Merge pull request #6734 from daverodgman/fix_test_dep_spelling
Fix spelling of test dependency
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 94fb020..50a4901 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -14,6 +14,6 @@
## Notes for the submitter
-Please refer to the [contributing guidelines](../CONTRIBUTING.md), especially the
+Please refer to the [contributing guidelines](https://github.com/Mbed-TLS/mbedtls/blob/development/CONTRIBUTING.md), especially the
checklist for PR contributors.
diff --git a/ChangeLog.d/LMS.txt b/ChangeLog.d/LMS.txt
index 6de374f..785bfcf 100644
--- a/ChangeLog.d/LMS.txt
+++ b/ChangeLog.d/LMS.txt
@@ -3,9 +3,9 @@
Signature verification is production-ready, but generation is for testing
purposes only. This currently only supports one parameter set
(LMS_SHA256_M32_H10), meaning that each private key can be used to sign
- 1024 messages. As such, it is not intended for use in TLS, but instead for
- verification of assets transmitted over an insecure channel, particularly
- firmware images.
+ 1024 messages. As such, it is not intended for use in TLS, but instead
+ for verification of assets transmitted over an insecure channel,
+ particularly firmware images.
* Add the LM-OTS post-quantum-safe one-time signature scheme, which is
- required for LMS. This can be used independently, but each key can only be
- used to sign one message so is impractical for most circumstances.
+ required for LMS. This can be used independently, but each key can only
+ be used to sign one message so is impractical for most circumstances.
diff --git a/ChangeLog.d/add-rsa-pss-rsae-support-for-tls12.txt b/ChangeLog.d/add-rsa-pss-rsae-support-for-tls12.txt
index f88eb9e..0d40968 100644
--- a/ChangeLog.d/add-rsa-pss-rsae-support-for-tls12.txt
+++ b/ChangeLog.d/add-rsa-pss-rsae-support-for-tls12.txt
@@ -1,8 +1,8 @@
Features
- * When GnuTLS/Openssl server is configured in TLS 1.2 mode with a certificate
- declaring an RSA public key and Mbed TLS is configured in hybrid mode, if
- `rsa_pss_rsae_*` algorithms are before `rsa_pkcs1_*` ones in this list then
- the GnuTLS/Openssl server chooses an `rsa_pss_rsae_*` signature algorithm
- for its signature in the key exchange message. As Mbed TLS 1.2 does not
- support them, the handshake fails. Add `rsa_pss_rsae_*` support for TLS 1.2
- to resolve the compitablity issue.
+ * Support rsa_pss_rsae_* signature algorithms in TLS 1.2.
+Bugfix
+ * Fix an interoperability failure between an Mbed TLS client with both
+ TLS 1.2 and TLS 1.3 support, and a TLS 1.2 server that supports
+ rsa_pss_rsae_* signature algorithms. This failed because Mbed TLS
+ advertised support for PSS in both TLS 1.2 and 1.3, but only
+ actually supported PSS in TLS 1.3.
diff --git a/ChangeLog.d/dtls-connection-id.txt b/ChangeLog.d/dtls-connection-id.txt
index eb9e216..840f837 100644
--- a/ChangeLog.d/dtls-connection-id.txt
+++ b/ChangeLog.d/dtls-connection-id.txt
@@ -3,14 +3,15 @@
MBEDTLS_SSL_DTLS_CONNECTION_ID (enabled by default) and configured with
mbedtls_ssl_set_cid().
-Changes
+Default behavior changes
* Previously the macro MBEDTLS_SSL_DTLS_CONNECTION_ID implemented version 05
- of the draft, and was marked experimental and disabled by default. It is
- now no longer experimental, and implements the final version from RFC 9146,
- which is not interoperable with the draft-05 version. If you need to
- communicate with peers that use earlier versions of Mbed TLS, you
- need to define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT to 1, but then you
- won't be able to communicate with peers that use the standard (non-draft)
- version. If you need to interoperate with both classes of peers with the
+ of the IETF draft, and was marked experimental and disabled by default.
+ It is now no longer experimental, and implements the final version from
+ RFC 9146, which is not interoperable with the draft-05 version.
+ If you need to communicate with peers that use earlier versions of
+ Mbed TLS, then you need to define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
+ to 1, but then you won't be able to communicate with peers that use the
+ standard (non-draft) version.
+ If you need to interoperate with both classes of peers with the
same build of Mbed TLS, please let us know about your situation on the
mailing list or GitHub.
diff --git a/ChangeLog.d/extend-query_compile_time_config-to-psa_want.txt b/ChangeLog.d/extend-query_compile_time_config-to-psa_want.txt
index b268fd4..99b2ec4 100644
--- a/ChangeLog.d/extend-query_compile_time_config-to-psa_want.txt
+++ b/ChangeLog.d/extend-query_compile_time_config-to-psa_want.txt
@@ -1,2 +1,2 @@
Changes
- * Add the ability to query PSA_WANT_xxx macros to query_compile_time_config
+ * Add the ability to query PSA_WANT_xxx macros to query_compile_time_config.
diff --git a/ChangeLog.d/fix-tls12server-sent-sigalgs.txt b/ChangeLog.d/fix-tls12server-sent-sigalgs.txt
index 9abde2b..b74c6ec 100644
--- a/ChangeLog.d/fix-tls12server-sent-sigalgs.txt
+++ b/ChangeLog.d/fix-tls12server-sent-sigalgs.txt
@@ -1,5 +1,5 @@
Bugfix
- * Fix a bug whereby the the list of signature algorithms sent as part of the
- TLS 1.2 server certificate request would get corrupted, meaning the first
- algorithm would not get sent and an entry consisting of two random bytes
- would be sent instead. Found by Serban Bejan and Dudek Sebastian.
+ * Fix a bug whereby the list of signature algorithms sent as part of
+ the TLS 1.2 server certificate request would get corrupted, meaning the
+ first algorithm would not get sent and an entry consisting of two random
+ bytes would be sent instead. Found by Serban Bejan and Dudek Sebastian.
diff --git a/ChangeLog.d/fix_build_error_for_mbedtls_deprecated_removed.txt b/ChangeLog.d/fix_build_error_for_mbedtls_deprecated_removed.txt
index a70521a..f0fa000 100644
--- a/ChangeLog.d/fix_build_error_for_mbedtls_deprecated_removed.txt
+++ b/ChangeLog.d/fix_build_error_for_mbedtls_deprecated_removed.txt
@@ -1,3 +1,3 @@
Bugfix
- * Fix build error due to missing prototype
- warning when MBEDTLS_DEPRECATED_REMOVED is enabled
+ * Fix a build error due to a missing prototype warning when
+ MBEDTLS_DEPRECATED_REMOVED is enabled.
diff --git a/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt b/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt
index bac4910..c7d2691 100644
--- a/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt
+++ b/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt
@@ -1,4 +1,3 @@
Bugfix
- * Fix bugs and missing dependencies when
- building and testing configurations with
- only one encryption type enabled in TLS 1.2.
+ * Fix bugs and missing dependencies when building and testing
+ configurations with only one encryption type enabled in TLS 1.2.
diff --git a/ChangeLog.d/fix_cmake_gen_files b/ChangeLog.d/fix_cmake_gen_files
deleted file mode 100644
index 3b2c099..0000000
--- a/ChangeLog.d/fix_cmake_gen_files
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix an issue in releases with GEN_FILES turned off whereby missing
- generated files could be turned into symlinks to themselves.
diff --git a/ChangeLog.d/fix_cmake_gen_files.txt b/ChangeLog.d/fix_cmake_gen_files.txt
new file mode 100644
index 0000000..cdec6e8
--- /dev/null
+++ b/ChangeLog.d/fix_cmake_gen_files.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * Fix an issue with in-tree CMake builds in releases with GEN_FILES
+ turned off: if a shipped file was missing from the working directory,
+ it could be turned into a symbolic link to itself.
diff --git a/ChangeLog.d/fix_cmake_using_iar_toolchain.txt b/ChangeLog.d/fix_cmake_using_iar_toolchain.txt
index ecc09c2..9ec6e0d 100644
--- a/ChangeLog.d/fix_cmake_using_iar_toolchain.txt
+++ b/ChangeLog.d/fix_cmake_using_iar_toolchain.txt
@@ -1,3 +1,3 @@
Bugfix
- * Fixed an issue that cause compile error using CMake IAR toolchain.
+ * Fix a compilation error when using CMake with an IAR toolchain.
Fixes #5964.
diff --git a/ChangeLog.d/fix_hard_link_across_drives b/ChangeLog.d/fix_hard_link_across_drives
deleted file mode 100644
index 0c55c30..0000000
--- a/ChangeLog.d/fix_hard_link_across_drives
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix a build issue on Windows where the source and build directory could not be on
- different drives (#5751).
diff --git a/ChangeLog.d/fix_hard_link_across_drives.txt b/ChangeLog.d/fix_hard_link_across_drives.txt
new file mode 100644
index 0000000..46d05c0
--- /dev/null
+++ b/ChangeLog.d/fix_hard_link_across_drives.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix a build issue on Windows using CMake where the source and build
+ directories could not be on different drives. Fixes #5751.
diff --git a/ChangeLog.d/fix_tls13_session_resumption_fail_when_hostname_is_not_localhost.txt b/ChangeLog.d/fix_tls13_session_resumption_fail_when_hostname_is_not_localhost.txt
index 5797f48..9f5c649 100644
--- a/ChangeLog.d/fix_tls13_session_resumption_fail_when_hostname_is_not_localhost.txt
+++ b/ChangeLog.d/fix_tls13_session_resumption_fail_when_hostname_is_not_localhost.txt
@@ -1,4 +1,4 @@
Bugfix
- * Fix TLS 1.3 session resumption fail. Fixes #6488.
- * Add configuration check to exclude TLS 1.3 optional authentication of
- client.
+ * Fix TLS 1.3 session resumption. Fixes #6488.
+ * Add a configuration check to exclude optional client authentication
+ in TLS 1.3 (where it is forbidden).
diff --git a/ChangeLog.d/fix_zeroization.txt b/ChangeLog.d/fix_zeroization.txt
index ad74d9c..8b00dcc 100644
--- a/ChangeLog.d/fix_zeroization.txt
+++ b/ChangeLog.d/fix_zeroization.txt
@@ -1,3 +1,3 @@
Bugfix
- * Fix possible crash in TLS PRF code, if a failure to allocate memory occurs.
- Reported by Michael Madsen in #6516.
+ * Fix a possible null pointer dereference if a memory allocation fails
+ in TLS PRF code. Reported by Michael Madsen in #6516.
diff --git a/ChangeLog.d/mbedtls_asn1_type_free.txt b/ChangeLog.d/mbedtls_asn1_type_free.txt
index 81f3a20..3459bbe 100644
--- a/ChangeLog.d/mbedtls_asn1_type_free.txt
+++ b/ChangeLog.d/mbedtls_asn1_type_free.txt
@@ -1,6 +1,8 @@
Features
- * Shared code to free x509 structs like mbedtls_x509_named_data
+ * The new functions mbedtls_asn1_free_named_data_list() and
+ mbedtls_asn1_free_named_data_list_shallow() simplify the management
+ of memory in named data lists in X.509 structures.
New deprecations
* Deprecate mbedtls_asn1_free_named_data().
Use mbedtls_asn1_free_named_data_list()
- or mbedtls_asn1_free_named_data_list_shallow()
+ or mbedtls_asn1_free_named_data_list_shallow().
diff --git a/ChangeLog.d/pkcs7-parser.txt b/ChangeLog.d/pkcs7-parser.txt
deleted file mode 100644
index 7f85f0c..0000000
--- a/ChangeLog.d/pkcs7-parser.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-Features
- * Added partial support for parsing the PKCS7 cryptographic message syntax,
- as defined in RFC 2315. Currently, support is limited to the following:
- - Only the signed data content type, version 1 is supported.
- - Only DER encoding is supported.
- - Only a single digest algorithm per message is supported.
- - Only 0 or 1, certificate is supported per message, which must be in
- X509 format.
- - There is no support for certificate-revocation lists.
- - The authenticated and unauthenticated attribute fields of SignerInfo
- must be empty.
- Many thanks to Daniel Axtens, Nayna Jain, and Nick Child from IBM for
- contributing this feature.
diff --git a/ChangeLog.d/psa_crypto_code_gen_1_1.txt b/ChangeLog.d/psa_crypto_code_gen_1_1.txt
index 2c18e6f..e10a81c 100644
--- a/ChangeLog.d/psa_crypto_code_gen_1_1.txt
+++ b/ChangeLog.d/psa_crypto_code_gen_1_1.txt
@@ -1,6 +1,13 @@
Features
- * Brought in PSA code geneneration JSON driver list.
- Added auto generated templating support for key management.
- Added Support for transparent and opaque keys (import/export/copy).
- Included some general JSON validation for the given entry points.
- Addresses version 1.1 of #5137.
+ * The PSA driver wrapper generator generate_driver_wrappers.py now
+ supports a subset of the driver description language, including
+ the following entry points: import_key, export_key, export_public_key,
+ get_builtin_key, copy_key.
+
+Requirement changes
+ * When building with PSA drivers using generate_driver_wrappers.py, or
+ when building the library from the development branch rather than
+ from a release, the Python module jsonschema is now necessary, in
+ addition to jinja2. The official list of required Python modules is
+ maintained in scripts/basic.requirements.txt and may change again
+ in the future.
diff --git a/ChangeLog.d/remove_ssl_session_compression.txt b/ChangeLog.d/remove_ssl_session_compression.txt
deleted file mode 100644
index dc59f1c..0000000
--- a/ChangeLog.d/remove_ssl_session_compression.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Removals
- * Remove compression property from SSL session struct.
- MBEDTLS_SSL_COMPRESS_NULL is now the only supported
- compression option and can be used for compatibility
- reasons. Changes requested in #4223.
diff --git a/ChangeLog.d/tls13-misc.txt b/ChangeLog.d/tls13-misc.txt
index 497ed38..6733173 100644
--- a/ChangeLog.d/tls13-misc.txt
+++ b/ChangeLog.d/tls13-misc.txt
@@ -1,9 +1,8 @@
Features
- * Mbed TLS supports TLS 1.3 key establishment via pre-shared keys,
- pre-shared keys provisioned externally or via the ticket mechanism
- (session resumption).
- The MBEDTLS_SSL_SESSION_TICKETS configuration option controls the support
- for the ticket mechanism.
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_xxx_ENABLED configuration options
- have been introduced to control the support for the three possible
- TLS 1.3 key exchange modes.
+ * Mbed TLS now supports TLS 1.3 key establishment via pre-shared keys.
+ The pre-shared keys can be provisioned externally or via the ticket
+ mechanism (session resumption).
+ The ticket mechanism is supported when the configuration option
+ MBEDTLS_SSL_SESSION_TICKETS is enabled.
+ New options MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_xxx_ENABLED
+ control the support for the three possible TLS 1.3 key exchange modes.
diff --git a/doxygen/input/doc_encdec.h b/doxygen/input/doc_encdec.h
index 96734bd..ec149ae 100644
--- a/doxygen/input/doc_encdec.h
+++ b/doxygen/input/doc_encdec.h
@@ -38,7 +38,7 @@
* All symmetric encryption algorithms are accessible via the generic cipher layer
* (see \c mbedtls_cipher_setup()).
*
- * The asymmetric encryptrion algorithms are accessible via the generic public
+ * The asymmetric encryption algorithms are accessible via the generic public
* key layer (see \c mbedtls_pk_init()).
*
* The following algorithms are provided:
diff --git a/include/mbedtls/asn1write.h b/include/mbedtls/asn1write.h
index 5554720..e6f0479 100644
--- a/include/mbedtls/asn1write.h
+++ b/include/mbedtls/asn1write.h
@@ -352,7 +352,7 @@
* the existing buffer to fit \p val_len.
*
* \return A pointer to the new / existing entry on success.
- * \return \c NULL if if there was a memory allocation error.
+ * \return \c NULL if there was a memory allocation error.
*/
mbedtls_asn1_named_data *mbedtls_asn1_store_named_data( mbedtls_asn1_named_data **list,
const char *oid, size_t oid_len,
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 7f55580..04e43e3 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -32,6 +32,8 @@
#error "mbed TLS requires a platform with 8-bit chars"
#endif
+#include <stdint.h>
+
#if defined(_WIN32)
#if !defined(MBEDTLS_PLATFORM_C)
#error "MBEDTLS_PLATFORM_C is required on Windows"
@@ -849,6 +851,13 @@
#error "MBEDTLS_SSL_EARLY_DATA defined, but not all prerequisites"
#endif
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C) && \
+ ( !defined(MBEDTLS_SSL_MAX_EARLY_DATA_SIZE) || \
+ ( MBEDTLS_SSL_MAX_EARLY_DATA_SIZE < 0 ) || \
+ ( MBEDTLS_SSL_MAX_EARLY_DATA_SIZE > UINT32_MAX ) )
+#error "MBEDTLS_SSL_MAX_EARLY_DATA_SIZE MUST be defined and in range(0..UINT32_MAX)"
+#endif
+
#if defined(MBEDTLS_SSL_PROTO_DTLS) && \
!defined(MBEDTLS_SSL_PROTO_TLS1_2)
#error "MBEDTLS_SSL_PROTO_DTLS defined, but not all prerequisites"
@@ -905,7 +914,7 @@
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT) && \
!defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
-#error "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT defined, but not all prerequsites"
+#error "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT) && MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT != 0
diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h
index 5b27dda..5727c5e 100644
--- a/include/mbedtls/config_psa.h
+++ b/include/mbedtls/config_psa.h
@@ -7,7 +7,7 @@
* those definitions to define symbols used in the library code.
*
* Users and integrators should not edit this file, please edit
- * include/mbedtls/mbedtls_config.h for MBETLS_XXX settings or
+ * include/mbedtls/mbedtls_config.h for MBEDTLS_XXX settings or
* include/psa/crypto_config.h for PSA_WANT_XXX settings.
*/
/*
diff --git a/include/mbedtls/lms.h b/include/mbedtls/lms.h
index fe87d40..1179cd1 100644
--- a/include/mbedtls/lms.h
+++ b/include/mbedtls/lms.h
@@ -58,7 +58,7 @@
#define MBEDTLS_LMS_TYPE_LEN (4)
#define MBEDTLS_LMS_H_TREE_HEIGHT(type) ((type) == MBEDTLS_LMS_SHA256_M32_H10 ? 10u : 0)
-/* The length of a hash output, Currently only imlemented for SHA256.
+/* The length of a hash output, Currently only implemented for SHA256.
* Max is 32 bytes.
*/
#define MBEDTLS_LMS_M_NODE_BYTES(type) ((type) == MBEDTLS_LMS_SHA256_M32_H10 ? 32 : 0)
@@ -82,7 +82,7 @@
/** The Identifier of the LMS parameter set, as per
* https://www.iana.org/assignments/leighton-micali-signatures/leighton-micali-signatures.xhtml
- * We are only implementing a subset of the types, particularly H10, for the sake of simplicty.
+ * We are only implementing a subset of the types, particularly H10, for the sake of simplicity.
*/
typedef enum {
MBEDTLS_LMS_SHA256_M32_H10 = 0x6,
@@ -90,7 +90,7 @@
/** The Identifier of the LMOTS parameter set, as per
* https://www.iana.org/assignments/leighton-micali-signatures/leighton-micali-signatures.xhtml.
- * We are only implementing a subset of the types, particularly N32_W8, for the sake of simplicty.
+ * We are only implementing a subset of the types, particularly N32_W8, for the sake of simplicity.
*/
typedef enum {
MBEDTLS_LMOTS_SHA256_N32_W8 = 4
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index c719073..78c3635 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -1543,7 +1543,7 @@
* Requires: MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
* Requires: MBEDTLS_PSA_CRYPTO_C
*
- * Note: even though TLS 1.3 depends on PSA Crypto, and uses it unconditonally
+ * Note: even though TLS 1.3 depends on PSA Crypto, and uses it unconditionally
* for most operations, if you want it to only use PSA for all crypto
* operations, you need to also enable MBEDTLS_USE_PSA_CRYPTO; otherwise X.509
* operations, and functions that are common with TLS 1.2 (record protection,
@@ -1674,6 +1674,23 @@
//#define MBEDTLS_SSL_EARLY_DATA
/**
+ * \def MBEDTLS_SSL_MAX_EARLY_DATA_SIZE
+ *
+ * The default maximum amount of 0-RTT data. See the documentation of
+ * \c mbedtls_ssl_tls13_conf_max_early_data_size() for more information.
+ *
+ * It must be positive and smaller than UINT32_MAX.
+ *
+ * If MBEDTLS_SSL_EARLY_DATA is not defined, this default value does not
+ * have any impact on the build.
+ *
+ * This feature is experimental, not completed and thus not ready for
+ * production.
+ *
+ */
+#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024
+
+/**
* \def MBEDTLS_SSL_PROTO_DTLS
*
* Enable support for DTLS (all available versions).
@@ -2817,6 +2834,10 @@
/**
* \def MBEDTLS_PKCS7_C
*
+ * This feature is a work in progress and not ready for production. Testing and
+ * validation is incomplete, and handling of malformed inputs may not be robust.
+ * The API may change.
+ *
* Enable PKCS7 core for using PKCS7 formatted signatures.
* RFC Link - https://tools.ietf.org/html/rfc2315
*
@@ -2828,7 +2849,7 @@
*
* This module is required for the PKCS7 parsing modules.
*/
-#define MBEDTLS_PKCS7_C
+//#define MBEDTLS_PKCS7_C
/**
* \def MBEDTLS_PKCS12_C
diff --git a/include/mbedtls/pkcs12.h b/include/mbedtls/pkcs12.h
index 1b87aea..327996a 100644
--- a/include/mbedtls/pkcs12.h
+++ b/include/mbedtls/pkcs12.h
@@ -94,7 +94,7 @@
* no byte order mark and with a null terminator (i.e. the
* last two bytes should be 0x00 0x00).
* \param pwdlen length of the password (may be 0).
- * \param salt Salt buffer to use This may only be \c NULL when
+ * \param salt Salt buffer to use. This may only be \c NULL when
* \p saltlen is 0.
* \param saltlen length of the salt (may be zero)
* \param mbedtls_md mbedtls_md type to use during the derivation
diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h
index 52895ac..bf61a63 100644
--- a/include/mbedtls/pkcs7.h
+++ b/include/mbedtls/pkcs7.h
@@ -22,6 +22,11 @@
*/
/**
+ * This feature is a work in progress and not ready for production. The API may
+ * change. Furthermore, please note that the implementation has only been
+ * validated with well-formed inputs, not yet with untrusted inputs (which is
+ * almost always the case in practice).
+ *
* Note: For the time being, this implementation of the PKCS7 cryptographic
* message syntax is a partial implementation of RFC 2315.
* Differences include:
@@ -179,7 +184,7 @@
*
* \param pkcs7 The pkcs7 structure to be filled by parser for the output.
* \param buf The buffer holding the DER encoded pkcs7.
- * \param buflen The size in Bytes of \p buf.
+ * \param buflen The size in bytes of \p buf.
*
* \note This function makes an internal copy of the PKCS7 buffer
* \p buf. In particular, \p buf may be destroyed or reused
@@ -192,7 +197,18 @@
const size_t buflen );
/**
- * \brief Verification of PKCS7 signature.
+ * \brief Verification of PKCS7 signature against a caller-supplied
+ * certificate.
+ *
+ * For each signer in the PKCS structure, this function computes
+ * a signature over the supplied data, using the supplied
+ * certificate and the same digest algorithm as specified by the
+ * signer. It then compares this signature against the
+ * signer's signature; verification succeeds if any comparison
+ * matches.
+ *
+ * This function does not use the certificates held within the
+ * PKCS7 structure itself.
*
* \param pkcs7 PKCS7 structure containing signature.
* \param cert Certificate containing key to verify signature.
@@ -202,7 +218,7 @@
* \note This function internally calculates the hash on the supplied
* plain data for signature verification.
*
- * \return A negative error code on failure.
+ * \return 0 if the signature verifies, or a negative error code on failure.
*/
int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7,
const mbedtls_x509_crt *cert,
@@ -210,7 +226,18 @@
size_t datalen );
/**
- * \brief Verification of PKCS7 signature.
+ * \brief Verification of PKCS7 signature against a caller-supplied
+ * certificate.
+ *
+ * For each signer in the PKCS structure, this function computes
+ * a signature over the supplied hash, using the supplied
+ * certificate and the same digest algorithm as specified by the
+ * signer. It then compares this signature against the
+ * signer's signature; verification succeeds if any comparison
+ * matches.
+ *
+ * This function does not use the certificates held within the
+ * PKCS7 structure itself.
*
* \param pkcs7 PKCS7 structure containing signature.
* \param cert Certificate containing key to verify signature.
@@ -218,9 +245,9 @@
* \param hashlen Length of the hash.
*
* \note This function is different from mbedtls_pkcs7_signed_data_verify()
- * in a way that it directly recieves the hash of the data.
+ * in a way that it directly receives the hash of the data.
*
- * \return A negative error code on failure.
+ * \return 0 if the signature verifies, or a negative error code on failure.
*/
int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7,
const mbedtls_x509_crt *cert,
diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h
index 002551f..2bfaf8f 100644
--- a/include/mbedtls/rsa.h
+++ b/include/mbedtls/rsa.h
@@ -239,7 +239,7 @@
* \param N The RSA modulus. This may be \c NULL.
* \param N_len The Byte length of \p N; it is ignored if \p N == NULL.
* \param P The first prime factor of \p N. This may be \c NULL.
- * \param P_len The Byte length of \p P; it ns ignored if \p P == NULL.
+ * \param P_len The Byte length of \p P; it is ignored if \p P == NULL.
* \param Q The second prime factor of \p N. This may be \c NULL.
* \param Q_len The Byte length of \p Q; it is ignored if \p Q == NULL.
* \param D The private exponent. This may be \c NULL.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 3165cd5..3f48377 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1527,6 +1527,12 @@
int MBEDTLS_PRIVATE(early_data_enabled); /*!< Early data enablement:
* - MBEDTLS_SSL_EARLY_DATA_DISABLED,
* - MBEDTLS_SSL_EARLY_DATA_ENABLED */
+
+#if defined(MBEDTLS_SSL_SRV_C)
+ /* The maximum amount of 0-RTT data. RFC 8446 section 4.6.1 */
+ uint32_t MBEDTLS_PRIVATE(max_early_data_size);
+#endif /* MBEDTLS_SSL_SRV_C */
+
#endif /* MBEDTLS_SSL_EARLY_DATA */
#if defined(MBEDTLS_SSL_ALPN)
@@ -1964,6 +1970,35 @@
*/
void mbedtls_ssl_tls13_conf_early_data( mbedtls_ssl_config *conf,
int early_data_enabled );
+
+#if defined(MBEDTLS_SSL_SRV_C)
+/**
+ * \brief Set the maximum amount of 0-RTT data in bytes
+ * Default: #MBEDTLS_SSL_MAX_EARLY_DATA_SIZE
+ *
+ * This function sets the value of the max_early_data_size
+ * field of the early data indication extension included in
+ * the NewSessionTicket messages that the server may send.
+ *
+ * The value defines the maximum amount of 0-RTT data
+ * in bytes that a client will be allowed to send when using
+ * one of the tickets defined by the NewSessionTicket messages.
+ *
+ * \note When resuming a session using a ticket, if the server receives more
+ * early data than allowed for the ticket, it terminates the connection.
+ * The maximum amount of 0-RTT data should thus be large enough
+ * to allow a minimum of early data to be exchanged.
+ *
+ * \param[in] conf The SSL configuration to use.
+ * \param[in] max_early_data_size The maximum amount of 0-RTT data.
+ *
+ * \warning This interface is experimental and may change without notice.
+ *
+ */
+void mbedtls_ssl_tls13_conf_max_early_data_size(
+ mbedtls_ssl_config *conf, uint32_t max_early_data_size );
+#endif /* MBEDTLS_SSL_SRV_C */
+
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_EARLY_DATA */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
@@ -2136,7 +2171,7 @@
* the `ServerHello` contains the CID extension, too,
* the CID extension will actually be put to use.
* - On the Server, enabling the use of the CID through
- * this call implies that that the server will look for
+ * this call implies that the server will look for
* the CID extension in a `ClientHello` from the client,
* and, if present, reply with a CID extension in its
* `ServerHello`.
@@ -2582,7 +2617,7 @@
* \note The library stores \c p without accessing it. It is the responsibility
* of the caller to ensure that the pointer remains valid.
*
- * \param ssl The SSL context context to modify.
+ * \param ssl The SSL context to modify.
* \param p The new value of the user data.
*/
static inline void mbedtls_ssl_set_user_data_p(
@@ -2596,7 +2631,7 @@
*
* You can retrieve this value later with mbedtls_ssl_get_user_data_n().
*
- * \param ssl The SSL context context to modify.
+ * \param ssl The SSL context to modify.
* \param n The new value of the user data.
*/
static inline void mbedtls_ssl_set_user_data_n(
@@ -2613,7 +2648,7 @@
* called. The value is undefined if mbedtls_ssl_set_user_data_n() has
* been called without a subsequent call to mbedtls_ssl_set_user_data_p().
*
- * \param ssl The SSL context context to modify.
+ * \param ssl The SSL context to modify.
* \return The current value of the user data.
*/
static inline void *mbedtls_ssl_get_user_data_p(
@@ -2629,7 +2664,7 @@
* called. The value is undefined if mbedtls_ssl_set_user_data_p() has
* been called without a subsequent call to mbedtls_ssl_set_user_data_n().
*
- * \param ssl The SSL context context to modify.
+ * \param ssl The SSL context to modify.
* \return The current value of the user data.
*/
static inline uintptr_t mbedtls_ssl_get_user_data_n(
diff --git a/include/psa/crypto.h b/include/psa/crypto.h
index a71ca3f..03181ed 100644
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@@ -525,7 +525,7 @@
*
* This function destroys a key from both volatile
* memory and, if applicable, non-volatile storage. Implementations shall
- * make a best effort to ensure that that the key material cannot be recovered.
+ * make a best effort to ensure that the key material cannot be recovered.
*
* This function also erases any metadata such as policies and frees
* resources associated with the key.
@@ -3823,7 +3823,7 @@
* compares those bytes to an expected value, provided as key of type
* #PSA_KEY_TYPE_PASSWORD_HASH.
* If you view the key derivation's output as a stream of bytes, this
- * function destructively reads the number of bytes corresponding the the
+ * function destructively reads the number of bytes corresponding to the
* length of the expected value from the stream before comparing them.
* The operation's capacity decreases by the number of bytes read.
*
diff --git a/include/psa/crypto_se_driver.h b/include/psa/crypto_se_driver.h
index f0252c8..225fb17 100644
--- a/include/psa/crypto_se_driver.h
+++ b/include/psa/crypto_se_driver.h
@@ -226,7 +226,7 @@
* operation by comparing the resulting MAC against a provided value
*
* \param[in,out] op_context A hardware-specific structure for the previously
- * started MAC operation to be fiinished
+ * started MAC operation to be finished
* \param[in] p_mac The MAC value against which the resulting MAC
* will be compared against
* \param[in] mac_length The size in bytes of the value stored in `p_mac`
@@ -337,7 +337,7 @@
/** Function that completes a MAC operation with a verify check
*/
psa_drv_se_mac_finish_verify_t MBEDTLS_PRIVATE(p_finish_verify);
- /** Function that aborts a previoustly started MAC operation
+ /** Function that aborts a previously started MAC operation
*/
psa_drv_se_mac_abort_t MBEDTLS_PRIVATE(p_abort);
/** Function that performs a MAC operation in one call
@@ -746,7 +746,7 @@
size_t ciphertext_size,
size_t *p_ciphertext_length);
-/** A function that peforms a secure element authenticated decryption operation
+/** A function that performs a secure element authenticated decryption operation
*
* \param[in,out] drv_context The driver context structure.
* \param[in] key_slot Slot containing the key to use
@@ -1157,7 +1157,7 @@
*
* Different key derivation algorithms require a different number of inputs.
* Instead of having an API that takes as input variable length arrays, which
- * can be problemmatic to manage on embedded platforms, the inputs are passed
+ * can be problematic to manage on embedded platforms, the inputs are passed
* to the driver via a function, `psa_drv_se_key_derivation_collateral`, that
* is called multiple times with different `collateral_id`s. Thus, for a key
* derivation algorithm that required 3 parameter inputs, the flow would look
@@ -1271,7 +1271,7 @@
psa_drv_se_key_derivation_collateral_t MBEDTLS_PRIVATE(p_collateral);
/** Function that performs a final key derivation step */
psa_drv_se_key_derivation_derive_t MBEDTLS_PRIVATE(p_derive);
- /** Function that perforsm a final key derivation or agreement and
+ /** Function that performs a final key derivation or agreement and
* exports the key */
psa_drv_se_key_derivation_export_t MBEDTLS_PRIVATE(p_export);
} psa_drv_se_key_derivation_t;
diff --git a/include/psa/crypto_sizes.h b/include/psa/crypto_sizes.h
index 231ea62..b42b2df 100644
--- a/include/psa/crypto_sizes.h
+++ b/include/psa/crypto_sizes.h
@@ -717,7 +717,7 @@
(PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(key_bits) + 11)
/* Maximum size of the export encoding of an RSA key pair.
- * Assumes thatthe public exponent is less than 2^32 and that the size
+ * Assumes that the public exponent is less than 2^32 and that the size
* difference between the two primes is at most 1 bit.
*
* RSAPrivateKey ::= SEQUENCE {
diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h
index 739062d..af61aea 100644
--- a/include/psa/crypto_types.h
+++ b/include/psa/crypto_types.h
@@ -297,7 +297,7 @@
#else /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
/* Implementation-specific: The Mbed Cryptography library can be built as
- * part of a multi-client service that exposes the PSA Cryptograpy API in each
+ * part of a multi-client service that exposes the PSA Cryptography API in each
* client and encodes the client identity in the key identifier argument of
* functions such as psa_open_key().
*/
diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h
index b465ddb..c9c1ec0 100644
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@@ -2577,7 +2577,7 @@
*
* This flag allows the key to be used for a MAC verification operation
* or for an asymmetric signature verification operation,
- * if otherwise permitted by by the key's type and policy.
+ * if otherwise permitted by the key's type and policy.
*
* For a key pair, this concerns the public key.
*/
@@ -2587,7 +2587,7 @@
* hash.
*
* This flag allows the key to be used for a key derivation operation or for
- * a key agreement operation, if otherwise permitted by by the key's type and
+ * a key agreement operation, if otherwise permitted by the key's type and
* policy.
*
* If this flag is present on all keys used in calls to
@@ -2603,7 +2603,7 @@
* This flag allows the key to be used:
*
* This flag allows the key to be used in a key derivation operation, if
- * otherwise permitted by by the key's type and policy.
+ * otherwise permitted by the key's type and policy.
*
* If this flag is present on all keys used in calls to
* psa_key_derivation_input_key() for a key derivation operation, then it
diff --git a/library/aes.c b/library/aes.c
index 7d03524..319d9bb 100644
--- a/library/aes.c
+++ b/library/aes.c
@@ -1112,7 +1112,7 @@
{
/* We are on the last block in a decrypt operation that has
* leftover bytes, so we need to use the next tweak for this block,
- * and this tweak for the lefover bytes. Save the current tweak for
+ * and this tweak for the leftover bytes. Save the current tweak for
* the leftovers and then update the current tweak for use on this,
* the last full block. */
memcpy( prev_tweak, tweak, sizeof( tweak ) );
diff --git a/library/bignum_core.c b/library/bignum_core.c
index 6635351..30fc661 100644
--- a/library/bignum_core.c
+++ b/library/bignum_core.c
@@ -596,6 +596,19 @@
return( wsize );
}
+size_t mbedtls_mpi_core_exp_mod_working_limbs( size_t AN_limbs, size_t E_limbs )
+{
+ const size_t wsize = exp_mod_get_window_size( E_limbs * biL );
+ const size_t welem = ( (size_t) 1 ) << wsize;
+
+ /* How big does each part of the working memory pool need to be? */
+ const size_t table_limbs = welem * AN_limbs;
+ const size_t select_limbs = AN_limbs;
+ const size_t temp_limbs = 2 * AN_limbs + 1;
+
+ return( table_limbs + select_limbs + temp_limbs );
+}
+
static void exp_mod_precompute_window( const mbedtls_mpi_uint *A,
const mbedtls_mpi_uint *N,
size_t AN_limbs,
@@ -610,9 +623,9 @@
Wtable[0] = 1;
mbedtls_mpi_core_montmul( Wtable, Wtable, RR, AN_limbs, N, AN_limbs, mm, temp );
- /* W[1] = A * R^2 * R^-1 mod N = A * R mod N */
+ /* W[1] = A (already in Montgomery presentation) */
mbedtls_mpi_uint *W1 = Wtable + AN_limbs;
- mbedtls_mpi_core_montmul( W1, A, RR, AN_limbs, N, AN_limbs, mm, temp );
+ memcpy( W1, A, AN_limbs * ciL );
/* W[i+1] = W[i] * W[1], i >= 2 */
mbedtls_mpi_uint *Wprev = W1;
@@ -626,6 +639,8 @@
/* Exponentiation: X := A^E mod N.
*
+ * A must already be in Montgomery form.
+ *
* As in other bignum functions, assume that AN_limbs and E_limbs are nonzero.
*
* RR must contain 2^{2*biL} mod N.
@@ -634,35 +649,27 @@
* (The difference is that the body in our loop processes a single bit instead
* of a full window.)
*/
-int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- const mbedtls_mpi_uint *N,
- size_t AN_limbs,
- const mbedtls_mpi_uint *E,
- size_t E_limbs,
- const mbedtls_mpi_uint *RR )
+void mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *N,
+ size_t AN_limbs,
+ const mbedtls_mpi_uint *E,
+ size_t E_limbs,
+ const mbedtls_mpi_uint *RR,
+ mbedtls_mpi_uint *T )
{
const size_t wsize = exp_mod_get_window_size( E_limbs * biL );
const size_t welem = ( (size_t) 1 ) << wsize;
- /* Allocate memory pool and set pointers to parts of it */
- const size_t table_limbs = welem * AN_limbs;
- const size_t temp_limbs = 2 * AN_limbs + 1;
- const size_t select_limbs = AN_limbs;
- const size_t total_limbs = table_limbs + temp_limbs + select_limbs;
+ /* This is how we will use the temporary storage T, which must have space
+ * for table_limbs, select_limbs and (2 * AN_limbs + 1) for montmul. */
+ const size_t table_limbs = welem * AN_limbs;
+ const size_t select_limbs = AN_limbs;
- /* heap allocated memory pool */
- mbedtls_mpi_uint *mempool =
- mbedtls_calloc( total_limbs, sizeof(mbedtls_mpi_uint) );
- if( mempool == NULL )
- {
- return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
- }
-
- /* pointers to temporaries within memory pool */
- mbedtls_mpi_uint *const Wtable = mempool;
- mbedtls_mpi_uint *const Wselect = Wtable + table_limbs;
- mbedtls_mpi_uint *const temp = Wselect + select_limbs;
+ /* Pointers to specific parts of the temporary working memory pool */
+ mbedtls_mpi_uint *const Wtable = T;
+ mbedtls_mpi_uint *const Wselect = Wtable + table_limbs;
+ mbedtls_mpi_uint *const temp = Wselect + select_limbs;
/*
* Window precomputation
@@ -729,14 +736,6 @@
}
}
while( ! ( E_bit_index == 0 && E_limb_index == 0 ) );
-
- /* Convert X back to normal presentation */
- const mbedtls_mpi_uint one = 1;
- mbedtls_mpi_core_montmul( X, X, &one, 1, N, AN_limbs, mm, temp );
-
- mbedtls_platform_zeroize( mempool, total_limbs * sizeof(mbedtls_mpi_uint) );
- mbedtls_free( mempool );
- return( 0 );
}
/* END MERGE SLOT 1 */
diff --git a/library/bignum_core.h b/library/bignum_core.h
index 24559c6..add7fee 100644
--- a/library/bignum_core.h
+++ b/library/bignum_core.h
@@ -499,27 +499,50 @@
/* BEGIN MERGE SLOT 1 */
/**
- * \brief Perform a modular exponentiation with secret exponent:
- * X = A^E mod N
+ * \brief Returns the number of limbs of working memory required for
+ * a call to `mbedtls_mpi_core_exp_mod()`.
*
- * \param[out] X The destination MPI, as a little endian array of length
- * \p AN_limbs.
- * \param[in] A The base MPI, as a little endian array of length \p AN_limbs.
- * \param[in] N The modulus, as a little endian array of length \p AN_limbs.
- * \param AN_limbs The number of limbs in \p X, \p A, \p N, \p RR.
- * \param[in] E The exponent, as a little endian array of length \p E_limbs.
- * \param E_limbs The number of limbs in \p E.
- * \param[in] RR The precomputed residue of 2^{2*biL} modulo N, as a little
- * endian array of length \p AN_limbs.
+ * \param AN_limbs The number of limbs in the input `A` and the modulus `N`
+ * (they must be the same size) that will be given to
+ * `mbedtls_mpi_core_exp_mod()`.
+ * \param E_limbs The number of limbs in the exponent `E` that will be given
+ * to `mbedtls_mpi_core_exp_mod()`.
*
- * \return \c 0 if successful.
- * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return The number of limbs of working memory required by
+ * `mbedtls_mpi_core_exp_mod()`.
*/
-int mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X,
- const mbedtls_mpi_uint *A,
- const mbedtls_mpi_uint *N, size_t AN_limbs,
- const mbedtls_mpi_uint *E, size_t E_limbs,
- const mbedtls_mpi_uint *RR );
+size_t mbedtls_mpi_core_exp_mod_working_limbs( size_t AN_limbs, size_t E_limbs );
+
+/**
+ * \brief Perform a modular exponentiation with secret exponent:
+ * X = A^E mod N, where \p A is already in Montgomery form.
+ *
+ * \param[out] X The destination MPI, as a little endian array of length
+ * \p AN_limbs.
+ * \param[in] A The base MPI, as a little endian array of length \p AN_limbs.
+ * Must be in Montgomery form.
+ * \param[in] N The modulus, as a little endian array of length \p AN_limbs.
+ * \param AN_limbs The number of limbs in \p X, \p A, \p N, \p RR.
+ * \param[in] E The exponent, as a little endian array of length \p E_limbs.
+ * \param E_limbs The number of limbs in \p E.
+ * \param[in] RR The precomputed residue of 2^{2*biL} modulo N, as a little
+ * endian array of length \p AN_limbs.
+ * \param[in,out] T Temporary storage of at least the number of limbs returned
+ * by `mbedtls_mpi_core_exp_mod_working_limbs()`.
+ * Its initial content is unused and its final content is
+ * indeterminate.
+ * It must not alias or otherwise overlap any of the other
+ * parameters.
+ * It is up to the caller to zeroize \p T when it is no
+ * longer needed, and before freeing it if it was dynamically
+ * allocated.
+ */
+void mbedtls_mpi_core_exp_mod( mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *N, size_t AN_limbs,
+ const mbedtls_mpi_uint *E, size_t E_limbs,
+ const mbedtls_mpi_uint *RR,
+ mbedtls_mpi_uint *T );
/* END MERGE SLOT 1 */
diff --git a/library/bignum_mod.c b/library/bignum_mod.c
index 7a5539d..7cf2fb2 100644
--- a/library/bignum_mod.c
+++ b/library/bignum_mod.c
@@ -179,7 +179,18 @@
/* END MERGE SLOT 2 */
/* BEGIN MERGE SLOT 3 */
+int mbedtls_mpi_mod_sub( mbedtls_mpi_mod_residue *X,
+ const mbedtls_mpi_mod_residue *A,
+ const mbedtls_mpi_mod_residue *B,
+ const mbedtls_mpi_mod_modulus *N )
+{
+ if( X->limbs != N->limbs || A->limbs != N->limbs || B->limbs != N->limbs )
+ return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+ mbedtls_mpi_mod_raw_sub( X->p, A->p, B->p, N );
+
+ return( 0 );
+}
/* END MERGE SLOT 3 */
/* BEGIN MERGE SLOT 4 */
diff --git a/library/bignum_mod.h b/library/bignum_mod.h
index d92f21e..0a8f4d3 100644
--- a/library/bignum_mod.h
+++ b/library/bignum_mod.h
@@ -163,7 +163,35 @@
/* END MERGE SLOT 2 */
/* BEGIN MERGE SLOT 3 */
-
+/**
+ * \brief Perform a fixed-size modular subtraction.
+ *
+ * Calculate `A - B modulo N`.
+ *
+ * \p A, \p B and \p X must all have the same number of limbs as \p N.
+ *
+ * \p X may be aliased to \p A or \p B, or even both, but may not overlap
+ * either otherwise.
+ *
+ * \note This function does not check that \p A or \p B are in canonical
+ * form (that is, are < \p N) - that will have been done by
+ * mbedtls_mpi_mod_residue_setup().
+ *
+ * \param[out] X The address of the result MPI. Must be initialized.
+ * Must have the same number of limbs as the modulus \p N.
+ * \param[in] A The address of the first MPI.
+ * \param[in] B The address of the second MPI.
+ * \param[in] N The address of the modulus. Used to perform a modulo
+ * operation on the result of the subtraction.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the given MPIs do not
+ * have the correct number of limbs.
+ */
+int mbedtls_mpi_mod_sub( mbedtls_mpi_mod_residue *X,
+ const mbedtls_mpi_mod_residue *A,
+ const mbedtls_mpi_mod_residue *B,
+ const mbedtls_mpi_mod_modulus *N );
/* END MERGE SLOT 3 */
/* BEGIN MERGE SLOT 4 */
diff --git a/library/ccm.c b/library/ccm.c
index 3edfba3..675783e 100644
--- a/library/ccm.c
+++ b/library/ccm.c
@@ -144,7 +144,7 @@
unsigned char i;
size_t len_left, olen;
- /* length calulcation can be done only after both
+ /* length calculation can be done only after both
* mbedtls_ccm_starts() and mbedtls_ccm_set_lengths() have been executed
*/
if( !(ctx->state & CCM_STATE__STARTED) || !(ctx->state & CCM_STATE__LENGTHS_SET) )
diff --git a/library/debug.c b/library/debug.c
index 6114a46..78ce9ce 100644
--- a/library/debug.c
+++ b/library/debug.c
@@ -107,7 +107,7 @@
/*
* With non-blocking I/O and examples that just retry immediately,
* the logs would be quickly flooded with WANT_READ, so ignore that.
- * Don't ignore WANT_WRITE however, since is is usually rare.
+ * Don't ignore WANT_WRITE however, since it is usually rare.
*/
if( ret == MBEDTLS_ERR_SSL_WANT_READ )
return;
diff --git a/library/lmots.h b/library/lmots.h
index 39e8699..022dcf3 100644
--- a/library/lmots.h
+++ b/library/lmots.h
@@ -139,7 +139,7 @@
* this public key.
*
* \param ctx The initialized LMOTS context that contains the
- * publc key.
+ * public key.
* \param key The buffer into which the key will be output. Must
* be at least #MBEDTLS_LMOTS_PUBLIC_KEY_LEN in size.
*
diff --git a/library/mps_reader.c b/library/mps_reader.c
index 6f823bd..df97b6c 100644
--- a/library/mps_reader.c
+++ b/library/mps_reader.c
@@ -530,7 +530,7 @@
* of the accumulator. */
memmove( acc, acc + acc_backup_offset, acc_backup_len );
- /* Copy uncmmitted parts of the current fragment to the
+ /* Copy uncommitted parts of the current fragment to the
* accumulator. */
memcpy( acc + acc_backup_len,
frag + frag_backup_offset, frag_backup_len );
diff --git a/library/pkcs7.c b/library/pkcs7.c
index e4238b6..5b22afa 100644
--- a/library/pkcs7.c
+++ b/library/pkcs7.c
@@ -314,7 +314,7 @@
if( ret != 0 )
goto out;
- /* Asssume authenticatedAttributes is nonexistent */
+ /* Assume authenticatedAttributes is nonexistent */
ret = pkcs7_get_digest_algorithm( p, end_signer, &signer->sig_alg_identifier );
if( ret != 0 )
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index c73f342..cb5791f 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -5998,7 +5998,7 @@
if( status != PSA_SUCCESS )
return( status );
/* Breaking up a request into smaller chunks is currently not supported
- * for the extrernal RNG interface. */
+ * for the external RNG interface. */
if( output_length != output_size )
return( PSA_ERROR_INSUFFICIENT_ENTROPY );
return( PSA_SUCCESS );
diff --git a/library/psa_crypto_se.h b/library/psa_crypto_se.h
index 549dfb6..693c3ea 100644
--- a/library/psa_crypto_se.h
+++ b/library/psa_crypto_se.h
@@ -139,7 +139,7 @@
psa_se_drv_table_entry_t *driver,
psa_key_slot_number_t *slot_number );
-/** Destoy a key in a secure element.
+/** Destroy a key in a secure element.
*
* This function calls the relevant driver method to destroy a key
* and updates the driver's persistent data.
diff --git a/library/ssl_client.c b/library/ssl_client.c
index 0f0ea1d..2c4ce43 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -784,7 +784,7 @@
/*
* Generate the random bytes, except when responding to a verify request
- * where we MUST reuse the previoulsy generated random bytes
+ * where we MUST reuse the previously generated random bytes
* (RFC 6347 4.2.1).
*/
#if defined(MBEDTLS_SSL_PROTO_DTLS)
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 53d50f2..5808cab 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -143,7 +143,7 @@
MBEDTLS_SSL_EXT_MASK( TRUNCATED_HMAC ) | \
MBEDTLS_SSL_EXT_MASK( UNRECOGNIZED ) )
-/* RFC 8446 section 4.2. Allowed extensions for ClienHello */
+/* RFC 8446 section 4.2. Allowed extensions for ClientHello */
#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH \
( MBEDTLS_SSL_EXT_MASK( SERVERNAME ) | \
MBEDTLS_SSL_EXT_MASK( MAX_FRAGMENT_LENGTH ) | \
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 040dc80..e4d50db 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -691,7 +691,7 @@
int auth_done = 0;
unsigned char * data;
/* For an explanation of the additional data length see
- * the descrpition of ssl_extract_add_data_from_record().
+ * the description of ssl_extract_add_data_from_record().
*/
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
unsigned char add_data[23 + MBEDTLS_SSL_CID_OUT_LEN_MAX];
@@ -1289,7 +1289,7 @@
#endif
unsigned char* data;
/* For an explanation of the additional data length see
- * the descrpition of ssl_extract_add_data_from_record().
+ * the description of ssl_extract_add_data_from_record().
*/
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
unsigned char add_data[23 + MBEDTLS_SSL_CID_IN_LEN_MAX];
@@ -4098,7 +4098,7 @@
if( hs == NULL )
return( -1 );
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_messsage" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_message" ) );
if( ssl->state == MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC ||
ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 2fcc950..9bb9dc2 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1704,6 +1704,15 @@
{
conf->early_data_enabled = early_data_enabled;
}
+
+#if defined(MBEDTLS_SSL_SRV_C)
+void mbedtls_ssl_tls13_conf_max_early_data_size(
+ mbedtls_ssl_config *conf, uint32_t max_early_data_size )
+{
+ conf->max_early_data_size = max_early_data_size;
+}
+#endif /* MBEDTLS_SSL_SRV_C */
+
#endif /* MBEDTLS_SSL_EARLY_DATA */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
@@ -5117,6 +5126,15 @@
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ mbedtls_ssl_tls13_conf_early_data( conf, MBEDTLS_SSL_EARLY_DATA_DISABLED );
+#if defined(MBEDTLS_SSL_SRV_C)
+ mbedtls_ssl_tls13_conf_max_early_data_size(
+ conf, MBEDTLS_SSL_MAX_EARLY_DATA_SIZE );
+#endif
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
mbedtls_ssl_conf_new_session_tickets(
conf, MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS );
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index 5def8b6..7a17452 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -1971,8 +1971,8 @@
}
/*
- * Note: we currently ignore the PKS identity hint, as we only allow one
- * PSK to be provisionned on the client. This could be changed later if
+ * Note: we currently ignore the PSK identity hint, as we only allow one
+ * PSK to be provisioned on the client. This could be changed later if
* someone needs that feature.
*/
*p += len;
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index ce8767c..6caae89 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -634,7 +634,7 @@
if( p_identity_len != identities_end || p_binder_len != binders_end )
{
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key extesion decode error" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key extension decode error" ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
MBEDTLS_ERR_SSL_DECODE_ERROR );
return( MBEDTLS_ERR_SSL_DECODE_ERROR );
diff --git a/library/x509.c b/library/x509.c
index 362e036..be87973 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -233,7 +233,7 @@
*
* RFC 4055 (which defines use of RSASSA-PSS in PKIX) states that the value
* of trailerField MUST be 1, and PKCS#1 v2.2 doesn't even define any other
- * option. Enfore this at parsing time.
+ * option. Enforce this at parsing time.
*/
int mbedtls_x509_get_rsassa_pss_params( const mbedtls_x509_buf *params,
mbedtls_md_type_t *md_alg, mbedtls_md_type_t *mgf_md,
diff --git a/library/x509_crl.c b/library/x509_crl.c
index d830fcd..dc2d2e3 100644
--- a/library/x509_crl.c
+++ b/library/x509_crl.c
@@ -1,5 +1,5 @@
/*
- * X.509 Certidicate Revocation List (CRL) parsing
+ * X.509 Certificate Revocation List (CRL) parsing
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
diff --git a/programs/pkey/dh_genprime.c b/programs/pkey/dh_genprime.c
index 331838b..3e81d13 100644
--- a/programs/pkey/dh_genprime.c
+++ b/programs/pkey/dh_genprime.c
@@ -42,7 +42,7 @@
#define USAGE \
"\n usage: dh_genprime param=<>...\n" \
- "\n acceprable parameters:\n" \
+ "\n acceptable parameters:\n" \
" bits=%%d default: 2048\n"
#define DFL_BITS 2048
diff --git a/programs/psa/aead_demo.c b/programs/psa/aead_demo.c
index c4ed0dd..1efd132 100644
--- a/programs/psa/aead_demo.c
+++ b/programs/psa/aead_demo.c
@@ -104,7 +104,7 @@
/* Run a PSA function and bail out if it fails.
* The symbolic name of the error code can be recovered using:
- * programs/psa/psa_consant_name status <value> */
+ * programs/psa/psa_constant_name status <value> */
#define PSA_CHECK( expr ) \
do \
{ \
diff --git a/programs/psa/hmac_demo.c b/programs/psa/hmac_demo.c
index 6238892..f949a89 100644
--- a/programs/psa/hmac_demo.c
+++ b/programs/psa/hmac_demo.c
@@ -81,7 +81,7 @@
/* Run a PSA function and bail out if it fails.
* The symbolic name of the error code can be recovered using:
- * programs/psa/psa_consant_name status <value> */
+ * programs/psa/psa_constant_name status <value> */
#define PSA_CHECK( expr ) \
do \
{ \
diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c
index 23a34e0..d13ea28 100644
--- a/programs/ssl/dtls_client.c
+++ b/programs/ssl/dtls_client.c
@@ -343,5 +343,5 @@
mbedtls_exit( ret );
}
#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_DTLS && MBEDTLS_NET_C &&
- MBEDTLD_TIMING_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C &&
+ MBEDTLS_TIMING_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C &&
MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_RSA_C && MBEDTLS_PEM_PARSE_C */
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 1b4a94a..00624b5 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -129,6 +129,7 @@
#define DFL_SNI NULL
#define DFL_ALPN_STRING NULL
#define DFL_CURVES NULL
+#define DFL_MAX_EARLY_DATA_SIZE 0
#define DFL_SIG_ALGS NULL
#define DFL_DHM_FILE NULL
#define DFL_TRANSPORT MBEDTLS_SSL_TRANSPORT_STREAM
@@ -424,6 +425,15 @@
#define USAGE_ECJPAKE ""
#endif
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+#define USAGE_EARLY_DATA \
+ " max_early_data_size=%%d default: -1 (disabled)\n" \
+ " options: -1 (disabled), " \
+ " >= 0 (enabled, max amount of early data )\n"
+#else
+#define USAGE_EARLY_DATA ""
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
#if defined(MBEDTLS_ECP_C)
#define USAGE_CURVES \
" curves=a,b,c,d default: \"default\" (library default)\n" \
@@ -677,6 +687,7 @@
const char *cid_val_renego; /* the CID to use for incoming messages
* after renegotiation */
int reproducible; /* make communication reproducible */
+ uint32_t max_early_data_size; /* max amount of early data */
int query_config_mode; /* whether to read config */
int use_srtp; /* Support SRTP */
int force_srtp_profile; /* SRTP protection profile to use or all */
@@ -1535,6 +1546,9 @@
};
#endif /* MBEDTLS_SSL_DTLS_SRTP */
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ int tls13_early_data_enabled = MBEDTLS_SSL_EARLY_DATA_DISABLED;
+#endif
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
mbedtls_memory_buffer_alloc_init( alloc_buf, sizeof(alloc_buf) );
#if defined(MBEDTLS_MEMORY_DEBUG)
@@ -1691,6 +1705,7 @@
opt.sni = DFL_SNI;
opt.alpn_string = DFL_ALPN_STRING;
opt.curves = DFL_CURVES;
+ opt.max_early_data_size = DFL_MAX_EARLY_DATA_SIZE;
opt.sig_algs = DFL_SIG_ALGS;
opt.dhm_file = DFL_DHM_FILE;
opt.transport = DFL_TRANSPORT;
@@ -1881,6 +1896,19 @@
else if( strcmp( p, "sig_algs" ) == 0 )
opt.sig_algs = q;
#endif
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ else if( strcmp( p, "max_early_data_size" ) == 0 )
+ {
+ long long value = atoll( q );
+ tls13_early_data_enabled =
+ value >= 0 ? MBEDTLS_SSL_EARLY_DATA_ENABLED :
+ MBEDTLS_SSL_EARLY_DATA_DISABLED;
+ if( tls13_early_data_enabled )
+ {
+ opt.max_early_data_size = atoi( q );
+ }
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA */
else if( strcmp( p, "renegotiation" ) == 0 )
{
opt.renegotiation = (atoi( q )) ?
@@ -1949,7 +1977,7 @@
* is not recommended in practice.
* `psk_or_ephemeral` exists in theory, we need this mode to test if
* this setting work correctly. With this key exchange setting, server
- * should always perform `ephemeral` handshake. `psk` or `psk_ephermal`
+ * should always perform `ephemeral` handshake. `psk` or `psk_ephemeral`
* is not expected.
*/
else if( strcmp( q, "psk_or_ephemeral" ) == 0 )
@@ -2876,6 +2904,15 @@
if( opt.cert_req_ca_list != DFL_CERT_REQ_CA_LIST )
mbedtls_ssl_conf_cert_req_ca_list( &conf, opt.cert_req_ca_list );
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ mbedtls_ssl_tls13_conf_early_data( &conf, tls13_early_data_enabled );
+ if( tls13_early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED )
+ {
+ mbedtls_ssl_tls13_conf_max_early_data_size(
+ &conf, opt.max_early_data_size );
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
/* exercise setting DN hints for server certificate request
* (Intended for use where the client cert expected has been signed by
diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c
index ecb093e..6313c52 100644
--- a/programs/test/benchmark.c
+++ b/programs/test/benchmark.c
@@ -416,7 +416,7 @@
Sleep( alarmMs );
mbedtls_timing_alarmed = 1;
/* _endthread will be called implicitly on return
- * That ensures execution of thread funcition's epilogue */
+ * That ensures execution of thread function's epilogue */
}
static void mbedtls_set_alarm( int seconds )
diff --git a/programs/test/udp_proxy.c b/programs/test/udp_proxy.c
index e3386d1..ccd1303 100644
--- a/programs/test/udp_proxy.c
+++ b/programs/test/udp_proxy.c
@@ -377,7 +377,7 @@
#if defined(MBEDTLS_TIMING_C)
/* Return elapsed time in milliseconds since the first call */
-static unsigned ellapsed_time( void )
+static unsigned elapsed_time( void )
{
static int initialized = 0;
static struct mbedtls_timing_hr_time hires;
@@ -413,9 +413,9 @@
int ret;
mbedtls_printf( " %05u flush %s: %u bytes, %u datagrams, last %u ms\n",
- ellapsed_time(), buf->description,
+ elapsed_time(), buf->description,
(unsigned) buf->len, buf->num_datagrams,
- ellapsed_time() - buf->packet_lifetime );
+ elapsed_time() - buf->packet_lifetime );
ret = mbedtls_net_send( buf->ctx, buf->data, buf->len );
@@ -427,7 +427,7 @@
static unsigned ctx_buffer_time_remaining( ctx_buffer *buf )
{
- unsigned const cur_time = ellapsed_time();
+ unsigned const cur_time = elapsed_time();
if( buf->num_datagrams == 0 )
return( (unsigned) -1 );
@@ -467,7 +467,7 @@
buf->len += len;
if( ++buf->num_datagrams == 1 )
- buf->packet_lifetime = ellapsed_time();
+ buf->packet_lifetime = elapsed_time();
return( (int) len );
}
@@ -517,10 +517,10 @@
#if defined(MBEDTLS_TIMING_C)
if( why == NULL )
mbedtls_printf( " %05u dispatch %s %s (%u bytes)\n",
- ellapsed_time(), p->way, p->type, p->len );
+ elapsed_time(), p->way, p->type, p->len );
else
mbedtls_printf( " %05u dispatch %s %s (%u bytes): %s\n",
- ellapsed_time(), p->way, p->type, p->len, why );
+ elapsed_time(), p->way, p->type, p->len, why );
#else
if( why == NULL )
mbedtls_printf( " dispatch %s %s (%u bytes)\n",
diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c
index 30b389a..4879583 100644
--- a/programs/x509/cert_req.c
+++ b/programs/x509/cert_req.c
@@ -355,7 +355,7 @@
if( ( ret = write_certificate_request( &req, opt.output_file,
mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )
{
- mbedtls_printf( " failed\n ! write_certifcate_request %d", ret );
+ mbedtls_printf( " failed\n ! write_certificate_request %d", ret );
goto exit;
}
diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c
index f9366fe..a8910d7 100644
--- a/programs/x509/cert_write.c
+++ b/programs/x509/cert_write.c
@@ -752,7 +752,7 @@
if( ret != 0 )
{
mbedtls_strerror( ret, buf, sizeof(buf) );
- mbedtls_printf( " failed\n ! x509write_crt_set_basic_contraints "
+ mbedtls_printf( " failed\n ! x509write_crt_set_basic_constraints "
"returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
goto exit;
}
diff --git a/scripts/mbedtls_dev/bignum_common.py b/scripts/mbedtls_dev/bignum_common.py
index 67ea78d..3ff8b2f 100644
--- a/scripts/mbedtls_dev/bignum_common.py
+++ b/scripts/mbedtls_dev/bignum_common.py
@@ -251,6 +251,12 @@
# provides earlier/more robust input validation.
self.int_n = hex_to_int(val_n)
+ def to_montgomery(self, val: int) -> int:
+ return (val * self.r) % self.int_n
+
+ def from_montgomery(self, val: int) -> int:
+ return (val * self.r_inv) % self.int_n
+
@property
def boundary(self) -> int:
return self.int_n
diff --git a/scripts/mbedtls_dev/bignum_core.py b/scripts/mbedtls_dev/bignum_core.py
index 2960d24..118a659 100644
--- a/scripts/mbedtls_dev/bignum_core.py
+++ b/scripts/mbedtls_dev/bignum_core.py
@@ -759,12 +759,23 @@
"""Test cases for bignum core exponentiation."""
symbol = "^"
test_function = "mpi_core_exp_mod"
- test_name = "Core modular exponentiation"
+ test_name = "Core modular exponentiation (Mongtomery form only)"
input_style = "fixed"
+ def arguments(self) -> List[str]:
+ # Input 'a' has to be given in Montgomery form
+ mont_a = self.to_montgomery(self.int_a)
+ arg_mont_a = self.format_arg('{:x}'.format(mont_a))
+ return [bignum_common.quote_str(n) for n in [self.arg_n,
+ arg_mont_a,
+ self.arg_b]
+ ] + self.result()
+
def result(self) -> List[str]:
+ # Result has to be given in Montgomery form too
result = pow(self.int_a, self.int_b, self.int_n)
- return [self.format_result(result)]
+ mont_result = self.to_montgomery(result)
+ return [self.format_result(mont_result)]
@property
def is_valid(self) -> bool:
diff --git a/scripts/mbedtls_dev/bignum_data.py b/scripts/mbedtls_dev/bignum_data.py
index 74d21d0..e6ed300 100644
--- a/scripts/mbedtls_dev/bignum_data.py
+++ b/scripts/mbedtls_dev/bignum_data.py
@@ -18,7 +18,7 @@
import random
# Functions calling these were used to produce test data and are here only for
-# reproducability, they are not used by the test generation framework/classes
+# reproducibility, they are not used by the test generation framework/classes
try:
from Cryptodome.Util.number import isPrime, getPrime #type: ignore #pylint: disable=import-error
except ImportError:
@@ -128,7 +128,7 @@
randbytes.
'''
rng = random.Random()
- # We want reproducability across python versions
+ # We want reproducibility across python versions
rng.seed(seed, version=2)
while True:
prime = 2*getPrime(bits-1, rng.randbytes)+1 #pylint: disable=no-member
diff --git a/scripts/mbedtls_dev/bignum_mod.py b/scripts/mbedtls_dev/bignum_mod.py
index 81ece07..aa06fe8 100644
--- a/scripts/mbedtls_dev/bignum_mod.py
+++ b/scripts/mbedtls_dev/bignum_mod.py
@@ -34,6 +34,20 @@
# BEGIN MERGE SLOT 3
+class BignumModSub(bignum_common.ModOperationCommon, BignumModTarget):
+ """Test cases for bignum mpi_mod_sub()."""
+ symbol = "-"
+ test_function = "mpi_mod_sub"
+ test_name = "mbedtls_mpi_mod_sub"
+ input_style = "fixed"
+ arity = 2
+
+ def result(self) -> List[str]:
+ result = (self.int_a - self.int_b) % self.int_n
+ # To make negative tests easier, append 0 for success to the
+ # generated cases
+ return [self.format_result(result), "0"]
+
# END MERGE SLOT 3
# BEGIN MERGE SLOT 4
diff --git a/scripts/mbedtls_dev/bignum_mod_raw.py b/scripts/mbedtls_dev/bignum_mod_raw.py
index 0bbad5d..d05479a 100644
--- a/scripts/mbedtls_dev/bignum_mod_raw.py
+++ b/scripts/mbedtls_dev/bignum_mod_raw.py
@@ -92,10 +92,9 @@
arity = 1
def result(self) -> List[str]:
- result = (self.int_a * self.r) % self.int_n
+ result = self.to_montgomery(self.int_a)
return [self.format_result(result)]
-
class BignumModRawConvertFromMont(bignum_common.ModOperationCommon,
BignumModRawTarget):
""" Test cases for mpi_mod_raw_from_mont_rep(). """
@@ -106,7 +105,7 @@
arity = 1
def result(self) -> List[str]:
- result = (self.int_a * self.r_inv) % self.int_n
+ result = self.from_montgomery(self.int_a)
return [self.format_result(result)]
diff --git a/tests/include/test/constant_flow.h b/tests/include/test/constant_flow.h
index 9626af9..f3d676e 100644
--- a/tests/include/test/constant_flow.h
+++ b/tests/include/test/constant_flow.h
@@ -46,6 +46,12 @@
* This file contains two implementations: one based on MemorySanitizer, the
* other on valgrind's memcheck. If none of them is enabled, dummy macros that
* do nothing are defined for convenience.
+ *
+ * \note #TEST_CF_SECRET must be called directly from within a .function file,
+ * not indirectly via a macro defined under tests/include or a function
+ * under tests/src. This is because we only run Valgrind for constant
+ * flow on test suites that have greppable annotations inside them (see
+ * `skip_suites_without_constant_flow` in `tests/scripts/all.sh`).
*/
#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN)
diff --git a/tests/include/test/psa_crypto_helpers.h b/tests/include/test/psa_crypto_helpers.h
index bc2b016..3542950 100644
--- a/tests/include/test/psa_crypto_helpers.h
+++ b/tests/include/test/psa_crypto_helpers.h
@@ -189,7 +189,7 @@
*
* Do a key policy permission extension on key usage policies always involves
* permissions of other usage policies
- * (like PSA_KEY_USAGE_SIGN_HASH involves PSA_KEY_USAGE_SIGN_MESSGAE).
+ * (like PSA_KEY_USAGE_SIGN_HASH involves PSA_KEY_USAGE_SIGN_MESSAGE).
*/
psa_key_usage_t mbedtls_test_update_key_usage_flags( psa_key_usage_t usage_flags );
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index d3eedcf..cadedb1 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1591,6 +1591,17 @@
env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
}
+skip_suites_without_constant_flow () {
+ # Skip the test suites that don't have any constant-flow annotations.
+ # This will need to be adjusted if we ever start declaring things as
+ # secret from macros or functions inside tests/include or tests/src.
+ SKIP_TEST_SUITES=$(
+ git -C tests/suites grep -L TEST_CF_ 'test_suite_*.function' |
+ sed 's/test_suite_//; s/\.function$//' |
+ tr '\n' ,)
+ export SKIP_TEST_SUITES
+}
+
component_test_memsan_constant_flow () {
# This tests both (1) accesses to undefined memory, and (2) branches or
# memory access depending on secret values. To distinguish between those:
@@ -1642,12 +1653,13 @@
scripts/config.py full
scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
+ skip_suites_without_constant_flow
cmake -D CMAKE_BUILD_TYPE:String=Release .
make
# this only shows a summary of the results (how many of each type)
# details are left in Testing/<date>/DynamicAnalysis.xml
- msg "test: main suites (full minus MBEDTLS_USE_PSA_CRYPTO, valgrind + constant flow)"
+ msg "test: some suites (full minus MBEDTLS_USE_PSA_CRYPTO, valgrind + constant flow)"
make memcheck
}
@@ -1664,12 +1676,13 @@
msg "build: cmake release GCC, full config with constant flow testing"
scripts/config.py full
scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
+ skip_suites_without_constant_flow
cmake -D CMAKE_BUILD_TYPE:String=Release .
make
# this only shows a summary of the results (how many of each type)
# details are left in Testing/<date>/DynamicAnalysis.xml
- msg "test: main suites (valgrind + constant flow)"
+ msg "test: some suites (valgrind + constant flow)"
make memcheck
}
@@ -3476,30 +3489,43 @@
component_test_valgrind () {
msg "build: Release (clang)"
+ # default config, in particular without MBEDTLS_USE_PSA_CRYPTO
CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release .
make
- msg "test: main suites valgrind (Release)"
+ msg "test: main suites, Valgrind (default config)"
make memcheck
# Optional parts (slow; currently broken on OS X because programs don't
# seem to receive signals under valgrind on OS X).
+ # These optional parts don't run on the CI.
if [ "$MEMORY" -gt 0 ]; then
- msg "test: ssl-opt.sh --memcheck (Release)"
+ msg "test: ssl-opt.sh --memcheck (default config)"
tests/ssl-opt.sh --memcheck
fi
if [ "$MEMORY" -gt 1 ]; then
- msg "test: compat.sh --memcheck (Release)"
+ msg "test: compat.sh --memcheck (default config)"
tests/compat.sh --memcheck
fi
if [ "$MEMORY" -gt 0 ]; then
- msg "test: context-info.sh --memcheck (Release)"
+ msg "test: context-info.sh --memcheck (default config)"
tests/context-info.sh --memcheck
fi
}
+component_test_valgrind_psa () {
+ msg "build: Release, full (clang)"
+ # full config, in particular with MBEDTLS_USE_PSA_CRYPTO
+ scripts/config.py full
+ CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release .
+ make
+
+ msg "test: main suites, Valgrind (full config)"
+ make memcheck
+}
+
support_test_cmake_out_of_source () {
distrib_id=""
distrib_ver=""
diff --git a/tests/scripts/check_names.py b/tests/scripts/check_names.py
index 396ab74..920537e 100755
--- a/tests/scripts/check_names.py
+++ b/tests/scripts/check_names.py
@@ -629,7 +629,7 @@
self.log.info("Compiling...")
symbols = []
- # Back up the config and atomically compile with the full configratuion.
+ # Back up the config and atomically compile with the full configuration.
shutil.copy(
"include/mbedtls/mbedtls_config.h",
"include/mbedtls/mbedtls_config.h.bak"
@@ -892,7 +892,7 @@
parser.add_argument(
"-q", "--quiet",
action="store_true",
- help="hide unnecessary text, explanations, and highlighs"
+ help="hide unnecessary text, explanations, and highlights"
)
args = parser.parse_args()
diff --git a/tests/scripts/generate_psa_tests.py b/tests/scripts/generate_psa_tests.py
index 2f09007..b271048 100755
--- a/tests/scripts/generate_psa_tests.py
+++ b/tests/scripts/generate_psa_tests.py
@@ -80,7 +80,7 @@
# A temporary hack: at the time of writing, not all dependency symbols
# are implemented yet. Skip test cases for which the dependency symbols are
# not available. Once all dependency symbols are available, this hack must
-# be removed so that a bug in the dependency symbols proprely leads to a test
+# be removed so that a bug in the dependency symbols properly leads to a test
# failure.
def read_implemented_dependencies(filename: str) -> FrozenSet[str]:
return frozenset(symbol
@@ -459,7 +459,7 @@
"""Prepare to generate a key.
* `usage` : The usage flags used for the key.
- * `without_implicit_usage`: Flag to defide to apply the usage extension
+ * `without_implicit_usage`: Flag to define to apply the usage extension
"""
usage_flags = set(usage)
if not without_implicit_usage:
@@ -483,7 +483,7 @@
) -> None:
"""Prepare to generate test data
- * `description` : used for the the test case names
+ * `description` : used for the test case names
* `expected_usage`: the usage flags generated as the expected usage flags
in the test cases. CAn differ from the usage flags
stored in the keys because of the usage flags extension.
diff --git a/tests/scripts/test_psa_compliance.py b/tests/scripts/test_psa_compliance.py
index 7d06db1..92db417 100755
--- a/tests/scripts/test_psa_compliance.py
+++ b/tests/scripts/test_psa_compliance.py
@@ -1,7 +1,7 @@
#!/usr/bin/env python3
"""Run the PSA Crypto API compliance test suite.
Clone the repo and check out the commit specified by PSA_ARCH_TEST_REPO and PSA_ARCH_TEST_REF,
-then complie and run the test suite. The clone is stored at <Mbed TLS root>/psa-arch-tests.
+then compile and run the test suite. The clone is stored at <Mbed TLS root>/psa-arch-tests.
Known defects in either the test suite or mbedtls - identified by their test number - are ignored,
while unexpected failures AND successes are reported as errors,
to help keep the list of known defects as up to date as possible.
diff --git a/tests/suites/test_suite_bignum_core.function b/tests/suites/test_suite_bignum_core.function
index 078239f..b64127a 100644
--- a/tests/suites/test_suite_bignum_core.function
+++ b/tests/suites/test_suite_bignum_core.function
@@ -1046,15 +1046,13 @@
char * input_E, char * input_X )
{
mbedtls_mpi_uint *A = NULL;
- size_t A_limbs;
mbedtls_mpi_uint *E = NULL;
- size_t E_limbs;
mbedtls_mpi_uint *N = NULL;
- size_t N_limbs;
mbedtls_mpi_uint *X = NULL;
- size_t X_limbs;
+ size_t A_limbs, E_limbs, N_limbs, X_limbs;
const mbedtls_mpi_uint *R2 = NULL;
mbedtls_mpi_uint *Y = NULL;
+ mbedtls_mpi_uint *T = NULL;
/* Legacy MPIs for computing R2 */
mbedtls_mpi N_mpi;
mbedtls_mpi_init( &N_mpi );
@@ -1078,11 +1076,29 @@
TEST_EQUAL( 0, mbedtls_mpi_grow( &R2_mpi, N_limbs ) );
R2 = R2_mpi.p;
- TEST_EQUAL( 0,
- mbedtls_mpi_core_exp_mod( Y, A, N, N_limbs, E, E_limbs, R2 ) );
+ size_t working_limbs = mbedtls_mpi_core_exp_mod_working_limbs( N_limbs,
+ E_limbs );
+
+ /* No point exactly duplicating the code in mbedtls_mpi_core_exp_mod_working_limbs()
+ * to see if the output is correct, but we can check that it's in a
+ * reasonable range. The current calculation works out as
+ * `1 + N_limbs * (welem + 3)`, where welem is the number of elements in
+ * the window (1 << 1 up to 1 << 6).
+ */
+ size_t min_expected_working_limbs = 1 + N_limbs * 4;
+ size_t max_expected_working_limbs = 1 + N_limbs * 67;
+
+ TEST_LE_U( min_expected_working_limbs, working_limbs );
+ TEST_LE_U( working_limbs, max_expected_working_limbs );
+
+ ASSERT_ALLOC( T, working_limbs );
+
+ mbedtls_mpi_core_exp_mod( Y, A, N, N_limbs, E, E_limbs, R2, T );
+
TEST_EQUAL( 0, memcmp( X, Y, N_limbs * sizeof( mbedtls_mpi_uint ) ) );
exit:
+ mbedtls_free( T );
mbedtls_free( A );
mbedtls_free( E );
mbedtls_free( N );
diff --git a/tests/suites/test_suite_bignum_mod.data b/tests/suites/test_suite_bignum_mod.data
index 2ea4a58..501d9d7 100644
--- a/tests/suites/test_suite_bignum_mod.data
+++ b/tests/suites/test_suite_bignum_mod.data
@@ -17,6 +17,27 @@
# BEGIN MERGE SLOT 3
+mpi_mod_sub base case for negative testing (N, a, b all >= 1 limb)
+mpi_mod_sub:"014320a022ccb75bdf470ddf25":"000000025a55a46e5da99c71c7":"00033b2e3c9fd0803ce8000f93":"013fe57440828b4a0008aa4159":0
+
+mpi_mod_sub with modulus too long/both inputs too short
+mpi_mod_sub:"0000000014320a022ccb75bdf470ddf25":"000000025a55a46e5da99c71c7":"00033b2e3c9fd0803ce8000f93":"00":MBEDTLS_ERR_MPI_BAD_INPUT_DATA
+
+mpi_mod_sub with first input too long
+mpi_mod_sub:"014320a022ccb75bdf470ddf25":"0000000000000025a55a46e5da99c71c7":"00033b2e3c9fd0803ce8000f93":"00":MBEDTLS_ERR_MPI_BAD_INPUT_DATA
+
+mpi_mod_sub with second input too long
+mpi_mod_sub:"014320a022ccb75bdf470ddf25":"000000025a55a46e5da99c71c7":"000000000033b2e3c9fd0803ce8000f93":"00":MBEDTLS_ERR_MPI_BAD_INPUT_DATA
+
+mpi_mod_sub with both inputs too long
+mpi_mod_sub:"014320a022ccb75bdf470ddf25":"0000000000000025a55a46e5da99c71c7":"000000000033b2e3c9fd0803ce8000f93":"00":MBEDTLS_ERR_MPI_BAD_INPUT_DATA
+
+mpi_mod_sub with first input too short
+mpi_mod_sub:"014320a022ccb75bdf470ddf25":"a99c71c7":"00033b2e3c9fd0803ce8000f93":"00":MBEDTLS_ERR_MPI_BAD_INPUT_DATA
+
+mpi_mod_sub with second input too short
+mpi_mod_sub:"014320a022ccb75bdf470ddf25":"000000025a55a46e5da99c71c7":"e8000f93":"00":MBEDTLS_ERR_MPI_BAD_INPUT_DATA
+
# END MERGE SLOT 3
# BEGIN MERGE SLOT 4
diff --git a/tests/suites/test_suite_bignum_mod.function b/tests/suites/test_suite_bignum_mod.function
index a941cb6..0d2e232 100644
--- a/tests/suites/test_suite_bignum_mod.function
+++ b/tests/suites/test_suite_bignum_mod.function
@@ -4,6 +4,47 @@
#include "bignum_mod.h"
#include "constant_time_internal.h"
#include "test/constant_flow.h"
+
+#define TEST_COMPARE_MPI_RESIDUES( a, b ) \
+ ASSERT_COMPARE( (a).p, (a).limbs * sizeof(mbedtls_mpi_uint), \
+ (b).p, (b).limbs * sizeof(mbedtls_mpi_uint) )
+
+static int test_read_modulus( mbedtls_mpi_mod_modulus *m,
+ mbedtls_mpi_mod_rep_selector int_rep,
+ char *input )
+{
+ mbedtls_mpi_uint *p = NULL;
+ size_t limbs;
+
+ int ret = mbedtls_test_read_mpi_core( &p, &limbs, input );
+ if( ret != 0 )
+ return( ret );
+
+ return( mbedtls_mpi_mod_modulus_setup( m, p, limbs, int_rep ) );
+}
+
+static int test_read_residue( mbedtls_mpi_mod_residue *r,
+ const mbedtls_mpi_mod_modulus *m,
+ char *input,
+ int skip_limbs_and_value_checks )
+{
+ mbedtls_mpi_uint *p = NULL;
+ size_t limbs;
+
+ int ret = mbedtls_test_read_mpi_core( &p, &limbs, input );
+ if( ret != 0 )
+ return( ret );
+
+ if( skip_limbs_and_value_checks )
+ {
+ r->p = p;
+ r->limbs = limbs;
+ return( 0 );
+ }
+
+ /* mbedtls_mpi_mod_residue_setup() checks limbs, and that value < m */
+ return( mbedtls_mpi_mod_residue_setup( r, m, p, limbs ) );
+}
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@@ -64,7 +105,104 @@
/* END MERGE SLOT 2 */
/* BEGIN MERGE SLOT 3 */
+/* BEGIN_CASE */
+void mpi_mod_sub( char * input_N,
+ char * input_A, char * input_B,
+ char * input_D, int oret )
+{
+ mbedtls_mpi_mod_residue a = { NULL, 0 };
+ mbedtls_mpi_mod_residue b = { NULL, 0 };
+ mbedtls_mpi_mod_residue d = { NULL, 0 };
+ mbedtls_mpi_mod_residue x = { NULL, 0 };
+ mbedtls_mpi_uint *X_raw = NULL;
+ mbedtls_mpi_mod_modulus m;
+ mbedtls_mpi_mod_modulus_init( &m );
+
+ TEST_EQUAL( 0,
+ test_read_modulus( &m, MBEDTLS_MPI_MOD_REP_MONTGOMERY, input_N ) );
+
+ /* test_read_residue() normally checks that inputs have the same number of
+ * limbs as the modulus. For negative testing we can ask it to skip this
+ * with a non-zero final parameter. */
+ TEST_EQUAL( 0, test_read_residue( &a, &m, input_A, oret != 0 ) );
+ TEST_EQUAL( 0, test_read_residue( &b, &m, input_B, oret != 0 ) );
+ TEST_EQUAL( 0, test_read_residue( &d, &m, input_D, oret != 0 ) );
+
+ size_t limbs = m.limbs;
+ size_t bytes = limbs * sizeof( *X_raw );
+
+ /* One spare limb for negative testing */
+ ASSERT_ALLOC( X_raw, limbs + 1 );
+
+ if( oret == 0 )
+ {
+ /* Sneak in a couple of negative tests on known-good data */
+
+ /* First, negative test with too many limbs in output */
+ x.p = X_raw;
+ x.limbs = limbs + 1;
+ TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+ mbedtls_mpi_mod_sub( &x, &a, &b, &m ) );
+
+ /* Then negative test with too few limbs in output */
+ if( limbs > 1 )
+ {
+ x.p = X_raw;
+ x.limbs = limbs - 1;
+ TEST_EQUAL( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+ mbedtls_mpi_mod_sub( &x, &a, &b, &m ) );
+ }
+
+ /* Negative testing with too many/too few limbs in a and b is covered by
+ * manually-written test cases with oret != 0. */
+
+ /* Back to the normally-scheduled programme */
+ }
+
+ TEST_EQUAL( 0, mbedtls_mpi_mod_residue_setup( &x, &m, X_raw, limbs ) );
+
+ /* a - b => Correct result, or expected error */
+ TEST_EQUAL( oret, mbedtls_mpi_mod_sub( &x, &a, &b, &m ) );
+ if( oret != 0 )
+ goto exit;
+
+ TEST_COMPARE_MPI_RESIDUES( x, d );
+
+ /* a - b: alias x to a => Correct result */
+ memcpy( x.p, a.p, bytes );
+ TEST_EQUAL( 0, mbedtls_mpi_mod_sub( &x, &x, &b, &m ) );
+ TEST_COMPARE_MPI_RESIDUES( x, d );
+
+ /* a - b: alias x to b => Correct result */
+ memcpy( x.p, b.p, bytes );
+ TEST_EQUAL( 0, mbedtls_mpi_mod_sub( &x, &a, &x, &m ) );
+ TEST_COMPARE_MPI_RESIDUES( x, d );
+
+ if ( memcmp( a.p, b.p, bytes ) == 0 )
+ {
+ /* a == b: alias a and b */
+
+ /* a - a => Correct result */
+ TEST_EQUAL( 0, mbedtls_mpi_mod_sub( &x, &a, &a, &m ) );
+ TEST_COMPARE_MPI_RESIDUES( x, d );
+
+ /* a - a: x, a, b all aliased together => Correct result */
+ memcpy( x.p, a.p, bytes );
+ TEST_EQUAL( 0, mbedtls_mpi_mod_sub( &x, &x, &x, &m ) );
+ TEST_COMPARE_MPI_RESIDUES( x, d );
+ }
+
+exit:
+ mbedtls_free( (void *)m.p ); /* mbedtls_mpi_mod_modulus_free() sets m.p = NULL */
+ mbedtls_mpi_mod_modulus_free( &m );
+
+ mbedtls_free( a.p );
+ mbedtls_free( b.p );
+ mbedtls_free( d.p );
+ mbedtls_free( X_raw );
+}
+/* END_CASE */
/* END MERGE SLOT 3 */
/* BEGIN MERGE SLOT 4 */
diff --git a/tests/suites/test_suite_constant_time.data b/tests/suites/test_suite_constant_time.data
new file mode 100644
index 0000000..4504aa4
--- /dev/null
+++ b/tests/suites/test_suite_constant_time.data
@@ -0,0 +1,11 @@
+# these are the numbers we'd get with an empty plaintext and truncated HMAC
+Constant-flow memcpy from offset: small
+ssl_cf_memcpy_offset:0:5:10
+
+# we could get this with 255-bytes plaintext and untruncated SHA-256
+Constant-flow memcpy from offset: medium
+ssl_cf_memcpy_offset:0:255:32
+
+# we could get this with 255-bytes plaintext and untruncated SHA-384
+Constant-flow memcpy from offset: large
+ssl_cf_memcpy_offset:100:339:48
diff --git a/tests/suites/test_suite_constant_time.function b/tests/suites/test_suite_constant_time.function
new file mode 100644
index 0000000..a3673b7
--- /dev/null
+++ b/tests/suites/test_suite_constant_time.function
@@ -0,0 +1,49 @@
+/* BEGIN_HEADER */
+/** \file test_suite_constant_time.function
+ *
+ * Functional testing of functions in the constant_time module.
+ *
+ * The tests are instrumented with #TEST_CF_SECRET and #TEST_CF_PUBLIC
+ * (see tests/include/test/constant_flow.h) so that running the tests
+ * under MSan or Valgrind will detect a non-constant-time implementation.
+ */
+
+#include <mbedtls/constant_time.h>
+#include <constant_time_internal.h>
+#include <constant_time_invasive.h>
+
+#include <test/constant_flow.h>
+/* END_HEADER */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC:MBEDTLS_TEST_HOOKS */
+void ssl_cf_memcpy_offset( int offset_min, int offset_max, int len )
+{
+ unsigned char *dst = NULL;
+ unsigned char *src = NULL;
+ size_t src_len = offset_max + len;
+ size_t secret;
+
+ ASSERT_ALLOC( dst, len );
+ ASSERT_ALLOC( src, src_len );
+
+ /* Fill src in a way that we can detect if we copied the right bytes */
+ mbedtls_test_rnd_std_rand( NULL, src, src_len );
+
+ for( secret = offset_min; secret <= (size_t) offset_max; secret++ )
+ {
+ mbedtls_test_set_step( (int) secret );
+
+ TEST_CF_SECRET( &secret, sizeof( secret ) );
+ mbedtls_ct_memcpy_offset( dst, src, secret,
+ offset_min, offset_max, len );
+ TEST_CF_PUBLIC( &secret, sizeof( secret ) );
+ TEST_CF_PUBLIC( dst, len );
+
+ ASSERT_COMPARE( dst, len, src + secret, len );
+ }
+
+exit:
+ mbedtls_free( dst );
+ mbedtls_free( src );
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_constant_time_hmac.data b/tests/suites/test_suite_constant_time_hmac.data
new file mode 100644
index 0000000..abf90f0
--- /dev/null
+++ b/tests/suites/test_suite_constant_time_hmac.data
@@ -0,0 +1,15 @@
+Constant-flow HMAC: MD5
+depends_on:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA
+ssl_cf_hmac:MBEDTLS_MD_MD5
+
+Constant-flow HMAC: SHA1
+depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA
+ssl_cf_hmac:MBEDTLS_MD_SHA1
+
+Constant-flow HMAC: SHA256
+depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA
+ssl_cf_hmac:MBEDTLS_MD_SHA256
+
+Constant-flow HMAC: SHA384
+depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA
+ssl_cf_hmac:MBEDTLS_MD_SHA384
diff --git a/tests/suites/test_suite_constant_time_hmac.function b/tests/suites/test_suite_constant_time_hmac.function
new file mode 100644
index 0000000..f8c1bfc
--- /dev/null
+++ b/tests/suites/test_suite_constant_time_hmac.function
@@ -0,0 +1,160 @@
+/* BEGIN_HEADER */
+
+#include <mbedtls/constant_time.h>
+#include <mbedtls/legacy_or_psa.h>
+#include <mbedtls/md.h>
+#include <constant_time_internal.h>
+#include <hash_info.h>
+
+#include <test/constant_flow.h>
+/* END_HEADER */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC:MBEDTLS_TEST_HOOKS */
+void ssl_cf_hmac( int hash )
+{
+ /*
+ * Test the function mbedtls_ct_hmac() against a reference
+ * implementation.
+ */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_algorithm_t alg;
+ psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
+#else
+ mbedtls_md_context_t ctx, ref_ctx;
+ const mbedtls_md_info_t *md_info;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ size_t out_len, block_size;
+ size_t min_in_len, in_len, max_in_len, i;
+ /* TLS additional data is 13 bytes (hence the "lucky 13" name) */
+ unsigned char add_data[13];
+ unsigned char ref_out[MBEDTLS_HASH_MAX_SIZE];
+ unsigned char *data = NULL;
+ unsigned char *out = NULL;
+ unsigned char rec_num = 0;
+
+ USE_PSA_INIT( );
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ alg = PSA_ALG_HMAC( mbedtls_hash_info_psa_from_md( hash ) );
+
+ out_len = PSA_HASH_LENGTH( alg );
+ block_size = PSA_HASH_BLOCK_LENGTH( alg );
+
+ /* mbedtls_ct_hmac() requires the key to be exportable */
+ psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT |
+ PSA_KEY_USAGE_VERIFY_HASH );
+ psa_set_key_algorithm( &attributes, PSA_ALG_HMAC( alg ) );
+ psa_set_key_type( &attributes, PSA_KEY_TYPE_HMAC );
+#else
+ mbedtls_md_init( &ctx );
+ mbedtls_md_init( &ref_ctx );
+
+ md_info = mbedtls_md_info_from_type( hash );
+ TEST_ASSERT( md_info != NULL );
+ out_len = mbedtls_md_get_size( md_info );
+ TEST_ASSERT( out_len != 0 );
+ block_size = hash == MBEDTLS_MD_SHA384 ? 128 : 64;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ /* Use allocated out buffer to catch overwrites */
+ ASSERT_ALLOC( out, out_len );
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ /* Set up dummy key */
+ memset( ref_out, 42, sizeof( ref_out ) );
+ TEST_EQUAL( PSA_SUCCESS, psa_import_key( &attributes,
+ ref_out, out_len,
+ &key ) );
+#else
+ /* Set up contexts with the given hash and a dummy key */
+ TEST_EQUAL( 0, mbedtls_md_setup( &ctx, md_info, 1 ) );
+ TEST_EQUAL( 0, mbedtls_md_setup( &ref_ctx, md_info, 1 ) );
+ memset( ref_out, 42, sizeof( ref_out ) );
+ TEST_EQUAL( 0, mbedtls_md_hmac_starts( &ctx, ref_out, out_len ) );
+ TEST_EQUAL( 0, mbedtls_md_hmac_starts( &ref_ctx, ref_out, out_len ) );
+ memset( ref_out, 0, sizeof( ref_out ) );
+#endif
+
+ /*
+ * Test all possible lengths up to a point. The difference between
+ * max_in_len and min_in_len is at most 255, and make sure they both vary
+ * by at least one block size.
+ */
+ for( max_in_len = 0; max_in_len <= 255 + block_size; max_in_len++ )
+ {
+ mbedtls_test_set_step( max_in_len * 10000 );
+
+ /* Use allocated in buffer to catch overreads */
+ ASSERT_ALLOC( data, max_in_len );
+
+ min_in_len = max_in_len > 255 ? max_in_len - 255 : 0;
+ for( in_len = min_in_len; in_len <= max_in_len; in_len++ )
+ {
+ mbedtls_test_set_step( max_in_len * 10000 + in_len );
+
+ /* Set up dummy data and add_data */
+ rec_num++;
+ memset( add_data, rec_num, sizeof( add_data ) );
+ for( i = 0; i < in_len; i++ )
+ data[i] = ( i & 0xff ) ^ rec_num;
+
+ /* Get the function's result */
+ TEST_CF_SECRET( &in_len, sizeof( in_len ) );
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ TEST_EQUAL( 0, mbedtls_ct_hmac( key, PSA_ALG_HMAC( alg ),
+ add_data, sizeof( add_data ),
+ data, in_len,
+ min_in_len, max_in_len,
+ out ) );
+#else
+ TEST_EQUAL( 0, mbedtls_ct_hmac( &ctx, add_data, sizeof( add_data ),
+ data, in_len,
+ min_in_len, max_in_len,
+ out ) );
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ TEST_CF_PUBLIC( &in_len, sizeof( in_len ) );
+ TEST_CF_PUBLIC( out, out_len );
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ TEST_EQUAL( PSA_SUCCESS, psa_mac_verify_setup( &operation,
+ key, alg ) );
+ TEST_EQUAL( PSA_SUCCESS, psa_mac_update( &operation, add_data,
+ sizeof( add_data ) ) );
+ TEST_EQUAL( PSA_SUCCESS, psa_mac_update( &operation,
+ data, in_len ) );
+ TEST_EQUAL( PSA_SUCCESS, psa_mac_verify_finish( &operation,
+ out, out_len ) );
+#else
+ /* Compute the reference result */
+ TEST_EQUAL( 0, mbedtls_md_hmac_update( &ref_ctx, add_data,
+ sizeof( add_data ) ) );
+ TEST_EQUAL( 0, mbedtls_md_hmac_update( &ref_ctx, data, in_len ) );
+ TEST_EQUAL( 0, mbedtls_md_hmac_finish( &ref_ctx, ref_out ) );
+ TEST_EQUAL( 0, mbedtls_md_hmac_reset( &ref_ctx ) );
+
+ /* Compare */
+ ASSERT_COMPARE( out, out_len, ref_out, out_len );
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ }
+
+ mbedtls_free( data );
+ data = NULL;
+ }
+
+exit:
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_mac_abort( &operation );
+ psa_destroy_key( key );
+#else
+ mbedtls_md_free( &ref_ctx );
+ mbedtls_md_free( &ctx );
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ mbedtls_free( data );
+ mbedtls_free( out );
+
+ USE_PSA_DONE( );
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_mps.function b/tests/suites/test_suite_mps.function
index c40c50e..ec1122a 100644
--- a/tests/suites/test_suite_mps.function
+++ b/tests/suites/test_suite_mps.function
@@ -295,7 +295,7 @@
/* This test exercises the behaviour of the MPS reader with accumulator
* in the situation where upon calling mbedtls_mps_reader_reclaim(), the
* uncommitted data together with the excess data missing in the last
- * call to medtls_mps_reader_get() exceeds the bounds of the type
+ * call to mbedtls_mps_reader_get() exceeds the bounds of the type
* holding the buffer length.
*/
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 0c0f2ed..dbbac76 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -622,7 +622,7 @@
* the data in to be encrypted / decrypted. If
* -1, no chunking
* \param expected_output Expected output
- * \param is_verify If non-zero this is an verify operation.
+ * \param is_verify If non-zero this is a verify operation.
* \param do_zero_parts If non-zero, interleave zero length chunks
* with normal length chunks.
* \return int Zero on failure, non-zero on success.
@@ -6131,7 +6131,7 @@
psa_aead_abort( &operation );
- /* Test for calling set lengths with an plaintext length of SIZE_MAX, after setting nonce */
+ /* Test for calling set lengths with a plaintext length of SIZE_MAX, after setting nonce */
PSA_ASSERT( psa_aead_encrypt_setup( &operation, key, alg ) );
PSA_ASSERT( psa_aead_set_nonce( &operation, nonce->x, nonce->len ) );
diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function
index b895796..b713cb2 100644
--- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function
+++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function
@@ -748,14 +748,14 @@
mbedtls_psa_cipher_operation_t mbedtls_operation =
MBEDTLS_PSA_CIPHER_OPERATION_INIT;
- mbedtls_transparent_test_driver_cipher_operation_t tranparent_operation =
+ mbedtls_transparent_test_driver_cipher_operation_t transparent_operation =
MBEDTLS_TRANSPARENT_TEST_DRIVER_CIPHER_OPERATION_INIT;
mbedtls_opaque_test_driver_cipher_operation_t opaque_operation =
MBEDTLS_OPAQUE_TEST_DRIVER_CIPHER_OPERATION_INIT;
operation.ctx.mbedtls_ctx = mbedtls_operation;
- operation.ctx.transparent_test_driver_ctx = tranparent_operation;
+ operation.ctx.transparent_test_driver_ctx = transparent_operation;
operation.ctx.opaque_test_driver_ctx = opaque_operation;
PSA_ASSERT( psa_crypto_init( ) );
@@ -880,14 +880,14 @@
mbedtls_psa_cipher_operation_t mbedtls_operation =
MBEDTLS_PSA_CIPHER_OPERATION_INIT;
- mbedtls_transparent_test_driver_cipher_operation_t tranparent_operation =
+ mbedtls_transparent_test_driver_cipher_operation_t transparent_operation =
MBEDTLS_TRANSPARENT_TEST_DRIVER_CIPHER_OPERATION_INIT;
mbedtls_opaque_test_driver_cipher_operation_t opaque_operation =
MBEDTLS_OPAQUE_TEST_DRIVER_CIPHER_OPERATION_INIT;
operation.ctx.mbedtls_ctx = mbedtls_operation;
- operation.ctx.transparent_test_driver_ctx = tranparent_operation;
+ operation.ctx.transparent_test_driver_ctx = transparent_operation;
operation.ctx.opaque_test_driver_ctx = opaque_operation;
PSA_ASSERT( psa_crypto_init( ) );
diff --git a/tests/suites/test_suite_psa_crypto_generate_key.function b/tests/suites/test_suite_psa_crypto_generate_key.function
index dbe9a0e..6dc6043 100644
--- a/tests/suites/test_suite_psa_crypto_generate_key.function
+++ b/tests/suites/test_suite_psa_crypto_generate_key.function
@@ -18,7 +18,7 @@
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
mbedtls_svc_key_id_t key_id = INVALID_KEY_ID;
- // key lifetiem, usage flags, algorithm are irrelevant for this test
+ // key lifetime, usage flags, algorithm are irrelevant for this test
psa_key_type_t key_type = key_type_arg;
size_t bits = bits_arg;
psa_status_t expected_status = expected_status_arg;
diff --git a/tests/suites/test_suite_psa_crypto_persistent_key.function b/tests/suites/test_suite_psa_crypto_persistent_key.function
index 08db34a..bb87923 100644
--- a/tests/suites/test_suite_psa_crypto_persistent_key.function
+++ b/tests/suites/test_suite_psa_crypto_persistent_key.function
@@ -2,7 +2,7 @@
/* The tests in this module verify the contents of key store files. They
* access internal key storage functions directly. Some of the tests depend
- * on the the storage format. On the other hand, these tests treat the storage
+ * on the storage format. On the other hand, these tests treat the storage
* subsystem as a black box, and in particular have no reliance on the
* internals of the ITS implementation.
*
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index e718411..a7f0501 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -3378,34 +3378,6 @@
depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C
ssl_serialize_session_load_buf_size:0:"":MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_VERSION_TLS1_3
-Constant-flow HMAC: MD5
-depends_on:MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA
-ssl_cf_hmac:MBEDTLS_MD_MD5
-
-Constant-flow HMAC: SHA1
-depends_on:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA
-ssl_cf_hmac:MBEDTLS_MD_SHA1
-
-Constant-flow HMAC: SHA256
-depends_on:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA
-ssl_cf_hmac:MBEDTLS_MD_SHA256
-
-Constant-flow HMAC: SHA384
-depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA
-ssl_cf_hmac:MBEDTLS_MD_SHA384
-
-# these are the numbers we'd get with an empty plaintext and truncated HMAC
-Constant-flow memcpy from offset: small
-ssl_cf_memcpy_offset:0:5:10
-
-# we could get this with 255-bytes plaintext and untruncated SHA-256
-Constant-flow memcpy from offset: medium
-ssl_cf_memcpy_offset:0:255:32
-
-# we could get this with 255-bytes plaintext and untruncated SHA-384
-Constant-flow memcpy from offset: large
-ssl_cf_memcpy_offset:100:339:48
-
Test configuration of groups for DHE through mbedtls_ssl_conf_curves()
conf_curve:
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 7447a1d..674e649 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -511,7 +511,7 @@
* \p peer1 and \p peer2 must have been previously initialized by calling
* mbedtls_mock_socket_init().
*
- * The capacites of the internal buffers are set to \p bufsize. Setting this to
+ * The capacities of the internal buffers are set to \p bufsize. Setting this to
* the correct value allows for simulation of MTU, sanity testing the mock
* implementation and mocking TCP connections with lower memory cost.
*/
@@ -652,7 +652,7 @@
}
/*
- * Setup a given mesasge socket context including initialization of
+ * Setup a given message socket context including initialization of
* input/output queues to a chosen capacity of messages. Also set the
* corresponding mock socket.
*
@@ -5438,189 +5438,6 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC:MBEDTLS_TEST_HOOKS */
-void ssl_cf_hmac( int hash )
-{
- /*
- * Test the function mbedtls_ct_hmac() against a reference
- * implementation.
- */
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
- psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- psa_algorithm_t alg;
- psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
-#else
- mbedtls_md_context_t ctx, ref_ctx;
- const mbedtls_md_info_t *md_info;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
- size_t out_len, block_size;
- size_t min_in_len, in_len, max_in_len, i;
- /* TLS additional data is 13 bytes (hence the "lucky 13" name) */
- unsigned char add_data[13];
- unsigned char ref_out[MBEDTLS_HASH_MAX_SIZE];
- unsigned char *data = NULL;
- unsigned char *out = NULL;
- unsigned char rec_num = 0;
-
- USE_PSA_INIT( );
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- alg = PSA_ALG_HMAC( mbedtls_hash_info_psa_from_md( hash ) );
-
- out_len = PSA_HASH_LENGTH( alg );
- block_size = PSA_HASH_BLOCK_LENGTH( alg );
-
- /* mbedtls_ct_hmac() requires the key to be exportable */
- psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT |
- PSA_KEY_USAGE_VERIFY_HASH );
- psa_set_key_algorithm( &attributes, PSA_ALG_HMAC( alg ) );
- psa_set_key_type( &attributes, PSA_KEY_TYPE_HMAC );
-#else
- mbedtls_md_init( &ctx );
- mbedtls_md_init( &ref_ctx );
-
- md_info = mbedtls_md_info_from_type( hash );
- TEST_ASSERT( md_info != NULL );
- out_len = mbedtls_md_get_size( md_info );
- TEST_ASSERT( out_len != 0 );
- block_size = hash == MBEDTLS_MD_SHA384 ? 128 : 64;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
- /* Use allocated out buffer to catch overwrites */
- ASSERT_ALLOC( out, out_len );
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- /* Set up dummy key */
- memset( ref_out, 42, sizeof( ref_out ) );
- TEST_EQUAL( PSA_SUCCESS, psa_import_key( &attributes,
- ref_out, out_len,
- &key ) );
-#else
- /* Set up contexts with the given hash and a dummy key */
- TEST_EQUAL( 0, mbedtls_md_setup( &ctx, md_info, 1 ) );
- TEST_EQUAL( 0, mbedtls_md_setup( &ref_ctx, md_info, 1 ) );
- memset( ref_out, 42, sizeof( ref_out ) );
- TEST_EQUAL( 0, mbedtls_md_hmac_starts( &ctx, ref_out, out_len ) );
- TEST_EQUAL( 0, mbedtls_md_hmac_starts( &ref_ctx, ref_out, out_len ) );
- memset( ref_out, 0, sizeof( ref_out ) );
-#endif
-
- /*
- * Test all possible lengths up to a point. The difference between
- * max_in_len and min_in_len is at most 255, and make sure they both vary
- * by at least one block size.
- */
- for( max_in_len = 0; max_in_len <= 255 + block_size; max_in_len++ )
- {
- mbedtls_test_set_step( max_in_len * 10000 );
-
- /* Use allocated in buffer to catch overreads */
- ASSERT_ALLOC( data, max_in_len );
-
- min_in_len = max_in_len > 255 ? max_in_len - 255 : 0;
- for( in_len = min_in_len; in_len <= max_in_len; in_len++ )
- {
- mbedtls_test_set_step( max_in_len * 10000 + in_len );
-
- /* Set up dummy data and add_data */
- rec_num++;
- memset( add_data, rec_num, sizeof( add_data ) );
- for( i = 0; i < in_len; i++ )
- data[i] = ( i & 0xff ) ^ rec_num;
-
- /* Get the function's result */
- TEST_CF_SECRET( &in_len, sizeof( in_len ) );
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- TEST_EQUAL( 0, mbedtls_ct_hmac( key, PSA_ALG_HMAC( alg ),
- add_data, sizeof( add_data ),
- data, in_len,
- min_in_len, max_in_len,
- out ) );
-#else
- TEST_EQUAL( 0, mbedtls_ct_hmac( &ctx, add_data, sizeof( add_data ),
- data, in_len,
- min_in_len, max_in_len,
- out ) );
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
- TEST_CF_PUBLIC( &in_len, sizeof( in_len ) );
- TEST_CF_PUBLIC( out, out_len );
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- TEST_EQUAL( PSA_SUCCESS, psa_mac_verify_setup( &operation,
- key, alg ) );
- TEST_EQUAL( PSA_SUCCESS, psa_mac_update( &operation, add_data,
- sizeof( add_data ) ) );
- TEST_EQUAL( PSA_SUCCESS, psa_mac_update( &operation,
- data, in_len ) );
- TEST_EQUAL( PSA_SUCCESS, psa_mac_verify_finish( &operation,
- out, out_len ) );
-#else
- /* Compute the reference result */
- TEST_EQUAL( 0, mbedtls_md_hmac_update( &ref_ctx, add_data,
- sizeof( add_data ) ) );
- TEST_EQUAL( 0, mbedtls_md_hmac_update( &ref_ctx, data, in_len ) );
- TEST_EQUAL( 0, mbedtls_md_hmac_finish( &ref_ctx, ref_out ) );
- TEST_EQUAL( 0, mbedtls_md_hmac_reset( &ref_ctx ) );
-
- /* Compare */
- ASSERT_COMPARE( out, out_len, ref_out, out_len );
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
- }
-
- mbedtls_free( data );
- data = NULL;
- }
-
-exit:
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_mac_abort( &operation );
- psa_destroy_key( key );
-#else
- mbedtls_md_free( &ref_ctx );
- mbedtls_md_free( &ctx );
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
- mbedtls_free( data );
- mbedtls_free( out );
-
- USE_PSA_DONE( );
-}
-/* END_CASE */
-
-/* BEGIN_CASE depends_on:MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC:MBEDTLS_TEST_HOOKS */
-void ssl_cf_memcpy_offset( int offset_min, int offset_max, int len )
-{
- unsigned char *dst = NULL;
- unsigned char *src = NULL;
- size_t src_len = offset_max + len;
- size_t secret;
-
- ASSERT_ALLOC( dst, len );
- ASSERT_ALLOC( src, src_len );
-
- /* Fill src in a way that we can detect if we copied the right bytes */
- mbedtls_test_rnd_std_rand( NULL, src, src_len );
-
- for( secret = offset_min; secret <= (size_t) offset_max; secret++ )
- {
- mbedtls_test_set_step( (int) secret );
-
- TEST_CF_SECRET( &secret, sizeof( secret ) );
- mbedtls_ct_memcpy_offset( dst, src, secret,
- offset_min, offset_max, len );
- TEST_CF_PUBLIC( &secret, sizeof( secret ) );
- TEST_CF_PUBLIC( dst, len );
-
- ASSERT_COMPARE( dst, len, src + secret, len );
- }
-
-exit:
- mbedtls_free( dst );
- mbedtls_free( src );
-}
-/* END_CASE */
-
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
void test_multiple_psks()
{