From 01df9ddda758536f9020eb7c4dfaba9600e7b22b Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Thu, 20 Oct 2022 14:21:21 +0200
Subject: [PATCH 001/159] Add test component:
 component_test_psa_crypto_config_reference_hash_use_psa

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 tests/scripts/all.sh | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 61d675f4f..140166b8f 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2110,6 +2110,34 @@ component_test_psa_crypto_config_accel_hash_use_psa () {
     fi
 }
 
+component_test_psa_crypto_config_reference_hash_use_psa() {
+    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"
+    # start with full
+    scripts/config.py full
+    # use PSA config and disable driver-less algs as in the component
+    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
+    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
+    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
+    # disable options as in the component
+    # (no need to disable whole modules, we'll just skip their test suite)
+    scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC
+    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
+
+    msg "test: MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"
+    make test
+
+    # hidden option: when running outcome-analysis.sh, we can skip this
+    if [ "${SKIP_SSL_OPT_COMPAT_SH-unset}" = "unset" ]; then
+        msg "test: ssl-opt.sh, MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"
+        tests/ssl-opt.sh
+
+        msg "test: compat.sh, MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"
+        tests/compat.sh
+    else
+        echo "skip ssl-opt.sh and compat.sh"
+    fi
+}
+
 component_test_psa_crypto_config_accel_cipher () {
     msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated cipher"
 

From 4e95590ae79ba9c026eec992f3e307f4cf16f8a4 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Fri, 21 Oct 2022 13:42:08 +0200
Subject: [PATCH 002/159] analyze_outcomes.py: Add test coverage regresion
 analyze for driver only builds

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 tests/scripts/analyze_outcomes.py | 77 ++++++++++++++++++++++++++++---
 1 file changed, 71 insertions(+), 6 deletions(-)

diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index d06a0596f..f5d2ac131 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -60,6 +60,41 @@ def analyze_coverage(results, outcomes):
             # fixed this branch to have full coverage of test cases.
             results.warning('Test case not executed: {}', key)
 
+def analyze_driver_vs_reference(outcomes, components, ignored_tests):
+    """Check that all tests executed in the reference component are also
+    executed in the corresponding driver component.
+    Skip test suits provided in ignored_tests list.
+    """
+    driver_component = components[0]
+    reference_component = components[1]
+    available = check_test_cases.collect_available_test_cases()
+    result = True
+
+    for key in available:
+        # Skip ignored test suites
+        test_suit = key.split(';')[0] # retrieve test suit name
+        test_suit = test_suit.split('.')[0] # retrieve main part of test suit name
+        if(test_suit in ignored_tests):
+            continue
+        # Continue if test was not executed by any component
+        hits = outcomes[key].hits() if key in outcomes else 0
+        if(hits == 0):
+            continue
+        # Search for tests that run in reference component and not in driver component
+        driver_test_passed = False
+        reference_test_passed = False
+        for entry in outcomes[key].successes:
+            if(driver_component in entry):
+                driver_test_passed = True
+            if(reference_component in entry):
+                reference_test_passed = True
+        #if(driver_test_passed == True and reference_test_passed == False):
+        #    print('{}: driver: passed; reference: skipped'.format(key))
+        if(driver_test_passed == False and reference_test_passed == True):
+            print('{}: driver: skipped/failed; reference: passed'.format(key))
+            result = False
+    return result
+
 def analyze_outcomes(outcomes):
     """Run all analyses on the given outcome collection."""
     results = Results()
@@ -87,20 +122,50 @@ by a semicolon.
                 outcomes[key].failures.append(setup)
     return outcomes
 
-def analyze_outcome_file(outcome_file):
-    """Analyze the given outcome file."""
+def do_analyze_coverage(outcome_file):
+    """Perform coverage analyze."""
     outcomes = read_outcome_file(outcome_file)
-    return analyze_outcomes(outcomes)
+    results = analyze_outcomes(outcomes)
+    return (True if results.error_count == 0 else False)
+
+def do_analyze_driver_vs_reference(outcome_file, components, ignored_tests):
+    """Perform driver vs reference analyze."""
+    # We need exactly 2 components to analyze (first driver and second reference)
+    if(len(components) != 2 or "accel" not in components[0] or "reference" not in components[1]):
+        print('Error: Wrong component list. Exactly 2 components are required (driver,reference). ')
+        return False
+    outcomes = read_outcome_file(outcome_file)
+    return analyze_driver_vs_reference(outcomes, components, ignored_tests)
 
 def main():
     try:
         parser = argparse.ArgumentParser(description=__doc__)
-        parser.add_argument('outcomes', metavar='OUTCOMES.CSV',
+        parser.add_argument('--outcomes', metavar='OUTCOMES.CSV',
                             help='Outcome file to analyze')
+        parser.add_argument('--task',
+                            help='Analyze to be done: analyze_coverage or analyze_driver_vs_reference')
+        parser.add_argument('--components',
+                            help='List of test components to compare. Must be exactly 2 in valid order: driver,reference. '
+                            'Apply only for analyze_driver_vs_reference task.')
+        parser.add_argument('--ignore',
+                            help='List of test suits to ignore. Apply only for analyze_driver_vs_reference task.')
         options = parser.parse_args()
-        results = analyze_outcome_file(options.outcomes)
-        if results.error_count > 0:
+
+        result = False
+
+        if(options.task == 'analyze_coverage'):
+            result = do_analyze_coverage(options.outcomes)
+        elif(options.task == 'analyze_driver_vs_reference'):
+            components_list = options.components.split(',')
+            ignored_tests_list = options.ignore.split(',')
+            ignored_tests_list = ['test_suite_' + x for x in ignored_tests_list]
+            result = do_analyze_driver_vs_reference(options.outcomes, components_list, ignored_tests_list)
+        else:
+            print('Error: Unknown task: {}'.format(options.task))
+
+        if(result == False):
             sys.exit(1)
+        print("SUCCESS :-)")
     except Exception: # pylint: disable=broad-except
         # Print the backtrace and exit explicitly with our chosen status.
         traceback.print_exc()

From 58bbc23ca30794e109609948f4f64051615e9c39 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Mon, 24 Oct 2022 08:10:10 +0200
Subject: [PATCH 003/159] Use coverage analyze as default task

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 tests/scripts/analyze_outcomes.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index f5d2ac131..1100086c1 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -140,9 +140,9 @@ def do_analyze_driver_vs_reference(outcome_file, components, ignored_tests):
 def main():
     try:
         parser = argparse.ArgumentParser(description=__doc__)
-        parser.add_argument('--outcomes', metavar='OUTCOMES.CSV',
+        parser.add_argument('outcomes', metavar='OUTCOMES.CSV',
                             help='Outcome file to analyze')
-        parser.add_argument('--task',
+        parser.add_argument('--task', default='analyze_coverage',
                             help='Analyze to be done: analyze_coverage or analyze_driver_vs_reference')
         parser.add_argument('--components',
                             help='List of test components to compare. Must be exactly 2 in valid order: driver,reference. '

From c86dedfdc183eb0a7681887416085be182e08101 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Mon, 24 Oct 2022 09:16:04 +0200
Subject: [PATCH 004/159] Fix code style

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 tests/scripts/analyze_outcomes.py | 32 +++++++++++++++++--------------
 1 file changed, 18 insertions(+), 14 deletions(-)

diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 1100086c1..3e9599730 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -74,23 +74,23 @@ def analyze_driver_vs_reference(outcomes, components, ignored_tests):
         # Skip ignored test suites
         test_suit = key.split(';')[0] # retrieve test suit name
         test_suit = test_suit.split('.')[0] # retrieve main part of test suit name
-        if(test_suit in ignored_tests):
+        if test_suit in ignored_tests:
             continue
         # Continue if test was not executed by any component
         hits = outcomes[key].hits() if key in outcomes else 0
-        if(hits == 0):
+        if hits == 0:
             continue
         # Search for tests that run in reference component and not in driver component
         driver_test_passed = False
         reference_test_passed = False
         for entry in outcomes[key].successes:
-            if(driver_component in entry):
+            if driver_component in entry:
                 driver_test_passed = True
-            if(reference_component in entry):
+            if reference_component in entry:
                 reference_test_passed = True
-        #if(driver_test_passed == True and reference_test_passed == False):
+        #if(driver_test_passed is True and reference_test_passed is False):
         #    print('{}: driver: passed; reference: skipped'.format(key))
-        if(driver_test_passed == False and reference_test_passed == True):
+        if(driver_test_passed is False and reference_test_passed is True):
             print('{}: driver: skipped/failed; reference: passed'.format(key))
             result = False
     return result
@@ -126,7 +126,7 @@ def do_analyze_coverage(outcome_file):
     """Perform coverage analyze."""
     outcomes = read_outcome_file(outcome_file)
     results = analyze_outcomes(outcomes)
-    return (True if results.error_count == 0 else False)
+    return results.error_count == 0
 
 def do_analyze_driver_vs_reference(outcome_file, components, ignored_tests):
     """Perform driver vs reference analyze."""
@@ -143,27 +143,31 @@ def main():
         parser.add_argument('outcomes', metavar='OUTCOMES.CSV',
                             help='Outcome file to analyze')
         parser.add_argument('--task', default='analyze_coverage',
-                            help='Analyze to be done: analyze_coverage or analyze_driver_vs_reference')
+                            help='Analyze to be done: analyze_coverage or '
+                            'analyze_driver_vs_reference')
         parser.add_argument('--components',
-                            help='List of test components to compare. Must be exactly 2 in valid order: driver,reference. '
+                            help='List of test components to compare. '
+                            'Must be exactly 2 in valid order: driver,reference. '
                             'Apply only for analyze_driver_vs_reference task.')
         parser.add_argument('--ignore',
-                            help='List of test suits to ignore. Apply only for analyze_driver_vs_reference task.')
+                            help='List of test suits to ignore. '
+                            'Apply only for analyze_driver_vs_reference task.')
         options = parser.parse_args()
 
         result = False
 
-        if(options.task == 'analyze_coverage'):
+        if options.task == 'analyze_coverage':
             result = do_analyze_coverage(options.outcomes)
-        elif(options.task == 'analyze_driver_vs_reference'):
+        elif options.task == 'analyze_driver_vs_reference':
             components_list = options.components.split(',')
             ignored_tests_list = options.ignore.split(',')
             ignored_tests_list = ['test_suite_' + x for x in ignored_tests_list]
-            result = do_analyze_driver_vs_reference(options.outcomes, components_list, ignored_tests_list)
+            result = do_analyze_driver_vs_reference(options.outcomes,
+                                                    components_list, ignored_tests_list)
         else:
             print('Error: Unknown task: {}'.format(options.task))
 
-        if(result == False):
+        if result is False:
             sys.exit(1)
         print("SUCCESS :-)")
     except Exception: # pylint: disable=broad-except

From ab0451bc2c28185608243273327d10aa92c34e90 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Mon, 24 Oct 2022 11:29:35 +0200
Subject: [PATCH 005/159] Fix build command in
 test_psa_crypto_config_reference_hash_use_psa

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 tests/scripts/all.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 140166b8f..d84ad8531 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2123,6 +2123,8 @@ component_test_psa_crypto_config_reference_hash_use_psa() {
     scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC
     scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
 
+    make
+
     msg "test: MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"
     make test
 

From 4d13c833dad616601b5b1c8d78ee470fc6b28224 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Wed, 26 Oct 2022 16:11:26 +0200
Subject: [PATCH 006/159] analyze_outcomes.py: remove components and ignore
 parameters

Use a dictionary to specify optional parameters for each task.
If the task is not specified then all tasks are executed.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 tests/scripts/analyze_outcomes.py | 54 +++++++++++++++++++------------
 1 file changed, 33 insertions(+), 21 deletions(-)

diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 3e9599730..de52d776b 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -122,14 +122,18 @@ by a semicolon.
                 outcomes[key].failures.append(setup)
     return outcomes
 
-def do_analyze_coverage(outcome_file):
+def do_analyze_coverage(outcome_file, args):
     """Perform coverage analyze."""
+    del args # unused
     outcomes = read_outcome_file(outcome_file)
     results = analyze_outcomes(outcomes)
     return results.error_count == 0
 
-def do_analyze_driver_vs_reference(outcome_file, components, ignored_tests):
+def do_analyze_driver_vs_reference(outcome_file, args):
     """Perform driver vs reference analyze."""
+    components = args['components'].split(',')
+    ignored_tests = args['ignored'].split(',')
+    ignored_tests = ['test_suite_' + x for x in ignored_tests]
     # We need exactly 2 components to analyze (first driver and second reference)
     if(len(components) != 2 or "accel" not in components[0] or "reference" not in components[1]):
         print('Error: Wrong component list. Exactly 2 components are required (driver,reference). ')
@@ -137,35 +141,43 @@ def do_analyze_driver_vs_reference(outcome_file, components, ignored_tests):
     outcomes = read_outcome_file(outcome_file)
     return analyze_driver_vs_reference(outcomes, components, ignored_tests)
 
+# List of tasks with function that can handle this task and additional arguments if required
+# pylint: disable=line-too-long
+TASKS = {
+    'analyze_coverage':                 {
+        'test_function': do_analyze_coverage,
+        'args': {}},
+    'analyze_driver_vs_reference_hash': {
+        'test_function': do_analyze_driver_vs_reference,
+        'args': {
+            'components': 'test_psa_crypto_config_accel_hash_use_psa,test_psa_crypto_config_reference_hash_use_psa',
+            'ignored': 'md,mdx,shax,entropy,hmac_drbg,random,psa_crypto_init,hkdf'}}
+}
+# pylint: enable=line-too-long
+
 def main():
     try:
         parser = argparse.ArgumentParser(description=__doc__)
         parser.add_argument('outcomes', metavar='OUTCOMES.CSV',
                             help='Outcome file to analyze')
-        parser.add_argument('--task', default='analyze_coverage',
-                            help='Analyze to be done: analyze_coverage or '
-                            'analyze_driver_vs_reference')
-        parser.add_argument('--components',
-                            help='List of test components to compare. '
-                            'Must be exactly 2 in valid order: driver,reference. '
-                            'Apply only for analyze_driver_vs_reference task.')
-        parser.add_argument('--ignore',
-                            help='List of test suits to ignore. '
-                            'Apply only for analyze_driver_vs_reference task.')
+        parser.add_argument('--task', default='all',
+                            help='Analyze to be done: all or analyze_coverage or '
+                            'analyze_driver_vs_reference_hash')
         options = parser.parse_args()
 
-        result = False
+        result = True
 
-        if options.task == 'analyze_coverage':
-            result = do_analyze_coverage(options.outcomes)
-        elif options.task == 'analyze_driver_vs_reference':
-            components_list = options.components.split(',')
-            ignored_tests_list = options.ignore.split(',')
-            ignored_tests_list = ['test_suite_' + x for x in ignored_tests_list]
-            result = do_analyze_driver_vs_reference(options.outcomes,
-                                                    components_list, ignored_tests_list)
+        if options.task == 'all':
+            for task in TASKS:
+                if not TASKS[task]['test_function'](options.outcomes, TASKS[task]['args']):
+                    result = False
+        elif options.task in TASKS:
+            if not TASKS[options.task]['test_function'](options.outcomes,
+                                                        TASKS[options.task]['args']):
+                result = False
         else:
             print('Error: Unknown task: {}'.format(options.task))
+            result = False
 
         if result is False:
             sys.exit(1)

From 5f6f32a0addcfb3b70197f216a745da58d2cd92e Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Thu, 27 Oct 2022 08:24:43 +0200
Subject: [PATCH 007/159] Remove hidden option to skip ssl-opt and compat tests

Also remove compat tests from reference component as results from this run are not included in outcome file.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 tests/scripts/all.sh | 25 ++++++-------------------
 1 file changed, 6 insertions(+), 19 deletions(-)

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index d84ad8531..cecfb5d61 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2098,16 +2098,11 @@ component_test_psa_crypto_config_accel_hash_use_psa () {
     msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash and USE_PSA"
     make test
 
-    # hidden option: when running outcome-analysis.sh, we can skip this
-    if [ "${SKIP_SSL_OPT_COMPAT_SH-unset}" = "unset" ]; then
-        msg "test: ssl-opt.sh, MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash and USE_PSA"
-        tests/ssl-opt.sh
+    msg "test: ssl-opt.sh, MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash and USE_PSA"
+    tests/ssl-opt.sh
 
-        msg "test: compat.sh, MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash and USE_PSA"
-        tests/compat.sh
-    else
-        echo "skip ssl-opt.sh and compat.sh"
-    fi
+    msg "test: compat.sh, MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"
+    tests/compat.sh
 }
 
 component_test_psa_crypto_config_reference_hash_use_psa() {
@@ -2128,16 +2123,8 @@ component_test_psa_crypto_config_reference_hash_use_psa() {
     msg "test: MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"
     make test
 
-    # hidden option: when running outcome-analysis.sh, we can skip this
-    if [ "${SKIP_SSL_OPT_COMPAT_SH-unset}" = "unset" ]; then
-        msg "test: ssl-opt.sh, MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"
-        tests/ssl-opt.sh
-
-        msg "test: compat.sh, MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"
-        tests/compat.sh
-    else
-        echo "skip ssl-opt.sh and compat.sh"
-    fi
+    msg "test: ssl-opt.sh, MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"
+    tests/ssl-opt.sh
 }
 
 component_test_psa_crypto_config_accel_cipher () {

From 120ed8f8faf0128a9632917710059d27816001ec Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Thu, 27 Oct 2022 10:29:15 +0200
Subject: [PATCH 008/159] Add comments to explan the purpose of the reference
 component

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 tests/scripts/all.sh | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index cecfb5d61..6a7501a97 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2041,6 +2041,9 @@ component_test_psa_crypto_config_accel_hash () {
     make test
 }
 
+# Note that component_test_psa_crypto_config_reference_hash_use_psa
+# is related to this component and both components need to be kept in sync.
+# For details please see comments for component_test_psa_crypto_config_reference_hash_use_psa.
 component_test_psa_crypto_config_accel_hash_use_psa () {
     msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash and USE_PSA"
 
@@ -2105,6 +2108,10 @@ component_test_psa_crypto_config_accel_hash_use_psa () {
     tests/compat.sh
 }
 
+# This component provides reference configuration for test_psa_crypto_config_accel_hash_use_psa
+# without accelerated hash. The outcome from both components are used by the analyze_outcomes.py
+# script to find regression in test coverage when accelerated hash is used (tests and ssl-opt).
+# Both components need to be kept in sync.
 component_test_psa_crypto_config_reference_hash_use_psa() {
     msg "test: MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"
     # start with full

From a380b06c26086e695345a04163c1d174c3eb7d20 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Thu, 27 Oct 2022 14:15:26 +0200
Subject: [PATCH 009/159] Add fake dependency to test CI

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 tests/suites/test_suite_error.data | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/suites/test_suite_error.data b/tests/suites/test_suite_error.data
index dec5639ee..65f0daa84 100644
--- a/tests/suites/test_suite_error.data
+++ b/tests/suites/test_suite_error.data
@@ -3,7 +3,7 @@ depends_on:MBEDTLS_AES_C
 error_strerror:-0x0020:"AES - Invalid key length"
 
 Single high error
-depends_on:MBEDTLS_RSA_C
+depends_on:MBEDTLS_RSA_C:MBEDTLS_ENTROPY_C
 error_strerror:-0x4080:"RSA - Bad input parameters to function"
 
 Low and high error

From 471dee5a128a33da461eaf7e546188b99572f7bb Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Thu, 4 Aug 2022 16:33:14 +0800
Subject: [PATCH 010/159] Add debug helpers to track extensions

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_debug_helpers.h |  21 ++++++
 library/ssl_tls13_generic.c | 126 ++++++++++++++++++++++++++++++++++++
 library/ssl_tls13_server.c  |  60 +----------------
 3 files changed, 150 insertions(+), 57 deletions(-)

diff --git a/library/ssl_debug_helpers.h b/library/ssl_debug_helpers.h
index 9f1df736b..07e8c7103 100644
--- a/library/ssl_debug_helpers.h
+++ b/library/ssl_debug_helpers.h
@@ -45,4 +45,25 @@ const char *mbedtls_ssl_named_group_to_str( uint16_t in );
 
 #endif /* MBEDTLS_DEBUG_C */
 
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+#if defined(MBEDTLS_DEBUG_C)
+
+const char *mbedtls_tls13_get_extension_name( uint16_t extension_type );
+
+void mbedtls_ssl_tls13_print_extensions( const mbedtls_ssl_context *ssl,
+                                         int level, const char *file, int line,
+                                         const char *hs_msg_name,
+                                         uint32_t extensions_present );
+
+#define MBEDTLS_SSL_TLS1_3_PRINT_EXTS( level, hs_msg_name, extensions_present ) \
+            mbedtls_ssl_tls13_print_extensions( \
+                ssl, level, __FILE__, __LINE__, hs_msg_name, extensions_present )
+#else
+
+#define MBEDTLS_SSL_TLS1_3_PRINT_EXTS( level, hs_msg_name, extensions_present )
+
+#endif
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
 #endif /* SSL_DEBUG_HELPERS_H */
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 48e367582..662e6f4c8 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1485,4 +1485,130 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
 }
 #endif /* MBEDTLS_ECDH_C */
 
+#if defined(MBEDTLS_DEBUG_C)
+const char *mbedtls_tls13_get_extension_name( uint16_t extension_type )
+{
+    switch( extension_type )
+    {
+        case MBEDTLS_TLS_EXT_SERVERNAME:
+            return( "server_name" );
+
+        case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
+            return( "max_fragment_length" );
+
+        case MBEDTLS_TLS_EXT_STATUS_REQUEST:
+            return( "status_request" );
+
+        case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
+            return( "supported_groups" );
+
+        case MBEDTLS_TLS_EXT_SIG_ALG:
+            return( "signature_algorithms" );
+
+        case MBEDTLS_TLS_EXT_USE_SRTP:
+            return( "use_srtp" );
+
+        case MBEDTLS_TLS_EXT_HEARTBEAT:
+            return( "heartbeat" );
+
+        case MBEDTLS_TLS_EXT_ALPN:
+            return( "application_layer_protocol_negotiation" );
+
+        case MBEDTLS_TLS_EXT_SCT:
+            return( "signed_certificate_timestamp" );
+
+        case MBEDTLS_TLS_EXT_CLI_CERT_TYPE:
+            return( "client_certificate_type" );
+
+        case MBEDTLS_TLS_EXT_SERV_CERT_TYPE:
+            return( "server_certificate_type" );
+
+        case MBEDTLS_TLS_EXT_PADDING:
+            return( "padding" );
+
+        case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
+            return( "pre_shared_key" );
+
+        case MBEDTLS_TLS_EXT_EARLY_DATA:
+            return( "early_data" );
+
+        case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
+            return( "supported_versions" );
+
+        case MBEDTLS_TLS_EXT_COOKIE:
+            return( "cookie" );
+
+        case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
+            return( "psk_key_exchange_modes" );
+
+        case MBEDTLS_TLS_EXT_CERT_AUTH:
+            return( "certificate_authorities" );
+
+        case MBEDTLS_TLS_EXT_OID_FILTERS:
+            return( "oid_filters" );
+
+        case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH:
+            return( "post_handshake_auth" );
+
+        case MBEDTLS_TLS_EXT_SIG_ALG_CERT:
+            return( "signature_algorithms_cert" );
+
+        case MBEDTLS_TLS_EXT_KEY_SHARE:
+            return( "key_share" );
+    };
+
+    return( "unknown" );
+}
+
+void mbedtls_ssl_tls13_print_extensions( const mbedtls_ssl_context *ssl,
+                                         int level, const char *file, int line,
+                                         const char *hs_msg_name,
+                                         uint32_t extensions_present )
+{
+    static const struct{
+        uint32_t extension_mask;
+        const char *extension_name;
+    } mask_to_str_table[] = {
+            { MBEDTLS_SSL_EXT_SERVERNAME, "server_name" },
+            { MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH, "max_fragment_length" },
+            { MBEDTLS_SSL_EXT_STATUS_REQUEST, "status_request" },
+            { MBEDTLS_SSL_EXT_SUPPORTED_GROUPS, "supported_groups" },
+            { MBEDTLS_SSL_EXT_SIG_ALG, "signature_algorithms" },
+            { MBEDTLS_SSL_EXT_USE_SRTP, "use_srtp" },
+            { MBEDTLS_SSL_EXT_HEARTBEAT, "heartbeat" },
+            { MBEDTLS_SSL_EXT_ALPN, "application_layer_protocol_negotiation" },
+            { MBEDTLS_SSL_EXT_SCT, "signed_certificate_timestamp" },
+            { MBEDTLS_SSL_EXT_CLI_CERT_TYPE, "client_certificate_type" },
+            { MBEDTLS_SSL_EXT_SERV_CERT_TYPE, "server_certificate_type" },
+            { MBEDTLS_SSL_EXT_PADDING, "padding" },
+            { MBEDTLS_SSL_EXT_PRE_SHARED_KEY, "pre_shared_key" },
+            { MBEDTLS_SSL_EXT_EARLY_DATA, "early_data" },
+            { MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS, "supported_versions" },
+            { MBEDTLS_SSL_EXT_COOKIE, "cookie" },
+            { MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES, "psk_key_exchange_modes" },
+            { MBEDTLS_SSL_EXT_CERT_AUTH, "certificate_authorities" },
+            { MBEDTLS_SSL_EXT_OID_FILTERS, "oid_filters" },
+            { MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH, "post_handshake_auth" },
+            { MBEDTLS_SSL_EXT_SIG_ALG_CERT, "signature_algorithms_cert" },
+            { MBEDTLS_SSL_EXT_KEY_SHARE, "key_share" } };
+
+    mbedtls_debug_print_msg( ssl, level, file, line,
+                             "extension list of %s:", hs_msg_name );
+
+    for( unsigned i = 0;
+         i < sizeof( mask_to_str_table ) / sizeof( mask_to_str_table[0] );
+         i++ )
+    {
+        const char *extension_name = mask_to_str_table[i].extension_name;
+        uint32_t is_present = extensions_present &
+                              mask_to_str_table[i].extension_mask;
+
+        mbedtls_debug_print_msg( ssl, level, file, line,
+                "- %s extension ( %s )", extension_name,
+                is_present ? "true" : "false" );
+    }
+}
+
+#endif /* MBEDTLS_DEBUG_C */
+
 #endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 3762393b9..b24aa4a8c 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -926,56 +926,6 @@ static int ssl_tls13_parse_key_shares_ext( mbedtls_ssl_context *ssl,
 }
 #endif /* MBEDTLS_ECDH_C */
 
-#if defined(MBEDTLS_DEBUG_C)
-static void ssl_tls13_debug_print_client_hello_exts( mbedtls_ssl_context *ssl )
-{
-    ((void) ssl);
-
-    MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Extensions:" ) );
-    MBEDTLS_SSL_DEBUG_MSG( 3,
-            ( "- KEY_SHARE_EXTENSION ( %s )",
-            ( ( ssl->handshake->extensions_present
-                & MBEDTLS_SSL_EXT_KEY_SHARE ) > 0 ) ? "TRUE" : "FALSE" ) );
-    MBEDTLS_SSL_DEBUG_MSG( 3,
-            ( "- PSK_KEY_EXCHANGE_MODES_EXTENSION ( %s )",
-            ( ( ssl->handshake->extensions_present
-                & MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) > 0 ) ?
-                "TRUE" : "FALSE" ) );
-    MBEDTLS_SSL_DEBUG_MSG( 3,
-            ( "- PRE_SHARED_KEY_EXTENSION ( %s )",
-            ( ( ssl->handshake->extensions_present
-                & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) > 0 ) ? "TRUE" : "FALSE" ) );
-    MBEDTLS_SSL_DEBUG_MSG( 3,
-            ( "- SIGNATURE_ALGORITHM_EXTENSION ( %s )",
-            ( ( ssl->handshake->extensions_present
-                & MBEDTLS_SSL_EXT_SIG_ALG ) > 0 ) ? "TRUE" : "FALSE" ) );
-    MBEDTLS_SSL_DEBUG_MSG( 3,
-            ( "- SUPPORTED_GROUPS_EXTENSION ( %s )",
-            ( ( ssl->handshake->extensions_present
-                & MBEDTLS_SSL_EXT_SUPPORTED_GROUPS ) >0 ) ?
-                "TRUE" : "FALSE" ) );
-    MBEDTLS_SSL_DEBUG_MSG( 3,
-            ( "- SUPPORTED_VERSION_EXTENSION ( %s )",
-            ( ( ssl->handshake->extensions_present
-                & MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) > 0 ) ?
-                "TRUE" : "FALSE" ) );
-#if defined ( MBEDTLS_SSL_SERVER_NAME_INDICATION )
-    MBEDTLS_SSL_DEBUG_MSG( 3,
-            ( "- SERVERNAME_EXTENSION    ( %s )",
-            ( ( ssl->handshake->extensions_present
-                & MBEDTLS_SSL_EXT_SERVERNAME ) > 0 ) ?
-                "TRUE" : "FALSE" ) );
-#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
-#if defined ( MBEDTLS_SSL_ALPN )
-    MBEDTLS_SSL_DEBUG_MSG( 3,
-            ( "- ALPN_EXTENSION   ( %s )",
-            ( ( ssl->handshake->extensions_present
-                & MBEDTLS_SSL_EXT_ALPN ) > 0 ) ?
-                "TRUE" : "FALSE" ) );
-#endif /* MBEDTLS_SSL_ALPN */
-}
-#endif /* MBEDTLS_DEBUG_C */
-
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_client_hello_has_exts( mbedtls_ssl_context *ssl,
                                             int exts_mask )
@@ -1655,18 +1605,14 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
 
             default:
                 MBEDTLS_SSL_DEBUG_MSG( 3,
-                        ( "unknown extension found: %ud ( ignoring )",
-                          extension_type ) );
+                    ( "client hello: received %s(%u) extension ( ignored )",
+                      mbedtls_tls13_get_extension_name( extension_type ),
+                      extension_type ) );
         }
 
         p += extension_data_len;
     }
 
-#if defined(MBEDTLS_DEBUG_C)
-    /* List all the extensions we have received */
-    ssl_tls13_debug_print_client_hello_exts( ssl );
-#endif /* MBEDTLS_DEBUG_C */
-
     mbedtls_ssl_add_hs_hdr_to_checksum( ssl,
                                         MBEDTLS_SSL_HS_CLIENT_HELLO,
                                         p - buf );

From e18dc7eb9ac8d4d4161dace796c436cb6a2ef225 Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Thu, 4 Aug 2022 16:29:22 +0800
Subject: [PATCH 011/159] Add forbidden extensions check for ClientHello

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_misc.h         | 173 ++++++++++++++++++++++++++++++++++++-
 library/ssl_tls13_server.c |  57 +++++++++---
 2 files changed, 216 insertions(+), 14 deletions(-)

diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 41bb9c514..cf3010a8f 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -103,6 +103,93 @@
 #define MBEDTLS_SSL_EXT_SIG_ALG_CERT                ( 1 << 20 )
 #define MBEDTLS_SSL_EXT_KEY_SHARE                   ( 1 << 21 )
 
+/* Except ServerHello, other message should ignore unrecognized extension.
+ *
+ * RFC 8446 page 31
+ *
+ * The ServerHello MUST only include extensions which are required to establish
+ * the cryptographic context and negotiate the protocol version.
+ *
+ * RFC 8446 page 35
+ *
+ * If an implementation receives an extension which it recognizes and which is
+ * not specified for the message in which it appears, it MUST abort the handshake
+ * with an "illegal_parameter" alert.
+ */
+#define MBEDTLS_SSL_EXT_UNRECOGNIZED                ( 1U << 31 )
+
+/* RFC 8446 page 36. Allowed extensions for ClienHello */
+#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH                                  \
+            ( MBEDTLS_SSL_EXT_SERVERNAME                                     | \
+              MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH                            | \
+              MBEDTLS_SSL_EXT_STATUS_REQUEST                                 | \
+              MBEDTLS_SSL_EXT_SUPPORTED_GROUPS                               | \
+              MBEDTLS_SSL_EXT_SIG_ALG                                        | \
+              MBEDTLS_SSL_EXT_USE_SRTP                                       | \
+              MBEDTLS_SSL_EXT_HEARTBEAT                                      | \
+              MBEDTLS_SSL_EXT_ALPN                                           | \
+              MBEDTLS_SSL_EXT_SCT                                            | \
+              MBEDTLS_SSL_EXT_CLI_CERT_TYPE                                  | \
+              MBEDTLS_SSL_EXT_SERV_CERT_TYPE                                 | \
+              MBEDTLS_SSL_EXT_PADDING                                        | \
+              MBEDTLS_SSL_EXT_KEY_SHARE                                      | \
+              MBEDTLS_SSL_EXT_PRE_SHARED_KEY                                 | \
+              MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES                         | \
+              MBEDTLS_SSL_EXT_EARLY_DATA                                     | \
+              MBEDTLS_SSL_EXT_COOKIE                                         | \
+              MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS                             | \
+              MBEDTLS_SSL_EXT_CERT_AUTH                                      | \
+              MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH                            | \
+              MBEDTLS_SSL_EXT_SIG_ALG_CERT                                   | \
+              MBEDTLS_SSL_EXT_UNRECOGNIZED )
+
+/* RFC 8446 page 36. Allowed extensions for EncryptedExtensions */
+#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE                                  \
+            ( MBEDTLS_SSL_EXT_SERVERNAME                                     | \
+              MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH                            | \
+              MBEDTLS_SSL_EXT_SUPPORTED_GROUPS                               | \
+              MBEDTLS_SSL_EXT_USE_SRTP                                       | \
+              MBEDTLS_SSL_EXT_HEARTBEAT                                      | \
+              MBEDTLS_SSL_EXT_ALPN                                           | \
+              MBEDTLS_SSL_EXT_CLI_CERT_TYPE                                  | \
+              MBEDTLS_SSL_EXT_SERV_CERT_TYPE                                 | \
+              MBEDTLS_SSL_EXT_EARLY_DATA                                     | \
+              MBEDTLS_SSL_EXT_UNRECOGNIZED )
+
+/* RFC 8446 page 36. Allowed extensions for CertificateRequest */
+#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR                                  \
+            ( MBEDTLS_SSL_EXT_STATUS_REQUEST                                 | \
+              MBEDTLS_SSL_EXT_SIG_ALG                                        | \
+              MBEDTLS_SSL_EXT_SCT                                            | \
+              MBEDTLS_SSL_EXT_CERT_AUTH                                      | \
+              MBEDTLS_SSL_EXT_OID_FILTERS                                    | \
+              MBEDTLS_SSL_EXT_SIG_ALG_CERT                                   | \
+              MBEDTLS_SSL_EXT_UNRECOGNIZED )
+
+/* RFC 8446 page 36. Allowed extensions for Certificate */
+#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT                                  \
+            ( MBEDTLS_SSL_EXT_STATUS_REQUEST                                 | \
+              MBEDTLS_SSL_EXT_SCT                                            | \
+              MBEDTLS_SSL_EXT_UNRECOGNIZED )
+
+/* RFC 8446 page 36. Allowed extensions for ServerHello */
+#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH                                  \
+            ( MBEDTLS_SSL_EXT_KEY_SHARE                                      | \
+              MBEDTLS_SSL_EXT_PRE_SHARED_KEY                                 | \
+              MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS )
+
+/* RFC 8446 page 36. Allowed extensions for HelloRetryRequest */
+#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR                                 \
+            ( MBEDTLS_SSL_EXT_KEY_SHARE                                      | \
+              MBEDTLS_SSL_EXT_COOKIE                                         | \
+              MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS                             | \
+              MBEDTLS_SSL_EXT_UNRECOGNIZED )
+
+/* RFC 8446 page 36. Allowed extensions for NewSessionTicket */
+#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST                                 \
+            ( MBEDTLS_SSL_EXT_EARLY_DATA                                     | \
+              MBEDTLS_SSL_EXT_UNRECOGNIZED )
+
 /*
  * Helper macros for function call with return check.
  */
@@ -858,7 +945,7 @@ struct mbedtls_ssl_handshake_params
 #endif
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-    int extensions_present;             /*!< extension presence; Each bitfield
+    uint32_t extensions_present;        /*!< extension presence; Each bitfield
                                              represents an extension and defined
                                              as \c MBEDTLS_SSL_EXT_XXX */
 
@@ -1838,6 +1925,90 @@ static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl )
 #endif /* MBEDTLS_SSL_SRV_C &&
           MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
 
+/*
+ * Helper functions to check if the extension is allowed or forbiden
+ */
+static inline int mbedtls_ssl_tls13_has_extensions( mbedtls_ssl_context *ssl,
+                                                    int extensions_mask )
+{
+    int masked = ssl->handshake->extensions_present & extensions_mask;
+    return( masked != 0 );
+}
+
+static inline int mbedtls_tls13_get_extension_mask( uint16_t extension_type )
+{
+    switch( extension_type )
+    {
+        case MBEDTLS_TLS_EXT_SERVERNAME:
+            return( MBEDTLS_SSL_EXT_SERVERNAME );
+
+        case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
+            return( MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH );
+
+        case MBEDTLS_TLS_EXT_STATUS_REQUEST:
+            return( MBEDTLS_SSL_EXT_STATUS_REQUEST );
+
+        case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
+            return( MBEDTLS_SSL_EXT_SUPPORTED_GROUPS );
+
+        case MBEDTLS_TLS_EXT_SIG_ALG:
+            return( MBEDTLS_SSL_EXT_SIG_ALG );
+
+        case MBEDTLS_TLS_EXT_USE_SRTP:
+            return( MBEDTLS_SSL_EXT_USE_SRTP );
+
+        case MBEDTLS_TLS_EXT_HEARTBEAT:
+            return( MBEDTLS_SSL_EXT_HEARTBEAT );
+
+        case MBEDTLS_TLS_EXT_ALPN:
+            return( MBEDTLS_SSL_EXT_ALPN );
+
+        case MBEDTLS_TLS_EXT_SCT:
+            return( MBEDTLS_SSL_EXT_SCT );
+
+        case MBEDTLS_TLS_EXT_CLI_CERT_TYPE:
+            return( MBEDTLS_SSL_EXT_CLI_CERT_TYPE );
+
+        case MBEDTLS_TLS_EXT_SERV_CERT_TYPE:
+            return( MBEDTLS_SSL_EXT_SERV_CERT_TYPE );
+
+        case MBEDTLS_TLS_EXT_PADDING:
+            return( MBEDTLS_SSL_EXT_PADDING );
+
+        case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
+            return( MBEDTLS_SSL_EXT_PRE_SHARED_KEY );
+
+        case MBEDTLS_TLS_EXT_EARLY_DATA:
+            return( MBEDTLS_SSL_EXT_EARLY_DATA );
+
+        case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
+            return( MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS );
+
+        case MBEDTLS_TLS_EXT_COOKIE:
+            return( MBEDTLS_SSL_EXT_COOKIE );
+
+        case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
+            return( MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES );
+
+        case MBEDTLS_TLS_EXT_CERT_AUTH:
+            return( MBEDTLS_SSL_EXT_CERT_AUTH );
+
+        case MBEDTLS_TLS_EXT_OID_FILTERS:
+            return( MBEDTLS_SSL_EXT_OID_FILTERS );
+
+        case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH:
+            return( MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH );
+
+        case MBEDTLS_TLS_EXT_SIG_ALG_CERT:
+            return( MBEDTLS_SSL_EXT_SIG_ALG_CERT );
+
+        case MBEDTLS_TLS_EXT_KEY_SHARE:
+            return( MBEDTLS_SSL_EXT_KEY_SHARE );
+    };
+
+    return( MBEDTLS_SSL_EXT_UNRECOGNIZED );
+}
+
 /*
  * Helper functions to check the selected key exchange mode.
  */
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index b24aa4a8c..32f64d73c 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1239,6 +1239,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
     const unsigned char *cipher_suites_end;
     size_t extensions_len;
     const unsigned char *extensions_end;
+    uint32_t extensions_present;
     int hrr_required = 0;
 
 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
@@ -1247,7 +1248,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
     const unsigned char *pre_shared_key_ext_end = NULL;
 #endif
 
-    ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
+    extensions_present = MBEDTLS_SSL_EXT_NONE;
 
     /*
      * ClientHello layout:
@@ -1431,7 +1432,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
          * Servers MUST check that it is the last extension and otherwise fail
          * the handshake with an "illegal_parameter" alert.
          */
-        if( ssl->handshake->extensions_present & MBEDTLS_SSL_EXT_PRE_SHARED_KEY )
+        if( extensions_present & MBEDTLS_SSL_EXT_PRE_SHARED_KEY )
         {
             MBEDTLS_SSL_DEBUG_MSG(
                 3, ( "pre_shared_key is not last extension." ) );
@@ -1449,6 +1450,27 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
         extension_data_end = p + extension_data_len;
 
+        /* RFC 8446 page 35
+         *
+         * If an implementation receives an extension which it recognizes and which
+         * is not specified for the message in which it appears, it MUST abort the
+         * handshake with an "illegal_parameter" alert.
+         */
+        extensions_present |= mbedtls_tls13_get_extension_mask( extension_type );
+        MBEDTLS_SSL_DEBUG_MSG( 3,
+                    ( "client hello : received %s(%u) extension",
+                      mbedtls_tls13_get_extension_name( extension_type ),
+                      extension_type ) );
+        if( ( extensions_present & MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH ) == 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG(
+                3, ( "forbidden extension received." ) );
+            MBEDTLS_SSL_PEND_FATAL_ALERT(
+                MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+                MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+            return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+        }
+
         switch( extension_type )
         {
 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
@@ -1462,7 +1484,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
                             1, "mbedtls_ssl_parse_servername_ext", ret );
                     return( ret );
                 }
-                ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SERVERNAME;
                 break;
 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
 
@@ -1485,7 +1506,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
                     return( ret );
                 }
 
-                ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_GROUPS;
                 break;
 #endif /* MBEDTLS_ECDH_C */
 
@@ -1515,7 +1535,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
                     return( ret );
                 }
 
-                ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE;
                 break;
 #endif /* MBEDTLS_ECDH_C */
 
@@ -1530,7 +1549,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
                                 ( "ssl_tls13_parse_supported_versions_ext" ), ret );
                     return( ret );
                 }
-                ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS;
                 break;
 
 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
@@ -1546,13 +1564,12 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
                     return( ret );
                 }
 
-                ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES;
                 break;
 #endif
 
             case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) );
-                if( ( ssl->handshake->extensions_present &
+                if( ( extensions_present &
                       MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) == 0 )
                 {
                     MBEDTLS_SSL_PEND_FATAL_ALERT(
@@ -1567,8 +1584,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
                  */
                 pre_shared_key_ext = p;
                 pre_shared_key_ext_end = extension_data_end;
-#endif
-                ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
                 break;
 
 #if defined(MBEDTLS_SSL_ALPN)
@@ -1582,7 +1598,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
                             1, ( "mbedtls_ssl_parse_alpn_ext" ), ret );
                     return( ret );
                 }
-                ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_ALPN;
                 break;
 #endif /* MBEDTLS_SSL_ALPN */
 
@@ -1599,7 +1614,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
                       ret ) );
                     return( ret );
                 }
-                ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG;
                 break;
 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
 
@@ -1613,6 +1627,22 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
         p += extension_data_len;
     }
 
+    MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, "ClientHello", extensions_present );
+
+    /* RFC 8446 page 102
+     * -  "supported_versions" is REQUIRED for all ClientHello, ServerHello, and
+     *    HelloRetryRequest messages.
+     */
+    if( ( extensions_present & MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1,
+                    ( "client hello: supported_versions not found" ) );
+        MBEDTLS_SSL_PEND_FATAL_ALERT(
+                MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION,
+                MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+    }
+
     mbedtls_ssl_add_hs_hdr_to_checksum( ssl,
                                         MBEDTLS_SSL_HS_CLIENT_HELLO,
                                         p - buf );
@@ -1636,7 +1666,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
                                                   cipher_suites_end );
         if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
         {
-            ssl->handshake->extensions_present &= ~MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
+            extensions_present &= ~MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
         }
         else if( ret != 0 )
         {
@@ -1651,6 +1681,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
         ssl->handshake->update_checksum( ssl, buf, p - buf );
     }
 
+    ssl->handshake->extensions_present = extensions_present;
     ret = ssl_tls13_determine_key_exchange_mode( ssl );
     if( ret < 0 )
         return( ret );

From cbd082f396eabdba054c03215b6636c254275d87 Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Thu, 4 Aug 2022 16:55:10 +0800
Subject: [PATCH 012/159] Add extension check for EncryptedExtensions

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_tls13_client.c | 40 +++++++++++++++++++++++++++++---------
 1 file changed, 31 insertions(+), 9 deletions(-)

diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index ac19f6308..db0eb44d7 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -32,6 +32,7 @@
 #include "ssl_misc.h"
 #include "ssl_client.h"
 #include "ssl_tls13_keys.h"
+#include "ssl_debug_helpers.h"
 
 /* Write extensions */
 
@@ -1969,6 +1970,7 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
     size_t extensions_len;
     const unsigned char *p = buf;
     const unsigned char *extensions_end;
+    uint32_t extensions_present;
 
     MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
     extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
@@ -1978,6 +1980,8 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
     MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
     extensions_end = p + extensions_len;
 
+    extensions_present = MBEDTLS_SSL_EXT_NONE;
+
     while( p < extensions_end )
     {
         unsigned int extension_type;
@@ -1996,10 +2000,27 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
 
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
 
-        /* The client MUST check EncryptedExtensions for the
-         * presence of any forbidden extensions and if any are found MUST abort
-         * the handshake with an "unsupported_extension" alert.
+        /* RFC 8446 page 35
+         *
+         * If an implementation receives an extension which it recognizes and which
+         * is not specified for the message in which it appears, it MUST abort the
+         * handshake with an "illegal_parameter" alert.
          */
+        extensions_present |= mbedtls_tls13_get_extension_mask( extension_type );
+        MBEDTLS_SSL_DEBUG_MSG( 3,
+                    ( "encrypted extensions : received %s(%u) extension",
+                      mbedtls_tls13_get_extension_name( extension_type ),
+                      extension_type ) );
+        if( ( extensions_present & MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE ) == 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG(
+                3, ( "forbidden extension received." ) );
+            MBEDTLS_SSL_PEND_FATAL_ALERT(
+                MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+                MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+            return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+        }
+
         switch( extension_type )
         {
             case MBEDTLS_TLS_EXT_SERVERNAME:
@@ -2024,17 +2045,18 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
                 break;
 #endif /* MBEDTLS_SSL_ALPN */
             default:
-                MBEDTLS_SSL_DEBUG_MSG(
-                    3, ( "unsupported extension found: %u ", extension_type) );
-                MBEDTLS_SSL_PEND_FATAL_ALERT(
-                    MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
-                    MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
-                return ( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
+                MBEDTLS_SSL_DEBUG_MSG( 3,
+                    ( "encrypted extensions: received %s(%u) extension ( ignored )",
+                      mbedtls_tls13_get_extension_name( extension_type ),
+                      extension_type ) );
+                break;
         }
 
         p += extension_data_len;
     }
 
+    MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, "EncrypedExtensions", extensions_present );
+
     /* Check that we consumed all the message. */
     if( p != end )
     {

From c55a6af9eb9749cba60c67954b4d077e21e9d0ac Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Thu, 4 Aug 2022 17:01:21 +0800
Subject: [PATCH 013/159] Add extensions check for CertificateRequest

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_tls13_client.c | 66 +++++++++++++++++++++++++++++---------
 1 file changed, 51 insertions(+), 15 deletions(-)

diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index db0eb44d7..599f488be 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -2162,7 +2162,7 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
     size_t certificate_request_context_len = 0;
     size_t extensions_len = 0;
     const unsigned char *extensions_end;
-    unsigned char sig_alg_ext_found = 0;
+    uint32_t extensions_present;
 
     /* ...
      * opaque certificate_request_context<0..2^8-1>
@@ -2202,10 +2202,13 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
     MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
     extensions_end = p + extensions_len;
 
+    extensions_present = MBEDTLS_SSL_EXT_NONE;
+
     while( p < extensions_end )
     {
         unsigned int extension_type;
         size_t extension_data_len;
+        uint32_t extension_mask;
 
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
         extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
@@ -2214,6 +2217,38 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
 
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
 
+        /* RFC 8446 page 35
+         *
+         * If an implementation receives an extension which it recognizes and which
+         * is not specified for the message in which it appears, it MUST abort the
+         * handshake with an "illegal_parameter" alert.
+         */
+        extension_mask = mbedtls_tls13_get_extension_mask( extension_type );
+
+        MBEDTLS_SSL_DEBUG_MSG( 3,
+                    ( "encrypted extensions : received %s(%u) extension",
+                      mbedtls_tls13_get_extension_name( extension_type ),
+                      extension_type ) );
+        if( ( extension_mask & MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR ) == 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG(
+                3, ( "forbidden extension received." ) );
+            MBEDTLS_SSL_PEND_FATAL_ALERT(
+                MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+                MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+            return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+        }
+
+        if( extensions_present & extension_mask )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3,
+                ( "Duplicate %s extensions found",
+                    mbedtls_tls13_get_extension_name( extension_type ) ) );
+            goto decode_error;
+
+        }
+        extensions_present |= extension_mask;
+
         switch( extension_type )
         {
             case MBEDTLS_TLS_EXT_SIG_ALG:
@@ -2223,25 +2258,22 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
                                                      p + extension_data_len );
                 if( ret != 0 )
                     return( ret );
-                if( ! sig_alg_ext_found )
-                    sig_alg_ext_found = 1;
-                else
-                {
-                    MBEDTLS_SSL_DEBUG_MSG( 3,
-                        ( "Duplicate signature algorithms extensions found" ) );
-                    goto decode_error;
-                }
+
                 break;
 
             default:
-                MBEDTLS_SSL_DEBUG_MSG(
-                    3,
-                    ( "unknown extension found: %u ( ignoring )",
-                    extension_type ) );
+                MBEDTLS_SSL_DEBUG_MSG( 3,
+                    ( "certificate request: received %s(%u) extension ( ignored )",
+                      mbedtls_tls13_get_extension_name( extension_type ),
+                      extension_type ) );
                 break;
         }
+
         p += extension_data_len;
     }
+
+    MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, "CertificateRequest", extensions_present );
+
     /* Check that we consumed all the message. */
     if( p != end )
     {
@@ -2249,8 +2281,12 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
             ( "CertificateRequest misaligned" ) );
         goto decode_error;
     }
-    /* Check that we found signature algorithms extension */
-    if( ! sig_alg_ext_found )
+
+    /* RFC 8446 page 60
+     *
+     * The "signature_algorithms" extension MUST be specified
+     */
+    if( ( extensions_present & MBEDTLS_SSL_EXT_SIG_ALG ) == 0 )
     {
         MBEDTLS_SSL_DEBUG_MSG( 3,
             ( "no signature algorithms extension found" ) );

From 2eaa76044b13e6ced8d828438629718c3221cc2f Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Thu, 4 Aug 2022 17:28:15 +0800
Subject: [PATCH 014/159] Add extension check for Certificate

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_tls13_generic.c | 59 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 58 insertions(+), 1 deletion(-)

diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 662e6f4c8..bd56666a9 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -447,6 +447,8 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
     while( p < certificate_list_end )
     {
         size_t cert_data_len, extensions_len;
+        const unsigned char *extensions_end;
+        uint32_t extensions_present;
 
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 3 );
         cert_data_len = MBEDTLS_GET_UINT24_BE( p, 0 );
@@ -504,7 +506,62 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
         extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
         p += 2;
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len );
-        p += extensions_len;
+
+        extensions_end = p + extensions_len;
+        extensions_present = MBEDTLS_SSL_EXT_NONE;
+
+        while( p < extensions_end )
+        {
+            unsigned int extension_type;
+            size_t extension_data_len;
+
+            /*
+            * struct {
+            *     ExtensionType extension_type; (2 bytes)
+            *     opaque extension_data<0..2^16-1>;
+            * } Extension;
+            */
+            MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
+            extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
+            extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
+            p += 4;
+
+            MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
+
+            /* RFC 8446 page 35
+             *
+             * If an implementation receives an extension which it recognizes and
+             * which is not specified for the message in which it appears, it MUST
+             * abort the handshake with an "illegal_parameter" alert.
+             */
+            extensions_present |= mbedtls_tls13_get_extension_mask( extension_type );
+            MBEDTLS_SSL_DEBUG_MSG( 3,
+                        ( "encrypted extensions : received %s(%u) extension",
+                        mbedtls_tls13_get_extension_name( extension_type ),
+                        extension_type ) );
+            if( ( extensions_present & MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT ) == 0 )
+            {
+                MBEDTLS_SSL_DEBUG_MSG(
+                    3, ( "forbidden extension received." ) );
+                MBEDTLS_SSL_PEND_FATAL_ALERT(
+                    MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+                    MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+                return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+            }
+            switch( extension_type )
+            {
+                default:
+                    MBEDTLS_SSL_DEBUG_MSG( 3,
+                        ( "Certificate: received %s(%u) extension ( ignored )",
+                        mbedtls_tls13_get_extension_name( extension_type ),
+                        extension_type ) );
+                    break;
+            }
+
+            p += extension_data_len;
+        }
+
+        MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, "Certificate", extensions_present );
     }
 
 exit:

From 2c5363e58b92c245e03dd0ad3997622d6bedf320 Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Thu, 4 Aug 2022 17:42:49 +0800
Subject: [PATCH 015/159] Add extension check for ServerHello and HRR

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_tls13_client.c | 50 +++++++++++++++++++++++++++++++++-----
 1 file changed, 44 insertions(+), 6 deletions(-)

diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 599f488be..f42e591bd 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1496,6 +1496,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
     mbedtls_ssl_handshake_params *handshake = ssl->handshake;
     size_t extensions_len;
     const unsigned char *extensions_end;
+    uint32_t extensions_present, allowed_extension_mask;
     uint16_t cipher_suite;
     const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
     int fatal_alert = 0;
@@ -1641,6 +1642,11 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
 
     MBEDTLS_SSL_DEBUG_BUF( 3, "server hello extensions", p, extensions_len );
 
+    extensions_present = MBEDTLS_SSL_EXT_NONE;
+    allowed_extension_mask = is_hrr ?
+                                  MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR :
+                                  MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH;
+
     while( p < extensions_end )
     {
         unsigned int extension_type;
@@ -1655,6 +1661,24 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
         extension_data_end = p + extension_data_len;
 
+        /* RFC 8446 page 35
+         *
+         * If an implementation receives an extension which it recognizes and which
+         * is not specified for the message in which it appears, it MUST abort the
+         * handshake with an "illegal_parameter" alert.
+         */
+        extensions_present |= mbedtls_tls13_get_extension_mask( extension_type );
+        MBEDTLS_SSL_DEBUG_MSG( 3,
+                    ( "%s: received %s(%u) extension",
+                      is_hrr ? "hello retry request" : "server hello",
+                      mbedtls_tls13_get_extension_name( extension_type ),
+                      extension_type ) );
+        if( ( extensions_present & allowed_extension_mask ) == 0 )
+        {
+            fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
+            goto cleanup;
+        }
+
         switch( extension_type )
         {
             case MBEDTLS_TLS_EXT_COOKIE:
@@ -1727,18 +1751,32 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
                 break;
 
             default:
-                MBEDTLS_SSL_DEBUG_MSG(
-                    3,
-                    ( "unknown extension found: %u ( ignoring )",
+                MBEDTLS_SSL_DEBUG_MSG( 3,
+                    ( "%s: ignore %s(%u) extension",
+                      is_hrr ? "hello retry request" : "server hello",
+                      mbedtls_tls13_get_extension_name( extension_type ),
                       extension_type ) );
-
-                fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
-                goto cleanup;
+                break;
         }
 
         p += extension_data_len;
     }
 
+    MBEDTLS_SSL_TLS1_3_PRINT_EXTS(
+        3, is_hrr ? "HelloRetryRequest" : "ServerHello", extensions_present );
+
+    /* RFC 8446 page 102
+     * -  "supported_versions" is REQUIRED for all ClientHello, ServerHello, and
+     *    HelloRetryRequest messages.
+     */
+    if( ( extensions_present & MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1,
+                    ( "%s: supported_versions not found",
+                      is_hrr ? "hello retry request" : "server hello" ) );
+        fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
+    }
+
 cleanup:
 
     if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT )

From 6ba9f1c959cdcb30e0da23c1a7ced1ceb85e73a6 Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Thu, 4 Aug 2022 17:53:25 +0800
Subject: [PATCH 016/159] Add extension check for NewSessionTicket

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_tls13_client.c | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index f42e591bd..1abe09e5e 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -2565,9 +2565,12 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
                                                     const unsigned char *end )
 {
     const unsigned char *p = buf;
+    uint32_t extensions_present;
 
     ((void) ssl);
 
+    extensions_present = MBEDTLS_SSL_EXT_NONE;
+
     while( p < end )
     {
         unsigned int extension_type;
@@ -2580,6 +2583,27 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
 
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extension_data_len );
 
+        /* RFC 8446 page 35
+         *
+         * If an implementation receives an extension which it recognizes and which
+         * is not specified for the message in which it appears, it MUST abort the
+         * handshake with an "illegal_parameter" alert.
+         */
+        extensions_present |= mbedtls_tls13_get_extension_mask( extension_type );
+        MBEDTLS_SSL_DEBUG_MSG( 3,
+                    ( "NewSessionTicket : received %s(%u) extension",
+                      mbedtls_tls13_get_extension_name( extension_type ),
+                      extension_type ) );
+        if( ( extensions_present & MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST ) == 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG(
+                3, ( "forbidden extension received." ) );
+            MBEDTLS_SSL_PEND_FATAL_ALERT(
+                MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+                MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+            return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+        }
+
         switch( extension_type )
         {
             case MBEDTLS_TLS_EXT_EARLY_DATA:
@@ -2587,11 +2611,18 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
                 break;
 
             default:
+                MBEDTLS_SSL_DEBUG_MSG( 3,
+                    ( "NewSessionTicket : received %s(%u) extension ( ignored )",
+                      mbedtls_tls13_get_extension_name( extension_type ),
+                      extension_type ) );
                 break;
         }
+
         p +=  extension_data_len;
     }
 
+    MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, "NewSessionTicket", extensions_present );
+
     return( 0 );
 }
 

From d15992d3ce5aba001a843b0b832cbbf3a4cd8da5 Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Mon, 29 Aug 2022 10:58:31 +0800
Subject: [PATCH 017/159] fix wrong setting of unrecognized ext

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_misc.h | 33 +++++++++++++++++----------------
 1 file changed, 17 insertions(+), 16 deletions(-)

diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index cf3010a8f..aaa910fc8 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -103,14 +103,18 @@
 #define MBEDTLS_SSL_EXT_SIG_ALG_CERT                ( 1 << 20 )
 #define MBEDTLS_SSL_EXT_KEY_SHARE                   ( 1 << 21 )
 
-/* Except ServerHello, other message should ignore unrecognized extension.
+/* For request messages, we should just ignore unrecognized extension when
+ * parsing messages. For response messages, we should not ignore unrecognized
+ * extension when parsing messages. Request messages include ClientHello,
+ * Certificate and NewSessionTicket. Response messages include ServerHello,
+ * EncryptExtensions, Certificate and HelloRetryRequest.
  *
- * RFC 8446 page 31
+ * RFC 8446 section 4.1.3
  *
  * The ServerHello MUST only include extensions which are required to establish
  * the cryptographic context and negotiate the protocol version.
  *
- * RFC 8446 page 35
+ * RFC 8446 section 4.2
  *
  * If an implementation receives an extension which it recognizes and which is
  * not specified for the message in which it appears, it MUST abort the handshake
@@ -118,7 +122,7 @@
  */
 #define MBEDTLS_SSL_EXT_UNRECOGNIZED                ( 1U << 31 )
 
-/* RFC 8446 page 36. Allowed extensions for ClienHello */
+/* RFC 8446 section 4.2. Allowed extensions for ClienHello */
 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH                                  \
             ( MBEDTLS_SSL_EXT_SERVERNAME                                     | \
               MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH                            | \
@@ -143,7 +147,7 @@
               MBEDTLS_SSL_EXT_SIG_ALG_CERT                                   | \
               MBEDTLS_SSL_EXT_UNRECOGNIZED )
 
-/* RFC 8446 page 36. Allowed extensions for EncryptedExtensions */
+/* RFC 8446 section 4.2. Allowed extensions for EncryptedExtensions */
 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE                                  \
             ( MBEDTLS_SSL_EXT_SERVERNAME                                     | \
               MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH                            | \
@@ -153,10 +157,9 @@
               MBEDTLS_SSL_EXT_ALPN                                           | \
               MBEDTLS_SSL_EXT_CLI_CERT_TYPE                                  | \
               MBEDTLS_SSL_EXT_SERV_CERT_TYPE                                 | \
-              MBEDTLS_SSL_EXT_EARLY_DATA                                     | \
-              MBEDTLS_SSL_EXT_UNRECOGNIZED )
+              MBEDTLS_SSL_EXT_EARLY_DATA )
 
-/* RFC 8446 page 36. Allowed extensions for CertificateRequest */
+/* RFC 8446 section 4.2. Allowed extensions for CertificateRequest */
 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR                                  \
             ( MBEDTLS_SSL_EXT_STATUS_REQUEST                                 | \
               MBEDTLS_SSL_EXT_SIG_ALG                                        | \
@@ -166,26 +169,24 @@
               MBEDTLS_SSL_EXT_SIG_ALG_CERT                                   | \
               MBEDTLS_SSL_EXT_UNRECOGNIZED )
 
-/* RFC 8446 page 36. Allowed extensions for Certificate */
+/* RFC 8446 section 4.2. Allowed extensions for Certificate */
 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT                                  \
             ( MBEDTLS_SSL_EXT_STATUS_REQUEST                                 | \
-              MBEDTLS_SSL_EXT_SCT                                            | \
-              MBEDTLS_SSL_EXT_UNRECOGNIZED )
+              MBEDTLS_SSL_EXT_SCT )
 
-/* RFC 8446 page 36. Allowed extensions for ServerHello */
+/* RFC 8446 section 4.2. Allowed extensions for ServerHello */
 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH                                  \
             ( MBEDTLS_SSL_EXT_KEY_SHARE                                      | \
               MBEDTLS_SSL_EXT_PRE_SHARED_KEY                                 | \
               MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS )
 
-/* RFC 8446 page 36. Allowed extensions for HelloRetryRequest */
+/* RFC 8446 section 4.2. Allowed extensions for HelloRetryRequest */
 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR                                 \
             ( MBEDTLS_SSL_EXT_KEY_SHARE                                      | \
               MBEDTLS_SSL_EXT_COOKIE                                         | \
-              MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS                             | \
-              MBEDTLS_SSL_EXT_UNRECOGNIZED )
+              MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS )
 
-/* RFC 8446 page 36. Allowed extensions for NewSessionTicket */
+/* RFC 8446 section 4.2. Allowed extensions for NewSessionTicket */
 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST                                 \
             ( MBEDTLS_SSL_EXT_EARLY_DATA                                     | \
               MBEDTLS_SSL_EXT_UNRECOGNIZED )

From 43ff252688c77568d3a19f43e75efa96effbee60 Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Mon, 29 Aug 2022 12:58:05 +0800
Subject: [PATCH 018/159] Remove unnecessary checks.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_tls13_client.c | 31 -------------------------------
 1 file changed, 31 deletions(-)

diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 1abe09e5e..5b7a14a28 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1683,12 +1683,6 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
         {
             case MBEDTLS_TLS_EXT_COOKIE:
 
-                if( !is_hrr )
-                {
-                    fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
-                    goto cleanup;
-                }
-
                 ret = ssl_tls13_parse_cookie_ext( ssl,
                                                   p, extension_data_end );
                 if( ret != 0 )
@@ -1711,11 +1705,6 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
             case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) );
-                if( is_hrr )
-                {
-                    fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
-                    goto cleanup;
-                }
 
                 if( ( ret = ssl_tls13_parse_server_pre_shared_key_ext(
                                 ssl, p, extension_data_end ) ) != 0 )
@@ -1765,18 +1754,6 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
     MBEDTLS_SSL_TLS1_3_PRINT_EXTS(
         3, is_hrr ? "HelloRetryRequest" : "ServerHello", extensions_present );
 
-    /* RFC 8446 page 102
-     * -  "supported_versions" is REQUIRED for all ClientHello, ServerHello, and
-     *    HelloRetryRequest messages.
-     */
-    if( ( extensions_present & MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) == 0 )
-    {
-        MBEDTLS_SSL_DEBUG_MSG( 1,
-                    ( "%s: supported_versions not found",
-                      is_hrr ? "hello retry request" : "server hello" ) );
-        fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
-    }
-
 cleanup:
 
     if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT )
@@ -2277,14 +2254,6 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
             return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
         }
 
-        if( extensions_present & extension_mask )
-        {
-            MBEDTLS_SSL_DEBUG_MSG( 3,
-                ( "Duplicate %s extensions found",
-                    mbedtls_tls13_get_extension_name( extension_type ) ) );
-            goto decode_error;
-
-        }
         extensions_present |= extension_mask;
 
         switch( extension_type )

From 9872eb2d691602f51fae5629c2ff606666c25f80 Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Mon, 29 Aug 2022 13:42:01 +0800
Subject: [PATCH 019/159] change return type for unexpected extension

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_tls13_client.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 5b7a14a28..2e0599d00 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1740,12 +1740,13 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
                 break;
 
             default:
-                MBEDTLS_SSL_DEBUG_MSG( 3,
-                    ( "%s: ignore %s(%u) extension",
+                MBEDTLS_SSL_DEBUG_MSG( 2,
+                    ( "%s: unexpected extension (%s(%u)) received .",
                       is_hrr ? "hello retry request" : "server hello",
                       mbedtls_tls13_get_extension_name( extension_type ),
                       extension_type ) );
-                break;
+                ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+                goto cleanup;
         }
 
         p += extension_data_len;

From ffa15827933a9fcc5af5fb39155a4650e56bb48d Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Mon, 29 Aug 2022 15:19:42 +0800
Subject: [PATCH 020/159] move get_extension mask

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_misc.h          | 81 +------------------------------------
 library/ssl_tls13_generic.c | 74 +++++++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+), 79 deletions(-)

diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index aaa910fc8..10ebfff98 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -1927,88 +1927,11 @@ static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl )
           MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
 
 /*
- * Helper functions to check if the extension is allowed or forbiden
+ * Helper functions for extensions checking and convert.
  */
-static inline int mbedtls_ssl_tls13_has_extensions( mbedtls_ssl_context *ssl,
-                                                    int extensions_mask )
-{
-    int masked = ssl->handshake->extensions_present & extensions_mask;
-    return( masked != 0 );
-}
 
-static inline int mbedtls_tls13_get_extension_mask( uint16_t extension_type )
-{
-    switch( extension_type )
-    {
-        case MBEDTLS_TLS_EXT_SERVERNAME:
-            return( MBEDTLS_SSL_EXT_SERVERNAME );
+uint32_t mbedtls_tls13_get_extension_mask( uint16_t extension_type );
 
-        case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
-            return( MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH );
-
-        case MBEDTLS_TLS_EXT_STATUS_REQUEST:
-            return( MBEDTLS_SSL_EXT_STATUS_REQUEST );
-
-        case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
-            return( MBEDTLS_SSL_EXT_SUPPORTED_GROUPS );
-
-        case MBEDTLS_TLS_EXT_SIG_ALG:
-            return( MBEDTLS_SSL_EXT_SIG_ALG );
-
-        case MBEDTLS_TLS_EXT_USE_SRTP:
-            return( MBEDTLS_SSL_EXT_USE_SRTP );
-
-        case MBEDTLS_TLS_EXT_HEARTBEAT:
-            return( MBEDTLS_SSL_EXT_HEARTBEAT );
-
-        case MBEDTLS_TLS_EXT_ALPN:
-            return( MBEDTLS_SSL_EXT_ALPN );
-
-        case MBEDTLS_TLS_EXT_SCT:
-            return( MBEDTLS_SSL_EXT_SCT );
-
-        case MBEDTLS_TLS_EXT_CLI_CERT_TYPE:
-            return( MBEDTLS_SSL_EXT_CLI_CERT_TYPE );
-
-        case MBEDTLS_TLS_EXT_SERV_CERT_TYPE:
-            return( MBEDTLS_SSL_EXT_SERV_CERT_TYPE );
-
-        case MBEDTLS_TLS_EXT_PADDING:
-            return( MBEDTLS_SSL_EXT_PADDING );
-
-        case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
-            return( MBEDTLS_SSL_EXT_PRE_SHARED_KEY );
-
-        case MBEDTLS_TLS_EXT_EARLY_DATA:
-            return( MBEDTLS_SSL_EXT_EARLY_DATA );
-
-        case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
-            return( MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS );
-
-        case MBEDTLS_TLS_EXT_COOKIE:
-            return( MBEDTLS_SSL_EXT_COOKIE );
-
-        case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
-            return( MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES );
-
-        case MBEDTLS_TLS_EXT_CERT_AUTH:
-            return( MBEDTLS_SSL_EXT_CERT_AUTH );
-
-        case MBEDTLS_TLS_EXT_OID_FILTERS:
-            return( MBEDTLS_SSL_EXT_OID_FILTERS );
-
-        case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH:
-            return( MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH );
-
-        case MBEDTLS_TLS_EXT_SIG_ALG_CERT:
-            return( MBEDTLS_SSL_EXT_SIG_ALG_CERT );
-
-        case MBEDTLS_TLS_EXT_KEY_SHARE:
-            return( MBEDTLS_SSL_EXT_KEY_SHARE );
-    };
-
-    return( MBEDTLS_SSL_EXT_UNRECOGNIZED );
-}
 
 /*
  * Helper functions to check the selected key exchange mode.
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index bd56666a9..5eac1f1b1 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1542,6 +1542,80 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
 }
 #endif /* MBEDTLS_ECDH_C */
 
+uint32_t mbedtls_tls13_get_extension_mask( uint16_t extension_type )
+{
+    switch( extension_type )
+    {
+        case MBEDTLS_TLS_EXT_SERVERNAME:
+            return( MBEDTLS_SSL_EXT_SERVERNAME );
+
+        case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
+            return( MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH );
+
+        case MBEDTLS_TLS_EXT_STATUS_REQUEST:
+            return( MBEDTLS_SSL_EXT_STATUS_REQUEST );
+
+        case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
+            return( MBEDTLS_SSL_EXT_SUPPORTED_GROUPS );
+
+        case MBEDTLS_TLS_EXT_SIG_ALG:
+            return( MBEDTLS_SSL_EXT_SIG_ALG );
+
+        case MBEDTLS_TLS_EXT_USE_SRTP:
+            return( MBEDTLS_SSL_EXT_USE_SRTP );
+
+        case MBEDTLS_TLS_EXT_HEARTBEAT:
+            return( MBEDTLS_SSL_EXT_HEARTBEAT );
+
+        case MBEDTLS_TLS_EXT_ALPN:
+            return( MBEDTLS_SSL_EXT_ALPN );
+
+        case MBEDTLS_TLS_EXT_SCT:
+            return( MBEDTLS_SSL_EXT_SCT );
+
+        case MBEDTLS_TLS_EXT_CLI_CERT_TYPE:
+            return( MBEDTLS_SSL_EXT_CLI_CERT_TYPE );
+
+        case MBEDTLS_TLS_EXT_SERV_CERT_TYPE:
+            return( MBEDTLS_SSL_EXT_SERV_CERT_TYPE );
+
+        case MBEDTLS_TLS_EXT_PADDING:
+            return( MBEDTLS_SSL_EXT_PADDING );
+
+        case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
+            return( MBEDTLS_SSL_EXT_PRE_SHARED_KEY );
+
+        case MBEDTLS_TLS_EXT_EARLY_DATA:
+            return( MBEDTLS_SSL_EXT_EARLY_DATA );
+
+        case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
+            return( MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS );
+
+        case MBEDTLS_TLS_EXT_COOKIE:
+            return( MBEDTLS_SSL_EXT_COOKIE );
+
+        case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
+            return( MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES );
+
+        case MBEDTLS_TLS_EXT_CERT_AUTH:
+            return( MBEDTLS_SSL_EXT_CERT_AUTH );
+
+        case MBEDTLS_TLS_EXT_OID_FILTERS:
+            return( MBEDTLS_SSL_EXT_OID_FILTERS );
+
+        case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH:
+            return( MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH );
+
+        case MBEDTLS_TLS_EXT_SIG_ALG_CERT:
+            return( MBEDTLS_SSL_EXT_SIG_ALG_CERT );
+
+        case MBEDTLS_TLS_EXT_KEY_SHARE:
+            return( MBEDTLS_SSL_EXT_KEY_SHARE );
+    };
+
+    return( MBEDTLS_SSL_EXT_UNRECOGNIZED );
+}
+
 #if defined(MBEDTLS_DEBUG_C)
 const char *mbedtls_tls13_get_extension_name( uint16_t extension_type )
 {

From 0c354a211bed62b86e8c00b6eb806e16e0dc563a Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Mon, 29 Aug 2022 15:25:36 +0800
Subject: [PATCH 021/159] introduce sent/recv extensions field

And remove `extensions_present`

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_client.c        |  24 ++++-
 library/ssl_debug_helpers.h |   6 +-
 library/ssl_misc.h          |  17 +++-
 library/ssl_tls.c           |   8 +-
 library/ssl_tls13_client.c  | 189 +++++++++++++++---------------------
 library/ssl_tls13_generic.c | 118 +++++++++++++++++-----
 library/ssl_tls13_server.c  |  64 ++++--------
 7 files changed, 235 insertions(+), 191 deletions(-)

diff --git a/library/ssl_client.c b/library/ssl_client.c
index d9c678159..b0d2dcf3c 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -106,6 +106,14 @@ static int ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
 
     *olen = hostname_len + 9;
 
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+    mbedtls_tls13_set_sent_ext_mask( ssl,
+                                     MBEDTLS_TLS_EXT_SERVERNAME );
+    MBEDTLS_SSL_DEBUG_MSG(
+        4, ( "sent %s extension",
+             mbedtls_tls13_get_extension_name(
+                 MBEDTLS_TLS_EXT_SERVERNAME ) ) );
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
     return( 0 );
 }
 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
@@ -177,6 +185,14 @@ static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
     /* Extension length = *out_len - 2 (ext_type) - 2 (ext_len) */
     MBEDTLS_PUT_UINT16_BE( *out_len - 4, buf, 2 );
 
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+    mbedtls_tls13_set_sent_ext_mask( ssl,
+                                     MBEDTLS_TLS_EXT_ALPN );
+    MBEDTLS_SSL_DEBUG_MSG(
+        4, ( "sent %s extension",
+             mbedtls_tls13_get_extension_name(
+                 MBEDTLS_TLS_EXT_ALPN ) ) );
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
     return( 0 );
 }
 #endif /* MBEDTLS_SSL_ALPN */
@@ -296,7 +312,11 @@ static int ssl_write_supported_groups_ext( mbedtls_ssl_context *ssl,
     *out_len = p - buf;
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-    ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_GROUPS;
+    mbedtls_tls13_set_sent_ext_mask( ssl,
+                                     MBEDTLS_TLS_EXT_SUPPORTED_GROUPS );
+    MBEDTLS_SSL_DEBUG_MSG( 4, ( "sent %s extension",
+                                mbedtls_tls13_get_extension_name(
+                                    MBEDTLS_TLS_EXT_SUPPORTED_GROUPS ) ) );
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
 
     return( 0 );
@@ -557,7 +577,7 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl,
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
     /* Keeping track of the included extensions */
-    handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
+    handshake->sent_extensions = MBEDTLS_SSL_EXT_NONE;
 #endif
 
     /* First write extensions, then the total length */
diff --git a/library/ssl_debug_helpers.h b/library/ssl_debug_helpers.h
index 07e8c7103..6b97bc652 100644
--- a/library/ssl_debug_helpers.h
+++ b/library/ssl_debug_helpers.h
@@ -52,12 +52,12 @@ const char *mbedtls_tls13_get_extension_name( uint16_t extension_type );
 
 void mbedtls_ssl_tls13_print_extensions( const mbedtls_ssl_context *ssl,
                                          int level, const char *file, int line,
-                                         const char *hs_msg_name,
+                                         int hs_msg_type,
                                          uint32_t extensions_present );
 
-#define MBEDTLS_SSL_TLS1_3_PRINT_EXTS( level, hs_msg_name, extensions_present ) \
+#define MBEDTLS_SSL_TLS1_3_PRINT_EXTS( level, hs_msg_type, extensions_present ) \
             mbedtls_ssl_tls13_print_extensions( \
-                ssl, level, __FILE__, __LINE__, hs_msg_name, extensions_present )
+                ssl, level, __FILE__, __LINE__, hs_msg_type, extensions_present )
 #else
 
 #define MBEDTLS_SSL_TLS1_3_PRINT_EXTS( level, hs_msg_name, extensions_present )
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 10ebfff98..b7f1440bb 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -946,9 +946,8 @@ struct mbedtls_ssl_handshake_params
 #endif
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-    uint32_t extensions_present;        /*!< extension presence; Each bitfield
-                                             represents an extension and defined
-                                             as \c MBEDTLS_SSL_EXT_XXX */
+    uint32_t sent_extensions;       /*!< extensions sent by endpoint */
+    uint32_t received_extensions;   /*!< extensions received by endpoint */
 
 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
     unsigned char certificate_request_context_len;
@@ -1932,6 +1931,18 @@ static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl )
 
 uint32_t mbedtls_tls13_get_extension_mask( uint16_t extension_type );
 
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_tls13_check_received_extensions( mbedtls_ssl_context *ssl,
+                                             int hs_msg_type,
+                                             uint32_t extension_type,
+                                             uint32_t allowed_mask );
+
+static inline void mbedtls_tls13_set_sent_ext_mask( mbedtls_ssl_context *ssl,
+                                                    uint16_t extension_type )
+{
+    ssl->handshake->sent_extensions |=
+        mbedtls_tls13_get_extension_mask( extension_type );
+}
 
 /*
  * Helper functions to check the selected key exchange mode.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index a49f774ed..9947d39d8 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -8713,8 +8713,14 @@ int mbedtls_ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf,
     *out_len = p - buf;
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-    ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG;
+    mbedtls_tls13_set_sent_ext_mask( ssl,
+                                     MBEDTLS_TLS_EXT_SIG_ALG );
+    MBEDTLS_SSL_DEBUG_MSG(
+        4, ( "sent %s extension",
+             mbedtls_tls13_get_extension_name(
+                MBEDTLS_TLS_EXT_SIG_ALG ) ) );
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
     return( 0 );
 }
 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 2e0599d00..c29b90ee3 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -89,7 +89,12 @@ static int ssl_tls13_write_supported_versions_ext( mbedtls_ssl_context *ssl,
     }
 
     *out_len = 5 + versions_len;
-
+    mbedtls_tls13_set_sent_ext_mask( ssl,
+                                     MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS );
+    MBEDTLS_SSL_DEBUG_MSG(
+        4, ( "sent %s extension",
+             mbedtls_tls13_get_extension_name(
+                 MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS ) ) );
     return( 0 );
 }
 
@@ -360,7 +365,13 @@ static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
 
     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, key_share extension", buf, *out_len );
 
-    ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE;
+    mbedtls_tls13_set_sent_ext_mask( ssl,
+                                     MBEDTLS_TLS_EXT_KEY_SHARE );
+    MBEDTLS_SSL_DEBUG_MSG(
+        4, ( "sent %s extension",
+
+             mbedtls_tls13_get_extension_name(
+                 MBEDTLS_TLS_EXT_KEY_SHARE ) ) );
 
 cleanup:
 
@@ -513,7 +524,6 @@ static int ssl_tls13_parse_key_share_ext( mbedtls_ssl_context *ssl,
     else
         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
 
-    ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE;
     return( ret );
 }
 
@@ -601,6 +611,13 @@ static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl,
 
     *out_len = handshake->hrr_cookie_len + 6;
 
+
+    mbedtls_tls13_set_sent_ext_mask( ssl,
+                                     MBEDTLS_TLS_EXT_COOKIE );
+    MBEDTLS_SSL_DEBUG_MSG(
+        4, ( "sent %s extension",
+             mbedtls_tls13_get_extension_name(
+                 MBEDTLS_TLS_EXT_COOKIE ) ) );
     return( 0 );
 }
 
@@ -670,7 +687,13 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl,
     buf[4] = ke_modes_len;
 
     *out_len = p - buf;
-    ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES;
+
+    mbedtls_tls13_set_sent_ext_mask( ssl,
+                                     MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES );
+    MBEDTLS_SSL_DEBUG_MSG(
+        4, ( "sent %s extension",
+             mbedtls_tls13_get_extension_name(
+                 MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES ) ) );
     return ( 0 );
 }
 
@@ -982,8 +1005,6 @@ int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
 
     MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key identities", buf, p - buf );
 
-    ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
-
     return( 0 );
 }
 
@@ -1038,6 +1059,13 @@ int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
 
     MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key binders", buf, p - buf );
 
+    mbedtls_tls13_set_sent_ext_mask( ssl,
+                                     MBEDTLS_TLS_EXT_PRE_SHARED_KEY );
+    MBEDTLS_SSL_DEBUG_MSG(
+        4, ( "sent %s extension",
+             mbedtls_tls13_get_extension_name(
+                 MBEDTLS_TLS_EXT_PRE_SHARED_KEY ) ) );
+
     return( 0 );
 }
 
@@ -1110,8 +1138,6 @@ static int ssl_tls13_parse_server_pre_shared_key_ext( mbedtls_ssl_context *ssl,
         return( ret );
     }
 
-    ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
-
     return( 0 );
 }
 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
@@ -1389,7 +1415,7 @@ static int ssl_tls13_preprocess_server_hello( mbedtls_ssl_context *ssl,
     ssl->session_negotiate->tls_version = ssl->tls_version;
 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
 
-    handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
+    handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
 
     ret = ssl_server_hello_is_hrr( ssl, buf, end );
     switch( ret )
@@ -1496,10 +1522,10 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
     mbedtls_ssl_handshake_params *handshake = ssl->handshake;
     size_t extensions_len;
     const unsigned char *extensions_end;
-    uint32_t extensions_present, allowed_extension_mask;
     uint16_t cipher_suite;
     const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
     int fatal_alert = 0;
+    uint32_t allowed_extensions_mask;
 
     /*
      * Check there is space for minimal fields
@@ -1642,8 +1668,8 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
 
     MBEDTLS_SSL_DEBUG_BUF( 3, "server hello extensions", p, extensions_len );
 
-    extensions_present = MBEDTLS_SSL_EXT_NONE;
-    allowed_extension_mask = is_hrr ?
+    ssl->handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
+    allowed_extensions_mask = is_hrr ?
                                   MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR :
                                   MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH;
 
@@ -1661,23 +1687,14 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
         extension_data_end = p + extension_data_len;
 
-        /* RFC 8446 page 35
-         *
-         * If an implementation receives an extension which it recognizes and which
-         * is not specified for the message in which it appears, it MUST abort the
-         * handshake with an "illegal_parameter" alert.
-         */
-        extensions_present |= mbedtls_tls13_get_extension_mask( extension_type );
-        MBEDTLS_SSL_DEBUG_MSG( 3,
-                    ( "%s: received %s(%u) extension",
-                      is_hrr ? "hello retry request" : "server hello",
-                      mbedtls_tls13_get_extension_name( extension_type ),
-                      extension_type ) );
-        if( ( extensions_present & allowed_extension_mask ) == 0 )
-        {
-            fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
-            goto cleanup;
-        }
+        ret = mbedtls_tls13_check_received_extensions(
+                  ssl,
+                  is_hrr ?
+                      -MBEDTLS_SSL_HS_SERVER_HELLO : MBEDTLS_SSL_HS_SERVER_HELLO,
+                  extension_type,
+                  allowed_extensions_mask );
+        if( ret != 0 )
+            return( ret );
 
         switch( extension_type )
         {
@@ -1740,11 +1757,6 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
                 break;
 
             default:
-                MBEDTLS_SSL_DEBUG_MSG( 2,
-                    ( "%s: unexpected extension (%s(%u)) received .",
-                      is_hrr ? "hello retry request" : "server hello",
-                      mbedtls_tls13_get_extension_name( extension_type ),
-                      extension_type ) );
                 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
                 goto cleanup;
         }
@@ -1753,7 +1765,8 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
     }
 
     MBEDTLS_SSL_TLS1_3_PRINT_EXTS(
-        3, is_hrr ? "HelloRetryRequest" : "ServerHello", extensions_present );
+        3, is_hrr ? -MBEDTLS_SSL_HS_SERVER_HELLO : MBEDTLS_SSL_HS_SERVER_HELLO,
+        ssl->handshake->received_extensions );
 
 cleanup:
 
@@ -1803,7 +1816,7 @@ static int ssl_tls13_postprocess_server_hello( mbedtls_ssl_context *ssl )
      * 3) If only the key_share extension was received then the key
      *    exchange mode is EPHEMERAL-only.
      */
-    switch( handshake->extensions_present &
+    switch( handshake->received_extensions &
             ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ) )
     {
         /* Only the pre_shared_key extension was received */
@@ -1986,7 +1999,6 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
     size_t extensions_len;
     const unsigned char *p = buf;
     const unsigned char *extensions_end;
-    uint32_t extensions_present;
 
     MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
     extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
@@ -1996,7 +2008,7 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
     MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
     extensions_end = p + extensions_len;
 
-    extensions_present = MBEDTLS_SSL_EXT_NONE;
+    ssl->handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
 
     while( p < extensions_end )
     {
@@ -2016,26 +2028,11 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
 
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
 
-        /* RFC 8446 page 35
-         *
-         * If an implementation receives an extension which it recognizes and which
-         * is not specified for the message in which it appears, it MUST abort the
-         * handshake with an "illegal_parameter" alert.
-         */
-        extensions_present |= mbedtls_tls13_get_extension_mask( extension_type );
-        MBEDTLS_SSL_DEBUG_MSG( 3,
-                    ( "encrypted extensions : received %s(%u) extension",
-                      mbedtls_tls13_get_extension_name( extension_type ),
-                      extension_type ) );
-        if( ( extensions_present & MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE ) == 0 )
-        {
-            MBEDTLS_SSL_DEBUG_MSG(
-                3, ( "forbidden extension received." ) );
-            MBEDTLS_SSL_PEND_FATAL_ALERT(
-                MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
-                MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
-            return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
-        }
+        ret = mbedtls_tls13_check_received_extensions(
+                  ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, extension_type,
+                  MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE );
+        if( ret != 0 )
+            return( ret );
 
         switch( extension_type )
         {
@@ -2071,7 +2068,8 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
         p += extension_data_len;
     }
 
-    MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, "EncrypedExtensions", extensions_present );
+    MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
+                                   ssl->handshake->received_extensions );
 
     /* Check that we consumed all the message. */
     if( p != end )
@@ -2178,7 +2176,6 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
     size_t certificate_request_context_len = 0;
     size_t extensions_len = 0;
     const unsigned char *extensions_end;
-    uint32_t extensions_present;
 
     /* ...
      * opaque certificate_request_context<0..2^8-1>
@@ -2218,13 +2215,12 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
     MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
     extensions_end = p + extensions_len;
 
-    extensions_present = MBEDTLS_SSL_EXT_NONE;
+    ssl->handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
 
     while( p < extensions_end )
     {
         unsigned int extension_type;
         size_t extension_data_len;
-        uint32_t extension_mask;
 
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
         extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
@@ -2233,29 +2229,11 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
 
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
 
-        /* RFC 8446 page 35
-         *
-         * If an implementation receives an extension which it recognizes and which
-         * is not specified for the message in which it appears, it MUST abort the
-         * handshake with an "illegal_parameter" alert.
-         */
-        extension_mask = mbedtls_tls13_get_extension_mask( extension_type );
-
-        MBEDTLS_SSL_DEBUG_MSG( 3,
-                    ( "encrypted extensions : received %s(%u) extension",
-                      mbedtls_tls13_get_extension_name( extension_type ),
-                      extension_type ) );
-        if( ( extension_mask & MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR ) == 0 )
-        {
-            MBEDTLS_SSL_DEBUG_MSG(
-                3, ( "forbidden extension received." ) );
-            MBEDTLS_SSL_PEND_FATAL_ALERT(
-                MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
-                MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
-            return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
-        }
-
-        extensions_present |= extension_mask;
+        ret = mbedtls_tls13_check_received_extensions(
+                  ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, extension_type,
+                  MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR );
+        if( ret != 0 )
+            return( ret );
 
         switch( extension_type )
         {
@@ -2280,7 +2258,9 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
         p += extension_data_len;
     }
 
-    MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, "CertificateRequest", extensions_present );
+    MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3,
+                                   MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
+                                   ssl->handshake->received_extensions );
 
     /* Check that we consumed all the message. */
     if( p != end )
@@ -2290,11 +2270,11 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
         goto decode_error;
     }
 
-    /* RFC 8446 page 60
+    /* RFC 8446 section 4.3.2
      *
      * The "signature_algorithms" extension MUST be specified
      */
-    if( ( extensions_present & MBEDTLS_SSL_EXT_SIG_ALG ) == 0 )
+    if( ( ssl->handshake->received_extensions & MBEDTLS_SSL_EXT_SIG_ALG ) == 0 )
     {
         MBEDTLS_SSL_DEBUG_MSG( 3,
             ( "no signature algorithms extension found" ) );
@@ -2535,16 +2515,15 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
                                                     const unsigned char *end )
 {
     const unsigned char *p = buf;
-    uint32_t extensions_present;
 
-    ((void) ssl);
 
-    extensions_present = MBEDTLS_SSL_EXT_NONE;
+    ssl->handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
 
     while( p < end )
     {
         unsigned int extension_type;
         size_t extension_data_len;
+        int ret;
 
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
         extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
@@ -2553,26 +2532,11 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
 
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extension_data_len );
 
-        /* RFC 8446 page 35
-         *
-         * If an implementation receives an extension which it recognizes and which
-         * is not specified for the message in which it appears, it MUST abort the
-         * handshake with an "illegal_parameter" alert.
-         */
-        extensions_present |= mbedtls_tls13_get_extension_mask( extension_type );
-        MBEDTLS_SSL_DEBUG_MSG( 3,
-                    ( "NewSessionTicket : received %s(%u) extension",
-                      mbedtls_tls13_get_extension_name( extension_type ),
-                      extension_type ) );
-        if( ( extensions_present & MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST ) == 0 )
-        {
-            MBEDTLS_SSL_DEBUG_MSG(
-                3, ( "forbidden extension received." ) );
-            MBEDTLS_SSL_PEND_FATAL_ALERT(
-                MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
-                MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
-            return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
-        }
+        ret = mbedtls_tls13_check_received_extensions(
+                  ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, extension_type,
+                  MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH );
+        if( ret != 0 )
+            return( ret );
 
         switch( extension_type )
         {
@@ -2591,7 +2555,8 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
         p +=  extension_data_len;
     }
 
-    MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, "NewSessionTicket", extensions_present );
+    MBEDTLS_SSL_TLS1_3_PRINT_EXTS(
+        3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, ssl->handshake->received_extensions );
 
     return( 0 );
 }
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 5eac1f1b1..7b66be1c7 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -448,7 +448,6 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
     {
         size_t cert_data_len, extensions_len;
         const unsigned char *extensions_end;
-        uint32_t extensions_present;
 
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 3 );
         cert_data_len = MBEDTLS_GET_UINT24_BE( p, 0 );
@@ -508,7 +507,7 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len );
 
         extensions_end = p + extensions_len;
-        extensions_present = MBEDTLS_SSL_EXT_NONE;
+        ssl->handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
 
         while( p < extensions_end )
         {
@@ -528,26 +527,12 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
 
             MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
 
-            /* RFC 8446 page 35
-             *
-             * If an implementation receives an extension which it recognizes and
-             * which is not specified for the message in which it appears, it MUST
-             * abort the handshake with an "illegal_parameter" alert.
-             */
-            extensions_present |= mbedtls_tls13_get_extension_mask( extension_type );
-            MBEDTLS_SSL_DEBUG_MSG( 3,
-                        ( "encrypted extensions : received %s(%u) extension",
-                        mbedtls_tls13_get_extension_name( extension_type ),
-                        extension_type ) );
-            if( ( extensions_present & MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT ) == 0 )
-            {
-                MBEDTLS_SSL_DEBUG_MSG(
-                    3, ( "forbidden extension received." ) );
-                MBEDTLS_SSL_PEND_FATAL_ALERT(
-                    MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
-                    MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
-                return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
-            }
+            ret = mbedtls_tls13_check_received_extensions(
+                  ssl, MBEDTLS_SSL_HS_CERTIFICATE, extension_type,
+                  MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT );
+            if( ret != 0 )
+                return( ret );
+
             switch( extension_type )
             {
                 default:
@@ -561,7 +546,8 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
             p += extension_data_len;
         }
 
-        MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, "Certificate", extensions_present );
+        MBEDTLS_SSL_TLS1_3_PRINT_EXTS(
+            3, MBEDTLS_SSL_HS_CERTIFICATE, ssl->handshake->received_extensions );
     }
 
 exit:
@@ -1691,9 +1677,31 @@ const char *mbedtls_tls13_get_extension_name( uint16_t extension_type )
     return( "unknown" );
 }
 
+static const char *ssl_tls13_get_hs_msg_name( int hs_msg_type )
+{
+    switch( hs_msg_type )
+    {
+        case MBEDTLS_SSL_HS_CLIENT_HELLO:
+            return( "ClientHello" );
+        case MBEDTLS_SSL_HS_SERVER_HELLO:
+            return( "ServerHello" );
+        case -MBEDTLS_SSL_HS_SERVER_HELLO: // HRR does not have IANA value.
+            return( "HelloRetryRequest" );
+        case MBEDTLS_SSL_HS_NEW_SESSION_TICKET:
+            return( "NewSessionTicket" );
+        case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
+            return( "EncryptedExtensions" );
+        case MBEDTLS_SSL_HS_CERTIFICATE:
+            return( "Certificate" );
+        case MBEDTLS_SSL_HS_CERTIFICATE_REQUEST:
+            return( "CertificateRequest" );
+    }
+    return( NULL );
+}
+
 void mbedtls_ssl_tls13_print_extensions( const mbedtls_ssl_context *ssl,
                                          int level, const char *file, int line,
-                                         const char *hs_msg_name,
+                                         int hs_msg_type,
                                          uint32_t extensions_present )
 {
     static const struct{
@@ -1724,7 +1732,8 @@ void mbedtls_ssl_tls13_print_extensions( const mbedtls_ssl_context *ssl,
             { MBEDTLS_SSL_EXT_KEY_SHARE, "key_share" } };
 
     mbedtls_debug_print_msg( ssl, level, file, line,
-                             "extension list of %s:", hs_msg_name );
+                             "extension list of %s:",
+                             ssl_tls13_get_hs_msg_name( hs_msg_type ) );
 
     for( unsigned i = 0;
          i < sizeof( mask_to_str_table ) / sizeof( mask_to_str_table[0] );
@@ -1742,4 +1751,63 @@ void mbedtls_ssl_tls13_print_extensions( const mbedtls_ssl_context *ssl,
 
 #endif /* MBEDTLS_DEBUG_C */
 
+/* RFC 8446 section 4.2
+ *
+ * If an implementation receives an extension which it recognizes and which is
+ * not specified for the message in which it appears, it MUST abort the handshake
+ * with an "illegal_parameter" alert.
+ *
+ */
+
+int mbedtls_tls13_check_received_extensions( mbedtls_ssl_context *ssl,
+                                             int hs_msg_type,
+                                             uint32_t extension_type,
+                                             uint32_t allowed_mask )
+{
+    uint32_t extension_mask;
+
+#if defined(MBEDTLS_DEBUG_C)
+    const char *hs_msg_name = ssl_tls13_get_hs_msg_name( hs_msg_type );
+#endif
+
+    extension_mask = mbedtls_tls13_get_extension_mask( extension_type );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3,
+                ( "%s : received %s(%x) extension",
+                  hs_msg_name,
+                  mbedtls_tls13_get_extension_name( extension_type ),
+                  (unsigned int)extension_type ) );
+
+    if( ( extension_mask & allowed_mask ) == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG(
+            3, ( "%s : forbidden extension received.", hs_msg_name ) );
+        MBEDTLS_SSL_PEND_FATAL_ALERT(
+            MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+            MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+    }
+
+    ssl->handshake->received_extensions |= extension_mask;
+    switch( hs_msg_type )
+    {
+        case MBEDTLS_SSL_HS_SERVER_HELLO:
+        case -MBEDTLS_SSL_HS_SERVER_HELLO: // HRR does not have IANA value.
+        case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
+        case MBEDTLS_SSL_HS_CERTIFICATE:
+            if( ( ~ssl->handshake->sent_extensions & extension_mask ) == 0 )
+                return( 0 );
+            break;
+        default:
+            return( 0 );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG(
+            3, ( "%s : forbidden extension received.", hs_msg_name ) );
+    MBEDTLS_SSL_PEND_FATAL_ALERT(
+        MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
+        MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+    return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+}
+
 #endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 32f64d73c..4fdd6ade8 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -930,7 +930,7 @@ MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_client_hello_has_exts( mbedtls_ssl_context *ssl,
                                             int exts_mask )
 {
-    int masked = ssl->handshake->extensions_present & exts_mask;
+    int masked = ssl->handshake->received_extensions & exts_mask;
     return( masked == exts_mask );
 }
 
@@ -1239,7 +1239,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
     const unsigned char *cipher_suites_end;
     size_t extensions_len;
     const unsigned char *extensions_end;
-    uint32_t extensions_present;
     int hrr_required = 0;
 
 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
@@ -1248,8 +1247,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
     const unsigned char *pre_shared_key_ext_end = NULL;
 #endif
 
-    extensions_present = MBEDTLS_SSL_EXT_NONE;
-
     /*
      * ClientHello layout:
      *     0  .   1   protocol version
@@ -1419,20 +1416,23 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
 
     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", p, extensions_len );
 
+    ssl->handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
+
     while( p < extensions_end )
     {
         unsigned int extension_type;
         size_t extension_data_len;
         const unsigned char *extension_data_end;
 
-        /* RFC 8446, page 57
+        /* RFC 8446, section 4.2.11
          *
          * The "pre_shared_key" extension MUST be the last extension in the
          * ClientHello (this facilitates implementation as described below).
          * Servers MUST check that it is the last extension and otherwise fail
          * the handshake with an "illegal_parameter" alert.
          */
-        if( extensions_present & MBEDTLS_SSL_EXT_PRE_SHARED_KEY )
+        if( ssl->handshake->received_extensions &
+            mbedtls_tls13_get_extension_mask( MBEDTLS_TLS_EXT_PRE_SHARED_KEY ) )
         {
             MBEDTLS_SSL_DEBUG_MSG(
                 3, ( "pre_shared_key is not last extension." ) );
@@ -1450,26 +1450,11 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
         extension_data_end = p + extension_data_len;
 
-        /* RFC 8446 page 35
-         *
-         * If an implementation receives an extension which it recognizes and which
-         * is not specified for the message in which it appears, it MUST abort the
-         * handshake with an "illegal_parameter" alert.
-         */
-        extensions_present |= mbedtls_tls13_get_extension_mask( extension_type );
-        MBEDTLS_SSL_DEBUG_MSG( 3,
-                    ( "client hello : received %s(%u) extension",
-                      mbedtls_tls13_get_extension_name( extension_type ),
-                      extension_type ) );
-        if( ( extensions_present & MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH ) == 0 )
-        {
-            MBEDTLS_SSL_DEBUG_MSG(
-                3, ( "forbidden extension received." ) );
-            MBEDTLS_SSL_PEND_FATAL_ALERT(
-                MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
-                MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
-            return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
-        }
+        ret = mbedtls_tls13_check_received_extensions(
+                  ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, extension_type,
+                  MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH );
+        if( ret != 0 )
+            return( ret );
 
         switch( extension_type )
         {
@@ -1569,7 +1554,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
 
             case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) );
-                if( ( extensions_present &
+                if( ( ssl->handshake->received_extensions &
                       MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) == 0 )
                 {
                     MBEDTLS_SSL_PEND_FATAL_ALERT(
@@ -1622,26 +1607,14 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
                     ( "client hello: received %s(%u) extension ( ignored )",
                       mbedtls_tls13_get_extension_name( extension_type ),
                       extension_type ) );
+                break;
         }
 
         p += extension_data_len;
     }
 
-    MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, "ClientHello", extensions_present );
-
-    /* RFC 8446 page 102
-     * -  "supported_versions" is REQUIRED for all ClientHello, ServerHello, and
-     *    HelloRetryRequest messages.
-     */
-    if( ( extensions_present & MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) == 0 )
-    {
-        MBEDTLS_SSL_DEBUG_MSG( 1,
-                    ( "client hello: supported_versions not found" ) );
-        MBEDTLS_SSL_PEND_FATAL_ALERT(
-                MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION,
-                MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
-        return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
-    }
+    MBEDTLS_SSL_TLS1_3_PRINT_EXTS(
+        3, MBEDTLS_SSL_HS_CLIENT_HELLO, ssl->handshake->received_extensions );
 
     mbedtls_ssl_add_hs_hdr_to_checksum( ssl,
                                         MBEDTLS_SSL_HS_CLIENT_HELLO,
@@ -1655,7 +1628,8 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
     /* If we've settled on a PSK-based exchange, parse PSK identity ext */
     if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) &&
         mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) &&
-        ( ssl->handshake->extensions_present & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) )
+        ( ssl->handshake->received_extensions &
+          MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) )
     {
         ssl->handshake->update_checksum( ssl, buf,
                                          pre_shared_key_ext - buf );
@@ -1666,7 +1640,8 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
                                                   cipher_suites_end );
         if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
         {
-            extensions_present &= ~MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
+            ssl->handshake->received_extensions &=
+                                ~MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
         }
         else if( ret != 0 )
         {
@@ -1681,7 +1656,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
         ssl->handshake->update_checksum( ssl, buf, p - buf );
     }
 
-    ssl->handshake->extensions_present = extensions_present;
     ret = ssl_tls13_determine_key_exchange_mode( ssl );
     if( ret < 0 )
         return( ret );

From 03112ae0228e2031eb01c8fc70a0df371ddb2191 Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Tue, 30 Aug 2022 16:27:17 +0800
Subject: [PATCH 022/159] change input extension_type

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_misc.h          | 2 +-
 library/ssl_tls13_generic.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index b7f1440bb..dad1c82a1 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -1929,7 +1929,7 @@ static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl )
  * Helper functions for extensions checking and convert.
  */
 
-uint32_t mbedtls_tls13_get_extension_mask( uint16_t extension_type );
+uint32_t mbedtls_tls13_get_extension_mask( unsigned int extension_type );
 
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_tls13_check_received_extensions( mbedtls_ssl_context *ssl,
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 7b66be1c7..2fbcdf063 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1528,7 +1528,7 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
 }
 #endif /* MBEDTLS_ECDH_C */
 
-uint32_t mbedtls_tls13_get_extension_mask( uint16_t extension_type )
+uint32_t mbedtls_tls13_get_extension_mask( unsigned int extension_type )
 {
     switch( extension_type )
     {

From c4bf5d658e47f6b0d6b73e4ab851a074b92681ae Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Sat, 29 Oct 2022 09:08:47 +0800
Subject: [PATCH 023/159] fix various issues

- Signature of
  - mbedtls_tls13_set_hs_sent_ext_mask
  - check_received_extension and issues
- Also fix comment issue.
- improve readablity.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_client.c        |  9 ++----
 library/ssl_misc.h          | 24 ++++++++-------
 library/ssl_tls.c           |  3 +-
 library/ssl_tls13_client.c  | 58 +++++++++++++++----------------------
 library/ssl_tls13_generic.c | 50 +++++++++++++++++---------------
 library/ssl_tls13_server.c  | 34 ++++++++++------------
 6 files changed, 84 insertions(+), 94 deletions(-)

diff --git a/library/ssl_client.c b/library/ssl_client.c
index b0d2dcf3c..16cef0204 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -107,8 +107,7 @@ static int ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
     *olen = hostname_len + 9;
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-    mbedtls_tls13_set_sent_ext_mask( ssl,
-                                     MBEDTLS_TLS_EXT_SERVERNAME );
+    mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_SERVERNAME );
     MBEDTLS_SSL_DEBUG_MSG(
         4, ( "sent %s extension",
              mbedtls_tls13_get_extension_name(
@@ -186,8 +185,7 @@ static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
     MBEDTLS_PUT_UINT16_BE( *out_len - 4, buf, 2 );
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-    mbedtls_tls13_set_sent_ext_mask( ssl,
-                                     MBEDTLS_TLS_EXT_ALPN );
+    mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_ALPN );
     MBEDTLS_SSL_DEBUG_MSG(
         4, ( "sent %s extension",
              mbedtls_tls13_get_extension_name(
@@ -312,8 +310,7 @@ static int ssl_write_supported_groups_ext( mbedtls_ssl_context *ssl,
     *out_len = p - buf;
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-    mbedtls_tls13_set_sent_ext_mask( ssl,
-                                     MBEDTLS_TLS_EXT_SUPPORTED_GROUPS );
+    mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_SUPPORTED_GROUPS );
     MBEDTLS_SSL_DEBUG_MSG( 4, ( "sent %s extension",
                                 mbedtls_tls13_get_extension_name(
                                     MBEDTLS_TLS_EXT_SUPPORTED_GROUPS ) ) );
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index dad1c82a1..3aeab0cd8 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -103,11 +103,12 @@
 #define MBEDTLS_SSL_EXT_SIG_ALG_CERT                ( 1 << 20 )
 #define MBEDTLS_SSL_EXT_KEY_SHARE                   ( 1 << 21 )
 
-/* For request messages, we should just ignore unrecognized extension when
- * parsing messages. For response messages, we should not ignore unrecognized
- * extension when parsing messages. Request messages include ClientHello,
- * Certificate and NewSessionTicket. Response messages include ServerHello,
- * EncryptExtensions, Certificate and HelloRetryRequest.
+/* In messages containing extension requests, we should ignore unrecognized
+ * extensions. In messages containing extension responses, unrecognized
+ * extensions should result in handshake abortion. Messages containing
+ * extension requests include ClientHello, CertificateRequest and
+ * NewSessionTicket. Messages containing extension responses include
+ * ServerHello, HelloRetryRequest, EncryptedExtensions and Certificate.
  *
  * RFC 8446 section 4.1.3
  *
@@ -1932,13 +1933,14 @@ static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl )
 uint32_t mbedtls_tls13_get_extension_mask( unsigned int extension_type );
 
 MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_tls13_check_received_extensions( mbedtls_ssl_context *ssl,
-                                             int hs_msg_type,
-                                             uint32_t extension_type,
-                                             uint32_t allowed_mask );
+int mbedtls_ssl_tls13_check_received_extension(
+        mbedtls_ssl_context *ssl,
+        int hs_msg_type,
+        unsigned int received_extension_type,
+        uint32_t hs_msg_allowed_extensions_mask );
 
-static inline void mbedtls_tls13_set_sent_ext_mask( mbedtls_ssl_context *ssl,
-                                                    uint16_t extension_type )
+static inline void mbedtls_ssl_tls13_set_hs_sent_ext_mask(
+                       mbedtls_ssl_context *ssl, unsigned int extension_type )
 {
     ssl->handshake->sent_extensions |=
         mbedtls_tls13_get_extension_mask( extension_type );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 9947d39d8..3678ec0bd 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -8713,8 +8713,7 @@ int mbedtls_ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf,
     *out_len = p - buf;
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-    mbedtls_tls13_set_sent_ext_mask( ssl,
-                                     MBEDTLS_TLS_EXT_SIG_ALG );
+    mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_SIG_ALG );
     MBEDTLS_SSL_DEBUG_MSG(
         4, ( "sent %s extension",
              mbedtls_tls13_get_extension_name(
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index c29b90ee3..27747a209 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -89,8 +89,8 @@ static int ssl_tls13_write_supported_versions_ext( mbedtls_ssl_context *ssl,
     }
 
     *out_len = 5 + versions_len;
-    mbedtls_tls13_set_sent_ext_mask( ssl,
-                                     MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS );
+    mbedtls_ssl_tls13_set_hs_sent_ext_mask(
+        ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS );
     MBEDTLS_SSL_DEBUG_MSG(
         4, ( "sent %s extension",
              mbedtls_tls13_get_extension_name(
@@ -365,8 +365,7 @@ static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
 
     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, key_share extension", buf, *out_len );
 
-    mbedtls_tls13_set_sent_ext_mask( ssl,
-                                     MBEDTLS_TLS_EXT_KEY_SHARE );
+    mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_KEY_SHARE );
     MBEDTLS_SSL_DEBUG_MSG(
         4, ( "sent %s extension",
 
@@ -612,8 +611,7 @@ static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl,
     *out_len = handshake->hrr_cookie_len + 6;
 
 
-    mbedtls_tls13_set_sent_ext_mask( ssl,
-                                     MBEDTLS_TLS_EXT_COOKIE );
+    mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_COOKIE );
     MBEDTLS_SSL_DEBUG_MSG(
         4, ( "sent %s extension",
              mbedtls_tls13_get_extension_name(
@@ -688,8 +686,8 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl,
 
     *out_len = p - buf;
 
-    mbedtls_tls13_set_sent_ext_mask( ssl,
-                                     MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES );
+    mbedtls_ssl_tls13_set_hs_sent_ext_mask(
+        ssl, MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES );
     MBEDTLS_SSL_DEBUG_MSG(
         4, ( "sent %s extension",
              mbedtls_tls13_get_extension_name(
@@ -1059,8 +1057,8 @@ int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
 
     MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key binders", buf, p - buf );
 
-    mbedtls_tls13_set_sent_ext_mask( ssl,
-                                     MBEDTLS_TLS_EXT_PRE_SHARED_KEY );
+    mbedtls_ssl_tls13_set_hs_sent_ext_mask(
+        ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY );
     MBEDTLS_SSL_DEBUG_MSG(
         4, ( "sent %s extension",
              mbedtls_tls13_get_extension_name(
@@ -1668,7 +1666,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
 
     MBEDTLS_SSL_DEBUG_BUF( 3, "server hello extensions", p, extensions_len );
 
-    ssl->handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
+    handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
     allowed_extensions_mask = is_hrr ?
                                   MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR :
                                   MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH;
@@ -1687,7 +1685,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
         extension_data_end = p + extension_data_len;
 
-        ret = mbedtls_tls13_check_received_extensions(
+        ret = mbedtls_ssl_tls13_check_received_extension(
                   ssl,
                   is_hrr ?
                       -MBEDTLS_SSL_HS_SERVER_HELLO : MBEDTLS_SSL_HS_SERVER_HELLO,
@@ -1766,7 +1764,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
 
     MBEDTLS_SSL_TLS1_3_PRINT_EXTS(
         3, is_hrr ? -MBEDTLS_SSL_HS_SERVER_HELLO : MBEDTLS_SSL_HS_SERVER_HELLO,
-        ssl->handshake->received_extensions );
+        handshake->received_extensions );
 
 cleanup:
 
@@ -1999,6 +1997,7 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
     size_t extensions_len;
     const unsigned char *p = buf;
     const unsigned char *extensions_end;
+    mbedtls_ssl_handshake_params *handshake = ssl->handshake;
 
     MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
     extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
@@ -2008,7 +2007,7 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
     MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
     extensions_end = p + extensions_len;
 
-    ssl->handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
+    handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
 
     while( p < extensions_end )
     {
@@ -2028,7 +2027,7 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
 
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
 
-        ret = mbedtls_tls13_check_received_extensions(
+        ret = mbedtls_ssl_tls13_check_received_extension(
                   ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, extension_type,
                   MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE );
         if( ret != 0 )
@@ -2036,16 +2035,6 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
 
         switch( extension_type )
         {
-            case MBEDTLS_TLS_EXT_SERVERNAME:
-                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found server_name extension" ) );
-
-                /* The server_name extension should be an empty extension */
-
-                break;
-            case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
-                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extensions supported groups" ) );
-                break;
-
 #if defined(MBEDTLS_SSL_ALPN)
             case MBEDTLS_TLS_EXT_ALPN:
                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
@@ -2069,7 +2058,7 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
     }
 
     MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
-                                   ssl->handshake->received_extensions );
+                                   handshake->received_extensions );
 
     /* Check that we consumed all the message. */
     if( p != end )
@@ -2176,6 +2165,7 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
     size_t certificate_request_context_len = 0;
     size_t extensions_len = 0;
     const unsigned char *extensions_end;
+    mbedtls_ssl_handshake_params *handshake = ssl->handshake;
 
     /* ...
      * opaque certificate_request_context<0..2^8-1>
@@ -2191,7 +2181,6 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
         MBEDTLS_SSL_DEBUG_BUF( 3, "Certificate Request Context",
                                p, certificate_request_context_len );
 
-        mbedtls_ssl_handshake_params *handshake = ssl->handshake;
         handshake->certificate_request_context =
                 mbedtls_calloc( 1, certificate_request_context_len );
         if( handshake->certificate_request_context == NULL )
@@ -2215,7 +2204,7 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
     MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
     extensions_end = p + extensions_len;
 
-    ssl->handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
+    handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
 
     while( p < extensions_end )
     {
@@ -2229,7 +2218,7 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
 
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
 
-        ret = mbedtls_tls13_check_received_extensions(
+        ret = mbedtls_ssl_tls13_check_received_extension(
                   ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, extension_type,
                   MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR );
         if( ret != 0 )
@@ -2260,7 +2249,7 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
 
     MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3,
                                    MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
-                                   ssl->handshake->received_extensions );
+                                   handshake->received_extensions );
 
     /* Check that we consumed all the message. */
     if( p != end )
@@ -2274,7 +2263,7 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
      *
      * The "signature_algorithms" extension MUST be specified
      */
-    if( ( ssl->handshake->received_extensions & MBEDTLS_SSL_EXT_SIG_ALG ) == 0 )
+    if( ( handshake->received_extensions & MBEDTLS_SSL_EXT_SIG_ALG ) == 0 )
     {
         MBEDTLS_SSL_DEBUG_MSG( 3,
             ( "no signature algorithms extension found" ) );
@@ -2514,10 +2503,11 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
                                                     const unsigned char *buf,
                                                     const unsigned char *end )
 {
+    mbedtls_ssl_handshake_params *handshake = ssl->handshake;
     const unsigned char *p = buf;
 
 
-    ssl->handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
+    handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
 
     while( p < end )
     {
@@ -2532,7 +2522,7 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
 
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extension_data_len );
 
-        ret = mbedtls_tls13_check_received_extensions(
+        ret = mbedtls_ssl_tls13_check_received_extension(
                   ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, extension_type,
                   MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH );
         if( ret != 0 )
@@ -2556,7 +2546,7 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
     }
 
     MBEDTLS_SSL_TLS1_3_PRINT_EXTS(
-        3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, ssl->handshake->received_extensions );
+        3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, handshake->received_extensions );
 
     return( 0 );
 }
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 2fbcdf063..21644ede4 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -398,6 +398,7 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
     size_t certificate_list_len = 0;
     const unsigned char *p = buf;
     const unsigned char *certificate_list_end;
+    mbedtls_ssl_handshake_params *handshake = ssl->handshake;
 
     MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
     certificate_request_context_len = p[0];
@@ -507,7 +508,7 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len );
 
         extensions_end = p + extensions_len;
-        ssl->handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
+        handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
 
         while( p < extensions_end )
         {
@@ -527,9 +528,9 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
 
             MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
 
-            ret = mbedtls_tls13_check_received_extensions(
-                  ssl, MBEDTLS_SSL_HS_CERTIFICATE, extension_type,
-                  MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT );
+            ret = mbedtls_ssl_tls13_check_received_extension(
+                      ssl, MBEDTLS_SSL_HS_CERTIFICATE, extension_type,
+                      MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT );
             if( ret != 0 )
                 return( ret );
 
@@ -547,7 +548,7 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
         }
 
         MBEDTLS_SSL_TLS1_3_PRINT_EXTS(
-            3, MBEDTLS_SSL_HS_CERTIFICATE, ssl->handshake->received_extensions );
+            3, MBEDTLS_SSL_HS_CERTIFICATE, handshake->received_extensions );
     }
 
 exit:
@@ -555,7 +556,7 @@ exit:
     if( p != end )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
-        MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
+        MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
                                       MBEDTLS_ERR_SSL_DECODE_ERROR );
         return( MBEDTLS_ERR_SSL_DECODE_ERROR );
     }
@@ -1759,43 +1760,46 @@ void mbedtls_ssl_tls13_print_extensions( const mbedtls_ssl_context *ssl,
  *
  */
 
-int mbedtls_tls13_check_received_extensions( mbedtls_ssl_context *ssl,
-                                             int hs_msg_type,
-                                             uint32_t extension_type,
-                                             uint32_t allowed_mask )
+int mbedtls_ssl_tls13_check_received_extension(
+        mbedtls_ssl_context *ssl,
+        int hs_msg_type,
+        unsigned int received_extension_type,
+        uint32_t hs_msg_allowed_extensions_mask )
 {
-    uint32_t extension_mask;
-
 #if defined(MBEDTLS_DEBUG_C)
     const char *hs_msg_name = ssl_tls13_get_hs_msg_name( hs_msg_type );
 #endif
-
-    extension_mask = mbedtls_tls13_get_extension_mask( extension_type );
+    uint32_t extension_mask = mbedtls_tls13_get_extension_mask( received_extension_type );
 
     MBEDTLS_SSL_DEBUG_MSG( 3,
                 ( "%s : received %s(%x) extension",
                   hs_msg_name,
-                  mbedtls_tls13_get_extension_name( extension_type ),
-                  (unsigned int)extension_type ) );
+                  mbedtls_tls13_get_extension_name( received_extension_type ),
+                  (unsigned int)received_extension_type ) );
 
-    if( ( extension_mask & allowed_mask ) == 0 )
+    if( ( extension_mask & hs_msg_allowed_extensions_mask ) == 0 )
     {
         MBEDTLS_SSL_DEBUG_MSG(
             3, ( "%s : forbidden extension received.", hs_msg_name ) );
         MBEDTLS_SSL_PEND_FATAL_ALERT(
             MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
-            MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
-        return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+            MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+        return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
     }
 
     ssl->handshake->received_extensions |= extension_mask;
+    /*
+     * If it is a message containing extension responses, check that we
+     * previously sent the extension.
+     */
     switch( hs_msg_type )
     {
         case MBEDTLS_SSL_HS_SERVER_HELLO:
         case -MBEDTLS_SSL_HS_SERVER_HELLO: // HRR does not have IANA value.
         case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
         case MBEDTLS_SSL_HS_CERTIFICATE:
-            if( ( ~ssl->handshake->sent_extensions & extension_mask ) == 0 )
+            /* Check if the received extension is sent by peer message.*/
+            if( ( ssl->handshake->sent_extensions & extension_mask ) != 0 )
                 return( 0 );
             break;
         default:
@@ -1803,11 +1807,11 @@ int mbedtls_tls13_check_received_extensions( mbedtls_ssl_context *ssl,
     }
 
     MBEDTLS_SSL_DEBUG_MSG(
-            3, ( "%s : forbidden extension received.", hs_msg_name ) );
+            3, ( "%s : unexpected extension received.", hs_msg_name ) );
     MBEDTLS_SSL_PEND_FATAL_ALERT(
         MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
-        MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
-    return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+        MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
+    return( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
 }
 
 #endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 4fdd6ade8..f0f06b81a 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1239,6 +1239,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
     const unsigned char *cipher_suites_end;
     size_t extensions_len;
     const unsigned char *extensions_end;
+    mbedtls_ssl_handshake_params *handshake = ssl->handshake;
     int hrr_required = 0;
 
 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
@@ -1304,7 +1305,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes",
                            p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
 
-    memcpy( &ssl->handshake->randbytes[0], p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
+    memcpy( &handshake->randbytes[0], p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
     p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
 
     /* ...
@@ -1374,13 +1375,13 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
             continue;
 
         ssl->session_negotiate->ciphersuite = cipher_suite;
-        ssl->handshake->ciphersuite_info = ciphersuite_info;
+        handshake->ciphersuite_info = ciphersuite_info;
         MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %04x - %s",
                                     cipher_suite,
                                     ciphersuite_info->name ) );
     }
 
-    if( ssl->handshake->ciphersuite_info == NULL )
+    if( handshake->ciphersuite_info == NULL )
     {
         MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
                                       MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
@@ -1416,7 +1417,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
 
     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", p, extensions_len );
 
-    ssl->handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
+    handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
 
     while( p < extensions_end )
     {
@@ -1431,8 +1432,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
          * Servers MUST check that it is the last extension and otherwise fail
          * the handshake with an "illegal_parameter" alert.
          */
-        if( ssl->handshake->received_extensions &
-            mbedtls_tls13_get_extension_mask( MBEDTLS_TLS_EXT_PRE_SHARED_KEY ) )
+        if( handshake->received_extensions & MBEDTLS_SSL_EXT_PRE_SHARED_KEY )
         {
             MBEDTLS_SSL_DEBUG_MSG(
                 3, ( "pre_shared_key is not last extension." ) );
@@ -1450,7 +1450,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
         extension_data_end = p + extension_data_len;
 
-        ret = mbedtls_tls13_check_received_extensions(
+        ret = mbedtls_ssl_tls13_check_received_extension(
                   ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, extension_type,
                   MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH );
         if( ret != 0 )
@@ -1554,13 +1554,13 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
 
             case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) );
-                if( ( ssl->handshake->received_extensions &
+                if( ( handshake->received_extensions &
                       MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) == 0 )
                 {
                     MBEDTLS_SSL_PEND_FATAL_ALERT(
                         MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
-                        MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
-                    return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+                        MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+                    return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
                 }
 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
                 /* Delay processing of the PSK identity once we have
@@ -1614,7 +1614,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
     }
 
     MBEDTLS_SSL_TLS1_3_PRINT_EXTS(
-        3, MBEDTLS_SSL_HS_CLIENT_HELLO, ssl->handshake->received_extensions );
+        3, MBEDTLS_SSL_HS_CLIENT_HELLO, handshake->received_extensions );
 
     mbedtls_ssl_add_hs_hdr_to_checksum( ssl,
                                         MBEDTLS_SSL_HS_CLIENT_HELLO,
@@ -1628,10 +1628,9 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
     /* If we've settled on a PSK-based exchange, parse PSK identity ext */
     if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) &&
         mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) &&
-        ( ssl->handshake->received_extensions &
-          MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) )
+        ( handshake->received_extensions & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) )
     {
-        ssl->handshake->update_checksum( ssl, buf,
+        handshake->update_checksum( ssl, buf,
                                          pre_shared_key_ext - buf );
         ret = ssl_tls13_parse_pre_shared_key_ext( ssl,
                                                   pre_shared_key_ext,
@@ -1640,8 +1639,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
                                                   cipher_suites_end );
         if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
         {
-            ssl->handshake->received_extensions &=
-                                ~MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
+            handshake->received_extensions &= ~MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
         }
         else if( ret != 0 )
         {
@@ -1653,14 +1651,14 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
     else
 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
     {
-        ssl->handshake->update_checksum( ssl, buf, p - buf );
+        handshake->update_checksum( ssl, buf, p - buf );
     }
 
     ret = ssl_tls13_determine_key_exchange_mode( ssl );
     if( ret < 0 )
         return( ret );
 
-    mbedtls_ssl_optimize_checksum( ssl, ssl->handshake->ciphersuite_info );
+    mbedtls_ssl_optimize_checksum( ssl, handshake->ciphersuite_info );
 
     return( hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK );
 }

From 7a485c1fdf02b6370c1a96eec44700243c31dcee Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Mon, 31 Oct 2022 13:08:18 +0800
Subject: [PATCH 024/159] Add ext id and utilities

- Remove `MBEDTLS_SSL_EXT_*`
- Add macros and functions for translating iana identifer.
- Add internal identity for extension

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_misc.h          | 67 +++++++++++++++-----------
 library/ssl_tls.c           | 95 +++++++++++++++++++++++++++++++++++++
 library/ssl_tls13_generic.c | 74 -----------------------------
 3 files changed, 134 insertions(+), 102 deletions(-)

diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 3aeab0cd8..8bd98b3c4 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -75,33 +75,46 @@
 #define MBEDTLS_SSL_RENEGOTIATION_PENDING       3   /* Requested (server only) */
 
 /*
- * Mask of TLS 1.3 handshake extensions used in extensions_present
- * of mbedtls_ssl_handshake_params.
+ * Inernal identity of handshake extensions
  */
-#define MBEDTLS_SSL_EXT_NONE                        0
+#define MBEDTLS_SSL_EXT_ID_UNRECOGNIZED                0
+#define MBEDTLS_SSL_EXT_ID_SERVERNAME                  1
+#define MBEDTLS_SSL_EXT_ID_SERVERNAME_HOSTNAME         1
+#define MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH         2
+#define MBEDTLS_SSL_EXT_ID_STATUS_REQUEST              3
+#define MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS            4
+#define MBEDTLS_SSL_EXT_ID_SUPPORTED_ELLIPTIC_CURVES   4
+#define MBEDTLS_SSL_EXT_ID_SIG_ALG                     5
+#define MBEDTLS_SSL_EXT_ID_USE_SRTP                    6
+#define MBEDTLS_SSL_EXT_ID_HEARTBEAT                   7
+#define MBEDTLS_SSL_EXT_ID_ALPN                        8
+#define MBEDTLS_SSL_EXT_ID_SCT                         9
+#define MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE              10
+#define MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE             11
+#define MBEDTLS_SSL_EXT_ID_PADDING                    12
+#define MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY             13
+#define MBEDTLS_SSL_EXT_ID_EARLY_DATA                 14
+#define MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS         15
+#define MBEDTLS_SSL_EXT_ID_COOKIE                     16
+#define MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES     17
+#define MBEDTLS_SSL_EXT_ID_CERT_AUTH                  18
+#define MBEDTLS_SSL_EXT_ID_OID_FILTERS                19
+#define MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH        20
+#define MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT               21
+#define MBEDTLS_SSL_EXT_ID_KEY_SHARE                  22
+#define MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC             23
+#define MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS    24
+#define MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC           25
+#define MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET     26
+#define MBEDTLS_SSL_EXT_ID_SESSION_TICKET             27
 
-#define MBEDTLS_SSL_EXT_SERVERNAME                  ( 1 <<  0 )
-#define MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH         ( 1 <<  1 )
-#define MBEDTLS_SSL_EXT_STATUS_REQUEST              ( 1 <<  2 )
-#define MBEDTLS_SSL_EXT_SUPPORTED_GROUPS            ( 1 <<  3 )
-#define MBEDTLS_SSL_EXT_SIG_ALG                     ( 1 <<  4 )
-#define MBEDTLS_SSL_EXT_USE_SRTP                    ( 1 <<  5 )
-#define MBEDTLS_SSL_EXT_HEARTBEAT                   ( 1 <<  6 )
-#define MBEDTLS_SSL_EXT_ALPN                        ( 1 <<  7 )
-#define MBEDTLS_SSL_EXT_SCT                         ( 1 <<  8 )
-#define MBEDTLS_SSL_EXT_CLI_CERT_TYPE               ( 1 <<  9 )
-#define MBEDTLS_SSL_EXT_SERV_CERT_TYPE              ( 1 << 10 )
-#define MBEDTLS_SSL_EXT_PADDING                     ( 1 << 11 )
-#define MBEDTLS_SSL_EXT_PRE_SHARED_KEY              ( 1 << 12 )
-#define MBEDTLS_SSL_EXT_EARLY_DATA                  ( 1 << 13 )
-#define MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS          ( 1 << 14 )
-#define MBEDTLS_SSL_EXT_COOKIE                      ( 1 << 15 )
-#define MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES      ( 1 << 16 )
-#define MBEDTLS_SSL_EXT_CERT_AUTH                   ( 1 << 17 )
-#define MBEDTLS_SSL_EXT_OID_FILTERS                 ( 1 << 18 )
-#define MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH         ( 1 << 19 )
-#define MBEDTLS_SSL_EXT_SIG_ALG_CERT                ( 1 << 20 )
-#define MBEDTLS_SSL_EXT_KEY_SHARE                   ( 1 << 21 )
+/* Utility for translating IANA extension type. */
+uint32_t mbedtls_ssl_get_extension_id( unsigned int extension_type );
+uint32_t mbedtls_ssl_get_extension_mask( unsigned int extension_type );
+/* Macros used to define mask constants */
+#define MBEDTLS_SSL_EXT_MASK( id )       ( 1ULL << ( MBEDTLS_SSL_EXT_ID_##id ) )
+/* Reset value of extension mask */
+#define MBEDTLS_SSL_EXT_MASK_NONE                                              0
 
 /* In messages containing extension requests, we should ignore unrecognized
  * extensions. In messages containing extension responses, unrecognized
@@ -1930,8 +1943,6 @@ static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl )
  * Helper functions for extensions checking and convert.
  */
 
-uint32_t mbedtls_tls13_get_extension_mask( unsigned int extension_type );
-
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_tls13_check_received_extension(
         mbedtls_ssl_context *ssl,
@@ -1943,7 +1954,7 @@ static inline void mbedtls_ssl_tls13_set_hs_sent_ext_mask(
                        mbedtls_ssl_context *ssl, unsigned int extension_type )
 {
     ssl->handshake->sent_extensions |=
-        mbedtls_tls13_get_extension_mask( extension_type );
+        mbedtls_ssl_get_extension_mask( extension_type );
 }
 
 /*
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 3678ec0bd..b3210c415 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -521,6 +521,101 @@ static void ssl_clear_peer_cert( mbedtls_ssl_session *session )
 }
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
+uint32_t mbedtls_ssl_get_extension_id( unsigned int extension_type )
+{
+    switch( extension_type )
+    {
+        case MBEDTLS_TLS_EXT_SERVERNAME:
+            return( MBEDTLS_SSL_EXT_ID_SERVERNAME );
+
+        case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
+            return( MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH );
+
+        case MBEDTLS_TLS_EXT_STATUS_REQUEST:
+            return( MBEDTLS_SSL_EXT_ID_STATUS_REQUEST );
+
+        case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
+            return( MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS );
+
+        case MBEDTLS_TLS_EXT_SIG_ALG:
+            return( MBEDTLS_SSL_EXT_ID_SIG_ALG );
+
+        case MBEDTLS_TLS_EXT_USE_SRTP:
+            return( MBEDTLS_SSL_EXT_ID_USE_SRTP );
+
+        case MBEDTLS_TLS_EXT_HEARTBEAT:
+            return( MBEDTLS_SSL_EXT_ID_HEARTBEAT );
+
+        case MBEDTLS_TLS_EXT_ALPN:
+            return( MBEDTLS_SSL_EXT_ID_ALPN );
+
+        case MBEDTLS_TLS_EXT_SCT:
+            return( MBEDTLS_SSL_EXT_ID_SCT );
+
+        case MBEDTLS_TLS_EXT_CLI_CERT_TYPE:
+            return( MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE );
+
+        case MBEDTLS_TLS_EXT_SERV_CERT_TYPE:
+            return( MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE );
+
+        case MBEDTLS_TLS_EXT_PADDING:
+            return( MBEDTLS_SSL_EXT_ID_PADDING );
+
+        case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
+            return( MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY );
+
+        case MBEDTLS_TLS_EXT_EARLY_DATA:
+            return( MBEDTLS_SSL_EXT_ID_EARLY_DATA );
+
+        case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
+            return( MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS );
+
+        case MBEDTLS_TLS_EXT_COOKIE:
+            return( MBEDTLS_SSL_EXT_ID_COOKIE );
+
+        case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
+            return( MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES );
+
+        case MBEDTLS_TLS_EXT_CERT_AUTH:
+            return( MBEDTLS_SSL_EXT_ID_CERT_AUTH );
+
+        case MBEDTLS_TLS_EXT_OID_FILTERS:
+            return( MBEDTLS_SSL_EXT_ID_OID_FILTERS );
+
+        case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH:
+            return( MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH );
+
+        case MBEDTLS_TLS_EXT_SIG_ALG_CERT:
+            return( MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT );
+
+        case MBEDTLS_TLS_EXT_KEY_SHARE:
+            return( MBEDTLS_SSL_EXT_ID_KEY_SHARE );
+
+        case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
+            return( MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC );
+
+        case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
+            return( MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS );
+
+        case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
+            return( MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC );
+
+        case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
+            return( MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET );
+
+        case MBEDTLS_TLS_EXT_SESSION_TICKET:
+            return( MBEDTLS_SSL_EXT_ID_SESSION_TICKET );
+
+    }
+
+    return( MBEDTLS_SSL_EXT_ID_UNRECOGNIZED );
+}
+
+uint32_t mbedtls_ssl_get_extension_mask( unsigned int extension_type )
+{
+    return( 1 << mbedtls_ssl_get_extension_id( extension_type ) );
+}
+
 void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
                             const mbedtls_ssl_ciphersuite_t *ciphersuite_info )
 {
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 21644ede4..a52b4ca69 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1529,80 +1529,6 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
 }
 #endif /* MBEDTLS_ECDH_C */
 
-uint32_t mbedtls_tls13_get_extension_mask( unsigned int extension_type )
-{
-    switch( extension_type )
-    {
-        case MBEDTLS_TLS_EXT_SERVERNAME:
-            return( MBEDTLS_SSL_EXT_SERVERNAME );
-
-        case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
-            return( MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH );
-
-        case MBEDTLS_TLS_EXT_STATUS_REQUEST:
-            return( MBEDTLS_SSL_EXT_STATUS_REQUEST );
-
-        case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
-            return( MBEDTLS_SSL_EXT_SUPPORTED_GROUPS );
-
-        case MBEDTLS_TLS_EXT_SIG_ALG:
-            return( MBEDTLS_SSL_EXT_SIG_ALG );
-
-        case MBEDTLS_TLS_EXT_USE_SRTP:
-            return( MBEDTLS_SSL_EXT_USE_SRTP );
-
-        case MBEDTLS_TLS_EXT_HEARTBEAT:
-            return( MBEDTLS_SSL_EXT_HEARTBEAT );
-
-        case MBEDTLS_TLS_EXT_ALPN:
-            return( MBEDTLS_SSL_EXT_ALPN );
-
-        case MBEDTLS_TLS_EXT_SCT:
-            return( MBEDTLS_SSL_EXT_SCT );
-
-        case MBEDTLS_TLS_EXT_CLI_CERT_TYPE:
-            return( MBEDTLS_SSL_EXT_CLI_CERT_TYPE );
-
-        case MBEDTLS_TLS_EXT_SERV_CERT_TYPE:
-            return( MBEDTLS_SSL_EXT_SERV_CERT_TYPE );
-
-        case MBEDTLS_TLS_EXT_PADDING:
-            return( MBEDTLS_SSL_EXT_PADDING );
-
-        case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
-            return( MBEDTLS_SSL_EXT_PRE_SHARED_KEY );
-
-        case MBEDTLS_TLS_EXT_EARLY_DATA:
-            return( MBEDTLS_SSL_EXT_EARLY_DATA );
-
-        case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
-            return( MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS );
-
-        case MBEDTLS_TLS_EXT_COOKIE:
-            return( MBEDTLS_SSL_EXT_COOKIE );
-
-        case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
-            return( MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES );
-
-        case MBEDTLS_TLS_EXT_CERT_AUTH:
-            return( MBEDTLS_SSL_EXT_CERT_AUTH );
-
-        case MBEDTLS_TLS_EXT_OID_FILTERS:
-            return( MBEDTLS_SSL_EXT_OID_FILTERS );
-
-        case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH:
-            return( MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH );
-
-        case MBEDTLS_TLS_EXT_SIG_ALG_CERT:
-            return( MBEDTLS_SSL_EXT_SIG_ALG_CERT );
-
-        case MBEDTLS_TLS_EXT_KEY_SHARE:
-            return( MBEDTLS_SSL_EXT_KEY_SHARE );
-    };
-
-    return( MBEDTLS_SSL_EXT_UNRECOGNIZED );
-}
-
 #if defined(MBEDTLS_DEBUG_C)
 const char *mbedtls_tls13_get_extension_name( uint16_t extension_type )
 {

From df0ad658a30e1a6a613852522fe322582666b49a Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Mon, 31 Oct 2022 13:20:57 +0800
Subject: [PATCH 025/159] tls13: Add allowed extesions constants.

- And refactor check_received_extension

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_misc.h          | 105 +++++++++++++++++++-----------------
 library/ssl_tls13_generic.c |  25 ++++-----
 2 files changed, 66 insertions(+), 64 deletions(-)

diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 8bd98b3c4..8ffdccb37 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -134,76 +134,83 @@ uint32_t mbedtls_ssl_get_extension_mask( unsigned int extension_type );
  * not specified for the message in which it appears, it MUST abort the handshake
  * with an "illegal_parameter" alert.
  */
-#define MBEDTLS_SSL_EXT_UNRECOGNIZED                ( 1U << 31 )
+
+/* Extensions that not recognized by TLS 1.3 */
+#define MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED                                \
+            ( MBEDTLS_SSL_EXT_MASK( SUPPORTED_POINT_FORMATS )                | \
+              MBEDTLS_SSL_EXT_MASK( ENCRYPT_THEN_MAC )                       | \
+              MBEDTLS_SSL_EXT_MASK( EXTENDED_MASTER_SECRET )                 | \
+              MBEDTLS_SSL_EXT_MASK( SESSION_TICKET )                         | \
+              MBEDTLS_SSL_EXT_MASK( UNRECOGNIZED ) )
 
 /* RFC 8446 section 4.2. Allowed extensions for ClienHello */
 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH                                  \
-            ( MBEDTLS_SSL_EXT_SERVERNAME                                     | \
-              MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH                            | \
-              MBEDTLS_SSL_EXT_STATUS_REQUEST                                 | \
-              MBEDTLS_SSL_EXT_SUPPORTED_GROUPS                               | \
-              MBEDTLS_SSL_EXT_SIG_ALG                                        | \
-              MBEDTLS_SSL_EXT_USE_SRTP                                       | \
-              MBEDTLS_SSL_EXT_HEARTBEAT                                      | \
-              MBEDTLS_SSL_EXT_ALPN                                           | \
-              MBEDTLS_SSL_EXT_SCT                                            | \
-              MBEDTLS_SSL_EXT_CLI_CERT_TYPE                                  | \
-              MBEDTLS_SSL_EXT_SERV_CERT_TYPE                                 | \
-              MBEDTLS_SSL_EXT_PADDING                                        | \
-              MBEDTLS_SSL_EXT_KEY_SHARE                                      | \
-              MBEDTLS_SSL_EXT_PRE_SHARED_KEY                                 | \
-              MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES                         | \
-              MBEDTLS_SSL_EXT_EARLY_DATA                                     | \
-              MBEDTLS_SSL_EXT_COOKIE                                         | \
-              MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS                             | \
-              MBEDTLS_SSL_EXT_CERT_AUTH                                      | \
-              MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH                            | \
-              MBEDTLS_SSL_EXT_SIG_ALG_CERT                                   | \
-              MBEDTLS_SSL_EXT_UNRECOGNIZED )
+            ( MBEDTLS_SSL_EXT_MASK( SERVERNAME )                             | \
+              MBEDTLS_SSL_EXT_MASK( MAX_FRAGMENT_LENGTH )                    | \
+              MBEDTLS_SSL_EXT_MASK( STATUS_REQUEST )                         | \
+              MBEDTLS_SSL_EXT_MASK( SUPPORTED_GROUPS )                       | \
+              MBEDTLS_SSL_EXT_MASK( SIG_ALG )                                | \
+              MBEDTLS_SSL_EXT_MASK( USE_SRTP )                               | \
+              MBEDTLS_SSL_EXT_MASK( HEARTBEAT )                              | \
+              MBEDTLS_SSL_EXT_MASK( ALPN )                                   | \
+              MBEDTLS_SSL_EXT_MASK( SCT )                                    | \
+              MBEDTLS_SSL_EXT_MASK( CLI_CERT_TYPE )                          | \
+              MBEDTLS_SSL_EXT_MASK( SERV_CERT_TYPE )                         | \
+              MBEDTLS_SSL_EXT_MASK( PADDING )                                | \
+              MBEDTLS_SSL_EXT_MASK( KEY_SHARE )                              | \
+              MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY )                         | \
+              MBEDTLS_SSL_EXT_MASK( PSK_KEY_EXCHANGE_MODES )                 | \
+              MBEDTLS_SSL_EXT_MASK( EARLY_DATA )                             | \
+              MBEDTLS_SSL_EXT_MASK( COOKIE )                                 | \
+              MBEDTLS_SSL_EXT_MASK( SUPPORTED_VERSIONS )                     | \
+              MBEDTLS_SSL_EXT_MASK( CERT_AUTH )                              | \
+              MBEDTLS_SSL_EXT_MASK( POST_HANDSHAKE_AUTH )                    | \
+              MBEDTLS_SSL_EXT_MASK( SIG_ALG_CERT )                           | \
+              MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED )
 
 /* RFC 8446 section 4.2. Allowed extensions for EncryptedExtensions */
 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE                                  \
-            ( MBEDTLS_SSL_EXT_SERVERNAME                                     | \
-              MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH                            | \
-              MBEDTLS_SSL_EXT_SUPPORTED_GROUPS                               | \
-              MBEDTLS_SSL_EXT_USE_SRTP                                       | \
-              MBEDTLS_SSL_EXT_HEARTBEAT                                      | \
-              MBEDTLS_SSL_EXT_ALPN                                           | \
-              MBEDTLS_SSL_EXT_CLI_CERT_TYPE                                  | \
-              MBEDTLS_SSL_EXT_SERV_CERT_TYPE                                 | \
-              MBEDTLS_SSL_EXT_EARLY_DATA )
+            ( MBEDTLS_SSL_EXT_MASK( SERVERNAME )                             | \
+              MBEDTLS_SSL_EXT_MASK( MAX_FRAGMENT_LENGTH )                    | \
+              MBEDTLS_SSL_EXT_MASK( SUPPORTED_GROUPS )                       | \
+              MBEDTLS_SSL_EXT_MASK( USE_SRTP )                               | \
+              MBEDTLS_SSL_EXT_MASK( HEARTBEAT )                              | \
+              MBEDTLS_SSL_EXT_MASK( ALPN )                                   | \
+              MBEDTLS_SSL_EXT_MASK( CLI_CERT_TYPE )                          | \
+              MBEDTLS_SSL_EXT_MASK( SERV_CERT_TYPE )                         | \
+              MBEDTLS_SSL_EXT_MASK( EARLY_DATA ) )
 
 /* RFC 8446 section 4.2. Allowed extensions for CertificateRequest */
 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR                                  \
-            ( MBEDTLS_SSL_EXT_STATUS_REQUEST                                 | \
-              MBEDTLS_SSL_EXT_SIG_ALG                                        | \
-              MBEDTLS_SSL_EXT_SCT                                            | \
-              MBEDTLS_SSL_EXT_CERT_AUTH                                      | \
-              MBEDTLS_SSL_EXT_OID_FILTERS                                    | \
-              MBEDTLS_SSL_EXT_SIG_ALG_CERT                                   | \
-              MBEDTLS_SSL_EXT_UNRECOGNIZED )
+            ( MBEDTLS_SSL_EXT_MASK( STATUS_REQUEST )                         | \
+              MBEDTLS_SSL_EXT_MASK( SIG_ALG )                                | \
+              MBEDTLS_SSL_EXT_MASK( SCT )                                    | \
+              MBEDTLS_SSL_EXT_MASK( CERT_AUTH )                              | \
+              MBEDTLS_SSL_EXT_MASK( OID_FILTERS )                            | \
+              MBEDTLS_SSL_EXT_MASK( SIG_ALG_CERT )                           | \
+              MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED )
 
 /* RFC 8446 section 4.2. Allowed extensions for Certificate */
 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT                                  \
-            ( MBEDTLS_SSL_EXT_STATUS_REQUEST                                 | \
-              MBEDTLS_SSL_EXT_SCT )
+            ( MBEDTLS_SSL_EXT_MASK( STATUS_REQUEST )                         | \
+              MBEDTLS_SSL_EXT_MASK( SCT ) )
 
 /* RFC 8446 section 4.2. Allowed extensions for ServerHello */
 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH                                  \
-            ( MBEDTLS_SSL_EXT_KEY_SHARE                                      | \
-              MBEDTLS_SSL_EXT_PRE_SHARED_KEY                                 | \
-              MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS )
+            ( MBEDTLS_SSL_EXT_MASK( KEY_SHARE )                              | \
+              MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY )                         | \
+              MBEDTLS_SSL_EXT_MASK( SUPPORTED_VERSIONS ) )
 
 /* RFC 8446 section 4.2. Allowed extensions for HelloRetryRequest */
 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR                                 \
-            ( MBEDTLS_SSL_EXT_KEY_SHARE                                      | \
-              MBEDTLS_SSL_EXT_COOKIE                                         | \
-              MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS )
+            ( MBEDTLS_SSL_EXT_MASK( KEY_SHARE )                              | \
+              MBEDTLS_SSL_EXT_MASK( COOKIE )                                 | \
+              MBEDTLS_SSL_EXT_MASK( SUPPORTED_VERSIONS ) )
 
 /* RFC 8446 section 4.2. Allowed extensions for NewSessionTicket */
 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST                                 \
-            ( MBEDTLS_SSL_EXT_EARLY_DATA                                     | \
-              MBEDTLS_SSL_EXT_UNRECOGNIZED )
+            ( MBEDTLS_SSL_EXT_MASK( EARLY_DATA )                             | \
+              MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED )
 
 /*
  * Helper macros for function call with return check.
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index a52b4ca69..1bbd7f033 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1685,28 +1685,22 @@ void mbedtls_ssl_tls13_print_extensions( const mbedtls_ssl_context *ssl,
  * with an "illegal_parameter" alert.
  *
  */
-
 int mbedtls_ssl_tls13_check_received_extension(
         mbedtls_ssl_context *ssl,
         int hs_msg_type,
         unsigned int received_extension_type,
         uint32_t hs_msg_allowed_extensions_mask )
 {
-#if defined(MBEDTLS_DEBUG_C)
-    const char *hs_msg_name = ssl_tls13_get_hs_msg_name( hs_msg_type );
-#endif
-    uint32_t extension_mask = mbedtls_tls13_get_extension_mask( received_extension_type );
+    uint32_t extension_mask = mbedtls_ssl_get_extension_mask(
+                                  received_extension_type );
 
-    MBEDTLS_SSL_DEBUG_MSG( 3,
-                ( "%s : received %s(%x) extension",
-                  hs_msg_name,
-                  mbedtls_tls13_get_extension_name( received_extension_type ),
-                  (unsigned int)received_extension_type ) );
+    MBEDTLS_SSL_PRINT_EXT_TYPE(
+        3, hs_msg_type, received_extension_type, "received" );
 
     if( ( extension_mask & hs_msg_allowed_extensions_mask ) == 0 )
     {
-        MBEDTLS_SSL_DEBUG_MSG(
-            3, ( "%s : forbidden extension received.", hs_msg_name ) );
+        MBEDTLS_SSL_PRINT_EXT_TYPE(
+            3, hs_msg_type, received_extension_type, "is illegal" );
         MBEDTLS_SSL_PEND_FATAL_ALERT(
             MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
             MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
@@ -1721,7 +1715,7 @@ int mbedtls_ssl_tls13_check_received_extension(
     switch( hs_msg_type )
     {
         case MBEDTLS_SSL_HS_SERVER_HELLO:
-        case -MBEDTLS_SSL_HS_SERVER_HELLO: // HRR does not have IANA value.
+        case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST:
         case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
         case MBEDTLS_SSL_HS_CERTIFICATE:
             /* Check if the received extension is sent by peer message.*/
@@ -1732,8 +1726,8 @@ int mbedtls_ssl_tls13_check_received_extension(
             return( 0 );
     }
 
-    MBEDTLS_SSL_DEBUG_MSG(
-            3, ( "%s : unexpected extension received.", hs_msg_name ) );
+    MBEDTLS_SSL_PRINT_EXT_TYPE(
+            3, hs_msg_type, received_extension_type, "is unsupported" );
     MBEDTLS_SSL_PEND_FATAL_ALERT(
         MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
         MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
@@ -1741,3 +1735,4 @@ int mbedtls_ssl_tls13_check_received_extension(
 }
 
 #endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */
+

From d25cab0327d40e05f5bd9ea84fb5cc61f820cdd8 Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Mon, 31 Oct 2022 12:48:30 +0800
Subject: [PATCH 026/159] Refactor debug helpers for exts and hs message

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_debug_helpers.h |  46 +++++++----
 library/ssl_misc.h          |   3 +
 library/ssl_tls.c           | 146 +++++++++++++++++++++++++++++++++++
 library/ssl_tls13_generic.c | 149 ------------------------------------
 4 files changed, 180 insertions(+), 164 deletions(-)

diff --git a/library/ssl_debug_helpers.h b/library/ssl_debug_helpers.h
index 6b97bc652..8fce87a98 100644
--- a/library/ssl_debug_helpers.h
+++ b/library/ssl_debug_helpers.h
@@ -43,27 +43,43 @@ const char *mbedtls_ssl_sig_alg_to_str( uint16_t in );
 
 const char *mbedtls_ssl_named_group_to_str( uint16_t in );
 
-#endif /* MBEDTLS_DEBUG_C */
+const char *mbedtls_ssl_get_extension_name( unsigned int extension_type );
 
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-#if defined(MBEDTLS_DEBUG_C)
+void mbedtls_ssl_print_extensions( const mbedtls_ssl_context *ssl,
+                                   int level, const char *file, int line,
+                                   int hs_msg_type, uint32_t extensions_mask,
+                                   const char *extra );
 
-const char *mbedtls_tls13_get_extension_name( uint16_t extension_type );
+void mbedtls_ssl_print_extension_type( const mbedtls_ssl_context *ssl,
+                                       int level, const char *file, int line,
+                                       int hs_msg_type,
+                                       unsigned int extension_type,
+                                       const char *extra_msg0,
+                                       const char *extra_msg1 );
 
-void mbedtls_ssl_tls13_print_extensions( const mbedtls_ssl_context *ssl,
-                                         int level, const char *file, int line,
-                                         int hs_msg_type,
-                                         uint32_t extensions_present );
+#define MBEDTLS_SSL_PRINT_SENT_EXTS( level, hs_msg_type )                       \
+            mbedtls_ssl_print_extensions( ssl, level, __FILE__, __LINE__,       \
+                                          hs_msg_type,                          \
+                                          ssl->handshake->sent_extensions,      \
+                                          "sent" )
 
-#define MBEDTLS_SSL_TLS1_3_PRINT_EXTS( level, hs_msg_type, extensions_present ) \
-            mbedtls_ssl_tls13_print_extensions( \
-                ssl, level, __FILE__, __LINE__, hs_msg_type, extensions_present )
+#define MBEDTLS_SSL_PRINT_RECEIVED_EXTS( level, hs_msg_type )                   \
+            mbedtls_ssl_print_extensions( ssl, level, __FILE__, __LINE__,       \
+                                          hs_msg_type,                          \
+                                          ssl->handshake->received_extensions,  \
+                                          "received" )
+
+#define MBEDTLS_SSL_PRINT_EXT_TYPE( level, hs_msg_type, extension_type, extra ) \
+            mbedtls_ssl_print_extension_type( ssl, level, __FILE__, __LINE__,   \
+                                    hs_msg_type, extension_type, extra, NULL )
 #else
 
-#define MBEDTLS_SSL_TLS1_3_PRINT_EXTS( level, hs_msg_name, extensions_present )
+#define MBEDTLS_SSL_PRINT_SENT_EXTS( level, hs_msg_type )
 
-#endif
+#define MBEDTLS_SSL_PRINT_RECEIVED_EXTS( level, hs_msg_type )
 
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+#define MBEDTLS_SSL_PRINT_EXT_TYPE( level, hs_msg_type, extension_type, extra )
 
-#endif /* SSL_DEBUG_HELPERS_H */
+#endif /* MBEDTLS_DEBUG_C */
+
+#endif /* MBEDTLS_SSL_DEBUG_HELPERS_H */
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 8ffdccb37..7c32969b2 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -74,6 +74,9 @@
 #define MBEDTLS_SSL_RENEGOTIATION_DONE          2   /* Done or aborted */
 #define MBEDTLS_SSL_RENEGOTIATION_PENDING       3   /* Requested (server only) */
 
+/* Faked handshake message identity for HelloRetryRequest. */
+#define MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST ( -MBEDTLS_SSL_HS_SERVER_HELLO )
+
 /*
  * Inernal identity of handshake extensions
  */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index b3210c415..7bc0a0cd5 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -616,6 +616,152 @@ uint32_t mbedtls_ssl_get_extension_mask( unsigned int extension_type )
     return( 1 << mbedtls_ssl_get_extension_id( extension_type ) );
 }
 
+#if defined(MBEDTLS_DEBUG_C)
+static const char *extension_name_table[] = {
+    [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = "unreognized",
+    [MBEDTLS_SSL_EXT_ID_SERVERNAME] = "server_name",
+    [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = "max_fragment_length",
+    [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = "status_request",
+    [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = "supported_groups",
+    [MBEDTLS_SSL_EXT_ID_SIG_ALG] = "signature_algorithms",
+    [MBEDTLS_SSL_EXT_ID_USE_SRTP] = "use_srtp",
+    [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = "heartbeat",
+    [MBEDTLS_SSL_EXT_ID_ALPN] = "application_layer_protocol_negotiation",
+    [MBEDTLS_SSL_EXT_ID_SCT] = "signed_certificate_timestamp",
+    [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = "client_certificate_type",
+    [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = "server_certificate_type",
+    [MBEDTLS_SSL_EXT_ID_PADDING] = "padding",
+    [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = "pre_shared_key",
+    [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = "early_data",
+    [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = "supported_versions",
+    [MBEDTLS_SSL_EXT_ID_COOKIE] = "cookie",
+    [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = "psk_key_exchange_modes",
+    [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = "certificate_authorities",
+    [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = "oid_filters",
+    [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = "post_handshake_auth",
+    [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = "signature_algorithms_cert",
+    [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = "key_share",
+    [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = "truncated_hmac",
+    [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = "supported_point_formats",
+    [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = "encrypt_then_mac",
+    [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = "extended_master_secret",
+    [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = "session_ticket"
+};
+
+static unsigned int extension_type_tbl[]={
+    [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = 0xff,
+    [MBEDTLS_SSL_EXT_ID_SERVERNAME] = MBEDTLS_TLS_EXT_SERVERNAME,
+    [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH,
+    [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = MBEDTLS_TLS_EXT_STATUS_REQUEST,
+    [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = MBEDTLS_TLS_EXT_SUPPORTED_GROUPS,
+    [MBEDTLS_SSL_EXT_ID_SIG_ALG] = MBEDTLS_TLS_EXT_SIG_ALG,
+    [MBEDTLS_SSL_EXT_ID_USE_SRTP] = MBEDTLS_TLS_EXT_USE_SRTP,
+    [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = MBEDTLS_TLS_EXT_HEARTBEAT,
+    [MBEDTLS_SSL_EXT_ID_ALPN] = MBEDTLS_TLS_EXT_ALPN,
+    [MBEDTLS_SSL_EXT_ID_SCT] = MBEDTLS_TLS_EXT_SCT,
+    [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = MBEDTLS_TLS_EXT_CLI_CERT_TYPE,
+    [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = MBEDTLS_TLS_EXT_SERV_CERT_TYPE,
+    [MBEDTLS_SSL_EXT_ID_PADDING] = MBEDTLS_TLS_EXT_PADDING,
+    [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = MBEDTLS_TLS_EXT_PRE_SHARED_KEY,
+    [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = MBEDTLS_TLS_EXT_EARLY_DATA,
+    [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS,
+    [MBEDTLS_SSL_EXT_ID_COOKIE] = MBEDTLS_TLS_EXT_COOKIE,
+    [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES,
+    [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = MBEDTLS_TLS_EXT_CERT_AUTH,
+    [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = MBEDTLS_TLS_EXT_OID_FILTERS,
+    [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH,
+    [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = MBEDTLS_TLS_EXT_SIG_ALG_CERT,
+    [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = MBEDTLS_TLS_EXT_KEY_SHARE,
+    [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = MBEDTLS_TLS_EXT_TRUNCATED_HMAC,
+    [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS,
+    [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC,
+    [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET,
+    [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = MBEDTLS_TLS_EXT_SESSION_TICKET
+};
+
+const char *mbedtls_ssl_get_extension_name( unsigned int extension_type )
+{
+    return( extension_name_table[
+                mbedtls_ssl_get_extension_id( extension_type ) ] );
+}
+
+static const char *ssl_tls13_get_hs_msg_name( int hs_msg_type )
+{
+    switch( hs_msg_type )
+    {
+        case MBEDTLS_SSL_HS_CLIENT_HELLO:
+            return( "ClientHello" );
+        case MBEDTLS_SSL_HS_SERVER_HELLO:
+            return( "ServerHello" );
+        case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST:
+            return( "HelloRetryRequest" );
+        case MBEDTLS_SSL_HS_NEW_SESSION_TICKET:
+            return( "NewSessionTicket" );
+        case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
+            return( "EncryptedExtensions" );
+        case MBEDTLS_SSL_HS_CERTIFICATE:
+            return( "Certificate" );
+        case MBEDTLS_SSL_HS_CERTIFICATE_REQUEST:
+            return( "CertificateRequest" );
+    }
+    return( NULL );
+}
+
+void mbedtls_ssl_print_extension_type( const mbedtls_ssl_context *ssl,
+                                       int level, const char *file, int line,
+                                       int hs_msg_type,
+                                       unsigned int extension_type,
+                                       const char *extra_msg0,
+                                       const char *extra_msg1 )
+{
+    const char *extra_msg;
+    if( extra_msg0 && extra_msg1 )
+    {
+        mbedtls_debug_print_msg(
+            ssl, level, file, line,
+            "%s: %s(%u) extension %s %s.",
+            ssl_tls13_get_hs_msg_name( hs_msg_type ),
+            mbedtls_ssl_get_extension_name( extension_type ),
+            extension_type,
+            extra_msg0, extra_msg1 );
+        return;
+    }
+
+    extra_msg = extra_msg0 ? extra_msg0 : extra_msg1;
+    if( extra_msg )
+    {
+        mbedtls_debug_print_msg(
+            ssl, level, file, line,
+            "%s: %s(%u) extension %s.", ssl_tls13_get_hs_msg_name( hs_msg_type ),
+            mbedtls_ssl_get_extension_name( extension_type ), extension_type,
+            extra_msg );
+        return;
+    }
+
+    mbedtls_debug_print_msg(
+        ssl, level, file, line,
+        "%s: %s(%u) extension.", ssl_tls13_get_hs_msg_name( hs_msg_type ),
+        mbedtls_ssl_get_extension_name( extension_type ), extension_type );
+}
+
+void mbedtls_ssl_print_extensions( const mbedtls_ssl_context *ssl,
+                                   int level, const char *file, int line,
+                                   int hs_msg_type, uint32_t extensions_mask,
+                                   const char *extra )
+{
+
+    for( unsigned i = 0;
+         i < sizeof( extension_name_table ) / sizeof( extension_name_table[0] );
+         i++ )
+    {
+        mbedtls_ssl_print_extension_type(
+            ssl, level, file, line, hs_msg_type, extension_type_tbl[i],
+            extensions_mask & ( 1 << i ) ? "was" : "was not", extra );
+    }
+}
+
+#endif /* MBEDTLS_DEBUG_C */
+
 void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
                             const mbedtls_ssl_ciphersuite_t *ciphersuite_info )
 {
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 1bbd7f033..a94bbef28 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1529,155 +1529,6 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
 }
 #endif /* MBEDTLS_ECDH_C */
 
-#if defined(MBEDTLS_DEBUG_C)
-const char *mbedtls_tls13_get_extension_name( uint16_t extension_type )
-{
-    switch( extension_type )
-    {
-        case MBEDTLS_TLS_EXT_SERVERNAME:
-            return( "server_name" );
-
-        case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
-            return( "max_fragment_length" );
-
-        case MBEDTLS_TLS_EXT_STATUS_REQUEST:
-            return( "status_request" );
-
-        case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
-            return( "supported_groups" );
-
-        case MBEDTLS_TLS_EXT_SIG_ALG:
-            return( "signature_algorithms" );
-
-        case MBEDTLS_TLS_EXT_USE_SRTP:
-            return( "use_srtp" );
-
-        case MBEDTLS_TLS_EXT_HEARTBEAT:
-            return( "heartbeat" );
-
-        case MBEDTLS_TLS_EXT_ALPN:
-            return( "application_layer_protocol_negotiation" );
-
-        case MBEDTLS_TLS_EXT_SCT:
-            return( "signed_certificate_timestamp" );
-
-        case MBEDTLS_TLS_EXT_CLI_CERT_TYPE:
-            return( "client_certificate_type" );
-
-        case MBEDTLS_TLS_EXT_SERV_CERT_TYPE:
-            return( "server_certificate_type" );
-
-        case MBEDTLS_TLS_EXT_PADDING:
-            return( "padding" );
-
-        case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
-            return( "pre_shared_key" );
-
-        case MBEDTLS_TLS_EXT_EARLY_DATA:
-            return( "early_data" );
-
-        case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
-            return( "supported_versions" );
-
-        case MBEDTLS_TLS_EXT_COOKIE:
-            return( "cookie" );
-
-        case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
-            return( "psk_key_exchange_modes" );
-
-        case MBEDTLS_TLS_EXT_CERT_AUTH:
-            return( "certificate_authorities" );
-
-        case MBEDTLS_TLS_EXT_OID_FILTERS:
-            return( "oid_filters" );
-
-        case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH:
-            return( "post_handshake_auth" );
-
-        case MBEDTLS_TLS_EXT_SIG_ALG_CERT:
-            return( "signature_algorithms_cert" );
-
-        case MBEDTLS_TLS_EXT_KEY_SHARE:
-            return( "key_share" );
-    };
-
-    return( "unknown" );
-}
-
-static const char *ssl_tls13_get_hs_msg_name( int hs_msg_type )
-{
-    switch( hs_msg_type )
-    {
-        case MBEDTLS_SSL_HS_CLIENT_HELLO:
-            return( "ClientHello" );
-        case MBEDTLS_SSL_HS_SERVER_HELLO:
-            return( "ServerHello" );
-        case -MBEDTLS_SSL_HS_SERVER_HELLO: // HRR does not have IANA value.
-            return( "HelloRetryRequest" );
-        case MBEDTLS_SSL_HS_NEW_SESSION_TICKET:
-            return( "NewSessionTicket" );
-        case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
-            return( "EncryptedExtensions" );
-        case MBEDTLS_SSL_HS_CERTIFICATE:
-            return( "Certificate" );
-        case MBEDTLS_SSL_HS_CERTIFICATE_REQUEST:
-            return( "CertificateRequest" );
-    }
-    return( NULL );
-}
-
-void mbedtls_ssl_tls13_print_extensions( const mbedtls_ssl_context *ssl,
-                                         int level, const char *file, int line,
-                                         int hs_msg_type,
-                                         uint32_t extensions_present )
-{
-    static const struct{
-        uint32_t extension_mask;
-        const char *extension_name;
-    } mask_to_str_table[] = {
-            { MBEDTLS_SSL_EXT_SERVERNAME, "server_name" },
-            { MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH, "max_fragment_length" },
-            { MBEDTLS_SSL_EXT_STATUS_REQUEST, "status_request" },
-            { MBEDTLS_SSL_EXT_SUPPORTED_GROUPS, "supported_groups" },
-            { MBEDTLS_SSL_EXT_SIG_ALG, "signature_algorithms" },
-            { MBEDTLS_SSL_EXT_USE_SRTP, "use_srtp" },
-            { MBEDTLS_SSL_EXT_HEARTBEAT, "heartbeat" },
-            { MBEDTLS_SSL_EXT_ALPN, "application_layer_protocol_negotiation" },
-            { MBEDTLS_SSL_EXT_SCT, "signed_certificate_timestamp" },
-            { MBEDTLS_SSL_EXT_CLI_CERT_TYPE, "client_certificate_type" },
-            { MBEDTLS_SSL_EXT_SERV_CERT_TYPE, "server_certificate_type" },
-            { MBEDTLS_SSL_EXT_PADDING, "padding" },
-            { MBEDTLS_SSL_EXT_PRE_SHARED_KEY, "pre_shared_key" },
-            { MBEDTLS_SSL_EXT_EARLY_DATA, "early_data" },
-            { MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS, "supported_versions" },
-            { MBEDTLS_SSL_EXT_COOKIE, "cookie" },
-            { MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES, "psk_key_exchange_modes" },
-            { MBEDTLS_SSL_EXT_CERT_AUTH, "certificate_authorities" },
-            { MBEDTLS_SSL_EXT_OID_FILTERS, "oid_filters" },
-            { MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH, "post_handshake_auth" },
-            { MBEDTLS_SSL_EXT_SIG_ALG_CERT, "signature_algorithms_cert" },
-            { MBEDTLS_SSL_EXT_KEY_SHARE, "key_share" } };
-
-    mbedtls_debug_print_msg( ssl, level, file, line,
-                             "extension list of %s:",
-                             ssl_tls13_get_hs_msg_name( hs_msg_type ) );
-
-    for( unsigned i = 0;
-         i < sizeof( mask_to_str_table ) / sizeof( mask_to_str_table[0] );
-         i++ )
-    {
-        const char *extension_name = mask_to_str_table[i].extension_name;
-        uint32_t is_present = extensions_present &
-                              mask_to_str_table[i].extension_mask;
-
-        mbedtls_debug_print_msg( ssl, level, file, line,
-                "- %s extension ( %s )", extension_name,
-                is_present ? "true" : "false" );
-    }
-}
-
-#endif /* MBEDTLS_DEBUG_C */
-
 /* RFC 8446 section 4.2
  *
  * If an implementation receives an extension which it recognizes and which is

From 4b8f2f72668270e46b475c697565df0bbb305876 Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Mon, 31 Oct 2022 13:31:22 +0800
Subject: [PATCH 027/159] Refactor sent extension message output

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_client.c        | 18 ++++++------------
 library/ssl_tls.c           |  4 ----
 library/ssl_tls13_client.c  | 26 ++++----------------------
 library/ssl_tls13_generic.c |  2 ++
 library/ssl_tls13_server.c  | 10 ++++++++++
 5 files changed, 22 insertions(+), 38 deletions(-)

diff --git a/library/ssl_client.c b/library/ssl_client.c
index 16cef0204..1c5b447fe 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -108,10 +108,6 @@ static int ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
     mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_SERVERNAME );
-    MBEDTLS_SSL_DEBUG_MSG(
-        4, ( "sent %s extension",
-             mbedtls_tls13_get_extension_name(
-                 MBEDTLS_TLS_EXT_SERVERNAME ) ) );
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
     return( 0 );
 }
@@ -186,10 +182,6 @@ static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
     mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_ALPN );
-    MBEDTLS_SSL_DEBUG_MSG(
-        4, ( "sent %s extension",
-             mbedtls_tls13_get_extension_name(
-                 MBEDTLS_TLS_EXT_ALPN ) ) );
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
     return( 0 );
 }
@@ -310,10 +302,8 @@ static int ssl_write_supported_groups_ext( mbedtls_ssl_context *ssl,
     *out_len = p - buf;
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-    mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_SUPPORTED_GROUPS );
-    MBEDTLS_SSL_DEBUG_MSG( 4, ( "sent %s extension",
-                                mbedtls_tls13_get_extension_name(
-                                    MBEDTLS_TLS_EXT_SUPPORTED_GROUPS ) ) );
+    mbedtls_ssl_tls13_set_hs_sent_ext_mask(
+        ssl, MBEDTLS_TLS_EXT_SUPPORTED_GROUPS );
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
 
     return( 0 );
@@ -684,6 +674,10 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl,
                                   p_extensions_len, extensions_len );
     }
 
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+    MBEDTLS_SSL_PRINT_SENT_EXTS( 3, MBEDTLS_SSL_HS_CLIENT_HELLO );
+#endif
+
     *out_len = p - buf;
     return( 0 );
 }
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 7bc0a0cd5..04d2ef440 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -8955,10 +8955,6 @@ int mbedtls_ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf,
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
     mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_SIG_ALG );
-    MBEDTLS_SSL_DEBUG_MSG(
-        4, ( "sent %s extension",
-             mbedtls_tls13_get_extension_name(
-                MBEDTLS_TLS_EXT_SIG_ALG ) ) );
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
 
     return( 0 );
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 27747a209..54101cb34 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -89,12 +89,10 @@ static int ssl_tls13_write_supported_versions_ext( mbedtls_ssl_context *ssl,
     }
 
     *out_len = 5 + versions_len;
+
     mbedtls_ssl_tls13_set_hs_sent_ext_mask(
         ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS );
-    MBEDTLS_SSL_DEBUG_MSG(
-        4, ( "sent %s extension",
-             mbedtls_tls13_get_extension_name(
-                 MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS ) ) );
+
     return( 0 );
 }
 
@@ -366,11 +364,6 @@ static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, key_share extension", buf, *out_len );
 
     mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_KEY_SHARE );
-    MBEDTLS_SSL_DEBUG_MSG(
-        4, ( "sent %s extension",
-
-             mbedtls_tls13_get_extension_name(
-                 MBEDTLS_TLS_EXT_KEY_SHARE ) ) );
 
 cleanup:
 
@@ -610,12 +603,8 @@ static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl,
 
     *out_len = handshake->hrr_cookie_len + 6;
 
-
     mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_COOKIE );
-    MBEDTLS_SSL_DEBUG_MSG(
-        4, ( "sent %s extension",
-             mbedtls_tls13_get_extension_name(
-                 MBEDTLS_TLS_EXT_COOKIE ) ) );
+
     return( 0 );
 }
 
@@ -688,10 +677,7 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl,
 
     mbedtls_ssl_tls13_set_hs_sent_ext_mask(
         ssl, MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES );
-    MBEDTLS_SSL_DEBUG_MSG(
-        4, ( "sent %s extension",
-             mbedtls_tls13_get_extension_name(
-                 MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES ) ) );
+
     return ( 0 );
 }
 
@@ -1059,10 +1045,6 @@ int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
 
     mbedtls_ssl_tls13_set_hs_sent_ext_mask(
         ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY );
-    MBEDTLS_SSL_DEBUG_MSG(
-        4, ( "sent %s extension",
-             mbedtls_tls13_get_extension_name(
-                 MBEDTLS_TLS_EXT_PRE_SHARED_KEY ) ) );
 
     return( 0 );
 }
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index a94bbef28..1a1737283 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -887,6 +887,8 @@ static int ssl_tls13_write_certificate_body( mbedtls_ssl_context *ssl,
 
     *out_len = p - buf;
 
+    MBEDTLS_SSL_PRINT_SENT_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE );
+
     return( 0 );
 }
 
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index f0f06b81a..0239090f3 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -2128,6 +2128,10 @@ static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl,
 
     MBEDTLS_SSL_DEBUG_BUF( 3, "server hello", buf, *out_len );
 
+    MBEDTLS_SSL_PRINT_SENT_EXTS(
+        3, is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST :
+                    MBEDTLS_SSL_HS_SERVER_HELLO );
+
     return( ret );
 }
 
@@ -2312,6 +2316,8 @@ static int ssl_tls13_write_encrypted_extensions_body( mbedtls_ssl_context *ssl,
 
     MBEDTLS_SSL_DEBUG_BUF( 4, "encrypted extensions", buf, *out_len );
 
+    MBEDTLS_SSL_PRINT_SENT_EXTS( 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS );
+
     return( 0 );
 }
 
@@ -2441,6 +2447,8 @@ static int ssl_tls13_write_certificate_request_body( mbedtls_ssl_context *ssl,
 
     *out_len = p - buf;
 
+    MBEDTLS_SSL_PRINT_SENT_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
+
     return( 0 );
 }
 
@@ -2834,6 +2842,8 @@ static int ssl_tls13_write_new_session_ticket_body( mbedtls_ssl_context *ssl,
     MBEDTLS_SSL_DEBUG_BUF( 4, "ticket", buf, *out_len );
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
 
+    MBEDTLS_SSL_PRINT_SENT_EXTS( 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET );
+
     return( 0 );
 }
 

From 63a459cde5995c1909d873c707fae8fef09e8e37 Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Mon, 31 Oct 2022 13:38:40 +0800
Subject: [PATCH 028/159] Refactor client_hello parser and writer

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_client.c       |  2 +-
 library/ssl_tls13_server.c | 42 ++++++++++++++++++--------------------
 2 files changed, 21 insertions(+), 23 deletions(-)

diff --git a/library/ssl_client.c b/library/ssl_client.c
index 1c5b447fe..ebf0fa701 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -564,7 +564,7 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl,
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
     /* Keeping track of the included extensions */
-    handshake->sent_extensions = MBEDTLS_SSL_EXT_NONE;
+    handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
 #endif
 
     /* First write extensions, then the total length */
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 0239090f3..607347d73 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -940,9 +940,9 @@ static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(
 {
     return( ssl_tls13_client_hello_has_exts(
                 ssl,
-                MBEDTLS_SSL_EXT_SUPPORTED_GROUPS |
-                MBEDTLS_SSL_EXT_KEY_SHARE        |
-                MBEDTLS_SSL_EXT_SIG_ALG ) );
+                MBEDTLS_SSL_EXT_MASK( SUPPORTED_GROUPS ) |
+                MBEDTLS_SSL_EXT_MASK( KEY_SHARE )        |
+                MBEDTLS_SSL_EXT_MASK( SIG_ALG ) ) );
 }
 
 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
@@ -952,8 +952,8 @@ static int ssl_tls13_client_hello_has_exts_for_psk_key_exchange(
 {
     return( ssl_tls13_client_hello_has_exts(
                 ssl,
-                MBEDTLS_SSL_EXT_PRE_SHARED_KEY          |
-                MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) );
+                MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY )          |
+                MBEDTLS_SSL_EXT_MASK( PSK_KEY_EXCHANGE_MODES ) ) );
 }
 
 MBEDTLS_CHECK_RETURN_CRITICAL
@@ -962,10 +962,10 @@ static int ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(
 {
     return( ssl_tls13_client_hello_has_exts(
                 ssl,
-                MBEDTLS_SSL_EXT_SUPPORTED_GROUPS        |
-                MBEDTLS_SSL_EXT_KEY_SHARE               |
-                MBEDTLS_SSL_EXT_PRE_SHARED_KEY          |
-                MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) );
+                MBEDTLS_SSL_EXT_MASK( SUPPORTED_GROUPS )        |
+                MBEDTLS_SSL_EXT_MASK( KEY_SHARE )               |
+                MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY )          |
+                MBEDTLS_SSL_EXT_MASK( PSK_KEY_EXCHANGE_MODES ) ) );
 }
 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
 
@@ -1417,7 +1417,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
 
     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", p, extensions_len );
 
-    handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
+    handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
 
     while( p < extensions_end )
     {
@@ -1432,7 +1432,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
          * Servers MUST check that it is the last extension and otherwise fail
          * the handshake with an "illegal_parameter" alert.
          */
-        if( handshake->received_extensions & MBEDTLS_SSL_EXT_PRE_SHARED_KEY )
+        if( handshake->received_extensions & MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) )
         {
             MBEDTLS_SSL_DEBUG_MSG(
                 3, ( "pre_shared_key is not last extension." ) );
@@ -1555,7 +1555,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
             case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) );
                 if( ( handshake->received_extensions &
-                      MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) == 0 )
+                      MBEDTLS_SSL_EXT_MASK( PSK_KEY_EXCHANGE_MODES ) ) == 0 )
                 {
                     MBEDTLS_SSL_PEND_FATAL_ALERT(
                         MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
@@ -1603,18 +1603,16 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
 
             default:
-                MBEDTLS_SSL_DEBUG_MSG( 3,
-                    ( "client hello: received %s(%u) extension ( ignored )",
-                      mbedtls_tls13_get_extension_name( extension_type ),
-                      extension_type ) );
+                MBEDTLS_SSL_PRINT_EXT_TYPE(
+                    3, MBEDTLS_SSL_HS_CLIENT_HELLO,
+                    extension_type, "( ignored )" );
                 break;
         }
 
         p += extension_data_len;
     }
 
-    MBEDTLS_SSL_TLS1_3_PRINT_EXTS(
-        3, MBEDTLS_SSL_HS_CLIENT_HELLO, handshake->received_extensions );
+    MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, MBEDTLS_SSL_HS_CLIENT_HELLO );
 
     mbedtls_ssl_add_hs_hdr_to_checksum( ssl,
                                         MBEDTLS_SSL_HS_CLIENT_HELLO,
@@ -1628,7 +1626,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
     /* If we've settled on a PSK-based exchange, parse PSK identity ext */
     if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) &&
         mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) &&
-        ( handshake->received_extensions & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) )
+        ( handshake->received_extensions & MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) ) )
     {
         handshake->update_checksum( ssl, buf,
                                          pre_shared_key_ext - buf );
@@ -1639,12 +1637,12 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
                                                   cipher_suites_end );
         if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
         {
-            handshake->received_extensions &= ~MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
+            handshake->received_extensions &= ~MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY );
         }
         else if( ret != 0 )
         {
-            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_tls13_parse_pre_shared_key_ext" ),
-                                   ret );
+            MBEDTLS_SSL_DEBUG_RET(
+                1, "ssl_tls13_parse_pre_shared_key_ext" , ret );
             return( ret );
         }
     }

From 9eba750916b751bb1cf1a1d4c0fc2c59bd7be64f Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Mon, 31 Oct 2022 13:46:16 +0800
Subject: [PATCH 029/159] Refactor encrypted extensions

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_tls13_client.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 54101cb34..082be20b3 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1989,7 +1989,7 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
     MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
     extensions_end = p + extensions_len;
 
-    handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
+    handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
 
     while( p < extensions_end )
     {
@@ -2029,18 +2029,16 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
                 break;
 #endif /* MBEDTLS_SSL_ALPN */
             default:
-                MBEDTLS_SSL_DEBUG_MSG( 3,
-                    ( "encrypted extensions: received %s(%u) extension ( ignored )",
-                      mbedtls_tls13_get_extension_name( extension_type ),
-                      extension_type ) );
+                MBEDTLS_SSL_PRINT_EXT_TYPE(
+                    3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
+                    extension_type, "( ignored )" );
                 break;
         }
 
         p += extension_data_len;
     }
 
-    MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
-                                   handshake->received_extensions );
+    MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS );
 
     /* Check that we consumed all the message. */
     if( p != end )

From 6d0e78ba22cbaa19e4de862a79b03cdedefe4ff2 Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Mon, 31 Oct 2022 14:13:25 +0800
Subject: [PATCH 030/159] Refactor certificate request

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_tls13_client.c | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 082be20b3..688eb5201 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -2184,7 +2184,7 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
     MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
     extensions_end = p + extensions_len;
 
-    handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
+    handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
 
     while( p < extensions_end )
     {
@@ -2217,19 +2217,16 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
                 break;
 
             default:
-                MBEDTLS_SSL_DEBUG_MSG( 3,
-                    ( "certificate request: received %s(%u) extension ( ignored )",
-                      mbedtls_tls13_get_extension_name( extension_type ),
-                      extension_type ) );
+                MBEDTLS_SSL_PRINT_EXT_TYPE(
+                    3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
+                    extension_type, "( ignored )" );
                 break;
         }
 
         p += extension_data_len;
     }
 
-    MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3,
-                                   MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
-                                   handshake->received_extensions );
+    MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
 
     /* Check that we consumed all the message. */
     if( p != end )
@@ -2243,7 +2240,7 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
      *
      * The "signature_algorithms" extension MUST be specified
      */
-    if( ( handshake->received_extensions & MBEDTLS_SSL_EXT_SIG_ALG ) == 0 )
+    if( ( handshake->received_extensions & MBEDTLS_SSL_EXT_MASK( SIG_ALG ) ) == 0 )
     {
         MBEDTLS_SSL_DEBUG_MSG( 3,
             ( "no signature algorithms extension found" ) );

From 0d5cfb7703c51be78e71a6efd4548753ca7929c9 Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Mon, 31 Oct 2022 14:15:48 +0800
Subject: [PATCH 031/159] Refactor Certificate

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_tls13_generic.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 1a1737283..a9c8c973f 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -508,7 +508,7 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len );
 
         extensions_end = p + extensions_len;
-        handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
+        handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
 
         while( p < extensions_end )
         {
@@ -537,18 +537,16 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
             switch( extension_type )
             {
                 default:
-                    MBEDTLS_SSL_DEBUG_MSG( 3,
-                        ( "Certificate: received %s(%u) extension ( ignored )",
-                        mbedtls_tls13_get_extension_name( extension_type ),
-                        extension_type ) );
+                    MBEDTLS_SSL_PRINT_EXT_TYPE(
+                        3, MBEDTLS_SSL_HS_CERTIFICATE,
+                        extension_type, "( ignored )" );
                     break;
             }
 
             p += extension_data_len;
         }
 
-        MBEDTLS_SSL_TLS1_3_PRINT_EXTS(
-            3, MBEDTLS_SSL_HS_CERTIFICATE, handshake->received_extensions );
+        MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE );
     }
 
 exit:

From edab637b515d4015c10c59b4ecc176e66bea62d1 Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Mon, 31 Oct 2022 14:37:31 +0800
Subject: [PATCH 032/159] Refactor new session ticket

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_tls13_client.c | 20 +++++++-------------
 library/ssl_tls13_server.c |  2 ++
 2 files changed, 9 insertions(+), 13 deletions(-)

diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 688eb5201..b0a835f4e 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -2484,7 +2484,7 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
     const unsigned char *p = buf;
 
 
-    handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
+    handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
 
     while( p < end )
     {
@@ -2500,30 +2500,24 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extension_data_len );
 
         ret = mbedtls_ssl_tls13_check_received_extension(
-                  ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, extension_type,
-                  MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH );
+                  ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, extension_type,
+                  MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST );
         if( ret != 0 )
             return( ret );
 
         switch( extension_type )
         {
-            case MBEDTLS_TLS_EXT_EARLY_DATA:
-                MBEDTLS_SSL_DEBUG_MSG( 4, ( "early_data extension received" ) );
-                break;
-
             default:
-                MBEDTLS_SSL_DEBUG_MSG( 3,
-                    ( "NewSessionTicket : received %s(%u) extension ( ignored )",
-                      mbedtls_tls13_get_extension_name( extension_type ),
-                      extension_type ) );
+                MBEDTLS_SSL_PRINT_EXT_TYPE(
+                    3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
+                    extension_type, "( ignored )" );
                 break;
         }
 
         p +=  extension_data_len;
     }
 
-    MBEDTLS_SSL_TLS1_3_PRINT_EXTS(
-        3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, handshake->received_extensions );
+    MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET );
 
     return( 0 );
 }
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 607347d73..f31e7ab89 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -2832,6 +2832,8 @@ static int ssl_tls13_write_new_session_ticket_body( mbedtls_ssl_context *ssl,
      * Note: We currently don't have any extensions.
      * Set length to zero.
      */
+    ssl->handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
+
     MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
     MBEDTLS_PUT_UINT16_BE( 0, p, 0 );
     p += 2;

From 50e00e3ac6b7c9f7940d0f459d727bd35a96c9fc Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Mon, 31 Oct 2022 14:45:01 +0800
Subject: [PATCH 033/159] Refactor server hello

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_tls13_client.c | 24 ++++++++++--------------
 library/ssl_tls13_server.c |  1 +
 2 files changed, 11 insertions(+), 14 deletions(-)

diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index b0a835f4e..fff0febed 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1395,7 +1395,7 @@ static int ssl_tls13_preprocess_server_hello( mbedtls_ssl_context *ssl,
     ssl->session_negotiate->tls_version = ssl->tls_version;
 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
 
-    handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
+    handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
 
     ret = ssl_server_hello_is_hrr( ssl, buf, end );
     switch( ret )
@@ -1506,6 +1506,8 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
     const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
     int fatal_alert = 0;
     uint32_t allowed_extensions_mask;
+    int hs_msg_type = is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST :
+                               MBEDTLS_SSL_HS_SERVER_HELLO;
 
     /*
      * Check there is space for minimal fields
@@ -1648,7 +1650,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
 
     MBEDTLS_SSL_DEBUG_BUF( 3, "server hello extensions", p, extensions_len );
 
-    handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
+    handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
     allowed_extensions_mask = is_hrr ?
                                   MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR :
                                   MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH;
@@ -1668,11 +1670,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
         extension_data_end = p + extension_data_len;
 
         ret = mbedtls_ssl_tls13_check_received_extension(
-                  ssl,
-                  is_hrr ?
-                      -MBEDTLS_SSL_HS_SERVER_HELLO : MBEDTLS_SSL_HS_SERVER_HELLO,
-                  extension_type,
-                  allowed_extensions_mask );
+                  ssl, hs_msg_type, extension_type, allowed_extensions_mask );
         if( ret != 0 )
             return( ret );
 
@@ -1744,9 +1742,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
         p += extension_data_len;
     }
 
-    MBEDTLS_SSL_TLS1_3_PRINT_EXTS(
-        3, is_hrr ? -MBEDTLS_SSL_HS_SERVER_HELLO : MBEDTLS_SSL_HS_SERVER_HELLO,
-        handshake->received_extensions );
+    MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, hs_msg_type );
 
 cleanup:
 
@@ -1797,20 +1793,20 @@ static int ssl_tls13_postprocess_server_hello( mbedtls_ssl_context *ssl )
      *    exchange mode is EPHEMERAL-only.
      */
     switch( handshake->received_extensions &
-            ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ) )
+            ( MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) ) )
     {
         /* Only the pre_shared_key extension was received */
-        case MBEDTLS_SSL_EXT_PRE_SHARED_KEY:
+        case MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ):
             handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
             break;
 
         /* Only the key_share extension was received */
-        case MBEDTLS_SSL_EXT_KEY_SHARE:
+        case MBEDTLS_SSL_EXT_MASK( KEY_SHARE ):
             handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
             break;
 
         /* Both the pre_shared_key and key_share extensions were received */
-        case ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ):
+        case ( MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) ):
             handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
             break;
 
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index f31e7ab89..288332865 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -2001,6 +2001,7 @@ static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl,
     size_t output_len;
 
     *out_len = 0;
+    ssl->handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
 
     /* ...
      * ProtocolVersion legacy_version = 0x0303; // TLS 1.2

From f467d46bbbcee711d647441152d0f316a354e855 Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Mon, 7 Nov 2022 13:12:44 +0800
Subject: [PATCH 034/159] move get_srv_psk_list

It can be reused in other test-suites

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 tests/opt-testcases/tls13-kex-modes.sh |  9 ---------
 tests/ssl-opt.sh                       | 10 ++++++++++
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/tests/opt-testcases/tls13-kex-modes.sh b/tests/opt-testcases/tls13-kex-modes.sh
index 4f62ed69b..b1320c5b5 100755
--- a/tests/opt-testcases/tls13-kex-modes.sh
+++ b/tests/opt-testcases/tls13-kex-modes.sh
@@ -18,15 +18,6 @@
 # limitations under the License.
 #
 
-get_srv_psk_list ()
-{
-    case $(( TESTS % 3 )) in
-        0) echo "psk_list=abc,dead,def,beef,Client_identity,6162636465666768696a6b6c6d6e6f70";;
-        1) echo "psk_list=abc,dead,Client_identity,6162636465666768696a6b6c6d6e6f70,def,beef";;
-        2) echo "psk_list=Client_identity,6162636465666768696a6b6c6d6e6f70,abc,dead,def,beef";;
-    esac
-}
-
 requires_gnutls_tls1_3
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index a75b3f593..f264b5ed1 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1024,6 +1024,16 @@ is_gnutls() {
     esac
 }
 
+# Generate random psk_list argument for ssl_server2
+get_srv_psk_list ()
+{
+    case $(( TESTS % 3 )) in
+        0) echo "psk_list=abc,dead,def,beef,Client_identity,6162636465666768696a6b6c6d6e6f70";;
+        1) echo "psk_list=abc,dead,Client_identity,6162636465666768696a6b6c6d6e6f70,def,beef";;
+        2) echo "psk_list=Client_identity,6162636465666768696a6b6c6d6e6f70,abc,dead,def,beef";;
+    esac
+}
+
 # Determine what calc_verify trace is to be expected, if any.
 #
 # calc_verify is only called for two things: to calculate the

From e5991328ffaa3139f6a747cd6a68fbac55e931aa Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Mon, 7 Nov 2022 14:03:44 +0800
Subject: [PATCH 035/159] fix tls13 psk only test fail

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_tls13_server.c        | 17 ++++++--
 tests/opt-testcases/tls13-misc.sh | 70 +++++++++++++++++++++++++++++++
 2 files changed, 83 insertions(+), 4 deletions(-)
 create mode 100755 tests/opt-testcases/tls13-misc.sh

diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 288332865..598ca91bf 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -934,6 +934,7 @@ static int ssl_tls13_client_hello_has_exts( mbedtls_ssl_context *ssl,
     return( masked == exts_mask );
 }
 
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(
         mbedtls_ssl_context *ssl )
@@ -944,8 +945,9 @@ static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(
                 MBEDTLS_SSL_EXT_MASK( KEY_SHARE )        |
                 MBEDTLS_SSL_EXT_MASK( SIG_ALG ) ) );
 }
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
 
-#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_client_hello_has_exts_for_psk_key_exchange(
                mbedtls_ssl_context *ssl )
@@ -955,7 +957,9 @@ static int ssl_tls13_client_hello_has_exts_for_psk_key_exchange(
                 MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY )          |
                 MBEDTLS_SSL_EXT_MASK( PSK_KEY_EXCHANGE_MODES ) ) );
 }
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED */
 
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(
                mbedtls_ssl_context *ssl )
@@ -967,19 +971,24 @@ static int ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(
                 MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY )          |
                 MBEDTLS_SSL_EXT_MASK( PSK_KEY_EXCHANGE_MODES ) ) );
 }
-#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED */
 
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_check_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
 {
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
     return( mbedtls_ssl_conf_tls13_ephemeral_enabled( ssl ) &&
             ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( ssl ) );
+#else
+    ((void) ssl);
+    return( 0 );
+#endif
 }
 
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_check_psk_key_exchange( mbedtls_ssl_context *ssl )
 {
-#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
     return( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) &&
             mbedtls_ssl_tls13_psk_enabled( ssl ) &&
             ssl_tls13_client_hello_has_exts_for_psk_key_exchange( ssl ) );
@@ -992,7 +1001,7 @@ static int ssl_tls13_check_psk_key_exchange( mbedtls_ssl_context *ssl )
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_check_psk_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
 {
-#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
     return( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) &&
             mbedtls_ssl_tls13_psk_ephemeral_enabled( ssl ) &&
             ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange( ssl ) );
diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh
new file mode 100755
index 000000000..661b3500b
--- /dev/null
+++ b/tests/opt-testcases/tls13-misc.sh
@@ -0,0 +1,70 @@
+#!/bin/sh
+
+# tls13-misc.sh
+#
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+requires_gnutls_tls1_3
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C \
+                             MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+requires_all_configs_disabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+                              MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test    "TLS 1.3: G->m: PSK: configured psk only, good." \
+            "$P_SRV force_version=tls13 tls13_kex_modes=all debug_level=5 $(get_srv_psk_list)" \
+            "$G_NEXT_CLI -d 10 --priority NORMAL:-VERS-ALL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK:+VERS-TLS1.3:+GROUP-ALL \
+                         --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70 \
+                         localhost" \
+            0 \
+            -s "found psk key exchange modes extension" \
+            -s "found pre_shared_key extension"         \
+            -s "Found PSK_EPHEMERAL KEX MODE"           \
+            -s "Found PSK KEX MODE"                     \
+            -s "key exchange mode: psk$"
+
+requires_gnutls_tls1_3
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C \
+                             MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+requires_all_configs_disabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+                              MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test    "TLS 1.3: G->m: PSK: configured psk_ephemeral only, good." \
+            "$P_SRV force_version=tls13 tls13_kex_modes=all debug_level=5 $(get_srv_psk_list)" \
+            "$G_NEXT_CLI -d 10 --priority NORMAL:-VERS-ALL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK:+VERS-TLS1.3:+GROUP-ALL \
+                         --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70 \
+                         localhost" \
+            0 \
+            -s "found psk key exchange modes extension" \
+            -s "found pre_shared_key extension"         \
+            -s "Found PSK_EPHEMERAL KEX MODE"           \
+            -s "Found PSK KEX MODE"                     \
+            -s "key exchange mode: psk_ephemeral$"
+
+requires_gnutls_tls1_3
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C \
+                             MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_all_configs_disabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+                              MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+run_test    "TLS 1.3: G->m: PSK: configured ephemeral only, good." \
+            "$P_SRV force_version=tls13 tls13_kex_modes=all debug_level=5 $(get_srv_psk_list)" \
+            "$G_NEXT_CLI -d 10 --priority NORMAL:-VERS-ALL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK:+VERS-TLS1.3:+GROUP-ALL \
+                         --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70 \
+                         localhost" \
+            0 \
+            -s "key exchange mode: ephemeral$"
+

From ea52ed91cf746915736625ad6205c5adc615e160 Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Tue, 8 Nov 2022 21:01:17 +0800
Subject: [PATCH 036/159] fix typo and spell issues

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_misc.h | 14 +++++++-------
 library/ssl_tls.c  |  6 +++---
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 7c32969b2..77b091d03 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -78,7 +78,7 @@
 #define MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST ( -MBEDTLS_SSL_HS_SERVER_HELLO )
 
 /*
- * Inernal identity of handshake extensions
+ * Internal identity of handshake extensions
  */
 #define MBEDTLS_SSL_EXT_ID_UNRECOGNIZED                0
 #define MBEDTLS_SSL_EXT_ID_SERVERNAME                  1
@@ -138,8 +138,8 @@ uint32_t mbedtls_ssl_get_extension_mask( unsigned int extension_type );
  * with an "illegal_parameter" alert.
  */
 
-/* Extensions that not recognized by TLS 1.3 */
-#define MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED                                \
+/* Extensions that are not recognized by TLS 1.3 */
+#define MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED                               \
             ( MBEDTLS_SSL_EXT_MASK( SUPPORTED_POINT_FORMATS )                | \
               MBEDTLS_SSL_EXT_MASK( ENCRYPT_THEN_MAC )                       | \
               MBEDTLS_SSL_EXT_MASK( EXTENDED_MASTER_SECRET )                 | \
@@ -169,7 +169,7 @@ uint32_t mbedtls_ssl_get_extension_mask( unsigned int extension_type );
               MBEDTLS_SSL_EXT_MASK( CERT_AUTH )                              | \
               MBEDTLS_SSL_EXT_MASK( POST_HANDSHAKE_AUTH )                    | \
               MBEDTLS_SSL_EXT_MASK( SIG_ALG_CERT )                           | \
-              MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED )
+              MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED )
 
 /* RFC 8446 section 4.2. Allowed extensions for EncryptedExtensions */
 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE                                  \
@@ -191,7 +191,7 @@ uint32_t mbedtls_ssl_get_extension_mask( unsigned int extension_type );
               MBEDTLS_SSL_EXT_MASK( CERT_AUTH )                              | \
               MBEDTLS_SSL_EXT_MASK( OID_FILTERS )                            | \
               MBEDTLS_SSL_EXT_MASK( SIG_ALG_CERT )                           | \
-              MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED )
+              MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED )
 
 /* RFC 8446 section 4.2. Allowed extensions for Certificate */
 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT                                  \
@@ -213,7 +213,7 @@ uint32_t mbedtls_ssl_get_extension_mask( unsigned int extension_type );
 /* RFC 8446 section 4.2. Allowed extensions for NewSessionTicket */
 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST                                 \
             ( MBEDTLS_SSL_EXT_MASK( EARLY_DATA )                             | \
-              MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED )
+              MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED )
 
 /*
  * Helper macros for function call with return check.
@@ -1950,7 +1950,7 @@ static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl )
           MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
 
 /*
- * Helper functions for extensions checking and convert.
+ * Helper functions for extensions checking.
  */
 
 MBEDTLS_CHECK_RETURN_CRITICAL
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 04d2ef440..cf71d263a 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -618,7 +618,7 @@ uint32_t mbedtls_ssl_get_extension_mask( unsigned int extension_type )
 
 #if defined(MBEDTLS_DEBUG_C)
 static const char *extension_name_table[] = {
-    [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = "unreognized",
+    [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = "unrecognized",
     [MBEDTLS_SSL_EXT_ID_SERVERNAME] = "server_name",
     [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = "max_fragment_length",
     [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = "status_request",
@@ -648,7 +648,7 @@ static const char *extension_name_table[] = {
     [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = "session_ticket"
 };
 
-static unsigned int extension_type_tbl[]={
+static unsigned int extension_type_table[]={
     [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = 0xff,
     [MBEDTLS_SSL_EXT_ID_SERVERNAME] = MBEDTLS_TLS_EXT_SERVERNAME,
     [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH,
@@ -755,7 +755,7 @@ void mbedtls_ssl_print_extensions( const mbedtls_ssl_context *ssl,
          i++ )
     {
         mbedtls_ssl_print_extension_type(
-            ssl, level, file, line, hs_msg_type, extension_type_tbl[i],
+            ssl, level, file, line, hs_msg_type, extension_type_table[i],
             extensions_mask & ( 1 << i ) ? "was" : "was not", extra );
     }
 }

From c437ee3bac80e52b5d6d637f6816426fb12a7c2a Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Tue, 8 Nov 2022 21:04:15 +0800
Subject: [PATCH 037/159] fix wrong return value

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_tls13_server.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 598ca91bf..378ce8fc9 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1447,8 +1447,8 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
                 3, ( "pre_shared_key is not last extension." ) );
             MBEDTLS_SSL_PEND_FATAL_ALERT(
                 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
-                MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
-            return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+                MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+            return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
         }
 
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );

From b95dd3683b99d5a34876952f65d915656804c819 Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Tue, 8 Nov 2022 21:19:34 +0800
Subject: [PATCH 038/159] Add missing mask set and tls13 unrecognized extension

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_misc.h         | 1 +
 library/ssl_tls.c          | 5 +++++
 library/ssl_tls13_server.c | 9 +++++++++
 3 files changed, 15 insertions(+)

diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 77b091d03..ad8754cac 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -144,6 +144,7 @@ uint32_t mbedtls_ssl_get_extension_mask( unsigned int extension_type );
               MBEDTLS_SSL_EXT_MASK( ENCRYPT_THEN_MAC )                       | \
               MBEDTLS_SSL_EXT_MASK( EXTENDED_MASTER_SECRET )                 | \
               MBEDTLS_SSL_EXT_MASK( SESSION_TICKET )                         | \
+              MBEDTLS_SSL_EXT_MASK( TRUNCATED_HMAC )                         | \
               MBEDTLS_SSL_EXT_MASK( UNRECOGNIZED ) )
 
 /* RFC 8446 section 4.2. Allowed extensions for ClienHello */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index cf71d263a..4787ca058 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -9155,6 +9155,11 @@ int mbedtls_ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
     p[6] = MBEDTLS_BYTE_0( protocol_name_len );
 
     memcpy( p + 7, ssl->alpn_chosen, protocol_name_len );
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+    mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_ALPN );
+#endif
+
     return ( 0 );
 }
 #endif /* MBEDTLS_SSL_ALPN */
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 378ce8fc9..051afa270 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -700,6 +700,8 @@ static int ssl_tls13_write_server_pre_shared_key_ext( mbedtls_ssl_context *ssl,
     MBEDTLS_SSL_DEBUG_MSG( 4, ( "sent selected_identity: %u",
                                 ssl->handshake->selected_identity ) );
 
+    mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY );
+
     return( 0 );
 }
 
@@ -1812,6 +1814,9 @@ static int ssl_tls13_write_server_hello_supported_versions_ext(
 
     *out_len = 6;
 
+    mbedtls_ssl_tls13_set_hs_sent_ext_mask(
+        ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS );
+
     return( 0 );
 }
 
@@ -1918,6 +1923,8 @@ static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
 
     *out_len = p - buf;
 
+    mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_KEY_SHARE );
+
     return( 0 );
 }
 
@@ -1982,6 +1989,8 @@ static int ssl_tls13_write_hrr_key_share_ext( mbedtls_ssl_context *ssl,
 
     *out_len = 6;
 
+    mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_KEY_SHARE );
+
     return( 0 );
 }
 

From 79aa721adee6042afecae06c124d35a36337b18a Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Tue, 8 Nov 2022 21:30:21 +0800
Subject: [PATCH 039/159] Rename ext print function and macro

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_debug_helpers.h | 19 +++++++++----------
 library/ssl_tls.c           | 14 ++++++--------
 library/ssl_tls13_client.c  |  6 +++---
 library/ssl_tls13_generic.c |  8 ++++----
 library/ssl_tls13_server.c  |  2 +-
 5 files changed, 23 insertions(+), 26 deletions(-)

diff --git a/library/ssl_debug_helpers.h b/library/ssl_debug_helpers.h
index 8fce87a98..ad84619a0 100644
--- a/library/ssl_debug_helpers.h
+++ b/library/ssl_debug_helpers.h
@@ -50,12 +50,10 @@ void mbedtls_ssl_print_extensions( const mbedtls_ssl_context *ssl,
                                    int hs_msg_type, uint32_t extensions_mask,
                                    const char *extra );
 
-void mbedtls_ssl_print_extension_type( const mbedtls_ssl_context *ssl,
-                                       int level, const char *file, int line,
-                                       int hs_msg_type,
-                                       unsigned int extension_type,
-                                       const char *extra_msg0,
-                                       const char *extra_msg1 );
+void mbedtls_ssl_print_extension( const mbedtls_ssl_context *ssl,
+                                  int level, const char *file, int line,
+                                  int hs_msg_type, unsigned int extension_type,
+                                  const char *extra_msg0, const char *extra_msg1 );
 
 #define MBEDTLS_SSL_PRINT_SENT_EXTS( level, hs_msg_type )                       \
             mbedtls_ssl_print_extensions( ssl, level, __FILE__, __LINE__,       \
@@ -69,16 +67,17 @@ void mbedtls_ssl_print_extension_type( const mbedtls_ssl_context *ssl,
                                           ssl->handshake->received_extensions,  \
                                           "received" )
 
-#define MBEDTLS_SSL_PRINT_EXT_TYPE( level, hs_msg_type, extension_type, extra ) \
-            mbedtls_ssl_print_extension_type( ssl, level, __FILE__, __LINE__,   \
-                                    hs_msg_type, extension_type, extra, NULL )
+#define MBEDTLS_SSL_PRINT_EXT( level, hs_msg_type, extension_type, extra )      \
+            mbedtls_ssl_print_extension( ssl, level, __FILE__, __LINE__,        \
+                                         hs_msg_type, extension_type,           \
+                                         extra, NULL )
 #else
 
 #define MBEDTLS_SSL_PRINT_SENT_EXTS( level, hs_msg_type )
 
 #define MBEDTLS_SSL_PRINT_RECEIVED_EXTS( level, hs_msg_type )
 
-#define MBEDTLS_SSL_PRINT_EXT_TYPE( level, hs_msg_type, extension_type, extra )
+#define MBEDTLS_SSL_PRINT_EXT( level, hs_msg_type, extension_type, extra )
 
 #endif /* MBEDTLS_DEBUG_C */
 
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 4787ca058..efe24634f 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -704,15 +704,13 @@ static const char *ssl_tls13_get_hs_msg_name( int hs_msg_type )
         case MBEDTLS_SSL_HS_CERTIFICATE_REQUEST:
             return( "CertificateRequest" );
     }
-    return( NULL );
+    return( "Unknown" );
 }
 
-void mbedtls_ssl_print_extension_type( const mbedtls_ssl_context *ssl,
-                                       int level, const char *file, int line,
-                                       int hs_msg_type,
-                                       unsigned int extension_type,
-                                       const char *extra_msg0,
-                                       const char *extra_msg1 )
+void mbedtls_ssl_print_extension( const mbedtls_ssl_context *ssl,
+                                  int level, const char *file, int line,
+                                  int hs_msg_type, unsigned int extension_type,
+                                  const char *extra_msg0, const char *extra_msg1 )
 {
     const char *extra_msg;
     if( extra_msg0 && extra_msg1 )
@@ -754,7 +752,7 @@ void mbedtls_ssl_print_extensions( const mbedtls_ssl_context *ssl,
          i < sizeof( extension_name_table ) / sizeof( extension_name_table[0] );
          i++ )
     {
-        mbedtls_ssl_print_extension_type(
+        mbedtls_ssl_print_extension(
             ssl, level, file, line, hs_msg_type, extension_type_table[i],
             extensions_mask & ( 1 << i ) ? "was" : "was not", extra );
     }
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index fff0febed..f4502d290 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -2025,7 +2025,7 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
                 break;
 #endif /* MBEDTLS_SSL_ALPN */
             default:
-                MBEDTLS_SSL_PRINT_EXT_TYPE(
+                MBEDTLS_SSL_PRINT_EXT(
                     3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
                     extension_type, "( ignored )" );
                 break;
@@ -2213,7 +2213,7 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
                 break;
 
             default:
-                MBEDTLS_SSL_PRINT_EXT_TYPE(
+                MBEDTLS_SSL_PRINT_EXT(
                     3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
                     extension_type, "( ignored )" );
                 break;
@@ -2504,7 +2504,7 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
         switch( extension_type )
         {
             default:
-                MBEDTLS_SSL_PRINT_EXT_TYPE(
+                MBEDTLS_SSL_PRINT_EXT(
                     3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
                     extension_type, "( ignored )" );
                 break;
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index a9c8c973f..39b86b984 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -537,7 +537,7 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
             switch( extension_type )
             {
                 default:
-                    MBEDTLS_SSL_PRINT_EXT_TYPE(
+                    MBEDTLS_SSL_PRINT_EXT(
                         3, MBEDTLS_SSL_HS_CERTIFICATE,
                         extension_type, "( ignored )" );
                     break;
@@ -1545,12 +1545,12 @@ int mbedtls_ssl_tls13_check_received_extension(
     uint32_t extension_mask = mbedtls_ssl_get_extension_mask(
                                   received_extension_type );
 
-    MBEDTLS_SSL_PRINT_EXT_TYPE(
+    MBEDTLS_SSL_PRINT_EXT(
         3, hs_msg_type, received_extension_type, "received" );
 
     if( ( extension_mask & hs_msg_allowed_extensions_mask ) == 0 )
     {
-        MBEDTLS_SSL_PRINT_EXT_TYPE(
+        MBEDTLS_SSL_PRINT_EXT(
             3, hs_msg_type, received_extension_type, "is illegal" );
         MBEDTLS_SSL_PEND_FATAL_ALERT(
             MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
@@ -1577,7 +1577,7 @@ int mbedtls_ssl_tls13_check_received_extension(
             return( 0 );
     }
 
-    MBEDTLS_SSL_PRINT_EXT_TYPE(
+    MBEDTLS_SSL_PRINT_EXT(
             3, hs_msg_type, received_extension_type, "is unsupported" );
     MBEDTLS_SSL_PEND_FATAL_ALERT(
         MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 051afa270..28f242295 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1614,7 +1614,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
 
             default:
-                MBEDTLS_SSL_PRINT_EXT_TYPE(
+                MBEDTLS_SSL_PRINT_EXT(
                     3, MBEDTLS_SSL_HS_CLIENT_HELLO,
                     extension_type, "( ignored )" );
                 break;

From 7de2ff0310f4c7e7493844533e10785a6207a2a8 Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Tue, 8 Nov 2022 21:43:46 +0800
Subject: [PATCH 040/159] Refactor extension list print

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_client.c        |  3 ++-
 library/ssl_debug_helpers.h | 16 +++-------------
 library/ssl_tls.c           |  2 +-
 library/ssl_tls13_client.c  | 12 ++++++++----
 library/ssl_tls13_generic.c |  6 ++++--
 library/ssl_tls13_server.c  | 17 +++++++++++------
 6 files changed, 29 insertions(+), 27 deletions(-)

diff --git a/library/ssl_client.c b/library/ssl_client.c
index ebf0fa701..b226cafff 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -675,7 +675,8 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl,
     }
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-    MBEDTLS_SSL_PRINT_SENT_EXTS( 3, MBEDTLS_SSL_HS_CLIENT_HELLO );
+    MBEDTLS_SSL_PRINT_EXTS(
+        3, MBEDTLS_SSL_HS_CLIENT_HELLO, ssl->handshake->sent_extensions );
 #endif
 
     *out_len = p - buf;
diff --git a/library/ssl_debug_helpers.h b/library/ssl_debug_helpers.h
index ad84619a0..ccdda2a0d 100644
--- a/library/ssl_debug_helpers.h
+++ b/library/ssl_debug_helpers.h
@@ -55,17 +55,9 @@ void mbedtls_ssl_print_extension( const mbedtls_ssl_context *ssl,
                                   int hs_msg_type, unsigned int extension_type,
                                   const char *extra_msg0, const char *extra_msg1 );
 
-#define MBEDTLS_SSL_PRINT_SENT_EXTS( level, hs_msg_type )                       \
+#define MBEDTLS_SSL_PRINT_EXTS( level, hs_msg_type, extension_mask )            \
             mbedtls_ssl_print_extensions( ssl, level, __FILE__, __LINE__,       \
-                                          hs_msg_type,                          \
-                                          ssl->handshake->sent_extensions,      \
-                                          "sent" )
-
-#define MBEDTLS_SSL_PRINT_RECEIVED_EXTS( level, hs_msg_type )                   \
-            mbedtls_ssl_print_extensions( ssl, level, __FILE__, __LINE__,       \
-                                          hs_msg_type,                          \
-                                          ssl->handshake->received_extensions,  \
-                                          "received" )
+                                          hs_msg_type, extension_mask, NULL )
 
 #define MBEDTLS_SSL_PRINT_EXT( level, hs_msg_type, extension_type, extra )      \
             mbedtls_ssl_print_extension( ssl, level, __FILE__, __LINE__,        \
@@ -73,9 +65,7 @@ void mbedtls_ssl_print_extension( const mbedtls_ssl_context *ssl,
                                          extra, NULL )
 #else
 
-#define MBEDTLS_SSL_PRINT_SENT_EXTS( level, hs_msg_type )
-
-#define MBEDTLS_SSL_PRINT_RECEIVED_EXTS( level, hs_msg_type )
+#define MBEDTLS_SSL_PRINT_EXTS( level, hs_msg_type, extension_mask )
 
 #define MBEDTLS_SSL_PRINT_EXT( level, hs_msg_type, extension_type, extra )
 
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index efe24634f..ea8464f0c 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -754,7 +754,7 @@ void mbedtls_ssl_print_extensions( const mbedtls_ssl_context *ssl,
     {
         mbedtls_ssl_print_extension(
             ssl, level, file, line, hs_msg_type, extension_type_table[i],
-            extensions_mask & ( 1 << i ) ? "was" : "was not", extra );
+            extensions_mask & ( 1 << i ) ? "exists" : "does not exists", extra );
     }
 }
 
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index f4502d290..364e886bc 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1742,7 +1742,8 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
         p += extension_data_len;
     }
 
-    MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, hs_msg_type );
+    MBEDTLS_SSL_PRINT_EXTS(
+        3, hs_msg_type, ssl->handshake->received_extensions );
 
 cleanup:
 
@@ -2034,7 +2035,8 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
         p += extension_data_len;
     }
 
-    MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS );
+    MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
+                            ssl->handshake->received_extensions );
 
     /* Check that we consumed all the message. */
     if( p != end )
@@ -2222,7 +2224,8 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
         p += extension_data_len;
     }
 
-    MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
+    MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
+                            ssl->handshake->received_extensions );
 
     /* Check that we consumed all the message. */
     if( p != end )
@@ -2513,7 +2516,8 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
         p +=  extension_data_len;
     }
 
-    MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET );
+    MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
+                            ssl->handshake->received_extensions );
 
     return( 0 );
 }
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 39b86b984..a39949c1c 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -546,7 +546,8 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
             p += extension_data_len;
         }
 
-        MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE );
+        MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE,
+                                ssl->handshake->received_extensions );
     }
 
 exit:
@@ -885,7 +886,8 @@ static int ssl_tls13_write_certificate_body( mbedtls_ssl_context *ssl,
 
     *out_len = p - buf;
 
-    MBEDTLS_SSL_PRINT_SENT_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE );
+    MBEDTLS_SSL_PRINT_EXTS(
+        3, MBEDTLS_SSL_HS_CERTIFICATE, ssl->handshake->sent_extensions );
 
     return( 0 );
 }
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 28f242295..597fbb7e6 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1623,7 +1623,8 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
         p += extension_data_len;
     }
 
-    MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, MBEDTLS_SSL_HS_CLIENT_HELLO );
+    MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_CLIENT_HELLO,
+                            ssl->handshake->received_extensions );
 
     mbedtls_ssl_add_hs_hdr_to_checksum( ssl,
                                         MBEDTLS_SSL_HS_CLIENT_HELLO,
@@ -2145,9 +2146,10 @@ static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl,
 
     MBEDTLS_SSL_DEBUG_BUF( 3, "server hello", buf, *out_len );
 
-    MBEDTLS_SSL_PRINT_SENT_EXTS(
+    MBEDTLS_SSL_PRINT_EXTS(
         3, is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST :
-                    MBEDTLS_SSL_HS_SERVER_HELLO );
+                    MBEDTLS_SSL_HS_SERVER_HELLO,
+        ssl->handshake->sent_extensions );
 
     return( ret );
 }
@@ -2333,7 +2335,8 @@ static int ssl_tls13_write_encrypted_extensions_body( mbedtls_ssl_context *ssl,
 
     MBEDTLS_SSL_DEBUG_BUF( 4, "encrypted extensions", buf, *out_len );
 
-    MBEDTLS_SSL_PRINT_SENT_EXTS( 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS );
+    MBEDTLS_SSL_PRINT_EXTS(
+        3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, ssl->handshake->sent_extensions );
 
     return( 0 );
 }
@@ -2464,7 +2467,8 @@ static int ssl_tls13_write_certificate_request_body( mbedtls_ssl_context *ssl,
 
     *out_len = p - buf;
 
-    MBEDTLS_SSL_PRINT_SENT_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
+    MBEDTLS_SSL_PRINT_EXTS(
+        3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, ssl->handshake->sent_extensions );
 
     return( 0 );
 }
@@ -2861,7 +2865,8 @@ static int ssl_tls13_write_new_session_ticket_body( mbedtls_ssl_context *ssl,
     MBEDTLS_SSL_DEBUG_BUF( 4, "ticket", buf, *out_len );
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
 
-    MBEDTLS_SSL_PRINT_SENT_EXTS( 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET );
+    MBEDTLS_SSL_PRINT_EXTS(
+        3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, ssl->handshake->sent_extensions );
 
     return( 0 );
 }

From 616ba75c233b47dac91ac652621acb15b30a32c9 Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Tue, 8 Nov 2022 21:49:47 +0800
Subject: [PATCH 041/159] move test cases and mark `tls13-kex-modes.sh` as
 locked

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 tests/opt-testcases/tls13-kex-modes.sh | 215 +------------------------
 tests/opt-testcases/tls13-misc.sh      | 214 ++++++++++++++++++++++++
 2 files changed, 216 insertions(+), 213 deletions(-)

diff --git a/tests/opt-testcases/tls13-kex-modes.sh b/tests/opt-testcases/tls13-kex-modes.sh
index b1320c5b5..2681f61f1 100755
--- a/tests/opt-testcases/tls13-kex-modes.sh
+++ b/tests/opt-testcases/tls13-kex-modes.sh
@@ -18,219 +18,8 @@
 # limitations under the License.
 #
 
-requires_gnutls_tls1_3
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-requires_config_enabled MBEDTLS_SSL_SRV_C
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
-
-run_test    "TLS 1.3: PSK: No valid ciphersuite. G->m" \
-            "$P_SRV force_version=tls13 tls13_kex_modes=all debug_level=5 $(get_srv_psk_list)" \
-            "$G_NEXT_CLI -d 10 --priority NORMAL:-VERS-ALL:-CIPHER-ALL:+AES-256-GCM:+AEAD:+SHA384:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK:+VERS-TLS1.3 \
-                         --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70 \
-                         localhost" \
-            1 \
-            -s "found psk key exchange modes extension" \
-            -s "found pre_shared_key extension" \
-            -s "Found PSK_EPHEMERAL KEX MODE" \
-            -s "Found PSK KEX MODE" \
-            -s "No matched ciphersuite"
-
-requires_openssl_tls1_3
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-requires_config_enabled MBEDTLS_SSL_SRV_C
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
-
-run_test    "TLS 1.3: PSK: No valid ciphersuite. O->m" \
-            "$P_SRV force_version=tls13 tls13_kex_modes=all debug_level=5 $(get_srv_psk_list)" \
-            "$O_NEXT_CLI -tls1_3 -msg -allow_no_dhe_kex -ciphersuites TLS_AES_256_GCM_SHA384\
-                         -psk_identity Client_identity -psk 6162636465666768696a6b6c6d6e6f70" \
-            1 \
-            -s "found psk key exchange modes extension" \
-            -s "found pre_shared_key extension" \
-            -s "Found PSK_EPHEMERAL KEX MODE" \
-            -s "Found PSK KEX MODE" \
-            -s "No matched ciphersuite"
-
-requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
-                             MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME
-requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
-                             MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
-                             MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-run_test "TLS 1.3 m->m: Multiple PSKs: valid ticket, reconnect with ticket" \
-         "$P_SRV force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 tickets=8" \
-         "$P_CLI force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 reco_mode=1 reconnect=1" \
-         0 \
-         -c "Pre-configured PSK number = 2" \
-         -s "sent selected_identity: 0" \
-         -s "key exchange mode: psk_ephemeral" \
-         -S "key exchange mode: psk$" \
-         -S "key exchange mode: ephemeral$" \
-         -S "ticket is not authentic"
-
-requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
-                             MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME
-requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
-                             MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
-                             MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-run_test "TLS 1.3 m->m: Multiple PSKs: invalid ticket, reconnect with PSK" \
-         "$P_SRV force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 tickets=8 dummy_ticket=1" \
-         "$P_CLI force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 reco_mode=1 reconnect=1" \
-         0 \
-         -c "Pre-configured PSK number = 2" \
-         -s "sent selected_identity: 1" \
-         -s "key exchange mode: psk_ephemeral" \
-         -S "key exchange mode: psk$" \
-         -S "key exchange mode: ephemeral$" \
-         -s "ticket is not authentic"
-
-requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
-                             MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME
-requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
-                             MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
-                             MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-run_test "TLS 1.3 m->m: Session resumption failure, ticket authentication failed." \
-         "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=1" \
-         "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
-         0 \
-         -c "Pre-configured PSK number = 1" \
-         -S "sent selected_identity:" \
-         -s "key exchange mode: ephemeral" \
-         -S "key exchange mode: psk_ephemeral" \
-         -S "key exchange mode: psk$" \
-         -s "ticket is not authentic" \
-         -S "ticket is expired" \
-         -S "Invalid ticket start time" \
-         -S "Ticket age exceeds limitation" \
-         -S "Ticket age outside tolerance window"
-
-requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
-                             MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME
-requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
-                             MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
-                             MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-run_test "TLS 1.3 m->m: Session resumption failure, ticket expired." \
-         "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=2" \
-         "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
-         0 \
-         -c "Pre-configured PSK number = 1" \
-         -S "sent selected_identity:" \
-         -s "key exchange mode: ephemeral" \
-         -S "key exchange mode: psk_ephemeral" \
-         -S "key exchange mode: psk$" \
-         -S "ticket is not authentic" \
-         -s "ticket is expired" \
-         -S "Invalid ticket start time" \
-         -S "Ticket age exceeds limitation" \
-         -S "Ticket age outside tolerance window"
-
-requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
-                             MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME
-requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
-                             MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
-                             MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-run_test "TLS 1.3 m->m: Session resumption failure, invalid start time." \
-         "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=3" \
-         "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
-         0 \
-         -c "Pre-configured PSK number = 1" \
-         -S "sent selected_identity:" \
-         -s "key exchange mode: ephemeral" \
-         -S "key exchange mode: psk_ephemeral" \
-         -S "key exchange mode: psk$" \
-         -S "ticket is not authentic" \
-         -S "ticket is expired" \
-         -s "Invalid ticket start time" \
-         -S "Ticket age exceeds limitation" \
-         -S "Ticket age outside tolerance window"
-
-requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
-                             MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME
-requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
-                             MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
-                             MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-run_test "TLS 1.3 m->m: Session resumption failure, ticket expired. too old" \
-         "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=4" \
-         "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
-         0 \
-         -c "Pre-configured PSK number = 1" \
-         -S "sent selected_identity:" \
-         -s "key exchange mode: ephemeral" \
-         -S "key exchange mode: psk_ephemeral" \
-         -S "key exchange mode: psk$" \
-         -S "ticket is not authentic" \
-         -S "ticket is expired" \
-         -S "Invalid ticket start time" \
-         -s "Ticket age exceeds limitation" \
-         -S "Ticket age outside tolerance window"
-
-requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
-                             MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME
-requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
-                             MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
-                             MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-run_test "TLS 1.3 m->m: Session resumption failure, age outside tolerance window, too young." \
-         "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=5" \
-         "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
-         0 \
-         -c "Pre-configured PSK number = 1" \
-         -S "sent selected_identity:" \
-         -s "key exchange mode: ephemeral" \
-         -S "key exchange mode: psk_ephemeral" \
-         -S "key exchange mode: psk$" \
-         -S "ticket is not authentic" \
-         -S "ticket is expired" \
-         -S "Invalid ticket start time" \
-         -S "Ticket age exceeds limitation" \
-         -s "Ticket age outside tolerance window"
-
-requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
-                             MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME
-requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
-                             MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
-                             MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-run_test "TLS 1.3 m->m: Session resumption failure, age outside tolerance window, too old." \
-         "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=6" \
-         "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
-         0 \
-         -c "Pre-configured PSK number = 1" \
-         -S "sent selected_identity:" \
-         -s "key exchange mode: ephemeral" \
-         -S "key exchange mode: psk_ephemeral" \
-         -S "key exchange mode: psk$" \
-         -S "ticket is not authentic" \
-         -S "ticket is expired" \
-         -S "Invalid ticket start time" \
-         -S "Ticket age exceeds limitation" \
-         -s "Ticket age outside tolerance window"
-
-requires_gnutls_tls1_3
-requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
-run_test    "TLS 1.3: G->m: ephemeral_all/psk, fail, no common kex mode" \
-            "$P_SRV force_version=tls13 tls13_kex_modes=psk debug_level=5 $(get_srv_psk_list)" \
-            "$G_NEXT_CLI -d 10 --priority NORMAL:-VERS-ALL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK:+VERS-TLS1.3 \
-                         --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70 \
-                         localhost" \
-            1 \
-            -s "found psk key exchange modes extension" \
-            -s "found pre_shared_key extension" \
-            -s "Found PSK_EPHEMERAL KEX MODE" \
-            -S "Found PSK KEX MODE" \
-            -S "key exchange mode: psk$"  \
-            -S "key exchange mode: psk_ephemeral"  \
-            -S "key exchange mode: ephemeral"
+# DO NOT ADD NEW TEST CASES INTO THIS FILE. The left cases can be generated by
+# scripts in future(#6280)
 
 requires_gnutls_tls1_3
 requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh
index 661b3500b..4ad6faa48 100755
--- a/tests/opt-testcases/tls13-misc.sh
+++ b/tests/opt-testcases/tls13-misc.sh
@@ -18,6 +18,220 @@
 # limitations under the License.
 #
 
+requires_gnutls_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+
+run_test    "TLS 1.3: PSK: No valid ciphersuite. G->m" \
+            "$P_SRV force_version=tls13 tls13_kex_modes=all debug_level=5 $(get_srv_psk_list)" \
+            "$G_NEXT_CLI -d 10 --priority NORMAL:-VERS-ALL:-CIPHER-ALL:+AES-256-GCM:+AEAD:+SHA384:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK:+VERS-TLS1.3 \
+                         --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70 \
+                         localhost" \
+            1 \
+            -s "found psk key exchange modes extension" \
+            -s "found pre_shared_key extension" \
+            -s "Found PSK_EPHEMERAL KEX MODE" \
+            -s "Found PSK KEX MODE" \
+            -s "No matched ciphersuite"
+
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+
+run_test    "TLS 1.3: PSK: No valid ciphersuite. O->m" \
+            "$P_SRV force_version=tls13 tls13_kex_modes=all debug_level=5 $(get_srv_psk_list)" \
+            "$O_NEXT_CLI -tls1_3 -msg -allow_no_dhe_kex -ciphersuites TLS_AES_256_GCM_SHA384\
+                         -psk_identity Client_identity -psk 6162636465666768696a6b6c6d6e6f70" \
+            1 \
+            -s "found psk key exchange modes extension" \
+            -s "found pre_shared_key extension" \
+            -s "Found PSK_EPHEMERAL KEX MODE" \
+            -s "Found PSK KEX MODE" \
+            -s "No matched ciphersuite"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
+                             MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
+                             MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
+                             MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+run_test "TLS 1.3 m->m: Multiple PSKs: valid ticket, reconnect with ticket" \
+         "$P_SRV force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 tickets=8" \
+         "$P_CLI force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 reco_mode=1 reconnect=1" \
+         0 \
+         -c "Pre-configured PSK number = 2" \
+         -s "sent selected_identity: 0" \
+         -s "key exchange mode: psk_ephemeral" \
+         -S "key exchange mode: psk$" \
+         -S "key exchange mode: ephemeral$" \
+         -S "ticket is not authentic"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
+                             MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
+                             MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
+                             MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+run_test "TLS 1.3 m->m: Multiple PSKs: invalid ticket, reconnect with PSK" \
+         "$P_SRV force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 tickets=8 dummy_ticket=1" \
+         "$P_CLI force_version=tls13 tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70 reco_mode=1 reconnect=1" \
+         0 \
+         -c "Pre-configured PSK number = 2" \
+         -s "sent selected_identity: 1" \
+         -s "key exchange mode: psk_ephemeral" \
+         -S "key exchange mode: psk$" \
+         -S "key exchange mode: ephemeral$" \
+         -s "ticket is not authentic"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
+                             MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
+                             MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
+                             MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+run_test "TLS 1.3 m->m: Session resumption failure, ticket authentication failed." \
+         "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=1" \
+         "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
+         0 \
+         -c "Pre-configured PSK number = 1" \
+         -S "sent selected_identity:" \
+         -s "key exchange mode: ephemeral" \
+         -S "key exchange mode: psk_ephemeral" \
+         -S "key exchange mode: psk$" \
+         -s "ticket is not authentic" \
+         -S "ticket is expired" \
+         -S "Invalid ticket start time" \
+         -S "Ticket age exceeds limitation" \
+         -S "Ticket age outside tolerance window"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
+                             MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
+                             MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
+                             MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+run_test "TLS 1.3 m->m: Session resumption failure, ticket expired." \
+         "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=2" \
+         "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
+         0 \
+         -c "Pre-configured PSK number = 1" \
+         -S "sent selected_identity:" \
+         -s "key exchange mode: ephemeral" \
+         -S "key exchange mode: psk_ephemeral" \
+         -S "key exchange mode: psk$" \
+         -S "ticket is not authentic" \
+         -s "ticket is expired" \
+         -S "Invalid ticket start time" \
+         -S "Ticket age exceeds limitation" \
+         -S "Ticket age outside tolerance window"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
+                             MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
+                             MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
+                             MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+run_test "TLS 1.3 m->m: Session resumption failure, invalid start time." \
+         "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=3" \
+         "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
+         0 \
+         -c "Pre-configured PSK number = 1" \
+         -S "sent selected_identity:" \
+         -s "key exchange mode: ephemeral" \
+         -S "key exchange mode: psk_ephemeral" \
+         -S "key exchange mode: psk$" \
+         -S "ticket is not authentic" \
+         -S "ticket is expired" \
+         -s "Invalid ticket start time" \
+         -S "Ticket age exceeds limitation" \
+         -S "Ticket age outside tolerance window"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
+                             MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
+                             MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
+                             MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+run_test "TLS 1.3 m->m: Session resumption failure, ticket expired. too old" \
+         "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=4" \
+         "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
+         0 \
+         -c "Pre-configured PSK number = 1" \
+         -S "sent selected_identity:" \
+         -s "key exchange mode: ephemeral" \
+         -S "key exchange mode: psk_ephemeral" \
+         -S "key exchange mode: psk$" \
+         -S "ticket is not authentic" \
+         -S "ticket is expired" \
+         -S "Invalid ticket start time" \
+         -s "Ticket age exceeds limitation" \
+         -S "Ticket age outside tolerance window"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
+                             MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
+                             MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
+                             MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+run_test "TLS 1.3 m->m: Session resumption failure, age outside tolerance window, too young." \
+         "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=5" \
+         "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
+         0 \
+         -c "Pre-configured PSK number = 1" \
+         -S "sent selected_identity:" \
+         -s "key exchange mode: ephemeral" \
+         -S "key exchange mode: psk_ephemeral" \
+         -S "key exchange mode: psk$" \
+         -S "ticket is not authentic" \
+         -S "ticket is expired" \
+         -S "Invalid ticket start time" \
+         -S "Ticket age exceeds limitation" \
+         -s "Ticket age outside tolerance window"
+
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_SSL_SRV_C \
+                             MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
+                             MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
+                             MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+run_test "TLS 1.3 m->m: Session resumption failure, age outside tolerance window, too old." \
+         "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=6" \
+         "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \
+         0 \
+         -c "Pre-configured PSK number = 1" \
+         -S "sent selected_identity:" \
+         -s "key exchange mode: ephemeral" \
+         -S "key exchange mode: psk_ephemeral" \
+         -S "key exchange mode: psk$" \
+         -S "ticket is not authentic" \
+         -S "ticket is expired" \
+         -S "Invalid ticket start time" \
+         -S "Ticket age exceeds limitation" \
+         -s "Ticket age outside tolerance window"
+
+requires_gnutls_tls1_3
+requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+run_test    "TLS 1.3: G->m: ephemeral_all/psk, fail, no common kex mode" \
+            "$P_SRV force_version=tls13 tls13_kex_modes=psk debug_level=5 $(get_srv_psk_list)" \
+            "$G_NEXT_CLI -d 10 --priority NORMAL:-VERS-ALL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK:+VERS-TLS1.3 \
+                         --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70 \
+                         localhost" \
+            1 \
+            -s "found psk key exchange modes extension" \
+            -s "found pre_shared_key extension" \
+            -s "Found PSK_EPHEMERAL KEX MODE" \
+            -S "Found PSK KEX MODE" \
+            -S "key exchange mode: psk$"  \
+            -S "key exchange mode: psk_ephemeral"  \
+            -S "key exchange mode: ephemeral"
+
 requires_gnutls_tls1_3
 requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C \
                              MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \

From 6856f4c70d2a0e3fb16e180ae45aa19db36772d7 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Wed, 9 Nov 2022 10:50:29 +0100
Subject: [PATCH 042/159] Fix typos and comments

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 tests/scripts/analyze_outcomes.py | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index de52d776b..74b3184d0 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -63,7 +63,7 @@ def analyze_coverage(results, outcomes):
 def analyze_driver_vs_reference(outcomes, components, ignored_tests):
     """Check that all tests executed in the reference component are also
     executed in the corresponding driver component.
-    Skip test suits provided in ignored_tests list.
+    Skip test suites provided in ignored_tests list.
     """
     driver_component = components[0]
     reference_component = components[1]
@@ -72,9 +72,9 @@ def analyze_driver_vs_reference(outcomes, components, ignored_tests):
 
     for key in available:
         # Skip ignored test suites
-        test_suit = key.split(';')[0] # retrieve test suit name
-        test_suit = test_suit.split('.')[0] # retrieve main part of test suit name
-        if test_suit in ignored_tests:
+        test_suite = key.split(';')[0] # retrieve test suit name
+        test_suite = test_suite.split('.')[0] # retrieve main part of test suit name
+        if test_suite in ignored_tests:
             continue
         # Continue if test was not executed by any component
         hits = outcomes[key].hits() if key in outcomes else 0
@@ -88,8 +88,6 @@ def analyze_driver_vs_reference(outcomes, components, ignored_tests):
                 driver_test_passed = True
             if reference_component in entry:
                 reference_test_passed = True
-        #if(driver_test_passed is True and reference_test_passed is False):
-        #    print('{}: driver: passed; reference: skipped'.format(key))
         if(driver_test_passed is False and reference_test_passed is True):
             print('{}: driver: skipped/failed; reference: passed'.format(key))
             result = False
@@ -123,7 +121,7 @@ by a semicolon.
     return outcomes
 
 def do_analyze_coverage(outcome_file, args):
-    """Perform coverage analyze."""
+    """Perform coverage analysis."""
     del args # unused
     outcomes = read_outcome_file(outcome_file)
     results = analyze_outcomes(outcomes)
@@ -141,7 +139,7 @@ def do_analyze_driver_vs_reference(outcome_file, args):
     outcomes = read_outcome_file(outcome_file)
     return analyze_driver_vs_reference(outcomes, components, ignored_tests)
 
-# List of tasks with function that can handle this task and additional arguments if required
+# List of tasks with a function that can handle this task and additional arguments if required
 # pylint: disable=line-too-long
 TASKS = {
     'analyze_coverage':                 {
@@ -161,7 +159,7 @@ def main():
         parser.add_argument('outcomes', metavar='OUTCOMES.CSV',
                             help='Outcome file to analyze')
         parser.add_argument('--task', default='all',
-                            help='Analyze to be done: all or analyze_coverage or '
+                            help='Analysis to be done: all or analyze_coverage or '
                             'analyze_driver_vs_reference_hash')
         options = parser.parse_args()
 

From 51f30ff6e687ccd669611a4d9190cc98d67886a9 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Wed, 9 Nov 2022 12:07:29 +0100
Subject: [PATCH 043/159] Make separate components for ref and driver in TASKS

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 tests/scripts/analyze_outcomes.py | 22 ++++++++--------------
 1 file changed, 8 insertions(+), 14 deletions(-)

diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 74b3184d0..031e16132 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -60,13 +60,11 @@ def analyze_coverage(results, outcomes):
             # fixed this branch to have full coverage of test cases.
             results.warning('Test case not executed: {}', key)
 
-def analyze_driver_vs_reference(outcomes, components, ignored_tests):
+def analyze_driver_vs_reference(outcomes, component_ref,component_driver, ignored_tests):
     """Check that all tests executed in the reference component are also
     executed in the corresponding driver component.
     Skip test suites provided in ignored_tests list.
     """
-    driver_component = components[0]
-    reference_component = components[1]
     available = check_test_cases.collect_available_test_cases()
     result = True
 
@@ -84,9 +82,9 @@ def analyze_driver_vs_reference(outcomes, components, ignored_tests):
         driver_test_passed = False
         reference_test_passed = False
         for entry in outcomes[key].successes:
-            if driver_component in entry:
+            if component_driver in entry:
                 driver_test_passed = True
-            if reference_component in entry:
+            if component_ref in entry:
                 reference_test_passed = True
         if(driver_test_passed is False and reference_test_passed is True):
             print('{}: driver: skipped/failed; reference: passed'.format(key))
@@ -129,18 +127,14 @@ def do_analyze_coverage(outcome_file, args):
 
 def do_analyze_driver_vs_reference(outcome_file, args):
     """Perform driver vs reference analyze."""
-    components = args['components'].split(',')
     ignored_tests = args['ignored'].split(',')
     ignored_tests = ['test_suite_' + x for x in ignored_tests]
-    # We need exactly 2 components to analyze (first driver and second reference)
-    if(len(components) != 2 or "accel" not in components[0] or "reference" not in components[1]):
-        print('Error: Wrong component list. Exactly 2 components are required (driver,reference). ')
-        return False
+
     outcomes = read_outcome_file(outcome_file)
-    return analyze_driver_vs_reference(outcomes, components, ignored_tests)
+    return analyze_driver_vs_reference(outcomes, args['component_ref'],
+                                       args['component_driver'], ignored_tests)
 
 # List of tasks with a function that can handle this task and additional arguments if required
-# pylint: disable=line-too-long
 TASKS = {
     'analyze_coverage':                 {
         'test_function': do_analyze_coverage,
@@ -148,10 +142,10 @@ TASKS = {
     'analyze_driver_vs_reference_hash': {
         'test_function': do_analyze_driver_vs_reference,
         'args': {
-            'components': 'test_psa_crypto_config_accel_hash_use_psa,test_psa_crypto_config_reference_hash_use_psa',
+            'component_ref': 'test_psa_crypto_config_reference_hash_use_psa',
+            'component_driver': 'test_psa_crypto_config_accel_hash_use_psa',
             'ignored': 'md,mdx,shax,entropy,hmac_drbg,random,psa_crypto_init,hkdf'}}
 }
-# pylint: enable=line-too-long
 
 def main():
     try:

From be279c7bcc6f5b33a704ff925960d81fdc72b3c1 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Wed, 9 Nov 2022 12:17:08 +0100
Subject: [PATCH 044/159] Make a list from ignored tests in TASKS

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 tests/scripts/analyze_outcomes.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 031e16132..85ec97c16 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -127,8 +127,7 @@ def do_analyze_coverage(outcome_file, args):
 
 def do_analyze_driver_vs_reference(outcome_file, args):
     """Perform driver vs reference analyze."""
-    ignored_tests = args['ignored'].split(',')
-    ignored_tests = ['test_suite_' + x for x in ignored_tests]
+    ignored_tests = ['test_suite_' + x for x in args['ignored_suites']]
 
     outcomes = read_outcome_file(outcome_file)
     return analyze_driver_vs_reference(outcomes, args['component_ref'],
@@ -144,7 +143,13 @@ TASKS = {
         'args': {
             'component_ref': 'test_psa_crypto_config_reference_hash_use_psa',
             'component_driver': 'test_psa_crypto_config_accel_hash_use_psa',
-            'ignored': 'md,mdx,shax,entropy,hmac_drbg,random,psa_crypto_init,hkdf'}}
+            'ignored_suites': ['shax','mdx', # the software implementations that are being excluded
+                               'md'  # the legacy abstraction layer that's being excluded
+                               'entropy','hmac_drbg','random', # temporary limitation (see RNG EPIC)
+                               'psa_crypto_init', # doesn't work with external RNG
+                               'hkdf', # legacy still depends on MD, but there's a PSA interface that doesn't
+                               'pkcs7 '  # recent addition, will be addressed later
+                              ]}}
 }
 
 def main():

From 91e35e3c32426387541f176f2d9320d3514b3564 Mon Sep 17 00:00:00 2001
From: Tom Cosgrove <tom.cosgrove@arm.com>
Date: Wed, 9 Nov 2022 11:45:29 +0000
Subject: [PATCH 045/159] Enable mpi_mod_int test case to take full-range MPI
 integers

Also add commented-out test cases that currently fail

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
---
 tests/suites/test_suite_bignum.function  | 37 +++++++++++++++++-----
 tests/suites/test_suite_bignum.misc.data | 40 +++++++++++++++++-------
 2 files changed, 58 insertions(+), 19 deletions(-)

diff --git a/tests/suites/test_suite_bignum.function b/tests/suites/test_suite_bignum.function
index 4cec0a7c7..40b23fe63 100644
--- a/tests/suites/test_suite_bignum.function
+++ b/tests/suites/test_suite_bignum.function
@@ -959,24 +959,47 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mpi_mod_int( char * input_X, int input_Y,
-                  int input_A, int div_result )
+void mpi_mod_int( char * input_X, char * input_Y,
+                  char * input_A, int mod_result )
 {
     mbedtls_mpi X;
+    mbedtls_mpi Y;
+    mbedtls_mpi A;
     int res;
     mbedtls_mpi_uint r;
-    mbedtls_mpi_init( &X );
 
-    TEST_ASSERT( mbedtls_test_read_mpi( &X, input_X ) == 0 );
-    res = mbedtls_mpi_mod_int( &r, &X, input_Y );
-    TEST_ASSERT( res == div_result );
+    mbedtls_mpi_init( &X );
+    mbedtls_mpi_init( &Y );
+    mbedtls_mpi_init( &A );
+
+    /* We use MPIs to read Y and A since the test framework limits us to
+     * ints, so we can't have 64-bit values */
+    TEST_EQUAL( mbedtls_test_read_mpi( &X, input_X ), 0 );
+    TEST_EQUAL( mbedtls_test_read_mpi( &Y, input_Y ), 0 );
+    TEST_EQUAL( mbedtls_test_read_mpi( &A, input_A ), 0 );
+
+    TEST_EQUAL( Y.n, 1 );
+    TEST_EQUAL( A.n, 1 );
+
+    /* Convert the MPIs for Y and A to signed mbedtls_mpi_uints */
+    mbedtls_mpi_uint y = Y.p[0];
+    if( Y.s == -1 )
+        y = -y;
+    mbedtls_mpi_uint a = A.p[0];
+    if( A.s == -1 )
+        a = -a;
+
+    res = mbedtls_mpi_mod_int( &r, &X, y );
+    TEST_EQUAL( res, mod_result );
     if( res == 0 )
     {
-        TEST_ASSERT( r == (mbedtls_mpi_uint) input_A );
+        TEST_EQUAL( r, a );
     }
 
 exit:
     mbedtls_mpi_free( &X );
+    mbedtls_mpi_free( &Y );
+    mbedtls_mpi_free( &A );
 }
 /* END_CASE */
 
diff --git a/tests/suites/test_suite_bignum.misc.data b/tests/suites/test_suite_bignum.misc.data
index 29ba4ab46..70b4998e2 100644
--- a/tests/suites/test_suite_bignum.misc.data
+++ b/tests/suites/test_suite_bignum.misc.data
@@ -1205,40 +1205,56 @@ Test mbedtls_mpi_mod_mpi: 0 (null) % -1
 mpi_mod_mpi:"":"-1":"":MBEDTLS_ERR_MPI_NEGATIVE_VALUE
 
 Base test mbedtls_mpi_mod_int #1
-mpi_mod_int:"3e8":13:12:0
+mpi_mod_int:"3e8":"d":"c":0
 
 Base test mbedtls_mpi_mod_int #2 (Divide by zero)
-mpi_mod_int:"3e8":0:0:MBEDTLS_ERR_MPI_DIVISION_BY_ZERO
+mpi_mod_int:"3e8":"0":"0":MBEDTLS_ERR_MPI_DIVISION_BY_ZERO
 
 Base test mbedtls_mpi_mod_int #3
-mpi_mod_int:"-3e8":13:1:0
+mpi_mod_int:"-3e8":"d":"1":0
 
 Base test mbedtls_mpi_mod_int #4 (Negative modulo)
-mpi_mod_int:"3e8":-13:0:MBEDTLS_ERR_MPI_NEGATIVE_VALUE
+mpi_mod_int:"3e8":"-d":"0":MBEDTLS_ERR_MPI_NEGATIVE_VALUE
 
 Base test mbedtls_mpi_mod_int #5 (Negative modulo)
-mpi_mod_int:"-3e8":-13:0:MBEDTLS_ERR_MPI_NEGATIVE_VALUE
+mpi_mod_int:"-3e8":"-d":"0":MBEDTLS_ERR_MPI_NEGATIVE_VALUE
 
 Base test mbedtls_mpi_mod_int #6 (By 1)
-mpi_mod_int:"3e8":1:0:0
+mpi_mod_int:"3e8":"1":"0":0
 
 Base test mbedtls_mpi_mod_int #7 (By 2)
-mpi_mod_int:"3e9":2:1:0
+mpi_mod_int:"3e9":"2":"1":0
 
 Base test mbedtls_mpi_mod_int #8 (By 2)
-mpi_mod_int:"3e8":2:0:0
+mpi_mod_int:"3e8":"2":"0":0
 
 Test mbedtls_mpi_mod_int: 0 (null) % 1
-mpi_mod_int:"":1:0:0
+mpi_mod_int:"":"1":"0":0
 
 Test mbedtls_mpi_mod_int: 0 (null) % 2
-mpi_mod_int:"":2:0:0
+mpi_mod_int:"":"2":"0":0
 
 Test mbedtls_mpi_mod_int: 0 (null) % -1
-mpi_mod_int:"":-1:0:MBEDTLS_ERR_MPI_NEGATIVE_VALUE
+mpi_mod_int:"":"-1":"0":MBEDTLS_ERR_MPI_NEGATIVE_VALUE
 
 Test mbedtls_mpi_mod_int: 0 (null) % -2
-mpi_mod_int:"":-2:0:MBEDTLS_ERR_MPI_NEGATIVE_VALUE
+mpi_mod_int:"":"-2":"0":MBEDTLS_ERR_MPI_NEGATIVE_VALUE
+
+# CURRENTLY FAILS
+#Test mbedtls_mpi_mod_int: 230772460340063000000100500000300000010 % 5178236083361335880 -> 3386266129388798810
+#depends_on:MBEDTLS_HAVE_INT64
+#mpi_mod_int:"AD9D28BF6C4E98FDF156BF0980CEE30A":"47DCCA4847DCCA48":"2EFE6F1A7D28035A":0
+
+Test mbedtls_mpi_mod_mpi: 230772460340063000000100500000300000010 % 5178236083361335880 -> 3386266129388798810
+mpi_mod_mpi:"AD9D28BF6C4E98FDF156BF0980CEE30A":"47DCCA4847DCCA48":"2EFE6F1A7D28035A":0
+
+# CURRENTLY FAILS WHEN MPIS ARE 32-BIT: WHEN FIXED, REMOVE "depends_on" LINE
+Test mbedtls_mpi_mod_int: 230772460340063000000100500000300000010 % 1205652040 -> 3644370
+depends_on:MBEDTLS_HAVE_INT64
+mpi_mod_int:"AD9D28BF6C4E98FDF156BF0980CEE30A":"47DCCA48":"379BD2":0
+
+Test mbedtls_mpi_mod_mpi: 230772460340063000000100500000300000010 % 1205652040 -> 3644370
+mpi_mod_mpi:"AD9D28BF6C4E98FDF156BF0980CEE30A":"47DCCA48":"379BD2":0
 
 Base test mbedtls_mpi_exp_mod #1
 mpi_exp_mod:"17":"d":"1d":"18":0

From 992de3c56284bf48758a33d189a511a73c7c727e Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Wed, 9 Nov 2022 13:54:49 +0100
Subject: [PATCH 046/159] Make TASK parameter positional and allow more than
 one task

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 tests/scripts/analyze_outcomes.py | 36 +++++++++++++++++++++----------
 1 file changed, 25 insertions(+), 11 deletions(-)

diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 85ec97c16..f78af68f3 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -144,7 +144,7 @@ TASKS = {
             'component_ref': 'test_psa_crypto_config_reference_hash_use_psa',
             'component_driver': 'test_psa_crypto_config_accel_hash_use_psa',
             'ignored_suites': ['shax','mdx', # the software implementations that are being excluded
-                               'md'  # the legacy abstraction layer that's being excluded
+                               'md',  # the legacy abstraction layer that's being excluded
                                'entropy','hmac_drbg','random', # temporary limitation (see RNG EPIC)
                                'psa_crypto_init', # doesn't work with external RNG
                                'hkdf', # legacy still depends on MD, but there's a PSA interface that doesn't
@@ -157,24 +157,38 @@ def main():
         parser = argparse.ArgumentParser(description=__doc__)
         parser.add_argument('outcomes', metavar='OUTCOMES.CSV',
                             help='Outcome file to analyze')
-        parser.add_argument('--task', default='all',
-                            help='Analysis to be done: all or analyze_coverage or '
-                            'analyze_driver_vs_reference_hash')
+        parser.add_argument('task', default='all',
+                            help='Analysis to be done. By default, run all tasks. '
+                                 'With one or more TASK, run only those. '
+                                 'TASK can be the name of a single task or '
+                                 'coma-separated list of tasks. ')
+        parser.add_argument('--list', action='store_true',
+                            help='List all available tasks and exit.')
         options = parser.parse_args()
 
+        if options.list:
+            for task in TASKS:
+                print(task)
+            sys.exit(0)
+
         result = True
 
+        tasks = []
         if options.task == 'all':
             for task in TASKS:
+                tasks.append(task)
+        else:
+            tasks = options.task.split(',')
+
+        for task in tasks:
+            if task not in TASKS:
+                print('Error: invalid task: {}'.format(task))
+                sys.exit(1)
+
+        for task in TASKS:
+            if task in tasks:
                 if not TASKS[task]['test_function'](options.outcomes, TASKS[task]['args']):
                     result = False
-        elif options.task in TASKS:
-            if not TASKS[options.task]['test_function'](options.outcomes,
-                                                        TASKS[options.task]['args']):
-                result = False
-        else:
-            print('Error: Unknown task: {}'.format(options.task))
-            result = False
 
         if result is False:
             sys.exit(1)

From 93986645d8a6f6e157d04c892386ddc6fa5a7de5 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Wed, 9 Nov 2022 15:06:44 +0100
Subject: [PATCH 047/159] Remove reference vs drivers test from
 outcome-analysis.sh

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 .../psa-migration/outcome-analysis.sh         | 71 ++++++-------------
 1 file changed, 20 insertions(+), 51 deletions(-)

diff --git a/docs/architecture/psa-migration/outcome-analysis.sh b/docs/architecture/psa-migration/outcome-analysis.sh
index 81ab69183..908468548 100755
--- a/docs/architecture/psa-migration/outcome-analysis.sh
+++ b/docs/architecture/psa-migration/outcome-analysis.sh
@@ -13,6 +13,7 @@
 # - the set of tests skipped in the driver-only build is the same as in an
 #   equivalent software-based configuration, or the difference is small enough,
 #   justified, and a github issue is created to track it.
+#   This part is verified by tests/scripts/analyze_outcomes.py
 #
 # WARNING: this script checks out a commit other than the head of the current
 # branch; it checks out the current branch again when running successfully,
@@ -26,30 +27,12 @@
 # re-running this script (for example "get numbers before this PR").
 
 # ----- BEGIN edit this -----
-# The component in all.sh that builds and tests with drivers.
-DRIVER_COMPONENT=test_psa_crypto_config_accel_hash_use_psa
-# A similar configuration to that of the component, except without drivers,
-# for comparison.
-reference_config () {
-    # start with full
-    scripts/config.py full
-    # use PSA config and disable driver-less algs as in the component
-    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
-    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
-    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
-    # disable options as in the component
-    # (no need to disable whole modules, we'll just skip their test suite)
-    scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC
-    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
-}
 # Space-separated list of test suites to ignore:
 # if SSS is in that list, test_suite_SSS and test_suite_SSS.* are ignored.
 IGNORE="md mdx shax" # accelerated
 IGNORE="$IGNORE entropy hmac_drbg random" # disabled (ext. RNG)
 IGNORE="$IGNORE psa_crypto_init" # needs internal RNG
 IGNORE="$IGNORE hkdf" # disabled in the all.sh component tested
-# Compare only "reference vs driver" or also "before vs after"?
-BEFORE_AFTER=1 # 0 or 1
 # ----- END edit this -----
 
 set -eu
@@ -65,38 +48,27 @@ record() {
     make check
 }
 
-if [ "$BEFORE_AFTER" -eq 1 ]; then
-    # save current HEAD
-    HEAD=$(git branch --show-current)
+# save current HEAD
+HEAD=$(git branch --show-current)
 
-    # get the numbers before this PR for default and full
-    cleanup
-    git checkout $(git merge-base HEAD development)
-    record "before-default"
-
-    cleanup
-    scripts/config.py full
-    record "before-full"
-
-    # get the numbers now for default and full
-    cleanup
-    git checkout $HEAD
-    record "after-default"
-
-    cleanup
-    scripts/config.py full
-    record "after-full"
-fi
-
-# get the numbers now for driver-only and reference
+# get the numbers before this PR for default and full
 cleanup
-reference_config
-record "reference"
+git checkout $(git merge-base HEAD development)
+record "before-default"
 
 cleanup
-export MBEDTLS_TEST_OUTCOME_FILE="$PWD/outcome-drivers.csv"
-export SKIP_SSL_OPT_COMPAT_SH=1
-tests/scripts/all.sh -k test_psa_crypto_config_accel_hash_use_psa
+scripts/config.py full
+record "before-full"
+
+# get the numbers now for default and full
+cleanup
+git checkout $HEAD
+record "after-default"
+
+cleanup
+scripts/config.py full
+record "after-full"
+
 
 # analysis
 
@@ -156,8 +128,5 @@ compare_builds () {
 }
 
 populate_suites
-if [ "$BEFORE_AFTER" -eq 1 ]; then
-    compare_builds before-default after-default
-    compare_builds before-full after-full
-fi
-compare_builds reference drivers
+compare_builds before-default after-default
+compare_builds before-full after-full

From 97be6a913ecf7d4436ca7bf923958b5bb5191421 Mon Sep 17 00:00:00 2001
From: Jerry Yu <jerry.h.yu@arm.com>
Date: Wed, 9 Nov 2022 22:43:31 +0800
Subject: [PATCH 048/159] fix various issues

- typo error
- replace `ssl->hanshake` with handshake

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
---
 library/ssl_client.c                   | 2 +-
 library/ssl_debug_helpers.h            | 4 ++--
 library/ssl_tls.c                      | 2 +-
 library/ssl_tls13_client.c             | 9 ++++-----
 library/ssl_tls13_generic.c            | 2 +-
 library/ssl_tls13_server.c             | 2 +-
 tests/opt-testcases/tls13-kex-modes.sh | 2 +-
 7 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/library/ssl_client.c b/library/ssl_client.c
index b226cafff..0f0ea1dc5 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -676,7 +676,7 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl,
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
     MBEDTLS_SSL_PRINT_EXTS(
-        3, MBEDTLS_SSL_HS_CLIENT_HELLO, ssl->handshake->sent_extensions );
+        3, MBEDTLS_SSL_HS_CLIENT_HELLO, handshake->sent_extensions );
 #endif
 
     *out_len = p - buf;
diff --git a/library/ssl_debug_helpers.h b/library/ssl_debug_helpers.h
index ccdda2a0d..4412f8e21 100644
--- a/library/ssl_debug_helpers.h
+++ b/library/ssl_debug_helpers.h
@@ -55,9 +55,9 @@ void mbedtls_ssl_print_extension( const mbedtls_ssl_context *ssl,
                                   int hs_msg_type, unsigned int extension_type,
                                   const char *extra_msg0, const char *extra_msg1 );
 
-#define MBEDTLS_SSL_PRINT_EXTS( level, hs_msg_type, extension_mask )            \
+#define MBEDTLS_SSL_PRINT_EXTS( level, hs_msg_type, extensions_mask )            \
             mbedtls_ssl_print_extensions( ssl, level, __FILE__, __LINE__,       \
-                                          hs_msg_type, extension_mask, NULL )
+                                          hs_msg_type, extensions_mask, NULL )
 
 #define MBEDTLS_SSL_PRINT_EXT( level, hs_msg_type, extension_type, extra )      \
             mbedtls_ssl_print_extension( ssl, level, __FILE__, __LINE__,        \
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index ea8464f0c..20648a166 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -754,7 +754,7 @@ void mbedtls_ssl_print_extensions( const mbedtls_ssl_context *ssl,
     {
         mbedtls_ssl_print_extension(
             ssl, level, file, line, hs_msg_type, extension_type_table[i],
-            extensions_mask & ( 1 << i ) ? "exists" : "does not exists", extra );
+            extensions_mask & ( 1 << i ) ? "exists" : "does not exist", extra );
     }
 }
 
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 364e886bc..9940a0e5e 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1742,8 +1742,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
         p += extension_data_len;
     }
 
-    MBEDTLS_SSL_PRINT_EXTS(
-        3, hs_msg_type, ssl->handshake->received_extensions );
+    MBEDTLS_SSL_PRINT_EXTS( 3, hs_msg_type, handshake->received_extensions );
 
 cleanup:
 
@@ -2036,7 +2035,7 @@ static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
     }
 
     MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
-                            ssl->handshake->received_extensions );
+                            handshake->received_extensions );
 
     /* Check that we consumed all the message. */
     if( p != end )
@@ -2225,7 +2224,7 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
     }
 
     MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
-                            ssl->handshake->received_extensions );
+                            handshake->received_extensions );
 
     /* Check that we consumed all the message. */
     if( p != end )
@@ -2517,7 +2516,7 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
     }
 
     MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
-                            ssl->handshake->received_extensions );
+                            handshake->received_extensions );
 
     return( 0 );
 }
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index a39949c1c..f85499889 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -547,7 +547,7 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
         }
 
         MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE,
-                                ssl->handshake->received_extensions );
+                                handshake->received_extensions );
     }
 
 exit:
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 597fbb7e6..3cd03108f 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1624,7 +1624,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
     }
 
     MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_CLIENT_HELLO,
-                            ssl->handshake->received_extensions );
+                            handshake->received_extensions );
 
     mbedtls_ssl_add_hs_hdr_to_checksum( ssl,
                                         MBEDTLS_SSL_HS_CLIENT_HELLO,
diff --git a/tests/opt-testcases/tls13-kex-modes.sh b/tests/opt-testcases/tls13-kex-modes.sh
index 2681f61f1..974d513d8 100755
--- a/tests/opt-testcases/tls13-kex-modes.sh
+++ b/tests/opt-testcases/tls13-kex-modes.sh
@@ -18,7 +18,7 @@
 # limitations under the License.
 #
 
-# DO NOT ADD NEW TEST CASES INTO THIS FILE. The left cases can be generated by
+# DO NOT ADD NEW TEST CASES INTO THIS FILE. The left cases will be generated by
 # scripts in future(#6280)
 
 requires_gnutls_tls1_3

From d21ecd71c0227c39178375c8204f63ff7b5987ec Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Tue, 8 Nov 2022 14:30:45 +0300
Subject: [PATCH 049/159] dh_genprime: Fix issue where the error code returned
 by mbedtls_mpi_write_file() is incorrectly reported on failure

In 'dh_genprime.c', the following condition can be found inside an 'if' statement:

ret = mbedtls_mpi_write_file( "P = ", &P, 16, fout ) != 0

As the '!=' operator binds closer than the assignment operator ('='), the value assigned to 'ret' will be the boolean result of the comparison (0 or 1) instead of the status code returned by 'mbedtls_mpi_write_file'. This means that the above statement is actually equivalent to:

ret = ( mbedtls_mpi_write_file( "P = ", &P, 16, fout ) != 0 )

What we want instead is for the the status code to be assigned to 'ret'. If the value assigned is non-zero, it will be 'truthy' and the 'if' branch will be taken.

( ret = mbedtls_mpi_write_file( "P = ", &P, 16, fout ) )  != 0

This PR fixes the issue by explicitly specifying the precedence of operations with parentheses.

Signed-off-by: ihsinme <ihsinme@gmail.com>
---
 programs/pkey/dh_genprime.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/programs/pkey/dh_genprime.c b/programs/pkey/dh_genprime.c
index 2e696e574..331838bb4 100644
--- a/programs/pkey/dh_genprime.c
+++ b/programs/pkey/dh_genprime.c
@@ -157,8 +157,8 @@ int main( int argc, char **argv )
         goto exit;
     }
 
-    if( ( ret = mbedtls_mpi_write_file( "P = ", &P, 16, fout ) != 0 ) ||
-        ( ret = mbedtls_mpi_write_file( "G = ", &G, 16, fout ) != 0 ) )
+    if( ( ( ret = mbedtls_mpi_write_file( "P = ", &P, 16, fout ) ) != 0 ) ||
+        ( ( ret = mbedtls_mpi_write_file( "G = ", &G, 16, fout ) ) != 0 ) )
     {
         mbedtls_printf( " failed\n  ! mbedtls_mpi_write_file returned %d\n\n", ret );
         fclose( fout );

From e9c86a100a90196e2560bc1614c53e68b3d71d2a Mon Sep 17 00:00:00 2001
From: Minos Galanakis <minos.galanakis@arm.com>
Date: Wed, 9 Nov 2022 11:46:47 +0000
Subject: [PATCH 050/159] bignum_mod_raw.py: Added BignumModRawOperation

This patch is adding a basic instantance of `BignumModRawOperation`
and creates an `BignumModRawOperationArchSplit` class, copying
over the implementation of `BignumCoreRawOperationArchSplit`.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
---
 scripts/mbedtls_dev/bignum_mod_raw.py | 38 +++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py
index 2e059b26e..1127ced8d 100644
--- a/scripts/mbedtls_dev/bignum_mod_raw.py
+++ b/scripts/mbedtls_dev/bignum_mod_raw.py
@@ -15,8 +15,11 @@
 # limitations under the License.
 
 from abc import ABCMeta
+from typing import Dict, Iterator, List
 
+from . import test_case
 from . import test_data_generation
+from . import bignum_common
 
 class BignumModRawTarget(test_data_generation.BaseTarget, metaclass=ABCMeta):
     #pylint: disable=abstract-method
@@ -48,7 +51,42 @@ class BignumModRawTarget(test_data_generation.BaseTarget, metaclass=ABCMeta):
 # END MERGE SLOT 6
 
 # BEGIN MERGE SLOT 7
+class BignumModRawOperation(bignum_common.OperationCommon, BignumModRawTarget, metaclass=ABCMeta):
+    #pylint: disable=abstract-method
+    pass
 
+class BignumModRawOperationArchSplit(BignumModRawOperation):
+    #pylint: disable=abstract-method
+    """Common features for bignum core operations where the result depends on
+    the limb size."""
+
+    def __init__(self, val_a: str, val_b: str, bits_in_limb: int) -> None:
+        super().__init__(val_a, val_b)
+        bound_val = max(self.int_a, self.int_b)
+        self.bits_in_limb = bits_in_limb
+        self.bound = bignum_common.bound_mpi(bound_val, self.bits_in_limb)
+        limbs = bignum_common.limbs_mpi(bound_val, self.bits_in_limb)
+        byte_len = limbs * self.bits_in_limb // 8
+        self.hex_digits = 2 * byte_len
+        if self.bits_in_limb == 32:
+            self.dependencies = ["MBEDTLS_HAVE_INT32"]
+        elif self.bits_in_limb == 64:
+            self.dependencies = ["MBEDTLS_HAVE_INT64"]
+        else:
+            raise ValueError("Invalid number of bits in limb!")
+        self.arg_a = self.arg_a.zfill(self.hex_digits)
+        self.arg_b = self.arg_b.zfill(self.hex_digits)
+        self.arg_a_int = bignum_common.hex_to_int(self.arg_a)
+        self.arg_b_int = bignum_common.hex_to_int(self.arg_b)
+
+    def pad_to_limbs(self, val) -> str:
+        return "{:x}".format(val).zfill(self.hex_digits)
+
+    @classmethod
+    def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
+        for a_value, b_value in cls.get_value_pairs():
+            yield cls(a_value, b_value, 32).create_test_case()
+            yield cls(a_value, b_value, 64).create_test_case()
 # END MERGE SLOT 7
 
 # BEGIN MERGE SLOT 8

From a461ece8104d1e50b0d9e041c63fb0218ca265e0 Mon Sep 17 00:00:00 2001
From: Minos Galanakis <minos.galanakis@arm.com>
Date: Wed, 9 Nov 2022 12:36:02 +0000
Subject: [PATCH 051/159] bignum_mod_raw.py: Refactoring
 `BignumModRawOperation`

This patch modifies the BignumModRawOperation class to
provide special access to key members commonly used
in tests.

It binds the module's getters to conversion functions
which enable automatic conversions such as:

* hex to int.
* zero padding hex strings.
* common Montgomery constants such as R, R^2 and R^01
  are now be calculated upon access.

class `BignumModRawOperationArchSplit` is also updated to
utilise the new design.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
---
 scripts/mbedtls_dev/bignum_mod_raw.py | 83 +++++++++++++++++++--------
 1 file changed, 59 insertions(+), 24 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py
index 1127ced8d..19942ed16 100644
--- a/scripts/mbedtls_dev/bignum_mod_raw.py
+++ b/scripts/mbedtls_dev/bignum_mod_raw.py
@@ -53,40 +53,75 @@ class BignumModRawTarget(test_data_generation.BaseTarget, metaclass=ABCMeta):
 # BEGIN MERGE SLOT 7
 class BignumModRawOperation(bignum_common.OperationCommon, BignumModRawTarget, metaclass=ABCMeta):
     #pylint: disable=abstract-method
-    pass
+    """Target for bignum mod_raw test case generation."""
+
+    def __init__(self, val_n: str, val_a: str, val_b: str = "0", bits_in_limb: int = 64) -> None:
+        super().__init__(val_a=val_a, val_b=val_b)
+        self.val_n = val_n
+        self.bits_in_limb = bits_in_limb
+
+    @property
+    def int_n(self) -> int:
+        return bignum_common.hex_to_int(self.val_n)
+
+    @property
+    def boundary(self) -> int:
+        data_in = [self.int_a, self.int_b, self.int_n]
+        return max([n for n in data_in if n is not None])
+
+    @property
+    def limbs(self) -> int:
+        return bignum_common.limbs_mpi(self.boundary, self.bits_in_limb)
+
+    @property
+    def hex_digits(self) -> int:
+        return 2 * (self.limbs * self.bits_in_limb // 8)
+
+    @property
+    def hex_n(self) -> str:
+        return "{:x}".format(self.int_n).zfill(self.hex_digits)
+
+    @property
+    def hex_a(self) -> str:
+        return "{:x}".format(self.int_a).zfill(self.hex_digits)
+
+    @property
+    def hex_b(self) -> str:
+        return "{:x}".format(self.int_b).zfill(self.hex_digits)
+
+    @property
+    def r(self) -> int: # pylint: disable=invalid-name
+        l = bignum_common.limbs_mpi(self.int_n, self.bits_in_limb)
+        return bignum_common.bound_mpi_limbs(l, self.bits_in_limb)
+
+    @property
+    def r_inv(self) -> int:
+        return bignum_common.invmod(self.r, self.int_n)
+
+    @property
+    def r_sqrt(self) -> int: # pylint: disable=invalid-name
+        return pow(self.r, 2)
 
 class BignumModRawOperationArchSplit(BignumModRawOperation):
     #pylint: disable=abstract-method
-    """Common features for bignum core operations where the result depends on
+    """Common features for bignum mod raw operations where the result depends on
     the limb size."""
 
-    def __init__(self, val_a: str, val_b: str, bits_in_limb: int) -> None:
-        super().__init__(val_a, val_b)
-        bound_val = max(self.int_a, self.int_b)
-        self.bits_in_limb = bits_in_limb
-        self.bound = bignum_common.bound_mpi(bound_val, self.bits_in_limb)
-        limbs = bignum_common.limbs_mpi(bound_val, self.bits_in_limb)
-        byte_len = limbs * self.bits_in_limb // 8
-        self.hex_digits = 2 * byte_len
-        if self.bits_in_limb == 32:
-            self.dependencies = ["MBEDTLS_HAVE_INT32"]
-        elif self.bits_in_limb == 64:
-            self.dependencies = ["MBEDTLS_HAVE_INT64"]
-        else:
-            raise ValueError("Invalid number of bits in limb!")
-        self.arg_a = self.arg_a.zfill(self.hex_digits)
-        self.arg_b = self.arg_b.zfill(self.hex_digits)
-        self.arg_a_int = bignum_common.hex_to_int(self.arg_a)
-        self.arg_b_int = bignum_common.hex_to_int(self.arg_b)
+    limb_sizes = [32, 64] # type: List[int]
 
-    def pad_to_limbs(self, val) -> str:
-        return "{:x}".format(val).zfill(self.hex_digits)
+    def __init__(self, val_n: str, val_a: str, val_b: str = "0", bits_in_limb: int = 64) -> None:
+        super().__init__(val_n=val_n, val_a=val_a, val_b=val_b, bits_in_limb=bits_in_limb)
+
+        if bits_in_limb not in self.limb_sizes:
+            raise ValueError("Invalid number of bits in limb!")
+
+        self.dependencies = ["MBEDTLS_HAVE_INT{:d}".format(bits_in_limb)]
 
     @classmethod
     def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
         for a_value, b_value in cls.get_value_pairs():
-            yield cls(a_value, b_value, 32).create_test_case()
-            yield cls(a_value, b_value, 64).create_test_case()
+            for bil in cls.limb_sizes:
+                yield cls(a_value, b_value, bits_in_limb=bil).create_test_case()
 # END MERGE SLOT 7
 
 # BEGIN MERGE SLOT 8

From 5566eff65740025802810e55cdaad026d563c34c Mon Sep 17 00:00:00 2001
From: Minos Galanakis <minos.galanakis@arm.com>
Date: Mon, 7 Nov 2022 16:02:21 +0000
Subject: [PATCH 052/159] generate_bignum_tests: Enabled BignumModRaw automatic
 generation

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
---
 tests/scripts/generate_bignum_tests.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/scripts/generate_bignum_tests.py b/tests/scripts/generate_bignum_tests.py
index 4ac9210e7..a105203b0 100755
--- a/tests/scripts/generate_bignum_tests.py
+++ b/tests/scripts/generate_bignum_tests.py
@@ -66,7 +66,7 @@ from mbedtls_dev import bignum_common
 # Import modules containing additional test classes
 # Test function classes in these modules will be registered by
 # the framework
-from mbedtls_dev import bignum_core # pylint: disable=unused-import
+from mbedtls_dev import bignum_core, bignum_mod_raw # pylint: disable=unused-import
 
 class BignumTarget(test_data_generation.BaseTarget, metaclass=ABCMeta):
     #pylint: disable=abstract-method

From 855c228b29ccdb6723608e6089565be318fabd9a Mon Sep 17 00:00:00 2001
From: Minos Galanakis <minos.galanakis@arm.com>
Date: Thu, 10 Nov 2022 11:33:25 +0000
Subject: [PATCH 053/159] bignum_mod_raw.py: Moved Classes outside of slots

This patch moves `BignumModRawOperation` and `BignumModRawOperationArchSplit`
outside of the scaffolding merge slot.

It also renames `r_sqrt` property to `r2`.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
---
 scripts/mbedtls_dev/bignum_mod_raw.py | 53 ++++++++++++++-------------
 1 file changed, 27 insertions(+), 26 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py
index 19942ed16..1465e3ed7 100644
--- a/scripts/mbedtls_dev/bignum_mod_raw.py
+++ b/scripts/mbedtls_dev/bignum_mod_raw.py
@@ -26,31 +26,6 @@ class BignumModRawTarget(test_data_generation.BaseTarget, metaclass=ABCMeta):
     """Target for bignum mod_raw test case generation."""
     target_basename = 'test_suite_bignum_mod_raw.generated'
 
-# BEGIN MERGE SLOT 1
-
-# END MERGE SLOT 1
-
-# BEGIN MERGE SLOT 2
-
-# END MERGE SLOT 2
-
-# BEGIN MERGE SLOT 3
-
-# END MERGE SLOT 3
-
-# BEGIN MERGE SLOT 4
-
-# END MERGE SLOT 4
-
-# BEGIN MERGE SLOT 5
-
-# END MERGE SLOT 5
-
-# BEGIN MERGE SLOT 6
-
-# END MERGE SLOT 6
-
-# BEGIN MERGE SLOT 7
 class BignumModRawOperation(bignum_common.OperationCommon, BignumModRawTarget, metaclass=ABCMeta):
     #pylint: disable=abstract-method
     """Target for bignum mod_raw test case generation."""
@@ -99,7 +74,7 @@ class BignumModRawOperation(bignum_common.OperationCommon, BignumModRawTarget, m
         return bignum_common.invmod(self.r, self.int_n)
 
     @property
-    def r_sqrt(self) -> int: # pylint: disable=invalid-name
+    def r2(self) -> int: # pylint: disable=invalid-name
         return pow(self.r, 2)
 
 class BignumModRawOperationArchSplit(BignumModRawOperation):
@@ -122,6 +97,32 @@ class BignumModRawOperationArchSplit(BignumModRawOperation):
         for a_value, b_value in cls.get_value_pairs():
             for bil in cls.limb_sizes:
                 yield cls(a_value, b_value, bits_in_limb=bil).create_test_case()
+# BEGIN MERGE SLOT 1
+
+# END MERGE SLOT 1
+
+# BEGIN MERGE SLOT 2
+
+# END MERGE SLOT 2
+
+# BEGIN MERGE SLOT 3
+
+# END MERGE SLOT 3
+
+# BEGIN MERGE SLOT 4
+
+# END MERGE SLOT 4
+
+# BEGIN MERGE SLOT 5
+
+# END MERGE SLOT 5
+
+# BEGIN MERGE SLOT 6
+
+# END MERGE SLOT 6
+
+# BEGIN MERGE SLOT 7
+
 # END MERGE SLOT 7
 
 # BEGIN MERGE SLOT 8

From 9feb19f98dedd0aa516c38dd83e7f6bccd3fa052 Mon Sep 17 00:00:00 2001
From: Tom Cosgrove <tom.cosgrove@arm.com>
Date: Thu, 10 Nov 2022 12:05:55 +0000
Subject: [PATCH 054/159] Use mbedtls_mpi_sint not mbedtls_mpi_uint in
 mpi_mod_int test

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
---
 tests/suites/test_suite_bignum.function | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/tests/suites/test_suite_bignum.function b/tests/suites/test_suite_bignum.function
index 40b23fe63..5c3d776f0 100644
--- a/tests/suites/test_suite_bignum.function
+++ b/tests/suites/test_suite_bignum.function
@@ -981,11 +981,21 @@ void mpi_mod_int( char * input_X, char * input_Y,
     TEST_EQUAL( Y.n, 1 );
     TEST_EQUAL( A.n, 1 );
 
-    /* Convert the MPIs for Y and A to signed mbedtls_mpi_uints */
-    mbedtls_mpi_uint y = Y.p[0];
+    /* Convert the MPIs for Y and A to (signed) mbedtls_mpi_sints */
+
+    /* Since we're converting sign+magnitude to two's complement, we lose one
+     * bit of value in the output. This means there are some values we can't
+     * represent, e.g. (hex) -A0000000 on 32-bit systems. These are technically
+     * invalid test cases, so could be considered "won't happen", but they are
+     * easy to test for, and this helps guard against human error. */
+
+    mbedtls_mpi_sint y = (mbedtls_mpi_sint) Y.p[0];
+    TEST_ASSERT( y >= 0 );      /* If y < 0 here, we can't make negative y */
     if( Y.s == -1 )
         y = -y;
-    mbedtls_mpi_uint a = A.p[0];
+
+    mbedtls_mpi_sint a = (mbedtls_mpi_sint) A.p[0];
+    TEST_ASSERT( a >= 0 );      /* Same goes for a */
     if( A.s == -1 )
         a = -a;
 

From 163d8952b391f00665c3badd7357e6cb1bcfb172 Mon Sep 17 00:00:00 2001
From: Tom Cosgrove <tom.cosgrove@arm.com>
Date: Thu, 10 Nov 2022 12:17:36 +0000
Subject: [PATCH 055/159] Add additional (would fail) test cases for
 mpi_mod_int with 0 remainder

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
---
 tests/suites/test_suite_bignum.misc.data | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/tests/suites/test_suite_bignum.misc.data b/tests/suites/test_suite_bignum.misc.data
index 70b4998e2..0b8aa334a 100644
--- a/tests/suites/test_suite_bignum.misc.data
+++ b/tests/suites/test_suite_bignum.misc.data
@@ -1240,7 +1240,7 @@ mpi_mod_int:"":"-1":"0":MBEDTLS_ERR_MPI_NEGATIVE_VALUE
 Test mbedtls_mpi_mod_int: 0 (null) % -2
 mpi_mod_int:"":"-2":"0":MBEDTLS_ERR_MPI_NEGATIVE_VALUE
 
-# CURRENTLY FAILS
+# CURRENTLY FAILS - SEE GITHUB ISSUE #6540
 #Test mbedtls_mpi_mod_int: 230772460340063000000100500000300000010 % 5178236083361335880 -> 3386266129388798810
 #depends_on:MBEDTLS_HAVE_INT64
 #mpi_mod_int:"AD9D28BF6C4E98FDF156BF0980CEE30A":"47DCCA4847DCCA48":"2EFE6F1A7D28035A":0
@@ -1248,7 +1248,15 @@ mpi_mod_int:"":"-2":"0":MBEDTLS_ERR_MPI_NEGATIVE_VALUE
 Test mbedtls_mpi_mod_mpi: 230772460340063000000100500000300000010 % 5178236083361335880 -> 3386266129388798810
 mpi_mod_mpi:"AD9D28BF6C4E98FDF156BF0980CEE30A":"47DCCA4847DCCA48":"2EFE6F1A7D28035A":0
 
-# CURRENTLY FAILS WHEN MPIS ARE 32-BIT: WHEN FIXED, REMOVE "depends_on" LINE
+# CURRENTLY FAILS - SEE GITHUB ISSUE #6540
+#Test mbedtls_mpi_mod_int: 230772460340062999996714233870911201200 % 5178236083361335880 -> 0
+#depends_on:MBEDTLS_HAVE_INT64
+#mpi_mod_int:"AD9D28BF6C4E98FDC2584FEF03A6DFB0":"47DCCA4847DCCA48":"0":0
+
+Test mbedtls_mpi_mod_mpi: 230772460340062999996714233870911201200 % 5178236083361335880 -> 0
+mpi_mod_mpi:"AD9D28BF6C4E98FDC2584FEF03A6DFB0":"47DCCA4847DCCA48":"0":0
+
+# CURRENTLY FAILS WHEN MPIS ARE 32-BIT (ISSUE #6450): WHEN FIXED, REMOVE "depends_on" LINE
 Test mbedtls_mpi_mod_int: 230772460340063000000100500000300000010 % 1205652040 -> 3644370
 depends_on:MBEDTLS_HAVE_INT64
 mpi_mod_int:"AD9D28BF6C4E98FDF156BF0980CEE30A":"47DCCA48":"379BD2":0
@@ -1256,6 +1264,14 @@ mpi_mod_int:"AD9D28BF6C4E98FDF156BF0980CEE30A":"47DCCA48":"379BD2":0
 Test mbedtls_mpi_mod_mpi: 230772460340063000000100500000300000010 % 1205652040 -> 3644370
 mpi_mod_mpi:"AD9D28BF6C4E98FDF156BF0980CEE30A":"47DCCA48":"379BD2":0
 
+# CURRENTLY FAILS WHEN MPIS ARE 32-BIT (ISSUE #6450): WHEN FIXED, REMOVE "depends_on" LINE
+Test mbedtls_mpi_mod_int: 230772460340063000000100500000296355640 % 1205652040 -> 0
+depends_on:MBEDTLS_HAVE_INT64
+mpi_mod_int:"AD9D28BF6C4E98FDF156BF0980974738":"47DCCA48":"0":0
+
+Test mbedtls_mpi_mod_mpi: 230772460340063000000100500000296355640 % 1205652040 -> 0
+mpi_mod_mpi:"AD9D28BF6C4E98FDF156BF0980974738":"47DCCA48":"0":0
+
 Base test mbedtls_mpi_exp_mod #1
 mpi_exp_mod:"17":"d":"1d":"18":0
 

From bd2bfa92bd679983c0fff75fe5b39811ab393ca4 Mon Sep 17 00:00:00 2001
From: Aditya Deshpande <aditya.deshpande@arm.com>
Date: Thu, 10 Nov 2022 14:07:20 +0000
Subject: [PATCH 056/159] Add Changelog entry

Signed-off-by: Aditya Deshpande <aditya.deshpande@arm.com>
---
 ChangeLog.d/fix_dh_genprime_error_reporting.txt | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 ChangeLog.d/fix_dh_genprime_error_reporting.txt

diff --git a/ChangeLog.d/fix_dh_genprime_error_reporting.txt b/ChangeLog.d/fix_dh_genprime_error_reporting.txt
new file mode 100644
index 000000000..1c98947f3
--- /dev/null
+++ b/ChangeLog.d/fix_dh_genprime_error_reporting.txt
@@ -0,0 +1,4 @@
+Bugfix
+   * Fix bug in error reporting in dh_genprime.c where upon failure,
+     the error code returned by mbedtls_mpi_write_file() is overwritten
+     and therefore not printed.

From 5ad4a93596ef3b7ec4d70ade7a30a18149f09efc Mon Sep 17 00:00:00 2001
From: Hanno Becker <hanno.becker@arm.com>
Date: Tue, 9 Aug 2022 14:45:53 +0100
Subject: [PATCH 057/159] bignum_mod_raw: Added conversion methods for
 internal/public data representation

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
---
 library/bignum_mod_raw.c | 21 +++++++++++++++++++++
 library/bignum_mod_raw.h | 18 ++++++++++++++++++
 2 files changed, 39 insertions(+)

diff --git a/library/bignum_mod_raw.c b/library/bignum_mod_raw.c
index a329e86df..97f7731c4 100644
--- a/library/bignum_mod_raw.c
+++ b/library/bignum_mod_raw.c
@@ -127,7 +127,28 @@ int mbedtls_mpi_mod_raw_write( const mbedtls_mpi_uint *A,
 /* END MERGE SLOT 6 */
 
 /* BEGIN MERGE SLOT 7 */
+int mbedtls_mpi_mod_raw_conv_inv( mbedtls_mpi_uint *X,
+                                  const mbedtls_mpi_mod_modulus *modulus )
+{
+    mbedtls_mpi_uint one = 1;
+    mbedtls_mpi T;
+    mbedtls_mpi_init( &T );
+    mbedtls_mpi_core_montmul( X, X, &one, 1, m->p, m->limbs,
+                              m->rep.mont.mm, T.p );
+    mbedtls_mpi_free( &T );
+    return( 0 );
+}
 
+int mbedtls_mpi_mod_raw_conv_fwd( mbedtls_mpi_uint *X,
+                                  const mbedtls_mpi_mod_modulus *modulus )
+{
+    mbedtls_mpi T;
+    mbedtls_mpi_init( &T );
+    mbedtls_mpi_core_montmul( X, X, m->rep.mont.rr, 1, m->p, m->limbs,
+                              m->rep.mont.mm, T.p );
+    mbedtls_mpi_free( &T );
+    return( 0 );
+}
 /* END MERGE SLOT 7 */
 
 /* BEGIN MERGE SLOT 8 */
diff --git a/library/bignum_mod_raw.h b/library/bignum_mod_raw.h
index 30648d3cc..38415f415 100644
--- a/library/bignum_mod_raw.h
+++ b/library/bignum_mod_raw.h
@@ -163,7 +163,25 @@ int mbedtls_mpi_mod_raw_write( const mbedtls_mpi_uint *A,
 /* END MERGE SLOT 6 */
 
 /* BEGIN MERGE SLOT 7 */
+/** Convert from internal to public (little endian) data presentation
+ *
+ * \param X      The address of the MPI.
+ * \param m      The address of a modulus.
+ *
+ * \return       \c 0 if successful.
+ */
+int mbedtls_mpi_mod_raw_conv_inv( mbedtls_mpi_uint *X,
+                                  const mbedtls_mpi_mod_modulus *modulus );
 
+/** Convert from public (little endian) to internal data presentation.
+ *
+ * \param X      The address of the MPI.
+ * \param m      The address of a modulus.
+ *
+ * \return       \c 0 if successful.
+ */
+int mbedtls_mpi_mod_raw_conv_fwd( mbedtls_mpi_uint *X,
+                                  const mbedtls_mpi_mod_modulus *modulus );
 /* END MERGE SLOT 7 */
 
 /* BEGIN MERGE SLOT 8 */

From d9299c388e9bb60166c72e943c704a3d079256bd Mon Sep 17 00:00:00 2001
From: Minos Galanakis <minos.galanakis@arm.com>
Date: Tue, 1 Nov 2022 16:19:07 +0000
Subject: [PATCH 058/159] bignum_mod_raw: Refactored Montgomery conversion
 functions

This patch updates the `mbedtls_mpi_mod_raw_conv_xx()` methods
as follows:

* Renamed for simplicity: conv_fwd -> from_mont_rep, conv_inv -> to_mont_rep.
* Uncoupled the dependency on the legaly bignum interface.
* `mbedtls_mpi` is no longer used for temporary buffer allocation.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
---
 library/bignum_mod_raw.c | 42 ++++++++++++++++++++++++++--------------
 library/bignum_mod_raw.h | 20 +++++++++++--------
 2 files changed, 39 insertions(+), 23 deletions(-)

diff --git a/library/bignum_mod_raw.c b/library/bignum_mod_raw.c
index 97f7731c4..b43add77d 100644
--- a/library/bignum_mod_raw.c
+++ b/library/bignum_mod_raw.c
@@ -127,26 +127,38 @@ int mbedtls_mpi_mod_raw_write( const mbedtls_mpi_uint *A,
 /* END MERGE SLOT 6 */
 
 /* BEGIN MERGE SLOT 7 */
-int mbedtls_mpi_mod_raw_conv_inv( mbedtls_mpi_uint *X,
-                                  const mbedtls_mpi_mod_modulus *modulus )
+int mbedtls_mpi_mod_raw_to_mont_rep( mbedtls_mpi_uint *X,
+                                     const mbedtls_mpi_mod_modulus *m )
 {
-    mbedtls_mpi_uint one = 1;
-    mbedtls_mpi T;
-    mbedtls_mpi_init( &T );
-    mbedtls_mpi_core_montmul( X, X, &one, 1, m->p, m->limbs,
-                              m->rep.mont.mm, T.p );
-    mbedtls_mpi_free( &T );
+    mbedtls_mpi_uint *T;
+    const size_t t_limbs = m->limbs * 2 + 1;
+
+    if( ( T = (mbedtls_mpi_uint *) mbedtls_calloc( t_limbs, ciL ) ) == NULL )
+        return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
+
+    mbedtls_mpi_core_montmul( X, X, m->rep.mont.rr, m->limbs, m->p, m->limbs,
+                              m->rep.mont.mm, T );
+
+    mbedtls_platform_zeroize( T, t_limbs * ciL );
+    mbedtls_free( T );
     return( 0 );
 }
 
-int mbedtls_mpi_mod_raw_conv_fwd( mbedtls_mpi_uint *X,
-                                  const mbedtls_mpi_mod_modulus *modulus )
+int mbedtls_mpi_mod_raw_from_mont_rep( mbedtls_mpi_uint *X,
+                                       const mbedtls_mpi_mod_modulus *m )
 {
-    mbedtls_mpi T;
-    mbedtls_mpi_init( &T );
-    mbedtls_mpi_core_montmul( X, X, m->rep.mont.rr, 1, m->p, m->limbs,
-                              m->rep.mont.mm, T.p );
-    mbedtls_mpi_free( &T );
+    const mbedtls_mpi_uint one = 1;
+    const size_t t_limbs = m->limbs * 2 + 1;
+    mbedtls_mpi_uint *T;
+
+    if( ( T = (mbedtls_mpi_uint *) mbedtls_calloc( t_limbs, ciL ) ) == NULL )
+        return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
+
+    mbedtls_mpi_core_montmul( X, X, &one, 1, m->p, m->limbs,
+                              m->rep.mont.mm, T );
+
+    mbedtls_platform_zeroize( T, t_limbs * ciL );
+    mbedtls_free( T );
     return( 0 );
 }
 /* END MERGE SLOT 7 */
diff --git a/library/bignum_mod_raw.h b/library/bignum_mod_raw.h
index 38415f415..f738e917e 100644
--- a/library/bignum_mod_raw.h
+++ b/library/bignum_mod_raw.h
@@ -163,25 +163,29 @@ int mbedtls_mpi_mod_raw_write( const mbedtls_mpi_uint *A,
 /* END MERGE SLOT 6 */
 
 /* BEGIN MERGE SLOT 7 */
-/** Convert from internal to public (little endian) data presentation
+/** Convert an MPI into Montgomery form.
  *
  * \param X      The address of the MPI.
- * \param m      The address of a modulus.
+ *               Must have the same number of limbs as \p m.
+ * \param m      The address of the modulus, which gives the size of
+ *               the base `R` = 2^(biL*m->limbs).
  *
  * \return       \c 0 if successful.
  */
-int mbedtls_mpi_mod_raw_conv_inv( mbedtls_mpi_uint *X,
-                                  const mbedtls_mpi_mod_modulus *modulus );
+int mbedtls_mpi_mod_raw_to_mont_rep( mbedtls_mpi_uint *X,
+                                     const mbedtls_mpi_mod_modulus *m );
 
-/** Convert from public (little endian) to internal data presentation.
+/** Convert an MPI back from Montgomery representation.
  *
  * \param X      The address of the MPI.
- * \param m      The address of a modulus.
+ *               Must have the same number of limbs as \p m.
+ * \param m      The address of the modulus, which gives the size of
+ *               the base `R`= 2^(biL*m->limbs).
  *
  * \return       \c 0 if successful.
  */
-int mbedtls_mpi_mod_raw_conv_fwd( mbedtls_mpi_uint *X,
-                                  const mbedtls_mpi_mod_modulus *modulus );
+int mbedtls_mpi_mod_raw_from_mont_rep( mbedtls_mpi_uint *X,
+                                       const mbedtls_mpi_mod_modulus *m );
 /* END MERGE SLOT 7 */
 
 /* BEGIN MERGE SLOT 8 */

From 631b491cbf7de025d4a0c670789ab8b5e42f4e8d Mon Sep 17 00:00:00 2001
From: Minos Galanakis <minos.galanakis@arm.com>
Date: Mon, 7 Nov 2022 15:53:23 +0000
Subject: [PATCH 059/159] bignum_tests: Added test for
 `mbedtls_mpi_mod_raw_to_mont_rep()`

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
---
 .../suites/test_suite_bignum_mod_raw.function | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function
index 4b906751f..026b49d13 100644
--- a/tests/suites/test_suite_bignum_mod_raw.function
+++ b/tests/suites/test_suite_bignum_mod_raw.function
@@ -294,7 +294,43 @@ exit:
 /* END MERGE SLOT 6 */
 
 /* BEGIN MERGE SLOT 7 */
+/* BEGIN_CASE */
+void mpi_mod_raw_to_mont_rep( char * input_N, char * input_A, char * input_X )
+{
+    mbedtls_mpi N, A, X;
+    mbedtls_mpi_mod_modulus m;
 
+    mbedtls_mpi_init( &N );
+    mbedtls_mpi_init( &A );
+    mbedtls_mpi_init( &X );
+
+    /* Read inputs */
+    TEST_EQUAL( 0, mbedtls_test_read_mpi( &N, input_N ) );
+    TEST_EQUAL( 0, mbedtls_test_read_mpi( &A, input_A ) );
+    TEST_EQUAL( 0, mbedtls_test_read_mpi( &X, input_X ) );
+
+    /* All of the inputs are +ve (or zero) */
+    TEST_EQUAL( 1, X.s );
+    TEST_EQUAL( 1, A.s );
+
+    mbedtls_mpi_mod_modulus_init( &m );
+    TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N.p, N.n, MBEDTLS_MPI_MOD_EXT_REP_BE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) );
+
+    TEST_EQUAL(0, mbedtls_mpi_mod_raw_to_mont_rep( A.p ,&m ) );
+
+    /* Calculated matches expected value */
+    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &A, &X ) == 0 );
+
+   /* Output is +ve (or zero) */
+    TEST_EQUAL( 1, A.s );
+
+exit:
+    mbedtls_mpi_mod_modulus_free( &m );
+    mbedtls_mpi_free( &N );
+    mbedtls_mpi_free( &A );
+    mbedtls_mpi_free( &X );
+}
+/* END_CASE */
 /* END MERGE SLOT 7 */
 
 /* BEGIN MERGE SLOT 8 */

From df070d660d6eaee91ba0811894ea1d0ccdad8c48 Mon Sep 17 00:00:00 2001
From: Minos Galanakis <minos.galanakis@arm.com>
Date: Tue, 8 Nov 2022 16:19:04 +0000
Subject: [PATCH 060/159] bignum_tests: Added test for
 `mbedtls_mpi_mod_raw_from_mont_rep()`

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
---
 .../suites/test_suite_bignum_mod_raw.function | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function
index 026b49d13..8536e310e 100644
--- a/tests/suites/test_suite_bignum_mod_raw.function
+++ b/tests/suites/test_suite_bignum_mod_raw.function
@@ -324,6 +324,44 @@ void mpi_mod_raw_to_mont_rep( char * input_N, char * input_A, char * input_X )
    /* Output is +ve (or zero) */
     TEST_EQUAL( 1, A.s );
 
+exit:
+    mbedtls_mpi_mod_modulus_free( &m );
+    mbedtls_mpi_free( &N );
+    mbedtls_mpi_free( &A );
+    mbedtls_mpi_free( &X );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void mpi_mod_raw_from_mont_rep( char * input_N, char * input_A, char * input_X )
+{
+    mbedtls_mpi N, A, X;
+    mbedtls_mpi_mod_modulus m;
+
+    mbedtls_mpi_init( &N );
+    mbedtls_mpi_init( &A );
+    mbedtls_mpi_init( &X );
+
+    /* Read inputs */
+    TEST_EQUAL( 0, mbedtls_test_read_mpi( &N, input_N ) );
+    TEST_EQUAL( 0, mbedtls_test_read_mpi( &A, input_A ) );
+    TEST_EQUAL( 0, mbedtls_test_read_mpi( &X, input_X ) );
+
+    /* All of the inputs are +ve (or zero) */
+    TEST_EQUAL( 1, X.s );
+    TEST_EQUAL( 1, A.s );
+
+    mbedtls_mpi_mod_modulus_init( &m );
+    TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N.p, N.n, MBEDTLS_MPI_MOD_EXT_REP_BE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) );
+
+    TEST_EQUAL(0, mbedtls_mpi_mod_raw_from_mont_rep( A.p ,&m ) );
+
+    /* Calculated matches expected value */
+    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &A, &X ) == 0 );
+
+   /* Output is +ve (or zero) */
+    TEST_EQUAL( 1, A.s );
+
 exit:
     mbedtls_mpi_mod_modulus_free( &m );
     mbedtls_mpi_free( &N );

From 47691fb75619044716a3a5f9c356bbf595d5fd70 Mon Sep 17 00:00:00 2001
From: Minos Galanakis <minos.galanakis@arm.com>
Date: Thu, 10 Nov 2022 09:02:51 +0000
Subject: [PATCH 061/159] bignum_tests: Refactored
 mpi_mod_raw_to/fromt_mont_rep

This patch migrates the tests to use the `mbedtls_test_read_mpi_core()`.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
---
 .../suites/test_suite_bignum_mod_raw.function | 82 +++++++++----------
 1 file changed, 38 insertions(+), 44 deletions(-)

diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function
index 8536e310e..d0ffd27b0 100644
--- a/tests/suites/test_suite_bignum_mod_raw.function
+++ b/tests/suites/test_suite_bignum_mod_raw.function
@@ -297,76 +297,70 @@ exit:
 /* BEGIN_CASE */
 void mpi_mod_raw_to_mont_rep( char * input_N, char * input_A, char * input_X )
 {
-    mbedtls_mpi N, A, X;
+    mbedtls_mpi_uint *N = NULL;
+    mbedtls_mpi_uint *A = NULL;
+    mbedtls_mpi_uint *X = NULL;
     mbedtls_mpi_mod_modulus m;
-
-    mbedtls_mpi_init( &N );
-    mbedtls_mpi_init( &A );
-    mbedtls_mpi_init( &X );
+    size_t n_limbs, a_limbs, x_limbs, x_bytes;
 
     /* Read inputs */
-    TEST_EQUAL( 0, mbedtls_test_read_mpi( &N, input_N ) );
-    TEST_EQUAL( 0, mbedtls_test_read_mpi( &A, input_A ) );
-    TEST_EQUAL( 0, mbedtls_test_read_mpi( &X, input_X ) );
+    TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &n_limbs, input_N ) );
+    TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &A, &a_limbs, input_A ) );
+    TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &X, &x_limbs, input_X ) );
+    x_bytes = x_limbs * sizeof(mbedtls_mpi_uint);
 
-    /* All of the inputs are +ve (or zero) */
-    TEST_EQUAL( 1, X.s );
-    TEST_EQUAL( 1, A.s );
+    /* Test that input does not require more limbs than modulo */
+    TEST_LE_U(a_limbs, n_limbs);
 
     mbedtls_mpi_mod_modulus_init( &m );
-    TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N.p, N.n, MBEDTLS_MPI_MOD_EXT_REP_BE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) );
+    TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs,
+                MBEDTLS_MPI_MOD_EXT_REP_BE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) );
 
-    TEST_EQUAL(0, mbedtls_mpi_mod_raw_to_mont_rep( A.p ,&m ) );
-
-    /* Calculated matches expected value */
-    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &A, &X ) == 0 );
-
-   /* Output is +ve (or zero) */
-    TEST_EQUAL( 1, A.s );
+    /* Convert from cannonical into Montgomery representation */
+    TEST_EQUAL(0, mbedtls_mpi_mod_raw_to_mont_rep( A, &m ) );
 
+    /* The result matches expected value */
+    ASSERT_COMPARE( A, x_bytes, X, x_bytes );
 exit:
     mbedtls_mpi_mod_modulus_free( &m );
-    mbedtls_mpi_free( &N );
-    mbedtls_mpi_free( &A );
-    mbedtls_mpi_free( &X );
+    mbedtls_free( N );
+    mbedtls_free( A );
+    mbedtls_free( X );
 }
 /* END_CASE */
 
 /* BEGIN_CASE */
 void mpi_mod_raw_from_mont_rep( char * input_N, char * input_A, char * input_X )
 {
-    mbedtls_mpi N, A, X;
+    mbedtls_mpi_uint *N = NULL;
+    mbedtls_mpi_uint *A = NULL;
+    mbedtls_mpi_uint *X = NULL;
     mbedtls_mpi_mod_modulus m;
-
-    mbedtls_mpi_init( &N );
-    mbedtls_mpi_init( &A );
-    mbedtls_mpi_init( &X );
+    size_t n_limbs, a_limbs, x_limbs, x_bytes;
 
     /* Read inputs */
-    TEST_EQUAL( 0, mbedtls_test_read_mpi( &N, input_N ) );
-    TEST_EQUAL( 0, mbedtls_test_read_mpi( &A, input_A ) );
-    TEST_EQUAL( 0, mbedtls_test_read_mpi( &X, input_X ) );
+    TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &n_limbs, input_N ) );
+    TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &A, &a_limbs, input_A ) );
+    TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &X, &x_limbs, input_X ) );
+    x_bytes = x_limbs * sizeof(mbedtls_mpi_uint);
 
-    /* All of the inputs are +ve (or zero) */
-    TEST_EQUAL( 1, X.s );
-    TEST_EQUAL( 1, A.s );
+    /* Test that input does not require more limbs than modulo */
+    TEST_LE_U(a_limbs, n_limbs);
 
     mbedtls_mpi_mod_modulus_init( &m );
-    TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N.p, N.n, MBEDTLS_MPI_MOD_EXT_REP_BE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) );
+    TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs,
+                MBEDTLS_MPI_MOD_EXT_REP_BE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) );
 
-    TEST_EQUAL(0, mbedtls_mpi_mod_raw_from_mont_rep( A.p ,&m ) );
-
-    /* Calculated matches expected value */
-    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &A, &X ) == 0 );
-
-   /* Output is +ve (or zero) */
-    TEST_EQUAL( 1, A.s );
+    /* Convert from Montgomery into cannonical representation */
+    TEST_EQUAL(0, mbedtls_mpi_mod_raw_from_mont_rep( A, &m ) );
 
+    /* The result matches expected value */
+    ASSERT_COMPARE( A, x_bytes, X, x_bytes );
 exit:
     mbedtls_mpi_mod_modulus_free( &m );
-    mbedtls_mpi_free( &N );
-    mbedtls_mpi_free( &A );
-    mbedtls_mpi_free( &X );
+    mbedtls_free( N );
+    mbedtls_free( A );
+    mbedtls_free( X );
 }
 /* END_CASE */
 /* END MERGE SLOT 7 */

From a252f6b24c95322617059a2ba61bc691cb63df19 Mon Sep 17 00:00:00 2001
From: Minos Galanakis <minos.galanakis@arm.com>
Date: Wed, 9 Nov 2022 19:23:53 +0000
Subject: [PATCH 062/159] bignum_mod_raw.py: Added BignumModRawConvertToMont

This patch adds test class for 'mpi_mod_raw_to_mont_rep()`.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
---
 scripts/mbedtls_dev/bignum_mod_raw.py | 88 +++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)

diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py
index 1465e3ed7..cea7ec78d 100644
--- a/scripts/mbedtls_dev/bignum_mod_raw.py
+++ b/scripts/mbedtls_dev/bignum_mod_raw.py
@@ -122,7 +122,95 @@ class BignumModRawOperationArchSplit(BignumModRawOperation):
 # END MERGE SLOT 6
 
 # BEGIN MERGE SLOT 7
+class BignumModRawConvertToMont(BignumModRawOperationArchSplit):
+    """ Test cases for mpi_mod_raw_to_mont_rep(). """
 
+    test_function = "mpi_mod_raw_to_mont_rep"
+    test_name = "Convert into Mont: "
+
+    test_data_moduli = ["b",
+                        "fd",
+                        "eeff99aa37",
+                        "eeff99aa11",
+                        "800000000005",
+                        "7fffffffffffffff",
+                        "80fe000a10000001",
+                        "25a55a46e5da99c71c7",
+                        "1058ad82120c3a10196bb36229c1",
+                        "7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f"
+                        "18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a"
+                        "98df75154f8c914a282f8b",
+                        "8335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63",
+                        "ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f"
+                        "2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a6"
+                        "4d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2"
+                        "deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d"
+                        "6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a0"
+                        "7e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d389"
+                        "8c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6"
+                        "bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3a"
+                        "d4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181d"
+                        "b8896f33bb12e6ef73f12ec5c5ea7a8a337"
+                        ]
+
+    test_input_numbers = ["0",
+                          "1",
+                          "97",
+                          "f5",
+                          "6f5c3",
+                          "745bfe50f7",
+                          "ffa1f9924123",
+                          "334a8b983c79bd",
+                          "5b84f632b58f3461",
+                          "19acd15bc38008e1",
+                          "ffffffffffffffff",
+                          "54ce6a6bb8247fa0427cfc75a6b0599",
+                          "fecafe8eca052f154ce6a6bb8247fa019558bfeecce9bb9",
+                          "a87d7a56fa4bfdc7da42ef798b9cf6843d4c54794698cb14d72"
+                          "851dec9586a319f4bb6d5695acbd7c92e7a42a5ede6972adcbc"
+                          "f68425265887f2d721f462b7f1b91531bac29fa648facb8e3c6"
+                          "1bd5ae42d5a59ba1c89a95897bfe541a8ce1d633b98f379c481"
+                          "6f25e21f6ac49286b261adb4b78274fe5f61c187581f213e84b"
+                          "2a821e341ef956ecd5de89e6c1a35418cd74a549379d2d4594a"
+                          "577543147f8e35b3514e62cf3e89d1156cdc91ab5f4c928fbd6"
+                          "9148c35df5962fed381f4d8a62852a36823d5425f7487c13a12"
+                          "523473fb823aa9d6ea5f42e794e15f2c1a8785cf6b7d51a4617"
+                          "947fb3baf674f74a673cf1d38126983a19ed52c7439fab42c2185"
+                          ]
+
+    descr_tpl = '{} #{} N: \"{}\" A: \"{}\".'
+
+    def result(self) -> List[str]:
+        return [self.hex_x]
+
+    def arguments(self) -> List[str]:
+        return [bignum_common.quote_str(n) for n in [self.hex_n,
+                                                     self.hex_a,
+                                                     self.hex_x]]
+
+    def description(self) -> str:
+        return self.descr_tpl.format(self.test_name,
+                                     self.count,
+                                     self.int_n,
+                                     self.int_a)
+
+    @classmethod
+    def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
+        for bil in [32, 64]:
+            for n in cls.test_data_moduli:
+                for i in cls.test_input_numbers:
+                    # Skip invalid combinations where A.limbs > N.limbs
+                    if bignum_common.hex_to_int(i) > bignum_common.hex_to_int(n):
+                        continue
+                    yield cls(n, i, bits_in_limb=bil).create_test_case()
+
+    @property
+    def x(self) -> int: # pylint: disable=invalid-name
+        return (self.int_a * self.r) % self.int_n
+
+    @property
+    def hex_x(self) -> str:
+        return "{:x}".format(self.x).zfill(self.hex_digits)
 # END MERGE SLOT 7
 
 # BEGIN MERGE SLOT 8

From 50de073c84a5cc0946a87dddc457b3d125cb5ac1 Mon Sep 17 00:00:00 2001
From: Minos Galanakis <minos.galanakis@arm.com>
Date: Wed, 9 Nov 2022 19:36:16 +0000
Subject: [PATCH 063/159] bignum_mod_raw.py: Added BignumModRawConvertfromMont

This patch adds test class for 'mpi_mod_raw_from_mont_rep()`.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
---
 scripts/mbedtls_dev/bignum_mod_raw.py | 31 +++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py
index cea7ec78d..bd694a608 100644
--- a/scripts/mbedtls_dev/bignum_mod_raw.py
+++ b/scripts/mbedtls_dev/bignum_mod_raw.py
@@ -211,6 +211,37 @@ class BignumModRawConvertToMont(BignumModRawOperationArchSplit):
     @property
     def hex_x(self) -> str:
         return "{:x}".format(self.x).zfill(self.hex_digits)
+
+class BignumModRawConvertFromMont(BignumModRawConvertToMont):
+    """ Test cases for mpi_mod_raw_from_mont_rep(). """
+
+    test_function = "mpi_mod_raw_from_mont_rep"
+    test_name = "Convert from Mont: "
+
+    test_input_numbers = ["0",
+                          "1",
+                          "3ca",
+                          "539ed428",
+                          "7dfe5c6beb35a2d6",
+                          "dca8de1c2adfc6d7aafb9b48e",
+                          "a7d17b6c4be72f3d5c16bf9c1af6fc933",
+                          "2fec97beec546f9553142ed52f147845463f579",
+                          "378dc83b8bc5a7b62cba495af4919578dce6d4f175cadc4f",
+                          "b6415f2a1a8e48a518345db11f56db3829c8f2c6415ab4a395a"
+                          "b3ac2ea4cbef4af86eb18a84eb6ded4c6ecbfc4b59c2879a675"
+                          "487f687adea9d197a84a5242a5cf6125ce19a6ad2e7341f1c57"
+                          "d43ea4f4c852a51cb63dabcd1c9de2b827a3146a3d175b35bea"
+                          "41ae75d2a286a3e9d43623152ac513dcdea1d72a7da846a8ab3"
+                          "58d9be4926c79cfb287cf1cf25b689de3b912176be5dcaf4d4c"
+                          "6e7cb839a4a3243a6c47c1e2c99d65c59d6fa3672575c2f1ca8"
+                          "de6a32e854ec9d8ec635c96af7679fce26d7d159e4a9da3bd74"
+                          "e1272c376cd926d74fe3fb164a5935cff3d5cdb92b35fe2cea32"
+                          "138a7e6bfbc319ebd1725dacb9a359cbf693f2ecb785efb9d627"
+                         ]
+
+    @property
+    def x(self): # pylint: disable=invalid-name
+        return (self.int_a * self.r_inv) % self.int_n
 # END MERGE SLOT 7
 
 # BEGIN MERGE SLOT 8

From 0e97d4d16dcf4d90fdac381a3c0ec7cd68fd29f2 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Mon, 24 Oct 2022 11:12:51 +0000
Subject: [PATCH 064/159] Add early data indication to client side

Add fields to mbedtls_ssl_context
Add write early data indication function
Add check whether write early data indication
Add early data option to ssl_client2
Add test cases for early data

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 include/mbedtls/build_info.h |  4 ++++
 include/mbedtls/ssl.h        | 16 ++++++++++++++
 library/ssl_misc.h           | 19 ++++++++++++++++
 library/ssl_tls.c            |  9 ++++++++
 library/ssl_tls13_client.c   | 39 +++++++++++++++++++++++----------
 library/ssl_tls13_generic.c  | 35 ++++++++++++++++++++++++++++++
 programs/ssl/ssl_client2.c   | 42 ++++++++++++++++++++++++++++++++++++
 tests/configs/tls13-only.h   |  1 +
 tests/ssl-opt.sh             | 18 ++++++++++++++++
 9 files changed, 172 insertions(+), 11 deletions(-)

diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h
index 170cbebbe..f1bb52770 100644
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h
@@ -112,6 +112,10 @@
 #undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
 #undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 #undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+#endif
+
+#if !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) && \
+    !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
 #undef MBEDTLS_SSL_EARLY_DATA
 #endif
 
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 01ede4088..47ce3c695 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -332,6 +332,9 @@
 #define MBEDTLS_SSL_EARLY_DATA_DISABLED        0
 #define MBEDTLS_SSL_EARLY_DATA_ENABLED         1
 
+#define MBEDTLS_SSL_EARLY_DATA_OFF        0
+#define MBEDTLS_SSL_EARLY_DATA_ON         1
+
 #define MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED    0
 #define MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED      1
 
@@ -801,6 +804,11 @@ typedef struct mbedtls_ssl_key_cert mbedtls_ssl_key_cert;
 typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item;
 #endif
 
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
+#define MBEDTLS_SSL_EARLY_DATA_NOT_SENT       0
+#define MBEDTLS_SSL_EARLY_DATA_REJECTED       1
+#define MBEDTLS_SSL_EARLY_DATA_ACCEPTED       2
+#endif
 /**
  * \brief          Callback type: server-side session cache getter
  *
@@ -1783,6 +1791,13 @@ struct mbedtls_ssl_context
                             *   and #MBEDTLS_SSL_CID_DISABLED. */
 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
 
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
+    /*
+     * early data request state
+     */
+    int MBEDTLS_PRIVATE(early_data_status);
+#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */
+
     /** Callback to export key block and master secret                      */
     mbedtls_ssl_export_keys_t *MBEDTLS_PRIVATE(f_export_keys);
     void *MBEDTLS_PRIVATE(p_export_keys);            /*!< context for key export callback    */
@@ -1936,6 +1951,7 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
 */
 void mbedtls_ssl_tls13_conf_early_data( mbedtls_ssl_config *conf,
                                         int early_data_enabled );
+
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_EARLY_DATA */
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index ad8754cac..2b1f90f4f 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -987,6 +987,15 @@ struct mbedtls_ssl_handshake_params
     } tls13_master_secrets;
 
     mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets;
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+    mbedtls_ssl_tls13_early_secrets early_secrets;
+
+    int early_data;     /*!< Early data indication:
+                         * 0  -- MBEDTLS_SSL_EARLY_DATA_DISABLED (for no early data), and
+                         * 1  -- MBEDTLS_SSL_EARLY_DATA_ENABLED (for use early data)
+                         */
+#endif /* MBEDTLS_SSL_EARLY_DATA */
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
 
 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
@@ -1480,6 +1489,11 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl,
 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
 
+#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl );
+#endif
+
 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
 #if defined(MBEDTLS_SSL_CLI_C)
 MBEDTLS_CHECK_RETURN_CRITICAL
@@ -2046,6 +2060,11 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
                 size_t *out_len );
 #endif /* MBEDTLS_ECDH_C */
 
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+int mbedtls_ssl_tls13_write_early_data_ext(
+    mbedtls_ssl_context *ssl,
+    unsigned char *buf, const unsigned char *end, size_t *olen);
+#endif /* MBEDTLS_SSL_EARLY_DATA */
 
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
 
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index da90b2350..945a2e9bd 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1872,6 +1872,15 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
 }
 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
 
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+int mbedtls_ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_session *session = ssl->session_negotiate;
+    return( ssl->handshake->resume &&
+            session != NULL && session->ticket != NULL );
+}
+#endif
+
 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
 int mbedtls_ssl_conf_has_static_psk( mbedtls_ssl_config const *conf )
 {
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 9940a0e5e..0d24474ec 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -693,13 +693,6 @@ static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg( int ciphersuite )
 }
 
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
-static int ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl )
-{
-    mbedtls_ssl_session *session = ssl->session_negotiate;
-    return( ssl->handshake->resume &&
-            session != NULL && session->ticket != NULL );
-}
-
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_ticket_get_identity( mbedtls_ssl_context *ssl,
                                           psa_algorithm_t *hash_alg,
@@ -708,7 +701,7 @@ static int ssl_tls13_ticket_get_identity( mbedtls_ssl_context *ssl,
 {
     mbedtls_ssl_session *session = ssl->session_negotiate;
 
-    if( !ssl_tls13_has_configured_ticket( ssl ) )
+    if( !mbedtls_ssl_tls13_has_configured_ticket( ssl ) )
         return( -1 );
 
     *hash_alg = ssl_tls13_get_ciphersuite_hash_alg( session->ciphersuite );
@@ -726,7 +719,7 @@ static int ssl_tls13_ticket_get_psk( mbedtls_ssl_context *ssl,
 
     mbedtls_ssl_session *session = ssl->session_negotiate;
 
-    if( !ssl_tls13_has_configured_ticket( ssl ) )
+    if( !mbedtls_ssl_tls13_has_configured_ticket( ssl ) )
         return( -1 );
 
     *hash_alg = ssl_tls13_get_ciphersuite_hash_alg( session->ciphersuite );
@@ -773,7 +766,7 @@ static int ssl_tls13_get_configured_psk_count( mbedtls_ssl_context *ssl )
 {
     int configured_psk_count = 0;
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
-    if( ssl_tls13_has_configured_ticket( ssl ) )
+    if( mbedtls_ssl_tls13_has_configured_ticket( ssl ) )
     {
         MBEDTLS_SSL_DEBUG_MSG( 3, ( "Ticket is configured" ) );
         configured_psk_count++;
@@ -1093,7 +1086,8 @@ static int ssl_tls13_parse_server_pre_shared_key_ext( mbedtls_ssl_context *ssl,
     }
 
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
-    if( selected_identity == 0 && ssl_tls13_has_configured_ticket( ssl ) )
+    if( selected_identity == 0 &&
+        mbedtls_ssl_tls13_has_configured_ticket( ssl ) )
     {
         ret = ssl_tls13_ticket_get_psk( ssl, &hash_alg, &psk, &psk_len );
     }
@@ -1160,6 +1154,29 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
     }
 #endif
 
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+    if( mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) &&
+        ( mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 1 ||
+          mbedtls_ssl_tls13_has_configured_ticket( ssl ) ) &&
+        ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED )
+    {
+        ret = mbedtls_ssl_tls13_write_early_data_ext( ssl, p, end, &ext_len );
+        if( ret != 0 )
+            return( ret );
+        p += ext_len;
+
+        ssl->handshake->early_data = MBEDTLS_SSL_EARLY_DATA_ON;
+        /* We're using rejected once we send the EarlyData extension,
+           and change it to accepted upon receipt of the server extension. */
+        ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_REJECTED;
+    }
+    else
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write early_data extension" ) );
+        ssl->handshake->early_data = MBEDTLS_SSL_EARLY_DATA_OFF;
+    }
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
     /* For PSK-based key exchange we need the pre_shared_key extension
      * and the psk_key_exchange_modes extension.
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index f85499889..875748753 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1374,6 +1374,41 @@ cleanup:
 
 #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
 
+/* Early Data Extension
+ *
+ * struct {} Empty;
+ *
+ * struct {
+ *   select ( Handshake.msg_type ) {
+ *     case new_session_ticket:   uint32 max_early_data_size;
+ *     case client_hello:         Empty;
+ *     case encrypted_extensions: Empty;
+ *   };
+ * } EarlyDataIndication;
+ */
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+int mbedtls_ssl_tls13_write_early_data_ext( mbedtls_ssl_context *ssl,
+                                            unsigned char *buf,
+                                            const unsigned char *end,
+                                            size_t *out_len )
+{
+    unsigned char *p = buf;
+    *out_len = 0;
+    ((void) ssl);
+
+    MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
+    MBEDTLS_SSL_DEBUG_MSG(
+            3, ( "client hello, adding early_data extension" ) );
+
+    MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_EARLY_DATA, p, 0 );
+    /* Write length of the early data indication extension */
+    MBEDTLS_PUT_UINT16_BE( 0, p, 2 );
+
+    *out_len = 4;
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
 /* Reset SSL context and update hash for handling HRR.
  *
  * Replace Transcript-Hash(X) by
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 56efb3c17..9685e69d4 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -344,6 +344,14 @@ int main( void )
 #define USAGE_SERIALIZATION ""
 #endif
 
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+#define USAGE_EARLY_DATA \
+    "    early_data=%%d        default: 0 (disabled)\n"      \
+    "                        options: 0 (disabled), 1 (enabled)\n"
+#else
+#define USAGE_EARLY_DATA ""
+#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_PROTO_TLS1_3 */
+
 #define USAGE_KEY_OPAQUE_ALGS \
     "    key_opaque_algs=%%s  Allowed opaque key algorithms.\n"                      \
     "                        comma-separated pair of values among the following:\n"    \
@@ -533,6 +541,7 @@ struct options
                                  * after renegotiation                      */
     int reproducible;           /* make communication reproducible          */
     int skip_close_notify;      /* skip sending the close_notify alert      */
+    int early_data;             /* support for early data                   */
     int query_config_mode;      /* whether to read config                   */
     int use_srtp;               /* Support SRTP                             */
     int force_srtp_profile;     /* SRTP protection profile to use or all    */
@@ -1189,7 +1198,24 @@ int main( int argc, char *argv[] )
                 default: goto usage;
             }
         }
+
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+        else if( strcmp( p, "early_data" ) == 0 )
+        {
+            switch( atoi( q ) )
+            {
+                case 0:
+                    opt.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
+                    break;
+                case 1:
+                    opt.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
+                    break;
+                default: goto usage;
+            }
+        }
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
         else if( strcmp( p, "tls13_kex_modes" ) == 0 )
         {
             if( strcmp( q, "psk" ) == 0 )
@@ -2091,6 +2117,10 @@ int main( int argc, char *argv[] )
     if( opt.max_version != DFL_MAX_VERSION )
         mbedtls_ssl_conf_max_tls_version( &conf, opt.max_version );
 
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+    mbedtls_ssl_tls13_conf_early_data( &conf, opt.early_data );
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
     if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
     {
         mbedtls_printf( " failed\n  ! mbedtls_ssl_setup returned -0x%x\n\n",
@@ -2467,6 +2497,12 @@ int main( int argc, char *argv[] )
         }
     }
 
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
+    /* TODO: We can log the actual early data status after we define
+     * the API mbedtls_ssl_get_early_data_status.
+     */
+#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */
+
 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
     /*
      * 5. Verify the server certificate
@@ -3177,6 +3213,12 @@ reconnect:
 
         mbedtls_printf( " ok\n" );
 
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
+        /* TODO: We can log the actual early data status when reconnect
+         * after we define the API mbedtls_ssl_get_early_data_status.
+         */
+#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */
+
         goto send_request;
     }
 
diff --git a/tests/configs/tls13-only.h b/tests/configs/tls13-only.h
index 7483f1cd9..a4dcb92ba 100644
--- a/tests/configs/tls13-only.h
+++ b/tests/configs/tls13-only.h
@@ -24,6 +24,7 @@
 
 /* Enable TLS 1.3 and core 1.3 features */
 #define MBEDTLS_SSL_PROTO_TLS1_3
+#define MBEDTLS_SSL_EARLY_DATA
 #define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 
 /* Disable TLS 1.2 and 1.2-specific features */
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 9eb925aa1..14123fa9a 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -80,12 +80,14 @@ fi
 
 if [ -n "${OPENSSL_NEXT:-}" ]; then
     O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key"
+    O_NEXT_SRV_NO_WWW="$OPENSSL_NEXT s_server -cert data_files/server5.crt -key data_files/server5.key"
     O_NEXT_SRV_NO_CERT="$OPENSSL_NEXT s_server -www "
     O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client -CAfile data_files/test-ca_cat12.crt"
     O_NEXT_CLI_NO_CERT="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client"
 else
     O_NEXT_SRV=false
     O_NEXT_SRV_NO_CERT=false
+    O_NEXT_SRV_NO_WWW=false
     O_NEXT_CLI_NO_CERT=false
     O_NEXT_CLI=false
 fi
@@ -1690,6 +1692,7 @@ fi
 if [ -n "${OPENSSL_NEXT:-}" ]; then
     O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT"
     O_NEXT_SRV_NO_CERT="$O_NEXT_SRV_NO_CERT -accept $SRV_PORT"
+    O_NEXT_SRV_NO_WWW="$O_NEXT_SRV_NO_WWW -accept $SRV_PORT"
     O_NEXT_CLI="$O_NEXT_CLI -connect 127.0.0.1:+SRV_PORT"
     O_NEXT_CLI_NO_CERT="$O_NEXT_CLI_NO_CERT -connect 127.0.0.1:+SRV_PORT"
 fi
@@ -13039,6 +13042,21 @@ run_test    "TLS 1.3: NewSessionTicket: servername negative check, m->m" \
             -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \
             -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH"
 
+requires_openssl_next
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_SSL_EARLY_DATA
+run_test    "TLS 1.3, ext PSK, early data" \
+            "$O_NEXT_SRV_NO_WWW -msg -debug -tls1_3 -early_data -psk_identity 0a0b0c -psk 010203 -allow_no_dhe_kex -nocert" \
+            "$P_CLI nbio=2 debug_level=5 force_version=tls13 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \
+            1 \
+            -c "=> write client hello"  \
+            -c "client hello, adding early_data extension"  \
+            -c "<= write client hello"  \
+            -c "client state: MBEDTLS_SSL_SERVER_HELLO"
+
 # Test heap memory usage after handshake
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_MEMORY_DEBUG

From 911c0cc4f0971e0cc77685359cc8b649bb147e4f Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Mon, 31 Oct 2022 09:35:32 +0000
Subject: [PATCH 065/159] Fix format issues in comments

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 include/mbedtls/ssl.h       | 2 +-
 library/ssl_tls13_generic.c | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 47ce3c695..6369de0a9 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1793,7 +1793,7 @@ struct mbedtls_ssl_context
 
 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
     /*
-     * early data request state
+     * early data request status
      */
     int MBEDTLS_PRIVATE(early_data_status);
 #endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 875748753..a27315102 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1375,8 +1375,6 @@ cleanup:
 #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
 
 /* Early Data Extension
- *
- * struct {} Empty;
  *
  * struct {
  *   select ( Handshake.msg_type ) {

From 893ad8196689e0c75ec3a318bee1270da724222e Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Mon, 31 Oct 2022 10:38:10 +0000
Subject: [PATCH 066/159] Remove useless early_secrets field

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 library/ssl_misc.h | 2 --
 1 file changed, 2 deletions(-)

diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 2b1f90f4f..52dbb3b17 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -989,8 +989,6 @@ struct mbedtls_ssl_handshake_params
     mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets;
 
 #if defined(MBEDTLS_SSL_EARLY_DATA)
-    mbedtls_ssl_tls13_early_secrets early_secrets;
-
     int early_data;     /*!< Early data indication:
                          * 0  -- MBEDTLS_SSL_EARLY_DATA_DISABLED (for no early data), and
                          * 1  -- MBEDTLS_SSL_EARLY_DATA_ENABLED (for use early data)

From b781a2323c8aa878b3370a6335479940b6d9483c Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Tue, 1 Nov 2022 07:39:46 +0000
Subject: [PATCH 067/159] Move ssl_tls13_has_configured_ticket() back to tls13
 client

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 library/ssl_misc.h         |  5 -----
 library/ssl_tls.c          |  9 ---------
 library/ssl_tls13_client.c | 18 +++++++++++++-----
 3 files changed, 13 insertions(+), 19 deletions(-)

diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 52dbb3b17..901c1049d 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -1487,11 +1487,6 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl,
 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
 
-#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl );
-#endif
-
 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
 #if defined(MBEDTLS_SSL_CLI_C)
 MBEDTLS_CHECK_RETURN_CRITICAL
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 945a2e9bd..da90b2350 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1872,15 +1872,6 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
 }
 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
 
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
-int mbedtls_ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl )
-{
-    mbedtls_ssl_session *session = ssl->session_negotiate;
-    return( ssl->handshake->resume &&
-            session != NULL && session->ticket != NULL );
-}
-#endif
-
 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
 int mbedtls_ssl_conf_has_static_psk( mbedtls_ssl_config const *conf )
 {
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 0d24474ec..bb7e14bea 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -693,6 +693,14 @@ static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg( int ciphersuite )
 }
 
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_session *session = ssl->session_negotiate;
+    return( ssl->handshake->resume &&
+            session != NULL && session->ticket != NULL );
+}
+
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_ticket_get_identity( mbedtls_ssl_context *ssl,
                                           psa_algorithm_t *hash_alg,
@@ -701,7 +709,7 @@ static int ssl_tls13_ticket_get_identity( mbedtls_ssl_context *ssl,
 {
     mbedtls_ssl_session *session = ssl->session_negotiate;
 
-    if( !mbedtls_ssl_tls13_has_configured_ticket( ssl ) )
+    if( !ssl_tls13_has_configured_ticket( ssl ) )
         return( -1 );
 
     *hash_alg = ssl_tls13_get_ciphersuite_hash_alg( session->ciphersuite );
@@ -719,7 +727,7 @@ static int ssl_tls13_ticket_get_psk( mbedtls_ssl_context *ssl,
 
     mbedtls_ssl_session *session = ssl->session_negotiate;
 
-    if( !mbedtls_ssl_tls13_has_configured_ticket( ssl ) )
+    if( !ssl_tls13_has_configured_ticket( ssl ) )
         return( -1 );
 
     *hash_alg = ssl_tls13_get_ciphersuite_hash_alg( session->ciphersuite );
@@ -766,7 +774,7 @@ static int ssl_tls13_get_configured_psk_count( mbedtls_ssl_context *ssl )
 {
     int configured_psk_count = 0;
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
-    if( mbedtls_ssl_tls13_has_configured_ticket( ssl ) )
+    if( ssl_tls13_has_configured_ticket( ssl ) )
     {
         MBEDTLS_SSL_DEBUG_MSG( 3, ( "Ticket is configured" ) );
         configured_psk_count++;
@@ -1087,7 +1095,7 @@ static int ssl_tls13_parse_server_pre_shared_key_ext( mbedtls_ssl_context *ssl,
 
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
     if( selected_identity == 0 &&
-        mbedtls_ssl_tls13_has_configured_ticket( ssl ) )
+        ssl_tls13_has_configured_ticket( ssl ) )
     {
         ret = ssl_tls13_ticket_get_psk( ssl, &hash_alg, &psk, &psk_len );
     }
@@ -1157,7 +1165,7 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
 #if defined(MBEDTLS_SSL_EARLY_DATA)
     if( mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) &&
         ( mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 1 ||
-          mbedtls_ssl_tls13_has_configured_ticket( ssl ) ) &&
+          ssl_tls13_has_configured_ticket( ssl ) ) &&
         ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED )
     {
         ret = mbedtls_ssl_tls13_write_early_data_ext( ssl, p, end, &ext_len );

From 338f7276835fa1543de883017c8dc7802b567521 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Wed, 2 Nov 2022 07:18:30 +0000
Subject: [PATCH 068/159] Move EARLY_DATA_OFF/ON guard to ssl_misc.h

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 include/mbedtls/ssl.h | 3 ---
 library/ssl_misc.h    | 4 ++++
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 6369de0a9..8c4985987 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -332,9 +332,6 @@
 #define MBEDTLS_SSL_EARLY_DATA_DISABLED        0
 #define MBEDTLS_SSL_EARLY_DATA_ENABLED         1
 
-#define MBEDTLS_SSL_EARLY_DATA_OFF        0
-#define MBEDTLS_SSL_EARLY_DATA_ON         1
-
 #define MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED    0
 #define MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED      1
 
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 901c1049d..d454ebb51 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -77,6 +77,10 @@
 /* Faked handshake message identity for HelloRetryRequest. */
 #define MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST ( -MBEDTLS_SSL_HS_SERVER_HELLO )
 
+/* Early data indication sent or not */
+#define MBEDTLS_SSL_EARLY_DATA_OFF        0
+#define MBEDTLS_SSL_EARLY_DATA_ON         1
+
 /*
  * Internal identity of handshake extensions
  */

From 76332816c7a29d2f5f3e8a623fd4b9712caead08 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Wed, 2 Nov 2022 07:22:48 +0000
Subject: [PATCH 069/159] Define the EARLY_DATA_STATUS

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 include/mbedtls/ssl.h      | 7 ++++---
 library/ssl_tls13_client.c | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 8c4985987..92ab1a390 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -802,9 +802,10 @@ typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item;
 #endif
 
 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
-#define MBEDTLS_SSL_EARLY_DATA_NOT_SENT       0
-#define MBEDTLS_SSL_EARLY_DATA_REJECTED       1
-#define MBEDTLS_SSL_EARLY_DATA_ACCEPTED       2
+#define MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN   0
+#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT  1
+#define MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED  2
+#define MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED  3
 #endif
 /**
  * \brief          Callback type: server-side session cache getter
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index bb7e14bea..8879c44af 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1176,7 +1176,7 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
         ssl->handshake->early_data = MBEDTLS_SSL_EARLY_DATA_ON;
         /* We're using rejected once we send the EarlyData extension,
            and change it to accepted upon receipt of the server extension. */
-        ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_REJECTED;
+        ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;
     }
     else
     {

From ecc2948f211627acb21d4d9b7b003543f84f0692 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Wed, 2 Nov 2022 07:52:47 +0000
Subject: [PATCH 070/159] Fix format issues

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 include/mbedtls/ssl.h       | 1 -
 library/ssl_misc.h          | 7 ++++---
 library/ssl_tls13_client.c  | 8 +++-----
 library/ssl_tls13_generic.c | 5 ++---
 4 files changed, 9 insertions(+), 12 deletions(-)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 92ab1a390..f1d16bc60 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1949,7 +1949,6 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
 */
 void mbedtls_ssl_tls13_conf_early_data( mbedtls_ssl_config *conf,
                                         int early_data_enabled );
-
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_EARLY_DATA */
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index d454ebb51..581e1534c 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -2058,9 +2058,10 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
 #endif /* MBEDTLS_ECDH_C */
 
 #if defined(MBEDTLS_SSL_EARLY_DATA)
-int mbedtls_ssl_tls13_write_early_data_ext(
-    mbedtls_ssl_context *ssl,
-    unsigned char *buf, const unsigned char *end, size_t *olen);
+int mbedtls_ssl_tls13_write_early_data_ext( mbedtls_ssl_context *ssl,
+                                            unsigned char *buf,
+                                            const unsigned char *end,
+                                            size_t *out_len );
 #endif /* MBEDTLS_SSL_EARLY_DATA */
 
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 8879c44af..c019db2fa 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -693,7 +693,6 @@ static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg( int ciphersuite )
 }
 
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
-MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl )
 {
     mbedtls_ssl_session *session = ssl->session_negotiate;
@@ -1094,8 +1093,7 @@ static int ssl_tls13_parse_server_pre_shared_key_ext( mbedtls_ssl_context *ssl,
     }
 
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
-    if( selected_identity == 0 &&
-        ssl_tls13_has_configured_ticket( ssl ) )
+    if( selected_identity == 0 && ssl_tls13_has_configured_ticket( ssl ) )
     {
         ret = ssl_tls13_ticket_get_psk( ssl, &hash_alg, &psk, &psk_len );
     }
@@ -1174,8 +1172,8 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
         p += ext_len;
 
         ssl->handshake->early_data = MBEDTLS_SSL_EARLY_DATA_ON;
-        /* We're using rejected once we send the EarlyData extension,
-           and change it to accepted upon receipt of the server extension. */
+        /* Initializes the status to `rejected`. Changes it to `accepted`
+         * when `early_data` is received in EncryptedExtesion. */
         ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;
     }
     else
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index a27315102..04790387a 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1374,11 +1374,11 @@ cleanup:
 
 #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
 
-/* Early Data Extension
+/* Early Data Indication Extension
  *
  * struct {
  *   select ( Handshake.msg_type ) {
- *     case new_session_ticket:   uint32 max_early_data_size;
+ *     ...
  *     case client_hello:         Empty;
  *     case encrypted_extensions: Empty;
  *   };
@@ -1399,7 +1399,6 @@ int mbedtls_ssl_tls13_write_early_data_ext( mbedtls_ssl_context *ssl,
             3, ( "client hello, adding early_data extension" ) );
 
     MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_EARLY_DATA, p, 0 );
-    /* Write length of the early data indication extension */
     MBEDTLS_PUT_UINT16_BE( 0, p, 2 );
 
     *out_len = 4;

From b0c32d8b20d729cad83cb786bf2c1cca7a8fde4c Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Wed, 2 Nov 2022 10:51:13 +0000
Subject: [PATCH 071/159] Update early data test cases

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 tests/ssl-opt.sh | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 14123fa9a..868de81d2 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -80,14 +80,14 @@ fi
 
 if [ -n "${OPENSSL_NEXT:-}" ]; then
     O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key"
-    O_NEXT_SRV_NO_WWW="$OPENSSL_NEXT s_server -cert data_files/server5.crt -key data_files/server5.key"
+    O_NEXT_SRV_EARLY_DATA="$OPENSSL_NEXT s_server -early_data -cert data_files/server5.crt -key data_files/server5.key"
     O_NEXT_SRV_NO_CERT="$OPENSSL_NEXT s_server -www "
     O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client -CAfile data_files/test-ca_cat12.crt"
     O_NEXT_CLI_NO_CERT="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client"
 else
     O_NEXT_SRV=false
     O_NEXT_SRV_NO_CERT=false
-    O_NEXT_SRV_NO_WWW=false
+    O_NEXT_SRV_EARLY_DATA=false
     O_NEXT_CLI_NO_CERT=false
     O_NEXT_CLI=false
 fi
@@ -1692,7 +1692,7 @@ fi
 if [ -n "${OPENSSL_NEXT:-}" ]; then
     O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT"
     O_NEXT_SRV_NO_CERT="$O_NEXT_SRV_NO_CERT -accept $SRV_PORT"
-    O_NEXT_SRV_NO_WWW="$O_NEXT_SRV_NO_WWW -accept $SRV_PORT"
+    O_NEXT_SRV_EARLY_DATA="$O_NEXT_SRV_EARLY_DATA -accept $SRV_PORT"
     O_NEXT_CLI="$O_NEXT_CLI -connect 127.0.0.1:+SRV_PORT"
     O_NEXT_CLI_NO_CERT="$O_NEXT_CLI_NO_CERT -connect 127.0.0.1:+SRV_PORT"
 fi
@@ -13049,8 +13049,8 @@ requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_EARLY_DATA
 run_test    "TLS 1.3, ext PSK, early data" \
-            "$O_NEXT_SRV_NO_WWW -msg -debug -tls1_3 -early_data -psk_identity 0a0b0c -psk 010203 -allow_no_dhe_kex -nocert" \
-            "$P_CLI nbio=2 debug_level=5 force_version=tls13 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \
+            "$O_NEXT_SRV_EARLY_DATA -msg -debug -tls1_3 -psk_identity 0a0b0c -psk 010203 -allow_no_dhe_kex -nocert" \
+            "$P_CLI debug_level=5 force_version=tls13 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \
             1 \
             -c "=> write client hello"  \
             -c "client hello, adding early_data extension"  \

From 01323a46c6f7e8a2b39b78a3458b456d88c41be6 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Thu, 3 Nov 2022 02:27:35 +0000
Subject: [PATCH 072/159] Add session ticket related check when send early data

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 library/ssl_tls13_client.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index c019db2fa..9434c2b08 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -700,6 +700,18 @@ static int ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl )
             session != NULL && session->ticket != NULL );
 }
 
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+static int ssl_tls13_early_data_ticket_verify( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_session *session = ssl->session_negotiate;
+    return( ssl->handshake->resume &&
+            session != NULL && session->ticket != NULL &&
+            session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
+            mbedtls_ssl_tls13_cipher_suite_is_offered(
+                ssl, session->ciphersuite ) );
+}
+#endif
+
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_ticket_get_identity( mbedtls_ssl_context *ssl,
                                           psa_algorithm_t *hash_alg,
@@ -1162,8 +1174,11 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
 
 #if defined(MBEDTLS_SSL_EARLY_DATA)
     if( mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) &&
-        ( mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 1 ||
-          ssl_tls13_has_configured_ticket( ssl ) ) &&
+        ( mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 1
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+          || ssl_tls13_early_data_ticket_verify( ssl )
+#endif
+        ) &&
         ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED )
     {
         ret = mbedtls_ssl_tls13_write_early_data_ext( ssl, p, end, &ext_len );

From a341225fd03a96051b482e0fd64623c464885864 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Fri, 4 Nov 2022 10:13:19 +0000
Subject: [PATCH 073/159] Change function name
 ssl_tls13_early_data_has_valid_ticket

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 library/ssl_tls13_client.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 9434c2b08..b539f8ff4 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -701,7 +701,7 @@ static int ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl )
 }
 
 #if defined(MBEDTLS_SSL_EARLY_DATA)
-static int ssl_tls13_early_data_ticket_verify( mbedtls_ssl_context *ssl )
+static int ssl_tls13_early_data_has_valid_ticket( mbedtls_ssl_context *ssl )
 {
     mbedtls_ssl_session *session = ssl->session_negotiate;
     return( ssl->handshake->resume &&
@@ -1176,7 +1176,7 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
     if( mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) &&
         ( mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 1
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
-          || ssl_tls13_early_data_ticket_verify( ssl )
+          || ssl_tls13_early_data_has_valid_ticket( ssl )
 #endif
         ) &&
         ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED )

From f447e8a8d38730cb0973888cfd1cce818942c290 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Tue, 8 Nov 2022 07:02:27 +0000
Subject: [PATCH 074/159] Address comments base on reviews

Improve early data indication check
Update test case to gnutls server

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 include/mbedtls/ssl.h       | 23 ++++++++++++++++-------
 library/ssl_debug_helpers.h |  5 +++++
 library/ssl_misc.h          |  7 -------
 library/ssl_tls13_client.c  | 22 ++++++++++++----------
 tests/ssl-opt.sh            | 14 +++++++-------
 5 files changed, 40 insertions(+), 31 deletions(-)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index f1d16bc60..080474613 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -802,11 +802,23 @@ typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item;
 #endif
 
 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
-#define MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN   0
-#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT  1
-#define MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED  2
-#define MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED  3
+#define MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN           0
+#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT          1
+#define MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT   2
+#define MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED          3
+#define MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED          4
 #endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+
+typedef enum
+{
+    MBEDTLS_SSL_TICKET_ALLOW_EARLY_DATA = 1,
+    MBEDTLS_SSL_TICKET_ALLOW_DHE_RESUMPTION = 2,
+    MBEDTLS_SSL_TICKET_ALLOW_PSK_RESUMPTION = 4,
+} mbedtls_ssl_ticket_flags;
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
 /**
  * \brief          Callback type: server-side session cache getter
  *
@@ -1790,9 +1802,6 @@ struct mbedtls_ssl_context
 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
 
 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
-    /*
-     * early data request status
-     */
     int MBEDTLS_PRIVATE(early_data_status);
 #endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */
 
diff --git a/library/ssl_debug_helpers.h b/library/ssl_debug_helpers.h
index 4412f8e21..9efbbbcd2 100644
--- a/library/ssl_debug_helpers.h
+++ b/library/ssl_debug_helpers.h
@@ -33,6 +33,11 @@
 
 const char *mbedtls_ssl_states_str( mbedtls_ssl_states in );
 
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+const char *mbedtls_ssl_ticket_flags_str( mbedtls_ssl_ticket_flags in );
+#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_3) &&
+          defined(MBEDTLS_SSL_SESSION_TICKETS) */
+
 const char *mbedtls_ssl_protocol_version_str( mbedtls_ssl_protocol_version in );
 
 const char *mbedtls_tls_prf_types_str( mbedtls_tls_prf_types in );
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 581e1534c..342cabb3a 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -991,13 +991,6 @@ struct mbedtls_ssl_handshake_params
     } tls13_master_secrets;
 
     mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets;
-
-#if defined(MBEDTLS_SSL_EARLY_DATA)
-    int early_data;     /*!< Early data indication:
-                         * 0  -- MBEDTLS_SSL_EARLY_DATA_DISABLED (for no early data), and
-                         * 1  -- MBEDTLS_SSL_EARLY_DATA_ENABLED (for use early data)
-                         */
-#endif /* MBEDTLS_SSL_EARLY_DATA */
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
 
 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index b539f8ff4..46c7c4589 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -705,8 +705,8 @@ static int ssl_tls13_early_data_has_valid_ticket( mbedtls_ssl_context *ssl )
 {
     mbedtls_ssl_session *session = ssl->session_negotiate;
     return( ssl->handshake->resume &&
-            session != NULL && session->ticket != NULL &&
             session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
+            ( session->ticket_flags & MBEDTLS_SSL_TICKET_ALLOW_EARLY_DATA ) &&
             mbedtls_ssl_tls13_cipher_suite_is_offered(
                 ssl, session->ciphersuite ) );
 }
@@ -1174,11 +1174,7 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
 
 #if defined(MBEDTLS_SSL_EARLY_DATA)
     if( mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) &&
-        ( mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 1
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
-          || ssl_tls13_early_data_has_valid_ticket( ssl )
-#endif
-        ) &&
+        ssl_tls13_early_data_has_valid_ticket( ssl ) &&
         ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED )
     {
         ret = mbedtls_ssl_tls13_write_early_data_ext( ssl, p, end, &ext_len );
@@ -1186,15 +1182,14 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
             return( ret );
         p += ext_len;
 
-        ssl->handshake->early_data = MBEDTLS_SSL_EARLY_DATA_ON;
-        /* Initializes the status to `rejected`. Changes it to `accepted`
+        /* Initializes the status to `indication sent`. Changes it to `accepted`
          * when `early_data` is received in EncryptedExtesion. */
-        ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;
+        ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT;
     }
     else
     {
         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write early_data extension" ) );
-        ssl->handshake->early_data = MBEDTLS_SSL_EARLY_DATA_OFF;
+        ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT;
     }
 #endif /* MBEDTLS_SSL_EARLY_DATA */
 
@@ -2543,6 +2538,13 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
 
         switch( extension_type )
         {
+            case MBEDTLS_TLS_EXT_EARLY_DATA:
+                MBEDTLS_SSL_DEBUG_MSG( 4, ( "early_data extension received" ) );
+                if( extension_data_len == 4 && ssl->session != NULL)
+                    ssl->session->ticket_flags |=
+                            MBEDTLS_SSL_TICKET_ALLOW_EARLY_DATA;
+                break;
+
             default:
                 MBEDTLS_SSL_PRINT_EXT(
                     3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 868de81d2..b6c3982d8 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -13042,15 +13042,15 @@ run_test    "TLS 1.3: NewSessionTicket: servername negative check, m->m" \
             -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \
             -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH"
 
-requires_openssl_next
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_gnutls_tls1_3
 requires_config_enabled MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_SSL_EARLY_DATA
-run_test    "TLS 1.3, ext PSK, early data" \
-            "$O_NEXT_SRV_EARLY_DATA -msg -debug -tls1_3 -psk_identity 0a0b0c -psk 010203 -allow_no_dhe_kex -nocert" \
-            "$P_CLI debug_level=5 force_version=tls13 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
+                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+run_test    "TLS 1.3: NewSessionTicket: early data, m->G" \
+            "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+PSK --earlydata --disable-client-cert" \
+            "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1" \
             1 \
             -c "=> write client hello"  \
             -c "client hello, adding early_data extension"  \

From a042b8406d0ec8489eceff88e27c5583577bab26 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Wed, 9 Nov 2022 01:59:33 +0000
Subject: [PATCH 075/159] Address some format issues

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 library/ssl_misc.h         | 4 ----
 library/ssl_tls13_client.c | 8 +++++---
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 342cabb3a..4d7f63547 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -77,10 +77,6 @@
 /* Faked handshake message identity for HelloRetryRequest. */
 #define MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST ( -MBEDTLS_SSL_HS_SERVER_HELLO )
 
-/* Early data indication sent or not */
-#define MBEDTLS_SSL_EARLY_DATA_OFF        0
-#define MBEDTLS_SSL_EARLY_DATA_ON         1
-
 /*
  * Internal identity of handshake extensions
  */
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 46c7c4589..f68b24080 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1182,8 +1182,10 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
             return( ret );
         p += ext_len;
 
-        /* Initializes the status to `indication sent`. Changes it to `accepted`
-         * when `early_data` is received in EncryptedExtesion. */
+        /* Initializes the status to `indication sent`. It will be updated to
+         * `accepted` or `rejected` depend on whether the EncryptedExtension
+         * message will contain an early data indication extension or not.
+         */
         ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT;
     }
     else
@@ -2540,7 +2542,7 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
         {
             case MBEDTLS_TLS_EXT_EARLY_DATA:
                 MBEDTLS_SSL_DEBUG_MSG( 4, ( "early_data extension received" ) );
-                if( extension_data_len == 4 && ssl->session != NULL)
+                if( extension_data_len == 4 && ssl->session != NULL )
                     ssl->session->ticket_flags |=
                             MBEDTLS_SSL_TICKET_ALLOW_EARLY_DATA;
                 break;

From 097771672d0923b10d7eb44bc689e3f0ff717bce Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Wed, 9 Nov 2022 03:46:23 +0000
Subject: [PATCH 076/159] Update early data document and prerequisites check

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 include/mbedtls/build_info.h     | 4 ++++
 include/mbedtls/check_config.h   | 5 +++--
 include/mbedtls/mbedtls_config.h | 5 ++++-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h
index f1bb52770..71f5bffd2 100644
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h
@@ -119,6 +119,10 @@
 #undef MBEDTLS_SSL_EARLY_DATA
 #endif
 
+#if !defined(MBEDTLS_SSL_SESSION_TICKETS)
+#undef MBEDTLS_SSL_EARLY_DATA
+#endif
+
 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) || \
     defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
 #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index d36db4a9e..4eb1528bb 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -844,8 +844,9 @@
 
 /* Early data requires PSK related mode defined */
 #if defined(MBEDTLS_SSL_EARLY_DATA) && \
-        ( !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) && \
-          !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED))
+    ( !defined(MBEDTLS_SSL_SESSION_TICKETS) || \
+      ( !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) && \
+        !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) ) )
 #error "MBEDTLS_SSL_EARLY_DATA  defined, but not all prerequisites"
 #endif
 
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index b4c863521..93ca9b58a 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -1641,7 +1641,10 @@
 *           MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
 *
 * Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3
-* is not enabled, this option does not have any effect on the build.
+* is not enabled or both MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED and
+* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED are disabled or
+* MBEDTLS_SSL_SESSION_TICKETS is not enabled, this option does not have any
+* effect on the build.
 *
 * This feature is experimental, not completed and thus not ready for
 * production.

From 50a47940b60d0dcb104bfcd3d0300df95e6e95d8 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Wed, 9 Nov 2022 03:58:41 +0000
Subject: [PATCH 077/159] Update early data test case with gnutls

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 tests/ssl-opt.sh | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index b6c3982d8..ccca83b73 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -13048,14 +13048,15 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
                              MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
                              MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-run_test    "TLS 1.3: NewSessionTicket: early data, m->G" \
+run_test    "TLS 1.3 m->G: EarlyData: basic check, good" \
             "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+PSK --earlydata --disable-client-cert" \
             "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1" \
             1 \
-            -c "=> write client hello"  \
-            -c "client hello, adding early_data extension"  \
-            -c "<= write client hello"  \
-            -c "client state: MBEDTLS_SSL_SERVER_HELLO"
+            -c "client hello, adding early_data extension" \
+            -c "Reconnecting with saved session" \
+            -c "unsupported extension found: 42" \
+            -s "Parsing extension 'Early Data/42' (0 bytes)" \
+            -s "Sending extension Early Data/42 (0 bytes)"
 
 # Test heap memory usage after handshake
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2

From 29ee43c0e17d4c1a7bf3b1c47d54e14d8ae73bb7 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Wed, 9 Nov 2022 07:39:57 +0000
Subject: [PATCH 078/159] Update document base on comments

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 include/mbedtls/mbedtls_config.h | 3 ++-
 include/mbedtls/ssl.h            | 9 +++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index 93ca9b58a..e3bae2cf8 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -1637,7 +1637,8 @@
 *
 * Enable support for RFC 8446 TLS 1.3 early data.
 *
-* Requires: MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED or
+* Requires: MBEDTLS_SSL_SESSION_TICKETS and either
+*           MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED or
 *           MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
 *
 * Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 080474613..1ae441caa 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -802,6 +802,15 @@ typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item;
 #endif
 
 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
+/* Define the status of early data.
+ * MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN : Initilized.
+ * MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT: Have sent early data
+ *  indication in client hello successfully.
+ * MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT: Have sent client hello without
+ *  data indication.
+ * MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED: Server side reject the early data.
+ * MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED: Server side accept the early data.
+ */
 #define MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN           0
 #define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT          1
 #define MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT   2

From 2d87a9eeb551fe6d5c447374283eb163f33ab4a9 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Wed, 9 Nov 2022 07:55:48 +0000
Subject: [PATCH 079/159] Pend one alert in case wrong EXT_EARLY_DATA length

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 library/ssl_tls13_client.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index f68b24080..4935fbf4e 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -2542,9 +2542,18 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
         {
             case MBEDTLS_TLS_EXT_EARLY_DATA:
                 MBEDTLS_SSL_DEBUG_MSG( 4, ( "early_data extension received" ) );
-                if( extension_data_len == 4 && ssl->session != NULL )
+                if( extension_data_len != 4 )
+                {
+                    MBEDTLS_SSL_PEND_FATAL_ALERT(
+                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
+                        MBEDTLS_ERR_SSL_DECODE_ERROR );
+                    return( MBEDTLS_ERR_SSL_DECODE_ERROR );
+                }
+                if( ssl->session != NULL )
+                {
                     ssl->session->ticket_flags |=
                             MBEDTLS_SSL_TICKET_ALLOW_EARLY_DATA;
+                }
                 break;
 
             default:

From ae07cd995a7cb20f570a00dfaaf4d03cdc1ae422 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Wed, 9 Nov 2022 08:09:47 +0000
Subject: [PATCH 080/159] Change ticket_flag base on review

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 include/mbedtls/ssl.h       | 10 ++++------
 library/ssl_debug_helpers.h |  5 -----
 library/ssl_tls13_client.c  |  5 +++--
 3 files changed, 7 insertions(+), 13 deletions(-)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 1ae441caa..8b1ed23d1 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -820,12 +820,10 @@ typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item;
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
 
-typedef enum
-{
-    MBEDTLS_SSL_TICKET_ALLOW_EARLY_DATA = 1,
-    MBEDTLS_SSL_TICKET_ALLOW_DHE_RESUMPTION = 2,
-    MBEDTLS_SSL_TICKET_ALLOW_PSK_RESUMPTION = 4,
-} mbedtls_ssl_ticket_flags;
+typedef uint8_t mbedtls_ssl_tls13_ticket_flags;
+#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION              ( 1u << 0 )
+#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION    ( 1u << 2 )
+#define MBEDTLS_SSL_TLS1_3_TICKET_HAS_EARLY_DATA_INDACTION          ( 1u << 3 )
 
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
 /**
diff --git a/library/ssl_debug_helpers.h b/library/ssl_debug_helpers.h
index 9efbbbcd2..4412f8e21 100644
--- a/library/ssl_debug_helpers.h
+++ b/library/ssl_debug_helpers.h
@@ -33,11 +33,6 @@
 
 const char *mbedtls_ssl_states_str( mbedtls_ssl_states in );
 
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
-const char *mbedtls_ssl_ticket_flags_str( mbedtls_ssl_ticket_flags in );
-#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_3) &&
-          defined(MBEDTLS_SSL_SESSION_TICKETS) */
-
 const char *mbedtls_ssl_protocol_version_str( mbedtls_ssl_protocol_version in );
 
 const char *mbedtls_tls_prf_types_str( mbedtls_tls_prf_types in );
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 4935fbf4e..aea7adab0 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -706,7 +706,8 @@ static int ssl_tls13_early_data_has_valid_ticket( mbedtls_ssl_context *ssl )
     mbedtls_ssl_session *session = ssl->session_negotiate;
     return( ssl->handshake->resume &&
             session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
-            ( session->ticket_flags & MBEDTLS_SSL_TICKET_ALLOW_EARLY_DATA ) &&
+            ( session->ticket_flags &
+              MBEDTLS_SSL_TLS1_3_TICKET_HAS_EARLY_DATA_INDACTION ) &&
             mbedtls_ssl_tls13_cipher_suite_is_offered(
                 ssl, session->ciphersuite ) );
 }
@@ -2552,7 +2553,7 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
                 if( ssl->session != NULL )
                 {
                     ssl->session->ticket_flags |=
-                            MBEDTLS_SSL_TICKET_ALLOW_EARLY_DATA;
+                            MBEDTLS_SSL_TLS1_3_TICKET_HAS_EARLY_DATA_INDACTION;
                 }
                 break;
 

From fe3483f9a142ca019c5371d04a3b83e084289cf7 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Wed, 9 Nov 2022 10:45:23 +0000
Subject: [PATCH 081/159] Update early data doument and config dependencies

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 include/mbedtls/build_info.h     |  4 ----
 include/mbedtls/check_config.h   |  7 ++-----
 include/mbedtls/mbedtls_config.h |  9 +++------
 include/mbedtls/ssl.h            | 13 ++-----------
 library/ssl_tls13_client.c       |  6 +++---
 5 files changed, 10 insertions(+), 29 deletions(-)

diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h
index 71f5bffd2..f1bb52770 100644
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h
@@ -119,10 +119,6 @@
 #undef MBEDTLS_SSL_EARLY_DATA
 #endif
 
-#if !defined(MBEDTLS_SSL_SESSION_TICKETS)
-#undef MBEDTLS_SSL_EARLY_DATA
-#endif
-
 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) || \
     defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
 #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 4eb1528bb..4c4bde49b 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -842,11 +842,8 @@
         "but no key exchange methods defined with MBEDTLS_KEY_EXCHANGE_xxxx"
 #endif
 
-/* Early data requires PSK related mode defined */
-#if defined(MBEDTLS_SSL_EARLY_DATA) && \
-    ( !defined(MBEDTLS_SSL_SESSION_TICKETS) || \
-      ( !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) && \
-        !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) ) )
+/* Early data requires MBEDTLS_SSL_SESSION_TICKETS defined */
+#if defined(MBEDTLS_SSL_EARLY_DATA) && !defined(MBEDTLS_SSL_SESSION_TICKETS)
 #error "MBEDTLS_SSL_EARLY_DATA  defined, but not all prerequisites"
 #endif
 
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index e3bae2cf8..3c4697175 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -1637,15 +1637,12 @@
 *
 * Enable support for RFC 8446 TLS 1.3 early data.
 *
-* Requires: MBEDTLS_SSL_SESSION_TICKETS and either
-*           MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED or
-*           MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+* Requires: MBEDTLS_SSL_SESSION_TICKETS
 *
 * Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3
 * is not enabled or both MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED and
-* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED are disabled or
-* MBEDTLS_SSL_SESSION_TICKETS is not enabled, this option does not have any
-* effect on the build.
+* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED are disabled,
+* this option does not have any effect on the build.
 *
 * This feature is experimental, not completed and thus not ready for
 * production.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 8b1ed23d1..16de0f806 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -802,15 +802,6 @@ typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item;
 #endif
 
 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
-/* Define the status of early data.
- * MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN : Initilized.
- * MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT: Have sent early data
- *  indication in client hello successfully.
- * MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT: Have sent client hello without
- *  data indication.
- * MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED: Server side reject the early data.
- * MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED: Server side accept the early data.
- */
 #define MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN           0
 #define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT          1
 #define MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT   2
@@ -822,8 +813,8 @@ typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item;
 
 typedef uint8_t mbedtls_ssl_tls13_ticket_flags;
 #define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION              ( 1u << 0 )
-#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION    ( 1u << 2 )
-#define MBEDTLS_SSL_TLS1_3_TICKET_HAS_EARLY_DATA_INDACTION          ( 1u << 3 )
+#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION    ( 1u << 1 )
+#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA                  ( 1u << 2 )
 
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
 /**
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index aea7adab0..405cce031 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -707,7 +707,7 @@ static int ssl_tls13_early_data_has_valid_ticket( mbedtls_ssl_context *ssl )
     return( ssl->handshake->resume &&
             session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
             ( session->ticket_flags &
-              MBEDTLS_SSL_TLS1_3_TICKET_HAS_EARLY_DATA_INDACTION ) &&
+              MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA ) &&
             mbedtls_ssl_tls13_cipher_suite_is_offered(
                 ssl, session->ciphersuite ) );
 }
@@ -1184,7 +1184,7 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
         p += ext_len;
 
         /* Initializes the status to `indication sent`. It will be updated to
-         * `accepted` or `rejected` depend on whether the EncryptedExtension
+         * `accepted` or `rejected` depending on whether the EncryptedExtension
          * message will contain an early data indication extension or not.
          */
         ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT;
@@ -2553,7 +2553,7 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
                 if( ssl->session != NULL )
                 {
                     ssl->session->ticket_flags |=
-                            MBEDTLS_SSL_TLS1_3_TICKET_HAS_EARLY_DATA_INDACTION;
+                            MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA;
                 }
                 break;
 

From de95604f6c144807b315f3b3625b540729cbf7b7 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Thu, 10 Nov 2022 03:11:54 +0000
Subject: [PATCH 082/159] Update ticket_flags related macros

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 include/mbedtls/ssl.h | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 16de0f806..02685e1f8 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -812,9 +812,12 @@ typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item;
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
 
 typedef uint8_t mbedtls_ssl_tls13_ticket_flags;
-#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION              ( 1u << 0 )
-#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION    ( 1u << 1 )
-#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA                  ( 1u << 2 )
+#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION \
+    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK
+#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION \
+    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL
+#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA \
+    MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION << 1
 
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
 /**

From 402bb1ee905e43410ddb442b8070f901677e7416 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Thu, 10 Nov 2022 10:38:17 +0000
Subject: [PATCH 083/159] Update documents and check

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 include/mbedtls/build_info.h     | 4 ----
 include/mbedtls/check_config.h   | 9 +++++++--
 include/mbedtls/mbedtls_config.h | 8 ++++----
 tests/configs/tls13-only.h       | 1 -
 4 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h
index f1bb52770..170cbebbe 100644
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h
@@ -112,10 +112,6 @@
 #undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
 #undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 #undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-#endif
-
-#if !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) && \
-    !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
 #undef MBEDTLS_SSL_EARLY_DATA
 #endif
 
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 4c4bde49b..f932901ec 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -842,8 +842,13 @@
         "but no key exchange methods defined with MBEDTLS_KEY_EXCHANGE_xxxx"
 #endif
 
-/* Early data requires MBEDTLS_SSL_SESSION_TICKETS defined */
-#if defined(MBEDTLS_SSL_EARLY_DATA) && !defined(MBEDTLS_SSL_SESSION_TICKETS)
+/* Early data requires MBEDTLS_SSL_SESSION_TICKETS and SOME_PSK related
+ * mode defined
+ */
+#if defined(MBEDTLS_SSL_EARLY_DATA) && \
+    ( !defined(MBEDTLS_SSL_SESSION_TICKETS) || \
+      ( !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) && \
+        !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) ) )
 #error "MBEDTLS_SSL_EARLY_DATA  defined, but not all prerequisites"
 #endif
 
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index 3c4697175..12d503e38 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -1637,12 +1637,12 @@
 *
 * Enable support for RFC 8446 TLS 1.3 early data.
 *
-* Requires: MBEDTLS_SSL_SESSION_TICKETS
+* Requires: MBEDTLS_SSL_SESSION_TICKETS and either
+*           MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED or
+*           MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
 *
 * Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3
-* is not enabled or both MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED and
-* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED are disabled,
-* this option does not have any effect on the build.
+* is not enabled, this option does not have any effect on the build.
 *
 * This feature is experimental, not completed and thus not ready for
 * production.
diff --git a/tests/configs/tls13-only.h b/tests/configs/tls13-only.h
index a4dcb92ba..7483f1cd9 100644
--- a/tests/configs/tls13-only.h
+++ b/tests/configs/tls13-only.h
@@ -24,7 +24,6 @@
 
 /* Enable TLS 1.3 and core 1.3 features */
 #define MBEDTLS_SSL_PROTO_TLS1_3
-#define MBEDTLS_SSL_EARLY_DATA
 #define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 
 /* Disable TLS 1.2 and 1.2-specific features */

From 733c76e08a32b81905fb0a50a486c203d3699776 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Mon, 14 Nov 2022 08:33:21 +0100
Subject: [PATCH 084/159] Fix style issues pointed by pylint

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 tests/scripts/analyze_outcomes.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index f78af68f3..2cdad692b 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -60,7 +60,7 @@ def analyze_coverage(results, outcomes):
             # fixed this branch to have full coverage of test cases.
             results.warning('Test case not executed: {}', key)
 
-def analyze_driver_vs_reference(outcomes, component_ref,component_driver, ignored_tests):
+def analyze_driver_vs_reference(outcomes, component_ref, component_driver, ignored_tests):
     """Check that all tests executed in the reference component are also
     executed in the corresponding driver component.
     Skip test suites provided in ignored_tests list.
@@ -143,12 +143,14 @@ TASKS = {
         'args': {
             'component_ref': 'test_psa_crypto_config_reference_hash_use_psa',
             'component_driver': 'test_psa_crypto_config_accel_hash_use_psa',
-            'ignored_suites': ['shax','mdx', # the software implementations that are being excluded
+            'ignored_suites': ['shax', 'mdx', # the software implementations that are being excluded
                                'md',  # the legacy abstraction layer that's being excluded
-                               'entropy','hmac_drbg','random', # temporary limitation (see RNG EPIC)
+                               'entropy', 'hmac_drbg', 'random', # temporary limitation
+                                                                 # (see RNG EPIC)
                                'psa_crypto_init', # doesn't work with external RNG
-                               'hkdf', # legacy still depends on MD, but there's a PSA interface that doesn't
-                               'pkcs7 '  # recent addition, will be addressed later
+                               'hkdf', # legacy still depends on MD,
+                                       # but there's a PSA interface that doesn't
+                               'pkcs7' # recent addition, will be addressed later
                               ]}}
 }
 

From 8b6826d309fcf90d6f7bde72e2fad184b56a6d8b Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Mon, 14 Nov 2022 08:33:47 +0100
Subject: [PATCH 085/159] Revert "Add fake dependency to test CI"

This reverts commit a380b06c26086e695345a04163c1d174c3eb7d20.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 tests/suites/test_suite_error.data | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/suites/test_suite_error.data b/tests/suites/test_suite_error.data
index 65f0daa84..dec5639ee 100644
--- a/tests/suites/test_suite_error.data
+++ b/tests/suites/test_suite_error.data
@@ -3,7 +3,7 @@ depends_on:MBEDTLS_AES_C
 error_strerror:-0x0020:"AES - Invalid key length"
 
 Single high error
-depends_on:MBEDTLS_RSA_C:MBEDTLS_ENTROPY_C
+depends_on:MBEDTLS_RSA_C
 error_strerror:-0x4080:"RSA - Bad input parameters to function"
 
 Low and high error

From 48e8fc737a58c50e0c8a267a4de669265ef7b381 Mon Sep 17 00:00:00 2001
From: Valerio Setti <vsetti@baylibre.com>
Date: Wed, 19 Oct 2022 15:14:29 +0200
Subject: [PATCH 086/159] Adding unit test for
 mbedtls_x509write_csr_set_extension()

The already existing "x509_csr_check()" function is extended in order
to support/test also CSR's extensions. The test is performed by
adding an extended key usage.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
---
 tests/data_files/Makefile                  |  5 ++
 tests/data_files/server1.req.sha256.ext    | 17 +++++++
 tests/suites/test_suite_x509write.data     | 28 ++++++-----
 tests/suites/test_suite_x509write.function | 56 +++++++++++++++++++++-
 4 files changed, 93 insertions(+), 13 deletions(-)
 create mode 100644 tests/data_files/server1.req.sha256.ext

diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
index 6187d17bc..cd4285c15 100644
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -881,6 +881,11 @@ server1.req.sha256: server1.key
 	$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA256
 all_final += server1.req.sha256
 
+server1.req.sha256.ext: server1.key
+	# Generating this with OpenSSL as a comparison point to test we're getting the same result
+	openssl req -new -out $@ -key $< -subj '/C=NL/O=PolarSSL/CN=PolarSSL Server 1' -sha256 -addext "extendedKeyUsage=serverAuth"
+all_final += server1.req.sha256.ext
+
 server1.req.sha384: server1.key
 	$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA384
 all_final += server1.req.sha384
diff --git a/tests/data_files/server1.req.sha256.ext b/tests/data_files/server1.req.sha256.ext
new file mode 100644
index 000000000..3f26f09ef
--- /dev/null
+++ b/tests/data_files/server1.req.sha256.ext
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICpzCCAY8CAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
+GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
+ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
+HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
+W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
+FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
+DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAmMCQGCSqGSIb3DQEJDjEX
+MBUwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAHi0yEGu
+Fh5tuLiLuT95UrRnly55+lTY9xchFiKtlcoEdSheybYxqk3JHuSSqojOFKZBlRdk
+oG6Azg56/aMHPWyvtCMSRQX4b+FgjeQsm9IfhYNMquQOxyPxm62vjuU3MfZIofXH
+hKdI6Ci2CDF4Fyvw50KBWniV38eE9+kjsvDLdXD3ESZJGhjjuFl8ReUiA2wdBTcP
+XEZaXUIc6B4tUnlPeqn/2zp4GBqqWzNZx6TXBpApASGG3BEJnM52FVPC7E9p+8YZ
+qIGuiF5Cz/rYZkpwffBWIfS2zZakHLm5TB8FgZkWlyReJU9Ihk2Tl/sZ1kllFdYa
+xLPnLCL82KFL1Co=
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data
index 1844e5cf6..5793ff8d8 100644
--- a/tests/suites/test_suite_x509write.data
+++ b/tests/suites/test_suite_x509write.data
@@ -1,30 +1,30 @@
 Certificate Request check Server1 SHA1
 depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha1":MBEDTLS_MD_SHA1:0:0:0:0
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha1":MBEDTLS_MD_SHA1:0:0:0:0:0
 
 Certificate Request check Server1 SHA224
 depends_on:MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha224":MBEDTLS_MD_SHA224:0:0:0:0
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha224":MBEDTLS_MD_SHA224:0:0:0:0:0
 
 Certificate Request check Server1 SHA256
 depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha256":MBEDTLS_MD_SHA256:0:0:0:0
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha256":MBEDTLS_MD_SHA256:0:0:0:0:0
 
 Certificate Request check Server1 SHA384
 depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha384":MBEDTLS_MD_SHA384:0:0:0:0
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha384":MBEDTLS_MD_SHA384:0:0:0:0:0
 
 Certificate Request check Server1 SHA512
 depends_on:MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha512":MBEDTLS_MD_SHA512:0:0:0:0
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha512":MBEDTLS_MD_SHA512:0:0:0:0:0
 
 Certificate Request check Server1 MD5
 depends_on:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.md5":MBEDTLS_MD_MD5:0:0:0:0
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.md5":MBEDTLS_MD_MD5:0:0:0:0:0
 
 Certificate Request check Server1 key_usage
 depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0:0
 
 Certificate Request check opaque Server1 key_usage
 depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
@@ -32,23 +32,27 @@ x509_csr_check_opaque:"data_files/server1.key":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_D
 
 Certificate Request check Server1 key_usage empty
 depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage_empty":MBEDTLS_MD_SHA1:0:1:0:0
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage_empty":MBEDTLS_MD_SHA1:0:1:0:0:0
 
 Certificate Request check Server1 ns_cert_type
 depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0
 
 Certificate Request check Server1 ns_cert_type empty
 depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type_empty":MBEDTLS_MD_SHA1:0:0:0:1
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type_empty":MBEDTLS_MD_SHA1:0:0:0:1:0
 
 Certificate Request check Server1 key_usage + ns_cert_type
 depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.ku-ct":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.ku-ct":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0
 
 Certificate Request check Server5 ECDSA, key_usage
 depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECDSA_C:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-x509_csr_check:"data_files/server5.key":"data_files/server5.req.ku.sha1":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:1:0:0
+x509_csr_check:"data_files/server5.key":"data_files/server5.req.ku.sha1":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:1:0:0:0
+
+Certificate Request check Server1, set_extension
+depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha256.ext":MBEDTLS_MD_SHA256:0:0:0:0:1
 
 Certificate Request check opaque Server5 ECDSA, key_usage
 depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index 1120bee14..f37b7b8ee 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -5,6 +5,7 @@
 #include "mbedtls/pem.h"
 #include "mbedtls/oid.h"
 #include "mbedtls/rsa.h"
+#include "mbedtls/asn1write.h"
 
 #include "hash_info.h"
 #include "mbedtls/legacy_or_psa.h"
@@ -74,6 +75,56 @@ cleanup:
 }
 #endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_PEM_WRITE_C && MBEDTLS_X509_CSR_WRITE_C */
 
+#if defined(MBEDTLS_X509_CSR_WRITE_C)
+
+/*
+ * The size of this temporary buffer is given by the sequence of functions
+ * called hereinafter:
+ * - mbedtls_asn1_write_oid()
+ *     - 8 bytes for MBEDTLS_OID_EXTENDED_KEY_USAGE raw value
+ *     - 1 byte for MBEDTLS_OID_EXTENDED_KEY_USAGE length
+ *     - 1 byte for MBEDTLS_ASN1_OID tag
+ * - mbedtls_asn1_write_len()
+ *     - 1 byte since we're dealing with sizes which are less than 0x80
+ * - mbedtls_asn1_write_tag()
+ *     - 1 byte
+ *
+ * This length is fine as long as this function is called using the
+ * MBEDTLS_OID_SERVER_AUTH OID. If this is changed in the future, then this
+ * buffer's length should be adjusted accordingly.
+ * Unfortunately there's no predefined max size for OIDs which can be used
+ * to set an overall upper boundary which is always guaranteed.
+ */
+#define EXT_KEY_USAGE_TMP_BUF_MAX_LENGTH    12
+
+static int csr_set_extended_key_usage( mbedtls_x509write_csr *ctx,
+                        const char *oid, size_t oid_len )
+{
+    unsigned char buf[EXT_KEY_USAGE_TMP_BUF_MAX_LENGTH] = { 0 };
+    unsigned char *p = buf + sizeof( buf );
+    int ret;
+    size_t len = 0;
+
+    /*
+     * Following functions fail anyway if the temporary buffer is not large,
+     * but we set an extra check here to emphasize a possible source of errors
+     */
+    if ( oid_len > EXT_KEY_USAGE_TMP_BUF_MAX_LENGTH )
+    {
+        return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+    }
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_oid( &p, buf, oid, oid_len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &p, buf, ret ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &p, buf,
+                        MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
+
+    ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_EXTENDED_KEY_USAGE,
+              MBEDTLS_OID_SIZE( MBEDTLS_OID_EXTENDED_KEY_USAGE ), 0, p, len );
+
+    return ret;
+}
+#endif  /* MBEDTLS_X509_CSR_WRITE_C */
 /* END_HEADER */
 
 /* BEGIN_DEPENDENCIES
@@ -84,7 +135,7 @@ cleanup:
 /* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C */
 void x509_csr_check( char * key_file, char * cert_req_check_file, int md_type,
                      int key_usage, int set_key_usage, int cert_type,
-                     int set_cert_type )
+                     int set_cert_type, int set_extension )
 {
     mbedtls_pk_context key;
     mbedtls_x509write_csr req;
@@ -117,6 +168,9 @@ void x509_csr_check( char * key_file, char * cert_req_check_file, int md_type,
         TEST_ASSERT( mbedtls_x509write_csr_set_key_usage( &req, key_usage ) == 0 );
     if( set_cert_type != 0 )
         TEST_ASSERT( mbedtls_x509write_csr_set_ns_cert_type( &req, cert_type ) == 0 );
+    if ( set_extension != 0 )
+        TEST_ASSERT( csr_set_extended_key_usage( &req, MBEDTLS_OID_SERVER_AUTH,
+                            MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH ) ) == 0 );
 
     ret = mbedtls_x509write_csr_pem( &req, buf, sizeof( buf ),
                                      mbedtls_test_rnd_pseudo_rand, &rnd_info );

From d3068af2a8b6067e0c8a5574fa984eecd8027782 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Mon, 14 Nov 2022 16:15:19 +0100
Subject: [PATCH 087/159] Optimize code (tasks list initialization, task
 verification)

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 tests/scripts/analyze_outcomes.py | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 2cdad692b..ba38ec280 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -175,17 +175,15 @@ def main():
 
         result = True
 
-        tasks = []
         if options.task == 'all':
-            for task in TASKS:
-                tasks.append(task)
+            tasks = TASKS.keys()
         else:
             tasks = options.task.split(',')
 
-        for task in tasks:
-            if task not in TASKS:
-                print('Error: invalid task: {}'.format(task))
-                sys.exit(1)
+            for task in tasks:
+                if task not in TASKS:
+                    print('Error: invalid task: {}'.format(task))
+                    sys.exit(1)
 
         for task in TASKS:
             if task in tasks:

From 9a0aafbe79dc362aecd284a6e24ff3c52949bc89 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Thu, 10 Nov 2022 10:45:43 +0000
Subject: [PATCH 088/159] Enable/disable MBEDTLS_SSL_EARLY_DATA for cases in
 ssl-opt.sh

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 programs/ssl/ssl_client2.c | 7 +++++++
 tests/scripts/all.sh       | 3 +++
 tests/ssl-opt.sh           | 9 +++++----
 3 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 9685e69d4..186ac18de 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -64,6 +64,7 @@ int main( void )
 #define DFL_KEY_OPAQUE          0
 #define DFL_KEY_PWD             ""
 #define DFL_PSK                 ""
+#define DFL_EARLY_DATA          MBEDTLS_SSL_EARLY_DATA_DISABLED
 #define DFL_PSK_OPAQUE          0
 #define DFL_PSK_IDENTITY        "Client_identity"
 #define DFL_ECJPAKE_PW          NULL
@@ -430,6 +431,7 @@ int main( void )
     USAGE_REPRODUCIBLE                                      \
     USAGE_CURVES                                            \
     USAGE_SIG_ALGS                                          \
+    USAGE_EARLY_DATA                                        \
     USAGE_DHMLEN                                            \
     USAGE_KEY_OPAQUE_ALGS                                   \
     "\n"
@@ -541,7 +543,9 @@ struct options
                                  * after renegotiation                      */
     int reproducible;           /* make communication reproducible          */
     int skip_close_notify;      /* skip sending the close_notify alert      */
+#if defined(MBEDTLS_SSL_EARLY_DATA)
     int early_data;             /* support for early data                   */
+#endif
     int query_config_mode;      /* whether to read config                   */
     int use_srtp;               /* Support SRTP                             */
     int force_srtp_profile;     /* SRTP protection profile to use or all    */
@@ -941,6 +945,9 @@ int main( int argc, char *argv[] )
     opt.alpn_string         = DFL_ALPN_STRING;
     opt.curves              = DFL_CURVES;
     opt.sig_algs            = DFL_SIG_ALGS;
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+    opt.early_data          = DFL_EARLY_DATA;
+#endif
     opt.transport           = DFL_TRANSPORT;
     opt.hs_to_min           = DFL_HS_TO_MIN;
     opt.hs_to_max           = DFL_HS_TO_MAX;
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 9295c9d00..32e920d22 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2105,6 +2105,7 @@ component_test_psa_crypto_config_accel_hash_use_psa () {
     scripts/config.py unset MBEDTLS_HKDF_C # has independent PSA implementation
     scripts/config.py unset MBEDTLS_HMAC_DRBG_C
     scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC
+    scripts/config.py unset MBEDTLS_SSL_EARLY_DATA
     scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
 
     loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
@@ -3221,6 +3222,7 @@ component_build_armcc () {
 
 component_test_tls13_only () {
     msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3, without MBEDTLS_SSL_PROTO_TLS1_2"
+    scripts/config.py set MBEDTLS_SSL_EARLY_DATA
     make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
 
     msg "test: TLS 1.3 only, all key exchange modes enabled"
@@ -3300,6 +3302,7 @@ component_test_tls13_only_psk_all () {
 component_test_tls13_only_ephemeral_all () {
     msg "build: TLS 1.3 only from default, without PSK key exchange mode"
     scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+    scripts/config.py set MBEDTLS_SSL_EARLY_DATA
     make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
 
     msg "test_suite_ssl: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes"
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index ccca83b73..20c1b0f4d 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -13047,14 +13047,15 @@ requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
                              MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
-                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+                             MBEDTLS_SSL_EARLY_DATA
 run_test    "TLS 1.3 m->G: EarlyData: basic check, good" \
-            "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+PSK --earlydata --disable-client-cert" \
-            "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1" \
+            "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \
+            "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \
             1 \
             -c "client hello, adding early_data extension" \
             -c "Reconnecting with saved session" \
-            -c "unsupported extension found: 42" \
+            -c "EncryptedExtensions: early_data(42) extension is unsupported" \
             -s "Parsing extension 'Early Data/42' (0 bytes)" \
             -s "Sending extension Early Data/42 (0 bytes)"
 

From 72b9b17e1120f5c4c8ff7911697c57d73a26f8ee Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Fri, 11 Nov 2022 06:08:51 +0000
Subject: [PATCH 089/159] Add comments to fix mini format issue

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 include/mbedtls/ssl.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 02685e1f8..5294ec28b 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -813,9 +813,9 @@ typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item;
 
 typedef uint8_t mbedtls_ssl_tls13_ticket_flags;
 #define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION \
-    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK
+    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK /* 1U << 0 */
 #define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION \
-    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL
+    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL /* 1U << 2 */
 #define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA \
     MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION << 1
 

From f90111b2b59c26a9a0ed18184a93fa2445f48f06 Mon Sep 17 00:00:00 2001
From: Tom Cosgrove <tom.cosgrove@arm.com>
Date: Tue, 15 Nov 2022 06:15:15 +0000
Subject: [PATCH 090/159] Must call mbedtls_mpi_mod_modulus_init() before
 anything else in tests

Fixes (new) Coverity issues 381893 and 381894

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
---
 tests/suites/test_suite_bignum_mod_raw.function | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function
index d0ffd27b0..ff766b9dc 100644
--- a/tests/suites/test_suite_bignum_mod_raw.function
+++ b/tests/suites/test_suite_bignum_mod_raw.function
@@ -300,9 +300,11 @@ void mpi_mod_raw_to_mont_rep( char * input_N, char * input_A, char * input_X )
     mbedtls_mpi_uint *N = NULL;
     mbedtls_mpi_uint *A = NULL;
     mbedtls_mpi_uint *X = NULL;
-    mbedtls_mpi_mod_modulus m;
     size_t n_limbs, a_limbs, x_limbs, x_bytes;
 
+    mbedtls_mpi_mod_modulus m;
+    mbedtls_mpi_mod_modulus_init( &m );
+
     /* Read inputs */
     TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &n_limbs, input_N ) );
     TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &A, &a_limbs, input_A ) );
@@ -312,7 +314,6 @@ void mpi_mod_raw_to_mont_rep( char * input_N, char * input_A, char * input_X )
     /* Test that input does not require more limbs than modulo */
     TEST_LE_U(a_limbs, n_limbs);
 
-    mbedtls_mpi_mod_modulus_init( &m );
     TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs,
                 MBEDTLS_MPI_MOD_EXT_REP_BE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) );
 
@@ -335,9 +336,11 @@ void mpi_mod_raw_from_mont_rep( char * input_N, char * input_A, char * input_X )
     mbedtls_mpi_uint *N = NULL;
     mbedtls_mpi_uint *A = NULL;
     mbedtls_mpi_uint *X = NULL;
-    mbedtls_mpi_mod_modulus m;
     size_t n_limbs, a_limbs, x_limbs, x_bytes;
 
+    mbedtls_mpi_mod_modulus m;
+    mbedtls_mpi_mod_modulus_init( &m );
+
     /* Read inputs */
     TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &N, &n_limbs, input_N ) );
     TEST_EQUAL( 0, mbedtls_test_read_mpi_core( &A, &a_limbs, input_A ) );
@@ -347,7 +350,6 @@ void mpi_mod_raw_from_mont_rep( char * input_N, char * input_A, char * input_X )
     /* Test that input does not require more limbs than modulo */
     TEST_LE_U(a_limbs, n_limbs);
 
-    mbedtls_mpi_mod_modulus_init( &m );
     TEST_EQUAL( 0, mbedtls_mpi_mod_modulus_setup( &m, N, n_limbs,
                 MBEDTLS_MPI_MOD_EXT_REP_BE, MBEDTLS_MPI_MOD_REP_MONTGOMERY ) );
 

From 2cd5ce0c6b41dbe69c39c3cda2bd491a04d9effb Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Tue, 15 Nov 2022 10:33:53 +0000
Subject: [PATCH 091/159] Fix various issues cause rebase to latest code

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 include/mbedtls/check_config.h   |  3 ---
 include/mbedtls/mbedtls_config.h |  2 +-
 include/mbedtls/ssl.h            |  7 +++++--
 library/ssl_tls13_client.c       |  1 -
 library/ssl_tls13_generic.c      |  5 +++--
 programs/ssl/ssl_client2.c       | 12 ------------
 6 files changed, 9 insertions(+), 21 deletions(-)

diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index f932901ec..391863971 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -842,9 +842,6 @@
         "but no key exchange methods defined with MBEDTLS_KEY_EXCHANGE_xxxx"
 #endif
 
-/* Early data requires MBEDTLS_SSL_SESSION_TICKETS and SOME_PSK related
- * mode defined
- */
 #if defined(MBEDTLS_SSL_EARLY_DATA) && \
     ( !defined(MBEDTLS_SSL_SESSION_TICKETS) || \
       ( !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) && \
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index 12d503e38..3f869b9ff 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -1648,7 +1648,7 @@
 * production.
 *
 */
-//#define MBEDTLS_SSL_EARLY_DATA
+#define MBEDTLS_SSL_EARLY_DATA
 
 /**
  * \def MBEDTLS_SSL_PROTO_DTLS
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 5294ec28b..6829fd7b6 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -816,9 +816,12 @@ typedef uint8_t mbedtls_ssl_tls13_ticket_flags;
     MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK /* 1U << 0 */
 #define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION \
     MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL /* 1U << 2 */
-#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA \
-    MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION << 1
+#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA ( 1U << 3 )
 
+#define MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK                               \
+            ( MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION             | \
+              MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION   | \
+              MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA )
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
 /**
  * \brief          Callback type: server-side session cache getter
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 405cce031..d276a9566 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -2542,7 +2542,6 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
         switch( extension_type )
         {
             case MBEDTLS_TLS_EXT_EARLY_DATA:
-                MBEDTLS_SSL_DEBUG_MSG( 4, ( "early_data extension received" ) );
                 if( extension_data_len != 4 )
                 {
                     MBEDTLS_SSL_PEND_FATAL_ALERT(
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 04790387a..761c00ec5 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1395,13 +1395,14 @@ int mbedtls_ssl_tls13_write_early_data_ext( mbedtls_ssl_context *ssl,
     ((void) ssl);
 
     MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
-    MBEDTLS_SSL_DEBUG_MSG(
-            3, ( "client hello, adding early_data extension" ) );
 
     MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_EARLY_DATA, p, 0 );
     MBEDTLS_PUT_UINT16_BE( 0, p, 2 );
 
     *out_len = 4;
+
+    mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_EARLY_DATA );
+
     return( 0 );
 }
 #endif /* MBEDTLS_SSL_EARLY_DATA */
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 186ac18de..6aa295d66 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -2504,12 +2504,6 @@ int main( int argc, char *argv[] )
         }
     }
 
-#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
-    /* TODO: We can log the actual early data status after we define
-     * the API mbedtls_ssl_get_early_data_status.
-     */
-#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */
-
 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
     /*
      * 5. Verify the server certificate
@@ -3220,12 +3214,6 @@ reconnect:
 
         mbedtls_printf( " ok\n" );
 
-#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
-        /* TODO: We can log the actual early data status when reconnect
-         * after we define the API mbedtls_ssl_get_early_data_status.
-         */
-#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */
-
         goto send_request;
     }
 

From aa88e0b86b5df3d70b9b6fb80d8116a61e984450 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Tue, 15 Nov 2022 13:21:14 +0100
Subject: [PATCH 092/159] Make configurations (driver, reference) as close as
 possible

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 tests/scripts/all.sh | 83 +++++++++++++++++++++++---------------------
 1 file changed, 43 insertions(+), 40 deletions(-)

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 6a7501a97..9fba034cd 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2041,6 +2041,45 @@ component_test_psa_crypto_config_accel_hash () {
     make test
 }
 
+# Auxiliary function to build config for hashes with and without drivers
+config_psa_crypto_hash_use_psa () {
+    DRIVER_ONLY="$1"
+    # start with config full for maximum coverage (also enables USE_PSA)
+    scripts/config.py full
+    # enable support for configuring PSA-only algorithms
+    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
+    if [ "$DRIVER_ONLY" -eq 1 ]; then
+        # enable support for drivers
+        scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
+        # disable the built-in implementation of hashes
+        scripts/config.py unset MBEDTLS_MD5_C
+        scripts/config.py unset MBEDTLS_RIPEMD160_C
+        scripts/config.py unset MBEDTLS_SHA1_C
+        scripts/config.py unset MBEDTLS_SHA224_C
+        scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below
+        scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
+        scripts/config.py unset MBEDTLS_SHA384_C
+        scripts/config.py unset MBEDTLS_SHA512_C
+        scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
+    fi
+    # Use an external RNG as currently internal RNGs depend on entropy.c
+    # which in turn hard-depends on SHA256_C (or SHA512_C).
+    # See component_test_psa_external_rng_no_drbg_use_psa.
+    scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
+    scripts/config.py unset MBEDTLS_ENTROPY_C
+    scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED # depends on ENTROPY_C
+    scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT # depends on former
+    # Also unset MD_C and things that depend on it;
+    # see component_test_crypto_full_no_md.
+    if [ "$DRIVER_ONLY" -eq 1 ]; then
+        scripts/config.py unset MBEDTLS_MD_C
+    fi
+    scripts/config.py unset MBEDTLS_HKDF_C # has independent PSA implementation
+    scripts/config.py unset MBEDTLS_HMAC_DRBG_C
+    scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC
+    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
+}
+
 # Note that component_test_psa_crypto_config_reference_hash_use_psa
 # is related to this component and both components need to be kept in sync.
 # For details please see comments for component_test_psa_crypto_config_reference_hash_use_psa.
@@ -2056,35 +2095,7 @@ component_test_psa_crypto_config_accel_hash_use_psa () {
     loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
     make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
 
-    # start with config full for maximum coverage (also enables USE_PSA)
-    scripts/config.py full
-    # enable support for drivers and configuring PSA-only algorithms
-    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
-    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
-    # disable the built-in implementation of hashes
-    scripts/config.py unset MBEDTLS_MD5_C
-    scripts/config.py unset MBEDTLS_RIPEMD160_C
-    scripts/config.py unset MBEDTLS_SHA1_C
-    scripts/config.py unset MBEDTLS_SHA224_C
-    scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below
-    scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
-    scripts/config.py unset MBEDTLS_SHA384_C
-    scripts/config.py unset MBEDTLS_SHA512_C
-    scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
-    # Use an external RNG as currently internal RNGs depend on entropy.c
-    # which in turn hard-depends on SHA256_C (or SHA512_C).
-    # See component_test_psa_external_rng_no_drbg_use_psa.
-    scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
-    scripts/config.py unset MBEDTLS_ENTROPY_C
-    scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED # depends on ENTROPY_C
-    scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT # depends on former
-    # Also unset MD_C and things that depend on it;
-    # see component_test_crypto_full_no_md.
-    scripts/config.py unset MBEDTLS_MD_C
-    scripts/config.py unset MBEDTLS_HKDF_C # has independent PSA implementation
-    scripts/config.py unset MBEDTLS_HMAC_DRBG_C
-    scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC
-    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
+    config_psa_crypto_hash_use_psa 1
 
     loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
     make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" all
@@ -2105,7 +2116,7 @@ component_test_psa_crypto_config_accel_hash_use_psa () {
     tests/ssl-opt.sh
 
     msg "test: compat.sh, MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"
-    tests/compat.sh
+    #tests/compat.sh
 }
 
 # This component provides reference configuration for test_psa_crypto_config_accel_hash_use_psa
@@ -2114,16 +2125,8 @@ component_test_psa_crypto_config_accel_hash_use_psa () {
 # Both components need to be kept in sync.
 component_test_psa_crypto_config_reference_hash_use_psa() {
     msg "test: MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"
-    # start with full
-    scripts/config.py full
-    # use PSA config and disable driver-less algs as in the component
-    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
-    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
-    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
-    # disable options as in the component
-    # (no need to disable whole modules, we'll just skip their test suite)
-    scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC
-    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
+
+    config_psa_crypto_hash_use_psa 0
 
     make
 

From 72ee1e3f3c4b7045cca770577d70cc88cb7b5460 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Wed, 9 Nov 2022 21:34:09 +0100
Subject: [PATCH 093/159] Unify mbedtls_mpi_add_mpi and mbedtls_mpi_sub_mpi

mbedtls_mpi_add_mpi() and mbedtls_mpi_sub_mpi() have the same logic, just
with one bit to flip in the sign calculation. Move the shared logic to a new
auxiliary function. This slightly reduces the code size (if the compiler
doesn't inline) and reduces the maintenance burden.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 library/bignum.c | 47 +++++++++++++++--------------------------------
 1 file changed, 15 insertions(+), 32 deletions(-)

diff --git a/library/bignum.c b/library/bignum.c
index 521787d74..abbf9b8a4 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -972,10 +972,12 @@ cleanup:
     return( ret );
 }
 
-/*
- * Signed addition: X = A + B
+/* Common function for signed addition and subtraction.
+ * Calculate A + B * flip_B where flip_B is 1 or -1.
  */
-int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
+static int add_sub_mpi( mbedtls_mpi *X,
+                        const mbedtls_mpi *A, const mbedtls_mpi *B,
+                        int flip_B )
 {
     int ret, s;
     MPI_VALIDATE_RET( X != NULL );
@@ -983,7 +985,7 @@ int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
     MPI_VALIDATE_RET( B != NULL );
 
     s = A->s;
-    if( A->s * B->s < 0 )
+    if( A->s * B->s * flip_B < 0 )
     {
         if( mbedtls_mpi_cmp_abs( A, B ) >= 0 )
         {
@@ -1007,39 +1009,20 @@ cleanup:
     return( ret );
 }
 
+/*
+ * Signed addition: X = A + B
+ */
+int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
+{
+    return( add_sub_mpi( X, A, B, 1 ) );
+}
+
 /*
  * Signed subtraction: X = A - B
  */
 int mbedtls_mpi_sub_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
 {
-    int ret, s;
-    MPI_VALIDATE_RET( X != NULL );
-    MPI_VALIDATE_RET( A != NULL );
-    MPI_VALIDATE_RET( B != NULL );
-
-    s = A->s;
-    if( A->s * B->s > 0 )
-    {
-        if( mbedtls_mpi_cmp_abs( A, B ) >= 0 )
-        {
-            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, A, B ) );
-            X->s =  s;
-        }
-        else
-        {
-            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, B, A ) );
-            X->s = -s;
-        }
-    }
-    else
-    {
-        MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( X, A, B ) );
-        X->s = s;
-    }
-
-cleanup:
-
-    return( ret );
+    return( add_sub_mpi( X, A, B, -1 ) );
 }
 
 /*

From 128895775d4ccb64977f1d3f7020b85f19428fa8 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Wed, 9 Nov 2022 21:55:33 +0100
Subject: [PATCH 094/159] Document invariants of MPI objects

Note that s must be +1 for zero.

Note that p may be NULL for zero, when n is 0.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 include/mbedtls/bignum.h | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/include/mbedtls/bignum.h b/include/mbedtls/bignum.h
index 9d15955f3..3bd1ca026 100644
--- a/include/mbedtls/bignum.h
+++ b/include/mbedtls/bignum.h
@@ -188,9 +188,27 @@ extern "C" {
  */
 typedef struct mbedtls_mpi
 {
-    int MBEDTLS_PRIVATE(s);              /*!<  Sign: -1 if the mpi is negative, 1 otherwise */
-    size_t MBEDTLS_PRIVATE(n);           /*!<  total # of limbs  */
-    mbedtls_mpi_uint *MBEDTLS_PRIVATE(p);          /*!<  pointer to limbs  */
+    /** Sign: -1 if the mpi is negative, 1 otherwise.
+     *
+     * The number 0 must be represented with `s = +1`. Although many library
+     * functions treat all-limbs-zero as equivalent to a valid representation
+     * of 0 regardless of the sign bit, there are exceptions, so bignum
+     * functions and external callers must always set \c s to +1 for the
+     * number zero.
+     *
+     * Note that this implies that calloc() or `... = {0}` does not create
+     * a valid MPI representation. You must call mbedtls_mpi_init().
+     */
+    int MBEDTLS_PRIVATE(s);
+
+    /** Total number of limbs in \c p.  */
+    size_t MBEDTLS_PRIVATE(n);
+
+    /** Pointer to limbs.
+     *
+     * This may be \c NULL if \c n is 0.
+     */
+    mbedtls_mpi_uint *MBEDTLS_PRIVATE(p);
 }
 mbedtls_mpi;
 

From 4cbbfd8d4ee6c724c385688467f23ca5a73071fc Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Wed, 9 Nov 2022 21:57:52 +0100
Subject: [PATCH 095/159] For binary operations, test both x op y and y op x

This exposes a bug in mbedtls_mpi_add_mpi() and mbedtls_mpi_sub_mpi() which
will be fixed in a subsequent commit.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 scripts/mbedtls_dev/bignum_common.py | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py
index 279668fd5..c2891fc61 100644
--- a/scripts/mbedtls_dev/bignum_common.py
+++ b/scripts/mbedtls_dev/bignum_common.py
@@ -57,15 +57,8 @@ def limbs_mpi(val: int, bits_in_limb: int) -> int:
     return (val.bit_length() + bits_in_limb - 1) // bits_in_limb
 
 def combination_pairs(values: List[T]) -> List[Tuple[T, T]]:
-    """Return all pair combinations from input values.
-
-    The return value is cast, as older versions of mypy are unable to derive
-    the specific type returned by itertools.combinations_with_replacement.
-    """
-    return typing.cast(
-        List[Tuple[T, T]],
-        list(itertools.combinations_with_replacement(values, 2))
-    )
+    """Return all pair combinations from input values."""
+    return [(x, y) for x in values for y in values]
 
 
 class OperationCommon:

From 4a768dd17d9910e0e90ae739ecdaf68de1ee78f9 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Wed, 9 Nov 2022 22:02:16 +0100
Subject: [PATCH 096/159] Fix negative zero created by (-A) + (+A) or (-A) -
 (-A)

In mbedtls_mpi_add_mpi() and mbedtls_mpi_sub_mpi(), and by extention
mbedtls_mpi_add_int() and mbedtls_mpi_sub_int(), when the resulting value
was zero, the sign bit of the result was incorrectly set to -1 when the
left-hand operand was negative. This is not a valid mbedtls_mpi
representation. Fix this: always set the sign to +1 when the result is 0.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 library/bignum.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/library/bignum.c b/library/bignum.c
index abbf9b8a4..42be815ba 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -987,14 +987,19 @@ static int add_sub_mpi( mbedtls_mpi *X,
     s = A->s;
     if( A->s * B->s * flip_B < 0 )
     {
-        if( mbedtls_mpi_cmp_abs( A, B ) >= 0 )
+        int cmp = mbedtls_mpi_cmp_abs( A, B );
+        if( cmp >= 0 )
         {
             MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, A, B ) );
-            X->s =  s;
+            /* If |A| = |B|, the result is 0 and we must set the sign bit
+             * to +1 regardless of which of A or B was negative. Otherwise,
+             * since |A| > |B|, the sign is the sign of A. */
+            X->s = cmp == 0 ? 1 : s;
         }
         else
         {
             MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, B, A ) );
+            /* Since |A| < |B|, the sign is the opposite of A. */
             X->s = -s;
         }
     }

From 806c9588ef424af188c5afe3c0932acee131bd63 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Wed, 9 Nov 2022 22:05:52 +0100
Subject: [PATCH 097/159] Changelog entry for the negative zero from add/sub

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 ChangeLog.d/negative-zero-from-add.txt | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 ChangeLog.d/negative-zero-from-add.txt

diff --git a/ChangeLog.d/negative-zero-from-add.txt b/ChangeLog.d/negative-zero-from-add.txt
new file mode 100644
index 000000000..107d858d3
--- /dev/null
+++ b/ChangeLog.d/negative-zero-from-add.txt
@@ -0,0 +1,6 @@
+Bugfix
+   * In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
+     with A > 0 created an unintended representation of the value 0 which was
+     not processed correctly by some bignum operations. Fix this. This had no
+     consequence on cryptography code, but might affect applications that call
+     bignum directly and use negative numbers.

From ca6e8aac587966c726c25723c67c3680edc57ef5 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Wed, 9 Nov 2022 21:08:44 +0100
Subject: [PATCH 098/159] Support negative zero as MPI test input

The bignum module does not officially support "negative zero" (an
mbedtls_mpi object with s=-1 and all limbs zero). However, we have a
history of bugs where a function that should produce an official
zero (with s=1), produces a negative zero in some circumstances. So it's
good to check that the bignum functions are robust when passed a negative
zero as input. And for that, we need a way to construct a negative zero
from test case arguments.

There are checks that functions don't produce negative zeros as output in
the test suite. Skip those checks if there's a negative zero input: we
don't want functions to _create_ negative zeros, but we don't mind if
they _propagate_ negative zeros.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 tests/include/test/helpers.h             | 26 +++++++++++++++++-----
 tests/src/helpers.c                      | 28 ++++++++++++++++++++++--
 tests/suites/test_suite_bignum.function  | 17 +++++++++++---
 tests/suites/test_suite_bignum.misc.data | 24 ++++++++++++++++++++
 4 files changed, 84 insertions(+), 11 deletions(-)

diff --git a/tests/include/test/helpers.h b/tests/include/test/helpers.h
index e0e6fd27f..568d5e527 100644
--- a/tests/include/test/helpers.h
+++ b/tests/include/test/helpers.h
@@ -295,13 +295,19 @@ int mbedtls_test_read_mpi_core( mbedtls_mpi_uint **pX, size_t *plimbs,
 
 /** Read an MPI from a hexadecimal string.
  *
- * Like mbedtls_mpi_read_string(), but size the resulting bignum based
- * on the number of digits in the string. In particular, construct a
- * bignum with 0 limbs for an empty string, and a bignum with leading 0
- * limbs if the string has sufficiently many leading 0 digits.
+ * Like mbedtls_mpi_read_string(), but with tighter guarantees around
+ * edge cases.
  *
- * This is important so that the "0 (null)" and "0 (1 limb)" and
- * "leading zeros" test cases do what they claim.
+ * - This function guarantees that if \p s begins with '-' then the sign
+ *   bit of the result will be negative, even if the value is 0.
+ *   When this function encounters such a "negative 0", it
+ *   increments #mbedtls_test_read_mpi.
+ * - The size of the result is exactly the minimum number of limbs needed
+ *   to fit the digits in the input. In particular, this function constructs
+ *   a bignum with 0 limbs for an empty string, and a bignum with leading 0
+ *   limbs if the string has sufficiently many leading 0 digits.
+ *   This is important so that the "0 (null)" and "0 (1 limb)" and
+ *   "leading zeros" test cases do what they claim.
  *
  * \param[out] X        The MPI object to populate. It must be initialized.
  * \param[in] s         The null-terminated hexadecimal string to read from.
@@ -309,6 +315,14 @@ int mbedtls_test_read_mpi_core( mbedtls_mpi_uint **pX, size_t *plimbs,
  * \return \c 0 on success, an \c MBEDTLS_ERR_MPI_xxx error code otherwise.
  */
 int mbedtls_test_read_mpi( mbedtls_mpi *X, const char *s );
+
+/** Nonzero if the current test case had an input parsed with
+ * mbedtls_test_read_mpi() that is a negative 0 (`"-"`, `"-0"`, `"-00"`, etc.,
+ * constructing a result with the sign bit set to -1 and the value being
+ * all-limbs-0, which is not a valid representation in #mbedtls_mpi but is
+ * tested for robustness).
+ */
+extern unsigned mbedtls_test_case_uses_negative_0;
 #endif /* MBEDTLS_BIGNUM_C */
 
 #endif /* TEST_HELPERS_H */
diff --git a/tests/src/helpers.c b/tests/src/helpers.c
index cc23fd7c4..7c83714f1 100644
--- a/tests/src/helpers.c
+++ b/tests/src/helpers.c
@@ -89,6 +89,10 @@ void mbedtls_test_set_step( unsigned long step )
     mbedtls_test_info.step = step;
 }
 
+#if defined(MBEDTLS_BIGNUM_C)
+unsigned mbedtls_test_case_uses_negative_0 = 0;
+#endif
+
 void mbedtls_test_info_reset( void )
 {
     mbedtls_test_info.result = MBEDTLS_TEST_RESULT_SUCCESS;
@@ -98,6 +102,9 @@ void mbedtls_test_info_reset( void )
     mbedtls_test_info.filename = 0;
     memset( mbedtls_test_info.line1, 0, sizeof( mbedtls_test_info.line1 ) );
     memset( mbedtls_test_info.line2, 0, sizeof( mbedtls_test_info.line2 ) );
+#if defined(MBEDTLS_BIGNUM_C)
+    mbedtls_test_case_uses_negative_0 = 0;
+#endif
 }
 
 int mbedtls_test_equal( const char *test, int line_no, const char* filename,
@@ -396,6 +403,15 @@ exit:
 
 int mbedtls_test_read_mpi( mbedtls_mpi *X, const char *s )
 {
+    int negative = 0;
+    /* Always set the sign bit to -1 if the input has a minus sign, even for 0.
+     * This creates an invalid representation, which mbedtls_mpi_read_string()
+     * avoids but we want to be able to create that in test data. */
+    if( s[0] == '-' )
+    {
+        ++s;
+        negative = 1;
+    }
     /* mbedtls_mpi_read_string() currently retains leading zeros.
      * It always allocates at least one limb for the value 0. */
     if( s[0] == 0 )
@@ -403,7 +419,15 @@ int mbedtls_test_read_mpi( mbedtls_mpi *X, const char *s )
         mbedtls_mpi_free( X );
         return( 0 );
     }
-    else
-        return( mbedtls_mpi_read_string( X, 16, s ) );
+    int ret = mbedtls_mpi_read_string( X, 16, s );
+    if( ret != 0 )
+        return( ret );
+    if( negative )
+    {
+        if( mbedtls_mpi_cmp_int( X, 0 ) == 0 )
+            ++mbedtls_test_case_uses_negative_0;
+        X->s = -1;
+    }
+    return( 0 );
 }
 #endif
diff --git a/tests/suites/test_suite_bignum.function b/tests/suites/test_suite_bignum.function
index 5c3d776f0..b75f534f4 100644
--- a/tests/suites/test_suite_bignum.function
+++ b/tests/suites/test_suite_bignum.function
@@ -13,10 +13,21 @@
  * constructing the value. */
 static int sign_is_valid( const mbedtls_mpi *X )
 {
+    /* Only +1 and -1 are valid sign bits, not e.g. 0 */
     if( X->s != 1 && X->s != -1 )
-        return( 0 ); // invalid sign bit, e.g. 0
-    if( mbedtls_mpi_bitlen( X ) == 0 && X->s != 1 )
-        return( 0 ); // negative zero
+        return( 0 );
+
+    /* The value 0 must be represented with the sign +1. A "negative zero"
+     * with s=-1 is an invalid representation. Forbid that. As an exception,
+     * we sometimes test the robustness of library functions when given
+     * a negative zero input. If a test case has a negative zero as input,
+     * we don't mind if the function has a negative zero output. */
+    if( ! mbedtls_test_case_uses_negative_0 &&
+        mbedtls_mpi_bitlen( X ) == 0 && X->s != 1 )
+    {
+        return( 0 );
+    }
+
     return( 1 );
 }
 
diff --git a/tests/suites/test_suite_bignum.misc.data b/tests/suites/test_suite_bignum.misc.data
index 0b8aa334a..818f3613b 100644
--- a/tests/suites/test_suite_bignum.misc.data
+++ b/tests/suites/test_suite_bignum.misc.data
@@ -1144,6 +1144,18 @@ mpi_div_mpi:"":"1":"":"":0
 Test mbedtls_mpi_div_mpi: 0 (null) / -1
 mpi_div_mpi:"":"-1":"":"":0
 
+Test mbedtls_mpi_div_mpi: -0 (null) / 1
+mpi_div_mpi:"-":"1":"":"":0
+
+Test mbedtls_mpi_div_mpi: -0 (null) / -1
+mpi_div_mpi:"-":"-1":"":"":0
+
+Test mbedtls_mpi_div_mpi: -0 (null) / 42
+mpi_div_mpi:"-":"2a":"":"":0
+
+Test mbedtls_mpi_div_mpi: -0 (null) / -42
+mpi_div_mpi:"-":"-2a":"":"":0
+
 Test mbedtls_mpi_div_mpi #1
 mpi_div_mpi:"9e22d6da18a33d1ef28d2a82242b3f6e9c9742f63e5d440f58a190bfaf23a7866e67589adb80":"22":"4a6abf75b13dc268ea9cc8b5b6aaf0ac85ecd437a4e0987fb13cf8d2acc57c0306c738c1583":"1a":0
 
@@ -1204,6 +1216,18 @@ mpi_mod_mpi:"":"1":"":0
 Test mbedtls_mpi_mod_mpi: 0 (null) % -1
 mpi_mod_mpi:"":"-1":"":MBEDTLS_ERR_MPI_NEGATIVE_VALUE
 
+Test mbedtls_mpi_mod_mpi: -0 (null) % 1
+mpi_mod_mpi:"-":"1":"":0
+
+Test mbedtls_mpi_mod_mpi: -0 (null) % -1
+mpi_mod_mpi:"-":"-1":"":MBEDTLS_ERR_MPI_NEGATIVE_VALUE
+
+Test mbedtls_mpi_mod_mpi: -0 (null) % 42
+mpi_mod_mpi:"-":"2a":"":0
+
+Test mbedtls_mpi_mod_mpi: -0 (null) % -42
+mpi_mod_mpi:"-":"-2a":"":MBEDTLS_ERR_MPI_NEGATIVE_VALUE
+
 Base test mbedtls_mpi_mod_int #1
 mpi_mod_int:"3e8":"d":"c":0
 

From 35af02171d186b29c746e9e54c32387f75dcd30d Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Tue, 15 Nov 2022 20:43:33 +0100
Subject: [PATCH 099/159] Add negative zero as an input to automatically
 generated tests

Although negative zero is officially unsupported, we've had bugs related to
it in the past. So do test functions with a negative zero input.

There will likely be cases where we don't want to accept negative zero as if
it was valid, because it's too hard to handle. We'll add exceptions on a
case by case basis.

For the functions that are currently tested by the generated tests, the new
test cases pass.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 scripts/mbedtls_dev/bignum_common.py   |  8 +++++++-
 tests/scripts/generate_bignum_tests.py | 28 +++++++++++++++++++++++---
 2 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py
index c2891fc61..1eb4ca7df 100644
--- a/scripts/mbedtls_dev/bignum_common.py
+++ b/scripts/mbedtls_dev/bignum_common.py
@@ -38,7 +38,13 @@ def invmod(a: int, n: int) -> int:
     raise ValueError("Not invertible")
 
 def hex_to_int(val: str) -> int:
-    return int(val, 16) if val else 0
+    """Implement the syntax accepted by mbedtls_test_read_mpi().
+
+    This is a superset of what is accepted by mbedtls_test_read_mpi_core().
+    """
+    if val == '' or val == '-':
+        return 0
+    return int(val, 16)
 
 def quote_str(val) -> str:
     return "\"{}\"".format(val)
diff --git a/tests/scripts/generate_bignum_tests.py b/tests/scripts/generate_bignum_tests.py
index a105203b0..f1b24409e 100755
--- a/tests/scripts/generate_bignum_tests.py
+++ b/tests/scripts/generate_bignum_tests.py
@@ -78,11 +78,16 @@ class BignumOperation(bignum_common.OperationCommon, BignumTarget, metaclass=ABC
     #pylint: disable=abstract-method
     """Common features for bignum operations in legacy tests."""
     input_values = [
-        "", "0", "7b", "-7b",
+        "", "0", "-", "-0",
+        "7b", "-7b",
         "0000000000000000123", "-0000000000000000123",
         "1230000000000000000", "-1230000000000000000"
     ]
 
+    def description_suffix(self) -> str:
+        """Text to add at the end of the test case description."""
+        return ""
+
     def description(self) -> str:
         """Generate a description for the test case.
 
@@ -96,6 +101,9 @@ class BignumOperation(bignum_common.OperationCommon, BignumTarget, metaclass=ABC
                 self.symbol,
                 self.value_description(self.arg_b)
             )
+            description_suffix = self.description_suffix()
+            if description_suffix:
+                self.case_description += " " + description_suffix
         return super().description()
 
     @staticmethod
@@ -107,6 +115,8 @@ class BignumOperation(bignum_common.OperationCommon, BignumTarget, metaclass=ABC
         """
         if val == "":
             return "0 (null)"
+        if val == "-":
+            return "negative 0 (null)"
         if val == "0":
             return "0 (1 limb)"
 
@@ -171,9 +181,21 @@ class BignumAdd(BignumOperation):
         ]
     )
 
-    def result(self) -> List[str]:
-        return [bignum_common.quote_str("{:x}").format(self.int_a + self.int_b)]
+    def __init__(self, val_a: str, val_b: str) -> None:
+        super().__init__(val_a, val_b)
+        self._result = self.int_a + self.int_b
 
+    def description_suffix(self) -> str:
+        if (self.int_a >= 0 and self.int_b >= 0):
+            return "" # obviously positive result or 0
+        if (self.int_a <= 0 and self.int_b <= 0):
+            return "" # obviously negative result or 0
+        # The sign of the result is not obvious, so indicate it
+        return ", result{}0".format('>' if self._result > 0 else
+                                    '<' if self._result < 0 else '=')
+
+    def result(self) -> List[str]:
+        return [bignum_common.quote_str("{:x}".format(self._result))]
 
 if __name__ == '__main__':
     # Use the section of the docstring relevant to the CLI as description

From b9b9026c531e0f6c6df02a1025cdabc48cfa0e99 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Thu, 10 Nov 2022 09:15:21 +0100
Subject: [PATCH 100/159] Pacify pylint

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 scripts/mbedtls_dev/bignum_common.py   | 5 +----
 tests/scripts/generate_bignum_tests.py | 1 +
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py
index 1eb4ca7df..8b11bc283 100644
--- a/scripts/mbedtls_dev/bignum_common.py
+++ b/scripts/mbedtls_dev/bignum_common.py
@@ -14,9 +14,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-import itertools
-import typing
-
 from abc import abstractmethod
 from typing import Iterator, List, Tuple, TypeVar
 
@@ -42,7 +39,7 @@ def hex_to_int(val: str) -> int:
 
     This is a superset of what is accepted by mbedtls_test_read_mpi_core().
     """
-    if val == '' or val == '-':
+    if val in ['', '-']:
         return 0
     return int(val, 16)
 
diff --git a/tests/scripts/generate_bignum_tests.py b/tests/scripts/generate_bignum_tests.py
index f1b24409e..eee2f657a 100755
--- a/tests/scripts/generate_bignum_tests.py
+++ b/tests/scripts/generate_bignum_tests.py
@@ -85,6 +85,7 @@ class BignumOperation(bignum_common.OperationCommon, BignumTarget, metaclass=ABC
     ]
 
     def description_suffix(self) -> str:
+        #pylint: disable=no-self-use # derived classes need self
         """Text to add at the end of the test case description."""
         return ""
 

From 23875ceb112cc2dd66b034a76f7357c641987338 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Fri, 11 Nov 2022 15:59:51 +0100
Subject: [PATCH 101/159] Fix autocucumber in documentation

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 tests/include/test/helpers.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/include/test/helpers.h b/tests/include/test/helpers.h
index 568d5e527..5f9bde697 100644
--- a/tests/include/test/helpers.h
+++ b/tests/include/test/helpers.h
@@ -301,7 +301,7 @@ int mbedtls_test_read_mpi_core( mbedtls_mpi_uint **pX, size_t *plimbs,
  * - This function guarantees that if \p s begins with '-' then the sign
  *   bit of the result will be negative, even if the value is 0.
  *   When this function encounters such a "negative 0", it
- *   increments #mbedtls_test_read_mpi.
+ *   increments #mbedtls_test_case_uses_negative_0.
  * - The size of the result is exactly the minimum number of limbs needed
  *   to fit the digits in the input. In particular, this function constructs
  *   a bignum with 0 limbs for an empty string, and a bignum with leading 0

From 348410f7097bfffdd73d9c370d2d1eb7a75b9b2c Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Tue, 15 Nov 2022 22:22:07 +0100
Subject: [PATCH 102/159] Make a copy of the key in operation while setting
 pake password

Additionally use psa_get_and_lock_key_slot_with_policy() to obtain key.
This requires making this function public. This will have to be solved while adding driver dipatch for EC-JPAKE.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 include/psa/crypto_extra.h |  5 ++--
 library/psa_crypto.c       |  2 +-
 library/psa_crypto_pake.c  | 59 +++++++++++++++++++++++++++++---------
 3 files changed, 49 insertions(+), 17 deletions(-)

diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h
index 4f65398e2..d527e579b 100644
--- a/include/psa/crypto_extra.h
+++ b/include/psa/crypto_extra.h
@@ -1829,7 +1829,7 @@ psa_status_t psa_pake_abort( psa_pake_operation_t * operation );
  */
 #if defined(MBEDTLS_PSA_BUILTIN_PAKE)
 #define PSA_PAKE_OPERATION_INIT {PSA_ALG_NONE, 0, 0, 0, 0,              \
-                                 MBEDTLS_SVC_KEY_ID_INIT,               \
+                                 NULL, 0                ,               \
                                  PSA_PAKE_ROLE_NONE, {0}, 0, 0,         \
                                  {.dummy = 0}}
 #else
@@ -1920,7 +1920,8 @@ struct psa_pake_operation_s
 #if defined(MBEDTLS_PSA_BUILTIN_PAKE)
     unsigned int MBEDTLS_PRIVATE(input_step);
     unsigned int MBEDTLS_PRIVATE(output_step);
-    mbedtls_svc_key_id_t MBEDTLS_PRIVATE(password);
+    uint8_t* MBEDTLS_PRIVATE(password_data);
+    size_t MBEDTLS_PRIVATE(password_bytes);
     psa_pake_role_t MBEDTLS_PRIVATE(role);
     uint8_t MBEDTLS_PRIVATE(buffer[MBEDTLS_PSA_PAKE_BUFFER_SIZE]);
     size_t MBEDTLS_PRIVATE(buffer_length);
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 2ce5e4320..55319c4bd 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -890,7 +890,7 @@ static psa_status_t psa_restrict_key_policy(
  * On success, the returned key slot is locked. It is the responsibility of
  * the caller to unlock the key slot when it does not access it anymore.
  */
-static psa_status_t psa_get_and_lock_key_slot_with_policy(
+psa_status_t psa_get_and_lock_key_slot_with_policy(
     mbedtls_svc_key_id_t key,
     psa_key_slot_t **p_slot,
     psa_key_usage_t usage,
diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c
index 870b5b565..1deb48875 100644
--- a/library/psa_crypto_pake.c
+++ b/library/psa_crypto_pake.c
@@ -33,6 +33,11 @@
 #include <mbedtls/error.h>
 #include <string.h>
 
+extern psa_status_t psa_get_and_lock_key_slot_with_policy(
+    mbedtls_svc_key_id_t key,
+    psa_key_slot_t **p_slot,
+    psa_key_usage_t usage,
+    psa_algorithm_t alg );
 /*
  * State sequence:
  *
@@ -248,6 +253,7 @@ psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation,
     psa_key_attributes_t attributes = psa_key_attributes_init();
     psa_key_type_t type;
     psa_key_usage_t usage;
+    psa_key_slot_t *slot = NULL;
 
     if( operation->alg == PSA_ALG_NONE ||
         operation->state != PSA_PAKE_STATE_SETUP )
@@ -255,6 +261,9 @@ psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation,
         return( PSA_ERROR_BAD_STATE );
     }
 
+    if( psa_is_valid_key_id( password, 1 ) == 0 )
+        return( PSA_ERROR_BAD_STATE );
+
     status = psa_get_key_attributes( password, &attributes );
     if( status != PSA_SUCCESS )
         return( status );
@@ -273,7 +282,33 @@ psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation,
     if( ( usage & PSA_KEY_USAGE_DERIVE ) == 0 )
         return( PSA_ERROR_NOT_PERMITTED );
 
-    operation->password = password;
+    status = psa_get_and_lock_key_slot_with_policy( password, &slot,
+                                                    PSA_KEY_USAGE_DERIVE,
+                                                    PSA_ALG_JPAKE );
+    if( status != PSA_SUCCESS )
+        return( status );
+
+    if( slot->key.data == NULL || slot->key.bytes == 0 )
+        return( PSA_ERROR_INVALID_ARGUMENT );
+
+    if( operation->password_data != NULL )
+    {
+        mbedtls_free( operation->password_data );
+        operation->password_bytes = 0;
+    }
+
+    operation->password_data = mbedtls_calloc( 1, slot->key.bytes );
+    if( operation->password_data == NULL )
+    {
+        status = psa_unlock_key_slot( slot );
+        return( PSA_ERROR_INSUFFICIENT_MEMORY );
+    }
+    memcpy( operation->password_data, slot->key.data, slot->key.bytes );
+    operation->password_bytes = slot->key.bytes;
+
+    status = psa_unlock_key_slot( slot );
+    if( status != PSA_SUCCESS )
+        return( status );
 
     return( PSA_SUCCESS );
 }
@@ -348,9 +383,7 @@ psa_status_t psa_pake_set_role( psa_pake_operation_t *operation,
 static psa_status_t psa_pake_ecjpake_setup( psa_pake_operation_t *operation )
 {
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
     mbedtls_ecjpake_role role;
-    psa_key_slot_t *slot = NULL;
 
     if( operation->role == PSA_PAKE_ROLE_CLIENT )
         role = MBEDTLS_ECJPAKE_CLIENT;
@@ -359,22 +392,18 @@ static psa_status_t psa_pake_ecjpake_setup( psa_pake_operation_t *operation )
     else
         return( PSA_ERROR_BAD_STATE );
 
-    if( psa_is_valid_key_id( operation->password, 1 ) == 0 )
+    if (operation->password_data == NULL ||
+        operation->password_bytes == 0 )
+    {
         return( PSA_ERROR_BAD_STATE );
-
-    status = psa_get_and_lock_key_slot( operation->password, &slot );
-    if( status != PSA_SUCCESS )
-        return( status );
-
+    }
 
     ret = mbedtls_ecjpake_setup( &operation->ctx.ecjpake,
                                  role,
                                  MBEDTLS_MD_SHA256,
                                  MBEDTLS_ECP_DP_SECP256R1,
-                                 slot->key.data, slot->key.bytes );
-
-    psa_unlock_key_slot( slot );
-    slot = NULL;
+                                 operation->password_data,
+                                 operation->password_bytes );
 
     if( ret != 0 )
         return( mbedtls_ecjpake_to_psa_error( ret ) );
@@ -840,7 +869,9 @@ psa_status_t psa_pake_abort(psa_pake_operation_t * operation)
     {
         operation->input_step = PSA_PAKE_STEP_INVALID;
         operation->output_step = PSA_PAKE_STEP_INVALID;
-        operation->password = MBEDTLS_SVC_KEY_ID_INIT;
+        mbedtls_free( operation->password_data );
+        operation->password_data = NULL;
+        operation->password_bytes = 0;
         operation->role = PSA_PAKE_ROLE_NONE;
         mbedtls_platform_zeroize( operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE );
         operation->buffer_length = 0;

From 6110a16555bcb185c825fbfcccaca200a1c98c95 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Tue, 15 Nov 2022 21:22:27 +0100
Subject: [PATCH 103/159] Document mbedtls_mpi_uint and mbedtls_mpi_sint

Since they're part of the public API (even if only through a few functions),
they should be documented.

I deliberately skipped documenting how to configure the size of the type.
Right now, MBEDTLS_HAVE_INT32 and MBEDTLS_HAVE_INT64 have no Doxygen
documentation, so it's ambiguous whether they're part of the public API.
Resolving this ambiguity is out of scope of my current work.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 include/mbedtls/bignum.h | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/include/mbedtls/bignum.h b/include/mbedtls/bignum.h
index 9d15955f3..5800d4acb 100644
--- a/include/mbedtls/bignum.h
+++ b/include/mbedtls/bignum.h
@@ -179,6 +179,20 @@
     #endif /* !MBEDTLS_NO_UDBL_DIVISION */
 #endif /* !MBEDTLS_HAVE_INT64 */
 
+/** \typedef mbedtls_mpi_uint
+ * \brief The type of machine digits in a bignum, called _limbs_.
+ *
+ * This is always an unsigned integer type with no padding bits. The size
+ * is platform-dependent.
+ */
+
+/** \typedef mbedtls_mpi_sint
+ * \brief The signed type corresponding to #mbedtls_mpi_uint.
+ *
+ * This is always an signed integer type with no padding bits. The size
+ * is platform-dependent.
+ */
+
 #ifdef __cplusplus
 extern "C" {
 #endif

From db14a9d180069e8a6cb63455e75463aad9f68889 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Tue, 15 Nov 2022 22:59:00 +0100
Subject: [PATCH 104/159] Fix NULL+0 in addition 0 + 0

Fix undefined behavior (typically harmless in practice) of
mbedtls_mpi_add_mpi(), mbedtls_mpi_add_abs() and mbedtls_mpi_add_int() when
both operands are 0 and the left operand is represented with 0 limbs.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 ChangeLog.d/mpi-add-0-ub.txt | 4 ++++
 library/bignum.c             | 5 +++++
 2 files changed, 9 insertions(+)
 create mode 100644 ChangeLog.d/mpi-add-0-ub.txt

diff --git a/ChangeLog.d/mpi-add-0-ub.txt b/ChangeLog.d/mpi-add-0-ub.txt
new file mode 100644
index 000000000..9f131a430
--- /dev/null
+++ b/ChangeLog.d/mpi-add-0-ub.txt
@@ -0,0 +1,4 @@
+Bugfix
+   * Fix undefined behavior (typically harmless in practice) of
+     mbedtls_mpi_add_mpi(), mbedtls_mpi_add_abs() and mbedtls_mpi_add_int()
+     when both operands are 0 and the left operand is represented with 0 limbs.
diff --git a/library/bignum.c b/library/bignum.c
index 521787d74..497ccbc81 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -889,6 +889,11 @@ int mbedtls_mpi_add_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
         if( B->p[j - 1] != 0 )
             break;
 
+    /* Exit early to avoid undefined behavior on NULL+0 when X->n == 0
+     * and B is 0 (of any size). */
+    if( j == 0 )
+        return( 0 );
+
     MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j ) );
 
     /* j is the number of non-zero limbs of B. Add those to X. */

From af601f97519f90cc4b669984dd3fcf215b8b2792 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Tue, 15 Nov 2022 23:02:14 +0100
Subject: [PATCH 105/159] Fix undefined behavior with the most negative
 mbedtls_mpi_sint

When x is the most negative value of a two's complement type,
`(unsigned_type)(-x)` has undefined behavior, whereas `-(unsigned_type)x`
has well-defined behavior and does what was intended.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 ChangeLog.d/mpi-most-negative-sint.txt   |   4 +
 library/bignum.c                         |  10 +-
 tests/suites/test_suite_bignum.function  | 144 +++++++++++++++++++++++
 tests/suites/test_suite_bignum.misc.data |   3 +
 4 files changed, 156 insertions(+), 5 deletions(-)
 create mode 100644 ChangeLog.d/mpi-most-negative-sint.txt

diff --git a/ChangeLog.d/mpi-most-negative-sint.txt b/ChangeLog.d/mpi-most-negative-sint.txt
new file mode 100644
index 000000000..5e775c482
--- /dev/null
+++ b/ChangeLog.d/mpi-most-negative-sint.txt
@@ -0,0 +1,4 @@
+Bugfix
+   * Fix undefined behavior (typically harmless in practice) when some bignum
+     functions receive the most negative value of mbedtls_mpi_sint. Credit
+     to OSS-Fuzz. Fixes #6597.
diff --git a/library/bignum.c b/library/bignum.c
index 497ccbc81..04aca69e8 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -263,7 +263,7 @@ int mbedtls_mpi_lset( mbedtls_mpi *X, mbedtls_mpi_sint z )
     MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, 1 ) );
     memset( X->p, 0, X->n * ciL );
 
-    X->p[0] = ( z < 0 ) ? -z : z;
+    X->p[0] = ( z < 0 ) ? -(mbedtls_mpi_uint)z : z;
     X->s    = ( z < 0 ) ? -1 : 1;
 
 cleanup:
@@ -853,7 +853,7 @@ int mbedtls_mpi_cmp_int( const mbedtls_mpi *X, mbedtls_mpi_sint z )
     mbedtls_mpi_uint p[1];
     MPI_VALIDATE_RET( X != NULL );
 
-    *p  = ( z < 0 ) ? -z : z;
+    *p  = ( z < 0 ) ? -(mbedtls_mpi_uint)z : z;
     Y.s = ( z < 0 ) ? -1 : 1;
     Y.n = 1;
     Y.p = p;
@@ -1057,7 +1057,7 @@ int mbedtls_mpi_add_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint
     MPI_VALIDATE_RET( X != NULL );
     MPI_VALIDATE_RET( A != NULL );
 
-    p[0] = ( b < 0 ) ? -b : b;
+    p[0] = ( b < 0 ) ? -(mbedtls_mpi_uint)b : b;
     B.s = ( b < 0 ) ? -1 : 1;
     B.n = 1;
     B.p = p;
@@ -1075,7 +1075,7 @@ int mbedtls_mpi_sub_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint
     MPI_VALIDATE_RET( X != NULL );
     MPI_VALIDATE_RET( A != NULL );
 
-    p[0] = ( b < 0 ) ? -b : b;
+    p[0] = ( b < 0 ) ? -(mbedtls_mpi_uint)b : b;
     B.s = ( b < 0 ) ? -1 : 1;
     B.n = 1;
     B.p = p;
@@ -1413,7 +1413,7 @@ int mbedtls_mpi_div_int( mbedtls_mpi *Q, mbedtls_mpi *R,
     mbedtls_mpi_uint p[1];
     MPI_VALIDATE_RET( A != NULL );
 
-    p[0] = ( b < 0 ) ? -b : b;
+    p[0] = ( b < 0 ) ? -(mbedtls_mpi_uint)b : b;
     B.s = ( b < 0 ) ? -1 : 1;
     B.n = 1;
     B.p = p;
diff --git a/tests/suites/test_suite_bignum.function b/tests/suites/test_suite_bignum.function
index 5c3d776f0..323846759 100644
--- a/tests/suites/test_suite_bignum.function
+++ b/tests/suites/test_suite_bignum.function
@@ -1447,6 +1447,150 @@ exit:
 }
 /* END_CASE */
 
+/* BEGIN_CASE */
+void most_negative_mpi_sint( )
+{
+    /* Ad hoc tests for n = -p = -2^(biL-1) as a mbedtls_mpi_sint. We
+     * guarantee that mbedtls_mpi_sint is a two's complement type, so this
+     * is a valid value. However, negating it (`-n`) has undefined behavior
+     * (although in practice `-n` evaluates to the value n).
+     *
+     * This function has ad hoc tests for this value. It's separated from other
+     * functions because the test framework makes it hard to pass this value
+     * into test cases.
+     *
+     * In the comments here:
+     * - biL = number of bits in limbs
+     * - p = 2^(biL-1) (smallest positive value not in mbedtls_mpi_sint range)
+     * - n = -2^(biL-1) (largest negative value in mbedtls_mpi_sint range)
+     */
+
+    mbedtls_mpi A, R, X;
+    mbedtls_mpi_init( &A );
+    mbedtls_mpi_init( &R );
+    mbedtls_mpi_init( &X );
+
+    const size_t biL = 8 * sizeof( mbedtls_mpi_sint );
+    mbedtls_mpi_uint most_positive_plus_1 = (mbedtls_mpi_uint) 1 << ( biL - 1 );
+    const mbedtls_mpi_sint most_positive = most_positive_plus_1 - 1;
+    const mbedtls_mpi_sint most_negative = - most_positive - 1;
+    TEST_EQUAL( (mbedtls_mpi_uint) most_negative,
+                (mbedtls_mpi_uint) 1 << ( biL - 1 ) );
+    TEST_EQUAL( (mbedtls_mpi_uint) most_negative << 1, 0 );
+
+    /* Test mbedtls_mpi_lset() */
+    TEST_EQUAL( mbedtls_mpi_lset( &A, most_negative ), 0 );
+    TEST_EQUAL( A.s, -1 );
+    TEST_EQUAL( A.n, 1 );
+    TEST_EQUAL( A.p[0], most_positive_plus_1 );
+
+    /* Test mbedtls_mpi_cmp_int(): -p == -p */
+    TEST_EQUAL( mbedtls_mpi_cmp_int( &A, most_negative ), 0 );
+
+    /* Test mbedtls_mpi_cmp_int(): -(p+1) < -p */
+    A.p[0] = most_positive_plus_1 + 1;
+    TEST_EQUAL( mbedtls_mpi_cmp_int( &A, most_negative ), -1 );
+
+    /* Test mbedtls_mpi_cmp_int(): -(p-1) > -p */
+    A.p[0] = most_positive_plus_1 - 1;
+    TEST_EQUAL( mbedtls_mpi_cmp_int( &A, most_negative ), 1 );
+
+    /* Test mbedtls_mpi_add_int(): (p-1) + (-p) */
+    TEST_EQUAL( mbedtls_mpi_lset( &A, most_positive ), 0 );
+    TEST_EQUAL( mbedtls_mpi_add_int( &X, &A, most_negative ), 0 );
+    TEST_EQUAL( mbedtls_mpi_cmp_int( &X, -1 ), 0 );
+
+    /* Test mbedtls_mpi_add_int(): (0) + (-p) */
+    TEST_EQUAL( mbedtls_mpi_lset( &A, 0 ), 0 );
+    TEST_EQUAL( mbedtls_mpi_add_int( &X, &A, most_negative ), 0 );
+    TEST_EQUAL( mbedtls_mpi_cmp_int( &X, most_negative ), 0 );
+
+    /* Test mbedtls_mpi_add_int(): (-p) + (-p) */
+    TEST_EQUAL( mbedtls_mpi_lset( &A, most_negative ), 0 );
+    TEST_EQUAL( mbedtls_mpi_add_int( &X, &A, most_negative ), 0 );
+    TEST_EQUAL( X.s, -1 );
+    TEST_EQUAL( X.n, 2 );
+    TEST_EQUAL( X.p[0], 0 );
+    TEST_EQUAL( X.p[1], 1 );
+
+    /* Test mbedtls_mpi_sub_int(): (p) - (-p) */
+    mbedtls_mpi_free( &X );
+    TEST_EQUAL( mbedtls_mpi_lset( &A, most_positive ), 0 );
+    TEST_EQUAL( mbedtls_mpi_sub_int( &X, &A, most_negative ), 0 );
+    TEST_EQUAL( X.s, 1 );
+    TEST_EQUAL( X.n, 1 );
+    TEST_EQUAL( X.p[0], ~(mbedtls_mpi_uint)0 );
+
+    /* Test mbedtls_mpi_sub_int(): (0) - (-p) */
+    TEST_EQUAL( mbedtls_mpi_lset( &A, 0 ), 0 );
+    TEST_EQUAL( mbedtls_mpi_sub_int( &X, &A, most_negative ), 0 );
+    TEST_EQUAL( X.s, 1 );
+    TEST_EQUAL( X.n, 1 );
+    TEST_EQUAL( X.p[0], most_positive_plus_1 );
+
+    /* Test mbedtls_mpi_sub_int(): (-p) - (-p) */
+    TEST_EQUAL( mbedtls_mpi_lset( &A, most_negative ), 0 );
+    TEST_EQUAL( mbedtls_mpi_sub_int( &X, &A, most_negative ), 0 );
+    TEST_EQUAL( mbedtls_mpi_cmp_int( &X, 0 ), 0 );
+
+    /* Test mbedtls_mpi_div_int(): (-p+1) / (-p) */
+    TEST_EQUAL( mbedtls_mpi_lset( &A, -most_positive ), 0 );
+    TEST_EQUAL( mbedtls_mpi_div_int( &X, &R, &A, most_negative ), 0 );
+    TEST_EQUAL( mbedtls_mpi_cmp_int( &X, 0 ), 0 );
+    TEST_EQUAL( mbedtls_mpi_cmp_int( &R, -most_positive ), 0 );
+
+    /* Test mbedtls_mpi_div_int(): (-p) / (-p) */
+    TEST_EQUAL( mbedtls_mpi_lset( &A, most_negative ), 0 );
+    TEST_EQUAL( mbedtls_mpi_div_int( &X, &R, &A, most_negative ), 0 );
+    TEST_EQUAL( mbedtls_mpi_cmp_int( &X, 1 ), 0 );
+    TEST_EQUAL( mbedtls_mpi_cmp_int( &R, 0 ), 0 );
+
+    /* Test mbedtls_mpi_div_int(): (-2*p) / (-p) */
+    TEST_EQUAL( mbedtls_mpi_shift_l( &A, 1 ), 0 );
+    TEST_EQUAL( mbedtls_mpi_div_int( &X, &R, &A, most_negative ), 0 );
+    TEST_EQUAL( mbedtls_mpi_cmp_int( &X, 2 ), 0 );
+    TEST_EQUAL( mbedtls_mpi_cmp_int( &R, 0 ), 0 );
+
+    /* Test mbedtls_mpi_div_int(): (-2*p+1) / (-p) */
+    TEST_EQUAL( mbedtls_mpi_add_int( &A, &A, 1 ), 0 );
+    TEST_EQUAL( mbedtls_mpi_div_int( &X, &R, &A, most_negative ), 0 );
+    TEST_EQUAL( mbedtls_mpi_cmp_int( &X, 1 ), 0 );
+    TEST_EQUAL( mbedtls_mpi_cmp_int( &R, -most_positive ), 0 );
+
+    /* Test mbedtls_mpi_div_int(): (p-1) / (-p) */
+    TEST_EQUAL( mbedtls_mpi_lset( &A, most_positive ), 0 );
+    TEST_EQUAL( mbedtls_mpi_div_int( &X, &R, &A, most_negative ), 0 );
+    TEST_EQUAL( mbedtls_mpi_cmp_int( &X, 0 ), 0 );
+    TEST_EQUAL( mbedtls_mpi_cmp_int( &R, most_positive ), 0 );
+
+    /* Test mbedtls_mpi_div_int(): (p) / (-p) */
+    TEST_EQUAL( mbedtls_mpi_add_int( &A, &A, 1 ), 0 );
+    TEST_EQUAL( mbedtls_mpi_div_int( &X, &R, &A, most_negative ), 0 );
+    TEST_EQUAL( mbedtls_mpi_cmp_int( &X, -1 ), 0 );
+    TEST_EQUAL( mbedtls_mpi_cmp_int( &R, 0 ), 0 );
+
+    /* Test mbedtls_mpi_div_int(): (2*p) / (-p) */
+    TEST_EQUAL( mbedtls_mpi_shift_l( &A, 1 ), 0 );
+    TEST_EQUAL( mbedtls_mpi_div_int( &X, &R, &A, most_negative ), 0 );
+    TEST_EQUAL( mbedtls_mpi_cmp_int( &X, -2 ), 0 );
+    TEST_EQUAL( mbedtls_mpi_cmp_int( &R, 0 ), 0 );
+
+    /* Test mbedtls_mpi_mod_int(): never valid */
+    TEST_EQUAL( mbedtls_mpi_mod_int( X.p, &A, most_negative ),
+                MBEDTLS_ERR_MPI_NEGATIVE_VALUE );
+
+    /* Test mbedtls_mpi_random(): never valid */
+    TEST_EQUAL( mbedtls_mpi_random( &X, most_negative, &A,
+                                    mbedtls_test_rnd_std_rand, NULL ),
+                MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+exit:
+    mbedtls_mpi_free( &A );
+    mbedtls_mpi_free( &R );
+    mbedtls_mpi_free( &X );
+}
+/* END_CASE */
+
 /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
 void mpi_selftest(  )
 {
diff --git a/tests/suites/test_suite_bignum.misc.data b/tests/suites/test_suite_bignum.misc.data
index 0b8aa334a..7aaacbe73 100644
--- a/tests/suites/test_suite_bignum.misc.data
+++ b/tests/suites/test_suite_bignum.misc.data
@@ -1934,6 +1934,9 @@ mpi_random_fail:2:"01":MBEDTLS_ERR_MPI_BAD_INPUT_DATA
 MPI random bad arguments: min > N = 1, 0 limb in upper bound
 mpi_random_fail:2:"000000000000000001":MBEDTLS_ERR_MPI_BAD_INPUT_DATA
 
+Most negative mbedtls_mpi_sint
+most_negative_mpi_sint:
+
 MPI Selftest
 depends_on:MBEDTLS_SELF_TEST
 mpi_selftest:

From ef7f4e47b183549784239d2d5bd3bb5c856e93c6 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Tue, 15 Nov 2022 23:25:27 +0100
Subject: [PATCH 106/159] Express abs(z) in a way that satisfies GCC and MSVC

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 library/bignum.c | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/library/bignum.c b/library/bignum.c
index 04aca69e8..53a9aa5e7 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -252,6 +252,17 @@ void mbedtls_mpi_swap( mbedtls_mpi *X, mbedtls_mpi *Y )
     memcpy(  Y, &T, sizeof( mbedtls_mpi ) );
 }
 
+static inline mbedtls_mpi_uint mpi_sint_abs( mbedtls_mpi_sint z )
+{
+    if( z >= 0 )
+        return( z );
+    /* Take care to handle the most negative value (-2^(biL-1)) correctly.
+     * A naive -z would have undefined behavior.
+     * Write this in a way that makes popular compilers happy (GCC, Clang,
+     * MSVC). */
+    return( (mbedtls_mpi_uint) 0 - (mbedtls_mpi_uint) z );
+}
+
 /*
  * Set value from integer
  */
@@ -263,7 +274,7 @@ int mbedtls_mpi_lset( mbedtls_mpi *X, mbedtls_mpi_sint z )
     MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, 1 ) );
     memset( X->p, 0, X->n * ciL );
 
-    X->p[0] = ( z < 0 ) ? -(mbedtls_mpi_uint)z : z;
+    X->p[0] = mpi_sint_abs( z );
     X->s    = ( z < 0 ) ? -1 : 1;
 
 cleanup:
@@ -853,7 +864,7 @@ int mbedtls_mpi_cmp_int( const mbedtls_mpi *X, mbedtls_mpi_sint z )
     mbedtls_mpi_uint p[1];
     MPI_VALIDATE_RET( X != NULL );
 
-    *p  = ( z < 0 ) ? -(mbedtls_mpi_uint)z : z;
+    *p  = mpi_sint_abs( z );
     Y.s = ( z < 0 ) ? -1 : 1;
     Y.n = 1;
     Y.p = p;
@@ -1057,7 +1068,7 @@ int mbedtls_mpi_add_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint
     MPI_VALIDATE_RET( X != NULL );
     MPI_VALIDATE_RET( A != NULL );
 
-    p[0] = ( b < 0 ) ? -(mbedtls_mpi_uint)b : b;
+    p[0] = mpi_sint_abs( b );
     B.s = ( b < 0 ) ? -1 : 1;
     B.n = 1;
     B.p = p;
@@ -1075,7 +1086,7 @@ int mbedtls_mpi_sub_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint
     MPI_VALIDATE_RET( X != NULL );
     MPI_VALIDATE_RET( A != NULL );
 
-    p[0] = ( b < 0 ) ? -(mbedtls_mpi_uint)b : b;
+    p[0] = mpi_sint_abs( b );
     B.s = ( b < 0 ) ? -1 : 1;
     B.n = 1;
     B.p = p;
@@ -1413,7 +1424,7 @@ int mbedtls_mpi_div_int( mbedtls_mpi *Q, mbedtls_mpi *R,
     mbedtls_mpi_uint p[1];
     MPI_VALIDATE_RET( A != NULL );
 
-    p[0] = ( b < 0 ) ? -(mbedtls_mpi_uint)b : b;
+    p[0] = mpi_sint_abs( b );
     B.s = ( b < 0 ) ? -1 : 1;
     B.n = 1;
     B.p = p;

From 298f781948d4bd69cfe826ce86de907ac9dbb6c2 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Tue, 15 Nov 2022 23:54:26 +0100
Subject: [PATCH 107/159] Use .datax for `make test`, not .data

Looking for the .data file doesn't work in out-of-tree builds. Use the
.datax file instead. `make clean` removes all .datax files, so this resolves
the issue of executables not present on the current branch being left behind
after a branch change followed by a `make clean`.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 tests/scripts/run-test-suites.pl | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tests/scripts/run-test-suites.pl b/tests/scripts/run-test-suites.pl
index 8a5bb937d..cedc0bfa5 100755
--- a/tests/scripts/run-test-suites.pl
+++ b/tests/scripts/run-test-suites.pl
@@ -50,10 +50,10 @@ GetOptions(
            'verbose|v:1' => \$verbose,
           ) or die;
 
-# All test suites = executable files derived from a .data file.
+# All test suites = executable files with a .datax file.
 my @suites = ();
-for my $data_file (glob 'suites/test_suite_*.data') {
-    (my $base = $data_file) =~ s#^suites/(.*)\.data$#$1#;
+for my $data_file (glob 'test_suite_*.datax') {
+    (my $base = $data_file) =~ s/\.datax$//;
     push @suites, $base if -x $base;
     push @suites, "$base.exe" if -e "$base.exe";
 }

From 2dbfedae4a269c72438f6fff8e5cf6974e37c1ea Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Tue, 15 Nov 2022 10:52:57 +0000
Subject: [PATCH 108/159] Update early data test cases with latest code message

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 tests/scripts/all.sh |  3 +--
 tests/ssl-opt.sh     | 61 +++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 59 insertions(+), 5 deletions(-)

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 32e920d22..4b6a4cbb9 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -3222,7 +3222,6 @@ component_build_armcc () {
 
 component_test_tls13_only () {
     msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3, without MBEDTLS_SSL_PROTO_TLS1_2"
-    scripts/config.py set MBEDTLS_SSL_EARLY_DATA
     make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
 
     msg "test: TLS 1.3 only, all key exchange modes enabled"
@@ -3255,6 +3254,7 @@ component_test_tls13_only_ephemeral () {
     msg "build: TLS 1.3 only from default, only ephemeral key exchange mode"
     scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
     scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+    scripts/config.py unset MBEDTLS_SSL_EARLY_DATA
     make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
 
     msg "test_suite_ssl: TLS 1.3 only, only ephemeral key exchange mode"
@@ -3302,7 +3302,6 @@ component_test_tls13_only_psk_all () {
 component_test_tls13_only_ephemeral_all () {
     msg "build: TLS 1.3 only from default, without PSK key exchange mode"
     scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
-    scripts/config.py set MBEDTLS_SSL_EARLY_DATA
     make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
 
     msg "test_suite_ssl: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes"
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 20c1b0f4d..5576320ff 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -13050,14 +13050,69 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
                              MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
                              MBEDTLS_SSL_EARLY_DATA
 run_test    "TLS 1.3 m->G: EarlyData: basic check, good" \
+            "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \
+            "$P_CLI debug_level=4 force_version=tls13 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \
+            1 \
+            -c "Reconnecting with saved session" \
+            -c "NewSessionTicket: early_data(42) extension received." \
+            -c "ClientHello: early_data(42) extension exists." \
+            -c "EncryptedExtensions: early_data(42) extension received." \
+            -c "EncryptedExtensions: early_data(42) extension ( ignored )." \
+            -s "Parsing extension 'Early Data/42' (0 bytes)" \
+            -s "Sending extension Early Data/42 (0 bytes)" \
+            -s "early data accepted"
+
+requires_gnutls_tls1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
+                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+                             MBEDTLS_SSL_EARLY_DATA
+run_test    "TLS 1.3 m->G: EarlyData: hybrid check, good" \
             "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \
             "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \
             1 \
-            -c "client hello, adding early_data extension" \
             -c "Reconnecting with saved session" \
-            -c "EncryptedExtensions: early_data(42) extension is unsupported" \
+            -c "NewSessionTicket: early_data(42) extension received." \
+            -c "ClientHello: early_data(42) extension exists." \
+            -c "EncryptedExtensions: early_data(42) extension received." \
+            -c "EncryptedExtensions: early_data(42) extension ( ignored )." \
             -s "Parsing extension 'Early Data/42' (0 bytes)" \
-            -s "Sending extension Early Data/42 (0 bytes)"
+            -s "Sending extension Early Data/42 (0 bytes)" \
+            -s "early data accepted"
+
+requires_gnutls_tls1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
+                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+                             MBEDTLS_SSL_EARLY_DATA
+run_test    "TLS 1.3 m->G: EarlyData: negative check, fail" \
+            "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --disable-client-cert" \
+            "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \
+            0 \
+            -c "Reconnecting with saved session" \
+            -C "NewSessionTicket: early_data(42) extension received." \
+            -c "ClientHello: early_data(42) extension does not exist." \
+            -C "EncryptedExtensions: early_data(42) extension received." \
+            -C "EncryptedExtensions: early_data(42) extension ( ignored )."
+
+#TODO openssl compatible mode can't work currently, it will need external psk.
+skip_next_test
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_SSL_EARLY_DATA
+run_test    "TLS 1.3, ext PSK, early data" \
+            "$O_NEXT_SRV_EARLY_DATA -msg -debug -tls1_3 -psk_identity 0a0b0c -psk 010203 -allow_no_dhe_kex -nocert" \
+            "$P_CLI debug_level=5 force_version=tls13 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \
+             1 \
+            -c "Reconnecting with saved session" \
+            -c "NewSessionTicket: early_data(42) extension received." \
+            -c "ClientHello: early_data(42) extension exists." \
+            -c "EncryptedExtensions: early_data(42) extension received." \
+            -c "EncryptedExtensions: early_data(42) extension ( ignored )."
 
 # Test heap memory usage after handshake
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2

From f3cefb4f4cf3b0720a6f56fe70371ba6889aefac Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Wed, 16 Nov 2022 03:23:46 +0000
Subject: [PATCH 109/159] Move early data test cases to tls13-misc.sh

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 tests/opt-testcases/tls13-misc.sh | 72 +++++++++++++++++++++++++++++++
 tests/ssl-opt.sh                  | 72 -------------------------------
 2 files changed, 72 insertions(+), 72 deletions(-)

diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh
index 4ad6faa48..cc650c1e1 100755
--- a/tests/opt-testcases/tls13-misc.sh
+++ b/tests/opt-testcases/tls13-misc.sh
@@ -282,3 +282,75 @@ run_test    "TLS 1.3: G->m: PSK: configured ephemeral only, good." \
             0 \
             -s "key exchange mode: ephemeral$"
 
+requires_gnutls_tls1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
+                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+                             MBEDTLS_SSL_EARLY_DATA
+run_test    "TLS 1.3 m->G: EarlyData: basic check, good" \
+            "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \
+            "$P_CLI debug_level=4 force_version=tls13 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \
+            1 \
+            -c "Reconnecting with saved session" \
+            -c "NewSessionTicket: early_data(42) extension received." \
+            -c "ClientHello: early_data(42) extension exists." \
+            -c "EncryptedExtensions: early_data(42) extension received." \
+            -c "EncryptedExtensions: early_data(42) extension ( ignored )." \
+            -s "Parsing extension 'Early Data/42' (0 bytes)" \
+            -s "Sending extension Early Data/42 (0 bytes)" \
+            -s "early data accepted"
+
+requires_gnutls_tls1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
+                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+                             MBEDTLS_SSL_EARLY_DATA
+run_test    "TLS 1.3 m->G: EarlyData: hybrid check, good" \
+            "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \
+            "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \
+            1 \
+            -c "Reconnecting with saved session" \
+            -c "NewSessionTicket: early_data(42) extension received." \
+            -c "ClientHello: early_data(42) extension exists." \
+            -c "EncryptedExtensions: early_data(42) extension received." \
+            -c "EncryptedExtensions: early_data(42) extension ( ignored )." \
+            -s "Parsing extension 'Early Data/42' (0 bytes)" \
+            -s "Sending extension Early Data/42 (0 bytes)" \
+            -s "early data accepted"
+
+requires_gnutls_tls1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
+                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+                             MBEDTLS_SSL_EARLY_DATA
+run_test    "TLS 1.3 m->G: EarlyData: negative check, fail" \
+            "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --disable-client-cert" \
+            "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \
+            0 \
+            -c "Reconnecting with saved session" \
+            -C "NewSessionTicket: early_data(42) extension received." \
+            -c "ClientHello: early_data(42) extension does not exist." \
+            -C "EncryptedExtensions: early_data(42) extension received." \
+            -C "EncryptedExtensions: early_data(42) extension ( ignored )."
+
+#TODO openssl compatible mode can't work currently, it will need external psk.
+skip_next_test
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_SSL_EARLY_DATA
+run_test    "TLS 1.3, ext PSK, early data" \
+            "$O_NEXT_SRV_EARLY_DATA -msg -debug -tls1_3 -psk_identity 0a0b0c -psk 010203 -allow_no_dhe_kex -nocert" \
+            "$P_CLI debug_level=5 force_version=tls13 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \
+             1 \
+            -c "Reconnecting with saved session" \
+            -c "NewSessionTicket: early_data(42) extension received." \
+            -c "ClientHello: early_data(42) extension exists." \
+            -c "EncryptedExtensions: early_data(42) extension received." \
+            -c "EncryptedExtensions: early_data(42) extension ( ignored )."
+
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 5576320ff..fdbb31050 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -13042,78 +13042,6 @@ run_test    "TLS 1.3: NewSessionTicket: servername negative check, m->m" \
             -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \
             -s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH"
 
-requires_gnutls_tls1_3
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
-                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
-                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
-                             MBEDTLS_SSL_EARLY_DATA
-run_test    "TLS 1.3 m->G: EarlyData: basic check, good" \
-            "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \
-            "$P_CLI debug_level=4 force_version=tls13 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \
-            1 \
-            -c "Reconnecting with saved session" \
-            -c "NewSessionTicket: early_data(42) extension received." \
-            -c "ClientHello: early_data(42) extension exists." \
-            -c "EncryptedExtensions: early_data(42) extension received." \
-            -c "EncryptedExtensions: early_data(42) extension ( ignored )." \
-            -s "Parsing extension 'Early Data/42' (0 bytes)" \
-            -s "Sending extension Early Data/42 (0 bytes)" \
-            -s "early data accepted"
-
-requires_gnutls_tls1_3
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
-                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
-                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
-                             MBEDTLS_SSL_EARLY_DATA
-run_test    "TLS 1.3 m->G: EarlyData: hybrid check, good" \
-            "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \
-            "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \
-            1 \
-            -c "Reconnecting with saved session" \
-            -c "NewSessionTicket: early_data(42) extension received." \
-            -c "ClientHello: early_data(42) extension exists." \
-            -c "EncryptedExtensions: early_data(42) extension received." \
-            -c "EncryptedExtensions: early_data(42) extension ( ignored )." \
-            -s "Parsing extension 'Early Data/42' (0 bytes)" \
-            -s "Sending extension Early Data/42 (0 bytes)" \
-            -s "early data accepted"
-
-requires_gnutls_tls1_3
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
-                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
-                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
-                             MBEDTLS_SSL_EARLY_DATA
-run_test    "TLS 1.3 m->G: EarlyData: negative check, fail" \
-            "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --disable-client-cert" \
-            "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \
-            0 \
-            -c "Reconnecting with saved session" \
-            -C "NewSessionTicket: early_data(42) extension received." \
-            -c "ClientHello: early_data(42) extension does not exist." \
-            -C "EncryptedExtensions: early_data(42) extension received." \
-            -C "EncryptedExtensions: early_data(42) extension ( ignored )."
-
-#TODO openssl compatible mode can't work currently, it will need external psk.
-skip_next_test
-requires_config_enabled MBEDTLS_SSL_SRV_C
-requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_SSL_EARLY_DATA
-run_test    "TLS 1.3, ext PSK, early data" \
-            "$O_NEXT_SRV_EARLY_DATA -msg -debug -tls1_3 -psk_identity 0a0b0c -psk 010203 -allow_no_dhe_kex -nocert" \
-            "$P_CLI debug_level=5 force_version=tls13 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \
-             1 \
-            -c "Reconnecting with saved session" \
-            -c "NewSessionTicket: early_data(42) extension received." \
-            -c "ClientHello: early_data(42) extension exists." \
-            -c "EncryptedExtensions: early_data(42) extension received." \
-            -c "EncryptedExtensions: early_data(42) extension ( ignored )."
-
 # Test heap memory usage after handshake
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_MEMORY_DEBUG

From 51c5a8b561f4e509ed69ea3761c89248410146a9 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Wed, 16 Nov 2022 08:32:51 +0000
Subject: [PATCH 110/159] Update ticket flag macros

Define the ALLOW_PSK_RESUMPTION and ALLOW_PSK_EPHEMERAL_RESUMPTION
to the key exchange mode EXCHANGE_MODE_PSK and
EXCHANGE_MODE_PSK_EPHEMERAL to facilate later check.
Since they are 1( 1u<<0 ) and 4( 1u<<2 ), so define
ALLOW_EARLY_DATA to 8( 1u<<3 ).

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 include/mbedtls/ssl.h | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 6829fd7b6..d0558511a 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -810,19 +810,20 @@ typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item;
 #endif
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
-
 typedef uint8_t mbedtls_ssl_tls13_ticket_flags;
-#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION \
-    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK /* 1U << 0 */
-#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION \
-    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL /* 1U << 2 */
-#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA ( 1U << 3 )
 
-#define MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK                               \
-            ( MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION             | \
-              MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION   | \
+#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION                          \
+            MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK                /* 1U << 0 */
+#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION                \
+            MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL      /* 1U << 2 */
+#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA                  ( 1U << 3 )
+
+#define MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK                                    \
+            ( MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION             |      \
+              MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION   |      \
               MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA )
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
+
 /**
  * \brief          Callback type: server-side session cache getter
  *

From 0cc4320e16fc58dfab6dbe277e4115032b9c0220 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Wed, 16 Nov 2022 08:43:50 +0000
Subject: [PATCH 111/159] Add EARLY_DATA guard to the early data extension in
 session ticket

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 library/ssl_tls13_client.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index d276a9566..0372f2d98 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -2541,6 +2541,7 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
 
         switch( extension_type )
         {
+#if defined(MBEDTLS_SSL_EARLY_DATA)
             case MBEDTLS_TLS_EXT_EARLY_DATA:
                 if( extension_data_len != 4 )
                 {
@@ -2555,6 +2556,7 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
                             MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA;
                 }
                 break;
+#endif /* MBEDTLS_SSL_EARLY_DATA */
 
             default:
                 MBEDTLS_SSL_PRINT_EXT(

From e7bab00825c42bb39ed63d42a98c306cb9869edd Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Wed, 16 Nov 2022 08:51:01 +0000
Subject: [PATCH 112/159] Update enabled guards for early data cases

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 tests/opt-testcases/tls13-misc.sh | 22 +++++++++++++++-------
 tests/scripts/all.sh              |  1 -
 2 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh
index cc650c1e1..8b9d5750f 100755
--- a/tests/opt-testcases/tls13-misc.sh
+++ b/tests/opt-testcases/tls13-misc.sh
@@ -287,8 +287,9 @@ requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
                              MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
-                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
                              MBEDTLS_SSL_EARLY_DATA
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
 run_test    "TLS 1.3 m->G: EarlyData: basic check, good" \
             "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \
             "$P_CLI debug_level=4 force_version=tls13 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \
@@ -307,8 +308,9 @@ requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
                              MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
-                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
                              MBEDTLS_SSL_EARLY_DATA
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
 run_test    "TLS 1.3 m->G: EarlyData: hybrid check, good" \
             "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \
             "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \
@@ -327,9 +329,10 @@ requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
                              MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
-                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
                              MBEDTLS_SSL_EARLY_DATA
-run_test    "TLS 1.3 m->G: EarlyData: negative check, fail" \
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+run_test    "TLS 1.3 m->G: EarlyData: no early_data in NewSessionTicket, good." \
             "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --disable-client-cert" \
             "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \
             0 \
@@ -339,11 +342,16 @@ run_test    "TLS 1.3 m->G: EarlyData: negative check, fail" \
             -C "EncryptedExtensions: early_data(42) extension received." \
             -C "EncryptedExtensions: early_data(42) extension ( ignored )."
 
-#TODO openssl compatible mode can't work currently, it will need external psk.
+#TODO: OpenSSL tests don't work now. It might be openssl options issue, cause GnuTLS has worked.
 skip_next_test
-requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_config_enabled MBEDTLS_SSL_EARLY_DATA
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
+                             MBEDTLS_SSL_EARLY_DATA
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
 run_test    "TLS 1.3, ext PSK, early data" \
             "$O_NEXT_SRV_EARLY_DATA -msg -debug -tls1_3 -psk_identity 0a0b0c -psk 010203 -allow_no_dhe_kex -nocert" \
             "$P_CLI debug_level=5 force_version=tls13 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 4b6a4cbb9..245324a5f 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2105,7 +2105,6 @@ component_test_psa_crypto_config_accel_hash_use_psa () {
     scripts/config.py unset MBEDTLS_HKDF_C # has independent PSA implementation
     scripts/config.py unset MBEDTLS_HMAC_DRBG_C
     scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC
-    scripts/config.py unset MBEDTLS_SSL_EARLY_DATA
     scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
 
     loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"

From f3be7ccadebd605ad23c4b46bfce1aa2af02666a Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Wed, 16 Nov 2022 12:53:20 +0100
Subject: [PATCH 113/159] Keep drivers enabled also in reference build

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 tests/scripts/all.sh | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 9fba034cd..c76a94fcf 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2046,11 +2046,10 @@ config_psa_crypto_hash_use_psa () {
     DRIVER_ONLY="$1"
     # start with config full for maximum coverage (also enables USE_PSA)
     scripts/config.py full
-    # enable support for configuring PSA-only algorithms
+    # enable support for drivers and configuring PSA-only algorithms
     scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
+    scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
     if [ "$DRIVER_ONLY" -eq 1 ]; then
-        # enable support for drivers
-        scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
         # disable the built-in implementation of hashes
         scripts/config.py unset MBEDTLS_MD5_C
         scripts/config.py unset MBEDTLS_RIPEMD160_C

From 52d8e96ff6f729c9f64222c56f1088458f023dce Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Wed, 16 Nov 2022 12:55:27 +0100
Subject: [PATCH 114/159] Disable PSA_WANT_ALG_STREAM_CIPHER,
 PSA_WANT_ALG_ECB_NO_PADDING also in reference config

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 tests/scripts/all.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index c76a94fcf..22c3f760e 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2115,7 +2115,7 @@ component_test_psa_crypto_config_accel_hash_use_psa () {
     tests/ssl-opt.sh
 
     msg "test: compat.sh, MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"
-    #tests/compat.sh
+    tests/compat.sh
 }
 
 # This component provides reference configuration for test_psa_crypto_config_accel_hash_use_psa
@@ -2125,6 +2125,9 @@ component_test_psa_crypto_config_accel_hash_use_psa () {
 component_test_psa_crypto_config_reference_hash_use_psa() {
     msg "test: MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"
 
+    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
+    scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
+
     config_psa_crypto_hash_use_psa 0
 
     make

From 6419ab5299a723684f7ada8d69f0e8046ecc7d26 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Wed, 16 Nov 2022 12:57:06 +0100
Subject: [PATCH 115/159] Reduce number of skipped suites (after making configs
 more similar)

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 tests/scripts/analyze_outcomes.py | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index ba38ec280..508933718 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -145,12 +145,6 @@ TASKS = {
             'component_driver': 'test_psa_crypto_config_accel_hash_use_psa',
             'ignored_suites': ['shax', 'mdx', # the software implementations that are being excluded
                                'md',  # the legacy abstraction layer that's being excluded
-                               'entropy', 'hmac_drbg', 'random', # temporary limitation
-                                                                 # (see RNG EPIC)
-                               'psa_crypto_init', # doesn't work with external RNG
-                               'hkdf', # legacy still depends on MD,
-                                       # but there's a PSA interface that doesn't
-                               'pkcs7' # recent addition, will be addressed later
                               ]}}
 }
 

From 7c7954842b6e287f95168a5dafdc00f0491e1675 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Tue, 15 Nov 2022 22:26:12 +0100
Subject: [PATCH 116/159] Adapt ec-jpake_setup test

Now when operation holds pointer to dynamically allocated buffer for password key we can't do copy of the operation object in test instead we need to re-initialize operation object after error.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 tests/suites/test_suite_psa_crypto.function | 54 ++++++++++++++++-----
 1 file changed, 41 insertions(+), 13 deletions(-)

diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 779f594dc..60befa73f 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -31,6 +31,29 @@
 #define ASSERT_OPERATION_IS_ACTIVE(   operation ) TEST_ASSERT( operation.id != 0 )
 #define ASSERT_OPERATION_IS_INACTIVE( operation ) TEST_ASSERT( operation.id == 0 )
 
+#if defined(PSA_WANT_ALG_JPAKE)
+void ecjpake_operation_setup( psa_pake_operation_t *operation,
+                              psa_pake_cipher_suite_t *cipher_suite,
+                              psa_pake_role_t role,
+                              mbedtls_svc_key_id_t key,
+                              size_t key_available )
+{
+    *operation = psa_pake_operation_init();
+
+    TEST_EQUAL( psa_pake_setup( operation, cipher_suite ),
+                PSA_SUCCESS );
+
+    TEST_EQUAL( psa_pake_set_role( operation, role),
+                PSA_SUCCESS );
+
+    if( key_available )
+        TEST_EQUAL( psa_pake_set_password_key( operation, key ),
+                    PSA_SUCCESS );
+exit:
+    return;
+}
+#endif
+
 /** An invalid export length that will never be set by psa_export_key(). */
 static const size_t INVALID_EXPORT_LENGTH = ~0U;
 
@@ -8740,7 +8763,6 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg,
 {
     psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
     psa_pake_operation_t operation = psa_pake_operation_init();
-    psa_pake_operation_t op_copy = psa_pake_operation_init();
     psa_algorithm_t alg = alg_arg;
     psa_pake_primitive_t primitive = primitive_arg;
     psa_key_type_t key_type_pw = key_type_pw_arg;
@@ -8839,22 +8861,25 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg,
     if( input_first )
     {
         /* Invalid parameters (input) */
-        op_copy = operation;
-        TEST_EQUAL( psa_pake_input( &op_copy, PSA_PAKE_STEP_ZK_PROOF,
+        TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF,
                                     NULL, 0 ),
                     PSA_ERROR_INVALID_ARGUMENT );
         /* Invalid parameters (step) */
-        op_copy = operation;
-        TEST_EQUAL( psa_pake_input( &op_copy, PSA_PAKE_STEP_ZK_PROOF + 10,
+        ecjpake_operation_setup( &operation, &cipher_suite, role,
+                                 key, pw_data->len );
+        TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF + 10,
                                     output_buffer, size_zk_proof ),
                     PSA_ERROR_INVALID_ARGUMENT );
         /* Invalid first step */
-        op_copy = operation;
-        TEST_EQUAL( psa_pake_input( &op_copy, PSA_PAKE_STEP_ZK_PROOF,
+        ecjpake_operation_setup( &operation, &cipher_suite, role,
+                                 key, pw_data->len );
+        TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF,
                                     output_buffer, size_zk_proof ),
                     PSA_ERROR_BAD_STATE );
 
         /* Possibly valid */
+        ecjpake_operation_setup( &operation, &cipher_suite, role,
+                                 key, pw_data->len );
         TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_KEY_SHARE,
                                     output_buffer, size_key_share ),
                     expected_status_input_output);
@@ -8875,22 +8900,25 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg,
     else
     {
         /* Invalid parameters (output) */
-        op_copy = operation;
-        TEST_EQUAL( psa_pake_output( &op_copy, PSA_PAKE_STEP_ZK_PROOF,
+        TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF,
                                      NULL, 0, NULL ),
                     PSA_ERROR_INVALID_ARGUMENT );
-        op_copy = operation;
         /* Invalid parameters (step) */
-        TEST_EQUAL( psa_pake_output( &op_copy, PSA_PAKE_STEP_ZK_PROOF + 10,
+        ecjpake_operation_setup( &operation, &cipher_suite, role,
+                                key, pw_data->len );
+        TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF + 10,
                                      output_buffer, buf_size, &output_len ),
                     PSA_ERROR_INVALID_ARGUMENT );
         /* Invalid first step */
-        op_copy = operation;
-        TEST_EQUAL( psa_pake_output( &op_copy, PSA_PAKE_STEP_ZK_PROOF,
+        ecjpake_operation_setup( &operation, &cipher_suite, role,
+                                 key, pw_data->len );
+        TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF,
                                      output_buffer, buf_size, &output_len ),
                     PSA_ERROR_BAD_STATE );
 
         /* Possibly valid */
+        ecjpake_operation_setup( &operation, &cipher_suite, role,
+                                 key, pw_data->len );
         TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_KEY_SHARE,
                                      output_buffer, buf_size, &output_len ),
                     expected_status_input_output );

From 1def5becc285b9150b334d7626e98d413b29a026 Mon Sep 17 00:00:00 2001
From: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
Date: Wed, 16 Nov 2022 12:00:26 +0100
Subject: [PATCH 117/159] Add psa_get_and_lock_key_slot_with_policy to header
 file

Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
---
 library/psa_crypto_core.h | 8 ++++++++
 library/psa_crypto_pake.c | 5 -----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h
index 98638481c..37f8162de 100644
--- a/library/psa_crypto_core.h
+++ b/library/psa_crypto_core.h
@@ -183,6 +183,14 @@ static inline psa_key_slot_number_t psa_key_slot_get_slot_number(
 }
 #endif
 
+/** Get the description of a key given its identifier and policy constraints
+ *  and lock it.
+ */
+psa_status_t psa_get_and_lock_key_slot_with_policy( mbedtls_svc_key_id_t key,
+                                                    psa_key_slot_t **p_slot,
+                                                    psa_key_usage_t usage,
+                                                    psa_algorithm_t alg );
+
 /** Completely wipe a slot in memory, including its policy.
  *
  * Persistent storage is not affected.
diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c
index 1deb48875..224f922db 100644
--- a/library/psa_crypto_pake.c
+++ b/library/psa_crypto_pake.c
@@ -33,11 +33,6 @@
 #include <mbedtls/error.h>
 #include <string.h>
 
-extern psa_status_t psa_get_and_lock_key_slot_with_policy(
-    mbedtls_svc_key_id_t key,
-    psa_key_slot_t **p_slot,
-    psa_key_usage_t usage,
-    psa_algorithm_t alg );
 /*
  * State sequence:
  *

From 542d9323521434bb5b4533eec244e95f79e73eae Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Thu, 17 Nov 2022 09:43:34 +0100
Subject: [PATCH 118/159] Fix handling of default value for task argument

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 tests/scripts/analyze_outcomes.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 508933718..4ebd5f630 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -153,7 +153,7 @@ def main():
         parser = argparse.ArgumentParser(description=__doc__)
         parser.add_argument('outcomes', metavar='OUTCOMES.CSV',
                             help='Outcome file to analyze')
-        parser.add_argument('task', default='all',
+        parser.add_argument('task', default='all', nargs='?',
                             help='Analysis to be done. By default, run all tasks. '
                                  'With one or more TASK, run only those. '
                                  'TASK can be the name of a single task or '

From 8c0eb9744ce3a8bc9cf7bb5c0fec21ccfc6d8cc3 Mon Sep 17 00:00:00 2001
From: Tom Cosgrove <tom.cosgrove@arm.com>
Date: Thu, 17 Nov 2022 08:48:12 +0000
Subject: [PATCH 119/159] Must call mbedtls_mpi_mod_modulus_init() before
 anything else in tests

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
---
 tests/suites/test_suite_bignum_mod_raw.function | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function
index ff766b9dc..4adccce25 100644
--- a/tests/suites/test_suite_bignum_mod_raw.function
+++ b/tests/suites/test_suite_bignum_mod_raw.function
@@ -117,10 +117,12 @@ void mpi_mod_raw_cond_assign( char * input_X,
     mbedtls_mpi_uint *X = NULL;
     mbedtls_mpi_uint *Y = NULL;
     mbedtls_mpi_uint *buff_m = NULL;
-    mbedtls_mpi_mod_modulus m;
     size_t limbs_X;
     size_t limbs_Y;
 
+    mbedtls_mpi_mod_modulus m;
+    mbedtls_mpi_mod_modulus_init( &m );
+
     TEST_EQUAL( mbedtls_test_read_mpi_core( &X, &limbs_X, input_X ), 0 );
     TEST_EQUAL( mbedtls_test_read_mpi_core( &Y, &limbs_Y, input_Y ), 0 );
 
@@ -129,8 +131,6 @@ void mpi_mod_raw_cond_assign( char * input_X,
     size_t bytes = limbs * sizeof( mbedtls_mpi_uint );
     size_t copy_bytes = copy_limbs * sizeof( mbedtls_mpi_uint );
 
-    mbedtls_mpi_mod_modulus_init( &m );
-
     TEST_EQUAL( limbs_X, limbs_Y );
     TEST_ASSERT( copy_limbs <= limbs );
 
@@ -190,10 +190,12 @@ void mpi_mod_raw_cond_swap( char * input_X,
     mbedtls_mpi_uint *X = NULL;
     mbedtls_mpi_uint *Y = NULL;
     mbedtls_mpi_uint *buff_m = NULL;
-    mbedtls_mpi_mod_modulus m;
     size_t limbs_X;
     size_t limbs_Y;
 
+    mbedtls_mpi_mod_modulus m;
+    mbedtls_mpi_mod_modulus_init( &m );
+
     TEST_EQUAL( mbedtls_test_read_mpi_core( &tmp_X, &limbs_X, input_X ), 0 );
     TEST_EQUAL( mbedtls_test_read_mpi_core( &tmp_Y, &limbs_Y, input_Y ), 0 );
 
@@ -202,8 +204,6 @@ void mpi_mod_raw_cond_swap( char * input_X,
     size_t bytes = limbs * sizeof( mbedtls_mpi_uint );
     size_t copy_bytes = copy_limbs * sizeof( mbedtls_mpi_uint );
 
-    mbedtls_mpi_mod_modulus_init( &m );
-
     TEST_EQUAL( limbs_X, limbs_Y );
     TEST_ASSERT( copy_limbs <= limbs );
 

From e9622ac4bac64a2c0b5550b30be5b23f63fa7f60 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Thu, 17 Nov 2022 09:23:32 +0000
Subject: [PATCH 120/159] Remove the fore_tls13 option case from client side

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 tests/opt-testcases/tls13-misc.sh | 23 +----------------------
 1 file changed, 1 insertion(+), 22 deletions(-)

diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh
index 8b9d5750f..3e2fd0b20 100755
--- a/tests/opt-testcases/tls13-misc.sh
+++ b/tests/opt-testcases/tls13-misc.sh
@@ -291,27 +291,6 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
 requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
                              MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
 run_test    "TLS 1.3 m->G: EarlyData: basic check, good" \
-            "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \
-            "$P_CLI debug_level=4 force_version=tls13 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \
-            1 \
-            -c "Reconnecting with saved session" \
-            -c "NewSessionTicket: early_data(42) extension received." \
-            -c "ClientHello: early_data(42) extension exists." \
-            -c "EncryptedExtensions: early_data(42) extension received." \
-            -c "EncryptedExtensions: early_data(42) extension ( ignored )." \
-            -s "Parsing extension 'Early Data/42' (0 bytes)" \
-            -s "Sending extension Early Data/42 (0 bytes)" \
-            -s "early data accepted"
-
-requires_gnutls_tls1_3
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_CLI_C
-requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
-                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
-                             MBEDTLS_SSL_EARLY_DATA
-requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
-                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
-run_test    "TLS 1.3 m->G: EarlyData: hybrid check, good" \
             "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \
             "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \
             1 \
@@ -332,7 +311,7 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
                              MBEDTLS_SSL_EARLY_DATA
 requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
                              MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
-run_test    "TLS 1.3 m->G: EarlyData: no early_data in NewSessionTicket, good." \
+run_test    "TLS 1.3 m->G: EarlyData: no early_data in NewSessionTicket, good" \
             "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --disable-client-cert" \
             "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \
             0 \

From 85c54ea3613f44c0f8c4c52d265128dcf478aaf4 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Thu, 17 Nov 2022 11:50:23 +0100
Subject: [PATCH 121/159] Allow providing space sepatated tasks

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 tests/scripts/analyze_outcomes.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 4ebd5f630..bb4439653 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -9,6 +9,7 @@ less likely to be useful.
 import argparse
 import sys
 import traceback
+import re
 
 import check_test_cases
 
@@ -157,7 +158,7 @@ def main():
                             help='Analysis to be done. By default, run all tasks. '
                                  'With one or more TASK, run only those. '
                                  'TASK can be the name of a single task or '
-                                 'coma-separated list of tasks. ')
+                                 'comma/space-separated list of tasks. ')
         parser.add_argument('--list', action='store_true',
                             help='List all available tasks and exit.')
         options = parser.parse_args()
@@ -172,7 +173,7 @@ def main():
         if options.task == 'all':
             tasks = TASKS.keys()
         else:
-            tasks = options.task.split(',')
+            tasks = re.split(r'[, ]+', options.task)
 
             for task in tasks:
                 if task not in TASKS:

From 152ae07682a7c7630b03fc2337721b4b0a19df01 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Thu, 17 Nov 2022 13:24:36 +0100
Subject: [PATCH 122/159] Change password ec j-pake operation fields to more
 suitable

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 include/psa/crypto_extra.h |  4 ++--
 library/psa_crypto_pake.c  | 28 ++++++++++++++--------------
 2 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h
index d527e579b..33e2e77b9 100644
--- a/include/psa/crypto_extra.h
+++ b/include/psa/crypto_extra.h
@@ -1920,8 +1920,8 @@ struct psa_pake_operation_s
 #if defined(MBEDTLS_PSA_BUILTIN_PAKE)
     unsigned int MBEDTLS_PRIVATE(input_step);
     unsigned int MBEDTLS_PRIVATE(output_step);
-    uint8_t* MBEDTLS_PRIVATE(password_data);
-    size_t MBEDTLS_PRIVATE(password_bytes);
+    uint8_t* MBEDTLS_PRIVATE(password);
+    size_t MBEDTLS_PRIVATE(password_len);
     psa_pake_role_t MBEDTLS_PRIVATE(role);
     uint8_t MBEDTLS_PRIVATE(buffer[MBEDTLS_PSA_PAKE_BUFFER_SIZE]);
     size_t MBEDTLS_PRIVATE(buffer_length);
diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c
index 224f922db..b89954830 100644
--- a/library/psa_crypto_pake.c
+++ b/library/psa_crypto_pake.c
@@ -286,20 +286,20 @@ psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation,
     if( slot->key.data == NULL || slot->key.bytes == 0 )
         return( PSA_ERROR_INVALID_ARGUMENT );
 
-    if( operation->password_data != NULL )
+    if( operation->password != NULL )
     {
-        mbedtls_free( operation->password_data );
-        operation->password_bytes = 0;
+        mbedtls_free( operation->password );
+        operation->password_len = 0;
     }
 
-    operation->password_data = mbedtls_calloc( 1, slot->key.bytes );
-    if( operation->password_data == NULL )
+    operation->password = mbedtls_calloc( 1, slot->key.bytes );
+    if( operation->password == NULL )
     {
         status = psa_unlock_key_slot( slot );
         return( PSA_ERROR_INSUFFICIENT_MEMORY );
     }
-    memcpy( operation->password_data, slot->key.data, slot->key.bytes );
-    operation->password_bytes = slot->key.bytes;
+    memcpy( operation->password, slot->key.data, slot->key.bytes );
+    operation->password_len = slot->key.bytes;
 
     status = psa_unlock_key_slot( slot );
     if( status != PSA_SUCCESS )
@@ -387,8 +387,8 @@ static psa_status_t psa_pake_ecjpake_setup( psa_pake_operation_t *operation )
     else
         return( PSA_ERROR_BAD_STATE );
 
-    if (operation->password_data == NULL ||
-        operation->password_bytes == 0 )
+    if (operation->password == NULL ||
+        operation->password_len == 0 )
     {
         return( PSA_ERROR_BAD_STATE );
     }
@@ -397,8 +397,8 @@ static psa_status_t psa_pake_ecjpake_setup( psa_pake_operation_t *operation )
                                  role,
                                  MBEDTLS_MD_SHA256,
                                  MBEDTLS_ECP_DP_SECP256R1,
-                                 operation->password_data,
-                                 operation->password_bytes );
+                                 operation->password,
+                                 operation->password_len );
 
     if( ret != 0 )
         return( mbedtls_ecjpake_to_psa_error( ret ) );
@@ -864,9 +864,9 @@ psa_status_t psa_pake_abort(psa_pake_operation_t * operation)
     {
         operation->input_step = PSA_PAKE_STEP_INVALID;
         operation->output_step = PSA_PAKE_STEP_INVALID;
-        mbedtls_free( operation->password_data );
-        operation->password_data = NULL;
-        operation->password_bytes = 0;
+        mbedtls_free( operation->password );
+        operation->password = NULL;
+        operation->password_len = 0;
         operation->role = PSA_PAKE_ROLE_NONE;
         mbedtls_platform_zeroize( operation->buffer, MBEDTLS_PSA_PAKE_BUFFER_SIZE );
         operation->buffer_length = 0;

From 369ae0afc35079979d32b93ba824898a23e1f733 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Thu, 17 Nov 2022 14:14:31 +0100
Subject: [PATCH 123/159] Zeroize pake password buffer before free

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 library/psa_crypto_pake.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c
index b89954830..ef31af420 100644
--- a/library/psa_crypto_pake.c
+++ b/library/psa_crypto_pake.c
@@ -288,6 +288,7 @@ psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation,
 
     if( operation->password != NULL )
     {
+        mbedtls_platform_zeroize( operation->password, operation->password_len );
         mbedtls_free( operation->password );
         operation->password_len = 0;
     }
@@ -864,6 +865,7 @@ psa_status_t psa_pake_abort(psa_pake_operation_t * operation)
     {
         operation->input_step = PSA_PAKE_STEP_INVALID;
         operation->output_step = PSA_PAKE_STEP_INVALID;
+        mbedtls_platform_zeroize( operation->password, operation->password_len );
         mbedtls_free( operation->password );
         operation->password = NULL;
         operation->password_len = 0;

From 96a0fd951f8995b381ba31b104ce971b0c56007a Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Tue, 8 Nov 2022 17:09:56 +0000
Subject: [PATCH 124/159] Fix signature algorithms list entry getting
 overwritten by length.

Fix bug whereby the supported signature algorithm list sent by the
server in the certificate request would not leave enough space for the
length to be written, and thus the first element would get overwritten,
leaving two random bytes in the last entry.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 ChangeLog.d/fix-tls12server-sent-sigalgs.txt | 5 +++++
 library/ssl_tls12_server.c                   | 7 ++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 ChangeLog.d/fix-tls12server-sent-sigalgs.txt

diff --git a/ChangeLog.d/fix-tls12server-sent-sigalgs.txt b/ChangeLog.d/fix-tls12server-sent-sigalgs.txt
new file mode 100644
index 000000000..9abde2b52
--- /dev/null
+++ b/ChangeLog.d/fix-tls12server-sent-sigalgs.txt
@@ -0,0 +1,5 @@
+Bugfix
+    * Fix a bug whereby the the list of signature algorithms sent as part of the
+      TLS 1.2 server certificate request would get corrupted, meaning the first
+      algorithm would not get sent and an entry consisting of two random bytes
+      would be sent instead. Found by Serban Bejan and Dudek Sebastian.
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 71f703c7f..3dab2467c 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -2531,10 +2531,15 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
         if( ! mbedtls_ssl_sig_alg_is_supported( ssl, *sig_alg ) )
             continue;
 
-        MBEDTLS_PUT_UINT16_BE( *sig_alg, p, sa_len );
+        /* Write elements at offsets starting from 1 (offset 0 is for the
+         * length). Thus the offset of each element is the length of the
+         * partial list including that element. */
         sa_len += 2;
+        MBEDTLS_PUT_UINT16_BE( *sig_alg, p, sa_len );
+
     }
 
+    /* Fill in list length. */
     MBEDTLS_PUT_UINT16_BE( sa_len, p, 0 );
     sa_len += 2;
     p += sa_len;

From ec71b0937f74a84a781f955ecb10ca89ba1577b2 Mon Sep 17 00:00:00 2001
From: Andrzej Kurek <andrzej.kurek@arm.com>
Date: Tue, 15 Nov 2022 10:21:50 -0500
Subject: [PATCH 125/159] Introduce a test for single signature algorithm
 correctness

The value of the first sent signature algorithm is overwritten.
This test forces only a single algorithm to be sent and then
validates that the client received such algorithm.
04 03 is the expected value for SECP256R1_SHA256.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
---
 library/ssl_tls12_client.c |  2 +-
 tests/ssl-opt.sh           | 29 +++++++++++++++++++++--------
 2 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index 1c53a0990..21b3ba621 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -2654,7 +2654,7 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
     for( size_t i = 0; i < sig_alg_len; i += 2 )
     {
         MBEDTLS_SSL_DEBUG_MSG( 3,
-            ( "Supported Signature Algorithm found: %d,%d",
+            ( "Supported Signature Algorithm found: %02x %02x",
               sig_alg[i], sig_alg[i + 1]  ) );
     }
 #endif
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index fc892a18b..c5d0d9ada 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -2371,6 +2371,19 @@ run_test    "Unique IV in GCM" \
             -u "IV used" \
             -U "IV used"
 
+# Test for correctness of sent single supported algorithm
+requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_hash_alg SHA_256
+run_test    "Single supported algorithm sending" \
+            "$P_SRV sig_algs=ecdsa_secp256r1_sha256 auth_mode=required" \
+            "$P_CLI sig_algs=ecdsa_secp256r1_sha256 debug_level=3" \
+            0 \
+            -c "Supported Signature Algorithm found: 04 03"
+
 # Tests for certificate verification callback
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test    "Configuration-specific CRT verification callback" \
@@ -5274,8 +5287,8 @@ run_test    "Authentication: client SHA256, server required" \
              key_file=data_files/server6.key \
              force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
             0 \
-            -c "Supported Signature Algorithm found: 4," \
-            -c "Supported Signature Algorithm found: 5,"
+            -c "Supported Signature Algorithm found: 04 " \
+            -c "Supported Signature Algorithm found: 05 "
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
@@ -5285,8 +5298,8 @@ run_test    "Authentication: client SHA384, server required" \
              key_file=data_files/server6.key \
              force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
             0 \
-            -c "Supported Signature Algorithm found: 4," \
-            -c "Supported Signature Algorithm found: 5,"
+            -c "Supported Signature Algorithm found: 04 " \
+            -c "Supported Signature Algorithm found: 05 "
 
 requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
 run_test    "Authentication: client has no cert, server required (TLS)" \
@@ -5687,8 +5700,8 @@ run_test    "Authentication, CA callback: client SHA256, server required" \
              force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
             0 \
             -s "use CA callback for X.509 CRT verification" \
-            -c "Supported Signature Algorithm found: 4," \
-            -c "Supported Signature Algorithm found: 5,"
+            -c "Supported Signature Algorithm found: 04 " \
+            -c "Supported Signature Algorithm found: 05 "
 
 requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
@@ -5700,8 +5713,8 @@ run_test    "Authentication, CA callback: client SHA384, server required" \
              force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
             0 \
             -s "use CA callback for X.509 CRT verification" \
-            -c "Supported Signature Algorithm found: 4," \
-            -c "Supported Signature Algorithm found: 5,"
+            -c "Supported Signature Algorithm found: 04 " \
+            -c "Supported Signature Algorithm found: 05 "
 
 requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2

From 3b4cedaa713427e609bebfa59538a77d5eac74ce Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Thu, 17 Nov 2022 12:47:10 +0000
Subject: [PATCH 126/159] Add SSL_SRV requirement to test

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 tests/ssl-opt.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index c5d0d9ada..41dd491f7 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -2376,6 +2376,7 @@ requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_ECDSA_C
 requires_hash_alg SHA_256
 run_test    "Single supported algorithm sending" \

From f6e342cae29c68c4e598962c3f9553aa7e1b92c2 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Thu, 17 Nov 2022 12:50:29 +0000
Subject: [PATCH 127/159]  Add test for single signature alg with openssl

Test supplied by Gilles Peskine. Also rename previous test to fit to
naming pattern.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 tests/ssl-opt.sh | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 41dd491f7..f2e3f0cc7 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -2379,12 +2379,23 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_ECDSA_C
 requires_hash_alg SHA_256
-run_test    "Single supported algorithm sending" \
+run_test    "Single supported algorithm sending: mbedtls client" \
             "$P_SRV sig_algs=ecdsa_secp256r1_sha256 auth_mode=required" \
             "$P_CLI sig_algs=ecdsa_secp256r1_sha256 debug_level=3" \
             0 \
             -c "Supported Signature Algorithm found: 04 03"
 
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
+requires_hash_alg SHA_256
+run_test    "Single supported algorithm sending: openssl client" \
+            "$P_SRV sig_algs=ecdsa_secp256r1_sha256 auth_mode=required" \
+            "$O_CLI -cert data_files/server6.crt \
+                    -key data_files/server6.key" \
+            0
+
 # Tests for certificate verification callback
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test    "Configuration-specific CRT verification callback" \

From 4e83173bb7b6770d99022d79ac2d3624c80b8c37 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian <xiaokang.qian@arm.com>
Date: Fri, 18 Nov 2022 10:57:46 +0000
Subject: [PATCH 128/159] Skip early data basic check temp

Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
---
 tests/opt-testcases/tls13-misc.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh
index 3e2fd0b20..edece456b 100755
--- a/tests/opt-testcases/tls13-misc.sh
+++ b/tests/opt-testcases/tls13-misc.sh
@@ -282,6 +282,9 @@ run_test    "TLS 1.3: G->m: PSK: configured ephemeral only, good." \
             0 \
             -s "key exchange mode: ephemeral$"
 
+# skip the basic check now cause it will randomly trigger the anti-replay protection in gnutls_server
+# Add it back once we fix the issue
+skip_next_test
 requires_gnutls_tls1_3
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C

From 0cd8967ba10a8f1d6a2b9be1e4f1a8289e8484ee Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Wed, 9 Nov 2022 12:14:14 +0000
Subject: [PATCH 129/159] Split test generator base class

The class BaseTarget served two purposes:
- track test cases and target files for generation
- provide an abstract base class for individual test groups

Splitting these allows decoupling these two and to have further common
superclasses across targets.

No intended change in generated test cases.

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 scripts/mbedtls_dev/bignum_common.py        |  5 ++--
 scripts/mbedtls_dev/bignum_core.py          | 14 +++++------
 scripts/mbedtls_dev/bignum_mod.py           |  6 ++---
 scripts/mbedtls_dev/bignum_mod_raw.py       |  4 +--
 scripts/mbedtls_dev/test_data_generation.py | 28 +++++++++++++--------
 tests/scripts/generate_bignum_tests.py      |  6 ++---
 6 files changed, 35 insertions(+), 28 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py
index 8b11bc283..ba30be40e 100644
--- a/scripts/mbedtls_dev/bignum_common.py
+++ b/scripts/mbedtls_dev/bignum_common.py
@@ -17,6 +17,8 @@
 from abc import abstractmethod
 from typing import Iterator, List, Tuple, TypeVar
 
+from . import test_data_generation
+
 T = TypeVar('T') #pylint: disable=invalid-name
 
 def invmod(a: int, n: int) -> int:
@@ -63,8 +65,7 @@ def combination_pairs(values: List[T]) -> List[Tuple[T, T]]:
     """Return all pair combinations from input values."""
     return [(x, y) for x in values for y in values]
 
-
-class OperationCommon:
+class OperationCommon(test_data_generation.BaseTest):
     """Common features for bignum binary operations.
 
     This adds functionality common in binary operation tests.
diff --git a/scripts/mbedtls_dev/bignum_core.py b/scripts/mbedtls_dev/bignum_core.py
index 0cc86b809..db9d1b7ca 100644
--- a/scripts/mbedtls_dev/bignum_core.py
+++ b/scripts/mbedtls_dev/bignum_core.py
@@ -16,20 +16,19 @@
 
 import random
 
-from abc import ABCMeta
 from typing import Dict, Iterator, List, Tuple
 
 from . import test_case
 from . import test_data_generation
 from . import bignum_common
 
-class BignumCoreTarget(test_data_generation.BaseTarget, metaclass=ABCMeta):
-    #pylint: disable=abstract-method
+class BignumCoreTarget(test_data_generation.BaseTarget):
+    #pylint: disable=abstract-method, too-few-public-methods
     """Target for bignum core test case generation."""
     target_basename = 'test_suite_bignum_core.generated'
 
 
-class BignumCoreShiftR(BignumCoreTarget, metaclass=ABCMeta):
+class BignumCoreShiftR(BignumCoreTarget, test_data_generation.BaseTest):
     """Test cases for mbedtls_bignum_core_shift_r()."""
     count = 0
     test_function = "mpi_core_shift_r"
@@ -69,7 +68,7 @@ class BignumCoreShiftR(BignumCoreTarget, metaclass=ABCMeta):
             for count in counts:
                 yield cls(input_hex, descr, count).create_test_case()
 
-class BignumCoreCTLookup(BignumCoreTarget, metaclass=ABCMeta):
+class BignumCoreCTLookup(BignumCoreTarget, test_data_generation.BaseTest):
     """Test cases for mbedtls_mpi_core_ct_uint_table_lookup()."""
     test_function = "mpi_core_ct_uint_table_lookup"
     test_name = "Constant time MPI table lookup"
@@ -107,7 +106,8 @@ class BignumCoreCTLookup(BignumCoreTarget, metaclass=ABCMeta):
                 yield (cls(bitsize, bitsize_description, window_size)
                        .create_test_case())
 
-class BignumCoreOperation(bignum_common.OperationCommon, BignumCoreTarget, metaclass=ABCMeta):
+class BignumCoreOperation(BignumCoreTarget, bignum_common.OperationCommon,
+                          metaclass=ABCMeta):
     #pylint: disable=abstract-method
     """Common features for bignum core operations."""
     input_values = [
@@ -297,7 +297,7 @@ class BignumCoreMLA(BignumCoreOperation):
                 yield cur_op.create_test_case()
 
 
-class BignumCoreMontmul(BignumCoreTarget):
+class BignumCoreMontmul(BignumCoreTarget, test_data_generation.BaseTest):
     """Test cases for Montgomery multiplication."""
     count = 0
     test_function = "mpi_core_montmul"
diff --git a/scripts/mbedtls_dev/bignum_mod.py b/scripts/mbedtls_dev/bignum_mod.py
index 2bd7fbbda..a604cc0c5 100644
--- a/scripts/mbedtls_dev/bignum_mod.py
+++ b/scripts/mbedtls_dev/bignum_mod.py
@@ -14,12 +14,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-from abc import ABCMeta
-
 from . import test_data_generation
 
-class BignumModTarget(test_data_generation.BaseTarget, metaclass=ABCMeta):
-    #pylint: disable=abstract-method
+class BignumModTarget(test_data_generation.BaseTarget):
+    #pylint: disable=abstract-method, too-few-public-methods
     """Target for bignum mod test case generation."""
     target_basename = 'test_suite_bignum_mod.generated'
 
diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py
index bd694a608..4f12d9a86 100644
--- a/scripts/mbedtls_dev/bignum_mod_raw.py
+++ b/scripts/mbedtls_dev/bignum_mod_raw.py
@@ -21,8 +21,8 @@ from . import test_case
 from . import test_data_generation
 from . import bignum_common
 
-class BignumModRawTarget(test_data_generation.BaseTarget, metaclass=ABCMeta):
-    #pylint: disable=abstract-method
+class BignumModRawTarget(test_data_generation.BaseTarget):
+    #pylint: disable=abstract-method, too-few-public-methods
     """Target for bignum mod_raw test case generation."""
     target_basename = 'test_suite_bignum_mod_raw.generated'
 
diff --git a/scripts/mbedtls_dev/test_data_generation.py b/scripts/mbedtls_dev/test_data_generation.py
index eec0f9d97..3d703eec7 100644
--- a/scripts/mbedtls_dev/test_data_generation.py
+++ b/scripts/mbedtls_dev/test_data_generation.py
@@ -25,6 +25,7 @@ import argparse
 import os
 import posixpath
 import re
+import inspect
 
 from abc import ABCMeta, abstractmethod
 from typing import Callable, Dict, Iterable, Iterator, List, Type, TypeVar
@@ -35,12 +36,8 @@ from . import test_case
 T = TypeVar('T') #pylint: disable=invalid-name
 
 
-class BaseTarget(metaclass=ABCMeta):
-    """Base target for test case generation.
-
-    Child classes of this class represent an output file, and can be referred
-    to as file targets. These indicate where test cases will be written to for
-    all subclasses of the file target, which is set by `target_basename`.
+class BaseTest(metaclass=ABCMeta):
+    """Base class for test case generation.
 
     Attributes:
         count: Counter for test cases from this class.
@@ -48,8 +45,6 @@ class BaseTarget(metaclass=ABCMeta):
             automatically generated using the class, or manually set.
         dependencies: A list of dependencies required for the test case.
         show_test_count: Toggle for inclusion of `count` in the test description.
-        target_basename: Basename of file to write generated tests to. This
-            should be specified in a child class of BaseTarget.
         test_function: Test function which the class generates cases for.
         test_name: A common name or description of the test function. This can
             be `test_function`, a clearer equivalent, or a short summary of the
@@ -59,7 +54,6 @@ class BaseTarget(metaclass=ABCMeta):
     case_description = ""
     dependencies = [] # type: List[str]
     show_test_count = True
-    target_basename = ""
     test_function = ""
     test_name = ""
 
@@ -121,6 +115,20 @@ class BaseTarget(metaclass=ABCMeta):
         """
         raise NotImplementedError
 
+
+class BaseTarget:
+    """Base target for test case generation.
+
+    Child classes of this class represent an output file, and can be referred
+    to as file targets. These indicate where test cases will be written to for
+    all subclasses of the file target, which is set by `target_basename`.
+
+    Attributes:
+        target_basename: Basename of file to write generated tests to. This
+            should be specified in a child class of BaseTarget.
+    """
+    target_basename = ""
+
     @classmethod
     def generate_tests(cls) -> Iterator[test_case.TestCase]:
         """Generate test cases for the class and its subclasses.
@@ -132,7 +140,7 @@ class BaseTarget(metaclass=ABCMeta):
         yield from `generate_tests()` in each. Calling this method on a class X
         will yield test cases from all classes derived from X.
         """
-        if cls.test_function:
+        if issubclass(cls, BaseTest) and not inspect.isabstract(cls):
             yield from cls.generate_function_tests()
         for subclass in sorted(cls.__subclasses__(), key=lambda c: c.__name__):
             yield from subclass.generate_tests()
diff --git a/tests/scripts/generate_bignum_tests.py b/tests/scripts/generate_bignum_tests.py
index eee2f657a..9e5db3a11 100755
--- a/tests/scripts/generate_bignum_tests.py
+++ b/tests/scripts/generate_bignum_tests.py
@@ -68,13 +68,13 @@ from mbedtls_dev import bignum_common
 # the framework
 from mbedtls_dev import bignum_core, bignum_mod_raw # pylint: disable=unused-import
 
-class BignumTarget(test_data_generation.BaseTarget, metaclass=ABCMeta):
-    #pylint: disable=abstract-method
+class BignumTarget(test_data_generation.BaseTarget):
     """Target for bignum (legacy) test case generation."""
     target_basename = 'test_suite_bignum.generated'
 
 
-class BignumOperation(bignum_common.OperationCommon, BignumTarget, metaclass=ABCMeta):
+class BignumOperation(bignum_common.OperationCommon, BignumTarget,
+                      metaclass=ABCMeta):
     #pylint: disable=abstract-method
     """Common features for bignum operations in legacy tests."""
     input_values = [

From 87df373e0e52949dbe394893ad768e563c2683a4 Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Wed, 9 Nov 2022 12:31:23 +0000
Subject: [PATCH 130/159] Bignum test: Move identical function to superclass

No intended change in generated test cases.

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 scripts/mbedtls_dev/bignum_common.py   | 6 ++++++
 scripts/mbedtls_dev/bignum_core.py     | 5 -----
 tests/scripts/generate_bignum_tests.py | 5 -----
 3 files changed, 6 insertions(+), 10 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py
index ba30be40e..02241141f 100644
--- a/scripts/mbedtls_dev/bignum_common.py
+++ b/scripts/mbedtls_dev/bignum_common.py
@@ -17,6 +17,7 @@
 from abc import abstractmethod
 from typing import Iterator, List, Tuple, TypeVar
 
+from . import test_case
 from . import test_data_generation
 
 T = TypeVar('T') #pylint: disable=invalid-name
@@ -122,6 +123,11 @@ class OperationCommon(test_data_generation.BaseTest):
             )
         yield from cls.input_cases
 
+    @classmethod
+    def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
+        for a_value, b_value in cls.get_value_pairs():
+            yield cls(a_value, b_value).create_test_case()
+
 # BEGIN MERGE SLOT 1
 
 # END MERGE SLOT 1
diff --git a/scripts/mbedtls_dev/bignum_core.py b/scripts/mbedtls_dev/bignum_core.py
index db9d1b7ca..a1c2e1bc6 100644
--- a/scripts/mbedtls_dev/bignum_core.py
+++ b/scripts/mbedtls_dev/bignum_core.py
@@ -144,11 +144,6 @@ class BignumCoreOperation(BignumCoreTarget, bignum_common.OperationCommon,
             )
         return super().description()
 
-    @classmethod
-    def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
-        for a_value, b_value in cls.get_value_pairs():
-            yield cls(a_value, b_value).create_test_case()
-
 
 class BignumCoreOperationArchSplit(BignumCoreOperation):
     #pylint: disable=abstract-method
diff --git a/tests/scripts/generate_bignum_tests.py b/tests/scripts/generate_bignum_tests.py
index 9e5db3a11..d923828ce 100755
--- a/tests/scripts/generate_bignum_tests.py
+++ b/tests/scripts/generate_bignum_tests.py
@@ -132,11 +132,6 @@ class BignumOperation(bignum_common.OperationCommon, BignumTarget,
             tmp = "large " + tmp
         return tmp
 
-    @classmethod
-    def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
-        for a_value, b_value in cls.get_value_pairs():
-            yield cls(a_value, b_value).create_test_case()
-
 
 class BignumCmp(BignumOperation):
     """Test cases for bignum value comparison."""

From 3aeb60add6038855fc63704947824a016a6e79fc Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Wed, 9 Nov 2022 13:24:46 +0000
Subject: [PATCH 131/159] Bignum test: move archsplit to superclass

We need arch split tests in different modules, moving it to the common
module makes it reusable.

No intended changes in the generated tests. (The position of the
core_add_if tests changed, but they are still all there.)

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 scripts/mbedtls_dev/bignum_common.py | 46 +++++++++++++++
 scripts/mbedtls_dev/bignum_core.py   | 88 +++++++++-------------------
 2 files changed, 73 insertions(+), 61 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py
index 02241141f..7ab788be0 100644
--- a/scripts/mbedtls_dev/bignum_common.py
+++ b/scripts/mbedtls_dev/bignum_common.py
@@ -97,6 +97,19 @@ class OperationCommon(test_data_generation.BaseTest):
             quote_str(self.arg_a), quote_str(self.arg_b)
         ] + self.result()
 
+    def description(self) -> str:
+        """Generate a description for the test case.
+
+        If not set, case_description uses the form A `symbol` B, where symbol
+        is used to represent the operation. Descriptions of each value are
+        generated to provide some context to the test case.
+        """
+        if not self.case_description:
+            self.case_description = "{:x} {} {:x}".format(
+                self.int_a, self.symbol, self.int_b
+            )
+        return super().description()
+
     @abstractmethod
     def result(self) -> List[str]:
         """Get the result of the operation.
@@ -128,6 +141,39 @@ class OperationCommon(test_data_generation.BaseTest):
         for a_value, b_value in cls.get_value_pairs():
             yield cls(a_value, b_value).create_test_case()
 
+
+class OperationCommonArchSplit(OperationCommon):
+    #pylint: disable=abstract-method
+    """Common features for operations where the result depends on
+    the limb size."""
+
+    def __init__(self, val_a: str, val_b: str, bits_in_limb: int) -> None:
+        super().__init__(val_a, val_b)
+        bound_val = max(self.int_a, self.int_b)
+        self.bits_in_limb = bits_in_limb
+        self.bound = bound_mpi(bound_val, self.bits_in_limb)
+        limbs = limbs_mpi(bound_val, self.bits_in_limb)
+        byte_len = limbs * self.bits_in_limb // 8
+        self.hex_digits = 2 * byte_len
+        if self.bits_in_limb == 32:
+            self.dependencies = ["MBEDTLS_HAVE_INT32"]
+        elif self.bits_in_limb == 64:
+            self.dependencies = ["MBEDTLS_HAVE_INT64"]
+        else:
+            raise ValueError("Invalid number of bits in limb!")
+        self.arg_a = self.arg_a.zfill(self.hex_digits)
+        self.arg_b = self.arg_b.zfill(self.hex_digits)
+
+    def pad_to_limbs(self, val) -> str:
+        return "{:x}".format(val).zfill(self.hex_digits)
+
+    @classmethod
+    def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
+        for a_value, b_value in cls.get_value_pairs():
+            yield cls(a_value, b_value, 32).create_test_case()
+            yield cls(a_value, b_value, 64).create_test_case()
+
+
 # BEGIN MERGE SLOT 1
 
 # END MERGE SLOT 1
diff --git a/scripts/mbedtls_dev/bignum_core.py b/scripts/mbedtls_dev/bignum_core.py
index a1c2e1bc6..591e53c20 100644
--- a/scripts/mbedtls_dev/bignum_core.py
+++ b/scripts/mbedtls_dev/bignum_core.py
@@ -106,75 +106,41 @@ class BignumCoreCTLookup(BignumCoreTarget, test_data_generation.BaseTest):
                 yield (cls(bitsize, bitsize_description, window_size)
                        .create_test_case())
 
-class BignumCoreOperation(BignumCoreTarget, bignum_common.OperationCommon,
-                          metaclass=ABCMeta):
+INPUT_VALUES = [
+    "0", "1", "3", "f", "fe", "ff", "100", "ff00", "fffe", "ffff", "10000",
+    "fffffffe", "ffffffff", "100000000", "1f7f7f7f7f7f7f",
+    "8000000000000000", "fefefefefefefefe", "fffffffffffffffe",
+    "ffffffffffffffff", "10000000000000000", "1234567890abcdef0",
+    "fffffffffffffffffefefefefefefefe", "fffffffffffffffffffffffffffffffe",
+    "ffffffffffffffffffffffffffffffff", "100000000000000000000000000000000",
+    "1234567890abcdef01234567890abcdef0",
+    "fffffffffffffffffffffffffffffffffffffffffffffffffefefefefefefefe",
+    "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe",
+    "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+    "10000000000000000000000000000000000000000000000000000000000000000",
+    "1234567890abcdef01234567890abcdef01234567890abcdef01234567890abcdef0",
+    (
+        "4df72d07b4b71c8dacb6cffa954f8d88254b6277099308baf003fab73227f34029"
+        "643b5a263f66e0d3c3fa297ef71755efd53b8fb6cb812c6bbf7bcf179298bd9947"
+        "c4c8b14324140a2c0f5fad7958a69050a987a6096e9f055fb38edf0c5889eca4a0"
+        "cfa99b45fbdeee4c696b328ddceae4723945901ec025076b12b"
+    )
+]
+
+
+class BignumCoreOperation(BignumCoreTarget, bignum_common.OperationCommon):
     #pylint: disable=abstract-method
     """Common features for bignum core operations."""
-    input_values = [
-        "0", "1", "3", "f", "fe", "ff", "100", "ff00", "fffe", "ffff", "10000",
-        "fffffffe", "ffffffff", "100000000", "1f7f7f7f7f7f7f",
-        "8000000000000000", "fefefefefefefefe", "fffffffffffffffe",
-        "ffffffffffffffff", "10000000000000000", "1234567890abcdef0",
-        "fffffffffffffffffefefefefefefefe", "fffffffffffffffffffffffffffffffe",
-        "ffffffffffffffffffffffffffffffff", "100000000000000000000000000000000",
-        "1234567890abcdef01234567890abcdef0",
-        "fffffffffffffffffffffffffffffffffffffffffffffffffefefefefefefefe",
-        "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe",
-        "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
-        "10000000000000000000000000000000000000000000000000000000000000000",
-        "1234567890abcdef01234567890abcdef01234567890abcdef01234567890abcdef0",
-        (
-            "4df72d07b4b71c8dacb6cffa954f8d88254b6277099308baf003fab73227f34029"
-            "643b5a263f66e0d3c3fa297ef71755efd53b8fb6cb812c6bbf7bcf179298bd9947"
-            "c4c8b14324140a2c0f5fad7958a69050a987a6096e9f055fb38edf0c5889eca4a0"
-            "cfa99b45fbdeee4c696b328ddceae4723945901ec025076b12b"
-        )
-    ]
-
-    def description(self) -> str:
-        """Generate a description for the test case.
-
-        If not set, case_description uses the form A `symbol` B, where symbol
-        is used to represent the operation. Descriptions of each value are
-        generated to provide some context to the test case.
-        """
-        if not self.case_description:
-            self.case_description = "{:x} {} {:x}".format(
-                self.int_a, self.symbol, self.int_b
-            )
-        return super().description()
+    input_values = INPUT_VALUES
 
 
-class BignumCoreOperationArchSplit(BignumCoreOperation):
+class BignumCoreOperationArchSplit(BignumCoreTarget,
+                                   bignum_common.OperationCommonArchSplit):
     #pylint: disable=abstract-method
     """Common features for bignum core operations where the result depends on
     the limb size."""
+    input_values = INPUT_VALUES
 
-    def __init__(self, val_a: str, val_b: str, bits_in_limb: int) -> None:
-        super().__init__(val_a, val_b)
-        bound_val = max(self.int_a, self.int_b)
-        self.bits_in_limb = bits_in_limb
-        self.bound = bignum_common.bound_mpi(bound_val, self.bits_in_limb)
-        limbs = bignum_common.limbs_mpi(bound_val, self.bits_in_limb)
-        byte_len = limbs * self.bits_in_limb // 8
-        self.hex_digits = 2 * byte_len
-        if self.bits_in_limb == 32:
-            self.dependencies = ["MBEDTLS_HAVE_INT32"]
-        elif self.bits_in_limb == 64:
-            self.dependencies = ["MBEDTLS_HAVE_INT64"]
-        else:
-            raise ValueError("Invalid number of bits in limb!")
-        self.arg_a = self.arg_a.zfill(self.hex_digits)
-        self.arg_b = self.arg_b.zfill(self.hex_digits)
-
-    def pad_to_limbs(self, val) -> str:
-        return "{:x}".format(val).zfill(self.hex_digits)
-
-    @classmethod
-    def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
-        for a_value, b_value in cls.get_value_pairs():
-            yield cls(a_value, b_value, 32).create_test_case()
-            yield cls(a_value, b_value, 64).create_test_case()
 
 class BignumCoreAddAndAddIf(BignumCoreOperationArchSplit):
     """Test cases for bignum core add and add-if."""

From 351e6885f55fd6354b57b51a5dbaadf3231aa7c8 Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Wed, 9 Nov 2022 16:04:41 +0000
Subject: [PATCH 132/159] Make pylint happy

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 scripts/mbedtls_dev/test_data_generation.py | 2 ++
 tests/scripts/generate_bignum_tests.py      | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/scripts/mbedtls_dev/test_data_generation.py b/scripts/mbedtls_dev/test_data_generation.py
index 3d703eec7..02aa51051 100644
--- a/scripts/mbedtls_dev/test_data_generation.py
+++ b/scripts/mbedtls_dev/test_data_generation.py
@@ -117,6 +117,7 @@ class BaseTest(metaclass=ABCMeta):
 
 
 class BaseTarget:
+    #pylint: disable=too-few-public-methods
     """Base target for test case generation.
 
     Child classes of this class represent an output file, and can be referred
@@ -141,6 +142,7 @@ class BaseTarget:
         will yield test cases from all classes derived from X.
         """
         if issubclass(cls, BaseTest) and not inspect.isabstract(cls):
+            #pylint: disable=no-member
             yield from cls.generate_function_tests()
         for subclass in sorted(cls.__subclasses__(), key=lambda c: c.__name__):
             yield from subclass.generate_tests()
diff --git a/tests/scripts/generate_bignum_tests.py b/tests/scripts/generate_bignum_tests.py
index d923828ce..89d0ac29e 100755
--- a/tests/scripts/generate_bignum_tests.py
+++ b/tests/scripts/generate_bignum_tests.py
@@ -57,7 +57,7 @@ of BaseTarget in test_data_generation.py.
 import sys
 
 from abc import ABCMeta
-from typing import Iterator, List
+from typing import List
 
 import scripts_path # pylint: disable=unused-import
 from mbedtls_dev import test_case
@@ -69,6 +69,7 @@ from mbedtls_dev import bignum_common
 from mbedtls_dev import bignum_core, bignum_mod_raw # pylint: disable=unused-import
 
 class BignumTarget(test_data_generation.BaseTarget):
+    #pylint: disable=too-few-public-methods
     """Target for bignum (legacy) test case generation."""
     target_basename = 'test_suite_bignum.generated'
 

From 5b1dbb4cbcdad4f3c37e40219c3f1a2398d7d87d Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Thu, 17 Nov 2022 13:32:43 +0000
Subject: [PATCH 133/159] Bignum Tests: Move ModOperation to common

The class BignumModRawOperation implements functionality that are needed
in other modules, therefore we move it to common.

No intended changes to test cases. The order of add_and_add_if and sub tests
have been switched.

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 scripts/mbedtls_dev/bignum_common.py  | 52 +++++++++++++++++++++++++
 scripts/mbedtls_dev/bignum_mod_raw.py | 55 +--------------------------
 2 files changed, 54 insertions(+), 53 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py
index 7ab788be0..28e27b039 100644
--- a/scripts/mbedtls_dev/bignum_common.py
+++ b/scripts/mbedtls_dev/bignum_common.py
@@ -142,6 +142,58 @@ class OperationCommon(test_data_generation.BaseTest):
             yield cls(a_value, b_value).create_test_case()
 
 
+class ModOperationCommon(OperationCommon):
+    #pylint: disable=abstract-method
+    """Target for bignum mod_raw test case generation."""
+
+    def __init__(self, val_n: str, val_a: str, val_b: str = "0", bits_in_limb: int = 64) -> None:
+        super().__init__(val_a=val_a, val_b=val_b)
+        self.val_n = val_n
+        self.bits_in_limb = bits_in_limb
+
+    @property
+    def int_n(self) -> int:
+        return hex_to_int(self.val_n)
+
+    @property
+    def boundary(self) -> int:
+        data_in = [self.int_a, self.int_b, self.int_n]
+        return max([n for n in data_in if n is not None])
+
+    @property
+    def limbs(self) -> int:
+        return limbs_mpi(self.boundary, self.bits_in_limb)
+
+    @property
+    def hex_digits(self) -> int:
+        return 2 * (self.limbs * self.bits_in_limb // 8)
+
+    @property
+    def hex_n(self) -> str:
+        return "{:x}".format(self.int_n).zfill(self.hex_digits)
+
+    @property
+    def hex_a(self) -> str:
+        return "{:x}".format(self.int_a).zfill(self.hex_digits)
+
+    @property
+    def hex_b(self) -> str:
+        return "{:x}".format(self.int_b).zfill(self.hex_digits)
+
+    @property
+    def r(self) -> int: # pylint: disable=invalid-name
+        l = limbs_mpi(self.int_n, self.bits_in_limb)
+        return bound_mpi_limbs(l, self.bits_in_limb)
+
+    @property
+    def r_inv(self) -> int:
+        return invmod(self.r, self.int_n)
+
+    @property
+    def r2(self) -> int: # pylint: disable=invalid-name
+        return pow(self.r, 2)
+
+
 class OperationCommonArchSplit(OperationCommon):
     #pylint: disable=abstract-method
     """Common features for operations where the result depends on
diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py
index 4f12d9a86..884e2ef4a 100644
--- a/scripts/mbedtls_dev/bignum_mod_raw.py
+++ b/scripts/mbedtls_dev/bignum_mod_raw.py
@@ -14,7 +14,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-from abc import ABCMeta
 from typing import Dict, Iterator, List
 
 from . import test_case
@@ -26,58 +25,8 @@ class BignumModRawTarget(test_data_generation.BaseTarget):
     """Target for bignum mod_raw test case generation."""
     target_basename = 'test_suite_bignum_mod_raw.generated'
 
-class BignumModRawOperation(bignum_common.OperationCommon, BignumModRawTarget, metaclass=ABCMeta):
-    #pylint: disable=abstract-method
-    """Target for bignum mod_raw test case generation."""
-
-    def __init__(self, val_n: str, val_a: str, val_b: str = "0", bits_in_limb: int = 64) -> None:
-        super().__init__(val_a=val_a, val_b=val_b)
-        self.val_n = val_n
-        self.bits_in_limb = bits_in_limb
-
-    @property
-    def int_n(self) -> int:
-        return bignum_common.hex_to_int(self.val_n)
-
-    @property
-    def boundary(self) -> int:
-        data_in = [self.int_a, self.int_b, self.int_n]
-        return max([n for n in data_in if n is not None])
-
-    @property
-    def limbs(self) -> int:
-        return bignum_common.limbs_mpi(self.boundary, self.bits_in_limb)
-
-    @property
-    def hex_digits(self) -> int:
-        return 2 * (self.limbs * self.bits_in_limb // 8)
-
-    @property
-    def hex_n(self) -> str:
-        return "{:x}".format(self.int_n).zfill(self.hex_digits)
-
-    @property
-    def hex_a(self) -> str:
-        return "{:x}".format(self.int_a).zfill(self.hex_digits)
-
-    @property
-    def hex_b(self) -> str:
-        return "{:x}".format(self.int_b).zfill(self.hex_digits)
-
-    @property
-    def r(self) -> int: # pylint: disable=invalid-name
-        l = bignum_common.limbs_mpi(self.int_n, self.bits_in_limb)
-        return bignum_common.bound_mpi_limbs(l, self.bits_in_limb)
-
-    @property
-    def r_inv(self) -> int:
-        return bignum_common.invmod(self.r, self.int_n)
-
-    @property
-    def r2(self) -> int: # pylint: disable=invalid-name
-        return pow(self.r, 2)
-
-class BignumModRawOperationArchSplit(BignumModRawOperation):
+class BignumModRawOperationArchSplit(bignum_common.ModOperationCommon,
+                                     BignumModRawTarget):
     #pylint: disable=abstract-method
     """Common features for bignum mod raw operations where the result depends on
     the limb size."""

From 948afcecb91caed178b85c6c285768ea604a82aa Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Thu, 17 Nov 2022 13:38:56 +0000
Subject: [PATCH 134/159] Bignum Tests: move ModOperationArchSplit to common

The class BignumModRawOperationArchSplit has functionality that are
needed in other modules, therefore moving it to bignum_common.

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 scripts/mbedtls_dev/bignum_common.py  | 22 ++++++++++++++++++++++
 scripts/mbedtls_dev/bignum_mod_raw.py | 24 ++----------------------
 2 files changed, 24 insertions(+), 22 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py
index 28e27b039..b853d1136 100644
--- a/scripts/mbedtls_dev/bignum_common.py
+++ b/scripts/mbedtls_dev/bignum_common.py
@@ -226,6 +226,28 @@ class OperationCommonArchSplit(OperationCommon):
             yield cls(a_value, b_value, 64).create_test_case()
 
 
+class ModOperationCommonArchSplit(ModOperationCommon):
+    #pylint: disable=abstract-method
+    """Common features for bignum mod raw operations where the result depends on
+    the limb size."""
+
+    limb_sizes = [32, 64] # type: List[int]
+
+    def __init__(self, val_n: str, val_a: str, val_b: str = "0", bits_in_limb: int = 64) -> None:
+        super().__init__(val_n=val_n, val_a=val_a, val_b=val_b, bits_in_limb=bits_in_limb)
+
+        if bits_in_limb not in self.limb_sizes:
+            raise ValueError("Invalid number of bits in limb!")
+
+        self.dependencies = ["MBEDTLS_HAVE_INT{:d}".format(bits_in_limb)]
+
+    @classmethod
+    def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
+        for a_value, b_value in cls.get_value_pairs():
+            for bil in cls.limb_sizes:
+                yield cls(a_value, b_value, bits_in_limb=bil).create_test_case()
+
+
 # BEGIN MERGE SLOT 1
 
 # END MERGE SLOT 1
diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py
index 884e2ef4a..58a93fc5d 100644
--- a/scripts/mbedtls_dev/bignum_mod_raw.py
+++ b/scripts/mbedtls_dev/bignum_mod_raw.py
@@ -25,27 +25,6 @@ class BignumModRawTarget(test_data_generation.BaseTarget):
     """Target for bignum mod_raw test case generation."""
     target_basename = 'test_suite_bignum_mod_raw.generated'
 
-class BignumModRawOperationArchSplit(bignum_common.ModOperationCommon,
-                                     BignumModRawTarget):
-    #pylint: disable=abstract-method
-    """Common features for bignum mod raw operations where the result depends on
-    the limb size."""
-
-    limb_sizes = [32, 64] # type: List[int]
-
-    def __init__(self, val_n: str, val_a: str, val_b: str = "0", bits_in_limb: int = 64) -> None:
-        super().__init__(val_n=val_n, val_a=val_a, val_b=val_b, bits_in_limb=bits_in_limb)
-
-        if bits_in_limb not in self.limb_sizes:
-            raise ValueError("Invalid number of bits in limb!")
-
-        self.dependencies = ["MBEDTLS_HAVE_INT{:d}".format(bits_in_limb)]
-
-    @classmethod
-    def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
-        for a_value, b_value in cls.get_value_pairs():
-            for bil in cls.limb_sizes:
-                yield cls(a_value, b_value, bits_in_limb=bil).create_test_case()
 # BEGIN MERGE SLOT 1
 
 # END MERGE SLOT 1
@@ -71,7 +50,8 @@ class BignumModRawOperationArchSplit(bignum_common.ModOperationCommon,
 # END MERGE SLOT 6
 
 # BEGIN MERGE SLOT 7
-class BignumModRawConvertToMont(BignumModRawOperationArchSplit):
+class BignumModRawConvertToMont(bignum_common.ModOperationCommonArchSplit,
+                                BignumModRawTarget):
     """ Test cases for mpi_mod_raw_to_mont_rep(). """
 
     test_function = "mpi_mod_raw_to_mont_rep"

From 155ad8c2971973b950c5c730a21fd9815f57fef7 Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Thu, 17 Nov 2022 14:42:40 +0000
Subject: [PATCH 135/159] Bignum Tests: remove ModOperationCommonArchSplit

The functionality of ModOperationCommonArchSplit is needed in several
subclasses, therefore moving it to a superclass.

There is another, redundant ArchSplit class, which will be removed in a
later commit.

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 scripts/mbedtls_dev/bignum_common.py  | 49 ++++++++++++---------------
 scripts/mbedtls_dev/bignum_mod_raw.py |  3 +-
 2 files changed, 24 insertions(+), 28 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py
index b853d1136..cbbbf9f67 100644
--- a/scripts/mbedtls_dev/bignum_common.py
+++ b/scripts/mbedtls_dev/bignum_common.py
@@ -80,17 +80,29 @@ class OperationCommon(test_data_generation.BaseTest):
         unique_combinations_only: Boolean to select if test case combinations
             must be unique. If True, only A,B or B,A would be included as a test
             case. If False, both A,B and B,A would be included.
+        arch_split: Boolean to select if different test cases are needed
+            depending on the architecture/limb size. This will cause test
+            objects being generated with different architectures. Individual
+            test objects can tell their architecture by accessing the
+            bits_in_limb instance variable.
     """
     symbol = ""
     input_values = [] # type: List[str]
     input_cases = [] # type: List[Tuple[str, str]]
     unique_combinations_only = True
+    arch_split = False
+    limb_sizes = [32, 64] # type: List[int]
 
-    def __init__(self, val_a: str, val_b: str) -> None:
+    def __init__(self, val_a: str, val_b: str, bits_in_limb: int = 64) -> None:
         self.arg_a = val_a
         self.arg_b = val_b
         self.int_a = hex_to_int(val_a)
         self.int_b = hex_to_int(val_b)
+        if bits_in_limb not in self.limb_sizes:
+            raise ValueError("Invalid number of bits in limb!")
+        if self.arch_split:
+            self.dependencies = ["MBEDTLS_HAVE_INT{:d}".format(bits_in_limb)]
+        self.bits_in_limb = bits_in_limb
 
     def arguments(self) -> List[str]:
         return [
@@ -139,17 +151,22 @@ class OperationCommon(test_data_generation.BaseTest):
     @classmethod
     def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
         for a_value, b_value in cls.get_value_pairs():
-            yield cls(a_value, b_value).create_test_case()
+            if cls.arch_split:
+                for bil in cls.limb_sizes:
+                    yield cls(a_value, b_value,
+                              bits_in_limb=bil).create_test_case()
+            else:
+                yield cls(a_value, b_value).create_test_case()
 
 
 class ModOperationCommon(OperationCommon):
     #pylint: disable=abstract-method
     """Target for bignum mod_raw test case generation."""
 
-    def __init__(self, val_n: str, val_a: str, val_b: str = "0", bits_in_limb: int = 64) -> None:
-        super().__init__(val_a=val_a, val_b=val_b)
+    def __init__(self, val_n: str, val_a: str, val_b: str = "0",
+                 bits_in_limb: int = 64) -> None:
+        super().__init__(val_a=val_a, val_b=val_b, bits_in_limb=bits_in_limb)
         self.val_n = val_n
-        self.bits_in_limb = bits_in_limb
 
     @property
     def int_n(self) -> int:
@@ -226,28 +243,6 @@ class OperationCommonArchSplit(OperationCommon):
             yield cls(a_value, b_value, 64).create_test_case()
 
 
-class ModOperationCommonArchSplit(ModOperationCommon):
-    #pylint: disable=abstract-method
-    """Common features for bignum mod raw operations where the result depends on
-    the limb size."""
-
-    limb_sizes = [32, 64] # type: List[int]
-
-    def __init__(self, val_n: str, val_a: str, val_b: str = "0", bits_in_limb: int = 64) -> None:
-        super().__init__(val_n=val_n, val_a=val_a, val_b=val_b, bits_in_limb=bits_in_limb)
-
-        if bits_in_limb not in self.limb_sizes:
-            raise ValueError("Invalid number of bits in limb!")
-
-        self.dependencies = ["MBEDTLS_HAVE_INT{:d}".format(bits_in_limb)]
-
-    @classmethod
-    def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
-        for a_value, b_value in cls.get_value_pairs():
-            for bil in cls.limb_sizes:
-                yield cls(a_value, b_value, bits_in_limb=bil).create_test_case()
-
-
 # BEGIN MERGE SLOT 1
 
 # END MERGE SLOT 1
diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py
index 58a93fc5d..f44acef73 100644
--- a/scripts/mbedtls_dev/bignum_mod_raw.py
+++ b/scripts/mbedtls_dev/bignum_mod_raw.py
@@ -50,12 +50,13 @@ class BignumModRawTarget(test_data_generation.BaseTarget):
 # END MERGE SLOT 6
 
 # BEGIN MERGE SLOT 7
-class BignumModRawConvertToMont(bignum_common.ModOperationCommonArchSplit,
+class BignumModRawConvertToMont(bignum_common.ModOperationCommon,
                                 BignumModRawTarget):
     """ Test cases for mpi_mod_raw_to_mont_rep(). """
 
     test_function = "mpi_mod_raw_to_mont_rep"
     test_name = "Convert into Mont: "
+    arch_split = True
 
     test_data_moduli = ["b",
                         "fd",

From b41ab926b2dc1808235099bbeed31159dbebc4c1 Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Thu, 17 Nov 2022 15:13:02 +0000
Subject: [PATCH 136/159] Bignum Tests: move properties to superclass

Move properties that are needed in several children to the superclass.

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 scripts/mbedtls_dev/bignum_common.py | 40 +++++++++++++++-------------
 1 file changed, 21 insertions(+), 19 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py
index cbbbf9f67..7d52749f8 100644
--- a/scripts/mbedtls_dev/bignum_common.py
+++ b/scripts/mbedtls_dev/bignum_common.py
@@ -104,6 +104,27 @@ class OperationCommon(test_data_generation.BaseTest):
             self.dependencies = ["MBEDTLS_HAVE_INT{:d}".format(bits_in_limb)]
         self.bits_in_limb = bits_in_limb
 
+    @property
+    def boundary(self) -> int:
+        data_in = [self.int_a, self.int_b]
+        return max([n for n in data_in if n is not None])
+
+    @property
+    def limbs(self) -> int:
+        return limbs_mpi(self.boundary, self.bits_in_limb)
+
+    @property
+    def hex_digits(self) -> int:
+        return 2 * (self.limbs * self.bits_in_limb // 8)
+
+    @property
+    def hex_a(self) -> str:
+        return "{:x}".format(self.int_a).zfill(self.hex_digits)
+
+    @property
+    def hex_b(self) -> str:
+        return "{:x}".format(self.int_b).zfill(self.hex_digits)
+
     def arguments(self) -> List[str]:
         return [
             quote_str(self.arg_a), quote_str(self.arg_b)
@@ -177,26 +198,10 @@ class ModOperationCommon(OperationCommon):
         data_in = [self.int_a, self.int_b, self.int_n]
         return max([n for n in data_in if n is not None])
 
-    @property
-    def limbs(self) -> int:
-        return limbs_mpi(self.boundary, self.bits_in_limb)
-
-    @property
-    def hex_digits(self) -> int:
-        return 2 * (self.limbs * self.bits_in_limb // 8)
-
     @property
     def hex_n(self) -> str:
         return "{:x}".format(self.int_n).zfill(self.hex_digits)
 
-    @property
-    def hex_a(self) -> str:
-        return "{:x}".format(self.int_a).zfill(self.hex_digits)
-
-    @property
-    def hex_b(self) -> str:
-        return "{:x}".format(self.int_b).zfill(self.hex_digits)
-
     @property
     def r(self) -> int: # pylint: disable=invalid-name
         l = limbs_mpi(self.int_n, self.bits_in_limb)
@@ -221,9 +226,6 @@ class OperationCommonArchSplit(OperationCommon):
         bound_val = max(self.int_a, self.int_b)
         self.bits_in_limb = bits_in_limb
         self.bound = bound_mpi(bound_val, self.bits_in_limb)
-        limbs = limbs_mpi(bound_val, self.bits_in_limb)
-        byte_len = limbs * self.bits_in_limb // 8
-        self.hex_digits = 2 * byte_len
         if self.bits_in_limb == 32:
             self.dependencies = ["MBEDTLS_HAVE_INT32"]
         elif self.bits_in_limb == 64:

From 6fa3f0653ae081ea43d5414624993d17f9b056dd Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Thu, 17 Nov 2022 20:33:51 +0000
Subject: [PATCH 137/159] Bignum Tests: remove OperationCommonArchSplit

The ArchSplit functionality was duplicated and moved to OperationCommon
from the other copy. The remnants of the functionality is moved to the
only subclass using this.

There is no semantic change to the generated tests. The order has
changed however: core_add tests have been moved before core_mla tests
and the order of the 64 and 32 bit versions have been swapped.

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 scripts/mbedtls_dev/bignum_common.py  | 52 ++++++++-------------------
 scripts/mbedtls_dev/bignum_core.py    | 24 +++++++------
 scripts/mbedtls_dev/bignum_mod_raw.py |  2 +-
 3 files changed, 29 insertions(+), 49 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py
index 7d52749f8..0784f845f 100644
--- a/scripts/mbedtls_dev/bignum_common.py
+++ b/scripts/mbedtls_dev/bignum_common.py
@@ -80,17 +80,18 @@ class OperationCommon(test_data_generation.BaseTest):
         unique_combinations_only: Boolean to select if test case combinations
             must be unique. If True, only A,B or B,A would be included as a test
             case. If False, both A,B and B,A would be included.
-        arch_split: Boolean to select if different test cases are needed
-            depending on the architecture/limb size. This will cause test
-            objects being generated with different architectures. Individual
-            test objects can tell their architecture by accessing the
-            bits_in_limb instance variable.
+        input_style: Controls the way how test data is passed to the functions
+            in the generated test cases. "variable" passes them as they are
+            defined in the python source. "arch_split" pads the values with
+            zeroes depending on the architecture/limb size. If this is set,
+            test cases are generated for all architectures.
     """
     symbol = ""
     input_values = [] # type: List[str]
     input_cases = [] # type: List[Tuple[str, str]]
     unique_combinations_only = True
-    arch_split = False
+    input_styles = ["variable", "arch_split"] # type: List[str]
+    input_style = "variable" # type: str
     limb_sizes = [32, 64] # type: List[int]
 
     def __init__(self, val_a: str, val_b: str, bits_in_limb: int = 64) -> None:
@@ -100,7 +101,7 @@ class OperationCommon(test_data_generation.BaseTest):
         self.int_b = hex_to_int(val_b)
         if bits_in_limb not in self.limb_sizes:
             raise ValueError("Invalid number of bits in limb!")
-        if self.arch_split:
+        if self.input_style == "arch_split":
             self.dependencies = ["MBEDTLS_HAVE_INT{:d}".format(bits_in_limb)]
         self.bits_in_limb = bits_in_limb
 
@@ -109,6 +110,10 @@ class OperationCommon(test_data_generation.BaseTest):
         data_in = [self.int_a, self.int_b]
         return max([n for n in data_in if n is not None])
 
+    @property
+    def limb_boundary(self) -> int:
+        return bound_mpi(self.boundary, self.bits_in_limb)
+
     @property
     def limbs(self) -> int:
         return limbs_mpi(self.boundary, self.bits_in_limb)
@@ -171,8 +176,10 @@ class OperationCommon(test_data_generation.BaseTest):
 
     @classmethod
     def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
+        if cls.input_style not in cls.input_styles:
+            raise ValueError("Unknown input style!")
         for a_value, b_value in cls.get_value_pairs():
-            if cls.arch_split:
+            if cls.input_style == "arch_split":
                 for bil in cls.limb_sizes:
                     yield cls(a_value, b_value,
                               bits_in_limb=bil).create_test_case()
@@ -216,35 +223,6 @@ class ModOperationCommon(OperationCommon):
         return pow(self.r, 2)
 
 
-class OperationCommonArchSplit(OperationCommon):
-    #pylint: disable=abstract-method
-    """Common features for operations where the result depends on
-    the limb size."""
-
-    def __init__(self, val_a: str, val_b: str, bits_in_limb: int) -> None:
-        super().__init__(val_a, val_b)
-        bound_val = max(self.int_a, self.int_b)
-        self.bits_in_limb = bits_in_limb
-        self.bound = bound_mpi(bound_val, self.bits_in_limb)
-        if self.bits_in_limb == 32:
-            self.dependencies = ["MBEDTLS_HAVE_INT32"]
-        elif self.bits_in_limb == 64:
-            self.dependencies = ["MBEDTLS_HAVE_INT64"]
-        else:
-            raise ValueError("Invalid number of bits in limb!")
-        self.arg_a = self.arg_a.zfill(self.hex_digits)
-        self.arg_b = self.arg_b.zfill(self.hex_digits)
-
-    def pad_to_limbs(self, val) -> str:
-        return "{:x}".format(val).zfill(self.hex_digits)
-
-    @classmethod
-    def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
-        for a_value, b_value in cls.get_value_pairs():
-            yield cls(a_value, b_value, 32).create_test_case()
-            yield cls(a_value, b_value, 64).create_test_case()
-
-
 # BEGIN MERGE SLOT 1
 
 # END MERGE SLOT 1
diff --git a/scripts/mbedtls_dev/bignum_core.py b/scripts/mbedtls_dev/bignum_core.py
index 591e53c20..749403705 100644
--- a/scripts/mbedtls_dev/bignum_core.py
+++ b/scripts/mbedtls_dev/bignum_core.py
@@ -106,6 +106,7 @@ class BignumCoreCTLookup(BignumCoreTarget, test_data_generation.BaseTest):
                 yield (cls(bitsize, bitsize_description, window_size)
                        .create_test_case())
 
+
 INPUT_VALUES = [
     "0", "1", "3", "f", "fe", "ff", "100", "ff00", "fffe", "ffff", "10000",
     "fffffffe", "ffffffff", "100000000", "1f7f7f7f7f7f7f",
@@ -127,38 +128,39 @@ INPUT_VALUES = [
     )
 ]
 
-
 class BignumCoreOperation(BignumCoreTarget, bignum_common.OperationCommon):
     #pylint: disable=abstract-method
     """Common features for bignum core operations."""
     input_values = INPUT_VALUES
 
 
-class BignumCoreOperationArchSplit(BignumCoreTarget,
-                                   bignum_common.OperationCommonArchSplit):
-    #pylint: disable=abstract-method
-    """Common features for bignum core operations where the result depends on
-    the limb size."""
-    input_values = INPUT_VALUES
-
-
-class BignumCoreAddAndAddIf(BignumCoreOperationArchSplit):
+class BignumCoreAddAndAddIf(BignumCoreOperation):
     """Test cases for bignum core add and add-if."""
     count = 0
     symbol = "+"
     test_function = "mpi_core_add_and_add_if"
     test_name = "mpi_core_add_and_add_if"
+    input_style = "arch_split"
+
+    def __init__(self, val_a: str, val_b: str, bits_in_limb: int) -> None:
+        super().__init__(val_a, val_b)
+        self.arg_a = self.arg_a.zfill(self.hex_digits)
+        self.arg_b = self.arg_b.zfill(self.hex_digits)
+
+    def pad_to_limbs(self, val) -> str:
+        return "{:x}".format(val).zfill(self.hex_digits)
 
     def result(self) -> List[str]:
         result = self.int_a + self.int_b
 
-        carry, result = divmod(result, self.bound)
+        carry, result = divmod(result, self.limb_boundary)
 
         return [
             bignum_common.quote_str(self.pad_to_limbs(result)),
             str(carry)
         ]
 
+
 class BignumCoreSub(BignumCoreOperation):
     """Test cases for bignum core sub."""
     count = 0
diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py
index f44acef73..b330c493d 100644
--- a/scripts/mbedtls_dev/bignum_mod_raw.py
+++ b/scripts/mbedtls_dev/bignum_mod_raw.py
@@ -56,7 +56,7 @@ class BignumModRawConvertToMont(bignum_common.ModOperationCommon,
 
     test_function = "mpi_mod_raw_to_mont_rep"
     test_name = "Convert into Mont: "
-    arch_split = True
+    input_style = "arch_split"
 
     test_data_moduli = ["b",
                         "fd",

From 4c59d35e00d08ae2a6ab51a13077776c05d22a3d Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Fri, 18 Nov 2022 16:05:46 +0000
Subject: [PATCH 138/159] Bignum tests: make args use input_style

Before arg_ attributes were the arguments as they were defined in the
python script. Turning these into properties and having them take the
form respect the style set in input_style makes the class easier to use
and more consistent.

This change makes the hex_ properties redundant and therefore they are
removed.

There are no semantic changes to the generated test cases. (The order
of appearance of 64 and 32 bit mpi_core_add_and_add_if test cases has
changed.)

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 scripts/mbedtls_dev/bignum_common.py  | 30 +++++++++++++++++++--------
 scripts/mbedtls_dev/bignum_core.py    | 10 +--------
 scripts/mbedtls_dev/bignum_mod_raw.py |  4 ++--
 3 files changed, 24 insertions(+), 20 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py
index 0784f845f..907c0b6d5 100644
--- a/scripts/mbedtls_dev/bignum_common.py
+++ b/scripts/mbedtls_dev/bignum_common.py
@@ -95,8 +95,8 @@ class OperationCommon(test_data_generation.BaseTest):
     limb_sizes = [32, 64] # type: List[int]
 
     def __init__(self, val_a: str, val_b: str, bits_in_limb: int = 64) -> None:
-        self.arg_a = val_a
-        self.arg_b = val_b
+        self.val_a = val_a
+        self.val_b = val_b
         self.int_a = hex_to_int(val_a)
         self.int_b = hex_to_int(val_b)
         if bits_in_limb not in self.limb_sizes:
@@ -122,13 +122,25 @@ class OperationCommon(test_data_generation.BaseTest):
     def hex_digits(self) -> int:
         return 2 * (self.limbs * self.bits_in_limb // 8)
 
-    @property
-    def hex_a(self) -> str:
-        return "{:x}".format(self.int_a).zfill(self.hex_digits)
+    def format_arg(self, val) -> str:
+        if self.input_style not in self.input_styles:
+            raise ValueError("Unknown input style!")
+        if self.input_style == "variable":
+            return val
+        else:
+            return val.zfill(self.hex_digits)
+
+    def format_result(self, res) -> str:
+        res_str = '{:x}'.format(res)
+        return quote_str(self.format_arg(res_str))
 
     @property
-    def hex_b(self) -> str:
-        return "{:x}".format(self.int_b).zfill(self.hex_digits)
+    def arg_a(self) -> str:
+        return self.format_arg(self.val_a)
+
+    @property
+    def arg_b(self) -> str:
+        return self.format_arg(self.val_b)
 
     def arguments(self) -> List[str]:
         return [
@@ -206,8 +218,8 @@ class ModOperationCommon(OperationCommon):
         return max([n for n in data_in if n is not None])
 
     @property
-    def hex_n(self) -> str:
-        return "{:x}".format(self.int_n).zfill(self.hex_digits)
+    def arg_n(self) -> str:
+        return self.format_arg(self.val_n)
 
     @property
     def r(self) -> int: # pylint: disable=invalid-name
diff --git a/scripts/mbedtls_dev/bignum_core.py b/scripts/mbedtls_dev/bignum_core.py
index 749403705..48390b98c 100644
--- a/scripts/mbedtls_dev/bignum_core.py
+++ b/scripts/mbedtls_dev/bignum_core.py
@@ -142,21 +142,13 @@ class BignumCoreAddAndAddIf(BignumCoreOperation):
     test_name = "mpi_core_add_and_add_if"
     input_style = "arch_split"
 
-    def __init__(self, val_a: str, val_b: str, bits_in_limb: int) -> None:
-        super().__init__(val_a, val_b)
-        self.arg_a = self.arg_a.zfill(self.hex_digits)
-        self.arg_b = self.arg_b.zfill(self.hex_digits)
-
-    def pad_to_limbs(self, val) -> str:
-        return "{:x}".format(val).zfill(self.hex_digits)
-
     def result(self) -> List[str]:
         result = self.int_a + self.int_b
 
         carry, result = divmod(result, self.limb_boundary)
 
         return [
-            bignum_common.quote_str(self.pad_to_limbs(result)),
+            self.format_result(result),
             str(carry)
         ]
 
diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py
index b330c493d..e2d8cd698 100644
--- a/scripts/mbedtls_dev/bignum_mod_raw.py
+++ b/scripts/mbedtls_dev/bignum_mod_raw.py
@@ -114,8 +114,8 @@ class BignumModRawConvertToMont(bignum_common.ModOperationCommon,
         return [self.hex_x]
 
     def arguments(self) -> List[str]:
-        return [bignum_common.quote_str(n) for n in [self.hex_n,
-                                                     self.hex_a,
+        return [bignum_common.quote_str(n) for n in [self.arg_n,
+                                                     self.arg_a,
                                                      self.hex_x]]
 
     def description(self) -> str:

From abfca8f938e9923a849a0aaa350767e93f10ca5a Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Fri, 18 Nov 2022 16:48:45 +0000
Subject: [PATCH 139/159] Bignum tests: make n an attribute

Having int_ variants as an attribute has the advantage of the input
being validated when the object is instantiated. In theory otherwise if
a particular int_ attribute is not accessed, then the invalid argument
is passed to the tests as it is. (This would in all likelihood detected
by the actual test cases, still, it is more robust like this.)

There are no semantic changes to the generated test cases. (The order
of appearance of 64 and 32 bit mpi_core_add_and_add_if test cases has
changed.)

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 scripts/mbedtls_dev/bignum_common.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py
index 907c0b6d5..58eb11ebd 100644
--- a/scripts/mbedtls_dev/bignum_common.py
+++ b/scripts/mbedtls_dev/bignum_common.py
@@ -97,6 +97,8 @@ class OperationCommon(test_data_generation.BaseTest):
     def __init__(self, val_a: str, val_b: str, bits_in_limb: int = 64) -> None:
         self.val_a = val_a
         self.val_b = val_b
+        # Setting the int versions here as opposed to making them @properties
+        # provides earlier/more robust input validation.
         self.int_a = hex_to_int(val_a)
         self.int_b = hex_to_int(val_b)
         if bits_in_limb not in self.limb_sizes:
@@ -207,10 +209,9 @@ class ModOperationCommon(OperationCommon):
                  bits_in_limb: int = 64) -> None:
         super().__init__(val_a=val_a, val_b=val_b, bits_in_limb=bits_in_limb)
         self.val_n = val_n
-
-    @property
-    def int_n(self) -> int:
-        return hex_to_int(self.val_n)
+        # Setting the int versions here as opposed to making them @properties
+        # provides earlier/more robust input validation.
+        self.int_n = hex_to_int(val_n)
 
     @property
     def boundary(self) -> int:

From a36a3d36b5c749011f8b94f88d37a3f3523ff8a8 Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Fri, 18 Nov 2022 17:49:13 +0000
Subject: [PATCH 140/159] Bignum tests: add arity

Add the ability to control the number of operands, by setting the arity
class attribute.

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 scripts/mbedtls_dev/bignum_common.py | 30 ++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py
index 58eb11ebd..ecff206a3 100644
--- a/scripts/mbedtls_dev/bignum_common.py
+++ b/scripts/mbedtls_dev/bignum_common.py
@@ -85,6 +85,8 @@ class OperationCommon(test_data_generation.BaseTest):
             defined in the python source. "arch_split" pads the values with
             zeroes depending on the architecture/limb size. If this is set,
             test cases are generated for all architectures.
+        arity: the number of operands for the operation. Currently supported
+            values are 1 and 2.
     """
     symbol = ""
     input_values = [] # type: List[str]
@@ -93,8 +95,10 @@ class OperationCommon(test_data_generation.BaseTest):
     input_styles = ["variable", "arch_split"] # type: List[str]
     input_style = "variable" # type: str
     limb_sizes = [32, 64] # type: List[int]
+    arities = [1, 2]
+    arity = 2
 
-    def __init__(self, val_a: str, val_b: str, bits_in_limb: int = 64) -> None:
+    def __init__(self, val_a: str, val_b: str = "0", bits_in_limb: int = 64) -> None:
         self.val_a = val_a
         self.val_b = val_b
         # Setting the int versions here as opposed to making them @properties
@@ -109,8 +113,11 @@ class OperationCommon(test_data_generation.BaseTest):
 
     @property
     def boundary(self) -> int:
-        data_in = [self.int_a, self.int_b]
-        return max([n for n in data_in if n is not None])
+        if self.arity == 1:
+            return self.int_a
+        elif self.arity == 2:
+            return max(self.int_a, self.int_b)
+        raise ValueError("Unsupported number of operands!")
 
     @property
     def limb_boundary(self) -> int:
@@ -142,12 +149,15 @@ class OperationCommon(test_data_generation.BaseTest):
 
     @property
     def arg_b(self) -> str:
+        if self.arity == 1:
+            raise AttributeError("Operation is unary and doesn't have arg_b!")
         return self.format_arg(self.val_b)
 
     def arguments(self) -> List[str]:
-        return [
-            quote_str(self.arg_a), quote_str(self.arg_b)
-        ] + self.result()
+        args = [quote_str(self.arg_a)]
+        if self.arity == 2:
+            args.append(quote_str(self.arg_b))
+        return args + self.result()
 
     def description(self) -> str:
         """Generate a description for the test case.
@@ -192,6 +202,8 @@ class OperationCommon(test_data_generation.BaseTest):
     def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
         if cls.input_style not in cls.input_styles:
             raise ValueError("Unknown input style!")
+        if cls.arity not in cls.arities:
+            raise ValueError("Unsupported number of operands!")
         for a_value, b_value in cls.get_value_pairs():
             if cls.input_style == "arch_split":
                 for bil in cls.limb_sizes:
@@ -215,13 +227,15 @@ class ModOperationCommon(OperationCommon):
 
     @property
     def boundary(self) -> int:
-        data_in = [self.int_a, self.int_b, self.int_n]
-        return max([n for n in data_in if n is not None])
+        return self.int_n
 
     @property
     def arg_n(self) -> str:
         return self.format_arg(self.val_n)
 
+    def arguments(self) -> List[str]:
+        return [quote_str(self.arg_n)] + super().arguments()
+
     @property
     def r(self) -> int: # pylint: disable=invalid-name
         l = limbs_mpi(self.int_n, self.bits_in_limb)

From 1921fd585cb0314bb7e6e165727664c52052dd97 Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Fri, 18 Nov 2022 17:51:02 +0000
Subject: [PATCH 141/159] Bignum tests: use arity in bignum_mod_raw

This makes a couple of properties redundant which are cleaned up.

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 scripts/mbedtls_dev/bignum_mod_raw.py | 24 ++++++++----------------
 1 file changed, 8 insertions(+), 16 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py
index e2d8cd698..6c217c235 100644
--- a/scripts/mbedtls_dev/bignum_mod_raw.py
+++ b/scripts/mbedtls_dev/bignum_mod_raw.py
@@ -57,6 +57,7 @@ class BignumModRawConvertToMont(bignum_common.ModOperationCommon,
     test_function = "mpi_mod_raw_to_mont_rep"
     test_name = "Convert into Mont: "
     input_style = "arch_split"
+    arity = 1
 
     test_data_moduli = ["b",
                         "fd",
@@ -111,12 +112,8 @@ class BignumModRawConvertToMont(bignum_common.ModOperationCommon,
     descr_tpl = '{} #{} N: \"{}\" A: \"{}\".'
 
     def result(self) -> List[str]:
-        return [self.hex_x]
-
-    def arguments(self) -> List[str]:
-        return [bignum_common.quote_str(n) for n in [self.arg_n,
-                                                     self.arg_a,
-                                                     self.hex_x]]
+        result = (self.int_a * self.r) % self.int_n
+        return [self.format_result(result)]
 
     def description(self) -> str:
         return self.descr_tpl.format(self.test_name,
@@ -134,13 +131,6 @@ class BignumModRawConvertToMont(bignum_common.ModOperationCommon,
                         continue
                     yield cls(n, i, bits_in_limb=bil).create_test_case()
 
-    @property
-    def x(self) -> int: # pylint: disable=invalid-name
-        return (self.int_a * self.r) % self.int_n
-
-    @property
-    def hex_x(self) -> str:
-        return "{:x}".format(self.x).zfill(self.hex_digits)
 
 class BignumModRawConvertFromMont(BignumModRawConvertToMont):
     """ Test cases for mpi_mod_raw_from_mont_rep(). """
@@ -169,9 +159,11 @@ class BignumModRawConvertFromMont(BignumModRawConvertToMont):
                           "138a7e6bfbc319ebd1725dacb9a359cbf693f2ecb785efb9d627"
                          ]
 
-    @property
-    def x(self): # pylint: disable=invalid-name
-        return (self.int_a * self.r_inv) % self.int_n
+    def result(self) -> List[str]:
+        result = (self.int_a * self.r_inv) % self.int_n
+        return [self.format_result(result)]
+
+
 # END MERGE SLOT 7
 
 # BEGIN MERGE SLOT 8

From 939621f8ed6803f2967568a3d70582ba27e85e07 Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Fri, 18 Nov 2022 18:15:24 +0000
Subject: [PATCH 142/159] Bignum tests: add support for filtering

Sometimes we don't want all possible combinations of the input data and
sometimes not all combinations make sense. We are adding a convenient
way to decide on a case by case basis. Now child classes only need to
implement the is_valid method and the invalid cases will be filtered out
automatically.

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 scripts/mbedtls_dev/bignum_common.py | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py
index ecff206a3..b22846b71 100644
--- a/scripts/mbedtls_dev/bignum_common.py
+++ b/scripts/mbedtls_dev/bignum_common.py
@@ -172,6 +172,10 @@ class OperationCommon(test_data_generation.BaseTest):
             )
         return super().description()
 
+    @property
+    def is_valid(self) -> bool:
+        return True
+
     @abstractmethod
     def result(self) -> List[str]:
         """Get the result of the operation.
@@ -204,13 +208,18 @@ class OperationCommon(test_data_generation.BaseTest):
             raise ValueError("Unknown input style!")
         if cls.arity not in cls.arities:
             raise ValueError("Unsupported number of operands!")
-        for a_value, b_value in cls.get_value_pairs():
-            if cls.input_style == "arch_split":
-                for bil in cls.limb_sizes:
-                    yield cls(a_value, b_value,
-                              bits_in_limb=bil).create_test_case()
-            else:
-                yield cls(a_value, b_value).create_test_case()
+        if cls.input_style == "arch_split":
+            test_objects = (cls(a_value, b_value, bits_in_limb=bil)
+                            for a_value, b_value in cls.get_value_pairs()
+                            for bil in cls.limb_sizes)
+        else:
+            test_objects = (cls(a_value, b_value) for
+                            a_value, b_value in cls.get_value_pairs())
+        yield from (valid_test_object.create_test_case()
+                    for valid_test_object in filter(
+                        lambda test_object: test_object.is_valid,
+                        test_objects
+                        ))
 
 
 class ModOperationCommon(OperationCommon):

From c4fca5de3ebe5a586a4be591f32b4b641d6e558c Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Sat, 19 Nov 2022 10:42:20 +0000
Subject: [PATCH 143/159] Bignum tests: automate modulo test object generation

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 scripts/mbedtls_dev/bignum_common.py | 37 +++++++++++++++++++++++++---
 1 file changed, 33 insertions(+), 4 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py
index b22846b71..7d7170d17 100644
--- a/scripts/mbedtls_dev/bignum_common.py
+++ b/scripts/mbedtls_dev/bignum_common.py
@@ -209,12 +209,12 @@ class OperationCommon(test_data_generation.BaseTest):
         if cls.arity not in cls.arities:
             raise ValueError("Unsupported number of operands!")
         if cls.input_style == "arch_split":
-            test_objects = (cls(a_value, b_value, bits_in_limb=bil)
-                            for a_value, b_value in cls.get_value_pairs()
+            test_objects = (cls(a, b, bits_in_limb=bil)
+                            for a, b in cls.get_value_pairs()
                             for bil in cls.limb_sizes)
         else:
-            test_objects = (cls(a_value, b_value) for
-                            a_value, b_value in cls.get_value_pairs())
+            test_objects = (cls(a, b)
+                            for a, b in cls.get_value_pairs())
         yield from (valid_test_object.create_test_case()
                     for valid_test_object in filter(
                         lambda test_object: test_object.is_valid,
@@ -225,6 +225,7 @@ class OperationCommon(test_data_generation.BaseTest):
 class ModOperationCommon(OperationCommon):
     #pylint: disable=abstract-method
     """Target for bignum mod_raw test case generation."""
+    moduli = [] # type: List[str]
 
     def __init__(self, val_n: str, val_a: str, val_b: str = "0",
                  bits_in_limb: int = 64) -> None:
@@ -258,6 +259,34 @@ class ModOperationCommon(OperationCommon):
     def r2(self) -> int: # pylint: disable=invalid-name
         return pow(self.r, 2)
 
+    @property
+    def is_valid(self) -> bool:
+        if self.int_a >= self.int_n:
+            return False
+        if self.arity == 2 and self.int_b >= self.int_n:
+            return False
+        return True
+
+    @classmethod
+    def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
+        if cls.input_style not in cls.input_styles:
+            raise ValueError("Unknown input style!")
+        if cls.arity not in cls.arities:
+            raise ValueError("Unsupported number of operands!")
+        if cls.input_style == "arch_split":
+            test_objects = (cls(n, a, b, bits_in_limb=bil)
+                            for n in cls.moduli
+                            for a, b in cls.get_value_pairs()
+                            for bil in cls.limb_sizes)
+        else:
+            test_objects = (cls(n, a, b)
+                            for n in cls.moduli
+                            for a, b in cls.get_value_pairs())
+        yield from (valid_test_object.create_test_case()
+                    for valid_test_object in filter(
+                        lambda test_object: test_object.is_valid,
+                        test_objects
+                        ))
 
 # BEGIN MERGE SLOT 1
 

From 98edf21bb4bb33b1dc2b6a62f0eca204b4160c48 Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Sat, 19 Nov 2022 12:48:17 +0000
Subject: [PATCH 144/159] Bignum test: remove type restrictrion

The special case list type depends on the arity and the subclass. Remove
type restriction to make defining special case lists more flexible and natural.

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 scripts/mbedtls_dev/bignum_common.py | 16 +++++++++++-----
 scripts/mbedtls_dev/bignum_core.py   | 10 ++++++++++
 2 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py
index 7d7170d17..ed321d7c3 100644
--- a/scripts/mbedtls_dev/bignum_common.py
+++ b/scripts/mbedtls_dev/bignum_common.py
@@ -15,7 +15,8 @@
 # limitations under the License.
 
 from abc import abstractmethod
-from typing import Iterator, List, Tuple, TypeVar
+from typing import Iterator, List, Tuple, TypeVar, Any
+from itertools import chain
 
 from . import test_case
 from . import test_data_generation
@@ -90,7 +91,7 @@ class OperationCommon(test_data_generation.BaseTest):
     """
     symbol = ""
     input_values = [] # type: List[str]
-    input_cases = [] # type: List[Tuple[str, str]]
+    input_cases = [] # type: List[Any]
     unique_combinations_only = True
     input_styles = ["variable", "arch_split"] # type: List[str]
     input_style = "variable" # type: str
@@ -200,7 +201,6 @@ class OperationCommon(test_data_generation.BaseTest):
                 for a in cls.input_values
                 for b in cls.input_values
             )
-        yield from cls.input_cases
 
     @classmethod
     def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
@@ -212,14 +212,20 @@ class OperationCommon(test_data_generation.BaseTest):
             test_objects = (cls(a, b, bits_in_limb=bil)
                             for a, b in cls.get_value_pairs()
                             for bil in cls.limb_sizes)
+            special_cases = (cls(*args, bits_in_limb=bil) # type: ignore
+                             for args in cls.input_cases
+                             for bil in cls.limb_sizes)
         else:
             test_objects = (cls(a, b)
                             for a, b in cls.get_value_pairs())
+            special_cases = (cls(*args) for args in cls.input_cases)
         yield from (valid_test_object.create_test_case()
                     for valid_test_object in filter(
                         lambda test_object: test_object.is_valid,
-                        test_objects
-                        ))
+                        chain(test_objects, special_cases)
+                        )
+                    )
+
 
 
 class ModOperationCommon(OperationCommon):
diff --git a/scripts/mbedtls_dev/bignum_core.py b/scripts/mbedtls_dev/bignum_core.py
index 48390b98c..1bfc652ef 100644
--- a/scripts/mbedtls_dev/bignum_core.py
+++ b/scripts/mbedtls_dev/bignum_core.py
@@ -243,6 +243,16 @@ class BignumCoreMLA(BignumCoreOperation):
             "\"{:x}\"".format(carry_8)
         ]
 
+    @classmethod
+    def get_value_pairs(cls) -> Iterator[Tuple[str, str]]:
+        """Generator to yield pairs of inputs.
+
+        Combinations are first generated from all input values, and then
+        specific cases provided.
+        """
+        yield from super().get_value_pairs()
+        yield from cls.input_cases
+
     @classmethod
     def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
         """Override for additional scalar input."""

From 435b305a491853c7b477f5b012c226832574104e Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Sat, 19 Nov 2022 14:18:02 +0000
Subject: [PATCH 145/159] Bignum tests: add special cases to mod

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 scripts/mbedtls_dev/bignum_common.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py
index ed321d7c3..6fd42d1e7 100644
--- a/scripts/mbedtls_dev/bignum_common.py
+++ b/scripts/mbedtls_dev/bignum_common.py
@@ -273,6 +273,15 @@ class ModOperationCommon(OperationCommon):
             return False
         return True
 
+    @classmethod
+    def input_cases_args(cls) -> Iterator[Tuple[Any, Any, Any]]:
+        if cls.arity == 1:
+            yield from ((n, a, "0") for a, n in cls.input_cases)
+        elif cls.arity == 2:
+            yield from ((n, a, b) for a, b, n in cls.input_cases)
+        else:
+            raise ValueError("Unsupported number of operands!")
+
     @classmethod
     def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
         if cls.input_style not in cls.input_styles:
@@ -284,14 +293,18 @@ class ModOperationCommon(OperationCommon):
                             for n in cls.moduli
                             for a, b in cls.get_value_pairs()
                             for bil in cls.limb_sizes)
+            special_cases = (cls(*args, bits_in_limb=bil)
+                             for args in cls.input_cases_args()
+                             for bil in cls.limb_sizes)
         else:
             test_objects = (cls(n, a, b)
                             for n in cls.moduli
                             for a, b in cls.get_value_pairs())
+            special_cases = (cls(*args) for args in cls.input_cases_args())
         yield from (valid_test_object.create_test_case()
                     for valid_test_object in filter(
                         lambda test_object: test_object.is_valid,
-                        test_objects
+                        chain(test_objects, special_cases)
                         ))
 
 # BEGIN MERGE SLOT 1

From 284672ccfb23b7a62aa730cc86012722cd794f85 Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Sat, 19 Nov 2022 14:55:43 +0000
Subject: [PATCH 146/159] Bignum tests: complete support for unary operators

There are no intended changes to generated tests. (The ordering of tests
in the mod_raw module has changed.)

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 scripts/mbedtls_dev/bignum_common.py  |  19 ++--
 scripts/mbedtls_dev/bignum_mod_raw.py | 149 ++++++++++++--------------
 2 files changed, 81 insertions(+), 87 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py
index 6fd42d1e7..318e25ca1 100644
--- a/scripts/mbedtls_dev/bignum_common.py
+++ b/scripts/mbedtls_dev/bignum_common.py
@@ -193,14 +193,19 @@ class OperationCommon(test_data_generation.BaseTest):
         Combinations are first generated from all input values, and then
         specific cases provided.
         """
-        if cls.unique_combinations_only:
-            yield from combination_pairs(cls.input_values)
+        if cls.arity == 1:
+            yield from ((a, "0") for a in cls.input_values)
+        elif cls.arity == 2:
+            if cls.unique_combinations_only:
+                yield from combination_pairs(cls.input_values)
+            else:
+                yield from (
+                    (a, b)
+                    for a in cls.input_values
+                    for b in cls.input_values
+                )
         else:
-            yield from (
-                (a, b)
-                for a in cls.input_values
-                for b in cls.input_values
-            )
+            raise ValueError("Unsupported number of operands!")
 
     @classmethod
     def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py
index 6c217c235..087c8dc87 100644
--- a/scripts/mbedtls_dev/bignum_mod_raw.py
+++ b/scripts/mbedtls_dev/bignum_mod_raw.py
@@ -14,9 +14,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-from typing import Dict, Iterator, List
+from typing import Dict, List
 
-from . import test_case
 from . import test_data_generation
 from . import bignum_common
 
@@ -59,55 +58,55 @@ class BignumModRawConvertToMont(bignum_common.ModOperationCommon,
     input_style = "arch_split"
     arity = 1
 
-    test_data_moduli = ["b",
-                        "fd",
-                        "eeff99aa37",
-                        "eeff99aa11",
-                        "800000000005",
-                        "7fffffffffffffff",
-                        "80fe000a10000001",
-                        "25a55a46e5da99c71c7",
-                        "1058ad82120c3a10196bb36229c1",
-                        "7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f"
-                        "18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a"
-                        "98df75154f8c914a282f8b",
-                        "8335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63",
-                        "ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f"
-                        "2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a6"
-                        "4d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2"
-                        "deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d"
-                        "6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a0"
-                        "7e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d389"
-                        "8c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6"
-                        "bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3a"
-                        "d4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181d"
-                        "b8896f33bb12e6ef73f12ec5c5ea7a8a337"
-                        ]
+    moduli = ["b",
+              "fd",
+              "eeff99aa37",
+              "eeff99aa11",
+              "800000000005",
+              "7fffffffffffffff",
+              "80fe000a10000001",
+              "25a55a46e5da99c71c7",
+              "1058ad82120c3a10196bb36229c1",
+              "7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f"
+              "18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a"
+              "98df75154f8c914a282f8b",
+              "8335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63",
+              "ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f"
+              "2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a6"
+              "4d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2"
+              "deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d"
+              "6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a0"
+              "7e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d389"
+              "8c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6"
+              "bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3a"
+              "d4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181d"
+              "b8896f33bb12e6ef73f12ec5c5ea7a8a337"
+              ]
 
-    test_input_numbers = ["0",
-                          "1",
-                          "97",
-                          "f5",
-                          "6f5c3",
-                          "745bfe50f7",
-                          "ffa1f9924123",
-                          "334a8b983c79bd",
-                          "5b84f632b58f3461",
-                          "19acd15bc38008e1",
-                          "ffffffffffffffff",
-                          "54ce6a6bb8247fa0427cfc75a6b0599",
-                          "fecafe8eca052f154ce6a6bb8247fa019558bfeecce9bb9",
-                          "a87d7a56fa4bfdc7da42ef798b9cf6843d4c54794698cb14d72"
-                          "851dec9586a319f4bb6d5695acbd7c92e7a42a5ede6972adcbc"
-                          "f68425265887f2d721f462b7f1b91531bac29fa648facb8e3c6"
-                          "1bd5ae42d5a59ba1c89a95897bfe541a8ce1d633b98f379c481"
-                          "6f25e21f6ac49286b261adb4b78274fe5f61c187581f213e84b"
-                          "2a821e341ef956ecd5de89e6c1a35418cd74a549379d2d4594a"
-                          "577543147f8e35b3514e62cf3e89d1156cdc91ab5f4c928fbd6"
-                          "9148c35df5962fed381f4d8a62852a36823d5425f7487c13a12"
-                          "523473fb823aa9d6ea5f42e794e15f2c1a8785cf6b7d51a4617"
-                          "947fb3baf674f74a673cf1d38126983a19ed52c7439fab42c2185"
-                          ]
+    input_values = ["0",
+                    "1",
+                    "97",
+                    "f5",
+                    "6f5c3",
+                    "745bfe50f7",
+                    "ffa1f9924123",
+                    "334a8b983c79bd",
+                    "5b84f632b58f3461",
+                    "19acd15bc38008e1",
+                    "ffffffffffffffff",
+                    "54ce6a6bb8247fa0427cfc75a6b0599",
+                    "fecafe8eca052f154ce6a6bb8247fa019558bfeecce9bb9",
+                    "a87d7a56fa4bfdc7da42ef798b9cf6843d4c54794698cb14d72"
+                    "851dec9586a319f4bb6d5695acbd7c92e7a42a5ede6972adcbc"
+                    "f68425265887f2d721f462b7f1b91531bac29fa648facb8e3c6"
+                    "1bd5ae42d5a59ba1c89a95897bfe541a8ce1d633b98f379c481"
+                    "6f25e21f6ac49286b261adb4b78274fe5f61c187581f213e84b"
+                    "2a821e341ef956ecd5de89e6c1a35418cd74a549379d2d4594a"
+                    "577543147f8e35b3514e62cf3e89d1156cdc91ab5f4c928fbd6"
+                    "9148c35df5962fed381f4d8a62852a36823d5425f7487c13a12"
+                    "523473fb823aa9d6ea5f42e794e15f2c1a8785cf6b7d51a4617"
+                    "947fb3baf674f74a673cf1d38126983a19ed52c7439fab42c2185"
+                    ]
 
     descr_tpl = '{} #{} N: \"{}\" A: \"{}\".'
 
@@ -121,16 +120,6 @@ class BignumModRawConvertToMont(bignum_common.ModOperationCommon,
                                      self.int_n,
                                      self.int_a)
 
-    @classmethod
-    def generate_function_tests(cls) -> Iterator[test_case.TestCase]:
-        for bil in [32, 64]:
-            for n in cls.test_data_moduli:
-                for i in cls.test_input_numbers:
-                    # Skip invalid combinations where A.limbs > N.limbs
-                    if bignum_common.hex_to_int(i) > bignum_common.hex_to_int(n):
-                        continue
-                    yield cls(n, i, bits_in_limb=bil).create_test_case()
-
 
 class BignumModRawConvertFromMont(BignumModRawConvertToMont):
     """ Test cases for mpi_mod_raw_from_mont_rep(). """
@@ -138,26 +127,26 @@ class BignumModRawConvertFromMont(BignumModRawConvertToMont):
     test_function = "mpi_mod_raw_from_mont_rep"
     test_name = "Convert from Mont: "
 
-    test_input_numbers = ["0",
-                          "1",
-                          "3ca",
-                          "539ed428",
-                          "7dfe5c6beb35a2d6",
-                          "dca8de1c2adfc6d7aafb9b48e",
-                          "a7d17b6c4be72f3d5c16bf9c1af6fc933",
-                          "2fec97beec546f9553142ed52f147845463f579",
-                          "378dc83b8bc5a7b62cba495af4919578dce6d4f175cadc4f",
-                          "b6415f2a1a8e48a518345db11f56db3829c8f2c6415ab4a395a"
-                          "b3ac2ea4cbef4af86eb18a84eb6ded4c6ecbfc4b59c2879a675"
-                          "487f687adea9d197a84a5242a5cf6125ce19a6ad2e7341f1c57"
-                          "d43ea4f4c852a51cb63dabcd1c9de2b827a3146a3d175b35bea"
-                          "41ae75d2a286a3e9d43623152ac513dcdea1d72a7da846a8ab3"
-                          "58d9be4926c79cfb287cf1cf25b689de3b912176be5dcaf4d4c"
-                          "6e7cb839a4a3243a6c47c1e2c99d65c59d6fa3672575c2f1ca8"
-                          "de6a32e854ec9d8ec635c96af7679fce26d7d159e4a9da3bd74"
-                          "e1272c376cd926d74fe3fb164a5935cff3d5cdb92b35fe2cea32"
-                          "138a7e6bfbc319ebd1725dacb9a359cbf693f2ecb785efb9d627"
-                         ]
+    input_values = ["0",
+                    "1",
+                    "3ca",
+                    "539ed428",
+                    "7dfe5c6beb35a2d6",
+                    "dca8de1c2adfc6d7aafb9b48e",
+                    "a7d17b6c4be72f3d5c16bf9c1af6fc933",
+                    "2fec97beec546f9553142ed52f147845463f579",
+                    "378dc83b8bc5a7b62cba495af4919578dce6d4f175cadc4f",
+                    "b6415f2a1a8e48a518345db11f56db3829c8f2c6415ab4a395a"
+                    "b3ac2ea4cbef4af86eb18a84eb6ded4c6ecbfc4b59c2879a675"
+                    "487f687adea9d197a84a5242a5cf6125ce19a6ad2e7341f1c57"
+                    "d43ea4f4c852a51cb63dabcd1c9de2b827a3146a3d175b35bea"
+                    "41ae75d2a286a3e9d43623152ac513dcdea1d72a7da846a8ab3"
+                    "58d9be4926c79cfb287cf1cf25b689de3b912176be5dcaf4d4c"
+                    "6e7cb839a4a3243a6c47c1e2c99d65c59d6fa3672575c2f1ca8"
+                    "de6a32e854ec9d8ec635c96af7679fce26d7d159e4a9da3bd74"
+                    "e1272c376cd926d74fe3fb164a5935cff3d5cdb92b35fe2cea32"
+                    "138a7e6bfbc319ebd1725dacb9a359cbf693f2ecb785efb9d627"
+                   ]
 
     def result(self) -> List[str]:
         result = (self.int_a * self.r_inv) % self.int_n

From 8ae7a657acb7e35b51de4c39c4e47aba4858a11e Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Sat, 19 Nov 2022 15:05:19 +0000
Subject: [PATCH 147/159] Bignum tests: improve mod descriptions

There are no semantic changes to the generated tests.

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 scripts/mbedtls_dev/bignum_common.py  | 23 +++++++++++++++++++----
 scripts/mbedtls_dev/bignum_mod_raw.py | 12 +++---------
 2 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py
index 318e25ca1..9e92b8e61 100644
--- a/scripts/mbedtls_dev/bignum_common.py
+++ b/scripts/mbedtls_dev/bignum_common.py
@@ -168,9 +168,14 @@ class OperationCommon(test_data_generation.BaseTest):
         generated to provide some context to the test case.
         """
         if not self.case_description:
-            self.case_description = "{:x} {} {:x}".format(
-                self.int_a, self.symbol, self.int_b
-            )
+            if self.arity == 1:
+                self.case_description = "{} {:x}".format(
+                    self.symbol, self.int_a
+                )
+            elif self.arity == 2:
+                self.case_description = "{:x} {} {:x}".format(
+                    self.int_a, self.symbol, self.int_b
+                )
         return super().description()
 
     @property
@@ -232,7 +237,6 @@ class OperationCommon(test_data_generation.BaseTest):
                     )
 
 
-
 class ModOperationCommon(OperationCommon):
     #pylint: disable=abstract-method
     """Target for bignum mod_raw test case generation."""
@@ -278,6 +282,17 @@ class ModOperationCommon(OperationCommon):
             return False
         return True
 
+    def description(self) -> str:
+        """Generate a description for the test case.
+
+        It uses the form A `symbol` B mod N, where symbol is used to represent
+        the operation.
+        """
+
+        if not self.case_description:
+            return super().description() + " mod {:x}".format(self.int_n)
+        return super().description()
+
     @classmethod
     def input_cases_args(cls) -> Iterator[Tuple[Any, Any, Any]]:
         if cls.arity == 1:
diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py
index 087c8dc87..b23fbb2dc 100644
--- a/scripts/mbedtls_dev/bignum_mod_raw.py
+++ b/scripts/mbedtls_dev/bignum_mod_raw.py
@@ -55,6 +55,7 @@ class BignumModRawConvertToMont(bignum_common.ModOperationCommon,
 
     test_function = "mpi_mod_raw_to_mont_rep"
     test_name = "Convert into Mont: "
+    symbol = "R *"
     input_style = "arch_split"
     arity = 1
 
@@ -108,24 +109,17 @@ class BignumModRawConvertToMont(bignum_common.ModOperationCommon,
                     "947fb3baf674f74a673cf1d38126983a19ed52c7439fab42c2185"
                     ]
 
-    descr_tpl = '{} #{} N: \"{}\" A: \"{}\".'
-
     def result(self) -> List[str]:
         result = (self.int_a * self.r) % self.int_n
         return [self.format_result(result)]
 
-    def description(self) -> str:
-        return self.descr_tpl.format(self.test_name,
-                                     self.count,
-                                     self.int_n,
-                                     self.int_a)
-
 
 class BignumModRawConvertFromMont(BignumModRawConvertToMont):
     """ Test cases for mpi_mod_raw_from_mont_rep(). """
-
+    count = 0
     test_function = "mpi_mod_raw_from_mont_rep"
     test_name = "Convert from Mont: "
+    symbol = "1/R *"
 
     input_values = ["0",
                     "1",

From a36e430251d855143267c2ea1185d13c7d8e3042 Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Sat, 19 Nov 2022 15:55:53 +0000
Subject: [PATCH 148/159] Bignum tests: add support for fixed width input

Only fixed width input_style uses the default value of the bits_in_limb
parameter, so set it to 32 in order to have less leading zeroes.

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 scripts/mbedtls_dev/bignum_common.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py
index 9e92b8e61..b68653a03 100644
--- a/scripts/mbedtls_dev/bignum_common.py
+++ b/scripts/mbedtls_dev/bignum_common.py
@@ -93,13 +93,13 @@ class OperationCommon(test_data_generation.BaseTest):
     input_values = [] # type: List[str]
     input_cases = [] # type: List[Any]
     unique_combinations_only = True
-    input_styles = ["variable", "arch_split"] # type: List[str]
+    input_styles = ["variable", "fixed", "arch_split"] # type: List[str]
     input_style = "variable" # type: str
     limb_sizes = [32, 64] # type: List[int]
     arities = [1, 2]
     arity = 2
 
-    def __init__(self, val_a: str, val_b: str = "0", bits_in_limb: int = 64) -> None:
+    def __init__(self, val_a: str, val_b: str = "0", bits_in_limb: int = 32) -> None:
         self.val_a = val_a
         self.val_b = val_b
         # Setting the int versions here as opposed to making them @properties

From b2a850c746ea475aaa22c7c26756d1eefdfd6883 Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Sun, 20 Nov 2022 10:56:05 +0000
Subject: [PATCH 149/159] Bignum Tests: add test data

The goal of this commit is to add some constants that can be used to
define datasets and add test data in a more readable and reusable
manner.

All platforms using ECC need to support calculations with at least 192
bits, therefore constants for this length are added. We are not using a
curve prime as those will be tested elsewhere and it is better not to
play favourites.

All platforms using RSA or FFDH need to support calculations with at
least 1024 bits, therefore numbers of this size are added too.

A safe prime is added for both sizes as it makes all elements generators
(except 0 and 1 of course), which in turn makes some tests more
effective.

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 scripts/mbedtls_dev/bignum_data.py | 109 +++++++++++++++++++++++++++++
 1 file changed, 109 insertions(+)
 create mode 100644 scripts/mbedtls_dev/bignum_data.py

diff --git a/scripts/mbedtls_dev/bignum_data.py b/scripts/mbedtls_dev/bignum_data.py
new file mode 100644
index 000000000..78fbb8c04
--- /dev/null
+++ b/scripts/mbedtls_dev/bignum_data.py
@@ -0,0 +1,109 @@
+"""Base values and datasets for bignum generated tests and helper functions that
+produced them."""
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import random
+
+# Functions calling these were used to produce test data and are here only for
+# reproducability, they are not used by the test generation framework/classes
+try:
+    from Cryptodome.Util.number import isPrime, getPrime #type: ignore #pylint: disable=import-error
+except ImportError:
+    pass
+
+# Generated by bignum_common.gen_safe_prime(192,1)
+SAFE_PRIME_192_BIT_SEED_1 = "d1c127a667786703830500038ebaef20e5a3e2dc378fb75b"
+
+# First number generated by random.getrandbits(192) - seed(2,2), not a prime
+RANDOM_192_BIT_SEED_2_NO1 = "177219d30e7a269fd95bafc8f2a4d27bdcf4bb99f4bea973"
+
+# Second number generated by random.getrandbits(192) - seed(2,2), not a prime
+RANDOM_192_BIT_SEED_2_NO2 = "cf1822ffbc6887782b491044d5e341245c6e433715ba2bdd"
+
+# Third number generated by random.getrandbits(192) - seed(2,2), not a prime
+RANDOM_192_BIT_SEED_2_NO3 = "3653f8dd9b1f282e4067c3584ee207f8da94e3e8ab73738f"
+
+# Fourth number generated by random.getrandbits(192) - seed(2,2), not a prime
+RANDOM_192_BIT_SEED_2_NO4 = "ffed9235288bc781ae66267594c9c9500925e4749b575bd1"
+
+# Ninth number generated by random.getrandbits(192) - seed(2,2), not a prime
+RANDOM_192_BIT_SEED_2_NO9 = "2a1be9cd8697bbd0e2520e33e44c50556c71c4a66148a86f"
+
+# Generated by bignum_common.gen_safe_prime(1024,3)
+SAFE_PRIME_1024_BIT_SEED_3 = ("c93ba7ec74d96f411ba008bdb78e63ff11bb5df46a51e16b"
+                              "2c9d156f8e4e18abf5e052cb01f47d0d1925a77f60991577"
+                              "e128fb6f52f34a27950a594baadd3d8057abeb222cf3cca9"
+                              "62db16abf79f2ada5bd29ab2f51244bf295eff9f6aaba130"
+                              "2efc449b128be75eeaca04bc3c1a155d11d14e8be32a2c82"
+                              "87b3996cf6ad5223")
+
+# First number generated by random.getrandbits(1024) - seed(4,2), not a prime
+RANDOM_1024_BIT_SEED_4_NO1 = ("6905269ed6f0b09f165c8ce36e2f24b43000de01b2ed40ed"
+                              "3addccb2c33be0ac79d679346d4ac7a5c3902b38963dc6e8"
+                              "534f45738d048ec0f1099c6c3e1b258fd724452ccea71ff4"
+                              "a14876aeaff1a098ca5996666ceab360512bd13110722311"
+                              "710cf5327ac435a7a97c643656412a9b8a1abcd1a6916c74"
+                              "da4f9fc3c6da5d7")
+
+# Second number generated by random.getrandbits(1024) - seed(4,2), not a prime
+RANDOM_1024_BIT_SEED_4_NO2 = ("f1cfd99216df648647adec26793d0e453f5082492d83a823"
+                              "3fb62d2c81862fc9634f806fabf4a07c566002249b191bf4"
+                              "d8441b5616332aca5f552773e14b0190d93936e1daca3c06"
+                              "f5ff0c03bb5d7385de08caa1a08179104a25e4664f5253a0"
+                              "2a3187853184ff27459142deccea264542a00403ce80c4b0"
+                              "a4042bb3d4341aad")
+
+# Third number generated by random.getrandbits(1024) - seed(4,2), not a prime
+RANDOM_1024_BIT_SEED_4_NO3 = ("14c15c910b11ad28cc21ce88d0060cc54278c2614e1bcb38"
+                              "3bb4a570294c4ea3738d243a6e58d5ca49c7b59b995253fd"
+                              "6c79a3de69f85e3131f3b9238224b122c3e4a892d9196ada"
+                              "4fcfa583e1df8af9b474c7e89286a1754abcb06ae8abb93f"
+                              "01d89a024cdce7a6d7288ff68c320f89f1347e0cdd905ecf"
+                              "d160c5d0ef412ed6")
+
+# Fourth number generated by random.getrandbits(1024) - seed(4,2), not a prime
+RANDOM_1024_BIT_SEED_4_NO4 = ("32decd6b8efbc170a26a25c852175b7a96b98b5fbf37a2be"
+                              "6f98bca35b17b9662f0733c846bbe9e870ef55b1a1f65507"
+                              "a2909cb633e238b4e9dd38b869ace91311021c9e32111ac1"
+                              "ac7cc4a4ff4dab102522d53857c49391b36cc9aa78a330a1"
+                              "a5e333cb88dcf94384d4cd1f47ca7883ff5a52f1a05885ac"
+                              "7671863c0bdbc23a")
+
+# Fifth number generated by random.getrandbits(1024) - seed(4,2), not a prime
+RANDOM_1024_BIT_SEED_4_NO5 = ("53be4721f5b9e1f5acdac615bc20f6264922b9ccf469aef8"
+                              "f6e7d078e55b85dd1525f363b281b8885b69dc230af5ac87"
+                              "0692b534758240df4a7a03052d733dcdef40af2e54c0ce68"
+                              "1f44ebd13cc75f3edcb285f89d8cf4d4950b16ffc3e1ac3b"
+                              "4708d9893a973000b54a23020fc5b043d6e4a51519d9c9cc"
+                              "52d32377e78131c1")
+
+def __gen_safe_prime(bits, seed):
+    '''
+    Generate a safe prime.
+
+    This function is intended for generating constants offline and shouldn't be
+    used in test generation classes.
+
+    Requires pycryptodomex for getPrime and isPrime and python 3.9 or later for
+    randbytes.
+    '''
+    rng = random.Random()
+    # We want reproducability across python versions
+    rng.seed(seed, version=2)
+    while True:
+        prime = 2*getPrime(bits-1, rng.randbytes)+1 #pylint: disable=no-member
+        if isPrime(prime, 1e-30):
+            return prime

From dac44e6021f0653352ef81611738f8cbf432543d Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Sun, 20 Nov 2022 11:58:12 +0000
Subject: [PATCH 150/159] Bignum tests: add default datasets

Add data for small values, 192 bit and 1024 bit values, primes,
non-primes odd, even, and some typical corner cases.

All subclasses override this for the time being so there are no changes
to the test cases.

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 scripts/mbedtls_dev/bignum_common.py |  5 +++--
 scripts/mbedtls_dev/bignum_data.py   | 27 +++++++++++++++++++++++++++
 2 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py
index b68653a03..e03c1c3f8 100644
--- a/scripts/mbedtls_dev/bignum_common.py
+++ b/scripts/mbedtls_dev/bignum_common.py
@@ -20,6 +20,7 @@ from itertools import chain
 
 from . import test_case
 from . import test_data_generation
+from .bignum_data import INPUTS_DEFAULT, MODULI_DEFAULT
 
 T = TypeVar('T') #pylint: disable=invalid-name
 
@@ -90,7 +91,7 @@ class OperationCommon(test_data_generation.BaseTest):
             values are 1 and 2.
     """
     symbol = ""
-    input_values = [] # type: List[str]
+    input_values = INPUTS_DEFAULT # type: List[str]
     input_cases = [] # type: List[Any]
     unique_combinations_only = True
     input_styles = ["variable", "fixed", "arch_split"] # type: List[str]
@@ -240,7 +241,7 @@ class OperationCommon(test_data_generation.BaseTest):
 class ModOperationCommon(OperationCommon):
     #pylint: disable=abstract-method
     """Target for bignum mod_raw test case generation."""
-    moduli = [] # type: List[str]
+    moduli = MODULI_DEFAULT # type: List[str]
 
     def __init__(self, val_n: str, val_a: str, val_b: str = "0",
                  bits_in_limb: int = 64) -> None:
diff --git a/scripts/mbedtls_dev/bignum_data.py b/scripts/mbedtls_dev/bignum_data.py
index 78fbb8c04..74d21d0ca 100644
--- a/scripts/mbedtls_dev/bignum_data.py
+++ b/scripts/mbedtls_dev/bignum_data.py
@@ -90,6 +90,33 @@ RANDOM_1024_BIT_SEED_4_NO5 = ("53be4721f5b9e1f5acdac615bc20f6264922b9ccf469aef8"
                               "4708d9893a973000b54a23020fc5b043d6e4a51519d9c9cc"
                               "52d32377e78131c1")
 
+# Adding 192 bit and 1024 bit numbers because these are the shortest required
+# for ECC and RSA respectively.
+INPUTS_DEFAULT = [
+        "0", "1", # corner cases
+        "2", "3", # small primes
+        "4",      # non-prime even
+        "38",     # small random
+        SAFE_PRIME_192_BIT_SEED_1,  # prime
+        RANDOM_192_BIT_SEED_2_NO1,  # not a prime
+        RANDOM_192_BIT_SEED_2_NO2,  # not a prime
+        SAFE_PRIME_1024_BIT_SEED_3, # prime
+        RANDOM_1024_BIT_SEED_4_NO1, # not a prime
+        RANDOM_1024_BIT_SEED_4_NO3, # not a prime
+        RANDOM_1024_BIT_SEED_4_NO2, # largest (not a prime)
+        ]
+
+# Only odd moduli are present as in the new bignum code only odd moduli are
+# supported for now.
+MODULI_DEFAULT = [
+        "53", # safe prime
+        "45", # non-prime
+        SAFE_PRIME_192_BIT_SEED_1,  # safe prime
+        RANDOM_192_BIT_SEED_2_NO4,  # not a prime
+        SAFE_PRIME_1024_BIT_SEED_3, # safe prime
+        RANDOM_1024_BIT_SEED_4_NO5, # not a prime
+        ]
+
 def __gen_safe_prime(bits, seed):
     '''
     Generate a safe prime.

From be5e7aea7ceefc27dd69f405da1ed76170ba231c Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Sun, 20 Nov 2022 12:45:58 +0000
Subject: [PATCH 151/159] Bignum tests: remove deprecated dataset

Remove old dataset that was overriding the defaults in bignum_core. This
will change the datasets for core_sub and core_add to the default
inherited from bignum_common.

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 scripts/mbedtls_dev/bignum_core.py | 22 ----------------------
 1 file changed, 22 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_core.py b/scripts/mbedtls_dev/bignum_core.py
index 1bfc652ef..deff6a8a6 100644
--- a/scripts/mbedtls_dev/bignum_core.py
+++ b/scripts/mbedtls_dev/bignum_core.py
@@ -107,31 +107,9 @@ class BignumCoreCTLookup(BignumCoreTarget, test_data_generation.BaseTest):
                        .create_test_case())
 
 
-INPUT_VALUES = [
-    "0", "1", "3", "f", "fe", "ff", "100", "ff00", "fffe", "ffff", "10000",
-    "fffffffe", "ffffffff", "100000000", "1f7f7f7f7f7f7f",
-    "8000000000000000", "fefefefefefefefe", "fffffffffffffffe",
-    "ffffffffffffffff", "10000000000000000", "1234567890abcdef0",
-    "fffffffffffffffffefefefefefefefe", "fffffffffffffffffffffffffffffffe",
-    "ffffffffffffffffffffffffffffffff", "100000000000000000000000000000000",
-    "1234567890abcdef01234567890abcdef0",
-    "fffffffffffffffffffffffffffffffffffffffffffffffffefefefefefefefe",
-    "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe",
-    "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
-    "10000000000000000000000000000000000000000000000000000000000000000",
-    "1234567890abcdef01234567890abcdef01234567890abcdef01234567890abcdef0",
-    (
-        "4df72d07b4b71c8dacb6cffa954f8d88254b6277099308baf003fab73227f34029"
-        "643b5a263f66e0d3c3fa297ef71755efd53b8fb6cb812c6bbf7bcf179298bd9947"
-        "c4c8b14324140a2c0f5fad7958a69050a987a6096e9f055fb38edf0c5889eca4a0"
-        "cfa99b45fbdeee4c696b328ddceae4723945901ec025076b12b"
-    )
-]
-
 class BignumCoreOperation(BignumCoreTarget, bignum_common.OperationCommon):
     #pylint: disable=abstract-method
     """Common features for bignum core operations."""
-    input_values = INPUT_VALUES
 
 
 class BignumCoreAddAndAddIf(BignumCoreOperation):

From 76c21bd2421cd8ecb0bcd31c095399f31cb9da2e Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Sun, 20 Nov 2022 12:52:53 +0000
Subject: [PATCH 152/159] Bignum tests: flatten class hierarchy in _core

There is no semantic changes to the generated tests, the order of the
test blocks has changed.

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 scripts/mbedtls_dev/bignum_core.py | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_core.py b/scripts/mbedtls_dev/bignum_core.py
index deff6a8a6..806e13193 100644
--- a/scripts/mbedtls_dev/bignum_core.py
+++ b/scripts/mbedtls_dev/bignum_core.py
@@ -107,12 +107,7 @@ class BignumCoreCTLookup(BignumCoreTarget, test_data_generation.BaseTest):
                        .create_test_case())
 
 
-class BignumCoreOperation(BignumCoreTarget, bignum_common.OperationCommon):
-    #pylint: disable=abstract-method
-    """Common features for bignum core operations."""
-
-
-class BignumCoreAddAndAddIf(BignumCoreOperation):
+class BignumCoreAddAndAddIf(BignumCoreTarget, bignum_common.OperationCommon):
     """Test cases for bignum core add and add-if."""
     count = 0
     symbol = "+"
@@ -131,7 +126,7 @@ class BignumCoreAddAndAddIf(BignumCoreOperation):
         ]
 
 
-class BignumCoreSub(BignumCoreOperation):
+class BignumCoreSub(BignumCoreTarget, bignum_common.OperationCommon):
     """Test cases for bignum core sub."""
     count = 0
     symbol = "-"
@@ -157,7 +152,7 @@ class BignumCoreSub(BignumCoreOperation):
         ]
 
 
-class BignumCoreMLA(BignumCoreOperation):
+class BignumCoreMLA(BignumCoreTarget, bignum_common.OperationCommon):
     """Test cases for fixed-size multiply accumulate."""
     count = 0
     test_function = "mpi_core_mla"

From f45797652fef6a53a11bd760c76e3f987f03a901 Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Sun, 20 Nov 2022 13:32:54 +0000
Subject: [PATCH 153/159] Bignum tests: set unique combinations off by default

Normally we need all the combinations, unique combinations make sense
only if the operation is commutative.

No changes to generated tests.

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 scripts/mbedtls_dev/bignum_common.py   | 2 +-
 scripts/mbedtls_dev/bignum_core.py     | 3 +--
 tests/scripts/generate_bignum_tests.py | 1 +
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py
index e03c1c3f8..67ea78db4 100644
--- a/scripts/mbedtls_dev/bignum_common.py
+++ b/scripts/mbedtls_dev/bignum_common.py
@@ -93,7 +93,7 @@ class OperationCommon(test_data_generation.BaseTest):
     symbol = ""
     input_values = INPUTS_DEFAULT # type: List[str]
     input_cases = [] # type: List[Any]
-    unique_combinations_only = True
+    unique_combinations_only = False
     input_styles = ["variable", "fixed", "arch_split"] # type: List[str]
     input_style = "variable" # type: str
     limb_sizes = [32, 64] # type: List[int]
diff --git a/scripts/mbedtls_dev/bignum_core.py b/scripts/mbedtls_dev/bignum_core.py
index 806e13193..4910daea8 100644
--- a/scripts/mbedtls_dev/bignum_core.py
+++ b/scripts/mbedtls_dev/bignum_core.py
@@ -114,6 +114,7 @@ class BignumCoreAddAndAddIf(BignumCoreTarget, bignum_common.OperationCommon):
     test_function = "mpi_core_add_and_add_if"
     test_name = "mpi_core_add_and_add_if"
     input_style = "arch_split"
+    unique_combinations_only = True
 
     def result(self) -> List[str]:
         result = self.int_a + self.int_b
@@ -132,7 +133,6 @@ class BignumCoreSub(BignumCoreTarget, bignum_common.OperationCommon):
     symbol = "-"
     test_function = "mpi_core_sub"
     test_name = "mbedtls_mpi_core_sub"
-    unique_combinations_only = False
 
     def result(self) -> List[str]:
         if self.int_a >= self.int_b:
@@ -157,7 +157,6 @@ class BignumCoreMLA(BignumCoreTarget, bignum_common.OperationCommon):
     count = 0
     test_function = "mpi_core_mla"
     test_name = "mbedtls_mpi_core_mla"
-    unique_combinations_only = False
 
     input_values = [
         "0", "1", "fffe", "ffffffff", "100000000", "20000000000000",
diff --git a/tests/scripts/generate_bignum_tests.py b/tests/scripts/generate_bignum_tests.py
index 89d0ac29e..c3058e98a 100755
--- a/tests/scripts/generate_bignum_tests.py
+++ b/tests/scripts/generate_bignum_tests.py
@@ -78,6 +78,7 @@ class BignumOperation(bignum_common.OperationCommon, BignumTarget,
                       metaclass=ABCMeta):
     #pylint: disable=abstract-method
     """Common features for bignum operations in legacy tests."""
+    unique_combinations_only = True
     input_values = [
         "", "0", "-", "-0",
         "7b", "-7b",

From f352c67bc30e48c4162126f340e247d5835b8627 Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Sun, 20 Nov 2022 13:40:25 +0000
Subject: [PATCH 154/159] Bignum tests: use default dataset in mod_raw

While at it, flatten class hierarchy as well.

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 scripts/mbedtls_dev/bignum_mod_raw.py | 79 ++-------------------------
 1 file changed, 5 insertions(+), 74 deletions(-)

diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py
index b23fbb2dc..60f2feded 100644
--- a/scripts/mbedtls_dev/bignum_mod_raw.py
+++ b/scripts/mbedtls_dev/bignum_mod_raw.py
@@ -49,98 +49,29 @@ class BignumModRawTarget(test_data_generation.BaseTarget):
 # END MERGE SLOT 6
 
 # BEGIN MERGE SLOT 7
+
 class BignumModRawConvertToMont(bignum_common.ModOperationCommon,
                                 BignumModRawTarget):
     """ Test cases for mpi_mod_raw_to_mont_rep(). """
-
     test_function = "mpi_mod_raw_to_mont_rep"
     test_name = "Convert into Mont: "
     symbol = "R *"
     input_style = "arch_split"
     arity = 1
 
-    moduli = ["b",
-              "fd",
-              "eeff99aa37",
-              "eeff99aa11",
-              "800000000005",
-              "7fffffffffffffff",
-              "80fe000a10000001",
-              "25a55a46e5da99c71c7",
-              "1058ad82120c3a10196bb36229c1",
-              "7e35b84cb19ea5bc57ec37f5e431462fa962d98c1e63738d4657f"
-              "18ad6532e6adc3eafe67f1e5fa262af94cee8d3e7268593942a2a"
-              "98df75154f8c914a282f8b",
-              "8335616aed761f1f7f44e6bd49e807b82e3bf2bf11bfa63",
-              "ffcece570f2f991013f26dd5b03c4c5b65f97be5905f36cb4664f"
-              "2c78ff80aa8135a4aaf57ccb8a0aca2f394909a74cef1ef6758a6"
-              "4d11e2c149c393659d124bfc94196f0ce88f7d7d567efa5a649e2"
-              "deefaa6e10fdc3deac60d606bf63fc540ac95294347031aefd73d"
-              "6a9ee10188aaeb7a90d920894553cb196881691cadc51808715a0"
-              "7e8b24fcb1a63df047c7cdf084dd177ba368c806f3d51ddb5d389"
-              "8c863e687ecaf7d649a57a46264a582f94d3c8f2edaf59f77a7f6"
-              "bdaf83c991e8f06abe220ec8507386fce8c3da84c6c3903ab8f3a"
-              "d4630a204196a7dbcbd9bcca4e40ec5cc5c09938d49f5e1e6181d"
-              "b8896f33bb12e6ef73f12ec5c5ea7a8a337"
-              ]
-
-    input_values = ["0",
-                    "1",
-                    "97",
-                    "f5",
-                    "6f5c3",
-                    "745bfe50f7",
-                    "ffa1f9924123",
-                    "334a8b983c79bd",
-                    "5b84f632b58f3461",
-                    "19acd15bc38008e1",
-                    "ffffffffffffffff",
-                    "54ce6a6bb8247fa0427cfc75a6b0599",
-                    "fecafe8eca052f154ce6a6bb8247fa019558bfeecce9bb9",
-                    "a87d7a56fa4bfdc7da42ef798b9cf6843d4c54794698cb14d72"
-                    "851dec9586a319f4bb6d5695acbd7c92e7a42a5ede6972adcbc"
-                    "f68425265887f2d721f462b7f1b91531bac29fa648facb8e3c6"
-                    "1bd5ae42d5a59ba1c89a95897bfe541a8ce1d633b98f379c481"
-                    "6f25e21f6ac49286b261adb4b78274fe5f61c187581f213e84b"
-                    "2a821e341ef956ecd5de89e6c1a35418cd74a549379d2d4594a"
-                    "577543147f8e35b3514e62cf3e89d1156cdc91ab5f4c928fbd6"
-                    "9148c35df5962fed381f4d8a62852a36823d5425f7487c13a12"
-                    "523473fb823aa9d6ea5f42e794e15f2c1a8785cf6b7d51a4617"
-                    "947fb3baf674f74a673cf1d38126983a19ed52c7439fab42c2185"
-                    ]
-
     def result(self) -> List[str]:
         result = (self.int_a * self.r) % self.int_n
         return [self.format_result(result)]
 
 
-class BignumModRawConvertFromMont(BignumModRawConvertToMont):
+class BignumModRawConvertFromMont(bignum_common.ModOperationCommon,
+                                  BignumModRawTarget):
     """ Test cases for mpi_mod_raw_from_mont_rep(). """
-    count = 0
     test_function = "mpi_mod_raw_from_mont_rep"
     test_name = "Convert from Mont: "
     symbol = "1/R *"
-
-    input_values = ["0",
-                    "1",
-                    "3ca",
-                    "539ed428",
-                    "7dfe5c6beb35a2d6",
-                    "dca8de1c2adfc6d7aafb9b48e",
-                    "a7d17b6c4be72f3d5c16bf9c1af6fc933",
-                    "2fec97beec546f9553142ed52f147845463f579",
-                    "378dc83b8bc5a7b62cba495af4919578dce6d4f175cadc4f",
-                    "b6415f2a1a8e48a518345db11f56db3829c8f2c6415ab4a395a"
-                    "b3ac2ea4cbef4af86eb18a84eb6ded4c6ecbfc4b59c2879a675"
-                    "487f687adea9d197a84a5242a5cf6125ce19a6ad2e7341f1c57"
-                    "d43ea4f4c852a51cb63dabcd1c9de2b827a3146a3d175b35bea"
-                    "41ae75d2a286a3e9d43623152ac513dcdea1d72a7da846a8ab3"
-                    "58d9be4926c79cfb287cf1cf25b689de3b912176be5dcaf4d4c"
-                    "6e7cb839a4a3243a6c47c1e2c99d65c59d6fa3672575c2f1ca8"
-                    "de6a32e854ec9d8ec635c96af7679fce26d7d159e4a9da3bd74"
-                    "e1272c376cd926d74fe3fb164a5935cff3d5cdb92b35fe2cea32"
-                    "138a7e6bfbc319ebd1725dacb9a359cbf693f2ecb785efb9d627"
-                   ]
+    input_style = "arch_split"
+    arity = 1
 
     def result(self) -> List[str]:
         result = (self.int_a * self.r_inv) % self.int_n

From cd356c3cdb312e276473e038d1593f6f92bcd5b3 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Sun, 20 Nov 2022 19:05:20 +0100
Subject: [PATCH 155/159] Add ec-jpake test to verify if key can be destroyed
 after set_password_key

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 tests/suites/test_suite_psa_crypto.data     | 9 +++++++--
 tests/suites/test_suite_psa_crypto.function | 5 ++++-
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index cce3fd0fe..659205d52 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -6549,11 +6549,16 @@ ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_
 
 PSA PAKE: ecjpake rounds
 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS
-ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0
+ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:0
 
 PSA PAKE: ecjpake rounds, client input first
 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS
-ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":1
+ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":1:0
+
+# This test case relies on implementation (it may need to be adjusted in the future)
+PSA PAKE: ecjpake rounds - key is destroyed after being passed to set_password_key
+depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_TLS12_PSK_TO_MS
+ecjpake_rounds:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):"abcdef":0:1
 
 PSA PAKE: ecjpake no input errors
 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 60befa73f..f84a0cc3f 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -9002,7 +9002,7 @@ exit:
 /* BEGIN_CASE depends_on:PSA_WANT_ALG_JPAKE */
 void ecjpake_rounds( int alg_arg, int primitive_arg, int hash_arg,
                      int derive_alg_arg, data_t *pw_data,
-                     int client_input_first )
+                     int client_input_first, int destroy_key )
 {
     psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
     psa_pake_operation_t server = psa_pake_operation_init();
@@ -9053,6 +9053,9 @@ void ecjpake_rounds( int alg_arg, int primitive_arg, int hash_arg,
     PSA_ASSERT( psa_pake_set_password_key( &server, key ) );
     PSA_ASSERT( psa_pake_set_password_key( &client, key ) );
 
+    if( destroy_key == 1 )
+        psa_destroy_key( key );
+
     TEST_EQUAL( psa_pake_get_implicit_key( &server, &server_derive ),
                 PSA_ERROR_BAD_STATE );
     TEST_EQUAL( psa_pake_get_implicit_key( &client, &client_derive ),

From e2d6b5f45b207efa6745cfdbf73332e7403bb5b8 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Mon, 21 Nov 2022 15:03:52 +0100
Subject: [PATCH 156/159] psa_key_slot_get_slot_number: Move documentation to
 header file

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 library/psa_crypto.c      | 13 -------------
 library/psa_crypto_core.h | 10 ++++++++++
 2 files changed, 10 insertions(+), 13 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 55319c4bd..8c9deffad 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -877,19 +877,6 @@ static psa_status_t psa_restrict_key_policy(
     return( PSA_SUCCESS );
 }
 
-/** Get the description of a key given its identifier and policy constraints
- *  and lock it.
- *
- * The key must have allow all the usage flags set in \p usage. If \p alg is
- * nonzero, the key must allow operations with this algorithm. If \p alg is
- * zero, the algorithm is not checked.
- *
- * In case of a persistent key, the function loads the description of the key
- * into a key slot if not already done.
- *
- * On success, the returned key slot is locked. It is the responsibility of
- * the caller to unlock the key slot when it does not access it anymore.
- */
 psa_status_t psa_get_and_lock_key_slot_with_policy(
     mbedtls_svc_key_id_t key,
     psa_key_slot_t **p_slot,
diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h
index 37f8162de..5cefa273a 100644
--- a/library/psa_crypto_core.h
+++ b/library/psa_crypto_core.h
@@ -185,6 +185,16 @@ static inline psa_key_slot_number_t psa_key_slot_get_slot_number(
 
 /** Get the description of a key given its identifier and policy constraints
  *  and lock it.
+ *
+ * The key must have allow all the usage flags set in \p usage. If \p alg is
+ * nonzero, the key must allow operations with this algorithm. If \p alg is
+ * zero, the algorithm is not checked.
+ *
+ * In case of a persistent key, the function loads the description of the key
+ * into a key slot if not already done.
+ *
+ * On success, the returned key slot is locked. It is the responsibility of
+ * the caller to unlock the key slot when it does not access it anymore.
  */
 psa_status_t psa_get_and_lock_key_slot_with_policy( mbedtls_svc_key_id_t key,
                                                     psa_key_slot_t **p_slot,

From ad0f357178448f9483c572b26b32345d182a99b4 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Mon, 21 Nov 2022 15:04:37 +0100
Subject: [PATCH 157/159] Optimize pake code that sets/use password key

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 library/psa_crypto_pake.c | 37 +++++++++++++++++++++----------------
 1 file changed, 21 insertions(+), 16 deletions(-)

diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c
index ef31af420..9ac4c5f29 100644
--- a/library/psa_crypto_pake.c
+++ b/library/psa_crypto_pake.c
@@ -256,9 +256,6 @@ psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation,
         return( PSA_ERROR_BAD_STATE );
     }
 
-    if( psa_is_valid_key_id( password, 1 ) == 0 )
-        return( PSA_ERROR_BAD_STATE );
-
     status = psa_get_key_attributes( password, &attributes );
     if( status != PSA_SUCCESS )
         return( status );
@@ -283,15 +280,8 @@ psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation,
     if( status != PSA_SUCCESS )
         return( status );
 
-    if( slot->key.data == NULL || slot->key.bytes == 0 )
-        return( PSA_ERROR_INVALID_ARGUMENT );
-
     if( operation->password != NULL )
-    {
-        mbedtls_platform_zeroize( operation->password, operation->password_len );
-        mbedtls_free( operation->password );
-        operation->password_len = 0;
-    }
+        return( PSA_ERROR_BAD_STATE );
 
     operation->password = mbedtls_calloc( 1, slot->key.bytes );
     if( operation->password == NULL )
@@ -388,11 +378,8 @@ static psa_status_t psa_pake_ecjpake_setup( psa_pake_operation_t *operation )
     else
         return( PSA_ERROR_BAD_STATE );
 
-    if (operation->password == NULL ||
-        operation->password_len == 0 )
-    {
+    if( operation->password_len == 0 )
         return( PSA_ERROR_BAD_STATE );
-    }
 
     ret = mbedtls_ecjpake_setup( &operation->ctx.ecjpake,
                                  role,
@@ -404,6 +391,11 @@ static psa_status_t psa_pake_ecjpake_setup( psa_pake_operation_t *operation )
     if( ret != 0 )
         return( mbedtls_ecjpake_to_psa_error( ret ) );
 
+    mbedtls_platform_zeroize( operation->password, operation->password_len );
+    mbedtls_free( operation->password );
+    operation->password = NULL;
+    operation->password_len = 0;
+
     operation->state = PSA_PAKE_STATE_READY;
 
     return( PSA_SUCCESS );
@@ -453,7 +445,13 @@ static psa_status_t psa_pake_output_internal(
         if( operation->state == PSA_PAKE_STATE_SETUP ) {
             status = psa_pake_ecjpake_setup( operation );
             if( status != PSA_SUCCESS )
+            {
+                mbedtls_platform_zeroize( operation->password, operation->password_len );
+                mbedtls_free( operation->password );
+                operation->password = NULL;
+                operation->password_len = 0;
                 return( status );
+            }
         }
 
         if( operation->state != PSA_PAKE_STATE_READY &&
@@ -661,7 +659,13 @@ static psa_status_t psa_pake_input_internal(
         {
             status = psa_pake_ecjpake_setup( operation );
             if( status != PSA_SUCCESS )
+            {
+                mbedtls_platform_zeroize( operation->password, operation->password_len );
+                mbedtls_free( operation->password );
+                operation->password = NULL;
+                operation->password_len = 0;
                 return( status );
+            }
         }
 
         if( operation->state != PSA_PAKE_STATE_READY &&
@@ -865,7 +869,8 @@ psa_status_t psa_pake_abort(psa_pake_operation_t * operation)
     {
         operation->input_step = PSA_PAKE_STEP_INVALID;
         operation->output_step = PSA_PAKE_STEP_INVALID;
-        mbedtls_platform_zeroize( operation->password, operation->password_len );
+        if( operation->password_len > 0 )
+            mbedtls_platform_zeroize( operation->password, operation->password_len );
         mbedtls_free( operation->password );
         operation->password = NULL;
         operation->password_len = 0;

From f82effa9826a0e93aaa8c4c7928ad1016a16a8e8 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Mon, 21 Nov 2022 15:10:32 +0100
Subject: [PATCH 158/159] Optimize pake test code

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 tests/suites/test_suite_psa_crypto.function | 40 ++++++++++-----------
 1 file changed, 19 insertions(+), 21 deletions(-)

diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index f84a0cc3f..ca1614bef 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -32,25 +32,23 @@
 #define ASSERT_OPERATION_IS_INACTIVE( operation ) TEST_ASSERT( operation.id == 0 )
 
 #if defined(PSA_WANT_ALG_JPAKE)
-void ecjpake_operation_setup( psa_pake_operation_t *operation,
+int ecjpake_operation_setup( psa_pake_operation_t *operation,
                               psa_pake_cipher_suite_t *cipher_suite,
                               psa_pake_role_t role,
                               mbedtls_svc_key_id_t key,
                               size_t key_available )
 {
-    *operation = psa_pake_operation_init();
+    PSA_ASSERT( psa_pake_abort( operation ) );
 
-    TEST_EQUAL( psa_pake_setup( operation, cipher_suite ),
-                PSA_SUCCESS );
+    PSA_ASSERT( psa_pake_setup( operation, cipher_suite ) );
 
-    TEST_EQUAL( psa_pake_set_role( operation, role),
-                PSA_SUCCESS );
+    PSA_ASSERT( psa_pake_set_role( operation, role) );
 
     if( key_available )
-        TEST_EQUAL( psa_pake_set_password_key( operation, key ),
-                    PSA_SUCCESS );
+        PSA_ASSERT( psa_pake_set_password_key( operation, key ) );
+    return 0;
 exit:
-    return;
+    return 1;
 }
 #endif
 
@@ -8865,21 +8863,21 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg,
                                     NULL, 0 ),
                     PSA_ERROR_INVALID_ARGUMENT );
         /* Invalid parameters (step) */
-        ecjpake_operation_setup( &operation, &cipher_suite, role,
-                                 key, pw_data->len );
+        TEST_EQUAL( ecjpake_operation_setup( &operation, &cipher_suite, role,
+                                 key, pw_data->len ) , 0 );
         TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF + 10,
                                     output_buffer, size_zk_proof ),
                     PSA_ERROR_INVALID_ARGUMENT );
         /* Invalid first step */
-        ecjpake_operation_setup( &operation, &cipher_suite, role,
-                                 key, pw_data->len );
+        TEST_EQUAL( ecjpake_operation_setup( &operation, &cipher_suite, role,
+                                 key, pw_data->len ), 0 );
         TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_ZK_PROOF,
                                     output_buffer, size_zk_proof ),
                     PSA_ERROR_BAD_STATE );
 
         /* Possibly valid */
-        ecjpake_operation_setup( &operation, &cipher_suite, role,
-                                 key, pw_data->len );
+        TEST_EQUAL( ecjpake_operation_setup( &operation, &cipher_suite, role,
+                                 key, pw_data->len ), 0 );
         TEST_EQUAL( psa_pake_input( &operation, PSA_PAKE_STEP_KEY_SHARE,
                                     output_buffer, size_key_share ),
                     expected_status_input_output);
@@ -8904,21 +8902,21 @@ void ecjpake_setup( int alg_arg, int key_type_pw_arg, int key_usage_pw_arg,
                                      NULL, 0, NULL ),
                     PSA_ERROR_INVALID_ARGUMENT );
         /* Invalid parameters (step) */
-        ecjpake_operation_setup( &operation, &cipher_suite, role,
-                                key, pw_data->len );
+        TEST_EQUAL( ecjpake_operation_setup( &operation, &cipher_suite, role,
+                                key, pw_data->len ), 0 );
         TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF + 10,
                                      output_buffer, buf_size, &output_len ),
                     PSA_ERROR_INVALID_ARGUMENT );
         /* Invalid first step */
-        ecjpake_operation_setup( &operation, &cipher_suite, role,
-                                 key, pw_data->len );
+        TEST_EQUAL( ecjpake_operation_setup( &operation, &cipher_suite, role,
+                                 key, pw_data->len ), 0 );
         TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_ZK_PROOF,
                                      output_buffer, buf_size, &output_len ),
                     PSA_ERROR_BAD_STATE );
 
         /* Possibly valid */
-        ecjpake_operation_setup( &operation, &cipher_suite, role,
-                                 key, pw_data->len );
+        TEST_EQUAL( ecjpake_operation_setup( &operation, &cipher_suite, role,
+                                 key, pw_data->len ), 0 );
         TEST_EQUAL( psa_pake_output( &operation, PSA_PAKE_STEP_KEY_SHARE,
                                      output_buffer, buf_size, &output_len ),
                     expected_status_input_output );

From 0bdec19c93a2aacf023c46bb81e3ce0fb8cc6baa Mon Sep 17 00:00:00 2001
From: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Date: Tue, 22 Nov 2022 09:10:35 +0100
Subject: [PATCH 159/159] Further optimizations of pake set_password
 implementation

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
---
 library/psa_crypto_pake.c | 26 +++++++-------------------
 1 file changed, 7 insertions(+), 19 deletions(-)

diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c
index 9ac4c5f29..659b712a5 100644
--- a/library/psa_crypto_pake.c
+++ b/library/psa_crypto_pake.c
@@ -274,19 +274,19 @@ psa_status_t psa_pake_set_password_key( psa_pake_operation_t *operation,
     if( ( usage & PSA_KEY_USAGE_DERIVE ) == 0 )
         return( PSA_ERROR_NOT_PERMITTED );
 
+    if( operation->password != NULL )
+        return( PSA_ERROR_BAD_STATE );
+
     status = psa_get_and_lock_key_slot_with_policy( password, &slot,
                                                     PSA_KEY_USAGE_DERIVE,
                                                     PSA_ALG_JPAKE );
     if( status != PSA_SUCCESS )
         return( status );
 
-    if( operation->password != NULL )
-        return( PSA_ERROR_BAD_STATE );
-
     operation->password = mbedtls_calloc( 1, slot->key.bytes );
     if( operation->password == NULL )
     {
-        status = psa_unlock_key_slot( slot );
+        psa_unlock_key_slot( slot );
         return( PSA_ERROR_INSUFFICIENT_MEMORY );
     }
     memcpy( operation->password, slot->key.data, slot->key.bytes );
@@ -388,14 +388,14 @@ static psa_status_t psa_pake_ecjpake_setup( psa_pake_operation_t *operation )
                                  operation->password,
                                  operation->password_len );
 
-    if( ret != 0 )
-        return( mbedtls_ecjpake_to_psa_error( ret ) );
-
     mbedtls_platform_zeroize( operation->password, operation->password_len );
     mbedtls_free( operation->password );
     operation->password = NULL;
     operation->password_len = 0;
 
+    if( ret != 0 )
+        return( mbedtls_ecjpake_to_psa_error( ret ) );
+
     operation->state = PSA_PAKE_STATE_READY;
 
     return( PSA_SUCCESS );
@@ -445,13 +445,7 @@ static psa_status_t psa_pake_output_internal(
         if( operation->state == PSA_PAKE_STATE_SETUP ) {
             status = psa_pake_ecjpake_setup( operation );
             if( status != PSA_SUCCESS )
-            {
-                mbedtls_platform_zeroize( operation->password, operation->password_len );
-                mbedtls_free( operation->password );
-                operation->password = NULL;
-                operation->password_len = 0;
                 return( status );
-            }
         }
 
         if( operation->state != PSA_PAKE_STATE_READY &&
@@ -659,13 +653,7 @@ static psa_status_t psa_pake_input_internal(
         {
             status = psa_pake_ecjpake_setup( operation );
             if( status != PSA_SUCCESS )
-            {
-                mbedtls_platform_zeroize( operation->password, operation->password_len );
-                mbedtls_free( operation->password );
-                operation->password = NULL;
-                operation->password_len = 0;
                 return( status );
-            }
         }
 
         if( operation->state != PSA_PAKE_STATE_READY &&