Note = programs are not aligned to this change because:
- the original mbedtls_pk_ec is not ufficially deprecated
- that function is used in tests when ECP_C is defined, so
the legacy version of that function is available in that
case
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
We don't commit *.o files anywhere, not even as test data. So ignore them
everywhere.
This resolves *.o files not being ignored under 3rdparty/p256-m.
Also remove a redundant ignore of *.exe in a subdirectory.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
We maintain a dict with unique AudiData objects
(AuditData with unique underlying X.509 objects).
We don't need merge_auditdata anymore.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
We should print all the information for each objects
found every line. This makes it easy to analyze the
output.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
The identifier is calculated SHA1 hex string from
the DER encoding of each X.509 objects. It's useful
for finding out the identical X.509 objects.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
check_cryptography_version didn't provide helpful
message with Python < 3.6, because re.Match object
is not subscriptable.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
Previously, if a file had multiple PEM objects, only
the first one would be parsed. This commit add the
support so that we could parse all the PEM objects
in the file.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
This commit adds support to auto-enable
MBEDTLS_CTR_DRBG_USE_128_BIT_KEY if
MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH enabled.
Furthermore, the corresponding check is removed in check_config.h.
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
This commit introduces a new function to generate extra dependencies
based on REGEX search pattern and predefined dependency list.
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
Since handshake_fragmentation uses cipher
"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256" by default.
The corresponding test should be skipped when
MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH is enabled.
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
As output functionality is not added yet return PSA_SUCCESS for
now if inputs are passed correctly. If input validation fails
operation is aborted and output_bytes will return PSA_ERROR_BAD_STATE
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
This change affects:
- both PEM and DER files, since they contain the same public key
only in different formats
- "ec_pub.comp.pem" since it's the same as "ec_pub.pem" but in
compressed format
The makefile was also updated accordingly to reflect these
dependencies.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
The test framework used to treat them specially (but no longer does). Add
these test cases as non-regression for how the test framework allows "?"
and especially "??" (which I think in the very distant path needed special
handling because the test data was embedded in a .c file, and thus ?? could
be interpreted as the prefix of a trigraph).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Now that the C code supports the full range of intmax_t, allow any size of
signed integer type in the .data file parser.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Change the type of signed integer arguments from int32_t to intmax_t.
This allows the C code to work with test function arguments with a range
larger than int32_t. A subsequent commit will change the .datax generator
to support larger types.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Use normalization the equality comparisons instead of loose regular
expressions to determine the type of an argument of a test function.
Now declarations are parsed in a stricter way: there can't be ignored junk
at the beginning or at the end. For example, `long long unsigned int x`
was accepted as a test function argument (but not `long long unsigned x`),
although this was misleading since the value was truncated to the range of
int. Now only recognized types are accepted.
The new code is slightly looser in that it accepts `char const*` as well as
`const char*`.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The test framework stores size_t and int32_t values in the parameter store
by converting them all to int. This is ok in practice, since we assume int
covers int32_t and we don't have test data larger than 2GB. But it's
confusing and error-prone. So make the parameter store a union, which allows
size_t values not to be potentially truncated and makes the code a little
clearer.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In the .datax parser, since we're calling strtol() anyway, rely on it for
verification. This makes the .datax parser very slightly more
liberal (leading spaces and '+' are now accepted), and changes the
interpretation of numbers with leading zeros to octal.
Before, an argument like :0123: was parsed as decimal, but an argument like
:0123+1: was parsed as a C expression and hence the leading zero marked an
octal representation. Now, a leading zero is always interpreted according to
C syntax, namely indicating octal. There are no nonzero integer constants
with a leading zero in a .data file, so this does not affect existing test
cases.
In the .datax generator, allow negative arguments to be 'int' (before, they
were systematically treated as 'exp' even though they didn't need to be).
In the .datax parser, validate the range of integer constants. They have to
fit in int32_t. In the .datax generator, use 'exp' instead of 'int' for
integer constants that are out of range.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Treat backslash as a universal escape character: "\n" is a newline,
backslash escapes any non-alphanumeric character.
This affects some test cases that had "\," standing for backslash-comma.
With the new uniform treatment of backslashes, this needs to be "\\,".
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
No intended behavior change. This commit is mainly to satisfy pylint, which
complains that gen_from_test_data now has too many variables. But it's a
good thing anyway to make the function a little more readable.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
We're using the non-standard function strcasecmp() just so that the case
of digits beyond 9 can be different in the library and in the test data.
Use matching case in the test data, and use a standard function for the
comparison.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This patch introduces basic unit-testing for the `ecp_mod_p256k1()`.
The method is exposed through the ecp_invasive interface, and
the standard testing data is being provided by the python framework.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
The script requires cryptography >= 35.0.0, we
need to check the version and provide meaningful
error message when the package version was too
old.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
The commit adds '--data-files' and '--suite-data-files'
options so that we could pass names for the two types
of files separately. Additionally, the commit improves
the documentation in the script.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
This patch introduces basic unit-testing for the `ecp_mod_p224k1()`.
The method is exposed through the ecp_invasive interface, and
the standard testing data is being provided by the python framework.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
This commit is a collection of improving the documentation in the
script:
* Restore uppercase in the license header.
* Reword the script description.
* Reword the docstring of AuditData.fill_validity_duration
* Rename AuditData.filename to *.location
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
Make FILE as positional argument so that we can
pass multiple files to the script. This commit
also contains some help message improvements.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
Only some test cases are skipped for which ECP_C is mandatory,
but the other ones are included.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Changes in test_suite_psa_crypto are to enforce the dependency
on ECP_C which is mandatory for some key's derivation.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This is to make CI happy. The script requires cryptography
>= 35.0.0, which is only available for Python >= 3.6. But
both ubuntu-16.04 and Travis CI are using Python 3.5.x.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
Instead of using the legacy mbedtls_ecp_gen_keypair() which makes
use of ECP's math, when USE_PSA_CRYPTO is enabled then the new
function pk_genkey_ec() is used in test_suite_pk.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Instead of using the legacy mbedtls_ecp_mul() function which makes use of
ECP's math, this commit adds a new function named pk_derive_public_key()
which implements the same behavior using PSA functions.
The flow is simple:
- import the private key into PSA
- export its public part
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This patch introduces a new local hash define of
`MBEDTLS_ECP_DP_SECP_GENERIC_ENABLED` to replace the
removed curve specific macros, introduced in upstream.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
This patch replaces similiarly structured test functions
for:
* MBEDTLS_ECP_DP_SECP192R1
* MBEDTLS_ECP_DP_SECP224R1
* MBEDTLS_ECP_DP_SECP256R1
* MBEDTLS_ECP_DP_SECP384R1
* MBEDTLS_ECP_DP_BP512R1R1
with a more generic version, which adjusts the parameters, based on the `curve_id` field,
provided by the testing data.
The python test framework has been updated to provide that extra field.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
Restore the dependency on !MBEDTLS_SSL_PROTO_TLS1_3
of the DTLS fragmentation tests. That way the test
is not run on Windows 2013 (as in development) where
there is an issue with MBEDTLS_PRINTF_SIZET when
running those tests. I will address this issue in a
separate PR.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Set hybrid TLS 1.2/1.3 as default server
configuration if both TLS 1.2 and TLS 1.3
are enabled at build time.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Force TLS 1.2 on TLS 1.2 specific tests in
preparation of TLS 1.3 being the default
protocol version when both TLS 1.2 and
TLS 1.3 are enabled.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Force TLS 1.2 version on tests related to
MBEDTLS_SSL_ASYNC_PRIVATE, CA callback and
MBEDTLS_SSL_MAX_FRAGMENT_LENGTH. Those
SSL options are not supported in TLS 1.3
for the time being. Thus force TLS 1.2
version in preparation of TLS 1.3 being
the default protocol version when both
TLS 1.2 and TLS 1.3 are enabled.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Remove unnecessary explicit MBEDTLS_SSL_PROTO_TLS1_2
dependency if TLS 1.2 version is forced or a TLS 1.2
cipher suite is forced (as TLS 1.2 cipher suites are
available if and only if TLS 1.2 is enabled and
cipher suite availability is check automatically).
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Move min/max TLS version setting to endpoint init
where it fits better: before the call to
mbedtls_ssl_setup() and available for all tests
not only those calling perform_handshake().
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
We introduce the script to audit the expiry date of X509 files
(i.e. crt/crl/csr files) in tests/data_files/ folder.
This commit add basic classes and the framework for auditing
and "-a" option to list all valid crt/crl/csr files it found.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>