From 07c22c6708bd4c651cfd0fd5dd4cd75a28cbdd25 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Fri, 23 Jun 2023 23:19:40 +0100 Subject: [PATCH 001/222] Reword the description of mbedtls_net_free() This makes it clearer that the context itself is not being freed. Signed-off-by: David Horstmann --- include/mbedtls/net_sockets.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/net_sockets.h b/include/mbedtls/net_sockets.h index 14316fbed..9f9e2adcf 100644 --- a/include/mbedtls/net_sockets.h +++ b/include/mbedtls/net_sockets.h @@ -283,16 +283,16 @@ int mbedtls_net_recv_timeout(void *ctx, unsigned char *buf, size_t len, uint32_t timeout); /** - * \brief Closes down the connection and free associated data + * \brief Close down the connection and clear the context * * \param ctx The context to close */ void mbedtls_net_close(mbedtls_net_context *ctx); /** - * \brief Gracefully shutdown the connection and free associated data + * \brief Gracefully shutdown the connection and clear the context * - * \param ctx The context to free + * \param ctx The context to gracefully shutdown */ void mbedtls_net_free(mbedtls_net_context *ctx); From 98083c6a173ecdcd2eb9ffc03275f22dc46b4811 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Sun, 25 Jun 2023 23:27:45 +0100 Subject: [PATCH 002/222] Add support for SHA-3 in PSA Signed-off-by: Dave Rodgman --- include/mbedtls/config_psa.h | 14 +++++++ include/psa/crypto_builtin_primitives.h | 7 +++- include/psa/crypto_config.h | 1 + library/psa_crypto_hash.c | 52 +++++++++++++++++++++++++ 4 files changed, 73 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index b7e89472f..b1d386236 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h 
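Review bot: The reworded `\brief` for `mbedtls_net_free()` in net_sockets.h says the context is cleared, but it still does not say who owns the structure afterwards, which is the ambiguity the commit message sets out to remove. A caller who reads "free" in the function name can still assume the storage is released and either leak it or free it twice. Consider adding a line such as `The context structure itself is not deallocated; the caller remains responsible for its storage.` to both `mbedtls_net_close()` and `mbedtls_net_free()`. As a wording point, "shutdown" is used as a verb in `Gracefully shutdown the connection` and `The context to gracefully shutdown`; it should read "shut down".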
@@ -113,6 +113,10 @@ extern "C" { #define PSA_WANT_ALG_SHA_512 1 #endif +#if defined(MBEDTLS_SHA3_C) +#define PSA_WANT_ALG_SHA_3 1 +#endif + /****************************************************************/ /* Require built-in implementations based on PSA requirements */ @@ -270,6 +274,11 @@ extern "C" { #define MBEDTLS_SHA512_C #endif +#if defined(PSA_WANT_ALG_SHA_3) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_3) +#define MBEDTLS_PSA_BUILTIN_ALG_SHA_3 1 +#define MBEDTLS_SHA3_C +#endif + #if defined(PSA_WANT_ALG_PBKDF2_HMAC) #if !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_HMAC) #define MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC 1 @@ -865,6 +874,11 @@ extern "C" { #define PSA_WANT_ALG_SHA_512 1 #endif +#if defined(MBEDTLS_SHA3_C) +#define MBEDTLS_PSA_BUILTIN_ALG_SHA_3 1 +#define PSA_WANT_ALG_SHA_3 1 +#endif + #if defined(MBEDTLS_AES_C) #define PSA_WANT_KEY_TYPE_AES 1 #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES 1 diff --git a/include/psa/crypto_builtin_primitives.h b/include/psa/crypto_builtin_primitives.h index f3e438dd7..ea7da9a1d 100644 --- a/include/psa/crypto_builtin_primitives.h +++ b/include/psa/crypto_builtin_primitives.h @@ -45,6 +45,7 @@ #include "mbedtls/sha1.h" #include "mbedtls/sha256.h" #include "mbedtls/sha512.h" +#include "mbedtls/sha3.h" #if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160) || \ @@ -52,7 +53,8 @@ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512) + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_3) #define MBEDTLS_PSA_BUILTIN_HASH #endif @@ -76,6 +78,9 @@ typedef struct { #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384) mbedtls_sha512_context sha512; +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_3) + mbedtls_sha3_context sha3; #endif } MBEDTLS_PRIVATE(ctx); } mbedtls_psa_hash_operation_t; 
diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index 9da28de8b..e79f21775 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h @@ -86,6 +86,7 @@ #define PSA_WANT_ALG_SHA_256 1 #define PSA_WANT_ALG_SHA_384 1 #define PSA_WANT_ALG_SHA_512 1 +#define PSA_WANT_ALG_SHA_3 1 #define PSA_WANT_ALG_STREAM_CIPHER 1 #define PSA_WANT_ALG_TLS12_PRF 1 #define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 diff --git a/library/psa_crypto_hash.c b/library/psa_crypto_hash.c index ddf70949c..44df5526f 100644 --- a/library/psa_crypto_hash.c +++ b/library/psa_crypto_hash.c @@ -73,6 +73,14 @@ psa_status_t mbedtls_psa_hash_abort( case PSA_ALG_SHA_512: mbedtls_sha512_free(&operation->ctx.sha512); break; +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_3) + case PSA_ALG_SHA3_224: + case PSA_ALG_SHA3_256: + case PSA_ALG_SHA3_384: + case PSA_ALG_SHA3_512: + mbedtls_sha3_free(&operation->ctx.sha3); + break; #endif default: return PSA_ERROR_BAD_STATE; @@ -134,6 +142,24 @@ psa_status_t mbedtls_psa_hash_setup( mbedtls_sha512_init(&operation->ctx.sha512); ret = mbedtls_sha512_starts(&operation->ctx.sha512, 0); break; +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_3) + case PSA_ALG_SHA3_224: + mbedtls_sha3_init(&operation->ctx.sha3); + ret = mbedtls_sha3_starts(&operation->ctx.sha3, MBEDTLS_SHA3_224); + break; + case PSA_ALG_SHA3_256: + mbedtls_sha3_init(&operation->ctx.sha3); + ret = mbedtls_sha3_starts(&operation->ctx.sha3, MBEDTLS_SHA3_256); + break; + case PSA_ALG_SHA3_384: + mbedtls_sha3_init(&operation->ctx.sha3); + ret = mbedtls_sha3_starts(&operation->ctx.sha3, MBEDTLS_SHA3_384); + break; + case PSA_ALG_SHA3_512: + mbedtls_sha3_init(&operation->ctx.sha3); + ret = mbedtls_sha3_starts(&operation->ctx.sha3, MBEDTLS_SHA3_512); + break; #endif default: return PSA_ALG_IS_HASH(alg) ? 
@@ -196,6 +222,15 @@ psa_status_t mbedtls_psa_hash_clone( mbedtls_sha512_clone(&target_operation->ctx.sha512, &source_operation->ctx.sha512); break; +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_3) + case PSA_ALG_SHA3_224: + case PSA_ALG_SHA3_256: + case PSA_ALG_SHA3_384: + case PSA_ALG_SHA3_512: + mbedtls_sha3_clone(&target_operation->ctx.sha3, + &source_operation->ctx.sha3); + break; #endif default: (void) source_operation; @@ -256,6 +291,15 @@ psa_status_t mbedtls_psa_hash_update( ret = mbedtls_sha512_update(&operation->ctx.sha512, input, input_length); break; +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_3) + case PSA_ALG_SHA3_224: + case PSA_ALG_SHA3_256: + case PSA_ALG_SHA3_384: + case PSA_ALG_SHA3_512: + ret = mbedtls_sha3_update(&operation->ctx.sha3, + input, input_length); + break; #endif default: (void) input; @@ -326,6 +370,14 @@ psa_status_t mbedtls_psa_hash_finish( case PSA_ALG_SHA_512: ret = mbedtls_sha512_finish(&operation->ctx.sha512, hash); break; +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_3) + case PSA_ALG_SHA3_224: + case PSA_ALG_SHA3_256: + case PSA_ALG_SHA3_384: + case PSA_ALG_SHA3_512: + ret = mbedtls_sha3_finish(&operation->ctx.sha3, hash, hash_size); + break; #endif default: (void) hash; From e43076700e877523207204e2918563a9311a47df Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Sun, 25 Jun 2023 23:27:53 +0100 Subject: [PATCH 003/222] Add PSA SHA-3 tests Signed-off-by: Dave Rodgman --- tests/suites/test_suite_psa_crypto_hash.data | 64 +++++++++++++++++++ .../test_suite_psa_crypto_metadata.data | 16 +++++ 2 files changed, 80 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto_hash.data b/tests/suites/test_suite_psa_crypto_hash.data index 9f5133988..90af79668 100644 --- a/tests/suites/test_suite_psa_crypto_hash.data +++ b/tests/suites/test_suite_psa_crypto_hash.data 
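Review bot: The SHA-3 branch added to `mbedtls_psa_hash_finish` passes the caller's buffer capacity (`hash_size`) to `mbedtls_sha3_finish()` as the output length, while the SHA-512 branch just above it passes only `hash`. How many bytes are written therefore depends on how `mbedtls_sha3_finish()` treats a length larger than the digest, which this patch does not show. Passing the exact digest length for the operation's algorithm (for instance via `PSA_HASH_LENGTH()`) would make the bound explicit at the call site. Alternatively, add a comment such as `/* mbedtls_sha3_finish() writes only the variant's digest length; hash_size is an upper bound */` if that is the contract. The function body starts and ends outside the hunk, so any earlier buffer-size check is not visible here.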
@@ -158,6 +158,70 @@ PSA hash finish: SHA-512 Test Vector NIST CAVS #8 depends_on:PSA_WANT_ALG_SHA_512 hash_finish:PSA_ALG_SHA_512:"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":"8e4bc6f8b8c60fe4d68c61d9b159c8693c3151c46749af58da228442d927f23359bd6ccd6c2ec8fa3f00a86cecbfa728e1ad60b821ed22fcd309ba91a4138bc9" +PSA hash finish: SHA3-224 Test Vector NIST "" +depends_on:PSA_WANT_ALG_SHA_3 +hash_finish:PSA_ALG_SHA3_224:"":"6b4e03423667dbb73b6e15454f0eb1abd4597f9a1b078e3f5b5a6bc7" + +PSA hash finish: SHA3-256 Test Vector NIST "" +depends_on:PSA_WANT_ALG_SHA_3 +hash_finish:PSA_ALG_SHA3_256:"616263":"3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532" + +PSA hash finish: SHA3-384 Test Vector NIST "" +depends_on:PSA_WANT_ALG_SHA_3 +hash_finish:PSA_ALG_SHA3_384:"":"0c63a75b845e4f7d01107d852e4c2485c51a50aaaa94fc61995e71bbee983a2ac3713831264adb47fb6bd1e058d5f004" + +PSA hash finish: SHA3-512 Test Vector NIST "" +depends_on:PSA_WANT_ALG_SHA_3 +hash_finish:PSA_ALG_SHA3_512:"":"a69f73cca23a9ac5c8b567dc185a756e97c982164fe25859e0d1dcc1475c80a615b2123af1f5f94c11e3e9402c3ac558f500199d95b6d3e301758586281dcd26" + +PSA hash finish: SHA3-224 Test Vector NIST "abc" +depends_on:PSA_WANT_ALG_SHA_3 +hash_finish:PSA_ALG_SHA3_224:"616263":"e642824c3f8cf24ad09234ee7d3c766fc9a3a5168d0c94ad73b46fdf" + +PSA hash finish: SHA3-256 Test Vector NIST "abc" +depends_on:PSA_WANT_ALG_SHA_3 +hash_finish:PSA_ALG_SHA3_256:"616263":"3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532" + +PSA hash finish: SHA3-384 Test Vector NIST "abc" +depends_on:PSA_WANT_ALG_SHA_3 +hash_finish:PSA_ALG_SHA3_384:"616263":"ec01498288516fc926459f58e2c6ad8df9b473cb0fc08c2596da7cf0e49be4b298d88cea927ac7f539f1edf228376d25" + +PSA hash finish: SHA3-512 Test Vector NIST "abc" +depends_on:PSA_WANT_ALG_SHA_3 +hash_finish:PSA_ALG_SHA3_512:"616263":"b751850b1a57168a5693cd924b6b096e08f621827444f70d884f5d0240d2712e10e116e9192af3c91a7ec57647e3934057340b4cf408d5a56592f8274eec53f0" + +PSA hash finish: 
SHA3-224 Test Vector NIST 448 bits: "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" +depends_on:PSA_WANT_ALG_SHA_3 +hash_finish:PSA_ALG_SHA3_224:"6162636462636465636465666465666765666768666768696768696a68696a6b696a6b6c6a6b6c6d6b6c6d6e6c6d6e6f6d6e6f706e6f7071":"8a24108b154ada21c9fd5574494479ba5c7e7ab76ef264ead0fcce33" + +PSA hash finish: SHA3-256 Test Vector NIST 448 bits: "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" +depends_on:PSA_WANT_ALG_SHA_3 +hash_finish:PSA_ALG_SHA3_256:"6162636462636465636465666465666765666768666768696768696a68696a6b696a6b6c6a6b6c6d6b6c6d6e6c6d6e6f6d6e6f706e6f7071":"41c0dba2a9d6240849100376a8235e2c82e1b9998a999e21db32dd97496d3376" + +PSA hash finish: SHA3-384 Test Vector NIST 448 bits: "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" +depends_on:PSA_WANT_ALG_SHA_3 +hash_finish:PSA_ALG_SHA3_384:"6162636462636465636465666465666765666768666768696768696a68696a6b696a6b6c6a6b6c6d6b6c6d6e6c6d6e6f6d6e6f706e6f7071":"991c665755eb3a4b6bbdfb75c78a492e8c56a22c5c4d7e429bfdbc32b9d4ad5aa04a1f076e62fea19eef51acd0657c22" + +PSA hash finish: SHA3-512 Test Vector NIST 448 bits: "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" +depends_on:PSA_WANT_ALG_SHA_3 +hash_finish:PSA_ALG_SHA3_512:"6162636462636465636465666465666765666768666768696768696a68696a6b696a6b6c6a6b6c6d6b6c6d6e6c6d6e6f6d6e6f706e6f7071":"04a371e84ecfb5b8b77cb48610fca8182dd457ce6f326a0fd3d7ec2f1e91636dee691fbe0c985302ba1b0d8dc78c086346b533b49c030d99a27daf1139d6e75e" + +PSA hash finish: SHA3-224 Test Vector NIST 896 bits: "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" +depends_on:PSA_WANT_ALG_SHA_3 
+hash_finish:PSA_ALG_SHA3_224:"61626364656667686263646566676869636465666768696a6465666768696a6b65666768696a6b6c666768696a6b6c6d6768696a6b6c6d6e68696a6b6c6d6e6f696a6b6c6d6e6f706a6b6c6d6e6f70716b6c6d6e6f7071726c6d6e6f707172736d6e6f70717273746e6f707172737475":"543e6868e1666c1a643630df77367ae5a62a85070a51c14cbf665cbc" + +PSA hash finish: SHA3-256 Test Vector NIST 896 bits: "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" +depends_on:PSA_WANT_ALG_SHA_3 +hash_finish:PSA_ALG_SHA3_256:"61626364656667686263646566676869636465666768696a6465666768696a6b65666768696a6b6c666768696a6b6c6d6768696a6b6c6d6e68696a6b6c6d6e6f696a6b6c6d6e6f706a6b6c6d6e6f70716b6c6d6e6f7071726c6d6e6f707172736d6e6f70717273746e6f707172737475":"916f6061fe879741ca6469b43971dfdb28b1a32dc36cb3254e812be27aad1d18" + +PSA hash finish: SHA3-384 Test Vector NIST 896 bits: "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" +depends_on:PSA_WANT_ALG_SHA_3 +hash_finish:PSA_ALG_SHA3_384:"61626364656667686263646566676869636465666768696a6465666768696a6b65666768696a6b6c666768696a6b6c6d6768696a6b6c6d6e68696a6b6c6d6e6f696a6b6c6d6e6f706a6b6c6d6e6f70716b6c6d6e6f7071726c6d6e6f707172736d6e6f70717273746e6f707172737475":"79407d3b5916b59c3e30b09822974791c313fb9ecc849e406f23592d04f625dc8c709b98b43b3852b337216179aa7fc7" + +PSA hash finish: SHA3-512 Test Vector NIST 896 bits: "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" +depends_on:PSA_WANT_ALG_SHA_3 +hash_finish:PSA_ALG_SHA3_512:"61626364656667686263646566676869636465666768696a6465666768696a6b65666768696a6b6c666768696a6b6c6d6768696a6b6c6d6e68696a6b6c6d6e6f696a6b6c6d6e6f706a6b6c6d6e6f70716b6c6d6e6f7071726c6d6e6f707172736d6e6f70717273746e6f707172737475":"afebb2ef542e6579c50cad06d2e578f9f8dd6881d7dc824d26360feebf18a4fa73e3261122948efcfd492e74e82e2189ed0fb440d187f382270cb455f21dd185" + PSA 
hash finish: MD5 Test vector RFC1321 #1 depends_on:PSA_WANT_ALG_MD5 hash_finish:PSA_ALG_MD5:"":"d41d8cd98f00b204e9800998ecf8427e" diff --git a/tests/suites/test_suite_psa_crypto_metadata.data b/tests/suites/test_suite_psa_crypto_metadata.data index a41d83ad8..2f3fe3270 100644 --- a/tests/suites/test_suite_psa_crypto_metadata.data +++ b/tests/suites/test_suite_psa_crypto_metadata.data @@ -26,6 +26,22 @@ Hash: SHA-2 SHA-512 depends_on:PSA_WANT_ALG_SHA_512 hash_algorithm:PSA_ALG_SHA_512:64 +Hash: SHA-3 SHA3-224 +depends_on:PSA_WANT_ALG_SHA_3 +hash_algorithm:PSA_ALG_SHA3_224:28 + +Hash: SHA-3 SHA3-256 +depends_on:PSA_WANT_ALG_SHA_3 +hash_algorithm:PSA_ALG_SHA3_256:32 + +Hash: SHA-3 SHA3-384 +depends_on:PSA_WANT_ALG_SHA_3 +hash_algorithm:PSA_ALG_SHA3_384:48 + +Hash: SHA-3 SHA3-512 +depends_on:PSA_WANT_ALG_SHA_3 +hash_algorithm:PSA_ALG_SHA3_512:64 + MAC: HMAC-MD5 depends_on:PSA_WANT_ALG_HMAC:PSA_WANT_ALG_MD5 hmac_algorithm:PSA_ALG_HMAC( PSA_ALG_MD5 ):16:64 From f66cd61daa4bc37dadb519108663780457867adc Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 26 Jun 2023 11:02:12 +0100 Subject: [PATCH 004/222] Use more standard PSA macro names Signed-off-by: Dave Rodgman --- include/mbedtls/config_psa.h | 34 +++++++++++--- include/psa/crypto_builtin_primitives.h | 10 ++++- include/psa/crypto_config.h | 5 ++- library/psa_crypto_hash.c | 60 ++++++++++++++++++++++--- 4 files changed, 96 insertions(+), 13 deletions(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index b1d386236..4a05318a7 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -114,7 +114,10 @@ extern "C" { #endif #if defined(MBEDTLS_SHA3_C) -#define PSA_WANT_ALG_SHA_3 1 +#define PSA_WANT_ALG_SHA3_224 1 +#define PSA_WANT_ALG_SHA3_256 1 +#define PSA_WANT_ALG_SHA3_384 1 +#define PSA_WANT_ALG_SHA3_512 1 #endif 
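Review bot: The case titled `PSA hash finish: SHA3-256 Test Vector NIST ""` in test_suite_psa_crypto_hash.data uses the input `"616263"` and the same expected digest as the `SHA3-256 Test Vector NIST "abc"` case a few entries later. The empty-message path for SHA3-256 is therefore never exercised, and the case silently duplicates another one. The SHA3-224, SHA3-384 and SHA3-512 empty-message cases next to it do use `""`. The input here should be `""` and the expected value the published NIST SHA3-256 digest of the empty message. The same entry appears unchanged as context in the later "Fix test dependencies" patches, so it is not corrected further down this series as shown.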
@@ -274,8 +277,23 @@ extern "C" { #define MBEDTLS_SHA512_C #endif -#if defined(PSA_WANT_ALG_SHA_3) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_3) -#define MBEDTLS_PSA_BUILTIN_ALG_SHA_3 1 +#if defined(PSA_WANT_ALG_SHA3_224) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_3_224) +#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_224 1 +#define MBEDTLS_SHA3_C +#endif + +#if defined(PSA_WANT_ALG_SHA3_256) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_3_256) +#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_256 1 +#define MBEDTLS_SHA3_C +#endif + +#if defined(PSA_WANT_ALG_SHA3_384) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_3_384) +#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_384 1 +#define MBEDTLS_SHA3_C +#endif + +#if defined(PSA_WANT_ALG_SHA3_512) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_3_512) +#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_512 1 #define MBEDTLS_SHA3_C #endif @@ -875,8 +893,14 @@ extern "C" { #endif #if defined(MBEDTLS_SHA3_C) -#define MBEDTLS_PSA_BUILTIN_ALG_SHA_3 1 -#define PSA_WANT_ALG_SHA_3 1 +#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_224 1 +#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_256 1 +#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_384 1 +#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_512 1 +#define PSA_WANT_ALG_SHA3_224 1 +#define PSA_WANT_ALG_SHA3_256 1 +#define PSA_WANT_ALG_SHA3_384 1 +#define PSA_WANT_ALG_SHA3_512 1 #endif #if defined(MBEDTLS_AES_C) diff --git a/include/psa/crypto_builtin_primitives.h b/include/psa/crypto_builtin_primitives.h index ea7da9a1d..b6bd484b9 100644 --- a/include/psa/crypto_builtin_primitives.h +++ b/include/psa/crypto_builtin_primitives.h @@ -54,7 +54,10 @@ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_3) + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512) #define MBEDTLS_PSA_BUILTIN_HASH #endif 
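Review bot: In the `@@ -274,8 +277,23 @@` hunk of config_psa.h the accelerator guards are spelled `MBEDTLS_PSA_ACCEL_ALG_SHA_3_224` (and likewise `_256`, `_384`, `_512`), with an underscore between `SHA` and `3` that the `PSA_WANT_ALG_SHA3_*` and `MBEDTLS_PSA_BUILTIN_ALG_SHA3_*` names on the same lines do not have. If drivers declare acceleration with the same suffix as the `PSA_WANT_` symbol, which is presumably what the "more standard" naming in this commit is aiming for, these `!defined(...)` tests can never be false. The built-in SHA-3 code and `MBEDTLS_SHA3_C` would then be enabled even when an accelerator is configured. The guards should read `!defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_224)` and so on for the other three sizes.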
@@ -79,7 +82,10 @@ typedef struct { defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384) mbedtls_sha512_context sha512; #endif -#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_3) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512) mbedtls_sha3_context sha3; #endif } MBEDTLS_PRIVATE(ctx); diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index e79f21775..cc15fe79f 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h @@ -86,7 +86,10 @@ #define PSA_WANT_ALG_SHA_256 1 #define PSA_WANT_ALG_SHA_384 1 #define PSA_WANT_ALG_SHA_512 1 -#define PSA_WANT_ALG_SHA_3 1 +#define PSA_WANT_ALG_SHA3_224 1 +#define PSA_WANT_ALG_SHA3_256 1 +#define PSA_WANT_ALG_SHA3_384 1 +#define PSA_WANT_ALG_SHA3_512 1 #define PSA_WANT_ALG_STREAM_CIPHER 1 #define PSA_WANT_ALG_TLS12_PRF 1 #define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 diff --git a/library/psa_crypto_hash.c b/library/psa_crypto_hash.c index 44df5526f..ed933c00b 100644 --- a/library/psa_crypto_hash.c +++ b/library/psa_crypto_hash.c @@ -74,11 +74,22 @@ psa_status_t mbedtls_psa_hash_abort( mbedtls_sha512_free(&operation->ctx.sha512); break; #endif -#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_3) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) case PSA_ALG_SHA3_224: +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) case PSA_ALG_SHA3_256: +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) case PSA_ALG_SHA3_384: +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512) case PSA_ALG_SHA3_512: +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512) mbedtls_sha3_free(&operation->ctx.sha3); break; #endif 
@@ -143,19 +154,25 @@ psa_status_t mbedtls_psa_hash_setup( ret = mbedtls_sha512_starts(&operation->ctx.sha512, 0); break; #endif -#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_3) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) case PSA_ALG_SHA3_224: mbedtls_sha3_init(&operation->ctx.sha3); ret = mbedtls_sha3_starts(&operation->ctx.sha3, MBEDTLS_SHA3_224); break; +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) case PSA_ALG_SHA3_256: mbedtls_sha3_init(&operation->ctx.sha3); ret = mbedtls_sha3_starts(&operation->ctx.sha3, MBEDTLS_SHA3_256); break; +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) case PSA_ALG_SHA3_384: mbedtls_sha3_init(&operation->ctx.sha3); ret = mbedtls_sha3_starts(&operation->ctx.sha3, MBEDTLS_SHA3_384); break; +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512) case PSA_ALG_SHA3_512: mbedtls_sha3_init(&operation->ctx.sha3); ret = mbedtls_sha3_starts(&operation->ctx.sha3, MBEDTLS_SHA3_512); @@ -223,11 +240,22 @@ psa_status_t mbedtls_psa_hash_clone( &source_operation->ctx.sha512); break; #endif -#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_3) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) case PSA_ALG_SHA3_224: +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) case PSA_ALG_SHA3_256: +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) case PSA_ALG_SHA3_384: +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512) case PSA_ALG_SHA3_512: +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512) mbedtls_sha3_clone(&target_operation->ctx.sha3, &source_operation->ctx.sha3); break; 
@@ -292,11 +320,22 @@ psa_status_t mbedtls_psa_hash_update( input, input_length); break; #endif -#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_3) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) case PSA_ALG_SHA3_224: +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) case PSA_ALG_SHA3_256: +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) case PSA_ALG_SHA3_384: +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512) case PSA_ALG_SHA3_512: +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512) ret = mbedtls_sha3_update(&operation->ctx.sha3, input, input_length); break; @@ -371,11 +410,22 @@ psa_status_t mbedtls_psa_hash_finish( ret = mbedtls_sha512_finish(&operation->ctx.sha512, hash); break; #endif -#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_3) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) case PSA_ALG_SHA3_224: +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) case PSA_ALG_SHA3_256: +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) case PSA_ALG_SHA3_384: +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512) case PSA_ALG_SHA3_512: +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512) ret = mbedtls_sha3_finish(&operation->ctx.sha3, hash, hash_size); break; #endif From 09822a35f55dbc15729b17dcf0ae5f853a48182b Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 26 Jun 2023 11:11:23 +0100 Subject: [PATCH 005/222] code style Signed-off-by: Dave Rodgman --- include/psa/crypto_builtin_primitives.h | 6 +++--- include/psa/crypto_config.h | 6 +++--- library/psa_crypto_hash.c | 22 +++++++++++----------- 3 files changed, 17 insertions(+), 17 deletions(-) 
diff --git a/include/psa/crypto_builtin_primitives.h b/include/psa/crypto_builtin_primitives.h index b6bd484b9..00363e439 100644 --- a/include/psa/crypto_builtin_primitives.h +++ b/include/psa/crypto_builtin_primitives.h @@ -83,9 +83,9 @@ typedef struct { mbedtls_sha512_context sha512; #endif #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512) + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512) mbedtls_sha3_context sha3; #endif } MBEDTLS_PRIVATE(ctx); diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index cc15fe79f..4e7aba5d0 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h @@ -86,10 +86,10 @@ #define PSA_WANT_ALG_SHA_256 1 #define PSA_WANT_ALG_SHA_384 1 #define PSA_WANT_ALG_SHA_512 1 -#define PSA_WANT_ALG_SHA3_224 1 +#define PSA_WANT_ALG_SHA3_224 1 #define PSA_WANT_ALG_SHA3_256 1 -#define PSA_WANT_ALG_SHA3_384 1 -#define PSA_WANT_ALG_SHA3_512 1 +#define PSA_WANT_ALG_SHA3_384 1 +#define PSA_WANT_ALG_SHA3_512 1 #define PSA_WANT_ALG_STREAM_CIPHER 1 #define PSA_WANT_ALG_TLS12_PRF 1 #define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 diff --git a/library/psa_crypto_hash.c b/library/psa_crypto_hash.c index ed933c00b..dad182616 100644 --- a/library/psa_crypto_hash.c +++ b/library/psa_crypto_hash.c @@ -87,9 +87,9 @@ psa_status_t mbedtls_psa_hash_abort( case PSA_ALG_SHA3_512: #endif #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512) + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512) mbedtls_sha3_free(&operation->ctx.sha3); break; #endif 
@@ -253,9 +253,9 @@ psa_status_t mbedtls_psa_hash_clone( case PSA_ALG_SHA3_512: #endif #if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512) + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512) mbedtls_sha3_clone(&target_operation->ctx.sha3, &source_operation->ctx.sha3); break; @@ -336,9 +336,9 @@ psa_status_t mbedtls_psa_hash_update( defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512) - ret = mbedtls_sha3_update(&operation->ctx.sha3, - input, input_length); - break; + ret = mbedtls_sha3_update(&operation->ctx.sha3, + input, input_length); + break; #endif default: (void) input; @@ -426,8 +426,8 @@ psa_status_t mbedtls_psa_hash_finish( defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512) - ret = mbedtls_sha3_finish(&operation->ctx.sha3, hash, hash_size); - break; + ret = mbedtls_sha3_finish(&operation->ctx.sha3, hash, hash_size); + break; #endif default: (void) hash; From 12cd44b9b3ef09b1a3bf65771d222ec6c9f79fa9 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 26 Jun 2023 11:27:37 +0100 Subject: [PATCH 006/222] Fix test dependencies Signed-off-by: Dave Rodgman --- tests/suites/test_suite_psa_crypto_hash.data | 32 +++++++++---------- .../test_suite_psa_crypto_metadata.data | 8 ++--- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_hash.data b/tests/suites/test_suite_psa_crypto_hash.data index 90af79668..75689c962 100644 --- a/tests/suites/test_suite_psa_crypto_hash.data +++ b/tests/suites/test_suite_psa_crypto_hash.data 
@@ -159,67 +159,67 @@ depends_on:PSA_WANT_ALG_SHA_512 hash_finish:PSA_ALG_SHA_512:"990d1ae71a62d7bda9bfdaa1762a68d296eee72a4cd946f287a898fbabc002ea941fd8d4d991030b4d27a637cce501a834bb95eab1b7889a3e784c7968e67cbf552006b206b68f76d9191327524fcc251aeb56af483d10b4e0c6c5e599ee8c0fe4faeca8293844a8547c6a9a90d093f2526873a19ad4a5e776794c68c742fb834793d2dfcb7fea46c63af4b70fd11cb6e41834e72ee40edb067b292a794990c288d5007e73f349fb383af6a756b8301ad6e5e0aa8cd614399bb3a452376b1575afa6bdaeaafc286cb064bb91edef97c632b6c1113d107fa93a0905098a105043c2f05397f702514439a08a9e5ddc196100721d45c8fc17d2ed659376f8a00bd5cb9a0860e26d8a29d8d6aaf52de97e9346033d6db501a35dbbaf97c20b830cd2d18c2532f3a59cc497ee64c0e57d8d060e5069b28d86edf1adcf59144b221ce3ddaef134b3124fbc7dd000240eff0f5f5f41e83cd7f5bb37c9ae21953fe302b0f6e8b68fa91c6ab99265c64b2fd9cd4942be04321bb5d6d71932376c6f2f88e02422ba6a5e2cb765df93fd5dd0728c6abdaf03bce22e0678a544e2c3636f741b6f4447ee58a8fc656b43ef817932176adbfc2e04b2c812c273cd6cbfa4098f0be036a34221fa02643f5ee2e0b38135f2a18ecd2f16ebc45f8eb31b8ab967a1567ee016904188910861ca1fa205c7adaa194b286893ffe2f4fbe0384c2aef72a4522aeafd3ebc71f9db71eeeef86c48394a1c86d5b36c352cc33a0a2c800bc99e62fd65b3a2fd69e0b53996ec13d8ce483ce9319efd9a85acefabdb5342226febb83fd1daf4b24265f50c61c6de74077ef89b6fecf9f29a1f871af1e9f89b2d345cda7499bd45c42fa5d195a1e1a6ba84851889e730da3b2b916e96152ae0c92154b49719841db7e7cc707ba8a5d7b101eb4ac7b629bb327817910fff61580b59aab78182d1a2e33473d05b00b170b29e331870826cfe45af206aa7d0246bbd8566ca7cfb2d3c10bfa1db7dd48dd786036469ce7282093d78b5e1a5b0fc81a54c8ed4ceac1e5305305e78284ac276f5d7862727aff246e17addde50c670028d572cbfc0be2e4f8b2eb28fa68ad7b4c6c2a239c460441bfb5ea049f23b08563b4e47729a59e5986a61a6093dbd54f8c36ebe87edae01f251cb060ad1364ce677d7e8d5a4a4ca966a7241cc360bc2acb280e5f9e9c1b032ad6a180a35e0c5180b9d16d026c865b252098cc1d99ba7375ca31c7702c0d943d5e3dd2f6861fa55bd46d94b67ed3e52eccd8dd06d968e01897d6de97ed3058d91dd":"8e4bc6f8b8c60fe4d68c61d9b159c8693c3151c46749af58da228442d927f23359bd6ccd6c
2ec8fa3f00a86cecbfa728e1ad60b821ed22fcd309ba91a4138bc9" PSA hash finish: SHA3-224 Test Vector NIST "" -depends_on:PSA_WANT_ALG_SHA_3 +depends_on:PSA_WANT_ALG_SHA_3_224 hash_finish:PSA_ALG_SHA3_224:"":"6b4e03423667dbb73b6e15454f0eb1abd4597f9a1b078e3f5b5a6bc7" PSA hash finish: SHA3-256 Test Vector NIST "" -depends_on:PSA_WANT_ALG_SHA_3 +depends_on:PSA_WANT_ALG_SHA_3_256 hash_finish:PSA_ALG_SHA3_256:"616263":"3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532" PSA hash finish: SHA3-384 Test Vector NIST "" -depends_on:PSA_WANT_ALG_SHA_3 +depends_on:PSA_WANT_ALG_SHA_3_384 hash_finish:PSA_ALG_SHA3_384:"":"0c63a75b845e4f7d01107d852e4c2485c51a50aaaa94fc61995e71bbee983a2ac3713831264adb47fb6bd1e058d5f004" PSA hash finish: SHA3-512 Test Vector NIST "" -depends_on:PSA_WANT_ALG_SHA_3 +depends_on:PSA_WANT_ALG_SHA_3_512 hash_finish:PSA_ALG_SHA3_512:"":"a69f73cca23a9ac5c8b567dc185a756e97c982164fe25859e0d1dcc1475c80a615b2123af1f5f94c11e3e9402c3ac558f500199d95b6d3e301758586281dcd26" PSA hash finish: SHA3-224 Test Vector NIST "abc" -depends_on:PSA_WANT_ALG_SHA_3 +depends_on:PSA_WANT_ALG_SHA_3_224 hash_finish:PSA_ALG_SHA3_224:"616263":"e642824c3f8cf24ad09234ee7d3c766fc9a3a5168d0c94ad73b46fdf" PSA hash finish: SHA3-256 Test Vector NIST "abc" -depends_on:PSA_WANT_ALG_SHA_3 +depends_on:PSA_WANT_ALG_SHA_3_256 hash_finish:PSA_ALG_SHA3_256:"616263":"3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532" PSA hash finish: SHA3-384 Test Vector NIST "abc" -depends_on:PSA_WANT_ALG_SHA_3 +depends_on:PSA_WANT_ALG_SHA_3_384 hash_finish:PSA_ALG_SHA3_384:"616263":"ec01498288516fc926459f58e2c6ad8df9b473cb0fc08c2596da7cf0e49be4b298d88cea927ac7f539f1edf228376d25" PSA hash finish: SHA3-512 Test Vector NIST "abc" -depends_on:PSA_WANT_ALG_SHA_3 +depends_on:PSA_WANT_ALG_SHA_3_512 hash_finish:PSA_ALG_SHA3_512:"616263":"b751850b1a57168a5693cd924b6b096e08f621827444f70d884f5d0240d2712e10e116e9192af3c91a7ec57647e3934057340b4cf408d5a56592f8274eec53f0" PSA hash finish: SHA3-224 Test Vector 
NIST 448 bits: "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" -depends_on:PSA_WANT_ALG_SHA_3 +depends_on:PSA_WANT_ALG_SHA_3_224 hash_finish:PSA_ALG_SHA3_224:"6162636462636465636465666465666765666768666768696768696a68696a6b696a6b6c6a6b6c6d6b6c6d6e6c6d6e6f6d6e6f706e6f7071":"8a24108b154ada21c9fd5574494479ba5c7e7ab76ef264ead0fcce33" PSA hash finish: SHA3-256 Test Vector NIST 448 bits: "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" -depends_on:PSA_WANT_ALG_SHA_3 +depends_on:PSA_WANT_ALG_SHA_3_256 hash_finish:PSA_ALG_SHA3_256:"6162636462636465636465666465666765666768666768696768696a68696a6b696a6b6c6a6b6c6d6b6c6d6e6c6d6e6f6d6e6f706e6f7071":"41c0dba2a9d6240849100376a8235e2c82e1b9998a999e21db32dd97496d3376" PSA hash finish: SHA3-384 Test Vector NIST 448 bits: "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" -depends_on:PSA_WANT_ALG_SHA_3 +depends_on:PSA_WANT_ALG_SHA_3_384 hash_finish:PSA_ALG_SHA3_384:"6162636462636465636465666465666765666768666768696768696a68696a6b696a6b6c6a6b6c6d6b6c6d6e6c6d6e6f6d6e6f706e6f7071":"991c665755eb3a4b6bbdfb75c78a492e8c56a22c5c4d7e429bfdbc32b9d4ad5aa04a1f076e62fea19eef51acd0657c22" PSA hash finish: SHA3-512 Test Vector NIST 448 bits: "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" -depends_on:PSA_WANT_ALG_SHA_3 +depends_on:PSA_WANT_ALG_SHA_3_512 hash_finish:PSA_ALG_SHA3_512:"6162636462636465636465666465666765666768666768696768696a68696a6b696a6b6c6a6b6c6d6b6c6d6e6c6d6e6f6d6e6f706e6f7071":"04a371e84ecfb5b8b77cb48610fca8182dd457ce6f326a0fd3d7ec2f1e91636dee691fbe0c985302ba1b0d8dc78c086346b533b49c030d99a27daf1139d6e75e" PSA hash finish: SHA3-224 Test Vector NIST 896 bits: "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" -depends_on:PSA_WANT_ALG_SHA_3 +depends_on:PSA_WANT_ALG_SHA_3_224 
hash_finish:PSA_ALG_SHA3_224:"61626364656667686263646566676869636465666768696a6465666768696a6b65666768696a6b6c666768696a6b6c6d6768696a6b6c6d6e68696a6b6c6d6e6f696a6b6c6d6e6f706a6b6c6d6e6f70716b6c6d6e6f7071726c6d6e6f707172736d6e6f70717273746e6f707172737475":"543e6868e1666c1a643630df77367ae5a62a85070a51c14cbf665cbc" PSA hash finish: SHA3-256 Test Vector NIST 896 bits: "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" -depends_on:PSA_WANT_ALG_SHA_3 +depends_on:PSA_WANT_ALG_SHA_3_256 hash_finish:PSA_ALG_SHA3_256:"61626364656667686263646566676869636465666768696a6465666768696a6b65666768696a6b6c666768696a6b6c6d6768696a6b6c6d6e68696a6b6c6d6e6f696a6b6c6d6e6f706a6b6c6d6e6f70716b6c6d6e6f7071726c6d6e6f707172736d6e6f70717273746e6f707172737475":"916f6061fe879741ca6469b43971dfdb28b1a32dc36cb3254e812be27aad1d18" PSA hash finish: SHA3-384 Test Vector NIST 896 bits: "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" -depends_on:PSA_WANT_ALG_SHA_3 +depends_on:PSA_WANT_ALG_SHA_3_384 hash_finish:PSA_ALG_SHA3_384:"61626364656667686263646566676869636465666768696a6465666768696a6b65666768696a6b6c666768696a6b6c6d6768696a6b6c6d6e68696a6b6c6d6e6f696a6b6c6d6e6f706a6b6c6d6e6f70716b6c6d6e6f7071726c6d6e6f707172736d6e6f70717273746e6f707172737475":"79407d3b5916b59c3e30b09822974791c313fb9ecc849e406f23592d04f625dc8c709b98b43b3852b337216179aa7fc7" PSA hash finish: SHA3-512 Test Vector NIST 896 bits: "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" -depends_on:PSA_WANT_ALG_SHA_3 +depends_on:PSA_WANT_ALG_SHA_3_512 
hash_finish:PSA_ALG_SHA3_512:"61626364656667686263646566676869636465666768696a6465666768696a6b65666768696a6b6c666768696a6b6c6d6768696a6b6c6d6e68696a6b6c6d6e6f696a6b6c6d6e6f706a6b6c6d6e6f70716b6c6d6e6f7071726c6d6e6f707172736d6e6f70717273746e6f707172737475":"afebb2ef542e6579c50cad06d2e578f9f8dd6881d7dc824d26360feebf18a4fa73e3261122948efcfd492e74e82e2189ed0fb440d187f382270cb455f21dd185" PSA hash finish: MD5 Test vector RFC1321 #1 diff --git a/tests/suites/test_suite_psa_crypto_metadata.data b/tests/suites/test_suite_psa_crypto_metadata.data index 2f3fe3270..b461dc48e 100644 --- a/tests/suites/test_suite_psa_crypto_metadata.data +++ b/tests/suites/test_suite_psa_crypto_metadata.data @@ -27,19 +27,19 @@ depends_on:PSA_WANT_ALG_SHA_512 hash_algorithm:PSA_ALG_SHA_512:64 Hash: SHA-3 SHA3-224 -depends_on:PSA_WANT_ALG_SHA_3 +depends_on:PSA_WANT_ALG_SHA_3_224 hash_algorithm:PSA_ALG_SHA3_224:28 Hash: SHA-3 SHA3-256 -depends_on:PSA_WANT_ALG_SHA_3 +depends_on:PSA_WANT_ALG_SHA_3_256 hash_algorithm:PSA_ALG_SHA3_256:32 Hash: SHA-3 SHA3-384 -depends_on:PSA_WANT_ALG_SHA_3 +depends_on:PSA_WANT_ALG_SHA_3_384 hash_algorithm:PSA_ALG_SHA3_384:48 Hash: SHA-3 SHA3-512 -depends_on:PSA_WANT_ALG_SHA_3 +depends_on:PSA_WANT_ALG_SHA_3_512 hash_algorithm:PSA_ALG_SHA3_512:64 MAC: HMAC-MD5 From 16985d5f9813f3ffdfa48425becf3b42255f1a4b Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 26 Jun 2023 11:28:33 +0100 Subject: [PATCH 007/222] Fix test dependencies Signed-off-by: Dave Rodgman --- tests/suites/test_suite_psa_crypto_hash.data | 32 +++++++++---------- .../test_suite_psa_crypto_metadata.data | 8 ++--- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_hash.data b/tests/suites/test_suite_psa_crypto_hash.data index 75689c962..1133c398d 100644 --- a/tests/suites/test_suite_psa_crypto_hash.data +++ b/tests/suites/test_suite_psa_crypto_hash.data 
@@ -159,67 +159,67 @@ depends_on:PSA_WANT_ALG_SHA_512 hash_finish:PSA_ALG_SHA_512:"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":"8e4bc6f8b8c60fe4d68c61d9b159c8693c3151c46749af58da228442d927f23359bd6ccd6c2ec8fa3f00a86cecbfa728e1ad60b821ed22fcd309ba91a4138bc9" PSA hash finish: SHA3-224 Test Vector NIST "" -depends_on:PSA_WANT_ALG_SHA_3_224 +depends_on:PSA_WANT_ALG_SHA3_224 hash_finish:PSA_ALG_SHA3_224:"":"6b4e03423667dbb73b6e15454f0eb1abd4597f9a1b078e3f5b5a6bc7" PSA hash finish: SHA3-256 Test Vector NIST "" -depends_on:PSA_WANT_ALG_SHA_3_256 +depends_on:PSA_WANT_ALG_SHA3_256 hash_finish:PSA_ALG_SHA3_256:"616263":"3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532" PSA hash finish: SHA3-384 Test Vector NIST "" -depends_on:PSA_WANT_ALG_SHA_3_384 +depends_on:PSA_WANT_ALG_SHA3_384 hash_finish:PSA_ALG_SHA3_384:"":"0c63a75b845e4f7d01107d852e4c2485c51a50aaaa94fc61995e71bbee983a2ac3713831264adb47fb6bd1e058d5f004" PSA hash finish: SHA3-512 Test Vector NIST "" -depends_on:PSA_WANT_ALG_SHA_3_512 +depends_on:PSA_WANT_ALG_SHA3_512 hash_finish:PSA_ALG_SHA3_512:"":"a69f73cca23a9ac5c8b567dc185a756e97c982164fe25859e0d1dcc1475c80a615b2123af1f5f94c11e3e9402c3ac558f500199d95b6d3e301758586281dcd26" PSA hash finish: SHA3-224 Test Vector NIST "abc" -depends_on:PSA_WANT_ALG_SHA_3_224 +depends_on:PSA_WANT_ALG_SHA3_224 hash_finish:PSA_ALG_SHA3_224:"616263":"e642824c3f8cf24ad09234ee7d3c766fc9a3a5168d0c94ad73b46fdf" PSA hash finish: SHA3-256 Test Vector NIST "abc" -depends_on:PSA_WANT_ALG_SHA_3_256 +depends_on:PSA_WANT_ALG_SHA3_256 hash_finish:PSA_ALG_SHA3_256:"616263":"3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532" PSA hash finish: SHA3-384 Test Vector NIST "abc" -depends_on:PSA_WANT_ALG_SHA_3_384 +depends_on:PSA_WANT_ALG_SHA3_384 hash_finish:PSA_ALG_SHA3_384:"616263":"ec01498288516fc926459f58e2c6ad8df9b473cb0fc08c2596da7cf0e49be4b298d88cea927ac7f539f1edf228376d25" PSA hash finish: SHA3-512 Test Vector NIST "abc" -depends_on:PSA_WANT_ALG_SHA_3_512 
+depends_on:PSA_WANT_ALG_SHA3_512 hash_finish:PSA_ALG_SHA3_512:"616263":"b751850b1a57168a5693cd924b6b096e08f621827444f70d884f5d0240d2712e10e116e9192af3c91a7ec57647e3934057340b4cf408d5a56592f8274eec53f0" PSA hash finish: SHA3-224 Test Vector NIST 448 bits: "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" -depends_on:PSA_WANT_ALG_SHA_3_224 +depends_on:PSA_WANT_ALG_SHA3_224 hash_finish:PSA_ALG_SHA3_224:"6162636462636465636465666465666765666768666768696768696a68696a6b696a6b6c6a6b6c6d6b6c6d6e6c6d6e6f6d6e6f706e6f7071":"8a24108b154ada21c9fd5574494479ba5c7e7ab76ef264ead0fcce33" PSA hash finish: SHA3-256 Test Vector NIST 448 bits: "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" -depends_on:PSA_WANT_ALG_SHA_3_256 +depends_on:PSA_WANT_ALG_SHA3_256 hash_finish:PSA_ALG_SHA3_256:"6162636462636465636465666465666765666768666768696768696a68696a6b696a6b6c6a6b6c6d6b6c6d6e6c6d6e6f6d6e6f706e6f7071":"41c0dba2a9d6240849100376a8235e2c82e1b9998a999e21db32dd97496d3376" PSA hash finish: SHA3-384 Test Vector NIST 448 bits: "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" -depends_on:PSA_WANT_ALG_SHA_3_384 +depends_on:PSA_WANT_ALG_SHA3_384 hash_finish:PSA_ALG_SHA3_384:"6162636462636465636465666465666765666768666768696768696a68696a6b696a6b6c6a6b6c6d6b6c6d6e6c6d6e6f6d6e6f706e6f7071":"991c665755eb3a4b6bbdfb75c78a492e8c56a22c5c4d7e429bfdbc32b9d4ad5aa04a1f076e62fea19eef51acd0657c22" PSA hash finish: SHA3-512 Test Vector NIST 448 bits: "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" -depends_on:PSA_WANT_ALG_SHA_3_512 +depends_on:PSA_WANT_ALG_SHA3_512 hash_finish:PSA_ALG_SHA3_512:"6162636462636465636465666465666765666768666768696768696a68696a6b696a6b6c6a6b6c6d6b6c6d6e6c6d6e6f6d6e6f706e6f7071":"04a371e84ecfb5b8b77cb48610fca8182dd457ce6f326a0fd3d7ec2f1e91636dee691fbe0c985302ba1b0d8dc78c086346b533b49c030d99a27daf1139d6e75e" PSA hash finish: SHA3-224 Test Vector NIST 896 bits: 
"abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" -depends_on:PSA_WANT_ALG_SHA_3_224 +depends_on:PSA_WANT_ALG_SHA3_224 hash_finish:PSA_ALG_SHA3_224:"61626364656667686263646566676869636465666768696a6465666768696a6b65666768696a6b6c666768696a6b6c6d6768696a6b6c6d6e68696a6b6c6d6e6f696a6b6c6d6e6f706a6b6c6d6e6f70716b6c6d6e6f7071726c6d6e6f707172736d6e6f70717273746e6f707172737475":"543e6868e1666c1a643630df77367ae5a62a85070a51c14cbf665cbc" PSA hash finish: SHA3-256 Test Vector NIST 896 bits: "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" -depends_on:PSA_WANT_ALG_SHA_3_256 +depends_on:PSA_WANT_ALG_SHA3_256 hash_finish:PSA_ALG_SHA3_256:"61626364656667686263646566676869636465666768696a6465666768696a6b65666768696a6b6c666768696a6b6c6d6768696a6b6c6d6e68696a6b6c6d6e6f696a6b6c6d6e6f706a6b6c6d6e6f70716b6c6d6e6f7071726c6d6e6f707172736d6e6f70717273746e6f707172737475":"916f6061fe879741ca6469b43971dfdb28b1a32dc36cb3254e812be27aad1d18" PSA hash finish: SHA3-384 Test Vector NIST 896 bits: "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" -depends_on:PSA_WANT_ALG_SHA_3_384 +depends_on:PSA_WANT_ALG_SHA3_384 hash_finish:PSA_ALG_SHA3_384:"61626364656667686263646566676869636465666768696a6465666768696a6b65666768696a6b6c666768696a6b6c6d6768696a6b6c6d6e68696a6b6c6d6e6f696a6b6c6d6e6f706a6b6c6d6e6f70716b6c6d6e6f7071726c6d6e6f707172736d6e6f70717273746e6f707172737475":"79407d3b5916b59c3e30b09822974791c313fb9ecc849e406f23592d04f625dc8c709b98b43b3852b337216179aa7fc7" PSA hash finish: SHA3-512 Test Vector NIST 896 bits: "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" -depends_on:PSA_WANT_ALG_SHA_3_512 +depends_on:PSA_WANT_ALG_SHA3_512 
hash_finish:PSA_ALG_SHA3_512:"61626364656667686263646566676869636465666768696a6465666768696a6b65666768696a6b6c666768696a6b6c6d6768696a6b6c6d6e68696a6b6c6d6e6f696a6b6c6d6e6f706a6b6c6d6e6f70716b6c6d6e6f7071726c6d6e6f707172736d6e6f70717273746e6f707172737475":"afebb2ef542e6579c50cad06d2e578f9f8dd6881d7dc824d26360feebf18a4fa73e3261122948efcfd492e74e82e2189ed0fb440d187f382270cb455f21dd185" PSA hash finish: MD5 Test vector RFC1321 #1 diff --git a/tests/suites/test_suite_psa_crypto_metadata.data b/tests/suites/test_suite_psa_crypto_metadata.data index b461dc48e..2bc559c6b 100644 --- a/tests/suites/test_suite_psa_crypto_metadata.data +++ b/tests/suites/test_suite_psa_crypto_metadata.data @@ -27,19 +27,19 @@ depends_on:PSA_WANT_ALG_SHA_512 hash_algorithm:PSA_ALG_SHA_512:64 Hash: SHA-3 SHA3-224 -depends_on:PSA_WANT_ALG_SHA_3_224 +depends_on:PSA_WANT_ALG_SHA3_224 hash_algorithm:PSA_ALG_SHA3_224:28 Hash: SHA-3 SHA3-256 -depends_on:PSA_WANT_ALG_SHA_3_256 +depends_on:PSA_WANT_ALG_SHA3_256 hash_algorithm:PSA_ALG_SHA3_256:32 Hash: SHA-3 SHA3-384 -depends_on:PSA_WANT_ALG_SHA_3_384 +depends_on:PSA_WANT_ALG_SHA3_384 hash_algorithm:PSA_ALG_SHA3_384:48 Hash: SHA-3 SHA3-512 -depends_on:PSA_WANT_ALG_SHA_3_512 +depends_on:PSA_WANT_ALG_SHA3_512 hash_algorithm:PSA_ALG_SHA3_512:64 MAC: HMAC-MD5 From 5734bb99cc18a0db9b31f67f87c299d2f5cbbda0 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 26 Jun 2023 18:23:08 +0100 Subject: [PATCH 008/222] Fix PSA_HMAC_MAX_HASH_BLOCK_SIZE and PSA_HASH_MAX_SIZE definitions Signed-off-by: Dave Rodgman --- include/psa/crypto_sizes.h | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/include/psa/crypto_sizes.h b/include/psa/crypto_sizes.h index 8cc965b09..dd99c0d92 100644 --- a/include/psa/crypto_sizes.h +++ b/include/psa/crypto_sizes.h 
@@ -125,28 +125,43 @@ * This macro expands to a compile-time constant integer. This value * is the maximum size of a hash in bytes. */ -/* Note: for HMAC-SHA-3, the block size is 144 bytes for HMAC-SHA3-226, +/* Note: for HMAC-SHA-3, the block size is 144 bytes for HMAC-SHA3-224, * 136 bytes for HMAC-SHA3-256, 104 bytes for SHA3-384, 72 bytes for * HMAC-SHA3-512. */ /* Note: PSA_HASH_MAX_SIZE should be kept in sync with MBEDTLS_MD_MAX_SIZE, * see the note on MBEDTLS_MD_MAX_SIZE for details. */ -#if defined(PSA_WANT_ALG_SHA_512) -#define PSA_HASH_MAX_SIZE 64 +#if defined(PSA_WANT_ALG_SHA3_224) +#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 144 +#elif defined(PSA_WANT_ALG_SHA3_256) +#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 136 +#elif defined(PSA_WANT_ALG_SHA_512) #define PSA_HMAC_MAX_HASH_BLOCK_SIZE 128 #elif defined(PSA_WANT_ALG_SHA_384) -#define PSA_HASH_MAX_SIZE 48 #define PSA_HMAC_MAX_HASH_BLOCK_SIZE 128 +#elif defined(PSA_WANT_ALG_SHA3_384) +#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 104 +#elif defined(PSA_WANT_ALG_SHA3_512) +#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 72 #elif defined(PSA_WANT_ALG_SHA_256) -#define PSA_HASH_MAX_SIZE 32 #define PSA_HMAC_MAX_HASH_BLOCK_SIZE 64 #elif defined(PSA_WANT_ALG_SHA_224) -#define PSA_HASH_MAX_SIZE 28 #define PSA_HMAC_MAX_HASH_BLOCK_SIZE 64 #else /* SHA-1 or smaller */ -#define PSA_HASH_MAX_SIZE 20 #define PSA_HMAC_MAX_HASH_BLOCK_SIZE 64 #endif +#if defined(PSA_WANT_ALG_SHA_512) || defined(PSA_WANT_ALG_SHA3_512) +#define PSA_HASH_MAX_SIZE 64 +#elif defined(PSA_WANT_ALG_SHA_384) || defined(PSA_WANT_ALG_SHA3_384) +#define PSA_HASH_MAX_SIZE 48 +#elif defined(PSA_WANT_ALG_SHA_256) || defined(PSA_WANT_ALG_SHA3_256) +#define PSA_HASH_MAX_SIZE 32 +#elif defined(PSA_WANT_ALG_SHA_224) || defined(PSA_WANT_ALG_SHA3_224) +#define PSA_HASH_MAX_SIZE 28 +#else /* SHA-1 or smaller */ +#define PSA_HASH_MAX_SIZE 20 +#endif + /** \def PSA_MAC_MAX_SIZE * * Maximum size of a MAC. From 47a2ac1c253b90f9c57b9ba5cf3ae110a4068042 Mon Sep 17 00:00:00 2001 
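Review bot: The new `PSA_HMAC_MAX_HASH_BLOCK_SIZE` chain yields the maximum only because its branches are listed in decreasing block size (144, 136, 128, 128, 104, 72, 64), and nothing in the hunk says that this order is required. A branch added out of order later would silently undersize any buffer dimensioned by this macro, so I would put `/* Branches must stay in decreasing block-size order: the first match wins. */` above the first `#if`. The same holds for the separate `PSA_HASH_MAX_SIZE` chain below it. While touching the note, "104 bytes for SHA3-384" could read "HMAC-SHA3-384" to match the other three entries.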
From: Dave Rodgman Date: Mon, 26 Jun 2023 18:39:42 +0100 Subject: [PATCH 009/222] Fix incorrectly named macro Signed-off-by: Dave Rodgman --- include/mbedtls/config_psa.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 4a05318a7..45fcddf3d 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -277,22 +277,22 @@ extern "C" { #define MBEDTLS_SHA512_C #endif -#if defined(PSA_WANT_ALG_SHA3_224) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_3_224) +#if defined(PSA_WANT_ALG_SHA3_224) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_224) #define MBEDTLS_PSA_BUILTIN_ALG_SHA3_224 1 #define MBEDTLS_SHA3_C #endif -#if defined(PSA_WANT_ALG_SHA3_256) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_3_256) +#if defined(PSA_WANT_ALG_SHA3_256) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_256) #define MBEDTLS_PSA_BUILTIN_ALG_SHA3_256 1 #define MBEDTLS_SHA3_C #endif -#if defined(PSA_WANT_ALG_SHA3_384) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_3_384) +#if defined(PSA_WANT_ALG_SHA3_384) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_384) #define MBEDTLS_PSA_BUILTIN_ALG_SHA3_384 1 #define MBEDTLS_SHA3_C #endif -#if defined(PSA_WANT_ALG_SHA3_512) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_3_512) +#if defined(PSA_WANT_ALG_SHA3_512) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_512) #define MBEDTLS_PSA_BUILTIN_ALG_SHA3_512 1 #define MBEDTLS_SHA3_C #endif From 4506e7de616d221c184cd0f9c5b14d2f4d06b71f Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Tue, 27 Jun 2023 12:20:32 +0100 Subject: [PATCH 010/222] Move clarification to a separate note Signed-off-by: David Horstmann --- include/mbedtls/net_sockets.h | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/net_sockets.h b/include/mbedtls/net_sockets.h index 9f9e2adcf..1096d66d9 100644 --- a/include/mbedtls/net_sockets.h +++ b/include/mbedtls/net_sockets.h 
@@ -283,16 +283,24 @@ int mbedtls_net_recv_timeout(void *ctx, unsigned char *buf, size_t len, uint32_t timeout); /** - * \brief Close down the connection and clear the context + * \brief Closes down the connection and free associated data * * \param ctx The context to close + * + * \note This function frees and clears data associated with the + * context but does not free the memory pointed to by \p ctx. + * This memory is the responsibility of the caller. */ void mbedtls_net_close(mbedtls_net_context *ctx); /** - * \brief Gracefully shutdown the connection and clear the context + * \brief Gracefully shutdown the connection and free associated data * - * \param ctx The context to gracefully shutdown + * \param ctx The context to free + * + * \note This function frees and clears data associated with the + * context but does not free the memory pointed to by \p ctx. + * This memory is the responsibility of the caller. */ void mbedtls_net_free(mbedtls_net_context *ctx); From b9f8974c6cc89b2273e2334e274d651d2339148a Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Tue, 25 Apr 2023 04:48:15 -0400 Subject: [PATCH 011/222] Document mbedtls_calloc zeroization Signed-off-by: Andrzej Kurek --- include/mbedtls/mbedtls_config.h | 2 +- include/mbedtls/platform.h | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index e15104216..bb2d66deb 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h 
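Review bot: The added `\note` on `mbedtls_net_close` and `mbedtls_net_free` says who owns the memory behind `ctx`, but not what state the context is left in, which is what a caller needs in order to avoid using a closed context. I would add one sentence to each note stating whether the context may be reused directly or must be re-initialised first; the implementation is not visible in this hunk, so the wording has to come from the source file. The restored brief also mixes verb forms: `\brief Close down the connection and free associated data` would match the `mbedtls_net_free` brief.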
@@ -3680,7 +3680,7 @@ /* Platform options */ //#define MBEDTLS_PLATFORM_STD_MEM_HDR /**< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed. */ -//#define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< Default allocator to use, can be undefined */ +//#define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< Default allocator to use, can be undefined. Please note that it should zeroize the buffer after allocation. */ //#define MBEDTLS_PLATFORM_STD_FREE free /**< Default free to use, can be undefined */ //#define MBEDTLS_PLATFORM_STD_SETBUF setbuf /**< Default setbuf to use, can be undefined */ //#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default exit to use, can be undefined */ diff --git a/include/mbedtls/platform.h b/include/mbedtls/platform.h index 768c756b9..490cedb4a 100644 --- a/include/mbedtls/platform.h +++ b/include/mbedtls/platform.h @@ -135,6 +135,7 @@ extern "C" { /* * The function pointers for calloc and free. + * mbedtls_calloc will allocate and zeroize the buffer. */ #if defined(MBEDTLS_PLATFORM_MEMORY) #if defined(MBEDTLS_PLATFORM_FREE_MACRO) && \ From c08ccd00f3592477fe50945b7958d4b4956039c9 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Tue, 25 Apr 2023 05:19:42 -0400 Subject: [PATCH 012/222] Add a test for calloc zeroization Signed-off-by: Andrzej Kurek --- include/mbedtls/mbedtls_config.h | 2 +- tests/suites/test_suite_platform.data | 3 +++ tests/suites/test_suite_platform.function | 14 ++++++++++++++ 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index bb2d66deb..7e87946a9 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h 
@@ -3680,7 +3680,7 @@ /* Platform options */ //#define MBEDTLS_PLATFORM_STD_MEM_HDR /**< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed. */ -//#define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< Default allocator to use, can be undefined. Please note that it should zeroize the buffer after allocation. */ +//#define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< Default allocator to use, can be undefined. Please note that it should zeroize the allocated buffer. */ //#define MBEDTLS_PLATFORM_STD_FREE free /**< Default free to use, can be undefined */ //#define MBEDTLS_PLATFORM_STD_SETBUF setbuf /**< Default setbuf to use, can be undefined */ //#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default exit to use, can be undefined */ diff --git a/tests/suites/test_suite_platform.data b/tests/suites/test_suite_platform.data index 4276b8fb7..64992820c 100644 --- a/tests/suites/test_suite_platform.data +++ b/tests/suites/test_suite_platform.data @@ -4,3 +4,6 @@ time_get_milliseconds: Time: get seconds time_get_seconds: + +Check mbedtls_calloc zeroization +check_mbedtls_calloc_zeroization: \ No newline at end of file diff --git a/tests/suites/test_suite_platform.function b/tests/suites/test_suite_platform.function index 61681b878..82c656d2d 100644 --- a/tests/suites/test_suite_platform.function +++ b/tests/suites/test_suite_platform.function @@ -120,3 +120,17 @@ void time_delay_seconds(int delay_secs) goto exit; } /* END_CASE */ + +/* BEGIN_CASE */ +void check_mbedtls_calloc_zeroization() +{ + unsigned int buf_size = 256; + unsigned char *buf; + buf = mbedtls_calloc(buf_size, sizeof(unsigned char)); + for (unsigned int i = 0; i < buf_size; i++) { + TEST_EQUAL(buf[i], 0); + } +exit: + mbedtls_free(buf); +} +/* END_CASE */ \ No newline at end of file From 2d981f092e5b27db9a2379101973816c526fa2b9 Mon Sep 17 00:00:00 2001 
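Review bot: In `check_mbedtls_calloc_zeroization` (tests/suites/test_suite_platform.function) the pointer returned by `mbedtls_calloc` is read in the loop without a NULL check, so an allocation failure crashes the suite instead of failing the case. Add `TEST_ASSERT(buf != NULL);` right after the allocation, and declare `unsigned char *buf = NULL;` so the `exit:` path stays safe if a check is ever placed before the call. The same unchecked read appears in the `buffer3` loop added to `calloc_self_test` in programs/test/selftest.c by PATCH 014 and in the `buffer4` loop added by PATCH 016, unless unchanged lines outside those hunks already guard it; there `if (buffer3 == NULL) { ++failures; }` ahead of the loop would do.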
From: Andrzej Kurek Date: Thu, 27 Apr 2023 09:19:35 -0400 Subject: [PATCH 013/222] Extend mbedtls_calloc and mbedtls_free documentation Co-authored-by: Gilles Peskine Signed-off-by: Andrzej Kurek --- include/mbedtls/mbedtls_config.h | 23 +++++++++++++++++++---- include/mbedtls/platform.h | 3 ++- 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 7e87946a9..a08f9d865 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h 
@@ -3680,8 +3680,23 @@ /* Platform options */ //#define MBEDTLS_PLATFORM_STD_MEM_HDR /**< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed. */ -//#define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< Default allocator to use, can be undefined. Please note that it should zeroize the allocated buffer. */ -//#define MBEDTLS_PLATFORM_STD_FREE free /**< Default free to use, can be undefined */ +/** \def MBEDTLS_PLATFORM_STD_CALLOC + * + * Default allocator to use, can be undefined. + * It should initialize the allocated buffer memory to zeroes. + * The size of the buffer is the product of the two parameters. + * The behavior is undefined if the product of the two parameters overflows size_t. + * If the product is 0, the function may either return NULL or a valid pointer to an array of size 0 which is a valid input to the deallocation function. + * The corresponding deallocation function is MBEDTLS_PLATFORM_STD_FREE. + */ +//#define MBEDTLS_PLATFORM_STD_CALLOC calloc +/** \def MBEDTLS_PLATFORM_STD_FREE + * + * Default free to use, can be undefined. + * NULL is a valid parameter, and the function must do nothing. + * A non-null parameter will always be a pointer previously returned by MBEDTLS_PLATFORM_STD_CALLOC and not yet freed. + */ +//#define MBEDTLS_PLATFORM_STD_FREE free //#define MBEDTLS_PLATFORM_STD_SETBUF setbuf /**< Default setbuf to use, can be undefined */ //#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default exit to use, can be undefined */ //#define MBEDTLS_PLATFORM_STD_TIME time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */ 
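Review bot: The new `MBEDTLS_PLATFORM_STD_CALLOC` description declares the behaviour undefined when the product of the two parameters overflows `size_t`, which permits a replacement allocator that wraps the multiplication and returns a buffer smaller than the caller asked for. Conforming `calloc` implementations are expected to fail in that case, and callers passing a count and an element size presumably rely on it, so I would state it as a requirement: `* If the product of the two parameters overflows size_t, the function must return NULL.` The hunk in PATCH 015 that rewrites this paragraph drops the sentence without replacing it, so the requirement is missing there as well.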
@@ -3697,8 +3712,8 @@ /* To Use Function Macros MBEDTLS_PLATFORM_C must be enabled */ /* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */ -//#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc /**< Default allocator macro to use, can be undefined */ -//#define MBEDTLS_PLATFORM_FREE_MACRO free /**< Default free macro to use, can be undefined */ +//#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc /**< Default allocator macro to use, can be undefined. See MBEDTLS_PLATFORM_STD_CALLOC for requirements. */ +//#define MBEDTLS_PLATFORM_FREE_MACRO free /**< Default free macro to use, can be undefined. See MBEDTLS_PLATFORM_STD_FREE for requirements. */ //#define MBEDTLS_PLATFORM_EXIT_MACRO exit /**< Default exit macro to use, can be undefined */ //#define MBEDTLS_PLATFORM_SETBUF_MACRO setbuf /**< Default setbuf macro to use, can be undefined */ //#define MBEDTLS_PLATFORM_TIME_MACRO time /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */ diff --git a/include/mbedtls/platform.h b/include/mbedtls/platform.h index 490cedb4a..fb7bc1b6a 100644 --- a/include/mbedtls/platform.h +++ b/include/mbedtls/platform.h @@ -135,7 +135,8 @@ extern "C" { /* * The function pointers for calloc and free. - * mbedtls_calloc will allocate and zeroize the buffer. + * please see MBEDTLS_PLATFORM_STD_CALLOC and MBEDTLS_PLATFORM_STD_FREE + * in mbedtls_config.h for more information about behaviour and requirements. */ #if defined(MBEDTLS_PLATFORM_MEMORY) #if defined(MBEDTLS_PLATFORM_FREE_MACRO) && \ From 9032711dc7dad879348fb2850cdbda0e81fe13f2 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Thu, 27 Apr 2023 09:30:18 -0400 Subject: [PATCH 014/222] Move the calloc buffer initialization test to selftest.c This way it's more in line with the 2.28 version. 
Signed-off-by: Andrzej Kurek --- programs/test/selftest.c | 45 +++++++++++++++++++++-- tests/suites/test_suite_platform.data | 3 -- tests/suites/test_suite_platform.function | 14 ------- 3 files changed, 41 insertions(+), 21 deletions(-) diff --git a/programs/test/selftest.c b/programs/test/selftest.c index f896d4f9d..d3127553d 100644 --- a/programs/test/selftest.c +++ b/programs/test/selftest.c @@ -73,23 +73,49 @@ static int calloc_self_test(int verbose) void *empty2 = mbedtls_calloc(0, 1); void *buffer1 = mbedtls_calloc(1, 1); void *buffer2 = mbedtls_calloc(1, 1); + unsigned int buf_size = 256; + unsigned char *buffer3 = mbedtls_calloc(buf_size, sizeof(unsigned char)); if (empty1 == NULL && empty2 == NULL) { if (verbose) { - mbedtls_printf(" CALLOC(0): passed (NULL)\n"); + mbedtls_printf(" CALLOC(0,1): passed (NULL)\n"); } } else if (empty1 == NULL || empty2 == NULL) { if (verbose) { - mbedtls_printf(" CALLOC(0): failed (mix of NULL and non-NULL)\n"); + mbedtls_printf(" CALLOC(0,1): failed (mix of NULL and non-NULL)\n"); } ++failures; } else if (empty1 == empty2) { if (verbose) { - mbedtls_printf(" CALLOC(0): passed (same non-null)\n"); + mbedtls_printf(" CALLOC(0,1): passed (same non-null)\n"); } } else { if (verbose) { - mbedtls_printf(" CALLOC(0): passed (distinct non-null)\n"); + mbedtls_printf(" CALLOC(0,1): passed (distinct non-null)\n"); + } + } + + mbedtls_free(empty1); + mbedtls_free(empty2); + + empty1 = mbedtls_calloc(1, 0); + empty2 = mbedtls_calloc(1, 0); + if (empty1 == NULL && empty2 == NULL) { + if (verbose) { + mbedtls_printf(" CALLOC(1,0): passed (NULL)\n"); + } + } else if (empty1 == NULL || empty2 == NULL) { + if (verbose) { + mbedtls_printf(" CALLOC(1,0): failed (mix of NULL and non-NULL)\n"); + } + ++failures; + } else if (empty1 == empty2) { + if (verbose) { + mbedtls_printf(" CALLOC(1,0): passed (same non-null)\n"); + } + } else { + if (verbose) { + mbedtls_printf(" CALLOC(1,0): passed (distinct non-null)\n"); } } 
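Review bot: The `CALLOC(1,0)` block added to `calloc_self_test` is a copy of the four-way `CALLOC(0,1)` branch with only the label changed, so the two copies can drift apart the next time one of them is edited. A small static helper that takes the label and the two pointers keeps the pass/fail rules in one place; the message text stays as it is. `calloc_self_test` starts and ends outside this hunk, so the helper would sit just above it.

```c
/* Report the outcome of a pair of zero-sized allocations; returns 1 on failure. */
static int calloc_check_empty_pair(const char *label, void *p1, void *p2, int verbose)
{
    const char *outcome;
    int failed = 0;

    if (p1 == NULL && p2 == NULL) {
        outcome = "passed (NULL)";
    } else if (p1 == NULL || p2 == NULL) {
        outcome = "failed (mix of NULL and non-NULL)";
        failed = 1;
    } else if (p1 == p2) {
        outcome = "passed (same non-null)";
    } else {
        outcome = "passed (distinct non-null)";
    }
    if (verbose) {
        /* keep the leading indent the existing messages use */
        mbedtls_printf("  %s: %s\n", label, outcome);
    }
    return failed;
}

/* ... unchanged: declarations and allocations at the top of calloc_self_test ... */
    failures += calloc_check_empty_pair("CALLOC(0,1)", empty1, empty2, verbose);

    mbedtls_free(empty1);
    mbedtls_free(empty2);

    empty1 = mbedtls_calloc(1, 0);
    empty2 = mbedtls_calloc(1, 0);
    failures += calloc_check_empty_pair("CALLOC(1,0)", empty1, empty2, verbose);
/* ... unchanged: buffer1/buffer2 checks ... */
```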
@@ -122,6 +148,16 @@ static int calloc_self_test(int verbose) } } + for (unsigned int i = 0; i < buf_size; i++) { + if (buffer3[i] != 0) { + ++failures; + if (verbose) { + mbedtls_printf(" CALLOC(%u): failed (memory not initialized to 0)\n", buf_size); + } + break; + } + } + if (verbose) { mbedtls_printf("\n"); } @@ -129,6 +165,7 @@ static int calloc_self_test(int verbose) mbedtls_free(empty2); mbedtls_free(buffer1); mbedtls_free(buffer2); + mbedtls_free(buffer3); return failures; } #endif /* MBEDTLS_SELF_TEST */ diff --git a/tests/suites/test_suite_platform.data b/tests/suites/test_suite_platform.data index 64992820c..4276b8fb7 100644 --- a/tests/suites/test_suite_platform.data +++ b/tests/suites/test_suite_platform.data @@ -4,6 +4,3 @@ time_get_milliseconds: Time: get seconds time_get_seconds: - -Check mbedtls_calloc zeroization -check_mbedtls_calloc_zeroization: \ No newline at end of file diff --git a/tests/suites/test_suite_platform.function b/tests/suites/test_suite_platform.function index 82c656d2d..61681b878 100644 --- a/tests/suites/test_suite_platform.function +++ b/tests/suites/test_suite_platform.function @@ -120,17 +120,3 @@ void time_delay_seconds(int delay_secs) goto exit; } /* END_CASE */ - -/* BEGIN_CASE */ -void check_mbedtls_calloc_zeroization() -{ - unsigned int buf_size = 256; - unsigned char *buf; - buf = mbedtls_calloc(buf_size, sizeof(unsigned char)); - for (unsigned int i = 0; i < buf_size; i++) { - TEST_EQUAL(buf[i], 0); - } -exit: - mbedtls_free(buf); -} -/* END_CASE */ \ No newline at end of file From ecaf6fb8b264c2d4676c32c5abb1630a608d8fcb Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Thu, 4 May 2023 17:07:57 -0400 Subject: [PATCH 015/222] Documentation and cosmetic fixes Signed-off-by: Andrzej Kurek --- include/mbedtls/mbedtls_config.h | 10 +++++----- include/mbedtls/platform.h | 2 +- programs/test/selftest.c | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) 
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index a08f9d865..7aea34ce6 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -3683,18 +3683,18 @@ /** \def MBEDTLS_PLATFORM_STD_CALLOC * * Default allocator to use, can be undefined. - * It should initialize the allocated buffer memory to zeroes. + * It must initialize the allocated buffer memory to zeroes. * The size of the buffer is the product of the two parameters. - * The behavior is undefined if the product of the two parameters overflows size_t. + * The calloc function returns either a null pointer or a pointer to the allocated space. * If the product is 0, the function may either return NULL or a valid pointer to an array of size 0 which is a valid input to the deallocation function. - * The corresponding deallocation function is MBEDTLS_PLATFORM_STD_FREE. + * The corresponding deallocation function is #MBEDTLS_PLATFORM_STD_FREE. */ //#define MBEDTLS_PLATFORM_STD_CALLOC calloc /** \def MBEDTLS_PLATFORM_STD_FREE * * Default free to use, can be undefined. * NULL is a valid parameter, and the function must do nothing. - * A non-null parameter will always be a pointer previously returned by MBEDTLS_PLATFORM_STD_CALLOC and not yet freed. + * A non-null parameter will always be a pointer previously returned by #MBEDTLS_PLATFORM_STD_CALLOC and not yet freed. */ //#define MBEDTLS_PLATFORM_STD_FREE free //#define MBEDTLS_PLATFORM_STD_SETBUF setbuf /**< Default setbuf to use, can be undefined */ 
@@ -3710,7 +3710,7 @@ //#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */ //#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE "seedfile" /**< Seed file to read/write with default implementation */ -/* To Use Function Macros MBEDTLS_PLATFORM_C must be enabled */ +/* To use the following function macros, MBEDTLS_PLATFORM_C must be enabled. */ /* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */ //#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc /**< Default allocator macro to use, can be undefined. See MBEDTLS_PLATFORM_STD_CALLOC for requirements. */ //#define MBEDTLS_PLATFORM_FREE_MACRO free /**< Default free macro to use, can be undefined. See MBEDTLS_PLATFORM_STD_FREE for requirements. */ diff --git a/include/mbedtls/platform.h b/include/mbedtls/platform.h index fb7bc1b6a..87e880fbb 100644 --- a/include/mbedtls/platform.h +++ b/include/mbedtls/platform.h @@ -135,7 +135,7 @@ extern "C" { /* * The function pointers for calloc and free. - * please see MBEDTLS_PLATFORM_STD_CALLOC and MBEDTLS_PLATFORM_STD_FREE + * Please see MBEDTLS_PLATFORM_STD_CALLOC and MBEDTLS_PLATFORM_STD_FREE * in mbedtls_config.h for more information about behaviour and requirements. */ #if defined(MBEDTLS_PLATFORM_MEMORY) diff --git a/programs/test/selftest.c b/programs/test/selftest.c index d3127553d..88c018855 100644 --- a/programs/test/selftest.c +++ b/programs/test/selftest.c @@ -74,7 +74,7 @@ static int calloc_self_test(int verbose) void *buffer1 = mbedtls_calloc(1, 1); void *buffer2 = mbedtls_calloc(1, 1); unsigned int buf_size = 256; - unsigned char *buffer3 = mbedtls_calloc(buf_size, sizeof(unsigned char)); + unsigned char *buffer3 = mbedtls_calloc(buf_size, 1); if (empty1 == NULL && empty2 == NULL) { if (verbose) { From e35f3a23bef66e578d4c605e4729b221d948679d Mon Sep 17 00:00:00 2001 
From: Andrzej Kurek Date: Thu, 4 May 2023 17:29:55 -0400 Subject: [PATCH 016/222] Add a calloc selftest for more than a page Signed-off-by: Andrzej Kurek --- programs/test/selftest.c | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/programs/test/selftest.c b/programs/test/selftest.c index 88c018855..cc5e00ed3 100644 --- a/programs/test/selftest.c +++ b/programs/test/selftest.c @@ -73,8 +73,10 @@ static int calloc_self_test(int verbose) void *empty2 = mbedtls_calloc(0, 1); void *buffer1 = mbedtls_calloc(1, 1); void *buffer2 = mbedtls_calloc(1, 1); - unsigned int buf_size = 256; - unsigned char *buffer3 = mbedtls_calloc(buf_size, 1); + unsigned int buffer_3_size = 256; + unsigned int buffer_4_size = 4097; /* Allocate more than the usual page size */ + unsigned char *buffer3 = mbedtls_calloc(buffer_3_size, 1); + unsigned char *buffer4 = mbedtls_calloc(buffer_4_size, 1); if (empty1 == NULL && empty2 == NULL) { if (verbose) { @@ -148,11 +150,23 @@ static int calloc_self_test(int verbose) } } - for (unsigned int i = 0; i < buf_size; i++) { + for (unsigned int i = 0; i < buffer_3_size; i++) { if (buffer3[i] != 0) { ++failures; if (verbose) { - mbedtls_printf(" CALLOC(%u): failed (memory not initialized to 0)\n", buf_size); + mbedtls_printf(" CALLOC(%u): failed (memory not initialized to 0)\n", + buffer_3_size); + } + break; + } + } + + for (unsigned int i = 0; i < buffer_4_size; i++) { + if (buffer4[i] != 0) { + ++failures; + if (verbose) { + mbedtls_printf(" CALLOC(%u): failed (memory not initialized to 0)\n", + buffer_4_size); } break; } @@ -166,6 +180,7 @@ static int calloc_self_test(int verbose) mbedtls_free(buffer1); mbedtls_free(buffer2); mbedtls_free(buffer3); + mbedtls_free(buffer4); return failures; } #endif /* MBEDTLS_SELF_TEST */ From 84356a16e9dd0bd0ba30ef0742cb985767116249 Mon Sep 17 00:00:00 2001 
From: Andrzej Kurek Date: Sat, 6 May 2023 08:33:56 -0400 Subject: [PATCH 017/222] Add a description of how mbedtls_calloc is determined Signed-off-by: Andrzej Kurek --- include/mbedtls/mbedtls_config.h | 32 +++++++++++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 7aea34ce6..4f389e081 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h 
@@ -3680,9 +3680,39 @@ /* Platform options */ //#define MBEDTLS_PLATFORM_STD_MEM_HDR /**< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed. */ + +/* An overview of how the value of mbedtls_calloc is determined: + * + * if !MBEDTLS_PLATFORM_MEMORY + * mbedtls_calloc = calloc + * if MBEDTLS_PLATFORM_MEMORY + * if (MBEDTLS_PLATFORM_CALLOC_MACRO && MBEDTLS_PLATFORM_FREE_MACRO): + * mbedtls_calloc = MBEDTLS_PLATFORM_CALLOC_MACRO + * if !(MBEDTLS_PLATFORM_CALLOC_MACRO && MBEDTLS_PLATFORM_FREE_MACRO): + * Dynamic setup via mbedtls_platform_set_calloc_free is now possible with a default value MBEDTLS_PLATFORM_STD_CALLOC. + * How is MBEDTLS_PLATFORM_STD_CALLOC handled? + * if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS: + * MBEDTLS_PLATFORM_STD_CALLOC is not set to anything; + * MBEDTLS_PLATFORM_STD_MEM_HDR can be included if present; + * if !MBEDTLS_PLATFORM_NO_STD_FUNCTIONS: + * if MBEDTLS_PLATFORM_STD_CALLOC is present: + * User-defined MBEDTLS_PLATFORM_STD_CALLOC is respected; + * if !MBEDTLS_PLATFORM_STD_CALLOC: + * MBEDTLS_PLATFORM_STD_CALLOC = calloc + * + * At this point the presence of MBEDTLS_PLATFORM_STD_CALLOC is checked. + * if !MBEDTLS_PLATFORM_STD_CALLOC + * MBEDTLS_PLATFORM_STD_CALLOC = uninitialized_calloc + * + * mbedtls_calloc = MBEDTLS_PLATFORM_STD_CALLOC. + * + * Defining MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_STD_CALLOC at the same time is not possible. + * MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_FREE_MACRO must both be defined or undefined at the same time. + * MBEDTLS_PLATFORM_STD_CALLOC and MBEDTLS_PLATFORM_STD_FREE do not have to be defined at the same time, as, if they are used, dynamic setup of these functions is possible. See the tree above to see how are they handled in all cases. + */ /** \def MBEDTLS_PLATFORM_STD_CALLOC * - * Default allocator to use, can be undefined. + * Default allocator to use, can be undefined. See the description above for details. 
* It must initialize the allocated buffer memory to zeroes. * The size of the buffer is the product of the two parameters. * The calloc function returns either a null pointer or a pointer to the allocated space. From aae3208c29ef88c6a44797e3fafc62c4ab8fccea Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Sat, 6 May 2023 08:52:50 -0400 Subject: [PATCH 018/222] Add an mbedtls_calloc(SIZE_MAX/2, SIZE_MAX/2) test It should return NULL and not a valid pointer. Signed-off-by: Andrzej Kurek --- include/mbedtls/mbedtls_config.h | 5 +++-- programs/test/selftest.c | 13 ++++++++++++- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 4f389e081..55b94ced7 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -3708,7 +3708,8 @@ * * Defining MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_STD_CALLOC at the same time is not possible. * MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_FREE_MACRO must both be defined or undefined at the same time. - * MBEDTLS_PLATFORM_STD_CALLOC and MBEDTLS_PLATFORM_STD_FREE do not have to be defined at the same time, as, if they are used, dynamic setup of these functions is possible. See the tree above to see how are they handled in all cases. + * MBEDTLS_PLATFORM_STD_CALLOC and MBEDTLS_PLATFORM_STD_FREE do not have to be defined at the same time, as, if they are used, + * dynamic setup of these functions is possible. See the tree above to see how are they handled in all cases. */ /** \def MBEDTLS_PLATFORM_STD_CALLOC * 
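Review bot: In the overview comment, the line `MBEDTLS_PLATFORM_STD_CALLOC = uninitialized_calloc` can be read as "a calloc that returns uninitialized memory", which contradicts the requirement just below it that the allocator zeroes the buffer. If it refers, as I believe, to the internal placeholder that returns NULL until mbedtls_platform_set_calloc_free() installs a real allocator, say so, e.g. `MBEDTLS_PLATFORM_STD_CALLOC = placeholder that always returns NULL (no allocator set yet)`. An integrator needs to know that an unconfigured build fails closed with NULL rather than handing out unzeroed memory. In the last sentence, "how are they handled" should read "how they are handled".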
@@ -3722,7 +3723,7 @@ //#define MBEDTLS_PLATFORM_STD_CALLOC calloc /** \def MBEDTLS_PLATFORM_STD_FREE * - * Default free to use, can be undefined. + * Default free to use, can be undefined. See the description above for more details (same principles as for MBEDTLS_PLATFORM_STD_CALLOC apply). * NULL is a valid parameter, and the function must do nothing. * A non-null parameter will always be a pointer previously returned by #MBEDTLS_PLATFORM_STD_CALLOC and not yet freed. */ diff --git a/programs/test/selftest.c b/programs/test/selftest.c index cc5e00ed3..933d06b21 100644 --- a/programs/test/selftest.c +++ b/programs/test/selftest.c @@ -77,7 +77,10 @@ static int calloc_self_test(int verbose) unsigned int buffer_4_size = 4097; /* Allocate more than the usual page size */ unsigned char *buffer3 = mbedtls_calloc(buffer_3_size, 1); unsigned char *buffer4 = mbedtls_calloc(buffer_4_size, 1); - +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Walloc-size-larger-than=" + unsigned char *buffer5 = mbedtls_calloc(SIZE_MAX/2, SIZE_MAX/2); +#pragma GCC diagnostic pop if (empty1 == NULL && empty2 == NULL) { if (verbose) { mbedtls_printf(" CALLOC(0,1): passed (NULL)\n"); @@ -172,6 +175,13 @@ static int calloc_self_test(int verbose) } } + if (buffer5 != NULL) { + ++failures; + if (verbose) { + mbedtls_printf(" CALLOC(SIZE_MAX/2, SIZE_MAX/2): failed (returned a valid pointer)\n"); + } + } + if (verbose) { mbedtls_printf("\n"); } @@ -181,6 +191,7 @@ static int calloc_self_test(int verbose) mbedtls_free(buffer2); mbedtls_free(buffer3); mbedtls_free(buffer4); + mbedtls_free(buffer5); return failures; } #endif /* MBEDTLS_SELF_TEST */ From 60de0b198a2ef6caf1abfd3273f4f7dde70dd727 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Tue, 9 May 2023 16:38:04 -0400 Subject: [PATCH 019/222] Move the overallocation test to test suites This way the compiler does not complain about an overly large allocation made. 
Signed-off-by: Andrzej Kurek --- programs/test/selftest.c | 13 +------------ tests/suites/test_suite_platform.data | 3 +++ tests/suites/test_suite_platform.function | 12 ++++++++++++ 3 files changed, 16 insertions(+), 12 deletions(-) diff --git a/programs/test/selftest.c b/programs/test/selftest.c index 933d06b21..cc5e00ed3 100644 --- a/programs/test/selftest.c +++ b/programs/test/selftest.c @@ -77,10 +77,7 @@ static int calloc_self_test(int verbose) unsigned int buffer_4_size = 4097; /* Allocate more than the usual page size */ unsigned char *buffer3 = mbedtls_calloc(buffer_3_size, 1); unsigned char *buffer4 = mbedtls_calloc(buffer_4_size, 1); -#pragma GCC diagnostic push -#pragma GCC diagnostic ignored "-Walloc-size-larger-than=" - unsigned char *buffer5 = mbedtls_calloc(SIZE_MAX/2, SIZE_MAX/2); -#pragma GCC diagnostic pop + if (empty1 == NULL && empty2 == NULL) { if (verbose) { mbedtls_printf(" CALLOC(0,1): passed (NULL)\n"); @@ -175,13 +172,6 @@ static int calloc_self_test(int verbose) } } - if (buffer5 != NULL) { - ++failures; - if (verbose) { - mbedtls_printf(" CALLOC(SIZE_MAX/2, SIZE_MAX/2): failed (returned a valid pointer)\n"); - } - } - if (verbose) { mbedtls_printf("\n"); } @@ -191,7 +181,6 @@ static int calloc_self_test(int verbose) mbedtls_free(buffer2); mbedtls_free(buffer3); mbedtls_free(buffer4); - mbedtls_free(buffer5); return failures; } #endif /* MBEDTLS_SELF_TEST */ diff --git a/tests/suites/test_suite_platform.data b/tests/suites/test_suite_platform.data index 4276b8fb7..4d5745076 100644 --- a/tests/suites/test_suite_platform.data +++ b/tests/suites/test_suite_platform.data @@ -4,3 +4,6 @@ time_get_milliseconds: Time: get seconds time_get_seconds: + +Check mbedtls_calloc overallocation +check_mbedtls_calloc_overallocation:SIZE_MAX/2:SIZE_MAX/2 diff --git a/tests/suites/test_suite_platform.function b/tests/suites/test_suite_platform.function index 61681b878..bc397357f 100644 --- a/tests/suites/test_suite_platform.function 
+++ b/tests/suites/test_suite_platform.function @@ -120,3 +120,15 @@ void time_delay_seconds(int delay_secs) goto exit; } /* END_CASE */ + +/* BEGIN_CASE */ +void check_mbedtls_calloc_overallocation(intmax_t num, intmax_t size) +{ + unsigned char *buf; + buf = mbedtls_calloc((size_t) num, (size_t) size); + TEST_ASSERT(buf == NULL); + +exit: + mbedtls_free(buf); +} +/* END_CASE */ From 04bfe5797b953c43fb3f3213e7e9b54c084065b3 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Tue, 27 Jun 2023 10:02:09 -0400 Subject: [PATCH 020/222] Disable asan errors on null allocation in all.sh Such error was raised in platform tests, and it's a valid test case. Signed-off-by: Andrzej Kurek --- tests/scripts/all.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 45f7e982f..46d249d66 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -189,6 +189,9 @@ pre_initialize_variables () { # default to -O2, use -Ox _after_ this if you want another level ASAN_CFLAGS='-O2 -Werror -fsanitize=address,undefined -fno-sanitize-recover=all' + # Platform tests have an allocation that returns null + export ASAN_OPTIONS="allocator_may_return_null=1" + # Gather the list of available components. These are the functions # defined in this script whose name starts with "component_". # Parse the script with sed. This way we get the functions in the order From 2b3c06edb3b055e2fb81e574d992d718e75873c8 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 3 Jul 2023 06:52:37 -0400 Subject: [PATCH 021/222] Enable certain documented defines only when generating doxygen Avoid an "unrecognized define" error. Signed-off-by: Andrzej Kurek --- doxygen/mbedtls.doxyfile | 1 + include/mbedtls/mbedtls_config.h | 2 ++ include/mbedtls/platform.h | 9 +++++++++ 3 files changed, 12 insertions(+) diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile index 393fd41ad..4c95c61e7 100644 --- a/doxygen/mbedtls.doxyfile +++ b/doxygen/mbedtls.doxyfile 
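Review bot: Nothing in `check_mbedtls_calloc_overallocation` or its data line records why `SIZE_MAX/2` is passed for both arguments, and the choice is what makes the test meaningful. The product (SIZE_MAX/2)^2 wraps to 1 in `size_t` arithmetic, so an allocator that multiplies without an overflow check returns a valid one-byte buffer and `TEST_ASSERT(buf == NULL)` catches it. Add a comment above the call such as `/* num * size must overflow size_t; (SIZE_MAX/2)^2 wraps to 1, so a missing overflow check yields a non-NULL pointer. */`. The arguments also travel through `intmax_t`, which assumes SIZE_MAX/2 is representable in it; that is worth stating too.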
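Review bot: The added `export ASAN_OPTIONS="allocator_may_return_null=1"` replaces any ASAN_OPTIONS the caller or CI had already set, and it applies to every component rather than to the platform test that needs it. Append to the existing value instead: `export ASAN_OPTIONS="${ASAN_OPTIONS:+$ASAN_OPTIONS:}allocator_may_return_null=1"`. With the option set globally, an unexpectedly huge allocation anywhere in the suite returns NULL instead of aborting under ASan, so the comment should say this is a deliberate trade-off. pre_initialize_variables starts and ends outside the hunk, so whether ASAN_OPTIONS is handled elsewhere in it cannot be seen here.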
@@ -51,4 +51,5 @@ PREDEFINED = "MBEDTLS_CHECK_RETURN_CRITICAL=" \ "MBEDTLS_CHECK_RETURN_TYPICAL=" \ "MBEDTLS_CHECK_RETURN_OPTIONAL=" \ "MBEDTLS_PRINTF_ATTRIBUTE(a,b)=" \ + "__DOXYGEN__" \ diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 55b94ced7..ddbef7a66 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -3711,6 +3711,7 @@ * MBEDTLS_PLATFORM_STD_CALLOC and MBEDTLS_PLATFORM_STD_FREE do not have to be defined at the same time, as, if they are used, * dynamic setup of these functions is possible. See the tree above to see how are they handled in all cases. */ + /** \def MBEDTLS_PLATFORM_STD_CALLOC * * Default allocator to use, can be undefined. See the description above for details. @@ -3721,6 +3722,7 @@ * The corresponding deallocation function is #MBEDTLS_PLATFORM_STD_FREE. */ //#define MBEDTLS_PLATFORM_STD_CALLOC calloc + /** \def MBEDTLS_PLATFORM_STD_FREE * * Default free to use, can be undefined. See the description above for more details (same principles as for MBEDTLS_PLATFORM_STD_CALLOC apply). diff --git a/include/mbedtls/platform.h b/include/mbedtls/platform.h index 87e880fbb..3fc1fd0c1 100644 --- a/include/mbedtls/platform.h +++ b/include/mbedtls/platform.h @@ -130,6 +130,15 @@ extern "C" { #endif #endif /* MBEDTLS_PLATFORM_NO_STD_FUNCTIONS */ +/* Enable certain documented defines only when generating doxygen to avoid + * an "unrecognized define" error. */ +#if defined(__DOXYGEN__) && !defined(MBEDTLS_PLATFORM_STD_CALLOC) +#define MBEDTLS_PLATFORM_STD_CALLOC +#endif + +#if defined(__DOXYGEN__) && !defined(MBEDTLS_PLATFORM_STD_FREE) +#define MBEDTLS_PLATFORM_STD_FREE +#endif /** \} name SECTION: Module settings */ From cf669b058b92d706367db91263b7f9bacb75178d Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 3 Jul 2023 09:49:07 -0400 Subject: [PATCH 022/222] Add a dummy usage of a pointer in tests This way clang with O1 doesn't optimize it. 
Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_platform.function | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/suites/test_suite_platform.function b/tests/suites/test_suite_platform.function index bc397357f..c65d011f0 100644 --- a/tests/suites/test_suite_platform.function +++ b/tests/suites/test_suite_platform.function @@ -126,6 +126,8 @@ void check_mbedtls_calloc_overallocation(intmax_t num, intmax_t size) { unsigned char *buf; buf = mbedtls_calloc((size_t) num, (size_t) size); + /* Dummy usage of the pointer to prevent optimizing it */ + mbedtls_printf("calloc pointer : %p\n", buf); TEST_ASSERT(buf == NULL); exit: From 4d69b29076cfc36210fe1ca52066ba595cb032cd Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 9 May 2023 10:50:44 +0800 Subject: [PATCH 023/222] Update server5-selfsigned.crt Signed-off-by: Jerry Yu --- tests/data_files/Makefile | 12 ++++++++++++ tests/data_files/server5-selfsigned.crt | 20 ++++++++++---------- 2 files changed, 22 insertions(+), 10 deletions(-) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 2ad5c2af6..c0556a65e 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile 
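Review bot: `%p` expects a `void *`, but the added `mbedtls_printf` passes `buf` as `unsigned char *`; add the cast, `mbedtls_printf("calloc pointer : %p\n", (void *) buf);`, which also keeps `-Wformat-pedantic` builds quiet. The call exists only to stop the optimizer from eliding the allocation, yet it writes a line to the test output on every run. The comment should state that reason more precisely, e.g. `/* Let the pointer escape so the compiler cannot assume calloc succeeded and fold the NULL check. */`. The function body starts outside the hunk.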
@@ -416,6 +416,18 @@ server5-ss-forgeca.crt: server5.key $(FAKETIME) '2015-09-01 14:08:43' $(OPENSSL) req -x509 -new -subj "/C=UK/O=mbed TLS/CN=mbed TLS Test intermediate CA 3" -set_serial 77 -config $(test_ca_config_file) -extensions noext_ca -days 3650 -sha256 -key $< -out $@ all_final += server5-ss-forgeca.crt +server5-selfsigned.crt: server5.key + openssl req -x509 -key server5.key \ + -sha256 -days 3650 -nodes \ + -addext basicConstraints=critical,CA:FALSE \ + -addext keyUsage=critical,digitalSignature \ + -addext subjectKeyIdentifier=hash \ + -addext authorityKeyIdentifier=none \ + -set_serial 0x53a2cb4b124ead837da894b2 \ + -subj "/CN=selfsigned/OU=testing/O=PolarSSL/C=NL" \ + -out $@ +all_final += server5-selfsigned.crt + parse_input/server5-othername.crt.der: server5.key $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS othername SAN" -set_serial 77 -config $(test_ca_config_file) -extensions othername_san -days 3650 -sha256 -key $< -outform der -out $@ diff --git a/tests/data_files/server5-selfsigned.crt b/tests/data_files/server5-selfsigned.crt index cb5564751..0eafe7025 100644 --- a/tests/data_files/server5-selfsigned.crt +++ b/tests/data_files/server5-selfsigned.crt 
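Review bot: The new `server5-selfsigned.crt` recipe calls bare `openssl`, while the rule directly above it in the same hunk uses `$(OPENSSL)`. An OPENSSL override is therefore ignored for this one certificate, and it may be generated with a different OpenSSL build than the rest of the test data. Start the recipe with `$(OPENSSL) req -x509 -key $< \` instead; using `$<` also avoids repeating the prerequisite name. The `-addext` options depend on the OpenSSL version, so which binary runs matters here. `-nodes` appears to have no effect, since the key is read and not written, and could be dropped.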
@@ -1,12 +1,12 @@ -----BEGIN CERTIFICATE----- -MIIBzTCCAXKgAwIBAgIMU6LLSxJOrYN9qJSyMAoGCCqGSM49BAMCMEcxEzARBgNV -BAMTCnNlbGZzaWduZWQxEDAOBgNVBAsTB3Rlc3RpbmcxETAPBgNVBAoTCFBvbGFy -U1NMMQswCQYDVQQGEwJOTDAiGA8yMDE0MDYxOTExMzY0M1oYDzIwMjQwNjE4MTEz -NjQzWjBHMRMwEQYDVQQDEwpzZWxmc2lnbmVkMRAwDgYDVQQLEwd0ZXN0aW5nMREw -DwYDVQQKEwhQb2xhclNTTDELMAkGA1UEBhMCTkwwWTATBgcqhkjOPQIBBggqhkjO -PQMBBwNCAAQ3zFbZdgkeWnI+x1kt/yBu7nz5BpF00K0UtfdoIllikk7lANgjEf/q -L9I0XV0WvYqIwmt3DVXNiioO+gHItO3/o0AwPjAMBgNVHRMBAf8EAjAAMA8GA1Ud -DwEB/wQFAwMHgAAwHQYDVR0OBBYEFLZtURgXjmWq8uzV8wHkbFLCNB1bMAoGCCqG -SM49BAMCA0kAMEYCIQCf/bzFoge0pCOIrtHrABgc1+Cl9kjlsICpduXhdHUMOwIh -AOJ+nBHfaEGyF4PRJvn/jMDeIaH1zisinVzC2v+JQOWq +MIIBxzCCAW2gAwIBAgIMU6LLSxJOrYN9qJSyMAoGCCqGSM49BAMCMEcxEzARBgNV +BAMMCnNlbGZzaWduZWQxEDAOBgNVBAsMB3Rlc3RpbmcxETAPBgNVBAoMCFBvbGFy +U1NMMQswCQYDVQQGEwJOTDAeFw0yMzA1MDkwMjQ5NTdaFw0zMzA1MDYwMjQ5NTda +MEcxEzARBgNVBAMMCnNlbGZzaWduZWQxEDAOBgNVBAsMB3Rlc3RpbmcxETAPBgNV +BAoMCFBvbGFyU1NMMQswCQYDVQQGEwJOTDBZMBMGByqGSM49AgEGCCqGSM49AwEH +A0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA2CMR/+ov0jRd +XRa9iojCa3cNVc2KKg76Aci07f+jPzA9MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/ +BAQDAgeAMB0GA1UdDgQWBBRQYaWP1AfZ14IBDOVlf4xjRqcTvjAKBggqhkjOPQQD +AgNIADBFAiAXiJxDrd5aLzGB/Uc3kYBIBuSUIMGvol2c8EvwmF3zmQIhAPFrKMgA +s2awzo/PBB5gFTkDub88wRYwS1R9JPYCXUO0 -----END CERTIFICATE----- From affc294dfe127840aa1b2eec8602461cf2ba70f0 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 9 May 2023 14:07:56 +0800 Subject: [PATCH 024/222] Add the rule and update server6-ss-child.crt Signed-off-by: Jerry Yu --- tests/data_files/Makefile | 11 ++++++++++ tests/data_files/server6-ss-child.crt | 22 +++++++++---------- .../server6-ss-child.crt.openssl.v3_ext | 4 ++++ 3 files changed, 26 insertions(+), 11 deletions(-) create mode 100644 tests/data_files/server6-ss-child.crt.openssl.v3_ext diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index c0556a65e..495dc0252 100644 --- a/tests/data_files/Makefile 
+++ b/tests/data_files/Makefile @@ -1410,6 +1410,17 @@ server6.crt: server6.csr $(test_ca_crt_file_ec) $(test_ca_key_file_ec) -extfile server5.crt.openssl.v3_ext -set_serial 10 -days 3650 -sha256 -in $< -out $@ all_final += server6.crt +server6-ss-child.csr : server6.key + $(OPENSSL) req -new -subj "/CN=selfsigned-child/OU=testing/O=PolarSSL/C=NL" \ + -key $< -out $@ +all_intermediate += server6-ss-child.csr +server6-ss-child.crt: server6-ss-child.csr server5-selfsigned.crt server5.key server6-ss-child.crt.openssl.v3_ext + $(OPENSSL) x509 -req -CA server5-selfsigned.crt -CAkey server5.key \ + -extfile server6-ss-child.crt.openssl.v3_ext \ + -set_serial 0x53a2cb5822399474a7ec79ec \ + -days 3650 -sha256 -in $< -out $@ +all_final += server6-ss-child.crt + ################################################################ ### Generate certificates for CRT write check tests ################################################################ diff --git a/tests/data_files/server6-ss-child.crt b/tests/data_files/server6-ss-child.crt index 3c6fd4d1b..fc28f34c2 100644 --- a/tests/data_files/server6-ss-child.crt +++ b/tests/data_files/server6-ss-child.crt 
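Review bot: The `server6-ss-child.crt` rule signs with `server5-selfsigned.crt`, which the rule added earlier in this series creates with `basicConstraints=critical,CA:FALSE`, so the issuer is not a CA. That is presumably the purpose of this test certificate, but the Makefile does not say so, and a later maintainer regenerating the data could "correct" the issuer and quietly lose the negative test. Add a comment above the rule, e.g. `# Deliberately issued by a non-CA certificate: server5-selfsigned.crt has CA:FALSE.`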
@@ -1,13 +1,13 @@ -----BEGIN CERTIFICATE----- -MIIB8jCCAZmgAwIBAgIMU6LLWCI5lHSn7HnsMAoGCCqGSM49BAMCMEcxEzARBgNV -BAMTCnNlbGZzaWduZWQxEDAOBgNVBAsTB3Rlc3RpbmcxETAPBgNVBAoTCFBvbGFy -U1NMMQswCQYDVQQGEwJOTDAiGA8yMDE0MDYxOTExMzY1NloYDzIwMjQwNjE4MTEz -NjU2WjBNMRkwFwYDVQQDExBzZWxmc2lnbmVkLWNoaWxkMRAwDgYDVQQLEwd0ZXN0 -aW5nMREwDwYDVQQKEwhQb2xhclNTTDELMAkGA1UEBhMCTkwwWTATBgcqhkjOPQIB -BggqhkjOPQMBBwNCAASBWTF2SST6Fa2roDFuDu0zEfqRJVXBsMGcA3I+mLotpHI3 -iR9DN40fjjrY8FfoL0/JAKT323MPssYElNFAOzjjo2EwXzAMBgNVHRMBAf8EAjAA -MA8GA1UdDwEB/wQFAwMHgAAwHQYDVR0OBBYEFDxZrEo+LvwCNi/afcvLnHqyiZlT -MB8GA1UdIwQYMBaAFLZtURgXjmWq8uzV8wHkbFLCNB1bMAoGCCqGSM49BAMCA0cA -MEQCIAMlQ59/NW7S0hP1cu5OTD2zqT087bEmnIfOTBYfj8UFAiBBrrz2dipODVYx -vvTsQmSCzjrm+JtQQoWa+cdnAG3w5g== +MIIB7jCCAZSgAwIBAgIMU6LLWCI5lHSn7HnsMAoGCCqGSM49BAMCMEcxEzARBgNV +BAMMCnNlbGZzaWduZWQxEDAOBgNVBAsMB3Rlc3RpbmcxETAPBgNVBAoMCFBvbGFy +U1NMMQswCQYDVQQGEwJOTDAeFw0yMzA1MDkwNjA2NDJaFw0zMzA1MDYwNjA2NDJa +ME0xGTAXBgNVBAMMEHNlbGZzaWduZWQtY2hpbGQxEDAOBgNVBAsMB3Rlc3Rpbmcx +ETAPBgNVBAoMCFBvbGFyU1NMMQswCQYDVQQGEwJOTDBZMBMGByqGSM49AgEGCCqG +SM49AwEHA0IABIFZMXZJJPoVraugMW4O7TMR+pElVcGwwZwDcj6Yui2kcjeJH0M3 +jR+OOtjwV+gvT8kApPfbcw+yxgSU0UA7OOOjYDBeMAwGA1UdEwEB/wQCMAAwDgYD +VR0PAQH/BAQDAgeAMB0GA1UdDgQWBBR+ZY8+MwMU5eG+YLLghX+M52ArezAfBgNV +HSMEGDAWgBRQYaWP1AfZ14IBDOVlf4xjRqcTvjAKBggqhkjOPQQDAgNIADBFAiAl +Y2yXg5sZunmo+McUBzvSao1wRxw+9XBSM+Dph5gfhgIhAPlI+lSvD4mzlBzn01Mg +0tMpKHbY34iadcMWBUgibMiA -----END CERTIFICATE----- diff --git a/tests/data_files/server6-ss-child.crt.openssl.v3_ext b/tests/data_files/server6-ss-child.crt.openssl.v3_ext new file mode 100644 index 000000000..dd9cdaa73 --- /dev/null +++ b/tests/data_files/server6-ss-child.crt.openssl.v3_ext @@ -0,0 +1,4 @@ +basicConstraints = critical,CA:false +keyUsage=critical,digitalSignature +subjectKeyIdentifier=hash + From 5a1dbf3d6e166ca9ec11736d02b78ee472580bcb Mon Sep 17 00:00:00 2001 
From: Pengyu Lv Date: Mon, 29 May 2023 10:19:09 +0800 Subject: [PATCH 025/222] Fix the rule for server5-ss-forgeca.crt Signed-off-by: Pengyu Lv --- tests/data_files/Makefile | 2 +- tests/data_files/server5-ss-forgeca.crt | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 495dc0252..6d9cb68be 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -413,7 +413,7 @@ all_final += server5-ss-expired.crt # try to forge a copy of test-int-ca3 with different key server5-ss-forgeca.crt: server5.key - $(FAKETIME) '2015-09-01 14:08:43' $(OPENSSL) req -x509 -new -subj "/C=UK/O=mbed TLS/CN=mbed TLS Test intermediate CA 3" -set_serial 77 -config $(test_ca_config_file) -extensions noext_ca -days 3650 -sha256 -key $< -out $@ + $(OPENSSL) req -x509 -new -subj "/C=UK/O=mbed TLS/CN=mbed TLS Test intermediate CA 3" -set_serial 77 -config $(test_ca_config_file) -extensions noext_ca -days 3650 -sha256 -key $< -out $@ all_final += server5-ss-forgeca.crt server5-selfsigned.crt: server5.key diff --git a/tests/data_files/server5-ss-forgeca.crt b/tests/data_files/server5-ss-forgeca.crt index 2265bf576..cf5bd6db9 100644 --- a/tests/data_files/server5-ss-forgeca.crt +++ b/tests/data_files/server5-ss-forgeca.crt 
@@ -1,11 +1,11 @@ -----BEGIN CERTIFICATE----- -MIIBlDCCATmgAwIBAgIBTTAKBggqhkjOPQQDAjBKMQswCQYDVQQGEwJVSzERMA8G +MIIBkzCCATmgAwIBAgIBTTAKBggqhkjOPQQDAjBKMQswCQYDVQQGEwJVSzERMA8G A1UECgwIbWJlZCBUTFMxKDAmBgNVBAMMH21iZWQgVExTIFRlc3QgaW50ZXJtZWRp -YXRlIENBIDMwHhcNMTUwOTAxMTEwODQzWhcNMjUwODI5MTEwODQzWjBKMQswCQYD +YXRlIENBIDMwHhcNMjMwNTE3MDkxNDIxWhcNMzMwNTE0MDkxNDIxWjBKMQswCQYD VQQGEwJVSzERMA8GA1UECgwIbWJlZCBUTFMxKDAmBgNVBAMMH21iZWQgVExTIFRl c3QgaW50ZXJtZWRpYXRlIENBIDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ3 zFbZdgkeWnI+x1kt/yBu7nz5BpF00K0UtfdoIllikk7lANgjEf/qL9I0XV0WvYqI -wmt3DVXNiioO+gHItO3/oxAwDjAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0kA -MEYCIQDBFcXh+IloVYbMiHfCFhw6cYJsj7PZXuTdDMMkNbyJNAIhALz7fBVAMYz9 -/g48bLdYT47LOc9QNuaboLIxsq5RseJL +wmt3DVXNiioO+gHItO3/oxAwDjAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0gA +MEUCIQD0f3GH9cEJ7cJWPIfwAL/1cGREqO//O/1XggWZv/clnQIgQmlMzGzuUDHq +/mTgGQ9ceSAB9B9im9rcgY6DRFZULnY= -----END CERTIFICATE----- From 0f381fd02f59c02f79baa8458df1d1f097ae1cb2 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 12 May 2023 18:20:56 +0800 Subject: [PATCH 026/222] Update test-ca2.ku-*.crt Signed-off-by: Jerry Yu --- tests/data_files/Makefile | 27 ++++++++++++++++--- tests/data_files/test-ca2.ku-crl.crt | 20 +++++++------- .../test-ca2.ku-crl.crt.openssl.v3_ext | 4 +++ tests/data_files/test-ca2.ku-crt.crt | 20 +++++++------- .../test-ca2.ku-crt.crt.openssl.v3_ext | 4 +++ tests/data_files/test-ca2.ku-crt_crl.crt | 20 +++++++------- .../test-ca2.ku-crt_crl.crt.openssl.v3_ext | 4 +++ tests/data_files/test-ca2.ku-ds.crt | 20 +++++++------- .../test-ca2.ku-ds.crt.openssl.v3_ext | 4 +++ 9 files changed, 79 insertions(+), 44 deletions(-) create mode 100644 tests/data_files/test-ca2.ku-crl.crt.openssl.v3_ext create mode 100644 tests/data_files/test-ca2.ku-crt.crt.openssl.v3_ext create mode 100644 tests/data_files/test-ca2.ku-crt_crl.crt.openssl.v3_ext create mode 100644 tests/data_files/test-ca2.ku-ds.crt.openssl.v3_ext 
diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 6d9cb68be..9e3391075 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -168,13 +168,28 @@ test_ca_crt_file_ec = test-ca2.crt test_ca_key_file_ec = test-ca2.key test-ca2.req.sha256: $(test_ca_key_file_ec) - $(MBEDTLS_CERT_REQ) output_file=$@ filename=$(test_ca_key_file_ec) subject_name="C=NL,O=PolarSSL,CN=Polarssl Test EC CA" md=SHA256 + $(MBEDTLS_CERT_REQ) output_file=$@ filename=$(test_ca_key_file_ec) \ + subject_name="C=NL,O=PolarSSL,CN=Polarssl Test EC CA" md=SHA256 all_intermediate += test-ca2.req.sha256 test-ca2.crt: $(test_ca_key_file_ec) test-ca2.req.sha256 - $(MBEDTLS_CERT_WRITE) is_ca=1 serial=13926223505202072808 request_file=test-ca2.req.sha256 selfsign=1 issuer_name="C=NL,O=PolarSSL,CN=Polarssl Test EC CA" issuer_key=$(test_ca_key_file_ec) not_before=20190210144400 not_after=20290210144400 md=SHA256 version=3 output_file=$@ + $(MBEDTLS_CERT_WRITE) is_ca=1 serial=13926223505202072808 selfsign=1 \ + request_file=test-ca2.req.sha256 \ + issuer_name="C=NL,O=PolarSSL,CN=Polarssl Test EC CA" \ + issuer_key=$(test_ca_key_file_ec) \ + not_before=20190210144400 not_after=20290210144400 \ + md=SHA256 version=3 output_file=$@ all_final += test-ca2.crt +test-ca2.ku-%.crt: test-ca2.ku-%.crt.openssl.v3_ext $(test_ca_key_file_ec) test-ca2.req.sha256 + $(OPENSSL) x509 -req -in test-ca2.req.sha256 -extfile $< \ + -signkey $(test_ca_key_file_ec) -days 3653 -out $@ + +all_final += test-ca2.ku-crl.crt \ + test-ca2.ku-crt.crt \ + test-ca2.ku-crt_crl.crt \ + test-ca2.ku-ds.crt + test-ca2-future.crt: $(test_ca_key_file_ec) test-ca2.req.sha256 $(MBEDTLS_CERT_WRITE) is_ca=1 serial=13926223505202072808 request_file=test-ca2.req.sha256 selfsign=1 \ issuer_name="C=NL,O=PolarSSL,CN=Polarssl Test EC CA" issuer_key=$(test_ca_key_file_ec) \ 
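Review bot: The new `test-ca2.ku-%.crt` pattern rule pins neither the digest nor the serial number: its `$(OPENSSL) x509 -req` recipe has no `-sha256` and no `-set_serial`, while the `test-ca2.crt` rule in the same hunk sets `md=SHA256` and a fixed serial. The signature algorithm therefore follows whatever default the installed OpenSSL uses, and each regeneration yields a different serial. Make the second recipe line `-signkey $(test_ca_key_file_ec) -sha256 -days 3653 -out $@`, and add a fixed `-set_serial <serial>` if any test compares serials.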
@@ -199,10 +214,14 @@ $(test_ca_ec_cat): all_final += $(test_ca_ec_cat) parse_input/test-ca-any_policy.crt: $(test_ca_key_file_rsa) test-ca.req.sha256 - $(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions v3_any_policy_ca -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 0 -days 3653 -sha256 -in test-ca.req.sha256 -out $@ + $(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions v3_any_policy_ca \ + -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" \ + -set_serial 0 -days 3653 -sha256 -in test-ca.req.sha256 -out $@ parse_input/test-ca-any_policy_ec.crt: $(test_ca_key_file_ec) test-ca.req_ec.sha256 - $(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions v3_any_policy_ca -key $(test_ca_key_file_ec) -set_serial 0 -days 3653 -sha256 -in test-ca.req_ec.sha256 -out $@ + $(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions v3_any_policy_ca \ + -key $(test_ca_key_file_ec) -set_serial 0 -days 3653 -sha256 \ + -in test-ca.req_ec.sha256 -out $@ parse_input/test-ca-any_policy_with_qualifier.crt: $(test_ca_key_file_rsa) test-ca.req.sha256 $(OPENSSL) req -x509 -config $(test_ca_config_file) -extensions v3_any_policy_qualifier_ca -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 0 -days 3653 -sha256 -in test-ca.req.sha256 -out $@ diff --git a/tests/data_files/test-ca2.ku-crl.crt b/tests/data_files/test-ca2.ku-crl.crt index 4fb40838c..303a2c00b 100644 --- a/tests/data_files/test-ca2.ku-crl.crt +++ b/tests/data_files/test-ca2.ku-crl.crt 
@@ -1,12 +1,12 @@ -----BEGIN CERTIFICATE----- -MIIBzDCCAVOgAwIBAgIJAP6mZLzh0IPSMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT -Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF -QyBDQTAeFw0xNDA0MDkxMTIzMzhaFw0yNDA0MDYxMTIzMzhaMD4xCzAJBgNVBAYT -Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF -QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu -ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy -aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqMdMBswDAYDVR0TBAUwAwEB/zAL -BgNVHQ8EBAMCAQIwCgYIKoZIzj0EAwIDZwAwZAIwZOCKY0EHXYzI4cQsFnfOrxm1 -ufvNeZ4ZcSZWrkTBazW2OBCuCP9SLznec3SFOUvvAjAKe/qycfxkHivjieCEG1Kt -m2D4QKSJELUhTHr4zdkeqbzgui0y3iouaoyWsKvetNg= +MIIB2DCCAV6gAwIBAgIUN3DAVq0Kn9k3FPUPZGW2d3rZn28wCgYIKoZIzj0EAwIw +PjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xh +cnNzbCBUZXN0IEVDIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1ow +PjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xh +cnNzbCBUZXN0IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+H +Vv78ibopQ0tO4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqr +Id240xxuWLjK6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeox0wGzAMBgNV +HRMEBTADAQH/MAsGA1UdDwQEAwIBAjAKBggqhkjOPQQDAgNoADBlAjAxoq/Q4PEA +8SDd3cQaVIwx8oJVEzfJo1BB2w1LnjvUXZrQydjNXMU4Jgorm/2/uLgCMQCyI6cZ +EAIgKPYlT6/zJHBj45qejs527OfI4Xn+kQ7OvHQtHaCAzQw4h7Jfx+gXaUo= -----END CERTIFICATE----- diff --git a/tests/data_files/test-ca2.ku-crl.crt.openssl.v3_ext b/tests/data_files/test-ca2.ku-crl.crt.openssl.v3_ext new file mode 100644 index 000000000..4bc5d3c24 --- /dev/null +++ b/tests/data_files/test-ca2.ku-crl.crt.openssl.v3_ext @@ -0,0 +1,4 @@ +basicConstraints = CA:true +subjectKeyIdentifier=none +keyUsage = cRLSign + diff --git a/tests/data_files/test-ca2.ku-crt.crt b/tests/data_files/test-ca2.ku-crt.crt index edacc64c9..5cad7b2fc 100644 --- a/tests/data_files/test-ca2.ku-crt.crt +++ b/tests/data_files/test-ca2.ku-crt.crt 
@@ -1,12 +1,12 @@ -----BEGIN CERTIFICATE----- -MIIBzTCCAVOgAwIBAgIJAODh6PAeD9/vMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT -Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF -QyBDQTAeFw0xNDA0MDkxMTIzNTRaFw0yNDA0MDYxMTIzNTRaMD4xCzAJBgNVBAYT -Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF -QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu -ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy -aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqMdMBswDAYDVR0TBAUwAwEB/zAL -BgNVHQ8EBAMCAgQwCgYIKoZIzj0EAwIDaAAwZQIwGGlbynd1jU3WkUx6Irhk9Lob -z2B+1eIO6+eu3En8B3rh8Ipfxo0e0hpfaRFYP1MUAjEAjxxBchRWJAzZ6/47Wg/7 -UoasRINgP5B/uJhTnftS1bqyuWHastb4LW5/YLOvPbMQ +MIIB2DCCAV6gAwIBAgIUYDcYIJ6EBbKafKeXLgPLE+RsJZowCgYIKoZIzj0EAwIw +PjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xh +cnNzbCBUZXN0IEVDIENBMB4XDTIzMDUxMjEwMzEwNVoXDTMzMDUxMjEwMzEwNVow +PjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xh +cnNzbCBUZXN0IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+H +Vv78ibopQ0tO4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqr +Id240xxuWLjK6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeox0wGzAMBgNV +HRMEBTADAQH/MAsGA1UdDwQEAwICBDAKBggqhkjOPQQDAgNoADBlAjBwsfyYiZB6 +PpDgIbYRbZ4VT9GGFNE3L4C1IH8RNwzvywLvQfVp3ocRAkzEoRpmKAsCMQDOGm48 +d7zKl7IzmBuOWXYlukWDDWwpNI67z7g0JawfypKIxcPTZFiQXVtDdTdkrGY= -----END CERTIFICATE----- diff --git a/tests/data_files/test-ca2.ku-crt.crt.openssl.v3_ext b/tests/data_files/test-ca2.ku-crt.crt.openssl.v3_ext new file mode 100644 index 000000000..997c8930b --- /dev/null +++ b/tests/data_files/test-ca2.ku-crt.crt.openssl.v3_ext @@ -0,0 +1,4 @@ +basicConstraints = CA:true +subjectKeyIdentifier=none +keyUsage = keyCertSign + diff --git a/tests/data_files/test-ca2.ku-crt_crl.crt b/tests/data_files/test-ca2.ku-crt_crl.crt index ac74e402a..4c69582f3 100644 --- a/tests/data_files/test-ca2.ku-crt_crl.crt +++ b/tests/data_files/test-ca2.ku-crt_crl.crt 
@@ -1,12 +1,12 @@ -----BEGIN CERTIFICATE----- -MIIBzDCCAVOgAwIBAgIJAPejOupCJS65MAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT -Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF -QyBDQTAeFw0xNDA0MDkxMTIyMjVaFw0yNDA0MDYxMTIyMjVaMD4xCzAJBgNVBAYT -Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF -QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu -ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy -aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqMdMBswDAYDVR0TBAUwAwEB/zAL -BgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDZwAwZAIwMKLVXB4YBQ0Ha4dEvFPcJtau -TS5Vd4UqG3xQ10YcJogweuqaGHSFgdnEUfoX+4p5AjApMnYXFfUjSmlyfJmTaswO -gaR5sUnnw33NA9j1ercem3asCYz6a8T0zo8/rR33XVU= +MIIB2TCCAV6gAwIBAgIUd5f42F4ahjkx9AIN035pcF4WFikwCgYIKoZIzj0EAwIw +PjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xh +cnNzbCBUZXN0IEVDIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1ow +PjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xh +cnNzbCBUZXN0IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+H +Vv78ibopQ0tO4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqr +Id240xxuWLjK6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeox0wGzAMBgNV +HRMEBTADAQH/MAsGA1UdDwQEAwIBBjAKBggqhkjOPQQDAgNpADBmAjEA6IUvQwSw +vEkHjU9YNsPcUsJf0UTHUW1T8mNbgk+zCl6fzeU73oCXH6zoi5q6vLgjAjEAv63C +xknmJJ4H3Zlc+O5GlcX9VQNZDn1xV7hf2yW1Gf7wLTnSWTf5bXATaIQ6QLO1 -----END CERTIFICATE----- diff --git a/tests/data_files/test-ca2.ku-crt_crl.crt.openssl.v3_ext b/tests/data_files/test-ca2.ku-crt_crl.crt.openssl.v3_ext new file mode 100644 index 000000000..0fd73a25a --- /dev/null +++ b/tests/data_files/test-ca2.ku-crt_crl.crt.openssl.v3_ext @@ -0,0 +1,4 @@ +basicConstraints = CA:true +subjectKeyIdentifier=none +keyUsage = keyCertSign, cRLSign + diff --git a/tests/data_files/test-ca2.ku-ds.crt b/tests/data_files/test-ca2.ku-ds.crt index c28e17b22..2907aa734 100644 --- a/tests/data_files/test-ca2.ku-ds.crt +++ b/tests/data_files/test-ca2.ku-ds.crt 
@@ -1,12 +1,12 @@ -----BEGIN CERTIFICATE----- -MIIBzDCCAVOgAwIBAgIJAPOkPR3wsvm5MAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT -Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF -QyBDQTAeFw0xNDA0MDkxMTI0MTNaFw0yNDA0MDYxMTI0MTNaMD4xCzAJBgNVBAYT -Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF -QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu -ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy -aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqMdMBswDAYDVR0TBAUwAwEB/zAL -BgNVHQ8EBAMCB4AwCgYIKoZIzj0EAwIDZwAwZAIwGRCmU/rWNjW13g8ITuq3pMXb -jgwTFJHVlbMDiFJwUrRvytPV9doJOfzJ8nAQ0cZ1AjAbJ8QAV2e+DmYZpWc/p6Ug -nQdac59ev+lH+ju6wET3jNDjUthUPrdgqa54+UWQ5r4= +MIIB2TCCAV6gAwIBAgIUb5xsO6FEmAz+XpGFHpW7ODFvup0wCgYIKoZIzj0EAwIw +PjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xh +cnNzbCBUZXN0IEVDIENBMB4XDTIzMDUxNzA3MTAzN1oXDTMzMDUxNzA3MTAzN1ow +PjELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xh +cnNzbCBUZXN0IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+H +Vv78ibopQ0tO4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqr +Id240xxuWLjK6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeox0wGzAMBgNV +HRMEBTADAQH/MAsGA1UdDwQEAwIHgDAKBggqhkjOPQQDAgNpADBmAjEA44HVvGYv +meA3SpaNJmubLKjsQlGNnEUUo1IO0NBP5yWG0dRFkX8NQ0bzH/1n6FJcAjEAm9wj +xdmEPUr6PY54c0IQJNeeF76L1/+EszXrSDQ7TLv1YC4d4uMNmqwR9EGuUX+/ -----END CERTIFICATE----- diff --git a/tests/data_files/test-ca2.ku-ds.crt.openssl.v3_ext b/tests/data_files/test-ca2.ku-ds.crt.openssl.v3_ext new file mode 100644 index 000000000..08e49d475 --- /dev/null +++ b/tests/data_files/test-ca2.ku-ds.crt.openssl.v3_ext @@ -0,0 +1,4 @@ +basicConstraints = CA:true +subjectKeyIdentifier=none +keyUsage = digitalSignature + From 55ee7f8e133b0c5cd5570e6a12c5fe097bb50f86 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Mon, 29 May 2023 11:02:42 +0800 Subject: [PATCH 027/222] Add rule for server2-badsign.crt Signed-off-by: Pengyu Lv --- tests/data_files/Makefile | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 9e3391075..35bae2429 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -1605,6 +1605,10 @@ server2-sha256.crt: server2.req.sha256 $(MBEDTLS_CERT_WRITE) request_file=server2.req.sha256 serial=2 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=SHA256 version=3 output_file=$@ all_final += server2-sha256.crt +server2-badsign.crt: server2.crt + { head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; } > $@ +all_final += server2-badsign.crt + # server3* parse_input/server3.crt server3.crt: server3.key From 0063599e6f4a8fc7326599b44d1d718a019164a2 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Thu, 18 May 2023 14:40:27 +0800 Subject: [PATCH 028/222] Add rules to generate server2.ku-*.crt Signed-off-by: Pengyu Lv --- tests/data_files/Makefile | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 35bae2429..1b80cee97 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile 
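Review bot: The sed pipeline in the `server2-badsign.crt` recipe is undocumented, and its effect depends on base64 padding. It rewrites the last non-`=` character of the final payload line (`0` becomes `1`, anything else becomes `0`); when that line ends in `=` padding, some bits of that character are not part of the decoded signature, so the swap may leave the DER bytes unchanged or only make the encoding non-canonical. Whether that can happen for server2.crt is not visible here, so a check that the decoded output differs from server2.crt would settle it. I would add a comment such as `# Corrupt the signature by changing its last base64 character; the file must still parse as a certificate`. `head -n-2` with a negative count is also a GNU coreutils extension, which is worth stating if this Makefile is expected to run elsewhere.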
@@ -1605,6 +1605,21 @@ server2-sha256.crt: server2.req.sha256 $(MBEDTLS_CERT_WRITE) request_file=server2.req.sha256 serial=2 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=SHA256 version=3 output_file=$@ all_final += server2-sha256.crt +server2.ku-ka.crt: SERVER2_CRT_SERIAL=42 +server2.ku-ka.crt: SERVER2_KEY_USAGE=key_agreement +server2.ku-ke.crt: SERVER2_CRT_SERIAL=43 +server2.ku-ke.crt: SERVER2_KEY_USAGE=key_encipherment +server2.ku-ds.crt: SERVER2_CRT_SERIAL=44 +server2.ku-ds.crt: SERVER2_KEY_USAGE=digital_signature +server2.ku-ds_ke.crt: SERVER2_CRT_SERIAL=48 +server2.ku-ds_ke.crt: SERVER2_KEY_USAGE=digital_signature,key_encipherment +server2.ku-%.crt: server2.req.sha256 + $(MBEDTLS_CERT_WRITE) request_file=server2.req.sha256 serial=$(SERVER2_CRT_SERIAL) \ + issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) \ + key_usage="$(SERVER2_KEY_USAGE)" \ + not_before=20190210144406 not_after=20290210144406 md=SHA1 version=3 output_file=$@ +all_final += server2.ku-ka.crt server2.ku-ke.crt server2.ku-ds.crt server2.ku-ds_ke.crt + server2-badsign.crt: server2.crt { head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; } > $@ all_final += server2-badsign.crt From 5b91dc7265574721f55e409aa14b446f0bfacdf3 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Thu, 18 May 2023 14:41:32 +0800 Subject: [PATCH 029/222] Update server2.ku-*.crt Signed-off-by: Pengyu Lv --- tests/data_files/server2.ku-ds.crt | 27 +++++++++++++-------------- tests/data_files/server2.ku-ds_ke.crt | 27 +++++++++++++-------------- tests/data_files/server2.ku-ka.crt | 27 +++++++++++++-------------- tests/data_files/server2.ku-ke.crt | 27 +++++++++++++-------------- 4 files changed, 52 insertions(+), 56 deletions(-) diff --git a/tests/data_files/server2.ku-ds.crt b/tests/data_files/server2.ku-ds.crt index 3bd07d0fb..d1e1251d9 100644 
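Review bot: The pattern rule `server2.ku-%.crt` matches any stem, but `SERVER2_CRT_SERIAL` and `SERVER2_KEY_USAGE` are set only for the four listed targets, so a request for any other `server2.ku-*.crt` would invoke cert_write with an empty serial and an empty key usage instead of failing in make. A guard as the first recipe line, `$(if $(SERVER2_CRT_SERIAL),,$(error no serial defined for $@))`, makes the mistake visible. The `server5.%.crt` rule added later in this series has the same shape and matches even more names. The recipe also signs with `md=SHA1`, presumably to reproduce the existing fixtures; a comment like `# SHA-1 kept on purpose: test fixtures for key-usage checks only` would keep it from being copied into other rules.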
--- a/tests/data_files/server2.ku-ds.crt +++ b/tests/data_files/server2.ku-ds.crt 
@@ -1,21 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIDijCCAnKgAwIBAgIBLDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER -MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN -MTQwNDA5MDg0NDUxWhcNMjQwNDA2MDg0NDUxWjA0MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN +MIIDRzCCAi+gAwIBAgIBLDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G +A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya -HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaOBnzCBnDAJ -BgNVHRMEAjAAMB0GA1UdDgQWBBSlBehkuNzfYA9QEk1gqGSvTYtDkzBjBgNVHSME -XDBagBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAP -BgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMAsG -A1UdDwQEAwIHgDANBgkqhkiG9w0BAQUFAAOCAQEAc4kubASrFXFtplkYp6FUcnUn -Pf/6laS1htI+3y+q1UHWe2PcagZtCHTCUGBSWLeUIiaIBheaIRqv+4sSFVuXB7hV -0PGXpO5btth4R8BHzGqCdObKvPujp5BDq3xgcAFicA3HUMNsJoTDv/RYXY7je1Q5 -ntVyVPeji0AWMUYQjcqHTQQPGBgdJrRTMaYglZh15IhJ16ICNd9rWIeBA0h/+r0y -QuFEBz0nfe7Dvpqct7gJCv+7/5tCujx4LT17z7oK8BZN5SePAGU2ykJsUXk8ZICT -ongaQQVQwS6/GJ6A5V8ecaUvFrTby1h9+2sOW8n2NRGiaaG5gkvxVeayemcmOQ== +HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNdMFswCQYD +VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw +FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDgYDVR0PAQH/BAQDAgeAMA0GCSqGSIb3 +DQEBBQUAA4IBAQCcDy5VWW133eL1TesUkejziAz9QNBHvWkKNs0jF6+fRgWgFP5Y +EE87rQX0Z1XiyTDB4LdKfivRi3TMD7EX8o6q9C3H/ilu5anrgha8WziMrtv/s9IF +QjpyHdnXGoXmA9uDqQLtucR5yep3ux4mlwS8GG3IUkpkdysNOrVvSARm0ZagQ9tn 
+YZyEjGd8wP3jKYNJAB2OdnvX9OqBmEyvSmMucSidkMkdLrUcjmOtz+AkqoRGewwc +eClstlp8NEuP37q2KLYtbQMpio1Kzsr3PCey1UImKNjauypS2Dpzl1RnmBw+c5En +SdLMa+ns3odRhF0IvENDhz/mKZJvwtoz/NBz -----END CERTIFICATE----- diff --git a/tests/data_files/server2.ku-ds_ke.crt b/tests/data_files/server2.ku-ds_ke.crt index ebee7e1c3..eb23245d8 100644 --- a/tests/data_files/server2.ku-ds_ke.crt +++ b/tests/data_files/server2.ku-ds_ke.crt 
@@ -1,21 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIDijCCAnKgAwIBAgIBMDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER -MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN -MTQwNDA5MTAwMjQ5WhcNMjQwNDA2MTAwMjQ5WjA0MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN +MIIDRzCCAi+gAwIBAgIBMDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G +A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya -HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaOBnzCBnDAJ -BgNVHRMEAjAAMB0GA1UdDgQWBBSlBehkuNzfYA9QEk1gqGSvTYtDkzBjBgNVHSME -XDBagBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAP -BgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMAsG -A1UdDwQEAwIFoDANBgkqhkiG9w0BAQUFAAOCAQEAnW7+h85xBP2KJzFSpWfGirVe -ApdC9bX0Z1sVMmD486N+ty9W6BP6kJRxLDX0fOuRc3x7mCy5qZg/Yj40+yQSoA0w -bTNwJjuR8iMqWIqLw9hWR+E9T4lYLZWyGJVjlVTkO4i5wifwhoJE9Doohh/6crn5 -ImWgEkgT/wDVIHoamciO6KU36d0iAEEP2eYgxv2/sVHvjjsseTdvYh3D3VuOmQtS -uUvFxc6H5kYoq/yodJWDaOn3RS8pEpDsiW+abcWyxNTPtHFroJV7e9aaVmhlRSzw -sYDyD/ZyIlavoPSEiD3LTT/Tp6BIpz+zb4WHOHLEvUCsZputqxPVcNoEAi9xuA== +HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNdMFswCQYD +VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw +FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDgYDVR0PAQH/BAQDAgWgMA0GCSqGSIb3 +DQEBBQUAA4IBAQB6u7D3tAsB75aZEcUfv2XyeLX4P99mzx2yOBSsPaIDTRyv0XoT +vbgUA7viX/F7I8b2kc6ihRXSu/98c7Vr/uSm0LfV3VMgoAXBCWNg/5c/N3c0YnZ2 +imuv0yeXw5cJI3iYQJmllawdrGgOslfPuO7kqrFt3uGaylITpVLQ7w7iDpPbAFM8 
+kPpO6CMyCFi6miQYoZchTTP9X3dpbpNdB2FlSVT55J6TIvH5x4t7XCFJuvYYJxrf +8I3UFR3OnBR625zUHXJ6uV8yHG5ze+4K2n9CHcyX7zuZ+bB0e8wIS6Xf99M+1ApF +ESvXwHI0Fu8s/PJ+leD28CRJQMuAOJIYBMnS -----END CERTIFICATE----- diff --git a/tests/data_files/server2.ku-ka.crt b/tests/data_files/server2.ku-ka.crt index 90f7c4a99..ce97e8272 100644 --- a/tests/data_files/server2.ku-ka.crt +++ b/tests/data_files/server2.ku-ka.crt 
@@ -1,21 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIDijCCAnKgAwIBAgIBKjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER -MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN -MTQwNDA5MDg0NDIzWhcNMjQwNDA2MDg0NDIzWjA0MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN +MIIDRzCCAi+gAwIBAgIBKjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G +A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya -HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaOBnzCBnDAJ -BgNVHRMEAjAAMB0GA1UdDgQWBBSlBehkuNzfYA9QEk1gqGSvTYtDkzBjBgNVHSME -XDBagBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAP -BgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMAsG -A1UdDwQEAwIDCDANBgkqhkiG9w0BAQUFAAOCAQEAriPloIWfu7U8d1hls97C7OBI -OiE2xFh2UmuN/9hTK2CyW6MtBf8aG3l4jQDrsutHO0gUyoR67ug4yj+s+0S/zETZ -q6mPo7cBbVwjhGciQRiYgufFpdnbXR05HDgOVPK7qqjL6UOZnbu5caIEvIJgdwXn -n8WB9x/Ii4/2S9ysmRdRhDBYekzgH3Ac2UnHJTMh1XaSL817MW6B9BDKHt4xa7pW -cplDzrFKYbmxSSxzALE4Dr+zRvmDx4bcYpBkRRfOhnnR1caQBgaZzPcX/Vu+vw8e -qs2nyBW5RBu8MBCBU1DpqOSo6jl0QTpuq3NzQZIouG9fyckqDJS5ibrxQTutPw== +HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNdMFswCQYD +VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw +FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDgYDVR0PAQH/BAQDAgMIMA0GCSqGSIb3 +DQEBBQUAA4IBAQAxJDMtlqpFHKw5ymqzgfnm0aY51PZOXpsPfoed7Vz2PzSB2eJ0 +JQc+QuLhippy8hnPmPZg/HQ/gedbxFKPiIiYEh86GvnBFozQ+c8sE0h6tJgVOJJi +ADUNeVJoq03WIroTMqAB0uW0rHB+OFm7uRwIDFr2gWVrKZKg/KsDrxtng2wPOgbU 
+xvPRtNyaOZjV0GjuBhWxpPTxXw27e5Mq3MS5B9piZgPXmam5lZdOe0LNrbQShfmP +4mk4drjdQaUrL3JLpLt8S4oihZU+dOHkYdZVHSAuuGikZK7qPfEdP/yrZTCgtY54 +vXxv47xT9L+pWtiTosBmsy/ewvWprVJIxLh3 -----END CERTIFICATE----- diff --git a/tests/data_files/server2.ku-ke.crt b/tests/data_files/server2.ku-ke.crt index 8daa0c13d..21e6cf040 100644 --- a/tests/data_files/server2.ku-ke.crt +++ b/tests/data_files/server2.ku-ke.crt 
@@ -1,21 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIDijCCAnKgAwIBAgIBKzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER -MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN -MTQwNDA5MDg0NDM5WhcNMjQwNDA2MDg0NDM5WjA0MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN +MIIDRzCCAi+gAwIBAgIBKzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G +A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya -HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaOBnzCBnDAJ -BgNVHRMEAjAAMB0GA1UdDgQWBBSlBehkuNzfYA9QEk1gqGSvTYtDkzBjBgNVHSME -XDBagBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAP -BgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMAsG -A1UdDwQEAwIFIDANBgkqhkiG9w0BAQUFAAOCAQEAqreLAIuxeLGKbhoEROYRqXxO -ndaC6uDcpxhgmEW7B2DW6ZtX8155v3ov61MuMas8fEQjD5STDP9qERxNTePnhW3m -kDZd2jUBE3ioHhTBv47i1PYU+DRe42kY6z0jUmNPK8TsTKfdbqTGXg9THe1KYB7q -hdljqGS08IgBl/q2lK2OOSycu27xhfb9Mo0BcLBab92WgyBu+cFPQsKiL4mD7QyJ -+73Ndb21EuANUjsRDQ3NPklssJcyJB2v85eekwk1acZUG21no3wdTvjxhVE/Xrdz -zUP9WkvAVfUrwGjUzG4YHE8wkHO7xKbKixNt+nQmDhe+tHVbztZjVwFJ8010gg== +HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNdMFswCQYD +VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw +FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDgYDVR0PAQH/BAQDAgUgMA0GCSqGSIb3 +DQEBBQUAA4IBAQCeNpH2eSUXpq0CPlE6P1/bJW2f0vKFWMnZ6B3eFCdMCcKJ6LYV +BA1Dn5G5HEW4mBMJfyMwD5sklyEzQDCgIDjws+BRUflMr71AerfesHIGdW4jAw10 +aWwFMeszzZ54ZahX2GHPcwWfTccSf9tpSaRMlNBEIz8lfb2iEZ2HR9eAmAqYgtR1 
+RbYcsNfC0oBYOCTRmvXi+wpGcUWn+VbIv6rHrQYnWXiPAuPJUqIpM0x9q0kT6NCi +LfdhaVV2DPnvBYGRcXX78JK5/MQt/sv4JSefRpvxpVQCmbo0amz7hUMHGCflAbro +FpyBlfcpj0lSRoaU9x0mCYzqwDYd+4NJZUGT -----END CERTIFICATE----- From b078607f04ad987207bbfafe7a77550f14c0cedf Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Thu, 18 May 2023 17:18:36 +0800 Subject: [PATCH 030/222] cert_write: Support write any for extended key usage Signed-off-by: Pengyu Lv --- programs/x509/cert_write.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index e58f52853..40b1871f3 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -530,6 +530,8 @@ usage: SET_OID(ext_key_usage->buf, MBEDTLS_OID_TIME_STAMPING); } else if (strcmp(q, "OCSPSigning") == 0) { SET_OID(ext_key_usage->buf, MBEDTLS_OID_OCSP_SIGNING); + } else if (strcmp(q, "any") == 0) { + SET_OID(ext_key_usage->buf, MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE); } else { mbedtls_printf("Invalid argument for option %s\n", p); goto usage; From 1ca5c0eae91bd1db2bcf79ea26f2f2fb779aafcc Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Thu, 18 May 2023 15:20:12 +0800 Subject: [PATCH 031/222] Add rules to generate server5.[e]ku-*.crt Signed-off-by: Pengyu Lv --- tests/data_files/Makefile | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 1b80cee97..0a32b3b64 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile 
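Review bot: The new `"any"` branch accepts anyExtendedKeyUsage with no matching documentation. The diffstat shows only these two lines changed in cert_write.c, so the program's usage text for `ext_key_usage` (outside this hunk, if it lists the accepted names) still omits it. Since a certificate carrying this OID is typically accepted by verifiers for every extended purpose, I would add `/* anyExtendedKeyUsage: no purpose restriction; intended for test certificates */` above the branch and list `any` in the help text. The enclosing option-parsing function starts and ends outside the hunk.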
@@ -1418,6 +1418,32 @@ server5.req.ku.sha1: server5.key $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< key_usage=digital_signature,non_repudiation subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1 all_final += server5.req.ku.sha1 +server5.ku-ds.crt: SERVER5_CRT_SERIAL=45 +server5.ku-ds.crt: SERVER5_KEY_USAGE=digital_signature +server5.ku-ka.crt: SERVER5_CRT_SERIAL=46 +server5.ku-ka.crt: SERVER5_KEY_USAGE=key_agreement +server5.ku-ke.crt: SERVER5_CRT_SERIAL=47 +server5.ku-ke.crt: SERVER5_KEY_USAGE=key_encipherment +server5.eku-cs.crt: SERVER5_CRT_SERIAL=58 +server5.eku-cs.crt: SERVER5_EXT_KEY_USAGE=codeSigning +server5.eku-cs_any.crt: SERVER5_CRT_SERIAL=59 +server5.eku-cs_any.crt: SERVER5_EXT_KEY_USAGE=codeSigning,any +server5.eku-cli.crt: SERVER5_CRT_SERIAL=60 +server5.eku-cli.crt: SERVER5_EXT_KEY_USAGE=clientAuth +server5.eku-srv_cli.crt: SERVER5_CRT_SERIAL=61 +server5.eku-srv_cli.crt: SERVER5_EXT_KEY_USAGE=serverAuth,clientAuth +server5.eku-srv.crt: SERVER5_CRT_SERIAL=62 +server5.eku-srv.crt: SERVER5_EXT_KEY_USAGE=serverAuth +server5.ku-%.crt: SERVER5_EXT_OPTS=key_usage=$(SERVER5_KEY_USAGE) +server5.eku-%.crt: SERVER5_EXT_OPTS=ext_key_usage=$(SERVER5_EXT_KEY_USAGE) +server5.%.crt: server5.key + $(MBEDTLS_CERT_WRITE) \ + subject_key=$< subject_name="C=NL,O=PolarSSL,CN=localhost" serial=$(SERVER5_CRT_SERIAL) \ + issuer_crt=$(test_ca_crt_file_ec) issuer_key=$(test_ca_key_file_ec) $(SERVER5_EXT_OPTS) \ + not_before=20190210144406 not_after=20290210144406 md=SHA256 version=3 output_file=$@ +all_final += server5.ku-ka.crt server5.ku-ke.crt server5.ku-ds.crt +all_final += server5.eku-cs.crt server5.eku-cs_any.crt server5.eku-cli.crt server5.eku-srv_cli.crt server5.eku-srv.crt + # server6* server6.csr: server6.key From d9ba29733e23800d215a29611bb6dbb7e083baa2 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Thu, 18 May 2023 15:21:11 +0800 Subject: [PATCH 032/222] Update server5.[e]ku-*.crt 
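Review bot: The serial numbers assigned here (45–47, 58–62) are unexplained, yet they look deliberate: the certificates regenerated in the following commit keep the serials of the files they replace. I would say so in a comment above the block, e.g. `# Serials match the previously checked-in server5.*.crt files; do not renumber`, so a later edit does not change issuer/serial pairs that tests may rely on. The recipe also passes `$(SERVER5_EXT_OPTS)` unquoted while the server2 rule quotes `key_usage="$(SERVER2_KEY_USAGE)"`; quoting both the same way would be more consistent.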
Signed-off-by: Pengyu Lv --- tests/data_files/server5.eku-cli.crt | 22 +++++++++++----------- tests/data_files/server5.eku-cs.crt | 22 +++++++++++----------- tests/data_files/server5.eku-cs_any.crt | 22 +++++++++++----------- tests/data_files/server5.eku-srv.crt | 22 +++++++++++----------- tests/data_files/server5.eku-srv_cli.crt | 22 +++++++++++----------- tests/data_files/server5.ku-ds.crt | 23 +++++++++++------------ tests/data_files/server5.ku-ka.crt | 23 +++++++++++------------ tests/data_files/server5.ku-ke.crt | 23 +++++++++++------------ 8 files changed, 88 insertions(+), 91 deletions(-) diff --git a/tests/data_files/server5.eku-cli.crt b/tests/data_files/server5.eku-cli.crt index 8aa2e44a0..8d0455983 100644 --- a/tests/data_files/server5.eku-cli.crt +++ b/tests/data_files/server5.eku-cli.crt 
@@ -1,13 +1,13 @@ -----BEGIN CERTIFICATE----- -MIIB5DCCAWmgAwIBAgIBPDAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN -MTQwNDEwMTcyMTIxWhcNMjQwNDA3MTcyMTIxWjA0MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG -CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA -2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jYjBgMAkGA1UdEwQCMAAwHQYD -VR0OBBYEFFBhpY/UB9nXggEM5WV/jGNGpxO+MB8GA1UdIwQYMBaAFJ1tICRJAT8r -y3i1Gbx+JMnb+zZ8MBMGA1UdJQQMMAoGCCsGAQUFBwMCMAoGCCqGSM49BAMCA2kA -MGYCMQCzHyEvd56zm1AzfDBi3psz3rDL/m0RN2WnbRBQJxIJqjwEXOrKazko9m9q -owgau88CMQDuI0fsq5tnyiHPaDSAE21/6hlrCR6deNbwzB94OuPIbx1wIas9D1jc -//iSmKtbl8Y= +MIIB6zCCAW6gAwIBAgIBPDAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw +DwYDVQQKDAhQb2xhclNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQTAe +Fw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMDQxCzAJBgNVBAYTAk5MMREw +DwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0C +AQYIKoZIzj0DAQcDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO +5QDYIxH/6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/6NlMGMwCQYDVR0TBAIwADAd +BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wHwYDVR0jBBgwFoAUnW0gJEkB +PyvLeLUZvH4kydv7NnwwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwIwDAYIKoZIzj0E +AwIFAANpADBmAjEAoC1Xxg8Xt3tvM2ZER4jCRv7iSYPWGgNtcYNJj3G0lb0PYi1l +Nd0cqdGxydhm7RJLAjEApAE8koD1ccIPnSFTagT7shOSz1/lOU4wwAWswcwolzt3 +xrvFlMoTeJx3sS3Zqdr8 -----END CERTIFICATE----- diff --git a/tests/data_files/server5.eku-cs.crt b/tests/data_files/server5.eku-cs.crt index db97b403e..c00bc3bec 100644 --- a/tests/data_files/server5.eku-cs.crt +++ b/tests/data_files/server5.eku-cs.crt 
@@ -1,13 +1,13 @@ -----BEGIN CERTIFICATE----- -MIIB4zCCAWmgAwIBAgIBOjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN -MTQwNDEwMTcyMDQxWhcNMjQwNDA3MTcyMDQxWjA0MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG -CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA -2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jYjBgMAkGA1UdEwQCMAAwHQYD -VR0OBBYEFFBhpY/UB9nXggEM5WV/jGNGpxO+MB8GA1UdIwQYMBaAFJ1tICRJAT8r -y3i1Gbx+JMnb+zZ8MBMGA1UdJQQMMAoGCCsGAQUFBwMDMAoGCCqGSM49BAMCA2gA -MGUCMQC294oVK6fUjH/abI1xzytTusi8dl7518L0Y19q8zi9K19OtxzPK09h7xyy -gaJRvpUCMFS6hYhrht38yqwwhSVlnmTMVtira58mEUhL6v7Qzw1sz/Dm4aXkW3s6 -JQV1kqqbRw== +MIIB6jCCAW6gAwIBAgIBOjAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw +DwYDVQQKDAhQb2xhclNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQTAe +Fw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMDQxCzAJBgNVBAYTAk5MMREw +DwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0C +AQYIKoZIzj0DAQcDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO +5QDYIxH/6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/6NlMGMwCQYDVR0TBAIwADAd +BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wHwYDVR0jBBgwFoAUnW0gJEkB +PyvLeLUZvH4kydv7NnwwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwMwDAYIKoZIzj0E +AwIFAANoADBlAjBlMU7Fh18cel20P3rY7esvtPLDHQQKWSCO91XHHkZi1zRPq2px +nwVHayXnOS3CPRsCMQCQDYTyVMS8oEIrm0XPI6HrbCMUq2bhPwaYpelU/asOzYI3 +gOjGCDFHtyedJHVK0rs= -----END CERTIFICATE----- diff --git a/tests/data_files/server5.eku-cs_any.crt b/tests/data_files/server5.eku-cs_any.crt index 8fa8632dd..912d929b1 100644 --- a/tests/data_files/server5.eku-cs_any.crt +++ b/tests/data_files/server5.eku-cs_any.crt 
@@ -1,13 +1,13 @@ -----BEGIN CERTIFICATE----- -MIIB6TCCAW+gAwIBAgIBOzAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN -MTQwNDEwMTcyMDU4WhcNMjQwNDA3MTcyMDU4WjA0MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG -CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA -2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jaDBmMAkGA1UdEwQCMAAwHQYD -VR0OBBYEFFBhpY/UB9nXggEM5WV/jGNGpxO+MB8GA1UdIwQYMBaAFJ1tICRJAT8r -y3i1Gbx+JMnb+zZ8MBkGA1UdJQQSMBAGCCsGAQUFBwMDBgRVHSUAMAoGCCqGSM49 -BAMCA2gAMGUCMQCSYaq/9IKOTkzIrU/eOtpha/3af3JwT6vKh4N3cSX62ksMz0GT -Uxmq4UGMBt4VmBkCMBGpYqof6hS1o92ltNRpDSHuVQ+nke1lOsoQ1plZp4SI+bY1 -bUD/WrUSLlwikZAeng== +MIIB8DCCAXSgAwIBAgIBOzAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw +DwYDVQQKDAhQb2xhclNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQTAe +Fw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMDQxCzAJBgNVBAYTAk5MMREw +DwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0C +AQYIKoZIzj0DAQcDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO +5QDYIxH/6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/6NrMGkwCQYDVR0TBAIwADAd +BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wHwYDVR0jBBgwFoAUnW0gJEkB +PyvLeLUZvH4kydv7NnwwHAYDVR0lAQH/BBIwEAYIKwYBBQUHAwMGBFUdJQAwDAYI +KoZIzj0EAwIFAANoADBlAjEA89+l8gNC0H75Tzdz/75W6EjGSzZ3m50S4cK5jD6+ +ZZLpRcbIqPqMT2MNkCm7ImNpAjAlTkFLVCGnTNX/q7QWOrx8aPXXAeZtY5NFxd66 +EJJb+YHTQ80hZhLWX8/QaAJjniU= -----END CERTIFICATE----- diff --git a/tests/data_files/server5.eku-srv.crt b/tests/data_files/server5.eku-srv.crt index 64312f6c4..b173afcda 100644 --- a/tests/data_files/server5.eku-srv.crt +++ b/tests/data_files/server5.eku-srv.crt 
@@ -1,13 +1,13 @@ -----BEGIN CERTIFICATE----- -MIIB5DCCAWmgAwIBAgIBPjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN -MTQwNDEwMTcyMTU0WhcNMjQwNDA3MTcyMTU0WjA0MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG -CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA -2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jYjBgMAkGA1UdEwQCMAAwHQYD -VR0OBBYEFFBhpY/UB9nXggEM5WV/jGNGpxO+MB8GA1UdIwQYMBaAFJ1tICRJAT8r -y3i1Gbx+JMnb+zZ8MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAoGCCqGSM49BAMCA2kA -MGYCMQDQzjWB0xZs/8IsqJb7owYYtCiT17939Uuc/1yBF69pJRy7KV/qJlHNvlVu -qwWVTx0CMQDNW/0dlX1gU6ashrZv5Ly4sijg/g645fFpfMKCNXysEb9xiBeEj5de -2x5sX/0OSx4= +MIIB6jCCAW6gAwIBAgIBPjAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw +DwYDVQQKDAhQb2xhclNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQTAe +Fw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMDQxCzAJBgNVBAYTAk5MMREw +DwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0C +AQYIKoZIzj0DAQcDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO +5QDYIxH/6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/6NlMGMwCQYDVR0TBAIwADAd +BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wHwYDVR0jBBgwFoAUnW0gJEkB +PyvLeLUZvH4kydv7NnwwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwEwDAYIKoZIzj0E +AwIFAANoADBlAjEAh+l47FmXR/nUxD8bfnS3sT+QTgc8pXUEqh/gXUs2xINVSoL+ +ZewgcNb2UanzCNheAjAnUY4b0M9YHp/eJjls5RzGX6JXtcWwn9JvO1HqMQnHthcy +hPEQ3lW7XG0DIQS1drk= -----END CERTIFICATE----- diff --git a/tests/data_files/server5.eku-srv_cli.crt b/tests/data_files/server5.eku-srv_cli.crt index 9f58fedd2..be2531ee2 100644 --- a/tests/data_files/server5.eku-srv_cli.crt +++ b/tests/data_files/server5.eku-srv_cli.crt 
@@ -1,13 +1,13 @@ -----BEGIN CERTIFICATE----- -MIIB7DCCAXOgAwIBAgIBPTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN -MTQwNDEwMTcyMTQyWhcNMjQwNDA3MTcyMTQyWjA0MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG -CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA -2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jbDBqMAkGA1UdEwQCMAAwHQYD -VR0OBBYEFFBhpY/UB9nXggEM5WV/jGNGpxO+MB8GA1UdIwQYMBaAFJ1tICRJAT8r -y3i1Gbx+JMnb+zZ8MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAKBggq -hkjOPQQDAgNnADBkAjAmQjJxxC82ZhBpH/GQkOQXDmaaV/JHRHGok1cWn3j3Xj8A -fqRZkp8JihpGIMse208CMFCMdNAfNd1tv+oPuynoK5Oh6/YlASX/otJT68voEIAN -SmsT1m9VPQMIyUo/3RtYjg== +MIIB8zCCAXigAwIBAgIBPTAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw +DwYDVQQKDAhQb2xhclNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQTAe +Fw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMDQxCzAJBgNVBAYTAk5MMREw +DwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0C +AQYIKoZIzj0DAQcDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO +5QDYIxH/6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/6NvMG0wCQYDVR0TBAIwADAd +BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wHwYDVR0jBBgwFoAUnW0gJEkB +PyvLeLUZvH4kydv7NnwwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC +MAwGCCqGSM49BAMCBQADZwAwZAIwHu/xjSqHK91yEM+KgEFGU8Xc3o9rEVrCBFeW +ChIa3slZZdG4OuIm06Tsabf0pBLHAjBYKjoUwWEuDOOQKbbJZG8gKDzMAgEpe/RW +wAjY7i6CzZ1NKfFQ9fQdwA+yjq2fnlg= -----END CERTIFICATE----- diff --git a/tests/data_files/server5.ku-ds.crt b/tests/data_files/server5.ku-ds.crt index 58dd0714b..dafff9b3d 100644 --- a/tests/data_files/server5.ku-ds.crt +++ b/tests/data_files/server5.ku-ds.crt 
@@ -1,14 +1,13 @@ -----BEGIN CERTIFICATE----- -MIICLTCCAbKgAwIBAgIBLTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN -MTQwNDA5MDg0ODM1WhcNMjQwNDA2MDg0ODM1WjA0MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG -CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA -2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgaowgacwCQYDVR0TBAIwADAd -BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB -PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh -clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAsG -A1UdDwQEAwIHgDAKBggqhkjOPQQDAgNpADBmAjEAzp4DkFMq7eDB0x5FeS9gYDaG -Ol8rVnWlRTLQzHZBQjKp+TcBdHZaBPoi8LyXtWA4AjEA6OWhsuTcv/qXOscQT0rL -eEh8wcCQeJK1uNd78lNvx3W0Pcxdb6cd7AhaAKgXL+r4 +MIIB4zCCAWagAwIBAgIBLTAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw +DwYDVQQKDAhQb2xhclNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQTAe +Fw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMDQxCzAJBgNVBAYTAk5MMREw +DwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0C +AQYIKoZIzj0DAQcDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO +5QDYIxH/6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/6NdMFswCQYDVR0TBAIwADAd +BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wHwYDVR0jBBgwFoAUnW0gJEkB +PyvLeLUZvH4kydv7NnwwDgYDVR0PAQH/BAQDAgeAMAwGCCqGSM49BAMCBQADaQAw +ZgIxALHO0QR+4vz+fj4WwBQMa55oJDlp1J0PpqoJYKTf6DRx5rNuZxSbNu2wJQWz +MJ9ekQIxAMPo/Rhu4e9KRkEf9rYU9Ynd7t9/PCsXw4JZuxZfToURDsrAI/Pnqc0H +4+FA/EuPJA== -----END CERTIFICATE----- diff --git a/tests/data_files/server5.ku-ka.crt b/tests/data_files/server5.ku-ka.crt index 2447326c2..74a423524 100644 --- a/tests/data_files/server5.ku-ka.crt +++ b/tests/data_files/server5.ku-ka.crt 
@@ -1,14 +1,13 @@ -----BEGIN CERTIFICATE----- -MIICKzCCAbKgAwIBAgIBLjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN -MTQwNDA5MDg0ODUwWhcNMjQwNDA2MDg0ODUwWjA0MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG -CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA -2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgaowgacwCQYDVR0TBAIwADAd -BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB -PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh -clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAsG -A1UdDwQEAwIDCDAKBggqhkjOPQQDAgNnADBkAjACzKQ88/NvngMQBFc9rC484+gO -BRkXP28BqRcj8sBt3EfmEGH23BuhkZuB1OFZuMICMC4/pHgbOQtaY9WZPUROUVVZ -OuO6XsVbhiE0rb/mumqmUwuOrCtC/KFdvFZol4BNGA== +MIIB4jCCAWagAwIBAgIBLjAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw +DwYDVQQKDAhQb2xhclNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQTAe +Fw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMDQxCzAJBgNVBAYTAk5MMREw +DwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0C +AQYIKoZIzj0DAQcDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO +5QDYIxH/6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/6NdMFswCQYDVR0TBAIwADAd +BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wHwYDVR0jBBgwFoAUnW0gJEkB +PyvLeLUZvH4kydv7NnwwDgYDVR0PAQH/BAQDAgMIMAwGCCqGSM49BAMCBQADaAAw +ZQIwCVbbPiS8MJUOz8JBmgLHojKDaJOd4lSfSak0GSl02UjT8OiNyRzA+FlFWO94 +YMjyAjEA14/ubZ1ZW3/0hkiFHzhTD2SXbTfYbhDZSq2PR+9sBlUrrx1GhzWw/cOD +3jZd4DQO -----END CERTIFICATE----- diff --git a/tests/data_files/server5.ku-ke.crt b/tests/data_files/server5.ku-ke.crt index 41ae5ada3..6b4e74e24 100644 --- a/tests/data_files/server5.ku-ke.crt +++ b/tests/data_files/server5.ku-ke.crt 
@@ -1,14 +1,13 @@ -----BEGIN CERTIFICATE----- -MIICKzCCAbKgAwIBAgIBLzAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN -MTQwNDA5MDg0OTA0WhcNMjQwNDA2MDg0OTA0WjA0MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG -CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA -2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgaowgacwCQYDVR0TBAIwADAd -BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB -PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh -clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAsG -A1UdDwQEAwIFIDAKBggqhkjOPQQDAgNnADBkAjAMl0Cjv9f45bHeJTul5XpYeJeT -52ZaOLTa/uTLy948EnEIi6sj3nFb9fvsUbsOOjECMAXAMY64KOqzixefz3y3XS/d -9miyeArPOmXU2JJ3LGuNbqqj9IbABawB1OD8v8gRmg== +MIIB4TCCAWagAwIBAgIBLzAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw +DwYDVQQKDAhQb2xhclNTTDEcMBoGA1UEAwwTUG9sYXJzc2wgVGVzdCBFQyBDQTAe +Fw0xOTAyMTAxNDQ0MDZaFw0yOTAyMTAxNDQ0MDZaMDQxCzAJBgNVBAYTAk5MMREw +DwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0C +AQYIKoZIzj0DAQcDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO +5QDYIxH/6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/6NdMFswCQYDVR0TBAIwADAd +BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wHwYDVR0jBBgwFoAUnW0gJEkB +PyvLeLUZvH4kydv7NnwwDgYDVR0PAQH/BAQDAgUgMAwGCCqGSM49BAMCBQADZwAw +ZAIwezTY0tigIg6u1dFl90LHYcZ+lJK4BO5Y6U9pn952NFo24NsL8qnG4nxwsL3M +VvV7AjBQ+oZyKSyNp8XRAHYC6lERH7/Gh7HrVWyTRo9iPPL6tE4x/jE7jL9ifgl+ +F6982sk= -----END CERTIFICATE----- From e025cb2096c104d96ef51090ecc2ffe18ccf0e1f Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Thu, 18 May 2023 10:10:39 +0800 Subject: [PATCH 033/222] Add rules to generate cert_example_multi_nocn.crt Signed-off-by: Pengyu Lv --- tests/data_files/Makefile | 16 ++++++++++++++++ tests/data_files/test-ca.opensslconf | 5 +++++ 2 files changed, 21 insertions(+) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 0a32b3b64..5a56828b0 100644 
--- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -60,6 +60,14 @@ test-ca.key.der: $(test_ca_key_file_rsa) $(OPENSSL) pkey -in $< -out $@ -inform PEM -outform DER -passin "pass:$(test_ca_pwd_rsa)" all_final += test-ca.key.der +# This is only used for generating cert_example_multi_nocn.crt +test-ca_nocn.crt: $(test_ca_key_file_rsa) + $(MBEDTLS_CERT_WRITE) is_ca=1 serial=3 selfsign=1 \ + subject_key=$(test_ca_key_file_rsa) subject_pwd=$(test_ca_pwd_rsa) subject_name="C=NL" \ + issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) issuer_name="C=NL" \ + not_before=20190210144400 not_after=20290210144400 md=SHA1 version=3 output_file=$@ +all_intermediate += test-ca_nocn.crt + test-ca-sha1.crt: $(test_ca_key_file_rsa) test-ca.req.sha256 $(MBEDTLS_CERT_WRITE) is_ca=1 serial=3 request_file=test-ca.req.sha256 selfsign=1 issuer_name="C=NL,O=PolarSSL,CN=PolarSSL Test CA" issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144400 not_after=20290210144400 md=SHA1 version=3 output_file=$@ all_final += test-ca-sha1.crt 
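Review bot: The new `test-ca_nocn.crt` rule signs with `md=SHA1`, and the comment above it does not say why a weak digest is used in a newly written rule. The fixture this CA exists to regenerate, cert_example_multi_nocn.crt, appears to have been SHA-1-signed already, so the choice is presumably deliberate to keep the test input equivalent. The `-sha1` in the `cert_example_multi_nocn.crt` rule of the next Makefile hunk has the same gap. Extending the comment would keep the digest from being copied into unrelated rules, for example `# SHA-1 on purpose: keeps the signature algorithm of the original fixture`.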
@@ -99,6 +107,14 @@ parse_input/cert_example_multi.crt cert_example_multi.crt: cert_example_multi.cs -passin "pass:$(test_ca_pwd_rsa)" -set_serial 17 -days 3653 -sha256 \ -in $< > $@ +cert_example_multi_nocn.csr: rsa_pkcs1_1024_clear.pem + $(MBEDTLS_CERT_REQ) filename=$< output_file=$@ subject_name='C=NL' +all_intermediate += cert_example_multi_nocn.csr + +cert_example_multi_nocn.crt: cert_example_multi_nocn.csr test-ca_nocn.crt + $(OPENSSL) x509 -req -CA test-ca_nocn.crt -CAkey $(test_ca_key_file_rsa) -extfile $(test_ca_config_file) -extensions ext_multi_nocn -passin "pass:$(test_ca_pwd_rsa)" -set_serial 0xf7c67ff8e9a963f9 -days 3653 -sha1 -in $< > $@ +all_final += cert_example_multi_nocn.crt + parse_input/test_csr_v3_keyUsage.csr.der: rsa_pkcs1_1024_clear.pem $(OPENSSL) req -new -subj '/CN=etcd' -config $(test_ca_config_file) -key rsa_pkcs1_1024_clear.pem -outform DER -out $@ -reqexts csr_ext_v3_keyUsage parse_input/test_csr_v3_subjectAltName.csr.der: rsa_pkcs1_1024_clear.pem diff --git a/tests/data_files/test-ca.opensslconf b/tests/data_files/test-ca.opensslconf index 434876c83..0340e9e27 100644 --- a/tests/data_files/test-ca.opensslconf +++ b/tests/data_files/test-ca.opensslconf @@ -41,6 +41,11 @@ DNS.3=*.example.org [multiple_san] subjectAltName=@alt_names +[ext_multi_nocn] +basicConstraints = CA:false +keyUsage = digitalSignature, nonRepudiation, keyEncipherment +subjectAltName = DNS:www.shotokan-braunschweig.de,DNS:www.massimo-abate.eu,IP:192.168.1.1,IP:192.168.69.144 + [hw_module_name] hwtype = OID:1.3.6.1.4.1.17.3 hwserial = OCT:123456 From 0d545a18157f047771934e3cd55c546eb081fb90 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Thu, 18 May 2023 10:11:30 +0800 Subject: [PATCH 034/222] Update cert_example_multi_nocn.crt Signed-off-by: Pengyu Lv --- tests/data_files/cert_example_multi_nocn.crt | 23 +++++++++++--------- 1 file changed, 13 insertions(+), 10 deletions(-) 
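Review bot: The `cert_example_multi_nocn.crt` rule sets validity with `-days 3653`, so notBefore is whatever day the rule runs and the output is not reproducible. The `test-ca_nocn.crt` rule added by the same patch pins `not_before=20190210144400 not_after=20290210144400`, so a leaf generated today also outlives the CA that signs it. If reproducible fixtures are the goal, the recipe could run under a fixed clock, in the form this Makefile already uses for the CRL rule: `$(FAKETIME) '<fixed date>' $(OPENSSL) x509 -req ...`. Otherwise a one-line comment that the dates are intentionally relative would do.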
diff --git a/tests/data_files/cert_example_multi_nocn.crt b/tests/data_files/cert_example_multi_nocn.crt index 1634846e1..08bf63c9d 100644 --- a/tests/data_files/cert_example_multi_nocn.crt +++ b/tests/data_files/cert_example_multi_nocn.crt @@ -1,13 +1,16 @@ -----BEGIN CERTIFICATE----- -MIIB/TCCAWagAwIBAgIJAPfGf/jpqWP5MA0GCSqGSIb3DQEBBQUAMA0xCzAJBgNV -BAYTAk5MMB4XDTE0MDEyMjEwMDQzM1oXDTI0MDEyMjEwMDQzM1owDTELMAkGA1UE -BhMCTkwwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN0Rip+ZurBoyirqO2pt -WZftTslU5A3uzqB9oB6q6A7CuxNA24oSjokTJKXF9frY9ZDXyMrLxf6THa/aEiNz -UnlGGrqgVyt2FjGzqK/nOJsIi2OZOgol7kXSGFi6uZMa7dRYmmMbN/z3FAifhWVJ -81kybdHg6G3eUu1mtKkL2kCVAgMBAAGjZTBjMAkGA1UdEwQCMAAwCwYDVR0PBAQD +MIICfjCCAWagAwIBAgIJAPfGf/jpqWP5MA0GCSqGSIb3DQEBBQUAMA0xCzAJBgNV +BAYTAk5MMB4XDTIzMDUxODAyMDUwMVoXDTMzMDUxODAyMDUwMVowDTELMAkGA1UE +BhMCTkwwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMc4ksXD9HAQCGv4EzXs +8wEciiUPlYI2HqoelhJVGqz4e3UzC3BXM5zZlfFNTEQ3yL7EoD/kZDzT88kCQz3D +fFuOeaoJhK6CEzcKv4VpvSo1Ymyx/uSs4EKyQXx75J0nFJssB2uOQz0/bHY6Rpoc +cA0lnbwIx0D82AI3Yv996/wtAgMBAAGjZTBjMAkGA1UdEwQCMAAwCwYDVR0PBAQD AgXgMEkGA1UdEQRCMECCHHd3dy5zaG90b2thbi1icmF1bnNjaHdlaWcuZGWCFHd3 -dy5tYXNzaW1vLWFiYXRlLmV1hwTAqAEBhwTAqEWQMA0GCSqGSIb3DQEBBQUAA4GB -ABjx1ytrqCyFC5/0cjWnbLK9vsvLny2ZikDewfRxqJ5zAxGWLqHOr1SmUmu2DrvB -bkT9g5z19+iMhPnzJz1x7Q2m7WTIJTuUPK+hKZJATDLNhZ86h5Nkw8k9YzKcOrPm -EIqsy55CSgLU0ntljqSBvSb4ifrF1NnIWej2lSfN6r+3 +dy5tYXNzaW1vLWFiYXRlLmV1hwTAqAEBhwTAqEWQMA0GCSqGSIb3DQEBBQUAA4IB +AQAuomKlMLwSkP3zvGuA9awDdITM/uCzfd77yi60zMNtFHDMu2YZ2npQSl0czab6 +/8fX9goaU8V3cx4KXSLMx7i9AsP1r559Uo3c/4oTZd3xBsElMAn/TXiuujZ2RwdL +RcMOJerlThOE0dtNdniJj7lPaan70CELP/CUn8KgeWgztQJj4ghfUwnLn6RnpLfl +YyM/Xq2YbwnQWHXSe3CPTy5RCWalt3SgZf6IDcD6CNq1Q2l14iR78OWnlxGTFmjP +ez3OzxNT2BZz0AiP0WvTbUtvfuxw9G3fHHe5ClsAopIA3tD246jHOAlqAnOEBC/x +IABbWjY/briP9U4R6x+mg2ck -----END CERTIFICATE----- From 0efdfcbfd3ca6bdcf42d94bde297913b6884ea01 Mon Sep 17 00:00:00 2001 
From: Jerry Yu Date: Thu, 18 May 2023 11:14:23 +0800 Subject: [PATCH 035/222] Update v1 crt files Signed-off-by: Jerry Yu --- tests/data_files/Makefile | 44 ++++++++++++++++- tests/data_files/server1-v1.crt | 34 +++++++------- tests/data_files/server2-v1-chain.crt | 68 +++++++++++++-------------- tests/data_files/server2-v1.crt | 34 +++++++------- tests/data_files/test-ca-v1.crt | 34 +++++++------- 5 files changed, 127 insertions(+), 87 deletions(-) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 5a56828b0..107eb67d3 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile 
@@ -1628,8 +1628,13 @@ server1.v1.der.openssl: server1.v1.crt.openssl crl.pem: $(test_ca_crt) $(test_ca_key_file_rsa) $(test_ca_config_file) $(OPENSSL) ca -gencrl -batch -cert $(test_ca_crt) -keyfile $(test_ca_key_file_rsa) -key $(test_ca_pwd_rsa) -config $(test_ca_server1_config_file) -md sha1 -crldays 3653 -out $@ -crl-futureRevocationDate.pem: $(test_ca_crt) $(test_ca_key_file_rsa) $(test_ca_config_file) test-ca.server1.future-crl.db test-ca.server1.future-crl.opensslconf - $(FAKETIME) '2028-12-31' $(OPENSSL) ca -gencrl -config test-ca.server1.future-crl.opensslconf -crldays 365 -passin "pass:$(test_ca_pwd_rsa)" -out $@ +crl-futureRevocationDate.pem: $(test_ca_crt) $(test_ca_key_file_rsa) \ + $(test_ca_config_file) \ + test-ca.server1.future-crl.db \ + test-ca.server1.future-crl.opensslconf + $(FAKETIME) -f '+10y' $(OPENSSL) ca -gencrl \ + -config test-ca.server1.future-crl.opensslconf -crldays 365 \ + -passin "pass:$(test_ca_pwd_rsa)" -out $@ server1_all: crl.pem crl-futureRevocationDate.pem server1.crt server1.noauthid.crt server1.crt.openssl server1.v1.crt server1.v1.crt.openssl server1.key_usage.crt server1.key_usage_noauthid.crt server1.key_usage.crt.openssl server1.cert_type.crt server1.cert_type_noauthid.crt server1.cert_type.crt.openssl server1.der server1.der.openssl server1.v1.der server1.v1.der.openssl server1.key_usage.der server1.key_usage.der.openssl server1.cert_type.der server1.cert_type.der.openssl 
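Review bot: Replacing the fixed `'2028-12-31'` with the relative `-f '+10y'` makes `crl-futureRevocationDate.pem` depend on the day the rule is run, so regenerating it can never reproduce the committed file. The CRL's thisUpdate may also fall after the signing CA's notAfter, since other CA rules in this Makefile use `not_after=20290210144400`; whether `$(test_ca_crt)` shares that date is not visible here. If the intent is only "later than any realistic test run", the rule should say so, for example `# relative offset on purpose: the CRL must always be in the future when generated`. Otherwise a fixed date inside the CA's validity window keeps the fixture deterministic.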
@@ -1922,6 +1927,41 @@ pkcs7_data_cert_signeddata_sha256.der: pkcs7_data_cert_signed_sha256.der dd if=pkcs7_data_cert_signed_sha256.der of=$@ skip=19 bs=1 all_final += pkcs7_data_cert_signeddata_sha256.der +# - test-ca-v1.crt: v1 "CA", signs +# server1-v1.crt: v1 "intermediate CA", signs +# server2-v1*.crt: EE cert (without of with chain in same file) + +test-ca-v1.crt: $(test_ca_key_file_rsa) test-ca.req.sha256 + $(MBEDTLS_CERT_WRITE) is_ca=1 serial_hex=53a2b68e05400e555c9395e5 \ + request_file=test-ca.req.sha256 \ + selfsign=1 issuer_name="CN=PolarSSL Test CA v1,OU=testing,O=PolarSSL,C=NL" \ + issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) \ + not_before=20190210144400 not_after=20290210144400 md=SHA256 version=1 \ + output_file=$@ +all_final += test-ca-v1.crt + +server1-v1.crt: server1.key test-ca-v1.crt + $(MBEDTLS_CERT_WRITE) subject_key=$< serial_hex=53a2b6c704cd4d8ebc800bc1\ + subject_name="CN=server1/int-ca-v1,OU=testing,O=PolarSSL,C=NL" \ + issuer_crt=test-ca-v1.crt issuer_key=$(test_ca_key_file_rsa) \ + issuer_pwd=$(test_ca_pwd_rsa) \ + not_before=20190210144406 not_after=20290210144406 \ + md=SHA256 version=1 \ + output_file=$@ +all_final += server1-v1.crt + +server2-v1.crt: server2.key server1-v1.crt + $(MBEDTLS_CERT_WRITE) subject_key=$< serial_hex=53a2b6d9235dbc4573f9b76c\ + subject_name="CN=server2,OU=testing,O=PolarSSL,C=NL" \ + issuer_crt=server1-v1.crt issuer_key=server1.key \ + not_before=20190210144406 not_after=20290210144406 \ + md=SHA256 version=1 \ + output_file=$@ +all_final += server2-v1.crt + +server2-v1-chain.crt: server2-v1.crt server1-v1.crt + cat $^ > $@ + ################################################################ #### Diffie-Hellman parameters ################################################################ diff --git a/tests/data_files/server1-v1.crt b/tests/data_files/server1-v1.crt index 47f1fff1c..8ca90078b 100644 --- a/tests/data_files/server1-v1.crt +++ b/tests/data_files/server1-v1.crt 
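Review bot: The `server2-v1-chain.crt` rule is the only one of the four new v1 rules without an `all_final +=` line, so the chain file is not built or cleaned with the others; add `all_final += server2-v1-chain.crt` after its recipe. Because the chain is a plain `cat` of `server2-v1.crt` and `server1-v1.crt`, leaving it out also lets it go stale when either input is regenerated. The header comment has a typo as well: "without of with chain" should read "without or with chain".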
@@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIDITCCAgkCDFOitscEzU2OvIALwTANBgkqhkiG9w0BAQsFADBQMRwwGgYDVQQD -ExNQb2xhclNTTCBUZXN0IENBIHYxMRAwDgYDVQQLEwd0ZXN0aW5nMREwDwYDVQQK -EwhQb2xhclNTTDELMAkGA1UEBhMCTkwwIhgPMjAxNDA2MTkxMDA5MTFaGA8yMDI0 -MDYxODEwMDkxMVowTjEaMBgGA1UEAxMRc2VydmVyMS9pbnQtY2EtdjExEDAOBgNV -BAsTB3Rlc3RpbmcxETAPBgNVBAoTCFBvbGFyU1NMMQswCQYDVQQGEwJOTDCCASIw -DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6J -v7joRZDb7ogWUtPxQ1BHlhJZZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVB -Q3dfOXwJBEeCsFc5cO2j7BUZHqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYEl -XwqxU8YwfhU5rPla7n+SnqYFW+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk -65Wb3P5BXhem2mxbacwCuhQsFiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZP -cG6ezr1YieJTWZ5uWpJl4og/DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEA -ATANBgkqhkiG9w0BAQsFAAOCAQEAPJl3fbVeTJ6gVAvCoLYM8JY5U7ZhrCCdBghw -WuZBS/TWwf4WLP0G/ZtTyTOENcT0gWHf0/VnXtNPw2/yBjWsLtTXxN2XQlEVf3j/ -WcQxWgSESYdx/sT/uTW6qihuONPWkTQizmx7OG6vBuGx3g54s9/oeJKXOraNqud3 -G4KBrytOazliMfoKO2hnzaeydpaDtb2tZX8apN/6KqQpTAcXsWrZRW9XEHWq2sNz -IR1nIE1F/9gnqi9Xy0HQprteLRUvM4tEQ35m4H20eS5Y9gJlE/DqXmMQ7aiU8DgP -krj+Z18pcrssO+Etv0BOiPjmU9TWWpDMj34ef7U/OH5qJxkSrA== +MIIDHTCCAgUCDFOitscEzU2OvIALwTANBgkqhkiG9w0BAQsFADBQMRwwGgYDVQQD +DBNQb2xhclNTTCBUZXN0IENBIHYxMRAwDgYDVQQLDAd0ZXN0aW5nMREwDwYDVQQK +DAhQb2xhclNTTDELMAkGA1UEBhMCTkwwHhcNMTkwMjEwMTQ0NDA2WhcNMjkwMjEw +MTQ0NDA2WjBOMRowGAYDVQQDDBFzZXJ2ZXIxL2ludC1jYS12MTEQMA4GA1UECwwH +dGVzdGluZzERMA8GA1UECgwIUG9sYXJTU0wxCzAJBgNVBAYTAk5MMIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/uOhF +kNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFDd185 +fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVfCrFT +xjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTrlZvc +/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9wbp7O +vViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQABMA0G +CSqGSIb3DQEBCwUAA4IBAQBrdYAEzdH6ryyYaolYvp8Fvq0wZxp6Bdcxvi0LUGmb 
+TdWcNrPU9IYASc5QSrSWPj0c9vhLVbDZAONfn92thi7C2zQXok2Q3jW038ycNSXN +lVxFkdY4GYa3E6Og1LVIySyzfyyNuHKKWbB5wZCWbzOgu2Q1MHSNvPhKjbDhyGtT +Mq3Qy6TyzUFbXMRBixcJC/Cy4zsqvWBanVtBmwlvgE4Q50CUgybzSEIL5j+aPLuW +aj8j2NRB2+7vPeoWd8ry5YxEKB3DRuXHHyyFnT5O8MpWuCl764qFMc8S/i7yVcmZ +egZQw0dCmE5J4EGX0BEQEM24ll2e8SxL351hbCQ+EfvF -----END CERTIFICATE----- diff --git a/tests/data_files/server2-v1-chain.crt b/tests/data_files/server2-v1-chain.crt index 84bb6b2b9..8ac003b30 100644 --- a/tests/data_files/server2-v1-chain.crt +++ b/tests/data_files/server2-v1-chain.crt 
@@ -1,38 +1,38 @@ -----BEGIN CERTIFICATE----- -MIIDFTCCAf0CDFOittkjXbxFc/m3bDANBgkqhkiG9w0BAQsFADBOMRowGAYDVQQD -ExFzZXJ2ZXIxL2ludC1jYS12MTEQMA4GA1UECxMHdGVzdGluZzERMA8GA1UEChMI -UG9sYXJTU0wxCzAJBgNVBAYTAk5MMCIYDzIwMTQwNjE5MTAwOTI5WhgPMjAyNDA2 -MTgxMDA5MjlaMEQxEDAOBgNVBAMTB3NlcnZlcjIxEDAOBgNVBAsTB3Rlc3Rpbmcx -ETAPBgNVBAoTCFBvbGFyU1NMMQswCQYDVQQGEwJOTDCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTNowCI -p+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKzNtSj -+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kMtQCQ -4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8PhYva -i0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjyaHT4P -6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAATANBgkqhkiG9w0B -AQsFAAOCAQEAivCCMBfC5YNeozwp8vAWpiRUakhtO8ysvCfQsZD4tWLlSkrjoUtG -3RNd9gDVDGb852GswtNMKHJC1AeZuXdh3eBoDBNTXnR/9UkHgWNBy5f+JH2irYrc -ps5ofpYJZe7K6xQjl+RLc8nfUUaVfS3dJnyLr9k5kg4in48p+hEF6oXDBu2zdufF -53k/U98FTvFkVisEDFzLXyKX0fAZxfMk4qnEoBflH4fEXfkuuaBUVdoGGIMRLNAW -GIyRxr+zj+OJL+ZjjAkY4JqtEuUuLjODn//DHI/MkqE0LANOvbb4akpgZsyvSSO3 -o38d1wQHw5+bO+YDqdfIdQXguU5mtS1xAw== +MIIDETCCAfkCDFOittkjXbxFc/m3bDANBgkqhkiG9w0BAQsFADBOMRowGAYDVQQD +DBFzZXJ2ZXIxL2ludC1jYS12MTEQMA4GA1UECwwHdGVzdGluZzERMA8GA1UECgwI +UG9sYXJTU0wxCzAJBgNVBAYTAk5MMB4XDTE5MDIxMDE0NDQwNloXDTI5MDIxMDE0 +NDQwNlowRDEQMA4GA1UEAwwHc2VydmVyMjEQMA4GA1UECwwHdGVzdGluZzERMA8G +A1UECgwIUG9sYXJTU0wxCzAJBgNVBAYTAk5MMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r +lqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM21KP64bF2 +2JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1AJDh2oIQ +Zn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+Fi9qLRF7i +GMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJodPg/oNJhb +y3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABMA0GCSqGSIb3DQEBCwUA +A4IBAQBmzdRQV8c0AbT8+IlPf7EpzfdhBwBtDj7N8GPEHL+NqS1hHt7TH3L7jBN3 +CqLUgrAP1LFmQrjW5IPZYNZEA+LxMMjAehvOH71pBsFGvQOpx2CwmqM86s9FIgIa 
+zob7L34+xVEZfmR09PsLiT7gF13ht0HkvVZ2haBU0k3vV97aEVvPtbqrlR6RfLrZ +8nXBFt5CkzGxepS4wBCW4TrGXxpMJ0WnnhcLJVnExUd6YbzGP+ewXCKegD1wDX6z +UsEVGDQV97u3tszF43kx0nu/Q5DYMCqJV0kpIsMB467xPnNqyMdGtTbZq2Is8oj6 +VA+fctBdN0CW4jo+qkOif0l/F8Az -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIDITCCAgkCDFOitscEzU2OvIALwTANBgkqhkiG9w0BAQsFADBQMRwwGgYDVQQD -ExNQb2xhclNTTCBUZXN0IENBIHYxMRAwDgYDVQQLEwd0ZXN0aW5nMREwDwYDVQQK -EwhQb2xhclNTTDELMAkGA1UEBhMCTkwwIhgPMjAxNDA2MTkxMDA5MTFaGA8yMDI0 -MDYxODEwMDkxMVowTjEaMBgGA1UEAxMRc2VydmVyMS9pbnQtY2EtdjExEDAOBgNV -BAsTB3Rlc3RpbmcxETAPBgNVBAoTCFBvbGFyU1NMMQswCQYDVQQGEwJOTDCCASIw -DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6J -v7joRZDb7ogWUtPxQ1BHlhJZZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVB -Q3dfOXwJBEeCsFc5cO2j7BUZHqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYEl -XwqxU8YwfhU5rPla7n+SnqYFW+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk -65Wb3P5BXhem2mxbacwCuhQsFiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZP -cG6ezr1YieJTWZ5uWpJl4og/DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEA -ATANBgkqhkiG9w0BAQsFAAOCAQEAPJl3fbVeTJ6gVAvCoLYM8JY5U7ZhrCCdBghw -WuZBS/TWwf4WLP0G/ZtTyTOENcT0gWHf0/VnXtNPw2/yBjWsLtTXxN2XQlEVf3j/ -WcQxWgSESYdx/sT/uTW6qihuONPWkTQizmx7OG6vBuGx3g54s9/oeJKXOraNqud3 -G4KBrytOazliMfoKO2hnzaeydpaDtb2tZX8apN/6KqQpTAcXsWrZRW9XEHWq2sNz -IR1nIE1F/9gnqi9Xy0HQprteLRUvM4tEQ35m4H20eS5Y9gJlE/DqXmMQ7aiU8DgP -krj+Z18pcrssO+Etv0BOiPjmU9TWWpDMj34ef7U/OH5qJxkSrA== +MIIDHTCCAgUCDFOitscEzU2OvIALwTANBgkqhkiG9w0BAQsFADBQMRwwGgYDVQQD +DBNQb2xhclNTTCBUZXN0IENBIHYxMRAwDgYDVQQLDAd0ZXN0aW5nMREwDwYDVQQK +DAhQb2xhclNTTDELMAkGA1UEBhMCTkwwHhcNMTkwMjEwMTQ0NDA2WhcNMjkwMjEw +MTQ0NDA2WjBOMRowGAYDVQQDDBFzZXJ2ZXIxL2ludC1jYS12MTEQMA4GA1UECwwH +dGVzdGluZzERMA8GA1UECgwIUG9sYXJTU0wxCzAJBgNVBAYTAk5MMIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/uOhF +kNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFDd185 +fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVfCrFT +xjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTrlZvc 
+/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9wbp7O +vViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQABMA0G +CSqGSIb3DQEBCwUAA4IBAQBrdYAEzdH6ryyYaolYvp8Fvq0wZxp6Bdcxvi0LUGmb +TdWcNrPU9IYASc5QSrSWPj0c9vhLVbDZAONfn92thi7C2zQXok2Q3jW038ycNSXN +lVxFkdY4GYa3E6Og1LVIySyzfyyNuHKKWbB5wZCWbzOgu2Q1MHSNvPhKjbDhyGtT +Mq3Qy6TyzUFbXMRBixcJC/Cy4zsqvWBanVtBmwlvgE4Q50CUgybzSEIL5j+aPLuW +aj8j2NRB2+7vPeoWd8ry5YxEKB3DRuXHHyyFnT5O8MpWuCl764qFMc8S/i7yVcmZ +egZQw0dCmE5J4EGX0BEQEM24ll2e8SxL351hbCQ+EfvF -----END CERTIFICATE----- diff --git a/tests/data_files/server2-v1.crt b/tests/data_files/server2-v1.crt index 7ef7968f5..990cd4b52 100644 --- a/tests/data_files/server2-v1.crt +++ b/tests/data_files/server2-v1.crt 
@@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIDFTCCAf0CDFOittkjXbxFc/m3bDANBgkqhkiG9w0BAQsFADBOMRowGAYDVQQD -ExFzZXJ2ZXIxL2ludC1jYS12MTEQMA4GA1UECxMHdGVzdGluZzERMA8GA1UEChMI -UG9sYXJTU0wxCzAJBgNVBAYTAk5MMCIYDzIwMTQwNjE5MTAwOTI5WhgPMjAyNDA2 -MTgxMDA5MjlaMEQxEDAOBgNVBAMTB3NlcnZlcjIxEDAOBgNVBAsTB3Rlc3Rpbmcx -ETAPBgNVBAoTCFBvbGFyU1NMMQswCQYDVQQGEwJOTDCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTNowCI -p+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKzNtSj -+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kMtQCQ -4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8PhYva -i0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjyaHT4P -6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAATANBgkqhkiG9w0B -AQsFAAOCAQEAivCCMBfC5YNeozwp8vAWpiRUakhtO8ysvCfQsZD4tWLlSkrjoUtG -3RNd9gDVDGb852GswtNMKHJC1AeZuXdh3eBoDBNTXnR/9UkHgWNBy5f+JH2irYrc -ps5ofpYJZe7K6xQjl+RLc8nfUUaVfS3dJnyLr9k5kg4in48p+hEF6oXDBu2zdufF -53k/U98FTvFkVisEDFzLXyKX0fAZxfMk4qnEoBflH4fEXfkuuaBUVdoGGIMRLNAW -GIyRxr+zj+OJL+ZjjAkY4JqtEuUuLjODn//DHI/MkqE0LANOvbb4akpgZsyvSSO3 -o38d1wQHw5+bO+YDqdfIdQXguU5mtS1xAw== +MIIDETCCAfkCDFOittkjXbxFc/m3bDANBgkqhkiG9w0BAQsFADBOMRowGAYDVQQD +DBFzZXJ2ZXIxL2ludC1jYS12MTEQMA4GA1UECwwHdGVzdGluZzERMA8GA1UECgwI +UG9sYXJTU0wxCzAJBgNVBAYTAk5MMB4XDTE5MDIxMDE0NDQwNloXDTI5MDIxMDE0 +NDQwNlowRDEQMA4GA1UEAwwHc2VydmVyMjEQMA4GA1UECwwHdGVzdGluZzERMA8G +A1UECgwIUG9sYXJTU0wxCzAJBgNVBAYTAk5MMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r +lqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM21KP64bF2 +2JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1AJDh2oIQ +Zn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+Fi9qLRF7i +GMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJodPg/oNJhb +y3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABMA0GCSqGSIb3DQEBCwUA +A4IBAQBmzdRQV8c0AbT8+IlPf7EpzfdhBwBtDj7N8GPEHL+NqS1hHt7TH3L7jBN3 +CqLUgrAP1LFmQrjW5IPZYNZEA+LxMMjAehvOH71pBsFGvQOpx2CwmqM86s9FIgIa 
+zob7L34+xVEZfmR09PsLiT7gF13ht0HkvVZ2haBU0k3vV97aEVvPtbqrlR6RfLrZ +8nXBFt5CkzGxepS4wBCW4TrGXxpMJ0WnnhcLJVnExUd6YbzGP+ewXCKegD1wDX6z +UsEVGDQV97u3tszF43kx0nu/Q5DYMCqJV0kpIsMB467xPnNqyMdGtTbZq2Is8oj6 +VA+fctBdN0CW4jo+qkOif0l/F8Az -----END CERTIFICATE----- diff --git a/tests/data_files/test-ca-v1.crt b/tests/data_files/test-ca-v1.crt index e5a3b1cde..2f10f6d86 100644 --- a/tests/data_files/test-ca-v1.crt +++ b/tests/data_files/test-ca-v1.crt 
@@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIDIzCCAgsCDFOito4FQA5VXJOV5TANBgkqhkiG9w0BAQsFADBQMRwwGgYDVQQD -ExNQb2xhclNTTCBUZXN0IENBIHYxMRAwDgYDVQQLEwd0ZXN0aW5nMREwDwYDVQQK -EwhQb2xhclNTTDELMAkGA1UEBhMCTkwwIhgPMjAxNDA2MTkxMDA4MTRaGA8yMDI0 -MDYxODEwMDgxNFowUDEcMBoGA1UEAxMTUG9sYXJTU0wgVGVzdCBDQSB2MTEQMA4G -A1UECxMHdGVzdGluZzERMA8GA1UEChMIUG9sYXJTU0wxCzAJBgNVBAYTAk5MMIIB -IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwN83/Be74JadP4beljJ9RKUW -oM0h8ZnU7OrLfBhYCJSl7JvFi98aHpk4mYcee8CNOd84XXB4B9Oe2ZPouXJRxc6j -MFKp8udAcBTLRKJyC8LlQPk+5aYOs/nsSmPAuCkAdJxXO6ilBJBx8b2D2T/WpeI8 -Ko/vJ2DDxp/LuuxgfbfmhDK+T/tYJiIDW9S01fv145YucMDkLr38Lu7iQVXANC59 -JHJpy0exFECDfWf0hvYxq/F5pLK1LhL5hBfwYm8nPhNYsVQNIZpzN6Ewz2+S3Pbp -/KzbLijRfgJLI6AV8jhlZAnqDG6OGxegccizm8mr6cPyz4eWj4ACMp6ZWG+i1QID -AQABMA0GCSqGSIb3DQEBCwUAA4IBAQBoXC5AlXI5azyOPvmNse2qHhO7BrXOEjH+ -9g5P/VsrVADhsUGv6x0A2oLoWXtOjGDIWWH53BWHkCUCu4T5D5C6+I47rXWl4pAr -J+h+tQVZo6J0AJxfPse/NnrjsboUSWhunmo/iTrU6S4KJBguIKP6T1DZoD/8EYgU -x+fXDmvRO+MTesWDiY+p+FHEzsu3b9EBtG9dUiR/zzXi/ktFCfrgstKGSuW6+j7m -lcduTxsogi6Uc3tWKtn6qpSGR0uBoCz6emFO7Smmy/tIyVA88lH0+3UnxOvu4TAK -uvjYkOcZqhprDiMfhxBB7pxbfiviEANTbgSfCtZewSNz2RUJ9ocy +MIIDHzCCAgcCDFOito4FQA5VXJOV5TANBgkqhkiG9w0BAQsFADBQMRwwGgYDVQQD +DBNQb2xhclNTTCBUZXN0IENBIHYxMRAwDgYDVQQLDAd0ZXN0aW5nMREwDwYDVQQK +DAhQb2xhclNTTDELMAkGA1UEBhMCTkwwHhcNMTkwMjEwMTQ0NDAwWhcNMjkwMjEw +MTQ0NDAwWjBQMRwwGgYDVQQDDBNQb2xhclNTTCBUZXN0IENBIHYxMRAwDgYDVQQL +DAd0ZXN0aW5nMREwDwYDVQQKDAhQb2xhclNTTDELMAkGA1UEBhMCTkwwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx +mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny +50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n +YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL +R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu +KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAEw +DQYJKoZIhvcNAQELBQADggEBAAtVAWmbymwKDj9v8m7SVLHF0mw4i3gBFVPJqYRQ 
+y9CnUD68kUr4qK7wyQIv/gDRYuqZVNnBq4Jwzm+tPEBHpYAF5H/7Mynpb4h+uZ3a +6kaWURXKzx53ZuFHLu1FuRov+SZU3ZtXClTYFKeyDb+fcth/8thR9V59v7ZE7zlb +8zbyL+dqfyxvmxZCUzHbNKVrliiUUFXfW53T+B7Ysxner5mnqM1aPxckhXVHEJ47 +TBoIhpBoJ/HmHCiWz8BeoowSpG7u+QOezIKk8l5Pd2f8MeqwyaqIeAy0lh2nP7pB +UtWET/0bsdiPn8SR9B3hWpKUDRvnHDDZuZiKtrdDEqsD04M= -----END CERTIFICATE----- From 4ca9520582dd457a6fe6ad64ebf2ac7370779994 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 18 May 2023 17:32:29 +0800 Subject: [PATCH 036/222] Update server1-nospace.crt Signed-off-by: Jerry Yu --- tests/data_files/Makefile | 10 ++++++++++ tests/data_files/server1-nospace.crt | 25 ++++++++++++------------- 2 files changed, 22 insertions(+), 13 deletions(-) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 107eb67d3..0ca345b30 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -1570,6 +1570,16 @@ server1.ca.der: server1.ca.crt $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@ all_final += server1.ca.crt server1.ca_noauthid.crt server1.ca.der +server1-nospace.crt: server1.key test-ca.crt + $(MBEDTLS_CERT_WRITE) subject_key=$< serial=31\ + subject_name="C=NL,O=PolarSSL,CN=polarssl.example" \ + issuer_crt=test-ca.crt issuer_key=$(test_ca_key_file_rsa) \ + issuer_pwd=$(test_ca_pwd_rsa) \ + not_before=20190210144406 not_after=20290210144406 \ + md=SHA256 version=3 authority_identifier=1 \ + output_file=$@ +all_final += server1-nospace.crt + server1_ca.crt: server1.crt $(test_ca_crt) cat server1.crt $(test_ca_crt) > $@ all_final += server1_ca.crt diff --git a/tests/data_files/server1-nospace.crt b/tests/data_files/server1-nospace.crt index 932c236a5..4c3cb9019 100644 --- a/tests/data_files/server1-nospace.crt +++ b/tests/data_files/server1-nospace.crt 
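Review bot: In the `server1-nospace.crt` recipe the first line ends in `serial=31\` with no space before the backslash, while every other continued line in the rule uses ` \`. Make passes the backslash-newline to the shell, so `serial=31` and `subject_name=...` stay separate arguments only because of the indentation on the next line. Writing `serial=31 \` removes that dependency. The `serial_hex=...\` lines in the `server1-v1.crt` and `server2-v1.crt` rules of the previous patch have the same form.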
@@ -1,21 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIDhDCCAmygAwIBAgIBHzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER -MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN -MTQwMzI2MDkyMzEyWhcNMjQwMzIzMDkyMzEyWjA7MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEHBvbGFyc3NsLmV4YW1wbGUwggEiMA0G +MIIDPjCCAiagAwIBAgIBHzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA7MQswCQYDVQQGEwJOTDERMA8G +A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEHBvbGFyc3NsLmV4YW1wbGUwggEiMA0G CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpAh89QGrVVVOL/TbugmUuFWFeib+4 6EWQ2+6IFlLT8UNQR5YSWWSHa/0r4Eb5c77dz5LhkVvtZqBviSl5RYDQg2rVQUN3 Xzl8CQRHgrBXOXDto+wVGR6oMwhHwQVCqf1Mw7Tf3QYfTRBRQGdzEw9A+G2BJV8K sVPGMH4VOaz5Wu5/kp6mBVvnE5eFtSOS2dQkBtUJJYl1B92mGo8/CRm+rWUsZOuV m9z+QV4XptpsW2nMAroULBYknErczdD3Umdz8S2gI/1+9DHKLXDKiQsE2y6mT3Bu ns69WIniU1meblqSZeKIPwyUGaPd5eidlRPtKdurcBLcWsprF6tSglSxAgMBAAGj -gZIwgY8wCQYDVR0TBAIwADAdBgNVHQ4EFgQUH3TWPynBdHRFOwUSLD2ovUNZAqYw -YwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNVBAYT -Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVzdCBD -QYIBADANBgkqhkiG9w0BAQsFAAOCAQEAXs4vQqlIlxrMbE6IwAHLcGJuz17Ru/en -H9bUnnSh1pxa+NHMKZHBG3GT0iaxsVtXf56/tXH4+HL7ntJjrczGN1PbhMGPyt94 -556ZgDxkHT9k7KjPAIs9BrjFHvl9NyIZzcbwkiC0qGvdzjSfe3AiSYuhXI/9/Hog -uUwReH+T2U/ICEHQ5O8aV5nvpgqL3EeEmyx3bu+YXtZMWQUYzX+ya4TnKVPdqwbf -ebr6v1hLXrUFl6rZ3wEJ6MqUW3SGZRkCVNZUOD6Ky3+EiLwYFhuKGdFqSS0JAAD7 -ZO3yPu5hu3BhAQYavK4Yyfi9IQmubBqxopPwyzjG1HPw2lj+oapH0w== +TTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFB901j8pwXR0RTsFEiw9qL1DWQKmMB8G +A1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBCwUAA4IB +AQC8fX3ZiHu6GoYBB5Vo1l6CXXDhHB6r43Pp+BHoOCouiiy4useiPLu5S84gmNoC +v8ZR+b9lAaysCMHAbth9vgtW+aXckBY6xKo8CsmGXcqZqujD6qrDif5q6UpXa4Oe +fr6ITkecY4Z9oN/aN5el5zzUd5zkoyQDI5Bn1gMdvV7AwM7Haq+5gTFwM7HJnphz +GZ8GLxWU1dWeAfsGm58ey6J28OjIkmfP3yL/kBKMhiQZydbH9Y8Yal7YwhayXxES 
+i7YwhNmPcGAgDBm5Sno7BvHiIqsNX1sssC3aZUaZvldJGY+4Y9fFZHenBwTREj/S +CnEgazC2RJ3kYg3mP/QhE0US -----END CERTIFICATE----- From b5ac935e44dccb38e3b9e318aef3fce9074642ad Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Wed, 17 May 2023 15:02:08 +0800 Subject: [PATCH 037/222] Add rules to generate server9*.crt Except for server9-bad-saltlen.crt and server9-bad-mgfhash.crt. Signed-off-by: Pengyu Lv --- tests/data_files/Makefile | 41 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 0ca345b30..e5d9e1a2d 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile 
@@ -532,6 +532,46 @@ test-int-ca3-badsign.crt: test-int-ca3.crt { head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; } > $@ all_final += test-int-ca3-badsign.crt +# server9* + +server9.csr: server9.key + $(OPENSSL) req -new -subj "/C=NL/O=PolarSSL/CN=localhost" \ + -key $< -out $@ +server9.crt: server9-sha1.crt + cp $< $@ +all_final += server9.crt +all_intermediate += server9.csr server9-sha1.crt + +server9-%.crt: server9.csr $(test_ca_crt) $(test_ca_key_file_rsa) + $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa \ + -passin "pass:$(test_ca_pwd_rsa)" -CA $(test_ca_crt) -CAkey $(test_ca_key_file_rsa) \ + -set_serial $(SERVER9_CRT_SERIAL) -days 3653 \ + -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:max \ + -sigopt rsa_mgf1_md:$(@:server9-%.crt=%) -$(@:server9-%.crt=%) \ + -in $< -out $@ +server9-sha1.crt: SERVER9_CRT_SERIAL=22 +server9-sha224.crt: SERVER9_CRT_SERIAL=23 +server9-sha256.crt: SERVER9_CRT_SERIAL=24 +server9-sha384.crt: SERVER9_CRT_SERIAL=25 +server9-sha512.crt: SERVER9_CRT_SERIAL=26 +all_final += server9-sha224.crt server9-sha256.crt server9-sha384.crt server9-sha512.crt + +server9-defaults.crt: server9.csr $(test_ca_crt) $(test_ca_key_file_rsa) + $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa \ + -passin "pass:$(test_ca_pwd_rsa)" -CA $(test_ca_crt) -CAkey $(test_ca_key_file_rsa) \ + -set_serial 72 -days 3653 \ + -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:max -sha1 \ + -in $< -o $@ +all_final += server9-defaults.crt + +server9-badsign.crt: server9.crt + { head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; } > $@ +all_final += server9-badsign.crt + +server9-with-ca.crt: server9.crt $(test_ca_crt) + cat $^ > $@ +all_final += server9-with-ca.crt + # server10* server10.crt: server10.key test-int-ca3.crt test-int-ca3.key 
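Review bot: The `server9-defaults.crt` recipe ends with `-in $< -o $@`, whereas every other `openssl x509 -req` rule in this hunk writes its output with `-out $@`. `-o` is not a documented option of `openssl x509`, so this target most likely fails or writes nothing to the file; the line should be `-in $< -out $@`. Since the target is added to `all_final`, the failure would surface as soon as the file is regenerated.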
@@ -1482,6 +1522,7 @@ server6-ss-child.crt: server6-ss-child.csr server5-selfsigned.crt server5.key se -days 3650 -sha256 -in $< -out $@ all_final += server6-ss-child.crt + ################################################################ ### Generate certificates for CRT write check tests ################################################################ From 8c40c573b2ac678efd34ba02e6e6e8791784891d Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Mon, 29 May 2023 14:49:17 +0800 Subject: [PATCH 038/222] Add server9-bad-{mgfhash,saltlen}.crt Signed-off-by: Jerry Yu Signed-off-by: Pengyu Lv --- tests/data_files/Makefile | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index e5d9e1a2d..6239c97ed 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -572,6 +572,25 @@ server9-with-ca.crt: server9.crt $(test_ca_crt) cat $^ > $@ all_final += server9-with-ca.crt +# FIXME: this file expected a bad-saltlen, but it create a good saltlen. +server9-bad-saltlen.crt: server9.csr $(test_ca_crt) $(test_ca_key_file_rsa) + $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa \ + -passin "pass:$(test_ca_pwd_rsa)" -CA $(test_ca_crt) -CAkey $(test_ca_key_file_rsa) \ + -set_serial 24 -days 3653 \ + -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:max \ + -sigopt rsa_mgf1_md:sha256 -sha256 \ + -in $< -out $@ +all_final += server9-bad-saltlen.crt + +server9-bad-mgfhash.crt: server9.csr $(test_ca_crt) $(test_ca_key_file_rsa) + $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa \ + -passin "pass:$(test_ca_pwd_rsa)" -CA $(test_ca_crt) -CAkey $(test_ca_key_file_rsa) \ + -set_serial 24 -days 3653 \ + -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:max \ + -sigopt rsa_mgf1_md:sha224 -sha256 \ + -in $< -out $@ +all_final += server9-bad-mgfhash.crt + # server10* server10.crt: server10.key test-int-ca3.crt test-int-ca3.key 
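Review bot: The `server9-bad-saltlen.crt` recipe uses the same signing options the `server9-%.crt` pattern rule applies for sha256 (`rsa_pss_saltlen:max`, `rsa_mgf1_md:sha256 -sha256`, serial 24), and its own FIXME says the result has a good salt length. Adding it to `all_final` means regenerating the fixtures replaces a negative test input with a well-formed certificate, so a test that expects rejection of a bad PSS salt length would no longer exercise that check. Until the rule can produce the malformed parameter, leave out `all_final += server9-bad-saltlen.crt` and keep the committed file as the source of truth. The FIXME could then read `# FIXME: this recipe yields a valid salt length; do not regenerate, the committed file is the fixture`.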
From 4ad45c01b90955f2704da1fa5d22434fd95e3a21 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Mon, 29 May 2023 15:15:02 +0800 Subject: [PATCH 039/222] Update server9*.crt Signed-off-by: Pengyu Lv --- tests/data_files/server9-bad-mgfhash.crt | 37 ++++---- tests/data_files/server9-bad-saltlen.crt | 37 ++++---- tests/data_files/server9-badsign.crt | 26 +++--- tests/data_files/server9-defaults.crt | 27 +++--- tests/data_files/server9-sha224.crt | 37 ++++---- tests/data_files/server9-sha256.crt | 37 ++++---- tests/data_files/server9-sha384.crt | 37 ++++---- tests/data_files/server9-sha512.crt | 37 ++++---- tests/data_files/server9-with-ca.crt | 110 ++++++----------------- tests/data_files/server9.crt | 26 +++--- 10 files changed, 178 insertions(+), 233 deletions(-) diff --git a/tests/data_files/server9-bad-mgfhash.crt b/tests/data_files/server9-bad-mgfhash.crt index 34ef69e03..ad299423b 100644 --- a/tests/data_files/server9-bad-mgfhash.crt +++ b/tests/data_files/server9-bad-mgfhash.crt 
@@ -1,20 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDWzCCAhKgAwIBAgIBGDA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAaEa -MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgSiBAICAN4wOzELMAkGA1UEBhMCTkwx -ETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBMB4X -DTE0MDEyMDEzNTc0NVoXDTI0MDExODEzNTc0NVowNDELMAkGA1UEBhMCTkwxETAP -BgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcN -AQEBBQADgY0AMIGJAoGBAN0Rip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7C -uxNA24oSjokTJKXF9frY9ZDXyMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsI -i2OZOgol7kXSGFi6uZMa7dRYmmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCV -AgMBAAGjgZIwgY8wCQYDVR0TBAIwADAdBgNVHQ4EFgQU7vPH9R8VpU1HicHTImOy -36fOvVEwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJ -BgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wg -VGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAaEaMBgGCSqG -SIb3DQEBCDALBglghkgBZQMEAgSiBAICAN4DggEBAIfliohNjz4CLGbHWgWRBFQ3 -Difn027ZnULTvokT67ii1sJzESzqaIakyyu8GRwfoFRNh/rbGfe4C6e9SkwKbnDg -WE9SWbK6ukIQbMy69C+CVqFlRUHbONw/dmcneAWyZYGx/2Sf4D5kkpIWNDBeKuaV -H69XPZCeN3QAACmdAfo4NYW0I69a1OSaUrTyGT1nBOrzQ8Y0aJBnCJAte49bhQEW -KJv0kMj+8ZG1X0RoSdklf3GqdLUbsfJ2txu14GGAxy4C1gl2JWzoBHN5LMLf0cZ9 -uEYui7N/5bkSv8KXdbGvSzgn6zZ0MiCJMiiGEf0L1FxBiBCVsK4C2idpiZH+e28= +MIIDYzCCAhagAwIBAgIBGDBCBgkqhkiG9w0BAQowNaAPMA0GCWCGSAFlAwQCAQUA +oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCBAUAogQCAgDeMDsxCzAJBgNVBAYT +Ak5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBD +QTAeFw0yMzA1MTcwODM5NDhaFw0zMzA1MTcwODM5NDhaMDQxCzAJBgNVBAYTAk5M +MREwDwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqG +SIb3DQEBAQUAA4GNADCBiQKBgQDdEYqfmbqwaMoq6jtqbVmX7U7JVOQN7s6gfaAe +qugOwrsTQNuKEo6JEySlxfX62PWQ18jKy8X+kx2v2hIjc1J5Rhq6oFcrdhYxs6iv +5zibCItjmToKJe5F0hhYurmTGu3UWJpjGzf89xQIn4VlSfNZMm3R4Oht3lLtZrSp +C9pAlQIDAQABo4GSMIGPMB0GA1UdDgQWBBTu88f1HxWlTUeJwdMiY7Lfp869UTBj +BgNVHSMEXDBagBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMC +TkwxETAPBgNVBAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENB 
+ggEDMAkGA1UdEwQCMAAwQgYJKoZIhvcNAQEKMDWgDzANBglghkgBZQMEAgEFAKEc +MBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgQFAKIEAgIA3gOCAQEAaQlf1GPhvPHp +hFgTdIB5x5zACVb4a4ONuySVckfMpWk2nlkRSu3Kgv4j8l/jfNpfr+we4lG72xEn +FV3em8dEzxvXd5jXCfR/hWJKYVoWh0055qWw7FpG20vRFKttU8UFclL7KvMs4InZ +vDpbPs5EwBQXTg/manL9TD9t/zqWAUJj1yHWiIISYzfWmsaoTi8jNxSR1+lkmPPP +ZWQwyUJrh82Mw3VwNGxXOfpGIwmjXPia8MafjjH/RtHNx7ukCk+6q1ZlH57NolZJ +dlQTJv21+vxyYr6GZdHXzdJwWMnFSof6VGwayNzetSnVhJb0SQqTBt8Vu5xQtXGa +QcCjGyCAIg== -----END CERTIFICATE----- diff --git a/tests/data_files/server9-bad-saltlen.crt b/tests/data_files/server9-bad-saltlen.crt index f4da8832f..78298e98b 100644 --- a/tests/data_files/server9-bad-saltlen.crt +++ b/tests/data_files/server9-bad-saltlen.crt 
@@ -1,20 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDWzCCAhKgAwIBAgIBGDA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAaEa -MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiBAICAN4wOzELMAkGA1UEBhMCTkwx -ETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBMB4X -DTE0MDEyMDEzNTc0NVoXDTI0MDExODEzNTc0NVowNDELMAkGA1UEBhMCTkwxETAP -BgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcN -AQEBBQADgY0AMIGJAoGBAN0Rip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7C -uxNA24oSjokTJKXF9frY9ZDXyMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsI -i2OZOgol7kXSGFi6uZMa7dRYmmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCV -AgMBAAGjgZIwgY8wCQYDVR0TBAIwADAdBgNVHQ4EFgQU7vPH9R8VpU1HicHTImOy -36fOvVEwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJ -BgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wg -VGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAaEaMBgGCSqG -SIb3DQEBCDALBglghkgBZQMEAgGiBAICAN4DggEBAE7T54cyUf0ByNr34JaojFam -hV0T9QSc4wJ17sX67rxYIorXU8MynaneJzFxD9utOD3dq2TON18VswhT2McDgefl -XMwivCC0nWod8Pk638QaHxbaqC7XSq0QRBfOMXwV7knLNxI8smc9UJaco39VEcGD -yCkq4By/VCWTpvJ+1hx4zZ8WoXpFJFM5m5y9oEz4lgNv/6Wu7ILztyOk2yJiSR8r -YooC4zVeUOZuDO6At/NXZuSvmKmr+tfFrFA1AA/7yR5odQbqFVNSJ+u0x1Jv8Ra6 -JXA4cXsnaDaRe+Wm0L0p+2PtQWXE5npXYIbFHAA9EOC3Ab8oaP9M/F6yQMa/2is= +MIIDYzCCAhagAwIBAgIBGDBCBgkqhkiG9w0BAQowNaAPMA0GCWCGSAFlAwQCAQUA +oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogQCAgDeMDsxCzAJBgNVBAYT +Ak5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBD +QTAeFw0yMzA1MTcwODMzNDJaFw0zMzA1MTcwODMzNDJaMDQxCzAJBgNVBAYTAk5M +MREwDwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqG +SIb3DQEBAQUAA4GNADCBiQKBgQDdEYqfmbqwaMoq6jtqbVmX7U7JVOQN7s6gfaAe +qugOwrsTQNuKEo6JEySlxfX62PWQ18jKy8X+kx2v2hIjc1J5Rhq6oFcrdhYxs6iv +5zibCItjmToKJe5F0hhYurmTGu3UWJpjGzf89xQIn4VlSfNZMm3R4Oht3lLtZrSp +C9pAlQIDAQABo4GSMIGPMB0GA1UdDgQWBBTu88f1HxWlTUeJwdMiY7Lfp869UTBj +BgNVHSMEXDBagBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMC +TkwxETAPBgNVBAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENB 
+ggEDMAkGA1UdEwQCMAAwQgYJKoZIhvcNAQEKMDWgDzANBglghkgBZQMEAgEFAKEc +MBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIEAgIA3gOCAQEALIe0VtQaT92x +fNkzIdRHkv+3C6P4URzFP9cBMm+ulX86ld/Szl4J2eUywtzQz22UZE5ZT23xutCx +pUC3AZyzRNiDAdsPvofvf88MJtxDROe7v/MgmXqKxx2t+/N62Mf2mzd9Wu9ibBcO +DrawRQtlUgUkwlzdTtWUxu/VYMEhdeXMPHRSzX0ODAQOA9EydR/BvPmuvMYIvb8M +L1ifzupTm+W92v6kB1AmEXjtvcPEba6rvfZylKISJPmRH3wTdt1+s/1j/PjdUfIa +WbjiucXRSk3NBsza+w5cS4CQu3dbZaY2lBhBkoWvxZm+XU4mfxmjCW6jl59NAmMD +X7c2Uua8SA== -----END CERTIFICATE----- diff --git a/tests/data_files/server9-badsign.crt b/tests/data_files/server9-badsign.crt index 9e565419e..8656b1a47 100644 --- a/tests/data_files/server9-badsign.crt +++ b/tests/data_files/server9-badsign.crt 
@@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- MIIDBTCCAeegAwIBAgIBFjATBgkqhkiG9w0BAQowBqIEAgIA6jA7MQswCQYDVQQG -EwJOTDERMA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3Qg -Q0EwHhcNMTQwMTIwMTMzODE2WhcNMjQwMTE4MTMzODE2WjA0MQswCQYDVQQGEwJO -TDERMA8GA1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkq +EwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3Qg +Q0EwHhcNMjMwNTE3MDgwNDAwWhcNMzMwNTE3MDgwNDAwWjA0MQswCQYDVQQGEwJO +TDERMA8GA1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkq hkiG9w0BAQEFAAOBjQAwgYkCgYEA3RGKn5m6sGjKKuo7am1Zl+1OyVTkDe7OoH2g HqroDsK7E0DbihKOiRMkpcX1+tj1kNfIysvF/pMdr9oSI3NSeUYauqBXK3YWMbOo r+c4mwiLY5k6CiXuRdIYWLq5kxrt1FiaYxs3/PcUCJ+FZUnzWTJt0eDobd5S7Wa0 -qQvaQJUCAwEAAaOBkjCBjzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTu88f1HxWlTUeJ -wdMiY7Lfp869UTBjBgNVHSMEXDBagBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0w -OzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xh -clNTTCBUZXN0IENBggEAMBMGCSqGSIb3DQEBCjAGogQCAgDqA4IBAQDAog/jXydR -vDIugTzBXtfVK0CEX8iyQ4cVzQmXWSne8204v943K5D2hktSBkjdQUdcnVvVgLR6 -te50jV89ptN/NofX+fo9fhSRN9vGgQVWzOOFiO0zcThy749pirJu1Kq5OJdthIyW -Pu0UCz5G0k3kTp0JPevGlsNc8S9Ak1tFuB0IPJjrbfODWHS2LDuO+dB6gpkNTdrj -88ogYtBsN4D5gsXBRUfobXokUwejBwLrD6XwyQx+0bMwSCxgHEhxvuUkx1vdlXGw -JG3aF92u8mIxoKSAPaPdqy930mQvmpUWcN5Y1IMbtEGoQCKMYgosFcazJpJcjnX1 -o4Hl/lqjwCFG +qQvaQJUCAwEAAaOBkjCBjzAdBgNVHQ4EFgQU7vPH9R8VpU1HicHTImOy36fOvVEw +YwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNVBAYT +Ak5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBD +QYIBAzAJBgNVHRMEAjAAMBMGCSqGSIb3DQEBCjAGogQCAgDqA4IBAQC2DLHQ05x6 +imJNztE/Tnk/lPQ01Pw6Girdbk4bgxcGwGj+1u5wAIHNpJ50TOggg3HxTyb7p344 +/tVMxz7nrHZQ5ASdn2kDCyCmEqhmj48isWAIml+7J9cBeImJoEfYqjtqtoVkGxFy +SuoZAQWkkqDpyFhKhIjLQ8JuSE6wWMX/kc6TFSSxepnZU1SFOXfCiaVr5tFQzBP7 +loppIANLjKeMjpOdU86PmRQ2LyzaCH1OMnjVndeqNmZt0NyzZ18cFPvm6+DVVVuP +Q+6nReShCdAlU+dJqsqj8JsQneNMTxjv4OBoXVmE/kZTj/DBTtwmxkVi7K4aYMFi +UYUZ4RiwG1/0 -----END CERTIFICATE----- 
diff --git a/tests/data_files/server9-defaults.crt b/tests/data_files/server9-defaults.crt index 4ce5c8732..8613f5237 100644 --- a/tests/data_files/server9-defaults.crt +++ b/tests/data_files/server9-defaults.crt 
@@ -1,19 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIDBjCCAe6gAwIBAgIBSDANBgkqhkiG9w0BAQowADA7MQswCQYDVQQGEwJOTDER -MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN -MTQwNjA1MTU1NjUzWhcNMjQwNjAyMTU1NjUzWjA0MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0B +MIIC+TCCAeGgAwIBAgIBSDANBgkqhkiG9w0BAQowADA7MQswCQYDVQQGEwJOTDER +MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MjMwNTE3MDcxMDM3WhcNMzMwNTE3MDcxMDM3WjA0MQswCQYDVQQGEwJOTDERMA8G +A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0B AQEFAAOBjQAwgYkCgYEA3RGKn5m6sGjKKuo7am1Zl+1OyVTkDe7OoH2gHqroDsK7 E0DbihKOiRMkpcX1+tj1kNfIysvF/pMdr9oSI3NSeUYauqBXK3YWMbOor+c4mwiL Y5k6CiXuRdIYWLq5kxrt1FiaYxs3/PcUCJ+FZUnzWTJt0eDobd5S7Wa0qQvaQJUC -AwEAAaOBnzCBnDAJBgNVHRMEAjAAMB0GA1UdDgQWBBTu88f1HxWlTUeJwdMiY7Lf -p869UTBjBgNVHSMEXDBagBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0wOzELMAkG -A1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBU -ZXN0IENBggEAMAsGA1UdDwQEAwIFoDANBgkqhkiG9w0BAQowAAOCAQEAGUdim4uy -/rBDFMF8qhjH1qsv0o8ON4HgP3YXbdKdIMfd+p5KtoqHQnrkixWxaIvfORnR4mGm -f8H5BimwIkNLxy7zS88TVDOYel8g7B2yl0nq4biki83NStNBYZJjxKT0ud5O5mGd -jHdy9vTEc7h8q+SHzRdgpNFXyKY5OQYng1LHco8h1UR8/nmPMuDtocHMnmMXu68a -69+TtZxx90/V4gJZOoL1iCi8HEsKoJzm/L8ji54OYt7FxgFfE3VmLsXeMaWYO8GS -BUxh5kqZ25O8hQXK5ywfuVK83Do/SsoClbgx9mboybseGVFIJaxs9e66GFDMoI3B -09JqWv4DoLNnwg== +AwEAAaOBkjCBjzAdBgNVHQ4EFgQU7vPH9R8VpU1HicHTImOy36fOvVEwYwYDVR0j +BFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNVBAYTAk5MMREw +DwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBDQYIBAzAJ +BgNVHRMEAjAAMA0GCSqGSIb3DQEBCjAAA4IBAQASsc5y7sDP4prOLGAl2EB5d+Gg +w/Vk9+g3KXpeIUCL6gmECNLENmmBe6zZR8/Ax6R1hUe/Cbflepxsx627Eg29NCZK +Bo/AQoz658kwEzr4jhF8M6y9sdsf5/OauoRxDLcMEywIkgmuFvZIpyEwXix6arsK +mNWnW0FwSr2NaXozD7OquGwTEAvAbtei+5JAeVvvGi1u32D2JPVHk3zv05LXtx8b +8bEmzZLthFk3GbSkGHC3K5rjNgTMwY0BhNBW6qFyY5mL0bHVDbZQxD9RRwDifGty +fTo7odJDAHU1xucWF6dOU5nAqiFKlc3eITdBKt+d10yBSr7qXciHkHpAzCvh -----END CERTIFICATE----- 
diff --git a/tests/data_files/server9-sha224.crt b/tests/data_files/server9-sha224.crt index 1b05f313a..ed648c8c0 100644 --- a/tests/data_files/server9-sha224.crt +++ b/tests/data_files/server9-sha224.crt 
@@ -1,20 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDWzCCAhKgAwIBAgIBFzA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCBKEa -MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgSiBAICAOIwOzELMAkGA1UEBhMCTkwx -ETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBMB4X -DTE0MDEyMDEzNTczNloXDTI0MDExODEzNTczNlowNDELMAkGA1UEBhMCTkwxETAP -BgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcN -AQEBBQADgY0AMIGJAoGBAN0Rip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7C -uxNA24oSjokTJKXF9frY9ZDXyMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsI -i2OZOgol7kXSGFi6uZMa7dRYmmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCV -AgMBAAGjgZIwgY8wCQYDVR0TBAIwADAdBgNVHQ4EFgQU7vPH9R8VpU1HicHTImOy -36fOvVEwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJ -BgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wg -VGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCBKEaMBgGCSqG -SIb3DQEBCDALBglghkgBZQMEAgSiBAICAOIDggEBADJExjfWWvL28lgj+GGgviqo -PHZLxI0pLQUnFJQ9Kpu6jxfICseBF00Z6BJE/RcYDpIie5GDt/8u/i6xB6Li29Pm -g5nANgd/Y3fFnW7d0ydVjiSnetlPuf/jTlWQl6mQTH2xqYu8J8d3JRxQdRiDYbVm -uywW2d6rksiqm6dPD5l4A5DcemcYo8f/1Ifj5WNDCV8/OHex+AnW2ccDvWAnVgSR -B2VpOXJzVFuBsuf4tGVm/2TUMSB6NcvFc6TeJk1kzbZxii4QjKXtH1SfrVP59iEe -l17NYAEWARjBpQWBiutRG+QM2et0sNiUBuWxTkvd0eSgencNysVAOsZqrqaX3CY= +MIIDYzCCAhagAwIBAgIBFzBCBgkqhkiG9w0BAQowNaAPMA0GCWCGSAFlAwQCBAUA +oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCBAUAogQCAgDiMDsxCzAJBgNVBAYT +Ak5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBD +QTAeFw0yMzA1MTcwNzEwMzdaFw0zMzA1MTQwNzEwMzdaMDQxCzAJBgNVBAYTAk5M +MREwDwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqG +SIb3DQEBAQUAA4GNADCBiQKBgQDdEYqfmbqwaMoq6jtqbVmX7U7JVOQN7s6gfaAe +qugOwrsTQNuKEo6JEySlxfX62PWQ18jKy8X+kx2v2hIjc1J5Rhq6oFcrdhYxs6iv +5zibCItjmToKJe5F0hhYurmTGu3UWJpjGzf89xQIn4VlSfNZMm3R4Oht3lLtZrSp +C9pAlQIDAQABo4GSMIGPMAkGA1UdEwQCMAAwHQYDVR0OBBYEFO7zx/UfFaVNR4nB +0yJjst+nzr1RMGMGA1UdIwRcMFqAFLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7 +MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFy 
+U1NMIFRlc3QgQ0GCAQMwQgYJKoZIhvcNAQEKMDWgDzANBglghkgBZQMEAgQFAKEc +MBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgQFAKIEAgIA4gOCAQEAjG73ZOe2pQn6 +jqiTHALGM0IG8BBCamo3gzbCjZPz3ZnTpZii1pQSFPGEBaKCgrtKrjvoP21ZDUnq +3HjTUzGtGbHk3h+UJcVYgFuONidguUDaALGtXIPWUlqBBeJL+Y+01zJRnMpC2hV7 +JUOM3es02te8RM6srCdW1fP9x+Lx4G2Kjj7kEzKafEbwFesS4LbBXsWkID8xDPHO +DLKvg66tPeksDBT4n7f7H51eNlyIwwMDKTc+N9Ri5OeW1HOqtbyo/yJlHvQqnCld +E8gW+AVoeZmN6n/4yemnCEkFRqgbRSIGVoPmOY9d/FfGLmClcaZFPcH+w1JDhF71 +3egYnUY/9g== -----END CERTIFICATE----- diff --git a/tests/data_files/server9-sha256.crt b/tests/data_files/server9-sha256.crt index 7d0aa3956..ef37b3f6a 100644 --- a/tests/data_files/server9-sha256.crt +++ b/tests/data_files/server9-sha256.crt 
@@ -1,20 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDWzCCAhKgAwIBAgIBGDA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAaEa -MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiBAICAN4wOzELMAkGA1UEBhMCTkwx -ETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBMB4X -DTE0MDEyMDEzNTc0NVoXDTI0MDExODEzNTc0NVowNDELMAkGA1UEBhMCTkwxETAP -BgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcN -AQEBBQADgY0AMIGJAoGBAN0Rip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7C -uxNA24oSjokTJKXF9frY9ZDXyMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsI -i2OZOgol7kXSGFi6uZMa7dRYmmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCV -AgMBAAGjgZIwgY8wCQYDVR0TBAIwADAdBgNVHQ4EFgQU7vPH9R8VpU1HicHTImOy -36fOvVEwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJ -BgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wg -VGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAaEaMBgGCSqG -SIb3DQEBCDALBglghkgBZQMEAgGiBAICAN4DggEBAH0+knqkcLaxeDkenBQgd4Qg -3ZyAhtpiLU689mw+3cXB/uzFrCIxEL5aGh1eSj+DszB+FtsZ06ux7JVQqVOA2Wm9 -yLxC6wF8OOYj0nBa91BWLhRAHLhmIdWsVk7Hl9KojZd4TwV2N+ZEV/BLxyoRvK4H -V4xCpzgDSiTPe8Etk4r+0akbr6bsOUBayPb7MGLHubZKq8NsFAmmynp+fPmHd3SE -0ooJdiZ1MmKPKLE5Og/hXCI8qeiXQUR6oQ7b2XONsrI2HIj2SA9dA5qmHwE5PbMu -zqxQ3R83boqLXbkFORn+UiYLmffqdoWuNy00BHMCrxRA9DUv+WyN4npLMF8rOJw= +MIIDYzCCAhagAwIBAgIBFzBCBgkqhkiG9w0BAQowNaAPMA0GCWCGSAFlAwQCAQUA +oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogQCAgDeMDsxCzAJBgNVBAYT +Ak5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBD +QTAeFw0yMzA1MTcwNzEwMzdaFw0zMzA1MTQwNzEwMzdaMDQxCzAJBgNVBAYTAk5M +MREwDwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqG +SIb3DQEBAQUAA4GNADCBiQKBgQDdEYqfmbqwaMoq6jtqbVmX7U7JVOQN7s6gfaAe +qugOwrsTQNuKEo6JEySlxfX62PWQ18jKy8X+kx2v2hIjc1J5Rhq6oFcrdhYxs6iv +5zibCItjmToKJe5F0hhYurmTGu3UWJpjGzf89xQIn4VlSfNZMm3R4Oht3lLtZrSp +C9pAlQIDAQABo4GSMIGPMAkGA1UdEwQCMAAwHQYDVR0OBBYEFO7zx/UfFaVNR4nB +0yJjst+nzr1RMGMGA1UdIwRcMFqAFLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7 +MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFy 
+U1NMIFRlc3QgQ0GCAQMwQgYJKoZIhvcNAQEKMDWgDzANBglghkgBZQMEAgEFAKEc +MBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIEAgIA3gOCAQEAXcWlfbIjRJX3 +eCkj03eKLvhawFndN6mWMOTVvr20Vdhhn57wngSKYgtsbOZhpT+pIXTTpxhku7uS +Pg6NDU0W13xbrcIsYxkZRcN6AYcnV0NxnhdfkmxwDjLyohgm8IdgvHb04r73OP0j +KmnZfJJpnxkVGD8NFGj2hBCR7ynbVBAfJegl0Lruxc4AlrniG6MW9xfkmE3EfOQg +dwZv3UuhxzEhLmR933BCijwfhBVfyzarGjDtZjQYNwWKhRl+OXM+L14Ofq7htSxz +kSM5KJfCAzLFNd6N2YU84IhqwTS4CZ/bE1HchEYPtXm97bj8Vldrfv2up/4Rc0kF +a8P+xLLmug== -----END CERTIFICATE----- diff --git a/tests/data_files/server9-sha384.crt b/tests/data_files/server9-sha384.crt index aaa63e6ed..2ea0108d4 100644 --- a/tests/data_files/server9-sha384.crt +++ b/tests/data_files/server9-sha384.crt 
@@ -1,20 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDWzCCAhKgAwIBAgIBGTA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAqEa -MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgKiBAICAM4wOzELMAkGA1UEBhMCTkwx -ETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBMB4X -DTE0MDEyMDEzNTc1OFoXDTI0MDExODEzNTc1OFowNDELMAkGA1UEBhMCTkwxETAP -BgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcN -AQEBBQADgY0AMIGJAoGBAN0Rip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7C -uxNA24oSjokTJKXF9frY9ZDXyMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsI -i2OZOgol7kXSGFi6uZMa7dRYmmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCV -AgMBAAGjgZIwgY8wCQYDVR0TBAIwADAdBgNVHQ4EFgQU7vPH9R8VpU1HicHTImOy -36fOvVEwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJ -BgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wg -VGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCAqEaMBgGCSqG -SIb3DQEBCDALBglghkgBZQMEAgKiBAICAM4DggEBABf8Gyq2VYuN1EBW1nOapDQp -B/KuafNW2GEJ7FmQKNyA7MIj1Yqo2MtJ6/OQojRQ3F5rnO4yjmvIPsXeQaMxJBiI -aaoAlLpH++F+oXMq/0aS0WSZrSLrsh2Fpay9cBDGwek2rDOX9kM+ZcPzGitVwWKX -TnOW22hpcl7u95CpZH+JZTcto5nL3tTyV9pIy+tSKQQfjPB+G0TAZCsOkbCGPLug -qdjvqFQwOf15VxQMj7NRiXjlqJvsx+I7B2AIhrs4DzQMEyiWq9S/PzpQuFU5v/Kg -s2iMLJ5ygv5aN3PYqGlE1ZmvgyRp5h/LaTGI2L6lzRTnecOhtPv30N2tyaDAEfo= +MIIDYzCCAhagAwIBAgIBFzBCBgkqhkiG9w0BAQowNaAPMA0GCWCGSAFlAwQCAgUA +oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAgUAogQCAgDOMDsxCzAJBgNVBAYT +Ak5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBD +QTAeFw0yMzA1MTcwNzEwMzdaFw0zMzA1MTQwNzEwMzdaMDQxCzAJBgNVBAYTAk5M +MREwDwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqG +SIb3DQEBAQUAA4GNADCBiQKBgQDdEYqfmbqwaMoq6jtqbVmX7U7JVOQN7s6gfaAe +qugOwrsTQNuKEo6JEySlxfX62PWQ18jKy8X+kx2v2hIjc1J5Rhq6oFcrdhYxs6iv +5zibCItjmToKJe5F0hhYurmTGu3UWJpjGzf89xQIn4VlSfNZMm3R4Oht3lLtZrSp +C9pAlQIDAQABo4GSMIGPMAkGA1UdEwQCMAAwHQYDVR0OBBYEFO7zx/UfFaVNR4nB +0yJjst+nzr1RMGMGA1UdIwRcMFqAFLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7 +MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFy 
+U1NMIFRlc3QgQ0GCAQMwQgYJKoZIhvcNAQEKMDWgDzANBglghkgBZQMEAgIFAKEc +MBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgIFAKIEAgIAzgOCAQEAmTU2HqAA7gbB +tJlDAve8nGbdCim4YjRXWceHGCpoFIWrs6onlHCvnZ2Wr8iPk+wnd7ShIpp8vGb/ +476y8pfaA2n8vYWhQKDCTTUXJN4tUc7i8Uz4RGdK48vHVvZCtCT/8MmPPouOIZcU +/Kkenw2jv5R/CpiirVUsjNx6BYcdu1zzEU+uoBLom6sZ6LGRlIB0prFWcxrVjfzx +2C8ZxMW8NWj6EQipQJ2U+CCycA2HkbCmt3FnEXmN5OWThvnKdshoPkMn2HwhAOzn +cjZQhQT3WSufvZ9bYe7HZ5e1e7k6aMXBvW89ECxc12mZfSjlYmlvfHZuO8D2sP2i +RidkcXFMxQ== -----END CERTIFICATE----- diff --git a/tests/data_files/server9-sha512.crt b/tests/data_files/server9-sha512.crt index a211b921d..4abdf6813 100644 --- a/tests/data_files/server9-sha512.crt +++ b/tests/data_files/server9-sha512.crt 
@@ -1,20 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDWzCCAhKgAwIBAgIBGjA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCA6Ea -MBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgOiBAICAL4wOzELMAkGA1UEBhMCTkwx -ETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBMB4X -DTE0MDEyMDEzNTgxMloXDTI0MDExODEzNTgxMlowNDELMAkGA1UEBhMCTkwxETAP -BgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcN -AQEBBQADgY0AMIGJAoGBAN0Rip+ZurBoyirqO2ptWZftTslU5A3uzqB9oB6q6A7C -uxNA24oSjokTJKXF9frY9ZDXyMrLxf6THa/aEiNzUnlGGrqgVyt2FjGzqK/nOJsI -i2OZOgol7kXSGFi6uZMa7dRYmmMbN/z3FAifhWVJ81kybdHg6G3eUu1mtKkL2kCV -AgMBAAGjgZIwgY8wCQYDVR0TBAIwADAdBgNVHQ4EFgQU7vPH9R8VpU1HicHTImOy -36fOvVEwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJ -BgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wg -VGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCGSAFlAwQCA6EaMBgGCSqG -SIb3DQEBCDALBglghkgBZQMEAgOiBAICAL4DggEBACdVozFq6rUiXo+ib5Y2oPsR -6xxl4Ydn3LpUoYrPpTOrhcXJWW/tOLHGuCF/mSRfUzKaMIfL418cZHYnvumvuttu -6z3tp5E1VsiZCU2MWJnzjKSxFBOss43AmpJHHoapGFZu2pxObBPqegAKHYkKWOLk -tJDj47PurWgEek9j1nL7Pc1tVf59fm/ySp4fWkXLLvQiKid1516VioLyacUvK3zU -6Egz8jMt7D5c9KpaExLRTANVsThqO5/dmR36bOwm3Hpbde7DNdgxru41tiLMqJs/ -5pX3ceaJ1XQ/l0idj5/9ipvqHHUguyk7H22HwQHQdSD9oIha8kEM3P6CjpfE7yY= +MIIDYzCCAhagAwIBAgIBFzBCBgkqhkiG9w0BAQowNaAPMA0GCWCGSAFlAwQCAwUA +oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAwUAogQCAgC+MDsxCzAJBgNVBAYT +Ak5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBD +QTAeFw0yMzA1MTcwNzEwMzdaFw0zMzA1MTQwNzEwMzdaMDQxCzAJBgNVBAYTAk5M +MREwDwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqG +SIb3DQEBAQUAA4GNADCBiQKBgQDdEYqfmbqwaMoq6jtqbVmX7U7JVOQN7s6gfaAe +qugOwrsTQNuKEo6JEySlxfX62PWQ18jKy8X+kx2v2hIjc1J5Rhq6oFcrdhYxs6iv +5zibCItjmToKJe5F0hhYurmTGu3UWJpjGzf89xQIn4VlSfNZMm3R4Oht3lLtZrSp +C9pAlQIDAQABo4GSMIGPMAkGA1UdEwQCMAAwHQYDVR0OBBYEFO7zx/UfFaVNR4nB +0yJjst+nzr1RMGMGA1UdIwRcMFqAFLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7 +MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFy 
+U1NMIFRlc3QgQ0GCAQMwQgYJKoZIhvcNAQEKMDWgDzANBglghkgBZQMEAgMFAKEc +MBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgMFAKIEAgIAvgOCAQEAVut9oL/0V/vo +f9VKxAZfyy0zFy+LOHzV1H5qQaPKJnXIAUp/sDtvOjugqHKjamg6dCIVy292Yxcx +rW8WcMR1Bj9MQ5Qrv++TZ0a1e0qet1GYxj4MQkU30XlJq/Jh7ede9Vh/yBxKTQq7 +oaJ6fOTFWcz1JZDrZrKffBOqIp5jQWPARilUDN6FiRNYV3/14aWVGnNbqGfoY8CC +WvpC0iAvrQxjdQQf6nIYrzcGNzvrpRbhpzBPUyUIrM1o+nyiNAJPlyncjFwmfw9g +80FP1XnRIIKmlTTG7ivkjHKzE6WXZSQPjArg0jxQAX1uLKJGFhu+ueKyoPOHQXS0 +O1z3OQn3+w== -----END CERTIFICATE----- diff --git a/tests/data_files/server9-with-ca.crt b/tests/data_files/server9-with-ca.crt index 0478cff85..51c0ada84 100644 --- a/tests/data_files/server9-with-ca.crt +++ b/tests/data_files/server9-with-ca.crt 
@@ -1,99 +1,39 @@ -----BEGIN CERTIFICATE----- MIIDBTCCAeegAwIBAgIBFjATBgkqhkiG9w0BAQowBqIEAgIA6jA7MQswCQYDVQQG -EwJOTDERMA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3Qg -Q0EwHhcNMTQwMTIwMTMzODE2WhcNMjQwMTE4MTMzODE2WjA0MQswCQYDVQQGEwJO -TDERMA8GA1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkq +EwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3Qg +Q0EwHhcNMjMwNTE3MDgwNDAwWhcNMzMwNTE3MDgwNDAwWjA0MQswCQYDVQQGEwJO +TDERMA8GA1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkq hkiG9w0BAQEFAAOBjQAwgYkCgYEA3RGKn5m6sGjKKuo7am1Zl+1OyVTkDe7OoH2g HqroDsK7E0DbihKOiRMkpcX1+tj1kNfIysvF/pMdr9oSI3NSeUYauqBXK3YWMbOo r+c4mwiLY5k6CiXuRdIYWLq5kxrt1FiaYxs3/PcUCJ+FZUnzWTJt0eDobd5S7Wa0 -qQvaQJUCAwEAAaOBkjCBjzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTu88f1HxWlTUeJ -wdMiY7Lfp869UTBjBgNVHSMEXDBagBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0w -OzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xh -clNTTCBUZXN0IENBggEAMBMGCSqGSIb3DQEBCjAGogQCAgDqA4IBAQDAog/jXydR -vDIugTzBXtfVK0CEX8iyQ4cVzQmXWSne8204v943K5D2hktSBkjdQUdcnVvVgLR6 -te50jV89ptN/NofX+fo9fhSRN9vGgQVWzOOFiO0zcThy749pirJu1Kq5OJdthIyW -Pu0UCz5G0k3kTp0JPevGlsNc8S9Ak1tFuB0IPJjrbfODWHS2LDuO+dB6gpkNTdrj -88ogYtBsN4D5gsXBRUfobXokUwejBwLrD6XwyQx+0bMwSCxgHEhxvuUkx1vdlXGw -JG3aF92u8mIxoKSAPaPdqy930mQvmpUWcN5Y1IMbtEGoQCKMYgosFcazJpJcjnX1 -o4Hl/lqjwCEG +qQvaQJUCAwEAAaOBkjCBjzAdBgNVHQ4EFgQU7vPH9R8VpU1HicHTImOy36fOvVEw +YwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNVBAYT +Ak5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBD +QYIBAzAJBgNVHRMEAjAAMBMGCSqGSIb3DQEBCjAGogQCAgDqA4IBAQC2DLHQ05x6 +imJNztE/Tnk/lPQ01Pw6Girdbk4bgxcGwGj+1u5wAIHNpJ50TOggg3HxTyb7p344 +/tVMxz7nrHZQ5ASdn2kDCyCmEqhmj48isWAIml+7J9cBeImJoEfYqjtqtoVkGxFy +SuoZAQWkkqDpyFhKhIjLQ8JuSE6wWMX/kc6TFSSxepnZU1SFOXfCiaVr5tFQzBP7 +loppIANLjKeMjpOdU86PmRQ2LyzaCH1OMnjVndeqNmZt0NyzZ18cFPvm6+DVVVuP +Q+6nReShCdAlU+dJqsqj8JsQneNMTxjv4OBoXVmE/kZTj/DBTtwmxkVi7K4aYMFi +UYUZ4RiwG1/7 -----END CERTIFICATE----- -Certificate: - Data: - Version: 3 (0x2) - Serial 
Number: 0 (0x0) - Signature Algorithm: sha1WithRSAEncryption - Issuer: C=NL, O=PolarSSL, CN=PolarSSL Test CA - Validity - Not Before: Feb 12 14:44:00 2011 GMT - Not After : Feb 12 14:44:00 2021 GMT - Subject: C=NL, O=PolarSSL, CN=PolarSSL Test CA - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public Key: (2048 bit) - Modulus (2048 bit): - 00:c0:df:37:fc:17:bb:e0:96:9d:3f:86:de:96:32: - 7d:44:a5:16:a0:cd:21:f1:99:d4:ec:ea:cb:7c:18: - 58:08:94:a5:ec:9b:c5:8b:df:1a:1e:99:38:99:87: - 1e:7b:c0:8d:39:df:38:5d:70:78:07:d3:9e:d9:93: - e8:b9:72:51:c5:ce:a3:30:52:a9:f2:e7:40:70:14: - cb:44:a2:72:0b:c2:e5:40:f9:3e:e5:a6:0e:b3:f9: - ec:4a:63:c0:b8:29:00:74:9c:57:3b:a8:a5:04:90: - 71:f1:bd:83:d9:3f:d6:a5:e2:3c:2a:8f:ef:27:60: - c3:c6:9f:cb:ba:ec:60:7d:b7:e6:84:32:be:4f:fb: - 58:26:22:03:5b:d4:b4:d5:fb:f5:e3:96:2e:70:c0: - e4:2e:bd:fc:2e:ee:e2:41:55:c0:34:2e:7d:24:72: - 69:cb:47:b1:14:40:83:7d:67:f4:86:f6:31:ab:f1: - 79:a4:b2:b5:2e:12:f9:84:17:f0:62:6f:27:3e:13: - 58:b1:54:0d:21:9a:73:37:a1:30:cf:6f:92:dc:f6: - e9:fc:ac:db:2e:28:d1:7e:02:4b:23:a0:15:f2:38: - 65:64:09:ea:0c:6e:8e:1b:17:a0:71:c8:b3:9b:c9: - ab:e9:c3:f2:cf:87:96:8f:80:02:32:9e:99:58:6f: - a2:d5 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: - CA:TRUE - X509v3 Subject Key Identifier: - B4:5A:E4:A5:B3:DE:D2:52:F6:B9:D5:A6:95:0F:EB:3E:BC:C7:FD:FF - X509v3 Authority Key Identifier: - keyid:B4:5A:E4:A5:B3:DE:D2:52:F6:B9:D5:A6:95:0F:EB:3E:BC:C7:FD:FF - DirName:/C=NL/O=PolarSSL/CN=PolarSSL Test CA - serial:00 - - Signature Algorithm: sha1WithRSAEncryption - b8:fd:54:d8:00:54:90:8b:25:b0:27:dd:95:cd:a2:f7:84:07: - 1d:87:89:4a:c4:78:11:d8:07:b5:d7:22:50:8e:48:eb:62:7a: - 32:89:be:63:47:53:ff:b6:be:f1:2e:8c:54:c0:99:3f:a0:b9: - 37:23:72:5f:0d:46:59:8f:d8:47:cd:97:4c:9f:07:0c:12:62: - 09:3a:24:e4:36:d9:e9:2c:da:38:d0:73:75:61:d7:c1:6c:26: - 8b:9b:e0:d5:dc:67:ed:8c:6b:33:d7:74:22:3c:4c:db:b5:8d: - 2a:ce:2c:0d:08:59:05:09:05:a6:39:9f:b3:67:1b:e2:83:e5: - 
e1:8f:53:f6:67:93:c7:f9:6f:76:44:58:12:e8:3a:d4:97:e7: - e9:c0:3e:a8:7a:72:3d:87:53:1f:e5:2c:84:84:e7:9a:9e:7f: - 66:d9:1f:9b:f5:13:48:b0:4d:14:d1:de:b2:24:d9:78:7d:f5: - 35:cc:58:19:d1:d2:99:ef:4d:73:f8:1f:89:d4:5a:d0:52:ce: - 09:f5:b1:46:51:6a:00:8e:3b:cc:6f:63:01:00:99:ed:9d:a6: - 08:60:cd:32:18:d0:73:e0:58:71:d9:e5:d2:53:d7:8d:d0:ca: - e9:5d:2a:0a:0d:5d:55:ec:21:50:17:16:e6:06:4a:cd:5e:de: - f7:e0:e9:54 -----BEGIN CERTIFICATE----- -MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER -MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN -MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G -A1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G +MIIDRDCCAiygAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTkwMjEwMTQ0NDAwWhcNMjkwMjEwMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G +A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny 50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj -gZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH -/f8wYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNV -BAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVz -dCBDQYIBADANBgkqhkiG9w0BAQUFAAOCAQEAuP1U2ABUkIslsCfdlc2i94QHHYeJ -SsR4EdgHtdciUI5I62J6Mom+Y0dT/7a+8S6MVMCZP6C5NyNyXw1GWY/YR82XTJ8H -DBJiCTok5DbZ6SzaONBzdWHXwWwmi5vg1dxn7YxrM9d0IjxM27WNKs4sDQhZBQkF -pjmfs2cb4oPl4Y9T9meTx/lvdkRYEug61Jfn6cA+qHpyPYdTH+UshITnmp5/Ztkf -m/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ -7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA== 
+UzBRMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68 +x/3/MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEB +BQUAA4IBAQCz557ZZmWv5UTTHebzTyVzku5ldpcicJPqKHP3xZ4tPPY52JQyJg/T +hsRB44yTyNo3/jo9or2KgVnc+/nCmnlvTq22a/j26DtKZ7wD9MWxunpkqRwExtA/ +G816msrl6X6m50WwdLXTvaVJGXCYp8TPVLx5YY3WPIVoX0CPN7Hs9iNJNiEWo4Qf +7dAqjWBB/QpusmWhjaDSc4+cFhT24Yo9HuS1yrkUTrBtJaj0AykTsiyFm6SBVDNH +9XIxCgYy9QrYbDKNtJXhuevpN0yUMV/aUnIkU2wTTouhOzZisjNk0sS1guqmSHzf +hlf8qotOhNvFXpEsCGwZUywayo7c4DtO -----END CERTIFICATE----- diff --git a/tests/data_files/server9.crt b/tests/data_files/server9.crt index a6f9fbc76..26567aee9 100644 --- a/tests/data_files/server9.crt +++ b/tests/data_files/server9.crt 
@@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- MIIDBTCCAeegAwIBAgIBFjATBgkqhkiG9w0BAQowBqIEAgIA6jA7MQswCQYDVQQG -EwJOTDERMA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3Qg -Q0EwHhcNMTQwMTIwMTMzODE2WhcNMjQwMTE4MTMzODE2WjA0MQswCQYDVQQGEwJO -TDERMA8GA1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkq +EwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3Qg +Q0EwHhcNMjMwNTE3MDgwNDAwWhcNMzMwNTE3MDgwNDAwWjA0MQswCQYDVQQGEwJO +TDERMA8GA1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkq hkiG9w0BAQEFAAOBjQAwgYkCgYEA3RGKn5m6sGjKKuo7am1Zl+1OyVTkDe7OoH2g HqroDsK7E0DbihKOiRMkpcX1+tj1kNfIysvF/pMdr9oSI3NSeUYauqBXK3YWMbOo r+c4mwiLY5k6CiXuRdIYWLq5kxrt1FiaYxs3/PcUCJ+FZUnzWTJt0eDobd5S7Wa0 -qQvaQJUCAwEAAaOBkjCBjzAJBgNVHRMEAjAAMB0GA1UdDgQWBBTu88f1HxWlTUeJ -wdMiY7Lfp869UTBjBgNVHSMEXDBagBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0w -OzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xh -clNTTCBUZXN0IENBggEAMBMGCSqGSIb3DQEBCjAGogQCAgDqA4IBAQDAog/jXydR -vDIugTzBXtfVK0CEX8iyQ4cVzQmXWSne8204v943K5D2hktSBkjdQUdcnVvVgLR6 -te50jV89ptN/NofX+fo9fhSRN9vGgQVWzOOFiO0zcThy749pirJu1Kq5OJdthIyW -Pu0UCz5G0k3kTp0JPevGlsNc8S9Ak1tFuB0IPJjrbfODWHS2LDuO+dB6gpkNTdrj -88ogYtBsN4D5gsXBRUfobXokUwejBwLrD6XwyQx+0bMwSCxgHEhxvuUkx1vdlXGw -JG3aF92u8mIxoKSAPaPdqy930mQvmpUWcN5Y1IMbtEGoQCKMYgosFcazJpJcjnX1 -o4Hl/lqjwCEG +qQvaQJUCAwEAAaOBkjCBjzAdBgNVHQ4EFgQU7vPH9R8VpU1HicHTImOy36fOvVEw +YwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNVBAYT +Ak5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBD +QYIBAzAJBgNVHRMEAjAAMBMGCSqGSIb3DQEBCjAGogQCAgDqA4IBAQC2DLHQ05x6 +imJNztE/Tnk/lPQ01Pw6Girdbk4bgxcGwGj+1u5wAIHNpJ50TOggg3HxTyb7p344 +/tVMxz7nrHZQ5ASdn2kDCyCmEqhmj48isWAIml+7J9cBeImJoEfYqjtqtoVkGxFy +SuoZAQWkkqDpyFhKhIjLQ8JuSE6wWMX/kc6TFSSxepnZU1SFOXfCiaVr5tFQzBP7 +loppIANLjKeMjpOdU86PmRQ2LyzaCH1OMnjVndeqNmZt0NyzZ18cFPvm6+DVVVuP +Q+6nReShCdAlU+dJqsqj8JsQneNMTxjv4OBoXVmE/kZTj/DBTtwmxkVi7K4aYMFi +UYUZ4RiwG1/7 -----END CERTIFICATE----- 
From 59f392cd4d5c1498ec34258c1eb0ccf1a99e372c Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 19 May 2023 23:07:09 +0800 Subject: [PATCH 040/222] upgrade server9-bad-saltlen.crt Upgrade scripts ```python import subprocess from asn1crypto import pem, x509,core output_filename="server9-bad-saltlen.crt" tmp_filename="server9-bad-saltlen.crt.tmp" tmp1_filename="server9-bad-saltlen.crt.tmp1" subprocess.check_call(rf''' openssl x509 -req -extfile server5.crt.openssl.v3_ext \ -passin "pass:PolarSSLTest" -CA test-ca.crt -CAkey test-ca.key \ -set_serial 24 -days 3650 \ -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:max \ -sigopt rsa_mgf1_md:sha256 -sha256 \ -in server9.csr -out {output_filename} ''',shell=True) with open(output_filename,'rb') as f: _,_,der_bytes=pem.unarmor(f.read()) target_certificate=x509.Certificate.load(der_bytes) with open(tmp_filename,'wb') as f: f.write(target_certificate['tbs_certificate'].dump()) subprocess.check_call(rf'openssl dgst -sign test-ca.key -passin "pass:PolarSSLTest" \ -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 \ -sigopt rsa_mgf1_md:sha256 -out {tmp1_filename} {tmp_filename}', shell=True) with open(tmp1_filename,'rb') as f: signature_value= core.OctetBitString(f.read()) with open(output_filename,'wb') as f: target_certificate['signature_value']=signature_value f.write(pem.armor('CERTIFICATE',target_certificate.dump())) ``` Signed-off-by: Jerry Yu --- tests/data_files/Makefile | 10 ++-------- tests/data_files/server9-bad-saltlen.crt | 24 ++++++++++++------------ 2 files changed, 14 insertions(+), 20 deletions(-) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 6239c97ed..5225774b3 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile 
@@ -572,15 +572,9 @@ server9-with-ca.crt: server9.crt $(test_ca_crt) cat $^ > $@ all_final += server9-with-ca.crt -# FIXME: this file expected a bad-saltlen, but it create a good saltlen. +# FIXME: This file needs special sequence. It should be update manually server9-bad-saltlen.crt: server9.csr $(test_ca_crt) $(test_ca_key_file_rsa) - $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa \ - -passin "pass:$(test_ca_pwd_rsa)" -CA $(test_ca_crt) -CAkey $(test_ca_key_file_rsa) \ - -set_serial 24 -days 3653 \ - -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:max \ - -sigopt rsa_mgf1_md:sha256 -sha256 \ - -in $< -out $@ -all_final += server9-bad-saltlen.crt + false server9-bad-mgfhash.crt: server9.csr $(test_ca_crt) $(test_ca_key_file_rsa) $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa \ diff --git a/tests/data_files/server9-bad-saltlen.crt b/tests/data_files/server9-bad-saltlen.crt index 78298e98b..45bf20e27 100644 --- a/tests/data_files/server9-bad-saltlen.crt +++ b/tests/data_files/server9-bad-saltlen.crt 
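Review bot: The new recipe for `server9-bad-saltlen.crt` is a bare `false`, so when make considers the file older than `server9.csr` or the CA files it fails with no message, and the manual procedure is recorded only in the commit message. The comment should say what is special and where the procedure lives; going by the script in the commit message, something like `# Issued declaring the max salt length, then re-signed with rsa_pss_saltlen:32; regenerate with the script kept at <path-to-script>`. The recipe could also print the reason before failing: `@echo "$@ must be regenerated manually" >&2; false`.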
@@ -2,20 +2,20 @@ MIIDYzCCAhagAwIBAgIBGDBCBgkqhkiG9w0BAQowNaAPMA0GCWCGSAFlAwQCAQUA oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogQCAgDeMDsxCzAJBgNVBAYT Ak5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBD -QTAeFw0yMzA1MTcwODMzNDJaFw0zMzA1MTcwODMzNDJaMDQxCzAJBgNVBAYTAk5M +QTAeFw0yMzA1MjIwNzMwMDZaFw0zMzA1MTkwNzMwMDZaMDQxCzAJBgNVBAYTAk5M MREwDwYDVQQKDAhQb2xhclNTTDESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqG SIb3DQEBAQUAA4GNADCBiQKBgQDdEYqfmbqwaMoq6jtqbVmX7U7JVOQN7s6gfaAe qugOwrsTQNuKEo6JEySlxfX62PWQ18jKy8X+kx2v2hIjc1J5Rhq6oFcrdhYxs6iv 5zibCItjmToKJe5F0hhYurmTGu3UWJpjGzf89xQIn4VlSfNZMm3R4Oht3lLtZrSp -C9pAlQIDAQABo4GSMIGPMB0GA1UdDgQWBBTu88f1HxWlTUeJwdMiY7Lfp869UTBj -BgNVHSMEXDBagBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMC -TkwxETAPBgNVBAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENB -ggEDMAkGA1UdEwQCMAAwQgYJKoZIhvcNAQEKMDWgDzANBglghkgBZQMEAgEFAKEc -MBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIEAgIA3gOCAQEALIe0VtQaT92x -fNkzIdRHkv+3C6P4URzFP9cBMm+ulX86ld/Szl4J2eUywtzQz22UZE5ZT23xutCx -pUC3AZyzRNiDAdsPvofvf88MJtxDROe7v/MgmXqKxx2t+/N62Mf2mzd9Wu9ibBcO -DrawRQtlUgUkwlzdTtWUxu/VYMEhdeXMPHRSzX0ODAQOA9EydR/BvPmuvMYIvb8M -L1ifzupTm+W92v6kB1AmEXjtvcPEba6rvfZylKISJPmRH3wTdt1+s/1j/PjdUfIa -WbjiucXRSk3NBsza+w5cS4CQu3dbZaY2lBhBkoWvxZm+XU4mfxmjCW6jl59NAmMD -X7c2Uua8SA== +C9pAlQIDAQABo4GSMIGPMAkGA1UdEwQCMAAwHQYDVR0OBBYEFO7zx/UfFaVNR4nB +0yJjst+nzr1RMGMGA1UdIwRcMFqAFLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7 +MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFy +U1NMIFRlc3QgQ0GCAQMwQgYJKoZIhvcNAQEKMDWgDzANBglghkgBZQMEAgEFAKEc +MBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIEAgIA3gOCAQEAlQo9OnchZbLQ +PTXs9NgXDoQb4JvUG/Fsq09/e8ivWaHkE7mKeNRrP8qMdAw914Bs1NQf9F75CWJe +5YtmLcE5gSbVj3qa6zVuQWEcrseKz6wpAFLsHKbF6kKfUgcI56xmD2DhhIHny+5B +9ObM0RQpCmAYXjU2CvknXeBzpX2cGOLD/Nexk1oBF6PI0rDUBqg3cexsJ5XfJwYg +tkjkZ321s9N09BsioauH6d9x9/Ysz7Qp7Bqpb1E7dV4bDuT5vwPWwPIUAav897Vt +s0uMZHoVasj57UwqDv8tm0db6f2VOL7r5GBMjbp6newW8Me47uXSBXKy8tFJMolj +yKuEQkKKyA== -----END CERTIFICATE----- 
From 736d2bb7150082900b3407c8cc9c66275c8bc17b Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Mon, 29 May 2023 15:32:31 +0800 Subject: [PATCH 041/222] Update crl-rsa-pss-*.pem manually The rules will be in a seperate PR. Signed-off-by: Pengyu Lv --- tests/data_files/crl-rsa-pss-sha1-badsign.pem | 22 +++++++-------- tests/data_files/crl-rsa-pss-sha1.pem | 22 +++++++-------- tests/data_files/crl-rsa-pss-sha224.pem | 28 +++++++++---------- tests/data_files/crl-rsa-pss-sha256.pem | 28 +++++++++---------- tests/data_files/crl-rsa-pss-sha384.pem | 28 +++++++++---------- tests/data_files/crl-rsa-pss-sha512.pem | 28 +++++++++---------- 6 files changed, 78 insertions(+), 78 deletions(-) diff --git a/tests/data_files/crl-rsa-pss-sha1-badsign.pem b/tests/data_files/crl-rsa-pss-sha1-badsign.pem index 7e2a59677..d236910d9 100644 --- a/tests/data_files/crl-rsa-pss-sha1-badsign.pem +++ b/tests/data_files/crl-rsa-pss-sha1-badsign.pem 
@@ -1,14 +1,14 @@ -----BEGIN X509 CRL----- MIICJDCCAQYCAQEwEwYJKoZIhvcNAQEKMAaiBAICAOowOzELMAkGA1UEBhMCTkwx -ETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBFw0x -NDAxMjAxMzQ2MzVaFw0yNDAxMTgxMzQ2MzVaMCgwEgIBChcNMTMwOTI0MTYyODM4 -WjASAgEWFw0xNDAxMjAxMzQzMDVaoGcwZTBjBgNVHSMEXDBagBS0WuSls97SUva5 -1aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NM -MRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMBMGCSqGSIb3DQEBCjAGogQC -AgDqA4IBAQB8ZBX0BEgRcx0lfk1ctELRu1AYoJ5BnsmQpq23Ca4YIP2yb2kTN1ZS -4fR4SgYcNctgo2JJiNiUkCu1ZnRUOJUy8UlEio0+aeumTNz6CbeJEDhr5NC3oiV0 -MzvLn9rJVLPetOT9UrvvIy8iz5Pn1d8mu5rkt9BKQRq9NQx8riKnSIoTc91NLCMo -mkCCB55DVbazODSWK19e6yQ0JS454RglOsqRtLJ/EDbi6lCsLXotFt3GEGMrob1O -7Qck1Z59boaHxGYFEVnx90+4M3/qikVtwZdcBjLEmfuwYvszFw8J2y6Xwmg/HtUa -y6li0JzWNHtkKUlCv2+SESZbD3NU8GQY +ETAPBgNVBAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBFw0y +MzA1MTcwODA3NDlaFw0zMzA1MTcwODA3NDlaMCgwEgIBChcNMjMwNTE3MDgwNzQ5 +WjASAgEWFw0yMzA1MTcwODA3NDlaoGcwZTBjBgNVHSMEXDBagBS0WuSls97SUva5 +1aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NM +MRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEDMBMGCSqGSIb3DQEBCjAGogQC +AgDqA4IBAQCMUepEfAXs1G3hDE7rcIPT/AFv/oLQSVwRE8O2G5r4j0CgzN6CSGNi +8qfFVX6f7ds+QM4pxAXk5FH4QJJkev0ZBQxmA/ZDLEFmmCEfPMsA69nG//Xeq+Xz +ZOqJpAewmXoP2UUxV5rRpAIr9g9NvDkTT012eQEpoGkJlpxOln1VW+Dk24PCZFWf +Nf8GMUzUsXfXm7ZdCeuc8ZDYNma0nWAMR9Jw6qaEhyH4Fd/scFvXiF/i4cpVp8Rk +M71wSrCC0pkFzw4/bYMnf0aHle/lNg5e78SAT+/6PA8pXL7Urc0IufOfxCGwqY27 +IXSTrZJj4WeQMk289pIccMHj5DUSo4u0 -----END X509 CRL----- diff --git a/tests/data_files/crl-rsa-pss-sha1.pem b/tests/data_files/crl-rsa-pss-sha1.pem index 59ca4f703..c129c0c81 100644 --- a/tests/data_files/crl-rsa-pss-sha1.pem +++ b/tests/data_files/crl-rsa-pss-sha1.pem 
@@ -1,14 +1,14 @@ -----BEGIN X509 CRL----- MIICJDCCAQYCAQEwEwYJKoZIhvcNAQEKMAaiBAICAOowOzELMAkGA1UEBhMCTkwx -ETAPBgNVBAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBFw0x -NDAxMjAxMzQ2MzVaFw0yNDAxMTgxMzQ2MzVaMCgwEgIBChcNMTMwOTI0MTYyODM4 -WjASAgEWFw0xNDAxMjAxMzQzMDVaoGcwZTBjBgNVHSMEXDBagBS0WuSls97SUva5 -1aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NM -MRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMBMGCSqGSIb3DQEBCjAGogQC -AgDqA4IBAQB8ZBX0BEgRcx0lfk1ctELRu1AYoJ5BnsmQpq23Ca4YIP2yb2kTN1ZS -4fR4SgYcNctgo2JJiNiUkCu1ZnRUOJUy8UlEio0+aeumTNz6CbeJEDhr5NC3oiV0 -MzvLn9rJVLPetOT9UrvvIy8iz5Pn1d8mu5rkt9BKQRq9NQx8riKnSIoTc91NLCMo -mkCCB55DVbazODSWK19e6yQ0JS454RglOsqRtLJ/EDbi6lCsLXotFt3GEGMrob1O -7Qck1Z59boaHxGYFEVnx90+4M3/qikVtwZdcBjLEmfuwYvszFw8J2y6Xwmg/HtUa -y6li0JzWNHtkKUlCv2+SESZbD3NU8GQZ +ETAPBgNVBAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBFw0y +MzA1MTcwODA3NDlaFw0zMzA1MTcwODA3NDlaMCgwEgIBChcNMjMwNTE3MDgwNzQ5 +WjASAgEWFw0yMzA1MTcwODA3NDlaoGcwZTBjBgNVHSMEXDBagBS0WuSls97SUva5 +1aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NM +MRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEDMBMGCSqGSIb3DQEBCjAGogQC +AgDqA4IBAQCMUepEfAXs1G3hDE7rcIPT/AFv/oLQSVwRE8O2G5r4j0CgzN6CSGNi +8qfFVX6f7ds+QM4pxAXk5FH4QJJkev0ZBQxmA/ZDLEFmmCEfPMsA69nG//Xeq+Xz +ZOqJpAewmXoP2UUxV5rRpAIr9g9NvDkTT012eQEpoGkJlpxOln1VW+Dk24PCZFWf +Nf8GMUzUsXfXm7ZdCeuc8ZDYNma0nWAMR9Jw6qaEhyH4Fd/scFvXiF/i4cpVp8Rk +M71wSrCC0pkFzw4/bYMnf0aHle/lNg5e78SAT+/6PA8pXL7Urc0IufOfxCGwqY27 +IXSTrZJj4WeQMk289pIccMHj5DUSo4uO -----END X509 CRL----- diff --git a/tests/data_files/crl-rsa-pss-sha224.pem b/tests/data_files/crl-rsa-pss-sha224.pem index a51d5d911..1108b3ddb 100644 --- a/tests/data_files/crl-rsa-pss-sha224.pem +++ b/tests/data_files/crl-rsa-pss-sha224.pem 
@@ -1,16 +1,16 @@ -----BEGIN X509 CRL----- -MIICejCCATECAQEwPgYJKoZIhvcNAQEKMDGgDTALBglghkgBZQMEAgShGjAYBgkq -hkiG9w0BAQgwCwYJYIZIAWUDBAIEogQCAgDiMDsxCzAJBgNVBAYTAk5MMREwDwYD -VQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVzdCBDQRcNMTQwMTIw -MTM1NjA2WhcNMjQwMTE4MTM1NjA2WjAoMBICAQoXDTEzMDkyNDE2MjgzOFowEgIB -FhcNMTQwMTIwMTM0MzA1WqBnMGUwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/r -PrzH/f+hP6Q9MDsxCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcG -A1UEAxMQUG9sYXJTU0wgVGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCG -SAFlAwQCBKEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgSiBAICAOIDggEBAEJI -i9sQOzMvvOTksN48+X+kk/wkLMKRGI222lqU6y6tP1LX3OE/+KN8gPXR+lCC+e0v -TsRTJkpKEcmHZoP/8kOtZnLb9PdITKGMQnZ+dmn5MFEzZI/zyrYWuJTuK1Q83w0e -Mc88cAhu8i4PTk/WnsWDphK1Q2YRupmmwWSUpp1Z2rpR+YSCedC01TVrtSUJUBw9 -NSqKDhyWYJIbS6/bFaERswC8xlMRhyLHUvikjmAK36TbIdhTnEffHOPW75sEOEEB -f0A3VtlZ7y5yt2/a6vOauJCivxKt/PutdHfBqH43QQmoVLWC2FmT9ADTJwcsZB3D -a6JSqCIMRCQY2JOUn0A= +MIICgjCCATUCAQEwQgYJKoZIhvcNAQEKMDWgDzANBglghkgBZQMEAgQFAKEcMBoG +CSqGSIb3DQEBCDANBglghkgBZQMEAgQFAKIEAgIA4jA7MQswCQYDVQQGEwJOTDER +MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EXDTIz +MDUxNzA4MDc0OVoXDTMzMDUxNzA4MDc0OVowKDASAgEKFw0yMzA1MTcwODA3NDla +MBICARYXDTIzMDUxNzA4MDc0OVqgZzBlMGMGA1UdIwRcMFqAFLRa5KWz3tJS9rnV +ppUP6z68x/3/oT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wx +GTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQMwQgYJKoZIhvcNAQEKMDWgDzAN +BglghkgBZQMEAgQFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgQFAKIEAgIA +4gOCAQEANsElK5qMavcgBXsqgysCIIwEPj+dXdBOwXW17HWh2jcSwAssFNRxhiIc +PoUjj2fNlbOWXLPoxXBitgkJ31UAYCteGSv3j5P3WEuriVwCG889JEoMWn9U4+f9 +f5jSVNfynyiAOiwpA0TrOhZOAs9SEj742S1pzhsb9yaOXeQXNnDv8HYe3uX9/D9w +ynot+/EwCYEuvK8XQ6qnV6588NHEAd9x+OcV9pxWrmUE8Muz1KffBwD5+SOW+Taj +4fKQPcKJoRXOKyLXpOz7yMl/6fCf6h3Qj/H4YI/2gsWI0iduKoXDsuQkMEdPTZvk +7P88YK3/4MReaZS3sDyhhUrojELPXw== -----END X509 CRL----- diff --git a/tests/data_files/crl-rsa-pss-sha256.pem b/tests/data_files/crl-rsa-pss-sha256.pem index f16a49118..26f7935cc 100644 
--- a/tests/data_files/crl-rsa-pss-sha256.pem +++ b/tests/data_files/crl-rsa-pss-sha256.pem @@ -1,16 +1,16 @@ -----BEGIN X509 CRL----- -MIICejCCATECAQEwPgYJKoZIhvcNAQEKMDGgDTALBglghkgBZQMEAgGhGjAYBgkq -hkiG9w0BAQgwCwYJYIZIAWUDBAIBogQCAgDeMDsxCzAJBgNVBAYTAk5MMREwDwYD -VQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVzdCBDQRcNMTQwMTIw -MTM1NjE2WhcNMjQwMTE4MTM1NjE2WjAoMBICAQoXDTEzMDkyNDE2MjgzOFowEgIB -FhcNMTQwMTIwMTM0MzA1WqBnMGUwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/r -PrzH/f+hP6Q9MDsxCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcG -A1UEAxMQUG9sYXJTU0wgVGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCG -SAFlAwQCAaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiBAICAN4DggEBAEZ4 -oqp9i5eXrN6aCSTaU1j07MVTFW/U1jQAq6GseB6bEvoEXFMUHJsgAObqCK9flfEC -FEqXqWSo33hhPU7AKKttbDLjUYRNnQAPRUnRIl1/a1+UjqgKchWWD9ityeW8ICxo -IdATX9reYmPDLIMqTC7zuflYkvrvdEOuBORQP5mn4j8t84MSQF/p4qzaU0XxLo4X -ckzZCcHpa45AApCDjJMd9onhFVCYsykiYrF9NQFO8TI4lQ5jv79GoufEzvhY1SPB -r1xz4sMpfyaoPaa3SM2/nD65E5jzXell2u2VWNGKv4zAQP0E5yGel+1rklBltadb -XLdJyyak33CLBKu+nJc= +MIICgjCCATUCAQEwQgYJKoZIhvcNAQEKMDWgDzANBglghkgBZQMEAgEFAKEcMBoG +CSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIEAgIA3jA7MQswCQYDVQQGEwJOTDER +MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EXDTIz +MDUxNzA4MDc0OVoXDTMzMDUxNzA4MDc0OVowKDASAgEKFw0yMzA1MTcwODA3NDla +MBICARYXDTIzMDUxNzA4MDc0OVqgZzBlMGMGA1UdIwRcMFqAFLRa5KWz3tJS9rnV +ppUP6z68x/3/oT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wx +GTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQMwQgYJKoZIhvcNAQEKMDWgDzAN +BglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIEAgIA +3gOCAQEAHLzvRF0RVQL48ZGVFnTk1nsOHXVHS0UVMItsILurXJ4XrOgN1I7iTzu2 +wYNtgr+T15jwsPdgU+Gg3127vb2Djm0IUX0dCfYpSFRUv8BjaK962ZPjM0rkWhC6 +JUTWSLMAMy4ScqcoC7e4vuN2h4kPOzlvDBIhzWKA03+taAtuIOWjXZu2/Cyeggxs +oXARKI8BEv4b94xwiFJMoMuzcYAkuDIH4MRYANVgOS/zncCRS9D5ZerfoBt70LKX +nzJtT4a0XoxbUJeU8MZ0fR5aAHUQulAPA9CMmBsHkSx7pzAAhCwx/vXbnWPyhA6G +XG6gCKcDR5PZQvQNgi29SLlhRTT5TA== -----END X509 CRL----- 
diff --git a/tests/data_files/crl-rsa-pss-sha384.pem b/tests/data_files/crl-rsa-pss-sha384.pem index 50f7e4cd2..45431f013 100644 --- a/tests/data_files/crl-rsa-pss-sha384.pem +++ b/tests/data_files/crl-rsa-pss-sha384.pem 
@@ -1,16 +1,16 @@ -----BEGIN X509 CRL----- -MIICejCCATECAQEwPgYJKoZIhvcNAQEKMDGgDTALBglghkgBZQMEAgKhGjAYBgkq -hkiG9w0BAQgwCwYJYIZIAWUDBAICogQCAgDOMDsxCzAJBgNVBAYTAk5MMREwDwYD -VQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVzdCBDQRcNMTQwMTIw -MTM1NjI4WhcNMjQwMTE4MTM1NjI4WjAoMBICAQoXDTEzMDkyNDE2MjgzOFowEgIB -FhcNMTQwMTIwMTM0MzA1WqBnMGUwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/r -PrzH/f+hP6Q9MDsxCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcG -A1UEAxMQUG9sYXJTU0wgVGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCG -SAFlAwQCAqEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgKiBAICAM4DggEBAAco -SntUGDLBOAu0IIZaVea5Nt1NMsMcppC0hWPuH1LKAwyUODBqpT+0+AuALK0eIdYR -a7mAB+cv2fFwmwxnQWJ1Fvx4ft/N2AAfB83VRKpSo3xR8bxloHfTWKmyxJHmH9j1 -EYmLS86rj3Nhjf4m/YlQQ3Im5HwOgSgBOE8glq5D+0Wmsi9LsNEZXEzMw7TMUgbs -y9o/ghYF/shKU4mewK3DeM9gQiTcH5A4ISXR87hBQ08AKJRAG1CLvTyzqWiUUY+k -q8iZDYF17sHrPi2yn8q9c4zdxiaWDGDdL0Lh90wXGTAageoGEq25TMuL5FpX+u1u -KUH/xf1jEnNzbYNGiZw= +MIICgjCCATUCAQEwQgYJKoZIhvcNAQEKMDWgDzANBglghkgBZQMEAgIFAKEcMBoG +CSqGSIb3DQEBCDANBglghkgBZQMEAgIFAKIEAgIAzjA7MQswCQYDVQQGEwJOTDER +MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EXDTIz +MDUxNzA4MDc1MFoXDTMzMDUxNzA4MDc1MFowKDASAgEKFw0yMzA1MTcwODA3NTBa +MBICARYXDTIzMDUxNzA4MDc1MFqgZzBlMGMGA1UdIwRcMFqAFLRa5KWz3tJS9rnV +ppUP6z68x/3/oT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wx +GTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQMwQgYJKoZIhvcNAQEKMDWgDzAN +BglghkgBZQMEAgIFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgIFAKIEAgIA +zgOCAQEAnZvMo3nmKXPV+q4m1CdMA7jUtdanJBHDAv2+LZLq4T1QpyN+nmLEB1yX +ARN8/5Px47zm7XyZw6HI1Il34MjblAKIPBVXoswj4YLRceijwiG1bxkh1Kz3lcV0 +GCNPNo7tMPii9iATWlVzWBCzx2rLmt/ys0DtNRCMISOYGW1HkyuO28dwA6nUJwSS +Ddjr3iilavnBdpzddH9AiN5Fm0sfrFBANx79Qyp0/r8hqrv7rT33maeRKj3S4e9G +zpO6uHPAh9Obo93DxpKpXoMwxDiHv+bwHPO4J1YOiryy/KZmHhzUMPfvP09pGg9f +zGO/bOyiHGH0Lf4F9JVMxpfitdbtwg== -----END X509 CRL----- diff --git a/tests/data_files/crl-rsa-pss-sha512.pem b/tests/data_files/crl-rsa-pss-sha512.pem index 0f1d6510b..71f2b7cd5 100644 
--- a/tests/data_files/crl-rsa-pss-sha512.pem +++ b/tests/data_files/crl-rsa-pss-sha512.pem @@ -1,16 +1,16 @@ -----BEGIN X509 CRL----- -MIICejCCATECAQEwPgYJKoZIhvcNAQEKMDGgDTALBglghkgBZQMEAgOhGjAYBgkq -hkiG9w0BAQgwCwYJYIZIAWUDBAIDogQCAgC+MDsxCzAJBgNVBAYTAk5MMREwDwYD -VQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVzdCBDQRcNMTQwMTIw -MTM1NjM4WhcNMjQwMTE4MTM1NjM4WjAoMBICAQoXDTEzMDkyNDE2MjgzOFowEgIB -FhcNMTQwMTIwMTM0MzA1WqBnMGUwYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/r -PrzH/f+hP6Q9MDsxCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcG -A1UEAxMQUG9sYXJTU0wgVGVzdCBDQYIBADA+BgkqhkiG9w0BAQowMaANMAsGCWCG -SAFlAwQCA6EaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgOiBAICAL4DggEBAB9F -ywBfxOjetxNbCFhOYoPY2jvFCFVdlowMGuxEhX/LktqiBXqRc2r5naQSzuHqO8Iq -1zACtiDLri0CvgSHlravBNeY4c2wj//ueFE89tY5pK9E6vZp7cV+RfMx2YfGPAA2 -t7tWZ2rJWzELg8cZ8hpjSwFH7JmgJzjE5gi2gADhBYO6Vv5S3SOgqNjiN1OM31AU -p6GHK5Y1jurF5Zwzs+w3wXoXgpOxxwEC4eiS86c9kNSudwTLvDTU0bYEQE1cF+K0 -sB8QWABFJfuO5kjD2w3rWgmAiOKsZoxd1xrda+WD3JhDXnoVq3oVBIVlWVz6YID8 -enMfMvwScA5AImzu9xA= +MIICgjCCATUCAQEwQgYJKoZIhvcNAQEKMDWgDzANBglghkgBZQMEAgMFAKEcMBoG +CSqGSIb3DQEBCDANBglghkgBZQMEAgMFAKIEAgIAvjA7MQswCQYDVQQGEwJOTDER +MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EXDTIz +MDUxNzA4MDc1MFoXDTMzMDUxNzA4MDc1MFowKDASAgEKFw0yMzA1MTcwODA3NTBa +MBICARYXDTIzMDUxNzA4MDc1MFqgZzBlMGMGA1UdIwRcMFqAFLRa5KWz3tJS9rnV +ppUP6z68x/3/oT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wx +GTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQMwQgYJKoZIhvcNAQEKMDWgDzAN +BglghkgBZQMEAgMFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgMFAKIEAgIA +vgOCAQEAtMPpQMet9BfMRLg0AW9QfL3QkktV7xk++BqYFOYynBiqxjQH4AKu3wU8 +eiGd3+2xNpQd2/sG7UUNo1Vnl9gCHRiT4bje6+CdvvqaZKSgpmsiztbgBAYORriF +flKOKOOQTxaikqJ4t7vp727JmstADuyizTgOBE0k3V1glas8B0G122YheeHF02S4 ++33Nss4hbfbTilR0RccOaqiXzF9bkFsTlD5KgyUFZbFtdy+1zHZLnRUAJA1HmDeP +r5p2mJxKwXmZzLnw/FPa8fUH665TKYk08AuIpN+VHdPwiBoYHJ2YZJWgM+1qHq1y +tlyoAOC6beqsh9OfxcQZaEiWbUI9yQ== -----END X509 CRL----- 
From 19e949e64437e091de4764e58fb96496b635955a Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Thu, 8 Jun 2023 09:20:16 +0800 Subject: [PATCH 042/222] Fix typo and long line format Signed-off-by: Pengyu Lv --- tests/data_files/Makefile | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 5225774b3..fb61ba894 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -112,7 +112,9 @@ cert_example_multi_nocn.csr: rsa_pkcs1_1024_clear.pem all_intermediate += cert_example_multi_nocn.csr cert_example_multi_nocn.crt: cert_example_multi_nocn.csr test-ca_nocn.crt - $(OPENSSL) x509 -req -CA test-ca_nocn.crt -CAkey $(test_ca_key_file_rsa) -extfile $(test_ca_config_file) -extensions ext_multi_nocn -passin "pass:$(test_ca_pwd_rsa)" -set_serial 0xf7c67ff8e9a963f9 -days 3653 -sha1 -in $< > $@ + $(OPENSSL) x509 -req -CA test-ca_nocn.crt -CAkey $(test_ca_key_file_rsa) \ + -extfile $(test_ca_config_file) -extensions ext_multi_nocn -passin "pass:$(test_ca_pwd_rsa)" \ + -set_serial 0xf7c67ff8e9a963f9 -days 3653 -sha1 -in $< > $@ all_final += cert_example_multi_nocn.crt parse_input/test_csr_v3_keyUsage.csr.der: rsa_pkcs1_1024_clear.pem @@ -448,7 +450,9 @@ all_final += server5-ss-expired.crt # try to forge a copy of test-int-ca3 with different key server5-ss-forgeca.crt: server5.key - $(OPENSSL) req -x509 -new -subj "/C=UK/O=mbed TLS/CN=mbed TLS Test intermediate CA 3" -set_serial 77 -config $(test_ca_config_file) -extensions noext_ca -days 3650 -sha256 -key $< -out $@ + $(OPENSSL) req -x509 -new -subj "/C=UK/O=mbed TLS/CN=mbed TLS Test intermediate CA 3" \ + -set_serial 77 -config $(test_ca_config_file) -extensions noext_ca \ + -days 3650 -sha256 -key $< -out $@ all_final += server5-ss-forgeca.crt server5-selfsigned.crt: server5.key 
@@ -561,7 +565,7 @@ server9-defaults.crt: server9.csr $(test_ca_crt) $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -CA $(test_ca_crt) -CAkey $(test_ca_key_file_rsa) \ -set_serial 72 -days 3653 \ -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:max -sha1 \ - -in $< -o $@ + -in $< -out $@ all_final += server9-defaults.crt server9-badsign.crt: server9.crt From 49c56e651da520e306ef1f3bb00a34cd601b0f85 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Tue, 4 Jul 2023 15:56:59 +0800 Subject: [PATCH 043/222] Add target for parse_input/cert_example_multi_nocn.crt Signed-off-by: Pengyu Lv --- tests/data_files/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index fb61ba894..aa72a847f 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -111,7 +111,7 @@ cert_example_multi_nocn.csr: rsa_pkcs1_1024_clear.pem $(MBEDTLS_CERT_REQ) filename=$< output_file=$@ subject_name='C=NL' all_intermediate += cert_example_multi_nocn.csr -cert_example_multi_nocn.crt: cert_example_multi_nocn.csr test-ca_nocn.crt +parse_input/cert_example_multi_nocn.crt cert_example_multi_nocn.crt: cert_example_multi_nocn.csr test-ca_nocn.crt $(OPENSSL) x509 -req -CA test-ca_nocn.crt -CAkey $(test_ca_key_file_rsa) \ -extfile $(test_ca_config_file) -extensions ext_multi_nocn -passin "pass:$(test_ca_pwd_rsa)" \ -set_serial 0xf7c67ff8e9a963f9 -days 3653 -sha1 -in $< > $@ From b687c03183a43fa684f111d3dbaf666955eeb8e5 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Tue, 4 Jul 2023 16:01:01 +0800 Subject: [PATCH 044/222] Fix the command for server9-sha*.crt The new command could generate parse_input/server9-sha*.crt correctly. Signed-off-by: Pengyu Lv --- tests/data_files/Makefile | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index aa72a847f..60ec0c255 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile 
@@ -541,7 +541,7 @@ all_final += test-int-ca3-badsign.crt server9.csr: server9.key $(OPENSSL) req -new -subj "/C=NL/O=PolarSSL/CN=localhost" \ -key $< -out $@ -server9.crt: server9-sha1.crt +parse_input/server9.crt server9.crt: server9-sha1.crt cp $< $@ all_final += server9.crt all_intermediate += server9.csr server9-sha1.crt @@ -551,13 +551,13 @@ server9-%.crt: server9.csr $(test_ca_crt) $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -CA $(test_ca_crt) -CAkey $(test_ca_key_file_rsa) \ -set_serial $(SERVER9_CRT_SERIAL) -days 3653 \ -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:max \ - -sigopt rsa_mgf1_md:$(@:server9-%.crt=%) -$(@:server9-%.crt=%) \ + -sigopt rsa_mgf1_md:$(@F:server9-%.crt=%) -$(@F:server9-%.crt=%) \ -in $< -out $@ server9-sha1.crt: SERVER9_CRT_SERIAL=22 -server9-sha224.crt: SERVER9_CRT_SERIAL=23 -server9-sha256.crt: SERVER9_CRT_SERIAL=24 -server9-sha384.crt: SERVER9_CRT_SERIAL=25 -server9-sha512.crt: SERVER9_CRT_SERIAL=26 +parse_input/server9-sha224.crt server9-sha224.crt: SERVER9_CRT_SERIAL=23 +parse_input/server9-sha256.crt server9-sha256.crt: SERVER9_CRT_SERIAL=24 +parse_input/server9-sha384.crt server9-sha384.crt: SERVER9_CRT_SERIAL=25 +parse_input/server9-sha512.crt server9-sha512.crt: SERVER9_CRT_SERIAL=26 all_final += server9-sha224.crt server9-sha256.crt server9-sha384.crt server9-sha512.crt server9-defaults.crt: server9.csr $(test_ca_crt) $(test_ca_key_file_rsa) From 026235c4ec17e52e88b0b6b5a7fb40247a6a2e9e Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 5 Jul 2023 08:32:43 -0400 Subject: [PATCH 045/222] Disable msan errors on null allocation in all.sh Such error was raised in platform tests, and it's a valid test case. Signed-off-by: Andrzej Kurek --- tests/scripts/all.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 46d249d66..604b457c3 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -191,6 +191,7 @@ pre_initialize_variables () { # Platform tests have an allocation that returns null export ASAN_OPTIONS="allocator_may_return_null=1" + export MSAN_OPTIONS="allocator_may_return_null=1" # Gather the list of available components. These are the functions # defined in this script whose name starts with "component_". From 548894fea1e6ef8046ed4e16ee90dc1a0b5208ca Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 5 Jul 2023 08:50:25 -0400 Subject: [PATCH 046/222] Add msan and asan env variables to .travis.yml This way the CI tests don't fail on a null allocation. Signed-off-by: Andrzej Kurek --- .travis.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.travis.yml b/.travis.yml index bf5ccd96e..8313317b2 100644 --- a/.travis.yml +++ b/.travis.yml @@ -32,6 +32,10 @@ jobs: packages: - clang-10 - gnutls-bin + env: + # Platform tests have an allocation that returns null + - ASAN_OPTIONS="allocator_may_return_null=1" + - MSAN_OPTIONS="allocator_may_return_null=1" script: # Do a manual build+test sequence rather than using all.sh, # because there's no all.sh component that does what we want, @@ -89,6 +93,10 @@ jobs: apt: packages: - gcc + env: + # Platform tests have an allocation that returns null + - ASAN_OPTIONS="allocator_may_return_null=1" + - MSAN_OPTIONS="allocator_may_return_null=1" script: # Do a manual build+test sequence rather than using all.sh. # @@ -115,6 +123,10 @@ jobs: packages: - clang - gnutls-bin + env: + # Platform tests have an allocation that returns null + - ASAN_OPTIONS="allocator_may_return_null=1" + - MSAN_OPTIONS="allocator_may_return_null=1" script: # Do a manual build+test sequence rather than using all.sh. # From 527f48f14d8b11f674903cb4b02e172771593f9a Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 5 Jul 2023 18:57:30 +0100 Subject: [PATCH 047/222] Add OID definitions for SHA3 
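Review bot: The added `export MSAN_OPTIONS="allocator_may_return_null=1"` overwrites whatever the caller already had in that variable, so a developer's or CI job's own sanitizer settings are silently dropped for every component (the `ASAN_OPTIONS` line above it has the same shape). Appending keeps them: `export MSAN_OPTIONS="${MSAN_OPTIONS:+$MSAN_OPTIONS:}allocator_may_return_null=1"`. The option is also applied to the whole run although the comment ties it to the platform tests only; if that is intended, the comment should say so. `pre_initialize_variables` begins and ends outside this hunk.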
Signed-off-by: Dave Rodgman --- include/mbedtls/oid.h | 9 +++++++++ library/oid.c | 24 ++++++++++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h index e333ba11b..f89420589 100644 --- a/include/mbedtls/oid.h +++ b/include/mbedtls/oid.h @@ -270,6 +270,15 @@ #define MBEDTLS_OID_DIGEST_ALG_RIPEMD160 MBEDTLS_OID_TELETRUST "\x03\x02\x01" /**< id-ripemd160 OBJECT IDENTIFIER :: { iso(1) identified-organization(3) teletrust(36) algorithm(3) hashAlgorithm(2) ripemd160(1) } */ +#define MBEDTLS_OID_DIGEST_ALG_SHA3_224 MBEDTLS_OID_NIST_ALG "\x02\x07" /**< id-sha3-224 OBJECT IDENTIFIER ::= joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) sha3-224(7) } */ + +#define MBEDTLS_OID_DIGEST_ALG_SHA3_256 MBEDTLS_OID_NIST_ALG "\x02\x08" /**< id-sha3-256 OBJECT IDENTIFIER ::= joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) sha3-256(8) } */ + +#define MBEDTLS_OID_DIGEST_ALG_SHA3_384 MBEDTLS_OID_NIST_ALG "\x02\x09" /**< id-sha3-384 OBJECT IDENTIFIER ::= joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) sha3-384(9) } */ + +#define MBEDTLS_OID_DIGEST_ALG_SHA3_512 MBEDTLS_OID_NIST_ALG "\x02\x0a" /**< id-sha3-512 OBJECT IDENTIFIER ::= joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) sha3-512(10) } */ + + #define MBEDTLS_OID_HMAC_SHA1 MBEDTLS_OID_RSA_COMPANY "\x02\x07" /**< id-hmacWithSHA1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 7 } */ #define MBEDTLS_OID_HMAC_SHA224 MBEDTLS_OID_RSA_COMPANY "\x02\x08" /**< id-hmacWithSHA224 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 8 } */ diff --git a/library/oid.c b/library/oid.c index 47a311b94..9ea41cbae 100644 --- a/library/oid.c +++ b/library/oid.c 
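Review bot: The Doxygen comments on the four new `MBEDTLS_OID_DIGEST_ALG_SHA3_*` macros drop the opening brace of the ASN.1 value: they read `OBJECT IDENTIFIER ::= joint-iso-itu-t(2) ... }`, while the neighbouring HMAC entries read `::= { iso(1) ... }`. Each comment should begin `OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) ...` so the generated documentation shows a balanced arc list. The encoded bytes themselves agree with the values exercised in test_suite_oid.data later in the series.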
@@ -760,6 +760,30 @@ static const oid_md_alg_t oid_md_alg[] = OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_RIPEMD160, "id-ripemd160", "RIPEMD-160"), MBEDTLS_MD_RIPEMD160, }, +#endif +#if defined(MBEDTLS_MD_CAN_SHA3_224) + { + OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA3_224, "id-sha3-224", "SHA-3-224"), + MBEDTLS_MD_SHA3_224, + }, +#endif +#if defined(MBEDTLS_MD_CAN_SHA3_256) + { + OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA3_256, "id-sha3-256", "SHA-3-256"), + MBEDTLS_MD_SHA3_256, + }, +#endif +#if defined(MBEDTLS_MD_CAN_SHA3_384) + { + OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA3_384, "id-sha3-384", "SHA-3-384"), + MBEDTLS_MD_SHA3_384, + }, +#endif +#if defined(MBEDTLS_MD_CAN_SHA3_512) + { + OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA3_512, "id-sha3-512", "SHA-3-512"), + MBEDTLS_MD_SHA3_512, + }, #endif { NULL_OID_DESCRIPTOR, From 3a498a6ccbe7b821012ba2404b03ccd45fa14628 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 5 Jul 2023 18:58:04 +0100 Subject: [PATCH 048/222] Add SHA-3 cases in mbedtls_md_type_from_psa_alg, mbedtls_md_psa_alg_from_type Signed-off-by: Dave Rodgman --- library/md.c | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/library/md.c b/library/md.c index a29d876e9..b04e36445 100644 --- a/library/md.c +++ b/library/md.c @@ -816,6 +816,22 @@ psa_algorithm_t mbedtls_md_psa_alg_from_type(mbedtls_md_type_t md_type) #if defined(MBEDTLS_MD_CAN_SHA512) case MBEDTLS_MD_SHA512: return PSA_ALG_SHA_512; +#endif +#if defined(MBEDTLS_MD_CAN_SHA3_224) + case MBEDTLS_MD_SHA3_224: + return PSA_ALG_SHA3_224; +#endif +#if defined(MBEDTLS_MD_CAN_SHA3_256) + case MBEDTLS_MD_SHA3_256: + return PSA_ALG_SHA3_256; +#endif +#if defined(MBEDTLS_MD_CAN_SHA3_384) + case MBEDTLS_MD_SHA3_384: + return PSA_ALG_SHA3_384; +#endif +#if defined(MBEDTLS_MD_CAN_SHA3_512) + case MBEDTLS_MD_SHA3_512: + return PSA_ALG_SHA3_512; #endif default: return PSA_ALG_NONE; 
@@ -852,6 +868,22 @@ mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa_alg) #if defined(MBEDTLS_MD_CAN_SHA512) case PSA_ALG_SHA_512: return MBEDTLS_MD_SHA512; +#endif +#if defined(MBEDTLS_MD_CAN_SHA3_224) + case PSA_ALG_SHA3_224: + return MBEDTLS_MD_SHA3_224; +#endif +#if defined(MBEDTLS_MD_CAN_SHA3_256) + case PSA_ALG_SHA3_256: + return MBEDTLS_MD_SHA3_256; +#endif +#if defined(MBEDTLS_MD_CAN_SHA3_384) + case PSA_ALG_SHA3_384: + return MBEDTLS_MD_SHA3_384; +#endif +#if defined(MBEDTLS_MD_CAN_SHA3_512) + case PSA_ALG_SHA3_512: + return MBEDTLS_MD_SHA3_512; #endif default: return MBEDTLS_MD_NONE; From 7bb7602a6630d2e33b6d6cdcfff95befb28e6fc3 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 5 Jul 2023 19:03:21 +0100 Subject: [PATCH 049/222] Add OID tests for SHA-3 Signed-off-by: Dave Rodgman --- tests/suites/test_suite_oid.data | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/tests/suites/test_suite_oid.data b/tests/suites/test_suite_oid.data index 00f6e0b4d..cc23c5b66 100644 --- a/tests/suites/test_suite_oid.data +++ b/tests/suites/test_suite_oid.data @@ -82,6 +82,22 @@ OID hash id - id-sha512 depends_on:MBEDTLS_MD_CAN_SHA512 oid_get_md_alg_id:"608648016503040203":MBEDTLS_MD_SHA512 +OID hash id - id-sha3-224 +depends_on:MBEDTLS_MD_CAN_SHA3_224 +oid_get_md_alg_id:"608648016503040207":MBEDTLS_MD_SHA3_224 + +OID hash id - id-sha3-256 +depends_on:MBEDTLS_MD_CAN_SHA3_256 +oid_get_md_alg_id:"608648016503040208":MBEDTLS_MD_SHA3_256 + +OID hash id - id-sha3-384 +depends_on:MBEDTLS_MD_CAN_SHA3_384 +oid_get_md_alg_id:"608648016503040209":MBEDTLS_MD_SHA3_384 + +OID hash id - id-sha3-512 +depends_on:MBEDTLS_MD_CAN_SHA3_512 +oid_get_md_alg_id:"60864801650304020a":MBEDTLS_MD_SHA3_512 + OID hash id - id-ripemd160 depends_on:MBEDTLS_MD_CAN_RIPEMD160 oid_get_md_alg_id:"2b24030201":MBEDTLS_MD_RIPEMD160 From c0a0990b6e176ff0d7efd90424242662a6597d0a Mon Sep 17 00:00:00 2001 
From: Dave Rodgman Date: Wed, 5 Jul 2023 19:15:53 +0100 Subject: [PATCH 050/222] Improve testing of md/PSA alg identifier macro conversions Signed-off-by: Dave Rodgman --- tests/suites/test_suite_md.function | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tests/suites/test_suite_md.function b/tests/suites/test_suite_md.function index ac9516ab8..2768707e9 100644 --- a/tests/suites/test_suite_md.function +++ b/tests/suites/test_suite_md.function @@ -28,6 +28,11 @@ void mbedtls_md_list() TEST_EQUAL(0, mbedtls_md_starts(&ctx)); TEST_EQUAL(0, mbedtls_md_finish(&ctx, out)); mbedtls_md_free(&ctx); + + /* Ensure that we can convert to and from a psa_algorithm_t */ + psa_algorithm_t p = mbedtls_md_psa_alg_from_type(*md_type_ptr); + TEST_ASSERT(p != PSA_ALG_NONE); + TEST_EQUAL(*md_type_ptr, mbedtls_md_type_from_psa_alg(p)); } exit: From 76814b6207b141de1137a5c77b372ede829e1858 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 5 Jul 2023 19:38:21 +0100 Subject: [PATCH 051/222] fix missing include Signed-off-by: Dave Rodgman --- tests/suites/test_suite_md.function | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/suites/test_suite_md.function b/tests/suites/test_suite_md.function index 2768707e9..75087e7ee 100644 --- a/tests/suites/test_suite_md.function +++ b/tests/suites/test_suite_md.function @@ -1,5 +1,6 @@ /* BEGIN_HEADER */ #include "mbedtls/md.h" +#include "../library/md_psa.h" /* END_HEADER */ /* BEGIN_DEPENDENCIES From 852b6c30b787f28a1fc085b7ccf3b776b0fa09f5 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 5 Jul 2023 19:47:08 +0100 Subject: [PATCH 052/222] Support MBEDTLS_MD_SHA3_xxx_VIA_PSA Signed-off-by: Dave Rodgman --- include/mbedtls/md.h | 21 +++++++++++++++++++++ library/md.c | 16 ++++++++++++++++ 2 files changed, 37 insertions(+) diff --git a/include/mbedtls/md.h b/include/mbedtls/md.h index f717618d2..de4f8758e 100644 --- a/include/mbedtls/md.h +++ b/include/mbedtls/md.h 
@@ -85,6 +85,26 @@ #define MBEDTLS_MD_RIPEMD160_VIA_PSA #define MBEDTLS_MD_SOME_PSA #endif +#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_224) +#define MBEDTLS_MD_CAN_SHA3_224 +#define MBEDTLS_MD_SHA3_224_VIA_PSA +#define MBEDTLS_MD_SOME_PSA +#endif +#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_256) +#define MBEDTLS_MD_CAN_SHA3_256 +#define MBEDTLS_MD_SHA3_256_VIA_PSA +#define MBEDTLS_MD_SOME_PSA +#endif +#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_384) +#define MBEDTLS_MD_CAN_SHA3_384 +#define MBEDTLS_MD_SHA3_384_VIA_PSA +#define MBEDTLS_MD_SOME_PSA +#endif +#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_512) +#define MBEDTLS_MD_CAN_SHA3_512 +#define MBEDTLS_MD_SHA3_512_VIA_PSA +#define MBEDTLS_MD_SOME_PSA +#endif #endif /* MBEDTLS_PSA_CRYPTO_C */ /* Built-in implementations */ @@ -117,6 +137,7 @@ #define MBEDTLS_MD_CAN_SHA3_256 #define MBEDTLS_MD_CAN_SHA3_384 #define MBEDTLS_MD_CAN_SHA3_512 +#define MBEDTLS_MD_SOME_LEGACY #endif #if defined(MBEDTLS_RIPEMD160_C) #define MBEDTLS_MD_CAN_RIPEMD160 diff --git a/library/md.c b/library/md.c index b04e36445..4223c865b 100644 --- a/library/md.c +++ b/library/md.c @@ -258,6 +258,22 @@ static psa_algorithm_t psa_alg_of_md(const mbedtls_md_info_t *info) #if defined(MBEDTLS_MD_SHA512_VIA_PSA) case MBEDTLS_MD_SHA512: return PSA_ALG_SHA_512; +#endif +#if defined(MBEDTLS_MD_SHA3_224_VIA_PSA) + case MBEDTLS_MD_SHA3_224: + return PSA_ALG_SHA3_224; +#endif +#if defined(MBEDTLS_MD_SHA3_256_VIA_PSA) + case MBEDTLS_MD_SHA3_256: + return PSA_ALG_SHA3_256; +#endif +#if defined(MBEDTLS_MD_SHA3_384_VIA_PSA) + case MBEDTLS_MD_SHA3_384: + return PSA_ALG_SHA3_384; +#endif +#if defined(MBEDTLS_MD_SHA3_512_VIA_PSA) + case MBEDTLS_MD_SHA3_512: + return PSA_ALG_SHA3_512; #endif default: return PSA_ALG_NONE; From f324a74fab4969f1037d715bb3f9905a40aa0b73 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 5 Jul 2023 19:55:15 +0100 Subject: [PATCH 053/222] Add tests for MBEDTLS_MD_SHA3_xxx_VIA_PSA 
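Review bot: The new blocks test `MBEDTLS_PSA_ACCEL_ALG_SHA3_224`, `MBEDTLS_PSA_ACCEL_ALG_SHA3_256`, `MBEDTLS_PSA_ACCEL_ALG_SHA3_384` and `MBEDTLS_PSA_ACCEL_ALG_SHA3_512`, but the config_psa.h change in patch 002 of this series keys the built-in fallback on a single `MBEDTLS_PSA_ACCEL_ALG_SHA_3`. Unless both spellings are defined somewhere outside these hunks, a driver that declares SHA-3 the way config_psa.h expects would never set `MBEDTLS_MD_SHA3_*_VIA_PSA`, and the `psa_alg_of_md()` cases added in library/md.c (`@@ -258,6 +258,22 @@`) would never be compiled in. It would help to settle on one naming scheme, or to add a comment above the first block stating which macro a driver has to define. The `MBEDTLS_PSA_CRYPTO_C` region these blocks sit in opens outside the hunk.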
Signed-off-by: Dave Rodgman --- tests/suites/test_suite_md.psa.data | 48 +++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/tests/suites/test_suite_md.psa.data b/tests/suites/test_suite_md.psa.data index 5266f187f..cd24add46 100644 --- a/tests/suites/test_suite_md.psa.data +++ b/tests/suites/test_suite_md.psa.data 
@@ -85,3 +85,51 @@ md_psa_dynamic_dispatch:MBEDTLS_MD_SHA512:MBEDTLS_ERR_MD_BAD_INPUT_DATA:MBEDTLS_
 PSA dispatch SHA512 legacy+driver
 depends_on:MBEDTLS_SHA512_C:MBEDTLS_MD_SHA512_VIA_PSA
 md_psa_dynamic_dispatch:MBEDTLS_MD_SHA512:0:MBEDTLS_MD_ENGINE_PSA
+
+PSA dispatch SHA3-224 legacy only
+depends_on:MBEDTLS_SHA3_224_C:!MBEDTLS_MD_SHA3_224_VIA_PSA
+md_psa_dynamic_dispatch:MBEDTLS_MD_SHA3_224:0:MBEDTLS_MD_ENGINE_LEGACY
+
+PSA dispatch SHA3-224 driver only
+depends_on:!MBEDTLS_SHA3_224_C:MBEDTLS_MD_SHA3_224_VIA_PSA
+md_psa_dynamic_dispatch:MBEDTLS_MD_SHA3_224:MBEDTLS_ERR_MD_BAD_INPUT_DATA:MBEDTLS_MD_ENGINE_PSA
+
+PSA dispatch SHA3-224 legacy+driver
+depends_on:MBEDTLS_SHA3_224_C:MBEDTLS_MD_SHA3_224_VIA_PSA
+md_psa_dynamic_dispatch:MBEDTLS_MD_SHA3_224:0:MBEDTLS_MD_ENGINE_PSA
+
+PSA dispatch SHA3-256 legacy only
+depends_on:MBEDTLS_SHA3_256_C:!MBEDTLS_MD_SHA3_256_VIA_PSA
+md_psa_dynamic_dispatch:MBEDTLS_MD_SHA3_256:0:MBEDTLS_MD_ENGINE_LEGACY
+
+PSA dispatch SHA3-256 driver only
+depends_on:!MBEDTLS_SHA3_256_C:MBEDTLS_MD_SHA3_256_VIA_PSA
+md_psa_dynamic_dispatch:MBEDTLS_MD_SHA3_256:MBEDTLS_ERR_MD_BAD_INPUT_DATA:MBEDTLS_MD_ENGINE_PSA
+
+PSA dispatch SHA3-256 legacy+driver
+depends_on:MBEDTLS_SHA3_256_C:MBEDTLS_MD_SHA3_256_VIA_PSA
+md_psa_dynamic_dispatch:MBEDTLS_MD_SHA3_256:0:MBEDTLS_MD_ENGINE_PSA
+
+PSA dispatch SHA3-384 legacy only
+depends_on:MBEDTLS_SHA3_384_C:!MBEDTLS_MD_SHA3_384_VIA_PSA
+md_psa_dynamic_dispatch:MBEDTLS_MD_SHA3_384:0:MBEDTLS_MD_ENGINE_LEGACY
+
+PSA dispatch SHA3-384 driver only
+depends_on:!MBEDTLS_SHA3_384_C:MBEDTLS_MD_SHA3_384_VIA_PSA
+md_psa_dynamic_dispatch:MBEDTLS_MD_SHA3_384:MBEDTLS_ERR_MD_BAD_INPUT_DATA:MBEDTLS_MD_ENGINE_PSA
+
+PSA dispatch SHA3-384 legacy+driver
+depends_on:MBEDTLS_SHA3_384_C:MBEDTLS_MD_SHA3_384_VIA_PSA
+md_psa_dynamic_dispatch:MBEDTLS_MD_SHA3_384:0:MBEDTLS_MD_ENGINE_PSA
+
+PSA dispatch SHA3-512 legacy only
+depends_on:MBEDTLS_SHA3_512_C:!MBEDTLS_MD_SHA3_512_VIA_PSA
+md_psa_dynamic_dispatch:MBEDTLS_MD_SHA3_512:0:MBEDTLS_MD_ENGINE_LEGACY + +PSA dispatch SHA3-512 driver only +depends_on:!MBEDTLS_SHA3_512_C:MBEDTLS_MD_SHA3_512_VIA_PSA +md_psa_dynamic_dispatch:MBEDTLS_MD_SHA3_512:MBEDTLS_ERR_MD_BAD_INPUT_DATA:MBEDTLS_MD_ENGINE_PSA + +PSA dispatch SHA3-512 legacy+driver +depends_on:MBEDTLS_SHA3_512_C:MBEDTLS_MD_SHA3_512_VIA_PSA +md_psa_dynamic_dispatch:MBEDTLS_MD_SHA3_512:0:MBEDTLS_MD_ENGINE_PSA From 0c2d1afaf328f840959db099b7d668474e948db8 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 5 Jul 2023 20:23:09 +0100 Subject: [PATCH 054/222] Fix free before pointers initialised Signed-off-by: Dave Rodgman --- tests/suites/test_suite_md.function | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/suites/test_suite_md.function b/tests/suites/test_suite_md.function index 75087e7ee..03b18640b 100644 --- a/tests/suites/test_suite_md.function +++ b/tests/suites/test_suite_md.function @@ -386,7 +386,6 @@ exit: void md_psa_dynamic_dispatch(int md_type, int pre_psa_ret, int post_psa_engine) { const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_type); - TEST_ASSERT(md_info != NULL); mbedtls_md_context_t ctx1, ctx2; /* Intentionally no PSA init here! (Will be done later.) */ @@ -394,6 +393,8 @@ void md_psa_dynamic_dispatch(int md_type, int pre_psa_ret, int post_psa_engine) mbedtls_md_init(&ctx1); mbedtls_md_init(&ctx2); + TEST_ASSERT(md_info != NULL); + /* Before PSA crypto init */ TEST_EQUAL(pre_psa_ret, mbedtls_md_setup(&ctx1, md_info, 0)); TEST_EQUAL(pre_psa_ret, mbedtls_md_setup(&ctx2, md_info, 0)); From 6cc1734f3e7ac9e1de336937d41cfa6ec308873f Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 5 Jul 2023 20:27:45 +0100 Subject: [PATCH 055/222] Fix test dependency Signed-off-by: Dave Rodgman --- tests/suites/test_suite_md.function | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/suites/test_suite_md.function b/tests/suites/test_suite_md.function index 03b18640b..384b408c8 100644 
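Review bot: The `depends_on` lines of the new SHA3 cases name `MBEDTLS_SHA3_224_C`, `MBEDTLS_SHA3_256_C`, `MBEDTLS_SHA3_384_C` and `MBEDTLS_SHA3_512_C`, but the only SHA-3 build option I know of in this library is `MBEDTLS_SHA3_C`, and the built-in block touched in the previous commit defines all four `MBEDTLS_MD_CAN_SHA3_*` macros together under one condition. If no per-variant option exists, every "legacy only" and "legacy+driver" case is skipped in all configurations and the "driver only" cases no longer depend on the legacy code being absent, so the SHA-3 dispatch paths would go unexercised while the suite still reports success. Assuming that is the case, the three forms should read `depends_on:MBEDTLS_SHA3_C:!MBEDTLS_MD_SHA3_224_VIA_PSA`, `depends_on:!MBEDTLS_SHA3_C:MBEDTLS_MD_SHA3_224_VIA_PSA` and `depends_on:MBEDTLS_SHA3_C:MBEDTLS_MD_SHA3_224_VIA_PSA`, and likewise for 256, 384 and 512.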
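Review bot: The moved `TEST_ASSERT(md_info != NULL);` carries no comment saying why it sits after the two `mbedtls_md_init()` calls, so a later tidy-up could move it back next to the `md_info` assignment and reintroduce the problem named in the commit title. The reason appears to be that a failing assertion jumps to the `exit:` label, where the contexts are presumably freed; that cleanup is outside both hunks, so this is inferred. I would add `/* Keep after mbedtls_md_init(): a failed assertion jumps to exit, which frees ctx1 and ctx2. */` directly above the assertion in the second hunk.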
--- a/tests/suites/test_suite_md.function +++ b/tests/suites/test_suite_md.function @@ -30,10 +30,12 @@ void mbedtls_md_list() TEST_EQUAL(0, mbedtls_md_finish(&ctx, out)); mbedtls_md_free(&ctx); +#if defined MBEDTLS_PSA_CRYPTO_C /* Ensure that we can convert to and from a psa_algorithm_t */ psa_algorithm_t p = mbedtls_md_psa_alg_from_type(*md_type_ptr); TEST_ASSERT(p != PSA_ALG_NONE); TEST_EQUAL(*md_type_ptr, mbedtls_md_type_from_psa_alg(p)); +#endif } exit: From 8dda131a0ad44805f56ea8e6ddb7e5f68f4279bb Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 6 Jul 2023 09:30:37 +0100 Subject: [PATCH 056/222] Test OID lookup for every hash algorithm Signed-off-by: Dave Rodgman --- tests/suites/test_suite_md.function | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/tests/suites/test_suite_md.function b/tests/suites/test_suite_md.function index 384b408c8..7a1089123 100644 --- a/tests/suites/test_suite_md.function +++ b/tests/suites/test_suite_md.function @@ -1,6 +1,8 @@ /* BEGIN_HEADER */ #include "mbedtls/md.h" #include "../library/md_psa.h" +#include "mbedtls/oid.h" +#include "mbedtls/asn1.h" /* END_HEADER */ /* BEGIN_DEPENDENCIES 
@@ -30,12 +32,23 @@ void mbedtls_md_list() TEST_EQUAL(0, mbedtls_md_finish(&ctx, out)); mbedtls_md_free(&ctx); -#if defined MBEDTLS_PSA_CRYPTO_C +#if defined(MBEDTLS_PSA_CRYPTO_C) /* Ensure that we can convert to and from a psa_algorithm_t */ psa_algorithm_t p = mbedtls_md_psa_alg_from_type(*md_type_ptr); TEST_ASSERT(p != PSA_ALG_NONE); TEST_EQUAL(*md_type_ptr, mbedtls_md_type_from_psa_alg(p)); #endif + +#if defined(MBEDTLS_OID_C) + mbedtls_asn1_buf asn1; + /* Check that we have an OID definition */ + TEST_EQUAL(mbedtls_oid_get_oid_by_md((mbedtls_md_type_t) *md_type_ptr, + (const char **) &asn1.p, &asn1.len), 0); + /* Check that this OID definition maps back to the correct mbedtls_md_type_t */ + mbedtls_md_type_t m; + TEST_EQUAL(mbedtls_oid_get_md_alg(&asn1, &m), 0); + TEST_EQUAL(m, *md_type_ptr); +#endif } exit: From f14a5c3fcb54ae2dae758c39ee3137eca19d88de Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Fri, 14 Jul 2023 06:15:15 -0400 Subject: [PATCH 057/222] Improve the documentation of MBEDTLS_PLATFORM_MEMORY Introduce requests from review comments. Signed-off-by: Andrzej Kurek --- include/mbedtls/mbedtls_config.h | 75 +++++++++++++++++--------------- 1 file changed, 40 insertions(+), 35 deletions(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index ddbef7a66..d0f8c4655 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h 
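Review bot: In the `MBEDTLS_OID_C` block, `asn1` is declared without an initialiser and only `p` and `len` are filled in, through a `(const char **) &asn1.p` cast, before the whole struct is handed to `mbedtls_oid_get_md_alg()`. The `tag` member is therefore indeterminate when the struct is passed on, and the cast stores a `const char *` through a pointer to a member declared `unsigned char *`, which sanitizer builds and aliasing warnings may flag even if the lookup only reads `p` and `len`. Going through typed locals avoids both: pass `&oid, &oid_len` declared as `const char *oid = NULL; size_t oid_len = 0;` to the first call, then build `mbedtls_asn1_buf asn1 = { .tag = MBEDTLS_ASN1_OID, .len = oid_len, .p = (unsigned char *) oid };`. The body of `mbedtls_md_list()` starts and ends outside the hunk.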
@@ -172,15 +172,47 @@ * This allows different allocators (self-implemented or provided) to be * provided to the platform abstraction layer. * - * Enabling MBEDTLS_PLATFORM_MEMORY without the + * Enabling #MBEDTLS_PLATFORM_MEMORY without the * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and * free() function pointer at runtime. * - * Enabling MBEDTLS_PLATFORM_MEMORY and specifying + * Enabling #MBEDTLS_PLATFORM_MEMORY and specifying * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the * alternate function at compile time. * + * An overview of how the value of mbedtls_calloc is determined: + * + * - if !MBEDTLS_PLATFORM_MEMORY + * - mbedtls_calloc = calloc + * - if MBEDTLS_PLATFORM_MEMORY + * - if (MBEDTLS_PLATFORM_CALLOC_MACRO && MBEDTLS_PLATFORM_FREE_MACRO): + * - mbedtls_calloc = MBEDTLS_PLATFORM_CALLOC_MACRO + * - if !(MBEDTLS_PLATFORM_CALLOC_MACRO && MBEDTLS_PLATFORM_FREE_MACRO): + * - Dynamic setup via mbedtls_platform_set_calloc_free is now possible with a default value MBEDTLS_PLATFORM_STD_CALLOC. + * - How is MBEDTLS_PLATFORM_STD_CALLOC handled? + * - if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS: + * - MBEDTLS_PLATFORM_STD_CALLOC is not set to anything; + * - MBEDTLS_PLATFORM_STD_MEM_HDR can be included if present; + * - if !MBEDTLS_PLATFORM_NO_STD_FUNCTIONS: + * - if MBEDTLS_PLATFORM_STD_CALLOC is present: + * - User-defined MBEDTLS_PLATFORM_STD_CALLOC is respected; + * - if !MBEDTLS_PLATFORM_STD_CALLOC: + * - MBEDTLS_PLATFORM_STD_CALLOC = calloc + * + * - At this point the presence of MBEDTLS_PLATFORM_STD_CALLOC is checked. + * - if !MBEDTLS_PLATFORM_STD_CALLOC + * - MBEDTLS_PLATFORM_STD_CALLOC = uninitialized_calloc + * + * - mbedtls_calloc = MBEDTLS_PLATFORM_STD_CALLOC. + * + * Defining MBEDTLS_PLATFORM_CALLOC_MACRO and #MBEDTLS_PLATFORM_STD_CALLOC at the same time is not possible. 
+ * MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_FREE_MACRO must both be defined or undefined at the same time. + * #MBEDTLS_PLATFORM_STD_CALLOC and #MBEDTLS_PLATFORM_STD_FREE do not have to be defined at the same time, as, if they are used, + * dynamic setup of these functions is possible. See the tree above to see how are they handled in all cases. + * An uninitialized #MBEDTLS_PLATFORM_STD_CALLOC always fails, returning a null pointer. + * An uninitialized #MBEDTLS_PLATFORM_STD_FREE does not do anything. + * * Requires: MBEDTLS_PLATFORM_C * * Enable this layer to allow use of alternative memory allocators. 
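Review bot: The new paragraph states that an uninitialized `MBEDTLS_PLATFORM_STD_CALLOC` always returns a null pointer, but it does not tell the integrator what follows from that: by the tree above, in the `MBEDTLS_PLATFORM_NO_STD_FUNCTIONS` branch every allocation fails until `mbedtls_platform_set_calloc_free()` has been called. I would add one sentence after it, for example `In that configuration, call mbedtls_platform_set_calloc_free() before any library function that allocates memory.` The phrase "See the tree above to see how are they handled in all cases" should read "how they are handled", and several added lines are much longer than the rest of the comment block and would read better wrapped.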
@@ -3681,53 +3713,26 @@ /* Platform options */ //#define MBEDTLS_PLATFORM_STD_MEM_HDR /**< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed. */ -/* An overview of how the value of mbedtls_calloc is determined: - * - * if !MBEDTLS_PLATFORM_MEMORY - * mbedtls_calloc = calloc - * if MBEDTLS_PLATFORM_MEMORY - * if (MBEDTLS_PLATFORM_CALLOC_MACRO && MBEDTLS_PLATFORM_FREE_MACRO): - * mbedtls_calloc = MBEDTLS_PLATFORM_CALLOC_MACRO - * if !(MBEDTLS_PLATFORM_CALLOC_MACRO && MBEDTLS_PLATFORM_FREE_MACRO): - * Dynamic setup via mbedtls_platform_set_calloc_free is now possible with a default value MBEDTLS_PLATFORM_STD_CALLOC. - * How is MBEDTLS_PLATFORM_STD_CALLOC handled? - * if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS: - * MBEDTLS_PLATFORM_STD_CALLOC is not set to anything; - * MBEDTLS_PLATFORM_STD_MEM_HDR can be included if present; - * if !MBEDTLS_PLATFORM_NO_STD_FUNCTIONS: - * if MBEDTLS_PLATFORM_STD_CALLOC is present: - * User-defined MBEDTLS_PLATFORM_STD_CALLOC is respected; - * if !MBEDTLS_PLATFORM_STD_CALLOC: - * MBEDTLS_PLATFORM_STD_CALLOC = calloc - * - * At this point the presence of MBEDTLS_PLATFORM_STD_CALLOC is checked. - * if !MBEDTLS_PLATFORM_STD_CALLOC - * MBEDTLS_PLATFORM_STD_CALLOC = uninitialized_calloc - * - * mbedtls_calloc = MBEDTLS_PLATFORM_STD_CALLOC. - * - * Defining MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_STD_CALLOC at the same time is not possible. - * MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_FREE_MACRO must both be defined or undefined at the same time. - * MBEDTLS_PLATFORM_STD_CALLOC and MBEDTLS_PLATFORM_STD_FREE do not have to be defined at the same time, as, if they are used, - * dynamic setup of these functions is possible. See the tree above to see how are they handled in all cases. - */ - /** \def MBEDTLS_PLATFORM_STD_CALLOC * - * Default allocator to use, can be undefined. See the description above for details. + * Default allocator to use, can be undefined. 
* It must initialize the allocated buffer memory to zeroes. * The size of the buffer is the product of the two parameters. * The calloc function returns either a null pointer or a pointer to the allocated space. * If the product is 0, the function may either return NULL or a valid pointer to an array of size 0 which is a valid input to the deallocation function. + * An uninitialized #MBEDTLS_PLATFORM_STD_CALLOC always fails, returning a null pointer. + * See the description of #MBEDTLS_PLATFORM_MEMORY for more details. * The corresponding deallocation function is #MBEDTLS_PLATFORM_STD_FREE. */ //#define MBEDTLS_PLATFORM_STD_CALLOC calloc /** \def MBEDTLS_PLATFORM_STD_FREE * - * Default free to use, can be undefined. See the description above for more details (same principles as for MBEDTLS_PLATFORM_STD_CALLOC apply). + * Default free to use, can be undefined. * NULL is a valid parameter, and the function must do nothing. * A non-null parameter will always be a pointer previously returned by #MBEDTLS_PLATFORM_STD_CALLOC and not yet freed. + * An uninitialized #MBEDTLS_PLATFORM_STD_FREE does not do anything. + * See the description of #MBEDTLS_PLATFORM_MEMORY for more details (same principles as for MBEDTLS_PLATFORM_STD_CALLOC apply). */ //#define MBEDTLS_PLATFORM_STD_FREE free //#define MBEDTLS_PLATFORM_STD_SETBUF setbuf /**< Default setbuf to use, can be undefined */ From fc6ed4ddad41e6ca10e807bb1b5aac34752ece87 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Fri, 14 Jul 2023 17:33:09 +0800 Subject: [PATCH 058/222] code_size_compare: add a parser to generate code size with size tool This commit splits CodeSizeBase as a separate class to prepare a parser as CodeSizeGenerator. The benefit is we can extend the tool of code size measurement in order to generate more types of code size record. Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 35 ++++++++++++++++++++--------------- 1 file changed, 20 insertions(+), 15 deletions(-) 
diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 0ed28999b..3c0f83d9a 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -125,17 +125,18 @@ class CodeSizeInfo: # pylint: disable=too-few-public-methods print(comb) sys.exit(1) -class SizeEntry: # pylint: disable=too-few-public-methods - """Data Structure to only store information of code size.""" - def __init__(self, text, data, bss, dec): - self.text = text - self.data = data - self.bss = bss - self.total = dec # total <=> dec -class CodeSizeBase: +class CodeSizeGeneratorWithSize: """Code Size Base Class for size record saving and writing.""" + class SizeEntry: # pylint: disable=too-few-public-methods + """Data Structure to only store information of code size.""" + def __init__(self, text, data, bss, dec): + self.text = text + self.data = data + self.bss = bss + self.total = dec # total <=> dec + def __init__(self) -> None: """ Variable code_size is used to store size info for any revisions. code_size: (data format) @@ -157,7 +158,8 @@ class CodeSizeBase: size_record = {} for line in size_text.splitlines()[1:]: data = line.split() - size_record[data[5]] = SizeEntry(data[0], data[1], data[2], data[3]) + size_record[data[5]] = CodeSizeGeneratorWithSize.SizeEntry(\ + data[0], data[1], data[2], data[3]) if revision in self.code_size: self.code_size[revision].update({mod: size_record}) else: @@ -180,7 +182,8 @@ class CodeSizeBase: if mod: size_record[data[0]] = \ - SizeEntry(data[1], data[2], data[3], data[4]) + CodeSizeGeneratorWithSize.SizeEntry(\ + data[1], data[2], data[3], data[4]) # check if we hit record for the end of a module m = re.match(r'.?TOTALS', line) @@ -247,7 +250,7 @@ class CodeSizeBase: output.write("{} {}\n".format(fname, new_size)) -class CodeSizeComparison(CodeSizeBase): +class CodeSizeComparison: """Compare code size between two Git revisions.""" def __init__( 
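Review bot: The renamed class keeps the docstring `"""Code Size Base Class for size record saving and writing."""`, although after this commit nothing derives from it and `CodeSizeComparison` holds an instance instead, so the description is now misleading; something like `"""Parse output of the size tool and save/write code size records."""` would match what the class does. In the second and third hunks the `CodeSizeGeneratorWithSize.SizeEntry(\` calls use a backslash continuation inside an open parenthesis, which is redundant, and inside the class's own methods `self.SizeEntry(...)` is shorter than repeating the outer class name. The class body continues outside these hunks.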
@@ -278,6 +281,7 @@ class CodeSizeComparison(CodeSizeBase): self.make_command = code_size_info.make_command self.fname_suffix = "-" + code_size_info.arch + "-" +\ code_size_info.config + self.code_size_generator = CodeSizeGeneratorWithSize() @staticmethod def validate_revision(revision: str) -> bytes: @@ -336,12 +340,12 @@ class CodeSizeComparison(CodeSizeBase): self._handle_called_process_error(e, git_worktree_path) size_text = result.decode("utf-8") - self.set_size_record(revision, mod, size_text) + self.code_size_generator.set_size_record(revision, mod, size_text) print("Generating code size csv for", revision) csv_file = open(os.path.join(self.csv_dir, revision + self.fname_suffix + ".csv"), "w") - self.write_size_record(revision, csv_file) + self.code_size_generator.write_size_record(revision, csv_file) def _remove_worktree(self, git_worktree_path: str) -> None: """Remove temporary worktree.""" @@ -361,7 +365,8 @@ class CodeSizeComparison(CodeSizeBase): if (revision != "current") and \ os.path.exists(os.path.join(self.csv_dir, csv_fname)): print("Code size csv file for", revision, "already exists.") - self.read_size_record(revision, os.path.join(self.csv_dir, csv_fname)) + self.code_size_generator.read_size_record(revision,\ + os.path.join(self.csv_dir, csv_fname)) else: git_worktree_path = self._create_git_worktree(revision) self._build_libraries(git_worktree_path) @@ -380,7 +385,7 @@ class CodeSizeComparison(CodeSizeBase): print("\nGenerating comparison results between",\ self.old_rev, "and", self.new_rev) - self.write_comparison(self.old_rev, self.new_rev, res_file) + self.code_size_generator.write_comparison(self.old_rev, self.new_rev, res_file) return 0 From 15c43f34073f6315bc006de4c992ab19a6cbaa28 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Mon, 17 Jul 2023 11:17:12 +0800 Subject: [PATCH 059/222] code_size_compare: add a base class as CodeSizeGenerator 
Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 64 +++++++++++++++++++++++++++++++++++- 1 file changed, 63 insertions(+), 1 deletion(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 3c0f83d9a..a5625c32a 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -126,7 +126,44 @@ class CodeSizeInfo: # pylint: disable=too-few-public-methods sys.exit(1) -class CodeSizeGeneratorWithSize: +class CodeSizeGenerator: + """ A generator based on size measurement tool for library objects. + + This is an abstract class. To use it, derive a class that implements + size_generator_write_record and size_generator_write_comparison methods, + then call both of them with proper arguments. + """ + def size_generator_write_record( + self, + revision: str, + code_size_text: typing.Dict, + output_file: str + ) -> None: + """Write size record into a file. + + revision: Git revision.(E.g: commit) + code_size_text: text output (utf-8) from code size measurement tool. + output_file: file which the code size record is written to. + """ + raise NotImplementedError + + def size_generator_write_comparison( + self, + old_rev: str, + new_rev: str, + output_stream + ) -> None: + """Write a comparision result into a stream between two revisions. + + old_rev: old git revision to compared with. + new_rev: new git revision to compared with. + output_stream: stream which the code size record is written to. + (E.g: file / sys.stdout) + """ + raise NotImplementedError + + +class CodeSizeGeneratorWithSize(CodeSizeGenerator): """Code Size Base Class for size record saving and writing.""" class SizeEntry: # pylint: disable=too-few-public-methods 
@@ -249,6 +286,31 @@ class CodeSizeGeneratorWithSize: else: output.write("{} {}\n".format(fname, new_size)) + def size_generator_write_record( + self, + revision: str, + code_size_text: typing.Dict, + output_file: str + ) -> None: + """Write size record into a specified file based on Git revision and + output from `size` tool.""" + for mod, size_text in code_size_text.items(): + self.set_size_record(revision, mod, size_text) + + print("Generating code size csv for", revision) + output = open(output_file, "w") + self.write_size_record(revision, output) + + def size_generator_write_comparison( + self, + old_rev: str, + new_rev: str, + output_stream + ) -> None: + """Write a comparision result into a stream between two revisions.""" + output = open(output_stream, "w") + self.write_comparison(old_rev, new_rev, output) + class CodeSizeComparison: """Compare code size between two Git revisions.""" From e0e276046bda6a1feb8121b44a565cee2bfd9543 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Fri, 14 Jul 2023 17:37:45 +0800 Subject: [PATCH 060/222] code_size_compare: add CodeSizeCalculator to calculate code size CodeSizeCalculator is aimed to calculate code size based on a Git revision and code size measurement tool. The output of code size is in utf-8 encoding. Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 223 +++++++++++++++++++++-------------- 1 file changed, 132 insertions(+), 91 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index a5625c32a..01d93cad0 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py 
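Review bot: `size_generator_write_comparison()` calls `open(output_stream, "w")`, so it only works when given a path, while the base-class docstring added in the same commit describes `output_stream` as a stream such as a file or `sys.stdout`; passing `sys.stdout` would raise `TypeError`. Both new methods also never close the file they open, so the CSV may not be flushed until the interpreter exits. Either rename the parameter to a path and use `with open(output_file, "w") as output:` in both methods, or accept a real stream and drop the `open()` call. The annotation `code_size_text: typing.Dict` is documented as "text output", whereas the loop treats it as a mapping from module name to the tool's text, which the docstring should say.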
@@ -126,6 +126,123 @@ class CodeSizeInfo: # pylint: disable=too-few-public-methods sys.exit(1) +class CodeSizeCalculator: + """ A calculator to calculate code size of library objects based on + Git revision and code size measurement tool. + """ + + def __init__( + self, + revision: str, + make_cmd: str, + ) -> None: + """ + revision: Git revision.(E.g: commit) + make_cmd: command to build library objects. + """ + self.repo_path = "." + self.git_command = "git" + self.make_clean = 'make clean' + + self.revision = revision + self.make_cmd = make_cmd + + @staticmethod + def validate_revision(revision: str) -> bytes: + result = subprocess.check_output(["git", "rev-parse", "--verify", + revision + "^{commit}"], shell=False) + return result + + def _create_git_worktree(self, revision: str) -> str: + """Make a separate worktree for revision. + Do not modify the current worktree.""" + + if revision == "current": + print("Using current work directory") + git_worktree_path = self.repo_path + else: + print("Creating git worktree for", revision) + git_worktree_path = os.path.join(self.repo_path, "temp-" + revision) + subprocess.check_output( + [self.git_command, "worktree", "add", "--detach", + git_worktree_path, revision], cwd=self.repo_path, + stderr=subprocess.STDOUT + ) + + return git_worktree_path + + def _build_libraries(self, git_worktree_path: str) -> None: + """Build libraries in the specified worktree.""" + + my_environment = os.environ.copy() + try: + subprocess.check_output( + self.make_clean, env=my_environment, shell=True, + cwd=git_worktree_path, stderr=subprocess.STDOUT, + ) + subprocess.check_output( + self.make_cmd, env=my_environment, shell=True, + cwd=git_worktree_path, stderr=subprocess.STDOUT, + ) + except subprocess.CalledProcessError as e: + self._handle_called_process_error(e, git_worktree_path) + + def _gen_raw_code_size(self, revision, git_worktree_path): + """Calculate code size with measurement tool in UTF-8 encoding.""" + if revision == "current": 
+ print("Measuring code size in current work directory") + else: + print("Measuring code size for", revision) + + res = {} + for mod, st_lib in MBEDTLS_STATIC_LIB.items(): + try: + result = subprocess.check_output( + ["size", st_lib, "-t"], cwd=git_worktree_path, + universal_newlines=True + ) + res[mod] = result + except subprocess.CalledProcessError as e: + self._handle_called_process_error(e, git_worktree_path) + + return res + + def _remove_worktree(self, git_worktree_path: str) -> None: + """Remove temporary worktree.""" + if git_worktree_path != self.repo_path: + print("Removing temporary worktree", git_worktree_path) + subprocess.check_output( + [self.git_command, "worktree", "remove", "--force", + git_worktree_path], cwd=self.repo_path, + stderr=subprocess.STDOUT + ) + + def _handle_called_process_error(self, e: subprocess.CalledProcessError, + git_worktree_path: str) -> None: + """Handle a CalledProcessError and quit the program gracefully. + Remove any extra worktrees so that the script may be called again.""" + + # Tell the user what went wrong + print("The following command: {} failed and exited with code {}" + .format(e.cmd, e.returncode)) + print("Process output:\n {}".format(str(e.output, "utf-8"))) + + # Quit gracefully by removing the existing worktree + self._remove_worktree(git_worktree_path) + sys.exit(-1) + + def cal_libraries_code_size(self) -> typing.Dict: + """Calculate code size of libraries by measurement tool.""" + + revision = self.revision + git_worktree_path = self._create_git_worktree(revision) + self._build_libraries(git_worktree_path) + res = self._gen_raw_code_size(revision, git_worktree_path) + self._remove_worktree(git_worktree_path) + + return res + + class CodeSizeGenerator: """ A generator based on size measurement tool for library objects. 
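Review bot: `_handle_called_process_error()` formats the failure with `str(e.output, "utf-8")`, but `_gen_raw_code_size()` now calls `check_output(..., universal_newlines=True)`, so for a failing `size` run `e.output` is already a `str` and that expression raises `TypeError`. The handler then dies before `_remove_worktree()` runs, leaving the `temp-<revision>` worktree behind, which is the state the handler exists to prevent. Decoding only when needed fixes it: `output = e.output if isinstance(e.output, str) else e.output.decode("utf-8")`, followed by `print("Process output:\n {}".format(output))`. The `size` call also does not redirect stderr, so the tool's error text is not part of `e.output`; adding `stderr=subprocess.STDOUT` there would match the other calls in the class.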
@@ -328,7 +445,6 @@ class CodeSizeComparison: result_dir: directory for comparison result. code_size_info: an object containing information to build library. """ - super().__init__() self.repo_path = "." self.result_dir = os.path.abspath(result_dir) os.makedirs(self.result_dir, exist_ok=True) @@ -345,47 +461,7 @@ class CodeSizeComparison: code_size_info.config self.code_size_generator = CodeSizeGeneratorWithSize() - @staticmethod - def validate_revision(revision: str) -> bytes: - result = subprocess.check_output(["git", "rev-parse", "--verify", - revision + "^{commit}"], shell=False) - return result - - def _create_git_worktree(self, revision: str) -> str: - """Make a separate worktree for revision. - Do not modify the current worktree.""" - - if revision == "current": - print("Using current work directory") - git_worktree_path = self.repo_path - else: - print("Creating git worktree for", revision) - git_worktree_path = os.path.join(self.repo_path, "temp-" + revision) - subprocess.check_output( - [self.git_command, "worktree", "add", "--detach", - git_worktree_path, revision], cwd=self.repo_path, - stderr=subprocess.STDOUT - ) - - return git_worktree_path - - def _build_libraries(self, git_worktree_path: str) -> None: - """Build libraries in the specified worktree.""" - - my_environment = os.environ.copy() - try: - subprocess.check_output( - self.make_clean, env=my_environment, shell=True, - cwd=git_worktree_path, stderr=subprocess.STDOUT, - ) - subprocess.check_output( - self.make_command, env=my_environment, shell=True, - cwd=git_worktree_path, stderr=subprocess.STDOUT, - ) - except subprocess.CalledProcessError as e: - self._handle_called_process_error(e, git_worktree_path) - - def _gen_code_size_csv(self, revision: str, git_worktree_path: str) -> None: + def _gen_code_size_csv(self, revision: str) -> None: """Generate code size csv file.""" if revision == "current": 
@@ -393,31 +469,13 @@ class CodeSizeComparison: else: print("Measuring code size for", revision) - for mod, st_lib in MBEDTLS_STATIC_LIB.items(): - try: - result = subprocess.check_output( - ["size", st_lib, "-t"], cwd=git_worktree_path - ) - except subprocess.CalledProcessError as e: - self._handle_called_process_error(e, git_worktree_path) - size_text = result.decode("utf-8") + code_size_text = CodeSizeCalculator(revision, self.make_command).\ + cal_libraries_code_size() - self.code_size_generator.set_size_record(revision, mod, size_text) - - print("Generating code size csv for", revision) - csv_file = open(os.path.join(self.csv_dir, revision + - self.fname_suffix + ".csv"), "w") - self.code_size_generator.write_size_record(revision, csv_file) - - def _remove_worktree(self, git_worktree_path: str) -> None: - """Remove temporary worktree.""" - if git_worktree_path != self.repo_path: - print("Removing temporary worktree", git_worktree_path) - subprocess.check_output( - [self.git_command, "worktree", "remove", "--force", - git_worktree_path], cwd=self.repo_path, - stderr=subprocess.STDOUT - ) + csv_file = os.path.join(self.csv_dir, revision + + self.fname_suffix + ".csv") + self.code_size_generator.size_generator_write_record(revision,\ + code_size_text, csv_file) def _get_code_size_for_rev(self, revision: str) -> None: """Generate code size csv file for the specified git revision.""" 
@@ -430,24 +488,21 @@ class CodeSizeComparison: self.code_size_generator.read_size_record(revision,\ os.path.join(self.csv_dir, csv_fname)) else: - git_worktree_path = self._create_git_worktree(revision) - self._build_libraries(git_worktree_path) - self._gen_code_size_csv(revision, git_worktree_path) - self._remove_worktree(git_worktree_path) + self._gen_code_size_csv(revision) def _gen_code_size_comparison(self) -> int: """Generate results of the size changes between two revisions, old and new. Measured code size results of these two revisions must be available.""" - res_file = open(os.path.join(self.result_dir, "compare-" + - self.old_rev + "-" + self.new_rev + - self.fname_suffix + - ".csv"), "w") + res_file = os.path.join(self.result_dir, "compare-" + + self.old_rev + "-" + self.new_rev + + self.fname_suffix + ".csv") print("\nGenerating comparison results between",\ self.old_rev, "and", self.new_rev) - self.code_size_generator.write_comparison(self.old_rev, self.new_rev, res_file) + self.code_size_generator.size_generator_write_comparison(\ + self.old_rev, self.new_rev, res_file) return 0 @@ -459,20 +514,6 @@ class CodeSizeComparison: self._get_code_size_for_rev(self.new_rev) return self._gen_code_size_comparison() - def _handle_called_process_error(self, e: subprocess.CalledProcessError, - git_worktree_path: str) -> None: - """Handle a CalledProcessError and quit the program gracefully. - Remove any extra worktrees so that the script may be called again.""" - - # Tell the user what went wrong - print("The following command: {} failed and exited with code {}" - .format(e.cmd, e.returncode)) - print("Process output:\n {}".format(str(e.output, "utf-8"))) - - # Quit gracefully by removing the existing worktree - self._remove_worktree(git_worktree_path) - sys.exit(-1) - def main(): parser = argparse.ArgumentParser(description=(__doc__)) group_required = parser.add_argument_group( 
@@ -509,11 +550,11 @@ def main(): print("Error: {} is not a directory".format(comp_args.result_dir)) parser.exit() - validate_res = CodeSizeComparison.validate_revision(comp_args.old_rev) + validate_res = CodeSizeCalculator.validate_revision(comp_args.old_rev) old_revision = validate_res.decode().replace("\n", "") if comp_args.new_rev is not None: - validate_res = CodeSizeComparison.validate_revision(comp_args.new_rev) + validate_res = CodeSizeCalculator.validate_revision(comp_args.new_rev) new_revision = validate_res.decode().replace("\n", "") else: new_revision = "current" From 5e9130a5e9ed156400ce56efc4a0e7c86c59185a Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Mon, 17 Jul 2023 11:55:54 +0800 Subject: [PATCH 061/222] code_size_compare: simplify methods in CodeSizeComparison Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 56 ++++++++++++++---------------------- 1 file changed, 22 insertions(+), 34 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 01d93cad0..8cd1b2775 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -92,12 +92,11 @@ class CodeSizeInfo: # pylint: disable=too-few-public-methods arch: architecture to measure code size on. config: configuration type to measure code size with. sys_arch: host architecture. - make_command: command to build library (Inferred from arch and config). """ self.arch = arch self.config = config self.sys_arch = sys_arch - self.make_command = self.set_make_command() + self.make_cmd = self.set_make_command() def set_make_command(self) -> str: """Infer build command based on architecture and configuration.""" 
@@ -456,63 +455,52 @@ class CodeSizeComparison: self.new_rev = new_revision self.git_command = "git" self.make_clean = 'make clean' - self.make_command = code_size_info.make_command + self.make_cmd = code_size_info.make_cmd self.fname_suffix = "-" + code_size_info.arch + "-" +\ code_size_info.config self.code_size_generator = CodeSizeGeneratorWithSize() - def _gen_code_size_csv(self, revision: str) -> None: - """Generate code size csv file.""" + def cal_code_size(self, revision: str): + """Calculate code size of library objects in a UTF-8 encoding""" - if revision == "current": - print("Measuring code size in current work directory") - else: - print("Measuring code size for", revision) - - code_size_text = CodeSizeCalculator(revision, self.make_command).\ + return CodeSizeCalculator(revision, self.make_cmd).\ cal_libraries_code_size() - csv_file = os.path.join(self.csv_dir, revision + - self.fname_suffix + ".csv") - self.code_size_generator.size_generator_write_record(revision,\ - code_size_text, csv_file) - - def _get_code_size_for_rev(self, revision: str) -> None: - """Generate code size csv file for the specified git revision.""" + def gen_code_size_report(self, revision): + """Generate code size record and write it into a file.""" + output_file = os.path.join(self.csv_dir,\ + revision + self.fname_suffix + ".csv") # Check if the corresponding record exists - csv_fname = revision + self.fname_suffix + ".csv" - if (revision != "current") and \ - os.path.exists(os.path.join(self.csv_dir, csv_fname)): + if (revision != "current") and os.path.exists(output_file): print("Code size csv file for", revision, "already exists.") - self.code_size_generator.read_size_record(revision,\ - os.path.join(self.csv_dir, csv_fname)) + self.code_size_generator.read_size_record(revision, output_file) else: - self._gen_code_size_csv(revision) + self.code_size_generator.size_generator_write_record(revision,\ + self.cal_code_size(revision), output_file) - def 
_gen_code_size_comparison(self) -> int: - """Generate results of the size changes between two revisions, + def gen_code_size_comparison(self) -> int: + """Generate results of code size changes between two revisions, old and new. Measured code size results of these two revisions must be available.""" - res_file = os.path.join(self.result_dir, "compare-" + - self.old_rev + "-" + self.new_rev + - self.fname_suffix + ".csv") + output_file = os.path.join(self.result_dir, "compare-" + + self.old_rev + "-" + self.new_rev + + self.fname_suffix + ".csv") print("\nGenerating comparison results between",\ self.old_rev, "and", self.new_rev) self.code_size_generator.size_generator_write_comparison(\ - self.old_rev, self.new_rev, res_file) - + self.old_rev, self.new_rev, output_file) return 0 def get_comparision_results(self) -> int: """Compare size of library/*.o between self.old_rev and self.new_rev, and generate the result file.""" build_tree.check_repo_path() - self._get_code_size_for_rev(self.old_rev) - self._get_code_size_for_rev(self.new_rev) - return self._gen_code_size_comparison() + self.gen_code_size_report(self.old_rev) + self.gen_code_size_report(self.new_rev) + return self.gen_code_size_comparison() def main(): parser = argparse.ArgumentParser(description=(__doc__)) From 923f943a3e992fda89ea6c31ac611085ceda9783 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Mon, 17 Jul 2023 12:43:00 +0800 Subject: [PATCH 062/222] code_size_compare: introduce SimpleNamespace to store info We use SimpleNamespace class to store all the information used to measure code size of objects in library. Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 127 +++++++++++++++++++++-------------- 1 file changed, 76 insertions(+), 51 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 8cd1b2775..8f3730f24 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py 
@@ -31,6 +31,7 @@ import sys import typing from enum import Enum +from types import SimpleNamespace from mbedtls_dev import typing_util from mbedtls_dev import build_tree @@ -72,7 +73,7 @@ def detect_arch() -> str: print("Unknown host architecture, cannot auto-detect arch.") sys.exit(1) -class CodeSizeInfo: # pylint: disable=too-few-public-methods +class CodeSizeBuildInfo: # pylint: disable=too-few-public-methods """Gather information used to measure code size. It collects information about architecture, configuration in order to 
@@ -87,25 +88,23 @@ class CodeSizeInfo: # pylint: disable=too-few-public-methods "-a " + SupportedArch.ARMV8_M.value + " -c " + SupportedConfig.TFM_MEDIUM.value, ] - def __init__(self, arch: str, config: str, sys_arch: str) -> None: + def __init__(self, size_version: SimpleNamespace) -> None: """ - arch: architecture to measure code size on. - config: configuration type to measure code size with. - sys_arch: host architecture. + size_version: SimpleNamespace containing info for code size measurement. + size_version.arch: architecture to measure code size on. + size_version.config: configuration type to measure code size with. + size_version.host_arch: host architecture. """ - self.arch = arch - self.config = config - self.sys_arch = sys_arch - self.make_cmd = self.set_make_command() + self.size_version = size_version - def set_make_command(self) -> str: + def infer_make_command(self) -> str: """Infer build command based on architecture and configuration.""" - if self.config == SupportedConfig.DEFAULT.value and \ - self.arch == self.sys_arch: + if self.size_version.config == SupportedConfig.DEFAULT.value and \ + self.size_version.arch == self.size_version.host_arch: return 'make -j lib CFLAGS=\'-Os \' ' - elif self.arch == SupportedArch.ARMV8_M.value and \ - self.config == SupportedConfig.TFM_MEDIUM.value: + elif self.size_version.arch == SupportedArch.ARMV8_M.value and \ + self.size_version.config == SupportedConfig.TFM_MEDIUM.value: return \ 'make -j lib CC=armclang \ CFLAGS=\'--target=arm-arm-none-eabi -mcpu=cortex-m33 -Os \ 
@@ -113,13 +112,13 @@ class CodeSizeInfo: # pylint: disable=too-few-public-methods -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE=\\\"' + CONFIG_TFM_MEDIUM_PSA_CRYPTO_H + '\\\" \'' else: print("Unsupported combination of architecture: {} and configuration: {}" - .format(self.arch, self.config)) + .format(self.size_version.arch, self.size_version.config)) print("\nPlease use supported combination of architecture and configuration:") - for comb in CodeSizeInfo.SupportedArchConfig: + for comb in CodeSizeBuildInfo.SupportedArchConfig: print(comb) print("\nFor your system, please use:") - for comb in CodeSizeInfo.SupportedArchConfig: - if "default" in comb and self.sys_arch not in comb: + for comb in CodeSizeBuildInfo.SupportedArchConfig: + if "default" in comb and self.size_version.host_arch not in comb: continue print(comb) sys.exit(1) @@ -433,16 +432,14 @@ class CodeSizeComparison: def __init__( self, - old_revision: str, - new_revision: str, + old_size_version: SimpleNamespace, + new_size_version: SimpleNamespace, result_dir: str, - code_size_info: CodeSizeInfo ) -> None: """ old_revision: revision to compare against. new_revision: result_dir: directory for comparison result. - code_size_info: an object containing information to build library. """ self.repo_path = "." self.result_dir = os.path.abspath(result_dir) 
@@ -451,57 +448,73 @@ class CodeSizeComparison: self.csv_dir = os.path.abspath("code_size_records/") os.makedirs(self.csv_dir, exist_ok=True) - self.old_rev = old_revision - self.new_rev = new_revision + self.old_size_version = old_size_version + self.new_size_version = new_size_version + self.old_size_version.make_cmd = \ + CodeSizeBuildInfo(self.old_size_version).infer_make_command() + self.new_size_version.make_cmd = \ + CodeSizeBuildInfo(self.new_size_version).infer_make_command() self.git_command = "git" self.make_clean = 'make clean' - self.make_cmd = code_size_info.make_cmd - self.fname_suffix = "-" + code_size_info.arch + "-" +\ - code_size_info.config self.code_size_generator = CodeSizeGeneratorWithSize() - def cal_code_size(self, revision: str): + @staticmethod + def cal_code_size(size_version: SimpleNamespace): """Calculate code size of library objects in a UTF-8 encoding""" - return CodeSizeCalculator(revision, self.make_cmd).\ + return CodeSizeCalculator(size_version.revision, size_version.make_cmd).\ cal_libraries_code_size() - def gen_code_size_report(self, revision): + @staticmethod + def gen_file_name(old_size_version, new_size_version=None): + if new_size_version: + return '{}-{}-{}-{}-{}-{}.csv'\ + .format(old_size_version.revision[:7], + old_size_version.arch, old_size_version.config, + new_size_version.revision[:7], + new_size_version.arch, new_size_version.config) + else: + return '{}-{}-{}.csv'\ + .format(old_size_version.revision[:7], + old_size_version.arch, old_size_version.config) + + def gen_code_size_report(self, size_version: SimpleNamespace): """Generate code size record and write it into a file.""" - output_file = os.path.join(self.csv_dir,\ - revision + self.fname_suffix + ".csv") + output_file = os.path.join(self.csv_dir, self.gen_file_name(size_version)) # Check if the corresponding record exists - if (revision != "current") and os.path.exists(output_file): - print("Code size csv file for", revision, "already exists.") - 
self.code_size_generator.read_size_record(revision, output_file) + if (size_version.revision != "current") and os.path.exists(output_file): + print("Code size csv file for", size_version.revision, "already exists.") + self.code_size_generator.read_size_record(size_version.revision, output_file) else: - self.code_size_generator.size_generator_write_record(revision,\ - self.cal_code_size(revision), output_file) + self.code_size_generator.size_generator_write_record(\ + size_version.revision, self.cal_code_size(size_version), + output_file) def gen_code_size_comparison(self) -> int: """Generate results of code size changes between two revisions, old and new. Measured code size results of these two revisions must be available.""" - output_file = os.path.join(self.result_dir, "compare-" + - self.old_rev + "-" + self.new_rev + - self.fname_suffix + ".csv") + output_file = os.path.join(self.result_dir,\ + self.gen_file_name(self.old_size_version, self.new_size_version)) print("\nGenerating comparison results between",\ - self.old_rev, "and", self.new_rev) + self.old_size_version.revision, "and", self.new_size_version.revision) self.code_size_generator.size_generator_write_comparison(\ - self.old_rev, self.new_rev, output_file) + self.old_size_version.revision, self.new_size_version.revision,\ + output_file) return 0 def get_comparision_results(self) -> int: """Compare size of library/*.o between self.old_rev and self.new_rev, and generate the result file.""" build_tree.check_repo_path() - self.gen_code_size_report(self.old_rev) - self.gen_code_size_report(self.new_rev) + self.gen_code_size_report(self.old_size_version) + self.gen_code_size_report(self.new_size_version) return self.gen_code_size_comparison() + def main(): parser = argparse.ArgumentParser(description=(__doc__)) group_required = parser.add_argument_group( 
@@ -547,13 +560,25 @@ def main(): else: new_revision = "current" - code_size_info = CodeSizeInfo(comp_args.arch, comp_args.config, - detect_arch()) - print("Measure code size for architecture: {}, configuration: {}\n" - .format(code_size_info.arch, code_size_info.config)) - result_dir = comp_args.result_dir - size_compare = CodeSizeComparison(old_revision, new_revision, result_dir, - code_size_info) + old_size_version = SimpleNamespace( + version="old", + revision=old_revision, + config=comp_args.config, + arch=comp_args.arch, + host_arch=detect_arch(), + make_cmd='', + ) + new_size_version = SimpleNamespace( + version="new", + revision=new_revision, + config=comp_args.config, + arch=comp_args.arch, + host_arch=detect_arch(), + make_cmd='', + ) + + size_compare = CodeSizeComparison(old_size_version, new_size_version,\ + comp_args.result_dir) return_code = size_compare.get_comparision_results() sys.exit(return_code) From 802af160b44b1e5993043aa7a0d0468c8a641d01 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Mon, 17 Jul 2023 14:04:30 +0800 Subject: [PATCH 063/222] code_size_compare: support to measure code size with multiple tools For time being, code_size_compare.py only supports `size`. This commit builds up foundation to extend code size measurement with other tools. Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 68 ++++++++++++++++++++++++------------ 1 file changed, 46 insertions(+), 22 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 8f3730f24..6b2b3a9c4 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py 
@@ -88,20 +88,25 @@ class CodeSizeBuildInfo: # pylint: disable=too-few-public-methods "-a " + SupportedArch.ARMV8_M.value + " -c " + SupportedConfig.TFM_MEDIUM.value, ] - def __init__(self, size_version: SimpleNamespace) -> None: + def __init__( + self, + size_version: SimpleNamespace, + host_arch: str + ) -> None: """ size_version: SimpleNamespace containing info for code size measurement. size_version.arch: architecture to measure code size on. size_version.config: configuration type to measure code size with. - size_version.host_arch: host architecture. + host_arch: host architecture. """ self.size_version = size_version + self.host_arch = host_arch def infer_make_command(self) -> str: """Infer build command based on architecture and configuration.""" if self.size_version.config == SupportedConfig.DEFAULT.value and \ - self.size_version.arch == self.size_version.host_arch: + self.size_version.arch == self.host_arch: return 'make -j lib CFLAGS=\'-Os \' ' elif self.size_version.arch == SupportedArch.ARMV8_M.value and \ self.size_version.config == SupportedConfig.TFM_MEDIUM.value: @@ -118,7 +123,7 @@ class CodeSizeBuildInfo: # pylint: disable=too-few-public-methods print(comb) print("\nFor your system, please use:") for comb in CodeSizeBuildInfo.SupportedArchConfig: - if "default" in comb and self.size_version.host_arch not in comb: + if "default" in comb and self.host_arch not in comb: continue print(comb) sys.exit(1) @@ -133,10 +138,12 @@ class CodeSizeCalculator: self, revision: str, make_cmd: str, + measure_cmd: str ) -> None: """ revision: Git revision.(E.g: commit) - make_cmd: command to build library objects. + make_cmd: command to build objects in library. + measure_cmd: command to measure code size for objects in library. """ self.repo_path = "." self.git_command = "git" 
@@ -144,6 +151,7 @@ class CodeSizeCalculator: self.revision = revision self.make_cmd = make_cmd + self.measure_cmd = measure_cmd @staticmethod def validate_revision(revision: str) -> bytes: @@ -196,8 +204,8 @@ class CodeSizeCalculator: for mod, st_lib in MBEDTLS_STATIC_LIB.items(): try: result = subprocess.check_output( - ["size", st_lib, "-t"], cwd=git_worktree_path, - universal_newlines=True + [self.measure_cmd + ' ' + st_lib], cwd=git_worktree_path, + shell=True, universal_newlines=True ) res[mod] = result except subprocess.CalledProcessError as e: @@ -434,6 +442,7 @@ class CodeSizeComparison: self, old_size_version: SimpleNamespace, new_size_version: SimpleNamespace, + code_size_common: SimpleNamespace, result_dir: str, ) -> None: """ 
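Review bot: The new `subprocess.check_output` call in the `@@ -196,8 +204,8 @@` hunk joins `self.measure_cmd` and `st_lib` into one string and runs it with `shell=True`, where the old call passed an argument list and used no shell. Today `measure_cmd` is the constant `'size -t'` set in `main()`, but the commit message describes this as groundwork for other tools, and any later path from a command-line option or a config file into `measure_cmd` would be interpreted by the shell. The list form keeps the same flexibility without a shell and without a new import: `self.measure_cmd.split() + [st_lib], cwd=git_worktree_path, universal_newlines=True`. The enclosing function starts and ends outside this hunk.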
@@ -450,33 +459,46 @@ class CodeSizeComparison: self.old_size_version = old_size_version self.new_size_version = new_size_version + self.code_size_common = code_size_common self.old_size_version.make_cmd = \ - CodeSizeBuildInfo(self.old_size_version).infer_make_command() + CodeSizeBuildInfo(self.old_size_version,\ + self.code_size_common.host_arch).infer_make_command() self.new_size_version.make_cmd = \ - CodeSizeBuildInfo(self.new_size_version).infer_make_command() + CodeSizeBuildInfo(self.new_size_version,\ + self.code_size_common.host_arch).infer_make_command() self.git_command = "git" self.make_clean = 'make clean' - self.code_size_generator = CodeSizeGeneratorWithSize() + self.code_size_generator = self.__init_code_size_generator__(\ + self.code_size_common.measure_cmd) @staticmethod - def cal_code_size(size_version: SimpleNamespace): + def __init_code_size_generator__(measure_cmd): + if re.match(r'size', measure_cmd.strip()): + return CodeSizeGeneratorWithSize() + else: + print("Error: unsupported tool:", measure_cmd.strip().split(' ')[0]) + sys.exit(1) + + + def cal_code_size(self, size_version: SimpleNamespace): """Calculate code size of library objects in a UTF-8 encoding""" - return CodeSizeCalculator(size_version.revision, size_version.make_cmd).\ - cal_libraries_code_size() + return CodeSizeCalculator(size_version.revision, size_version.make_cmd,\ + self.code_size_common.measure_cmd).cal_libraries_code_size() - @staticmethod - def gen_file_name(old_size_version, new_size_version=None): + def gen_file_name(self, old_size_version, new_size_version=None): if new_size_version: - return '{}-{}-{}-{}-{}-{}.csv'\ + return '{}-{}-{}-{}-{}-{}-{}.csv'\ .format(old_size_version.revision[:7], old_size_version.arch, old_size_version.config, new_size_version.revision[:7], - new_size_version.arch, new_size_version.config) + new_size_version.arch, new_size_version.config, + self.code_size_common.measure_cmd.strip().split(' ')[0]) else: - return '{}-{}-{}.csv'\ + return 
'{}-{}-{}-{}.csv'\ .format(old_size_version.revision[:7], - old_size_version.arch, old_size_version.config) + old_size_version.arch, old_size_version.config, + self.code_size_common.measure_cmd.strip().split(' ')[0]) def gen_code_size_report(self, size_version: SimpleNamespace): """Generate code size record and write it into a file.""" @@ -565,7 +587,6 @@ def main(): revision=old_revision, config=comp_args.config, arch=comp_args.arch, - host_arch=detect_arch(), make_cmd='', ) new_size_version = SimpleNamespace( @@ -573,12 +594,15 @@ def main(): revision=new_revision, config=comp_args.config, arch=comp_args.arch, - host_arch=detect_arch(), make_cmd='', ) + code_size_common = SimpleNamespace( + host_arch=detect_arch(), + measure_cmd='size -t', + ) size_compare = CodeSizeComparison(old_size_version, new_size_version,\ - comp_args.result_dir) + code_size_common, comp_args.result_dir) return_code = size_compare.get_comparision_results() sys.exit(return_code) From 9b174e90d3786ba6ef3f14c822e39d2f9ad8a7f8 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Mon, 17 Jul 2023 17:59:53 +0800 Subject: [PATCH 064/222] code_size_compare: generate text,data as comparison result Previously we used dec(total) as comparison result of code size measurement. However, it's not accurate because dec(total) is the sum of text, data and bss. Now we show text,data instead since those are sections we care about in code size perspective specifically for TF-M. Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 48 +++++++++++++++++++++++++----------- 1 file changed, 34 insertions(+), 14 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 6b2b3a9c4..e679af0a5 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py 
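Review bot: `__init_code_size_generator__` accepts the tool with `re.match(r'size', measure_cmd.strip())`, which is a prefix match, so any string that merely begins with `size` selects `CodeSizeGeneratorWithSize`, and the same string is then run through a shell by `CodeSizeCalculator` in this commit. Comparing the first token exactly is stricter: `if measure_cmd.strip().split(' ')[0] == 'size':`. `gen_file_name` puts that first token into the CSV name, so a tool given as a path would add separators to the file name; `os.path.basename` on the token keeps it a plain name. The double-underscore name is in the form Python reserves for its own special methods; `_init_code_size_generator` is the usual spelling for a private helper.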
@@ -300,7 +300,7 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): def __init__(self) -> None: """ Variable code_size is used to store size info for any revisions. code_size: (data format) - {revision: {module: {file_name: SizeEntry, + {revision: {module: {file_name: [text, data, bss, dec], etc ... }, etc ... @@ -318,8 +318,9 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): size_record = {} for line in size_text.splitlines()[1:]: data = line.split() - size_record[data[5]] = CodeSizeGeneratorWithSize.SizeEntry(\ - data[0], data[1], data[2], data[3]) + # file_name: SizeEntry(text, data, bss, dec) + size_record[data[5]] = CodeSizeGeneratorWithSize.SizeEntry( + data[0], data[1], data[2], data[3]) if revision in self.code_size: self.code_size[revision].update({mod: size_record}) else: @@ -341,8 +342,8 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): continue if mod: - size_record[data[0]] = \ - CodeSizeGeneratorWithSize.SizeEntry(\ + # file_name: SizeEntry(text, data, bss, dec) + size_record[data[0]] = CodeSizeGeneratorWithSize.SizeEntry( data[1], data[2], data[3], data[4]) # check if we hit record for the end of a module 
@@ -390,24 +391,43 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): ) -> None: """Write comparison result into a file. - Writing Format: file_name current(total) old(total) change(Byte) change_pct(%) + Writing Format: file_name current(text,data) old(text,data)\ + change(text,data) change_pct%(text,data) """ - output.write("{:<30} {:>7} {:>7} {:>7} {:>7}\n" - .format("filename", "current", "old", "change", "change%")) - for mod, fname, size_entry in self._size_reader_helper(new_rev, output): - new_size = int(size_entry.total) + + def cal_size_section_variation(mod, fname, size_entry, attr): + new_size = int(size_entry.__dict__[attr]) # check if we have the file in old revision if fname in self.code_size[old_rev][mod]: - old_size = int(self.code_size[old_rev][mod][fname].total) + old_size = int(self.code_size[old_rev][mod][fname].__dict__[attr]) change = new_size - old_size if old_size != 0: change_pct = change / old_size else: change_pct = 0 - output.write("{:<30} {:>7} {:>7} {:>7} {:>7.2%}\n" - .format(fname, new_size, old_size, change, change_pct)) + return [new_size, old_size, change, change_pct] else: - output.write("{} {}\n".format(fname, new_size)) + return [new_size] + + output.write("{:<30} {:<18} {:<14} {:<17} {:<18}\n" + .format("filename", "current(text,data)", "old(text,data)",\ + "change(text,data)", "change%(text,data)")) + for mod, fname, size_entry in self._size_reader_helper(new_rev, output): + text_vari = cal_size_section_variation(mod, fname, size_entry, 'text') + data_vari = cal_size_section_variation(mod, fname, size_entry, 'data') + + if len(text_vari) != 1: + output.write("{:<30} {:<18} {:<14} {:<17} {:<18}\n" + .format(fname,\ + str(text_vari[0]) + "," + str(data_vari[0]),\ + str(text_vari[1]) + "," + str(data_vari[1]),\ + str(text_vari[2]) + "," + str(data_vari[2]),\ + "{:.2%}".format(text_vari[3]) + "," +\ + "{:.2%}".format(data_vari[3]))) + else: + output.write("{:<30} {:<18}\n" + .format(fname,\ + str(text_vari[0]) + "," + 
str(data_vari[0]))) def size_generator_write_record( self, From b664cb75695869800b24eef629175ee5d223eec0 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Tue, 18 Jul 2023 12:28:35 +0800 Subject: [PATCH 065/222] code_size_compare: add --markdown to show result in a markdown table The option --markdown supports to only show the files that have changed in a markdown table between two commits. Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 82 ++++++++++++++++++++++++------------ 1 file changed, 54 insertions(+), 28 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index e679af0a5..e42a6603b 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -274,7 +274,8 @@ class CodeSizeGenerator: self, old_rev: str, new_rev: str, - output_stream + output_stream, + with_markdown=False ) -> None: """Write a comparision result into a stream between two revisions. @@ -282,6 +283,8 @@ class CodeSizeGenerator: new_rev: new git revision to compared with. output_stream: stream which the code size record is written to. (E.g: file / sys.stdout) + with_markdown: write comparision result in a markdown table. + (Default: False) """ raise NotImplementedError @@ -359,11 +362,13 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): def _size_reader_helper( self, revision: str, - output: typing_util.Writable + output: typing_util.Writable, + with_markdown=False ) -> typing.Iterator[tuple]: """A helper function to peel code_size based on revision.""" for mod, file_size in self.code_size[revision].items(): - output.write("\n" + mod + "\n") + if not with_markdown: + output.write("\n" + mod + "\n") for fname, size_entry in file_size.items(): yield mod, fname, size_entry 
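Review bot: In the `@@ -390,24 +391,43 @@` hunk, `cal_size_section_variation` reads the section through `size_entry.__dict__[attr]`, which depends on how `SizeEntry` stores its fields; `getattr(size_entry, attr)` does the same lookup and keeps working if the class is later given `__slots__` or turned into a named tuple. When `old_size` is 0 the helper reports `change_pct = 0`, so a section that grows from nothing is shown as 0.00%; a short comment saying this is deliberate would help. A one-line docstring stating that the helper returns `[new, old, change, change_pct]`, or just `[new]` for a file absent from the old revision, would make the `len(text_vari) != 1` test below it readable. `write_comparison` begins outside this hunk.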
@@ -376,18 +381,20 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): Writing Format: file_name text data bss total(dec) """ - output.write("{:<30} {:>7} {:>7} {:>7} {:>7}\n" - .format("filename", "text", "data", "bss", "total")) + format_string = "{:<30} {:>7} {:>7} {:>7} {:>7}\n" + output.write(format_string.format("filename", + "text", "data", "bss", "total")) for _, fname, size_entry in self._size_reader_helper(revision, output): - output.write("{:<30} {:>7} {:>7} {:>7} {:>7}\n" - .format(fname, size_entry.text, size_entry.data,\ - size_entry.bss, size_entry.total)) + output.write(format_string.format(fname, + size_entry.text, size_entry.data, + size_entry.bss, size_entry.total)) def write_comparison( self, old_rev: str, new_rev: str, - output: typing_util.Writable + output: typing_util.Writable, + with_markdown: bool ) -> None: """Write comparison result into a file. 
@@ -409,25 +416,38 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): else: return [new_size] - output.write("{:<30} {:<18} {:<14} {:<17} {:<18}\n" - .format("filename", "current(text,data)", "old(text,data)",\ - "change(text,data)", "change%(text,data)")) - for mod, fname, size_entry in self._size_reader_helper(new_rev, output): - text_vari = cal_size_section_variation(mod, fname, size_entry, 'text') - data_vari = cal_size_section_variation(mod, fname, size_entry, 'data') + if with_markdown: + format_string = "| {:<30} | {:<18} | {:<14} | {:<17} | {:<18} |\n" + else: + format_string = "{:<30} {:<18} {:<14} {:<17} {:<18}\n" + + output.write(format_string.format("filename", "current(text,data)",\ + "old(text,data)", "change(text,data)", "change%(text,data)")) + if with_markdown: + output.write(format_string + .format("----:", "----:", "----:", "----:", "----:")) + + for mod, fname, size_entry in\ + self._size_reader_helper(new_rev, output, with_markdown): + text_vari = cal_size_section_variation(mod, fname, + size_entry, 'text') + data_vari = cal_size_section_variation(mod, fname, + size_entry, 'data') if len(text_vari) != 1: - output.write("{:<30} {:<18} {:<14} {:<17} {:<18}\n" - .format(fname,\ - str(text_vari[0]) + "," + str(data_vari[0]),\ - str(text_vari[1]) + "," + str(data_vari[1]),\ - str(text_vari[2]) + "," + str(data_vari[2]),\ - "{:.2%}".format(text_vari[3]) + "," +\ - "{:.2%}".format(data_vari[3]))) + # skip the files that haven't changed in code size if we write + # comparison result in a markdown table. 
+ if with_markdown and text_vari[2] == 0 and data_vari[2] == 0: + continue + output.write(format_string.format(fname,\ + str(text_vari[0]) + "," + str(data_vari[0]),\ + str(text_vari[1]) + "," + str(data_vari[1]),\ + str(text_vari[2]) + "," + str(data_vari[2]),\ + "{:.2%}".format(text_vari[3]) + "," +\ + "{:.2%}".format(data_vari[3]))) else: - output.write("{:<30} {:<18}\n" - .format(fname,\ - str(text_vari[0]) + "," + str(data_vari[0]))) + output.write("{:<30} {:<18}\n".format(fname,\ + str(text_vari[0]) + "," + str(data_vari[0]))) def size_generator_write_record( self, @@ -448,11 +468,12 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): self, old_rev: str, new_rev: str, - output_stream + output_stream, + with_markdown=False ) -> None: """Write a comparision result into a stream between two revisions.""" output = open(output_stream, "w") - self.write_comparison(old_rev, new_rev, output) + self.write_comparison(old_rev, new_rev, output, with_markdown) class CodeSizeComparison: @@ -545,7 +566,7 @@ class CodeSizeComparison: self.old_size_version.revision, "and", self.new_size_version.revision) self.code_size_generator.size_generator_write_comparison(\ self.old_size_version.revision, self.new_size_version.revision,\ - output_file) + output_file, self.code_size_common.with_markdown) return 0 def get_comparision_results(self) -> int: @@ -587,6 +608,10 @@ def main(): choices=list(map(lambda s: s.value, SupportedConfig)), help="specify configuration type for code size comparison,\ default is the current MbedTLS configuration.") + group_optional.add_argument( + '--markdown', action='store_true', dest='markdown', + help="Show comparision of code size in a markdown table\ + (only show the files that have changed).") comp_args = parser.parse_args() if os.path.isfile(comp_args.result_dir): 
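Review bot: When `with_markdown` is set, the `else:` branch for a file that exists only in the new revision still writes `"{:<30} {:<18}\n"`, a row without `|` delimiters, so it breaks the table that the rest of the `@@ -409,25 +416,38 @@` hunk emits. Reusing `format_string` with filler cells in markdown mode keeps the table valid: `output.write(format_string.format(fname, str(text_vari[0]) + "," + str(data_vari[0]), "None", "None", "None"))`. Files that exist only in the old revision are never listed, because the loop iterates `new_rev`; that may be intended, but it deserves a comment since a removed file is a size change too.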
@@ -619,6 +644,7 @@ def main(): code_size_common = SimpleNamespace( host_arch=detect_arch(), measure_cmd='size -t', + with_markdown=comp_args.markdown ) size_compare = CodeSizeComparison(old_size_version, new_size_version,\ From 227576aaa4b18bd8e7408fdac9ad9df824535fc9 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Tue, 18 Jul 2023 14:35:05 +0800 Subject: [PATCH 066/222] code_size_compare: add option --stdout to show result in sys.stdout Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 33 ++++++++++++++++++++++----------- 1 file changed, 22 insertions(+), 11 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index e42a6603b..0bd914396 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -275,7 +275,7 @@ class CodeSizeGenerator: old_rev: str, new_rev: str, output_stream, - with_markdown=False + result_options: SimpleNamespace ) -> None: """Write a comparision result into a stream between two revisions. @@ -283,8 +283,9 @@ class CodeSizeGenerator: new_rev: new git revision to compared with. output_stream: stream which the code size record is written to. (E.g: file / sys.stdout) - with_markdown: write comparision result in a markdown table. - (Default: False) + result_options: SimpleNamespace containing options for comparison result. + with_markdown: write comparision result in a markdown table. (Default: False) + stdout: direct comparison result into sys.stdout. (Default: False) """ raise NotImplementedError 
@@ -469,11 +470,14 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): old_rev: str, new_rev: str, output_stream, - with_markdown=False + result_options: SimpleNamespace ) -> None: """Write a comparision result into a stream between two revisions.""" - output = open(output_stream, "w") - self.write_comparison(old_rev, new_rev, output, with_markdown) + if result_options.stdout: + output = sys.stdout + else: + output = open(output_stream, "w") + self.write_comparison(old_rev, new_rev, output, result_options.with_markdown) class CodeSizeComparison: @@ -484,7 +488,6 @@ class CodeSizeComparison: old_size_version: SimpleNamespace, new_size_version: SimpleNamespace, code_size_common: SimpleNamespace, - result_dir: str, ) -> None: """ old_revision: revision to compare against. @@ -492,7 +495,7 @@ class CodeSizeComparison: result_dir: directory for comparison result. """ self.repo_path = "." - self.result_dir = os.path.abspath(result_dir) + self.result_dir = os.path.abspath(code_size_common.result_options.result_dir) os.makedirs(self.result_dir, exist_ok=True) self.csv_dir = os.path.abspath("code_size_records/") @@ -566,7 +569,7 @@ class CodeSizeComparison: self.old_size_version.revision, "and", self.new_size_version.revision) self.code_size_generator.size_generator_write_comparison(\ self.old_size_version.revision, self.new_size_version.revision,\ - output_file, self.code_size_common.with_markdown) + output_file, self.code_size_common.result_options) return 0 def get_comparision_results(self) -> int: @@ -612,6 +615,10 @@ def main(): '--markdown', action='store_true', dest='markdown', help="Show comparision of code size in a markdown table\ (only show the files that have changed).") + group_optional.add_argument( + '--stdout', action='store_true', dest='stdout', + help="Set this option to direct comparison result into sys.stdout.\ + (Default: file)") comp_args = parser.parse_args() if os.path.isfile(comp_args.result_dir): 
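Review bot: The `else:` branch of `size_generator_write_comparison` opens the result file with `open(output_stream, "w")` and never closes it, so the data is flushed only when the object is collected or the interpreter exits. A `with` block scoped to the file branch closes it deterministically while leaving `sys.stdout` open. With `--stdout`, `gen_code_size_comparison` still computes `output_file` and the constructor still creates `result_dir`, both of which could be skipped. The method's signature starts outside this hunk.

```python
        if result_options.stdout:
            self.write_comparison(old_rev, new_rev, sys.stdout,
                                  result_options.with_markdown)
        else:
            with open(output_stream, "w") as output:
                self.write_comparison(old_rev, new_rev, output,
                                      result_options.with_markdown)
```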
@@ -642,13 +649,17 @@ def main(): make_cmd='', ) code_size_common = SimpleNamespace( + result_options=SimpleNamespace( + result_dir=comp_args.result_dir, + with_markdown=comp_args.markdown, + stdout=comp_args.stdout, + ), host_arch=detect_arch(), measure_cmd='size -t', - with_markdown=comp_args.markdown ) size_compare = CodeSizeComparison(old_size_version, new_size_version,\ - code_size_common, comp_args.result_dir) + code_size_common) return_code = size_compare.get_comparision_results() sys.exit(return_code) From 8dc913899db0179916d06a0602824ecf36370d32 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Mon, 24 Jul 2023 10:44:00 +0100 Subject: [PATCH 067/222] Fix server1.crt.der in makefile Signed-off-by: Agathiyan Bragadeesh --- tests/data_files/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index eff44d8ac..f21ad561c 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -1449,7 +1449,7 @@ server1.der: server1.crt $(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@ server1.commas.crt: server1.key parse_input/server1.req.commas.sha256 $(test_ca_crt) $(test_ca_key_file_rsa) $(MBEDTLS_CERT_WRITE) request_file=parse_input/server1.req.commas.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20190210144406 not_after=20290210144406 md=SHA1 version=3 output_file=$@ -all_final += server1.crt server1.noauthid.crt server1.crt.der server1.commas.crt +all_final += server1.crt server1.noauthid.crt parse_input/server1.crt.der server1.commas.crt parse_input/server1.key_usage.crt: parse_input/server1.req.sha256 server1.key_usage.crt: server1.req.sha256 From 21127f709546fe5d08d6f683e5ebc21a3a214510 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Wed, 19 Jul 2023 12:09:45 +0800 Subject: [PATCH 068/222] code_size_compare: add logging module and tweak prompt message 
Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 164 +++++++++++++++++--------- scripts/mbedtls_dev/logging_util.py | 55 +++++++++ tests/scripts/audit-validity-dates.py | 36 +----- 3 files changed, 163 insertions(+), 92 deletions(-) create mode 100644 scripts/mbedtls_dev/logging_util.py diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 0bd914396..dc41d262d 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -24,6 +24,7 @@ Note: must be run from Mbed TLS root. # limitations under the License. import argparse +import logging import os import re import subprocess @@ -32,8 +33,9 @@ import typing from enum import Enum from types import SimpleNamespace -from mbedtls_dev import typing_util from mbedtls_dev import build_tree +from mbedtls_dev import logging_util +from mbedtls_dev import typing_util class SupportedArch(Enum): """Supported architecture for code size measurement.""" @@ -91,7 +93,8 @@ class CodeSizeBuildInfo: # pylint: disable=too-few-public-methods def __init__( self, size_version: SimpleNamespace, - host_arch: str + host_arch: str, + logger: logging.Logger, ) -> None: """ size_version: SimpleNamespace containing info for code size measurement. @@ -101,6 +104,7 @@ class CodeSizeBuildInfo: # pylint: disable=too-few-public-methods """ self.size_version = size_version self.host_arch = host_arch + self.logger = logger def infer_make_command(self) -> str: """Infer build command based on architecture and configuration.""" 
@@ -116,16 +120,20 @@ class CodeSizeBuildInfo: # pylint: disable=too-few-public-methods -DMBEDTLS_CONFIG_FILE=\\\"' + CONFIG_TFM_MEDIUM_MBEDCRYPTO_H + '\\\" \ -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE=\\\"' + CONFIG_TFM_MEDIUM_PSA_CRYPTO_H + '\\\" \'' else: - print("Unsupported combination of architecture: {} and configuration: {}" - .format(self.size_version.arch, self.size_version.config)) - print("\nPlease use supported combination of architecture and configuration:") + self.logger.error("Unsupported combination of architecture: {} " \ + "and configuration: {}.\n" + .format(self.size_version.arch, + self.size_version.config)) + self.logger.info("Please use supported combination of " \ + "architecture and configuration:") for comb in CodeSizeBuildInfo.SupportedArchConfig: - print(comb) - print("\nFor your system, please use:") + self.logger.info(comb) + self.logger.info("") + self.logger.info("For your system, please use:") for comb in CodeSizeBuildInfo.SupportedArchConfig: if "default" in comb and self.host_arch not in comb: continue - print(comb) + self.logger.info(comb) sys.exit(1) @@ -138,7 +146,8 @@ class CodeSizeCalculator: self, revision: str, make_cmd: str, - measure_cmd: str + measure_cmd: str, + logger: logging.Logger, ) -> None: """ revision: Git revision.(E.g: commit) @@ -152,6 +161,7 @@ class CodeSizeCalculator: self.revision = revision self.make_cmd = make_cmd self.measure_cmd = measure_cmd + self.logger = logger @staticmethod def validate_revision(revision: str) -> bytes: 
@@ -159,19 +169,21 @@ class CodeSizeCalculator: revision + "^{commit}"], shell=False) return result - def _create_git_worktree(self, revision: str) -> str: + def _create_git_worktree(self) -> str: """Make a separate worktree for revision. Do not modify the current worktree.""" - if revision == "current": - print("Using current work directory") + if self.revision == "current": + self.logger.debug("Using current work directory.") git_worktree_path = self.repo_path else: - print("Creating git worktree for", revision) - git_worktree_path = os.path.join(self.repo_path, "temp-" + revision) + self.logger.debug("Creating git worktree for {}." + .format(self.revision)) + git_worktree_path = os.path.join(self.repo_path, + "temp-" + self.revision) subprocess.check_output( [self.git_command, "worktree", "add", "--detach", - git_worktree_path, revision], cwd=self.repo_path, + git_worktree_path, self.revision], cwd=self.repo_path, stderr=subprocess.STDOUT ) @@ -180,6 +192,8 @@ class CodeSizeCalculator: def _build_libraries(self, git_worktree_path: str) -> None: """Build libraries in the specified worktree.""" + self.logger.debug("Building objects of library for {}." + .format(self.revision)) my_environment = os.environ.copy() try: subprocess.check_output( @@ -193,12 +207,12 @@ class CodeSizeCalculator: except subprocess.CalledProcessError as e: self._handle_called_process_error(e, git_worktree_path) - def _gen_raw_code_size(self, revision, git_worktree_path): + def _gen_raw_code_size(self, git_worktree_path: str) -> typing.Dict: """Calculate code size with measurement tool in UTF-8 encoding.""" - if revision == "current": - print("Measuring code size in current work directory") - else: - print("Measuring code size for", revision) + + self.logger.debug("Measuring code size for {} by `{}`." + .format(self.revision, + self.measure_cmd.strip().split(' ')[0])) res = {} for mod, st_lib in MBEDTLS_STATIC_LIB.items(): 
@@ -216,7 +230,8 @@ class CodeSizeCalculator: def _remove_worktree(self, git_worktree_path: str) -> None: """Remove temporary worktree.""" if git_worktree_path != self.repo_path: - print("Removing temporary worktree", git_worktree_path) + self.logger.debug("Removing temporary worktree {}." + .format(git_worktree_path)) subprocess.check_output( [self.git_command, "worktree", "remove", "--force", git_worktree_path], cwd=self.repo_path, @@ -229,9 +244,8 @@ class CodeSizeCalculator: Remove any extra worktrees so that the script may be called again.""" # Tell the user what went wrong - print("The following command: {} failed and exited with code {}" - .format(e.cmd, e.returncode)) - print("Process output:\n {}".format(str(e.output, "utf-8"))) + self.logger.error(e, exc_info=True) + self.logger.error("Process output:\n {}".format(str(e.output, "utf-8"))) # Quit gracefully by removing the existing worktree self._remove_worktree(git_worktree_path) @@ -240,10 +254,9 @@ class CodeSizeCalculator: def cal_libraries_code_size(self) -> typing.Dict: """Calculate code size of libraries by measurement tool.""" - revision = self.revision - git_worktree_path = self._create_git_worktree(revision) + git_worktree_path = self._create_git_worktree() self._build_libraries(git_worktree_path) - res = self._gen_raw_code_size(revision, git_worktree_path) + res = self._gen_raw_code_size(git_worktree_path) self._remove_worktree(git_worktree_path) return res @@ -256,6 +269,9 @@ class CodeSizeGenerator: size_generator_write_record and size_generator_write_comparison methods, then call both of them with proper arguments. """ + def __init__(self, logger: logging.Logger) -> None: + self.logger = logger + def size_generator_write_record( self, revision: str, 
@@ -301,7 +317,7 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): self.bss = bss self.total = dec # total <=> dec - def __init__(self) -> None: + def __init__(self, logger: logging.Logger) -> None: """ Variable code_size is used to store size info for any revisions. code_size: (data format) {revision: {module: {file_name: [text, data, bss, dec], @@ -312,6 +328,7 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): etc ... } """ + super().__init__(logger) self.code_size = {} #type: typing.Dict[str, typing.Dict] def set_size_record(self, revision: str, mod: str, size_text: str) -> None: @@ -458,10 +475,11 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): ) -> None: """Write size record into a specified file based on Git revision and output from `size` tool.""" + self.logger.debug("Generating code size csv for {}.".format(revision)) + for mod, size_text in code_size_text.items(): self.set_size_record(revision, mod, size_text) - print("Generating code size csv for", revision) output = open(output_file, "w") self.write_size_record(revision, output) @@ -473,6 +491,9 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): result_options: SimpleNamespace ) -> None: """Write a comparision result into a stream between two revisions.""" + self.logger.debug("Generating comparison results between {} and {}." + .format(old_rev, new_rev)) + if result_options.stdout: output = sys.stdout else: @@ -488,6 +509,7 @@ class CodeSizeComparison: old_size_version: SimpleNamespace, new_size_version: SimpleNamespace, code_size_common: SimpleNamespace, + logger: logging.Logger, ) -> None: """ old_revision: revision to compare against. 
@@ -501,36 +523,40 @@ class CodeSizeComparison: self.csv_dir = os.path.abspath("code_size_records/") os.makedirs(self.csv_dir, exist_ok=True) + self.logger = logger + self.old_size_version = old_size_version self.new_size_version = new_size_version self.code_size_common = code_size_common - self.old_size_version.make_cmd = \ - CodeSizeBuildInfo(self.old_size_version,\ - self.code_size_common.host_arch).infer_make_command() - self.new_size_version.make_cmd = \ - CodeSizeBuildInfo(self.new_size_version,\ - self.code_size_common.host_arch).infer_make_command() + self.old_size_version.make_cmd = CodeSizeBuildInfo( + self.old_size_version, self.code_size_common.host_arch, + self.logger).infer_make_command() + self.new_size_version.make_cmd = CodeSizeBuildInfo( + self.new_size_version, self.code_size_common.host_arch, + self.logger).infer_make_command() self.git_command = "git" self.make_clean = 'make clean' - self.code_size_generator = self.__init_code_size_generator__(\ - self.code_size_common.measure_cmd) + self.code_size_generator = self.__generate_size_parser() - @staticmethod - def __init_code_size_generator__(measure_cmd): - if re.match(r'size', measure_cmd.strip()): - return CodeSizeGeneratorWithSize() + def __generate_size_parser(self): + if re.match(r'size', self.code_size_common.measure_cmd.strip()): + return CodeSizeGeneratorWithSize(self.logger) else: - print("Error: unsupported tool:", measure_cmd.strip().split(' ')[0]) + self.logger.error("Unsupported measurement tool: `{}`." 
+ .format(self.code_size_common.measure_cmd + .strip().split(' ')[0])) sys.exit(1) def cal_code_size(self, size_version: SimpleNamespace): """Calculate code size of library objects in a UTF-8 encoding""" - return CodeSizeCalculator(size_version.revision, size_version.make_cmd,\ - self.code_size_common.measure_cmd).cal_libraries_code_size() + return CodeSizeCalculator(size_version.revision, size_version.make_cmd, + self.code_size_common.measure_cmd, + self.logger).cal_libraries_code_size() def gen_file_name(self, old_size_version, new_size_version=None): + """Generate a literal string as csv file name.""" if new_size_version: return '{}-{}-{}-{}-{}-{}-{}.csv'\ .format(old_size_version.revision[:7], @@ -547,11 +573,17 @@ class CodeSizeComparison: def gen_code_size_report(self, size_version: SimpleNamespace): """Generate code size record and write it into a file.""" - output_file = os.path.join(self.csv_dir, self.gen_file_name(size_version)) + self.logger.info("Start to generate code size record for {}." + .format(size_version.revision)) + output_file = os.path.join(self.csv_dir, + self.gen_file_name(size_version)) # Check if the corresponding record exists - if (size_version.revision != "current") and os.path.exists(output_file): - print("Code size csv file for", size_version.revision, "already exists.") - self.code_size_generator.read_size_record(size_version.revision, output_file) + if size_version.revision != "current" and \ + os.path.exists(output_file): + self.logger.debug("Code size csv file for {} already exists." + .format(size_version.revision)) + self.code_size_generator.read_size_record( + size_version.revision, output_file) else: self.code_size_generator.size_generator_write_record(\ size_version.revision, self.cal_code_size(size_version), 
@@ -562,14 +594,18 @@ class CodeSizeComparison: old and new. Measured code size results of these two revisions must be available.""" - output_file = os.path.join(self.result_dir,\ - self.gen_file_name(self.old_size_version, self.new_size_version)) + self.logger.info("Start to generate comparision result between "\ + "{} and {}." + .format(self.old_size_version.revision, + self.new_size_version.revision)) + output_file = os.path.join( + self.result_dir, + self.gen_file_name(self.old_size_version, self.new_size_version)) + + self.code_size_generator.size_generator_write_comparison( + self.old_size_version.revision, self.new_size_version.revision, + output_file, self.code_size_common.result_options) - print("\nGenerating comparison results between",\ - self.old_size_version.revision, "and", self.new_size_version.revision) - self.code_size_generator.size_generator_write_comparison(\ - self.old_size_version.revision, self.new_size_version.revision,\ - output_file, self.code_size_common.result_options) return 0 def get_comparision_results(self) -> int: @@ -619,10 +655,17 @@ def main(): '--stdout', action='store_true', dest='stdout', help="Set this option to direct comparison result into sys.stdout.\ (Default: file)") + group_optional.add_argument( + '--verbose', action='store_true', dest='verbose', + help="Show logs in detail for code size measurement. (Default: False)") comp_args = parser.parse_args() + logger = logging.getLogger() + logging_util.configure_logger(logger) + logger.setLevel(logging.DEBUG if comp_args.verbose else logging.INFO) + if os.path.isfile(comp_args.result_dir): - print("Error: {} is not a directory".format(comp_args.result_dir)) + logger.error("{} is not a directory".format(comp_args.result_dir)) parser.exit() validate_res = CodeSizeCalculator.validate_revision(comp_args.old_rev) 
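Review bot: The `result_dir` check in `main()` now logs an error but still leaves through `parser.exit()`, whose default status is 0, so a calling script or CI step sees success when `result_dir` is an existing file. Pass a failing status, for example `parser.exit(status=1)`. Separately, `logging_util.configure_logger` sends INFO and below to stdout, so with `--stdout` the log lines and the comparison table share one stream; the `--stdout` help text should say so, or the logs could go to stderr in that mode. `main()` starts and ends outside the hunk.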
@@ -658,11 +701,16 @@ def main(): measure_cmd='size -t', ) + logger.info("Measure code size between {}:{}-{} and {}:{}-{} by `{}`." + .format(old_size_version.revision, old_size_version.config, + old_size_version.arch, + new_size_version.revision, old_size_version.config, + new_size_version.arch, + code_size_common.measure_cmd.strip().split(' ')[0])) size_compare = CodeSizeComparison(old_size_version, new_size_version,\ - code_size_common) + code_size_common, logger) return_code = size_compare.get_comparision_results() sys.exit(return_code) - if __name__ == "__main__": main() diff --git a/scripts/mbedtls_dev/logging_util.py b/scripts/mbedtls_dev/logging_util.py new file mode 100644 index 000000000..962361a49 --- /dev/null +++ b/scripts/mbedtls_dev/logging_util.py 
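Review bot: The new `logger.info` summary in `main()` formats the new side with `old_size_version.config` (`new_size_version.revision, old_size_version.config, new_size_version.arch`), which looks like a copy-paste slip. Both namespaces are built from `comp_args.config` today, so the printed text is the same, but the message will misreport as soon as the two sides can carry different configurations. Use `new_size_version.config` in that position. `main()` starts outside the hunk.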
@@ -0,0 +1,55 @@ +"""Auxiliary functions used for logging module. +""" + +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import logging +import sys + +def configure_logger( + logger: logging.Logger, + logger_format="[%(levelname)s]: %(message)s" + ) -> None: + """ + Configure the logging.Logger instance so that: + - Format is set to any logger_format. + Default: "[%(levelname)s]: %(message)s" + - loglevel >= WARNING are printed to stderr. + - loglevel < WARNING are printed to stdout. + """ + class MaxLevelFilter(logging.Filter): + # pylint: disable=too-few-public-methods + def __init__(self, max_level, name=''): + super().__init__(name) + self.max_level = max_level + + def filter(self, record: logging.LogRecord) -> bool: + return record.levelno <= self.max_level + + log_formatter = logging.Formatter(logger_format) + + # set loglevel >= WARNING to be printed to stderr + stderr_hdlr = logging.StreamHandler(sys.stderr) + stderr_hdlr.setLevel(logging.WARNING) + stderr_hdlr.setFormatter(log_formatter) + + # set loglevel <= INFO to be printed to stdout + stdout_hdlr = logging.StreamHandler(sys.stdout) + stdout_hdlr.addFilter(MaxLevelFilter(logging.INFO)) + stdout_hdlr.setFormatter(log_formatter) + + logger.addHandler(stderr_hdlr) + logger.addHandler(stdout_hdlr) diff --git a/tests/scripts/audit-validity-dates.py b/tests/scripts/audit-validity-dates.py index 5506e40e7..623fd2352 100755 
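Review bot: In `configure_logger` the stdout handler is filtered with `MaxLevelFilter(logging.INFO)` (`record.levelno <= self.max_level`) while the stderr handler starts at `logging.WARNING`, so a record at a custom level between the two is emitted by neither handler, although the docstring promises "loglevel < WARNING are printed to stdout". Either compare with `record.levelno < self.max_level` and construct the filter with `logging.WARNING`, or reword the docstring to "loglevel <= INFO". The two `logger.addHandler(...)` calls are also unconditional, so a second call on the same logger (both callers pass the root logger) duplicates every line; a sentence in the docstring such as `Call once per logger: handlers are appended on every call.` would make that contract explicit. `MaxLevelFilter` and its `filter` method have no docstring.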
--- a/tests/scripts/audit-validity-dates.py +++ b/tests/scripts/audit-validity-dates.py @@ -24,7 +24,6 @@ from tests/data_files/ and tests/suites/*.data files by default. """ import os -import sys import re import typing import argparse @@ -43,6 +42,7 @@ from generate_test_code import FileWrapper import scripts_path # pylint: disable=unused-import from mbedtls_dev import build_tree +from mbedtls_dev import logging_util def check_cryptography_version(): match = re.match(r'^[0-9]+', cryptography.__version__) @@ -393,38 +393,6 @@ def list_all(audit_data: AuditData): loc)) -def configure_logger(logger: logging.Logger) -> None: - """ - Configure the logging.Logger instance so that: - - Format is set to "[%(levelname)s]: %(message)s". - - loglevel >= WARNING are printed to stderr. - - loglevel < WARNING are printed to stdout. - """ - class MaxLevelFilter(logging.Filter): - # pylint: disable=too-few-public-methods - def __init__(self, max_level, name=''): - super().__init__(name) - self.max_level = max_level - - def filter(self, record: logging.LogRecord) -> bool: - return record.levelno <= self.max_level - - log_formatter = logging.Formatter("[%(levelname)s]: %(message)s") - - # set loglevel >= WARNING to be printed to stderr - stderr_hdlr = logging.StreamHandler(sys.stderr) - stderr_hdlr.setLevel(logging.WARNING) - stderr_hdlr.setFormatter(log_formatter) - - # set loglevel <= INFO to be printed to stdout - stdout_hdlr = logging.StreamHandler(sys.stdout) - stdout_hdlr.addFilter(MaxLevelFilter(logging.INFO)) - stdout_hdlr.setFormatter(log_formatter) - - logger.addHandler(stderr_hdlr) - logger.addHandler(stdout_hdlr) - - def main(): """ Perform argument parsing. @@ -457,7 +425,7 @@ def main(): # start main routine # setup logger logger = logging.getLogger() - configure_logger(logger) + logging_util.configure_logger(logger) logger.setLevel(logging.DEBUG if args.verbose else logging.ERROR) td_auditor = TestDataAuditor(logger) 
From 386c2f9e93745d8fb06b894f2c96533f519e29ab Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Thu, 20 Jul 2023 15:32:15 +0800 Subject: [PATCH 069/222] code_size_compare: clean up code to make it more readable Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 158 +++++++++++++++++++---------------- 1 file changed, 86 insertions(+), 72 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index dc41d262d..01d7b165c 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -45,8 +45,8 @@ class SupportedArch(Enum): X86_64 = 'x86_64' X86 = 'x86' -CONFIG_TFM_MEDIUM_MBEDCRYPTO_H = "../configs/tfm_mbedcrypto_config_profile_medium.h" -CONFIG_TFM_MEDIUM_PSA_CRYPTO_H = "../configs/crypto_config_profile_medium.h" +CONFIG_TFM_MEDIUM_MBEDCRYPTO_H = '../configs/tfm_mbedcrypto_config_profile_medium.h' +CONFIG_TFM_MEDIUM_PSA_CRYPTO_H = '../configs/crypto_config_profile_medium.h' class SupportedConfig(Enum): """Supported configuration for code size measurement.""" DEFAULT = 'default' @@ -63,13 +63,13 @@ DETECT_ARCH_CMD = "cc -dM -E - < /dev/null" def detect_arch() -> str: """Auto-detect host architecture.""" cc_output = subprocess.check_output(DETECT_ARCH_CMD, shell=True).decode() - if "__aarch64__" in cc_output: + if '__aarch64__' in cc_output: return SupportedArch.AARCH64.value - if "__arm__" in cc_output: + if '__arm__' in cc_output: return SupportedArch.AARCH32.value - if "__x86_64__" in cc_output: + if '__x86_64__' in cc_output: return SupportedArch.X86_64.value - if "__x86__" in cc_output: + if '__x86__' in cc_output: return SupportedArch.X86.value else: print("Unknown host architecture, cannot auto-detect arch.") 
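Review bot: The last test in `detect_arch()` looks for `'__x86__'` in the output of `cc -dM -E`, but as far as I know GCC and Clang predefine `__i386__` for 32-bit x86 and not `__x86__`, so that branch likely never matches and a 32-bit x86 host would fall through to "Unknown host architecture". This commit only changes the quoting of that line; if the macro name is indeed wrong the fix is `if '__i386__' in cc_output:`. The fallback still uses `print` while the rest of the script has moved to the logger in this series. The function continues past the end of the hunk.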
@@ -83,11 +83,11 @@ class CodeSizeBuildInfo: # pylint: disable=too-few-public-methods """ SupportedArchConfig = [ - "-a " + SupportedArch.AARCH64.value + " -c " + SupportedConfig.DEFAULT.value, - "-a " + SupportedArch.AARCH32.value + " -c " + SupportedConfig.DEFAULT.value, - "-a " + SupportedArch.X86_64.value + " -c " + SupportedConfig.DEFAULT.value, - "-a " + SupportedArch.X86.value + " -c " + SupportedConfig.DEFAULT.value, - "-a " + SupportedArch.ARMV8_M.value + " -c " + SupportedConfig.TFM_MEDIUM.value, + '-a ' + SupportedArch.AARCH64.value + ' -c ' + SupportedConfig.DEFAULT.value, + '-a ' + SupportedArch.AARCH32.value + ' -c ' + SupportedConfig.DEFAULT.value, + '-a ' + SupportedArch.X86_64.value + ' -c ' + SupportedConfig.DEFAULT.value, + '-a ' + SupportedArch.X86.value + ' -c ' + SupportedConfig.DEFAULT.value, + '-a ' + SupportedArch.ARMV8_M.value + ' -c ' + SupportedConfig.TFM_MEDIUM.value, ] def __init__( @@ -107,11 +107,13 @@ class CodeSizeBuildInfo: # pylint: disable=too-few-public-methods self.logger = logger def infer_make_command(self) -> str: - """Infer build command based on architecture and configuration.""" + """Infer make command based on architecture and configuration.""" + # make command by default if self.size_version.config == SupportedConfig.DEFAULT.value and \ - self.size_version.arch == self.host_arch: + self.size_version.arch == self.host_arch: return 'make -j lib CFLAGS=\'-Os \' ' + # make command for TF-M elif self.size_version.arch == SupportedArch.ARMV8_M.value and \ self.size_version.config == SupportedConfig.TFM_MEDIUM.value: return \ 
@@ -119,6 +121,7 @@ class CodeSizeBuildInfo: # pylint: disable=too-few-public-methods CFLAGS=\'--target=arm-arm-none-eabi -mcpu=cortex-m33 -Os \ -DMBEDTLS_CONFIG_FILE=\\\"' + CONFIG_TFM_MEDIUM_MBEDCRYPTO_H + '\\\" \ -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE=\\\"' + CONFIG_TFM_MEDIUM_PSA_CRYPTO_H + '\\\" \'' + # unsupported combinations else: self.logger.error("Unsupported combination of architecture: {} " \ "and configuration: {}.\n" @@ -164,10 +167,11 @@ class CodeSizeCalculator: self.logger = logger @staticmethod - def validate_revision(revision: str) -> bytes: + def validate_revision(revision: str) -> str: result = subprocess.check_output(["git", "rev-parse", "--verify", - revision + "^{commit}"], shell=False) - return result + revision + "^{commit}"], shell=False, + universal_newlines=True) + return result[:7] def _create_git_worktree(self) -> str: """Make a separate worktree for revision. @@ -199,15 +203,17 @@ class CodeSizeCalculator: subprocess.check_output( self.make_clean, env=my_environment, shell=True, cwd=git_worktree_path, stderr=subprocess.STDOUT, + universal_newlines=True ) subprocess.check_output( self.make_cmd, env=my_environment, shell=True, cwd=git_worktree_path, stderr=subprocess.STDOUT, + universal_newlines=True ) except subprocess.CalledProcessError as e: self._handle_called_process_error(e, git_worktree_path) - def _gen_raw_code_size(self, git_worktree_path: str) -> typing.Dict: + def _gen_raw_code_size(self, git_worktree_path: str) -> typing.Dict[str, str]: """Calculate code size with measurement tool in UTF-8 encoding.""" self.logger.debug("Measuring code size for {} by `{}`." 
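Review bot: `validate_revision` now returns `result[:7]`, so the full object name that `git rev-parse --verify` has just confirmed is replaced by a fixed seven-character prefix. Judging by the other hunks, that value is then handed to `git worktree add` and used in the names of the cached CSV records, where a seven-character prefix can be ambiguous in a repository with many objects and two different commits could map to the same record file. Keeping the full hash for git operations and shortening only in `gen_file_name`, or letting git choose a unique abbreviation with `["git", "rev-parse", "--short", revision + "^{commit}"]` followed by `.strip()`, avoids both. The method also has no docstring, and the changed return value (abbreviated `str` instead of raw `bytes`) should be documented there.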
@@ -245,13 +251,13 @@ class CodeSizeCalculator: # Tell the user what went wrong self.logger.error(e, exc_info=True) - self.logger.error("Process output:\n {}".format(str(e.output, "utf-8"))) + self.logger.error("Process output:\n {}".format(e.output)) # Quit gracefully by removing the existing worktree self._remove_worktree(git_worktree_path) sys.exit(-1) - def cal_libraries_code_size(self) -> typing.Dict: + def cal_libraries_code_size(self) -> typing.Dict[str, str]: """Calculate code size of libraries by measurement tool.""" git_worktree_path = self._create_git_worktree() @@ -290,7 +296,7 @@ class CodeSizeGenerator: self, old_rev: str, new_rev: str, - output_stream, + output_stream: str, result_options: SimpleNamespace ) -> None: """Write a comparision result into a stream between two revisions. @@ -331,7 +337,7 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): super().__init__(logger) self.code_size = {} #type: typing.Dict[str, typing.Dict] - def set_size_record(self, revision: str, mod: str, size_text: str) -> None: + def _set_size_record(self, revision: str, mod: str, size_text: str) -> None: """Store size information for target revision and high-level module. size_text Format: text data bss dec hex filename @@ -390,7 +396,7 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): for fname, size_entry in file_size.items(): yield mod, fname, size_entry - def write_size_record( + def _write_size_record( self, revision: str, output: typing_util.Writable @@ -407,7 +413,7 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): size_entry.text, size_entry.data, size_entry.bss, size_entry.total)) - def write_comparison( + def _write_comparison( self, old_rev: str, new_rev: str, 
@@ -439,13 +445,15 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): else: format_string = "{:<30} {:<18} {:<14} {:<17} {:<18}\n" - output.write(format_string.format("filename", "current(text,data)",\ - "old(text,data)", "change(text,data)", "change%(text,data)")) + output.write(format_string + .format("filename", + "current(text,data)", "old(text,data)", + "change(text,data)", "change%(text,data)")) if with_markdown: output.write(format_string .format("----:", "----:", "----:", "----:", "----:")) - for mod, fname, size_entry in\ + for mod, fname, size_entry in \ self._size_reader_helper(new_rev, output, with_markdown): text_vari = cal_size_section_variation(mod, fname, size_entry, 'text') @@ -457,15 +465,18 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): # comparison result in a markdown table. if with_markdown and text_vari[2] == 0 and data_vari[2] == 0: continue - output.write(format_string.format(fname,\ - str(text_vari[0]) + "," + str(data_vari[0]),\ - str(text_vari[1]) + "," + str(data_vari[1]),\ - str(text_vari[2]) + "," + str(data_vari[2]),\ - "{:.2%}".format(text_vari[3]) + "," +\ - "{:.2%}".format(data_vari[3]))) + output.write( + format_string + .format(fname, + str(text_vari[0]) + "," + str(data_vari[0]), + str(text_vari[1]) + "," + str(data_vari[1]), + str(text_vari[2]) + "," + str(data_vari[2]), + "{:.2%}".format(text_vari[3]) + "," + + "{:.2%}".format(data_vari[3]))) else: - output.write("{:<30} {:<18}\n".format(fname,\ - str(text_vari[0]) + "," + str(data_vari[0]))) + output.write("{:<30} {:<18}\n" + .format(fname, + str(text_vari[0]) + "," + str(data_vari[0]))) def size_generator_write_record( self, 
@@ -478,16 +489,16 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): self.logger.debug("Generating code size csv for {}.".format(revision)) for mod, size_text in code_size_text.items(): - self.set_size_record(revision, mod, size_text) + self._set_size_record(revision, mod, size_text) output = open(output_file, "w") - self.write_size_record(revision, output) + self._write_size_record(revision, output) def size_generator_write_comparison( self, old_rev: str, new_rev: str, - output_stream, + output_stream: str, result_options: SimpleNamespace ) -> None: """Write a comparision result into a stream between two revisions.""" @@ -498,7 +509,8 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): output = sys.stdout else: output = open(output_stream, "w") - self.write_comparison(old_rev, new_rev, output, result_options.with_markdown) + self._write_comparison(old_rev, new_rev, output, + result_options.with_markdown) class CodeSizeComparison: @@ -516,8 +528,8 @@ class CodeSizeComparison: new_revision: result_dir: directory for comparison result. """ - self.repo_path = "." - self.result_dir = os.path.abspath(code_size_common.result_options.result_dir) + self.result_dir = os.path.abspath( + code_size_common.result_options.result_dir) os.makedirs(self.result_dir, exist_ok=True) self.csv_dir = os.path.abspath("code_size_records/") 
@@ -528,14 +540,14 @@ class CodeSizeComparison: self.old_size_version = old_size_version self.new_size_version = new_size_version self.code_size_common = code_size_common + # infer make command self.old_size_version.make_cmd = CodeSizeBuildInfo( self.old_size_version, self.code_size_common.host_arch, self.logger).infer_make_command() self.new_size_version.make_cmd = CodeSizeBuildInfo( self.new_size_version, self.code_size_common.host_arch, self.logger).infer_make_command() - self.git_command = "git" - self.make_clean = 'make clean' + # initialize size parser with corresponding measurement tool self.code_size_generator = self.__generate_size_parser() def __generate_size_parser(self): 
@@ -548,29 +560,38 @@ class CodeSizeComparison: sys.exit(1) - def cal_code_size(self, size_version: SimpleNamespace): + def cal_code_size( + self, + size_version: SimpleNamespace + ) -> typing.Dict[str, str]: """Calculate code size of library objects in a UTF-8 encoding""" return CodeSizeCalculator(size_version.revision, size_version.make_cmd, self.code_size_common.measure_cmd, self.logger).cal_libraries_code_size() - def gen_file_name(self, old_size_version, new_size_version=None): + def gen_file_name( + self, + old_size_version: SimpleNamespace, + new_size_version=None + ) -> str: """Generate a literal string as csv file name.""" if new_size_version: return '{}-{}-{}-{}-{}-{}-{}.csv'\ - .format(old_size_version.revision[:7], - old_size_version.arch, old_size_version.config, - new_size_version.revision[:7], - new_size_version.arch, new_size_version.config, - self.code_size_common.measure_cmd.strip().split(' ')[0]) + .format(old_size_version.revision, old_size_version.arch, + old_size_version.config, + new_size_version.revision, new_size_version.arch, + new_size_version.config, + self.code_size_common.measure_cmd.strip()\ + .split(' ')[0]) else: return '{}-{}-{}-{}.csv'\ - .format(old_size_version.revision[:7], - old_size_version.arch, old_size_version.config, - self.code_size_common.measure_cmd.strip().split(' ')[0]) + .format(old_size_version.revision, old_size_version.arch, + old_size_version.config, + self.code_size_common.measure_cmd.strip()\ + .split(' ')[0]) - def gen_code_size_report(self, size_version: SimpleNamespace): + def gen_code_size_report(self, size_version: SimpleNamespace) -> None: """Generate code size record and write it into a file.""" self.logger.info("Start to generate code size record for {}." 
@@ -585,11 +606,11 @@ class CodeSizeComparison: self.code_size_generator.read_size_record( size_version.revision, output_file) else: - self.code_size_generator.size_generator_write_record(\ - size_version.revision, self.cal_code_size(size_version), - output_file) + self.code_size_generator.size_generator_write_record( + size_version.revision, self.cal_code_size(size_version), + output_file) - def gen_code_size_comparison(self) -> int: + def gen_code_size_comparison(self) -> None: """Generate results of code size changes between two revisions, old and new. Measured code size results of these two revisions must be available.""" @@ -606,15 +627,13 @@ class CodeSizeComparison: self.old_size_version.revision, self.new_size_version.revision, output_file, self.code_size_common.result_options) - return 0 - - def get_comparision_results(self) -> int: + def get_comparision_results(self) -> None: """Compare size of library/*.o between self.old_rev and self.new_rev, and generate the result file.""" build_tree.check_repo_path() self.gen_code_size_report(self.old_size_version) self.gen_code_size_report(self.new_size_version) - return self.gen_code_size_comparison() + self.gen_code_size_comparison() def main(): 
@@ -668,24 +687,21 @@ def main(): logger.error("{} is not a directory".format(comp_args.result_dir)) parser.exit() - validate_res = CodeSizeCalculator.validate_revision(comp_args.old_rev) - old_revision = validate_res.decode().replace("\n", "") - + old_revision = CodeSizeCalculator.validate_revision(comp_args.old_rev) if comp_args.new_rev is not None: - validate_res = CodeSizeCalculator.validate_revision(comp_args.new_rev) - new_revision = validate_res.decode().replace("\n", "") + new_revision = CodeSizeCalculator.validate_revision(comp_args.new_rev) else: new_revision = "current" old_size_version = SimpleNamespace( - version="old", + version='old', revision=old_revision, config=comp_args.config, arch=comp_args.arch, make_cmd='', ) new_size_version = SimpleNamespace( - version="new", + version='new', revision=new_revision, config=comp_args.config, arch=comp_args.arch, @@ -707,10 +723,8 @@ def main(): new_size_version.revision, old_size_version.config, new_size_version.arch, code_size_common.measure_cmd.strip().split(' ')[0])) - size_compare = CodeSizeComparison(old_size_version, new_size_version,\ - code_size_common, logger) - return_code = size_compare.get_comparision_results() - sys.exit(return_code) + CodeSizeComparison(old_size_version, new_size_version, + code_size_common, logger).get_comparision_results() if __name__ == "__main__": main() From 5b64e4c7e0bdbc71ab3c0cb546ac19b674f51e96 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Thu, 20 Jul 2023 15:09:51 +0800 Subject: [PATCH 070/222] code_size_compare: clean up comments Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 155 +++++++++++++++++++++-------------- 1 file changed, 94 insertions(+), 61 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 01d7b165c..7141fb277 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py 
@@ -97,10 +97,13 @@ class CodeSizeBuildInfo: # pylint: disable=too-few-public-methods logger: logging.Logger, ) -> None: """ - size_version: SimpleNamespace containing info for code size measurement. - size_version.arch: architecture to measure code size on. - size_version.config: configuration type to measure code size with. - host_arch: host architecture. + :param size_version: + SimpleNamespace containing info for code size measurement. + - size_version.arch: architecture to measure code size on. + - size_version.config: configuration type to measure code size + with. + :param host_arch: host architecture. + :param logger: logging module """ self.size_version = size_version self.host_arch = host_arch @@ -141,7 +144,7 @@ class CodeSizeBuildInfo: # pylint: disable=too-few-public-methods class CodeSizeCalculator: - """ A calculator to calculate code size of library objects based on + """ A calculator to calculate code size of library/*.o based on Git revision and code size measurement tool. """ @@ -153,9 +156,10 @@ class CodeSizeCalculator: logger: logging.Logger, ) -> None: """ - revision: Git revision.(E.g: commit) - make_cmd: command to build objects in library. - measure_cmd: command to measure code size for objects in library. + :param revision: Git revision.(E.g: commit) + :param make_cmd: command to build library/*.o. + :param measure_cmd: command to measure code size for library/*.o. + :param logger: logging module """ self.repo_path = "." self.git_command = "git" @@ -174,8 +178,8 @@ class CodeSizeCalculator: return result[:7] def _create_git_worktree(self) -> str: - """Make a separate worktree for revision. - Do not modify the current worktree.""" + """Create a separate worktree for revision. + If revision is current, use current worktree instead.""" if self.revision == "current": self.logger.debug("Using current work directory.") 
@@ -194,9 +198,9 @@ class CodeSizeCalculator: return git_worktree_path def _build_libraries(self, git_worktree_path: str) -> None: - """Build libraries in the specified worktree.""" + """Build library/*.o in the specified worktree.""" - self.logger.debug("Building objects of library for {}." + self.logger.debug("Building library/*.o for {}." .format(self.revision)) my_environment = os.environ.copy() try: @@ -214,7 +218,7 @@ class CodeSizeCalculator: self._handle_called_process_error(e, git_worktree_path) def _gen_raw_code_size(self, git_worktree_path: str) -> typing.Dict[str, str]: - """Calculate code size with measurement tool in UTF-8 encoding.""" + """Measure code size by a tool and return in UTF-8 encoding.""" self.logger.debug("Measuring code size for {} by `{}`." .format(self.revision, @@ -258,7 +262,12 @@ class CodeSizeCalculator: sys.exit(-1) def cal_libraries_code_size(self) -> typing.Dict[str, str]: - """Calculate code size of libraries by measurement tool.""" + """Do a complete round to calculate code size of library/*.o + by measurement tool. + + :return A dictionary of measured code size + - typing.Dict[mod: str] + """ git_worktree_path = self._create_git_worktree() self._build_libraries(git_worktree_path) @@ -269,13 +278,16 @@ class CodeSizeCalculator: class CodeSizeGenerator: - """ A generator based on size measurement tool for library objects. + """ A generator based on size measurement tool for library/*.o. This is an abstract class. To use it, derive a class that implements size_generator_write_record and size_generator_write_comparison methods, then call both of them with proper arguments. """ def __init__(self, logger: logging.Logger) -> None: + """ + :param logger: logging module + """ self.logger = logger def size_generator_write_record( 
@@ -286,9 +298,11 @@ class CodeSizeGenerator: ) -> None: """Write size record into a file. - revision: Git revision.(E.g: commit) - code_size_text: text output (utf-8) from code size measurement tool. - output_file: file which the code size record is written to. + :param revision: Git revision.(E.g: commit) + :param code_size_text: + string output (utf-8) from measurement tool of code size. + - typing.Dict[mod: str] + :param output_file: file which the code size record is written to. """ raise NotImplementedError @@ -301,13 +315,15 @@ class CodeSizeGenerator: ) -> None: """Write a comparision result into a stream between two revisions. - old_rev: old git revision to compared with. - new_rev: new git revision to compared with. - output_stream: stream which the code size record is written to. - (E.g: file / sys.stdout) - result_options: SimpleNamespace containing options for comparison result. - with_markdown: write comparision result in a markdown table. (Default: False) - stdout: direct comparison result into sys.stdout. (Default: False) + :param old_rev: old Git revision to compared with. + :param new_rev: new Git revision to compared with. + :param output_stream: stream which the code size record is written to. + :param result_options: + SimpleNamespace containing options for comparison result. + - result_options.with_markdown: write comparision result in a + markdown table. (Default: False) + - result_options.stdout: direct comparison result into + sys.stdout. (Default: False) """ raise NotImplementedError 
@@ -325,14 +341,15 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): def __init__(self, logger: logging.Logger) -> None: """ Variable code_size is used to store size info for any revisions. - code_size: (data format) - {revision: {module: {file_name: [text, data, bss, dec], - etc ... - }, - etc ... - }, - etc ... - } + :param code_size: + Data Format as following: + {revision: {module: {file_name: [text, data, bss, dec], + etc ... + }, + etc ... + }, + etc ... + } """ super().__init__(logger) self.code_size = {} #type: typing.Dict[str, typing.Dict] @@ -501,7 +518,11 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): output_stream: str, result_options: SimpleNamespace ) -> None: - """Write a comparision result into a stream between two revisions.""" + """Write a comparision result into a stream between two revisions. + + By default, it's written into a file called output_stream. + Once result_options.stdout is set, it's written into sys.stdout instead. + """ self.logger.debug("Generating comparison results between {} and {}." .format(old_rev, new_rev)) @@ -524,9 +545,14 @@ class CodeSizeComparison: logger: logging.Logger, ) -> None: """ - old_revision: revision to compare against. - new_revision: - result_dir: directory for comparison result. + :param old_size_version: SimpleNamespace containing old version info + to compare code size with. + :param new_size_version: SimpleNamespace containing new version info + to take as comparision base. + :param code_size_common: SimpleNamespace containing common info for + both old and new size version, + measurement tool and result options. + :param logger: logging module """ self.result_dir = os.path.abspath( code_size_common.result_options.result_dir) 
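Review bot: The `__init__` docstring of `CodeSizeGeneratorWithSize` now documents `code_size` with a `:param code_size:` field, but the constructor takes only `logger`. `code_size` is the attribute set by `self.code_size = {}` a few lines further down, so the field reads as a parameter that does not exist. Describing it as an attribute (for example `code_size: data format as follows:`) and adding `:param logger: logging module`, as the other constructors touched by this commit do, would keep the docstring accurate.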
@@ -551,6 +577,7 @@ class CodeSizeComparison: self.code_size_generator = self.__generate_size_parser() def __generate_size_parser(self): + """Generate a parser for the corresponding measurement tool.""" if re.match(r'size', self.code_size_common.measure_cmd.strip()): return CodeSizeGeneratorWithSize(self.logger) else: @@ -564,7 +591,7 @@ class CodeSizeComparison: self, size_version: SimpleNamespace ) -> typing.Dict[str, str]: - """Calculate code size of library objects in a UTF-8 encoding""" + """Calculate code size of library/*.o in a UTF-8 encoding""" return CodeSizeCalculator(size_version.revision, size_version.make_cmd, self.code_size_common.measure_cmd, @@ -612,8 +639,12 @@ class CodeSizeComparison: def gen_code_size_comparison(self) -> None: """Generate results of code size changes between two revisions, - old and new. Measured code size results of these two revisions - must be available.""" + old and new. + + - Measured code size results of these two revisions must be available. + - The result is directed into either file / stdout depending on + the option, code_size_common.result_options.stdout. (Default: file) + """ self.logger.info("Start to generate comparision result between "\ "{} and {}." @@ -628,8 +659,8 @@ class CodeSizeComparison: output_file, self.code_size_common.result_options) def get_comparision_results(self) -> None: - """Compare size of library/*.o between self.old_rev and self.new_rev, - and generate the result file.""" + """Compare size of library/*.o between self.old_size_version and + self.old_size_version and generate the result file.""" build_tree.check_repo_path() self.gen_code_size_report(self.old_size_version) self.gen_code_size_report(self.new_size_version) 
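Review bot: The reworded docstring of `get_comparision_results` names the same attribute twice, `self.old_size_version and self.old_size_version`, although the body reports on both the old and the new version. The second mention should be `self.new_size_version`: `Compare size of library/*.o between self.old_size_version and self.new_size_version and generate the result file.` The method's final statement lies outside this hunk. The later rename to `old_size_dist_info` in this series carries the same slip forward.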
@@ -642,41 +673,43 @@ def main(): 'required arguments', 'required arguments to parse for running ' + os.path.basename(__file__)) group_required.add_argument( - "-o", "--old-rev", type=str, required=True, - help="old revision for comparison.") + '-o', '--old-rev', type=str, required=True, + help='old revision for comparison.') group_optional = parser.add_argument_group( 'optional arguments', 'optional arguments to parse for running ' + os.path.basename(__file__)) group_optional.add_argument( - "-r", "--result-dir", type=str, default="comparison", - help="directory where comparison result is stored, \ - default is comparison") + '-r', '--result-dir', type=str, default='comparison', + help='directory where comparison result is stored. ' + '(Default: comparison)') group_optional.add_argument( - "-n", "--new-rev", type=str, default=None, - help="new revision for comparison, default is the current work \ - directory, including uncommitted changes.") + '-n', '--new-rev', type=str, default=None, + help='new revision as comparison base. ' + '(Default is the current work directory, including uncommitted ' + 'changes.)') group_optional.add_argument( - "-a", "--arch", type=str, default=detect_arch(), + '-a', '--arch', type=str, default=detect_arch(), choices=list(map(lambda s: s.value, SupportedArch)), - help="specify architecture for code size comparison, default is the\ - host architecture.") + help='Specify architecture for code size comparison. ' + '(Default is the host architecture.)') group_optional.add_argument( - "-c", "--config", type=str, default=SupportedConfig.DEFAULT.value, + '-c', '--config', type=str, default=SupportedConfig.DEFAULT.value, choices=list(map(lambda s: s.value, SupportedConfig)), - help="specify configuration type for code size comparison,\ - default is the current MbedTLS configuration.") + help='Specify configuration type for code size comparison. 
' + '(Default is the current MbedTLS configuration.)') group_optional.add_argument( '--markdown', action='store_true', dest='markdown', - help="Show comparision of code size in a markdown table\ - (only show the files that have changed).") + help='Show comparision of code size in a markdown table. ' + '(Only show the files that have changed).') group_optional.add_argument( '--stdout', action='store_true', dest='stdout', - help="Set this option to direct comparison result into sys.stdout.\ - (Default: file)") + help='Set this option to direct comparison result into sys.stdout. ' + '(Default: file)') group_optional.add_argument( '--verbose', action='store_true', dest='verbose', - help="Show logs in detail for code size measurement. (Default: False)") + help='Show logs in detail for code size measurement. ' + '(Default: False)') comp_args = parser.parse_args() logger = logging.getLogger() From 955671b0ef2b7faed11054c718189d7d3cd029e9 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Fri, 21 Jul 2023 12:08:27 +0800 Subject: [PATCH 071/222] code_size_compare: replace SimpleNameSpace to a clearer data struct Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 377 ++++++++++++++++++++--------------- 1 file changed, 220 insertions(+), 157 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 7141fb277..9b58d5093 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -32,7 +32,6 @@ import sys import typing from enum import Enum -from types import SimpleNamespace from mbedtls_dev import build_tree from mbedtls_dev import logging_util from mbedtls_dev import typing_util @@ -45,6 +44,7 @@ class SupportedArch(Enum): X86_64 = 'x86_64' X86 = 'x86' + CONFIG_TFM_MEDIUM_MBEDCRYPTO_H = '../configs/tfm_mbedcrypto_config_profile_medium.h' CONFIG_TFM_MEDIUM_PSA_CRYPTO_H = '../configs/crypto_config_profile_medium.h' class SupportedConfig(Enum): 
@@ -52,6 +52,7 @@ class SupportedConfig(Enum): DEFAULT = 'default' TFM_MEDIUM = 'tfm-medium' + # Static library MBEDTLS_STATIC_LIB = { 'CRYPTO': 'library/libmbedcrypto.a', 
@@ -59,6 +60,70 @@ MBEDTLS_STATIC_LIB = { 'TLS': 'library/libmbedtls.a', } +class CodeSizeDistinctInfo: # pylint: disable=too-few-public-methods + """Data structure to store possibly distinct information for code size + comparison.""" + def __init__( #pylint: disable=too-many-arguments + self, + version: str, + git_rev: str, + arch: str, + config: str, + make_cmd: str, + ) -> None: + """ + :param: version: which version to compare with for code size. + :param: git_rev: Git revision to calculate code size. + :param: arch: architecture to measure code size on. + :param: config: Configuration type to calculate code size. + (See SupportedConfig) + :param: make_cmd: make command to build library/*.o. + """ + self.version = version + self.git_rev = git_rev + self.arch = arch + self.config = config + self.make_cmd = make_cmd + + +class CodeSizeCommonInfo: # pylint: disable=too-few-public-methods + """Data structure to store common information for code size comparison.""" + def __init__( + self, + host_arch: str, + measure_cmd: str, + ) -> None: + """ + :param host_arch: host architecture. + :param measure_cmd: command to measure code size for library/*.o. + """ + self.host_arch = host_arch + self.measure_cmd = measure_cmd + + +class CodeSizeResultInfo: # pylint: disable=too-few-public-methods + """Data structure to store result options for code size comparison.""" + def __init__( + self, + record_dir: str, + comp_dir: str, + with_markdown=False, + stdout=False, + ) -> None: + """ + :param record_dir: directory to store code size record. + :param comp_dir: directory to store results of code size comparision. + :param with_markdown: write comparision result into a markdown table. + (Default: False) + :param stdout: direct comparison result into sys.stdout. 
+ (Default False) + """ + self.record_dir = record_dir + self.comp_dir = comp_dir + self.with_markdown = with_markdown + self.stdout = stdout + + DETECT_ARCH_CMD = "cc -dM -E - < /dev/null" def detect_arch() -> str: """Auto-detect host architecture.""" @@ -92,20 +157,20 @@ class CodeSizeBuildInfo: # pylint: disable=too-few-public-methods def __init__( self, - size_version: SimpleNamespace, + size_dist_info: CodeSizeDistinctInfo, host_arch: str, logger: logging.Logger, ) -> None: """ - :param size_version: - SimpleNamespace containing info for code size measurement. - - size_version.arch: architecture to measure code size on. - - size_version.config: configuration type to measure code size - with. + :param size_dist_info: + CodeSizeDistinctInfo containing info for code size measurement. + - size_dist_info.arch: architecture to measure code size on. + - size_dist_info.config: configuration type to measure + code size with. :param host_arch: host architecture. :param logger: logging module """ - self.size_version = size_version + self.size_dist_info = size_dist_info self.host_arch = host_arch self.logger = logger @@ -113,12 +178,12 @@ class CodeSizeBuildInfo: # pylint: disable=too-few-public-methods """Infer make command based on architecture and configuration.""" # make command by default - if self.size_version.config == SupportedConfig.DEFAULT.value and \ - self.size_version.arch == self.host_arch: + if self.size_dist_info.config == SupportedConfig.DEFAULT.value and \ + self.size_dist_info.arch == self.host_arch: return 'make -j lib CFLAGS=\'-Os \' ' # make command for TF-M - elif self.size_version.arch == SupportedArch.ARMV8_M.value and \ - self.size_version.config == SupportedConfig.TFM_MEDIUM.value: + elif self.size_dist_info.arch == SupportedArch.ARMV8_M.value and \ + self.size_dist_info.config == SupportedConfig.TFM_MEDIUM.value: return \ 'make -j lib CC=armclang \ CFLAGS=\'--target=arm-arm-none-eabi -mcpu=cortex-m33 -Os \ 
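Review bot: The docstring of `CodeSizeDistinctInfo.__init__` writes its fields as `:param: version:`, with an extra colon after `param`, while `CodeSizeCommonInfo` and `CodeSizeResultInfo` in the same hunk use `:param host_arch:`. Only the second form is the usual reST field syntax, so documentation tools will probably not treat the first class's entries as parameters. Writing `:param version:`, `:param git_rev:` and so on would make the three classes consistent. `with_markdown=False` and `stdout=False` in `CodeSizeResultInfo.__init__` could also be annotated, e.g. `with_markdown: bool = False`, to match the annotated parameters next to them.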
@@ -128,8 +193,8 @@ class CodeSizeBuildInfo: # pylint: disable=too-few-public-methods else: self.logger.error("Unsupported combination of architecture: {} " \ "and configuration: {}.\n" - .format(self.size_version.arch, - self.size_version.config)) + .format(self.size_dist_info.arch, + self.size_dist_info.config)) self.logger.info("Please use supported combination of " \ "architecture and configuration:") for comb in CodeSizeBuildInfo.SupportedArchConfig: @@ -150,13 +215,13 @@ class CodeSizeCalculator: def __init__( self, - revision: str, + git_rev: str, make_cmd: str, measure_cmd: str, logger: logging.Logger, ) -> None: """ - :param revision: Git revision.(E.g: commit) + :param git_rev: Git revision. (E.g: commit) :param make_cmd: command to build library/*.o. :param measure_cmd: command to measure code size for library/*.o. :param logger: logging module 
@@ -165,33 +230,33 @@ class CodeSizeCalculator: self.git_command = "git" self.make_clean = 'make clean' - self.revision = revision + self.git_rev = git_rev self.make_cmd = make_cmd self.measure_cmd = measure_cmd self.logger = logger @staticmethod - def validate_revision(revision: str) -> str: + def validate_git_revision(git_rev: str) -> str: result = subprocess.check_output(["git", "rev-parse", "--verify", - revision + "^{commit}"], shell=False, - universal_newlines=True) + git_rev + "^{commit}"], + shell=False, universal_newlines=True) return result[:7] def _create_git_worktree(self) -> str: - """Create a separate worktree for revision. - If revision is current, use current worktree instead.""" + """Create a separate worktree for Git revision. + If Git revision is current, use current worktree instead.""" - if self.revision == "current": + if self.git_rev == "current": self.logger.debug("Using current work directory.") git_worktree_path = self.repo_path else: self.logger.debug("Creating git worktree for {}." - .format(self.revision)) + .format(self.git_rev)) git_worktree_path = os.path.join(self.repo_path, - "temp-" + self.revision) + "temp-" + self.git_rev) subprocess.check_output( [self.git_command, "worktree", "add", "--detach", - git_worktree_path, self.revision], cwd=self.repo_path, + git_worktree_path, self.git_rev], cwd=self.repo_path, stderr=subprocess.STDOUT ) @@ -201,7 +266,7 @@ class CodeSizeCalculator: """Build library/*.o in the specified worktree.""" self.logger.debug("Building library/*.o for {}." - .format(self.revision)) + .format(self.git_rev)) my_environment = os.environ.copy() try: subprocess.check_output( @@ -221,7 +286,7 @@ class CodeSizeCalculator: """Measure code size by a tool and return in UTF-8 encoding.""" self.logger.debug("Measuring code size for {} by `{}`." - .format(self.revision, + .format(self.git_rev, self.measure_cmd.strip().split(' ')[0])) res = {} 
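Review bot: `validate_git_revision` hands the command-line value to git as `git_rev + "^{commit}"` without checking its shape, so a value that begins with `-` is parsed by `git rev-parse` as an option instead of a revision. A guard before the call, `if git_rev.startswith('-'): raise ValueError('invalid revision: ' + git_rev)`, keeps the argument in the revision position. Separately, `return result[:7]` assumes seven hex digits identify the commit uniquely, and the shortened value is later passed to `git worktree add`. Asking git for the abbreviation (e.g. `--short` on the same `rev-parse` call) would avoid an ambiguous prefix in a large repository. The method also has no docstring stating that it returns the abbreviated commit id.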
@@ -292,13 +357,13 @@ class CodeSizeGenerator: def size_generator_write_record( self, - revision: str, + git_rev: str, code_size_text: typing.Dict, output_file: str ) -> None: """Write size record into a file. - :param revision: Git revision.(E.g: commit) + :param git_rev: Git revision. (E.g: commit) :param code_size_text: string output (utf-8) from measurement tool of code size. - typing.Dict[mod: str] @@ -311,15 +376,15 @@ class CodeSizeGenerator: old_rev: str, new_rev: str, output_stream: str, - result_options: SimpleNamespace + result_options: CodeSizeResultInfo ) -> None: - """Write a comparision result into a stream between two revisions. + """Write a comparision result into a stream between two Git revisions. :param old_rev: old Git revision to compared with. :param new_rev: new Git revision to compared with. :param output_stream: stream which the code size record is written to. :param result_options: - SimpleNamespace containing options for comparison result. + CodeSizeResultInfo containing options for comparison result. - result_options.with_markdown: write comparision result in a markdown table. (Default: False) - result_options.stdout: direct comparison result into 
@@ -340,22 +405,22 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): self.total = dec # total <=> dec def __init__(self, logger: logging.Logger) -> None: - """ Variable code_size is used to store size info for any revisions. + """ Variable code_size is used to store size info for any Git revisions. :param code_size: Data Format as following: - {revision: {module: {file_name: [text, data, bss, dec], - etc ... - }, - etc ... - }, + {git_rev: {module: {file_name: [text, data, bss, dec], + etc ... + }, + etc ... + }, etc ... } """ super().__init__(logger) self.code_size = {} #type: typing.Dict[str, typing.Dict] - def _set_size_record(self, revision: str, mod: str, size_text: str) -> None: - """Store size information for target revision and high-level module. + def _set_size_record(self, git_rev: str, mod: str, size_text: str) -> None: + """Store size information for target Git revision and high-level module. size_text Format: text data bss dec hex filename """ @@ -365,12 +430,12 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): # file_name: SizeEntry(text, data, bss, dec) size_record[data[5]] = CodeSizeGeneratorWithSize.SizeEntry( data[0], data[1], data[2], data[3]) - if revision in self.code_size: - self.code_size[revision].update({mod: size_record}) + if git_rev in self.code_size: + self.code_size[git_rev].update({mod: size_record}) else: - self.code_size[revision] = {mod: size_record} + self.code_size[git_rev] = {mod: size_record} - def read_size_record(self, revision: str, fname: str) -> None: + def read_size_record(self, git_rev: str, fname: str) -> None: """Read size information from csv file and write it into code_size. fname Format: filename text data bss dec 
@@ -393,21 +458,21 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): # check if we hit record for the end of a module m = re.match(r'.?TOTALS', line) if m: - if revision in self.code_size: - self.code_size[revision].update({mod: size_record}) + if git_rev in self.code_size: + self.code_size[git_rev].update({mod: size_record}) else: - self.code_size[revision] = {mod: size_record} + self.code_size[git_rev] = {mod: size_record} mod = "" size_record = {} def _size_reader_helper( self, - revision: str, + git_rev: str, output: typing_util.Writable, with_markdown=False ) -> typing.Iterator[tuple]: - """A helper function to peel code_size based on revision.""" - for mod, file_size in self.code_size[revision].items(): + """A helper function to peel code_size based on Git revision.""" + for mod, file_size in self.code_size[git_rev].items(): if not with_markdown: output.write("\n" + mod + "\n") for fname, size_entry in file_size.items(): @@ -415,7 +480,7 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): def _write_size_record( self, - revision: str, + git_rev: str, output: typing_util.Writable ) -> None: """Write size information to a file. @@ -425,7 +490,7 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): format_string = "{:<30} {:>7} {:>7} {:>7} {:>7}\n" output.write(format_string.format("filename", "text", "data", "bss", "total")) - for _, fname, size_entry in self._size_reader_helper(revision, output): + for _, fname, size_entry in self._size_reader_helper(git_rev, output): output.write(format_string.format(fname, size_entry.text, size_entry.data, size_entry.bss, size_entry.total)) 
@@ -445,7 +510,7 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): def cal_size_section_variation(mod, fname, size_entry, attr): new_size = int(size_entry.__dict__[attr]) - # check if we have the file in old revision + # check if we have the file in old Git revision if fname in self.code_size[old_rev][mod]: old_size = int(self.code_size[old_rev][mod][fname].__dict__[attr]) change = new_size - old_size @@ -497,28 +562,28 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): def size_generator_write_record( self, - revision: str, + git_rev: str, code_size_text: typing.Dict, output_file: str ) -> None: """Write size record into a specified file based on Git revision and output from `size` tool.""" - self.logger.debug("Generating code size csv for {}.".format(revision)) + self.logger.debug("Generating code size csv for {}.".format(git_rev)) for mod, size_text in code_size_text.items(): - self._set_size_record(revision, mod, size_text) + self._set_size_record(git_rev, mod, size_text) output = open(output_file, "w") - self._write_size_record(revision, output) + self._write_size_record(git_rev, output) def size_generator_write_comparison( self, old_rev: str, new_rev: str, output_stream: str, - result_options: SimpleNamespace + result_options: CodeSizeResultInfo ) -> None: - """Write a comparision result into a stream between two revisions. + """Write a comparision result into a stream between two Git revisions. By default, it's written into a file called output_stream. Once result_options.stdout is set, it's written into sys.stdout instead. 
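Review bot: `size_generator_write_record` opens the record with `output = open(output_file, "w")` and never closes it. The CSV is therefore flushed only when the file object happens to be collected, and an exception inside `_write_size_record` leaves the handle open and the file possibly truncated. A context manager fixes this: `with open(output_file, "w") as output:` followed by `self._write_size_record(git_rev, output)`. The `open` call is unchanged context in this hunk, so the rename inherits the problem rather than introducing it.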
@@ -537,133 +602,139 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): class CodeSizeComparison: """Compare code size between two Git revisions.""" - def __init__( + def __init__( #pylint: disable=too-many-arguments self, - old_size_version: SimpleNamespace, - new_size_version: SimpleNamespace, - code_size_common: SimpleNamespace, + old_size_dist_info: CodeSizeDistinctInfo, + new_size_dist_info: CodeSizeDistinctInfo, + size_common_info: CodeSizeCommonInfo, + result_options: CodeSizeResultInfo, logger: logging.Logger, ) -> None: """ - :param old_size_version: SimpleNamespace containing old version info - to compare code size with. - :param new_size_version: SimpleNamespace containing new version info - to take as comparision base. - :param code_size_common: SimpleNamespace containing common info for - both old and new size version, - measurement tool and result options. + :param old_size_dist_info: CodeSizeDistinctInfo containing old distinct + info to compare code size with. + :param new_size_dist_info: CodeSizeDistinctInfo containing new distinct + info to take as comparision base. + :param size_common_info: CodeSizeCommonInfo containing common info for + both old and new size distinct info and + measurement tool. + :param result_options: CodeSizeResultInfo containing results options for + code size record and comparision. 
:param logger: logging module """ - self.result_dir = os.path.abspath( - code_size_common.result_options.result_dir) - os.makedirs(self.result_dir, exist_ok=True) - - self.csv_dir = os.path.abspath("code_size_records/") - os.makedirs(self.csv_dir, exist_ok=True) self.logger = logger - self.old_size_version = old_size_version - self.new_size_version = new_size_version - self.code_size_common = code_size_common + self.old_size_dist_info = old_size_dist_info + self.new_size_dist_info = new_size_dist_info + self.size_common_info = size_common_info # infer make command - self.old_size_version.make_cmd = CodeSizeBuildInfo( - self.old_size_version, self.code_size_common.host_arch, + self.old_size_dist_info.make_cmd = CodeSizeBuildInfo( + self.old_size_dist_info, self.size_common_info.host_arch, self.logger).infer_make_command() - self.new_size_version.make_cmd = CodeSizeBuildInfo( - self.new_size_version, self.code_size_common.host_arch, + self.new_size_dist_info.make_cmd = CodeSizeBuildInfo( + self.new_size_dist_info, self.size_common_info.host_arch, self.logger).infer_make_command() # initialize size parser with corresponding measurement tool self.code_size_generator = self.__generate_size_parser() + self.result_options = result_options + self.csv_dir = os.path.abspath(self.result_options.record_dir) + os.makedirs(self.csv_dir, exist_ok=True) + self.comp_dir = os.path.abspath(self.result_options.comp_dir) + os.makedirs(self.comp_dir, exist_ok=True) + def __generate_size_parser(self): """Generate a parser for the corresponding measurement tool.""" - if re.match(r'size', self.code_size_common.measure_cmd.strip()): + if re.match(r'size', self.size_common_info.measure_cmd.strip()): return CodeSizeGeneratorWithSize(self.logger) else: self.logger.error("Unsupported measurement tool: `{}`." 
- .format(self.code_size_common.measure_cmd + .format(self.size_common_info.measure_cmd .strip().split(' ')[0])) sys.exit(1) def cal_code_size( self, - size_version: SimpleNamespace + size_dist_info: CodeSizeDistinctInfo ) -> typing.Dict[str, str]: """Calculate code size of library/*.o in a UTF-8 encoding""" - return CodeSizeCalculator(size_version.revision, size_version.make_cmd, - self.code_size_common.measure_cmd, + return CodeSizeCalculator(size_dist_info.git_rev, + size_dist_info.make_cmd, + self.size_common_info.measure_cmd, self.logger).cal_libraries_code_size() def gen_file_name( self, - old_size_version: SimpleNamespace, - new_size_version=None + old_size_dist_info: CodeSizeDistinctInfo, + new_size_dist_info=None ) -> str: """Generate a literal string as csv file name.""" - if new_size_version: + if new_size_dist_info: return '{}-{}-{}-{}-{}-{}-{}.csv'\ - .format(old_size_version.revision, old_size_version.arch, - old_size_version.config, - new_size_version.revision, new_size_version.arch, - new_size_version.config, - self.code_size_common.measure_cmd.strip()\ + .format(old_size_dist_info.git_rev, old_size_dist_info.arch, + old_size_dist_info.config, + new_size_dist_info.git_rev, new_size_dist_info.arch, + new_size_dist_info.config, + self.size_common_info.measure_cmd.strip()\ .split(' ')[0]) else: return '{}-{}-{}-{}.csv'\ - .format(old_size_version.revision, old_size_version.arch, - old_size_version.config, - self.code_size_common.measure_cmd.strip()\ + .format(old_size_dist_info.git_rev, + old_size_dist_info.arch, + old_size_dist_info.config, + self.size_common_info.measure_cmd.strip()\ .split(' ')[0]) - def gen_code_size_report(self, size_version: SimpleNamespace) -> None: + def gen_code_size_report(self, size_dist_info: CodeSizeDistinctInfo) -> None: """Generate code size record and write it into a file.""" self.logger.info("Start to generate code size record for {}." 
- .format(size_version.revision)) + .format(size_dist_info.git_rev)) output_file = os.path.join(self.csv_dir, - self.gen_file_name(size_version)) + self.gen_file_name(size_dist_info)) # Check if the corresponding record exists - if size_version.revision != "current" and \ + if size_dist_info.git_rev != "current" and \ os.path.exists(output_file): self.logger.debug("Code size csv file for {} already exists." - .format(size_version.revision)) + .format(size_dist_info.git_rev)) self.code_size_generator.read_size_record( - size_version.revision, output_file) + size_dist_info.git_rev, output_file) else: self.code_size_generator.size_generator_write_record( - size_version.revision, self.cal_code_size(size_version), + size_dist_info.git_rev, self.cal_code_size(size_dist_info), output_file) def gen_code_size_comparison(self) -> None: - """Generate results of code size changes between two revisions, + """Generate results of code size changes between two Git revisions, old and new. - - Measured code size results of these two revisions must be available. + - Measured code size result of these two Git revisions must be available. - The result is directed into either file / stdout depending on - the option, code_size_common.result_options.stdout. (Default: file) + the option, size_common_info.result_options.stdout. (Default: file) """ self.logger.info("Start to generate comparision result between "\ "{} and {}." 
- .format(self.old_size_version.revision, - self.new_size_version.revision)) + .format(self.old_size_dist_info.git_rev, + self.new_size_dist_info.git_rev)) output_file = os.path.join( - self.result_dir, - self.gen_file_name(self.old_size_version, self.new_size_version)) + self.comp_dir, + self.gen_file_name(self.old_size_dist_info, self.new_size_dist_info)) self.code_size_generator.size_generator_write_comparison( - self.old_size_version.revision, self.new_size_version.revision, - output_file, self.code_size_common.result_options) + self.old_size_dist_info.git_rev, + self.new_size_dist_info.git_rev, + output_file, self.result_options) def get_comparision_results(self) -> None: - """Compare size of library/*.o between self.old_size_version and - self.old_size_version and generate the result file.""" + """Compare size of library/*.o between self.old_size_dist_info and + self.old_size_dist_info and generate the result file.""" build_tree.check_repo_path() - self.gen_code_size_report(self.old_size_version) - self.gen_code_size_report(self.new_size_version) + self.gen_code_size_report(self.old_size_dist_info) + self.gen_code_size_report(self.new_size_dist_info) self.gen_code_size_comparison() 
@@ -674,18 +745,22 @@ def main(): 'required arguments to parse for running ' + os.path.basename(__file__)) group_required.add_argument( '-o', '--old-rev', type=str, required=True, - help='old revision for comparison.') + help='old Git revision for comparison.') group_optional = parser.add_argument_group( 'optional arguments', 'optional arguments to parse for running ' + os.path.basename(__file__)) group_optional.add_argument( - '-r', '--result-dir', type=str, default='comparison', + '--record_dir', type=str, default='code_size_records', + help='directory where code size record is stored. ' + '(Default: code_size_records)') + group_optional.add_argument( + '-r', '--comp-dir', type=str, default='comparison', help='directory where comparison result is stored. ' '(Default: comparison)') group_optional.add_argument( '-n', '--new-rev', type=str, default=None, - help='new revision as comparison base. ' + help='new Git revision as comparison base. ' '(Default is the current work directory, including uncommitted ' 'changes.)') group_optional.add_argument( 
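Review bot: The new `--record_dir` option is spelled with an underscore while every other long option in this parser uses hyphens (`--old-rev`, `--comp-dir`, `--new-rev`). Spelling it `'--record-dir', type=str, default='code_size_records',` keeps the command line consistent, and argparse still stores the value as `comp_args.record_dir`. main() starts and ends outside this hunk.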
@@ -716,48 +791,36 @@ def main(): logging_util.configure_logger(logger) logger.setLevel(logging.DEBUG if comp_args.verbose else logging.INFO) - if os.path.isfile(comp_args.result_dir): - logger.error("{} is not a directory".format(comp_args.result_dir)) + if os.path.isfile(comp_args.comp_dir): + logger.error("{} is not a directory".format(comp_args.comp_dir)) parser.exit() - old_revision = CodeSizeCalculator.validate_revision(comp_args.old_rev) + old_revision = CodeSizeCalculator.validate_git_revision(comp_args.old_rev) if comp_args.new_rev is not None: - new_revision = CodeSizeCalculator.validate_revision(comp_args.new_rev) + new_revision = CodeSizeCalculator.validate_git_revision( + comp_args.new_rev) else: new_revision = "current" - old_size_version = SimpleNamespace( - version='old', - revision=old_revision, - config=comp_args.config, - arch=comp_args.arch, - make_cmd='', - ) - new_size_version = SimpleNamespace( - version='new', - revision=new_revision, - config=comp_args.config, - arch=comp_args.arch, - make_cmd='', - ) - code_size_common = SimpleNamespace( - result_options=SimpleNamespace( - result_dir=comp_args.result_dir, - with_markdown=comp_args.markdown, - stdout=comp_args.stdout, - ), - host_arch=detect_arch(), - measure_cmd='size -t', - ) + old_size_dist_info = CodeSizeDistinctInfo( + 'old', old_revision, comp_args.arch, comp_args.config, '') + new_size_dist_info = CodeSizeDistinctInfo( + 'new', new_revision, comp_args.arch, comp_args.config, '') + size_common_info = CodeSizeCommonInfo( + detect_arch(), 'size -t') + result_options = CodeSizeResultInfo( + comp_args.record_dir, comp_args.comp_dir, + comp_args.markdown, comp_args.stdout) logger.info("Measure code size between {}:{}-{} and {}:{}-{} by `{}`." 
- .format(old_size_version.revision, old_size_version.config, - old_size_version.arch, - new_size_version.revision, old_size_version.config, - new_size_version.arch, - code_size_common.measure_cmd.strip().split(' ')[0])) - CodeSizeComparison(old_size_version, new_size_version, - code_size_common, logger).get_comparision_results() + .format(old_size_dist_info.git_rev, old_size_dist_info.config, + old_size_dist_info.arch, + new_size_dist_info.git_rev, old_size_dist_info.config, + new_size_dist_info.arch, + size_common_info.measure_cmd.strip().split(' ')[0])) + CodeSizeComparison(old_size_dist_info, new_size_dist_info, + size_common_info, result_options, + logger).get_comparision_results() if __name__ == "__main__": main() From 5605c6f58fce180d10d398c6ce62edee619ddb64 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Fri, 21 Jul 2023 16:09:00 +0800 Subject: [PATCH 072/222] code_size_compare: make CodeSizeBuildInfo more flexible This commit changes how to infer make command. Although we haven't supported to pass more options in command line, this is the preparation work to support those features. Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 149 ++++++++++++++++++++++++++++------- 1 file changed, 119 insertions(+), 30 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 9b58d5093..30251835c 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -27,6 +27,7 @@ import argparse import logging import os import re +import shutil import subprocess import sys import typing @@ -45,8 +46,6 @@ class SupportedArch(Enum): X86 = 'x86' -CONFIG_TFM_MEDIUM_MBEDCRYPTO_H = '../configs/tfm_mbedcrypto_config_profile_medium.h' -CONFIG_TFM_MEDIUM_PSA_CRYPTO_H = '../configs/crypto_config_profile_medium.h' class SupportedConfig(Enum): """Supported configuration for code size measurement.""" DEFAULT = 'default' 
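Review bot: In the `@@ -716,48 +791,36 @@` hunk of main(), only `comp_args.comp_dir` is checked with `os.path.isfile()`; the new `comp_args.record_dir` goes unchecked into `os.makedirs(..., exist_ok=True)` in CodeSizeComparison.__init__, which raises FileExistsError when the path names an existing file. The same guard should cover both, e.g. `for d in (comp_args.record_dir, comp_args.comp_dir):` followed by the existing isfile test on `d`. `parser.exit()` with no argument also exits with status 0, so a caller or CI job cannot see the failure; `parser.exit(1)` would. main() starts outside this hunk.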
@@ -69,7 +68,8 @@ class CodeSizeDistinctInfo: # pylint: disable=too-few-public-methods git_rev: str, arch: str, config: str, - make_cmd: str, + compiler: str, + opt_level: str, ) -> None: """ :param: version: which version to compare with for code size. @@ -77,13 +77,18 @@ class CodeSizeDistinctInfo: # pylint: disable=too-few-public-methods :param: arch: architecture to measure code size on. :param: config: Configuration type to calculate code size. (See SupportedConfig) - :param: make_cmd: make command to build library/*.o. + :param: compiler: compiler used to build library/*.o. + :param: opt_level: Options that control optimization. (E.g. -Os) """ self.version = version self.git_rev = git_rev self.arch = arch self.config = config - self.make_cmd = make_cmd + self.compiler = compiler + self.opt_level = opt_level + # Note: Variables below are not initialized by class instantiation. + self.pre_make_cmd = [] #type: typing.List[str] + self.make_cmd = '' class CodeSizeCommonInfo: # pylint: disable=too-few-public-methods @@ -140,6 +145,13 @@ def detect_arch() -> str: print("Unknown host architecture, cannot auto-detect arch.") sys.exit(1) +TFM_MEDIUM_CONFIG_H = 'configs/tfm_mbedcrypto_config_profile_medium.h' +TFM_MEDIUM_CRYPTO_CONFIG_H = 'configs/crypto_config_profile_medium.h' + +CONFIG_H = 'include/mbedtls/mbedtls_config.h' +CRYPTO_CONFIG_H = 'include/psa/crypto_config.h' +BACKUP_SUFFIX = '.code_size.bak' + class CodeSizeBuildInfo: # pylint: disable=too-few-public-methods """Gather information used to measure code size. 
@@ -167,34 +179,79 @@ class CodeSizeBuildInfo: # pylint: disable=too-few-public-methods - size_dist_info.arch: architecture to measure code size on. - size_dist_info.config: configuration type to measure code size with. + - size_dist_info.compiler: compiler used to build library/*.o. + - size_dist_info.opt_level: Options that control optimization. + (E.g. -Os) :param host_arch: host architecture. :param logger: logging module """ - self.size_dist_info = size_dist_info + self.arch = size_dist_info.arch + self.config = size_dist_info.config + self.compiler = size_dist_info.compiler + self.opt_level = size_dist_info.opt_level + + self.make_cmd = ['make', '-j', 'lib'] + self.host_arch = host_arch self.logger = logger - def infer_make_command(self) -> str: - """Infer make command based on architecture and configuration.""" + def check_correctness(self) -> bool: + """Check whether we are using proper / supported combination + of information to build library/*.o.""" - # make command by default - if self.size_dist_info.config == SupportedConfig.DEFAULT.value and \ - self.size_dist_info.arch == self.host_arch: - return 'make -j lib CFLAGS=\'-Os \' ' - # make command for TF-M - elif self.size_dist_info.arch == SupportedArch.ARMV8_M.value and \ - self.size_dist_info.config == SupportedConfig.TFM_MEDIUM.value: - return \ - 'make -j lib CC=armclang \ - CFLAGS=\'--target=arm-arm-none-eabi -mcpu=cortex-m33 -Os \ - -DMBEDTLS_CONFIG_FILE=\\\"' + CONFIG_TFM_MEDIUM_MBEDCRYPTO_H + '\\\" \ - -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE=\\\"' + CONFIG_TFM_MEDIUM_PSA_CRYPTO_H + '\\\" \'' - # unsupported combinations + # default config + if self.config == SupportedConfig.DEFAULT.value and \ + self.arch == self.host_arch: + return True + # TF-M + elif self.arch == SupportedArch.ARMV8_M.value and \ + self.config == SupportedConfig.TFM_MEDIUM.value: + return True + + return False + + def infer_pre_make_command(self) -> typing.List[str]: + """Infer command to set up proper configuration before running 
make.""" + pre_make_cmd = [] #type: typing.List[str] + if self.config == SupportedConfig.TFM_MEDIUM.value: + pre_make_cmd.append('cp -r {} {}' + .format(TFM_MEDIUM_CONFIG_H, CONFIG_H)) + pre_make_cmd.append('cp -r {} {}' + .format(TFM_MEDIUM_CRYPTO_CONFIG_H, + CRYPTO_CONFIG_H)) + + return pre_make_cmd + + def infer_make_cflags(self) -> str: + """Infer CFLAGS by instance attributes in CodeSizeDistinctInfo.""" + cflags = [] #type: typing.List[str] + + # set optimization level + cflags.append(self.opt_level) + # set compiler by config + if self.config == SupportedConfig.TFM_MEDIUM.value: + self.compiler = 'armclang' + cflags.append('-mcpu=cortex-m33') + # set target + if self.compiler == 'armclang': + cflags.append('--target=arm-arm-none-eabi') + + return ' '.join(cflags) + + def infer_make_command(self) -> str: + """Infer make command by CFLAGS and CC.""" + + if self.check_correctness(): + # set CFLAGS= + self.make_cmd.append('CFLAGS=\'{}\''.format(self.infer_make_cflags())) + # set CC= + self.make_cmd.append('CC={}'.format(self.compiler)) + return ' '.join(self.make_cmd) else: self.logger.error("Unsupported combination of architecture: {} " \ "and configuration: {}.\n" - .format(self.size_dist_info.arch, - self.size_dist_info.config)) + .format(self.arch, + self.config)) self.logger.info("Please use supported combination of " \ "architecture and configuration:") for comb in CodeSizeBuildInfo.SupportedArchConfig: @@ -213,15 +270,17 @@ class CodeSizeCalculator: Git revision and code size measurement tool. """ - def __init__( + def __init__( #pylint: disable=too-many-arguments self, git_rev: str, + pre_make_cmd: typing.List[str], make_cmd: str, measure_cmd: str, logger: logging.Logger, ) -> None: """ :param git_rev: Git revision. (E.g: commit) + :param pre_make_cmd: command to set up proper config before running make. :param make_cmd: command to build library/*.o. :param measure_cmd: command to measure code size for library/*.o. :param logger: logging module 
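Review bot: infer_make_command() in the `@@ -167,34 +179,79 @@` hunk splices `opt_level` and `compiler` into one shell string (`CFLAGS='{}'`, `CC={}`), and the pre-make `cp -r` strings from infer_pre_make_command() are run with `shell=True` in _build_libraries. Both values are fixed to `'cc'` and `'-Os'` in main() today, but the commit message says they are meant to become command-line options, and then a quote or shell metacharacter in them would change the command that runs. Quoting at the point of interpolation, `self.make_cmd.append('CFLAGS=' + shlex.quote(self.infer_make_cflags()))` and `self.make_cmd.append('CC=' + shlex.quote(self.compiler))` (with `import shlex`), or keeping the command as a list and dropping `shell=True`, avoids that. Separately, infer_make_command() appends to `self.make_cmd`, so a second call on the same instance would repeat CFLAGS and CC.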
@@ -231,6 +290,7 @@ class CodeSizeCalculator: self.make_clean = 'make clean' self.git_rev = git_rev + self.pre_make_cmd = pre_make_cmd self.make_cmd = make_cmd self.measure_cmd = measure_cmd self.logger = logger @@ -246,7 +306,7 @@ class CodeSizeCalculator: """Create a separate worktree for Git revision. If Git revision is current, use current worktree instead.""" - if self.git_rev == "current": + if self.git_rev == 'current': self.logger.debug("Using current work directory.") git_worktree_path = self.repo_path else: @@ -262,6 +322,16 @@ class CodeSizeCalculator: return git_worktree_path + @staticmethod + def backup_config_files(restore: bool) -> None: + """Backup / Restore config files.""" + if restore: + shutil.move(CONFIG_H + BACKUP_SUFFIX, CONFIG_H) + shutil.move(CRYPTO_CONFIG_H + BACKUP_SUFFIX, CRYPTO_CONFIG_H) + else: + shutil.copy(CONFIG_H, CONFIG_H + BACKUP_SUFFIX) + shutil.copy(CRYPTO_CONFIG_H, CRYPTO_CONFIG_H + BACKUP_SUFFIX) + def _build_libraries(self, git_worktree_path: str) -> None: """Build library/*.o in the specified worktree.""" @@ -269,6 +339,14 @@ class CodeSizeCalculator: .format(self.git_rev)) my_environment = os.environ.copy() try: + if self.git_rev == 'current': + self.backup_config_files(restore=False) + for pre_cmd in self.pre_make_cmd: + subprocess.check_output( + pre_cmd, env=my_environment, shell=True, + cwd=git_worktree_path, stderr=subprocess.STDOUT, + universal_newlines=True + ) subprocess.check_output( self.make_clean, env=my_environment, shell=True, cwd=git_worktree_path, stderr=subprocess.STDOUT, @@ -279,6 +357,8 @@ class CodeSizeCalculator: cwd=git_worktree_path, stderr=subprocess.STDOUT, universal_newlines=True ) + if self.git_rev == 'current': + self.backup_config_files(restore=True) except subprocess.CalledProcessError as e: self._handle_called_process_error(e, git_worktree_path) 
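Review bot: In _build_libraries the restore call `self.backup_config_files(restore=True)` (hunk `@@ -279,6 +357,8 @@`) is reached only when every command succeeds; if a pre-make command, `make clean` or the build raises CalledProcessError, control goes to the `except` branch and the working tree's `include/mbedtls/mbedtls_config.h` and `include/psa/crypto_config.h` stay as whatever the pre-make step left, with the originals in `*.code_size.bak`. Taking the backup before `try:` and moving the restore into `finally:` — `finally:` / `if self.git_rev == 'current':` / `self.backup_config_files(restore=True)` — puts the user's files back on both paths; this assumes _handle_called_process_error, which is outside the hunk, does not terminate in a way that skips `finally`. backup_config_files() (hunk `@@ -262,6 +322,16 @@`) also resolves its paths against the process working directory while the commands run with `cwd=git_worktree_path`, so it is worth passing the worktree path in. The function body is split across these hunks and continues outside them.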
@@ -628,6 +708,13 @@ class CodeSizeComparison: self.old_size_dist_info = old_size_dist_info self.new_size_dist_info = new_size_dist_info self.size_common_info = size_common_info + # infer pre make command + self.old_size_dist_info.pre_make_cmd = CodeSizeBuildInfo( + self.old_size_dist_info, self.size_common_info.host_arch, + self.logger).infer_pre_make_command() + self.new_size_dist_info.pre_make_cmd = CodeSizeBuildInfo( + self.new_size_dist_info, self.size_common_info.host_arch, + self.logger).infer_pre_make_command() # infer make command self.old_size_dist_info.make_cmd = CodeSizeBuildInfo( self.old_size_dist_info, self.size_common_info.host_arch, @@ -654,7 +741,6 @@ class CodeSizeComparison: .strip().split(' ')[0])) sys.exit(1) - def cal_code_size( self, size_dist_info: CodeSizeDistinctInfo @@ -662,6 +748,7 @@ class CodeSizeComparison: """Calculate code size of library/*.o in a UTF-8 encoding""" return CodeSizeCalculator(size_dist_info.git_rev, + size_dist_info.pre_make_cmd, size_dist_info.make_cmd, self.size_common_info.measure_cmd, self.logger).cal_libraries_code_size() @@ -737,7 +824,6 @@ class CodeSizeComparison: self.gen_code_size_report(self.new_size_dist_info) self.gen_code_size_comparison() - def main(): parser = argparse.ArgumentParser(description=(__doc__)) group_required = parser.add_argument_group( 
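Review bot: The constructor in the `@@ -628,6 +708,13 @@` hunk now builds four CodeSizeBuildInfo objects, two per revision, each from the same three arguments. One builder per revision reads more simply: `old_build = CodeSizeBuildInfo(self.old_size_dist_info, self.size_common_info.host_arch, self.logger)` and then `old_build.infer_pre_make_command()` / `old_build.infer_make_command()`, likewise for the new revision. The constructor starts and ends outside this hunk.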
@@ -800,14 +886,17 @@ def main(): new_revision = CodeSizeCalculator.validate_git_revision( comp_args.new_rev) else: - new_revision = "current" + new_revision = 'current' + # version, git_rev, arch, config, compiler, opt_level old_size_dist_info = CodeSizeDistinctInfo( - 'old', old_revision, comp_args.arch, comp_args.config, '') + 'old', old_revision, comp_args.arch, comp_args.config, 'cc', '-Os') new_size_dist_info = CodeSizeDistinctInfo( - 'new', new_revision, comp_args.arch, comp_args.config, '') + 'new', new_revision, comp_args.arch, comp_args.config, 'cc', '-Os') + # host_arch, measure_cmd size_common_info = CodeSizeCommonInfo( detect_arch(), 'size -t') + # record_dir, comp_dir, with_markdown, stdout result_options = CodeSizeResultInfo( comp_args.record_dir, comp_args.comp_dir, comp_args.markdown, comp_args.stdout) From 950590099dbe9b815987e0d30039edc249e54da7 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Mon, 24 Jul 2023 12:29:22 +0800 Subject: [PATCH 073/222] code_size_compare: simplify CodeSizeGeneratorWithSize Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 100 +++++++++++++---------------------- 1 file changed, 38 insertions(+), 62 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 30251835c..4ac798a9f 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -426,8 +426,8 @@ class CodeSizeGenerator: """ A generator based on size measurement tool for library/*.o. This is an abstract class. To use it, derive a class that implements - size_generator_write_record and size_generator_write_comparison methods, - then call both of them with proper arguments. + write_record and write_comparison methods, then call both of them with + proper arguments. """ def __init__(self, logger: logging.Logger) -> None: """ 
@@ -435,11 +435,11 @@ class CodeSizeGenerator: """ self.logger = logger - def size_generator_write_record( + def write_record( self, git_rev: str, - code_size_text: typing.Dict, - output_file: str + code_size_text: typing.Dict[str, str], + output: typing_util.Writable ) -> None: """Write size record into a file. @@ -447,28 +447,26 @@ class CodeSizeGenerator: :param code_size_text: string output (utf-8) from measurement tool of code size. - typing.Dict[mod: str] - :param output_file: file which the code size record is written to. + :param output: output stream which the code size record is written to. + (Note: Normally write code size record into File) """ raise NotImplementedError - def size_generator_write_comparison( + def write_comparison( self, old_rev: str, new_rev: str, - output_stream: str, - result_options: CodeSizeResultInfo + output: typing_util.Writable, + with_markdown=False ) -> None: """Write a comparision result into a stream between two Git revisions. :param old_rev: old Git revision to compared with. :param new_rev: new Git revision to compared with. - :param output_stream: stream which the code size record is written to. - :param result_options: - CodeSizeResultInfo containing options for comparison result. - - result_options.with_markdown: write comparision result in a - markdown table. (Default: False) - - result_options.stdout: direct comparison result into - sys.stdout. (Default: False) + :param output: output stream which the code size record is written to. + (File / sys.stdout) + :param with_markdown: write comparision result in a markdown table. + (Default: False) """ raise NotImplementedError 
@@ -558,15 +556,19 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): for fname, size_entry in file_size.items(): yield mod, fname, size_entry - def _write_size_record( + def write_record( self, git_rev: str, + code_size_text: typing.Dict[str, str], output: typing_util.Writable ) -> None: """Write size information to a file. Writing Format: file_name text data bss total(dec) """ + for mod, size_text in code_size_text.items(): + self._set_size_record(git_rev, mod, size_text) + format_string = "{:<30} {:>7} {:>7} {:>7} {:>7}\n" output.write(format_string.format("filename", "text", "data", "bss", "total")) @@ -575,12 +577,12 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): size_entry.text, size_entry.data, size_entry.bss, size_entry.total)) - def _write_comparison( + def write_comparison( self, old_rev: str, new_rev: str, output: typing_util.Writable, - with_markdown: bool + with_markdown=False ) -> None: """Write comparison result into a file. 
@@ -640,44 +642,6 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): .format(fname, str(text_vari[0]) + "," + str(data_vari[0]))) - def size_generator_write_record( - self, - git_rev: str, - code_size_text: typing.Dict, - output_file: str - ) -> None: - """Write size record into a specified file based on Git revision and - output from `size` tool.""" - self.logger.debug("Generating code size csv for {}.".format(git_rev)) - - for mod, size_text in code_size_text.items(): - self._set_size_record(git_rev, mod, size_text) - - output = open(output_file, "w") - self._write_size_record(git_rev, output) - - def size_generator_write_comparison( - self, - old_rev: str, - new_rev: str, - output_stream: str, - result_options: CodeSizeResultInfo - ) -> None: - """Write a comparision result into a stream between two Git revisions. - - By default, it's written into a file called output_stream. - Once result_options.stdout is set, it's written into sys.stdout instead. - """ - self.logger.debug("Generating comparison results between {} and {}." - .format(old_rev, new_rev)) - - if result_options.stdout: - output = sys.stdout - else: - output = open(output_stream, "w") - self._write_comparison(old_rev, new_rev, output, - result_options.with_markdown) - class CodeSizeComparison: """Compare code size between two Git revisions.""" 
@@ -790,9 +754,14 @@ class CodeSizeComparison: self.code_size_generator.read_size_record( size_dist_info.git_rev, output_file) else: - self.code_size_generator.size_generator_write_record( - size_dist_info.git_rev, self.cal_code_size(size_dist_info), - output_file) + # measure code size + code_size_text = self.cal_code_size(size_dist_info) + + self.logger.debug("Generating code size csv for {}." + .format(size_dist_info.git_rev)) + output = open(output_file, "w") + self.code_size_generator.write_record( + size_dist_info.git_rev, code_size_text, output) def gen_code_size_comparison(self) -> None: """Generate results of code size changes between two Git revisions, @@ -811,10 +780,17 @@ class CodeSizeComparison: self.comp_dir, self.gen_file_name(self.old_size_dist_info, self.new_size_dist_info)) - self.code_size_generator.size_generator_write_comparison( + self.logger.debug("Generating comparison results between {} and {}." + .format(self.old_size_dist_info.git_rev, + self.new_size_dist_info.git_rev)) + if self.result_options.stdout: + output = sys.stdout + else: + output = open(output_file, "w") + self.code_size_generator.write_comparison( self.old_size_dist_info.git_rev, self.new_size_dist_info.git_rev, - output_file, self.result_options) + output, self.result_options.with_markdown) def get_comparision_results(self) -> None: """Compare size of library/*.o between self.old_size_dist_info and From a6cf692e2a6470a194103e4e2fbc480749a6a4c6 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Mon, 24 Jul 2023 15:20:42 +0800 Subject: [PATCH 074/222] code_size_compare: simplify how to generate file name of code size Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 65 ++++++++++++++++-------------------- 1 file changed, 28 insertions(+), 37 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 4ac798a9f..a8c8c9641 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py 
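Review bot: Both `open(output_file, "w")` calls added here — in gen_code_size_report (hunk `@@ -790,9 +754,14 @@`) and in gen_code_size_comparison (hunk `@@ -811,10 +780,17 @@`) — leave the file object unclosed, so flushing the record to disk depends on garbage collection. In gen_code_size_report, `with open(output_file, "w") as output:` around the `write_record(...)` call closes it deterministically. gen_code_size_comparison needs the same for the file branch only, since `sys.stdout` must stay open. Both functions start outside their hunks.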
@@ -90,6 +90,11 @@ class CodeSizeDistinctInfo: # pylint: disable=too-few-public-methods self.pre_make_cmd = [] #type: typing.List[str] self.make_cmd = '' + def get_info_indication(self): + """Return a unique string to indicate Code Size Distinct Information.""" + return '{}-{}-{}-{}'\ + .format(self.git_rev, self.arch, self.config, self.compiler) + class CodeSizeCommonInfo: # pylint: disable=too-few-public-methods """Data structure to store common information for code size comparison.""" @@ -105,6 +110,10 @@ class CodeSizeCommonInfo: # pylint: disable=too-few-public-methods self.host_arch = host_arch self.measure_cmd = measure_cmd + def get_info_indication(self): + """Return a unique string to indicate Code Size Common Information.""" + return '{}'\ + .format(self.measure_cmd.strip().split(' ')[0]) class CodeSizeResultInfo: # pylint: disable=too-few-public-methods """Data structure to store result options for code size comparison.""" 
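Review bot: CodeSizeDistinctInfo.get_info_indication() is documented as returning a unique string, but it leaves out `opt_level`, and its `compiler` is the value passed by main() (`'cc'`) rather than the one actually used: CodeSizeBuildInfo.infer_make_cflags() switches its own copy to `armclang` when the config is SupportedConfig.TFM_MEDIUM. This commit uses the string as the record file name, and gen_code_size_report reuses an existing record for any revision other than `current`, so once the compiler or optimization level can vary, a stale record from a different build could be read back as the result. Including the missing field, e.g. `'{}-{}-{}-{}-{}'.format(self.git_rev, self.arch, self.config, self.compiler, self.opt_level)`, and storing the effective compiler on the info object would keep records apart.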
@@ -717,35 +726,16 @@ class CodeSizeComparison: self.size_common_info.measure_cmd, self.logger).cal_libraries_code_size() - def gen_file_name( - self, - old_size_dist_info: CodeSizeDistinctInfo, - new_size_dist_info=None - ) -> str: - """Generate a literal string as csv file name.""" - if new_size_dist_info: - return '{}-{}-{}-{}-{}-{}-{}.csv'\ - .format(old_size_dist_info.git_rev, old_size_dist_info.arch, - old_size_dist_info.config, - new_size_dist_info.git_rev, new_size_dist_info.arch, - new_size_dist_info.config, - self.size_common_info.measure_cmd.strip()\ - .split(' ')[0]) - else: - return '{}-{}-{}-{}.csv'\ - .format(old_size_dist_info.git_rev, - old_size_dist_info.arch, - old_size_dist_info.config, - self.size_common_info.measure_cmd.strip()\ - .split(' ')[0]) - def gen_code_size_report(self, size_dist_info: CodeSizeDistinctInfo) -> None: """Generate code size record and write it into a file.""" self.logger.info("Start to generate code size record for {}." .format(size_dist_info.git_rev)) - output_file = os.path.join(self.csv_dir, - self.gen_file_name(size_dist_info)) + output_file = os.path.join( + self.csv_dir, + '{}-{}.csv' + .format(size_dist_info.get_info_indication(), + self.size_common_info.get_info_indication())) # Check if the corresponding record exists if size_dist_info.git_rev != "current" and \ os.path.exists(output_file): 
@@ -776,17 +766,20 @@ class CodeSizeComparison: "{} and {}." .format(self.old_size_dist_info.git_rev, self.new_size_dist_info.git_rev)) - output_file = os.path.join( - self.comp_dir, - self.gen_file_name(self.old_size_dist_info, self.new_size_dist_info)) + if self.result_options.stdout: + output = sys.stdout + else: + output_file = os.path.join( + self.comp_dir, + '{}-{}-{}.csv' + .format(self.old_size_dist_info.get_info_indication(), + self.new_size_dist_info.get_info_indication(), + self.size_common_info.get_info_indication())) + output = open(output_file, "w") self.logger.debug("Generating comparison results between {} and {}." .format(self.old_size_dist_info.git_rev, self.new_size_dist_info.git_rev)) - if self.result_options.stdout: - output = sys.stdout - else: - output = open(output_file, "w") self.code_size_generator.write_comparison( self.old_size_dist_info.git_rev, self.new_size_dist_info.git_rev, @@ -877,12 +870,10 @@ def main(): comp_args.record_dir, comp_args.comp_dir, comp_args.markdown, comp_args.stdout) - logger.info("Measure code size between {}:{}-{} and {}:{}-{} by `{}`." - .format(old_size_dist_info.git_rev, old_size_dist_info.config, - old_size_dist_info.arch, - new_size_dist_info.git_rev, old_size_dist_info.config, - new_size_dist_info.arch, - size_common_info.measure_cmd.strip().split(' ')[0])) + logger.info("Measure code size between {} and {} by `{}`." + .format(old_size_dist_info.get_info_indication(), + new_size_dist_info.get_info_indication(), + size_common_info.get_info_indication())) CodeSizeComparison(old_size_dist_info, new_size_dist_info, size_common_info, result_options, logger).get_comparision_results() From 69262fc087ca62255a6a78e61657460416e75f79 Mon Sep 17 00:00:00 2001 
From: Yanray Wang Date: Mon, 24 Jul 2023 16:36:40 +0800 Subject: [PATCH 075/222] code_size_compare: add extra indication if print to sys.stdout If we output comparison result into sys.stdout, it will print an extra line to show information we used for code size comparison in detail. This would be helpful if we copy & paste code size changes in Github comment. Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index a8c8c9641..b886a9e99 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -768,6 +768,10 @@ class CodeSizeComparison: self.new_size_dist_info.git_rev)) if self.result_options.stdout: output = sys.stdout + print("Measure code size between `{}` and `{}` by `{}`." + .format(self.old_size_dist_info.get_info_indication(), + self.new_size_dist_info.get_info_indication(), + self.size_common_info.get_info_indication())) else: output_file = os.path.join( self.comp_dir, From f2cd717952bc97a23dcfdfd85ba75aef43e3c6af Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Mon, 24 Jul 2023 16:56:46 +0800 Subject: [PATCH 076/222] code_size_compare: print 'None' if comparing size for a new file Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index b886a9e99..e79b37908 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -647,9 +647,11 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): "{:.2%}".format(text_vari[3]) + "," + "{:.2%}".format(data_vari[3]))) else: - output.write("{:<30} {:<18}\n" - .format(fname, - str(text_vari[0]) + "," + str(data_vari[0]))) + output.write( + format_string + .format(fname, + str(text_vari[0]) + "," + str(data_vari[0]), + 'None', 'None', 'None')) class CodeSizeComparison: 
From 25bd33189927a2741124afb45fb719e3e87ecce3 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Tue, 25 Jul 2023 10:24:20 +0800 Subject: [PATCH 077/222] code_size_compare: round percentage to an integer value Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index e79b37908..88578feb4 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -644,8 +644,8 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): str(text_vari[0]) + "," + str(data_vari[0]), str(text_vari[1]) + "," + str(data_vari[1]), str(text_vari[2]) + "," + str(data_vari[2]), - "{:.2%}".format(text_vari[3]) + "," - + "{:.2%}".format(data_vari[3]))) + "{:.0%}".format(text_vari[3]) + "," + + "{:.0%}".format(data_vari[3]))) else: output.write( format_string From e4a3636fac45317323c4132450368f824a945d27 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Tue, 25 Jul 2023 10:37:11 +0800 Subject: [PATCH 078/222] code_size_compare: add comments to make code more readable Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 88578feb4..0c29c41fa 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -92,8 +92,9 @@ class CodeSizeDistinctInfo: # pylint: disable=too-few-public-methods def get_info_indication(self): """Return a unique string to indicate Code Size Distinct Information.""" - return '{}-{}-{}-{}'\ - .format(self.git_rev, self.arch, self.config, self.compiler) + return '{rev}-{arch}-{config}-{cc}'\ + .format(rev=self.git_rev, arch=self.arch, config=self.config, + cc=self.compiler) class CodeSizeCommonInfo: # pylint: disable=too-few-public-methods 
@@ -112,8 +113,8 @@ class CodeSizeCommonInfo: # pylint: disable=too-few-public-methods def get_info_indication(self): """Return a unique string to indicate Code Size Common Information.""" - return '{}'\ - .format(self.measure_cmd.strip().split(' ')[0]) + return '{measure_tool}'\ + .format(measure_tool=self.measure_cmd.strip().split(' ')[0]) class CodeSizeResultInfo: # pylint: disable=too-few-public-methods """Data structure to store result options for code size comparison.""" @@ -223,11 +224,11 @@ class CodeSizeBuildInfo: # pylint: disable=too-few-public-methods """Infer command to set up proper configuration before running make.""" pre_make_cmd = [] #type: typing.List[str] if self.config == SupportedConfig.TFM_MEDIUM.value: - pre_make_cmd.append('cp -r {} {}' - .format(TFM_MEDIUM_CONFIG_H, CONFIG_H)) - pre_make_cmd.append('cp -r {} {}' - .format(TFM_MEDIUM_CRYPTO_CONFIG_H, - CRYPTO_CONFIG_H)) + pre_make_cmd.append('cp -r {src} {dest}' + .format(src=TFM_MEDIUM_CONFIG_H, dest=CONFIG_H)) + pre_make_cmd.append('cp -r {src} {dest}' + .format(src=TFM_MEDIUM_CRYPTO_CONFIG_H, + dest=CRYPTO_CONFIG_H)) return pre_make_cmd @@ -641,15 +642,20 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): output.write( format_string .format(fname, + # current(text,data) str(text_vari[0]) + "," + str(data_vari[0]), + # old(text,data) str(text_vari[1]) + "," + str(data_vari[1]), + # change(text,data) str(text_vari[2]) + "," + str(data_vari[2]), + # change%(text,data) "{:.0%}".format(text_vari[3]) + "," + "{:.0%}".format(data_vari[3]))) else: output.write( format_string .format(fname, + # current(text,data) str(text_vari[0]) + "," + str(data_vari[0]), 'None', 'None', 'None')) From e3268afb117bc4e66bce2107cf6058fc7e10b633 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 25 Jul 2023 17:33:55 +0100 Subject: [PATCH 079/222] Add PSA SHA3 tests for hash_verify and multipart 
Signed-off-by: Dave Rodgman --- tests/suites/test_suite_psa_crypto_hash.data | 80 ++++++++++++++++++++ 1 file changed, 80 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto_hash.data b/tests/suites/test_suite_psa_crypto_hash.data index 1133c398d..769df58e1 100644 --- a/tests/suites/test_suite_psa_crypto_hash.data +++ b/tests/suites/test_suite_psa_crypto_hash.data @@ -310,6 +310,22 @@ PSA hash verify: RIPEMD160 depends_on:PSA_WANT_ALG_RIPEMD160 hash_verify:PSA_ALG_RIPEMD160:"bd":"5089265ee5d9af75d12dbf7ea2f27dbdee435b37" +PSA hash verify: SHA3-224 +depends_on:PSA_WANT_ALG_SHA3_224 +hash_verify:PSA_ALG_SHA3_224:"bd":"79bd1a58a357d1a0ac15b43400bc396d17bdc6d3d90369f16f650b25" + +PSA hash verify: SHA3-256 +depends_on:PSA_WANT_ALG_SHA3_256 +hash_verify:PSA_ALG_SHA3_256:"bd":"b389fa0f45f21196cc2736e8de396497a2414be31e7a500a499918b8cf3257b2" + +PSA hash verify: SHA3-384 +depends_on:PSA_WANT_ALG_SHA3_384 +hash_verify:PSA_ALG_SHA3_384:"bd":"5a337b67965736040c5b1f2d4df7f9ca76cf01866c7d64ed8dd812b97995da9b14ef07f9c4d9190888e4b15c4df2203d" + +PSA hash verify: SHA3-512 +depends_on:PSA_WANT_ALG_SHA3_512 +hash_verify:PSA_ALG_SHA3_512:"bd":"72bacd82495cb72a44523cda462f0f02c9f33b6312e24e44f5c40deed2bbc37854b606cb2f62cce6a394b4157d8e6e89b22682380dc129dddd402693ffa98a6c" + PSA hash multi part: SHA-1 Test Vector NIST CAVS #1 depends_on:PSA_WANT_ALG_SHA_1 hash_multi_part:PSA_ALG_SHA_1:"":"da39a3ee5e6b4b0d3255bfef95601890afd80709" 
@@ -529,3 +545,67 @@ hash_multi_part:PSA_ALG_RIPEMD160:"4142434445464748494a4b4c4d4e4f505152535455565 PSA hash multi part: RIPEMD160 Test vector from paper #8 depends_on:PSA_WANT_ALG_RIPEMD160 hash_multi_part:PSA_ALG_RIPEMD160:"3132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930":"9b752e45573d4b39f4dbd3323cab82bf63326bfb" + +PSA hash multi part: SHA3-224 Test Vector NIST "" +depends_on:PSA_WANT_ALG_SHA3_224 +hash_multi_part:PSA_ALG_SHA3_224:"":"6b4e03423667dbb73b6e15454f0eb1abd4597f9a1b078e3f5b5a6bc7" + +PSA hash multi part: SHA3-256 Test Vector NIST "" +depends_on:PSA_WANT_ALG_SHA3_256 +hash_multi_part:PSA_ALG_SHA3_256:"616263":"3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532" + +PSA hash multi part: SHA3-384 Test Vector NIST "" +depends_on:PSA_WANT_ALG_SHA3_384 +hash_multi_part:PSA_ALG_SHA3_384:"":"0c63a75b845e4f7d01107d852e4c2485c51a50aaaa94fc61995e71bbee983a2ac3713831264adb47fb6bd1e058d5f004" + +PSA hash multi part: SHA3-512 Test Vector NIST "" +depends_on:PSA_WANT_ALG_SHA3_512 +hash_multi_part:PSA_ALG_SHA3_512:"":"a69f73cca23a9ac5c8b567dc185a756e97c982164fe25859e0d1dcc1475c80a615b2123af1f5f94c11e3e9402c3ac558f500199d95b6d3e301758586281dcd26" + +PSA hash multi part: SHA3-224 Test Vector NIST "abc" +depends_on:PSA_WANT_ALG_SHA3_224 +hash_multi_part:PSA_ALG_SHA3_224:"616263":"e642824c3f8cf24ad09234ee7d3c766fc9a3a5168d0c94ad73b46fdf" + +PSA hash multi part: SHA3-256 Test Vector NIST "abc" +depends_on:PSA_WANT_ALG_SHA3_256 +hash_multi_part:PSA_ALG_SHA3_256:"616263":"3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532" + +PSA hash multi part: SHA3-384 Test Vector NIST "abc" +depends_on:PSA_WANT_ALG_SHA3_384 +hash_multi_part:PSA_ALG_SHA3_384:"616263":"ec01498288516fc926459f58e2c6ad8df9b473cb0fc08c2596da7cf0e49be4b298d88cea927ac7f539f1edf228376d25" + +PSA hash multi part: SHA3-512 Test Vector NIST "abc" 
+depends_on:PSA_WANT_ALG_SHA3_512 +hash_multi_part:PSA_ALG_SHA3_512:"616263":"b751850b1a57168a5693cd924b6b096e08f621827444f70d884f5d0240d2712e10e116e9192af3c91a7ec57647e3934057340b4cf408d5a56592f8274eec53f0" + +PSA hash multi part: SHA3-224 Test Vector NIST 448 bits: "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" +depends_on:PSA_WANT_ALG_SHA3_224 +hash_multi_part:PSA_ALG_SHA3_224:"6162636462636465636465666465666765666768666768696768696a68696a6b696a6b6c6a6b6c6d6b6c6d6e6c6d6e6f6d6e6f706e6f7071":"8a24108b154ada21c9fd5574494479ba5c7e7ab76ef264ead0fcce33" + +PSA hash multi part: SHA3-256 Test Vector NIST 448 bits: "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" +depends_on:PSA_WANT_ALG_SHA3_256 +hash_multi_part:PSA_ALG_SHA3_256:"6162636462636465636465666465666765666768666768696768696a68696a6b696a6b6c6a6b6c6d6b6c6d6e6c6d6e6f6d6e6f706e6f7071":"41c0dba2a9d6240849100376a8235e2c82e1b9998a999e21db32dd97496d3376" + +PSA hash multi part: SHA3-384 Test Vector NIST 448 bits: "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" +depends_on:PSA_WANT_ALG_SHA3_384 +hash_multi_part:PSA_ALG_SHA3_384:"6162636462636465636465666465666765666768666768696768696a68696a6b696a6b6c6a6b6c6d6b6c6d6e6c6d6e6f6d6e6f706e6f7071":"991c665755eb3a4b6bbdfb75c78a492e8c56a22c5c4d7e429bfdbc32b9d4ad5aa04a1f076e62fea19eef51acd0657c22" + +PSA hash multi part: SHA3-512 Test Vector NIST 448 bits: "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" +depends_on:PSA_WANT_ALG_SHA3_512 +hash_multi_part:PSA_ALG_SHA3_512:"6162636462636465636465666465666765666768666768696768696a68696a6b696a6b6c6a6b6c6d6b6c6d6e6c6d6e6f6d6e6f706e6f7071":"04a371e84ecfb5b8b77cb48610fca8182dd457ce6f326a0fd3d7ec2f1e91636dee691fbe0c985302ba1b0d8dc78c086346b533b49c030d99a27daf1139d6e75e" + +PSA hash multi part: SHA3-224 Test Vector NIST 896 bits: "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" +depends_on:PSA_WANT_ALG_SHA3_224 
+hash_multi_part:PSA_ALG_SHA3_224:"61626364656667686263646566676869636465666768696a6465666768696a6b65666768696a6b6c666768696a6b6c6d6768696a6b6c6d6e68696a6b6c6d6e6f696a6b6c6d6e6f706a6b6c6d6e6f70716b6c6d6e6f7071726c6d6e6f707172736d6e6f70717273746e6f707172737475":"543e6868e1666c1a643630df77367ae5a62a85070a51c14cbf665cbc" + +PSA hash multi part: SHA3-256 Test Vector NIST 896 bits: "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" +depends_on:PSA_WANT_ALG_SHA3_256 +hash_multi_part:PSA_ALG_SHA3_256:"61626364656667686263646566676869636465666768696a6465666768696a6b65666768696a6b6c666768696a6b6c6d6768696a6b6c6d6e68696a6b6c6d6e6f696a6b6c6d6e6f706a6b6c6d6e6f70716b6c6d6e6f7071726c6d6e6f707172736d6e6f70717273746e6f707172737475":"916f6061fe879741ca6469b43971dfdb28b1a32dc36cb3254e812be27aad1d18" + +PSA hash multi part: SHA3-384 Test Vector NIST 896 bits: "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" +depends_on:PSA_WANT_ALG_SHA3_384 +hash_multi_part:PSA_ALG_SHA3_384:"61626364656667686263646566676869636465666768696a6465666768696a6b65666768696a6b6c666768696a6b6c6d6768696a6b6c6d6e68696a6b6c6d6e6f696a6b6c6d6e6f706a6b6c6d6e6f70716b6c6d6e6f7071726c6d6e6f707172736d6e6f70717273746e6f707172737475":"79407d3b5916b59c3e30b09822974791c313fb9ecc849e406f23592d04f625dc8c709b98b43b3852b337216179aa7fc7" + +PSA hash multi part: SHA3-512 Test Vector NIST 896 bits: "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" +depends_on:PSA_WANT_ALG_SHA3_512 
+hash_multi_part:PSA_ALG_SHA3_512:"61626364656667686263646566676869636465666768696a6465666768696a6b65666768696a6b6c666768696a6b6c6d6768696a6b6c6d6e68696a6b6c6d6e6f696a6b6c6d6e6f706a6b6c6d6e6f70716b6c6d6e6f7071726c6d6e6f707172736d6e6f70717273746e6f707172737475":"afebb2ef542e6579c50cad06d2e578f9f8dd6881d7dc824d26360feebf18a4fa73e3261122948efcfd492e74e82e2189ed0fb440d187f382270cb455f21dd185" From 2ba9df2c1b7873507d7316b37a793a6feaf64056 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Wed, 26 Jul 2023 10:11:31 +0800 Subject: [PATCH 080/222] code_size_compare: direct error message by logger.error Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 0c29c41fa..53d4e3b6d 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -262,16 +262,16 @@ class CodeSizeBuildInfo: # pylint: disable=too-few-public-methods "and configuration: {}.\n" .format(self.arch, self.config)) - self.logger.info("Please use supported combination of " \ + self.logger.error("Please use supported combination of " \ "architecture and configuration:") for comb in CodeSizeBuildInfo.SupportedArchConfig: - self.logger.info(comb) - self.logger.info("") - self.logger.info("For your system, please use:") + self.logger.error(comb) + self.logger.error("") + self.logger.error("For your system, please use:") for comb in CodeSizeBuildInfo.SupportedArchConfig: if "default" in comb and self.host_arch not in comb: continue - self.logger.info(comb) + self.logger.error(comb) sys.exit(1) From 533cde22c02fe31145d857c76889b999bdd70d06 Mon Sep 17 00:00:00 2001 
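Review bot: SHA3-256 over the empty message is never checked in the multi-part hunk of tests/suites/test_suite_psa_crypto_hash.data. The case titled `PSA hash multi part: SHA3-256 Test Vector NIST ""` passes `"616263"` and expects the digest beginning `3a985da7`, which is exactly the `NIST "abc"` case added a few lines later. The 224, 384 and 512 empty-message cases in the same hunk do pass `""`, so this looks like a copy-paste slip. The line should read `hash_multi_part:PSA_ALG_SHA3_256:"":"<SHA3-256 digest of the empty message, taken from the NIST example values>"`.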
From: Yanray Wang Date: Wed, 26 Jul 2023 10:17:17 +0800 Subject: [PATCH 081/222] code_size_compare: set log level as ERROR in option --stdout If we use option --stdout, the logging level is set as logging.ERROR. But --verbose is able to overwrite logging level as logging.INFO if we want to display intermediate log in the process of code size comparison. Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 53d4e3b6d..2bb8b0e2a 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -856,7 +856,10 @@ def main(): logger = logging.getLogger() logging_util.configure_logger(logger) - logger.setLevel(logging.DEBUG if comp_args.verbose else logging.INFO) + if comp_args.stdout and not comp_args.verbose: + logger.setLevel(logging.ERROR) + else: + logger.setLevel(logging.DEBUG if comp_args.verbose else logging.INFO) if os.path.isfile(comp_args.comp_dir): logger.error("{} is not a directory".format(comp_args.comp_dir)) From ea842e791bc3d5aea864365356f0c141444b6586 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Wed, 26 Jul 2023 10:34:39 +0800 Subject: [PATCH 082/222] code_size_compare: print prompt message under correct condition Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 2bb8b0e2a..55d116e8f 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -776,10 +776,6 @@ class CodeSizeComparison: self.new_size_dist_info.git_rev)) if self.result_options.stdout: output = sys.stdout - print("Measure code size between `{}` and `{}` by `{}`." - .format(self.old_size_dist_info.get_info_indication(), - self.new_size_dist_info.get_info_indication(), - self.size_common_info.get_info_indication())) else: output_file = os.path.join( self.comp_dir, 
@@ -792,6 +788,12 @@ class CodeSizeComparison: self.logger.debug("Generating comparison results between {} and {}." .format(self.old_size_dist_info.git_rev, self.new_size_dist_info.git_rev)) + if self.result_options.with_markdown or self.result_options.stdout: + print("Measure code size between {} and {} by `{}`." + .format(self.old_size_dist_info.get_info_indication(), + self.new_size_dist_info.get_info_indication(), + self.size_common_info.get_info_indication()), + file=output) self.code_size_generator.write_comparison( self.old_size_dist_info.git_rev, self.new_size_dist_info.git_rev, From bef1acd7b805c42f388bad3000efe9b1a616dc74 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Wed, 26 Jul 2023 10:45:11 +0800 Subject: [PATCH 083/222] code_size_compare: left align file names in markdown table Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 55d116e8f..464290644 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -625,7 +625,7 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): "change(text,data)", "change%(text,data)")) if with_markdown: output.write(format_string - .format("----:", "----:", "----:", "----:", "----:")) + .format(":----", "----:", "----:", "----:", "----:")) for mod, fname, size_entry in \ self._size_reader_helper(new_rev, output, with_markdown): From 68265f41d7b805727fdf1126cd8789999dea4fca Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Wed, 26 Jul 2023 14:44:52 +0800 Subject: [PATCH 084/222] code_size_compare: use `current` as default new Git revision Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 464290644..d4285fd61 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py 
@@ -828,7 +828,7 @@ def main(): help='directory where comparison result is stored. ' '(Default: comparison)') group_optional.add_argument( - '-n', '--new-rev', type=str, default=None, + '-n', '--new-rev', type=str, default='current', help='new Git revision as comparison base. ' '(Default is the current work directory, including uncommitted ' 'changes.)') @@ -867,18 +867,17 @@ def main(): logger.error("{} is not a directory".format(comp_args.comp_dir)) parser.exit() - old_revision = CodeSizeCalculator.validate_git_revision(comp_args.old_rev) - if comp_args.new_rev is not None: - new_revision = CodeSizeCalculator.validate_git_revision( + comp_args.old_rev = CodeSizeCalculator.validate_git_revision( + comp_args.old_rev) + if comp_args.new_rev != 'current': + comp_args.new_rev = CodeSizeCalculator.validate_git_revision( comp_args.new_rev) - else: - new_revision = 'current' # version, git_rev, arch, config, compiler, opt_level old_size_dist_info = CodeSizeDistinctInfo( - 'old', old_revision, comp_args.arch, comp_args.config, 'cc', '-Os') + 'old', comp_args.old_rev, comp_args.arch, comp_args.config, 'cc', '-Os') new_size_dist_info = CodeSizeDistinctInfo( - 'new', new_revision, comp_args.arch, comp_args.config, 'cc', '-Os') + 'new', comp_args.new_rev, comp_args.arch, comp_args.config, 'cc', '-Os') # host_arch, measure_cmd size_common_info = CodeSizeCommonInfo( detect_arch(), 'size -t') From 15b1358f220139f7705aed74c541e6c3fd8d5a2c Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Wed, 26 Jul 2023 14:48:08 +0800 Subject: [PATCH 085/222] logging_util: rename argument Signed-off-by: Yanray Wang --- scripts/mbedtls_dev/logging_util.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/mbedtls_dev/logging_util.py b/scripts/mbedtls_dev/logging_util.py index 962361a49..85a3f19ac 100644 --- a/scripts/mbedtls_dev/logging_util.py +++ b/scripts/mbedtls_dev/logging_util.py 
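Review bot: Making `'current'` the argparse default turns it into an in-band sentinel. In the second hunk, `if comp_args.new_rev != 'current':` skips `validate_git_revision` for any caller who passes `-n current`, including one whose repository really has a branch or tag with that name. Presumably the working directory is then measured instead of that ref, with no warning. Keeping `default=None` and mapping it afterwards keeps the sentinel out of the user-supplied value space: `if comp_args.new_rev is None: comp_args.new_rev = 'current'` with an `else:` branch that validates. At minimum the `--new-rev` help text should state that `current` is reserved. main() starts and ends outside both hunks, so how `'current'` is consumed downstream is not visible here.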
@@ -21,11 +21,11 @@ import sys def configure_logger( logger: logging.Logger, - logger_format="[%(levelname)s]: %(message)s" + log_format="[%(levelname)s]: %(message)s" ) -> None: """ Configure the logging.Logger instance so that: - - Format is set to any logger_format. + - Format is set to any log_format. Default: "[%(levelname)s]: %(message)s" - loglevel >= WARNING are printed to stderr. - loglevel < WARNING are printed to stdout. @@ -39,7 +39,7 @@ def configure_logger( def filter(self, record: logging.LogRecord) -> bool: return record.levelno <= self.max_level - log_formatter = logging.Formatter(logger_format) + log_formatter = logging.Formatter(log_format) # set loglevel >= WARNING to be printed to stderr stderr_hdlr = logging.StreamHandler(sys.stderr) From 6ef5049b9ffb9ce6688e7ca9deac22595e4b1b64 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Wed, 26 Jul 2023 14:59:37 +0800 Subject: [PATCH 086/222] code_size_compare: simplify some code for python dictionary Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index d4285fd61..9b81b82f1 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -92,9 +92,7 @@ class CodeSizeDistinctInfo: # pylint: disable=too-few-public-methods def get_info_indication(self): """Return a unique string to indicate Code Size Distinct Information.""" - return '{rev}-{arch}-{config}-{cc}'\ - .format(rev=self.git_rev, arch=self.arch, config=self.config, - cc=self.compiler) + return '{git_rev}-{arch}-{config}-{compiler}'.format(**self.__dict__) class CodeSizeCommonInfo: # pylint: disable=too-few-public-methods 
@@ -518,10 +516,7 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): # file_name: SizeEntry(text, data, bss, dec) size_record[data[5]] = CodeSizeGeneratorWithSize.SizeEntry( data[0], data[1], data[2], data[3]) - if git_rev in self.code_size: - self.code_size[git_rev].update({mod: size_record}) - else: - self.code_size[git_rev] = {mod: size_record} + self.code_size.setdefault(git_rev, {}).update({mod: size_record}) def read_size_record(self, git_rev: str, fname: str) -> None: """Read size information from csv file and write it into code_size. From a279ca9ff8dcfcfa6fa0317fdda9efe27f65f3d9 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Wed, 26 Jul 2023 15:01:10 +0800 Subject: [PATCH 087/222] code_size_compare: remove unnecessary -r in cp command Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 9b81b82f1..5fa6d8f78 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -222,9 +222,9 @@ class CodeSizeBuildInfo: # pylint: disable=too-few-public-methods """Infer command to set up proper configuration before running make.""" pre_make_cmd = [] #type: typing.List[str] if self.config == SupportedConfig.TFM_MEDIUM.value: - pre_make_cmd.append('cp -r {src} {dest}' + pre_make_cmd.append('cp {src} {dest}' .format(src=TFM_MEDIUM_CONFIG_H, dest=CONFIG_H)) - pre_make_cmd.append('cp -r {src} {dest}' + pre_make_cmd.append('cp {src} {dest}' .format(src=TFM_MEDIUM_CRYPTO_CONFIG_H, dest=CRYPTO_CONFIG_H)) From 9e8b671b1c52d29227feb770c65730a01ca7e5e7 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Wed, 26 Jul 2023 15:37:26 +0800 Subject: [PATCH 088/222] code_size_compare: check --record-dir properly Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) 
diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 5fa6d8f78..89d8fe92c 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -815,11 +815,11 @@ def main(): 'optional arguments', 'optional arguments to parse for running ' + os.path.basename(__file__)) group_optional.add_argument( - '--record_dir', type=str, default='code_size_records', + '--record-dir', type=str, default='code_size_records', help='directory where code size record is stored. ' '(Default: code_size_records)') group_optional.add_argument( - '-r', '--comp-dir', type=str, default='comparison', + '--comp-dir', type=str, default='comparison', help='directory where comparison result is stored. ' '(Default: comparison)') group_optional.add_argument( @@ -858,9 +858,14 @@ def main(): else: logger.setLevel(logging.DEBUG if comp_args.verbose else logging.INFO) + if os.path.isfile(comp_args.record_dir): + logger.error("record directory: {} is not a directory" + .format(comp_args.record_dir)) + sys.exit(1) if os.path.isfile(comp_args.comp_dir): - logger.error("{} is not a directory".format(comp_args.comp_dir)) - parser.exit() + logger.error("comparison directory: {} is not a directory" + .format(comp_args.comp_dir)) + sys.exit(1) comp_args.old_rev = CodeSizeCalculator.validate_git_revision( comp_args.old_rev) From 6ae94a0a72b6345b07727ad0713c081352425719 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Wed, 26 Jul 2023 17:12:57 +0800 Subject: [PATCH 089/222] code_size_compare: make sure _remove_worktree executed Add try and finally to make sure we remove worktree as expected even if we hit errors by accident. Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 89d8fe92c..cc43dc75d 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py 
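Review bot: Existing invocations that pass `--record_dir` or the `-r` short form of `--comp-dir` will now be rejected by argparse, because the first hunk renames the former and drops the latter, and the commit message mentions neither. argparse accepts several option strings for one argument, so the old spelling can stay as an alias: `'--record-dir', '--record_dir', type=str, default='code_size_records',`. In the second hunk, `os.path.isfile()` catches only an existing regular file; `os.path.exists(p) and not os.path.isdir(p)` would also reject the other non-directory cases. main() continues outside both hunks.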
@@ -423,9 +423,11 @@ class CodeSizeCalculator: """ git_worktree_path = self._create_git_worktree() - self._build_libraries(git_worktree_path) - res = self._gen_raw_code_size(git_worktree_path) - self._remove_worktree(git_worktree_path) + try: + self._build_libraries(git_worktree_path) + res = self._gen_raw_code_size(git_worktree_path) + finally: + self._remove_worktree(git_worktree_path) return res From ca9a3cbc1de8961707f078cab9ec0138eaeed84f Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Wed, 26 Jul 2023 17:16:29 +0800 Subject: [PATCH 090/222] code_size_compare: detect architecture of x86_32 properly Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index cc43dc75d..3b988a623 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -147,7 +147,7 @@ def detect_arch() -> str: return SupportedArch.AARCH32.value if '__x86_64__' in cc_output: return SupportedArch.X86_64.value - if '__x86__' in cc_output: + if '__i386__' in cc_output: return SupportedArch.X86.value else: print("Unknown host architecture, cannot auto-detect arch.") From e0ac2ffbf043c7f100bc4daa72f9dee403f58643 Mon Sep 17 00:00:00 2001 From: Tom Cosgrove Date: Wed, 26 Jul 2023 11:45:51 +0100 Subject: [PATCH 091/222] Clarify in README.md that 'the project' is Mbed TLS Signed-off-by: Tom Cosgrove --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index cbdb2df3a..449be1e97 100644 --- a/README.md +++ b/README.md 
@@ -313,7 +313,7 @@ Unless specifically indicated otherwise in a file, Mbed TLS files are provided u This project contains code from other projects. This code is located within the `3rdparty/` directory. The original license text is included within project subdirectories, and in source files. The projects are listed below: * `3rdparty/everest/`: Files stem from [Project Everest](https://project-everest.github.io/) and are distributed under the Apache 2.0 license. -* `3rdparty/p256-m/p256-m/`: Files have been taken from the [p256-m](https://github.com/mpg/p256-m) repository. The code in the original repository is distributed under the Apache 2.0 license. It is also used by the project under the Apache 2.0 license. We do not plan to regularly update these files, so they may not contain fixes and improvements present in the upstream project. +* `3rdparty/p256-m/p256-m/`: Files have been taken from the [p256-m](https://github.com/mpg/p256-m) repository. The code in the original repository is distributed under the Apache 2.0 license. It is also used by Mbed TLS under the Apache 2.0 license. We do not plan to regularly update these files, so they may not contain fixes and improvements present in the upstream project. Contributing ------------ From f884e603b952a511dcdf777e636da1074eed1340 Mon Sep 17 00:00:00 2001 From: Tom Cosgrove Date: Wed, 26 Jul 2023 11:44:45 +0100 Subject: [PATCH 092/222] Have a single source of truth for licensing information MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We had information in both README.md and CONTRIBUTING.md about Mbed TLS licensing, but the information in CONTRIBUTING.md was missing that authors still need to accept that their contributions may be distributed under both Apache 2.0 and GPLv2-or-later. Move all but the most high-level “Mbed TLS files are provided under the Apache-2.0 license” statement to CONTRIBUTING.md, and tidy up the text a bit. 
Signed-off-by: Tom Cosgrove --- CONTRIBUTING.md | 10 ++++++++-- README.md | 3 ++- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 3a8c5c65b..0510065b2 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -84,8 +84,14 @@ Mbed TLS is well documented, but if you think documentation is needed, speak out License and Copyright --------------------- -All new files should include the [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) standard license header where possible. For licensing details, please see the [License section of the README](README.md#License). +Unless specifically indicated otherwise in a file, Mbed TLS files are provided under the [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) license. See the [LICENSE](LICENSE) file for the full text of this license. + +Contributors must accept that their contributions are made under both the Apache-2.0 AND [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) licenses. This enables LTS (Long Term Support) branches of the software to be provided under either the Apache-2.0 or GPL-2.0-or-later licenses. + +All new files should include the [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) standard license header where possible. The copyright on contributions is retained by the original authors of the code. Where possible for new files, this should be noted in a comment at the top of the file in the form: "Copyright The Mbed TLS Contributors". -When contributing code to us, the committer and all authors are required to make the submission under the terms of the [Developer Certificate of Origin](dco.txt), confirming that the code submitted can (legally) become part of the project, and be subject to the same Apache 2.0 license. This is done by including the standard Git `Signed-off-by:` line in every commit message. If more than one person contributed to the commit, they should also add their own `Signed-off-by:` line. 
+When contributing code to us, the committer and all authors are required to make the submission under the terms of the [Developer Certificate of Origin](dco.txt), confirming that the code submitted can (legally) become part of the project, and be subject to either or both the Apache 2.0 and/or GPL-2.0-or-later licenses. + +This is done by including the standard Git `Signed-off-by:` line in every commit message. If more than one person contributed to the commit, they should also add their own `Signed-off-by:` line. diff --git a/README.md b/README.md index 449be1e97..a3fcd2e15 100644 --- a/README.md +++ b/README.md 
@@ -307,9 +307,10 @@ When using drivers, you will generally want to enable two compilation options (s License ------- -Unless specifically indicated otherwise in a file, Mbed TLS files are provided under the [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) license. See the [LICENSE](LICENSE) file for the full text of this license. Contributors must accept that their contributions are made under both the Apache-2.0 AND [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) licenses. This enables LTS (Long Term Support) branches of the software to be provided under either the Apache-2.0 OR GPL-2.0-or-later licenses. +Unless specifically indicated otherwise in a file, Mbed TLS files are provided under the [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) license. See the [LICENSE](LICENSE) file for the full text of this license, and [the 'License and Copyright' section in the contributing guidelines](CONTRIBUTING.md#License-and-Copyright) for more information. ### Third-party code included in Mbed TLS + This project contains code from other projects. This code is located within the `3rdparty/` directory. The original license text is included within project subdirectories, and in source files. The projects are listed below: * `3rdparty/everest/`: Files stem from [Project Everest](https://project-everest.github.io/) and are distributed under the Apache 2.0 license. From 2be22a00eb6e203514937c1cb3a1150fbc25d183 Mon Sep 17 00:00:00 2001 From: Tom Cosgrove Date: Wed, 26 Jul 2023 12:32:34 +0100 Subject: [PATCH 093/222] Update CONTRIBUTING.md Co-authored-by: Dave Rodgman Signed-off-by: Tom Cosgrove --- CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 0510065b2..8454fb8ea 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -92,6 +92,6 @@ All new files should include the [Apache-2.0](https://spdx.org/licenses/Apache-2 The copyright on contributions is retained by the original authors of the code. Where possible for new files, this should be noted in a comment at the top of the file in the form: "Copyright The Mbed TLS Contributors". -When contributing code to us, the committer and all authors are required to make the submission under the terms of the [Developer Certificate of Origin](dco.txt), confirming that the code submitted can (legally) become part of the project, and be subject to either or both the Apache 2.0 and/or GPL-2.0-or-later licenses. +When contributing code to us, the committer and all authors are required to make the submission under the terms of the [Developer Certificate of Origin](dco.txt), confirming that the code submitted can (legally) become part of the project, and is submitted under both the Apache-2.0 AND GPL-2.0-or-later licenses. This is done by including the standard Git `Signed-off-by:` line in every commit message. If more than one person contributed to the commit, they should also add their own `Signed-off-by:` line. From fe5adfe54708b146ddda295961c635bb5472f27f Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 26 Jul 2023 17:58:48 +0100 Subject: [PATCH 094/222] Add HMAC test-cases for SHA3 Signed-off-by: Dave Rodgman --- tests/suites/test_suite_psa_crypto_hash.data | 19 ++++++++++ .../test_suite_psa_crypto_hash.function | 35 +++++++++++++++++++ 2 files changed, 54 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto_hash.data b/tests/suites/test_suite_psa_crypto_hash.data index 769df58e1..58bf0cf50 100644 --- a/tests/suites/test_suite_psa_crypto_hash.data +++ b/tests/suites/test_suite_psa_crypto_hash.data 
@@ -609,3 +609,22 @@ hash_multi_part:PSA_ALG_SHA3_384:"6162636465666768626364656667686963646566676869 PSA hash multi part: SHA3-512 Test Vector NIST 896 bits: "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" depends_on:PSA_WANT_ALG_SHA3_512 hash_multi_part:PSA_ALG_SHA3_512:"61626364656667686263646566676869636465666768696a6465666768696a6b65666768696a6b6c666768696a6b6c6d6768696a6b6c6d6e68696a6b6c6d6e6f696a6b6c6d6e6f706a6b6c6d6e6f70716b6c6d6e6f7071726c6d6e6f707172736d6e6f70717273746e6f707172737475":"afebb2ef542e6579c50cad06d2e578f9f8dd6881d7dc824d26360feebf18a4fa73e3261122948efcfd492e74e82e2189ed0fb440d187f382270cb455f21dd185" + +# HMAC test vectors generated in python with e.g. +# import hmac; hmac.new(bytes([0xaa]*32), b'abc', 'SHA3-224').hexdigest() + +PSA HMAC SHA3-224 +depends_on:PSA_WANT_ALG_SHA3_224 +hmac:PSA_ALG_SHA3_224:"abc":"bf0905154ad610b6a3d6d0b9a1c692494e987337d956624a066d7a1f" + +PSA HMAC SHA3-256 +depends_on:PSA_WANT_ALG_SHA3_256 +hmac:PSA_ALG_SHA3_256:"abc":"a986419a162b6d4731a8e96e44a2c6e784d50137907b457c9fb77c62705dc4d9" + +PSA HMAC SHA3-384 +depends_on:PSA_WANT_ALG_SHA3_384 +hmac:PSA_ALG_SHA3_384:"abc":"87b864ee25f8bfebd516eddd7cdd400d3c368a09e4b1fabaee5636da8a9c876c3f802c366537663910f2e6c5a8426381" + +PSA HMAC SHA3-512 +depends_on:PSA_WANT_ALG_SHA3_512 +hmac:PSA_ALG_SHA3_512:"abc":"2cef45b6950e41a70bc85cb431b2161d47c9e2932187fa15d80e3b7af1da38aa8fe823a72efd7e536e5236a5b0798418d8c8f08b0de5fc262867bb3752b6482d" diff --git a/tests/suites/test_suite_psa_crypto_hash.function b/tests/suites/test_suite_psa_crypto_hash.function index f12541d68..75dde5530 100644 --- a/tests/suites/test_suite_psa_crypto_hash.function +++ b/tests/suites/test_suite_psa_crypto_hash.function @@ -1,6 +1,7 @@ /* BEGIN_HEADER */ #include +#include "psa/crypto.h" /* END_HEADER */ 
@@ -34,6 +35,40 @@ exit: } /* END_CASE */ +/* BEGIN_CASE */ +void hmac(int alg_arg, char *input, data_t *expected_mac) +{ + psa_algorithm_t alg = PSA_ALG_HMAC(alg_arg); + + mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_type_t key_type = PSA_KEY_TYPE_HMAC; + const uint8_t key_data[] = { // 32 bytes of 0xaa + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, + 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa + }; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + + PSA_ASSERT(psa_crypto_init()); + + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE); + psa_set_key_algorithm(&attributes, alg); + psa_set_key_type(&attributes, key_type); + PSA_ASSERT(psa_import_key(&attributes, key_data, sizeof(key_data), &key)); + + uint8_t mac[PSA_MAC_MAX_SIZE + 10] = { 0 }; + size_t mac_length = 0; + + PSA_ASSERT(psa_mac_compute(key, alg, (uint8_t const *) input, strlen(input), mac, sizeof(mac), &mac_length)); + + ASSERT_COMPARE(expected_mac->x, expected_mac->len, mac, mac_length); + + PSA_ASSERT(psa_destroy_key(key)); +exit: + PSA_DONE(); +} +/* END_CASE */ + /* BEGIN_CASE */ void hash_verify(int alg_arg, data_t *input, data_t *expected_hash) { From faff45c917fee85ea3d624c07d2044f7c3c4fb27 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 26 Jul 2023 18:13:58 +0100 Subject: [PATCH 095/222] Add HMAC tests for other digest algorithms Signed-off-by: Dave Rodgman --- tests/suites/test_suite_psa_crypto_hash.data | 24 ++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto_hash.data b/tests/suites/test_suite_psa_crypto_hash.data index 58bf0cf50..5f4313a15 100644 --- a/tests/suites/test_suite_psa_crypto_hash.data +++ b/tests/suites/test_suite_psa_crypto_hash.data 
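Review bot: `PSA_ASSERT(psa_destroy_key(key));` sits above the `exit:` label in the new `hmac()` test, so if an earlier assertion fails (assuming the assertion macros jump to `exit`, as the label suggests) the imported key is still live when `PSA_DONE()` runs. Placing an unchecked `psa_destroy_key(key);` directly after `exit:` would release the key on both the success and the failure path. The `+ 10` in `uint8_t mac[PSA_MAC_MAX_SIZE + 10]` also has no explanation; a short comment such as `/* extra room so an over-long MAC is detected by the length comparison */` would help if that is the intent.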
@@ -628,3 +628,27 @@ hmac:PSA_ALG_SHA3_384:"abc":"87b864ee25f8bfebd516eddd7cdd400d3c368a09e4b1fabaee5 PSA HMAC SHA3-512 depends_on:PSA_WANT_ALG_SHA3_512 hmac:PSA_ALG_SHA3_512:"abc":"2cef45b6950e41a70bc85cb431b2161d47c9e2932187fa15d80e3b7af1da38aa8fe823a72efd7e536e5236a5b0798418d8c8f08b0de5fc262867bb3752b6482d" + +PSA HMAC SHA-1 +depends_on:PSA_WANT_ALG_SHA_1 +hmac:PSA_ALG_SHA_1:"abc":"0b3a7f96afea3e14a0835f7c9468a24649f85596" + +PSA HMAC SHA-224 +depends_on:PSA_WANT_ALG_SHA_224 +hmac:PSA_ALG_SHA_224:"abc":"249c405cef8bcd3ceeafdb9a933179739fb9b1d7f174df4667ec82f3" + +PSA HMAC SHA-256 +depends_on:PSA_WANT_ALG_SHA_256 +hmac:PSA_ALG_SHA_256:"abc":"b89a1b878289c739595104da55b6f7a8afec3e0757fc166080dc267c09c46841" + +PSA HMAC SHA-384 +depends_on:PSA_WANT_ALG_SHA_384 +hmac:PSA_ALG_SHA_384:"abc":"25a8b55c884bc38286305f76332631726498f5586280b88bc6179cd00c6878fb7d1bb3ee1643fcd2fb02b95823ff1af2" + +PSA HMAC SHA-512 +depends_on:PSA_WANT_ALG_SHA_512 +hmac:PSA_ALG_SHA_512:"abc":"d6e5eebb5cf27f5b686fefc416ee8c431bb10770216aa3c6ba13897ef3fc040b98abc53b95039f2c50622473f958af64a3cae1afbea8ffffa8d35ca24f31e222" + +PSA HMAC RIPEMD160 +depends_on:PSA_WANT_ALG_RIPEMD160 +hmac:PSA_ALG_RIPEMD160:"abc":"114a5cf4637f57c044472e1a0b87cce9137190b2" From 44fae4908d8fed4b07f73f33ebc1b88184b2dc7c Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 26 Jul 2023 18:45:19 +0100 Subject: [PATCH 096/222] Add PSA HMAC MD5 test Signed-off-by: Dave Rodgman --- tests/suites/test_suite_psa_crypto_hash.data | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto_hash.data b/tests/suites/test_suite_psa_crypto_hash.data index 5f4313a15..33ced8239 100644 --- a/tests/suites/test_suite_psa_crypto_hash.data +++ b/tests/suites/test_suite_psa_crypto_hash.data 
@@ -652,3 +652,7 @@ hmac:PSA_ALG_SHA_512:"abc":"d6e5eebb5cf27f5b686fefc416ee8c431bb10770216aa3c6ba13 PSA HMAC RIPEMD160 depends_on:PSA_WANT_ALG_RIPEMD160 hmac:PSA_ALG_RIPEMD160:"abc":"114a5cf4637f57c044472e1a0b87cce9137190b2" + +PSA HMAC MD5 +depends_on:PSA_WANT_ALG_MD5 +hmac:PSA_ALG_MD5:"abc":"39677b12b80118927387aa4a65d16a5e" From 6f09267646f0e8ec0dacdb81dbf701860f9efeb8 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Thu, 27 Jul 2023 10:15:13 +0800 Subject: [PATCH 097/222] code_size_compare: remove column of percentage for code size change Percentage is not a useful number when looking at code size changes. Since it depends on the base of the code size. It might give misleading information by simply looking at the numbers. Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 3b988a623..48e129bcc 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -594,7 +594,7 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): """Write comparison result into a file. Writing Format: file_name current(text,data) old(text,data)\ - change(text,data) change_pct%(text,data) + change(text,data) """ def cal_size_section_variation(mod, fname, size_entry, attr): 
@@ -603,26 +603,22 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): if fname in self.code_size[old_rev][mod]: old_size = int(self.code_size[old_rev][mod][fname].__dict__[attr]) change = new_size - old_size - if old_size != 0: - change_pct = change / old_size - else: - change_pct = 0 - return [new_size, old_size, change, change_pct] + return [new_size, old_size, change] else: return [new_size] if with_markdown: - format_string = "| {:<30} | {:<18} | {:<14} | {:<17} | {:<18} |\n" + format_string = "| {:<30} | {:<18} | {:<14} | {:<17} |\n" else: - format_string = "{:<30} {:<18} {:<14} {:<17} {:<18}\n" + format_string = "{:<30} {:<18} {:<14} {:<17}\n" output.write(format_string .format("filename", "current(text,data)", "old(text,data)", - "change(text,data)", "change%(text,data)")) + "change(text,data)")) if with_markdown: output.write(format_string - .format(":----", "----:", "----:", "----:", "----:")) + .format(":----", "----:", "----:", "----:")) for mod, fname, size_entry in \ self._size_reader_helper(new_rev, output, with_markdown): @@ -644,17 +640,14 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): # old(text,data) str(text_vari[1]) + "," + str(data_vari[1]), # change(text,data) - str(text_vari[2]) + "," + str(data_vari[2]), - # change%(text,data) - "{:.0%}".format(text_vari[3]) + "," - + "{:.0%}".format(data_vari[3]))) + str(text_vari[2]) + "," + str(data_vari[2]))) else: output.write( format_string .format(fname, # current(text,data) str(text_vari[0]) + "," + str(data_vari[0]), - 'None', 'None', 'None')) + 'None', 'None')) class CodeSizeComparison: From 4dfc132bcbc8e1eb528ab94aaa27827071ff5cbd Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Thu, 27 Jul 2023 10:44:50 +0800 Subject: [PATCH 098/222] code_size_compare: change format for comparison result The result format for code size comparison is: filename new(text) new(data) change(text) change(data) yyy.o xxx xxx xx xx The numbers followed are in bytes. 
Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 48e129bcc..4a50c5b33 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -593,7 +593,7 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): ) -> None: """Write comparison result into a file. - Writing Format: file_name current(text,data) old(text,data)\ + Writing Format: file_name new(text,data) old(text,data)\ change(text,data) """ @@ -608,17 +608,17 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): return [new_size] if with_markdown: - format_string = "| {:<30} | {:<18} | {:<14} | {:<17} |\n" + format_string = "| {:<30} | {:<9} | {:<9} | {:<12} | {:<12} |\n" else: - format_string = "{:<30} {:<18} {:<14} {:<17}\n" + format_string = "{:<30} {:<9} {:<9} {:<12} {:<12}\n" output.write(format_string .format("filename", - "current(text,data)", "old(text,data)", - "change(text,data)")) + "new(text)", "new(data)", "change(text)", + "change(data)")) if with_markdown: output.write(format_string - .format(":----", "----:", "----:", "----:")) + .format(":----", "----:", "----:", "----:", "----:")) for mod, fname, size_entry in \ self._size_reader_helper(new_rev, output, with_markdown): 
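Review bot: The docstring updated in the `@@ -593,7 +593,7 @@` hunk still describes the output as `file_name new(text,data) old(text,data) change(text,data)`, but the next hunk changes the header to five separate columns with no `old` column at all. The docstring should match what is written, for example `Writing Format: filename new(text) new(data) change(text) change(data)`. The enclosing `write_comparison` method starts and ends outside these hunks.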
@@ -635,18 +635,17 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): output.write( format_string .format(fname, - # current(text,data) - str(text_vari[0]) + "," + str(data_vari[0]), - # old(text,data) - str(text_vari[1]) + "," + str(data_vari[1]), - # change(text,data) - str(text_vari[2]) + "," + str(data_vari[2]))) + # new(text), new(data) + str(text_vari[0]), str(data_vari[0]), + # change(text), change(data) + str(text_vari[2]), str(data_vari[2]))) else: output.write( format_string .format(fname, - # current(text,data) - str(text_vari[0]) + "," + str(data_vari[0]), + # new(text), new(data) + str(text_vari[0]), str(data_vari[0]), + # change(text), change(data) 'None', 'None')) From 0c383858580d24888e57377f9946b97972fb5c43 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 27 Jul 2023 12:54:09 +0100 Subject: [PATCH 099/222] Use psa_mac_compare in tests; add some HMAC edge-cases Signed-off-by: Dave Rodgman --- tests/suites/test_suite_psa_crypto_hash.data | 12 ++++++++++++ tests/suites/test_suite_psa_crypto_hash.function | 7 +++++-- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_hash.data b/tests/suites/test_suite_psa_crypto_hash.data index 33ced8239..f957bf16d 100644 --- a/tests/suites/test_suite_psa_crypto_hash.data +++ b/tests/suites/test_suite_psa_crypto_hash.data 
@@ -656,3 +656,15 @@ hmac:PSA_ALG_RIPEMD160:"abc":"114a5cf4637f57c044472e1a0b87cce9137190b2" PSA HMAC MD5 depends_on:PSA_WANT_ALG_MD5 hmac:PSA_ALG_MD5:"abc":"39677b12b80118927387aa4a65d16a5e" + +PSA HMAC input length 0 +depends_on:PSA_WANT_ALG_SHA_256 +hmac:PSA_ALG_SHA_256:"":"63210aee265762634fa3db8c1aa920dcd07d31ec297309580394a21412f83372" + +PSA HMAC input length 1 +depends_on:PSA_WANT_ALG_SHA_256 +hmac:PSA_ALG_SHA_256:"x":"f61c11d66441e3c0b9902a8491caa2da5a0d0d95ef0fc61d8a3b5ea5e0416f5c" + +PSA HMAC input length 2890 +depends_on:PSA_WANT_ALG_SHA_256 +hmac:PSA_ALG_SHA_256:"0123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508
509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999":"dd2e08786029097be5f634fda74a7e20e3e1638e71282892c4fd21d9a71ae418" diff --git a/tests/suites/test_suite_psa_crypto_hash.function b/tests/suites/test_suite_psa_crypto_hash.function index 75dde5530..8ee459e43 100644 --- a/tests/suites/test_suite_psa_crypto_hash.function +++ b/tests/suites/test_suite_psa_crypto_hash.function 
@@ -51,7 +51,7 @@ void hmac(int alg_arg, char *input, data_t *expected_mac) PSA_ASSERT(psa_crypto_init()); - psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE); + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE); psa_set_key_algorithm(&attributes, alg); psa_set_key_type(&attributes, key_type); PSA_ASSERT(psa_import_key(&attributes, key_data, sizeof(key_data), &key)); @@ -59,10 +59,13 @@ void hmac(int alg_arg, char *input, data_t *expected_mac) uint8_t mac[PSA_MAC_MAX_SIZE + 10] = { 0 }; size_t mac_length = 0; - PSA_ASSERT(psa_mac_compute(key, alg, (uint8_t const *) input, strlen(input), mac, sizeof(mac), &mac_length)); + size_t input_len = strlen(input); + PSA_ASSERT(psa_mac_compute(key, alg, (uint8_t const *) input, input_len, mac, sizeof(mac), &mac_length)); ASSERT_COMPARE(expected_mac->x, expected_mac->len, mac, mac_length); + PSA_ASSERT(psa_mac_verify(key, alg, (uint8_t const *) input, input_len, expected_mac->x, expected_mac->len)); + PSA_ASSERT(psa_destroy_key(key)); exit: PSA_DONE(); From d2c9f6d256990628f8179ad6e3006f38f6db166d Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 27 Jul 2023 13:00:02 +0100 Subject: [PATCH 100/222] Strengthen psa_mac_verify testing Signed-off-by: Dave Rodgman --- tests/suites/test_suite_psa_crypto_hash.function | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto_hash.function b/tests/suites/test_suite_psa_crypto_hash.function index 8ee459e43..bd3012c4d 100644 --- a/tests/suites/test_suite_psa_crypto_hash.function +++ b/tests/suites/test_suite_psa_crypto_hash.function 
@@ -62,10 +62,16 @@ void hmac(int alg_arg, char *input, data_t *expected_mac) size_t input_len = strlen(input); PSA_ASSERT(psa_mac_compute(key, alg, (uint8_t const *) input, input_len, mac, sizeof(mac), &mac_length)); + // manual comparison against expected MAC ASSERT_COMPARE(expected_mac->x, expected_mac->len, mac, mac_length); + // use psa_mac_verify to compare to expected MAC PSA_ASSERT(psa_mac_verify(key, alg, (uint8_t const *) input, input_len, expected_mac->x, expected_mac->len)); + // corrupt the MAC and check that psa_mac_verify fails + expected_mac->x[0] ^= 0x7f; + TEST_EQUAL(psa_mac_verify(key, alg, (uint8_t const *) input, input_len, expected_mac->x, expected_mac->len), PSA_ERROR_INVALID_SIGNATURE); + PSA_ASSERT(psa_destroy_key(key)); exit: PSA_DONE(); From 5c603822011b726498f52e914109bd351c50b008 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 27 Jul 2023 13:28:41 +0100 Subject: [PATCH 101/222] code style Signed-off-by: Dave Rodgman --- tests/suites/test_suite_psa_crypto_hash.function | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_hash.function b/tests/suites/test_suite_psa_crypto_hash.function index bd3012c4d..de009a3ad 100644 --- a/tests/suites/test_suite_psa_crypto_hash.function +++ b/tests/suites/test_suite_psa_crypto_hash.function 
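Review bot: The negative check corrupts only the first byte, `expected_mac->x[0] ^= 0x7f;`. A verification that compared only part of the MAC, or stopped early, could still pass this test. Repeating the check with the last byte flipped (`expected_mac->x[expected_mac->len - 1] ^= 0x7f;` after restoring byte 0) and with a truncated `expected_mac->len` would cover both ends and the length handling. The write also assumes `expected_mac->len > 0`, which holds for the vectors shown but is not asserted; `TEST_ASSERT(expected_mac->len > 0);` before the flip would make that explicit. The body of `hmac()` starts outside this hunk.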
@@ -60,17 +60,20 @@ void hmac(int alg_arg, char *input, data_t *expected_mac) size_t mac_length = 0; size_t input_len = strlen(input); - PSA_ASSERT(psa_mac_compute(key, alg, (uint8_t const *) input, input_len, mac, sizeof(mac), &mac_length)); + PSA_ASSERT(psa_mac_compute(key, alg, (uint8_t const *) input, input_len, mac, sizeof(mac), + &mac_length)); // manual comparison against expected MAC ASSERT_COMPARE(expected_mac->x, expected_mac->len, mac, mac_length); // use psa_mac_verify to compare to expected MAC - PSA_ASSERT(psa_mac_verify(key, alg, (uint8_t const *) input, input_len, expected_mac->x, expected_mac->len)); + PSA_ASSERT(psa_mac_verify(key, alg, (uint8_t const *) input, input_len, expected_mac->x, + expected_mac->len)); // corrupt the MAC and check that psa_mac_verify fails expected_mac->x[0] ^= 0x7f; - TEST_EQUAL(psa_mac_verify(key, alg, (uint8_t const *) input, input_len, expected_mac->x, expected_mac->len), PSA_ERROR_INVALID_SIGNATURE); + TEST_EQUAL(psa_mac_verify(key, alg, (uint8_t const *) input, input_len, expected_mac->x, + expected_mac->len), PSA_ERROR_INVALID_SIGNATURE); PSA_ASSERT(psa_destroy_key(key)); exit: From 2d626cc44fc32112d1e95160f6fd28d32ed8535a Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 27 Jul 2023 14:43:55 +0100 Subject: [PATCH 102/222] Fix missing opening brace in comments Signed-off-by: Dave Rodgman --- include/mbedtls/oid.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h index f89420589..133e5d41b 100644 --- a/include/mbedtls/oid.h +++ b/include/mbedtls/oid.h 
@@ -270,13 +270,13 @@ #define MBEDTLS_OID_DIGEST_ALG_RIPEMD160 MBEDTLS_OID_TELETRUST "\x03\x02\x01" /**< id-ripemd160 OBJECT IDENTIFIER :: { iso(1) identified-organization(3) teletrust(36) algorithm(3) hashAlgorithm(2) ripemd160(1) } */ -#define MBEDTLS_OID_DIGEST_ALG_SHA3_224 MBEDTLS_OID_NIST_ALG "\x02\x07" /**< id-sha3-224 OBJECT IDENTIFIER ::= joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) sha3-224(7) } */ +#define MBEDTLS_OID_DIGEST_ALG_SHA3_224 MBEDTLS_OID_NIST_ALG "\x02\x07" /**< id-sha3-224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) sha3-224(7) } */ -#define MBEDTLS_OID_DIGEST_ALG_SHA3_256 MBEDTLS_OID_NIST_ALG "\x02\x08" /**< id-sha3-256 OBJECT IDENTIFIER ::= joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) sha3-256(8) } */ +#define MBEDTLS_OID_DIGEST_ALG_SHA3_256 MBEDTLS_OID_NIST_ALG "\x02\x08" /**< id-sha3-256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) sha3-256(8) } */ -#define MBEDTLS_OID_DIGEST_ALG_SHA3_384 MBEDTLS_OID_NIST_ALG "\x02\x09" /**< id-sha3-384 OBJECT IDENTIFIER ::= joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) sha3-384(9) } */ +#define MBEDTLS_OID_DIGEST_ALG_SHA3_384 MBEDTLS_OID_NIST_ALG "\x02\x09" /**< id-sha3-384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) sha3-384(9) } */ -#define MBEDTLS_OID_DIGEST_ALG_SHA3_512 MBEDTLS_OID_NIST_ALG "\x02\x0a" /**< id-sha3-512 OBJECT IDENTIFIER ::= joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) sha3-512(10) } */ +#define MBEDTLS_OID_DIGEST_ALG_SHA3_512 MBEDTLS_OID_NIST_ALG "\x02\x0a" /**< id-sha3-512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 
country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) sha3-512(10) } */ #define MBEDTLS_OID_HMAC_SHA1 MBEDTLS_OID_RSA_COMPANY "\x02\x07" /**< id-hmacWithSHA1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 7 } */ From a2cdc840de5aa0363d45ce9ebbba95cdda8ed7a9 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 27 Jul 2023 14:44:13 +0100 Subject: [PATCH 103/222] Fix pre-existing missing closing #endif comment Signed-off-by: Dave Rodgman --- library/oid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/oid.c b/library/oid.c index 9ea41cbae..43fa0003d 100644 --- a/library/oid.c +++ b/library/oid.c @@ -820,7 +820,7 @@ static const oid_md_hmac_t oid_md_hmac[] = OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA224, "hmacSHA224", "HMAC-SHA-224"), MBEDTLS_MD_SHA224, }, -#endif +#endif /* MBEDTLS_MD_CAN_SHA224 */ #if defined(MBEDTLS_MD_CAN_SHA256) { OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA256, "hmacSHA256", "HMAC-SHA-256"), From 5cc67a3ee2fc2676d84b71dfc5bbaad6caec01eb Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 27 Jul 2023 14:44:35 +0100 Subject: [PATCH 104/222] Add OIDs for HMAC-SHA3 Signed-off-by: Dave Rodgman --- include/mbedtls/oid.h | 8 ++++++++ library/oid.c | 24 ++++++++++++++++++++++++ 2 files changed, 32 insertions(+) diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h index 133e5d41b..3c9831be5 100644 --- a/include/mbedtls/oid.h +++ b/include/mbedtls/oid.h 
@@ -289,6 +289,14 @@ #define MBEDTLS_OID_HMAC_SHA512 MBEDTLS_OID_RSA_COMPANY "\x02\x0B" /**< id-hmacWithSHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 11 } */ +#define MBEDTLS_OID_HMAC_SHA3_224 MBEDTLS_OID_NIST_ALG "\x02\x0d" /**< id-hmacWithSHA3-512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) hmacWithSHA3-224(13) } */ + +#define MBEDTLS_OID_HMAC_SHA3_256 MBEDTLS_OID_NIST_ALG "\x02\x0e" /**< id-hmacWithSHA3-512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) hmacWithSHA3-256(14) } */ + +#define MBEDTLS_OID_HMAC_SHA3_384 MBEDTLS_OID_NIST_ALG "\x02\x0f" /**< id-hmacWithSHA3-512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) hmacWithSHA3-384(15) } */ + +#define MBEDTLS_OID_HMAC_SHA3_512 MBEDTLS_OID_NIST_ALG "\x02\x10" /**< id-hmacWithSHA3-512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) hmacWithSHA3-512(16) } */ + /* * Encryption algorithms */ diff --git a/library/oid.c b/library/oid.c index 43fa0003d..e12f92485 100644 --- a/library/oid.c +++ b/library/oid.c 
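Review bot: The Doxygen comments on `MBEDTLS_OID_HMAC_SHA3_224`, `MBEDTLS_OID_HMAC_SHA3_256` and `MBEDTLS_OID_HMAC_SHA3_384` all start with `id-hmacWithSHA3-512`, although the arc at the end of each comment correctly names `hmacWithSHA3-224(13)`, `hmacWithSHA3-256(14)` and `hmacWithSHA3-384(15)`. This looks like a copy-paste leftover. The leading identifiers should read `id-hmacWithSHA3-224`, `id-hmacWithSHA3-256` and `id-hmacWithSHA3-384`, so that nobody cross-checking these OIDs against the registry is misled.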
@@ -839,6 +839,30 @@ static const oid_md_hmac_t oid_md_hmac[] = MBEDTLS_MD_SHA512, }, #endif /* MBEDTLS_MD_CAN_SHA512 */ +#if defined(MBEDTLS_MD_CAN_SHA3_224) + { + OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA3_224, "hmacSHA3-224", "HMAC-SHA3-224"), + MBEDTLS_MD_SHA3_224, + }, +#endif /* MBEDTLS_MD_CAN_SHA3_224 */ +#if defined(MBEDTLS_MD_CAN_SHA3_256) + { + OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA3_256, "hmacSHA3-256", "HMAC-SHA3-256"), + MBEDTLS_MD_SHA3_256, + }, +#endif /* MBEDTLS_MD_CAN_SHA3_256 */ +#if defined(MBEDTLS_MD_CAN_SHA3_384) + { + OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA3_384, "hmacSHA3-384", "HMAC-SHA3-384"), + MBEDTLS_MD_SHA3_384, + }, +#endif /* MBEDTLS_MD_CAN_SHA3_384 */ +#if defined(MBEDTLS_MD_CAN_SHA3_512) + { + OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA3_512, "hmacSHA3-512", "HMAC-SHA3-512"), + MBEDTLS_MD_SHA3_512, + }, +#endif /* MBEDTLS_MD_CAN_SHA3_512 */ { NULL_OID_DESCRIPTOR, MBEDTLS_MD_NONE, From f2e3eb8bd9f4c5bde788076e2cb6a42979295822 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 27 Jul 2023 15:46:05 +0100 Subject: [PATCH 105/222] Add OID for HMAC-RIPEMD160 Signed-off-by: Dave Rodgman --- include/mbedtls/oid.h | 2 ++ library/oid.c | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h index 3c9831be5..954507229 100644 --- a/include/mbedtls/oid.h +++ b/include/mbedtls/oid.h @@ -297,6 +297,8 @@ #define MBEDTLS_OID_HMAC_SHA3_512 MBEDTLS_OID_NIST_ALG "\x02\x10" /**< id-hmacWithSHA3-512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) hmacWithSHA3-512(16) } */ +#define MBEDTLS_OID_HMAC_RIPEMD160 MBEDTLS_OID_INTERNET "\x05\x05\x08\x01\x04" /**< id-hmacWithSHA1 OBJECT IDENTIFIER ::= {iso(1) iso-identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) ipsec(8) isakmpOakley(1) hmacRIPEMD160(4)} */ + /* * Encryption algorithms */ diff --git a/library/oid.c b/library/oid.c index e12f92485..608b6c8ca 100644 --- a/library/oid.c 
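Review bot: In the `include/mbedtls/oid.h` hunk `@@ -297,6 +297,8 @@`, the comment on the new `MBEDTLS_OID_HMAC_RIPEMD160` define starts with `id-hmacWithSHA1`, while the arc it spells out ends in `hmacRIPEMD160(4)`. The leading name should describe the RIPEMD-160 identifier rather than SHA-1, for example `hmacRIPEMD160 OBJECT IDENTIFIER ::= {...}`. The comment also uses `::=` where the original SHA-3 digest comments used `::`, so it is worth confirming which notation the file intends.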
+++ b/library/oid.c @@ -863,6 +863,12 @@ static const oid_md_hmac_t oid_md_hmac[] = MBEDTLS_MD_SHA3_512, }, #endif /* MBEDTLS_MD_CAN_SHA3_512 */ +#if defined(MBEDTLS_MD_CAN_RIPEMD160) + { + OID_DESCRIPTOR(MBEDTLS_OID_HMAC_RIPEMD160, "hmacRIPEMD160", "HMAC-RIPEMD160"), + MBEDTLS_MD_RIPEMD160, + }, +#endif /* MBEDTLS_MD_CAN_RIPEMD160 */ { NULL_OID_DESCRIPTOR, MBEDTLS_MD_NONE, From a0f81e8ef853f4dfef1e6f776b722fbb073a5e82 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 27 Jul 2023 15:46:33 +0100 Subject: [PATCH 106/222] Add OID tests for HMAC-xxx Signed-off-by: Dave Rodgman --- tests/suites/test_suite_oid.data | 40 ++++++++++++++++++++++++++++ tests/suites/test_suite_oid.function | 23 ++++++++++++++++ 2 files changed, 63 insertions(+) diff --git a/tests/suites/test_suite_oid.data b/tests/suites/test_suite_oid.data index cc23c5b66..f8f1d43aa 100644 --- a/tests/suites/test_suite_oid.data +++ b/tests/suites/test_suite_oid.data 
@@ -201,3 +201,43 @@ oid_from_numeric_string:"2.4294967215":0:"8FFFFFFF7F" OID from numeric string - OID with overflowing subidentifier oid_from_numeric_string:"2.4294967216":MBEDTLS_ERR_ASN1_INVALID_DATA:"" + +mbedtls_oid_get_md_hmac - RIPEMD160 +depends_on:MBEDTLS_MD_CAN_RIPEMD160 +mbedtls_oid_get_md_hmac:"2B06010505080104":MBEDTLS_MD_RIPEMD160 + +mbedtls_oid_get_md_hmac - SHA1 +depends_on:MBEDTLS_MD_CAN_SHA1 +mbedtls_oid_get_md_hmac:"2A864886F70D0207":MBEDTLS_MD_SHA1 + +mbedtls_oid_get_md_hmac - SHA224 +depends_on:MBEDTLS_MD_CAN_SHA224 +mbedtls_oid_get_md_hmac:"2A864886F70D0208":MBEDTLS_MD_SHA224 + +mbedtls_oid_get_md_hmac - SHA256 +depends_on:MBEDTLS_MD_CAN_SHA256 +mbedtls_oid_get_md_hmac:"2A864886F70D0209":MBEDTLS_MD_SHA256 + +mbedtls_oid_get_md_hmac - SHA384 +depends_on:MBEDTLS_MD_CAN_SHA384 +mbedtls_oid_get_md_hmac:"2A864886F70D020A":MBEDTLS_MD_SHA384 + +mbedtls_oid_get_md_hmac - SHA512 +depends_on:MBEDTLS_MD_CAN_SHA512 +mbedtls_oid_get_md_hmac:"2A864886F70D020B":MBEDTLS_MD_SHA512 + +mbedtls_oid_get_md_hmac - SHA3_224 +depends_on:MBEDTLS_MD_CAN_SHA3_224 +mbedtls_oid_get_md_hmac:"60864801650304020D":MBEDTLS_MD_SHA3_224 + +mbedtls_oid_get_md_hmac - SHA3_256 +depends_on:MBEDTLS_MD_CAN_SHA3_256 +mbedtls_oid_get_md_hmac:"60864801650304020E":MBEDTLS_MD_SHA3_256 + +mbedtls_oid_get_md_hmac - SHA3_384 +depends_on:MBEDTLS_MD_CAN_SHA3_384 +mbedtls_oid_get_md_hmac:"60864801650304020F":MBEDTLS_MD_SHA3_384 + +mbedtls_oid_get_md_hmac - SHA3_512 +depends_on:MBEDTLS_MD_CAN_SHA3_512 +mbedtls_oid_get_md_hmac:"608648016503040210":MBEDTLS_MD_SHA3_512 diff --git a/tests/suites/test_suite_oid.function b/tests/suites/test_suite_oid.function index 3adc6af0b..337f84310 100644 --- a/tests/suites/test_suite_oid.function +++ b/tests/suites/test_suite_oid.function 
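Review bot: Every added `mbedtls_oid_get_md_hmac` case is a successful lookup, so the `exp_md_id < 0` branch of the test function added in the same commit (which expects `MBEDTLS_ERR_OID_NOT_FOUND` and an untouched `md_id`) is never exercised. Adding at least one case with an OID that is absent from the HMAC table, in the form `mbedtls_oid_get_md_hmac:"<hex of an OID not in oid_md_hmac>":-1`, would cover the rejection path. A digest OID that is not an HMAC OID would be a useful choice, since it checks that the two tables are not confused.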
@@ -96,6 +96,29 @@ void oid_get_md_alg_id(data_t *oid, int exp_md_id) } /* END_CASE */ +/* BEGIN_CASE */ +void mbedtls_oid_get_md_hmac(data_t *oid, int exp_md_id) +{ + mbedtls_asn1_buf md_oid = { 0, 0, NULL }; + int ret; + mbedtls_md_type_t md_id = 0; + + md_oid.tag = MBEDTLS_ASN1_OID; + md_oid.p = oid->x; + md_oid.len = oid->len; + + ret = mbedtls_oid_get_md_hmac(&md_oid, &md_id); + + if (exp_md_id < 0) { + TEST_ASSERT(ret == MBEDTLS_ERR_OID_NOT_FOUND); + TEST_ASSERT(md_id == 0); + } else { + TEST_ASSERT(ret == 0); + TEST_ASSERT((mbedtls_md_type_t) exp_md_id == md_id); + } +} +/* END_CASE */ + /* BEGIN_CASE */ void oid_get_numeric_string(data_t *oid, int error_ret, char *result_str) { From dcf360dd722ef93c1bd10b9216b83620a204055a Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Thu, 27 Jul 2023 15:28:20 +0800 Subject: [PATCH 107/222] code_size_compare: track removed object as well It makes sense to display code size changes if a file has been removed in our library. With this commit we track old objects as well. If a file is not present in the new Git revision, we display -old_size in the new_size column. The size change is marked as `Removed` to indicate the file has been removed. Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 199 ++++++++++++++++++++++------------- 1 file changed, 123 insertions(+), 76 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 4a50c5b33..95d46b81c 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -486,7 +486,7 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): class SizeEntry: # pylint: disable=too-few-public-methods """Data Structure to only store information of code size.""" - def __init__(self, text, data, bss, dec): + def __init__(self, text: int, data: int, bss: int, dec: int): self.text = text self.data = data self.bss = bss 
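Review bot: The new `mbedtls_oid_get_md_hmac` test checks its results with `TEST_ASSERT(ret == ...)` and `TEST_ASSERT(md_id == 0)`, which presumably report only that the expression was false. `TEST_EQUAL`, already used elsewhere in this patch series, would show both values on failure: `TEST_EQUAL(ret, MBEDTLS_ERR_OID_NOT_FOUND);`, `TEST_EQUAL(ret, 0);` and `TEST_EQUAL(md_id, (mbedtls_md_type_t) exp_md_id);`. The literal `0` used for `md_id` would also read more clearly as `MBEDTLS_MD_NONE`, the sentinel used in the `oid_md_hmac` table.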
@@ -496,16 +496,20 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): """ Variable code_size is used to store size info for any Git revisions. :param code_size: Data Format as following: - {git_rev: {module: {file_name: [text, data, bss, dec], - etc ... - }, - etc ... - }, - etc ... - } + code_size = { + git_rev: { + module: { + file_name: SizeEntry, + ... + }, + ... + }, + ... + } """ super().__init__(logger) self.code_size = {} #type: typing.Dict[str, typing.Dict] + self.mod_total_suffix = '-' + 'TOTALS' def _set_size_record(self, git_rev: str, mod: str, size_text: str) -> None: """Store size information for target Git revision and high-level module. @@ -515,9 +519,11 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): size_record = {} for line in size_text.splitlines()[1:]: data = line.split() + if re.match(r'\s*\(TOTALS\)', data[5]): + data[5] = mod + self.mod_total_suffix # file_name: SizeEntry(text, data, bss, dec) size_record[data[5]] = CodeSizeGeneratorWithSize.SizeEntry( - data[0], data[1], data[2], data[3]) + int(data[0]), int(data[1]), int(data[2]), int(data[3])) self.code_size.setdefault(git_rev, {}).update({mod: size_record}) def read_size_record(self, git_rev: str, fname: str) -> None: @@ -538,10 +544,10 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): if mod: # file_name: SizeEntry(text, data, bss, dec) size_record[data[0]] = CodeSizeGeneratorWithSize.SizeEntry( - data[1], data[2], data[3], data[4]) + int(data[1]), int(data[2]), int(data[3]), int(data[4])) # check if we hit record for the end of a module - m = re.match(r'.?TOTALS', line) + m = re.match(r'\w+' + self.mod_total_suffix, line) if m: if git_rev in self.code_size: self.code_size[git_rev].update({mod: size_record}) 
@@ -550,19 +556,6 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): mod = "" size_record = {} - def _size_reader_helper( - self, - git_rev: str, - output: typing_util.Writable, - with_markdown=False - ) -> typing.Iterator[tuple]: - """A helper function to peel code_size based on Git revision.""" - for mod, file_size in self.code_size[git_rev].items(): - if not with_markdown: - output.write("\n" + mod + "\n") - for fname, size_entry in file_size.items(): - yield mod, fname, size_entry - def write_record( self, git_rev: str, @@ -571,7 +564,7 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): ) -> None: """Write size information to a file. - Writing Format: file_name text data bss total(dec) + Writing Format: filename text data bss total(dec) """ for mod, size_text in code_size_text.items(): self._set_size_record(git_rev, mod, size_text) @@ -579,12 +572,16 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): format_string = "{:<30} {:>7} {:>7} {:>7} {:>7}\n" output.write(format_string.format("filename", "text", "data", "bss", "total")) - for _, fname, size_entry in self._size_reader_helper(git_rev, output): - output.write(format_string.format(fname, - size_entry.text, size_entry.data, - size_entry.bss, size_entry.total)) - def write_comparison( + for mod, f_size in self.code_size[git_rev].items(): + output.write("\n" + mod + "\n") + for fname, size_entry in f_size.items(): + output.write(format_string + .format(fname, + size_entry.text, size_entry.data, + size_entry.bss, size_entry.total)) + + def write_comparison( # pylint: disable=too-many-locals self, old_rev: str, new_rev: str, 
@@ -593,60 +590,110 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): ) -> None: """Write comparison result into a file. - Writing Format: file_name new(text,data) old(text,data)\ - change(text,data) + Writing Format: filename new(text) new(data) change(text) change(data) """ - - def cal_size_section_variation(mod, fname, size_entry, attr): - new_size = int(size_entry.__dict__[attr]) - # check if we have the file in old Git revision - if fname in self.code_size[old_rev][mod]: - old_size = int(self.code_size[old_rev][mod][fname].__dict__[attr]) - change = new_size - old_size - return [new_size, old_size, change] - else: - return [new_size] + header_line = ["filename", "new(text)", "change(text)", "new(data)", + "change(data)"] if with_markdown: - format_string = "| {:<30} | {:<9} | {:<9} | {:<12} | {:<12} |\n" + dash_line = [":----", "----:", "----:", "----:", "----:"] + line_format = "| {0:<30} | {1:<10} | {3:<10} | {2:<12} | {4:<12} |\n" + bold_text = lambda x: '**' + str(x) + '**' else: - format_string = "{:<30} {:<9} {:<9} {:<12} {:<12}\n" + line_format = "{0:<30} {1:<10} {3:<10} {2:<12} {4:<12}\n" - output.write(format_string - .format("filename", - "new(text)", "new(data)", "change(text)", - "change(data)")) - if with_markdown: - output.write(format_string - .format(":----", "----:", "----:", "----:", "----:")) + def cal_sect_change( + old_size: typing.Optional[CodeSizeGeneratorWithSize.SizeEntry], + new_size: typing.Optional[CodeSizeGeneratorWithSize.SizeEntry], + sect: str + ) -> typing.List: + """Inner helper function to calculate size change for a section. 
- for mod, fname, size_entry in \ - self._size_reader_helper(new_rev, output, with_markdown): - text_vari = cal_size_section_variation(mod, fname, - size_entry, 'text') - data_vari = cal_size_section_variation(mod, fname, - size_entry, 'data') + Convention for special cases: + - If the object has been removed in new Git revision, + the size is minus code size of old Git revision; + the size change is marked as `Removed`, + - If the object only exists in new Git revision, + the size is code size of new Git revision; + the size change is marked as `None`, - if len(text_vari) != 1: - # skip the files that haven't changed in code size if we write - # comparison result in a markdown table. - if with_markdown and text_vari[2] == 0 and data_vari[2] == 0: - continue - output.write( - format_string - .format(fname, - # new(text), new(data) - str(text_vari[0]), str(data_vari[0]), - # change(text), change(data) - str(text_vari[2]), str(data_vari[2]))) + :param: old_size: code size for objects in old Git revision. + :param: new_size: code size for objects in new Git revision. + :param: sect: section to calculate from `size` tool. This could be + any instance variable in SizeEntry. 
+ :return: List of [section size of objects for new Git revision, + section size change of objects between two Git revisions] + """ + if old_size and new_size: + new_attr = new_size.__dict__[sect] + change_attr = new_size.__dict__[sect] - old_size.__dict__[sect] + elif old_size: + new_attr = - old_size.__dict__[sect] + change_attr = 'Removed' + elif new_size: + new_attr = new_size.__dict__[sect] + change_attr = 'None' else: - output.write( - format_string - .format(fname, - # new(text), new(data) - str(text_vari[0]), str(data_vari[0]), - # change(text), change(data) - 'None', 'None')) + # Should never happen + new_attr = 'Error' + change_attr = 'Error' + return [new_attr, change_attr] + + # sort dictionary by key + sort_by_k = lambda item: item[0].lower() + def get_results( + f_rev_size: + typing.Dict[str, + typing.Dict[str, + CodeSizeGeneratorWithSize.SizeEntry]] + ) -> typing.List: + """Return List of results in the format of: + [filename, new(text), change(text), new(data), change(data)] + """ + res = [] + for fname, revs_size in sorted(f_rev_size.items(), key=sort_by_k): + old_size = revs_size.get(old_rev) + new_size = revs_size.get(new_rev) + + text_sect = cal_sect_change(old_size, new_size, 'text') + data_sect = cal_sect_change(old_size, new_size, 'data') + # skip the files that haven't changed in code size + if text_sect[1] == 0 and data_sect[1] == 0: + continue + + res.append([fname, *text_sect, *data_sect]) + return res + + # write header + output.write(line_format.format(*header_line)) + if with_markdown: + output.write(line_format.format(*dash_line)) + for mod in MBEDTLS_STATIC_LIB: + # convert self.code_size to: + # { + # file_name: { + # old_rev: SizeEntry, + # new_rev: SizeEntry + # }, + # ... 
+ # } + f_rev_size = {} #type: typing.Dict[str, typing.Dict] + for fname, size_entry in self.code_size[old_rev][mod].items(): + f_rev_size.setdefault(fname, {}).update({old_rev: size_entry}) + for fname, size_entry in self.code_size[new_rev][mod].items(): + f_rev_size.setdefault(fname, {}).update({new_rev: size_entry}) + + mod_total_sz = f_rev_size.pop(mod + self.mod_total_suffix) + res = get_results(f_rev_size) + total_clm = get_results({mod + self.mod_total_suffix: mod_total_sz}) + if with_markdown: + # bold row of mod-TOTALS in markdown table + total_clm = [[bold_text(j) for j in i] for i in total_clm] + res += total_clm + + # write comparison result + for line in res: + output.write(line_format.format(*line)) class CodeSizeComparison: From b167320e2761319c103ef7d6afc3292a81d45117 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Fri, 28 Jul 2023 13:47:19 +0800 Subject: [PATCH 108/222] code_size_compare: use '.md' suffix if '--markdown' enabled Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 95d46b81c..1bcc73194 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -815,10 +815,11 @@ class CodeSizeComparison: else: output_file = os.path.join( self.comp_dir, - '{}-{}-{}.csv' + '{}-{}-{}.{}' .format(self.old_size_dist_info.get_info_indication(), self.new_size_dist_info.get_info_indication(), - self.size_common_info.get_info_indication())) + self.size_common_info.get_info_indication(), + 'md' if self.result_options.with_markdown else 'csv')) output = open(output_file, "w") self.logger.debug("Generating comparison results between {} and {}." From ee07afa2051a1d7d8a20e46035b3cc8e4c94fc80 Mon Sep 17 00:00:00 2001 
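Review bot: The per-module loop indexes `self.code_size[old_rev][mod]` and `self.code_size[new_rev][mod]` directly and then calls `f_rev_size.pop(mod + self.mod_total_suffix)` with no default, so a module missing from either revision's record, or a record without a `-TOTALS` row, ends the whole comparison with a bare `KeyError`. The inner helper already reports an object present on one side only as `Removed` or `None`; the module level could do the same with `self.code_size[old_rev].get(mod, {}).items()` and the matching call for `new_rev`, and report a missing totals row explicitly. `write_comparison` starts outside the hunk.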
From: Yanray Wang Date: Fri, 28 Jul 2023 16:34:05 +0800 Subject: [PATCH 109/222] code_size_compare: add option '--show-all' When '--show-all' is enabled, all the objects will be displayed in comparison result no matter if there is code size change or not. Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 1bcc73194..72c69e488 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -116,12 +116,13 @@ class CodeSizeCommonInfo: # pylint: disable=too-few-public-methods class CodeSizeResultInfo: # pylint: disable=too-few-public-methods """Data structure to store result options for code size comparison.""" - def __init__( + def __init__( #pylint: disable=too-many-arguments self, record_dir: str, comp_dir: str, with_markdown=False, stdout=False, + show_all=False, ) -> None: """ :param record_dir: directory to store code size record. @@ -130,11 +131,13 @@ class CodeSizeResultInfo: # pylint: disable=too-few-public-methods (Default: False) :param stdout: direct comparison result into sys.stdout. (Default False) + :param show_all: show all objects in comparison result. (Default False) """ self.record_dir = record_dir self.comp_dir = comp_dir self.with_markdown = with_markdown self.stdout = stdout + self.show_all = show_all DETECT_ARCH_CMD = "cc -dM -E - < /dev/null" @@ -462,12 +465,13 @@ class CodeSizeGenerator: """ raise NotImplementedError - def write_comparison( + def write_comparison( #pylint: disable=too-many-arguments self, old_rev: str, new_rev: str, output: typing_util.Writable, - with_markdown=False + with_markdown=False, + show_all=False ) -> None: """Write a comparision result into a stream between two Git revisions. 
@@ -477,6 +481,7 @@ class CodeSizeGenerator: (File / sys.stdout) :param with_markdown: write comparision result in a markdown table. (Default: False) + :param show_all: show all objects in comparison result. (Default False) """ raise NotImplementedError @@ -581,13 +586,15 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): size_entry.text, size_entry.data, size_entry.bss, size_entry.total)) - def write_comparison( # pylint: disable=too-many-locals + def write_comparison( #pylint: disable=too-many-arguments self, old_rev: str, new_rev: str, output: typing_util.Writable, - with_markdown=False + with_markdown=False, + show_all=False ) -> None: + # pylint: disable=too-many-locals """Write comparison result into a file. Writing Format: filename new(text) new(data) change(text) change(data) @@ -658,7 +665,7 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): text_sect = cal_sect_change(old_size, new_size, 'text') data_sect = cal_sect_change(old_size, new_size, 'data') # skip the files that haven't changed in code size - if text_sect[1] == 0 and data_sect[1] == 0: + if not show_all and text_sect[1] == 0 and data_sect[1] == 0: continue res.append([fname, *text_sect, *data_sect]) @@ -834,7 +841,8 @@ class CodeSizeComparison: self.code_size_generator.write_comparison( self.old_size_dist_info.git_rev, self.new_size_dist_info.git_rev, - output, self.result_options.with_markdown) + output, self.result_options.with_markdown, + self.result_options.show_all) def get_comparision_results(self) -> None: """Compare size of library/*.o between self.old_size_dist_info and 
@@ -887,6 +895,10 @@ def main(): '--stdout', action='store_true', dest='stdout', help='Set this option to direct comparison result into sys.stdout. ' '(Default: file)') + group_optional.add_argument( + '--show-all', action='store_true', dest='show_all', + help='Show all the objects in comparison result, including the ones ' + 'that haven\'t changed in code size. (Default: False)') group_optional.add_argument( '--verbose', action='store_true', dest='verbose', help='Show logs in detail for code size measurement. ' @@ -923,10 +935,10 @@ def main(): # host_arch, measure_cmd size_common_info = CodeSizeCommonInfo( detect_arch(), 'size -t') - # record_dir, comp_dir, with_markdown, stdout + # record_dir, comp_dir, with_markdown, stdout, show_all result_options = CodeSizeResultInfo( comp_args.record_dir, comp_args.comp_dir, - comp_args.markdown, comp_args.stdout) + comp_args.markdown, comp_args.stdout, comp_args.show_all) logger.info("Measure code size between {} and {} by `{}`." .format(old_size_dist_info.get_info_indication(), From c2ad3ad62a10d7ed5eda8f8be074b0c2723b7f27 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 28 Jul 2023 16:44:18 +0100 Subject: [PATCH 110/222] Fix error in test vectors Signed-off-by: Dave Rodgman --- tests/suites/test_suite_psa_crypto_hash.data | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_hash.data b/tests/suites/test_suite_psa_crypto_hash.data index f957bf16d..0a5f8765f 100644 --- a/tests/suites/test_suite_psa_crypto_hash.data +++ b/tests/suites/test_suite_psa_crypto_hash.data 
@@ -164,7 +164,7 @@ hash_finish:PSA_ALG_SHA3_224:"":"6b4e03423667dbb73b6e15454f0eb1abd4597f9a1b078e3 PSA hash finish: SHA3-256 Test Vector NIST "" depends_on:PSA_WANT_ALG_SHA3_256 -hash_finish:PSA_ALG_SHA3_256:"616263":"3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532" +hash_finish:PSA_ALG_SHA3_256:"":"a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a" PSA hash finish: SHA3-384 Test Vector NIST "" depends_on:PSA_WANT_ALG_SHA3_384 @@ -552,7 +552,7 @@ hash_multi_part:PSA_ALG_SHA3_224:"":"6b4e03423667dbb73b6e15454f0eb1abd4597f9a1b0 PSA hash multi part: SHA3-256 Test Vector NIST "" depends_on:PSA_WANT_ALG_SHA3_256 -hash_multi_part:PSA_ALG_SHA3_256:"616263":"3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532" +hash_multi_part:PSA_ALG_SHA3_256:"":"a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a" PSA hash multi part: SHA3-384 Test Vector NIST "" depends_on:PSA_WANT_ALG_SHA3_384 From e2caf4161ba96e3e22276707f9e43cdf68caf621 Mon Sep 17 00:00:00 2001 From: Chien Wong Date: Tue, 1 Aug 2023 21:38:46 +0800 Subject: [PATCH 111/222] Fix a few unchecked value issue Signed-off-by: Chien Wong --- library/bignum.c | 4 ++-- library/ecdsa.c | 4 ++-- library/rsa_alt_helpers.c | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index d559c9e76..7661dd3ae 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -1706,7 +1706,7 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, */ const size_t x_index = 0; mbedtls_mpi_init(&W[x_index]); - mbedtls_mpi_copy(&W[x_index], X); + MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[x_index], X)); j = N->n + 1; /* All W[i] and X must have at least N->n limbs for the mpi_montmul() @@ -1893,7 +1893,7 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, /* * Load the result in the output variable. */ - mbedtls_mpi_copy(X, &W[x_index]); + MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, &W[x_index])); cleanup: 
diff --git a/library/ecdsa.c b/library/ecdsa.c index 1faec1639..6e55f2205 100644 --- a/library/ecdsa.c +++ b/library/ecdsa.c @@ -373,7 +373,7 @@ modn: #if defined(MBEDTLS_ECP_RESTARTABLE) if (rs_ctx != NULL && rs_ctx->sig != NULL) { - mbedtls_mpi_copy(r, pr); + MBEDTLS_MPI_CHK(mbedtls_mpi_copy(r, pr)); } #endif @@ -447,7 +447,7 @@ int mbedtls_ecdsa_sign_det_restartable(mbedtls_ecp_group *grp, MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(d, data, grp_len)); MBEDTLS_MPI_CHK(derive_mpi(grp, &h, buf, blen)); MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&h, data + grp_len, grp_len)); - mbedtls_hmac_drbg_seed_buf(p_rng, md_info, data, 2 * grp_len); + MBEDTLS_MPI_CHK(mbedtls_hmac_drbg_seed_buf(p_rng, md_info, data, 2 * grp_len)); #if defined(MBEDTLS_ECP_RESTARTABLE) if (rs_ctx != NULL && rs_ctx->det != NULL) { diff --git a/library/rsa_alt_helpers.c b/library/rsa_alt_helpers.c index 3451469b9..5cc4636e4 100644 --- a/library/rsa_alt_helpers.c +++ b/library/rsa_alt_helpers.c @@ -126,7 +126,7 @@ int mbedtls_rsa_deduce_primes(mbedtls_mpi const *N, } for (; attempt < num_primes; ++attempt) { - mbedtls_mpi_lset(&K, primes[attempt]); + MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&K, primes[attempt])); /* Check if gcd(K,N) = 1 */ MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(P, &K, N)); From 0d4f4e5b01a1a57677c380b1223520f953eaaaf9 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 31 Mar 2023 14:32:47 +0800 Subject: [PATCH 112/222] Add option to disable built-in aes implementation. For time being, there are only two aes implementations for known architectures. I define runtime detection function as const when built-in was disabled. In this case, compiler will remove dead built-in code. Signed-off-by: Jerry Yu --- include/mbedtls/mbedtls_config.h | 5 +++++ library/aesce.c | 2 ++ library/aesce.h | 5 +++++ library/aesni.c | 2 ++ library/aesni.h | 4 ++++ library/padlock.c | 2 ++ library/padlock.h | 5 ++++- 7 files changed, 24 insertions(+), 1 deletion(-) 
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 719bbed8f..a086bfe5d 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -4006,4 +4006,9 @@ */ //#define MBEDTLS_ECP_WITH_MPI_UINT +/* + * Platform independent implementation for crypto algorithms. + */ +//#define MBEDTLS_AES_HAS_NO_BUILTIN /* Uncomment to disable built-in platform independent code of AES */ + /** \} name SECTION: Module configuration options */ diff --git a/library/aesce.c b/library/aesce.c index ed3cca11d..baa01dbd6 100644 --- a/library/aesce.c +++ b/library/aesce.c @@ -99,6 +99,7 @@ #include #endif +#if !defined(MBEDTLS_AES_HAS_NO_BUILTIN) /* * AES instruction support detection routine */ @@ -113,6 +114,7 @@ int mbedtls_aesce_has_support(void) return 1; #endif } +#endif /* Single round of AESCE encryption */ #define AESCE_ENCRYPT_ROUND \ diff --git a/library/aesce.h b/library/aesce.h index b12bf76ba..b166e15c1 100644 --- a/library/aesce.h +++ b/library/aesce.h @@ -47,7 +47,12 @@ extern "C" { * * \return 1 if CPU has support for the feature, 0 otherwise */ +#if !defined(MBEDTLS_AES_HAS_NO_BUILTIN) int mbedtls_aesce_has_support(void); +#else +#define /* no-check-names */ mbedtls_aesce_has_support() 1 +#endif + /** * \brief Internal AES-ECB block encryption and decryption diff --git a/library/aesni.c b/library/aesni.c index 9d1c0f135..b6d119179 100644 --- a/library/aesni.c +++ b/library/aesni.c @@ -39,6 +39,7 @@ #include #endif +#if !defined(MBEDTLS_AES_HAS_NO_BUILTIN) /* * AES-NI support detection routine */ @@ -68,6 +69,7 @@ int mbedtls_aesni_has_support(unsigned int what) return (c & what) != 0; } +#endif /* !MBEDTLS_AES_HAS_NO_BUILTIN */ #if MBEDTLS_AESNI_HAVE_CODE == 2 diff --git a/library/aesni.h b/library/aesni.h index 82947e458..fa1f369ed 100644 --- a/library/aesni.h +++ b/library/aesni.h 
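Review bot: In the `library/aesce.h` hunk, defining `mbedtls_aesce_has_support()` as the constant `1` under `MBEDTLS_AES_HAS_NO_BUILTIN` removes the runtime check in front of the accelerated code, so a binary built this way would presumably fault on a CPU without the extension rather than return an error; the `aesni.h` and `padlock.h` hunks that follow do the same. Neither that requirement nor the need to enable an accelerator is documented: the new `mbedtls_config.h` entry says only "Platform independent implementation for crypto algorithms". I would expand that comment to say the option is only for targets known to provide the enabled accelerator, and add a build-time guard for the case where none is enabled, along the lines of `#error "MBEDTLS_AES_HAS_NO_BUILTIN requires MBEDTLS_AESCE_C, MBEDTLS_AESNI_C or MBEDTLS_PADLOCK_C"`. The PadLock macro also evaluates to `1` for every `feature`, where the function it replaces returns `flags & feature`.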
@@ -88,7 +88,11 @@ extern "C" { * * \return 1 if CPU has support for the feature, 0 otherwise */ +#if !defined(MBEDTLS_AES_HAS_NO_BUILTIN) int mbedtls_aesni_has_support(unsigned int what); +#else +#define /* no-check-names */ mbedtls_aesni_has_support(what) 1 +#endif /** * \brief Internal AES-NI AES-ECB block encryption and decryption diff --git a/library/padlock.c b/library/padlock.c index f42c40ff9..111b28cf8 100644 --- a/library/padlock.c +++ b/library/padlock.c @@ -33,6 +33,7 @@ #if defined(MBEDTLS_HAVE_X86) +#if !defined(MBEDTLS_AES_HAS_NO_BUILTIN) /* * PadLock detection routine */ @@ -62,6 +63,7 @@ int mbedtls_padlock_has_support(int feature) return flags & feature; } +#endif /* * PadLock AES-ECB block en(de)cryption diff --git a/library/padlock.h b/library/padlock.h index b5f0d7d7a..10c1c6994 100644 --- a/library/padlock.h +++ b/library/padlock.h @@ -41,7 +41,6 @@ /* Some versions of ASan result in errors about not enough registers */ #if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && defined(__i386__) && \ !defined(MBEDTLS_HAVE_ASAN) - #ifndef MBEDTLS_HAVE_X86 #define MBEDTLS_HAVE_X86 #endif @@ -69,7 +68,11 @@ extern "C" { * * \return non-zero if CPU has support for the feature, 0 otherwise */ +#if !defined(MBEDTLS_AES_HAS_NO_BUILTIN) int mbedtls_padlock_has_support(int feature); +#else +#define /* no-check-names */ mbedtls_padlock_has_support(feature) 1 +#endif /** * \brief Internal PadLock AES-ECB block en(de)cryption From d767cc4106f3a88f25fb6ada9010816e262e1e02 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 31 Mar 2023 15:03:55 +0800 Subject: [PATCH 113/222] Add accelerator only tests. The cases with runtime detection have been covered by `full` configuration Signed-off-by: Jerry Yu --- .travis.yml | 25 +++++++++++++++++++++++++ tests/scripts/all.sh | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 62 insertions(+) diff --git a/.travis.yml b/.travis.yml index bf5ccd96e..7ed130aa9 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -129,6 +129,31 @@ jobs: - tests/scripts/travis-log-failure.sh - tests/context-info.sh + - name: Arm64 accelerators tests on arm64 host + os: linux + dist: focal + arch: arm64 + addons: + apt: + packages: + - gcc + script: + # Do a manual build+test sequence rather than using all.sh. + # + # This is arm64 host only test for no runtime detection case. Internal + # and Open CI do not include Arm64 host, and they check if components + # are be tested. As result, it will always fail on `pre-test-check` in + # them. + - scripts/config.py unset MBEDTLS_AESNI_C + - scripts/config.py unset MBEDTLS_PADLOCK_C + - scripts/config.py set MBEDTLS_AESCE_C + - scripts/config.py set MBEDTLS_AES_HAS_NO_BUILTIN + - make generated_files + - make + - programs/test/selftest + - tests/scripts/travis-log-failure.sh + - tests/context-info.sh + after_failure: - tests/scripts/travis-log-failure.sh diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 97c01f303..8dd6b8cec 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -4941,6 +4941,43 @@ component_check_test_helpers () { python3 -m unittest tests/scripts/translate_ciphers.py 2>&1 } +component_test_aes_builtin_only () { + msg "Test: AES builtin only" + scripts/config.py unset MBEDTLS_AESNI_C + scripts/config.py unset MBEDTLS_PADLOCK_C + scripts/config.py unset MBEDTLS_AESCE_C + scripts/config.py unset MBEDTLS_AES_HAS_NO_BUILTIN + msg "build: make, AES built-in only" # ~10s + make + + msg "selftest: AES built-in only" # ~10s + programs/test/selftest +} + +component_test_aes_aesni_only () { + msg "Test: AESNI only" + scripts/config.py set MBEDTLS_AESNI_C + scripts/config.py unset MBEDTLS_PADLOCK_C + scripts/config.py unset MBEDTLS_AESCE_C + scripts/config.py set MBEDTLS_AES_HAS_NO_BUILTIN + msg "build: AESNI only" # ~10s + make + + msg "selftest: AESNI only" # ~10s + programs/test/selftest +} + +component_test_aes_padlock_only () { + msg "Test: AES, VIA padlock only" + scripts/config.py unset MBEDTLS_AESNI_C + scripts/config.py set MBEDTLS_PADLOCK_C + scripts/config.py unset MBEDTLS_AESCE_C + scripts/config.py set MBEDTLS_AES_HAS_NO_BUILTIN + msg "build: AES, VIA padlock only" # ~10s + make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O2" LDFLAGS="-m32 $ASAN_CFLAGS" + +} + ################################################################ #### Termination ################################################################ From 2f26a599101613881767778164f21e4d6b79bfd9 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 31 Mar 2023 15:06:33 +0800 Subject: [PATCH 114/222] Add std output information for AESCE in gcm Signed-off-by: Jerry Yu --- library/gcm.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/library/gcm.c b/library/gcm.c index a05e4c30f..d49725c69 100644 --- a/library/gcm.c +++ b/library/gcm.c 
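Review bot: `component_test_aes_padlock_only` announces "Test:" but stops after `make`, so the PadLock-only configuration is compiled and never executed, unlike the two components above it, which run `programs/test/selftest`. If that is deliberate because the CI hosts have no PadLock unit (with `MBEDTLS_AES_HAS_NO_BUILTIN` set the support check is compiled out, so running would presumably fault), rename it to a build component and say so in the body: `# Build only: no PadLock hardware on CI hosts, and runtime detection is disabled.` The same concern applies to `component_test_aes_aesni_only`, which does run the selftest and therefore needs a host with AES-NI; nothing in the hunk restricts it to such hosts, so a matching `support_test_aes_aesni_only` guard would be worth adding if `all.sh` can run on other architectures.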
@@ -884,6 +884,13 @@ int mbedtls_gcm_self_test(int verbose) mbedtls_printf(" GCM note: using AESNI.\n"); } else #endif + +#if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64) + if (mbedtls_aesce_has_support()) { + mbedtls_printf(" GCM note: using AESCE.\n"); + } else +#endif + mbedtls_printf(" GCM note: built-in implementation.\n"); #endif /* MBEDTLS_GCM_ALT */ } From 315fd30201d8866e15e28c9fb5f2b0cf22c47cd5 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 18 Apr 2023 11:19:54 +0800 Subject: [PATCH 115/222] Rename plain c disable option Signed-off-by: Jerry Yu --- .travis.yml | 2 +- include/mbedtls/mbedtls_config.h | 2 +- library/aesce.c | 2 +- library/aesce.h | 2 +- library/aesni.c | 4 ++-- library/aesni.h | 2 +- library/padlock.c | 2 +- library/padlock.h | 2 +- tests/scripts/all.sh | 6 +++--- 9 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.travis.yml b/.travis.yml index 7ed130aa9..04647be63 100644 --- a/.travis.yml +++ b/.travis.yml @@ -147,7 +147,7 @@ jobs: - scripts/config.py unset MBEDTLS_AESNI_C - scripts/config.py unset MBEDTLS_PADLOCK_C - scripts/config.py set MBEDTLS_AESCE_C - - scripts/config.py set MBEDTLS_AES_HAS_NO_BUILTIN + - scripts/config.py set MBEDTLS_AES_HAS_NO_PLAIN_C - make generated_files - make - programs/test/selftest diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index a086bfe5d..d5753ca2f 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -4009,6 +4009,6 @@ /* * Platform independent implementation for crypto algorithms. */ -//#define MBEDTLS_AES_HAS_NO_BUILTIN /* Uncomment to disable built-in platform independent code of AES */ +//#define MBEDTLS_AES_HAS_NO_PLAIN_C /* Uncomment to disable built-in platform independent code of AES */ /** \} name SECTION: Module configuration options */ diff --git a/library/aesce.c b/library/aesce.c index baa01dbd6..982cad693 100644 --- a/library/aesce.c +++ b/library/aesce.c 
@@ -99,7 +99,7 @@ #include #endif -#if !defined(MBEDTLS_AES_HAS_NO_BUILTIN) +#if !defined(MBEDTLS_AES_HAS_NO_PLAIN_C) /* * AES instruction support detection routine */ diff --git a/library/aesce.h b/library/aesce.h index b166e15c1..1b2edad41 100644 --- a/library/aesce.h +++ b/library/aesce.h @@ -47,7 +47,7 @@ extern "C" { * * \return 1 if CPU has support for the feature, 0 otherwise */ -#if !defined(MBEDTLS_AES_HAS_NO_BUILTIN) +#if !defined(MBEDTLS_AES_HAS_NO_PLAIN_C) int mbedtls_aesce_has_support(void); #else #define /* no-check-names */ mbedtls_aesce_has_support() 1 diff --git a/library/aesni.c b/library/aesni.c index b6d119179..766b6713c 100644 --- a/library/aesni.c +++ b/library/aesni.c @@ -39,7 +39,7 @@ #include #endif -#if !defined(MBEDTLS_AES_HAS_NO_BUILTIN) +#if !defined(MBEDTLS_AES_HAS_NO_PLAIN_C) /* * AES-NI support detection routine */ @@ -69,7 +69,7 @@ int mbedtls_aesni_has_support(unsigned int what) return (c & what) != 0; } -#endif /* !MBEDTLS_AES_HAS_NO_BUILTIN */ +#endif /* !MBEDTLS_AES_HAS_NO_PLAIN_C */ #if MBEDTLS_AESNI_HAVE_CODE == 2 diff --git a/library/aesni.h b/library/aesni.h index fa1f369ed..341350a1e 100644 --- a/library/aesni.h +++ b/library/aesni.h @@ -88,7 +88,7 @@ extern "C" { * * \return 1 if CPU has support for the feature, 0 otherwise */ -#if !defined(MBEDTLS_AES_HAS_NO_BUILTIN) +#if !defined(MBEDTLS_AES_HAS_NO_PLAIN_C) int mbedtls_aesni_has_support(unsigned int what); #else #define /* no-check-names */ mbedtls_aesni_has_support(what) 1 diff --git a/library/padlock.c b/library/padlock.c index 111b28cf8..eeb6368fa 100644 --- a/library/padlock.c +++ b/library/padlock.c @@ -33,7 +33,7 @@ #if defined(MBEDTLS_HAVE_X86) -#if !defined(MBEDTLS_AES_HAS_NO_BUILTIN) +#if !defined(MBEDTLS_AES_HAS_NO_PLAIN_C) /* * PadLock detection routine */ diff --git a/library/padlock.h b/library/padlock.h index 10c1c6994..7ec960d7a 100644 --- a/library/padlock.h +++ b/library/padlock.h 
@@ -68,7 +68,7 @@ extern "C" { * * \return non-zero if CPU has support for the feature, 0 otherwise */ -#if !defined(MBEDTLS_AES_HAS_NO_BUILTIN) +#if !defined(MBEDTLS_AES_HAS_NO_PLAIN_C) int mbedtls_padlock_has_support(int feature); #else #define /* no-check-names */ mbedtls_padlock_has_support(feature) 1 diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 8dd6b8cec..20ced44d4 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -4946,7 +4946,7 @@ component_test_aes_builtin_only () { scripts/config.py unset MBEDTLS_AESNI_C scripts/config.py unset MBEDTLS_PADLOCK_C scripts/config.py unset MBEDTLS_AESCE_C - scripts/config.py unset MBEDTLS_AES_HAS_NO_BUILTIN + scripts/config.py unset MBEDTLS_AES_HAS_NO_PLAIN_C msg "build: make, AES built-in only" # ~10s make @@ -4959,7 +4959,7 @@ component_test_aes_aesni_only () { scripts/config.py set MBEDTLS_AESNI_C scripts/config.py unset MBEDTLS_PADLOCK_C scripts/config.py unset MBEDTLS_AESCE_C - scripts/config.py set MBEDTLS_AES_HAS_NO_BUILTIN + scripts/config.py set MBEDTLS_AES_HAS_NO_PLAIN_C msg "build: AESNI only" # ~10s make @@ -4972,7 +4972,7 @@ component_test_aes_padlock_only () { scripts/config.py unset MBEDTLS_AESNI_C scripts/config.py set MBEDTLS_PADLOCK_C scripts/config.py unset MBEDTLS_AESCE_C - scripts/config.py set MBEDTLS_AES_HAS_NO_BUILTIN + scripts/config.py set MBEDTLS_AES_HAS_NO_PLAIN_C msg "build: AES, VIA padlock only" # ~10s make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O2" LDFLAGS="-m32 $ASAN_CFLAGS" From 4d030f3acd1ea6062ee144c1912ab38bdca36265 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 18 Apr 2023 11:25:18 +0800 Subject: [PATCH 116/222] Add check for no aes implementation provided Signed-off-by: Jerry Yu --- library/aesce.h | 3 +++ library/aesni.h | 3 +++ library/padlock.h | 4 ++++ 3 files changed, 10 insertions(+) diff --git a/library/aesce.h b/library/aesce.h index 1b2edad41..a67fc0d9c 100644 --- a/library/aesce.h +++ b/library/aesce.h 
@@ -33,6 +33,9 @@ #if !defined(MBEDTLS_HAVE_ARM64) #if defined(__aarch64__) || defined(_M_ARM64) || defined(_M_ARM64EC) #define MBEDTLS_HAVE_ARM64 +#if !defined(MBEDTLS_AESCE_C) && !defined(MBEDTLS_AES_HAS_NO_PLAIN_C) +#error "MBEDTLS_AESCE_C defined, but not all prerequisites" +#endif #endif #endif diff --git a/library/aesni.h b/library/aesni.h index 341350a1e..1c960703f 100644 --- a/library/aesni.h +++ b/library/aesni.h @@ -39,6 +39,9 @@ (defined(__amd64__) || defined(__x86_64__)) && \ !defined(MBEDTLS_HAVE_X86_64) #define MBEDTLS_HAVE_X86_64 +#if !defined(MBEDTLS_AESNI_C) && !defined(MBEDTLS_AES_HAS_NO_PLAIN_C) +#error "MBEDTLS_AESCE_C defined, but not all prerequisites" +#endif #endif #if defined(MBEDTLS_AESNI_C) diff --git a/library/padlock.h b/library/padlock.h index 7ec960d7a..415838685 100644 --- a/library/padlock.h +++ b/library/padlock.h @@ -47,6 +47,10 @@ #include +#if !defined(MBEDTLS_PADLOCK_C) && !defined(MBEDTLS_AES_HAS_NO_PLAIN_C) +#error "MBEDTLS_AESCE_C defined, but not all prerequisites" +#endif + #define MBEDTLS_PADLOCK_RNG 0x000C #define MBEDTLS_PADLOCK_ACE 0x00C0 #define MBEDTLS_PADLOCK_PHE 0x0C00 From 1b3ab36b5596cb90b328907f3b2d659e2aaa49eb Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 18 Apr 2023 11:27:00 +0800 Subject: [PATCH 117/222] Update comments Signed-off-by: Jerry Yu --- include/mbedtls/mbedtls_config.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index d5753ca2f..894ee7897 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -4008,7 +4008,8 @@ /* * Platform independent implementation for crypto algorithms. + * Disable plain c implementation for AES. */ -//#define MBEDTLS_AES_HAS_NO_PLAIN_C /* Uncomment to disable built-in platform independent code of AES */ +//#define MBEDTLS_AES_HAS_NO_PLAIN_C /* Uncomment to disable plain c implementation of AES */ /** \} name SECTION: Module configuration options */ 
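Review bot: The new guard in `library/aesce.h` reads `#if !defined(MBEDTLS_AESCE_C) && !defined(MBEDTLS_AES_HAS_NO_PLAIN_C)`, which fires when the accelerator is off and the plain C code is still available, and stays silent in the case the commit title describes: accelerator off and plain C disabled, which leaves no AES implementation in the build. The second test looks inverted; I would expect `#if !defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_AES_HAS_NO_PLAIN_C)`, and the same change in the `aesni.h` and `padlock.h` hunks. The message also contradicts the condition and, in the other two headers, names the wrong option; something like `#error "MBEDTLS_AES_HAS_NO_PLAIN_C defined, but MBEDTLS_AESNI_C is not"` (and the AESCE and PadLock equivalents) tells the user what to change. The surrounding platform `#if` blocks start outside these hunks, so confirm the guard sits where the intended architecture test applies.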
From 3fcf2b505341cc7204513c9dde5faffe18c4a1d9 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 18 Apr 2023 15:57:16 +0800 Subject: [PATCH 118/222] Rename HAS_NO_PLAIN_C to DONT_USE_SOFTWARE_CRYPTO Signed-off-by: Jerry Yu --- .travis.yml | 2 +- include/mbedtls/mbedtls_config.h | 2 +- library/aesce.c | 2 +- library/aesce.h | 4 ++-- library/aesni.c | 4 ++-- library/aesni.h | 4 ++-- library/padlock.c | 2 +- library/padlock.h | 4 ++-- tests/scripts/all.sh | 6 +++--- 9 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.travis.yml b/.travis.yml index 04647be63..10d67ee2e 100644 --- a/.travis.yml +++ b/.travis.yml @@ -147,7 +147,7 @@ jobs: - scripts/config.py unset MBEDTLS_AESNI_C - scripts/config.py unset MBEDTLS_PADLOCK_C - scripts/config.py set MBEDTLS_AESCE_C - - scripts/config.py set MBEDTLS_AES_HAS_NO_PLAIN_C + - scripts/config.py set MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO - make generated_files - make - programs/test/selftest diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 894ee7897..a1b564f28 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -4010,6 +4010,6 @@ * Platform independent implementation for crypto algorithms. * Disable plain c implementation for AES. */ -//#define MBEDTLS_AES_HAS_NO_PLAIN_C /* Uncomment to disable plain c implementation of AES */ +//#define MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO /* Uncomment to disable plain c implementation of AES */ /** \} name SECTION: Module configuration options */ diff --git a/library/aesce.c b/library/aesce.c index 982cad693..4b7e04819 100644 --- a/library/aesce.c +++ b/library/aesce.c @@ -99,7 +99,7 @@ #include #endif -#if !defined(MBEDTLS_AES_HAS_NO_PLAIN_C) +#if !defined(MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO) /* * AES instruction support detection routine */ diff --git a/library/aesce.h b/library/aesce.h index a67fc0d9c..900eac713 100644 --- a/library/aesce.h +++ b/library/aesce.h 
@@ -33,7 +33,7 @@ #if !defined(MBEDTLS_HAVE_ARM64) #if defined(__aarch64__) || defined(_M_ARM64) || defined(_M_ARM64EC) #define MBEDTLS_HAVE_ARM64 -#if !defined(MBEDTLS_AESCE_C) && !defined(MBEDTLS_AES_HAS_NO_PLAIN_C) +#if !defined(MBEDTLS_AESCE_C) && !defined(MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO) #error "MBEDTLS_AESCE_C defined, but not all prerequisites" #endif #endif @@ -50,7 +50,7 @@ extern "C" { * * \return 1 if CPU has support for the feature, 0 otherwise */ -#if !defined(MBEDTLS_AES_HAS_NO_PLAIN_C) +#if !defined(MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO) int mbedtls_aesce_has_support(void); #else #define /* no-check-names */ mbedtls_aesce_has_support() 1 diff --git a/library/aesni.c b/library/aesni.c index 766b6713c..31321c43d 100644 --- a/library/aesni.c +++ b/library/aesni.c @@ -39,7 +39,7 @@ #include #endif -#if !defined(MBEDTLS_AES_HAS_NO_PLAIN_C) +#if !defined(MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO) /* * AES-NI support detection routine */ @@ -69,7 +69,7 @@ int mbedtls_aesni_has_support(unsigned int what) return (c & what) != 0; } -#endif /* !MBEDTLS_AES_HAS_NO_PLAIN_C */ +#endif /* !MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO */ #if MBEDTLS_AESNI_HAVE_CODE == 2 diff --git a/library/aesni.h b/library/aesni.h index 1c960703f..1302a11f7 100644 --- a/library/aesni.h +++ b/library/aesni.h @@ -39,7 +39,7 @@ (defined(__amd64__) || defined(__x86_64__)) && \ !defined(MBEDTLS_HAVE_X86_64) #define MBEDTLS_HAVE_X86_64 -#if !defined(MBEDTLS_AESNI_C) && !defined(MBEDTLS_AES_HAS_NO_PLAIN_C) +#if !defined(MBEDTLS_AESNI_C) && !defined(MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO) #error "MBEDTLS_AESCE_C defined, but not all prerequisites" #endif #endif @@ -91,7 +91,7 @@ extern "C" { * * \return 1 if CPU has support for the feature, 0 otherwise */ -#if !defined(MBEDTLS_AES_HAS_NO_PLAIN_C) +#if !defined(MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO) int mbedtls_aesni_has_support(unsigned int what); #else #define /* no-check-names */ mbedtls_aesni_has_support(what) 1 
diff --git a/library/padlock.c b/library/padlock.c index eeb6368fa..82b84bfb9 100644 --- a/library/padlock.c +++ b/library/padlock.c @@ -33,7 +33,7 @@ #if defined(MBEDTLS_HAVE_X86) -#if !defined(MBEDTLS_AES_HAS_NO_PLAIN_C) +#if !defined(MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO) /* * PadLock detection routine */ diff --git a/library/padlock.h b/library/padlock.h index 415838685..7356d01c4 100644 --- a/library/padlock.h +++ b/library/padlock.h @@ -47,7 +47,7 @@ #include -#if !defined(MBEDTLS_PADLOCK_C) && !defined(MBEDTLS_AES_HAS_NO_PLAIN_C) +#if !defined(MBEDTLS_PADLOCK_C) && !defined(MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO) #error "MBEDTLS_AESCE_C defined, but not all prerequisites" #endif @@ -72,7 +72,7 @@ extern "C" { * * \return non-zero if CPU has support for the feature, 0 otherwise */ -#if !defined(MBEDTLS_AES_HAS_NO_PLAIN_C) +#if !defined(MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO) int mbedtls_padlock_has_support(int feature); #else #define /* no-check-names */ mbedtls_padlock_has_support(feature) 1 diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 20ced44d4..3ded9d604 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -4946,7 +4946,7 @@ component_test_aes_builtin_only () { scripts/config.py unset MBEDTLS_AESNI_C scripts/config.py unset MBEDTLS_PADLOCK_C scripts/config.py unset MBEDTLS_AESCE_C - scripts/config.py unset MBEDTLS_AES_HAS_NO_PLAIN_C + scripts/config.py unset MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO msg "build: make, AES built-in only" # ~10s make @@ -4959,7 +4959,7 @@ component_test_aes_aesni_only () { scripts/config.py set MBEDTLS_AESNI_C scripts/config.py unset MBEDTLS_PADLOCK_C scripts/config.py unset MBEDTLS_AESCE_C - scripts/config.py set MBEDTLS_AES_HAS_NO_PLAIN_C + scripts/config.py set MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO msg "build: AESNI only" # ~10s make 
@@ -4972,7 +4972,7 @@ component_test_aes_padlock_only () { scripts/config.py unset MBEDTLS_AESNI_C scripts/config.py set MBEDTLS_PADLOCK_C scripts/config.py unset MBEDTLS_AESCE_C - scripts/config.py set MBEDTLS_AES_HAS_NO_PLAIN_C + scripts/config.py set MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO msg "build: AES, VIA padlock only" # ~10s make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O2" LDFLAGS="-m32 $ASAN_CFLAGS" From 8840a8c5740671f6ce3b8b6996cec23be9e95217 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 19 Apr 2023 10:18:50 +0800 Subject: [PATCH 119/222] fix wrong checks Signed-off-by: Jerry Yu --- library/aesce.h | 4 ++-- library/aesni.h | 4 ++-- library/padlock.h | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/library/aesce.h b/library/aesce.h index 900eac713..0af8f61ef 100644 --- a/library/aesce.h +++ b/library/aesce.h @@ -33,8 +33,8 @@ #if !defined(MBEDTLS_HAVE_ARM64) #if defined(__aarch64__) || defined(_M_ARM64) || defined(_M_ARM64EC) #define MBEDTLS_HAVE_ARM64 -#if !defined(MBEDTLS_AESCE_C) && !defined(MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO) -#error "MBEDTLS_AESCE_C defined, but not all prerequisites" +#if !defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO) +#error "MBEDTLS_AES_C defined, but not all prerequisites" #endif #endif #endif diff --git a/library/aesni.h b/library/aesni.h index 1302a11f7..dddbf99b8 100644 --- a/library/aesni.h +++ b/library/aesni.h @@ -39,8 +39,8 @@ (defined(__amd64__) || defined(__x86_64__)) && \ !defined(MBEDTLS_HAVE_X86_64) #define MBEDTLS_HAVE_X86_64 -#if !defined(MBEDTLS_AESNI_C) && !defined(MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO) -#error "MBEDTLS_AESCE_C defined, but not all prerequisites" +#if !defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO) +#error "MBEDTLS_AES_C defined, but not all prerequisites" #endif #endif diff --git a/library/padlock.h b/library/padlock.h index 7356d01c4..3b20d4298 100644 --- a/library/padlock.h +++ b/library/padlock.h 
@@ -47,8 +47,8 @@ #include -#if !defined(MBEDTLS_PADLOCK_C) && !defined(MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO) -#error "MBEDTLS_AESCE_C defined, but not all prerequisites" +#if !defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO) +#error "MBEDTLS_AES_C defined, but not all prerequisites" #endif #define MBEDTLS_PADLOCK_RNG 0x000C From 3660623e59ee8ac9f0d4ec4bdd0f891424f074a5 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 19 Apr 2023 10:44:29 +0800 Subject: [PATCH 120/222] Rename plain c option and update comments Signed-off-by: Jerry Yu --- .travis.yml | 2 +- include/mbedtls/mbedtls_config.h | 10 ++++++++-- library/aesce.c | 2 +- library/aesce.h | 4 ++-- library/aesni.c | 4 ++-- library/aesni.h | 4 ++-- library/padlock.c | 2 +- library/padlock.h | 4 ++-- tests/scripts/all.sh | 8 ++++---- 9 files changed, 23 insertions(+), 17 deletions(-) diff --git a/.travis.yml b/.travis.yml index 10d67ee2e..26e6c578d 100644 --- a/.travis.yml +++ b/.travis.yml @@ -147,7 +147,7 @@ jobs: - scripts/config.py unset MBEDTLS_AESNI_C - scripts/config.py unset MBEDTLS_PADLOCK_C - scripts/config.py set MBEDTLS_AESCE_C - - scripts/config.py set MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO + - scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY - make generated_files - make - programs/test/selftest diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index a1b564f28..5474060a7 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h 
@@ -4008,8 +4008,14 @@ /* * Platform independent implementation for crypto algorithms. - * Disable plain c implementation for AES. + * Disable plain C implementation for AES. + * + * If the plain C implementation is enabled, and an implementation using a + * special CPU feature (such as MBEDTLS_AESCE_C) is also enabled, runtime + * detection will be used to select between them. + * + * If only one implementation is present, runtime detection will not be used. */ -//#define MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO /* Uncomment to disable plain c implementation of AES */ +//#define MBEDTLS_AES_USE_HARDWARE_ONLY /** \} name SECTION: Module configuration options */ diff --git a/library/aesce.c b/library/aesce.c index 4b7e04819..8aa07894f 100644 --- a/library/aesce.c +++ b/library/aesce.c @@ -99,7 +99,7 @@ #include #endif -#if !defined(MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO) +#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) /* * AES instruction support detection routine */ diff --git a/library/aesce.h b/library/aesce.h index 0af8f61ef..7e9c12a3c 100644 --- a/library/aesce.h +++ b/library/aesce.h @@ -33,7 +33,7 @@ #if !defined(MBEDTLS_HAVE_ARM64) #if defined(__aarch64__) || defined(_M_ARM64) || defined(_M_ARM64EC) #define MBEDTLS_HAVE_ARM64 -#if !defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO) +#if !defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY) #error "MBEDTLS_AES_C defined, but not all prerequisites" #endif #endif @@ -50,7 +50,7 @@ extern "C" { * * \return 1 if CPU has support for the feature, 0 otherwise */ -#if !defined(MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO) +#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) int mbedtls_aesce_has_support(void); #else #define /* no-check-names */ mbedtls_aesce_has_support() 1 diff --git a/library/aesni.c b/library/aesni.c index 31321c43d..cc3a3b3f3 100644 --- a/library/aesni.c +++ b/library/aesni.c 
@@ -39,7 +39,7 @@ #include #endif -#if !defined(MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO) +#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) /* * AES-NI support detection routine */ @@ -69,7 +69,7 @@ int mbedtls_aesni_has_support(unsigned int what) return (c & what) != 0; } -#endif /* !MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO */ +#endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */ #if MBEDTLS_AESNI_HAVE_CODE == 2 diff --git a/library/aesni.h b/library/aesni.h index dddbf99b8..c17b61355 100644 --- a/library/aesni.h +++ b/library/aesni.h @@ -39,7 +39,7 @@ (defined(__amd64__) || defined(__x86_64__)) && \ !defined(MBEDTLS_HAVE_X86_64) #define MBEDTLS_HAVE_X86_64 -#if !defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO) +#if !defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY) #error "MBEDTLS_AES_C defined, but not all prerequisites" #endif #endif @@ -91,7 +91,7 @@ extern "C" { * * \return 1 if CPU has support for the feature, 0 otherwise */ -#if !defined(MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO) +#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) int mbedtls_aesni_has_support(unsigned int what); #else #define /* no-check-names */ mbedtls_aesni_has_support(what) 1 diff --git a/library/padlock.c b/library/padlock.c index 82b84bfb9..001172200 100644 --- a/library/padlock.c +++ b/library/padlock.c @@ -33,7 +33,7 @@ #if defined(MBEDTLS_HAVE_X86) -#if !defined(MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO) +#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) /* * PadLock detection routine */ diff --git a/library/padlock.h b/library/padlock.h index 3b20d4298..ad407f2ea 100644 --- a/library/padlock.h +++ b/library/padlock.h @@ -47,7 +47,7 @@ #include -#if !defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO) +#if !defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY) #error "MBEDTLS_AES_C defined, but not all prerequisites" #endif 
@@ -72,7 +72,7 @@ extern "C" { * * \return non-zero if CPU has support for the feature, 0 otherwise */ -#if !defined(MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO) +#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) int mbedtls_padlock_has_support(int feature); #else #define /* no-check-names */ mbedtls_padlock_has_support(feature) 1 diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 3ded9d604..c2704a97f 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -4941,12 +4941,12 @@ component_check_test_helpers () { python3 -m unittest tests/scripts/translate_ciphers.py 2>&1 } -component_test_aes_builtin_only () { +component_test_aes_donot_use_hardware () { msg "Test: AES builtin only" scripts/config.py unset MBEDTLS_AESNI_C scripts/config.py unset MBEDTLS_PADLOCK_C scripts/config.py unset MBEDTLS_AESCE_C - scripts/config.py unset MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO + scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY msg "build: make, AES built-in only" # ~10s make @@ -4959,7 +4959,7 @@ component_test_aes_aesni_only () { scripts/config.py set MBEDTLS_AESNI_C scripts/config.py unset MBEDTLS_PADLOCK_C scripts/config.py unset MBEDTLS_AESCE_C - scripts/config.py set MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO + scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY msg "build: AESNI only" # ~10s make @@ -4972,7 +4972,7 @@ component_test_aes_padlock_only () { scripts/config.py unset MBEDTLS_AESNI_C scripts/config.py set MBEDTLS_PADLOCK_C scripts/config.py unset MBEDTLS_AESCE_C - scripts/config.py set MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO + scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY msg "build: AES, VIA padlock only" # ~10s make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O2" LDFLAGS="-m32 $ASAN_CFLAGS" From d76ded046c60aaabbc66661c6cbd9292cddc416d Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 19 Apr 2023 11:07:40 +0800 Subject: [PATCH 121/222] fix various issues - unnecessary command - extra blank and empty line 
Signed-off-by: Jerry Yu --- .travis.yml | 1 - library/padlock.h | 1 + tests/scripts/all.sh | 5 ++--- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/.travis.yml b/.travis.yml index 26e6c578d..75f4c6464 100644 --- a/.travis.yml +++ b/.travis.yml @@ -151,7 +151,6 @@ jobs: - make generated_files - make - programs/test/selftest - - tests/scripts/travis-log-failure.sh - tests/context-info.sh after_failure: diff --git a/library/padlock.h b/library/padlock.h index ad407f2ea..4de462ca0 100644 --- a/library/padlock.h +++ b/library/padlock.h @@ -41,6 +41,7 @@ /* Some versions of ASan result in errors about not enough registers */ #if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && defined(__i386__) && \ !defined(MBEDTLS_HAVE_ASAN) + #ifndef MBEDTLS_HAVE_X86 #define MBEDTLS_HAVE_X86 #endif diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index c2704a97f..c34fe990c 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -4960,10 +4960,10 @@ component_test_aes_aesni_only () { scripts/config.py unset MBEDTLS_PADLOCK_C scripts/config.py unset MBEDTLS_AESCE_C scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY - msg "build: AESNI only" # ~10s + msg "build: AESNI only" # ~10s make - msg "selftest: AESNI only" # ~10s + msg "selftest: AESNI only" # ~10s programs/test/selftest } @@ -4975,7 +4975,6 @@ component_test_aes_padlock_only () { scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY msg "build: AES, VIA padlock only" # ~10s make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O2" LDFLAGS="-m32 $ASAN_CFLAGS" - } ################################################################ From 4dfbb2e7476d93f0f20cedc1a180be6cc51166d2 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Sun, 23 Apr 2023 14:30:34 +0800 Subject: [PATCH 122/222] add changelog entry Signed-off-by: Jerry Yu --- ChangeLog.d/add-aes-hardware-only-option.txt | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 ChangeLog.d/add-aes-hardware-only-option.txt 
diff --git a/ChangeLog.d/add-aes-hardware-only-option.txt b/ChangeLog.d/add-aes-hardware-only-option.txt new file mode 100644 index 000000000..69db58ece --- /dev/null +++ b/ChangeLog.d/add-aes-hardware-only-option.txt @@ -0,0 +1,6 @@ +Features + * New configuration option MBEDTLS_AES_USE_HARDWARE_ONLY introduced. When using + CPU-accelerated AES (e.g., Arm Crypto Extensions), this option disables + the plain C implementation and the run-time detection for the CPU feature, + which reduces code size and avoid the vulnerability of the plain C + implementation. From 02b1519ab6f7ab297161a2212dd2d6cf95d1a71e Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Sun, 23 Apr 2023 14:43:19 +0800 Subject: [PATCH 123/222] move accelerator checks to `aes.c` Origin position is always validate due to conflict between the guards in `aes.c` and module undef check Signed-off-by: Jerry Yu --- library/aes.c | 27 +++++++++++++++++++++++++++ library/aesce.h | 3 --- library/aesni.h | 3 --- library/padlock.h | 4 ---- 4 files changed, 27 insertions(+), 10 deletions(-) diff --git a/library/aes.c b/library/aes.c index 6d718f461..d6ecdcca5 100644 --- a/library/aes.c +++ b/library/aes.c 
@@ -33,6 +33,33 @@ #include "mbedtls/platform.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" + +#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && \ + defined(__aarch64__) && !defined(MBEDTLS_HAVE_ARM64) +#define MBEDTLS_HAVE_ARM64 +#if !defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY) +#error "MBEDTLS_AES_C defined, but not all prerequisites" +#endif +#endif + +#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && \ + (defined(__amd64__) || defined(__x86_64__)) && \ + !defined(MBEDTLS_HAVE_X86_64) +#define MBEDTLS_HAVE_X86_64 +#if !defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY) +#error "MBEDTLS_AES_C defined, but not all prerequisites" +#endif +#endif + +#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && defined(__i386__) && \ + !defined(MBEDTLS_HAVE_ASAN) +#define MBEDTLS_HAVE_X86 + +#if !defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY) +#error "MBEDTLS_AES_C defined, but not all prerequisites" +#endif +#endif + #if defined(MBEDTLS_PADLOCK_C) #include "padlock.h" #endif diff --git a/library/aesce.h b/library/aesce.h index 7e9c12a3c..fbf545649 100644 --- a/library/aesce.h +++ b/library/aesce.h @@ -33,9 +33,6 @@ #if !defined(MBEDTLS_HAVE_ARM64) #if defined(__aarch64__) || defined(_M_ARM64) || defined(_M_ARM64EC) #define MBEDTLS_HAVE_ARM64 -#if !defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY) -#error "MBEDTLS_AES_C defined, but not all prerequisites" -#endif #endif #endif diff --git a/library/aesni.h b/library/aesni.h index c17b61355..6b5afb9b5 100644 --- a/library/aesni.h +++ b/library/aesni.h @@ -39,9 +39,6 @@ (defined(__amd64__) || defined(__x86_64__)) && \ !defined(MBEDTLS_HAVE_X86_64) #define MBEDTLS_HAVE_X86_64 -#if !defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY) -#error "MBEDTLS_AES_C defined, but not all prerequisites" -#endif #endif #if defined(MBEDTLS_AESNI_C) 
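Review bot: The relocated checks in `library/aes.c` can only fail the build on the three targets they name, and only when `MBEDTLS_HAVE_ASM` and `__GNUC__` are set (plus `!MBEDTLS_HAVE_ASAN` for i386). On any other compiler or architecture, `MBEDTLS_AES_USE_HARDWARE_ONLY` with no accelerator module enabled passes silently; the `aesce.h` context on this page, for instance, also accepts `_M_ARM64`, which these checks never see. `mbedtls_config.h` describes the option as disabling the plain C AES, so such a build would not be what the user asked for. A check that does not depend on the detection macros closes the gap: `#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY) && !defined(MBEDTLS_AESCE_C) && !defined(MBEDTLS_AESNI_C) && !defined(MBEDTLS_PADLOCK_C)` followed by the same `#error` and `#endif`. The i386 block also defines `MBEDTLS_HAVE_X86` without the `!defined(MBEDTLS_HAVE_X86)` test that the other two blocks apply to their own macro.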
diff --git a/library/padlock.h b/library/padlock.h index 4de462ca0..c031f4bb5 100644 --- a/library/padlock.h +++ b/library/padlock.h @@ -48,10 +48,6 @@ #include -#if !defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY) -#error "MBEDTLS_AES_C defined, but not all prerequisites" -#endif - #define MBEDTLS_PADLOCK_RNG 0x000C #define MBEDTLS_PADLOCK_ACE 0x00C0 #define MBEDTLS_PADLOCK_PHE 0x0C00 From 9e3e3dd45bb761424c7370fdb7c1e0f6d72e7499 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 24 Apr 2023 17:19:38 +0800 Subject: [PATCH 124/222] Fix code-style too-long line fail Signed-off-by: Jerry Yu --- ChangeLog.d/add-aes-hardware-only-option.txt | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ChangeLog.d/add-aes-hardware-only-option.txt b/ChangeLog.d/add-aes-hardware-only-option.txt index 69db58ece..2461479e6 100644 --- a/ChangeLog.d/add-aes-hardware-only-option.txt +++ b/ChangeLog.d/add-aes-hardware-only-option.txt @@ -1,6 +1,6 @@ Features - * New configuration option MBEDTLS_AES_USE_HARDWARE_ONLY introduced. When using - CPU-accelerated AES (e.g., Arm Crypto Extensions), this option disables - the plain C implementation and the run-time detection for the CPU feature, - which reduces code size and avoid the vulnerability of the plain C - implementation. + * New configuration option MBEDTLS_AES_USE_HARDWARE_ONLY introduced. When + using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option + disables the plain C implementation and the run-time detection for the + CPU feature, which reduces code size and avoid the vulnerability of the + plain C implementation. From e77c4d95a737b80bf239b2ef8fa95a51b9c033e7 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 24 Apr 2023 17:26:44 +0800 Subject: [PATCH 125/222] Mention the crash risk without runtime detection Signed-off-by: Jerry Yu --- include/mbedtls/mbedtls_config.h | 1 + 1 file changed, 1 insertion(+) 
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 5474060a7..6fcd02561 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -4015,6 +4015,7 @@ * detection will be used to select between them. * * If only one implementation is present, runtime detection will not be used. + * This configuration will crash if running on the CPU without needed features. */ //#define MBEDTLS_AES_USE_HARDWARE_ONLY From 69436818205d4c39eb63d06c9d1e66e557a94f2f Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 25 Apr 2023 11:08:30 +0800 Subject: [PATCH 126/222] Improve error message and documents - fix grammar error - Add more information for AES_USE_HARDWARE_ONLY - Improve error message Signed-off-by: Jerry Yu --- ChangeLog.d/add-aes-hardware-only-option.txt | 2 +- include/mbedtls/mbedtls_config.h | 4 +++- library/aes.c | 6 +++--- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/ChangeLog.d/add-aes-hardware-only-option.txt b/ChangeLog.d/add-aes-hardware-only-option.txt index 2461479e6..a185aff2a 100644 --- a/ChangeLog.d/add-aes-hardware-only-option.txt +++ b/ChangeLog.d/add-aes-hardware-only-option.txt @@ -2,5 +2,5 @@ Features * New configuration option MBEDTLS_AES_USE_HARDWARE_ONLY introduced. When using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option disables the plain C implementation and the run-time detection for the - CPU feature, which reduces code size and avoid the vulnerability of the + CPU feature, which reduces code size and avoids the vulnerability of the plain C implementation. diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 6fcd02561..46d3dc28c 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h 
@@ -4015,7 +4015,9 @@ * detection will be used to select between them. * * If only one implementation is present, runtime detection will not be used. - * This configuration will crash if running on the CPU without needed features. + * This configuration will crash at runtime if running on a CPU without the + * necessary features. It will not build unless at least one of MBEDTLS_AESCE_C, + * MBEDTLS_AESNI_C and/or MBEDTLS_PADLOCK_C is enabled & present in the build. */ //#define MBEDTLS_AES_USE_HARDWARE_ONLY diff --git a/library/aes.c b/library/aes.c index d6ecdcca5..00ba40c36 100644 --- a/library/aes.c +++ b/library/aes.c @@ -38,7 +38,7 @@ defined(__aarch64__) && !defined(MBEDTLS_HAVE_ARM64) #define MBEDTLS_HAVE_ARM64 #if !defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY) -#error "MBEDTLS_AES_C defined, but not all prerequisites" +#error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites" #endif #endif @@ -47,7 +47,7 @@ !defined(MBEDTLS_HAVE_X86_64) #define MBEDTLS_HAVE_X86_64 #if !defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY) -#error "MBEDTLS_AES_C defined, but not all prerequisites" +#error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites" #endif #endif @@ -56,7 +56,7 @@ #define MBEDTLS_HAVE_X86 #if !defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY) -#error "MBEDTLS_AES_C defined, but not all prerequisites" +#error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites" #endif #endif From 1414029ff0a0dba76186fb0be9270faafcb0d9cd Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 1 Aug 2023 12:57:52 +0800 Subject: [PATCH 127/222] improve document about hardware only Signed-off-by: Jerry Yu --- include/mbedtls/mbedtls_config.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 46d3dc28c..3dcaa4614 100644 --- a/include/mbedtls/mbedtls_config.h 
+++ b/include/mbedtls/mbedtls_config.h @@ -4007,10 +4007,9 @@ //#define MBEDTLS_ECP_WITH_MPI_UINT /* - * Platform independent implementation for crypto algorithms. * Disable plain C implementation for AES. * - * If the plain C implementation is enabled, and an implementation using a + * When the plain C implementation is enabled, and an implementation using a * special CPU feature (such as MBEDTLS_AESCE_C) is also enabled, runtime * detection will be used to select between them. * From 69dd441eb5878446ce877ea4a4b70dac505a726f Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 2 Aug 2023 17:42:00 +0800 Subject: [PATCH 128/222] Remove test_aes_* Signed-off-by: Jerry Yu --- tests/scripts/all.sh | 35 ----------------------------------- 1 file changed, 35 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index c34fe990c..dee03e950 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -4941,41 +4941,6 @@ component_check_test_helpers () { python3 -m unittest tests/scripts/translate_ciphers.py 2>&1 } -component_test_aes_donot_use_hardware () { - msg "Test: AES builtin only" - scripts/config.py unset MBEDTLS_AESNI_C - scripts/config.py unset MBEDTLS_PADLOCK_C - scripts/config.py unset MBEDTLS_AESCE_C - scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY - msg "build: make, AES built-in only" # ~10s - make - - msg "selftest: AES built-in only" # ~10s - programs/test/selftest -} - -component_test_aes_aesni_only () { - msg "Test: AESNI only" - scripts/config.py set MBEDTLS_AESNI_C - scripts/config.py unset MBEDTLS_PADLOCK_C - scripts/config.py unset MBEDTLS_AESCE_C - scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY - msg "build: AESNI only" # ~10s - make - - msg "selftest: AESNI only" # ~10s - programs/test/selftest -} - -component_test_aes_padlock_only () { - msg "Test: AES, VIA padlock only" - scripts/config.py unset MBEDTLS_AESNI_C - scripts/config.py set MBEDTLS_PADLOCK_C - scripts/config.py unset MBEDTLS_AESCE_C - scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY - msg "build: AES, VIA padlock only" # ~10s - make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O2" LDFLAGS="-m32 $ASAN_CFLAGS" -} ################################################################ #### Termination From 1221a31cc475081ba7e517107431b8069d8330bc Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 3 Aug 2023 16:09:07 +0800 Subject: [PATCH 129/222] Run aes tests only for test_aesni That can reduce time of selftest Signed-off-by: Jerry Yu --- tests/scripts/all.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index dee03e950..012e2a8e1 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -3869,14 +3869,14 @@ component_test_aesni () { # ~ 60s make clean make test programs/test/selftest CC=gcc CFLAGS='-Werror -Wall -Wextra -mpclmul -msse2 -maes' # check that we built intrinsics - this should be used by default when supported by the compiler - ./programs/test/selftest | grep "AESNI code" | grep -q "intrinsics" + ./programs/test/selftest aes | grep "AESNI code" | grep -q "intrinsics" # test the asm implementation msg "AES tests, test assembly" make clean make test programs/test/selftest CC=gcc CFLAGS='-Werror -Wall -Wextra -mno-pclmul -mno-sse2 -mno-aes' # check that we built assembly - this should be built if the compiler does not support intrinsics - ./programs/test/selftest | grep "AESNI code" | grep -q "assembly" + ./programs/test/selftest aes | grep "AESNI code" | grep -q "assembly" # test the plain C implementation scripts/config.py unset MBEDTLS_AESNI_C @@ -3884,7 +3884,7 @@ component_test_aesni () { # ~ 60s make clean make test programs/test/selftest CC=gcc CFLAGS='-O2 -Werror' # check that there is no AESNI code present - ./programs/test/selftest | not grep -q "AESNI code" + ./programs/test/selftest aes | not grep -q "AESNI code" } component_test_aes_only_128_bit_keys () { From 17a9d2e412d74bb39b60d8cc08cfeb46d980ebcb Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 3 Aug 2023 16:14:18 +0800 Subject: [PATCH 130/222] Add MBEDTLS_AES_USE_HADWARE_ONLY for test_aesni Signed-off-by: Jerry Yu --- tests/scripts/all.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 012e2a8e1..a3b720af2 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -3862,6 +3862,7 @@ component_test_aesni () { # ~ 60s msg "build: default config with different AES implementations" scripts/config.py set MBEDTLS_AESNI_C + scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY scripts/config.py set MBEDTLS_HAVE_ASM # test the intrinsics implementation 
@@ -3880,6 +3881,7 @@ component_test_aesni () { # ~ 60s # test the plain C implementation scripts/config.py unset MBEDTLS_AESNI_C + scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY msg "AES tests, plain C" make clean make test programs/test/selftest CC=gcc CFLAGS='-O2 -Werror' From 8a599c03fa63a37490137df66867c17c9d4c102f Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 3 Aug 2023 17:01:02 +0800 Subject: [PATCH 131/222] Add aesni only test Signed-off-by: Jerry Yu --- tests/scripts/all.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index a3b720af2..c23222503 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -3887,6 +3887,15 @@ component_test_aesni () { # ~ 60s make test programs/test/selftest CC=gcc CFLAGS='-O2 -Werror' # check that there is no AESNI code present ./programs/test/selftest aes | not grep -q "AESNI code" + + # test the intrinsics implementation + scripts/config.py set MBEDTLS_AESNI_C + scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY + msg "AES tests, test AESNI only" + make clean + make test programs/test/selftest CC=gcc CFLAGS='-Werror -Wall -Wextra -mpclmul -msse2 -maes' + # check that we built intrinsics - this should be used by default when supported by the compiler + ./programs/test/selftest aes | grep "AES note: using AESNI" } component_test_aes_only_128_bit_keys () { From 193cbc03fe3c2683395fa080c84de0d8a19a3dae Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 3 Aug 2023 17:06:29 +0800 Subject: [PATCH 132/222] Add aesce build test Signed-off-by: Jerry Yu --- tests/scripts/all.sh | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index c23222503..cbd431cff 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -3898,6 +3898,39 @@ component_test_aesni () { # ~ 60s ./programs/test/selftest aes | grep "AES note: using AESNI" } + +# For timebeing, no aarch64 gcc available in CI and no arm64 CI node. +component_build_aes_aesce_armcc () { + msg "Build: AESCE test on arm64 platform without plain C." + scripts/config.py baremetal + + # armc[56] don't support SHA-512 intrinsics + scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT + + # Stop armclang warning about feature detection for A64_CRYPTO. + # With this enabled, the library does build correctly under armclang, + # but in baremetal builds (as tested here), feature detection is + # unavailable, and the user is notified via a #warning. So enabling + # this feature would prevent us from building with -Werror on + # armclang. Tracked in #7198. + scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT + scripts/config.py set MBEDTLS_HAVE_ASM + + msg "AESCE, build with default configuration." + scripts/config.py set MBEDTLS_AESCE_C + scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY + armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto" + + msg "AESCE, build AESCE only" + scripts/config.py set MBEDTLS_AESCE_C + scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY + armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto" +} + +support_build_aes_aesce_armcc () { + support_build_armcc +} + component_test_aes_only_128_bit_keys () { msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH" scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH From c935aa617b5ea999f9c381a056ec623754c068b9 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 3 Aug 2023 17:08:27 +0800 Subject: [PATCH 133/222] Add via padlock build test Signed-off-by: Jerry Yu --- tests/scripts/all.sh | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index cbd431cff..d67b484b1 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -3927,6 +3927,22 @@ component_build_aes_aesce_armcc () { armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto" } +# For timebeing, no VIA Padlock platform available. +component_build_aes_via_padlock () { + + msg "AES:VIA PadLock, build with default configuration." + scripts/config.py set MBEDTLS_PADLOCK_C + scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY + make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O2" LDFLAGS="-m32 $ASAN_CFLAGS" + +} + +support_build_aes_via_padlock_only () { + ( [ "$MBEDTLS_TEST_PLATFORM" == "Linux-x86_64" ] || \ + [ "$MBEDTLS_TEST_PLATFORM" == "Linux-amd64" ] ) && \ + [ "`dpkg --print-foreign-architectures`" == "i386" ] +} + support_build_aes_aesce_armcc () { support_build_armcc } From 2700ef6bb0f5a237e2e446d4e5680ecd0ad14a38 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 3 Aug 2023 17:13:52 +0800 Subject: [PATCH 134/222] Add aesce test string filter Signed-off-by: Jerry Yu --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 75f4c6464..3a608f54e 100644 --- a/.travis.yml +++ b/.travis.yml @@ -150,7 +150,7 @@ jobs: - scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY - make generated_files - make - - programs/test/selftest + - programs/test/selftest aes | grep "using AESCE" - tests/context-info.sh after_failure: From 29c91ba42d05e45fa91d154d1c246c7d3779412b Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 4 Aug 2023 11:02:04 +0800 Subject: [PATCH 135/222] fix unreachable code warnings It is detected by clang with bellow patch ``` diff --git a/library/Makefile b/library/Makefile index fdab4f4ba0..967f9e2e65 100644 --- a/library/Makefile +++ b/library/Makefile 
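Review bot: `support_build_aes_via_padlock_only` does not match the component name `component_build_aes_via_padlock`. If all.sh pairs `support_X` with `component_X`, as `support_build_aes_aesce_armcc` and `component_build_aes_aesce_armcc` in this file suggest, the platform check is never consulted and the `-m32` build runs on hosts without i386 support. Rename it to `support_build_aes_via_padlock () {`. Inside it, `[ "$(dpkg --print-foreign-architectures)" = "i386" ]` is the more portable spelling, but it still fails to match when more than one foreign architecture is configured, so `dpkg --print-foreign-architectures | grep -qx i386` is safer.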
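Review bot: Replacing `- programs/test/selftest` with `- programs/test/selftest aes | grep "using AESCE"` makes the step's result the exit status of `grep`, unless the job shell has `pipefail` set, which is not visible here. A failing AES self-test would then still pass as long as the note is printed. The change also drops every non-AES self-test from this job. Keep the full run and add the string check as its own step: `- programs/test/selftest` followed by `- programs/test/selftest aes | grep -q "using AESCE"`.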
@@ -306,8 +306,8 @@ libmbedcrypto.dll: $(OBJS_CRYPTO) .c.o: echo " CC $<" - $(CC) $(LOCAL_CFLAGS) $(CFLAGS) -o $@ -c $< - + $(CC) $(LOCAL_CFLAGS) $(CFLAGS) -o $(@:%.o=%.i) -E $< + $(CC) $(LOCAL_CFLAGS) -Wunreachable-code -Werror -Wno-unused-command-line-argument $(CFLAGS) -o $@ -c $(@:%.o=%.i) .PHONY: generated_files GENERATED_FILES = \ error.c version_features.c \ ``` Signed-off-by: Jerry Yu --- library/aes.c | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/library/aes.c b/library/aes.c index 00ba40c36..8afa7a65d 100644 --- a/library/aes.c +++ b/library/aes.c @@ -622,7 +622,9 @@ static unsigned mbedtls_aes_rk_offset(uint32_t *buf) int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key, unsigned int keybits) { +#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) unsigned int i; +#endif uint32_t *RK; switch (keybits) { @@ -656,6 +658,7 @@ int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key, } #endif +#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) for (i = 0; i < (keybits >> 5); i++) { RK[i] = MBEDTLS_GET_UINT32_LE(key, i << 2); } @@ -722,6 +725,7 @@ int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key, } return 0; +#endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */ } #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */ @@ -732,10 +736,14 @@ int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key, int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key, unsigned int keybits) { - int i, j, ret; +#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) + int i, j; + uint32_t *SK; +#endif + int ret; mbedtls_aes_context cty; uint32_t *RK; - uint32_t *SK; + mbedtls_aes_init(&cty); @@ -767,6 +775,7 @@ int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key, } #endif +#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) SK = cty.buf + cty.rk_offset + cty.nr * 4; *RK++ = *SK++; 
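Review bot: With MBEDTLS_AES_USE_HARDWARE_ONLY defined, `mbedtls_aes_setkey_enc` now ends at `#endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */` with no `return`, and the `@@ -1095` hunk does the same to `mbedtls_aes_crypt_ecb`. That is only safe when one of the accelerated branches above (outside these hunks) is compiled in and always returns. On any build where it is not, control falls off the end of a non-void function and the round keys or output block are never written. The prerequisite `#error` checks at the top of aes.c are per-architecture, so a target they do not name is not rejected. A single compile-time guard would close this, for example an `#error` when MBEDTLS_AES_USE_HARDWARE_ONLY is set and no accelerated implementation is available, plus a short comment at each `#endif` saying why no return follows.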
@@ -787,7 +796,7 @@ int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key, *RK++ = *SK++; *RK++ = *SK++; *RK++ = *SK++; - +#endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */ exit: mbedtls_aes_free(&cty); @@ -1095,11 +1104,14 @@ int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx, } #endif +#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) if (mode == MBEDTLS_AES_ENCRYPT) { return mbedtls_internal_aes_encrypt(ctx, input, output); } else { return mbedtls_internal_aes_decrypt(ctx, input, output); } +#endif + } #if defined(MBEDTLS_CIPHER_MODE_CBC) @@ -1899,7 +1911,11 @@ int mbedtls_aes_self_test(int verbose) mbedtls_printf(" AES note: using AESCE.\n"); } else #endif - mbedtls_printf(" AES note: built-in implementation.\n"); + { +#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) + mbedtls_printf(" AES note: built-in implementation.\n"); +#endif + } #endif /* MBEDTLS_AES_ALT */ } From b241db3e2630b80b8a1d17522b4fda9d2a643b88 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 4 Aug 2023 16:28:22 +0800 Subject: [PATCH 136/222] remove padlock only mode padlock depends on pure c implementation Signed-off-by: Jerry Yu --- library/padlock.c | 6 ++++-- library/padlock.h | 4 ---- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/library/padlock.c b/library/padlock.c index 001172200..38d110e0b 100644 --- a/library/padlock.c +++ b/library/padlock.c @@ -33,7 +33,10 @@ #if defined(MBEDTLS_HAVE_X86) -#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) +#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY) +#error "MBEDTLS_PADLOCK_C defined, but not all prerequisites" +#endif + /* * PadLock detection routine */ @@ -63,7 +66,6 @@ int mbedtls_padlock_has_support(int feature) return flags & feature; } -#endif /* * PadLock AES-ECB block en(de)cryption diff --git a/library/padlock.h b/library/padlock.h index c031f4bb5..b5f0d7d7a 100644 --- a/library/padlock.h +++ b/library/padlock.h 
@@ -69,11 +69,7 @@ extern "C" { * * \return non-zero if CPU has support for the feature, 0 otherwise */ -#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) int mbedtls_padlock_has_support(int feature); -#else -#define /* no-check-names */ mbedtls_padlock_has_support(feature) 1 -#endif /** * \brief Internal PadLock AES-ECB block en(de)cryption From fce351def82c1ed5b3135a887e3ada7f75f3fdc3 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 4 Aug 2023 17:13:36 +0800 Subject: [PATCH 137/222] improve platform relative check Signed-off-by: Jerry Yu --- library/aes.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/library/aes.c b/library/aes.c index 8afa7a65d..4929235ec 100644 --- a/library/aes.c +++ b/library/aes.c @@ -34,27 +34,23 @@ #include "mbedtls/platform_util.h" #include "mbedtls/error.h" -#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && \ +#if defined(MBEDTLS_HAVE_ASM) && \ defined(__aarch64__) && !defined(MBEDTLS_HAVE_ARM64) -#define MBEDTLS_HAVE_ARM64 #if !defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY) #error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites" #endif #endif -#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && \ +#if defined(MBEDTLS_HAVE_ASM) && \ (defined(__amd64__) || defined(__x86_64__)) && \ !defined(MBEDTLS_HAVE_X86_64) -#define MBEDTLS_HAVE_X86_64 #if !defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY) #error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites" #endif #endif -#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && defined(__i386__) && \ +#if defined(MBEDTLS_HAVE_ASM) && defined(__i386__) && \ !defined(MBEDTLS_HAVE_ASAN) -#define MBEDTLS_HAVE_X86 - #if !defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY) #error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites" #endif From 9c0b7d13bf71bea4ca8637c3b815f813f6b8cd85 Mon Sep 17 00:00:00 2001 
From: Jerry Yu Date: Fri, 4 Aug 2023 17:25:59 +0800 Subject: [PATCH 138/222] Remove unnecessary name check tag Signed-off-by: Jerry Yu --- library/aesce.h | 2 +- library/aesni.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/library/aesce.h b/library/aesce.h index fbf545649..9b8b0bcd6 100644 --- a/library/aesce.h +++ b/library/aesce.h @@ -50,7 +50,7 @@ extern "C" { #if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) int mbedtls_aesce_has_support(void); #else -#define /* no-check-names */ mbedtls_aesce_has_support() 1 +#define mbedtls_aesce_has_support() 1 #endif diff --git a/library/aesni.h b/library/aesni.h index 6b5afb9b5..f461ae288 100644 --- a/library/aesni.h +++ b/library/aesni.h @@ -91,7 +91,7 @@ extern "C" { #if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) int mbedtls_aesni_has_support(unsigned int what); #else -#define /* no-check-names */ mbedtls_aesni_has_support(what) 1 +#define mbedtls_aesni_has_support(what) 1 #endif /** From 7802f65a285eace5ada98a71e616dfd349e172ad Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 7 Aug 2023 10:38:50 +0800 Subject: [PATCH 139/222] Add negative test for aesni only Signed-off-by: Jerry Yu --- tests/scripts/all.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index d67b484b1..9cc2ab181 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -3896,6 +3896,7 @@ component_test_aesni () { # ~ 60s make test programs/test/selftest CC=gcc CFLAGS='-Werror -Wall -Wextra -mpclmul -msse2 -maes' # check that we built intrinsics - this should be used by default when supported by the compiler ./programs/test/selftest aes | grep "AES note: using AESNI" + ./programs/test/selftest aes | grep -v "AES note: built-in implementation." } From 5fcdd6a28a26a6d565178b055b2cfd3fa86673e7 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 7 Aug 2023 15:32:58 +0800 Subject: [PATCH 140/222] remove unnecessary definition 
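Review bot: The added `./programs/test/selftest aes | grep -v "AES note: built-in implementation."` cannot fail the way a negative test should. `grep -v` exits 0 as soon as any output line lacks the pattern, so the check passes even when the built-in note is printed, and it echoes the rest of the output into the log. Use the helper this function already uses for the plain-C check: `./programs/test/selftest aes | not grep -q "AES note: built-in implementation."`. The function starts outside the hunk.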
Signed-off-by: Jerry Yu --- library/aes.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/library/aes.c b/library/aes.c index 4929235ec..7c5c80621 100644 --- a/library/aes.c +++ b/library/aes.c @@ -34,16 +34,14 @@ #include "mbedtls/platform_util.h" #include "mbedtls/error.h" -#if defined(MBEDTLS_HAVE_ASM) && \ - defined(__aarch64__) && !defined(MBEDTLS_HAVE_ARM64) +#if defined(MBEDTLS_HAVE_ASM) && defined(__aarch64__) #if !defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY) #error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites" #endif #endif #if defined(MBEDTLS_HAVE_ASM) && \ - (defined(__amd64__) || defined(__x86_64__)) && \ - !defined(MBEDTLS_HAVE_X86_64) + (defined(__amd64__) || defined(__x86_64__)) #if !defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY) #error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites" #endif From c4508c07f6e1894478b1db0923d86cc64a770516 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 8 Aug 2023 12:57:06 +0800 Subject: [PATCH 141/222] improve error message and config check for padlock Signed-off-by: Jerry Yu --- library/aes.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/aes.c b/library/aes.c index 7c5c80621..668f1d1e3 100644 --- a/library/aes.c +++ b/library/aes.c @@ -49,8 +49,8 @@ #if defined(MBEDTLS_HAVE_ASM) && defined(__i386__) && \ !defined(MBEDTLS_HAVE_ASAN) -#if !defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY) -#error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites" +#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY) +#error "MBEDTLS_AES_USE_HARDWARE_ONLY not supported yet for i386." #endif #endif From a7de78d050aa62197e105d963af926a1b82a64bb Mon Sep 17 00:00:00 2001 
From: Jerry Yu Date: Tue, 8 Aug 2023 12:57:35 +0800 Subject: [PATCH 142/222] improve test - `grep '^flags' /proc/cpuino` does not work in my local machine inside script. - `make test programs/sleftest ` causes `strings | grep ` fail. For timebeing, I did not figure out the root cause. Signed-off-by: Jerry Yu --- tests/scripts/all.sh | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 9cc2ab181..8464599e4 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -3849,7 +3849,7 @@ support_test_aesni() { # We can only grep /proc/cpuinfo on Linux, so this also checks for Linux (gcc -v 2>&1 | grep Target | grep -q x86_64) && [[ "$HOSTTYPE" == "x86_64" && "$OSTYPE" == "linux-gnu" ]] && - (grep '^flags' /proc/cpuinfo | grep -qw aes) + (lscpu | grep -qw aes) } component_test_aesni () { # ~ 60s @@ -3868,14 +3868,14 @@ component_test_aesni () { # ~ 60s # test the intrinsics implementation msg "AES tests, test intrinsics" make clean - make test programs/test/selftest CC=gcc CFLAGS='-Werror -Wall -Wextra -mpclmul -msse2 -maes' + make CC=gcc CFLAGS='-Werror -Wall -Wextra -mpclmul -msse2 -maes' # check that we built intrinsics - this should be used by default when supported by the compiler ./programs/test/selftest aes | grep "AESNI code" | grep -q "intrinsics" # test the asm implementation msg "AES tests, test assembly" make clean - make test programs/test/selftest CC=gcc CFLAGS='-Werror -Wall -Wextra -mno-pclmul -mno-sse2 -mno-aes' + make CC=gcc CFLAGS='-Werror -Wall -Wextra -mno-pclmul -mno-sse2 -mno-aes' # check that we built assembly - this should be built if the compiler does not support intrinsics ./programs/test/selftest aes | grep "AESNI code" | grep -q "assembly" 
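Review bot: `lscpu | grep -qw aes` in `support_test_aesni` matches the word anywhere in the `lscpu` output rather than in the CPU flags. It also reports "unsupported" on a host where `lscpu` is missing, so the component can be skipped without anyone noticing. Restricting the match to the flags line keeps the old precision: `(lscpu | grep -i '^flags' | grep -qw aes)`. The comment above still says `We can only grep /proc/cpuinfo on Linux` and should name `lscpu` instead.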
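Review bot: Changing `make test programs/test/selftest` to plain `make` means the intrinsics and assembly builds in `component_test_aesni` are no longer exercised by the unit tests; only `selftest aes` runs against them. The commit message says this works around a `strings | grep` failure whose root cause is unknown, which is a separate matter from running the tests. I would keep the test run as its own step, `make CC=gcc CFLAGS='...'` followed by `make test`, so each AESNI implementation stays covered. The same applies to the plain-C and AESNI-only builds in the following hunk.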
@@ -3884,19 +3884,23 @@ component_test_aesni () { # ~ 60s scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY msg "AES tests, plain C" make clean - make test programs/test/selftest CC=gcc CFLAGS='-O2 -Werror' + make CC=gcc CFLAGS='-O2 -Werror' # check that there is no AESNI code present ./programs/test/selftest aes | not grep -q "AESNI code" + strings ./programs/test/selftest | not grep -q "AES note: using AESNI" + strings ./programs/test/selftest | grep -q "AES note: built-in implementation." # test the intrinsics implementation scripts/config.py set MBEDTLS_AESNI_C scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY msg "AES tests, test AESNI only" make clean - make test programs/test/selftest CC=gcc CFLAGS='-Werror -Wall -Wextra -mpclmul -msse2 -maes' - # check that we built intrinsics - this should be used by default when supported by the compiler - ./programs/test/selftest aes | grep "AES note: using AESNI" - ./programs/test/selftest aes | grep -v "AES note: built-in implementation." + make CC=gcc CFLAGS='-Werror -Wall -Wextra -mpclmul -msse2 -maes' + strings ./programs/test/selftest | grep -q "AES note: using AESNI" + strings ./programs/test/selftest | not grep -q "AES note: built-in implementation." + ./programs/test/selftest aes | grep -q "AES note: using AESNI" + ./programs/test/selftest aes | not grep -q "AES note: built-in implementation." + } From 76a51b99b6996106b4fd4d28390d69ba2d8f3bcc Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 8 Aug 2023 16:03:55 +0800 Subject: [PATCH 143/222] replace strings command with grep `strings | grep` will fail some time. Signed-off-by: Jerry Yu --- tests/scripts/all.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 8464599e4..508f0b05a 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -3887,8 +3887,8 @@ component_test_aesni () { # ~ 60s make CC=gcc CFLAGS='-O2 -Werror' # check that there is no AESNI code present ./programs/test/selftest aes | not grep -q "AESNI code" - strings ./programs/test/selftest | not grep -q "AES note: using AESNI" - strings ./programs/test/selftest | grep -q "AES note: built-in implementation." + not grep -q "AES note: using AESNI" ./programs/test/selftest + grep -q "AES note: built-in implementation." ./programs/test/selftest # test the intrinsics implementation scripts/config.py set MBEDTLS_AESNI_C @@ -3896,10 +3896,11 @@ component_test_aesni () { # ~ 60s msg "AES tests, test AESNI only" make clean make CC=gcc CFLAGS='-Werror -Wall -Wextra -mpclmul -msse2 -maes' - strings ./programs/test/selftest | grep -q "AES note: using AESNI" - strings ./programs/test/selftest | not grep -q "AES note: built-in implementation." ./programs/test/selftest aes | grep -q "AES note: using AESNI" ./programs/test/selftest aes | not grep -q "AES note: built-in implementation." + grep -q "AES note: using AESNI" ./programs/test/selftest + not grep -q "AES note: built-in implementation." ./programs/test/selftest + } From ba42b076f96f75deec965fc646ef068bc5cca670 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 10 Aug 2023 12:53:26 +0800 Subject: [PATCH 144/222] Remove asm check for aarch64 aesce we implement it with aesce intrinsic. No asm needed. Signed-off-by: Jerry Yu --- library/aes.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/aes.c b/library/aes.c index 668f1d1e3..bf7d6cb4c 100644 --- a/library/aes.c +++ b/library/aes.c @@ -34,7 +34,7 @@ #include "mbedtls/platform_util.h" #include "mbedtls/error.h" -#if defined(MBEDTLS_HAVE_ASM) && defined(__aarch64__) +#if defined(__aarch64__) #if !defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY) #error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites" #endif From 13696bb07ba5a5de04ceef2857ad1f95bded8de4 Mon Sep 17 00:00:00 2001 
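Review bot: The `./programs/test/selftest aes | grep -q ...` pipelines kept in the AESNI-only block are probably exposed to the same intermittent failure that this commit removes from `strings | grep -q`. `grep -q` exits at the first match, the writer can then die on SIGPIPE, and the pipeline fails if all.sh runs with `pipefail` (not visible here, please confirm). Writing the output to a file first avoids it: `./programs/test/selftest aes > selftest_aes.log` then `grep -q "AES note: using AESNI" selftest_aes.log`. Grepping the binary itself shows what was linked in, not which path ran, so a comment such as `# check the built-in AES note string is not linked in` would make the intent of those lines clear.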
From: Jerry Yu Date: Thu, 10 Aug 2023 13:36:32 +0800 Subject: [PATCH 145/222] improve check config option for i386 Signed-off-by: Jerry Yu --- include/mbedtls/check_config.h | 4 ---- library/aes.c | 7 +++++-- library/padlock.c | 4 ---- 3 files changed, 5 insertions(+), 10 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 7a8797107..e4fbb17d7 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -412,10 +412,6 @@ #error "MBEDTLS_MEMORY_DEBUG defined, but not all prerequisites" #endif -#if defined(MBEDTLS_PADLOCK_C) && !defined(MBEDTLS_HAVE_ASM) -#error "MBEDTLS_PADLOCK_C defined, but not all prerequisites" -#endif - #if defined(MBEDTLS_PEM_PARSE_C) && !defined(MBEDTLS_BASE64_C) #error "MBEDTLS_PEM_PARSE_C defined, but not all prerequisites" #endif diff --git a/library/aes.c b/library/aes.c index bf7d6cb4c..52e361a28 100644 --- a/library/aes.c +++ b/library/aes.c @@ -47,11 +47,14 @@ #endif #endif -#if defined(MBEDTLS_HAVE_ASM) && defined(__i386__) && \ - !defined(MBEDTLS_HAVE_ASAN) +#if defined(__i386__) #if defined(MBEDTLS_AES_USE_HARDWARE_ONLY) #error "MBEDTLS_AES_USE_HARDWARE_ONLY not supported yet for i386." #endif + +#if defined(MBEDTLS_PADLOCK_C) && !defined(MBEDTLS_HAVE_ASM) +#error "MBEDTLS_PADLOCK_C defined, but not all prerequisites" +#endif #endif #if defined(MBEDTLS_PADLOCK_C) diff --git a/library/padlock.c b/library/padlock.c index 38d110e0b..f42c40ff9 100644 --- a/library/padlock.c +++ b/library/padlock.c @@ -33,10 +33,6 @@ #if defined(MBEDTLS_HAVE_X86) -#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY) -#error "MBEDTLS_PADLOCK_C defined, but not all prerequisites" -#endif - /* * PadLock detection routine */ From 8189f3294589f246f9810683242018c8f5c9caca Mon Sep 17 00:00:00 2001 
From: Jerry Yu Date: Thu, 10 Aug 2023 13:53:41 +0800 Subject: [PATCH 146/222] improve aesni check for x86_64 `MBEDTLS_AESNI_C` does not depends on `MBEDTLS_HAVE_ASM` when intrinsic is available. And compiler relative checks only work on x86_64, it should be only checked on x86_64. Signed-off-by: Jerry Yu --- library/aes.c | 3 +-- library/aesni.h | 12 +++++++----- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/library/aes.c b/library/aes.c index 52e361a28..4cb9ce1c1 100644 --- a/library/aes.c +++ b/library/aes.c @@ -40,8 +40,7 @@ #endif #endif -#if defined(MBEDTLS_HAVE_ASM) && \ - (defined(__amd64__) || defined(__x86_64__)) +#if defined(__amd64__) || defined(__x86_64__) #if !defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY) #error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites" #endif diff --git a/library/aesni.h b/library/aesni.h index f461ae288..da97023cb 100644 --- a/library/aesni.h +++ b/library/aesni.h @@ -35,13 +35,13 @@ /* Can we do AESNI with inline assembly? * (Only implemented with gas syntax, only for 64-bit.) */ -#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && \ - (defined(__amd64__) || defined(__x86_64__)) && \ - !defined(MBEDTLS_HAVE_X86_64) +#if !defined(MBEDTLS_HAVE_X86_64) && \ + (defined(__amd64__) || defined(__x86_64__) || \ + defined(_M_X64) || defined(_M_AMD64)) #define MBEDTLS_HAVE_X86_64 #endif -#if defined(MBEDTLS_AESNI_C) +#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) /* Can we do AESNI with intrinsics? * (Only implemented with certain compilers, only for certain targets.) 
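Review bot: The x86_64 prerequisite check in aes.c now reads `#if defined(__amd64__) || defined(__x86_64__)`, while aesni.h in this same commit also accepts `_M_X64` and `_M_AMD64`. A compiler that defines only the `_M_*` macros therefore gets past the `#error` with MBEDTLS_AES_USE_HARDWARE_ONLY set and MBEDTLS_AESNI_C unset. Use the same list in both places: `#if defined(__amd64__) || defined(__x86_64__) || defined(_M_X64) || defined(_M_AMD64)`.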
@@ -67,8 +67,10 @@ * In the long run, we will likely remove the assembly implementation. */ #if defined(MBEDTLS_AESNI_HAVE_INTRINSICS) #define MBEDTLS_AESNI_HAVE_CODE 2 // via intrinsics -#elif defined(MBEDTLS_HAVE_X86_64) +#elif defined(MBEDTLS_HAVE_ASM) #define MBEDTLS_AESNI_HAVE_CODE 1 // via assembly +#else +#error "MBEDTLS_AESNI_C defined, but neither intrinsics nor assembly available" #endif #if defined(MBEDTLS_AESNI_HAVE_CODE) From b2bc1712a5578ef8f4a644b5a1f35c41fa5c9f2c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 8 Feb 2019 17:27:11 +0100 Subject: [PATCH 147/222] Reduce the size of the small primes table used by primality testing Signed-off-by: Gilles Peskine --- library/bignum.c | 62 ++++++++++++++++++++++++------------------------ 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index d559c9e76..f84b2e7ce 100644 --- a/library/bignum.c +++ b/library/bignum.c 
@@ -2171,29 +2171,29 @@ cleanup: #if defined(MBEDTLS_GENPRIME) -static const int small_prime[] = -{ - 3, 5, 7, 11, 13, 17, 19, 23, - 29, 31, 37, 41, 43, 47, 53, 59, - 61, 67, 71, 73, 79, 83, 89, 97, - 101, 103, 107, 109, 113, 127, 131, 137, - 139, 149, 151, 157, 163, 167, 173, 179, - 181, 191, 193, 197, 199, 211, 223, 227, - 229, 233, 239, 241, 251, 257, 263, 269, - 271, 277, 281, 283, 293, 307, 311, 313, - 317, 331, 337, 347, 349, 353, 359, 367, - 373, 379, 383, 389, 397, 401, 409, 419, - 421, 431, 433, 439, 443, 449, 457, 461, - 463, 467, 479, 487, 491, 499, 503, 509, - 521, 523, 541, 547, 557, 563, 569, 571, - 577, 587, 593, 599, 601, 607, 613, 617, - 619, 631, 641, 643, 647, 653, 659, 661, - 673, 677, 683, 691, 701, 709, 719, 727, - 733, 739, 743, 751, 757, 761, 769, 773, - 787, 797, 809, 811, 821, 823, 827, 829, - 839, 853, 857, 859, 863, 877, 881, 883, - 887, 907, 911, 919, 929, 937, 941, 947, - 953, 967, 971, 977, 983, 991, 997, -103 +/* Gaps between primes, starting at 3. https://oeis.org/A001223 */ +static const unsigned char small_prime_gaps[] = { + 2, 2, 4, 2, 4, 2, 4, 6, + 2, 6, 4, 2, 4, 6, 6, 2, + 6, 4, 2, 6, 4, 6, 8, 4, + 2, 4, 2, 4, 14, 4, 6, 2, + 10, 2, 6, 6, 4, 6, 6, 2, + 10, 2, 4, 2, 12, 12, 4, 2, + 4, 6, 2, 10, 6, 6, 6, 2, + 6, 4, 2, 10, 14, 4, 2, 4, + 14, 6, 10, 2, 4, 6, 8, 6, + 6, 4, 6, 8, 4, 8, 10, 2, + 10, 2, 6, 4, 6, 8, 4, 2, + 4, 12, 8, 4, 8, 4, 6, 12, + 2, 18, 6, 10, 6, 6, 2, 6, + 10, 6, 6, 2, 6, 6, 4, 2, + 12, 10, 2, 4, 6, 6, 2, 12, + 4, 6, 8, 10, 8, 10, 8, 6, + 6, 4, 8, 6, 4, 8, 4, 14, + 10, 12, 2, 10, 2, 4, 2, 10, + 14, 4, 2, 4, 14, 4, 2, 4, + 20, 4, 8, 10, 8, 4, 6, 6, + 14, 4, 6, 6, 8, 6, /*reaches 997*/ }; /* 
@@ -2210,20 +2210,20 @@ static int mpi_check_small_factors(const mbedtls_mpi *X) int ret = 0; size_t i; mbedtls_mpi_uint r; + unsigned p = 3; /* The first odd prime */ if ((X->p[0] & 1) == 0) { return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE; } - for (i = 0; small_prime[i] > 0; i++) { - if (mbedtls_mpi_cmp_int(X, small_prime[i]) <= 0) { - return 1; - } - - MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, small_prime[i])); - + for (i = 0; i < sizeof(small_prime_gaps); p += small_prime_gaps[i], i++) { + MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, p)); if (r == 0) { - return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE; + if (mbedtls_mpi_cmp_int(X, p) == 0) { + return 1; + } else { + return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE; + } } } From e6cb45e68ef8eefc8d57cbda2927ba18de7d00d8 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 10 Aug 2023 15:59:28 +0200 Subject: [PATCH 148/222] mbedtls_mpi_exp_mod: remove spurious copy of the output variable Clear some confusion between `X` as the output variable and "X" as a name given to the accumulator. Previous iterations of the code used the variable `X` as the accumulator, but now that the accumulator is `W[x_index]`, some of the comments didn't make sense. Remove the copy of the initial value of `X` into `W[x_index]`, which was meaningless: the initial value of an output variable should not, and did not, matter. `W[x_index]` is later overridden unconditionally to take the value `RR`. Signed-off-by: Gilles Peskine --- library/bignum.c | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index f2a864150..798d75824 100644 --- a/library/bignum.c +++ b/library/bignum.c 
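Review bot: The rewritten loop in `mpi_check_small_factors` never divides by 997. With `i < sizeof(small_prime_gaps)` it runs once per gap and tests `p` before adding `small_prime_gaps[i]`, so the final gap (the one marked `/*reaches 997*/`) only advances `p` and the loop exits. The old table tried every prime up to 997. Appending one unused entry to the table, `0 /* unused; lets the loop test 997 */`, restores that, and a comment stating that iteration i tests the prime reached after the first i gaps would make the bound easy to check. The early `return 1` now triggers only when X equals a table prime rather than when X is not larger than one, so the function comment (outside the hunk) should be checked against the new behaviour.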
@@ -1680,8 +1680,9 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, * and squarings. Firstly, when multiplying by an element of the window * W[i], we do a constant-trace table lookup to obfuscate i. This leaves * squarings as having a different memory access patterns from other - * multiplications. So secondly, we put the accumulator X in the table as - * well, and also do a constant-trace table lookup to multiply by X. + * multiplications. So secondly, we put the accumulator in the table as + * well, and also do a constant-trace table lookup to multiply by the + * accumulator which is W[x_index]. * * This way, all multiplications take the form of a lookup-and-multiply. * The number of lookup-and-multiply operations inside each iteration of @@ -1694,19 +1695,16 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, * observe both memory accesses and branches. However, branch prediction * exploitation typically requires many traces of execution over the same * data, which is defeated by randomized blinding. - * - * To achieve this, we make a copy of X and we use the table entry in each - * calculation from this point on. */ const size_t x_index = 0; mbedtls_mpi_init(&W[x_index]); - mbedtls_mpi_copy(&W[x_index], X); j = N->n + 1; - /* All W[i] and X must have at least N->n limbs for the mpi_montmul() - * and mpi_montred() calls later. Here we ensure that W[1] and X are - * large enough, and later we'll grow other W[i] to the same length. - * They must not be shrunk midway through this function! + /* All W[i] including the accumulator must have at least N->n limbs for + * the mpi_montmul() and mpi_montred() calls later. Here we ensure that + * W[1] and the accumulator W[x_index] are large enough. later we'll grow + * other W[i] to the same length. They must not be shrunk midway through + * this function! */ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[x_index], j)); MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[1], j)); 
From 240bb11171886b4ae36484c45a69c9623809758f Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 11 Aug 2023 10:45:35 +0800 Subject: [PATCH 149/222] Add gnu check for aseni assembly code Signed-off-by: Jerry Yu --- library/aesni.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/aesni.h b/library/aesni.h index da97023cb..dc6444270 100644 --- a/library/aesni.h +++ b/library/aesni.h @@ -67,7 +67,7 @@ * In the long run, we will likely remove the assembly implementation. */ #if defined(MBEDTLS_AESNI_HAVE_INTRINSICS) #define MBEDTLS_AESNI_HAVE_CODE 2 // via intrinsics -#elif defined(MBEDTLS_HAVE_ASM) +#elif defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) #define MBEDTLS_AESNI_HAVE_CODE 1 // via assembly #else #error "MBEDTLS_AESNI_C defined, but neither intrinsics nor assembly available" From c9ed5dee695272fb4f0a4aa141526d24998b68e8 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Sat, 13 May 2023 12:47:02 +0100 Subject: [PATCH 150/222] Add aarch64 const-time asm Signed-off-by: Dave Rodgman --- library/constant_time_impl.h | 44 ++++++++++++++++++++++++++++++++ library/constant_time_internal.h | 2 ++ 2 files changed, 46 insertions(+) diff --git a/library/constant_time_impl.h b/library/constant_time_impl.h index 0c3cde99d..a5284cb7a 100644 --- a/library/constant_time_impl.h +++ b/library/constant_time_impl.h 
@@ -120,6 +120,19 @@ static inline mbedtls_ct_condition_t mbedtls_ct_bool(mbedtls_ct_uint_t x) * Otherwise, we define a plain C fallback which (in May 2023) does not get optimised into * conditional instructions or branches by trunk clang, gcc, or MSVC v19. */ +#if defined(MBEDTLS_CT_AARCH64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64)) + mbedtls_ct_uint_t s; + asm volatile ("neg %x[s], %x[x] \n\t" + "orr %x[x], %x[s], %x[x] \n\t" + "asr %x[x], %x[x], 63" + : + [s] "=&r" (s), + [x] "+&r" (x) + : + : + ); + return (mbedtls_ct_condition_t) x; +#else const mbedtls_ct_uint_t xo = mbedtls_ct_compiler_opaque(x); #if defined(_MSC_VER) /* MSVC has a warning about unary minus on unsigned, but this is 
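Review bot: The AArch64 branch in `mbedtls_ct_bool` is enabled for `MBEDTLS_CT_SIZE_32` as well as `MBEDTLS_CT_SIZE_64`, but every instruction uses the 64-bit `%x` register view and shifts by 63. When `mbedtls_ct_uint_t` is `uint32_t`, the compiler does not have to keep the upper 32 bits of the operand register zero, so the result could depend on stale bits. The `mbedtls_ct_if` and `mbedtls_ct_uint_lt` branches in the next hunk are gated the same way. If that combination cannot occur, restrict the guard to `#if defined(MBEDTLS_CT_AARCH64_ASM) && defined(MBEDTLS_CT_SIZE_64)`; otherwise the 32-bit case needs `%w` operands and a shift of 31. A one-line comment on each asm block stating the value it computes (here, all-ones iff x is non-zero) would help review; the function body starts outside the hunk.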
@@ -132,19 +145,49 @@ static inline mbedtls_ct_condition_t mbedtls_ct_bool(mbedtls_ct_uint_t x) #if defined(_MSC_VER) #pragma warning( pop ) #endif +#endif } static inline mbedtls_ct_uint_t mbedtls_ct_if(mbedtls_ct_condition_t condition, mbedtls_ct_uint_t if1, mbedtls_ct_uint_t if0) { +#if defined(MBEDTLS_CT_AARCH64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64)) + asm volatile ("and %x[if1], %x[if1], %x[condition] \n\t" + "mvn %x[condition], %x[condition] \n\t" + "and %x[condition], %x[condition], %x[if0] \n\t" + "orr %x[condition], %x[if1], %x[condition]" + : + [condition] "+&r" (condition), + [if1] "+&r" (if1) + : + [if0] "r" (if0) + : + ); + return (mbedtls_ct_uint_t) condition; +#else mbedtls_ct_condition_t not_cond = (mbedtls_ct_condition_t) (~mbedtls_ct_compiler_opaque(condition)); return (mbedtls_ct_uint_t) ((condition & if1) | (not_cond & if0)); +#endif } static inline mbedtls_ct_condition_t mbedtls_ct_uint_lt(mbedtls_ct_uint_t x, mbedtls_ct_uint_t y) { +#if defined(MBEDTLS_CT_AARCH64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64)) + uint64_t s1, s2; + asm volatile ("eor %x[s1], %x[y], %x[x] \n\t" + "sub %x[s2], %x[x], %x[y] \n\t" + "bic %x[s2], %x[s2], %[s1] \n\t" + "and %x[s1], %x[s1], %x[y] \n\t" + "orr %x[s1], %x[s2], %x[s1] \n\t" + "asr %x[x], %x[s1], 63" + : [s1] "=&r" (s1), [s2] "=&r" (s2), [x] "+r" (x) + : [y] "r" (y) + : + ); + return (mbedtls_ct_condition_t) x; +#else /* Ensure that the compiler cannot optimise the following operations over x and y, * even if it knows the value of x and y. */ @@ -173,6 +216,7 @@ static inline mbedtls_ct_condition_t mbedtls_ct_uint_lt(mbedtls_ct_uint_t x, mbe // Convert to a condition (i.e., all bits set iff non-zero) return mbedtls_ct_bool(ret); +#endif } static inline mbedtls_ct_condition_t mbedtls_ct_uint_ne(mbedtls_ct_uint_t x, mbedtls_ct_uint_t y) diff --git a/library/constant_time_internal.h b/library/constant_time_internal.h index dabf720aa..44b74aec6 100644 
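Review bot: In the AArch64 `mbedtls_ct_uint_lt` block, `"bic %x[s2], %x[s2], %[s1] \n\t"` is the only operand written without the `x` modifier. It should assemble the same because `s1` is `uint64_t`, but it reads like a typo next to the other lines; write `"bic %x[s2], %x[s2], %x[s1] \n\t"`. The scratch variables are declared `uint64_t` here while the `mbedtls_ct_bool` block uses `mbedtls_ct_uint_t` for its scratch; using one type in all three blocks would keep them consistent.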
--- a/library/constant_time_internal.h +++ b/library/constant_time_internal.h @@ -85,12 +85,14 @@ typedef ptrdiff_t mbedtls_ct_int_t; typedef uint64_t mbedtls_ct_condition_t; typedef uint64_t mbedtls_ct_uint_t; typedef int64_t mbedtls_ct_int_t; +#define MBEDTLS_CT_SIZE_64 #define MBEDTLS_CT_TRUE ((mbedtls_ct_condition_t) mbedtls_ct_compiler_opaque(UINT64_MAX)) #else /* Pointer size <= 32-bit, and no 64-bit MPIs */ typedef uint32_t mbedtls_ct_condition_t; typedef uint32_t mbedtls_ct_uint_t; typedef int32_t mbedtls_ct_int_t; +#define MBEDTLS_CT_SIZE_32 #define MBEDTLS_CT_TRUE ((mbedtls_ct_condition_t) mbedtls_ct_compiler_opaque(UINT32_MAX)) #endif #define MBEDTLS_CT_FALSE ((mbedtls_ct_condition_t) mbedtls_ct_compiler_opaque(0)) From ef2527901e3b410764e4dde15bb14f04568f69ce Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Sat, 13 May 2023 12:48:02 +0100 Subject: [PATCH 151/222] Add aarch32 const-time asm Signed-off-by: Dave Rodgman --- library/constant_time_impl.h | 44 ++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/library/constant_time_impl.h b/library/constant_time_impl.h index a5284cb7a..3c82bd53f 100644 --- a/library/constant_time_impl.h +++ b/library/constant_time_impl.h @@ -132,6 +132,18 @@ static inline mbedtls_ct_condition_t mbedtls_ct_bool(mbedtls_ct_uint_t x) : ); return (mbedtls_ct_condition_t) x; +#elif defined(MBEDTLS_CT_ARM_ASM) && defined(MBEDTLS_CT_SIZE_32) + uint32_t s; + asm volatile ("neg %[s], %[x] \n\t" + "orr %[x], %[x], %[s] \n\t" + "asr %[x], %[x], #31" + : + [s] "=&l" (s), + [x] "+&l" (x) + : + : + ); + return (mbedtls_ct_condition_t) x; #else const mbedtls_ct_uint_t xo = mbedtls_ct_compiler_opaque(x); #if defined(_MSC_VER) 
@@ -165,6 +177,19 @@ static inline mbedtls_ct_uint_t mbedtls_ct_if(mbedtls_ct_condition_t condition, : ); return (mbedtls_ct_uint_t) condition; +#elif defined(MBEDTLS_CT_ARM_ASM) && defined(MBEDTLS_CT_SIZE_32) + asm volatile ("and %[if1], %[if1], %[condition] \n\t" + "mvn %[condition], %[condition] \n\t" + "and %[condition], %[condition], %[if0] \n\t" + "orr %[condition], %[if1], %[condition]" + : + [condition] "+&l" (condition), + [if1] "+&l" (if1) + : + [if0] "l" (if0) + : + ); + return (mbedtls_ct_uint_t) condition; #else mbedtls_ct_condition_t not_cond = (mbedtls_ct_condition_t) (~mbedtls_ct_compiler_opaque(condition)); @@ -187,6 +212,25 @@ static inline mbedtls_ct_condition_t mbedtls_ct_uint_lt(mbedtls_ct_uint_t x, mbe : ); return (mbedtls_ct_condition_t) x; +#elif defined(MBEDTLS_CT_ARM_ASM) && defined(MBEDTLS_CT_SIZE_32) + uint32_t s1; + asm volatile ( +#if defined(__thumb__) && !defined(__thumb2__) + "mov %[s1], %[x] \n\t" + "eor %[s1], %[s1], %[y] \n\t" +#else + "eor %[s1], %[x], %[y] \n\t" +#endif + "sub %[x], %[x], %[y] \n\t" + "bic %[x], %[x], %[s1] \n\t" + "and %[y], %[s1], %[y] \n\t" + "orr %[x], %[x], %[y] \n\t" + "asr %[x], %[x], #31" + : [s1] "=&l" (s1), [x] "+&l" (x), [y] "+&l" (y) + : + : + ); + return (mbedtls_ct_condition_t) x; #else /* Ensure that the compiler cannot optimise the following operations over x and y, * even if it knows the value of x and y. From 822c9c7d4edc88bc703adbaeb01017075f9ec7dc Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 12 Jun 2023 15:38:49 +0100 Subject: [PATCH 152/222] Fix unified asm syntax issue Signed-off-by: Dave Rodgman --- library/constant_time_impl.h | 61 +++++++++++++++++++++++++++--------- 1 file changed, 46 insertions(+), 15 deletions(-) diff --git a/library/constant_time_impl.h b/library/constant_time_impl.h index 3c82bd53f..35b0ee844 100644 --- a/library/constant_time_impl.h +++ b/library/constant_time_impl.h 
@@ -134,14 +134,39 @@ static inline mbedtls_ct_condition_t mbedtls_ct_bool(mbedtls_ct_uint_t x) return (mbedtls_ct_condition_t) x; #elif defined(MBEDTLS_CT_ARM_ASM) && defined(MBEDTLS_CT_SIZE_32) uint32_t s; - asm volatile ("neg %[s], %[x] \n\t" - "orr %[x], %[x], %[s] \n\t" - "asr %[x], %[x], #31" + /* + * Selecting unified syntax is needed for gcc, and harmless on clang. + * + * This is needed because on Thumb 1, condition flags are always set, so + * e.g. "negs" is supported but "neg" is not (on Thumb 2, both exist). + * + * Under Thumb 1 unified syntax, only the "negs" form is accepted, and + * under divided syntax, only the "neg" form is accepted. clang only + * supports unified syntax. + * + * On Thumb 2 and Arm, both compilers are happy with the "s" suffix, + * although we don't actually care about setting the flags. + * + * For gcc, restore divided syntax afterwards - otherwise old versions of gcc + * seem to apply unified syntax globally, which breaks other asm code. + */ +#if !defined(__clang__) +#define RESTORE_ASM_SYNTAX ".syntax divided \n\t" +#else +#define RESTORE_ASM_SYNTAX +#endif + + asm volatile (".syntax unified \n\t" + "negs %[s], %[x] \n\t" + "orrs %[x], %[x], %[s] \n\t" + "asrs %[x], %[x], #31 \n\t" + RESTORE_ASM_SYNTAX : [s] "=&l" (s), [x] "+&l" (x) : : + "cc" /* clobbers flag bits */ ); return (mbedtls_ct_condition_t) x; #else 
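Review bot: `RESTORE_ASM_SYNTAX` is defined inside mbedtls_ct_bool's `#elif defined(MBEDTLS_CT_ARM_ASM) && defined(MBEDTLS_CT_SIZE_32)` branch, yet the following hunks in mbedtls_ct_if and mbedtls_ct_uint_lt use it too, so they only build because this function comes first in the header. Moving the `#if !defined(__clang__)` / `#define RESTORE_ASM_SYNTAX ...` block and its explanatory comment to file scope under the same guard would remove that ordering dependency. The name is unprefixed and the hunk shows no `#undef`, so it appears to stay defined in every file that includes this header; an `MBEDTLS_CT_` prefix or a trailing `#undef` would contain it. The body of mbedtls_ct_bool starts and ends outside the hunk.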
@@ -178,16 +203,19 @@ static inline mbedtls_ct_uint_t mbedtls_ct_if(mbedtls_ct_condition_t condition, ); return (mbedtls_ct_uint_t) condition; #elif defined(MBEDTLS_CT_ARM_ASM) && defined(MBEDTLS_CT_SIZE_32) - asm volatile ("and %[if1], %[if1], %[condition] \n\t" - "mvn %[condition], %[condition] \n\t" - "and %[condition], %[condition], %[if0] \n\t" - "orr %[condition], %[if1], %[condition]" + asm volatile (".syntax unified \n\t" + "ands %[if1], %[if1], %[condition] \n\t" + "mvns %[condition], %[condition] \n\t" + "ands %[condition], %[condition], %[if0] \n\t" + "orrs %[condition], %[if1], %[condition] \n\t" + RESTORE_ASM_SYNTAX : [condition] "+&l" (condition), [if1] "+&l" (if1) : [if0] "l" (if0) : + "cc" ); return (mbedtls_ct_uint_t) condition; #else @@ -215,20 +243,23 @@ static inline mbedtls_ct_condition_t mbedtls_ct_uint_lt(mbedtls_ct_uint_t x, mbe #elif defined(MBEDTLS_CT_ARM_ASM) && defined(MBEDTLS_CT_SIZE_32) uint32_t s1; asm volatile ( + ".syntax unified \n\t" #if defined(__thumb__) && !defined(__thumb2__) - "mov %[s1], %[x] \n\t" - "eor %[s1], %[s1], %[y] \n\t" + "movs %[s1], %[x] \n\t" + "eors %[s1], %[s1], %[y] \n\t" #else - "eor %[s1], %[x], %[y] \n\t" + "eors %[s1], %[x], %[y] \n\t" #endif - "sub %[x], %[x], %[y] \n\t" - "bic %[x], %[x], %[s1] \n\t" - "and %[y], %[s1], %[y] \n\t" - "orr %[x], %[x], %[y] \n\t" - "asr %[x], %[x], #31" + "subs %[x], %[x], %[y] \n\t" + "bics %[x], %[x], %[s1] \n\t" + "ands %[y], %[s1], %[y] \n\t" + "orrs %[x], %[x], %[y] \n\t" + "asrs %[x], %[x], #31 \n\t" + RESTORE_ASM_SYNTAX : [s1] "=&l" (s1), [x] "+&l" (x), [y] "+&l" (y) : : + "cc" ); return (mbedtls_ct_condition_t) x; #else From 246210e3c4782e8ec392fbc3fbbf6ce3276e131d Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 31 Jul 2023 18:07:44 +0100 Subject: [PATCH 153/222] Test CT asm under valgrind 
Signed-off-by: Dave Rodgman --- library/constant_time_impl.h | 10 ++++++++-- tests/scripts/all.sh | 20 ++++++++++++++++++++ 2 files changed, 28 insertions(+), 2 deletions(-) diff --git a/library/constant_time_impl.h b/library/constant_time_impl.h index 35b0ee844..111b9af5a 100644 --- a/library/constant_time_impl.h +++ b/library/constant_time_impl.h @@ -48,8 +48,14 @@ #pragma GCC diagnostic ignored "-Wredundant-decls" #endif -/* Disable asm under Memsan because it confuses Memsan and generates false errors */ -#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN) +/* Disable asm under Memsan because it confuses Memsan and generates false errors. + * + * We also disable under Valgrind by default, because it's more useful + * for Valgrind to test the plain C implementation. MBEDTLS_TEST_CONSTANT_FLOW_ASM //no-check-names + * may be set to permit building asm under Valgrind. + */ +#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN) || \ + (defined(MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND) && !defined(MBEDTLS_TEST_CONSTANT_FLOW_ASM)) //no-check-names #define MBEDTLS_CT_NO_ASM #elif defined(__has_feature) #if __has_feature(memory_sanitizer) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 2afc18166..300ca1a8c 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1892,6 +1892,16 @@ skip_suites_without_constant_flow () { export SKIP_TEST_SUITES } +skip_all_except_given_suite () { + # Skip all but the given test suite + SKIP_TEST_SUITES=$( + ls -1 tests/suites/test_suite_*.function | + grep -v $1.function | + sed 's/tests.suites.test_suite_//; s/\.function$//' | + tr '\n' ,) + export SKIP_TEST_SUITES +} + component_test_memsan_constant_flow () { # This tests both (1) accesses to undefined memory, and (2) branches or # memory access depending on secret values. To distinguish between those: 
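Review bot: In skip_all_except_given_suite (tests/scripts/all.sh), `grep -v $1.function` leaves `$1` unquoted and treats it as an unanchored regular expression in which `.` matches any character, so the filter can match more than the one intended file. A fixed-string match on the path component, `grep -v -F -- "/$1.function" |`, says what is meant. The function also has no check that the named suite exists: if the argument matches nothing, every suite ends up in SKIP_TEST_SUITES and the caller's `make memcheck` would presumably run no tests and still succeed. Returning an error when no `tests/suites/$1.function` file is found would make a typo visible instead of producing a vacuous pass.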
@@ -1951,6 +1961,16 @@ component_test_valgrind_constant_flow () { # details are left in Testing//DynamicAnalysis.xml msg "test: some suites (full minus MBEDTLS_USE_PSA_CRYPTO, valgrind + constant flow)" make memcheck + + # Test asm path in constant time module - by default, it will test the plain C + # path under Valgrind or Memsan. Running only the constant_time tests is fast (<1s) + msg "test: valgrind asm constant_time" + scripts/config.py --force set MBEDTLS_TEST_CONSTANT_FLOW_ASM + skip_all_except_given_suite test_suite_constant_time + cmake -D CMAKE_BUILD_TYPE:String=Release . + make clean + make + make memcheck } component_test_valgrind_constant_flow_psa () { From 42391b4378e5855735e97ea9541cf93ba107e3f2 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 19 May 2023 10:33:21 +0100 Subject: [PATCH 154/222] Perf improvement in memcpy_if Signed-off-by: Dave Rodgman --- library/constant_time.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/library/constant_time.c b/library/constant_time.c index 86cc066b0..6c7ef5678 100644 --- a/library/constant_time.c +++ b/library/constant_time.c @@ -152,8 +152,13 @@ void mbedtls_ct_memcpy_if(mbedtls_ct_condition_t condition, const unsigned char *src2, size_t len) { +#if defined(MBEDTLS_CT_SIZE_64) + const uint64_t mask = (uint64_t) condition; + const uint64_t not_mask = (uint64_t) ~mbedtls_ct_compiler_opaque(condition); +#else const uint32_t mask = (uint32_t) condition; const uint32_t not_mask = (uint32_t) ~mbedtls_ct_compiler_opaque(condition); +#endif /* If src2 is NULL, setup src2 so that we read from the destination address. * 
@@ -167,11 +172,19 @@ void mbedtls_ct_memcpy_if(mbedtls_ct_condition_t condition, /* dest[i] = c1 == c2 ? src[i] : dest[i] */ size_t i = 0; #if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS) +#if defined(MBEDTLS_CT_SIZE_64) + for (; (i + 8) <= len; i += 8) { + uint64_t a = mbedtls_get_unaligned_uint64(src1 + i) & mask; + uint64_t b = mbedtls_get_unaligned_uint64(src2 + i) & not_mask; + mbedtls_put_unaligned_uint64(dest + i, a | b); + } +#else for (; (i + 4) <= len; i += 4) { uint32_t a = mbedtls_get_unaligned_uint32(src1 + i) & mask; uint32_t b = mbedtls_get_unaligned_uint32(src2 + i) & not_mask; mbedtls_put_unaligned_uint32(dest + i, a | b); } +#endif /* defined(MBEDTLS_CT_SIZE_64) */ #endif /* MBEDTLS_EFFICIENT_UNALIGNED_ACCESS */ for (; i < len; i++) { dest[i] = (src1[i] & mask) | (src2[i] & not_mask); From 2e3858f5eb001cdc4d42980103e4af732c8742ed Mon Sep 17 00:00:00 2001 From: Chien Wong Date: Fri, 11 Aug 2023 18:16:06 +0800 Subject: [PATCH 155/222] Undo a change Signed-off-by: Chien Wong --- library/bignum.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/bignum.c b/library/bignum.c index 7661dd3ae..9c686ad27 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -1706,7 +1706,7 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, */ const size_t x_index = 0; mbedtls_mpi_init(&W[x_index]); - MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[x_index], X)); + mbedtls_mpi_copy(&W[x_index], X); j = N->n + 1; /* All W[i] and X must have at least N->n limbs for the mpi_montmul() From a4c477becd0d0e7c8b1c0454335290884399f9e2 Mon Sep 17 00:00:00 2001 From: Chien Wong Date: Fri, 11 Aug 2023 18:19:15 +0800 Subject: [PATCH 156/222] Add changelog entry Signed-off-by: Chien Wong --- ChangeLog.d/fix-a-few-unchecked-return.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 ChangeLog.d/fix-a-few-unchecked-return.txt 
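Review bot: In library/bignum.c the new side calls `mbedtls_mpi_copy(&W[x_index], X);` and discards its result, so if the copy fails mbedtls_mpi_exp_mod carries on with W[x_index] not holding X instead of reporting the error. The ChangeLog entry added by the next patch describes this class of problem for this function ("can silently return an incorrect result in low memory conditions"), and the commit message "Undo a change" gives no reason for dropping the check. Unless a later statement outside this hunk makes the failure harmless, keep `MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&W[x_index], X));`. Otherwise add a comment at the call stating why the return value can be ignored. The body of mbedtls_mpi_exp_mod starts and ends outside the hunk.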
diff --git a/ChangeLog.d/fix-a-few-unchecked-return.txt b/ChangeLog.d/fix-a-few-unchecked-return.txt new file mode 100644 index 000000000..aadde3631 --- /dev/null +++ b/ChangeLog.d/fix-a-few-unchecked-return.txt @@ -0,0 +1,3 @@ +Bugfix + * Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA + signature can silently return an incorrect result in low memory conditions. From 2a12fc20f2d28727ee0cc6b29fa1cf8dd8192ebd Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 11 Aug 2023 17:45:20 +0100 Subject: [PATCH 157/222] Fix logical dead code found by Coverity Signed-off-by: Paul Elliott --- library/psa_crypto_pake.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c index caba5a115..8de8569ce 100644 --- a/library/psa_crypto_pake.c +++ b/library/psa_crypto_pake.c @@ -178,12 +178,12 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation, return status; } - psa_crypto_driver_pake_get_user_len(inputs, &user_len); + status = psa_crypto_driver_pake_get_user_len(inputs, &user_len); if (status != PSA_SUCCESS) { return status; } - psa_crypto_driver_pake_get_peer_len(inputs, &peer_len); + status = psa_crypto_driver_pake_get_peer_len(inputs, &peer_len); if (status != PSA_SUCCESS) { return status; } From 1998aac349a36f4a810e1f07f271eab55e80c7b4 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Mon, 14 Aug 2023 10:33:37 +0800 Subject: [PATCH 158/222] logging_util: support to tweak loglevel directed to stderr/stdout Previously we set loglevel >= WARNING printed to stderr and loglevel < WARNING printed to stdout. To be more flexible, we replace this `WARNING` value with an argument: split_level and leave `WARNING` as default split_level if not set. Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 7 ++----- scripts/mbedtls_dev/logging_util.py | 16 +++++++++------- 2 files changed, 11 insertions(+), 12 deletions(-) 
diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 72c69e488..672b80366 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -906,11 +906,8 @@ def main(): comp_args = parser.parse_args() logger = logging.getLogger() - logging_util.configure_logger(logger) - if comp_args.stdout and not comp_args.verbose: - logger.setLevel(logging.ERROR) - else: - logger.setLevel(logging.DEBUG if comp_args.verbose else logging.INFO) + logging_util.configure_logger(logger, split_level=logging.NOTSET) + logger.setLevel(logging.DEBUG if comp_args.verbose else logging.INFO) if os.path.isfile(comp_args.record_dir): logger.error("record directory: {} is not a directory" diff --git a/scripts/mbedtls_dev/logging_util.py b/scripts/mbedtls_dev/logging_util.py index 85a3f19ac..db1ebfe5c 100644 --- a/scripts/mbedtls_dev/logging_util.py +++ b/scripts/mbedtls_dev/logging_util.py @@ -21,14 +21,16 @@ import sys def configure_logger( logger: logging.Logger, - log_format="[%(levelname)s]: %(message)s" + log_format="[%(levelname)s]: %(message)s", + split_level=logging.WARNING ) -> None: """ Configure the logging.Logger instance so that: - Format is set to any log_format. Default: "[%(levelname)s]: %(message)s" - - loglevel >= WARNING are printed to stderr. - - loglevel < WARNING are printed to stdout. + - loglevel >= split_level are printed to stderr. + - loglevel < split_level are printed to stdout. + Default: logging.WARNING """ class MaxLevelFilter(logging.Filter): # pylint: disable=too-few-public-methods 
@@ -41,14 +43,14 @@ def configure_logger( log_formatter = logging.Formatter(log_format) - # set loglevel >= WARNING to be printed to stderr + # set loglevel >= split_level to be printed to stderr stderr_hdlr = logging.StreamHandler(sys.stderr) - stderr_hdlr.setLevel(logging.WARNING) + stderr_hdlr.setLevel(split_level) stderr_hdlr.setFormatter(log_formatter) - # set loglevel <= INFO to be printed to stdout + # set loglevel < split_level to be printed to stdout stdout_hdlr = logging.StreamHandler(sys.stdout) - stdout_hdlr.addFilter(MaxLevelFilter(logging.INFO)) + stdout_hdlr.addFilter(MaxLevelFilter(split_level - 1)) stdout_hdlr.setFormatter(log_formatter) logger.addHandler(stderr_hdlr) From 9a6ee71f6fe3c6c7283f3f3ac0be1116fc24449b Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Mon, 14 Aug 2023 11:30:24 +0800 Subject: [PATCH 159/222] code_size_compare: right-align numbers in the comparison result Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 672b80366..d1e8a1b71 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -604,10 +604,10 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): if with_markdown: dash_line = [":----", "----:", "----:", "----:", "----:"] - line_format = "| {0:<30} | {1:<10} | {3:<10} | {2:<12} | {4:<12} |\n" + line_format = "| {0:<30} | {1:>10} | {3:>10} | {2:>12} | {4:>12} |\n" bold_text = lambda x: '**' + str(x) + '**' else: - line_format = "{0:<30} {1:<10} {3:<10} {2:<12} {4:<12}\n" + line_format = "{0:<30} {1:>10} {3:>10} {2:>12} {4:>12}\n" def cal_sect_change( old_size: typing.Optional[CodeSizeGeneratorWithSize.SizeEntry], From 0de1183e4cdc71c5f7a8524fbe669eee01853b2c Mon Sep 17 00:00:00 2001 
From: Yanray Wang Date: Mon, 14 Aug 2023 11:54:47 +0800 Subject: [PATCH 160/222] code_size_compare: add `+` in front of positive values In comparison result, to indicate it's a delta value, we add `+` in front of positive values. For unchanged attributes, it's still shown as `0'. Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index d1e8a1b71..841eb47d5 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -633,7 +633,8 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): """ if old_size and new_size: new_attr = new_size.__dict__[sect] - change_attr = new_size.__dict__[sect] - old_size.__dict__[sect] + delta = new_size.__dict__[sect] - old_size.__dict__[sect] + change_attr = '{0:{1}}'.format(delta, '+' if delta else '') elif old_size: new_attr = - old_size.__dict__[sect] change_attr = 'Removed' @@ -665,7 +666,7 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): text_sect = cal_sect_change(old_size, new_size, 'text') data_sect = cal_sect_change(old_size, new_size, 'data') # skip the files that haven't changed in code size - if not show_all and text_sect[1] == 0 and data_sect[1] == 0: + if not show_all and text_sect[1] == '0' and data_sect[1] == '0': continue res.append([fname, *text_sect, *data_sect]) From 8a25e6fdb2b3b34811a4fd3b77faf0dbe4408936 Mon Sep 17 00:00:00 2001 
From: Yanray Wang Date: Mon, 14 Aug 2023 14:38:36 +0800 Subject: [PATCH 161/222] code_size_compare: add old text and data section in CSV output To keep a concise markdown table, we don't list text and data section from old Git revision. However, it should be ideal to keep those two sections in CSV output. Therefore, we list comparison result for CSV output in following format: filename new(text) new(data) old(text) old(data) change(text) change(data) Additionally, if a file only exits in new Git revision not in old Git revision, it's marked as `NotCreated` as we haven't created this file yet from perspective of old Git revision. Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 34 +++++++++++++++++++++++----------- 1 file changed, 23 insertions(+), 11 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 841eb47d5..52e0345c3 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py 
@@ -597,17 +597,23 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): # pylint: disable=too-many-locals """Write comparison result into a file. - Writing Format: filename new(text) new(data) change(text) change(data) + Writing Format: + Markdown Output: + filename new(text) new(data) change(text) change(data) + CSV Output: + filename new(text) new(data) old(text) old(data) change(text) change(data) """ - header_line = ["filename", "new(text)", "change(text)", "new(data)", - "change(data)"] - + header_line = ["filename", "new(text)", "old(text)", "change(text)", + "new(data)", "old(data)", "change(data)"] if with_markdown: - dash_line = [":----", "----:", "----:", "----:", "----:"] - line_format = "| {0:<30} | {1:>10} | {3:>10} | {2:>12} | {4:>12} |\n" + dash_line = [":----", "----:", "----:", "----:", + "----:", "----:", "----:"] + # | filename | new(text) | new(data) | change(text) | change(data) | + line_format = "| {0:<30} | {1:>9} | {4:>9} | {3:>12} | {6:>12} |\n" bold_text = lambda x: '**' + str(x) + '**' else: - line_format = "{0:<30} {1:>10} {3:>10} {2:>12} {4:>12}\n" + # filename new(text) new(data) old(text) old(data) change(text) change(data) + line_format = "{0:<30} {1:>9} {4:>9} {2:>10} {5:>10} {3:>12} {6:>12}\n" def cal_sect_change( old_size: typing.Optional[CodeSizeGeneratorWithSize.SizeEntry], 
@@ -629,23 +635,28 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): :param: sect: section to calculate from `size` tool. This could be any instance variable in SizeEntry. :return: List of [section size of objects for new Git revision, + section size of objects for old Git revision, section size change of objects between two Git revisions] """ if old_size and new_size: new_attr = new_size.__dict__[sect] - delta = new_size.__dict__[sect] - old_size.__dict__[sect] + old_attr = old_size.__dict__[sect] + delta = new_attr - old_attr change_attr = '{0:{1}}'.format(delta, '+' if delta else '') elif old_size: new_attr = - old_size.__dict__[sect] + old_attr = old_size.__dict__[sect] change_attr = 'Removed' elif new_size: new_attr = new_size.__dict__[sect] + old_attr = 'NotCreated' change_attr = 'None' else: # Should never happen new_attr = 'Error' + old_attr = 'Error' change_attr = 'Error' - return [new_attr, change_attr] + return [new_attr, old_attr, change_attr] # sort dictionary by key sort_by_k = lambda item: item[0].lower() @@ -656,7 +667,8 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): CodeSizeGeneratorWithSize.SizeEntry]] ) -> typing.List: """Return List of results in the format of: - [filename, new(text), change(text), new(data), change(data)] + [filename, new(text), old(text), change(text), + new(data), old(data), change(data)] """ res = [] for fname, revs_size in sorted(f_rev_size.items(), key=sort_by_k): @@ -666,7 +678,7 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): text_sect = cal_sect_change(old_size, new_size, 'text') data_sect = cal_sect_change(old_size, new_size, 'data') # skip the files that haven't changed in code size - if not show_all and text_sect[1] == '0' and data_sect[1] == '0': + if not show_all and text_sect[-1] == '0' and data_sect[-1] == '0': continue res.append([fname, *text_sect, *data_sect]) From 07bdcc2b0dd181823702cc8f842a0b47c4cf3324 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Tom=C3=A1s=20Gonz=C3=A1lez?= Date: Fri, 11 Aug 2023 14:59:03 +0100 Subject: [PATCH 162/222] Add allow list for non-executed test cases MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The allow list explicits which test cases are allowed to not be executed when testing. This may be, for example, because a feature is yet to be developed but the test for that feature is already in our code base. Signed-off-by: Tomás González --- tests/scripts/analyze_outcomes.py | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index c6891bb43..fde07159e 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -73,15 +73,18 @@ def execute_reference_driver_tests(ref_component, driver_component, outcome_file Results.log("Error: failed to run reference/driver components") sys.exit(ret_val) -def analyze_coverage(results, outcomes): +def analyze_coverage(results, outcomes, allow_list): """Check that all available test cases are executed at least once.""" available = check_test_cases.collect_available_test_cases() for key in available: hits = outcomes[key].hits() if key in outcomes else 0 - if hits == 0: + if hits == 0 and key not in allow_list: # Make this a warning, not an error, as long as we haven't # fixed this branch to have full coverage of test cases. results.warning('Test case not executed: {}', key) + elif hits != 0 and key in allow_list: + # Test Case should be removed from the allow list. + results.warning('Allow listed test case was executed: {}', key) def analyze_driver_vs_reference(outcomes, component_ref, component_driver, ignored_suites, ignored_test=None): 
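Review bot: analyze_coverage only walks `available`, so an allow_list entry that matches no available test case (a typo, or a test that was later renamed or removed) is never reported and stays in the list unnoticed. Because the allow list suppresses "not executed" findings, stale entries should be surfaced. After the loop, something like `for key in allow_list:` / `if key not in available:` / `results.warning('Allow listed test case does not exist: {}', key)` would do it, assuming the value returned by collect_available_test_cases supports membership tests. The docstring could also mention the new parameter, e.g. `allow_list: test cases that are permitted to have zero hits`.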
@@ -122,10 +125,10 @@ def analyze_driver_vs_reference(outcomes, component_ref, component_driver, result = False return result -def analyze_outcomes(outcomes): +def analyze_outcomes(outcomes, allow_list): """Run all analyses on the given outcome collection.""" results = Results() - analyze_coverage(results, outcomes) + analyze_coverage(results, outcomes, allow_list) return results def read_outcome_file(outcome_file): @@ -151,10 +154,9 @@ by a semicolon. def do_analyze_coverage(outcome_file, args): """Perform coverage analysis.""" - del args # unused outcomes = read_outcome_file(outcome_file) Results.log("\n*** Analyze coverage ***\n") - results = analyze_outcomes(outcomes) + results = analyze_outcomes(outcomes, args['allow_list']) return results.error_count == 0 def do_analyze_driver_vs_reference(outcome_file, args): @@ -175,7 +177,9 @@ def do_analyze_driver_vs_reference(outcome_file, args): TASKS = { 'analyze_coverage': { 'test_function': do_analyze_coverage, - 'args': {} + 'args': { + 'allow_list': [], + } }, # There are 2 options to use analyze_driver_vs_reference_xxx locally: # 1. Run tests and then analysis: From b401e113ff3421d2f2c7bba5368bf0eb37920dff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1s=20Gonz=C3=A1lez?= Date: Fri, 11 Aug 2023 15:22:04 +0100 Subject: [PATCH 163/222] Add a flag for requiring full coverage in coverage tests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Introduce the --require-full-coverage in analyze_outcomes.py so that when analyze_outcomes.py --require-full-coverage is called, those tests that are not executed and are not in the allowed list issue an error instead of a warning. Note that it is useful to run analyze_outcomes.py on incomplete test results, so this error mode needs to remain optional in the long term. Signed-off-by: Tomás González --- tests/scripts/analyze_outcomes.py | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) 
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index fde07159e..24f4da773 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -73,15 +73,16 @@ def execute_reference_driver_tests(ref_component, driver_component, outcome_file Results.log("Error: failed to run reference/driver components") sys.exit(ret_val) -def analyze_coverage(results, outcomes, allow_list): +def analyze_coverage(results, outcomes, allow_list, full_coverage): """Check that all available test cases are executed at least once.""" available = check_test_cases.collect_available_test_cases() for key in available: hits = outcomes[key].hits() if key in outcomes else 0 if hits == 0 and key not in allow_list: - # Make this a warning, not an error, as long as we haven't - # fixed this branch to have full coverage of test cases. - results.warning('Test case not executed: {}', key) + if full_coverage: + results.error('Test case not executed: {}', key) + else: + results.warning('Test case not executed: {}', key) elif hits != 0 and key in allow_list: # Test Case should be removed from the allow list. results.warning('Allow listed test case was executed: {}', key) @@ -125,10 +126,11 @@ def analyze_driver_vs_reference(outcomes, component_ref, component_driver, result = False return result -def analyze_outcomes(outcomes, allow_list): +def analyze_outcomes(outcomes, args): """Run all analyses on the given outcome collection.""" results = Results() - analyze_coverage(results, outcomes, allow_list) + analyze_coverage(results, outcomes, args['allow_list'], + args['full_coverage']) return results def read_outcome_file(outcome_file): 
@@ -156,7 +158,7 @@ def do_analyze_coverage(outcome_file, args): """Perform coverage analysis.""" outcomes = read_outcome_file(outcome_file) Results.log("\n*** Analyze coverage ***\n") - results = analyze_outcomes(outcomes, args['allow_list']) + results = analyze_outcomes(outcomes, args) return results.error_count == 0 def do_analyze_driver_vs_reference(outcome_file, args): @@ -179,6 +181,7 @@ TASKS = { 'test_function': do_analyze_coverage, 'args': { 'allow_list': [], + 'full_coverage': False, } }, # There are 2 options to use analyze_driver_vs_reference_xxx locally: @@ -430,6 +433,11 @@ def main(): 'comma/space-separated list of tasks. ') parser.add_argument('--list', action='store_true', help='List all available tasks and exit.') + parser.add_argument('--require-full-coverage', action='store_true', + dest='full_coverage', help="Require all available " + "test cases to be executed and issue an error " + "otherwise. This flag is ignored if 'task' is " + "neither 'all' nor 'analyze_coverage'") options = parser.parse_args() if options.list: @@ -449,6 +457,9 @@ def main(): Results.log('Error: invalid task: {}'.format(task)) sys.exit(1) + TASKS['analyze_coverage']['args']['full_coverage'] = \ + options.full_coverage + for task in TASKS: if task in tasks: if not TASKS[task]['test_function'](options.outcomes, TASKS[task]['args']): From 358c6c644a49d5b86a3f24d3e69edbfb10e4c11d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1s=20Gonz=C3=A1lez?= Date: Mon, 14 Aug 2023 15:43:46 +0100 Subject: [PATCH 164/222] Add EdDSA and XTS to the allow list MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As specified in https://github.com/Mbed-TLS/mbedtls/issues/5390#issuecomment-1669585707 EdDSA and XTS tests are legitimately never executed, so add them to the allow list. Signed-off-by: Tomás González --- tests/scripts/analyze_outcomes.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 24f4da773..e5abae738 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -180,7 +180,11 @@ TASKS = { 'analyze_coverage': { 'test_function': do_analyze_coverage, 'args': { - 'allow_list': [], + 'allow_list': [ + 'test_suite_psa_crypto_metadata;Asymmetric signature: ' + 'pure EdDSA', + 'test_suite_psa_crypto_metadata;Cipher: XTS' + ], 'full_coverage': False, } }, From e62ff095690ff0f45764f9e19c7973567f59f64f Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 16 Aug 2023 14:15:00 +0800 Subject: [PATCH 165/222] Restore aesni for i386 intrinsic code can be work on i386 also Signed-off-by: Jerry Yu --- library/aes.c | 9 +++++---- library/aesni.h | 11 +++++++++-- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/library/aes.c b/library/aes.c index 4cb9ce1c1..ebacc671a 100644 --- a/library/aes.c +++ b/library/aes.c @@ -40,15 +40,16 @@ #endif #endif -#if defined(__amd64__) || defined(__x86_64__) +#if defined(__amd64__) || defined(__x86_64__) || \ + defined(_M_X64) || defined(_M_AMD64) #if !defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY) #error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites" #endif #endif -#if defined(__i386__) -#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY) -#error "MBEDTLS_AES_USE_HARDWARE_ONLY not supported yet for i386." +#if defined(__i386__) || defined(_M_IX86) +#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY) && !defined(MBEDTLS_AESNI_C) +#error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites" #endif #if defined(MBEDTLS_PADLOCK_C) && !defined(MBEDTLS_HAVE_ASM) diff --git a/library/aesni.h b/library/aesni.h index dc6444270..1cf01ec9e 100644 --- a/library/aesni.h +++ b/library/aesni.h 
@@ -41,7 +41,13 @@ #define MBEDTLS_HAVE_X86_64 #endif -#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) +#if !defined(MBEDTLS_HAVE_X86) && \ + (defined(__i386__) || defined(_M_IX86)) +#define MBEDTLS_HAVE_X86 +#endif + +#if defined(MBEDTLS_AESNI_C) && \ + (defined(MBEDTLS_HAVE_X86_64) || defined(MBEDTLS_HAVE_X86)) /* Can we do AESNI with intrinsics? * (Only implemented with certain compilers, only for certain targets.) @@ -67,7 +73,8 @@ * In the long run, we will likely remove the assembly implementation. */ #if defined(MBEDTLS_AESNI_HAVE_INTRINSICS) #define MBEDTLS_AESNI_HAVE_CODE 2 // via intrinsics -#elif defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) +#elif defined(MBEDTLS_HAVE_ASM) && \ + defined(__GNUC__) && defined(MBEDTLS_HAVE_X86_64) #define MBEDTLS_AESNI_HAVE_CODE 1 // via assembly #else #error "MBEDTLS_AESNI_C defined, but neither intrinsics nor assembly available" From bc775c48c92bc524384dc0e31f39022073aa70af Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Wed, 16 Aug 2023 15:59:55 +0800 Subject: [PATCH 166/222] code_size_compare: handle deleted files and new files properly 'Removed' and 'NotCreated' should be displayed in new and old column respectively. The value of delta is reflected on change column. This commit handles the corner cases properly. Signed-off-by: Yanray Wang --- scripts/code_size_compare.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index 52e0345c3..53d859edf 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py 
@@ -644,13 +644,15 @@ class CodeSizeGeneratorWithSize(CodeSizeGenerator): delta = new_attr - old_attr change_attr = '{0:{1}}'.format(delta, '+' if delta else '') elif old_size: - new_attr = - old_size.__dict__[sect] + new_attr = 'Removed' old_attr = old_size.__dict__[sect] - change_attr = 'Removed' + delta = - old_attr + change_attr = '{0:{1}}'.format(delta, '+' if delta else '') elif new_size: new_attr = new_size.__dict__[sect] old_attr = 'NotCreated' - change_attr = 'None' + delta = new_attr + change_attr = '{0:{1}}'.format(delta, '+' if delta else '') else: # Should never happen new_attr = 'Error' From cc068ae6312ac7cb788abbbf3b3c3e0a78040840 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 16 Aug 2023 16:07:57 +0800 Subject: [PATCH 167/222] fix `-Werror=return-type` when runtime detection enabled and plain c disabled Signed-off-by: Jerry Yu --- library/aes.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/library/aes.c b/library/aes.c index ebacc671a..4ea4d2267 100644 --- a/library/aes.c +++ b/library/aes.c @@ -655,6 +655,13 @@ int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key, } #endif +/* When runtime detection enabled and plain C is disabled, compiler + reports `-Werror=return-type`. */ +#if defined(MBEDTLS_HAVE_X86) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY) && \ + defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_AESNI_HAVE_CODE) + return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED; +#endif + #if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) for (i = 0; i < (keybits >> 5); i++) { RK[i] = MBEDTLS_GET_UINT32_LE(key, i << 2); 
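Review bot: The expression `'{0:{1}}'.format(delta, '+' if delta else '')` now appears in three branches of this `if`/`elif` chain, which makes it easy for one copy to drift. Each branch could set only `delta` and the two column values, with a single `change_attr = '{0:{1}}'.format(delta, '+' if delta else '')` after the chain; the final `else` branch would need its own handling because it has no numeric delta. The enclosing method starts and ends outside the hunk, so how the columns are printed when `new_attr` or `old_attr` holds the string 'Removed' or 'NotCreated' cannot be checked from here.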
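Review bot: The comment above the added `return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;` in `mbedtls_aes_setkey_enc` explains the compiler warning but not what reaching this line means at run time; the same applies to the identical block added to `mbedtls_aes_crypt_ecb` in the next hunk. As far as the hunk shows, this point is reached only when the hardware paths above did not return and no plain C code is compiled in, so failing here is the safe outcome and callers must not ignore the result. I would word the comment as `/* No hardware implementation was detected at run time and plain C is disabled: fail instead of continuing with an unset key schedule. */`, with the ECB copy ending "instead of returning unprocessed output". Both functions continue outside their hunks.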
@@ -1101,6 +1108,13 @@ int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx, } #endif +/* When runtime detection enabled and plain C is disabled, compiler + reports `-Werror=return-type`. */ +#if defined(MBEDTLS_HAVE_X86) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY) && \ + defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_AESNI_HAVE_CODE) + return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED; +#endif + #if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) if (mode == MBEDTLS_AES_ENCRYPT) { return mbedtls_internal_aes_encrypt(ctx, input, output); From c628486cd93aa6ea50755e8afe059fd5ebb54664 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 16 Aug 2023 16:08:42 +0800 Subject: [PATCH 168/222] enable runtime detection when padlock enabled and plain c disabled Signed-off-by: Jerry Yu --- library/aesni.c | 3 ++- library/aesni.h | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/library/aesni.c b/library/aesni.c index cc3a3b3f3..427c2fdc6 100644 --- a/library/aesni.c +++ b/library/aesni.c @@ -39,7 +39,8 @@ #include #endif -#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) +#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) || \ + (defined(MBEDTLS_HAVE_X86) && defined(MBEDTLS_PADLOCK_C)) /* * AES-NI support detection routine */ diff --git a/library/aesni.h b/library/aesni.h index 1cf01ec9e..9e0790572 100644 --- a/library/aesni.h +++ b/library/aesni.h @@ -97,7 +97,8 @@ extern "C" { * * \return 1 if CPU has support for the feature, 0 otherwise */ -#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) +#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) || \ + (defined(MBEDTLS_HAVE_X86) && defined(MBEDTLS_PADLOCK_C)) int mbedtls_aesni_has_support(unsigned int what); #else #define mbedtls_aesni_has_support(what) 1 From b6d39c2f8cba00eca52bc8d1081b7ddbb2c44b29 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 16 Aug 2023 15:11:48 +0800 Subject: [PATCH 169/222] Add aesni test for i386 
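Review bot: The condition `!defined(MBEDTLS_AES_USE_HARDWARE_ONLY) || (defined(MBEDTLS_HAVE_X86) && defined(MBEDTLS_PADLOCK_C))` is written out twice, once around the detection routine in `aesni.c` and once around its declaration in `aesni.h`, and the two copies must stay identical. If they drift, either the function is declared without a definition, or `#define mbedtls_aesni_has_support(what) 1` replaces a check the build expected to happen at run time, so AES-NI instructions would be issued without probing the CPU. Defining one macro in `aesni.h` and testing it in both places removes that risk, for example `#define MBEDTLS_AESNI_NEED_RUNTIME_DETECTION` (a suggested name, not one that exists on the page). The doc comment on the declaration could also state that the macro form always reports support.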
Signed-off-by: Jerry Yu --- tests/scripts/all.sh | 56 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 54 insertions(+), 2 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 508f0b05a..ee639f71a 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -3900,11 +3900,63 @@ component_test_aesni () { # ~ 60s ./programs/test/selftest aes | not grep -q "AES note: built-in implementation." grep -q "AES note: using AESNI" ./programs/test/selftest not grep -q "AES note: built-in implementation." ./programs/test/selftest - - } + +support_test_aesni_m32() { + support_test_m32_o0 && (lscpu | grep -qw aes) +} + +component_test_aesni_m32 () { # ~ 60s + # This tests are duplicated from component_test_aesni for i386 target + # + # AESNI intrinsic code supports i386 and assembly code does not support it. + + msg "build: default config with different AES implementations" + scripts/config.py set MBEDTLS_AESNI_C + scripts/config.py set MBEDTLS_PADLOCK_C + scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY + scripts/config.py set MBEDTLS_HAVE_ASM + + # test the intrinsics implementation + msg "AES tests, test intrinsics" + make clean + make CC=gcc CFLAGS='-m32 -Werror -Wall -Wextra -mpclmul -msse2 -maes' LDFLAGS='-m32' + # check that we built intrinsics - this should be used by default when supported by the compiler + ./programs/test/selftest aes | grep "AESNI code" | grep -q "intrinsics" + grep -q "AES note: using AESNI" ./programs/test/selftest + grep -q "AES note: built-in implementation." ./programs/test/selftest + grep -q "AES note: using VIA Padlock" ./programs/test/selftest + grep -q mbedtls_aesni_has_support ./programs/test/selftest + + scripts/config.py set MBEDTLS_AESNI_C + scripts/config.py set MBEDTLS_PADLOCK_C + scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY + msg "AES tests, test AESNI and VIA Padlock enabled" + make clean + make CC=gcc CFLAGS='-m32 -Werror -Wall -Wextra -mpclmul -msse2 -maes' LDFLAGS='-m32' + ./programs/test/selftest aes | grep -q "AES note: using AESNI" + ./programs/test/selftest aes | not grep -q "AES note: built-in implementation." + grep -q "AES note: using AESNI" ./programs/test/selftest + not grep -q "AES note: built-in implementation." 
./programs/test/selftest + grep -q "AES note: using VIA Padlock" ./programs/test/selftest + grep -q mbedtls_aesni_has_support ./programs/test/selftest + + scripts/config.py set MBEDTLS_AESNI_C + scripts/config.py unset MBEDTLS_PADLOCK_C + scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY + msg "AES tests, test AESNI only" + make clean + make CC=gcc CFLAGS='-m32 -Werror -Wall -Wextra -mpclmul -msse2 -maes' LDFLAGS='-m32' + ./programs/test/selftest aes | grep -q "AES note: using AESNI" + ./programs/test/selftest aes | not grep -q "AES note: built-in implementation." + grep -q "AES note: using AESNI" ./programs/test/selftest + not grep -q "AES note: built-in implementation." ./programs/test/selftest + not grep -q "AES note: using VIA Padlock" ./programs/test/selftest + not grep -q mbedtls_aesni_has_support ./programs/test/selftest +} + # For timebeing, no aarch64 gcc available in CI and no arm64 CI node. component_build_aes_aesce_armcc () { msg "Build: AESCE test on arm64 platform without plain C." From 506759f5cedcdc8288220476d1d297d239b2b0e2 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 16 Aug 2023 17:11:22 +0800 Subject: [PATCH 170/222] fix build fail for via padlock test Signed-off-by: Jerry Yu --- tests/scripts/all.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index ee639f71a..4fccdf1d6 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -3989,9 +3989,11 @@ component_build_aes_aesce_armcc () { component_build_aes_via_padlock () { msg "AES:VIA PadLock, build with default configuration." + scripts/config.py unset MBEDTLS_AESNI_C scripts/config.py set MBEDTLS_PADLOCK_C scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O2" LDFLAGS="-m32 $ASAN_CFLAGS" + grep -q mbedtls_padlock_has_support ./programs/test/selftest } From 3ce0398d1db329fbd88f217af6f7b5087b3abc35 Mon Sep 17 00:00:00 2001 
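Review bot: In `component_test_aesni_m32`, checks of the form `grep -q "AES note: using VIA Padlock" ./programs/test/selftest` search the binary file for a string literal, so they show that the code was compiled in, not that the path ran. Only the `./programs/test/selftest aes | grep` lines observe run-time behaviour. A short comment would keep the two kinds apart, e.g. `# grep on the binary: checks that the implementation is built in, not that it is used`. The symbol checks such as `grep -q mbedtls_aesni_has_support` presumably rely on the binary not being stripped, which is worth stating next to them. The opening comment would also read better as `# These tests are duplicated from component_test_aesni for the i386 target`.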
From: Jerry Yu Date: Wed, 16 Aug 2023 17:22:18 +0800 Subject: [PATCH 171/222] Add compiler cflags error message Signed-off-by: Jerry Yu --- library/aesni.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library/aesni.h b/library/aesni.h index 9e0790572..93d9f0a13 100644 --- a/library/aesni.h +++ b/library/aesni.h @@ -76,6 +76,8 @@ #elif defined(MBEDTLS_HAVE_ASM) && \ defined(__GNUC__) && defined(MBEDTLS_HAVE_X86_64) #define MBEDTLS_AESNI_HAVE_CODE 1 // via assembly +#elif defined(__GNUC__) +# error "Must use `-mpclmul -msse2 -maes` for MBEDTLS_AESNI_C" #else #error "MBEDTLS_AESNI_C defined, but neither intrinsics nor assembly available" #endif From 516cf27d45cfb3e44960641e0924ca0a8461360f Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 16 Aug 2023 17:33:32 +0800 Subject: [PATCH 172/222] fix msvc build fail on i386 target Signed-off-by: Jerry Yu --- library/aes.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/library/aes.c b/library/aes.c index 4ea4d2267..38ecd821a 100644 --- a/library/aes.c +++ b/library/aes.c @@ -71,7 +71,7 @@ #if !defined(MBEDTLS_AES_ALT) -#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) +#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) && defined(__GNUC__) static int aes_padlock_ace = -1; #endif @@ -578,7 +578,7 @@ static unsigned mbedtls_aes_rk_offset(uint32_t *buf) #if defined(MAY_NEED_TO_ALIGN) int align_16_bytes = 0; -#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) +#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) && defined(__GNUC__) if (aes_padlock_ace == -1) { aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE); } @@ -1102,7 +1102,7 @@ int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx, } #endif -#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) +#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) && defined(__GNUC__) if (aes_padlock_ace > 0) { return mbedtls_padlock_xcryptecb(ctx, mode, input, output); } 
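Review bot: The `# error` added under `#elif defined(__GNUC__)` in `aesni.h` offers only one remedy, passing the three `-m` flags, although unsetting `MBEDTLS_AESNI_C` is the other way out of this branch. Those flags apply to the whole translation unit, so on a 32-bit target the compiler may also use SSE2 in code that is not behind the run-time AES-NI check; builders targeting older CPUs should be able to see the alternative. I would word it as `#error "MBEDTLS_AESNI_C needs -mpclmul -msse2 -maes with this compiler; add them or unset MBEDTLS_AESNI_C"`. It would also be more consistent to write `#error` without the space, as the neighbouring directives do.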
@@ -1148,7 +1148,7 @@ int mbedtls_aes_crypt_cbc(mbedtls_aes_context *ctx, return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; } -#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) +#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) && defined(__GNUC__) if (aes_padlock_ace > 0) { if (mbedtls_padlock_xcryptcbc(ctx, mode, length, iv, input, output) == 0) { return 0; @@ -1900,7 +1900,7 @@ int mbedtls_aes_self_test(int verbose) #if defined(MBEDTLS_AES_ALT) mbedtls_printf(" AES note: alternative implementation.\n"); #else /* MBEDTLS_AES_ALT */ -#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) +#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) && defined(__GNUC__) if (mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE)) { mbedtls_printf(" AES note: using VIA Padlock.\n"); } else From bdd96b9adf5107c1e47fee26ec82fa118bffc790 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 16 Aug 2023 17:34:27 +0800 Subject: [PATCH 173/222] disable aesni for componets without cpu modifiers Signed-off-by: Jerry Yu --- tests/scripts/all.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 4fccdf1d6..9f64be2e7 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -4272,6 +4272,7 @@ component_test_m32_o0 () { # build) and not the i386-specific inline assembly. msg "build: i386, make, gcc -O0 (ASan build)" # ~ 30s scripts/config.py full + scripts/config.py unset MBEDTLS_AESNI_C # AESNI depends on cpu modifiers make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O0" LDFLAGS="-m32 $ASAN_CFLAGS" msg "test: i386, make, gcc -O0 (ASan build)" @@ -4289,6 +4290,7 @@ component_test_m32_o2 () { # and go faster for tests. msg "build: i386, make, gcc -O2 (ASan build)" # ~ 30s scripts/config.py full + scripts/config.py unset MBEDTLS_AESNI_C # AESNI depends on cpu modifiers make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O2" LDFLAGS="-m32 $ASAN_CFLAGS" msg "test: i386, make, gcc -O2 (ASan build)" 
@@ -4304,6 +4306,7 @@ support_test_m32_o2 () { component_test_m32_everest () { msg "build: i386, Everest ECDH context (ASan build)" # ~ 6 min scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED + scripts/config.py unset MBEDTLS_AESNI_C # AESNI depends on cpu modifiers make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O2" LDFLAGS="-m32 $ASAN_CFLAGS" msg "test: i386, Everest ECDH context - main suites (inc. selftests) (ASan build)" # ~ 50s @@ -4757,6 +4760,7 @@ component_test_tls13_only_record_size_limit () { component_build_mingw () { msg "build: Windows cross build - mingw64, make (Link Library)" # ~ 30s + scripts/config.py unset MBEDTLS_AESNI_C # AESNI depends on cpu modifiers make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 lib programs # note Make tests only builds the tests, but doesn't run them From e4f6d79bbe70933d145479d89b45be265c26ca26 Mon Sep 17 00:00:00 2001 From: TTornblom Date: Thu, 16 Apr 2020 13:53:38 +0200 Subject: [PATCH 174/222] BUILD: Update For IAR support Applied the same change as in mbed-crypto for using this as a sub project with the IAR toolchain. Use __asm generic ,and avoid empty enum. Avoid declaration of array with null size. This is a porting of the original patch contributed to trusted-firmware-m. Signed-off-by: TTornblom Signed-off-by: Michel Jaouen Signed-off-by: Antonio de Angelis --- CMakeLists.txt | 4 +++- library/constant_time.c | 2 +- library/psa_crypto.c | 7 ++++++- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 9092c494d..4d7e0b055 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -226,7 +226,9 @@ if(CMAKE_COMPILER_IS_CLANG) endif(CMAKE_COMPILER_IS_CLANG) if(CMAKE_COMPILER_IS_IAR) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --warn_about_c_style_casts -Ohz") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --warn_about_c_style_casts") + set(CMAKE_C_FLAGS_RELEASE "-Ohz") + set(CMAKE_C_FLAGS_DEBUG "--debug -On") endif(CMAKE_COMPILER_IS_IAR) if(CMAKE_COMPILER_IS_MSVC) diff --git a/library/constant_time.c b/library/constant_time.c index 832ded9e7..cb5003d02 100644 --- a/library/constant_time.c +++ b/library/constant_time.c @@ -78,7 +78,7 @@ static inline uint32_t mbedtls_get_unaligned_volatile_uint32(volatile const unsi */ uint32_t r; #if defined(MBEDTLS_CT_ARM_ASM) - asm volatile ("ldr %0, [%1]" : "=r" (r) : "r" (p) :); + __asm volatile ("ldr %0, [%1]" : "=r" (r) : "r" (p) :); #elif defined(MBEDTLS_CT_AARCH64_ASM) asm volatile ("ldr %w0, [%1]" : "=r" (r) : MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT(p) :); #else diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 2b9eca8f2..352756dc8 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -7049,8 +7049,13 @@ static psa_status_t psa_key_agreement_internal(psa_key_derivation_operation_t *o size_t peer_key_length) { psa_status_t status; +#if PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE != 0 uint8_t shared_secret[PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE]; + size_t shared_secret_length = sizeof(shared_secret); +#else + uint8_t *shared_secret = NULL; size_t shared_secret_length = 0; +#endif psa_algorithm_t ka_alg = PSA_ALG_KEY_AGREEMENT_GET_BASE(operation->alg); /* Step 1: run the secret agreement algorithm to generate the shared @@ -7059,7 +7064,7 @@ static psa_status_t psa_key_agreement_internal(psa_key_derivation_operation_t *o private_key, peer_key, peer_key_length, shared_secret, - sizeof(shared_secret), + shared_secret_length, &shared_secret_length); if (status != PSA_SUCCESS) { goto exit; From 1ee4d1228ccd77a79d38a3dd3c1e200a39dfccf3 Mon Sep 17 00:00:00 2001 
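Review bot: In `psa_key_agreement_internal`, `shared_secret_length` is now passed to `psa_key_agreement_raw_internal` both as the buffer capacity and, by address, as the output length. After the call the variable no longer says how large the buffer is, and on a failure path its value depends on whether the callee wrote it. The function's cleanup is outside the hunk; if it wipes `shared_secret` using `shared_secret_length`, the amount wiped now differs between success and failure, which is hard to reason about for secret material. Keeping the two roles apart is clearer: declare `size_t shared_secret_size = sizeof(shared_secret);` in the `#if` branch and `size_t shared_secret_size = 0;` in the `#else` branch, keep `size_t shared_secret_length = 0;` common to both, and pass `shared_secret_size` as the capacity. The `#else` branch also hands a NULL buffer to the callee, which deserves a comment saying that, presumably, no key agreement algorithm is enabled in that configuration.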
From: Antonio de Angelis Date: Wed, 16 Aug 2023 12:26:37 +0100 Subject: [PATCH 175/222] Fix error strings without quotes Some of the error strings that should be printed with the error preprocessor directive are missing quotes Signed-off-by: Antonio de Angelis --- library/aes.c | 2 +- library/common.h | 2 +- library/constant_time.c | 2 +- library/entropy_poll.c | 2 +- library/psa_crypto_storage.h | 2 +- library/x509_crt.c | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/library/aes.c b/library/aes.c index b55c08ab1..fa773ec60 100644 --- a/library/aes.c +++ b/library/aes.c @@ -1866,7 +1866,7 @@ int mbedtls_aes_self_test(int verbose) #elif MBEDTLS_AESNI_HAVE_CODE == 2 mbedtls_printf(" AES note: AESNI code present (intrinsics implementation).\n"); #else -#error Unrecognised value for MBEDTLS_AESNI_HAVE_CODE +#error "Unrecognised value for MBEDTLS_AESNI_HAVE_CODE" #endif if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) { mbedtls_printf(" AES note: using AESNI.\n"); diff --git a/library/common.h b/library/common.h index 97dc1d3de..3c472c685 100644 --- a/library/common.h +++ b/library/common.h @@ -288,7 +288,7 @@ static inline void mbedtls_xor_no_simd(unsigned char *r, /* Normal case (64-bit pointers): use "r" as the constraint for pointer operands to asm */ #define MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT "r" #else -#error Unrecognised pointer size for aarch64 +#error "Unrecognised pointer size for aarch64" #endif #endif diff --git a/library/constant_time.c b/library/constant_time.c index cb5003d02..4b71a3da4 100644 --- a/library/constant_time.c +++ b/library/constant_time.c 
@@ -82,7 +82,7 @@ static inline uint32_t mbedtls_get_unaligned_volatile_uint32(volatile const unsi #elif defined(MBEDTLS_CT_AARCH64_ASM) asm volatile ("ldr %w0, [%1]" : "=r" (r) : MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT(p) :); #else -#error No assembly defined for mbedtls_get_unaligned_volatile_uint32 +#error "No assembly defined for mbedtls_get_unaligned_volatile_uint32" #endif return r; } diff --git a/library/entropy_poll.c b/library/entropy_poll.c index f90167ca8..bc71307f5 100644 --- a/library/entropy_poll.c +++ b/library/entropy_poll.c @@ -75,7 +75,7 @@ int mbedtls_platform_entropy_poll(void *data, unsigned char *output, size_t len, return 0; } #else /* !_WIN32_WINNT_WINXP */ -#error Entropy not available before Windows XP, use MBEDTLS_NO_PLATFORM_ENTROPY +#error "Entropy not available before Windows XP, use MBEDTLS_NO_PLATFORM_ENTROPY" #endif /* !_WIN32_WINNT_WINXP */ #else /* _WIN32 && !EFIX64 && !EFI32 */ diff --git a/library/psa_crypto_storage.h b/library/psa_crypto_storage.h index 04768f8a4..edd9b947c 100644 --- a/library/psa_crypto_storage.h +++ b/library/psa_crypto_storage.h @@ -39,7 +39,7 @@ extern "C" { /* Sanity check: a file size must fit in 32 bits. Allow a generous * 64kB of metadata. */ #if PSA_CRYPTO_MAX_STORAGE_SIZE > 0xffff0000 -#error PSA_CRYPTO_MAX_STORAGE_SIZE > 0xffff0000 +#error "PSA_CRYPTO_MAX_STORAGE_SIZE > 0xffff0000" #endif /** The maximum permitted persistent slot number. diff --git a/library/x509_crt.c b/library/x509_crt.c index b40bad2f4..2cbced210 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -1599,7 +1599,7 @@ int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path) cleanup: FindClose(hFind); #else /* !_WIN32_WINNT_XP */ -#error mbedtls_x509_crt_parse_path not available before Windows XP +#error "mbedtls_x509_crt_parse_path not available before Windows XP" #endif /* !_WIN32_WINNT_XP */ #else /* _WIN32 */ int t_ret; From f1adc2a7a1e44feef10be3c311e5819fe0b2fd67 Mon Sep 17 00:00:00 2001 
From: Antonio de Angelis Date: Wed, 16 Aug 2023 12:31:54 +0100 Subject: [PATCH 176/222] Use asm instead of __asm in constant_time.c The original IAR fix submitted to TF-M directly changed asm to __asm. But mbed TLS now has a workaround for such cases hence just remove the original change modification. Signed-off-by: Antonio de Angelis --- library/constant_time.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/constant_time.c b/library/constant_time.c index 4b71a3da4..12aed13f3 100644 --- a/library/constant_time.c +++ b/library/constant_time.c @@ -78,7 +78,7 @@ static inline uint32_t mbedtls_get_unaligned_volatile_uint32(volatile const unsi */ uint32_t r; #if defined(MBEDTLS_CT_ARM_ASM) - __asm volatile ("ldr %0, [%1]" : "=r" (r) : "r" (p) :); + asm volatile ("ldr %0, [%1]" : "=r" (r) : "r" (p) :); #elif defined(MBEDTLS_CT_AARCH64_ASM) asm volatile ("ldr %w0, [%1]" : "=r" (r) : MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT(p) :); #else From 285f85f962de082084d5ed4c82848a4a7df34959 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Wed, 16 Aug 2023 17:15:48 +0100 Subject: [PATCH 177/222] Remove unnecessary const type qualifiers in casts Signed-off-by: Agathiyan Bragadeesh --- library/constant_time_impl.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/constant_time_impl.h b/library/constant_time_impl.h index 0c3cde99d..ea3669b8a 100644 --- a/library/constant_time_impl.h +++ b/library/constant_time_impl.h 
@@ -189,8 +189,8 @@ static inline unsigned char mbedtls_ct_uchar_in_range_if(unsigned char low, unsigned char c, unsigned char t) { - const unsigned char co = (const unsigned char) mbedtls_ct_compiler_opaque(c); - const unsigned char to = (const unsigned char) mbedtls_ct_compiler_opaque(t); + const unsigned char co= (unsigned char) mbedtls_ct_compiler_opaque(c); + const unsigned char to= (unsigned char) mbedtls_ct_compiler_opaque(t); /* low_mask is: 0 if low <= c, 0x...ff if low > c */ unsigned low_mask = ((unsigned) co - low) >> 8; From 35b59d78056cea346d0cf3e3095a9689a3219831 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 17 Aug 2023 10:34:15 +0800 Subject: [PATCH 178/222] exclude arm64ec mode for aesni AESNI does not work correctly for msvc arm64ec Signed-off-by: Jerry Yu --- library/aesni.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/library/aesni.h b/library/aesni.h index 93d9f0a13..d0daaefb3 100644 --- a/library/aesni.h +++ b/library/aesni.h @@ -37,7 +37,8 @@ */ #if !defined(MBEDTLS_HAVE_X86_64) && \ (defined(__amd64__) || defined(__x86_64__) || \ - defined(_M_X64) || defined(_M_AMD64)) + defined(_M_X64) || defined(_M_AMD64)) && \ + !defined(_M_ARM64EC) #define MBEDTLS_HAVE_X86_64 #endif From 2319af0d648045b973a502e287c6929063507e1d Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 17 Aug 2023 10:38:57 +0800 Subject: [PATCH 179/222] Change the order of runtime detection If aesni is available, we will use it. Signed-off-by: Jerry Yu --- library/aes.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/library/aes.c b/library/aes.c index 38ecd821a..6ee9971d8 100644 --- a/library/aes.c +++ b/library/aes.c 
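Review bot: The added `!defined(_M_ARM64EC)` term in the `MBEDTLS_HAVE_X86_64` detection in `aesni.h` has no comment, and the reason is not obvious from the code. The commit message says AESNI does not work correctly for MSVC arm64ec; as far as I know MSVC also defines `_M_X64` and `_M_AMD64` in that mode, which is why the exclusion is needed. A line such as `/* MSVC ARM64EC builds define _M_X64 but target Arm; AESNI must not be selected there. */` above the `#if` would keep a later cleanup from removing the term.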
@@ -1900,11 +1900,6 @@ int mbedtls_aes_self_test(int verbose) #if defined(MBEDTLS_AES_ALT) mbedtls_printf(" AES note: alternative implementation.\n"); #else /* MBEDTLS_AES_ALT */ -#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) && defined(__GNUC__) - if (mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE)) { - mbedtls_printf(" AES note: using VIA Padlock.\n"); - } else -#endif #if defined(MBEDTLS_AESNI_HAVE_CODE) #if MBEDTLS_AESNI_HAVE_CODE == 1 mbedtls_printf(" AES note: AESNI code present (assembly implementation).\n"); @@ -1917,6 +1912,11 @@ int mbedtls_aes_self_test(int verbose) mbedtls_printf(" AES note: using AESNI.\n"); } else #endif +#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) && defined(__GNUC__) + if (mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE)) { + mbedtls_printf(" AES note: using VIA Padlock.\n"); + } else +#endif #if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64) if (mbedtls_aesce_has_support()) { mbedtls_printf(" AES note: using AESCE.\n"); From 9e628621b4e4ef95825d89552dc5444bb31158c2 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 17 Aug 2023 11:20:09 +0800 Subject: [PATCH 180/222] Add via padlock detection macro Signed-off-by: Jerry Yu --- library/aes.c | 14 +++++++------- library/padlock.h | 2 ++ 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/library/aes.c b/library/aes.c index 6ee9971d8..b99a8db92 100644 --- a/library/aes.c +++ b/library/aes.c @@ -71,7 +71,7 @@ #if !defined(MBEDTLS_AES_ALT) -#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) && defined(__GNUC__) +#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE) static int aes_padlock_ace = -1; #endif 
@@ -578,7 +578,7 @@ static unsigned mbedtls_aes_rk_offset(uint32_t *buf) #if defined(MAY_NEED_TO_ALIGN) int align_16_bytes = 0; -#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) && defined(__GNUC__) +#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE) if (aes_padlock_ace == -1) { aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE); } @@ -1102,7 +1102,7 @@ int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx, } #endif -#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) && defined(__GNUC__) +#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE) if (aes_padlock_ace > 0) { return mbedtls_padlock_xcryptecb(ctx, mode, input, output); } @@ -1110,8 +1110,8 @@ int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx, /* When runtime detection enabled and plain C is disabled, compiler reports `-Werror=return-type`. */ -#if defined(MBEDTLS_HAVE_X86) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY) && \ - defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_AESNI_HAVE_CODE) +#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY) && \ + defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE) && defined(MBEDTLS_AESNI_HAVE_CODE) return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED; #endif @@ -1148,7 +1148,7 @@ int mbedtls_aes_crypt_cbc(mbedtls_aes_context *ctx, return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; } -#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) && defined(__GNUC__) +#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE) if (aes_padlock_ace > 0) { if (mbedtls_padlock_xcryptcbc(ctx, mode, length, iv, input, output) == 0) { return 0; @@ -1912,7 +1912,7 @@ int mbedtls_aes_self_test(int verbose) mbedtls_printf(" AES note: using AESNI.\n"); } else #endif -#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) && defined(__GNUC__) +#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE) if (mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE)) { mbedtls_printf(" AES note: using VIA Padlock.\n"); } else diff --git a/library/padlock.h b/library/padlock.h index b5f0d7d7a..ae5c48654 100644 --- a/library/padlock.h 
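Review bot: The `-Werror=return-type` guard in `mbedtls_aes_crypt_ecb` (hunk `@@ -1110,8`) is rewritten to test `MBEDTLS_VIA_PADLOCK_HAVE_CODE` and drops `MBEDTLS_HAVE_X86`, but this commit has no matching hunk for the identical guard in `mbedtls_aes_setkey_enc`, which still tests `MBEDTLS_HAVE_X86` and `MBEDTLS_PADLOCK_C`. The two fallback returns can therefore be compiled in under different configurations, for instance when `MBEDTLS_PADLOCK_C` is set but `padlock.h` does not define `MBEDTLS_VIA_PADLOCK_HAVE_CODE`. The `setkey_enc` guard should get the same condition, `#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY) && \` followed by `defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE) && defined(MBEDTLS_AESNI_HAVE_CODE)`. Both functions extend beyond their hunks.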
+++ b/library/padlock.h @@ -42,6 +42,8 @@ #if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && defined(__i386__) && \ !defined(MBEDTLS_HAVE_ASAN) +#define MBEDTLS_VIA_PADLOCK_HAVE_CODE + #ifndef MBEDTLS_HAVE_X86 #define MBEDTLS_HAVE_X86 #endif From 1b4c7eda8066d24704987190c3e4bace871c451a Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 17 Aug 2023 11:25:17 +0800 Subject: [PATCH 181/222] add hardware only check for padlock Signed-off-by: Jerry Yu --- library/aes.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/library/aes.c b/library/aes.c index b99a8db92..968cd3138 100644 --- a/library/aes.c +++ b/library/aes.c @@ -52,7 +52,8 @@ #error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites" #endif -#if defined(MBEDTLS_PADLOCK_C) && !defined(MBEDTLS_HAVE_ASM) +#if defined(MBEDTLS_PADLOCK_C) && \ + (!defined(MBEDTLS_HAVE_ASM) || defined(MBEDTLS_AES_USE_HARDWARE_ONLY)) #error "MBEDTLS_PADLOCK_C defined, but not all prerequisites" #endif #endif From f258d17acda9da2c0dfb6bc3a4969433029ed66a Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 17 Aug 2023 12:39:00 +0800 Subject: [PATCH 182/222] remove aesni + padlock - plain c tests This test is not valid for padlock depends on plain c Signed-off-by: Jerry Yu --- tests/scripts/all.sh | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 9f64be2e7..a64c09efa 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
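Review bot: The extended check in `aes.c` now fires when `MBEDTLS_PADLOCK_C` is combined with `MBEDTLS_AES_USE_HARDWARE_ONLY`, but the message is still "MBEDTLS_PADLOCK_C defined, but not all prerequisites", which points the builder at a missing option rather than a conflicting one. Splitting the test gives each case an accurate message, e.g. `#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY)` followed by `#error "MBEDTLS_PADLOCK_C is not compatible with MBEDTLS_AES_USE_HARDWARE_ONLY"`. A comment giving the reason would help; a later commit message on this page says PadLock depends on the plain C code.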
@@ -3930,19 +3930,6 @@ component_test_aesni_m32 () { # ~ 60s grep -q "AES note: using VIA Padlock" ./programs/test/selftest grep -q mbedtls_aesni_has_support ./programs/test/selftest - scripts/config.py set MBEDTLS_AESNI_C - scripts/config.py set MBEDTLS_PADLOCK_C - scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY - msg "AES tests, test AESNI and VIA Padlock enabled" - make clean - make CC=gcc CFLAGS='-m32 -Werror -Wall -Wextra -mpclmul -msse2 -maes' LDFLAGS='-m32' - ./programs/test/selftest aes | grep -q "AES note: using AESNI" - ./programs/test/selftest aes | not grep -q "AES note: built-in implementation." - grep -q "AES note: using AESNI" ./programs/test/selftest - not grep -q "AES note: built-in implementation." ./programs/test/selftest - grep -q "AES note: using VIA Padlock" ./programs/test/selftest - grep -q mbedtls_aesni_has_support ./programs/test/selftest - scripts/config.py set MBEDTLS_AESNI_C scripts/config.py unset MBEDTLS_PADLOCK_C scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY From e9c6b53e74e2a316a6d3651b99fd0c4f6a7d37fb Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 17 Aug 2023 13:53:38 +0800 Subject: [PATCH 183/222] remove return-type when runtime detection enabled without plain c This case does not exist Signed-off-by: Jerry Yu --- library/aes.c | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/library/aes.c b/library/aes.c index 968cd3138..7a6f2d91c 100644 --- a/library/aes.c +++ b/library/aes.c 
@@ -656,13 +656,6 @@ int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key, } #endif -/* When runtime detection enabled and plain C is disabled, compiler - reports `-Werror=return-type`. */ -#if defined(MBEDTLS_HAVE_X86) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY) && \ - defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_AESNI_HAVE_CODE) - return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED; -#endif - #if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) for (i = 0; i < (keybits >> 5); i++) { RK[i] = MBEDTLS_GET_UINT32_LE(key, i << 2); @@ -1109,13 +1102,6 @@ int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx, } #endif -/* When runtime detection enabled and plain C is disabled, compiler - reports `-Werror=return-type`. */ -#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY) && \ - defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE) && defined(MBEDTLS_AESNI_HAVE_CODE) - return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED; -#endif - #if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) if (mode == MBEDTLS_AES_ENCRYPT) { return mbedtls_internal_aes_encrypt(ctx, input, output); From da8c587531132d01e00f500ac9e1ea3cbec059b6 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Thu, 17 Aug 2023 09:37:46 +0100 Subject: [PATCH 184/222] Add ChangeLog entry Signed-off-by: Agathiyan Bragadeesh --- ChangeLog.d/fix-iar-compiler-warnings.txt | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 ChangeLog.d/fix-iar-compiler-warnings.txt diff --git a/ChangeLog.d/fix-iar-compiler-warnings.txt b/ChangeLog.d/fix-iar-compiler-warnings.txt new file mode 100644 index 000000000..b0bd3e1df --- /dev/null +++ b/ChangeLog.d/fix-iar-compiler-warnings.txt @@ -0,0 +1,2 @@ +Bugfix + * Improve general IAR support \ No newline at end of file From 6c6b9f602c8b3673f0f453d4b0b0c1159454eced Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 17 Aug 2023 16:53:01 +0800 Subject: [PATCH 185/222] Change document to match real status 
Signed-off-by: Jerry Yu --- include/mbedtls/mbedtls_config.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 3dcaa4614..2c04ea739 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -4015,8 +4015,8 @@ * * If only one implementation is present, runtime detection will not be used. * This configuration will crash at runtime if running on a CPU without the - * necessary features. It will not build unless at least one of MBEDTLS_AESCE_C, - * MBEDTLS_AESNI_C and/or MBEDTLS_PADLOCK_C is enabled & present in the build. + * necessary features. It will not build unless at least one of MBEDTLS_AESCE_C + * and/or MBEDTLS_AESNI_C is enabled & present in the build. */ //#define MBEDTLS_AES_USE_HARDWARE_ONLY From 9ebfa7f64cf3e8749892676e94ad8060fb94844a Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Thu, 17 Aug 2023 10:00:01 +0100 Subject: [PATCH 186/222] Fix style Signed-off-by: Agathiyan Bragadeesh --- library/constant_time_impl.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/constant_time_impl.h b/library/constant_time_impl.h index ea3669b8a..b251a664c 100644 --- a/library/constant_time_impl.h +++ b/library/constant_time_impl.h @@ -189,8 +189,8 @@ static inline unsigned char mbedtls_ct_uchar_in_range_if(unsigned char low, unsigned char c, unsigned char t) { - const unsigned char co= (unsigned char) mbedtls_ct_compiler_opaque(c); - const unsigned char to= (unsigned char) mbedtls_ct_compiler_opaque(t); + const unsigned char co = (unsigned char) mbedtls_ct_compiler_opaque(c); + const unsigned char to = (unsigned char) mbedtls_ct_compiler_opaque(t); /* low_mask is: 0 if low <= c, 0x...ff if low > c */ unsigned low_mask = ((unsigned) co - low) >> 8; From 3a0f044bdef4bd9556ede02ca9ce2039a92489b2 Mon Sep 17 00:00:00 2001 
From: Jerry Yu Date: Thu, 17 Aug 2023 17:06:21 +0800 Subject: [PATCH 187/222] improve readability Signed-off-by: Jerry Yu --- library/aes.c | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/library/aes.c b/library/aes.c index 7a6f2d91c..5a2213733 100644 --- a/library/aes.c +++ b/library/aes.c @@ -620,9 +620,6 @@ static unsigned mbedtls_aes_rk_offset(uint32_t *buf) int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key, unsigned int keybits) { -#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) - unsigned int i; -#endif uint32_t *RK; switch (keybits) { @@ -657,14 +654,14 @@ int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key, #endif #if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) - for (i = 0; i < (keybits >> 5); i++) { + for (unsigned int i = 0; i < (keybits >> 5); i++) { RK[i] = MBEDTLS_GET_UINT32_LE(key, i << 2); } switch (ctx->nr) { case 10: - for (i = 0; i < 10; i++, RK += 4) { + for (unsigned int i = 0; i < 10; i++, RK += 4) { RK[4] = RK[0] ^ RCON[i] ^ ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[3])]) ^ ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[3])] << 8) ^ @@ -680,7 +677,7 @@ int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key, #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) case 12: - for (i = 0; i < 8; i++, RK += 6) { + for (unsigned int i = 0; i < 8; i++, RK += 6) { RK[6] = RK[0] ^ RCON[i] ^ ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[5])]) ^ ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[5])] << 8) ^ @@ -697,7 +694,7 @@ int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key, case 14: - for (i = 0; i < 7; i++, RK += 8) { + for (unsigned int i = 0; i < 7; i++, RK += 8) { RK[8] = RK[0] ^ RCON[i] ^ ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[7])]) ^ ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[7])] << 8) ^ 
@@ -735,7 +732,6 @@ int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key, unsigned int keybits) { #if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) - int i, j; uint32_t *SK; #endif int ret; @@ -780,9 +776,9 @@ int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key, *RK++ = *SK++; *RK++ = *SK++; *RK++ = *SK++; - - for (i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8) { - for (j = 0; j < 4; j++, SK++) { + SK -= 8; + for (int i = ctx->nr - 1; i > 0; i--, SK -= 8) { + for (int j = 0; j < 4; j++, SK++) { *RK++ = AES_RT0(FSb[MBEDTLS_BYTE_0(*SK)]) ^ AES_RT1(FSb[MBEDTLS_BYTE_1(*SK)]) ^ AES_RT2(FSb[MBEDTLS_BYTE_2(*SK)]) ^ From 9608447545c5c7b72439a865a3b8c81406467f82 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 17 Aug 2023 18:10:45 +0800 Subject: [PATCH 188/222] replace padlock_c with padlock_have_code Signed-off-by: Jerry Yu --- library/aes.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/aes.c b/library/aes.c index 5a2213733..888ac0f29 100644 --- a/library/aes.c +++ b/library/aes.c @@ -567,7 +567,7 @@ void mbedtls_aes_xts_free(mbedtls_aes_xts_context *ctx) * Note that the offset is in units of elements of buf, i.e. 32-bit words, * i.e. an offset of 1 means 4 bytes and so on. */ -#if (defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)) || \ +#if (defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)) || \ (defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2) #define MAY_NEED_TO_ALIGN #endif From 2c018744e5bc102d9bb2cf74eef5180410832977 Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Thu, 17 Aug 2023 14:00:10 +0100 Subject: [PATCH 189/222] Add newline at end of changelog Signed-off-by: Agathiyan Bragadeesh --- ChangeLog.d/fix-iar-compiler-warnings.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog.d/fix-iar-compiler-warnings.txt b/ChangeLog.d/fix-iar-compiler-warnings.txt index b0bd3e1df..6250150f0 100644 --- a/ChangeLog.d/fix-iar-compiler-warnings.txt 
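Review bot: `MAY_NEED_TO_ALIGN` in the `@@ -567,7 +567,7 @@` hunk of library/aes.c now hinges on `MBEDTLS_VIA_PADLOCK_HAVE_CODE`, and a `defined()` test on a macro that has not been set yet is silently false, which would compile out the round-key alignment with no diagnostic. The macro is presumably provided by padlock.h, whose inclusion is outside this hunk, so the ordering cannot be confirmed from here. I would record the dependency next to the test: `/* MBEDTLS_VIA_PADLOCK_HAVE_CODE comes from padlock.h, which must be included before this point. */`.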
+++ b/ChangeLog.d/fix-iar-compiler-warnings.txt @@ -1,2 +1,3 @@ Bugfix - * Improve general IAR support \ No newline at end of file + * Improve general IAR support + \ No newline at end of file From 48eae138a5ed14e04d20c73b62154874d84fedeb Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Thu, 17 Aug 2023 14:07:23 +0100 Subject: [PATCH 190/222] Fix formatting in changelog Signed-off-by: Agathiyan Bragadeesh --- ChangeLog.d/fix-iar-compiler-warnings.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/ChangeLog.d/fix-iar-compiler-warnings.txt b/ChangeLog.d/fix-iar-compiler-warnings.txt index 6250150f0..eefbd127d 100644 --- a/ChangeLog.d/fix-iar-compiler-warnings.txt +++ b/ChangeLog.d/fix-iar-compiler-warnings.txt @@ -1,3 +1,2 @@ Bugfix * Improve general IAR support - \ No newline at end of file From f2334b7b3900872beb662055269487d0bc6b6144 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 17 Aug 2023 12:24:46 +0000 Subject: [PATCH 191/222] Remove new bignum when not needed New bignum modules are only needed when the new ecp_curves module is present. Remove them when they are not needed to save code size. Signed-off-by: Janos Follath --- library/bignum_mod.c | 4 ++-- library/bignum_mod_raw.c | 4 ++-- tests/src/bignum_helpers.c | 2 ++ tests/suites/test_suite_bignum_mod.function | 2 +- tests/suites/test_suite_bignum_mod_raw.function | 2 +- tests/suites/test_suite_bignum_random.function | 4 ++-- 6 files changed, 10 insertions(+), 8 deletions(-) diff --git a/library/bignum_mod.c b/library/bignum_mod.c index 4d6782972..2f0e9ed09 100644 --- a/library/bignum_mod.c +++ b/library/bignum_mod.c @@ -19,7 +19,7 @@ #include "common.h" -#if defined(MBEDTLS_BIGNUM_C) +#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_ECP_WITH_MPI_UINT) #include @@ -403,4 +403,4 @@ cleanup: return ret; } -#endif /* MBEDTLS_BIGNUM_C */ +#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ECP_WITH_MPI_UINT */ 
diff --git a/library/bignum_mod_raw.c b/library/bignum_mod_raw.c index 75cf8c41e..5ee1b19b2 100644 --- a/library/bignum_mod_raw.c +++ b/library/bignum_mod_raw.c @@ -19,7 +19,7 @@ #include "common.h" -#if defined(MBEDTLS_BIGNUM_C) +#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_ECP_WITH_MPI_UINT) #include @@ -285,4 +285,4 @@ void mbedtls_mpi_mod_raw_neg(mbedtls_mpi_uint *X, (void) mbedtls_mpi_core_add_if(X, N->p, N->limbs, (unsigned) borrow); } -#endif /* MBEDTLS_BIGNUM_C */ +#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ECP_WITH_MPI_UINT */ diff --git a/tests/src/bignum_helpers.c b/tests/src/bignum_helpers.c index efb2eca1c..214530df5 100644 --- a/tests/src/bignum_helpers.c +++ b/tests/src/bignum_helpers.c @@ -86,6 +86,7 @@ exit: return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; } +#if defined(MBEDTLS_ECP_WITH_MPI_UINT) int mbedtls_test_read_mpi_modulus(mbedtls_mpi_mod_modulus *N, const char *s, mbedtls_mpi_mod_rep_selector int_rep) @@ -122,6 +123,7 @@ void mbedtls_test_mpi_mod_modulus_free_with_limbs(mbedtls_mpi_mod_modulus *N) mbedtls_free((mbedtls_mpi_uint *) N->p); mbedtls_mpi_mod_modulus_free(N); } +#endif /* MBEDTLS_ECP_WITH_MPI_UINT */ int mbedtls_test_read_mpi(mbedtls_mpi *X, const char *s) { diff --git a/tests/suites/test_suite_bignum_mod.function b/tests/suites/test_suite_bignum_mod.function index eaf2bd5b9..9d0fe939f 100644 --- a/tests/suites/test_suite_bignum_mod.function +++ b/tests/suites/test_suite_bignum_mod.function @@ -35,7 +35,7 @@ static int test_read_residue(mbedtls_mpi_mod_residue *r, /* END_HEADER */ /* BEGIN_DEPENDENCIES - * depends_on:MBEDTLS_BIGNUM_C + * depends_on:MBEDTLS_BIGNUM_C:MBEDTLS_ECP_WITH_MPI_UINT * END_DEPENDENCIES */ diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function index 6b953f571..f7f8a5914 100644 --- a/tests/suites/test_suite_bignum_mod_raw.function +++ b/tests/suites/test_suite_bignum_mod_raw.function 
@@ -11,7 +11,7 @@ /* END_HEADER */ /* BEGIN_DEPENDENCIES - * depends_on:MBEDTLS_BIGNUM_C + * depends_on:MBEDTLS_BIGNUM_C:MBEDTLS_ECP_WITH_MPI_UINT * END_DEPENDENCIES */ diff --git a/tests/suites/test_suite_bignum_random.function b/tests/suites/test_suite_bignum_random.function index 6e533bc1b..b43b1e713 100644 --- a/tests/suites/test_suite_bignum_random.function +++ b/tests/suites/test_suite_bignum_random.function @@ -192,7 +192,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_ECP_WITH_MPI_UINT */ void mpi_mod_random_values(int min, char *max_hex, int rep) { /* Same RNG as in mpi_core_random_basic */ @@ -403,7 +403,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_ECP_WITH_MPI_UINT */ void mpi_mod_random_validation(int min, char *bound_hex, int result_limbs_delta, int expected_ret) From 8e9d6b927e2f36606b7c59f5b094cc5fa8637c3a Mon Sep 17 00:00:00 2001 From: Antonio de Angelis Date: Thu, 17 Aug 2023 15:27:54 +0100 Subject: [PATCH 192/222] Remove the workaround for psa_key_agreement_internal Remove the workaround for psa_key_agreement_internal to have a shared_secret array always non-zero. The spec is recently updated so that PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE is always non-zero Signed-off-by: Antonio de Angelis --- library/psa_crypto.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 352756dc8..2b9eca8f2 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
@@ -7049,13 +7049,8 @@ static psa_status_t psa_key_agreement_internal(psa_key_derivation_operation_t *o size_t peer_key_length) { psa_status_t status; -#if PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE != 0 uint8_t shared_secret[PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE]; - size_t shared_secret_length = sizeof(shared_secret); -#else - uint8_t *shared_secret = NULL; size_t shared_secret_length = 0; -#endif psa_algorithm_t ka_alg = PSA_ALG_KEY_AGREEMENT_GET_BASE(operation->alg); /* Step 1: run the secret agreement algorithm to generate the shared @@ -7064,7 +7059,7 @@ static psa_status_t psa_key_agreement_internal(psa_key_derivation_operation_t *o private_key, peer_key, peer_key_length, shared_secret, - shared_secret_length, + sizeof(shared_secret), &shared_secret_length); if (status != PSA_SUCCESS) { goto exit; From e4d634cd872886138d490e892fae6756318168b4 Mon Sep 17 00:00:00 2001 From: Kusumit Ghoderao Date: Thu, 17 Aug 2023 21:11:34 +0530 Subject: [PATCH 193/222] Add tests with higher input costs for pbkdf2 Signed-off-by: Kusumit Ghoderao --- tests/suites/test_suite_psa_crypto.pbkdf2.data | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 tests/suites/test_suite_psa_crypto.pbkdf2.data diff --git a/tests/suites/test_suite_psa_crypto.pbkdf2.data b/tests/suites/test_suite_psa_crypto.pbkdf2.data new file mode 100644 index 000000000..3544b6886 --- /dev/null +++ b/tests/suites/test_suite_psa_crypto.pbkdf2.data 
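Review bot: In psa_key_agreement_internal (`@@ -7049,13 +7049,8 @@`), `shared_secret_length` now starts at 0 instead of `sizeof(shared_secret)`, so a cleanup that wipes `shared_secret_length` bytes would clear nothing when the agreement call fails after partially writing the buffer. The exit path is outside both hunks of this file, so this needs confirming; if it wipes by length, wiping the whole array is safer: `mbedtls_platform_zeroize(shared_secret, sizeof(shared_secret));`. The unconditional array also relies on the size macro never being zero, which a guard beside the declaration would make explicit: `#if PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE == 0`, `#error "PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE must be non-zero"`, `#endif`.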
@@ -0,0 +1,15 @@ +PSA key derivation: PBKDF2-HMAC(SHA-1), RFC6070 #4 +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_1 +derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_1):PSA_KEY_DERIVATION_INPUT_COST:"01000000":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"70617373776f7264":PSA_SUCCESS:0:"":PSA_SUCCESS:"":20:"eefe3d61cd4da4e4e9945b3d6ba2158c2634e984":"":0:1:0 + +PSA key derivation: PBKDF2-HMAC(SHA-256), RFC7914 #2 +depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 +derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:"013880":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"4e61436c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"50617373776f7264":PSA_SUCCESS:0:"":PSA_SUCCESS:"":64:"4ddcd8f60b98be21830cee5ef22701f9641a4418d04c0414aeff08876b34ab56a1d425a1225833549adb841b51c9b3176a272bdebba1d078478f62b397f33c8d":"":0:1:0 + +PSA key derivation: PBKDF2-AES-CMAC-PRF-128, RFC6070 #4 +depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES +derive_output:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_KEY_DERIVATION_INPUT_COST:"01000000":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"70617373776f7264":PSA_SUCCESS:0:"":PSA_SUCCESS:"":20:"c19b71d2daf483abc9e04fbc78928b4204398d1e":"":0:1:0 + +PSA key derivation: PBKDF2-AES-CMAC-PRF-128, RFC7914 #2 +depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES +derive_output:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_KEY_DERIVATION_INPUT_COST:"013880":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"4e61436c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"50617373776f7264":PSA_SUCCESS:0:"":PSA_SUCCESS:"":64:"3298e89bc3560e61b59aef2c104f93380b5fa26e2e011cb5ac5895fcd5a3bd5a92e617d7cae020fa2c6ef895182d9ffa0cc8f9c22778beb02856127719d95570":"":0:1:0 From 5cad47df8accaf463908f3d3232ecc19f5416366 Mon Sep 17 00:00:00 2001 
From: Kusumit Ghoderao Date: Fri, 18 Aug 2023 12:49:07 +0530 Subject: [PATCH 194/222] Modify test description The test data was generated using the python script. PBKDF2_AES_CMAC_PRF_128 test vectors are generated using PyCryptodome library: https://github.com/Legrandin/pycryptodome Steps to generate test vectors: 1. pip install pycryptodome 2. Use the python script below to generate Derived key (see description for details): Example usage: pbkdf2_cmac.py derive_output.py 4a30314e4d45 54687265616437333563383762344f70656e54687265616444656d6f 16384 16 password : 4a30314e4d45 salt : 54687265616437333563383762344f70656e54687265616444656d6f input cost : 16384 derived key len : 16 output : 8b27beed7e7a4dd6c53138c879a8e33c """ from Crypto.Protocol.KDF import PBKDF2 from Crypto.Hash import CMAC from Crypto.Cipher import AES import sys def main(): #check args if len(sys.argv) != 5: print("Invalid number of arguments. Expected: ") return password = bytes.fromhex(sys.argv[1]) salt = bytes.fromhex(sys.argv[2]) iterations = int(sys.argv[3]) dklen = int(sys.argv[4]) # If password is not 16 bytes then we need to use CMAC to derive the password if len(password) != 16: zeros = bytes.fromhex("00000000000000000000000000000000") cobj_pass = CMAC.new(zeros, msg=password, ciphermod=AES, mac_len=16) passwd = bytes.fromhex(cobj_pass.hexdigest()) else: passwd = password cmac_prf = lambda p,s: CMAC.new(p, s, ciphermod=AES, mac_len=16).digest() actual_output = PBKDF2(passwd, salt=salt, dkLen=dklen, count=iterations, prf=cmac_prf) print('password : ' + password.hex()) print('salt : ' + salt.hex()) print('input cost : ' + str(iterations)) print('derived key len : ' + str(dklen)) print('output : ' + actual_output.hex()) if __name__ == "__main__": main() """ Signed-off-by: Kusumit Ghoderao --- tests/suites/test_suite_psa_crypto.pbkdf2.data | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/tests/suites/test_suite_psa_crypto.pbkdf2.data b/tests/suites/test_suite_psa_crypto.pbkdf2.data index 3544b6886..3b8e7e066 100644 --- a/tests/suites/test_suite_psa_crypto.pbkdf2.data +++ b/tests/suites/test_suite_psa_crypto.pbkdf2.data @@ -6,10 +6,11 @@ PSA key derivation: PBKDF2-HMAC(SHA-256), RFC7914 #2 depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256 derive_output:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_COST:"013880":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"4e61436c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"50617373776f7264":PSA_SUCCESS:0:"":PSA_SUCCESS:"":64:"4ddcd8f60b98be21830cee5ef22701f9641a4418d04c0414aeff08876b34ab56a1d425a1225833549adb841b51c9b3176a272bdebba1d078478f62b397f33c8d":"":0:1:0 -PSA key derivation: PBKDF2-AES-CMAC-PRF-128, RFC6070 #4 +# For PBKDF2_AES_CMAC_PRF_128 the output for the test vectors was generated using a python script. Refer commit message for details. +PSA key derivation: PBKDF2-AES-CMAC-PRF-128, inputs from RFC6070 #4 depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES derive_output:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_KEY_DERIVATION_INPUT_COST:"01000000":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"73616c74":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"70617373776f7264":PSA_SUCCESS:0:"":PSA_SUCCESS:"":20:"c19b71d2daf483abc9e04fbc78928b4204398d1e":"":0:1:0 -PSA key derivation: PBKDF2-AES-CMAC-PRF-128, RFC7914 #2 +PSA key derivation: PBKDF2-AES-CMAC-PRF-128, inputs from RFC7914 #2 depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES derive_output:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_KEY_DERIVATION_INPUT_COST:"013880":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SALT:"4e61436c":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_PASSWORD:"50617373776f7264":PSA_SUCCESS:0:"":PSA_SUCCESS:"":64:"3298e89bc3560e61b59aef2c104f93380b5fa26e2e011cb5ac5895fcd5a3bd5a92e617d7cae020fa2c6ef895182d9ffa0cc8f9c22778beb02856127719d95570":"":0:1:0 
From 372f7a04d0c346c086c4077bf9dd5f323f7d681f Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 18 Aug 2023 17:26:25 +0800 Subject: [PATCH 195/222] Add missing check Signed-off-by: Jerry Yu --- library/aes.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/aes.c b/library/aes.c index 888ac0f29..1e1039b3a 100644 --- a/library/aes.c +++ b/library/aes.c @@ -41,7 +41,7 @@ #endif #if defined(__amd64__) || defined(__x86_64__) || \ - defined(_M_X64) || defined(_M_AMD64) + ((defined(_M_X64) || defined(_M_AMD64)) && !defined(_M_ARM64EC)) #if !defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY) #error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites" #endif From 61fc5ed5f316cec0a6b7439c198b0de580f910e5 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 18 Aug 2023 17:28:48 +0800 Subject: [PATCH 196/222] improve readability of error message Signed-off-by: Jerry Yu --- library/aes.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/library/aes.c b/library/aes.c index 1e1039b3a..63b36c54c 100644 --- a/library/aes.c +++ b/library/aes.c @@ -52,10 +52,15 @@ #error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites" #endif -#if defined(MBEDTLS_PADLOCK_C) && \ - (!defined(MBEDTLS_HAVE_ASM) || defined(MBEDTLS_AES_USE_HARDWARE_ONLY)) +#if defined(MBEDTLS_PADLOCK_C) +#if !defined(MBEDTLS_HAVE_ASM) #error "MBEDTLS_PADLOCK_C defined, but not all prerequisites" #endif +#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY) +#error "MBEDTLS_AES_USE_HARDWARE_ONLY cannot be defined when " \ + "MBEDTLS_PADLOCK_C is set" +#endif +#endif #endif #if defined(MBEDTLS_PADLOCK_C) From 0a6272d6c9f84d8397cf7d0cb3a8000558a01112 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 18 Aug 2023 17:35:59 +0800 Subject: [PATCH 197/222] revert padlock from aesni module Signed-off-by: Jerry Yu --- library/aesni.c | 3 +-- library/aesni.h | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) 
diff --git a/library/aesni.c b/library/aesni.c index 427c2fdc6..cc3a3b3f3 100644 --- a/library/aesni.c +++ b/library/aesni.c @@ -39,8 +39,7 @@ #include #endif -#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) || \ - (defined(MBEDTLS_HAVE_X86) && defined(MBEDTLS_PADLOCK_C)) +#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) /* * AES-NI support detection routine */ diff --git a/library/aesni.h b/library/aesni.h index d0daaefb3..332a0f072 100644 --- a/library/aesni.h +++ b/library/aesni.h @@ -100,8 +100,7 @@ extern "C" { * * \return 1 if CPU has support for the feature, 0 otherwise */ -#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) || \ - (defined(MBEDTLS_HAVE_X86) && defined(MBEDTLS_PADLOCK_C)) +#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) int mbedtls_aesni_has_support(unsigned int what); #else #define mbedtls_aesni_has_support(what) 1 From 4566132163a11d4f98b0685a33587281f059ef18 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 4 Aug 2023 12:31:58 +0100 Subject: [PATCH 198/222] Make mbedtls_aesce_has_support more efficient Signed-off-by: Dave Rodgman --- library/aesce.c | 34 +++++++++++++++++++++++----------- library/aesce.h | 22 +++++++++++++++++----- 2 files changed, 40 insertions(+), 16 deletions(-) diff --git a/library/aesce.c b/library/aesce.c index 8aa07894f..42e04d3a4 100644 --- a/library/aesce.c +++ b/library/aesce.c 
@@ -94,28 +94,40 @@ #endif /* !(__ARM_FEATURE_CRYPTO || __ARM_FEATURE_AES) || MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG */ -#if defined(__linux__) +#if defined(__linux__) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) + #include #include -#endif + +char mbedtls_aesce_has_support_result = 2; #if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) /* * AES instruction support detection routine */ -int mbedtls_aesce_has_support(void) +int mbedtls_aesce_has_support_impl(void) { -#if defined(__linux__) - unsigned long auxval = getauxval(AT_HWCAP); - return (auxval & (HWCAP_ASIMD | HWCAP_AES)) == - (HWCAP_ASIMD | HWCAP_AES); -#else - /* Assume AES instructions are supported. */ - return 1; -#endif + /* To avoid many calls to getauxval, cache the result. This is + * thread-safe, because we store the result in a char so cannot + * be vulnerable to non-atomic updates. + * It is possible that we could end up setting result more than + * once, but that is harmless. + */ + if (mbedtls_aesce_has_support_result == 2) { + unsigned long auxval = getauxval(AT_HWCAP); + if ((auxval & (HWCAP_ASIMD | HWCAP_AES)) == + (HWCAP_ASIMD | HWCAP_AES)) { + mbedtls_aesce_has_support_result = 1; + } else { + mbedtls_aesce_has_support_result = 0; + } + } + return mbedtls_aesce_has_support_result; } #endif +#endif /* defined(__linux__) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) */ + /* Single round of AESCE encryption */ #define AESCE_ENCRYPT_ROUND \ block = vaeseq_u8(block, vld1q_u8(keys)); \ diff --git a/library/aesce.h b/library/aesce.h index 9b8b0bcd6..1a0abb86f 100644 --- a/library/aesce.h +++ b/library/aesce.h 
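Review bot: The comment in mbedtls_aesce_has_support_impl justifies the lock-free cache by the variable being a `char`, but C gives no atomicity guarantee for a plain object of any size, and the function reads the global a second time in its final `return` after writing it. Because the cached value decides whether AES instructions are executed, I would compute the answer in a local inside the `if`, store it once and return the local: `int ok = (auxval & (HWCAP_ASIMD | HWCAP_AES)) == (HWCAP_ASIMD | HWCAP_AES);`, `mbedtls_aesce_has_support_result = (char) ok;`, `return ok;`. The comment should then say that the scheme relies on single-byte stores being indivisible on the supported targets, not on a language guarantee. The inner `#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)` is also redundant now that the outer guard tests the same macro.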
@@ -42,17 +42,29 @@ extern "C" { #endif +#if defined(__linux__) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) + +extern char mbedtls_aesce_has_support_result; + /** * \brief Internal function to detect the crypto extension in CPUs. * * \return 1 if CPU has support for the feature, 0 otherwise */ -#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) -int mbedtls_aesce_has_support(void); -#else -#define mbedtls_aesce_has_support() 1 -#endif +int mbedtls_aesce_has_support_impl(void); +#define mbedtls_aesce_has_support() (mbedtls_aesce_has_support_result == 2 ? \ + mbedtls_aesce_has_support_impl() : \ + mbedtls_aesce_has_support_result) + +#else /* defined(__linux__) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) */ + +/* If we are not on Linux, we can't detect support so assume that it's supported. + * Similarly, assume support if MBEDTLS_AES_USE_HARDWARE_ONLY is set. + */ +#define mbedtls_aesce_has_support() 1 + +#endif /* defined(__linux__) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) */ /** * \brief Internal AES-ECB block encryption and decryption From b30adce7fd5c66e0bb35c2d882215c43ae3b32d2 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 4 Aug 2023 12:52:51 +0100 Subject: [PATCH 199/222] Use -1 as uninitialised marker Signed-off-by: Dave Rodgman --- library/aesce.c | 4 ++-- library/aesce.h | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/library/aesce.c b/library/aesce.c index 42e04d3a4..6f75a67d7 100644 --- a/library/aesce.c +++ b/library/aesce.c @@ -99,7 +99,7 @@ #include #include -char mbedtls_aesce_has_support_result = 2; +signed char mbedtls_aesce_has_support_result = -1; #if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) /* 
@@ -113,7 +113,7 @@ int mbedtls_aesce_has_support_impl(void) * It is possible that we could end up setting result more than * once, but that is harmless. */ - if (mbedtls_aesce_has_support_result == 2) { + if (mbedtls_aesce_has_support_result == -1) { unsigned long auxval = getauxval(AT_HWCAP); if ((auxval & (HWCAP_ASIMD | HWCAP_AES)) == (HWCAP_ASIMD | HWCAP_AES)) { diff --git a/library/aesce.h b/library/aesce.h index 1a0abb86f..8d48c601b 100644 --- a/library/aesce.h +++ b/library/aesce.h @@ -44,7 +44,7 @@ extern "C" { #if defined(__linux__) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) -extern char mbedtls_aesce_has_support_result; +extern signed char mbedtls_aesce_has_support_result; /** * \brief Internal function to detect the crypto extension in CPUs. @@ -53,7 +53,7 @@ extern char mbedtls_aesce_has_support_result; */ int mbedtls_aesce_has_support_impl(void); -#define mbedtls_aesce_has_support() (mbedtls_aesce_has_support_result == 2 ? \ +#define mbedtls_aesce_has_support() (mbedtls_aesce_has_support_result == -1 ? \ mbedtls_aesce_has_support_impl() : \ mbedtls_aesce_has_support_result) From f2249ec9058f276657cbe59750472798273b25b8 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 4 Aug 2023 14:27:58 +0100 Subject: [PATCH 200/222] Rename mbedtls_aesce_has_support macro to satisfy case rules Signed-off-by: Dave Rodgman --- library/aes.c | 8 ++++---- library/aesce.h | 4 ++-- library/gcm.c | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/library/aes.c b/library/aes.c index 774c2eed0..47a5e3e82 100644 --- a/library/aes.c +++ b/library/aes.c @@ -653,7 +653,7 @@ int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key, #endif #if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64) - if (mbedtls_aesce_has_support()) { + if (MBEDTLS_AESCE_HAS_SUPPORT()) { return mbedtls_aesce_setkey_enc((unsigned char *) RK, key, keybits); } #endif 
@@ -765,7 +765,7 @@ int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key, #endif #if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64) - if (mbedtls_aesce_has_support()) { + if (MBEDTLS_AESCE_HAS_SUPPORT()) { mbedtls_aesce_inverse_key( (unsigned char *) RK, (const unsigned char *) (cty.buf + cty.rk_offset), @@ -1092,7 +1092,7 @@ int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx, #endif #if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64) - if (mbedtls_aesce_has_support()) { + if (MBEDTLS_AESCE_HAS_SUPPORT()) { return mbedtls_aesce_crypt_ecb(ctx, mode, input, output); } #endif @@ -1911,7 +1911,7 @@ int mbedtls_aes_self_test(int verbose) } else #endif #if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64) - if (mbedtls_aesce_has_support()) { + if (MBEDTLS_AESCE_HAS_SUPPORT()) { mbedtls_printf(" AES note: using AESCE.\n"); } else #endif diff --git a/library/aesce.h b/library/aesce.h index 8d48c601b..735c8cfad 100644 --- a/library/aesce.h +++ b/library/aesce.h @@ -53,7 +53,7 @@ extern signed char mbedtls_aesce_has_support_result; */ int mbedtls_aesce_has_support_impl(void); -#define mbedtls_aesce_has_support() (mbedtls_aesce_has_support_result == -1 ? \ +#define MBEDTLS_AESCE_HAS_SUPPORT() (mbedtls_aesce_has_support_result == -1 ? \ mbedtls_aesce_has_support_impl() : \ mbedtls_aesce_has_support_result) @@ -62,7 +62,7 @@ int mbedtls_aesce_has_support_impl(void); /* If we are not on Linux, we can't detect support so assume that it's supported. * Similarly, assume support if MBEDTLS_AES_USE_HARDWARE_ONLY is set. */ -#define mbedtls_aesce_has_support() 1 +#define MBEDTLS_AESCE_HAS_SUPPORT() 1 #endif /* defined(__linux__) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) */ diff --git a/library/gcm.c b/library/gcm.c index d49725c69..786290f2f 100644 --- a/library/gcm.c +++ b/library/gcm.c 
@@ -98,7 +98,7 @@ static int gcm_gen_table(mbedtls_gcm_context *ctx) #endif #if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64) - if (mbedtls_aesce_has_support()) { + if (MBEDTLS_AESCE_HAS_SUPPORT()) { return 0; } #endif @@ -209,7 +209,7 @@ static void gcm_mult(mbedtls_gcm_context *ctx, const unsigned char x[16], #endif /* MBEDTLS_AESNI_HAVE_CODE */ #if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64) - if (mbedtls_aesce_has_support()) { + if (MBEDTLS_AESCE_HAS_SUPPORT()) { unsigned char h[16]; /* mbedtls_aesce_gcm_mult needs big-endian input */ @@ -886,7 +886,7 @@ int mbedtls_gcm_self_test(int verbose) #endif #if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64) - if (mbedtls_aesce_has_support()) { + if (MBEDTLS_AESCE_HAS_SUPPORT()) { mbedtls_printf(" GCM note: using AESCE.\n"); } else #endif From 3ab114e3da2a5a471768be5914f3e60bdabd17f3 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 21 Aug 2023 07:54:11 +0100 Subject: [PATCH 201/222] Move non-function-specific macro outside of function definition Signed-off-by: Dave Rodgman --- library/constant_time_impl.h | 44 ++++++++++++++++++------------------ 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/library/constant_time_impl.h b/library/constant_time_impl.h index 111b9af5a..ab393979e 100644 --- a/library/constant_time_impl.h +++ b/library/constant_time_impl.h 
@@ -115,6 +115,28 @@ static inline mbedtls_ct_uint_t mbedtls_ct_compiler_opaque(mbedtls_ct_uint_t x) #endif } +/* + * Selecting unified syntax is needed for gcc, and harmless on clang. + * + * This is needed because on Thumb 1, condition flags are always set, so + * e.g. "negs" is supported but "neg" is not (on Thumb 2, both exist). + * + * Under Thumb 1 unified syntax, only the "negs" form is accepted, and + * under divided syntax, only the "neg" form is accepted. clang only + * supports unified syntax. + * + * On Thumb 2 and Arm, both compilers are happy with the "s" suffix, + * although we don't actually care about setting the flags. + * + * For gcc, restore divided syntax afterwards - otherwise old versions of gcc + * seem to apply unified syntax globally, which breaks other asm code. + */ +#if !defined(__clang__) +#define RESTORE_ASM_SYNTAX ".syntax divided \n\t" +#else +#define RESTORE_ASM_SYNTAX +#endif + /* Convert a number into a condition in constant time. */ static inline mbedtls_ct_condition_t mbedtls_ct_bool(mbedtls_ct_uint_t x) { 
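Review bot: `RESTORE_ASM_SYNTAX` is now defined at file scope of constant_time_impl.h under an unprefixed name, so it is visible in every translation unit that includes the header and can collide with, or be silently redefined by, unrelated code. As far as this hunk shows, it is also defined whether or not any of the Arm assembly paths are compiled. A library-prefixed name such as `MBEDTLS_CT_RESTORE_ASM_SYNTAX`, or an `#undef RESTORE_ASM_SYNTAX` after its last use in the header, would keep it contained.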
@@ -140,28 +162,6 @@ static inline mbedtls_ct_condition_t mbedtls_ct_bool(mbedtls_ct_uint_t x) return (mbedtls_ct_condition_t) x; #elif defined(MBEDTLS_CT_ARM_ASM) && defined(MBEDTLS_CT_SIZE_32) uint32_t s; - /* - * Selecting unified syntax is needed for gcc, and harmless on clang. - * - * This is needed because on Thumb 1, condition flags are always set, so - * e.g. "negs" is supported but "neg" is not (on Thumb 2, both exist). - * - * Under Thumb 1 unified syntax, only the "negs" form is accepted, and - * under divided syntax, only the "neg" form is accepted. clang only - * supports unified syntax. - * - * On Thumb 2 and Arm, both compilers are happy with the "s" suffix, - * although we don't actually care about setting the flags. - * - * For gcc, restore divided syntax afterwards - otherwise old versions of gcc - * seem to apply unified syntax globally, which breaks other asm code. - */ -#if !defined(__clang__) -#define RESTORE_ASM_SYNTAX ".syntax divided \n\t" -#else -#define RESTORE_ASM_SYNTAX -#endif - asm volatile (".syntax unified \n\t" "negs %[s], %[x] \n\t" "orrs %[x], %[x], %[s] \n\t" From 0ce0fbc32ae3f89af65bd40a58b54cb0ab1c1404 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 21 Aug 2023 07:58:50 +0100 Subject: [PATCH 202/222] Simplify aarch64 asm for mbedtls_ct_uint_lt Signed-off-by: Dave Rodgman --- library/constant_time_impl.h | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/library/constant_time_impl.h b/library/constant_time_impl.h index ab393979e..971388c19 100644 --- a/library/constant_time_impl.h +++ b/library/constant_time_impl.h 
@@ -234,14 +234,14 @@ static inline mbedtls_ct_uint_t mbedtls_ct_if(mbedtls_ct_condition_t condition, static inline mbedtls_ct_condition_t mbedtls_ct_uint_lt(mbedtls_ct_uint_t x, mbedtls_ct_uint_t y) { #if defined(MBEDTLS_CT_AARCH64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64)) - uint64_t s1, s2; + uint64_t s1; asm volatile ("eor %x[s1], %x[y], %x[x] \n\t" - "sub %x[s2], %x[x], %x[y] \n\t" - "bic %x[s2], %x[s2], %[s1] \n\t" + "sub %x[x], %x[x], %x[y] \n\t" + "bic %x[x], %x[x], %[s1] \n\t" "and %x[s1], %x[s1], %x[y] \n\t" - "orr %x[s1], %x[s2], %x[s1] \n\t" + "orr %x[s1], %x[x], %x[s1] \n\t" "asr %x[x], %x[s1], 63" - : [s1] "=&r" (s1), [s2] "=&r" (s2), [x] "+r" (x) + : [s1] "=&r" (s1), [x] "+&r" (x) : [y] "r" (y) : ); From 8cd1da4b73009794a5cf5102855d63e1f70f5b7e Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 17 May 2023 23:18:41 +0200 Subject: [PATCH 203/222] Remove spurious extern "C" This header only contains preprocessor definitions. They are not affected by extern "C". Signed-off-by: Gilles Peskine --- include/mbedtls/config_psa.h | 8 -------- 1 file changed, 8 deletions(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 303758f03..9823fa398 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -44,10 +44,6 @@ #include "psa/crypto_legacy.h" -#ifdef __cplusplus -extern "C" { -#endif - /****************************************************************/ @@ -1074,8 +1070,4 @@ extern "C" { #define PSA_WANT_KEY_TYPE_PASSWORD_HASH 1 #define PSA_WANT_KEY_TYPE_RAW_DATA 1 -#ifdef __cplusplus -} -#endif - #endif /* MBEDTLS_CONFIG_PSA_H */ From a458d48e7f185dcc727f81e86f557f23a12b0e24 Mon Sep 17 00:00:00 2001 
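Review bot: In the AArch64 block of mbedtls_ct_uint_lt the `bic` line still writes its last operand as `%[s1]` while every other operand in the sequence carries the `x` modifier; with `x` now doubling as the scratch register, I would make it uniform: `"bic %x[x], %x[x], %x[s1] \n\t"`. The block is also enabled for `MBEDTLS_CT_SIZE_32`; if `mbedtls_ct_uint_t` is 32 bits wide in that case (its typedef is not in the hunk), the 64-bit `sub` and `asr ..., 63` would depend on upper register bits the compiler does not define, which is worth confirming. A short comment on the constraint line would help the next reader: `/* x is read-write and early-clobber: it is overwritten before y is last read */`. The function body continues past the end of the hunk.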
From: Gilles Peskine Date: Wed, 17 May 2023 23:13:06 +0200 Subject: [PATCH 204/222] Move the inclusion of the PSA config file(s) into build_info.h They belong here, next to the inclusion of the mbedtls config file. We only put them in config_psa.h in Mbed TLS 2.x because there was no build_info.h we could use. Signed-off-by: Gilles Peskine --- include/mbedtls/build_info.h | 14 ++++++++++++++ include/mbedtls/config_psa.h | 12 ------------ 2 files changed, 14 insertions(+), 12 deletions(-) diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h index 985edd233..b54b9baa8 100644 --- a/include/mbedtls/build_info.h +++ b/include/mbedtls/build_info.h @@ -59,6 +59,7 @@ #define inline __inline #endif +/* X.509, TLS and non-PSA crypto configuration */ #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/mbedtls_config.h" #else @@ -80,6 +81,19 @@ #include MBEDTLS_USER_CONFIG_FILE #endif +/* PSA crypto configuration */ +#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) +#if defined(MBEDTLS_PSA_CRYPTO_CONFIG_FILE) +#include MBEDTLS_PSA_CRYPTO_CONFIG_FILE +#else +#include "psa/crypto_config.h" +#endif +#endif /* defined(MBEDTLS_PSA_CRYPTO_CONFIG) */ + +#if defined(MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE) +#include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE +#endif + /* Auto-enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY if * MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH and MBEDTLS_CTR_DRBG_C defined * to ensure a 128-bit key size in CTR_DRBG. diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 9823fa398..3b30c0277 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h 
@@ -30,18 +30,6 @@ #ifndef MBEDTLS_CONFIG_PSA_H #define MBEDTLS_CONFIG_PSA_H -#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) -#if defined(MBEDTLS_PSA_CRYPTO_CONFIG_FILE) -#include MBEDTLS_PSA_CRYPTO_CONFIG_FILE -#else -#include "psa/crypto_config.h" -#endif -#endif /* defined(MBEDTLS_PSA_CRYPTO_CONFIG) */ - -#if defined(MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE) -#include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE -#endif - #include "psa/crypto_legacy.h" From 7b7ecf5e0d42537f5f5deb93eb5ce278ecd6a8f1 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 17 May 2023 23:15:31 +0200 Subject: [PATCH 205/222] Fix condition to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE Don't try to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE when MBEDTLS_PSA_CRYPTO_CONFIG is disabled. This didn't make sense and was an editorial mistake when adding it: it's meant as an addition to MBEDTLS_PSA_CRYPTO_CONFIG_FILE, so it should be included under the same conditions. Signed-off-by: Gilles Peskine --- ChangeLog.d/psa_crypto_user_config_file.txt | 3 +++ include/mbedtls/build_info.h | 3 +-- 2 files changed, 4 insertions(+), 2 deletions(-) create mode 100644 ChangeLog.d/psa_crypto_user_config_file.txt diff --git a/ChangeLog.d/psa_crypto_user_config_file.txt b/ChangeLog.d/psa_crypto_user_config_file.txt new file mode 100644 index 000000000..f538f4707 --- /dev/null +++ b/ChangeLog.d/psa_crypto_user_config_file.txt @@ -0,0 +1,3 @@ +Bugfix + * Don't try to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE when + MBEDTLS_PSA_CRYPTO_CONFIG is disabled. diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h index b54b9baa8..c0424da82 100644 --- a/include/mbedtls/build_info.h +++ b/include/mbedtls/build_info.h 
@@ -88,11 +88,10 @@ #else #include "psa/crypto_config.h" #endif -#endif /* defined(MBEDTLS_PSA_CRYPTO_CONFIG) */ - #if defined(MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE) #include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE #endif +#endif /* defined(MBEDTLS_PSA_CRYPTO_CONFIG) */ /* Auto-enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY if * MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH and MBEDTLS_CTR_DRBG_C defined From 44243e11ffd47df0ff6e15c0a17a448cde3de954 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 18 May 2023 19:39:11 +0200 Subject: [PATCH 206/222] Remove obsolete header inclusions Since 3.0.0, mbedtls_config.h (formerly config.h) no longer needs to include config_psa.h or check_config.h: build_info.h takes care of that. Signed-off-by: Gilles Peskine --- tests/include/test/drivers/config_test_driver.h | 3 --- 1 file changed, 3 deletions(-) diff --git a/tests/include/test/drivers/config_test_driver.h b/tests/include/test/drivers/config_test_driver.h index 2585fd9f0..81f988339 100644 --- a/tests/include/test/drivers/config_test_driver.h +++ b/tests/include/test/drivers/config_test_driver.h @@ -53,7 +53,4 @@ //#define MBEDTLS_PEM_PARSE_C //#define MBEDTLS_BASE64_C -#include "mbedtls/config_psa.h" -#include "mbedtls/check_config.h" - #endif /* MBEDTLS_CONFIG_H */ From 9af413bcc5294de8810aca03ecff452f5f695edc Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 18 May 2023 20:12:44 +0200 Subject: [PATCH 207/222] Don't try to include mbedtls/config_*.h They're included by build_info.h and must not be included directly. Currently, this only concerns one file: config_psa.h. It's technically a bug to include it, but a harmless one because that header has already been included by build_info.h except in configurations where it effectively had no effect (enabling PSA options with PSA turned off). We plan to split config_psa.h into multiple headers that are less independent, which could make the inclusion more problematic. 
Signed-off-by: Gilles Peskine --- programs/test/generate_cpp_dummy_build.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/programs/test/generate_cpp_dummy_build.sh b/programs/test/generate_cpp_dummy_build.sh index 94e911515..254168331 100755 --- a/programs/test/generate_cpp_dummy_build.sh +++ b/programs/test/generate_cpp_dummy_build.sh @@ -63,6 +63,7 @@ EOF for header in include/mbedtls/*.h include/psa/*.h; do case ${header#include/} in mbedtls/mbedtls_config.h) :;; # not meant for direct inclusion + mbedtls/config_*.h) :;; # not meant for direct inclusion psa/crypto_config.h) :;; # not meant for direct inclusion # Some of the psa/crypto_*.h headers are not meant to be included # directly. They do have include guards that make them no-ops if From ea4fc97cd01fdbeb76bb25dce9666f29c1bb64ce Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 22 May 2023 12:18:08 +0200 Subject: [PATCH 208/222] Restore a comment and fix it aca31654e6e96c76b073e0ffedb6ae53c9e4f4c7 removed a sentence with copypasta refering to PBKDF2 instead of XTS. Restore that comment but fix the copypasta. Signed-off-by: Gilles Peskine --- include/psa/crypto_config.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index af78dce17..d8e8e19d0 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h @@ -92,7 +92,8 @@ #define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 #define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1 -/* Note: when adding support, also adjust include/mbedtls/config_psa.h */ +/* XTS is not yet supported via the PSA API in Mbed TLS. + * Note: when adding support, also adjust include/mbedtls/config_psa.h */ //#define PSA_WANT_ALG_XTS 1 #define PSA_WANT_ECC_BRAINPOOL_P_R1_256 1 From 0c99a9083ef633183951c80354fc506ca4e80567 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 21 Aug 2023 17:06:24 +0100 Subject: [PATCH 209/222] Avoid signed right shift UB 
Signed-off-by: Dave Rodgman --- library/constant_time_impl.h | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/library/constant_time_impl.h b/library/constant_time_impl.h index 971388c19..54bd2b0ed 100644 --- a/library/constant_time_impl.h +++ b/library/constant_time_impl.h @@ -183,8 +183,14 @@ static inline mbedtls_ct_condition_t mbedtls_ct_bool(mbedtls_ct_uint_t x) #pragma warning( push ) #pragma warning( disable : 4146 ) #endif - return (mbedtls_ct_condition_t) (((mbedtls_ct_int_t) ((-xo) | -(xo >> 1))) >> - (MBEDTLS_CT_SIZE - 1)); + // y is negative (i.e., top bit set) iff x is non-zero + mbedtls_ct_int_t y = (-xo) | -(xo >> 1); + + // extract only the sign bit of y so that y == 1 (if x is non-zero) or 0 (if x is zero) + y = (((mbedtls_ct_uint_t) y) >> (MBEDTLS_CT_SIZE - 1)); + + // -y has all bits set (if x is non-zero), or all bits clear (if x is zero) + return (mbedtls_ct_condition_t) (-y); #if defined(_MSC_VER) #pragma warning( pop ) #endif From fdb722384b93675486fae98d7c1817fcf23c3637 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 19 Jun 2023 20:46:47 +0200 Subject: [PATCH 210/222] Move PSA information and dependency automation into their own module This will let us use these features from other modules (yet to be created). Signed-off-by: Gilles Peskine --- scripts/mbedtls_dev/psa_information.py | 162 ++++++++++++++++++++ tests/CMakeLists.txt | 1 + tests/Makefile | 1 + tests/scripts/generate_psa_tests.py | 202 +++++-------------------- 4 files changed, 199 insertions(+), 167 deletions(-) create mode 100644 scripts/mbedtls_dev/psa_information.py diff --git a/scripts/mbedtls_dev/psa_information.py b/scripts/mbedtls_dev/psa_information.py new file mode 100644 index 000000000..a82df41df --- /dev/null +++ b/scripts/mbedtls_dev/psa_information.py 
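Review bot: The initialisation `mbedtls_ct_int_t y = (-xo) | -(xo >> 1);` still goes through a signed type: assuming `xo` is an `mbedtls_ct_uint_t` (its declaration is outside this hunk, but the C4146 suppression suggests it is unsigned), the value has its top bit set whenever `x` is non-zero, and converting that to `mbedtls_ct_int_t` is implementation-defined. The next line casts straight back to unsigned, so the signed variable can be dropped: `mbedtls_ct_uint_t y = (-xo) | -(xo >> 1);`, then `y >>= (MBEDTLS_CT_SIZE - 1);`, then `return (mbedtls_ct_condition_t) (-y);`. Unary minus on the unsigned `y` is well defined and is already covered by the MSVC warning suppression around this block. The first comment would then read `// top bit of y is set iff x is non-zero`. The rest of `mbedtls_ct_bool` is outside the hunk.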
@@ -0,0 +1,162 @@ +"""Collect information about PSA cryptographic mechanisms. +""" + +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import re +from typing import Dict, FrozenSet, List, Optional + +from . import macro_collector + + +class Information: + """Gather information about PSA constructors.""" + + def __init__(self) -> None: + self.constructors = self.read_psa_interface() + + @staticmethod + def remove_unwanted_macros( + constructors: macro_collector.PSAMacroEnumerator + ) -> None: + # Mbed TLS does not support finite-field DSA. + # Don't attempt to generate any related test case. 
+ constructors.key_types.discard('PSA_KEY_TYPE_DSA_KEY_PAIR') + constructors.key_types.discard('PSA_KEY_TYPE_DSA_PUBLIC_KEY') + + def read_psa_interface(self) -> macro_collector.PSAMacroEnumerator: + """Return the list of known key types, algorithms, etc.""" + constructors = macro_collector.InputsForTest() + header_file_names = ['include/psa/crypto_values.h', + 'include/psa/crypto_extra.h'] + test_suites = ['tests/suites/test_suite_psa_crypto_metadata.data'] + for header_file_name in header_file_names: + constructors.parse_header(header_file_name) + for test_cases in test_suites: + constructors.parse_test_cases(test_cases) + self.remove_unwanted_macros(constructors) + constructors.gather_arguments() + return constructors + + +def psa_want_symbol(name: str) -> str: + """Return the PSA_WANT_xxx symbol associated with a PSA crypto feature.""" + if name.startswith('PSA_'): + return name[:4] + 'WANT_' + name[4:] + else: + raise ValueError('Unable to determine the PSA_WANT_ symbol for ' + name) + +def finish_family_dependency(dep: str, bits: int) -> str: + """Finish dep if it's a family dependency symbol prefix. + + A family dependency symbol prefix is a PSA_WANT_ symbol that needs to be + qualified by the key size. If dep is such a symbol, finish it by adjusting + the prefix and appending the key size. Other symbols are left unchanged. + """ + return re.sub(r'_FAMILY_(.*)', r'_\1_' + str(bits), dep) + +def finish_family_dependencies(dependencies: List[str], bits: int) -> List[str]: + """Finish any family dependency symbol prefixes. + + Apply `finish_family_dependency` to each element of `dependencies`. 
+ """ + return [finish_family_dependency(dep, bits) for dep in dependencies] + +SYMBOLS_WITHOUT_DEPENDENCY = frozenset([ + 'PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG', # modifier, only in policies + 'PSA_ALG_AEAD_WITH_SHORTENED_TAG', # modifier + 'PSA_ALG_ANY_HASH', # only in policies + 'PSA_ALG_AT_LEAST_THIS_LENGTH_MAC', # modifier, only in policies + 'PSA_ALG_KEY_AGREEMENT', # chaining + 'PSA_ALG_TRUNCATED_MAC', # modifier +]) +def automatic_dependencies(*expressions: str) -> List[str]: + """Infer dependencies of a test case by looking for PSA_xxx symbols. + + The arguments are strings which should be C expressions. Do not use + string literals or comments as this function is not smart enough to + skip them. + """ + used = set() + for expr in expressions: + used.update(re.findall(r'PSA_(?:ALG|ECC_FAMILY|KEY_TYPE)_\w+', expr)) + used.difference_update(SYMBOLS_WITHOUT_DEPENDENCY) + return sorted(psa_want_symbol(name) for name in used) + +# Define set of regular expressions and dependencies to optionally append +# extra dependencies for test case. +AES_128BIT_ONLY_DEP_REGEX = r'AES\s(192|256)' +AES_128BIT_ONLY_DEP = ["!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH"] + +DEPENDENCY_FROM_KEY = { + AES_128BIT_ONLY_DEP_REGEX: AES_128BIT_ONLY_DEP +}#type: Dict[str, List[str]] +def generate_key_dependencies(description: str) -> List[str]: + """Return additional dependencies based on pairs of REGEX and dependencies. + """ + deps = [] + for regex, dep in DEPENDENCY_FROM_KEY.items(): + if re.search(regex, description): + deps += dep + + return deps + +# A temporary hack: at the time of writing, not all dependency symbols +# are implemented yet. Skip test cases for which the dependency symbols are +# not available. Once all dependency symbols are available, this hack must +# be removed so that a bug in the dependency symbols properly leads to a test +# failure. 
+def read_implemented_dependencies(filename: str) -> FrozenSet[str]: + return frozenset(symbol + for line in open(filename) + for symbol in re.findall(r'\bPSA_WANT_\w+\b', line)) +_implemented_dependencies = None #type: Optional[FrozenSet[str]] #pylint: disable=invalid-name +def hack_dependencies_not_implemented(dependencies: List[str]) -> None: + global _implemented_dependencies #pylint: disable=global-statement,invalid-name + if _implemented_dependencies is None: + _implemented_dependencies = \ + read_implemented_dependencies('include/psa/crypto_config.h') + if not all((dep.lstrip('!') in _implemented_dependencies or + not dep.lstrip('!').startswith('PSA_WANT')) + for dep in dependencies): + dependencies.append('DEPENDENCY_NOT_IMPLEMENTED_YET') + +def tweak_key_pair_dependency(dep: str, usage: str): + """ + This helper function add the proper suffix to PSA_WANT_KEY_TYPE_xxx_KEY_PAIR + symbols according to the required usage. + """ + ret_list = list() + if dep.endswith('KEY_PAIR'): + if usage == "BASIC": + # BASIC automatically includes IMPORT and EXPORT for test purposes (see + # config_psa.h). + ret_list.append(re.sub(r'KEY_PAIR', r'KEY_PAIR_BASIC', dep)) + ret_list.append(re.sub(r'KEY_PAIR', r'KEY_PAIR_IMPORT', dep)) + ret_list.append(re.sub(r'KEY_PAIR', r'KEY_PAIR_EXPORT', dep)) + elif usage == "GENERATE": + ret_list.append(re.sub(r'KEY_PAIR', r'KEY_PAIR_GENERATE', dep)) + else: + # No replacement to do in this case + ret_list.append(dep) + return ret_list + +def fix_key_pair_dependencies(dep_list: List[str], usage: str): + new_list = [new_deps + for dep in dep_list + for new_deps in tweak_key_pair_dependency(dep, usage)] + + return new_list diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 9bd93f156..3274739e5 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt 
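Review bot: `read_implemented_dependencies` iterates over `open(filename)` directly, so the file object is never closed explicitly and is released only when the interpreter collects it. A context manager fixes that without changing the result: `with open(filename) as input_file:` around the same `frozenset(...)` expression, with `for line in input_file`. Neither this function nor `hack_dependencies_not_implemented` has a docstring; on the latter, something like `"""Append DEPENDENCY_NOT_IMPLEMENTED_YET if any PSA_WANT_ dependency is not found in include/psa/crypto_config.h."""` would make it clear at the call sites that the affected test cases end up skipped. The code is moved verbatim from `generate_psa_tests.py`, so both points are pre-existing, but the move is a good moment to address them.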
@@ -120,6 +120,7 @@ if(GEN_FILES) ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_psa_tests.py ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/crypto_knowledge.py ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/macro_collector.py + ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/psa_information.py ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/psa_storage.py ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/test_case.py ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/test_data_generation.py diff --git a/tests/Makefile b/tests/Makefile index 75dc3c629..3a3425b18 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -123,6 +123,7 @@ $(GENERATED_PSA_DATA_FILES): generated_psa_test_data generated_psa_test_data: scripts/generate_psa_tests.py generated_psa_test_data: ../scripts/mbedtls_dev/crypto_knowledge.py generated_psa_test_data: ../scripts/mbedtls_dev/macro_collector.py +generated_psa_test_data: ../scripts/mbedtls_dev/psa_information.py generated_psa_test_data: ../scripts/mbedtls_dev/psa_storage.py generated_psa_test_data: ../scripts/mbedtls_dev/test_case.py generated_psa_test_data: ../scripts/mbedtls_dev/test_data_generation.py diff --git a/tests/scripts/generate_psa_tests.py b/tests/scripts/generate_psa_tests.py index 993457872..5cdeb3bae 100755 --- a/tests/scripts/generate_psa_tests.py +++ b/tests/scripts/generate_psa_tests.py 
@@ -27,150 +27,13 @@ from typing import Callable, Dict, FrozenSet, Iterable, Iterator, List, Optional import scripts_path # pylint: disable=unused-import from mbedtls_dev import crypto_knowledge -from mbedtls_dev import macro_collector +from mbedtls_dev import macro_collector #pylint: disable=unused-import +from mbedtls_dev import psa_information from mbedtls_dev import psa_storage from mbedtls_dev import test_case from mbedtls_dev import test_data_generation -def psa_want_symbol(name: str) -> str: - """Return the PSA_WANT_xxx symbol associated with a PSA crypto feature.""" - if name.startswith('PSA_'): - return name[:4] + 'WANT_' + name[4:] - else: - raise ValueError('Unable to determine the PSA_WANT_ symbol for ' + name) - -def finish_family_dependency(dep: str, bits: int) -> str: - """Finish dep if it's a family dependency symbol prefix. - - A family dependency symbol prefix is a PSA_WANT_ symbol that needs to be - qualified by the key size. If dep is such a symbol, finish it by adjusting - the prefix and appending the key size. Other symbols are left unchanged. - """ - return re.sub(r'_FAMILY_(.*)', r'_\1_' + str(bits), dep) - -def finish_family_dependencies(dependencies: List[str], bits: int) -> List[str]: - """Finish any family dependency symbol prefixes. - - Apply `finish_family_dependency` to each element of `dependencies`. - """ - return [finish_family_dependency(dep, bits) for dep in dependencies] - -SYMBOLS_WITHOUT_DEPENDENCY = frozenset([ - 'PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG', # modifier, only in policies - 'PSA_ALG_AEAD_WITH_SHORTENED_TAG', # modifier - 'PSA_ALG_ANY_HASH', # only in policies - 'PSA_ALG_AT_LEAST_THIS_LENGTH_MAC', # modifier, only in policies - 'PSA_ALG_KEY_AGREEMENT', # chaining - 'PSA_ALG_TRUNCATED_MAC', # modifier -]) -def automatic_dependencies(*expressions: str) -> List[str]: - """Infer dependencies of a test case by looking for PSA_xxx symbols. - - The arguments are strings which should be C expressions. 
Do not use - string literals or comments as this function is not smart enough to - skip them. - """ - used = set() - for expr in expressions: - used.update(re.findall(r'PSA_(?:ALG|ECC_FAMILY|KEY_TYPE)_\w+', expr)) - used.difference_update(SYMBOLS_WITHOUT_DEPENDENCY) - return sorted(psa_want_symbol(name) for name in used) - -# Define set of regular expressions and dependencies to optionally append -# extra dependencies for test case. -AES_128BIT_ONLY_DEP_REGEX = r'AES\s(192|256)' -AES_128BIT_ONLY_DEP = ["!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH"] - -DEPENDENCY_FROM_KEY = { - AES_128BIT_ONLY_DEP_REGEX: AES_128BIT_ONLY_DEP -}#type: Dict[str, List[str]] -def generate_key_dependencies(description: str) -> List[str]: - """Return additional dependencies based on pairs of REGEX and dependencies. - """ - deps = [] - for regex, dep in DEPENDENCY_FROM_KEY.items(): - if re.search(regex, description): - deps += dep - - return deps - -# A temporary hack: at the time of writing, not all dependency symbols -# are implemented yet. Skip test cases for which the dependency symbols are -# not available. Once all dependency symbols are available, this hack must -# be removed so that a bug in the dependency symbols properly leads to a test -# failure. 
-def read_implemented_dependencies(filename: str) -> FrozenSet[str]: - return frozenset(symbol - for line in open(filename) - for symbol in re.findall(r'\bPSA_WANT_\w+\b', line)) -_implemented_dependencies = None #type: Optional[FrozenSet[str]] #pylint: disable=invalid-name -def hack_dependencies_not_implemented(dependencies: List[str]) -> None: - global _implemented_dependencies #pylint: disable=global-statement,invalid-name - if _implemented_dependencies is None: - _implemented_dependencies = \ - read_implemented_dependencies('include/psa/crypto_config.h') - if not all((dep.lstrip('!') in _implemented_dependencies or - not dep.lstrip('!').startswith('PSA_WANT')) - for dep in dependencies): - dependencies.append('DEPENDENCY_NOT_IMPLEMENTED_YET') - -def tweak_key_pair_dependency(dep: str, usage: str): - """ - This helper function add the proper suffix to PSA_WANT_KEY_TYPE_xxx_KEY_PAIR - symbols according to the required usage. - """ - ret_list = list() - if dep.endswith('KEY_PAIR'): - if usage == "BASIC": - # BASIC automatically includes IMPORT and EXPORT for test purposes (see - # config_psa.h). - ret_list.append(re.sub(r'KEY_PAIR', r'KEY_PAIR_BASIC', dep)) - ret_list.append(re.sub(r'KEY_PAIR', r'KEY_PAIR_IMPORT', dep)) - ret_list.append(re.sub(r'KEY_PAIR', r'KEY_PAIR_EXPORT', dep)) - elif usage == "GENERATE": - ret_list.append(re.sub(r'KEY_PAIR', r'KEY_PAIR_GENERATE', dep)) - else: - # No replacement to do in this case - ret_list.append(dep) - return ret_list - -def fix_key_pair_dependencies(dep_list: List[str], usage: str): - new_list = [new_deps - for dep in dep_list - for new_deps in tweak_key_pair_dependency(dep, usage)] - - return new_list - -class Information: - """Gather information about PSA constructors.""" - - def __init__(self) -> None: - self.constructors = self.read_psa_interface() - - @staticmethod - def remove_unwanted_macros( - constructors: macro_collector.PSAMacroEnumerator - ) -> None: - # Mbed TLS does not support finite-field DSA. 
- # Don't attempt to generate any related test case. - constructors.key_types.discard('PSA_KEY_TYPE_DSA_KEY_PAIR') - constructors.key_types.discard('PSA_KEY_TYPE_DSA_PUBLIC_KEY') - - def read_psa_interface(self) -> macro_collector.PSAMacroEnumerator: - """Return the list of known key types, algorithms, etc.""" - constructors = macro_collector.InputsForTest() - header_file_names = ['include/psa/crypto_values.h', - 'include/psa/crypto_extra.h'] - test_suites = ['tests/suites/test_suite_psa_crypto_metadata.data'] - for header_file_name in header_file_names: - constructors.parse_header(header_file_name) - for test_cases in test_suites: - constructors.parse_test_cases(test_cases) - self.remove_unwanted_macros(constructors) - constructors.gather_arguments() - return constructors - def test_case_for_key_type_not_supported( verb: str, key_type: str, bits: int, @@ -181,7 +44,7 @@ def test_case_for_key_type_not_supported( """Return one test case exercising a key creation method for an unsupported key type or size. """ - hack_dependencies_not_implemented(dependencies) + psa_information.hack_dependencies_not_implemented(dependencies) tc = test_case.TestCase() short_key_type = crypto_knowledge.short_expression(key_type) adverb = 'not' if dependencies else 'never' @@ -197,7 +60,7 @@ def test_case_for_key_type_not_supported( class KeyTypeNotSupported: """Generate test cases for when a key type is not supported.""" - def __init__(self, info: Information) -> None: + def __init__(self, info: psa_information.Information) -> None: self.constructors = info.constructors ALWAYS_SUPPORTED = frozenset([ 
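Review bot: The import `from mbedtls_dev import macro_collector #pylint: disable=unused-import` is kept behind a lint suppression instead of being removed. If nothing in this file references `macro_collector` now that `Information` lives in `psa_information`, the line should be deleted; if it is still needed for a reason the linter cannot see, a short comment saying why would be better than the bare suppression. The same check is worth doing for `re`, `FrozenSet` and `Optional`, which the helpers removed by this hunk relied on; whether other code in the file still uses them is not visible here.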
@@ -224,20 +87,22 @@ class KeyTypeNotSupported: # They would be skipped in all configurations, which is noise. return import_dependencies = [('!' if param is None else '') + - psa_want_symbol(kt.name)] + psa_information.psa_want_symbol(kt.name)] if kt.params is not None: import_dependencies += [('!' if param == i else '') + - psa_want_symbol(sym) + psa_information.psa_want_symbol(sym) for i, sym in enumerate(kt.params)] if kt.name.endswith('_PUBLIC_KEY'): generate_dependencies = [] else: - generate_dependencies = fix_key_pair_dependencies(import_dependencies, 'GENERATE') - import_dependencies = fix_key_pair_dependencies(import_dependencies, 'BASIC') + generate_dependencies = \ + psa_information.fix_key_pair_dependencies(import_dependencies, 'GENERATE') + import_dependencies = \ + psa_information.fix_key_pair_dependencies(import_dependencies, 'BASIC') for bits in kt.sizes_to_test(): yield test_case_for_key_type_not_supported( 'import', kt.expression, bits, - finish_family_dependencies(import_dependencies, bits), + psa_information.finish_family_dependencies(import_dependencies, bits), test_case.hex_string(kt.key_material(bits)), param_descr=param_descr, ) @@ -251,7 +116,7 @@ class KeyTypeNotSupported: if not kt.is_public(): yield test_case_for_key_type_not_supported( 'generate', kt.expression, bits, - finish_family_dependencies(generate_dependencies, bits), + psa_information.finish_family_dependencies(generate_dependencies, bits), str(bits), param_descr=param_descr, ) @@ -294,7 +159,7 @@ def test_case_for_key_generation( ) -> test_case.TestCase: """Return one test case exercising a key generation. """ - hack_dependencies_not_implemented(dependencies) + psa_information.hack_dependencies_not_implemented(dependencies) tc = test_case.TestCase() short_key_type = crypto_knowledge.short_expression(key_type) tc.set_description('PSA {} {}-bit' 
@@ -308,7 +173,7 @@ def test_case_for_key_generation( class KeyGenerate: """Generate positive and negative (invalid argument) test cases for key generation.""" - def __init__(self, info: Information) -> None: + def __init__(self, info: psa_information.Information) -> None: self.constructors = info.constructors ECC_KEY_TYPES = ('PSA_KEY_TYPE_ECC_KEY_PAIR', @@ -327,9 +192,9 @@ class KeyGenerate: """ result = 'PSA_SUCCESS' - import_dependencies = [psa_want_symbol(kt.name)] + import_dependencies = [psa_information.psa_want_symbol(kt.name)] if kt.params is not None: - import_dependencies += [psa_want_symbol(sym) + import_dependencies += [psa_information.psa_want_symbol(sym) for i, sym in enumerate(kt.params)] if kt.name.endswith('_PUBLIC_KEY'): # The library checks whether the key type is a public key generically, @@ -338,7 +203,8 @@ class KeyGenerate: generate_dependencies = [] result = 'PSA_ERROR_INVALID_ARGUMENT' else: - generate_dependencies = fix_key_pair_dependencies(import_dependencies, 'GENERATE') + generate_dependencies = \ + psa_information.fix_key_pair_dependencies(import_dependencies, 'GENERATE') for bits in kt.sizes_to_test(): if kt.name == 'PSA_KEY_TYPE_RSA_KEY_PAIR': size_dependency = "PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS <= " + str(bits) @@ -347,7 +213,7 @@ class KeyGenerate: test_dependencies = generate_dependencies yield test_case_for_key_generation( kt.expression, bits, - finish_family_dependencies(test_dependencies, bits), + psa_information.finish_family_dependencies(test_dependencies, bits), str(bits), result ) @@ -380,7 +246,7 @@ class OpFail: INCOMPATIBLE = 2 PUBLIC = 3 - def __init__(self, info: Information) -> None: + def __init__(self, info: psa_information.Information) -> None: self.constructors = info.constructors key_type_expressions = self.constructors.generate_expressions( sorted(self.constructors.key_types) 
@@ -417,8 +283,8 @@ class OpFail: pretty_alg, pretty_reason, ' with ' + pretty_type if pretty_type else '')) - dependencies = automatic_dependencies(alg.base_expression, key_type) - dependencies = fix_key_pair_dependencies(dependencies, 'BASIC') + dependencies = psa_information.automatic_dependencies(alg.base_expression, key_type) + dependencies = psa_information.fix_key_pair_dependencies(dependencies, 'BASIC') for i, dep in enumerate(dependencies): if dep in not_deps: dependencies[i] = '!' + dep @@ -445,7 +311,7 @@ class OpFail: """Generate failure test cases for keyless operations with the specified algorithm.""" if alg.can_do(category): # Compatible operation, unsupported algorithm - for dep in automatic_dependencies(alg.base_expression): + for dep in psa_information.automatic_dependencies(alg.base_expression): yield self.make_test_case(alg, category, self.Reason.NOT_SUPPORTED, not_deps=frozenset([dep])) @@ -463,7 +329,7 @@ class OpFail: key_is_compatible = kt.can_do(alg) if key_is_compatible and alg.can_do(category): # Compatible key and operation, unsupported algorithm - for dep in automatic_dependencies(alg.base_expression): + for dep in psa_information.automatic_dependencies(alg.base_expression): yield self.make_test_case(alg, category, self.Reason.NOT_SUPPORTED, kt=kt, not_deps=frozenset([dep])) @@ -569,7 +435,7 @@ class StorageTestData(StorageKey): class StorageFormat: """Storage format stability test cases.""" - def __init__(self, info: Information, version: int, forward: bool) -> None: + def __init__(self, info: psa_information.Information, version: int, forward: bool) -> None: """Prepare to generate test cases for storage format stability. * `info`: information about the API. See the `Information` class. 
@@ -636,13 +502,13 @@ class StorageFormat: verb = 'save' if self.forward else 'read' tc = test_case.TestCase() tc.set_description(verb + ' ' + key.description) - dependencies = automatic_dependencies( + dependencies = psa_information.automatic_dependencies( key.lifetime.string, key.type.string, key.alg.string, key.alg2.string, ) - dependencies = finish_family_dependencies(dependencies, key.bits) - dependencies += generate_key_dependencies(key.description) - dependencies = fix_key_pair_dependencies(dependencies, 'BASIC') + dependencies = psa_information.finish_family_dependencies(dependencies, key.bits) + dependencies += psa_information.generate_key_dependencies(key.description) + dependencies = psa_information.fix_key_pair_dependencies(dependencies, 'BASIC') tc.set_dependencies(dependencies) tc.set_function('key_storage_' + verb) if self.forward: @@ -847,13 +713,13 @@ class StorageFormat: class StorageFormatForward(StorageFormat): """Storage format stability test cases for forward compatibility.""" - def __init__(self, info: Information, version: int) -> None: + def __init__(self, info: psa_information.Information, version: int) -> None: super().__init__(info, version, True) class StorageFormatV0(StorageFormat): """Storage format stability test cases for version 0 compatibility.""" - def __init__(self, info: Information) -> None: + def __init__(self, info: psa_information.Information) -> None: super().__init__(info, 0, False) def all_keys_for_usage_flags(self) -> Iterator[StorageTestData]: @@ -963,6 +829,7 @@ class StorageFormatV0(StorageFormat): yield from super().generate_all_keys() yield from self.all_keys_for_implicit_usage() + class PSATestGenerator(test_data_generation.TestGenerator): """Test generator subclass including PSA targets and info.""" # Note that targets whose names contain 'test_format' have their content 
@@ -978,14 +845,15 @@ class PSATestGenerator(test_data_generation.TestGenerator): lambda info: StorageFormatForward(info, 0).all_test_cases(), 'test_suite_psa_crypto_storage_format.v0': lambda info: StorageFormatV0(info).all_test_cases(), - } #type: Dict[str, Callable[[Information], Iterable[test_case.TestCase]]] + } #type: Dict[str, Callable[[psa_information.Information], Iterable[test_case.TestCase]]] def __init__(self, options): super().__init__(options) - self.info = Information() + self.info = psa_information.Information() def generate_target(self, name: str, *target_args) -> None: super().generate_target(name, self.info) + if __name__ == '__main__': test_data_generation.main(sys.argv[1:], __doc__, PSATestGenerator) From e20d6884635f8cdf5fe72c3fb5c3dd1e637f4364 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 22 Aug 2023 08:46:18 +0100 Subject: [PATCH 211/222] Fix missing operand modifier Co-authored-by: Yanray Wang Signed-off-by: Dave Rodgman --- library/constant_time_impl.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/constant_time_impl.h b/library/constant_time_impl.h index 54bd2b0ed..bf841fe8a 100644 --- a/library/constant_time_impl.h +++ b/library/constant_time_impl.h @@ -243,7 +243,7 @@ static inline mbedtls_ct_condition_t mbedtls_ct_uint_lt(mbedtls_ct_uint_t x, mbe uint64_t s1; asm volatile ("eor %x[s1], %x[y], %x[x] \n\t" "sub %x[x], %x[x], %x[y] \n\t" - "bic %x[x], %x[x], %[s1] \n\t" + "bic %x[x], %x[x], %x[s1] \n\t" "and %x[s1], %x[s1], %x[y] \n\t" "orr %x[s1], %x[x], %x[s1] \n\t" "asr %x[x], %x[s1], 63" From c9187c5866d7d562b7e077cbe7ba6c03f76809d5 Mon Sep 17 00:00:00 2001 
From: Gilles Peskine Date: Tue, 20 Jun 2023 15:22:53 +0200 Subject: [PATCH 212/222] New test suite for the low-level hash interface Some basic test coverage for now: * Nominal operation. * Larger output buffer. * Clone an operation and use it after the original operation stops. Generate test data automatically. For the time being, only do that for hashes that Python supports natively. Supporting all algorithms is future work. Signed-off-by: Gilles Peskine --- scripts/mbedtls_dev/crypto_data_tests.py | 123 ++++++++++ tests/CMakeLists.txt | 1 + tests/Makefile | 1 + tests/scripts/generate_psa_tests.py | 3 + .../test_suite_psa_crypto_low_hash.function | 225 ++++++++++++++++++ 5 files changed, 353 insertions(+) create mode 100644 scripts/mbedtls_dev/crypto_data_tests.py create mode 100644 tests/suites/test_suite_psa_crypto_low_hash.function diff --git a/scripts/mbedtls_dev/crypto_data_tests.py b/scripts/mbedtls_dev/crypto_data_tests.py new file mode 100644 index 000000000..80051fa43 --- /dev/null +++ b/scripts/mbedtls_dev/crypto_data_tests.py 
@@ -0,0 +1,123 @@ +"""Generate test data for cryptographic mechanisms. + +This module is a work in progress, only implementing a few cases for now. +""" + +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import hashlib +from typing import Callable, Dict, Iterator, List, Optional #pylint: disable=unused-import + +from . import crypto_knowledge +from . import psa_information +from . import test_case + + +def psa_low_level_dependencies(*expressions: str) -> List[str]: + """Infer dependencies of a PSA low-level test case by looking for PSA_xxx symbols. + + This function generates MBEDTLS_PSA_BUILTIN_xxx symbols. 
+ """ + high_level = psa_information.automatic_dependencies(*expressions) + for dep in high_level: + assert dep.startswith('PSA_WANT_') + return ['MBEDTLS_PSA_BUILTIN_' + dep[9:] for dep in high_level] + + +class HashPSALowLevel: + """Generate test cases for the PSA low-level hash interface.""" + + def __init__(self, info: psa_information.Information) -> None: + self.info = info + base_algorithms = sorted(info.constructors.algorithms) + all_algorithms = \ + [crypto_knowledge.Algorithm(expr) + for expr in info.constructors.generate_expressions(base_algorithms)] + self.algorithms = \ + [alg + for alg in all_algorithms + if (not alg.is_wildcard and + alg.can_do(crypto_knowledge.AlgorithmCategory.HASH))] + + # CALCULATE[alg] = function to return the hash of its argument in hex + # TO-DO: implement the None entries with a third-party library, because + # hashlib might not have everything, depending on the Python version and + # the underlying OpenSSL. On Ubuntu 16.04, truncated sha512 and sha3/shake + # are not available. On Ubuntu 22.04, md2, md4 and ripemd160 are not + # available. 
+ CALCULATE = { + 'PSA_ALG_MD5': lambda data: hashlib.md5(data).hexdigest(), + 'PSA_ALG_RIPEMD160': None, #lambda data: hashlib.new('ripdemd160').hexdigest() + 'PSA_ALG_SHA_1': lambda data: hashlib.sha1(data).hexdigest(), + 'PSA_ALG_SHA_224': lambda data: hashlib.sha224(data).hexdigest(), + 'PSA_ALG_SHA_256': lambda data: hashlib.sha256(data).hexdigest(), + 'PSA_ALG_SHA_384': lambda data: hashlib.sha384(data).hexdigest(), + 'PSA_ALG_SHA_512': lambda data: hashlib.sha512(data).hexdigest(), + 'PSA_ALG_SHA_512_224': None, #lambda data: hashlib.new('sha512_224').hexdigest() + 'PSA_ALG_SHA_512_256': None, #lambda data: hashlib.new('sha512_256').hexdigest() + 'PSA_ALG_SHA3_224': None, #lambda data: hashlib.sha3_224(data).hexdigest(), + 'PSA_ALG_SHA3_256': None, #lambda data: hashlib.sha3_256(data).hexdigest(), + 'PSA_ALG_SHA3_384': None, #lambda data: hashlib.sha3_384(data).hexdigest(), + 'PSA_ALG_SHA3_512': None, #lambda data: hashlib.sha3_512(data).hexdigest(), + 'PSA_ALG_SHAKE256_512': None, #lambda data: hashlib.shake_256(data).hexdigest(64), + } #typing: Optional[Dict[str, Callable[[bytes], str]]] + + @staticmethod + def one_test_case(alg: crypto_knowledge.Algorithm, + function: str, note: str, + arguments: List[str]) -> test_case.TestCase: + """Construct one test case involving a hash.""" + tc = test_case.TestCase() + tc.set_description('{}{} {}' + .format(function, + ' ' + note if note else '', + alg.short_expression())) + tc.set_dependencies(psa_low_level_dependencies(alg.expression)) + tc.set_function(function) + tc.set_arguments([alg.expression] + + ['"{}"'.format(arg) for arg in arguments]) + return tc + + def test_cases_for_hash(self, + alg: crypto_knowledge.Algorithm + ) -> Iterator[test_case.TestCase]: + """Enumerate all test cases for one hash algorithm.""" + calc = self.CALCULATE[alg.expression] + if calc is None: + return # not implemented yet + + short = b'abc' + hash_short = calc(short) + long = (b'Hello, world. 
Here are 16 unprintable bytes: [' + b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a' + b'\x80\x81\x82\x83\xfe\xff]. ' + b' This message was brought to you by a natural intelligence. ' + b' If you can read this, good luck with your debugging!') + hash_long = calc(long) + + yield self.one_test_case(alg, 'hash_empty', '', [calc(b'')]) + yield self.one_test_case(alg, 'hash_valid_one_shot', '', + [short.hex(), hash_short]) + for n in [0, 1, 64, len(long) - 1, len(long)]: + yield self.one_test_case(alg, 'hash_valid_multipart', + '{} + {}'.format(n, len(long) - n), + [long[:n].hex(), calc(long[:n]), + long[n:].hex(), hash_long]) + + def all_test_cases(self) -> Iterator[test_case.TestCase]: + """Enumerate all test cases for all hash algorithms.""" + for alg in self.algorithms: + yield from self.test_cases_for_hash(alg) diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 3274739e5..0869aaa01 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -118,6 +118,7 @@ if(GEN_FILES) --directory ${CMAKE_CURRENT_BINARY_DIR}/suites DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_psa_tests.py + ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/crypto_data_tests.py ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/crypto_knowledge.py ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/macro_collector.py ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/psa_information.py diff --git a/tests/Makefile b/tests/Makefile index 3a3425b18..ec016d871 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -121,6 +121,7 @@ generated_ecp_test_data: $(GENERATED_PSA_DATA_FILES): generated_psa_test_data generated_psa_test_data: scripts/generate_psa_tests.py +generated_psa_test_data: ../scripts/mbedtls_dev/crypto_data_tests.py generated_psa_test_data: ../scripts/mbedtls_dev/crypto_knowledge.py generated_psa_test_data: ../scripts/mbedtls_dev/macro_collector.py generated_psa_test_data: ../scripts/mbedtls_dev/psa_information.py 
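Review bot: In `CALCULATE` in scripts/mbedtls_dev/crypto_data_tests.py, the commented-out placeholders for `PSA_ALG_RIPEMD160`, `PSA_ALG_SHA_512_224` and `PSA_ALG_SHA_512_256` call `hashlib.new(...)` without passing `data`, and the first one spells the algorithm `'ripdemd160'`. Anyone enabling them as written would get the digest of the empty message as the expected value for every input, or an unsupported-name error for the misspelled one. Since these lines are the template for the TO-DO above them, they are better kept correct, e.g. `#lambda data: hashlib.new('ripemd160', data).hexdigest()`. Separately, `test_cases_for_hash` indexes `self.CALCULATE[alg.expression]` directly, so a hash algorithm known to `psa_information` but missing from the table stops generation with a `KeyError`; if that is meant as a reminder to extend the table, a comment saying so would help.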
diff --git a/tests/scripts/generate_psa_tests.py b/tests/scripts/generate_psa_tests.py index 5cdeb3bae..b6f83c111 100755 --- a/tests/scripts/generate_psa_tests.py +++ b/tests/scripts/generate_psa_tests.py @@ -26,6 +26,7 @@ import sys from typing import Callable, Dict, FrozenSet, Iterable, Iterator, List, Optional import scripts_path # pylint: disable=unused-import +from mbedtls_dev import crypto_data_tests from mbedtls_dev import crypto_knowledge from mbedtls_dev import macro_collector #pylint: disable=unused-import from mbedtls_dev import psa_information @@ -839,6 +840,8 @@ class PSATestGenerator(test_data_generation.TestGenerator): lambda info: KeyGenerate(info).test_cases_for_key_generation(), 'test_suite_psa_crypto_not_supported.generated': lambda info: KeyTypeNotSupported(info).test_cases_for_not_supported(), + 'test_suite_psa_crypto_low_hash.generated': + lambda info: crypto_data_tests.HashPSALowLevel(info).all_test_cases(), 'test_suite_psa_crypto_op_fail.generated': lambda info: OpFail(info).all_test_cases(), 'test_suite_psa_crypto_storage_format.current': diff --git a/tests/suites/test_suite_psa_crypto_low_hash.function b/tests/suites/test_suite_psa_crypto_low_hash.function new file mode 100644 index 000000000..24cc90536 --- /dev/null +++ b/tests/suites/test_suite_psa_crypto_low_hash.function 
@@ -0,0 +1,225 @@ +/* BEGIN_HEADER */ +/* + * Test suite for the PSA hash built-in driver + * + * This test suite exercises some aspects of the built-in PSA driver for + * hash algorithms (psa_crypto_hash.c). This code is mostly tested via + * the application interface (above the PSA API layer) and via tests of + * individual hash modules. The goal of this test suite is to ensure that + * the driver dispatch layer behaves correctly even when not invoked via + * the API layer, but directly from another driver. + * + * This test suite is currently incomplete. It focuses on non-regression + * tests for past bugs or near misses. + */ + +#include + +/* END_HEADER */ + +/* BEGIN_DEPENDENCIES + * depends_on:MBEDTLS_PSA_BUILTIN_HASH + * END_DEPENDENCIES + */ + +/* BEGIN_CASE */ +void hash_valid_one_shot(int alg_arg, data_t *input, + data_t *expected) +{ + psa_algorithm_t alg = alg_arg; + uint8_t *output = NULL; + size_t output_size = expected->len; + size_t length = SIZE_MAX; + + /* Nominal case */ + ASSERT_ALLOC(output, output_size); + TEST_EQUAL(mbedtls_psa_hash_compute(alg, input->x, input->len, + output, output_size, &length), + PSA_SUCCESS); + ASSERT_COMPARE(expected->x, expected->len, output, length); + mbedtls_free(output); + output = NULL; + + /* Larger output buffer */ + output_size = expected->len + 1; + ASSERT_ALLOC(output, output_size); + TEST_EQUAL(mbedtls_psa_hash_compute(alg, input->x, input->len, + output, output_size, &length), + PSA_SUCCESS); + ASSERT_COMPARE(expected->x, expected->len, output, length); + mbedtls_free(output); + output = NULL; + +#if 0 + /* Smaller output buffer (does not have to work!) 
*/ + output_size = expected->len - 1; + ASSERT_ALLOC(output, output_size); + TEST_EQUAL(mbedtls_psa_hash_compute(alg, input->x, input->len, + output, output_size, &length), + PSA_ERROR_BUFFER_TOO_SMALL); + mbedtls_free(output); + output = NULL; +#endif + +exit: + mbedtls_free(output); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void hash_valid_multipart(int alg_arg, + data_t *input1, data_t *expected1, + data_t *input2, data_t *expected2) +{ + psa_algorithm_t alg = alg_arg; + uint8_t *output = NULL; + size_t output_size = expected1->len; + size_t length = SIZE_MAX; + mbedtls_psa_hash_operation_t operation0; // original + memset(&operation0, 0, sizeof(operation0)); + mbedtls_psa_hash_operation_t clone_start; // cloned after setup + memset(&clone_start, 0, sizeof(clone_start)); + mbedtls_psa_hash_operation_t clone_middle; // cloned between updates + memset(&clone_middle, 0, sizeof(clone_middle)); + mbedtls_psa_hash_operation_t clone_end; // cloned before finish + memset(&clone_end, 0, sizeof(clone_end)); + mbedtls_psa_hash_operation_t clone_more; // cloned before finish + memset(&clone_more, 0, sizeof(clone_more)); + + /* Nominal case with two update calls */ + ASSERT_ALLOC(output, output_size); + TEST_EQUAL(mbedtls_psa_hash_setup(&operation0, alg), + PSA_SUCCESS); + TEST_EQUAL(mbedtls_psa_hash_clone(&operation0, &clone_start), + PSA_SUCCESS); + TEST_EQUAL(mbedtls_psa_hash_update(&operation0, input1->x, input1->len), + PSA_SUCCESS); + TEST_EQUAL(mbedtls_psa_hash_clone(&operation0, &clone_middle), + PSA_SUCCESS); + TEST_EQUAL(mbedtls_psa_hash_update(&operation0, input2->x, input2->len), + PSA_SUCCESS); + TEST_EQUAL(mbedtls_psa_hash_clone(&operation0, &clone_end), + PSA_SUCCESS); + TEST_EQUAL(mbedtls_psa_hash_finish(&operation0, + output, output_size, &length), + PSA_SUCCESS); + ASSERT_COMPARE(expected2->x, expected2->len, output, length); + + /* Nominal case with an operation cloned after setup */ + memset(output, 0, output_size); + 
TEST_EQUAL(mbedtls_psa_hash_update(&clone_start, input1->x, input1->len), + PSA_SUCCESS); + TEST_EQUAL(mbedtls_psa_hash_finish(&clone_start, + output, output_size, &length), + PSA_SUCCESS); + ASSERT_COMPARE(expected1->x, expected1->len, output, length); + + /* Nominal case with an operation cloned between updates */ + memset(output, 0, output_size); + TEST_EQUAL(mbedtls_psa_hash_update(&clone_middle, input2->x, input2->len), + PSA_SUCCESS); + TEST_EQUAL(mbedtls_psa_hash_finish(&clone_middle, + output, output_size, &length), + PSA_SUCCESS); + ASSERT_COMPARE(expected2->x, expected2->len, output, length); + + /* Nominal case with an operation cloned before finish */ + TEST_EQUAL(mbedtls_psa_hash_clone(&clone_end, &clone_more), + PSA_SUCCESS); + memset(output, 0, output_size); + TEST_EQUAL(mbedtls_psa_hash_finish(&clone_end, + output, output_size, &length), + PSA_SUCCESS); + ASSERT_COMPARE(expected2->x, expected2->len, output, length); + mbedtls_free(output); + output = NULL; + + /* Larger output buffer */ + TEST_EQUAL(mbedtls_psa_hash_clone(&clone_more, &clone_end), + PSA_SUCCESS); + output_size = expected2->len + 1; + ASSERT_ALLOC(output, output_size); + TEST_EQUAL(mbedtls_psa_hash_finish(&clone_end, + output, output_size, &length), + PSA_SUCCESS); + ASSERT_COMPARE(expected2->x, expected2->len, output, length); + mbedtls_free(output); + output = NULL; + +#if 0 + /* Smaller output buffer (does not have to work!) 
*/ + TEST_EQUAL(mbedtls_psa_hash_clone(&clone_more, &clone_end), + PSA_SUCCESS); + output_size = expected2->len - 1; + ASSERT_ALLOC(output, output_size); + TEST_EQUAL(mbedtls_psa_hash_finish(&clone_end, + output, output_size, &length), + PSA_ERROR_BUFFER_TOO_SMALL); + mbedtls_free(output); + output = NULL; +#endif + + /* Nominal case again after an error in a cloned operation */ + output_size = expected2->len; + ASSERT_ALLOC(output, output_size); + TEST_EQUAL(mbedtls_psa_hash_finish(&clone_more, + output, output_size, &length), + PSA_SUCCESS); + ASSERT_COMPARE(expected2->x, expected2->len, output, length); + mbedtls_free(output); + output = NULL; + +exit: + mbedtls_free(output); + mbedtls_psa_hash_abort(&operation0); + mbedtls_psa_hash_abort(&clone_start); + mbedtls_psa_hash_abort(&clone_middle); + mbedtls_psa_hash_abort(&clone_end); + mbedtls_psa_hash_abort(&clone_more); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void hash_empty(int alg_arg, data_t *expected) +{ + psa_algorithm_t alg = alg_arg; + uint8_t *output = NULL; + size_t output_size = expected->len; + size_t length = SIZE_MAX; + mbedtls_psa_hash_operation_t operation; + memset(&operation, 0, sizeof(operation)); + + ASSERT_ALLOC(output, output_size); + + /* One-shot */ + TEST_EQUAL(mbedtls_psa_hash_compute(alg, NULL, 0, + output, output_size, &length), + PSA_SUCCESS); + ASSERT_COMPARE(expected->x, expected->len, output, length); + + /* Multipart, no update */ + memset(output, 0, output_size); + TEST_EQUAL(mbedtls_psa_hash_setup(&operation, alg), + PSA_SUCCESS); + TEST_EQUAL(mbedtls_psa_hash_finish(&operation, + output, output_size, &length), + PSA_SUCCESS); + ASSERT_COMPARE(expected->x, expected->len, output, length); + + /* Multipart, one update */ + memset(output, 0, output_size); + memset(&operation, 0, sizeof(operation)); + TEST_EQUAL(mbedtls_psa_hash_setup(&operation, alg), + PSA_SUCCESS); + TEST_EQUAL(mbedtls_psa_hash_update(&operation, NULL, 0), + PSA_SUCCESS); + 
TEST_EQUAL(mbedtls_psa_hash_finish(&operation, + output, output_size, &length), + PSA_SUCCESS); + ASSERT_COMPARE(expected->x, expected->len, output, length); + +exit: + mbedtls_free(output); + mbedtls_psa_hash_abort(&operation); +} +/* END_CASE */ From 6d14c2b858969c4861c865b2a2240ad0981c2a01 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 7 Aug 2023 21:21:21 +0200 Subject: [PATCH 213/222] Remove dead code Do explain why we don't test a smaller buffer in addition to testing the nominal size and a larger buffer. Signed-off-by: Gilles Peskine --- .../test_suite_psa_crypto_low_hash.function | 28 ++++--------------- 1 file changed, 6 insertions(+), 22 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_low_hash.function b/tests/suites/test_suite_psa_crypto_low_hash.function index 24cc90536..6dabceff9 100644 --- a/tests/suites/test_suite_psa_crypto_low_hash.function +++ b/tests/suites/test_suite_psa_crypto_low_hash.function @@ -50,16 +50,9 @@ void hash_valid_one_shot(int alg_arg, data_t *input, mbedtls_free(output); output = NULL; -#if 0 - /* Smaller output buffer (does not have to work!) */ - output_size = expected->len - 1; - ASSERT_ALLOC(output, output_size); - TEST_EQUAL(mbedtls_psa_hash_compute(alg, input->x, input->len, - output, output_size, &length), - PSA_ERROR_BUFFER_TOO_SMALL); - mbedtls_free(output); - output = NULL; -#endif + /* We don't test with a smaller output buffer because this isn't + * guaranteed to work: the core must pass a sufficiently large + * output buffer to the driver. */ exit: mbedtls_free(output); 
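Review bot: In `hash_empty` in tests/suites/test_suite_psa_crypto_low_hash.function, the "Multipart, one update" step clears `operation` with `memset(&operation, 0, sizeof(operation))` after `mbedtls_psa_hash_finish()` without calling `mbedtls_psa_hash_abort()` first. The `exit:` paths in this file treat abort as the cleanup step even for operations that have already been finished. Whether finish releases the context is not visible here; if it does not, any state the hash context owns is dropped by the memset. Adding `mbedtls_psa_hash_abort(&operation);` before the memset keeps the test clean under leak checkers and also covers abort followed by reuse.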
@@ -146,18 +139,9 @@ void hash_valid_multipart(int alg_arg, mbedtls_free(output); output = NULL; -#if 0 - /* Smaller output buffer (does not have to work!) */ - TEST_EQUAL(mbedtls_psa_hash_clone(&clone_more, &clone_end), - PSA_SUCCESS); - output_size = expected2->len - 1; - ASSERT_ALLOC(output, output_size); - TEST_EQUAL(mbedtls_psa_hash_finish(&clone_end, - output, output_size, &length), - PSA_ERROR_BUFFER_TOO_SMALL); - mbedtls_free(output); - output = NULL; -#endif + /* We don't test with a smaller output buffer because this isn't + * guaranteed to work: the core must pass a sufficiently large + * output buffer to the driver. */ /* Nominal case again after an error in a cloned operation */ output_size = expected2->len; From ad7725d95d2d024034f12411192b1a5179e49c21 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 9 Aug 2023 10:50:58 +0200 Subject: [PATCH 214/222] Fix type annotation Signed-off-by: Gilles Peskine --- scripts/mbedtls_dev/crypto_data_tests.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/mbedtls_dev/crypto_data_tests.py b/scripts/mbedtls_dev/crypto_data_tests.py index 80051fa43..7593952da 100644 --- a/scripts/mbedtls_dev/crypto_data_tests.py +++ b/scripts/mbedtls_dev/crypto_data_tests.py @@ -73,7 +73,7 @@ class HashPSALowLevel: 'PSA_ALG_SHA3_384': None, #lambda data: hashlib.sha3_384(data).hexdigest(), 'PSA_ALG_SHA3_512': None, #lambda data: hashlib.sha3_512(data).hexdigest(), 'PSA_ALG_SHAKE256_512': None, #lambda data: hashlib.shake_256(data).hexdigest(64), - } #typing: Optional[Dict[str, Callable[[bytes], str]]] + } #type: Dict[str, Optional[Callable[[bytes], str]]] @staticmethod def one_test_case(alg: crypto_knowledge.Algorithm, From 7ebb18fbd678d2a454c3111b9d8536886073377a Mon Sep 17 00:00:00 2001 
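Review bot: After this hunk removes the smaller-buffer block in `hash_valid_multipart`, the context comment `/* Nominal case again after an error in a cloned operation */` no longer matches the test, because no earlier step is expected to fail. The final step now only checks that `clone_more` still finishes correctly after being used as a clone source in the "Larger output buffer" step. The comment could read `/* Nominal case again on an operation that was used as a clone source */`. The function body continues outside the hunk.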
From: =?UTF-8?q?Tom=C3=A1s=20Gonz=C3=A1lez?= Date: Tue, 22 Aug 2023 09:40:23 +0100 Subject: [PATCH 215/222] Make non-executed tests that are not in the allow list an error MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Turn the warnings produced when finding non-executed tests that are not in the allow list into errors. Signed-off-by: Tomás González --- tests/scripts/analyze_outcomes.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index e5abae738..230fc2f3e 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -85,7 +85,10 @@ def analyze_coverage(results, outcomes, allow_list, full_coverage): results.warning('Test case not executed: {}', key) elif hits != 0 and key in allow_list: # Test Case should be removed from the allow list. - results.warning('Allow listed test case was executed: {}', key) + if full_coverage: + results.error('Allow listed test case was executed: {}', key) + else: + results.warning('Allow listed test case was executed: {}', key) def analyze_driver_vs_reference(outcomes, component_ref, component_driver, ignored_suites, ignored_test=None): From 5022311c9de839a0d4e22a3be47cd569e63d33ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1s=20Gonz=C3=A1lez?= Date: Tue, 22 Aug 2023 09:52:06 +0100 Subject: [PATCH 216/222] Tidy up allow list definition MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Don't break string literals in the allow list definition * Comment each test that belongs to the allow list is there. Signed-off-by: Tomás González --- tests/scripts/analyze_outcomes.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 230fc2f3e..ea1172ae2 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py 
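Review bot: The added `if full_coverage:` / `else:` in `analyze_coverage` repeats the same message in two calls that differ only in severity. Choosing the reporter once, `report = results.error if full_coverage else results.warning` followed by `report('Allow listed test case was executed: {}', key)`, keeps the text in one place. The commit subject speaks of non-executed tests, while this hunk changes the branch for allow-listed tests that did run. The branch for non-executed tests starts outside the hunk, so it is worth checking that the description matches the change.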
@@ -184,9 +184,10 @@ TASKS = { 'test_function': do_analyze_coverage, 'args': { 'allow_list': [ - 'test_suite_psa_crypto_metadata;Asymmetric signature: ' - 'pure EdDSA', - 'test_suite_psa_crypto_metadata;Cipher: XTS' + # Algorithm not supported yet + 'test_suite_psa_crypto_metadata;Asymmetric signature: pure EdDSA', + # Algorithm not supported yet + 'test_suite_psa_crypto_metadata;Cipher: XTS', ], 'full_coverage': False, } From 30b0378008895e5d9c938761aca424dd28b04e0b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 22 Aug 2023 11:06:47 +0200 Subject: [PATCH 217/222] Fix off-by-one error The value of p after adding the last entry in the gap table is not used. Signed-off-by: Gilles Peskine --- library/bignum.c | 1 + 1 file changed, 1 insertion(+) diff --git a/library/bignum.c b/library/bignum.c index f84b2e7ce..3724571b2 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -2194,6 +2194,7 @@ static const unsigned char small_prime_gaps[] = { 14, 4, 2, 4, 14, 4, 2, 4, 20, 4, 8, 10, 8, 4, 6, 6, 14, 4, 6, 6, 8, 6, /*reaches 997*/ + 0 /* the last entry is effectively unused */ }; /* From a0631446b530759dce94d9b50e1fccb11de62cd2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1s=20Gonz=C3=A1lez?= Date: Tue, 22 Aug 2023 12:17:57 +0100 Subject: [PATCH 218/222] Correct analyze_outcomes.py identation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Tomás González --- tests/scripts/analyze_outcomes.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index ea1172ae2..c8bf0799b 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py 
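Review bot: The comment on the new trailing `0` in `small_prime_gaps` (library/bignum.c), "the last entry is effectively unused", does not say why the entry has to exist, which makes it look removable. Going by the commit message, the value of `p` after the last gap is added is never tested, so without a trailing entry the prime reached by the preceding gap (997 per the existing comment) would be skipped. The consuming loop is outside the hunk, so this reading should be confirmed. A comment such as `0 /* terminator: p is not tested after the last gap is added, so this keeps 997 among the tested primes */` would record the reason.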
@@ -86,7 +86,7 @@ def analyze_coverage(results, outcomes, allow_list, full_coverage): elif hits != 0 and key in allow_list: # Test Case should be removed from the allow list. if full_coverage: - results.error('Allow listed test case was executed: {}', key) + results.error('Allow listed test case was executed: {}', key) else: results.warning('Allow listed test case was executed: {}', key) From c5eb13d2a986b04b5329400f72f53a971a21de1c Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Tue, 22 Aug 2023 15:13:04 +0100 Subject: [PATCH 219/222] Reword IAR changelog for fixing compiler warnings Signed-off-by: Agathiyan Bragadeesh --- ChangeLog.d/fix-iar-compiler-warnings.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog.d/fix-iar-compiler-warnings.txt b/ChangeLog.d/fix-iar-compiler-warnings.txt index eefbd127d..50f1dcaad 100644 --- a/ChangeLog.d/fix-iar-compiler-warnings.txt +++ b/ChangeLog.d/fix-iar-compiler-warnings.txt @@ -1,2 +1,2 @@ Bugfix - * Improve general IAR support + * Fix IAR compiler warnings. Fixes #7873, #4300. From 1515f351a104807163ce4ef7743b140b27b04b6e Mon Sep 17 00:00:00 2001 From: Agathiyan Bragadeesh Date: Tue, 22 Aug 2023 15:24:38 +0100 Subject: [PATCH 220/222] Remove IAR warning fixes to 2.28 from changelog Signed-off-by: Agathiyan Bragadeesh --- ChangeLog.d/fix-iar-compiler-warnings.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog.d/fix-iar-compiler-warnings.txt b/ChangeLog.d/fix-iar-compiler-warnings.txt index 50f1dcaad..0dc2623f8 100644 --- a/ChangeLog.d/fix-iar-compiler-warnings.txt +++ b/ChangeLog.d/fix-iar-compiler-warnings.txt @@ -1,2 +1,2 @@ Bugfix - * Fix IAR compiler warnings. Fixes #7873, #4300. + * Fix IAR compiler warnings. From d43cab3f5c09bdff40649bade124450bdb05c84f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Tom=C3=A1s=20Gonz=C3=A1lez?= Date: Thu, 24 Aug 2023 09:12:40 +0100 Subject: [PATCH 221/222] Correct analyze_outcomes identation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Tomás González --- tests/scripts/analyze_outcomes.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index c8bf0799b..3b91bfb19 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -188,10 +188,10 @@ TASKS = { 'test_suite_psa_crypto_metadata;Asymmetric signature: pure EdDSA', # Algorithm not supported yet 'test_suite_psa_crypto_metadata;Cipher: XTS', - ], + ], 'full_coverage': False, } - }, + }, # There are 2 options to use analyze_driver_vs_reference_xxx locally: # 1. Run tests and then analysis: # - tests/scripts/all.sh --outcome-file "$PWD/out.csv" From 024a3b3f0402ae99db6b3f56cc12d4b121418188 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 29 Aug 2023 13:21:43 +0100 Subject: [PATCH 222/222] Disable p256-m asm on aarch64 Signed-off-by: Dave Rodgman --- 3rdparty/p256-m/p256-m/p256-m.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/3rdparty/p256-m/p256-m/p256-m.c b/3rdparty/p256-m/p256-m/p256-m.c index 53d306f63..21a021bad 100644 --- a/3rdparty/p256-m/p256-m/p256-m.c +++ b/3rdparty/p256-m/p256-m/p256-m.c 
@@ -199,10 +199,12 @@ static uint64_t u32_muladd64(uint32_t x, uint32_t y, uint32_t z, uint32_t t); * Currently assembly optimisations are only supported with GCC/Clang for * Arm's Cortex-A and Cortex-M lines of CPUs, which start with the v6-M and * v7-M architectures. __ARM_ARCH_PROFILE is not defined for v6 and earlier. + * Thumb and 32-bit assembly is supported; aarch64 is not supported. */ #if defined(__GNUC__) &&\ defined(__ARM_ARCH) && __ARM_ARCH >= 6 && defined(__ARM_ARCH_PROFILE) && \ - ( __ARM_ARCH_PROFILE == 77 || __ARM_ARCH_PROFILE == 65 ) /* 'M' or 'A' */ + ( __ARM_ARCH_PROFILE == 77 || __ARM_ARCH_PROFILE == 65 ) /* 'M' or 'A' */ && \ + !defined(__aarch64__) /* * This set of CPUs is conveniently partitioned as follows:
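Review bot: The added `!defined(__aarch64__)` sends aarch64 builds to the other side of this `#if`, and the hunk does not show what that path does for `u32_muladd64`. If it is a portable C multiply, its timing depends on how the compiler and core implement a 32x32->64 multiplication, which matters if the operands are secret. That should be confirmed against the part of the file outside the hunk. Once verified, the new comment line could name the path explicitly, e.g. `* Thumb and 32-bit assembly is supported; aarch64 is not supported and uses the C implementation below.`.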