traffic, "s ap traffic" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( s_e_traffic , "s e traffic" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( e_exp_master, "e exp master" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( res_master , "res master" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( exp_master , "exp master" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( ext_binder , "ext binder" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( res_binder , "res binder" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( derived , "derived" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( client_cv , "TLS 1.3, client CertificateVerify" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( server_cv , "TLS 1.3, server CertificateVerify" ) +#define MBEDTLS_SSL_TLS1_3_LABEL_LIST \ + MBEDTLS_SSL_TLS1_3_LABEL( finished , "finished" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( resumption , "resumption" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( traffic_upd , "traffic upd" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( exporter , "exporter" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( key , "key" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( iv , "iv" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( c_hs_traffic, "c hs traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( c_ap_traffic, "c ap traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( c_e_traffic , "c e traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( s_hs_traffic, "s hs traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( s_ap_traffic, "s ap traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( s_e_traffic , "s e traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( e_exp_master, "e exp master" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( res_master , "res master" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( exp_master , "exp master" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( ext_binder , "ext binder" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( res_binder , "res binder" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( derived , "derived" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( client_cv , "TLS 1.3, client CertificateVerify" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( server_cv , "TLS 1.3, server CertificateVerify" ) #define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \ const unsigned char name [ sizeof(string) - 1 ]; -union mbedtls_ssl_tls1_3_labels_union +union mbedtls_ssl_tls13_labels_union { MBEDTLS_SSL_TLS1_3_LABEL_LIST }; -struct mbedtls_ssl_tls1_3_labels_struct +struct mbedtls_ssl_tls13_labels_struct { MBEDTLS_SSL_TLS1_3_LABEL_LIST }; #undef MBEDTLS_SSL_TLS1_3_LABEL -extern const struct mbedtls_ssl_tls1_3_labels_struct mbedtls_ssl_tls1_3_labels; +extern const struct mbedtls_ssl_tls13_labels_struct mbedtls_ssl_tls13_labels; #define MBEDTLS_SSL_TLS1_3_LBL_LEN( LABEL ) \ - sizeof(mbedtls_ssl_tls1_3_labels.LABEL) + sizeof(mbedtls_ssl_tls13_labels.LABEL) #define MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( LABEL ) \ - mbedtls_ssl_tls1_3_labels.LABEL, \ + mbedtls_ssl_tls13_labels.LABEL, \ MBEDTLS_SSL_TLS1_3_LBL_LEN( LABEL ) #define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN \ - sizeof( union mbedtls_ssl_tls1_3_labels_union ) + sizeof( union mbedtls_ssl_tls13_labels_union ) /* The maximum length of HKDF contexts used in the TLS 1.3 standard. * Since contexts are always hashes of message transcripts, this can @@ -93,7 +93,7 @@ extern const struct mbedtls_ssl_tls1_3_labels_struct mbedtls_ssl_tls1_3_labels; * by HKDF-Expand-Label. * * Warning: If this ever needs to be increased, the implementation - * ssl_tls1_3_hkdf_encode_label() in ssl_tls13_keys.c needs to be + * ssl_tls13_hkdf_encode_label() in ssl_tls13_keys.c needs to be * adjusted since it currently assumes that HKDF key expansion * is never used with more than 255 Bytes of output. */ #define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN 255 @@ -123,38 +123,40 @@ extern const struct mbedtls_ssl_tls1_3_labels_struct mbedtls_ssl_tls1_3_labels; ) /** - * \brief The \c HKDF-Expand-Label function from - * the TLS 1.3 standard RFC 8446. + * \brief The \c HKDF-Expand-Label function from + * the TLS 1.3 standard RFC 8446. * * <tt> - * HKDF-Expand-Label( Secret, Label, Context, Length ) = + * HKDF-Expand-Label( Secret, Label, Context, Length ) = * HKDF-Expand( Secret, HkdfLabel, Length ) * </tt> * - * \param hash_alg The identifier for the hash algorithm to use. - * \param secret The \c Secret argument to \c HKDF-Expand-Label. - * This must be a readable buffer of length \p slen Bytes. - * \param slen The length of \p secret in Bytes. - * \param label The \c Label argument to \c HKDF-Expand-Label. - * This must be a readable buffer of length \p llen Bytes. - * \param llen The length of \p label in Bytes. - * \param ctx The \c Context argument to \c HKDF-Expand-Label. - * This must be a readable buffer of length \p clen Bytes. - * \param clen The length of \p context in Bytes. - * \param buf The destination buffer to hold the expanded secret. - * This must be a writable buffer of length \p blen Bytes. - * \param blen The desired size of the expanded secret in Bytes. - * - * \returns \c 0 on success. - * \return A negative error code on failure. + * \param hash_alg The identifier for the hash algorithm to use. + * \param secret The \c Secret argument to \c HKDF-Expand-Label. + * This must be a readable buffer of length + * \p secret_len Bytes. + * \param secret_len The length of \p secret in Bytes. + * \param label The \c Label argument to \c HKDF-Expand-Label. + * This must be a readable buffer of length + * \p label_len Bytes. + * \param label_len The length of \p label in Bytes. + * \param ctx The \c Context argument to \c HKDF-Expand-Label. + * This must be a readable buffer of length \p ctx_len Bytes. + * \param ctx_len The length of \p context in Bytes. + * \param buf The destination buffer to hold the expanded secret. + * This must be a writable buffer of length \p buf_len Bytes. + * \param buf_len The desired size of the expanded secret in Bytes. + * + * \returns \c 0 on success. + * \return A negative error code on failure. */ -int mbedtls_ssl_tls1_3_hkdf_expand_label( +int mbedtls_ssl_tls13_hkdf_expand_label( mbedtls_md_type_t hash_alg, - const unsigned char *secret, size_t slen, - const unsigned char *label, size_t llen, - const unsigned char *ctx, size_t clen, - unsigned char *buf, size_t blen ); + const unsigned char *secret, size_t secret_len, + const unsigned char *label, size_t label_len, + const unsigned char *ctx, size_t ctx_len, + unsigned char *buf, size_t buf_len ); /** * \brief This function is part of the TLS 1.3 key schedule. @@ -171,10 +173,12 @@ int mbedtls_ssl_tls1_3_hkdf_expand_label( * \param hash_alg The identifier for the hash algorithm to be used * for the HKDF-based expansion of the secret. * \param client_secret The client traffic secret. - * This must be a readable buffer of size \p slen Bytes + * This must be a readable buffer of size + * \p secret_len Bytes * \param server_secret The server traffic secret. - * This must be a readable buffer of size \p slen Bytes - * \param slen Length of the secrets \p client_secret and + * This must be a readable buffer of size + * \p secret_len Bytes + * \param secret_len Length of the secrets \p client_secret and * \p server_secret in Bytes. * \param key_len The desired length of the key to be extracted in Bytes. * \param iv_len The desired length of the IV to be extracted in Bytes. @@ -185,11 +189,11 @@ int mbedtls_ssl_tls1_3_hkdf_expand_label( * \returns A negative error code on failure. */ -int mbedtls_ssl_tls1_3_make_traffic_keys( +int mbedtls_ssl_tls13_make_traffic_keys( mbedtls_md_type_t hash_alg, const unsigned char *client_secret, - const unsigned char *server_secret, - size_t slen, size_t key_len, size_t iv_len, + const unsigned char *server_secret, size_t secret_len, + size_t key_len, size_t iv_len, mbedtls_ssl_key_set *keys ); @@ -209,15 +213,17 @@ int mbedtls_ssl_tls1_3_make_traffic_keys( * \param hash_alg The identifier for the hash function used for the * applications of HKDF. * \param secret The \c Secret argument to the \c Derive-Secret function. - * This must be a readable buffer of length \p slen Bytes. - * \param slen The length of \p secret in Bytes. + * This must be a readable buffer of length + * \p secret_len Bytes. + * \param secret_len The length of \p secret in Bytes. * \param label The \c Label argument to the \c Derive-Secret function. - * This must be a readable buffer of length \p llen Bytes. - * \param llen The length of \p label in Bytes. + * This must be a readable buffer of length + * \p label_len Bytes. + * \param label_len The length of \p label in Bytes. * \param ctx The hash of the \c Messages argument to the * \c Derive-Secret function, or the \c Messages argument - * itself, depending on \p context_already_hashed. - * \param clen The length of \p hash. + * itself, depending on \p ctx_hashed. + * \param ctx_len The length of \p ctx in Bytes. * \param ctx_hashed This indicates whether the \p ctx contains the hash of * the \c Messages argument in the application of the * \c Derive-Secret function @@ -227,24 +233,24 @@ int mbedtls_ssl_tls1_3_make_traffic_keys( * (value MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED). * \param dstbuf The target buffer to write the output of * \c Derive-Secret to. This must be a writable buffer of - * size \p buflen Bytes. - * \param buflen The length of \p dstbuf in Bytes. + * size \p dtsbuf_len Bytes. + * \param dstbuf_len The length of \p dstbuf in Bytes. * * \returns \c 0 on success. * \returns A negative error code on failure. */ -int mbedtls_ssl_tls1_3_derive_secret( +int mbedtls_ssl_tls13_derive_secret( mbedtls_md_type_t hash_alg, - const unsigned char *secret, size_t slen, - const unsigned char *label, size_t llen, - const unsigned char *ctx, size_t clen, + const unsigned char *secret, size_t secret_len, + const unsigned char *label, size_t label_len, + const unsigned char *ctx, size_t ctx_len, int ctx_hashed, - unsigned char *dstbuf, size_t buflen ); + unsigned char *dstbuf, size_t dstbuf_len ); /** * \brief Derive TLS 1.3 early data key material from early secret. * - * This is a small wrapper invoking mbedtls_ssl_tls1_3_derive_secret() + * This is a small wrapper invoking mbedtls_ssl_tls13_derive_secret() * with the appropriate labels. * * <tt> @@ -261,11 +267,11 @@ int mbedtls_ssl_tls1_3_derive_secret( * * \note To obtain the actual key and IV for the early data traffic, * the client secret derived by this function need to be - * further processed by mbedtls_ssl_tls1_3_make_traffic_keys(). + * further processed by mbedtls_ssl_tls13_make_traffic_keys(). * * \note The binder key, which is also generated from the early secret, * is omitted here. Its calculation is part of the separate routine - * mbedtls_ssl_tls1_3_create_psk_binder(). + * mbedtls_ssl_tls13_create_psk_binder(). * * \param md_type The hash algorithm associated with the PSK for which * early data key material is being derived. @@ -283,16 +289,16 @@ int mbedtls_ssl_tls1_3_derive_secret( * \returns \c 0 on success. * \returns A negative error code on failure. */ -int mbedtls_ssl_tls1_3_derive_early_secrets( +int mbedtls_ssl_tls13_derive_early_secrets( mbedtls_md_type_t md_type, unsigned char const *early_secret, unsigned char const *transcript, size_t transcript_len, - mbedtls_ssl_tls1_3_early_secrets *derived ); + mbedtls_ssl_tls13_early_secrets *derived ); /** * \brief Derive TLS 1.3 handshake key material from the handshake secret. * - * This is a small wrapper invoking mbedtls_ssl_tls1_3_derive_secret() + * This is a small wrapper invoking mbedtls_ssl_tls13_derive_secret() * with the appropriate labels from the standard. * * <tt> @@ -310,7 +316,7 @@ int mbedtls_ssl_tls1_3_derive_early_secrets( * * \note To obtain the actual key and IV for the encrypted handshake traffic, * the client and server secret derived by this function need to be - * further processed by mbedtls_ssl_tls1_3_make_traffic_keys(). + * further processed by mbedtls_ssl_tls13_make_traffic_keys(). * * \param md_type The hash algorithm associated with the ciphersuite * that's being used for the connection. @@ -328,16 +334,16 @@ int mbedtls_ssl_tls1_3_derive_early_secrets( * \returns \c 0 on success. * \returns A negative error code on failure. */ -int mbedtls_ssl_tls1_3_derive_handshake_secrets( +int mbedtls_ssl_tls13_derive_handshake_secrets( mbedtls_md_type_t md_type, unsigned char const *handshake_secret, unsigned char const *transcript, size_t transcript_len, - mbedtls_ssl_tls1_3_handshake_secrets *derived ); + mbedtls_ssl_tls13_handshake_secrets *derived ); /** * \brief Derive TLS 1.3 application key material from the master secret. * - * This is a small wrapper invoking mbedtls_ssl_tls1_3_derive_secret() + * This is a small wrapper invoking mbedtls_ssl_tls13_derive_secret() * with the appropriate labels from the standard. * * <tt> @@ -359,7 +365,7 @@ int mbedtls_ssl_tls1_3_derive_handshake_secrets( * * \note To obtain the actual key and IV for the (0-th) application traffic, * the client and server secret derived by this function need to be - * further processed by mbedtls_ssl_tls1_3_make_traffic_keys(). + * further processed by mbedtls_ssl_tls13_make_traffic_keys(). * * \param md_type The hash algorithm associated with the ciphersuite * that's being used for the connection. @@ -378,16 +384,16 @@ int mbedtls_ssl_tls1_3_derive_handshake_secrets( * \returns \c 0 on success. * \returns A negative error code on failure. */ -int mbedtls_ssl_tls1_3_derive_application_secrets( +int mbedtls_ssl_tls13_derive_application_secrets( mbedtls_md_type_t md_type, unsigned char const *master_secret, unsigned char const *transcript, size_t transcript_len, - mbedtls_ssl_tls1_3_application_secrets *derived ); + mbedtls_ssl_tls13_application_secrets *derived ); /** * \brief Derive TLS 1.3 resumption master secret from the master secret. * - * This is a small wrapper invoking mbedtls_ssl_tls1_3_derive_secret() + * This is a small wrapper invoking mbedtls_ssl_tls13_derive_secret() * with the appropriate labels from the standard. * * \param md_type The hash algorithm used in the application for which @@ -408,11 +414,11 @@ int mbedtls_ssl_tls1_3_derive_application_secrets( * \returns \c 0 on success. * \returns A negative error code on failure. */ -int mbedtls_ssl_tls1_3_derive_resumption_master_secret( +int mbedtls_ssl_tls13_derive_resumption_master_secret( mbedtls_md_type_t md_type, unsigned char const *application_secret, unsigned char const *transcript, size_t transcript_len, - mbedtls_ssl_tls1_3_application_secrets *derived ); + mbedtls_ssl_tls13_application_secrets *derived ); /** * \brief Compute the next secret in the TLS 1.3 key schedule @@ -444,7 +450,7 @@ int mbedtls_ssl_tls1_3_derive_resumption_master_secret( * * Each of the three secrets in turn is the basis for further * key derivations, such as the derivation of traffic keys and IVs; - * see e.g. mbedtls_ssl_tls1_3_make_traffic_keys(). + * see e.g. mbedtls_ssl_tls13_make_traffic_keys(). * * This function implements one step in this evolution of secrets: * @@ -482,7 +488,7 @@ int mbedtls_ssl_tls1_3_derive_resumption_master_secret( * \returns A negative error code on failure. */ -int mbedtls_ssl_tls1_3_evolve_secret( +int mbedtls_ssl_tls13_evolve_secret( mbedtls_md_type_t hash_alg, const unsigned char *secret_old, const unsigned char *input, size_t input_len, @@ -493,7 +499,7 @@ int mbedtls_ssl_tls1_3_evolve_secret( * * Early Data -> Handshake -> Application * - * Small wrappers around mbedtls_ssl_tls1_3_evolve_secret(). + * Small wrappers around mbedtls_ssl_tls13_evolve_secret(). */ /** @@ -504,7 +510,7 @@ int mbedtls_ssl_tls1_3_evolve_secret( * with states Initial -> Early -> Handshake -> Application, and * this function represents the Initial -> Early transition. * - * In the early stage, mbedtls_ssl_tls1_3_generate_early_data_keys() + * In the early stage, mbedtls_ssl_tls13_generate_early_data_keys() * can be used to derive the 0-RTT traffic keys. * * \param ssl The SSL context to operate on. @@ -512,8 +518,7 @@ int mbedtls_ssl_tls1_3_evolve_secret( * \returns \c 0 on success. * \returns A negative error code on failure. */ -int mbedtls_ssl_tls1_3_key_schedule_stage_early_data( - mbedtls_ssl_context *ssl ); +int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl ); /** * \brief Transition into handshake stage of TLS 1.3 key schedule. @@ -522,7 +527,7 @@ int mbedtls_ssl_tls1_3_key_schedule_stage_early_data( * with states Initial -> Early -> Handshake -> Application, and * this function represents the Early -> Handshake transition. * - * In the handshake stage, mbedtls_ssl_tls1_3_generate_handshake_keys() + * In the handshake stage, mbedtls_ssl_tls13_generate_handshake_keys() * can be used to derive the handshake traffic keys. * * \param ssl The SSL context to operate on. This must be in key schedule @@ -531,8 +536,7 @@ int mbedtls_ssl_tls1_3_key_schedule_stage_early_data( * \returns \c 0 on success. * \returns A negative error code on failure. */ -int mbedtls_ssl_tls13_key_schedule_stage_handshake( - mbedtls_ssl_context *ssl ); +int mbedtls_ssl_tls13_key_schedule_stage_handshake( mbedtls_ssl_context *ssl ); /** * \brief Transition into application stage of TLS 1.3 key schedule. @@ -550,36 +554,35 @@ int mbedtls_ssl_tls13_key_schedule_stage_handshake( * \returns \c 0 on success. * \returns A negative error code on failure. */ -int mbedtls_ssl_tls1_3_key_schedule_stage_application( - mbedtls_ssl_context *ssl ); +int mbedtls_ssl_tls13_key_schedule_stage_application( mbedtls_ssl_context *ssl ); /* * Convenience functions combining * - * mbedtls_ssl_tls1_3_key_schedule_stage_xxx() + * mbedtls_ssl_tls13_key_schedule_stage_xxx() * * with * - * mbedtls_ssl_tls1_3_make_traffic_keys() + * mbedtls_ssl_tls13_make_traffic_keys() * * Those functions assume that the key schedule has been moved * to the correct stage via * - * mbedtls_ssl_tls1_3_key_schedule_stage_xxx(). + * mbedtls_ssl_tls13_key_schedule_stage_xxx(). */ /** * \brief Compute traffic keys for 0-RTT. * * \param ssl The SSL context to operate on. This must be in key schedule stage - * \c Early, see mbedtls_ssl_tls1_3_key_schedule_stage_early_data(). + * \c Early, see mbedtls_ssl_tls13_key_schedule_stage_early_data(). * \param traffic_keys The address at which to store the 0-RTT traffic key * keys. This must be writable but may be uninitialized. * * \returns \c 0 on success. * \returns A negative error code on failure. */ -int mbedtls_ssl_tls1_3_generate_early_data_keys( +int mbedtls_ssl_tls13_generate_early_data_keys( mbedtls_ssl_context *ssl, mbedtls_ssl_key_set *traffic_keys ); /** @@ -594,48 +597,49 @@ int mbedtls_ssl_tls1_3_generate_early_data_keys( * \returns \c 0 on success. * \returns A negative error code on failure. */ -int mbedtls_ssl_tls13_generate_handshake_keys( - mbedtls_ssl_context* ssl, mbedtls_ssl_key_set *traffic_keys ); +int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, + mbedtls_ssl_key_set *traffic_keys ); /** * \brief Compute TLS 1.3 application traffic keys. * * \param ssl The SSL context to operate on. This must be in * key schedule stage \c Application, see - * mbedtls_ssl_tls1_3_key_schedule_stage_application(). + * mbedtls_ssl_tls13_key_schedule_stage_application(). * \param traffic_keys The address at which to store the application traffic key * keys. This must be writable but may be uninitialized. * * \returns \c 0 on success. * \returns A negative error code on failure. */ -int mbedtls_ssl_tls1_3_generate_application_keys( - mbedtls_ssl_context* ssl, mbedtls_ssl_key_set *traffic_keys ); +int mbedtls_ssl_tls13_generate_application_keys( + mbedtls_ssl_context *ssl, mbedtls_ssl_key_set *traffic_keys ); /** * \brief Compute TLS 1.3 resumption master secret. * * \param ssl The SSL context to operate on. This must be in * key schedule stage \c Application, see - * mbedtls_ssl_tls1_3_key_schedule_stage_application(). + * mbedtls_ssl_tls13_key_schedule_stage_application(). * * \returns \c 0 on success. * \returns A negative error code on failure. */ -int mbedtls_ssl_tls1_3_generate_resumption_master_secret( +int mbedtls_ssl_tls13_generate_resumption_master_secret( mbedtls_ssl_context* ssl ); /** - * \brief Calculate content of TLS 1.3 Finished message. + * \brief Calculate the verify_data value for the client or server TLS 1.3 + * Finished message. * * \param ssl The SSL context to operate on. This must be in * key schedule stage \c Handshake, see - * mbedtls_ssl_tls1_3_key_schedule_stage_application(). - * \param dst The address at which to write the Finished content. + * mbedtls_ssl_tls13_key_schedule_stage_application(). + * \param dst The address at which to write the verify_data value. * \param dst_len The size of \p dst in bytes. * \param actual_len The address at which to store the amount of data * actually written to \p dst upon success. - * \param from The endpoint the Finished message originates from: + * \param which The message to calculate the `verify_data` for: * - #MBEDTLS_SSL_IS_CLIENT for the Client's Finished message * - #MBEDTLS_SSL_IS_SERVER for the Server's Finished message * @@ -646,11 +650,11 @@ int mbedtls_ssl_tls1_3_generate_resumption_master_secret( * \returns \c 0 on success. * \returns A negative error code on failure. */ -int mbedtls_ssl_tls1_3_calc_finished( mbedtls_ssl_context* ssl, - unsigned char* dst, - size_t dst_len, - size_t *actual_len, - int from ); +int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context *ssl, + unsigned char *dst, + size_t dst_len, + size_t *actual_len, + int which ); #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) #define MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL 0 @@ -679,7 +683,7 @@ int mbedtls_ssl_tls1_3_calc_finished( mbedtls_ssl_context* ssl, * \returns \c 0 on success. * \returns A negative error code on failure. */ -int mbedtls_ssl_tls1_3_create_psk_binder( mbedtls_ssl_context *ssl, +int mbedtls_ssl_tls13_create_psk_binder( mbedtls_ssl_context *ssl, const mbedtls_md_type_t md_type, unsigned char const *psk, size_t psk_len, int psk_type, @@ -725,7 +729,7 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, * * Early -> Handshake -> Application * - * Small wrappers around mbedtls_ssl_tls1_3_evolve_secret(). + * Small wrappers around mbedtls_ssl_tls13_evolve_secret(). */ /** @@ -740,6 +744,6 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, * \returns \c 0 on success. * \returns A negative error code on failure. */ -int mbedtls_ssl_tls1_3_key_schedule_stage_early( mbedtls_ssl_context *ssl ); +int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl ); #endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */ diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 1bb42ace9996..c0393889611b 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -19,7 +19,7 @@ #include "common.h" -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #define SSL_DONT_FORCE_FLUSH 0 #define SSL_FORCE_FLUSH 1 @@ -29,9 +29,12 @@ #include "mbedtls/debug.h" #include "mbedtls/ssl.h" #include "mbedtls/error.h" +#include "mbedtls/constant_time.h" #include "ssl_misc.h" #include "ssl_tls13_keys.h" +#include "ssl_debug_helpers_generated.h" + #if defined(MBEDTLS_SSL_USE_MPS) #include "mps_all.h" #endif /* MBEDTLS_SSL_USE_MPS */ @@ -63,7 +66,7 @@ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) -static int ssl_write_sni_server_ext( +static int ssl_tls13_write_sni_server_ext( mbedtls_ssl_context *ssl, unsigned char *buf, size_t buflen, @@ -86,12 +89,10 @@ static int ssl_write_sni_server_ext( } /* Write extension header */ - *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF ); - *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF ); + MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SERVERNAME, p, 0 ); /* Write total extension length */ - *p++ = 0; - *p++ = 0; + MBEDTLS_PUT_UINT16_BE( 0, p, 2 ); *olen = 4; @@ -123,21 +124,21 @@ static int ssl_write_sni_server_ext( #if ( defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) ) /* Generate and export a single key share. For hybrid KEMs, this can * be called multiple times with the different components of the hybrid. */ -static int ssl_key_share_encapsulate( mbedtls_ssl_context *ssl, - uint16_t named_group, - unsigned char* buf, - unsigned char* end, - size_t* olen ) +static int ssl_tls13_key_share_encapsulate( mbedtls_ssl_context *ssl, + uint16_t named_group, + unsigned char *buf, + unsigned char *end, + size_t *olen ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; if( mbedtls_ssl_tls13_named_group_is_ecdhe( named_group ) ) { - ret = mbedtls_ecdh_make_tls_13_params( &ssl->handshake->ecdh_ctx, + ret = mbedtls_ecdh_make_tls13_params( &ssl->handshake->ecdh_ctx, olen, buf, end - buf, ssl->conf->f_rng, ssl->conf->p_rng ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_tls_13_params", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_tls13_params", ret ); return( ret ); } @@ -154,11 +155,11 @@ static int ssl_key_share_encapsulate( mbedtls_ssl_context *ssl, return( ret ); } -static int ssl_write_key_shares_ext( +static int ssl_tls13_write_key_shares_ext( mbedtls_ssl_context *ssl, - unsigned char* buf, - unsigned char* end, - size_t* olen ) + unsigned char *buf, + unsigned char *end, + size_t *olen ) { unsigned char *key_share_entry = buf + 4; unsigned char *key_share = buf + 8; @@ -178,27 +179,24 @@ static int ssl_write_key_shares_ext( /* When we introduce PQC-ECDHE hybrids, we'll want to call this * function multiple times. */ - ret = ssl_key_share_encapsulate( ssl, ssl->handshake->offered_group_id, - key_share, end, &share_len ); + ret = ssl_tls13_key_share_encapsulate( ssl, ssl->handshake->offered_group_id, + key_share, end, &share_len ); if( ret != 0 ) return( ret ); /* Write group ID */ - *key_share_entry++ = ( ssl->handshake->offered_group_id >> 8 ) & 0xFF; - *key_share_entry++ = ( ssl->handshake->offered_group_id >> 0 ) & 0xFF; + MBEDTLS_PUT_UINT16_BE( ssl->handshake->offered_group_id, key_share_entry, 0 ); /* Write key share length */ - *key_share_entry++ = ( share_len >> 8 ) & 0xFF; - *key_share_entry++ = ( share_len >> 0 ) & 0xFF; + MBEDTLS_PUT_UINT16_BE( share_len, key_share_entry, 2 ); + key_share_entry += 4; ext_len = share_len + 4; /* Write extension header */ - *buf++ = (unsigned char)( ( MBEDTLS_TLS_EXT_KEY_SHARE >> 8 ) & 0xFF ); - *buf++ = (unsigned char)( ( MBEDTLS_TLS_EXT_KEY_SHARE ) & 0xFF ); + MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0 ); /* Write total extension length */ - *buf++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); - *buf++ = (unsigned char)( ( ext_len ) & 0xFF ); + MBEDTLS_PUT_UINT16_BE( ext_len, buf, 2 ); *olen = ext_len + 4; /* 4 bytes for fixed header + length of key share */ return( 0 ); @@ -217,7 +215,7 @@ static int ssl_write_key_shares_ext( * NamedGroup named_group_list<2..2^16-1>; * } NamedGroupList; */ -int mbedtls_ssl_parse_supported_groups_ext( +int mbedtls_ssl_tls13_parse_supported_groups_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) { @@ -226,8 +224,7 @@ int mbedtls_ssl_parse_supported_groups_ext( const mbedtls_ecp_curve_info *curve_info, **curves; MBEDTLS_SSL_DEBUG_BUF( 3, "supported_groups extension", buf, len ); - - list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); + list_size = MBEDTLS_GET_UINT16_BE( buf, 0 ); if( list_size + 2 != len || list_size % 2 != 0 ) return( MBEDTLS_ERR_SSL_DECODE_ERROR ); @@ -255,7 +252,7 @@ int mbedtls_ssl_parse_supported_groups_ext( p = buf + 2; while ( list_size > 0 && our_size > 1 ) { - uint16_t tls_grp_id = p[0] << 8 | p[1]; + uint16_t tls_grp_id = MBEDTLS_GET_UINT16_BE( p, 0 ); curve_info = mbedtls_ecp_curve_info_from_tls_id( tls_grp_id ); /* mbedtls_ecp_curve_info_from_tls_id() uses the mbedtls_ecp_curve_info @@ -279,9 +276,9 @@ int mbedtls_ssl_parse_supported_groups_ext( #endif /* MBEDTLS_ECDH_C || ( MBEDTLS_ECDSA_C */ #if defined(MBEDTLS_ZERO_RTT) -static int ssl_parse_early_data_ext( mbedtls_ssl_context *ssl, - const unsigned char *buf, - size_t len ) +static int ssl_tls13_parse_early_data_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t len ) { ((void) ssl); ((void) buf); @@ -305,9 +302,9 @@ static int ssl_parse_early_data_ext( mbedtls_ssl_context *ssl, /* TODO: Code for MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED missing */ /* - * ssl_parse_key_shares_ext() verifies whether the information in the extension - * is correct and stores the provided key shares. Whether this is an acceptable - * key share depends on the selected ciphersuite. + * ssl_tls13_parse_key_shares_ext() verifies whether the information in the + * extension is correct and stores the provided key shares. Whether this is an + * acceptable key share depends on the selected ciphersuite. * * Possible return values are: * - 0: Successful processing of the client provided key share extension. @@ -317,9 +314,9 @@ static int ssl_parse_early_data_ext( mbedtls_ssl_context *ssl, * - Another negative return value for fatal errors. */ -static int ssl_parse_key_shares_ext( mbedtls_ssl_context *ssl, - const unsigned char *buf, - size_t len ) +static int ssl_tls13_parse_key_shares_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t len ) { int ret = 0; unsigned char const *p = buf; @@ -342,7 +339,7 @@ static int ssl_parse_key_shares_ext( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_DECODE_ERROR ); } - total_ext_len = ( (size_t) p[0] << 8 ) | p[1]; + total_ext_len = MBEDTLS_GET_UINT16_BE( p, 0 ); p += 2; len -= 2; @@ -379,11 +376,11 @@ static int ssl_parse_key_shares_ext( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_DECODE_ERROR ); } - their_group = ((size_t) p[0] << 8) | (size_t) p[1]; + their_group = MBEDTLS_GET_UINT16_BE( p, 0 ); p += 2; len -= 2; - cur_share_len = ((size_t) p[0] << 8) | (size_t) p[1]; + cur_share_len = MBEDTLS_GET_UINT16_BE( p, 0 ); p += 2; len -= 2; @@ -471,7 +468,7 @@ static int ssl_parse_key_shares_ext( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ #if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) -int mbedtls_ssl_parse_new_session_ticket_server( +int mbedtls_ssl_tls13_parse_new_session_ticket_server( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) @@ -515,7 +512,7 @@ int mbedtls_ssl_parse_new_session_ticket_server( else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) ); else - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "ticket_parse", ret ); return( ret ); } @@ -530,7 +527,7 @@ int mbedtls_ssl_parse_new_session_ticket_server( #endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) -int mbedtls_ssl_parse_client_psk_identity_ext( +int mbedtls_ssl_tls13_parse_client_psk_identity_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) @@ -555,7 +552,7 @@ int mbedtls_ssl_parse_client_psk_identity_ext( #endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ /* Read length of array of identities */ - item_array_length = ( buf[0] << 8 ) | buf[1]; + item_array_length = MBEDTLS_GET_UINT16_BE( buf, 0 ); length_so_far = item_array_length + 2; if( length_so_far > len ) { @@ -568,7 +565,7 @@ int mbedtls_ssl_parse_client_psk_identity_ext( while( sum < item_array_length + 2 ) { /* Read to psk identity length */ - item_length = ( buf[0] << 8 ) | buf[1]; + item_length = MBEDTLS_GET_UINT16_BE( buf, 0 ); sum = sum + 2 + item_length; if( sum > len ) @@ -599,7 +596,7 @@ int mbedtls_ssl_parse_client_psk_identity_ext( /* Identity is not a big secret since clients send it in the clear, * but treat it carefully anyway, just in case */ if( item_length != ssl->conf->psk_identity_len || - mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, buf, item_length ) != 0 ) + mbedtls_ct_memcmp( ssl->conf->psk_identity, buf, item_length ) != 0 ) { ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; } @@ -631,7 +628,7 @@ int mbedtls_ssl_parse_client_psk_identity_ext( memcpy( ssl->session_negotiate->ticket, buf, item_length ); ssl->session_negotiate->ticket_len = item_length; - ret = mbedtls_ssl_parse_new_session_ticket_server( ssl, + ret = mbedtls_ssl_tls13_parse_new_session_ticket_server( ssl, ssl->session_negotiate->ticket, item_length ); if( ret == 0 ) @@ -809,7 +806,7 @@ int mbedtls_ssl_parse_client_psk_identity_ext( return( ret ); /* read length of psk binder array */ - item_array_length = ( buf[0] << 8 ) | buf[1]; + item_array_length = MBEDTLS_GET_UINT16_BE( buf, 0 ); length_so_far += item_array_length; buf += 2; @@ -840,7 +837,7 @@ int mbedtls_ssl_parse_client_psk_identity_ext( else psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL; - ret = mbedtls_ssl_tls1_3_create_psk_binder( ssl, + ret = mbedtls_ssl_tls13_create_psk_binder( ssl, ssl->handshake->ciphersuite_info->mac, psk, psk_len, psk_type, transcript, server_computed_binder ); @@ -857,8 +854,7 @@ int mbedtls_ssl_parse_client_psk_identity_ext( MBEDTLS_SSL_DEBUG_BUF( 3, "psk binder ( received ): ", buf, item_length ); - if( mbedtls_ssl_safer_memcmp( server_computed_binder, buf, - item_length ) != 0 ) + if( mbedtls_ct_memcmp( server_computed_binder, buf, item_length ) != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "Received psk binder does not match computed psk binder." ) ); @@ -903,10 +899,10 @@ int mbedtls_ssl_parse_client_psk_identity_ext( * } PreSharedKeyExtension; */ -static int ssl_write_server_pre_shared_key_ext( mbedtls_ssl_context *ssl, - unsigned char* buf, - unsigned char* end, - size_t* olen ) +static int ssl_tls13_write_server_pre_shared_key_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + unsigned char *end, + size_t *olen ) { unsigned char *p = (unsigned char*)buf; size_t selected_identity; @@ -929,20 +925,17 @@ static int ssl_write_server_pre_shared_key_ext( mbedtls_ssl_context *ssl, } /* Extension Type */ - *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_PRE_SHARED_KEY >> 8 ) & 0xFF ); - *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_PRE_SHARED_KEY ) & 0xFF ); + MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PRE_SHARED_KEY, p, 0 ); /* Extension Length */ - *p++ = (unsigned char)( ( 2 >> 8 ) & 0xFF ); - *p++ = (unsigned char)( 2 & 0xFF ); + MBEDTLS_PUT_UINT16_BE( 2, p, 2 ); /* NOTE: This will need to be adjusted once we support multiple PSKs * being offered by the client. */ selected_identity = 0; /* Write selected_identity */ - *p++ = (unsigned char)( ( selected_identity >> 8 ) & 0xFF ); - *p++ = (unsigned char)( selected_identity & 0xFF ); + MBEDTLS_PUT_UINT16_BE( selected_identity, p, 4 ); *olen = 6; @@ -975,10 +968,10 @@ int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_COOKIE_C) void mbedtls_ssl_conf_cookies( mbedtls_ssl_config *conf, - mbedtls_ssl_cookie_write_t *f_cookie_write, - mbedtls_ssl_cookie_check_t *f_cookie_check, - void *p_cookie, - unsigned int rr_config ) + mbedtls_ssl_cookie_write_t *f_cookie_write, + mbedtls_ssl_cookie_check_t *f_cookie_check, + void *p_cookie, + unsigned int rr_config ) { conf->f_cookie_write = f_cookie_write; conf->f_cookie_check = f_cookie_check; @@ -988,9 +981,9 @@ void mbedtls_ssl_conf_cookies( mbedtls_ssl_config *conf, #endif /* MBEDTLS_SSL_COOKIE_C */ #if defined(MBEDTLS_SSL_COOKIE_C) -static int ssl_parse_cookie_ext( mbedtls_ssl_context *ssl, - const unsigned char *buf, - size_t len ) +static int ssl_tls13_parse_cookie_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t len ) { int ret = 0; size_t cookie_len; @@ -1001,7 +994,7 @@ static int ssl_parse_cookie_ext( mbedtls_ssl_context *ssl, { if( len >= 2 ) { - cookie_len = ( buf[0] << 8 ) | buf[1]; + cookie_len = MBEDTLS_GET_UINT16_BE( buf, 0 ); buf += 2; } else @@ -1043,9 +1036,9 @@ static int ssl_parse_cookie_ext( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) -static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl, - const unsigned char *buf, - size_t len ) +static int ssl_tls13_parse_servername_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t len ) { int ret; size_t servername_list_size, hostname_len; @@ -1059,7 +1052,7 @@ static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 3, ( "Parse ServerName extension" ) ); - servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); + servername_list_size = MBEDTLS_GET_UINT16_BE( buf, 0 ); if( servername_list_size + 2 != len ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); @@ -1069,7 +1062,7 @@ static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl, p = buf + 2; while ( servername_list_size > 0 ) { - hostname_len = ( ( p[1] << 8 ) | p[2] ); + hostname_len = MBEDTLS_GET_UINT16_BE( p, 1 ); if( hostname_len + 3 > servername_list_size ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); @@ -1082,7 +1075,7 @@ static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl, ssl, p + 3, hostname_len ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "sni_wrapper", ret ); mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME ); return( MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME ); @@ -1107,7 +1100,7 @@ static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_ZERO_RTT) /* - static int ssl_parse_early_data_ext( mbedtls_ssl_context *ssl, + static int ssl_tls13_parse_early_data_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) { @@ -1119,9 +1112,9 @@ static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_ZERO_RTT */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) -static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, - const unsigned char *buf, - size_t len ) +static int ssl_tls13_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t len ) { if( len != 1 ) return( MBEDTLS_ERR_SSL_DECODE_ERROR ); @@ -1143,9 +1136,9 @@ static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, * PskKeyExchangeMode ke_modes<1..255>; * } PskKeyExchangeModes; */ -static int ssl_parse_key_exchange_modes_ext( mbedtls_ssl_context *ssl, - const unsigned char *buf, - size_t len ) +static int ssl_tls13_parse_key_exchange_modes_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t len ) { size_t ke_modes_len; int ke_modes = 0; @@ -1168,18 +1161,18 @@ static int ssl_parse_key_exchange_modes_ext( mbedtls_ssl_context *ssl, { switch( *buf ) { - case MBEDTLS_SSL_TLS13_PSK_MODE_PURE: - ke_modes |= MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK; + case MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE: + ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; break; - case MBEDTLS_SSL_TLS13_PSK_MODE_ECDHE: - ke_modes |= MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; + case MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE: + ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; break; default: return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); } } - ssl->handshake->tls1_3_kex_modes = ke_modes; + ssl->handshake->tls13_kex_modes = ke_modes; return( 0 ); } #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ @@ -1194,10 +1187,10 @@ static int ssl_parse_key_exchange_modes_ext( mbedtls_ssl_context *ssl, * }; * } SupportedVersions; */ -static int ssl_write_supported_version_ext( mbedtls_ssl_context *ssl, - unsigned char* buf, - unsigned char* end, - size_t* olen ) +static int ssl_tls13_write_supported_version_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + unsigned char *end, + size_t *olen ) { unsigned char *p = buf; *olen = 0; @@ -1213,17 +1206,14 @@ static int ssl_write_supported_version_ext( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); } - *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS >> 8 ) & 0xFF ); - *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS ) & 0xFF ); + MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0 ); /* length */ - *p++ = 0x00; - *p++ = 2; + MBEDTLS_PUT_UINT16_BE( 2, p, 2 ); /* For TLS 1.3 and for DTLS 1.3 we use 0x0304 */ - *p++ = 0x03; - *p++ = 0x04; - MBEDTLS_SSL_DEBUG_MSG( 3, ( "version [%d:%d]", *( p-2 ), *( p-1 ) ) ); + MBEDTLS_PUT_UINT16_BE( 0x0304, p, 4 ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "version [3:4]" ) ); *olen = 6; @@ -1240,9 +1230,9 @@ static int ssl_write_supported_version_ext( mbedtls_ssl_context *ssl, * }; * } SupportedVersions; */ -static int ssl_parse_supported_versions_ext( mbedtls_ssl_context *ssl, - const unsigned char *buf, - size_t len ) +static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t len ) { size_t list_len; int tls13_supported = 0; @@ -1307,8 +1297,8 @@ static int ssl_parse_supported_versions_ext( mbedtls_ssl_context *ssl, } #if defined(MBEDTLS_SSL_ALPN) -static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, - const unsigned char *buf, size_t len ) +static int ssl_tls13_parse_alpn_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, size_t len ) { const unsigned char *end const = buf + len; size_t list_len; @@ -1331,7 +1321,7 @@ static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, if( len < 2 ) return( MBEDTLS_ERR_SSL_DECODE_ERROR ); - list_len = ( buf[0] << 8 ) | buf[1]; + list_len = MBEDTLS_GET_UINT16_BE( buf, 0 ); if( list_len != len - 2 ) return( MBEDTLS_ERR_SSL_DECODE_ERROR ); @@ -1380,29 +1370,29 @@ static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) /* Main state-handling entry point; orchestrates the other functions. */ -static int ssl_write_new_session_ticket_process( mbedtls_ssl_context* ssl ); +static int ssl_tls13_write_new_session_ticket_process( mbedtls_ssl_context *ssl ); #define SSL_NEW_SESSION_TICKET_SKIP 0 #define SSL_NEW_SESSION_TICKET_WRITE 1 -static int ssl_write_new_session_ticket_coordinate( mbedtls_ssl_context* ssl ); +static int ssl_tls13_write_new_session_ticket_coordinate( mbedtls_ssl_context *ssl ); -static int ssl_write_new_session_ticket_write( mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen ); +static int ssl_tls13_write_new_session_ticket_write( mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t buflen, + size_t *olen ); /* Update the state after handling the incoming end of early data message. */ -static int ssl_write_new_session_ticket_postprocess( mbedtls_ssl_context* ssl ); +static int ssl_tls13_write_new_session_ticket_postprocess( mbedtls_ssl_context *ssl ); /* * Implementation */ -static int ssl_write_new_session_ticket_process( mbedtls_ssl_context *ssl ) +static int ssl_tls13_write_new_session_ticket_process( mbedtls_ssl_context *ssl ) { int ret = 0; - MBEDTLS_SSL_PROC_CHK_NEG( ssl_write_new_session_ticket_coordinate( ssl ) ); + MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_write_new_session_ticket_coordinate( ssl ) ); if( ret == SSL_NEW_SESSION_TICKET_WRITE ) { @@ -1412,11 +1402,11 @@ static int ssl_write_new_session_ticket_process( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, &buf, &buf_len ) ); - MBEDTLS_SSL_PROC_CHK( ssl_write_new_session_ticket_write( + MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_new_session_ticket_write( ssl, buf, buf_len, &msg_len ) ); MBEDTLS_SSL_PROC_CHK( - ssl_write_new_session_ticket_postprocess( ssl ) ); + ssl_tls13_write_new_session_ticket_postprocess( ssl ) ); MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg( ssl, buf_len, msg_len ) ); @@ -1424,7 +1414,7 @@ static int ssl_write_new_session_ticket_process( mbedtls_ssl_context *ssl ) else { MBEDTLS_SSL_PROC_CHK( - ssl_write_new_session_ticket_postprocess( ssl ) ); + ssl_tls13_write_new_session_ticket_postprocess( ssl ) ); } cleanup: @@ -1432,7 +1422,7 @@ static int ssl_write_new_session_ticket_process( mbedtls_ssl_context *ssl ) return( ret ); } -static int ssl_write_new_session_ticket_coordinate( mbedtls_ssl_context* ssl ) +static int ssl_tls13_write_new_session_ticket_coordinate( mbedtls_ssl_context *ssl ) { /* Check whether the use of session tickets is enabled */ if( ssl->conf->session_tickets == 0 ) @@ -1444,7 +1434,7 @@ static int ssl_write_new_session_ticket_coordinate( mbedtls_ssl_context* ssl ) } -static int ssl_write_new_session_ticket_postprocess( mbedtls_ssl_context* ssl ) +static int ssl_tls13_write_new_session_ticket_postprocess( mbedtls_ssl_context *ssl ) { mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET_FLUSH ); return( 0 ); @@ -1477,10 +1467,10 @@ static int ssl_write_new_session_ticket_postprocess( mbedtls_ssl_context* ssl ) * - certificate of the peer (peer_cert) * */ -static int ssl_write_new_session_ticket_write( mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen ) +static int ssl_tls13_write_new_session_ticket_write( mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t buflen, + size_t *olen ) { int ret; size_t tlen; @@ -1529,10 +1519,8 @@ static int ssl_write_new_session_ticket_write( mbedtls_ssl_context* ssl, return( ret ); } - *(p++) = ( ssl->session->ticket_age_add >> 24 ) & 0xFF; - *(p++) = ( ssl->session->ticket_age_add >> 16 ) & 0xFF; - *(p++) = ( ssl->session->ticket_age_add >> 8 ) & 0xFF; - *(p++) = ( ssl->session->ticket_age_add >> 0 ) & 0xFF; + MBEDTLS_PUT_UINT32_BE( ssl->session->ticket_age_add, p, 0 ); + p += 4; MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket->ticket_age_add: %u", ssl->session->ticket_age_add ) ); @@ -1556,7 +1544,7 @@ static int ssl_write_new_session_ticket_write( mbedtls_ssl_context* ssl, * HKDF-Expand-Label( resumption_master_secret, * "resumption", ticket_nonce, Hash.length ) */ - ret = mbedtls_ssl_tls1_3_hkdf_expand_label( suite_info->mac, + ret = mbedtls_ssl_tls13_hkdf_expand_label( suite_info->mac, ssl->session->app_secrets.resumption_master_secret, hash_length, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( resumption ), @@ -1591,18 +1579,15 @@ static int ssl_write_new_session_ticket_write( mbedtls_ssl_context* ssl, } /* Ticket lifetime */ - *(ticket_lifetime_ptr++) = ( ssl->session->ticket_lifetime >> 24 ) & 0xFF; - *(ticket_lifetime_ptr++) = ( ssl->session->ticket_lifetime >> 16 ) & 0xFF; - *(ticket_lifetime_ptr++) = ( ssl->session->ticket_lifetime >> 8 ) & 0xFF; - *(ticket_lifetime_ptr++) = ( ssl->session->ticket_lifetime >> 0 ) & 0xFF; + MBEDTLS_PUT_UINT16_BE( ssl->session->ticket_lifetime, + ticket_lifetime_ptr, 0 ); + ticket_lifetime_ptr += 4; MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket->ticket_lifetime: %d", ssl->session->ticket_lifetime ) ); /* Ticket Length */ - p[0] = (unsigned char)( ( tlen >> 8 ) & 0xFF ); - p[1] = (unsigned char)( ( tlen >> 0 ) & 0xFF ); - + MBEDTLS_PUT_UINT16_BE( tlen, p, 0 ); p += 2 + tlen; /* Ticket Extensions @@ -1610,8 +1595,8 @@ static int ssl_write_new_session_ticket_write( mbedtls_ssl_context* ssl, * Note: We currently don't have any extensions. * Set length to zero. */ - *(p++) = ( ext_len >> 8 ) & 0xFF; - *(p++) = ( ext_len >> 0 ) & 0xFF; + MBEDTLS_PUT_UINT16_BE( ext_len, p, 0 ); + p += 2; MBEDTLS_SSL_DEBUG_MSG( 3, ( "NewSessionTicket (extension_length): %" MBEDTLS_PRINTF_SIZET , ext_len ) ); @@ -1638,39 +1623,39 @@ static int ssl_write_new_session_ticket_write( mbedtls_ssl_context* ssl, */ /* Main state-handling entry point; orchestrates the other functions. */ -int ssl_read_end_of_early_data_process( mbedtls_ssl_context* ssl ); +int ssl_tls13_read_end_of_early_data_process( mbedtls_ssl_context *ssl ); #define SSL_END_OF_EARLY_DATA_SKIP 0 #define SSL_END_OF_EARLY_DATA_EXPECT 1 -static int ssl_read_end_of_early_data_coordinate( mbedtls_ssl_context* ssl ); +static int ssl_tls13_read_end_of_early_data_coordinate( mbedtls_ssl_context *ssl ); #if defined(MBEDTLS_ZERO_RTT) -static int ssl_end_of_early_data_fetch( mbedtls_ssl_context* ssl ); +static int ssl_tls13_end_of_early_data_fetch( mbedtls_ssl_context *ssl ); #endif /* MBEDTLS_ZERO_RTT */ /* Update the state after handling the incoming end of early data message. */ -static int ssl_read_end_of_early_data_postprocess( mbedtls_ssl_context* ssl ); +static int ssl_tls13_read_end_of_early_data_postprocess( mbedtls_ssl_context *ssl ); /* * Implementation */ -int ssl_read_end_of_early_data_process( mbedtls_ssl_context* ssl ) +int ssl_tls13_read_end_of_early_data_process( mbedtls_ssl_context *ssl ) { int ret; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse end_of_early_data" ) ); - MBEDTLS_SSL_PROC_CHK_NEG( ssl_read_end_of_early_data_coordinate( ssl ) ); + MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_read_end_of_early_data_coordinate( ssl ) ); if( ret == SSL_END_OF_EARLY_DATA_EXPECT ) { #if defined(MBEDTLS_ZERO_RTT) #if defined(MBEDTLS_SSL_USE_MPS) - MBEDTLS_SSL_PROC_CHK( ssl_end_of_early_data_fetch( ssl ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_end_of_early_data_fetch( ssl ) ); MBEDTLS_SSL_PROC_CHK( mbedtls_mps_read_consume( &ssl->mps->l4 ) ); #else /* MBEDTLS_SSL_USE_MPS */ - MBEDTLS_SSL_PROC_CHK( ssl_end_of_early_data_fetch( ssl ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_end_of_early_data_fetch( ssl ) ); #endif /* MBEDTLS_SSL_USE_MPS */ mbedtls_ssl_tls13_add_hs_hdr_to_checksum( @@ -1686,7 +1671,7 @@ int ssl_read_end_of_early_data_process( mbedtls_ssl_context* ssl ) } /* Postprocessing step: Update state machine */ - MBEDTLS_SSL_PROC_CHK( ssl_read_end_of_early_data_postprocess( ssl ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_read_end_of_early_data_postprocess( ssl ) ); cleanup: @@ -1698,7 +1683,7 @@ int ssl_read_end_of_early_data_process( mbedtls_ssl_context* ssl ) #if defined(MBEDTLS_ZERO_RTT) #if defined(MBEDTLS_SSL_USE_MPS) -static int ssl_end_of_early_data_fetch( mbedtls_ssl_context *ssl ) +static int ssl_tls13_end_of_early_data_fetch( mbedtls_ssl_context *ssl ) { int ret; mbedtls_mps_handshake_in msg; @@ -1727,7 +1712,7 @@ static int ssl_end_of_early_data_fetch( mbedtls_ssl_context *ssl ) return( ret ); } #else /* MBEDTLS_SSL_USE_MPS */ -static int ssl_end_of_early_data_fetch( mbedtls_ssl_context *ssl ) +static int ssl_tls13_end_of_early_data_fetch( mbedtls_ssl_context *ssl ) { int ret; @@ -1756,13 +1741,13 @@ static int ssl_end_of_early_data_fetch( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_ZERO_RTT */ #if !defined(MBEDTLS_ZERO_RTT) -static int ssl_read_end_of_early_data_coordinate( mbedtls_ssl_context* ssl ) +static int ssl_tls13_read_end_of_early_data_coordinate( mbedtls_ssl_context *ssl ) { ((void) ssl); return( SSL_END_OF_EARLY_DATA_SKIP ); } #else /* MBEDTLS_ZERO_RTT */ -static int ssl_read_end_of_early_data_coordinate( mbedtls_ssl_context* ssl ) +static int ssl_tls13_read_end_of_early_data_coordinate( mbedtls_ssl_context *ssl ) { if( ssl->handshake->early_data != MBEDTLS_SSL_EARLY_DATA_ON ) return( SSL_END_OF_EARLY_DATA_SKIP ); @@ -1771,7 +1756,7 @@ static int ssl_read_end_of_early_data_coordinate( mbedtls_ssl_context* ssl ) } #endif /* MBEDTLS_ZERO_RTT */ -static int ssl_read_end_of_early_data_postprocess( mbedtls_ssl_context* ssl ) +static int ssl_tls13_read_end_of_early_data_postprocess( mbedtls_ssl_context *ssl ) { mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE ); return ( 0 ); @@ -1788,44 +1773,44 @@ static int ssl_read_end_of_early_data_postprocess( mbedtls_ssl_context* ssl ) */ /* Main state-handling entry point; orchestrates the other functions. */ -int ssl_read_early_data_process( mbedtls_ssl_context* ssl ); +int ssl_tls13_read_early_data_process( mbedtls_ssl_context *ssl ); #define SSL_EARLY_DATA_SKIP 0 #define SSL_EARLY_DATA_EXPECT 1 #if defined(MBEDTLS_ZERO_RTT) #if defined(MBEDTLS_SSL_USE_MPS) -static int ssl_early_data_fetch( mbedtls_ssl_context* ssl, - mbedtls_mps_reader **reader ); +static int ssl_tls13_early_data_fetch( mbedtls_ssl_context *ssl, + mbedtls_mps_reader **reader ); #else -static int ssl_early_data_fetch( mbedtls_ssl_context* ssl, - unsigned char** buf, - size_t* buflen ); +static int ssl_tls13_early_data_fetch( mbedtls_ssl_context *ssl, + unsigned char **buf, + size_t *buflen ); #endif /* MBEDTLS_SSL_USE_MPS */ #endif /* MBEDTLS_ZERO_RTT */ -static int ssl_read_early_data_coordinate( mbedtls_ssl_context* ssl ); +static int ssl_tls13_read_early_data_coordinate( mbedtls_ssl_context *ssl ); #if defined(MBEDTLS_ZERO_RTT) /* Parse early data send by the peer. */ -static int ssl_read_early_data_parse( mbedtls_ssl_context* ssl, - unsigned char const* buf, +static int ssl_tls13_read_early_data_parse( mbedtls_ssl_context *ssl, + unsigned char const *buf, size_t buflen ); #endif /* MBEDTLS_ZERO_RTT */ /* Update the state after handling the incoming early data message. */ -static int ssl_read_early_data_postprocess( mbedtls_ssl_context* ssl ); +static int ssl_tls13_read_early_data_postprocess( mbedtls_ssl_context *ssl ); /* * Implementation */ -int ssl_read_early_data_process( mbedtls_ssl_context* ssl ) +int ssl_tls13_read_early_data_process( mbedtls_ssl_context *ssl ) { int ret; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse early data" ) ); - MBEDTLS_SSL_PROC_CHK_NEG( ssl_read_early_data_coordinate( ssl ) ); + MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_read_early_data_coordinate( ssl ) ); if( ret == SSL_EARLY_DATA_EXPECT ) { @@ -1837,19 +1822,19 @@ int ssl_read_early_data_process( mbedtls_ssl_context* ssl ) #endif /* MBEDTLS_SSL_USE_MPS */ #if defined(MBEDTLS_SSL_USE_MPS) - MBEDTLS_SSL_PROC_CHK( ssl_early_data_fetch( ssl, &rd ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_early_data_fetch( ssl, &rd ) ); MBEDTLS_SSL_PROC_CHK( mbedtls_mps_reader_get( rd, MBEDTLS_MPS_SIZE_MAX, &buf, &buflen ) ); - MBEDTLS_SSL_PROC_CHK( ssl_read_early_data_parse( ssl, buf, buflen ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_read_early_data_parse( ssl, buf, buflen ) ); MBEDTLS_SSL_PROC_CHK( mbedtls_mps_reader_commit( rd ) ); MBEDTLS_SSL_PROC_CHK( mbedtls_mps_read_consume( &ssl->mps->l4 ) ); #else /* MBEDTLS_SSL_USE_MPS */ - MBEDTLS_SSL_PROC_CHK( ssl_early_data_fetch( ssl, &buf, &buflen ) ); - MBEDTLS_SSL_PROC_CHK( ssl_read_early_data_parse( ssl, buf, buflen ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_early_data_fetch( ssl, &buf, &buflen ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_read_early_data_parse( ssl, buf, buflen ) ); #endif /* MBEDTLS_SSL_USE_MPS */ @@ -1865,7 +1850,7 @@ int ssl_read_early_data_process( mbedtls_ssl_context* ssl ) } else { - MBEDTLS_SSL_PROC_CHK( ssl_read_early_data_postprocess( ssl ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_read_early_data_postprocess( ssl ) ); } cleanup: @@ -1876,8 +1861,8 @@ int ssl_read_early_data_process( mbedtls_ssl_context* ssl ) #if defined(MBEDTLS_ZERO_RTT) #if defined(MBEDTLS_SSL_USE_MPS) -static int ssl_early_data_fetch( mbedtls_ssl_context *ssl, - mbedtls_mps_reader **rd ) +static int ssl_tls13_early_data_fetch( mbedtls_ssl_context *ssl, + mbedtls_mps_reader **rd ) { int ret; MBEDTLS_SSL_PROC_CHK_NEG( mbedtls_mps_read( &ssl->mps->l4 ) ); @@ -1892,9 +1877,9 @@ static int ssl_early_data_fetch( mbedtls_ssl_context *ssl, return( ret ); } #else /* MBEDTLS_SSL_USE_MPS */ -static int ssl_early_data_fetch( mbedtls_ssl_context *ssl, - unsigned char **buf, - size_t *buflen ) +static int ssl_tls13_early_data_fetch( mbedtls_ssl_context *ssl, + unsigned char **buf, + size_t *buflen ) { int ret; @@ -1923,13 +1908,13 @@ static int ssl_early_data_fetch( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_ZERO_RTT */ #if !defined(MBEDTLS_ZERO_RTT) -static int ssl_read_early_data_coordinate( mbedtls_ssl_context* ssl ) +static int ssl_tls13_read_early_data_coordinate( mbedtls_ssl_context *ssl ) { ((void) ssl); return( SSL_EARLY_DATA_SKIP ); } #else /* MBEDTLS_ZERO_RTT */ -static int ssl_read_early_data_coordinate( mbedtls_ssl_context* ssl ) +static int ssl_tls13_read_early_data_coordinate( mbedtls_ssl_context *ssl ) { int ret; @@ -1975,9 +1960,9 @@ static int ssl_read_early_data_coordinate( mbedtls_ssl_context* ssl ) #endif /* MBEDTLS_SSL_USE_MPS */ } -static int ssl_read_early_data_parse( mbedtls_ssl_context* ssl, - unsigned char const* buf, - size_t buflen ) +static int ssl_tls13_read_early_data_parse( mbedtls_ssl_context *ssl, + unsigned char const *buf, + size_t buflen ) { /* Check whether we have enough buffer space. */ if( buflen <= ssl->conf->max_early_data ) @@ -2002,7 +1987,7 @@ static int ssl_read_early_data_parse( mbedtls_ssl_context* ssl, } #endif /* MBEDTLS_ZERO_RTT */ -static int ssl_read_early_data_postprocess( mbedtls_ssl_context* ssl ) +static int ssl_tls13_read_early_data_postprocess( mbedtls_ssl_context *ssl ) { mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_END_OF_EARLY_DATA ); return ( 0 ); @@ -2037,16 +2022,16 @@ static int ssl_read_early_data_postprocess( mbedtls_ssl_context* ssl ) */ /* Main entry point from the state machine; orchestrates the otherfunctions. */ -static int ssl_client_hello_process( mbedtls_ssl_context* ssl ); +static int ssl_tls13_client_hello_process( mbedtls_ssl_context *ssl ); -static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen ); +static int ssl_tls13_client_hello_parse( mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t buflen ); /* Update the handshake state machine */ /* TODO: At the moment, this doesn't update the state machine - why? */ -static int ssl_client_hello_postprocess( mbedtls_ssl_context* ssl, - int hrr_required ); +static int ssl_tls13_client_hello_postprocess( mbedtls_ssl_context *ssl, + int hrr_required ); /* * Implementation @@ -2055,24 +2040,24 @@ static int ssl_client_hello_postprocess( mbedtls_ssl_context* ssl, #define SSL_CLIENT_HELLO_OK 0 #define SSL_CLIENT_HELLO_HRR_REQUIRED 1 -static int ssl_client_hello_process( mbedtls_ssl_context* ssl ) +static int ssl_tls13_client_hello_process( mbedtls_ssl_context *ssl ) { int ret = 0; int hrr_required = SSL_CLIENT_HELLO_OK; - unsigned char* buf = NULL; + unsigned char *buf = NULL; size_t buflen = 0; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) ); ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls1_3_fetch_handshake_msg( + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, &buf, &buflen ) ); mbedtls_ssl_tls13_add_hs_hdr_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, buflen ); - MBEDTLS_SSL_PROC_CHK_NEG( ssl_client_hello_parse( ssl, buf, buflen ) ); + MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_client_hello_parse( ssl, buf, buflen ) ); hrr_required = ret; #if defined(MBEDTLS_SSL_USE_MPS) @@ -2080,7 +2065,7 @@ static int ssl_client_hello_process( mbedtls_ssl_context* ssl ) #endif /* MBEDTLS_SSL_USE_MPS */ MBEDTLS_SSL_DEBUG_MSG( 1, ( "postprocess" ) ); - MBEDTLS_SSL_PROC_CHK( ssl_client_hello_postprocess( ssl, hrr_required ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_client_hello_postprocess( ssl, hrr_required ) ); cleanup: @@ -2088,7 +2073,7 @@ static int ssl_client_hello_process( mbedtls_ssl_context* ssl ) return( ret ); } -static void ssl_debug_print_client_hello_exts( mbedtls_ssl_context *ssl ) +static void ssl_tls13_debug_print_client_hello_exts( mbedtls_ssl_context *ssl ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Extensions:" ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "- KEY_SHARE_EXTENSION ( %s )", @@ -2136,56 +2121,56 @@ static void ssl_debug_print_client_hello_exts( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_ZERO_RTT*/ } -static int ssl_client_hello_has_exts( mbedtls_ssl_context *ssl, - int ext_id_mask ) +static int ssl_tls13_client_hello_has_exts( mbedtls_ssl_context *ssl, + int ext_id_mask ) { int masked = ssl->handshake->extensions_present & ext_id_mask; return( masked == ext_id_mask ); } -static int ssl_client_hello_has_psk_extensions( mbedtls_ssl_context *ssl ) +static int ssl_tls13_client_hello_has_psk_extensions( mbedtls_ssl_context *ssl ) { - return( ssl_client_hello_has_exts( ssl, + return( ssl_tls13_client_hello_has_exts( ssl, MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) ); } -static int ssl_client_hello_has_key_share_extensions( mbedtls_ssl_context *ssl ) +static int ssl_tls13_client_hello_has_key_share_extensions( mbedtls_ssl_context *ssl ) { - return( ssl_client_hello_has_exts( ssl, + return( ssl_tls13_client_hello_has_exts( ssl, MBEDTLS_SSL_EXT_SUPPORTED_GROUPS | MBEDTLS_SSL_EXT_KEY_SHARE ) ); } -static int ssl_client_hello_has_cert_extensions( mbedtls_ssl_context *ssl ) +static int ssl_tls13_client_hello_has_cert_extensions( mbedtls_ssl_context *ssl ) { - return( ssl_client_hello_has_exts( ssl, + return( ssl_tls13_client_hello_has_exts( ssl, MBEDTLS_SSL_EXT_SUPPORTED_GROUPS | MBEDTLS_SSL_EXT_KEY_SHARE | MBEDTLS_SSL_EXT_SIG_ALG ) ); } -static int ssl_check_psk_key_exchange( mbedtls_ssl_context *ssl ) +static int ssl_tls13_check_psk_key_exchange( mbedtls_ssl_context *ssl ) { - if( !ssl_client_hello_has_psk_extensions( ssl ) ) + if( !ssl_tls13_client_hello_has_psk_extensions( ssl ) ) return( 0 ); /* Test whether pure PSK is offered by client and supported by us. */ if( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) && - mbedtls_ssl_tls1_3_psk_enabled( ssl ) ) + mbedtls_ssl_tls13_psk_enabled( ssl ) ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "Using a PSK key exchange" ) ); - ssl->handshake->key_exchange = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK; + ssl->handshake->key_exchange = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; return( 1 ); } /* Test whether PSK-ephemeral is offered by client and supported by us. */ if( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) && - mbedtls_ssl_tls1_3_psk_ephemeral_enabled( ssl ) && - ssl_client_hello_has_key_share_extensions( ssl ) ) + mbedtls_ssl_tls13_psk_ephemeral_enabled( ssl ) && + ssl_tls13_client_hello_has_key_share_extensions( ssl ) ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "Using a ECDHE-PSK key exchange" ) ); - ssl->handshake->key_exchange = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; + ssl->handshake->key_exchange = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; return( 1 ); } @@ -2193,20 +2178,20 @@ static int ssl_check_psk_key_exchange( mbedtls_ssl_context *ssl ) return( 0 ); } -static int ssl_check_certificate_key_exchange( mbedtls_ssl_context *ssl ) +static int ssl_tls13_check_certificate_key_exchange( mbedtls_ssl_context *ssl ) { if( !mbedtls_ssl_conf_tls13_ephemeral_enabled( ssl ) ) return( 0 ); - if( !ssl_client_hello_has_cert_extensions( ssl ) ) + if( !ssl_tls13_client_hello_has_cert_extensions( ssl ) ) return( 0 ); - ssl->handshake->key_exchange = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL; + ssl->handshake->key_exchange = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL; return( 1 ); } #if defined(MBEDTLS_ZERO_RTT) -static int ssl_check_use_0rtt_handshake( mbedtls_ssl_context *ssl ) +static int ssl_tls13_check_use_0rtt_handshake( mbedtls_ssl_context *ssl ) { /* Check if the user has enabled 0-RTT in the config */ if( !mbedtls_ssl_conf_tls13_0rtt_enabled( ssl ) ) @@ -2219,7 +2204,7 @@ static int ssl_check_use_0rtt_handshake( mbedtls_ssl_context *ssl ) /* If the client has indicated the use of 0-RTT but not sent * the PSK extensions, that's not conformant (and there's no * way to continue from here). */ - if( !ssl_client_hello_has_psk_extensions( ssl ) ) + if( !ssl_tls13_client_hello_has_psk_extensions( ssl ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "Client indicated 0-RTT without offering PSK extensions" ) ); @@ -2232,9 +2217,9 @@ static int ssl_check_use_0rtt_handshake( mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_ZERO_RTT*/ -static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen ) +static int ssl_tls13_client_hello_parse( mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t buflen ) { int ret; size_t i, j; @@ -2246,13 +2231,13 @@ static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, unsigned char *ext = NULL; unsigned char *ext_psk_ptr = NULL; - const int* ciphersuites; - const mbedtls_ssl_ciphersuite_t* ciphersuite_info; + const int *ciphersuites; + const mbedtls_ssl_ciphersuite_t *ciphersuite_info; int hrr_required = 0; ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE; - ssl->handshake->key_exchange = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_NONE; + ssl->handshake->key_exchange = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE; /* TBD: Refactor */ orig_buf = buf; @@ -2326,7 +2311,7 @@ static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, memcpy( &ssl->session_negotiate->id[0], buf, sess_len ); /* write session id */ buf += sess_len; - ciph_len = ( buf[0] << 8 ) | ( buf[1] ); + ciph_len = MBEDTLS_GET_UINT16_BE( buf, 0 ); /* Length check */ if( buf + ciph_len > end ) @@ -2381,7 +2366,7 @@ static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, return( MBEDTLS_ERR_SSL_DECODE_ERROR ); } - ext_len = ( buf[0] << 8 ) | ( buf[1] ); + ext_len = MBEDTLS_GET_UINT16_BE( buf, 0 ); if( ( ext_len > 0 && ext_len < 4 ) || buf + 2 + ext_len > end ) @@ -2414,8 +2399,8 @@ static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); } - ext_id = ( ( (size_t) ext[0] << 8 ) | ( (size_t) ext[1] << 0 ) ); - ext_size = ( ( (size_t) ext[2] << 8 ) | ( (size_t) ext[3] << 0 ) ); + ext_id = MBEDTLS_GET_UINT16_BE( ext, 0 ); + ext_size = MBEDTLS_GET_UINT16_BE( ext, 2 ); if( ext_size + 4 > ext_len ) { @@ -2428,10 +2413,10 @@ static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) case MBEDTLS_TLS_EXT_SERVERNAME: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) ); - ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size ); + ret = ssl_tls13_parse_servername_ext( ssl, ext + 4, ext_size ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_parse_servername_ext", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_parse_servername_ext", ret ); return( ret ); } ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SERVERNAME; @@ -2442,7 +2427,7 @@ static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, case MBEDTLS_TLS_EXT_COOKIE: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found cookie extension" ) ); - ret = ssl_parse_cookie_ext( ssl, ext + 4, ext_size ); + ret = ssl_tls13_parse_cookie_ext( ssl, ext + 4, ext_size ); /* if cookie verification failed then we return a hello retry message */ if( ret == MBEDTLS_ERR_SSL_HRR_REQUIRED ) @@ -2474,10 +2459,10 @@ static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, case MBEDTLS_TLS_EXT_EARLY_DATA: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found early_data extension" ) ); - ret = ssl_parse_early_data_ext( ssl, ext + 4, ext_size ); + ret = ssl_tls13_parse_early_data_ext( ssl, ext + 4, ext_size ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_parse_early_data_ext", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_parse_early_data_ext", ret ); return( ret ); } @@ -2495,11 +2480,11 @@ static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, * indicates the named groups which the client supports, * ordered from most preferred to least preferred. */ - ret = mbedtls_ssl_parse_supported_groups_ext( ssl, ext + 4, + ret = mbedtls_ssl_tls13_parse_supported_groups_ext( ssl, ext + 4, ext_size ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_parse_supported_groups_ext", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_parse_supported_groups_ext", ret ); return( ret ); } @@ -2511,10 +2496,10 @@ static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found psk key exchange modes extension" ) ); - ret = ssl_parse_key_exchange_modes_ext( ssl, ext + 4, ext_size ); + ret = ssl_tls13_parse_key_exchange_modes_ext( ssl, ext + 4, ext_size ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_parse_key_exchange_modes_ext", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_parse_key_exchange_modes_ext", ret ); return( ret ); } @@ -2533,7 +2518,7 @@ static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, * contains the endpoint's cryptographic parameters for * ECDHE/DHE key establishment methods. */ - ret = ssl_parse_key_shares_ext( ssl, ext + 4, ext_size ); + ret = ssl_tls13_parse_key_shares_ext( ssl, ext + 4, ext_size ); if( ret == MBEDTLS_ERR_SSL_HRR_REQUIRED ) { hrr_required = 1; @@ -2551,10 +2536,10 @@ static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) ); - ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size ); + ret = ssl_tls13_parse_max_fragment_length_ext( ssl, ext + 4, ext_size ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_max_fragment_length_ext" ), ret ); + MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_tls13_parse_max_fragment_length_ext" ), ret ); return( ret ); } ssl->handshake->extensions_present |= MAX_FRAGMENT_LENGTH_EXTENSION; @@ -2564,10 +2549,10 @@ static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported versions extension" ) ); - ret = ssl_parse_supported_versions_ext( ssl, ext + 4, ext_size ); + ret = ssl_tls13_parse_supported_versions_ext( ssl, ext + 4, ext_size ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_supported_versions_ext" ), ret ); + MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_tls13_parse_supported_versions_ext" ), ret ); return( ret ); } ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS; @@ -2577,10 +2562,10 @@ static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, case MBEDTLS_TLS_EXT_ALPN: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); - ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ); + ret = ssl_tls13_parse_alpn_ext( ssl, ext + 4, ext_size ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_alpn_ext" ), ret ); + MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_tls13_parse_alpn_ext" ), ret ); return( ret ); } ssl->handshake->extensions_present |= ALPN_EXTENSION; @@ -2591,10 +2576,10 @@ static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, case MBEDTLS_TLS_EXT_SIG_ALG: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) ); - ret = mbedtls_ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size ); + ret = mbedtls_ssl_tls13_parse_signature_algorithms_ext( ssl, ext + 4, ext_size ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "ssl_parse_supported_signature_algorithms_server_ext ( %d )", ret ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_ssl_tls13_parse_signature_algorithms_ext ( %d )", ret ) ); return( ret ); } ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG; @@ -2640,8 +2625,7 @@ static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, for ( j = 0, p = ciph_offset + 2; j < ciph_len; j += 2, p += 2 ) #endif /* MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE */ { - if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) || - p[1] != ( ( ciphersuites[i] ) & 0xFF ) ) + if( MBEDTLS_GET_UINT16_BE( p, 0 ) != ciphersuites[i] ) continue; ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); @@ -2654,7 +2638,7 @@ static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, goto have_ciphersuite; /* - if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i], + if( ( ret = ssl_tls13_ciphersuite_match( ssl, ciphersuites[i], &ciphersuite_info ) ) != 0 ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); @@ -2676,7 +2660,7 @@ static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, ssl->handshake->ciphersuite_info = ciphersuite_info; /* List all the extensions we have received */ - ssl_debug_print_client_hello_exts( ssl ); + ssl_tls13_debug_print_client_hello_exts( ssl ); /* * Determine the key exchange algorithm to use. @@ -2693,10 +2677,10 @@ static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, * 3 ) Certificate Mode */ - ssl->handshake->key_exchange = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_NONE; + ssl->handshake->key_exchange = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE; - if( !ssl_check_psk_key_exchange( ssl ) && - !ssl_check_certificate_key_exchange( ssl ) ) + if( !ssl_tls13_check_psk_key_exchange( ssl ) && + !ssl_tls13_check_certificate_key_exchange( ssl ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello message misses mandatory extensions." ) ); MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION , @@ -2705,7 +2689,7 @@ static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, } #if defined(MBEDTLS_ZERO_RTT) - ret = ssl_check_use_0rtt_handshake( ssl ); + ret = ssl_tls13_check_use_0rtt_handshake( ssl ); if( ret != 0 ) return( ret ); #endif /* MBEDTLS_ZERO_RTT */ @@ -2713,12 +2697,12 @@ static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, /* If we've settled on a PSK-based exchange, parse PSK identity ext */ if( mbedtls_ssl_tls13_kex_with_psk( ssl ) ) { - ret = mbedtls_ssl_parse_client_psk_identity_ext( ssl, - ext_psk_ptr, - ext_len_psk_ext ); + ret = mbedtls_ssl_tls13_parse_client_psk_identity_ext( ssl, + ext_psk_ptr, + ext_len_psk_ext ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), + MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_tls13_parse_client_psk_identity" ), ret ); return( ret ); } @@ -2744,8 +2728,8 @@ static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, return( 0 ); } -static int ssl_client_hello_postprocess( mbedtls_ssl_context* ssl, - int hrr_required ) +static int ssl_tls13_client_hello_postprocess( mbedtls_ssl_context *ssl, + int hrr_required ) { int ret = 0; #if defined(MBEDTLS_ZERO_RTT) @@ -2777,11 +2761,11 @@ static int ssl_client_hello_postprocess( mbedtls_ssl_context* ssl, return( 0 ); } - ret = mbedtls_ssl_tls1_3_key_schedule_stage_early( ssl ); + ret = mbedtls_ssl_tls13_key_schedule_stage_early( ssl ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, - "mbedtls_ssl_tls1_3_key_schedule_stage_early", ret ); + "mbedtls_ssl_tls13_key_schedule_stage_early", ret ); return( ret ); } @@ -2792,12 +2776,12 @@ static int ssl_client_hello_postprocess( mbedtls_ssl_context* ssl, MBEDTLS_SSL_DEBUG_MSG( 3, ( "Generate 0-RTT keys" ) ); - ret = mbedtls_ssl_tls1_3_generate_early_data_keys( + ret = mbedtls_ssl_tls13_generate_early_data_keys( ssl, &traffic_keys ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, - "mbedtls_ssl_tls1_3_generate_early_data_keys", ret ); + "mbedtls_ssl_tls13_generate_early_data_keys", ret ); return( ret ); } @@ -2837,10 +2821,10 @@ static int ssl_client_hello_postprocess( mbedtls_ssl_context* ssl, #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) -static int ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, - unsigned char *buf, - size_t buflen, - size_t *olen ) +static int ssl_tls13_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t buflen, + size_t *olen ) { unsigned char *p = buf; @@ -2862,15 +2846,9 @@ static int ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_PTR( p, buf + buflen, 5 ); - *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) - & 0xFF ); - *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) - & 0xFF ); - - *p++ = 0x00; - *p++ = 1; - - *p++ = ssl->session_negotiate->mfl_code; + MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0 ); + MBEDTLS_PUT_UINT16_BE( 1, p, 2 ); + p[4] = ssl->session_negotiate->mfl_code; *olen = 5; @@ -2881,8 +2859,9 @@ static int ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_ALPN) -static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl, - unsigned char *buf, size_t buflen, size_t *olen ) +static int ssl_tls13_write_alpn_ext( + mbedtls_ssl_context *ssl, + unsigned char *buf, size_t buflen, size_t *olen ) { *olen = 0; @@ -2906,18 +2885,13 @@ static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl, * 6 . 6 protocol name length * 7 . 7+n protocol name */ - buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF ); - buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF ); + MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ALPN, buf, 0 ); *olen = 7 + strlen( ssl->alpn_chosen ); - buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); - buf[3] = (unsigned char)( ( *olen - 4 ) & 0xFF ); - - buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); - buf[5] = (unsigned char)( ( *olen - 6 ) & 0xFF ); - - buf[6] = (unsigned char)( ( *olen - 7 ) & 0xFF ); + MBEDTLS_PUT_UINT16_BE( *olen - 4, buf, 2 ); + MBEDTLS_PUT_UINT16_BE( *olen - 6, buf, 4 ); + buf[6] = MBEDTLS_BYTE_0( *olen - 7 ); memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 ); return ( 0 ); @@ -2940,18 +2914,16 @@ static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl, */ /* Main entry point; orchestrates the other functions */ -static int ssl_encrypted_extensions_process( mbedtls_ssl_context* ssl ); +static int ssl_tls13_encrypted_extensions_process( mbedtls_ssl_context *ssl ); -static int ssl_encrypted_extensions_prepare( mbedtls_ssl_context* ssl ); -static int ssl_encrypted_extensions_write( mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen ); -static int ssl_encrypted_extensions_postprocess( mbedtls_ssl_context* ssl ); +static int ssl_tls13_encrypted_extensions_prepare( mbedtls_ssl_context *ssl ); +static int ssl_tls13_encrypted_extensions_write( mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t buflen, + size_t *olen ); +static int ssl_tls13_encrypted_extensions_postprocess( mbedtls_ssl_context *ssl ); - - -static int ssl_encrypted_extensions_process( mbedtls_ssl_context* ssl ) +static int ssl_tls13_encrypted_extensions_process( mbedtls_ssl_context *ssl ) { int ret; unsigned char *buf; @@ -2961,21 +2933,21 @@ static int ssl_encrypted_extensions_process( mbedtls_ssl_context* ssl ) if( ssl->handshake->state_local.encrypted_extensions_out.preparation_done == 0 ) { - MBEDTLS_SSL_PROC_CHK( ssl_encrypted_extensions_prepare( ssl ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_encrypted_extensions_prepare( ssl ) ); ssl->handshake->state_local.encrypted_extensions_out.preparation_done = 1; } MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl, - MBEDTLS_SSL_HS_ENCRYPTED_EXTENSION, &buf, &buf_len ) ); + MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, &buf, &buf_len ) ); - MBEDTLS_SSL_PROC_CHK( ssl_encrypted_extensions_write( + MBEDTLS_SSL_PROC_CHK( ssl_tls13_encrypted_extensions_write( ssl, buf, buf_len, &msg_len ) ); - mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( - ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSION, buf, msg_len ); + mbedtls_ssl_tls13_add_hs_msg_to_checksum( + ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, msg_len ); /* Update state */ - MBEDTLS_SSL_PROC_CHK( ssl_encrypted_extensions_postprocess( ssl ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_encrypted_extensions_postprocess( ssl ) ); MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg( ssl, buf_len, msg_len ) ); @@ -2986,7 +2958,7 @@ static int ssl_encrypted_extensions_process( mbedtls_ssl_context* ssl ) return( ret ); } -static int ssl_encrypted_extensions_prepare( mbedtls_ssl_context* ssl ) +static int ssl_tls13_encrypted_extensions_prepare( mbedtls_ssl_context *ssl ) { int ret; mbedtls_ssl_key_set traffic_keys; @@ -2996,7 +2968,7 @@ static int ssl_encrypted_extensions_prepare( mbedtls_ssl_context* ssl ) ret = mbedtls_ssl_tls13_key_schedule_stage_handshake( ssl ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_derive_master_secret", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_key_schedule_stage_handshake", ret ); return( ret ); } @@ -3005,7 +2977,7 @@ static int ssl_encrypted_extensions_prepare( mbedtls_ssl_context* ssl ) if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, - "mbedtls_ssl_tls1_3_generate_handshake_keys", ret ); + "mbedtls_ssl_tls13_generate_handshake_keys", ret ); return( ret ); } @@ -3057,10 +3029,10 @@ static int ssl_encrypted_extensions_prepare( mbedtls_ssl_context* ssl ) return( 0 ); } -static int ssl_encrypted_extensions_write( mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen ) +static int ssl_tls13_encrypted_extensions_write( mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t buflen, + size_t *olen ) { int ret; size_t n, enc_ext_len; @@ -3084,28 +3056,28 @@ static int ssl_encrypted_extensions_write( mbedtls_ssl_context* ssl, p += 2; #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - ret = ssl_write_sni_server_ext( ssl, p, end - p, &n ); + ret = ssl_tls13_write_sni_server_ext( ssl, p, end - p, &n ); if( ret != 0 ) return( ret ); p += n; #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ #if defined(MBEDTLS_SSL_ALPN) - ret = ssl_write_alpn_ext( ssl, p, end - p, &n ); + ret = ssl_tls13_write_alpn_ext( ssl, p, end - p, &n ); if( ret != 0 ) return( ret ); p += n; #endif /* MBEDTLS_SSL_ALPN */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - ret = ssl_write_max_fragment_length_ext( ssl, p, end - p, &n ); + ret = ssl_tls13_write_max_fragment_length_ext( ssl, p, end - p, &n ); if( ret != 0 ) return( ret ); p += n; #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ #if defined(MBEDTLS_ZERO_RTT) - ret = mbedtls_ssl_write_early_data_ext( ssl, p, end, &n ); + ret = mbedtls_ssl_tls13_write_early_data_ext( ssl, p, end, &n ); if( ret != 0 ) return( ret ); p += n; @@ -3114,13 +3086,12 @@ static int ssl_encrypted_extensions_write( mbedtls_ssl_context* ssl, *olen = p - buf; enc_ext_len = (size_t)( ( p - len ) - 2 ); - len[0] = (unsigned char)( ( enc_ext_len >> 8 ) & 0xFF ); - len[1] = (unsigned char)( ( enc_ext_len >> 0 ) & 0xFF ); + MBEDTLS_PUT_UINT16_BE( enc_ext_len, len, 0 ); return( 0 ); } -static int ssl_encrypted_extensions_postprocess( mbedtls_ssl_context* ssl ) +static int ssl_tls13_encrypted_extensions_postprocess( mbedtls_ssl_context *ssl ) { mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST ); return( 0 ); @@ -3144,33 +3115,33 @@ static int ssl_encrypted_extensions_postprocess( mbedtls_ssl_context* ssl ) */ /* Main entry point; orchestrates the other functions */ -static int ssl_write_hello_retry_request_process( mbedtls_ssl_context* ssl ); +static int ssl_tls13_write_hello_retry_request_process( mbedtls_ssl_context *ssl ); -static int ssl_write_hello_retry_request_coordinate( mbedtls_ssl_context* ssl ); -static int ssl_write_hello_retry_request_write( mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen ); -static int ssl_write_hello_retry_request_postprocess( mbedtls_ssl_context* ssl ); +static int ssl_tls13_write_hello_retry_request_coordinate( mbedtls_ssl_context *ssl ); +static int ssl_tls13_write_hello_retry_request_write( mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t buflen, + size_t *olen ); +static int ssl_tls13_write_hello_retry_request_postprocess( mbedtls_ssl_context *ssl ); -static int ssl_write_hello_retry_request_process( mbedtls_ssl_context *ssl ) +static int ssl_tls13_write_hello_retry_request_process( mbedtls_ssl_context *ssl ) { int ret; unsigned char *buf; size_t buf_len, msg_len; - MBEDTLS_SSL_PROC_CHK( ssl_write_hello_retry_request_coordinate( ssl ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_hello_retry_request_coordinate( ssl ) ); MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl, MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len ) ); - MBEDTLS_SSL_PROC_CHK( ssl_write_hello_retry_request_write( + MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_hello_retry_request_write( ssl, buf, buf_len, &msg_len ) ); - mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( + mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len ); - MBEDTLS_SSL_PROC_CHK( ssl_write_hello_retry_request_postprocess( ssl ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_hello_retry_request_postprocess( ssl ) ); MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg( ssl, buf_len, msg_len ) ); @@ -3180,7 +3151,7 @@ static int ssl_write_hello_retry_request_process( mbedtls_ssl_context *ssl ) } -static int ssl_write_hello_retry_request_coordinate( mbedtls_ssl_context *ssl ) +static int ssl_tls13_write_hello_retry_request_coordinate( mbedtls_ssl_context *ssl ) { if( ssl->handshake->hello_retry_requests_sent > 1 ) { @@ -3191,18 +3162,18 @@ static int ssl_write_hello_retry_request_coordinate( mbedtls_ssl_context *ssl ) return( 0 ); } -static int ssl_reset_ecdhe_share( mbedtls_ssl_context *ssl ) +static int ssl_tls13_reset_ecdhe_share( mbedtls_ssl_context *ssl ) { mbedtls_ecdh_free( &ssl->handshake->ecdh_ctx ); return( 0 ); } -static int ssl_reset_key_share( mbedtls_ssl_context *ssl ) +static int ssl_tls13_reset_key_share( mbedtls_ssl_context *ssl ) { uint16_t group_id = ssl->handshake->offered_group_id; if( mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) ) - return( ssl_reset_ecdhe_share( ssl ) ); + return( ssl_tls13_reset_ecdhe_share( ssl ) ); else if( 0 /* other KEMs? */ ) { /* Do something */ @@ -3211,7 +3182,7 @@ static int ssl_reset_key_share( mbedtls_ssl_context *ssl ) return( 0 ); } -static int ssl_write_hello_retry_request_postprocess( mbedtls_ssl_context *ssl ) +static int ssl_tls13_write_hello_retry_request_postprocess( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; @@ -3223,25 +3194,25 @@ static int ssl_write_hello_retry_request_postprocess( mbedtls_ssl_context *ssl ) * was fine with it. Once we have separated key share generation from * key share writing, we can confine this to the case where the server * requested a different share. */ - ret = ssl_reset_key_share( ssl ); + ret = ssl_tls13_reset_key_share( ssl ); if( ret != 0 ) return( ret ); -#if defined(MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE) +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_HRR ); #else mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO ); -#endif /* MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE */ +#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ return( 0 ); } -static int ssl_write_hrr_key_share_ext( mbedtls_ssl_context *ssl, - unsigned char* buf, - unsigned char* end, - size_t* olen ) +static int ssl_tls13_write_hrr_key_share_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + unsigned char *end, + size_t *olen ) { - const mbedtls_ecp_group_id *gid; + const uint16_t *group_list; const mbedtls_ecp_curve_info **curve = NULL; size_t total_len = 0; @@ -3278,18 +3249,18 @@ static int ssl_write_hrr_key_share_ext( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); /* Write extension header */ - *buf++ = (unsigned char)( ( MBEDTLS_TLS_EXT_KEY_SHARE >> 8 ) & 0xFF ); - *buf++ = (unsigned char)( ( MBEDTLS_TLS_EXT_KEY_SHARE >> 0 ) & 0xFF ); + MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0 ); /* Write extension length */ - *buf++ = 0; - *buf++ = 2; + MBEDTLS_PUT_UINT16_BE( 2, buf, 2 ); + buf += 4; /* Find common curve */ - for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) + for( group_list = mbedtls_ssl_get_groups( ssl ); + *group_list != 0; group_list++ ) { for( curve = ssl->handshake->curves; *curve != NULL; curve++ ) { - if( (*curve)->grp_id == *gid ) + if( (*curve)->tls_id == *group_list ) goto curve_matching_done; } } @@ -3302,18 +3273,17 @@ static int ssl_write_hrr_key_share_ext( mbedtls_ssl_context *ssl, } /* Write selected group */ - *buf++ = (*curve)->tls_id >> 8; - *buf++ = (*curve)->tls_id & 0xFF; + MBEDTLS_PUT_UINT16_BE( (*curve)->tls_id, buf, 0 ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "NamedGroup in HRR: %s", (*curve)->name ) ); *olen = total_len; return( 0 ); } -static int ssl_write_hello_retry_request_write( mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen ) +static int ssl_tls13_write_hello_retry_request_write( mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t buflen, + size_t *olen ) { int ret; unsigned char *p = buf; @@ -3366,9 +3336,9 @@ static int ssl_write_hello_retry_request_write( mbedtls_ssl_context* ssl, p += ssl->session_negotiate->id_len; /* write ciphersuite (2 bytes) */ - *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 ); - *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite ); - MBEDTLS_SSL_DEBUG_BUF( 3, "ciphersuite", p-2, 2 ); + MBEDTLS_PUT_UINT16_BE( ssl->session_negotiate->ciphersuite, p, 0 ); + MBEDTLS_SSL_DEBUG_BUF( 3, "ciphersuite", p, 2 ); + p += 2; /* write legacy_compression_method (0) */ *p++ = 0x0; @@ -3390,12 +3360,12 @@ static int ssl_write_hello_retry_request_write( mbedtls_ssl_context* ssl, */ /* Write extension header */ - *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_COOKIE >> 8 ) & 0xFF ); - *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_COOKIE >> 0 ) & 0xFF ); + MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_COOKIE, p, 0 ); + p += 2; /* Skip writing the extension and the cookie length */ ext_len_byte = p; - p = p + 4; + p += 4; /* If we get here, f_cookie_check is not null */ if( ssl->conf->f_cookie_write == NULL ) @@ -3418,12 +3388,10 @@ static int ssl_write_hello_retry_request_write( mbedtls_ssl_context* ssl, MBEDTLS_SSL_DEBUG_BUF( 3, "Cookie", ext_len_byte + 4, ext_length ); /* Write extension length */ - *ext_len_byte++ = (unsigned char)( ( ( ext_length + 2 ) >> 8 ) & 0xFF ); - *ext_len_byte++ = (unsigned char)( ( ext_length + 2 ) & 0xFF ); + MBEDTLS_PUT_UINT16_BE( ext_length + 2, ext_len_byte, 0 ); /* Write cookie length */ - *ext_len_byte++ = (unsigned char)( ( ext_length >> 8 ) & 0xFF ); - *ext_len_byte = (unsigned char)( ext_length & 0xFF ); + MBEDTLS_PUT_UINT16_BE( ext_length, ext_len_byte, 2 ); /* 2 bytes for extension type, * 2 bytes for extension length field, @@ -3432,10 +3400,10 @@ static int ssl_write_hello_retry_request_write( mbedtls_ssl_context* ssl, #endif /* MBEDTLS_SSL_COOKIE_C */ /* Add supported_version extension */ - if( ( ret = ssl_write_supported_version_ext( ssl, p, end, - &ext_length ) ) != 0 ) + if( ( ret = ssl_tls13_write_supported_version_ext( ssl, p, end, + &ext_length ) ) != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_supported_version_ext", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_supported_version_ext", ret ); return( ret ); } @@ -3443,17 +3411,16 @@ static int ssl_write_hello_retry_request_write( mbedtls_ssl_context* ssl, p += ext_length; /* Add key_share extension, if necessary */ - ret = ssl_write_hrr_key_share_ext( ssl, p, end, &ext_length ); + ret = ssl_tls13_write_hrr_key_share_ext( ssl, p, end, &ext_length ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_hrr_key_share_ext", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_hrr_key_share_ext", ret ); return( ret ); } total_ext_len += ext_length; p += ext_length; - *extension_start++ = (unsigned char)( ( total_ext_len >> 8 ) & 0xFF ); - *extension_start++ = (unsigned char)( ( total_ext_len >> 0 ) & 0xFF ); + MBEDTLS_PUT_UINT16_BE( total_ext_len, extension_start, 0 ); *olen = p - buf; @@ -3472,17 +3439,17 @@ static int ssl_write_hello_retry_request_write( mbedtls_ssl_context* ssl, */ /* Main entry point; orchestrates the other functions */ -static int ssl_server_hello_process( mbedtls_ssl_context* ssl ); +static int ssl_tls13_server_hello_process( mbedtls_ssl_context *ssl ); /* ServerHello handling sub-routines */ -static int ssl_server_hello_prepare( mbedtls_ssl_context* ssl ); -static int ssl_server_hello_write( mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen ); -static int ssl_server_hello_postprocess( mbedtls_ssl_context* ssl ); +static int ssl_tls13_server_hello_prepare( mbedtls_ssl_context *ssl ); +static int ssl_tls13_server_hello_write( mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t buflen, + size_t *olen ); +static int ssl_tls13_server_hello_postprocess( mbedtls_ssl_context *ssl ); -static int ssl_server_hello_process( mbedtls_ssl_context* ssl ) { +static int ssl_tls13_server_hello_process( mbedtls_ssl_context *ssl ) { int ret = 0; unsigned char *buf; @@ -3492,23 +3459,24 @@ static int ssl_server_hello_process( mbedtls_ssl_context* ssl ) { /* Preprocessing */ - /* This might lead to ssl_process_server_hello() being called multiple - * times. The implementation of ssl_process_server_hello_preprocess() - * must either be safe to be called multiple times, or we need to add - * state to omit this call once we're calling ssl_process_server_hello() - * multiple times. */ - MBEDTLS_SSL_PROC_CHK( ssl_server_hello_prepare( ssl ) ); + /* This might lead to ssl_tls13_process_server_hello() being called + * multiple times. The implementation of + * ssl_tls13_process_server_hello_preprocess() must either be safe to be + * called multiple times, or we need to add state to omit this call once + * we're calling ssl_tls13_process_server_hello() multiple times. + */ + MBEDTLS_SSL_PROC_CHK( ssl_tls13_server_hello_prepare( ssl ) ); MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl, MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len ) ); - MBEDTLS_SSL_PROC_CHK( ssl_server_hello_write( ssl, buf, buf_len, - &msg_len ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_server_hello_write( ssl, buf, buf_len, + &msg_len ) ); - mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( + mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len ); - MBEDTLS_SSL_PROC_CHK( ssl_server_hello_postprocess( ssl ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_server_hello_postprocess( ssl ) ); MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg( ssl, buf_len, msg_len ) ); @@ -3521,13 +3489,13 @@ static int ssl_server_hello_process( mbedtls_ssl_context* ssl ) { /* IMPORTANT: This function can currently be called multiple times * in case the call to mbedtls_ssl_flush_output( ) that - * follows it in ssl_process_server_hello( ) fails. + * follows it in ssl_tls13_process_server_hello( ) fails. * * Make sure that the preparations in this function * can safely be repeated multiple times, or add logic - * to ssl_process_server_hello( ) to never call it twice. + * to ssl_tls13_process_server_hello( ) to never call it twice. */ -static int ssl_server_hello_prepare( mbedtls_ssl_context* ssl ) +static int ssl_tls13_server_hello_prepare( mbedtls_ssl_context *ssl ) { int ret; @@ -3548,10 +3516,10 @@ static int ssl_server_hello_prepare( mbedtls_ssl_context* ssl ) return( 0 ); } -static int ssl_server_hello_write( mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen ) +static int ssl_tls13_server_hello_write( mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t buflen, + size_t *olen ) { int ret=0; /* Extensions */ @@ -3562,14 +3530,14 @@ static int ssl_server_hello_write( mbedtls_ssl_context* ssl, * extension list must be kept to write * the total extension list size in the end. */ - unsigned char* extension_start; + unsigned char *extension_start; size_t cur_ext_len; /* Size of the current extension */ size_t total_ext_len; /* Size of list of extensions */ size_t rand_bytes_len; /* Buffer management */ - unsigned char* start = buf; - unsigned char* end = buf + buflen; + unsigned char *start = buf; + unsigned char *end = buf + buflen; rand_bytes_len = 32; @@ -3607,10 +3575,12 @@ static int ssl_server_hello_write( mbedtls_ssl_context* ssl, buflen -= ssl->session_negotiate->id_len; /* write selected ciphersuite ( 2 bytes ) */ - *buf++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 ); - *buf++ = (unsigned char)( ssl->session_negotiate->ciphersuite ); + MBEDTLS_PUT_UINT16_BE( ssl->session_negotiate->ciphersuite, buf, 0 ); + buf += 2; buflen -= 2; - MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s ( id=%d )", mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ), ssl->session_negotiate->ciphersuite ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s ( id=%d )", + mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ), + ssl->session_negotiate->ciphersuite ) ); /* write legacy_compression_method ( 0 ) */ *buf++ = 0x0; @@ -3624,11 +3594,11 @@ static int ssl_server_hello_write( mbedtls_ssl_context* ssl, #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) if( mbedtls_ssl_tls13_kex_with_psk( ssl ) ) { - ret = ssl_write_server_pre_shared_key_ext( ssl, buf, end, - &cur_ext_len ); + ret = ssl_tls13_write_server_pre_shared_key_ext( ssl, buf, end, + &cur_ext_len ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_server_pre_shared_key_ext", + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_server_pre_shared_key_ext", ret ); return( ret ); } @@ -3641,9 +3611,9 @@ static int ssl_server_hello_write( mbedtls_ssl_context* ssl, #if ( defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) ) if( mbedtls_ssl_tls13_kex_with_ephemeral( ssl ) ) { - if( ( ret = ssl_write_key_shares_ext( ssl, buf, end, &cur_ext_len ) ) != 0 ) + if( ( ret = ssl_tls13_write_key_shares_ext( ssl, buf, end, &cur_ext_len ) ) != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_key_shares_ext", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_key_shares_ext", ret ); return( ret ); } @@ -3653,9 +3623,9 @@ static int ssl_server_hello_write( mbedtls_ssl_context* ssl, #endif /* ( MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ /* Add supported_version extension */ - if( ( ret = ssl_write_supported_version_ext( ssl, buf, end, &cur_ext_len ) ) != 0 ) + if( ( ret = ssl_tls13_write_supported_version_ext( ssl, buf, end, &cur_ext_len ) ) != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_supported_version_ext", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_supported_version_ext", ret ); return( ret ); } @@ -3665,8 +3635,7 @@ static int ssl_server_hello_write( mbedtls_ssl_context* ssl, MBEDTLS_SSL_DEBUG_BUF( 4, "server hello extensions", extension_start, total_ext_len ); /* Write length information */ - *extension_start++ = (unsigned char)( ( total_ext_len >> 8 ) & 0xFF ); - *extension_start++ = (unsigned char)( ( total_ext_len ) & 0xFF ); + MBEDTLS_PUT_UINT16_BE( total_ext_len, extension_start, 0 ); buflen -= 2 + total_ext_len; *olen = buf - start; @@ -3676,13 +3645,13 @@ static int ssl_server_hello_write( mbedtls_ssl_context* ssl, return( ret ); } -static int ssl_server_hello_postprocess( mbedtls_ssl_context* ssl ) +static int ssl_tls13_server_hello_postprocess( mbedtls_ssl_context *ssl ) { -#if defined(MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE) +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) if( ssl->handshake->ccs_sent > 1 ) mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO ); else -#endif /* MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE */ +#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ { mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS ); } @@ -3696,7 +3665,7 @@ static int ssl_server_hello_postprocess( mbedtls_ssl_context* ssl ) */ /* Main entry point; orchestrates the other functions */ -static int ssl_certificate_request_process( mbedtls_ssl_context* ssl ); +static int ssl_tls13_certificate_request_process( mbedtls_ssl_context *ssl ); /* Coordination: * Check whether a CertificateRequest message should be written. @@ -3708,27 +3677,27 @@ static int ssl_certificate_request_process( mbedtls_ssl_context* ssl ); */ #define SSL_CERTIFICATE_REQUEST_SEND 0 #define SSL_CERTIFICATE_REQUEST_SKIP 1 -static int ssl_certificate_request_coordinate( mbedtls_ssl_context* ssl ); +static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context* ssl ); #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) -static int ssl_certificate_request_write( mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen ); +static int ssl_tls13_certificate_request_write( mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t buflen, + size_t *olen ); #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ -static int ssl_certificate_request_postprocess( mbedtls_ssl_context* ssl ); +static int ssl_tls13_certificate_request_postprocess( mbedtls_ssl_context *ssl ); /* * Implementation */ -static int ssl_certificate_request_process( mbedtls_ssl_context* ssl ) +static int ssl_tls13_certificate_request_process( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); /* Coordination step: Check if we need to send a CertificateRequest */ - MBEDTLS_SSL_PROC_CHK_NEG( ssl_certificate_request_coordinate( ssl ) ); + MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_certificate_request_coordinate( ssl ) ); #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) if( ret == SSL_CERTIFICATE_REQUEST_SEND ) @@ -3739,15 +3708,15 @@ static int ssl_certificate_request_process( mbedtls_ssl_context* ssl ) MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, &buf, &buf_len ) ); - MBEDTLS_SSL_PROC_CHK( ssl_certificate_request_write( + MBEDTLS_SSL_PROC_CHK( ssl_tls13_certificate_request_write( ssl, buf, buf_len, &msg_len ) ); - mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( + mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, buf, msg_len ); /* TODO: Logically this should come at the end, but the non-MPS msg * layer impl'n of mbedtls_ssl_tls13_finish_handshake_msg() can fail. */ - MBEDTLS_SSL_PROC_CHK( ssl_certificate_request_postprocess( ssl ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_certificate_request_postprocess( ssl ) ); MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg( ssl, buf_len, msg_len ) ); @@ -3759,7 +3728,7 @@ static int ssl_certificate_request_process( mbedtls_ssl_context* ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); /* Update state */ - MBEDTLS_SSL_PROC_CHK( ssl_certificate_request_postprocess( ssl ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_certificate_request_postprocess( ssl ) ); } else { @@ -3773,7 +3742,7 @@ static int ssl_certificate_request_process( mbedtls_ssl_context* ssl ) return( ret ); } -static int ssl_certificate_request_coordinate( mbedtls_ssl_context* ssl ) +static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl ) { int authmode; @@ -3801,15 +3770,15 @@ static int ssl_certificate_request_coordinate( mbedtls_ssl_context* ssl ) #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ } -static int ssl_certificate_request_write( mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen ) +static int ssl_tls13_certificate_request_write( mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t buflen, + size_t *olen ) { int ret; size_t ext_size; - unsigned char* p; - unsigned char* end = buf + buflen; + unsigned char *p; + unsigned char *end = buf + buflen; p = buf; @@ -3850,9 +3819,8 @@ static int ssl_certificate_request_write( mbedtls_ssl_context* ssl, return( ret ); /* length field for all extensions */ - *p++ = (unsigned char)( ( ext_size >> 8 ) & 0xFF ); - *p++ = (unsigned char)( ( ext_size >> 0 ) & 0xFF ); - p += ext_size; + MBEDTLS_PUT_UINT16_BE( ext_size, p, 0 ); + p += 2 + ext_size; *olen = p - buf; @@ -3860,7 +3828,7 @@ static int ssl_certificate_request_write( mbedtls_ssl_context* ssl, } -static int ssl_certificate_request_postprocess( mbedtls_ssl_context* ssl ) +static int ssl_tls13_certificate_request_postprocess( mbedtls_ssl_context *ssl ) { /* next state */ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CERTIFICATE ); @@ -3877,7 +3845,9 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "tls13 server state: %s(%d)", + mbedtls_ssl_states_str( ssl->state ), + ssl->state ) ); #if !defined(MBEDTLS_SSL_USE_MPS) if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) @@ -3891,9 +3861,9 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) ssl->handshake->hello_retry_requests_sent = 0; mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO ); -#if defined(MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE) +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) ssl->handshake->ccs_sent = 0; -#endif /* MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE */ +#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ break; @@ -3906,19 +3876,19 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) ssl->session_negotiate->endpoint = ssl->conf->endpoint; #endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ - ret = ssl_client_hello_process( ssl ); + ret = ssl_tls13_client_hello_process( ssl ); if( ret != 0 ) - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_client_hello_process", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_client_hello_process", ret ); break; /* ----- WRITE EARLY APP DATA ----*/ case MBEDTLS_SSL_EARLY_APP_DATA: - ret = ssl_read_early_data_process( ssl ); + ret = ssl_tls13_read_early_data_process( ssl ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_read_early_data_process", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_read_early_data_process", ret ); return ( ret ); } @@ -3928,10 +3898,10 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) case MBEDTLS_SSL_HELLO_RETRY_REQUEST: - ret = ssl_write_hello_retry_request_process( ssl ); + ret = ssl_tls13_write_hello_retry_request_process( ssl ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_hello_retry_request", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_hello_retry_request", ret ); return( ret ); } @@ -3939,24 +3909,24 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) /* ----- WRITE CHANGE CIPHER SPEC ----*/ -#if defined(MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE) +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) case MBEDTLS_SSL_SERVER_CCS_AFTER_HRR: - ret = mbedtls_ssl_write_change_cipher_spec_process( ssl ); + ret = mbedtls_ssl_tls13_write_change_cipher_spec_process( ssl ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_change_cipher_spec_process", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_write_change_cipher_spec_process", ret ); return( ret ); } break; -#endif /* MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE */ +#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ /* ----- READ 2nd CLIENT HELLO ----*/ case MBEDTLS_SSL_SECOND_CLIENT_HELLO: - ret = ssl_client_hello_process( ssl ); + ret = ssl_tls13_client_hello_process( ssl ); switch( ret ) { @@ -3980,7 +3950,7 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) /* ----- WRITE SERVER HELLO ----*/ case MBEDTLS_SSL_SERVER_HELLO: - ret = ssl_server_hello_process( ssl ); + ret = ssl_tls13_server_hello_process( ssl ); if( ret != 0 ) break; @@ -3989,70 +3959,86 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) /* ----- WRITE CHANGE CIPHER SPEC ----*/ -#if defined(MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE) +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) case MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO: - ret = mbedtls_ssl_write_change_cipher_spec_process(ssl); + ret = mbedtls_ssl_tls13_write_change_cipher_spec_process(ssl); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_change_cipher_spec_process", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_write_change_cipher_spec_process", ret ); return( ret ); } break; -#endif /* MBEDTLS_SSL_TLS13_COMPATIBILITY_MODE */ +#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ /* ----- WRITE ENCRYPTED EXTENSIONS ----*/ case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS: - ret = ssl_encrypted_extensions_process( ssl ); + ret = ssl_tls13_encrypted_extensions_process( ssl ); break; /* ----- WRITE CERTIFICATE REQUEST ----*/ case MBEDTLS_SSL_CERTIFICATE_REQUEST: - ret = ssl_certificate_request_process( ssl ); + ret = ssl_tls13_certificate_request_process( ssl ); break; /* ----- WRITE SERVER CERTIFICATE ----*/ case MBEDTLS_SSL_SERVER_CERTIFICATE: - ret = mbedtls_ssl_write_certificate_process( ssl ); + ret = mbedtls_ssl_tls13_write_certificate_process( ssl ); break; /* ----- WRITE SERVER CERTIFICATE VERIFY ----*/ case MBEDTLS_SSL_CERTIFICATE_VERIFY: - ret = mbedtls_ssl_write_certificate_verify_process( ssl ); + ret = mbedtls_ssl_tls13_write_certificate_verify_process( ssl ); break; /* ----- WRITE FINISHED ----*/ case MBEDTLS_SSL_SERVER_FINISHED: - ret = mbedtls_ssl_finished_out_process( ssl ); + ret = mbedtls_ssl_tls13_write_finished_message( ssl ); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_EARLY_APP_DATA ); break; /* ----- READ CLIENT CERTIFICATE ----*/ case MBEDTLS_SSL_CLIENT_CERTIFICATE: - ret = mbedtls_ssl_read_certificate_process( ssl ); + ret = mbedtls_ssl_tls13_process_certificate( ssl ); + if( ret == 0 ) + { + mbedtls_ssl_handshake_set_state( + ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY ); + } break; /* ----- READ CLIENT CERTIFICATE VERIFY ----*/ case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY: - ret = mbedtls_ssl_read_certificate_verify_process( ssl ); + ret = mbedtls_ssl_tls13_process_certificate_verify( ssl ); + if( ret == 0 ) + { + mbedtls_ssl_handshake_set_state( + ssl, MBEDTLS_SSL_CLIENT_FINISHED ); + } break; case MBEDTLS_SSL_END_OF_EARLY_DATA: - ret = ssl_read_end_of_early_data_process( ssl ); + ret = ssl_tls13_read_end_of_early_data_process( ssl ); break; /* ----- READ FINISHED ----*/ case MBEDTLS_SSL_CLIENT_FINISHED: - ret = mbedtls_ssl_finished_in_process( ssl ); + ret = mbedtls_ssl_tls13_process_finished_message( ssl ); + if( ret == 0 ) + { + mbedtls_ssl_handshake_set_state( + ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP ); + } break; case MBEDTLS_SSL_HANDSHAKE_WRAPUP: @@ -4075,7 +4061,7 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) mbedtls_ssl_set_outbound_transform( ssl, ssl->transform_application ); #endif /* MBEDTLS_SSL_USE_MPS */ - mbedtls_ssl_handshake_wrapup_tls13( ssl ); + mbedtls_ssl_tls13_handshake_wrapup( ssl ); mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET ); break; @@ -4084,10 +4070,10 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) - ret = ssl_write_new_session_ticket_process( ssl ); + ret = ssl_tls13_write_new_session_ticket_process( ssl ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_new_session_ticket ", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_new_session_ticket ", ret ); return( ret ); } #endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ @@ -4111,4 +4097,4 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_SSL_SRV_C */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ diff --git a/programs/.gitignore b/programs/.gitignore index 61558c0ccede..c4777d10acec 100644 --- a/programs/.gitignore +++ b/programs/.gitignore @@ -56,6 +56,7 @@ ssl/ssl_server2 test/benchmark test/cpp_dummy_build test/cpp_dummy_build.cpp +test/dlopen test/ecp-bench test/query_compile_time_config test/selftest diff --git a/programs/Makefile b/programs/Makefile index 7f9d11e80daa..1ebf8d241e46 100644 --- a/programs/Makefile +++ b/programs/Makefile @@ -17,6 +17,12 @@ LOCAL_LDFLAGS = ${MBEDTLS_TEST_OBJS} \ -lmbedx509$(SHARED_SUFFIX) \ -lmbedcrypto$(SHARED_SUFFIX) +ifeq ($(shell uname -s),Linux) +DLOPEN_LDFLAGS ?= -ldl +else +DLOPEN_LDFLAGS ?= +endif + include ../3rdparty/Makefile.inc LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES) @@ -55,6 +61,18 @@ else PYTHON ?= $(shell if type python3 >/dev/null 2>/dev/null; then echo python3; else echo python; fi) endif +# Only build the dlopen test in shared library builds, and not when building +# for Windows. +ifdef BUILD_DLOPEN +# Don't override the value +else ifdef WINDOWS_BUILD +BUILD_DLOPEN = +else ifdef SHARED +BUILD_DLOPEN = y +else +BUILD_DLOPEN = +endif + ## The following assignment is the list of base names of applications that ## will be built on Windows. Extra Linux/Unix/POSIX-only applications can ## be declared by appending with `APPS += ...` afterwards. @@ -118,6 +136,10 @@ ifdef PTHREAD APPS += ssl/ssl_pthread_server endif +ifdef BUILD_DLOPEN +APPS += test/dlopen +endif + ifdef TEST_CPP APPS += test/cpp_dummy_build endif @@ -344,6 +366,15 @@ test/cpp_dummy_build$(EXEXT): test/cpp_dummy_build.cpp $(DEP) echo " CXX test/cpp_dummy_build.cpp" $(CXX) $(LOCAL_CXXFLAGS) $(CXXFLAGS) test/cpp_dummy_build.cpp $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ +ifdef BUILD_DLOPEN +test/dlopen$(EXEXT): test/dlopen.c $(DEP) + echo " CC test/dlopen.c" +# Do not link any test objects (that would bring in a static dependency on +# libmbedcrypto at least). Do not link with libmbed* (that would defeat the +# purpose of testing dynamic loading). + $(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/dlopen.c $(LDFLAGS) $(DLOPEN_LDFLAGS) -o $@ +endif + test/query_config.o: test/query_config.c test/query_config.h $(DEP) echo " CC test/query_config.c" $(CC) $(LOCAL_CFLAGS) $(CFLAGS) -c test/query_config.c -o $@ @@ -405,6 +436,7 @@ ifndef WINDOWS rm -f $(EXES) -rm -f ssl/ssl_pthread_server$(EXEXT) -rm -f test/cpp_dummy_build.cpp test/cpp_dummy_build$(EXEXT) + -rm -f test/dlopen$(EXEXT) else if exist *.o del /Q /F *.o if exist *.exe del /Q /F *.exe diff --git a/programs/aes/crypt_and_hash.c b/programs/aes/crypt_and_hash.c index 5ed2ece7028d..74ea88c3caa2 100644 --- a/programs/aes/crypt_and_hash.c +++ b/programs/aes/crypt_and_hash.c @@ -277,10 +277,27 @@ int main( int argc, char *argv[] ) p = argv[2]; - mbedtls_md_starts( &md_ctx ); - mbedtls_md_update( &md_ctx, buffer, 8 ); - mbedtls_md_update( &md_ctx, (unsigned char *) p, strlen( p ) ); - mbedtls_md_finish( &md_ctx, digest ); + if( mbedtls_md_starts( &md_ctx ) != 0 ) + { + mbedtls_fprintf( stderr, "mbedtls_md_starts() returned error\n" ); + goto exit; + } + if( mbedtls_md_update( &md_ctx, buffer, 8 ) != 0 ) + { + mbedtls_fprintf( stderr, "mbedtls_md_update() returned error\n" ); + goto exit; + } + if( mbedtls_md_update( &md_ctx, ( unsigned char * ) p, strlen( p ) ) + != 0 ) + { + mbedtls_fprintf( stderr, "mbedtls_md_update() returned error\n" ); + goto exit; + } + if( mbedtls_md_finish( &md_ctx, digest ) != 0 ) + { + mbedtls_fprintf( stderr, "mbedtls_md_finish() returned error\n" ); + goto exit; + } memcpy( IV, digest, 16 ); @@ -302,10 +319,30 @@ int main( int argc, char *argv[] ) for( i = 0; i < 8192; i++ ) { - mbedtls_md_starts( &md_ctx ); - mbedtls_md_update( &md_ctx, digest, 32 ); - mbedtls_md_update( &md_ctx, key, keylen ); - mbedtls_md_finish( &md_ctx, digest ); + if( mbedtls_md_starts( &md_ctx ) != 0 ) + { + mbedtls_fprintf( stderr, + "mbedtls_md_starts() returned error\n" ); + goto exit; + } + if( mbedtls_md_update( &md_ctx, digest, 32 ) != 0 ) + { + mbedtls_fprintf( stderr, + "mbedtls_md_update() returned error\n" ); + goto exit; + } + if( mbedtls_md_update( &md_ctx, key, keylen ) != 0 ) + { + mbedtls_fprintf( stderr, + "mbedtls_md_update() returned error\n" ); + goto exit; + } + if( mbedtls_md_finish( &md_ctx, digest ) != 0 ) + { + mbedtls_fprintf( stderr, + "mbedtls_md_finish() returned error\n" ); + goto exit; + } } @@ -328,7 +365,11 @@ int main( int argc, char *argv[] ) goto exit; } - mbedtls_md_hmac_starts( &md_ctx, digest, 32 ); + if( mbedtls_md_hmac_starts( &md_ctx, digest, 32 ) != 0 ) + { + mbedtls_fprintf( stderr, "mbedtls_md_hmac_starts() returned error\n" ); + goto exit; + } /* * Encrypt and write the ciphertext. @@ -350,7 +391,11 @@ int main( int argc, char *argv[] ) goto exit; } - mbedtls_md_hmac_update( &md_ctx, output, olen ); + if( mbedtls_md_hmac_update( &md_ctx, output, olen ) != 0 ) + { + mbedtls_fprintf( stderr, "mbedtls_md_hmac_update() returned error\n" ); + goto exit; + } if( fwrite( output, 1, olen, fout ) != olen ) { @@ -364,7 +409,11 @@ int main( int argc, char *argv[] ) mbedtls_fprintf( stderr, "mbedtls_cipher_finish() returned error\n" ); goto exit; } - mbedtls_md_hmac_update( &md_ctx, output, olen ); + if( mbedtls_md_hmac_update( &md_ctx, output, olen ) != 0 ) + { + mbedtls_fprintf( stderr, "mbedtls_md_hmac_update() returned error\n" ); + goto exit; + } if( fwrite( output, 1, olen, fout ) != olen ) { @@ -375,7 +424,11 @@ int main( int argc, char *argv[] ) /* * Finally write the HMAC. */ - mbedtls_md_hmac_finish( &md_ctx, digest ); + if( mbedtls_md_hmac_finish( &md_ctx, digest ) != 0 ) + { + mbedtls_fprintf( stderr, "mbedtls_md_hmac_finish() returned error\n" ); + goto exit; + } if( fwrite( digest, 1, mbedtls_md_get_size( md_info ), fout ) != mbedtls_md_get_size( md_info ) ) { @@ -444,10 +497,26 @@ int main( int argc, char *argv[] ) for( i = 0; i < 8192; i++ ) { - mbedtls_md_starts( &md_ctx ); - mbedtls_md_update( &md_ctx, digest, 32 ); - mbedtls_md_update( &md_ctx, key, keylen ); - mbedtls_md_finish( &md_ctx, digest ); + if( mbedtls_md_starts( &md_ctx ) != 0 ) + { + mbedtls_fprintf( stderr, "mbedtls_md_starts() returned error\n" ); + goto exit; + } + if( mbedtls_md_update( &md_ctx, digest, 32 ) != 0 ) + { + mbedtls_fprintf( stderr, "mbedtls_md_update() returned error\n" ); + goto exit; + } + if( mbedtls_md_update( &md_ctx, key, keylen ) != 0 ) + { + mbedtls_fprintf( stderr, "mbedtls_md_update() returned error\n" ); + goto exit; + } + if( mbedtls_md_finish( &md_ctx, digest ) != 0 ) + { + mbedtls_fprintf( stderr, "mbedtls_md_finish() returned error\n" ); + goto exit; + } } if( mbedtls_cipher_setkey( &cipher_ctx, @@ -471,7 +540,11 @@ int main( int argc, char *argv[] ) goto exit; } - mbedtls_md_hmac_starts( &md_ctx, digest, 32 ); + if( mbedtls_md_hmac_starts( &md_ctx, digest, 32 ) != 0 ) + { + mbedtls_fprintf( stderr, "mbedtls_md_hmac_starts() returned error\n" ); + goto exit; + } /* * Decrypt and write the plaintext. @@ -488,7 +561,11 @@ int main( int argc, char *argv[] ) goto exit; } - mbedtls_md_hmac_update( &md_ctx, buffer, ilen ); + if( mbedtls_md_hmac_update( &md_ctx, buffer, ilen ) != 0 ) + { + mbedtls_fprintf( stderr, "mbedtls_md_hmac_update() returned error\n" ); + goto exit; + } if( mbedtls_cipher_update( &cipher_ctx, buffer, ilen, output, &olen ) != 0 ) { @@ -506,7 +583,11 @@ int main( int argc, char *argv[] ) /* * Verify the message authentication code. */ - mbedtls_md_hmac_finish( &md_ctx, digest ); + if( mbedtls_md_hmac_finish( &md_ctx, digest ) != 0 ) + { + mbedtls_fprintf( stderr, "mbedtls_md_hmac_finish() returned error\n" ); + goto exit; + } if( fread( buffer, 1, mbedtls_md_get_size( md_info ), fin ) != mbedtls_md_get_size( md_info ) ) { @@ -529,7 +610,11 @@ int main( int argc, char *argv[] ) /* * Write the final block of data */ - mbedtls_cipher_finish( &cipher_ctx, output, &olen ); + if( mbedtls_cipher_finish( &cipher_ctx, output, &olen ) != 0 ) + { + mbedtls_fprintf( stderr, "mbedtls_cipher_finish() returned error\n" ); + goto exit; + } if( fwrite( output, 1, olen, fout ) != olen ) { diff --git a/programs/fuzz/common.c b/programs/fuzz/common.c index ac39ee22f3b4..e12ee3b8a0a4 100644 --- a/programs/fuzz/common.c +++ b/programs/fuzz/common.c @@ -1,4 +1,5 @@ #include "common.h" +#include <limits.h> #include <stdio.h> #include <string.h> #include <stdlib.h> diff --git a/programs/psa/CMakeLists.txt b/programs/psa/CMakeLists.txt index 23e85fea75a5..26ca73c185ce 100644 --- a/programs/psa/CMakeLists.txt +++ b/programs/psa/CMakeLists.txt @@ -4,6 +4,25 @@ set(executables psa_constant_names ) +if(GEN_FILES) + add_custom_command( + OUTPUT + ${CMAKE_CURRENT_BINARY_DIR}/psa_constant_names_generated.c + COMMAND + ${MBEDTLS_PYTHON_EXECUTABLE} + ${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/generate_psa_constants.py + ${CMAKE_CURRENT_BINARY_DIR} + WORKING_DIRECTORY + ${CMAKE_CURRENT_SOURCE_DIR}/../.. + DEPENDS + ${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/generate_psa_constants.py + ${CMAKE_CURRENT_SOURCE_DIR}/../../include/psa/crypto_values.h + ${CMAKE_CURRENT_SOURCE_DIR}/../../include/psa/crypto_extra.h + ) +else() + link_to_source(psa_constant_names_generated.c) +endif() + foreach(exe IN LISTS executables) add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>) target_link_libraries(${exe} ${mbedcrypto_target}) @@ -11,6 +30,11 @@ foreach(exe IN LISTS executables) endforeach() target_include_directories(psa_constant_names PRIVATE ${CMAKE_CURRENT_BINARY_DIR}) +if(GEN_FILES) + add_custom_target(generate_psa_constant_names_generated_c + DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/psa_constant_names_generated.c) + add_dependencies(psa_constant_names generate_psa_constant_names_generated_c) +endif() install(TARGETS ${executables} DESTINATION "bin" diff --git a/programs/ssl/CMakeLists.txt b/programs/ssl/CMakeLists.txt index def9c7cf6c19..280bbcf3d297 100644 --- a/programs/ssl/CMakeLists.txt +++ b/programs/ssl/CMakeLists.txt @@ -18,23 +18,38 @@ set(executables ssl_server2 ) +if(GEN_FILES) + # Inform CMake that the following file will be generated as part of the build + # process, so it doesn't complain that it doesn't exist yet. Starting from + # CMake 3.20, this will no longer be necessary as CMake will automatically + # propagate this information across the tree, for now it's only visible + # inside the same directory, so we need to propagate manually. + set_source_files_properties( + ${CMAKE_CURRENT_BINARY_DIR}/../test/query_config.c + PROPERTIES GENERATED TRUE) +endif() + foreach(exe IN LISTS executables) set(extra_sources "") if(exe STREQUAL "ssl_client2" OR exe STREQUAL "ssl_server2") list(APPEND extra_sources - ${CMAKE_CURRENT_SOURCE_DIR}/../test/query_config.c) + ssl_test_lib.c + ${CMAKE_CURRENT_SOURCE_DIR}/../test/query_config.h + ${CMAKE_CURRENT_BINARY_DIR}/../test/query_config.c) endif() add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test> ${extra_sources}) target_link_libraries(${exe} ${libs}) target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include) + if(exe STREQUAL "ssl_client2" OR exe STREQUAL "ssl_server2") + if(GEN_FILES) + add_dependencies(${exe} generate_query_config_c) + endif() + target_include_directories(${exe} + PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../test) + endif() endforeach() -set_property(TARGET ssl_client2 APPEND PROPERTY SOURCES - ssl_test_lib.c ${CMAKE_CURRENT_SOURCE_DIR}/../test/query_config.c) -set_property(TARGET ssl_server2 APPEND PROPERTY SOURCES - ssl_test_lib.c ${CMAKE_CURRENT_SOURCE_DIR}/../test/query_config.c) - if(THREADS_FOUND) add_executable(ssl_pthread_server ssl_pthread_server.c $<TARGET_OBJECTS:mbedtls_test>) target_include_directories(ssl_pthread_server PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 424d018b9897..d02bd9df2bab 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -21,6 +21,10 @@ #include "ssl_test_lib.h" +#if defined(MBEDTLS_USE_PSA_CRYPTO) +#include "test/psa_crypto_helpers.h" +#endif + #if defined(MBEDTLS_SSL_TEST_IMPOSSIBLE) int main( void ) { @@ -66,7 +70,7 @@ int main( void ) #define DFL_ECJPAKE_PW NULL #define DFL_EC_MAX_OPS -1 #define DFL_FORCE_CIPHER 0 -#define DFL_TLS13_KEX_MODES MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL +#define DFL_TLS1_3_KEX_MODES MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL #define DFL_RENEGOTIATION MBEDTLS_SSL_RENEGOTIATION_DISABLED #define DFL_ALLOW_LEGACY -2 #define DFL_RENEGOTIATE 0 @@ -208,13 +212,13 @@ int main( void ) #define USAGE_TICKETS "" #endif /* MBEDTLS_SSL_SESSION_TICKETS */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) /* Support for EAP-TLS 1.3 has not been implemented yet. */ #define USAGE_EAP_TLS "" #else #define USAGE_EAP_TLS \ " eap_tls=%%d default: 0 (disabled)\n" -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #define USAGE_NSS_KEYLOG \ " nss_keylog=%%d default: 0 (disabled)\n" \ @@ -271,7 +275,7 @@ int main( void ) #define USAGE_CURVES "" #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #define USAGE_SIG_ALGS \ " sig_algs=a,b,c,d default: \"default\" (library default)\n" \ @@ -346,39 +350,29 @@ int main( void ) #define USAGE_SERIALIZATION "" #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) -#define USAGE_FORCE_VERSION \ - " force_version=%%s default: \"\" (none)\n" \ - " options: tls1_2, tls1_3, dtls1_2, dtls1_3\n" -#else -#define USAGE_FORCE_VERSION \ - " force_version=%%s default: \"\" (none)\n" \ - " options: tls1_2, dtls1_2\n" -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ - -#if defined(MBEDTLS_ZERO_RTT) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_ZERO_RTT) && defined(MBEDTLS_SSL_PROTO_TLS1_3) #define USAGE_EARLY_DATA \ " early_data=%%d default: 0 (disabled)\n" \ " options: 0 (disabled), 1 (enabled)\n" #else #define USAGE_EARLY_DATA "" -#endif /* MBEDTLS_ZERO_RTT && MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_ZERO_RTT && MBEDTLS_SSL_PROTO_TLS1_3 */ -#if defined(MBEDTLS_ECP_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_ECP_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3) #define USAGE_NAMED_GROUP \ " named_groups=%%s default: secp256r1\n" \ " options: secp256r1, secp384r1, secp521r1, all\n" #else #define USAGE_NAMED_GROUP "" -#endif /* MBEDTLS_ECP_C && MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_ECP_C && MBEDTLS_SSL_PROTO_TLS1_3 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) -#define USAGE_TLS13_KEX_MODES \ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) +#define USAGE_TLS1_3_KEY_EXCHANGE_MODES \ " tls13_kex_modes=%%s default: all\n" \ " options: psk, psk_ephemeral, ephemeral, ephemeral_all, psk_all, all\n" #else -#define USAGE_TLS13_KEX_MODES "" -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#define USAGE_TLS1_3_KEY_EXCHANGE_MODES "" +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ /* USAGE is arbitrarily split to stay under the portable string literal * length limit: 4095 bytes in C99. */ @@ -444,20 +438,21 @@ int main( void ) USAGE_DHMLEN \ "\n" -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) -#define TLS1_3_VERSION_OPTIONS ", tls1_3" -#else /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) +#define TLS1_3_VERSION_OPTIONS ", tls13, dtls13" +#else #define TLS1_3_VERSION_OPTIONS "" -#endif /* !MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif #define USAGE4 \ " allow_sha1=%%d default: 0\n" \ - " min_version=%%s default: (library default: tls1_2)\n" \ - " max_version=%%s default: (library default: tls1_2)\n" \ - USAGE_FORCE_VERSION \ - "\n" \ + " min_version=%%s default: (library default: tls12)\n" \ + " max_version=%%s default: (library default: tls12)\n" \ + " force_version=%%s default: \"\" (none)\n" \ + " options: tls12, dtls12" TLS1_3_VERSION_OPTIONS \ + "\n\n" \ " force_ciphersuite=<name> default: all enabled\n" \ - USAGE_TLS13_KEX_MODES \ + USAGE_TLS1_3_KEY_EXCHANGE_MODES \ " query_config=<name> return 0 if the specified\n" \ " configuration macro is defined and 1\n" \ " otherwise. The expansion of the macro\n" \ @@ -502,9 +497,9 @@ struct options const char *ecjpake_pw; /* the EC J-PAKE password */ int ec_max_ops; /* EC consecutive operations limit */ int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) int tls13_kex_modes; /* supported TLS 1.3 key exchange modes */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ int renegotiation; /* enable / disable renegotiation */ int allow_legacy; /* allow legacy renegotiation */ int renegotiate; /* attempt renegotiation? */ @@ -601,23 +596,23 @@ static int my_verify( void *data, mbedtls_x509_crt *crt, } #endif /* MBEDTLS_X509_CRT_PARSE_C */ -#if defined(MBEDTLS_ECP_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_ECP_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3) static uint16_t ssl_tls13_sig_algs_for_test[] = { #if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) - MBEDTLS_TLS13_SIG_ECDSA_SECP256R1_SHA256, + MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256, #endif #if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) - MBEDTLS_TLS13_SIG_ECDSA_SECP384R1_SHA384, + MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384, #endif #if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) - MBEDTLS_TLS13_SIG_ECDSA_SECP521R1_SHA512, + MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512, #endif #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) - MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA256, + MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256, #endif - MBEDTLS_TLS13_SIG_NONE + MBEDTLS_TLS1_3_SIG_NONE }; -#endif /* MBEDTLS_ECP_C && MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_ECP_C && MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) int report_cid_usage( mbedtls_ssl_context *ssl, @@ -705,11 +700,10 @@ int main( int argc, char *argv[] ) mbedtls_net_context server_fd; io_ctx_t io_ctx; -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) uint16_t sig_alg_list[SIG_ALG_LIST_SIZE]; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && - MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ unsigned char buf[MAX_REQUEST_SIZE + 1]; @@ -734,7 +728,7 @@ int main( int argc, char *argv[] ) #endif #if defined(MBEDTLS_ECP_C) - mbedtls_ecp_group_id curve_list[CURVE_LIST_SIZE]; + uint16_t group_list[CURVE_LIST_SIZE]; const mbedtls_ecp_curve_info *curve_cur; #endif #if defined(MBEDTLS_SSL_DTLS_SRTP) @@ -758,12 +752,11 @@ int main( int argc, char *argv[] ) mbedtls_ssl_context ssl; mbedtls_ssl_config conf; -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \ - defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_ECP_C) /* list of named groups */ mbedtls_ecp_group_id named_groups_list[NAMED_GROUPS_LIST_SIZE]; char *start; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && MBEDTLS_ECP_C */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_ECP_C */ #if defined(MBEDTLS_ZERO_RTT) char early_data[] = "early data test"; @@ -826,13 +819,13 @@ int main( int argc, char *argv[] ) mbedtls_ssl_init( &ssl ); mbedtls_ssl_config_init( &conf ); -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_ECP_C) memset( (void *) named_groups_list, MBEDTLS_ECP_DP_NONE, sizeof( named_groups_list ) ); #endif /* MBEDTLS_ECP_C */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ memset( &saved_session, 0, sizeof( mbedtls_ssl_session ) ); rng_init( &rng ); @@ -918,9 +911,9 @@ int main( int argc, char *argv[] ) opt.ecjpake_pw = DFL_ECJPAKE_PW; opt.ec_max_ops = DFL_EC_MAX_OPS; opt.force_ciphersuite[0]= DFL_FORCE_CIPHER; -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) - opt.tls13_kex_modes = DFL_TLS13_KEX_MODES; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + opt.tls13_kex_modes = DFL_TLS1_3_KEX_MODES; +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ opt.renegotiation = DFL_RENEGOTIATION; opt.allow_legacy = DFL_ALLOW_LEGACY; opt.renegotiate = DFL_RENEGOTIATE; @@ -1170,12 +1163,11 @@ int main( int argc, char *argv[] ) } else if( strcmp( p, "curves" ) == 0 ) opt.curves = q; -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) else if( strcmp( p, "sig_algs" ) == 0 ) opt.sig_algs = q; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && - MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ else if( strcmp( p, "etm" ) == 0 ) { switch( atoi( q ) ) @@ -1185,7 +1177,7 @@ int main( int argc, char *argv[] ) default: goto usage; } } -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_ZERO_RTT) else if( strcmp( p, "early_data" ) == 0 ) { @@ -1211,43 +1203,43 @@ int main( int argc, char *argv[] ) else if( strcmp( p, "tls13_kex_modes" ) == 0 ) { if( strcmp( q, "psk" ) == 0 ) - opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK; + opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; else if( strcmp(q, "psk_ephemeral" ) == 0 ) - opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; + opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; else if( strcmp(q, "ephemeral" ) == 0 ) - opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL; + opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL; else if( strcmp(q, "ephemeral_all" ) == 0 ) - opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL; + opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL; else if( strcmp( q, "psk_all" ) == 0 ) - opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL; + opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL; else if( strcmp( q, "all" ) == 0 ) - opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL; + opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL; else goto usage; } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ else if( strcmp( p, "min_version" ) == 0 ) { - if( strcmp( q, "tls1_2" ) == 0 || - strcmp( q, "dtls1_2" ) == 0 ) + if( strcmp( q, "tls12" ) == 0 || + strcmp( q, "dtls12" ) == 0 ) opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3; -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) - else if( strcmp( q, "tls1_3" ) == 0 || - strcmp( q, "dtls1_3" ) == 0 ) - opt.min_version = MBEDTLS_SSL_MINOR_VERSION_4; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + else if( strcmp( q, "tls13" ) == 0 || + strcmp( q, "dtls13" ) == 0 ) + opt.min_version = MBEDTLS_SSL_MINOR_VERSION_4; +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ else goto usage; } else if( strcmp( p, "max_version" ) == 0 ) { - if( strcmp( q, "tls1_2" ) == 0 || - strcmp( q, "dtls1_2" ) == 0 ) + if( strcmp( q, "tls12" ) == 0 || + strcmp( q, "dtls12" ) == 0 ) opt.max_version = MBEDTLS_SSL_MINOR_VERSION_3; -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) - else if( strcmp( q, "tls1_3" ) == 0 || - strcmp( q, "dtls1_3" ) == 0 ) - opt.min_version = MBEDTLS_SSL_MINOR_VERSION_4; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + else if( strcmp( q, "tls13" ) == 0 || + strcmp( q, "dtls13" ) == 0 ) + opt.max_version = MBEDTLS_SSL_MINOR_VERSION_4; +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ else goto usage; } @@ -1262,37 +1254,30 @@ int main( int argc, char *argv[] ) } else if( strcmp( p, "force_version" ) == 0 ) { - if( strcmp( q, "tls1_2" ) == 0 ) + if( strcmp( q, "tls12" ) == 0 ) { opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3; opt.max_version = MBEDTLS_SSL_MINOR_VERSION_3; } -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) - else if( strcmp( q, "tls1_3" ) == 0 ) - { - opt.min_version = MBEDTLS_SSL_MINOR_VERSION_4; - opt.max_version = MBEDTLS_SSL_MINOR_VERSION_4; - } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ - else if( strcmp( q, "dtls1_2" ) == 0 ) + else if( strcmp( q, "dtls12" ) == 0 ) { opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3; opt.max_version = MBEDTLS_SSL_MINOR_VERSION_3; opt.transport = MBEDTLS_SSL_TRANSPORT_DATAGRAM; } -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) - else if( strcmp( q, "dtls1_3" ) == 0 ) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + else if( strcmp( q, "tls13" ) == 0 ) { opt.min_version = MBEDTLS_SSL_MINOR_VERSION_4; opt.max_version = MBEDTLS_SSL_MINOR_VERSION_4; - opt.transport = MBEDTLS_SSL_TRANSPORT_DATAGRAM; } - else if( strcmp( q, "tls1_3" ) == 0 ) + else if( strcmp( q, "dtls13" ) == 0 ) { opt.min_version = MBEDTLS_SSL_MINOR_VERSION_4; opt.max_version = MBEDTLS_SSL_MINOR_VERSION_4; + opt.transport = MBEDTLS_SSL_TRANSPORT_DATAGRAM; } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ else goto usage; } @@ -1384,7 +1369,7 @@ int main( int argc, char *argv[] ) } else if( strcmp( p, "eap_tls" ) == 0 ) { -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) mbedtls_printf( "Error: eap_tls is not supported in TLS 1.3.\n" ); goto usage; #else @@ -1575,7 +1560,7 @@ int main( int argc, char *argv[] ) if( strcmp( p, "none" ) == 0 ) { - curve_list[0] = MBEDTLS_ECP_DP_NONE; + group_list[0] = 0; } else if( strcmp( p, "default" ) != 0 ) { @@ -1592,7 +1577,7 @@ int main( int argc, char *argv[] ) if( ( curve_cur = mbedtls_ecp_curve_info_from_name( q ) ) != NULL ) { - curve_list[i++] = curve_cur->grp_id; + group_list[i++] = curve_cur->tls_id; } else { @@ -1618,19 +1603,19 @@ int main( int argc, char *argv[] ) goto exit; } - curve_list[i] = MBEDTLS_ECP_DP_NONE; + group_list[i] = 0; } } #endif /* MBEDTLS_ECP_C */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) if( opt.sig_algs != NULL ) { p = (char *) opt.sig_algs; i = 0; - /* Leave room for a final MBEDTLS_TLS13_SIG_NONE in signature algorithm list (sig_alg_list). */ + /* Leave room for a final MBEDTLS_TLS1_3_SIG_NONE in signature algorithm list (sig_alg_list). */ while( i < SIG_ALG_LIST_SIZE - 1 && *p != '\0' ) { q = p; @@ -1643,15 +1628,23 @@ int main( int argc, char *argv[] ) if( strcmp( q, "ecdsa_secp256r1_sha256" ) == 0 ) { - sig_alg_list[i++] = MBEDTLS_TLS13_SIG_ECDSA_SECP256R1_SHA256; + sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256; } else if( strcmp( q, "ecdsa_secp384r1_sha384" ) == 0 ) { - sig_alg_list[i++] = MBEDTLS_TLS13_SIG_ECDSA_SECP384R1_SHA384; + sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384; } else if( strcmp( q, "ecdsa_secp521r1_sha512" ) == 0 ) { - sig_alg_list[i++] = MBEDTLS_TLS13_SIG_ECDSA_SECP521R1_SHA512; + sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512; + } + else if( strcmp( q, "rsa_pss_rsae_sha256" ) == 0 ) + { + sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256; + } + else if( strcmp( q, "rsa_pkcs1_sha256" ) == 0 ) + { + sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256; } else { @@ -1660,6 +1653,8 @@ int main( int argc, char *argv[] ) mbedtls_printf( "ecdsa_secp256r1_sha256 " ); mbedtls_printf( "ecdsa_secp384r1_sha384 " ); mbedtls_printf( "ecdsa_secp521r1_sha512 " ); + mbedtls_printf( "rsa_pss_rsae_sha256 " ); + mbedtls_printf( "rsa_pkcs1_sha256 " ); mbedtls_printf( "\n" ); goto exit; } @@ -1672,10 +1667,9 @@ int main( int argc, char *argv[] ) goto exit; } - sig_alg_list[i] = MBEDTLS_TLS13_SIG_NONE; + sig_alg_list[i] = MBEDTLS_TLS1_3_SIG_NONE; } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && - MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_SSL_ALPN) if( opt.alpn_string != NULL ) @@ -1697,7 +1691,7 @@ int main( int argc, char *argv[] ) } #endif /* MBEDTLS_SSL_ALPN */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_ECP_C) if( opt.named_groups_string != NULL ) { p = (char *)opt.named_groups_string; @@ -1736,67 +1730,7 @@ int main( int argc, char *argv[] ) if( i == 0 ) goto usage; } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && MBEDTLS_ECP_C */ - -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && defined(MBEDTLS_ECP_C) - if( opt.sig_algs != NULL ) - { - p = (char *) opt.sig_algs; - i = 0; - - /* Leave room for a final NULL in signature algorithm list */ - while( i < SIG_ALG_LIST_SIZE - 1 && *p != '\0' ) - { - q = p; - - /* Terminate the current string */ - while( *p != ',' && *p != '\0' ) - p++; - if( *p == ',' ) - *p++ = '\0'; - - if( strcmp( q, "ecdsa_secp256r1_sha256" ) == 0 ) - { - sig_alg_list[i++] = MBEDTLS_TLS13_SIG_ECDSA_SECP256R1_SHA256; - } - else if( strcmp( q, "ecdsa_secp384r1_sha384" ) == 0 ) - { - sig_alg_list[i++] = MBEDTLS_TLS13_SIG_ECDSA_SECP384R1_SHA384; - } - else if( strcmp( q, "ecdsa_secp521r1_sha512" ) == 0 ) - { - sig_alg_list[i++] = MBEDTLS_TLS13_SIG_ECDSA_SECP521R1_SHA512; - } - else - { - mbedtls_printf( "unknown signature algorithm %s\n", q ); - mbedtls_printf( "supported signature algorithms: " ); -#if defined(MBEDTLS_ECDSA_C) -#if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) - mbedtls_printf( "ecdsa_secp256r1_sha256 " ); -#endif /* MBEDTLS_SHA256_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED */ -#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) - mbedtls_printf( "ecdsa_secp384r1_sha384 " ); -#endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */ -#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_SHA512_C) - mbedtls_printf( "ecdsa_secp521r1_sha512 " ); -#endif /* MBEDTLS_SHA512_C && MBEDTLS_SHA512_C */ -#endif /* MBEDTLS_ECDSA_C */ - mbedtls_printf( "\n" ); - goto exit; - } - } - - if( i == ( SIG_ALG_LIST_SIZE - 1 ) && *p != '\0' ) - { - mbedtls_printf( "signature algorithm list too long, maximum %d", - SIG_ALG_LIST_SIZE - 1 ); - goto exit; - } - - sig_alg_list[i] = MBEDTLS_TLS13_SIG_NONE; - } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && MBEDTLS_ECP_C */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_ECP_C */ /* * 0. Initialize the RNG and the session data @@ -1955,9 +1889,9 @@ int main( int argc, char *argv[] ) #endif /* MBEDTLS_X509_CRT_PARSE_C */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) mbedtls_ssl_conf_signature_algorithms( &conf, ssl_tls13_sig_algs_for_test ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) if( opt.cid_enabled == 1 || opt.cid_enabled_renego == 1 ) @@ -2084,9 +2018,9 @@ int main( int argc, char *argv[] ) if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite ); -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) mbedtls_ssl_conf_tls13_key_exchange_modes( &conf, opt.tls13_kex_modes ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ if( opt.allow_legacy != DFL_ALLOW_LEGACY ) mbedtls_ssl_conf_legacy_renegotiation( &conf, opt.allow_legacy ); @@ -2118,28 +2052,28 @@ int main( int argc, char *argv[] ) #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_ECP_C) -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) if( named_groups_list[0] != MBEDTLS_ECP_DP_NONE ) mbedtls_ssl_conf_curves(&conf, named_groups_list); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ if( opt.curves != NULL && strcmp( opt.curves, "default" ) != 0 ) { - mbedtls_ssl_conf_curves( &conf, curve_list ); + mbedtls_ssl_conf_groups( &conf, group_list ); } #endif /* MBEDTLS_ECP_C */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_ECP_C) if( opt.sig_algs != NULL ) { mbedtls_ssl_conf_signature_algorithms( &conf, sig_alg_list ); } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && MBEDTLS_ECP_C */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_ECP_C */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) if( opt.sig_algs != NULL ) mbedtls_ssl_conf_sig_algs( &conf, sig_alg_list ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -2189,11 +2123,11 @@ int main( int argc, char *argv[] ) mbedtls_ssl_conf_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version ); -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && defined(MBEDTLS_ZERO_RTT) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_ZERO_RTT) mbedtls_ssl_conf_early_data( &conf, opt.early_data, 0, NULL ); mbedtls_ssl_set_early_data( &ssl, (const unsigned char*) early_data, strlen( early_data ) ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && MBEDTLS_ZERO_RTT */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_ZERO_RTT */ if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) { @@ -2527,10 +2461,10 @@ int main( int argc, char *argv[] ) } #endif /* MBEDTLS_SSL_DTLS_SRTP */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ defined(MBEDTLS_ZERO_RTT) && defined(MBEDTLS_SSL_CLI_C) mbedtls_printf( "early data status = %d\n", mbedtls_ssl_get_early_data_status( &ssl ) ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && MBEDTLS_ZERO_RTT && MBEDTLS_SSL_CLI_C */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_ZERO_RTT && MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_X509_CRT_PARSE_C) /* @@ -2806,7 +2740,7 @@ int main( int argc, char *argv[] ) mbedtls_printf( " connection was reset by peer\n" ); ret = 0; goto reconnect; -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) case MBEDTLS_ERR_SSL_CONN_EOF: mbedtls_printf( " connnection eof \n" ); @@ -2822,7 +2756,7 @@ int main( int argc, char *argv[] ) #endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ default: mbedtls_printf( " mbedtls_ssl_read returned -0x%x\n", (unsigned int) -ret ); @@ -3249,16 +3183,16 @@ int main( int argc, char *argv[] ) goto exit; } -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) // Configure key exchange mode to use PSK-ephemeral mbedtls_ssl_conf_tls13_key_exchange_modes( - &conf, MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + &conf, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ); +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && defined(MBEDTLS_ZERO_RTT) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_ZERO_RTT) mbedtls_ssl_set_early_data( &ssl, (const unsigned char*) early_data, strlen( early_data ) ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && MBEDTLS_ZERO_RTT */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_ZERO_RTT */ if( ( ret = mbedtls_net_connect( &server_fd, @@ -3296,11 +3230,11 @@ int main( int argc, char *argv[] ) mbedtls_printf( " ok\n" ); -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ defined(MBEDTLS_ZERO_RTT) && defined(MBEDTLS_SSL_CLI_C) mbedtls_printf( "early data status, reconnect = %d\n", mbedtls_ssl_get_early_data_status( &ssl ) ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && MBEDTLS_ZERO_RTT && MBEDTLS_SSL_CLI_C */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_ZERO_RTT && MBEDTLS_SSL_CLI_C */ goto send_request; } @@ -3321,6 +3255,19 @@ int main( int argc, char *argv[] ) mbedtls_net_free( &server_fd ); + mbedtls_ssl_free( &ssl ); + mbedtls_ssl_config_free( &conf ); + mbedtls_ssl_session_free( &saved_session ); + + if( session_data != NULL ) + mbedtls_platform_zeroize( session_data, session_data_len ); + mbedtls_free( session_data ); +#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) + if( context_buf != NULL ) + mbedtls_platform_zeroize( context_buf, context_buf_len ); + mbedtls_free( context_buf ); +#endif + #if defined(MBEDTLS_X509_CRT_PARSE_C) mbedtls_x509_crt_free( &clicert ); mbedtls_x509_crt_free( &cacert ); @@ -3351,23 +3298,25 @@ int main( int argc, char *argv[] ) #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED && MBEDTLS_USE_PSA_CRYPTO */ - mbedtls_ssl_session_free( &saved_session ); - mbedtls_ssl_free( &ssl ); - mbedtls_ssl_config_free( &conf ); - rng_free( &rng ); - if( session_data != NULL ) - mbedtls_platform_zeroize( session_data, session_data_len ); - mbedtls_free( session_data ); -#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) - if( context_buf != NULL ) - mbedtls_platform_zeroize( context_buf, context_buf_len ); - mbedtls_free( context_buf ); -#endif - #if defined(MBEDTLS_USE_PSA_CRYPTO) + const char* message = mbedtls_test_helper_is_psa_leaking(); + if( message ) + { + if( ret == 0 ) + ret = 1; + mbedtls_printf( "PSA memory leak detected: %s\n", message); + } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + + /* For builds with MBEDTLS_TEST_USE_PSA_CRYPTO_RNG psa crypto + * resources are freed by rng_free(). */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ + !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) mbedtls_psa_crypto_free( ); #endif + rng_free( &rng ); + #if defined(MBEDTLS_TEST_HOOKS) if( test_hooks_failure_detected( ) ) { diff --git a/programs/ssl/ssl_context_info.c b/programs/ssl/ssl_context_info.c index 5ad91203211b..62c3cc52b707 100644 --- a/programs/ssl/ssl_context_info.c +++ b/programs/ssl/ssl_context_info.c @@ -20,6 +20,7 @@ #define MBEDTLS_ALLOW_PRIVATE_ACCESS #include "mbedtls/build_info.h" +#include "mbedtls/debug.h" #include <stdio.h> #include <stdlib.h> @@ -161,6 +162,7 @@ void printf_dbg( const char *str, ... ) } } +MBEDTLS_PRINTF_ATTRIBUTE( 1, 2 ) void printf_err( const char *str, ... ) { va_list args; @@ -219,7 +221,13 @@ void parse_arguments( int argc, char *argv[] ) error_exit(); } - if( ( b64_file = fopen( argv[i], "r" ) ) == NULL ) + if( NULL != b64_file ) + { + printf_err( "Cannot specify more than one file with -f\n" ); + error_exit( ); + } + + if( ( b64_file = fopen( argv[i], "r" )) == NULL ) { printf_err( "Cannot find file \"%s\"\n", argv[i] ); error_exit(); @@ -461,7 +469,8 @@ size_t read_next_b64_code( uint8_t **b64, size_t *max_len ) } else if( len > *max_len ) { - printf_err( "The code found is too large by %u bytes.\n", len - *max_len ); + printf_err( "The code found is too large by %" MBEDTLS_PRINTF_SIZET " bytes.\n", + len - *max_len ); len = pad = 0; } else if( len % 4 != 0 ) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 9d55c8958668..e98522a8beaa 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -65,6 +65,10 @@ int main( void ) #include <windows.h> #endif +#if defined(MBEDTLS_USE_PSA_CRYPTO) +#include "test/psa_crypto_helpers.h" +#endif + /* Size of memory to be allocated for the heap, when using the library's memory * management and MBEDTLS_MEMORY_BUFFER_ALLOC_C is enabled. */ #define MEMORY_HEAP_SIZE 120000 @@ -96,7 +100,7 @@ int main( void ) #define DFL_ECJPAKE_PW NULL #define DFL_PSK_LIST NULL #define DFL_FORCE_CIPHER 0 -#define DFL_TLS13_KEX_MODES MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL +#define DFL_TLS1_3_KEX_MODES MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL #define DFL_RENEGOTIATION MBEDTLS_SSL_RENEGOTIATION_DISABLED #define DFL_ALLOW_LEGACY -2 #define DFL_RENEGOTIATE 0 @@ -289,12 +293,12 @@ int main( void ) #define USAGE_TICKETS "" #endif /* MBEDTLS_SSL_SESSION_TICKETS || MBEDTLS_SSL_NEW_SESSION_TICKET */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #define USAGE_EAP_TLS "" #else #define USAGE_EAP_TLS \ " eap_tls=%%d default: 0 (disabled)\n" -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #define USAGE_NSS_KEYLOG \ " nss_keylog=%%d default: 0 (disabled)\n" \ @@ -353,7 +357,7 @@ int main( void ) #define USAGE_ALPN "" #endif /* MBEDTLS_SSL_ALPN */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_COOKIE_C) #define USAGE_COOKIES \ " cookies=0/1/2/-1 default: 1\n" \ @@ -369,7 +373,7 @@ int main( void ) #else #define USAGE_COOKIES "" #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) #define USAGE_ANTI_REPLAY \ @@ -457,7 +461,7 @@ int main( void ) #define USAGE_CURVES "" #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #define USAGE_SIG_ALGS \ " sig_algs=a,b,c,d default: \"default\" (library default: ecdsa_secp256r1_sha256)\n" \ @@ -480,13 +484,13 @@ int main( void ) #define USAGE_SERIALIZATION "" #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) -#define USAGE_TLS13_KEX_MODES \ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) +#define USAGE_TLS1_3_KEY_EXCHANGE_MODES \ " tls13_kex_modes=%%s default: all\n" \ " options: psk, psk_ephemeral, ephemeral, ephemeral_all, psk_all, all\n" #else -#define USAGE_TLS13_KEX_MODES "" -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#define USAGE_TLS1_3_KEY_EXCHANGE_MODES "" +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ /* USAGE is arbitrarily split to stay under the portable string literal @@ -547,23 +551,23 @@ int main( void ) USAGE_SIG_ALGS \ "\n" -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) -#define TLS1_3_VERSION_OPTIONS ", tls1_3" -#else /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) +#define TLS1_3_VERSION_OPTIONS ", tls13" +#else /* MBEDTLS_SSL_PROTO_TLS1_3 */ #define TLS1_3_VERSION_OPTIONS "" -#endif /* !MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* !MBEDTLS_SSL_PROTO_TLS1_3 */ #define USAGE4 \ USAGE_SSL_ASYNC \ USAGE_SNI \ " allow_sha1=%%d default: 0\n" \ - " min_version=%%s default: (library default: tls1_2)\n" \ - " max_version=%%s default: (library default: tls1_2)\n" \ + " min_version=%%s default: (library default: tls12)\n" \ + " max_version=%%s default: (library default: tls12)\n" \ " force_version=%%s default: \"\" (none)\n" \ - " options: tls1_2, dtls1_2" TLS1_3_VERSION_OPTIONS \ + " options: tls12, dtls12" TLS1_3_VERSION_OPTIONS \ "\n\n" \ " force_ciphersuite=<name> default: all enabled\n" \ - USAGE_TLS13_KEX_MODES \ + USAGE_TLS1_3_KEY_EXCHANGE_MODES \ " query_config=<name> return 0 if the specified\n" \ " configuration macro is defined and 1\n" \ " otherwise. The expansion of the macro\n" \ @@ -571,25 +575,6 @@ int main( void ) USAGE_SERIALIZATION \ " acceptable ciphersuite names:\n" -#define USAGE5 \ - " arc4=%%d default: (library default: 0)\n" \ - " allow_sha1=%%d default: 0\n" \ - " min_version=%%s default: (library default: tls1)\n" \ - " max_version=%%s default: (library default: tls1_3)\n" \ - " force_version=%%s default: \"\" (none)\n" \ - " options: ssl3, tls1, tls1_1, tls1_2, tls1_3, dtls1, dtls1_2, dtls1_3\n" \ - "\n" \ - " version_suites=a,b,c,d,e per-version ciphersuites\n" \ - " in order from ssl3 to tls1_3\n" \ - " default: all enabled\n" \ - " force_ciphersuite=<name> default: all enabled\n" \ - " query_config=<name> return 0 if the specified\n" \ - " configuration macro is defined and 1\n" \ - " otherwise. The expansion of the macro\n" \ - " is printed if it is defined\n" \ - USAGE_SERIALIZATION \ - " acceptable ciphersuite names:\n" - #define ALPN_LIST_SIZE 10 #define CURVE_LIST_SIZE 20 #define SIG_ALG_LIST_SIZE 5 @@ -648,9 +633,9 @@ struct options char *psk_list; /* list of PSK id/key pairs for callback */ const char *ecjpake_pw; /* the EC J-PAKE password */ int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) int tls13_kex_modes; /* supported TLS 1.3 key exchange modes */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ int renegotiation; /* enable / disable renegotiation */ int allow_legacy; /* allow legacy renegotiation */ int renegotiate; /* attempt renegotiation? */ @@ -1405,12 +1390,12 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_COOKIE_C) mbedtls_ssl_cookie_ctx cookie_ctx; #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_ECP_C) /* list of named groups */ mbedtls_ecp_group_id named_groups_list[NAMED_GROUPS_LIST_SIZE]; /* list of signature algorithms */ char *start; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && MBEDTLS_ECP_C */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_ECP_C */ #if defined(MBEDTLS_X509_CRT_PARSE_C) @@ -1453,7 +1438,7 @@ int main( int argc, char *argv[] ) sni_entry *sni_info = NULL; #endif #if defined(MBEDTLS_ECP_C) - mbedtls_ecp_group_id curve_list[CURVE_LIST_SIZE]; + uint16_t group_list[CURVE_LIST_SIZE]; const mbedtls_ecp_curve_info * curve_cur; #endif #if defined(MBEDTLS_SSL_ALPN) @@ -1474,11 +1459,10 @@ int main( int argc, char *argv[] ) size_t context_buf_len = 0; #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) uint16_t sig_alg_list[SIG_ALG_LIST_SIZE]; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && - MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ int i; char *p, *q; @@ -1547,7 +1531,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_ALPN) memset( (void *) alpn_list, 0, sizeof( alpn_list ) ); #endif -#if defined(MBEDTLS_ECP_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_ECP_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3) memset((void *)named_groups_list, MBEDTLS_ECP_DP_NONE, sizeof(named_groups_list)); #endif @@ -1584,11 +1568,7 @@ int main( int argc, char *argv[] ) mbedtls_printf( USAGE1 ); mbedtls_printf( USAGE2 ); mbedtls_printf( USAGE3 ); -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) - mbedtls_printf( USAGE5 ); -#else mbedtls_printf( USAGE4 ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ list = mbedtls_ssl_list_ciphersuites(); while( *list ) @@ -1646,9 +1626,9 @@ int main( int argc, char *argv[] ) opt.psk_list = DFL_PSK_LIST; opt.ecjpake_pw = DFL_ECJPAKE_PW; opt.force_ciphersuite[0]= DFL_FORCE_CIPHER; -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) - opt.tls13_kex_modes = DFL_TLS13_KEX_MODES; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + opt.tls13_kex_modes = DFL_TLS1_3_KEX_MODES; +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ opt.renegotiation = DFL_RENEGOTIATION; opt.allow_legacy = DFL_ALLOW_LEGACY; opt.renegotiate = DFL_RENEGOTIATE; @@ -1841,12 +1821,11 @@ int main( int argc, char *argv[] ) } else if( strcmp( p, "curves" ) == 0 ) opt.curves = q; -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) else if( strcmp( p, "sig_algs" ) == 0 ) opt.sig_algs = q; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && && \ - MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ else if( strcmp( p, "renegotiation" ) == 0 ) { opt.renegotiation = (atoi( q )) ? @@ -1896,7 +1875,7 @@ int main( int argc, char *argv[] ) if( opt.exchanges < 0 ) goto usage; } -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_ZERO_RTT) else if( strcmp( p, "early_data" ) == 0 ) { @@ -1920,48 +1899,47 @@ int main( int argc, char *argv[] ) else if( strcmp( p, "sig_algs" ) == 0 ) opt.sig_algs = q; #endif /* MBEDTLS_ECP_C */ - else if( strcmp( p, "tls13_kex_modes" ) == 0 ) { if( strcmp( q, "psk" ) == 0 ) - opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK; + opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; else if( strcmp(q, "psk_ephemeral" ) == 0 ) - opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; + opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; else if( strcmp(q, "ephemeral" ) == 0 ) - opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL; + opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL; else if( strcmp(q, "ephemeral_all" ) == 0 ) - opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL; + opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL; else if( strcmp( q, "psk_all" ) == 0 ) - opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL; + opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL; else if( strcmp( q, "all" ) == 0 ) - opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL; + opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL; else goto usage; } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ else if( strcmp( p, "min_version" ) == 0 ) { - if( strcmp( q, "tls1_2" ) == 0 || - strcmp( q, "dtls1_2" ) == 0 ) + if( strcmp( q, "tls12" ) == 0 || + strcmp( q, "dtls12" ) == 0 ) opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3; -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) - else if( strcmp( q, "tls1_3" ) == 0 || - strcmp( q, "dtls1_3" ) == 0 ) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + else if( strcmp( q, "tls13" ) == 0 || + strcmp( q, "dtls13" ) == 0 ) opt.min_version = MBEDTLS_SSL_MINOR_VERSION_4; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ else goto usage; } else if( strcmp( p, "max_version" ) == 0 ) { - if( strcmp( q, "tls1_2" ) == 0 || - strcmp( q, "dtls1_2" ) == 0 ) + if( strcmp( q, "tls12" ) == 0 || + strcmp( q, "dtls12" ) == 0 ) opt.max_version = MBEDTLS_SSL_MINOR_VERSION_3; -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) - else if( strcmp( q, "tls1_3" ) == 0 || - strcmp( q, "dtls1_3" ) == 0 ) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + else if( strcmp( q, "tls13" ) == 0 || + strcmp( q, "dtls13" ) == 0 ) opt.min_version = MBEDTLS_SSL_MINOR_VERSION_4; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ else goto usage; } @@ -1976,37 +1954,30 @@ int main( int argc, char *argv[] ) } else if( strcmp( p, "force_version" ) == 0 ) { - if( strcmp( q, "tls1_2" ) == 0 ) + if( strcmp( q, "tls12" ) == 0 ) { opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3; opt.max_version = MBEDTLS_SSL_MINOR_VERSION_3; } -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) - else if( strcmp( q, "tls1_3" ) == 0 ) - { - opt.min_version = MBEDTLS_SSL_MINOR_VERSION_4; - opt.max_version = MBEDTLS_SSL_MINOR_VERSION_4; - } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ - else if( strcmp( q, "dtls1_2" ) == 0 ) + else if( strcmp( q, "dtls12" ) == 0 ) { opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3; opt.max_version = MBEDTLS_SSL_MINOR_VERSION_3; opt.transport = MBEDTLS_SSL_TRANSPORT_DATAGRAM; } -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) - else if( strcmp( q, "dtls1_3" ) == 0 ) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + else if( strcmp( q, "tls13" ) == 0 ) { opt.min_version = MBEDTLS_SSL_MINOR_VERSION_4; opt.max_version = MBEDTLS_SSL_MINOR_VERSION_4; - opt.transport = MBEDTLS_SSL_TRANSPORT_DATAGRAM; } - else if( strcmp( q, "tls1_3" ) == 0 ) + else if( strcmp( q, "dtls13" ) == 0 ) { opt.min_version = MBEDTLS_SSL_MINOR_VERSION_4; opt.max_version = MBEDTLS_SSL_MINOR_VERSION_4; + opt.transport = MBEDTLS_SSL_TRANSPORT_DATAGRAM; } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ else goto usage; } @@ -2106,13 +2077,13 @@ int main( int argc, char *argv[] ) else if( strcmp( p, "cookies" ) == 0 ) { opt.cookies = atoi( q ); -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) if( opt.cookies < -1 || opt.cookies > 2 ) goto usage; #else if( opt.cookies < -1 || opt.cookies > 1 ) goto usage; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ } else if( strcmp( p, "anti_replay" ) == 0 ) { @@ -2173,7 +2144,7 @@ int main( int argc, char *argv[] ) } else if( strcmp( p, "eap_tls" ) == 0 ) { -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) mbedtls_printf( "Error: eap_tls is not supported in TLS 1.3.\n" ); goto usage; #else @@ -2384,7 +2355,7 @@ int main( int argc, char *argv[] ) if( strcmp( p, "none" ) == 0 ) { - curve_list[0] = MBEDTLS_ECP_DP_NONE; + group_list[0] = 0; } else if( strcmp( p, "default" ) != 0 ) { @@ -2401,7 +2372,7 @@ int main( int argc, char *argv[] ) if( ( curve_cur = mbedtls_ecp_curve_info_from_name( q ) ) != NULL ) { - curve_list[i++] = curve_cur->grp_id; + group_list[i++] = curve_cur->tls_id; } else { @@ -2427,19 +2398,19 @@ int main( int argc, char *argv[] ) goto exit; } - curve_list[i] = MBEDTLS_ECP_DP_NONE; + group_list[i] = 0; } } #endif /* MBEDTLS_ECP_C */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) if( opt.sig_algs != NULL ) { p = (char *) opt.sig_algs; i = 0; - /* Leave room for a final MBEDTLS_TLS13_SIG_NONE in signature algorithm list (sig_alg_list). */ + /* Leave room for a final MBEDTLS_TLS1_3_SIG_NONE in signature algorithm list (sig_alg_list). */ while( i < SIG_ALG_LIST_SIZE - 1 && *p != '\0' ) { q = p; @@ -2452,15 +2423,15 @@ int main( int argc, char *argv[] ) if( strcmp( q, "ecdsa_secp256r1_sha256" ) == 0 ) { - sig_alg_list[i++] = MBEDTLS_TLS13_SIG_ECDSA_SECP256R1_SHA256; + sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256; } else if( strcmp( q, "ecdsa_secp384r1_sha384" ) == 0 ) { - sig_alg_list[i++] = MBEDTLS_TLS13_SIG_ECDSA_SECP384R1_SHA384; + sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384; } else if( strcmp( q, "ecdsa_secp521r1_sha512" ) == 0 ) { - sig_alg_list[i++] = MBEDTLS_TLS13_SIG_ECDSA_SECP521R1_SHA512; + sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512; } else { @@ -2481,16 +2452,15 @@ int main( int argc, char *argv[] ) goto exit; } - sig_alg_list[i] = MBEDTLS_TLS13_SIG_NONE; + sig_alg_list[i] = MBEDTLS_TLS1_3_SIG_NONE; } else { /* Configure default signature algorithm */ - sig_alg_list[0] = MBEDTLS_TLS13_SIG_ECDSA_SECP256R1_SHA256; - sig_alg_list[1] = MBEDTLS_TLS13_SIG_NONE; + sig_alg_list[0] = MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256; + sig_alg_list[1] = MBEDTLS_TLS1_3_SIG_NONE; } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && - MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_SSL_ALPN) if( opt.alpn_string != NULL ) @@ -2512,7 +2482,7 @@ int main( int argc, char *argv[] ) } #endif /* MBEDTLS_SSL_ALPN */ - #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && defined(MBEDTLS_ECP_C) + #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_ECP_C) if( opt.named_groups_string != NULL ) { p = (char *)opt.named_groups_string; @@ -2557,7 +2527,7 @@ int main( int argc, char *argv[] ) if( i == 0 ) goto usage; } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && MBEDTLS_ECP_C */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_ECP_C */ /* @@ -2929,7 +2899,7 @@ int main( int argc, char *argv[] ) } #endif -#if defined(MBEDTLS_ECP_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_ECP_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3) if( named_groups_list[0] != MBEDTLS_ECP_DP_NONE ) mbedtls_ssl_conf_curves( &conf, named_groups_list ); #endif @@ -2984,7 +2954,7 @@ int main( int argc, char *argv[] ) #endif /* MBEDTLS_SSL_SESSION_TICKETS || MBEDTLS_SSL_NEW_SESSION_TICKET */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_COOKIE_C) if( opt.cookies > 0 ) { @@ -3056,14 +3026,14 @@ int main( int argc, char *argv[] ) mbedtls_ssl_conf_dtls_badmac_limit( &conf, opt.badmac_limit ); } #endif /* MBEDTLS_SSL_PROTO_DTLS */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite ); -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) mbedtls_ssl_conf_tls13_key_exchange_modes( &conf, opt.tls13_kex_modes ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ if( opt.allow_legacy != DFL_ALLOW_LEGACY ) mbedtls_ssl_conf_legacy_renegotiation( &conf, opt.allow_legacy ); @@ -3198,30 +3168,30 @@ int main( int argc, char *argv[] ) #endif #if defined(MBEDTLS_ECP_C) -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) /* Configure default name groups */ if (named_groups_list[0] != MBEDTLS_ECP_DP_NONE) mbedtls_ssl_conf_curves( &conf, named_groups_list ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ /* Configure default curves */ if( opt.curves != NULL && strcmp( opt.curves, "default" ) != 0 ) { - mbedtls_ssl_conf_curves( &conf, curve_list ); + mbedtls_ssl_conf_groups( &conf, group_list ); } -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) /* Configure default signature algorithms */ if( opt.sig_algs != NULL && strcmp( opt.sig_algs, "default" ) != 0 ) { mbedtls_ssl_conf_signature_algorithms( &conf, sig_alg_list ); } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_ECP_C */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) if( opt.sig_algs != NULL ) mbedtls_ssl_conf_sig_algs( &conf, sig_alg_list ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) @@ -3448,7 +3418,7 @@ int main( int argc, char *argv[] ) mbedtls_ssl_conf_read_timeout( &conf, opt.read_timeout ); -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_COOKIE_C) if( ( ret = mbedtls_ssl_set_client_transport_id( &ssl, client_ip, cliip_len ) ) != 0 ) @@ -3458,7 +3428,7 @@ int main( int argc, char *argv[] ) goto exit; } #endif /* MBEDTLS_SSL_COOKIE_C */ -#else /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#else /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { @@ -3471,7 +3441,7 @@ int main( int argc, char *argv[] ) } } #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if( opt.ecjpake_pw != DFL_ECJPAKE_PW ) @@ -4285,9 +4255,35 @@ int main( int argc, char *argv[] ) mbedtls_net_free( &client_fd ); mbedtls_net_free( &listen_fd ); -#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO) - mbedtls_dhm_free( &dhm ); + mbedtls_ssl_free( &ssl ); + mbedtls_ssl_config_free( &conf ); + +#if defined(MBEDTLS_SSL_CACHE_C) + mbedtls_ssl_cache_free( &cache ); #endif +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + mbedtls_ssl_ticket_free( &ticket_ctx ); +#endif +#if defined(MBEDTLS_SSL_COOKIE_C) + mbedtls_ssl_cookie_free( &cookie_ctx ); +#endif + +#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) + if( context_buf != NULL ) + mbedtls_platform_zeroize( context_buf, context_buf_len ); + mbedtls_free( context_buf ); +#endif + +#if defined(SNI_OPTION) + sni_free( sni_info ); +#endif + +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) + ret = psk_free( psk_info ); + if( ( ret != 0 ) && ( opt.query_config_mode == DFL_QUERY_CONFIG_MODE ) ) + mbedtls_printf( "Failed to list of opaque PSKs - error was %d\n", ret ); +#endif + #if defined(MBEDTLS_X509_CRT_PARSE_C) mbedtls_x509_crt_free( &cacert ); mbedtls_x509_crt_free( &srvcert ); @@ -4299,6 +4295,11 @@ int main( int argc, char *argv[] ) psa_destroy_key( key_slot2 ); #endif #endif + +#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO) + mbedtls_dhm_free( &dhm ); +#endif + #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) for( i = 0; (size_t) i < ssl_async_keys.slots_used; i++ ) { @@ -4310,17 +4311,6 @@ int main( int argc, char *argv[] ) } } #endif -#if defined(SNI_OPTION) - sni_free( sni_info ); -#endif -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) - ret = psk_free( psk_info ); - if( ( ret != 0 ) && ( opt.query_config_mode == DFL_QUERY_CONFIG_MODE ) ) - mbedtls_printf( "Failed to list of opaque PSKs - error was %d\n", ret ); -#endif -#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO) - mbedtls_dhm_free( &dhm ); -#endif #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) && \ defined(MBEDTLS_USE_PSA_CRYPTO) @@ -4341,32 +4331,27 @@ int main( int argc, char *argv[] ) #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED && MBEDTLS_USE_PSA_CRYPTO */ - mbedtls_ssl_free( &ssl ); - mbedtls_ssl_config_free( &conf ); - rng_free( &rng ); - -#if defined(MBEDTLS_SSL_CACHE_C) - mbedtls_ssl_cache_free( &cache ); -#endif -#if defined(MBEDTLS_SSL_SESSION_TICKETS) || defined(MBEDTLS_SSL_NEW_SESSION_TICKET) - mbedtls_ssl_ticket_free( &ticket_ctx ); -#endif -#if defined(MBEDTLS_SSL_COOKIE_C) - mbedtls_ssl_cookie_free( &cookie_ctx ); -#endif - - mbedtls_free( buf ); - -#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) - if( context_buf != NULL ) - mbedtls_platform_zeroize( context_buf, context_buf_len ); - mbedtls_free( context_buf ); +#if defined(MBEDTLS_USE_PSA_CRYPTO) + const char* message = mbedtls_test_helper_is_psa_leaking(); + if( message ) + { + if( ret == 0 ) + ret = 1; + mbedtls_printf( "PSA memory leak detected: %s\n", message); + } #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) + /* For builds with MBEDTLS_TEST_USE_PSA_CRYPTO_RNG psa crypto + * resources are freed by rng_free(). */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ + !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) mbedtls_psa_crypto_free( ); #endif + rng_free( &rng ); + + mbedtls_free( buf ); + #if defined(MBEDTLS_TEST_HOOKS) /* Let test hooks detect errors such as resource leaks. * Don't do it in query_config mode, because some test code prints diff --git a/programs/ssl/ssl_test_common_source.c b/programs/ssl/ssl_test_common_source.c index 06e8a7db8f01..3cb40c124116 100644 --- a/programs/ssl/ssl_test_common_source.c +++ b/programs/ssl/ssl_test_common_source.c @@ -69,22 +69,22 @@ void nss_keylog_export( void *p_expkey, case MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET: strcpy(label, "CLIENT RANDOM "); break; - case MBEDTLS_SSL_KEY_EXPORT_TLS13_CLIENT_EARLY_SECRET: + case MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_EARLY_SECRET: strcpy(label, "CLIENT_EARLY_TRAFFIC_SECRET "); break; - case MBEDTLS_SSL_KEY_EXPORT_TLS13_EARLY_EXPORTER_SECRET: + case MBEDTLS_SSL_KEY_EXPORT_TLS1_3_EARLY_EXPORTER_SECRET: strcpy(label, "EARLY_EXPORTER_SECRET "); break; - case MBEDTLS_SSL_KEY_EXPORT_TLS13_CLIENT_HANDSHAKE_TRAFFIC_SECRET: + case MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_HANDSHAKE_TRAFFIC_SECRET: strcpy(label, "CLIENT_HANDSHAKE_TRAFFIC_SECRET "); break; - case MBEDTLS_SSL_KEY_EXPORT_TLS13_SERVER_HANDSHAKE_TRAFFIC_SECRET: + case MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_HANDSHAKE_TRAFFIC_SECRET: strcpy(label, "SERVER_HANDSHAKE_TRAFFIC_SECRET "); break; - case MBEDTLS_SSL_KEY_EXPORT_TLS13_CLIENT_APPLICATION_TRAFFIC_SECRET: + case MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_APPLICATION_TRAFFIC_SECRET: strcpy(label, "CLIENT_TRAFFIC_SECRET_0 "); break; - case MBEDTLS_SSL_KEY_EXPORT_TLS13_SERVER_APPLICATION_TRAFFIC_SECRET: + case MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_APPLICATION_TRAFFIC_SECRET: strcpy(label, "SERVER_TRAFFIC_SECRET_0 "); break; } diff --git a/programs/test/CMakeLists.txt b/programs/test/CMakeLists.txt index a0a1b763cca2..c3e7d2e98e20 100644 --- a/programs/test/CMakeLists.txt +++ b/programs/test/CMakeLists.txt @@ -27,15 +27,51 @@ if(TEST_CPP) target_link_libraries(cpp_dummy_build ${mbedcrypto_target}) endif() +if(USE_SHARED_MBEDTLS_LIBRARY AND + NOT ${CMAKE_SYSTEM_NAME} MATCHES "[Ww][Ii][Nn]") + add_executable(dlopen "dlopen.c") + target_include_directories(dlopen PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../include) + target_link_libraries(dlopen ${CMAKE_DL_LIBS}) +endif() + +if(GEN_FILES) + find_package(Perl REQUIRED) + + add_custom_command( + OUTPUT + ${CMAKE_CURRENT_BINARY_DIR}/query_config.c + COMMAND + ${PERL} + ${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/generate_query_config.pl + ${CMAKE_CURRENT_SOURCE_DIR}/../../include/mbedtls/mbedtls_config.h + ${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/data_files/query_config.fmt + ${CMAKE_CURRENT_BINARY_DIR}/query_config.c + DEPENDS + ${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/generate_query_config.pl + ${CMAKE_CURRENT_SOURCE_DIR}/../../include/mbedtls/mbedtls_config.h + ${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/data_files/query_config.fmt + ) + # this file will also be used in another directory, so create a target, see + # https://gitlab.kitware.com/cmake/community/-/wikis/FAQ#how-can-i-add-a-dependency-to-a-source-file-which-is-generated-in-a-subdirectory + add_custom_target(generate_query_config_c + DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/query_config.c) +else() + link_to_source(query_config.c) +endif() + foreach(exe IN LISTS executables_libs executables_mbedcrypto) set(extra_sources "") if(exe STREQUAL "query_compile_time_config") list(APPEND extra_sources - ${CMAKE_CURRENT_SOURCE_DIR}/query_config.c) + ${CMAKE_CURRENT_SOURCE_DIR}/query_config.h + ${CMAKE_CURRENT_BINARY_DIR}/query_config.c) endif() add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test> ${extra_sources}) target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include) + if(exe STREQUAL "query_compile_time_config") + target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}) + endif() # This emulates "if ( ... IN_LIST ... )" which becomes available in CMake 3.3 list(FIND executables_libs ${exe} exe_index) diff --git a/programs/test/dlopen.c b/programs/test/dlopen.c new file mode 100644 index 000000000000..3b88df4cf3e9 --- /dev/null +++ b/programs/test/dlopen.c @@ -0,0 +1,112 @@ +/* + * Test dynamic loading of libmbed* + * + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "mbedtls/build_info.h" + +#include "mbedtls/platform.h" +#if !defined(MBEDTLS_PLATFORM_C) +#include <stdio.h> +#include <stdlib.h> +#define mbedtls_fprintf fprintf +#define mbedtls_printf printf +#define mbedtls_exit exit +#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS +#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE +#endif + +#if defined(MBEDTLS_X509_CRT_PARSE_C) +#include "mbedtls/x509_crt.h" +#endif + +#if defined(__APPLE__) +#define SO_SUFFIX ".dylib" +#else +#define SO_SUFFIX ".so" +#endif + +#define CRYPTO_SO_FILENAME "libmbedcrypto" SO_SUFFIX +#define X509_SO_FILENAME "libmbedx509" SO_SUFFIX +#define TLS_SO_FILENAME "libmbedtls" SO_SUFFIX + +#include <dlfcn.h> + +#define CHECK_DLERROR( function, argument ) \ + do \ + { \ + char *CHECK_DLERROR_error = dlerror ( ); \ + if( CHECK_DLERROR_error != NULL ) \ + { \ + fprintf( stderr, "Dynamic loading error for %s(%s): %s\n", \ + function, argument, CHECK_DLERROR_error ); \ + mbedtls_exit( MBEDTLS_EXIT_FAILURE ); \ + } \ + } \ + while( 0 ) + +int main( void ) +{ +#if defined(MBEDTLS_MD_C) || defined(MBEDTLS_SSL_TLS_C) + unsigned n; +#endif + +#if defined(MBEDTLS_SSL_TLS_C) + void *tls_so = dlopen( TLS_SO_FILENAME, RTLD_NOW ); + CHECK_DLERROR( "dlopen", TLS_SO_FILENAME ); + const int *( *ssl_list_ciphersuites )( void ) = + dlsym( tls_so, "mbedtls_ssl_list_ciphersuites" ); + CHECK_DLERROR( "dlsym", "mbedtls_ssl_list_ciphersuites" ); + const int *ciphersuites = ssl_list_ciphersuites( ); + for( n = 0; ciphersuites[n] != 0; n++ ) + /* nothing to do, we're just counting */; + mbedtls_printf( "dlopen(%s): %u ciphersuites\n", + TLS_SO_FILENAME, n ); + dlclose( tls_so ); + CHECK_DLERROR( "dlclose", TLS_SO_FILENAME ); +#endif /* MBEDTLS_SSL_TLS_C */ + +#if defined(MBEDTLS_X509_CRT_PARSE_C) + void *x509_so = dlopen( X509_SO_FILENAME, RTLD_NOW ); + CHECK_DLERROR( "dlopen", X509_SO_FILENAME ); + const mbedtls_x509_crt_profile *profile = + dlsym( x509_so, "mbedtls_x509_crt_profile_default" ); + CHECK_DLERROR( "dlsym", "mbedtls_x509_crt_profile_default" ); + mbedtls_printf( "dlopen(%s): Allowed md mask: %08x\n", + X509_SO_FILENAME, (unsigned) profile->allowed_mds ); + dlclose( x509_so ); + CHECK_DLERROR( "dlclose", X509_SO_FILENAME ); +#endif /* MBEDTLS_X509_CRT_PARSE_C */ + +#if defined(MBEDTLS_MD_C) + void *crypto_so = dlopen( CRYPTO_SO_FILENAME, RTLD_NOW ); + CHECK_DLERROR( "dlopen", CRYPTO_SO_FILENAME ); + const int *( *md_list )( void ) = + dlsym( crypto_so, "mbedtls_md_list" ); + CHECK_DLERROR( "dlsym", "mbedtls_md_list" ); + const int *mds = md_list( ); + for( n = 0; mds[n] != 0; n++ ) + /* nothing to do, we're just counting */; + mbedtls_printf( "dlopen(%s): %u hashes\n", + CRYPTO_SO_FILENAME, n ); + dlclose( crypto_so ); + CHECK_DLERROR( "dlclose", CRYPTO_SO_FILENAME ); +#endif /* MBEDTLS_MD_C */ + + return( 0 ); +} + diff --git a/programs/test/dlopen_demo.sh b/programs/test/dlopen_demo.sh new file mode 100755 index 000000000000..2dde3ebedabd --- /dev/null +++ b/programs/test/dlopen_demo.sh @@ -0,0 +1,46 @@ +#!/bin/sh + +# Run the shared library dynamic loading demo program. +# This is only expected to work when Mbed TLS is built as a shared library. + +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -e -u + +program_dir="${0%/*}" +program="$program_dir/dlopen" +top_dir="$program_dir/../.." +library_dir="$top_dir/library" + +# ELF-based Unix-like (Linux, *BSD, Solaris, ...) +if [ -n "${LD_LIBRARY_PATH-}" ]; then + LD_LIBRARY_PATH="$library_dir:$LD_LIBRARY_PATH" +else + LD_LIBRARY_PATH="$library_dir" +fi +export LD_LIBRARY_PATH + +# OSX/macOS +if [ -n "${DYLD_LIBRARY_PATH-}" ]; then + DYLD_LIBRARY_PATH="$library_dir:$DYLD_LIBRARY_PATH" +else + DYLD_LIBRARY_PATH="$library_dir" +fi +export DYLD_LIBRARY_PATH + +echo "Running dynamic loading test program: $program" +echo "Loading libraries from: $library_dir" +"$program" diff --git a/programs/test/query_compile_time_config.c b/programs/test/query_compile_time_config.c index a6eaf6159082..6d92de3100a4 100644 --- a/programs/test/query_compile_time_config.c +++ b/programs/test/query_compile_time_config.c @@ -29,13 +29,14 @@ #endif #define USAGE \ - "usage: %s <MBEDTLS_CONFIG>\n\n" \ + "usage: %s [ <MBEDTLS_CONFIG> | -l ]\n\n" \ "This program takes one command line argument which corresponds to\n" \ "the string representation of a Mbed TLS compile time configuration.\n" \ "The value 0 will be returned if this configuration is defined in the\n" \ "Mbed TLS build and the macro expansion of that configuration will be\n" \ - "printed (if any). Otherwise, 1 will be returned.\n" - + "printed (if any). Otherwise, 1 will be returned.\n" \ + "-l\tPrint all available configuration.\n" +#include <string.h> #include "query_config.h" int main( int argc, char *argv[] ) @@ -46,5 +47,11 @@ int main( int argc, char *argv[] ) return( MBEDTLS_EXIT_FAILURE ); } + if( strcmp( argv[1], "-l" ) == 0 ) + { + list_config(); + return( 0 ); + } + return( query_config( argv[1] ) ); } diff --git a/programs/test/query_config.h b/programs/test/query_config.h index 0fad886d1472..290100f36fe2 100644 --- a/programs/test/query_config.h +++ b/programs/test/query_config.h @@ -35,4 +35,12 @@ */ int query_config( const char *config ); +/** List all enabled configuration symbols + * + * \note This function is defined in `programs/test/query_config.c` + * which is automatically generated by + * `scripts/generate_query_config.pl`. + */ +void list_config( void ); + #endif /* MBEDTLS_PROGRAMS_TEST_QUERY_CONFIG_H */ diff --git a/scripts/basic.requirements.txt b/scripts/basic.requirements.txt new file mode 100644 index 000000000000..1be3d0c235e1 --- /dev/null +++ b/scripts/basic.requirements.txt @@ -0,0 +1,5 @@ +# Python modules required to build Mbed TLS in ordinary conditions. + +# Required to (re-)generate source files. Not needed if the generated source +# files are already present and up-to-date. +-r driver.requirements.txt diff --git a/scripts/ci.requirements.txt b/scripts/ci.requirements.txt new file mode 100644 index 000000000000..209ae3d8ff55 --- /dev/null +++ b/scripts/ci.requirements.txt @@ -0,0 +1,12 @@ +# Python package requirements for Mbed TLS testing. + +-r driver.requirements.txt + +# Use a known version of Pylint, because new versions tend to add warnings +# that could start rejecting our code. +# 2.4.4 is the version in Ubuntu 20.04. It supports Python >=3.5. +pylint == 2.4.4 + +# Use the earliest version of mypy that works with our code base. +# See https://github.com/ARMmbed/mbedtls/pull/3953 . +mypy >= 0.780 diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py new file mode 100755 index 000000000000..85393d031c13 --- /dev/null +++ b/scripts/code_size_compare.py @@ -0,0 +1,226 @@ +#!/usr/bin/env python3 + +""" +Purpose + +This script is for comparing the size of the library files from two +different Git revisions within an Mbed TLS repository. +The results of the comparison is formatted as csv and stored at a +configurable location. +Note: must be run from Mbed TLS root. +""" + +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import argparse +import os +import subprocess +import sys + +class CodeSizeComparison: + """Compare code size between two Git revisions.""" + + def __init__(self, old_revision, new_revision, result_dir): + """ + old_revision: revision to compare against + new_revision: + result_dir: directory for comparision result + """ + self.repo_path = "." + self.result_dir = os.path.abspath(result_dir) + os.makedirs(self.result_dir, exist_ok=True) + + self.csv_dir = os.path.abspath("code_size_records/") + os.makedirs(self.csv_dir, exist_ok=True) + + self.old_rev = old_revision + self.new_rev = new_revision + self.git_command = "git" + self.make_command = "make" + + @staticmethod + def check_repo_path(): + if not all(os.path.isdir(d) for d in ["include", "library", "tests"]): + raise Exception("Must be run from Mbed TLS root") + + @staticmethod + def validate_revision(revision): + result = subprocess.check_output(["git", "rev-parse", "--verify", + revision + "^{commit}"], shell=False) + return result + + def _create_git_worktree(self, revision): + """Make a separate worktree for revision. + Do not modify the current worktree.""" + + if revision == "current": + print("Using current work directory.") + git_worktree_path = self.repo_path + else: + print("Creating git worktree for", revision) + git_worktree_path = os.path.join(self.repo_path, "temp-" + revision) + subprocess.check_output( + [self.git_command, "worktree", "add", "--detach", + git_worktree_path, revision], cwd=self.repo_path, + stderr=subprocess.STDOUT + ) + return git_worktree_path + + def _build_libraries(self, git_worktree_path): + """Build libraries in the specified worktree.""" + + my_environment = os.environ.copy() + subprocess.check_output( + [self.make_command, "-j", "lib"], env=my_environment, + cwd=git_worktree_path, stderr=subprocess.STDOUT, + ) + + def _gen_code_size_csv(self, revision, git_worktree_path): + """Generate code size csv file.""" + + csv_fname = revision + ".csv" + if revision == "current": + print("Measuring code size in current work directory.") + else: + print("Measuring code size for", revision) + result = subprocess.check_output( + ["size library/*.o"], cwd=git_worktree_path, shell=True + ) + size_text = result.decode() + csv_file = open(os.path.join(self.csv_dir, csv_fname), "w") + for line in size_text.splitlines()[1:]: + data = line.split() + csv_file.write("{}, {}\n".format(data[5], data[3])) + + def _remove_worktree(self, git_worktree_path): + """Remove temporary worktree.""" + if git_worktree_path != self.repo_path: + print("Removing temporary worktree", git_worktree_path) + subprocess.check_output( + [self.git_command, "worktree", "remove", "--force", + git_worktree_path], cwd=self.repo_path, + stderr=subprocess.STDOUT + ) + + def _get_code_size_for_rev(self, revision): + """Generate code size csv file for the specified git revision.""" + + # Check if the corresponding record exists + csv_fname = revision + ".csv" + if (revision != "current") and \ + os.path.exists(os.path.join(self.csv_dir, csv_fname)): + print("Code size csv file for", revision, "already exists.") + else: + git_worktree_path = self._create_git_worktree(revision) + self._build_libraries(git_worktree_path) + self._gen_code_size_csv(revision, git_worktree_path) + self._remove_worktree(git_worktree_path) + + def compare_code_size(self): + """Generate results of the size changes between two revisions, + old and new. Measured code size results of these two revisions + must be available.""" + + old_file = open(os.path.join(self.csv_dir, self.old_rev + ".csv"), "r") + new_file = open(os.path.join(self.csv_dir, self.new_rev + ".csv"), "r") + res_file = open(os.path.join(self.result_dir, "compare-" + self.old_rev + + "-" + self.new_rev + ".csv"), "w") + + res_file.write("file_name, this_size, old_size, change, change %\n") + print("Generating comparision results.") + + old_ds = {} + for line in old_file.readlines()[1:]: + cols = line.split(", ") + fname = cols[0] + size = int(cols[1]) + if size != 0: + old_ds[fname] = size + + new_ds = {} + for line in new_file.readlines()[1:]: + cols = line.split(", ") + fname = cols[0] + size = int(cols[1]) + new_ds[fname] = size + + for fname in new_ds: + this_size = new_ds[fname] + if fname in old_ds: + old_size = old_ds[fname] + change = this_size - old_size + change_pct = change / old_size + res_file.write("{}, {}, {}, {}, {:.2%}\n".format(fname, \ + this_size, old_size, change, float(change_pct))) + else: + res_file.write("{}, {}\n".format(fname, this_size)) + return 0 + + def get_comparision_results(self): + """Compare size of library/*.o between self.old_rev and self.new_rev, + and generate the result file.""" + self.check_repo_path() + self._get_code_size_for_rev(self.old_rev) + self._get_code_size_for_rev(self.new_rev) + return self.compare_code_size() + +def main(): + parser = argparse.ArgumentParser( + description=( + """This script is for comparing the size of the library files + from two different Git revisions within an Mbed TLS repository. + The results of the comparison is formatted as csv, and stored at + a configurable location. + Note: must be run from Mbed TLS root.""" + ) + ) + parser.add_argument( + "-r", "--result-dir", type=str, default="comparison", + help="directory where comparison result is stored, \ + default is comparison", + ) + parser.add_argument( + "-o", "--old-rev", type=str, help="old revision for comparison.", + required=True, + ) + parser.add_argument( + "-n", "--new-rev", type=str, default=None, + help="new revision for comparison, default is the current work \ + directory, including uncommited changes." + ) + comp_args = parser.parse_args() + + if os.path.isfile(comp_args.result_dir): + print("Error: {} is not a directory".format(comp_args.result_dir)) + parser.exit() + + validate_res = CodeSizeComparison.validate_revision(comp_args.old_rev) + old_revision = validate_res.decode().replace("\n", "") + + if comp_args.new_rev is not None: + validate_res = CodeSizeComparison.validate_revision(comp_args.new_rev) + new_revision = validate_res.decode().replace("\n", "") + else: + new_revision = "current" + + result_dir = comp_args.result_dir + size_compare = CodeSizeComparison(old_revision, new_revision, result_dir) + return_code = size_compare.get_comparision_results() + sys.exit(return_code) + + +if __name__ == "__main__": + main() diff --git a/scripts/data_files/query_config.fmt b/scripts/data_files/query_config.fmt index ffa816eceeb3..8b0057cb00b8 100644 --- a/scripts/data_files/query_config.fmt +++ b/scripts/data_files/query_config.fmt @@ -99,6 +99,10 @@ #define MACRO_NAME_TO_STR(macro) \ mbedtls_printf( "%s", strlen( #macro "" ) > 0 ? #macro "\n" : "" ) +#define STRINGIFY(macro) #macro +#define OUTPUT_MACRO_NAME_VALUE(macro) mbedtls_printf( #macro "%s\n", \ + ( STRINGIFY(macro) "" )[0] != 0 ? "=" STRINGIFY(macro) : "" ) + #if defined(_MSC_VER) /* * Visual Studio throws the warning 4003 because many Mbed TLS feature macros @@ -118,6 +122,10 @@ CHECK_CONFIG /* If the symbol is not found, return an error */ return( 1 ); } +void list_config( void ) +{ + LIST_CONFIG +} #if defined(_MSC_VER) #pragma warning(pop) #endif /* _MSC_VER */ diff --git a/scripts/driver.requirements.txt b/scripts/driver.requirements.txt new file mode 100644 index 000000000000..17569bb170ed --- /dev/null +++ b/scripts/driver.requirements.txt @@ -0,0 +1,10 @@ +# Python package requirements for driver implementers. + +# Use the version of Jinja that's in Ubuntu 20.04. +# See https://github.com/ARMmbed/mbedtls/pull/5067#discussion_r738794607 . +# Note that Jinja 3.0 drops support for Python 3.5, so we need to support +# Jinja 2.x as long as we're still using Python 3.5 anywhere. +Jinja2 >= 2.10.1 +# Jinja2 >=2.10, <<3.0 needs a separate package for type annotations +types-Jinja2 + diff --git a/scripts/generate_query_config.pl b/scripts/generate_query_config.pl index e3bbaa0745a2..b2ce8fc4c634 100755 --- a/scripts/generate_query_config.pl +++ b/scripts/generate_query_config.pl @@ -14,7 +14,8 @@ # information is used to automatically generate the body of the query_config() # function by using the template in scripts/data_files/query_config.fmt. # -# Usage: ./scripts/generate_query_config.pl without arguments +# Usage: scripts/generate_query_config.pl without arguments, or +# generate_query_config.pl config_file template_file output_file # # Copyright The Mbed TLS Contributors # SPDX-License-Identifier: Apache-2.0 @@ -33,15 +34,24 @@ use strict; -my $config_file = "./include/mbedtls/mbedtls_config.h"; +my ($config_file, $query_config_format_file, $query_config_file); -my $query_config_format_file = "./scripts/data_files/query_config.fmt"; -my $query_config_file = "./programs/test/query_config.c"; +if( @ARGV ) { + die "Invalid number of arguments - usage: $0 [CONFIG_FILE TEMPLATE_FILE OUTPUT_FILE]" if scalar @ARGV != 3; + ($config_file, $query_config_format_file, $query_config_file) = @ARGV; -unless( -f $config_file && -f $query_config_format_file ) { - chdir '..' or die; - -f $config_file && -f $query_config_format_file - or die "Without arguments, must be run from root or a subdirectory\n"; + -f $config_file or die "No such file: $config_file"; + -f $query_config_format_file or die "No such file: $query_config_format_file"; +} else { + $config_file = "./include/mbedtls/mbedtls_config.h"; + $query_config_format_file = "./scripts/data_files/query_config.fmt"; + $query_config_file = "./programs/test/query_config.c"; + + unless( -f $config_file && -f $query_config_format_file ) { + chdir '..' or die; + -f $config_file && -f $query_config_format_file + or die "No arguments supplied, must be run from project root or a first-level subdirectory\n"; + } } # Excluded macros from the generated query_config.c. For example, macros that @@ -58,6 +68,7 @@ # This variable will contain the string to replace in the CHECK_CONFIG of the # format file my $config_check = ""; +my $list_config = ""; while (my $line = <CONFIG_FILE>) { if ($line =~ /^(\/\/)?\s*#\s*define\s+(MBEDTLS_\w+).*/) { @@ -74,6 +85,11 @@ $config_check .= " }\n"; $config_check .= "#endif /* $name */\n"; $config_check .= "\n"; + + $list_config .= "#if defined($name)\n"; + $list_config .= " OUTPUT_MACRO_NAME_VALUE($name);\n"; + $list_config .= "#endif /* $name */\n"; + $list_config .= "\n"; } } @@ -85,6 +101,7 @@ # Replace the body of the query_config() function with the code we just wrote $query_config_format =~ s/CHECK_CONFIG/$config_check/g; +$query_config_format =~ s/LIST_CONFIG/$list_config/g; # Rewrite the query_config.c file open(QUERY_CONFIG_FILE, ">$query_config_file") or die "Opening destination file '$query_config_file': $!"; diff --git a/scripts/generate_ssl_debug_helpers.py b/scripts/generate_ssl_debug_helpers.py new file mode 100755 index 000000000000..19fac656c69f --- /dev/null +++ b/scripts/generate_ssl_debug_helpers.py @@ -0,0 +1,335 @@ +#!/usr/bin/env python3 + +"""Generate library/ssl_debug_helps_generated.c + +The code generated by this module includes debug helper functions that can not be +implemented by fixed codes. + +""" + +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +import sys +import re +import os +import textwrap +import argparse +from mbedtls_dev import build_tree + + +def remove_c_comments(string): + """ + Remove C style comments from input string + """ + string_pattern = r"(?P<string>\".*?\"|\'.*?\')" + comment_pattern = r"(?P<comment>/\*.*?\*/|//[^\r\n]*$)" + pattern = re.compile(string_pattern + r'|' + comment_pattern, + re.MULTILINE | re.DOTALL) + + def replacer(match): + if match.lastgroup == 'comment': + return "" + return match.group() + return pattern.sub(replacer, string) + + +class CondDirectiveNotMatch(Exception): + pass + + +def preprocess_c_source_code(source, *classes): + """ + Simple preprocessor for C source code. + + Only processses condition directives without expanding them. + Yield object according to the classes input. Most match firstly + + If the directive pair does not match , raise CondDirectiveNotMatch. + + Assume source code does not include comments and compile pass. + + """ + + pattern = re.compile(r"^[ \t]*#[ \t]*" + + r"(?P<directive>(if[ \t]|ifndef[ \t]|ifdef[ \t]|else|endif))" + + r"[ \t]*(?P<param>(.*\\\n)*.*$)", + re.MULTILINE) + stack = [] + + def _yield_objects(s, d, p, st, end): + """ + Output matched source piece + """ + nonlocal stack + start_line, end_line = '', '' + if stack: + start_line = '#{} {}'.format(d, p) + if d == 'if': + end_line = '#endif /* {} */'.format(p) + elif d == 'ifdef': + end_line = '#endif /* defined({}) */'.format(p) + else: + end_line = '#endif /* !defined({}) */'.format(p) + has_instance = False + for cls in classes: + for instance in cls.extract(s, st, end): + if has_instance is False: + has_instance = True + yield pair_start, start_line + yield instance.span()[0], instance + if has_instance: + yield start, end_line + + for match in pattern.finditer(source): + + directive = match.groupdict()['directive'].strip() + param = match.groupdict()['param'] + start, end = match.span() + + if directive in ('if', 'ifndef', 'ifdef'): + stack.append((directive, param, start, end)) + continue + + if not stack: + raise CondDirectiveNotMatch() + + pair_directive, pair_param, pair_start, pair_end = stack.pop() + yield from _yield_objects(source, + pair_directive, + pair_param, + pair_end, + start) + + if directive == 'endif': + continue + + if pair_directive == 'if': + directive = 'if' + param = "!( {} )".format(pair_param) + elif pair_directive == 'ifdef': + directive = 'ifndef' + param = pair_param + else: + directive = 'ifdef' + param = pair_param + + stack.append((directive, param, start, end)) + assert not stack, len(stack) + + +class EnumDefinition: + """ + Generate helper functions around enumeration. + + Currently, it generate translation function from enum value to string. + Enum definition looks like: + [typedef] enum [prefix name] { [body] } [suffix name]; + + Known limitation: + - the '}' and ';' SHOULD NOT exist in different macro blocks. Like + ``` + enum test { + .... + #if defined(A) + .... + }; + #else + .... + }; + #endif + ``` + """ + + @classmethod + def extract(cls, source_code, start=0, end=-1): + enum_pattern = re.compile(r'enum\s*(?P<prefix_name>\w*)\s*' + + r'{\s*(?P<body>[^}]*)}' + + r'\s*(?P<suffix_name>\w*)\s*;', + re.MULTILINE | re.DOTALL) + + for match in enum_pattern.finditer(source_code, start, end): + yield EnumDefinition(source_code, + span=match.span(), + group=match.groupdict()) + + def __init__(self, source_code, span=None, group=None): + assert isinstance(group, dict) + prefix_name = group.get('prefix_name', None) + suffix_name = group.get('suffix_name', None) + body = group.get('body', None) + assert prefix_name or suffix_name + assert body + assert span + # If suffix_name exists, it is a typedef + self._prototype = suffix_name if suffix_name else 'enum ' + prefix_name + self._name = suffix_name if suffix_name else prefix_name + self._body = body + self._source = source_code + self._span = span + + def __repr__(self): + return 'Enum({},{})'.format(self._name, self._span) + + def __str__(self): + return repr(self) + + def span(self): + return self._span + + def generate_tranlation_function(self): + """ + Generate function for translating value to string + """ + translation_table = [] + + for line in self._body.splitlines(): + + if line.strip().startswith('#'): + # Preprocess directive, keep it in table + translation_table.append(line.strip()) + continue + + if not line.strip(): + continue + + for field in line.strip().split(','): + if not field.strip(): + continue + member = field.strip().split()[0] + translation_table.append( + '{space}[{member}] = "{member}",'.format(member=member, + space=' '*8) + ) + + body = textwrap.dedent('''\ + const char *{name}_str( {prototype} in ) + {{ + const char * in_to_str[]= + {{ + {translation_table} + }}; + + if( in > ( sizeof( in_to_str )/sizeof( in_to_str[0]) - 1 ) || + in_to_str[ in ] == NULL ) + {{ + return "UNKOWN_VAULE"; + }} + return in_to_str[ in ]; + }} + ''') + body = body.format(translation_table='\n'.join(translation_table), + name=self._name, + prototype=self._prototype) + prototype = 'const char *{name}_str( {prototype} in );\n' + prototype = prototype.format(name=self._name, + prototype=self._prototype) + return body, prototype + + +OUTPUT_C_TEMPLATE = '''\ +/* Automatically generated by generate_ssl_debug_helpers.py. DO NOT EDIT. */ + +#include "common.h" + +#if defined(MBEDTLS_DEBUG_C) + +#include "ssl_debug_helpers_generated.h" + +{functions} + +#endif /* MBEDTLS_DEBUG_C */ +/* End of automatically generated file. */ + +''' + +OUTPUT_H_TEMPLATE = '''\ +/* Automatically generated by generate_ssl_debug_helpers.py. DO NOT EDIT. */ +#ifndef MBEDTLS_SSL_DEBUG_HELPERS_H +#define MBEDTLS_SSL_DEBUG_HELPERS_H + +#include "common.h" + +#if defined(MBEDTLS_DEBUG_C) + +#include "mbedtls/ssl.h" +#include "ssl_misc.h" + +{functions} + +#endif /* MBEDTLS_DEBUG_C */ + +#endif /* SSL_DEBUG_HELPERS_H */ + +/* End of automatically generated file. */ + +''' + + +def generate_ssl_debug_helpers(output_directory, mbedtls_root): + """ + Generate functions of debug helps + """ + mbedtls_root = os.path.abspath(mbedtls_root or build_tree.guess_mbedtls_root()) + with open(os.path.join(mbedtls_root, 'include/mbedtls/ssl.h')) as f: + source_code = remove_c_comments(f.read()) + + definitions = dict() + prototypes = dict() + for start, instance in preprocess_c_source_code(source_code, EnumDefinition): + if start in definitions: + continue + if isinstance(instance, EnumDefinition): + definition, prototype = instance.generate_tranlation_function() + else: + definition = instance + prototype = instance + definitions[start] = definition + prototypes[start] = prototype + + function_definitions = [str(v) for _, v in sorted(definitions.items())] + function_prototypes = [str(v) for _, v in sorted(prototypes.items())] + if output_directory == sys.stdout: + sys.stdout.write(OUTPUT_H_TEMPLATE.format( + functions='\n'.join(function_prototypes))) + sys.stdout.write(OUTPUT_C_TEMPLATE.format( + functions='\n'.join(function_definitions))) + else: + with open(os.path.join(output_directory, 'ssl_debug_helpers_generated.c'), 'w') as f: + f.write(OUTPUT_C_TEMPLATE.format( + functions='\n'.join(function_definitions))) + + with open(os.path.join(output_directory, 'ssl_debug_helpers_generated.h'), 'w') as f: + f.write(OUTPUT_H_TEMPLATE.format( + functions='\n'.join(function_prototypes))) + + +def main(): + """ + Command line entry + """ + parser = argparse.ArgumentParser() + parser.add_argument('--mbedtls-root', nargs='?', default=None, + help='root directory of mbedtls source code') + parser.add_argument('output_directory', nargs='?', + default='library', help='source/header files location') + + args = parser.parse_args() + + generate_ssl_debug_helpers(args.output_directory, args.mbedtls_root) + return 0 + + +if __name__ == '__main__': + sys.exit(main()) diff --git a/scripts/maintainer.requirements.txt b/scripts/maintainer.requirements.txt new file mode 100644 index 000000000000..b149921a242a --- /dev/null +++ b/scripts/maintainer.requirements.txt @@ -0,0 +1,10 @@ +# Python packages that are only useful to Mbed TLS maintainers. + +-r ci.requirements.txt + +# For source code analyses +clang + +# For building some test vectors +pycryptodomex +pycryptodome-test-vectors diff --git a/scripts/make_generated_files.bat b/scripts/make_generated_files.bat index e4465d8f09f1..d3a8b364541b 100644 --- a/scripts/make_generated_files.bat +++ b/scripts/make_generated_files.bat @@ -4,6 +4,7 @@ perl scripts\generate_errors.pl || exit /b 1 perl scripts\generate_query_config.pl || exit /b 1 perl scripts\generate_features.pl || exit /b 1 +python scripts\generate_ssl_debug_helpers.py || exit /b 1 perl scripts\generate_visualc_files.pl || exit /b 1 python scripts\generate_psa_constants.py || exit /b 1 python tests\scripts\generate_psa_tests.py || exit /b 1 diff --git a/scripts/mbedtls_dev/build_tree.py b/scripts/mbedtls_dev/build_tree.py index 772410473d5d..3920d0ed6c02 100644 --- a/scripts/mbedtls_dev/build_tree.py +++ b/scripts/mbedtls_dev/build_tree.py @@ -17,12 +17,15 @@ # limitations under the License. import os +import inspect + def looks_like_mbedtls_root(path: str) -> bool: """Whether the given directory looks like the root of the Mbed TLS source tree.""" return all(os.path.isdir(os.path.join(path, subdir)) for subdir in ['include', 'library', 'programs', 'tests']) + def chdir_to_root() -> None: """Detect the root of the Mbed TLS source tree and change to it. @@ -36,3 +39,22 @@ def chdir_to_root() -> None: os.chdir(d) return raise Exception('Mbed TLS source tree not found') + + +def guess_mbedtls_root(): + """Guess mbedTLS source code directory. + + Return the first possible mbedTLS root directory + """ + dirs = set({}) + for frame in inspect.stack(): + path = os.path.dirname(frame.filename) + for d in ['.', os.path.pardir] \ + + [os.path.join(*([os.path.pardir]*i)) for i in range(2, 10)]: + d = os.path.abspath(os.path.join(path, d)) + if d in dirs: + continue + dirs.add(d) + if looks_like_mbedtls_root(d): + return d + raise Exception('Mbed TLS source tree not found') diff --git a/scripts/mbedtls_dev/macro_collector.py b/scripts/mbedtls_dev/macro_collector.py index f9ef5f91503d..bf82f13dc54d 100644 --- a/scripts/mbedtls_dev/macro_collector.py +++ b/scripts/mbedtls_dev/macro_collector.py @@ -233,6 +233,27 @@ def __init__(self, include_intermediate: bool = False) -> None: self.key_types_from_group = {} #type: Dict[str, str] self.algorithms_from_hash = {} #type: Dict[str, str] + @staticmethod + def algorithm_tester(name: str) -> str: + """The predicate for whether an algorithm is built from the given constructor. + + The given name must be the name of an algorithm constructor of the + form ``PSA_ALG_xxx`` which is used as ``PSA_ALG_xxx(yyy)`` to build + an algorithm value. Return the corresponding predicate macro which + is used as ``predicate(alg)`` to test whether ``alg`` can be built + as ``PSA_ALG_xxx(yyy)``. The predicate is usually called + ``PSA_ALG_IS_xxx``. + """ + prefix = 'PSA_ALG_' + assert name.startswith(prefix) + midfix = 'IS_' + suffix = name[len(prefix):] + if suffix in ['DSA', 'ECDSA']: + midfix += 'RANDOMIZED_' + elif suffix == 'RSA_PSS': + suffix += '_STANDARD_SALT' + return prefix + midfix + suffix + def record_algorithm_subtype(self, name: str, expansion: str) -> None: """Record the subtype of an algorithm constructor. @@ -308,12 +329,7 @@ def read_line(self, line): self.algorithms.add(name) self.record_algorithm_subtype(name, expansion) elif name.startswith('PSA_ALG_') and parameter == 'hash_alg': - if name in ['PSA_ALG_DSA', 'PSA_ALG_ECDSA']: - # A naming irregularity - tester = name[:8] + 'IS_RANDOMIZED_' + name[8:] - else: - tester = name[:8] + 'IS_' + name[8:] - self.algorithms_from_hash[name] = tester + self.algorithms_from_hash[name] = self.algorithm_tester(name) elif name.startswith('PSA_KEY_USAGE_') and not parameter: self.key_usage_flags.add(name) else: diff --git a/scripts/mbedtls_dev/test_case.py b/scripts/mbedtls_dev/test_case.py index d01e1432b63d..6a46e4209b22 100644 --- a/scripts/mbedtls_dev/test_case.py +++ b/scripts/mbedtls_dev/test_case.py @@ -83,8 +83,6 @@ def write(self, out: typing_util.Writable) -> None: out.write('depends_on:' + ':'.join(self.dependencies) + '\n') out.write(self.function + ':' + ':'.join(self.arguments) + '\n') - - def write_data_file(filename: str, test_cases: Iterable[TestCase], caller: Optional[str] = None) -> None: diff --git a/scripts/min_requirements.py b/scripts/min_requirements.py new file mode 100755 index 000000000000..eecab1c1e1c4 --- /dev/null +++ b/scripts/min_requirements.py @@ -0,0 +1,138 @@ +#!/usr/bin/env python3 +"""Install all the required Python packages, with the minimum Python version. +""" + +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import argparse +import os +import re +import subprocess +import sys +import tempfile +import typing + +from typing import List, Optional +from mbedtls_dev import typing_util + +def pylint_doesn_t_notice_that_certain_types_are_used_in_annotations( + _list: List[typing.Any], +) -> None: + pass + + +class Requirements: + """Collect and massage Python requirements.""" + + def __init__(self) -> None: + self.requirements = [] #type: List[str] + + def adjust_requirement(self, req: str) -> str: + """Adjust a requirement to the minimum specified version.""" + # allow inheritance #pylint: disable=no-self-use + # If a requirement specifies a minimum version, impose that version. + req = re.sub(r'>=|~=', r'==', req) + return req + + def add_file(self, filename: str) -> None: + """Add requirements from the specified file. + + This method supports a subset of pip's requirement file syntax: + * One requirement specifier per line, which is passed to + `adjust_requirement`. + * Comments (``#`` at the beginning of the line or after whitespace). + * ``-r FILENAME`` to include another file. + """ + for line in open(filename): + line = line.strip() + line = re.sub(r'(\A|\s+)#.*', r'', line) + if not line: + continue + m = re.match(r'-r\s+', line) + if m: + nested_file = os.path.join(os.path.dirname(filename), + line[m.end(0):]) + self.add_file(nested_file) + continue + self.requirements.append(self.adjust_requirement(line)) + + def write(self, out: typing_util.Writable) -> None: + """List the gathered requirements.""" + for req in self.requirements: + out.write(req + '\n') + + def install( + self, + pip_general_options: Optional[List[str]] = None, + pip_install_options: Optional[List[str]] = None, + ) -> None: + """Call pip to install the requirements.""" + if pip_general_options is None: + pip_general_options = [] + if pip_install_options is None: + pip_install_options = [] + with tempfile.TemporaryDirectory() as temp_dir: + # This is more complicated than it needs to be for the sake + # of Windows. Use a temporary file rather than the command line + # to avoid quoting issues. Use a temporary directory rather + # than NamedTemporaryFile because with a NamedTemporaryFile on + # Windows, the subprocess can't open the file because this process + # has an exclusive lock on it. + req_file_name = os.path.join(temp_dir, 'requirements.txt') + with open(req_file_name, 'w') as req_file: + self.write(req_file) + subprocess.check_call([sys.executable, '-m', 'pip'] + + pip_general_options + + ['install'] + pip_install_options + + ['-r', req_file_name]) + +DEFAULT_REQUIREMENTS_FILE = 'ci.requirements.txt' + +def main() -> None: + """Command line entry point.""" + parser = argparse.ArgumentParser(description=__doc__) + parser.add_argument('--no-act', '-n', + action='store_true', + help="Don't act, just print what will be done") + parser.add_argument('--pip-install-option', + action='append', dest='pip_install_options', + help="Pass this option to pip install") + parser.add_argument('--pip-option', + action='append', dest='pip_general_options', + help="Pass this general option to pip") + parser.add_argument('--user', + action='append_const', dest='pip_install_options', + const='--user', + help="Install to the Python user install directory" + " (short for --pip-install-option --user)") + parser.add_argument('files', nargs='*', metavar='FILE', + help="Requirement files" + " (default: {} in the script's directory)" \ + .format(DEFAULT_REQUIREMENTS_FILE)) + options = parser.parse_args() + if not options.files: + options.files = [os.path.join(os.path.dirname(__file__), + DEFAULT_REQUIREMENTS_FILE)] + reqs = Requirements() + for filename in options.files: + reqs.add_file(filename) + reqs.write(sys.stdout) + if not options.no_act: + reqs.install(pip_general_options=options.pip_general_options, + pip_install_options=options.pip_install_options) + +if __name__ == '__main__': + main() diff --git a/tests/.gitignore b/tests/.gitignore index fa901cbe5b9c..15fce6888b2e 100644 --- a/tests/.gitignore +++ b/tests/.gitignore @@ -18,3 +18,5 @@ include/test/instrument_record_status.h src/*.o src/drivers/*.o src/libmbed* + +libtestdriver1/* diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 7329a121c572..cda52aa8c016 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -13,10 +13,48 @@ if(NOT MBEDTLS_PYTHON_EXECUTABLE) message(FATAL_ERROR "Cannot build test suites without Python 3") endif() -# Enable definition of various functions used throughout the testsuite -# (gethostname, strdup, fileno...) even when compiling with -std=c99. Harmless -# on non-POSIX platforms. -add_definitions("-D_POSIX_C_SOURCE=200809L") +# generated .data files will go there +file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/suites) + +# Get base names for generated files (starting at "suites/") +execute_process( + COMMAND + ${MBEDTLS_PYTHON_EXECUTABLE} + ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_psa_tests.py + --list-for-cmake + --directory suites + WORKING_DIRECTORY + ${CMAKE_CURRENT_SOURCE_DIR}/.. + OUTPUT_VARIABLE + base_generated_data_files) + +# Derive generated file paths in the build directory +set(generated_data_files "") +foreach(file ${base_generated_data_files}) + list(APPEND generated_data_files ${CMAKE_CURRENT_BINARY_DIR}/${file}) +endforeach() + +if(GEN_FILES) + add_custom_command( + OUTPUT + ${generated_data_files} + WORKING_DIRECTORY + ${CMAKE_CURRENT_SOURCE_DIR}/.. + COMMAND + ${MBEDTLS_PYTHON_EXECUTABLE} + ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_psa_tests.py + --directory ${CMAKE_CURRENT_BINARY_DIR}/suites + DEPENDS + ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_psa_tests.py + ${CMAKE_CURRENT_SOURCE_DIR}/../include/psa/crypto_config.h + ${CMAKE_CURRENT_SOURCE_DIR}/../include/psa/crypto_values.h + ${CMAKE_CURRENT_SOURCE_DIR}/../include/psa/crypto_extra.h + ) +else() + foreach(file ${base_generated_data_files}) + link_to_source(${file}) + endforeach() +endif() # Test suites caught by SKIP_TEST_SUITES are built but not executed. # "foo" as a skip pattern skips "test_suite_foo" and "test_suite_foo.bar" @@ -32,10 +70,52 @@ function(add_test_suite suite_name) set(data_name ${suite_name}) endif() + # Get the test names of the tests with generated .data files + # from the generated_data_files list in parent scope. + set(generated_data_names "") + foreach(generated_data_file ${generated_data_files}) + # Get the plain filename + get_filename_component(generated_data_name ${generated_data_file} NAME) + # Remove the ".data" extension + get_name_without_last_ext(generated_data_name ${generated_data_name}) + # Remove leading "test_suite_" + string(SUBSTRING ${generated_data_name} 11 -1 generated_data_name) + list(APPEND generated_data_names ${generated_data_name}) + endforeach() + + if(";${generated_data_names};" MATCHES ";${data_name};") + set(data_file + ${CMAKE_CURRENT_BINARY_DIR}/suites/test_suite_${data_name}.data) + else() + set(data_file + ${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${data_name}.data) + endif() + add_custom_command( - OUTPUT test_suite_${data_name}.c - COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/generate_test_code.py -f ${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${suite_name}.function -d ${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${data_name}.data -t ${CMAKE_CURRENT_SOURCE_DIR}/suites/main_test.function -p ${CMAKE_CURRENT_SOURCE_DIR}/suites/host_test.function -s ${CMAKE_CURRENT_SOURCE_DIR}/suites --helpers-file ${CMAKE_CURRENT_SOURCE_DIR}/suites/helpers.function -o . - DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/scripts/generate_test_code.py ${mbedtls_target} ${CMAKE_CURRENT_SOURCE_DIR}/suites/helpers.function ${CMAKE_CURRENT_SOURCE_DIR}/suites/main_test.function ${CMAKE_CURRENT_SOURCE_DIR}/suites/host_test.function ${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${suite_name}.function ${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${data_name}.data + OUTPUT + # The output filename of generate_test_code.py is derived from the -d + # input argument. + test_suite_${data_name}.c + COMMAND + ${MBEDTLS_PYTHON_EXECUTABLE} + ${CMAKE_CURRENT_SOURCE_DIR}/scripts/generate_test_code.py + -f ${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${suite_name}.function + -d ${data_file} + -t ${CMAKE_CURRENT_SOURCE_DIR}/suites/main_test.function + -p ${CMAKE_CURRENT_SOURCE_DIR}/suites/host_test.function + -s ${CMAKE_CURRENT_SOURCE_DIR}/suites + --helpers-file ${CMAKE_CURRENT_SOURCE_DIR}/suites/helpers.function + -o . + DEPENDS + ${CMAKE_CURRENT_SOURCE_DIR}/scripts/generate_test_code.py + ${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${suite_name}.function + ${data_file} + ${CMAKE_CURRENT_SOURCE_DIR}/suites/main_test.function + ${CMAKE_CURRENT_SOURCE_DIR}/suites/host_test.function + ${CMAKE_CURRENT_SOURCE_DIR}/suites/helpers.function + ${mbedtls_target} + BYPRODUCTS + test_suite_${data_name}.datax ) add_executable(test_suite_${data_name} test_suite_${data_name}.c $<TARGET_OBJECTS:mbedtls_test>) @@ -61,6 +141,11 @@ function(add_test_suite suite_name) endif() endfunction(add_test_suite) +# Enable definition of various functions used throughout the testsuite +# (gethostname, strdup, fileno...) even when compiling with -std=c99. Harmless +# on non-POSIX platforms. +add_definitions("-D_POSIX_C_SOURCE=200809L") + if(CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_CLANG) set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-unused-function") endif(CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_CLANG) @@ -137,6 +222,7 @@ add_test_suite(pk) add_test_suite(pkcs1_v15) add_test_suite(pkcs1_v21) add_test_suite(pkcs5) +add_test_suite(pkcs12) add_test_suite(pkparse) add_test_suite(pkwrite) add_test_suite(poly1305) @@ -177,5 +263,5 @@ if (NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR}) link_to_source(data_files) link_to_source(scripts) link_to_source(ssl-opt.sh) - link_to_source(suites) + link_to_source(opt-testcases) endif() diff --git a/tests/Makefile b/tests/Makefile index 5833e6160d7e..20b3941f6a38 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -175,9 +175,10 @@ $(BINARIES): %$(EXEXT): %.c $(MBEDLIBS) $(TEST_OBJS_DEPS) $(MBEDTLS_TEST_OBJS) clean: ifndef WINDOWS - rm -rf $(BINARIES) *.c *.datax TESTS + rm -rf $(BINARIES) *.c *.datax rm -f src/*.o src/drivers/*.o src/libmbed* rm -f include/test/instrument_record_status.h + rm -rf libtestdriver1 else if exist *.c del /Q /F *.c if exist *.exe del /Q /F *.exe @@ -186,9 +187,6 @@ else if exist src/drivers/*.o del /Q /F src/drivers/*.o if exist src/libmbed* del /Q /F src/libmed* if exist include/test/instrument_record_status.h del /Q /F include/test/instrument_record_status.h -ifneq ($(wildcard TESTS/.*),) - rmdir /Q /S TESTS -endif endif neat: clean @@ -204,39 +202,50 @@ check: $(BINARIES) test: check -# Create separate targets for generating embedded tests. -EMBEDDED_TESTS := $(addprefix embedded_,$(APPS)) - -# Generate test code for target. - -.SECONDEXPANSION: -$(EMBEDDED_TESTS): embedded_%: suites/$$(firstword $$(subst ., ,$$*)).function suites/%.data scripts/generate_test_code.py suites/helpers.function suites/main_test.function suites/target_test.function - echo " Gen ./TESTS/mbedtls/$*/$*.c" - $(PYTHON) scripts/generate_test_code.py -f suites/$(firstword $(subst ., ,$*)).function \ - -d suites/$*.data \ - -t suites/main_test.function \ - -p suites/target_test.function \ - -s suites \ - --helpers-file suites/helpers.function \ - -o ./TESTS/mbedtls/$* - -generate-target-tests: $(EMBEDDED_TESTS) - -define copy_header_to_target -TESTS/mbedtls/$(1)/$(2): include/test/$(2) - echo " Copy ./$$@" -ifndef WINDOWS - mkdir -p $$(@D) - cp $$< $$@ -else - mkdir $$(@D) - copy $$< $$@ -endif - +# Generate test library + +# Perl code that is executed to transform each original line from a library +# source file into the corresponding line in the test driver copy of the +# library. Add a LIBTESTDRIVER1_/libtestdriver1_ to mbedtls_xxx and psa_xxx +# symbols. +define libtestdriver1_rewrite := + s!^(\s*#\s*include\s*[\"<])(mbedtls|psa)/!$${1}libtestdriver1/include/$${2}/!; \ + next if /^\s*#\s*include/; \ + s/\b(?=MBEDTLS_|PSA_)/LIBTESTDRIVER1_/g; \ + s/\b(?=mbedtls_|psa_)/libtestdriver1_/g; endef -$(foreach app, $(APPS), $(foreach file, $(notdir $(wildcard include/test/*.h)), \ - $(eval $(call copy_header_to_target,$(app),$(file))))) -$(addprefix embedded_,$(filter test_suite_psa_%, $(APPS))): embedded_%: $(patsubst TESTS/mbedtls/%, include/test/%, $(wildcard include/test/*. include/test/*/*.h)) + +libtestdriver1.a: + # Copy the library and fake a 3rdparty Makefile include. + rm -Rf ./libtestdriver1 + mkdir ./libtestdriver1 + cp -Rf ../library ./libtestdriver1 + cp -Rf ../include ./libtestdriver1 + cp -Rf ../scripts ./libtestdriver1 + mkdir ./libtestdriver1/3rdparty + touch ./libtestdriver1/3rdparty/Makefile.inc + + # Set the test driver base (minimal) configuration. + cp ./include/test/drivers/config_test_driver.h ./libtestdriver1/include/mbedtls/mbedtls_config.h + + # Set the PSA cryptography configuration for the test library. + # It is set from the copied include/psa/crypto_config.h of the Mbed TLS + # library the test library is intended to be linked with extended by + # ./include/test/drivers/crypto_config_test_driver_extension.h to + # mirror the PSA_ACCEL_* macros. + mv ./libtestdriver1/include/psa/crypto_config.h ./libtestdriver1/include/psa/crypto_config.h.bak + head -n -1 ./libtestdriver1/include/psa/crypto_config.h.bak > ./libtestdriver1/include/psa/crypto_config.h + cat ./include/test/drivers/crypto_config_test_driver_extension.h >> ./libtestdriver1/include/psa/crypto_config.h + echo "#endif /* PSA_CRYPTO_CONFIG_H */" >> ./libtestdriver1/include/psa/crypto_config.h + + # Prefix MBEDTLS_* PSA_* symbols with LIBTESTDRIVER1_ as well as + # mbedtls_* psa_* symbols with libtestdriver1_ to avoid symbol clash + # when this test driver library is linked with the Mbed TLS library. + perl -pi -e '$(libtestdriver1_rewrite)' ./libtestdriver1/library/*.[ch] + perl -pi -e '$(libtestdriver1_rewrite)' ./libtestdriver1/include/*/*.h + + $(MAKE) -C ./libtestdriver1/library CFLAGS="-I../../ $(CFLAGS)" LDFLAGS="$(LDFLAGS)" libmbedcrypto.a + cp ./libtestdriver1/library/libmbedcrypto.a ../library/libtestdriver1.a ifdef RECORD_PSA_STATUS_COVERAGE_LOG include/test/instrument_record_status.h: ../include/psa/crypto.h Makefile diff --git a/tests/compat.sh b/tests/compat.sh index 9ebf6bf19498..456d0512be54 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -67,7 +67,7 @@ else fi # default values for options -MODES="tls1_2 dtls1_2" +MODES="tls12 dtls12" VERIFIES="NO YES" TYPES="ECDSA RSA PSK" FILTER="" @@ -155,17 +155,17 @@ log() { # is_dtls <mode> is_dtls() { - test "$1" = "dtls1_2" + test "$1" = "dtls12" } # minor_ver <mode> minor_ver() { case "$1" in - tls1_2|dtls1_2) + tls12|dtls12) echo 3 ;; - tls1_3) + tls13) echo 4 ;; *) @@ -225,7 +225,7 @@ filter_ciphersuites() # supports from the s_server help. (The s_client help isn't # accurate as of 1.0.2g: it supports DTLS 1.2 but doesn't list it. # But the s_server help seems to be accurate.) - if ! $OPENSSL_CMD s_server -help 2>&1 | grep -q "^ *-$MODE "; then + if ! $OPENSSL_CMD s_server -help 2>&1 | grep -q "^ *-$O_MODE "; then M_CIPHERS="" O_CIPHERS="" fi @@ -641,15 +641,18 @@ setup_arguments() { G_MODE="" case "$MODE" in - "tls1_2") + "tls12") G_PRIO_MODE="+VERS-TLS1.2" + O_MODE="tls1_2" ;; - "tls1_3") + "tls13") G_PRIO_MODE="+VERS-TLS1.3" + O_MODE="tls1_3" ;; - "dtls1_2") + "dtls12") G_PRIO_MODE="+VERS-DTLS1.2" G_MODE="-u" + O_MODE="dtls1_2" ;; *) echo "error: invalid mode: $MODE" >&2 @@ -665,12 +668,12 @@ setup_arguments() if [ `minor_ver "$MODE"` -ge 4 ] then - O_SERVER_ARGS="-accept $PORT -ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256 --$MODE" + O_SERVER_ARGS="-accept $PORT -ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256 --$O_MODE" M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE" G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}${G_PRIO_MODE}" else M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE" - O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$MODE" + O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$O_MODE" G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+SHA256:+SHA384:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE" fi @@ -697,7 +700,7 @@ setup_arguments() fi M_CLIENT_ARGS="server_port=$PORT server_addr=127.0.0.1 force_version=$MODE" - O_CLIENT_ARGS="-connect localhost:$PORT -$MODE" + O_CLIENT_ARGS="-connect localhost:$PORT -$O_MODE" G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE" G_CLIENT_PRIO="NONE:$G_PRIO_MODE:+COMP-NULL:+CURVE-ALL:+SIGN-ALL" diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index e86706c8a923..c0ad9b059e90 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -1087,6 +1087,44 @@ cert_md5.crt: cert_md5.csr $(MBEDTLS_CERT_WRITE) request_file=$< serial=6 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20000101121212 not_after=20300101121212 md=MD5 version=3 output_file=$@ all_final += cert_md5.crt +# TLSv1.3 test certificates +ecdsa_secp256r1.key: ec_256_prv.pem + cp $< $@ + +ecdsa_secp256r1.csr: ecdsa_secp256r1.key + $(OPENSSL) req -new -subj "/C=NL/O=PolarSSL/CN=localhost" \ + -key $< -out $@ +all_intermediate += ecdsa_secp256r1.csr +ecdsa_secp256r1.crt: ecdsa_secp256r1.csr + $(OPENSSL) x509 -req -CA $(test_ca_crt_file_ec) -CAkey $(test_ca_key_file_ec) \ + -set_serial 77 -days 3653 -sha384 -in $< -out $@ +all_final += ecdsa_secp256r1.crt ecdsa_secp256r1.key +tls13_certs: ecdsa_secp256r1.crt ecdsa_secp256r1.key + +ecdsa_secp384r1.key: ec_384_prv.pem + cp $< $@ +ecdsa_secp384r1.csr: ecdsa_secp384r1.key + $(OPENSSL) req -new -subj "/C=NL/O=PolarSSL/CN=localhost" \ + -key $< -out $@ +all_intermediate += ecdsa_secp384r1.csr +ecdsa_secp384r1.crt: ecdsa_secp384r1.csr + $(OPENSSL) x509 -req -CA $(test_ca_crt_file_ec) -CAkey $(test_ca_key_file_ec) \ + -set_serial 77 -days 3653 -sha384 -in $< -out $@ +all_final += ecdsa_secp384r1.crt ecdsa_secp384r1.key +tls13_certs: ecdsa_secp384r1.crt ecdsa_secp384r1.key + +ecdsa_secp521r1.key: ec_521_prv.pem + cp $< $@ +ecdsa_secp521r1.csr: ecdsa_secp521r1.key + $(OPENSSL) req -new -subj "/C=NL/O=PolarSSL/CN=localhost" \ + -key $< -out $@ +all_intermediate += ecdsa_secp521r1.csr +ecdsa_secp521r1.crt: ecdsa_secp521r1.csr + $(OPENSSL) x509 -req -CA $(test_ca_crt_file_ec) -CAkey $(test_ca_key_file_ec) \ + -set_serial 77 -days 3653 -sha384 -in $< -out $@ +all_final += ecdsa_secp521r1.crt ecdsa_secp521r1.key +tls13_certs: ecdsa_secp521r1.crt ecdsa_secp521r1.key + ################################################################ #### Diffie-Hellman parameters ################################################################ diff --git a/tests/data_files/ecdsa_secp256r1.crt b/tests/data_files/ecdsa_secp256r1.crt new file mode 100644 index 000000000000..634d24c55986 --- /dev/null +++ b/tests/data_files/ecdsa_secp256r1.crt @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBejCCAQACAU0wCgYIKoZIzj0EAwMwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoM +CFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVDIENBMB4XDTIxMTEz +MDAzMDgwMVoXDTMxMTIwMTAzMDgwMVowNDELMAkGA1UEBhMCTkwxETAPBgNVBAoM +CFBvbGFyU1NMMRIwEAYDVQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjO +PQMBBwNCAAR3cmVvgUs5knnV4fF4H6xvCZo8XKGw41NRg0sItl4LVyWQza+PdpNh +vPNKz8EeXgdOhCa93gS+bmU5RUSWF95FMAoGCCqGSM49BAMDA2gAMGUCMA06tTwD +M1t8Chka41h1JKu4d0RsGk0MoinT9MxTAE/61ScZh5lKspOKrcavJ0maUQIxAIuj +rarmd8+OyftTRp6Wpwwfpskdb7nm44YX6eZu/Odjfq/RAdhIcn4P9QXtOgVrbw== +-----END CERTIFICATE----- diff --git a/tests/data_files/ecdsa_secp256r1.key b/tests/data_files/ecdsa_secp256r1.key new file mode 100644 index 000000000000..e42dd4a6c605 --- /dev/null +++ b/tests/data_files/ecdsa_secp256r1.key @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIEnJqMGMS4hWOMQxzx3xyZQTFgm1gNT9Q6DKsX2y8T7uoAoGCCqGSM49 +AwEHoUQDQgAEd3Jlb4FLOZJ51eHxeB+sbwmaPFyhsONTUYNLCLZeC1clkM2vj3aT +YbzzSs/BHl4HToQmvd4Evm5lOUVElhfeRQ== +-----END EC PRIVATE KEY----- diff --git a/tests/data_files/ecdsa_secp384r1.crt b/tests/data_files/ecdsa_secp384r1.crt new file mode 100644 index 000000000000..ff986a7d9c4e --- /dev/null +++ b/tests/data_files/ecdsa_secp384r1.crt @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBlzCCAR0CAU0wCgYIKoZIzj0EAwMwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoM +CFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVDIENBMB4XDTIxMTEz +MDAzMDgwMVoXDTMxMTIwMTAzMDgwMVowNDELMAkGA1UEBhMCTkwxETAPBgNVBAoM +CFBvbGFyU1NMMRIwEAYDVQQDDAlsb2NhbGhvc3QwdjAQBgcqhkjOPQIBBgUrgQQA +IgNiAATZxmK1C6KcpHmQRQ4EOur08MabFWdtES9iKnHJMFmvmZaRxWgNK0TREVed +sS9KQTou1cRfz7Z7W2PgC5Hr5Z0JprGsLAxCgqoSMX7VkU+Zm8SIuxMug0LMNvLK +XjN5x0cwCgYIKoZIzj0EAwMDaAAwZQIwNypsq0ahwMM7aFSS+RSTloH1D1+gIztz +Yq54Reth6gdh1IO5R5aNZi/YP3uVcI1mAjEAisjjz7vCeKwor+HCq9cBc2rzIlkY +5O6q4SCSgkqiCTnyFIqCassED9NPqho3KYM1 +-----END CERTIFICATE----- diff --git a/tests/data_files/ecdsa_secp384r1.key b/tests/data_files/ecdsa_secp384r1.key new file mode 100644 index 000000000000..7890759b427b --- /dev/null +++ b/tests/data_files/ecdsa_secp384r1.key @@ -0,0 +1,6 @@ +-----BEGIN EC PRIVATE KEY----- +MIGkAgEBBDA/XY2b4oC1aWzFzJ+Uz4r35rYd1lkrKrKzpMYHRQQX7DJ9zcrtfBAF +PXGaBXTwp2qgBwYFK4EEACKhZANiAATZxmK1C6KcpHmQRQ4EOur08MabFWdtES9i +KnHJMFmvmZaRxWgNK0TREVedsS9KQTou1cRfz7Z7W2PgC5Hr5Z0JprGsLAxCgqoS +MX7VkU+Zm8SIuxMug0LMNvLKXjN5x0c= +-----END EC PRIVATE KEY----- diff --git a/tests/data_files/ecdsa_secp521r1.crt b/tests/data_files/ecdsa_secp521r1.crt new file mode 100644 index 000000000000..a08850cba679 --- /dev/null +++ b/tests/data_files/ecdsa_secp521r1.crt @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBvjCCAUMCAU0wCgYIKoZIzj0EAwMwPjELMAkGA1UEBhMCTkwxETAPBgNVBAoM +CFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0IEVDIENBMB4XDTIxMTEz +MDAzMDgwMVoXDTMxMTIwMTAzMDgwMVowNDELMAkGA1UEBhMCTkwxETAPBgNVBAoM +CFBvbGFyU1NMMRIwEAYDVQQDDAlsb2NhbGhvc3QwgZswEAYHKoZIzj0CAQYFK4EE +ACMDgYYABAAd4ULVT2nrA47kt6+dPKB3Nv2c9xnrNU1ph57n88E2+w+/nwj4a+X6 +Eo7BoFHT5sZD6Fraj/rPNmPCYL0shEtvVgDO6OSKnmXQnK3YnyNd7gXzuKZGvnFf +H2fVtDTg/yOh/Afvd0AZPkDu/287zf12WqkVUDNST+TyBfVETiksTC9qwTAKBggq +hkjOPQQDAwNpADBmAjEAlC7039gDSgm9Ba8cCnZLWucXbtCbhRGSvVcoElYke/pu +iwHkD1rVlnUmW3UKG587AjEAkIngapC9Hyc6MePmyafLYoLmbhDJMdR2DM4o+x8e +2ZXUu7uLPTdWBDxmu6plRNis +-----END CERTIFICATE----- diff --git a/tests/data_files/ecdsa_secp521r1.key b/tests/data_files/ecdsa_secp521r1.key new file mode 100644 index 000000000000..144bb44b74db --- /dev/null +++ b/tests/data_files/ecdsa_secp521r1.key @@ -0,0 +1,7 @@ +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIBsbatB7t55zINpZhg6ijgVShPYFjyed5mbgbUNdKve9oo2Z+ke33Q +lj4WsAcweO6LijjZZqWC9G0Z/5XfOtloWq6gBwYFK4EEACOhgYkDgYYABAAd4ULV +T2nrA47kt6+dPKB3Nv2c9xnrNU1ph57n88E2+w+/nwj4a+X6Eo7BoFHT5sZD6Fra +j/rPNmPCYL0shEtvVgDO6OSKnmXQnK3YnyNd7gXzuKZGvnFfH2fVtDTg/yOh/Afv +d0AZPkDu/287zf12WqkVUDNST+TyBfVETiksTC9qwQ== +-----END EC PRIVATE KEY----- diff --git a/tests/docker/bionic/Dockerfile b/tests/docker/bionic/Dockerfile index 41789c677cbd..50f5a7fba8b2 100644 --- a/tests/docker/bionic/Dockerfile +++ b/tests/docker/bionic/Dockerfile @@ -160,7 +160,3 @@ RUN cd /tmp \ ENV GNUTLS_NEXT_CLI=/usr/local/gnutls-3.7.2/bin/gnutls-cli ENV GNUTLS_NEXT_SERV=/usr/local/gnutls-3.7.2/bin/gnutls-serv - -RUN pip3 install --no-cache-dir \ - mbed-host-tests \ - mock diff --git a/tests/dtls13.bash b/tests/dtls13.bash index b5d1c4eaacb8..0339c3cd86f4 100644 --- a/tests/dtls13.bash +++ b/tests/dtls13.bash @@ -560,8 +560,8 @@ echo "*** Default Ciphersuite (PSK, DTLS 1.3) *** " echo "" run_test "PSK" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk" \ 0 \ -s "Protocol is DTLSv1.3" @@ -570,8 +570,8 @@ echo "*** Default Ciphersuite (Public Key, DTLS 1.3) *** " echo "" run_test "ECDHE-ECDSA (server auth only)" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 key_exchange_modes=ecdhe_ecdsa" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 server_name=server.example.com key_exchange_modes=ecdhe_ecdsa" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 key_exchange_modes=ecdhe_ecdsa" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 server_name=server.example.com key_exchange_modes=ecdhe_ecdsa" \ 0 \ -s "Certificate verification was skipped" \ -c "subject name : CN=server.example.com" \ @@ -587,8 +587,8 @@ echo "" # - the PSK-based ciphersuite exchange is executed # - AES-128-CCM is negotiated run_test "TLS_AES_128_CCM_SHA256 with PSK" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 force_ciphersuite=TLS_AES_128_CCM_SHA256 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 force_ciphersuite=TLS_AES_128_CCM_SHA256 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk" \ 0 \ -s "Protocol is DTLSv1.3" \ -s "Ciphersuite is TLS_AES_128_CCM_SHA256" @@ -596,8 +596,8 @@ run_test "TLS_AES_128_CCM_SHA256 with PSK" \ # - the PSK-based ciphersuite exchange is executed # - AES-128-GCM is negotiated run_test "TLS_AES_128_GCM_SHA256 with PSK" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 force_ciphersuite=TLS_AES_128_GCM_SHA256 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 force_ciphersuite=TLS_AES_128_GCM_SHA256 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk" \ 0 \ -s "Protocol is DTLSv1.3" \ -s "Ciphersuite is TLS_AES_128_GCM_SHA256" @@ -606,8 +606,8 @@ run_test "TLS_AES_128_GCM_SHA256 with PSK" \ # - the PSK-based ciphersuite exchange is executed # - AES-128-CCM-8 is negotiated run_test "TLS_AES_128_CCM_8_SHA256 with PSK" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 force_ciphersuite=TLS_AES_128_CCM_8_SHA256 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 force_ciphersuite=TLS_AES_128_CCM_8_SHA256 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk" \ 0 \ -s "Protocol is DTLSv1.3" \ -s "Ciphersuite is TLS_AES_128_CCM_8_SHA256" @@ -616,8 +616,8 @@ run_test "TLS_AES_128_CCM_8_SHA256 with PSK" \ # - the PSK-based ciphersuite exchange is executed # - AES-256-GCM is negotiated run_test "TLS_AES_256_GCM_SHA384 with PSK" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 force_ciphersuite=TLS_AES_256_GCM_SHA384 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 force_ciphersuite=TLS_AES_256_GCM_SHA384 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk" \ 0 \ -s "Protocol is DTLSv1.3" \ -s "Ciphersuite is TLS_AES_256_GCM_SHA384" @@ -630,8 +630,8 @@ echo "" # - the PSK-ECDHE-based ciphersuite exchange is executed # - AES-128-CCM is negotiated run_test "TLS_AES_128_CCM_SHA256 with PSK-ECDHE" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk_dhe" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 force_ciphersuite=TLS_AES_128_CCM_SHA256 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk_dhe" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk_dhe" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 force_ciphersuite=TLS_AES_128_CCM_SHA256 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk_dhe" \ 0 \ -s "Protocol is DTLSv1.3" \ -s "Ciphersuite is TLS_AES_128_CCM_SHA256" @@ -639,8 +639,8 @@ run_test "TLS_AES_128_CCM_SHA256 with PSK-ECDHE" \ # - the PSK-ECDHE-based ciphersuite exchange is executed # - AES-128-GCM is negotiated run_test "TLS_AES_128_GCM_SHA256 with PSK-ECDHE" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk_dhe" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 force_ciphersuite=TLS_AES_128_GCM_SHA256 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk_dhe" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk_dhe" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 force_ciphersuite=TLS_AES_128_GCM_SHA256 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk_dhe" \ 0 \ -s "Protocol is DTLSv1.3" \ -s "Ciphersuite is TLS_AES_128_GCM_SHA256" @@ -648,8 +648,8 @@ run_test "TLS_AES_128_GCM_SHA256 with PSK-ECDHE" \ # - the PSK-ECDHE-based ciphersuite exchange is executed # - AES-128-CCM-8 is negotiated run_test "TLS_AES_128_CCM_8_SHA256 with PSK-ECDHE" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk_dhe" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 force_ciphersuite=TLS_AES_128_CCM_8_SHA256 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk_dhe" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk_dhe" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 force_ciphersuite=TLS_AES_128_CCM_8_SHA256 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk_dhe" \ 0 \ -s "Protocol is DTLSv1.3" \ -s "Ciphersuite is TLS_AES_128_CCM_8_SHA256" @@ -657,8 +657,8 @@ run_test "TLS_AES_128_CCM_8_SHA256 with PSK-ECDHE" \ # - the PSK-ECDHE-based ciphersuite exchange is executed # - AES-256-GCM is negotiated run_test "TLS_AES_256_GCM_SHA384 with PSK-ECDHE" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk_dhe" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 force_ciphersuite=TLS_AES_256_GCM_SHA384 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk_dhe" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk_dhe" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 force_ciphersuite=TLS_AES_256_GCM_SHA384 psk=010203 psk_identity=0a0b0c key_exchange_modes=psk_dhe" \ 0 \ -s "Protocol is DTLSv1.3" \ -s "Ciphersuite is TLS_AES_256_GCM_SHA384" @@ -675,8 +675,8 @@ echo "" # - the ECDHE-ECDSA-based ciphersuite exchange is executed # - AES-128-CCM is negotiated run_test "TLS_AES_128_CCM_SHA256 with ECDHE-ECDSA (server auth only)" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 key_exchange_modes=ecdhe_ecdsa" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 server_name=server.example.com force_ciphersuite=TLS_AES_128_CCM_SHA256 key_exchange_modes=ecdhe_ecdsa" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 key_exchange_modes=ecdhe_ecdsa" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 server_name=server.example.com force_ciphersuite=TLS_AES_128_CCM_SHA256 key_exchange_modes=ecdhe_ecdsa" \ 0 \ -s "Certificate verification was skipped" \ -c "subject name : CN=server.example.com" \ @@ -687,8 +687,8 @@ run_test "TLS_AES_128_CCM_SHA256 with ECDHE-ECDSA (server auth only)" \ # - the ECDHE-ECDSA-based ciphersuite exchange is executed # - AES-128-GCM is negotiated run_test "TLS_AES_128_GCM_SHA256 with ECDHE-ECDSA (server auth only)" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 key_exchange_modes=ecdhe_ecdsa" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 server_name=server.example.com force_ciphersuite=TLS_AES_128_GCM_SHA256 key_exchange_modes=ecdhe_ecdsa" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 key_exchange_modes=ecdhe_ecdsa" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 server_name=server.example.com force_ciphersuite=TLS_AES_128_GCM_SHA256 key_exchange_modes=ecdhe_ecdsa" \ 0 \ -s "Certificate verification was skipped" \ -c "subject name : CN=server.example.com" \ @@ -699,8 +699,8 @@ run_test "TLS_AES_128_GCM_SHA256 with ECDHE-ECDSA (server auth only)" \ # - the ECDHE-ECDSA-based ciphersuite exchange is executed # - AES-128-CCM-8 is negotiated run_test "TLS_AES_128_CCM_8_SHA256 with ECDHE-ECDSA (server auth only)" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 key_exchange_modes=ecdhe_ecdsa" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 server_name=server.example.com force_ciphersuite=TLS_AES_128_CCM_8_SHA256 key_exchange_modes=ecdhe_ecdsa" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 key_exchange_modes=ecdhe_ecdsa" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 server_name=server.example.com force_ciphersuite=TLS_AES_128_CCM_8_SHA256 key_exchange_modes=ecdhe_ecdsa" \ 0 \ -s "Certificate verification was skipped" \ -c "subject name : CN=server.example.com" \ @@ -711,8 +711,8 @@ run_test "TLS_AES_128_CCM_8_SHA256 with ECDHE-ECDSA (server auth only)" \ # - the ECDHE-ECDSA-based ciphersuite exchange is executed # - AES-256-GCM is negotiated run_test "TLS_AES_256_GCM_SHA384 with ECDHE-ECDSA (server auth only)" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 key_exchange_modes=ecdhe_ecdsa" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 server_name=server.example.com force_ciphersuite=TLS_AES_256_GCM_SHA384 key_exchange_modes=ecdhe_ecdsa" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 key_exchange_modes=ecdhe_ecdsa" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 server_name=server.example.com force_ciphersuite=TLS_AES_256_GCM_SHA384 key_exchange_modes=ecdhe_ecdsa" \ 0 \ -s "Certificate verification was skipped" \ -c "subject name : CN=server.example.com" \ @@ -733,8 +733,8 @@ echo "" # - the ECDHE-ECDSA-based ciphersuite exchange is executed # - AES-128-CCM is negotiated run_test "TLS_AES_128_CCM_SHA256 with ECDHE-ECDSA (mutual auth)" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 auth_mode=required key_exchange_modes=ecdhe_ecdsa" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 server_name=server.example.com force_ciphersuite=TLS_AES_128_CCM_SHA256 key_exchange_modes=ecdhe_ecdsa" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 auth_mode=required key_exchange_modes=ecdhe_ecdsa" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 server_name=server.example.com force_ciphersuite=TLS_AES_128_CCM_SHA256 key_exchange_modes=ecdhe_ecdsa" \ 0 \ -s "Verifying peer X.509 certificate... ok" \ -s "subject name : CN=client.example.com" \ @@ -746,8 +746,8 @@ run_test "TLS_AES_128_CCM_SHA256 with ECDHE-ECDSA (mutual auth)" \ # - the ECDHE-ECDSA-based ciphersuite exchange is executed # - AES-128-GCM is negotiated run_test "TLS_AES_128_GCM_SHA256 with ECDHE-ECDSA (mutual auth)" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 auth_mode=required key_exchange_modes=ecdhe_ecdsa" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 server_name=server.example.com force_ciphersuite=TLS_AES_128_GCM_SHA256 key_exchange_modes=ecdhe_ecdsa" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 auth_mode=required key_exchange_modes=ecdhe_ecdsa" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 server_name=server.example.com force_ciphersuite=TLS_AES_128_GCM_SHA256 key_exchange_modes=ecdhe_ecdsa" \ 0 \ -s "Verifying peer X.509 certificate... ok" \ -s "subject name : CN=client.example.com" \ @@ -759,8 +759,8 @@ run_test "TLS_AES_128_GCM_SHA256 with ECDHE-ECDSA (mutual auth)" \ # - the ECDHE-ECDSA-based ciphersuite exchange is executed # - AES-128-CCM-8 is negotiated run_test "TLS_AES_128_CCM_8_SHA256 with ECDHE-ECDSA (mutual auth)" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 auth_mode=required key_exchange_modes=ecdhe_ecdsa" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 server_name=server.example.com force_ciphersuite=TLS_AES_128_CCM_8_SHA256 key_exchange_modes=ecdhe_ecdsa" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 auth_mode=required key_exchange_modes=ecdhe_ecdsa" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 server_name=server.example.com force_ciphersuite=TLS_AES_128_CCM_8_SHA256 key_exchange_modes=ecdhe_ecdsa" \ 0 \ -s "Verifying peer X.509 certificate... ok" \ -s "subject name : CN=client.example.com" \ @@ -772,8 +772,8 @@ run_test "TLS_AES_128_CCM_8_SHA256 with ECDHE-ECDSA (mutual auth)" \ # - the ECDHE-ECDSA-based ciphersuite exchange is executed # - AES-256-GCM is negotiated run_test "TLS_AES_256_GCM_SHA384 with ECDHE-ECDSA (mutual auth)" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 auth_mode=required key_exchange_modes=ecdhe_ecdsa" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 server_name=server.example.com force_ciphersuite=TLS_AES_256_GCM_SHA384 key_exchange_modes=ecdhe_ecdsa" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 auth_mode=required key_exchange_modes=ecdhe_ecdsa" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 server_name=server.example.com force_ciphersuite=TLS_AES_256_GCM_SHA384 key_exchange_modes=ecdhe_ecdsa" \ 0 \ -s "Verifying peer X.509 certificate... ok" \ -s "subject name : CN=client.example.com" \ @@ -798,8 +798,8 @@ echo "" # - Server accepts the lack of client authentication run_test "TLS_AES_128_GCM_SHA256 with ECDHE-ECDSA (empty client certificate)" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 auth_mode=optional key_exchange_modes=ecdhe_ecdsa" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 server_name=server.example.com force_ciphersuite=TLS_AES_128_GCM_SHA256 key_exchange_modes=ecdhe_ecdsa auth_mode=none" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 auth_mode=optional key_exchange_modes=ecdhe_ecdsa" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 server_name=server.example.com force_ciphersuite=TLS_AES_128_GCM_SHA256 key_exchange_modes=ecdhe_ecdsa auth_mode=none" \ 0 \ -s "client has no certificate" \ -c "subject name : CN=server.example.com" \ @@ -814,8 +814,8 @@ run_test "TLS_AES_128_GCM_SHA256 with ECDHE-ECDSA (empty client certificate)" # - Server accepts the lack of client authentication run_test "TLS_AES_128_CCM_SHA256 with ECDHE-ECDSA (empty client certificate)" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 auth_mode=optional key_exchange_modes=ecdhe_ecdsa" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 server_name=server.example.com force_ciphersuite=TLS_AES_128_CCM_SHA256 key_exchange_modes=ecdhe_ecdsa auth_mode=none" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 auth_mode=optional key_exchange_modes=ecdhe_ecdsa" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 server_name=server.example.com force_ciphersuite=TLS_AES_128_CCM_SHA256 key_exchange_modes=ecdhe_ecdsa auth_mode=none" \ 0 \ -s "client has no certificate" \ -c "subject name : CN=server.example.com" \ @@ -837,8 +837,8 @@ run_test "TLS_AES_128_CCM_SHA256 with ECDHE-ECDSA (empty client certificate)" # - Server **DOES NOT** accept the lack of client authentication run_test "TLS_AES_128_GCM_SHA256 with ECDHE-ECDSA (empty client certificate), failed auth due to missing client-side authentication" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 auth_mode=required key_exchange_modes=ecdhe_ecdsa" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 server_name=server.example.com force_ciphersuite=TLS_AES_128_GCM_SHA256 key_exchange_modes=ecdhe_ecdsa auth_mode=none" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 auth_mode=required key_exchange_modes=ecdhe_ecdsa" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 server_name=server.example.com force_ciphersuite=TLS_AES_128_GCM_SHA256 key_exchange_modes=ecdhe_ecdsa auth_mode=none" \ 1 \ -s "mbedtls_ssl_parse_certificate() returned -29824 (-0x7480)" \ -s "client has no certificate" \ @@ -851,8 +851,8 @@ run_test "TLS_AES_128_GCM_SHA256 with ECDHE-ECDSA (empty client certificate), # - Server **DOES NOT** accept the lack of client authentication run_test "TLS_AES_128_CCM_SHA256 with ECDHE-ECDSA (empty client certificate), failed auth due to missing client-side authentication" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 auth_mode=required key_exchange_modes=ecdhe_ecdsa" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 server_name=server.example.com force_ciphersuite=TLS_AES_128_CCM_SHA256 key_exchange_modes=ecdhe_ecdsa auth_mode=none" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 auth_mode=required key_exchange_modes=ecdhe_ecdsa" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 server_name=server.example.com force_ciphersuite=TLS_AES_128_CCM_SHA256 key_exchange_modes=ecdhe_ecdsa auth_mode=none" \ 1 \ -s "mbedtls_ssl_parse_certificate() returned -29824 (-0x7480)" \ -s "client has no certificate" \ @@ -871,8 +871,8 @@ echo "" # - the ECDHE-ECDSA-based ciphersuite exchange is executed # - AES-256-GCM is negotiated run_test "TLS_AES_256_GCM_SHA384 with ECDHE-ECDSA (server auth only)" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 key_exchange_modes=ecdhe_ecdsa ca_file=certs/ca.crt crt_file=certs/server.crt key_file=certs/server.key" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 server_name=localhost force_ciphersuite=TLS_AES_256_GCM_SHA384 key_exchange_modes=ecdhe_ecdsa ca_file=certs/ca.crt crt_file=none key_file=none" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 key_exchange_modes=ecdhe_ecdsa ca_file=certs/ca.crt crt_file=certs/server.crt key_file=certs/server.key" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 server_name=localhost force_ciphersuite=TLS_AES_256_GCM_SHA384 key_exchange_modes=ecdhe_ecdsa ca_file=certs/ca.crt crt_file=none key_file=none" \ 0 \ -s "Verifying peer X.509 certificate... failed" \ -s "Certificate verification was skipped" \ @@ -894,8 +894,8 @@ echo "" # - the ECDHE-ECDSA-based ciphersuite exchange is executed # - AES-128-CCM is negotiated run_test "TLS_AES_128_CCM_SHA256 with ECDHE-ECDSA (mutual auth) with ticket" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 auth_mode=required key_exchange_modes=all tickets=1" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 server_name=server.example.com force_ciphersuite=TLS_AES_128_CCM_SHA256 key_exchange_modes=ecdhe_ecdsa reconnect=1 tickets=1" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 auth_mode=required key_exchange_modes=all tickets=1" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 server_name=server.example.com force_ciphersuite=TLS_AES_128_CCM_SHA256 key_exchange_modes=ecdhe_ecdsa reconnect=1 tickets=1" \ 0 \ -s "Verifying peer X.509 certificate... ok" \ -s "subject name : CN=client.example.com" \ @@ -912,8 +912,8 @@ run_test "TLS_AES_128_CCM_SHA256 with ECDHE-ECDSA (mutual auth) with ticket" # - the ECDHE-ECDSA-based ciphersuite exchange is executed # - AES-128-GCM is negotiated run_test "TLS_AES_128_GCM_SHA256 with ECDHE-ECDSA (mutual auth) with ticket" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 auth_mode=required key_exchange_modes=all tickets=1" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 server_name=server.example.com force_ciphersuite=TLS_AES_128_GCM_SHA256 key_exchange_modes=ecdhe_ecdsa reconnect=1 tickets=1" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 auth_mode=required key_exchange_modes=all tickets=1" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 server_name=server.example.com force_ciphersuite=TLS_AES_128_GCM_SHA256 key_exchange_modes=ecdhe_ecdsa reconnect=1 tickets=1" \ 0 \ -s "Verifying peer X.509 certificate... ok" \ -s "subject name : CN=client.example.com" \ @@ -930,8 +930,8 @@ run_test "TLS_AES_128_GCM_SHA256 with ECDHE-ECDSA (mutual auth) with ticket" # - the ECDHE-ECDSA-based ciphersuite exchange is executed # - AES-128-CCM-8 is negotiated run_test "TLS_AES_128_CCM_8_SHA256 with ECDHE-ECDSA (mutual auth) with ticket" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 auth_mode=required key_exchange_modes=all tickets=1" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 server_name=server.example.com force_ciphersuite=TLS_AES_128_CCM_8_SHA256 key_exchange_modes=ecdhe_ecdsa reconnect=1 tickets=1" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 auth_mode=required key_exchange_modes=all tickets=1" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 server_name=server.example.com force_ciphersuite=TLS_AES_128_CCM_8_SHA256 key_exchange_modes=ecdhe_ecdsa reconnect=1 tickets=1" \ 0 \ -s "Verifying peer X.509 certificate... ok" \ -s "subject name : CN=client.example.com" \ @@ -948,8 +948,8 @@ run_test "TLS_AES_128_CCM_8_SHA256 with ECDHE-ECDSA (mutual auth) with ticket # - the ECDHE-ECDSA-based ciphersuite exchange is executed # - AES-256-GCM is negotiated run_test "TLS_AES_256_GCM_SHA384 with ECDHE-ECDSA (mutual auth) with ticket" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 auth_mode=required key_exchange_modes=all tickets=1" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 server_name=server.example.com force_ciphersuite=TLS_AES_256_GCM_SHA384 key_exchange_modes=ecdhe_ecdsa reconnect=1 tickets=1" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 auth_mode=required key_exchange_modes=all tickets=1" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 server_name=server.example.com force_ciphersuite=TLS_AES_256_GCM_SHA384 key_exchange_modes=ecdhe_ecdsa reconnect=1 tickets=1" \ 0 \ -s "Verifying peer X.509 certificate... ok" \ -s "subject name : CN=client.example.com" \ @@ -972,8 +972,8 @@ echo "" # - the ECDHE-ECDSA-based ciphersuite exchange is executed # - AES-256-GCM is negotiated run_test "TLS_AES_256_GCM_SHA384 with ECDHE-ECDSA (server auth only) with ticket" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 key_exchange_modes=all tickets=1 ca_file=certs/ca.crt crt_file=certs/server.crt key_file=certs/server.key" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 server_name=localhost force_ciphersuite=TLS_AES_256_GCM_SHA384 key_exchange_modes=ecdhe_ecdsa ca_file=certs/ca.crt crt_file=none key_file=none reconnect=1 tickets=1" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 key_exchange_modes=all tickets=1 ca_file=certs/ca.crt crt_file=certs/server.crt key_file=certs/server.key" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 server_name=localhost force_ciphersuite=TLS_AES_256_GCM_SHA384 key_exchange_modes=ecdhe_ecdsa ca_file=certs/ca.crt crt_file=none key_file=none reconnect=1 tickets=1" \ 0 \ -s "Verifying peer X.509 certificate... failed" \ -s "Certificate verification was skipped" \ @@ -1000,8 +1000,8 @@ echo "" # - the PSK-based ciphersuite exchange is executed # - AES-256-GCM with SHA384 is negotiated run_test "TLS_AES_256_GCM_SHA384 with external PSK (+early data)" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 early_data=enabled key_exchange_modes=psk psk=010203 psk_identity=0a0b0c" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 force_ciphersuite=TLS_AES_256_GCM_SHA384 key_exchange_modes=psk early_data=enabled psk=010203 psk_identity=0a0b0c" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 early_data=enabled key_exchange_modes=psk psk=010203 psk_identity=0a0b0c" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 force_ciphersuite=TLS_AES_256_GCM_SHA384 key_exchange_modes=psk early_data=enabled psk=010203 psk_identity=0a0b0c" \ 0 \ -s "found early_data extension" \ -s "Derive Early Secret with 'ext binder'" \ @@ -1016,8 +1016,8 @@ run_test "TLS_AES_256_GCM_SHA384 with external PSK (+early data)" \ # - the PSK-based ciphersuite exchange is executed # - AES-128-CCM with SHA256 is negotiated run_test "TLS_AES_128_CCM_SHA256 with external PSK (+early data)" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 early_data=enabled key_exchange_modes=psk psk=010203 psk_identity=0a0b0c" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 force_ciphersuite=TLS_AES_128_CCM_SHA256 key_exchange_modes=psk early_data=enabled psk=010203 psk_identity=0a0b0c" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 early_data=enabled key_exchange_modes=psk psk=010203 psk_identity=0a0b0c" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 force_ciphersuite=TLS_AES_128_CCM_SHA256 key_exchange_modes=psk early_data=enabled psk=010203 psk_identity=0a0b0c" \ 0 \ -s "found early_data extension" \ -s "Derive Early Secret with 'ext binder'" \ @@ -1033,8 +1033,8 @@ run_test "TLS_AES_128_CCM_SHA256 with external PSK (+early data)" \ # - the PSK-based ciphersuite exchange is executed # - AES-128-GCM with SHA256 is negotiated run_test "TLS_AES_128_GCM_SHA256 with external PSK (+early data)" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 early_data=enabled key_exchange_modes=psk psk=010203 psk_identity=0a0b0c" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 force_ciphersuite=TLS_AES_128_GCM_SHA256 key_exchange_modes=psk early_data=enabled psk=010203 psk_identity=0a0b0c" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 early_data=enabled key_exchange_modes=psk psk=010203 psk_identity=0a0b0c" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 force_ciphersuite=TLS_AES_128_GCM_SHA256 key_exchange_modes=psk early_data=enabled psk=010203 psk_identity=0a0b0c" \ 0 \ -s "found early_data extension" \ -s "Derive Early Secret with 'ext binder'" \ @@ -1049,8 +1049,8 @@ run_test "TLS_AES_128_GCM_SHA256 with external PSK (+early data)" \ # - the PSK-based ciphersuite exchange is executed # - AES-128-CCM-8 with SHA256 is negotiated run_test "TLS_AES_128_CCM_8_SHA256 with external PSK (+early data)" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 early_data=enabled key_exchange_modes=psk psk=010203 psk_identity=0a0b0c" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 force_ciphersuite=TLS_AES_128_CCM_8_SHA256 key_exchange_modes=psk early_data=enabled psk=010203 psk_identity=0a0b0c" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 early_data=enabled key_exchange_modes=psk psk=010203 psk_identity=0a0b0c" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 force_ciphersuite=TLS_AES_128_CCM_8_SHA256 key_exchange_modes=psk early_data=enabled psk=010203 psk_identity=0a0b0c" \ 0 \ -s "found early_data extension" \ -s "Derive Early Secret with 'ext binder'" \ @@ -1073,8 +1073,8 @@ echo "" # - AES-128-CCM-8 is negotiated # - HRR is initiated run_test "TLS_AES_128_CCM_8_SHA256 with ECDHE-ECDSA (mutual auth)" \ - "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 auth_mode=required key_exchange_modes=ecdhe_ecdsa tickets=0 cookies=2" \ - "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls1_3 server_name=server.example.com force_ciphersuite=TLS_AES_128_CCM_8_SHA256 key_exchange_modes=ecdhe_ecdsa" \ + "$P_SRV $MBEDTLS_DEBUG_LEVEL force_version=dtls13 auth_mode=required key_exchange_modes=ecdhe_ecdsa tickets=0 cookies=2" \ + "$P_CLI $MBEDTLS_DEBUG_LEVEL force_version=dtls13 server_name=server.example.com force_ciphersuite=TLS_AES_128_CCM_8_SHA256 key_exchange_modes=ecdhe_ecdsa" \ 0 \ -s "Cookie extension missing. Need to send a HRR." \ -s "write hello retry request" \ diff --git a/tests/include/test/drivers/aead.h b/tests/include/test/drivers/aead.h index 24215601a6ad..33e1f50cdc39 100644 --- a/tests/include/test/drivers/aead.h +++ b/tests/include/test/drivers/aead.h @@ -75,34 +75,34 @@ psa_status_t mbedtls_test_transparent_aead_decrypt( uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length ); psa_status_t mbedtls_test_transparent_aead_encrypt_setup( - mbedtls_psa_aead_operation_t *operation, + mbedtls_transparent_test_driver_aead_operation_t *operation, const psa_key_attributes_t *attributes, const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg ); psa_status_t mbedtls_test_transparent_aead_decrypt_setup( - mbedtls_psa_aead_operation_t *operation, + mbedtls_transparent_test_driver_aead_operation_t *operation, const psa_key_attributes_t *attributes, const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg ); psa_status_t mbedtls_test_transparent_aead_set_nonce( - mbedtls_psa_aead_operation_t *operation, + mbedtls_transparent_test_driver_aead_operation_t *operation, const uint8_t *nonce, size_t nonce_length ); psa_status_t mbedtls_test_transparent_aead_set_lengths( - mbedtls_psa_aead_operation_t *operation, + mbedtls_transparent_test_driver_aead_operation_t *operation, size_t ad_length, size_t plaintext_length ); psa_status_t mbedtls_test_transparent_aead_update_ad( - mbedtls_psa_aead_operation_t *operation, + mbedtls_transparent_test_driver_aead_operation_t *operation, const uint8_t *input, size_t input_length ); psa_status_t mbedtls_test_transparent_aead_update( - mbedtls_psa_aead_operation_t *operation, + mbedtls_transparent_test_driver_aead_operation_t *operation, const uint8_t *input, size_t input_length, uint8_t *output, @@ -110,7 +110,7 @@ psa_status_t mbedtls_test_transparent_aead_update( size_t *output_length ); psa_status_t mbedtls_test_transparent_aead_finish( - mbedtls_psa_aead_operation_t *operation, + mbedtls_transparent_test_driver_aead_operation_t *operation, uint8_t *ciphertext, size_t ciphertext_size, size_t *ciphertext_length, @@ -119,7 +119,7 @@ psa_status_t mbedtls_test_transparent_aead_finish( size_t *tag_length ); psa_status_t mbedtls_test_transparent_aead_verify( - mbedtls_psa_aead_operation_t *operation, + mbedtls_transparent_test_driver_aead_operation_t *operation, uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length, @@ -127,7 +127,7 @@ psa_status_t mbedtls_test_transparent_aead_verify( size_t tag_length ); psa_status_t mbedtls_test_transparent_aead_abort( - mbedtls_psa_aead_operation_t *operation ); + mbedtls_transparent_test_driver_aead_operation_t *operation ); #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_TEST_DRIVERS_AEAD_H */ diff --git a/tests/include/test/drivers/cipher.h b/tests/include/test/drivers/cipher.h index 142f3b7655a2..33a5e66579ca 100644 --- a/tests/include/test/drivers/cipher.h +++ b/tests/include/test/drivers/cipher.h @@ -53,6 +53,7 @@ psa_status_t mbedtls_test_transparent_cipher_encrypt( const psa_key_attributes_t *attributes, const uint8_t *key, size_t key_length, psa_algorithm_t alg, + const uint8_t *iv, size_t iv_length, const uint8_t *input, size_t input_length, uint8_t *output, size_t output_size, size_t *output_length); @@ -98,6 +99,7 @@ psa_status_t mbedtls_test_opaque_cipher_encrypt( const psa_key_attributes_t *attributes, const uint8_t *key, size_t key_length, psa_algorithm_t alg, + const uint8_t *iv, size_t iv_length, const uint8_t *input, size_t input_length, uint8_t *output, size_t output_size, size_t *output_length); diff --git a/tests/include/test/drivers/config_test_driver.h b/tests/include/test/drivers/config_test_driver.h new file mode 100644 index 000000000000..b9ba5fb5f002 --- /dev/null +++ b/tests/include/test/drivers/config_test_driver.h @@ -0,0 +1,57 @@ +/* + * Mbed TLS configuration for PSA test driver libraries. It includes: + * . the minimum set of modules needed by the PSA core. + * . the Mbed TLS configuration options that may need to be additionally + * enabled for the purpose of a specific test. + * . the PSA configuration file for the Mbed TLS library and its test drivers. + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef MBEDTLS_CONFIG_H +#define MBEDTLS_CONFIG_H + +#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE) +#define _CRT_SECURE_NO_DEPRECATE 1 +#endif + +#define MBEDTLS_PSA_CRYPTO_C +#define MBEDTLS_PSA_CRYPTO_CONFIG + +/* PSA core mandatory configuration options */ +#define MBEDTLS_CIPHER_C +#define MBEDTLS_AES_C +#define MBEDTLS_SHA224_C +#define MBEDTLS_SHA256_C +#define MBEDTLS_PSA_BUILTIN_ALG_SHA_256 1 +#define MBEDTLS_CTR_DRBG_C +#define MBEDTLS_ENTROPY_C + +/* + * Configuration options that may need to be additionally enabled for the + * purpose of a specific set of tests. + */ +//#define MBEDTLS_SHA1_C +//#define MBEDTLS_SHA384_C +//#define MBEDTLS_SHA512_C +//#define MBEDTLS_PEM_PARSE_C +//#define MBEDTLS_BASE64_C + +#include "mbedtls/config_psa.h" +#include "mbedtls/check_config.h" + +#endif /* MBEDTLS_CONFIG_H */ diff --git a/tests/include/test/drivers/crypto_config_test_driver_extension.h b/tests/include/test/drivers/crypto_config_test_driver_extension.h new file mode 100644 index 000000000000..927009ad9644 --- /dev/null +++ b/tests/include/test/drivers/crypto_config_test_driver_extension.h @@ -0,0 +1,222 @@ +/** + * This file is intended to be used to build PSA test driver libraries. It is + * intended to be appended by the test build system to the crypto_config.h file + * of the Mbed TLS library the test library will be linked to. It mirrors the + * PSA_ACCEL_* macros defining the cryptographic operations the test library + * supports. + */ + +#if defined(PSA_WANT_ALG_CBC_NO_PADDING) +#if defined(MBEDTLS_PSA_ACCEL_ALG_CBC_NO_PADDING) +#undef MBEDTLS_PSA_ACCEL_ALG_CBC_NO_PADDING +#else +#define MBEDTLS_PSA_ACCEL_ALG_CBC_NO_PADDING 1 +#endif +#endif + +#if defined(PSA_WANT_ALG_CBC_PKCS7) +#if defined(MBEDTLS_PSA_ACCEL_ALG_CBC_PKCS7) +#undef MBEDTLS_PSA_ACCEL_ALG_CBC_PKCS7 +#else +#define MBEDTLS_PSA_ACCEL_ALG_CBC_PKCS7 1 +#endif +#endif + +#if defined(PSA_WANT_ALG_CFB) +#if defined(MBEDTLS_PSA_ACCEL_ALG_CFB) +#undef MBEDTLS_PSA_ACCEL_ALG_CFB +#else +#define MBEDTLS_PSA_ACCEL_ALG_CFB 1 +#endif +#endif + +#if defined(PSA_WANT_ALG_CTR) +#if defined(MBEDTLS_PSA_ACCEL_ALG_CTR) +#undef MBEDTLS_PSA_ACCEL_ALG_CTR +#else +#define MBEDTLS_PSA_ACCEL_ALG_CTR 1 +#endif +#endif + +#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) +#if defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA) +#undef MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA +#else +#define MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA 1 +#endif +#endif + +#if defined(PSA_WANT_ALG_ECDSA) +#if defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) +#undef MBEDTLS_PSA_ACCEL_ALG_ECDSA +#else +#define MBEDTLS_PSA_ACCEL_ALG_ECDSA 1 +#endif +#endif + +#if defined(PSA_WANT_ALG_MD5) +#if defined(MBEDTLS_PSA_ACCEL_ALG_MD5) +#undef MBEDTLS_PSA_ACCEL_ALG_MD5 +#else +#define MBEDTLS_PSA_ACCEL_ALG_MD5 1 +#endif +#endif + +#if defined(PSA_WANT_ALG_OFB) +#if defined(MBEDTLS_PSA_ACCEL_ALG_OFB) +#undef MBEDTLS_PSA_ACCEL_ALG_OFB +#else +#define MBEDTLS_PSA_ACCEL_ALG_OFB 1 +#endif +#endif + +#if defined(PSA_WANT_ALG_RIPEMD160) +#if defined(MBEDTLS_PSA_ACCEL_ALG_RIPEMD160) +#undef MBEDTLS_PSA_ACCEL_ALG_RIPEMD160 +#else +#define MBEDTLS_PSA_ACCEL_ALG_RIPEMD160 1 +#endif +#endif + +#if defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN) +#if defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN) +#undef MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN +#else +#define MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN 1 +#endif +#endif + +#if defined(PSA_WANT_ALG_RSA_PSS) +#if defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PSS) +#undef MBEDTLS_PSA_ACCEL_ALG_RSA_PSS +#else +#define MBEDTLS_PSA_ACCEL_ALG_RSA_PSS 1 +#endif +#endif + +#if defined(PSA_WANT_ALG_SHA_1) +#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_1) +#undef MBEDTLS_PSA_ACCEL_ALG_SHA_1 +#else +#define MBEDTLS_PSA_ACCEL_ALG_SHA_1 1 +#endif +#endif + +#if defined(PSA_WANT_ALG_SHA_224) +#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_224) +#undef MBEDTLS_PSA_ACCEL_ALG_SHA_224 +#else +#define MBEDTLS_PSA_ACCEL_ALG_SHA_224 1 +#endif +#endif + +#if defined(PSA_WANT_ALG_SHA_256) +#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_256) +#undef MBEDTLS_PSA_ACCEL_ALG_SHA_256 +#else +#define MBEDTLS_PSA_ACCEL_ALG_SHA_256 1 +#endif +#endif + +#if defined(PSA_WANT_ALG_SHA_384) +#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_384) +#undef MBEDTLS_PSA_ACCEL_ALG_SHA_384 +#else +#define MBEDTLS_PSA_ACCEL_ALG_SHA_384 1 +#endif +#endif + +#if defined(PSA_WANT_ALG_SHA_512) +#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_512) +#undef MBEDTLS_PSA_ACCEL_ALG_SHA_512 +#else +#define MBEDTLS_PSA_ACCEL_ALG_SHA_512 1 +#endif +#endif + +#if defined(PSA_WANT_ALG_XTS) +#if defined(MBEDTLS_PSA_ACCEL_ALG_XTS) +#undef MBEDTLS_PSA_ACCEL_ALG_XTS +#else +#define MBEDTLS_PSA_ACCEL_ALG_XTS 1 +#endif +#endif + +#if defined(PSA_WANT_KEY_TYPE_AES) +#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_AES) +#undef MBEDTLS_PSA_ACCEL_KEY_TYPE_AES +#else +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_AES 1 +#endif +#endif + +#if defined(PSA_WANT_KEY_TYPE_ARIA) +#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ARIA) +#undef MBEDTLS_PSA_ACCEL_KEY_TYPE_ARIA +#else +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ARIA 1 +#endif +#endif + +#if defined(PSA_WANT_KEY_TYPE_CAMELLIA) +#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA) +#undef MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA +#else +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA 1 +#endif +#endif + +#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) +#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) +#undef MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR +#else +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR 1 +#endif +#endif + +#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) +#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) +#undef MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR +#else +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR 1 +#endif +#endif + +#define MBEDTLS_PSA_ACCEL_ALG_CBC_MAC 1 +#define MBEDTLS_PSA_ACCEL_ALG_CCM 1 +#define MBEDTLS_PSA_ACCEL_ALG_CHACHA20_POLY1305 1 +#define MBEDTLS_PSA_ACCEL_ALG_CMAC 1 +#define MBEDTLS_PSA_ACCEL_ALG_ECB_NO_PADDING 1 +#define MBEDTLS_PSA_ACCEL_ALG_ECDH 1 +#define MBEDTLS_PSA_ACCEL_ALG_GCM 1 +#define MBEDTLS_PSA_ACCEL_ALG_HKDF 1 +#define MBEDTLS_PSA_ACCEL_ALG_HMAC 1 +#define MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP 1 +#define MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT 1 +#define MBEDTLS_PSA_ACCEL_ALG_STREAM_CIPHER 1 +#define MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF 1 +#define MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS 1 + +#if defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) +#define MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_256 1 +#define MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_384 1 +#define MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_512 1 +#define MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_255 1 +#define MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_448 1 +#define MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192 1 +#define MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224 1 +#define MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256 1 +#define MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192 1 +#define MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224 1 +#define MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256 1 +#define MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384 1 +#define MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521 1 +#endif + +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_DERIVE 1 +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_HMAC 1 +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20 1 +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_DES 1 +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY 1 +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RAW_DATA 1 +#define MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY 1 diff --git a/tests/include/test/drivers/hash.h b/tests/include/test/drivers/hash.h index d202c8bf066e..b05fcd79f1de 100644 --- a/tests/include/test/drivers/hash.h +++ b/tests/include/test/drivers/hash.h @@ -70,7 +70,7 @@ psa_status_t mbedtls_test_transparent_hash_finish( size_t *hash_length ); psa_status_t mbedtls_test_transparent_hash_abort( - mbedtls_psa_hash_operation_t *operation ); + mbedtls_transparent_test_driver_hash_operation_t *operation ); #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_TEST_DRIVERS_HASH_H */ diff --git a/tests/include/test/drivers/key_management.h b/tests/include/test/drivers/key_management.h index d147568cdc9c..ba1e04ab7148 100644 --- a/tests/include/test/drivers/key_management.h +++ b/tests/include/test/drivers/key_management.h @@ -66,6 +66,11 @@ size_t mbedtls_test_opaque_size_function( extern mbedtls_test_driver_key_management_hooks_t mbedtls_test_driver_key_management_hooks; +psa_status_t mbedtls_test_transparent_init( void ); +void mbedtls_test_transparent_free( void ); +psa_status_t mbedtls_test_opaque_init( void ); +void mbedtls_test_opaque_free( void ); + psa_status_t mbedtls_test_transparent_generate_key( const psa_key_attributes_t *attributes, uint8_t *key, size_t key_size, size_t *key_length ); @@ -120,6 +125,5 @@ psa_status_t mbedtls_test_opaque_copy_key( size_t target_key_buffer_size, size_t *target_key_buffer_length); - #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_TEST_DRIVERS_KEY_MANAGEMENT_H */ diff --git a/tests/include/test/psa_crypto_helpers.h b/tests/include/test/psa_crypto_helpers.h index 8a8c37e008aa..f5622e2d2d1f 100644 --- a/tests/include/test/psa_crypto_helpers.h +++ b/tests/include/test/psa_crypto_helpers.h @@ -28,7 +28,6 @@ #include "test/psa_helpers.h" #include <psa/crypto.h> -#include <psa_crypto_slot_management.h> #if defined(MBEDTLS_USE_PSA_CRYPTO) #include "mbedtls/psa_util.h" diff --git a/tests/include/test/psa_exercise_key.h b/tests/include/test/psa_exercise_key.h index aa0aeb5afd26..18333a9372de 100644 --- a/tests/include/test/psa_exercise_key.h +++ b/tests/include/test/psa_exercise_key.h @@ -52,6 +52,30 @@ #undef KNOWN_SUPPORTED_HASH_ALG #endif +/** \def KNOWN_MBEDTLS_SUPPORTED_HASH_ALG + * + * A hash algorithm that is known to be supported by Mbed TLS APIs. + * + * This is used in some smoke tests where the hash algorithm is used as + * part of another algorithm like a signature algorithm and the hashing is + * completed through an Mbed TLS hash API, not the PSA one. + */ +#if defined(MBEDTLS_MD5_C) +#define KNOWN_MBEDTLS_SUPPORTED_HASH_ALG PSA_ALG_MD5 +/* MBEDTLS_RIPEMD160_C omitted. This is necessary for the sake of + * exercise_signature_key() because Mbed TLS doesn't support RIPEMD160 + * in RSA PKCS#1v1.5 signatures. A RIPEMD160-only configuration would be + * implausible anyway. */ +#elif defined(MBEDTLS_SHA1_C) +#define KNOWN_MBEDTLS_SUPPORTED_HASH_ALG PSA_ALG_SHA_1 +#elif defined(MBEDTLS_SHA256_C) +#define KNOWN_MBEDTLS_SUPPORTED_HASH_ALG PSA_ALG_SHA_256 +#elif defined(MBEDTLS_SHA512_C) +#define KNOWN_MBEDTLS_SUPPORTED_HASH_ALG PSA_ALG_SHA_512 +#else +#undef KNOWN_MBEDLTS_SUPPORTED_HASH_ALG +#endif + /** \def KNOWN_SUPPORTED_BLOCK_CIPHER * * A block cipher that is known to be supported. diff --git a/tests/opt-testcases/tls13-compat.sh b/tests/opt-testcases/tls13-compat.sh new file mode 100755 index 000000000000..ed606860d997 --- /dev/null +++ b/tests/opt-testcases/tls13-compat.sh @@ -0,0 +1,3476 @@ +#!/bin/sh + +# tls13-compat.sh +# +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# Purpose +# +# List TLS1.3 compat test cases. They are generated by +# `generate_tls13_compat_tests.py -a`. +# +# PLEASE DO NOT EDIT THIS FILE. IF NEEDED, PLEASE MODIFY `generate_tls13_compat_tests.py` +# AND REGENERATE THIS FILE. +# +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_GCM_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_GCM_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AEAD:+AES-128-GCM:+GROUP-SECP256R1:+SHA256:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_GCM_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=secp384r1,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_GCM_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AEAD:+AES-128-GCM:+GROUP-SECP384R1:+SHA256:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=secp384r1,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_GCM_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=secp521r1,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_GCM_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AEAD:+AES-128-GCM:+GROUP-SECP521R1:+SHA256:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=secp521r1,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_GCM_SHA256,x25519,ecdsa_secp256r1_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=x25519,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_GCM_SHA256,x25519,ecdsa_secp256r1_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AEAD:+AES-128-GCM:+GROUP-X25519:+SHA256:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=x25519,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_GCM_SHA256,x448,ecdsa_secp256r1_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=x448,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_GCM_SHA256,x448,ecdsa_secp256r1_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AEAD:+AES-128-GCM:+GROUP-X448:+SHA256:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=x448,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_GCM_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=secp256r1,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_GCM_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-128-GCM:+GROUP-SECP256R1:+SHA256:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=secp256r1,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_GCM_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_GCM_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-128-GCM:+GROUP-SECP384R1:+SHA256:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_GCM_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=secp521r1,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_GCM_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-128-GCM:+GROUP-SECP521R1:+SHA256:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=secp521r1,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_GCM_SHA256,x25519,ecdsa_secp384r1_sha384" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=x25519,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_GCM_SHA256,x25519,ecdsa_secp384r1_sha384" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-128-GCM:+GROUP-X25519:+SHA256:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=x25519,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_GCM_SHA256,x448,ecdsa_secp384r1_sha384" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=x448,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_GCM_SHA256,x448,ecdsa_secp384r1_sha384" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-128-GCM:+GROUP-X448:+SHA256:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=x448,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_GCM_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=secp256r1,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_GCM_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AEAD:+AES-128-GCM:+GROUP-SECP256R1:+SHA256:+SIGN-ECDSA-SECP521R1-SHA512:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=secp256r1,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_GCM_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=secp384r1,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_GCM_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AEAD:+AES-128-GCM:+GROUP-SECP384R1:+SHA256:+SIGN-ECDSA-SECP521R1-SHA512:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=secp384r1,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_GCM_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_GCM_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AEAD:+AES-128-GCM:+GROUP-SECP521R1:+SHA256:+SIGN-ECDSA-SECP521R1-SHA512:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_GCM_SHA256,x25519,ecdsa_secp521r1_sha512" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=x25519,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_GCM_SHA256,x25519,ecdsa_secp521r1_sha512" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AEAD:+AES-128-GCM:+GROUP-X25519:+SHA256:+SIGN-ECDSA-SECP521R1-SHA512:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=x25519,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_GCM_SHA256,x448,ecdsa_secp521r1_sha512" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=x448,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_GCM_SHA256,x448,ecdsa_secp521r1_sha512" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AEAD:+AES-128-GCM:+GROUP-X448:+SHA256:+SIGN-ECDSA-SECP521R1-SHA512:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=x448,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->O: TLS_AES_128_GCM_SHA256,secp256r1,rsa_pss_rsae_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->G: TLS_AES_128_GCM_SHA256,secp256r1,rsa_pss_rsae_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AEAD:+AES-128-GCM:+GROUP-SECP256R1:+SHA256:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->O: TLS_AES_128_GCM_SHA256,secp384r1,rsa_pss_rsae_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->G: TLS_AES_128_GCM_SHA256,secp384r1,rsa_pss_rsae_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AEAD:+AES-128-GCM:+GROUP-SECP384R1:+SHA256:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->O: TLS_AES_128_GCM_SHA256,secp521r1,rsa_pss_rsae_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->G: TLS_AES_128_GCM_SHA256,secp521r1,rsa_pss_rsae_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AEAD:+AES-128-GCM:+GROUP-SECP521R1:+SHA256:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->O: TLS_AES_128_GCM_SHA256,x25519,rsa_pss_rsae_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=x25519" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->G: TLS_AES_128_GCM_SHA256,x25519,rsa_pss_rsae_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AEAD:+AES-128-GCM:+GROUP-X25519:+SHA256:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=x25519" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->O: TLS_AES_128_GCM_SHA256,x448,rsa_pss_rsae_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=x448" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->G: TLS_AES_128_GCM_SHA256,x448,rsa_pss_rsae_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AEAD:+AES-128-GCM:+GROUP-X448:+SHA256:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=x448" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,secp256r1,ecdsa_secp256r1_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 curves=secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,secp256r1,ecdsa_secp256r1_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-SECP256R1:+SHA384:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 curves=secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,secp384r1,ecdsa_secp256r1_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 curves=secp384r1,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,secp384r1,ecdsa_secp256r1_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-SECP384R1:+SHA384:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 curves=secp384r1,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,secp521r1,ecdsa_secp256r1_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 curves=secp521r1,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,secp521r1,ecdsa_secp256r1_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-SECP521R1:+SHA384:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 curves=secp521r1,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,x25519,ecdsa_secp256r1_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 curves=x25519,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,x25519,ecdsa_secp256r1_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-X25519:+SHA384:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 curves=x25519,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,x448,ecdsa_secp256r1_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 curves=x448,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,x448,ecdsa_secp256r1_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-X448:+SHA384:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 curves=x448,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,secp256r1,ecdsa_secp384r1_sha384" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp256r1,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,secp256r1,ecdsa_secp384r1_sha384" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-SECP256R1:+SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp256r1,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,secp384r1,ecdsa_secp384r1_sha384" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,secp384r1,ecdsa_secp384r1_sha384" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-SECP384R1:+SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,secp521r1,ecdsa_secp384r1_sha384" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp521r1,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,secp521r1,ecdsa_secp384r1_sha384" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-SECP521R1:+SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp521r1,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,x25519,ecdsa_secp384r1_sha384" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=x25519,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,x25519,ecdsa_secp384r1_sha384" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-X25519:+SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=x25519,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,x448,ecdsa_secp384r1_sha384" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=x448,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,x448,ecdsa_secp384r1_sha384" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-X448:+SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=x448,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,secp256r1,ecdsa_secp521r1_sha512" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 curves=secp256r1,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,secp256r1,ecdsa_secp521r1_sha512" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-SECP256R1:+SHA384:+SIGN-ECDSA-SECP521R1-SHA512:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 curves=secp256r1,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,secp384r1,ecdsa_secp521r1_sha512" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 curves=secp384r1,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,secp384r1,ecdsa_secp521r1_sha512" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-SECP384R1:+SHA384:+SIGN-ECDSA-SECP521R1-SHA512:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 curves=secp384r1,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,secp521r1,ecdsa_secp521r1_sha512" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 curves=secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,secp521r1,ecdsa_secp521r1_sha512" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-SECP521R1:+SHA384:+SIGN-ECDSA-SECP521R1-SHA512:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 curves=secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,x25519,ecdsa_secp521r1_sha512" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 curves=x25519,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,x25519,ecdsa_secp521r1_sha512" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-X25519:+SHA384:+SIGN-ECDSA-SECP521R1-SHA512:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 curves=x25519,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,x448,ecdsa_secp521r1_sha512" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 curves=x448,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,x448,ecdsa_secp521r1_sha512" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-X448:+SHA384:+SIGN-ECDSA-SECP521R1-SHA512:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 curves=x448,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,secp256r1,rsa_pss_rsae_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 curves=secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,secp256r1,rsa_pss_rsae_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-SECP256R1:+SHA384:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 curves=secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,secp384r1,rsa_pss_rsae_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 curves=secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,secp384r1,rsa_pss_rsae_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-SECP384R1:+SHA384:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 curves=secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,secp521r1,rsa_pss_rsae_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 curves=secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,secp521r1,rsa_pss_rsae_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-SECP521R1:+SHA384:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 curves=secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,x25519,rsa_pss_rsae_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 curves=x25519" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,x25519,rsa_pss_rsae_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-X25519:+SHA384:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 curves=x25519" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,x448,rsa_pss_rsae_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 curves=x448" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,x448,rsa_pss_rsae_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-X448:+SHA384:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 curves=x448" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AEAD:+CHACHA20-POLY1305:+GROUP-SECP256R1:+SHA256:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=secp384r1,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AEAD:+CHACHA20-POLY1305:+GROUP-SECP384R1:+SHA256:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=secp384r1,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=secp521r1,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AEAD:+CHACHA20-POLY1305:+GROUP-SECP521R1:+SHA256:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=secp521r1,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp256r1_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=x25519,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp256r1_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AEAD:+CHACHA20-POLY1305:+GROUP-X25519:+SHA256:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=x25519,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_CHACHA20_POLY1305_SHA256,x448,ecdsa_secp256r1_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=x448,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_CHACHA20_POLY1305_SHA256,x448,ecdsa_secp256r1_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AEAD:+CHACHA20-POLY1305:+GROUP-X448:+SHA256:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=x448,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=secp256r1,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+CHACHA20-POLY1305:+GROUP-SECP256R1:+SHA256:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=secp256r1,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+CHACHA20-POLY1305:+GROUP-SECP384R1:+SHA256:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=secp521r1,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+CHACHA20-POLY1305:+GROUP-SECP521R1:+SHA256:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=secp521r1,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp384r1_sha384" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=x25519,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp384r1_sha384" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+CHACHA20-POLY1305:+GROUP-X25519:+SHA256:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=x25519,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_CHACHA20_POLY1305_SHA256,x448,ecdsa_secp384r1_sha384" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=x448,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_CHACHA20_POLY1305_SHA256,x448,ecdsa_secp384r1_sha384" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+CHACHA20-POLY1305:+GROUP-X448:+SHA256:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=x448,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -accept $SRV_PORT -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=secp256r1,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AEAD:+CHACHA20-POLY1305:+GROUP-SECP256R1:+SHA256:+SIGN-ECDSA-SECP521R1-SHA512:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=secp256r1,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -accept $SRV_PORT -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=secp384r1,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AEAD:+CHACHA20-POLY1305:+GROUP-SECP384R1:+SHA256:+SIGN-ECDSA-SECP521R1-SHA512:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=secp384r1,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -accept $SRV_PORT -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AEAD:+CHACHA20-POLY1305:+GROUP-SECP521R1:+SHA256:+SIGN-ECDSA-SECP521R1-SHA512:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp521r1_sha512" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -accept $SRV_PORT -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=x25519,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp521r1_sha512" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AEAD:+CHACHA20-POLY1305:+GROUP-X25519:+SHA256:+SIGN-ECDSA-SECP521R1-SHA512:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=x25519,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_CHACHA20_POLY1305_SHA256,x448,ecdsa_secp521r1_sha512" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -accept $SRV_PORT -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=x448,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_CHACHA20_POLY1305_SHA256,x448,ecdsa_secp521r1_sha512" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AEAD:+CHACHA20-POLY1305:+GROUP-X448:+SHA256:+SIGN-ECDSA-SECP521R1-SHA512:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=x448,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->O: TLS_CHACHA20_POLY1305_SHA256,secp256r1,rsa_pss_rsae_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->G: TLS_CHACHA20_POLY1305_SHA256,secp256r1,rsa_pss_rsae_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AEAD:+CHACHA20-POLY1305:+GROUP-SECP256R1:+SHA256:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->O: TLS_CHACHA20_POLY1305_SHA256,secp384r1,rsa_pss_rsae_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->G: TLS_CHACHA20_POLY1305_SHA256,secp384r1,rsa_pss_rsae_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AEAD:+CHACHA20-POLY1305:+GROUP-SECP384R1:+SHA256:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->O: TLS_CHACHA20_POLY1305_SHA256,secp521r1,rsa_pss_rsae_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->G: TLS_CHACHA20_POLY1305_SHA256,secp521r1,rsa_pss_rsae_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AEAD:+CHACHA20-POLY1305:+GROUP-SECP521R1:+SHA256:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->O: TLS_CHACHA20_POLY1305_SHA256,x25519,rsa_pss_rsae_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=x25519" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->G: TLS_CHACHA20_POLY1305_SHA256,x25519,rsa_pss_rsae_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AEAD:+CHACHA20-POLY1305:+GROUP-X25519:+SHA256:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=x25519" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->O: TLS_CHACHA20_POLY1305_SHA256,x448,rsa_pss_rsae_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=x448" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->G: TLS_CHACHA20_POLY1305_SHA256,x448,rsa_pss_rsae_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AEAD:+CHACHA20-POLY1305:+GROUP-X448:+SHA256:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=x448" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AEAD:+AES-128-CCM:+GROUP-SECP256R1:+SHA256:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=secp384r1,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AEAD:+AES-128-CCM:+GROUP-SECP384R1:+SHA256:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=secp384r1,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=secp521r1,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AEAD:+AES-128-CCM:+GROUP-SECP521R1:+SHA256:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=secp521r1,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_SHA256,x25519,ecdsa_secp256r1_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=x25519,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_SHA256,x25519,ecdsa_secp256r1_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AEAD:+AES-128-CCM:+GROUP-X25519:+SHA256:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=x25519,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_SHA256,x448,ecdsa_secp256r1_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=x448,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_SHA256,x448,ecdsa_secp256r1_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AEAD:+AES-128-CCM:+GROUP-X448:+SHA256:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=x448,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=secp256r1,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-128-CCM:+GROUP-SECP256R1:+SHA256:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=secp256r1,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-128-CCM:+GROUP-SECP384R1:+SHA256:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=secp521r1,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-128-CCM:+GROUP-SECP521R1:+SHA256:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=secp521r1,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_SHA256,x25519,ecdsa_secp384r1_sha384" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=x25519,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_SHA256,x25519,ecdsa_secp384r1_sha384" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-128-CCM:+GROUP-X25519:+SHA256:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=x25519,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_SHA256,x448,ecdsa_secp384r1_sha384" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=x448,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_SHA256,x448,ecdsa_secp384r1_sha384" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-128-CCM:+GROUP-X448:+SHA256:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=x448,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=secp256r1,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AEAD:+AES-128-CCM:+GROUP-SECP256R1:+SHA256:+SIGN-ECDSA-SECP521R1-SHA512:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=secp256r1,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=secp384r1,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AEAD:+AES-128-CCM:+GROUP-SECP384R1:+SHA256:+SIGN-ECDSA-SECP521R1-SHA512:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=secp384r1,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AEAD:+AES-128-CCM:+GROUP-SECP521R1:+SHA256:+SIGN-ECDSA-SECP521R1-SHA512:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_SHA256,x25519,ecdsa_secp521r1_sha512" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=x25519,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_SHA256,x25519,ecdsa_secp521r1_sha512" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AEAD:+AES-128-CCM:+GROUP-X25519:+SHA256:+SIGN-ECDSA-SECP521R1-SHA512:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=x25519,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_SHA256,x448,ecdsa_secp521r1_sha512" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=x448,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_SHA256,x448,ecdsa_secp521r1_sha512" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AEAD:+AES-128-CCM:+GROUP-X448:+SHA256:+SIGN-ECDSA-SECP521R1-SHA512:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=x448,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_SHA256,secp256r1,rsa_pss_rsae_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_SHA256,secp256r1,rsa_pss_rsae_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AEAD:+AES-128-CCM:+GROUP-SECP256R1:+SHA256:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_SHA256,secp384r1,rsa_pss_rsae_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_SHA256,secp384r1,rsa_pss_rsae_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AEAD:+AES-128-CCM:+GROUP-SECP384R1:+SHA256:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_SHA256,secp521r1,rsa_pss_rsae_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_SHA256,secp521r1,rsa_pss_rsae_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AEAD:+AES-128-CCM:+GROUP-SECP521R1:+SHA256:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_SHA256,x25519,rsa_pss_rsae_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=x25519" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_SHA256,x25519,rsa_pss_rsae_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AEAD:+AES-128-CCM:+GROUP-X25519:+SHA256:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=x25519" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_SHA256,x448,rsa_pss_rsae_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=x448" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_SHA256,x448,rsa_pss_rsae_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AEAD:+AES-128-CCM:+GROUP-X448:+SHA256:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=x448" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AEAD:+AES-128-CCM-8:+GROUP-SECP256R1:+SHA256:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=secp384r1,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AEAD:+AES-128-CCM-8:+GROUP-SECP384R1:+SHA256:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=secp384r1,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=secp521r1,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AEAD:+AES-128-CCM-8:+GROUP-SECP521R1:+SHA256:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=secp521r1,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_8_SHA256,x25519,ecdsa_secp256r1_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=x25519,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_8_SHA256,x25519,ecdsa_secp256r1_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AEAD:+AES-128-CCM-8:+GROUP-X25519:+SHA256:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=x25519,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_8_SHA256,x448,ecdsa_secp256r1_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=x448,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_8_SHA256,x448,ecdsa_secp256r1_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AEAD:+AES-128-CCM-8:+GROUP-X448:+SHA256:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 curves=x448,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0403 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=secp256r1,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-128-CCM-8:+GROUP-SECP256R1:+SHA256:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=secp256r1,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-128-CCM-8:+GROUP-SECP384R1:+SHA256:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=secp521r1,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-128-CCM-8:+GROUP-SECP521R1:+SHA256:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=secp521r1,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_8_SHA256,x25519,ecdsa_secp384r1_sha384" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=x25519,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_8_SHA256,x25519,ecdsa_secp384r1_sha384" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-128-CCM-8:+GROUP-X25519:+SHA256:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=x25519,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_8_SHA256,x448,ecdsa_secp384r1_sha384" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=x448,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_8_SHA256,x448,ecdsa_secp384r1_sha384" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-128-CCM-8:+GROUP-X448:+SHA256:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 curves=x448,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0503 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=secp256r1,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AEAD:+AES-128-CCM-8:+GROUP-SECP256R1:+SHA256:+SIGN-ECDSA-SECP521R1-SHA512:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=secp256r1,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=secp384r1,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AEAD:+AES-128-CCM-8:+GROUP-SECP384R1:+SHA256:+SIGN-ECDSA-SECP521R1-SHA512:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=secp384r1,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AEAD:+AES-128-CCM-8:+GROUP-SECP521R1:+SHA256:+SIGN-ECDSA-SECP521R1-SHA512:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_8_SHA256,x25519,ecdsa_secp521r1_sha512" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=x25519,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_8_SHA256,x25519,ecdsa_secp521r1_sha512" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AEAD:+AES-128-CCM-8:+GROUP-X25519:+SHA256:+SIGN-ECDSA-SECP521R1-SHA512:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=x25519,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_8_SHA256,x448,ecdsa_secp521r1_sha512" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=x448,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_8_SHA256,x448,ecdsa_secp521r1_sha512" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AEAD:+AES-128-CCM-8:+GROUP-X448:+SHA256:+SIGN-ECDSA-SECP521R1-SHA512:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 curves=x448,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0603 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_8_SHA256,secp256r1,rsa_pss_rsae_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_8_SHA256,secp256r1,rsa_pss_rsae_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AEAD:+AES-128-CCM-8:+GROUP-SECP256R1:+SHA256:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp256r1" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_8_SHA256,secp384r1,rsa_pss_rsae_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_8_SHA256,secp384r1,rsa_pss_rsae_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AEAD:+AES-128-CCM-8:+GROUP-SECP384R1:+SHA256:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp384r1" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_8_SHA256,secp521r1,rsa_pss_rsae_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_8_SHA256,secp521r1,rsa_pss_rsae_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AEAD:+AES-128-CCM-8:+GROUP-SECP521R1:+SHA256:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: secp521r1" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_8_SHA256,x25519,rsa_pss_rsae_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=x25519" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_8_SHA256,x25519,rsa_pss_rsae_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AEAD:+AES-128-CCM-8:+GROUP-X25519:+SHA256:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=x25519" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x25519" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->O: TLS_AES_128_CCM_8_SHA256,x448,rsa_pss_rsae_sha256" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=x448" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT +run_test "TLS 1.3 m->G: TLS_AES_128_CCM_8_SHA256,x448,rsa_pss_rsae_sha256" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AEAD:+AES-128-CCM-8:+GROUP-X448:+SHA256:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 curves=x448" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "ECDH curve: x448" \ + -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ + -c "Certificate Verify: Signature algorithm ( 0804 )" \ + -c "Verifying peer X.509 certificate... ok" diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index ec2e0fd388a7..2fdc4a85c862 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -292,7 +292,8 @@ cleanup() -iname CMakeFiles -exec rm -rf {} \+ -o \ \( -iname cmake_install.cmake -o \ -iname CTestTestfile.cmake -o \ - -iname CMakeCache.txt \) -exec rm -f {} \+ + -iname CMakeCache.txt -o \ + -path './cmake/*.cmake' \) -exec rm -f {} \+ # Recover files overwritten by in-tree CMake builds rm -f include/Makefile include/mbedtls/Makefile programs/*/Makefile @@ -998,7 +999,16 @@ component_test_psa_crypto_rsa_no_genprime() { component_test_ref_configs () { msg "test/build: ref-configs (ASan build)" # ~ 6 min 20s - CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . + # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake + # want to re-generate generated files that depend on it, quite correctly. + # However this doesn't work as the generation script expects a specific + # format for mbedtls_config.h, which the other files don't follow. Also, + # cmake can't know this, but re-generation is actually not necessary as + # the generated files only depend on the list of available options, not + # whether they're on or off. So, disable cmake's (over-sensitive here) + # dependency resolution for generated files and just rely on them being + # present (thanks to pre_generate_files) by turning GEN_FILES off. + CC=gcc cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . tests/scripts/test-ref-configs.pl } @@ -1069,7 +1079,7 @@ component_test_no_ctr_drbg_classic () { tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server' msg "test: Full minus CTR_DRBG, classic crypto - compat.sh (subset)" - tests/compat.sh -m tls1_2 -t 'ECDSA PSK' -V NO -p OpenSSL + tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL } component_test_no_ctr_drbg_use_psa () { @@ -1091,7 +1101,7 @@ component_test_no_ctr_drbg_use_psa () { tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server' msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - compat.sh (subset)" - tests/compat.sh -m tls1_2 -t 'ECDSA PSK' -V NO -p OpenSSL + tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL } component_test_no_hmac_drbg_classic () { @@ -1118,7 +1128,7 @@ component_test_no_hmac_drbg_classic () { # To save time, only test one protocol version, since this part of # the protocol is identical in (D)TLS up to 1.2. msg "test: Full minus HMAC_DRBG, classic crypto - compat.sh (ECDSA)" - tests/compat.sh -m tls1_2 -t 'ECDSA' + tests/compat.sh -m tls12 -t 'ECDSA' } component_test_no_hmac_drbg_use_psa () { @@ -1145,7 +1155,7 @@ component_test_no_hmac_drbg_use_psa () { # To save time, only test one protocol version, since this part of # the protocol is identical in (D)TLS up to 1.2. msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - compat.sh (ECDSA)" - tests/compat.sh -m tls1_2 -t 'ECDSA' + tests/compat.sh -m tls12 -t 'ECDSA' } component_test_psa_external_rng_no_drbg_classic () { @@ -1295,7 +1305,7 @@ component_test_psa_collect_statuses () { component_test_full_cmake_clang () { msg "build: cmake, full config, clang" # ~ 50s scripts/config.py full - CC=clang cmake -D CMAKE_BUILD_TYPE:String=Check -D ENABLE_TESTING=On . + CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release -D ENABLE_TESTING=On . make msg "test: main suites (full config, clang)" # ~ 5s @@ -1521,6 +1531,7 @@ component_test_no_use_psa_crypto_full_cmake_asan() { scripts/config.py set MBEDTLS_ECP_RESTARTABLE # not using PSA, so enable restartable ECC scripts/config.py unset MBEDTLS_PSA_CRYPTO_C scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C @@ -1543,15 +1554,176 @@ component_test_no_use_psa_crypto_full_cmake_asan() { env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' } -component_test_psa_crypto_config_basic() { - # Test the library excluding all Mbed TLS cryptographic support for which - # we have an accelerator support. Acceleration is faked with the - # transparent test driver. - msg "test: full + MBEDTLS_PSA_CRYPTO_CONFIG + as much acceleration as supported" - scripts/config.py full - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG +component_test_psa_crypto_config_accel_ecdsa () { + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA" + + # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having + # partial support for cipher operations in the driver test library. + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING + + # SHA384 needed for some ECDSA signature tests. + scripts/config.py -f tests/include/test/drivers/config_test_driver.h set MBEDTLS_SHA384_C + scripts/config.py -f tests/include/test/drivers/config_test_driver.h set MBEDTLS_SHA512_C + + loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA KEY_TYPE_ECC_KEY_PAIR KEY_TYPE_ECC_PUBLIC_KEY" + loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) + make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" + + # Restore test driver base configuration + scripts/config.py -f tests/include/test/drivers/config_test_driver.h unset MBEDTLS_SHA384_C + scripts/config.py -f tests/include/test/drivers/config_test_driver.h unset MBEDTLS_SHA512_C + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_ECDSA_C + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED + + loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" + make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include -I../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" + + unset loc_accel_flags + unset loc_accel_list + + if_build_succeeded not grep mbedtls_ecdsa_ library/ecdsa.o + + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA" + make test +} + +component_test_psa_crypto_config_accel_rsa_signature () { + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated RSA signature" + + # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having + # partial support for cipher operations in the driver test library. + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING + + # It seems it is not possible to remove only the support for RSA signature + # in the library. Thus we have to remove all RSA support (signature and + # encryption/decryption). AS there is no driver support for asymmetric + # encryption/decryption so far remove RSA encryption/decryption from the + # application algorithm list. + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_OAEP + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT + + # Make sure both the library and the test library support the SHA hash + # algorithms and only those ones (SHA256 is included by default). That way: + # - the test library can compute the RSA signatures even in the case of a + # composite RSA signature algorithm based on a SHA hash (no other hash + # used in the unit tests). + # - the dependency of RSA signature tests on PSA_WANT_ALG_SHA_xyz is + # fulfilled as the hash SHA algorithm is supported by the library, and + # thus the tests are run, not skipped. + # - when testing a signature key with an algorithm wildcard built from + # PSA_ALG_ANY_HASH as algorithm to test with the key, the chosen hash + # algorithm based on the hashes supported by the library is also + # supported by the test library. + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_MD5 + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RIPEMD160_C + + scripts/config.py -f tests/include/test/drivers/config_test_driver.h set MBEDTLS_SHA1_C + scripts/config.py -f tests/include/test/drivers/config_test_driver.h set MBEDTLS_SHA512_C + # We need PEM parsing in the test library as well to support the import + # of PEM encoded RSA keys. + scripts/config.py -f tests/include/test/drivers/config_test_driver.h set MBEDTLS_PEM_PARSE_C + scripts/config.py -f tests/include/test/drivers/config_test_driver.h set MBEDTLS_BASE64_C + + loc_accel_list="ALG_RSA_PKCS1V15_SIGN ALG_RSA_PSS KEY_TYPE_RSA_KEY_PAIR KEY_TYPE_RSA_PUBLIC_KEY" + loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) + make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" + + # Restore test driver base configuration + scripts/config.py -f tests/include/test/drivers/config_test_driver.h unset MBEDTLS_SHA1_C + scripts/config.py -f tests/include/test/drivers/config_test_driver.h unset MBEDTLS_SHA512_C + scripts/config.py -f tests/include/test/drivers/config_test_driver.h unset MBEDTLS_PEM_PARSE_C + scripts/config.py -f tests/include/test/drivers/config_test_driver.h unset MBEDTLS_BASE64_C + + + # Mbed TLS library build + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + + # Remove RSA support and its dependencies + scripts/config.py unset MBEDTLS_PKCS1_V15 + scripts/config.py unset MBEDTLS_PKCS1_V21 + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED + scripts/config.py unset MBEDTLS_RSA_C + scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT + + scripts/config.py unset MBEDTLS_MD5_C + scripts/config.py unset MBEDTLS_RIPEMD160_C + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1 + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_1 + scripts/config.py unset MBEDTLS_SSL_CBC_RECORD_SPLITTING + + loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" + make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" + + unset loc_accel_flags + unset loc_accel_list + + if_build_succeeded not grep mbedtls_rsa_rsassa_pkcs1_v15_sign library/rsa.o + if_build_succeeded not grep mbedtls_rsa_rsassa_pss_sign_ext library/rsa.o + + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated RSA signature" + make test +} + +component_test_psa_crypto_config_accel_hash () { + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash" + + # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having + # partial support for cipher operations in the driver test library. + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING + + loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512" + loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) + make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" + + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + scripts/config.py unset MBEDTLS_MD5_C + scripts/config.py unset MBEDTLS_RIPEMD160_C + scripts/config.py unset MBEDTLS_SHA1_C + # Don't unset MBEDTLS_SHA256_C as it is needed by PSA crypto core. + scripts/config.py unset MBEDTLS_SHA384_C + scripts/config.py unset MBEDTLS_SHA512_C + # Unset MBEDTLS_SSL_PROTO_SSL3, MBEDTLS_SSL_PROTO_TLS1 and MBEDTLS_SSL_PROTO_TLS1_1 as they depend on MBEDTLS_SHA1_C + scripts/config.py unset MBEDTLS_SSL_PROTO_SSL3 + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1 + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_1 + # Unset MBEDTLS_SSL_CBC_RECORD_SPLITTING as it depends on MBEDTLS_SSL_PROTO_TLS1 in the default configuration. + scripts/config.py unset MBEDTLS_SSL_CBC_RECORD_SPLITTING + loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" + make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" + + unset loc_accel_flags + unset loc_accel_list + + if_build_succeeded not grep mbedtls_sha512_init library/sha512.o + if_build_succeeded not grep mbedtls_sha1_init library/sha1.o + + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash" + make test +} + +component_test_psa_crypto_config_accel_cipher () { + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated cipher" + + loc_accel_list="ALG_CBC_NO_PADDING ALG_CBC_PKCS7 ALG_CTR ALG_CFB ALG_OFB ALG_XTS KEY_TYPE_DES" + loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) + make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" + + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG # There is no intended accelerator support for ALG STREAM_CIPHER and # ALG_ECB_NO_PADDING. Therefore, asking for them in the build implies the @@ -1560,26 +1732,25 @@ component_test_psa_crypto_config_basic() { # PSA configuration options. scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_CMAC - # Don't test DES encryption as: - # 1) It is not an issue if we don't test all cipher types here. - # 2) That way we don't have to modify in psa_crypto.c the compilation - # guards MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES for the code they guard to be - # available to the test driver. Modifications that we would need to - # revert when we move to compile the test driver separately. - # We also disable MBEDTLS_DES_C as the dependencies on DES in PSA test - # suites are still based on MBEDTLS_DES_C and not PSA_WANT_KEY_TYPE_DES. - scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_KEY_TYPE_DES + scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC + scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7 + scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR + scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB + scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB + scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS scripts/config.py unset MBEDTLS_DES_C - loc_cflags="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST_ALL" - loc_cflags="${loc_cflags} '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'" - loc_cflags="${loc_cflags} -I../tests/include -O2" + loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" + make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" - make CC=gcc CFLAGS="$loc_cflags" LDFLAGS="$ASAN_CFLAGS" - unset loc_cflags + unset loc_accel_flags + unset loc_accel_list - msg "test: full + MBEDTLS_PSA_CRYPTO_CONFIG" + if_build_succeeded not grep mbedtls_des* library/des.o + + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash" make test } @@ -1696,8 +1867,8 @@ component_build_psa_accel_alg_hkdf() { scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_HKDF_C - # Make sure to unset TLS1_3_EXPERIMENTAL since it requires HKDF_C and will not build properly without it. - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL + # Make sure to unset TLS1_3 since it requires HKDF_C and will not build properly without it. + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 # Need to define the correct symbol and include the test driver header path in order to build with the test driver make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HKDF -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" } @@ -1951,7 +2122,8 @@ component_build_no_std_function () { scripts/config.py set MBEDTLS_PLATFORM_NO_STD_FUNCTIONS scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT - make CC=gcc CFLAGS='-Werror -Wall -Wextra -Os' + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Check . + make } component_build_no_ssl_srv () { @@ -1984,7 +2156,7 @@ component_test_memory_buffer_allocator_backtrace () { scripts/config.py set MBEDTLS_PLATFORM_MEMORY scripts/config.py set MBEDTLS_MEMORY_BACKTRACE scripts/config.py set MBEDTLS_MEMORY_DEBUG - CC=gcc cmake . + CC=gcc cmake -DCMAKE_BUILD_TYPE:String=Release . make msg "test: MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE" @@ -1995,7 +2167,7 @@ component_test_memory_buffer_allocator () { msg "build: default config with memory buffer allocator" scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C scripts/config.py set MBEDTLS_PLATFORM_MEMORY - CC=gcc cmake . + CC=gcc cmake -DCMAKE_BUILD_TYPE:String=Release . make msg "test: MBEDTLS_MEMORY_BUFFER_ALLOC_C" @@ -2104,7 +2276,7 @@ component_test_ssl_alloc_buffer_and_mfl () { scripts/config.py set MBEDTLS_MEMORY_DEBUG scripts/config.py set MBEDTLS_SSL_MAX_FRAGMENT_LENGTH scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH - CC=gcc cmake . + CC=gcc cmake -DCMAKE_BUILD_TYPE:String=Release . make msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH, MBEDTLS_MEMORY_BUFFER_ALLOC_C, MBEDTLS_MEMORY_DEBUG and MBEDTLS_SSL_MAX_FRAGMENT_LENGTH" @@ -2131,7 +2303,7 @@ component_test_when_no_ciphersuites_have_mac () { component_test_no_date_time () { msg "build: default config without MBEDTLS_HAVE_TIME_DATE" scripts/config.py unset MBEDTLS_HAVE_TIME_DATE - CC=gcc cmake + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Check . make msg "test: !MBEDTLS_HAVE_TIME_DATE - main suites" @@ -2174,7 +2346,8 @@ component_test_malloc_0_null () { component_test_tls13 () { msg "build: TLS 1.3 (ASanDbg) " - scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL + scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py set MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE scripts/config.py set MBEDTLS_SSL_USE_MPS scripts/config.py set MBEDTLS_RSA_C scripts/config.py set MBEDTLS_X509_RSASSA_PSS_SUPPORT @@ -2183,7 +2356,7 @@ component_test_tls13 () { make msg "test: TLS 1.3 compat.sh" - if_build_succeeded tests/compat.sh -m tls1_3 -t ECDSA + if_build_succeeded tests/compat.sh -m tls13 -t ECDSA msg "test: TLS 1.3 ssl-opt.sh" if_build_succeeded tests/ssl-opt.sh -f "TLS 1.3" @@ -2191,7 +2364,8 @@ component_test_tls13 () { component_test_tls13_no_mps () { msg "build: TLS 1.3 without MPS (ASanDbg) " - scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL + scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py set MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE scripts/config.py unset MBEDTLS_SSL_USE_MPS scripts/config.py set MBEDTLS_RSA_C scripts/config.py set MBEDTLS_X509_RSASSA_PSS_SUPPORT @@ -2200,7 +2374,37 @@ component_test_tls13_no_mps () { make msg "test: TLS 1.3 without MPS compat.sh" - if_build_succeeded tests/compat.sh -m tls1_3 -t ECDSA + if_build_succeeded tests/compat.sh -m tls13 -t ECDSA + + msg "test: TLS 1.3 without MPS ssl-opt.sh" + if_build_succeeded tests/ssl-opt.sh -f "TLS 1.3" +} + +component_test_tls13_no_compatibility_mode () { + msg "build: TLS 1.3 (ASanDbg) without TLS 1.2 compatibility mode" + scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py unset MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE + scripts/config.py set MBEDTLS_SSL_USE_MPS + scripts/config.py set MBEDTLS_RSA_C + scripts/config.py set MBEDTLS_X509_RSASSA_PSS_SUPPORT + scripts/config.pl set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1 + cmake CC=gcc CMAKE_BUILD_TYPE=ASanDbg . + make + + msg "test: TLS 1.3 ssl-opt.sh" + if_build_succeeded tests/ssl-opt.sh -f "TLS 1.3" +} + +component_test_tls13_no_mps_no_compatibility_mode () { + msg "build: TLS 1.3 without MPS (ASanDbg) and without TLS 1.2 compatibility mode" + scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py unset MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE + scripts/config.py unset MBEDTLS_SSL_USE_MPS + scripts/config.py set MBEDTLS_RSA_C + scripts/config.py set MBEDTLS_X509_RSASSA_PSS_SUPPORT + scripts/config.pl set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1 + cmake CC=gcc CMAKE_BUILD_TYPE=ASanDbg . + make msg "test: TLS 1.3 without MPS ssl-opt.sh" if_build_succeeded tests/ssl-opt.sh -f "TLS 1.3" @@ -2208,7 +2412,8 @@ component_test_tls13_no_mps () { component_test_tls13_with_padding () { msg "build: TLS 1.3 (ASanDbg) " - scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL + scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py set MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE scripts/config.py set MBEDTLS_SSL_USE_MPS scripts/config.py set MBEDTLS_RSA_C scripts/config.py set MBEDTLS_X509_RSASSA_PSS_SUPPORT @@ -2217,7 +2422,7 @@ component_test_tls13_with_padding () { make msg "test: TLS 1.3 compat.sh" - if_build_succeeded tests/compat.sh -m tls1_3 -t ECDSA + if_build_succeeded tests/compat.sh -m tls13 -t ECDSA msg "test: TLS 1.3 ssl-opt.sh" if_build_succeeded tests/ssl-opt.sh -f "TLS 1.3" @@ -2225,7 +2430,8 @@ component_test_tls13_with_padding () { component_test_tls13_no_mps_with_padding () { msg "build: TLS 1.3 without MPS (ASanDbg) " - scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL + scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py set MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE scripts/config.py unset MBEDTLS_SSL_USE_MPS scripts/config.py set MBEDTLS_RSA_C scripts/config.py set MBEDTLS_X509_RSASSA_PSS_SUPPORT @@ -2234,7 +2440,7 @@ component_test_tls13_no_mps_with_padding () { make msg "test: TLS 1.3 without MPS compat.sh" - if_build_succeeded tests/compat.sh -m tls1_3 -t ECDSA + if_build_succeeded tests/compat.sh -m tls13 -t ECDSA msg "test: TLS 1.3 without MPS ssl-opt.sh" if_build_succeeded tests/ssl-opt.sh -f "TLS 1.3" @@ -2242,7 +2448,8 @@ component_test_tls13_no_mps_with_padding () { component_test_tls13_client_only () { msg "build: TLS 1.3 client-only (ASanDbg) " - scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL + scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py set MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE scripts/config.py set MBEDTLS_SSL_USE_MPS scripts/config.py unset MBEDTLS_SSL_SRV_C scripts/config.py set MBEDTLS_SSL_CLI_C @@ -2257,7 +2464,8 @@ component_test_tls13_client_only () { component_test_tls13_client_only_no_mps () { msg "build: TLS 1.3 client-only (ASanDbg) " - scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL + scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py set MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE scripts/config.py unset MBEDTLS_SSL_USE_MPS scripts/config.py unset MBEDTLS_SSL_SRV_C scripts/config.py set MBEDTLS_SSL_CLI_C @@ -2272,7 +2480,8 @@ component_test_tls13_client_only_no_mps () { component_test_tls13_server_only () { msg "build: TLS 1.3 server-only (ASanDbg) " - scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL + scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py set MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE scripts/config.py set MBEDTLS_SSL_USE_MPS scripts/config.py set MBEDTLS_SSL_SRV_C scripts/config.py unset MBEDTLS_SSL_CLI_C @@ -2287,7 +2496,8 @@ component_test_tls13_server_only () { component_test_tls13_server_only_no_mps () { msg "build: TLS 1.3 server-only (ASanDbg) " - scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL + scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py set MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE scripts/config.py unset MBEDTLS_SSL_USE_MPS scripts/config.py set MBEDTLS_SSL_SRV_C scripts/config.py unset MBEDTLS_SSL_CLI_C @@ -2394,6 +2604,7 @@ component_test_make_shared () { msg "build/test: make shared" # ~ 40s make SHARED=1 all check ldd programs/util/strerror | grep libmbedcrypto + programs/test/dlopen_demo.sh } component_test_cmake_shared () { @@ -2402,6 +2613,7 @@ component_test_cmake_shared () { make ldd programs/util/strerror | grep libmbedcrypto make test + programs/test/dlopen_demo.sh } test_build_opt () { @@ -2440,7 +2652,8 @@ component_build_mbedtls_config_file () { } component_test_m32_o0 () { - # Build once with -O0, to compile out the i386 specific inline assembly + # Build without optimization, so as to use portable C code (in a 32-bit + # build) and not the i386-specific inline assembly. msg "build: i386, make, gcc -O0 (ASan build)" # ~ 30s scripts/config.py full make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O0" LDFLAGS="-m32 $ASAN_CFLAGS" @@ -2455,19 +2668,20 @@ support_test_m32_o0 () { esac } -component_test_m32_o1 () { - # Build again with -O1, to compile in the i386 specific inline assembly - msg "build: i386, make, gcc -O1 (ASan build)" # ~ 30s +component_test_m32_o2 () { + # Build with optimization, to use the i386 specific inline assembly + # and go faster for tests. + msg "build: i386, make, gcc -O2 (ASan build)" # ~ 30s scripts/config.py full - make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O1" LDFLAGS="-m32 $ASAN_CFLAGS" + make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O2" LDFLAGS="-m32 $ASAN_CFLAGS" - msg "test: i386, make, gcc -O1 (ASan build)" + msg "test: i386, make, gcc -O2 (ASan build)" make test - msg "test ssl-opt.sh, i386, make, gcc-O1" + msg "test ssl-opt.sh, i386, make, gcc-O2" tests/ssl-opt.sh } -support_test_m32_o1 () { +support_test_m32_o2 () { support_test_m32_o0 "$@" } @@ -2576,7 +2790,7 @@ component_test_no_x509_info () { scripts/config.pl full scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests scripts/config.pl set MBEDTLS_X509_REMOVE_INFO - make CFLAGS='-Werror -O1' + make CFLAGS='-Werror -O2' msg "test: full + MBEDTLS_X509_REMOVE_INFO" # ~ 10s make test @@ -2742,12 +2956,42 @@ component_test_valgrind () { fi } +support_test_cmake_out_of_source () { + distrib_id="" + distrib_ver="" + distrib_ver_minor="" + distrib_ver_major="" + + # Attempt to parse lsb-release to find out distribution and version. If not + # found this should fail safe (test is supported). + if [[ -f /etc/lsb-release ]]; then + + while read -r lsb_line; do + case "$lsb_line" in + "DISTRIB_ID"*) distrib_id=${lsb_line/#DISTRIB_ID=};; + "DISTRIB_RELEASE"*) distrib_ver=${lsb_line/#DISTRIB_RELEASE=};; + esac + done < /etc/lsb-release + + distrib_ver_major="${distrib_ver%%.*}" + distrib_ver="${distrib_ver#*.}" + distrib_ver_minor="${distrib_ver%%.*}" + fi + + # Running the out of source CMake test on Ubuntu 16.04 using more than one + # processor (as the CI does) can create a race condition whereby the build + # fails to see a generated file, despite that file actually having been + # generated. This problem appears to go away with 18.04 or newer, so make + # the out of source tests unsupported on Ubuntu 16.04. + [ "$distrib_id" != "Ubuntu" ] || [ "$distrib_ver_major" -gt 16 ] +} + component_test_cmake_out_of_source () { msg "build: cmake 'out-of-source' build" MBEDTLS_ROOT_DIR="$PWD" mkdir "$OUT_OF_SOURCE_DIR" cd "$OUT_OF_SOURCE_DIR" - cmake "$MBEDTLS_ROOT_DIR" + cmake -D CMAKE_BUILD_TYPE:String=Check "$MBEDTLS_ROOT_DIR" make msg "test: cmake 'out-of-source' build" @@ -2835,6 +3079,26 @@ component_test_zeroize () { unset gdb_disable_aslr } +component_test_psa_compliance () { + msg "build: make, default config (out-of-box), libmbedcrypto.a only" + make -C library libmbedcrypto.a + + msg "unit test: test_psa_compliance.py" + ./tests/scripts/test_psa_compliance.py +} + +support_test_psa_compliance () { + # psa-compliance-tests only supports CMake >= 3.10.0 + ver="$(cmake --version)" + ver="${ver#cmake version }" + ver_major="${ver%%.*}" + + ver="${ver#*.}" + ver_minor="${ver%%.*}" + + [ "$ver_major" -eq 3 ] && [ "$ver_minor" -ge 10 ] +} + component_check_python_files () { msg "Lint: Python scripts" tests/scripts/check-python-files.sh diff --git a/tests/scripts/check-generated-files.sh b/tests/scripts/check-generated-files.sh index 0399484d5fd6..b35da3d68e02 100755 --- a/tests/scripts/check-generated-files.sh +++ b/tests/scripts/check-generated-files.sh @@ -118,6 +118,7 @@ check() check scripts/generate_errors.pl library/error.c check scripts/generate_query_config.pl programs/test/query_config.c check scripts/generate_features.pl library/version_features.c +check scripts/generate_ssl_debug_helpers.py library/ssl_debug_helpers_generated.h library/ssl_debug_helpers_generated.c # generate_visualc_files enumerates source files (library/*.c). It doesn't # care about their content, but the files must exist. So it must run after # the step that creates or updates these files. diff --git a/tests/scripts/check_names.py b/tests/scripts/check_names.py index ac2490fc1e25..8bb4923b7792 100755 --- a/tests/scripts/check_names.py +++ b/tests/scripts/check_names.py @@ -457,111 +457,158 @@ def parse_enum_consts(self, include, exclude=None): return enum_consts - def parse_identifiers(self, include, exclude=None): + IGNORED_CHUNK_REGEX = re.compile('|'.join([ + r'/\*.*?\*/', # block comment entirely on one line + r'//.*', # line comment + r'(?P<string>")(?:[^\\\"]|\\.)*"', # string literal + ])) + + def strip_comments_and_literals(self, line, in_block_comment): + """Strip comments and string literals from line. + + Continuation lines are not supported. + + If in_block_comment is true, assume that the line starts inside a + block comment. + + Return updated values of (line, in_block_comment) where: + * Comments in line have been replaced by a space (or nothing at the + start or end of the line). + * String contents have been removed. + * in_block_comment indicates whether the line ends inside a block + comment that continues on the next line. + """ + + # Terminate current multiline comment? + if in_block_comment: + m = re.search(r"\*/", line) + if m: + in_block_comment = False + line = line[m.end(0):] + else: + return '', True + + # Remove full comments and string literals. + # Do it all together to handle cases like "/*" correctly. + # Note that continuation lines are not supported. + line = re.sub(self.IGNORED_CHUNK_REGEX, + lambda s: '""' if s.group('string') else ' ', + line) + + # Start an unfinished comment? + # (If `/*` was part of a complete comment, it's already been removed.) + m = re.search(r"/\*", line) + if m: + in_block_comment = True + line = line[:m.start(0)] + + return line, in_block_comment + + IDENTIFIER_REGEX = re.compile('|'.join([ + # Match " something(a" or " *something(a". Functions. + # Assumptions: + # - function definition from return type to one of its arguments is + # all on one line + # - function definition line only contains alphanumeric, asterisk, + # underscore, and open bracket + r".* \**(\w+) *\( *\w", + # Match "(*something)(". + r".*\( *\* *(\w+) *\) *\(", + # Match names of named data structures. + r"(?:typedef +)?(?:struct|union|enum) +(\w+)(?: *{)?$", + # Match names of typedef instances, after closing bracket. + r"}? *(\w+)[;[].*", + ])) + # The regex below is indented for clarity. + EXCLUSION_LINES = re.compile("|".join([ + r"extern +\"C\"", + r"(typedef +)?(struct|union|enum)( *{)?$", + r"} *;?$", + r"$", + r"//", + r"#", + ])) + + def parse_identifiers_in_file(self, header_file, identifiers): """ Parse all lines of a header where a function/enum/struct/union/typedef identifier is declared, based on some regex and heuristics. Highly dependent on formatting style. - Args: - * include: A List of glob expressions to look for files through. - * exclude: A List of glob expressions for excluding files. - - Returns a List of Match objects with identifiers. + Append found matches to the list ``identifiers``. """ - identifier_regex = re.compile( - # Match " something(a" or " *something(a". Functions. - # Assumptions: - # - function definition from return type to one of its arguments is - # all on one line - # - function definition line only contains alphanumeric, asterisk, - # underscore, and open bracket - r".* \**(\w+) *\( *\w|" - # Match "(*something)(". - r".*\( *\* *(\w+) *\) *\(|" - # Match names of named data structures. - r"(?:typedef +)?(?:struct|union|enum) +(\w+)(?: *{)?$|" - # Match names of typedef instances, after closing bracket. - r"}? *(\w+)[;[].*" - ) - # The regex below is indented for clarity. - exclusion_lines = re.compile( - r"^(" - r"extern +\"C\"|" # pylint: disable=bad-continuation - r"(typedef +)?(struct|union|enum)( *{)?$|" - r"} *;?$|" - r"$|" - r"//|" - r"#" - r")" - ) - files = self.get_files(include, exclude) - self.log.debug("Looking for identifiers in {} files".format(len(files))) + with open(header_file, "r", encoding="utf-8") as header: + in_block_comment = False + # The previous line variable is used for concatenating lines + # when identifiers are formatted and spread across multiple + # lines. + previous_line = "" - identifiers = [] - for header_file in files: - with open(header_file, "r", encoding="utf-8") as header: - in_block_comment = False - # The previous line variable is used for concatenating lines - # when identifiers are formatted and spread across multiple - # lines. - previous_line = "" + for line_no, line in enumerate(header): + line, in_block_comment = \ + self.strip_comments_and_literals(line, in_block_comment) - for line_no, line in enumerate(header): - # Skip parsing this line if a block comment ends on it, - # but don't skip if it has just started -- there is a chance - # it ends on the same line. - if re.search(r"/\*", line): - in_block_comment = not in_block_comment - if re.search(r"\*/", line): - in_block_comment = not in_block_comment - continue + if self.EXCLUSION_LINES.match(line): + previous_line = "" + continue - if in_block_comment: - previous_line = "" - continue + # If the line contains only space-separated alphanumeric + # characters (or underscore, asterisk, or open parenthesis), + # and nothing else, high chance it's a declaration that + # continues on the next line + if re.search(r"^([\w\*\(]+\s+)+$", line): + previous_line += line + continue - if exclusion_lines.search(line): - previous_line = "" - continue + # If previous line seemed to start an unfinished declaration + # (as above), concat and treat them as one. + if previous_line: + line = previous_line.strip() + " " + line.strip() + "\n" + previous_line = "" - # If the line contains only space-separated alphanumeric - # characters (or underscore, asterisk, or, open bracket), - # and nothing else, high chance it's a declaration that - # continues on the next line - if re.search(r"^([\w\*\(]+\s+)+$", line): - previous_line += line - continue + # Skip parsing if line has a space in front = heuristic to + # skip function argument lines (highly subject to formatting + # changes) + if line[0] == " ": + continue + + identifier = self.IDENTIFIER_REGEX.search(line) - # If previous line seemed to start an unfinished declaration - # (as above), concat and treat them as one. - if previous_line: - line = previous_line.strip() + " " + line.strip() + "\n" - previous_line = "" + if not identifier: + continue - # Skip parsing if line has a space in front = heuristic to - # skip function argument lines (highly subject to formatting - # changes) - if line[0] == " ": + # Find the group that matched, and append it + for group in identifier.groups(): + if not group: continue - identifier = identifier_regex.search(line) + identifiers.append(Match( + header_file, + line, + line_no, + identifier.span(), + group)) - if not identifier: - continue + def parse_identifiers(self, include, exclude=None): + """ + Parse all lines of a header where a function/enum/struct/union/typedef + identifier is declared, based on some regex and heuristics. Highly + dependent on formatting style. - # Find the group that matched, and append it - for group in identifier.groups(): - if not group: - continue + Args: + * include: A List of glob expressions to look for files through. + * exclude: A List of glob expressions for excluding files. - identifiers.append(Match( - header_file, - line, - line_no, - identifier.span(), - group)) + Returns a List of Match objects with identifiers. + """ + + files = self.get_files(include, exclude) + self.log.debug("Looking for identifiers in {} files".format(len(files))) + + identifiers = [] + for header_file in files: + self.parse_identifiers_in_file(header_file, identifiers) return identifiers @@ -779,7 +826,8 @@ def check_for_typos(self): match.name for match in self.parse_result["macros"] + self.parse_result["enum_consts"]} - typo_exclusion = re.compile(r"XXX|__|_$|^MBEDTLS_.*CONFIG_FILE$") + typo_exclusion = re.compile(r"XXX|__|_$|^MBEDTLS_.*CONFIG_FILE$|" + r"MBEDTLS_TEST_LIBTESTDRIVER*") for name_match in self.parse_result["mbed_words"]: found = name_match.name in all_caps_names diff --git a/tests/scripts/check_test_cases.py b/tests/scripts/check_test_cases.py index fe11f20c0fae..f9ae36c13d2b 100755 --- a/tests/scripts/check_test_cases.py +++ b/tests/scripts/check_test_cases.py @@ -133,6 +133,9 @@ def walk_all(self): ssl_opt_sh = os.path.join(directory, 'ssl-opt.sh') if os.path.exists(ssl_opt_sh): self.walk_ssl_opt_sh(ssl_opt_sh) + for ssl_opt_file_name in glob.glob(os.path.join(directory, 'opt-testcases', + '*.sh')): + self.walk_ssl_opt_sh(ssl_opt_file_name) class DescriptionChecker(TestDescriptionExplorer): """Check all test case descriptions. diff --git a/tests/scripts/generate_psa_tests.py b/tests/scripts/generate_psa_tests.py index 4c8143ff09ec..0d9cb36716ec 100755 --- a/tests/scripts/generate_psa_tests.py +++ b/tests/scripts/generate_psa_tests.py @@ -96,7 +96,7 @@ def hack_dependencies_not_implemented(dependencies: List[str]) -> None: if _implemented_dependencies is None: _implemented_dependencies = \ read_implemented_dependencies('include/psa/crypto_config.h') - if not all(dep.lstrip('!') in _implemented_dependencies + if not all((dep.lstrip('!') in _implemented_dependencies or 'PSA_WANT' not in dep) for dep in dependencies): dependencies.append('DEPENDENCY_NOT_IMPLEMENTED_YET') @@ -155,30 +155,8 @@ def test_case_for_key_type_not_supported( tc.set_arguments([key_type] + list(args)) return tc -def test_case_for_key_type_invalid_argument( - verb: str, key_type: str, bits: int, - dependencies: List[str], - *args: str, - param_descr: str = '' -) -> test_case.TestCase: - """Return one test case exercising a key creation method - for an invalid argument when key is public. - """ - hack_dependencies_not_implemented(dependencies) - tc = test_case.TestCase() - short_key_type = re.sub(r'PSA_(KEY_TYPE|ECC_FAMILY)_', r'', key_type) - adverb = 'not' if dependencies else 'never' - if param_descr: - adverb = param_descr + ' ' + adverb - tc.set_description('PSA {} {} {}-bit invalid argument' - .format(verb, short_key_type, bits)) - tc.set_function(verb + '_invalid_argument') - tc.set_dependencies(dependencies) - tc.set_arguments([key_type] + list(args)) - return tc - class NotSupported: - """Generate test cases for when something is not supported or argument is inavlid.""" + """Generate test cases for when something is not supported.""" def __init__(self, info: Information) -> None: self.constructors = info.constructors @@ -193,13 +171,11 @@ def test_cases_for_key_type_not_supported( param: Optional[int] = None, param_descr: str = '', ) -> Iterator[test_case.TestCase]: - """Return test cases exercising key creation when the given type is unsupported - or argument is invalid. + """Return test cases exercising key creation when the given type is unsupported. If param is present and not None, emit test cases conditioned on this parameter not being supported. If it is absent or None, emit test cases - conditioned on the base type not being supported. If key is public emit test - case for invalid argument. + conditioned on the base type not being supported. """ if kt.name in self.ALWAYS_SUPPORTED: # Don't generate test cases for key types that are always supported. @@ -227,14 +203,9 @@ def test_cases_for_key_type_not_supported( # supported or not depending on implementation capabilities, # only generate the test case once. continue - if kt.name.endswith('_PUBLIC_KEY'): - yield test_case_for_key_type_invalid_argument( - 'generate', kt.expression, bits, - finish_family_dependencies(generate_dependencies, bits), - str(bits), - param_descr=param_descr, - ) - else: + # For public key we expect that key generation fails with + # INVALID_ARGUMENT. It is handled by KeyGenerate class. + if not kt.name.endswith('_PUBLIC_KEY'): yield test_case_for_key_type_not_supported( 'generate', kt.expression, bits, finish_family_dependencies(generate_dependencies, bits), @@ -261,6 +232,79 @@ def test_cases_for_not_supported(self) -> Iterator[test_case.TestCase]: yield from self.test_cases_for_key_type_not_supported( kt, 0, param_descr='curve') +def test_case_for_key_generation( + key_type: str, bits: int, + dependencies: List[str], + *args: str, + result: str = '' +) -> test_case.TestCase: + """Return one test case exercising a key generation. + """ + hack_dependencies_not_implemented(dependencies) + tc = test_case.TestCase() + short_key_type = re.sub(r'PSA_(KEY_TYPE|ECC_FAMILY)_', r'', key_type) + tc.set_description('PSA {} {}-bit' + .format(short_key_type, bits)) + tc.set_dependencies(dependencies) + tc.set_function('generate_key') + tc.set_arguments([key_type] + list(args) + [result]) + + return tc + +class KeyGenerate: + """Generate positive and negative (invalid argument) test cases for key generation.""" + + def __init__(self, info: Information) -> None: + self.constructors = info.constructors + + ECC_KEY_TYPES = ('PSA_KEY_TYPE_ECC_KEY_PAIR', + 'PSA_KEY_TYPE_ECC_PUBLIC_KEY') + + @staticmethod + def test_cases_for_key_type_key_generation( + kt: crypto_knowledge.KeyType + ) -> Iterator[test_case.TestCase]: + """Return test cases exercising key generation. + + All key types can be generated except for public keys. For public key + PSA_ERROR_INVALID_ARGUMENT status is expected. + """ + result = 'PSA_SUCCESS' + + import_dependencies = [psa_want_symbol(kt.name)] + if kt.params is not None: + import_dependencies += [psa_want_symbol(sym) + for i, sym in enumerate(kt.params)] + if kt.name.endswith('_PUBLIC_KEY'): + # The library checks whether the key type is a public key generically, + # before it reaches a point where it needs support for the specific key + # type, so it returns INVALID_ARGUMENT for unsupported public key types. + generate_dependencies = [] + result = 'PSA_ERROR_INVALID_ARGUMENT' + else: + generate_dependencies = import_dependencies + if kt.name == 'PSA_KEY_TYPE_RSA_KEY_PAIR': + generate_dependencies.append("MBEDTLS_GENPRIME") + for bits in kt.sizes_to_test(): + yield test_case_for_key_generation( + kt.expression, bits, + finish_family_dependencies(generate_dependencies, bits), + str(bits), + result + ) + + def test_cases_for_key_generation(self) -> Iterator[test_case.TestCase]: + """Generate test cases that exercise the generation of keys.""" + for key_type in sorted(self.constructors.key_types): + if key_type in self.ECC_KEY_TYPES: + continue + kt = crypto_knowledge.KeyType(key_type) + yield from self.test_cases_for_key_type_key_generation(kt) + for curve_family in sorted(self.constructors.ecc_curves): + for constr in self.ECC_KEY_TYPES: + kt = crypto_knowledge.KeyType(constr, [curve_family]) + yield from self.test_cases_for_key_type_key_generation(kt) + class StorageKey(psa_storage.Key): """Representation of a key for storage format testing.""" @@ -682,6 +726,8 @@ def write_test_data_file(self, basename: str, test_case.write_data_file(filename, test_cases) TARGETS = { + 'test_suite_psa_crypto_generate_key.generated': + lambda info: KeyGenerate(info).test_cases_for_key_generation(), 'test_suite_psa_crypto_not_supported.generated': lambda info: NotSupported(info).test_cases_for_not_supported(), 'test_suite_psa_crypto_storage_format.current': @@ -699,6 +745,10 @@ def main(args): parser = argparse.ArgumentParser(description=__doc__) parser.add_argument('--list', action='store_true', help='List available targets and exit') + parser.add_argument('--list-for-cmake', action='store_true', + help='Print \';\'-separated list of available targets and exit') + parser.add_argument('--directory', metavar='DIR', + help='Output directory (default: tests/suites)') parser.add_argument('targets', nargs='*', metavar='TARGET', help='Target file to generate (default: all; "-": none)') options = parser.parse_args(args) @@ -708,6 +758,11 @@ def main(args): for name in sorted(generator.TARGETS): print(generator.filename_for(name)) return + # List in a cmake list format (i.e. ';'-separated) + if options.list_for_cmake: + print(';'.join(generator.filename_for(name) + for name in sorted(generator.TARGETS)), end='') + return if options.targets: # Allow "-" as a special case so you can run # ``generate_psa_tests.py - $targets`` and it works uniformly whether diff --git a/tests/scripts/generate_test_code.py b/tests/scripts/generate_test_code.py index 7382fb6ecb7c..f5750aacfa2d 100755 --- a/tests/scripts/generate_test_code.py +++ b/tests/scripts/generate_test_code.py @@ -106,10 +106,6 @@ Platform file contains platform specific setup code and test case dispatch code. For example, host_test.function reads test data file from host's file system and dispatches tests. -In case of on-target target_test.function tests are not dispatched -on target. Target code is kept minimum and only test functions are -dispatched. Test case dispatch is done on the host using tools like -Greentea. Template file: --------- diff --git a/tests/scripts/generate_tls13_compat_tests.py b/tests/scripts/generate_tls13_compat_tests.py new file mode 100755 index 000000000000..a6d2fe77bde8 --- /dev/null +++ b/tests/scripts/generate_tls13_compat_tests.py @@ -0,0 +1,439 @@ +#!/usr/bin/env python3 + +# generate_tls13_compat_tests.py +# +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +""" +Generate TLSv1.3 Compat test cases + +""" + +import sys +import os +import abc +import argparse +import itertools +from collections import namedtuple +# pylint: disable=useless-super-delegation + +# define certificates configuration entry +Certificate = namedtuple("Certificate", ['cafile', 'certfile', 'keyfile']) +# define the certificate parameters for signature algorithms +CERTIFICATES = { + 'ecdsa_secp256r1_sha256': Certificate('data_files/test-ca2.crt', + 'data_files/ecdsa_secp256r1.crt', + 'data_files/ecdsa_secp256r1.key'), + 'ecdsa_secp384r1_sha384': Certificate('data_files/test-ca2.crt', + 'data_files/ecdsa_secp384r1.crt', + 'data_files/ecdsa_secp384r1.key'), + 'ecdsa_secp521r1_sha512': Certificate('data_files/test-ca2.crt', + 'data_files/ecdsa_secp521r1.crt', + 'data_files/ecdsa_secp521r1.key'), + 'rsa_pss_rsae_sha256': Certificate('data_files/test-ca_cat12.crt', + 'data_files/server2-sha256.crt', 'data_files/server2.key' + ) +} + +CIPHER_SUITE_IANA_VALUE = { + "TLS_AES_128_GCM_SHA256": 0x1301, + "TLS_AES_256_GCM_SHA384": 0x1302, + "TLS_CHACHA20_POLY1305_SHA256": 0x1303, + "TLS_AES_128_CCM_SHA256": 0x1304, + "TLS_AES_128_CCM_8_SHA256": 0x1305 +} + +SIG_ALG_IANA_VALUE = { + "ecdsa_secp256r1_sha256": 0x0403, + "ecdsa_secp384r1_sha384": 0x0503, + "ecdsa_secp521r1_sha512": 0x0603, + 'rsa_pss_rsae_sha256': 0x0804, +} + +NAMED_GROUP_IANA_VALUE = { + 'secp256r1': 0x17, + 'secp384r1': 0x18, + 'secp521r1': 0x19, + 'x25519': 0x1d, + 'x448': 0x1e, +} + +class TLSProgram(metaclass=abc.ABCMeta): + """ + Base class for generate server/client command. + """ + + def __init__(self, ciphersuite, signature_algorithm, named_group, compat_mode=True): + self._ciphers = [] + self._sig_algs = [] + self._named_groups = [] + self.add_ciphersuites(ciphersuite) + self.add_named_groups(named_group) + self.add_signature_algorithms(signature_algorithm) + self._compat_mode = compat_mode + + # add_ciphersuites should not override by sub class + def add_ciphersuites(self, *ciphersuites): + self._ciphers.extend( + [cipher for cipher in ciphersuites if cipher not in self._ciphers]) + + # add_signature_algorithms should not override by sub class + def add_signature_algorithms(self, *signature_algorithms): + self._sig_algs.extend( + [sig_alg for sig_alg in signature_algorithms if sig_alg not in self._sig_algs]) + + # add_signature_algorithms should not override by sub class + def add_named_groups(self, *named_groups): + self._named_groups.extend( + [named_group for named_group in named_groups if named_group not in self._named_groups]) + + @abc.abstractmethod + def pre_checks(self): + return [] + + @abc.abstractmethod + def cmd(self): + pass + + @abc.abstractmethod + def post_checks(self): + return [] + + +class OpenSSLServ(TLSProgram): + """ + Generate test commands for OpenSSL server. + """ + + NAMED_GROUP = { + 'secp256r1': 'P-256', + 'secp384r1': 'P-384', + 'secp521r1': 'P-521', + 'x25519': 'X25519', + 'x448': 'X448', + } + + def cmd(self): + ret = ['$O_NEXT_SRV_NO_CERT'] + for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._sig_algs): + ret += ['-cert {cert} -key {key}'.format(cert=cert, key=key)] + ret += ['-accept $SRV_PORT'] + ciphersuites = ','.join(self._ciphers) + signature_algorithms = ','.join(self._sig_algs) + named_groups = ','.join( + map(lambda named_group: self.NAMED_GROUP[named_group], self._named_groups)) + ret += ["-ciphersuites {ciphersuites}".format(ciphersuites=ciphersuites), + "-sigalgs {signature_algorithms}".format( + signature_algorithms=signature_algorithms), + "-groups {named_groups}".format(named_groups=named_groups)] + ret += ['-msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache'] + if not self._compat_mode: + ret += ['-no_middlebox'] + + return ' '.join(ret) + + def pre_checks(self): + return ["requires_openssl_tls1_3"] + + def post_checks(self): + return ['-c "HTTP/1.0 200 ok"'] + + +class GnuTLSServ(TLSProgram): + """ + Generate test commands for GnuTLS server. + """ + + CIPHER_SUITE = { + 'TLS_AES_256_GCM_SHA384': [ + 'AES-256-GCM', + 'SHA384', + 'AEAD'], + 'TLS_AES_128_GCM_SHA256': [ + 'AES-128-GCM', + 'SHA256', + 'AEAD'], + 'TLS_CHACHA20_POLY1305_SHA256': [ + 'CHACHA20-POLY1305', + 'SHA256', + 'AEAD'], + 'TLS_AES_128_CCM_SHA256': [ + 'AES-128-CCM', + 'SHA256', + 'AEAD'], + 'TLS_AES_128_CCM_8_SHA256': [ + 'AES-128-CCM-8', + 'SHA256', + 'AEAD']} + + SIGNATURE_ALGORITHM = { + 'ecdsa_secp256r1_sha256': ['SIGN-ECDSA-SECP256R1-SHA256'], + 'ecdsa_secp521r1_sha512': ['SIGN-ECDSA-SECP521R1-SHA512'], + 'ecdsa_secp384r1_sha384': ['SIGN-ECDSA-SECP384R1-SHA384'], + 'rsa_pss_rsae_sha256': ['SIGN-RSA-PSS-RSAE-SHA256']} + + NAMED_GROUP = { + 'secp256r1': ['GROUP-SECP256R1'], + 'secp384r1': ['GROUP-SECP384R1'], + 'secp521r1': ['GROUP-SECP521R1'], + 'x25519': ['GROUP-X25519'], + 'x448': ['GROUP-X448'], + } + + def pre_checks(self): + return ["requires_gnutls_tls1_3", + "requires_gnutls_next_no_ticket", + "requires_gnutls_next_disable_tls13_compat", ] + + def post_checks(self): + return ['-c "HTTP/1.0 200 OK"'] + + def cmd(self): + ret = ['$G_NEXT_SRV_NO_CERT', '--http', + '--disable-client-cert', '--debug=4'] + + for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._sig_algs): + ret += ['--x509certfile {cert} --x509keyfile {key}'.format( + cert=cert, key=key)] + + priority_string_list = [] + + def update_priority_string_list(items, map_table): + for item in items: + for i in map_table[item]: + if i not in priority_string_list: + yield i + priority_string_list.extend(update_priority_string_list( + self._sig_algs, self.SIGNATURE_ALGORITHM)) + priority_string_list.extend( + update_priority_string_list(self._ciphers, self.CIPHER_SUITE)) + priority_string_list.extend(update_priority_string_list( + self._named_groups, self.NAMED_GROUP)) + priority_string_list = ['NONE'] + sorted(priority_string_list) + ['VERS-TLS1.3'] + + priority_string = ':+'.join(priority_string_list) + priority_string += ':%NO_TICKETS' + if not self._compat_mode: + priority_string += [':%DISABLE_TLS13_COMPAT_MODE'] + + ret += ['--priority={priority_string}'.format( + priority_string=priority_string)] + ret = ' '.join(ret) + return ret + + +class MbedTLSCli(TLSProgram): + """ + Generate test commands for mbedTLS client. + """ + + CIPHER_SUITE = { + 'TLS_AES_256_GCM_SHA384': 'TLS1-3-AES-256-GCM-SHA384', + 'TLS_AES_128_GCM_SHA256': 'TLS1-3-AES-128-GCM-SHA256', + 'TLS_CHACHA20_POLY1305_SHA256': 'TLS1-3-CHACHA20-POLY1305-SHA256', + 'TLS_AES_128_CCM_SHA256': 'TLS1-3-AES-128-CCM-SHA256', + 'TLS_AES_128_CCM_8_SHA256': 'TLS1-3-AES-128-CCM-8-SHA256'} + + def cmd(self): + ret = ['$P_CLI'] + ret += ['server_addr=127.0.0.1', 'server_port=$SRV_PORT', + 'debug_level=4', 'force_version=tls13'] + ret += ['ca_file={cafile}'.format( + cafile=CERTIFICATES[self._sig_algs[0]].cafile)] + + if self._ciphers: + ciphers = ','.join( + map(lambda cipher: self.CIPHER_SUITE[cipher], self._ciphers)) + ret += ["force_ciphersuite={ciphers}".format(ciphers=ciphers)] + + if self._sig_algs: + ret += ['sig_algs={sig_algs}'.format( + sig_algs=','.join(self._sig_algs))] + for sig_alg in self._sig_algs: + if sig_alg in ('ecdsa_secp256r1_sha256', + 'ecdsa_secp384r1_sha384', + 'ecdsa_secp521r1_sha512'): + self.add_named_groups(sig_alg.split('_')[1]) + + if self._named_groups: + named_groups = ','.join(self._named_groups) + ret += ["curves={named_groups}".format(named_groups=named_groups)] + + ret = ' '.join(ret) + return ret + + def pre_checks(self): + ret = ['requires_config_enabled MBEDTLS_DEBUG_C', + 'requires_config_enabled MBEDTLS_SSL_CLI_C', + 'requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3', + 'requires_config_disabled MBEDTLS_USE_PSA_CRYPTO'] + + if self._compat_mode: + ret += ['requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE'] + + if 'rsa_pss_rsae_sha256' in self._sig_algs: + ret.append( + 'requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT') + return ret + + def post_checks(self): + check_strings = ["ECDH curve: {group}".format(group=self._named_groups[0]), + "server hello, chosen ciphersuite: ( {:04x} ) - {}".format( + CIPHER_SUITE_IANA_VALUE[self._ciphers[0]], + self.CIPHER_SUITE[self._ciphers[0]]), + "Certificate Verify: Signature algorithm ( {:04x} )".format( + SIG_ALG_IANA_VALUE[self._sig_algs[0]]), + "Verifying peer X.509 certificate... ok", ] + return ['-c "{}"'.format(i) for i in check_strings] + + +SERVER_CLASSES = {'OpenSSL': OpenSSLServ, 'GnuTLS': GnuTLSServ} +CLIENT_CLASSES = {'mbedTLS': MbedTLSCli} + + +def generate_compat_test(server=None, client=None, cipher=None, sig_alg=None, named_group=None): + """ + Generate test case with `ssl-opt.sh` format. + """ + name = 'TLS 1.3 {client[0]}->{server[0]}: {cipher},{named_group},{sig_alg}'.format( + client=client, server=server, cipher=cipher, sig_alg=sig_alg, named_group=named_group) + server_object = SERVER_CLASSES[server](cipher, sig_alg, named_group) + client_object = CLIENT_CLASSES[client](cipher, sig_alg, named_group) + + cmd = ['run_test "{}"'.format(name), '"{}"'.format( + server_object.cmd()), '"{}"'.format(client_object.cmd()), '0'] + cmd += server_object.post_checks() + cmd += client_object.post_checks() + prefix = ' \\\n' + (' '*9) + cmd = prefix.join(cmd) + return '\n'.join(server_object.pre_checks() + client_object.pre_checks() + [cmd]) + + +SSL_OUTPUT_HEADER = '''#!/bin/sh + +# {filename} +# +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# Purpose +# +# List TLS1.3 compat test cases. They are generated by +# `generate_tls13_compat_tests.py -a`. +# +# PLEASE DO NOT EDIT THIS FILE. IF NEEDED, PLEASE MODIFY `generate_tls13_compat_tests.py` +# AND REGENERATE THIS FILE. +# +''' + + +def main(): + """ + Main function of this program + """ + parser = argparse.ArgumentParser() + + parser.add_argument('-o', '--output', nargs='?', + default=None, help='Output file path if `-a` was set') + + parser.add_argument('-a', '--generate-all-tls13-compat-tests', action='store_true', + default=False, help='Generate all available tls13 compat tests') + + parser.add_argument('--list-ciphers', action='store_true', + default=False, help='List supported ciphersuites') + + parser.add_argument('--list-sig-algs', action='store_true', + default=False, help='List supported signature algorithms') + + parser.add_argument('--list-named-groups', action='store_true', + default=False, help='List supported named groups') + + parser.add_argument('--list-servers', action='store_true', + default=False, help='List supported TLS servers') + + parser.add_argument('--list-clients', action='store_true', + default=False, help='List supported TLS Clients') + + parser.add_argument('server', choices=SERVER_CLASSES.keys(), nargs='?', + default=list(SERVER_CLASSES.keys())[0], + help='Choose TLS server program for test') + parser.add_argument('client', choices=CLIENT_CLASSES.keys(), nargs='?', + default=list(CLIENT_CLASSES.keys())[0], + help='Choose TLS client program for test') + parser.add_argument('cipher', choices=CIPHER_SUITE_IANA_VALUE.keys(), nargs='?', + default=list(CIPHER_SUITE_IANA_VALUE.keys())[0], + help='Choose cipher suite for test') + parser.add_argument('sig_alg', choices=SIG_ALG_IANA_VALUE.keys(), nargs='?', + default=list(SIG_ALG_IANA_VALUE.keys())[0], + help='Choose cipher suite for test') + parser.add_argument('named_group', choices=NAMED_GROUP_IANA_VALUE.keys(), nargs='?', + default=list(NAMED_GROUP_IANA_VALUE.keys())[0], + help='Choose cipher suite for test') + + args = parser.parse_args() + + def get_all_test_cases(): + for cipher, sig_alg, named_group, server, client in \ + itertools.product(CIPHER_SUITE_IANA_VALUE.keys(), SIG_ALG_IANA_VALUE.keys(), + NAMED_GROUP_IANA_VALUE.keys(), SERVER_CLASSES.keys(), + CLIENT_CLASSES.keys()): + yield generate_compat_test(cipher=cipher, sig_alg=sig_alg, named_group=named_group, + server=server, client=client) + + if args.generate_all_tls13_compat_tests: + if args.output: + with open(args.output, 'w', encoding="utf-8") as f: + f.write(SSL_OUTPUT_HEADER.format( + filename=os.path.basename(args.output))) + f.write('\n\n'.join(get_all_test_cases())) + f.write('\n') + else: + print('\n'.join(get_all_test_cases())) + return 0 + + if args.list_ciphers or args.list_sig_algs or args.list_named_groups \ + or args.list_servers or args.list_clients: + if args.list_ciphers: + print(*CIPHER_SUITE_IANA_VALUE.keys()) + if args.list_sig_algs: + print(*SIG_ALG_IANA_VALUE.keys()) + if args.list_named_groups: + print(*NAMED_GROUP_IANA_VALUE.keys()) + if args.list_servers: + print(*SERVER_CLASSES.keys()) + if args.list_clients: + print(*CLIENT_CLASSES.keys()) + return 0 + + print(generate_compat_test(server=args.server, client=args.client, sig_alg=args.sig_alg, + cipher=args.cipher, named_group=args.named_group)) + return 0 + + +if __name__ == "__main__": + sys.exit(main()) diff --git a/tests/scripts/mbedtls_test.py b/tests/scripts/mbedtls_test.py deleted file mode 100755 index 64f12bbb31aa..000000000000 --- a/tests/scripts/mbedtls_test.py +++ /dev/null @@ -1,382 +0,0 @@ -#!/usr/bin/env python3 - -# Greentea host test script for Mbed TLS on-target test suite testing. -# -# Copyright The Mbed TLS Contributors -# SPDX-License-Identifier: Apache-2.0 -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -""" -Mbed TLS on-target test suite tests are implemented as Greentea -tests. Greentea tests are implemented in two parts: target test and -host test. Target test is a C application that is built for the -target platform and executes on the target. Host test is a Python -class derived from mbed_host_tests.BaseHostTest. Target communicates -with the host over serial for the test data and sends back the result. - -Python tool mbedgt (Greentea) is responsible for flashing the test -binary on to the target and dynamically loading this host test module. - -Greentea documentation can be found here: -https://github.com/ARMmbed/greentea -""" - - -import re -import os -import binascii - -from mbed_host_tests import BaseHostTest, event_callback # type: ignore # pylint: disable=import-error - - -class TestDataParserError(Exception): - """Indicates error in test data, read from .data file.""" - pass - - -class TestDataParser: - """ - Parses test name, dependencies, test function name and test parameters - from the data file. - """ - - def __init__(self): - """ - Constructor - """ - self.tests = [] - - def parse(self, data_file): - """ - Data file parser. - - :param data_file: Data file path - """ - with open(data_file, 'r') as data_f: - self.__parse(data_f) - - @staticmethod - def __escaped_split(inp_str, split_char): - """ - Splits inp_str on split_char except when escaped. - - :param inp_str: String to split - :param split_char: Split character - :return: List of splits - """ - split_colon_fn = lambda x: re.sub(r'\\' + split_char, split_char, x) - if len(split_char) > 1: - raise ValueError('Expected split character. Found string!') - out = list(map(split_colon_fn, re.split(r'(?<!\\)' + split_char, inp_str))) - out = [x for x in out if x] - return out - - def __parse(self, data_f): - """ - Parses data file using supplied file object. - - :param data_f: Data file object - :return: - """ - for line in data_f: - line = line.strip() - if not line: - continue - # Read test name - name = line - - # Check dependencies - dependencies = [] - line = next(data_f).strip() - match = re.search('depends_on:(.*)', line) - if match: - dependencies = [int(x) for x in match.group(1).split(':')] - line = next(data_f).strip() - - # Read test vectors - line = line.replace('\\n', '\n') - parts = self.__escaped_split(line, ':') - function_name = int(parts[0]) - args = parts[1:] - args_count = len(args) - if args_count % 2 != 0: - err_str_fmt = "Number of test arguments({}) should be even: {}" - raise TestDataParserError(err_str_fmt.format(args_count, line)) - grouped_args = [(args[i * 2], args[(i * 2) + 1]) - for i in range(int(len(args)/2))] - self.tests.append((name, function_name, dependencies, - grouped_args)) - - def get_test_data(self): - """ - Returns test data. - """ - return self.tests - - -class MbedTlsTest(BaseHostTest): - """ - Host test for Mbed TLS unit tests. This script is loaded at - run time by Greentea for executing Mbed TLS test suites. Each - communication from the target is received in this object as - an event, which is then handled by the event handler method - decorated by the associated event. Ex: @event_callback('GO'). - - Target test sends requests for dispatching next test. It reads - tests from the intermediate data file and sends test function - identifier, dependency identifiers, expression identifiers and - the test data in binary form. Target test checks dependencies - , evaluate integer constant expressions and dispatches the test - function with received test parameters. After test function is - finished, target sends the result. This class handles the result - event and prints verdict in the form that Greentea understands. - - """ - # status/error codes from suites/helpers.function - DEPENDENCY_SUPPORTED = 0 - KEY_VALUE_MAPPING_FOUND = DEPENDENCY_SUPPORTED - DISPATCH_TEST_SUCCESS = DEPENDENCY_SUPPORTED - - KEY_VALUE_MAPPING_NOT_FOUND = -1 # Expression Id not found. - DEPENDENCY_NOT_SUPPORTED = -2 # Dependency not supported. - DISPATCH_TEST_FN_NOT_FOUND = -3 # Test function not found. - DISPATCH_INVALID_TEST_DATA = -4 # Invalid parameter type. - DISPATCH_UNSUPPORTED_SUITE = -5 # Test suite not supported/enabled. - - def __init__(self): - """ - Constructor initialises test index to 0. - """ - super(MbedTlsTest, self).__init__() - self.tests = [] - self.test_index = -1 - self.dep_index = 0 - self.suite_passed = True - self.error_str = dict() - self.error_str[self.DEPENDENCY_SUPPORTED] = \ - 'DEPENDENCY_SUPPORTED' - self.error_str[self.KEY_VALUE_MAPPING_NOT_FOUND] = \ - 'KEY_VALUE_MAPPING_NOT_FOUND' - self.error_str[self.DEPENDENCY_NOT_SUPPORTED] = \ - 'DEPENDENCY_NOT_SUPPORTED' - self.error_str[self.DISPATCH_TEST_FN_NOT_FOUND] = \ - 'DISPATCH_TEST_FN_NOT_FOUND' - self.error_str[self.DISPATCH_INVALID_TEST_DATA] = \ - 'DISPATCH_INVALID_TEST_DATA' - self.error_str[self.DISPATCH_UNSUPPORTED_SUITE] = \ - 'DISPATCH_UNSUPPORTED_SUITE' - - def setup(self): - """ - Setup hook implementation. Reads test suite data file and parses out - tests. - """ - binary_path = self.get_config_item('image_path') - script_dir = os.path.split(os.path.abspath(__file__))[0] - suite_name = os.path.splitext(os.path.basename(binary_path))[0] - data_file = ".".join((suite_name, 'datax')) - data_file = os.path.join(script_dir, '..', 'mbedtls', - suite_name, data_file) - if os.path.exists(data_file): - self.log("Running tests from %s" % data_file) - parser = TestDataParser() - parser.parse(data_file) - self.tests = parser.get_test_data() - self.print_test_info() - else: - self.log("Data file not found: %s" % data_file) - self.notify_complete(False) - - def print_test_info(self): - """ - Prints test summary read by Greentea to detect test cases. - """ - self.log('{{__testcase_count;%d}}' % len(self.tests)) - for name, _, _, _ in self.tests: - self.log('{{__testcase_name;%s}}' % name) - - @staticmethod - def align_32bit(data_bytes): - """ - 4 byte aligns input byte array. - - :return: - """ - data_bytes += bytearray((4 - (len(data_bytes))) % 4) - - @staticmethod - def hex_str_bytes(hex_str): - """ - Converts Hex string representation to byte array - - :param hex_str: Hex in string format. - :return: Output Byte array - """ - if hex_str[0] != '"' or hex_str[len(hex_str) - 1] != '"': - raise TestDataParserError("HEX test parameter missing '\"':" - " %s" % hex_str) - hex_str = hex_str.strip('"') - if len(hex_str) % 2 != 0: - raise TestDataParserError("HEX parameter len should be mod of " - "2: %s" % hex_str) - - data_bytes = binascii.unhexlify(hex_str) - return data_bytes - - @staticmethod - def int32_to_big_endian_bytes(i): - """ - Coverts i to byte array in big endian format. - - :param i: Input integer - :return: Output bytes array in big endian or network order - """ - data_bytes = bytearray([((i >> x) & 0xff) for x in [24, 16, 8, 0]]) - return data_bytes - - def test_vector_to_bytes(self, function_id, dependencies, parameters): - """ - Converts test vector into a byte array that can be sent to the target. - - :param function_id: Test Function Identifier - :param dependencies: Dependency list - :param parameters: Test function input parameters - :return: Byte array and its length - """ - data_bytes = bytearray([len(dependencies)]) - if dependencies: - data_bytes += bytearray(dependencies) - data_bytes += bytearray([function_id, len(parameters)]) - for typ, param in parameters: - if typ in ('int', 'exp'): - i = int(param, 0) - data_bytes += b'I' if typ == 'int' else b'E' - self.align_32bit(data_bytes) - data_bytes += self.int32_to_big_endian_bytes(i) - elif typ == 'char*': - param = param.strip('"') - i = len(param) + 1 # + 1 for null termination - data_bytes += b'S' - self.align_32bit(data_bytes) - data_bytes += self.int32_to_big_endian_bytes(i) - data_bytes += bytearray(param, encoding='ascii') - data_bytes += b'\0' # Null terminate - elif typ == 'hex': - binary_data = self.hex_str_bytes(param) - data_bytes += b'H' - self.align_32bit(data_bytes) - i = len(binary_data) - data_bytes += self.int32_to_big_endian_bytes(i) - data_bytes += binary_data - length = self.int32_to_big_endian_bytes(len(data_bytes)) - return data_bytes, length - - def run_next_test(self): - """ - Fetch next test information and execute the test. - - """ - self.test_index += 1 - self.dep_index = 0 - if self.test_index < len(self.tests): - name, function_id, dependencies, args = self.tests[self.test_index] - self.run_test(name, function_id, dependencies, args) - else: - self.notify_complete(self.suite_passed) - - def run_test(self, name, function_id, dependencies, args): - """ - Execute the test on target by sending next test information. - - :param name: Test name - :param function_id: function identifier - :param dependencies: Dependencies list - :param args: test parameters - :return: - """ - self.log("Running: %s" % name) - - param_bytes, length = self.test_vector_to_bytes(function_id, - dependencies, args) - self.send_kv( - ''.join('{:02x}'.format(x) for x in length), - ''.join('{:02x}'.format(x) for x in param_bytes) - ) - - @staticmethod - def get_result(value): - """ - Converts result from string type to integer - :param value: Result code in string - :return: Integer result code. Value is from the test status - constants defined under the MbedTlsTest class. - """ - try: - return int(value) - except ValueError: - ValueError("Result should return error number. " - "Instead received %s" % value) - - @event_callback('GO') - def on_go(self, _key, _value, _timestamp): - """ - Sent by the target to start first test. - - :param _key: Event key - :param _value: Value. ignored - :param _timestamp: Timestamp ignored. - :return: - """ - self.run_next_test() - - @event_callback("R") - def on_result(self, _key, value, _timestamp): - """ - Handle result. Prints test start, finish required by Greentea - to detect test execution. - - :param _key: Event key - :param value: Value. ignored - :param _timestamp: Timestamp ignored. - :return: - """ - int_val = self.get_result(value) - name, _, _, _ = self.tests[self.test_index] - self.log('{{__testcase_start;%s}}' % name) - self.log('{{__testcase_finish;%s;%d;%d}}' % (name, int_val == 0, - int_val != 0)) - if int_val != 0: - self.suite_passed = False - self.run_next_test() - - @event_callback("F") - def on_failure(self, _key, value, _timestamp): - """ - Handles test execution failure. That means dependency not supported or - Test function not supported. Hence marking test as skipped. - - :param _key: Event key - :param value: Value. ignored - :param _timestamp: Timestamp ignored. - :return: - """ - int_val = self.get_result(value) - if int_val in self.error_str: - err = self.error_str[int_val] - else: - err = 'Unknown error' - # For skip status, do not write {{__testcase_finish;...}} - self.log("Error: %s" % err) - self.run_next_test() diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index dd24db79fbab..c63b51130695 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -29,12 +29,12 @@ my %configs = ( 'config-ccm-psk-tls1_2.h' => { - 'compat' => '-m tls1_2 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'', + 'compat' => '-m tls12 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'', }, 'config-no-entropy.h' => { }, 'config-suite-b.h' => { - 'compat' => "-m tls1_2 -f 'ECDHE-ECDSA.*AES.*GCM' -p mbedTLS", + 'compat' => "-m tls12 -f 'ECDHE-ECDSA.*AES.*GCM' -p mbedTLS", }, 'config-symmetric-only.h' => { }, diff --git a/tests/scripts/test_psa_compliance.py b/tests/scripts/test_psa_compliance.py new file mode 100755 index 000000000000..ea52c93eba4c --- /dev/null +++ b/tests/scripts/test_psa_compliance.py @@ -0,0 +1,146 @@ +#!/usr/bin/env python3 +"""Run the PSA Cryto API compliance test suite. +Clone the repo and check out the commit specified by PSA_ARCH_TEST_REPO and PSA_ARCH_TEST_REF, +then complie and run the test suite. The clone is stored at <Mbed TLS root>/psa-arch-tests. +Known defects in either the test suite or mbedtls - identified by their test number - are ignored, +while unexpected failures AND successes are reported as errors, +to help keep the list of known defects as up to date as possible. +""" + +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import os +import re +import shutil +import subprocess +import sys + +# PSA Compliance tests we expect to fail due to known defects in Mbed TLS (or the test suite) +# The test numbers correspond to the numbers used by the console output of the test suite. +# Test number 2xx corresponds to the files in the folder +# psa-arch-tests/api-tests/dev_apis/crypto/test_c0xx +EXPECTED_FAILURES = { + # Multipart CCM is not supported. + # - Tracked in issue #3721 + 252, 253, 254, 255, 256, 257, 258, 259, 261, + + # psa_hash_suspend() and psa_hash_resume() are not supported. + # - Tracked in issue #3274 + 262, 263 +} + +# We currently use a fork of ARM-software/psa-arch-tests, with a couple of downstream patches +# that allow it to build with MbedTLS 3, and fixes a couple of issues in the compliance test suite. +# These fixes allow the tests numbered 216, 248 and 249 to complete successfully. +# +# Once all the fixes are upstreamed, this fork should be replaced with an upstream commit/tag. +# - Tracked in issue #5145 +# +# Web URL: https://github.com/bensze01/psa-arch-tests/tree/fixes-for-mbedtls-3 +PSA_ARCH_TESTS_REPO = 'https://github.com/bensze01/psa-arch-tests.git' +PSA_ARCH_TESTS_REF = 'fixes-for-mbedtls-3' + +#pylint: disable=too-many-branches,too-many-statements +def main(): + mbedtls_dir = os.getcwd() + + if not os.path.exists('library/libmbedcrypto.a'): + subprocess.check_call(['make', '-C', 'library', 'libmbedcrypto.a']) + + psa_arch_tests_dir = 'psa-arch-tests' + os.makedirs(psa_arch_tests_dir, exist_ok=True) + try: + os.chdir(psa_arch_tests_dir) + + # Reuse existing local clone + subprocess.check_call(['git', 'init']) + subprocess.check_call(['git', 'fetch', PSA_ARCH_TESTS_REPO, PSA_ARCH_TESTS_REF]) + subprocess.check_call(['git', 'checkout', 'FETCH_HEAD']) + + build_dir = 'api-tests/build' + try: + shutil.rmtree(build_dir) + except FileNotFoundError: + pass + os.mkdir(build_dir) + os.chdir(build_dir) + + #pylint: disable=bad-continuation + subprocess.check_call([ + 'cmake', '..', + '-GUnix Makefiles', + '-DTARGET=tgt_dev_apis_stdc', + '-DTOOLCHAIN=HOST_GCC', + '-DSUITE=CRYPTO', + '-DPSA_CRYPTO_LIB_FILENAME={}/library/libmbedcrypto.a'.format(mbedtls_dir), + '-DPSA_INCLUDE_PATHS={}/include'.format(mbedtls_dir) + ]) + subprocess.check_call(['cmake', '--build', '.']) + + proc = subprocess.Popen(['./psa-arch-tests-crypto'], + bufsize=1, stdout=subprocess.PIPE, universal_newlines=True) + + test_re = re.compile( + '^TEST: (?P<test_num>[0-9]*)|' + '^TEST RESULT: (?P<test_result>FAILED|PASSED)' + ) + test = -1 + unexpected_successes = set(EXPECTED_FAILURES) + expected_failures = [] + unexpected_failures = [] + for line in proc.stdout: + print(line, end='') + match = test_re.match(line) + if match is not None: + groupdict = match.groupdict() + test_num = groupdict['test_num'] + if test_num is not None: + test = int(test_num) + elif groupdict['test_result'] == 'FAILED': + try: + unexpected_successes.remove(test) + expected_failures.append(test) + print('Expected failure, ignoring') + except KeyError: + unexpected_failures.append(test) + print('ERROR: Unexpected failure') + elif test in unexpected_successes: + print('ERROR: Unexpected success') + proc.wait() + + print() + print('***** test_psa_compliance.py report ******') + print() + print('Expected failures:', ', '.join(str(i) for i in expected_failures)) + print('Unexpected failures:', ', '.join(str(i) for i in unexpected_failures)) + print('Unexpected successes:', ', '.join(str(i) for i in sorted(unexpected_successes))) + print() + if unexpected_successes or unexpected_failures: + if unexpected_successes: + print('Unexpected successes encountered.') + print('Please remove the corresponding tests from ' + 'EXPECTED_FAILURES in tests/scripts/compliance_test.py') + print() + print('FAILED') + return 1 + else: + print('SUCCESS') + return 0 + finally: + os.chdir(mbedtls_dir) + +if __name__ == '__main__': + sys.exit(main()) diff --git a/tests/src/drivers/hash.c b/tests/src/drivers/hash.c index b1880f778e82..44e0e805910d 100644 --- a/tests/src/drivers/hash.c +++ b/tests/src/drivers/hash.c @@ -24,6 +24,10 @@ #include "test/drivers/hash.h" +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) +#include "libtestdriver1/library/psa_crypto_hash.h" +#endif + mbedtls_test_driver_hash_hooks_t mbedtls_test_driver_hash_hooks = MBEDTLS_TEST_DRIVER_HASH_INIT; @@ -41,10 +45,26 @@ psa_status_t mbedtls_test_transparent_hash_compute( } else { +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_HASH) mbedtls_test_driver_hash_hooks.driver_status = - mbedtls_transparent_test_driver_hash_compute( + libtestdriver1_mbedtls_psa_hash_compute( alg, input, input_length, hash, hash_size, hash_length ); +#elif defined(MBEDTLS_PSA_BUILTIN_HASH) + mbedtls_test_driver_hash_hooks.driver_status = + mbedtls_psa_hash_compute( + alg, input, input_length, + hash, hash_size, hash_length ); +#else + (void) alg; + (void) input; + (void) input_length; + (void) hash; + (void) hash_size; + (void) hash_length; + mbedtls_test_driver_hash_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; +#endif } return( mbedtls_test_driver_hash_hooks.driver_status ); @@ -63,8 +83,18 @@ psa_status_t mbedtls_test_transparent_hash_setup( } else { +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_HASH) + mbedtls_test_driver_hash_hooks.driver_status = + libtestdriver1_mbedtls_psa_hash_setup( operation, alg ); +#elif defined(MBEDTLS_PSA_BUILTIN_HASH) mbedtls_test_driver_hash_hooks.driver_status = - mbedtls_transparent_test_driver_hash_setup( operation, alg ); + mbedtls_psa_hash_setup( operation, alg ); +#else + (void) operation; + (void) alg; + mbedtls_test_driver_hash_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; +#endif } return( mbedtls_test_driver_hash_hooks.driver_status ); @@ -83,9 +113,19 @@ psa_status_t mbedtls_test_transparent_hash_clone( } else { +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_HASH) mbedtls_test_driver_hash_hooks.driver_status = - mbedtls_transparent_test_driver_hash_clone( source_operation, - target_operation ); + libtestdriver1_mbedtls_psa_hash_clone( source_operation, + target_operation ); +#elif defined(MBEDTLS_PSA_BUILTIN_HASH) + mbedtls_test_driver_hash_hooks.driver_status = + mbedtls_psa_hash_clone( source_operation, target_operation ); +#else + (void) source_operation; + (void) target_operation; + mbedtls_test_driver_hash_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; +#endif } return( mbedtls_test_driver_hash_hooks.driver_status ); @@ -105,9 +145,20 @@ psa_status_t mbedtls_test_transparent_hash_update( } else { +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_HASH) mbedtls_test_driver_hash_hooks.driver_status = - mbedtls_transparent_test_driver_hash_update( + libtestdriver1_mbedtls_psa_hash_update( operation, input, input_length ); +#elif defined(MBEDTLS_PSA_BUILTIN_HASH) + mbedtls_test_driver_hash_hooks.driver_status = + mbedtls_psa_hash_update( operation, input, input_length ); +#else + (void) operation; + (void) input; + (void) input_length; + mbedtls_test_driver_hash_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; +#endif } return( mbedtls_test_driver_hash_hooks.driver_status ); @@ -128,9 +179,21 @@ psa_status_t mbedtls_test_transparent_hash_finish( } else { +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_HASH) mbedtls_test_driver_hash_hooks.driver_status = - mbedtls_transparent_test_driver_hash_finish( + libtestdriver1_mbedtls_psa_hash_finish( operation, hash, hash_size, hash_length ); +#elif defined(MBEDTLS_PSA_BUILTIN_HASH) + mbedtls_test_driver_hash_hooks.driver_status = + mbedtls_psa_hash_finish( operation, hash, hash_size, hash_length ); +#else + (void) operation; + (void) hash; + (void) hash_size; + (void) hash_length; + mbedtls_test_driver_hash_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; +#endif } return( mbedtls_test_driver_hash_hooks.driver_status ); @@ -148,8 +211,17 @@ psa_status_t mbedtls_test_transparent_hash_abort( } else { +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_HASH) + mbedtls_test_driver_hash_hooks.driver_status = + libtestdriver1_mbedtls_psa_hash_abort( operation ); +#elif defined(MBEDTLS_PSA_BUILTIN_HASH) mbedtls_test_driver_hash_hooks.driver_status = - mbedtls_transparent_test_driver_hash_abort( operation ); + mbedtls_psa_hash_abort( operation ); +#else + (void) operation; + mbedtls_test_driver_hash_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; +#endif } return( mbedtls_test_driver_hash_hooks.driver_status ); diff --git a/tests/src/drivers/test_driver_aead.c b/tests/src/drivers/test_driver_aead.c index 6befe7cc0f5a..b5619603fdf7 100644 --- a/tests/src/drivers/test_driver_aead.c +++ b/tests/src/drivers/test_driver_aead.c @@ -46,6 +46,7 @@ psa_status_t mbedtls_test_transparent_aead_encrypt( } else { +#if defined(MBEDTLS_PSA_BUILTIN_AEAD) mbedtls_test_driver_aead_hooks.driver_status = mbedtls_psa_aead_encrypt( attributes, key_buffer, key_buffer_size, @@ -54,6 +55,22 @@ psa_status_t mbedtls_test_transparent_aead_encrypt( additional_data, additional_data_length, plaintext, plaintext_length, ciphertext, ciphertext_size, ciphertext_length ); +#else + (void) attributes; + (void) key_buffer; + (void) key_buffer_size; + (void) alg; + (void) nonce; + (void) nonce_length; + (void) additional_data; + (void) additional_data_length; + (void) plaintext; + (void) plaintext_length; + (void) ciphertext; + (void) ciphertext_size; + (void) ciphertext_length; + mbedtls_test_driver_aead_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; +#endif } return( mbedtls_test_driver_aead_hooks.driver_status ); @@ -77,6 +94,7 @@ psa_status_t mbedtls_test_transparent_aead_decrypt( } else { +#if defined(MBEDTLS_PSA_BUILTIN_AEAD) mbedtls_test_driver_aead_hooks.driver_status = mbedtls_psa_aead_decrypt( attributes, key_buffer, key_buffer_size, @@ -85,6 +103,22 @@ psa_status_t mbedtls_test_transparent_aead_decrypt( additional_data, additional_data_length, ciphertext, ciphertext_length, plaintext, plaintext_size, plaintext_length ); +#else + (void) attributes; + (void) key_buffer; + (void) key_buffer_size; + (void) alg; + (void) nonce; + (void) nonce_length; + (void) additional_data; + (void) additional_data_length; + (void) ciphertext; + (void) ciphertext_length; + (void) plaintext; + (void) plaintext_size; + (void) plaintext_length; + mbedtls_test_driver_aead_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; +#endif } return( mbedtls_test_driver_aead_hooks.driver_status ); @@ -105,9 +139,18 @@ psa_status_t mbedtls_test_transparent_aead_encrypt_setup( } else { +#if defined(MBEDTLS_PSA_BUILTIN_AEAD) mbedtls_test_driver_aead_hooks.driver_status = mbedtls_psa_aead_encrypt_setup( operation, attributes, key_buffer, key_buffer_size, alg ); +#else + (void) operation; + (void) attributes; + (void) key_buffer; + (void) key_buffer_size; + (void) alg; + mbedtls_test_driver_aead_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; +#endif } return( mbedtls_test_driver_aead_hooks.driver_status ); @@ -128,9 +171,18 @@ psa_status_t mbedtls_test_transparent_aead_decrypt_setup( } else { +#if defined(MBEDTLS_PSA_BUILTIN_AEAD) mbedtls_test_driver_aead_hooks.driver_status = mbedtls_psa_aead_decrypt_setup( operation, attributes, key_buffer, key_buffer_size, alg ); +#else + (void) operation; + (void) attributes; + (void) key_buffer; + (void) key_buffer_size; + (void) alg; + mbedtls_test_driver_aead_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; +#endif } return( mbedtls_test_driver_aead_hooks.driver_status ); @@ -150,8 +202,15 @@ psa_status_t mbedtls_test_transparent_aead_set_nonce( } else { +#if defined(MBEDTLS_PSA_BUILTIN_AEAD) mbedtls_test_driver_aead_hooks.driver_status = mbedtls_psa_aead_set_nonce( operation, nonce, nonce_length ); +#else + (void) operation; + (void) nonce; + (void) nonce_length; + mbedtls_test_driver_aead_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; +#endif } return( mbedtls_test_driver_aead_hooks.driver_status ); @@ -171,9 +230,16 @@ psa_status_t mbedtls_test_transparent_aead_set_lengths( } else { +#if defined(MBEDTLS_PSA_BUILTIN_AEAD) mbedtls_test_driver_aead_hooks.driver_status = mbedtls_psa_aead_set_lengths( operation, ad_length, plaintext_length ); +#else + (void) operation; + (void) ad_length; + (void) plaintext_length; + mbedtls_test_driver_aead_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; +#endif } return( mbedtls_test_driver_aead_hooks.driver_status ); @@ -193,8 +259,15 @@ psa_status_t mbedtls_test_transparent_aead_update_ad( } else { +#if defined(MBEDTLS_PSA_BUILTIN_AEAD) mbedtls_test_driver_aead_hooks.driver_status = mbedtls_psa_aead_update_ad( operation, input, input_length ); +#else + (void) operation; + (void) input; + (void) input_length; + mbedtls_test_driver_aead_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; +#endif } return( mbedtls_test_driver_aead_hooks.driver_status ); @@ -217,9 +290,19 @@ psa_status_t mbedtls_test_transparent_aead_update( } else { +#if defined(MBEDTLS_PSA_BUILTIN_AEAD) mbedtls_test_driver_aead_hooks.driver_status = mbedtls_psa_aead_update( operation, input, input_length, output, output_size, output_length ); +#else + (void) operation; + (void) input; + (void) input_length; + (void) output; + (void) output_size; + (void) output_length; + mbedtls_test_driver_aead_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; +#endif } return( mbedtls_test_driver_aead_hooks.driver_status ); @@ -243,10 +326,21 @@ psa_status_t mbedtls_test_transparent_aead_finish( } else { +#if defined(MBEDTLS_PSA_BUILTIN_AEAD) mbedtls_test_driver_aead_hooks.driver_status = mbedtls_psa_aead_finish( operation, ciphertext, ciphertext_size, ciphertext_length, tag, tag_size, tag_length ); +#else + (void) operation; + (void) ciphertext; + (void) ciphertext_size; + (void) ciphertext_length; + (void) tag; + (void) tag_size; + (void) tag_length; + mbedtls_test_driver_aead_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; +#endif } return( mbedtls_test_driver_aead_hooks.driver_status ); @@ -272,6 +366,7 @@ psa_status_t mbedtls_test_transparent_aead_verify( uint8_t check_tag[PSA_AEAD_TAG_MAX_SIZE]; size_t check_tag_length; +#if defined(MBEDTLS_PSA_BUILTIN_AEAD) mbedtls_test_driver_aead_hooks.driver_status = mbedtls_psa_aead_finish( operation, plaintext, @@ -280,6 +375,13 @@ psa_status_t mbedtls_test_transparent_aead_verify( check_tag, sizeof( check_tag ), &check_tag_length ); +#else + (void) operation; + (void) plaintext; + (void) plaintext_size; + (void) plaintext_length; + mbedtls_test_driver_aead_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; +#endif if( mbedtls_test_driver_aead_hooks.driver_status == PSA_SUCCESS ) { @@ -308,8 +410,13 @@ psa_status_t mbedtls_test_transparent_aead_abort( } else { +#if defined(MBEDTLS_PSA_BUILTIN_AEAD) mbedtls_test_driver_aead_hooks.driver_status = mbedtls_psa_aead_abort( operation ); +#else + (void) operation; + mbedtls_test_driver_aead_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; +#endif } return( mbedtls_test_driver_aead_hooks.driver_status ); diff --git a/tests/src/drivers/test_driver_cipher.c b/tests/src/drivers/test_driver_cipher.c index 89a7b5994495..353640807fd9 100644 --- a/tests/src/drivers/test_driver_cipher.c +++ b/tests/src/drivers/test_driver_cipher.c @@ -30,6 +30,10 @@ #include "test/random.h" +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) +#include "libtestdriver1/library/psa_crypto_cipher.h" +#endif + #include <string.h> mbedtls_test_driver_cipher_hooks_t mbedtls_test_driver_cipher_hooks = @@ -40,6 +44,8 @@ psa_status_t mbedtls_test_transparent_cipher_encrypt( const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg, + const uint8_t *iv, + size_t iv_length, const uint8_t *input, size_t input_length, uint8_t *output, @@ -64,12 +70,21 @@ psa_status_t mbedtls_test_transparent_cipher_encrypt( if( mbedtls_test_driver_cipher_hooks.forced_status != PSA_SUCCESS ) return( mbedtls_test_driver_cipher_hooks.forced_status ); - psa_generate_random( output, PSA_CIPHER_IV_LENGTH( attributes->core.type, alg ) ); - - return( mbedtls_transparent_test_driver_cipher_encrypt( +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_CIPHER) + return( libtestdriver1_mbedtls_psa_cipher_encrypt( + (const libtestdriver1_psa_key_attributes_t *)attributes, + key_buffer, key_buffer_size, + alg, iv, iv_length, input, input_length, + output, output_size, output_length ) ); +#elif defined(MBEDTLS_PSA_BUILTIN_CIPHER) + return( mbedtls_psa_cipher_encrypt( attributes, key_buffer, key_buffer_size, - alg, input, input_length, + alg, iv, iv_length, input, input_length, output, output_size, output_length ) ); +#endif + + return( PSA_ERROR_NOT_SUPPORTED ); } psa_status_t mbedtls_test_transparent_cipher_decrypt( @@ -101,10 +116,21 @@ psa_status_t mbedtls_test_transparent_cipher_decrypt( if( mbedtls_test_driver_cipher_hooks.forced_status != PSA_SUCCESS ) return( mbedtls_test_driver_cipher_hooks.forced_status ); - return( mbedtls_transparent_test_driver_cipher_decrypt( +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_CIPHER) + return( libtestdriver1_mbedtls_psa_cipher_decrypt( + (const libtestdriver1_psa_key_attributes_t *)attributes, + key_buffer, key_buffer_size, + alg, input, input_length, + output, output_size, output_length ) ); +#elif defined(MBEDTLS_PSA_BUILTIN_CIPHER) + return( mbedtls_psa_cipher_decrypt( attributes, key_buffer, key_buffer_size, alg, input, input_length, output, output_size, output_length ) ); +#endif + + return( PSA_ERROR_NOT_SUPPORTED ); } psa_status_t mbedtls_test_transparent_cipher_encrypt_setup( @@ -124,8 +150,18 @@ psa_status_t mbedtls_test_transparent_cipher_encrypt_setup( if( mbedtls_test_driver_cipher_hooks.forced_status != PSA_SUCCESS ) return( mbedtls_test_driver_cipher_hooks.forced_status ); - return ( mbedtls_transparent_test_driver_cipher_encrypt_setup( - operation, attributes, key, key_length, alg ) ); +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_CIPHER) + return( libtestdriver1_mbedtls_psa_cipher_encrypt_setup( + operation, + (const libtestdriver1_psa_key_attributes_t *)attributes, + key, key_length, alg ) ); +#elif defined(MBEDTLS_PSA_BUILTIN_CIPHER) + return( mbedtls_psa_cipher_encrypt_setup( + operation, attributes, key, key_length, alg ) ); +#endif + + return( PSA_ERROR_NOT_SUPPORTED ); } psa_status_t mbedtls_test_transparent_cipher_decrypt_setup( @@ -139,8 +175,18 @@ psa_status_t mbedtls_test_transparent_cipher_decrypt_setup( if( mbedtls_test_driver_cipher_hooks.forced_status != PSA_SUCCESS ) return( mbedtls_test_driver_cipher_hooks.forced_status ); - return ( mbedtls_transparent_test_driver_cipher_decrypt_setup( - operation, attributes, key, key_length, alg ) ); +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_CIPHER) + return( libtestdriver1_mbedtls_psa_cipher_decrypt_setup( + operation, + (const libtestdriver1_psa_key_attributes_t *)attributes, + key, key_length, alg ) ); +#elif defined(MBEDTLS_PSA_BUILTIN_CIPHER) + return( mbedtls_psa_cipher_decrypt_setup( + operation, attributes, key, key_length, alg ) ); +#endif + + return( PSA_ERROR_NOT_SUPPORTED ); } psa_status_t mbedtls_test_transparent_cipher_abort( @@ -148,10 +194,12 @@ psa_status_t mbedtls_test_transparent_cipher_abort( { mbedtls_test_driver_cipher_hooks.hits++; - if( operation->alg == 0 ) - return( PSA_SUCCESS ); - - mbedtls_transparent_test_driver_cipher_abort( operation ); +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_CIPHER) + libtestdriver1_mbedtls_psa_cipher_abort( operation ); +#elif defined(MBEDTLS_PSA_BUILTIN_CIPHER) + mbedtls_psa_cipher_abort( operation ); +#endif /* Wiping the entire struct here, instead of member-by-member. This is * useful for the test suite, since it gives a chance of catching memory @@ -172,8 +220,15 @@ psa_status_t mbedtls_test_transparent_cipher_set_iv( if( mbedtls_test_driver_cipher_hooks.forced_status != PSA_SUCCESS ) return( mbedtls_test_driver_cipher_hooks.forced_status ); - return( mbedtls_transparent_test_driver_cipher_set_iv( +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_CIPHER) + return( libtestdriver1_mbedtls_psa_cipher_set_iv( operation, iv, iv_length ) ); +#elif defined(MBEDTLS_PSA_BUILTIN_CIPHER) + return( mbedtls_psa_cipher_set_iv( operation, iv, iv_length ) ); +#endif + + return( PSA_ERROR_NOT_SUPPORTED ); } psa_status_t mbedtls_test_transparent_cipher_update( @@ -202,9 +257,18 @@ psa_status_t mbedtls_test_transparent_cipher_update( if( mbedtls_test_driver_cipher_hooks.forced_status != PSA_SUCCESS ) return( mbedtls_test_driver_cipher_hooks.forced_status ); - return( mbedtls_transparent_test_driver_cipher_update( +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_CIPHER) + return( libtestdriver1_mbedtls_psa_cipher_update( operation, input, input_length, output, output_size, output_length ) ); +#elif defined(MBEDTLS_PSA_BUILTIN_CIPHER) + return( mbedtls_psa_cipher_update( + operation, input, input_length, + output, output_size, output_length ) ); +#endif + + return( PSA_ERROR_NOT_SUPPORTED ); } psa_status_t mbedtls_test_transparent_cipher_finish( @@ -231,8 +295,16 @@ psa_status_t mbedtls_test_transparent_cipher_finish( if( mbedtls_test_driver_cipher_hooks.forced_status != PSA_SUCCESS ) return( mbedtls_test_driver_cipher_hooks.forced_status ); - return( mbedtls_transparent_test_driver_cipher_finish( +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_CIPHER) + return( libtestdriver1_mbedtls_psa_cipher_finish( + operation, output, output_size, output_length ) ); +#elif defined(MBEDTLS_PSA_BUILTIN_CIPHER) + return( mbedtls_psa_cipher_finish( operation, output, output_size, output_length ) ); +#endif + + return( PSA_ERROR_NOT_SUPPORTED ); } /* @@ -242,6 +314,7 @@ psa_status_t mbedtls_test_opaque_cipher_encrypt( const psa_key_attributes_t *attributes, const uint8_t *key, size_t key_length, psa_algorithm_t alg, + const uint8_t *iv, size_t iv_length, const uint8_t *input, size_t input_length, uint8_t *output, size_t output_size, size_t *output_length) { @@ -249,6 +322,8 @@ psa_status_t mbedtls_test_opaque_cipher_encrypt( (void) key; (void) key_length; (void) alg; + (void) iv; + (void) iv_length; (void) input; (void) input_length; (void) output; diff --git a/tests/src/drivers/test_driver_key_management.c b/tests/src/drivers/test_driver_key_management.c index 61ebc8aa1aba..5028073a6279 100644 --- a/tests/src/drivers/test_driver_key_management.c +++ b/tests/src/drivers/test_driver_key_management.c @@ -29,9 +29,13 @@ #include "mbedtls/error.h" #include "test/drivers/key_management.h" - #include "test/random.h" +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) +#include "libtestdriver1/library/psa_crypto_ecp.h" +#include "libtestdriver1/library/psa_crypto_rsa.h" +#endif + #include <string.h> mbedtls_test_driver_key_management_hooks_t @@ -56,6 +60,38 @@ const uint8_t mbedtls_test_driver_ecdsa_pubkey[65] = 0xbc, 0x25, 0x16, 0xc3, 0xd2, 0x70, 0x2d, 0x79, 0x2f, 0x13, 0x1a, 0x92, 0x20, 0x95, 0xfd, 0x6c }; +psa_status_t mbedtls_test_transparent_init( void ) +{ + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) + status = libtestdriver1_psa_crypto_init( ); + if( status != PSA_SUCCESS ) + return( status ); +#endif + + (void)status; + return( PSA_SUCCESS ); +} + +void mbedtls_test_transparent_free( void ) +{ +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) + libtestdriver1_mbedtls_psa_crypto_free( ); +#endif + + return; +} + +psa_status_t mbedtls_test_opaque_init( void ) +{ + return( PSA_SUCCESS ); +} + +void mbedtls_test_opaque_free( void ) +{ + return; +} /* * This macro returns the base size for the key context when SE does not @@ -173,27 +209,34 @@ psa_status_t mbedtls_test_transparent_generate_key( return( PSA_SUCCESS ); } - /* Copied from psa_crypto.c */ -#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) - if ( PSA_KEY_TYPE_IS_ECC( psa_get_key_type( attributes ) ) - && PSA_KEY_TYPE_IS_KEY_PAIR( psa_get_key_type( attributes ) ) ) + if( PSA_KEY_TYPE_IS_ECC( psa_get_key_type( attributes ) ) + && PSA_KEY_TYPE_IS_KEY_PAIR( psa_get_key_type( attributes ) ) ) { - return( mbedtls_transparent_test_driver_ecp_generate_key( +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) + return( libtestdriver1_mbedtls_psa_ecp_generate_key( + (const libtestdriver1_psa_key_attributes_t *)attributes, + key, key_size, key_length ) ); +#elif defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) + return( mbedtls_psa_ecp_generate_key( attributes, key, key_size, key_length ) ); +#endif } - else -#endif /* defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) */ - -#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) - if ( psa_get_key_type( attributes ) == PSA_KEY_TYPE_RSA_KEY_PAIR ) - return( mbedtls_transparent_test_driver_rsa_generate_key( - attributes, key, key_size, key_length ) ); - else -#endif /* defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) */ + else if( psa_get_key_type( attributes ) == PSA_KEY_TYPE_RSA_KEY_PAIR ) { - (void)attributes; - return( PSA_ERROR_NOT_SUPPORTED ); +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) + return( libtestdriver1_mbedtls_psa_rsa_generate_key( + (const libtestdriver1_psa_key_attributes_t *)attributes, + key, key_size, key_length ) ); +#elif defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) + return( mbedtls_psa_rsa_generate_key( + attributes, key, key_size, key_length ) ); +#endif } + + (void)attributes; + return( PSA_ERROR_NOT_SUPPORTED ); } psa_status_t mbedtls_test_opaque_generate_key( @@ -221,45 +264,56 @@ psa_status_t mbedtls_test_transparent_import_key( if( mbedtls_test_driver_key_management_hooks.forced_status != PSA_SUCCESS ) return( mbedtls_test_driver_key_management_hooks.forced_status ); - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_type_t type = psa_get_key_type( attributes ); -#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) if( PSA_KEY_TYPE_IS_ECC( type ) ) { - status = mbedtls_test_driver_ecp_import_key( - attributes, - data, data_length, - key_buffer, key_buffer_size, - key_buffer_length, bits ); - } - else +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + ( defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) ) + return( libtestdriver1_mbedtls_psa_ecp_import_key( + (const libtestdriver1_psa_key_attributes_t *)attributes, + data, data_length, + key_buffer, key_buffer_size, + key_buffer_length, bits ) ); +#elif defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) + return( mbedtls_psa_ecp_import_key( + attributes, + data, data_length, + key_buffer, key_buffer_size, + key_buffer_length, bits ) ); #endif -#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY) - if( PSA_KEY_TYPE_IS_RSA( type ) ) - { - status = mbedtls_test_driver_rsa_import_key( - attributes, - data, data_length, - key_buffer, key_buffer_size, - key_buffer_length, bits ); } - else -#endif + else if( PSA_KEY_TYPE_IS_RSA( type ) ) { - status = PSA_ERROR_NOT_SUPPORTED; - (void)data; - (void)data_length; - (void)key_buffer; - (void)key_buffer_size; - (void)key_buffer_length; - (void)bits; - (void)type; +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + ( defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) ) + return( libtestdriver1_mbedtls_psa_rsa_import_key( + (const libtestdriver1_psa_key_attributes_t *)attributes, + data, data_length, + key_buffer, key_buffer_size, + key_buffer_length, bits ) ); +#elif defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) + return( mbedtls_psa_rsa_import_key( + attributes, + data, data_length, + key_buffer, key_buffer_size, + key_buffer_length, bits ) ); +#endif } - return( status ); + (void)data; + (void)data_length; + (void)key_buffer; + (void)key_buffer_size; + (void)key_buffer_length; + (void)bits; + (void)type; + + return( PSA_ERROR_NOT_SUPPORTED ); } @@ -298,40 +352,58 @@ psa_status_t mbedtls_test_opaque_import_key( memcpy( key_buffer_temp, data, data_length ); *key_buffer_length = data_length; } -#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) else if( PSA_KEY_TYPE_IS_ECC( type ) ) { - status = mbedtls_test_driver_ecp_import_key( +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + ( defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) ) + status = libtestdriver1_mbedtls_psa_ecp_import_key( + (const libtestdriver1_psa_key_attributes_t *)attributes, + data, data_length, + key_buffer_temp, key_buffer_size, + key_buffer_length, bits ); +#elif defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) + status = mbedtls_psa_ecp_import_key( attributes, data, data_length, - key_buffer_temp, - key_buffer_size, + key_buffer_temp, key_buffer_size, key_buffer_length, bits ); +#else + status = PSA_ERROR_NOT_SUPPORTED; +#endif if( status != PSA_SUCCESS ) goto exit; } - else -#endif -#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY) - if( PSA_KEY_TYPE_IS_RSA( type ) ) + else if( PSA_KEY_TYPE_IS_RSA( type ) ) { - status = mbedtls_test_driver_rsa_import_key( +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + ( defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY) ) + status = libtestdriver1_mbedtls_psa_rsa_import_key( + (const libtestdriver1_psa_key_attributes_t *)attributes, + data, data_length, + key_buffer_temp, key_buffer_size, + key_buffer_length, bits ); +#elif defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) + status = mbedtls_psa_rsa_import_key( attributes, data, data_length, - key_buffer_temp, - key_buffer_size, + key_buffer_temp, key_buffer_size, key_buffer_length, bits ); +#else + status = PSA_ERROR_NOT_SUPPORTED; +#endif if( status != PSA_SUCCESS ) goto exit; } else -#endif { status = PSA_ERROR_INVALID_ARGUMENT; goto exit; } + status = mbedtls_test_opaque_wrap_key( key_buffer_temp, *key_buffer_length, key_buffer, key_buffer_size, key_buffer_length ); exit: @@ -439,39 +511,48 @@ psa_status_t mbedtls_test_transparent_export_public_key( return( PSA_SUCCESS ); } - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_type_t key_type = psa_get_key_type( attributes ); -#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) if( PSA_KEY_TYPE_IS_ECC( key_type ) ) { - status = mbedtls_test_driver_ecp_export_public_key( - attributes, - key_buffer, key_buffer_size, - data, data_size, data_length ); - } - else +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + ( defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) ) + return( libtestdriver1_mbedtls_psa_ecp_export_public_key( + (const libtestdriver1_psa_key_attributes_t *)attributes, + key_buffer, key_buffer_size, + data, data_size, data_length ) ); +#elif defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) + return( mbedtls_psa_ecp_export_public_key( + attributes, + key_buffer, key_buffer_size, + data, data_size, data_length ) ); #endif -#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY) - if( PSA_KEY_TYPE_IS_RSA( key_type ) ) - { - status = mbedtls_test_driver_rsa_export_public_key( - attributes, - key_buffer, key_buffer_size, - data, data_size, data_length ); } - else -#endif + else if( PSA_KEY_TYPE_IS_RSA( key_type ) ) { - status = PSA_ERROR_NOT_SUPPORTED; - (void)key_buffer; - (void)key_buffer_size; - (void)key_type; +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + ( defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) ) + return( libtestdriver1_mbedtls_psa_rsa_export_public_key( + (const libtestdriver1_psa_key_attributes_t *)attributes, + key_buffer, key_buffer_size, + data, data_size, data_length ) ); +#elif defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) + return( mbedtls_psa_rsa_export_public_key( + attributes, + key_buffer, key_buffer_size, + data, data_size, data_length ) ); +#endif } - return( status ); + (void)key_buffer; + (void)key_buffer_size; + (void)key_type; + + return( PSA_ERROR_NOT_SUPPORTED ); } psa_status_t mbedtls_test_opaque_export_public_key( @@ -489,34 +570,55 @@ psa_status_t mbedtls_test_opaque_export_public_key( if( key_buffer_temp == NULL ) return( PSA_ERROR_INSUFFICIENT_MEMORY ); - #if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) if( PSA_KEY_TYPE_IS_ECC( key_type ) ) { status = mbedtls_test_opaque_unwrap_key( key, key_length, key_buffer_temp, key_length, data_length ); if( status == PSA_SUCCESS ) - status = mbedtls_test_driver_ecp_export_public_key( - attributes, - key_buffer_temp, *data_length, - data, data_size, data_length ); + { +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + ( defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) ) + status = libtestdriver1_mbedtls_psa_ecp_export_public_key( + (const libtestdriver1_psa_key_attributes_t *)attributes, + key_buffer_temp, *data_length, + data, data_size, data_length ); +#elif defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) + status = mbedtls_psa_ecp_export_public_key( + attributes, + key_buffer_temp, *data_length, + data, data_size, data_length ); +#else + status = PSA_ERROR_NOT_SUPPORTED; +#endif + } } - else - #endif - #if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY) - if( PSA_KEY_TYPE_IS_RSA( key_type ) ) + else if( PSA_KEY_TYPE_IS_RSA( key_type ) ) { status = mbedtls_test_opaque_unwrap_key( key, key_length, key_buffer_temp, key_length, data_length ); if( status == PSA_SUCCESS ) - status = mbedtls_test_driver_rsa_export_public_key( - attributes, - key_buffer_temp, *data_length, - data, data_size, data_length ); + { +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + ( defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY) ) + status = libtestdriver1_mbedtls_psa_rsa_export_public_key( + (const libtestdriver1_psa_key_attributes_t *)attributes, + key_buffer_temp, *data_length, + data, data_size, data_length ); +#elif defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) + status = mbedtls_psa_rsa_export_public_key( + attributes, + key_buffer_temp, *data_length, + data, data_size, data_length ); +#else + status = PSA_ERROR_NOT_SUPPORTED; +#endif + } } else - #endif { status = PSA_ERROR_NOT_SUPPORTED; (void)key; diff --git a/tests/src/drivers/test_driver_mac.c b/tests/src/drivers/test_driver_mac.c index 3b766dcb5318..f909785dfd17 100644 --- a/tests/src/drivers/test_driver_mac.c +++ b/tests/src/drivers/test_driver_mac.c @@ -24,6 +24,10 @@ #include "test/drivers/mac.h" +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) +#include "libtestdriver1/library/psa_crypto_mac.h" +#endif + mbedtls_test_driver_mac_hooks_t mbedtls_test_driver_mac_hooks = MBEDTLS_TEST_DRIVER_MAC_INIT; @@ -47,11 +51,32 @@ psa_status_t mbedtls_test_transparent_mac_compute( } else { +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_MAC) + mbedtls_test_driver_mac_hooks.driver_status = + libtestdriver1_mbedtls_psa_mac_compute( + (const libtestdriver1_psa_key_attributes_t *)attributes, + key_buffer, key_buffer_size, alg, + input, input_length, + mac, mac_size, mac_length ); +#elif defined(MBEDTLS_PSA_BUILTIN_MAC) mbedtls_test_driver_mac_hooks.driver_status = - mbedtls_transparent_test_driver_mac_compute( + mbedtls_psa_mac_compute( attributes, key_buffer, key_buffer_size, alg, input, input_length, mac, mac_size, mac_length ); +#else + (void) attributes; + (void) key_buffer; + (void) key_buffer_size; + (void) alg; + (void) input; + (void) input_length; + (void) mac; + (void) mac_size; + (void) mac_length; + mbedtls_test_driver_mac_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; +#endif } return( mbedtls_test_driver_mac_hooks.driver_status ); @@ -73,9 +98,25 @@ psa_status_t mbedtls_test_transparent_mac_sign_setup( } else { +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_MAC) mbedtls_test_driver_mac_hooks.driver_status = - mbedtls_transparent_test_driver_mac_sign_setup( + libtestdriver1_mbedtls_psa_mac_sign_setup( + operation, + (const libtestdriver1_psa_key_attributes_t *)attributes, + key_buffer, key_buffer_size, alg ); +#elif defined(MBEDTLS_PSA_BUILTIN_MAC) + mbedtls_test_driver_mac_hooks.driver_status = + mbedtls_psa_mac_sign_setup( operation, attributes, key_buffer, key_buffer_size, alg ); +#else + (void) operation; + (void) attributes; + (void) key_buffer; + (void) key_buffer_size; + (void) alg; + mbedtls_test_driver_mac_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; +#endif } return( mbedtls_test_driver_mac_hooks.driver_status ); @@ -97,9 +138,25 @@ psa_status_t mbedtls_test_transparent_mac_verify_setup( } else { +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_MAC) + mbedtls_test_driver_mac_hooks.driver_status = + libtestdriver1_mbedtls_psa_mac_verify_setup( + operation, + (const libtestdriver1_psa_key_attributes_t *)attributes, + key_buffer, key_buffer_size, alg ); +#elif defined(MBEDTLS_PSA_BUILTIN_MAC) mbedtls_test_driver_mac_hooks.driver_status = - mbedtls_transparent_test_driver_mac_verify_setup( + mbedtls_psa_mac_verify_setup( operation, attributes, key_buffer, key_buffer_size, alg ); +#else + (void) operation; + (void) attributes; + (void) key_buffer; + (void) key_buffer_size; + (void) alg; + mbedtls_test_driver_mac_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; +#endif } return( mbedtls_test_driver_mac_hooks.driver_status ); @@ -119,9 +176,21 @@ psa_status_t mbedtls_test_transparent_mac_update( } else { +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_MAC) + mbedtls_test_driver_mac_hooks.driver_status = + libtestdriver1_mbedtls_psa_mac_update( + operation, input, input_length ); +#elif defined(MBEDTLS_PSA_BUILTIN_MAC) mbedtls_test_driver_mac_hooks.driver_status = - mbedtls_transparent_test_driver_mac_update( + mbedtls_psa_mac_update( operation, input, input_length ); +#else + (void) operation; + (void) input; + (void) input_length; + mbedtls_test_driver_mac_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; +#endif } return( mbedtls_test_driver_mac_hooks.driver_status ); @@ -142,9 +211,22 @@ psa_status_t mbedtls_test_transparent_mac_sign_finish( } else { +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_MAC) + mbedtls_test_driver_mac_hooks.driver_status = + libtestdriver1_mbedtls_psa_mac_sign_finish( + operation, mac, mac_size, mac_length ); +#elif defined(MBEDTLS_PSA_BUILTIN_MAC) mbedtls_test_driver_mac_hooks.driver_status = - mbedtls_transparent_test_driver_mac_sign_finish( + mbedtls_psa_mac_sign_finish( operation, mac, mac_size, mac_length ); +#else + (void) operation; + (void) mac; + (void) mac_size; + (void) mac_length; + mbedtls_test_driver_mac_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; +#endif } return( mbedtls_test_driver_mac_hooks.driver_status ); @@ -164,9 +246,21 @@ psa_status_t mbedtls_test_transparent_mac_verify_finish( } else { +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_MAC) mbedtls_test_driver_mac_hooks.driver_status = - mbedtls_transparent_test_driver_mac_verify_finish( + libtestdriver1_mbedtls_psa_mac_verify_finish( operation, mac, mac_length ); +#elif defined(MBEDTLS_PSA_BUILTIN_MAC) + mbedtls_test_driver_mac_hooks.driver_status = + mbedtls_psa_mac_verify_finish( + operation, mac, mac_length ); +#else + (void) operation; + (void) mac; + (void) mac_length; + mbedtls_test_driver_mac_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; +#endif } return( mbedtls_test_driver_mac_hooks.driver_status ); @@ -184,8 +278,17 @@ psa_status_t mbedtls_test_transparent_mac_abort( } else { +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_MAC) + mbedtls_test_driver_mac_hooks.driver_status = + libtestdriver1_mbedtls_psa_mac_abort( operation ); +#elif defined(MBEDTLS_PSA_BUILTIN_MAC) mbedtls_test_driver_mac_hooks.driver_status = - mbedtls_transparent_test_driver_mac_abort( operation ); + mbedtls_psa_mac_abort( operation ); +#else + (void) operation; + mbedtls_test_driver_mac_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; +#endif } return( mbedtls_test_driver_mac_hooks.driver_status ); @@ -211,11 +314,16 @@ psa_status_t mbedtls_test_opaque_mac_compute( } else { - mbedtls_test_driver_mac_hooks.driver_status = - mbedtls_opaque_test_driver_mac_compute( - attributes, key_buffer, key_buffer_size, alg, - input, input_length, - mac, mac_size, mac_length ); + (void) attributes; + (void) key_buffer; + (void) key_buffer_size; + (void) alg; + (void) input; + (void) input_length; + (void) mac; + (void) mac_size; + (void) mac_length; + mbedtls_test_driver_mac_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; } return( mbedtls_test_driver_mac_hooks.driver_status ); @@ -237,9 +345,12 @@ psa_status_t mbedtls_test_opaque_mac_sign_setup( } else { - mbedtls_test_driver_mac_hooks.driver_status = - mbedtls_opaque_test_driver_mac_sign_setup( - operation, attributes, key_buffer, key_buffer_size, alg ); + (void) operation; + (void) attributes; + (void) key_buffer; + (void) key_buffer_size; + (void) alg; + mbedtls_test_driver_mac_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; } return( mbedtls_test_driver_mac_hooks.driver_status ); @@ -261,9 +372,12 @@ psa_status_t mbedtls_test_opaque_mac_verify_setup( } else { - mbedtls_test_driver_mac_hooks.driver_status = - mbedtls_opaque_test_driver_mac_verify_setup( - operation, attributes, key_buffer, key_buffer_size, alg ); + (void) operation; + (void) attributes; + (void) key_buffer; + (void) key_buffer_size; + (void) alg; + mbedtls_test_driver_mac_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; } return( mbedtls_test_driver_mac_hooks.driver_status ); @@ -283,9 +397,10 @@ psa_status_t mbedtls_test_opaque_mac_update( } else { - mbedtls_test_driver_mac_hooks.driver_status = - mbedtls_opaque_test_driver_mac_update( - operation, input, input_length ); + (void) operation; + (void) input; + (void) input_length; + mbedtls_test_driver_mac_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; } return( mbedtls_test_driver_mac_hooks.driver_status ); @@ -306,9 +421,11 @@ psa_status_t mbedtls_test_opaque_mac_sign_finish( } else { - mbedtls_test_driver_mac_hooks.driver_status = - mbedtls_opaque_test_driver_mac_sign_finish( - operation, mac, mac_size, mac_length ); + (void) operation; + (void) mac; + (void) mac_size; + (void) mac_length; + mbedtls_test_driver_mac_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; } return( mbedtls_test_driver_mac_hooks.driver_status ); @@ -328,9 +445,10 @@ psa_status_t mbedtls_test_opaque_mac_verify_finish( } else { - mbedtls_test_driver_mac_hooks.driver_status = - mbedtls_opaque_test_driver_mac_verify_finish( - operation, mac, mac_length ); + (void) operation; + (void) mac; + (void) mac_length; + mbedtls_test_driver_mac_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; } return( mbedtls_test_driver_mac_hooks.driver_status ); @@ -348,8 +466,8 @@ psa_status_t mbedtls_test_opaque_mac_abort( } else { - mbedtls_test_driver_mac_hooks.driver_status = - mbedtls_opaque_test_driver_mac_abort( operation ); + (void) operation; + mbedtls_test_driver_mac_hooks.driver_status = PSA_ERROR_NOT_SUPPORTED; } return( mbedtls_test_driver_mac_hooks.driver_status ); diff --git a/tests/src/drivers/test_driver_signature.c b/tests/src/drivers/test_driver_signature.c index 2d58756aa5af..ef6d135eb8c1 100644 --- a/tests/src/drivers/test_driver_signature.c +++ b/tests/src/drivers/test_driver_signature.c @@ -29,13 +29,21 @@ #include "psa_crypto_rsa.h" #include "mbedtls/ecp.h" +#include "test/drivers/hash.h" #include "test/drivers/signature.h" +#include "test/drivers/hash.h" #include "mbedtls/md.h" #include "mbedtls/ecdsa.h" #include "test/random.h" +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) +#include "libtestdriver1/library/psa_crypto_ecp.h" +#include "libtestdriver1/library/psa_crypto_hash.h" +#include "libtestdriver1/library/psa_crypto_rsa.h" +#endif + #include <string.h> mbedtls_test_driver_signature_hooks_t @@ -54,58 +62,70 @@ psa_status_t sign_hash( size_t signature_size, size_t *signature_length ) { -#if defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN) || \ - defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PSS) if( attributes->core.type == PSA_KEY_TYPE_RSA_KEY_PAIR ) { - return( mbedtls_transparent_test_driver_rsa_sign_hash( - attributes, - key_buffer, key_buffer_size, - alg, hash, hash_length, - signature, signature_size, signature_length ) ); - } - else -#endif /* defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN) || - * defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PSS) */ - -#if defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) || \ - defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA) - if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) ) - { - if( -#if defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA) - PSA_ALG_IS_ECDSA( alg ) -#else - PSA_ALG_IS_RANDOMIZED_ECDSA( alg ) -#endif - ) + if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) || + PSA_ALG_IS_RSA_PSS( alg) ) { - return( mbedtls_transparent_test_driver_ecdsa_sign_hash( +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + ( defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) ) + return( libtestdriver1_mbedtls_psa_rsa_sign_hash( + (const libtestdriver1_psa_key_attributes_t *) attributes, + key_buffer, key_buffer_size, + alg, hash, hash_length, + signature, signature_size, signature_length ) ); +#elif defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) + return( mbedtls_psa_rsa_sign_hash( attributes, key_buffer, key_buffer_size, alg, hash, hash_length, signature, signature_size, signature_length ) ); +#endif } else { return( PSA_ERROR_INVALID_ARGUMENT ); } } - else -#endif /* defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) || - * defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA) */ + else if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) ) { - (void)attributes; - (void)key_buffer; - (void)key_buffer_size; - (void)alg; - (void)hash; - (void)hash_length; - (void)signature; - (void)signature_size; - (void)signature_length; - return( PSA_ERROR_NOT_SUPPORTED ); + if( PSA_ALG_IS_ECDSA( alg ) ) + { +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + ( defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) ) + return( libtestdriver1_mbedtls_psa_ecdsa_sign_hash( + (const libtestdriver1_psa_key_attributes_t *) attributes, + key_buffer, key_buffer_size, + alg, hash, hash_length, + signature, signature_size, signature_length ) ); +#elif defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) + return( mbedtls_psa_ecdsa_sign_hash( + attributes, + key_buffer, key_buffer_size, + alg, hash, hash_length, + signature, signature_size, signature_length ) ); +#endif + } + else + { + return( PSA_ERROR_INVALID_ARGUMENT ); + } } + + (void)attributes; + (void)key_buffer; + (void)key_buffer_size; + (void)alg; + (void)hash; + (void)hash_length; + (void)signature; + (void)signature_size; + (void)signature_length; + return( PSA_ERROR_NOT_SUPPORTED ); } psa_status_t verify_hash( @@ -118,52 +138,69 @@ psa_status_t verify_hash( const uint8_t *signature, size_t signature_length ) { -#if defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN) || \ - defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PSS) if( PSA_KEY_TYPE_IS_RSA( attributes->core.type ) ) { - return( mbedtls_transparent_test_driver_rsa_verify_hash( - attributes, - key_buffer, key_buffer_size, - alg, hash, hash_length, - signature, signature_length ) ); + if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) || + PSA_ALG_IS_RSA_PSS( alg) ) + { +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + ( defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) ) + return( libtestdriver1_mbedtls_psa_rsa_verify_hash( + (const libtestdriver1_psa_key_attributes_t *) attributes, + key_buffer, key_buffer_size, + alg, hash, hash_length, + signature, signature_length ) ); +#elif defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) + return( mbedtls_psa_rsa_verify_hash( + attributes, + key_buffer, key_buffer_size, + alg, hash, hash_length, + signature, signature_length ) ); +#endif + } + else + { + return( PSA_ERROR_INVALID_ARGUMENT ); + } } - else -#endif /* defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN) || - * defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PSS) */ - -#if defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) || \ - defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA) - if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) ) + else if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) ) { if( PSA_ALG_IS_ECDSA( alg ) ) { - return( mbedtls_transparent_test_driver_ecdsa_verify_hash( +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + ( defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) ) + return( libtestdriver1_mbedtls_psa_ecdsa_verify_hash( + (const libtestdriver1_psa_key_attributes_t *) attributes, + key_buffer, key_buffer_size, + alg, hash, hash_length, + signature, signature_length ) ); +#elif defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) + return( mbedtls_psa_ecdsa_verify_hash( attributes, key_buffer, key_buffer_size, alg, hash, hash_length, signature, signature_length ) ); +#endif } else { return( PSA_ERROR_INVALID_ARGUMENT ); } } - else -#endif /* defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) || - * defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA) */ - { - (void)attributes; - (void)key_buffer; - (void)key_buffer_size; - (void)alg; - (void)hash; - (void)hash_length; - (void)signature; - (void)signature_length; - - return( PSA_ERROR_NOT_SUPPORTED ); - } + + (void)attributes; + (void)key_buffer; + (void)key_buffer_size; + (void)alg; + (void)hash; + (void)hash_length; + (void)signature; + (void)signature_length; + return( PSA_ERROR_NOT_SUPPORTED ); } psa_status_t mbedtls_test_transparent_signature_sign_message( @@ -198,16 +235,26 @@ psa_status_t mbedtls_test_transparent_signature_sign_message( return( PSA_SUCCESS ); } - status = mbedtls_transparent_test_driver_hash_compute( +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_HASH) + status = libtestdriver1_mbedtls_psa_hash_compute( PSA_ALG_SIGN_GET_HASH( alg ), input, input_length, hash, sizeof( hash ), &hash_length ); - +#elif defined(MBEDTLS_PSA_BUILTIN_HASH) + status = mbedtls_psa_hash_compute( + PSA_ALG_SIGN_GET_HASH( alg ), input, input_length, + hash, sizeof( hash ), &hash_length ); +#else + (void) input; + (void) input_length; + status = PSA_ERROR_NOT_SUPPORTED; +#endif if( status != PSA_SUCCESS ) return status; - return sign_hash( attributes, key_buffer, key_buffer_size, - alg, hash, hash_length, - signature, signature_size, signature_length ); + return( sign_hash( attributes, key_buffer, key_buffer_size, + alg, hash, hash_length, + signature, signature_size, signature_length ) ); } psa_status_t mbedtls_test_opaque_signature_sign_message( @@ -253,16 +300,26 @@ psa_status_t mbedtls_test_transparent_signature_verify_message( if( mbedtls_test_driver_signature_verify_hooks.forced_status != PSA_SUCCESS ) return( mbedtls_test_driver_signature_verify_hooks.forced_status ); - status = mbedtls_transparent_test_driver_hash_compute( +#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ + defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_HASH) + status = libtestdriver1_mbedtls_psa_hash_compute( PSA_ALG_SIGN_GET_HASH( alg ), input, input_length, hash, sizeof( hash ), &hash_length ); - +#elif defined(MBEDTLS_PSA_BUILTIN_HASH) + status = mbedtls_psa_hash_compute( + PSA_ALG_SIGN_GET_HASH( alg ), input, input_length, + hash, sizeof( hash ), &hash_length ); +#else + (void) input; + (void) input_length; + status = PSA_ERROR_NOT_SUPPORTED; +#endif if( status != PSA_SUCCESS ) return status; - return verify_hash( attributes, key_buffer, key_buffer_size, - alg, hash, hash_length, - signature, signature_length ); + return( verify_hash( attributes, key_buffer, key_buffer_size, + alg, hash, hash_length, + signature, signature_length ) ); } psa_status_t mbedtls_test_opaque_signature_verify_message( @@ -309,9 +366,9 @@ psa_status_t mbedtls_test_transparent_signature_sign_hash( return( PSA_SUCCESS ); } - return sign_hash( attributes, key_buffer, key_buffer_size, + return( sign_hash( attributes, key_buffer, key_buffer_size, alg, hash, hash_length, - signature, signature_size, signature_length ); + signature, signature_size, signature_length ) ); } psa_status_t mbedtls_test_opaque_signature_sign_hash( diff --git a/tests/src/psa_crypto_helpers.c b/tests/src/psa_crypto_helpers.c index d9d841abd5d8..299b6d125da6 100644 --- a/tests/src/psa_crypto_helpers.c +++ b/tests/src/psa_crypto_helpers.c @@ -22,6 +22,7 @@ #include <test/helpers.h> #include <test/macros.h> +#include <psa_crypto_slot_management.h> #include <test/psa_crypto_helpers.h> #if defined(MBEDTLS_PSA_CRYPTO_C) diff --git a/tests/src/psa_exercise_key.c b/tests/src/psa_exercise_key.c index 923d2c136afb..c1e76c85ef6a 100644 --- a/tests/src/psa_exercise_key.c +++ b/tests/src/psa_exercise_key.c @@ -29,6 +29,7 @@ #include <psa/crypto.h> #include <test/asn1_helpers.h> +#include <psa_crypto_slot_management.h> #include <test/psa_crypto_helpers.h> #if defined(MBEDTLS_PSA_CRYPTO_SE_C) @@ -306,10 +307,10 @@ static int exercise_signature_key( mbedtls_svc_key_id_t key, psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH( alg ); /* If the policy allows signing with any hash, just pick one. */ - if( PSA_ALG_IS_HASH_AND_SIGN( alg ) && hash_alg == PSA_ALG_ANY_HASH ) + if( PSA_ALG_IS_SIGN_HASH( alg ) && hash_alg == PSA_ALG_ANY_HASH ) { - #if defined(KNOWN_SUPPORTED_HASH_ALG) - hash_alg = KNOWN_SUPPORTED_HASH_ALG; + #if defined(KNOWN_MBEDTLS_SUPPORTED_HASH_ALG) + hash_alg = KNOWN_MBEDTLS_SUPPORTED_HASH_ALG; alg ^= PSA_ALG_ANY_HASH ^ hash_alg; #else TEST_ASSERT( ! "No hash algorithm for hash-and-sign testing" ); @@ -642,7 +643,7 @@ int mbedtls_test_psa_exported_key_sanity_check( TEST_EQUAL( exported_length, PSA_BITS_TO_BYTES( bits ) ); else -#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PK_PARSE_C) +#if defined(MBEDTLS_ASN1_PARSE_C) if( type == PSA_KEY_TYPE_RSA_KEY_PAIR ) { uint8_t *p = (uint8_t*) exported; @@ -689,7 +690,7 @@ int mbedtls_test_psa_exported_key_sanity_check( TEST_ASSERT( exported_length <= PSA_EXPORT_KEY_PAIR_MAX_SIZE ); } else -#endif /* MBEDTLS_RSA_C */ +#endif /* MBEDTLS_ASN1_PARSE_C */ #if defined(MBEDTLS_ECP_C) if( PSA_KEY_TYPE_IS_ECC_KEY_PAIR( type ) ) @@ -702,7 +703,7 @@ int mbedtls_test_psa_exported_key_sanity_check( else #endif /* MBEDTLS_ECP_C */ -#if defined(MBEDTLS_RSA_C) +#if defined(MBEDTLS_ASN1_PARSE_C) if( type == PSA_KEY_TYPE_RSA_PUBLIC_KEY ) { uint8_t *p = (uint8_t*) exported; @@ -730,7 +731,7 @@ int mbedtls_test_psa_exported_key_sanity_check( PSA_EXPORT_PUBLIC_KEY_MAX_SIZE ); } else -#endif /* MBEDTLS_RSA_C */ +#endif /* MBEDTLS_ASN1_PARSE_C */ #if defined(MBEDTLS_ECP_C) if( PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY( type ) ) @@ -925,7 +926,7 @@ psa_key_usage_t mbedtls_test_psa_usage_to_exercise( psa_key_type_t type, { if( PSA_ALG_IS_MAC( alg ) || PSA_ALG_IS_SIGN( alg ) ) { - if( PSA_ALG_IS_HASH_AND_SIGN( alg ) ) + if( PSA_ALG_IS_SIGN_HASH( alg ) ) { if( PSA_ALG_SIGN_GET_HASH( alg ) ) return( PSA_KEY_TYPE_IS_PUBLIC_KEY( type ) ? diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 422e52291b20..bfcdefe66efd 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -45,6 +45,7 @@ fi : ${P_SRV:=../programs/ssl/ssl_server2} : ${P_CLI:=../programs/ssl/ssl_client2} : ${P_PXY:=../programs/test/udp_proxy} +: ${P_QUERY:=../programs/test/query_compile_time_config} : ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system : ${GNUTLS_CLI:=gnutls-cli} : ${GNUTLS_SERV:=gnutls-serv} @@ -80,18 +81,20 @@ fi if [ -n "${OPENSSL_NEXT:-}" ]; then O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key" + O_NEXT_SRV_NO_CERT="$OPENSSL_NEXT s_server -www " O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client" else O_NEXT_SRV=false + O_NEXT_SRV_NO_CERT=false O_NEXT_CLI=false fi if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then G_NEXT_SRV="$GNUTLS_NEXT_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key" - G_NEXT_SRV_RSA="$GNUTLS_NEXT_SERV --x509certfile data_files/server2.crt --x509keyfile data_files/server2.key" + G_NEXT_SRV_NO_CERT="$GNUTLS_NEXT_SERV" else G_NEXT_SRV=false - G_NEXT_SRV_RSA=false + G_NEXT_SRV_NO_CERT=false fi if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then @@ -193,10 +196,7 @@ esac # testing. Skip non-boolean options (with something other than spaces # and a comment after "#define SYMBOL"). The variable contains a # space-separated list of symbols. -CONFIGS_ENABLED=" $(<"$CONFIG_H" \ - sed -n 's!^ *#define *\([A-Za-z][0-9A-Z_a-z]*\) *\(/*\)*!\1!p' | - tr '\n' ' ')" - +CONFIGS_ENABLED=" $(echo `$P_QUERY -l` )" # Skip next test; use this macro to skip tests which are legitimate # in theory and expected to be re-introduced at some point, but # aren't expected to succeed at the moment due to problems outside @@ -208,7 +208,7 @@ skip_next_test() { # skip next test if the flag is not enabled in mbedtls_config.h requires_config_enabled() { case $CONFIGS_ENABLED in - *" $1 "*) :;; + *" $1"[\ =]*) :;; *) SKIP_NEXT="YES";; esac } @@ -216,7 +216,7 @@ requires_config_enabled() { # skip next test if the flag is enabled in mbedtls_config.h requires_config_disabled() { case $CONFIGS_ENABLED in - *" $1 "*) SKIP_NEXT="YES";; + *" $1"[\ =]*) SKIP_NEXT="YES";; esac } @@ -1231,8 +1231,8 @@ run_test() { run_test_psa() { requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSA-supported ciphersuite: $1" \ - "$P_SRV debug_level=3 force_version=tls1_2" \ - "$P_CLI debug_level=3 force_version=tls1_2 force_ciphersuite=$1" \ + "$P_SRV debug_level=3 force_version=tls12" \ + "$P_CLI debug_level=3 force_version=tls12 force_ciphersuite=$1" \ 0 \ -c "Successfully setup PSA-based decryption cipher context" \ -c "Successfully setup PSA-based encryption cipher context" \ @@ -1254,8 +1254,8 @@ run_test_psa() { run_test_psa_force_curve() { requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSA - ECDH with $1" \ - "$P_SRV debug_level=4 force_version=tls1_2 curves=$1" \ - "$P_CLI debug_level=4 force_version=tls1_2 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 curves=$1" \ + "$P_SRV debug_level=4 force_version=tls12 curves=$1" \ + "$P_CLI debug_level=4 force_version=tls12 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 curves=$1" \ 0 \ -c "Successfully setup PSA-based decryption cipher context" \ -c "Successfully setup PSA-based encryption cipher context" \ @@ -1287,8 +1287,8 @@ run_test_memory_after_hanshake_with_mfl() MEMORY_USAGE_LIMIT="$(( ( MEMORY_USAGE_LIMIT * 110 ) / 100 ))" run_test "Handshake memory usage (MFL $1)" \ - "$P_SRV debug_level=3 auth_mode=required force_version=tls1_2" \ - "$P_CLI debug_level=3 force_version=tls1_2 \ + "$P_SRV debug_level=3 auth_mode=required force_version=tls12" \ + "$P_CLI debug_level=3 force_version=tls12 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM max_frag_len=$1" \ 0 \ @@ -1306,8 +1306,8 @@ run_tests_memory_after_hanshake() # first test with default MFU is to get reference memory usage MEMORY_USAGE_MFL_16K=0 run_test "Handshake memory usage initial (MFL 16384 - default)" \ - "$P_SRV debug_level=3 auth_mode=required force_version=tls1_2" \ - "$P_CLI debug_level=3 force_version=tls1_2 \ + "$P_SRV debug_level=3 auth_mode=required force_version=tls12" \ + "$P_CLI debug_level=3 force_version=tls12 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM" \ 0 \ @@ -1458,12 +1458,13 @@ fi if [ -n "${OPENSSL_NEXT:-}" ]; then O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT" + O_NEXT_SRV_NO_CERT="$O_NEXT_SRV_NO_CERT -accept $SRV_PORT" O_NEXT_CLI="$O_NEXT_CLI -connect 127.0.0.1:+SRV_PORT" fi if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then G_NEXT_SRV="$G_NEXT_SRV -p $SRV_PORT" - G_NEXT_SRV_RSA="$G_NEXT_SRV_RSA -p $SRV_PORT" + G_NEXT_SRV_NO_CERT="$G_NEXT_SRV_NO_CERT -p $SRV_PORT" fi if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then @@ -1488,174 +1489,21 @@ trap cleanup INT TERM HUP # TLS 1.3 specific tests # -# ===================================================================== # -# == TLS 1.3 tests, all possible ciphersuites against OpenSSL server == # -# == Key exhange: ECDHE-ECDSA curve x25519 == # -# == Client and server authentication with ECDSA-SECP256R1-SHA256 == # -# ===================================================================== # - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_openssl_with_tls1_3 -run_test "TLS 1.3 m->O AES_128_GCM_SHA256 , ECDSA_SECP256R1_SHA256" \ - "$O_SRV -ciphersuites TLS_AES_128_GCM_SHA256 -CAfile data_files/test-ca_cat12.crt -Verify 10" \ - "$P_CLI key_file=data_files/cli2.key crt_file=data_files/cli2.crt debug_level=4 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-GCM-SHA256" \ - 0 \ - -c "ECDH curve: x25519" \ - -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ - -c "Certificate Verify: Signature algorithm ( 0403 )" \ - -c "Verifying peer X.509 certificate... ok" \ - -c "got a certificate request" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_openssl_with_tls1_3 -run_test "TLS 1.3 m->O AES_256_GCM_SHA384 , ECDSA_SECP256R1_SHA256" \ - "$O_SRV -ciphersuites TLS_AES_256_GCM_SHA384 -CAfile data_files/test-ca_cat12.crt -Verify 10" \ - "$P_CLI key_file=data_files/cli2.key crt_file=data_files/cli2.crt debug_level=4 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-256-GCM-SHA384" \ - 0 \ - -c "ECDH curve: x25519" \ - -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ - -c "Certificate Verify: Signature algorithm ( 0403 )" \ - -c "Verifying peer X.509 certificate... ok" \ - -c "got a certificate request" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_openssl_with_tls1_3 -run_test "TLS 1.3 m->O CHACHA20_POLY1305_SHA256, ECDSA_SECP256R1_SHA256" \ - "$O_SRV -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -CAfile data_files/test-ca_cat12.crt -Verify 10" \ - "$P_CLI key_file=data_files/cli2.key crt_file=data_files/cli2.crt debug_level=4 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256" \ - 0 \ - -c "ECDH curve: x25519" \ - -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ - -c "Certificate Verify: Signature algorithm ( 0403 )" \ - -c "Verifying peer X.509 certificate... ok" \ - -c "got a certificate request" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_openssl_with_tls1_3 -run_test "TLS 1.3 m->O AES_128_CCM_SHA256 , ECDSA_SECP256R1_SHA256" \ - "$O_SRV -ciphersuites TLS_AES_128_CCM_SHA256 -CAfile data_files/test-ca_cat12.crt -Verify 10" \ - "$P_CLI key_file=data_files/cli2.key crt_file=data_files/cli2.crt debug_level=4 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \ - 0 \ - -c "ECDH curve: x25519" \ - -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ - -c "Certificate Verify: Signature algorithm ( 0403 )" \ - -c "Verifying peer X.509 certificate... ok" \ - -c "got a certificate request" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_openssl_with_tls1_3 -run_test "TLS 1.3 m->O AES_128_CCM_8_SHA256 , ECDSA_SECP256R1_SHA256" \ - "$O_SRV -ciphersuites TLS_AES_128_CCM_8_SHA256 -CAfile data_files/test-ca_cat12.crt -Verify 10" \ - "$P_CLI key_file=data_files/cli2.key crt_file=data_files/cli2.crt debug_level=4 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \ - 0 \ - -c "ECDH curve: x25519" \ - -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ - -c "Certificate Verify: Signature algorithm ( 0403 )" \ - -c "Verifying peer X.509 certificate... ok" \ - -c "got a certificate request" - -# ===================================================================== # -# == TLS 1.3 tests, all possible ciphersuites against OpenSSL server == # -# == Key exhange: ECDHE-ECDSA curve x25519 == # -# == Server authentication with RSA_PSS_RSAE_SHA256 == # -# == No client authentication (not supported) == # -# ===================================================================== # - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT -requires_openssl_with_tls1_3 -run_test "TLS 1.3 m->O AES_128_GCM_SHA256 , RSA_PSS_RSAE_SHA256" \ - "$O_SRV_RSA -ciphersuites TLS_AES_128_GCM_SHA256" \ - "$P_CLI debug_level=4 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-GCM-SHA256" \ - 0 \ - -c "ECDH curve: x25519" \ - -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ - -c "Certificate Verify: Signature algorithm ( 0804 )" \ - -c "Verifying peer X.509 certificate... ok" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT -requires_openssl_with_tls1_3 -run_test "TLS 1.3 m->O AES_256_GCM_SHA384 , RSA_PSS_RSAE_SHA256" \ - "$O_SRV_RSA -ciphersuites TLS_AES_256_GCM_SHA384" \ - "$P_CLI debug_level=4 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-256-GCM-SHA384" \ - 0 \ - -c "ECDH curve: x25519" \ - -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ - -c "Certificate Verify: Signature algorithm ( 0804 )" \ - -c "Verifying peer X.509 certificate... ok" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT -requires_openssl_with_tls1_3 -run_test "TLS 1.3 m->O CHACHA20_POLY1305_SHA256, RSA_PSS_RSAE_SHA256" \ - "$O_SRV_RSA -ciphersuites TLS_CHACHA20_POLY1305_SHA256" \ - "$P_CLI debug_level=4 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256" \ - 0 \ - -c "ECDH curve: x25519" \ - -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ - -c "Certificate Verify: Signature algorithm ( 0804 )" \ - -c "Verifying peer X.509 certificate... ok" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT -requires_openssl_with_tls1_3 -run_test "TLS 1.3 m->O AES_128_CCM_SHA256 , RSA_PSS_RSAE_SHA256" \ - "$O_SRV_RSA -ciphersuites TLS_AES_128_CCM_SHA256" \ - "$P_CLI debug_level=4 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \ - 0 \ - -c "ECDH curve: x25519" \ - -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ - -c "Certificate Verify: Signature algorithm ( 0804 )" \ - -c "Verifying peer X.509 certificate... ok" - -# Test OpenSSL server TLS_AES_128_CCM_8_SHA256 + ECDSA-SECP256R1-SHA256 -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT -requires_openssl_with_tls1_3 -run_test "TLS 1.3 m->O AES_128_CCM_8_SHA256 , RSA_PSS_RSAE_SHA256" \ - "$O_SRV_RSA -ciphersuites TLS_AES_128_CCM_8_SHA256" \ - "$P_CLI debug_level=4 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \ - 0 \ - -c "ECDH curve: x25519" \ - -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ - -c "Certificate Verify: Signature algorithm ( 0804 )" \ - -c "Verifying peer X.509 certificate... ok" - #==========================================================================# #= TLS 1.3 server tests, all possible ciphersuites against OpenSSL client =# #= Key exhange: ECDHE-ECDSA curve x25519 =# #= Client and server authentication with ECDSA-SECP256R1-SHA256 =# #==========================================================================# -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_openssl_with_tls1_3 run_test "TLS 1.3 O->m AES_128_GCM_SHA256 , ECDSA_SECP256R1_SHA256" \ "$P_SRV ca_file=data_files/test-ca_cat12.crt auth_mode=required \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ - debug_level=4 force_version=tls1_3 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256" \ + debug_level=4 force_version=tls13 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256" \ "$O_CLI -ciphersuites TLS_AES_128_GCM_SHA256 \ -cert data_files/cli2.crt -key data_files/cli2.key" \ 0 \ @@ -1664,14 +1512,15 @@ run_test "TLS 1.3 O->m AES_128_GCM_SHA256 , ECDSA_SECP256R1_SHA256" \ -s "Certificate Verify: Signature algorithm ( 0403 )" \ -s "Verifying peer X.509 certificate... ok" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_openssl_with_tls1_3 run_test "TLS 1.3 O->m AES_256_GCM_SHA384 , ECDSA_SECP256R1_SHA256" \ "$P_SRV ca_file=data_files/test-ca_cat12.crt auth_mode=required \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ - debug_level=4 force_version=tls1_3 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384" \ + debug_level=4 force_version=tls13 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384" \ "$O_CLI -ciphersuites TLS_AES_256_GCM_SHA384 \ -cert data_files/cli2.crt -key data_files/cli2.key" \ 0 \ @@ -1680,14 +1529,15 @@ run_test "TLS 1.3 O->m AES_256_GCM_SHA384 , ECDSA_SECP256R1_SHA256" \ -s "Certificate Verify: Signature algorithm ( 0403 )" \ -s "Verifying peer X.509 certificate... ok" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_openssl_with_tls1_3 run_test "TLS 1.3 O->m CHACHA20_POLY1305_SHA256, ECDSA_SECP256R1_SHA256" \ "$P_SRV ca_file=data_files/test-ca_cat12.crt auth_mode=required \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ - debug_level=4 force_version=tls1_3 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256" \ + debug_level=4 force_version=tls13 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256" \ "$O_CLI -ciphersuites TLS_CHACHA20_POLY1305_SHA256 \ -cert data_files/cli2.crt -key data_files/cli2.key" \ 0 \ @@ -1696,14 +1546,15 @@ run_test "TLS 1.3 O->m CHACHA20_POLY1305_SHA256, ECDSA_SECP256R1_SHA256" \ -s "Certificate Verify: Signature algorithm ( 0403 )" \ -s "Verifying peer X.509 certificate... ok" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_openssl_with_tls1_3 run_test "TLS 1.3 O->m AES_128_CCM_SHA256 , ECDSA_SECP256R1_SHA256" \ "$P_SRV ca_file=data_files/test-ca_cat12.crt auth_mode=required \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ - debug_level=4 force_version=tls1_3 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \ + debug_level=4 force_version=tls13 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \ "$O_CLI -ciphersuites TLS_AES_128_CCM_SHA256 \ -cert data_files/cli2.crt -key data_files/cli2.key" \ 0 \ @@ -1712,14 +1563,15 @@ run_test "TLS 1.3 O->m AES_128_CCM_SHA256 , ECDSA_SECP256R1_SHA256" \ -s "Certificate Verify: Signature algorithm ( 0403 )" \ -s "Verifying peer X.509 certificate... ok" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_openssl_with_tls1_3 run_test "TLS 1.3 O->m AES_128_CCM_8_SHA256 , ECDSA_SECP256R1_SHA256" \ "$P_SRV ca_file=data_files/test-ca_cat12.crt auth_mode=required \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ - debug_level=4 force_version=tls1_3 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \ + debug_level=4 force_version=tls13 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \ "$O_CLI -ciphersuites TLS_AES_128_CCM_8_SHA256 \ -cert data_files/cli2.crt -key data_files/cli2.key" \ 0 \ @@ -1728,231 +1580,19 @@ run_test "TLS 1.3 O->m AES_128_CCM_8_SHA256 , ECDSA_SECP256R1_SHA256" \ -s "Certificate Verify: Signature algorithm ( 0403 )" \ -s "Verifying peer X.509 certificate... ok" -#==============================================================================# -#= TLS 1.3 client tests, all possible ciphersuites against GnuTLS next server =# -#= Key exhange: ECDHE-ECDSA curve SECP256R1 =# -#= Client and server authentication with ECDSA-SECP256R1-SHA256 =# -#==============================================================================# - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_gnutls_next -run_test "TLS 1.3 m->G AES_128_GCM_SHA256 , ECDSA_SECP256R1_SHA256" \ - "$G_NEXT_SRV --priority=NONE:+AES-128-GCM:+SHA256:+GROUP-SECP256R1:+ECDHE-ECDSA:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3" \ - "$P_CLI debug_level=4 key_file=data_files/cli2.key crt_file=data_files/cli2.crt force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-GCM-SHA256" \ - 0 \ - -s "Ephemeral EC Diffie-Hellman parameters" \ - -s "Using curve: SECP256R1" \ - -s "Version: TLS1.3" \ - -s "Cipher: AES-128-GCM" \ - -s "Client Signature: ECDSA-SECP256R1-SHA256" \ - -s "Server Signature: ECDSA-SECP256R1-SHA256" \ - -c "ECDH curve: secp256r1" \ - -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ - -c "Certificate Verify: Signature algorithm ( 0403 )" \ - -c "Verifying peer X.509 certificate... ok" \ - -c "got a certificate request" - -# Use the NORMAL priority for the GnuTLS here as when trying to define -# TLS_AES_256_GCM_SHA384 as the only ciphersuite supported by the GnuTLS -# server, the connection fails. -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_gnutls_next -run_test "TLS 1.3 m->G AES_256_GCM_SHA384 , ECDSA_SECP256R1_SHA256" \ - "$G_NEXT_SRV --debug 5 --priority=NORMAL" \ - "$P_CLI debug_level=4 key_file=data_files/cli2.key crt_file=data_files/cli2.crt debug_level=5 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-256-GCM-SHA384" \ - 0 \ - -s "Ephemeral EC Diffie-Hellman parameters" \ - -s "Using curve: X25519" \ - -s "Version: TLS1.3" \ - -s "Cipher: AES-256-GCM" \ - -s "Client Signature: ECDSA-SECP256R1-SHA256" \ - -s "Server Signature: ECDSA-SECP256R1-SHA256" \ - -c "ECDH curve: x25519" \ - -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ - -c "Certificate Verify: Signature algorithm ( 0403 )" \ - -c "Verifying peer X.509 certificate... ok" \ - -c "got a certificate request" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_gnutls_next -run_test "TLS 1.3 m->G CHACHA20_POLY1305_SHA256, ECDSA_SECP256R1_SHA256" \ - "$G_NEXT_SRV --priority=NONE:+CHACHA20-POLY1305:+SHA256:+GROUP-SECP256R1:+ECDHE-ECDSA:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3" \ - "$P_CLI debug_level=4 key_file=data_files/cli2.key crt_file=data_files/cli2.crt force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256" \ - 0 \ - -s "Using curve: SECP256R1" \ - -s "Version: TLS1.3" \ - -s "Cipher: CHACHA20-POLY1305" \ - -s "Client Signature: ECDSA-SECP256R1-SHA256" \ - -s "Server Signature: ECDSA-SECP256R1-SHA256" \ - -c "ECDH curve: secp256r1" \ - -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ - -c "Certificate Verify: Signature algorithm ( 0403 )" \ - -c "Verifying peer X.509 certificate... ok" \ - -c "got a certificate request" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_gnutls_next -run_test "TLS 1.3 m->G AES_128_CCM_SHA256 , ECDSA_SECP256R1_SHA256" \ - "$G_NEXT_SRV --priority=NONE:+AES-128-CCM:+SHA256:+GROUP-SECP256R1:+ECDHE-ECDSA:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3" \ - "$P_CLI debug_level=4 key_file=data_files/cli2.key crt_file=data_files/cli2.crt force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \ - 0 \ - -s "Using curve: SECP256R1" \ - -s "Version: TLS1.3" \ - -s "Cipher: AES-128-CCM" \ - -s "Client Signature: ECDSA-SECP256R1-SHA256" \ - -s "Server Signature: ECDSA-SECP256R1-SHA256" \ - -c "ECDH curve: secp256r1" \ - -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ - -c "Certificate Verify: Signature algorithm ( 0403 )" \ - -c "Verifying peer X.509 certificate... ok" \ - -c "got a certificate request" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_gnutls_next -run_test "TLS 1.3 m->G AES_128_CCM_8_SHA256 , ECDSA_SECP256R1_SHA256" \ - "$G_NEXT_SRV --priority=NONE:+AES-128-CCM-8:+SHA256:+GROUP-SECP256R1:+ECDHE-ECDSA:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3" \ - "$P_CLI debug_level=4 key_file=data_files/cli2.key crt_file=data_files/cli2.crt force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \ - 0 \ - -s "Using curve: SECP256R1" \ - -s "Version: TLS1.3" \ - -s "Cipher: AES-128-CCM-8" \ - -s "Client Signature: ECDSA-SECP256R1-SHA256" \ - -s "Server Signature: ECDSA-SECP256R1-SHA256" \ - -c "ECDH curve: secp256r1" \ - -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ - -c "Certificate Verify: Signature algorithm ( 0403 )" \ - -c "Verifying peer X.509 certificate... ok" \ - -c "got a certificate request" - -# ========================================================================= # -# == TLS 1.3 tests, all possible ciphersuites against GnuTLS next server == # -# == Key exhange: ECDHE-ECDSA curve SECP256R1 == # -# == Server authentication with RSA_PSS_RSAE_SHA256 == # -# == No client authentication (not supported) == # -# ========================================================================= # - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT -requires_gnutls_next -run_test "TLS 1.3 m->G AES_128_GCM_SHA256 , RSA_PSS_RSAE_SHA256" \ - "$G_NEXT_SRV_RSA --disable-client-cert --priority=NONE:+AES-128-GCM:+SHA256:+GROUP-SECP256R1:+ECDHE-ECDSA:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3" \ - "$P_CLI debug_level=4 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-GCM-SHA256" \ - 0 \ - -s "Ephemeral EC Diffie-Hellman parameters" \ - -s "Using curve: SECP256R1" \ - -s "Version: TLS1.3" \ - -s "Cipher: AES-128-GCM" \ - -S "Client Signature:" \ - -s "Server Signature: RSA-PSS-RSAE-SHA256" \ - -c "ECDH curve: secp256r1" \ - -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ - -c "Certificate Verify: Signature algorithm ( 0804 )" \ - -c "Verifying peer X.509 certificate... ok" - -# Use the NORMAL priority for the GnuTLS here as when trying to define -# TLS_AES_256_GCM_SHA384 as the only ciphersuite supported by the GnuTLS -# server, the connection fails. -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT -requires_gnutls_next -run_test "TLS 1.3 m->G AES_256_GCM_SHA384 , RSA_PSS_RSAE_SHA256" \ - "$G_NEXT_SRV_RSA --disable-client-cert --priority=NORMAL" \ - "$P_CLI debug_level=4 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-256-GCM-SHA384" \ - 0 \ - -s "Ephemeral EC Diffie-Hellman parameters" \ - -s "Using curve: X25519" \ - -s "Version: TLS1.3" \ - -s "Cipher: AES-256-GCM" \ - -S "Client Signature:" \ - -s "Server Signature: RSA-PSS-RSAE-SHA256" \ - -c "ECDH curve: x25519" \ - -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \ - -c "Certificate Verify: Signature algorithm ( 0804 )" \ - -c "Verifying peer X.509 certificate... ok" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT -requires_gnutls_next -run_test "TLS 1.3 m->G CHACHA20_POLY1305_SHA256, RSA_PSS_RSAE_SHA256" \ - "$G_NEXT_SRV_RSA --disable-client-cert --priority=NONE:+CHACHA20-POLY1305:+SHA256:+GROUP-SECP256R1:+ECDHE-ECDSA:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3" \ - "$P_CLI debug_level=4 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256" \ - 0 \ - -s "Using curve: SECP256R1" \ - -s "Version: TLS1.3" \ - -s "Cipher: CHACHA20-POLY1305" \ - -S "Client Signature:" \ - -s "Server Signature: RSA-PSS-RSAE-SHA256" \ - -c "ECDH curve: secp256r1" \ - -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \ - -c "Certificate Verify: Signature algorithm ( 0804 )" \ - -c "Verifying peer X.509 certificate... ok" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT -requires_gnutls_next -run_test "TLS 1.3 m->G AES_128_CCM_SHA256 , RSA_PSS_RSAE_SHA256" \ - "$G_NEXT_SRV_RSA --disable-client-cert --priority=NONE:+AES-128-CCM:+SHA256:+GROUP-SECP256R1:+ECDHE-ECDSA:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3" \ - "$P_CLI debug_level=4 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \ - 0 \ - -s "Using curve: SECP256R1" \ - -s "Version: TLS1.3" \ - -s "Cipher: AES-128-CCM" \ - -S "Client Signature:" \ - -s "Server Signature: RSA-PSS-RSAE-SHA256" \ - -c "ECDH curve: secp256r1" \ - -c "server hello, chosen ciphersuite: ( 1304 ) - TLS1-3-AES-128-CCM-SHA256" \ - -c "Certificate Verify: Signature algorithm ( 0804 )" \ - -c "Verifying peer X.509 certificate... ok" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT -requires_gnutls_next -run_test "TLS 1.3 m->G AES_128_CCM_8_SHA256 , RSA_PSS_RSAE_SHA256" \ - "$G_NEXT_SRV_RSA --disable-client-cert --priority=NONE:+AES-128-CCM-8:+SHA256:+GROUP-SECP256R1:+ECDHE-ECDSA:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+VERS-TLS1.3" \ - "$P_CLI debug_level=4 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \ - 0 \ - -s "Using curve: SECP256R1" \ - -s "Version: TLS1.3" \ - -s "Cipher: AES-128-CCM-8" \ - -S "Client Signature:" \ - -s "Server Signature: RSA-PSS-RSAE-SHA256" \ - -c "ECDH curve: secp256r1" \ - -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \ - -c "Certificate Verify: Signature algorithm ( 0804 )" \ - -c "Verifying peer X.509 certificate... ok" - #==============================================================================# #= TLS 1.3 server tests, all possible ciphersuites against GnuTLS next client =# #= Key exhange: ECDHE-ECDSA curve SECP256R1 =# #= Client and server authentication with ECDSA-SECP256R1-SHA256 =# #==============================================================================# -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_gnutls_next run_test "TLS 1.3 G->m AES_128_GCM_SHA256 , ECDSA_SECP256R1_SHA256" \ - "$P_SRV ca_file=data_files/test-ca_cat12.crt auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key debug_level=4 force_version=tls1_3 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256" \ + "$P_SRV ca_file=data_files/test-ca_cat12.crt auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key debug_level=4 force_version=tls13 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256" \ "$G_NEXT_CLI --x509certfile data_files/cli2.crt --x509keyfile data_files/cli2.key --priority NONE:+AES-128-GCM:+SHA256:+GROUP-SECP256R1:+ECDHE-ECDSA:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3 localhost" \ 0 \ -s "ECDH curve: secp256r1" \ @@ -1960,12 +1600,13 @@ run_test "TLS 1.3 G->m AES_128_GCM_SHA256 , ECDSA_SECP256R1_SHA256" \ -s "Certificate Verify: Signature algorithm ( 0403 )" \ -s "Verifying peer X.509 certificate... ok" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_gnutls_next run_test "TLS 1.3 G->m AES_256_GCM_SHA384 , ECDSA_SECP256R1_SHA256" \ - "$P_SRV ca_file=data_files/test-ca_cat12.crt auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key debug_level=4 force_version=tls1_3 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384" \ + "$P_SRV ca_file=data_files/test-ca_cat12.crt auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key debug_level=4 force_version=tls13 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384" \ "$G_NEXT_CLI --x509certfile data_files/cli2.crt --x509keyfile data_files/cli2.key --priority NONE:+AES-256-GCM:+SHA384:+GROUP-SECP256R1:+ECDHE-ECDSA:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3 localhost" \ 0 \ -s "ECDH curve: secp256r1" \ @@ -1973,12 +1614,13 @@ run_test "TLS 1.3 G->m AES_256_GCM_SHA384 , ECDSA_SECP256R1_SHA256" \ -s "Certificate Verify: Signature algorithm ( 0403 )" \ -s "Verifying peer X.509 certificate... ok" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_gnutls_next run_test "TLS 1.3 G->m CHACHA20_POLY1305_SHA256, ECDSA_SECP256R1_SHA256" \ - "$P_SRV ca_file=data_files/test-ca_cat12.crt auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key debug_level=4 force_version=tls1_3 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256" \ + "$P_SRV ca_file=data_files/test-ca_cat12.crt auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key debug_level=4 force_version=tls13 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256" \ "$G_NEXT_CLI --x509certfile data_files/cli2.crt --x509keyfile data_files/cli2.key --priority NONE:+CHACHA20-POLY1305:+SHA256:+GROUP-SECP256R1:+ECDHE-ECDSA:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3 localhost" \ 0 \ -s "ECDH curve: secp256r1" \ @@ -1986,12 +1628,13 @@ run_test "TLS 1.3 G->m CHACHA20_POLY1305_SHA256, ECDSA_SECP256R1_SHA256" \ -s "Certificate Verify: Signature algorithm ( 0403 )" \ -s "Verifying peer X.509 certificate... ok" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_gnutls_next run_test "TLS 1.3 G->m AES_128_CCM_SHA256 , ECDSA_SECP256R1_SHA256" \ - "$P_SRV ca_file=data_files/test-ca_cat12.crt auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key debug_level=4 force_version=tls1_3 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \ + "$P_SRV ca_file=data_files/test-ca_cat12.crt auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key debug_level=4 force_version=tls13 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \ "$G_NEXT_CLI --x509certfile data_files/cli2.crt --x509keyfile data_files/cli2.key --priority NONE:+AES-128-CCM:+SHA256:+GROUP-SECP256R1:+ECDHE-ECDSA:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3 localhost" \ 0 \ -s "ECDH curve: secp256r1" \ @@ -1999,12 +1642,13 @@ run_test "TLS 1.3 G->m AES_128_CCM_SHA256 , ECDSA_SECP256R1_SHA256" \ -s "Certificate Verify: Signature algorithm ( 0403 )" \ -s "Verifying peer X.509 certificate... ok" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_gnutls_next run_test "TLS 1.3 G->m AES_128_CCM_8_SHA256 , ECDSA_SECP256R1_SHA256" \ - "$P_SRV ca_file=data_files/test-ca_cat12.crt auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key debug_level=4 force_version=tls1_3 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \ + "$P_SRV ca_file=data_files/test-ca_cat12.crt auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key debug_level=4 force_version=tls13 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \ "$G_NEXT_CLI --x509certfile data_files/cli2.crt --x509keyfile data_files/cli2.key --priority NONE:+AES-128-CCM-8:+SHA256:+GROUP-SECP256R1:+ECDHE-ECDSA:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3 localhost" \ 0 \ -s "ECDH curve: secp256r1" \ @@ -2015,116 +1659,127 @@ run_test "TLS 1.3 G->m AES_128_CCM_8_SHA256 , ECDSA_SECP256R1_SHA256" \ # =========================================================================== # # =========================================================================== # -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_SSL_CLI_C +run_test "TLS 1.3, HRR proposing secp256r1" \ + "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key \ + debug_level=2 force_version=tls13 curves=secp256r1" \ + "$P_CLI debug_level=2 force_version=tls13" \ + 0 \ + -s "Protocol is TLSv1.3" \ + -c "received HelloRetryRequest message" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, default suite, PSK" \ - "$P_SRV nbio=2 debug_level=5 force_version=tls1_3 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \ + "$P_SRV nbio=2 debug_level=5 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \ 0 \ -s "Protocol is TLSv1.3" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, default suite, ECDHE-ECDSA, SRV auth" \ "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key \ - nbio=2 debug_level=5 force_version=tls1_3 tls13_kex_modes=ephemeral" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 server_name=localhost tls13_kex_modes=ephemeral" \ + nbio=2 debug_level=5 force_version=tls13 tls13_kex_modes=ephemeral" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 server_name=localhost tls13_kex_modes=ephemeral" \ 0 \ -s "Certificate verification was skipped" \ -c "subject name : C=NL, O=PolarSSL, CN=localhost" \ -c "Protocol is TLSv1.3" \ -c "Verifying peer X.509 certificate... ok" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, TLS1-3-AES-128-CCM-SHA256, PSK" \ - "$P_SRV nbio=2 debug_level=5 force_version=tls1_3 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \ + "$P_SRV nbio=2 debug_level=5 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \ 0 \ -s "Protocol is TLSv1.3" \ -s "Ciphersuite is TLS1-3-AES-128-CCM-SHA256" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, TLS1-3-AES-128-GCM-SHA256, PSK" \ - "$P_SRV nbio=2 debug_level=5 force_version=tls1_3 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \ + "$P_SRV nbio=2 debug_level=5 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \ 0 \ -s "Protocol is TLSv1.3" \ -s "Ciphersuite is TLS1-3-AES-128-GCM-SHA256" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, TLS1-3-AES-128-CCM-8-SHA256, PSK" \ - "$P_SRV nbio=2 debug_level=5 force_version=tls1_3 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \ + "$P_SRV nbio=2 debug_level=5 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \ 0 \ -s "Protocol is TLSv1.3" \ -s "Ciphersuite is TLS1-3-AES-128-CCM-8-SHA256" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, TLS1-3-AES-256-GCM-SHA384, PSK" \ - "$P_SRV nbio=2 debug_level=5 force_version=tls1_3 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \ + "$P_SRV nbio=2 debug_level=5 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \ 0 \ -s "Protocol is TLSv1.3" \ -s "Ciphersuite is TLS1-3-AES-256-GCM-SHA384" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, TLS1-3-AES-128-CCM-SHA256, PSK-ECDHE" \ - "$P_SRV nbio=2 debug_level=5 force_version=tls1_3 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_ephemeral" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_ephemeral" \ + "$P_SRV nbio=2 debug_level=5 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_ephemeral" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_ephemeral" \ 0 \ -s "Protocol is TLSv1.3" \ -s "Ciphersuite is TLS1-3-AES-128-CCM-SHA256" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, TLS1-3-AES-128-GCM-SHA256, PSK-ECDHE" \ "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key \ - nbio=2 debug_level=5 force_version=tls1_3 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_ephemeral" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_ephemeral" \ + nbio=2 debug_level=5 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_ephemeral" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_ephemeral" \ 0 \ -s "Protocol is TLSv1.3" \ -s "Ciphersuite is TLS1-3-AES-128-GCM-SHA256" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, TLS1-3-AES-128-CCM-8-SHA256, PSK-ECDHE" \ - "$P_SRV nbio=2 debug_level=5 force_version=tls1_3 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_ephemeral" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_ephemeral" \ + "$P_SRV nbio=2 debug_level=5 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_ephemeral" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_ephemeral" \ 0 \ -s "Protocol is TLSv1.3" \ -s "Ciphersuite is TLS1-3-AES-128-CCM-8-SHA256" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, TLS1-3-AES-256-GCM-SHA384, PSK-ECDHE" \ - "$P_SRV nbio=2 debug_level=5 force_version=tls1_3 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_ephemeral" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_ephemeral" \ + "$P_SRV nbio=2 debug_level=5 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_ephemeral" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_ephemeral" \ 0 \ -s "Protocol is TLSv1.3" \ -s "Ciphersuite is TLS1-3-AES-256-GCM-SHA384" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, TLS1-3-AES-128-CCM-SHA256, ECDHE-ECDSA, SRV auth" \ "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key \ - nbio=2 debug_level=5 force_version=tls1_3 tls13_kex_modes=ephemeral" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 tls13_kex_modes=ephemeral" \ + nbio=2 debug_level=5 force_version=tls13 tls13_kex_modes=ephemeral" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 tls13_kex_modes=ephemeral" \ 0 \ -s "Certificate verification was skipped" \ -c "subject name : C=NL, O=PolarSSL, CN=localhost" \ @@ -2132,13 +1787,13 @@ run_test "TLS 1.3, TLS1-3-AES-128-CCM-SHA256, ECDHE-ECDSA, SRV auth" \ -c "Ciphersuite is TLS1-3-AES-128-CCM-SHA256" \ -c "Verifying peer X.509 certificate... ok" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, TLS1-3-AES-128-GCM-SHA256, ECDHE-ECDSA, SRV auth" \ "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key \ - nbio=2 debug_level=5 force_version=tls1_3 tls13_kex_modes=ephemeral" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 tls13_kex_modes=ephemeral" \ + nbio=2 debug_level=5 force_version=tls13 tls13_kex_modes=ephemeral" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 server_name=localhost force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 tls13_kex_modes=ephemeral" \ 0 \ -s "Certificate verification was skipped" \ -c "subject name : C=NL, O=PolarSSL, CN=localhost" \ @@ -2146,13 +1801,13 @@ run_test "TLS 1.3, TLS1-3-AES-128-GCM-SHA256, ECDHE-ECDSA, SRV auth" \ -c "Ciphersuite is TLS1-3-AES-128-GCM-SHA256" \ -c "Verifying peer X.509 certificate... ok" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, TLS1-3-AES-128-CCM-8-SHA256, ECDHE-ECDSA, SRV auth" \ "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key \ - nbio=2 debug_level=5 force_version=tls1_3 tls13_kex_modes=ephemeral" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 tls13_kex_modes=ephemeral" \ + nbio=2 debug_level=5 force_version=tls13 tls13_kex_modes=ephemeral" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 tls13_kex_modes=ephemeral" \ 0 \ -s "Certificate verification was skipped" \ -c "subject name : C=NL, O=PolarSSL, CN=localhost" \ @@ -2160,13 +1815,13 @@ run_test "TLS 1.3, TLS1-3-AES-128-CCM-8-SHA256, ECDHE-ECDSA, SRV auth" \ -c "Ciphersuite is TLS1-3-AES-128-CCM-8-SHA256" \ -c "Verifying peer X.509 certificate... ok" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, TLS1-3-AES-256-GCM-SHA384, ECDHE-ECDSA, SRV auth" \ "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key \ - nbio=2 debug_level=5 force_version=tls1_3 tls13_kex_modes=ephemeral" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 tls13_kex_modes=ephemeral" \ + nbio=2 debug_level=5 force_version=tls13 tls13_kex_modes=ephemeral" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 server_name=localhost force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 tls13_kex_modes=ephemeral" \ 0 \ -s "Certificate verification was skipped" \ -c "subject name : C=NL, O=PolarSSL, CN=localhost" \ @@ -2174,14 +1829,14 @@ run_test "TLS 1.3, TLS1-3-AES-256-GCM-SHA384, ECDHE-ECDSA, SRV auth" \ -c "Ciphersuite is TLS1-3-AES-256-GCM-SHA384" \ -c "Verifying peer X.509 certificate... ok" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, TLS1-3-AES-128-CCM-SHA256, ECDHE-ECDSA, CLI+SRV auth" \ "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key \ - nbio=2 debug_level=5 force_version=tls1_3 auth_mode=required tls13_kex_modes=ephemeral" \ + nbio=2 debug_level=5 force_version=tls13 auth_mode=required tls13_kex_modes=ephemeral" \ "$P_CLI crt_file=data_files/cli2.crt key_file=data_files/cli2.key \ - nbio=2 debug_level=5 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 tls13_kex_modes=ephemeral" \ + nbio=2 debug_level=5 force_version=tls13 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 tls13_kex_modes=ephemeral" \ 0 \ -s "Verifying peer X.509 certificate... ok" \ -s "subject name : C=NL, O=PolarSSL, CN=PolarSSL Test Client 2" \ @@ -2190,14 +1845,14 @@ run_test "TLS 1.3, TLS1-3-AES-128-CCM-SHA256, ECDHE-ECDSA, CLI+SRV auth" \ -c "Ciphersuite is TLS1-3-AES-128-CCM-SHA256" \ -c "Verifying peer X.509 certificate... ok" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, TLS1-3-AES-128-GCM-SHA256, ECDHE-ECDSA, CLI+SRV auth" \ "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key \ - nbio=2 debug_level=5 force_version=tls1_3 auth_mode=required tls13_kex_modes=ephemeral" \ + nbio=2 debug_level=5 force_version=tls13 auth_mode=required tls13_kex_modes=ephemeral" \ "$P_CLI crt_file=data_files/cli2.crt key_file=data_files/cli2.key \ - nbio=2 debug_level=5 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 tls13_kex_modes=ephemeral" \ + nbio=2 debug_level=5 force_version=tls13 server_name=localhost force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 tls13_kex_modes=ephemeral" \ 0 \ -s "Verifying peer X.509 certificate... ok" \ -s "subject name : C=NL, O=PolarSSL, CN=PolarSSL Test Client 2" \ @@ -2206,14 +1861,14 @@ run_test "TLS 1.3, TLS1-3-AES-128-GCM-SHA256, ECDHE-ECDSA, CLI+SRV auth" \ -c "Ciphersuite is TLS1-3-AES-128-GCM-SHA256" \ -c "Verifying peer X.509 certificate... ok" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, TLS1-3-AES-128-CCM-8-SHA256, ECDHE-ECDSA, CLI+SRV auth" \ "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key \ - nbio=2 debug_level=5 force_version=tls1_3 auth_mode=required tls13_kex_modes=ephemeral" \ + nbio=2 debug_level=5 force_version=tls13 auth_mode=required tls13_kex_modes=ephemeral" \ "$P_CLI crt_file=data_files/cli2.crt key_file=data_files/cli2.key \ - nbio=2 debug_level=5 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 tls13_kex_modes=ephemeral" \ + nbio=2 debug_level=5 force_version=tls13 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 tls13_kex_modes=ephemeral" \ 0 \ -s "Verifying peer X.509 certificate... ok" \ -s "subject name : C=NL, O=PolarSSL, CN=PolarSSL Test Client 2" \ @@ -2222,12 +1877,12 @@ run_test "TLS 1.3, TLS1-3-AES-128-CCM-8-SHA256, ECDHE-ECDSA, CLI+SRV auth" \ -c "Ciphersuite is TLS1-3-AES-128-CCM-8-SHA256" \ -c "Verifying peer X.509 certificate... ok" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS1-3-AES-256-GCM-SHA384 with ECDHE-ECDSA (mutual auth)" \ - "$P_SRV nbio=2 debug_level=5 force_version=tls1_3 auth_mode=required tls13_kex_modes=ephemeral" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 tls13_kex_modes=ephemeral" \ + "$P_SRV nbio=2 debug_level=5 force_version=tls13 auth_mode=required tls13_kex_modes=ephemeral" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 server_name=localhost force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 tls13_kex_modes=ephemeral" \ 0 \ -s "Verifying peer X.509 certificate... ok" \ -s "subject name : C=NL, O=PolarSSL, CN=PolarSSL Test Client 2" \ @@ -2238,14 +1893,14 @@ run_test "TLS1-3-AES-256-GCM-SHA384 with ECDHE-ECDSA (mutual auth)" \ # Server asks client for authentication with certificate request message, # client responds with empty certificate -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, TLS1-3-AES-128-GCM-SHA256, ECDHE-ECDSA, empty client certificate, accepted" \ "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key \ - nbio=2 debug_level=5 force_version=tls1_3 auth_mode=optional tls13_kex_modes=ephemeral" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 tls13_kex_modes=ephemeral auth_mode=none" \ + nbio=2 debug_level=5 force_version=tls13 auth_mode=optional tls13_kex_modes=ephemeral" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 server_name=localhost force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 tls13_kex_modes=ephemeral auth_mode=none" \ 0 \ -s "client has no certificate" \ -c "subject name : C=NL, O=PolarSSL, CN=localhost" \ @@ -2255,26 +1910,26 @@ run_test "TLS 1.3, TLS1-3-AES-128-GCM-SHA256, ECDHE-ECDSA, empty client certi -c "write empty client certificate" # - Server does NOT accept the lack of client authentication -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, TLS1-3-AES-128-CCM-SHA256, ECDHE-ECDSA, empty client certificate, rejected" \ "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key \ - nbio=2 debug_level=5 force_version=tls1_3 auth_mode=required tls13_kex_modes=ephemeral" \ - "$P_CLI debug_level=5 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 tls13_kex_modes=ephemeral auth_mode=none" \ + nbio=2 debug_level=5 force_version=tls13 auth_mode=required tls13_kex_modes=ephemeral" \ + "$P_CLI debug_level=5 force_version=tls13 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 tls13_kex_modes=ephemeral auth_mode=none" \ 1 \ -s "empty certificate message received" \ -s "client has no certificate" \ -c "write empty client certificate" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, TLS1-3-AES-256-GCM-SHA384, ECDHE-ECDSA, SRV auth" \ "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key \ - nbio=2 debug_level=5 force_version=tls1_3 tls13_kex_modes=ephemeral" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 tls13_kex_modes=ephemeral" \ + nbio=2 debug_level=5 force_version=tls13 tls13_kex_modes=ephemeral" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 server_name=localhost force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 tls13_kex_modes=ephemeral" \ 0 \ -s "Verifying peer X.509 certificate... failed" \ -s "Certificate verification was skipped" \ @@ -2283,15 +1938,15 @@ run_test "TLS 1.3, TLS1-3-AES-256-GCM-SHA384, ECDHE-ECDSA, SRV auth" \ -c "Verifying peer X.509 certificate... ok" \ -c "subject name : C=NL, O=PolarSSL, CN=localhost" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, TLS1-3-AES-128-CCM-SHA256, ECDHE-ECDSA, CLI+SRV auth, with ticket" \ "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key \ - nbio=2 debug_level=5 force_version=tls1_3 auth_mode=required tls13_kex_modes=all tickets=1" \ + nbio=2 debug_level=5 force_version=tls13 auth_mode=required tls13_kex_modes=all tickets=1" \ "$P_CLI crt_file=data_files/cli2.crt key_file=data_files/cli2.key \ - nbio=2 debug_level=5 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 tls13_kex_modes=all reconnect=1 tickets=1" \ + nbio=2 debug_level=5 force_version=tls13 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 tls13_kex_modes=all reconnect=1 tickets=1" \ 0 \ -s "Verifying peer X.509 certificate... ok" \ -s "subject name : C=NL, O=PolarSSL, CN=PolarSSL Test Client 2" \ @@ -2305,15 +1960,15 @@ run_test "TLS 1.3, TLS1-3-AES-128-CCM-SHA256, ECDHE-ECDSA, CLI+SRV auth, with -c "found pre_shared_key extension" \ -s "<= write new session ticket" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, TLS1-3-AES-128-GCM-SHA256, ECDHE-ECDSA, CLI+SRV auth, with ticket" \ "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key \ - nbio=2 debug_level=5 force_version=tls1_3 auth_mode=required tls13_kex_modes=all tickets=1" \ + nbio=2 debug_level=5 force_version=tls13 auth_mode=required tls13_kex_modes=all tickets=1" \ "$P_CLI crt_file=data_files/cli2.crt key_file=data_files/cli2.key \ - nbio=2 debug_level=5 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 tls13_kex_modes=all reconnect=1 tickets=1" \ + nbio=2 debug_level=5 force_version=tls13 server_name=localhost force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 tls13_kex_modes=all reconnect=1 tickets=1" \ 0 \ -s "Verifying peer X.509 certificate... ok" \ -s "subject name : C=NL, O=PolarSSL, CN=PolarSSL Test Client 2" \ @@ -2327,15 +1982,15 @@ run_test "TLS 1.3, TLS1-3-AES-128-GCM-SHA256, ECDHE-ECDSA, CLI+SRV auth, with -c "found pre_shared_key extension" \ -s "<= write new session ticket" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, TLS1-3-AES-128-CCM-8-SHA256, ECDHE-ECDSA, CLI+SRV auth, with ticket" \ "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key \ - nbio=2 debug_level=5 force_version=tls1_3 auth_mode=required tls13_kex_modes=all tickets=1" \ + nbio=2 debug_level=5 force_version=tls13 auth_mode=required tls13_kex_modes=all tickets=1" \ "$P_CLI crt_file=data_files/cli2.crt key_file=data_files/cli2.key \ - nbio=2 debug_level=5 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 tls13_kex_modes=all reconnect=1 tickets=1" \ + nbio=2 debug_level=5 force_version=tls13 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 tls13_kex_modes=all reconnect=1 tickets=1" \ 0 \ -s "Verifying peer X.509 certificate... ok" \ -s "subject name : C=NL, O=PolarSSL, CN=PolarSSL Test Client 2" \ @@ -2349,15 +2004,15 @@ run_test "TLS 1.3, TLS1-3-AES-128-CCM-8-SHA256, ECDHE-ECDSA, CLI+SRV auth, wi -c "found pre_shared_key extension" \ -s "<= write new session ticket" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, TLS1-3-AES-256-GCM-SHA384, ECDHE-ECDSA, CLI+SRV auth, with ticket" \ "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key \ - nbio=2 debug_level=5 force_version=tls1_3 auth_mode=required tls13_kex_modes=all tickets=1" \ + nbio=2 debug_level=5 force_version=tls13 auth_mode=required tls13_kex_modes=all tickets=1" \ "$P_CLI crt_file=data_files/cli2.crt key_file=data_files/cli2.key \ - nbio=2 debug_level=5 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 tls13_kex_modes=all reconnect=1 tickets=1" \ + nbio=2 debug_level=5 force_version=tls13 server_name=localhost force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 tls13_kex_modes=all reconnect=1 tickets=1" \ 0 \ -s "Verifying peer X.509 certificate... ok" \ -s "subject name : C=NL, O=PolarSSL, CN=PolarSSL Test Client 2" \ @@ -2371,14 +2026,14 @@ run_test "TLS 1.3, TLS1-3-AES-256-GCM-SHA384, ECDHE-ECDSA, CLI+SRV auth, with -c "found pre_shared_key extension" \ -s "<= write new session ticket" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, TLS1-3-AES-256-GCM-SHA384 with ECDHE-ECDSA (server auth only) with ticket" \ "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key \ - nbio=2 debug_level=5 force_version=tls1_3 tls13_kex_modes=all tickets=1" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 tls13_kex_modes=all reconnect=1 tickets=1" \ + nbio=2 debug_level=5 force_version=tls13 tls13_kex_modes=all tickets=1" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 server_name=localhost force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 tls13_kex_modes=all reconnect=1 tickets=1" \ 0 \ -s "Verifying peer X.509 certificate... failed" \ -s "Certificate verification was skipped" \ @@ -2392,14 +2047,14 @@ run_test "TLS 1.3, TLS1-3-AES-256-GCM-SHA384 with ECDHE-ECDSA (server auth on -c "found pre_shared_key extension" \ -s "<= write new session ticket" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_ZERO_RTT run_test "TLS 1.3, TLS1-3-AES-256-GCM-SHA384, ext PSK, early data" \ - "$P_SRV nbio=2 debug_level=5 force_version=tls1_3 early_data=-1 tls13_kex_modes=psk psk=010203 psk_identity=0a0b0c" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \ + "$P_SRV nbio=2 debug_level=5 force_version=tls13 early_data=-1 tls13_kex_modes=psk psk=010203 psk_identity=0a0b0c" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \ 0 \ -s "found early_data extension" \ -s "Derive Early Secret with 'ext binder'" \ @@ -2411,14 +2066,14 @@ run_test "TLS 1.3, TLS1-3-AES-256-GCM-SHA384, ext PSK, early data" \ -s "<= parse early data" \ -s "<= parse end_of_early_data" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_ZERO_RTT run_test "TLS 1.3, TLS1-3-AES-128-CCM-SHA256, ext PSK, early data" \ - "$P_SRV nbio=2 debug_level=5 force_version=tls1_3 early_data=-1 tls13_kex_modes=psk psk=010203 psk_identity=0a0b0c" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \ + "$P_SRV nbio=2 debug_level=5 force_version=tls13 early_data=-1 tls13_kex_modes=psk psk=010203 psk_identity=0a0b0c" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \ 0 \ -s "found early_data extension" \ -s "Derive Early Secret with 'ext binder'" \ @@ -2430,14 +2085,14 @@ run_test "TLS 1.3, TLS1-3-AES-128-CCM-SHA256, ext PSK, early data" \ -s "<= parse early data" \ -s "<= parse end_of_early_data" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_ZERO_RTT run_test "TLS 1.3, TLS1-3-AES-128-GCM-SHA256, ext PSK, early data" \ - "$P_SRV nbio=2 debug_level=5 force_version=tls1_3 early_data=-1 tls13_kex_modes=psk psk=010203 psk_identity=0a0b0c" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \ + "$P_SRV nbio=2 debug_level=5 force_version=tls13 early_data=-1 tls13_kex_modes=psk psk=010203 psk_identity=0a0b0c" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \ 0 \ -s "found early_data extension" \ -s "Derive Early Secret with 'ext binder'" \ @@ -2449,14 +2104,14 @@ run_test "TLS 1.3, TLS1-3-AES-128-GCM-SHA256, ext PSK, early data" \ -s "<= parse early data" \ -s "<= parse end_of_early_data" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_ZERO_RTT run_test "TLS 1.3, TLS1-3-AES-128-CCM-8-SHA256, ext PSK, early data" \ - "$P_SRV nbio=2 debug_level=5 force_version=tls1_3 early_data=-1 tls13_kex_modes=psk psk=010203 psk_identity=0a0b0c" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \ + "$P_SRV nbio=2 debug_level=5 force_version=tls13 early_data=-1 tls13_kex_modes=psk psk=010203 psk_identity=0a0b0c" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \ 0 \ -s "found early_data extension" \ -s "Derive Early Secret with 'ext binder'" \ @@ -2468,15 +2123,15 @@ run_test "TLS 1.3, TLS1-3-AES-128-CCM-8-SHA256, ext PSK, early data" \ -s "<= parse early data" \ -s "<= parse end_of_early_data" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_ZERO_RTT run_test "TLS 1.3, TLS1-3-AES-256-GCM-SHA384, ECDHE-ECDSA, client tries early data without PSK, and falls back to 1-RTT" \ "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key \ - nbio=2 debug_level=4 force_version=tls1_3" \ - "$P_CLI nbio=2 debug_level=4 force_version=tls1_3 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 early_data=1" \ + nbio=2 debug_level=4 force_version=tls13" \ + "$P_CLI nbio=2 debug_level=4 force_version=tls13 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 early_data=1" \ 0 \ -s "Protocol is TLSv1.3" \ -c "<= skip write early_data extension" \ @@ -2484,15 +2139,15 @@ run_test "TLS 1.3, TLS1-3-AES-256-GCM-SHA384, ECDHE-ECDSA, client tries early -c "Ciphersuite is TLS1-3-AES-256-GCM-SHA384" \ -c "early data status = 0" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, TLS1-3-AES-128-CCM-8-SHA256, ECDHE-ECDSA, CLI+SRV auth, HRR enforcing cookie" \ "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key \ - nbio=2 debug_level=5 force_version=tls1_3 auth_mode=required tls13_kex_modes=ephemeral tickets=0 cookies=2" \ + nbio=2 debug_level=5 force_version=tls13 auth_mode=required tls13_kex_modes=ephemeral tickets=0 cookies=2" \ "$P_CLI crt_file=data_files/cli2.crt key_file=data_files/cli2.key \ - nbio=2 debug_level=5 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 tls13_kex_modes=ephemeral" \ + nbio=2 debug_level=5 force_version=tls13 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 tls13_kex_modes=ephemeral" \ 0 \ -s "Cookie extension missing. Need to send a HRR." \ -s "Skip key_share extension in HRR" \ @@ -2507,14 +2162,14 @@ run_test "TLS 1.3, TLS1-3-AES-128-CCM-8-SHA256, ECDHE-ECDSA, CLI+SRV auth, HR # configure client to initially sent incorrect group, which will be corrected with HRR from the server -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, TLS1-3-AES-128-CCM-SHA256 with ECDHE-ECDSA, SRV auth, HRR enforcing group" \ "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key \ - nbio=2 debug_level=5 force_version=tls1_3 tls13_kex_modes=ephemeral named_groups=secp256r1 cookies=1 tickets=0" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 tls13_kex_modes=ephemeral named_groups=secp384r1,secp256r1" \ + nbio=2 debug_level=5 force_version=tls13 tls13_kex_modes=ephemeral named_groups=secp256r1 cookies=1 tickets=0" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 tls13_kex_modes=ephemeral named_groups=secp384r1,secp256r1" \ 0 \ -s "no matching key share" \ -s "write hello retry request" \ @@ -2554,36 +2209,36 @@ run_test "TLS 1.3 m->O, TLS1-3-AES-128-GCM-SHA256 with ECDHE-ECDSA, SRV auth, -c "HTTP/1.0 200 ok" # test early data status - not sent -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_ZERO_RTT run_test "TLS 1.3, TLS1-3-AES-256-GCM-SHA384, ext PSK, early data status - not sent" \ - "$P_SRV nbio=2 debug_level=5 force_version=tls1_3 psk=010203 psk_identity=0a0b0c" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 psk=010203 psk_identity=0a0b0c" \ + "$P_SRV nbio=2 debug_level=5 force_version=tls13 psk=010203 psk_identity=0a0b0c" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 psk=010203 psk_identity=0a0b0c" \ 0 \ -c "early data status = 0" \ # test early data status - accepted -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_ZERO_RTT run_test "TLS 1.3, TLS1-3-AES-256-GCM-SHA384, ext PSK, early data status - accepted" \ - "$P_SRV nbio=2 debug_level=5 force_version=tls1_3 early_data=-1 tls13_kex_modes=psk psk=010203 psk_identity=0a0b0c" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \ + "$P_SRV nbio=2 debug_level=5 force_version=tls13 early_data=-1 tls13_kex_modes=psk psk=010203 psk_identity=0a0b0c" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \ 0 \ -c "early data status = 2" \ -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, TLS1-3-AES-128-CCM-8-SHA256, ClientHello message misses mandatory extensions" \ - "$P_SRV nbio=2 debug_level=5 force_version=tls1_3 tls13_kex_modes=psk" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 tls13_kex_modes=psk" \ + "$P_SRV nbio=2 debug_level=5 force_version=tls13 tls13_kex_modes=psk" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 tls13_kex_modes=psk" \ 1 \ -s "ClientHello message misses mandatory extensions." \ -s "send alert message" \ @@ -2591,24 +2246,26 @@ run_test "TLS 1.3, TLS1-3-AES-128-CCM-8-SHA256, ClientHello message misses ma -c "got an alert message, type: \\[2:109]" # Test OpenSSL server using RSA certificate -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_openssl run_test "TLS 1.3, TLS1-3-AES-128-GCM-SHA256, RSA-certificate, OpenSSL server" \ "$O_SRV_RSA" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-GCM-SHA256" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 server_name=localhost force_ciphersuite=TLS1-3-AES-128-GCM-SHA256" \ 0 \ -c "Certificate Verify: using RSA" # Test OpenSSL server with resumption -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_openssl_with_tls1_3 run_test "TLS 1.3, TLS1-3-AES-128-GCM-SHA256, resumption, OpenSSL server" \ "$O_SRV" \ - "$P_CLI debug_level=5 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 reconnect=1 tickets=1" \ + "$P_CLI debug_level=5 force_version=tls13 server_name=localhost force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 reconnect=1 tickets=1" \ 0 \ -c "Verifying peer X.509 certificate... ok" \ -c "got ticket" \ @@ -2618,29 +2275,30 @@ run_test "TLS 1.3, TLS1-3-AES-128-GCM-SHA256, resumption, OpenSSL server" \ -c "skip parse certificate$" # Test OpenSSL server with resumption and reject early data -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_openssl_with_tls1_3 run_test "TLS 1.3, TLS1-3-AES-128-GCM-SHA256, reject early data, OpenSSL server" \ "$O_SRV" \ - "$P_CLI debug_level=5 force_version=tls1_3 server_name=localhost \ + "$P_CLI debug_level=5 force_version=tls13 server_name=localhost \ force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 reconnect=1 tickets=1 \ early_data=1" \ 0 \ -c "=> write early data" \ - -c "=> mbedtls_ssl_tls1_3_generate_early_data_keys" \ + -c "=> mbedtls_ssl_tls13_generate_early_data_keys" \ -c "skip EndOfEarlyData, server rejected" \ -c "early data status, reconnect = 1" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_ALPN run_test "TLS 1.3, ALPN" \ - "$P_SRV nbio=2 debug_level=5 force_version=tls1_3 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk alpn=abc,1234" \ - "$P_CLI nbio=2 debug_level=5 force_version=tls1_3 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk alpn=1234" \ + "$P_SRV nbio=2 debug_level=5 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk alpn=abc,1234" \ + "$P_CLI nbio=2 debug_level=5 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk alpn=1234" \ 0 \ -s "Protocol is TLSv1.3" \ -s "found alpn extension" \ @@ -2648,12 +2306,12 @@ run_test "TLS 1.3, ALPN" \ -c "Application Layer Protocol is 1234" \ -s "Application Layer Protocol is 1234" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.3, TLS1-3-AES-128-CCM-SHA256, ECDHE-ECDSA, mismatched sig_algs" \ - "$P_SRV nbio=2 debug_level=4 force_version=tls1_3 tls13_kex_modes=ephemeral sig_algs=ecdsa_secp384r1_sha384" \ - "$P_CLI nbio=2 debug_level=4 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 tls13_kex_modes=ephemeral sig_algs=ecdsa_secp256r1_sha256" \ + "$P_SRV nbio=2 debug_level=4 force_version=tls13 tls13_kex_modes=ephemeral sig_algs=ecdsa_secp384r1_sha384" \ + "$P_CLI nbio=2 debug_level=4 force_version=tls13 server_name=localhost force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 tls13_kex_modes=ephemeral sig_algs=ecdsa_secp256r1_sha256" \ 1 \ -s "found signature_algorithms extension" \ -c "got an alert message, type: \\[2:40]" @@ -2668,7 +2326,7 @@ run_test "TLS 1.3, TLS1-3-AES-128-CCM-SHA256, ECDHE-ECDSA, mismatched sig_alg # - things work with all ciphersuites active (used with config-full in all.sh) # - the expected parameters are selected # ("signature_algorithm ext: 6" means SHA-512 (highest common hash)) -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Default" \ "$P_SRV debug_level=3" \ "$P_CLI" \ @@ -2680,7 +2338,7 @@ run_test "Default" \ -S "error" \ -C "error" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Default, DTLS" \ "$P_SRV dtls=1" \ "$P_CLI dtls=1" \ @@ -2688,7 +2346,7 @@ run_test "Default, DTLS" \ -s "Protocol is DTLSv1.2" \ -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "TLS client auth: required" \ "$P_SRV auth_mode=required" \ "$P_CLI" \ @@ -2698,7 +2356,7 @@ run_test "TLS client auth: required" \ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SHA256_C -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "TLS: password protected client key" \ "$P_SRV auth_mode=required" \ "$P_CLI crt_file=data_files/server5.crt key_file=data_files/server5.key.enc key_pwd=PolarSSLTest" \ @@ -2707,7 +2365,7 @@ run_test "TLS: password protected client key" \ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SHA256_C -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "TLS: password protected server key" \ "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key.enc key_pwd=PolarSSLTest" \ "$P_CLI" \ @@ -2717,7 +2375,7 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_SHA256_C -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "TLS: password protected server key, two certificates" \ "$P_SRV \ key_file=data_files/server5.key.enc key_pwd=PolarSSLTest crt_file=data_files/server5.crt \ @@ -2726,7 +2384,7 @@ run_test "TLS: password protected server key, two certificates" \ 0 requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "CA callback on client" \ "$P_SRV debug_level=3" \ "$P_CLI ca_callback=1 debug_level=3 " \ @@ -2739,7 +2397,7 @@ requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SHA256_C -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "CA callback on server" \ "$P_SRV auth_mode=required" \ "$P_CLI ca_callback=1 debug_level=3 crt_file=data_files/server5.crt \ @@ -2755,7 +2413,7 @@ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SHA256_C -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Opaque key for client authentication" \ "$P_SRV auth_mode=required crt_file=data_files/server5.crt \ key_file=data_files/server5.key" \ @@ -2809,48 +2467,48 @@ run_test "Opaque key for client/server authentication" \ # Test ciphersuites which we expect to be fully supported by PSA Crypto # and check that we don't fall back to Mbed TLS' internal crypto primitives. -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CCM -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 requires_config_enabled MBEDTLS_ECP_DP_SECP521R1_ENABLED -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test_psa_force_curve "secp521r1" requires_config_enabled MBEDTLS_ECP_DP_BP512R1_ENABLED -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test_psa_force_curve "brainpoolP512r1" requires_config_enabled MBEDTLS_ECP_DP_SECP384R1_ENABLED -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test_psa_force_curve "secp384r1" requires_config_enabled MBEDTLS_ECP_DP_BP384R1_ENABLED -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test_psa_force_curve "brainpoolP384r1" requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test_psa_force_curve "secp256r1" requires_config_enabled MBEDTLS_ECP_DP_SECP256K1_ENABLED -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test_psa_force_curve "secp256k1" requires_config_enabled MBEDTLS_ECP_DP_BP256R1_ENABLED -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test_psa_force_curve "brainpoolP256r1" requires_config_enabled MBEDTLS_ECP_DP_SECP224R1_ENABLED -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test_psa_force_curve "secp224r1" ## SECP224K1 is buggy via the PSA API ## (https://github.com/ARMmbed/mbedtls/issues/3541), @@ -2860,15 +2518,15 @@ run_test_psa_force_curve "secp224r1" #requires_config_enabled MBEDTLS_ECP_DP_SECP224K1_ENABLED #run_test_psa_force_curve "secp224k1" requires_config_enabled MBEDTLS_ECP_DP_SECP192R1_ENABLED -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test_psa_force_curve "secp192r1" requires_config_enabled MBEDTLS_ECP_DP_SECP192K1_ENABLED -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test_psa_force_curve "secp192k1" # Test current time in ServerHello requires_config_enabled MBEDTLS_HAVE_TIME -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "ServerHello contains gmt_unix_time" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3" \ @@ -2877,7 +2535,7 @@ run_test "ServerHello contains gmt_unix_time" \ -F "check_server_hello_time" # Test for uniqueness of IVs in AEAD ciphersuites -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Unique IV in GCM" \ "$P_SRV exchanges=20 debug_level=4" \ "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \ @@ -2886,7 +2544,7 @@ run_test "Unique IV in GCM" \ -U "IV used" # Tests for certificate verification callback -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Configuration-specific CRT verification callback" \ "$P_SRV debug_level=3" \ "$P_CLI context_crt_cb=0 debug_level=3" \ @@ -2897,7 +2555,7 @@ run_test "Configuration-specific CRT verification callback" \ -C "Use context-specific verification callback" \ -C "error" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Context-specific CRT verification callback" \ "$P_SRV debug_level=3" \ "$P_CLI context_crt_cb=1 debug_level=3" \ @@ -2908,46 +2566,46 @@ run_test "Context-specific CRT verification callback" \ -C "Use configuration-specific verification callback" \ -C "error" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SHA-1 forbidden by default in server certificate" \ "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \ "$P_CLI debug_level=2 allow_sha1=0" \ 1 \ -c "The certificate is signed with an unacceptable hash" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SHA-1 explicitly allowed in server certificate" \ "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \ "$P_CLI allow_sha1=1" \ 0 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SHA-256 allowed by default in server certificate" \ "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \ "$P_CLI allow_sha1=0" \ 0 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SHA-1 forbidden by default in client certificate" \ "$P_SRV auth_mode=required allow_sha1=0" \ "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \ 1 \ -s "The certificate is signed with an unacceptable hash" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SHA-1 explicitly allowed in client certificate" \ "$P_SRV auth_mode=required allow_sha1=1" \ "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \ 0 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SHA-256 allowed by default in client certificate" \ "$P_SRV auth_mode=required allow_sha1=0" \ "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \ 0 # Tests for datagram packing -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS: multiple records in same datagram, client and server" \ "$P_SRV dtls=1 dgram_packing=1 debug_level=2" \ "$P_CLI dtls=1 dgram_packing=1 debug_level=2" \ @@ -2955,7 +2613,7 @@ run_test "DTLS: multiple records in same datagram, client and server" \ -c "next record in same datagram" \ -s "next record in same datagram" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS: multiple records in same datagram, client only" \ "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \ "$P_CLI dtls=1 dgram_packing=1 debug_level=2" \ @@ -2963,7 +2621,7 @@ run_test "DTLS: multiple records in same datagram, client only" \ -s "next record in same datagram" \ -C "next record in same datagram" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS: multiple records in same datagram, server only" \ "$P_SRV dtls=1 dgram_packing=1 debug_level=2" \ "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \ @@ -2971,7 +2629,7 @@ run_test "DTLS: multiple records in same datagram, server only" \ -S "next record in same datagram" \ -c "next record in same datagram" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS: multiple records in same datagram, neither client nor server" \ "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \ "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \ @@ -2982,7 +2640,7 @@ run_test "DTLS: multiple records in same datagram, neither client nor server" # Tests for Context serialization requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Context serialization, client serializes, CCM" \ "$P_SRV dtls=1 serialize=0 exchanges=2" \ "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \ @@ -2991,7 +2649,7 @@ run_test "Context serialization, client serializes, CCM" \ -S "Deserializing connection..." requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Context serialization, client serializes, ChaChaPoly" \ "$P_SRV dtls=1 serialize=0 exchanges=2" \ "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \ @@ -3000,7 +2658,7 @@ run_test "Context serialization, client serializes, ChaChaPoly" \ -S "Deserializing connection..." requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Context serialization, client serializes, GCM" \ "$P_SRV dtls=1 serialize=0 exchanges=2" \ "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \ @@ -3010,7 +2668,7 @@ run_test "Context serialization, client serializes, GCM" \ requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Context serialization, client serializes, with CID" \ "$P_SRV dtls=1 serialize=0 exchanges=2 cid=1 cid_val=dead" \ "$P_CLI dtls=1 serialize=1 exchanges=2 cid=1 cid_val=beef" \ @@ -3019,7 +2677,7 @@ run_test "Context serialization, client serializes, with CID" \ -S "Deserializing connection..." requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Context serialization, server serializes, CCM" \ "$P_SRV dtls=1 serialize=1 exchanges=2" \ "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \ @@ -3028,7 +2686,7 @@ run_test "Context serialization, server serializes, CCM" \ -s "Deserializing connection..." requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Context serialization, server serializes, ChaChaPoly" \ "$P_SRV dtls=1 serialize=1 exchanges=2" \ "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \ @@ -3037,7 +2695,7 @@ run_test "Context serialization, server serializes, ChaChaPoly" \ -s "Deserializing connection..." requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Context serialization, server serializes, GCM" \ "$P_SRV dtls=1 serialize=1 exchanges=2" \ "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \ @@ -3047,7 +2705,7 @@ run_test "Context serialization, server serializes, GCM" \ requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Context serialization, server serializes, with CID" \ "$P_SRV dtls=1 serialize=1 exchanges=2 cid=1 cid_val=dead" \ "$P_CLI dtls=1 serialize=0 exchanges=2 cid=1 cid_val=beef" \ @@ -3056,7 +2714,7 @@ run_test "Context serialization, server serializes, with CID" \ -s "Deserializing connection..." requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Context serialization, both serialize, CCM" \ "$P_SRV dtls=1 serialize=1 exchanges=2" \ "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \ @@ -3065,7 +2723,7 @@ run_test "Context serialization, both serialize, CCM" \ -s "Deserializing connection..." requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Context serialization, both serialize, ChaChaPoly" \ "$P_SRV dtls=1 serialize=1 exchanges=2" \ "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \ @@ -3074,7 +2732,7 @@ run_test "Context serialization, both serialize, ChaChaPoly" \ -s "Deserializing connection..." requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Context serialization, both serialize, GCM" \ "$P_SRV dtls=1 serialize=1 exchanges=2" \ "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \ @@ -3084,7 +2742,7 @@ run_test "Context serialization, both serialize, GCM" \ requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Context serialization, both serialize, with CID" \ "$P_SRV dtls=1 serialize=1 exchanges=2 cid=1 cid_val=dead" \ "$P_CLI dtls=1 serialize=1 exchanges=2 cid=1 cid_val=beef" \ @@ -3093,7 +2751,7 @@ run_test "Context serialization, both serialize, with CID" \ -s "Deserializing connection..." requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Context serialization, re-init, client serializes, CCM" \ "$P_SRV dtls=1 serialize=0 exchanges=2" \ "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \ @@ -3102,7 +2760,7 @@ run_test "Context serialization, re-init, client serializes, CCM" \ -S "Deserializing connection..." requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Context serialization, re-init, client serializes, ChaChaPoly" \ "$P_SRV dtls=1 serialize=0 exchanges=2" \ "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \ @@ -3111,7 +2769,7 @@ run_test "Context serialization, re-init, client serializes, ChaChaPoly" \ -S "Deserializing connection..." requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Context serialization, re-init, client serializes, GCM" \ "$P_SRV dtls=1 serialize=0 exchanges=2" \ "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \ @@ -3121,7 +2779,7 @@ run_test "Context serialization, re-init, client serializes, GCM" \ requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Context serialization, re-init, client serializes, with CID" \ "$P_SRV dtls=1 serialize=0 exchanges=2 cid=1 cid_val=dead" \ "$P_CLI dtls=1 serialize=2 exchanges=2 cid=1 cid_val=beef" \ @@ -3130,7 +2788,7 @@ run_test "Context serialization, re-init, client serializes, with CID" \ -S "Deserializing connection..." requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Context serialization, re-init, server serializes, CCM" \ "$P_SRV dtls=1 serialize=2 exchanges=2" \ "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \ @@ -3139,7 +2797,7 @@ run_test "Context serialization, re-init, server serializes, CCM" \ -s "Deserializing connection..." requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Context serialization, re-init, server serializes, ChaChaPoly" \ "$P_SRV dtls=1 serialize=2 exchanges=2" \ "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \ @@ -3148,7 +2806,7 @@ run_test "Context serialization, re-init, server serializes, ChaChaPoly" \ -s "Deserializing connection..." requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Context serialization, re-init, server serializes, GCM" \ "$P_SRV dtls=1 serialize=2 exchanges=2" \ "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \ @@ -3158,7 +2816,7 @@ run_test "Context serialization, re-init, server serializes, GCM" \ requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Context serialization, re-init, server serializes, with CID" \ "$P_SRV dtls=1 serialize=2 exchanges=2 cid=1 cid_val=dead" \ "$P_CLI dtls=1 serialize=0 exchanges=2 cid=1 cid_val=beef" \ @@ -3167,7 +2825,7 @@ run_test "Context serialization, re-init, server serializes, with CID" \ -s "Deserializing connection..." requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Context serialization, re-init, both serialize, CCM" \ "$P_SRV dtls=1 serialize=2 exchanges=2" \ "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \ @@ -3176,7 +2834,7 @@ run_test "Context serialization, re-init, both serialize, CCM" \ -s "Deserializing connection..." requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Context serialization, re-init, both serialize, ChaChaPoly" \ "$P_SRV dtls=1 serialize=2 exchanges=2" \ "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \ @@ -3185,7 +2843,7 @@ run_test "Context serialization, re-init, both serialize, ChaChaPoly" \ -s "Deserializing connection..." requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Context serialization, re-init, both serialize, GCM" \ "$P_SRV dtls=1 serialize=2 exchanges=2" \ "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \ @@ -3195,7 +2853,7 @@ run_test "Context serialization, re-init, both serialize, GCM" \ requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Context serialization, re-init, both serialize, with CID" \ "$P_SRV dtls=1 serialize=2 exchanges=2 cid=1 cid_val=dead" \ "$P_CLI dtls=1 serialize=2 exchanges=2 cid=1 cid_val=beef" \ @@ -3204,7 +2862,7 @@ run_test "Context serialization, re-init, both serialize, with CID" \ -s "Deserializing connection..." requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Saving the serialized context to a file" \ "$P_SRV dtls=1 serialize=1 context_file=context_srv.txt" \ "$P_CLI dtls=1 serialize=1 context_file=context_cli.txt" \ @@ -3221,7 +2879,7 @@ rm -f context_cli.txt # changed once the CID extension is implemented. requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID: Cli enabled, Srv disabled" \ "$P_SRV debug_level=3 dtls=1 cid=0" \ "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \ @@ -3238,7 +2896,7 @@ run_test "Connection ID: Cli enabled, Srv disabled" \ -c "Use of Connection ID was rejected by the server" requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID: Cli disabled, Srv enabled" \ "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \ "$P_CLI debug_level=3 dtls=1 cid=0" \ @@ -3254,7 +2912,7 @@ run_test "Connection ID: Cli disabled, Srv enabled" \ -s "Use of Connection ID was not offered by client" requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty" \ "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \ "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef" \ @@ -3275,7 +2933,7 @@ run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty" \ -c "Use of Connection ID has been negotiated" requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID, 3D: Cli+Srv enabled, Cli+Srv CID nonempty" \ -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \ "$P_SRV debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=dead" \ @@ -3299,7 +2957,7 @@ run_test "Connection ID, 3D: Cli+Srv enabled, Cli+Srv CID nonempty" \ -s "ignoring unexpected CID" requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID, MTU: Cli+Srv enabled, Cli+Srv CID nonempty" \ -p "$P_PXY mtu=800" \ "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead" \ @@ -3321,7 +2979,7 @@ run_test "Connection ID, MTU: Cli+Srv enabled, Cli+Srv CID nonempty" \ -c "Use of Connection ID has been negotiated" requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID, 3D+MTU: Cli+Srv enabled, Cli+Srv CID nonempty" \ -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5 bad_cid=1" \ "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead" \ @@ -3345,7 +3003,7 @@ run_test "Connection ID, 3D+MTU: Cli+Srv enabled, Cli+Srv CID nonempty" \ -s "ignoring unexpected CID" requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID: Cli+Srv enabled, Cli CID empty" \ "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \ "$P_CLI debug_level=3 dtls=1 cid=1" \ @@ -3366,7 +3024,7 @@ run_test "Connection ID: Cli+Srv enabled, Cli CID empty" \ -c "Use of Connection ID has been negotiated" requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID: Cli+Srv enabled, Srv CID empty" \ "$P_SRV debug_level=3 dtls=1 cid=1" \ "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \ @@ -3387,7 +3045,7 @@ run_test "Connection ID: Cli+Srv enabled, Srv CID empty" \ -c "Use of Connection ID has been negotiated" requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty" \ "$P_SRV debug_level=3 dtls=1 cid=1" \ "$P_CLI debug_level=3 dtls=1 cid=1" \ @@ -3406,7 +3064,7 @@ run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty" \ -C "Use of Connection ID has been negotiated" requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty, AES-128-CCM-8" \ "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \ "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \ @@ -3427,7 +3085,7 @@ run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty, AES-128-CCM-8 -c "Use of Connection ID has been negotiated" requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID: Cli+Srv enabled, Cli CID empty, AES-128-CCM-8" \ "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \ "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \ @@ -3448,7 +3106,7 @@ run_test "Connection ID: Cli+Srv enabled, Cli CID empty, AES-128-CCM-8" \ -c "Use of Connection ID has been negotiated" requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID: Cli+Srv enabled, Srv CID empty, AES-128-CCM-8" \ "$P_SRV debug_level=3 dtls=1 cid=1" \ "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \ @@ -3469,7 +3127,7 @@ run_test "Connection ID: Cli+Srv enabled, Srv CID empty, AES-128-CCM-8" \ -c "Use of Connection ID has been negotiated" requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty, AES-128-CCM-8" \ "$P_SRV debug_level=3 dtls=1 cid=1" \ "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \ @@ -3488,7 +3146,7 @@ run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty, AES-128-CCM-8" \ -C "Use of Connection ID has been negotiated" requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty, AES-128-CBC" \ "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \ "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \ @@ -3509,7 +3167,7 @@ run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty, AES-128-CBC" -c "Use of Connection ID has been negotiated" requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID: Cli+Srv enabled, Cli CID empty, AES-128-CBC" \ "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \ "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \ @@ -3530,7 +3188,7 @@ run_test "Connection ID: Cli+Srv enabled, Cli CID empty, AES-128-CBC" \ -c "Use of Connection ID has been negotiated" requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID: Cli+Srv enabled, Srv CID empty, AES-128-CBC" \ "$P_SRV debug_level=3 dtls=1 cid=1" \ "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \ @@ -3551,7 +3209,7 @@ run_test "Connection ID: Cli+Srv enabled, Srv CID empty, AES-128-CBC" \ -c "Use of Connection ID has been negotiated" requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty, AES-128-CBC" \ "$P_SRV debug_level=3 dtls=1 cid=1" \ "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \ @@ -3571,7 +3229,7 @@ run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty, AES-128-CBC" \ requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID: Cli+Srv enabled, renegotiate without change of CID" \ "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \ "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \ @@ -3587,7 +3245,7 @@ run_test "Connection ID: Cli+Srv enabled, renegotiate without change of CID" requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID: Cli+Srv enabled, renegotiate with different CID" \ "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_val_renego=beef renegotiation=1" \ "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \ @@ -3603,7 +3261,7 @@ run_test "Connection ID: Cli+Srv enabled, renegotiate with different CID" \ requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID, no packing: Cli+Srv enabled, renegotiate with different CID" \ "$P_SRV debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=dead cid_val_renego=beef renegotiation=1" \ "$P_CLI debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \ @@ -3619,7 +3277,7 @@ run_test "Connection ID, no packing: Cli+Srv enabled, renegotiate with differ requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID, 3D+MTU: Cli+Srv enabled, renegotiate with different CID" \ -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5 bad_cid=1" \ "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead cid_val_renego=beef renegotiation=1" \ @@ -3638,7 +3296,7 @@ run_test "Connection ID, 3D+MTU: Cli+Srv enabled, renegotiate with different requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID: Cli+Srv enabled, renegotiate without CID" \ "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \ "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \ @@ -3654,7 +3312,7 @@ run_test "Connection ID: Cli+Srv enabled, renegotiate without CID" \ requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID, no packing: Cli+Srv enabled, renegotiate without CID" \ "$P_SRV debug_level=3 dtls=1 dgram_packing=0 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \ "$P_CLI debug_level=3 dtls=1 dgram_packing=0 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \ @@ -3670,7 +3328,7 @@ run_test "Connection ID, no packing: Cli+Srv enabled, renegotiate without CID requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID, 3D+MTU: Cli+Srv enabled, renegotiate without CID" \ -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \ "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \ @@ -3689,7 +3347,7 @@ run_test "Connection ID, 3D+MTU: Cli+Srv enabled, renegotiate without CID" \ requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID: Cli+Srv enabled, CID on renegotiation" \ "$P_SRV debug_level=3 dtls=1 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \ "$P_CLI debug_level=3 dtls=1 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \ @@ -3703,7 +3361,7 @@ run_test "Connection ID: Cli+Srv enabled, CID on renegotiation" \ requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID, no packing: Cli+Srv enabled, CID on renegotiation" \ "$P_SRV debug_level=3 dtls=1 dgram_packing=0 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \ "$P_CLI debug_level=3 dtls=1 dgram_packing=0 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \ @@ -3717,7 +3375,7 @@ run_test "Connection ID, no packing: Cli+Srv enabled, CID on renegotiation" \ requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID, 3D+MTU: Cli+Srv enabled, CID on renegotiation" \ -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5 bad_cid=1" \ "$P_SRV debug_level=3 mtu=800 dtls=1 dgram_packing=1 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \ @@ -3734,7 +3392,7 @@ run_test "Connection ID, 3D+MTU: Cli+Srv enabled, CID on renegotiation" \ requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID: Cli+Srv enabled, Cli disables on renegotiation" \ "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \ "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \ @@ -3751,7 +3409,7 @@ run_test "Connection ID: Cli+Srv enabled, Cli disables on renegotiation" \ requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID, 3D: Cli+Srv enabled, Cli disables on renegotiation" \ -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \ "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \ @@ -3771,7 +3429,7 @@ run_test "Connection ID, 3D: Cli+Srv enabled, Cli disables on renegotiation" requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID: Cli+Srv enabled, Srv disables on renegotiation" \ "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \ "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \ @@ -3788,7 +3446,7 @@ run_test "Connection ID: Cli+Srv enabled, Srv disables on renegotiation" \ requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Connection ID, 3D: Cli+Srv enabled, Srv disables on renegotiation" \ -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \ "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \ @@ -3811,7 +3469,7 @@ run_test "Connection ID, 3D: Cli+Srv enabled, Srv disables on renegotiation" # larger than the buffer. requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 513 run_test "Connection ID: Cli+Srv enabled, variable buffer lengths, MFL=512" \ "$P_SRV dtls=1 cid=1 cid_val=dead debug_level=2" \ @@ -3826,7 +3484,7 @@ run_test "Connection ID: Cli+Srv enabled, variable buffer lengths, MFL=512" \ requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 1025 run_test "Connection ID: Cli+Srv enabled, variable buffer lengths, MFL=1024" \ "$P_SRV dtls=1 cid=1 cid_val=dead debug_level=2" \ @@ -3841,7 +3499,7 @@ run_test "Connection ID: Cli+Srv enabled, variable buffer lengths, MFL=1024" # Tests for Encrypt-then-MAC extension -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Encrypt then MAC: default" \ "$P_SRV debug_level=3 \ force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ @@ -3854,7 +3512,7 @@ run_test "Encrypt then MAC: default" \ -c "using encrypt then mac" \ -s "using encrypt then mac" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Encrypt then MAC: client enabled, server disabled" \ "$P_SRV debug_level=3 etm=0 \ force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ @@ -3867,7 +3525,7 @@ run_test "Encrypt then MAC: client enabled, server disabled" \ -C "using encrypt then mac" \ -S "using encrypt then mac" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Encrypt then MAC: client enabled, aead cipher" \ "$P_SRV debug_level=3 etm=1 \ force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \ @@ -3880,7 +3538,7 @@ run_test "Encrypt then MAC: client enabled, aead cipher" \ -C "using encrypt then mac" \ -S "using encrypt then mac" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Encrypt then MAC: client disabled, server enabled" \ "$P_SRV debug_level=3 etm=1 \ force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ @@ -3895,7 +3553,7 @@ run_test "Encrypt then MAC: client disabled, server enabled" \ # Tests for Extended Master Secret extension -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Extended Master Secret: default" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3" \ @@ -3907,7 +3565,7 @@ run_test "Extended Master Secret: default" \ -c "session hash for extended master secret" \ -s "session hash for extended master secret" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Extended Master Secret: client enabled, server disabled" \ "$P_SRV debug_level=3 extended_ms=0" \ "$P_CLI debug_level=3 extended_ms=1" \ @@ -3919,7 +3577,7 @@ run_test "Extended Master Secret: client enabled, server disabled" \ -C "session hash for extended master secret" \ -S "session hash for extended master secret" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Extended Master Secret: client disabled, server enabled" \ "$P_SRV debug_level=3 extended_ms=1" \ "$P_CLI debug_level=3 extended_ms=0" \ @@ -3933,7 +3591,7 @@ run_test "Extended Master Secret: client disabled, server enabled" \ # Test sending and receiving empty application data records -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Encrypt then MAC: empty application data record" \ "$P_SRV auth_mode=none debug_level=4 etm=1" \ "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \ @@ -3942,7 +3600,7 @@ run_test "Encrypt then MAC: empty application data record" \ -s "dumping 'input payload after decrypt' (0 bytes)" \ -c "0 bytes written in 1 fragments" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Encrypt then MAC: disabled, empty application data record" \ "$P_SRV auth_mode=none debug_level=4 etm=0" \ "$P_CLI auth_mode=none etm=0 request_size=0" \ @@ -3950,7 +3608,7 @@ run_test "Encrypt then MAC: disabled, empty application data record" \ -s "dumping 'input payload after decrypt' (0 bytes)" \ -c "0 bytes written in 1 fragments" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Encrypt then MAC, DTLS: empty application data record" \ "$P_SRV auth_mode=none debug_level=4 etm=1 dtls=1" \ "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA dtls=1" \ @@ -3959,7 +3617,7 @@ run_test "Encrypt then MAC, DTLS: empty application data record" \ -s "dumping 'input payload after decrypt' (0 bytes)" \ -c "0 bytes written in 1 fragments" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Encrypt then MAC, DTLS: disabled, empty application data record" \ "$P_SRV auth_mode=none debug_level=4 etm=0 dtls=1" \ "$P_CLI auth_mode=none etm=0 request_size=0 dtls=1" \ @@ -3969,11 +3627,11 @@ run_test "Encrypt then MAC, DTLS: disabled, empty application data record" \ # Tests for CBC 1/n-1 record splitting -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "CBC Record splitting: TLS 1.2, no splitting" \ "$P_SRV" \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - request_size=123 force_version=tls1_2" \ + request_size=123 force_version=tls12" \ 0 \ -s "Read from client: 123 bytes read" \ -S "Read from client: 1 bytes read" \ @@ -3981,7 +3639,7 @@ run_test "CBC Record splitting: TLS 1.2, no splitting" \ # Tests for Session Tickets -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using tickets: basic" \ "$P_SRV debug_level=3 tickets=1" \ "$P_CLI debug_level=3 tickets=1 reconnect=1" \ @@ -3996,7 +3654,7 @@ run_test "Session resume using tickets: basic" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using tickets: cache disabled" \ "$P_SRV debug_level=3 tickets=1 cache_max=0" \ "$P_CLI debug_level=3 tickets=1 reconnect=1" \ @@ -4011,7 +3669,7 @@ run_test "Session resume using tickets: cache disabled" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using tickets: timeout" \ "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \ "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \ @@ -4026,7 +3684,7 @@ run_test "Session resume using tickets: timeout" \ -S "a session has been resumed" \ -C "a session has been resumed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using tickets: session copy" \ "$P_SRV debug_level=3 tickets=1 cache_max=0" \ "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_mode=0" \ @@ -4041,7 +3699,7 @@ run_test "Session resume using tickets: session copy" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using tickets: openssl server" \ "$O_SRV" \ "$P_CLI debug_level=3 tickets=1 reconnect=1" \ @@ -4051,7 +3709,7 @@ run_test "Session resume using tickets: openssl server" \ -c "parse new session ticket" \ -c "a session has been resumed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using tickets: openssl client" \ "$P_SRV debug_level=3 tickets=1" \ "( $O_CLI -sess_out $SESSION; \ @@ -4066,7 +3724,7 @@ run_test "Session resume using tickets: openssl client" \ # Tests for Session Tickets with DTLS -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using tickets, DTLS: basic" \ "$P_SRV debug_level=3 dtls=1 tickets=1" \ "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \ @@ -4081,7 +3739,7 @@ run_test "Session resume using tickets, DTLS: basic" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using tickets, DTLS: cache disabled" \ "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \ "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \ @@ -4096,7 +3754,7 @@ run_test "Session resume using tickets, DTLS: cache disabled" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using tickets, DTLS: timeout" \ "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \ "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1 reco_delay=2" \ @@ -4111,7 +3769,7 @@ run_test "Session resume using tickets, DTLS: timeout" \ -S "a session has been resumed" \ -C "a session has been resumed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using tickets, DTLS: session copy" \ "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \ "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1 reco_mode=0" \ @@ -4126,7 +3784,7 @@ run_test "Session resume using tickets, DTLS: session copy" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using tickets, DTLS: openssl server" \ "$O_SRV -dtls" \ "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \ @@ -4153,7 +3811,7 @@ run_test "Session resume using tickets, DTLS: openssl client" \ # Tests for Session Resume based on session-ID and cache -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using cache: tickets enabled on client" \ "$P_SRV debug_level=3 tickets=0" \ "$P_CLI debug_level=3 tickets=1 reconnect=1" \ @@ -4168,7 +3826,7 @@ run_test "Session resume using cache: tickets enabled on client" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using cache: tickets enabled on server" \ "$P_SRV debug_level=3 tickets=1" \ "$P_CLI debug_level=3 tickets=0 reconnect=1" \ @@ -4183,7 +3841,7 @@ run_test "Session resume using cache: tickets enabled on server" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using cache: cache_max=0" \ "$P_SRV debug_level=3 tickets=0 cache_max=0" \ "$P_CLI debug_level=3 tickets=0 reconnect=1" \ @@ -4193,7 +3851,7 @@ run_test "Session resume using cache: cache_max=0" \ -S "a session has been resumed" \ -C "a session has been resumed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using cache: cache_max=1" \ "$P_SRV debug_level=3 tickets=0 cache_max=1" \ "$P_CLI debug_level=3 tickets=0 reconnect=1" \ @@ -4203,7 +3861,7 @@ run_test "Session resume using cache: cache_max=1" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using cache: timeout > delay" \ "$P_SRV debug_level=3 tickets=0" \ "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \ @@ -4213,7 +3871,7 @@ run_test "Session resume using cache: timeout > delay" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using cache: timeout < delay" \ "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \ "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \ @@ -4223,7 +3881,7 @@ run_test "Session resume using cache: timeout < delay" \ -S "a session has been resumed" \ -C "a session has been resumed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using cache: no timeout" \ "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \ "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \ @@ -4233,7 +3891,7 @@ run_test "Session resume using cache: no timeout" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using cache: session copy" \ "$P_SRV debug_level=3 tickets=0" \ "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_mode=0" \ @@ -4243,7 +3901,7 @@ run_test "Session resume using cache: session copy" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using cache: openssl client" \ "$P_SRV debug_level=3 tickets=0" \ "( $O_CLI -sess_out $SESSION; \ @@ -4256,7 +3914,7 @@ run_test "Session resume using cache: openssl client" \ -S "session successfully restored from ticket" \ -s "a session has been resumed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using cache: openssl server" \ "$O_SRV" \ "$P_CLI debug_level=3 tickets=0 reconnect=1" \ @@ -4267,7 +3925,7 @@ run_test "Session resume using cache: openssl server" \ # Tests for Session Resume based on session-ID and cache, DTLS -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using cache, DTLS: tickets enabled on client" \ "$P_SRV dtls=1 debug_level=3 tickets=0" \ "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1 skip_close_notify=1" \ @@ -4282,7 +3940,7 @@ run_test "Session resume using cache, DTLS: tickets enabled on client" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using cache, DTLS: tickets enabled on server" \ "$P_SRV dtls=1 debug_level=3 tickets=1" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \ @@ -4297,7 +3955,7 @@ run_test "Session resume using cache, DTLS: tickets enabled on server" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using cache, DTLS: cache_max=0" \ "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=0" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \ @@ -4307,7 +3965,7 @@ run_test "Session resume using cache, DTLS: cache_max=0" \ -S "a session has been resumed" \ -C "a session has been resumed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using cache, DTLS: cache_max=1" \ "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=1" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \ @@ -4317,7 +3975,7 @@ run_test "Session resume using cache, DTLS: cache_max=1" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using cache, DTLS: timeout > delay" \ "$P_SRV dtls=1 debug_level=3 tickets=0" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=0" \ @@ -4327,7 +3985,7 @@ run_test "Session resume using cache, DTLS: timeout > delay" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using cache, DTLS: timeout < delay" \ "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=1" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=2" \ @@ -4337,7 +3995,7 @@ run_test "Session resume using cache, DTLS: timeout < delay" \ -S "a session has been resumed" \ -C "a session has been resumed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using cache, DTLS: no timeout" \ "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=0" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=2" \ @@ -4347,7 +4005,7 @@ run_test "Session resume using cache, DTLS: no timeout" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using cache, DTLS: session copy" \ "$P_SRV dtls=1 debug_level=3 tickets=0" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_mode=0" \ @@ -4372,7 +4030,7 @@ run_test "Session resume using cache, DTLS: openssl client" \ -S "session successfully restored from ticket" \ -s "a session has been resumed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Session resume using cache, DTLS: openssl server" \ "$O_SRV -dtls" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \ @@ -4384,7 +4042,7 @@ run_test "Session resume using cache, DTLS: openssl server" \ # Tests for Max Fragment Length extension requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Max fragment length: enabled, default" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3" \ @@ -4399,7 +4057,7 @@ run_test "Max fragment length: enabled, default" \ -C "found max_fragment_length extension" requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Max fragment length: enabled, default, larger message" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \ @@ -4417,7 +4075,7 @@ run_test "Max fragment length: enabled, default, larger message" \ -s "1 bytes read" requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Max fragment length, DTLS: enabled, default, larger message" \ "$P_SRV debug_level=3 dtls=1" \ "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \ @@ -4437,7 +4095,7 @@ run_test "Max fragment length, DTLS: enabled, default, larger message" \ # content length configuration.) requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Max fragment length: disabled, larger message" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \ @@ -4451,7 +4109,7 @@ run_test "Max fragment length: disabled, larger message" \ -s "1 bytes read" requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Max fragment length, DTLS: disabled, larger message" \ "$P_SRV debug_level=3 dtls=1" \ "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \ @@ -4464,7 +4122,7 @@ run_test "Max fragment length, DTLS: disabled, larger message" \ requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Max fragment length: used by client" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 max_frag_len=4096" \ @@ -4480,7 +4138,7 @@ run_test "Max fragment length: used by client" \ requires_max_content_len 1024 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Max fragment length: client 512, server 1024" \ "$P_SRV debug_level=3 max_frag_len=1024" \ "$P_CLI debug_level=3 max_frag_len=512" \ @@ -4496,7 +4154,7 @@ run_test "Max fragment length: client 512, server 1024" \ requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Max fragment length: client 512, server 2048" \ "$P_SRV debug_level=3 max_frag_len=2048" \ "$P_CLI debug_level=3 max_frag_len=512" \ @@ -4512,7 +4170,7 @@ run_test "Max fragment length: client 512, server 2048" \ requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Max fragment length: client 512, server 4096" \ "$P_SRV debug_level=3 max_frag_len=4096" \ "$P_CLI debug_level=3 max_frag_len=512" \ @@ -4528,7 +4186,7 @@ run_test "Max fragment length: client 512, server 4096" \ requires_max_content_len 1024 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Max fragment length: client 1024, server 512" \ "$P_SRV debug_level=3 max_frag_len=512" \ "$P_CLI debug_level=3 max_frag_len=1024" \ @@ -4544,7 +4202,7 @@ run_test "Max fragment length: client 1024, server 512" \ requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Max fragment length: client 1024, server 2048" \ "$P_SRV debug_level=3 max_frag_len=2048" \ "$P_CLI debug_level=3 max_frag_len=1024" \ @@ -4560,7 +4218,7 @@ run_test "Max fragment length: client 1024, server 2048" \ requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Max fragment length: client 1024, server 4096" \ "$P_SRV debug_level=3 max_frag_len=4096" \ "$P_CLI debug_level=3 max_frag_len=1024" \ @@ -4576,7 +4234,7 @@ run_test "Max fragment length: client 1024, server 4096" \ requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Max fragment length: client 2048, server 512" \ "$P_SRV debug_level=3 max_frag_len=512" \ "$P_CLI debug_level=3 max_frag_len=2048" \ @@ -4592,7 +4250,7 @@ run_test "Max fragment length: client 2048, server 512" \ requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Max fragment length: client 2048, server 1024" \ "$P_SRV debug_level=3 max_frag_len=1024" \ "$P_CLI debug_level=3 max_frag_len=2048" \ @@ -4608,7 +4266,7 @@ run_test "Max fragment length: client 2048, server 1024" \ requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Max fragment length: client 2048, server 4096" \ "$P_SRV debug_level=3 max_frag_len=4096" \ "$P_CLI debug_level=3 max_frag_len=2048" \ @@ -4624,7 +4282,7 @@ run_test "Max fragment length: client 2048, server 4096" \ requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Max fragment length: client 4096, server 512" \ "$P_SRV debug_level=3 max_frag_len=512" \ "$P_CLI debug_level=3 max_frag_len=4096" \ @@ -4640,7 +4298,7 @@ run_test "Max fragment length: client 4096, server 512" \ requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Max fragment length: client 4096, server 1024" \ "$P_SRV debug_level=3 max_frag_len=1024" \ "$P_CLI debug_level=3 max_frag_len=4096" \ @@ -4656,7 +4314,7 @@ run_test "Max fragment length: client 4096, server 1024" \ requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Max fragment length: client 4096, server 2048" \ "$P_SRV debug_level=3 max_frag_len=2048" \ "$P_CLI debug_level=3 max_frag_len=4096" \ @@ -4672,7 +4330,7 @@ run_test "Max fragment length: client 4096, server 2048" \ requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Max fragment length: used by server" \ "$P_SRV debug_level=3 max_frag_len=4096" \ "$P_CLI debug_level=3" \ @@ -4689,7 +4347,7 @@ run_test "Max fragment length: used by server" \ requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_gnutls -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Max fragment length: gnutls server" \ "$G_SRV" \ "$P_CLI debug_level=3 max_frag_len=4096" \ @@ -4701,7 +4359,7 @@ run_test "Max fragment length: gnutls server" \ requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Max fragment length: client, message just fits" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \ @@ -4719,7 +4377,7 @@ run_test "Max fragment length: client, message just fits" \ requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Max fragment length: client, larger message" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \ @@ -4738,7 +4396,7 @@ run_test "Max fragment length: client, larger message" \ requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Max fragment length: DTLS client, larger message" \ "$P_SRV debug_level=3 dtls=1" \ "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \ @@ -4756,7 +4414,7 @@ run_test "Max fragment length: DTLS client, larger message" \ # Tests for renegotiation # Renegotiation SCSV always added, regardless of SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renegotiation: none, for reference" \ "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=2" \ @@ -4771,7 +4429,7 @@ run_test "Renegotiation: none, for reference" \ -S "write hello request" requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renegotiation: client-initiated" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \ @@ -4786,7 +4444,7 @@ run_test "Renegotiation: client-initiated" \ -S "write hello request" requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renegotiation: server-initiated" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \ @@ -4804,7 +4462,7 @@ run_test "Renegotiation: server-initiated" \ # the server did not parse the Signature Algorithm extension. This test is valid only if an MD # algorithm stronger than SHA-1 is enabled in mbedtls_config.h requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \ @@ -4823,7 +4481,7 @@ run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \ # the server did not parse the Signature Algorithm extension. This test is valid only if an MD # algorithm stronger than SHA-1 is enabled in mbedtls_config.h requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \ @@ -4839,7 +4497,7 @@ run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \ -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated? requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renegotiation: double" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \ @@ -4855,7 +4513,7 @@ run_test "Renegotiation: double" \ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "Renegotiation with max fragment length: client 2048, server 512" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1 max_frag_len=512" \ @@ -4879,7 +4537,7 @@ run_test "Renegotiation with max fragment length: client 2048, server 512" \ -s "write hello request" requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renegotiation: client-initiated, server-rejected" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \ @@ -4896,7 +4554,7 @@ run_test "Renegotiation: client-initiated, server-rejected" \ -c "failed" requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renegotiation: server-initiated, client-rejected, default" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \ @@ -4913,7 +4571,7 @@ run_test "Renegotiation: server-initiated, client-rejected, default" \ -S "failed" requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renegotiation: server-initiated, client-rejected, not enforced" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \ renego_delay=-1 auth_mode=optional" \ @@ -4932,7 +4590,7 @@ run_test "Renegotiation: server-initiated, client-rejected, not enforced" \ # delay 2 for 1 alert record + 1 application data record requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renegotiation: server-initiated, client-rejected, delay 2" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \ renego_delay=2 auth_mode=optional" \ @@ -4950,7 +4608,7 @@ run_test "Renegotiation: server-initiated, client-rejected, delay 2" \ -S "failed" requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renegotiation: server-initiated, client-rejected, delay 0" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \ renego_delay=0 auth_mode=optional" \ @@ -4967,7 +4625,7 @@ run_test "Renegotiation: server-initiated, client-rejected, delay 0" \ -s "SSL - An unexpected message was received from our peer" requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renegotiation: server-initiated, client-accepted, delay 0" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \ renego_delay=0 auth_mode=optional" \ @@ -4985,7 +4643,7 @@ run_test "Renegotiation: server-initiated, client-accepted, delay 0" \ -S "failed" requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renegotiation: periodic, just below period" \ "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \ @@ -5004,7 +4662,7 @@ run_test "Renegotiation: periodic, just below period" \ # one extra exchange to be able to complete renego requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renegotiation: periodic, just above period" \ "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \ @@ -5022,7 +4680,7 @@ run_test "Renegotiation: periodic, just above period" \ -S "failed" requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renegotiation: periodic, two times period" \ "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \ @@ -5040,7 +4698,7 @@ run_test "Renegotiation: periodic, two times period" \ -S "failed" requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renegotiation: periodic, above period, disabled" \ "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \ @@ -5058,7 +4716,7 @@ run_test "Renegotiation: periodic, above period, disabled" \ -S "failed" requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renegotiation: nbio, client-initiated" \ "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \ "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \ @@ -5073,7 +4731,7 @@ run_test "Renegotiation: nbio, client-initiated" \ -S "write hello request" requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renegotiation: nbio, server-initiated" \ "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \ "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \ @@ -5088,7 +4746,7 @@ run_test "Renegotiation: nbio, server-initiated" \ -s "write hello request" requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renegotiation: openssl server, client-initiated" \ "$O_SRV -www" \ "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \ @@ -5102,7 +4760,7 @@ run_test "Renegotiation: openssl server, client-initiated" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renegotiation: gnutls server strict, client-initiated" \ "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \ "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \ @@ -5116,7 +4774,7 @@ run_test "Renegotiation: gnutls server strict, client-initiated" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renegotiation: gnutls server unsafe, client-initiated default" \ "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \ "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \ @@ -5130,7 +4788,7 @@ run_test "Renegotiation: gnutls server unsafe, client-initiated default" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \ "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \ "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \ @@ -5145,7 +4803,7 @@ run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \ "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \ "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \ @@ -5159,7 +4817,7 @@ run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \ -c "HTTP/1.0 200 [Oo][Kk]" requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renegotiation: DTLS, client-initiated" \ "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \ "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \ @@ -5174,7 +4832,7 @@ run_test "Renegotiation: DTLS, client-initiated" \ -S "write hello request" requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renegotiation: DTLS, server-initiated" \ "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \ "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \ @@ -5190,7 +4848,7 @@ run_test "Renegotiation: DTLS, server-initiated" \ -s "write hello request" requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renegotiation: DTLS, renego_period overflow" \ "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \ "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \ @@ -5206,7 +4864,7 @@ run_test "Renegotiation: DTLS, renego_period overflow" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renegotiation: DTLS, gnutls server, client-initiated" \ "$G_SRV -u --mtu 4096" \ "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \ @@ -5221,7 +4879,7 @@ run_test "Renegotiation: DTLS, gnutls server, client-initiated" \ # Test for the "secure renegotation" extension only (no actual renegotiation) requires_gnutls -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renego ext: gnutls server strict, client default" \ "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \ "$P_CLI debug_level=3" \ @@ -5231,7 +4889,7 @@ run_test "Renego ext: gnutls server strict, client default" \ -c "HTTP/1.0 200 [Oo][Kk]" requires_gnutls -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renego ext: gnutls server unsafe, client default" \ "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \ "$P_CLI debug_level=3" \ @@ -5241,7 +4899,7 @@ run_test "Renego ext: gnutls server unsafe, client default" \ -c "HTTP/1.0 200 [Oo][Kk]" requires_gnutls -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renego ext: gnutls server unsafe, client break legacy" \ "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \ "$P_CLI debug_level=3 allow_legacy=-1" \ @@ -5251,7 +4909,7 @@ run_test "Renego ext: gnutls server unsafe, client break legacy" \ -C "HTTP/1.0 200 [Oo][Kk]" requires_gnutls -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renego ext: gnutls client strict, server default" \ "$P_SRV debug_level=3" \ "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION localhost" \ @@ -5260,7 +4918,7 @@ run_test "Renego ext: gnutls client strict, server default" \ -s "server hello, secure renegotiation extension" requires_gnutls -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renego ext: gnutls client unsafe, server default" \ "$P_SRV debug_level=3" \ "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \ @@ -5269,7 +4927,7 @@ run_test "Renego ext: gnutls client unsafe, server default" \ -S "server hello, secure renegotiation extension" requires_gnutls -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Renego ext: gnutls client unsafe, server break legacy" \ "$P_SRV debug_level=3 allow_legacy=-1" \ "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \ @@ -5280,7 +4938,7 @@ run_test "Renego ext: gnutls client unsafe, server break legacy" \ # Tests for silently dropping trailing extra bytes in .der certificates requires_gnutls -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DER format: no trailing bytes" \ "$P_SRV crt_file=data_files/server5-der0.crt \ key_file=data_files/server5.key" \ @@ -5289,7 +4947,7 @@ run_test "DER format: no trailing bytes" \ -c "Handshake was completed" \ requires_gnutls -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DER format: with a trailing zero byte" \ "$P_SRV crt_file=data_files/server5-der1a.crt \ key_file=data_files/server5.key" \ @@ -5298,7 +4956,7 @@ run_test "DER format: with a trailing zero byte" \ -c "Handshake was completed" \ requires_gnutls -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DER format: with a trailing random byte" \ "$P_SRV crt_file=data_files/server5-der1b.crt \ key_file=data_files/server5.key" \ @@ -5307,7 +4965,7 @@ run_test "DER format: with a trailing random byte" \ -c "Handshake was completed" \ requires_gnutls -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DER format: with 2 trailing random bytes" \ "$P_SRV crt_file=data_files/server5-der2.crt \ key_file=data_files/server5.key" \ @@ -5316,7 +4974,7 @@ run_test "DER format: with 2 trailing random bytes" \ -c "Handshake was completed" \ requires_gnutls -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DER format: with 4 trailing random bytes" \ "$P_SRV crt_file=data_files/server5-der4.crt \ key_file=data_files/server5.key" \ @@ -5325,7 +4983,7 @@ run_test "DER format: with 4 trailing random bytes" \ -c "Handshake was completed" \ requires_gnutls -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DER format: with 8 trailing random bytes" \ "$P_SRV crt_file=data_files/server5-der8.crt \ key_file=data_files/server5.key" \ @@ -5334,7 +4992,7 @@ run_test "DER format: with 8 trailing random bytes" \ -c "Handshake was completed" \ requires_gnutls -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DER format: with 9 trailing random bytes" \ "$P_SRV crt_file=data_files/server5-der9.crt \ key_file=data_files/server5.key" \ @@ -5345,7 +5003,7 @@ run_test "DER format: with 9 trailing random bytes" \ # Tests for auth_mode, there are duplicated tests using ca callback for authentication # When updating these tests, modify the matching authentication tests accordingly -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: server badcert, client required" \ "$P_SRV crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ @@ -5356,7 +5014,7 @@ run_test "Authentication: server badcert, client required" \ -c "! mbedtls_ssl_handshake returned" \ -c "X509 - Certificate verification failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: server badcert, client optional" \ "$P_SRV crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ @@ -5367,7 +5025,7 @@ run_test "Authentication: server badcert, client optional" \ -C "! mbedtls_ssl_handshake returned" \ -C "X509 - Certificate verification failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: server goodcert, client optional, no trusted CA" \ "$P_SRV" \ "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \ @@ -5379,7 +5037,7 @@ run_test "Authentication: server goodcert, client optional, no trusted CA" \ -C "X509 - Certificate verification failed" \ -C "SSL - No CA Chain is set, but required to operate" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: server goodcert, client required, no trusted CA" \ "$P_SRV" \ "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \ @@ -5398,7 +5056,7 @@ run_test "Authentication: server goodcert, client required, no trusted CA" \ # different means to have the server ignoring the client's supported curve list. requires_config_enabled MBEDTLS_ECP_C -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \ "$P_SRV debug_level=1 key_file=data_files/server5.key \ crt_file=data_files/server5.ku-ka.crt" \ @@ -5409,7 +5067,7 @@ run_test "Authentication: server ECDH p256v1, client required, p256v1 unsuppo -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage requires_config_enabled MBEDTLS_ECP_C -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \ "$P_SRV debug_level=1 key_file=data_files/server5.key \ crt_file=data_files/server5.ku-ka.crt" \ @@ -5419,7 +5077,7 @@ run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsuppo -c "! Certificate verification flags"\ -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: server badcert, client none" \ "$P_SRV crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ @@ -5430,7 +5088,7 @@ run_test "Authentication: server badcert, client none" \ -C "! mbedtls_ssl_handshake returned" \ -C "X509 - Certificate verification failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: client SHA256, server required" \ "$P_SRV auth_mode=required" \ "$P_CLI debug_level=3 crt_file=data_files/server6.crt \ @@ -5440,7 +5098,7 @@ run_test "Authentication: client SHA256, server required" \ -c "Supported Signature Algorithm found: 4," \ -c "Supported Signature Algorithm found: 5," -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: client SHA384, server required" \ "$P_SRV auth_mode=required" \ "$P_CLI debug_level=3 crt_file=data_files/server6.crt \ @@ -5450,7 +5108,7 @@ run_test "Authentication: client SHA384, server required" \ -c "Supported Signature Algorithm found: 4," \ -c "Supported Signature Algorithm found: 5," -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: client has no cert, server required (TLS)" \ "$P_SRV debug_level=3 auth_mode=required" \ "$P_CLI debug_level=3 crt_file=none \ @@ -5467,7 +5125,7 @@ run_test "Authentication: client has no cert, server required (TLS)" \ -c "! mbedtls_ssl_handshake returned" \ -s "No client certification received from the client, but required by the authentication mode" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: client badcert, server required" \ "$P_SRV debug_level=3 auth_mode=required" \ "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \ @@ -5489,7 +5147,7 @@ run_test "Authentication: client badcert, server required" \ # detect that its write end of the connection is closed and abort # before reading the alert message. -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: client cert not trusted, server required" \ "$P_SRV debug_level=3 auth_mode=required" \ "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \ @@ -5507,7 +5165,7 @@ run_test "Authentication: client cert not trusted, server required" \ -c "! mbedtls_ssl_handshake returned" \ -s "X509 - Certificate verification failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: client badcert, server optional" \ "$P_SRV debug_level=3 auth_mode=optional" \ "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \ @@ -5525,7 +5183,7 @@ run_test "Authentication: client badcert, server optional" \ -C "! mbedtls_ssl_handshake returned" \ -S "X509 - Certificate verification failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: client badcert, server none" \ "$P_SRV debug_level=3 auth_mode=none" \ "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \ @@ -5543,7 +5201,7 @@ run_test "Authentication: client badcert, server none" \ -C "! mbedtls_ssl_handshake returned" \ -S "X509 - Certificate verification failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: client no cert, server optional" \ "$P_SRV debug_level=3 auth_mode=optional" \ "$P_CLI debug_level=3 crt_file=none key_file=none" \ @@ -5560,7 +5218,7 @@ run_test "Authentication: client no cert, server optional" \ -C "! mbedtls_ssl_handshake returned" \ -S "X509 - Certificate verification failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: openssl client no cert, server optional" \ "$P_SRV debug_level=3 auth_mode=optional" \ "$O_CLI" \ @@ -5571,7 +5229,7 @@ run_test "Authentication: openssl client no cert, server optional" \ -S "! mbedtls_ssl_handshake returned" \ -S "X509 - Certificate verification failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: client no cert, openssl server optional" \ "$O_SRV -verify 10" \ "$P_CLI debug_level=3 crt_file=none key_file=none" \ @@ -5582,7 +5240,7 @@ run_test "Authentication: client no cert, openssl server optional" \ -c "skip write certificate verify" \ -C "! mbedtls_ssl_handshake returned" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: client no cert, openssl server required" \ "$O_SRV -Verify 10" \ "$P_CLI debug_level=3 crt_file=none key_file=none" \ @@ -5605,7 +5263,7 @@ MAX_IM_CA='8' # are in place so that the semantics are consistent with the test description. requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: server max_int chain, client default" \ "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \ key_file=data_files/dir-maxpath/09.key" \ @@ -5615,7 +5273,7 @@ run_test "Authentication: server max_int chain, client default" \ requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: server max_int+1 chain, client default" \ "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \ key_file=data_files/dir-maxpath/10.key" \ @@ -5625,7 +5283,7 @@ run_test "Authentication: server max_int+1 chain, client default" \ requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: server max_int+1 chain, client optional" \ "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \ key_file=data_files/dir-maxpath/10.key" \ @@ -5636,7 +5294,7 @@ run_test "Authentication: server max_int+1 chain, client optional" \ requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: server max_int+1 chain, client none" \ "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \ key_file=data_files/dir-maxpath/10.key" \ @@ -5647,7 +5305,7 @@ run_test "Authentication: server max_int+1 chain, client none" \ requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: client max_int+1 chain, server default" \ "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \ "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \ @@ -5657,7 +5315,7 @@ run_test "Authentication: client max_int+1 chain, server default" \ requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: client max_int+1 chain, server optional" \ "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \ "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \ @@ -5667,7 +5325,7 @@ run_test "Authentication: client max_int+1 chain, server optional" \ requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: client max_int+1 chain, server required" \ "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \ "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \ @@ -5677,7 +5335,7 @@ run_test "Authentication: client max_int+1 chain, server required" \ requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: client max_int chain, server required" \ "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \ "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \ @@ -5687,7 +5345,7 @@ run_test "Authentication: client max_int chain, server required" \ # Tests for CA list in CertificateRequest messages -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: send CA list in CertificateRequest (default)" \ "$P_SRV debug_level=3 auth_mode=required" \ "$P_CLI crt_file=data_files/server6.crt \ @@ -5695,7 +5353,7 @@ run_test "Authentication: send CA list in CertificateRequest (default)" \ 0 \ -s "requested DN" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: do not send CA list in CertificateRequest" \ "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \ "$P_CLI crt_file=data_files/server6.crt \ @@ -5703,7 +5361,7 @@ run_test "Authentication: do not send CA list in CertificateRequest" \ 0 \ -S "requested DN" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication: send CA list in CertificateRequest, client self signed" \ "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \ "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \ @@ -5720,7 +5378,7 @@ run_test "Authentication: send CA list in CertificateRequest, client self sig # When updating these tests, modify the matching authentication tests accordingly requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication, CA callback: server badcert, client required" \ "$P_SRV crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ @@ -5733,7 +5391,7 @@ run_test "Authentication, CA callback: server badcert, client required" \ -c "X509 - Certificate verification failed" requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication, CA callback: server badcert, client optional" \ "$P_SRV crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ @@ -5754,7 +5412,7 @@ run_test "Authentication, CA callback: server badcert, client optional" \ requires_config_enabled MBEDTLS_ECP_C requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication, CA callback: server ECDH p256v1, client required, p256v1 unsupported" \ "$P_SRV debug_level=1 key_file=data_files/server5.key \ crt_file=data_files/server5.ku-ka.crt" \ @@ -5767,7 +5425,7 @@ run_test "Authentication, CA callback: server ECDH p256v1, client required, p requires_config_enabled MBEDTLS_ECP_C requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication, CA callback: server ECDH p256v1, client optional, p256v1 unsupported" \ "$P_SRV debug_level=1 key_file=data_files/server5.key \ crt_file=data_files/server5.ku-ka.crt" \ @@ -5779,7 +5437,7 @@ run_test "Authentication, CA callback: server ECDH p256v1, client optional, p -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication, CA callback: client SHA256, server required" \ "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \ "$P_CLI debug_level=3 crt_file=data_files/server6.crt \ @@ -5791,7 +5449,7 @@ run_test "Authentication, CA callback: client SHA256, server required" \ -c "Supported Signature Algorithm found: 5," requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication, CA callback: client SHA384, server required" \ "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \ "$P_CLI debug_level=3 crt_file=data_files/server6.crt \ @@ -5803,7 +5461,7 @@ run_test "Authentication, CA callback: client SHA384, server required" \ -c "Supported Signature Algorithm found: 5," requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication, CA callback: client badcert, server required" \ "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \ "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \ @@ -5827,7 +5485,7 @@ run_test "Authentication, CA callback: client badcert, server required" \ # before reading the alert message. requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication, CA callback: client cert not trusted, server required" \ "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \ "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \ @@ -5847,7 +5505,7 @@ run_test "Authentication, CA callback: client cert not trusted, server requir -s "X509 - Certificate verification failed" requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication, CA callback: client badcert, server optional" \ "$P_SRV ca_callback=1 debug_level=3 auth_mode=optional" \ "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \ @@ -5869,7 +5527,7 @@ run_test "Authentication, CA callback: client badcert, server optional" \ requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication, CA callback: server max_int chain, client default" \ "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \ key_file=data_files/dir-maxpath/09.key" \ @@ -5881,7 +5539,7 @@ run_test "Authentication, CA callback: server max_int chain, client default" requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication, CA callback: server max_int+1 chain, client default" \ "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \ key_file=data_files/dir-maxpath/10.key" \ @@ -5893,7 +5551,7 @@ run_test "Authentication, CA callback: server max_int+1 chain, client default requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication, CA callback: server max_int+1 chain, client optional" \ "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \ key_file=data_files/dir-maxpath/10.key" \ @@ -5906,7 +5564,7 @@ run_test "Authentication, CA callback: server max_int+1 chain, client optiona requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication, CA callback: client max_int+1 chain, server optional" \ "$P_SRV ca_callback=1 debug_level=3 ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \ "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \ @@ -5918,7 +5576,7 @@ run_test "Authentication, CA callback: client max_int+1 chain, server optiona requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication, CA callback: client max_int+1 chain, server required" \ "$P_SRV ca_callback=1 debug_level=3 ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \ "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \ @@ -5930,7 +5588,7 @@ run_test "Authentication, CA callback: client max_int+1 chain, server require requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Authentication, CA callback: client max_int chain, server required" \ "$P_SRV ca_callback=1 debug_level=3 ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \ "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \ @@ -5942,19 +5600,19 @@ run_test "Authentication, CA callback: client max_int chain, server required" # Tests for certificate selection based on SHA verson requires_config_disabled MBEDTLS_X509_REMOVE_INFO -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Certificate hash: client TLS 1.2 -> SHA-2" \ "$P_SRV crt_file=data_files/server5.crt \ key_file=data_files/server5.key \ crt_file2=data_files/server5-sha1.crt \ key_file2=data_files/server5.key" \ - "$P_CLI force_version=tls1_2" \ + "$P_CLI force_version=tls12" \ 0 \ -c "signed using.*ECDSA with SHA256" \ -C "signed using.*ECDSA with SHA1" requires_config_disabled MBEDTLS_X509_REMOVE_INFO -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SNI: no SNI callback" \ "$P_SRV debug_level=3 \ crt_file=data_files/server5.crt key_file=data_files/server5.key" \ @@ -5964,7 +5622,7 @@ run_test "SNI: no SNI callback" \ -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \ -c "subject name *: C=NL, O=PolarSSL, CN=localhost" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "SNI: matching cert 1" \ "$P_SRV debug_level=3 \ @@ -5976,7 +5634,7 @@ run_test "SNI: matching cert 1" \ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ -c "subject name *: C=NL, O=PolarSSL, CN=localhost" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "SNI: matching cert 2" \ "$P_SRV debug_level=3 \ @@ -5988,7 +5646,7 @@ run_test "SNI: matching cert 2" \ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "SNI: no matching cert" \ "$P_SRV debug_level=3 \ @@ -6002,7 +5660,7 @@ run_test "SNI: no matching cert" \ -c "mbedtls_ssl_handshake returned" \ -c "SSL - A fatal alert message was received from our peer" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SNI: client auth no override: optional" \ "$P_SRV debug_level=3 auth_mode=optional \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -6016,7 +5674,7 @@ run_test "SNI: client auth no override: optional" \ -C "skip write certificate verify" \ -S "skip parse certificate verify" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SNI: client auth override: none -> optional" \ "$P_SRV debug_level=3 auth_mode=none \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -6030,7 +5688,7 @@ run_test "SNI: client auth override: none -> optional" \ -C "skip write certificate verify" \ -S "skip parse certificate verify" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SNI: client auth override: optional -> none" \ "$P_SRV debug_level=3 auth_mode=optional \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -6044,7 +5702,7 @@ run_test "SNI: client auth override: optional -> none" \ -c "skip write certificate verify" \ -s "skip parse certificate verify" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SNI: CA no override" \ "$P_SRV debug_level=3 auth_mode=optional \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -6063,7 +5721,7 @@ run_test "SNI: CA no override" \ -s "! The certificate is not correctly signed by the trusted CA" \ -S "The certificate has been revoked (is on a CRL)" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SNI: CA override" \ "$P_SRV debug_level=3 auth_mode=optional \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -6082,7 +5740,7 @@ run_test "SNI: CA override" \ -S "! The certificate is not correctly signed by the trusted CA" \ -S "The certificate has been revoked (is on a CRL)" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SNI: CA override with CRL" \ "$P_SRV debug_level=3 auth_mode=optional \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -6103,7 +5761,7 @@ run_test "SNI: CA override with CRL" \ # Tests for SNI and DTLS -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "SNI: DTLS, no SNI callback" \ "$P_SRV debug_level=3 dtls=1 \ @@ -6114,7 +5772,7 @@ run_test "SNI: DTLS, no SNI callback" \ -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \ -c "subject name *: C=NL, O=PolarSSL, CN=localhost" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "SNI: DTLS, matching cert 1" \ "$P_SRV debug_level=3 dtls=1 \ @@ -6126,7 +5784,7 @@ run_test "SNI: DTLS, matching cert 1" \ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ -c "subject name *: C=NL, O=PolarSSL, CN=localhost" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "SNI: DTLS, matching cert 2" \ "$P_SRV debug_level=3 dtls=1 \ @@ -6138,7 +5796,7 @@ run_test "SNI: DTLS, matching cert 2" \ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SNI: DTLS, no matching cert" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -6151,7 +5809,7 @@ run_test "SNI: DTLS, no matching cert" \ -c "mbedtls_ssl_handshake returned" \ -c "SSL - A fatal alert message was received from our peer" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SNI: DTLS, client auth no override: optional" \ "$P_SRV debug_level=3 auth_mode=optional dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -6165,7 +5823,7 @@ run_test "SNI: DTLS, client auth no override: optional" \ -C "skip write certificate verify" \ -S "skip parse certificate verify" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SNI: DTLS, client auth override: none -> optional" \ "$P_SRV debug_level=3 auth_mode=none dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -6179,7 +5837,7 @@ run_test "SNI: DTLS, client auth override: none -> optional" \ -C "skip write certificate verify" \ -S "skip parse certificate verify" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SNI: DTLS, client auth override: optional -> none" \ "$P_SRV debug_level=3 auth_mode=optional dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -6193,7 +5851,7 @@ run_test "SNI: DTLS, client auth override: optional -> none" \ -c "skip write certificate verify" \ -s "skip parse certificate verify" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SNI: DTLS, CA no override" \ "$P_SRV debug_level=3 auth_mode=optional dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -6212,7 +5870,7 @@ run_test "SNI: DTLS, CA no override" \ -s "! The certificate is not correctly signed by the trusted CA" \ -S "The certificate has been revoked (is on a CRL)" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SNI: DTLS, CA override" \ "$P_SRV debug_level=3 auth_mode=optional dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -6231,7 +5889,7 @@ run_test "SNI: DTLS, CA override" \ -S "! The certificate is not correctly signed by the trusted CA" \ -S "The certificate has been revoked (is on a CRL)" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SNI: DTLS, CA override with CRL" \ "$P_SRV debug_level=3 auth_mode=optional \ crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \ @@ -6252,7 +5910,7 @@ run_test "SNI: DTLS, CA override with CRL" \ # Tests for non-blocking I/O: exercise a variety of handshake flows -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Non-blocking I/O: basic handshake" \ "$P_SRV nbio=2 tickets=0 auth_mode=none" \ "$P_CLI nbio=2 tickets=0" \ @@ -6261,7 +5919,7 @@ run_test "Non-blocking I/O: basic handshake" \ -C "mbedtls_ssl_handshake returned" \ -c "Read from server: .* bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Non-blocking I/O: client auth" \ "$P_SRV nbio=2 tickets=0 auth_mode=required" \ "$P_CLI nbio=2 tickets=0" \ @@ -6270,7 +5928,7 @@ run_test "Non-blocking I/O: client auth" \ -C "mbedtls_ssl_handshake returned" \ -c "Read from server: .* bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Non-blocking I/O: ticket" \ "$P_SRV nbio=2 tickets=1 auth_mode=none" \ "$P_CLI nbio=2 tickets=1" \ @@ -6279,7 +5937,7 @@ run_test "Non-blocking I/O: ticket" \ -C "mbedtls_ssl_handshake returned" \ -c "Read from server: .* bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Non-blocking I/O: ticket + client auth" \ "$P_SRV nbio=2 tickets=1 auth_mode=required" \ "$P_CLI nbio=2 tickets=1" \ @@ -6288,7 +5946,7 @@ run_test "Non-blocking I/O: ticket + client auth" \ -C "mbedtls_ssl_handshake returned" \ -c "Read from server: .* bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Non-blocking I/O: ticket + client auth + resume" \ "$P_SRV nbio=2 tickets=1 auth_mode=required" \ "$P_CLI nbio=2 tickets=1 reconnect=1" \ @@ -6297,7 +5955,7 @@ run_test "Non-blocking I/O: ticket + client auth + resume" \ -C "mbedtls_ssl_handshake returned" \ -c "Read from server: .* bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Non-blocking I/O: ticket + resume" \ "$P_SRV nbio=2 tickets=1 auth_mode=none" \ "$P_CLI nbio=2 tickets=1 reconnect=1" \ @@ -6306,7 +5964,7 @@ run_test "Non-blocking I/O: ticket + resume" \ -C "mbedtls_ssl_handshake returned" \ -c "Read from server: .* bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Non-blocking I/O: session-id resume" \ "$P_SRV nbio=2 tickets=0 auth_mode=none" \ "$P_CLI nbio=2 tickets=0 reconnect=1" \ @@ -6317,7 +5975,7 @@ run_test "Non-blocking I/O: session-id resume" \ # Tests for event-driven I/O: exercise a variety of handshake flows -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Event-driven I/O: basic handshake" \ "$P_SRV event=1 tickets=0 auth_mode=none" \ "$P_CLI event=1 tickets=0" \ @@ -6326,7 +5984,7 @@ run_test "Event-driven I/O: basic handshake" \ -C "mbedtls_ssl_handshake returned" \ -c "Read from server: .* bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Event-driven I/O: client auth" \ "$P_SRV event=1 tickets=0 auth_mode=required" \ "$P_CLI event=1 tickets=0" \ @@ -6335,7 +5993,7 @@ run_test "Event-driven I/O: client auth" \ -C "mbedtls_ssl_handshake returned" \ -c "Read from server: .* bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Event-driven I/O: ticket" \ "$P_SRV event=1 tickets=1 auth_mode=none" \ "$P_CLI event=1 tickets=1" \ @@ -6344,7 +6002,7 @@ run_test "Event-driven I/O: ticket" \ -C "mbedtls_ssl_handshake returned" \ -c "Read from server: .* bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Event-driven I/O: ticket + client auth" \ "$P_SRV event=1 tickets=1 auth_mode=required" \ "$P_CLI event=1 tickets=1" \ @@ -6353,7 +6011,7 @@ run_test "Event-driven I/O: ticket + client auth" \ -C "mbedtls_ssl_handshake returned" \ -c "Read from server: .* bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Event-driven I/O: ticket + client auth + resume" \ "$P_SRV event=1 tickets=1 auth_mode=required" \ "$P_CLI event=1 tickets=1 reconnect=1" \ @@ -6362,7 +6020,7 @@ run_test "Event-driven I/O: ticket + client auth + resume" \ -C "mbedtls_ssl_handshake returned" \ -c "Read from server: .* bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Event-driven I/O: ticket + resume" \ "$P_SRV event=1 tickets=1 auth_mode=none" \ "$P_CLI event=1 tickets=1 reconnect=1" \ @@ -6371,7 +6029,7 @@ run_test "Event-driven I/O: ticket + resume" \ -C "mbedtls_ssl_handshake returned" \ -c "Read from server: .* bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Event-driven I/O: session-id resume" \ "$P_SRV event=1 tickets=0 auth_mode=none" \ "$P_CLI event=1 tickets=0 reconnect=1" \ @@ -6380,49 +6038,49 @@ run_test "Event-driven I/O: session-id resume" \ -C "mbedtls_ssl_handshake returned" \ -c "Read from server: .* bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Event-driven I/O, DTLS: basic handshake" \ "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \ "$P_CLI dtls=1 event=1 tickets=0" \ 0 \ -c "Read from server: .* bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Event-driven I/O, DTLS: client auth" \ "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \ "$P_CLI dtls=1 event=1 tickets=0" \ 0 \ -c "Read from server: .* bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Event-driven I/O, DTLS: ticket" \ "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \ "$P_CLI dtls=1 event=1 tickets=1" \ 0 \ -c "Read from server: .* bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Event-driven I/O, DTLS: ticket + client auth" \ "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \ "$P_CLI dtls=1 event=1 tickets=1" \ 0 \ -c "Read from server: .* bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Event-driven I/O, DTLS: ticket + client auth + resume" \ "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \ "$P_CLI dtls=1 event=1 tickets=1 reconnect=1 skip_close_notify=1" \ 0 \ -c "Read from server: .* bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Event-driven I/O, DTLS: ticket + resume" \ "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \ "$P_CLI dtls=1 event=1 tickets=1 reconnect=1 skip_close_notify=1" \ 0 \ -c "Read from server: .* bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Event-driven I/O, DTLS: session-id resume" \ "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \ "$P_CLI dtls=1 event=1 tickets=0 reconnect=1 skip_close_notify=1" \ @@ -6434,7 +6092,7 @@ run_test "Event-driven I/O, DTLS: session-id resume" \ # within the same datagram as the Finished messages. In this situation, the # server MUST NOT idle on the underlying transport after handshake completion, # because the ApplicationData request has already been queued internally. -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Event-driven I/O, DTLS: session-id resume, UDP packing" \ -p "$P_PXY pack=50" \ "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \ @@ -6444,7 +6102,7 @@ run_test "Event-driven I/O, DTLS: session-id resume, UDP packing" \ # Tests for version negotiation -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Version check: all -> 1.2" \ "$P_SRV" \ "$P_CLI" \ @@ -6454,7 +6112,7 @@ run_test "Version check: all -> 1.2" \ -s "Protocol is TLSv1.2" \ -c "Protocol is TLSv1.2" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Not supported version check: cli TLS 1.0" \ "$P_SRV" \ "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.0" \ @@ -6464,7 +6122,7 @@ run_test "Not supported version check: cli TLS 1.0" \ -S "Protocol is TLSv1.0" \ -C "Handshake was completed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Not supported version check: cli TLS 1.1" \ "$P_SRV" \ "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.1" \ @@ -6474,7 +6132,7 @@ run_test "Not supported version check: cli TLS 1.1" \ -S "Protocol is TLSv1.1" \ -C "Handshake was completed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Not supported version check: srv max TLS 1.0" \ "$G_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" \ "$P_CLI" \ @@ -6484,7 +6142,7 @@ run_test "Not supported version check: srv max TLS 1.0" \ -S "Version: TLS1.0" \ -C "Protocol is TLSv1.0" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Not supported version check: srv max TLS 1.1" \ "$G_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1" \ "$P_CLI" \ @@ -6496,7 +6154,7 @@ run_test "Not supported version check: srv max TLS 1.1" \ # Tests for ALPN extension -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "ALPN: none" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3" \ @@ -6509,7 +6167,7 @@ run_test "ALPN: none" \ -C "Application Layer Protocol is" \ -S "Application Layer Protocol is" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "ALPN: client only" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 alpn=abc,1234" \ @@ -6522,7 +6180,7 @@ run_test "ALPN: client only" \ -c "Application Layer Protocol is (none)" \ -S "Application Layer Protocol is" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "ALPN: server only" \ "$P_SRV debug_level=3 alpn=abc,1234" \ "$P_CLI debug_level=3" \ @@ -6535,7 +6193,7 @@ run_test "ALPN: server only" \ -C "Application Layer Protocol is" \ -s "Application Layer Protocol is (none)" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "ALPN: both, common cli1-srv1" \ "$P_SRV debug_level=3 alpn=abc,1234" \ "$P_CLI debug_level=3 alpn=abc,1234" \ @@ -6548,7 +6206,7 @@ run_test "ALPN: both, common cli1-srv1" \ -c "Application Layer Protocol is abc" \ -s "Application Layer Protocol is abc" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "ALPN: both, common cli2-srv1" \ "$P_SRV debug_level=3 alpn=abc,1234" \ "$P_CLI debug_level=3 alpn=1234,abc" \ @@ -6561,7 +6219,7 @@ run_test "ALPN: both, common cli2-srv1" \ -c "Application Layer Protocol is abc" \ -s "Application Layer Protocol is abc" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "ALPN: both, common cli1-srv2" \ "$P_SRV debug_level=3 alpn=abc,1234" \ "$P_CLI debug_level=3 alpn=1234,abcde" \ @@ -6574,7 +6232,7 @@ run_test "ALPN: both, common cli1-srv2" \ -c "Application Layer Protocol is 1234" \ -s "Application Layer Protocol is 1234" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "ALPN: both, no common" \ "$P_SRV debug_level=3 alpn=abc,123" \ "$P_CLI debug_level=3 alpn=1234,abcde" \ @@ -6591,7 +6249,7 @@ run_test "ALPN: both, no common" \ # Tests for keyUsage in leaf certificates, part 1: # server-side certificate/suite selection -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \ "$P_SRV key_file=data_files/server2.key \ crt_file=data_files/server2.ku-ds.crt" \ @@ -6600,7 +6258,7 @@ run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \ -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \ "$P_SRV key_file=data_files/server2.key \ crt_file=data_files/server2.ku-ke.crt" \ @@ -6608,7 +6266,7 @@ run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \ 0 \ -c "Ciphersuite is TLS-RSA-WITH-" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "keyUsage srv: RSA, keyAgreement -> fail" \ "$P_SRV key_file=data_files/server2.key \ crt_file=data_files/server2.ku-ka.crt" \ @@ -6616,7 +6274,7 @@ run_test "keyUsage srv: RSA, keyAgreement -> fail" \ 1 \ -C "Ciphersuite is " -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.ku-ds.crt" \ @@ -6625,7 +6283,7 @@ run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \ -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.ku-ka.crt" \ @@ -6633,7 +6291,7 @@ run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \ 0 \ -c "Ciphersuite is TLS-ECDH-" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.ku-ke.crt" \ @@ -6644,7 +6302,7 @@ run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \ # Tests for keyUsage in leaf certificates, part 2: # client-side checking of server cert -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \ "$O_SRV -key data_files/server2.key \ -cert data_files/server2.ku-ds_ke.crt" \ @@ -6655,7 +6313,7 @@ run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \ -C "Processing of the Certificate handshake message failed" \ -c "Ciphersuite is TLS-" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \ "$O_SRV -key data_files/server2.key \ -cert data_files/server2.ku-ds_ke.crt" \ @@ -6666,7 +6324,7 @@ run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \ -C "Processing of the Certificate handshake message failed" \ -c "Ciphersuite is TLS-" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "keyUsage cli: KeyEncipherment, RSA: OK" \ "$O_SRV -key data_files/server2.key \ -cert data_files/server2.ku-ke.crt" \ @@ -6677,7 +6335,7 @@ run_test "keyUsage cli: KeyEncipherment, RSA: OK" \ -C "Processing of the Certificate handshake message failed" \ -c "Ciphersuite is TLS-" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \ "$O_SRV -key data_files/server2.key \ -cert data_files/server2.ku-ke.crt" \ @@ -6688,7 +6346,7 @@ run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \ -c "Processing of the Certificate handshake message failed" \ -C "Ciphersuite is TLS-" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \ "$O_SRV -key data_files/server2.key \ -cert data_files/server2.ku-ke.crt" \ @@ -6700,7 +6358,7 @@ run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \ -c "Ciphersuite is TLS-" \ -c "! Usage does not match the keyUsage extension" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \ "$O_SRV -key data_files/server2.key \ -cert data_files/server2.ku-ds.crt" \ @@ -6711,7 +6369,7 @@ run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \ -C "Processing of the Certificate handshake message failed" \ -c "Ciphersuite is TLS-" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "keyUsage cli: DigitalSignature, RSA: fail" \ "$O_SRV -key data_files/server2.key \ -cert data_files/server2.ku-ds.crt" \ @@ -6722,7 +6380,7 @@ run_test "keyUsage cli: DigitalSignature, RSA: fail" \ -c "Processing of the Certificate handshake message failed" \ -C "Ciphersuite is TLS-" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \ "$O_SRV -key data_files/server2.key \ -cert data_files/server2.ku-ds.crt" \ @@ -6737,7 +6395,7 @@ run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \ # Tests for keyUsage in leaf certificates, part 3: # server-side checking of client cert -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \ "$P_SRV debug_level=1 auth_mode=optional" \ "$O_CLI -key data_files/server2.key \ @@ -6746,7 +6404,7 @@ run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \ -S "bad certificate (usage extensions)" \ -S "Processing of the Certificate handshake message failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \ "$P_SRV debug_level=1 auth_mode=optional" \ "$O_CLI -key data_files/server2.key \ @@ -6755,7 +6413,7 @@ run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \ -s "bad certificate (usage extensions)" \ -S "Processing of the Certificate handshake message failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \ "$P_SRV debug_level=1 auth_mode=required" \ "$O_CLI -key data_files/server2.key \ @@ -6764,7 +6422,7 @@ run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \ -s "bad certificate (usage extensions)" \ -s "Processing of the Certificate handshake message failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \ "$P_SRV debug_level=1 auth_mode=optional" \ "$O_CLI -key data_files/server5.key \ @@ -6773,7 +6431,7 @@ run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \ -S "bad certificate (usage extensions)" \ -S "Processing of the Certificate handshake message failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \ "$P_SRV debug_level=1 auth_mode=optional" \ "$O_CLI -key data_files/server5.key \ @@ -6784,28 +6442,28 @@ run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \ # Tests for extendedKeyUsage, part 1: server-side certificate/suite selection -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "extKeyUsage srv: serverAuth -> OK" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.eku-srv.crt" \ "$P_CLI" \ 0 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.eku-srv.crt" \ "$P_CLI" \ 0 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.eku-cs_any.crt" \ "$P_CLI" \ 0 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "extKeyUsage srv: codeSign -> fail" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.eku-cli.crt" \ @@ -6814,7 +6472,7 @@ run_test "extKeyUsage srv: codeSign -> fail" \ # Tests for extendedKeyUsage, part 2: client-side checking of server cert -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "extKeyUsage cli: serverAuth -> OK" \ "$O_SRV -key data_files/server5.key \ -cert data_files/server5.eku-srv.crt" \ @@ -6824,7 +6482,7 @@ run_test "extKeyUsage cli: serverAuth -> OK" \ -C "Processing of the Certificate handshake message failed" \ -c "Ciphersuite is TLS-" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \ "$O_SRV -key data_files/server5.key \ -cert data_files/server5.eku-srv_cli.crt" \ @@ -6834,7 +6492,7 @@ run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \ -C "Processing of the Certificate handshake message failed" \ -c "Ciphersuite is TLS-" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \ "$O_SRV -key data_files/server5.key \ -cert data_files/server5.eku-cs_any.crt" \ @@ -6844,7 +6502,7 @@ run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \ -C "Processing of the Certificate handshake message failed" \ -c "Ciphersuite is TLS-" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "extKeyUsage cli: codeSign -> fail" \ "$O_SRV -key data_files/server5.key \ -cert data_files/server5.eku-cs.crt" \ @@ -6856,7 +6514,7 @@ run_test "extKeyUsage cli: codeSign -> fail" \ # Tests for extendedKeyUsage, part 3: server-side checking of client cert -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "extKeyUsage cli-auth: clientAuth -> OK" \ "$P_SRV debug_level=1 auth_mode=optional" \ "$O_CLI -key data_files/server5.key \ @@ -6865,7 +6523,7 @@ run_test "extKeyUsage cli-auth: clientAuth -> OK" \ -S "bad certificate (usage extensions)" \ -S "Processing of the Certificate handshake message failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \ "$P_SRV debug_level=1 auth_mode=optional" \ "$O_CLI -key data_files/server5.key \ @@ -6874,7 +6532,7 @@ run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \ -S "bad certificate (usage extensions)" \ -S "Processing of the Certificate handshake message failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \ "$P_SRV debug_level=1 auth_mode=optional" \ "$O_CLI -key data_files/server5.key \ @@ -6883,7 +6541,7 @@ run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \ -S "bad certificate (usage extensions)" \ -S "Processing of the Certificate handshake message failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \ "$P_SRV debug_level=1 auth_mode=optional" \ "$O_CLI -key data_files/server5.key \ @@ -6892,7 +6550,7 @@ run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \ -s "bad certificate (usage extensions)" \ -S "Processing of the Certificate handshake message failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \ "$P_SRV debug_level=1 auth_mode=required" \ "$O_CLI -key data_files/server5.key \ @@ -6903,7 +6561,7 @@ run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \ # Tests for DHM parameters loading -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DHM parameters: reference" \ "$P_SRV" \ "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ @@ -6912,7 +6570,7 @@ run_test "DHM parameters: reference" \ -c "value of 'DHM: P ' (2048 bits)" \ -c "value of 'DHM: G ' (2 bits)" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DHM parameters: other parameters" \ "$P_SRV dhm_file=data_files/dhparams.pem" \ "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ @@ -6923,7 +6581,7 @@ run_test "DHM parameters: other parameters" \ # Tests for DHM client-side size checking -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DHM size: server default, client default, OK" \ "$P_SRV" \ "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ @@ -6931,7 +6589,7 @@ run_test "DHM size: server default, client default, OK" \ 0 \ -C "DHM prime too short:" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DHM size: server default, client 2048, OK" \ "$P_SRV" \ "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ @@ -6939,7 +6597,7 @@ run_test "DHM size: server default, client 2048, OK" \ 0 \ -C "DHM prime too short:" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DHM size: server 1024, client default, OK" \ "$P_SRV dhm_file=data_files/dhparams.pem" \ "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ @@ -6947,7 +6605,7 @@ run_test "DHM size: server 1024, client default, OK" \ 0 \ -C "DHM prime too short:" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DHM size: server 999, client 999, OK" \ "$P_SRV dhm_file=data_files/dh.999.pem" \ "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ @@ -6955,7 +6613,7 @@ run_test "DHM size: server 999, client 999, OK" \ 0 \ -C "DHM prime too short:" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DHM size: server 1000, client 1000, OK" \ "$P_SRV dhm_file=data_files/dh.1000.pem" \ "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ @@ -6963,7 +6621,7 @@ run_test "DHM size: server 1000, client 1000, OK" \ 0 \ -C "DHM prime too short:" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DHM size: server 1000, client default, rejected" \ "$P_SRV dhm_file=data_files/dh.1000.pem" \ "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ @@ -6971,7 +6629,7 @@ run_test "DHM size: server 1000, client default, rejected" \ 1 \ -c "DHM prime too short:" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DHM size: server 1000, client 1001, rejected" \ "$P_SRV dhm_file=data_files/dh.1000.pem" \ "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ @@ -6979,7 +6637,7 @@ run_test "DHM size: server 1000, client 1001, rejected" \ 1 \ -c "DHM prime too short:" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DHM size: server 999, client 1000, rejected" \ "$P_SRV dhm_file=data_files/dh.999.pem" \ "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ @@ -6987,7 +6645,7 @@ run_test "DHM size: server 999, client 1000, rejected" \ 1 \ -c "DHM prime too short:" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DHM size: server 998, client 999, rejected" \ "$P_SRV dhm_file=data_files/dh.998.pem" \ "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ @@ -6995,7 +6653,7 @@ run_test "DHM size: server 998, client 999, rejected" \ 1 \ -c "DHM prime too short:" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DHM size: server default, client 2049, rejected" \ "$P_SRV" \ "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ @@ -7005,7 +6663,7 @@ run_test "DHM size: server default, client 2049, rejected" \ # Tests for PSK callback -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "PSK callback: psk, no callback" \ "$P_SRV psk=abc123 psk_identity=foo" \ "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ @@ -7016,10 +6674,10 @@ run_test "PSK callback: psk, no callback" \ -S "SSL - Verification of the message MAC failed" requires_config_enabled MBEDTLS_USE_PSA_CRYPTO -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "PSK callback: opaque psk on client, no callback" \ "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \ - "$P_CLI extended_ms=0 debug_level=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ + "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=foo psk=abc123 psk_opaque=1" \ 0 \ -c "skip PMS generation for opaque PSK"\ @@ -7031,10 +6689,10 @@ run_test "PSK callback: opaque psk on client, no callback" \ -S "SSL - Verification of the message MAC failed" requires_config_enabled MBEDTLS_USE_PSA_CRYPTO -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "PSK callback: opaque psk on client, no callback, SHA-384" \ "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \ - "$P_CLI extended_ms=0 debug_level=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \ + "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \ psk_identity=foo psk=abc123 psk_opaque=1" \ 0 \ -c "skip PMS generation for opaque PSK"\ @@ -7046,10 +6704,10 @@ run_test "PSK callback: opaque psk on client, no callback, SHA-384" \ -S "SSL - Verification of the message MAC failed" requires_config_enabled MBEDTLS_USE_PSA_CRYPTO -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "PSK callback: opaque psk on client, no callback, EMS" \ "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \ - "$P_CLI extended_ms=1 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ + "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=foo psk=abc123 psk_opaque=1" \ 0 \ -c "skip PMS generation for opaque PSK"\ @@ -7061,10 +6719,10 @@ run_test "PSK callback: opaque psk on client, no callback, EMS" \ -S "SSL - Verification of the message MAC failed" requires_config_enabled MBEDTLS_USE_PSA_CRYPTO -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "PSK callback: opaque psk on client, no callback, SHA-384, EMS" \ "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \ - "$P_CLI extended_ms=1 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \ + "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \ psk_identity=foo psk=abc123 psk_opaque=1" \ 0 \ -c "skip PMS generation for opaque PSK"\ @@ -7076,10 +6734,10 @@ run_test "PSK callback: opaque psk on client, no callback, SHA-384, EMS" \ -S "SSL - Verification of the message MAC failed" requires_config_enabled MBEDTLS_USE_PSA_CRYPTO -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "PSK callback: raw psk on client, static opaque on server, no callback" \ - "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ - "$P_CLI extended_ms=0 debug_level=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ + "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ + "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=foo psk=abc123" \ 0 \ -C "skip PMS generation for opaque PSK"\ @@ -7091,10 +6749,10 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba -S "SSL - Verification of the message MAC failed" requires_config_enabled MBEDTLS_USE_PSA_CRYPTO -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "PSK callback: raw psk on client, static opaque on server, no callback, SHA-384" \ - "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \ - "$P_CLI extended_ms=0 debug_level=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \ + "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \ + "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \ psk_identity=foo psk=abc123" \ 0 \ -C "skip PMS generation for opaque PSK"\ @@ -7106,11 +6764,11 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba -S "SSL - Verification of the message MAC failed" requires_config_enabled MBEDTLS_USE_PSA_CRYPTO -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS" \ - "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls1_2 \ + "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \ force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \ - "$P_CLI debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ + "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=foo psk=abc123 extended_ms=1" \ 0 \ -c "session hash for extended master secret"\ @@ -7122,11 +6780,11 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba -S "SSL - Verification of the message MAC failed" requires_config_enabled MBEDTLS_USE_PSA_CRYPTO -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS, SHA384" \ - "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls1_2 \ + "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \ force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \ - "$P_CLI debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \ + "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \ psk_identity=foo psk=abc123 extended_ms=1" \ 0 \ -c "session hash for extended master secret"\ @@ -7138,10 +6796,10 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba -S "SSL - Verification of the message MAC failed" requires_config_enabled MBEDTLS_USE_PSA_CRYPTO -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback" \ - "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ - "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ + "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ + "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=def psk=beef" \ 0 \ -C "skip PMS generation for opaque PSK"\ @@ -7153,10 +6811,10 @@ run_test "PSK callback: raw psk on client, no static PSK on server, opaque PS -S "SSL - Verification of the message MAC failed" requires_config_enabled MBEDTLS_USE_PSA_CRYPTO -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback, SHA-384" \ - "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \ - "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \ + "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \ + "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \ psk_identity=def psk=beef" \ 0 \ -C "skip PMS generation for opaque PSK"\ @@ -7168,11 +6826,11 @@ run_test "PSK callback: raw psk on client, no static PSK on server, opaque PS -S "SSL - Verification of the message MAC failed" requires_config_enabled MBEDTLS_USE_PSA_CRYPTO -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback, EMS" \ - "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 \ + "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \ force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \ - "$P_CLI debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ + "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=abc psk=dead extended_ms=1" \ 0 \ -c "session hash for extended master secret"\ @@ -7184,11 +6842,11 @@ run_test "PSK callback: raw psk on client, no static PSK on server, opaque PS -S "SSL - Verification of the message MAC failed" requires_config_enabled MBEDTLS_USE_PSA_CRYPTO -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback, EMS, SHA384" \ - "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 \ + "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \ force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \ - "$P_CLI debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \ + "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \ psk_identity=abc psk=dead extended_ms=1" \ 0 \ -c "session hash for extended master secret"\ @@ -7200,10 +6858,10 @@ run_test "PSK callback: raw psk on client, no static PSK on server, opaque PS -S "SSL - Verification of the message MAC failed" requires_config_enabled MBEDTLS_USE_PSA_CRYPTO -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "PSK callback: raw psk on client, mismatching static raw PSK on server, opaque PSK from callback" \ - "$P_SRV extended_ms=0 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ - "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ + "$P_SRV extended_ms=0 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ + "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=def psk=beef" \ 0 \ -C "skip PMS generation for opaque PSK"\ @@ -7215,10 +6873,10 @@ run_test "PSK callback: raw psk on client, mismatching static raw PSK on serv -S "SSL - Verification of the message MAC failed" requires_config_enabled MBEDTLS_USE_PSA_CRYPTO -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, opaque PSK from callback" \ - "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ - "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ + "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ + "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=def psk=beef" \ 0 \ -C "skip PMS generation for opaque PSK"\ @@ -7230,10 +6888,10 @@ run_test "PSK callback: raw psk on client, mismatching static opaque PSK on s -S "SSL - Verification of the message MAC failed" requires_config_enabled MBEDTLS_USE_PSA_CRYPTO -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, raw PSK from callback" \ - "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ - "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ + "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ + "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=def psk=beef" \ 0 \ -C "skip PMS generation for opaque PSK"\ @@ -7244,10 +6902,10 @@ run_test "PSK callback: raw psk on client, mismatching static opaque PSK on s -S "SSL - Verification of the message MAC failed" requires_config_enabled MBEDTLS_USE_PSA_CRYPTO -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "PSK callback: raw psk on client, id-matching but wrong raw PSK on server, opaque PSK from callback" \ - "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=abc123 debug_level=3 psk_list=abc,dead,def,beef min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ - "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ + "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=abc123 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ + "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=def psk=beef" \ 0 \ -C "skip PMS generation for opaque PSK"\ @@ -7258,15 +6916,15 @@ run_test "PSK callback: raw psk on client, id-matching but wrong raw PSK on s -S "SSL - Verification of the message MAC failed" requires_config_enabled MBEDTLS_USE_PSA_CRYPTO -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "PSK callback: raw psk on client, matching opaque PSK on server, wrong opaque PSK from callback" \ - "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=beef debug_level=3 psk_list=abc,dead,def,abc123 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ - "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ + "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=beef debug_level=3 psk_list=abc,dead,def,abc123 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ + "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=def psk=beef" \ 1 \ -s "SSL - Verification of the message MAC failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "PSK callback: no psk, no callback" \ "$P_SRV" \ "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ @@ -7276,7 +6934,7 @@ run_test "PSK callback: no psk, no callback" \ -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "PSK callback: callback overrides other settings" \ "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \ "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ @@ -7286,7 +6944,7 @@ run_test "PSK callback: callback overrides other settings" \ -s "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "PSK callback: first id matches" \ "$P_SRV psk_list=abc,dead,def,beef" \ "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ @@ -7296,7 +6954,7 @@ run_test "PSK callback: first id matches" \ -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "PSK callback: second id matches" \ "$P_SRV psk_list=abc,dead,def,beef" \ "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ @@ -7306,7 +6964,7 @@ run_test "PSK callback: second id matches" \ -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "PSK callback: no match" \ "$P_SRV psk_list=abc,dead,def,beef" \ "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ @@ -7316,7 +6974,7 @@ run_test "PSK callback: no match" \ -s "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "PSK callback: wrong key" \ "$P_SRV psk_list=abc,dead,def,beef" \ "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ @@ -7329,7 +6987,7 @@ run_test "PSK callback: wrong key" \ # Tests for EC J-PAKE requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "ECJPAKE: client not configured" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3" \ @@ -7344,7 +7002,7 @@ run_test "ECJPAKE: client not configured" \ -S "SSL - The handshake negotiation failed" requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "ECJPAKE: server not configured" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 ecjpake_pw=bla \ @@ -7360,7 +7018,7 @@ run_test "ECJPAKE: server not configured" \ -s "SSL - The handshake negotiation failed" requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "ECJPAKE: working, TLS" \ "$P_SRV debug_level=3 ecjpake_pw=bla" \ "$P_CLI debug_level=3 ecjpake_pw=bla \ @@ -7379,7 +7037,7 @@ run_test "ECJPAKE: working, TLS" \ server_needs_more_time 1 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "ECJPAKE: password mismatch, TLS" \ "$P_SRV debug_level=3 ecjpake_pw=bla" \ "$P_CLI debug_level=3 ecjpake_pw=bad \ @@ -7388,7 +7046,7 @@ run_test "ECJPAKE: password mismatch, TLS" \ -C "re-using cached ecjpake parameters" \ -s "SSL - Verification of the message MAC failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED run_test "ECJPAKE: working, DTLS" \ "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \ @@ -7398,7 +7056,7 @@ run_test "ECJPAKE: working, DTLS" \ -c "re-using cached ecjpake parameters" \ -S "SSL - Verification of the message MAC failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED run_test "ECJPAKE: working, DTLS, no cookie" \ "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \ @@ -7409,7 +7067,7 @@ run_test "ECJPAKE: working, DTLS, no cookie" \ -S "SSL - Verification of the message MAC failed" server_needs_more_time 1 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED run_test "ECJPAKE: password mismatch, DTLS" \ "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \ @@ -7420,7 +7078,7 @@ run_test "ECJPAKE: password mismatch, DTLS" \ -s "SSL - Verification of the message MAC failed" # for tests with configs/config-thread.h -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED run_test "ECJPAKE: working, DTLS, nolog" \ "$P_SRV dtls=1 ecjpake_pw=bla" \ @@ -7431,7 +7089,7 @@ run_test "ECJPAKE: working, DTLS, nolog" \ # Test for ClientHello without extensions requires_gnutls -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "ClientHello without extensions" \ "$P_SRV debug_level=3" \ "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \ @@ -7440,14 +7098,14 @@ run_test "ClientHello without extensions" \ # Tests for mbedtls_ssl_get_bytes_avail() -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "mbedtls_ssl_get_bytes_avail: no extra data" \ "$P_SRV" \ "$P_CLI request_size=100" \ 0 \ -s "Read from client: 100 bytes read$" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "mbedtls_ssl_get_bytes_avail: extra data" \ "$P_SRV" \ "$P_CLI request_size=500" \ @@ -7456,42 +7114,42 @@ run_test "mbedtls_ssl_get_bytes_avail: extra data" \ # Tests for small client packets -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Small client packet TLS 1.2 BlockCipher" \ "$P_SRV" \ - "$P_CLI request_size=1 force_version=tls1_2 \ + "$P_CLI request_size=1 force_version=tls12 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ -s "Read from client: 1 bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Small client packet TLS 1.2 BlockCipher, without EtM" \ "$P_SRV" \ - "$P_CLI request_size=1 force_version=tls1_2 \ + "$P_CLI request_size=1 force_version=tls12 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \ 0 \ -s "Read from client: 1 bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Small client packet TLS 1.2 BlockCipher larger MAC" \ "$P_SRV" \ - "$P_CLI request_size=1 force_version=tls1_2 \ + "$P_CLI request_size=1 force_version=tls12 \ force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \ 0 \ -s "Read from client: 1 bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Small client packet TLS 1.2 AEAD" \ "$P_SRV" \ - "$P_CLI request_size=1 force_version=tls1_2 \ + "$P_CLI request_size=1 force_version=tls12 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \ 0 \ -s "Read from client: 1 bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Small client packet TLS 1.2 AEAD shorter tag" \ "$P_SRV" \ - "$P_CLI request_size=1 force_version=tls1_2 \ + "$P_CLI request_size=1 force_version=tls12 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \ 0 \ -s "Read from client: 1 bytes read" @@ -7500,16 +7158,16 @@ run_test "Small client packet TLS 1.2 AEAD shorter tag" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS run_test "Small client packet DTLS 1.2" \ - "$P_SRV dtls=1 force_version=dtls1_2" \ + "$P_SRV dtls=1 force_version=dtls12" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Small client packet DTLS 1.2, without EtM" \ - "$P_SRV dtls=1 force_version=dtls1_2 etm=0" \ + "$P_SRV dtls=1 force_version=dtls12 etm=0" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ @@ -7517,42 +7175,42 @@ run_test "Small client packet DTLS 1.2, without EtM" \ # Tests for small server packets -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Small server packet TLS 1.2 BlockCipher" \ "$P_SRV response_size=1" \ - "$P_CLI force_version=tls1_2 \ + "$P_CLI force_version=tls12 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ -c "Read from server: 1 bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Small server packet TLS 1.2 BlockCipher, without EtM" \ "$P_SRV response_size=1" \ - "$P_CLI force_version=tls1_2 \ + "$P_CLI force_version=tls12 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \ 0 \ -c "Read from server: 1 bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Small server packet TLS 1.2 BlockCipher larger MAC" \ "$P_SRV response_size=1" \ - "$P_CLI force_version=tls1_2 \ + "$P_CLI force_version=tls12 \ force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \ 0 \ -c "Read from server: 1 bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Small server packet TLS 1.2 AEAD" \ "$P_SRV response_size=1" \ - "$P_CLI force_version=tls1_2 \ + "$P_CLI force_version=tls12 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \ 0 \ -c "Read from server: 1 bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Small server packet TLS 1.2 AEAD shorter tag" \ "$P_SRV response_size=1" \ - "$P_CLI force_version=tls1_2 \ + "$P_CLI force_version=tls12 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \ 0 \ -c "Read from server: 1 bytes read" @@ -7560,18 +7218,18 @@ run_test "Small server packet TLS 1.2 AEAD shorter tag" \ # Tests for small server packets in DTLS requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Small server packet DTLS 1.2" \ - "$P_SRV dtls=1 response_size=1 force_version=dtls1_2" \ + "$P_SRV dtls=1 response_size=1 force_version=dtls12" \ "$P_CLI dtls=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ -c "Read from server: 1 bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Small server packet DTLS 1.2, without EtM" \ - "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 etm=0" \ + "$P_SRV dtls=1 response_size=1 force_version=dtls12 etm=0" \ "$P_CLI dtls=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ @@ -7584,97 +7242,97 @@ fragments_for_write() { echo "$(( ( $1 + $MAX_OUT_LEN - 1 ) / $MAX_OUT_LEN ))" } -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Large client packet TLS 1.2 BlockCipher" \ "$P_SRV" \ - "$P_CLI request_size=16384 force_version=tls1_2 \ + "$P_CLI request_size=16384 force_version=tls12 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ -c "16384 bytes written in $(fragments_for_write 16384) fragments" \ -s "Read from client: $MAX_CONTENT_LEN bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Large client packet TLS 1.2 BlockCipher, without EtM" \ "$P_SRV" \ - "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \ + "$P_CLI request_size=16384 force_version=tls12 etm=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ -s "Read from client: $MAX_CONTENT_LEN bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Large client packet TLS 1.2 BlockCipher larger MAC" \ "$P_SRV" \ - "$P_CLI request_size=16384 force_version=tls1_2 \ + "$P_CLI request_size=16384 force_version=tls12 \ force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \ 0 \ -c "16384 bytes written in $(fragments_for_write 16384) fragments" \ -s "Read from client: $MAX_CONTENT_LEN bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Large client packet TLS 1.2 AEAD" \ "$P_SRV" \ - "$P_CLI request_size=16384 force_version=tls1_2 \ + "$P_CLI request_size=16384 force_version=tls12 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \ 0 \ -c "16384 bytes written in $(fragments_for_write 16384) fragments" \ -s "Read from client: $MAX_CONTENT_LEN bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Large client packet TLS 1.2 AEAD shorter tag" \ "$P_SRV" \ - "$P_CLI request_size=16384 force_version=tls1_2 \ + "$P_CLI request_size=16384 force_version=tls12 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \ 0 \ -c "16384 bytes written in $(fragments_for_write 16384) fragments" \ -s "Read from client: $MAX_CONTENT_LEN bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 # The tests below fail when the server's OUT_CONTENT_LEN is less than 16384. run_test "Large server packet TLS 1.2 BlockCipher" \ "$P_SRV response_size=16384" \ - "$P_CLI force_version=tls1_2 \ + "$P_CLI force_version=tls12 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ -c "Read from server: 16384 bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Large server packet TLS 1.2 BlockCipher, without EtM" \ "$P_SRV response_size=16384" \ - "$P_CLI force_version=tls1_2 etm=0 \ + "$P_CLI force_version=tls12 etm=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ -s "16384 bytes written in 1 fragments" \ -c "Read from server: 16384 bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \ "$P_SRV response_size=16384" \ - "$P_CLI force_version=tls1_2 \ + "$P_CLI force_version=tls12 \ force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \ 0 \ -c "Read from server: 16384 bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Large server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ "$P_SRV response_size=16384 trunc_hmac=1" \ - "$P_CLI force_version=tls1_2 \ + "$P_CLI force_version=tls12 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ 0 \ -s "16384 bytes written in 1 fragments" \ -c "Read from server: 16384 bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Large server packet TLS 1.2 AEAD" \ "$P_SRV response_size=16384" \ - "$P_CLI force_version=tls1_2 \ + "$P_CLI force_version=tls12 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \ 0 \ -c "Read from server: 16384 bytes read" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Large server packet TLS 1.2 AEAD shorter tag" \ "$P_SRV response_size=16384" \ - "$P_CLI force_version=tls1_2 \ + "$P_CLI force_version=tls12 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \ 0 \ -c "Read from server: 16384 bytes read" @@ -7684,7 +7342,7 @@ run_test "Large server packet TLS 1.2 AEAD shorter tag" \ # Force the use of a curve that supports restartable ECC (secp256r1). requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED run_test "EC restart: TLS, default" \ "$P_SRV curves=secp256r1 auth_mode=required" \ @@ -7698,7 +7356,7 @@ run_test "EC restart: TLS, default" \ -C "mbedtls_pk_sign.*4b00" requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED run_test "EC restart: TLS, max_ops=0" \ "$P_SRV curves=secp256r1 auth_mode=required" \ @@ -7712,7 +7370,7 @@ run_test "EC restart: TLS, max_ops=0" \ -C "mbedtls_pk_sign.*4b00" requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED run_test "EC restart: TLS, max_ops=65535" \ "$P_SRV curves=secp256r1 auth_mode=required" \ @@ -7726,7 +7384,7 @@ run_test "EC restart: TLS, max_ops=65535" \ -C "mbedtls_pk_sign.*4b00" requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED run_test "EC restart: TLS, max_ops=1000" \ "$P_SRV curves=secp256r1 auth_mode=required" \ @@ -7740,7 +7398,7 @@ run_test "EC restart: TLS, max_ops=1000" \ -c "mbedtls_pk_sign.*4b00" requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED run_test "EC restart: TLS, max_ops=1000, badsign" \ "$P_SRV curves=secp256r1 auth_mode=required \ @@ -7759,7 +7417,7 @@ run_test "EC restart: TLS, max_ops=1000, badsign" \ -c "X509 - Certificate verification failed" requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \ "$P_SRV curves=secp256r1 auth_mode=required \ @@ -7778,7 +7436,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \ -C "X509 - Certificate verification failed" requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \ "$P_SRV curves=secp256r1 auth_mode=required \ @@ -7797,7 +7455,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \ -C "X509 - Certificate verification failed" requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED run_test "EC restart: DTLS, max_ops=1000" \ "$P_SRV curves=secp256r1 auth_mode=required dtls=1" \ @@ -7811,7 +7469,7 @@ run_test "EC restart: DTLS, max_ops=1000" \ -c "mbedtls_pk_sign.*4b00" requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED run_test "EC restart: TLS, max_ops=1000 no client auth" \ "$P_SRV curves=secp256r1" \ @@ -7824,7 +7482,7 @@ run_test "EC restart: TLS, max_ops=1000 no client auth" \ -C "mbedtls_pk_sign.*4b00" requires_config_enabled MBEDTLS_ECP_RESTARTABLE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED run_test "EC restart: TLS, max_ops=1000, ECDHE-PSK" \ "$P_SRV curves=secp256r1 psk=abc123" \ @@ -7839,7 +7497,7 @@ run_test "EC restart: TLS, max_ops=1000, ECDHE-PSK" \ # Tests of asynchronous private key support in SSL requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: sign, delay=0" \ "$P_SRV \ async_operations=s async_private_delay1=0 async_private_delay2=0" \ @@ -7849,7 +7507,7 @@ run_test "SSL async private: sign, delay=0" \ -s "Async resume (slot [0-9]): sign done, status=0" requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: sign, delay=1" \ "$P_SRV \ async_operations=s async_private_delay1=1 async_private_delay2=1" \ @@ -7860,7 +7518,7 @@ run_test "SSL async private: sign, delay=1" \ -s "Async resume (slot [0-9]): sign done, status=0" requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: sign, delay=2" \ "$P_SRV \ async_operations=s async_private_delay1=2 async_private_delay2=2" \ @@ -7874,7 +7532,7 @@ run_test "SSL async private: sign, delay=2" \ requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE requires_config_disabled MBEDTLS_X509_REMOVE_INFO -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: sign, SNI" \ "$P_SRV debug_level=3 \ async_operations=s async_private_delay1=0 async_private_delay2=0 \ @@ -7889,7 +7547,7 @@ run_test "SSL async private: sign, SNI" \ -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example" requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: decrypt, delay=0" \ "$P_SRV \ async_operations=d async_private_delay1=0 async_private_delay2=0" \ @@ -7899,7 +7557,7 @@ run_test "SSL async private: decrypt, delay=0" \ -s "Async resume (slot [0-9]): decrypt done, status=0" requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: decrypt, delay=1" \ "$P_SRV \ async_operations=d async_private_delay1=1 async_private_delay2=1" \ @@ -7910,7 +7568,7 @@ run_test "SSL async private: decrypt, delay=1" \ -s "Async resume (slot [0-9]): decrypt done, status=0" requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: decrypt RSA-PSK, delay=0" \ "$P_SRV psk=abc123 \ async_operations=d async_private_delay1=0 async_private_delay2=0" \ @@ -7921,7 +7579,7 @@ run_test "SSL async private: decrypt RSA-PSK, delay=0" \ -s "Async resume (slot [0-9]): decrypt done, status=0" requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: decrypt RSA-PSK, delay=1" \ "$P_SRV psk=abc123 \ async_operations=d async_private_delay1=1 async_private_delay2=1" \ @@ -7933,7 +7591,7 @@ run_test "SSL async private: decrypt RSA-PSK, delay=1" \ -s "Async resume (slot [0-9]): decrypt done, status=0" requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: sign callback not present" \ "$P_SRV \ async_operations=d async_private_delay1=1 async_private_delay2=1" \ @@ -7947,7 +7605,7 @@ run_test "SSL async private: sign callback not present" \ -s "Successful connection" requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: decrypt callback not present" \ "$P_SRV debug_level=1 \ async_operations=s async_private_delay1=1 async_private_delay2=1" \ @@ -7962,7 +7620,7 @@ run_test "SSL async private: decrypt callback not present" \ # key1: ECDSA, key2: RSA; use key1 from slot 0 requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: slot 0 used with key1" \ "$P_SRV \ async_operations=s async_private_delay1=1 \ @@ -7976,7 +7634,7 @@ run_test "SSL async private: slot 0 used with key1" \ # key1: ECDSA, key2: RSA; use key2 from slot 0 requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: slot 0 used with key2" \ "$P_SRV \ async_operations=s async_private_delay2=1 \ @@ -7990,7 +7648,7 @@ run_test "SSL async private: slot 0 used with key2" \ # key1: ECDSA, key2: RSA; use key2 from slot 1 requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: slot 1 used with key2" \ "$P_SRV \ async_operations=s async_private_delay1=1 async_private_delay2=1 \ @@ -8004,7 +7662,7 @@ run_test "SSL async private: slot 1 used with key2" \ # key1: ECDSA, key2: RSA; use key2 directly requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: fall back to transparent key" \ "$P_SRV \ async_operations=s async_private_delay1=1 \ @@ -8015,7 +7673,7 @@ run_test "SSL async private: fall back to transparent key" \ -s "Async sign callback: no key matches this certificate." requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: sign, error in start" \ "$P_SRV \ async_operations=s async_private_delay1=1 async_private_delay2=1 \ @@ -8028,7 +7686,7 @@ run_test "SSL async private: sign, error in start" \ -s "! mbedtls_ssl_handshake returned" requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: sign, cancel after start" \ "$P_SRV \ async_operations=s async_private_delay1=1 async_private_delay2=1 \ @@ -8040,7 +7698,7 @@ run_test "SSL async private: sign, cancel after start" \ -s "Async cancel" requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: sign, error in resume" \ "$P_SRV \ async_operations=s async_private_delay1=1 async_private_delay2=1 \ @@ -8053,7 +7711,7 @@ run_test "SSL async private: sign, error in resume" \ -s "! mbedtls_ssl_handshake returned" requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: decrypt, error in start" \ "$P_SRV \ async_operations=d async_private_delay1=1 async_private_delay2=1 \ @@ -8066,7 +7724,7 @@ run_test "SSL async private: decrypt, error in start" \ -s "! mbedtls_ssl_handshake returned" requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: decrypt, cancel after start" \ "$P_SRV \ async_operations=d async_private_delay1=1 async_private_delay2=1 \ @@ -8078,7 +7736,7 @@ run_test "SSL async private: decrypt, cancel after start" \ -s "Async cancel" requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: decrypt, error in resume" \ "$P_SRV \ async_operations=d async_private_delay1=1 async_private_delay2=1 \ @@ -8091,7 +7749,7 @@ run_test "SSL async private: decrypt, error in resume" \ -s "! mbedtls_ssl_handshake returned" requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: cancel after start then operate correctly" \ "$P_SRV \ async_operations=s async_private_delay1=1 async_private_delay2=1 \ @@ -8104,7 +7762,7 @@ run_test "SSL async private: cancel after start then operate correctly" \ -s "Successful connection" requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: error in resume then operate correctly" \ "$P_SRV \ async_operations=s async_private_delay1=1 async_private_delay2=1 \ @@ -8117,7 +7775,7 @@ run_test "SSL async private: error in resume then operate correctly" \ # key1: ECDSA, key2: RSA; use key1 through async, then key2 directly requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: cancel after start then fall back to transparent key" \ "$P_SRV \ async_operations=s async_private_delay1=1 async_private_error=-2 \ @@ -8136,7 +7794,7 @@ run_test "SSL async private: cancel after start then fall back to transparent # key1: ECDSA, key2: RSA; use key1 through async, then key2 directly requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: sign, error in resume then fall back to transparent key" \ "$P_SRV \ async_operations=s async_private_delay1=1 async_private_error=-3 \ @@ -8153,7 +7811,7 @@ run_test "SSL async private: sign, error in resume then fall back to transpar requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: renegotiation: client-initiated, sign" \ "$P_SRV \ async_operations=s async_private_delay1=1 async_private_delay2=1 \ @@ -8165,7 +7823,7 @@ run_test "SSL async private: renegotiation: client-initiated, sign" \ requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: renegotiation: server-initiated, sign" \ "$P_SRV \ async_operations=s async_private_delay1=1 async_private_delay2=1 \ @@ -8177,7 +7835,7 @@ run_test "SSL async private: renegotiation: server-initiated, sign" \ requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: renegotiation: client-initiated, decrypt" \ "$P_SRV \ async_operations=d async_private_delay1=1 async_private_delay2=1 \ @@ -8190,7 +7848,7 @@ run_test "SSL async private: renegotiation: client-initiated, decrypt" \ requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "SSL async private: renegotiation: server-initiated, decrypt" \ "$P_SRV \ async_operations=d async_private_delay1=1 async_private_delay2=1 \ @@ -8207,7 +7865,7 @@ requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_CIPHER_MODE_CBC requires_config_enabled MBEDTLS_SHA256_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Force a non ECC ciphersuite in the client side" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \ @@ -8221,7 +7879,7 @@ requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_CIPHER_MODE_CBC requires_config_enabled MBEDTLS_SHA256_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Force a non ECC ciphersuite in the server side" \ "$P_SRV debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \ "$P_CLI debug_level=3" \ @@ -8233,7 +7891,7 @@ requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_CIPHER_MODE_CBC requires_config_enabled MBEDTLS_SHA256_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Force an ECC ciphersuite in the client side" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \ @@ -8247,7 +7905,7 @@ requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_CIPHER_MODE_CBC requires_config_enabled MBEDTLS_SHA256_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Force an ECC ciphersuite in the server side" \ "$P_SRV debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \ "$P_CLI debug_level=3" \ @@ -8257,7 +7915,7 @@ run_test "Force an ECC ciphersuite in the server side" \ # Tests for DTLS HelloVerifyRequest -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS cookie: enabled" \ "$P_SRV dtls=1 debug_level=2" \ "$P_CLI dtls=1 debug_level=2" \ @@ -8269,7 +7927,7 @@ run_test "DTLS cookie: enabled" \ -s "hello verification requested" \ -S "SSL - The requested feature is not available" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS cookie: disabled" \ "$P_SRV dtls=1 debug_level=2 cookies=0" \ "$P_CLI dtls=1 debug_level=2" \ @@ -8281,7 +7939,7 @@ run_test "DTLS cookie: disabled" \ -S "hello verification requested" \ -S "SSL - The requested feature is not available" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS cookie: default (failing)" \ "$P_SRV dtls=1 debug_level=2 cookies=-1" \ "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \ @@ -8294,7 +7952,7 @@ run_test "DTLS cookie: default (failing)" \ -s "SSL - The requested feature is not available" requires_ipv6 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS cookie: enabled, IPv6" \ "$P_SRV dtls=1 debug_level=2 server_addr=::1" \ "$P_CLI dtls=1 debug_level=2 server_addr=::1" \ @@ -8306,7 +7964,7 @@ run_test "DTLS cookie: enabled, IPv6" \ -s "hello verification requested" \ -S "SSL - The requested feature is not available" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS cookie: enabled, nbio" \ "$P_SRV dtls=1 nbio=2 debug_level=2" \ "$P_CLI dtls=1 nbio=2 debug_level=2" \ @@ -8321,7 +7979,7 @@ run_test "DTLS cookie: enabled, nbio" \ # Tests for client reconnecting from the same port with DTLS not_with_valgrind # spurious resend -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS client reconnect from same port: reference" \ "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=10000-20000" \ "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=10000-20000" \ @@ -8331,7 +7989,7 @@ run_test "DTLS client reconnect from same port: reference" \ -S "Client initiated reconnection from same port" not_with_valgrind # spurious resend -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS client reconnect from same port: reconnect" \ "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=10000-20000" \ "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=10000-20000 reconnect_hard=1" \ @@ -8341,7 +7999,7 @@ run_test "DTLS client reconnect from same port: reconnect" \ -s "Client initiated reconnection from same port" not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts) -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \ "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \ "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \ @@ -8350,7 +8008,7 @@ run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" -s "Client initiated reconnection from same port" only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \ "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \ "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \ @@ -8358,7 +8016,7 @@ run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \ -S "The operation timed out" \ -s "Client initiated reconnection from same port" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS client reconnect from same port: no cookies" \ "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \ "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \ @@ -8366,7 +8024,7 @@ run_test "DTLS client reconnect from same port: no cookies" \ -s "The operation timed out" \ -S "Client initiated reconnection from same port" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS client reconnect from same port: attacker-injected" \ -p "$P_PXY inject_clihlo=1" \ "$P_SRV dtls=1 exchanges=2 debug_level=1" \ @@ -8378,21 +8036,21 @@ run_test "DTLS client reconnect from same port: attacker-injected" \ # Tests for various cases of client authentication with DTLS # (focused on handshake flows and message parsing) -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS client auth: required" \ "$P_SRV dtls=1 auth_mode=required" \ "$P_CLI dtls=1" \ 0 \ -s "Verifying peer X.509 certificate... ok" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS client auth: optional, client has no cert" \ "$P_SRV dtls=1 auth_mode=optional" \ "$P_CLI dtls=1 crt_file=none key_file=none" \ 0 \ -s "! Certificate was missing" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS client auth: none, client has no cert" \ "$P_SRV dtls=1 auth_mode=none" \ "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \ @@ -8400,7 +8058,7 @@ run_test "DTLS client auth: none, client has no cert" \ -c "skip write certificate$" \ -s "! Certificate verification was skipped" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS wrong PSK: badmac alert" \ "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \ "$P_CLI dtls=1 psk=abc124" \ @@ -8411,7 +8069,7 @@ run_test "DTLS wrong PSK: badmac alert" \ # Tests for receiving fragmented handshake messages with DTLS requires_gnutls -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS reassembly: no fragmentation (gnutls server)" \ "$G_SRV -u --mtu 2048 -a" \ "$P_CLI dtls=1 debug_level=2" \ @@ -8420,7 +8078,7 @@ run_test "DTLS reassembly: no fragmentation (gnutls server)" \ -C "error" requires_gnutls -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS reassembly: some fragmentation (gnutls server)" \ "$G_SRV -u --mtu 512" \ "$P_CLI dtls=1 debug_level=2" \ @@ -8429,7 +8087,7 @@ run_test "DTLS reassembly: some fragmentation (gnutls server)" \ -C "error" requires_gnutls -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS reassembly: more fragmentation (gnutls server)" \ "$G_SRV -u --mtu 128" \ "$P_CLI dtls=1 debug_level=2" \ @@ -8438,7 +8096,7 @@ run_test "DTLS reassembly: more fragmentation (gnutls server)" \ -C "error" requires_gnutls -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \ "$G_SRV -u --mtu 128" \ "$P_CLI dtls=1 nbio=2 debug_level=2" \ @@ -8448,7 +8106,7 @@ run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \ "$G_SRV -u --mtu 256" \ "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \ @@ -8463,7 +8121,7 @@ run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \ "$G_SRV -u --mtu 256" \ "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \ @@ -8476,7 +8134,7 @@ run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \ -C "error" \ -s "Extra-header:" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS reassembly: no fragmentation (openssl server)" \ "$O_SRV -dtls -mtu 2048" \ "$P_CLI dtls=1 debug_level=2" \ @@ -8484,7 +8142,7 @@ run_test "DTLS reassembly: no fragmentation (openssl server)" \ -C "found fragmented DTLS handshake message" \ -C "error" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS reassembly: some fragmentation (openssl server)" \ "$O_SRV -dtls -mtu 768" \ "$P_CLI dtls=1 debug_level=2" \ @@ -8492,7 +8150,7 @@ run_test "DTLS reassembly: some fragmentation (openssl server)" \ -c "found fragmented DTLS handshake message" \ -C "error" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS reassembly: more fragmentation (openssl server)" \ "$O_SRV -dtls -mtu 256" \ "$P_CLI dtls=1 debug_level=2" \ @@ -8500,7 +8158,7 @@ run_test "DTLS reassembly: more fragmentation (openssl server)" \ -c "found fragmented DTLS handshake message" \ -C "error" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \ "$O_SRV -dtls -mtu 256" \ "$P_CLI dtls=1 nbio=2 debug_level=2" \ @@ -8524,7 +8182,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 4096 run_test "DTLS fragmenting: none (for reference)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -8546,7 +8204,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: server only (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -8572,7 +8230,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 4096 run_test "DTLS fragmenting: server only (more) (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -8594,7 +8252,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: client-initiated, server only (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=none \ @@ -8623,7 +8281,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), proxy MTU" \ -p "$P_PXY mtu=1110" \ @@ -8646,7 +8304,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: client-initiated, both (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -8675,7 +8333,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" \ -p "$P_PXY mtu=1110" \ @@ -8697,7 +8355,7 @@ run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 4096 run_test "DTLS fragmenting: none (for reference) (MTU)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -8718,7 +8376,7 @@ run_test "DTLS fragmenting: none (for reference) (MTU)" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 4096 run_test "DTLS fragmenting: client (MTU)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -8739,7 +8397,7 @@ run_test "DTLS fragmenting: client (MTU)" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: server (MTU)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -8760,7 +8418,7 @@ run_test "DTLS fragmenting: server (MTU)" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: both (MTU=1024)" \ -p "$P_PXY mtu=1024" \ @@ -8787,7 +8445,7 @@ requires_config_enabled MBEDTLS_SHA256_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: both (MTU=512)" \ -p "$P_PXY mtu=512" \ @@ -8820,7 +8478,7 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU: auto-reduction (not valgrind)" \ -p "$P_PXY mtu=508" \ @@ -8846,7 +8504,7 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU: auto-reduction (with valgrind)" \ -p "$P_PXY mtu=508" \ @@ -8871,7 +8529,7 @@ not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \ -p "$P_PXY mtu=1024" \ @@ -8902,7 +8560,7 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \ -p "$P_PXY mtu=512" \ @@ -8927,7 +8585,7 @@ not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \ -p "$P_PXY mtu=1024" \ @@ -8955,7 +8613,7 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \ -p "$P_PXY mtu=512" \ @@ -8993,7 +8651,7 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, resumed handshake" \ -p "$P_PXY mtu=1450" \ @@ -9024,7 +8682,7 @@ requires_config_enabled MBEDTLS_SHA256_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_CHACHAPOLY_C -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \ -p "$P_PXY mtu=512" \ @@ -9058,7 +8716,7 @@ requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \ -p "$P_PXY mtu=512" \ @@ -9092,7 +8750,7 @@ requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_CCM_C -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \ -p "$P_PXY mtu=1024" \ @@ -9127,7 +8785,7 @@ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_CIPHER_MODE_CBC requires_config_enabled MBEDTLS_SSL_ENCRYPT_THEN_MAC -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \ -p "$P_PXY mtu=1024" \ @@ -9161,7 +8819,7 @@ requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_CIPHER_MODE_CBC -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \ -p "$P_PXY mtu=1024" \ @@ -9192,7 +8850,7 @@ requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C client_needs_more_time 2 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU + 3d" \ -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \ @@ -9218,7 +8876,7 @@ requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C client_needs_more_time 2 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \ -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \ @@ -9245,14 +8903,14 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_gnutls -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \ "$G_SRV -u" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ - mtu=512 force_version=dtls1_2" \ + mtu=512 force_version=dtls12" \ 0 \ -c "fragmenting handshake message" \ -C "error" @@ -9270,13 +8928,13 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_gnutls requires_not_i686 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ - mtu=512 force_version=dtls1_2" \ + mtu=512 force_version=dtls12" \ "$G_CLI -u --insecure 127.0.0.1" \ 0 \ -s "fragmenting handshake message" @@ -9285,14 +8943,14 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: openssl server, DTLS 1.2" \ "$O_SRV -dtls1_2 -verify 10" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ - mtu=512 force_version=dtls1_2" \ + mtu=512 force_version=dtls12" \ 0 \ -c "fragmenting handshake message" \ -C "error" @@ -9301,13 +8959,13 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: openssl client, DTLS 1.2" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ - mtu=512 force_version=dtls1_2" \ + mtu=512 force_version=dtls12" \ "$O_CLI -dtls1_2" \ 0 \ -s "fragmenting handshake message" @@ -9322,7 +8980,7 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 client_needs_more_time 4 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \ -p "$P_PXY drop=8 delay=8 duplicate=8" \ @@ -9330,7 +8988,7 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \ "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ - hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \ + hs_timeout=250-60000 mtu=512 force_version=dtls12" \ 0 \ -c "fragmenting handshake message" \ -C "error" @@ -9341,14 +8999,14 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 client_needs_more_time 4 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \ -p "$P_PXY drop=8 delay=8 duplicate=8" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ - hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \ + hs_timeout=250-60000 mtu=512 force_version=dtls12" \ "$G_NEXT_CLI -u --insecure 127.0.0.1" \ 0 \ -s "fragmenting handshake message" @@ -9364,7 +9022,7 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 client_needs_more_time 4 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \ -p "$P_PXY drop=8 delay=8 duplicate=8" \ @@ -9372,7 +9030,7 @@ run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ - hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \ + hs_timeout=250-60000 mtu=512 force_version=dtls12" \ 0 \ -c "fragmenting handshake message" \ -C "error" @@ -9383,14 +9041,14 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 client_needs_more_time 4 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \ -p "$P_PXY drop=8 delay=8 duplicate=8" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ - hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \ + hs_timeout=250-60000 mtu=512 force_version=dtls12" \ "$O_CLI -dtls1_2" \ 0 \ -s "fragmenting handshake message" @@ -9931,7 +9589,7 @@ run_test "DTLS-SRTP all profiles supported. mki used. gnutls server." \ # Tests for specific things with "unreliable" UDP connection not_with_valgrind # spurious resend due to timeout -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: reference" \ -p "$P_PXY" \ "$P_SRV dtls=1 debug_level=2 hs_timeout=10000-20000" \ @@ -9950,7 +9608,7 @@ run_test "DTLS proxy: reference" \ -c "HTTP/1.0 200 OK" not_with_valgrind # spurious resend due to timeout -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: duplicate every packet" \ -p "$P_PXY duplicate=1" \ "$P_SRV dtls=1 dgram_packing=0 debug_level=2 hs_timeout=10000-20000" \ @@ -9964,7 +9622,7 @@ run_test "DTLS proxy: duplicate every packet" \ -s "Extra-header:" \ -c "HTTP/1.0 200 OK" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: duplicate every packet, server anti-replay off" \ -p "$P_PXY duplicate=1" \ "$P_SRV dtls=1 dgram_packing=0 debug_level=2 anti_replay=0" \ @@ -9979,7 +9637,7 @@ run_test "DTLS proxy: duplicate every packet, server anti-replay off" \ -s "Extra-header:" \ -c "HTTP/1.0 200 OK" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: multiple records in same datagram" \ -p "$P_PXY pack=50" \ "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \ @@ -9988,7 +9646,7 @@ run_test "DTLS proxy: multiple records in same datagram" \ -c "next record in same datagram" \ -s "next record in same datagram" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: multiple records in same datagram, duplicate every packet" \ -p "$P_PXY pack=50 duplicate=1" \ "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \ @@ -9997,7 +9655,7 @@ run_test "DTLS proxy: multiple records in same datagram, duplicate every pack -c "next record in same datagram" \ -s "next record in same datagram" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \ -p "$P_PXY bad_ad=1" \ "$P_SRV dtls=1 dgram_packing=0 debug_level=1" \ @@ -10010,7 +9668,7 @@ run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \ -S "too many records with bad MAC" \ -S "Verification of the message MAC failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \ -p "$P_PXY bad_ad=1" \ "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=1" \ @@ -10023,7 +9681,7 @@ run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \ -s "too many records with bad MAC" \ -s "Verification of the message MAC failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \ -p "$P_PXY bad_ad=1" \ "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=2" \ @@ -10036,7 +9694,7 @@ run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \ -S "too many records with bad MAC" \ -S "Verification of the message MAC failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\ -p "$P_PXY bad_ad=1" \ "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=2 exchanges=2" \ @@ -10049,7 +9707,7 @@ run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\ -s "too many records with bad MAC" \ -s "Verification of the message MAC failed" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: delay ChangeCipherSpec" \ -p "$P_PXY delay_ccs=1" \ "$P_SRV dtls=1 debug_level=1 dgram_packing=0" \ @@ -10062,7 +9720,7 @@ run_test "DTLS proxy: delay ChangeCipherSpec" \ # Tests for reordering support with DTLS -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS reordering: Buffer out-of-order handshake message on client" \ -p "$P_PXY delay_srv=ServerHello" \ "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \ @@ -10079,7 +9737,7 @@ run_test "DTLS reordering: Buffer out-of-order handshake message on client" \ -S "Injecting buffered CCS message" \ -S "Remember CCS message" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS reordering: Buffer out-of-order handshake message fragment on client" \ -p "$P_PXY delay_srv=ServerHello" \ "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \ @@ -10103,7 +9761,7 @@ run_test "DTLS reordering: Buffer out-of-order handshake message fragment on # in size, so that the bound below ensures that the certificate can be reassembled # while keeping the ServerKeyExchange. requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1300 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next" \ -p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \ "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \ @@ -10126,7 +9784,7 @@ run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling nex # when dropping it first. requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 900 requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1299 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg" \ -p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \ "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \ @@ -10144,7 +9802,7 @@ run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling nex -S "Injecting buffered CCS message" \ -S "Remember CCS message" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS reordering: Buffer out-of-order handshake message on server" \ -p "$P_PXY delay_cli=Certificate" \ "$P_SRV dgram_packing=0 auth_mode=required cookies=0 dtls=1 debug_level=2 \ @@ -10161,7 +9819,7 @@ run_test "DTLS reordering: Buffer out-of-order handshake message on server" \ -S "Injecting buffered CCS message" \ -S "Remember CCS message" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS reordering: Buffer out-of-order CCS message on client"\ -p "$P_PXY delay_srv=NewSessionTicket" \ "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \ @@ -10178,7 +9836,7 @@ run_test "DTLS reordering: Buffer out-of-order CCS message on client"\ -S "Injecting buffered CCS message" \ -S "Remember CCS message" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS reordering: Buffer out-of-order CCS message on server"\ -p "$P_PXY delay_cli=ClientKeyExchange" \ "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \ @@ -10195,7 +9853,7 @@ run_test "DTLS reordering: Buffer out-of-order CCS message on server"\ -s "Injecting buffered CCS message" \ -s "Remember CCS message" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS reordering: Buffer encrypted Finished message" \ -p "$P_PXY delay_ccs=1" \ "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \ @@ -10225,7 +9883,7 @@ run_test "DTLS reordering: Buffer encrypted Finished message" \ # handshake, omitting CRTs. requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 190 requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 230 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket" \ -p "$P_PXY delay_srv=NewSessionTicket delay_srv=NewSessionTicket delay_ccs=1" \ "$P_SRV mtu=140 response_size=90 dgram_packing=0 psk=abc123 psk_identity=foo cookies=0 dtls=1 debug_level=2" \ @@ -10240,7 +9898,7 @@ run_test "DTLS reordering: Buffer encrypted Finished message, drop for fragme # Tests for "randomly unreliable connection": try a variety of flows and peers client_needs_more_time 2 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \ @@ -10252,7 +9910,7 @@ run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \ -c "HTTP/1.0 200 OK" client_needs_more_time 2 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: 3d, \"short\" RSA handshake" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \ @@ -10263,7 +9921,7 @@ run_test "DTLS proxy: 3d, \"short\" RSA handshake" \ -c "HTTP/1.0 200 OK" client_needs_more_time 2 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \ @@ -10273,7 +9931,7 @@ run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \ -c "HTTP/1.0 200 OK" client_needs_more_time 2 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: 3d, FS, client auth" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=required" \ @@ -10283,7 +9941,7 @@ run_test "DTLS proxy: 3d, FS, client auth" \ -c "HTTP/1.0 200 OK" client_needs_more_time 2 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: 3d, FS, ticket" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=none" \ @@ -10293,7 +9951,7 @@ run_test "DTLS proxy: 3d, FS, ticket" \ -c "HTTP/1.0 200 OK" client_needs_more_time 2 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=required" \ @@ -10303,7 +9961,7 @@ run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \ -c "HTTP/1.0 200 OK" client_needs_more_time 2 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: 3d, max handshake, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1 \ @@ -10314,7 +9972,7 @@ run_test "DTLS proxy: 3d, max handshake, nbio" \ -c "HTTP/1.0 200 OK" client_needs_more_time 4 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: 3d, min handshake, resumption" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \ @@ -10329,7 +9987,7 @@ run_test "DTLS proxy: 3d, min handshake, resumption" \ -c "HTTP/1.0 200 OK" client_needs_more_time 4 -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \ @@ -10345,7 +10003,7 @@ run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \ client_needs_more_time 4 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \ @@ -10361,7 +10019,7 @@ run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \ client_needs_more_time 4 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \ @@ -10377,7 +10035,7 @@ run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \ client_needs_more_time 4 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \ @@ -10394,7 +10052,7 @@ run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \ client_needs_more_time 4 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \ @@ -10417,7 +10075,7 @@ run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \ skip_next_test client_needs_more_time 6 not_with_valgrind # risk of non-mbedtls peer timing out -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: 3d, openssl server" \ -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \ "$O_SRV -dtls1 -mtu 2048" \ @@ -10428,7 +10086,7 @@ run_test "DTLS proxy: 3d, openssl server" \ skip_next_test # see above client_needs_more_time 8 not_with_valgrind # risk of non-mbedtls peer timing out -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: 3d, openssl server, fragmentation" \ -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \ "$O_SRV -dtls1 -mtu 768" \ @@ -10439,7 +10097,7 @@ run_test "DTLS proxy: 3d, openssl server, fragmentation" \ skip_next_test # see above client_needs_more_time 8 not_with_valgrind # risk of non-mbedtls peer timing out -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \ "$O_SRV -dtls1 -mtu 768" \ @@ -10450,7 +10108,7 @@ run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \ requires_gnutls client_needs_more_time 6 not_with_valgrind # risk of non-mbedtls peer timing out -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: 3d, gnutls server" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$G_SRV -u --mtu 2048 -a" \ @@ -10462,7 +10120,7 @@ run_test "DTLS proxy: 3d, gnutls server" \ requires_gnutls_next client_needs_more_time 8 not_with_valgrind # risk of non-mbedtls peer timing out -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: 3d, gnutls server, fragmentation" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$G_NEXT_SRV -u --mtu 512" \ @@ -10474,7 +10132,7 @@ run_test "DTLS proxy: 3d, gnutls server, fragmentation" \ requires_gnutls_next client_needs_more_time 8 not_with_valgrind # risk of non-mbedtls peer timing out -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$G_NEXT_SRV -u --mtu 512" \ @@ -10483,7 +10141,7 @@ run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \ -s "Extra-header:" \ -c "Extra-header:" -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "export keys functionality" \ "$P_SRV eap_tls=1 debug_level=3" \ "$P_CLI eap_tls=1 debug_level=3" \ @@ -10507,69 +10165,219 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3: Test gnutls tls1_3 feature" \ - "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE" \ + "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE --disable-client-cert " \ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \ 0 \ -s "Version: TLS1.3" \ -c "Version: TLS1.3" requires_openssl_tls1_3 -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_disabled MBEDTLS_USE_PSA_CRYPTO -run_test "TLS 1.3: Test client hello msg work - openssl" \ - "$O_NEXT_SRV -tls1_3 -msg -no_middlebox" \ - "$P_CLI debug_level=3 min_version=tls1_3 max_version=tls1_3" \ - 0 \ - -s "ServerHello" \ - -c "tls1_3 client state: 0" \ - -c "tls1_3 client state: 2" \ - -c "tls1_3 client state: 26" \ - -c "tls1_3 client state: 5" \ - -c "tls1_3 client state: 3" \ - -c "tls1_3 client state: 9" \ - -c "tls1_3 client state: 13" \ - -c "tls1_3 client state: 7" \ - -c "tls1_3 client state: 25" \ - -c "tls1_3 client state: 11" \ - -c "tls1_3 client state: 14" \ - -c "tls1_3 client state: 15" \ - -c "<= ssl_tls1_3_process_server_hello" \ +run_test "TLS 1.3: minimal feature sets - openssl" \ + "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI debug_level=3 min_version=tls13 max_version=tls13" \ + 0 \ + -c "tls13 client state: MBEDTLS_SSL_HELLO_REQUEST(0)" \ + -c "tls13 client state: MBEDTLS_SSL_SERVER_HELLO(2)" \ + -c "tls13 client state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS(26)" \ + -c "tls13 client state: MBEDTLS_SSL_CERTIFICATE_REQUEST(5)" \ + -c "tls13 client state: MBEDTLS_SSL_SERVER_CERTIFICATE(3)" \ + -c "tls13 client state: MBEDTLS_SSL_CERTIFICATE_VERIFY(9)" \ + -c "tls13 client state: MBEDTLS_SSL_SERVER_FINISHED(13)" \ + -c "tls13 client state: MBEDTLS_SSL_CLIENT_CERTIFICATE(7)" \ + -c "tls13 client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY(25)" \ + -c "tls13 client state: MBEDTLS_SSL_CLIENT_FINISHED(11)" \ + -c "tls13 client state: MBEDTLS_SSL_FLUSH_BUFFERS(14)" \ + -c "tls13 client state: MBEDTLS_SSL_HANDSHAKE_WRAPUP(15)" \ + -c "<= ssl_tls13_process_server_hello" \ -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ -c "ECDH curve: x25519" \ - -c "=> ssl_tls1_3_process_server_hello" \ - -c "<= parse encrypted extensions" + -c "=> ssl_tls13_process_server_hello" \ + -c "<= parse encrypted extensions" \ + -c "Certificate verification flags clear" \ + -c "=> parse certificate verify" \ + -c "<= parse certificate verify" \ + -c "mbedtls_ssl_tls13_process_certificate_verify() returned 0" \ + -c "<= parse finished message" \ + -c "HTTP/1.0 200 ok" requires_gnutls_tls1_3 -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_gnutls_next_no_ticket +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_disabled MBEDTLS_USE_PSA_CRYPTO -run_test "TLS 1.3: Test client hello msg work - gnutls" \ - "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%DISABLE_TLS13_COMPAT_MODE --debug=4" \ - "$P_CLI debug_level=3 min_version=tls1_3 max_version=tls1_3" \ - 1 \ - -c "tls1_3 client state: 0" \ - -c "tls1_3 client state: 2" \ - -c "tls1_3 client state: 26" \ - -c "tls1_3 client state: 5" \ - -c "tls1_3 client state: 3" \ - -c "tls1_3 client state: 9" \ - -c "tls1_3 client state: 13" \ - -c "tls1_3 client state: 7" \ - -c "tls1_3 client state: 25" \ - -c "<= ssl_tls1_3_process_server_hello" \ +run_test "TLS 1.3: minimal feature sets - gnutls" \ + "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS --disable-client-cert" \ + "$P_CLI debug_level=3 min_version=tls13 max_version=tls13" \ + 0 \ + -s "SERVER HELLO was queued" \ + -c "tls13 client state: MBEDTLS_SSL_HELLO_REQUEST(0)" \ + -c "tls13 client state: MBEDTLS_SSL_SERVER_HELLO(2)" \ + -c "tls13 client state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS(26)" \ + -c "tls13 client state: MBEDTLS_SSL_CERTIFICATE_REQUEST(5)" \ + -c "tls13 client state: MBEDTLS_SSL_SERVER_CERTIFICATE(3)" \ + -c "tls13 client state: MBEDTLS_SSL_CERTIFICATE_VERIFY(9)" \ + -c "tls13 client state: MBEDTLS_SSL_SERVER_FINISHED(13)" \ + -c "tls13 client state: MBEDTLS_SSL_CLIENT_CERTIFICATE(7)" \ + -c "tls13 client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY(25)" \ + -c "tls13 client state: MBEDTLS_SSL_CLIENT_FINISHED(11)" \ + -c "tls13 client state: MBEDTLS_SSL_FLUSH_BUFFERS(14)" \ + -c "tls13 client state: MBEDTLS_SSL_HANDSHAKE_WRAPUP(15)" \ + -c "<= ssl_tls13_process_server_hello" \ -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \ -c "ECDH curve: x25519" \ - -c "=> ssl_tls1_3_process_server_hello" \ - -c "<= parse encrypted extensions" + -c "=> ssl_tls13_process_server_hello" \ + -c "<= parse encrypted extensions" \ + -c "Certificate verification flags clear" \ + -c "=> parse certificate verify" \ + -c "<= parse certificate verify" \ + -c "mbedtls_ssl_tls13_process_certificate_verify() returned 0" \ + -c "<= parse finished message" \ + -c "HTTP/1.0 200 OK" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +skip_handshake_stage_check +requires_gnutls_tls1_3 +run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.0" \ + "$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0 -d 4" \ + "$P_CLI min_version=tls13 max_version=tls13 debug_level=4" \ + 1 \ + -s "Client's version: 3.3" \ + -S "Version: TLS1.0" \ + -C "Protocol is TLSv1.0" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +skip_handshake_stage_check +requires_gnutls_tls1_3 +run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.1" \ + "$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1 -d 4" \ + "$P_CLI min_version=tls13 max_version=tls13 debug_level=4" \ + 1 \ + -s "Client's version: 3.3" \ + -S "Version: TLS1.1" \ + -C "Protocol is TLSv1.1" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +skip_handshake_stage_check +requires_gnutls_tls1_3 +run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.2" \ + "$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 -d 4" \ + "$P_CLI min_version=tls13 max_version=tls13 debug_level=4" \ + 1 \ + -s "Client's version: 3.3" \ + -S "Version: TLS1.2" \ + -C "Protocol is TLSv1.2" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +skip_handshake_stage_check +requires_openssl_next +run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.0" \ + "$O_NEXT_SRV -msg -tls1" \ + "$P_CLI min_version=tls13 max_version=tls13 debug_level=4" \ + 1 \ + -s "fatal protocol_version" \ + -S "Version: TLS1.0" \ + -C "Protocol : TLSv1.0" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +skip_handshake_stage_check +requires_openssl_next +run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.1" \ + "$O_NEXT_SRV -msg -tls1_1" \ + "$P_CLI min_version=tls13 max_version=tls13 debug_level=4" \ + 1 \ + -s "fatal protocol_version" \ + -S "Version: TLS1.1" \ + -C "Protocol : TLSv1.1" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +skip_handshake_stage_check +requires_openssl_next +run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.2" \ + "$O_NEXT_SRV -msg -tls1_2" \ + "$P_CLI min_version=tls13 max_version=tls13 debug_level=4" \ + 1 \ + -s "fatal protocol_version" \ + -S "Version: TLS1.2" \ + -C "Protocol : TLSv1.2" + +for i in $(ls opt-testcases/*.sh) +do + . $i +done + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +run_test "TLS 1.3 m->O both peers do not support middlebox compatibility" \ + "$O_NEXT_SRV -msg -tls1_3 -no_middlebox -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI debug_level=3 min_version=tls13 max_version=tls13" \ + 0 \ + -c "HTTP/1.0 200 ok" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +run_test "TLS 1.3 m->O server with middlebox compat support, not client" \ + "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI debug_level=3 min_version=tls13 max_version=tls13" \ + 1 + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +run_test "TLS 1.3 m->G both peers do not support middlebox compatibility" \ + "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE --disable-client-cert" \ + "$P_CLI debug_level=3 min_version=tls13 max_version=tls13" \ + 0 \ + -c "HTTP/1.0 200 OK" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +run_test "TLS 1.3 m->G server with middlebox compat support, not client" \ + "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS --disable-client-cert" \ + "$P_CLI debug_level=3 min_version=tls13 max_version=tls13" \ + 1 # Test heap memory usage after handshake requires_config_enabled MBEDTLS_MEMORY_DEBUG requires_config_enabled MBEDTLS_MEMORY_BUFFER_ALLOC_C requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_max_content_len 16384 run_tests_memory_after_hanshake # Final report diff --git a/tests/suites/target_test.function b/tests/suites/target_test.function deleted file mode 100644 index 637a79d5eef4..000000000000 --- a/tests/suites/target_test.function +++ /dev/null @@ -1,449 +0,0 @@ -#line 2 "suites/target_test.function" - -#include "greentea-client/test_env.h" - -/** - * \brief Increments pointer and asserts that it does not overflow. - * - * \param p Pointer to byte array - * \param start Pointer to start of byte array - * \param len Length of byte array - * \param step Increment size - * - */ -#define INCR_ASSERT(p, start, len, step) do \ -{ \ - TEST_HELPER_ASSERT( ( p ) >= ( start ) ); \ - TEST_HELPER_ASSERT( sizeof( *( p ) ) == sizeof( *( start ) ) ); \ - /* <= is checked to support use inside a loop where \ - pointer is incremented after reading data. */ \ - TEST_HELPER_ASSERT( (uint32_t)( ( ( p ) - ( start ) ) + ( step ) ) <= ( len ) );\ - ( p ) += ( step ); \ -} \ -while( 0 ) - - -/** - * \brief 4 byte align unsigned char pointer - * - * \param p Pointer to byte array - * \param start Pointer to start of byte array - * \param len Length of byte array - * - */ -#define ALIGN_32BIT(p, start, len) do \ -{ \ - uint32_t align = ( - (uintptr_t)( p ) ) % 4; \ - INCR_ASSERT( ( p ), ( start ), ( len ), align );\ -} \ -while( 0 ) - - -/** - * \brief Verify dependencies. Dependency identifiers are - * encoded in the buffer as 8 bit unsigned integers. - * - * \param count Number of dependencies. - * \param dep_p Pointer to buffer. - * - * \return DEPENDENCY_SUPPORTED if success else DEPENDENCY_NOT_SUPPORTED. - */ -int verify_dependencies( uint8_t count, uint8_t * dep_p ) -{ - uint8_t i; - for ( i = 0; i < count; i++ ) - { - if ( dep_check( (int)(dep_p[i]) ) != DEPENDENCY_SUPPORTED ) - return( DEPENDENCY_NOT_SUPPORTED ); - } - return( DEPENDENCY_SUPPORTED ); -} - -/** - * \brief Receives hex string on serial interface, and converts to a byte. - * - * \param none - * - * \return unsigned int8 - */ -uint8_t receive_byte() -{ - uint8_t byte; - uint8_t c[3]; - size_t len; - - c[0] = greentea_getc(); - c[1] = greentea_getc(); - c[2] = '\0'; - - TEST_HELPER_ASSERT( mbedtls_test_unhexify( &byte, sizeof( byte ), - c, &len ) == 0 ); - TEST_HELPER_ASSERT( len != 2 ); - - return( byte ); -} - -/** - * \brief Receives unsigned integer on serial interface. - * Integers are encoded in network order, and sent as hex ascii string. - * - * \param none - * - * \return unsigned int - */ -uint32_t receive_uint32() -{ - uint32_t value; - size_t len; - const uint8_t c_be[8] = { greentea_getc(), - greentea_getc(), - greentea_getc(), - greentea_getc(), - greentea_getc(), - greentea_getc(), - greentea_getc(), - greentea_getc() - }; - const uint8_t c[9] = { c_be[6], c_be[7], c_be[4], c_be[5], c_be[2], - c_be[3], c_be[0], c_be[1], '\0' }; - - TEST_HELPER_ASSERT( mbedtls_test_unhexify( (uint8_t*)&value, sizeof( value ), - c, &len ) == 0 ); - TEST_HELPER_ASSERT( len != 8 ); - - return( value ); -} - -/** - * \brief Parses out an unsigned 32 int value from the byte array. - * Integers are encoded in network order. - * - * \param p Pointer to byte array - * - * \return unsigned int - */ -uint32_t parse_uint32( uint8_t * p ) -{ - uint32_t value; - value = *p++ << 24; - value |= *p++ << 16; - value |= *p++ << 8; - value |= *p; - return( value ); -} - - -/** - * \brief Receives test data on serial as greentea key,value pair: - * {{<length>;<byte array>}} - * - * \param data_len Out pointer to hold received data length. - * - * \return Byte array. - */ -uint8_t * receive_data( uint32_t * data_len ) -{ - uint32_t i = 0, errors = 0; - char c; - uint8_t * data = NULL; - - /* Read opening braces */ - i = 0; - while ( i < 2 ) - { - c = greentea_getc(); - /* Ignore any prevous CR LF characters */ - if ( c == '\n' || c == '\r' ) - continue; - i++; - if ( c != '{' ) - return( NULL ); - } - - /* Read data length */ - *data_len = receive_uint32(); - data = (uint8_t *)malloc( *data_len ); - TEST_HELPER_ASSERT( data != NULL ); - - greentea_getc(); // read ';' received after key i.e. *data_len - - for( i = 0; i < *data_len; i++ ) - data[i] = receive_byte(); - - /* Read closing braces */ - for( i = 0; i < 2; i++ ) - { - c = greentea_getc(); - if ( c != '}' ) - { - errors++; - break; - } - } - - if ( errors ) - { - free( data ); - data = NULL; - *data_len = 0; - } - - return( data ); -} - -/** - * \brief Parse the received byte array and count the number of arguments - * to the test function passed as type hex. - * - * \param count Parameter count - * \param data Received Byte array - * \param data_len Byte array length - * - * \return count of hex params - */ -uint32_t find_hex_count( uint8_t count, uint8_t * data, uint32_t data_len ) -{ - uint32_t i = 0, sz = 0; - char c; - uint8_t * p = NULL; - uint32_t hex_count = 0; - - p = data; - - for( i = 0; i < count; i++ ) - { - c = (char)*p; - INCR_ASSERT( p, data, data_len, 1 ); - - /* Align p to 4 bytes for int, expression, string len or hex length */ - ALIGN_32BIT( p, data, data_len ); - - /* Network to host conversion */ - sz = (int32_t)parse_uint32( p ); - - INCR_ASSERT( p, data, data_len, sizeof( int32_t ) ); - - if ( c == 'H' || c == 'S' ) - { - INCR_ASSERT( p, data, data_len, sz ); - hex_count += ( c == 'H' )?1:0; - } - } - - return( hex_count ); -} - -/** - * \brief Parses received byte array for test parameters. - * - * \param count Parameter count - * \param data Received Byte array - * \param data_len Byte array length - * \param error Parsing error out variable. - * - * \return Array of parsed parameters allocated on heap. - * Note: Caller has the responsibility to delete - * the memory after use. - */ -void ** parse_parameters( uint8_t count, uint8_t * data, uint32_t data_len, - int * error ) -{ - uint32_t i = 0, hex_count = 0; - char c; - void ** params = NULL; - void ** cur = NULL; - uint8_t * p = NULL; - - hex_count = find_hex_count(count, data, data_len); - - params = (void **)malloc( sizeof( void *) * ( count + hex_count ) ); - TEST_HELPER_ASSERT( params != NULL ); - cur = params; - - p = data; - - /* Parameters */ - for( i = 0; i < count; i++ ) - { - c = (char)*p; - INCR_ASSERT( p, data, data_len, 1 ); - - /* Align p to 4 bytes for int, expression, string len or hex length */ - ALIGN_32BIT( p, data, data_len ); - - /* Network to host conversion */ - *( (int32_t *)p ) = (int32_t)parse_uint32( p ); - - switch( c ) - { - case 'E': - { - if ( get_expression( *( (int32_t *)p ), (int32_t *)p ) ) - { - *error = KEY_VALUE_MAPPING_NOT_FOUND; - goto exit; - } - } /* Intentional fall through */ - case 'I': - { - *cur++ = (void *)p; - INCR_ASSERT( p, data, data_len, sizeof( int32_t ) ); - } - break; - case 'H': /* Intentional fall through */ - case 'S': - { - uint32_t * sz = (uint32_t *)p; - INCR_ASSERT( p, data, data_len, sizeof( int32_t ) ); - *cur++ = (void *)p; - if ( c == 'H' ) - *cur++ = (void *)sz; - INCR_ASSERT( p, data, data_len, ( *sz ) ); - } - break; - default: - { - *error = DISPATCH_INVALID_TEST_DATA; - goto exit; - } - break; - } - } - -exit: - if ( *error ) - { - free( params ); - params = NULL; - } - - return( params ); -} - -/** - * \brief Sends greentea key and int value pair to host. - * - * \param key key string - * \param value integer value - * - * \return void - */ -void send_key_integer( char * key, int value ) -{ - char str[50]; - snprintf( str, sizeof( str ), "%d", value ); - greentea_send_kv( key, str ); -} - -/** - * \brief Sends test setup failure to the host. - * - * \param failure Test set failure - * - * \return void - */ -void send_failure( int failure ) -{ - send_key_integer( "F", failure ); -} - -/** - * \brief Sends test status to the host. - * - * \param status Test status (PASS=0/FAIL=!0) - * - * \return void - */ -void send_status( int status ) -{ - send_key_integer( "R", status ); -} - - -/** - * \brief Embedded implementation of execute_tests(). - * Ignores command line and received test data - * on serial. - * - * \param argc not used - * \param argv not used - * - * \return Program exit status. - */ -int execute_tests( int args, const char ** argv ) -{ - int ret = 0; - uint32_t data_len = 0; - uint8_t count = 0, function_id; - void ** params = NULL; - uint8_t * data = NULL, * p = NULL; - - GREENTEA_SETUP( 800, "mbedtls_test" ); - greentea_send_kv( "GO", " " ); - - while ( 1 ) - { - ret = 0; - mbedtls_test_info_reset( ); - data_len = 0; - - data = receive_data( &data_len ); - if ( data == NULL ) - continue; - p = data; - - do - { - /* Read dependency count */ - count = *p; - TEST_HELPER_ASSERT( count < data_len ); - INCR_ASSERT( p, data, data_len, sizeof( uint8_t ) ); - ret = verify_dependencies( count, p ); - if ( ret != DEPENDENCY_SUPPORTED ) - break; - - if ( count ) - INCR_ASSERT( p, data, data_len, count ); - - /* Read function id */ - function_id = *p; - INCR_ASSERT( p, data, data_len, sizeof( uint8_t ) ); - if ( ( ret = check_test( function_id ) ) != DISPATCH_TEST_SUCCESS ) - break; - - /* Read number of parameters */ - count = *p; - INCR_ASSERT( p, data, data_len, sizeof( uint8_t ) ); - - /* Parse parameters if present */ - if ( count ) - { - params = parse_parameters( count, p, data_len - ( p - data ), &ret ); - if ( ret ) - break; - } - - ret = dispatch_test( function_id, params ); - } - while ( 0 ); - - if ( data ) - { - free( data ); - data = NULL; - } - - if ( params ) - { - free( params ); - params = NULL; - } - - if ( ret ) - send_failure( ret ); - else - send_status( mbedtls_test_info.result ); - } - return( 0 ); -} - diff --git a/tests/suites/test_suite_base64.function b/tests/suites/test_suite_base64.function index 67fbb675059c..7baa3d501c80 100644 --- a/tests/suites/test_suite_base64.function +++ b/tests/suites/test_suite_base64.function @@ -1,6 +1,7 @@ /* BEGIN_HEADER */ #include "mbedtls/base64.h" -#include "base64_invasive.h" +#include "constant_time_internal.h" +#include "constant_time_invasive.h" #include <test/constant_flow.h> #if defined(MBEDTLS_TEST_HOOKS) @@ -24,7 +25,7 @@ void mask_of_range( int low_arg, int high_arg ) { mbedtls_test_set_step( c ); TEST_CF_SECRET( &c, sizeof( c ) ); - unsigned char m = mbedtls_base64_mask_of_range( low, high, c ); + unsigned char m = mbedtls_ct_uchar_mask_of_range( low, high, c ); TEST_CF_PUBLIC( &c, sizeof( c ) ); TEST_CF_PUBLIC( &m, sizeof( m ) ); if( low <= c && c <= high ) @@ -42,7 +43,7 @@ void enc_chars( ) { mbedtls_test_set_step( value ); TEST_CF_SECRET( &value, sizeof( value ) ); - unsigned char digit = mbedtls_base64_enc_char( value ); + unsigned char digit = mbedtls_ct_base64_enc_char( value ); TEST_CF_PUBLIC( &value, sizeof( value ) ); TEST_CF_PUBLIC( &digit, sizeof( digit ) ); TEST_EQUAL( digit, base64_digits[value] ); @@ -66,7 +67,7 @@ void dec_chars( ) else expected = p - base64_digits; TEST_CF_SECRET( &c, sizeof( c ) ); - signed char actual = mbedtls_base64_dec_value( c ); + signed char actual = mbedtls_ct_base64_dec_value( c ); TEST_CF_PUBLIC( &c, sizeof( c ) ); TEST_CF_PUBLIC( &actual, sizeof( actual ) ); TEST_EQUAL( actual, expected ); diff --git a/tests/suites/test_suite_ccm.data b/tests/suites/test_suite_ccm.data index 591e0d90675a..61e6e9b9910e 100644 --- a/tests/suites/test_suite_ccm.data +++ b/tests/suites/test_suite_ccm.data @@ -1744,3 +1744,11 @@ mbedtls_ccm_unexpected_ad::MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50d CCM encrypt, unexpected ciphertext/plaintext data, NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16) depends_on:MBEDTLS_AES_C mbedtls_ccm_unexpected_text:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa" + +CCM* encrypt, no auth NIST VADT AES-256 #1 (P=24, N=13) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_star_no_tag:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"26511fb51fcfa75cb4b44da75a6e5a0eb8d9c8f3b906f886df3ba3e6da3a1389":"30d56ff2a25b83fee791110fcaea48e41db7c7f098a81000":"72a60f345a1978fb40f28a2fa4":"55f068c0bbba8b598013dd1841fd740fda2902322148ab5e" + +CCM* decrypt, no auth NIST DVPT AES-128 #15 (P=24, N=13) +depends_on:MBEDTLS_AES_C +mbedtls_ccm_star_no_tag:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"90929a4b0ac65b350ad1591611fe4829":"4bfe4e35784f0a65b545477e5e2f4bae0e1e6fa717eaf2cb":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697" diff --git a/tests/suites/test_suite_ccm.function b/tests/suites/test_suite_ccm.function index e48b1f990a31..a7ba0dea2050 100644 --- a/tests/suites/test_suite_ccm.function +++ b/tests/suites/test_suite_ccm.function @@ -231,6 +231,31 @@ exit: } /* END_CASE */ +/* BEGIN_CASE */ +void mbedtls_ccm_star_no_tag( int cipher_id, int mode, data_t * key, + data_t * msg, data_t * iv, data_t * result ) +{ + mbedtls_ccm_context ctx; + uint8_t *output = NULL; + size_t olen; + + mbedtls_ccm_init( &ctx ); + TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 ); + TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) ); + TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, 0, msg->len, 0 ) ); + + ASSERT_ALLOC( output, msg->len ); + TEST_EQUAL( 0, mbedtls_ccm_update( &ctx, msg->x, msg->len, output, msg->len, &olen ) ); + TEST_EQUAL( result->len, olen ); + ASSERT_COMPARE( output, olen, result->x, result->len ); + + TEST_EQUAL( 0, mbedtls_ccm_finish( &ctx, NULL, 0 ) ); +exit: + mbedtls_free(output); + mbedtls_ccm_free( &ctx ); +} +/* END_CASE */ + /* BEGIN_CASE */ void mbedtls_ccm_auth_decrypt( int cipher_id, data_t * key, data_t * msg, data_t * iv, diff --git a/tests/suites/test_suite_cipher.aes.data b/tests/suites/test_suite_cipher.aes.data index c8fbca290b05..8c2ba3c2215d 100644 --- a/tests/suites/test_suite_cipher.aes.data +++ b/tests/suites/test_suite_cipher.aes.data @@ -790,6 +790,318 @@ AES-256 OFB - Encrypt and decrypt 32 bytes in multiple parts 1 depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_OFB:256:16:16:-1:16:16:16:16 +AES-128 CCM*-NO-TAG - Encrypt and decrypt 0 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:"AES-128-CCM*-NO-TAG":128:0:-1 + +AES-128 CCM*-NO-TAG - Encrypt and decrypt 1 byte +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:"AES-128-CCM*-NO-TAG":128:1:-1 + +AES-128 CCM*-NO-TAG - Encrypt and decrypt 2 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:"AES-128-CCM*-NO-TAG":128:2:-1 + +AES-128 CCM*-NO-TAG - Encrypt and decrypt 7 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:"AES-128-CCM*-NO-TAG":128:7:-1 + +AES-128 CCM*-NO-TAG - Encrypt and decrypt 8 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:"AES-128-CCM*-NO-TAG":128:8:-1 + +AES-128 CCM*-NO-TAG - Encrypt and decrypt 9 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:"AES-128-CCM*-NO-TAG":128:9:-1 + +AES-128 CCM*-NO-TAG - Encrypt and decrypt 15 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:"AES-128-CCM*-NO-TAG":128:15:-1 + +AES-128 CCM*-NO-TAG - Encrypt and decrypt 16 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:"AES-128-CCM*-NO-TAG":128:16:-1 + +AES-128 CCM*-NO-TAG - Encrypt and decrypt 17 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:"AES-128-CCM*-NO-TAG":128:17:-1 + +AES-128 CCM*-NO-TAG - Encrypt and decrypt 31 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:"AES-128-CCM*-NO-TAG":128:31:-1 + +AES-128 CCM*-NO-TAG - Encrypt and decrypt 32 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:"AES-128-CCM*-NO-TAG":128:32:-1 + +AES-128 CCM*-NO-TAG - Encrypt and decrypt 33 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:"AES-128-CCM*-NO-TAG":128:33:-1 + +AES-128 CCM*-NO-TAG - Encrypt and decrypt 47 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:"AES-128-CCM*-NO-TAG":128:47:-1 + +AES-128 CCM*-NO-TAG - Encrypt and decrypt 48 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:"AES-128-CCM*-NO-TAG":128:48:-1 + +AES-128 CCM*-NO-TAG - Encrypt and decrypt 49 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:"AES-128-CCM*-NO-TAG":128:49:-1 + +AES-128 CCM*-NO-TAG - Encrypt and decrypt 0 bytes in multiple parts +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:128:0:0:-1:0:0:0:0 + +AES-128 CCM*-NO-TAG - Encrypt and decrypt 1 bytes in multiple parts 1 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:128:1:0:-1:1:0:1:0 + +AES-128 CCM*-NO-TAG - Encrypt and decrypt 1 bytes in multiple parts 2 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:128:0:1:-1:0:1:0:1 + +AES-128 CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 1 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:128:16:0:-1:16:0:16:0 + +AES-128 CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 2 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:128:0:16:-1:0:16:0:16 + +AES-128 CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 3 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:128:1:15:-1:1:15:1:15 + +AES-128 CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 4 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:128:15:1:-1:15:1:15:1 + +AES-128 CCM*-NO-TAG - Encrypt and decrypt 22 bytes in multiple parts 1 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:128:15:7:-1:15:7:15:7 + +AES-128-CCM*-NO-TAG - Encrypt and decrypt 22 bytes in multiple parts 2 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:128:16:6:-1:16:6:16:6 + +AES-128-CCM*-NO-TAG - Encrypt and decrypt 23 bytes in multiple parts 1 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:128:17:6:-1:17:6:17:6 + +AES-128-CCM*-NO-TAG - Encrypt and decrypt 32 bytes in multiple parts 1 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:128:16:16:-1:16:16:16:16 + +AES-192-CCM*-NO-TAG - Encrypt and decrypt 0 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:"AES-192-CCM*-NO-TAG":192:0:-1 + +AES-192-CCM*-NO-TAG - Encrypt and decrypt 1 byte +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:"AES-192-CCM*-NO-TAG":192:1:-1 + +AES-192-CCM*-NO-TAG - Encrypt and decrypt 2 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:"AES-192-CCM*-NO-TAG":192:2:-1 + +AES-192-CCM*-NO-TAG - Encrypt and decrypt 7 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:"AES-192-CCM*-NO-TAG":192:7:-1 + +AES-192-CCM*-NO-TAG - Encrypt and decrypt 8 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:"AES-192-CCM*-NO-TAG":192:8:-1 + +AES-192-CCM*-NO-TAG - Encrypt and decrypt 9 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:"AES-192-CCM*-NO-TAG":192:9:-1 + +AES-192-CCM*-NO-TAG - Encrypt and decrypt 15 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:"AES-192-CCM*-NO-TAG":192:15:-1 + +AES-192-CCM*-NO-TAG - Encrypt and decrypt 16 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:"AES-192-CCM*-NO-TAG":192:16:-1 + +AES-192-CCM*-NO-TAG - Encrypt and decrypt 17 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:"AES-192-CCM*-NO-TAG":192:17:-1 + +AES-192-CCM*-NO-TAG - Encrypt and decrypt 31 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:"AES-192-CCM*-NO-TAG":192:31:-1 + +AES-192-CCM*-NO-TAG - Encrypt and decrypt 32 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:"AES-192-CCM*-NO-TAG":192:32:-1 + +AES-192-CCM*-NO-TAG - Encrypt and decrypt 33 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:"AES-192-CCM*-NO-TAG":192:33:-1 + +AES-192-CCM*-NO-TAG - Encrypt and decrypt 47 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:"AES-192-CCM*-NO-TAG":192:47:-1 + +AES-192-CCM*-NO-TAG - Encrypt and decrypt 48 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:"AES-192-CCM*-NO-TAG":192:48:-1 + +AES-192-CCM*-NO-TAG - Encrypt and decrypt 49 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:"AES-192-CCM*-NO-TAG":192:49:-1 + +AES-192-CCM*-NO-TAG - Encrypt and decrypt 0 bytes in multiple parts +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:192:0:0:-1:0:0:0:0 + +AES-192-CCM*-NO-TAG - Encrypt and decrypt 1 bytes in multiple parts 1 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:192:1:0:-1:1:0:1:0 + +AES-192-CCM*-NO-TAG - Encrypt and decrypt 1 bytes in multiple parts 2 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:192:0:1:-1:0:1:0:1 + +AES-192-CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 1 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:192:16:0:-1:16:0:16:0 + +AES-192-CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 2 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:192:0:16:-1:0:16:0:16 + +AES-192-CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 3 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:192:1:15:-1:1:15:1:15 + +AES-192-CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 4 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:192:15:1:-1:15:1:15:1 + +AES-192-CCM*-NO-TAG - Encrypt and decrypt 22 bytes in multiple parts 1 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:192:15:7:-1:15:7:15:7 + +AES-192-CCM*-NO-TAG - Encrypt and decrypt 22 bytes in multiple parts 2 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:192:16:6:-1:16:6:16:6 + +AES-192-CCM*-NO-TAG - Encrypt and decrypt 23 bytes in multiple parts 1 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:192:17:6:-1:17:6:17:6 + +AES-192-CCM*-NO-TAG - Encrypt and decrypt 32 bytes in multiple parts 1 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:192:16:16:-1:16:16:16:16 + +AES-256-CCM*-NO-TAG - Encrypt and decrypt 0 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:"AES-256-CCM*-NO-TAG":256:0:-1 + +AES-256-CCM*-NO-TAG - Encrypt and decrypt 1 byte +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:"AES-256-CCM*-NO-TAG":256:1:-1 + +AES-256-CCM*-NO-TAG - Encrypt and decrypt 2 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:"AES-256-CCM*-NO-TAG":256:2:-1 + +AES-256-CCM*-NO-TAG - Encrypt and decrypt 7 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:"AES-256-CCM*-NO-TAG":256:7:-1 + +AES-256-CCM*-NO-TAG - Encrypt and decrypt 8 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:"AES-256-CCM*-NO-TAG":256:8:-1 + +AES-256-CCM*-NO-TAG - Encrypt and decrypt 9 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:"AES-256-CCM*-NO-TAG":256:9:-1 + +AES-256-CCM*-NO-TAG - Encrypt and decrypt 15 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:"AES-256-CCM*-NO-TAG":256:15:-1 + +AES-256-CCM*-NO-TAG - Encrypt and decrypt 16 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:"AES-256-CCM*-NO-TAG":256:16:-1 + +AES-256-CCM*-NO-TAG - Encrypt and decrypt 17 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:"AES-256-CCM*-NO-TAG":256:17:-1 + +AES-256-CCM*-NO-TAG - Encrypt and decrypt 31 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:"AES-256-CCM*-NO-TAG":256:31:-1 + +AES-256-CCM*-NO-TAG - Encrypt and decrypt 32 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:"AES-256-CCM*-NO-TAG":256:32:-1 + +AES-256-CCM*-NO-TAG - Encrypt and decrypt 33 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:"AES-256-CCM*-NO-TAG":256:33:-1 + +AES-256-CCM*-NO-TAG - Encrypt and decrypt 47 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:"AES-256-CCM*-NO-TAG":256:47:-1 + +AES-256-CCM*-NO-TAG - Encrypt and decrypt 48 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:"AES-256-CCM*-NO-TAG":256:48:-1 + +AES-256-CCM*-NO-TAG - Encrypt and decrypt 49 bytes +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:"AES-256-CCM*-NO-TAG":256:49:-1 + +AES-256-CCM*-NO-TAG - Encrypt and decrypt 0 bytes in multiple parts +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:256:0:0:-1:0:0:0:0 + +AES-256-CCM*-NO-TAG - Encrypt and decrypt 1 bytes in multiple parts 1 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:256:1:0:-1:1:0:1:0 + +AES-256-CCM*-NO-TAG - Encrypt and decrypt 1 bytes in multiple parts 2 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:256:0:1:-1:0:1:0:1 + +AES-256-CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 1 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:256:16:0:-1:16:0:16:0 + +AES-256-CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 2 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:256:0:16:-1:0:16:0:16 + +AES-256-CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 3 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:256:1:15:-1:1:15:1:15 + +AES-256-CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 4 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:256:15:1:-1:15:1:15:1 + +AES-256-CCM*-NO-TAG - Encrypt and decrypt 22 bytes in multiple parts 1 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:256:15:7:-1:15:7:15:7 + +AES-256-CCM*-NO-TAG - Encrypt and decrypt 22 bytes in multiple parts 2 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:256:16:6:-1:16:6:16:6 + +AES-256-CCM*-NO-TAG - Encrypt and decrypt 23 bytes in multiple parts 1 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:256:17:6:-1:17:6:17:6 + +AES-256-CCM*-NO-TAG - Encrypt and decrypt 32 bytes in multiple parts 1 +depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:256:16:16:-1:16:16:16:16 + AES-128 XTS - Encrypt and decrypt 16 bytes depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS enc_dec_buf:MBEDTLS_CIPHER_AES_128_XTS:"AES-128-XTS":256:16:-1 @@ -1894,6 +2206,54 @@ AES-256-ECB crypt Decrypt NIST KAT #4 PSA depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_AES_C test_vec_crypt:MBEDTLS_CIPHER_AES_256_ECB:MBEDTLS_DECRYPT:"0000000000000000000000000000000000000000000000000000000000000000":"":"5c9d844ed46f9885085e5d6a4f94c7d7":"014730f80ac625fe84f026c60bfd547d":0:1 +AES-128-CCM*-NO-TAG crypt Encrypt NIST VPT AES-128 #15 +depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_AES_C:MBEDTLS_CCM_C +test_vec_crypt:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:MBEDTLS_ENCRYPT:"7301c907b9d2aaac355c5416ff25c59b":"7304b65b6dab466273862c88b9":"484300aa3a506afcd313b49ead8d":"928ca58b0d373dc50c52afac787c":0:0 + +AES-128-CCM*-NO-TAG crypt Decrypt NIST DVPT AES-128 #15 +depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_AES_C:MBEDTLS_CCM_C +test_vec_crypt:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:MBEDTLS_DECRYPT:"90929a4b0ac65b350ad1591611fe4829":"5a8aa485c316e9403aff859fbb":"4bfe4e35784f0a65b545477e5e2f4bae0e1e6fa717eaf2cb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697":0:0 + +AES-192-CCM*-NO-TAG crypt Encrypt NIST VTT AES-192 #1 +depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_AES_C:MBEDTLS_CCM_C +test_vec_crypt:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:MBEDTLS_ENCRYPT:"11fd45743d946e6d37341fec49947e8c70482494a8f07fcc":"c6aeebcb146cfafaae66f78aab":"ee7e6075ba52846de5d6254959a18affc4faf59c8ef63489":"137d9da59baf5cbfd46620c5f298fc766de10ac68e774edf":0:0 + +AES-192-CCM*-NO-TAG crypt Decrypt NIST DVPT AES-192 #15 +depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_AES_C:MBEDTLS_CCM_C +test_vec_crypt:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:MBEDTLS_DECRYPT:"90929a4b0ac65b350ad1591611fe48297e03956f6083e451":"5a8aa485c316e9403aff859fbb":"a5b7d8cca2069908d1ed88e6a9fe2c9bede3131dad54671e":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697":0:0 + +AES-256-CCM*-NO-TAG crypt Encrypt NIST VADT AES-256 #1 +depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_AES_C:MBEDTLS_CCM_C +test_vec_crypt:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:MBEDTLS_ENCRYPT:"26511fb51fcfa75cb4b44da75a6e5a0eb8d9c8f3b906f886df3ba3e6da3a1389":"72a60f345a1978fb40f28a2fa4":"30d56ff2a25b83fee791110fcaea48e41db7c7f098a81000":"55f068c0bbba8b598013dd1841fd740fda2902322148ab5e":0:0 + +AES-256-CCM*-NO-TAG crypt Decrypt NIST DVPT AES-256 #13 +depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_AES_C:MBEDTLS_CCM_C +test_vec_crypt:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:MBEDTLS_DECRYPT:"f7079dfa3b5c7b056347d7e437bcded683abd6e2c9e069d333284082cbb5d453":"a544218dadd3c10583db49cf39":"63e00d30e4b08fd2a1cc8d70fab327b2368e77a93be4f412":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e":0:0 + +AES-128-CCM*-NO-TAG crypt Encrypt NIST VPT AES-128 #15 PSA +depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_AES_C:MBEDTLS_CCM_C +test_vec_crypt:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:MBEDTLS_ENCRYPT:"7301c907b9d2aaac355c5416ff25c59b":"7304b65b6dab466273862c88b9":"484300aa3a506afcd313b49ead8d":"928ca58b0d373dc50c52afac787c":0:1 + +AES-128-CCM*-NO-TAG crypt Decrypt NIST DVPT AES-128 #15 PSA +depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_AES_C:MBEDTLS_CCM_C +test_vec_crypt:MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:MBEDTLS_DECRYPT:"90929a4b0ac65b350ad1591611fe4829":"5a8aa485c316e9403aff859fbb":"4bfe4e35784f0a65b545477e5e2f4bae0e1e6fa717eaf2cb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697":0:1 + +AES-192-CCM*-NO-TAG crypt Encrypt NIST VTT AES-192 #1 PSA +depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_AES_C:MBEDTLS_CCM_C +test_vec_crypt:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:MBEDTLS_ENCRYPT:"11fd45743d946e6d37341fec49947e8c70482494a8f07fcc":"c6aeebcb146cfafaae66f78aab":"ee7e6075ba52846de5d6254959a18affc4faf59c8ef63489":"137d9da59baf5cbfd46620c5f298fc766de10ac68e774edf":0:1 + +AES-192-CCM*-NO-TAG crypt Decrypt NIST DVPT AES-192 #15 PSA +depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_AES_C:MBEDTLS_CCM_C +test_vec_crypt:MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:MBEDTLS_DECRYPT:"90929a4b0ac65b350ad1591611fe48297e03956f6083e451":"5a8aa485c316e9403aff859fbb":"a5b7d8cca2069908d1ed88e6a9fe2c9bede3131dad54671e":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697":0:1 + +AES-256-CCM*-NO-TAG crypt Encrypt NIST VADT AES-256 #1 PSA +depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_AES_C:MBEDTLS_CCM_C +test_vec_crypt:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:MBEDTLS_ENCRYPT:"26511fb51fcfa75cb4b44da75a6e5a0eb8d9c8f3b906f886df3ba3e6da3a1389":"72a60f345a1978fb40f28a2fa4":"30d56ff2a25b83fee791110fcaea48e41db7c7f098a81000":"55f068c0bbba8b598013dd1841fd740fda2902322148ab5e":0:1 + +AES-256-CCM*-NO-TAG crypt Decrypt NIST DVPT AES-256 #13 PSA +depends_on:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_AES_C:MBEDTLS_CCM_C +test_vec_crypt:MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:MBEDTLS_DECRYPT:"f7079dfa3b5c7b056347d7e437bcded683abd6e2c9e069d333284082cbb5d453":"a544218dadd3c10583db49cf39":"63e00d30e4b08fd2a1cc8d70fab327b2368e77a93be4f412":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e":0:1 + Cipher Corner Case behaviours depends_on:MBEDTLS_AES_C cipher_special_behaviours: diff --git a/tests/suites/test_suite_cipher.aria.data b/tests/suites/test_suite_cipher.aria.data index 2c50a21fc7bf..c1e19909bcb8 100644 --- a/tests/suites/test_suite_cipher.aria.data +++ b/tests/suites/test_suite_cipher.aria.data @@ -1,3 +1,339 @@ Aria CBC Decrypt empty buffer depends_on:MBEDTLS_ARIA_C:MBEDTLS_CIPHER_MODE_CBC dec_empty_buf:MBEDTLS_CIPHER_ARIA_128_CBC:0:0 + +ARIA-128 CCM*-NO-TAG - Encrypt and decrypt 0 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:"ARIA-128-CCM*-NO-TAG":128:0:-1 + +ARIA-128 CCM*-NO-TAG - Encrypt and decrypt 1 byte +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:"ARIA-128-CCM*-NO-TAG":128:1:-1 + +ARIA-128 CCM*-NO-TAG - Encrypt and decrypt 2 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:"ARIA-128-CCM*-NO-TAG":128:2:-1 + +ARIA-128 CCM*-NO-TAG - Encrypt and decrypt 7 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:"ARIA-128-CCM*-NO-TAG":128:7:-1 + +ARIA-128 CCM*-NO-TAG - Encrypt and decrypt 8 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:"ARIA-128-CCM*-NO-TAG":128:8:-1 + +ARIA-128 CCM*-NO-TAG - Encrypt and decrypt 9 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:"ARIA-128-CCM*-NO-TAG":128:9:-1 + +ARIA-128 CCM*-NO-TAG - Encrypt and decrypt 15 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:"ARIA-128-CCM*-NO-TAG":128:15:-1 + +ARIA-128 CCM*-NO-TAG - Encrypt and decrypt 16 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:"ARIA-128-CCM*-NO-TAG":128:16:-1 + +ARIA-128 CCM*-NO-TAG - Encrypt and decrypt 17 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:"ARIA-128-CCM*-NO-TAG":128:17:-1 + +ARIA-128 CCM*-NO-TAG - Encrypt and decrypt 31 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:"ARIA-128-CCM*-NO-TAG":128:31:-1 + +ARIA-128 CCM*-NO-TAG - Encrypt and decrypt 32 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:"ARIA-128-CCM*-NO-TAG":128:32:-1 + +ARIA-128 CCM*-NO-TAG - Encrypt and decrypt 33 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:"ARIA-128-CCM*-NO-TAG":128:33:-1 + +ARIA-128 CCM*-NO-TAG - Encrypt and decrypt 47 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:"ARIA-128-CCM*-NO-TAG":128:47:-1 + +ARIA-128 CCM*-NO-TAG - Encrypt and decrypt 48 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:"ARIA-128-CCM*-NO-TAG":128:48:-1 + +ARIA-128 CCM*-NO-TAG - Encrypt and decrypt 49 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:"ARIA-128-CCM*-NO-TAG":128:49:-1 + +ARIA-128 CCM*-NO-TAG - Encrypt and decrypt 0 bytes in multiple parts +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:128:0:0:-1:0:0:0:0 + +ARIA-128 CCM*-NO-TAG - Encrypt and decrypt 1 bytes in multiple parts 1 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:128:1:0:-1:1:0:1:0 + +ARIA-128 CCM*-NO-TAG - Encrypt and decrypt 1 bytes in multiple parts 2 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:128:0:1:-1:0:1:0:1 + +ARIA-128 CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 1 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:128:16:0:-1:16:0:16:0 + +ARIA-128 CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 2 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:128:0:16:-1:0:16:0:16 + +ARIA-128 CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 3 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:128:1:15:-1:1:15:1:15 + +ARIA-128 CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 4 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:128:15:1:-1:15:1:15:1 + +ARIA-128 CCM*-NO-TAG - Encrypt and decrypt 22 bytes in multiple parts 1 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:128:15:7:-1:15:7:15:7 + +ARIA-128-CCM*-NO-TAG - Encrypt and decrypt 22 bytes in multiple parts 2 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:128:16:6:-1:16:6:16:6 + +ARIA-128-CCM*-NO-TAG - Encrypt and decrypt 23 bytes in multiple parts 1 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:128:17:6:-1:17:6:17:6 + +ARIA-128-CCM*-NO-TAG - Encrypt and decrypt 32 bytes in multiple parts 1 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:128:16:16:-1:16:16:16:16 + +ARIA-192-CCM*-NO-TAG - Encrypt and decrypt 0 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:"ARIA-192-CCM*-NO-TAG":192:0:-1 + +ARIA-192-CCM*-NO-TAG - Encrypt and decrypt 1 byte +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:"ARIA-192-CCM*-NO-TAG":192:1:-1 + +ARIA-192-CCM*-NO-TAG - Encrypt and decrypt 2 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:"ARIA-192-CCM*-NO-TAG":192:2:-1 + +ARIA-192-CCM*-NO-TAG - Encrypt and decrypt 7 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:"ARIA-192-CCM*-NO-TAG":192:7:-1 + +ARIA-192-CCM*-NO-TAG - Encrypt and decrypt 8 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:"ARIA-192-CCM*-NO-TAG":192:8:-1 + +ARIA-192-CCM*-NO-TAG - Encrypt and decrypt 9 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:"ARIA-192-CCM*-NO-TAG":192:9:-1 + +ARIA-192-CCM*-NO-TAG - Encrypt and decrypt 15 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:"ARIA-192-CCM*-NO-TAG":192:15:-1 + +ARIA-192-CCM*-NO-TAG - Encrypt and decrypt 16 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:"ARIA-192-CCM*-NO-TAG":192:16:-1 + +ARIA-192-CCM*-NO-TAG - Encrypt and decrypt 17 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:"ARIA-192-CCM*-NO-TAG":192:17:-1 + +ARIA-192-CCM*-NO-TAG - Encrypt and decrypt 31 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:"ARIA-192-CCM*-NO-TAG":192:31:-1 + +ARIA-192-CCM*-NO-TAG - Encrypt and decrypt 32 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:"ARIA-192-CCM*-NO-TAG":192:32:-1 + +ARIA-192-CCM*-NO-TAG - Encrypt and decrypt 33 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:"ARIA-192-CCM*-NO-TAG":192:33:-1 + +ARIA-192-CCM*-NO-TAG - Encrypt and decrypt 47 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:"ARIA-192-CCM*-NO-TAG":192:47:-1 + +ARIA-192-CCM*-NO-TAG - Encrypt and decrypt 48 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:"ARIA-192-CCM*-NO-TAG":192:48:-1 + +ARIA-192-CCM*-NO-TAG - Encrypt and decrypt 49 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:"ARIA-192-CCM*-NO-TAG":192:49:-1 + +ARIA-192-CCM*-NO-TAG - Encrypt and decrypt 0 bytes in multiple parts +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:192:0:0:-1:0:0:0:0 + +ARIA-192-CCM*-NO-TAG - Encrypt and decrypt 1 bytes in multiple parts 1 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:192:1:0:-1:1:0:1:0 + +ARIA-192-CCM*-NO-TAG - Encrypt and decrypt 1 bytes in multiple parts 2 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:192:0:1:-1:0:1:0:1 + +ARIA-192-CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 1 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:192:16:0:-1:16:0:16:0 + +ARIA-192-CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 2 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:192:0:16:-1:0:16:0:16 + +ARIA-192-CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 3 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:192:1:15:-1:1:15:1:15 + +ARIA-192-CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 4 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:192:15:1:-1:15:1:15:1 + +ARIA-192-CCM*-NO-TAG - Encrypt and decrypt 22 bytes in multiple parts 1 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:192:15:7:-1:15:7:15:7 + +ARIA-192-CCM*-NO-TAG - Encrypt and decrypt 22 bytes in multiple parts 2 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:192:16:6:-1:16:6:16:6 + +ARIA-192-CCM*-NO-TAG - Encrypt and decrypt 23 bytes in multiple parts 1 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:192:17:6:-1:17:6:17:6 + +ARIA-192-CCM*-NO-TAG - Encrypt and decrypt 32 bytes in multiple parts 1 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:192:16:16:-1:16:16:16:16 + +ARIA-256-CCM*-NO-TAG - Encrypt and decrypt 0 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:"ARIA-256-CCM*-NO-TAG":256:0:-1 + +ARIA-256-CCM*-NO-TAG - Encrypt and decrypt 1 byte +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:"ARIA-256-CCM*-NO-TAG":256:1:-1 + +ARIA-256-CCM*-NO-TAG - Encrypt and decrypt 2 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:"ARIA-256-CCM*-NO-TAG":256:2:-1 + +ARIA-256-CCM*-NO-TAG - Encrypt and decrypt 7 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:"ARIA-256-CCM*-NO-TAG":256:7:-1 + +ARIA-256-CCM*-NO-TAG - Encrypt and decrypt 8 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:"ARIA-256-CCM*-NO-TAG":256:8:-1 + +ARIA-256-CCM*-NO-TAG - Encrypt and decrypt 9 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:"ARIA-256-CCM*-NO-TAG":256:9:-1 + +ARIA-256-CCM*-NO-TAG - Encrypt and decrypt 15 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:"ARIA-256-CCM*-NO-TAG":256:15:-1 + +ARIA-256-CCM*-NO-TAG - Encrypt and decrypt 16 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:"ARIA-256-CCM*-NO-TAG":256:16:-1 + +ARIA-256-CCM*-NO-TAG - Encrypt and decrypt 17 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:"ARIA-256-CCM*-NO-TAG":256:17:-1 + +ARIA-256-CCM*-NO-TAG - Encrypt and decrypt 31 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:"ARIA-256-CCM*-NO-TAG":256:31:-1 + +ARIA-256-CCM*-NO-TAG - Encrypt and decrypt 32 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:"ARIA-256-CCM*-NO-TAG":256:32:-1 + +ARIA-256-CCM*-NO-TAG - Encrypt and decrypt 33 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:"ARIA-256-CCM*-NO-TAG":256:33:-1 + +ARIA-256-CCM*-NO-TAG - Encrypt and decrypt 47 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:"ARIA-256-CCM*-NO-TAG":256:47:-1 + +ARIA-256-CCM*-NO-TAG - Encrypt and decrypt 48 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:"ARIA-256-CCM*-NO-TAG":256:48:-1 + +ARIA-256-CCM*-NO-TAG - Encrypt and decrypt 49 bytes +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:"ARIA-256-CCM*-NO-TAG":256:49:-1 + +ARIA-256-CCM*-NO-TAG - Encrypt and decrypt 0 bytes in multiple parts +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:256:0:0:-1:0:0:0:0 + +ARIA-256-CCM*-NO-TAG - Encrypt and decrypt 1 bytes in multiple parts 1 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:256:1:0:-1:1:0:1:0 + +ARIA-256-CCM*-NO-TAG - Encrypt and decrypt 1 bytes in multiple parts 2 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:256:0:1:-1:0:1:0:1 + +ARIA-256-CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 1 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:256:16:0:-1:16:0:16:0 + +ARIA-256-CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 2 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:256:0:16:-1:0:16:0:16 + +ARIA-256-CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 3 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:256:1:15:-1:1:15:1:15 + +ARIA-256-CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 4 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:256:15:1:-1:15:1:15:1 + +ARIA-256-CCM*-NO-TAG - Encrypt and decrypt 22 bytes in multiple parts 1 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:256:15:7:-1:15:7:15:7 + +ARIA-256-CCM*-NO-TAG - Encrypt and decrypt 22 bytes in multiple parts 2 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:256:16:6:-1:16:6:16:6 + +ARIA-256-CCM*-NO-TAG - Encrypt and decrypt 23 bytes in multiple parts 1 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:256:17:6:-1:17:6:17:6 + +ARIA-256-CCM*-NO-TAG - Encrypt and decrypt 32 bytes in multiple parts 1 +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:256:16:16:-1:16:16:16:16 + +ARIA-128-CCM*-NO-TAG crypt Encrypt +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +test_vec_crypt:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:MBEDTLS_ENCRYPT:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"00000003020100A0A1A2A3A4A5":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E":"6781f39fdf8d1c44165fc40ee2fb11f1d6e2ddc8c6512b":0:0 + +ARIA-128-CCM*-NO-TAG crypt Decrypt +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +test_vec_crypt:MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:MBEDTLS_DECRYPT:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"00000003020100A0A1A2A3A4A5":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E":"6781f39fdf8d1c44165fc40ee2fb11f1d6e2ddc8c6512b":0:0 + +ARIA-192-CCM*-NO-TAG crypt Encrypt +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +test_vec_crypt:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:MBEDTLS_ENCRYPT:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECFC0C1C2C3C4C5C6C7":"00000003020100A0A1A2A3A4A5":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E":"993df86214d98ae70582c784903702e349dd64ece488c2":0:0 + +ARIA-192-CCM*-NO-TAG crypt Decrypt +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +test_vec_crypt:MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:MBEDTLS_DECRYPT:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECFC0C1C2C3C4C5C6C7":"00000003020100A0A1A2A3A4A5":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E":"993df86214d98ae70582c784903702e349dd64ece488c2":0:0 + +ARIA-256-CCM*-NO-TAG crypt Encrypt +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +test_vec_crypt:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:MBEDTLS_ENCRYPT:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"00000003020100A0A1A2A3A4A5":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E":"5fdd984a6aa77c1d9a204c08f28172c4b4528bee27c41f":0:0 + +ARIA-256-CCM*-NO-TAG crypt Decrypt +depends_on:MBEDTLS_ARIA_C:MBEDTLS_CCM_C +test_vec_crypt:MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:MBEDTLS_DECRYPT:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"00000003020100A0A1A2A3A4A5":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E":"5fdd984a6aa77c1d9a204c08f28172c4b4528bee27c41f":0:0 diff --git a/tests/suites/test_suite_cipher.camellia.data b/tests/suites/test_suite_cipher.camellia.data index 3e7bffa45b23..31fe92286f59 100644 --- a/tests/suites/test_suite_cipher.camellia.data +++ b/tests/suites/test_suite_cipher.camellia.data @@ -765,3 +765,339 @@ enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_256_CBC:256:17:6:-1:16:0:16:0 CAMELLIA Encrypt and decrypt 32 bytes in multiple parts 1 [#5] depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_256_CBC:256:16:16:-1:16:16:0:32 + +CAMELLIA-128 CCM*-NO-TAG - Encrypt and decrypt 0 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:"CAMELLIA-128-CCM*-NO-TAG":128:0:-1 + +CAMELLIA-128 CCM*-NO-TAG - Encrypt and decrypt 1 byte +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:"CAMELLIA-128-CCM*-NO-TAG":128:1:-1 + +CAMELLIA-128 CCM*-NO-TAG - Encrypt and decrypt 2 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:"CAMELLIA-128-CCM*-NO-TAG":128:2:-1 + +CAMELLIA-128 CCM*-NO-TAG - Encrypt and decrypt 7 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:"CAMELLIA-128-CCM*-NO-TAG":128:7:-1 + +CAMELLIA-128 CCM*-NO-TAG - Encrypt and decrypt 8 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:"CAMELLIA-128-CCM*-NO-TAG":128:8:-1 + +CAMELLIA-128 CCM*-NO-TAG - Encrypt and decrypt 9 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:"CAMELLIA-128-CCM*-NO-TAG":128:9:-1 + +CAMELLIA-128 CCM*-NO-TAG - Encrypt and decrypt 15 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:"CAMELLIA-128-CCM*-NO-TAG":128:15:-1 + +CAMELLIA-128 CCM*-NO-TAG - Encrypt and decrypt 16 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:"CAMELLIA-128-CCM*-NO-TAG":128:16:-1 + +CAMELLIA-128 CCM*-NO-TAG - Encrypt and decrypt 17 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:"CAMELLIA-128-CCM*-NO-TAG":128:17:-1 + +CAMELLIA-128 CCM*-NO-TAG - Encrypt and decrypt 31 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:"CAMELLIA-128-CCM*-NO-TAG":128:31:-1 + +CAMELLIA-128 CCM*-NO-TAG - Encrypt and decrypt 32 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:"CAMELLIA-128-CCM*-NO-TAG":128:32:-1 + +CAMELLIA-128 CCM*-NO-TAG - Encrypt and decrypt 33 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:"CAMELLIA-128-CCM*-NO-TAG":128:33:-1 + +CAMELLIA-128 CCM*-NO-TAG - Encrypt and decrypt 47 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:"CAMELLIA-128-CCM*-NO-TAG":128:47:-1 + +CAMELLIA-128 CCM*-NO-TAG - Encrypt and decrypt 48 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:"CAMELLIA-128-CCM*-NO-TAG":128:48:-1 + +CAMELLIA-128 CCM*-NO-TAG - Encrypt and decrypt 49 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:"CAMELLIA-128-CCM*-NO-TAG":128:49:-1 + +CAMELLIA-128 CCM*-NO-TAG - Encrypt and decrypt 0 bytes in multiple parts +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:128:0:0:-1:0:0:0:0 + +CAMELLIA-128 CCM*-NO-TAG - Encrypt and decrypt 1 bytes in multiple parts 1 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:128:1:0:-1:1:0:1:0 + +CAMELLIA-128 CCM*-NO-TAG - Encrypt and decrypt 1 bytes in multiple parts 2 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:128:0:1:-1:0:1:0:1 + +CAMELLIA-128 CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 1 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:128:16:0:-1:16:0:16:0 + +CAMELLIA-128 CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 2 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:128:0:16:-1:0:16:0:16 + +CAMELLIA-128 CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 3 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:128:1:15:-1:1:15:1:15 + +CAMELLIA-128 CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 4 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:128:15:1:-1:15:1:15:1 + +CAMELLIA-128 CCM*-NO-TAG - Encrypt and decrypt 22 bytes in multiple parts 1 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:128:15:7:-1:15:7:15:7 + +CAMELLIA-128-CCM*-NO-TAG - Encrypt and decrypt 22 bytes in multiple parts 2 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:128:16:6:-1:16:6:16:6 + +CAMELLIA-128-CCM*-NO-TAG - Encrypt and decrypt 23 bytes in multiple parts 1 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:128:17:6:-1:17:6:17:6 + +CAMELLIA-128-CCM*-NO-TAG - Encrypt and decrypt 32 bytes in multiple parts 1 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:128:16:16:-1:16:16:16:16 + +CAMELLIA-192-CCM*-NO-TAG - Encrypt and decrypt 0 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:"CAMELLIA-192-CCM*-NO-TAG":192:0:-1 + +CAMELLIA-192-CCM*-NO-TAG - Encrypt and decrypt 1 byte +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:"CAMELLIA-192-CCM*-NO-TAG":192:1:-1 + +CAMELLIA-192-CCM*-NO-TAG - Encrypt and decrypt 2 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:"CAMELLIA-192-CCM*-NO-TAG":192:2:-1 + +CAMELLIA-192-CCM*-NO-TAG - Encrypt and decrypt 7 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:"CAMELLIA-192-CCM*-NO-TAG":192:7:-1 + +CAMELLIA-192-CCM*-NO-TAG - Encrypt and decrypt 8 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:"CAMELLIA-192-CCM*-NO-TAG":192:8:-1 + +CAMELLIA-192-CCM*-NO-TAG - Encrypt and decrypt 9 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:"CAMELLIA-192-CCM*-NO-TAG":192:9:-1 + +CAMELLIA-192-CCM*-NO-TAG - Encrypt and decrypt 15 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:"CAMELLIA-192-CCM*-NO-TAG":192:15:-1 + +CAMELLIA-192-CCM*-NO-TAG - Encrypt and decrypt 16 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:"CAMELLIA-192-CCM*-NO-TAG":192:16:-1 + +CAMELLIA-192-CCM*-NO-TAG - Encrypt and decrypt 17 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:"CAMELLIA-192-CCM*-NO-TAG":192:17:-1 + +CAMELLIA-192-CCM*-NO-TAG - Encrypt and decrypt 31 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:"CAMELLIA-192-CCM*-NO-TAG":192:31:-1 + +CAMELLIA-192-CCM*-NO-TAG - Encrypt and decrypt 32 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:"CAMELLIA-192-CCM*-NO-TAG":192:32:-1 + +CAMELLIA-192-CCM*-NO-TAG - Encrypt and decrypt 33 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:"CAMELLIA-192-CCM*-NO-TAG":192:33:-1 + +CAMELLIA-192-CCM*-NO-TAG - Encrypt and decrypt 47 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:"CAMELLIA-192-CCM*-NO-TAG":192:47:-1 + +CAMELLIA-192-CCM*-NO-TAG - Encrypt and decrypt 48 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:"CAMELLIA-192-CCM*-NO-TAG":192:48:-1 + +CAMELLIA-192-CCM*-NO-TAG - Encrypt and decrypt 49 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:"CAMELLIA-192-CCM*-NO-TAG":192:49:-1 + +CAMELLIA-192-CCM*-NO-TAG - Encrypt and decrypt 0 bytes in multiple parts +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:192:0:0:-1:0:0:0:0 + +CAMELLIA-192-CCM*-NO-TAG - Encrypt and decrypt 1 bytes in multiple parts 1 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:192:1:0:-1:1:0:1:0 + +CAMELLIA-192-CCM*-NO-TAG - Encrypt and decrypt 1 bytes in multiple parts 2 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:192:0:1:-1:0:1:0:1 + +CAMELLIA-192-CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 1 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:192:16:0:-1:16:0:16:0 + +CAMELLIA-192-CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 2 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:192:0:16:-1:0:16:0:16 + +CAMELLIA-192-CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 3 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:192:1:15:-1:1:15:1:15 + +CAMELLIA-192-CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 4 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:192:15:1:-1:15:1:15:1 + +CAMELLIA-192-CCM*-NO-TAG - Encrypt and decrypt 22 bytes in multiple parts 1 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:192:15:7:-1:15:7:15:7 + +CAMELLIA-192-CCM*-NO-TAG - Encrypt and decrypt 22 bytes in multiple parts 2 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:192:16:6:-1:16:6:16:6 + +CAMELLIA-192-CCM*-NO-TAG - Encrypt and decrypt 23 bytes in multiple parts 1 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:192:17:6:-1:17:6:17:6 + +CAMELLIA-192-CCM*-NO-TAG - Encrypt and decrypt 32 bytes in multiple parts 1 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:192:16:16:-1:16:16:16:16 + +CAMELLIA-256-CCM*-NO-TAG - Encrypt and decrypt 0 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:"CAMELLIA-256-CCM*-NO-TAG":256:0:-1 + +CAMELLIA-256-CCM*-NO-TAG - Encrypt and decrypt 1 byte +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:"CAMELLIA-256-CCM*-NO-TAG":256:1:-1 + +CAMELLIA-256-CCM*-NO-TAG - Encrypt and decrypt 2 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:"CAMELLIA-256-CCM*-NO-TAG":256:2:-1 + +CAMELLIA-256-CCM*-NO-TAG - Encrypt and decrypt 7 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:"CAMELLIA-256-CCM*-NO-TAG":256:7:-1 + +CAMELLIA-256-CCM*-NO-TAG - Encrypt and decrypt 8 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:"CAMELLIA-256-CCM*-NO-TAG":256:8:-1 + +CAMELLIA-256-CCM*-NO-TAG - Encrypt and decrypt 9 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:"CAMELLIA-256-CCM*-NO-TAG":256:9:-1 + +CAMELLIA-256-CCM*-NO-TAG - Encrypt and decrypt 15 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:"CAMELLIA-256-CCM*-NO-TAG":256:15:-1 + +CAMELLIA-256-CCM*-NO-TAG - Encrypt and decrypt 16 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:"CAMELLIA-256-CCM*-NO-TAG":256:16:-1 + +CAMELLIA-256-CCM*-NO-TAG - Encrypt and decrypt 17 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:"CAMELLIA-256-CCM*-NO-TAG":256:17:-1 + +CAMELLIA-256-CCM*-NO-TAG - Encrypt and decrypt 31 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:"CAMELLIA-256-CCM*-NO-TAG":256:31:-1 + +CAMELLIA-256-CCM*-NO-TAG - Encrypt and decrypt 32 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:"CAMELLIA-256-CCM*-NO-TAG":256:32:-1 + +CAMELLIA-256-CCM*-NO-TAG - Encrypt and decrypt 33 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:"CAMELLIA-256-CCM*-NO-TAG":256:33:-1 + +CAMELLIA-256-CCM*-NO-TAG - Encrypt and decrypt 47 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:"CAMELLIA-256-CCM*-NO-TAG":256:47:-1 + +CAMELLIA-256-CCM*-NO-TAG - Encrypt and decrypt 48 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:"CAMELLIA-256-CCM*-NO-TAG":256:48:-1 + +CAMELLIA-256-CCM*-NO-TAG - Encrypt and decrypt 49 bytes +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:"CAMELLIA-256-CCM*-NO-TAG":256:49:-1 + +CAMELLIA-256-CCM*-NO-TAG - Encrypt and decrypt 0 bytes in multiple parts +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:256:0:0:-1:0:0:0:0 + +CAMELLIA-256-CCM*-NO-TAG - Encrypt and decrypt 1 bytes in multiple parts 1 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:256:1:0:-1:1:0:1:0 + +CAMELLIA-256-CCM*-NO-TAG - Encrypt and decrypt 1 bytes in multiple parts 2 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:256:0:1:-1:0:1:0:1 + +CAMELLIA-256-CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 1 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:256:16:0:-1:16:0:16:0 + +CAMELLIA-256-CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 2 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:256:0:16:-1:0:16:0:16 + +CAMELLIA-256-CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 3 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:256:1:15:-1:1:15:1:15 + +CAMELLIA-256-CCM*-NO-TAG - Encrypt and decrypt 16 bytes in multiple parts 4 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:256:15:1:-1:15:1:15:1 + +CAMELLIA-256-CCM*-NO-TAG - Encrypt and decrypt 22 bytes in multiple parts 1 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:256:15:7:-1:15:7:15:7 + +CAMELLIA-256-CCM*-NO-TAG - Encrypt and decrypt 22 bytes in multiple parts 2 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:256:16:6:-1:16:6:16:6 + +CAMELLIA-256-CCM*-NO-TAG - Encrypt and decrypt 23 bytes in multiple parts 1 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:256:17:6:-1:17:6:17:6 + +CAMELLIA-256-CCM*-NO-TAG - Encrypt and decrypt 32 bytes in multiple parts 1 +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +enc_dec_buf_multipart:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:256:16:16:-1:16:16:16:16 + +CAMELLIA-128-CCM*-NO-TAG crypt Encrypt +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +test_vec_crypt:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:MBEDTLS_ENCRYPT:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"00000003020100A0A1A2A3A4A5":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E":"BA737185E719310492F38A5F1251DA55FAFBC949848A0D":0:0 + +CAMELLIA-128-CCM*-NO-TAG crypt Decrypt +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +test_vec_crypt:MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG:MBEDTLS_DECRYPT:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"00000003020100A0A1A2A3A4A5":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E":"BA737185E719310492F38A5F1251DA55FAFBC949848A0D":0:0 + +CAMELLIA-192-CCM*-NO-TAG crypt Encrypt +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +test_vec_crypt:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:MBEDTLS_ENCRYPT:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECFC0C1C2C3C4C5C6C7":"00000003020100A0A1A2A3A4A5":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E":"c3ceaa2a68fb31d8347a83950f25f3a7956b8a284a5b35":0:0 + +CAMELLIA-192-CCM*-NO-TAG crypt Decrypt +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +test_vec_crypt:MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG:MBEDTLS_DECRYPT:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECFC0C1C2C3C4C5C6C7":"00000003020100A0A1A2A3A4A5":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E":"c3ceaa2a68fb31d8347a83950f25f3a7956b8a284a5b35":0:0 + +CAMELLIA-256-CCM*-NO-TAG crypt Encrypt +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +test_vec_crypt:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:MBEDTLS_ENCRYPT:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"00000003020100A0A1A2A3A4A5":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E":"933f749801d0e1262cd101831defd8366ab2a22e7c03cd":0:0 + +CAMELLIA-256-CCM*-NO-TAG crypt Decrypt +depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C +test_vec_crypt:MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG:MBEDTLS_DECRYPT:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"00000003020100A0A1A2A3A4A5":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E":"933f749801d0e1262cd101831defd8366ab2a22e7c03cd":0:0 diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index c809d9a28090..fd2985b5e725 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function @@ -18,7 +18,7 @@ static int check_cipher_info( mbedtls_cipher_type_t type, const mbedtls_cipher_info_t *info ) { - size_t key_bitlen; + size_t key_bitlen, block_size, iv_size; TEST_ASSERT( info != NULL ); TEST_EQUAL( type, mbedtls_cipher_info_get_type( info ) ); @@ -33,8 +33,14 @@ static int check_cipher_info( mbedtls_cipher_type_t type, TEST_ASSERT( mbedtls_cipher_info_from_string( info->name ) == info ); key_bitlen = mbedtls_cipher_info_get_key_bitlen( info ); + block_size = mbedtls_cipher_info_get_block_size( info ); + iv_size = mbedtls_cipher_info_get_iv_size( info ); if( info->type == MBEDTLS_CIPHER_NULL ) + { TEST_ASSERT( key_bitlen == 0 ); + TEST_ASSERT( block_size == 1 ); + TEST_ASSERT( iv_size == 0 ); + } else if( info->mode == MBEDTLS_MODE_XTS ) { TEST_ASSERT( key_bitlen == 256 || @@ -44,14 +50,28 @@ static int check_cipher_info( mbedtls_cipher_type_t type, else if( ! strncmp( info->name, "DES-EDE3-", 9 ) ) { TEST_ASSERT( key_bitlen == 192 ); + TEST_ASSERT( ! mbedtls_cipher_info_has_variable_key_bitlen( info ) ); + TEST_ASSERT( block_size == 8 ); } else if( ! strncmp( info->name, "DES-EDE-", 8 ) ) { TEST_ASSERT( key_bitlen == 128 ); + TEST_ASSERT( ! mbedtls_cipher_info_has_variable_key_bitlen( info ) ); + TEST_ASSERT( block_size == 8 ); } else if( ! strncmp( info->name, "DES-", 4 ) ) { TEST_ASSERT( key_bitlen == 64 ); + TEST_ASSERT( ! mbedtls_cipher_info_has_variable_key_bitlen( info ) ); + TEST_ASSERT( block_size == 8 ); + } + else if( ! strncmp( info->name, "AES", 3 ) ) + { + TEST_ASSERT( key_bitlen == 128 || + key_bitlen == 192 || + key_bitlen == 256 ); + TEST_ASSERT( ! mbedtls_cipher_info_has_variable_key_bitlen( info ) ); + TEST_ASSERT( block_size == 16 ); } else { @@ -60,6 +80,23 @@ static int check_cipher_info( mbedtls_cipher_type_t type, key_bitlen == 256 ); } + if( strstr( info->name, "-ECB" ) != NULL ) + { + TEST_ASSERT( iv_size == 0 ); + TEST_ASSERT( ! mbedtls_cipher_info_has_variable_iv_size( info ) ); + } + else if( strstr( info->name, "-CBC" ) != NULL || + strstr( info->name, "-CTR" ) != NULL ) + { + TEST_ASSERT( iv_size == block_size ); + TEST_ASSERT( ! mbedtls_cipher_info_has_variable_iv_size( info ) ); + } + else if( strstr( info->name, "-GCM" ) != NULL ) + { + TEST_ASSERT( iv_size == block_size - 4 ); + TEST_ASSERT( mbedtls_cipher_info_has_variable_iv_size( info ) ); + } + return( 1 ); exit: @@ -161,9 +198,10 @@ void cipher_invalid_param_unconditional( ) (void)valid_mode; /* In some configurations this is unused */ mbedtls_cipher_init( &valid_ctx ); - mbedtls_cipher_setup( &valid_ctx, valid_info ); mbedtls_cipher_init( &invalid_ctx ); + TEST_ASSERT( mbedtls_cipher_setup( &valid_ctx, valid_info ) == 0 ); + /* mbedtls_cipher_setup() */ TEST_ASSERT( mbedtls_cipher_setup( &valid_ctx, NULL ) == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); @@ -343,7 +381,7 @@ exit: void enc_dec_buf( int cipher_id, char * cipher_string, int key_len, int length_val, int pad_mode ) { - size_t length = length_val, outlen, total_len, i, block_size; + size_t length = length_val, outlen, total_len, i, block_size, iv_len; unsigned char key[64]; unsigned char iv[16]; unsigned char ad[13]; @@ -401,8 +439,14 @@ void enc_dec_buf( int cipher_id, char * cipher_string, int key_len, memset( decbuf, 0, sizeof( decbuf ) ); memset( tag, 0, sizeof( tag ) ); - TEST_ASSERT( 0 == mbedtls_cipher_set_iv( &ctx_dec, iv, sizeof( iv ) ) ); - TEST_ASSERT( 0 == mbedtls_cipher_set_iv( &ctx_enc, iv, sizeof( iv ) ) ); + if( NULL != strstr( cipher_info->name, "CCM*-NO-TAG") ) + iv_len = 13; /* For CCM, IV length is expected to be between 7 and 13 bytes. + * For CCM*-NO-TAG, IV length must be exactly 13 bytes long. */ + else + iv_len = sizeof(iv); + + TEST_ASSERT( 0 == mbedtls_cipher_set_iv( &ctx_dec, iv, iv_len ) ); + TEST_ASSERT( 0 == mbedtls_cipher_set_iv( &ctx_enc, iv, iv_len ) ); TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx_dec ) ); TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx_enc ) ); @@ -597,6 +641,7 @@ void enc_dec_buf_multipart( int cipher_id, int key_len, int first_length_val, size_t second_length = second_length_val; size_t length = first_length + second_length; size_t block_size; + size_t iv_len; unsigned char key[32]; unsigned char iv[16]; @@ -641,8 +686,14 @@ void enc_dec_buf_multipart( int cipher_id, int key_len, int first_length_val, (void) pad_mode; #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ - TEST_ASSERT( 0 == mbedtls_cipher_set_iv( &ctx_dec, iv, 16 ) ); - TEST_ASSERT( 0 == mbedtls_cipher_set_iv( &ctx_enc, iv, 16 ) ); + if( NULL != strstr( cipher_info->name, "CCM*-NO-TAG") ) + iv_len = 13; /* For CCM, IV length is expected to be between 7 and 13 bytes. + * For CCM*-NO-TAG, IV length must be exactly 13 bytes long. */ + else + iv_len = sizeof(iv); + + TEST_ASSERT( 0 == mbedtls_cipher_set_iv( &ctx_dec, iv, iv_len ) ); + TEST_ASSERT( 0 == mbedtls_cipher_set_iv( &ctx_enc, iv, iv_len ) ); TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx_dec ) ); TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx_enc ) ); diff --git a/tests/suites/test_suite_pkcs12.data b/tests/suites/test_suite_pkcs12.data new file mode 100644 index 000000000000..a8c4bab35aed --- /dev/null +++ b/tests/suites/test_suite_pkcs12.data @@ -0,0 +1,35 @@ +PKCS#12 derive key : MD5: Zero length password and hash +depends_on:MBEDTLS_MD5_C +pkcs12_derive_key:MBEDTLS_MD_MD5:48:"":USE_GIVEN_INPUT:"":USE_GIVEN_INPUT:3:"6afdcbd5ebf943272134f1c3de2dc11b6afdcbd5ebf943272134f1c3de2dc11b6afdcbd5ebf943272134f1c3de2dc11b":0 + +PKCS#12 derive key: MD5: NULL password and hash +depends_on:MBEDTLS_MD5_C +pkcs12_derive_key:MBEDTLS_MD_MD5:48:"":USE_NULL_INPUT:"":USE_NULL_INPUT:3:"6afdcbd5ebf943272134f1c3de2dc11b6afdcbd5ebf943272134f1c3de2dc11b6afdcbd5ebf943272134f1c3de2dc11b":0 + +PKCS#12 derive key: MD5: Zero length password +depends_on:MBEDTLS_MD5_C +pkcs12_derive_key:MBEDTLS_MD_MD5:48:"":USE_GIVEN_INPUT:"0123456789abcdef":USE_GIVEN_INPUT:3:"832d8502114fcccfd3de0c2b2863b1c45fb92a8db2ed1e704727b324adc267bdd66ae4918a81fa2d1ba15febfb9e6c4e":0 + +PKCS#12 derive key: MD5: NULL password +depends_on:MBEDTLS_MD5_C +pkcs12_derive_key:MBEDTLS_MD_MD5:48:"":USE_NULL_INPUT:"0123456789abcdef":USE_GIVEN_INPUT:3:"832d8502114fcccfd3de0c2b2863b1c45fb92a8db2ed1e704727b324adc267bdd66ae4918a81fa2d1ba15febfb9e6c4e":0 + +PKCS#12 derive key: MD5: Invalid length NULL password +depends_on:MBEDTLS_MD5_C +pkcs12_derive_key:MBEDTLS_MD_MD5:48:"0123456789abcdef":USE_NULL_INPUT:"0123456789abcdef":USE_GIVEN_INPUT:3:"":MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA + +PKCS#12 derive key: MD5: Zero length salt +depends_on:MBEDTLS_MD5_C +pkcs12_derive_key:MBEDTLS_MD_MD5:48:"0123456789abcdef":USE_GIVEN_INPUT:"":USE_GIVEN_INPUT:3:"832d8502114fcccfd3de0c2b2863b1c45fb92a8db2ed1e704727b324adc267bdd66ae4918a81fa2d1ba15febfb9e6c4e":0 + +PKCS#12 derive key: MD5: NULL salt +depends_on:MBEDTLS_MD5_C +pkcs12_derive_key:MBEDTLS_MD_MD5:48:"0123456789abcdef":USE_GIVEN_INPUT:"":USE_NULL_INPUT:3:"832d8502114fcccfd3de0c2b2863b1c45fb92a8db2ed1e704727b324adc267bdd66ae4918a81fa2d1ba15febfb9e6c4e":0 + +PKCS#12 derive key: MD5: Invalid length NULL salt +depends_on:MBEDTLS_MD5_C +pkcs12_derive_key:MBEDTLS_MD_MD5:48:"0123456789abcdef":USE_GIVEN_INPUT:"0123456789abcdef":USE_NULL_INPUT:3:"":MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA + +PKCS#12 derive key: MD5: Valid password and salt +depends_on:MBEDTLS_MD5_C +pkcs12_derive_key:MBEDTLS_MD_MD5:48:"0123456789abcdef":USE_GIVEN_INPUT:"0123456789abcdef":USE_GIVEN_INPUT:3:"46559deeee036836ab1b633ec620178d4c70eacf42f72a2ad7360c812efa09ca3d7567b489a109050345c2dc6a262995":0 diff --git a/tests/suites/test_suite_pkcs12.function b/tests/suites/test_suite_pkcs12.function new file mode 100644 index 000000000000..54dc042c3d3a --- /dev/null +++ b/tests/suites/test_suite_pkcs12.function @@ -0,0 +1,69 @@ +/* BEGIN_HEADER */ +#include "mbedtls/pkcs12.h" +#include "common.h" + +typedef enum +{ + USE_NULL_INPUT = 0, + USE_GIVEN_INPUT = 1, +} input_usage_method_t; + +/* END_HEADER */ + +/* BEGIN_DEPENDENCIES + * depends_on:MBEDTLS_PKCS12_C + * END_DEPENDENCIES + */ + +/* BEGIN_CASE */ +void pkcs12_derive_key( int md_type, int key_size_arg, + data_t *password_arg, int password_usage, + data_t *salt_arg, int salt_usage, + int iterations, + data_t* expected_output, int expected_status ) + +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + unsigned char *output_data = NULL; + + unsigned char *password = NULL; + size_t password_len = 0; + unsigned char *salt = NULL; + size_t salt_len = 0; + size_t key_size = key_size_arg; + + if( password_usage == USE_GIVEN_INPUT ) + password = password_arg->x; + + password_len = password_arg->len; + + if( salt_usage == USE_GIVEN_INPUT ) + salt = salt_arg->x; + + salt_len = salt_arg->len; + + ASSERT_ALLOC( output_data, key_size ); + + ret = mbedtls_pkcs12_derivation( output_data, + key_size, + password, + password_len, + salt, + salt_len, + md_type, + MBEDTLS_PKCS12_DERIVE_KEY, + iterations ); + + TEST_EQUAL( ret, expected_status ); + + if( expected_status == 0 ) + { + ASSERT_COMPARE( expected_output->x, expected_output->len, + output_data, key_size ); + } + +exit: + mbedtls_free( output_data ); + +} +/* END_CASE */ diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 820bed7da5fd..c45f9f0880f9 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -912,11 +912,19 @@ PSA key policy: asymmetric signature, sign | verify, key usage extension depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_MD_C asymmetric_signature_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):32:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE -PSA key policy: asymmetric signature, wrong algorithm family +PSA key policy: asymmetric signature, wrong alg family (PSS std/any salt) +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR +asymmetric_signature_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE + +PSA key policy: asymmetric signature, wrong alg family (PSS any/std salt) +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR +asymmetric_signature_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE + +PSA key policy: asymmetric signature, wrong alg family (RSA v15/PSS) depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR asymmetric_signature_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE -PSA key policy: asymmetric signature, wildcard in policy, wrong algorithm family +PSA key policy: asymmetric signature, wildcard in policy, wrong alg family depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR asymmetric_signature_key_policy:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):0:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE @@ -952,39 +960,47 @@ PSA key policy: asymmetric signature, neither sign nor verify depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_MD_C asymmetric_signature_key_policy:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):32:0 -PSA key policy: asymmetric signature for message, sign | verify +PSA key policy: msg asymmetric signature, sign | verify depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR asymmetric_signature_key_policy:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE -PSA key policy: asymmetric signature for message, wrong algorithm family +PSA key policy: msg asymmetric signature, wrong alg family (PSS std/any salt) +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR +asymmetric_signature_key_policy:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):0:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE + +PSA key policy: msg asymmetric signature, wrong alg family (PSS any/std salt) +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR +asymmetric_signature_key_policy:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):0:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE + +PSA key policy: msg asymmetric signature, wrong alg family (RSA v15/PSS) depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR asymmetric_signature_key_policy:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):0:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE -PSA key policy: asymmetric signature for message, wildcard in policy, wrong algorithm family +PSA key policy: msg asymmetric signature, wildcard in policy, wrong alg family depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR asymmetric_signature_key_policy:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):0:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE -PSA key policy: asymmetric signature for message, wildcard in policy, ECDSA SHA-256 +PSA key policy: msg asymmetric signature, wildcard in policy, ECDSA SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256 asymmetric_signature_key_policy:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_ECDSA(PSA_ALG_SHA_256):32:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE -PSA key policy: asymmetric signature for message, wildcard in policy, PKCS#1v1.5 SHA-256 +PSA key policy: msg asymmetric signature, wildcard in policy, PKCS#1v1.5 SHA-256 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR asymmetric_signature_key_policy:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):32:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE -PSA key policy: asymmetric signature for message, wrong hash algorithm +PSA key policy: msg asymmetric signature, wrong hash algorithm depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR asymmetric_signature_key_policy:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_384):0:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE -PSA key policy: asymmetric signature for message, alg=0 in policy +PSA key policy: msg asymmetric signature, alg=0 in policy depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR asymmetric_signature_key_policy:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):0:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE -PSA key policy: asymmetric signature for message, sign but not verify +PSA key policy: msg asymmetric signature, sign but not verify depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR asymmetric_signature_key_policy:PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):1:PSA_KEY_USAGE_SIGN_MESSAGE -PSA key policy: asymmetric signature for message, verify but not sign +PSA key policy: msg asymmetric signature, verify but not sign depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR asymmetric_signature_key_policy:PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):1:PSA_KEY_USAGE_VERIFY_MESSAGE @@ -1608,11 +1624,11 @@ depends_on:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_HMAC mac_setup:PSA_KEY_TYPE_HMAC:"000102030405060708090a0b0c0d0e0f":PSA_ALG_CMAC:PSA_ERROR_INVALID_ARGUMENT PSA MAC setup: algorithm known but not supported, long key -depends_on:!MBEDTLS_MD5_C +depends_on:!PSA_WANT_ALG_MD5 mac_setup:PSA_KEY_TYPE_HMAC:"000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f":PSA_ALG_HMAC(PSA_ALG_MD5):PSA_ERROR_NOT_SUPPORTED PSA MAC setup: algorithm known but not supported, short key -depends_on:!MBEDTLS_MD5_C +depends_on:!PSA_WANT_ALG_MD5 mac_setup:PSA_KEY_TYPE_HMAC:"000102030405060708":PSA_ALG_HMAC(PSA_ALG_MD5):PSA_ERROR_NOT_SUPPORTED PSA MAC: bad order function calls @@ -1895,6 +1911,7 @@ PSA symmetric encrypt: AES-CBC-nopad, input too short depends_on:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_KEY_TYPE_AES cipher_encrypt_fail:PSA_ALG_CBC_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"6bc1bee223":PSA_ERROR_INVALID_ARGUMENT +PSA symmetric encrypt: AES-ECB, 0 bytes, good depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES cipher_encrypt_alg_without_iv:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"":"" @@ -1946,6 +1963,10 @@ PSA symmetric encrypt validation: 3-key 3DES-CBC-nopad, 8 bytes, good depends_on:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_KEY_TYPE_DES cipher_encrypt_validation:PSA_ALG_CBC_NO_PADDING:PSA_KEY_TYPE_DES:"01020407080b0d0ec1c2c4c7c8cbcdce31323437383b3d3e":"eda4011239bc3ac9" +PSA symmetric encrypt validation: CCM*-no-tag, 15 bytes, good +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +cipher_encrypt_validation:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"d24a3d3dde8c84830280cb87abad0bb3":"6bc1bee22e409f96e93d7e11739317" + PSA symmetric encrypt multipart: AES-ECB, 0 bytes, good depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES cipher_encrypt_multipart:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"":"":0:0:0:"":PSA_SUCCESS @@ -2006,6 +2027,10 @@ PSA symmetric encrypt multipart: 3-key 3DES-ECB, 8 bytes, good depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_DES cipher_encrypt_multipart:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_DES:"01020407080b0d0ec1c2c4c7c8cbcdce31323437383b3d3e":"":"c78e2b38139610e3":8:8:0:"817ca7d69b80d86a":PSA_SUCCESS +PSA symmetric encrypt multipart: CCM*-no-tag, AES, 24 bytes, good +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +cipher_encrypt_multipart:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"d24a3d3dde8c84830280cb87abad0bb3":"f1100035bb24a8d26004e0e24b":"7c86135ed9c2a515aaae0e9a208133897269220f30870006":10:10:14:"1faeb0ee2ca2cd52f0aa3966578344f24e69b742c4ab37ab":PSA_SUCCESS + PSA cipher decrypt: without initialization depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES cipher_decrypt_fail:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"":"":"":PSA_ERROR_BAD_STATE @@ -2038,6 +2063,10 @@ PSA symmetric decrypt: AES-CBC-nopad, input too short (5 bytes) depends_on:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_KEY_TYPE_AES cipher_decrypt_fail:PSA_ALG_CBC_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"6bc1bee223":PSA_ERROR_INVALID_ARGUMENT +PSA symetric decrypt: CCM*-no-tag, input too short (15 bytes) +depends_on:MBEDTLS_AES_C +cipher_decrypt_fail:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"19ebfde2d5468ba0a3031bde629b11fd":"5a8aa485c316e9":"2a2a2a2a2a2a2a2a":PSA_ERROR_INVALID_ARGUMENT + PSA symmetric decrypt: AES-ECB, 0 bytes, good depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES cipher_decrypt:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"":"":"" @@ -2086,6 +2115,10 @@ PSA symmetric decrypt: 3-key 3DES-ECB, 8 bytes, good depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_DES cipher_decrypt:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_DES:"01020407080b0d0ec1c2c4c7c8cbcdce31323437383b3d3e":"":"817ca7d69b80d86a":"c78e2b38139610e3" +PSA symmetric decrypt: CCM*-no-tag, NIST DVPT AES-128 #15 +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +cipher_decrypt:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"90929a4b0ac65b350ad1591611fe4829":"5a8aa485c316e9403aff859fbb":"4bfe4e35784f0a65b545477e5e2f4bae0e1e6fa717eaf2cb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697" + PSA symmetric decrypt multipart: AES-ECB, 0 bytes, good depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES cipher_decrypt_multipart:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"":"":0:0:0:"":PSA_SUCCESS @@ -2146,6 +2179,10 @@ PSA symmetric decrypt multipart: 3-key 3DES-ECB, 8 bytes, good depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_DES cipher_decrypt_multipart:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_DES:"01020407080b0d0ec1c2c4c7c8cbcdce31323437383b3d3e":"":"817ca7d69b80d86a":8:8:0:"c78e2b38139610e3":PSA_SUCCESS +PSA symmetric decrypt multipart: CCM*-no-tag, 24 bytes, good +depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_DES +cipher_decrypt_multipart:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"197afb02ffbd8f699dacae87094d5243":"5a8aa485c316e9403aff859fbb":"4a550134f94455979ec4bf89ad2bd80d25a77ae94e456134":10:10:14:"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697":PSA_SUCCESS + PSA symmetric encrypt/decrypt: AES-ECB, 16 bytes, good depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES cipher_verify_output:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"6bc1bee22e409f96e93d7e117393172a" @@ -2166,6 +2203,22 @@ PSA symmetric encrypt/decrypt: AES-CTR depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES cipher_verify_output:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"6bc1bee22e409f96e93d7e117393172a" +PSA symmetric encrypt/decrypt: CCM*-no-tag, AES +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +cipher_verify_output:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"6bc1bee22e409f96e93d7e117393172a" + +CCM*-no-tag encrypt, iv_length = 14, bad +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +cipher_encrypt_validate_iv_length:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"90929a4b0ac65b350ad1591611fe4829":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":14:PSA_ERROR_INVALID_ARGUMENT + +CCM*-no-tag encrypt, iv_length = 13, good +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +cipher_encrypt_validate_iv_length:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"90929a4b0ac65b350ad1591611fe4829":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":13:PSA_SUCCESS + +CCM*-no-tag encrypt, iv_length = 12, bad +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +cipher_encrypt_validate_iv_length:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"90929a4b0ac65b350ad1591611fe4829":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":12:PSA_ERROR_INVALID_ARGUMENT + PSA symmetric encryption multipart: AES-ECB, 16+16 bytes depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES cipher_encrypt_multipart:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"":"6bc1bee22e409f96e93d7e117393172a5434f378a597bcef1389318c7fc865ef":16:16:16:"3ad77bb40d7a3660a89ecaf32466ef9755ed5e9e066820fa52c729886d18854c":PSA_SUCCESS @@ -2484,19 +2537,19 @@ aead_decrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_AEAD_WI PSA AEAD decrypt: AES-CCM, invalid nonce length 6 depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES -aead_decrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:"48c090693056":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef":PSA_ERROR_NOT_SUPPORTED +aead_decrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:"48c090693056":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef":PSA_ERROR_INVALID_ARGUMENT PSA AEAD decrypt: AES-CCM, invalid nonce length 14 depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES -aead_decrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:"48c0906930561e0ab0ef4cd97200":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef":PSA_ERROR_NOT_SUPPORTED +aead_decrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:"48c0906930561e0ab0ef4cd97200":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef":PSA_ERROR_INVALID_ARGUMENT PSA AEAD decrypt: AES-CCM_8, invalid nonce length 6 depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES -aead_decrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, 8 ):"48c090693056":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef":PSA_ERROR_NOT_SUPPORTED +aead_decrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, 8 ):"48c090693056":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef":PSA_ERROR_INVALID_ARGUMENT PSA AEAD decrypt: AES-CCM_8, invalid nonce length 14 depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES -aead_decrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, 8 ):"48c0906930561e0ab0ef4cd97200":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef":PSA_ERROR_NOT_SUPPORTED +aead_decrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, 8 ):"48c0906930561e0ab0ef4cd97200":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef":PSA_ERROR_INVALID_ARGUMENT PSA AEAD encrypt/decrypt, AES-GCM, 19 bytes #1 depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES @@ -2652,11 +2705,11 @@ aead_decrypt:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_AEAD_WI PSA AEAD decrypt: AES-GCM, nonce=0 (bad) depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES -aead_decrypt:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_GCM:"":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":"":PSA_ERROR_NOT_SUPPORTED +aead_decrypt:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_GCM:"":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":"":PSA_ERROR_INVALID_ARGUMENT PSA AEAD decrypt: AES-GCM, nonce=0 (bad), TAG=12 depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES -aead_decrypt:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_GCM, 12 ):"":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":"":PSA_ERROR_NOT_SUPPORTED +aead_decrypt:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_GCM, 12 ):"":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":"":PSA_ERROR_INVALID_ARGUMENT PSA AEAD decrypt: AES-GCM, invalid tag length 18 depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES @@ -2768,11 +2821,11 @@ aead_decrypt:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495 PSA AEAD decrypt: ChaCha20-Poly1305 (nonce=11, too short) depends_on:PSA_WANT_ALG_CHACHA20_POLY1305:PSA_WANT_KEY_TYPE_CHACHA20 -aead_decrypt:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_CHACHA20_POLY1305:"0700000040414243444546":"":"a0784d7a4716f3feb4f64e7f4b39bf04":"":PSA_ERROR_NOT_SUPPORTED +aead_decrypt:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_CHACHA20_POLY1305:"0700000040414243444546":"":"a0784d7a4716f3feb4f64e7f4b39bf04":"":PSA_ERROR_INVALID_ARGUMENT PSA AEAD decrypt: ChaCha20-Poly1305 (nonce=13, too long) depends_on:PSA_WANT_ALG_CHACHA20_POLY1305:PSA_WANT_KEY_TYPE_CHACHA20 -aead_decrypt:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_CHACHA20_POLY1305:"07000000404142434445464700":"":"a0784d7a4716f3feb4f64e7f4b39bf04":"":PSA_ERROR_NOT_SUPPORTED +aead_decrypt:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_CHACHA20_POLY1305:"07000000404142434445464700":"":"a0784d7a4716f3feb4f64e7f4b39bf04":"":PSA_ERROR_INVALID_ARGUMENT PSA AEAD encrypt/decrypt: invalid algorithm (CTR) depends_on:MBEDTLS_AES_C:MBEDTLS_GCM_C @@ -2782,6 +2835,78 @@ PSA AEAD encrypt/decrypt: invalid algorithm (ChaCha20) depends_on:MBEDTLS_CHACHA20_C aead_encrypt_decrypt:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_STREAM_CIPHER:"":"":"":PSA_ERROR_NOT_SUPPORTED +PSA Multipart AEAD encrypt: AES - CCM, 23 bytes (lengths set) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_encrypt:PSA_KEY_TYPE_AES:"D7828D13B2B0BDC325A76236DF93CC6B":PSA_ALG_CCM:"00412B4EA9CDBE3C9696766CFA":"0BE1A88BACE018B1":"08E8CF97D820EA258460E96AD9CF5289054D895CEAC47C":1:"4CB97F86A2A4689A877947AB8091EF5386A6FFBDD080F8120333D1FCB691F3406CBF531F83A4D8" + +PSA Multipart AEAD encrypt: AES - CCM, 24 bytes (lengths set) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_encrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef":1:"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6d80e8bf80f4a46cab06d4313f0db9be9" + +PSA Multipart AEAD encrypt: AES - CCM, 24 bytes, T = 4 (lengths set) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_encrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM,4):"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef":1:"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6643b4f39" + +PSA Multipart AEAD encrypt: AES - CCM, 24 bytes, T = 6 (lengths set) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_encrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM,6):"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef":1:"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b63fdffcd729bc" + +PSA Multipart AEAD encrypt: AES - CCM, 24 bytes, T = 8 (lengths set) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_encrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM,8):"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef":1:"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b64cf2c3bf5f220776" + +PSA Multipart AEAD encrypt: AES - CCM, 24 bytes, T = 10 (lengths set) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_encrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM,10):"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef":1:"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b69613343621327defd18e" + +PSA Multipart AEAD encrypt: AES - CCM, 24 bytes, T = 12 (lengths set) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_encrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM,12):"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef":1:"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b69a2e5d8faee3138fa5cf9846" + +PSA Multipart AEAD encrypt: AES - CCM, 24 bytes, T = 14 (lengths set) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_encrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM,14):"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef":1:"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6c99af01cdb6aa76df73c8646c27f" + +PSA Multipart AEAD encrypt: AES - CCM, 24 bytes, T = 16 (lengths set) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_encrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM,16):"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef":1:"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6d80e8bf80f4a46cab06d4313f0db9be9" + +PSA Multipart AEAD decrypt: AES - CCM, 39 bytes (lengths set) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_decrypt:PSA_KEY_TYPE_AES:"D7828D13B2B0BDC325A76236DF93CC6B":PSA_ALG_CCM:"00412B4EA9CDBE3C9696766CFA":"0BE1A88BACE018B1":"4CB97F86A2A4689A877947AB8091EF5386A6FFBDD080F8120333D1FCB691F3406CBF531F83A4D8":1:"08E8CF97D820EA258460E96AD9CF5289054D895CEAC47C" + +PSA Multipart AEAD decrypt, AES - CCM, 40 bytes (lengths set) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_decrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6d80e8bf80f4a46cab06d4313f0db9be9":1:"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef" + +PSA Multipart AEAD decrypt: AES - CCM, 24 bytes, T = 4 (lengths set) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_decrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM,4):"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6643b4f39":1:"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef" + +PSA Multipart AEAD decrypt: AES - CCM, 24 bytes, T = 6 (lengths set) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_decrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM,6):"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b63fdffcd729bc":1:"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef" + +PSA Multipart AEAD decrypt: AES - CCM, 24 bytes, T = 8 (lengths set) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_decrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM,8):"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b64cf2c3bf5f220776":1:"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef" + +PSA Multipart AEAD decrypt: AES - CCM, 24 bytes, T = 10 (lengths set) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_decrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM,10):"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b69613343621327defd18e":1:"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef" + +PSA Multipart AEAD decrypt: AES - CCM, 24 bytes, T = 12 (lengths set) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_decrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM,12):"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b69a2e5d8faee3138fa5cf9846":1:"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef" + +PSA Multipart AEAD decrypt: AES - CCM, 24 bytes, T = 14 (lengths set) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_decrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM,14):"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6c99af01cdb6aa76df73c8646c27f":1:"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef" + +PSA Multipart AEAD decrypt: AES - CCM, 24 bytes, T = 16 (lengths set) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_decrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM,16):"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6d80e8bf80f4a46cab06d4313f0db9be9":1:"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef" + PSA Multipart AEAD encrypt, AES-GCM, 128 bytes #1 depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES aead_multipart_encrypt:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_GCM:"00e440846db73a490573deaf3728c94f":"a3cfcb832e935eb5bc3812583b3a1b2e82920c07fda3668a35d939d8f11379bb606d39e6416b2ef336fffb15aec3f47a71e191f4ff6c56ff15913562619765b26ae094713d60bab6ab82bfc36edaaf8c7ce2cf5906554dcc5933acdb9cb42c1d24718efdc4a09256020b024b224cfe602772bd688c6c8f1041a46f7ec7d51208":"5431d93278c35cfcd7ffa9ce2de5c6b922edffd5055a9eaa5b54cae088db007cf2d28efaf9edd1569341889073e87c0a88462d77016744be62132fd14a243ed6e30e12cd2f7d08a8daeec161691f3b27d4996df8745d74402ee208e4055615a8cb069d495cf5146226490ac615d7b17ab39fb4fdd098e4e7ee294d34c1312826":0:"3b6de52f6e582d317f904ee768895bd4d0790912efcf27b58651d0eb7eb0b2f07222c6ffe9f7e127d98ccb132025b098a67dc0ec0083235e9f83af1ae1297df4319547cbcb745cebed36abc1f32a059a05ede6c00e0da097521ead901ad6a73be20018bda4c323faa135169e21581e5106ac20853642e9d6b17f1dd925c872814365847fe0b7b7fbed325953df344a96" @@ -3214,6 +3339,46 @@ PSA Multipart AEAD decrypt: ChaCha20 - Poly1305 (good tag, zero - length input) depends_on:PSA_WANT_ALG_CHACHA20_POLY1305:PSA_WANT_KEY_TYPE_CHACHA20 aead_multipart_decrypt:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_CHACHA20_POLY1305:"070000004041424344454647":"":"a0784d7a4716f3feb4f64e7f4b39bf04":1:"" +PSA Multipart AEAD verify: AES - CCM, invalid signature +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_verify:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26d56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6d80e8bf80f4a46cab06d4313f0db9be9":"7c0a61c9f825a48671ea05910748c8ef":1:PSA_ERROR_INVALID_SIGNATURE + +PSA Multipart AEAD verify: AES - CCM, invalid signature, T = 4 +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_verify:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM,4):"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6643b4f38":"0748c8ef":1:PSA_ERROR_INVALID_SIGNATURE + +PSA Multipart AEAD verify: AES - CCM, T = 4, tag is truncated tag for T = 16 +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_verify:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM,4):"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d":"0748c8ef":1:PSA_ERROR_INVALID_SIGNATURE + +PSA Multipart AEAD verify: AES - CCM, invalid tag length 0 +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_verify:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM,0):"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":"":1:PSA_ERROR_INVALID_ARGUMENT + +PSA Multipart AEAD verify: AES - CCM, invalid tag length 2 +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_verify:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM,2):"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":"c8ef":1:PSA_ERROR_INVALID_ARGUMENT + +PSA Multipart AEAD verify: AES - CCM, invalid tag length 15 +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_verify:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM,15):"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":"0a61c9f825a48671ea05910748c8ef":1:PSA_ERROR_INVALID_ARGUMENT + +PSA Multipart AEAD verify: AES - CCM, T = 16, but passing 15 bytes +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_verify:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":"0a61c9f825a48671ea05910748c8ef":1:PSA_ERROR_INVALID_SIGNATURE + +PSA Multipart AEAD verify: AES - CCM, T = 16, but passing 17 bytes +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_verify:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":"532b0a61c9f825a48671ea05910748c8ef":1:PSA_ERROR_INVALID_SIGNATURE + +PSA Multipart AEAD verify: AES - CCM, T = 16 but passing 0 bytes (valid buffer) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_verify:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":"":1:PSA_ERROR_INVALID_SIGNATURE + +PSA Multipart AEAD verify: AES - CCM, T = 16 but passing 0 bytes (NULL buffer) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_verify:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":"":0:PSA_ERROR_INVALID_SIGNATURE + PSA Multipart AEAD verify, AES - GCM, invalid signature depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES aead_multipart_verify:PSA_KEY_TYPE_AES:"fe96eab10ff48c7942025422583d0377":PSA_ALG_GCM:"97ce3f848276783599c6875de324361e":"127628b6dcbce6fc8a8ef60798eb67b2088415635119697d20bb878c24d9c6f9c29e148521cb5e0feff892c7855d4f1c0bfb32ad33420976714dce87a0bbc18e4378bd1ef35197d0ca73051148f1199010f63caf122df5f71ad8d9c71df3eb2fbe3b2529d0ba657570358d3776f687bdb9c96d5e0e9e00c4b42d5d7a268d6a08":"12195120056ca3cac70d583603a476821bac6c57c9733b81cfb83538dc9e850f8bdf46065069591c23ebcbc6d1e2523375fb7efc80c09507fa25477ed07cee54fc4eb90168b3ef988f651fc40652474a644b1b311decf899660aef2347bb081af48950f06ebf799911e37120de94c55c20e5f0a77119be06e2b6e557f872fa0f":"6bac793bdc2190a195122c98544ccf56":1:PSA_ERROR_INVALID_SIGNATURE @@ -3246,6 +3411,22 @@ PSA Multipart AEAD verify: ChaCha20 - Poly1305 (RFC7539, bad tag) depends_on:PSA_WANT_ALG_CHACHA20_POLY1305:PSA_WANT_KEY_TYPE_CHACHA20 aead_multipart_verify:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_CHACHA20_POLY1305:"070000004041424344454647":"50515253c0c1c2c3c4c5c6c7":"d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b6116":"1ae10b594f09e26a7e902ecbd0600690":1:PSA_ERROR_INVALID_SIGNATURE +PSA Multipart Nonce Generation: AES - CCM, NONCE = (Req 13 / Expect 13) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_generate_nonce:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:13:13:"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":PSA_SUCCESS + +PSA Multipart Nonce Generation: AES - CCM, NONCE = (Req 12 / Expect 0) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_generate_nonce:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:12:0:"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":PSA_ERROR_BUFFER_TOO_SMALL + +PSA Multipart Nonce Generation: AES - CCM, NONCE = (Req 0 / Expect 0) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_generate_nonce:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:0:0:"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":PSA_ERROR_BUFFER_TOO_SMALL + +PSA Multipart Nonce Generation: AES - CCM, NONCE = (Req 16 / Expect 13) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_generate_nonce:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:16:13:"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":PSA_SUCCESS + PSA Multipart Nonce Generation, AES - GCM, NONCE = (Req 12 / Expect 12) depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES aead_multipart_generate_nonce:PSA_KEY_TYPE_AES:"aa740abfadcda779220d3b406c5d7ec09a77fe9d94104539":PSA_ALG_GCM:12:12:"290322092d57479e20f6281e331d95a9":"e7fb0631eebf9bdba87045b33650c4ce":PSA_SUCCESS @@ -3278,11 +3459,35 @@ PSA Multipart Nonce Generation: ChaCha20 - Poly1305, NONCE = (Req 16 / Expect 12 depends_on:PSA_WANT_ALG_CHACHA20_POLY1305:PSA_WANT_KEY_TYPE_CHACHA20 aead_multipart_generate_nonce:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_CHACHA20_POLY1305:16:12:"":"":PSA_SUCCESS -PSA Multipart Set Nonce, AES - GCM, NONCE = 0 (NULL) +PSA Multipart Set Nonce: AES - CCM, NONCE = 0 (NULL) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_set_nonce:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:0:"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":PSA_ERROR_INVALID_ARGUMENT + +PSA Multipart Set Nonce: AES - CCM, NONCE = 0 (NON-NULL) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_set_nonce:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:-1:"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":PSA_ERROR_INVALID_ARGUMENT + +PSA Multipart Set Nonce: AES - CCM, NONCE = 6 (too small) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_set_nonce:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:6:"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":PSA_ERROR_INVALID_ARGUMENT + +PSA Multipart Set Nonce: AES - CCM, NONCE = 14 (too long) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_set_nonce:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:14:"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":PSA_ERROR_INVALID_ARGUMENT + +PSA Multipart Set Nonce: AES - CCM_8, NONCE = 6 (too small) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_set_nonce:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM,8):6:"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":PSA_ERROR_INVALID_ARGUMENT + +PSA Multipart Set Nonce: AES - CCM_8, NONCE = 14 (too long) +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_set_nonce:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM,8):14:"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6":PSA_ERROR_INVALID_ARGUMENT + +PSA Multipart Set Nonce, AES - GCM, NONCE = 0 (NULL) (too small) depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES aead_multipart_set_nonce:PSA_KEY_TYPE_AES:"aa740abfadcda779220d3b406c5d7ec09a77fe9d94104539":PSA_ALG_GCM:0:"":"":PSA_ERROR_INVALID_ARGUMENT -PSA Multipart Set Nonce, AES - GCM, NONCE = 0 (Non-NULL) +PSA Multipart Set Nonce, AES - GCM, NONCE = 0 (Non-NULL) (too small) depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES aead_multipart_set_nonce:PSA_KEY_TYPE_AES:"aa740abfadcda779220d3b406c5d7ec09a77fe9d94104539":PSA_ALG_GCM:-1:"":"":PSA_ERROR_INVALID_ARGUMENT @@ -3294,11 +3499,11 @@ PSA Multipart Set Nonce, AES - GCM, NONCE = 20 depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES aead_multipart_set_nonce:PSA_KEY_TYPE_AES:"aa740abfadcda779220d3b406c5d7ec09a77fe9d94104539":PSA_ALG_GCM:20:"290322092d57479e20f6281e331d95a9":"e7fb0631eebf9bdba87045b33650c4ce":PSA_SUCCESS -PSA Multipart Set Nonce, AES - GCM_12, NONCE = 0 (NULL) +PSA Multipart Set Nonce, AES - GCM_12, NONCE = 0 (NULL) (too small) depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES aead_multipart_set_nonce:PSA_KEY_TYPE_AES:"aa740abfadcda779220d3b406c5d7ec09a77fe9d94104539":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM,12):0:"":"":PSA_ERROR_INVALID_ARGUMENT -PSA Multipart Set Nonce, AES - GCM_12, NONCE = 0 (Non-NULL) +PSA Multipart Set Nonce, AES - GCM_12, NONCE = 0 (Non-NULL) (too small) depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES aead_multipart_set_nonce:PSA_KEY_TYPE_AES:"aa740abfadcda779220d3b406c5d7ec09a77fe9d94104539":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM,12):-1:"":"":PSA_ERROR_INVALID_ARGUMENT @@ -3310,7 +3515,7 @@ PSA Multipart Set Nonce, AES - GCM_12, NONCE = 20 depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES aead_multipart_set_nonce:PSA_KEY_TYPE_AES:"aa740abfadcda779220d3b406c5d7ec09a77fe9d94104539":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM,12):20:"290322092d57479e20f6281e331d95a9":"e7fb0631eebf9bdba87045b33650c4ce":PSA_SUCCESS -PSA Multipart Set Nonce: ChaCha20 - Poly1305, NONCE = 11 +PSA Multipart Set Nonce: ChaCha20 - Poly1305, NONCE = 11 (too small) depends_on:PSA_WANT_ALG_CHACHA20_POLY1305:PSA_WANT_KEY_TYPE_CHACHA20 aead_multipart_set_nonce:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_CHACHA20_POLY1305:11:"50515253c0c1c2c3c4c5c6c7":"4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e":PSA_ERROR_INVALID_ARGUMENT @@ -3318,18 +3523,26 @@ PSA Multipart Set Nonce: ChaCha20 - Poly1305, NONCE = 12 depends_on:PSA_WANT_ALG_CHACHA20_POLY1305:PSA_WANT_KEY_TYPE_CHACHA20 aead_multipart_set_nonce:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_CHACHA20_POLY1305:12:"50515253c0c1c2c3c4c5c6c7":"4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e":PSA_SUCCESS -PSA Multipart Set Nonce: ChaCha20 - Poly1305, NONCE = 13 +PSA Multipart Set Nonce: ChaCha20 - Poly1305, NONCE = 13 (too big) depends_on:PSA_WANT_ALG_CHACHA20_POLY1305:PSA_WANT_KEY_TYPE_CHACHA20 aead_multipart_set_nonce:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_CHACHA20_POLY1305:13:"50515253c0c1c2c3c4c5c6c7":"4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e":PSA_ERROR_INVALID_ARGUMENT -PSA Multipart Set Nonce: ChaCha20 - Poly1305, NONCE = 0 (NULL) +PSA Multipart Set Nonce: ChaCha20 - Poly1305, NONCE = 0 (NULL) (too small) depends_on:PSA_WANT_ALG_CHACHA20_POLY1305:PSA_WANT_KEY_TYPE_CHACHA20 aead_multipart_set_nonce:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_CHACHA20_POLY1305:0:"":"":PSA_ERROR_INVALID_ARGUMENT -PSA Multipart Set Nonce: ChaCha20 - Poly1305, NONCE = 0 (Non-NULL) +PSA Multipart Set Nonce: ChaCha20 - Poly1305, NONCE = 0 (Non-NULL) (too small) depends_on:PSA_WANT_ALG_CHACHA20_POLY1305:PSA_WANT_KEY_TYPE_CHACHA20 aead_multipart_set_nonce:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_CHACHA20_POLY1305:-1:"":"":PSA_ERROR_INVALID_ARGUMENT +PSA AEAD output buffer test: AES - CCM, IN = 40 BUF = 39 +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_update_buffer_test:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:39:"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26d56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6d80e8bf80f4a46cab06d4313f0db9be9":PSA_ERROR_BUFFER_TOO_SMALL + +PSA AEAD output buffer test: AES - CCM, IN = 40 BUF = 0 +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_update_buffer_test:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:0:"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26d56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6d80e8bf80f4a46cab06d4313f0db9be9":PSA_ERROR_BUFFER_TOO_SMALL + PSA AEAD output buffer test: AES - GCM, IN = 16, BUF = 15 depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES aead_multipart_update_buffer_test:PSA_KEY_TYPE_AES:"fbc0b4c56a714c83217b2d1bcadd2ed2e9efb0dcac6cc19f":PSA_ALG_GCM:15:"5f4b43e811da9c470d6a9b01":"":"d2ae38c4375954835d75b8e4c2f9bbb4":PSA_ERROR_BUFFER_TOO_SMALL @@ -3346,6 +3559,18 @@ PSA AEAD output buffer test: ChaCha20 - Poly1305 IN = 130, BUF = 0 depends_on:PSA_WANT_ALG_CHACHA20_POLY1305:PSA_WANT_KEY_TYPE_CHACHA20 aead_multipart_update_buffer_test:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_CHACHA20_POLY1305:0:"070000004041424344454647":"50515253c0c1c2c3c4c5c6c7":"d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b61161ae10b594f09e26a7e902ecbd0600691":PSA_ERROR_BUFFER_TOO_SMALL +PSA AEAD finish buffer test: AES - CCM, BUF = 0, TAG = 20 +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_finish_buffer_test:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:0:20:"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26d56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6d80e8bf80f4a46cab06d4313f0db9be9":PSA_SUCCESS + +PSA AEAD finish buffer test: AES - CCM, BUF = 0, TAG = 15 +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_finish_buffer_test:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:0:15:"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26d56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6d80e8bf80f4a46cab06d4313f0db9be9":PSA_ERROR_BUFFER_TOO_SMALL + +PSA AEAD finish buffer test: AES - CCM, BUF = 0, TAG = 0 +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_finish_buffer_test:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:0:0:"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"26d56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6d80e8bf80f4a46cab06d4313f0db9be9":PSA_ERROR_BUFFER_TOO_SMALL + PSA AEAD finish buffer test: AES - GCM, BUF = 8, TAG = 16 depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES aead_multipart_finish_buffer_test:PSA_KEY_TYPE_AES:"fbc0b4c56a714c83217b2d1bcadd2ed2e9efb0dcac6cc19f":PSA_ALG_GCM:8:16:"5f4b43e811da9c470d6a9b01":"":"d2ae38c4375954835d75b8e4c2f9bbb4":PSA_SUCCESS @@ -3386,6 +3611,10 @@ PSA AEAD setup: invalid algorithm (ChaCha20 - Poly1305 with short tag) depends_on:PSA_WANT_ALG_CHACHA20_POLY1305:PSA_WANT_KEY_TYPE_CHACHA20 aead_multipart_setup:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305,12):PSA_ERROR_NOT_SUPPORTED +PSA AEAD setup: AES - CCM, invalid tag length 18 +depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES +aead_multipart_setup:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM,18):PSA_ERROR_INVALID_ARGUMENT + PSA Multipart State Checks, AES - GCM depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES aead_multipart_state_test:PSA_KEY_TYPE_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":PSA_ALG_GCM:"000102030405060708090A0B0C0D0E0F":"000102030405060708090A0B":"0C0D0E0F101112131415161718191A1B1C1D1E" @@ -3406,6 +3635,10 @@ PSA signature size: RSA keypair, 1024 bits, PSS depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR signature_size:PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_ALG_RSA_PSS( PSA_ALG_SHA_256 ):128 +PSA signature size: RSA keypair, 1024 bits, PSS-any-salt +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR +signature_size:PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_ALG_RSA_PSS_ANY_SALT( PSA_ALG_SHA_256 ):128 + PSA signature size: RSA keypair, 1023 bits, PKCS#1 v1.5 raw depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR signature_size:PSA_KEY_TYPE_RSA_KEY_PAIR:1023:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:128 @@ -3422,6 +3655,10 @@ PSA import/exercise RSA keypair, PSS-SHA-256 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C import_and_exercise_key:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256) +PSA import/exercise RSA keypair, PSS-any-salt-SHA-256 +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C +import_and_exercise_key:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256) + PSA import/exercise RSA public key, PKCS#1 v1.5 raw depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C import_and_exercise_key:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_KEY_TYPE_RSA_PUBLIC_KEY:1024:PSA_ALG_RSA_PKCS1V15_SIGN_RAW @@ -3430,6 +3667,10 @@ PSA import/exercise RSA public key, PSS-SHA-256 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C import_and_exercise_key:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_KEY_TYPE_RSA_PUBLIC_KEY:1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256) +PSA import/exercise RSA public key, PSS-any-salt-SHA-256 +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C +import_and_exercise_key:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_KEY_TYPE_RSA_PUBLIC_KEY:1024:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256) + PSA import/exercise: ECP SECP256R1 keypair, ECDSA depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 import_and_exercise_key:"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_ALG_ECDSA_ANY @@ -3463,7 +3704,7 @@ depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TY sign_hash_deterministic:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f" PSA sign hash: deterministic ECDSA SECP256R1 SHA-384 -depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_MD_C +depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_MD_C:MBEDLTS_PSA_BUILTIN_ALG_SHA_384 sign_hash_deterministic:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_384 ):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca" PSA sign hash: deterministic ECDSA SECP384R1 SHA-256 @@ -3490,10 +3731,18 @@ PSA sign hash: RSA PSS SHA-256, wrong hash length (0 bytes) depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C sign_hash_fail:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":127:PSA_ERROR_INVALID_ARGUMENT +PSA sign hash: RSA PSS-any-salt SHA-256, wrong hash length (0 bytes) +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C +sign_hash_fail:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):"":127:PSA_ERROR_INVALID_ARGUMENT + PSA sign hash: RSA PSS SHA-256, wrong hash length (129 bytes) depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C sign_hash_fail:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":127:PSA_ERROR_INVALID_ARGUMENT +PSA sign hash: RSA PSS-any-salt SHA-256, wrong hash length (129 bytes) +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C +sign_hash_fail:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":127:PSA_ERROR_INVALID_ARGUMENT + PSA sign hash: deterministic ECDSA SECP256R1 SHA-256, output buffer too small depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_ERROR_BUFFER_TOO_SMALL @@ -3538,6 +3787,10 @@ PSA sign/verify hash: RSA PSS SHA-256, 32 bytes (hash size) depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C sign_verify_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" +PSA sign/verify hash: RSA PSS-any-salt SHA-256, 32 bytes (hash size) +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C +sign_verify_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" + PSA sign/verify hash: randomized ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 sign_verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" @@ -3547,11 +3800,11 @@ depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TY sign_verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b" PSA sign/verify hash: randomized ECDSA SECP256R1 SHA-384 -depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ALG_SHA_384 sign_verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA( PSA_ALG_SHA_384 ):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f" PSA sign/verify hash: deterministic ECDSA SECP256R1 SHA-384 -depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_MD_C +depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_MD_C:MBEDTLS_PSA_BUILTIN_ALG_SHA_384 sign_verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_384 ):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f" PSA sign/verify hash: randomized ECDSA SECP384R1 SHA-256 @@ -3571,7 +3824,7 @@ depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE verify_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311" PSA verify hash: RSA PKCS#1 v1.5 SHA-256, wrong hash length -depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_1:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_1:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C:MBEDTLS_PSA_BUILTIN_ALG_SHA_1 verify_hash_fail:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_1):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311":PSA_ERROR_INVALID_ARGUMENT PSA verify hash: RSA PKCS#1 v1.5 SHA-256, wrong signature (same size) @@ -3594,18 +3847,86 @@ PSA verify hash: RSA PKCS#1 v1.5 SHA-256, wrong signature (leading junk) depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C verify_hash_fail:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"21a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311":PSA_ERROR_INVALID_SIGNATURE -PSA verify hash: RSA PSS SHA-256, good signature, 32 bytes (hash size) +PSA verify hash: RSA-1024 PSS SHA-256, slen=0 (bad) +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C +verify_hash_fail:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"abc4b612c6b71e13fa5965b2e25ee6adec5b1f211b2db158e9f3c4547d6cbef909a73dfb474b8caaf6c8fcafa10ec0bbadfd1883289ce33ad08ad533c61ea004fef4d9b76a1efc267efd066ae8918cb8e994faad30ff5e340e14c941926ba7ca9422b86e8055df1c1b90a5959a59cc7a5fc15cbd0d848cd40f7857b7629b668b":PSA_ERROR_INVALID_SIGNATURE + +PSA verify hash: RSA-1024 PSS-any-salt SHA-256, slen=0 +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C +verify_hash:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"abc4b612c6b71e13fa5965b2e25ee6adec5b1f211b2db158e9f3c4547d6cbef909a73dfb474b8caaf6c8fcafa10ec0bbadfd1883289ce33ad08ad533c61ea004fef4d9b76a1efc267efd066ae8918cb8e994faad30ff5e340e14c941926ba7ca9422b86e8055df1c1b90a5959a59cc7a5fc15cbd0d848cd40f7857b7629b668b" + +PSA verify hash: RSA-1024 PSS SHA-256, slen=31 (bad) +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C +verify_hash_fail:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"797914eadbbe8293a7b0fe29d2db9fb246b519128d46d3ec93142a1a08a2992ba5325ad9b5ce55344b37996dbb81eb89628263cae4e3fc0e947dec0b8b0c7b0ee94bca02dd287f9cc619e2d88fb2279fb2a8f8301271c58009bb1223f3cfa730cb852947685678cfdef2968c82a9b8bffd8c0d518476b1ea2a5ad6c100045d8e":PSA_ERROR_INVALID_SIGNATURE + +PSA verify hash: RSA-1024 PSS-any-salt SHA-256, slen=31 +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C +verify_hash:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"797914eadbbe8293a7b0fe29d2db9fb246b519128d46d3ec93142a1a08a2992ba5325ad9b5ce55344b37996dbb81eb89628263cae4e3fc0e947dec0b8b0c7b0ee94bca02dd287f9cc619e2d88fb2279fb2a8f8301271c58009bb1223f3cfa730cb852947685678cfdef2968c82a9b8bffd8c0d518476b1ea2a5ad6c100045d8e" + +PSA verify hash: RSA-1024 PSS SHA-256, slen=32 +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C +verify_hash:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"6b201c50637962338d1b218c1d26f031205a0e3c47bc4c54856aa037e5a332d2981e80a51648e902e46046e5507a255c4c73f5ff40d5a54c0a11d2eca7804e1767b20ea12c945a23f5473181d379689c1ba634a2c47c0a8ec90c922ca6466ae9e9fb92871c9043b5858ae34828bceb4ead82db8f21a18ebe1d95b469bbdef1df" + +PSA verify hash: RSA-1024 PSS-any-salt SHA-256, slen=32 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C -verify_hash:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"1967ae568cc071dfebeeca76b11d40bd1ec5af241c50b3dcceff21f4536c0693a7179a8d5d163a7625fefd37c161127800edeebc24fa73ca772096827bd3f75e8ccf2c64f07b7171b5c99022a4d73b760f34a385ccff0bd5ed7997d2a29d2847acb0767f93a2a404bc046c97de66d95dc9f7646fdb216b627b2ea0de8afcefb7" +verify_hash:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"6b201c50637962338d1b218c1d26f031205a0e3c47bc4c54856aa037e5a332d2981e80a51648e902e46046e5507a255c4c73f5ff40d5a54c0a11d2eca7804e1767b20ea12c945a23f5473181d379689c1ba634a2c47c0a8ec90c922ca6466ae9e9fb92871c9043b5858ae34828bceb4ead82db8f21a18ebe1d95b469bbdef1df" + +PSA verify hash: RSA-1024 PSS SHA-256, slen=94 (bad) +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C +verify_hash_fail:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"44a09fa66f1b2e790474960e90517e418747cfcd18423dff957516a598569d74f26ef1eae4a200d12d801e16fc6fde375330c79c0d8430825e0a7f69c664faefccfa25e7fbfc68af02af0f67fe4c49f68f6abc68c8f66d3fd77fc838961f4415827340c66e39c79ed7dae0738c08ce8272aebe50c72e31994b9b6db640b51800":PSA_ERROR_INVALID_SIGNATURE + +PSA verify hash: RSA-1024 PSS-any-salt SHA-256, slen=94 +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C +verify_hash:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"44a09fa66f1b2e790474960e90517e418747cfcd18423dff957516a598569d74f26ef1eae4a200d12d801e16fc6fde375330c79c0d8430825e0a7f69c664faefccfa25e7fbfc68af02af0f67fe4c49f68f6abc68c8f66d3fd77fc838961f4415827340c66e39c79ed7dae0738c08ce8272aebe50c72e31994b9b6db640b51800" + +PSA verify hash: RSA-1024 PSS SHA-512, slen=61 (bad) +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_512:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C:MBEDTLS_PSA_BUILTIN_ALG_SHA_512 +verify_hash_fail:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS(PSA_ALG_SHA_512):"ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f":"23f5b30c8d612d8f31206c177ac2023c4f44754d03c7ff67daff99f24fa369b3e5f7c15b228a4417a1ff1c93fb8d645d619c2f4f559ac6c7f7bac20ba9df32353d19941265a4e74261adaf45d48682c0bc86cea6128f11ad172ff461fb1d97bded615861843996e2a98e7b8313b695519d001ae35305d6cbf3c0ee6c7ab06d1a":PSA_ERROR_INVALID_SIGNATURE + +PSA verify hash: RSA-1024 PSS-any-salt SHA-512, slen=61 +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_512:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C:MBEDTLS_PSA_BUILTIN_ALG_SHA_512 +verify_hash:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_512):"ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f":"23f5b30c8d612d8f31206c177ac2023c4f44754d03c7ff67daff99f24fa369b3e5f7c15b228a4417a1ff1c93fb8d645d619c2f4f559ac6c7f7bac20ba9df32353d19941265a4e74261adaf45d48682c0bc86cea6128f11ad172ff461fb1d97bded615861843996e2a98e7b8313b695519d001ae35305d6cbf3c0ee6c7ab06d1a" + +PSA verify hash: RSA-1024 PSS SHA-512, slen=62 +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_512:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C:MBEDTLS_PSA_BUILTIN_ALG_SHA_512 +verify_hash:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS(PSA_ALG_SHA_512):"ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f":"6b215d77cf88b2d08be53b4f3ac6e72ebfbf7e0dc6c1e77b238cfb661c247a011b8746709fbefe4bc05d37343391683e9489d720ecbb7df37f4e36967918958996939461703465c2014a4c12faf875f8def70070e55b765b165c7e9c6f2eb05c98351b1e82219c31a2fb3ddce05f8988f552ff92f0b3471f63c0e53824c550a4" + +PSA verify hash: RSA-1024 PSS-any-salt SHA-512, slen=62 +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_512:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C:MBEDTLS_PSA_BUILTIN_ALG_SHA_512 +verify_hash:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_512):"ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f":"6b215d77cf88b2d08be53b4f3ac6e72ebfbf7e0dc6c1e77b238cfb661c247a011b8746709fbefe4bc05d37343391683e9489d720ecbb7df37f4e36967918958996939461703465c2014a4c12faf875f8def70070e55b765b165c7e9c6f2eb05c98351b1e82219c31a2fb3ddce05f8988f552ff92f0b3471f63c0e53824c550a4" + +PSA verify hash: RSA-528 PSS SHA-512, slen=0 +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_512:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C:MBEDTLS_PSA_BUILTIN_ALG_SHA_512 +verify_hash:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"304a024300e31c246d46485984261fd174cab3d4357344602ecd793c47dbe54252d37bb350bc634359b19515542080e4724a4b672291be57c7648f51629eaef234e847d99cc65f0203010001":PSA_ALG_RSA_PSS(PSA_ALG_SHA_512):"ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f":"a14ad0fef77d36c28658a66129ee632e40e1032003eefe7fcda8e52b06675a051c80b2ca1cb99ed0762e90c9a48c434cd1063638eed7895a9c770e5435af750a1955" + +PSA verify hash: RSA-528 PSS-any-salt SHA-512, slen=0 +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_512:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C:MBEDTLS_PSA_BUILTIN_ALG_SHA_512 +verify_hash:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"304a024300e31c246d46485984261fd174cab3d4357344602ecd793c47dbe54252d37bb350bc634359b19515542080e4724a4b672291be57c7648f51629eaef234e847d99cc65f0203010001":PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_512):"ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f":"a14ad0fef77d36c28658a66129ee632e40e1032003eefe7fcda8e52b06675a051c80b2ca1cb99ed0762e90c9a48c434cd1063638eed7895a9c770e5435af750a1955" + +PSA verify hash: RSA-520 PSS SHA-512 (hash too large) +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_512:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C:MBEDTLS_PSA_BUILTIN_ALG_SHA_512 +verify_hash_fail:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"3049024200d5a06f86e5b9d87428540165ca966fa8893a62e2a59d0bfd7617780bb039f9165a373a8e119d0766f8de556710f33f67019153bad8223775e797d451d48206f3bf0203010001":PSA_ALG_RSA_PSS(PSA_ALG_SHA_512):"ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f":"deaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddead42":PSA_ERROR_INVALID_ARGUMENT + +PSA verify hash: RSA-520 PSS-any-salt SHA-512 (hash too large) +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_512:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C:MBEDTLS_PSA_BUILTIN_ALG_SHA_512 +verify_hash_fail:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"3049024200d5a06f86e5b9d87428540165ca966fa8893a62e2a59d0bfd7617780bb039f9165a373a8e119d0766f8de556710f33f67019153bad8223775e797d451d48206f3bf0203010001":PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_512):"ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f":"deaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddeaddead42":PSA_ERROR_INVALID_ARGUMENT PSA verify hash: RSA PSS SHA-256, wrong hash length (0 bytes) depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C verify_hash_fail:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"34c011b625c32d992f4ab8fcfa52b616ea66270b5b75a4fc71af712f9b8806bcdd374ce50eafcbb489562b93347885f93c2de1d404c45cacccefceb112ff6ffdfe4264f91d66320bbbe09304b851b8ad6280bbccc571eebcd49c7db5dfa399a6289e1978407904598751613d9870770cdd8507e3dc7b46851dbf05ae1df2988d":PSA_ERROR_INVALID_ARGUMENT +PSA verify hash: RSA PSS-any-salt SHA-256, wrong hash length (0 bytes) +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C +verify_hash_fail:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):"":"34c011b625c32d992f4ab8fcfa52b616ea66270b5b75a4fc71af712f9b8806bcdd374ce50eafcbb489562b93347885f93c2de1d404c45cacccefceb112ff6ffdfe4264f91d66320bbbe09304b851b8ad6280bbccc571eebcd49c7db5dfa399a6289e1978407904598751613d9870770cdd8507e3dc7b46851dbf05ae1df2988d":PSA_ERROR_INVALID_ARGUMENT + PSA verify hash: RSA PSS SHA-256, wrong hash length (129 bytes) depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C verify_hash_fail:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":"1491cead330b4ad5b092f8351518141ac11d0888591572669c1e79d6e932c488acd62d44479b0e14cd91a048778bc02398a772ad6bdb4f7764780cf0afe70293d0cac86f2695a1dcb54568bb37d7086f9e86f95a6802d2ee5a4facaa762beff5261bb2816b62cb5af86404974c3f6b67985ac1fbfdf46d6de54f6e29d9274308":PSA_ERROR_INVALID_ARGUMENT +PSA verify hash: RSA PSS-any-salt SHA-256, wrong hash length (129 bytes) +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C +verify_hash_fail:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":"1491cead330b4ad5b092f8351518141ac11d0888591572669c1e79d6e932c488acd62d44479b0e14cd91a048778bc02398a772ad6bdb4f7764780cf0afe70293d0cac86f2695a1dcb54568bb37d7086f9e86f95a6802d2ee5a4facaa762beff5261bb2816b62cb5af86404974c3f6b67985ac1fbfdf46d6de54f6e29d9274308":PSA_ERROR_INVALID_ARGUMENT + PSA verify hash: ECDSA SECP256R1, good depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_hash:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f" @@ -3651,7 +3972,7 @@ depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TY sign_message_deterministic:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"616263":"36e5b5a7da1c9c265dc447de3a5a704fcb8c03f7a3749dde48d84c9bf736fc1ed48d8b3660e7d3cbc6b1870730b7ce2a043f69e37ccb340b98d1e65184e03548" PSA sign message: deterministic ECDSA SECP256R1 SHA-384 -depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_MD_C +depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_MD_C:MBEDLTS_PSA_BUILTIN_ALG_SHA_384 sign_message_deterministic:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"616263":"7ea712a20e3a8cbe0c6e64195362ba7635bbe78af51ddedd7a5fd858395250c592654c35d3b0614ae0e3b329c25cf5b4a5fcb243af3e3ad15c8446fe401be066" PSA sign message: deterministic ECDSA SECP384R1 SHA-256 @@ -3722,6 +4043,10 @@ PSA sign/verify message: RSA PSS SHA-256 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C sign_verify_message:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"616263" +PSA sign/verify message: RSA PSS-any-salt SHA-256 +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C +sign_verify_message:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):"616263" + PSA sign/verify message: RSA PSS SHA-256, 0 bytes depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C sign_verify_message:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"" @@ -3767,7 +4092,7 @@ depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAI sign_verify_message:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"616263" PSA sign/verify message: deterministic ECDSA SECP256R1 SHA-384 -depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_MD_C +depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_MD_C:MBEDLTS_PSA_BUILTIN_ALG_SHA_384 sign_verify_message:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"616263" PSA sign/verify message: randomized ECDSA SECP384R1 SHA-256 @@ -3786,22 +4111,46 @@ PSA verify message with keypair: RSA PKCS#1 v1.5 SHA-256, good signature depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C verify_message:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"616263":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311" -PSA verify message: RSA PSS SHA-256, good signature, 0 bytes +PSA verify message: RSA-1024 PSS SHA-256, slen=0 (bad) +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C +verify_message_fail:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"616263":"abc4b612c6b71e13fa5965b2e25ee6adec5b1f211b2db158e9f3c4547d6cbef909a73dfb474b8caaf6c8fcafa10ec0bbadfd1883289ce33ad08ad533c61ea004fef4d9b76a1efc267efd066ae8918cb8e994faad30ff5e340e14c941926ba7ca9422b86e8055df1c1b90a5959a59cc7a5fc15cbd0d848cd40f7857b7629b668b":PSA_ERROR_INVALID_SIGNATURE + +PSA verify message: RSA-1024 PSS-any-salt SHA-256, slen=0 +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C +verify_message:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):"616263":"abc4b612c6b71e13fa5965b2e25ee6adec5b1f211b2db158e9f3c4547d6cbef909a73dfb474b8caaf6c8fcafa10ec0bbadfd1883289ce33ad08ad533c61ea004fef4d9b76a1efc267efd066ae8918cb8e994faad30ff5e340e14c941926ba7ca9422b86e8055df1c1b90a5959a59cc7a5fc15cbd0d848cd40f7857b7629b668b" + +PSA verify message: RSA-1024 PSS SHA-256, slen=32 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C -verify_message:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"50c06249deb97228e277b51d3e3542a6e5c140d6f6d1cb8a3dff53b5ce6e6fcb39d0767703174135208adf5d75399dd7525702b275153e7605ec38b65d33337bb9bbeb8c392ee22e3e9c0dafa43074a8205e17df2106bedd7bf6f1ada702aeb2ce04864c0ca9ec31964f9a957d8ebb9abc82454ad37c541e9b4d9842436c14a4" +verify_message:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"616263":"6b201c50637962338d1b218c1d26f031205a0e3c47bc4c54856aa037e5a332d2981e80a51648e902e46046e5507a255c4c73f5ff40d5a54c0a11d2eca7804e1767b20ea12c945a23f5473181d379689c1ba634a2c47c0a8ec90c922ca6466ae9e9fb92871c9043b5858ae34828bceb4ead82db8f21a18ebe1d95b469bbdef1df" + +PSA verify message: RSA-1024 PSS-any-salt SHA-256, slen=32 +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C +verify_message:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):"616263":"6b201c50637962338d1b218c1d26f031205a0e3c47bc4c54856aa037e5a332d2981e80a51648e902e46046e5507a255c4c73f5ff40d5a54c0a11d2eca7804e1767b20ea12c945a23f5473181d379689c1ba634a2c47c0a8ec90c922ca6466ae9e9fb92871c9043b5858ae34828bceb4ead82db8f21a18ebe1d95b469bbdef1df" PSA verify message: RSA PSS SHA-256, good signature, 32 bytes (hash size) depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C verify_message:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":"6b65e1fdc900dce8a2b82130ae8ccfac27b6d0eb5f2c0c1085b80f34ceaaf064c8ff237e74a24a3c6fb7a842f172e5146315616281bbbeeae90febaab139a212decf1c68923f2a48e242b1fd72105e3a3f2329c30d78abe8673335ad08c5ba1aa515360bb5660050f1994bb08d3dd17e3407a379403bafa4e229b3c851283f6d" +PSA verify message: RSA PSS-any-salt SHA-256, good signature, 32 bytes (hash size) +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C +verify_message:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":"6b65e1fdc900dce8a2b82130ae8ccfac27b6d0eb5f2c0c1085b80f34ceaaf064c8ff237e74a24a3c6fb7a842f172e5146315616281bbbeeae90febaab139a212decf1c68923f2a48e242b1fd72105e3a3f2329c30d78abe8673335ad08c5ba1aa515360bb5660050f1994bb08d3dd17e3407a379403bafa4e229b3c851283f6d" + PSA verify message: RSA PSS SHA-256, good signature, 128 bytes (signature size) depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C verify_message:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":"29b65db0936b7fe408bda672077b0bc5e176177ba9a550fb548c292f7b4af1bb6475e0a979ba43dd644780801fabe5b62a1359cf7692918f30013e90c2362235765abc2078905d13b345dd689bf15e4e94ca51535d12f0675d5f13e9f254ba7696f0096d62deb023d106e9a96a5da3162bead6a745c8b9000868d2f9a447d5c5" +PSA verify message: RSA-any-salt PSS SHA-256, good signature, 128 bytes (signature size) +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C +verify_message:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":"29b65db0936b7fe408bda672077b0bc5e176177ba9a550fb548c292f7b4af1bb6475e0a979ba43dd644780801fabe5b62a1359cf7692918f30013e90c2362235765abc2078905d13b345dd689bf15e4e94ca51535d12f0675d5f13e9f254ba7696f0096d62deb023d106e9a96a5da3162bead6a745c8b9000868d2f9a447d5c5" + PSA verify message: RSA PSS SHA-256, good signature, 129 bytes depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C verify_message:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":"43286cc0fc599603fbb0cd1fd70c3a17b08d2adf4f90202dddfa4b9d74be8c720bbb1c714665466de6452d401ca061b68225785ff387c2615f03c81351cc3838cd3014a031a4f4c9f70bba06f504c6a9942ac2dbfed2329e590d526a9be26b4025a6d7c4151b4e795cfe756c9a8a5e8fa9228a6f5f6f427a5a070e5c0ea69830" +PSA verify message: RSA PSS-any-salt SHA-256, good signature, 129 bytes +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C +verify_message:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":"43286cc0fc599603fbb0cd1fd70c3a17b08d2adf4f90202dddfa4b9d74be8c720bbb1c714665466de6452d401ca061b68225785ff387c2615f03c81351cc3838cd3014a031a4f4c9f70bba06f504c6a9942ac2dbfed2329e590d526a9be26b4025a6d7c4151b4e795cfe756c9a8a5e8fa9228a6f5f6f427a5a070e5c0ea69830" + PSA verify message: ECDSA SECP256R1 SHA-256, good depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ALG_SHA_256:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256 verify_message:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"616263":"0f8c19f5affea6d593a33e176aa52717bff8d5875165fc63e80a2d65580d295789db5ffb5397ba4c67834e2731ee268ea6f7e83846fbb02145b35442db18cf0b" @@ -3879,11 +4228,11 @@ depends_on:PSA_WANT_ALG_RSA_OAEP:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBL asymmetric_encrypt:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"746869730069730061006c6162656c00":128:PSA_SUCCESS PSA encrypt: RSA OAEP-SHA-384, good -depends_on:PSA_WANT_ALG_RSA_OAEP:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C +depends_on:PSA_WANT_ALG_RSA_OAEP:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C:MBEDTLS_PSA_BUILTIN_ALG_SHA_384 asymmetric_encrypt:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_OAEP(PSA_ALG_SHA_384):"0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e":"":128:PSA_SUCCESS PSA encrypt: RSA OAEP-SHA-384, good, with label -depends_on:PSA_WANT_ALG_RSA_OAEP:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C +depends_on:PSA_WANT_ALG_RSA_OAEP:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C:MBEDTLS_PSA_BUILTIN_ALG_SHA_384 asymmetric_encrypt:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_OAEP(PSA_ALG_SHA_384):"0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e":"746869730069730061006c6162656c00":128:PSA_SUCCESS PSA encrypt: RSA PKCS#1 v1.5, key pair @@ -3903,7 +4252,7 @@ depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBED asymmetric_encrypt:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PKCS1V15_CRYPT:"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee":0:PSA_ERROR_INVALID_ARGUMENT PSA encrypt: RSA OAEP-SHA-384, input too large -depends_on:PSA_WANT_ALG_RSA_OAEP:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C +depends_on:PSA_WANT_ALG_RSA_OAEP:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C:MBEDTLS_PSA_BUILTIN_ALG_SHA_384 asymmetric_encrypt:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_OAEP(PSA_ALG_SHA_384):"0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f":"":0:PSA_ERROR_INVALID_ARGUMENT PSA encrypt: invalid algorithm @@ -3931,7 +4280,7 @@ depends_on:PSA_WANT_ALG_RSA_OAEP:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_ asymmetric_encrypt_decrypt:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"746869730069730061006c6162656c00" PSA encrypt-decrypt: RSA OAEP-SHA-384 -depends_on:PSA_WANT_ALG_RSA_OAEP:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C +depends_on:PSA_WANT_ALG_RSA_OAEP:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C:MBEDTLS_PSA_BUILTIN_ALG_SHA_384 asymmetric_encrypt_decrypt:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_OAEP(PSA_ALG_SHA_384):"0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e":"" PSA decrypt: RSA PKCS#1 v1.5: good #1 @@ -3967,7 +4316,7 @@ depends_on:PSA_WANT_ALG_RSA_OAEP:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_ asymmetric_decrypt:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256):"46edc9984a6d4b7c7fd88fda9ea91ddbd30b28a0793cc75a9fcdd94d867c69090a697d46a6f336a3e48a122dd3ee3b51566b445ff78adb613d09b7d8c59c25a27d8cf7f5e36455f2e71ff6c6ee98d5740e66b23794acc72906561951c2be5064f6a250646ab627ecbfa48c02f82c29fe9b8c8e6be8eb752432124974373b542c":"746869730069730061006c6162656c00":"74686973206973206e6f2073717565616d697368206f7373696672616765" PSA decrypt: RSA OAEP-SHA-384, 30 bytes -depends_on:PSA_WANT_ALG_RSA_OAEP:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C +depends_on:PSA_WANT_ALG_RSA_OAEP:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_C:MBEDTLS_PSA_BUILTIN_ALG_SHA_384 asymmetric_decrypt:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_OAEP(PSA_ALG_SHA_384):"0df6750b8fed749359c016887d2cf097cc512c065526a91a7ee9b345a1bfff833737e7326e54d03f6bb65971962885a7661a16858d53ea55821052f4c7798d395b5c5495332fd4174451a1a437f36c27f446b96f309ff1cb6837274aa8ae2b51a8a479d736d25b8d2ca8ab96fe589553a3e52818b7df75544eb5469977b29aa4":"":"74686973206973206e6f2073717565616d697368206f7373696672616765" PSA decrypt: RSA OAEP-SHA-256, 30 bytes, wrong label (should be empty) @@ -4089,7 +4438,7 @@ PSA key derivation: HKDF-SHA-256, bad key type, key output depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 # Whether we get NOT_PERMITTED or BAD_STATE for the output is an implementation # detail. -derive_input:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KEY_TYPE_RAW_DATA:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_DERIVATION_INPUT_INFO:PSA_KEY_TYPE_NONE:"":PSA_ERROR_BAD_STATE:PSA_KEY_TYPE_RAW_DATA:PSA_ERROR_NOT_PERMITTED +derive_input:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KEY_TYPE_RAW_DATA:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_DERIVATION_INPUT_INFO:PSA_KEY_TYPE_NONE:"":PSA_ERROR_BAD_STATE:PSA_KEY_TYPE_RAW_DATA:PSA_ERROR_BAD_STATE PSA key derivation: HKDF-SHA-256, direct secret, direct output depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 @@ -4768,6 +5117,10 @@ PSA generate key: RSA, 1024 bits, good, sign (PSS SHA-256) depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_GENPRIME:MBEDTLS_MD_C generate_key:PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_SUCCESS:0 +PSA generate key: RSA, 1024 bits, good, sign (PSS-any-salt SHA-256) +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_GENPRIME:MBEDTLS_MD_C +generate_key:PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):PSA_SUCCESS:0 + PSA generate key: RSA, 512 bits, good, encrypt (PKCS#1 v1.5) depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_GENPRIME generate_key:PSA_KEY_TYPE_RSA_KEY_PAIR:512:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_SUCCESS:0 diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 591c2960def2..638a85c936f5 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -1422,7 +1422,7 @@ void asymmetric_signature_key_policy( int policy_usage_arg, else TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); - if( PSA_ALG_IS_HASH_AND_SIGN( exercise_alg ) && + if( PSA_ALG_IS_SIGN_HASH( exercise_alg ) && PSA_ALG_IS_HASH( PSA_ALG_SIGN_GET_HASH( exercise_alg ) ) ) { status = psa_sign_message( key, exercise_alg, @@ -2863,6 +2863,40 @@ exit: } /* END_CASE */ +/* BEGIN_CASE */ +void cipher_encrypt_validate_iv_length( int alg, int key_type, data_t* key_data, + data_t *input, int iv_length, + int expected_result ) +{ + mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; + psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + size_t output_buffer_size = 0; + unsigned char *output = NULL; + + output_buffer_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE( key_type, alg, input->len ); + ASSERT_ALLOC( output, output_buffer_size ); + + PSA_ASSERT( psa_crypto_init( ) ); + + psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT ); + psa_set_key_algorithm( &attributes, alg ); + psa_set_key_type( &attributes, key_type ); + + PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, + &key ) ); + PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); + TEST_EQUAL( expected_result, psa_cipher_set_iv( &operation, output, + iv_length ) ); + +exit: + psa_cipher_abort( &operation ); + mbedtls_free( output ); + psa_destroy_key( key ); + PSA_DONE( ); +} +/* END_CASE */ + /* BEGIN_CASE */ void cipher_encrypt_alg_without_iv( int alg_arg, int key_type_arg, @@ -2873,6 +2907,9 @@ void cipher_encrypt_alg_without_iv( int alg_arg, mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_type_t key_type = key_type_arg; psa_algorithm_t alg = alg_arg; + psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; + uint8_t iv[1] = { 0x5a }; + size_t iv_length; unsigned char *output = NULL; size_t output_buffer_size = 0; size_t output_length = 0; @@ -2890,6 +2927,14 @@ void cipher_encrypt_alg_without_iv( int alg_arg, PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, &key ) ); + PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); + TEST_EQUAL( psa_cipher_set_iv( &operation, iv, sizeof( iv ) ), + PSA_ERROR_BAD_STATE ); + PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); + TEST_EQUAL( psa_cipher_generate_iv( &operation, iv, sizeof( iv ), + &iv_length ), + PSA_ERROR_BAD_STATE ); + PSA_ASSERT( psa_cipher_encrypt( key, alg, input->x, input->len, output, output_buffer_size, &output_length ) ); TEST_ASSERT( output_length <= @@ -4039,12 +4084,13 @@ void aead_multipart_generate_nonce( int key_type_arg, data_t *key_data, TEST_EQUAL( actual_nonce_length, PSA_AEAD_NONCE_LENGTH( key_type, alg ) ); - TEST_ASSERT( actual_nonce_length < PSA_AEAD_NONCE_MAX_SIZE ); + TEST_ASSERT( actual_nonce_length <= PSA_AEAD_NONCE_MAX_SIZE ); if( expected_status == PSA_SUCCESS ) { - /* Ensure we can still complete operation. */ + PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, + input_data->len ) ); PSA_ASSERT( psa_aead_update_ad( &operation, additional_data->x, additional_data->len ) ); @@ -4157,6 +4203,8 @@ void aead_multipart_set_nonce( int key_type_arg, data_t *key_data, if( expected_status == PSA_SUCCESS ) { /* Ensure we can still complete operation. */ + PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, + input_data->len ) ); PSA_ASSERT( psa_aead_update_ad( &operation, additional_data->x, additional_data->len ) ); @@ -4235,6 +4283,9 @@ void aead_multipart_update_buffer_test( int key_type_arg, data_t *key_data, PSA_ASSERT( status ); + PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, + input_data->len ) ); + PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); PSA_ASSERT( psa_aead_update_ad( &operation, additional_data->x, @@ -4323,6 +4374,9 @@ void aead_multipart_finish_buffer_test( int key_type_arg, data_t *key_data, PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); + PSA_ASSERT( psa_aead_set_lengths( &operation, additional_data->len, + input_data->len ) ); + PSA_ASSERT( psa_aead_update_ad( &operation, additional_data->x, additional_data->len ) ); @@ -4408,6 +4462,20 @@ void aead_multipart_verify( int key_type_arg, data_t *key_data, PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) ); + status = psa_aead_set_lengths( &operation, additional_data->len, + input_data->len ); + + if( status != PSA_SUCCESS ) + { + /* Invalid tag lengths are detected in CCM at this point, as they + * would be written into the first block. They should really be + * detected in psa_aead_encrypt/decrypt_setup, and will be fixed + * to do so in the future, until that point, this is a + * workaround.*/ + TEST_EQUAL( status, expected_status ); + goto exit; + } + PSA_ASSERT( psa_aead_update_ad( &operation, additional_data->x, additional_data->len ) ); @@ -5900,7 +5968,7 @@ void derive_input( int alg_arg, if( output_key_type != PSA_KEY_TYPE_NONE ) { psa_reset_key_attributes( &attributes ); - psa_set_key_type( &attributes, PSA_KEY_TYPE_RAW_DATA ); + psa_set_key_type( &attributes, output_key_type ); psa_set_key_bits( &attributes, 8 ); actual_output_status = psa_key_derivation_output_key( &attributes, &operation, diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.data b/tests/suites/test_suite_psa_crypto_driver_wrappers.data index ead7a699d2f9..ea6c9b32c4c6 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.data +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.data @@ -90,11 +90,11 @@ depends_on:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_ validate_key:PSA_SUCCESS:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_SUCCESS validate key through transparent driver: fallback private key -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C:PSA_WANT_ECC_SECP_R1_256 +depends_on:MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C:MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_256 validate_key:PSA_ERROR_NOT_SUPPORTED:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_SUCCESS validate key through transparent driver: fallback public key -depends_on:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C:PSA_WANT_ECC_SECP_R1_256 +depends_on:MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C:MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_256 validate_key:PSA_ERROR_NOT_SUPPORTED:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_SUCCESS validate key through transparent driver: error @@ -110,7 +110,7 @@ depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDT export_key:PSA_SUCCESS:"":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"047772656f814b399279d5e1f1781fac6f099a3c5ca1b0e35351834b08b65e0b572590cdaf8f769361bcf34acfc11e5e074e8426bdde04be6e653945449617de45":PSA_SUCCESS export_key private to public through driver: fallback -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C:PSA_WANT_ECC_SECP_R1_256 +depends_on:MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:MBEDTLS_PK_WRITE_C:MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_256 export_key:PSA_ERROR_NOT_SUPPORTED:"":PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"047772656f814b399279d5e1f1781fac6f099a3c5ca1b0e35351834b08b65e0b572590cdaf8f769361bcf34acfc11e5e074e8426bdde04be6e653945449617de45":PSA_SUCCESS export_key private to public through driver: error @@ -126,11 +126,11 @@ depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES cipher_encrypt_validation:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"6bc1bee22e409f96e93d7e11739317" PSA symmetric encrypt validation: AES-CTR, 16 bytes, fallback -depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_CIPHER +depends_on:MBEDTLS_PSA_BUILTIN_ALG_CTR:MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES cipher_encrypt_validation:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"6bc1bee22e409f96e93d7e117393172a" PSA symmetric encrypt validation: AES-CTR, 15 bytes, fallback -depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_CIPHER +depends_on:MBEDTLS_PSA_BUILTIN_ALG_CTR:MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES cipher_encrypt_validation:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"6bc1bee22e409f96e93d7e11739317" PSA symmetric encrypt multipart: AES-CTR, 16 bytes, good @@ -162,7 +162,7 @@ depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES cipher_decrypt:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"396ee84fb75fdbb5c2b13c7fe5a654aa":"dd3b5e5319b7591daab1e1a92687feb2":0:PSA_SUCCESS:PSA_SUCCESS PSA symmetric decrypt: AES-CTR, 16 bytes, fallback -depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_CIPHER +depends_on:MBEDTLS_PSA_BUILTIN_ALG_CTR:MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES cipher_decrypt:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"396ee84fb75fdbb5c2b13c7fe5a654aa":"dd3b5e5319b7591daab1e1a92687feb2":0:PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS PSA symmetric decrypt: AES-CTR, 16 bytes, fake diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function index bc6ff347165f..64adba97d8e7 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function @@ -312,7 +312,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ECC_SECP_R1_256 */ +/* BEGIN_CASE */ void validate_key( int force_status_arg, int key_type_arg, data_t *key_input, @@ -348,7 +348,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ECC_SECP_R1_256 */ +/* BEGIN_CASE */ void export_key( int force_status_arg, data_t *fake_output, int key_in_type_arg, @@ -872,6 +872,39 @@ void cipher_entry_points( int alg_arg, int key_type_arg, PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, &key ) ); + /* + * Test encrypt failure + * First test that if we don't force a driver error, encryption is + * successfull, then force driver error. + */ + status = psa_cipher_encrypt( + key, alg, input->x, input->len, + output, output_buffer_size, &function_output_length ); + TEST_EQUAL( mbedtls_test_driver_cipher_hooks.hits, 1 ); + TEST_EQUAL( status, PSA_SUCCESS ); + mbedtls_test_driver_cipher_hooks.hits = 0; + + mbedtls_test_driver_cipher_hooks.forced_status = PSA_ERROR_GENERIC_ERROR; + /* Set the output buffer in a given state. */ + for( size_t i = 0; i < output_buffer_size; i++ ) + output[i] = 0xa5; + + status = psa_cipher_encrypt( + key, alg, input->x, input->len, + output, output_buffer_size, &function_output_length ); + TEST_EQUAL( mbedtls_test_driver_cipher_hooks.hits, 1 ); + TEST_EQUAL( status, PSA_ERROR_GENERIC_ERROR ); + /* + * Check that the output buffer is still in the same state. + * This will fail if the output buffer is used by the core to pass the IV + * it generated to the driver (and is not restored). + */ + for( size_t i = 0; i < output_buffer_size; i++ ) + { + TEST_EQUAL( output[i], 0xa5 ); + } + mbedtls_test_driver_cipher_hooks.hits = 0; + /* Test setup call, encrypt */ mbedtls_test_driver_cipher_hooks.forced_status = PSA_ERROR_GENERIC_ERROR; status = psa_cipher_encrypt_setup( &operation, key, alg ); @@ -923,10 +956,23 @@ void cipher_entry_points( int alg_arg, int key_type_arg, mbedtls_test_driver_cipher_hooks.hits = 0; mbedtls_test_driver_cipher_hooks.forced_status = PSA_ERROR_GENERIC_ERROR; + /* Set the output buffer in a given state. */ + for( size_t i = 0; i < 16; i++ ) + output[i] = 0xa5; + status = psa_cipher_generate_iv( &operation, output, 16, &function_output_length ); /* When generating the IV fails, it should call abort too */ TEST_EQUAL( mbedtls_test_driver_cipher_hooks.hits, 2 ); TEST_EQUAL( status, mbedtls_test_driver_cipher_hooks.forced_status ); + /* + * Check that the output buffer is still in the same state. + * This will fail if the output buffer is used by the core to pass the IV + * it generated to the driver (and is not restored). + */ + for( size_t i = 0; i < 16; i++ ) + { + TEST_EQUAL( output[i], 0xa5 ); + } /* Failure should prevent further operations from executing on the driver */ mbedtls_test_driver_cipher_hooks.hits = 0; status = psa_cipher_update( &operation, diff --git a/tests/suites/test_suite_psa_crypto_generate_key.function b/tests/suites/test_suite_psa_crypto_generate_key.function new file mode 100644 index 000000000000..dbe9a0ecf9ac --- /dev/null +++ b/tests/suites/test_suite_psa_crypto_generate_key.function @@ -0,0 +1,49 @@ +/* BEGIN_HEADER */ + +#include "psa/crypto.h" +#include "test/psa_crypto_helpers.h" + +#define INVALID_KEY_ID mbedtls_svc_key_id_make( 0, 0xfedcba98 ) + +/* END_HEADER */ + +/* BEGIN_DEPENDENCIES + * depends_on:MBEDTLS_PSA_CRYPTO_C + * END_DEPENDENCIES + */ + +/* BEGIN_CASE */ +void generate_key( int key_type_arg, int bits_arg, int expected_status_arg) +{ + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + mbedtls_svc_key_id_t key_id = INVALID_KEY_ID; + + // key lifetiem, usage flags, algorithm are irrelevant for this test + psa_key_type_t key_type = key_type_arg; + size_t bits = bits_arg; + psa_status_t expected_status = expected_status_arg; + + PSA_ASSERT( psa_crypto_init( ) ); + psa_set_key_type( &attributes, key_type ); + psa_set_key_bits( &attributes, bits ); + TEST_EQUAL( psa_generate_key( &attributes, &key_id ), + expected_status ); + + // Verify attributes of the created key on success + if ( expected_status == PSA_SUCCESS ) + { + psa_reset_key_attributes(&attributes); + PSA_ASSERT( psa_get_key_attributes( key_id, &attributes ) ); + TEST_EQUAL( psa_get_key_lifetime( &attributes ), PSA_KEY_LIFETIME_VOLATILE ); + TEST_EQUAL( psa_get_key_usage_flags( &attributes ), 0 ); + TEST_EQUAL( psa_get_key_algorithm( &attributes ), 0 ); + TEST_EQUAL( psa_get_key_type( &attributes ), key_type ); + TEST_EQUAL( psa_get_key_bits( &attributes ), bits ); + } + +exit: + psa_reset_key_attributes(&attributes); + psa_destroy_key( key_id ); + PSA_DONE( ); +} +/* END_CASE */ diff --git a/tests/suites/test_suite_psa_crypto_metadata.data b/tests/suites/test_suite_psa_crypto_metadata.data index a3668fcc944c..83763c55d99c 100644 --- a/tests/suites/test_suite_psa_crypto_metadata.data +++ b/tests/suites/test_suite_psa_crypto_metadata.data @@ -130,6 +130,18 @@ AEAD: CCM-AES-256 depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM aead_algorithm:PSA_ALG_CCM:ALG_IS_AEAD_ON_BLOCK_CIPHER:16:PSA_KEY_TYPE_AES:256 +AEAD: CCM-ARIA-128 +depends_on:PSA_WANT_KEY_TYPE_ARIA:PSA_WANT_ALG_CCM +aead_algorithm:PSA_ALG_CCM:ALG_IS_AEAD_ON_BLOCK_CIPHER:16:PSA_KEY_TYPE_ARIA:128 + +AEAD: CCM-ARIA-192 +depends_on:PSA_WANT_KEY_TYPE_ARIA:PSA_WANT_ALG_CCM +aead_algorithm:PSA_ALG_CCM:ALG_IS_AEAD_ON_BLOCK_CIPHER:16:PSA_KEY_TYPE_ARIA:192 + +AEAD: CCM-ARIA-256 +depends_on:PSA_WANT_KEY_TYPE_ARIA:PSA_WANT_ALG_CCM +aead_algorithm:PSA_ALG_CCM:ALG_IS_AEAD_ON_BLOCK_CIPHER:16:PSA_KEY_TYPE_ARIA:256 + AEAD: CCM-CAMELLIA-128 depends_on:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CCM aead_algorithm:PSA_ALG_CCM:ALG_IS_AEAD_ON_BLOCK_CIPHER:16:PSA_KEY_TYPE_CAMELLIA:128 @@ -154,6 +166,18 @@ AEAD: GCM-AES-256 depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM aead_algorithm:PSA_ALG_GCM:ALG_IS_AEAD_ON_BLOCK_CIPHER:16:PSA_KEY_TYPE_AES:256 +AEAD: GCM-ARIA-128 +depends_on:PSA_WANT_KEY_TYPE_ARIA:PSA_WANT_ALG_GCM +aead_algorithm:PSA_ALG_GCM:ALG_IS_AEAD_ON_BLOCK_CIPHER:16:PSA_KEY_TYPE_ARIA:128 + +AEAD: GCM-ARIA-192 +depends_on:PSA_WANT_KEY_TYPE_ARIA:PSA_WANT_ALG_GCM +aead_algorithm:PSA_ALG_GCM:ALG_IS_AEAD_ON_BLOCK_CIPHER:16:PSA_KEY_TYPE_ARIA:192 + +AEAD: GCM-ARIA-256 +depends_on:PSA_WANT_KEY_TYPE_ARIA:PSA_WANT_ALG_GCM +aead_algorithm:PSA_ALG_GCM:ALG_IS_AEAD_ON_BLOCK_CIPHER:16:PSA_KEY_TYPE_ARIA:256 + AEAD: GCM-CAMELLIA-128 depends_on:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_GCM aead_algorithm:PSA_ALG_GCM:ALG_IS_AEAD_ON_BLOCK_CIPHER:16:PSA_KEY_TYPE_CAMELLIA:128 @@ -172,27 +196,31 @@ aead_algorithm:PSA_ALG_CHACHA20_POLY1305:0:16:PSA_KEY_TYPE_CHACHA20:256 Asymmetric signature: RSA PKCS#1 v1.5 raw depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN -asymmetric_signature_algorithm:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:ALG_IS_RSA_PKCS1V15_SIGN | ALG_IS_HASH_AND_SIGN +asymmetric_signature_algorithm:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:ALG_IS_RSA_PKCS1V15_SIGN | ALG_IS_SIGN_HASH Asymmetric signature: RSA PKCS#1 v1.5 SHA-256 depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256 -asymmetric_signature_algorithm:PSA_ALG_RSA_PKCS1V15_SIGN( PSA_ALG_SHA_256 ):ALG_IS_RSA_PKCS1V15_SIGN | ALG_IS_HASH_AND_SIGN +asymmetric_signature_algorithm:PSA_ALG_RSA_PKCS1V15_SIGN( PSA_ALG_SHA_256 ):ALG_IS_RSA_PKCS1V15_SIGN | ALG_IS_SIGN_HASH | ALG_IS_HASH_AND_SIGN Asymmetric signature: RSA PSS SHA-256 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256 -asymmetric_signature_algorithm:PSA_ALG_RSA_PSS( PSA_ALG_SHA_256 ):ALG_IS_RSA_PSS | ALG_IS_HASH_AND_SIGN +asymmetric_signature_algorithm:PSA_ALG_RSA_PSS( PSA_ALG_SHA_256 ):ALG_IS_RSA_PSS | ALG_IS_RSA_PSS_STANDARD_SALT | ALG_IS_SIGN_HASH | ALG_IS_HASH_AND_SIGN + +Asymmetric signature: RSA PSS-any-salt SHA-256 +depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256 +asymmetric_signature_algorithm:PSA_ALG_RSA_PSS_ANY_SALT( PSA_ALG_SHA_256 ):ALG_IS_RSA_PSS | ALG_IS_RSA_PSS_ANY_SALT | ALG_IS_SIGN_HASH | ALG_IS_HASH_AND_SIGN Asymmetric signature: randomized ECDSA (no hashing) depends_on:PSA_WANT_ALG_ECDSA -asymmetric_signature_algorithm:PSA_ALG_ECDSA_ANY:ALG_IS_ECDSA | ALG_IS_RANDOMIZED_ECDSA | ALG_IS_HASH_AND_SIGN +asymmetric_signature_algorithm:PSA_ALG_ECDSA_ANY:ALG_IS_ECDSA | ALG_IS_RANDOMIZED_ECDSA | ALG_IS_SIGN_HASH Asymmetric signature: SHA-256 + randomized ECDSA depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256 -asymmetric_signature_algorithm:PSA_ALG_ECDSA( PSA_ALG_SHA_256 ):ALG_IS_ECDSA | ALG_IS_RANDOMIZED_ECDSA | ALG_IS_HASH_AND_SIGN +asymmetric_signature_algorithm:PSA_ALG_ECDSA( PSA_ALG_SHA_256 ):ALG_IS_ECDSA | ALG_IS_RANDOMIZED_ECDSA | ALG_IS_SIGN_HASH | ALG_IS_HASH_AND_SIGN Asymmetric signature: SHA-256 + deterministic ECDSA using SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256 -asymmetric_signature_algorithm:PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):ALG_IS_ECDSA | ALG_IS_DETERMINISTIC_ECDSA | ALG_ECDSA_IS_DETERMINISTIC | ALG_IS_HASH_AND_SIGN +asymmetric_signature_algorithm:PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):ALG_IS_ECDSA | ALG_IS_DETERMINISTIC_ECDSA | ALG_ECDSA_IS_DETERMINISTIC | ALG_IS_SIGN_HASH | ALG_IS_HASH_AND_SIGN Asymmetric signature: pure EdDSA depends_on:PSA_WANT_ALG_EDDSA @@ -200,11 +228,11 @@ asymmetric_signature_algorithm:PSA_ALG_PURE_EDDSA:0 Asymmetric signature: Ed25519ph depends_on:PSA_WANT_ALG_EDDSA -asymmetric_signature_algorithm:PSA_ALG_ED25519PH:ALG_IS_HASH_EDDSA | ALG_IS_HASH_AND_SIGN +asymmetric_signature_algorithm:PSA_ALG_ED25519PH:ALG_IS_HASH_EDDSA | ALG_IS_SIGN_HASH | ALG_IS_HASH_AND_SIGN Asymmetric signature: Ed448ph depends_on:PSA_WANT_ALG_EDDSA -asymmetric_signature_algorithm:PSA_ALG_ED448PH:ALG_IS_HASH_EDDSA | ALG_IS_HASH_AND_SIGN +asymmetric_signature_algorithm:PSA_ALG_ED448PH:ALG_IS_HASH_EDDSA | ALG_IS_SIGN_HASH | ALG_IS_HASH_AND_SIGN Asymmetric signature: RSA PKCS#1 v1.5 with wildcard hash depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN @@ -212,7 +240,11 @@ asymmetric_signature_wildcard:PSA_ALG_RSA_PKCS1V15_SIGN( PSA_ALG_ANY_HASH ):ALG_ Asymmetric signature: RSA PSS with wildcard hash depends_on:PSA_WANT_ALG_RSA_PSS -asymmetric_signature_wildcard:PSA_ALG_RSA_PSS( PSA_ALG_ANY_HASH ):ALG_IS_RSA_PSS +asymmetric_signature_wildcard:PSA_ALG_RSA_PSS( PSA_ALG_ANY_HASH ):ALG_IS_RSA_PSS | ALG_IS_RSA_PSS_STANDARD_SALT + +Asymmetric signature: RSA PSS-any-salt with wildcard hash +depends_on:PSA_WANT_ALG_RSA_PSS +asymmetric_signature_wildcard:PSA_ALG_RSA_PSS_ANY_SALT( PSA_ALG_ANY_HASH ):ALG_IS_RSA_PSS | ALG_IS_RSA_PSS_ANY_SALT Asymmetric signature: randomized ECDSA with wildcard hash depends_on:PSA_WANT_ALG_ECDSA @@ -295,6 +327,10 @@ Block cipher key type: AES depends_on:PSA_WANT_KEY_TYPE_AES block_cipher_key_type:PSA_KEY_TYPE_AES:16 +Block cipher key type: ARIA +depends_on:PSA_WANT_KEY_TYPE_ARIA +block_cipher_key_type:PSA_KEY_TYPE_ARIA:16 + Block cipher key type: DES depends_on:PSA_WANT_KEY_TYPE_DES block_cipher_key_type:PSA_KEY_TYPE_DES:8 diff --git a/tests/suites/test_suite_psa_crypto_metadata.function b/tests/suites/test_suite_psa_crypto_metadata.function index 9f4fc75495e1..092780c4db33 100644 --- a/tests/suites/test_suite_psa_crypto_metadata.function +++ b/tests/suites/test_suite_psa_crypto_metadata.function @@ -22,25 +22,29 @@ #define ALG_IS_STREAM_CIPHER ( 1u << 3 ) #define ALG_IS_RSA_PKCS1V15_SIGN ( 1u << 4 ) #define ALG_IS_RSA_PSS ( 1u << 5 ) -#define ALG_IS_DSA ( 1u << 6 ) -#define ALG_DSA_IS_DETERMINISTIC ( 1u << 7 ) -#define ALG_IS_DETERMINISTIC_DSA ( 1u << 8 ) -#define ALG_IS_RANDOMIZED_DSA ( 1u << 9 ) -#define ALG_IS_ECDSA ( 1u << 10 ) -#define ALG_ECDSA_IS_DETERMINISTIC ( 1u << 11 ) -#define ALG_IS_DETERMINISTIC_ECDSA ( 1u << 12 ) -#define ALG_IS_RANDOMIZED_ECDSA ( 1u << 13 ) -#define ALG_IS_HASH_EDDSA ( 1u << 14 ) -#define ALG_IS_HASH_AND_SIGN ( 1u << 15 ) -#define ALG_IS_RSA_OAEP ( 1u << 16 ) -#define ALG_IS_HKDF ( 1u << 17 ) -#define ALG_IS_FFDH ( 1u << 18 ) -#define ALG_IS_ECDH ( 1u << 19 ) -#define ALG_IS_WILDCARD ( 1u << 20 ) -#define ALG_IS_RAW_KEY_AGREEMENT ( 1u << 21 ) -#define ALG_IS_AEAD_ON_BLOCK_CIPHER ( 1u << 22 ) -#define ALG_IS_TLS12_PRF ( 1u << 23 ) -#define ALG_IS_TLS12_PSK_TO_MS ( 1u << 24 ) +#define ALG_IS_RSA_PSS_ANY_SALT ( 1u << 6 ) +#define ALG_IS_RSA_PSS_STANDARD_SALT ( 1u << 7 ) +#define ALG_IS_DSA ( 1u << 8 ) +#define ALG_DSA_IS_DETERMINISTIC ( 1u << 9 ) +#define ALG_IS_DETERMINISTIC_DSA ( 1u << 10 ) +#define ALG_IS_RANDOMIZED_DSA ( 1u << 11 ) +#define ALG_IS_ECDSA ( 1u << 12 ) +#define ALG_ECDSA_IS_DETERMINISTIC ( 1u << 13 ) +#define ALG_IS_DETERMINISTIC_ECDSA ( 1u << 14 ) +#define ALG_IS_RANDOMIZED_ECDSA ( 1u << 15 ) +#define ALG_IS_HASH_EDDSA ( 1u << 16 ) +#define ALG_IS_SIGN_HASH ( 1u << 17 ) +#define ALG_IS_HASH_AND_SIGN ( 1u << 18 ) +#define ALG_IS_RSA_OAEP ( 1u << 19 ) +#define ALG_IS_HKDF ( 1u << 20 ) +#define ALG_IS_FFDH ( 1u << 21 ) +#define ALG_IS_ECDH ( 1u << 22 ) +#define ALG_IS_WILDCARD ( 1u << 23 ) +#define ALG_IS_RAW_KEY_AGREEMENT ( 1u << 24 ) +#define ALG_IS_AEAD_ON_BLOCK_CIPHER ( 1u << 25 ) +#define ALG_IS_TLS12_PRF ( 1u << 26 ) +#define ALG_IS_TLS12_PSK_TO_MS ( 1u << 27 ) +#define ALG_FLAG_MASK_PLUS_ONE ( 1u << 28 ) /* must be last! */ /* Flags for key type classification macros. There is a flag for every * key type classification macro PSA_KEY_TYPE_IS_xxx except for some that @@ -49,26 +53,43 @@ #define KEY_TYPE_IS_VENDOR_DEFINED ( 1u << 0 ) #define KEY_TYPE_IS_UNSTRUCTURED ( 1u << 1 ) #define KEY_TYPE_IS_PUBLIC_KEY ( 1u << 2 ) -#define KEY_TYPE_IS_KEY_PAIR ( 1u << 3 ) +#define KEY_TYPE_IS_KEY_PAIR ( 1u << 3 ) #define KEY_TYPE_IS_RSA ( 1u << 4 ) #define KEY_TYPE_IS_DSA ( 1u << 5 ) #define KEY_TYPE_IS_ECC ( 1u << 6 ) #define KEY_TYPE_IS_DH ( 1u << 7 ) +#define KEY_TYPE_FLAG_MASK_PLUS_ONE ( 1u << 8 ) /* must be last! */ /* Flags for lifetime classification macros. There is a flag for every * lifetime classification macro PSA_KEY_LIFETIME_IS_xxx. The name of the * flag is the name of the classification macro without the PSA_ prefix. */ #define KEY_LIFETIME_IS_VOLATILE ( 1u << 0 ) #define KEY_LIFETIME_IS_READ_ONLY ( 1u << 1 ) +#define KEY_LIFETIME_FLAG_MASK_PLUS_ONE ( 1u << 2 ) /* must be last! */ -#define TEST_CLASSIFICATION_MACRO( flag, alg, flags ) \ - do \ - { \ - if( ( flags ) & ( flag ) ) \ - TEST_ASSERT( PSA_##flag( alg ) ); \ - else \ - TEST_ASSERT( ! PSA_##flag( alg ) ); \ - } \ +/* Check that in the value of flags, the bit flag (which should be a macro + * expanding to a number of the form 1 << k) is set if and only if + * PSA_##flag(alg) is true. + * + * Only perform this check if cond is true. Typically cond is 1, but it can + * be different if the value of the flag bit is only specified under specific + * conditions. + * + * Unconditionally mask flag into the ambient variable + * classification_flags_tested. + */ +#define TEST_CLASSIFICATION_MACRO( cond, flag, alg, flags ) \ + do \ + { \ + if( cond ) \ + { \ + if( ( flags ) & ( flag ) ) \ + TEST_ASSERT( PSA_##flag( alg ) ); \ + else \ + TEST_ASSERT( ! PSA_##flag( alg ) ); \ + } \ + classification_flags_tested |= ( flag ); \ + } \ while( 0 ) /* Check the parity of value. @@ -95,44 +116,55 @@ int has_even_parity( uint32_t value ) void algorithm_classification( psa_algorithm_t alg, unsigned flags ) { - TEST_CLASSIFICATION_MACRO( ALG_IS_VENDOR_DEFINED, alg, flags ); - TEST_CLASSIFICATION_MACRO( ALG_IS_HMAC, alg, flags ); - TEST_CLASSIFICATION_MACRO( ALG_IS_BLOCK_CIPHER_MAC, alg, flags ); - TEST_CLASSIFICATION_MACRO( ALG_IS_STREAM_CIPHER, alg, flags ); - TEST_CLASSIFICATION_MACRO( ALG_IS_RSA_PKCS1V15_SIGN, alg, flags ); - TEST_CLASSIFICATION_MACRO( ALG_IS_RSA_PSS, alg, flags ); - TEST_CLASSIFICATION_MACRO( ALG_IS_DSA, alg, flags ); - if ( PSA_ALG_IS_DSA( alg ) ) - TEST_CLASSIFICATION_MACRO( ALG_DSA_IS_DETERMINISTIC, alg, flags ); - TEST_CLASSIFICATION_MACRO( ALG_IS_DETERMINISTIC_DSA, alg, flags ); - TEST_CLASSIFICATION_MACRO( ALG_IS_RANDOMIZED_DSA, alg, flags ); - TEST_CLASSIFICATION_MACRO( ALG_IS_ECDSA, alg, flags ); - if ( PSA_ALG_IS_ECDSA( alg ) ) - TEST_CLASSIFICATION_MACRO( ALG_ECDSA_IS_DETERMINISTIC, alg, flags ); - TEST_CLASSIFICATION_MACRO( ALG_IS_DETERMINISTIC_ECDSA, alg, flags ); - TEST_CLASSIFICATION_MACRO( ALG_IS_RANDOMIZED_ECDSA, alg, flags ); - TEST_CLASSIFICATION_MACRO( ALG_IS_HASH_EDDSA, alg, flags ); - TEST_CLASSIFICATION_MACRO( ALG_IS_HASH_AND_SIGN, alg, flags ); - TEST_CLASSIFICATION_MACRO( ALG_IS_RSA_OAEP, alg, flags ); - TEST_CLASSIFICATION_MACRO( ALG_IS_HKDF, alg, flags ); - TEST_CLASSIFICATION_MACRO( ALG_IS_WILDCARD, alg, flags ); - TEST_CLASSIFICATION_MACRO( ALG_IS_ECDH, alg, flags ); - TEST_CLASSIFICATION_MACRO( ALG_IS_FFDH, alg, flags ); - TEST_CLASSIFICATION_MACRO( ALG_IS_RAW_KEY_AGREEMENT, alg, flags ); - TEST_CLASSIFICATION_MACRO( ALG_IS_AEAD_ON_BLOCK_CIPHER, alg, flags ); + unsigned classification_flags_tested = 0; + TEST_CLASSIFICATION_MACRO( 1, ALG_IS_VENDOR_DEFINED, alg, flags ); + TEST_CLASSIFICATION_MACRO( 1, ALG_IS_HMAC, alg, flags ); + TEST_CLASSIFICATION_MACRO( 1, ALG_IS_BLOCK_CIPHER_MAC, alg, flags ); + TEST_CLASSIFICATION_MACRO( 1, ALG_IS_STREAM_CIPHER, alg, flags ); + TEST_CLASSIFICATION_MACRO( 1, ALG_IS_RSA_PKCS1V15_SIGN, alg, flags ); + TEST_CLASSIFICATION_MACRO( 1, ALG_IS_RSA_PSS, alg, flags ); + TEST_CLASSIFICATION_MACRO( 1, ALG_IS_RSA_PSS_ANY_SALT, alg, flags ); + TEST_CLASSIFICATION_MACRO( 1, ALG_IS_RSA_PSS_STANDARD_SALT, alg, flags ); + TEST_CLASSIFICATION_MACRO( 1, ALG_IS_DSA, alg, flags ); + TEST_CLASSIFICATION_MACRO( PSA_ALG_IS_DSA( alg ), + ALG_DSA_IS_DETERMINISTIC, alg, flags ); + TEST_CLASSIFICATION_MACRO( 1, ALG_IS_DETERMINISTIC_DSA, alg, flags ); + TEST_CLASSIFICATION_MACRO( 1, ALG_IS_RANDOMIZED_DSA, alg, flags ); + TEST_CLASSIFICATION_MACRO( 1, ALG_IS_ECDSA, alg, flags ); + TEST_CLASSIFICATION_MACRO( PSA_ALG_IS_ECDSA( alg ), + ALG_ECDSA_IS_DETERMINISTIC, alg, flags ); + TEST_CLASSIFICATION_MACRO( 1, ALG_IS_DETERMINISTIC_ECDSA, alg, flags ); + TEST_CLASSIFICATION_MACRO( 1, ALG_IS_RANDOMIZED_ECDSA, alg, flags ); + TEST_CLASSIFICATION_MACRO( 1, ALG_IS_HASH_EDDSA, alg, flags ); + TEST_CLASSIFICATION_MACRO( 1, ALG_IS_SIGN_HASH, alg, flags ); + TEST_CLASSIFICATION_MACRO( 1, ALG_IS_HASH_AND_SIGN, alg, flags ); + TEST_CLASSIFICATION_MACRO( 1, ALG_IS_RSA_OAEP, alg, flags ); + TEST_CLASSIFICATION_MACRO( 1, ALG_IS_HKDF, alg, flags ); + TEST_CLASSIFICATION_MACRO( 1, ALG_IS_WILDCARD, alg, flags ); + TEST_CLASSIFICATION_MACRO( 1, ALG_IS_ECDH, alg, flags ); + TEST_CLASSIFICATION_MACRO( 1, ALG_IS_FFDH, alg, flags ); + TEST_CLASSIFICATION_MACRO( 1, ALG_IS_RAW_KEY_AGREEMENT, alg, flags ); + TEST_CLASSIFICATION_MACRO( 1, ALG_IS_AEAD_ON_BLOCK_CIPHER, alg, flags ); + TEST_CLASSIFICATION_MACRO( 1, ALG_IS_TLS12_PRF, alg, flags ); + TEST_CLASSIFICATION_MACRO( 1, ALG_IS_TLS12_PSK_TO_MS, alg, flags ); + TEST_EQUAL( classification_flags_tested, ALG_FLAG_MASK_PLUS_ONE - 1 ); exit: ; } void key_type_classification( psa_key_type_t type, unsigned flags ) { + unsigned classification_flags_tested = 0; + /* Macros tested based on the test case parameter */ - TEST_CLASSIFICATION_MACRO( KEY_TYPE_IS_VENDOR_DEFINED, type, flags ); - TEST_CLASSIFICATION_MACRO( KEY_TYPE_IS_UNSTRUCTURED, type, flags ); - TEST_CLASSIFICATION_MACRO( KEY_TYPE_IS_PUBLIC_KEY, type, flags ); - TEST_CLASSIFICATION_MACRO( KEY_TYPE_IS_KEY_PAIR, type, flags ); - TEST_CLASSIFICATION_MACRO( KEY_TYPE_IS_RSA, type, flags ); - TEST_CLASSIFICATION_MACRO( KEY_TYPE_IS_ECC, type, flags ); - TEST_CLASSIFICATION_MACRO( KEY_TYPE_IS_DH, type, flags ); + TEST_CLASSIFICATION_MACRO( 1, KEY_TYPE_IS_VENDOR_DEFINED, type, flags ); + TEST_CLASSIFICATION_MACRO( 1, KEY_TYPE_IS_UNSTRUCTURED, type, flags ); + TEST_CLASSIFICATION_MACRO( 1, KEY_TYPE_IS_PUBLIC_KEY, type, flags ); + TEST_CLASSIFICATION_MACRO( 1, KEY_TYPE_IS_KEY_PAIR, type, flags ); + TEST_CLASSIFICATION_MACRO( 1, KEY_TYPE_IS_RSA, type, flags ); + TEST_CLASSIFICATION_MACRO( 1, KEY_TYPE_IS_DSA, type, flags ); + TEST_CLASSIFICATION_MACRO( 1, KEY_TYPE_IS_ECC, type, flags ); + TEST_CLASSIFICATION_MACRO( 1, KEY_TYPE_IS_DH, type, flags ); + TEST_EQUAL( classification_flags_tested, KEY_TYPE_FLAG_MASK_PLUS_ONE - 1 ); /* Macros with derived semantics */ TEST_EQUAL( PSA_KEY_TYPE_IS_ASYMMETRIC( type ), @@ -351,6 +383,7 @@ void hmac_algorithm( int alg_arg, TEST_ASSERT( PSA_ALG_IS_HASH( hash_alg ) ); TEST_EQUAL( PSA_ALG_HMAC( hash_alg ), alg ); + TEST_ASSERT( block_size == PSA_HASH_BLOCK_LENGTH( alg ) ); TEST_ASSERT( block_size <= PSA_HMAC_MAX_HASH_BLOCK_SIZE ); test_mac_algorithm( alg_arg, ALG_IS_HMAC, length, @@ -487,7 +520,9 @@ void asymmetric_signature_algorithm( int alg_arg, int classification_flags ) /* BEGIN_CASE */ void asymmetric_signature_wildcard( int alg_arg, int classification_flags ) { - classification_flags |= ALG_IS_HASH_AND_SIGN | ALG_IS_WILDCARD; + classification_flags |= ALG_IS_WILDCARD; + classification_flags |= ALG_IS_SIGN_HASH; + classification_flags |= ALG_IS_HASH_AND_SIGN; test_asymmetric_signature_algorithm( alg_arg, classification_flags ); /* Any failure of this test function comes from * asymmetric_signature_algorithm. Pacify -Werror=unused-label. */ @@ -691,9 +726,12 @@ void lifetime( int lifetime_arg, int classification_flags, psa_key_persistence_t persistence = persistence_arg; psa_key_location_t location = location_arg; unsigned flags = classification_flags; + unsigned classification_flags_tested = 0; - TEST_CLASSIFICATION_MACRO( KEY_LIFETIME_IS_VOLATILE, lifetime, flags ); - TEST_CLASSIFICATION_MACRO( KEY_LIFETIME_IS_READ_ONLY, lifetime, flags ); + TEST_CLASSIFICATION_MACRO( 1, KEY_LIFETIME_IS_VOLATILE, lifetime, flags ); + TEST_CLASSIFICATION_MACRO( 1, KEY_LIFETIME_IS_READ_ONLY, lifetime, flags ); + TEST_EQUAL( classification_flags_tested, + KEY_LIFETIME_FLAG_MASK_PLUS_ONE - 1 ); TEST_EQUAL( PSA_KEY_LIFETIME_GET_PERSISTENCE( lifetime ), persistence ); TEST_EQUAL( PSA_KEY_LIFETIME_GET_LOCATION( lifetime ), location ); diff --git a/tests/suites/test_suite_psa_crypto_not_supported.function b/tests/suites/test_suite_psa_crypto_not_supported.function index 0665230d72b8..e3253d84059a 100644 --- a/tests/suites/test_suite_psa_crypto_not_supported.function +++ b/tests/suites/test_suite_psa_crypto_not_supported.function @@ -50,22 +50,3 @@ exit: PSA_DONE( ); } /* END_CASE */ - -/* BEGIN_CASE */ -void generate_invalid_argument( int key_type, int bits ) -{ - psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - mbedtls_svc_key_id_t key_id = INVALID_KEY_ID; - - PSA_ASSERT( psa_crypto_init( ) ); - psa_set_key_type( &attributes, key_type ); - psa_set_key_bits( &attributes, bits ); - TEST_EQUAL( psa_generate_key( &attributes, &key_id ), - PSA_ERROR_INVALID_ARGUMENT ); - TEST_ASSERT( mbedtls_svc_key_id_equal( key_id, MBEDTLS_SVC_KEY_ID_INIT ) ); - -exit: - psa_destroy_key( key_id ); - PSA_DONE( ); -} -/* END_CASE */ diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal.data b/tests/suites/test_suite_psa_crypto_se_driver_hal.data index a57e9b360aab..2bcf4e4b7bc1 100644 --- a/tests/suites/test_suite_psa_crypto_se_driver_hal.data +++ b/tests/suites/test_suite_psa_crypto_se_driver_hal.data @@ -78,6 +78,21 @@ import_key_smoke:PSA_KEY_TYPE_AES:PSA_ALG_CCM:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" Key import smoke test: AES-GCM import_key_smoke:PSA_KEY_TYPE_AES:PSA_ALG_GCM:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" +Key import smoke test: ARIA-CTR +import_key_smoke:PSA_KEY_TYPE_ARIA:PSA_ALG_CTR:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +Key import smoke test: ARIA-CBC +import_key_smoke:PSA_KEY_TYPE_ARIA:PSA_ALG_CBC_NO_PADDING:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +Key import smoke test: ARIA-CMAC +import_key_smoke:PSA_KEY_TYPE_ARIA:PSA_ALG_CMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +Key import smoke test: ARIA-CCM +import_key_smoke:PSA_KEY_TYPE_ARIA:PSA_ALG_CCM:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + +Key import smoke test: ARIA-GCM +import_key_smoke:PSA_KEY_TYPE_ARIA:PSA_ALG_GCM:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + Key import smoke test: CAMELLIA-CTR import_key_smoke:PSA_KEY_TYPE_CAMELLIA:PSA_ALG_CTR:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 72df57db292a..16a202a15356 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -236,7 +236,7 @@ depends_on:MBEDTLS_SHA384_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ECDSA_C:MBEDTLS_ECP_ handshake_cipher:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:0 Handshake, PSK-WITH-AES-128-CBC-SHA -depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED +depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C handshake_psk_cipher:"TLS-PSK-WITH-AES-128-CBC-SHA":MBEDTLS_PK_RSA:"abc123":0 DTLS Handshake, tls1_2 @@ -264,7 +264,7 @@ depends_on:MBEDTLS_SHA384_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ECDSA_C:MBEDTLS_ECP_ handshake_cipher:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:1 DTLS Handshake, PSK-WITH-AES-128-CBC-SHA -depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS +depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SHA1_C handshake_psk_cipher:"TLS-PSK-WITH-AES-128-CBC-SHA":MBEDTLS_PK_RSA:"abc123":1 DTLS Handshake with serialization, tls1_2 @@ -619,19 +619,19 @@ SSL SET_HOSTNAME memory leak: call ssl_set_hostname twice ssl_set_hostname_twice:"server0":"server1" SSL session serialization: Wrong major version -depends_on:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +depends_on:!MBEDTLS_SSL_PROTO_TLS1_3 ssl_session_serialize_version_check:1:0:0:0 SSL session serialization: Wrong minor version -depends_on:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +depends_on:!MBEDTLS_SSL_PROTO_TLS1_3 ssl_session_serialize_version_check:0:1:0:0 SSL session serialization: Wrong patch version -depends_on:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +depends_on:!MBEDTLS_SSL_PROTO_TLS1_3 ssl_session_serialize_version_check:0:0:1:0 SSL session serialization: Wrong config -depends_on:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +depends_on:!MBEDTLS_SSL_PROTO_TLS1_3 ssl_session_serialize_version_check:0:0:0:1 Record crypt, AES-128-CBC, 1.2, SHA-384 @@ -2367,7 +2367,7 @@ depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C ssl_crypt_record:MBEDTLS_CIPHER_AES_128_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0 Record crypt, AES-128-GCM, 1.3 -depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL:MBEDTLS_GCM_C +depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_GCM_C ssl_crypt_record:MBEDTLS_CIPHER_AES_128_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0 Record crypt, AES-128-GCM, 1.2, CID 4+4 @@ -2395,7 +2395,7 @@ depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C ssl_crypt_record:MBEDTLS_CIPHER_AES_192_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0 Record crypt, AES-192-GCM, 1.3 -depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL:MBEDTLS_GCM_C +depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_GCM_C ssl_crypt_record:MBEDTLS_CIPHER_AES_192_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0 Record crypt, AES-192-GCM, 1.2, CID 4+4 @@ -2423,7 +2423,7 @@ depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C ssl_crypt_record:MBEDTLS_CIPHER_AES_256_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0 Record crypt, AES-256-GCM, 1.3 -depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL:MBEDTLS_GCM_C +depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_GCM_C ssl_crypt_record:MBEDTLS_CIPHER_AES_256_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0 Record crypt, AES-256-GCM, 1.2, CID 4+4 @@ -2523,7 +2523,7 @@ depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0 Record crypt, AES-128-CCM, 1.3 -depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL:MBEDTLS_CCM_C +depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_CCM_C ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0 Record crypt, AES-128-CCM, 1.2, CID 4+4 @@ -2551,7 +2551,7 @@ depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C ssl_crypt_record:MBEDTLS_CIPHER_AES_192_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0 Record crypt, AES-192-CCM, 1.3 -depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL:MBEDTLS_CCM_C +depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_CCM_C ssl_crypt_record:MBEDTLS_CIPHER_AES_192_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0 Record crypt, AES-192-CCM, 1.2, CID 4+4 @@ -2579,7 +2579,7 @@ depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0 Record crypt, AES-256-CCM, 1.3 -depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL:MBEDTLS_CCM_C +depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_CCM_C ssl_crypt_record:MBEDTLS_CIPHER_AES_256_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0 Record crypt, AES-256-CCM, 1.2, CID 4+4 @@ -2743,7 +2743,7 @@ depends_on:MBEDTLS_CHACHAPOLY_C:MBEDTLS_SSL_PROTO_TLS1_2 ssl_crypt_record:MBEDTLS_CIPHER_CHACHA20_POLY1305:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0 Record crypt, ChachaPoly, 1.3 -depends_on:MBEDTLS_CHACHAPOLY_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +depends_on:MBEDTLS_CHACHAPOLY_C:MBEDTLS_SSL_PROTO_TLS1_3 ssl_crypt_record:MBEDTLS_CIPHER_CHACHA20_POLY1305:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0 Record crypt, little space, ChachaPoly @@ -2751,7 +2751,7 @@ depends_on:MBEDTLS_CHACHAPOLY_C:MBEDTLS_SSL_PROTO_TLS1_2 ssl_crypt_record_small:MBEDTLS_CIPHER_CHACHA20_POLY1305:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0 Record crypt, little space, ChachaPoly, 1.3 -depends_on:MBEDTLS_CHACHAPOLY_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +depends_on:MBEDTLS_CHACHAPOLY_C:MBEDTLS_SSL_PROTO_TLS1_3 ssl_crypt_record_small:MBEDTLS_CIPHER_CHACHA20_POLY1305:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0 Record crypt, little space, ChachaPoly, CID 4+4 @@ -4495,7 +4495,7 @@ depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0 Record crypt, little space, AES-128-GCM, 1.3 -depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL:MBEDTLS_GCM_C +depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_GCM_C ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0 Record crypt, little space, AES-128-GCM, 1.2, CID 4+4 @@ -4523,7 +4523,7 @@ depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C ssl_crypt_record_small:MBEDTLS_CIPHER_AES_192_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0 Record crypt, little space, AES-192-GCM, 1.3 -depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL:MBEDTLS_GCM_C +depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_GCM_C ssl_crypt_record_small:MBEDTLS_CIPHER_AES_192_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0 Record crypt, little space, AES-192-GCM, 1.2, CID 4+4 @@ -4551,7 +4551,7 @@ depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_GCM_C ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0 Record crypt, little space, AES-256-GCM, 1.3 -depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL:MBEDTLS_GCM_C +depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_GCM_C ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_GCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0 Record crypt, little space, AES-256-GCM, 1.2, CID 4+4 @@ -4651,7 +4651,7 @@ depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0 Record crypt, little space, AES-128-CCM, 1.3 -depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL:MBEDTLS_CCM_C +depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_CCM_C ssl_crypt_record_small:MBEDTLS_CIPHER_AES_128_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0 Record crypt, little space, AES-128-CCM, 1.2, CID 4+4 @@ -4679,7 +4679,7 @@ depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C ssl_crypt_record_small:MBEDTLS_CIPHER_AES_192_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0 Record crypt, little space, AES-192-CCM, 1.3 -depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL:MBEDTLS_CCM_C +depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_CCM_C ssl_crypt_record_small:MBEDTLS_CIPHER_AES_192_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0 Record crypt, little space, AES-192-CCM, 1.2, CID 4+4 @@ -4707,7 +4707,7 @@ depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0 Record crypt, little space, AES-256-CCM, 1.3 -depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL:MBEDTLS_CCM_C +depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_CCM_C ssl_crypt_record_small:MBEDTLS_CIPHER_AES_256_CCM:MBEDTLS_MD_MD5:0:0:MBEDTLS_SSL_MINOR_VERSION_4:0:0 Record crypt, little space, AES-256-CCM, 1.2, CID 4+4 @@ -5893,137 +5893,137 @@ ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:255 SSL TLS 1.3 Key schedule: Secret evolution #1 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Initial secret to Early Secret -depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL -ssl_tls1_3_key_evolution:MBEDTLS_MD_SHA256:"":"":"33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a" +depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +ssl_tls13_key_evolution:MBEDTLS_MD_SHA256:"":"":"33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a" SSL TLS 1.3 Key schedule: Secret evolution #2 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Early secret to Handshake Secret -ssl_tls1_3_key_evolution:MBEDTLS_MD_SHA256:"33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a":"df4a291baa1eb7cfa6934b29b474baad2697e29f1f920dcc77c8a0a088447624":"fb9fc80689b3a5d02c33243bf69a1b1b20705588a794304a6e7120155edf149a" +ssl_tls13_key_evolution:MBEDTLS_MD_SHA256:"33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a":"df4a291baa1eb7cfa6934b29b474baad2697e29f1f920dcc77c8a0a088447624":"fb9fc80689b3a5d02c33243bf69a1b1b20705588a794304a6e7120155edf149a" SSL TLS 1.3 Key schedule: Secret evolution #3 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Handshake secret to Master Secret -ssl_tls1_3_key_evolution:MBEDTLS_MD_SHA256:"fb9fc80689b3a5d02c33243bf69a1b1b20705588a794304a6e7120155edf149a":"":"7f2882bb9b9a46265941653e9c2f19067118151e21d12e57a7b6aca1f8150c8d" +ssl_tls13_key_evolution:MBEDTLS_MD_SHA256:"fb9fc80689b3a5d02c33243bf69a1b1b20705588a794304a6e7120155edf149a":"":"7f2882bb9b9a46265941653e9c2f19067118151e21d12e57a7b6aca1f8150c8d" SSL TLS 1.3 Key schedule: HKDF Expand Label #1 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Server handshake traffic secret -> Server traffic key # HKDF-Expand-Label(server_handshake_secret, "key", "", 16) -ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"a2067265e7f0652a923d5d72ab0467c46132eeb968b6a32d311c805868548814":tls1_3_label_key:"":16:"844780a7acad9f980fa25c114e43402a" +ssl_tls13_hkdf_expand_label:MBEDTLS_MD_SHA256:"a2067265e7f0652a923d5d72ab0467c46132eeb968b6a32d311c805868548814":tls13_label_key:"":16:"844780a7acad9f980fa25c114e43402a" SSL TLS 1.3 Key schedule: HKDF Expand Label #2 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Server handshake traffic secret -> Server traffic IV # HKDF-Expand-Label(server_handshake_secret, "iv", "", 12) -ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"a2067265e7f0652a923d5d72ab0467c46132eeb968b6a32d311c805868548814":tls1_3_label_iv:"":12:"4c042ddc120a38d1417fc815" +ssl_tls13_hkdf_expand_label:MBEDTLS_MD_SHA256:"a2067265e7f0652a923d5d72ab0467c46132eeb968b6a32d311c805868548814":tls13_label_iv:"":12:"4c042ddc120a38d1417fc815" SSL TLS 1.3 Key schedule: HKDF Expand Label #3 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Client handshake traffic secret -> Client traffic key # HKDF-Expand-Label(client_handshake_secret, "key", "", 16) -ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"ff0e5b965291c608c1e8cd267eefc0afcc5e98a2786373f0db47b04786d72aea":tls1_3_label_key:"":16:"7154f314e6be7dc008df2c832baa1d39" +ssl_tls13_hkdf_expand_label:MBEDTLS_MD_SHA256:"ff0e5b965291c608c1e8cd267eefc0afcc5e98a2786373f0db47b04786d72aea":tls13_label_key:"":16:"7154f314e6be7dc008df2c832baa1d39" SSL TLS 1.3 Key schedule: HKDF Expand Label #4 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Client handshake traffic secret -> Client traffic IV # HKDF-Expand-Label(client_handshake_secret, "iv", "", 12) -ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"ff0e5b965291c608c1e8cd267eefc0afcc5e98a2786373f0db47b04786d72aea":tls1_3_label_iv:"":12:"71abc2cae4c699d47c600268" +ssl_tls13_hkdf_expand_label:MBEDTLS_MD_SHA256:"ff0e5b965291c608c1e8cd267eefc0afcc5e98a2786373f0db47b04786d72aea":tls13_label_iv:"":12:"71abc2cae4c699d47c600268" SSL TLS 1.3 Key schedule: HKDF Expand Label #5 (RFC 8448) # Vector from RFC 8448 # Server handshake traffic secret -> Server traffic IV # HKDF-Expand-Label(server_handshake_secret, "iv", "", 12) -ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"b67b7d690cc16c4e75e54213cb2d37b4e9c912bcded9105d42befd59d391ad38":tls1_3_label_iv:"":12:"5d313eb2671276ee13000b30" +ssl_tls13_hkdf_expand_label:MBEDTLS_MD_SHA256:"b67b7d690cc16c4e75e54213cb2d37b4e9c912bcded9105d42befd59d391ad38":tls13_label_iv:"":12:"5d313eb2671276ee13000b30" SSL TLS 1.3 Key schedule: HKDF Expand Label #6 (RFC 8448) # Vector from RFC 8448 # Server handshake traffic secret -> Server traffic Key # HKDF-Expand-Label(server_handshake_secret, "key", "", 16) -ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"b67b7d690cc16c4e75e54213cb2d37b4e9c912bcded9105d42befd59d391ad38":tls1_3_label_key:"":16:"3fce516009c21727d0f2e4e86ee403bc" +ssl_tls13_hkdf_expand_label:MBEDTLS_MD_SHA256:"b67b7d690cc16c4e75e54213cb2d37b4e9c912bcded9105d42befd59d391ad38":tls13_label_key:"":16:"3fce516009c21727d0f2e4e86ee403bc" SSL TLS 1.3 Key schedule: HKDF Expand Label #7 (RFC 8448) # Vector from RFC 8448 # Client handshake traffic secret -> Client traffic IV # HKDF-Expand-Label(client_handshake_secret, "iv", "", 12) -ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"b3eddb126e067f35a780b3abf45e2d8f3b1a950738f52e9600746a0e27a55a21":tls1_3_label_iv:"":12:"5bd3c71b836e0b76bb73265f" +ssl_tls13_hkdf_expand_label:MBEDTLS_MD_SHA256:"b3eddb126e067f35a780b3abf45e2d8f3b1a950738f52e9600746a0e27a55a21":tls13_label_iv:"":12:"5bd3c71b836e0b76bb73265f" SSL TLS 1.3 Key schedule: HKDF Expand Label #8 (RFC 8448) # Vector from RFC 8448 # Client handshake traffic secret -> Client traffic Key # HKDF-Expand-Label(client_handshake_secret, "key", "", 16) -ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"b3eddb126e067f35a780b3abf45e2d8f3b1a950738f52e9600746a0e27a55a21":tls1_3_label_key:"":16:"dbfaa693d1762c5b666af5d950258d01" +ssl_tls13_hkdf_expand_label:MBEDTLS_MD_SHA256:"b3eddb126e067f35a780b3abf45e2d8f3b1a950738f52e9600746a0e27a55a21":tls13_label_key:"":16:"dbfaa693d1762c5b666af5d950258d01" SSL TLS 1.3 Key schedule: HKDF Expand Label #9 (RFC 8448) # Calculation of finished_key -ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"2faac08f851d35fea3604fcb4de82dc62c9b164a70974d0462e27f1ab278700f":tls1_3_label_finished:"":32:"5ace394c26980d581243f627d1150ae27e37fa52364e0a7f20ac686d09cd0e8e" +ssl_tls13_hkdf_expand_label:MBEDTLS_MD_SHA256:"2faac08f851d35fea3604fcb4de82dc62c9b164a70974d0462e27f1ab278700f":tls13_label_finished:"":32:"5ace394c26980d581243f627d1150ae27e37fa52364e0a7f20ac686d09cd0e8e" SSL TLS 1.3 Key schedule: HKDF Expand Label #10 (RFC 8448) # Calculation of resumption key -ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"7df235f2031d2a051287d02b0241b0bfdaf86cc856231f2d5aba46c434ec196c":tls1_3_label_resumption:"0000":32:"4ecd0eb6ec3b4d87f5d6028f922ca4c5851a277fd41311c9e62d2c9492e1c4f3" +ssl_tls13_hkdf_expand_label:MBEDTLS_MD_SHA256:"7df235f2031d2a051287d02b0241b0bfdaf86cc856231f2d5aba46c434ec196c":tls13_label_resumption:"0000":32:"4ecd0eb6ec3b4d87f5d6028f922ca4c5851a277fd41311c9e62d2c9492e1c4f3" SSL TLS 1.3 Key schedule: Traffic key generation #1 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Client/Server handshake traffic secrets -> Client/Server traffic {Key,IV} -ssl_tls1_3_traffic_key_generation:MBEDTLS_MD_SHA256:"a2067265e7f0652a923d5d72ab0467c46132eeb968b6a32d311c805868548814":"ff0e5b965291c608c1e8cd267eefc0afcc5e98a2786373f0db47b04786d72aea":12:16:"844780a7acad9f980fa25c114e43402a":"4c042ddc120a38d1417fc815":"7154f314e6be7dc008df2c832baa1d39":"71abc2cae4c699d47c600268" +ssl_tls13_traffic_key_generation:MBEDTLS_MD_SHA256:"a2067265e7f0652a923d5d72ab0467c46132eeb968b6a32d311c805868548814":"ff0e5b965291c608c1e8cd267eefc0afcc5e98a2786373f0db47b04786d72aea":12:16:"844780a7acad9f980fa25c114e43402a":"4c042ddc120a38d1417fc815":"7154f314e6be7dc008df2c832baa1d39":"71abc2cae4c699d47c600268" SSL TLS 1.3 Key schedule: Traffic key generation #2 (RFC 8448) # Vector RFC 8448 # Client/Server handshake traffic secrets -> Client/Server traffic {Key,IV} -ssl_tls1_3_traffic_key_generation:MBEDTLS_MD_SHA256:"a2067265e7f0652a923d5d72ab0467c46132eeb968b6a32d311c805868548814":"ff0e5b965291c608c1e8cd267eefc0afcc5e98a2786373f0db47b04786d72aea":12:16:"844780a7acad9f980fa25c114e43402a":"4c042ddc120a38d1417fc815":"7154f314e6be7dc008df2c832baa1d39":"71abc2cae4c699d47c600268" +ssl_tls13_traffic_key_generation:MBEDTLS_MD_SHA256:"a2067265e7f0652a923d5d72ab0467c46132eeb968b6a32d311c805868548814":"ff0e5b965291c608c1e8cd267eefc0afcc5e98a2786373f0db47b04786d72aea":12:16:"844780a7acad9f980fa25c114e43402a":"4c042ddc120a38d1417fc815":"7154f314e6be7dc008df2c832baa1d39":"71abc2cae4c699d47c600268" SSL TLS 1.3 Key schedule: Derive-Secret( ., "derived", "") # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Derive-Secret( Early-Secret, "derived", "") # Tests the case where context isn't yet hashed (empty string here, # but still needs to be hashed) -ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a":tls1_3_label_derived:"":32:MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED:"6f2615a108c702c5678f54fc9dbab69716c076189c48250cebeac3576c3611ba" +ssl_tls13_derive_secret:MBEDTLS_MD_SHA256:"33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a":tls13_label_derived:"":32:MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED:"6f2615a108c702c5678f54fc9dbab69716c076189c48250cebeac3576c3611ba" SSL TLS 1.3 Key schedule: Derive-Secret( ., "s ap traffic", hash) #1 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Derive-Secret( MasterSecret, "s ap traffic", hash) # Tests the case where context is already hashed -ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"7f2882bb9b9a46265941653e9c2f19067118151e21d12e57a7b6aca1f8150c8d":tls1_3_label_s_ap_traffic:"22844b930e5e0a59a09d5ac35fc032fc91163b193874a265236e568077378d8b":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"3fc35ea70693069a277956afa23b8f4543ce68ac595f2aace05cd7a1c92023d5" +ssl_tls13_derive_secret:MBEDTLS_MD_SHA256:"7f2882bb9b9a46265941653e9c2f19067118151e21d12e57a7b6aca1f8150c8d":tls13_label_s_ap_traffic:"22844b930e5e0a59a09d5ac35fc032fc91163b193874a265236e568077378d8b":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"3fc35ea70693069a277956afa23b8f4543ce68ac595f2aace05cd7a1c92023d5" SSL TLS 1.3 Key schedule: Derive-Secret( ., "c e traffic", hash) # Vector from RFC 8448 -ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"9b2188e9b2fc6d64d71dc329900e20bb41915000f678aa839cbb797cb7d8332c":tls1_3_label_c_e_traffic:"08ad0fa05d7c7233b1775ba2ff9f4c5b8b59276b7f227f13a976245f5d960913":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"3fbbe6a60deb66c30a32795aba0eff7eaa10105586e7be5c09678d63b6caab62" +ssl_tls13_derive_secret:MBEDTLS_MD_SHA256:"9b2188e9b2fc6d64d71dc329900e20bb41915000f678aa839cbb797cb7d8332c":tls13_label_c_e_traffic:"08ad0fa05d7c7233b1775ba2ff9f4c5b8b59276b7f227f13a976245f5d960913":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"3fbbe6a60deb66c30a32795aba0eff7eaa10105586e7be5c09678d63b6caab62" SSL TLS 1.3 Key schedule: Derive-Secret( ., "e exp master", hash) # Vector from RFC 8448 -ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"9b2188e9b2fc6d64d71dc329900e20bb41915000f678aa839cbb797cb7d8332c":tls1_3_label_e_exp_master:"08ad0fa05d7c7233b1775ba2ff9f4c5b8b59276b7f227f13a976245f5d960913":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"b2026866610937d7423e5be90862ccf24c0e6091186d34f812089ff5be2ef7df" +ssl_tls13_derive_secret:MBEDTLS_MD_SHA256:"9b2188e9b2fc6d64d71dc329900e20bb41915000f678aa839cbb797cb7d8332c":tls13_label_e_exp_master:"08ad0fa05d7c7233b1775ba2ff9f4c5b8b59276b7f227f13a976245f5d960913":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"b2026866610937d7423e5be90862ccf24c0e6091186d34f812089ff5be2ef7df" SSL TLS 1.3 Key schedule: Derive-Secret( ., "c hs traffic", hash) # Vector from RFC 8448 -ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"005cb112fd8eb4ccc623bb88a07c64b3ede1605363fc7d0df8c7ce4ff0fb4ae6":tls1_3_label_c_hs_traffic:"f736cb34fe25e701551bee6fd24c1cc7102a7daf9405cb15d97aafe16f757d03":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"2faac08f851d35fea3604fcb4de82dc62c9b164a70974d0462e27f1ab278700f" +ssl_tls13_derive_secret:MBEDTLS_MD_SHA256:"005cb112fd8eb4ccc623bb88a07c64b3ede1605363fc7d0df8c7ce4ff0fb4ae6":tls13_label_c_hs_traffic:"f736cb34fe25e701551bee6fd24c1cc7102a7daf9405cb15d97aafe16f757d03":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"2faac08f851d35fea3604fcb4de82dc62c9b164a70974d0462e27f1ab278700f" SSL TLS 1.3 Key schedule: Derive-Secret( ., "s hs traffic", hash) # Vector from RFC 8448 -ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"005cb112fd8eb4ccc623bb88a07c64b3ede1605363fc7d0df8c7ce4ff0fb4ae6":tls1_3_label_s_hs_traffic:"f736cb34fe25e701551bee6fd24c1cc7102a7daf9405cb15d97aafe16f757d03":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"fe927ae271312e8bf0275b581c54eef020450dc4ecffaa05a1a35d27518e7803" +ssl_tls13_derive_secret:MBEDTLS_MD_SHA256:"005cb112fd8eb4ccc623bb88a07c64b3ede1605363fc7d0df8c7ce4ff0fb4ae6":tls13_label_s_hs_traffic:"f736cb34fe25e701551bee6fd24c1cc7102a7daf9405cb15d97aafe16f757d03":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"fe927ae271312e8bf0275b581c54eef020450dc4ecffaa05a1a35d27518e7803" SSL TLS 1.3 Key schedule: Derive-Secret( ., "c ap traffic", hash) # Vector from RFC 8448 -ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":tls1_3_label_c_ap_traffic:"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"2abbf2b8e381d23dbebe1dd2a7d16a8bf484cb4950d23fb7fb7fa8547062d9a1" +ssl_tls13_derive_secret:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":tls13_label_c_ap_traffic:"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"2abbf2b8e381d23dbebe1dd2a7d16a8bf484cb4950d23fb7fb7fa8547062d9a1" SSL TLS 1.3 Key schedule: Derive-Secret( ., "s ap traffic", hash) #2 # Vector from RFC 8448 -ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":tls1_3_label_s_ap_traffic:"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"cc21f1bf8feb7dd5fa505bd9c4b468a9984d554a993dc49e6d285598fb672691" +ssl_tls13_derive_secret:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":tls13_label_s_ap_traffic:"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"cc21f1bf8feb7dd5fa505bd9c4b468a9984d554a993dc49e6d285598fb672691" SSL TLS 1.3 Key schedule: Derive-Secret( ., "exp master", hash) # Vector from RFC 8448 -ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":tls1_3_label_exp_master:"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"3fd93d4ffddc98e64b14dd107aedf8ee4add23f4510f58a4592d0b201bee56b4" +ssl_tls13_derive_secret:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":tls13_label_exp_master:"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"3fd93d4ffddc98e64b14dd107aedf8ee4add23f4510f58a4592d0b201bee56b4" SSL TLS 1.3 Key schedule: Derive-Secret( ., "res master", hash) # Vector from RFC 8448 -ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":tls1_3_label_res_master:"c3c122e0bd907a4a3ff6112d8fd53dbf89c773d9552e8b6b9d56d361b3a97bf6":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"5e95bdf1f89005ea2e9aa0ba85e728e3c19c5fe0c699e3f5bee59faebd0b5406" +ssl_tls13_derive_secret:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":tls13_label_res_master:"c3c122e0bd907a4a3ff6112d8fd53dbf89c773d9552e8b6b9d56d361b3a97bf6":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"5e95bdf1f89005ea2e9aa0ba85e728e3c19c5fe0c699e3f5bee59faebd0b5406" SSL TLS 1.3 Key schedule: Early secrets derivation helper # Vector from RFC 8448 -ssl_tls1_3_derive_early_secrets:MBEDTLS_MD_SHA256:"9b2188e9b2fc6d64d71dc329900e20bb41915000f678aa839cbb797cb7d8332c":"08ad0fa05d7c7233b1775ba2ff9f4c5b8b59276b7f227f13a976245f5d960913":"3fbbe6a60deb66c30a32795aba0eff7eaa10105586e7be5c09678d63b6caab62":"b2026866610937d7423e5be90862ccf24c0e6091186d34f812089ff5be2ef7df" +ssl_tls13_derive_early_secrets:MBEDTLS_MD_SHA256:"9b2188e9b2fc6d64d71dc329900e20bb41915000f678aa839cbb797cb7d8332c":"08ad0fa05d7c7233b1775ba2ff9f4c5b8b59276b7f227f13a976245f5d960913":"3fbbe6a60deb66c30a32795aba0eff7eaa10105586e7be5c09678d63b6caab62":"b2026866610937d7423e5be90862ccf24c0e6091186d34f812089ff5be2ef7df" SSL TLS 1.3 Key schedule: Handshake secrets derivation helper # Vector from RFC 8448 -ssl_tls1_3_derive_handshake_secrets:MBEDTLS_MD_SHA256:"005cb112fd8eb4ccc623bb88a07c64b3ede1605363fc7d0df8c7ce4ff0fb4ae6":"f736cb34fe25e701551bee6fd24c1cc7102a7daf9405cb15d97aafe16f757d03":"2faac08f851d35fea3604fcb4de82dc62c9b164a70974d0462e27f1ab278700f":"fe927ae271312e8bf0275b581c54eef020450dc4ecffaa05a1a35d27518e7803" +ssl_tls13_derive_handshake_secrets:MBEDTLS_MD_SHA256:"005cb112fd8eb4ccc623bb88a07c64b3ede1605363fc7d0df8c7ce4ff0fb4ae6":"f736cb34fe25e701551bee6fd24c1cc7102a7daf9405cb15d97aafe16f757d03":"2faac08f851d35fea3604fcb4de82dc62c9b164a70974d0462e27f1ab278700f":"fe927ae271312e8bf0275b581c54eef020450dc4ecffaa05a1a35d27518e7803" SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #1 # - Server App Key: 0b6d22c8ff68097ea871c672073773bf @@ -6033,7 +6033,7 @@ SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #1 # - App data payload: 70696e67 # - Complete record: 1703030015c74061535eb12f5f25a781957874742ab7fb305dd5 # - Padding used: No (== granularity 1) -ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:1:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"70696e67":"c74061535eb12f5f25a781957874742ab7fb305dd5" +ssl_tls13_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:1:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"70696e67":"c74061535eb12f5f25a781957874742ab7fb305dd5" SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #2 # - Server App Key: 0b6d22c8ff68097ea871c672073773bf @@ -6043,7 +6043,7 @@ SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #2 # - App data payload: 706f6e67 # - Complete record: 1703030015370e5f168afa7fb16b663ecdfca3dbb81931a90ca7 # - Padding used: No (== granularity 1) -ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:1:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"706f6e67":"370e5f168afa7fb16b663ecdfca3dbb81931a90ca7" +ssl_tls13_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:1:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"706f6e67":"370e5f168afa7fb16b663ecdfca3dbb81931a90ca7" SSL TLS 1.3 Record Encryption RFC 8448 Example #1 # Application Data record sent by Client in 1-RTT example of RFC 8448, Section 3 @@ -6061,7 +6061,7 @@ SSL TLS 1.3 Record Encryption RFC 8448 Example #1 # 62 97 4e 1f 5a 62 92 a2 97 70 14 bd 1e 3d ea e6 # 3a ee bb 21 69 49 15 e4 # - Padding used: No (== granularity 1) -ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:1:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"a23f7054b62c94d0affafe8228ba55cbefacea42f914aa66bcab3f2b9819a8a5b46b395bd54a9a20441e2b62974e1f5a6292a2977014bd1e3deae63aeebb21694915e4" +ssl_tls13_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:1:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"a23f7054b62c94d0affafe8228ba55cbefacea42f914aa66bcab3f2b9819a8a5b46b395bd54a9a20441e2b62974e1f5a6292a2977014bd1e3deae63aeebb21694915e4" SSL TLS 1.3 Record Encryption RFC 8448 Example #2 # Application Data record sent by Server in 1-RTT example of RFC 8448, Section 3 @@ -6079,21 +6079,21 @@ SSL TLS 1.3 Record Encryption RFC 8448 Example #2 # fc c4 9c 4b f2 e5 f0 a2 1c 00 47 c2 ab f3 32 54 # 0d d0 32 e1 67 c2 95 5d # - Padding used: No (== granularity 1) -ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:1:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"2e937e11ef4ac740e538ad36005fc4a46932fc3225d05f82aa1b36e30efaf97d90e6dffc602dcb501a59a8fcc49c4bf2e5f0a21c0047c2abf332540dd032e167c2955d" +ssl_tls13_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:1:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"2e937e11ef4ac740e538ad36005fc4a46932fc3225d05f82aa1b36e30efaf97d90e6dffc602dcb501a59a8fcc49c4bf2e5f0a21c0047c2abf332540dd032e167c2955d" SSL TLS 1.3 Key schedule: Application secrets derivation helper # Vector from RFC 8448 -ssl_tls1_3_derive_application_secrets:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":"2abbf2b8e381d23dbebe1dd2a7d16a8bf484cb4950d23fb7fb7fa8547062d9a1":"cc21f1bf8feb7dd5fa505bd9c4b468a9984d554a993dc49e6d285598fb672691":"3fd93d4ffddc98e64b14dd107aedf8ee4add23f4510f58a4592d0b201bee56b4" +ssl_tls13_derive_application_secrets:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":"2abbf2b8e381d23dbebe1dd2a7d16a8bf484cb4950d23fb7fb7fa8547062d9a1":"cc21f1bf8feb7dd5fa505bd9c4b468a9984d554a993dc49e6d285598fb672691":"3fd93d4ffddc98e64b14dd107aedf8ee4add23f4510f58a4592d0b201bee56b4" SSL TLS 1.3 Key schedule: Resumption secrets derivation helper # Vector from RFC 8448 -ssl_tls1_3_derive_resumption_secrets:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":"c3c122e0bd907a4a3ff6112d8fd53dbf89c773d9552e8b6b9d56d361b3a97bf6":"5e95bdf1f89005ea2e9aa0ba85e728e3c19c5fe0c699e3f5bee59faebd0b5406" +ssl_tls13_derive_resumption_secrets:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":"c3c122e0bd907a4a3ff6112d8fd53dbf89c773d9552e8b6b9d56d361b3a97bf6":"5e95bdf1f89005ea2e9aa0ba85e728e3c19c5fe0c699e3f5bee59faebd0b5406" SSL TLS 1.3 Key schedule: PSK binder # Vector from RFC 8448 # For the resumption PSK, see Section 3, 'generate resumption secret "tls13 resumption"' # For all other data, see Section 4, 'construct a ClientHello handshake message:' -ssl_tls1_3_create_psk_binder:MBEDTLS_MD_SHA256:"4ecd0eb6ec3b4d87f5d6028f922ca4c5851a277fd41311c9e62d2c9492e1c4f3":MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION:"63224b2e4573f2d3454ca84b9d009a04f6be9e05711a8396473aefa01e924a14":"3add4fb2d8fdf822a0ca3cf7678ef5e88dae990141c5924d57bb6fa31b9e5f9d" +ssl_tls13_create_psk_binder:MBEDTLS_MD_SHA256:"4ecd0eb6ec3b4d87f5d6028f922ca4c5851a277fd41311c9e62d2c9492e1c4f3":MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION:"63224b2e4573f2d3454ca84b9d009a04f6be9e05711a8396473aefa01e924a14":"3add4fb2d8fdf822a0ca3cf7678ef5e88dae990141c5924d57bb6fa31b9e5f9d" SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE @@ -6115,83 +6115,83 @@ depends_on:!MBEDTLS_SHA256_C ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_SHA256:"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef":"test tls_prf label":"7f9998393198a02c8d731ccc2ef90b2c":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE Session serialization, save-load: no ticket, no cert -depends_on:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +depends_on:!MBEDTLS_SSL_PROTO_TLS1_3 ssl_serialize_session_save_load:0:"" Session serialization, save-load: small ticket, no cert -depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:!MBEDTLS_SSL_PROTO_TLS1_3 ssl_serialize_session_save_load:42:"" Session serialization, save-load: large ticket, no cert -depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:!MBEDTLS_SSL_PROTO_TLS1_3 ssl_serialize_session_save_load:1023:"" Session serialization, save-load: no ticket, cert -depends_on:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +depends_on:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:!MBEDTLS_SSL_PROTO_TLS1_3 ssl_serialize_session_save_load:0:"data_files/server5.crt" Session serialization, save-load: small ticket, cert -depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:!MBEDTLS_SSL_PROTO_TLS1_3 ssl_serialize_session_save_load:42:"data_files/server5.crt" Session serialization, save-load: large ticket, cert -depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:!MBEDTLS_SSL_PROTO_TLS1_3 ssl_serialize_session_save_load:1023:"data_files/server5.crt" Session serialization, load-save: no ticket, no cert -depends_on:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +depends_on:!MBEDTLS_SSL_PROTO_TLS1_3 ssl_serialize_session_load_save:0:"" Session serialization, load-save: small ticket, no cert -depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:!MBEDTLS_SSL_PROTO_TLS1_3 ssl_serialize_session_load_save:42:"" Session serialization, load-save: large ticket, no cert -depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:!MBEDTLS_SSL_PROTO_TLS1_3 ssl_serialize_session_load_save:1023:"" Session serialization, load-save: no ticket, cert -depends_on:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +depends_on:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:!MBEDTLS_SSL_PROTO_TLS1_3 ssl_serialize_session_load_save:0:"data_files/server5.crt" Session serialization, load-save: small ticket, cert -depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:!MBEDTLS_SSL_PROTO_TLS1_3 ssl_serialize_session_load_save:42:"data_files/server5.crt" Session serialization, load-save: large ticket, cert -depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:!MBEDTLS_SSL_PROTO_TLS1_3 ssl_serialize_session_load_save:1023:"data_files/server5.crt" Session serialization, save buffer size: no ticket, no cert -depends_on:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +depends_on:!MBEDTLS_SSL_PROTO_TLS1_3 ssl_serialize_session_save_buf_size:0:"" Session serialization, save buffer size: small ticket, no cert -depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:!MBEDTLS_SSL_PROTO_TLS1_3 ssl_serialize_session_save_buf_size:42:"" Session serialization, save buffer size: large ticket, no cert -depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:!MBEDTLS_SSL_PROTO_TLS1_3 ssl_serialize_session_save_buf_size:1023:"" Session serialization, save buffer size: no ticket, cert -depends_on:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +depends_on:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:!MBEDTLS_SSL_PROTO_TLS1_3 ssl_serialize_session_save_buf_size:0:"data_files/server5.crt" Session serialization, save buffer size: small ticket, cert -depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:!MBEDTLS_SSL_PROTO_TLS1_3 ssl_serialize_session_save_buf_size:42:"data_files/server5.crt" Session serialization, save buffer size: large ticket, cert -depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:!MBEDTLS_SSL_PROTO_TLS1_3 ssl_serialize_session_save_buf_size:1023:"data_files/server5.crt" Session serialization, load buffer size: no ticket, no cert -depends_on:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +depends_on:!MBEDTLS_SSL_PROTO_TLS1_3 ssl_serialize_session_load_buf_size:0:"" Session serialization, load buffer size: small ticket, no cert -depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:!MBEDTLS_SSL_PROTO_TLS1_3 ssl_serialize_session_load_buf_size:42:"" Session serialization, load buffer size: large ticket, no cert @@ -6199,7 +6199,7 @@ depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C ssl_serialize_session_load_buf_size:1023:"" Session serialization, load buffer size: no ticket, cert -depends_on:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:!MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +depends_on:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:!MBEDTLS_SSL_PROTO_TLS1_3 ssl_serialize_session_load_buf_size:0:"data_files/server5.crt" Session serialization, load buffer size: small ticket, cert @@ -6237,3 +6237,9 @@ ssl_cf_memcpy_offset:0:255:32 # we could get this with 255-bytes plaintext and untruncated SHA-384 Constant-flow memcpy from offset: large ssl_cf_memcpy_offset:100:339:48 + +Test configuration of groups for DHE through mbedtls_ssl_conf_curves() +conf_curve: + +Test configuration of groups for DHE through mbedtls_ssl_conf_groups() +conf_group: diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 7f22f1abfe50..dadecdb45f90 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -10,14 +10,14 @@ #include <psa/crypto.h> -#include <ssl_invasive.h> +#include <constant_time_internal.h> #include <test/constant_flow.h> enum { #define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \ - tls1_3_label_ ## name, + tls13_label_ ## name, MBEDTLS_SSL_TLS1_3_LABEL_LIST #undef MBEDTLS_SSL_TLS1_3_LABEL }; @@ -1323,14 +1323,14 @@ static int build_transforms( mbedtls_ssl_transform *t_in, { case MBEDTLS_MODE_GCM: case MBEDTLS_MODE_CCM: -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) if( ver == MBEDTLS_SSL_MINOR_VERSION_4 ) { t_out->fixed_ivlen = 12; t_in->fixed_ivlen = 12; } else -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ { t_out->fixed_ivlen = 4; t_in->fixed_ivlen = 4; @@ -2236,8 +2236,8 @@ exit: void ssl_mock_sanity( ) { enum { MSGLEN = 105 }; - unsigned char message[MSGLEN]; - unsigned char received[MSGLEN]; + unsigned char message[MSGLEN] = { 0 }; + unsigned char received[MSGLEN] = { 0 }; mbedtls_mock_socket socket; mbedtls_mock_socket_init( &socket ); @@ -3254,7 +3254,7 @@ void ssl_crypt_record( int cipher_type, int hash_id, } #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) if( t_enc->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) { /* TLS 1.3 hides the real content type and @@ -3262,7 +3262,7 @@ void ssl_crypt_record( int cipher_type, int hash_id, * for protected records. Double-check this. */ TEST_ASSERT( rec.type == MBEDTLS_SSL_MSG_APPLICATION_DATA ); } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ /* Decrypt record with t_dec */ ret = mbedtls_ssl_decrypt_buf( &ssl, t_dec, &rec ); @@ -3418,7 +3418,7 @@ void ssl_crypt_record_small( int cipher_type, int hash_id, } #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) if( t_enc->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) { /* TLS 1.3 hides the real content type and @@ -3426,7 +3426,7 @@ void ssl_crypt_record_small( int cipher_type, int hash_id, * for protected records. Double-check this. */ TEST_ASSERT( rec.type == MBEDTLS_SSL_MSG_APPLICATION_DATA ); } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ /* Decrypt record with t_dec */ TEST_ASSERT( mbedtls_ssl_decrypt_buf( &ssl, t_dec, &rec ) == 0 ); @@ -3669,23 +3669,23 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ -void ssl_tls1_3_hkdf_expand_label( int hash_alg, - data_t *secret, - int label_idx, - data_t *ctx, - int desired_length, - data_t *expected ) +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ +void ssl_tls13_hkdf_expand_label( int hash_alg, + data_t *secret, + int label_idx, + data_t *ctx, + int desired_length, + data_t *expected ) { unsigned char dst[ 100 ]; unsigned char const *lbl = NULL; size_t lbl_len; -#define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \ - if( label_idx == (int) tls1_3_label_ ## name ) \ - { \ - lbl = mbedtls_ssl_tls1_3_labels.name; \ - lbl_len = sizeof( mbedtls_ssl_tls1_3_labels.name ); \ +#define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \ + if( label_idx == (int) tls13_label_ ## name ) \ + { \ + lbl = mbedtls_ssl_tls13_labels.name; \ + lbl_len = sizeof( mbedtls_ssl_tls13_labels.name ); \ } MBEDTLS_SSL_TLS1_3_LABEL_LIST #undef MBEDTLS_SSL_TLS1_3_LABEL @@ -3695,7 +3695,7 @@ MBEDTLS_SSL_TLS1_3_LABEL_LIST TEST_ASSERT( (size_t) desired_length <= sizeof(dst) ); TEST_ASSERT( (size_t) desired_length == expected->len ); - TEST_ASSERT( mbedtls_ssl_tls1_3_hkdf_expand_label( + TEST_ASSERT( mbedtls_ssl_tls13_hkdf_expand_label( (mbedtls_md_type_t) hash_alg, secret->x, secret->len, lbl, lbl_len, @@ -3707,16 +3707,16 @@ MBEDTLS_SSL_TLS1_3_LABEL_LIST } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ -void ssl_tls1_3_traffic_key_generation( int hash_alg, - data_t *server_secret, - data_t *client_secret, - int desired_iv_len, - int desired_key_len, - data_t *expected_server_write_key, - data_t *expected_server_write_iv, - data_t *expected_client_write_key, - data_t *expected_client_write_iv ) +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ +void ssl_tls13_traffic_key_generation( int hash_alg, + data_t *server_secret, + data_t *client_secret, + int desired_iv_len, + int desired_key_len, + data_t *expected_server_write_key, + data_t *expected_server_write_iv, + data_t *expected_client_write_key, + data_t *expected_client_write_iv ) { mbedtls_ssl_key_set keys; @@ -3727,7 +3727,7 @@ void ssl_tls1_3_traffic_key_generation( int hash_alg, TEST_ASSERT( expected_client_write_key->len == expected_server_write_key->len && expected_client_write_key->len == (size_t) desired_key_len ); - TEST_ASSERT( mbedtls_ssl_tls1_3_make_traffic_keys( + TEST_ASSERT( mbedtls_ssl_tls13_make_traffic_keys( (mbedtls_md_type_t) hash_alg, client_secret->x, server_secret->x, @@ -3754,24 +3754,24 @@ void ssl_tls1_3_traffic_key_generation( int hash_alg, } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ -void ssl_tls1_3_derive_secret( int hash_alg, - data_t *secret, - int label_idx, - data_t *ctx, - int desired_length, - int already_hashed, - data_t *expected ) +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ +void ssl_tls13_derive_secret( int hash_alg, + data_t *secret, + int label_idx, + data_t *ctx, + int desired_length, + int already_hashed, + data_t *expected ) { unsigned char dst[ 100 ]; unsigned char const *lbl = NULL; size_t lbl_len; -#define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \ - if( label_idx == (int) tls1_3_label_ ## name ) \ - { \ - lbl = mbedtls_ssl_tls1_3_labels.name; \ - lbl_len = sizeof( mbedtls_ssl_tls1_3_labels.name ); \ +#define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \ + if( label_idx == (int) tls13_label_ ## name ) \ + { \ + lbl = mbedtls_ssl_tls13_labels.name; \ + lbl_len = sizeof( mbedtls_ssl_tls13_labels.name ); \ } MBEDTLS_SSL_TLS1_3_LABEL_LIST #undef MBEDTLS_SSL_TLS1_3_LABEL @@ -3781,7 +3781,7 @@ MBEDTLS_SSL_TLS1_3_LABEL_LIST TEST_ASSERT( (size_t) desired_length <= sizeof(dst) ); TEST_ASSERT( (size_t) desired_length == expected->len ); - TEST_ASSERT( mbedtls_ssl_tls1_3_derive_secret( + TEST_ASSERT( mbedtls_ssl_tls13_derive_secret( (mbedtls_md_type_t) hash_alg, secret->x, secret->len, lbl, lbl_len, @@ -3794,14 +3794,14 @@ MBEDTLS_SSL_TLS1_3_LABEL_LIST } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ -void ssl_tls1_3_derive_early_secrets( int hash_alg, - data_t *secret, - data_t *transcript, - data_t *traffic_expected, - data_t *exporter_expected ) +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ +void ssl_tls13_derive_early_secrets( int hash_alg, + data_t *secret, + data_t *transcript, + data_t *traffic_expected, + data_t *exporter_expected ) { - mbedtls_ssl_tls1_3_early_secrets secrets; + mbedtls_ssl_tls13_early_secrets secrets; /* Double-check that we've passed sane parameters. */ mbedtls_md_type_t md_type = (mbedtls_md_type_t) hash_alg; @@ -3813,7 +3813,7 @@ void ssl_tls1_3_derive_early_secrets( int hash_alg, traffic_expected->len == md_size && exporter_expected->len == md_size ); - TEST_ASSERT( mbedtls_ssl_tls1_3_derive_early_secrets( + TEST_ASSERT( mbedtls_ssl_tls13_derive_early_secrets( md_type, secret->x, transcript->x, transcript->len, &secrets ) == 0 ); @@ -3824,14 +3824,14 @@ void ssl_tls1_3_derive_early_secrets( int hash_alg, } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ -void ssl_tls1_3_derive_handshake_secrets( int hash_alg, - data_t *secret, - data_t *transcript, - data_t *client_expected, - data_t *server_expected ) +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ +void ssl_tls13_derive_handshake_secrets( int hash_alg, + data_t *secret, + data_t *transcript, + data_t *client_expected, + data_t *server_expected ) { - mbedtls_ssl_tls1_3_handshake_secrets secrets; + mbedtls_ssl_tls13_handshake_secrets secrets; /* Double-check that we've passed sane parameters. */ mbedtls_md_type_t md_type = (mbedtls_md_type_t) hash_alg; @@ -3843,7 +3843,7 @@ void ssl_tls1_3_derive_handshake_secrets( int hash_alg, client_expected->len == md_size && server_expected->len == md_size ); - TEST_ASSERT( mbedtls_ssl_tls1_3_derive_handshake_secrets( + TEST_ASSERT( mbedtls_ssl_tls13_derive_handshake_secrets( md_type, secret->x, transcript->x, transcript->len, &secrets ) == 0 ); @@ -3854,15 +3854,15 @@ void ssl_tls1_3_derive_handshake_secrets( int hash_alg, } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ -void ssl_tls1_3_derive_application_secrets( int hash_alg, - data_t *secret, - data_t *transcript, - data_t *client_expected, - data_t *server_expected, - data_t *exporter_expected ) +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ +void ssl_tls13_derive_application_secrets( int hash_alg, + data_t *secret, + data_t *transcript, + data_t *client_expected, + data_t *server_expected, + data_t *exporter_expected ) { - mbedtls_ssl_tls1_3_application_secrets secrets; + mbedtls_ssl_tls13_application_secrets secrets; /* Double-check that we've passed sane parameters. */ mbedtls_md_type_t md_type = (mbedtls_md_type_t) hash_alg; @@ -3875,7 +3875,7 @@ void ssl_tls1_3_derive_application_secrets( int hash_alg, server_expected->len == md_size && exporter_expected->len == md_size ); - TEST_ASSERT( mbedtls_ssl_tls1_3_derive_application_secrets( + TEST_ASSERT( mbedtls_ssl_tls13_derive_application_secrets( md_type, secret->x, transcript->x, transcript->len, &secrets ) == 0 ); @@ -3888,13 +3888,13 @@ void ssl_tls1_3_derive_application_secrets( int hash_alg, } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ -void ssl_tls1_3_derive_resumption_secrets( int hash_alg, - data_t *secret, - data_t *transcript, - data_t *resumption_expected ) +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ +void ssl_tls13_derive_resumption_secrets( int hash_alg, + data_t *secret, + data_t *transcript, + data_t *resumption_expected ) { - mbedtls_ssl_tls1_3_application_secrets secrets; + mbedtls_ssl_tls13_application_secrets secrets; /* Double-check that we've passed sane parameters. */ mbedtls_md_type_t md_type = (mbedtls_md_type_t) hash_alg; @@ -3905,7 +3905,7 @@ void ssl_tls1_3_derive_resumption_secrets( int hash_alg, transcript->len == md_size && resumption_expected->len == md_size ); - TEST_ASSERT( mbedtls_ssl_tls1_3_derive_resumption_master_secret( + TEST_ASSERT( mbedtls_ssl_tls13_derive_resumption_master_secret( md_type, secret->x, transcript->x, transcript->len, &secrets ) == 0 ); @@ -3914,12 +3914,12 @@ void ssl_tls1_3_derive_resumption_secrets( int hash_alg, } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ -void ssl_tls1_3_create_psk_binder( int hash_alg, - data_t *psk, - int psk_type, - data_t *transcript, - data_t *binder_expected ) +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ +void ssl_tls13_create_psk_binder( int hash_alg, + data_t *psk, + int psk_type, + data_t *transcript, + data_t *binder_expected ) { unsigned char binder[ MBEDTLS_MD_MAX_SIZE ]; @@ -3931,7 +3931,7 @@ void ssl_tls1_3_create_psk_binder( int hash_alg, transcript->len == md_size && binder_expected->len == md_size ); - TEST_ASSERT( mbedtls_ssl_tls1_3_create_psk_binder( + TEST_ASSERT( mbedtls_ssl_tls13_create_psk_binder( NULL, /* SSL context for debugging only */ md_type, psk->x, psk->len, @@ -3944,17 +3944,17 @@ void ssl_tls1_3_create_psk_binder( int hash_alg, } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ -void ssl_tls1_3_record_protection( int ciphersuite, - int endpoint, - int ctr, - int padding_used, - data_t *server_write_key, - data_t *server_write_iv, - data_t *client_write_key, - data_t *client_write_iv, - data_t *plaintext, - data_t *ciphertext ) +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ +void ssl_tls13_record_protection( int ciphersuite, + int endpoint, + int ctr, + int padding_used, + data_t *server_write_key, + data_t *server_write_iv, + data_t *client_write_key, + data_t *client_write_iv, + data_t *plaintext, + data_t *ciphertext ) { mbedtls_ssl_key_set keys; mbedtls_ssl_transform transform_send; @@ -4042,15 +4042,15 @@ void ssl_tls1_3_record_protection( int ciphersuite, } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ -void ssl_tls1_3_key_evolution( int hash_alg, - data_t *secret, - data_t *input, - data_t *expected ) +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ +void ssl_tls13_key_evolution( int hash_alg, + data_t *secret, + data_t *input, + data_t *expected ) { unsigned char secret_new[ MBEDTLS_MD_MAX_SIZE ]; - TEST_ASSERT( mbedtls_ssl_tls1_3_evolve_secret( + TEST_ASSERT( mbedtls_ssl_tls13_evolve_secret( (mbedtls_md_type_t) hash_alg, secret->len ? secret->x : NULL, input->len ? input->x : NULL, input->len, @@ -4332,7 +4332,7 @@ void ssl_session_serialize_version_check( int corrupt_major, corrupt_config == 1 }; mbedtls_ssl_session_init( &session ); - ssl_populate_session_tls12( &session, 0, NULL ); + TEST_ASSERT( ssl_populate_session_tls12( &session, 0, NULL ) == 0 ); /* Infer length of serialized session. */ TEST_ASSERT( mbedtls_ssl_session_save( &session, @@ -4653,7 +4653,7 @@ void resize_buffers_renegotiate_mfl( int mfl, int legacy_renegotiation, void ssl_cf_hmac( int hash ) { /* - * Test the function mbedtls_ssl_cf_hmac() against a reference + * Test the function mbedtls_ct_hmac() against a reference * implementation. */ mbedtls_md_context_t ctx, ref_ctx; @@ -4712,10 +4712,10 @@ void ssl_cf_hmac( int hash ) /* Get the function's result */ TEST_CF_SECRET( &in_len, sizeof( in_len ) ); - TEST_EQUAL( 0, mbedtls_ssl_cf_hmac( &ctx, add_data, sizeof( add_data ), - data, in_len, - min_in_len, max_in_len, - out ) ); + TEST_EQUAL( 0, mbedtls_ct_hmac( &ctx, add_data, sizeof( add_data ), + data, in_len, + min_in_len, max_in_len, + out ) ); TEST_CF_PUBLIC( &in_len, sizeof( in_len ) ); TEST_CF_PUBLIC( out, out_len ); @@ -4762,8 +4762,8 @@ void ssl_cf_memcpy_offset( int offset_min, int offset_max, int len ) mbedtls_test_set_step( (int) secret ); TEST_CF_SECRET( &secret, sizeof( secret ) ); - mbedtls_ssl_cf_memcpy_offset( dst, src, secret, - offset_min, offset_max, len ); + mbedtls_ct_memcpy_offset( dst, src, secret, + offset_min, offset_max, len ); TEST_CF_PUBLIC( &secret, sizeof( secret ) ); TEST_CF_PUBLIC( dst, len ); @@ -4881,3 +4881,72 @@ exit: } /* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_ECP_C:!MBEDTLS_DEPRECATED_REMOVED:!MBEDTLS_DEPRECATED_WARNING:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_ECP_DP_SECP224R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED */ +void conf_curve() +{ + + mbedtls_ecp_group_id curve_list[] = { MBEDTLS_ECP_DP_SECP192R1, + MBEDTLS_ECP_DP_SECP224R1, + MBEDTLS_ECP_DP_SECP256R1, + MBEDTLS_ECP_DP_NONE }; + mbedtls_ecp_group_id iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, + MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, + MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, + MBEDTLS_SSL_IANA_TLS_GROUP_NONE }; + + mbedtls_ssl_config conf; + mbedtls_ssl_config_init( &conf ); + + mbedtls_ssl_conf_max_version( &conf, 3, 3 ); + mbedtls_ssl_conf_min_version( &conf, 3, 3 ); + mbedtls_ssl_conf_curves( &conf, curve_list ); + + mbedtls_ssl_context ssl; + mbedtls_ssl_init( &ssl ); + TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); + + TEST_ASSERT( ssl.handshake != NULL && ssl.handshake->group_list != NULL ); + TEST_ASSERT( ssl.conf != NULL && ssl.conf->group_list == NULL ); + + TEST_EQUAL( ssl.handshake->group_list[ARRAY_LENGTH( iana_tls_group_list ) - 1], MBEDTLS_SSL_IANA_TLS_GROUP_NONE ); + + for( size_t i = 0; i < ARRAY_LENGTH( iana_tls_group_list ); i++ ) + TEST_EQUAL( iana_tls_group_list[i], ssl.handshake->group_list[i] ); + + mbedtls_ssl_free( &ssl ); + mbedtls_ssl_config_free( &conf ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_DEPRECATED_REMOVED */ +void conf_group() +{ + uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, + MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, + MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, + MBEDTLS_SSL_IANA_TLS_GROUP_NONE }; + + mbedtls_ssl_config conf; + mbedtls_ssl_config_init( &conf ); + + mbedtls_ssl_conf_max_version( &conf, 3, 3 ); + mbedtls_ssl_conf_min_version( &conf, 3, 3 ); + + mbedtls_ssl_conf_groups( &conf, iana_tls_group_list ); + + mbedtls_ssl_context ssl; + mbedtls_ssl_init( &ssl ); + TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); + + TEST_ASSERT( ssl.conf != NULL && ssl.conf->group_list != NULL ); + + TEST_EQUAL( ssl.conf->group_list[ARRAY_LENGTH( iana_tls_group_list ) - 1], MBEDTLS_SSL_IANA_TLS_GROUP_NONE ); + + for( size_t i = 0; i < ARRAY_LENGTH( iana_tls_group_list ); i++ ) + TEST_EQUAL( iana_tls_group_list[i], ssl.conf->group_list[i] ); + + mbedtls_ssl_free( &ssl ); + mbedtls_ssl_config_free( &conf ); +} +/* END_CASE */ diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data index 0b5e426bb045..0ce4a2e41a57 100644 --- a/tests/suites/test_suite_version.data +++ b/tests/suites/test_suite_version.data @@ -1,8 +1,8 @@ Check compiletime library version -check_compiletime_version:"3.0.0" +check_compiletime_version:"3.1.0" Check runtime library version -check_runtime_version:"3.0.0" +check_runtime_version:"3.1.0" Check for MBEDTLS_VERSION_C check_feature:"MBEDTLS_VERSION_C":0