Merge pull request #6608 from mprse/ecjpake_password_fix
Make a copy of the password key in operation object while setting j-pake password
diff --git a/ChangeLog.d/fix-tls12server-sent-sigalgs.txt b/ChangeLog.d/fix-tls12server-sent-sigalgs.txt
new file mode 100644
index 0000000..9abde2b
--- /dev/null
+++ b/ChangeLog.d/fix-tls12server-sent-sigalgs.txt
@@ -0,0 +1,5 @@
+Bugfix
+ * Fix a bug whereby the the list of signature algorithms sent as part of the
+ TLS 1.2 server certificate request would get corrupted, meaning the first
+ algorithm would not get sent and an entry consisting of two random bytes
+ would be sent instead. Found by Serban Bejan and Dudek Sebastian.
diff --git a/ChangeLog.d/mpi-add-0-ub.txt b/ChangeLog.d/mpi-add-0-ub.txt
new file mode 100644
index 0000000..9f131a4
--- /dev/null
+++ b/ChangeLog.d/mpi-add-0-ub.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * Fix undefined behavior (typically harmless in practice) of
+ mbedtls_mpi_add_mpi(), mbedtls_mpi_add_abs() and mbedtls_mpi_add_int()
+ when both operands are 0 and the left operand is represented with 0 limbs.
diff --git a/ChangeLog.d/mpi-most-negative-sint.txt b/ChangeLog.d/mpi-most-negative-sint.txt
new file mode 100644
index 0000000..5e775c4
--- /dev/null
+++ b/ChangeLog.d/mpi-most-negative-sint.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * Fix undefined behavior (typically harmless in practice) when some bignum
+ functions receive the most negative value of mbedtls_mpi_sint. Credit
+ to OSS-Fuzz. Fixes #6597.
diff --git a/ChangeLog.d/negative-zero-from-add.txt b/ChangeLog.d/negative-zero-from-add.txt
new file mode 100644
index 0000000..107d858
--- /dev/null
+++ b/ChangeLog.d/negative-zero-from-add.txt
@@ -0,0 +1,6 @@
+Bugfix
+ * In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
+ with A > 0 created an unintended representation of the value 0 which was
+ not processed correctly by some bignum operations. Fix this. This had no
+ consequence on cryptography code, but might affect applications that call
+ bignum directly and use negative numbers.
diff --git a/docs/architecture/psa-migration/outcome-analysis.sh b/docs/architecture/psa-migration/outcome-analysis.sh
index 81ab691..9084685 100755
--- a/docs/architecture/psa-migration/outcome-analysis.sh
+++ b/docs/architecture/psa-migration/outcome-analysis.sh
@@ -13,6 +13,7 @@
# - the set of tests skipped in the driver-only build is the same as in an
# equivalent software-based configuration, or the difference is small enough,
# justified, and a github issue is created to track it.
+# This part is verified by tests/scripts/analyze_outcomes.py
#
# WARNING: this script checks out a commit other than the head of the current
# branch; it checks out the current branch again when running successfully,
@@ -26,30 +27,12 @@
# re-running this script (for example "get numbers before this PR").
# ----- BEGIN edit this -----
-# The component in all.sh that builds and tests with drivers.
-DRIVER_COMPONENT=test_psa_crypto_config_accel_hash_use_psa
-# A similar configuration to that of the component, except without drivers,
-# for comparison.
-reference_config () {
- # start with full
- scripts/config.py full
- # use PSA config and disable driver-less algs as in the component
- scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
- scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
- scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
- # disable options as in the component
- # (no need to disable whole modules, we'll just skip their test suite)
- scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC
- scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
-}
# Space-separated list of test suites to ignore:
# if SSS is in that list, test_suite_SSS and test_suite_SSS.* are ignored.
IGNORE="md mdx shax" # accelerated
IGNORE="$IGNORE entropy hmac_drbg random" # disabled (ext. RNG)
IGNORE="$IGNORE psa_crypto_init" # needs internal RNG
IGNORE="$IGNORE hkdf" # disabled in the all.sh component tested
-# Compare only "reference vs driver" or also "before vs after"?
-BEFORE_AFTER=1 # 0 or 1
# ----- END edit this -----
set -eu
@@ -65,38 +48,27 @@
make check
}
-if [ "$BEFORE_AFTER" -eq 1 ]; then
- # save current HEAD
- HEAD=$(git branch --show-current)
+# save current HEAD
+HEAD=$(git branch --show-current)
- # get the numbers before this PR for default and full
- cleanup
- git checkout $(git merge-base HEAD development)
- record "before-default"
-
- cleanup
- scripts/config.py full
- record "before-full"
-
- # get the numbers now for default and full
- cleanup
- git checkout $HEAD
- record "after-default"
-
- cleanup
- scripts/config.py full
- record "after-full"
-fi
-
-# get the numbers now for driver-only and reference
+# get the numbers before this PR for default and full
cleanup
-reference_config
-record "reference"
+git checkout $(git merge-base HEAD development)
+record "before-default"
cleanup
-export MBEDTLS_TEST_OUTCOME_FILE="$PWD/outcome-drivers.csv"
-export SKIP_SSL_OPT_COMPAT_SH=1
-tests/scripts/all.sh -k test_psa_crypto_config_accel_hash_use_psa
+scripts/config.py full
+record "before-full"
+
+# get the numbers now for default and full
+cleanup
+git checkout $HEAD
+record "after-default"
+
+cleanup
+scripts/config.py full
+record "after-full"
+
# analysis
@@ -156,8 +128,5 @@
}
populate_suites
-if [ "$BEFORE_AFTER" -eq 1 ]; then
- compare_builds before-default after-default
- compare_builds before-full after-full
-fi
-compare_builds reference drivers
+compare_builds before-default after-default
+compare_builds before-full after-full
diff --git a/include/mbedtls/bignum.h b/include/mbedtls/bignum.h
index 9d15955..877fbc7 100644
--- a/include/mbedtls/bignum.h
+++ b/include/mbedtls/bignum.h
@@ -179,6 +179,20 @@
#endif /* !MBEDTLS_NO_UDBL_DIVISION */
#endif /* !MBEDTLS_HAVE_INT64 */
+/** \typedef mbedtls_mpi_uint
+ * \brief The type of machine digits in a bignum, called _limbs_.
+ *
+ * This is always an unsigned integer type with no padding bits. The size
+ * is platform-dependent.
+ */
+
+/** \typedef mbedtls_mpi_sint
+ * \brief The signed type corresponding to #mbedtls_mpi_uint.
+ *
+ * This is always an signed integer type with no padding bits. The size
+ * is platform-dependent.
+ */
+
#ifdef __cplusplus
extern "C" {
#endif
@@ -188,9 +202,27 @@
*/
typedef struct mbedtls_mpi
{
- int MBEDTLS_PRIVATE(s); /*!< Sign: -1 if the mpi is negative, 1 otherwise */
- size_t MBEDTLS_PRIVATE(n); /*!< total # of limbs */
- mbedtls_mpi_uint *MBEDTLS_PRIVATE(p); /*!< pointer to limbs */
+ /** Sign: -1 if the mpi is negative, 1 otherwise.
+ *
+ * The number 0 must be represented with `s = +1`. Although many library
+ * functions treat all-limbs-zero as equivalent to a valid representation
+ * of 0 regardless of the sign bit, there are exceptions, so bignum
+ * functions and external callers must always set \c s to +1 for the
+ * number zero.
+ *
+ * Note that this implies that calloc() or `... = {0}` does not create
+ * a valid MPI representation. You must call mbedtls_mpi_init().
+ */
+ int MBEDTLS_PRIVATE(s);
+
+ /** Total number of limbs in \c p. */
+ size_t MBEDTLS_PRIVATE(n);
+
+ /** Pointer to limbs.
+ *
+ * This may be \c NULL if \c n is 0.
+ */
+ mbedtls_mpi_uint *MBEDTLS_PRIVATE(p);
}
mbedtls_mpi;
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index d36db4a..3918639 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -842,10 +842,10 @@
"but no key exchange methods defined with MBEDTLS_KEY_EXCHANGE_xxxx"
#endif
-/* Early data requires PSK related mode defined */
#if defined(MBEDTLS_SSL_EARLY_DATA) && \
- ( !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) && \
- !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED))
+ ( !defined(MBEDTLS_SSL_SESSION_TICKETS) || \
+ ( !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) && \
+ !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) ) )
#error "MBEDTLS_SSL_EARLY_DATA defined, but not all prerequisites"
#endif
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index b4c8635..3f869b9 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -1637,7 +1637,8 @@
*
* Enable support for RFC 8446 TLS 1.3 early data.
*
-* Requires: MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED or
+* Requires: MBEDTLS_SSL_SESSION_TICKETS and either
+* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED or
* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
*
* Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3
@@ -1647,7 +1648,7 @@
* production.
*
*/
-//#define MBEDTLS_SSL_EARLY_DATA
+#define MBEDTLS_SSL_EARLY_DATA
/**
* \def MBEDTLS_SSL_PROTO_DTLS
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 01ede40..d055851 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -801,6 +801,29 @@
typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item;
#endif
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
+#define MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN 0
+#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT 1
+#define MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT 2
+#define MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED 3
+#define MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED 4
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+typedef uint8_t mbedtls_ssl_tls13_ticket_flags;
+
+#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK /* 1U << 0 */
+#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL /* 1U << 2 */
+#define MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA ( 1U << 3 )
+
+#define MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK \
+ ( MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION | \
+ MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION | \
+ MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA )
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
+
/**
* \brief Callback type: server-side session cache getter
*
@@ -1783,6 +1806,10 @@
* and #MBEDTLS_SSL_CID_DISABLED. */
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
+ int MBEDTLS_PRIVATE(early_data_status);
+#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */
+
/** Callback to export key block and master secret */
mbedtls_ssl_export_keys_t *MBEDTLS_PRIVATE(f_export_keys);
void *MBEDTLS_PRIVATE(p_export_keys); /*!< context for key export callback */
diff --git a/library/bignum.c b/library/bignum.c
index 521787d..ba03988 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -252,6 +252,17 @@
memcpy( Y, &T, sizeof( mbedtls_mpi ) );
}
+static inline mbedtls_mpi_uint mpi_sint_abs( mbedtls_mpi_sint z )
+{
+ if( z >= 0 )
+ return( z );
+ /* Take care to handle the most negative value (-2^(biL-1)) correctly.
+ * A naive -z would have undefined behavior.
+ * Write this in a way that makes popular compilers happy (GCC, Clang,
+ * MSVC). */
+ return( (mbedtls_mpi_uint) 0 - (mbedtls_mpi_uint) z );
+}
+
/*
* Set value from integer
*/
@@ -263,7 +274,7 @@
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, 1 ) );
memset( X->p, 0, X->n * ciL );
- X->p[0] = ( z < 0 ) ? -z : z;
+ X->p[0] = mpi_sint_abs( z );
X->s = ( z < 0 ) ? -1 : 1;
cleanup:
@@ -853,7 +864,7 @@
mbedtls_mpi_uint p[1];
MPI_VALIDATE_RET( X != NULL );
- *p = ( z < 0 ) ? -z : z;
+ *p = mpi_sint_abs( z );
Y.s = ( z < 0 ) ? -1 : 1;
Y.n = 1;
Y.p = p;
@@ -889,6 +900,11 @@
if( B->p[j - 1] != 0 )
break;
+ /* Exit early to avoid undefined behavior on NULL+0 when X->n == 0
+ * and B is 0 (of any size). */
+ if( j == 0 )
+ return( 0 );
+
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j ) );
/* j is the number of non-zero limbs of B. Add those to X. */
@@ -972,10 +988,12 @@
return( ret );
}
-/*
- * Signed addition: X = A + B
+/* Common function for signed addition and subtraction.
+ * Calculate A + B * flip_B where flip_B is 1 or -1.
*/
-int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
+static int add_sub_mpi( mbedtls_mpi *X,
+ const mbedtls_mpi *A, const mbedtls_mpi *B,
+ int flip_B )
{
int ret, s;
MPI_VALIDATE_RET( X != NULL );
@@ -983,16 +1001,21 @@
MPI_VALIDATE_RET( B != NULL );
s = A->s;
- if( A->s * B->s < 0 )
+ if( A->s * B->s * flip_B < 0 )
{
- if( mbedtls_mpi_cmp_abs( A, B ) >= 0 )
+ int cmp = mbedtls_mpi_cmp_abs( A, B );
+ if( cmp >= 0 )
{
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, A, B ) );
- X->s = s;
+ /* If |A| = |B|, the result is 0 and we must set the sign bit
+ * to +1 regardless of which of A or B was negative. Otherwise,
+ * since |A| > |B|, the sign is the sign of A. */
+ X->s = cmp == 0 ? 1 : s;
}
else
{
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, B, A ) );
+ /* Since |A| < |B|, the sign is the opposite of A. */
X->s = -s;
}
}
@@ -1008,38 +1031,19 @@
}
/*
+ * Signed addition: X = A + B
+ */
+int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
+{
+ return( add_sub_mpi( X, A, B, 1 ) );
+}
+
+/*
* Signed subtraction: X = A - B
*/
int mbedtls_mpi_sub_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
{
- int ret, s;
- MPI_VALIDATE_RET( X != NULL );
- MPI_VALIDATE_RET( A != NULL );
- MPI_VALIDATE_RET( B != NULL );
-
- s = A->s;
- if( A->s * B->s > 0 )
- {
- if( mbedtls_mpi_cmp_abs( A, B ) >= 0 )
- {
- MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, A, B ) );
- X->s = s;
- }
- else
- {
- MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, B, A ) );
- X->s = -s;
- }
- }
- else
- {
- MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( X, A, B ) );
- X->s = s;
- }
-
-cleanup:
-
- return( ret );
+ return( add_sub_mpi( X, A, B, -1 ) );
}
/*
@@ -1052,7 +1056,7 @@
MPI_VALIDATE_RET( X != NULL );
MPI_VALIDATE_RET( A != NULL );
- p[0] = ( b < 0 ) ? -b : b;
+ p[0] = mpi_sint_abs( b );
B.s = ( b < 0 ) ? -1 : 1;
B.n = 1;
B.p = p;
@@ -1070,7 +1074,7 @@
MPI_VALIDATE_RET( X != NULL );
MPI_VALIDATE_RET( A != NULL );
- p[0] = ( b < 0 ) ? -b : b;
+ p[0] = mpi_sint_abs( b );
B.s = ( b < 0 ) ? -1 : 1;
B.n = 1;
B.p = p;
@@ -1408,7 +1412,7 @@
mbedtls_mpi_uint p[1];
MPI_VALIDATE_RET( A != NULL );
- p[0] = ( b < 0 ) ? -b : b;
+ p[0] = mpi_sint_abs( b );
B.s = ( b < 0 ) ? -1 : 1;
B.n = 1;
B.p = p;
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index ad8754c..4d7f635 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -2046,6 +2046,12 @@
size_t *out_len );
#endif /* MBEDTLS_ECDH_C */
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+int mbedtls_ssl_tls13_write_early_data_ext( mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *out_len );
+#endif /* MBEDTLS_SSL_EARLY_DATA */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index 1c53a09..21b3ba6 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -2654,7 +2654,7 @@
for( size_t i = 0; i < sig_alg_len; i += 2 )
{
MBEDTLS_SSL_DEBUG_MSG( 3,
- ( "Supported Signature Algorithm found: %d,%d",
+ ( "Supported Signature Algorithm found: %02x %02x",
sig_alg[i], sig_alg[i + 1] ) );
}
#endif
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 71f703c..3dab246 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -2531,10 +2531,15 @@
if( ! mbedtls_ssl_sig_alg_is_supported( ssl, *sig_alg ) )
continue;
- MBEDTLS_PUT_UINT16_BE( *sig_alg, p, sa_len );
+ /* Write elements at offsets starting from 1 (offset 0 is for the
+ * length). Thus the offset of each element is the length of the
+ * partial list including that element. */
sa_len += 2;
+ MBEDTLS_PUT_UINT16_BE( *sig_alg, p, sa_len );
+
}
+ /* Fill in list length. */
MBEDTLS_PUT_UINT16_BE( sa_len, p, 0 );
sa_len += 2;
p += sa_len;
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 9940a0e..0372f2d 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -700,6 +700,19 @@
session != NULL && session->ticket != NULL );
}
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+static int ssl_tls13_early_data_has_valid_ticket( mbedtls_ssl_context *ssl )
+{
+ mbedtls_ssl_session *session = ssl->session_negotiate;
+ return( ssl->handshake->resume &&
+ session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
+ ( session->ticket_flags &
+ MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA ) &&
+ mbedtls_ssl_tls13_cipher_suite_is_offered(
+ ssl, session->ciphersuite ) );
+}
+#endif
+
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_ticket_get_identity( mbedtls_ssl_context *ssl,
psa_algorithm_t *hash_alg,
@@ -1160,6 +1173,29 @@
}
#endif
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ if( mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) &&
+ ssl_tls13_early_data_has_valid_ticket( ssl ) &&
+ ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED )
+ {
+ ret = mbedtls_ssl_tls13_write_early_data_ext( ssl, p, end, &ext_len );
+ if( ret != 0 )
+ return( ret );
+ p += ext_len;
+
+ /* Initializes the status to `indication sent`. It will be updated to
+ * `accepted` or `rejected` depending on whether the EncryptedExtension
+ * message will contain an early data indication extension or not.
+ */
+ ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT;
+ }
+ else
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write early_data extension" ) );
+ ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT;
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
/* For PSK-based key exchange we need the pre_shared_key extension
* and the psk_key_exchange_modes extension.
@@ -2505,6 +2541,23 @@
switch( extension_type )
{
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ case MBEDTLS_TLS_EXT_EARLY_DATA:
+ if( extension_data_len != 4 )
+ {
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
+ MBEDTLS_ERR_SSL_DECODE_ERROR );
+ return( MBEDTLS_ERR_SSL_DECODE_ERROR );
+ }
+ if( ssl->session != NULL )
+ {
+ ssl->session->ticket_flags |=
+ MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA;
+ }
+ break;
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
default:
MBEDTLS_SSL_PRINT_EXT(
3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index f854998..761c00e 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1374,6 +1374,39 @@
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
+/* Early Data Indication Extension
+ *
+ * struct {
+ * select ( Handshake.msg_type ) {
+ * ...
+ * case client_hello: Empty;
+ * case encrypted_extensions: Empty;
+ * };
+ * } EarlyDataIndication;
+ */
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+int mbedtls_ssl_tls13_write_early_data_ext( mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *out_len )
+{
+ unsigned char *p = buf;
+ *out_len = 0;
+ ((void) ssl);
+
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
+
+ MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_EARLY_DATA, p, 0 );
+ MBEDTLS_PUT_UINT16_BE( 0, p, 2 );
+
+ *out_len = 4;
+
+ mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_EARLY_DATA );
+
+ return( 0 );
+}
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
/* Reset SSL context and update hash for handling HRR.
*
* Replace Transcript-Hash(X) by
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 56efb3c..6aa295d 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -64,6 +64,7 @@
#define DFL_KEY_OPAQUE 0
#define DFL_KEY_PWD ""
#define DFL_PSK ""
+#define DFL_EARLY_DATA MBEDTLS_SSL_EARLY_DATA_DISABLED
#define DFL_PSK_OPAQUE 0
#define DFL_PSK_IDENTITY "Client_identity"
#define DFL_ECJPAKE_PW NULL
@@ -344,6 +345,14 @@
#define USAGE_SERIALIZATION ""
#endif
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+#define USAGE_EARLY_DATA \
+ " early_data=%%d default: 0 (disabled)\n" \
+ " options: 0 (disabled), 1 (enabled)\n"
+#else
+#define USAGE_EARLY_DATA ""
+#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_PROTO_TLS1_3 */
+
#define USAGE_KEY_OPAQUE_ALGS \
" key_opaque_algs=%%s Allowed opaque key algorithms.\n" \
" comma-separated pair of values among the following:\n" \
@@ -422,6 +431,7 @@
USAGE_REPRODUCIBLE \
USAGE_CURVES \
USAGE_SIG_ALGS \
+ USAGE_EARLY_DATA \
USAGE_DHMLEN \
USAGE_KEY_OPAQUE_ALGS \
"\n"
@@ -533,6 +543,9 @@
* after renegotiation */
int reproducible; /* make communication reproducible */
int skip_close_notify; /* skip sending the close_notify alert */
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ int early_data; /* support for early data */
+#endif
int query_config_mode; /* whether to read config */
int use_srtp; /* Support SRTP */
int force_srtp_profile; /* SRTP protection profile to use or all */
@@ -932,6 +945,9 @@
opt.alpn_string = DFL_ALPN_STRING;
opt.curves = DFL_CURVES;
opt.sig_algs = DFL_SIG_ALGS;
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ opt.early_data = DFL_EARLY_DATA;
+#endif
opt.transport = DFL_TRANSPORT;
opt.hs_to_min = DFL_HS_TO_MIN;
opt.hs_to_max = DFL_HS_TO_MAX;
@@ -1189,7 +1205,24 @@
default: goto usage;
}
}
+
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ else if( strcmp( p, "early_data" ) == 0 )
+ {
+ switch( atoi( q ) )
+ {
+ case 0:
+ opt.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
+ break;
+ case 1:
+ opt.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
+ break;
+ default: goto usage;
+ }
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
else if( strcmp( p, "tls13_kex_modes" ) == 0 )
{
if( strcmp( q, "psk" ) == 0 )
@@ -2091,6 +2124,10 @@
if( opt.max_version != DFL_MAX_VERSION )
mbedtls_ssl_conf_max_tls_version( &conf, opt.max_version );
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ mbedtls_ssl_tls13_conf_early_data( &conf, opt.early_data );
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned -0x%x\n\n",
diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py
index 279668f..8b11bc2 100644
--- a/scripts/mbedtls_dev/bignum_common.py
+++ b/scripts/mbedtls_dev/bignum_common.py
@@ -14,9 +14,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-import itertools
-import typing
-
from abc import abstractmethod
from typing import Iterator, List, Tuple, TypeVar
@@ -38,7 +35,13 @@
raise ValueError("Not invertible")
def hex_to_int(val: str) -> int:
- return int(val, 16) if val else 0
+ """Implement the syntax accepted by mbedtls_test_read_mpi().
+
+ This is a superset of what is accepted by mbedtls_test_read_mpi_core().
+ """
+ if val in ['', '-']:
+ return 0
+ return int(val, 16)
def quote_str(val) -> str:
return "\"{}\"".format(val)
@@ -57,15 +60,8 @@
return (val.bit_length() + bits_in_limb - 1) // bits_in_limb
def combination_pairs(values: List[T]) -> List[Tuple[T, T]]:
- """Return all pair combinations from input values.
-
- The return value is cast, as older versions of mypy are unable to derive
- the specific type returned by itertools.combinations_with_replacement.
- """
- return typing.cast(
- List[Tuple[T, T]],
- list(itertools.combinations_with_replacement(values, 2))
- )
+ """Return all pair combinations from input values."""
+ return [(x, y) for x in values for y in values]
class OperationCommon:
diff --git a/tests/include/test/helpers.h b/tests/include/test/helpers.h
index e0e6fd2..5f9bde6 100644
--- a/tests/include/test/helpers.h
+++ b/tests/include/test/helpers.h
@@ -295,13 +295,19 @@
/** Read an MPI from a hexadecimal string.
*
- * Like mbedtls_mpi_read_string(), but size the resulting bignum based
- * on the number of digits in the string. In particular, construct a
- * bignum with 0 limbs for an empty string, and a bignum with leading 0
- * limbs if the string has sufficiently many leading 0 digits.
+ * Like mbedtls_mpi_read_string(), but with tighter guarantees around
+ * edge cases.
*
- * This is important so that the "0 (null)" and "0 (1 limb)" and
- * "leading zeros" test cases do what they claim.
+ * - This function guarantees that if \p s begins with '-' then the sign
+ * bit of the result will be negative, even if the value is 0.
+ * When this function encounters such a "negative 0", it
+ * increments #mbedtls_test_case_uses_negative_0.
+ * - The size of the result is exactly the minimum number of limbs needed
+ * to fit the digits in the input. In particular, this function constructs
+ * a bignum with 0 limbs for an empty string, and a bignum with leading 0
+ * limbs if the string has sufficiently many leading 0 digits.
+ * This is important so that the "0 (null)" and "0 (1 limb)" and
+ * "leading zeros" test cases do what they claim.
*
* \param[out] X The MPI object to populate. It must be initialized.
* \param[in] s The null-terminated hexadecimal string to read from.
@@ -309,6 +315,14 @@
* \return \c 0 on success, an \c MBEDTLS_ERR_MPI_xxx error code otherwise.
*/
int mbedtls_test_read_mpi( mbedtls_mpi *X, const char *s );
+
+/** Nonzero if the current test case had an input parsed with
+ * mbedtls_test_read_mpi() that is a negative 0 (`"-"`, `"-0"`, `"-00"`, etc.,
+ * constructing a result with the sign bit set to -1 and the value being
+ * all-limbs-0, which is not a valid representation in #mbedtls_mpi but is
+ * tested for robustness).
+ */
+extern unsigned mbedtls_test_case_uses_negative_0;
#endif /* MBEDTLS_BIGNUM_C */
#endif /* TEST_HELPERS_H */
diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh
index 4ad6faa..edece45 100755
--- a/tests/opt-testcases/tls13-misc.sh
+++ b/tests/opt-testcases/tls13-misc.sh
@@ -282,3 +282,65 @@
0 \
-s "key exchange mode: ephemeral$"
+# skip the basic check now cause it will randomly trigger the anti-replay protection in gnutls_server
+# Add it back once we fix the issue
+skip_next_test
+requires_gnutls_tls1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
+ MBEDTLS_SSL_EARLY_DATA
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+run_test "TLS 1.3 m->G: EarlyData: basic check, good" \
+ "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \
+ "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \
+ 1 \
+ -c "Reconnecting with saved session" \
+ -c "NewSessionTicket: early_data(42) extension received." \
+ -c "ClientHello: early_data(42) extension exists." \
+ -c "EncryptedExtensions: early_data(42) extension received." \
+ -c "EncryptedExtensions: early_data(42) extension ( ignored )." \
+ -s "Parsing extension 'Early Data/42' (0 bytes)" \
+ -s "Sending extension Early Data/42 (0 bytes)" \
+ -s "early data accepted"
+
+requires_gnutls_tls1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
+ MBEDTLS_SSL_EARLY_DATA
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+run_test "TLS 1.3 m->G: EarlyData: no early_data in NewSessionTicket, good" \
+ "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --disable-client-cert" \
+ "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \
+ 0 \
+ -c "Reconnecting with saved session" \
+ -C "NewSessionTicket: early_data(42) extension received." \
+ -c "ClientHello: early_data(42) extension does not exist." \
+ -C "EncryptedExtensions: early_data(42) extension received." \
+ -C "EncryptedExtensions: early_data(42) extension ( ignored )."
+
+#TODO: OpenSSL tests don't work now. It might be openssl options issue, cause GnuTLS has worked.
+skip_next_test
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
+ MBEDTLS_SSL_EARLY_DATA
+requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+run_test "TLS 1.3, ext PSK, early data" \
+ "$O_NEXT_SRV_EARLY_DATA -msg -debug -tls1_3 -psk_identity 0a0b0c -psk 010203 -allow_no_dhe_kex -nocert" \
+ "$P_CLI debug_level=5 force_version=tls13 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \
+ 1 \
+ -c "Reconnecting with saved session" \
+ -c "NewSessionTicket: early_data(42) extension received." \
+ -c "ClientHello: early_data(42) extension exists." \
+ -c "EncryptedExtensions: early_data(42) extension received." \
+ -c "EncryptedExtensions: early_data(42) extension ( ignored )."
+
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 9295c9d..8272dcc 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2065,6 +2065,47 @@
make test
}
+# Auxiliary function to build config for hashes with and without drivers
+config_psa_crypto_hash_use_psa () {
+ DRIVER_ONLY="$1"
+ # start with config full for maximum coverage (also enables USE_PSA)
+ scripts/config.py full
+ # enable support for drivers and configuring PSA-only algorithms
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
+ if [ "$DRIVER_ONLY" -eq 1 ]; then
+ # disable the built-in implementation of hashes
+ scripts/config.py unset MBEDTLS_MD5_C
+ scripts/config.py unset MBEDTLS_RIPEMD160_C
+ scripts/config.py unset MBEDTLS_SHA1_C
+ scripts/config.py unset MBEDTLS_SHA224_C
+ scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below
+ scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
+ scripts/config.py unset MBEDTLS_SHA384_C
+ scripts/config.py unset MBEDTLS_SHA512_C
+ scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
+ fi
+ # Use an external RNG as currently internal RNGs depend on entropy.c
+ # which in turn hard-depends on SHA256_C (or SHA512_C).
+ # See component_test_psa_external_rng_no_drbg_use_psa.
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
+ scripts/config.py unset MBEDTLS_ENTROPY_C
+ scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED # depends on ENTROPY_C
+ scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT # depends on former
+ # Also unset MD_C and things that depend on it;
+ # see component_test_crypto_full_no_md.
+ if [ "$DRIVER_ONLY" -eq 1 ]; then
+ scripts/config.py unset MBEDTLS_MD_C
+ fi
+ scripts/config.py unset MBEDTLS_HKDF_C # has independent PSA implementation
+ scripts/config.py unset MBEDTLS_HMAC_DRBG_C
+ scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC
+ scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
+}
+
+# Note that component_test_psa_crypto_config_reference_hash_use_psa
+# is related to this component and both components need to be kept in sync.
+# For details please see comments for component_test_psa_crypto_config_reference_hash_use_psa.
component_test_psa_crypto_config_accel_hash_use_psa () {
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash and USE_PSA"
@@ -2077,35 +2118,7 @@
loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
- # start with config full for maximum coverage (also enables USE_PSA)
- scripts/config.py full
- # enable support for drivers and configuring PSA-only algorithms
- scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
- scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
- # disable the built-in implementation of hashes
- scripts/config.py unset MBEDTLS_MD5_C
- scripts/config.py unset MBEDTLS_RIPEMD160_C
- scripts/config.py unset MBEDTLS_SHA1_C
- scripts/config.py unset MBEDTLS_SHA224_C
- scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below
- scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
- scripts/config.py unset MBEDTLS_SHA384_C
- scripts/config.py unset MBEDTLS_SHA512_C
- scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
- # Use an external RNG as currently internal RNGs depend on entropy.c
- # which in turn hard-depends on SHA256_C (or SHA512_C).
- # See component_test_psa_external_rng_no_drbg_use_psa.
- scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
- scripts/config.py unset MBEDTLS_ENTROPY_C
- scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED # depends on ENTROPY_C
- scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT # depends on former
- # Also unset MD_C and things that depend on it;
- # see component_test_crypto_full_no_md.
- scripts/config.py unset MBEDTLS_MD_C
- scripts/config.py unset MBEDTLS_HKDF_C # has independent PSA implementation
- scripts/config.py unset MBEDTLS_HMAC_DRBG_C
- scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC
- scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
+ config_psa_crypto_hash_use_psa 1
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" all
@@ -2122,16 +2135,32 @@
msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash and USE_PSA"
make test
- # hidden option: when running outcome-analysis.sh, we can skip this
- if [ "${SKIP_SSL_OPT_COMPAT_SH-unset}" = "unset" ]; then
- msg "test: ssl-opt.sh, MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash and USE_PSA"
- tests/ssl-opt.sh
+ msg "test: ssl-opt.sh, MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash and USE_PSA"
+ tests/ssl-opt.sh
- msg "test: compat.sh, MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash and USE_PSA"
- tests/compat.sh
- else
- echo "skip ssl-opt.sh and compat.sh"
- fi
+ msg "test: compat.sh, MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"
+ tests/compat.sh
+}
+
+# This component provides reference configuration for test_psa_crypto_config_accel_hash_use_psa
+# without accelerated hash. The outcome from both components are used by the analyze_outcomes.py
+# script to find regression in test coverage when accelerated hash is used (tests and ssl-opt).
+# Both components need to be kept in sync.
+component_test_psa_crypto_config_reference_hash_use_psa() {
+ msg "test: MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"
+
+ scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER
+ scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING
+
+ config_psa_crypto_hash_use_psa 0
+
+ make
+
+ msg "test: MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"
+ make test
+
+ msg "test: ssl-opt.sh, MBEDTLS_PSA_CRYPTO_CONFIG without accelerated hash and USE_PSA"
+ tests/ssl-opt.sh
}
component_test_psa_crypto_config_accel_cipher () {
@@ -3253,6 +3282,7 @@
msg "build: TLS 1.3 only from default, only ephemeral key exchange mode"
scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+ scripts/config.py unset MBEDTLS_SSL_EARLY_DATA
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
msg "test_suite_ssl: TLS 1.3 only, only ephemeral key exchange mode"
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index d06a059..bb44396 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -9,6 +9,7 @@
import argparse
import sys
import traceback
+import re
import check_test_cases
@@ -60,6 +61,37 @@
# fixed this branch to have full coverage of test cases.
results.warning('Test case not executed: {}', key)
+def analyze_driver_vs_reference(outcomes, component_ref, component_driver, ignored_tests):
+ """Check that all tests executed in the reference component are also
+ executed in the corresponding driver component.
+ Skip test suites provided in ignored_tests list.
+ """
+ available = check_test_cases.collect_available_test_cases()
+ result = True
+
+ for key in available:
+ # Skip ignored test suites
+ test_suite = key.split(';')[0] # retrieve test suit name
+ test_suite = test_suite.split('.')[0] # retrieve main part of test suit name
+ if test_suite in ignored_tests:
+ continue
+ # Continue if test was not executed by any component
+ hits = outcomes[key].hits() if key in outcomes else 0
+ if hits == 0:
+ continue
+ # Search for tests that run in reference component and not in driver component
+ driver_test_passed = False
+ reference_test_passed = False
+ for entry in outcomes[key].successes:
+ if component_driver in entry:
+ driver_test_passed = True
+ if component_ref in entry:
+ reference_test_passed = True
+ if(driver_test_passed is False and reference_test_passed is True):
+ print('{}: driver: skipped/failed; reference: passed'.format(key))
+ result = False
+ return result
+
def analyze_outcomes(outcomes):
"""Run all analyses on the given outcome collection."""
results = Results()
@@ -87,20 +119,75 @@
outcomes[key].failures.append(setup)
return outcomes
-def analyze_outcome_file(outcome_file):
- """Analyze the given outcome file."""
+def do_analyze_coverage(outcome_file, args):
+ """Perform coverage analysis."""
+ del args # unused
outcomes = read_outcome_file(outcome_file)
- return analyze_outcomes(outcomes)
+ results = analyze_outcomes(outcomes)
+ return results.error_count == 0
+
+def do_analyze_driver_vs_reference(outcome_file, args):
+ """Perform driver vs reference analyze."""
+ ignored_tests = ['test_suite_' + x for x in args['ignored_suites']]
+
+ outcomes = read_outcome_file(outcome_file)
+ return analyze_driver_vs_reference(outcomes, args['component_ref'],
+ args['component_driver'], ignored_tests)
+
+# List of tasks with a function that can handle this task and additional arguments if required
+TASKS = {
+ 'analyze_coverage': {
+ 'test_function': do_analyze_coverage,
+ 'args': {}},
+ 'analyze_driver_vs_reference_hash': {
+ 'test_function': do_analyze_driver_vs_reference,
+ 'args': {
+ 'component_ref': 'test_psa_crypto_config_reference_hash_use_psa',
+ 'component_driver': 'test_psa_crypto_config_accel_hash_use_psa',
+ 'ignored_suites': ['shax', 'mdx', # the software implementations that are being excluded
+ 'md', # the legacy abstraction layer that's being excluded
+ ]}}
+}
def main():
try:
parser = argparse.ArgumentParser(description=__doc__)
parser.add_argument('outcomes', metavar='OUTCOMES.CSV',
help='Outcome file to analyze')
+ parser.add_argument('task', default='all', nargs='?',
+ help='Analysis to be done. By default, run all tasks. '
+ 'With one or more TASK, run only those. '
+ 'TASK can be the name of a single task or '
+ 'comma/space-separated list of tasks. ')
+ parser.add_argument('--list', action='store_true',
+ help='List all available tasks and exit.')
options = parser.parse_args()
- results = analyze_outcome_file(options.outcomes)
- if results.error_count > 0:
+
+ if options.list:
+ for task in TASKS:
+ print(task)
+ sys.exit(0)
+
+ result = True
+
+ if options.task == 'all':
+ tasks = TASKS.keys()
+ else:
+ tasks = re.split(r'[, ]+', options.task)
+
+ for task in tasks:
+ if task not in TASKS:
+ print('Error: invalid task: {}'.format(task))
+ sys.exit(1)
+
+ for task in TASKS:
+ if task in tasks:
+ if not TASKS[task]['test_function'](options.outcomes, TASKS[task]['args']):
+ result = False
+
+ if result is False:
sys.exit(1)
+ print("SUCCESS :-)")
except Exception: # pylint: disable=broad-except
# Print the backtrace and exit explicitly with our chosen status.
traceback.print_exc()
diff --git a/tests/scripts/generate_bignum_tests.py b/tests/scripts/generate_bignum_tests.py
index a105203..eee2f65 100755
--- a/tests/scripts/generate_bignum_tests.py
+++ b/tests/scripts/generate_bignum_tests.py
@@ -78,11 +78,17 @@
#pylint: disable=abstract-method
"""Common features for bignum operations in legacy tests."""
input_values = [
- "", "0", "7b", "-7b",
+ "", "0", "-", "-0",
+ "7b", "-7b",
"0000000000000000123", "-0000000000000000123",
"1230000000000000000", "-1230000000000000000"
]
+ def description_suffix(self) -> str:
+ #pylint: disable=no-self-use # derived classes need self
+ """Text to add at the end of the test case description."""
+ return ""
+
def description(self) -> str:
"""Generate a description for the test case.
@@ -96,6 +102,9 @@
self.symbol,
self.value_description(self.arg_b)
)
+ description_suffix = self.description_suffix()
+ if description_suffix:
+ self.case_description += " " + description_suffix
return super().description()
@staticmethod
@@ -107,6 +116,8 @@
"""
if val == "":
return "0 (null)"
+ if val == "-":
+ return "negative 0 (null)"
if val == "0":
return "0 (1 limb)"
@@ -171,9 +182,21 @@
]
)
- def result(self) -> List[str]:
- return [bignum_common.quote_str("{:x}").format(self.int_a + self.int_b)]
+ def __init__(self, val_a: str, val_b: str) -> None:
+ super().__init__(val_a, val_b)
+ self._result = self.int_a + self.int_b
+ def description_suffix(self) -> str:
+ if (self.int_a >= 0 and self.int_b >= 0):
+ return "" # obviously positive result or 0
+ if (self.int_a <= 0 and self.int_b <= 0):
+ return "" # obviously negative result or 0
+ # The sign of the result is not obvious, so indicate it
+ return ", result{}0".format('>' if self._result > 0 else
+ '<' if self._result < 0 else '=')
+
+ def result(self) -> List[str]:
+ return [bignum_common.quote_str("{:x}".format(self._result))]
if __name__ == '__main__':
# Use the section of the docstring relevant to the CLI as description
diff --git a/tests/src/helpers.c b/tests/src/helpers.c
index cc23fd7..7c83714 100644
--- a/tests/src/helpers.c
+++ b/tests/src/helpers.c
@@ -89,6 +89,10 @@
mbedtls_test_info.step = step;
}
+#if defined(MBEDTLS_BIGNUM_C)
+unsigned mbedtls_test_case_uses_negative_0 = 0;
+#endif
+
void mbedtls_test_info_reset( void )
{
mbedtls_test_info.result = MBEDTLS_TEST_RESULT_SUCCESS;
@@ -98,6 +102,9 @@
mbedtls_test_info.filename = 0;
memset( mbedtls_test_info.line1, 0, sizeof( mbedtls_test_info.line1 ) );
memset( mbedtls_test_info.line2, 0, sizeof( mbedtls_test_info.line2 ) );
+#if defined(MBEDTLS_BIGNUM_C)
+ mbedtls_test_case_uses_negative_0 = 0;
+#endif
}
int mbedtls_test_equal( const char *test, int line_no, const char* filename,
@@ -396,6 +403,15 @@
int mbedtls_test_read_mpi( mbedtls_mpi *X, const char *s )
{
+ int negative = 0;
+ /* Always set the sign bit to -1 if the input has a minus sign, even for 0.
+ * This creates an invalid representation, which mbedtls_mpi_read_string()
+ * avoids but we want to be able to create that in test data. */
+ if( s[0] == '-' )
+ {
+ ++s;
+ negative = 1;
+ }
/* mbedtls_mpi_read_string() currently retains leading zeros.
* It always allocates at least one limb for the value 0. */
if( s[0] == 0 )
@@ -403,7 +419,15 @@
mbedtls_mpi_free( X );
return( 0 );
}
- else
- return( mbedtls_mpi_read_string( X, 16, s ) );
+ int ret = mbedtls_mpi_read_string( X, 16, s );
+ if( ret != 0 )
+ return( ret );
+ if( negative )
+ {
+ if( mbedtls_mpi_cmp_int( X, 0 ) == 0 )
+ ++mbedtls_test_case_uses_negative_0;
+ X->s = -1;
+ }
+ return( 0 );
}
#endif
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 9eb925a..6220527 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -80,12 +80,14 @@
if [ -n "${OPENSSL_NEXT:-}" ]; then
O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key"
+ O_NEXT_SRV_EARLY_DATA="$OPENSSL_NEXT s_server -early_data -cert data_files/server5.crt -key data_files/server5.key"
O_NEXT_SRV_NO_CERT="$OPENSSL_NEXT s_server -www "
O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client -CAfile data_files/test-ca_cat12.crt"
O_NEXT_CLI_NO_CERT="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client"
else
O_NEXT_SRV=false
O_NEXT_SRV_NO_CERT=false
+ O_NEXT_SRV_EARLY_DATA=false
O_NEXT_CLI_NO_CERT=false
O_NEXT_CLI=false
fi
@@ -1690,6 +1692,7 @@
if [ -n "${OPENSSL_NEXT:-}" ]; then
O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT"
O_NEXT_SRV_NO_CERT="$O_NEXT_SRV_NO_CERT -accept $SRV_PORT"
+ O_NEXT_SRV_EARLY_DATA="$O_NEXT_SRV_EARLY_DATA -accept $SRV_PORT"
O_NEXT_CLI="$O_NEXT_CLI -connect 127.0.0.1:+SRV_PORT"
O_NEXT_CLI_NO_CERT="$O_NEXT_CLI_NO_CERT -connect 127.0.0.1:+SRV_PORT"
fi
@@ -2381,6 +2384,31 @@
-u "IV used" \
-U "IV used"
+# Test for correctness of sent single supported algorithm
+requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_hash_alg SHA_256
+run_test "Single supported algorithm sending: mbedtls client" \
+ "$P_SRV sig_algs=ecdsa_secp256r1_sha256 auth_mode=required" \
+ "$P_CLI sig_algs=ecdsa_secp256r1_sha256 debug_level=3" \
+ 0 \
+ -c "Supported Signature Algorithm found: 04 03"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_SRV_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
+requires_hash_alg SHA_256
+run_test "Single supported algorithm sending: openssl client" \
+ "$P_SRV sig_algs=ecdsa_secp256r1_sha256 auth_mode=required" \
+ "$O_CLI -cert data_files/server6.crt \
+ -key data_files/server6.key" \
+ 0
+
# Tests for certificate verification callback
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Configuration-specific CRT verification callback" \
@@ -5284,8 +5312,8 @@
key_file=data_files/server6.key \
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
0 \
- -c "Supported Signature Algorithm found: 4," \
- -c "Supported Signature Algorithm found: 5,"
+ -c "Supported Signature Algorithm found: 04 " \
+ -c "Supported Signature Algorithm found: 05 "
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
@@ -5295,8 +5323,8 @@
key_file=data_files/server6.key \
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
0 \
- -c "Supported Signature Algorithm found: 4," \
- -c "Supported Signature Algorithm found: 5,"
+ -c "Supported Signature Algorithm found: 04 " \
+ -c "Supported Signature Algorithm found: 05 "
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
run_test "Authentication: client has no cert, server required (TLS)" \
@@ -5697,8 +5725,8 @@
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
0 \
-s "use CA callback for X.509 CRT verification" \
- -c "Supported Signature Algorithm found: 4," \
- -c "Supported Signature Algorithm found: 5,"
+ -c "Supported Signature Algorithm found: 04 " \
+ -c "Supported Signature Algorithm found: 05 "
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
@@ -5710,8 +5738,8 @@
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
0 \
-s "use CA callback for X.509 CRT verification" \
- -c "Supported Signature Algorithm found: 4," \
- -c "Supported Signature Algorithm found: 5,"
+ -c "Supported Signature Algorithm found: 04 " \
+ -c "Supported Signature Algorithm found: 05 "
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
diff --git a/tests/suites/test_suite_bignum.function b/tests/suites/test_suite_bignum.function
index 5c3d776..55bb2f5 100644
--- a/tests/suites/test_suite_bignum.function
+++ b/tests/suites/test_suite_bignum.function
@@ -13,10 +13,21 @@
* constructing the value. */
static int sign_is_valid( const mbedtls_mpi *X )
{
+ /* Only +1 and -1 are valid sign bits, not e.g. 0 */
if( X->s != 1 && X->s != -1 )
- return( 0 ); // invalid sign bit, e.g. 0
- if( mbedtls_mpi_bitlen( X ) == 0 && X->s != 1 )
- return( 0 ); // negative zero
+ return( 0 );
+
+ /* The value 0 must be represented with the sign +1. A "negative zero"
+ * with s=-1 is an invalid representation. Forbid that. As an exception,
+ * we sometimes test the robustness of library functions when given
+ * a negative zero input. If a test case has a negative zero as input,
+ * we don't mind if the function has a negative zero output. */
+ if( ! mbedtls_test_case_uses_negative_0 &&
+ mbedtls_mpi_bitlen( X ) == 0 && X->s != 1 )
+ {
+ return( 0 );
+ }
+
return( 1 );
}
@@ -1447,6 +1458,150 @@
}
/* END_CASE */
+/* BEGIN_CASE */
+void most_negative_mpi_sint( )
+{
+ /* Ad hoc tests for n = -p = -2^(biL-1) as a mbedtls_mpi_sint. We
+ * guarantee that mbedtls_mpi_sint is a two's complement type, so this
+ * is a valid value. However, negating it (`-n`) has undefined behavior
+ * (although in practice `-n` evaluates to the value n).
+ *
+ * This function has ad hoc tests for this value. It's separated from other
+ * functions because the test framework makes it hard to pass this value
+ * into test cases.
+ *
+ * In the comments here:
+ * - biL = number of bits in limbs
+ * - p = 2^(biL-1) (smallest positive value not in mbedtls_mpi_sint range)
+ * - n = -2^(biL-1) (largest negative value in mbedtls_mpi_sint range)
+ */
+
+ mbedtls_mpi A, R, X;
+ mbedtls_mpi_init( &A );
+ mbedtls_mpi_init( &R );
+ mbedtls_mpi_init( &X );
+
+ const size_t biL = 8 * sizeof( mbedtls_mpi_sint );
+ mbedtls_mpi_uint most_positive_plus_1 = (mbedtls_mpi_uint) 1 << ( biL - 1 );
+ const mbedtls_mpi_sint most_positive = most_positive_plus_1 - 1;
+ const mbedtls_mpi_sint most_negative = - most_positive - 1;
+ TEST_EQUAL( (mbedtls_mpi_uint) most_negative,
+ (mbedtls_mpi_uint) 1 << ( biL - 1 ) );
+ TEST_EQUAL( (mbedtls_mpi_uint) most_negative << 1, 0 );
+
+ /* Test mbedtls_mpi_lset() */
+ TEST_EQUAL( mbedtls_mpi_lset( &A, most_negative ), 0 );
+ TEST_EQUAL( A.s, -1 );
+ TEST_EQUAL( A.n, 1 );
+ TEST_EQUAL( A.p[0], most_positive_plus_1 );
+
+ /* Test mbedtls_mpi_cmp_int(): -p == -p */
+ TEST_EQUAL( mbedtls_mpi_cmp_int( &A, most_negative ), 0 );
+
+ /* Test mbedtls_mpi_cmp_int(): -(p+1) < -p */
+ A.p[0] = most_positive_plus_1 + 1;
+ TEST_EQUAL( mbedtls_mpi_cmp_int( &A, most_negative ), -1 );
+
+ /* Test mbedtls_mpi_cmp_int(): -(p-1) > -p */
+ A.p[0] = most_positive_plus_1 - 1;
+ TEST_EQUAL( mbedtls_mpi_cmp_int( &A, most_negative ), 1 );
+
+ /* Test mbedtls_mpi_add_int(): (p-1) + (-p) */
+ TEST_EQUAL( mbedtls_mpi_lset( &A, most_positive ), 0 );
+ TEST_EQUAL( mbedtls_mpi_add_int( &X, &A, most_negative ), 0 );
+ TEST_EQUAL( mbedtls_mpi_cmp_int( &X, -1 ), 0 );
+
+ /* Test mbedtls_mpi_add_int(): (0) + (-p) */
+ TEST_EQUAL( mbedtls_mpi_lset( &A, 0 ), 0 );
+ TEST_EQUAL( mbedtls_mpi_add_int( &X, &A, most_negative ), 0 );
+ TEST_EQUAL( mbedtls_mpi_cmp_int( &X, most_negative ), 0 );
+
+ /* Test mbedtls_mpi_add_int(): (-p) + (-p) */
+ TEST_EQUAL( mbedtls_mpi_lset( &A, most_negative ), 0 );
+ TEST_EQUAL( mbedtls_mpi_add_int( &X, &A, most_negative ), 0 );
+ TEST_EQUAL( X.s, -1 );
+ TEST_EQUAL( X.n, 2 );
+ TEST_EQUAL( X.p[0], 0 );
+ TEST_EQUAL( X.p[1], 1 );
+
+ /* Test mbedtls_mpi_sub_int(): (p) - (-p) */
+ mbedtls_mpi_free( &X );
+ TEST_EQUAL( mbedtls_mpi_lset( &A, most_positive ), 0 );
+ TEST_EQUAL( mbedtls_mpi_sub_int( &X, &A, most_negative ), 0 );
+ TEST_EQUAL( X.s, 1 );
+ TEST_EQUAL( X.n, 1 );
+ TEST_EQUAL( X.p[0], ~(mbedtls_mpi_uint)0 );
+
+ /* Test mbedtls_mpi_sub_int(): (0) - (-p) */
+ TEST_EQUAL( mbedtls_mpi_lset( &A, 0 ), 0 );
+ TEST_EQUAL( mbedtls_mpi_sub_int( &X, &A, most_negative ), 0 );
+ TEST_EQUAL( X.s, 1 );
+ TEST_EQUAL( X.n, 1 );
+ TEST_EQUAL( X.p[0], most_positive_plus_1 );
+
+ /* Test mbedtls_mpi_sub_int(): (-p) - (-p) */
+ TEST_EQUAL( mbedtls_mpi_lset( &A, most_negative ), 0 );
+ TEST_EQUAL( mbedtls_mpi_sub_int( &X, &A, most_negative ), 0 );
+ TEST_EQUAL( mbedtls_mpi_cmp_int( &X, 0 ), 0 );
+
+ /* Test mbedtls_mpi_div_int(): (-p+1) / (-p) */
+ TEST_EQUAL( mbedtls_mpi_lset( &A, -most_positive ), 0 );
+ TEST_EQUAL( mbedtls_mpi_div_int( &X, &R, &A, most_negative ), 0 );
+ TEST_EQUAL( mbedtls_mpi_cmp_int( &X, 0 ), 0 );
+ TEST_EQUAL( mbedtls_mpi_cmp_int( &R, -most_positive ), 0 );
+
+ /* Test mbedtls_mpi_div_int(): (-p) / (-p) */
+ TEST_EQUAL( mbedtls_mpi_lset( &A, most_negative ), 0 );
+ TEST_EQUAL( mbedtls_mpi_div_int( &X, &R, &A, most_negative ), 0 );
+ TEST_EQUAL( mbedtls_mpi_cmp_int( &X, 1 ), 0 );
+ TEST_EQUAL( mbedtls_mpi_cmp_int( &R, 0 ), 0 );
+
+ /* Test mbedtls_mpi_div_int(): (-2*p) / (-p) */
+ TEST_EQUAL( mbedtls_mpi_shift_l( &A, 1 ), 0 );
+ TEST_EQUAL( mbedtls_mpi_div_int( &X, &R, &A, most_negative ), 0 );
+ TEST_EQUAL( mbedtls_mpi_cmp_int( &X, 2 ), 0 );
+ TEST_EQUAL( mbedtls_mpi_cmp_int( &R, 0 ), 0 );
+
+ /* Test mbedtls_mpi_div_int(): (-2*p+1) / (-p) */
+ TEST_EQUAL( mbedtls_mpi_add_int( &A, &A, 1 ), 0 );
+ TEST_EQUAL( mbedtls_mpi_div_int( &X, &R, &A, most_negative ), 0 );
+ TEST_EQUAL( mbedtls_mpi_cmp_int( &X, 1 ), 0 );
+ TEST_EQUAL( mbedtls_mpi_cmp_int( &R, -most_positive ), 0 );
+
+ /* Test mbedtls_mpi_div_int(): (p-1) / (-p) */
+ TEST_EQUAL( mbedtls_mpi_lset( &A, most_positive ), 0 );
+ TEST_EQUAL( mbedtls_mpi_div_int( &X, &R, &A, most_negative ), 0 );
+ TEST_EQUAL( mbedtls_mpi_cmp_int( &X, 0 ), 0 );
+ TEST_EQUAL( mbedtls_mpi_cmp_int( &R, most_positive ), 0 );
+
+ /* Test mbedtls_mpi_div_int(): (p) / (-p) */
+ TEST_EQUAL( mbedtls_mpi_add_int( &A, &A, 1 ), 0 );
+ TEST_EQUAL( mbedtls_mpi_div_int( &X, &R, &A, most_negative ), 0 );
+ TEST_EQUAL( mbedtls_mpi_cmp_int( &X, -1 ), 0 );
+ TEST_EQUAL( mbedtls_mpi_cmp_int( &R, 0 ), 0 );
+
+ /* Test mbedtls_mpi_div_int(): (2*p) / (-p) */
+ TEST_EQUAL( mbedtls_mpi_shift_l( &A, 1 ), 0 );
+ TEST_EQUAL( mbedtls_mpi_div_int( &X, &R, &A, most_negative ), 0 );
+ TEST_EQUAL( mbedtls_mpi_cmp_int( &X, -2 ), 0 );
+ TEST_EQUAL( mbedtls_mpi_cmp_int( &R, 0 ), 0 );
+
+ /* Test mbedtls_mpi_mod_int(): never valid */
+ TEST_EQUAL( mbedtls_mpi_mod_int( X.p, &A, most_negative ),
+ MBEDTLS_ERR_MPI_NEGATIVE_VALUE );
+
+ /* Test mbedtls_mpi_random(): never valid */
+ TEST_EQUAL( mbedtls_mpi_random( &X, most_negative, &A,
+ mbedtls_test_rnd_std_rand, NULL ),
+ MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+exit:
+ mbedtls_mpi_free( &A );
+ mbedtls_mpi_free( &R );
+ mbedtls_mpi_free( &X );
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
void mpi_selftest( )
{
diff --git a/tests/suites/test_suite_bignum.misc.data b/tests/suites/test_suite_bignum.misc.data
index 0b8aa33..dc6830e 100644
--- a/tests/suites/test_suite_bignum.misc.data
+++ b/tests/suites/test_suite_bignum.misc.data
@@ -1144,6 +1144,18 @@
Test mbedtls_mpi_div_mpi: 0 (null) / -1
mpi_div_mpi:"":"-1":"":"":0
+Test mbedtls_mpi_div_mpi: -0 (null) / 1
+mpi_div_mpi:"-":"1":"":"":0
+
+Test mbedtls_mpi_div_mpi: -0 (null) / -1
+mpi_div_mpi:"-":"-1":"":"":0
+
+Test mbedtls_mpi_div_mpi: -0 (null) / 42
+mpi_div_mpi:"-":"2a":"":"":0
+
+Test mbedtls_mpi_div_mpi: -0 (null) / -42
+mpi_div_mpi:"-":"-2a":"":"":0
+
Test mbedtls_mpi_div_mpi #1
mpi_div_mpi:"9e22d6da18a33d1ef28d2a82242b3f6e9c9742f63e5d440f58a190bfaf23a7866e67589adb80":"22":"4a6abf75b13dc268ea9cc8b5b6aaf0ac85ecd437a4e0987fb13cf8d2acc57c0306c738c1583":"1a":0
@@ -1204,6 +1216,18 @@
Test mbedtls_mpi_mod_mpi: 0 (null) % -1
mpi_mod_mpi:"":"-1":"":MBEDTLS_ERR_MPI_NEGATIVE_VALUE
+Test mbedtls_mpi_mod_mpi: -0 (null) % 1
+mpi_mod_mpi:"-":"1":"":0
+
+Test mbedtls_mpi_mod_mpi: -0 (null) % -1
+mpi_mod_mpi:"-":"-1":"":MBEDTLS_ERR_MPI_NEGATIVE_VALUE
+
+Test mbedtls_mpi_mod_mpi: -0 (null) % 42
+mpi_mod_mpi:"-":"2a":"":0
+
+Test mbedtls_mpi_mod_mpi: -0 (null) % -42
+mpi_mod_mpi:"-":"-2a":"":MBEDTLS_ERR_MPI_NEGATIVE_VALUE
+
Base test mbedtls_mpi_mod_int #1
mpi_mod_int:"3e8":"d":"c":0
@@ -1934,6 +1958,9 @@
MPI random bad arguments: min > N = 1, 0 limb in upper bound
mpi_random_fail:2:"000000000000000001":MBEDTLS_ERR_MPI_BAD_INPUT_DATA
+Most negative mbedtls_mpi_sint
+most_negative_mpi_sint:
+
MPI Selftest
depends_on:MBEDTLS_SELF_TEST
mpi_selftest:
diff --git a/tests/suites/test_suite_bignum_mod_raw.function b/tests/suites/test_suite_bignum_mod_raw.function
index ff766b9..4adccce 100644
--- a/tests/suites/test_suite_bignum_mod_raw.function
+++ b/tests/suites/test_suite_bignum_mod_raw.function
@@ -117,10 +117,12 @@
mbedtls_mpi_uint *X = NULL;
mbedtls_mpi_uint *Y = NULL;
mbedtls_mpi_uint *buff_m = NULL;
- mbedtls_mpi_mod_modulus m;
size_t limbs_X;
size_t limbs_Y;
+ mbedtls_mpi_mod_modulus m;
+ mbedtls_mpi_mod_modulus_init( &m );
+
TEST_EQUAL( mbedtls_test_read_mpi_core( &X, &limbs_X, input_X ), 0 );
TEST_EQUAL( mbedtls_test_read_mpi_core( &Y, &limbs_Y, input_Y ), 0 );
@@ -129,8 +131,6 @@
size_t bytes = limbs * sizeof( mbedtls_mpi_uint );
size_t copy_bytes = copy_limbs * sizeof( mbedtls_mpi_uint );
- mbedtls_mpi_mod_modulus_init( &m );
-
TEST_EQUAL( limbs_X, limbs_Y );
TEST_ASSERT( copy_limbs <= limbs );
@@ -190,10 +190,12 @@
mbedtls_mpi_uint *X = NULL;
mbedtls_mpi_uint *Y = NULL;
mbedtls_mpi_uint *buff_m = NULL;
- mbedtls_mpi_mod_modulus m;
size_t limbs_X;
size_t limbs_Y;
+ mbedtls_mpi_mod_modulus m;
+ mbedtls_mpi_mod_modulus_init( &m );
+
TEST_EQUAL( mbedtls_test_read_mpi_core( &tmp_X, &limbs_X, input_X ), 0 );
TEST_EQUAL( mbedtls_test_read_mpi_core( &tmp_Y, &limbs_Y, input_Y ), 0 );
@@ -202,8 +204,6 @@
size_t bytes = limbs * sizeof( mbedtls_mpi_uint );
size_t copy_bytes = copy_limbs * sizeof( mbedtls_mpi_uint );
- mbedtls_mpi_mod_modulus_init( &m );
-
TEST_EQUAL( limbs_X, limbs_Y );
TEST_ASSERT( copy_limbs <= limbs );