diff --git a/.github/update.log b/.github/update.log index 9050c7c599..0602b93c23 100644 --- a/.github/update.log +++ b/.github/update.log @@ -749,3 +749,4 @@ Update On Mon Aug 26 20:34:29 CEST 2024 Update On Tue Aug 27 20:32:11 CEST 2024 Update On Wed Aug 28 20:33:23 CEST 2024 Update On Fri Aug 30 20:32:59 CEST 2024 +Update On Sat Aug 31 20:34:23 CEST 2024 diff --git a/clash-meta-android/core/src/foss/golang/clash/component/fakeip/pool.go b/clash-meta-android/core/src/foss/golang/clash/component/fakeip/pool.go index e2c1072254..12c063324b 100644 --- a/clash-meta-android/core/src/foss/golang/clash/component/fakeip/pool.go +++ b/clash-meta-android/core/src/foss/golang/clash/component/fakeip/pool.go @@ -36,6 +36,7 @@ type Pool struct { cycle bool mux sync.Mutex host []C.DomainMatcher + mode C.FilterMode ipnet netip.Prefix store store } @@ -66,6 +67,14 @@ func (p *Pool) LookBack(ip netip.Addr) (string, bool) { // ShouldSkipped return if domain should be skipped func (p *Pool) ShouldSkipped(domain string) bool { + should := p.shouldSkipped(domain) + if p.mode == C.FilterWhiteList { + return !should + } + return should +} + +func (p *Pool) shouldSkipped(domain string) bool { for _, matcher := range p.host { if matcher.MatchDomain(domain) { return true @@ -157,6 +166,7 @@ func (p *Pool) restoreState() { type Options struct { IPNet netip.Prefix Host []C.DomainMatcher + Mode C.FilterMode // Size sets the maximum number of entries in memory // and does not work if Persistence is true @@ -187,6 +197,7 @@ func New(options Options) (*Pool, error) { offset: first.Prev(), cycle: false, host: options.Host, + mode: options.Mode, ipnet: options.IPNet, } if options.Persistence { diff --git a/clash-meta-android/core/src/foss/golang/clash/component/fakeip/pool_test.go b/clash-meta-android/core/src/foss/golang/clash/component/fakeip/pool_test.go index 1d4fa05f0a..923cca574d 100644 --- a/clash-meta-android/core/src/foss/golang/clash/component/fakeip/pool_test.go +++ b/clash-meta-android/core/src/foss/golang/clash/component/fakeip/pool_test.go @@ -164,6 +164,28 @@ func TestPool_Skip(t *testing.T) { for _, pool := range pools { assert.True(t, pool.ShouldSkipped("example.com")) assert.False(t, pool.ShouldSkipped("foo.com")) + assert.False(t, pool.shouldSkipped("baz.com")) + } +} + +func TestPool_SkipWhiteList(t *testing.T) { + ipnet := netip.MustParsePrefix("192.168.0.1/29") + tree := trie.New[struct{}]() + assert.NoError(t, tree.Insert("example.com", struct{}{})) + assert.False(t, tree.IsEmpty()) + pools, tempfile, err := createPools(Options{ + IPNet: ipnet, + Size: 10, + Host: []C.DomainMatcher{tree.NewDomainSet()}, + Mode: C.FilterWhiteList, + }) + assert.Nil(t, err) + defer os.Remove(tempfile) + + for _, pool := range pools { + assert.False(t, pool.ShouldSkipped("example.com")) + assert.True(t, pool.ShouldSkipped("foo.com")) + assert.True(t, pool.ShouldSkipped("baz.com")) } } diff --git a/clash-meta-android/core/src/foss/golang/clash/config/config.go b/clash-meta-android/core/src/foss/golang/clash/config/config.go index c250d3ec21..ed30bfe452 100644 --- a/clash-meta-android/core/src/foss/golang/clash/config/config.go +++ b/clash-meta-android/core/src/foss/golang/clash/config/config.go @@ -205,6 +205,7 @@ type RawDNS struct { EnhancedMode C.DNSMode `yaml:"enhanced-mode" json:"enhanced-mode"` FakeIPRange string `yaml:"fake-ip-range" json:"fake-ip-range"` FakeIPFilter []string `yaml:"fake-ip-filter" json:"fake-ip-filter"` + FakeIPFilterMode C.FilterMode `yaml:"fake-ip-filter-mode" json:"fake-ip-filter-mode"` DefaultNameserver []string `yaml:"default-nameserver" json:"default-nameserver"` CacheAlgorithm string `yaml:"cache-algorithm" json:"cache-algorithm"` NameServerPolicy *orderedmap.OrderedMap[string, any] `yaml:"nameserver-policy" json:"nameserver-policy"` @@ -474,6 +475,7 @@ func DefaultRawConfig() *RawConfig { "www.msftnsci.com", "www.msftconnecttest.com", }, + FakeIPFilterMode: C.FilterBlackList, }, NTP: RawNTP{ Enable: false, @@ -1458,6 +1460,7 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul IPNet: fakeIPRange, Size: 1000, Host: host, + Mode: cfg.FakeIPFilterMode, Persistence: rawCfg.Profile.StoreFakeIP, }) if err != nil { diff --git a/clash-meta-android/core/src/foss/golang/clash/constant/dns.go b/clash-meta-android/core/src/foss/golang/clash/constant/dns.go index 3d97d97b71..8d038a6bbb 100644 --- a/clash-meta-android/core/src/foss/golang/clash/constant/dns.go +++ b/clash-meta-android/core/src/foss/golang/clash/constant/dns.go @@ -43,7 +43,9 @@ func (e DNSMode) MarshalYAML() (any, error) { // UnmarshalJSON unserialize EnhancedMode with json func (e *DNSMode) UnmarshalJSON(data []byte) error { var tp string - json.Unmarshal(data, &tp) + if err := json.Unmarshal(data, &tp); err != nil { + return err + } mode, exist := DNSModeMapping[tp] if !exist { return errors.New("invalid mode") @@ -115,6 +117,64 @@ func NewDNSPrefer(prefer string) DNSPrefer { } } +// FilterModeMapping is a mapping for FilterMode enum +var FilterModeMapping = map[string]FilterMode{ + FilterBlackList.String(): FilterBlackList, + FilterWhiteList.String(): FilterWhiteList, +} + +type FilterMode int + +const ( + FilterBlackList FilterMode = iota + FilterWhiteList +) + +func (e FilterMode) String() string { + switch e { + case FilterBlackList: + return "blacklist" + case FilterWhiteList: + return "whitelist" + default: + return "unknown" + } +} + +func (e FilterMode) MarshalYAML() (interface{}, error) { + return e.String(), nil +} + +func (e *FilterMode) UnmarshalYAML(unmarshal func(interface{}) error) error { + var tp string + if err := unmarshal(&tp); err != nil { + return err + } + mode, exist := FilterModeMapping[tp] + if !exist { + return errors.New("invalid mode") + } + *e = mode + return nil +} + +func (e FilterMode) MarshalJSON() ([]byte, error) { + return json.Marshal(e.String()) +} + +func (e *FilterMode) UnmarshalJSON(data []byte) error { + var tp string + if err := json.Unmarshal(data, &tp); err != nil { + return err + } + mode, exist := FilterModeMapping[tp] + if !exist { + return errors.New("invalid mode") + } + *e = mode + return nil +} + type HTTPVersion string const ( diff --git a/clash-meta-android/core/src/foss/golang/clash/docs/config.yaml b/clash-meta-android/core/src/foss/golang/clash/docs/config.yaml index bb60b28649..1da37841cb 100644 --- a/clash-meta-android/core/src/foss/golang/clash/docs/config.yaml +++ b/clash-meta-android/core/src/foss/golang/clash/docs/config.yaml @@ -249,6 +249,9 @@ dns: - rule-set:fakeip-filter # fakeip-filter 为 geosite 中名为 fakeip-filter 的分类(需要自行保证该分类存在) - geosite:fakeip-filter + # 配置fake-ip-filter的匹配模式,默认为blacklist,即如果匹配成功不返回fake-ip + # 可设置为whitelist,即只有匹配成功才返回fake-ip + fake-ip-filter-mode: blacklist # use-hosts: true # 查询 hosts diff --git a/clash-meta-android/core/src/foss/golang/clash/hub/executor/executor.go b/clash-meta-android/core/src/foss/golang/clash/hub/executor/executor.go index 442666f05d..e7e9b72c4c 100644 --- a/clash-meta-android/core/src/foss/golang/clash/hub/executor/executor.go +++ b/clash-meta-android/core/src/foss/golang/clash/hub/executor/executor.go @@ -77,7 +77,7 @@ func ParseWithBytes(buf []byte) (*config.Config, error) { return config.Parse(buf) } -// ApplyConfig dispatch configure to all parts +// ApplyConfig dispatch configure to all parts without ExternalController func ApplyConfig(cfg *config.Config, force bool) { mux.Lock() defer mux.Unlock() diff --git a/clash-meta-android/core/src/foss/golang/clash/hub/hub.go b/clash-meta-android/core/src/foss/golang/clash/hub/hub.go index 2a53b19793..d439d32e35 100644 --- a/clash-meta-android/core/src/foss/golang/clash/hub/hub.go +++ b/clash-meta-android/core/src/foss/golang/clash/hub/hub.go @@ -1,7 +1,10 @@ package hub import ( + "strings" + "github.com/metacubex/mihomo/config" + "github.com/metacubex/mihomo/constant/features" "github.com/metacubex/mihomo/hub/executor" "github.com/metacubex/mihomo/hub/route" "github.com/metacubex/mihomo/log" @@ -33,6 +36,33 @@ func WithSecret(secret string) Option { } } +// ApplyConfig dispatch configure to all parts include ExternalController +func ApplyConfig(cfg *config.Config) { + applyRoute(cfg) + executor.ApplyConfig(cfg, true) +} + +func applyRoute(cfg *config.Config) { + if features.CMFA && strings.HasSuffix(cfg.Controller.ExternalUI, ":0") { + // CMFA have set its default override value to end with ":0" for security. + // so we direct return at here + return + } + if cfg.Controller.ExternalUI != "" { + route.SetUIPath(cfg.Controller.ExternalUI) + } + route.ReCreateServer(&route.Config{ + Addr: cfg.Controller.ExternalController, + TLSAddr: cfg.Controller.ExternalControllerTLS, + UnixAddr: cfg.Controller.ExternalControllerUnix, + Secret: cfg.Controller.Secret, + Certificate: cfg.TLS.Certificate, + PrivateKey: cfg.TLS.PrivateKey, + DohServer: cfg.Controller.ExternalDohServer, + IsDebug: cfg.General.LogLevel == log.DEBUG, + }) +} + // Parse call at the beginning of mihomo func Parse(options ...Option) error { cfg, err := executor.Parse() @@ -44,20 +74,6 @@ func Parse(options ...Option) error { option(cfg) } - if cfg.Controller.ExternalUI != "" { - route.SetUIPath(cfg.Controller.ExternalUI) - } - - if cfg.Controller.ExternalController != "" { - go route.Start(cfg.Controller.ExternalController, cfg.Controller.ExternalControllerTLS, - cfg.Controller.Secret, cfg.TLS.Certificate, cfg.TLS.PrivateKey, cfg.Controller.ExternalDohServer, - cfg.General.LogLevel == log.DEBUG) - } - - if cfg.Controller.ExternalControllerUnix != "" { - go route.StartUnix(cfg.Controller.ExternalControllerUnix, cfg.Controller.ExternalDohServer, cfg.General.LogLevel == log.DEBUG) - } - - executor.ApplyConfig(cfg, true) + ApplyConfig(cfg) return nil } diff --git a/clash-meta-android/core/src/foss/golang/clash/hub/route/server.go b/clash-meta-android/core/src/foss/golang/clash/hub/route/server.go index 165c7c6970..1605b4bf74 100644 --- a/clash-meta-android/core/src/foss/golang/clash/hub/route/server.go +++ b/clash-meta-android/core/src/foss/golang/clash/hub/route/server.go @@ -30,10 +30,11 @@ import ( ) var ( - serverSecret = "" - serverAddr = "" - uiPath = "" + + httpServer *http.Server + tlsServer *http.Server + unixServer *http.Server ) type Traffic struct { @@ -46,11 +47,28 @@ type Memory struct { OSLimit uint64 `json:"oslimit"` // maybe we need it in the future } +type Config struct { + Addr string + TLSAddr string + UnixAddr string + Secret string + Certificate string + PrivateKey string + DohServer string + IsDebug bool +} + +func ReCreateServer(cfg *Config) { + go start(cfg) + go startTLS(cfg) + go startUnix(cfg) +} + func SetUIPath(path string) { uiPath = C.Path.Resolve(path) } -func router(isDebug bool, withAuth bool, dohServer string) *chi.Mux { +func router(isDebug bool, secret string, dohServer string) *chi.Mux { r := chi.NewRouter() corsM := cors.New(cors.Options{ AllowedOrigins: []string{"*"}, @@ -72,8 +90,8 @@ func router(isDebug bool, withAuth bool, dohServer string) *chi.Mux { }()) } r.Group(func(r chi.Router) { - if withAuth { - r.Use(authentication) + if secret != "" { + r.Use(authentication(secret)) } r.Get("/", hello) r.Get("/logs", getLogs) @@ -111,88 +129,111 @@ func router(isDebug bool, withAuth bool, dohServer string) *chi.Mux { return r } -func Start(addr string, tlsAddr string, secret string, - certificate, privateKey string, dohServer string, isDebug bool) { - if serverAddr != "" { - return +func start(cfg *Config) { + // first stop existing server + if httpServer != nil { + _ = httpServer.Close() + httpServer = nil } - serverAddr = addr - serverSecret = secret + // handle addr + if len(cfg.Addr) > 0 { + l, err := inbound.Listen("tcp", cfg.Addr) + if err != nil { + log.Errorln("External controller listen error: %s", err) + return + } + log.Infoln("RESTful API listening at: %s", l.Addr().String()) - if len(tlsAddr) > 0 { - go func() { - c, err := CN.ParseCert(certificate, privateKey, C.Path) - if err != nil { - log.Errorln("External controller tls listen error: %s", err) - return - } - - l, err := inbound.Listen("tcp", tlsAddr) - if err != nil { - log.Errorln("External controller tls listen error: %s", err) - return - } - - serverAddr = l.Addr().String() - log.Infoln("RESTful API tls listening at: %s", serverAddr) - tlsServe := &http.Server{ - Handler: router(isDebug, true, dohServer), - TLSConfig: &tls.Config{ - Certificates: []tls.Certificate{c}, - }, - } - if err = tlsServe.ServeTLS(l, "", ""); err != nil { - log.Errorln("External controller tls serve error: %s", err) - } - }() + server := &http.Server{ + Handler: router(cfg.IsDebug, cfg.Secret, cfg.DohServer), + } + if err = server.Serve(l); err != nil { + log.Errorln("External controller serve error: %s", err) + } + httpServer = server } - - l, err := inbound.Listen("tcp", addr) - if err != nil { - log.Errorln("External controller listen error: %s", err) - return - } - serverAddr = l.Addr().String() - log.Infoln("RESTful API listening at: %s", serverAddr) - - if err = http.Serve(l, router(isDebug, true, dohServer)); err != nil { - log.Errorln("External controller serve error: %s", err) - } - } -func StartUnix(addr string, dohServer string, isDebug bool) { - addr = C.Path.Resolve(addr) +func startTLS(cfg *Config) { + // first stop existing server + if tlsServer != nil { + _ = tlsServer.Close() + tlsServer = nil + } - dir := filepath.Dir(addr) - if _, err := os.Stat(dir); os.IsNotExist(err) { - if err := os.MkdirAll(dir, 0o755); err != nil { + // handle tlsAddr + if len(cfg.TLSAddr) > 0 { + c, err := CN.ParseCert(cfg.Certificate, cfg.PrivateKey, C.Path) + if err != nil { + log.Errorln("External controller tls listen error: %s", err) + return + } + + l, err := inbound.Listen("tcp", cfg.TLSAddr) + if err != nil { + log.Errorln("External controller tls listen error: %s", err) + return + } + + log.Infoln("RESTful API tls listening at: %s", l.Addr().String()) + server := &http.Server{ + Handler: router(cfg.IsDebug, cfg.Secret, cfg.DohServer), + TLSConfig: &tls.Config{ + Certificates: []tls.Certificate{c}, + }, + } + if err = server.ServeTLS(l, "", ""); err != nil { + log.Errorln("External controller tls serve error: %s", err) + } + tlsServer = server + } +} + +func startUnix(cfg *Config) { + // first stop existing server + if unixServer != nil { + _ = unixServer.Close() + unixServer = nil + } + + // handle addr + if len(cfg.UnixAddr) > 0 { + addr := C.Path.Resolve(cfg.UnixAddr) + + dir := filepath.Dir(addr) + if _, err := os.Stat(dir); os.IsNotExist(err) { + if err := os.MkdirAll(dir, 0o755); err != nil { + log.Errorln("External controller unix listen error: %s", err) + return + } + } + + // https://devblogs.microsoft.com/commandline/af_unix-comes-to-windows/ + // + // Note: As mentioned above in the ‘security’ section, when a socket binds a socket to a valid pathname address, + // a socket file is created within the filesystem. On Linux, the application is expected to unlink + // (see the notes section in the man page for AF_UNIX) before any other socket can be bound to the same address. + // The same applies to Windows unix sockets, except that, DeleteFile (or any other file delete API) + // should be used to delete the socket file prior to calling bind with the same path. + _ = syscall.Unlink(addr) + + l, err := inbound.Listen("unix", addr) + if err != nil { log.Errorln("External controller unix listen error: %s", err) return } + log.Infoln("RESTful API unix listening at: %s", l.Addr().String()) + + server := &http.Server{ + Handler: router(cfg.IsDebug, "", cfg.DohServer), + } + if err = server.Serve(l); err != nil { + log.Errorln("External controller unix serve error: %s", err) + } + unixServer = server } - // https://devblogs.microsoft.com/commandline/af_unix-comes-to-windows/ - // - // Note: As mentioned above in the ‘security’ section, when a socket binds a socket to a valid pathname address, - // a socket file is created within the filesystem. On Linux, the application is expected to unlink - // (see the notes section in the man page for AF_UNIX) before any other socket can be bound to the same address. - // The same applies to Windows unix sockets, except that, DeleteFile (or any other file delete API) - // should be used to delete the socket file prior to calling bind with the same path. - _ = syscall.Unlink(addr) - - l, err := inbound.Listen("unix", addr) - if err != nil { - log.Errorln("External controller unix listen error: %s", err) - return - } - serverAddr = l.Addr().String() - log.Infoln("RESTful API unix listening at: %s", serverAddr) - - if err = http.Serve(l, router(isDebug, false, dohServer)); err != nil { - log.Errorln("External controller unix serve error: %s", err) - } } func setPrivateNetworkAccess(next http.Handler) http.Handler { @@ -210,38 +251,35 @@ func safeEuqal(a, b string) bool { return subtle.ConstantTimeCompare(aBuf, bBuf) == 1 } -func authentication(next http.Handler) http.Handler { - fn := func(w http.ResponseWriter, r *http.Request) { - if serverSecret == "" { - next.ServeHTTP(w, r) - return - } +func authentication(secret string) func(http.Handler) http.Handler { + return func(next http.Handler) http.Handler { + fn := func(w http.ResponseWriter, r *http.Request) { + // Browser websocket not support custom header + if r.Header.Get("Upgrade") == "websocket" && r.URL.Query().Get("token") != "" { + token := r.URL.Query().Get("token") + if !safeEuqal(token, secret) { + render.Status(r, http.StatusUnauthorized) + render.JSON(w, r, ErrUnauthorized) + return + } + next.ServeHTTP(w, r) + return + } - // Browser websocket not support custom header - if r.Header.Get("Upgrade") == "websocket" && r.URL.Query().Get("token") != "" { - token := r.URL.Query().Get("token") - if !safeEuqal(token, serverSecret) { + header := r.Header.Get("Authorization") + bearer, token, found := strings.Cut(header, " ") + + hasInvalidHeader := bearer != "Bearer" + hasInvalidSecret := !found || !safeEuqal(token, secret) + if hasInvalidHeader || hasInvalidSecret { render.Status(r, http.StatusUnauthorized) render.JSON(w, r, ErrUnauthorized) return } next.ServeHTTP(w, r) - return } - - header := r.Header.Get("Authorization") - bearer, token, found := strings.Cut(header, " ") - - hasInvalidHeader := bearer != "Bearer" - hasInvalidSecret := !found || !safeEuqal(token, serverSecret) - if hasInvalidHeader || hasInvalidSecret { - render.Status(r, http.StatusUnauthorized) - render.JSON(w, r, ErrUnauthorized) - return - } - next.ServeHTTP(w, r) + return http.HandlerFunc(fn) } - return http.HandlerFunc(fn) } func hello(w http.ResponseWriter, r *http.Request) { diff --git a/clash-meta-android/core/src/foss/golang/clash/listener/sing_tun/server_android.go b/clash-meta-android/core/src/foss/golang/clash/listener/sing_tun/server_android.go index bd5c4bd071..d8240534ed 100644 --- a/clash-meta-android/core/src/foss/golang/clash/listener/sing_tun/server_android.go +++ b/clash-meta-android/core/src/foss/golang/clash/listener/sing_tun/server_android.go @@ -1,3 +1,5 @@ +//go:build android && !cmfa + package sing_tun import ( diff --git a/clash-meta-android/core/src/foss/golang/clash/listener/sing_tun/server_notandroid.go b/clash-meta-android/core/src/foss/golang/clash/listener/sing_tun/server_notandroid.go index 6b30ee03b2..10fd3997b4 100644 --- a/clash-meta-android/core/src/foss/golang/clash/listener/sing_tun/server_notandroid.go +++ b/clash-meta-android/core/src/foss/golang/clash/listener/sing_tun/server_notandroid.go @@ -1,4 +1,4 @@ -//go:build !android +//go:build !android || cmfa package sing_tun diff --git a/clash-meta-android/core/src/foss/golang/clash/main.go b/clash-meta-android/core/src/foss/golang/clash/main.go index 06a04ca17b..c7a7acbc3b 100644 --- a/clash-meta-android/core/src/foss/golang/clash/main.go +++ b/clash-meta-android/core/src/foss/golang/clash/main.go @@ -135,7 +135,7 @@ func main() { return case <-hupSign: if cfg, err := executor.ParseWithPath(C.Path.Config()); err == nil { - executor.ApplyConfig(cfg, true) + hub.ApplyConfig(cfg) } else { log.Errorln("Parse config error: %s", err.Error()) } diff --git a/clash-meta-android/core/src/foss/golang/go.mod b/clash-meta-android/core/src/foss/golang/go.mod index df201b63cc..b79a292d79 100644 --- a/clash-meta-android/core/src/foss/golang/go.mod +++ b/clash-meta-android/core/src/foss/golang/go.mod @@ -11,6 +11,7 @@ require ( github.com/Kr328/tun2socket v0.0.0-20220414050025-d07c78d06d34 // indirect github.com/RyuaNerin/go-krypto v1.2.4 // indirect github.com/Yawning/aez v0.0.0-20211027044916-e49e68abd344 // indirect + github.com/ajg/form v1.5.1 // indirect github.com/andybalholm/brotli v1.0.6 // indirect github.com/bahlo/generic-list-go v0.2.0 // indirect github.com/buger/jsonparser v1.1.1 // indirect @@ -23,6 +24,9 @@ require ( github.com/ericlagergren/subtle v0.0.0-20220507045147-890d697da010 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect github.com/gaukas/godicttls v0.0.4 // indirect + github.com/go-chi/chi/v5 v5.1.0 // indirect + github.com/go-chi/cors v1.2.1 // indirect + github.com/go-chi/render v1.0.3 // indirect github.com/go-ole/go-ole v1.3.0 // indirect github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect github.com/gobwas/httphead v0.1.0 // indirect diff --git a/clash-meta-android/core/src/foss/golang/go.sum b/clash-meta-android/core/src/foss/golang/go.sum index 5c35e659dc..23e05d6416 100644 --- a/clash-meta-android/core/src/foss/golang/go.sum +++ b/clash-meta-android/core/src/foss/golang/go.sum @@ -7,6 +7,8 @@ github.com/RyuaNerin/go-krypto v1.2.4 h1:mXuNdK6M317aPV0llW6Xpjbo4moOlPF7Yxz4tb4 github.com/RyuaNerin/go-krypto v1.2.4/go.mod h1:QqCYkoutU3yInyD9INt2PGolVRsc3W4oraQadVGXJ/8= github.com/Yawning/aez v0.0.0-20211027044916-e49e68abd344 h1:cDVUiFo+npB0ZASqnw4q90ylaVAbnYyx0JYqK4YcGok= github.com/Yawning/aez v0.0.0-20211027044916-e49e68abd344/go.mod h1:9pIqrY6SXNL8vjRQE5Hd/OL5GyK/9MrGUWs87z/eFfk= +github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU= +github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY= github.com/andybalholm/brotli v1.0.6 h1:Yf9fFpf49Zrxb9NlQaluyE92/+X7UVHlhMNJN2sxfOI= github.com/andybalholm/brotli v1.0.6/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= github.com/bahlo/generic-list-go v0.2.0 h1:5sz/EEAK+ls5wF+NeqDpk5+iNdMDXrh3z3nPnH1Wvgk= @@ -39,6 +41,12 @@ github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nos github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= github.com/gaukas/godicttls v0.0.4 h1:NlRaXb3J6hAnTmWdsEKb9bcSBD6BvcIjdGdeb0zfXbk= github.com/gaukas/godicttls v0.0.4/go.mod h1:l6EenT4TLWgTdwslVb4sEMOCf7Bv0JAK67deKr9/NCI= +github.com/go-chi/chi/v5 v5.1.0 h1:acVI1TYaD+hhedDJ3r54HyA6sExp3HfXq7QWEEY/xMw= +github.com/go-chi/chi/v5 v5.1.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= +github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4= +github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58= +github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4= +github.com/go-chi/render v1.0.3/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0= github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE= diff --git a/clash-meta-android/core/src/main/golang/go.mod b/clash-meta-android/core/src/main/golang/go.mod index 0502a5bca6..9786cb7059 100644 --- a/clash-meta-android/core/src/main/golang/go.mod +++ b/clash-meta-android/core/src/main/golang/go.mod @@ -9,7 +9,7 @@ require ( github.com/miekg/dns v1.1.62 github.com/oschwald/maxminddb-golang v1.12.0 golang.org/x/sync v0.8.0 - gopkg.in/yaml.v2 v2.4.0 + gopkg.in/yaml.v3 v3.0.1 ) replace github.com/metacubex/mihomo => ../../foss/golang/clash @@ -20,6 +20,7 @@ require ( github.com/3andne/restls-client-go v0.1.6 // indirect github.com/RyuaNerin/go-krypto v1.2.4 // indirect github.com/Yawning/aez v0.0.0-20211027044916-e49e68abd344 // indirect + github.com/ajg/form v1.5.1 // indirect github.com/andybalholm/brotli v1.0.6 // indirect github.com/bahlo/generic-list-go v0.2.0 // indirect github.com/buger/jsonparser v1.1.1 // indirect @@ -31,6 +32,9 @@ require ( github.com/ericlagergren/subtle v0.0.0-20220507045147-890d697da010 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect github.com/gaukas/godicttls v0.0.4 // indirect + github.com/go-chi/chi/v5 v5.1.0 // indirect + github.com/go-chi/cors v1.2.1 // indirect + github.com/go-chi/render v1.0.3 // indirect github.com/go-ole/go-ole v1.3.0 // indirect github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect github.com/gobwas/httphead v0.1.0 // indirect @@ -107,6 +111,5 @@ require ( golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.24.0 // indirect google.golang.org/protobuf v1.34.2 // indirect - gopkg.in/yaml.v3 v3.0.1 // indirect lukechampine.com/blake3 v1.3.0 // indirect ) diff --git a/clash-meta-android/core/src/main/golang/go.sum b/clash-meta-android/core/src/main/golang/go.sum index 5c35e659dc..edb7b0ae3d 100644 --- a/clash-meta-android/core/src/main/golang/go.sum +++ b/clash-meta-android/core/src/main/golang/go.sum @@ -7,6 +7,8 @@ github.com/RyuaNerin/go-krypto v1.2.4 h1:mXuNdK6M317aPV0llW6Xpjbo4moOlPF7Yxz4tb4 github.com/RyuaNerin/go-krypto v1.2.4/go.mod h1:QqCYkoutU3yInyD9INt2PGolVRsc3W4oraQadVGXJ/8= github.com/Yawning/aez v0.0.0-20211027044916-e49e68abd344 h1:cDVUiFo+npB0ZASqnw4q90ylaVAbnYyx0JYqK4YcGok= github.com/Yawning/aez v0.0.0-20211027044916-e49e68abd344/go.mod h1:9pIqrY6SXNL8vjRQE5Hd/OL5GyK/9MrGUWs87z/eFfk= +github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU= +github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY= github.com/andybalholm/brotli v1.0.6 h1:Yf9fFpf49Zrxb9NlQaluyE92/+X7UVHlhMNJN2sxfOI= github.com/andybalholm/brotli v1.0.6/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= github.com/bahlo/generic-list-go v0.2.0 h1:5sz/EEAK+ls5wF+NeqDpk5+iNdMDXrh3z3nPnH1Wvgk= @@ -39,6 +41,12 @@ github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nos github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= github.com/gaukas/godicttls v0.0.4 h1:NlRaXb3J6hAnTmWdsEKb9bcSBD6BvcIjdGdeb0zfXbk= github.com/gaukas/godicttls v0.0.4/go.mod h1:l6EenT4TLWgTdwslVb4sEMOCf7Bv0JAK67deKr9/NCI= +github.com/go-chi/chi/v5 v5.1.0 h1:acVI1TYaD+hhedDJ3r54HyA6sExp3HfXq7QWEEY/xMw= +github.com/go-chi/chi/v5 v5.1.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= +github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4= +github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58= +github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4= +github.com/go-chi/render v1.0.3/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0= github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE= @@ -259,8 +267,6 @@ google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6h google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= -gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/clash-meta-android/core/src/main/golang/native/config/load.go b/clash-meta-android/core/src/main/golang/native/config/load.go index 8b51146572..470276527e 100644 --- a/clash-meta-android/core/src/main/golang/native/config/load.go +++ b/clash-meta-android/core/src/main/golang/native/config/load.go @@ -1,18 +1,18 @@ package config import ( - "io/ioutil" + "os" P "path" "runtime" "strings" - "gopkg.in/yaml.v2" + "gopkg.in/yaml.v3" "cfa/native/app" - "github.com/metacubex/mihomo/log" "github.com/metacubex/mihomo/config" - "github.com/metacubex/mihomo/hub/executor" + "github.com/metacubex/mihomo/hub" + "github.com/metacubex/mihomo/log" ) func logDns(cfg *config.RawConfig) { @@ -33,7 +33,7 @@ func logDns(cfg *config.RawConfig) { func UnmarshalAndPatch(profilePath string) (*config.RawConfig, error) { configPath := P.Join(profilePath, "config.yaml") - configData, err := ioutil.ReadFile(configPath) + configData, err := os.ReadFile(configPath) if err != nil { return nil, err } @@ -76,7 +76,9 @@ func Load(path string) error { return err } - executor.ApplyConfig(cfg, true) + // Start the external controller like in hub.Parse(), but we have set its + // default override value to end with ":0" for security. + hub.ApplyConfig(cfg) app.ApplySubtitlePattern(rawCfg.ClashForAndroid.UiSubtitlePattern) @@ -91,5 +93,5 @@ func LoadDefault() { panic(err.Error()) } - executor.ApplyConfig(cfg, true) + hub.ApplyConfig(cfg) } diff --git a/clash-meta-android/core/src/main/golang/native/config/override.go b/clash-meta-android/core/src/main/golang/native/config/override.go index c42f5543ab..cf0ae94213 100644 --- a/clash-meta-android/core/src/main/golang/native/config/override.go +++ b/clash-meta-android/core/src/main/golang/native/config/override.go @@ -1,7 +1,7 @@ package config import ( - "io/ioutil" + "io" "os" "github.com/metacubex/mihomo/constant" @@ -31,7 +31,7 @@ func ReadOverride(slot OverrideSlot) string { return defaultPersistOverride } - buf, err := ioutil.ReadAll(file) + buf, err := io.ReadAll(file) if err != nil { return defaultPersistOverride } diff --git a/clash-meta-android/core/src/main/golang/native/config/process.go b/clash-meta-android/core/src/main/golang/native/config/process.go index f4f8be228c..545f127703 100644 --- a/clash-meta-android/core/src/main/golang/native/config/process.go +++ b/clash-meta-android/core/src/main/golang/native/config/process.go @@ -41,7 +41,6 @@ func patchOverride(cfg *config.RawConfig, _ string) error { func patchGeneral(cfg *config.RawConfig, _ string) error { cfg.Interface = "" cfg.ExternalUI = "" - cfg.ExternalController = "" return nil } diff --git a/clash-meta-android/core/src/main/java/com/github/kr328/clash/core/model/ConfigurationOverride.kt b/clash-meta-android/core/src/main/java/com/github/kr328/clash/core/model/ConfigurationOverride.kt index a64baac84d..8f87a6985e 100644 --- a/clash-meta-android/core/src/main/java/com/github/kr328/clash/core/model/ConfigurationOverride.kt +++ b/clash-meta-android/core/src/main/java/com/github/kr328/clash/core/model/ConfigurationOverride.kt @@ -41,6 +41,12 @@ data class ConfigurationOverride( @SerialName("ipv6") var ipv6: Boolean? = null, + @SerialName("external-controller") + var externalController: String? = "127.0.0.1:0", + + @SerialName("secret") + var secret: String? = null, + @SerialName("hosts") var hosts: Map? = null, diff --git a/clash-meta-android/design/src/main/java/com/github/kr328/clash/design/OverrideSettingsDesign.kt b/clash-meta-android/design/src/main/java/com/github/kr328/clash/design/OverrideSettingsDesign.kt index 8622cbaa45..80426ff4d4 100644 --- a/clash-meta-android/design/src/main/java/com/github/kr328/clash/design/OverrideSettingsDesign.kt +++ b/clash-meta-android/design/src/main/java/com/github/kr328/clash/design/OverrideSettingsDesign.kt @@ -185,6 +185,22 @@ class OverrideSettingsDesign( empty = R.string.default_ ) + editableText( + value = configuration::externalController, + adapter = NullableTextAdapter.String, + title = R.string.external_controller, + placeholder = R.string.dont_modify, + empty = R.string.default_ + ) + + editableText( + value = configuration::secret, + adapter = NullableTextAdapter.String, + title = R.string.secret, + placeholder = R.string.dont_modify, + empty = R.string.default_ + ) + selectableList( value = configuration::mode, values = arrayOf( diff --git a/clash-meta-android/design/src/main/res/values/strings.xml b/clash-meta-android/design/src/main/res/values/strings.xml index a6c87acda8..cba90dcfa2 100644 --- a/clash-meta-android/design/src/main/res/values/strings.xml +++ b/clash-meta-android/design/src/main/res/values/strings.xml @@ -144,6 +144,8 @@ Mode Log Level IPv6 + External Controller + Secret Hosts Sideload GEOIP External GEOIP database diff --git a/clash-meta/.github/workflows/build.yml b/clash-meta/.github/workflows/build.yml index b62e982000..5ba2ef6f9e 100644 --- a/clash-meta/.github/workflows/build.yml +++ b/clash-meta/.github/workflows/build.yml @@ -387,18 +387,18 @@ jobs: git fetch --tags echo "PREVERSION=$(git describe --tags --abbrev=0 HEAD)" >> $GITHUB_ENV - - name: Merge Alpha branch into Meta + - name: Force push Alpha branch to Meta run: | git config --global user.email "github-actions[bot]@users.noreply.github.com" git config --global user.name "github-actions[bot]" git fetch origin Alpha:Alpha - git merge Alpha - git push origin Meta + git push origin Alpha:Meta --force env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Tag the commit + - name: Tag the commit on Alpha run: | + git checkout Alpha git tag ${{ github.event.inputs.version }} git push origin ${{ github.event.inputs.version }} env: diff --git a/clash-meta/component/fakeip/pool.go b/clash-meta/component/fakeip/pool.go index e2c1072254..12c063324b 100644 --- a/clash-meta/component/fakeip/pool.go +++ b/clash-meta/component/fakeip/pool.go @@ -36,6 +36,7 @@ type Pool struct { cycle bool mux sync.Mutex host []C.DomainMatcher + mode C.FilterMode ipnet netip.Prefix store store } @@ -66,6 +67,14 @@ func (p *Pool) LookBack(ip netip.Addr) (string, bool) { // ShouldSkipped return if domain should be skipped func (p *Pool) ShouldSkipped(domain string) bool { + should := p.shouldSkipped(domain) + if p.mode == C.FilterWhiteList { + return !should + } + return should +} + +func (p *Pool) shouldSkipped(domain string) bool { for _, matcher := range p.host { if matcher.MatchDomain(domain) { return true @@ -157,6 +166,7 @@ func (p *Pool) restoreState() { type Options struct { IPNet netip.Prefix Host []C.DomainMatcher + Mode C.FilterMode // Size sets the maximum number of entries in memory // and does not work if Persistence is true @@ -187,6 +197,7 @@ func New(options Options) (*Pool, error) { offset: first.Prev(), cycle: false, host: options.Host, + mode: options.Mode, ipnet: options.IPNet, } if options.Persistence { diff --git a/clash-meta/component/fakeip/pool_test.go b/clash-meta/component/fakeip/pool_test.go index 1d4fa05f0a..923cca574d 100644 --- a/clash-meta/component/fakeip/pool_test.go +++ b/clash-meta/component/fakeip/pool_test.go @@ -164,6 +164,28 @@ func TestPool_Skip(t *testing.T) { for _, pool := range pools { assert.True(t, pool.ShouldSkipped("example.com")) assert.False(t, pool.ShouldSkipped("foo.com")) + assert.False(t, pool.shouldSkipped("baz.com")) + } +} + +func TestPool_SkipWhiteList(t *testing.T) { + ipnet := netip.MustParsePrefix("192.168.0.1/29") + tree := trie.New[struct{}]() + assert.NoError(t, tree.Insert("example.com", struct{}{})) + assert.False(t, tree.IsEmpty()) + pools, tempfile, err := createPools(Options{ + IPNet: ipnet, + Size: 10, + Host: []C.DomainMatcher{tree.NewDomainSet()}, + Mode: C.FilterWhiteList, + }) + assert.Nil(t, err) + defer os.Remove(tempfile) + + for _, pool := range pools { + assert.False(t, pool.ShouldSkipped("example.com")) + assert.True(t, pool.ShouldSkipped("foo.com")) + assert.True(t, pool.ShouldSkipped("baz.com")) } } diff --git a/clash-meta/config/config.go b/clash-meta/config/config.go index c250d3ec21..ed30bfe452 100644 --- a/clash-meta/config/config.go +++ b/clash-meta/config/config.go @@ -205,6 +205,7 @@ type RawDNS struct { EnhancedMode C.DNSMode `yaml:"enhanced-mode" json:"enhanced-mode"` FakeIPRange string `yaml:"fake-ip-range" json:"fake-ip-range"` FakeIPFilter []string `yaml:"fake-ip-filter" json:"fake-ip-filter"` + FakeIPFilterMode C.FilterMode `yaml:"fake-ip-filter-mode" json:"fake-ip-filter-mode"` DefaultNameserver []string `yaml:"default-nameserver" json:"default-nameserver"` CacheAlgorithm string `yaml:"cache-algorithm" json:"cache-algorithm"` NameServerPolicy *orderedmap.OrderedMap[string, any] `yaml:"nameserver-policy" json:"nameserver-policy"` @@ -474,6 +475,7 @@ func DefaultRawConfig() *RawConfig { "www.msftnsci.com", "www.msftconnecttest.com", }, + FakeIPFilterMode: C.FilterBlackList, }, NTP: RawNTP{ Enable: false, @@ -1458,6 +1460,7 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul IPNet: fakeIPRange, Size: 1000, Host: host, + Mode: cfg.FakeIPFilterMode, Persistence: rawCfg.Profile.StoreFakeIP, }) if err != nil { diff --git a/clash-meta/constant/dns.go b/clash-meta/constant/dns.go index 3d97d97b71..8d038a6bbb 100644 --- a/clash-meta/constant/dns.go +++ b/clash-meta/constant/dns.go @@ -43,7 +43,9 @@ func (e DNSMode) MarshalYAML() (any, error) { // UnmarshalJSON unserialize EnhancedMode with json func (e *DNSMode) UnmarshalJSON(data []byte) error { var tp string - json.Unmarshal(data, &tp) + if err := json.Unmarshal(data, &tp); err != nil { + return err + } mode, exist := DNSModeMapping[tp] if !exist { return errors.New("invalid mode") @@ -115,6 +117,64 @@ func NewDNSPrefer(prefer string) DNSPrefer { } } +// FilterModeMapping is a mapping for FilterMode enum +var FilterModeMapping = map[string]FilterMode{ + FilterBlackList.String(): FilterBlackList, + FilterWhiteList.String(): FilterWhiteList, +} + +type FilterMode int + +const ( + FilterBlackList FilterMode = iota + FilterWhiteList +) + +func (e FilterMode) String() string { + switch e { + case FilterBlackList: + return "blacklist" + case FilterWhiteList: + return "whitelist" + default: + return "unknown" + } +} + +func (e FilterMode) MarshalYAML() (interface{}, error) { + return e.String(), nil +} + +func (e *FilterMode) UnmarshalYAML(unmarshal func(interface{}) error) error { + var tp string + if err := unmarshal(&tp); err != nil { + return err + } + mode, exist := FilterModeMapping[tp] + if !exist { + return errors.New("invalid mode") + } + *e = mode + return nil +} + +func (e FilterMode) MarshalJSON() ([]byte, error) { + return json.Marshal(e.String()) +} + +func (e *FilterMode) UnmarshalJSON(data []byte) error { + var tp string + if err := json.Unmarshal(data, &tp); err != nil { + return err + } + mode, exist := FilterModeMapping[tp] + if !exist { + return errors.New("invalid mode") + } + *e = mode + return nil +} + type HTTPVersion string const ( diff --git a/clash-meta/docs/config.yaml b/clash-meta/docs/config.yaml index bb60b28649..1da37841cb 100644 --- a/clash-meta/docs/config.yaml +++ b/clash-meta/docs/config.yaml @@ -249,6 +249,9 @@ dns: - rule-set:fakeip-filter # fakeip-filter 为 geosite 中名为 fakeip-filter 的分类(需要自行保证该分类存在) - geosite:fakeip-filter + # 配置fake-ip-filter的匹配模式,默认为blacklist,即如果匹配成功不返回fake-ip + # 可设置为whitelist,即只有匹配成功才返回fake-ip + fake-ip-filter-mode: blacklist # use-hosts: true # 查询 hosts diff --git a/clash-meta/hub/executor/executor.go b/clash-meta/hub/executor/executor.go index 442666f05d..e7e9b72c4c 100644 --- a/clash-meta/hub/executor/executor.go +++ b/clash-meta/hub/executor/executor.go @@ -77,7 +77,7 @@ func ParseWithBytes(buf []byte) (*config.Config, error) { return config.Parse(buf) } -// ApplyConfig dispatch configure to all parts +// ApplyConfig dispatch configure to all parts without ExternalController func ApplyConfig(cfg *config.Config, force bool) { mux.Lock() defer mux.Unlock() diff --git a/clash-meta/hub/hub.go b/clash-meta/hub/hub.go index 2a53b19793..d439d32e35 100644 --- a/clash-meta/hub/hub.go +++ b/clash-meta/hub/hub.go @@ -1,7 +1,10 @@ package hub import ( + "strings" + "github.com/metacubex/mihomo/config" + "github.com/metacubex/mihomo/constant/features" "github.com/metacubex/mihomo/hub/executor" "github.com/metacubex/mihomo/hub/route" "github.com/metacubex/mihomo/log" @@ -33,6 +36,33 @@ func WithSecret(secret string) Option { } } +// ApplyConfig dispatch configure to all parts include ExternalController +func ApplyConfig(cfg *config.Config) { + applyRoute(cfg) + executor.ApplyConfig(cfg, true) +} + +func applyRoute(cfg *config.Config) { + if features.CMFA && strings.HasSuffix(cfg.Controller.ExternalUI, ":0") { + // CMFA have set its default override value to end with ":0" for security. + // so we direct return at here + return + } + if cfg.Controller.ExternalUI != "" { + route.SetUIPath(cfg.Controller.ExternalUI) + } + route.ReCreateServer(&route.Config{ + Addr: cfg.Controller.ExternalController, + TLSAddr: cfg.Controller.ExternalControllerTLS, + UnixAddr: cfg.Controller.ExternalControllerUnix, + Secret: cfg.Controller.Secret, + Certificate: cfg.TLS.Certificate, + PrivateKey: cfg.TLS.PrivateKey, + DohServer: cfg.Controller.ExternalDohServer, + IsDebug: cfg.General.LogLevel == log.DEBUG, + }) +} + // Parse call at the beginning of mihomo func Parse(options ...Option) error { cfg, err := executor.Parse() @@ -44,20 +74,6 @@ func Parse(options ...Option) error { option(cfg) } - if cfg.Controller.ExternalUI != "" { - route.SetUIPath(cfg.Controller.ExternalUI) - } - - if cfg.Controller.ExternalController != "" { - go route.Start(cfg.Controller.ExternalController, cfg.Controller.ExternalControllerTLS, - cfg.Controller.Secret, cfg.TLS.Certificate, cfg.TLS.PrivateKey, cfg.Controller.ExternalDohServer, - cfg.General.LogLevel == log.DEBUG) - } - - if cfg.Controller.ExternalControllerUnix != "" { - go route.StartUnix(cfg.Controller.ExternalControllerUnix, cfg.Controller.ExternalDohServer, cfg.General.LogLevel == log.DEBUG) - } - - executor.ApplyConfig(cfg, true) + ApplyConfig(cfg) return nil } diff --git a/clash-meta/hub/route/server.go b/clash-meta/hub/route/server.go index 165c7c6970..1605b4bf74 100644 --- a/clash-meta/hub/route/server.go +++ b/clash-meta/hub/route/server.go @@ -30,10 +30,11 @@ import ( ) var ( - serverSecret = "" - serverAddr = "" - uiPath = "" + + httpServer *http.Server + tlsServer *http.Server + unixServer *http.Server ) type Traffic struct { @@ -46,11 +47,28 @@ type Memory struct { OSLimit uint64 `json:"oslimit"` // maybe we need it in the future } +type Config struct { + Addr string + TLSAddr string + UnixAddr string + Secret string + Certificate string + PrivateKey string + DohServer string + IsDebug bool +} + +func ReCreateServer(cfg *Config) { + go start(cfg) + go startTLS(cfg) + go startUnix(cfg) +} + func SetUIPath(path string) { uiPath = C.Path.Resolve(path) } -func router(isDebug bool, withAuth bool, dohServer string) *chi.Mux { +func router(isDebug bool, secret string, dohServer string) *chi.Mux { r := chi.NewRouter() corsM := cors.New(cors.Options{ AllowedOrigins: []string{"*"}, @@ -72,8 +90,8 @@ func router(isDebug bool, withAuth bool, dohServer string) *chi.Mux { }()) } r.Group(func(r chi.Router) { - if withAuth { - r.Use(authentication) + if secret != "" { + r.Use(authentication(secret)) } r.Get("/", hello) r.Get("/logs", getLogs) @@ -111,88 +129,111 @@ func router(isDebug bool, withAuth bool, dohServer string) *chi.Mux { return r } -func Start(addr string, tlsAddr string, secret string, - certificate, privateKey string, dohServer string, isDebug bool) { - if serverAddr != "" { - return +func start(cfg *Config) { + // first stop existing server + if httpServer != nil { + _ = httpServer.Close() + httpServer = nil } - serverAddr = addr - serverSecret = secret + // handle addr + if len(cfg.Addr) > 0 { + l, err := inbound.Listen("tcp", cfg.Addr) + if err != nil { + log.Errorln("External controller listen error: %s", err) + return + } + log.Infoln("RESTful API listening at: %s", l.Addr().String()) - if len(tlsAddr) > 0 { - go func() { - c, err := CN.ParseCert(certificate, privateKey, C.Path) - if err != nil { - log.Errorln("External controller tls listen error: %s", err) - return - } - - l, err := inbound.Listen("tcp", tlsAddr) - if err != nil { - log.Errorln("External controller tls listen error: %s", err) - return - } - - serverAddr = l.Addr().String() - log.Infoln("RESTful API tls listening at: %s", serverAddr) - tlsServe := &http.Server{ - Handler: router(isDebug, true, dohServer), - TLSConfig: &tls.Config{ - Certificates: []tls.Certificate{c}, - }, - } - if err = tlsServe.ServeTLS(l, "", ""); err != nil { - log.Errorln("External controller tls serve error: %s", err) - } - }() + server := &http.Server{ + Handler: router(cfg.IsDebug, cfg.Secret, cfg.DohServer), + } + if err = server.Serve(l); err != nil { + log.Errorln("External controller serve error: %s", err) + } + httpServer = server } - - l, err := inbound.Listen("tcp", addr) - if err != nil { - log.Errorln("External controller listen error: %s", err) - return - } - serverAddr = l.Addr().String() - log.Infoln("RESTful API listening at: %s", serverAddr) - - if err = http.Serve(l, router(isDebug, true, dohServer)); err != nil { - log.Errorln("External controller serve error: %s", err) - } - } -func StartUnix(addr string, dohServer string, isDebug bool) { - addr = C.Path.Resolve(addr) +func startTLS(cfg *Config) { + // first stop existing server + if tlsServer != nil { + _ = tlsServer.Close() + tlsServer = nil + } - dir := filepath.Dir(addr) - if _, err := os.Stat(dir); os.IsNotExist(err) { - if err := os.MkdirAll(dir, 0o755); err != nil { + // handle tlsAddr + if len(cfg.TLSAddr) > 0 { + c, err := CN.ParseCert(cfg.Certificate, cfg.PrivateKey, C.Path) + if err != nil { + log.Errorln("External controller tls listen error: %s", err) + return + } + + l, err := inbound.Listen("tcp", cfg.TLSAddr) + if err != nil { + log.Errorln("External controller tls listen error: %s", err) + return + } + + log.Infoln("RESTful API tls listening at: %s", l.Addr().String()) + server := &http.Server{ + Handler: router(cfg.IsDebug, cfg.Secret, cfg.DohServer), + TLSConfig: &tls.Config{ + Certificates: []tls.Certificate{c}, + }, + } + if err = server.ServeTLS(l, "", ""); err != nil { + log.Errorln("External controller tls serve error: %s", err) + } + tlsServer = server + } +} + +func startUnix(cfg *Config) { + // first stop existing server + if unixServer != nil { + _ = unixServer.Close() + unixServer = nil + } + + // handle addr + if len(cfg.UnixAddr) > 0 { + addr := C.Path.Resolve(cfg.UnixAddr) + + dir := filepath.Dir(addr) + if _, err := os.Stat(dir); os.IsNotExist(err) { + if err := os.MkdirAll(dir, 0o755); err != nil { + log.Errorln("External controller unix listen error: %s", err) + return + } + } + + // https://devblogs.microsoft.com/commandline/af_unix-comes-to-windows/ + // + // Note: As mentioned above in the ‘security’ section, when a socket binds a socket to a valid pathname address, + // a socket file is created within the filesystem. On Linux, the application is expected to unlink + // (see the notes section in the man page for AF_UNIX) before any other socket can be bound to the same address. + // The same applies to Windows unix sockets, except that, DeleteFile (or any other file delete API) + // should be used to delete the socket file prior to calling bind with the same path. + _ = syscall.Unlink(addr) + + l, err := inbound.Listen("unix", addr) + if err != nil { log.Errorln("External controller unix listen error: %s", err) return } + log.Infoln("RESTful API unix listening at: %s", l.Addr().String()) + + server := &http.Server{ + Handler: router(cfg.IsDebug, "", cfg.DohServer), + } + if err = server.Serve(l); err != nil { + log.Errorln("External controller unix serve error: %s", err) + } + unixServer = server } - // https://devblogs.microsoft.com/commandline/af_unix-comes-to-windows/ - // - // Note: As mentioned above in the ‘security’ section, when a socket binds a socket to a valid pathname address, - // a socket file is created within the filesystem. On Linux, the application is expected to unlink - // (see the notes section in the man page for AF_UNIX) before any other socket can be bound to the same address. - // The same applies to Windows unix sockets, except that, DeleteFile (or any other file delete API) - // should be used to delete the socket file prior to calling bind with the same path. - _ = syscall.Unlink(addr) - - l, err := inbound.Listen("unix", addr) - if err != nil { - log.Errorln("External controller unix listen error: %s", err) - return - } - serverAddr = l.Addr().String() - log.Infoln("RESTful API unix listening at: %s", serverAddr) - - if err = http.Serve(l, router(isDebug, false, dohServer)); err != nil { - log.Errorln("External controller unix serve error: %s", err) - } } func setPrivateNetworkAccess(next http.Handler) http.Handler { @@ -210,38 +251,35 @@ func safeEuqal(a, b string) bool { return subtle.ConstantTimeCompare(aBuf, bBuf) == 1 } -func authentication(next http.Handler) http.Handler { - fn := func(w http.ResponseWriter, r *http.Request) { - if serverSecret == "" { - next.ServeHTTP(w, r) - return - } +func authentication(secret string) func(http.Handler) http.Handler { + return func(next http.Handler) http.Handler { + fn := func(w http.ResponseWriter, r *http.Request) { + // Browser websocket not support custom header + if r.Header.Get("Upgrade") == "websocket" && r.URL.Query().Get("token") != "" { + token := r.URL.Query().Get("token") + if !safeEuqal(token, secret) { + render.Status(r, http.StatusUnauthorized) + render.JSON(w, r, ErrUnauthorized) + return + } + next.ServeHTTP(w, r) + return + } - // Browser websocket not support custom header - if r.Header.Get("Upgrade") == "websocket" && r.URL.Query().Get("token") != "" { - token := r.URL.Query().Get("token") - if !safeEuqal(token, serverSecret) { + header := r.Header.Get("Authorization") + bearer, token, found := strings.Cut(header, " ") + + hasInvalidHeader := bearer != "Bearer" + hasInvalidSecret := !found || !safeEuqal(token, secret) + if hasInvalidHeader || hasInvalidSecret { render.Status(r, http.StatusUnauthorized) render.JSON(w, r, ErrUnauthorized) return } next.ServeHTTP(w, r) - return } - - header := r.Header.Get("Authorization") - bearer, token, found := strings.Cut(header, " ") - - hasInvalidHeader := bearer != "Bearer" - hasInvalidSecret := !found || !safeEuqal(token, serverSecret) - if hasInvalidHeader || hasInvalidSecret { - render.Status(r, http.StatusUnauthorized) - render.JSON(w, r, ErrUnauthorized) - return - } - next.ServeHTTP(w, r) + return http.HandlerFunc(fn) } - return http.HandlerFunc(fn) } func hello(w http.ResponseWriter, r *http.Request) { diff --git a/clash-meta/listener/sing_tun/server_android.go b/clash-meta/listener/sing_tun/server_android.go index bd5c4bd071..d8240534ed 100644 --- a/clash-meta/listener/sing_tun/server_android.go +++ b/clash-meta/listener/sing_tun/server_android.go @@ -1,3 +1,5 @@ +//go:build android && !cmfa + package sing_tun import ( diff --git a/clash-meta/listener/sing_tun/server_notandroid.go b/clash-meta/listener/sing_tun/server_notandroid.go index 6b30ee03b2..10fd3997b4 100644 --- a/clash-meta/listener/sing_tun/server_notandroid.go +++ b/clash-meta/listener/sing_tun/server_notandroid.go @@ -1,4 +1,4 @@ -//go:build !android +//go:build !android || cmfa package sing_tun diff --git a/clash-meta/main.go b/clash-meta/main.go index 06a04ca17b..c7a7acbc3b 100644 --- a/clash-meta/main.go +++ b/clash-meta/main.go @@ -135,7 +135,7 @@ func main() { return case <-hupSign: if cfg, err := executor.ParseWithPath(C.Path.Config()); err == nil { - executor.ApplyConfig(cfg, true) + hub.ApplyConfig(cfg) } else { log.Errorln("Parse config error: %s", err.Error()) } diff --git a/clash-nyanpasu/frontend/interface/package.json b/clash-nyanpasu/frontend/interface/package.json index 385424458e..e130b1c561 100644 --- a/clash-nyanpasu/frontend/interface/package.json +++ b/clash-nyanpasu/frontend/interface/package.json @@ -18,6 +18,6 @@ "swr": "2.2.5" }, "devDependencies": { - "@types/react": "18.3.4" + "@types/react": "18.3.5" } } diff --git a/clash-nyanpasu/frontend/nyanpasu/package.json b/clash-nyanpasu/frontend/nyanpasu/package.json index df5b4aa9c7..2e19227c26 100644 --- a/clash-nyanpasu/frontend/nyanpasu/package.json +++ b/clash-nyanpasu/frontend/nyanpasu/package.json @@ -29,7 +29,7 @@ "framer-motion": "12.0.0-alpha.0", "i18next": "23.14.0", "jotai": "2.9.3", - "material-react-table": "2.13.1", + "material-react-table": "2.13.2", "monaco-editor": "0.51.0", "mui-color-input": "4.0.0", "react": "18.3.1", @@ -43,20 +43,20 @@ "react-split-grid": "1.0.4", "react-use": "17.5.1", "swr": "2.2.5", - "virtua": "0.34.0" + "virtua": "0.34.1" }, "devDependencies": { "@csstools/normalize.css": "12.1.1", "@emotion/babel-plugin": "11.12.0", "@emotion/react": "11.13.3", "@iconify/json": "2.2.242", - "@types/react": "18.3.4", + "@types/react": "18.3.5", "@types/react-dom": "18.3.0", "@vitejs/plugin-react": "4.3.1", "@vitejs/plugin-react-swc": "3.7.0", "clsx": "2.1.1", "sass": "1.77.8", - "shiki": "1.14.1", + "shiki": "1.15.1", "tailwindcss-textshadow": "2.1.3", "unplugin-auto-import": "0.18.2", "unplugin-icons": "0.19.2", diff --git a/clash-nyanpasu/frontend/ui/package.json b/clash-nyanpasu/frontend/ui/package.json index f48703f3ec..fcb1de7b07 100644 --- a/clash-nyanpasu/frontend/ui/package.json +++ b/clash-nyanpasu/frontend/ui/package.json @@ -24,7 +24,7 @@ "@radix-ui/react-scroll-area": "1.1.0", "@tauri-apps/api": "1.6.0", "@types/d3": "7.4.3", - "@types/react": "18.3.4", + "@types/react": "18.3.5", "@vitejs/plugin-react": "4.3.1", "ahooks": "3.8.1", "d3": "7.9.0", diff --git a/clash-nyanpasu/manifest/version.json b/clash-nyanpasu/manifest/version.json index 7703baed72..86fd1e301b 100644 --- a/clash-nyanpasu/manifest/version.json +++ b/clash-nyanpasu/manifest/version.json @@ -2,7 +2,7 @@ "manifest_version": 1, "latest": { "mihomo": "v1.18.7", - "mihomo_alpha": "alpha-38fd371", + "mihomo_alpha": "alpha-08ac9a3", "clash_rs": "v0.3.0", "clash_premium": "2023-09-05-gdcc8d87" }, @@ -36,5 +36,5 @@ "darwin-x64": "clash-darwin-amd64-n{}.gz" } }, - "updated_at": "2024-08-29T22:20:32.104Z" + "updated_at": "2024-08-30T22:20:27.034Z" } diff --git a/clash-nyanpasu/package.json b/clash-nyanpasu/package.json index d08a775b45..7278c9e29e 100644 --- a/clash-nyanpasu/package.json +++ b/clash-nyanpasu/package.json @@ -80,7 +80,7 @@ "eslint-plugin-react": "7.35.0", "eslint-plugin-react-compiler": "0.0.0-experimental-f8a5409-20240829", "eslint-plugin-react-hooks": "4.6.2", - "knip": "5.27.4", + "knip": "5.28.0", "lint-staged": "15.2.9", "npm-run-all2": "6.2.2", "postcss": "8.4.41", diff --git a/clash-nyanpasu/pnpm-lock.yaml b/clash-nyanpasu/pnpm-lock.yaml index 9736fd564d..4b40c3cd78 100644 --- a/clash-nyanpasu/pnpm-lock.yaml +++ b/clash-nyanpasu/pnpm-lock.yaml @@ -98,8 +98,8 @@ importers: specifier: 4.6.2 version: 4.6.2(eslint@8.57.0) knip: - specifier: 5.27.4 - version: 5.27.4(@types/node@22.5.1)(typescript@5.5.4) + specifier: 5.28.0 + version: 5.28.0(@types/node@22.5.1)(typescript@5.5.4) lint-staged: specifier: 15.2.9 version: 15.2.9 @@ -246,8 +246,8 @@ importers: specifier: 2.9.3 version: 2.9.3(react@19.0.0-rc-e948a5ac-20240807)(types-react@19.0.0-rc.1) material-react-table: - specifier: 2.13.1 - version: 2.13.1(px6672jbssk23ndlae6ak2yfga) + specifier: 2.13.2 + version: 2.13.2(px6672jbssk23ndlae6ak2yfga) monaco-editor: specifier: 0.51.0 version: 0.51.0 @@ -288,8 +288,8 @@ importers: specifier: 2.2.5 version: 2.2.5(react@19.0.0-rc-e948a5ac-20240807) virtua: - specifier: 0.34.0 - version: 0.34.0(react-dom@19.0.0-rc-e948a5ac-20240807(react@19.0.0-rc-e948a5ac-20240807))(react@19.0.0-rc-e948a5ac-20240807) + specifier: 0.34.1 + version: 0.34.1(react-dom@19.0.0-rc-e948a5ac-20240807(react@19.0.0-rc-e948a5ac-20240807))(react@19.0.0-rc-e948a5ac-20240807) devDependencies: '@csstools/normalize.css': specifier: 12.1.1 @@ -322,8 +322,8 @@ importers: specifier: 1.77.8 version: 1.77.8 shiki: - specifier: 1.14.1 - version: 1.14.1 + specifier: 1.15.1 + version: 1.15.1 tailwindcss-textshadow: specifier: 2.1.3 version: 2.1.3 @@ -2048,8 +2048,8 @@ packages: '@rushstack/ts-command-line@4.22.3': resolution: {integrity: sha512-edMpWB3QhFFZ4KtSzS8WNjBgR4PXPPOVrOHMbb7kNpmQ1UFS9HdVtjCXg1H5fG+xYAbeE+TMPcVPUyX2p84STA==} - '@shikijs/core@1.14.1': - resolution: {integrity: sha512-KyHIIpKNaT20FtFPFjCQB5WVSTpLR/n+jQXhWHWVUMm9MaOaG9BGOG0MSyt7yA4+Lm+4c9rTc03tt3nYzeYSfw==} + '@shikijs/core@1.15.1': + resolution: {integrity: sha512-DwkQTDNlhr7PwZMJswdvWIKts+2mqjIn8txByr88fhBRBtUSsIQR43RRoATjRrbeu4hyNTSTMBdxgp/vlxnxvA==} '@sindresorhus/is@4.6.0': resolution: {integrity: sha512-t09vSN3MdfsyCHoFcTRCH/iUtG7OJ0CsjzB8cjAmKc/va/kIgeDI/TxsigdncE/4be734m0cvIYwNaV4i2XqAw==} @@ -2207,29 +2207,29 @@ packages: resolution: {integrity: sha512-4BAffykYOgO+5nzBWYwE3W90sBgLJoUPRWWcL8wlyiM8IB8ipJz3UMJ9KXQd1RKQXpKp8Tutn80HZtWsu2u76w==} engines: {node: '>=10'} - '@tanstack/match-sorter-utils@8.15.1': - resolution: {integrity: sha512-PnVV3d2poenUM31ZbZi/yXkBu3J7kd5k2u51CGwwNojag451AjTH9N6n41yjXz2fpLeewleyLBmNS6+HcGDlXw==} + '@tanstack/match-sorter-utils@8.19.4': + resolution: {integrity: sha512-Wo1iKt2b9OT7d+YGhvEPD3DXvPv2etTusIMhMUoG7fbhmxcXCtIjJDEygy91Y2JFlwGyjqiBPRozme7UD8hoqg==} engines: {node: '>=12'} - '@tanstack/react-table@8.19.3': - resolution: {integrity: sha512-MtgPZc4y+cCRtU16y1vh1myuyZ2OdkWgMEBzyjYsoMWMicKZGZvcDnub3Zwb6XF2pj9iRMvm1SO1n57lS0vXLw==} + '@tanstack/react-table@8.20.5': + resolution: {integrity: sha512-WEHopKw3znbUZ61s9i0+i9g8drmDo6asTWbrQh8Us63DAk/M0FkmIqERew6P71HI75ksZ2Pxyuf4vvKh9rAkiA==} engines: {node: '>=12'} peerDependencies: react: npm:react@rc react-dom: npm:react-dom@rc - '@tanstack/react-virtual@3.8.3': - resolution: {integrity: sha512-9ICwbDUUzN99CJIGc373i8NLoj6zFTKI2Hlcmo0+lCSAhPQ5mxq4dGOMKmLYoEFyHcGQ64Bd6ZVbnPpM6lNK5w==} + '@tanstack/react-virtual@3.10.6': + resolution: {integrity: sha512-xaSy6uUxB92O8mngHZ6CvbhGuqxQ5lIZWCBy+FjhrbHmOwc6BnOnKkYm2FsB1/BpKw/+FVctlMbEtI+F6I1aJg==} peerDependencies: react: npm:react@rc react-dom: npm:react-dom@rc - '@tanstack/table-core@8.19.3': - resolution: {integrity: sha512-IqREj9ADoml9zCAouIG/5kCGoyIxPFdqdyoxis9FisXFi5vT+iYfEfLosq4xkU/iDbMcEuAj+X8dWRLvKYDNoQ==} + '@tanstack/table-core@8.20.5': + resolution: {integrity: sha512-P9dF7XbibHph2PFRz8gfBKEXEY/HJPOhym8CHmjF8y3q5mWpKx9xtZapXQUWCgkqvsK0R46Azuz+VaxD4Xl+Tg==} engines: {node: '>=12'} - '@tanstack/virtual-core@3.8.3': - resolution: {integrity: sha512-vd2A2TnM5lbnWZnHi9B+L2gPtkSeOtJOAw358JqokIH1+v2J7vUAzFVPwB/wrye12RFOurffXu33plm4uQ+JBQ==} + '@tanstack/virtual-core@3.10.6': + resolution: {integrity: sha512-1giLc4dzgEKLMx5pgKjL6HlG5fjZMgCjzlKAlpr7yoUtetVPELgER1NtephAI910nMwfPTHNyWKSFmJdHkz2Cw==} '@taplo/core@0.1.1': resolution: {integrity: sha512-BG/zLGf5wiNXGEVPvUAAX/4ilB3PwDUY2o0MV0y47mZbDZ9ad9UK/cIQsILat3bqbPJsALVbU6k3cskNZ3vAQg==} @@ -4623,8 +4623,8 @@ packages: resolution: {integrity: sha512-dcS1ul+9tmeD95T+x28/ehLgd9mENa3LsvDTtzm3vyBEO7RPptvAD+t44WVXaUjTBRcrpFeFlC8WCruUR456hw==} engines: {node: '>=0.10.0'} - knip@5.27.4: - resolution: {integrity: sha512-7t1yqIKxaVGYD1cLI4raVLWi9cNqv+JNbngc8mgvTVJbomnxOg1pjxgCGEztB7eVgD+6VEwf7Jg5WHXzk+Kbpw==} + knip@5.28.0: + resolution: {integrity: sha512-3nlqKCHFCfXp4VDP570ly7HLCyIM3JyLM+msr2l3HtQJ1NeraBrj6AQE80SFIyu8nOJZZpiZQWmiXq5RSczqsQ==} engines: {node: '>=18.6.0'} hasBin: true peerDependencies: @@ -4778,8 +4778,8 @@ packages: resolution: {integrity: sha512-OkeDaAZ/bQCxeFAozM55PKcKU0yJMPGifLwV4Qgjitu+5MoAfSQN4lsLJeXZ1b8w0x+/Emda6MZgXS1jvsapng==} engines: {node: '>=10'} - material-react-table@2.13.1: - resolution: {integrity: sha512-3iWwCa24ogxwllP4+W11euR/GV6f5wQE5FEilJ72/H3hDYHgsN+XehANytaG0G7/qy/OWYE7oXkcsRUU35I/iA==} + material-react-table@2.13.2: + resolution: {integrity: sha512-8q2Jq723rqCNNxZ9yKZOBU9A2EzcdjT/6IQIXoigRZO2IUROEhcv5bvg8Sqojz+Au5bNQJ8f7RNzSP1UOzirNA==} engines: {node: '>=16'} peerDependencies: '@emotion/react': '>=11.11' @@ -5927,8 +5927,8 @@ packages: shell-quote@1.8.1: resolution: {integrity: sha512-6j1W9l1iAs/4xYBI1SYOVZyFcCis9b4KCLQ8fgAGG07QvzaRLVVRQvAy85yNmmZSjYjg4MWh4gNvlPujU/5LpA==} - shiki@1.14.1: - resolution: {integrity: sha512-FujAN40NEejeXdzPt+3sZ3F2dx1U24BY2XTY01+MG8mbxCiA2XukXdcbyMyLAHJ/1AUUnQd1tZlvIjefWWEJeA==} + shiki@1.15.1: + resolution: {integrity: sha512-QPtVwbafyHmH9Z90iEZgZL4BhqFh5RMnRq2Bic0Cqp5lgbpbkn4nNmed0zzXbh/yPFs2PpkCviM9qcrbN+9zAA==} side-channel@1.0.6: resolution: {integrity: sha512-fDW/EZ6Q9RiO8eFG8Hj+7u/oW+XrPTIChwCOM2+th2A6OblDtYYIpve9m+KvI9Z4C9qSEXlaGR6bTEYHReuglA==} @@ -6557,8 +6557,8 @@ packages: vfile@6.0.1: resolution: {integrity: sha512-1bYqc7pt6NIADBJ98UiG0Bn/CHIVOoZ/IyEkqIruLg0mE1BKzkOXY2D6CSqQIcKqgadppE5lrxgWXJmXd7zZJw==} - virtua@0.34.0: - resolution: {integrity: sha512-tcIehi5MXW5TrJyPiwZXyPIquw5lSNMBlFVwZMomnuwn4bsTx3T2FB7knfY1VB53T9poGd9OPX3zpqh7gu1WyQ==} + virtua@0.34.1: + resolution: {integrity: sha512-8KrAoZboqvMdAjtaaODJQrsKNFhsf1mgGF1tmWRh5J0PTgeBCG9Mci/rep/YT3A7CbiTfdq+yThJ2SbatqZ+Ug==} peerDependencies: react: npm:react@rc react-dom: npm:react-dom@rc @@ -8341,7 +8341,7 @@ snapshots: transitivePeerDependencies: - '@types/node' - '@shikijs/core@1.14.1': + '@shikijs/core@1.15.1': dependencies: '@types/hast': 3.0.4 @@ -8479,25 +8479,25 @@ snapshots: dependencies: defer-to-connect: 2.0.1 - '@tanstack/match-sorter-utils@8.15.1': + '@tanstack/match-sorter-utils@8.19.4': dependencies: remove-accents: 0.5.0 - '@tanstack/react-table@8.19.3(react-dom@19.0.0-rc-e948a5ac-20240807(react@19.0.0-rc-e948a5ac-20240807))(react@19.0.0-rc-e948a5ac-20240807)': + '@tanstack/react-table@8.20.5(react-dom@19.0.0-rc-e948a5ac-20240807(react@19.0.0-rc-e948a5ac-20240807))(react@19.0.0-rc-e948a5ac-20240807)': dependencies: - '@tanstack/table-core': 8.19.3 + '@tanstack/table-core': 8.20.5 react: 19.0.0-rc-e948a5ac-20240807 react-dom: 19.0.0-rc-e948a5ac-20240807(react@19.0.0-rc-e948a5ac-20240807) - '@tanstack/react-virtual@3.8.3(react-dom@19.0.0-rc-e948a5ac-20240807(react@19.0.0-rc-e948a5ac-20240807))(react@19.0.0-rc-e948a5ac-20240807)': + '@tanstack/react-virtual@3.10.6(react-dom@19.0.0-rc-e948a5ac-20240807(react@19.0.0-rc-e948a5ac-20240807))(react@19.0.0-rc-e948a5ac-20240807)': dependencies: - '@tanstack/virtual-core': 3.8.3 + '@tanstack/virtual-core': 3.10.6 react: 19.0.0-rc-e948a5ac-20240807 react-dom: 19.0.0-rc-e948a5ac-20240807(react@19.0.0-rc-e948a5ac-20240807) - '@tanstack/table-core@8.19.3': {} + '@tanstack/table-core@8.20.5': {} - '@tanstack/virtual-core@3.8.3': {} + '@tanstack/virtual-core@3.10.6': {} '@taplo/core@0.1.1': {} @@ -11169,7 +11169,7 @@ snapshots: kind-of@6.0.3: {} - knip@5.27.4(@types/node@22.5.1)(typescript@5.5.4): + knip@5.28.0(@types/node@22.5.1)(typescript@5.5.4): dependencies: '@nodelib/fs.walk': 1.2.8 '@snyk/github-codeowners': 1.1.0 @@ -11346,16 +11346,16 @@ snapshots: escape-string-regexp: 4.0.0 optional: true - material-react-table@2.13.1(px6672jbssk23ndlae6ak2yfga): + material-react-table@2.13.2(px6672jbssk23ndlae6ak2yfga): dependencies: '@emotion/react': 11.13.3(react@19.0.0-rc-e948a5ac-20240807)(types-react@19.0.0-rc.1) '@emotion/styled': 11.13.0(@emotion/react@11.13.3(react@19.0.0-rc-e948a5ac-20240807)(types-react@19.0.0-rc.1))(react@19.0.0-rc-e948a5ac-20240807)(types-react@19.0.0-rc.1) '@mui/icons-material': 5.16.7(@mui/material@5.16.7(@emotion/react@11.13.3(react@19.0.0-rc-e948a5ac-20240807)(types-react@19.0.0-rc.1))(@emotion/styled@11.13.0(@emotion/react@11.13.3(react@19.0.0-rc-e948a5ac-20240807)(types-react@19.0.0-rc.1))(react@19.0.0-rc-e948a5ac-20240807)(types-react@19.0.0-rc.1))(react@19.0.0-rc-e948a5ac-20240807)(types-react@19.0.0-rc.1))(react@19.0.0-rc-e948a5ac-20240807)(types-react@19.0.0-rc.1) '@mui/material': 5.16.7(@emotion/react@11.13.3(react@19.0.0-rc-e948a5ac-20240807)(types-react@19.0.0-rc.1))(@emotion/styled@11.13.0(@emotion/react@11.13.3(react@19.0.0-rc-e948a5ac-20240807)(types-react@19.0.0-rc.1))(react@19.0.0-rc-e948a5ac-20240807)(types-react@19.0.0-rc.1))(react-dom@19.0.0-rc-e948a5ac-20240807(react@19.0.0-rc-e948a5ac-20240807))(react@19.0.0-rc-e948a5ac-20240807)(types-react@19.0.0-rc.1) '@mui/x-date-pickers': 7.9.0(@emotion/react@11.13.3(react@19.0.0-rc-e948a5ac-20240807)(types-react@19.0.0-rc.1))(@emotion/styled@11.13.0(@emotion/react@11.13.3(react@19.0.0-rc-e948a5ac-20240807)(types-react@19.0.0-rc.1))(react@19.0.0-rc-e948a5ac-20240807)(types-react@19.0.0-rc.1))(@mui/material@5.16.7(@emotion/react@11.13.3(react@19.0.0-rc-e948a5ac-20240807)(types-react@19.0.0-rc.1))(@emotion/styled@11.13.0(@emotion/react@11.13.3(react@19.0.0-rc-e948a5ac-20240807)(types-react@19.0.0-rc.1))(react@19.0.0-rc-e948a5ac-20240807)(types-react@19.0.0-rc.1))(react-dom@19.0.0-rc-e948a5ac-20240807(react@19.0.0-rc-e948a5ac-20240807))(react@19.0.0-rc-e948a5ac-20240807)(types-react@19.0.0-rc.1))(dayjs@1.11.13)(react-dom@19.0.0-rc-e948a5ac-20240807(react@19.0.0-rc-e948a5ac-20240807))(react@19.0.0-rc-e948a5ac-20240807)(types-react@19.0.0-rc.1) - '@tanstack/match-sorter-utils': 8.15.1 - '@tanstack/react-table': 8.19.3(react-dom@19.0.0-rc-e948a5ac-20240807(react@19.0.0-rc-e948a5ac-20240807))(react@19.0.0-rc-e948a5ac-20240807) - '@tanstack/react-virtual': 3.8.3(react-dom@19.0.0-rc-e948a5ac-20240807(react@19.0.0-rc-e948a5ac-20240807))(react@19.0.0-rc-e948a5ac-20240807) + '@tanstack/match-sorter-utils': 8.19.4 + '@tanstack/react-table': 8.20.5(react-dom@19.0.0-rc-e948a5ac-20240807(react@19.0.0-rc-e948a5ac-20240807))(react@19.0.0-rc-e948a5ac-20240807) + '@tanstack/react-virtual': 3.10.6(react-dom@19.0.0-rc-e948a5ac-20240807(react@19.0.0-rc-e948a5ac-20240807))(react@19.0.0-rc-e948a5ac-20240807) highlight-words: 1.2.2 react: 19.0.0-rc-e948a5ac-20240807 react-dom: 19.0.0-rc-e948a5ac-20240807(react@19.0.0-rc-e948a5ac-20240807) @@ -12583,9 +12583,9 @@ snapshots: shell-quote@1.8.1: {} - shiki@1.14.1: + shiki@1.15.1: dependencies: - '@shikijs/core': 1.14.1 + '@shikijs/core': 1.15.1 '@types/hast': 3.0.4 side-channel@1.0.6: @@ -13374,7 +13374,7 @@ snapshots: unist-util-stringify-position: 4.0.0 vfile-message: 4.0.2 - virtua@0.34.0(react-dom@19.0.0-rc-e948a5ac-20240807(react@19.0.0-rc-e948a5ac-20240807))(react@19.0.0-rc-e948a5ac-20240807): + virtua@0.34.1(react-dom@19.0.0-rc-e948a5ac-20240807(react@19.0.0-rc-e948a5ac-20240807))(react@19.0.0-rc-e948a5ac-20240807): optionalDependencies: react: 19.0.0-rc-e948a5ac-20240807 react-dom: 19.0.0-rc-e948a5ac-20240807(react@19.0.0-rc-e948a5ac-20240807) diff --git a/filebrowser/CHANGELOG.md b/filebrowser/CHANGELOG.md index e1d3df9a9f..d173411e42 100644 --- a/filebrowser/CHANGELOG.md +++ b/filebrowser/CHANGELOG.md @@ -2,6 +2,18 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +### [2.31.1](https://github.com/filebrowser/filebrowser/compare/v2.31.0...v2.31.1) (2024-08-30) + + +### Bug Fixes + +* command not found in shell ([#3438](https://github.com/filebrowser/filebrowser/issues/3438)) ([121d9ab](https://github.com/filebrowser/filebrowser/commit/121d9abecdc7d4e923cfc5023519995938a6ccae)) + + +### Build + +* update to alpine 3.20 ([#3447](https://github.com/filebrowser/filebrowser/issues/3447)) ([7de6bc4](https://github.com/filebrowser/filebrowser/commit/7de6bc4a912b5734dd0df02ed8391e78619e2615)) + ## [2.31.0](https://github.com/filebrowser/filebrowser/compare/v2.30.0...v2.31.0) (2024-08-29) diff --git a/filebrowser/Dockerfile.s6 b/filebrowser/Dockerfile.s6 index 233feb22ba..63c43018af 100644 --- a/filebrowser/Dockerfile.s6 +++ b/filebrowser/Dockerfile.s6 @@ -1,4 +1,4 @@ -FROM ghcr.io/linuxserver/baseimage-alpine:3.17 +FROM ghcr.io/linuxserver/baseimage-alpine:3.20 RUN apk --update add ca-certificates \ mailcap \ diff --git a/filebrowser/Dockerfile.s6.aarch64 b/filebrowser/Dockerfile.s6.aarch64 index d7f3dcee9e..752e3ed3f8 100644 --- a/filebrowser/Dockerfile.s6.aarch64 +++ b/filebrowser/Dockerfile.s6.aarch64 @@ -1,4 +1,4 @@ -FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.17 +FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.20 RUN apk --update add ca-certificates \ mailcap \ diff --git a/filebrowser/Dockerfile.s6.armhf b/filebrowser/Dockerfile.s6.armhf deleted file mode 100644 index 17bd1def22..0000000000 --- a/filebrowser/Dockerfile.s6.armhf +++ /dev/null @@ -1,16 +0,0 @@ -FROM ghcr.io/linuxserver/baseimage-alpine:arm32v7-3.17 - -RUN apk --update add ca-certificates \ - mailcap \ - curl - -HEALTHCHECK --start-period=2s --interval=5s --timeout=3s \ - CMD curl -f http://localhost/health || exit 1 - -# copy local files -COPY docker/root/ / -COPY filebrowser /usr/bin/filebrowser - -# ports and volumes -VOLUME /srv /config /database -EXPOSE 80 \ No newline at end of file diff --git a/filebrowser/docker/root/etc/cont-init.d/20-config b/filebrowser/docker/root/etc/cont-init.d/20-config old mode 100644 new mode 100755 diff --git a/filebrowser/docker/root/etc/services.d/filebrowser/run b/filebrowser/docker/root/etc/services.d/filebrowser/run old mode 100644 new mode 100755 diff --git a/filebrowser/runner/parser.go b/filebrowser/runner/parser.go index 65891f5f16..6fd64a4b64 100644 --- a/filebrowser/runner/parser.go +++ b/filebrowser/runner/parser.go @@ -12,7 +12,7 @@ import ( func ParseCommand(s *settings.Settings, raw string) ([]string, error) { var command []string - if len(s.Shell) == 0 { + if len(s.Shell) == 0 || s.Shell[0] == "" { cmd, args, err := SplitCommandAndArgs(raw) if err != nil { return nil, err diff --git a/geoip/configuration.md b/geoip/configuration.md index 2b225dd8f5..b25bf45d9a 100644 --- a/geoip/configuration.md +++ b/geoip/configuration.md @@ -570,10 +570,11 @@ - **type**:(必须)输入格式的名称 - **action**:(必须)操作类型,值为 `add`(添加 IP 地址)或 `remove`(移除 IP 地址) - **args**:(必须) - - **name**:类别名称。(不能与 `inputDir` 同时使用;需要与 `uri` 同时使用) - - **uri**:纯文本 txt 文件路径,可为本地文件路径或远程 `http`、`https` 文件 URL。(不能与 `inputDir` 同时使用;需要与 `name` 同时使用) - - **inputDir**:需要遍历的输入目录(不遍历子目录)。(遍历的文件名作为类别名称;不能与 `name` 和 `uri` 同时使用) - - **wantedList**:(可选,数组)指定需要的类别/文件。(与 `inputDir` 同时使用) + - **name**:(可选)类别名称。(不能与 `inputDir` 同时使用;需要与 `uri` 或 `ipOrCIDR` 同时使用) + - **uri**:(可选)纯文本 txt 文件路径,可为本地文件路径或远程 `http`、`https` 文件 URL。(不能与 `inputDir` 同时使用;需要与 `name` 同时使用;可与 `ipOrCIDR` 同时使用) + - **ipOrCIDR**:(可选,数组)纯文本 IP 地址或 CIDR。(不能与 `inputDir` 同时使用;需要与 `name` 同时使用;可与 `uri` 同时使用) + - **inputDir**:(可选)需要遍历的输入目录(不遍历子目录)。(遍历的文件名作为类别名称;不能与 `name`、`uri` 和 `ipOrCIDR` 同时使用) + - **wantedList**:(可选,数组)指定需要的文件。(与 `inputDir` 同时使用) - **onlyIPType**:(可选)只处理的 IP 地址类型,值为 `ipv4` 或 `ipv6` - **removePrefixesInLine**:(可选,数组)每一行需要移除的字符串前缀 - **removeSuffixesInLine**:(可选,数组)每一行需要移除的字符串后缀 @@ -591,6 +592,40 @@ } ``` +```jsonc +{ + "type": "text", + "action": "add", // 添加 IP 地址 + "args": { + "name": "cn", + "ipOrCIDR": ["1.0.0.1", "1.0.0.1/24"] // 添加 IP 或 CIDR 到 cn 类别 + } +} +``` + +```jsonc +{ + "type": "text", + "action": "remove", // 移除 IP 地址 + "args": { + "name": "cn", + "ipOrCIDR": ["1.0.0.1", "1.0.0.1/24"] // 从 cn 类别移除 IP 或 CIDR + } +} +``` + +```jsonc +{ + "type": "text", + "action": "add", // 添加 IP 地址 + "args": { + "name": "cn", + "uri": "./cn.txt", // 读取本地文件 cn.txt 的 IPv4 和 IPv6 地址,并添加到 cn 类别中 + "ipOrCIDR": ["1.0.0.1", "1.0.0.1/24"] // 添加 IP 或 CIDR 到 cn 类别 + } +} +``` + ```jsonc { "type": "text", diff --git a/geoip/go.mod b/geoip/go.mod index 1cb36da92a..10d17b92f7 100644 --- a/geoip/go.mod +++ b/geoip/go.mod @@ -1,44 +1,44 @@ module github.com/Loyalsoldier/geoip -go 1.21 +go 1.22 -toolchain go1.21.10 +toolchain go1.22.6 require ( github.com/klauspost/compress v1.17.9 github.com/maxmind/mmdbwriter v1.0.0 github.com/oschwald/maxminddb-golang v1.13.1 - github.com/sagernet/sing-box v1.9.3 + github.com/sagernet/sing-box v1.9.4 github.com/spf13/cobra v1.8.1 github.com/tidwall/gjson v1.17.3 - github.com/v2fly/v2ray-core/v5 v5.16.1 + github.com/v2fly/v2ray-core/v5 v5.17.1 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba google.golang.org/protobuf v1.34.2 gopkg.in/yaml.v2 v2.4.0 ) require ( - github.com/adrg/xdg v0.4.0 // indirect + github.com/adrg/xdg v0.5.0 // indirect github.com/golang/protobuf v1.5.4 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/kr/text v0.2.0 // indirect - github.com/miekg/dns v1.1.59 // indirect + github.com/miekg/dns v1.1.62 // indirect github.com/pelletier/go-toml v1.9.5 // indirect github.com/pires/go-proxyproto v0.7.0 // indirect - github.com/quic-go/quic-go v0.43.0 // indirect - github.com/sagernet/sing v0.4.1 // indirect - github.com/sagernet/sing-dns v0.2.0 // indirect + github.com/quic-go/quic-go v0.46.0 // indirect + github.com/sagernet/sing v0.4.2 // indirect + github.com/sagernet/sing-dns v0.2.3 // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/tidwall/match v1.1.1 // indirect github.com/tidwall/pretty v1.2.0 // indirect go.starlark.net v0.0.0-20230612165344-9532f5667272 // indirect - golang.org/x/crypto v0.23.0 // indirect - golang.org/x/mod v0.17.0 // indirect - golang.org/x/net v0.25.0 // indirect - golang.org/x/sync v0.7.0 // indirect - golang.org/x/sys v0.21.0 // indirect - golang.org/x/text v0.15.0 // indirect - golang.org/x/tools v0.21.0 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de // indirect + golang.org/x/crypto v0.26.0 // indirect + golang.org/x/mod v0.18.0 // indirect + golang.org/x/net v0.28.0 // indirect + golang.org/x/sync v0.8.0 // indirect + golang.org/x/sys v0.24.0 // indirect + golang.org/x/text v0.17.0 // indirect + golang.org/x/tools v0.22.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/geoip/go.sum b/geoip/go.sum index 054d58a4b5..7b013a9404 100644 --- a/geoip/go.sum +++ b/geoip/go.sum @@ -1,7 +1,7 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/adrg/xdg v0.4.0 h1:RzRqFcjH4nE5C6oTAxhBtoE2IRyjBSa62SCbyPidvls= -github.com/adrg/xdg v0.4.0/go.mod h1:N6ag73EX4wyxeaoeHctc1mas01KZgsj5tYiAIwqJE/E= +github.com/adrg/xdg v0.5.0 h1:dDaZvhMXatArP1NPHhnfaQUqWBLBsmx1h1HXQdMoFCY= +github.com/adrg/xdg v0.5.0/go.mod h1:dDdY4M4DF9Rjy4kHPeNL+ilVF+p2lK8IdM9/rTSGcI4= github.com/aead/cmac v0.0.0-20160719120800-7af84192f0b1 h1:+JkXLHME8vLJafGhOH4aoV2Iu8bR55nU6iKMVfYVLjY= github.com/aead/cmac v0.0.0-20160719120800-7af84192f0b1/go.mod h1:nuudZmJhzWtx2212z+pkuy7B6nkBqa+xwNXZHL1j8cg= github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU= @@ -21,7 +21,6 @@ github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vc github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA= github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dgryski/go-metro v0.0.0-20211217172704-adc40b04c140 h1:y7y0Oa6UawqTFPCDw9JG6pdKt4F9pAhHv0B7FMGaGD0= @@ -32,8 +31,8 @@ github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.m github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uqxgUFjbI0= github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk= -github.com/go-chi/chi/v5 v5.0.12 h1:9euLV5sTrTNTRUU9POmDUvfxyj6LAABLUcEWO+JJb4s= -github.com/go-chi/chi/v5 v5.0.12/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= +github.com/go-chi/chi/v5 v5.1.0 h1:acVI1TYaD+hhedDJ3r54HyA6sExp3HfXq7QWEEY/xMw= +github.com/go-chi/chi/v5 v5.1.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4= github.com/go-chi/render v1.0.3/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0= github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= @@ -42,10 +41,12 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY= github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY= github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY= -github.com/go-playground/validator/v10 v10.20.0 h1:K9ISHbSaI0lyB2eWMPJo+kOS/FBExVwjEviJTixqxL8= -github.com/go-playground/validator/v10 v10.20.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM= +github.com/go-playground/validator/v10 v10.22.0 h1:k6HsTZ0sTnROkhS//R0O+55JgM8C4Bx7ia+JlgcnOao= +github.com/go-playground/validator/v10 v10.22.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= +github.com/golang-collections/go-datastructures v0.0.0-20150211160725-59788d5eb259 h1:ZHJ7+IGpuOXtVf6Zk/a3WuHQgkC+vXwaqfUBDFwahtI= +github.com/golang-collections/go-datastructures v0.0.0-20150211160725-59788d5eb259/go.mod h1:9Qcha0gTWLw//0VNka1Cbnjvg3pNKGFdAm7E9sBabxE= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc= @@ -74,8 +75,8 @@ github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo= github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a h1:fEBsGL/sjAuJrgah5XqmmYsTLzJp/TO9Lhy39gkverk= github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= -github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY= -github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY= +github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg= +github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jhump/protoreflect v1.16.0 h1:54fZg+49widqXYQ0b+usAFHbMkBGR4PpXrsHc8+TBDg= @@ -94,8 +95,8 @@ github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 h1:EnfXoSqDfSNJv0 github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40/go.mod h1:vy1vK6wD6j7xX6O6hXe621WabdtNkou2h7uRtTfRMyg= github.com/maxmind/mmdbwriter v1.0.0 h1:bieL4P6yaYaHvbtLSwnKtEvScUKKD6jcKaLiTM3WSMw= github.com/maxmind/mmdbwriter v1.0.0/go.mod h1:noBMCUtyN5PUQ4H8ikkOvGSHhzhLok51fON2hcrpKj8= -github.com/miekg/dns v1.1.59 h1:C9EXc/UToRwKLhK5wKU/I4QVsBUc8kE6MkHBkeypWZs= -github.com/miekg/dns v1.1.59/go.mod h1:nZpewl5p6IvctfgrckopVx2OlSEHPRO/U4SYkRklrEk= +github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ= +github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ= github.com/mustafaturan/bus v1.0.2 h1:2x3ErwZ0uUPwwZ5ZZoknEQprdaxr68Yl3mY8jDye1Ws= github.com/mustafaturan/bus v1.0.2/go.mod h1:h7gfehm8TThv4Dcaa+wDQG7r7j6p74v+7ftr0Rq9i1Q= github.com/mustafaturan/monoton v1.0.0 h1:8SCej+JiNn0lyps7V+Jzc1CRAkDR4EZPWrTupQ61YCQ= @@ -112,16 +113,16 @@ github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaR github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ= github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8= github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= -github.com/pion/dtls/v2 v2.2.7 h1:cSUBsETxepsCSFSxC3mc/aDo14qQLMSL+O6IjG28yV8= -github.com/pion/dtls/v2 v2.2.7/go.mod h1:8WiMkebSHFD0T+dIU+UeBaoV7kDhOW5oDCzZ7WZ/F9s= +github.com/pion/dtls/v2 v2.2.12 h1:KP7H5/c1EiVAAKUmXyCzPiQe5+bCJrpOeKg/L05dunk= +github.com/pion/dtls/v2 v2.2.12/go.mod h1:d9SYc9fch0CqK90mRk1dC7AkzzpwJj6u2GU3u+9pqFE= github.com/pion/logging v0.2.2 h1:M9+AIj/+pxNsDfAT64+MAVgJO0rsyLnoJKCqf//DoeY= github.com/pion/logging v0.2.2/go.mod h1:k0/tDVsRCX2Mb2ZEmTqNa7CWsQPc+YYCB7Q+5pahoms= github.com/pion/randutil v0.1.0 h1:CFG1UdESneORglEsnimhUjf33Rwjubwj6xfiOXBa3mA= github.com/pion/randutil v0.1.0/go.mod h1:XcJrSMMbbMRhASFVOlj/5hQial/Y8oH/HVo7TBZq+j8= github.com/pion/sctp v1.8.7 h1:JnABvFakZueGAn4KU/4PSKg+GWbF6QWbKTWZOSGJjXw= github.com/pion/sctp v1.8.7/go.mod h1:g1Ul+ARqZq5JEmoFy87Q/4CePtKnTJ1QCL9dBBdN6AU= -github.com/pion/transport/v2 v2.2.5 h1:iyi25i/21gQck4hfRhomF6SktmUQjRsRW4WJdhfc3Kc= -github.com/pion/transport/v2 v2.2.5/go.mod h1:q2U/tf9FEfnSBGSW6w5Qp5PFWRLRj3NjLhCCgpRK4p0= +github.com/pion/transport/v2 v2.2.10 h1:ucLBLE8nuxiHfvkFKnkDQRYWYfp8ejf4YBOPfaQpw6Q= +github.com/pion/transport/v2 v2.2.10/go.mod h1:sq1kSLWs+cHW9E+2fJP95QudkzbK7wscs8yYgQToO5E= github.com/pires/go-proxyproto v0.7.0 h1:IukmRewDQFWC7kfnb66CSomk2q/seBuilHBYFwyq0Hs= github.com/pires/go-proxyproto v0.7.0/go.mod h1:Vz/1JPY/OACxWGQNIRY2BeyDmpoaWmEP40O9LbuiFR4= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= @@ -131,21 +132,21 @@ github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo= github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A= github.com/quic-go/qtls-go1-20 v0.4.1 h1:D33340mCNDAIKBqXuAvexTNMUByrYmFYVfKfDN5nfFs= github.com/quic-go/qtls-go1-20 v0.4.1/go.mod h1:X9Nh97ZL80Z+bX/gUXMbipO6OxdiDi58b/fMC9mAL+k= -github.com/quic-go/quic-go v0.43.0 h1:sjtsTKWX0dsHpuMJvLxGqoQdtgJnbAPWY+W+5vjYW/g= -github.com/quic-go/quic-go v0.43.0/go.mod h1:132kz4kL3F9vxhW3CtQJLDVwcFe5wdWeJXXijhsO57M= -github.com/refraction-networking/utls v1.6.5 h1:Jlfqgs/t1Uy6FHHQ8Fz9ZTrRmP/zS7d/NZw7BLahaL8= -github.com/refraction-networking/utls v1.6.5/go.mod h1:BC3O4vQzye5hqpmDTWUqi4P5DDhzJfkV1tdqtawQIH0= +github.com/quic-go/quic-go v0.46.0 h1:uuwLClEEyk1DNvchH8uCByQVjo3yKL9opKulExNDs7Y= +github.com/quic-go/quic-go v0.46.0/go.mod h1:1dLehS7TIR64+vxGR70GDcatWTOtMX2PUtnKsjbTurI= +github.com/refraction-networking/utls v1.6.7 h1:zVJ7sP1dJx/WtVuITug3qYUq034cDq9B2MR1K67ULZM= +github.com/refraction-networking/utls v1.6.7/go.mod h1:BC3O4vQzye5hqpmDTWUqi4P5DDhzJfkV1tdqtawQIH0= github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3 h1:f/FNXud6gA3MNr8meMVVGxhp+QBTqY91tM8HjEuMjGg= github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3/go.mod h1:HgjTstvQsPGkxUsCd2KWxErBblirPizecHcpD3ffK+s= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/sagernet/quic-go v0.43.1-beta.2 h1:6YRCE9t1Q3UbNX1/dJGqpwFQbh6DXC6XBrQr2xp6hXY= -github.com/sagernet/quic-go v0.43.1-beta.2/go.mod h1:BkrQYeop7Jx3hN3TW8/76CXcdhYiNPyYEBL/BVJ1ifc= -github.com/sagernet/sing v0.4.1 h1:zVlpE+7k7AFoC2pv6ReqLf0PIHjihL/jsBl5k05PQFk= -github.com/sagernet/sing v0.4.1/go.mod h1:ieZHA/+Y9YZfXs2I3WtuwgyCZ6GPsIR7HdKb1SdEnls= -github.com/sagernet/sing-box v1.9.3 h1:jXiAqQRzBeXCSLTTl0Z92OLs5GkVotsdiNRVATZWpoY= -github.com/sagernet/sing-box v1.9.3/go.mod h1:6Rx5nzbqIfN7HlUaHgO/IdkP7fDPPQ/U/TAC5asEjSM= -github.com/sagernet/sing-dns v0.2.0 h1:dka3weRX6+CrYO3v+hrTy2z68rCOCZXNBiNXpLZ6JNs= -github.com/sagernet/sing-dns v0.2.0/go.mod h1:BJpJv6XLnrUbSyIntOT6DG9FW0f4fETmPAHvNjOprLg= +github.com/sagernet/quic-go v0.46.0-beta.4 h1:k9f7VSKaM47AY6MPND0Qf1KRN7HwimPg9zdOFTXTiCk= +github.com/sagernet/quic-go v0.46.0-beta.4/go.mod h1:zJmVdJUNqEDXfubf4KtIOUHHerggjBduiGRLNzJspcM= +github.com/sagernet/sing v0.4.2 h1:jzGNJdZVRI0xlAfFugsIQUPvyB9SuWvbJK7zQCXc4QM= +github.com/sagernet/sing v0.4.2/go.mod h1:ieZHA/+Y9YZfXs2I3WtuwgyCZ6GPsIR7HdKb1SdEnls= +github.com/sagernet/sing-box v1.9.4 h1:Sf2JffjKvcG2a2+YWPOP0NiCOqpu2iPU12RkpZ0PhaM= +github.com/sagernet/sing-box v1.9.4/go.mod h1:DGX0xLYqlQa36DX1PTWJBh6EnChI1hUyzwoJUObhlW4= +github.com/sagernet/sing-dns v0.2.3 h1:YzeBUn2tR38F7HtvGEQ0kLRLmZWMEgi/+7wqa4Twb1k= +github.com/sagernet/sing-dns v0.2.3/go.mod h1:BJpJv6XLnrUbSyIntOT6DG9FW0f4fETmPAHvNjOprLg= github.com/secure-io/siv-go v0.0.0-20180922214919-5ff40651e2c4 h1:zOjq+1/uLzn/Xo40stbvjIY/yehG0+mfmlsiEmc0xmQ= github.com/secure-io/siv-go v0.0.0-20180922214919-5ff40651e2c4/go.mod h1:aI+8yClBW+1uovkHw6HM01YXnYB8vohtB9C83wzx34E= github.com/seiflotfy/cuckoofilter v0.0.0-20220411075957-e3b120b3f5fb h1:XfLJSPIOUX+osiMraVgIrMR27uMXnRJWGm1+GL8/63U= @@ -154,8 +155,6 @@ github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/tidwall/gjson v1.17.3 h1:bwWLZU7icoKRG+C+0PNwIKC6FCJO/Q3p2pZvuP0jN94= @@ -170,8 +169,8 @@ github.com/v2fly/VSign v0.0.0-20201108000810-e2adc24bf848 h1:p1UzXK6VAutXFFQMnre github.com/v2fly/VSign v0.0.0-20201108000810-e2adc24bf848/go.mod h1:p80Bv154ZtrGpXMN15slDCqc9UGmfBuUzheDFBYaW/M= github.com/v2fly/ss-bloomring v0.0.0-20210312155135-28617310f63e h1:5QefA066A1tF8gHIiADmOVOV5LS43gt3ONnlEl3xkwI= github.com/v2fly/ss-bloomring v0.0.0-20210312155135-28617310f63e/go.mod h1:5t19P9LBIrNamL6AcMQOncg/r10y3Pc01AbHeMhwlpU= -github.com/v2fly/v2ray-core/v5 v5.16.1 h1:hIuRzCJhmRYqCA76hGiNLkAHopgbNt91L871wlJ/yUU= -github.com/v2fly/v2ray-core/v5 v5.16.1/go.mod h1:3pWIBTmNagMKpzd9/QicXq/7JZCQt716GsGZdBNmYkU= +github.com/v2fly/v2ray-core/v5 v5.17.1 h1:IIMMtmRdaG5HTYNn6VX1xKULknJl7nhkSFnmoTb5TDQ= +github.com/v2fly/v2ray-core/v5 v5.17.1/go.mod h1:IhDN0rhXJnNcs9jUuC5sILTGCT2L+4yr0+tfD8ZVuL8= github.com/vincent-petithory/dataurl v1.0.0 h1:cXw+kPto8NLuJtlMsI152irrVw9fRDX8AbShPRpg2CI= github.com/vincent-petithory/dataurl v1.0.0/go.mod h1:FHafX5vmDzyP+1CQATJn7WFKc9CvnvxyvZy6I1MrG/U= github.com/xiaokangwang/VLite v0.0.0-20220418190619-cff95160a432 h1:I/ATawgO2RerCq9ACwL0wBB8xNXZdE3J+93MCEHReRs= @@ -185,47 +184,46 @@ go.uber.org/mock v0.4.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc= go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M= go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI= -golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= +golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw= +golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM= golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= -golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0= +golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac= -golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= +golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= +golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= -golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= +golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= -golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= +golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= -golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= +golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw= -golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= +golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA= +golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= @@ -233,13 +231,13 @@ google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de h1:cZGRis4/ot9uVm639a+rHCUaG0JJHEsdyzSQTMX+suY= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:H4O17MA/PE9BsGx3w+a+W2VOLLD1Qf7oJneAoU6WktY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 h1:Zy9XzmMEflZ/MAaA7vNcoebnRAld7FsPW1EeBB7V0m8= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.63.2 h1:MUeiw1B2maTVZthpU5xvASfTh3LDbxHd6IJ6QQVU+xM= -google.golang.org/grpc v1.63.2/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA= +google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc= +google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= @@ -255,7 +253,6 @@ gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8X gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= -gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gvisor.dev/gvisor v0.0.0-20231020174304-b8a429915ff1 h1:qDCwdCWECGnwQSQC01Dpnp09fRHxJs9PbktotUqG+hs= diff --git a/geoip/plugin/maxmind/asn_csv.go b/geoip/plugin/maxmind/asn_csv.go index e738a44b12..8c90d60d90 100644 --- a/geoip/plugin/maxmind/asn_csv.go +++ b/geoip/plugin/maxmind/asn_csv.go @@ -129,7 +129,7 @@ func (g *geoLite2ASNCSV) Input(container lib.Container) (lib.Container, error) { } if len(entries) == 0 { - return nil, fmt.Errorf("❌ [type %s | action %s] no entry is generated", typeASNCSV, g.Action) + return nil, fmt.Errorf("❌ [type %s | action %s] no entry is generated", g.Type, g.Action) } var ignoreIPType lib.IgnoreIPOption @@ -190,7 +190,7 @@ func (g *geoLite2ASNCSV) process(file string, entries map[string]*lib.Entry) err } if len(record) < 2 { - return fmt.Errorf("❌ [type %s | action %s] invalid record: %v", typeASNCSV, g.Action, record) + return fmt.Errorf("❌ [type %s | action %s] invalid record: %v", g.Type, g.Action, record) } if listArr, found := g.Want[strings.TrimSpace(record[1])]; found { diff --git a/geoip/plugin/maxmind/country_csv.go b/geoip/plugin/maxmind/country_csv.go index 090de13a85..eb538deca3 100644 --- a/geoip/plugin/maxmind/country_csv.go +++ b/geoip/plugin/maxmind/country_csv.go @@ -123,7 +123,7 @@ func (g *geoLite2CountryCSV) Input(container lib.Container) (lib.Container, erro } if len(entries) == 0 { - return nil, fmt.Errorf("❌ [type %s | action %s] no entry is generated", typeCountryCSV, g.Action) + return nil, fmt.Errorf("❌ [type %s | action %s] no entry is generated", g.Type, g.Action) } var ignoreIPType lib.IgnoreIPOption @@ -176,7 +176,7 @@ func (g *geoLite2CountryCSV) getCountryCode() (map[string]string, error) { ccMap := make(map[string]string) for _, line := range lines[1:] { if len(line) < 5 { - return nil, fmt.Errorf("❌ [type %s | action %s] invalid record: %v", typeCountryCSV, g.Action, line) + return nil, fmt.Errorf("❌ [type %s | action %s] invalid record: %v", g.Type, g.Action, line) } id := strings.TrimSpace(line[0]) @@ -193,7 +193,7 @@ func (g *geoLite2CountryCSV) getCountryCode() (map[string]string, error) { } if len(ccMap) == 0 { - return nil, fmt.Errorf("❌ [type %s | action %s] invalid country code data", typeCountryCSV, g.Action) + return nil, fmt.Errorf("❌ [type %s | action %s] invalid country code data", g.Type, g.Action) } return ccMap, nil @@ -201,7 +201,7 @@ func (g *geoLite2CountryCSV) getCountryCode() (map[string]string, error) { func (g *geoLite2CountryCSV) process(file string, ccMap map[string]string, entries map[string]*lib.Entry) error { if len(ccMap) == 0 { - return fmt.Errorf("❌ [type %s | action %s] invalid country code data", typeCountryCSV, g.Action) + return fmt.Errorf("❌ [type %s | action %s] invalid country code data", g.Type, g.Action) } if entries == nil { entries = make(map[string]*lib.Entry, len(ccMap)) @@ -234,7 +234,7 @@ func (g *geoLite2CountryCSV) process(file string, ccMap map[string]string, entri } if len(record) < 4 { - return fmt.Errorf("❌ [type %s | action %s] invalid record: %v", typeCountryCSV, g.Action, record) + return fmt.Errorf("❌ [type %s | action %s] invalid record: %v", g.Type, g.Action, record) } ccID := "" diff --git a/geoip/plugin/maxmind/mmdb_in.go b/geoip/plugin/maxmind/mmdb_in.go index 3ee1eacb59..fc891c7a2b 100644 --- a/geoip/plugin/maxmind/mmdb_in.go +++ b/geoip/plugin/maxmind/mmdb_in.go @@ -105,7 +105,7 @@ func (m *maxmindMMDBIn) Input(container lib.Container) (lib.Container, error) { } if len(entries) == 0 { - return nil, fmt.Errorf("❌ [type %s | action %s] no entry is generated", typeMaxmindMMDBIn, m.Action) + return nil, fmt.Errorf("❌ [type %s | action %s] no entry is generated", m.Type, m.Action) } var ignoreIPType lib.IgnoreIPOption diff --git a/geoip/plugin/maxmind/mmdb_out.go b/geoip/plugin/maxmind/mmdb_out.go index e42ea02dff..964971d755 100644 --- a/geoip/plugin/maxmind/mmdb_out.go +++ b/geoip/plugin/maxmind/mmdb_out.go @@ -123,7 +123,7 @@ func (m *mmdbOut) Output(container lib.Container) error { return err } } else { - return fmt.Errorf("type %s | action %s failed to write file", m.Type, m.Action) + return fmt.Errorf("❌ [type %s | action %s] failed to write file", m.Type, m.Action) } return nil diff --git a/geoip/plugin/mihomo/mrs_in.go b/geoip/plugin/mihomo/mrs_in.go index 4976e071af..a3ab93641c 100644 --- a/geoip/plugin/mihomo/mrs_in.go +++ b/geoip/plugin/mihomo/mrs_in.go @@ -50,11 +50,11 @@ func newMRSIn(action lib.Action, data json.RawMessage) (lib.InputConverter, erro } if tmp.Name == "" && tmp.URI == "" && tmp.InputDir == "" { - return nil, fmt.Errorf("type %s | action %s missing inputdir or name or uri", typeMRSIn, action) + return nil, fmt.Errorf("❌ [type %s | action %s] missing inputDir or name or uri", typeMRSIn, action) } if (tmp.Name != "" && tmp.URI == "") || (tmp.Name == "" && tmp.URI != "") { - return nil, fmt.Errorf("type %s | action %s name & uri must be specified together", typeMRSIn, action) + return nil, fmt.Errorf("❌ [type %s | action %s] name & uri must be specified together", typeMRSIn, action) } // Filter want list @@ -115,7 +115,7 @@ func (m *mrsIn) Input(container lib.Container) (lib.Container, error) { err = m.walkLocalFile(m.URI, m.Name, entries) } default: - return nil, fmt.Errorf("config missing argument inputDir or name or uri") + return nil, fmt.Errorf("❌ [type %s | action %s] config missing argument inputDir or name or uri", m.Type, m.Action) } if err != nil { @@ -181,7 +181,7 @@ func (m *mrsIn) walkLocalFile(path, name string, entries map[string]*lib.Entry) // check filename if !regexp.MustCompile(`^[a-zA-Z0-9_.\-]+$`).MatchString(entryName) { - return fmt.Errorf("filename %s cannot be entry name, please remove special characters in it", entryName) + return fmt.Errorf("❌ [type %s | action %s] filename %s cannot be entry name, please remove special characters in it", m.Type, m.Action, entryName) } // remove file extension but not hidden files of which filename starts with "." @@ -193,7 +193,7 @@ func (m *mrsIn) walkLocalFile(path, name string, entries map[string]*lib.Entry) entryName = strings.ToUpper(entryName) if _, found := entries[entryName]; found { - return fmt.Errorf("found duplicated list %s", entryName) + return fmt.Errorf("❌ [type %s | action %s] found duplicated list %s", m.Type, m.Action, entryName) } file, err := os.Open(path) @@ -217,7 +217,7 @@ func (m *mrsIn) walkRemoteFile(url, name string, entries map[string]*lib.Entry) defer resp.Body.Close() if resp.StatusCode != 200 { - return fmt.Errorf("failed to get remote file %s, http status code %d", url, resp.StatusCode) + return fmt.Errorf("❌ [type %s | action %s] failed to get remote file %s, http status code %d", m.Type, m.Action, url, resp.StatusCode) } if err := m.generateEntries(name, resp.Body, entries); err != nil { diff --git a/geoip/plugin/mihomo/mrs_out.go b/geoip/plugin/mihomo/mrs_out.go index 14d4842812..fe9480dab3 100644 --- a/geoip/plugin/mihomo/mrs_out.go +++ b/geoip/plugin/mihomo/mrs_out.go @@ -148,7 +148,7 @@ func (m *mrsOut) generate(entry *lib.Entry) error { } if len(ipRanges) == 0 { - return fmt.Errorf("entry %s has no CIDR", entry.GetName()) + return fmt.Errorf("❌ [type %s | action %s] entry %s has no CIDR", m.Type, m.Action, entry.GetName()) } filename := strings.ToLower(entry.GetName()) + ".mrs" diff --git a/geoip/plugin/plaintext/common_in.go b/geoip/plugin/plaintext/common_in.go index bf678e371c..06032c9db6 100644 --- a/geoip/plugin/plaintext/common_in.go +++ b/geoip/plugin/plaintext/common_in.go @@ -17,6 +17,7 @@ type textIn struct { Description string Name string URI string + IPOrCIDR []string InputDir string Want map[string]bool OnlyIPType lib.IPType @@ -199,7 +200,7 @@ func (t *textIn) scanFileForJSONIn(reader io.Reader, entry *lib.Entry) error { } if !gjson.ValidBytes(data) { - return fmt.Errorf("invalid JSON data") + return fmt.Errorf("❌ [type %s | action %s] invalid JSON data", t.Type, t.Action) } // JSON Path syntax: diff --git a/geoip/plugin/plaintext/text_in.go b/geoip/plugin/plaintext/text_in.go index 037271c127..68d60eaadd 100644 --- a/geoip/plugin/plaintext/text_in.go +++ b/geoip/plugin/plaintext/text_in.go @@ -30,6 +30,7 @@ func newTextIn(iType string, action lib.Action, data json.RawMessage) (lib.Input var tmp struct { Name string `json:"name"` URI string `json:"uri"` + IPOrCIDR []string `json:"ipOrCIDR"` InputDir string `json:"inputDir"` Want []string `json:"wantedList"` OnlyIPType lib.IPType `json:"onlyIPType"` @@ -49,16 +50,23 @@ func newTextIn(iType string, action lib.Action, data json.RawMessage) (lib.Input } } - if tmp.Name == "" && tmp.URI == "" && tmp.InputDir == "" { - return nil, fmt.Errorf("type %s | action %s missing inputdir or name or uri", typeTextIn, action) - } - - if (tmp.Name != "" && tmp.URI == "") || (tmp.Name == "" && tmp.URI != "") { - return nil, fmt.Errorf("type %s | action %s name & uri must be specified together", typeTextIn, action) + if iType != typeTextIn && len(tmp.IPOrCIDR) > 0 { + return nil, fmt.Errorf("❌ [type %s | action %s] ipOrCIDR is invalid for this input format", iType, action) } if iType == typeJSONIn && len(tmp.JSONPath) == 0 { - return nil, fmt.Errorf("type %s | action %s missing jsonPath", typeJSONIn, action) + return nil, fmt.Errorf("❌ [type %s | action %s] missing jsonPath", iType, action) + } + + if tmp.InputDir == "" { + if tmp.Name == "" { + return nil, fmt.Errorf("❌ [type %s | action %s] missing inputDir or name", iType, action) + } + if tmp.URI == "" && len(tmp.IPOrCIDR) == 0 { + return nil, fmt.Errorf("❌ [type %s | action %s] missing uri or ipOrCIDR", iType, action) + } + } else if tmp.Name != "" || tmp.URI != "" || len(tmp.IPOrCIDR) > 0 { + return nil, fmt.Errorf("❌ [type %s | action %s] inputDir is not allowed to be used with name or uri or ipOrCIDR", iType, action) } // Filter want list @@ -75,6 +83,7 @@ func newTextIn(iType string, action lib.Action, data json.RawMessage) (lib.Input Description: descTextIn, Name: tmp.Name, URI: tmp.URI, + IPOrCIDR: tmp.IPOrCIDR, InputDir: tmp.InputDir, Want: wantList, OnlyIPType: tmp.OnlyIPType, @@ -104,6 +113,7 @@ func (t *textIn) Input(container lib.Container) (lib.Container, error) { switch { case t.InputDir != "": err = t.walkDir(t.InputDir, entries) + case t.Name != "" && t.URI != "": switch { case strings.HasPrefix(strings.ToLower(t.URI), "http://"), strings.HasPrefix(strings.ToLower(t.URI), "https://"): @@ -111,8 +121,17 @@ func (t *textIn) Input(container lib.Container) (lib.Container, error) { default: err = t.walkLocalFile(t.URI, t.Name, entries) } + if err != nil { + return nil, err + } + + fallthrough + + case t.Name != "" && len(t.IPOrCIDR) > 0: + err = t.appendIPOrCIDR(t.IPOrCIDR, t.Name, entries) + default: - return nil, fmt.Errorf("config missing argument inputDir or name or uri") + return nil, fmt.Errorf("❌ [type %s | action %s] config missing argument inputDir or name or uri or ipOrCIDR", t.Type, t.Action) } if err != nil { @@ -128,7 +147,7 @@ func (t *textIn) Input(container lib.Container) (lib.Container, error) { } if len(entries) == 0 { - return nil, fmt.Errorf("type %s | action %s no entry is generated", t.Type, t.Action) + return nil, fmt.Errorf("❌ [type %s | action %s] no entry is generated", t.Type, t.Action) } for _, entry := range entries { @@ -178,7 +197,7 @@ func (t *textIn) walkLocalFile(path, name string, entries map[string]*lib.Entry) // check filename if !regexp.MustCompile(`^[a-zA-Z0-9_.\-]+$`).MatchString(entryName) { - return fmt.Errorf("filename %s cannot be entry name, please remove special characters in it", entryName) + return fmt.Errorf("❌ [type %s | action %s] filename %s cannot be entry name, please remove special characters in it", t.Type, t.Action, entryName) } // remove file extension but not hidden files of which filename starts with "." @@ -194,7 +213,7 @@ func (t *textIn) walkLocalFile(path, name string, entries map[string]*lib.Entry) return nil } if _, found := entries[entryName]; found { - return fmt.Errorf("found duplicated list %s", entryName) + return fmt.Errorf("❌ [type %s | action %s] found duplicated list %s", t.Type, t.Action, entryName) } entry := lib.NewEntry(entryName) @@ -220,7 +239,7 @@ func (t *textIn) walkRemoteFile(url, name string, entries map[string]*lib.Entry) defer resp.Body.Close() if resp.StatusCode != 200 { - return fmt.Errorf("failed to get remote file %s, http status code %d", url, resp.StatusCode) + return fmt.Errorf("❌ [type %s | action %s] failed to get remote file %s, http status code %d", t.Type, t.Action, url, resp.StatusCode) } name = strings.ToUpper(name) @@ -238,3 +257,22 @@ func (t *textIn) walkRemoteFile(url, name string, entries map[string]*lib.Entry) return nil } + +func (t *textIn) appendIPOrCIDR(ipOrCIDR []string, name string, entries map[string]*lib.Entry) error { + name = strings.ToUpper(name) + + entry, found := entries[name] + if !found { + entry = lib.NewEntry(name) + } + + for _, cidr := range ipOrCIDR { + if err := entry.AddPrefix(strings.TrimSpace(cidr)); err != nil { + return err + } + } + + entries[name] = entry + + return nil +} diff --git a/geoip/plugin/singbox/srs_in.go b/geoip/plugin/singbox/srs_in.go index 2a69e775db..f38c53cd4d 100644 --- a/geoip/plugin/singbox/srs_in.go +++ b/geoip/plugin/singbox/srs_in.go @@ -44,11 +44,11 @@ func newSRSIn(action lib.Action, data json.RawMessage) (lib.InputConverter, erro } if tmp.Name == "" && tmp.URI == "" && tmp.InputDir == "" { - return nil, fmt.Errorf("type %s | action %s missing inputdir or name or uri", typeSRSIn, action) + return nil, fmt.Errorf("❌ [type %s | action %s] missing inputdir or name or uri", typeSRSIn, action) } if (tmp.Name != "" && tmp.URI == "") || (tmp.Name == "" && tmp.URI != "") { - return nil, fmt.Errorf("type %s | action %s name & uri must be specified together", typeSRSIn, action) + return nil, fmt.Errorf("❌ [type %s | action %s] name & uri must be specified together", typeSRSIn, action) } // Filter want list @@ -109,7 +109,7 @@ func (s *srsIn) Input(container lib.Container) (lib.Container, error) { err = s.walkLocalFile(s.URI, s.Name, entries) } default: - return nil, fmt.Errorf("config missing argument inputDir or name or uri") + return nil, fmt.Errorf("❌ [type %s | action %s] config missing argument inputDir or name or uri", s.Type, s.Action) } if err != nil { @@ -117,7 +117,7 @@ func (s *srsIn) Input(container lib.Container) (lib.Container, error) { } if len(entries) == 0 { - return nil, fmt.Errorf("type %s | action %s no entry is generated", s.Type, s.Action) + return nil, fmt.Errorf("❌ [type %s | action %s] no entry is generated", s.Type, s.Action) } var ignoreIPType lib.IgnoreIPOption @@ -175,7 +175,7 @@ func (s *srsIn) walkLocalFile(path, name string, entries map[string]*lib.Entry) // check filename if !regexp.MustCompile(`^[a-zA-Z0-9_.\-]+$`).MatchString(entryName) { - return fmt.Errorf("filename %s cannot be entry name, please remove special characters in it", entryName) + return fmt.Errorf("❌ [type %s | action %s] filename %s cannot be entry name, please remove special characters in it", s.Type, s.Action, entryName) } // remove file extension but not hidden files of which filename starts with "." @@ -187,7 +187,7 @@ func (s *srsIn) walkLocalFile(path, name string, entries map[string]*lib.Entry) entryName = strings.ToUpper(entryName) if _, found := entries[entryName]; found { - return fmt.Errorf("found duplicated list %s", entryName) + return fmt.Errorf("❌ [type %s | action %s] found duplicated list %s", s.Type, s.Action, entryName) } file, err := os.Open(path) @@ -211,7 +211,7 @@ func (s *srsIn) walkRemoteFile(url, name string, entries map[string]*lib.Entry) defer resp.Body.Close() if resp.StatusCode != 200 { - return fmt.Errorf("failed to get remote file %s, http status code %d", url, resp.StatusCode) + return fmt.Errorf("❌ [type %s | action %s] failed to get remote file %s, http status code %d", s.Type, s.Action, url, resp.StatusCode) } if err := s.generateEntries(name, resp.Body, entries); err != nil { diff --git a/geoip/plugin/singbox/srs_out.go b/geoip/plugin/singbox/srs_out.go index 877e5acd08..d2950ee559 100644 --- a/geoip/plugin/singbox/srs_out.go +++ b/geoip/plugin/singbox/srs_out.go @@ -175,7 +175,7 @@ func (s *srsOut) generateRuleSet(entry *lib.Entry) (*option.PlainRuleSet, error) return &plainRuleSet, nil } - return nil, fmt.Errorf("entry %s has no CIDR", entry.GetName()) + return nil, fmt.Errorf("❌ [type %s | action %s] entry %s has no CIDR", s.Type, s.Action, entry.GetName()) } func (s *srsOut) writeFile(filename string, ruleset *option.PlainRuleSet) error { diff --git a/geoip/plugin/special/cutter.go b/geoip/plugin/special/cutter.go index 2d52e16110..2b33ee2771 100644 --- a/geoip/plugin/special/cutter.go +++ b/geoip/plugin/special/cutter.go @@ -35,7 +35,7 @@ func newCutter(action lib.Action, data json.RawMessage) (lib.InputConverter, err } if action != lib.ActionRemove { - return nil, fmt.Errorf("type %s only supports `remove` action", typeCutter) + return nil, fmt.Errorf("❌ [type %s] only supports `remove` action", typeCutter) } // Filter want list @@ -47,7 +47,7 @@ func newCutter(action lib.Action, data json.RawMessage) (lib.InputConverter, err } if len(wantList) == 0 { - return nil, fmt.Errorf("type %s wantedList must be specified", typeCutter) + return nil, fmt.Errorf("❌ [type %s] wantedList must be specified", typeCutter) } return &cutter{ diff --git a/geoip/plugin/special/lookup.go b/geoip/plugin/special/lookup.go index 7c97e74646..34ba0207da 100644 --- a/geoip/plugin/special/lookup.go +++ b/geoip/plugin/special/lookup.go @@ -38,7 +38,7 @@ func newLookup(action lib.Action, data json.RawMessage) (lib.OutputConverter, er tmp.Search = strings.TrimSpace(tmp.Search) if tmp.Search == "" { - return nil, fmt.Errorf("type %s | action %s: please specify an IP or a CIDR as search target", typeLookup, action) + return nil, fmt.Errorf("❌ [type %s | action %s] please specify an IP or a CIDR as search target", typeLookup, action) } return &lookup{ diff --git a/geoip/plugin/special/stdin.go b/geoip/plugin/special/stdin.go index 4f56d75623..1621c3516f 100644 --- a/geoip/plugin/special/stdin.go +++ b/geoip/plugin/special/stdin.go @@ -37,7 +37,7 @@ func newStdin(action lib.Action, data json.RawMessage) (lib.InputConverter, erro } if tmp.Name == "" { - return nil, fmt.Errorf("type %s | action %s missing name", typeStdin, action) + return nil, fmt.Errorf("❌ [type %s | action %s] missing name", typeStdin, action) } return &stdin{ diff --git a/geoip/plugin/v2ray/dat_in.go b/geoip/plugin/v2ray/dat_in.go index 4b2a98c07c..96de3d7082 100644 --- a/geoip/plugin/v2ray/dat_in.go +++ b/geoip/plugin/v2ray/dat_in.go @@ -42,7 +42,7 @@ func newGeoIPDatIn(action lib.Action, data json.RawMessage) (lib.InputConverter, } if tmp.URI == "" { - return nil, fmt.Errorf("[type %s | action %s] uri must be specified in config", typeGeoIPdatIn, action) + return nil, fmt.Errorf("❌ [type %s | action %s] uri must be specified in config", typeGeoIPdatIn, action) } // Filter want list @@ -100,7 +100,7 @@ func (g *geoIPDatIn) Input(container lib.Container) (lib.Container, error) { } if len(entries) == 0 { - return nil, fmt.Errorf("❌ [type %s | action %s] no entry is generated", typeGeoIPdatIn, g.Action) + return nil, fmt.Errorf("❌ [type %s | action %s] no entry is generated", g.Type, g.Action) } var ignoreIPType lib.IgnoreIPOption @@ -151,7 +151,7 @@ func (g *geoIPDatIn) walkRemoteFile(url string, entries map[string]*lib.Entry) e defer resp.Body.Close() if resp.StatusCode != 200 { - return fmt.Errorf("failed to get remote file %s, http status code %d", url, resp.StatusCode) + return fmt.Errorf("❌ [type %s | action %s] failed to get remote file %s, http status code %d", g.Type, g.Action, url, resp.StatusCode) } if err := g.generateEntries(resp.Body, entries); err != nil { diff --git a/geoip/plugin/v2ray/dat_out.go b/geoip/plugin/v2ray/dat_out.go index abb00ca409..771d4e27ab 100644 --- a/geoip/plugin/v2ray/dat_out.go +++ b/geoip/plugin/v2ray/dat_out.go @@ -219,7 +219,7 @@ func (g *geoIPDatOut) generateGeoIP(entry *lib.Entry) (*router.GeoIP, error) { }, nil } - return nil, fmt.Errorf("entry %s has no CIDR", entry.GetName()) + return nil, fmt.Errorf("❌ [type %s | action %s] entry %s has no CIDR", g.Type, g.Action, entry.GetName()) } // Sort by country code to make reproducible builds diff --git a/lede/target/linux/rockchip/image/rk35xx.mk b/lede/target/linux/rockchip/image/rk35xx.mk index dfd568f204..722a69329a 100644 --- a/lede/target/linux/rockchip/image/rk35xx.mk +++ b/lede/target/linux/rockchip/image/rk35xx.mk @@ -35,6 +35,15 @@ $(call Device/rk3588) endef TARGET_DEVICES += armsom_sige7 +define Device/cyber_cyber3588-aib +$(call Device/rk3588) + DEVICE_VENDOR := Cyber + DEVICE_MODEL := 3588 AIB + DEVICE_DTS := rk3588-cyber3588-aib + DEVICE_PACKAGES := kmod-switch-rtl8367b kmod-r8125 kmod-nvme kmod-thermal swconfig +endef +TARGET_DEVICES += cyber_cyber3588-aib + define Device/friendlyarm_nanopi-r6c $(call Device/rk3588) DEVICE_VENDOR := FriendlyARM diff --git a/mihomo/.github/workflows/build.yml b/mihomo/.github/workflows/build.yml index b62e982000..5ba2ef6f9e 100644 --- a/mihomo/.github/workflows/build.yml +++ b/mihomo/.github/workflows/build.yml @@ -387,18 +387,18 @@ jobs: git fetch --tags echo "PREVERSION=$(git describe --tags --abbrev=0 HEAD)" >> $GITHUB_ENV - - name: Merge Alpha branch into Meta + - name: Force push Alpha branch to Meta run: | git config --global user.email "github-actions[bot]@users.noreply.github.com" git config --global user.name "github-actions[bot]" git fetch origin Alpha:Alpha - git merge Alpha - git push origin Meta + git push origin Alpha:Meta --force env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Tag the commit + - name: Tag the commit on Alpha run: | + git checkout Alpha git tag ${{ github.event.inputs.version }} git push origin ${{ github.event.inputs.version }} env: diff --git a/mihomo/component/fakeip/pool.go b/mihomo/component/fakeip/pool.go index e2c1072254..12c063324b 100644 --- a/mihomo/component/fakeip/pool.go +++ b/mihomo/component/fakeip/pool.go @@ -36,6 +36,7 @@ type Pool struct { cycle bool mux sync.Mutex host []C.DomainMatcher + mode C.FilterMode ipnet netip.Prefix store store } @@ -66,6 +67,14 @@ func (p *Pool) LookBack(ip netip.Addr) (string, bool) { // ShouldSkipped return if domain should be skipped func (p *Pool) ShouldSkipped(domain string) bool { + should := p.shouldSkipped(domain) + if p.mode == C.FilterWhiteList { + return !should + } + return should +} + +func (p *Pool) shouldSkipped(domain string) bool { for _, matcher := range p.host { if matcher.MatchDomain(domain) { return true @@ -157,6 +166,7 @@ func (p *Pool) restoreState() { type Options struct { IPNet netip.Prefix Host []C.DomainMatcher + Mode C.FilterMode // Size sets the maximum number of entries in memory // and does not work if Persistence is true @@ -187,6 +197,7 @@ func New(options Options) (*Pool, error) { offset: first.Prev(), cycle: false, host: options.Host, + mode: options.Mode, ipnet: options.IPNet, } if options.Persistence { diff --git a/mihomo/component/fakeip/pool_test.go b/mihomo/component/fakeip/pool_test.go index 1d4fa05f0a..923cca574d 100644 --- a/mihomo/component/fakeip/pool_test.go +++ b/mihomo/component/fakeip/pool_test.go @@ -164,6 +164,28 @@ func TestPool_Skip(t *testing.T) { for _, pool := range pools { assert.True(t, pool.ShouldSkipped("example.com")) assert.False(t, pool.ShouldSkipped("foo.com")) + assert.False(t, pool.shouldSkipped("baz.com")) + } +} + +func TestPool_SkipWhiteList(t *testing.T) { + ipnet := netip.MustParsePrefix("192.168.0.1/29") + tree := trie.New[struct{}]() + assert.NoError(t, tree.Insert("example.com", struct{}{})) + assert.False(t, tree.IsEmpty()) + pools, tempfile, err := createPools(Options{ + IPNet: ipnet, + Size: 10, + Host: []C.DomainMatcher{tree.NewDomainSet()}, + Mode: C.FilterWhiteList, + }) + assert.Nil(t, err) + defer os.Remove(tempfile) + + for _, pool := range pools { + assert.False(t, pool.ShouldSkipped("example.com")) + assert.True(t, pool.ShouldSkipped("foo.com")) + assert.True(t, pool.ShouldSkipped("baz.com")) } } diff --git a/mihomo/config/config.go b/mihomo/config/config.go index c250d3ec21..ed30bfe452 100644 --- a/mihomo/config/config.go +++ b/mihomo/config/config.go @@ -205,6 +205,7 @@ type RawDNS struct { EnhancedMode C.DNSMode `yaml:"enhanced-mode" json:"enhanced-mode"` FakeIPRange string `yaml:"fake-ip-range" json:"fake-ip-range"` FakeIPFilter []string `yaml:"fake-ip-filter" json:"fake-ip-filter"` + FakeIPFilterMode C.FilterMode `yaml:"fake-ip-filter-mode" json:"fake-ip-filter-mode"` DefaultNameserver []string `yaml:"default-nameserver" json:"default-nameserver"` CacheAlgorithm string `yaml:"cache-algorithm" json:"cache-algorithm"` NameServerPolicy *orderedmap.OrderedMap[string, any] `yaml:"nameserver-policy" json:"nameserver-policy"` @@ -474,6 +475,7 @@ func DefaultRawConfig() *RawConfig { "www.msftnsci.com", "www.msftconnecttest.com", }, + FakeIPFilterMode: C.FilterBlackList, }, NTP: RawNTP{ Enable: false, @@ -1458,6 +1460,7 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul IPNet: fakeIPRange, Size: 1000, Host: host, + Mode: cfg.FakeIPFilterMode, Persistence: rawCfg.Profile.StoreFakeIP, }) if err != nil { diff --git a/mihomo/constant/dns.go b/mihomo/constant/dns.go index 3d97d97b71..8d038a6bbb 100644 --- a/mihomo/constant/dns.go +++ b/mihomo/constant/dns.go @@ -43,7 +43,9 @@ func (e DNSMode) MarshalYAML() (any, error) { // UnmarshalJSON unserialize EnhancedMode with json func (e *DNSMode) UnmarshalJSON(data []byte) error { var tp string - json.Unmarshal(data, &tp) + if err := json.Unmarshal(data, &tp); err != nil { + return err + } mode, exist := DNSModeMapping[tp] if !exist { return errors.New("invalid mode") @@ -115,6 +117,64 @@ func NewDNSPrefer(prefer string) DNSPrefer { } } +// FilterModeMapping is a mapping for FilterMode enum +var FilterModeMapping = map[string]FilterMode{ + FilterBlackList.String(): FilterBlackList, + FilterWhiteList.String(): FilterWhiteList, +} + +type FilterMode int + +const ( + FilterBlackList FilterMode = iota + FilterWhiteList +) + +func (e FilterMode) String() string { + switch e { + case FilterBlackList: + return "blacklist" + case FilterWhiteList: + return "whitelist" + default: + return "unknown" + } +} + +func (e FilterMode) MarshalYAML() (interface{}, error) { + return e.String(), nil +} + +func (e *FilterMode) UnmarshalYAML(unmarshal func(interface{}) error) error { + var tp string + if err := unmarshal(&tp); err != nil { + return err + } + mode, exist := FilterModeMapping[tp] + if !exist { + return errors.New("invalid mode") + } + *e = mode + return nil +} + +func (e FilterMode) MarshalJSON() ([]byte, error) { + return json.Marshal(e.String()) +} + +func (e *FilterMode) UnmarshalJSON(data []byte) error { + var tp string + if err := json.Unmarshal(data, &tp); err != nil { + return err + } + mode, exist := FilterModeMapping[tp] + if !exist { + return errors.New("invalid mode") + } + *e = mode + return nil +} + type HTTPVersion string const ( diff --git a/mihomo/docs/config.yaml b/mihomo/docs/config.yaml index bb60b28649..1da37841cb 100644 --- a/mihomo/docs/config.yaml +++ b/mihomo/docs/config.yaml @@ -249,6 +249,9 @@ dns: - rule-set:fakeip-filter # fakeip-filter 为 geosite 中名为 fakeip-filter 的分类(需要自行保证该分类存在) - geosite:fakeip-filter + # 配置fake-ip-filter的匹配模式,默认为blacklist,即如果匹配成功不返回fake-ip + # 可设置为whitelist,即只有匹配成功才返回fake-ip + fake-ip-filter-mode: blacklist # use-hosts: true # 查询 hosts diff --git a/mihomo/hub/executor/executor.go b/mihomo/hub/executor/executor.go index 442666f05d..e7e9b72c4c 100644 --- a/mihomo/hub/executor/executor.go +++ b/mihomo/hub/executor/executor.go @@ -77,7 +77,7 @@ func ParseWithBytes(buf []byte) (*config.Config, error) { return config.Parse(buf) } -// ApplyConfig dispatch configure to all parts +// ApplyConfig dispatch configure to all parts without ExternalController func ApplyConfig(cfg *config.Config, force bool) { mux.Lock() defer mux.Unlock() diff --git a/mihomo/hub/hub.go b/mihomo/hub/hub.go index 2a53b19793..d439d32e35 100644 --- a/mihomo/hub/hub.go +++ b/mihomo/hub/hub.go @@ -1,7 +1,10 @@ package hub import ( + "strings" + "github.com/metacubex/mihomo/config" + "github.com/metacubex/mihomo/constant/features" "github.com/metacubex/mihomo/hub/executor" "github.com/metacubex/mihomo/hub/route" "github.com/metacubex/mihomo/log" @@ -33,6 +36,33 @@ func WithSecret(secret string) Option { } } +// ApplyConfig dispatch configure to all parts include ExternalController +func ApplyConfig(cfg *config.Config) { + applyRoute(cfg) + executor.ApplyConfig(cfg, true) +} + +func applyRoute(cfg *config.Config) { + if features.CMFA && strings.HasSuffix(cfg.Controller.ExternalUI, ":0") { + // CMFA have set its default override value to end with ":0" for security. + // so we direct return at here + return + } + if cfg.Controller.ExternalUI != "" { + route.SetUIPath(cfg.Controller.ExternalUI) + } + route.ReCreateServer(&route.Config{ + Addr: cfg.Controller.ExternalController, + TLSAddr: cfg.Controller.ExternalControllerTLS, + UnixAddr: cfg.Controller.ExternalControllerUnix, + Secret: cfg.Controller.Secret, + Certificate: cfg.TLS.Certificate, + PrivateKey: cfg.TLS.PrivateKey, + DohServer: cfg.Controller.ExternalDohServer, + IsDebug: cfg.General.LogLevel == log.DEBUG, + }) +} + // Parse call at the beginning of mihomo func Parse(options ...Option) error { cfg, err := executor.Parse() @@ -44,20 +74,6 @@ func Parse(options ...Option) error { option(cfg) } - if cfg.Controller.ExternalUI != "" { - route.SetUIPath(cfg.Controller.ExternalUI) - } - - if cfg.Controller.ExternalController != "" { - go route.Start(cfg.Controller.ExternalController, cfg.Controller.ExternalControllerTLS, - cfg.Controller.Secret, cfg.TLS.Certificate, cfg.TLS.PrivateKey, cfg.Controller.ExternalDohServer, - cfg.General.LogLevel == log.DEBUG) - } - - if cfg.Controller.ExternalControllerUnix != "" { - go route.StartUnix(cfg.Controller.ExternalControllerUnix, cfg.Controller.ExternalDohServer, cfg.General.LogLevel == log.DEBUG) - } - - executor.ApplyConfig(cfg, true) + ApplyConfig(cfg) return nil } diff --git a/mihomo/hub/route/server.go b/mihomo/hub/route/server.go index 165c7c6970..1605b4bf74 100644 --- a/mihomo/hub/route/server.go +++ b/mihomo/hub/route/server.go @@ -30,10 +30,11 @@ import ( ) var ( - serverSecret = "" - serverAddr = "" - uiPath = "" + + httpServer *http.Server + tlsServer *http.Server + unixServer *http.Server ) type Traffic struct { @@ -46,11 +47,28 @@ type Memory struct { OSLimit uint64 `json:"oslimit"` // maybe we need it in the future } +type Config struct { + Addr string + TLSAddr string + UnixAddr string + Secret string + Certificate string + PrivateKey string + DohServer string + IsDebug bool +} + +func ReCreateServer(cfg *Config) { + go start(cfg) + go startTLS(cfg) + go startUnix(cfg) +} + func SetUIPath(path string) { uiPath = C.Path.Resolve(path) } -func router(isDebug bool, withAuth bool, dohServer string) *chi.Mux { +func router(isDebug bool, secret string, dohServer string) *chi.Mux { r := chi.NewRouter() corsM := cors.New(cors.Options{ AllowedOrigins: []string{"*"}, @@ -72,8 +90,8 @@ func router(isDebug bool, withAuth bool, dohServer string) *chi.Mux { }()) } r.Group(func(r chi.Router) { - if withAuth { - r.Use(authentication) + if secret != "" { + r.Use(authentication(secret)) } r.Get("/", hello) r.Get("/logs", getLogs) @@ -111,88 +129,111 @@ func router(isDebug bool, withAuth bool, dohServer string) *chi.Mux { return r } -func Start(addr string, tlsAddr string, secret string, - certificate, privateKey string, dohServer string, isDebug bool) { - if serverAddr != "" { - return +func start(cfg *Config) { + // first stop existing server + if httpServer != nil { + _ = httpServer.Close() + httpServer = nil } - serverAddr = addr - serverSecret = secret + // handle addr + if len(cfg.Addr) > 0 { + l, err := inbound.Listen("tcp", cfg.Addr) + if err != nil { + log.Errorln("External controller listen error: %s", err) + return + } + log.Infoln("RESTful API listening at: %s", l.Addr().String()) - if len(tlsAddr) > 0 { - go func() { - c, err := CN.ParseCert(certificate, privateKey, C.Path) - if err != nil { - log.Errorln("External controller tls listen error: %s", err) - return - } - - l, err := inbound.Listen("tcp", tlsAddr) - if err != nil { - log.Errorln("External controller tls listen error: %s", err) - return - } - - serverAddr = l.Addr().String() - log.Infoln("RESTful API tls listening at: %s", serverAddr) - tlsServe := &http.Server{ - Handler: router(isDebug, true, dohServer), - TLSConfig: &tls.Config{ - Certificates: []tls.Certificate{c}, - }, - } - if err = tlsServe.ServeTLS(l, "", ""); err != nil { - log.Errorln("External controller tls serve error: %s", err) - } - }() + server := &http.Server{ + Handler: router(cfg.IsDebug, cfg.Secret, cfg.DohServer), + } + if err = server.Serve(l); err != nil { + log.Errorln("External controller serve error: %s", err) + } + httpServer = server } - - l, err := inbound.Listen("tcp", addr) - if err != nil { - log.Errorln("External controller listen error: %s", err) - return - } - serverAddr = l.Addr().String() - log.Infoln("RESTful API listening at: %s", serverAddr) - - if err = http.Serve(l, router(isDebug, true, dohServer)); err != nil { - log.Errorln("External controller serve error: %s", err) - } - } -func StartUnix(addr string, dohServer string, isDebug bool) { - addr = C.Path.Resolve(addr) +func startTLS(cfg *Config) { + // first stop existing server + if tlsServer != nil { + _ = tlsServer.Close() + tlsServer = nil + } - dir := filepath.Dir(addr) - if _, err := os.Stat(dir); os.IsNotExist(err) { - if err := os.MkdirAll(dir, 0o755); err != nil { + // handle tlsAddr + if len(cfg.TLSAddr) > 0 { + c, err := CN.ParseCert(cfg.Certificate, cfg.PrivateKey, C.Path) + if err != nil { + log.Errorln("External controller tls listen error: %s", err) + return + } + + l, err := inbound.Listen("tcp", cfg.TLSAddr) + if err != nil { + log.Errorln("External controller tls listen error: %s", err) + return + } + + log.Infoln("RESTful API tls listening at: %s", l.Addr().String()) + server := &http.Server{ + Handler: router(cfg.IsDebug, cfg.Secret, cfg.DohServer), + TLSConfig: &tls.Config{ + Certificates: []tls.Certificate{c}, + }, + } + if err = server.ServeTLS(l, "", ""); err != nil { + log.Errorln("External controller tls serve error: %s", err) + } + tlsServer = server + } +} + +func startUnix(cfg *Config) { + // first stop existing server + if unixServer != nil { + _ = unixServer.Close() + unixServer = nil + } + + // handle addr + if len(cfg.UnixAddr) > 0 { + addr := C.Path.Resolve(cfg.UnixAddr) + + dir := filepath.Dir(addr) + if _, err := os.Stat(dir); os.IsNotExist(err) { + if err := os.MkdirAll(dir, 0o755); err != nil { + log.Errorln("External controller unix listen error: %s", err) + return + } + } + + // https://devblogs.microsoft.com/commandline/af_unix-comes-to-windows/ + // + // Note: As mentioned above in the ‘security’ section, when a socket binds a socket to a valid pathname address, + // a socket file is created within the filesystem. On Linux, the application is expected to unlink + // (see the notes section in the man page for AF_UNIX) before any other socket can be bound to the same address. + // The same applies to Windows unix sockets, except that, DeleteFile (or any other file delete API) + // should be used to delete the socket file prior to calling bind with the same path. + _ = syscall.Unlink(addr) + + l, err := inbound.Listen("unix", addr) + if err != nil { log.Errorln("External controller unix listen error: %s", err) return } + log.Infoln("RESTful API unix listening at: %s", l.Addr().String()) + + server := &http.Server{ + Handler: router(cfg.IsDebug, "", cfg.DohServer), + } + if err = server.Serve(l); err != nil { + log.Errorln("External controller unix serve error: %s", err) + } + unixServer = server } - // https://devblogs.microsoft.com/commandline/af_unix-comes-to-windows/ - // - // Note: As mentioned above in the ‘security’ section, when a socket binds a socket to a valid pathname address, - // a socket file is created within the filesystem. On Linux, the application is expected to unlink - // (see the notes section in the man page for AF_UNIX) before any other socket can be bound to the same address. - // The same applies to Windows unix sockets, except that, DeleteFile (or any other file delete API) - // should be used to delete the socket file prior to calling bind with the same path. - _ = syscall.Unlink(addr) - - l, err := inbound.Listen("unix", addr) - if err != nil { - log.Errorln("External controller unix listen error: %s", err) - return - } - serverAddr = l.Addr().String() - log.Infoln("RESTful API unix listening at: %s", serverAddr) - - if err = http.Serve(l, router(isDebug, false, dohServer)); err != nil { - log.Errorln("External controller unix serve error: %s", err) - } } func setPrivateNetworkAccess(next http.Handler) http.Handler { @@ -210,38 +251,35 @@ func safeEuqal(a, b string) bool { return subtle.ConstantTimeCompare(aBuf, bBuf) == 1 } -func authentication(next http.Handler) http.Handler { - fn := func(w http.ResponseWriter, r *http.Request) { - if serverSecret == "" { - next.ServeHTTP(w, r) - return - } +func authentication(secret string) func(http.Handler) http.Handler { + return func(next http.Handler) http.Handler { + fn := func(w http.ResponseWriter, r *http.Request) { + // Browser websocket not support custom header + if r.Header.Get("Upgrade") == "websocket" && r.URL.Query().Get("token") != "" { + token := r.URL.Query().Get("token") + if !safeEuqal(token, secret) { + render.Status(r, http.StatusUnauthorized) + render.JSON(w, r, ErrUnauthorized) + return + } + next.ServeHTTP(w, r) + return + } - // Browser websocket not support custom header - if r.Header.Get("Upgrade") == "websocket" && r.URL.Query().Get("token") != "" { - token := r.URL.Query().Get("token") - if !safeEuqal(token, serverSecret) { + header := r.Header.Get("Authorization") + bearer, token, found := strings.Cut(header, " ") + + hasInvalidHeader := bearer != "Bearer" + hasInvalidSecret := !found || !safeEuqal(token, secret) + if hasInvalidHeader || hasInvalidSecret { render.Status(r, http.StatusUnauthorized) render.JSON(w, r, ErrUnauthorized) return } next.ServeHTTP(w, r) - return } - - header := r.Header.Get("Authorization") - bearer, token, found := strings.Cut(header, " ") - - hasInvalidHeader := bearer != "Bearer" - hasInvalidSecret := !found || !safeEuqal(token, serverSecret) - if hasInvalidHeader || hasInvalidSecret { - render.Status(r, http.StatusUnauthorized) - render.JSON(w, r, ErrUnauthorized) - return - } - next.ServeHTTP(w, r) + return http.HandlerFunc(fn) } - return http.HandlerFunc(fn) } func hello(w http.ResponseWriter, r *http.Request) { diff --git a/mihomo/listener/sing_tun/server_android.go b/mihomo/listener/sing_tun/server_android.go index bd5c4bd071..d8240534ed 100644 --- a/mihomo/listener/sing_tun/server_android.go +++ b/mihomo/listener/sing_tun/server_android.go @@ -1,3 +1,5 @@ +//go:build android && !cmfa + package sing_tun import ( diff --git a/mihomo/listener/sing_tun/server_notandroid.go b/mihomo/listener/sing_tun/server_notandroid.go index 6b30ee03b2..10fd3997b4 100644 --- a/mihomo/listener/sing_tun/server_notandroid.go +++ b/mihomo/listener/sing_tun/server_notandroid.go @@ -1,4 +1,4 @@ -//go:build !android +//go:build !android || cmfa package sing_tun diff --git a/mihomo/main.go b/mihomo/main.go index 06a04ca17b..c7a7acbc3b 100644 --- a/mihomo/main.go +++ b/mihomo/main.go @@ -135,7 +135,7 @@ func main() { return case <-hupSign: if cfg, err := executor.ParseWithPath(C.Path.Config()); err == nil { - executor.ApplyConfig(cfg, true) + hub.ApplyConfig(cfg) } else { log.Errorln("Parse config error: %s", err.Error()) } diff --git a/openwrt-packages/UnblockNeteaseMusic/Makefile b/openwrt-packages/UnblockNeteaseMusic/Makefile index 5d3a8d925d..256576ed27 100644 --- a/openwrt-packages/UnblockNeteaseMusic/Makefile +++ b/openwrt-packages/UnblockNeteaseMusic/Makefile @@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=UnblockNeteaseMusic -PKG_VERSION:=0.27.7 +PKG_VERSION:=0.27.8 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/UnblockNeteaseMusic/server/tar.gz/v${PKG_VERSION}? -PKG_HASH:=858f0b4dd325aefe631789b23f28ad9d3b3ea0e471af82d3a9c3d7572c92e992 +PKG_HASH:=eae9bf5ad40e4d0fee9a5c9db6519e061ad13e0803d72dae4f08518f13a1e6e0 PKG_SOURCE_SUBDIR:=$(PKG_NAME) PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_SOURCE_SUBDIR) diff --git a/openwrt-packages/filebrowser/Makefile b/openwrt-packages/filebrowser/Makefile index 977a0f8f85..3fae062e5f 100644 --- a/openwrt-packages/filebrowser/Makefile +++ b/openwrt-packages/filebrowser/Makefile @@ -5,12 +5,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=filebrowser -PKG_VERSION:=2.31.0 +PKG_VERSION:=2.31.1 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/filebrowser/filebrowser/tar.gz/v${PKG_VERSION}? -PKG_HASH:=c88cca596317f1293a05c74a4d9b152f22b1fae9c43cb6c85eb77dc781e5710f +PKG_HASH:=fdc93a00b614ea365ff4cb980d36d167ed961b0a32fe219b612d92e0045e569f PKG_LICENSE:=Apache-2.0 PKG_LICENSE_FILES:=LICENSE diff --git a/openwrt-passwall/luci-app-passwall/luasrc/model/cbi/passwall/client/acl_config.lua b/openwrt-passwall/luci-app-passwall/luasrc/model/cbi/passwall/client/acl_config.lua index 6b10651fe1..59f62eb11b 100644 --- a/openwrt-passwall/luci-app-passwall/luasrc/model/cbi/passwall/client/acl_config.lua +++ b/openwrt-passwall/luci-app-passwall/luasrc/model/cbi/passwall/client/acl_config.lua @@ -369,16 +369,21 @@ if has_singbox or has_xray then end end -o = s:option(ListValue, "chinadns_ng_default_tag", translate("ChinaDNS-NG Domain Default Tag")) +o = s:option(ListValue, "chinadns_ng_default_tag", translate("Default DNS")) o.default = "none" -o:value("none", translate("Default")) o:value("gfw", translate("Remote DNS")) o:value("chn", translate("Direct DNS")) -o.description = "" o:depends({dns_shunt = "dnsmasq", tcp_proxy_mode = "proxy", chn_list = "direct"}) return m diff --git a/openwrt-passwall2/.github/workflows/Auto compile with openwrt sdk.yml b/openwrt-passwall2/.github/workflows/Auto compile with openwrt sdk.yml index 0a4678ad26..d8adfe3a07 100644 --- a/openwrt-passwall2/.github/workflows/Auto compile with openwrt sdk.yml +++ b/openwrt-passwall2/.github/workflows/Auto compile with openwrt sdk.yml @@ -162,7 +162,7 @@ jobs: run: | cd sdk echo "make package/luci-app-passwall2/{clean,compile} -j$(nproc)" - make package/luci-app-passwall2/{clean,compile} -j$(nproc) + make package/luci-app-passwall2/{clean,compile} -j1 mv bin/packages/x86_64/passwall2/ ../ rm .config .config.old cd ../passwall2 diff --git a/openwrt-passwall2/luci-app-passwall2/luasrc/model/cbi/passwall2/client/acl_config.lua b/openwrt-passwall2/luci-app-passwall2/luasrc/model/cbi/passwall2/client/acl_config.lua index 12ec9960b3..e6c9730c84 100644 --- a/openwrt-passwall2/luci-app-passwall2/luasrc/model/cbi/passwall2/client/acl_config.lua +++ b/openwrt-passwall2/luci-app-passwall2/luasrc/model/cbi/passwall2/client/acl_config.lua @@ -202,6 +202,17 @@ o:value("default", translate("Use global config") .. "(" .. UDP_REDIR_PORTS .. " o:value("1:65535", translate("All")) o.validate = port_validate +o = s:option(ListValue, "direct_dns_query_strategy", translate("Direct Query Strategy")) +o.default = "UseIP" +o:value("UseIP") +o:value("UseIPv4") +o:value("UseIPv6") +o:depends({ node = "default", ['!reverse'] = true }) + +o = s:option(Flag, "write_ipset_direct", translate("Direct DNS result write to IPSet"), translate("Perform the matching direct domain name rules into IP to IPSet/NFTSet, and then connect directly (not entering the core). Maybe conflict with some special circumstances.")) +o.default = "1" +o:depends({ node = "default", ['!reverse'] = true }) + o = s:option(ListValue, "remote_dns_protocol", translate("Remote DNS Protocol")) o:value("tcp", "TCP") o:value("doh", "DoH") @@ -291,8 +302,4 @@ for k, v in pairs(nodes_table) do end end -o = s:option(Flag, "write_ipset_direct", translate("Direct DNS result write to IPSet"), translate("Perform the matching direct domain name rules into IP to IPSet/NFTSet, and then connect directly (not entering the core). Maybe conflict with some special circumstances.")) -o.default = "1" -o:depends({ node = "default", ['!reverse'] = true }) - return m diff --git a/openwrt-passwall2/luci-app-passwall2/root/usr/share/passwall2/app.sh b/openwrt-passwall2/luci-app-passwall2/root/usr/share/passwall2/app.sh index 485d1518eb..fa2e73bf3f 100755 --- a/openwrt-passwall2/luci-app-passwall2/root/usr/share/passwall2/app.sh +++ b/openwrt-passwall2/luci-app-passwall2/root/usr/share/passwall2/app.sh @@ -337,7 +337,7 @@ run_xray() { [ -n "${direct_ipset}" ] && _extra_param="${_extra_param} -direct_ipset ${direct_ipset}" [ -n "${direct_nftset}" ] && _extra_param="${_extra_param} -direct_nftset ${direct_nftset}" } - _extra_param="${_extra_param} -direct_dns_udp_port ${DIRECT_DNS_UDP_PORT} -direct_dns_udp_server ${DIRECT_DNS_UDP_SERVER} -direct_dns_query_strategy UseIP" + _extra_param="${_extra_param} -direct_dns_udp_port ${DIRECT_DNS_UDP_PORT} -direct_dns_udp_server ${DIRECT_DNS_UDP_SERVER} -direct_dns_query_strategy ${direct_dns_query_strategy}" DNS_REMOTE_ARGS="" case "$remote_dns_protocol" in diff --git a/openwrt-passwall2/luci-app-passwall2/root/usr/share/passwall2/rule_update.lua b/openwrt-passwall2/luci-app-passwall2/root/usr/share/passwall2/rule_update.lua index 60e55fdc15..b51c2181ea 100755 --- a/openwrt-passwall2/luci-app-passwall2/root/usr/share/passwall2/rule_update.lua +++ b/openwrt-passwall2/luci-app-passwall2/root/usr/share/passwall2/rule_update.lua @@ -108,14 +108,14 @@ local function fetch_geosite() local json = jsonc.parse(content) if json.tag_name and json.assets then for _, v in ipairs(json.assets) do - if v.name and v.name == "geosite.dat.sha256sum" then + if v.name and (v.name == "geosite.dat.sha256sum" or v.name == "dlc.dat.sha256sum") then local sret = curl(v.browser_download_url, "/tmp/geosite.dat.sha256sum") if sret == 200 then local f = io.open("/tmp/geosite.dat.sha256sum", "r") local content = f:read() f:close() f = io.open("/tmp/geosite.dat.sha256sum", "w") - f:write(content:gsub("geosite.dat", "/tmp/geosite.dat"), "") + f:write(content:gsub("[^%s]+.dat", "/tmp/geosite.dat"), "") f:close() if nixio.fs.access(asset_location .. "geosite.dat") then @@ -126,7 +126,7 @@ local function fetch_geosite() end end for _2, v2 in ipairs(json.assets) do - if v2.name and v2.name == "geosite.dat" then + if v2.name and (v2.name == "geosite.dat" or v2.name == "dlc.dat") then sret = curl(v2.browser_download_url, "/tmp/geosite.dat") if luci.sys.call('sha256sum -c /tmp/geosite.dat.sha256sum > /dev/null 2>&1') == 0 then luci.sys.call(string.format("mkdir -p %s && cp -f %s %s", asset_location, "/tmp/geosite.dat", asset_location .. "geosite.dat")) diff --git a/ryujinx/Directory.Packages.props b/ryujinx/Directory.Packages.props index c310990720..8a9fdc3be5 100644 --- a/ryujinx/Directory.Packages.props +++ b/ryujinx/Directory.Packages.props @@ -42,11 +42,11 @@ - - + + - \ No newline at end of file + diff --git a/ryujinx/Ryujinx.sln b/ryujinx/Ryujinx.sln index b8304164d5..76ebd573f3 100644 --- a/ryujinx/Ryujinx.sln +++ b/ryujinx/Ryujinx.sln @@ -87,6 +87,8 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Ryujinx.Horizon", "src\Ryuj EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Ryujinx.Horizon.Kernel.Generators", "src\Ryujinx.Horizon.Kernel.Generators\Ryujinx.Horizon.Kernel.Generators.csproj", "{7F55A45D-4E1D-4A36-ADD3-87F29A285AA2}" EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Ryujinx.HLE.Generators", "src\Ryujinx.HLE.Generators\Ryujinx.HLE.Generators.csproj", "{B575BCDE-2FD8-4A5D-8756-31CDD7FE81F0}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU @@ -249,6 +251,10 @@ Global {7F55A45D-4E1D-4A36-ADD3-87F29A285AA2}.Debug|Any CPU.Build.0 = Debug|Any CPU {7F55A45D-4E1D-4A36-ADD3-87F29A285AA2}.Release|Any CPU.ActiveCfg = Release|Any CPU {7F55A45D-4E1D-4A36-ADD3-87F29A285AA2}.Release|Any CPU.Build.0 = Release|Any CPU + {B575BCDE-2FD8-4A5D-8756-31CDD7FE81F0}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {B575BCDE-2FD8-4A5D-8756-31CDD7FE81F0}.Debug|Any CPU.Build.0 = Debug|Any CPU + {B575BCDE-2FD8-4A5D-8756-31CDD7FE81F0}.Release|Any CPU.ActiveCfg = Release|Any CPU + {B575BCDE-2FD8-4A5D-8756-31CDD7FE81F0}.Release|Any CPU.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/ryujinx/src/Ryujinx.Graphics.Device/DeviceState.cs b/ryujinx/src/Ryujinx.Graphics.Device/DeviceState.cs index de8582a3b6..54178a4140 100644 --- a/ryujinx/src/Ryujinx.Graphics.Device/DeviceState.cs +++ b/ryujinx/src/Ryujinx.Graphics.Device/DeviceState.cs @@ -39,7 +39,10 @@ namespace Ryujinx.Graphics.Device { var field = fields[fieldIndex]; - int sizeOfField = SizeCalculator.SizeOf(field.FieldType); + var currentFieldOffset = (int)Marshal.OffsetOf(field.Name); + var nextFieldOffset = fieldIndex + 1 == fields.Length ? Unsafe.SizeOf() : (int)Marshal.OffsetOf(fields[fieldIndex + 1].Name); + + int sizeOfField = nextFieldOffset - currentFieldOffset; for (int i = 0; i < ((sizeOfField + 3) & ~3); i += 4) { diff --git a/ryujinx/src/Ryujinx.Graphics.Device/SizeCalculator.cs b/ryujinx/src/Ryujinx.Graphics.Device/SizeCalculator.cs deleted file mode 100644 index 54820ec36f..0000000000 --- a/ryujinx/src/Ryujinx.Graphics.Device/SizeCalculator.cs +++ /dev/null @@ -1,63 +0,0 @@ -using System; -using System.Reflection; - -namespace Ryujinx.Graphics.Device -{ - public static class SizeCalculator - { - public static int SizeOf(Type type) - { - // Is type a enum type? - if (type.IsEnum) - { - type = type.GetEnumUnderlyingType(); - } - - // Is type a pointer type? - if (type.IsPointer || type == typeof(IntPtr) || type == typeof(UIntPtr)) - { - return IntPtr.Size; - } - - // Is type a struct type? - if (type.IsValueType && !type.IsPrimitive) - { - // Check if the struct has a explicit size, if so, return that. - if (type.StructLayoutAttribute.Size != 0) - { - return type.StructLayoutAttribute.Size; - } - - // Otherwise we calculate the sum of the sizes of all fields. - int size = 0; - var fields = type.GetFields(BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.Instance); - - for (int fieldIndex = 0; fieldIndex < fields.Length; fieldIndex++) - { - size += SizeOf(fields[fieldIndex].FieldType); - } - - return size; - } - - // Primitive types. - return (Type.GetTypeCode(type)) switch - { - TypeCode.SByte => sizeof(sbyte), - TypeCode.Byte => sizeof(byte), - TypeCode.Int16 => sizeof(short), - TypeCode.UInt16 => sizeof(ushort), - TypeCode.Int32 => sizeof(int), - TypeCode.UInt32 => sizeof(uint), - TypeCode.Int64 => sizeof(long), - TypeCode.UInt64 => sizeof(ulong), - TypeCode.Char => sizeof(char), - TypeCode.Single => sizeof(float), - TypeCode.Double => sizeof(double), - TypeCode.Decimal => sizeof(decimal), - TypeCode.Boolean => sizeof(bool), - _ => throw new ArgumentException($"Length for type \"{type.Name}\" is unknown."), - }; - } - } -} diff --git a/ryujinx/src/Ryujinx.Graphics.Gpu/Engine/Threed/StateUpdateTracker.cs b/ryujinx/src/Ryujinx.Graphics.Gpu/Engine/Threed/StateUpdateTracker.cs index e54855a8ff..effcb7bbb7 100644 --- a/ryujinx/src/Ryujinx.Graphics.Gpu/Engine/Threed/StateUpdateTracker.cs +++ b/ryujinx/src/Ryujinx.Graphics.Gpu/Engine/Threed/StateUpdateTracker.cs @@ -79,7 +79,10 @@ namespace Ryujinx.Graphics.Gpu.Engine.Threed { var field = fields[fieldIndex]; - int sizeOfField = SizeCalculator.SizeOf(field.FieldType); + var currentFieldOffset = (int)Marshal.OffsetOf(field.Name); + var nextFieldOffset = fieldIndex + 1 == fields.Length ? Unsafe.SizeOf() : (int)Marshal.OffsetOf(fields[fieldIndex + 1].Name); + + int sizeOfField = nextFieldOffset - currentFieldOffset; if (fieldToDelegate.TryGetValue(field.Name, out int entryIndex)) { diff --git a/ryujinx/src/Ryujinx.Gtk3/Program.cs b/ryujinx/src/Ryujinx.Gtk3/Program.cs index 8bb6516409..745335ac95 100644 --- a/ryujinx/src/Ryujinx.Gtk3/Program.cs +++ b/ryujinx/src/Ryujinx.Gtk3/Program.cs @@ -13,7 +13,6 @@ using Ryujinx.UI.Common.Configuration; using Ryujinx.UI.Common.Helper; using Ryujinx.UI.Common.SystemInfo; using Ryujinx.UI.Widgets; -using SixLabors.ImageSharp.Formats.Jpeg; using System; using System.Collections.Generic; using System.Diagnostics; @@ -162,12 +161,6 @@ namespace Ryujinx }); }; - // Sets ImageSharp Jpeg Encoder Quality. - SixLabors.ImageSharp.Configuration.Default.ImageFormatsManager.SetEncoder(JpegFormat.Instance, new JpegEncoder() - { - Quality = 100, - }); - string localConfigurationPath = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, ReleaseInformation.ConfigName); string appDataConfigurationPath = Path.Combine(AppDataManager.BaseDirPath, ReleaseInformation.ConfigName); diff --git a/ryujinx/src/Ryujinx.Gtk3/Ryujinx.Gtk3.csproj b/ryujinx/src/Ryujinx.Gtk3/Ryujinx.Gtk3.csproj index b4453f9d79..722d6080be 100644 --- a/ryujinx/src/Ryujinx.Gtk3/Ryujinx.Gtk3.csproj +++ b/ryujinx/src/Ryujinx.Gtk3/Ryujinx.Gtk3.csproj @@ -30,7 +30,6 @@ - diff --git a/ryujinx/src/Ryujinx.Gtk3/UI/RendererWidgetBase.cs b/ryujinx/src/Ryujinx.Gtk3/UI/RendererWidgetBase.cs index 0e636792db..12139e87d9 100644 --- a/ryujinx/src/Ryujinx.Gtk3/UI/RendererWidgetBase.cs +++ b/ryujinx/src/Ryujinx.Gtk3/UI/RendererWidgetBase.cs @@ -13,16 +13,13 @@ using Ryujinx.Input.HLE; using Ryujinx.UI.Common.Configuration; using Ryujinx.UI.Common.Helper; using Ryujinx.UI.Widgets; -using SixLabors.ImageSharp; -using SixLabors.ImageSharp.Formats.Png; -using SixLabors.ImageSharp.PixelFormats; -using SixLabors.ImageSharp.Processing; +using SkiaSharp; using System; using System.Diagnostics; using System.IO; +using System.Runtime.InteropServices; using System.Threading; using System.Threading.Tasks; -using Image = SixLabors.ImageSharp.Image; using Key = Ryujinx.Input.Key; using ScalingFilter = Ryujinx.Graphics.GAL.ScalingFilter; using Switch = Ryujinx.HLE.Switch; @@ -404,23 +401,31 @@ namespace Ryujinx.UI return; } - Image image = e.IsBgra ? Image.LoadPixelData(e.Data, e.Width, e.Height) - : Image.LoadPixelData(e.Data, e.Width, e.Height); + var colorType = e.IsBgra ? SKColorType.Bgra8888 : SKColorType.Rgba8888; + using var image = new SKBitmap(new SKImageInfo(e.Width, e.Height, colorType, SKAlphaType.Premul)); - if (e.FlipX) + Marshal.Copy(e.Data, 0, image.GetPixels(), e.Data.Length); + using var surface = SKSurface.Create(image.Info); + var canvas = surface.Canvas; + + if (e.FlipX || e.FlipY) { - image.Mutate(x => x.Flip(FlipMode.Horizontal)); + canvas.Clear(SKColors.Transparent); + + float scaleX = e.FlipX ? -1 : 1; + float scaleY = e.FlipY ? -1 : 1; + + var matrix = SKMatrix.CreateScale(scaleX, scaleY, image.Width / 2f, image.Height / 2f); + + canvas.SetMatrix(matrix); } + canvas.DrawBitmap(image, new SKPoint()); - if (e.FlipY) - { - image.Mutate(x => x.Flip(FlipMode.Vertical)); - } - - image.SaveAsPng(path, new PngEncoder() - { - ColorType = PngColorType.Rgb, - }); + surface.Flush(); + using var snapshot = surface.Snapshot(); + using var encoded = snapshot.Encode(SKEncodedImageFormat.Png, 80); + using var file = File.OpenWrite(path); + encoded.SaveTo(file); image.Dispose(); diff --git a/ryujinx/src/Ryujinx.Gtk3/UI/Windows/AvatarWindow.cs b/ryujinx/src/Ryujinx.Gtk3/UI/Windows/AvatarWindow.cs index d9ecd47b76..fcd960df0a 100644 --- a/ryujinx/src/Ryujinx.Gtk3/UI/Windows/AvatarWindow.cs +++ b/ryujinx/src/Ryujinx.Gtk3/UI/Windows/AvatarWindow.cs @@ -9,16 +9,13 @@ using LibHac.Tools.FsSystem.NcaUtils; using Ryujinx.Common.Memory; using Ryujinx.HLE.FileSystem; using Ryujinx.UI.Common.Configuration; -using SixLabors.ImageSharp; -using SixLabors.ImageSharp.Formats.Png; -using SixLabors.ImageSharp.PixelFormats; -using SixLabors.ImageSharp.Processing; +using SkiaSharp; using System; using System.Buffers.Binary; using System.Collections.Generic; using System.IO; using System.Reflection; -using Image = SixLabors.ImageSharp.Image; +using System.Runtime.InteropServices; namespace Ryujinx.UI.Windows { @@ -144,9 +141,11 @@ namespace Ryujinx.UI.Windows stream.Position = 0; - Image avatarImage = Image.LoadPixelData(DecompressYaz0(stream), 256, 256); + using var avatarImage = new SKBitmap(new SKImageInfo(256, 256, SKColorType.Rgba8888)); + var data = DecompressYaz0(stream); + Marshal.Copy(data, 0, avatarImage.GetPixels(), data.Length); - avatarImage.SaveAsPng(streamPng); + avatarImage.Encode(streamPng, SKEncodedImageFormat.Png, 80); _avatarDict.Add(item.FullPath, streamPng.ToArray()); } @@ -170,15 +169,23 @@ namespace Ryujinx.UI.Windows { using MemoryStream streamJpg = MemoryStreamManager.Shared.GetStream(); - Image avatarImage = Image.Load(data, new PngDecoder()); + using var avatarImage = SKBitmap.Decode(data); + using var surface = SKSurface.Create(avatarImage.Info); - avatarImage.Mutate(x => x.BackgroundColor(new Rgba32( + var background = new SKColor( (byte)(_backgroundColor.Red * 255), (byte)(_backgroundColor.Green * 255), (byte)(_backgroundColor.Blue * 255), (byte)(_backgroundColor.Alpha * 255) - ))); - avatarImage.SaveAsJpeg(streamJpg); + ); + var canvas = surface.Canvas; + canvas.Clear(background); + canvas.DrawBitmap(avatarImage, new SKPoint()); + + surface.Flush(); + using var snapshot = surface.Snapshot(); + using var encoded = snapshot.Encode(SKEncodedImageFormat.Jpeg, 80); + encoded.SaveTo(streamJpg); return streamJpg.ToArray(); } diff --git a/ryujinx/src/Ryujinx.Gtk3/UI/Windows/UserProfilesManagerWindow.cs b/ryujinx/src/Ryujinx.Gtk3/UI/Windows/UserProfilesManagerWindow.cs index d1e5fa9fc1..77afc5d1f1 100644 --- a/ryujinx/src/Ryujinx.Gtk3/UI/Windows/UserProfilesManagerWindow.cs +++ b/ryujinx/src/Ryujinx.Gtk3/UI/Windows/UserProfilesManagerWindow.cs @@ -4,15 +4,13 @@ using Ryujinx.HLE.FileSystem; using Ryujinx.HLE.HOS.Services.Account.Acc; using Ryujinx.UI.Common.Configuration; using Ryujinx.UI.Widgets; -using SixLabors.ImageSharp; -using SixLabors.ImageSharp.Processing; +using SkiaSharp; using System; using System.Collections.Generic; using System.IO; using System.Reflection; using System.Threading; using System.Threading.Tasks; -using Image = SixLabors.ImageSharp.Image; namespace Ryujinx.UI.Windows { @@ -177,13 +175,13 @@ namespace Ryujinx.UI.Windows private void ProcessProfileImage(byte[] buffer) { - using Image image = Image.Load(buffer); + using var image = SKBitmap.Decode(buffer); - image.Mutate(x => x.Resize(256, 256)); + image.Resize(new SKImageInfo(256, 256), SKFilterQuality.High); using MemoryStream streamJpg = MemoryStreamManager.Shared.GetStream(); - image.SaveAsJpeg(streamJpg); + image.Encode(streamJpg, SKEncodedImageFormat.Jpeg, 80); _bufferImageProfile = streamJpg.ToArray(); } diff --git a/ryujinx/src/Ryujinx.HLE.Generators/CodeGenerator.cs b/ryujinx/src/Ryujinx.HLE.Generators/CodeGenerator.cs new file mode 100644 index 0000000000..7e4848ad39 --- /dev/null +++ b/ryujinx/src/Ryujinx.HLE.Generators/CodeGenerator.cs @@ -0,0 +1,63 @@ +using System.Text; + +namespace Ryujinx.HLE.Generators +{ + class CodeGenerator + { + private const int IndentLength = 4; + + private readonly StringBuilder _sb; + private int _currentIndentCount; + + public CodeGenerator() + { + _sb = new StringBuilder(); + } + + public void EnterScope(string header = null) + { + if (header != null) + { + AppendLine(header); + } + + AppendLine("{"); + IncreaseIndentation(); + } + + public void LeaveScope(string suffix = "") + { + DecreaseIndentation(); + AppendLine($"}}{suffix}"); + } + + public void IncreaseIndentation() + { + _currentIndentCount++; + } + + public void DecreaseIndentation() + { + if (_currentIndentCount - 1 >= 0) + { + _currentIndentCount--; + } + } + + public void AppendLine() + { + _sb.AppendLine(); + } + + public void AppendLine(string text) + { + _sb.Append(' ', IndentLength * _currentIndentCount); + _sb.AppendLine(text); + } + + public override string ToString() + { + return _sb.ToString(); + } + } +} diff --git a/ryujinx/src/Ryujinx.HLE.Generators/IpcServiceGenerator.cs b/ryujinx/src/Ryujinx.HLE.Generators/IpcServiceGenerator.cs new file mode 100644 index 0000000000..19fdbe1972 --- /dev/null +++ b/ryujinx/src/Ryujinx.HLE.Generators/IpcServiceGenerator.cs @@ -0,0 +1,76 @@ +using Microsoft.CodeAnalysis; +using Microsoft.CodeAnalysis.CSharp; +using Microsoft.CodeAnalysis.CSharp.Syntax; +using System.Linq; + +namespace Ryujinx.HLE.Generators +{ + [Generator] + public class IpcServiceGenerator : ISourceGenerator + { + public void Execute(GeneratorExecutionContext context) + { + var syntaxReceiver = (ServiceSyntaxReceiver)context.SyntaxReceiver; + CodeGenerator generator = new CodeGenerator(); + + generator.AppendLine("using System;"); + generator.EnterScope($"namespace Ryujinx.HLE.HOS.Services.Sm"); + generator.EnterScope($"partial class IUserInterface"); + + generator.EnterScope($"public IpcService? GetServiceInstance(Type type, ServiceCtx context, object? parameter = null)"); + foreach (var className in syntaxReceiver.Types) + { + if (className.Modifiers.Any(SyntaxKind.AbstractKeyword) || className.Modifiers.Any(SyntaxKind.PrivateKeyword) || !className.AttributeLists.Any(x => x.Attributes.Any(y => y.ToString().StartsWith("Service")))) + continue; + var name = GetFullName(className, context).Replace("global::", ""); + if (!name.StartsWith("Ryujinx.HLE.HOS.Services")) + continue; + var constructors = className.ChildNodes().Where(x => x.IsKind(SyntaxKind.ConstructorDeclaration)).Select(y => y as ConstructorDeclarationSyntax); + + if (!constructors.Any(x => x.ParameterList.Parameters.Count >= 1)) + continue; + + if (constructors.Where(x => x.ParameterList.Parameters.Count >= 1).FirstOrDefault().ParameterList.Parameters[0].Type.ToString() == "ServiceCtx") + { + generator.EnterScope($"if (type == typeof({GetFullName(className, context)}))"); + if (constructors.Any(x => x.ParameterList.Parameters.Count == 2)) + { + var type = constructors.Where(x => x.ParameterList.Parameters.Count == 2).FirstOrDefault().ParameterList.Parameters[1].Type; + var model = context.Compilation.GetSemanticModel(type.SyntaxTree); + var typeSymbol = model.GetSymbolInfo(type).Symbol as INamedTypeSymbol; + var fullName = typeSymbol.ToString(); + generator.EnterScope("if (parameter != null)"); + generator.AppendLine($"return new {GetFullName(className, context)}(context, ({fullName})parameter);"); + generator.LeaveScope(); + } + + if (constructors.Any(x => x.ParameterList.Parameters.Count == 1)) + { + generator.AppendLine($"return new {GetFullName(className, context)}(context);"); + } + + generator.LeaveScope(); + } + } + + generator.AppendLine("return null;"); + generator.LeaveScope(); + + generator.LeaveScope(); + generator.LeaveScope(); + context.AddSource($"IUserInterface.g.cs", generator.ToString()); + } + + private string GetFullName(ClassDeclarationSyntax syntaxNode, GeneratorExecutionContext context) + { + var typeSymbol = context.Compilation.GetSemanticModel(syntaxNode.SyntaxTree).GetDeclaredSymbol(syntaxNode); + + return typeSymbol.ToDisplayString(SymbolDisplayFormat.FullyQualifiedFormat); + } + + public void Initialize(GeneratorInitializationContext context) + { + context.RegisterForSyntaxNotifications(() => new ServiceSyntaxReceiver()); + } + } +} diff --git a/ryujinx/src/Ryujinx.HLE.Generators/Ryujinx.HLE.Generators.csproj b/ryujinx/src/Ryujinx.HLE.Generators/Ryujinx.HLE.Generators.csproj new file mode 100644 index 0000000000..eeab9c0e97 --- /dev/null +++ b/ryujinx/src/Ryujinx.HLE.Generators/Ryujinx.HLE.Generators.csproj @@ -0,0 +1,19 @@ + + + + netstandard2.0 + true + true + Generated + true + + + + + all + runtime; build; native; contentfiles; analyzers; buildtransitive + + + + + diff --git a/ryujinx/src/Ryujinx.HLE.Generators/ServiceSyntaxReceiver.cs b/ryujinx/src/Ryujinx.HLE.Generators/ServiceSyntaxReceiver.cs new file mode 100644 index 0000000000..e4269cb9a4 --- /dev/null +++ b/ryujinx/src/Ryujinx.HLE.Generators/ServiceSyntaxReceiver.cs @@ -0,0 +1,24 @@ +using Microsoft.CodeAnalysis; +using Microsoft.CodeAnalysis.CSharp.Syntax; +using System.Collections.Generic; + +namespace Ryujinx.HLE.Generators +{ + internal class ServiceSyntaxReceiver : ISyntaxReceiver + { + public HashSet Types = new HashSet(); + + public void OnVisitSyntaxNode(SyntaxNode syntaxNode) + { + if (syntaxNode is ClassDeclarationSyntax classDeclaration) + { + if (classDeclaration.BaseList == null) + { + return; + } + + Types.Add(classDeclaration); + } + } + } +} diff --git a/ryujinx/src/Ryujinx.HLE/HOS/Applets/AppletManager.cs b/ryujinx/src/Ryujinx.HLE/HOS/Applets/AppletManager.cs index 30300f1b63..3c34d5c789 100644 --- a/ryujinx/src/Ryujinx.HLE/HOS/Applets/AppletManager.cs +++ b/ryujinx/src/Ryujinx.HLE/HOS/Applets/AppletManager.cs @@ -8,27 +8,24 @@ namespace Ryujinx.HLE.HOS.Applets { static class AppletManager { - private static readonly Dictionary _appletMapping; - - static AppletManager() - { - _appletMapping = new Dictionary - { - { AppletId.Error, typeof(ErrorApplet) }, - { AppletId.PlayerSelect, typeof(PlayerSelectApplet) }, - { AppletId.Controller, typeof(ControllerApplet) }, - { AppletId.SoftwareKeyboard, typeof(SoftwareKeyboardApplet) }, - { AppletId.LibAppletWeb, typeof(BrowserApplet) }, - { AppletId.LibAppletShop, typeof(BrowserApplet) }, - { AppletId.LibAppletOff, typeof(BrowserApplet) }, - }; - } - public static IApplet Create(AppletId applet, Horizon system) { - if (_appletMapping.TryGetValue(applet, out Type appletClass)) + switch (applet) { - return (IApplet)Activator.CreateInstance(appletClass, system); + case AppletId.Controller: + return new ControllerApplet(system); + case AppletId.Error: + return new ErrorApplet(system); + case AppletId.PlayerSelect: + return new PlayerSelectApplet(system); + case AppletId.SoftwareKeyboard: + return new SoftwareKeyboardApplet(system); + case AppletId.LibAppletWeb: + return new BrowserApplet(system); + case AppletId.LibAppletShop: + return new BrowserApplet(system); + case AppletId.LibAppletOff: + return new BrowserApplet(system); } throw new NotImplementedException($"{applet} applet is not implemented."); diff --git a/ryujinx/src/Ryujinx.HLE/HOS/Applets/SoftwareKeyboard/SoftwareKeyboardRenderer.cs b/ryujinx/src/Ryujinx.HLE/HOS/Applets/SoftwareKeyboard/SoftwareKeyboardRenderer.cs index 3f7516e6a7..239535ad5f 100644 --- a/ryujinx/src/Ryujinx.HLE/HOS/Applets/SoftwareKeyboard/SoftwareKeyboardRenderer.cs +++ b/ryujinx/src/Ryujinx.HLE/HOS/Applets/SoftwareKeyboard/SoftwareKeyboardRenderer.cs @@ -112,11 +112,16 @@ namespace Ryujinx.HLE.HOS.Applets.SoftwareKeyboard { // Update the parameters that were provided. _state.InputText = inputText ?? _state.InputText; - _state.CursorBegin = cursorBegin.GetValueOrDefault(_state.CursorBegin); - _state.CursorEnd = cursorEnd.GetValueOrDefault(_state.CursorEnd); + _state.CursorBegin = Math.Max(0, cursorBegin.GetValueOrDefault(_state.CursorBegin)); + _state.CursorEnd = Math.Min(cursorEnd.GetValueOrDefault(_state.CursorEnd), _state.InputText.Length); _state.OverwriteMode = overwriteMode.GetValueOrDefault(_state.OverwriteMode); _state.TypingEnabled = typingEnabled.GetValueOrDefault(_state.TypingEnabled); + var begin = _state.CursorBegin; + var end = _state.CursorEnd; + _state.CursorBegin = Math.Min(begin, end); + _state.CursorEnd = Math.Max(begin, end); + // Reset the cursor blink. _state.TextBoxBlinkCounter = 0; diff --git a/ryujinx/src/Ryujinx.HLE/HOS/Applets/SoftwareKeyboard/SoftwareKeyboardRendererBase.cs b/ryujinx/src/Ryujinx.HLE/HOS/Applets/SoftwareKeyboard/SoftwareKeyboardRendererBase.cs index 9e48568e13..cc62eca1df 100644 --- a/ryujinx/src/Ryujinx.HLE/HOS/Applets/SoftwareKeyboard/SoftwareKeyboardRendererBase.cs +++ b/ryujinx/src/Ryujinx.HLE/HOS/Applets/SoftwareKeyboard/SoftwareKeyboardRendererBase.cs @@ -1,14 +1,9 @@ using Ryujinx.HLE.UI; using Ryujinx.Memory; -using SixLabors.Fonts; -using SixLabors.ImageSharp; -using SixLabors.ImageSharp.Drawing.Processing; -using SixLabors.ImageSharp.PixelFormats; -using SixLabors.ImageSharp.Processing; +using SkiaSharp; using System; using System.Diagnostics; using System.IO; -using System.Numerics; using System.Reflection; using System.Runtime.InteropServices; @@ -29,38 +24,39 @@ namespace Ryujinx.HLE.HOS.Applets.SoftwareKeyboard private readonly object _bufferLock = new(); private RenderingSurfaceInfo _surfaceInfo = null; - private Image _surface = null; + private SKImageInfo _imageInfo; + private SKSurface _surface = null; private byte[] _bufferData = null; - private readonly Image _ryujinxLogo = null; - private readonly Image _padAcceptIcon = null; - private readonly Image _padCancelIcon = null; - private readonly Image _keyModeIcon = null; + private readonly SKBitmap _ryujinxLogo = null; + private readonly SKBitmap _padAcceptIcon = null; + private readonly SKBitmap _padCancelIcon = null; + private readonly SKBitmap _keyModeIcon = null; private readonly float _textBoxOutlineWidth; private readonly float _padPressedPenWidth; - private readonly Color _textNormalColor; - private readonly Color _textSelectedColor; - private readonly Color _textOverCursorColor; + private readonly SKColor _textNormalColor; + private readonly SKColor _textSelectedColor; + private readonly SKColor _textOverCursorColor; - private readonly Brush _panelBrush; - private readonly Brush _disabledBrush; - private readonly Brush _cursorBrush; - private readonly Brush _selectionBoxBrush; + private readonly SKPaint _panelBrush; + private readonly SKPaint _disabledBrush; + private readonly SKPaint _cursorBrush; + private readonly SKPaint _selectionBoxBrush; - private readonly Pen _textBoxOutlinePen; - private readonly Pen _cursorPen; - private readonly Pen _selectionBoxPen; - private readonly Pen _padPressedPen; + private readonly SKPaint _textBoxOutlinePen; + private readonly SKPaint _cursorPen; + private readonly SKPaint _selectionBoxPen; + private readonly SKPaint _padPressedPen; private readonly int _inputTextFontSize; - private Font _messageFont; - private Font _inputTextFont; - private Font _labelsTextFont; + private SKFont _messageFont; + private SKFont _inputTextFont; + private SKFont _labelsTextFont; - private RectangleF _panelRectangle; - private Point _logoPosition; + private SKRect _panelRectangle; + private SKPoint _logoPosition; private float _messagePositionY; public SoftwareKeyboardRendererBase(IHostUITheme uiTheme) @@ -78,10 +74,10 @@ namespace Ryujinx.HLE.HOS.Applets.SoftwareKeyboard _padCancelIcon = LoadResource(typeof(SoftwareKeyboardRendererBase).Assembly, padCancelIconPath, 0, 0); _keyModeIcon = LoadResource(typeof(SoftwareKeyboardRendererBase).Assembly, keyModeIconPath, 0, 0); - Color panelColor = ToColor(uiTheme.DefaultBackgroundColor, 255); - Color panelTransparentColor = ToColor(uiTheme.DefaultBackgroundColor, 150); - Color borderColor = ToColor(uiTheme.DefaultBorderColor); - Color selectionBackgroundColor = ToColor(uiTheme.SelectionBackgroundColor); + var panelColor = ToColor(uiTheme.DefaultBackgroundColor, 255); + var panelTransparentColor = ToColor(uiTheme.DefaultBackgroundColor, 150); + var borderColor = ToColor(uiTheme.DefaultBorderColor); + var selectionBackgroundColor = ToColor(uiTheme.SelectionBackgroundColor); _textNormalColor = ToColor(uiTheme.DefaultForegroundColor); _textSelectedColor = ToColor(uiTheme.SelectionForegroundColor); @@ -92,15 +88,29 @@ namespace Ryujinx.HLE.HOS.Applets.SoftwareKeyboard _textBoxOutlineWidth = 2; _padPressedPenWidth = 2; - _panelBrush = new SolidBrush(panelColor); - _disabledBrush = new SolidBrush(panelTransparentColor); - _cursorBrush = new SolidBrush(_textNormalColor); - _selectionBoxBrush = new SolidBrush(selectionBackgroundColor); + _panelBrush = new SKPaint() + { + Color = panelColor, + IsAntialias = true + }; + _disabledBrush = new SKPaint() + { + Color = panelTransparentColor, + IsAntialias = true + }; + _cursorBrush = new SKPaint() { Color = _textNormalColor, IsAntialias = true }; + _selectionBoxBrush = new SKPaint() { Color = selectionBackgroundColor, IsAntialias = true }; - _textBoxOutlinePen = Pens.Solid(borderColor, _textBoxOutlineWidth); - _cursorPen = Pens.Solid(_textNormalColor, cursorWidth); - _selectionBoxPen = Pens.Solid(selectionBackgroundColor, cursorWidth); - _padPressedPen = Pens.Solid(borderColor, _padPressedPenWidth); + _textBoxOutlinePen = new SKPaint() + { + Color = borderColor, + StrokeWidth = _textBoxOutlineWidth, + IsStroke = true, + IsAntialias = true + }; + _cursorPen = new SKPaint() { Color = _textNormalColor, StrokeWidth = cursorWidth, IsStroke = true, IsAntialias = true }; + _selectionBoxPen = new SKPaint() { Color = selectionBackgroundColor, StrokeWidth = cursorWidth, IsStroke = true, IsAntialias = true }; + _padPressedPen = new SKPaint() { Color = borderColor, StrokeWidth = _padPressedPenWidth, IsStroke = true, IsAntialias = true }; _inputTextFontSize = 20; @@ -123,9 +133,10 @@ namespace Ryujinx.HLE.HOS.Applets.SoftwareKeyboard { try { - _messageFont = SystemFonts.CreateFont(fontFamily, 26, FontStyle.Regular); - _inputTextFont = SystemFonts.CreateFont(fontFamily, _inputTextFontSize, FontStyle.Regular); - _labelsTextFont = SystemFonts.CreateFont(fontFamily, 24, FontStyle.Regular); + using var typeface = SKTypeface.FromFamilyName(fontFamily, SKFontStyle.Normal); + _messageFont = new SKFont(typeface, 26); + _inputTextFont = new SKFont(typeface, _inputTextFontSize); + _labelsTextFont = new SKFont(typeface, 24); return; } @@ -137,7 +148,7 @@ namespace Ryujinx.HLE.HOS.Applets.SoftwareKeyboard throw new Exception($"None of these fonts were found in the system: {String.Join(", ", availableFonts)}!"); } - private static Color ToColor(ThemeColor color, byte? overrideAlpha = null, bool flipRgb = false) + private static SKColor ToColor(ThemeColor color, byte? overrideAlpha = null, bool flipRgb = false) { var a = (byte)(color.A * 255); var r = (byte)(color.R * 255); @@ -151,34 +162,33 @@ namespace Ryujinx.HLE.HOS.Applets.SoftwareKeyboard b = (byte)(255 - b); } - return Color.FromRgba(r, g, b, overrideAlpha.GetValueOrDefault(a)); + return new SKColor(r, g, b, overrideAlpha.GetValueOrDefault(a)); } - private static Image LoadResource(Assembly assembly, string resourcePath, int newWidth, int newHeight) + private static SKBitmap LoadResource(Assembly assembly, string resourcePath, int newWidth, int newHeight) { Stream resourceStream = assembly.GetManifestResourceStream(resourcePath); return LoadResource(resourceStream, newWidth, newHeight); } - private static Image LoadResource(Stream resourceStream, int newWidth, int newHeight) + private static SKBitmap LoadResource(Stream resourceStream, int newWidth, int newHeight) { Debug.Assert(resourceStream != null); - var image = Image.Load(resourceStream); + var bitmap = SKBitmap.Decode(resourceStream); if (newHeight != 0 && newWidth != 0) { - image.Mutate(x => x.Resize(newWidth, newHeight, KnownResamplers.Lanczos3)); + var resized = bitmap.Resize(new SKImageInfo(newWidth, newHeight), SKFilterQuality.High); + if (resized != null) + { + bitmap.Dispose(); + bitmap = resized; + } } - return image; - } - - private static void SetGraphicsOptions(IImageProcessingContext context) - { - context.GetGraphicsOptions().Antialias = true; - context.GetDrawingOptions().GraphicsOptions.Antialias = true; + return bitmap; } private void DrawImmutableElements() @@ -187,22 +197,18 @@ namespace Ryujinx.HLE.HOS.Applets.SoftwareKeyboard { return; } + var canvas = _surface.Canvas; - _surface.Mutate(context => - { - SetGraphicsOptions(context); + canvas.Clear(SKColors.Transparent); + canvas.DrawRect(_panelRectangle, _panelBrush); + canvas.DrawBitmap(_ryujinxLogo, _logoPosition); - context.Clear(Color.Transparent); - context.Fill(_panelBrush, _panelRectangle); - context.DrawImage(_ryujinxLogo, _logoPosition, 1); + float halfWidth = _panelRectangle.Width / 2; + float buttonsY = _panelRectangle.Top + 185; - float halfWidth = _panelRectangle.Width / 2; - float buttonsY = _panelRectangle.Y + 185; + SKPoint disableButtonPosition = new(halfWidth + 180, buttonsY); - PointF disableButtonPosition = new(halfWidth + 180, buttonsY); - - DrawControllerToggle(context, disableButtonPosition); - }); + DrawControllerToggle(canvas, disableButtonPosition); } public void DrawMutableElements(SoftwareKeyboardUIState state) @@ -212,40 +218,43 @@ namespace Ryujinx.HLE.HOS.Applets.SoftwareKeyboard return; } - _surface.Mutate(context => + using var paint = new SKPaint(_messageFont) { - var messageRectangle = MeasureString(MessageText, _messageFont); - float messagePositionX = (_panelRectangle.Width - messageRectangle.Width) / 2 - messageRectangle.X; - float messagePositionY = _messagePositionY - messageRectangle.Y; - var messagePosition = new PointF(messagePositionX, messagePositionY); - var messageBoundRectangle = new RectangleF(messagePositionX, messagePositionY, messageRectangle.Width, messageRectangle.Height); + Color = _textNormalColor, + IsAntialias = true + }; - SetGraphicsOptions(context); + var canvas = _surface.Canvas; + var messageRectangle = MeasureString(MessageText, paint); + float messagePositionX = (_panelRectangle.Width - messageRectangle.Width) / 2 - messageRectangle.Left; + float messagePositionY = _messagePositionY - messageRectangle.Top; + var messagePosition = new SKPoint(messagePositionX, messagePositionY); + var messageBoundRectangle = SKRect.Create(messagePositionX, messagePositionY, messageRectangle.Width, messageRectangle.Height); - context.Fill(_panelBrush, messageBoundRectangle); + canvas.DrawRect(messageBoundRectangle, _panelBrush); - context.DrawText(MessageText, _messageFont, _textNormalColor, messagePosition); + canvas.DrawText(MessageText, messagePosition.X, messagePosition.Y + _messageFont.Metrics.XHeight + _messageFont.Metrics.Descent, paint); - if (!state.TypingEnabled) - { - // Just draw a semi-transparent rectangle on top to fade the component with the background. - // TODO (caian): This will not work if one decides to add make background semi-transparent as well. + if (!state.TypingEnabled) + { + // Just draw a semi-transparent rectangle on top to fade the component with the background. + // TODO (caian): This will not work if one decides to add make background semi-transparent as well. - context.Fill(_disabledBrush, messageBoundRectangle); - } + canvas.DrawRect(messageBoundRectangle, _disabledBrush); + } - DrawTextBox(context, state); + DrawTextBox(canvas, state); - float halfWidth = _panelRectangle.Width / 2; - float buttonsY = _panelRectangle.Y + 185; + float halfWidth = _panelRectangle.Width / 2; + float buttonsY = _panelRectangle.Top + 185; - PointF acceptButtonPosition = new(halfWidth - 180, buttonsY); - PointF cancelButtonPosition = new(halfWidth, buttonsY); - PointF disableButtonPosition = new(halfWidth + 180, buttonsY); + SKPoint acceptButtonPosition = new(halfWidth - 180, buttonsY); + SKPoint cancelButtonPosition = new(halfWidth, buttonsY); + SKPoint disableButtonPosition = new(halfWidth + 180, buttonsY); + + DrawPadButton(canvas, acceptButtonPosition, _padAcceptIcon, AcceptText, state.AcceptPressed, state.ControllerEnabled); + DrawPadButton(canvas, cancelButtonPosition, _padCancelIcon, CancelText, state.CancelPressed, state.ControllerEnabled); - DrawPadButton(context, acceptButtonPosition, _padAcceptIcon, AcceptText, state.AcceptPressed, state.ControllerEnabled); - DrawPadButton(context, cancelButtonPosition, _padCancelIcon, CancelText, state.CancelPressed, state.ControllerEnabled); - }); } public void CreateSurface(RenderingSurfaceInfo surfaceInfo) @@ -268,7 +277,8 @@ namespace Ryujinx.HLE.HOS.Applets.SoftwareKeyboard Debug.Assert(_surfaceInfo.Height <= totalHeight); Debug.Assert(_surfaceInfo.Pitch * _surfaceInfo.Height <= _surfaceInfo.Size); - _surface = new Image((int)totalWidth, (int)totalHeight); + _imageInfo = new SKImageInfo((int)totalWidth, (int)totalHeight, SKColorType.Rgba8888); + _surface = SKSurface.Create(_imageInfo); ComputeConstants(); DrawImmutableElements(); @@ -282,76 +292,81 @@ namespace Ryujinx.HLE.HOS.Applets.SoftwareKeyboard int panelHeight = 240; int panelPositionY = totalHeight - panelHeight; - _panelRectangle = new RectangleF(0, panelPositionY, totalWidth, panelHeight); + _panelRectangle = SKRect.Create(0, panelPositionY, totalWidth, panelHeight); _messagePositionY = panelPositionY + 60; int logoPositionX = (totalWidth - _ryujinxLogo.Width) / 2; int logoPositionY = panelPositionY + 18; - _logoPosition = new Point(logoPositionX, logoPositionY); + _logoPosition = new SKPoint(logoPositionX, logoPositionY); } - private static RectangleF MeasureString(string text, Font font) + private static SKRect MeasureString(string text, SKPaint paint) { - TextOptions options = new(font); + SKRect bounds = SKRect.Empty; if (text == "") { - FontRectangle emptyRectangle = TextMeasurer.MeasureSize(" ", options); - - return new RectangleF(0, emptyRectangle.Y, 0, emptyRectangle.Height); + paint.MeasureText(" ", ref bounds); + } + else + { + paint.MeasureText(text, ref bounds); } - FontRectangle rectangle = TextMeasurer.MeasureSize(text, options); - - return new RectangleF(rectangle.X, rectangle.Y, rectangle.Width, rectangle.Height); + return bounds; } - private static RectangleF MeasureString(ReadOnlySpan text, Font font) + private static SKRect MeasureString(ReadOnlySpan text, SKPaint paint) { - TextOptions options = new(font); + SKRect bounds = SKRect.Empty; if (text == "") { - FontRectangle emptyRectangle = TextMeasurer.MeasureSize(" ", options); - return new RectangleF(0, emptyRectangle.Y, 0, emptyRectangle.Height); + paint.MeasureText(" ", ref bounds); + } + else + { + paint.MeasureText(text, ref bounds); } - FontRectangle rectangle = TextMeasurer.MeasureSize(text, options); - - return new RectangleF(rectangle.X, rectangle.Y, rectangle.Width, rectangle.Height); + return bounds; } - private void DrawTextBox(IImageProcessingContext context, SoftwareKeyboardUIState state) + private void DrawTextBox(SKCanvas canvas, SoftwareKeyboardUIState state) { - var inputTextRectangle = MeasureString(state.InputText, _inputTextFont); + using var textPaint = new SKPaint(_labelsTextFont) + { + IsAntialias = true, + Color = _textNormalColor + }; + var inputTextRectangle = MeasureString(state.InputText, textPaint); - float boxWidth = (int)(Math.Max(300, inputTextRectangle.Width + inputTextRectangle.X + 8)); + float boxWidth = (int)(Math.Max(300, inputTextRectangle.Width + inputTextRectangle.Left + 8)); float boxHeight = 32; - float boxY = _panelRectangle.Y + 110; + float boxY = _panelRectangle.Top + 110; float boxX = (int)((_panelRectangle.Width - boxWidth) / 2); - RectangleF boxRectangle = new(boxX, boxY, boxWidth, boxHeight); + SKRect boxRectangle = SKRect.Create(boxX, boxY, boxWidth, boxHeight); - RectangleF boundRectangle = new(_panelRectangle.X, boxY - _textBoxOutlineWidth, + SKRect boundRectangle = SKRect.Create(_panelRectangle.Left, boxY - _textBoxOutlineWidth, _panelRectangle.Width, boxHeight + 2 * _textBoxOutlineWidth); - context.Fill(_panelBrush, boundRectangle); + canvas.DrawRect(boundRectangle, _panelBrush); - context.Draw(_textBoxOutlinePen, boxRectangle); + canvas.DrawRect(boxRectangle, _textBoxOutlinePen); - float inputTextX = (_panelRectangle.Width - inputTextRectangle.Width) / 2 - inputTextRectangle.X; + float inputTextX = (_panelRectangle.Width - inputTextRectangle.Width) / 2 - inputTextRectangle.Left; float inputTextY = boxY + 5; - var inputTextPosition = new PointF(inputTextX, inputTextY); - - context.DrawText(state.InputText, _inputTextFont, _textNormalColor, inputTextPosition); + var inputTextPosition = new SKPoint(inputTextX, inputTextY); + canvas.DrawText(state.InputText, inputTextPosition.X, inputTextPosition.Y + (_labelsTextFont.Metrics.XHeight + _labelsTextFont.Metrics.Descent), textPaint); // Draw the cursor on top of the text and redraw the text with a different color if necessary. - Color cursorTextColor; - Brush cursorBrush; - Pen cursorPen; + SKColor cursorTextColor; + SKPaint cursorBrush; + SKPaint cursorPen; float cursorPositionYTop = inputTextY + 1; float cursorPositionYBottom = cursorPositionYTop + _inputTextFontSize + 1; @@ -371,12 +386,12 @@ namespace Ryujinx.HLE.HOS.Applets.SoftwareKeyboard ReadOnlySpan textUntilBegin = state.InputText.AsSpan(0, state.CursorBegin); ReadOnlySpan textUntilEnd = state.InputText.AsSpan(0, state.CursorEnd); - var selectionBeginRectangle = MeasureString(textUntilBegin, _inputTextFont); - var selectionEndRectangle = MeasureString(textUntilEnd, _inputTextFont); + var selectionBeginRectangle = MeasureString(textUntilBegin, textPaint); + var selectionEndRectangle = MeasureString(textUntilEnd, textPaint); cursorVisible = true; - cursorPositionXLeft = inputTextX + selectionBeginRectangle.Width + selectionBeginRectangle.X; - cursorPositionXRight = inputTextX + selectionEndRectangle.Width + selectionEndRectangle.X; + cursorPositionXLeft = inputTextX + selectionBeginRectangle.Width + selectionBeginRectangle.Left; + cursorPositionXRight = inputTextX + selectionEndRectangle.Width + selectionEndRectangle.Left; } else { @@ -390,10 +405,10 @@ namespace Ryujinx.HLE.HOS.Applets.SoftwareKeyboard int cursorBegin = Math.Min(state.InputText.Length, state.CursorBegin); ReadOnlySpan textUntilCursor = state.InputText.AsSpan(0, cursorBegin); - var cursorTextRectangle = MeasureString(textUntilCursor, _inputTextFont); + var cursorTextRectangle = MeasureString(textUntilCursor, textPaint); cursorVisible = true; - cursorPositionXLeft = inputTextX + cursorTextRectangle.Width + cursorTextRectangle.X; + cursorPositionXLeft = inputTextX + cursorTextRectangle.Width + cursorTextRectangle.Left; if (state.OverwriteMode) { @@ -402,8 +417,8 @@ namespace Ryujinx.HLE.HOS.Applets.SoftwareKeyboard if (state.CursorBegin < state.InputText.Length) { textUntilCursor = state.InputText.AsSpan(0, cursorBegin + 1); - cursorTextRectangle = MeasureString(textUntilCursor, _inputTextFont); - cursorPositionXRight = inputTextX + cursorTextRectangle.Width + cursorTextRectangle.X; + cursorTextRectangle = MeasureString(textUntilCursor, textPaint); + cursorPositionXRight = inputTextX + cursorTextRectangle.Width + cursorTextRectangle.Left; } else { @@ -430,29 +445,32 @@ namespace Ryujinx.HLE.HOS.Applets.SoftwareKeyboard if (cursorWidth == 0) { - PointF[] points = { - new PointF(cursorPositionXLeft, cursorPositionYTop), - new PointF(cursorPositionXLeft, cursorPositionYBottom), - }; - - context.DrawLine(cursorPen, points); + canvas.DrawLine(new SKPoint(cursorPositionXLeft, cursorPositionYTop), + new SKPoint(cursorPositionXLeft, cursorPositionYBottom), + cursorPen); } else { - var cursorRectangle = new RectangleF(cursorPositionXLeft, cursorPositionYTop, cursorWidth, cursorHeight); + var cursorRectangle = SKRect.Create(cursorPositionXLeft, cursorPositionYTop, cursorWidth, cursorHeight); - context.Draw(cursorPen, cursorRectangle); - context.Fill(cursorBrush, cursorRectangle); + canvas.DrawRect(cursorRectangle, cursorPen); + canvas.DrawRect(cursorRectangle, cursorBrush); - Image textOverCursor = new((int)cursorRectangle.Width, (int)cursorRectangle.Height); - textOverCursor.Mutate(context => + using var textOverCursor = SKSurface.Create(new SKImageInfo((int)cursorRectangle.Width, (int)cursorRectangle.Height, SKColorType.Rgba8888)); + var textOverCanvas = textOverCursor.Canvas; + var textRelativePosition = new SKPoint(inputTextPosition.X - cursorRectangle.Left, inputTextPosition.Y - cursorRectangle.Top); + + using var cursorPaint = new SKPaint(_inputTextFont) { - var textRelativePosition = new PointF(inputTextPosition.X - cursorRectangle.X, inputTextPosition.Y - cursorRectangle.Y); - context.DrawText(state.InputText, _inputTextFont, cursorTextColor, textRelativePosition); - }); + Color = cursorTextColor, + IsAntialias = true + }; - var cursorPosition = new Point((int)cursorRectangle.X, (int)cursorRectangle.Y); - context.DrawImage(textOverCursor, cursorPosition, 1); + textOverCanvas.DrawText(state.InputText, textRelativePosition.X, textRelativePosition.Y + _inputTextFont.Metrics.XHeight + _inputTextFont.Metrics.Descent, cursorPaint); + + var cursorPosition = new SKPoint((int)cursorRectangle.Left, (int)cursorRectangle.Top); + textOverCursor.Flush(); + canvas.DrawSurface(textOverCursor, cursorPosition); } } else if (!state.TypingEnabled) @@ -460,11 +478,11 @@ namespace Ryujinx.HLE.HOS.Applets.SoftwareKeyboard // Just draw a semi-transparent rectangle on top to fade the component with the background. // TODO (caian): This will not work if one decides to add make background semi-transparent as well. - context.Fill(_disabledBrush, boundRectangle); + canvas.DrawRect(boundRectangle, _disabledBrush); } } - private void DrawPadButton(IImageProcessingContext context, PointF point, Image icon, string label, bool pressed, bool enabled) + private void DrawPadButton(SKCanvas canvas, SKPoint point, SKBitmap icon, string label, bool pressed, bool enabled) { // Use relative positions so we can center the entire drawing later. @@ -473,12 +491,18 @@ namespace Ryujinx.HLE.HOS.Applets.SoftwareKeyboard float iconWidth = icon.Width; float iconHeight = icon.Height; - var labelRectangle = MeasureString(label, _labelsTextFont); + using var paint = new SKPaint(_labelsTextFont) + { + Color = _textNormalColor, + IsAntialias = true + }; - float labelPositionX = iconWidth + 8 - labelRectangle.X; + var labelRectangle = MeasureString(label, paint); + + float labelPositionX = iconWidth + 8 - labelRectangle.Left; float labelPositionY = 3; - float fullWidth = labelPositionX + labelRectangle.Width + labelRectangle.X; + float fullWidth = labelPositionX + labelRectangle.Width + labelRectangle.Left; float fullHeight = iconHeight; // Convert all relative positions into absolute. @@ -489,24 +513,24 @@ namespace Ryujinx.HLE.HOS.Applets.SoftwareKeyboard iconX += originX; iconY += originY; - var iconPosition = new Point((int)iconX, (int)iconY); - var labelPosition = new PointF(labelPositionX + originX, labelPositionY + originY); + var iconPosition = new SKPoint((int)iconX, (int)iconY); + var labelPosition = new SKPoint(labelPositionX + originX, labelPositionY + originY); - var selectedRectangle = new RectangleF(originX - 2 * _padPressedPenWidth, originY - 2 * _padPressedPenWidth, + var selectedRectangle = SKRect.Create(originX - 2 * _padPressedPenWidth, originY - 2 * _padPressedPenWidth, fullWidth + 4 * _padPressedPenWidth, fullHeight + 4 * _padPressedPenWidth); - var boundRectangle = new RectangleF(originX, originY, fullWidth, fullHeight); + var boundRectangle = SKRect.Create(originX, originY, fullWidth, fullHeight); boundRectangle.Inflate(4 * _padPressedPenWidth, 4 * _padPressedPenWidth); - context.Fill(_panelBrush, boundRectangle); - context.DrawImage(icon, iconPosition, 1); - context.DrawText(label, _labelsTextFont, _textNormalColor, labelPosition); + canvas.DrawRect(boundRectangle, _panelBrush); + canvas.DrawBitmap(icon, iconPosition); + canvas.DrawText(label, labelPosition.X, labelPosition.Y + _labelsTextFont.Metrics.XHeight + _labelsTextFont.Metrics.Descent, paint); if (enabled) { if (pressed) { - context.Draw(_padPressedPen, selectedRectangle); + canvas.DrawRect(selectedRectangle, _padPressedPen); } } else @@ -514,21 +538,26 @@ namespace Ryujinx.HLE.HOS.Applets.SoftwareKeyboard // Just draw a semi-transparent rectangle on top to fade the component with the background. // TODO (caian): This will not work if one decides to add make background semi-transparent as well. - context.Fill(_disabledBrush, boundRectangle); + canvas.DrawRect(boundRectangle, _disabledBrush); } } - private void DrawControllerToggle(IImageProcessingContext context, PointF point) + private void DrawControllerToggle(SKCanvas canvas, SKPoint point) { - var labelRectangle = MeasureString(ControllerToggleText, _labelsTextFont); + using var paint = new SKPaint(_labelsTextFont) + { + IsAntialias = true, + Color = _textNormalColor + }; + var labelRectangle = MeasureString(ControllerToggleText, paint); // Use relative positions so we can center the entire drawing later. float keyWidth = _keyModeIcon.Width; float keyHeight = _keyModeIcon.Height; - float labelPositionX = keyWidth + 8 - labelRectangle.X; - float labelPositionY = -labelRectangle.Y - 1; + float labelPositionX = keyWidth + 8 - labelRectangle.Left; + float labelPositionY = -labelRectangle.Top - 1; float keyX = 0; float keyY = (int)((labelPositionY + labelRectangle.Height - keyHeight) / 2); @@ -544,14 +573,14 @@ namespace Ryujinx.HLE.HOS.Applets.SoftwareKeyboard keyX += originX; keyY += originY; - var labelPosition = new PointF(labelPositionX + originX, labelPositionY + originY); - var overlayPosition = new Point((int)keyX, (int)keyY); + var labelPosition = new SKPoint(labelPositionX + originX, labelPositionY + originY); + var overlayPosition = new SKPoint((int)keyX, (int)keyY); - context.DrawImage(_keyModeIcon, overlayPosition, 1); - context.DrawText(ControllerToggleText, _labelsTextFont, _textNormalColor, labelPosition); + canvas.DrawBitmap(_keyModeIcon, overlayPosition); + canvas.DrawText(ControllerToggleText, labelPosition.X, labelPosition.Y + _labelsTextFont.Metrics.XHeight, paint); } - public void CopyImageToBuffer() + public unsafe void CopyImageToBuffer() { lock (_bufferLock) { @@ -561,21 +590,20 @@ namespace Ryujinx.HLE.HOS.Applets.SoftwareKeyboard } // Convert the pixel format used in the image to the one used in the Switch surface. + _surface.Flush(); - if (!_surface.DangerousTryGetSinglePixelMemory(out Memory pixels)) + var buffer = new byte[_imageInfo.BytesSize]; + fixed (byte* bufferPtr = buffer) { - return; + if (!_surface.ReadPixels(_imageInfo, (nint)bufferPtr, _imageInfo.RowBytes, 0, 0)) + { + return; + } } - _bufferData = MemoryMarshal.AsBytes(pixels.Span).ToArray(); - Span dataConvert = MemoryMarshal.Cast(_bufferData); + _bufferData = buffer; - Debug.Assert(_bufferData.Length == _surfaceInfo.Size); - - for (int i = 0; i < dataConvert.Length; i++) - { - dataConvert[i] = BitOperations.RotateRight(dataConvert[i], 8); - } + Debug.Assert(buffer.Length == _surfaceInfo.Size); } } diff --git a/ryujinx/src/Ryujinx.HLE/HOS/Services/Caps/CaptureManager.cs b/ryujinx/src/Ryujinx.HLE/HOS/Services/Caps/CaptureManager.cs index 91a8958e6c..bf0c7e9dc6 100644 --- a/ryujinx/src/Ryujinx.HLE/HOS/Services/Caps/CaptureManager.cs +++ b/ryujinx/src/Ryujinx.HLE/HOS/Services/Caps/CaptureManager.cs @@ -1,10 +1,10 @@ using Ryujinx.Common.Memory; using Ryujinx.HLE.HOS.Services.Caps.Types; -using SixLabors.ImageSharp; -using SixLabors.ImageSharp.PixelFormats; +using SkiaSharp; using System; using System.IO; using System.Runtime.CompilerServices; +using System.Runtime.InteropServices; using System.Security.Cryptography; namespace Ryujinx.HLE.HOS.Services.Caps @@ -118,7 +118,11 @@ namespace Ryujinx.HLE.HOS.Services.Caps } // NOTE: The saved JPEG file doesn't have the limitation in the extra EXIF data. - Image.LoadPixelData(screenshotData, 1280, 720).SaveAsJpegAsync(filePath); + using var bitmap = new SKBitmap(new SKImageInfo(1280, 720, SKColorType.Rgba8888)); + Marshal.Copy(screenshotData, 0, bitmap.GetPixels(), screenshotData.Length); + using var data = bitmap.Encode(SKEncodedImageFormat.Jpeg, 80); + using var file = File.OpenWrite(filePath); + data.SaveTo(file); return ResultCode.Success; } diff --git a/ryujinx/src/Ryujinx.HLE/HOS/Services/Sm/IUserInterface.cs b/ryujinx/src/Ryujinx.HLE/HOS/Services/Sm/IUserInterface.cs index 3dc82035fd..7a90c664e3 100644 --- a/ryujinx/src/Ryujinx.HLE/HOS/Services/Sm/IUserInterface.cs +++ b/ryujinx/src/Ryujinx.HLE/HOS/Services/Sm/IUserInterface.cs @@ -2,6 +2,7 @@ using Ryujinx.Common.Logging; using Ryujinx.HLE.HOS.Ipc; using Ryujinx.HLE.HOS.Kernel; using Ryujinx.HLE.HOS.Kernel.Ipc; +using Ryujinx.HLE.HOS.Services.Apm; using Ryujinx.Horizon.Common; using System; using System.Collections.Generic; @@ -12,7 +13,7 @@ using System.Text; namespace Ryujinx.HLE.HOS.Services.Sm { - class IUserInterface : IpcService + partial class IUserInterface : IpcService { private static readonly Dictionary _services; @@ -95,9 +96,7 @@ namespace Ryujinx.HLE.HOS.Services.Sm { ServiceAttribute serviceAttribute = (ServiceAttribute)type.GetCustomAttributes(typeof(ServiceAttribute)).First(service => ((ServiceAttribute)service).Name == name); - IpcService service = serviceAttribute.Parameter != null - ? (IpcService)Activator.CreateInstance(type, context, serviceAttribute.Parameter) - : (IpcService)Activator.CreateInstance(type, context); + IpcService service = GetServiceInstance(type, context, serviceAttribute.Parameter); service.TrySetServer(_commonServer); service.Server.AddSessionObj(session.ServerSession, service); diff --git a/ryujinx/src/Ryujinx.HLE/Ryujinx.HLE.csproj b/ryujinx/src/Ryujinx.HLE/Ryujinx.HLE.csproj index 0fcf9e4b57..a7bb3cd7f6 100644 --- a/ryujinx/src/Ryujinx.HLE/Ryujinx.HLE.csproj +++ b/ryujinx/src/Ryujinx.HLE/Ryujinx.HLE.csproj @@ -2,6 +2,7 @@ net8.0 + true @@ -11,6 +12,7 @@ + @@ -24,8 +26,8 @@ - - + + diff --git a/ryujinx/src/Ryujinx.UI.Common/Helper/ShortcutHelper.cs b/ryujinx/src/Ryujinx.UI.Common/Helper/ShortcutHelper.cs index 58bdc90e6a..1849f40cbb 100644 --- a/ryujinx/src/Ryujinx.UI.Common/Helper/ShortcutHelper.cs +++ b/ryujinx/src/Ryujinx.UI.Common/Helper/ShortcutHelper.cs @@ -1,10 +1,7 @@ using Ryujinx.Common; using Ryujinx.Common.Configuration; using ShellLink; -using SixLabors.ImageSharp; -using SixLabors.ImageSharp.Formats.Png; -using SixLabors.ImageSharp.PixelFormats; -using SixLabors.ImageSharp.Processing; +using SkiaSharp; using System; using System.Collections.Generic; using System.IO; @@ -21,8 +18,8 @@ namespace Ryujinx.UI.Common.Helper iconPath += ".ico"; MemoryStream iconDataStream = new(iconData); - var image = Image.Load(iconDataStream); - image.Mutate(x => x.Resize(128, 128)); + using var image = SKBitmap.Decode(iconDataStream); + image.Resize(new SKImageInfo(128, 128), SKFilterQuality.High); SaveBitmapAsIcon(image, iconPath); var shortcut = Shortcut.CreateShortcut(basePath, GetArgsString(applicationFilePath, applicationId), iconPath, 0); @@ -37,8 +34,10 @@ namespace Ryujinx.UI.Common.Helper var desktopFile = EmbeddedResources.ReadAllText("Ryujinx.UI.Common/shortcut-template.desktop"); iconPath += ".png"; - var image = Image.Load(iconData); - image.SaveAsPng(iconPath); + var image = SKBitmap.Decode(iconData); + using var data = image.Encode(SKEncodedImageFormat.Png, 100); + using var file = File.OpenWrite(iconPath); + data.SaveTo(file); using StreamWriter outputFile = new(Path.Combine(desktopPath, cleanedAppName + ".desktop")); outputFile.Write(desktopFile, cleanedAppName, iconPath, $"{basePath} {GetArgsString(applicationFilePath, applicationId)}"); @@ -78,8 +77,10 @@ namespace Ryujinx.UI.Common.Helper } const string IconName = "icon.png"; - var image = Image.Load(iconData); - image.SaveAsPng(Path.Combine(resourceFolderPath, IconName)); + var image = SKBitmap.Decode(iconData); + using var data = image.Encode(SKEncodedImageFormat.Png, 100); + using var file = File.OpenWrite(Path.Combine(resourceFolderPath, IconName)); + data.SaveTo(file); // plist file using StreamWriter outputFile = new(Path.Combine(contentFolderPath, "Info.plist")); @@ -148,7 +149,7 @@ namespace Ryujinx.UI.Common.Helper /// The source bitmap image that will be saved as an .ico file /// The location that the new .ico file will be saved too (Make sure to include '.ico' in the path). [SupportedOSPlatform("windows")] - private static void SaveBitmapAsIcon(Image source, string filePath) + private static void SaveBitmapAsIcon(SKBitmap source, string filePath) { // Code Modified From https://stackoverflow.com/a/11448060/368354 by Benlitz byte[] header = { 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 32, 0, 0, 0, 0, 0, 22, 0, 0, 0 }; @@ -156,13 +157,16 @@ namespace Ryujinx.UI.Common.Helper fs.Write(header); // Writing actual data - source.Save(fs, PngFormat.Instance); + using var data = source.Encode(SKEncodedImageFormat.Png, 100); + data.SaveTo(fs); // Getting data length (file length minus header) long dataLength = fs.Length - header.Length; // Write it in the correct place fs.Seek(14, SeekOrigin.Begin); fs.WriteByte((byte)dataLength); fs.WriteByte((byte)(dataLength >> 8)); + fs.WriteByte((byte)(dataLength >> 16)); + fs.WriteByte((byte)(dataLength >> 24)); } } } diff --git a/ryujinx/src/Ryujinx/UI/Applet/AvaloniaDynamicTextInputHandler.cs b/ryujinx/src/Ryujinx/UI/Applet/AvaloniaDynamicTextInputHandler.cs index 531d006115..0e7cfb8e6c 100644 --- a/ryujinx/src/Ryujinx/UI/Applet/AvaloniaDynamicTextInputHandler.cs +++ b/ryujinx/src/Ryujinx/UI/Applet/AvaloniaDynamicTextInputHandler.cs @@ -41,17 +41,12 @@ namespace Ryujinx.Ava.UI.Applet private void TextChanged(string text) { - TextChangedEvent?.Invoke(text ?? string.Empty, _hiddenTextBox.SelectionStart, _hiddenTextBox.SelectionEnd, true); + TextChangedEvent?.Invoke(text ?? string.Empty, _hiddenTextBox.SelectionStart, _hiddenTextBox.SelectionEnd, false); } private void SelectionChanged(int selection) { - if (_hiddenTextBox.SelectionEnd < _hiddenTextBox.SelectionStart) - { - _hiddenTextBox.SelectionStart = _hiddenTextBox.SelectionEnd; - } - - TextChangedEvent?.Invoke(_hiddenTextBox.Text ?? string.Empty, _hiddenTextBox.SelectionStart, _hiddenTextBox.SelectionEnd, true); + TextChangedEvent?.Invoke(_hiddenTextBox.Text ?? string.Empty, _hiddenTextBox.SelectionStart, _hiddenTextBox.SelectionEnd, false); } private void AvaloniaDynamicTextInputHandler_TextInput(object sender, string text) diff --git a/ryujinx/src/Ryujinx/UI/Helpers/OffscreenTextBox.cs b/ryujinx/src/Ryujinx/UI/Helpers/OffscreenTextBox.cs index a055f33538..dd736037ee 100644 --- a/ryujinx/src/Ryujinx/UI/Helpers/OffscreenTextBox.cs +++ b/ryujinx/src/Ryujinx/UI/Helpers/OffscreenTextBox.cs @@ -1,11 +1,14 @@ using Avalonia.Controls; using Avalonia.Input; using Avalonia.Interactivity; +using System; namespace Ryujinx.Ava.UI.Helpers { public class OffscreenTextBox : TextBox { + protected override Type StyleKeyOverride => typeof(TextBox); + public static RoutedEvent GetKeyDownRoutedEvent() { return KeyDownEvent; diff --git a/ryujinx/src/Ryujinx/UI/Windows/MainWindow.axaml b/ryujinx/src/Ryujinx/UI/Windows/MainWindow.axaml index 6c2042f93c..3a2e02c260 100644 --- a/ryujinx/src/Ryujinx/UI/Windows/MainWindow.axaml +++ b/ryujinx/src/Ryujinx/UI/Windows/MainWindow.axaml @@ -42,12 +42,10 @@ - - + diff --git a/small/gn/Makefile b/small/gn/Makefile index 6bb69dda06..f3f4fc4502 100644 --- a/small/gn/Makefile +++ b/small/gn/Makefile @@ -11,7 +11,7 @@ PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://gn.googlesource.com/gn.git PKG_SOURCE_DATE:=2024-08-13 PKG_SOURCE_VERSION:=54f5b539df8c4e460b18c62a11132d77b5601136 -PKG_MIRROR_HASH:=ac0d44b2f7162be614ac090ef0618ea0f44760e80f5df7acc43b69a492611e0f +PKG_MIRROR_HASH:=1b5562417adfa29823301fea948197b23dfc887838fc94f96df5bbfd132dc592 PKG_LICENSE:=BSD 3-Clause PKG_LICENSE_FILES:=LICENSE diff --git a/small/gn/patches/010-gcc.patch b/small/gn/patches/010-gcc.patch deleted file mode 100644 index d6078b8c02..0000000000 --- a/small/gn/patches/010-gcc.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/build/gen.py -+++ b/build/gen.py -@@ -368,7 +368,7 @@ def WriteGNNinja(path, platform, host, o - cxx = os.environ.get('CXX', 'g++') - ld = os.environ.get('LD', 'g++') - ar = os.environ.get('AR', 'ar -X64') -- elif platform.is_msys() or platform.is_mingw(): -+ elif platform.is_msys() or platform.is_mingw() or platform.is_linux(): - cxx = os.environ.get('CXX', 'g++') - ld = os.environ.get('LD', 'g++') - ar = os.environ.get('AR', 'ar') diff --git a/small/gn/src/out/last_commit_position.h b/small/gn/src/out/last_commit_position.h index 5a35e52ce4..30de68f981 100644 --- a/small/gn/src/out/last_commit_position.h +++ b/small/gn/src/out/last_commit_position.h @@ -3,7 +3,7 @@ #ifndef OUT_LAST_COMMIT_POSITION_H_ #define OUT_LAST_COMMIT_POSITION_H_ -#define LAST_COMMIT_POSITION_NUM 2186 -#define LAST_COMMIT_POSITION "2186 (54f5b539df8c)" +#define LAST_COMMIT_POSITION_NUM 2188 +#define LAST_COMMIT_POSITION "2188 (54f5b539df8c)" #endif // OUT_LAST_COMMIT_POSITION_H_ diff --git a/small/luci-app-homeproxy/htdocs/luci-static/resources/homeproxy.js b/small/luci-app-homeproxy/htdocs/luci-static/resources/homeproxy.js index 2d274d9d9a..f80fb64302 100644 --- a/small/luci-app-homeproxy/htdocs/luci-static/resources/homeproxy.js +++ b/small/luci-app-homeproxy/htdocs/luci-static/resources/homeproxy.js @@ -169,11 +169,26 @@ return baseclass.extend({ return L.resolveDefault(callGetSingBoxFeatures(), {}); }, - generateUUIDv4: function() { - /* Thanks to https://stackoverflow.com/a/2117523 */ - return ([1e7]+-1e3+-4e3+-8e3+-1e11).replace(/[018]/g, (c) => - (c ^ crypto.getRandomValues(new Uint8Array(1))[0] & 15 >> c / 4).toString(16) - ); + generateRand: function(type, length) { + var byteArr; + if (['base64', 'hex'].includes(type)) + byteArr = crypto.getRandomValues(new Uint8Array(length)); + switch (type) { + case 'base64': + /* Thanks to https://stackoverflow.com/questions/9267899 */ + return btoa(String.fromCharCode.apply(null, byteArr)); + case 'hex': + return Array.from(byteArr, (byte) => + (byte & 255).toString(16).padStart(2, '0') + ).join(''); + case 'uuid': + /* Thanks to https://stackoverflow.com/a/2117523 */ + return ([1e7]+-1e3+-4e3+-8e3+-1e11).replace(/[018]/g, (c) => + (c ^ crypto.getRandomValues(new Uint8Array(1))[0] & 15 >> c / 4).toString(16) + ); + default: + return null; + }; }, loadDefaultLabel: function(uciconfig, ucisection) { diff --git a/small/luci-app-homeproxy/htdocs/luci-static/resources/view/homeproxy/client.js b/small/luci-app-homeproxy/htdocs/luci-static/resources/view/homeproxy/client.js index acc1c164f8..e02026113b 100644 --- a/small/luci-app-homeproxy/htdocs/luci-static/resources/view/homeproxy/client.js +++ b/small/luci-app-homeproxy/htdocs/luci-static/resources/view/homeproxy/client.js @@ -313,6 +313,15 @@ return view.extend({ so.depends('tcpip_stack', 'gvisor'); so.rmempty = false; + so = ss.option(form.Value, 'udp_timeout', _('UDP NAT expiration time'), + _('In seconds. 300 is used by default.')); + so.datatype = 'uinteger'; + so.default = '300'; + so.depends('homeproxy.config.proxy_mode', 'redirect_tproxy'); + so.depends('homeproxy.config.proxy_mode', 'redirect_tun'); + so.depends('homeproxy.config.proxy_mode', 'tun'); + so.rmempty = false; + so = ss.option(form.Flag, 'bypass_cn_traffic', _('Bypass CN traffic'), _('Bypass mainland China traffic via firewall rules by default.')); so.default = so.disabled; diff --git a/small/luci-app-homeproxy/htdocs/luci-static/resources/view/homeproxy/node.js b/small/luci-app-homeproxy/htdocs/luci-static/resources/view/homeproxy/node.js index ea5fd8519c..58d1434b60 100644 --- a/small/luci-app-homeproxy/htdocs/luci-static/resources/view/homeproxy/node.js +++ b/small/luci-app-homeproxy/htdocs/luci-static/resources/view/homeproxy/node.js @@ -468,6 +468,14 @@ function renderNodeSettings(section, data, features, main_node, routing_mode) { o.datatype = 'port'; o.depends('type', 'direct'); + o = s.option(form.ListValue, 'proxy_protocol', _('Proxy protocol'), + _('Write proxy protocol in the connection header.')); + o.value('', _('Disable')); + o.value('1', _('v1')); + o.value('2', _('v2')); + o.depends('type', 'direct'); + o.modalonly = true; + /* Hysteria (2) config start */ o = s.option(form.ListValue, 'hysteria_protocol', _('Protocol')); o.value('udp'); diff --git a/small/luci-app-homeproxy/htdocs/luci-static/resources/view/homeproxy/server.js b/small/luci-app-homeproxy/htdocs/luci-static/resources/view/homeproxy/server.js index b3d5f64b24..117f2a0a85 100644 --- a/small/luci-app-homeproxy/htdocs/luci-static/resources/view/homeproxy/server.js +++ b/small/luci-app-homeproxy/htdocs/luci-static/resources/view/homeproxy/server.js @@ -9,6 +9,7 @@ 'require poll'; 'require rpc'; 'require uci'; +'require ui'; 'require view'; 'require homeproxy as hp'; @@ -41,6 +42,46 @@ function renderStatus(isRunning) { return renderHTML; } +function handleGenKey(option) { + var section_id = this.section.section; + var type = this.section.getOption('type').formvalue(section_id); + var widget = this.map.findElement('id', 'widget.cbid.homeproxy.%s.%s'.format(section_id, option)); + var password, required_method; + + if (option === 'uuid') + required_method = 'uuid'; + else if (type === 'shadowsocks') + required_method = this.section.getOption('shadowsocks_encrypt_method')?.formvalue(section_id); + + switch (required_method) { + case 'aes-128-gcm': + case '2022-blake3-aes-128-gcm': + password = hp.generateRand('base64', 16); + break; + case 'aes-192-gcm': + password = hp.generateRand('base64', 24); + break; + case 'aes-256-gcm': + case 'chacha20-ietf-poly1305': + case 'xchacha20-ietf-poly1305': + case '2022-blake3-aes-256-gcm': + case '2022-blake3-chacha20-poly1305': + password = hp.generateRand('base64', 32); + break; + case 'none': + password = ''; + break; + case 'uuid': + password = hp.generateRand('uuid'); + break; + default: + password = hp.generateRand('hex', 16); + break; + } + + return widget.value = password; +} + return view.extend({ load: function() { return Promise.all([ @@ -139,6 +180,17 @@ return view.extend({ o.depends('type', 'shadowsocks'); o.depends('type', 'trojan'); o.depends('type', 'tuic'); + o.renderWidget = function() { + var node = form.Value.prototype.renderWidget.apply(this, arguments); + + (node.querySelector('.control-group') || node).appendChild(E('button', { + 'class': 'cbi-button cbi-button-apply', + 'title': _('Generate'), + 'click': ui.createHandlerFn(this, handleGenKey, this.option) + }, [ _('Generate') ])); + + return node; + } o.validate = function(section_id, value) { if (section_id) { var type = this.map.lookupOption('type', section_id)[0].formvalue(section_id); @@ -265,6 +317,17 @@ return view.extend({ o.depends('type', 'tuic'); o.depends('type', 'vless'); o.depends('type', 'vmess'); + o.renderWidget = function() { + var node = form.Value.prototype.renderWidget.apply(this, arguments); + + (node.querySelector('.control-group') || node).appendChild(E('button', { + 'class': 'cbi-button cbi-button-apply', + 'title': _('Generate'), + 'click': ui.createHandlerFn(this, handleGenKey, this.option) + }, [ _('Generate') ])); + + return node; + } o.validate = hp.validateUUID; o.modalonly = true; @@ -277,7 +340,7 @@ return view.extend({ o.depends('type', 'tuic'); o.modalonly = true; - o = s.option(form.ListValue, 'tuic_auth_timeout', _('Auth timeout'), + o = s.option(form.Value, 'tuic_auth_timeout', _('Auth timeout'), _('How long the server should wait for the client to send the authentication command (in seconds).')); o.datatype = 'uinteger'; o.default = '3'; @@ -716,6 +779,13 @@ return view.extend({ o.depends({'network': 'tcp', '!reverse': true}); o.modalonly = true; + o = s.option(form.Value, 'udp_timeout', _('UDP NAT expiration time'), + _('In seconds. 300 is used by default.')); + o.datatype = 'uinteger'; + o.default = '300'; + o.depends({'network': 'tcp', '!reverse': true}); + o.modalonly = true; + o = s.option(form.Flag, 'sniff_override', _('Override destination'), _('Override the connection destination address with the sniffed domain.')); o.rmempty = false; diff --git a/small/luci-app-homeproxy/po/templates/homeproxy.pot b/small/luci-app-homeproxy/po/templates/homeproxy.pot index 295134ad0d..18a81c6523 100644 --- a/small/luci-app-homeproxy/po/templates/homeproxy.pot +++ b/small/luci-app-homeproxy/po/templates/homeproxy.pot @@ -5,50 +5,50 @@ msgstr "Content-Type: text/plain; charset=UTF-8" msgid "%s log" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1391 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1399 msgid "%s nodes removed" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:560 -#: htdocs/luci-static/resources/view/homeproxy/client.js:894 +#: htdocs/luci-static/resources/view/homeproxy/client.js:569 +#: htdocs/luci-static/resources/view/homeproxy/client.js:903 msgid "-- Please choose --" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:465 +#: htdocs/luci-static/resources/view/homeproxy/client.js:474 msgid "4 or 6. Not limited if empty." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1021 -#: htdocs/luci-static/resources/view/homeproxy/server.js:675 -#: htdocs/luci-static/resources/view/homeproxy/server.js:693 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1029 +#: htdocs/luci-static/resources/view/homeproxy/server.js:738 +#: htdocs/luci-static/resources/view/homeproxy/server.js:756 msgid "Save your configuration before uploading files!" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:584 +#: htdocs/luci-static/resources/view/homeproxy/server.js:647 msgid "API token" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:598 +#: htdocs/luci-static/resources/view/homeproxy/node.js:606 msgid "Accept any if empty." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1057 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1066 msgid "Access Control" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:569 +#: htdocs/luci-static/resources/view/homeproxy/server.js:632 msgid "Access key ID" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:574 +#: htdocs/luci-static/resources/view/homeproxy/server.js:637 msgid "Access key secret" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:763 +#: htdocs/luci-static/resources/view/homeproxy/client.js:772 msgid "Add a DNS rule" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:668 +#: htdocs/luci-static/resources/view/homeproxy/client.js:677 msgid "Add a DNS server" msgstr "" @@ -56,36 +56,36 @@ msgstr "" msgid "Add a node" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:355 +#: htdocs/luci-static/resources/view/homeproxy/client.js:364 msgid "Add a routing node" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:431 +#: htdocs/luci-static/resources/view/homeproxy/client.js:440 msgid "Add a routing rule" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:978 +#: htdocs/luci-static/resources/view/homeproxy/client.js:987 msgid "Add a rule set" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:88 +#: htdocs/luci-static/resources/view/homeproxy/server.js:129 msgid "Add a server" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:682 +#: htdocs/luci-static/resources/view/homeproxy/client.js:691 #: htdocs/luci-static/resources/view/homeproxy/node.js:413 msgid "Address" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:686 +#: htdocs/luci-static/resources/view/homeproxy/client.js:695 msgid "Address resolver" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:718 +#: htdocs/luci-static/resources/view/homeproxy/client.js:727 msgid "Address strategy" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:562 +#: htdocs/luci-static/resources/view/homeproxy/server.js:625 msgid "Alibaba Cloud DNS" msgstr "" @@ -98,21 +98,21 @@ msgstr "" msgid "All ports" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:974 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1317 +#: htdocs/luci-static/resources/view/homeproxy/node.js:982 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1325 msgid "Allow insecure" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:975 +#: htdocs/luci-static/resources/view/homeproxy/node.js:983 msgid "Allow insecure connection at TLS client." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1318 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1326 msgid "Allow insecure connection by default when add nodes from subscriptions." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:805 -#: htdocs/luci-static/resources/view/homeproxy/server.js:400 +#: htdocs/luci-static/resources/view/homeproxy/node.js:813 +#: htdocs/luci-static/resources/view/homeproxy/server.js:463 msgid "Allowed payload size is in the request." msgstr "" @@ -124,37 +124,37 @@ msgstr "" msgid "Already in updating." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:671 -#: htdocs/luci-static/resources/view/homeproxy/server.js:309 +#: htdocs/luci-static/resources/view/homeproxy/node.js:679 +#: htdocs/luci-static/resources/view/homeproxy/server.js:372 msgid "Alter ID" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:599 +#: htdocs/luci-static/resources/view/homeproxy/server.js:662 msgid "Alternative HTTP port" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:605 +#: htdocs/luci-static/resources/view/homeproxy/server.js:668 msgid "Alternative TLS port" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1354 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1362 msgid "An error occurred during updating subscriptions: %s" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:920 +#: htdocs/luci-static/resources/view/homeproxy/client.js:929 msgid "Any" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:642 -#: htdocs/luci-static/resources/view/homeproxy/client.js:748 -#: htdocs/luci-static/resources/view/homeproxy/client.js:962 +#: htdocs/luci-static/resources/view/homeproxy/client.js:651 +#: htdocs/luci-static/resources/view/homeproxy/client.js:757 +#: htdocs/luci-static/resources/view/homeproxy/client.js:971 msgid "" "Append a edns0-subnet OPT extra record with the specified IP " "prefix to every query by default.
If value is an IP address instead of " "prefix, /32 or /128 will be appended automatically." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1007 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1015 msgid "Append self-signed certificate" msgstr "" @@ -171,37 +171,37 @@ msgstr "" msgid "Are you sure to allow insecure?" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:280 +#: htdocs/luci-static/resources/view/homeproxy/server.js:343 msgid "Auth timeout" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:695 +#: htdocs/luci-static/resources/view/homeproxy/node.js:703 msgid "Authenticated length" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:490 -#: htdocs/luci-static/resources/view/homeproxy/server.js:200 +#: htdocs/luci-static/resources/view/homeproxy/node.js:498 +#: htdocs/luci-static/resources/view/homeproxy/server.js:252 msgid "Authentication payload" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:483 -#: htdocs/luci-static/resources/view/homeproxy/server.js:193 +#: htdocs/luci-static/resources/view/homeproxy/node.js:491 +#: htdocs/luci-static/resources/view/homeproxy/server.js:245 msgid "Authentication type" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:79 +#: htdocs/luci-static/resources/view/homeproxy/server.js:120 msgid "Auto configure firewall" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1271 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1279 msgid "Auto update" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1272 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1280 msgid "Auto update subscriptions." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:629 +#: htdocs/luci-static/resources/view/homeproxy/node.js:637 msgid "BBR" msgstr "" @@ -209,8 +209,8 @@ msgstr "" msgid "BaiDu" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:485 -#: htdocs/luci-static/resources/view/homeproxy/server.js:195 +#: htdocs/luci-static/resources/view/homeproxy/node.js:493 +#: htdocs/luci-static/resources/view/homeproxy/server.js:247 msgid "Base64" msgstr "" @@ -218,44 +218,44 @@ msgstr "" msgid "Based on google/gvisor." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1000 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1009 msgid "Binary file" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:382 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1070 +#: htdocs/luci-static/resources/view/homeproxy/client.js:391 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1079 msgid "Bind interface" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1071 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1080 msgid "" "Bind outbound traffic to specific interface. Leave empty to auto detect." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1307 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1315 msgid "Blacklist mode" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:333 -#: htdocs/luci-static/resources/view/homeproxy/client.js:588 -#: htdocs/luci-static/resources/view/homeproxy/client.js:922 +#: htdocs/luci-static/resources/view/homeproxy/client.js:342 +#: htdocs/luci-static/resources/view/homeproxy/client.js:597 +#: htdocs/luci-static/resources/view/homeproxy/client.js:931 msgid "Block" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:618 -#: htdocs/luci-static/resources/view/homeproxy/client.js:940 +#: htdocs/luci-static/resources/view/homeproxy/client.js:627 +#: htdocs/luci-static/resources/view/homeproxy/client.js:949 msgid "Block DNS queries" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:468 -#: htdocs/luci-static/resources/view/homeproxy/client.js:481 -#: htdocs/luci-static/resources/view/homeproxy/client.js:799 -#: htdocs/luci-static/resources/view/homeproxy/client.js:809 -#: htdocs/luci-static/resources/view/homeproxy/server.js:732 +#: htdocs/luci-static/resources/view/homeproxy/client.js:477 +#: htdocs/luci-static/resources/view/homeproxy/client.js:490 +#: htdocs/luci-static/resources/view/homeproxy/client.js:808 +#: htdocs/luci-static/resources/view/homeproxy/client.js:818 +#: htdocs/luci-static/resources/view/homeproxy/server.js:802 msgid "Both" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:316 +#: htdocs/luci-static/resources/view/homeproxy/client.js:325 msgid "Bypass CN traffic" msgstr "" @@ -263,11 +263,11 @@ msgstr "" msgid "Bypass mainland China" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:317 +#: htdocs/luci-static/resources/view/homeproxy/client.js:326 msgid "Bypass mainland China traffic via firewall rules by default." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:548 +#: htdocs/luci-static/resources/view/homeproxy/server.js:611 msgid "CA provider" msgstr "" @@ -275,16 +275,16 @@ msgstr "" msgid "CNNIC Public DNS (210.2.4.8)" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:627 +#: htdocs/luci-static/resources/view/homeproxy/node.js:635 msgid "CUBIC" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1171 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1179 msgid "Cancel" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1013 -#: htdocs/luci-static/resources/view/homeproxy/server.js:664 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1021 +#: htdocs/luci-static/resources/view/homeproxy/server.js:727 msgid "Certificate path" msgstr "" @@ -312,8 +312,8 @@ msgstr "" msgid "China list version" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:999 -#: htdocs/luci-static/resources/view/homeproxy/server.js:506 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1007 +#: htdocs/luci-static/resources/view/homeproxy/server.js:569 msgid "Cipher suites" msgstr "" @@ -329,7 +329,7 @@ msgstr "" msgid "Client Settings" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:592 +#: htdocs/luci-static/resources/view/homeproxy/node.js:600 msgid "Client version" msgstr "" @@ -337,12 +337,12 @@ msgstr "" msgid "CloudFlare Public DNS (1.1.1.1)" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:563 +#: htdocs/luci-static/resources/view/homeproxy/server.js:626 msgid "Cloudflare" msgstr "" #: htdocs/luci-static/resources/view/homeproxy/client.js:122 -#: htdocs/luci-static/resources/view/homeproxy/server.js:69 +#: htdocs/luci-static/resources/view/homeproxy/server.js:110 #: htdocs/luci-static/resources/view/homeproxy/status.js:128 msgid "Collecting data..." msgstr "" @@ -351,8 +351,8 @@ msgstr "" msgid "Common ports only (bypass P2P traffic)" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:625 -#: htdocs/luci-static/resources/view/homeproxy/server.js:271 +#: htdocs/luci-static/resources/view/homeproxy/node.js:633 +#: htdocs/luci-static/resources/view/homeproxy/server.js:334 msgid "Congestion control algorithm" msgstr "" @@ -364,208 +364,209 @@ msgstr "" msgid "Custom routing" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:816 +#: htdocs/luci-static/resources/view/homeproxy/client.js:825 msgid "DNS" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:754 +#: htdocs/luci-static/resources/view/homeproxy/client.js:763 msgid "DNS Rules" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:659 +#: htdocs/luci-static/resources/view/homeproxy/client.js:668 msgid "DNS Servers" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:601 +#: htdocs/luci-static/resources/view/homeproxy/client.js:610 msgid "DNS Settings" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:561 +#: htdocs/luci-static/resources/view/homeproxy/server.js:624 msgid "DNS provider" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:763 +#: htdocs/luci-static/resources/view/homeproxy/client.js:772 msgid "DNS rule" msgstr "" #: htdocs/luci-static/resources/view/homeproxy/client.js:158 -#: htdocs/luci-static/resources/view/homeproxy/client.js:668 +#: htdocs/luci-static/resources/view/homeproxy/client.js:677 msgid "DNS server" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:556 +#: htdocs/luci-static/resources/view/homeproxy/server.js:619 msgid "DNS01 challenge" msgstr "" #: htdocs/luci-static/resources/homeproxy.js:17 -#: htdocs/luci-static/resources/view/homeproxy/client.js:459 -#: htdocs/luci-static/resources/view/homeproxy/client.js:791 -#: htdocs/luci-static/resources/view/homeproxy/node.js:637 +#: htdocs/luci-static/resources/view/homeproxy/client.js:468 +#: htdocs/luci-static/resources/view/homeproxy/client.js:800 +#: htdocs/luci-static/resources/view/homeproxy/node.js:645 msgid "Default" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:616 -#: htdocs/luci-static/resources/view/homeproxy/client.js:693 -#: htdocs/luci-static/resources/view/homeproxy/client.js:938 +#: htdocs/luci-static/resources/view/homeproxy/client.js:625 +#: htdocs/luci-static/resources/view/homeproxy/client.js:702 +#: htdocs/luci-static/resources/view/homeproxy/client.js:947 msgid "Default DNS (issued by WAN)" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:611 +#: htdocs/luci-static/resources/view/homeproxy/client.js:620 msgid "Default DNS server" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:606 +#: htdocs/luci-static/resources/view/homeproxy/client.js:615 msgid "Default DNS strategy" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:725 +#: htdocs/luci-static/resources/view/homeproxy/client.js:734 msgid "Default domain strategy for resolving the domain names." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:326 +#: htdocs/luci-static/resources/view/homeproxy/client.js:335 msgid "Default outbound" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1325 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1333 msgid "Default packet encoding" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:527 +#: htdocs/luci-static/resources/view/homeproxy/server.js:590 msgid "Default server name" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:332 -#: htdocs/luci-static/resources/view/homeproxy/client.js:395 -#: htdocs/luci-static/resources/view/homeproxy/client.js:587 -#: htdocs/luci-static/resources/view/homeproxy/client.js:735 -#: htdocs/luci-static/resources/view/homeproxy/client.js:921 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1039 +#: htdocs/luci-static/resources/view/homeproxy/client.js:341 +#: htdocs/luci-static/resources/view/homeproxy/client.js:404 +#: htdocs/luci-static/resources/view/homeproxy/client.js:596 +#: htdocs/luci-static/resources/view/homeproxy/client.js:744 +#: htdocs/luci-static/resources/view/homeproxy/client.js:930 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1048 #: htdocs/luci-static/resources/view/homeproxy/node.js:394 msgid "Direct" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1169 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1178 msgid "Direct Domain List" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1086 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1131 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1095 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1140 msgid "Direct IPv4 IP-s" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1089 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1134 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1098 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1143 msgid "Direct IPv6 IP-s" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1092 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1101 msgid "Direct MAC-s" msgstr "" #: htdocs/luci-static/resources/view/homeproxy/client.js:142 #: htdocs/luci-static/resources/view/homeproxy/client.js:150 -#: htdocs/luci-static/resources/view/homeproxy/client.js:331 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1080 -#: htdocs/luci-static/resources/view/homeproxy/node.js:484 -#: htdocs/luci-static/resources/view/homeproxy/node.js:496 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1053 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1306 -#: htdocs/luci-static/resources/view/homeproxy/server.js:194 -#: htdocs/luci-static/resources/view/homeproxy/server.js:206 +#: htdocs/luci-static/resources/view/homeproxy/client.js:340 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1089 +#: htdocs/luci-static/resources/view/homeproxy/node.js:473 +#: htdocs/luci-static/resources/view/homeproxy/node.js:492 +#: htdocs/luci-static/resources/view/homeproxy/node.js:504 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1061 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1314 +#: htdocs/luci-static/resources/view/homeproxy/server.js:246 +#: htdocs/luci-static/resources/view/homeproxy/server.js:258 msgid "Disable" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:629 +#: htdocs/luci-static/resources/view/homeproxy/client.js:638 msgid "Disable DNS cache" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:589 +#: htdocs/luci-static/resources/view/homeproxy/server.js:652 msgid "Disable HTTP challenge" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:532 -#: htdocs/luci-static/resources/view/homeproxy/server.js:237 +#: htdocs/luci-static/resources/view/homeproxy/node.js:540 +#: htdocs/luci-static/resources/view/homeproxy/server.js:289 msgid "Disable Path MTU discovery" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:594 +#: htdocs/luci-static/resources/view/homeproxy/server.js:657 msgid "Disable TLS ALPN challenge" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:952 +#: htdocs/luci-static/resources/view/homeproxy/client.js:961 msgid "Disable cache and save cache in this query." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:632 +#: htdocs/luci-static/resources/view/homeproxy/client.js:641 msgid "Disable cache expire" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:951 +#: htdocs/luci-static/resources/view/homeproxy/client.js:960 msgid "Disable dns cache" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1035 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1043 msgid "Disable dynamic record sizing" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:533 -#: htdocs/luci-static/resources/view/homeproxy/server.js:238 +#: htdocs/luci-static/resources/view/homeproxy/node.js:541 +#: htdocs/luci-static/resources/view/homeproxy/server.js:290 msgid "" "Disables Path MTU Discovery (RFC 8899). Packets will then be at most 1252 " "(IPv4) / 1232 (IPv6) bytes in size." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:492 -#: htdocs/luci-static/resources/view/homeproxy/client.js:828 +#: htdocs/luci-static/resources/view/homeproxy/client.js:501 +#: htdocs/luci-static/resources/view/homeproxy/client.js:837 msgid "Domain keyword" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:483 -#: htdocs/luci-static/resources/view/homeproxy/client.js:819 +#: htdocs/luci-static/resources/view/homeproxy/client.js:492 +#: htdocs/luci-static/resources/view/homeproxy/client.js:828 msgid "Domain name" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:496 -#: htdocs/luci-static/resources/view/homeproxy/client.js:832 +#: htdocs/luci-static/resources/view/homeproxy/client.js:505 +#: htdocs/luci-static/resources/view/homeproxy/client.js:841 msgid "Domain regex" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:376 -#: htdocs/luci-static/resources/view/homeproxy/server.js:723 +#: htdocs/luci-static/resources/view/homeproxy/client.js:385 +#: htdocs/luci-static/resources/view/homeproxy/server.js:793 msgid "Domain strategy" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:488 -#: htdocs/luci-static/resources/view/homeproxy/client.js:824 +#: htdocs/luci-static/resources/view/homeproxy/client.js:497 +#: htdocs/luci-static/resources/view/homeproxy/client.js:833 msgid "Domain suffix" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:521 +#: htdocs/luci-static/resources/view/homeproxy/server.js:584 msgid "Domains" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:923 -#: htdocs/luci-static/resources/view/homeproxy/server.js:438 +#: htdocs/luci-static/resources/view/homeproxy/node.js:931 +#: htdocs/luci-static/resources/view/homeproxy/server.js:501 msgid "Download bandwidth" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:924 -#: htdocs/luci-static/resources/view/homeproxy/server.js:439 +#: htdocs/luci-static/resources/view/homeproxy/node.js:932 +#: htdocs/luci-static/resources/view/homeproxy/server.js:502 msgid "Download bandwidth in Mbps." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1313 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1321 msgid "" "Drop/keep nodes that contain the specific keywords. Regex is supported." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1305 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1313 msgid "Drop/keep specific nodes from subscriptions." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:612 +#: htdocs/luci-static/resources/view/homeproxy/server.js:675 msgid "" "EAB (External Account Binding) contains information necessary to bind or map " "an ACME account to some other account known by the CA.
External account " @@ -573,91 +574,91 @@ msgid "" "a non-ACME system, such as a CA customer database." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1030 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1038 msgid "" "ECH (Encrypted Client Hello) is a TLS extension that allows a client to " "encrypt the first part of its ClientHello message." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1045 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1053 msgid "ECH config" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:641 -#: htdocs/luci-static/resources/view/homeproxy/client.js:747 -#: htdocs/luci-static/resources/view/homeproxy/client.js:961 +#: htdocs/luci-static/resources/view/homeproxy/client.js:650 +#: htdocs/luci-static/resources/view/homeproxy/client.js:756 +#: htdocs/luci-static/resources/view/homeproxy/client.js:970 msgid "EDNS Client subnet" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:804 -#: htdocs/luci-static/resources/view/homeproxy/server.js:399 +#: htdocs/luci-static/resources/view/homeproxy/node.js:812 +#: htdocs/luci-static/resources/view/homeproxy/server.js:462 msgid "Early data" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:811 -#: htdocs/luci-static/resources/view/homeproxy/server.js:406 +#: htdocs/luci-static/resources/view/homeproxy/node.js:819 +#: htdocs/luci-static/resources/view/homeproxy/server.js:469 msgid "Early data header name" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:407 +#: htdocs/luci-static/resources/view/homeproxy/server.js:470 msgid "Early data is sent in path instead of header by default." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1147 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1155 msgid "Edit nodes" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:533 +#: htdocs/luci-static/resources/view/homeproxy/server.js:596 msgid "Email" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:364 -#: htdocs/luci-static/resources/view/homeproxy/client.js:446 -#: htdocs/luci-static/resources/view/homeproxy/client.js:677 -#: htdocs/luci-static/resources/view/homeproxy/client.js:778 -#: htdocs/luci-static/resources/view/homeproxy/client.js:987 -#: htdocs/luci-static/resources/view/homeproxy/server.js:75 -#: htdocs/luci-static/resources/view/homeproxy/server.js:98 +#: htdocs/luci-static/resources/view/homeproxy/client.js:373 +#: htdocs/luci-static/resources/view/homeproxy/client.js:455 +#: htdocs/luci-static/resources/view/homeproxy/client.js:686 +#: htdocs/luci-static/resources/view/homeproxy/client.js:787 +#: htdocs/luci-static/resources/view/homeproxy/client.js:996 +#: htdocs/luci-static/resources/view/homeproxy/server.js:116 +#: htdocs/luci-static/resources/view/homeproxy/server.js:139 msgid "Enable" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:650 -#: htdocs/luci-static/resources/view/homeproxy/server.js:288 +#: htdocs/luci-static/resources/view/homeproxy/node.js:658 +#: htdocs/luci-static/resources/view/homeproxy/server.js:351 msgid "" "Enable 0-RTT QUIC connection handshake on the client side. This is not " "impacting much on the performance, as the protocol is fully multiplexed.
Disabling this is highly recommended, as it is vulnerable to replay attacks." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:649 -#: htdocs/luci-static/resources/view/homeproxy/server.js:287 +#: htdocs/luci-static/resources/view/homeproxy/node.js:657 +#: htdocs/luci-static/resources/view/homeproxy/server.js:350 msgid "Enable 0-RTT handshake" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:515 +#: htdocs/luci-static/resources/view/homeproxy/server.js:578 msgid "Enable ACME" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1029 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1037 msgid "Enable ECH" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1040 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1048 msgid "Enable PQ signature schemes" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:917 -#: htdocs/luci-static/resources/view/homeproxy/server.js:432 +#: htdocs/luci-static/resources/view/homeproxy/node.js:925 +#: htdocs/luci-static/resources/view/homeproxy/server.js:495 msgid "Enable TCP Brutal" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:918 -#: htdocs/luci-static/resources/view/homeproxy/server.js:433 +#: htdocs/luci-static/resources/view/homeproxy/node.js:926 +#: htdocs/luci-static/resources/view/homeproxy/server.js:496 msgid "Enable TCP Brutal congestion control algorithm" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1111 -#: htdocs/luci-static/resources/view/homeproxy/server.js:714 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1119 +#: htdocs/luci-static/resources/view/homeproxy/server.js:777 msgid "Enable UDP fragmentation." msgstr "" @@ -665,88 +666,88 @@ msgstr "" msgid "Enable endpoint-independent NAT" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:912 -#: htdocs/luci-static/resources/view/homeproxy/server.js:426 +#: htdocs/luci-static/resources/view/homeproxy/node.js:920 +#: htdocs/luci-static/resources/view/homeproxy/server.js:489 msgid "Enable padding" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:703 +#: htdocs/luci-static/resources/view/homeproxy/server.js:766 msgid "Enable tcp fast open for listener." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1116 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1124 msgid "" "Enable the SUoT protocol, requires server support. Conflict with multiplex." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:540 -#: htdocs/luci-static/resources/view/homeproxy/node.js:677 -#: htdocs/luci-static/resources/view/homeproxy/server.js:256 +#: htdocs/luci-static/resources/view/homeproxy/node.js:548 +#: htdocs/luci-static/resources/view/homeproxy/node.js:685 +#: htdocs/luci-static/resources/view/homeproxy/server.js:308 msgid "Encrypt method" msgstr "" -#: htdocs/luci-static/resources/homeproxy.js:206 -#: htdocs/luci-static/resources/homeproxy.js:240 -#: htdocs/luci-static/resources/homeproxy.js:248 -#: htdocs/luci-static/resources/homeproxy.js:257 -#: htdocs/luci-static/resources/homeproxy.js:266 -#: htdocs/luci-static/resources/homeproxy.js:268 +#: htdocs/luci-static/resources/homeproxy.js:221 +#: htdocs/luci-static/resources/homeproxy.js:255 +#: htdocs/luci-static/resources/homeproxy.js:263 +#: htdocs/luci-static/resources/homeproxy.js:272 +#: htdocs/luci-static/resources/homeproxy.js:281 +#: htdocs/luci-static/resources/homeproxy.js:283 #: htdocs/luci-static/resources/view/homeproxy/client.js:75 #: htdocs/luci-static/resources/view/homeproxy/client.js:176 #: htdocs/luci-static/resources/view/homeproxy/client.js:178 #: htdocs/luci-static/resources/view/homeproxy/client.js:206 #: htdocs/luci-static/resources/view/homeproxy/client.js:244 #: htdocs/luci-static/resources/view/homeproxy/client.js:249 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1015 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1020 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1023 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1162 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1191 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1024 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1029 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1032 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1171 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1200 #: htdocs/luci-static/resources/view/homeproxy/node.js:452 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1074 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1234 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1294 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1297 -#: htdocs/luci-static/resources/view/homeproxy/server.js:159 -#: htdocs/luci-static/resources/view/homeproxy/server.js:539 -#: htdocs/luci-static/resources/view/homeproxy/server.js:541 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1082 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1242 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1302 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1305 +#: htdocs/luci-static/resources/view/homeproxy/server.js:211 +#: htdocs/luci-static/resources/view/homeproxy/server.js:602 +#: htdocs/luci-static/resources/view/homeproxy/server.js:604 msgid "Expecting: %s" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:611 +#: htdocs/luci-static/resources/view/homeproxy/server.js:674 msgid "External Account Binding" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:623 +#: htdocs/luci-static/resources/view/homeproxy/server.js:686 msgid "External account MAC key" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:618 +#: htdocs/luci-static/resources/view/homeproxy/server.js:681 msgid "External account key ID" msgstr "" -#: htdocs/luci-static/resources/homeproxy.js:230 +#: htdocs/luci-static/resources/homeproxy.js:245 msgid "Failed to upload %s, error: %s." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1312 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1320 msgid "Filter keywords" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1304 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1312 msgid "Filter nodes" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:665 -#: htdocs/luci-static/resources/view/homeproxy/server.js:303 +#: htdocs/luci-static/resources/view/homeproxy/node.js:673 +#: htdocs/luci-static/resources/view/homeproxy/server.js:366 msgid "Flow" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:998 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1007 msgid "Format" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:773 +#: htdocs/luci-static/resources/view/homeproxy/node.js:781 msgid "GET" msgstr "" @@ -758,20 +759,27 @@ msgstr "" msgid "GFWList" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1104 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1113 msgid "Gaming mode IPv4 IP-s" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1106 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1115 msgid "Gaming mode IPv6 IP-s" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1109 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1118 msgid "Gaming mode MAC-s" msgstr "" +#: htdocs/luci-static/resources/view/homeproxy/server.js:188 +#: htdocs/luci-static/resources/view/homeproxy/server.js:190 +#: htdocs/luci-static/resources/view/homeproxy/server.js:325 +#: htdocs/luci-static/resources/view/homeproxy/server.js:327 +msgid "Generate" +msgstr "" + #: htdocs/luci-static/resources/view/homeproxy/client.js:282 -#: htdocs/luci-static/resources/view/homeproxy/node.js:827 +#: htdocs/luci-static/resources/view/homeproxy/node.js:835 msgid "Generic segmentation offload" msgstr "" @@ -779,23 +787,23 @@ msgstr "" msgid "Global" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:688 +#: htdocs/luci-static/resources/view/homeproxy/node.js:696 msgid "Global padding" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1111 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1120 msgid "Global proxy IPv4 IP-s" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1114 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1123 msgid "Global proxy IPv6 IP-s" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1117 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1126 msgid "Global proxy MAC-s" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:73 +#: htdocs/luci-static/resources/view/homeproxy/server.js:114 msgid "Global settings" msgstr "" @@ -811,36 +819,36 @@ msgstr "" msgid "Grant access to homeproxy configuration" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:473 -#: htdocs/luci-static/resources/view/homeproxy/client.js:813 +#: htdocs/luci-static/resources/view/homeproxy/client.js:482 +#: htdocs/luci-static/resources/view/homeproxy/client.js:822 #: htdocs/luci-static/resources/view/homeproxy/node.js:395 -#: htdocs/luci-static/resources/view/homeproxy/node.js:707 -#: htdocs/luci-static/resources/view/homeproxy/server.js:104 -#: htdocs/luci-static/resources/view/homeproxy/server.js:321 +#: htdocs/luci-static/resources/view/homeproxy/node.js:715 +#: htdocs/luci-static/resources/view/homeproxy/server.js:145 +#: htdocs/luci-static/resources/view/homeproxy/server.js:384 msgid "HTTP" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:250 +#: htdocs/luci-static/resources/view/homeproxy/server.js:302 msgid "" "HTTP3 server behavior when authentication fails.
A 404 page will be " "returned if empty." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:708 -#: htdocs/luci-static/resources/view/homeproxy/server.js:322 +#: htdocs/luci-static/resources/view/homeproxy/node.js:716 +#: htdocs/luci-static/resources/view/homeproxy/server.js:385 msgid "HTTPUpgrade" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:651 +#: htdocs/luci-static/resources/view/homeproxy/server.js:714 msgid "Handshake server address" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:657 +#: htdocs/luci-static/resources/view/homeproxy/server.js:720 msgid "Handshake server port" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:656 -#: htdocs/luci-static/resources/view/homeproxy/server.js:294 +#: htdocs/luci-static/resources/view/homeproxy/node.js:664 +#: htdocs/luci-static/resources/view/homeproxy/server.js:357 msgid "Heartbeat interval" msgstr "" @@ -852,62 +860,62 @@ msgstr "" msgid "HomeProxy" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:37 -#: htdocs/luci-static/resources/view/homeproxy/server.js:39 -#: htdocs/luci-static/resources/view/homeproxy/server.js:56 +#: htdocs/luci-static/resources/view/homeproxy/server.js:38 +#: htdocs/luci-static/resources/view/homeproxy/server.js:40 +#: htdocs/luci-static/resources/view/homeproxy/server.js:97 msgid "HomeProxy Server" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:757 -#: htdocs/luci-static/resources/view/homeproxy/node.js:762 -#: htdocs/luci-static/resources/view/homeproxy/node.js:796 -#: htdocs/luci-static/resources/view/homeproxy/server.js:355 -#: htdocs/luci-static/resources/view/homeproxy/server.js:360 -#: htdocs/luci-static/resources/view/homeproxy/server.js:391 +#: htdocs/luci-static/resources/view/homeproxy/node.js:765 +#: htdocs/luci-static/resources/view/homeproxy/node.js:770 +#: htdocs/luci-static/resources/view/homeproxy/node.js:804 +#: htdocs/luci-static/resources/view/homeproxy/server.js:418 +#: htdocs/luci-static/resources/view/homeproxy/server.js:423 +#: htdocs/luci-static/resources/view/homeproxy/server.js:454 msgid "Host" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:436 -#: htdocs/luci-static/resources/view/homeproxy/client.js:768 +#: htdocs/luci-static/resources/view/homeproxy/client.js:445 +#: htdocs/luci-static/resources/view/homeproxy/client.js:777 msgid "Host fields" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:597 +#: htdocs/luci-static/resources/view/homeproxy/node.js:605 msgid "Host key" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:602 +#: htdocs/luci-static/resources/view/homeproxy/node.js:610 msgid "Host key algorithms" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:281 +#: htdocs/luci-static/resources/view/homeproxy/server.js:344 msgid "" "How long the server should wait for the client to send the authentication " "command (in seconds)." msgstr "" #: htdocs/luci-static/resources/view/homeproxy/node.js:397 -#: htdocs/luci-static/resources/view/homeproxy/server.js:106 +#: htdocs/luci-static/resources/view/homeproxy/server.js:147 msgid "Hysteria" msgstr "" #: htdocs/luci-static/resources/view/homeproxy/node.js:398 -#: htdocs/luci-static/resources/view/homeproxy/server.js:107 +#: htdocs/luci-static/resources/view/homeproxy/server.js:148 msgid "Hysteria2" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:511 -#: htdocs/luci-static/resources/view/homeproxy/client.js:856 +#: htdocs/luci-static/resources/view/homeproxy/client.js:520 +#: htdocs/luci-static/resources/view/homeproxy/client.js:865 msgid "IP CIDR" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:464 -#: htdocs/luci-static/resources/view/homeproxy/client.js:796 +#: htdocs/luci-static/resources/view/homeproxy/client.js:473 +#: htdocs/luci-static/resources/view/homeproxy/client.js:805 msgid "IP version" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:466 -#: htdocs/luci-static/resources/view/homeproxy/client.js:797 +#: htdocs/luci-static/resources/view/homeproxy/client.js:475 +#: htdocs/luci-static/resources/view/homeproxy/client.js:806 msgid "IPv4" msgstr "" @@ -915,8 +923,8 @@ msgstr "" msgid "IPv4 only" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:467 -#: htdocs/luci-static/resources/view/homeproxy/client.js:798 +#: htdocs/luci-static/resources/view/homeproxy/client.js:476 +#: htdocs/luci-static/resources/view/homeproxy/client.js:807 msgid "IPv6" msgstr "" @@ -928,77 +936,82 @@ msgstr "" msgid "IPv6 support" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:778 -#: htdocs/luci-static/resources/view/homeproxy/server.js:374 +#: htdocs/luci-static/resources/view/homeproxy/node.js:786 +#: htdocs/luci-static/resources/view/homeproxy/server.js:437 msgid "Idle timeout" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:749 +#: htdocs/luci-static/resources/view/homeproxy/node.js:757 msgid "" "If enabled, the client transport sends keepalive pings even with no active " "connections." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:724 +#: htdocs/luci-static/resources/view/homeproxy/server.js:794 msgid "" "If set, the requested domain name will be resolved to IP before routing." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:377 +#: htdocs/luci-static/resources/view/homeproxy/client.js:386 msgid "" "If set, the server domain name will be resolved to IP before connecting.
dns.strategy will be used if empty." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:734 -#: htdocs/luci-static/resources/view/homeproxy/server.js:343 +#: htdocs/luci-static/resources/view/homeproxy/node.js:742 +#: htdocs/luci-static/resources/view/homeproxy/server.js:406 msgid "" "If the transport doesn't see any activity after a duration of this time (in " "seconds), it pings the client to check if the connection is still active." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1008 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1016 msgid "" "If you have the root certificate, use this option instead of allowing " "insecure." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:243 +#: htdocs/luci-static/resources/view/homeproxy/server.js:295 msgid "Ignore client bandwidth" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1217 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1225 msgid "Import" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1164 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1243 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1245 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1172 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1251 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1253 msgid "Import share links" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:636 +#: htdocs/luci-static/resources/view/homeproxy/client.js:317 +#: htdocs/luci-static/resources/view/homeproxy/server.js:783 +msgid "In seconds. 300 is used by default." +msgstr "" + +#: htdocs/luci-static/resources/view/homeproxy/client.js:645 msgid "Independent cache per server" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1063 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1072 msgid "Interface Control" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:657 -#: htdocs/luci-static/resources/view/homeproxy/server.js:295 +#: htdocs/luci-static/resources/view/homeproxy/node.js:665 +#: htdocs/luci-static/resources/view/homeproxy/server.js:358 msgid "" "Interval for sending heartbeat packets for keeping the connection alive (in " "seconds)." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:576 -#: htdocs/luci-static/resources/view/homeproxy/client.js:909 +#: htdocs/luci-static/resources/view/homeproxy/client.js:585 +#: htdocs/luci-static/resources/view/homeproxy/client.js:918 msgid "Invert" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:577 -#: htdocs/luci-static/resources/view/homeproxy/client.js:910 +#: htdocs/luci-static/resources/view/homeproxy/client.js:586 +#: htdocs/luci-static/resources/view/homeproxy/client.js:919 msgid "Invert match result." msgstr "" @@ -1006,26 +1019,26 @@ msgstr "" msgid "It MUST support TCP query." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:682 +#: htdocs/luci-static/resources/view/homeproxy/server.js:745 msgid "Key path" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1077 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1086 msgid "LAN IP Policy" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:359 -#: htdocs/luci-static/resources/view/homeproxy/client.js:441 -#: htdocs/luci-static/resources/view/homeproxy/client.js:672 -#: htdocs/luci-static/resources/view/homeproxy/client.js:773 -#: htdocs/luci-static/resources/view/homeproxy/client.js:982 +#: htdocs/luci-static/resources/view/homeproxy/client.js:368 +#: htdocs/luci-static/resources/view/homeproxy/client.js:450 +#: htdocs/luci-static/resources/view/homeproxy/client.js:681 +#: htdocs/luci-static/resources/view/homeproxy/client.js:782 +#: htdocs/luci-static/resources/view/homeproxy/client.js:991 #: htdocs/luci-static/resources/view/homeproxy/node.js:388 -#: htdocs/luci-static/resources/view/homeproxy/server.js:92 +#: htdocs/luci-static/resources/view/homeproxy/server.js:133 msgid "Label" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:672 -#: htdocs/luci-static/resources/view/homeproxy/server.js:310 +#: htdocs/luci-static/resources/view/homeproxy/node.js:680 +#: htdocs/luci-static/resources/view/homeproxy/server.js:373 msgid "" "Legacy protocol support (VMess MD5 Authentication) is provided for " "compatibility purposes only, use of alterId > 1 is not recommended." @@ -1035,29 +1048,29 @@ msgstr "" msgid "Less compatibility and sometimes better performance." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:550 +#: htdocs/luci-static/resources/view/homeproxy/server.js:613 msgid "Let's Encrypt" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:834 +#: htdocs/luci-static/resources/view/homeproxy/node.js:842 msgid "" "List of IP (v4 or v6) addresses prefixes to be assigned to the interface." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:970 -#: htdocs/luci-static/resources/view/homeproxy/server.js:486 +#: htdocs/luci-static/resources/view/homeproxy/node.js:978 +#: htdocs/luci-static/resources/view/homeproxy/server.js:549 msgid "List of supported application level protocols, in order of preference." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:119 +#: htdocs/luci-static/resources/view/homeproxy/server.js:160 msgid "Listen address" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1065 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1074 msgid "Listen interfaces" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:124 +#: htdocs/luci-static/resources/view/homeproxy/server.js:165 msgid "Listen port" msgstr "" @@ -1065,11 +1078,11 @@ msgstr "" msgid "Loading" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:993 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1002 msgid "Local" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:833 +#: htdocs/luci-static/resources/view/homeproxy/node.js:841 msgid "Local address" msgstr "" @@ -1081,7 +1094,7 @@ msgstr "" msgid "Log is empty." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:867 +#: htdocs/luci-static/resources/view/homeproxy/node.js:875 msgid "MTU" msgstr "" @@ -1093,182 +1106,182 @@ msgstr "" msgid "Main node" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:905 +#: htdocs/luci-static/resources/view/homeproxy/client.js:914 msgid "Make ipcidr in rule sets match the source IP." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:571 +#: htdocs/luci-static/resources/view/homeproxy/client.js:580 msgid "Make IP CIDR in rule set used to match the source IP." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:637 +#: htdocs/luci-static/resources/view/homeproxy/client.js:646 msgid "" "Make each DNS server's cache independent for special purposes. If enabled, " "will slightly degrade performance." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:249 +#: htdocs/luci-static/resources/view/homeproxy/server.js:301 msgid "Masquerade" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:915 +#: htdocs/luci-static/resources/view/homeproxy/client.js:924 msgid "Match .outbounds[].server domains." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:857 +#: htdocs/luci-static/resources/view/homeproxy/client.js:866 msgid "Match IP CIDR with query response." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:512 +#: htdocs/luci-static/resources/view/homeproxy/client.js:521 msgid "Match IP CIDR." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:489 -#: htdocs/luci-static/resources/view/homeproxy/client.js:825 +#: htdocs/luci-static/resources/view/homeproxy/client.js:498 +#: htdocs/luci-static/resources/view/homeproxy/client.js:834 msgid "Match domain suffix." msgstr "" +#: htdocs/luci-static/resources/view/homeproxy/client.js:502 +#: htdocs/luci-static/resources/view/homeproxy/client.js:838 +msgid "Match domain using keyword." +msgstr "" + +#: htdocs/luci-static/resources/view/homeproxy/client.js:506 +#: htdocs/luci-static/resources/view/homeproxy/client.js:842 +msgid "Match domain using regular expression." +msgstr "" + #: htdocs/luci-static/resources/view/homeproxy/client.js:493 #: htdocs/luci-static/resources/view/homeproxy/client.js:829 -msgid "Match domain using keyword." -msgstr "" - -#: htdocs/luci-static/resources/view/homeproxy/client.js:497 -#: htdocs/luci-static/resources/view/homeproxy/client.js:833 -msgid "Match domain using regular expression." -msgstr "" - -#: htdocs/luci-static/resources/view/homeproxy/client.js:484 -#: htdocs/luci-static/resources/view/homeproxy/client.js:820 msgid "Match full domain." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:538 -#: htdocs/luci-static/resources/view/homeproxy/client.js:842 +#: htdocs/luci-static/resources/view/homeproxy/client.js:547 +#: htdocs/luci-static/resources/view/homeproxy/client.js:851 msgid "Match port range. Format as START:/:END/START:END." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:533 -#: htdocs/luci-static/resources/view/homeproxy/client.js:837 +#: htdocs/luci-static/resources/view/homeproxy/client.js:542 +#: htdocs/luci-static/resources/view/homeproxy/client.js:846 msgid "Match port." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:862 +#: htdocs/luci-static/resources/view/homeproxy/client.js:871 msgid "Match private IP with query response." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:517 +#: htdocs/luci-static/resources/view/homeproxy/client.js:526 msgid "Match private IP." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:506 -#: htdocs/luci-static/resources/view/homeproxy/client.js:852 +#: htdocs/luci-static/resources/view/homeproxy/client.js:515 +#: htdocs/luci-static/resources/view/homeproxy/client.js:861 msgid "Match private source IP." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:543 -#: htdocs/luci-static/resources/view/homeproxy/client.js:877 +#: htdocs/luci-static/resources/view/homeproxy/client.js:552 +#: htdocs/luci-static/resources/view/homeproxy/client.js:886 msgid "Match process name." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:547 -#: htdocs/luci-static/resources/view/homeproxy/client.js:881 +#: htdocs/luci-static/resources/view/homeproxy/client.js:556 +#: htdocs/luci-static/resources/view/homeproxy/client.js:890 msgid "Match process path." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:803 +#: htdocs/luci-static/resources/view/homeproxy/client.js:812 msgid "Match query type." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:555 -#: htdocs/luci-static/resources/view/homeproxy/client.js:889 +#: htdocs/luci-static/resources/view/homeproxy/client.js:564 +#: htdocs/luci-static/resources/view/homeproxy/client.js:898 msgid "Match rule set." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:501 -#: htdocs/luci-static/resources/view/homeproxy/client.js:847 +#: htdocs/luci-static/resources/view/homeproxy/client.js:510 +#: htdocs/luci-static/resources/view/homeproxy/client.js:856 msgid "Match source IP CIDR." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:570 +#: htdocs/luci-static/resources/view/homeproxy/client.js:579 msgid "Match source IP via rule set" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:528 -#: htdocs/luci-static/resources/view/homeproxy/client.js:872 +#: htdocs/luci-static/resources/view/homeproxy/client.js:537 +#: htdocs/luci-static/resources/view/homeproxy/client.js:881 msgid "Match source port range. Format as START:/:END/START:END." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:523 -#: htdocs/luci-static/resources/view/homeproxy/client.js:867 +#: htdocs/luci-static/resources/view/homeproxy/client.js:532 +#: htdocs/luci-static/resources/view/homeproxy/client.js:876 msgid "Match source port." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:551 -#: htdocs/luci-static/resources/view/homeproxy/client.js:885 +#: htdocs/luci-static/resources/view/homeproxy/client.js:560 +#: htdocs/luci-static/resources/view/homeproxy/client.js:894 msgid "Match user name." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:506 -#: htdocs/luci-static/resources/view/homeproxy/server.js:179 +#: htdocs/luci-static/resources/view/homeproxy/node.js:514 +#: htdocs/luci-static/resources/view/homeproxy/server.js:231 msgid "Max download speed" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:507 -#: htdocs/luci-static/resources/view/homeproxy/server.js:180 +#: htdocs/luci-static/resources/view/homeproxy/node.js:515 +#: htdocs/luci-static/resources/view/homeproxy/server.js:232 msgid "Max download speed in Mbps." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:646 +#: htdocs/luci-static/resources/view/homeproxy/server.js:709 msgid "Max time difference" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:513 -#: htdocs/luci-static/resources/view/homeproxy/server.js:186 +#: htdocs/luci-static/resources/view/homeproxy/node.js:521 +#: htdocs/luci-static/resources/view/homeproxy/server.js:238 msgid "Max upload speed" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:514 -#: htdocs/luci-static/resources/view/homeproxy/server.js:187 +#: htdocs/luci-static/resources/view/homeproxy/node.js:522 +#: htdocs/luci-static/resources/view/homeproxy/server.js:239 msgid "Max upload speed in Mbps." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:991 -#: htdocs/luci-static/resources/view/homeproxy/server.js:498 +#: htdocs/luci-static/resources/view/homeproxy/node.js:999 +#: htdocs/luci-static/resources/view/homeproxy/server.js:561 msgid "Maximum TLS version" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:894 +#: htdocs/luci-static/resources/view/homeproxy/node.js:902 msgid "Maximum connections" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:906 +#: htdocs/luci-static/resources/view/homeproxy/node.js:914 msgid "" "Maximum multiplexed streams in a connection before opening a new connection." "
Conflict with Maximum connections and Minimum " "streams." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:905 +#: htdocs/luci-static/resources/view/homeproxy/node.js:913 msgid "Maximum streams" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:772 -#: htdocs/luci-static/resources/view/homeproxy/server.js:370 +#: htdocs/luci-static/resources/view/homeproxy/node.js:780 +#: htdocs/luci-static/resources/view/homeproxy/server.js:433 msgid "Method" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:983 -#: htdocs/luci-static/resources/view/homeproxy/server.js:490 +#: htdocs/luci-static/resources/view/homeproxy/node.js:991 +#: htdocs/luci-static/resources/view/homeproxy/server.js:553 msgid "Minimum TLS version" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:900 +#: htdocs/luci-static/resources/view/homeproxy/node.js:908 msgid "" "Minimum multiplexed streams in a connection before opening a new connection." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:899 +#: htdocs/luci-static/resources/view/homeproxy/node.js:907 msgid "Minimum streams" msgstr "" @@ -1280,77 +1293,77 @@ msgstr "" msgid "Mixed system TCP stack and gVisor UDP stack." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:451 -#: htdocs/luci-static/resources/view/homeproxy/client.js:783 +#: htdocs/luci-static/resources/view/homeproxy/client.js:460 +#: htdocs/luci-static/resources/view/homeproxy/client.js:792 msgid "Mode" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1106 -#: htdocs/luci-static/resources/view/homeproxy/server.js:708 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1114 +#: htdocs/luci-static/resources/view/homeproxy/server.js:771 msgid "MultiPath TCP" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:876 -#: htdocs/luci-static/resources/view/homeproxy/server.js:418 +#: htdocs/luci-static/resources/view/homeproxy/node.js:884 +#: htdocs/luci-static/resources/view/homeproxy/server.js:481 msgid "Multiplex" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:885 +#: htdocs/luci-static/resources/view/homeproxy/node.js:893 msgid "Multiplex protocol." msgstr "" #: htdocs/luci-static/resources/view/homeproxy/client.js:57 -#: htdocs/luci-static/resources/view/homeproxy/server.js:39 +#: htdocs/luci-static/resources/view/homeproxy/server.js:40 msgid "NOT RUNNING" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1331 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1339 msgid "NOTE: Save current settings before updating subscriptions." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:638 +#: htdocs/luci-static/resources/view/homeproxy/node.js:646 msgid "Native" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:108 +#: htdocs/luci-static/resources/view/homeproxy/server.js:149 msgid "NaïveProxy" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:478 -#: htdocs/luci-static/resources/view/homeproxy/client.js:806 -#: htdocs/luci-static/resources/view/homeproxy/server.js:729 +#: htdocs/luci-static/resources/view/homeproxy/client.js:487 +#: htdocs/luci-static/resources/view/homeproxy/client.js:815 +#: htdocs/luci-static/resources/view/homeproxy/server.js:799 msgid "Network" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:628 +#: htdocs/luci-static/resources/view/homeproxy/node.js:636 msgid "New Reno" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:704 -#: htdocs/luci-static/resources/view/homeproxy/node.js:721 -#: htdocs/luci-static/resources/view/homeproxy/server.js:318 -#: htdocs/luci-static/resources/view/homeproxy/server.js:335 +#: htdocs/luci-static/resources/view/homeproxy/node.js:712 +#: htdocs/luci-static/resources/view/homeproxy/node.js:729 +#: htdocs/luci-static/resources/view/homeproxy/server.js:381 +#: htdocs/luci-static/resources/view/homeproxy/server.js:398 msgid "No TCP transport, plain HTTP is merged into the HTTP transport." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:719 -#: htdocs/luci-static/resources/view/homeproxy/server.js:333 +#: htdocs/luci-static/resources/view/homeproxy/node.js:727 +#: htdocs/luci-static/resources/view/homeproxy/server.js:396 msgid "No additional encryption support: It's basically duplicate encryption." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1347 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1355 msgid "No subscription available" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1372 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1380 msgid "No subscription node" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1203 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1211 msgid "No valid share link found." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:369 +#: htdocs/luci-static/resources/view/homeproxy/client.js:378 #: htdocs/luci-static/resources/view/homeproxy/node.js:363 msgid "Node" msgstr "" @@ -1359,29 +1372,29 @@ msgstr "" msgid "Node Settings" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1153 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1161 msgid "Nodes" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:692 -#: htdocs/luci-static/resources/view/homeproxy/node.js:666 -#: htdocs/luci-static/resources/view/homeproxy/node.js:705 -#: htdocs/luci-static/resources/view/homeproxy/server.js:304 -#: htdocs/luci-static/resources/view/homeproxy/server.js:319 +#: htdocs/luci-static/resources/view/homeproxy/client.js:701 +#: htdocs/luci-static/resources/view/homeproxy/node.js:674 +#: htdocs/luci-static/resources/view/homeproxy/node.js:713 +#: htdocs/luci-static/resources/view/homeproxy/server.js:367 +#: htdocs/luci-static/resources/view/homeproxy/server.js:382 msgid "None" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:501 -#: htdocs/luci-static/resources/view/homeproxy/server.js:211 +#: htdocs/luci-static/resources/view/homeproxy/node.js:509 +#: htdocs/luci-static/resources/view/homeproxy/server.js:263 msgid "Obfuscate password" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:495 -#: htdocs/luci-static/resources/view/homeproxy/server.js:205 +#: htdocs/luci-static/resources/view/homeproxy/node.js:503 +#: htdocs/luci-static/resources/view/homeproxy/server.js:257 msgid "Obfuscate type" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1066 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1075 msgid "Only process traffic from specific interfaces. Leave empty for all." msgstr "" @@ -1389,20 +1402,20 @@ msgstr "" msgid "Only proxy mainland China" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:435 -#: htdocs/luci-static/resources/view/homeproxy/client.js:767 +#: htdocs/luci-static/resources/view/homeproxy/client.js:444 +#: htdocs/luci-static/resources/view/homeproxy/client.js:776 msgid "Other fields" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:389 -#: htdocs/luci-static/resources/view/homeproxy/client.js:581 -#: htdocs/luci-static/resources/view/homeproxy/client.js:729 -#: htdocs/luci-static/resources/view/homeproxy/client.js:914 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1033 +#: htdocs/luci-static/resources/view/homeproxy/client.js:398 +#: htdocs/luci-static/resources/view/homeproxy/client.js:590 +#: htdocs/luci-static/resources/view/homeproxy/client.js:738 +#: htdocs/luci-static/resources/view/homeproxy/client.js:923 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1042 msgid "Outbound" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:370 +#: htdocs/luci-static/resources/view/homeproxy/client.js:379 msgid "Outbound node" msgstr "" @@ -1410,8 +1423,8 @@ msgstr "" msgid "Override address" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:321 -#: htdocs/luci-static/resources/view/homeproxy/server.js:719 +#: htdocs/luci-static/resources/view/homeproxy/client.js:330 +#: htdocs/luci-static/resources/view/homeproxy/server.js:789 msgid "Override destination" msgstr "" @@ -1419,8 +1432,8 @@ msgstr "" msgid "Override port" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:322 -#: htdocs/luci-static/resources/view/homeproxy/server.js:720 +#: htdocs/luci-static/resources/view/homeproxy/client.js:331 +#: htdocs/luci-static/resources/view/homeproxy/server.js:790 msgid "Override the connection destination address with the sniffed domain." msgstr "" @@ -1432,28 +1445,28 @@ msgstr "" msgid "Override the connection destination port." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:774 +#: htdocs/luci-static/resources/view/homeproxy/node.js:782 msgid "PUT" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:817 +#: htdocs/luci-static/resources/view/homeproxy/node.js:825 msgid "Packet encoding" msgstr "" #: htdocs/luci-static/resources/view/homeproxy/node.js:429 -#: htdocs/luci-static/resources/view/homeproxy/server.js:135 +#: htdocs/luci-static/resources/view/homeproxy/server.js:176 msgid "Password" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1004 -#: htdocs/luci-static/resources/view/homeproxy/node.js:767 -#: htdocs/luci-static/resources/view/homeproxy/node.js:800 -#: htdocs/luci-static/resources/view/homeproxy/server.js:365 -#: htdocs/luci-static/resources/view/homeproxy/server.js:395 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1013 +#: htdocs/luci-static/resources/view/homeproxy/node.js:775 +#: htdocs/luci-static/resources/view/homeproxy/node.js:808 +#: htdocs/luci-static/resources/view/homeproxy/server.js:428 +#: htdocs/luci-static/resources/view/homeproxy/server.js:458 msgid "Path" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:848 +#: htdocs/luci-static/resources/view/homeproxy/node.js:856 msgid "Peer pubkic key" msgstr "" @@ -1463,21 +1476,21 @@ msgid "" "it is not needed." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:786 -#: htdocs/luci-static/resources/view/homeproxy/server.js:382 +#: htdocs/luci-static/resources/view/homeproxy/node.js:794 +#: htdocs/luci-static/resources/view/homeproxy/server.js:445 msgid "Ping timeout" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:558 +#: htdocs/luci-static/resources/view/homeproxy/node.js:566 msgid "Plugin" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:565 +#: htdocs/luci-static/resources/view/homeproxy/node.js:573 msgid "Plugin opts" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:532 -#: htdocs/luci-static/resources/view/homeproxy/client.js:836 +#: htdocs/luci-static/resources/view/homeproxy/client.js:541 +#: htdocs/luci-static/resources/view/homeproxy/client.js:845 #: htdocs/luci-static/resources/view/homeproxy/node.js:418 msgid "Port" msgstr "" @@ -1486,17 +1499,17 @@ msgstr "" msgid "Port %s alrealy exists!" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:437 -#: htdocs/luci-static/resources/view/homeproxy/client.js:769 +#: htdocs/luci-static/resources/view/homeproxy/client.js:446 +#: htdocs/luci-static/resources/view/homeproxy/client.js:778 msgid "Port fields" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:537 -#: htdocs/luci-static/resources/view/homeproxy/client.js:841 +#: htdocs/luci-static/resources/view/homeproxy/client.js:546 +#: htdocs/luci-static/resources/view/homeproxy/client.js:850 msgid "Port range" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:855 +#: htdocs/luci-static/resources/view/homeproxy/node.js:863 msgid "Pre-shared key" msgstr "" @@ -1508,80 +1521,80 @@ msgstr "" msgid "Prefer IPv6" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:516 -#: htdocs/luci-static/resources/view/homeproxy/client.js:861 +#: htdocs/luci-static/resources/view/homeproxy/client.js:525 +#: htdocs/luci-static/resources/view/homeproxy/client.js:870 msgid "Private IP" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:606 -#: htdocs/luci-static/resources/view/homeproxy/node.js:840 +#: htdocs/luci-static/resources/view/homeproxy/node.js:614 +#: htdocs/luci-static/resources/view/homeproxy/node.js:848 msgid "Private key" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:611 +#: htdocs/luci-static/resources/view/homeproxy/node.js:619 msgid "Private key passphrase" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:505 -#: htdocs/luci-static/resources/view/homeproxy/client.js:851 +#: htdocs/luci-static/resources/view/homeproxy/client.js:514 +#: htdocs/luci-static/resources/view/homeproxy/client.js:860 msgid "Private source IP" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:542 -#: htdocs/luci-static/resources/view/homeproxy/client.js:876 +#: htdocs/luci-static/resources/view/homeproxy/client.js:551 +#: htdocs/luci-static/resources/view/homeproxy/client.js:885 msgid "Process name" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:546 -#: htdocs/luci-static/resources/view/homeproxy/client.js:880 +#: htdocs/luci-static/resources/view/homeproxy/client.js:555 +#: htdocs/luci-static/resources/view/homeproxy/client.js:889 msgid "Process path" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:471 -#: htdocs/luci-static/resources/view/homeproxy/client.js:811 -#: htdocs/luci-static/resources/view/homeproxy/node.js:472 -#: htdocs/luci-static/resources/view/homeproxy/node.js:884 -#: htdocs/luci-static/resources/view/homeproxy/server.js:168 +#: htdocs/luci-static/resources/view/homeproxy/client.js:480 +#: htdocs/luci-static/resources/view/homeproxy/client.js:820 +#: htdocs/luci-static/resources/view/homeproxy/node.js:480 +#: htdocs/luci-static/resources/view/homeproxy/node.js:892 +#: htdocs/luci-static/resources/view/homeproxy/server.js:220 msgid "Protocol" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:696 +#: htdocs/luci-static/resources/view/homeproxy/node.js:704 msgid "Protocol parameter. Enable length block encryption." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:689 +#: htdocs/luci-static/resources/view/homeproxy/node.js:697 msgid "" "Protocol parameter. Will waste traffic randomly if enabled (enabled by " "default in v2ray and cannot be disabled)." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1140 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1149 msgid "Proxy Domain List" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1095 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1124 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1104 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1133 msgid "Proxy IPv4 IP-s" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1098 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1127 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1107 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1136 msgid "Proxy IPv6 IP-s" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1101 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1110 msgid "Proxy MAC-s" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1082 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1091 msgid "Proxy all except listed" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1079 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1088 msgid "Proxy filter mode" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1081 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1090 msgid "Proxy listed only" msgstr "" @@ -1589,73 +1602,77 @@ msgstr "" msgid "Proxy mode" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:475 -#: htdocs/luci-static/resources/view/homeproxy/client.js:815 -#: htdocs/luci-static/resources/view/homeproxy/node.js:639 -#: htdocs/luci-static/resources/view/homeproxy/node.js:709 -#: htdocs/luci-static/resources/view/homeproxy/server.js:323 +#: htdocs/luci-static/resources/view/homeproxy/node.js:471 +msgid "Proxy protocol" +msgstr "" + +#: htdocs/luci-static/resources/view/homeproxy/client.js:484 +#: htdocs/luci-static/resources/view/homeproxy/client.js:824 +#: htdocs/luci-static/resources/view/homeproxy/node.js:647 +#: htdocs/luci-static/resources/view/homeproxy/node.js:717 +#: htdocs/luci-static/resources/view/homeproxy/server.js:386 msgid "QUIC" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:626 -#: htdocs/luci-static/resources/view/homeproxy/server.js:272 +#: htdocs/luci-static/resources/view/homeproxy/node.js:634 +#: htdocs/luci-static/resources/view/homeproxy/server.js:335 msgid "QUIC congestion control algorithm." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:526 -#: htdocs/luci-static/resources/view/homeproxy/server.js:223 +#: htdocs/luci-static/resources/view/homeproxy/node.js:534 +#: htdocs/luci-static/resources/view/homeproxy/server.js:275 msgid "QUIC connection receive window" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:230 +#: htdocs/luci-static/resources/view/homeproxy/server.js:282 msgid "QUIC maximum concurrent bidirectional streams" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:520 -#: htdocs/luci-static/resources/view/homeproxy/server.js:216 +#: htdocs/luci-static/resources/view/homeproxy/node.js:528 +#: htdocs/luci-static/resources/view/homeproxy/server.js:268 msgid "QUIC stream receive window" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:802 +#: htdocs/luci-static/resources/view/homeproxy/client.js:811 msgid "Query type" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:652 +#: htdocs/luci-static/resources/view/homeproxy/client.js:661 msgid "RDRC timeout" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1085 -#: htdocs/luci-static/resources/view/homeproxy/server.js:630 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1093 +#: htdocs/luci-static/resources/view/homeproxy/server.js:693 msgid "REALITY" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:636 +#: htdocs/luci-static/resources/view/homeproxy/server.js:699 msgid "REALITY private key" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1090 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1098 msgid "REALITY public key" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1095 -#: htdocs/luci-static/resources/view/homeproxy/server.js:641 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1103 +#: htdocs/luci-static/resources/view/homeproxy/server.js:704 msgid "REALITY short ID" msgstr "" #: htdocs/luci-static/resources/view/homeproxy/client.js:55 -#: htdocs/luci-static/resources/view/homeproxy/server.js:37 +#: htdocs/luci-static/resources/view/homeproxy/server.js:38 msgid "RUNNING" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:593 +#: htdocs/luci-static/resources/view/homeproxy/node.js:601 msgid "Random version will be used if empty." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:414 +#: htdocs/luci-static/resources/view/homeproxy/client.js:423 msgid "Recursive outbound detected!" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:711 +#: htdocs/luci-static/resources/view/homeproxy/client.js:720 msgid "Recursive resolver detected!" msgstr "" @@ -1675,27 +1692,27 @@ msgstr "" msgid "Refresh every %s seconds." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:579 +#: htdocs/luci-static/resources/view/homeproxy/server.js:642 msgid "Region ID" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:994 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1003 msgid "Remote" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1369 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1377 msgid "Remove %s nodes" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1359 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1367 msgid "Remove all nodes from subscriptions" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:862 +#: htdocs/luci-static/resources/view/homeproxy/node.js:870 msgid "Reserved field bytes" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:724 +#: htdocs/luci-static/resources/view/homeproxy/client.js:733 msgid "Resolve strategy" msgstr "" @@ -1703,19 +1720,19 @@ msgstr "" msgid "Resources management" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:956 +#: htdocs/luci-static/resources/view/homeproxy/client.js:965 msgid "Rewrite TTL" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:957 +#: htdocs/luci-static/resources/view/homeproxy/client.js:966 msgid "Rewrite TTL in DNS responses." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:346 +#: htdocs/luci-static/resources/view/homeproxy/client.js:355 msgid "Routing Nodes" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:422 +#: htdocs/luci-static/resources/view/homeproxy/client.js:431 msgid "Routing Rules" msgstr "" @@ -1727,7 +1744,7 @@ msgstr "" msgid "Routing mode" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:355 +#: htdocs/luci-static/resources/view/homeproxy/client.js:364 msgid "Routing node" msgstr "" @@ -1735,32 +1752,32 @@ msgstr "" msgid "Routing ports" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:431 +#: htdocs/luci-static/resources/view/homeproxy/client.js:440 msgid "Routing rule" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:554 -#: htdocs/luci-static/resources/view/homeproxy/client.js:888 -#: htdocs/luci-static/resources/view/homeproxy/client.js:969 +#: htdocs/luci-static/resources/view/homeproxy/client.js:563 +#: htdocs/luci-static/resources/view/homeproxy/client.js:897 #: htdocs/luci-static/resources/view/homeproxy/client.js:978 +#: htdocs/luci-static/resources/view/homeproxy/client.js:987 msgid "Rule set" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:904 +#: htdocs/luci-static/resources/view/homeproxy/client.js:913 msgid "Rule set IP CIDR as source IP" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1011 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1020 msgid "Rule set URL" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:438 -#: htdocs/luci-static/resources/view/homeproxy/client.js:770 +#: htdocs/luci-static/resources/view/homeproxy/client.js:447 +#: htdocs/luci-static/resources/view/homeproxy/client.js:779 msgid "SRC-IP fields" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:439 -#: htdocs/luci-static/resources/view/homeproxy/client.js:771 +#: htdocs/luci-static/resources/view/homeproxy/client.js:448 +#: htdocs/luci-static/resources/view/homeproxy/client.js:780 msgid "SRC-Port fields" msgstr "" @@ -1768,17 +1785,17 @@ msgstr "" msgid "SSH" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:476 -#: htdocs/luci-static/resources/view/homeproxy/client.js:817 +#: htdocs/luci-static/resources/view/homeproxy/client.js:485 +#: htdocs/luci-static/resources/view/homeproxy/client.js:826 msgid "STUN" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1122 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1130 msgid "SUoT version" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:497 -#: htdocs/luci-static/resources/view/homeproxy/server.js:207 +#: htdocs/luci-static/resources/view/homeproxy/node.js:505 +#: htdocs/luci-static/resources/view/homeproxy/server.js:259 msgid "Salamander" msgstr "" @@ -1786,16 +1803,16 @@ msgstr "" msgid "Same as main node" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1333 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1341 msgid "Save current settings" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1330 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1338 msgid "Save subscriptions settings" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:932 -#: htdocs/luci-static/resources/view/homeproxy/server.js:88 +#: htdocs/luci-static/resources/view/homeproxy/client.js:941 +#: htdocs/luci-static/resources/view/homeproxy/server.js:129 msgid "Server" msgstr "" @@ -1803,13 +1820,13 @@ msgstr "" msgid "Server Settings" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:528 +#: htdocs/luci-static/resources/view/homeproxy/server.js:591 msgid "" "Server name to use when choosing a certificate if the ClientHello's " "ServerName field is empty." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:83 +#: htdocs/luci-static/resources/view/homeproxy/server.js:124 msgid "Server settings" msgstr "" @@ -1821,64 +1838,64 @@ msgstr "" msgid "ShadowTLS" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:572 +#: htdocs/luci-static/resources/view/homeproxy/node.js:580 msgid "ShadowTLS version" msgstr "" #: htdocs/luci-static/resources/view/homeproxy/node.js:400 -#: htdocs/luci-static/resources/view/homeproxy/server.js:110 +#: htdocs/luci-static/resources/view/homeproxy/server.js:151 msgid "Shadowsocks" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:472 -#: htdocs/luci-static/resources/view/homeproxy/client.js:812 +#: htdocs/luci-static/resources/view/homeproxy/client.js:481 +#: htdocs/luci-static/resources/view/homeproxy/client.js:821 msgid "" "Sniffed protocol, see Sniff for details." msgstr "" #: htdocs/luci-static/resources/view/homeproxy/node.js:402 -#: htdocs/luci-static/resources/view/homeproxy/server.js:111 +#: htdocs/luci-static/resources/view/homeproxy/server.js:152 msgid "Socks" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:582 +#: htdocs/luci-static/resources/view/homeproxy/node.js:590 msgid "Socks version" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:583 +#: htdocs/luci-static/resources/view/homeproxy/node.js:591 msgid "Socks4" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:584 +#: htdocs/luci-static/resources/view/homeproxy/node.js:592 msgid "Socks4A" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:585 +#: htdocs/luci-static/resources/view/homeproxy/node.js:593 msgid "Socks5" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:500 -#: htdocs/luci-static/resources/view/homeproxy/client.js:846 +#: htdocs/luci-static/resources/view/homeproxy/client.js:509 +#: htdocs/luci-static/resources/view/homeproxy/client.js:855 msgid "Source IP CIDR" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:999 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1008 msgid "Source file" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:522 -#: htdocs/luci-static/resources/view/homeproxy/client.js:866 +#: htdocs/luci-static/resources/view/homeproxy/client.js:531 +#: htdocs/luci-static/resources/view/homeproxy/client.js:875 msgid "Source port" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:527 -#: htdocs/luci-static/resources/view/homeproxy/client.js:871 +#: htdocs/luci-static/resources/view/homeproxy/client.js:536 +#: htdocs/luci-static/resources/view/homeproxy/client.js:880 msgid "Source port range" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:726 -#: htdocs/luci-static/resources/view/homeproxy/node.js:779 +#: htdocs/luci-static/resources/view/homeproxy/node.js:734 +#: htdocs/luci-static/resources/view/homeproxy/node.js:787 msgid "" "Specifies the period of time (in seconds) after which a health check will be " "performed using a ping frame if no frames have been received on the " @@ -1887,15 +1904,15 @@ msgid "" "will be executed every interval." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:340 -#: htdocs/luci-static/resources/view/homeproxy/server.js:375 +#: htdocs/luci-static/resources/view/homeproxy/server.js:403 +#: htdocs/luci-static/resources/view/homeproxy/server.js:438 msgid "" "Specifies the time (in seconds) until idle clients should be closed with a " "GOAWAY frame. PING frames are not considered as activity." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:730 -#: htdocs/luci-static/resources/view/homeproxy/node.js:787 +#: htdocs/luci-static/resources/view/homeproxy/node.js:738 +#: htdocs/luci-static/resources/view/homeproxy/node.js:795 msgid "" "Specifies the timeout duration (in seconds) after sending a PING frame, " "within which a response must be received.
If a response to the PING " @@ -1909,34 +1926,34 @@ msgid "" "commas." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:646 +#: htdocs/luci-static/resources/view/homeproxy/client.js:655 msgid "Store RDRC" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:647 +#: htdocs/luci-static/resources/view/homeproxy/client.js:656 msgid "" "Store rejected DNS response cache.
The check results of Address " "filter DNS rule items will be cached until expiration." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:486 -#: htdocs/luci-static/resources/view/homeproxy/server.js:196 +#: htdocs/luci-static/resources/view/homeproxy/node.js:494 +#: htdocs/luci-static/resources/view/homeproxy/server.js:248 msgid "String" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1258 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1266 msgid "Sub (%s)" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1287 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1295 msgid "Subscription URL-s" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1269 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1277 msgid "Subscriptions" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1205 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1213 msgid "Successfully imported %s nodes of total %s." msgstr "" @@ -1944,8 +1961,8 @@ msgstr "" msgid "Successfully updated." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1165 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1288 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1173 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1296 msgid "" "Support Hysteria, Shadowsocks, Trojan, v2rayN (VMess), and XTLS (VLESS) " "online configuration delivery standard." @@ -1955,20 +1972,20 @@ msgstr "" msgid "System" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:617 -#: htdocs/luci-static/resources/view/homeproxy/client.js:694 -#: htdocs/luci-static/resources/view/homeproxy/client.js:939 +#: htdocs/luci-static/resources/view/homeproxy/client.js:626 +#: htdocs/luci-static/resources/view/homeproxy/client.js:703 +#: htdocs/luci-static/resources/view/homeproxy/client.js:948 msgid "System DNS" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:479 -#: htdocs/luci-static/resources/view/homeproxy/client.js:807 -#: htdocs/luci-static/resources/view/homeproxy/server.js:730 +#: htdocs/luci-static/resources/view/homeproxy/client.js:488 +#: htdocs/luci-static/resources/view/homeproxy/client.js:816 +#: htdocs/luci-static/resources/view/homeproxy/server.js:800 msgid "TCP" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1102 -#: htdocs/luci-static/resources/view/homeproxy/server.js:702 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1110 +#: htdocs/luci-static/resources/view/homeproxy/server.js:765 msgid "TCP fast open" msgstr "" @@ -1980,51 +1997,51 @@ msgstr "" msgid "TCP/IP stack." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:474 -#: htdocs/luci-static/resources/view/homeproxy/client.js:814 -#: htdocs/luci-static/resources/view/homeproxy/node.js:937 -#: htdocs/luci-static/resources/view/homeproxy/server.js:453 +#: htdocs/luci-static/resources/view/homeproxy/client.js:483 +#: htdocs/luci-static/resources/view/homeproxy/client.js:823 +#: htdocs/luci-static/resources/view/homeproxy/node.js:945 +#: htdocs/luci-static/resources/view/homeproxy/server.js:516 msgid "TLS" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:969 -#: htdocs/luci-static/resources/view/homeproxy/server.js:485 +#: htdocs/luci-static/resources/view/homeproxy/node.js:977 +#: htdocs/luci-static/resources/view/homeproxy/server.js:548 msgid "TLS ALPN" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:964 -#: htdocs/luci-static/resources/view/homeproxy/server.js:480 +#: htdocs/luci-static/resources/view/homeproxy/node.js:972 +#: htdocs/luci-static/resources/view/homeproxy/server.js:543 msgid "TLS SNI" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:717 -#: htdocs/luci-static/resources/view/homeproxy/server.js:331 +#: htdocs/luci-static/resources/view/homeproxy/node.js:725 +#: htdocs/luci-static/resources/view/homeproxy/server.js:394 msgid "TLS is not enforced. If TLS is not configured, plain HTTP 1.1 is used." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:687 +#: htdocs/luci-static/resources/view/homeproxy/client.js:696 msgid "" "Tag of a another server to resolve the domain name in the address. Required " "if address contains domain." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:730 +#: htdocs/luci-static/resources/view/homeproxy/client.js:739 msgid "Tag of an outbound for connecting to the dns server." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1034 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1043 msgid "Tag of the outbound to download rule set." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:933 +#: htdocs/luci-static/resources/view/homeproxy/client.js:942 msgid "Tag of the target dns server." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:582 +#: htdocs/luci-static/resources/view/homeproxy/client.js:591 msgid "Tag of the target outbound." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:244 +#: htdocs/luci-static/resources/view/homeproxy/server.js:296 msgid "" "Tell the client to use the BBR flow control algorithm instead of Hysteria CC." msgstr "" @@ -2034,41 +2051,41 @@ msgstr "" msgid "Tencent Public DNS (119.29.29.29)" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:549 +#: htdocs/luci-static/resources/view/homeproxy/server.js:612 msgid "The ACME CA provider to use." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:607 +#: htdocs/luci-static/resources/view/homeproxy/client.js:616 msgid "The DNS strategy for resolving the domain name in the address." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:527 -#: htdocs/luci-static/resources/view/homeproxy/server.js:224 +#: htdocs/luci-static/resources/view/homeproxy/node.js:535 +#: htdocs/luci-static/resources/view/homeproxy/server.js:276 msgid "The QUIC connection-level flow control window for receiving data." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:521 -#: htdocs/luci-static/resources/view/homeproxy/server.js:217 +#: htdocs/luci-static/resources/view/homeproxy/node.js:529 +#: htdocs/luci-static/resources/view/homeproxy/server.js:269 msgid "The QUIC stream-level flow control window for receiving data." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:683 +#: htdocs/luci-static/resources/view/homeproxy/client.js:692 msgid "The address of the dns server. Support UDP, TCP, DoT, DoH and RCode." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:600 +#: htdocs/luci-static/resources/view/homeproxy/server.js:663 msgid "" "The alternate port to use for the ACME HTTP challenge; if non-empty, this " "port will be used instead of 80 to spin up a listener for the HTTP challenge." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:606 +#: htdocs/luci-static/resources/view/homeproxy/server.js:669 msgid "" "The alternate port to use for the ACME TLS-ALPN challenge; the system must " "forward 443 to this port for challenge to succeed." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:452 +#: htdocs/luci-static/resources/view/homeproxy/client.js:461 msgid "" "The default rule uses the following matching logic:
(domain || " "domain_suffix || domain_keyword || domain_regex || ip_cidr || " @@ -2079,7 +2096,7 @@ msgid "" "than as a single rule sub-item." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:784 +#: htdocs/luci-static/resources/view/homeproxy/client.js:793 msgid "" "The default rule uses the following matching logic:
(domain || " "domain_suffix || domain_keyword || domain_regex) &&
(port " @@ -2089,103 +2106,103 @@ msgid "" "considered merged rather than as a single rule sub-item." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:719 +#: htdocs/luci-static/resources/view/homeproxy/client.js:728 msgid "" "The domain strategy for resolving the domain name in the address. dns." "strategy will be used if empty." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1000 -#: htdocs/luci-static/resources/view/homeproxy/server.js:507 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1008 +#: htdocs/luci-static/resources/view/homeproxy/server.js:570 msgid "" "The elliptic curves that will be used in an ECDHE handshake, in preference " "order. If empty, the default will be used." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:534 +#: htdocs/luci-static/resources/view/homeproxy/server.js:597 msgid "" "The email address to use when creating or selecting an existing ACME server " "account." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:992 -#: htdocs/luci-static/resources/view/homeproxy/server.js:499 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1000 +#: htdocs/luci-static/resources/view/homeproxy/server.js:562 msgid "The maximum TLS version that is acceptable." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:231 +#: htdocs/luci-static/resources/view/homeproxy/server.js:283 msgid "" "The maximum number of QUIC concurrent bidirectional streams that a peer is " "allowed to open." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:647 +#: htdocs/luci-static/resources/view/homeproxy/server.js:710 msgid "The maximum time difference between the server and the client." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:984 -#: htdocs/luci-static/resources/view/homeproxy/server.js:491 +#: htdocs/luci-static/resources/view/homeproxy/node.js:992 +#: htdocs/luci-static/resources/view/homeproxy/server.js:554 msgid "The minimum TLS version that is acceptable." msgstr "" #: htdocs/luci-static/resources/view/homeproxy/client.js:110 -#: htdocs/luci-static/resources/view/homeproxy/server.js:57 +#: htdocs/luci-static/resources/view/homeproxy/server.js:98 msgid "The modern ImmortalWrt proxy platform for ARM64/AMD64." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:383 +#: htdocs/luci-static/resources/view/homeproxy/client.js:392 msgid "The network interface to bind to." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1014 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1022 msgid "The path to the server certificate, in PEM format." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:125 +#: htdocs/luci-static/resources/view/homeproxy/server.js:166 msgid "The port must be unique." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:683 +#: htdocs/luci-static/resources/view/homeproxy/server.js:746 msgid "The server private key, in PEM format." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:665 +#: htdocs/luci-static/resources/view/homeproxy/server.js:728 msgid "The server public key, in PEM format." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:390 +#: htdocs/luci-static/resources/view/homeproxy/client.js:399 msgid "" "The tag of the upstream outbound.
Other dial fields will be ignored when " "enabled." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:737 -#: htdocs/luci-static/resources/view/homeproxy/server.js:383 +#: htdocs/luci-static/resources/view/homeproxy/node.js:745 +#: htdocs/luci-static/resources/view/homeproxy/server.js:446 msgid "" "The timeout (in seconds) that after performing a keepalive check, the client " "will wait for activity. If no activity is detected, the connection will be " "closed." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:977 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1320 +#: htdocs/luci-static/resources/view/homeproxy/node.js:985 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1328 msgid "" "This is DANGEROUS, your traffic is almost like " "PLAIN TEXT! Use at your own risk!" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:644 +#: htdocs/luci-static/resources/view/homeproxy/node.js:652 msgid "" "This is the TUIC port of the UDP over TCP protocol, designed to provide a " "QUIC stream based UDP relay mode that TUIC does not provide." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:653 +#: htdocs/luci-static/resources/view/homeproxy/client.js:662 msgid "" "Timeout of rejected DNS response cache. 7d is used by default." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:409 +#: htdocs/luci-static/resources/view/homeproxy/server.js:472 msgid "" "To be compatible with Xray-core, set this to Sec-WebSocket-Protocol." @@ -2197,18 +2214,18 @@ msgid "" "kmod-tun" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:703 -#: htdocs/luci-static/resources/view/homeproxy/server.js:317 +#: htdocs/luci-static/resources/view/homeproxy/node.js:711 +#: htdocs/luci-static/resources/view/homeproxy/server.js:380 msgid "Transport" msgstr "" #: htdocs/luci-static/resources/view/homeproxy/node.js:404 -#: htdocs/luci-static/resources/view/homeproxy/server.js:112 +#: htdocs/luci-static/resources/view/homeproxy/server.js:153 msgid "Trojan" msgstr "" #: htdocs/luci-static/resources/view/homeproxy/node.js:406 -#: htdocs/luci-static/resources/view/homeproxy/server.js:114 +#: htdocs/luci-static/resources/view/homeproxy/server.js:155 msgid "Tuic" msgstr "" @@ -2216,41 +2233,46 @@ msgstr "" msgid "Tun TCP/UDP" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:992 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1001 #: htdocs/luci-static/resources/view/homeproxy/node.js:393 -#: htdocs/luci-static/resources/view/homeproxy/server.js:103 +#: htdocs/luci-static/resources/view/homeproxy/server.js:144 msgid "Type" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:480 -#: htdocs/luci-static/resources/view/homeproxy/client.js:808 -#: htdocs/luci-static/resources/view/homeproxy/server.js:731 +#: htdocs/luci-static/resources/view/homeproxy/client.js:489 +#: htdocs/luci-static/resources/view/homeproxy/client.js:817 +#: htdocs/luci-static/resources/view/homeproxy/server.js:801 msgid "UDP" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1110 -#: htdocs/luci-static/resources/view/homeproxy/server.js:713 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1118 +#: htdocs/luci-static/resources/view/homeproxy/server.js:776 msgid "UDP Fragment" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1115 +#: htdocs/luci-static/resources/view/homeproxy/client.js:316 +#: htdocs/luci-static/resources/view/homeproxy/server.js:782 +msgid "UDP NAT expiration time" +msgstr "" + +#: htdocs/luci-static/resources/view/homeproxy/node.js:1123 msgid "UDP over TCP" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:643 +#: htdocs/luci-static/resources/view/homeproxy/node.js:651 msgid "UDP over stream" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:636 +#: htdocs/luci-static/resources/view/homeproxy/node.js:644 msgid "UDP packet relay mode." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:635 +#: htdocs/luci-static/resources/view/homeproxy/node.js:643 msgid "UDP relay mode" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:618 -#: htdocs/luci-static/resources/view/homeproxy/server.js:264 +#: htdocs/luci-static/resources/view/homeproxy/node.js:626 +#: htdocs/luci-static/resources/view/homeproxy/server.js:316 msgid "UUID" msgstr "" @@ -2262,11 +2284,11 @@ msgstr "" msgid "Unknown error: %s" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1078 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1086 msgid "Unsupported fingerprint!" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1344 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1352 msgid "Update %s subscriptions" msgstr "" @@ -2274,83 +2296,83 @@ msgstr "" msgid "Update failed." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1051 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1060 msgid "Update interval" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1052 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1061 msgid "Update interval of rule set.
1d will be used if empty." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1339 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1347 msgid "Update nodes from subscriptions" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1283 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1291 msgid "Update subscriptions via proxy." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1276 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1284 msgid "Update time" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1282 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1290 msgid "Update via proxy" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:929 -#: htdocs/luci-static/resources/view/homeproxy/server.js:444 +#: htdocs/luci-static/resources/view/homeproxy/node.js:937 +#: htdocs/luci-static/resources/view/homeproxy/server.js:507 msgid "Upload bandwidth" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:930 -#: htdocs/luci-static/resources/view/homeproxy/server.js:445 +#: htdocs/luci-static/resources/view/homeproxy/node.js:938 +#: htdocs/luci-static/resources/view/homeproxy/server.js:508 msgid "Upload bandwidth in Mbps." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1020 -#: htdocs/luci-static/resources/view/homeproxy/server.js:674 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1028 +#: htdocs/luci-static/resources/view/homeproxy/server.js:737 msgid "Upload certificate" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:692 +#: htdocs/luci-static/resources/view/homeproxy/server.js:755 msgid "Upload key" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1023 -#: htdocs/luci-static/resources/view/homeproxy/server.js:677 -#: htdocs/luci-static/resources/view/homeproxy/server.js:695 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1031 +#: htdocs/luci-static/resources/view/homeproxy/server.js:740 +#: htdocs/luci-static/resources/view/homeproxy/server.js:758 msgid "Upload..." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:516 +#: htdocs/luci-static/resources/view/homeproxy/server.js:579 msgid "Use ACME TLS certificate issuer." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:965 -#: htdocs/luci-static/resources/view/homeproxy/server.js:481 +#: htdocs/luci-static/resources/view/homeproxy/node.js:973 +#: htdocs/luci-static/resources/view/homeproxy/server.js:544 msgid "" "Used to verify the hostname on the returned certificates unless insecure is " "given." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:550 -#: htdocs/luci-static/resources/view/homeproxy/client.js:884 +#: htdocs/luci-static/resources/view/homeproxy/client.js:559 +#: htdocs/luci-static/resources/view/homeproxy/client.js:893 msgid "User" msgstr "" #: htdocs/luci-static/resources/view/homeproxy/node.js:423 -#: htdocs/luci-static/resources/view/homeproxy/server.js:129 +#: htdocs/luci-static/resources/view/homeproxy/server.js:170 msgid "Username" msgstr "" #: htdocs/luci-static/resources/view/homeproxy/node.js:409 -#: htdocs/luci-static/resources/view/homeproxy/server.js:115 +#: htdocs/luci-static/resources/view/homeproxy/server.js:156 msgid "VLESS" msgstr "" #: htdocs/luci-static/resources/view/homeproxy/node.js:410 -#: htdocs/luci-static/resources/view/homeproxy/server.js:116 +#: htdocs/luci-static/resources/view/homeproxy/server.js:157 msgid "VMess" msgstr "" @@ -2359,16 +2381,16 @@ msgstr "" msgid "WAN DNS (read from interface)" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1122 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1131 msgid "WAN IP Policy" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:710 -#: htdocs/luci-static/resources/view/homeproxy/server.js:324 +#: htdocs/luci-static/resources/view/homeproxy/node.js:718 +#: htdocs/luci-static/resources/view/homeproxy/server.js:387 msgid "WebSocket" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1308 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1316 msgid "Whitelist mode" msgstr "" @@ -2376,25 +2398,29 @@ msgstr "" msgid "WireGuard" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:849 +#: htdocs/luci-static/resources/view/homeproxy/node.js:857 msgid "WireGuard peer public key." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:856 +#: htdocs/luci-static/resources/view/homeproxy/node.js:864 msgid "WireGuard pre-shared key." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:841 +#: htdocs/luci-static/resources/view/homeproxy/node.js:849 msgid "WireGuard requires base64-encoded private keys." msgstr "" +#: htdocs/luci-static/resources/view/homeproxy/node.js:472 +msgid "Write proxy protocol in the connection header." +msgstr "" + #: htdocs/luci-static/resources/view/homeproxy/client.js:167 #: htdocs/luci-static/resources/view/homeproxy/client.js:190 msgid "Xinfeng Public DNS (114.114.114.114)" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:820 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1328 +#: htdocs/luci-static/resources/view/homeproxy/node.js:828 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1336 msgid "Xudp (Xray-core)" msgstr "" @@ -2402,23 +2428,23 @@ msgstr "" msgid "You can only have two servers set at maximum." msgstr "" -#: htdocs/luci-static/resources/homeproxy.js:228 +#: htdocs/luci-static/resources/homeproxy.js:243 msgid "Your %s was successfully uploaded. Size: %sB." msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:551 +#: htdocs/luci-static/resources/view/homeproxy/server.js:614 msgid "ZeroSSL" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1025 -#: htdocs/luci-static/resources/view/homeproxy/server.js:679 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1033 +#: htdocs/luci-static/resources/view/homeproxy/server.js:742 msgid "certificate" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:985 #: htdocs/luci-static/resources/view/homeproxy/node.js:993 -#: htdocs/luci-static/resources/view/homeproxy/server.js:492 -#: htdocs/luci-static/resources/view/homeproxy/server.js:500 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1001 +#: htdocs/luci-static/resources/view/homeproxy/server.js:555 +#: htdocs/luci-static/resources/view/homeproxy/server.js:563 msgid "default" msgstr "" @@ -2426,17 +2452,17 @@ msgstr "" msgid "failed" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:706 -#: htdocs/luci-static/resources/view/homeproxy/server.js:320 +#: htdocs/luci-static/resources/view/homeproxy/node.js:714 +#: htdocs/luci-static/resources/view/homeproxy/server.js:383 msgid "gRPC" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:748 +#: htdocs/luci-static/resources/view/homeproxy/node.js:756 msgid "gRPC permit without stream" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:743 -#: htdocs/luci-static/resources/view/homeproxy/server.js:348 +#: htdocs/luci-static/resources/view/homeproxy/node.js:751 +#: htdocs/luci-static/resources/view/homeproxy/server.js:411 msgid "gRPC service name" msgstr "" @@ -2444,24 +2470,24 @@ msgstr "" msgid "gVisor" msgstr "" -#: htdocs/luci-static/resources/homeproxy.js:248 -#: htdocs/luci-static/resources/homeproxy.js:266 +#: htdocs/luci-static/resources/homeproxy.js:263 +#: htdocs/luci-static/resources/homeproxy.js:281 #: htdocs/luci-static/resources/view/homeproxy/client.js:176 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1015 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1024 #: htdocs/luci-static/resources/view/homeproxy/node.js:452 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1074 -#: htdocs/luci-static/resources/view/homeproxy/server.js:159 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1082 +#: htdocs/luci-static/resources/view/homeproxy/server.js:211 msgid "non-empty value" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:559 -#: htdocs/luci-static/resources/view/homeproxy/node.js:818 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1326 +#: htdocs/luci-static/resources/view/homeproxy/node.js:567 +#: htdocs/luci-static/resources/view/homeproxy/node.js:826 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1334 msgid "none" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:819 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1327 +#: htdocs/luci-static/resources/view/homeproxy/node.js:827 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1335 msgid "packet addr (v2ray-core v5+)" msgstr "" @@ -2469,7 +2495,7 @@ msgstr "" msgid "passed" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/server.js:697 +#: htdocs/luci-static/resources/view/homeproxy/server.js:760 msgid "private key" msgstr "" @@ -2481,11 +2507,11 @@ msgstr "" msgid "sing-box server" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1051 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1059 msgid "uTLS fingerprint" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1052 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1060 msgid "" "uTLS is a fork of \"crypto/tls\", which provides ClientHello fingerprinting " "resistance." @@ -2495,26 +2521,28 @@ msgstr "" msgid "unchecked" msgstr "" -#: htdocs/luci-static/resources/homeproxy.js:206 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1234 +#: htdocs/luci-static/resources/homeproxy.js:221 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1242 msgid "unique UCI identifier" msgstr "" -#: htdocs/luci-static/resources/homeproxy.js:257 +#: htdocs/luci-static/resources/homeproxy.js:272 msgid "unique value" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:573 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1123 +#: htdocs/luci-static/resources/view/homeproxy/node.js:474 +#: htdocs/luci-static/resources/view/homeproxy/node.js:581 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1131 msgid "v1" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:574 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1124 +#: htdocs/luci-static/resources/view/homeproxy/node.js:475 +#: htdocs/luci-static/resources/view/homeproxy/node.js:582 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1132 msgid "v2" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/node.js:575 +#: htdocs/luci-static/resources/view/homeproxy/node.js:583 msgid "v3" msgstr "" @@ -2522,10 +2550,10 @@ msgstr "" msgid "valid IP address" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1020 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1023 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1294 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1297 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1029 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1032 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1302 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1305 msgid "valid URL" msgstr "" @@ -2533,12 +2561,12 @@ msgstr "" msgid "valid address#port" msgstr "" -#: htdocs/luci-static/resources/homeproxy.js:240 +#: htdocs/luci-static/resources/homeproxy.js:255 msgid "valid base64 key with %d characters" msgstr "" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1162 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1191 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1171 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1200 msgid "valid hostname" msgstr "" @@ -2551,6 +2579,6 @@ msgstr "" msgid "valid port value" msgstr "" -#: htdocs/luci-static/resources/homeproxy.js:268 +#: htdocs/luci-static/resources/homeproxy.js:283 msgid "valid uuid" msgstr "" diff --git a/small/luci-app-homeproxy/po/zh_Hans/homeproxy.po b/small/luci-app-homeproxy/po/zh_Hans/homeproxy.po index 8d64a72c9c..69f783c1dc 100644 --- a/small/luci-app-homeproxy/po/zh_Hans/homeproxy.po +++ b/small/luci-app-homeproxy/po/zh_Hans/homeproxy.po @@ -12,50 +12,50 @@ msgstr "" msgid "%s log" msgstr "%s 日志" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1391 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1399 msgid "%s nodes removed" msgstr "移除了 %s 个节点" -#: htdocs/luci-static/resources/view/homeproxy/client.js:560 -#: htdocs/luci-static/resources/view/homeproxy/client.js:894 +#: htdocs/luci-static/resources/view/homeproxy/client.js:569 +#: htdocs/luci-static/resources/view/homeproxy/client.js:903 msgid "-- Please choose --" msgstr "-- 请选择 --" -#: htdocs/luci-static/resources/view/homeproxy/client.js:465 +#: htdocs/luci-static/resources/view/homeproxy/client.js:474 msgid "4 or 6. Not limited if empty." msgstr "4 或 6。留空不限制。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1021 -#: htdocs/luci-static/resources/view/homeproxy/server.js:675 -#: htdocs/luci-static/resources/view/homeproxy/server.js:693 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1029 +#: htdocs/luci-static/resources/view/homeproxy/server.js:738 +#: htdocs/luci-static/resources/view/homeproxy/server.js:756 msgid "Save your configuration before uploading files!" msgstr "上传文件前请先保存配置!" -#: htdocs/luci-static/resources/view/homeproxy/server.js:584 +#: htdocs/luci-static/resources/view/homeproxy/server.js:647 msgid "API token" msgstr "API 令牌" -#: htdocs/luci-static/resources/view/homeproxy/node.js:598 +#: htdocs/luci-static/resources/view/homeproxy/node.js:606 msgid "Accept any if empty." msgstr "留空则不校验。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1057 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1066 msgid "Access Control" msgstr "访问控制" -#: htdocs/luci-static/resources/view/homeproxy/server.js:569 +#: htdocs/luci-static/resources/view/homeproxy/server.js:632 msgid "Access key ID" msgstr "访问密钥 ID" -#: htdocs/luci-static/resources/view/homeproxy/server.js:574 +#: htdocs/luci-static/resources/view/homeproxy/server.js:637 msgid "Access key secret" msgstr "访问密钥" -#: htdocs/luci-static/resources/view/homeproxy/client.js:763 +#: htdocs/luci-static/resources/view/homeproxy/client.js:772 msgid "Add a DNS rule" msgstr "新增 DNS 规则" -#: htdocs/luci-static/resources/view/homeproxy/client.js:668 +#: htdocs/luci-static/resources/view/homeproxy/client.js:677 msgid "Add a DNS server" msgstr "新增 DNS 服务器" @@ -63,36 +63,36 @@ msgstr "新增 DNS 服务器" msgid "Add a node" msgstr "新增节点" -#: htdocs/luci-static/resources/view/homeproxy/client.js:355 +#: htdocs/luci-static/resources/view/homeproxy/client.js:364 msgid "Add a routing node" msgstr "新增路由节点" -#: htdocs/luci-static/resources/view/homeproxy/client.js:431 +#: htdocs/luci-static/resources/view/homeproxy/client.js:440 msgid "Add a routing rule" msgstr "新增路由规则" -#: htdocs/luci-static/resources/view/homeproxy/client.js:978 +#: htdocs/luci-static/resources/view/homeproxy/client.js:987 msgid "Add a rule set" msgstr "新增规则集" -#: htdocs/luci-static/resources/view/homeproxy/server.js:88 +#: htdocs/luci-static/resources/view/homeproxy/server.js:129 msgid "Add a server" msgstr "新增服务器" -#: htdocs/luci-static/resources/view/homeproxy/client.js:682 +#: htdocs/luci-static/resources/view/homeproxy/client.js:691 #: htdocs/luci-static/resources/view/homeproxy/node.js:413 msgid "Address" msgstr "地址" -#: htdocs/luci-static/resources/view/homeproxy/client.js:686 +#: htdocs/luci-static/resources/view/homeproxy/client.js:695 msgid "Address resolver" msgstr "地址解析器" -#: htdocs/luci-static/resources/view/homeproxy/client.js:718 +#: htdocs/luci-static/resources/view/homeproxy/client.js:727 msgid "Address strategy" msgstr "地址解析策略" -#: htdocs/luci-static/resources/view/homeproxy/server.js:562 +#: htdocs/luci-static/resources/view/homeproxy/server.js:625 msgid "Alibaba Cloud DNS" msgstr "阿里云 DNS" @@ -105,21 +105,21 @@ msgstr "阿里云公共 DNS(223.5.5.5)" msgid "All ports" msgstr "所有端口" -#: htdocs/luci-static/resources/view/homeproxy/node.js:974 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1317 +#: htdocs/luci-static/resources/view/homeproxy/node.js:982 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1325 msgid "Allow insecure" msgstr "允许不安全连接" -#: htdocs/luci-static/resources/view/homeproxy/node.js:975 +#: htdocs/luci-static/resources/view/homeproxy/node.js:983 msgid "Allow insecure connection at TLS client." msgstr "允许 TLS 客户端侧的不安全连接。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1318 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1326 msgid "Allow insecure connection by default when add nodes from subscriptions." msgstr "从订阅获取节点时,默认允许不安全连接。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:805 -#: htdocs/luci-static/resources/view/homeproxy/server.js:400 +#: htdocs/luci-static/resources/view/homeproxy/node.js:813 +#: htdocs/luci-static/resources/view/homeproxy/server.js:463 msgid "Allowed payload size is in the request." msgstr "请求中允许的载荷大小。" @@ -131,30 +131,30 @@ msgstr "已是最新版本。" msgid "Already in updating." msgstr "已在更新中。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:671 -#: htdocs/luci-static/resources/view/homeproxy/server.js:309 +#: htdocs/luci-static/resources/view/homeproxy/node.js:679 +#: htdocs/luci-static/resources/view/homeproxy/server.js:372 msgid "Alter ID" msgstr "额外 ID" -#: htdocs/luci-static/resources/view/homeproxy/server.js:599 +#: htdocs/luci-static/resources/view/homeproxy/server.js:662 msgid "Alternative HTTP port" msgstr "替代 HTTP 端口" -#: htdocs/luci-static/resources/view/homeproxy/server.js:605 +#: htdocs/luci-static/resources/view/homeproxy/server.js:668 msgid "Alternative TLS port" msgstr "替代 HTTPS 端口" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1354 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1362 msgid "An error occurred during updating subscriptions: %s" msgstr "更新订阅时发生错误:%s" -#: htdocs/luci-static/resources/view/homeproxy/client.js:920 +#: htdocs/luci-static/resources/view/homeproxy/client.js:929 msgid "Any" msgstr "任何" -#: htdocs/luci-static/resources/view/homeproxy/client.js:642 -#: htdocs/luci-static/resources/view/homeproxy/client.js:748 -#: htdocs/luci-static/resources/view/homeproxy/client.js:962 +#: htdocs/luci-static/resources/view/homeproxy/client.js:651 +#: htdocs/luci-static/resources/view/homeproxy/client.js:757 +#: htdocs/luci-static/resources/view/homeproxy/client.js:971 msgid "" "Append a edns0-subnet OPT extra record with the specified IP " "prefix to every query by default.
If value is an IP address instead of " @@ -163,7 +163,7 @@ msgstr "" "将带有指定 IP 前缀的 edns0-subnet OPT 记录附加到每个查询。如果值" "是 IP 地址而不是前缀,则会自动添加 /32/128。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1007 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1015 msgid "Append self-signed certificate" msgstr "追加自签名证书" @@ -180,37 +180,37 @@ msgstr "应用" msgid "Are you sure to allow insecure?" msgstr "确定要允许不安全连接吗?" -#: htdocs/luci-static/resources/view/homeproxy/server.js:280 +#: htdocs/luci-static/resources/view/homeproxy/server.js:343 msgid "Auth timeout" msgstr "认证超时" -#: htdocs/luci-static/resources/view/homeproxy/node.js:695 +#: htdocs/luci-static/resources/view/homeproxy/node.js:703 msgid "Authenticated length" msgstr "认证长度" -#: htdocs/luci-static/resources/view/homeproxy/node.js:490 -#: htdocs/luci-static/resources/view/homeproxy/server.js:200 +#: htdocs/luci-static/resources/view/homeproxy/node.js:498 +#: htdocs/luci-static/resources/view/homeproxy/server.js:252 msgid "Authentication payload" msgstr "认证载荷" -#: htdocs/luci-static/resources/view/homeproxy/node.js:483 -#: htdocs/luci-static/resources/view/homeproxy/server.js:193 +#: htdocs/luci-static/resources/view/homeproxy/node.js:491 +#: htdocs/luci-static/resources/view/homeproxy/server.js:245 msgid "Authentication type" msgstr "认证类型" -#: htdocs/luci-static/resources/view/homeproxy/server.js:79 +#: htdocs/luci-static/resources/view/homeproxy/server.js:120 msgid "Auto configure firewall" msgstr "自动配置防火墙" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1271 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1279 msgid "Auto update" msgstr "自动更新" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1272 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1280 msgid "Auto update subscriptions." msgstr "自动更新订阅。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:629 +#: htdocs/luci-static/resources/view/homeproxy/node.js:637 msgid "BBR" msgstr "BBR" @@ -218,8 +218,8 @@ msgstr "BBR" msgid "BaiDu" msgstr "百度" -#: htdocs/luci-static/resources/view/homeproxy/node.js:485 -#: htdocs/luci-static/resources/view/homeproxy/server.js:195 +#: htdocs/luci-static/resources/view/homeproxy/node.js:493 +#: htdocs/luci-static/resources/view/homeproxy/server.js:247 msgid "Base64" msgstr "Base64" @@ -227,44 +227,44 @@ msgstr "Base64" msgid "Based on google/gvisor." msgstr "基于 google/gvisor。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1000 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1009 msgid "Binary file" msgstr "二进制文件" -#: htdocs/luci-static/resources/view/homeproxy/client.js:382 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1070 +#: htdocs/luci-static/resources/view/homeproxy/client.js:391 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1079 msgid "Bind interface" msgstr "绑定接口" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1071 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1080 msgid "" "Bind outbound traffic to specific interface. Leave empty to auto detect." msgstr "绑定出站流量至指定端口。留空自动检测。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1307 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1315 msgid "Blacklist mode" msgstr "黑名单模式" -#: htdocs/luci-static/resources/view/homeproxy/client.js:333 -#: htdocs/luci-static/resources/view/homeproxy/client.js:588 -#: htdocs/luci-static/resources/view/homeproxy/client.js:922 +#: htdocs/luci-static/resources/view/homeproxy/client.js:342 +#: htdocs/luci-static/resources/view/homeproxy/client.js:597 +#: htdocs/luci-static/resources/view/homeproxy/client.js:931 msgid "Block" msgstr "封锁" -#: htdocs/luci-static/resources/view/homeproxy/client.js:618 -#: htdocs/luci-static/resources/view/homeproxy/client.js:940 +#: htdocs/luci-static/resources/view/homeproxy/client.js:627 +#: htdocs/luci-static/resources/view/homeproxy/client.js:949 msgid "Block DNS queries" msgstr "封锁 DNS 请求" -#: htdocs/luci-static/resources/view/homeproxy/client.js:468 -#: htdocs/luci-static/resources/view/homeproxy/client.js:481 -#: htdocs/luci-static/resources/view/homeproxy/client.js:799 -#: htdocs/luci-static/resources/view/homeproxy/client.js:809 -#: htdocs/luci-static/resources/view/homeproxy/server.js:732 +#: htdocs/luci-static/resources/view/homeproxy/client.js:477 +#: htdocs/luci-static/resources/view/homeproxy/client.js:490 +#: htdocs/luci-static/resources/view/homeproxy/client.js:808 +#: htdocs/luci-static/resources/view/homeproxy/client.js:818 +#: htdocs/luci-static/resources/view/homeproxy/server.js:802 msgid "Both" msgstr "全部" -#: htdocs/luci-static/resources/view/homeproxy/client.js:316 +#: htdocs/luci-static/resources/view/homeproxy/client.js:325 msgid "Bypass CN traffic" msgstr "绕过中国流量" @@ -272,11 +272,11 @@ msgstr "绕过中国流量" msgid "Bypass mainland China" msgstr "大陆白名单" -#: htdocs/luci-static/resources/view/homeproxy/client.js:317 +#: htdocs/luci-static/resources/view/homeproxy/client.js:326 msgid "Bypass mainland China traffic via firewall rules by default." msgstr "默认使用防火墙规则绕过中国大陆流量。" -#: htdocs/luci-static/resources/view/homeproxy/server.js:548 +#: htdocs/luci-static/resources/view/homeproxy/server.js:611 msgid "CA provider" msgstr "CA 颁发机构" @@ -284,16 +284,16 @@ msgstr "CA 颁发机构" msgid "CNNIC Public DNS (210.2.4.8)" msgstr "CNNIC 公共 DNS(210.2.4.8)" -#: htdocs/luci-static/resources/view/homeproxy/node.js:627 +#: htdocs/luci-static/resources/view/homeproxy/node.js:635 msgid "CUBIC" msgstr "CUBIC" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1171 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1179 msgid "Cancel" msgstr "取消" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1013 -#: htdocs/luci-static/resources/view/homeproxy/server.js:664 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1021 +#: htdocs/luci-static/resources/view/homeproxy/server.js:727 msgid "Certificate path" msgstr "证书路径" @@ -321,8 +321,8 @@ msgstr "大陆 IPv6 库版本" msgid "China list version" msgstr "大陆域名列表版本" -#: htdocs/luci-static/resources/view/homeproxy/node.js:999 -#: htdocs/luci-static/resources/view/homeproxy/server.js:506 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1007 +#: htdocs/luci-static/resources/view/homeproxy/server.js:569 msgid "Cipher suites" msgstr "密码套件" @@ -338,7 +338,7 @@ msgstr "清空日志" msgid "Client Settings" msgstr "客户端设置" -#: htdocs/luci-static/resources/view/homeproxy/node.js:592 +#: htdocs/luci-static/resources/view/homeproxy/node.js:600 msgid "Client version" msgstr "客户端版本" @@ -346,12 +346,12 @@ msgstr "客户端版本" msgid "CloudFlare Public DNS (1.1.1.1)" msgstr "CloudFlare 公共 DNS(1.1.1.1)" -#: htdocs/luci-static/resources/view/homeproxy/server.js:563 +#: htdocs/luci-static/resources/view/homeproxy/server.js:626 msgid "Cloudflare" msgstr "Cloudflare" #: htdocs/luci-static/resources/view/homeproxy/client.js:122 -#: htdocs/luci-static/resources/view/homeproxy/server.js:69 +#: htdocs/luci-static/resources/view/homeproxy/server.js:110 #: htdocs/luci-static/resources/view/homeproxy/status.js:128 msgid "Collecting data..." msgstr "收集数据中..." @@ -360,8 +360,8 @@ msgstr "收集数据中..." msgid "Common ports only (bypass P2P traffic)" msgstr "仅常用端口(绕过 P2P 流量)" -#: htdocs/luci-static/resources/view/homeproxy/node.js:625 -#: htdocs/luci-static/resources/view/homeproxy/server.js:271 +#: htdocs/luci-static/resources/view/homeproxy/node.js:633 +#: htdocs/luci-static/resources/view/homeproxy/server.js:334 msgid "Congestion control algorithm" msgstr "拥塞控制算法" @@ -373,152 +373,153 @@ msgstr "连接检查" msgid "Custom routing" msgstr "自定义路由" -#: htdocs/luci-static/resources/view/homeproxy/client.js:816 +#: htdocs/luci-static/resources/view/homeproxy/client.js:825 msgid "DNS" msgstr "DNS" -#: htdocs/luci-static/resources/view/homeproxy/client.js:754 +#: htdocs/luci-static/resources/view/homeproxy/client.js:763 msgid "DNS Rules" msgstr "DNS 规则" -#: htdocs/luci-static/resources/view/homeproxy/client.js:659 +#: htdocs/luci-static/resources/view/homeproxy/client.js:668 msgid "DNS Servers" msgstr "DNS 服务器" -#: htdocs/luci-static/resources/view/homeproxy/client.js:601 +#: htdocs/luci-static/resources/view/homeproxy/client.js:610 msgid "DNS Settings" msgstr "DNS 设置" -#: htdocs/luci-static/resources/view/homeproxy/server.js:561 +#: htdocs/luci-static/resources/view/homeproxy/server.js:624 msgid "DNS provider" msgstr "DNS 提供商" -#: htdocs/luci-static/resources/view/homeproxy/client.js:763 +#: htdocs/luci-static/resources/view/homeproxy/client.js:772 msgid "DNS rule" msgstr "DNS 规则" #: htdocs/luci-static/resources/view/homeproxy/client.js:158 -#: htdocs/luci-static/resources/view/homeproxy/client.js:668 +#: htdocs/luci-static/resources/view/homeproxy/client.js:677 msgid "DNS server" msgstr "DNS 服务器" -#: htdocs/luci-static/resources/view/homeproxy/server.js:556 +#: htdocs/luci-static/resources/view/homeproxy/server.js:619 msgid "DNS01 challenge" msgstr "DNS01 验证" #: htdocs/luci-static/resources/homeproxy.js:17 -#: htdocs/luci-static/resources/view/homeproxy/client.js:459 -#: htdocs/luci-static/resources/view/homeproxy/client.js:791 -#: htdocs/luci-static/resources/view/homeproxy/node.js:637 +#: htdocs/luci-static/resources/view/homeproxy/client.js:468 +#: htdocs/luci-static/resources/view/homeproxy/client.js:800 +#: htdocs/luci-static/resources/view/homeproxy/node.js:645 msgid "Default" msgstr "默认" -#: htdocs/luci-static/resources/view/homeproxy/client.js:616 -#: htdocs/luci-static/resources/view/homeproxy/client.js:693 -#: htdocs/luci-static/resources/view/homeproxy/client.js:938 +#: htdocs/luci-static/resources/view/homeproxy/client.js:625 +#: htdocs/luci-static/resources/view/homeproxy/client.js:702 +#: htdocs/luci-static/resources/view/homeproxy/client.js:947 msgid "Default DNS (issued by WAN)" msgstr "默认 DNS(由 WAN 下发)" -#: htdocs/luci-static/resources/view/homeproxy/client.js:611 +#: htdocs/luci-static/resources/view/homeproxy/client.js:620 msgid "Default DNS server" msgstr "默认 DNS 服务器" -#: htdocs/luci-static/resources/view/homeproxy/client.js:606 +#: htdocs/luci-static/resources/view/homeproxy/client.js:615 msgid "Default DNS strategy" msgstr "默认 DNS 解析策略" -#: htdocs/luci-static/resources/view/homeproxy/client.js:725 +#: htdocs/luci-static/resources/view/homeproxy/client.js:734 msgid "Default domain strategy for resolving the domain names." msgstr "默认域名解析策略。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:326 +#: htdocs/luci-static/resources/view/homeproxy/client.js:335 msgid "Default outbound" msgstr "默认出站" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1325 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1333 msgid "Default packet encoding" msgstr "默认包封装格式" -#: htdocs/luci-static/resources/view/homeproxy/server.js:527 +#: htdocs/luci-static/resources/view/homeproxy/server.js:590 msgid "Default server name" msgstr "默认服务器名称" -#: htdocs/luci-static/resources/view/homeproxy/client.js:332 -#: htdocs/luci-static/resources/view/homeproxy/client.js:395 -#: htdocs/luci-static/resources/view/homeproxy/client.js:587 -#: htdocs/luci-static/resources/view/homeproxy/client.js:735 -#: htdocs/luci-static/resources/view/homeproxy/client.js:921 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1039 +#: htdocs/luci-static/resources/view/homeproxy/client.js:341 +#: htdocs/luci-static/resources/view/homeproxy/client.js:404 +#: htdocs/luci-static/resources/view/homeproxy/client.js:596 +#: htdocs/luci-static/resources/view/homeproxy/client.js:744 +#: htdocs/luci-static/resources/view/homeproxy/client.js:930 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1048 #: htdocs/luci-static/resources/view/homeproxy/node.js:394 msgid "Direct" msgstr "直连" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1169 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1178 msgid "Direct Domain List" msgstr "直连域名列表" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1086 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1131 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1095 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1140 msgid "Direct IPv4 IP-s" msgstr "直连 IPv4 地址" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1089 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1134 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1098 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1143 msgid "Direct IPv6 IP-s" msgstr "直连 IPv6 地址" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1092 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1101 msgid "Direct MAC-s" msgstr "直连 MAC 地址" #: htdocs/luci-static/resources/view/homeproxy/client.js:142 #: htdocs/luci-static/resources/view/homeproxy/client.js:150 -#: htdocs/luci-static/resources/view/homeproxy/client.js:331 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1080 -#: htdocs/luci-static/resources/view/homeproxy/node.js:484 -#: htdocs/luci-static/resources/view/homeproxy/node.js:496 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1053 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1306 -#: htdocs/luci-static/resources/view/homeproxy/server.js:194 -#: htdocs/luci-static/resources/view/homeproxy/server.js:206 +#: htdocs/luci-static/resources/view/homeproxy/client.js:340 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1089 +#: htdocs/luci-static/resources/view/homeproxy/node.js:473 +#: htdocs/luci-static/resources/view/homeproxy/node.js:492 +#: htdocs/luci-static/resources/view/homeproxy/node.js:504 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1061 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1314 +#: htdocs/luci-static/resources/view/homeproxy/server.js:246 +#: htdocs/luci-static/resources/view/homeproxy/server.js:258 msgid "Disable" msgstr "禁用" -#: htdocs/luci-static/resources/view/homeproxy/client.js:629 +#: htdocs/luci-static/resources/view/homeproxy/client.js:638 msgid "Disable DNS cache" msgstr "禁用 DNS 缓存" -#: htdocs/luci-static/resources/view/homeproxy/server.js:589 +#: htdocs/luci-static/resources/view/homeproxy/server.js:652 msgid "Disable HTTP challenge" msgstr "禁用 HTTP 验证" -#: htdocs/luci-static/resources/view/homeproxy/node.js:532 -#: htdocs/luci-static/resources/view/homeproxy/server.js:237 +#: htdocs/luci-static/resources/view/homeproxy/node.js:540 +#: htdocs/luci-static/resources/view/homeproxy/server.js:289 msgid "Disable Path MTU discovery" msgstr "禁用路径 MTU 探测" -#: htdocs/luci-static/resources/view/homeproxy/server.js:594 +#: htdocs/luci-static/resources/view/homeproxy/server.js:657 msgid "Disable TLS ALPN challenge" msgstr "禁用 TLS ALPN 认证" -#: htdocs/luci-static/resources/view/homeproxy/client.js:952 +#: htdocs/luci-static/resources/view/homeproxy/client.js:961 msgid "Disable cache and save cache in this query." msgstr "在本次查询中禁用缓存。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:632 +#: htdocs/luci-static/resources/view/homeproxy/client.js:641 msgid "Disable cache expire" msgstr "缓存永不过期" -#: htdocs/luci-static/resources/view/homeproxy/client.js:951 +#: htdocs/luci-static/resources/view/homeproxy/client.js:960 msgid "Disable dns cache" msgstr "禁用 DNS 缓存" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1035 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1043 msgid "Disable dynamic record sizing" msgstr "禁用动态记录大小" -#: htdocs/luci-static/resources/view/homeproxy/node.js:533 -#: htdocs/luci-static/resources/view/homeproxy/server.js:238 +#: htdocs/luci-static/resources/view/homeproxy/node.js:541 +#: htdocs/luci-static/resources/view/homeproxy/server.js:290 msgid "" "Disables Path MTU Discovery (RFC 8899). Packets will then be at most 1252 " "(IPv4) / 1232 (IPv6) bytes in size." @@ -526,46 +527,46 @@ msgstr "" "禁用路径 MTU 发现 (RFC 8899)。 数据包的大小最多为 1252 (IPv4) / 1232 (IPv6) " "字节。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:492 -#: htdocs/luci-static/resources/view/homeproxy/client.js:828 +#: htdocs/luci-static/resources/view/homeproxy/client.js:501 +#: htdocs/luci-static/resources/view/homeproxy/client.js:837 msgid "Domain keyword" msgstr "域名关键词" -#: htdocs/luci-static/resources/view/homeproxy/client.js:483 -#: htdocs/luci-static/resources/view/homeproxy/client.js:819 +#: htdocs/luci-static/resources/view/homeproxy/client.js:492 +#: htdocs/luci-static/resources/view/homeproxy/client.js:828 msgid "Domain name" msgstr "域名" -#: htdocs/luci-static/resources/view/homeproxy/client.js:496 -#: htdocs/luci-static/resources/view/homeproxy/client.js:832 +#: htdocs/luci-static/resources/view/homeproxy/client.js:505 +#: htdocs/luci-static/resources/view/homeproxy/client.js:841 msgid "Domain regex" msgstr "域名正则表达式" -#: htdocs/luci-static/resources/view/homeproxy/client.js:376 -#: htdocs/luci-static/resources/view/homeproxy/server.js:723 +#: htdocs/luci-static/resources/view/homeproxy/client.js:385 +#: htdocs/luci-static/resources/view/homeproxy/server.js:793 msgid "Domain strategy" msgstr "域名解析策略" -#: htdocs/luci-static/resources/view/homeproxy/client.js:488 -#: htdocs/luci-static/resources/view/homeproxy/client.js:824 +#: htdocs/luci-static/resources/view/homeproxy/client.js:497 +#: htdocs/luci-static/resources/view/homeproxy/client.js:833 msgid "Domain suffix" msgstr "域名后缀" -#: htdocs/luci-static/resources/view/homeproxy/server.js:521 +#: htdocs/luci-static/resources/view/homeproxy/server.js:584 msgid "Domains" msgstr "域名" -#: htdocs/luci-static/resources/view/homeproxy/node.js:923 -#: htdocs/luci-static/resources/view/homeproxy/server.js:438 +#: htdocs/luci-static/resources/view/homeproxy/node.js:931 +#: htdocs/luci-static/resources/view/homeproxy/server.js:501 msgid "Download bandwidth" msgstr "下载带宽" -#: htdocs/luci-static/resources/view/homeproxy/node.js:924 -#: htdocs/luci-static/resources/view/homeproxy/server.js:439 +#: htdocs/luci-static/resources/view/homeproxy/node.js:932 +#: htdocs/luci-static/resources/view/homeproxy/server.js:502 msgid "Download bandwidth in Mbps." msgstr "下载带宽(单位:Mbps)。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1313 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1321 msgid "" "Drop/keep nodes that contain the specific keywords. " "正则表达式。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1305 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1313 msgid "Drop/keep specific nodes from subscriptions." msgstr "从订阅中 丢弃/保留 指定节点" -#: htdocs/luci-static/resources/view/homeproxy/server.js:612 +#: htdocs/luci-static/resources/view/homeproxy/server.js:675 msgid "" "EAB (External Account Binding) contains information necessary to bind or map " "an ACME account to some other account known by the CA.
External account " @@ -590,7 +591,7 @@ msgstr "" "
外部帐户绑定“用于将 ACME 帐户与非 ACME 系统中的现有帐户相关联,例如 CA " "客户数据库。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1030 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1038 msgid "" "ECH (Encrypted Client Hello) is a TLS extension that allows a client to " "encrypt the first part of its ClientHello message." @@ -598,50 +599,50 @@ msgstr "" "ECH(Encrypted Client Hello)是一个 TLS 扩展,它允许客户端加密其 ClientHello " "信息的第一部分。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1045 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1053 msgid "ECH config" msgstr "ECH 配置" -#: htdocs/luci-static/resources/view/homeproxy/client.js:641 -#: htdocs/luci-static/resources/view/homeproxy/client.js:747 -#: htdocs/luci-static/resources/view/homeproxy/client.js:961 +#: htdocs/luci-static/resources/view/homeproxy/client.js:650 +#: htdocs/luci-static/resources/view/homeproxy/client.js:756 +#: htdocs/luci-static/resources/view/homeproxy/client.js:970 msgid "EDNS Client subnet" msgstr "ENDS 客户端子网" -#: htdocs/luci-static/resources/view/homeproxy/node.js:804 -#: htdocs/luci-static/resources/view/homeproxy/server.js:399 +#: htdocs/luci-static/resources/view/homeproxy/node.js:812 +#: htdocs/luci-static/resources/view/homeproxy/server.js:462 msgid "Early data" msgstr "前置数据" -#: htdocs/luci-static/resources/view/homeproxy/node.js:811 -#: htdocs/luci-static/resources/view/homeproxy/server.js:406 +#: htdocs/luci-static/resources/view/homeproxy/node.js:819 +#: htdocs/luci-static/resources/view/homeproxy/server.js:469 msgid "Early data header name" msgstr "前置数据标头" -#: htdocs/luci-static/resources/view/homeproxy/server.js:407 +#: htdocs/luci-static/resources/view/homeproxy/server.js:470 msgid "Early data is sent in path instead of header by default." msgstr "前置数据默认发送在路径而不是标头中。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1147 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1155 msgid "Edit nodes" msgstr "修改节点" -#: htdocs/luci-static/resources/view/homeproxy/server.js:533 +#: htdocs/luci-static/resources/view/homeproxy/server.js:596 msgid "Email" msgstr "Email" -#: htdocs/luci-static/resources/view/homeproxy/client.js:364 -#: htdocs/luci-static/resources/view/homeproxy/client.js:446 -#: htdocs/luci-static/resources/view/homeproxy/client.js:677 -#: htdocs/luci-static/resources/view/homeproxy/client.js:778 -#: htdocs/luci-static/resources/view/homeproxy/client.js:987 -#: htdocs/luci-static/resources/view/homeproxy/server.js:75 -#: htdocs/luci-static/resources/view/homeproxy/server.js:98 +#: htdocs/luci-static/resources/view/homeproxy/client.js:373 +#: htdocs/luci-static/resources/view/homeproxy/client.js:455 +#: htdocs/luci-static/resources/view/homeproxy/client.js:686 +#: htdocs/luci-static/resources/view/homeproxy/client.js:787 +#: htdocs/luci-static/resources/view/homeproxy/client.js:996 +#: htdocs/luci-static/resources/view/homeproxy/server.js:116 +#: htdocs/luci-static/resources/view/homeproxy/server.js:139 msgid "Enable" msgstr "启用" -#: htdocs/luci-static/resources/view/homeproxy/node.js:650 -#: htdocs/luci-static/resources/view/homeproxy/server.js:288 +#: htdocs/luci-static/resources/view/homeproxy/node.js:658 +#: htdocs/luci-static/resources/view/homeproxy/server.js:351 msgid "" "Enable 0-RTT QUIC connection handshake on the client side. This is not " "impacting much on the performance, as the protocol is fully multiplexed.
强烈建议禁用此功能,因为它容易受到重放攻击。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:649 -#: htdocs/luci-static/resources/view/homeproxy/server.js:287 +#: htdocs/luci-static/resources/view/homeproxy/node.js:657 +#: htdocs/luci-static/resources/view/homeproxy/server.js:350 msgid "Enable 0-RTT handshake" msgstr "启用 0-RTT 握手" -#: htdocs/luci-static/resources/view/homeproxy/server.js:515 +#: htdocs/luci-static/resources/view/homeproxy/server.js:578 msgid "Enable ACME" msgstr "启用 ACME" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1029 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1037 msgid "Enable ECH" msgstr "启用 ECH" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1040 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1048 msgid "Enable PQ signature schemes" msgstr "启用 PQ 签名方案" -#: htdocs/luci-static/resources/view/homeproxy/node.js:917 -#: htdocs/luci-static/resources/view/homeproxy/server.js:432 +#: htdocs/luci-static/resources/view/homeproxy/node.js:925 +#: htdocs/luci-static/resources/view/homeproxy/server.js:495 msgid "Enable TCP Brutal" msgstr "启用 TCP Brutal" -#: htdocs/luci-static/resources/view/homeproxy/node.js:918 -#: htdocs/luci-static/resources/view/homeproxy/server.js:433 +#: htdocs/luci-static/resources/view/homeproxy/node.js:926 +#: htdocs/luci-static/resources/view/homeproxy/server.js:496 msgid "Enable TCP Brutal congestion control algorithm" msgstr "启用 TCP Brutal 拥塞控制算法。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1111 -#: htdocs/luci-static/resources/view/homeproxy/server.js:714 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1119 +#: htdocs/luci-static/resources/view/homeproxy/server.js:777 msgid "Enable UDP fragmentation." msgstr "启用 UDP 分片。" @@ -686,88 +687,88 @@ msgstr "启用 UDP 分片。" msgid "Enable endpoint-independent NAT" msgstr "启用端点独立 NAT" -#: htdocs/luci-static/resources/view/homeproxy/node.js:912 -#: htdocs/luci-static/resources/view/homeproxy/server.js:426 +#: htdocs/luci-static/resources/view/homeproxy/node.js:920 +#: htdocs/luci-static/resources/view/homeproxy/server.js:489 msgid "Enable padding" msgstr "启用填充" -#: htdocs/luci-static/resources/view/homeproxy/server.js:703 +#: htdocs/luci-static/resources/view/homeproxy/server.js:766 msgid "Enable tcp fast open for listener." msgstr "为监听器启用 TCP 快速打开。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1116 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1124 msgid "" "Enable the SUoT protocol, requires server support. Conflict with multiplex." msgstr "启用 SUoT 协议,需要服务端支持。与多路复用冲突。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:540 -#: htdocs/luci-static/resources/view/homeproxy/node.js:677 -#: htdocs/luci-static/resources/view/homeproxy/server.js:256 +#: htdocs/luci-static/resources/view/homeproxy/node.js:548 +#: htdocs/luci-static/resources/view/homeproxy/node.js:685 +#: htdocs/luci-static/resources/view/homeproxy/server.js:308 msgid "Encrypt method" msgstr "加密方式" -#: htdocs/luci-static/resources/homeproxy.js:206 -#: htdocs/luci-static/resources/homeproxy.js:240 -#: htdocs/luci-static/resources/homeproxy.js:248 -#: htdocs/luci-static/resources/homeproxy.js:257 -#: htdocs/luci-static/resources/homeproxy.js:266 -#: htdocs/luci-static/resources/homeproxy.js:268 +#: htdocs/luci-static/resources/homeproxy.js:221 +#: htdocs/luci-static/resources/homeproxy.js:255 +#: htdocs/luci-static/resources/homeproxy.js:263 +#: htdocs/luci-static/resources/homeproxy.js:272 +#: htdocs/luci-static/resources/homeproxy.js:281 +#: htdocs/luci-static/resources/homeproxy.js:283 #: htdocs/luci-static/resources/view/homeproxy/client.js:75 #: htdocs/luci-static/resources/view/homeproxy/client.js:176 #: htdocs/luci-static/resources/view/homeproxy/client.js:178 #: htdocs/luci-static/resources/view/homeproxy/client.js:206 #: htdocs/luci-static/resources/view/homeproxy/client.js:244 #: htdocs/luci-static/resources/view/homeproxy/client.js:249 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1015 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1020 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1023 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1162 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1191 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1024 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1029 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1032 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1171 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1200 #: htdocs/luci-static/resources/view/homeproxy/node.js:452 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1074 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1234 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1294 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1297 -#: htdocs/luci-static/resources/view/homeproxy/server.js:159 -#: htdocs/luci-static/resources/view/homeproxy/server.js:539 -#: htdocs/luci-static/resources/view/homeproxy/server.js:541 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1082 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1242 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1302 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1305 +#: htdocs/luci-static/resources/view/homeproxy/server.js:211 +#: htdocs/luci-static/resources/view/homeproxy/server.js:602 +#: htdocs/luci-static/resources/view/homeproxy/server.js:604 msgid "Expecting: %s" msgstr "请输入:%s" -#: htdocs/luci-static/resources/view/homeproxy/server.js:611 +#: htdocs/luci-static/resources/view/homeproxy/server.js:674 msgid "External Account Binding" msgstr "外部账户绑定" -#: htdocs/luci-static/resources/view/homeproxy/server.js:623 +#: htdocs/luci-static/resources/view/homeproxy/server.js:686 msgid "External account MAC key" msgstr "外部账户 MAC 密钥" -#: htdocs/luci-static/resources/view/homeproxy/server.js:618 +#: htdocs/luci-static/resources/view/homeproxy/server.js:681 msgid "External account key ID" msgstr "外部账户密钥标识符" -#: htdocs/luci-static/resources/homeproxy.js:230 +#: htdocs/luci-static/resources/homeproxy.js:245 msgid "Failed to upload %s, error: %s." msgstr "上传 %s 失败,错误:%s。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1312 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1320 msgid "Filter keywords" msgstr "过滤关键词" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1304 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1312 msgid "Filter nodes" msgstr "过滤节点" -#: htdocs/luci-static/resources/view/homeproxy/node.js:665 -#: htdocs/luci-static/resources/view/homeproxy/server.js:303 +#: htdocs/luci-static/resources/view/homeproxy/node.js:673 +#: htdocs/luci-static/resources/view/homeproxy/server.js:366 msgid "Flow" msgstr "流控" -#: htdocs/luci-static/resources/view/homeproxy/client.js:998 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1007 msgid "Format" msgstr "格式" -#: htdocs/luci-static/resources/view/homeproxy/node.js:773 +#: htdocs/luci-static/resources/view/homeproxy/node.js:781 msgid "GET" msgstr "GET" @@ -779,20 +780,27 @@ msgstr "GFW 域名列表版本" msgid "GFWList" msgstr "GFWList" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1104 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1113 msgid "Gaming mode IPv4 IP-s" msgstr "游戏模式 IPv4 地址" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1106 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1115 msgid "Gaming mode IPv6 IP-s" msgstr "游戏模式 IPv6 地址" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1109 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1118 msgid "Gaming mode MAC-s" msgstr "游戏模式 MAC 地址" +#: htdocs/luci-static/resources/view/homeproxy/server.js:188 +#: htdocs/luci-static/resources/view/homeproxy/server.js:190 +#: htdocs/luci-static/resources/view/homeproxy/server.js:325 +#: htdocs/luci-static/resources/view/homeproxy/server.js:327 +msgid "Generate" +msgstr "生成" + #: htdocs/luci-static/resources/view/homeproxy/client.js:282 -#: htdocs/luci-static/resources/view/homeproxy/node.js:827 +#: htdocs/luci-static/resources/view/homeproxy/node.js:835 msgid "Generic segmentation offload" msgstr "通用分段卸载(GSO)" @@ -800,23 +808,23 @@ msgstr "通用分段卸载(GSO)" msgid "Global" msgstr "全局" -#: htdocs/luci-static/resources/view/homeproxy/node.js:688 +#: htdocs/luci-static/resources/view/homeproxy/node.js:696 msgid "Global padding" msgstr "全局填充" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1111 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1120 msgid "Global proxy IPv4 IP-s" msgstr "全局代理 IPv4 地址" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1114 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1123 msgid "Global proxy IPv6 IP-s" msgstr "全局代理 IPv6 地址" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1117 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1126 msgid "Global proxy MAC-s" msgstr "全局代理 MAC 地址" -#: htdocs/luci-static/resources/view/homeproxy/server.js:73 +#: htdocs/luci-static/resources/view/homeproxy/server.js:114 msgid "Global settings" msgstr "全局设置" @@ -832,36 +840,36 @@ msgstr "谷歌公共 DNS(8.8.8.8)" msgid "Grant access to homeproxy configuration" msgstr "授予 homeproxy 访问 UCI 配置的权限" -#: htdocs/luci-static/resources/view/homeproxy/client.js:473 -#: htdocs/luci-static/resources/view/homeproxy/client.js:813 +#: htdocs/luci-static/resources/view/homeproxy/client.js:482 +#: htdocs/luci-static/resources/view/homeproxy/client.js:822 #: htdocs/luci-static/resources/view/homeproxy/node.js:395 -#: htdocs/luci-static/resources/view/homeproxy/node.js:707 -#: htdocs/luci-static/resources/view/homeproxy/server.js:104 -#: htdocs/luci-static/resources/view/homeproxy/server.js:321 +#: htdocs/luci-static/resources/view/homeproxy/node.js:715 +#: htdocs/luci-static/resources/view/homeproxy/server.js:145 +#: htdocs/luci-static/resources/view/homeproxy/server.js:384 msgid "HTTP" msgstr "HTTP" -#: htdocs/luci-static/resources/view/homeproxy/server.js:250 +#: htdocs/luci-static/resources/view/homeproxy/server.js:302 msgid "" "HTTP3 server behavior when authentication fails.
A 404 page will be " "returned if empty." msgstr "身份验证失败时的 HTTP3 服务器响应。默认返回 404 页面。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:708 -#: htdocs/luci-static/resources/view/homeproxy/server.js:322 +#: htdocs/luci-static/resources/view/homeproxy/node.js:716 +#: htdocs/luci-static/resources/view/homeproxy/server.js:385 msgid "HTTPUpgrade" msgstr "HTTPUpgrade" -#: htdocs/luci-static/resources/view/homeproxy/server.js:651 +#: htdocs/luci-static/resources/view/homeproxy/server.js:714 msgid "Handshake server address" msgstr "握手服务器地址" -#: htdocs/luci-static/resources/view/homeproxy/server.js:657 +#: htdocs/luci-static/resources/view/homeproxy/server.js:720 msgid "Handshake server port" msgstr "握手服务器端口" -#: htdocs/luci-static/resources/view/homeproxy/node.js:656 -#: htdocs/luci-static/resources/view/homeproxy/server.js:294 +#: htdocs/luci-static/resources/view/homeproxy/node.js:664 +#: htdocs/luci-static/resources/view/homeproxy/server.js:357 msgid "Heartbeat interval" msgstr "心跳间隔" @@ -873,62 +881,62 @@ msgstr "心跳间隔" msgid "HomeProxy" msgstr "HomeProxy" -#: htdocs/luci-static/resources/view/homeproxy/server.js:37 -#: htdocs/luci-static/resources/view/homeproxy/server.js:39 -#: htdocs/luci-static/resources/view/homeproxy/server.js:56 +#: htdocs/luci-static/resources/view/homeproxy/server.js:38 +#: htdocs/luci-static/resources/view/homeproxy/server.js:40 +#: htdocs/luci-static/resources/view/homeproxy/server.js:97 msgid "HomeProxy Server" msgstr "HomeProxy 服务端" -#: htdocs/luci-static/resources/view/homeproxy/node.js:757 -#: htdocs/luci-static/resources/view/homeproxy/node.js:762 -#: htdocs/luci-static/resources/view/homeproxy/node.js:796 -#: htdocs/luci-static/resources/view/homeproxy/server.js:355 -#: htdocs/luci-static/resources/view/homeproxy/server.js:360 -#: htdocs/luci-static/resources/view/homeproxy/server.js:391 +#: htdocs/luci-static/resources/view/homeproxy/node.js:765 +#: htdocs/luci-static/resources/view/homeproxy/node.js:770 +#: htdocs/luci-static/resources/view/homeproxy/node.js:804 +#: htdocs/luci-static/resources/view/homeproxy/server.js:418 +#: htdocs/luci-static/resources/view/homeproxy/server.js:423 +#: htdocs/luci-static/resources/view/homeproxy/server.js:454 msgid "Host" msgstr "主机名" -#: htdocs/luci-static/resources/view/homeproxy/client.js:436 -#: htdocs/luci-static/resources/view/homeproxy/client.js:768 +#: htdocs/luci-static/resources/view/homeproxy/client.js:445 +#: htdocs/luci-static/resources/view/homeproxy/client.js:777 msgid "Host fields" msgstr "主机字段" -#: htdocs/luci-static/resources/view/homeproxy/node.js:597 +#: htdocs/luci-static/resources/view/homeproxy/node.js:605 msgid "Host key" msgstr "主机密钥" -#: htdocs/luci-static/resources/view/homeproxy/node.js:602 +#: htdocs/luci-static/resources/view/homeproxy/node.js:610 msgid "Host key algorithms" msgstr "主机密钥算法" -#: htdocs/luci-static/resources/view/homeproxy/server.js:281 +#: htdocs/luci-static/resources/view/homeproxy/server.js:344 msgid "" "How long the server should wait for the client to send the authentication " "command (in seconds)." msgstr "服务器等待客户端发送认证命令的时间(单位:秒)。" #: htdocs/luci-static/resources/view/homeproxy/node.js:397 -#: htdocs/luci-static/resources/view/homeproxy/server.js:106 +#: htdocs/luci-static/resources/view/homeproxy/server.js:147 msgid "Hysteria" msgstr "Hysteria" #: htdocs/luci-static/resources/view/homeproxy/node.js:398 -#: htdocs/luci-static/resources/view/homeproxy/server.js:107 +#: htdocs/luci-static/resources/view/homeproxy/server.js:148 msgid "Hysteria2" msgstr "Hysteria2" -#: htdocs/luci-static/resources/view/homeproxy/client.js:511 -#: htdocs/luci-static/resources/view/homeproxy/client.js:856 +#: htdocs/luci-static/resources/view/homeproxy/client.js:520 +#: htdocs/luci-static/resources/view/homeproxy/client.js:865 msgid "IP CIDR" msgstr "IP CIDR" -#: htdocs/luci-static/resources/view/homeproxy/client.js:464 -#: htdocs/luci-static/resources/view/homeproxy/client.js:796 +#: htdocs/luci-static/resources/view/homeproxy/client.js:473 +#: htdocs/luci-static/resources/view/homeproxy/client.js:805 msgid "IP version" msgstr "IP 版本" -#: htdocs/luci-static/resources/view/homeproxy/client.js:466 -#: htdocs/luci-static/resources/view/homeproxy/client.js:797 +#: htdocs/luci-static/resources/view/homeproxy/client.js:475 +#: htdocs/luci-static/resources/view/homeproxy/client.js:806 msgid "IPv4" msgstr "IPv4" @@ -936,8 +944,8 @@ msgstr "IPv4" msgid "IPv4 only" msgstr "仅 IPv4" -#: htdocs/luci-static/resources/view/homeproxy/client.js:467 -#: htdocs/luci-static/resources/view/homeproxy/client.js:798 +#: htdocs/luci-static/resources/view/homeproxy/client.js:476 +#: htdocs/luci-static/resources/view/homeproxy/client.js:807 msgid "IPv6" msgstr "IPv6" @@ -949,31 +957,31 @@ msgstr "仅 IPv6" msgid "IPv6 support" msgstr "IPv6 支持" -#: htdocs/luci-static/resources/view/homeproxy/node.js:778 -#: htdocs/luci-static/resources/view/homeproxy/server.js:374 +#: htdocs/luci-static/resources/view/homeproxy/node.js:786 +#: htdocs/luci-static/resources/view/homeproxy/server.js:437 msgid "Idle timeout" msgstr "空闲超时" -#: htdocs/luci-static/resources/view/homeproxy/node.js:749 +#: htdocs/luci-static/resources/view/homeproxy/node.js:757 msgid "" "If enabled, the client transport sends keepalive pings even with no active " "connections." msgstr "如果启用,客户端传输即使没有活动连接也会发送 keepalive ping。" -#: htdocs/luci-static/resources/view/homeproxy/server.js:724 +#: htdocs/luci-static/resources/view/homeproxy/server.js:794 msgid "" "If set, the requested domain name will be resolved to IP before routing." msgstr "如果设置,请求的域名将在路由前被解析为 IP 地址。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:377 +#: htdocs/luci-static/resources/view/homeproxy/client.js:386 msgid "" "If set, the server domain name will be resolved to IP before connecting.
dns.strategy will be used if empty." msgstr "" "如果设置,服务器域名将在连接前被解析为 IP。
默认使用 dns.strategy。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:734 -#: htdocs/luci-static/resources/view/homeproxy/server.js:343 +#: htdocs/luci-static/resources/view/homeproxy/node.js:742 +#: htdocs/luci-static/resources/view/homeproxy/server.js:406 msgid "" "If the transport doesn't see any activity after a duration of this time (in " "seconds), it pings the client to check if the connection is still active." @@ -981,48 +989,53 @@ msgstr "" "如果传输在此时间段(单位:秒)后没有看到任何活动,它会向客户端发送 ping 请求" "以检查连接是否仍然活动。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1008 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1016 msgid "" "If you have the root certificate, use this option instead of allowing " "insecure." msgstr "如果你拥有根证书,使用此选项而不是允许不安全连接。" -#: htdocs/luci-static/resources/view/homeproxy/server.js:243 +#: htdocs/luci-static/resources/view/homeproxy/server.js:295 msgid "Ignore client bandwidth" msgstr "忽略客户端带宽" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1217 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1225 msgid "Import" msgstr "导入" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1164 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1243 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1245 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1172 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1251 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1253 msgid "Import share links" msgstr "导入分享链接" -#: htdocs/luci-static/resources/view/homeproxy/client.js:636 +#: htdocs/luci-static/resources/view/homeproxy/client.js:317 +#: htdocs/luci-static/resources/view/homeproxy/server.js:783 +msgid "In seconds. 300 is used by default." +msgstr "单位:秒。默认使用 300。" + +#: htdocs/luci-static/resources/view/homeproxy/client.js:645 msgid "Independent cache per server" msgstr "独立缓存" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1063 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1072 msgid "Interface Control" msgstr "接口控制" -#: htdocs/luci-static/resources/view/homeproxy/node.js:657 -#: htdocs/luci-static/resources/view/homeproxy/server.js:295 +#: htdocs/luci-static/resources/view/homeproxy/node.js:665 +#: htdocs/luci-static/resources/view/homeproxy/server.js:358 msgid "" "Interval for sending heartbeat packets for keeping the connection alive (in " "seconds)." msgstr "发送心跳包以保持连接存活的时间间隔(单位:秒)。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:576 -#: htdocs/luci-static/resources/view/homeproxy/client.js:909 +#: htdocs/luci-static/resources/view/homeproxy/client.js:585 +#: htdocs/luci-static/resources/view/homeproxy/client.js:918 msgid "Invert" msgstr "反转" -#: htdocs/luci-static/resources/view/homeproxy/client.js:577 -#: htdocs/luci-static/resources/view/homeproxy/client.js:910 +#: htdocs/luci-static/resources/view/homeproxy/client.js:586 +#: htdocs/luci-static/resources/view/homeproxy/client.js:919 msgid "Invert match result." msgstr "反转匹配结果" @@ -1030,26 +1043,26 @@ msgstr "反转匹配结果" msgid "It MUST support TCP query." msgstr "它必须支持 TCP 查询。" -#: htdocs/luci-static/resources/view/homeproxy/server.js:682 +#: htdocs/luci-static/resources/view/homeproxy/server.js:745 msgid "Key path" msgstr "证书路径" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1077 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1086 msgid "LAN IP Policy" msgstr "LAN IP 策略" -#: htdocs/luci-static/resources/view/homeproxy/client.js:359 -#: htdocs/luci-static/resources/view/homeproxy/client.js:441 -#: htdocs/luci-static/resources/view/homeproxy/client.js:672 -#: htdocs/luci-static/resources/view/homeproxy/client.js:773 -#: htdocs/luci-static/resources/view/homeproxy/client.js:982 +#: htdocs/luci-static/resources/view/homeproxy/client.js:368 +#: htdocs/luci-static/resources/view/homeproxy/client.js:450 +#: htdocs/luci-static/resources/view/homeproxy/client.js:681 +#: htdocs/luci-static/resources/view/homeproxy/client.js:782 +#: htdocs/luci-static/resources/view/homeproxy/client.js:991 #: htdocs/luci-static/resources/view/homeproxy/node.js:388 -#: htdocs/luci-static/resources/view/homeproxy/server.js:92 +#: htdocs/luci-static/resources/view/homeproxy/server.js:133 msgid "Label" msgstr "标签" -#: htdocs/luci-static/resources/view/homeproxy/node.js:672 -#: htdocs/luci-static/resources/view/homeproxy/server.js:310 +#: htdocs/luci-static/resources/view/homeproxy/node.js:680 +#: htdocs/luci-static/resources/view/homeproxy/server.js:373 msgid "" "Legacy protocol support (VMess MD5 Authentication) is provided for " "compatibility purposes only, use of alterId > 1 is not recommended." @@ -1061,29 +1074,29 @@ msgstr "" msgid "Less compatibility and sometimes better performance." msgstr "有时性能更好。" -#: htdocs/luci-static/resources/view/homeproxy/server.js:550 +#: htdocs/luci-static/resources/view/homeproxy/server.js:613 msgid "Let's Encrypt" msgstr "Let's Encrypt" -#: htdocs/luci-static/resources/view/homeproxy/node.js:834 +#: htdocs/luci-static/resources/view/homeproxy/node.js:842 msgid "" "List of IP (v4 or v6) addresses prefixes to be assigned to the interface." msgstr "分配给接口的 IP(v4 或 v6)地址前缀列表。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:970 -#: htdocs/luci-static/resources/view/homeproxy/server.js:486 +#: htdocs/luci-static/resources/view/homeproxy/node.js:978 +#: htdocs/luci-static/resources/view/homeproxy/server.js:549 msgid "List of supported application level protocols, in order of preference." msgstr "支持的应用层协议协商列表,按顺序排列。" -#: htdocs/luci-static/resources/view/homeproxy/server.js:119 +#: htdocs/luci-static/resources/view/homeproxy/server.js:160 msgid "Listen address" msgstr "监听地址" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1065 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1074 msgid "Listen interfaces" msgstr "监听接口" -#: htdocs/luci-static/resources/view/homeproxy/server.js:124 +#: htdocs/luci-static/resources/view/homeproxy/server.js:165 msgid "Listen port" msgstr "监听端口" @@ -1091,11 +1104,11 @@ msgstr "监听端口" msgid "Loading" msgstr "加载中" -#: htdocs/luci-static/resources/view/homeproxy/client.js:993 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1002 msgid "Local" msgstr "本地" -#: htdocs/luci-static/resources/view/homeproxy/node.js:833 +#: htdocs/luci-static/resources/view/homeproxy/node.js:841 msgid "Local address" msgstr "本地地址" @@ -1107,7 +1120,7 @@ msgstr "日志文件不存在。" msgid "Log is empty." msgstr "日志为空。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:867 +#: htdocs/luci-static/resources/view/homeproxy/node.js:875 msgid "MTU" msgstr "MTU" @@ -1119,156 +1132,156 @@ msgstr "主 UDP 节点" msgid "Main node" msgstr "主节点" -#: htdocs/luci-static/resources/view/homeproxy/client.js:905 +#: htdocs/luci-static/resources/view/homeproxy/client.js:914 msgid "Make ipcidr in rule sets match the source IP." msgstr "使规则集中的 ipcidr 用于匹配源 IP。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:571 +#: htdocs/luci-static/resources/view/homeproxy/client.js:580 msgid "Make IP CIDR in rule set used to match the source IP." msgstr "使规则集中的 IP CIDR 用于匹配源 IP。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:637 +#: htdocs/luci-static/resources/view/homeproxy/client.js:646 msgid "" "Make each DNS server's cache independent for special purposes. If enabled, " "will slightly degrade performance." msgstr "独立缓存每个 DNS 服务器的结果以供特殊用途。启用后会略微降低性能。" -#: htdocs/luci-static/resources/view/homeproxy/server.js:249 +#: htdocs/luci-static/resources/view/homeproxy/server.js:301 msgid "Masquerade" msgstr "伪装" -#: htdocs/luci-static/resources/view/homeproxy/client.js:915 +#: htdocs/luci-static/resources/view/homeproxy/client.js:924 msgid "Match .outbounds[].server domains." msgstr "匹配 .outbounds[].server 域名。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:857 +#: htdocs/luci-static/resources/view/homeproxy/client.js:866 msgid "Match IP CIDR with query response." msgstr "使用查询响应匹配 IP CIDR。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:512 +#: htdocs/luci-static/resources/view/homeproxy/client.js:521 msgid "Match IP CIDR." msgstr "匹配 IP CIDR。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:489 -#: htdocs/luci-static/resources/view/homeproxy/client.js:825 +#: htdocs/luci-static/resources/view/homeproxy/client.js:498 +#: htdocs/luci-static/resources/view/homeproxy/client.js:834 msgid "Match domain suffix." msgstr "匹配域名后缀。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:493 -#: htdocs/luci-static/resources/view/homeproxy/client.js:829 +#: htdocs/luci-static/resources/view/homeproxy/client.js:502 +#: htdocs/luci-static/resources/view/homeproxy/client.js:838 msgid "Match domain using keyword." msgstr "使用关键词匹配域名。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:497 -#: htdocs/luci-static/resources/view/homeproxy/client.js:833 +#: htdocs/luci-static/resources/view/homeproxy/client.js:506 +#: htdocs/luci-static/resources/view/homeproxy/client.js:842 msgid "Match domain using regular expression." msgstr "使用正则表达式匹配域名。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:484 -#: htdocs/luci-static/resources/view/homeproxy/client.js:820 +#: htdocs/luci-static/resources/view/homeproxy/client.js:493 +#: htdocs/luci-static/resources/view/homeproxy/client.js:829 msgid "Match full domain." msgstr "匹配完整域名。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:538 -#: htdocs/luci-static/resources/view/homeproxy/client.js:842 +#: htdocs/luci-static/resources/view/homeproxy/client.js:547 +#: htdocs/luci-static/resources/view/homeproxy/client.js:851 msgid "Match port range. Format as START:/:END/START:END." msgstr "匹配端口范围。格式为 START:/:END/START:END。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:533 -#: htdocs/luci-static/resources/view/homeproxy/client.js:837 +#: htdocs/luci-static/resources/view/homeproxy/client.js:542 +#: htdocs/luci-static/resources/view/homeproxy/client.js:846 msgid "Match port." msgstr "匹配端口。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:862 +#: htdocs/luci-static/resources/view/homeproxy/client.js:871 msgid "Match private IP with query response." msgstr "使用查询响应匹配私有 IP。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:517 +#: htdocs/luci-static/resources/view/homeproxy/client.js:526 msgid "Match private IP." msgstr "匹配私有 IP。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:506 -#: htdocs/luci-static/resources/view/homeproxy/client.js:852 +#: htdocs/luci-static/resources/view/homeproxy/client.js:515 +#: htdocs/luci-static/resources/view/homeproxy/client.js:861 msgid "Match private source IP." msgstr "匹配私有源 IP。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:543 -#: htdocs/luci-static/resources/view/homeproxy/client.js:877 +#: htdocs/luci-static/resources/view/homeproxy/client.js:552 +#: htdocs/luci-static/resources/view/homeproxy/client.js:886 msgid "Match process name." msgstr "匹配进程名。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:547 -#: htdocs/luci-static/resources/view/homeproxy/client.js:881 +#: htdocs/luci-static/resources/view/homeproxy/client.js:556 +#: htdocs/luci-static/resources/view/homeproxy/client.js:890 msgid "Match process path." msgstr "匹配进程路径。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:803 +#: htdocs/luci-static/resources/view/homeproxy/client.js:812 msgid "Match query type." msgstr "匹配请求类型。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:555 -#: htdocs/luci-static/resources/view/homeproxy/client.js:889 +#: htdocs/luci-static/resources/view/homeproxy/client.js:564 +#: htdocs/luci-static/resources/view/homeproxy/client.js:898 msgid "Match rule set." msgstr "匹配规则集。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:501 -#: htdocs/luci-static/resources/view/homeproxy/client.js:847 +#: htdocs/luci-static/resources/view/homeproxy/client.js:510 +#: htdocs/luci-static/resources/view/homeproxy/client.js:856 msgid "Match source IP CIDR." msgstr "匹配源 IP CIDR。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:570 +#: htdocs/luci-static/resources/view/homeproxy/client.js:579 msgid "Match source IP via rule set" msgstr "通过规则集匹配源 IP" -#: htdocs/luci-static/resources/view/homeproxy/client.js:528 -#: htdocs/luci-static/resources/view/homeproxy/client.js:872 +#: htdocs/luci-static/resources/view/homeproxy/client.js:537 +#: htdocs/luci-static/resources/view/homeproxy/client.js:881 msgid "Match source port range. Format as START:/:END/START:END." msgstr "匹配源端口范围。格式为 START:/:END/START:END。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:523 -#: htdocs/luci-static/resources/view/homeproxy/client.js:867 +#: htdocs/luci-static/resources/view/homeproxy/client.js:532 +#: htdocs/luci-static/resources/view/homeproxy/client.js:876 msgid "Match source port." msgstr "匹配源端口。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:551 -#: htdocs/luci-static/resources/view/homeproxy/client.js:885 +#: htdocs/luci-static/resources/view/homeproxy/client.js:560 +#: htdocs/luci-static/resources/view/homeproxy/client.js:894 msgid "Match user name." msgstr "匹配用户名。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:506 -#: htdocs/luci-static/resources/view/homeproxy/server.js:179 +#: htdocs/luci-static/resources/view/homeproxy/node.js:514 +#: htdocs/luci-static/resources/view/homeproxy/server.js:231 msgid "Max download speed" msgstr "最大下载速度" -#: htdocs/luci-static/resources/view/homeproxy/node.js:507 -#: htdocs/luci-static/resources/view/homeproxy/server.js:180 +#: htdocs/luci-static/resources/view/homeproxy/node.js:515 +#: htdocs/luci-static/resources/view/homeproxy/server.js:232 msgid "Max download speed in Mbps." msgstr "最大下载速度(Mbps)。" -#: htdocs/luci-static/resources/view/homeproxy/server.js:646 +#: htdocs/luci-static/resources/view/homeproxy/server.js:709 msgid "Max time difference" msgstr "最大时间差" -#: htdocs/luci-static/resources/view/homeproxy/node.js:513 -#: htdocs/luci-static/resources/view/homeproxy/server.js:186 +#: htdocs/luci-static/resources/view/homeproxy/node.js:521 +#: htdocs/luci-static/resources/view/homeproxy/server.js:238 msgid "Max upload speed" msgstr "最大上传速度" -#: htdocs/luci-static/resources/view/homeproxy/node.js:514 -#: htdocs/luci-static/resources/view/homeproxy/server.js:187 +#: htdocs/luci-static/resources/view/homeproxy/node.js:522 +#: htdocs/luci-static/resources/view/homeproxy/server.js:239 msgid "Max upload speed in Mbps." msgstr "最大上传速度(Mbps)。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:991 -#: htdocs/luci-static/resources/view/homeproxy/server.js:498 +#: htdocs/luci-static/resources/view/homeproxy/node.js:999 +#: htdocs/luci-static/resources/view/homeproxy/server.js:561 msgid "Maximum TLS version" msgstr "最大 TLS 版本" -#: htdocs/luci-static/resources/view/homeproxy/node.js:894 +#: htdocs/luci-static/resources/view/homeproxy/node.js:902 msgid "Maximum connections" msgstr "最大连接数" -#: htdocs/luci-static/resources/view/homeproxy/node.js:906 +#: htdocs/luci-static/resources/view/homeproxy/node.js:914 msgid "" "Maximum multiplexed streams in a connection before opening a new connection." "
Conflict with Maximum connections and Minimum " @@ -1277,26 +1290,26 @@ msgstr "" "在打开新连接之前,连接中的最大多路复用流数量。与 Maximum connectionsMinimum streams 冲突。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:905 +#: htdocs/luci-static/resources/view/homeproxy/node.js:913 msgid "Maximum streams" msgstr "最大流数量" -#: htdocs/luci-static/resources/view/homeproxy/node.js:772 -#: htdocs/luci-static/resources/view/homeproxy/server.js:370 +#: htdocs/luci-static/resources/view/homeproxy/node.js:780 +#: htdocs/luci-static/resources/view/homeproxy/server.js:433 msgid "Method" msgstr "方式" -#: htdocs/luci-static/resources/view/homeproxy/node.js:983 -#: htdocs/luci-static/resources/view/homeproxy/server.js:490 +#: htdocs/luci-static/resources/view/homeproxy/node.js:991 +#: htdocs/luci-static/resources/view/homeproxy/server.js:553 msgid "Minimum TLS version" msgstr "最低 TLS 版本" -#: htdocs/luci-static/resources/view/homeproxy/node.js:900 +#: htdocs/luci-static/resources/view/homeproxy/node.js:908 msgid "" "Minimum multiplexed streams in a connection before opening a new connection." msgstr "在打开新连接之前,连接中的最小多路复用流数量。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:899 +#: htdocs/luci-static/resources/view/homeproxy/node.js:907 msgid "Minimum streams" msgstr "最小流数量" @@ -1308,77 +1321,77 @@ msgstr "混合" msgid "Mixed system TCP stack and gVisor UDP stack." msgstr "混合系统 TCP 栈和 gVisor UDP 栈。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:451 -#: htdocs/luci-static/resources/view/homeproxy/client.js:783 +#: htdocs/luci-static/resources/view/homeproxy/client.js:460 +#: htdocs/luci-static/resources/view/homeproxy/client.js:792 msgid "Mode" msgstr "模式" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1106 -#: htdocs/luci-static/resources/view/homeproxy/server.js:708 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1114 +#: htdocs/luci-static/resources/view/homeproxy/server.js:771 msgid "MultiPath TCP" msgstr "多路径 TCP(MPTCP)" -#: htdocs/luci-static/resources/view/homeproxy/node.js:876 -#: htdocs/luci-static/resources/view/homeproxy/server.js:418 +#: htdocs/luci-static/resources/view/homeproxy/node.js:884 +#: htdocs/luci-static/resources/view/homeproxy/server.js:481 msgid "Multiplex" msgstr "多路复用" -#: htdocs/luci-static/resources/view/homeproxy/node.js:885 +#: htdocs/luci-static/resources/view/homeproxy/node.js:893 msgid "Multiplex protocol." msgstr "多路复用协议。" #: htdocs/luci-static/resources/view/homeproxy/client.js:57 -#: htdocs/luci-static/resources/view/homeproxy/server.js:39 +#: htdocs/luci-static/resources/view/homeproxy/server.js:40 msgid "NOT RUNNING" msgstr "未运行" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1331 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1339 msgid "NOTE: Save current settings before updating subscriptions." msgstr "注意:更新订阅前先保存当前配置。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:638 +#: htdocs/luci-static/resources/view/homeproxy/node.js:646 msgid "Native" msgstr "原生" -#: htdocs/luci-static/resources/view/homeproxy/server.js:108 +#: htdocs/luci-static/resources/view/homeproxy/server.js:149 msgid "NaïveProxy" msgstr "NaïveProxy" -#: htdocs/luci-static/resources/view/homeproxy/client.js:478 -#: htdocs/luci-static/resources/view/homeproxy/client.js:806 -#: htdocs/luci-static/resources/view/homeproxy/server.js:729 +#: htdocs/luci-static/resources/view/homeproxy/client.js:487 +#: htdocs/luci-static/resources/view/homeproxy/client.js:815 +#: htdocs/luci-static/resources/view/homeproxy/server.js:799 msgid "Network" msgstr "网络" -#: htdocs/luci-static/resources/view/homeproxy/node.js:628 +#: htdocs/luci-static/resources/view/homeproxy/node.js:636 msgid "New Reno" msgstr "New Reno" -#: htdocs/luci-static/resources/view/homeproxy/node.js:704 -#: htdocs/luci-static/resources/view/homeproxy/node.js:721 -#: htdocs/luci-static/resources/view/homeproxy/server.js:318 -#: htdocs/luci-static/resources/view/homeproxy/server.js:335 +#: htdocs/luci-static/resources/view/homeproxy/node.js:712 +#: htdocs/luci-static/resources/view/homeproxy/node.js:729 +#: htdocs/luci-static/resources/view/homeproxy/server.js:381 +#: htdocs/luci-static/resources/view/homeproxy/server.js:398 msgid "No TCP transport, plain HTTP is merged into the HTTP transport." msgstr "无 TCP 传输层, 纯 HTTP 已合并到 HTTP 传输层。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:719 -#: htdocs/luci-static/resources/view/homeproxy/server.js:333 +#: htdocs/luci-static/resources/view/homeproxy/node.js:727 +#: htdocs/luci-static/resources/view/homeproxy/server.js:396 msgid "No additional encryption support: It's basically duplicate encryption." msgstr "无额外加密支持:它基本上是重复加密。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1347 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1355 msgid "No subscription available" msgstr "无可用订阅" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1372 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1380 msgid "No subscription node" msgstr "无订阅节点" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1203 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1211 msgid "No valid share link found." msgstr "找不到有效分享链接。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:369 +#: htdocs/luci-static/resources/view/homeproxy/client.js:378 #: htdocs/luci-static/resources/view/homeproxy/node.js:363 msgid "Node" msgstr "节点" @@ -1387,29 +1400,29 @@ msgstr "节点" msgid "Node Settings" msgstr "节点设置" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1153 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1161 msgid "Nodes" msgstr "节点" -#: htdocs/luci-static/resources/view/homeproxy/client.js:692 -#: htdocs/luci-static/resources/view/homeproxy/node.js:666 -#: htdocs/luci-static/resources/view/homeproxy/node.js:705 -#: htdocs/luci-static/resources/view/homeproxy/server.js:304 -#: htdocs/luci-static/resources/view/homeproxy/server.js:319 +#: htdocs/luci-static/resources/view/homeproxy/client.js:701 +#: htdocs/luci-static/resources/view/homeproxy/node.js:674 +#: htdocs/luci-static/resources/view/homeproxy/node.js:713 +#: htdocs/luci-static/resources/view/homeproxy/server.js:367 +#: htdocs/luci-static/resources/view/homeproxy/server.js:382 msgid "None" msgstr "无" -#: htdocs/luci-static/resources/view/homeproxy/node.js:501 -#: htdocs/luci-static/resources/view/homeproxy/server.js:211 +#: htdocs/luci-static/resources/view/homeproxy/node.js:509 +#: htdocs/luci-static/resources/view/homeproxy/server.js:263 msgid "Obfuscate password" msgstr "混淆密码" -#: htdocs/luci-static/resources/view/homeproxy/node.js:495 -#: htdocs/luci-static/resources/view/homeproxy/server.js:205 +#: htdocs/luci-static/resources/view/homeproxy/node.js:503 +#: htdocs/luci-static/resources/view/homeproxy/server.js:257 msgid "Obfuscate type" msgstr "混淆类型" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1066 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1075 msgid "Only process traffic from specific interfaces. Leave empty for all." msgstr "只处理来自指定接口的流量。留空表示全部。" @@ -1417,20 +1430,20 @@ msgstr "只处理来自指定接口的流量。留空表示全部。" msgid "Only proxy mainland China" msgstr "仅代理中国大陆" -#: htdocs/luci-static/resources/view/homeproxy/client.js:435 -#: htdocs/luci-static/resources/view/homeproxy/client.js:767 +#: htdocs/luci-static/resources/view/homeproxy/client.js:444 +#: htdocs/luci-static/resources/view/homeproxy/client.js:776 msgid "Other fields" msgstr "其他字段" -#: htdocs/luci-static/resources/view/homeproxy/client.js:389 -#: htdocs/luci-static/resources/view/homeproxy/client.js:581 -#: htdocs/luci-static/resources/view/homeproxy/client.js:729 -#: htdocs/luci-static/resources/view/homeproxy/client.js:914 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1033 +#: htdocs/luci-static/resources/view/homeproxy/client.js:398 +#: htdocs/luci-static/resources/view/homeproxy/client.js:590 +#: htdocs/luci-static/resources/view/homeproxy/client.js:738 +#: htdocs/luci-static/resources/view/homeproxy/client.js:923 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1042 msgid "Outbound" msgstr "出站" -#: htdocs/luci-static/resources/view/homeproxy/client.js:370 +#: htdocs/luci-static/resources/view/homeproxy/client.js:379 msgid "Outbound node" msgstr "出站节点" @@ -1438,8 +1451,8 @@ msgstr "出站节点" msgid "Override address" msgstr "覆盖地址" -#: htdocs/luci-static/resources/view/homeproxy/client.js:321 -#: htdocs/luci-static/resources/view/homeproxy/server.js:719 +#: htdocs/luci-static/resources/view/homeproxy/client.js:330 +#: htdocs/luci-static/resources/view/homeproxy/server.js:789 msgid "Override destination" msgstr "覆盖目标地址" @@ -1447,8 +1460,8 @@ msgstr "覆盖目标地址" msgid "Override port" msgstr "覆盖端口" -#: htdocs/luci-static/resources/view/homeproxy/client.js:322 -#: htdocs/luci-static/resources/view/homeproxy/server.js:720 +#: htdocs/luci-static/resources/view/homeproxy/client.js:331 +#: htdocs/luci-static/resources/view/homeproxy/server.js:790 msgid "Override the connection destination address with the sniffed domain." msgstr "使用嗅探到的域名覆盖连接目标。" @@ -1460,28 +1473,28 @@ msgstr "覆盖目标连接地址。" msgid "Override the connection destination port." msgstr "覆盖目标连接端口。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:774 +#: htdocs/luci-static/resources/view/homeproxy/node.js:782 msgid "PUT" msgstr "PUT" -#: htdocs/luci-static/resources/view/homeproxy/node.js:817 +#: htdocs/luci-static/resources/view/homeproxy/node.js:825 msgid "Packet encoding" msgstr "数据包编码" #: htdocs/luci-static/resources/view/homeproxy/node.js:429 -#: htdocs/luci-static/resources/view/homeproxy/server.js:135 +#: htdocs/luci-static/resources/view/homeproxy/server.js:176 msgid "Password" msgstr "密码" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1004 -#: htdocs/luci-static/resources/view/homeproxy/node.js:767 -#: htdocs/luci-static/resources/view/homeproxy/node.js:800 -#: htdocs/luci-static/resources/view/homeproxy/server.js:365 -#: htdocs/luci-static/resources/view/homeproxy/server.js:395 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1013 +#: htdocs/luci-static/resources/view/homeproxy/node.js:775 +#: htdocs/luci-static/resources/view/homeproxy/node.js:808 +#: htdocs/luci-static/resources/view/homeproxy/server.js:428 +#: htdocs/luci-static/resources/view/homeproxy/server.js:458 msgid "Path" msgstr "路径" -#: htdocs/luci-static/resources/view/homeproxy/node.js:848 +#: htdocs/luci-static/resources/view/homeproxy/node.js:856 msgid "Peer pubkic key" msgstr "对端公钥" @@ -1491,21 +1504,21 @@ msgid "" "it is not needed." msgstr "性能可能会略有下降,建议仅在需要时开启。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:786 -#: htdocs/luci-static/resources/view/homeproxy/server.js:382 +#: htdocs/luci-static/resources/view/homeproxy/node.js:794 +#: htdocs/luci-static/resources/view/homeproxy/server.js:445 msgid "Ping timeout" msgstr "Ping 超时" -#: htdocs/luci-static/resources/view/homeproxy/node.js:558 +#: htdocs/luci-static/resources/view/homeproxy/node.js:566 msgid "Plugin" msgstr "插件" -#: htdocs/luci-static/resources/view/homeproxy/node.js:565 +#: htdocs/luci-static/resources/view/homeproxy/node.js:573 msgid "Plugin opts" msgstr "插件参数" -#: htdocs/luci-static/resources/view/homeproxy/client.js:532 -#: htdocs/luci-static/resources/view/homeproxy/client.js:836 +#: htdocs/luci-static/resources/view/homeproxy/client.js:541 +#: htdocs/luci-static/resources/view/homeproxy/client.js:845 #: htdocs/luci-static/resources/view/homeproxy/node.js:418 msgid "Port" msgstr "端口" @@ -1514,17 +1527,17 @@ msgstr "端口" msgid "Port %s alrealy exists!" msgstr "端口 %s 已存在!" -#: htdocs/luci-static/resources/view/homeproxy/client.js:437 -#: htdocs/luci-static/resources/view/homeproxy/client.js:769 +#: htdocs/luci-static/resources/view/homeproxy/client.js:446 +#: htdocs/luci-static/resources/view/homeproxy/client.js:778 msgid "Port fields" msgstr "端口字段" -#: htdocs/luci-static/resources/view/homeproxy/client.js:537 -#: htdocs/luci-static/resources/view/homeproxy/client.js:841 +#: htdocs/luci-static/resources/view/homeproxy/client.js:546 +#: htdocs/luci-static/resources/view/homeproxy/client.js:850 msgid "Port range" msgstr "端口范围" -#: htdocs/luci-static/resources/view/homeproxy/node.js:855 +#: htdocs/luci-static/resources/view/homeproxy/node.js:863 msgid "Pre-shared key" msgstr "预共享密钥" @@ -1536,80 +1549,80 @@ msgstr "优先 IPv4" msgid "Prefer IPv6" msgstr "优先 IPv6" -#: htdocs/luci-static/resources/view/homeproxy/client.js:516 -#: htdocs/luci-static/resources/view/homeproxy/client.js:861 +#: htdocs/luci-static/resources/view/homeproxy/client.js:525 +#: htdocs/luci-static/resources/view/homeproxy/client.js:870 msgid "Private IP" msgstr "私有 IP" -#: htdocs/luci-static/resources/view/homeproxy/node.js:606 -#: htdocs/luci-static/resources/view/homeproxy/node.js:840 +#: htdocs/luci-static/resources/view/homeproxy/node.js:614 +#: htdocs/luci-static/resources/view/homeproxy/node.js:848 msgid "Private key" msgstr "私钥" -#: htdocs/luci-static/resources/view/homeproxy/node.js:611 +#: htdocs/luci-static/resources/view/homeproxy/node.js:619 msgid "Private key passphrase" msgstr "私钥指纹" -#: htdocs/luci-static/resources/view/homeproxy/client.js:505 -#: htdocs/luci-static/resources/view/homeproxy/client.js:851 +#: htdocs/luci-static/resources/view/homeproxy/client.js:514 +#: htdocs/luci-static/resources/view/homeproxy/client.js:860 msgid "Private source IP" msgstr "私有源 IP" -#: htdocs/luci-static/resources/view/homeproxy/client.js:542 -#: htdocs/luci-static/resources/view/homeproxy/client.js:876 +#: htdocs/luci-static/resources/view/homeproxy/client.js:551 +#: htdocs/luci-static/resources/view/homeproxy/client.js:885 msgid "Process name" msgstr "进程名" -#: htdocs/luci-static/resources/view/homeproxy/client.js:546 -#: htdocs/luci-static/resources/view/homeproxy/client.js:880 +#: htdocs/luci-static/resources/view/homeproxy/client.js:555 +#: htdocs/luci-static/resources/view/homeproxy/client.js:889 msgid "Process path" msgstr "进程路径" -#: htdocs/luci-static/resources/view/homeproxy/client.js:471 -#: htdocs/luci-static/resources/view/homeproxy/client.js:811 -#: htdocs/luci-static/resources/view/homeproxy/node.js:472 -#: htdocs/luci-static/resources/view/homeproxy/node.js:884 -#: htdocs/luci-static/resources/view/homeproxy/server.js:168 +#: htdocs/luci-static/resources/view/homeproxy/client.js:480 +#: htdocs/luci-static/resources/view/homeproxy/client.js:820 +#: htdocs/luci-static/resources/view/homeproxy/node.js:480 +#: htdocs/luci-static/resources/view/homeproxy/node.js:892 +#: htdocs/luci-static/resources/view/homeproxy/server.js:220 msgid "Protocol" msgstr "协议" -#: htdocs/luci-static/resources/view/homeproxy/node.js:696 +#: htdocs/luci-static/resources/view/homeproxy/node.js:704 msgid "Protocol parameter. Enable length block encryption." msgstr "协议参数。启用长度块加密。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:689 +#: htdocs/luci-static/resources/view/homeproxy/node.js:697 msgid "" "Protocol parameter. Will waste traffic randomly if enabled (enabled by " "default in v2ray and cannot be disabled)." msgstr "协议参数。 如启用会随机浪费流量(在 v2ray 中默认启用并且无法禁用)。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1140 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1149 msgid "Proxy Domain List" msgstr "代理域名列表" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1095 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1124 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1104 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1133 msgid "Proxy IPv4 IP-s" msgstr "代理 IPv4 地址" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1098 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1127 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1107 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1136 msgid "Proxy IPv6 IP-s" msgstr "代理 IPv6 地址" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1101 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1110 msgid "Proxy MAC-s" msgstr "代理 MAC 地址" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1082 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1091 msgid "Proxy all except listed" msgstr "仅允许列表外" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1079 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1088 msgid "Proxy filter mode" msgstr "代理过滤模式" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1081 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1090 msgid "Proxy listed only" msgstr "仅允许列表内" @@ -1617,73 +1630,77 @@ msgstr "仅允许列表内" msgid "Proxy mode" msgstr "代理模式" -#: htdocs/luci-static/resources/view/homeproxy/client.js:475 -#: htdocs/luci-static/resources/view/homeproxy/client.js:815 -#: htdocs/luci-static/resources/view/homeproxy/node.js:639 -#: htdocs/luci-static/resources/view/homeproxy/node.js:709 -#: htdocs/luci-static/resources/view/homeproxy/server.js:323 +#: htdocs/luci-static/resources/view/homeproxy/node.js:471 +msgid "Proxy protocol" +msgstr "代理协议" + +#: htdocs/luci-static/resources/view/homeproxy/client.js:484 +#: htdocs/luci-static/resources/view/homeproxy/client.js:824 +#: htdocs/luci-static/resources/view/homeproxy/node.js:647 +#: htdocs/luci-static/resources/view/homeproxy/node.js:717 +#: htdocs/luci-static/resources/view/homeproxy/server.js:386 msgid "QUIC" msgstr "QUIC" -#: htdocs/luci-static/resources/view/homeproxy/node.js:626 -#: htdocs/luci-static/resources/view/homeproxy/server.js:272 +#: htdocs/luci-static/resources/view/homeproxy/node.js:634 +#: htdocs/luci-static/resources/view/homeproxy/server.js:335 msgid "QUIC congestion control algorithm." msgstr "QUIC 拥塞控制算法。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:526 -#: htdocs/luci-static/resources/view/homeproxy/server.js:223 +#: htdocs/luci-static/resources/view/homeproxy/node.js:534 +#: htdocs/luci-static/resources/view/homeproxy/server.js:275 msgid "QUIC connection receive window" msgstr "QUIC 连接窗口" -#: htdocs/luci-static/resources/view/homeproxy/server.js:230 +#: htdocs/luci-static/resources/view/homeproxy/server.js:282 msgid "QUIC maximum concurrent bidirectional streams" msgstr "QUIC 最大双向并发流" -#: htdocs/luci-static/resources/view/homeproxy/node.js:520 -#: htdocs/luci-static/resources/view/homeproxy/server.js:216 +#: htdocs/luci-static/resources/view/homeproxy/node.js:528 +#: htdocs/luci-static/resources/view/homeproxy/server.js:268 msgid "QUIC stream receive window" msgstr "QUIC 流接收窗口" -#: htdocs/luci-static/resources/view/homeproxy/client.js:802 +#: htdocs/luci-static/resources/view/homeproxy/client.js:811 msgid "Query type" msgstr "请求类型" -#: htdocs/luci-static/resources/view/homeproxy/client.js:652 +#: htdocs/luci-static/resources/view/homeproxy/client.js:661 msgid "RDRC timeout" msgstr "RDRC 超时" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1085 -#: htdocs/luci-static/resources/view/homeproxy/server.js:630 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1093 +#: htdocs/luci-static/resources/view/homeproxy/server.js:693 msgid "REALITY" msgstr "REALITY" -#: htdocs/luci-static/resources/view/homeproxy/server.js:636 +#: htdocs/luci-static/resources/view/homeproxy/server.js:699 msgid "REALITY private key" msgstr "REALITY 私钥" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1090 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1098 msgid "REALITY public key" msgstr "REALITY 公钥" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1095 -#: htdocs/luci-static/resources/view/homeproxy/server.js:641 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1103 +#: htdocs/luci-static/resources/view/homeproxy/server.js:704 msgid "REALITY short ID" msgstr "REALITY 标识符" #: htdocs/luci-static/resources/view/homeproxy/client.js:55 -#: htdocs/luci-static/resources/view/homeproxy/server.js:37 +#: htdocs/luci-static/resources/view/homeproxy/server.js:38 msgid "RUNNING" msgstr "运行中" -#: htdocs/luci-static/resources/view/homeproxy/node.js:593 +#: htdocs/luci-static/resources/view/homeproxy/node.js:601 msgid "Random version will be used if empty." msgstr "如留空,则使用随机版本。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:414 +#: htdocs/luci-static/resources/view/homeproxy/client.js:423 msgid "Recursive outbound detected!" msgstr "检测到递归出站!" -#: htdocs/luci-static/resources/view/homeproxy/client.js:711 +#: htdocs/luci-static/resources/view/homeproxy/client.js:720 msgid "Recursive resolver detected!" msgstr "检测到递归解析器!" @@ -1703,27 +1720,27 @@ msgstr "Redirect TCP + Tun UDP" msgid "Refresh every %s seconds." msgstr "每 %s 秒刷新。" -#: htdocs/luci-static/resources/view/homeproxy/server.js:579 +#: htdocs/luci-static/resources/view/homeproxy/server.js:642 msgid "Region ID" msgstr "区域 ID" -#: htdocs/luci-static/resources/view/homeproxy/client.js:994 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1003 msgid "Remote" msgstr "远程" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1369 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1377 msgid "Remove %s nodes" msgstr "移除 %s 个节点" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1359 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1367 msgid "Remove all nodes from subscriptions" msgstr "移除所有订阅节点" -#: htdocs/luci-static/resources/view/homeproxy/node.js:862 +#: htdocs/luci-static/resources/view/homeproxy/node.js:870 msgid "Reserved field bytes" msgstr "保留字段字节" -#: htdocs/luci-static/resources/view/homeproxy/client.js:724 +#: htdocs/luci-static/resources/view/homeproxy/client.js:733 msgid "Resolve strategy" msgstr "解析策略" @@ -1731,19 +1748,19 @@ msgstr "解析策略" msgid "Resources management" msgstr "资源管理" -#: htdocs/luci-static/resources/view/homeproxy/client.js:956 +#: htdocs/luci-static/resources/view/homeproxy/client.js:965 msgid "Rewrite TTL" msgstr "重写 TTL" -#: htdocs/luci-static/resources/view/homeproxy/client.js:957 +#: htdocs/luci-static/resources/view/homeproxy/client.js:966 msgid "Rewrite TTL in DNS responses." msgstr "在 DNS 响应中重写 TTL。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:346 +#: htdocs/luci-static/resources/view/homeproxy/client.js:355 msgid "Routing Nodes" msgstr "路由节点" -#: htdocs/luci-static/resources/view/homeproxy/client.js:422 +#: htdocs/luci-static/resources/view/homeproxy/client.js:431 msgid "Routing Rules" msgstr "路由规则" @@ -1755,7 +1772,7 @@ msgstr "路由设置" msgid "Routing mode" msgstr "路由模式" -#: htdocs/luci-static/resources/view/homeproxy/client.js:355 +#: htdocs/luci-static/resources/view/homeproxy/client.js:364 msgid "Routing node" msgstr "路由节点" @@ -1763,32 +1780,32 @@ msgstr "路由节点" msgid "Routing ports" msgstr "路由端口" -#: htdocs/luci-static/resources/view/homeproxy/client.js:431 +#: htdocs/luci-static/resources/view/homeproxy/client.js:440 msgid "Routing rule" msgstr "路由规则" -#: htdocs/luci-static/resources/view/homeproxy/client.js:554 -#: htdocs/luci-static/resources/view/homeproxy/client.js:888 -#: htdocs/luci-static/resources/view/homeproxy/client.js:969 +#: htdocs/luci-static/resources/view/homeproxy/client.js:563 +#: htdocs/luci-static/resources/view/homeproxy/client.js:897 #: htdocs/luci-static/resources/view/homeproxy/client.js:978 +#: htdocs/luci-static/resources/view/homeproxy/client.js:987 msgid "Rule set" msgstr "规则集" -#: htdocs/luci-static/resources/view/homeproxy/client.js:904 +#: htdocs/luci-static/resources/view/homeproxy/client.js:913 msgid "Rule set IP CIDR as source IP" msgstr "规则集 IP CIDR 作为源 IP" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1011 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1020 msgid "Rule set URL" msgstr "规则集 URL" -#: htdocs/luci-static/resources/view/homeproxy/client.js:438 -#: htdocs/luci-static/resources/view/homeproxy/client.js:770 +#: htdocs/luci-static/resources/view/homeproxy/client.js:447 +#: htdocs/luci-static/resources/view/homeproxy/client.js:779 msgid "SRC-IP fields" msgstr "源 IP 字段" -#: htdocs/luci-static/resources/view/homeproxy/client.js:439 -#: htdocs/luci-static/resources/view/homeproxy/client.js:771 +#: htdocs/luci-static/resources/view/homeproxy/client.js:448 +#: htdocs/luci-static/resources/view/homeproxy/client.js:780 msgid "SRC-Port fields" msgstr "源端口字段" @@ -1796,17 +1813,17 @@ msgstr "源端口字段" msgid "SSH" msgstr "SSH" -#: htdocs/luci-static/resources/view/homeproxy/client.js:476 -#: htdocs/luci-static/resources/view/homeproxy/client.js:817 +#: htdocs/luci-static/resources/view/homeproxy/client.js:485 +#: htdocs/luci-static/resources/view/homeproxy/client.js:826 msgid "STUN" msgstr "STUN" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1122 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1130 msgid "SUoT version" msgstr "SUoT 版本" -#: htdocs/luci-static/resources/view/homeproxy/node.js:497 -#: htdocs/luci-static/resources/view/homeproxy/server.js:207 +#: htdocs/luci-static/resources/view/homeproxy/node.js:505 +#: htdocs/luci-static/resources/view/homeproxy/server.js:259 msgid "Salamander" msgstr "Salamander" @@ -1814,16 +1831,16 @@ msgstr "Salamander" msgid "Same as main node" msgstr "保持与主节点一致" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1333 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1341 msgid "Save current settings" msgstr "保存当前设置" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1330 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1338 msgid "Save subscriptions settings" msgstr "保存订阅设置" -#: htdocs/luci-static/resources/view/homeproxy/client.js:932 -#: htdocs/luci-static/resources/view/homeproxy/server.js:88 +#: htdocs/luci-static/resources/view/homeproxy/client.js:941 +#: htdocs/luci-static/resources/view/homeproxy/server.js:129 msgid "Server" msgstr "服务器" @@ -1831,13 +1848,13 @@ msgstr "服务器" msgid "Server Settings" msgstr "服务器设置" -#: htdocs/luci-static/resources/view/homeproxy/server.js:528 +#: htdocs/luci-static/resources/view/homeproxy/server.js:591 msgid "" "Server name to use when choosing a certificate if the ClientHello's " "ServerName field is empty." msgstr "当 ClientHello 的 ServerName 字段为空时,选择证书所使用的服务器名称。" -#: htdocs/luci-static/resources/view/homeproxy/server.js:83 +#: htdocs/luci-static/resources/view/homeproxy/server.js:124 msgid "Server settings" msgstr "服务器设置" @@ -1849,17 +1866,17 @@ msgstr "服务状态" msgid "ShadowTLS" msgstr "ShadowTLS" -#: htdocs/luci-static/resources/view/homeproxy/node.js:572 +#: htdocs/luci-static/resources/view/homeproxy/node.js:580 msgid "ShadowTLS version" msgstr "ShadowTLS 版本" #: htdocs/luci-static/resources/view/homeproxy/node.js:400 -#: htdocs/luci-static/resources/view/homeproxy/server.js:110 +#: htdocs/luci-static/resources/view/homeproxy/server.js:151 msgid "Shadowsocks" msgstr "Shadowsocks" -#: htdocs/luci-static/resources/view/homeproxy/client.js:472 -#: htdocs/luci-static/resources/view/homeproxy/client.js:812 +#: htdocs/luci-static/resources/view/homeproxy/client.js:481 +#: htdocs/luci-static/resources/view/homeproxy/client.js:821 msgid "" "Sniffed protocol, see Sniff for details." @@ -1868,47 +1885,47 @@ msgstr "" "configuration/route/sniff/\">Sniff。" #: htdocs/luci-static/resources/view/homeproxy/node.js:402 -#: htdocs/luci-static/resources/view/homeproxy/server.js:111 +#: htdocs/luci-static/resources/view/homeproxy/server.js:152 msgid "Socks" msgstr "Socks" -#: htdocs/luci-static/resources/view/homeproxy/node.js:582 +#: htdocs/luci-static/resources/view/homeproxy/node.js:590 msgid "Socks version" msgstr "Socks 版本" -#: htdocs/luci-static/resources/view/homeproxy/node.js:583 +#: htdocs/luci-static/resources/view/homeproxy/node.js:591 msgid "Socks4" msgstr "Socks4" -#: htdocs/luci-static/resources/view/homeproxy/node.js:584 +#: htdocs/luci-static/resources/view/homeproxy/node.js:592 msgid "Socks4A" msgstr "Socks4A" -#: htdocs/luci-static/resources/view/homeproxy/node.js:585 +#: htdocs/luci-static/resources/view/homeproxy/node.js:593 msgid "Socks5" msgstr "Socks5" -#: htdocs/luci-static/resources/view/homeproxy/client.js:500 -#: htdocs/luci-static/resources/view/homeproxy/client.js:846 +#: htdocs/luci-static/resources/view/homeproxy/client.js:509 +#: htdocs/luci-static/resources/view/homeproxy/client.js:855 msgid "Source IP CIDR" msgstr "源 IP CIDR" -#: htdocs/luci-static/resources/view/homeproxy/client.js:999 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1008 msgid "Source file" msgstr "源文件" -#: htdocs/luci-static/resources/view/homeproxy/client.js:522 -#: htdocs/luci-static/resources/view/homeproxy/client.js:866 +#: htdocs/luci-static/resources/view/homeproxy/client.js:531 +#: htdocs/luci-static/resources/view/homeproxy/client.js:875 msgid "Source port" msgstr "源端口" -#: htdocs/luci-static/resources/view/homeproxy/client.js:527 -#: htdocs/luci-static/resources/view/homeproxy/client.js:871 +#: htdocs/luci-static/resources/view/homeproxy/client.js:536 +#: htdocs/luci-static/resources/view/homeproxy/client.js:880 msgid "Source port range" msgstr "源端口范围" -#: htdocs/luci-static/resources/view/homeproxy/node.js:726 -#: htdocs/luci-static/resources/view/homeproxy/node.js:779 +#: htdocs/luci-static/resources/view/homeproxy/node.js:734 +#: htdocs/luci-static/resources/view/homeproxy/node.js:787 msgid "" "Specifies the period of time (in seconds) after which a health check will be " "performed using a ping frame if no frames have been received on the " @@ -1920,8 +1937,8 @@ msgstr "" "查。
需要注意的是,PING 响应被视为已接收的帧,因此如果连接上没有其他流" "量,则健康检查将在每个间隔执行一次。" -#: htdocs/luci-static/resources/view/homeproxy/server.js:340 -#: htdocs/luci-static/resources/view/homeproxy/server.js:375 +#: htdocs/luci-static/resources/view/homeproxy/server.js:403 +#: htdocs/luci-static/resources/view/homeproxy/server.js:438 msgid "" "Specifies the time (in seconds) until idle clients should be closed with a " "GOAWAY frame. PING frames are not considered as activity." @@ -1929,8 +1946,8 @@ msgstr "" "指定闲置客户端应在多长时间(单位:秒)内使用 GOAWAY 帧关闭。PING 帧不被视为活" "动。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:730 -#: htdocs/luci-static/resources/view/homeproxy/node.js:787 +#: htdocs/luci-static/resources/view/homeproxy/node.js:738 +#: htdocs/luci-static/resources/view/homeproxy/node.js:795 msgid "" "Specifies the timeout duration (in seconds) after sending a PING frame, " "within which a response must be received.
If a response to the PING " @@ -1946,11 +1963,11 @@ msgid "" "commas." msgstr "指定需要被代理的目标端口。多个端口必须用逗号隔开。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:646 +#: htdocs/luci-static/resources/view/homeproxy/client.js:655 msgid "Store RDRC" msgstr "存储 RDRC" -#: htdocs/luci-static/resources/view/homeproxy/client.js:647 +#: htdocs/luci-static/resources/view/homeproxy/client.js:656 msgid "" "Store rejected DNS response cache.
The check results of Address " "filter DNS rule items will be cached until expiration." @@ -1958,24 +1975,24 @@ msgstr "" "存储被拒绝的 DNS 响应缓存。
地址过滤 DNS 规则 的检查结果将被" "缓存直到过期。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:486 -#: htdocs/luci-static/resources/view/homeproxy/server.js:196 +#: htdocs/luci-static/resources/view/homeproxy/node.js:494 +#: htdocs/luci-static/resources/view/homeproxy/server.js:248 msgid "String" msgstr "字符串" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1258 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1266 msgid "Sub (%s)" msgstr "订阅(%s)" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1287 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1295 msgid "Subscription URL-s" msgstr "订阅地址" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1269 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1277 msgid "Subscriptions" msgstr "订阅" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1205 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1213 msgid "Successfully imported %s nodes of total %s." msgstr "成功导入 %s 个节点,共 %s 个。" @@ -1983,8 +2000,8 @@ msgstr "成功导入 %s 个节点,共 %s 个。" msgid "Successfully updated." msgstr "更新成功。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1165 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1288 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1173 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1296 msgid "" "Support Hysteria, Shadowsocks, Trojan, v2rayN (VMess), and XTLS (VLESS) " "online configuration delivery standard." @@ -1996,20 +2013,20 @@ msgstr "" msgid "System" msgstr "系统" -#: htdocs/luci-static/resources/view/homeproxy/client.js:617 -#: htdocs/luci-static/resources/view/homeproxy/client.js:694 -#: htdocs/luci-static/resources/view/homeproxy/client.js:939 +#: htdocs/luci-static/resources/view/homeproxy/client.js:626 +#: htdocs/luci-static/resources/view/homeproxy/client.js:703 +#: htdocs/luci-static/resources/view/homeproxy/client.js:948 msgid "System DNS" msgstr "系统 DNS" -#: htdocs/luci-static/resources/view/homeproxy/client.js:479 -#: htdocs/luci-static/resources/view/homeproxy/client.js:807 -#: htdocs/luci-static/resources/view/homeproxy/server.js:730 +#: htdocs/luci-static/resources/view/homeproxy/client.js:488 +#: htdocs/luci-static/resources/view/homeproxy/client.js:816 +#: htdocs/luci-static/resources/view/homeproxy/server.js:800 msgid "TCP" msgstr "TCP" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1102 -#: htdocs/luci-static/resources/view/homeproxy/server.js:702 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1110 +#: htdocs/luci-static/resources/view/homeproxy/server.js:765 msgid "TCP fast open" msgstr "TCP 快速打开" @@ -2021,29 +2038,29 @@ msgstr "TCP/IP 协议栈" msgid "TCP/IP stack." msgstr "TCP/IP 协议栈。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:474 -#: htdocs/luci-static/resources/view/homeproxy/client.js:814 -#: htdocs/luci-static/resources/view/homeproxy/node.js:937 -#: htdocs/luci-static/resources/view/homeproxy/server.js:453 +#: htdocs/luci-static/resources/view/homeproxy/client.js:483 +#: htdocs/luci-static/resources/view/homeproxy/client.js:823 +#: htdocs/luci-static/resources/view/homeproxy/node.js:945 +#: htdocs/luci-static/resources/view/homeproxy/server.js:516 msgid "TLS" msgstr "TLS" -#: htdocs/luci-static/resources/view/homeproxy/node.js:969 -#: htdocs/luci-static/resources/view/homeproxy/server.js:485 +#: htdocs/luci-static/resources/view/homeproxy/node.js:977 +#: htdocs/luci-static/resources/view/homeproxy/server.js:548 msgid "TLS ALPN" msgstr "TLS ALPN" -#: htdocs/luci-static/resources/view/homeproxy/node.js:964 -#: htdocs/luci-static/resources/view/homeproxy/server.js:480 +#: htdocs/luci-static/resources/view/homeproxy/node.js:972 +#: htdocs/luci-static/resources/view/homeproxy/server.js:543 msgid "TLS SNI" msgstr "TLS SNI" -#: htdocs/luci-static/resources/view/homeproxy/node.js:717 -#: htdocs/luci-static/resources/view/homeproxy/server.js:331 +#: htdocs/luci-static/resources/view/homeproxy/node.js:725 +#: htdocs/luci-static/resources/view/homeproxy/server.js:394 msgid "TLS is not enforced. If TLS is not configured, plain HTTP 1.1 is used." msgstr "不强制执行 TLS。如未配置 TLS,将使用纯 HTTP 1.1。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:687 +#: htdocs/luci-static/resources/view/homeproxy/client.js:696 msgid "" "Tag of a another server to resolve the domain name in the address. Required " "if address contains domain." @@ -2051,23 +2068,23 @@ msgstr "" "用于解析本 DNS 服务器的域名的另一个 DNS 服务器的标签。如果服务器地址包括域名" "则必须。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:730 +#: htdocs/luci-static/resources/view/homeproxy/client.js:739 msgid "Tag of an outbound for connecting to the dns server." msgstr "用于连接到 DNS 服务器的出站标签。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1034 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1043 msgid "Tag of the outbound to download rule set." msgstr "用于下载规则集的出站标签。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:933 +#: htdocs/luci-static/resources/view/homeproxy/client.js:942 msgid "Tag of the target dns server." msgstr "目标 DNS 服务器标签。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:582 +#: htdocs/luci-static/resources/view/homeproxy/client.js:591 msgid "Tag of the target outbound." msgstr "目标出站标签。" -#: htdocs/luci-static/resources/view/homeproxy/server.js:244 +#: htdocs/luci-static/resources/view/homeproxy/server.js:296 msgid "" "Tell the client to use the BBR flow control algorithm instead of Hysteria CC." msgstr "让客户端使用 BBR 流控算法。" @@ -2077,29 +2094,29 @@ msgstr "让客户端使用 BBR 流控算法。" msgid "Tencent Public DNS (119.29.29.29)" msgstr "腾讯公共 DNS(119.29.29.29)" -#: htdocs/luci-static/resources/view/homeproxy/server.js:549 +#: htdocs/luci-static/resources/view/homeproxy/server.js:612 msgid "The ACME CA provider to use." msgstr "使用的 ACME CA 颁发机构。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:607 +#: htdocs/luci-static/resources/view/homeproxy/client.js:616 msgid "The DNS strategy for resolving the domain name in the address." msgstr "解析域名的默认策略。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:527 -#: htdocs/luci-static/resources/view/homeproxy/server.js:224 +#: htdocs/luci-static/resources/view/homeproxy/node.js:535 +#: htdocs/luci-static/resources/view/homeproxy/server.js:276 msgid "The QUIC connection-level flow control window for receiving data." msgstr "用于接收数据的 QUIC 连接级流控制窗口。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:521 -#: htdocs/luci-static/resources/view/homeproxy/server.js:217 +#: htdocs/luci-static/resources/view/homeproxy/node.js:529 +#: htdocs/luci-static/resources/view/homeproxy/server.js:269 msgid "The QUIC stream-level flow control window for receiving data." msgstr "用于接收数据的 QUIC 流级流控制窗口。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:683 +#: htdocs/luci-static/resources/view/homeproxy/client.js:692 msgid "The address of the dns server. Support UDP, TCP, DoT, DoH and RCode." msgstr "DNS 服务器的地址。支持 UDP、TCP、DoT、DoH 和 RCode。" -#: htdocs/luci-static/resources/view/homeproxy/server.js:600 +#: htdocs/luci-static/resources/view/homeproxy/server.js:663 msgid "" "The alternate port to use for the ACME HTTP challenge; if non-empty, this " "port will be used instead of 80 to spin up a listener for the HTTP challenge." @@ -2107,14 +2124,14 @@ msgstr "" "用于 ACME HTTP 质询的备用端口;如果非空,将使用此端口而不是 80 来启动 HTTP 质" "询的侦听器。" -#: htdocs/luci-static/resources/view/homeproxy/server.js:606 +#: htdocs/luci-static/resources/view/homeproxy/server.js:669 msgid "" "The alternate port to use for the ACME TLS-ALPN challenge; the system must " "forward 443 to this port for challenge to succeed." msgstr "" "用于 ACME TLS-ALPN 质询的备用端口; 系统必须将 443 转发到此端口以使质询成功。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:452 +#: htdocs/luci-static/resources/view/homeproxy/client.js:461 msgid "" "The default rule uses the following matching logic:
(domain || " "domain_suffix || domain_keyword || domain_regex || ip_cidr || " @@ -2131,7 +2148,7 @@ msgstr "" "source_port_range) &&
其他字段。此外,包含的所有规则" "集会被合并而不是独立生效。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:784 +#: htdocs/luci-static/resources/view/homeproxy/client.js:793 msgid "" "The default rule uses the following matching logic:
(domain || " "domain_suffix || domain_keyword || domain_regex) &&
(port " @@ -2146,78 +2163,78 @@ msgstr "" ">(source_port || source_port_range) &&
其他字段。此外,包含的所有规则集会被合并而不是独立生效。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:719 +#: htdocs/luci-static/resources/view/homeproxy/client.js:728 msgid "" "The domain strategy for resolving the domain name in the address. dns." "strategy will be used if empty." msgstr "用于解析本 DNS 服务器的域名的策略。默认使用 dns.strategy。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1000 -#: htdocs/luci-static/resources/view/homeproxy/server.js:507 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1008 +#: htdocs/luci-static/resources/view/homeproxy/server.js:570 msgid "" "The elliptic curves that will be used in an ECDHE handshake, in preference " "order. If empty, the default will be used." msgstr "将在 ECDHE 握手中使用的椭圆曲线,按优先顺序排列。留空使用默认值。" -#: htdocs/luci-static/resources/view/homeproxy/server.js:534 +#: htdocs/luci-static/resources/view/homeproxy/server.js:597 msgid "" "The email address to use when creating or selecting an existing ACME server " "account." msgstr "创建或选择现有 ACME 服务器帐户时使用的电子邮件地址。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:992 -#: htdocs/luci-static/resources/view/homeproxy/server.js:499 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1000 +#: htdocs/luci-static/resources/view/homeproxy/server.js:562 msgid "The maximum TLS version that is acceptable." msgstr "可接受的最高 TLS 版本。" -#: htdocs/luci-static/resources/view/homeproxy/server.js:231 +#: htdocs/luci-static/resources/view/homeproxy/server.js:283 msgid "" "The maximum number of QUIC concurrent bidirectional streams that a peer is " "allowed to open." msgstr "允许对等点打开的 QUIC 并发双向流的最大数量。" -#: htdocs/luci-static/resources/view/homeproxy/server.js:647 +#: htdocs/luci-static/resources/view/homeproxy/server.js:710 msgid "The maximum time difference between the server and the client." msgstr "服务器和客户端之间的最大时间差。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:984 -#: htdocs/luci-static/resources/view/homeproxy/server.js:491 +#: htdocs/luci-static/resources/view/homeproxy/node.js:992 +#: htdocs/luci-static/resources/view/homeproxy/server.js:554 msgid "The minimum TLS version that is acceptable." msgstr "可接受的最低 TLS 版本。" #: htdocs/luci-static/resources/view/homeproxy/client.js:110 -#: htdocs/luci-static/resources/view/homeproxy/server.js:57 +#: htdocs/luci-static/resources/view/homeproxy/server.js:98 msgid "The modern ImmortalWrt proxy platform for ARM64/AMD64." msgstr "为 ARM64/AMD64 设计的现代 ImmortalWrt 代理平台。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:383 +#: htdocs/luci-static/resources/view/homeproxy/client.js:392 msgid "The network interface to bind to." msgstr "绑定到的网络接口。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1014 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1022 msgid "The path to the server certificate, in PEM format." msgstr "服务端证书路径,需要 PEM 格式。" -#: htdocs/luci-static/resources/view/homeproxy/server.js:125 +#: htdocs/luci-static/resources/view/homeproxy/server.js:166 msgid "The port must be unique." msgstr "必须是唯一端口。" -#: htdocs/luci-static/resources/view/homeproxy/server.js:683 +#: htdocs/luci-static/resources/view/homeproxy/server.js:746 msgid "The server private key, in PEM format." msgstr "服务端私钥,需要 PEM 格式。" -#: htdocs/luci-static/resources/view/homeproxy/server.js:665 +#: htdocs/luci-static/resources/view/homeproxy/server.js:728 msgid "The server public key, in PEM format." msgstr "服务端公钥,需要 PEM 格式。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:390 +#: htdocs/luci-static/resources/view/homeproxy/client.js:399 msgid "" "The tag of the upstream outbound.
Other dial fields will be ignored when " "enabled." msgstr "上游出站的标签。
启用时,其他拨号字段将被忽略。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:737 -#: htdocs/luci-static/resources/view/homeproxy/server.js:383 +#: htdocs/luci-static/resources/view/homeproxy/node.js:745 +#: htdocs/luci-static/resources/view/homeproxy/server.js:446 msgid "" "The timeout (in seconds) that after performing a keepalive check, the client " "will wait for activity. If no activity is detected, the connection will be " @@ -2226,15 +2243,15 @@ msgstr "" "经过一段时间(单位:秒)之后,客户端将执行 keepalive 检查并等待活动。如果没有" "检测到任何活动,则会关闭连接。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:977 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1320 +#: htdocs/luci-static/resources/view/homeproxy/node.js:985 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1328 msgid "" "This is DANGEROUS, your traffic is almost like " "PLAIN TEXT! Use at your own risk!" msgstr "" "这是危险行为,您的流量将几乎等同于明文!使用风险自负!" -#: htdocs/luci-static/resources/view/homeproxy/node.js:644 +#: htdocs/luci-static/resources/view/homeproxy/node.js:652 msgid "" "This is the TUIC port of the UDP over TCP protocol, designed to provide a " "QUIC stream based UDP relay mode that TUIC does not provide." @@ -2242,12 +2259,12 @@ msgstr "" "这是 TUIC 的 UDP over TCP 协议移植, 旨在提供 TUIC 不提供的基于 QUIC 流的 " "UDP 中继模式。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:653 +#: htdocs/luci-static/resources/view/homeproxy/client.js:662 msgid "" "Timeout of rejected DNS response cache. 7d is used by default." msgstr "被拒绝的 DNS 响应缓存超时。默认时长 7d。" -#: htdocs/luci-static/resources/view/homeproxy/server.js:409 +#: htdocs/luci-static/resources/view/homeproxy/server.js:472 msgid "" "To be compatible with Xray-core, set this to Sec-WebSocket-Protocol." @@ -2261,18 +2278,18 @@ msgid "" msgstr "" "要启用 Tun 支持,您需要安装 ip-fullkmod-tun。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:703 -#: htdocs/luci-static/resources/view/homeproxy/server.js:317 +#: htdocs/luci-static/resources/view/homeproxy/node.js:711 +#: htdocs/luci-static/resources/view/homeproxy/server.js:380 msgid "Transport" msgstr "传输层" #: htdocs/luci-static/resources/view/homeproxy/node.js:404 -#: htdocs/luci-static/resources/view/homeproxy/server.js:112 +#: htdocs/luci-static/resources/view/homeproxy/server.js:153 msgid "Trojan" msgstr "Trojan" #: htdocs/luci-static/resources/view/homeproxy/node.js:406 -#: htdocs/luci-static/resources/view/homeproxy/server.js:114 +#: htdocs/luci-static/resources/view/homeproxy/server.js:155 msgid "Tuic" msgstr "Tuic" @@ -2280,41 +2297,46 @@ msgstr "Tuic" msgid "Tun TCP/UDP" msgstr "Tun TCP/UDP" -#: htdocs/luci-static/resources/view/homeproxy/client.js:992 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1001 #: htdocs/luci-static/resources/view/homeproxy/node.js:393 -#: htdocs/luci-static/resources/view/homeproxy/server.js:103 +#: htdocs/luci-static/resources/view/homeproxy/server.js:144 msgid "Type" msgstr "类型" -#: htdocs/luci-static/resources/view/homeproxy/client.js:480 -#: htdocs/luci-static/resources/view/homeproxy/client.js:808 -#: htdocs/luci-static/resources/view/homeproxy/server.js:731 +#: htdocs/luci-static/resources/view/homeproxy/client.js:489 +#: htdocs/luci-static/resources/view/homeproxy/client.js:817 +#: htdocs/luci-static/resources/view/homeproxy/server.js:801 msgid "UDP" msgstr "UDP" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1110 -#: htdocs/luci-static/resources/view/homeproxy/server.js:713 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1118 +#: htdocs/luci-static/resources/view/homeproxy/server.js:776 msgid "UDP Fragment" msgstr "UDP 分片" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1115 +#: htdocs/luci-static/resources/view/homeproxy/client.js:316 +#: htdocs/luci-static/resources/view/homeproxy/server.js:782 +msgid "UDP NAT expiration time" +msgstr "UDP NAT 过期时间" + +#: htdocs/luci-static/resources/view/homeproxy/node.js:1123 msgid "UDP over TCP" msgstr "UDP over TCP" -#: htdocs/luci-static/resources/view/homeproxy/node.js:643 +#: htdocs/luci-static/resources/view/homeproxy/node.js:651 msgid "UDP over stream" msgstr "UDP over stream" -#: htdocs/luci-static/resources/view/homeproxy/node.js:636 +#: htdocs/luci-static/resources/view/homeproxy/node.js:644 msgid "UDP packet relay mode." msgstr "UDP 包中继模式。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:635 +#: htdocs/luci-static/resources/view/homeproxy/node.js:643 msgid "UDP relay mode" msgstr "UDP 中继模式" -#: htdocs/luci-static/resources/view/homeproxy/node.js:618 -#: htdocs/luci-static/resources/view/homeproxy/server.js:264 +#: htdocs/luci-static/resources/view/homeproxy/node.js:626 +#: htdocs/luci-static/resources/view/homeproxy/server.js:316 msgid "UUID" msgstr "UUID" @@ -2326,11 +2348,11 @@ msgstr "未知错误。" msgid "Unknown error: %s" msgstr "未知错误:%s" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1078 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1086 msgid "Unsupported fingerprint!" msgstr "不支持的指纹!" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1344 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1352 msgid "Update %s subscriptions" msgstr "更新 %s 个订阅" @@ -2338,83 +2360,83 @@ msgstr "更新 %s 个订阅" msgid "Update failed." msgstr "更新失败。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1051 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1060 msgid "Update interval" msgstr "更新间隔" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1052 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1061 msgid "Update interval of rule set.
1d will be used if empty." msgstr "规则集更新间隔。
留空使用 1d。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1339 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1347 msgid "Update nodes from subscriptions" msgstr "从订阅更新节点" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1283 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1291 msgid "Update subscriptions via proxy." msgstr "使用代理更新订阅。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1276 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1284 msgid "Update time" msgstr "更新时间" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1282 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1290 msgid "Update via proxy" msgstr "使用代理更新" -#: htdocs/luci-static/resources/view/homeproxy/node.js:929 -#: htdocs/luci-static/resources/view/homeproxy/server.js:444 +#: htdocs/luci-static/resources/view/homeproxy/node.js:937 +#: htdocs/luci-static/resources/view/homeproxy/server.js:507 msgid "Upload bandwidth" msgstr "上传带宽" -#: htdocs/luci-static/resources/view/homeproxy/node.js:930 -#: htdocs/luci-static/resources/view/homeproxy/server.js:445 +#: htdocs/luci-static/resources/view/homeproxy/node.js:938 +#: htdocs/luci-static/resources/view/homeproxy/server.js:508 msgid "Upload bandwidth in Mbps." msgstr "上传带宽(单位:Mbps)。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1020 -#: htdocs/luci-static/resources/view/homeproxy/server.js:674 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1028 +#: htdocs/luci-static/resources/view/homeproxy/server.js:737 msgid "Upload certificate" msgstr "上传证书" -#: htdocs/luci-static/resources/view/homeproxy/server.js:692 +#: htdocs/luci-static/resources/view/homeproxy/server.js:755 msgid "Upload key" msgstr "上传密钥" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1023 -#: htdocs/luci-static/resources/view/homeproxy/server.js:677 -#: htdocs/luci-static/resources/view/homeproxy/server.js:695 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1031 +#: htdocs/luci-static/resources/view/homeproxy/server.js:740 +#: htdocs/luci-static/resources/view/homeproxy/server.js:758 msgid "Upload..." msgstr "上传..." -#: htdocs/luci-static/resources/view/homeproxy/server.js:516 +#: htdocs/luci-static/resources/view/homeproxy/server.js:579 msgid "Use ACME TLS certificate issuer." msgstr "使用 ACME TLS 证书颁发机构。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:965 -#: htdocs/luci-static/resources/view/homeproxy/server.js:481 +#: htdocs/luci-static/resources/view/homeproxy/node.js:973 +#: htdocs/luci-static/resources/view/homeproxy/server.js:544 msgid "" "Used to verify the hostname on the returned certificates unless insecure is " "given." msgstr "用于验证返回证书上的主机名。如允许不安全连接,此配置无效。" -#: htdocs/luci-static/resources/view/homeproxy/client.js:550 -#: htdocs/luci-static/resources/view/homeproxy/client.js:884 +#: htdocs/luci-static/resources/view/homeproxy/client.js:559 +#: htdocs/luci-static/resources/view/homeproxy/client.js:893 msgid "User" msgstr "用户" #: htdocs/luci-static/resources/view/homeproxy/node.js:423 -#: htdocs/luci-static/resources/view/homeproxy/server.js:129 +#: htdocs/luci-static/resources/view/homeproxy/server.js:170 msgid "Username" msgstr "用户名" #: htdocs/luci-static/resources/view/homeproxy/node.js:409 -#: htdocs/luci-static/resources/view/homeproxy/server.js:115 +#: htdocs/luci-static/resources/view/homeproxy/server.js:156 msgid "VLESS" msgstr "VLESS" #: htdocs/luci-static/resources/view/homeproxy/node.js:410 -#: htdocs/luci-static/resources/view/homeproxy/server.js:116 +#: htdocs/luci-static/resources/view/homeproxy/server.js:157 msgid "VMess" msgstr "VMess" @@ -2423,16 +2445,16 @@ msgstr "VMess" msgid "WAN DNS (read from interface)" msgstr "WAN DNS(从接口获取)" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1122 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1131 msgid "WAN IP Policy" msgstr "WAN IP 策略" -#: htdocs/luci-static/resources/view/homeproxy/node.js:710 -#: htdocs/luci-static/resources/view/homeproxy/server.js:324 +#: htdocs/luci-static/resources/view/homeproxy/node.js:718 +#: htdocs/luci-static/resources/view/homeproxy/server.js:387 msgid "WebSocket" msgstr "WebSocket" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1308 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1316 msgid "Whitelist mode" msgstr "白名单模式" @@ -2440,25 +2462,29 @@ msgstr "白名单模式" msgid "WireGuard" msgstr "WireGuard" -#: htdocs/luci-static/resources/view/homeproxy/node.js:849 +#: htdocs/luci-static/resources/view/homeproxy/node.js:857 msgid "WireGuard peer public key." msgstr "WireGuard 对端公钥。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:856 +#: htdocs/luci-static/resources/view/homeproxy/node.js:864 msgid "WireGuard pre-shared key." msgstr "WireGuard 预共享密钥。" -#: htdocs/luci-static/resources/view/homeproxy/node.js:841 +#: htdocs/luci-static/resources/view/homeproxy/node.js:849 msgid "WireGuard requires base64-encoded private keys." msgstr "WireGuard 要求 base64 编码的私钥。" +#: htdocs/luci-static/resources/view/homeproxy/node.js:472 +msgid "Write proxy protocol in the connection header." +msgstr "在连接头中写入代理协议。" + #: htdocs/luci-static/resources/view/homeproxy/client.js:167 #: htdocs/luci-static/resources/view/homeproxy/client.js:190 msgid "Xinfeng Public DNS (114.114.114.114)" msgstr "信风公共 DNS(114.114.114.114)" -#: htdocs/luci-static/resources/view/homeproxy/node.js:820 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1328 +#: htdocs/luci-static/resources/view/homeproxy/node.js:828 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1336 msgid "Xudp (Xray-core)" msgstr "Xudp (Xray-core)" @@ -2466,23 +2492,23 @@ msgstr "Xudp (Xray-core)" msgid "You can only have two servers set at maximum." msgstr "您最多只能设置两个服务器。" -#: htdocs/luci-static/resources/homeproxy.js:228 +#: htdocs/luci-static/resources/homeproxy.js:243 msgid "Your %s was successfully uploaded. Size: %sB." msgstr "您的 %s 已成功上传。大小:%sB。" -#: htdocs/luci-static/resources/view/homeproxy/server.js:551 +#: htdocs/luci-static/resources/view/homeproxy/server.js:614 msgid "ZeroSSL" msgstr "ZeroSSL" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1025 -#: htdocs/luci-static/resources/view/homeproxy/server.js:679 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1033 +#: htdocs/luci-static/resources/view/homeproxy/server.js:742 msgid "certificate" msgstr "证书" -#: htdocs/luci-static/resources/view/homeproxy/node.js:985 #: htdocs/luci-static/resources/view/homeproxy/node.js:993 -#: htdocs/luci-static/resources/view/homeproxy/server.js:492 -#: htdocs/luci-static/resources/view/homeproxy/server.js:500 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1001 +#: htdocs/luci-static/resources/view/homeproxy/server.js:555 +#: htdocs/luci-static/resources/view/homeproxy/server.js:563 msgid "default" msgstr "默认" @@ -2490,17 +2516,17 @@ msgstr "默认" msgid "failed" msgstr "失败" -#: htdocs/luci-static/resources/view/homeproxy/node.js:706 -#: htdocs/luci-static/resources/view/homeproxy/server.js:320 +#: htdocs/luci-static/resources/view/homeproxy/node.js:714 +#: htdocs/luci-static/resources/view/homeproxy/server.js:383 msgid "gRPC" msgstr "gRPC" -#: htdocs/luci-static/resources/view/homeproxy/node.js:748 +#: htdocs/luci-static/resources/view/homeproxy/node.js:756 msgid "gRPC permit without stream" msgstr "gRPC 允许无活动连接" -#: htdocs/luci-static/resources/view/homeproxy/node.js:743 -#: htdocs/luci-static/resources/view/homeproxy/server.js:348 +#: htdocs/luci-static/resources/view/homeproxy/node.js:751 +#: htdocs/luci-static/resources/view/homeproxy/server.js:411 msgid "gRPC service name" msgstr "gRPC 服务名称" @@ -2508,24 +2534,24 @@ msgstr "gRPC 服务名称" msgid "gVisor" msgstr "gVisor" -#: htdocs/luci-static/resources/homeproxy.js:248 -#: htdocs/luci-static/resources/homeproxy.js:266 +#: htdocs/luci-static/resources/homeproxy.js:263 +#: htdocs/luci-static/resources/homeproxy.js:281 #: htdocs/luci-static/resources/view/homeproxy/client.js:176 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1015 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1024 #: htdocs/luci-static/resources/view/homeproxy/node.js:452 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1074 -#: htdocs/luci-static/resources/view/homeproxy/server.js:159 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1082 +#: htdocs/luci-static/resources/view/homeproxy/server.js:211 msgid "non-empty value" msgstr "非空值" -#: htdocs/luci-static/resources/view/homeproxy/node.js:559 -#: htdocs/luci-static/resources/view/homeproxy/node.js:818 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1326 +#: htdocs/luci-static/resources/view/homeproxy/node.js:567 +#: htdocs/luci-static/resources/view/homeproxy/node.js:826 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1334 msgid "none" msgstr "无" -#: htdocs/luci-static/resources/view/homeproxy/node.js:819 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1327 +#: htdocs/luci-static/resources/view/homeproxy/node.js:827 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1335 msgid "packet addr (v2ray-core v5+)" msgstr "packet addr (v2ray-core v5+)" @@ -2533,7 +2559,7 @@ msgstr "packet addr (v2ray-core v5+)" msgid "passed" msgstr "通过" -#: htdocs/luci-static/resources/view/homeproxy/server.js:697 +#: htdocs/luci-static/resources/view/homeproxy/server.js:760 msgid "private key" msgstr "私钥" @@ -2545,11 +2571,11 @@ msgstr "sing-box 客户端" msgid "sing-box server" msgstr "sing-box 服务端" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1051 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1059 msgid "uTLS fingerprint" msgstr "uTLS 指纹" -#: htdocs/luci-static/resources/view/homeproxy/node.js:1052 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1060 msgid "" "uTLS is a fork of \"crypto/tls\", which provides ClientHello fingerprinting " "resistance." @@ -2560,26 +2586,28 @@ msgstr "" msgid "unchecked" msgstr "未检查" -#: htdocs/luci-static/resources/homeproxy.js:206 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1234 +#: htdocs/luci-static/resources/homeproxy.js:221 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1242 msgid "unique UCI identifier" msgstr "独立 UCI 标识" -#: htdocs/luci-static/resources/homeproxy.js:257 +#: htdocs/luci-static/resources/homeproxy.js:272 msgid "unique value" msgstr "独立值" -#: htdocs/luci-static/resources/view/homeproxy/node.js:573 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1123 +#: htdocs/luci-static/resources/view/homeproxy/node.js:474 +#: htdocs/luci-static/resources/view/homeproxy/node.js:581 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1131 msgid "v1" msgstr "v1" -#: htdocs/luci-static/resources/view/homeproxy/node.js:574 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1124 +#: htdocs/luci-static/resources/view/homeproxy/node.js:475 +#: htdocs/luci-static/resources/view/homeproxy/node.js:582 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1132 msgid "v2" msgstr "v2" -#: htdocs/luci-static/resources/view/homeproxy/node.js:575 +#: htdocs/luci-static/resources/view/homeproxy/node.js:583 msgid "v3" msgstr "v3" @@ -2587,10 +2615,10 @@ msgstr "v3" msgid "valid IP address" msgstr "有效 IP 地址" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1020 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1023 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1294 -#: htdocs/luci-static/resources/view/homeproxy/node.js:1297 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1029 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1032 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1302 +#: htdocs/luci-static/resources/view/homeproxy/node.js:1305 msgid "valid URL" msgstr "有效网址" @@ -2598,12 +2626,12 @@ msgstr "有效网址" msgid "valid address#port" msgstr "有效 地址#端口" -#: htdocs/luci-static/resources/homeproxy.js:240 +#: htdocs/luci-static/resources/homeproxy.js:255 msgid "valid base64 key with %d characters" msgstr "包含 %d 个字符的有效 base64 密钥" -#: htdocs/luci-static/resources/view/homeproxy/client.js:1162 -#: htdocs/luci-static/resources/view/homeproxy/client.js:1191 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1171 +#: htdocs/luci-static/resources/view/homeproxy/client.js:1200 msgid "valid hostname" msgstr "有效主机名" @@ -2616,9 +2644,6 @@ msgstr "有效端口范围(port1:port2)" msgid "valid port value" msgstr "有效端口值" -#: htdocs/luci-static/resources/homeproxy.js:268 +#: htdocs/luci-static/resources/homeproxy.js:283 msgid "valid uuid" msgstr "有效 uuid" - -#~ msgid "Match outbound." -#~ msgstr "匹配出站。" diff --git a/small/luci-app-homeproxy/root/etc/config/homeproxy b/small/luci-app-homeproxy/root/etc/config/homeproxy index d8438f0aee..cc6a0ead86 100644 --- a/small/luci-app-homeproxy/root/etc/config/homeproxy +++ b/small/luci-app-homeproxy/root/etc/config/homeproxy @@ -7,6 +7,7 @@ config homeproxy 'infra' option tproxy_port '5332' option dns_port '5333' option china_dns_port '5334' + option udp_timeout '' option tun_name 'singtun0' option tun_addr4 '172.19.0.1/30' option tun_addr6 'fdfe:dcba:9876::1/126' diff --git a/small/luci-app-homeproxy/root/etc/homeproxy/scripts/generate_client.uc b/small/luci-app-homeproxy/root/etc/homeproxy/scripts/generate_client.uc index f51fff61fa..66da664f35 100755 --- a/small/luci-app-homeproxy/root/etc/homeproxy/scripts/generate_client.uc +++ b/small/luci-app-homeproxy/root/etc/homeproxy/scripts/generate_client.uc @@ -93,7 +93,10 @@ const cache_file_store_rdrc = uci.get(uciconfig, uciexp, 'cache_file_store_rdrc' const mixed_port = uci.get(uciconfig, uciinfra, 'mixed_port') || '5330'; let self_mark, redirect_port, tproxy_port, tun_name, tun_addr4, tun_addr6, tun_mtu, tun_gso, - tcpip_stack, endpoint_independent_nat; + tcpip_stack, endpoint_independent_nat, udp_timeout; +udp_timeout = uci.get(uciconfig, 'infra', 'udp_timeout'); +if (routing_mode === 'custom') + udp_timeout = uci.get(uciconfig, uciroutingsetting, 'udp_timeout'); if (match(proxy_mode, /redirect/)) { self_mark = uci.get(uciconfig, 'infra', 'self_mark') || '100'; redirect_port = uci.get(uciconfig, 'infra', 'redirect_port') || '5331'; @@ -160,6 +163,7 @@ function generate_outbound(node) { /* Direct */ override_address: node.override_address, override_port: strToInt(node.override_port), + proxy_protocol: strToInt(node.proxy_protocol), /* Hysteria (2) */ up_mbps: strToInt(node.hysteria_up_mbps), down_mbps: strToInt(node.hysteria_down_mbps), @@ -482,6 +486,7 @@ push(config.inbounds, { tag: 'mixed-in', listen: '::', listen_port: int(mixed_port), + udp_timeout: udp_timeout ? (udp_timeout + 's') : null, sniff: true, sniff_override_destination: (sniff_override === '1'), set_system_proxy: false @@ -505,6 +510,7 @@ if (match(proxy_mode, /tproxy/)) listen: '::', listen_port: int(tproxy_port), network: 'udp', + udp_timeout: udp_timeout ? (udp_timeout + 's') : null, sniff: true, sniff_override_destination: (sniff_override === '1') }); @@ -520,6 +526,7 @@ if (match(proxy_mode, /tun/)) gso: (tun_gso === '1'), auto_route: false, endpoint_independent_nat: strToBool(endpoint_independent_nat), + udp_timeout: udp_timeout ? (udp_timeout + 's') : null, stack: tcpip_stack, sniff: true, sniff_override_destination: (sniff_override === '1'), diff --git a/small/luci-app-homeproxy/root/etc/homeproxy/scripts/generate_server.uc b/small/luci-app-homeproxy/root/etc/homeproxy/scripts/generate_server.uc index 077f68983a..7e9b735b38 100755 --- a/small/luci-app-homeproxy/root/etc/homeproxy/scripts/generate_server.uc +++ b/small/luci-app-homeproxy/root/etc/homeproxy/scripts/generate_server.uc @@ -49,6 +49,7 @@ uci.foreach(uciconfig, uciserver, (cfg) => { tcp_fast_open: strToBool(cfg.tcp_fast_open), tcp_multi_path: strToBool(cfg.tcp_multi_path), udp_fragment: strToBool(cfg.udp_fragment), + udp_timeout: cfg.udp_timeout ? (cfg.udp_timeout + 's') : null, sniff: true, sniff_override_destination: (cfg.sniff_override === '1'), domain_strategy: cfg.domain_strategy, diff --git a/small/luci-app-passwall/luasrc/model/cbi/passwall/client/acl_config.lua b/small/luci-app-passwall/luasrc/model/cbi/passwall/client/acl_config.lua index 6b10651fe1..59f62eb11b 100644 --- a/small/luci-app-passwall/luasrc/model/cbi/passwall/client/acl_config.lua +++ b/small/luci-app-passwall/luasrc/model/cbi/passwall/client/acl_config.lua @@ -369,16 +369,21 @@ if has_singbox or has_xray then end end -o = s:option(ListValue, "chinadns_ng_default_tag", translate("ChinaDNS-NG Domain Default Tag")) +o = s:option(ListValue, "chinadns_ng_default_tag", translate("Default DNS")) o.default = "none" -o:value("none", translate("Default")) o:value("gfw", translate("Remote DNS")) o:value("chn", translate("Direct DNS")) -o.description = "
    " +o:value("none", translate("Smart, Do not accept no-ip reply from Direct DNS")) +o:value("none_noip", translate("Smart, Accept no-ip reply from Direct DNS")) +local desc = "
      " .. "
    • " .. translate("When not matching any domain name list:") .. "
      • " - .. "
    • " .. translate("Default: Forward to both direct and remote DNS, if the direct DNS resolution result is a mainland China ip, then use the direct result, otherwise use the remote result.") .. "
      • " .. "
    • " .. translate("Remote DNS: Can avoid more DNS leaks, but some domestic domain names maybe to proxy!") .. "
      • " .. "
    • " .. translate("Direct DNS: Internet experience may be better, but DNS will be leaked!") .. "
      • " +o.description = desc + .. "
    • " .. translate("Smart: Forward to both direct and remote DNS, if the direct DNS resolution result is a mainland China IP, then use the direct result, otherwise use the remote result.") .. "
      • " + .. "
    • " .. translate("In smart mode, no-ip reply from Direct DNS:") .. "
      • " + .. "
    • " .. translate("Do not accept: Wait and use Remote DNS Reply.") .. "
      • " + .. "
    • " .. translate("Accept: Trust the Reply, using this option can improve DNS resolution speeds for some mainland IPv4-only sites.") .. "
      • " .. "
    " o:depends({dns_shunt = "chinadns-ng", tcp_proxy_mode = "proxy", chn_list = "direct"}) @@ -386,11 +391,7 @@ o = s:option(ListValue, "use_default_dns", translate("Default DNS")) o.default = "direct" o:value("remote", translate("Remote DNS")) o:value("direct", translate("Direct DNS")) -o.description = "
      " - .. "
    • " .. translate("When not matching any domain name list:") .. "
      • " - .. "
    • " .. translate("Remote DNS: Can avoid more DNS leaks, but some domestic domain names maybe to proxy!") .. "
      • " - .. "
    • " .. translate("Direct DNS: Internet experience may be better, but DNS will be leaked!") .. "
      • " - .. "
    " +o.description = desc .. "
" o:depends({dns_shunt = "dnsmasq", tcp_proxy_mode = "proxy", chn_list = "direct"}) return m diff --git a/small/luci-app-passwall2/luasrc/model/cbi/passwall2/client/acl_config.lua b/small/luci-app-passwall2/luasrc/model/cbi/passwall2/client/acl_config.lua index 12ec9960b3..e6c9730c84 100644 --- a/small/luci-app-passwall2/luasrc/model/cbi/passwall2/client/acl_config.lua +++ b/small/luci-app-passwall2/luasrc/model/cbi/passwall2/client/acl_config.lua @@ -202,6 +202,17 @@ o:value("default", translate("Use global config") .. "(" .. UDP_REDIR_PORTS .. " o:value("1:65535", translate("All")) o.validate = port_validate +o = s:option(ListValue, "direct_dns_query_strategy", translate("Direct Query Strategy")) +o.default = "UseIP" +o:value("UseIP") +o:value("UseIPv4") +o:value("UseIPv6") +o:depends({ node = "default", ['!reverse'] = true }) + +o = s:option(Flag, "write_ipset_direct", translate("Direct DNS result write to IPSet"), translate("Perform the matching direct domain name rules into IP to IPSet/NFTSet, and then connect directly (not entering the core). Maybe conflict with some special circumstances.")) +o.default = "1" +o:depends({ node = "default", ['!reverse'] = true }) + o = s:option(ListValue, "remote_dns_protocol", translate("Remote DNS Protocol")) o:value("tcp", "TCP") o:value("doh", "DoH") @@ -291,8 +302,4 @@ for k, v in pairs(nodes_table) do end end -o = s:option(Flag, "write_ipset_direct", translate("Direct DNS result write to IPSet"), translate("Perform the matching direct domain name rules into IP to IPSet/NFTSet, and then connect directly (not entering the core). Maybe conflict with some special circumstances.")) -o.default = "1" -o:depends({ node = "default", ['!reverse'] = true }) - return m diff --git a/small/luci-app-passwall2/root/usr/share/passwall2/app.sh b/small/luci-app-passwall2/root/usr/share/passwall2/app.sh index 485d1518eb..fa2e73bf3f 100755 --- a/small/luci-app-passwall2/root/usr/share/passwall2/app.sh +++ b/small/luci-app-passwall2/root/usr/share/passwall2/app.sh @@ -337,7 +337,7 @@ run_xray() { [ -n "${direct_ipset}" ] && _extra_param="${_extra_param} -direct_ipset ${direct_ipset}" [ -n "${direct_nftset}" ] && _extra_param="${_extra_param} -direct_nftset ${direct_nftset}" } - _extra_param="${_extra_param} -direct_dns_udp_port ${DIRECT_DNS_UDP_PORT} -direct_dns_udp_server ${DIRECT_DNS_UDP_SERVER} -direct_dns_query_strategy UseIP" + _extra_param="${_extra_param} -direct_dns_udp_port ${DIRECT_DNS_UDP_PORT} -direct_dns_udp_server ${DIRECT_DNS_UDP_SERVER} -direct_dns_query_strategy ${direct_dns_query_strategy}" DNS_REMOTE_ARGS="" case "$remote_dns_protocol" in diff --git a/small/luci-app-passwall2/root/usr/share/passwall2/rule_update.lua b/small/luci-app-passwall2/root/usr/share/passwall2/rule_update.lua index 60e55fdc15..b51c2181ea 100755 --- a/small/luci-app-passwall2/root/usr/share/passwall2/rule_update.lua +++ b/small/luci-app-passwall2/root/usr/share/passwall2/rule_update.lua @@ -108,14 +108,14 @@ local function fetch_geosite() local json = jsonc.parse(content) if json.tag_name and json.assets then for _, v in ipairs(json.assets) do - if v.name and v.name == "geosite.dat.sha256sum" then + if v.name and (v.name == "geosite.dat.sha256sum" or v.name == "dlc.dat.sha256sum") then local sret = curl(v.browser_download_url, "/tmp/geosite.dat.sha256sum") if sret == 200 then local f = io.open("/tmp/geosite.dat.sha256sum", "r") local content = f:read() f:close() f = io.open("/tmp/geosite.dat.sha256sum", "w") - f:write(content:gsub("geosite.dat", "/tmp/geosite.dat"), "") + f:write(content:gsub("[^%s]+.dat", "/tmp/geosite.dat"), "") f:close() if nixio.fs.access(asset_location .. "geosite.dat") then @@ -126,7 +126,7 @@ local function fetch_geosite() end end for _2, v2 in ipairs(json.assets) do - if v2.name and v2.name == "geosite.dat" then + if v2.name and (v2.name == "geosite.dat" or v2.name == "dlc.dat") then sret = curl(v2.browser_download_url, "/tmp/geosite.dat") if luci.sys.call('sha256sum -c /tmp/geosite.dat.sha256sum > /dev/null 2>&1') == 0 then luci.sys.call(string.format("mkdir -p %s && cp -f %s %s", asset_location, "/tmp/geosite.dat", asset_location .. "geosite.dat")) diff --git a/small/v2ray-geodata/Makefile b/small/v2ray-geodata/Makefile index c3917e4c5a..97b94e6760 100644 --- a/small/v2ray-geodata/Makefile +++ b/small/v2ray-geodata/Makefile @@ -12,13 +12,13 @@ PKG_MAINTAINER:=Tianling Shen include $(INCLUDE_DIR)/package.mk -GEOIP_VER:=202408290048 +GEOIP_VER:=202408310351 GEOIP_FILE:=geoip.dat.$(GEOIP_VER) define Download/geoip URL:=https://github.com/v2fly/geoip/releases/download/$(GEOIP_VER)/ URL_FILE:=geoip.dat FILE:=$(GEOIP_FILE) - HASH:=428f8d3c2f65be51afa945a3464b44fde82d509f5df3f1383a5902d1706d1fe4 + HASH:=3b95b24108334c0a9f1f6480159437e7ce128bf45483469b534eea484ad7de8e endef GEOSITE_VER:=20240829063032 diff --git a/v2rayn/v2rayN/ServiceLib/Handler/ConfigHandler.cs b/v2rayn/v2rayN/ServiceLib/Handler/ConfigHandler.cs index 8d2bfe6df2..601bec23a5 100644 --- a/v2rayn/v2rayN/ServiceLib/Handler/ConfigHandler.cs +++ b/v2rayn/v2rayN/ServiceLib/Handler/ConfigHandler.cs @@ -173,6 +173,13 @@ namespace ServiceLib.Handler config.speedTestItem.speedPingTestUrl = Global.SpeedPingTestUrl; } + config.mux4RayItem ??= new() + { + concurrency = 8, + xudpConcurrency = 16, + xudpProxyUDP443 = "reject" + }; + if (config.mux4SboxItem == null) { config.mux4SboxItem = new() diff --git a/v2rayn/v2rayN/ServiceLib/Handler/CoreConfig/CoreConfigSingbox.cs b/v2rayn/v2rayN/ServiceLib/Handler/CoreConfig/CoreConfigSingbox.cs index ba6fc69d00..f0b366d686 100644 --- a/v2rayn/v2rayN/ServiceLib/Handler/CoreConfig/CoreConfigSingbox.cs +++ b/v2rayn/v2rayN/ServiceLib/Handler/CoreConfig/CoreConfigSingbox.cs @@ -702,6 +702,7 @@ namespace ServiceLib.Handler.CoreConfig enabled = true, protocol = _config.mux4SboxItem.protocol, max_connections = _config.mux4SboxItem.max_connections, + padding = _config.mux4SboxItem.padding, }; outbound.multiplex = mux; } diff --git a/v2rayn/v2rayN/ServiceLib/Handler/CoreConfig/CoreConfigV2ray.cs b/v2rayn/v2rayN/ServiceLib/Handler/CoreConfig/CoreConfigV2ray.cs index 9e092ae336..3c11bae2cd 100644 --- a/v2rayn/v2rayN/ServiceLib/Handler/CoreConfig/CoreConfigV2ray.cs +++ b/v2rayn/v2rayN/ServiceLib/Handler/CoreConfig/CoreConfigV2ray.cs @@ -770,7 +770,9 @@ namespace ServiceLib.Handler.CoreConfig if (enabled) { outbound.mux.enabled = true; - outbound.mux.concurrency = 8; + outbound.mux.concurrency = _config.mux4RayItem.concurrency; + outbound.mux.xudpConcurrency = _config.mux4RayItem.xudpConcurrency; + outbound.mux.xudpProxyUDP443 = _config.mux4RayItem.xudpProxyUDP443; } else { diff --git a/v2rayn/v2rayN/ServiceLib/Models/Config.cs b/v2rayn/v2rayN/ServiceLib/Models/Config.cs index 062cd501af..1c943547f3 100644 --- a/v2rayn/v2rayN/ServiceLib/Models/Config.cs +++ b/v2rayn/v2rayN/ServiceLib/Models/Config.cs @@ -41,6 +41,7 @@ public UIItem uiItem { get; set; } public ConstItem constItem { get; set; } public SpeedTestItem speedTestItem { get; set; } + public Mux4RayItem mux4RayItem { get; set; } public Mux4SboxItem mux4SboxItem { get; set; } public HysteriaItem hysteriaItem { get; set; } public ClashUIItem clashUIItem { get; set; } diff --git a/v2rayn/v2rayN/ServiceLib/Models/ConfigItems.cs b/v2rayn/v2rayN/ServiceLib/Models/ConfigItems.cs index ec7f746a09..7ddcf37602 100644 --- a/v2rayn/v2rayN/ServiceLib/Models/ConfigItems.cs +++ b/v2rayn/v2rayN/ServiceLib/Models/ConfigItems.cs @@ -197,11 +197,20 @@ public int Index { get; set; } } + [Serializable] + public class Mux4RayItem + { + public int? concurrency { get; set; } + public int? xudpConcurrency { get; set; } + public string? xudpProxyUDP443 { get; set; } + } + [Serializable] public class Mux4SboxItem { public string protocol { get; set; } public int max_connections { get; set; } + public bool? padding { get; set; } } [Serializable] diff --git a/v2rayn/v2rayN/ServiceLib/Models/SingboxConfig.cs b/v2rayn/v2rayN/ServiceLib/Models/SingboxConfig.cs index 12689a1a5e..259bb39590 100644 --- a/v2rayn/v2rayN/ServiceLib/Models/SingboxConfig.cs +++ b/v2rayn/v2rayN/ServiceLib/Models/SingboxConfig.cs @@ -150,6 +150,7 @@ public bool enabled { get; set; } public string protocol { get; set; } public int max_connections { get; set; } + public bool? padding { get; set; } } public class Utls4Sbox diff --git a/v2rayn/v2rayN/ServiceLib/Models/V2rayConfig.cs b/v2rayn/v2rayN/ServiceLib/Models/V2rayConfig.cs index 1118a193ae..6335db48cb 100644 --- a/v2rayn/v2rayN/ServiceLib/Models/V2rayConfig.cs +++ b/v2rayn/v2rayN/ServiceLib/Models/V2rayConfig.cs @@ -343,15 +343,10 @@ namespace ServiceLib.Models public class Mux4Ray { - /// - /// - /// public bool enabled { get; set; } - - /// - /// - /// - public int concurrency { get; set; } + public int? concurrency { get; set; } + public int? xudpConcurrency { get; set; } + public string? xudpProxyUDP443 { get; set; } } public class Response4Ray diff --git a/yass/third_party/mbedtls/.github/pull_request_template.md b/yass/third_party/mbedtls/.github/pull_request_template.md index 9d30412fd8..892ed28ce1 100644 --- a/yass/third_party/mbedtls/.github/pull_request_template.md +++ b/yass/third_party/mbedtls/.github/pull_request_template.md @@ -9,7 +9,8 @@ Please write a few sentences describing the overall goals of the pull request's Please tick as appropriate and edit the reasons (e.g.: "backport: not needed because this is a new feature") - [ ] **changelog** provided, or not required -- [ ] **backport** done, or not required +- [ ] **3.6 backport** done, or not required +- [ ] **2.28 backport** done, or not required - [ ] **tests** provided, or not required diff --git a/yass/third_party/mbedtls/.gitignore b/yass/third_party/mbedtls/.gitignore index 4f29d5be50..6068cbca76 100644 --- a/yass/third_party/mbedtls/.gitignore +++ b/yass/third_party/mbedtls/.gitignore @@ -2,6 +2,9 @@ seedfile # MBEDTLS_PSA_INJECT_ENTROPY seed file created by the test framework 00000000ffffff52.psa_its +# Log files created by all.sh to reduce the logs in case a component runs +# successfully +quiet-make.* # CMake build artifacts: CMakeCache.txt @@ -67,3 +70,6 @@ massif-* compile_commands.json # clangd index files /.cache/clangd/index/ + +# VScode folder to store local debug files and configurations +.vscode diff --git a/yass/third_party/mbedtls/3rdparty/p256-m/.gitignore b/yass/third_party/mbedtls/3rdparty/p256-m/.gitignore new file mode 100644 index 0000000000..f3c7a7c5da --- /dev/null +++ b/yass/third_party/mbedtls/3rdparty/p256-m/.gitignore @@ -0,0 +1 @@ +Makefile diff --git a/yass/third_party/mbedtls/BRANCHES.md b/yass/third_party/mbedtls/BRANCHES.md index bcceda883a..9d5d779345 100644 --- a/yass/third_party/mbedtls/BRANCHES.md +++ b/yass/third_party/mbedtls/BRANCHES.md @@ -107,9 +107,9 @@ The following branches are currently maintained: - [`development`](https://github.com/Mbed-TLS/mbedtls/) - [`mbedtls-3.6`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-3.6) maintained until March 2027, see - . + . - [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28) maintained until the end of 2024, see - . + . Users are urged to always use the latest version of a maintained branch. diff --git a/yass/third_party/mbedtls/CMakeLists.txt b/yass/third_party/mbedtls/CMakeLists.txt index 2404783a99..1b0c73f468 100644 --- a/yass/third_party/mbedtls/CMakeLists.txt +++ b/yass/third_party/mbedtls/CMakeLists.txt @@ -22,6 +22,10 @@ cmake_minimum_required(VERSION 3.5.1) include(CMakePackageConfigHelpers) +# Include convenience functions for printing properties and variables, like +# cmake_print_properties(), cmake_print_variables(). +include(CMakePrintHelpers) + # https://cmake.org/cmake/help/latest/policy/CMP0011.html # Setting this policy is required in CMake >= 3.18.0, otherwise a warning is generated. The OLD # policy setting is deprecated, and will be removed in future versions. @@ -36,12 +40,12 @@ cmake_policy(SET CMP0012 NEW) if(TEST_CPP) project("Mbed TLS" LANGUAGES C CXX - VERSION 3.6.0 + VERSION 3.6.1 ) else() project("Mbed TLS" LANGUAGES C - VERSION 3.6.0 + VERSION 3.6.1 ) endif() @@ -73,10 +77,16 @@ endif() option(DISABLE_PACKAGE_CONFIG_AND_INSTALL "Disable package configuration, target export and installation" ${MBEDTLS_AS_SUBPROJECT}) -string(REGEX MATCH "Clang" CMAKE_COMPILER_IS_CLANG "${CMAKE_C_COMPILER_ID}") -string(REGEX MATCH "GNU" CMAKE_COMPILER_IS_GNU "${CMAKE_C_COMPILER_ID}") -string(REGEX MATCH "IAR" CMAKE_COMPILER_IS_IAR "${CMAKE_C_COMPILER_ID}") -string(REGEX MATCH "MSVC" CMAKE_COMPILER_IS_MSVC "${CMAKE_C_COMPILER_ID}") +if (CMAKE_C_SIMULATE_ID) + set(COMPILER_ID ${CMAKE_C_SIMULATE_ID}) +else() + set(COMPILER_ID ${CMAKE_C_COMPILER_ID}) +endif(CMAKE_C_SIMULATE_ID) + +string(REGEX MATCH "Clang" CMAKE_COMPILER_IS_CLANG "${COMPILER_ID}") +string(REGEX MATCH "GNU" CMAKE_COMPILER_IS_GNU "${COMPILER_ID}") +string(REGEX MATCH "IAR" CMAKE_COMPILER_IS_IAR "${COMPILER_ID}") +string(REGEX MATCH "MSVC" CMAKE_COMPILER_IS_MSVC "${COMPILER_ID}") # the test suites currently have compile errors with MSVC if(CMAKE_COMPILER_IS_MSVC) @@ -184,8 +194,6 @@ function(get_name_without_last_ext dest_var full_name) set(${dest_var} ${no_ext_name} PARENT_SCOPE) endfunction(get_name_without_last_ext) -string(REGEX MATCH "Clang" CMAKE_COMPILER_IS_CLANG "${CMAKE_C_COMPILER_ID}") - include(CheckCCompilerFlag) set(CMAKE_C_EXTENSIONS OFF) @@ -196,7 +204,7 @@ if(CMAKE_COMPILER_IS_GNU) # note: starting with CMake 2.8 we could use CMAKE_C_COMPILER_VERSION execute_process(COMMAND ${CMAKE_C_COMPILER} -dumpversion OUTPUT_VARIABLE GCC_VERSION) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings -Wmissing-prototypes") if (GCC_VERSION VERSION_GREATER 3.0 OR GCC_VERSION VERSION_EQUAL 3.0) set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wformat=2 -Wno-format-nonliteral") endif() @@ -230,7 +238,7 @@ if(CMAKE_COMPILER_IS_GNU) endif(CMAKE_COMPILER_IS_GNU) if(CMAKE_COMPILER_IS_CLANG) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings -Wmissing-prototypes -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral") set(CMAKE_C_FLAGS_RELEASE "-O2") set(CMAKE_C_FLAGS_DEBUG "-O0 -g3") set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage") @@ -283,6 +291,15 @@ if(MBEDTLS_FATAL_WARNINGS) endif(CMAKE_COMPILER_IS_IAR) endif(MBEDTLS_FATAL_WARNINGS) +if(CMAKE_BUILD_TYPE STREQUAL "Check" AND TEST_CPP) + set(CMAKE_CXX_STANDARD 11) + set(CMAKE_CXX_STANDARD_REQUIRED ON) + set(CMAKE_CXX_EXTENSIONS OFF) + if(CMAKE_COMPILER_IS_CLANG OR CMAKE_COMPILER_IS_GNU) + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -pedantic") + endif() +endif() + if(CMAKE_BUILD_TYPE STREQUAL "Coverage") if(CMAKE_COMPILER_IS_GNU OR CMAKE_COMPILER_IS_CLANG) set(CMAKE_SHARED_LINKER_FLAGS "--coverage") @@ -320,6 +337,37 @@ if(ENABLE_TESTING OR ENABLE_PROGRAMS) ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/*.c ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/drivers/*.c) add_library(mbedtls_test OBJECT ${MBEDTLS_TEST_FILES}) + if(GEN_FILES) + add_custom_command( + OUTPUT + ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_keys.h + WORKING_DIRECTORY + ${CMAKE_CURRENT_SOURCE_DIR}/tests + COMMAND + "${MBEDTLS_PYTHON_EXECUTABLE}" + "${CMAKE_CURRENT_SOURCE_DIR}/framework/scripts/generate_test_keys.py" + "--output" + "${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_keys.h" + DEPENDS + ${CMAKE_CURRENT_SOURCE_DIR}/framework/scripts/generate_test_keys.py + ) + add_custom_target(test_keys_header DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_keys.h) + add_custom_command( + OUTPUT + ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_certs.h + WORKING_DIRECTORY + ${CMAKE_CURRENT_SOURCE_DIR}/tests + COMMAND + "${MBEDTLS_PYTHON_EXECUTABLE}" + "${CMAKE_CURRENT_SOURCE_DIR}/framework/scripts/generate_test_cert_macros.py" + "--output" + "${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_certs.h" + DEPENDS + ${CMAKE_CURRENT_SOURCE_DIR}/framework/scripts/generate_test_cert_macros.py + ) + add_custom_target(test_certs_header DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_certs.h) + add_dependencies(mbedtls_test test_keys_header test_certs_header) + endif() target_include_directories(mbedtls_test PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tests/include PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/include @@ -406,7 +454,7 @@ if(NOT DISABLE_PACKAGE_CONFIG_AND_INSTALL) write_basic_package_version_file( "cmake/MbedTLSConfigVersion.cmake" COMPATIBILITY SameMajorVersion - VERSION 3.6.0) + VERSION 3.6.1) install( FILES "${CMAKE_CURRENT_BINARY_DIR}/cmake/MbedTLSConfig.cmake" diff --git a/yass/third_party/mbedtls/ChangeLog b/yass/third_party/mbedtls/ChangeLog index eae2a1977e..8eb43fe65c 100644 --- a/yass/third_party/mbedtls/ChangeLog +++ b/yass/third_party/mbedtls/ChangeLog @@ -1,5 +1,188 @@ Mbed TLS ChangeLog (Sorted per branch, date) += Mbed TLS 3.6.1 branch released 2024-08-30 + +API changes + * The experimental functions psa_generate_key_ext() and + psa_key_derivation_output_key_ext() are no longer declared when compiling + in C++. This resolves a build failure under C++ compilers that do not + support flexible array members (a C99 feature not adopted by C++). + Fixes #9020. + +Default behavior changes + * In a PSA-client-only build (i.e. MBEDTLS_PSA_CRYPTO_CLIENT && + !MBEDTLS_PSA_CRYPTO_C), do not automatically enable local crypto when the + corresponding PSA mechanism is enabled, since the server provides the + crypto. Fixes #9126. + * A TLS handshake may now call psa_crypto_init() if TLS 1.3 is enabled. + This can happen even if TLS 1.3 is offered but eventually not selected + in the protocol version negotiation. + * By default, the handling of TLS 1.3 tickets by the Mbed TLS client is now + disabled at runtime. Applications that were using TLS 1.3 tickets + signalled by MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET return values now + need to enable the handling of TLS 1.3 tickets through the new + mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets() API. + +New deprecations + * The experimental functions psa_generate_key_ext() and + psa_key_derivation_output_key_ext() are deprecated in favor of + psa_generate_key_custom() and psa_key_derivation_output_key_custom(). + They have almost exactly the same interface, but the variable-length + data is passed in a separate parameter instead of a flexible array + member. + * The following cryptographic mechanisms are planned to be removed + in Mbed TLS 4.0: + - DES (including 3DES). + - PKCS#1v1.5 encryption/decryption (RSAES-PKCS1-v1_5). + (OAEP, PSS, and PKCS#1v1.5 signature are staying.) + - Finite-field Diffie-Hellman with custom groups. + (RFC 7919 groups remain supported.) + - Elliptic curves of size 225 bits or less. + * The following cipher suites are planned to be removed from (D)TLS 1.2 + in Mbed TLS 4.0: + - TLS_RSA_* (including TLS_RSA_PSK_*), i.e. cipher suites using + RSA decryption. + (RSA signatures, i.e. TLS_ECDHE_RSA_*, are staying.) + - TLS_ECDH_*, i.e. cipher suites using static ECDH. + (Ephemeral ECDH, i.e. TLS_ECDHE_*, is staying.) + - TLS_DHE_*, i.e. cipher suites using finite-field Diffie-Hellman. + (Ephemeral ECDH, i.e. TLS_ECDHE_*, is staying.) + - TLS_*CBC*, i.e. all cipher suites using CBC. + * The following low-level application interfaces are planned to be removed + from the public API in Mbed TLS 4.0: + - Hashes: hkdf.h, md5.h, ripemd160.h, sha1.h, sha3.h, sha256.h, sha512.h; + - Random generation: ctr_drbg.h, hmac_drbg.h, entropy.h; + - Ciphers and modes: aes.h, aria.h, camellia.h, chacha20.h, chachapoly.h, + cipher.h, cmac.h, gcm.h, poly1305.h; + - Private key encryption mechanisms: pkcs5.h, pkcs12.h. + - Asymmetric cryptography: bignum.h, dhm.h, ecdh.h, ecdsa.h, ecjpake.h, + ecp.h, rsa.h. + The cryptographic mechanisms remain present, but they will only be + accessible via the PSA API (psa_xxx functions introduced gradually + starting with Mbed TLS 2.17) and, where relevant, `pk.h`. + For guidance on migrating application code to the PSA API, please consult + the PSA transition guide (docs/psa-transition.md). + * The following integration interfaces are planned to be removed + in Mbed TLS 4.0: + - MBEDTLS_xxx_ALT replacement of cryptographic modules and functions. + Use PSA transparent drivers instead. + - MBEDTLS_PK_RSA_ALT and MBEDTLS_PSA_CRYPTO_SE_C. + Use PSA opaque drivers instead. + +Features + * When the new compilation option MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled, + the number of volatile PSA keys is virtually unlimited, at the expense + of increased code size. This option is off by default, but enabled in + the default mbedtls_config.h. Fixes #9216. + +Security + * Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does + not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when + MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled. + CVE-2024-45157 + * Fix a stack buffer overflow in mbedtls_ecdsa_der_to_raw() and + mbedtls_ecdsa_raw_to_der() when the bits parameter is larger than the + largest supported curve. In some configurations with PSA disabled, + all values of bits are affected. This never happens in internal library + calls, but can affect applications that call these functions directly. + CVE-2024-45158 + * With TLS 1.3, when a server enables optional authentication of the + client, if the client-provided certificate does not have appropriate values + in keyUsage or extKeyUsage extensions, then the return value of + mbedtls_ssl_get_verify_result() would incorrectly have the + MBEDTLS_X509_BADCERT_KEY_USAGE and MBEDTLS_X509_BADCERT_EXT_KEY_USAGE bits + clear. As a result, an attacker that had a certificate valid for uses other + than TLS client authentication could be able to use it for TLS client + authentication anyway. Only TLS 1.3 servers were affected, and only with + optional authentication (required would abort the handshake with a fatal + alert). + CVE-2024-45159 + +Bugfix + * Fix TLS 1.3 client build and runtime when support for session tickets is + disabled (MBEDTLS_SSL_SESSION_TICKETS configuration option). Fixes #6395. + * Fix compilation error when memcpy() is a function-like macros. Fixes #8994. + * MBEDTLS_ASN1_PARSE_C and MBEDTLS_ASN1_WRITE_C are now automatically enabled + as soon as MBEDTLS_RSA_C is enabled. Fixes #9041. + * Fix undefined behaviour (incrementing a NULL pointer by zero length) when + passing in zero length additional data to multipart AEAD. + * Fix rare concurrent access bug where attempting to operate on a + non-existent key while concurrently creating a new key could potentially + corrupt the key store. + * Fix error handling when creating a key in a dynamic secure element + (feature enabled by MBEDTLS_PSA_CRYPTO_SE_C). In a low memory condition, + the creation could return PSA_SUCCESS but using or destroying the key + would not work. Fixes #8537. + * Fix issue of redefinition warning messages for _GNU_SOURCE in + entropy_poll.c and sha_256.c. There was a build warning during + building for linux platform. + Resolves #9026 + * Fix a compilation warning in pk.c when PSA is enabled and RSA is disabled. + * Fix the build when MBEDTLS_PSA_CRYPTO_CONFIG is enabled and the built-in + CMAC is enabled, but no built-in unauthenticated cipher is enabled. + Fixes #9209. + * Fix redefinition warnings when SECP192R1 and/or SECP192K1 are disabled. + Fixes #9029. + * Fix psa_cipher_decrypt() with CCM* rejecting messages less than 3 bytes + long. Credit to Cryptofuzz. Fixes #9314. + * Fix interference between PSA volatile keys and built-in keys + when MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS is enabled and + MBEDTLS_PSA_KEY_SLOT_COUNT is more than 4096. + * Document and enforce the limitation of mbedtls_psa_register_se_key() + to persistent keys. Resolves #9253. + * Fix Clang compilation error when MBEDTLS_USE_PSA_CRYPTO is enabled + but MBEDTLS_DHM_C is disabled. Reported by Michael Schuster in #9188. + * Fix server mode only build when MBEDTLS_SSL_SRV_C is enabled but + MBEDTLS_SSL_CLI_C is disabled. Reported by M-Bab on GitHub in #9186. + * When MBEDTLS_PSA_CRYPTO_C was disabled and MBEDTLS_ECDSA_C enabled, + some code was defining 0-size arrays, resulting in compilation errors. + Fixed by disabling the offending code in configurations without PSA + Crypto, where it never worked. Fixes #9311. + * Fix unintended performance regression when using short RSA public keys. + Fixes #9232. + * Fixes an issue where some TLS 1.2 clients could not connect to an + Mbed TLS 3.6.0 server, due to incorrect handling of + legacy_compression_methods in the ClientHello. + Fixes #8995, #9243. + * Fix TLS connections failing when the handshake selects TLS 1.3 + in an application that does not call psa_crypto_init(). + Fixes #9072. + * Fix TLS connection failure in applications using an Mbed TLS client in + the default configuration connecting to a TLS 1.3 server sending tickets. + See the documentation of + mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets() for more + information. + Fixes #8749. + * Fix a memory leak that could occur when failing to process an RSA + key through some PSA functions due to low memory conditions. + * Fixed a regression introduced in 3.6.0 where the CA callback set with + mbedtls_ssl_conf_ca_cb() would stop working when connections were + upgraded to TLS 1.3. Fixed by adding support for the CA callback with TLS + 1.3. + * Fixed a regression introduced in 3.6.0 where clients that relied on + optional/none authentication mode, by calling mbedtls_ssl_conf_authmode() + with MBEDTLS_SSL_VERIFY_OPTIONAL or MBEDTLS_SSL_VERIFY_NONE, would stop + working when connections were upgraded to TLS 1.3. Fixed by adding + support for optional/none with TLS 1.3 as well. Note that the TLS 1.3 + standard makes server authentication mandatory; users are advised not to + use authmode none, and to carefully check the results when using optional + mode. + * Fixed a regression introduced in 3.6.0 where context-specific certificate + verify callbacks, set with mbedtls_ssl_set_verify() as opposed to + mbedtls_ssl_conf_verify(), would stop working when connections were + upgraded to TLS 1.3. Fixed by adding support for context-specific verify + callback in TLS 1.3. + +Changes + * Warn if mbedtls/check_config.h is included manually, as this can + lead to spurious errors. Error if a *adjust*.h header is included + manually, as this can lead to silently inconsistent configurations, + potentially resulting in buffer overflows. + When migrating from Mbed TLS 2.x, if you had a custom config.h that + included check_config.h, remove this inclusion from the Mbed TLS 3.x + configuration file (renamed to mbedtls_config.h). This change was made + in Mbed TLS 3.0, but was not announced in a changelog entry at the time. + = Mbed TLS 3.6.0 branch released 2024-03-28 API changes @@ -144,6 +327,7 @@ Security * Fix a stack buffer overread (less than 256 bytes) when parsing a TLS 1.3 ClientHello in a TLS 1.3 server supporting some PSK key exchange mode. A malicious client could cause information disclosure or a denial of service. + Fixes CVE-2024-30166. * Passing buffers that are stored in untrusted memory as arguments to PSA functions is now secure by default. The PSA core now protects against modification of inputs or exposure diff --git a/yass/third_party/mbedtls/configs/config-symmetric-only.h b/yass/third_party/mbedtls/configs/config-symmetric-only.h index 512dd7616c..f73db3a7d7 100644 --- a/yass/third_party/mbedtls/configs/config-symmetric-only.h +++ b/yass/third_party/mbedtls/configs/config-symmetric-only.h @@ -65,13 +65,11 @@ #define MBEDTLS_PSA_ITS_FILE_C #define MBEDTLS_RIPEMD160_C #define MBEDTLS_SHA1_C -/* The library does not currently support enabling SHA-224 without SHA-256. - * A future version of the library will have this option disabled - * by default. */ #define MBEDTLS_SHA224_C #define MBEDTLS_SHA256_C #define MBEDTLS_SHA384_C #define MBEDTLS_SHA512_C +#define MBEDTLS_SHA3_C //#define MBEDTLS_THREADING_C #define MBEDTLS_TIMING_C #define MBEDTLS_VERSION_C diff --git a/yass/third_party/mbedtls/configs/crypto-config-ccm-aes-sha256.h b/yass/third_party/mbedtls/configs/crypto-config-ccm-aes-sha256.h index 7f8d58768c..68a9c0a539 100644 --- a/yass/third_party/mbedtls/configs/crypto-config-ccm-aes-sha256.h +++ b/yass/third_party/mbedtls/configs/crypto-config-ccm-aes-sha256.h @@ -2,7 +2,7 @@ * \file configs/crypto-config-ccm-aes-sha256.h * * \brief PSA crypto configuration with only symmetric cryptography: CCM-AES, - * SHA-256, HMAC and key derivation + * SHA-256 and key derivation (uses HMAC). */ /* * Copyright The Mbed TLS Contributors @@ -13,12 +13,10 @@ #define PSA_CRYPTO_CONFIG_H #define PSA_WANT_ALG_CCM 1 -#define PSA_WANT_ALG_HMAC 1 #define PSA_WANT_ALG_SHA_256 1 #define PSA_WANT_ALG_TLS12_PRF 1 #define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 #define PSA_WANT_KEY_TYPE_DERIVE 1 -#define PSA_WANT_KEY_TYPE_HMAC 1 #define PSA_WANT_KEY_TYPE_AES 1 #define PSA_WANT_KEY_TYPE_RAW_DATA 1 diff --git a/yass/third_party/mbedtls/docs/architecture/psa-crypto-implementation-structure.md b/yass/third_party/mbedtls/docs/architecture/psa-crypto-implementation-structure.md index d7e4f9c488..0954602cb6 100644 --- a/yass/third_party/mbedtls/docs/architecture/psa-crypto-implementation-structure.md +++ b/yass/third_party/mbedtls/docs/architecture/psa-crypto-implementation-structure.md @@ -86,7 +86,7 @@ Summary of files to modify when adding a new algorithm or key type: * [ ] `tests/suites/test_suite_psa_crypto_metadata.data` — [New functions and macros](#new-functions-and-macros) * (If adding `PSA_IS_xxx`) `tests/suites/test_suite_psa_crypto_metadata.function` — [New functions and macros](#new-functions-and-macros) * [ ] `tests/suites/test_suite_psa_crypto*.data`, `tests/suites/test_suite_psa_crypto*.function` — [Unit tests](#unit-tests) -* [ ] `scripts/mbedtls_dev/crypto_knowledge.py`, `scripts/mbedtls_dev/asymmetric_key_data.py` — [Unit tests](#unit-tests) +* [ ] `framework/scripts/mbedtls_framework/crypto_knowledge.py`, `framework/scripts/mbedtls_framework/asymmetric_key_data.py` — [Unit tests](#unit-tests) * [ ] `ChangeLog.d/*.txt` — changelog entry Summary of files to modify when adding new API functions: @@ -153,7 +153,7 @@ The size of operation structures needs to be known at compile time, since caller ### Unit tests -A number of unit tests are automatically generated by `tests/scripts/generate_psa_tests.py` based on the algorithms and key types declared in `include/psa/crypto_values.h` and `include/psa/crypto_extra.h`: +A number of unit tests are automatically generated by `framework/scripts/generate_psa_tests.py` based on the algorithms and key types declared in `include/psa/crypto_values.h` and `include/psa/crypto_extra.h`: * Attempt to create a key with a key type that is not supported. * Attempt to perform an operation with a combination of key type and algorithm that is not valid or not supported. @@ -161,8 +161,8 @@ A number of unit tests are automatically generated by `tests/scripts/generate_ps When adding a new key type or algorithm: -* `scripts/mbedtls_dev/crypto_knowledge.py` contains knowledge about the compatibility of key types, key sizes and algorithms. -* `scripts/mbedtls_dev/asymmetric_key_data.py` contains valid key data for asymmetric key types. +* `framework/scripts/mbedtls_framework/crypto_knowledge.py` contains knowledge about the compatibility of key types, key sizes and algorithms. +* `framework/scripts/mbedtls_framework/asymmetric_key_data.py` contains valid key data for asymmetric key types. Other things need to be tested manually, either in `tests/suites/test_sutie_psa_crypto.data` or in another file. For example (this is not an exhaustive list): diff --git a/yass/third_party/mbedtls/docs/architecture/psa-keystore-design.md b/yass/third_party/mbedtls/docs/architecture/psa-keystore-design.md new file mode 100644 index 0000000000..cdd2cac3ab --- /dev/null +++ b/yass/third_party/mbedtls/docs/architecture/psa-keystore-design.md @@ -0,0 +1,214 @@ +PSA key store design +==================== + +## Introduction + +This document describes the architecture of the key storage in memory in the Mbed TLS and TF-PSA-Crypto implementation of the PSA Cryptography API. + +In the PSA Cryptography API, cryptographic operations access key materials via a key identifier (key ID for short). Applications must first create a key object, which allocates storage in memory for the key material and metadata. This storage is under the control of the library and may be located in a different memory space such as a trusted execution environment or a secure element. + +The storage of persistent keys is out of scope of this document. See the [Mbed Crypto storage specification](mbed-crypto-storage-specification.md). + +## Key slot management interface + +### Key store and key slots + +The **key store** consists of a collection of **key slots**. Each key slot contains the metadata for one key, as well as the key material or a reference to the key material. + +A key slot has the type `psa_key_slot_t`. The key store is a global object which is private inside `psa_crypto_slot_management.c`. + +### Key slot entry points + +The following operations allocate a key slot by calling `psa_reserve_free_key_slot()`: + +* **Creating** a key object, through means such as import, random generation, deterministic derivation, copy, or registration of an existing key that is stored in protected hardware (secure element, hardware unique key (HUK)). +* **Loading** a persistent key from storage, or loading a built-in key. This is done through `psa_get_and_lock_key_slot()`, which calls `psa_reserve_free_key_slot()` and loads the key if applicable. + +The following operations free a key slot by calling `psa_wipe_key_slot()` and, if applicable, `psa_free_key_slot()`: + +* **Destroying** a key. +* **Purging** a persistent key from memory, either explicitly at the application's request or to free memory. + +Deinitializing the PSA Crypto subsystem with `mbedtls_psa_crypto_free()` destroys all volatile keys and purges all persistent keys. + +The library accesses key slots in the following scenarios: + +* while the key is being created or loaded; +* while the key is being destroyed or purged; +* while the key metadata or key material is being accessed. + +### Key slot states + +The state of a key slot is indicated by its `state` field of type `psa_key_slot_state_t`, which can be: + +* `PSA_SLOT_EMPTY`: a slot that occupies memory but does not currently contain a key. +* `PSA_SLOT_FILLING`: a slot that is being filled to create or load a key. +* `PSA_SLOT_FULL`: a slot containing a key. +* `PSA_SLOT_PENDING_DELETION`: a slot whose key is being destroy or purged. + +These states are mostly useful for concurrency. See [Concurrency](#concurrency) below and [key slot states in the PSA thread safety specification](psa-thread-safety/psa-thread-safety.md#key-slot-states). + +#### Concurrency + +In a multithreaded environment, since Mbed TLS 3.6.0, each key slot is protected by a reader-writer lock. (In earlier versions, the key store was not thread-safe.) The lock is controlled by a single global mutex `mbedtls_threading_psa_globaldata_mutex`. The concurrency state of the slot is indicated by the state and the `registered_readers` field: + +* `EMPTY` or `FULL` state, `registered_readers == 0`: the slot is not in use by any thread. +* `FULL` state, `registered_readers != 0`: the slot is being read. +* `FILLING` or `PENDING_DELETION` state: the slot is being written. + +For more information, see [PSA thread safety](psa-thread-safety/psa-thread-safety.md). + +Note that a slot must not be moved in memory while it is being read or written. + +## Key slot management implementations + +### Key store implementation variants + +There are three variants of the key store implementation, responding to different needs. + +* Hybrid key store ([static key slots](#static-key-store) with dynamic key data): the key store is a statically allocated array of slots, of size `MBEDTLS_PSA_KEY_SLOT_COUNT`. Key material is allocated on the heap. This is the historical implementation. It remains the default in the Mbed TLS 3.6 long-time support (LTS) branch when using a handwritten `mbedtls_config.h`, as is common on resource-constrained platforms, because the alternatives have tradeoffs (key size limit and larger RAM usage at rest for the static key store, larger code size and more risk due to code complexity for the dynamic key store). +* Fully [static key store](#static-key-store) (since Mbed TLS 3.6.2): the key store is a statically allocated array of slots, of size `MBEDTLS_PSA_KEY_SLOT_COUNT`. Each key slot contains the key representation directly, and the key representation must be no more than `MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE` bytes. This is intended for very constrained devices that do not have a heap. +* [Dynamic key store](#dynamic-key-store) (since Mbed TLS 3.6.1): the key store is dynamically allocated as multiple slices on the heap, with a size that adjusts to the application's usage. Key material is allocated on the heap. Compared to the hybrid key store, the code size and RAM consumption are larger. This is intended for higher-end devices where applications are not expected to have a highly predicatable resource usage. This is the default implementation when using the default `mbedtls_config.h` file, as is common on platforms such as Linux, starting with Mbed TLS 3.6.1. + +#### Future improvement: merging the key store variants + +In the future, we may reduce the number of key store variants to just two, perhaps even one. + +We introduced the variants other than the hybrid key store in a patch release of a long-time support version. As a consequence, we wanted to minimize making changes to the default build (when not using the supplied `mbedtls_config.h`, as explained above), to minimize the risk of bugs and the increase in code size. These considerations will not apply in future major or minor releases, so the default key store can change later. + +The static key store could become a runtime decision, where only keys larger than some threshold require the use of heap memory. The reasons not to do this in Mbed TLS 3.6.x are that this increases complexity somewhat (slightly more code size, and more risk), and this changes the RAM usage profile somewhat. + +A major constraint on the design of the dynamic key store is the need to preserve slot pointers while a slot may be accessed by another thread (see [“Concurrency”](#concurrency)). With the concurrency primitives available in Mbed TLS 3.x, it is very hard to move a key slot in memory, because there could be an indefinite wait until some other thread has finished accessing the slot. This pushed towards the slice-based organisation described below, where each slice is allocated for the long term. In particular, slices cannot be compacted (compacting would be moving slots out of a sparsely-used slice to free it). Better concurrency primitives (e.g. condition variables or semaphores), together with a `realloc()` primitive, could allow freeing unused memory more aggressively, which could make the dynamic key store not detrimental in RAM usage compared to the historical hybrid key store. + +#### Slice abstraction + +Some parts of the key slot management code use **key slices** as an abstraction. A key slice is an array of key slots. Key slices are identified by an index which is a small non-negative integer. + +* With a [static key store](#static-key-store), there is a single, statically allocated slice, with the index 0. +* With a [dynamic key store](#dynamic-key-store), there is statically allocated array of pointers to key slices. The index of a slice is the index in that array. The slices are allocated on the heap as needed. + +#### Key identifiers and slot location + +When creating a volatile key, the slice containing the slot and index of the slot in its slice determine the key identifier. When accessing a volatile key, the slice and the slot index in the slice are calculated from the key identifier. The encoding of the slot location in the volatile key identifier is different for a [static](#volatile-key-identifiers-in-the-static-key-store) or [dynamic](#volatile-key-identifiers-in-the-dynamic-key-store) key store. + +### Static key store + +The static key store is the historical implementation. The key store is a statically allocated array of slots, of size `MBEDTLS_PSA_KEY_SLOT_COUNT`. This value is an upper bound for the total number of volatile keys plus loaded keys. + +Since Mbed TLS 3.6.2, there are two variants for the static key store: a hybrid variant (default), and a fully-static variant enabled by the configuration option `MBEDTLS_PSA_STATIC_KEY_SLOTS`. The two variants have the same key store management: the only difference is in how the memory for key data is managed. With fully static key slots, the key data is directly inside the slot, and limited to `MBEDTLS_PSA_KEY_SLOT_BUFFER_SIZE` bytes. With the hybrid key store, the slot contains a pointer to the key data, which is allocated on the heap. + +#### Volatile key identifiers in the static key store + +For easy lookup, a volatile key whose index is `id` is stored at the index `id - PSA_KEY_ID_VOLATILE_MIN`. + +#### Key creation with a static key store + +To create a key, `psa_reserve_free_key_slot()` searches the key slot array until it finds one that is empty. If there are none, the code looks for a persistent key that can be purged (see [“Persistent key cache”](#persistent-key-cache)), and purges it. If no slot is free and no slot contains a purgeable key, the key creation fails. + +#### Freeing a key slot with a static key store + +With a static key store, `psa_wipe_key_slot()` destroys or purges a key by freeing any associated resources, then setting the key slot to the empty state. The slot is then ready for reuse. + +### Dynamic key store + +The dynamic key store allows a large number of keys, at the expense of more complex memory management. + +The dynamic key store was added in Mbed TLS 3.6.1. It is enabled by `MBEDTLS_PSA_KEY_STORE_DYNAMIC`, which is enabled by default since Mbed TLS 3.6.1. + +#### Dynamic key slot performance characteristics + +Key management and key access have $O(1)$ amortized performance, and mostly $O(1)$ performance for actions involving keys. More precisely: + +* Access to an existing volatile key takes $O(1)$ time. +* Access to a persistent key (including creation and destruction) takes time that is linear in `MBEDTLS_PSA_KEY_SLOT_COUNT`. +* Allocating a key takes amortized $O(1)$ time. Usually the time is $O(s)$ where $s$ is the number of slices (which is a hard-coded value less than $30$), but when creating $k$ volatile keys, at most $\log(k)$ creations will involve calls to `calloc()`, totalling $O(k)$ memory. +* Destroying a volatile key takes $O(1)$ time as of Mbed TLS 3.6.1. Later improvements to memory consumption are likely to involve calls to `free()` which may total $O(k)$ memory where $k$ is the maximum number of volatile keys. + +#### Key slices in the dynamic key store + +The key slot is organized in slices, which are dynamically arrays of key slot. The number of slices is determined at compile time. The key store contains a static array of pointers to slices. + +Volatile keys and loaded keys (persistent or built-in) are stored in separate slices. +Key slices number 0 to `KEY_SLOT_VOLATILE_SLICE_COUNT - 1` contain only volatile keys. +One key slice contains only loaded keys: that key slice is thus the cache slice. See [“Persistent key cache”](persistent-key-cache) for how the cache is managed. + +#### Volatile key identifiers in the dynamic key store + +A volatile key identifier encodes the slice index and the slot index at separate bit positions. That is, `key_id = BASE | slice_index | slot_index` where the bits set in `BASE`, `slice_index` and `slot_index` do not overlap. + +#### From key slot to key slice + +Some parts of the slot management code need to determine which key slice contains a key slot when given a pointer to the key slot. In principle, the key slice is uniquely determined from the key identifier which is located in the slot: + +* for a volatile key identifier, the [slice index is encoded in the key identifier](#volatile-key-identifiers-in-the-dynamic-key-store); +* for a persistent key identifier or built-in key identifier, [the slot is in the sole cache slice](#key-slices-in-the-dynamic-key-store). + +Nonetheless, we store the slice index as a field in the slot, for two reasons: + +* It is more robust in case the slice assignment becomes more complex in the future or is somehow buggy. +* It allows the slot to slice correspondence to work even if the key identifier field has not been filled yet or has been wiped. The implementation in Mbed TLS 3.6.1 requires this because `psa_wipe_key_slot()` wipes the slot, then calls `psa_free_key_slot()`, which needs to determine the slice. Keeping the slice index as a separate field allows us to better separate the concerns of key liveness and slot liveness. A redesign of the internal interfaces could improve this, but would be too disruptive in the 3.6 LTS branch. + +#### Length of the volatile key slices + +The volatile key slices have exponentially increasing length: each slice is twice as long as the previous one. Thus if the length of slice 0 is `B` and there are `N` slices, then there are `B * (2^N - 1)` slots. + +As of Mbed TLS 3.6.1, the maximum number of volatile key slots is less than the theoretical maximum of 2^30 - 2^16 (0x10000000..0x7ffeffff, the largest range of key identifiers reserved for the PSA Crypto implementation that does not overlap the range for built-in keys). The reason is that we limit the slot index to 2^25-1 so that the [encoding of volatile key identifiers](#volatile-key-identifiers-in-the-dynamic-key-store) has 25 bits for the slot index. + +When `MBEDTLS_TEST_HOOKS` is enabled, the length of key slices can be overridden. We use this in tests that need to fill the key store. + +#### Free list + +Each volatile key slice has a **free list**. This is a linked list of all the slots in the slice that are free. The global data contains a static array of free list heads, i.e. the index of a free slot in the slice. Each free slot contains the index of the next free slot in that slice's free list. The end of the list is indicated by an index that is larger than the length of the slice. If the list is empty, the head contains an index that is larger than the length. + +As a small optimization, a free slot does not actually contain the index of the next slot, but the index of the next free slot on the list _relative to the next slot in the array_. For example, 0 indicates that the next free slot is the slot immediately after the current slot. This fact is the reason for the encoding: a slice freshly obtained from `calloc` has all of its slots in the free list in order. The value 1 indicates that there is one element between this slot and the next free slot. The next element of the free list can come before the current slot: -2 indicates that it's the slot immediately before, -3 is two slots before, and so on (-1 is impossible). In general, the absolute index of the next slot after slot `i` in the free list is `i + 1 slice[i].next_free_relative_to_next`. + +#### Dynamic key slot allocation + +To create a volatile key, `psa_reserve_free_key_slot()` searches the free lists of each allocated slice until it finds a slice that is not full. If all allocated slices are full, the code allocates a new slice at the lowest possible slice index. If all possible slices are already allocated and full, the key creation fails. + +The newly allocated slot is removed from the slice's free list. + +We only allocate a slice of size `B * 2^k` if there are already `B * (2^k - 1)` occupied slots. Thus the memory overhead is at most `B` slots plus the number of occupied slots, i.e. the memory consumption for slots is at most twice the required memory plus a small constant overhead. + +#### Dynamic key slot deallocation + +When destroying a volatile key, `psa_wipe_key_slot()` calls `psa_free_key_slot()`. This function adds the newly freed slot to the head of the free list. + +##### Future improvement: slice deallocation + +As of Mbed TLS 3.6.1, `psa_free_key_slot()` does not deallocate slices. Thus the memory consumption for slots never decreases (except when the PSA crypto subsystem is deinitialized). Freeing key slices intelligently would be a desirable improvement. + +We should not free a key slice as soon as it becomes empty, because that would cause large allocations and deallocations if there are slices full of long-lived keys, and then one slice keeps being allocate and deallocated for the occasional short-lived keys. Rather, there should be some hysteresis, e.g. only deallocate a slice if there are at least T free slots in the previous slice. [#9435](https://github.com/Mbed-TLS/mbedtls/issues/9435) + +Note that currently, the slice array contains one sequence of allocated slices followed by one sequence of unallocated slices. Mixing allocated and unallocated slices may make some parts of the code a little more complex, and should be tested thoroughly. + +### Persistent key cache + +Persistent keys and built-in keys need to be loaded into the in-memory key store each time they are accessed: + +* while creating them; +* to access their metadata; +* to start performing an operation with the key; +* when destroying the key. + +To avoid frequent storage access, we cache persistent keys in memory. This cache also applies to built-in keys. + +With the [static key store](#static-key-store), a non-empty slot can contain either a volatile key or a cache entry for a persistent or built-in key. With the [dynamic key store](#dynamic-key-store), volatile keys and cached keys are placed in separate [slices](#key-slices-in-the-dynamic-key-store). + +The persistent key cache is a fixed-size array of `MBEDTLS_PSA_KEY_SLOT_COUNT` slots. In the static key store, this array is shared with volatile keys. In the dynamic key store, the cache is a separate array that does not contain volatile keys. + +#### Accessing a persistent key + +`psa_get_and_lock_key_slot()` automatically loads persistent and built-in keys if the specified key identifier is in the corresponding range. To that effect, it traverses the key cache to see if a key with the given identifier is already loaded. If not, it loads the key. This cache walk takes time that is proportional to the cache size. + +#### Cache eviction + +A key slot must be allocated in the cache slice: + +* to create a volatile key (static key store only); +* to create a persistent key; +* to load a persistent or built-in key. + +If the cache slice is full, the code will try to evict an entry. Only slots that do not have readers can be evicted (see [“Concurrency”](#concurrency)). In the static key store, slots containing volatile keys cannot be evicted. + +As of Mbed TLS 3.6.1, there is no tracking of a key's usage frequency or age. The slot eviction code picks the first evictable slot it finds in its traversal order. We have not reasoned about or experimented with different strategies. diff --git a/yass/third_party/mbedtls/docs/architecture/psa-shared-memory.md b/yass/third_party/mbedtls/docs/architecture/psa-shared-memory.md index ef3a6b09de..283ffc6265 100644 --- a/yass/third_party/mbedtls/docs/architecture/psa-shared-memory.md +++ b/yass/third_party/mbedtls/docs/architecture/psa-shared-memory.md @@ -663,7 +663,7 @@ psa_status_t mem_poison_psa_aead_update(psa_aead_operation_t *operation, There now exists a more generic mechanism for making exactly this kind of transformation - the PSA test wrappers, which exist in the files `tests/include/test/psa_test_wrappers.h` and `tests/src/psa_test_wrappers.c`. These are wrappers around all PSA functions that allow testing code to be inserted at the start and end of a PSA function call. -The test wrappers are generated by a script, although they are not automatically generated as part of the build process. Instead, they are checked into source control and must be manually updated when functions change by running `tests/scripts/generate_psa_wrappers.py`. +The test wrappers are generated by a script, although they are not automatically generated as part of the build process. Instead, they are checked into source control and must be manually updated when functions change by running `framework/scripts/generate_psa_wrappers.py`. Poisoning code is added to these test wrappers where relevant in order to pre-poison and post-unpoison the parameters to the functions. diff --git a/yass/third_party/mbedtls/docs/driver-only-builds.md b/yass/third_party/mbedtls/docs/driver-only-builds.md index 4095d8ee77..5d950b068d 100644 --- a/yass/third_party/mbedtls/docs/driver-only-builds.md +++ b/yass/third_party/mbedtls/docs/driver-only-builds.md @@ -277,6 +277,11 @@ The same holds for the associated algorithm: `[PSA_WANT|MBEDTLS_PSA_ACCEL]_ALG_FFDH` allow builds accelerating FFDH and removing builtin support (i.e. `MBEDTLS_DHM_C`). +Note that the PSA API only supports FFDH with RFC 7919 groups, whereas the +Mbed TLS legacy API supports custom groups. As a consequence, the TLS layer +of Mbed TLS only supports DHE cipher suites if built-in FFDH +(`MBEDTLS_DHM_C`) is present, even when `MBEDTLS_USE_PSA_CRYPTO` is enabled. + RSA --- diff --git a/yass/third_party/mbedtls/docs/psa-transition.md b/yass/third_party/mbedtls/docs/psa-transition.md index bbb7da2470..dea14fe4dd 100644 --- a/yass/third_party/mbedtls/docs/psa-transition.md +++ b/yass/third_party/mbedtls/docs/psa-transition.md @@ -779,7 +779,7 @@ A finite-field Diffie-Hellman key can be used for key agreement with the algorit The easiest way to create a key pair object is by randomly generating it with [`psa_generate_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__random/#group__random_1ga1985eae417dfbccedf50d5fff54ea8c5). Compared with the low-level functions from the legacy API (`mbedtls_rsa_gen_key`, `mbedtls_ecp_gen_privkey`, `mbedtls_ecp_gen_keypair`, `mbedtls_ecp_gen_keypair_base`, `mbedtls_ecdsa_genkey`), this directly creates an object that can be used with high-level APIs, but removes some of the flexibility. Note that if you want to export the generated private key, you must pass the flag [`PSA_KEY_USAGE_EXPORT`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__policy/#group__policy_1ga7dddccdd1303176e87a4d20c87b589ed) to [`psa_set_key_usage_flags`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1ga42a65b3c4522ce9b67ea5ea7720e17de); exporting the public key with [`psa_export_public_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1gaf22ae73312217aaede2ea02cdebb6062) is always permitted. -For RSA keys, `psa_generate_key` uses 65537 as the public exponent. You can use [`psa_generate_key_ext`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__random/#group__random_1ga6776360ae8046a4456a5f990f997da58) to select a different public exponent. As of Mbed TLS 3.6.0, selecting a different public exponent is only supported with the built-in RSA implementation, not with PSA drivers. +For RSA keys, `psa_generate_key` uses 65537 as the public exponent. You can use [`psa_generate_key_custom`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__random/#ga0415617443afe42a712027bbb8ad89f0) to select a different public exponent. As of Mbed TLS 3.6.1, selecting a different public exponent is only supported with the built-in RSA implementation, not with PSA drivers. To create a key object from existing material, use [`psa_import_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga0336ea76bf30587ab204a8296462327b). This function has the same basic goal as the PK parse functions (`mbedtls_pk_parse_key`, `mbedtls_pk_parse_public_key`, `mbedtls_pk_parse_subpubkey`), but only supports a single format that just contains the number(s) that make up the key, with very little metadata. The table below summarizes the PSA import/export format for key pairs and public keys; see the documentation of [`psa_export_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga668e35be8d2852ad3feeef74ac6f75bf) and [`psa_export_public_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1gaf22ae73312217aaede2ea02cdebb6062) for more details. diff --git a/yass/third_party/mbedtls/docs/requirements.txt b/yass/third_party/mbedtls/docs/requirements.txt index a1bfd82377..2287b2a72b 100644 --- a/yass/third_party/mbedtls/docs/requirements.txt +++ b/yass/third_party/mbedtls/docs/requirements.txt @@ -1,63 +1,66 @@ # -# This file is autogenerated by pip-compile with Python 3.9 +# This file is autogenerated by pip-compile with Python 3.8 # by the following command: # # pip-compile requirements.in # alabaster==0.7.13 # via sphinx -babel==2.12.1 +babel==2.15.0 # via sphinx breathe==4.35.0 # via -r requirements.in -certifi==2022.12.7 +certifi==2024.7.4 # via requests -charset-normalizer==3.1.0 +charset-normalizer==3.3.2 # via requests -click==8.1.3 +click==8.1.7 # via readthedocs-cli -docutils==0.17.1 +docutils==0.20.1 # via # breathe # sphinx # sphinx-rtd-theme -idna==3.4 +idna==3.7 # via requests imagesize==1.4.1 # via sphinx -importlib-metadata==6.0.0 +importlib-metadata==8.0.0 # via sphinx -jinja2==3.1.2 +jinja2==3.1.4 # via sphinx -markdown-it-py==2.2.0 +markdown-it-py==3.0.0 # via rich -markupsafe==2.1.2 +markupsafe==2.1.5 # via jinja2 mdurl==0.1.2 # via markdown-it-py -packaging==23.0 +packaging==24.1 # via sphinx -pygments==2.14.0 +pygments==2.18.0 # via # rich # sphinx -pyyaml==6.0 +pytz==2024.1 + # via babel +pyyaml==6.0.1 # via readthedocs-cli readthedocs-cli==4 # via -r requirements.in -requests==2.28.2 +requests==2.32.3 # via # readthedocs-cli # sphinx -rich==13.3.5 +rich==13.7.1 # via readthedocs-cli snowballstemmer==2.2.0 # via sphinx -sphinx==4.5.0 +sphinx==7.1.2 # via # breathe # sphinx-rtd-theme -sphinx-rtd-theme==1.2.0 + # sphinxcontrib-jquery +sphinx-rtd-theme==2.0.0 # via -r requirements.in sphinxcontrib-applehelp==1.0.4 # via sphinx @@ -65,7 +68,7 @@ sphinxcontrib-devhelp==1.0.2 # via sphinx sphinxcontrib-htmlhelp==2.0.1 # via sphinx -sphinxcontrib-jquery==2.0.0 +sphinxcontrib-jquery==4.1 # via sphinx-rtd-theme sphinxcontrib-jsmath==1.0.1 # via sphinx @@ -73,10 +76,9 @@ sphinxcontrib-qthelp==1.0.3 # via sphinx sphinxcontrib-serializinghtml==1.1.5 # via sphinx -urllib3==1.26.15 +typing-extensions==4.12.2 + # via rich +urllib3==2.2.2 # via requests -zipp==3.15.0 +zipp==3.19.2 # via importlib-metadata - -# The following packages are considered to be unsafe in a requirements file: -# setuptools diff --git a/yass/third_party/mbedtls/docs/use-psa-crypto.md b/yass/third_party/mbedtls/docs/use-psa-crypto.md index 92d0985249..f2983bd37a 100644 --- a/yass/third_party/mbedtls/docs/use-psa-crypto.md +++ b/yass/third_party/mbedtls/docs/use-psa-crypto.md @@ -75,13 +75,8 @@ operations and its public part can be exported. **Benefits:** isolation of long-term secrets, use of PSA Crypto drivers. -**Limitations:** can only wrap a key pair, can only use it for private key -operations. (That is, signature generation, and for RSA decryption too.) -Note: for ECDSA, currently this uses randomized ECDSA while Mbed TLS uses -deterministic ECDSA by default. The following operations are not supported -with a context set this way, while they would be available with a normal -context: `mbedtls_pk_check_pair()`, `mbedtls_pk_debug()`, all public key -operations. +**Limitations:** please refer to the documentation of `mbedtls_pk_setup_opaque()` +for a full list of supported operations and limitations. **Use in X.509 and TLS:** opt-in. The application needs to construct the PK context using the new API in order to get the benefits; it can then pass the diff --git a/yass/third_party/mbedtls/doxygen/input/doc_mainpage.h b/yass/third_party/mbedtls/doxygen/input/doc_mainpage.h index 3eb5f7555c..740bb19dee 100644 --- a/yass/third_party/mbedtls/doxygen/input/doc_mainpage.h +++ b/yass/third_party/mbedtls/doxygen/input/doc_mainpage.h @@ -10,7 +10,7 @@ */ /** - * @mainpage Mbed TLS v3.6.0 API Documentation + * @mainpage Mbed TLS v3.6.1 API Documentation * * This documentation describes the internal structure of Mbed TLS. It was * automatically generated from specially formatted comment blocks in diff --git a/yass/third_party/mbedtls/doxygen/mbedtls.doxyfile b/yass/third_party/mbedtls/doxygen/mbedtls.doxyfile index c4505ac239..2a8282073b 100644 --- a/yass/third_party/mbedtls/doxygen/mbedtls.doxyfile +++ b/yass/third_party/mbedtls/doxygen/mbedtls.doxyfile @@ -1,4 +1,4 @@ -PROJECT_NAME = "Mbed TLS v3.6.0" +PROJECT_NAME = "Mbed TLS v3.6.1" OUTPUT_DIRECTORY = ../apidoc/ FULL_PATH_NAMES = NO OPTIMIZE_OUTPUT_FOR_C = YES diff --git a/yass/third_party/mbedtls/framework/CONTRIBUTING.md b/yass/third_party/mbedtls/framework/CONTRIBUTING.md new file mode 100644 index 0000000000..4a1039954d --- /dev/null +++ b/yass/third_party/mbedtls/framework/CONTRIBUTING.md @@ -0,0 +1,26 @@ +Contributing +============ +We gratefully accept bug reports and contributions from the community. All PRs are reviewed by the project team / community, and may need some modifications to +be accepted. + +Most contributions in this repository will be associated with [Mbed TLS](https://github.com/Mbed-TLS/mbedtls/blob/development/CONTRIBUTING.md) or TF-PSA-Crypto. Please consult their respective contribution guidelines for more information. + +What can I contribute here? +--------------------------- + +This repository is intended to contain files that are shared between multiple maintained branches of Mbed TLS and TF-PSA-Crypto. The exact policies are not yet written down. Please contribute in this repository if you wish to update one of the files that are present here. + +License and Copyright +--------------------- + +Unless specifically indicated otherwise in a file, Mbed TLS framework files are provided under a dual [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) OR [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) license. See the [LICENSE](LICENSE) file for the full text of these licenses. This means that users may choose which of these licenses they take the code under. + +Contributors must accept that their contributions are made under both the Apache-2.0 AND [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) licenses. + +All new files should include the standard SPDX license identifier where possible, i.e. "SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later". + +The copyright on contributions is retained by the original authors of the code. Where possible for new files, this should be noted in a comment at the top of the file in the form: "Copyright The Mbed TLS Contributors". + +When contributing code to us, the committer and all authors are required to make the submission under the terms of the [Developer Certificate of Origin](dco.txt), confirming that the code submitted can (legally) become part of the project, and is submitted under both the Apache-2.0 AND GPL-2.0-or-later licenses. + +This is done by including the standard Git `Signed-off-by:` line in every commit message. If more than one person contributed to the commit, they should also add their own `Signed-off-by:` line. diff --git a/yass/third_party/mbedtls/framework/README.md b/yass/third_party/mbedtls/framework/README.md index ba3df31b1d..fda3ffc6d3 100644 --- a/yass/third_party/mbedtls/framework/README.md +++ b/yass/third_party/mbedtls/framework/README.md @@ -10,10 +10,15 @@ You need this repository as a Git submodule in a branch of one of the above repo You do not need this repository if: * You are working with Mbed TLS 2.28. -* You want to build or test a release of Mbed TLS. +* You want to build a release of Mbed TLS and run its unit tests. + +Contributing +------------ + +We gratefully accept bug reports and contributions from the community. Please see the [contributing guidelines](CONTRIBUTING.md) for details on how to do this. License ------- -Unless specifically indicated otherwise in a file, Mbed TLS files are provided under a dual [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) OR [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) license. See the [LICENSE](LICENSE) file for the full text of these licenses, and [the 'License and Copyright' section in the Mbed TLS contributing guidelines](https://github.com/Mbed-TLS/mbedtls/blob/development/CONTRIBUTING.md#License-and-Copyright) for more information. +Unless specifically indicated otherwise in a file, Mbed TLS framework files are provided under a dual [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) OR [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) license. See the [LICENSE](LICENSE) file for the full text of these licenses, and [the 'License and Copyright' section in the contributing guidelines](CONTRIBUTING.md#License-and-Copyright) for more information. diff --git a/yass/third_party/mbedtls/tests/data_files/.gitignore b/yass/third_party/mbedtls/framework/data_files/.gitignore similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/.gitignore rename to yass/third_party/mbedtls/framework/data_files/.gitignore diff --git a/yass/third_party/mbedtls/tests/data_files/Makefile b/yass/third_party/mbedtls/framework/data_files/Makefile similarity index 97% rename from yass/third_party/mbedtls/tests/data_files/Makefile rename to yass/third_party/mbedtls/framework/data_files/Makefile index d6df19c20c..6dae31d19e 100644 --- a/yass/third_party/mbedtls/tests/data_files/Makefile +++ b/yass/third_party/mbedtls/framework/data_files/Makefile @@ -706,17 +706,43 @@ keys_rsa_basic_pwd = testkey ### Password used for PKCS8-encoded encrypted RSA keys keys_rsa_pkcs8_pwd = PolarSSLTest -### Basic 1024-, 2048- and 4096-bit unencrypted RSA keys from which +### Basic unencrypted RSA keys from which ### all other encrypted RSA keys are derived. +keys_rsa_base = +### TODO: the commands require OpenSSL 1.x to work as desired. With +### OpenSSL 3.x, they produce pkcs8 files. +rsa_pkcs1_768_clear.pem: + $(OPENSSL) genrsa -out $@ 768 +keys_rsa_base += rsa_pkcs1_768_clear.pem +rsa_pkcs1_769_clear.pem: + $(OPENSSL) genrsa -out $@ 769 +keys_rsa_base += rsa_pkcs1_769_clear.pem +rsa_pkcs1_770_clear.pem: + $(OPENSSL) genrsa -out $@ 770 +keys_rsa_base += rsa_pkcs1_770_clear.pem +rsa_pkcs1_776_clear.pem: + $(OPENSSL) genrsa -out $@ 776 +keys_rsa_base += rsa_pkcs1_776_clear.pem +rsa_pkcs1_784_clear.pem: + $(OPENSSL) genrsa -out $@ 784 +keys_rsa_base += rsa_pkcs1_784_clear.pem rsa_pkcs1_1024_clear.pem: $(OPENSSL) genrsa -out $@ 1024 -all_final += rsa_pkcs1_1024_clear.pem +keys_rsa_base += rsa_pkcs1_1024_clear.pem rsa_pkcs1_2048_clear.pem: $(OPENSSL) genrsa -out $@ 2048 -all_final += rsa_pkcs1_2048_clear.pem +keys_rsa_base += rsa_pkcs1_2048_clear.pem rsa_pkcs1_4096_clear.pem: $(OPENSSL) genrsa -out $@ 4096 -all_final += rsa_pkcs1_4096_clear.pem +keys_rsa_base += rsa_pkcs1_4096_clear.pem + +all_final += $(keys_rsa_base) + +### PKCS1-encoded, plaintext RSA keys in derived forms + +rsa_pkcs1_%.der: rsa_pkcs1_%.pem + $(OPENSSL) pkey -inform PEM -in $< -outform DER -out $@ +all_final += $(keys_rsa_base:.pem=.der) ### ### PKCS1-encoded, encrypted RSA keys @@ -1170,8 +1196,8 @@ keys_rsa_enc_pkcs8_v2_4096_sha512: keys_rsa_enc_pkcs8_v2_4096_3des_sha512 keys_r ### Rules to generate all RSA keys from a particular class ### -### Generate basic unencrypted RSA keys -keys_rsa_unenc: rsa_pkcs1_1024_clear.pem rsa_pkcs1_2048_clear.pem rsa_pkcs1_4096_clear.pem +### Generate cleartext RSA keys in derived formats +keys_rsa_cleartext: $(keys_rsa_base) $(keys_rsa_base:.pem=.der) ### Generate PKCS1-encoded encrypted RSA keys keys_rsa_enc_basic: keys_rsa_enc_basic_1024 keys_rsa_enc_basic_2048 keys_rsa_enc_basic_4096 @@ -1183,7 +1209,8 @@ keys_rsa_enc_pkcs8_v1: keys_rsa_enc_pkcs8_v1_1024 keys_rsa_enc_pkcs8_v1_2048 key keys_rsa_enc_pkcs8_v2: keys_rsa_enc_pkcs8_v2_1024 keys_rsa_enc_pkcs8_v2_2048 keys_rsa_enc_pkcs8_v2_4096 keys_rsa_enc_pkcs8_v2_1024_sha224 keys_rsa_enc_pkcs8_v2_2048_sha224 keys_rsa_enc_pkcs8_v2_4096_sha224 keys_rsa_enc_pkcs8_v2_1024_sha256 keys_rsa_enc_pkcs8_v2_2048_sha256 keys_rsa_enc_pkcs8_v2_4096_sha256 keys_rsa_enc_pkcs8_v2_1024_sha384 keys_rsa_enc_pkcs8_v2_2048_sha384 keys_rsa_enc_pkcs8_v2_4096_sha384 keys_rsa_enc_pkcs8_v2_1024_sha512 keys_rsa_enc_pkcs8_v2_2048_sha512 keys_rsa_enc_pkcs8_v2_4096_sha512 ### Generate all RSA keys -keys_rsa_all: keys_rsa_unenc keys_rsa_enc_basic keys_rsa_enc_pkcs8_v1 keys_rsa_enc_pkcs8_v2 +keys_rsa_all: keys_rsa_base keys_rsa_cleartext +keys_rsa_all: keys_rsa_enc_basic keys_rsa_enc_pkcs8_v1 keys_rsa_enc_pkcs8_v2 ################################################################ #### Generate various EC keys @@ -1765,6 +1792,22 @@ server2-sha256.crt: server2.req.sha256 $(MBEDTLS_CERT_WRITE) request_file=server2.req.sha256 serial=2 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=SHA256 version=3 output_file=$@ all_final += server2-sha256.crt +server2-sha256.ku-ka.crt: SERVER2_CRT_SERIAL=22 +server2-sha256.ku-ka.crt: SERVER2_KEY_USAGE=key_agreement +server2-sha256.ku-ke.crt: SERVER2_CRT_SERIAL=23 +server2-sha256.ku-ke.crt: SERVER2_KEY_USAGE=key_encipherment +server2-sha256.ku-ds.crt: SERVER2_CRT_SERIAL=24 +server2-sha256.ku-ds.crt: SERVER2_KEY_USAGE=digital_signature +server2-sha256.ku-ds_ke.crt: SERVER2_CRT_SERIAL=28 +server2-sha256.ku-ds_ke.crt: SERVER2_KEY_USAGE=digital_signature,key_encipherment +server2-sha256.ku-%.crt: server2.req.sha256 + $(MBEDTLS_CERT_WRITE) request_file=server2.req.sha256 serial=$(SERVER2_CRT_SERIAL) \ + issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) \ + key_usage="$(SERVER2_KEY_USAGE)" \ + not_before=20190210144406 not_after=20290210144406 md=SHA256 version=3 output_file=$@ +all_final += server2-sha256.ku-ka.crt server2-sha256.ku-ke.crt server2-sha256.ku-ds.crt server2-sha256.ku-ds_ke.crt + +all_final += server2.ku-ka.crt server2.ku-ke.crt server2.ku-ds.crt server2.ku-ds_ke.crt server2.ku-ka.crt: SERVER2_CRT_SERIAL=42 server2.ku-ka.crt: SERVER2_KEY_USAGE=key_agreement server2.ku-ke.crt: SERVER2_CRT_SERIAL=43 @@ -2075,72 +2118,6 @@ all_final += server2-v1.crt server2-v1-chain.crt: server2-v1.crt server1-v1.crt cat $^ > $@ -################################################################ -#### Generate C format test certs header -################################################################ - -TEST_CERTS_H_INPUT_FILES=test-ca2.crt \ - test-ca2.crt.der \ - test-ca2.key.enc \ - test-ca2.key.der \ - test-ca-sha256.crt \ - test-ca-sha256.crt.der \ - test-ca-sha1.crt \ - test-ca-sha1.crt.der \ - test-ca.key \ - test-ca.key.der \ - server5.crt \ - server5.crt.der \ - server5.key \ - server5.key.der \ - server2-sha256.crt \ - server2-sha256.crt.der \ - server2.crt \ - server2.crt.der \ - server2.key \ - server2.key.der \ - cli2.crt \ - cli2.crt.der \ - cli2.key \ - cli2.key.der \ - cli-rsa-sha256.crt \ - cli-rsa-sha256.crt.der \ - cli-rsa.key \ - cli-rsa.key.der -../src/test_certs.h: ../scripts/generate_test_cert_macros.py \ - $(TEST_CERTS_H_INPUT_FILES) - ../scripts/generate_test_cert_macros.py --output $@ \ - --string TEST_CA_CRT_EC_PEM=test-ca2.crt \ - --binary TEST_CA_CRT_EC_DER=test-ca2.crt.der \ - --string TEST_CA_KEY_EC_PEM=test-ca2.key.enc \ - --password TEST_CA_PWD_EC_PEM=PolarSSLTest \ - --binary TEST_CA_KEY_EC_DER=test-ca2.key.der \ - --string TEST_CA_CRT_RSA_SHA256_PEM=test-ca-sha256.crt \ - --binary TEST_CA_CRT_RSA_SHA256_DER=test-ca-sha256.crt.der \ - --string TEST_CA_CRT_RSA_SHA1_PEM=test-ca-sha1.crt \ - --binary TEST_CA_CRT_RSA_SHA1_DER=test-ca-sha1.crt.der \ - --string TEST_CA_KEY_RSA_PEM=test-ca.key \ - --password TEST_CA_PWD_RSA_PEM=PolarSSLTest \ - --binary TEST_CA_KEY_RSA_DER=test-ca.key.der \ - --string TEST_SRV_CRT_EC_PEM=server5.crt \ - --binary TEST_SRV_CRT_EC_DER=server5.crt.der \ - --string TEST_SRV_KEY_EC_PEM=server5.key \ - --binary TEST_SRV_KEY_EC_DER=server5.key.der \ - --string TEST_SRV_CRT_RSA_SHA256_PEM=server2-sha256.crt \ - --binary TEST_SRV_CRT_RSA_SHA256_DER=server2-sha256.crt.der \ - --string TEST_SRV_CRT_RSA_SHA1_PEM=server2.crt \ - --binary TEST_SRV_CRT_RSA_SHA1_DER=server2.crt.der \ - --string TEST_SRV_KEY_RSA_PEM=server2.key \ - --binary TEST_SRV_KEY_RSA_DER=server2.key.der \ - --string TEST_CLI_CRT_EC_PEM=cli2.crt \ - --binary TEST_CLI_CRT_EC_DER=cli2.crt.der \ - --string TEST_CLI_KEY_EC_PEM=cli2.key \ - --binary TEST_CLI_KEY_EC_DER=cli2.key.der \ - --string TEST_CLI_CRT_RSA_PEM=cli-rsa-sha256.crt \ - --binary TEST_CLI_CRT_RSA_DER=cli-rsa-sha256.crt.der \ - --string TEST_CLI_KEY_RSA_PEM=cli-rsa.key \ - --binary TEST_CLI_KEY_RSA_DER=cli-rsa.key.der - ################################################################ #### Diffie-Hellman parameters ################################################################ @@ -2161,7 +2138,7 @@ all: $(all_intermediate) $(all_final) .PHONY: default all_final all .PHONY: keys_rsa_all -.PHONY: keys_rsa_unenc keys_rsa_enc_basic +.PHONY: keys_rsa_enc_basic .PHONY: keys_rsa_enc_pkcs8_v1 keys_rsa_enc_pkcs8_v2 .PHONY: keys_rsa_enc_basic_1024 keys_rsa_enc_basic_2048 keys_rsa_enc_basic_4096 .PHONY: keys_rsa_enc_pkcs8_v1_1024 keys_rsa_enc_pkcs8_v2_1024 diff --git a/yass/third_party/mbedtls/tests/data_files/Readme-x509.txt b/yass/third_party/mbedtls/framework/data_files/Readme-x509.txt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/Readme-x509.txt rename to yass/third_party/mbedtls/framework/data_files/Readme-x509.txt diff --git a/yass/third_party/mbedtls/tests/data_files/authorityKeyId_no_authorityKeyId.crt.der b/yass/third_party/mbedtls/framework/data_files/authorityKeyId_no_authorityKeyId.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/authorityKeyId_no_authorityKeyId.crt.der rename to yass/third_party/mbedtls/framework/data_files/authorityKeyId_no_authorityKeyId.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/authorityKeyId_no_issuer.crt.der b/yass/third_party/mbedtls/framework/data_files/authorityKeyId_no_issuer.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/authorityKeyId_no_issuer.crt.der rename to yass/third_party/mbedtls/framework/data_files/authorityKeyId_no_issuer.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/authorityKeyId_no_keyid.crt.der b/yass/third_party/mbedtls/framework/data_files/authorityKeyId_no_keyid.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/authorityKeyId_no_keyid.crt.der rename to yass/third_party/mbedtls/framework/data_files/authorityKeyId_no_keyid.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/authorityKeyId_subjectKeyId.conf b/yass/third_party/mbedtls/framework/data_files/authorityKeyId_subjectKeyId.conf similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/authorityKeyId_subjectKeyId.conf rename to yass/third_party/mbedtls/framework/data_files/authorityKeyId_subjectKeyId.conf diff --git a/yass/third_party/mbedtls/tests/data_files/authorityKeyId_subjectKeyId.crt.der b/yass/third_party/mbedtls/framework/data_files/authorityKeyId_subjectKeyId.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/authorityKeyId_subjectKeyId.crt.der rename to yass/third_party/mbedtls/framework/data_files/authorityKeyId_subjectKeyId.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/authorityKeyId_subjectKeyId_issuer_tag1_malformed.crt.der b/yass/third_party/mbedtls/framework/data_files/authorityKeyId_subjectKeyId_issuer_tag1_malformed.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/authorityKeyId_subjectKeyId_issuer_tag1_malformed.crt.der rename to yass/third_party/mbedtls/framework/data_files/authorityKeyId_subjectKeyId_issuer_tag1_malformed.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/authorityKeyId_subjectKeyId_issuer_tag2_malformed.crt.der b/yass/third_party/mbedtls/framework/data_files/authorityKeyId_subjectKeyId_issuer_tag2_malformed.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/authorityKeyId_subjectKeyId_issuer_tag2_malformed.crt.der rename to yass/third_party/mbedtls/framework/data_files/authorityKeyId_subjectKeyId_issuer_tag2_malformed.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/authorityKeyId_subjectKeyId_keyid_tag_len_malformed.crt.der b/yass/third_party/mbedtls/framework/data_files/authorityKeyId_subjectKeyId_keyid_tag_len_malformed.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/authorityKeyId_subjectKeyId_keyid_tag_len_malformed.crt.der rename to yass/third_party/mbedtls/framework/data_files/authorityKeyId_subjectKeyId_keyid_tag_len_malformed.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/authorityKeyId_subjectKeyId_keyid_tag_malformed.crt.der b/yass/third_party/mbedtls/framework/data_files/authorityKeyId_subjectKeyId_keyid_tag_malformed.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/authorityKeyId_subjectKeyId_keyid_tag_malformed.crt.der rename to yass/third_party/mbedtls/framework/data_files/authorityKeyId_subjectKeyId_keyid_tag_malformed.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/authorityKeyId_subjectKeyId_length_malformed.crt.der b/yass/third_party/mbedtls/framework/data_files/authorityKeyId_subjectKeyId_length_malformed.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/authorityKeyId_subjectKeyId_length_malformed.crt.der rename to yass/third_party/mbedtls/framework/data_files/authorityKeyId_subjectKeyId_length_malformed.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/authorityKeyId_subjectKeyId_sequence_tag_malformed.crt.der b/yass/third_party/mbedtls/framework/data_files/authorityKeyId_subjectKeyId_sequence_tag_malformed.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/authorityKeyId_subjectKeyId_sequence_tag_malformed.crt.der rename to yass/third_party/mbedtls/framework/data_files/authorityKeyId_subjectKeyId_sequence_tag_malformed.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/authorityKeyId_subjectKeyId_sn_len_malformed.crt.der b/yass/third_party/mbedtls/framework/data_files/authorityKeyId_subjectKeyId_sn_len_malformed.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/authorityKeyId_subjectKeyId_sn_len_malformed.crt.der rename to yass/third_party/mbedtls/framework/data_files/authorityKeyId_subjectKeyId_sn_len_malformed.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/authorityKeyId_subjectKeyId_sn_tag_malformed.crt.der b/yass/third_party/mbedtls/framework/data_files/authorityKeyId_subjectKeyId_sn_tag_malformed.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/authorityKeyId_subjectKeyId_sn_tag_malformed.crt.der rename to yass/third_party/mbedtls/framework/data_files/authorityKeyId_subjectKeyId_sn_tag_malformed.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/authorityKeyId_subjectKeyId_tag_len_malformed.crt.der b/yass/third_party/mbedtls/framework/data_files/authorityKeyId_subjectKeyId_tag_len_malformed.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/authorityKeyId_subjectKeyId_tag_len_malformed.crt.der rename to yass/third_party/mbedtls/framework/data_files/authorityKeyId_subjectKeyId_tag_len_malformed.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/authorityKeyId_subjectKeyId_tag_malformed.crt.der b/yass/third_party/mbedtls/framework/data_files/authorityKeyId_subjectKeyId_tag_malformed.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/authorityKeyId_subjectKeyId_tag_malformed.crt.der rename to yass/third_party/mbedtls/framework/data_files/authorityKeyId_subjectKeyId_tag_malformed.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/base64/cli_cid.txt b/yass/third_party/mbedtls/framework/data_files/base64/cli_cid.txt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/base64/cli_cid.txt rename to yass/third_party/mbedtls/framework/data_files/base64/cli_cid.txt diff --git a/yass/third_party/mbedtls/tests/data_files/base64/cli_ciphersuite.txt b/yass/third_party/mbedtls/framework/data_files/base64/cli_ciphersuite.txt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/base64/cli_ciphersuite.txt rename to yass/third_party/mbedtls/framework/data_files/base64/cli_ciphersuite.txt diff --git a/yass/third_party/mbedtls/tests/data_files/base64/cli_def.txt b/yass/third_party/mbedtls/framework/data_files/base64/cli_def.txt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/base64/cli_def.txt rename to yass/third_party/mbedtls/framework/data_files/base64/cli_def.txt diff --git a/yass/third_party/mbedtls/tests/data_files/base64/cli_min_cfg.txt b/yass/third_party/mbedtls/framework/data_files/base64/cli_min_cfg.txt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/base64/cli_min_cfg.txt rename to yass/third_party/mbedtls/framework/data_files/base64/cli_min_cfg.txt diff --git a/yass/third_party/mbedtls/tests/data_files/base64/cli_no_alpn.txt b/yass/third_party/mbedtls/framework/data_files/base64/cli_no_alpn.txt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/base64/cli_no_alpn.txt rename to yass/third_party/mbedtls/framework/data_files/base64/cli_no_alpn.txt diff --git a/yass/third_party/mbedtls/tests/data_files/base64/cli_no_keep_cert.txt b/yass/third_party/mbedtls/framework/data_files/base64/cli_no_keep_cert.txt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/base64/cli_no_keep_cert.txt rename to yass/third_party/mbedtls/framework/data_files/base64/cli_no_keep_cert.txt diff --git a/yass/third_party/mbedtls/tests/data_files/base64/cli_no_mfl.txt b/yass/third_party/mbedtls/framework/data_files/base64/cli_no_mfl.txt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/base64/cli_no_mfl.txt rename to yass/third_party/mbedtls/framework/data_files/base64/cli_no_mfl.txt diff --git a/yass/third_party/mbedtls/tests/data_files/base64/cli_no_packing.txt b/yass/third_party/mbedtls/framework/data_files/base64/cli_no_packing.txt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/base64/cli_no_packing.txt rename to yass/third_party/mbedtls/framework/data_files/base64/cli_no_packing.txt diff --git a/yass/third_party/mbedtls/tests/data_files/base64/def_b64_ff.bin b/yass/third_party/mbedtls/framework/data_files/base64/def_b64_ff.bin similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/base64/def_b64_ff.bin rename to yass/third_party/mbedtls/framework/data_files/base64/def_b64_ff.bin diff --git a/yass/third_party/mbedtls/tests/data_files/base64/def_b64_too_big_1.txt b/yass/third_party/mbedtls/framework/data_files/base64/def_b64_too_big_1.txt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/base64/def_b64_too_big_1.txt rename to yass/third_party/mbedtls/framework/data_files/base64/def_b64_too_big_1.txt diff --git a/yass/third_party/mbedtls/tests/data_files/base64/def_b64_too_big_2.txt b/yass/third_party/mbedtls/framework/data_files/base64/def_b64_too_big_2.txt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/base64/def_b64_too_big_2.txt rename to yass/third_party/mbedtls/framework/data_files/base64/def_b64_too_big_2.txt diff --git a/yass/third_party/mbedtls/tests/data_files/base64/def_b64_too_big_3.txt b/yass/third_party/mbedtls/framework/data_files/base64/def_b64_too_big_3.txt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/base64/def_b64_too_big_3.txt rename to yass/third_party/mbedtls/framework/data_files/base64/def_b64_too_big_3.txt diff --git a/yass/third_party/mbedtls/tests/data_files/base64/def_bad_b64.txt b/yass/third_party/mbedtls/framework/data_files/base64/def_bad_b64.txt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/base64/def_bad_b64.txt rename to yass/third_party/mbedtls/framework/data_files/base64/def_bad_b64.txt diff --git a/yass/third_party/mbedtls/tests/data_files/base64/empty.txt b/yass/third_party/mbedtls/framework/data_files/base64/empty.txt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/base64/empty.txt rename to yass/third_party/mbedtls/framework/data_files/base64/empty.txt diff --git a/yass/third_party/mbedtls/tests/data_files/base64/mfl_1024.txt b/yass/third_party/mbedtls/framework/data_files/base64/mfl_1024.txt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/base64/mfl_1024.txt rename to yass/third_party/mbedtls/framework/data_files/base64/mfl_1024.txt diff --git a/yass/third_party/mbedtls/tests/data_files/base64/mtu_10000.txt b/yass/third_party/mbedtls/framework/data_files/base64/mtu_10000.txt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/base64/mtu_10000.txt rename to yass/third_party/mbedtls/framework/data_files/base64/mtu_10000.txt diff --git a/yass/third_party/mbedtls/tests/data_files/base64/srv_cid.txt b/yass/third_party/mbedtls/framework/data_files/base64/srv_cid.txt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/base64/srv_cid.txt rename to yass/third_party/mbedtls/framework/data_files/base64/srv_cid.txt diff --git a/yass/third_party/mbedtls/tests/data_files/base64/srv_ciphersuite.txt b/yass/third_party/mbedtls/framework/data_files/base64/srv_ciphersuite.txt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/base64/srv_ciphersuite.txt rename to yass/third_party/mbedtls/framework/data_files/base64/srv_ciphersuite.txt diff --git a/yass/third_party/mbedtls/tests/data_files/base64/srv_def.txt b/yass/third_party/mbedtls/framework/data_files/base64/srv_def.txt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/base64/srv_def.txt rename to yass/third_party/mbedtls/framework/data_files/base64/srv_def.txt diff --git a/yass/third_party/mbedtls/tests/data_files/base64/srv_min_cfg.txt b/yass/third_party/mbedtls/framework/data_files/base64/srv_min_cfg.txt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/base64/srv_min_cfg.txt rename to yass/third_party/mbedtls/framework/data_files/base64/srv_min_cfg.txt diff --git a/yass/third_party/mbedtls/tests/data_files/base64/srv_no_alpn.txt b/yass/third_party/mbedtls/framework/data_files/base64/srv_no_alpn.txt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/base64/srv_no_alpn.txt rename to yass/third_party/mbedtls/framework/data_files/base64/srv_no_alpn.txt diff --git a/yass/third_party/mbedtls/tests/data_files/base64/srv_no_keep_cert.txt b/yass/third_party/mbedtls/framework/data_files/base64/srv_no_keep_cert.txt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/base64/srv_no_keep_cert.txt rename to yass/third_party/mbedtls/framework/data_files/base64/srv_no_keep_cert.txt diff --git a/yass/third_party/mbedtls/tests/data_files/base64/srv_no_mfl.txt b/yass/third_party/mbedtls/framework/data_files/base64/srv_no_mfl.txt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/base64/srv_no_mfl.txt rename to yass/third_party/mbedtls/framework/data_files/base64/srv_no_mfl.txt diff --git a/yass/third_party/mbedtls/tests/data_files/base64/srv_no_packing.txt b/yass/third_party/mbedtls/framework/data_files/base64/srv_no_packing.txt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/base64/srv_no_packing.txt rename to yass/third_party/mbedtls/framework/data_files/base64/srv_no_packing.txt diff --git a/yass/third_party/mbedtls/tests/data_files/base64/v2.19.1.txt b/yass/third_party/mbedtls/framework/data_files/base64/v2.19.1.txt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/base64/v2.19.1.txt rename to yass/third_party/mbedtls/framework/data_files/base64/v2.19.1.txt diff --git a/yass/third_party/mbedtls/tests/data_files/cert_example_multi.crt b/yass/third_party/mbedtls/framework/data_files/cert_example_multi.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/cert_example_multi.crt rename to yass/third_party/mbedtls/framework/data_files/cert_example_multi.crt diff --git a/yass/third_party/mbedtls/tests/data_files/cert_example_multi_nocn.crt b/yass/third_party/mbedtls/framework/data_files/cert_example_multi_nocn.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/cert_example_multi_nocn.crt rename to yass/third_party/mbedtls/framework/data_files/cert_example_multi_nocn.crt diff --git a/yass/third_party/mbedtls/tests/data_files/cert_example_wildcard.crt b/yass/third_party/mbedtls/framework/data_files/cert_example_wildcard.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/cert_example_wildcard.crt rename to yass/third_party/mbedtls/framework/data_files/cert_example_wildcard.crt diff --git a/yass/third_party/mbedtls/tests/data_files/cert_md5.crt b/yass/third_party/mbedtls/framework/data_files/cert_md5.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/cert_md5.crt rename to yass/third_party/mbedtls/framework/data_files/cert_md5.crt diff --git a/yass/third_party/mbedtls/tests/data_files/cert_md5.csr b/yass/third_party/mbedtls/framework/data_files/cert_md5.csr similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/cert_md5.csr rename to yass/third_party/mbedtls/framework/data_files/cert_md5.csr diff --git a/yass/third_party/mbedtls/tests/data_files/cert_sha1.crt b/yass/third_party/mbedtls/framework/data_files/cert_sha1.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/cert_sha1.crt rename to yass/third_party/mbedtls/framework/data_files/cert_sha1.crt diff --git a/yass/third_party/mbedtls/tests/data_files/cert_sha224.crt b/yass/third_party/mbedtls/framework/data_files/cert_sha224.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/cert_sha224.crt rename to yass/third_party/mbedtls/framework/data_files/cert_sha224.crt diff --git a/yass/third_party/mbedtls/tests/data_files/cert_sha256.crt b/yass/third_party/mbedtls/framework/data_files/cert_sha256.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/cert_sha256.crt rename to yass/third_party/mbedtls/framework/data_files/cert_sha256.crt diff --git a/yass/third_party/mbedtls/tests/data_files/cert_sha384.crt b/yass/third_party/mbedtls/framework/data_files/cert_sha384.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/cert_sha384.crt rename to yass/third_party/mbedtls/framework/data_files/cert_sha384.crt diff --git a/yass/third_party/mbedtls/tests/data_files/cert_sha512.crt b/yass/third_party/mbedtls/framework/data_files/cert_sha512.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/cert_sha512.crt rename to yass/third_party/mbedtls/framework/data_files/cert_sha512.crt diff --git a/yass/third_party/mbedtls/tests/data_files/cert_v1_with_ext.crt b/yass/third_party/mbedtls/framework/data_files/cert_v1_with_ext.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/cert_v1_with_ext.crt rename to yass/third_party/mbedtls/framework/data_files/cert_v1_with_ext.crt diff --git a/yass/third_party/mbedtls/tests/data_files/cli-rsa-sha1.crt b/yass/third_party/mbedtls/framework/data_files/cli-rsa-sha1.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/cli-rsa-sha1.crt rename to yass/third_party/mbedtls/framework/data_files/cli-rsa-sha1.crt diff --git a/yass/third_party/mbedtls/tests/data_files/cli-rsa-sha256.crt b/yass/third_party/mbedtls/framework/data_files/cli-rsa-sha256.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/cli-rsa-sha256.crt rename to yass/third_party/mbedtls/framework/data_files/cli-rsa-sha256.crt diff --git a/yass/third_party/mbedtls/tests/data_files/cli-rsa-sha256.crt.der b/yass/third_party/mbedtls/framework/data_files/cli-rsa-sha256.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/cli-rsa-sha256.crt.der rename to yass/third_party/mbedtls/framework/data_files/cli-rsa-sha256.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/cli-rsa-sha256.key.der b/yass/third_party/mbedtls/framework/data_files/cli-rsa-sha256.key.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/cli-rsa-sha256.key.der rename to yass/third_party/mbedtls/framework/data_files/cli-rsa-sha256.key.der diff --git a/yass/third_party/mbedtls/tests/data_files/cli-rsa.key b/yass/third_party/mbedtls/framework/data_files/cli-rsa.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/cli-rsa.key rename to yass/third_party/mbedtls/framework/data_files/cli-rsa.key diff --git a/yass/third_party/mbedtls/tests/data_files/cli-rsa.key.der b/yass/third_party/mbedtls/framework/data_files/cli-rsa.key.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/cli-rsa.key.der rename to yass/third_party/mbedtls/framework/data_files/cli-rsa.key.der diff --git a/yass/third_party/mbedtls/tests/data_files/cli.opensslconf b/yass/third_party/mbedtls/framework/data_files/cli.opensslconf similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/cli.opensslconf rename to yass/third_party/mbedtls/framework/data_files/cli.opensslconf diff --git a/yass/third_party/mbedtls/tests/data_files/cli2.crt b/yass/third_party/mbedtls/framework/data_files/cli2.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/cli2.crt rename to yass/third_party/mbedtls/framework/data_files/cli2.crt diff --git a/yass/third_party/mbedtls/tests/data_files/cli2.crt.der b/yass/third_party/mbedtls/framework/data_files/cli2.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/cli2.crt.der rename to yass/third_party/mbedtls/framework/data_files/cli2.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/cli2.key b/yass/third_party/mbedtls/framework/data_files/cli2.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/cli2.key rename to yass/third_party/mbedtls/framework/data_files/cli2.key diff --git a/yass/third_party/mbedtls/tests/data_files/cli2.key.der b/yass/third_party/mbedtls/framework/data_files/cli2.key.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/cli2.key.der rename to yass/third_party/mbedtls/framework/data_files/cli2.key.der diff --git a/yass/third_party/mbedtls/tests/data_files/clusterfuzz-testcase-minimized-fuzz_x509crt-6666050834661376.crt.der b/yass/third_party/mbedtls/framework/data_files/clusterfuzz-testcase-minimized-fuzz_x509crt-6666050834661376.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/clusterfuzz-testcase-minimized-fuzz_x509crt-6666050834661376.crt.der rename to yass/third_party/mbedtls/framework/data_files/clusterfuzz-testcase-minimized-fuzz_x509crt-6666050834661376.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/crl-ec-sha1.pem b/yass/third_party/mbedtls/framework/data_files/crl-ec-sha1.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/crl-ec-sha1.pem rename to yass/third_party/mbedtls/framework/data_files/crl-ec-sha1.pem diff --git a/yass/third_party/mbedtls/tests/data_files/crl-ec-sha256.pem b/yass/third_party/mbedtls/framework/data_files/crl-ec-sha256.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/crl-ec-sha256.pem rename to yass/third_party/mbedtls/framework/data_files/crl-ec-sha256.pem diff --git a/yass/third_party/mbedtls/tests/data_files/crl-future.pem b/yass/third_party/mbedtls/framework/data_files/crl-future.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/crl-future.pem rename to yass/third_party/mbedtls/framework/data_files/crl-future.pem diff --git a/yass/third_party/mbedtls/tests/data_files/crl-futureRevocationDate.pem b/yass/third_party/mbedtls/framework/data_files/crl-futureRevocationDate.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/crl-futureRevocationDate.pem rename to yass/third_party/mbedtls/framework/data_files/crl-futureRevocationDate.pem diff --git a/yass/third_party/mbedtls/tests/data_files/crl-rsa-pss-sha1-badsign.pem b/yass/third_party/mbedtls/framework/data_files/crl-rsa-pss-sha1-badsign.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/crl-rsa-pss-sha1-badsign.pem rename to yass/third_party/mbedtls/framework/data_files/crl-rsa-pss-sha1-badsign.pem diff --git a/yass/third_party/mbedtls/tests/data_files/crl-rsa-pss-sha1.pem b/yass/third_party/mbedtls/framework/data_files/crl-rsa-pss-sha1.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/crl-rsa-pss-sha1.pem rename to yass/third_party/mbedtls/framework/data_files/crl-rsa-pss-sha1.pem diff --git a/yass/third_party/mbedtls/tests/data_files/crl-rsa-pss-sha224.pem b/yass/third_party/mbedtls/framework/data_files/crl-rsa-pss-sha224.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/crl-rsa-pss-sha224.pem rename to yass/third_party/mbedtls/framework/data_files/crl-rsa-pss-sha224.pem diff --git a/yass/third_party/mbedtls/tests/data_files/crl-rsa-pss-sha256.pem b/yass/third_party/mbedtls/framework/data_files/crl-rsa-pss-sha256.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/crl-rsa-pss-sha256.pem rename to yass/third_party/mbedtls/framework/data_files/crl-rsa-pss-sha256.pem diff --git a/yass/third_party/mbedtls/tests/data_files/crl-rsa-pss-sha384.pem b/yass/third_party/mbedtls/framework/data_files/crl-rsa-pss-sha384.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/crl-rsa-pss-sha384.pem rename to yass/third_party/mbedtls/framework/data_files/crl-rsa-pss-sha384.pem diff --git a/yass/third_party/mbedtls/tests/data_files/crl-rsa-pss-sha512.pem b/yass/third_party/mbedtls/framework/data_files/crl-rsa-pss-sha512.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/crl-rsa-pss-sha512.pem rename to yass/third_party/mbedtls/framework/data_files/crl-rsa-pss-sha512.pem diff --git a/yass/third_party/mbedtls/tests/data_files/crl.pem b/yass/third_party/mbedtls/framework/data_files/crl.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/crl.pem rename to yass/third_party/mbedtls/framework/data_files/crl.pem diff --git a/yass/third_party/mbedtls/tests/data_files/crl_cat_ec-rsa.pem b/yass/third_party/mbedtls/framework/data_files/crl_cat_ec-rsa.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/crl_cat_ec-rsa.pem rename to yass/third_party/mbedtls/framework/data_files/crl_cat_ec-rsa.pem diff --git a/yass/third_party/mbedtls/tests/data_files/crl_cat_ecfut-rsa.pem b/yass/third_party/mbedtls/framework/data_files/crl_cat_ecfut-rsa.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/crl_cat_ecfut-rsa.pem rename to yass/third_party/mbedtls/framework/data_files/crl_cat_ecfut-rsa.pem diff --git a/yass/third_party/mbedtls/tests/data_files/crl_cat_rsa-ec.pem b/yass/third_party/mbedtls/framework/data_files/crl_cat_rsa-ec.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/crl_cat_rsa-ec.pem rename to yass/third_party/mbedtls/framework/data_files/crl_cat_rsa-ec.pem diff --git a/yass/third_party/mbedtls/tests/data_files/crl_cat_rsabadpem-ec.pem b/yass/third_party/mbedtls/framework/data_files/crl_cat_rsabadpem-ec.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/crl_cat_rsabadpem-ec.pem rename to yass/third_party/mbedtls/framework/data_files/crl_cat_rsabadpem-ec.pem diff --git a/yass/third_party/mbedtls/tests/data_files/crl_expired.pem b/yass/third_party/mbedtls/framework/data_files/crl_expired.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/crl_expired.pem rename to yass/third_party/mbedtls/framework/data_files/crl_expired.pem diff --git a/yass/third_party/mbedtls/tests/data_files/crl_sha256.pem b/yass/third_party/mbedtls/framework/data_files/crl_sha256.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/crl_sha256.pem rename to yass/third_party/mbedtls/framework/data_files/crl_sha256.pem diff --git a/yass/third_party/mbedtls/tests/data_files/crt_cat_rsaexp-ec.pem b/yass/third_party/mbedtls/framework/data_files/crt_cat_rsaexp-ec.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/crt_cat_rsaexp-ec.pem rename to yass/third_party/mbedtls/framework/data_files/crt_cat_rsaexp-ec.pem diff --git a/yass/third_party/mbedtls/tests/data_files/dh.1000.pem b/yass/third_party/mbedtls/framework/data_files/dh.1000.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dh.1000.pem rename to yass/third_party/mbedtls/framework/data_files/dh.1000.pem diff --git a/yass/third_party/mbedtls/tests/data_files/dh.998.pem b/yass/third_party/mbedtls/framework/data_files/dh.998.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dh.998.pem rename to yass/third_party/mbedtls/framework/data_files/dh.998.pem diff --git a/yass/third_party/mbedtls/tests/data_files/dh.999.pem b/yass/third_party/mbedtls/framework/data_files/dh.999.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dh.999.pem rename to yass/third_party/mbedtls/framework/data_files/dh.999.pem diff --git a/yass/third_party/mbedtls/tests/data_files/dh.optlen.der b/yass/third_party/mbedtls/framework/data_files/dh.optlen.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dh.optlen.der rename to yass/third_party/mbedtls/framework/data_files/dh.optlen.der diff --git a/yass/third_party/mbedtls/tests/data_files/dh.optlen.pem b/yass/third_party/mbedtls/framework/data_files/dh.optlen.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dh.optlen.pem rename to yass/third_party/mbedtls/framework/data_files/dh.optlen.pem diff --git a/yass/third_party/mbedtls/tests/data_files/dhparams.pem b/yass/third_party/mbedtls/framework/data_files/dhparams.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dhparams.pem rename to yass/third_party/mbedtls/framework/data_files/dhparams.pem diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/00.crt b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/00.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/00.crt rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/00.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/00.key b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/00.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/00.key rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/00.key diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/01.crt b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/01.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/01.crt rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/01.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/01.key b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/01.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/01.key rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/01.key diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/02.crt b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/02.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/02.crt rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/02.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/02.key b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/02.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/02.key rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/02.key diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/03.crt b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/03.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/03.crt rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/03.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/03.key b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/03.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/03.key rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/03.key diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/04.crt b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/04.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/04.crt rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/04.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/04.key b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/04.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/04.key rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/04.key diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/05.crt b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/05.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/05.crt rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/05.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/05.key b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/05.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/05.key rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/05.key diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/06.crt b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/06.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/06.crt rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/06.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/06.key b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/06.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/06.key rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/06.key diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/07.crt b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/07.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/07.crt rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/07.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/07.key b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/07.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/07.key rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/07.key diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/08.crt b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/08.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/08.crt rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/08.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/08.key b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/08.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/08.key rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/08.key diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/09.crt b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/09.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/09.crt rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/09.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/09.key b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/09.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/09.key rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/09.key diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/10.crt b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/10.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/10.crt rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/10.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/10.key b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/10.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/10.key rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/10.key diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/11.crt b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/11.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/11.crt rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/11.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/11.key b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/11.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/11.key rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/11.key diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/12.crt b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/12.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/12.crt rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/12.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/12.key b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/12.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/12.key rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/12.key diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/13.crt b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/13.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/13.crt rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/13.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/13.key b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/13.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/13.key rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/13.key diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/14.crt b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/14.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/14.crt rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/14.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/14.key b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/14.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/14.key rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/14.key diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/15.crt b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/15.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/15.crt rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/15.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/15.key b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/15.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/15.key rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/15.key diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/16.crt b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/16.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/16.crt rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/16.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/16.key b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/16.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/16.key rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/16.key diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/17.crt b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/17.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/17.crt rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/17.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/17.key b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/17.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/17.key rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/17.key diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/18.crt b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/18.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/18.crt rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/18.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/18.key b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/18.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/18.key rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/18.key diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/19.crt b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/19.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/19.crt rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/19.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/19.key b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/19.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/19.key rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/19.key diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/20.crt b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/20.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/20.crt rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/20.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/20.key b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/20.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/20.key rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/20.key diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/Readme.txt b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/Readme.txt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/Readme.txt rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/Readme.txt diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/c00.pem b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/c00.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/c00.pem rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/c00.pem diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/c01.pem b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/c01.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/c01.pem rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/c01.pem diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/c02.pem b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/c02.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/c02.pem rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/c02.pem diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/c03.pem b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/c03.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/c03.pem rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/c03.pem diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/c04.pem b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/c04.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/c04.pem rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/c04.pem diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/c05.pem b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/c05.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/c05.pem rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/c05.pem diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/c06.pem b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/c06.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/c06.pem rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/c06.pem diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/c07.pem b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/c07.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/c07.pem rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/c07.pem diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/c08.pem b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/c08.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/c08.pem rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/c08.pem diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/c09.pem b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/c09.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/c09.pem rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/c09.pem diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/c10.pem b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/c10.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/c10.pem rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/c10.pem diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/c11.pem b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/c11.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/c11.pem rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/c11.pem diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/c12.pem b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/c12.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/c12.pem rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/c12.pem diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/c13.pem b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/c13.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/c13.pem rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/c13.pem diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/c14.pem b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/c14.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/c14.pem rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/c14.pem diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/c15.pem b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/c15.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/c15.pem rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/c15.pem diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/c16.pem b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/c16.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/c16.pem rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/c16.pem diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/c17.pem b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/c17.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/c17.pem rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/c17.pem diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/c18.pem b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/c18.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/c18.pem rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/c18.pem diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/c19.pem b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/c19.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/c19.pem rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/c19.pem diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/c20.pem b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/c20.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/c20.pem rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/c20.pem diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/int.opensslconf b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/int.opensslconf similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/int.opensslconf rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/int.opensslconf diff --git a/yass/third_party/mbedtls/tests/data_files/dir-maxpath/long.sh b/yass/third_party/mbedtls/framework/data_files/dir-maxpath/long.sh similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir-maxpath/long.sh rename to yass/third_party/mbedtls/framework/data_files/dir-maxpath/long.sh diff --git a/yass/third_party/mbedtls/tests/data_files/dir1/test-ca.crt b/yass/third_party/mbedtls/framework/data_files/dir1/test-ca.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir1/test-ca.crt rename to yass/third_party/mbedtls/framework/data_files/dir1/test-ca.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir2/test-ca.crt b/yass/third_party/mbedtls/framework/data_files/dir2/test-ca.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir2/test-ca.crt rename to yass/third_party/mbedtls/framework/data_files/dir2/test-ca.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir2/test-ca2.crt b/yass/third_party/mbedtls/framework/data_files/dir2/test-ca2.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir2/test-ca2.crt rename to yass/third_party/mbedtls/framework/data_files/dir2/test-ca2.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir3/Readme b/yass/third_party/mbedtls/framework/data_files/dir3/Readme similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir3/Readme rename to yass/third_party/mbedtls/framework/data_files/dir3/Readme diff --git a/yass/third_party/mbedtls/tests/data_files/dir3/test-ca.crt b/yass/third_party/mbedtls/framework/data_files/dir3/test-ca.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir3/test-ca.crt rename to yass/third_party/mbedtls/framework/data_files/dir3/test-ca.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir3/test-ca2.crt b/yass/third_party/mbedtls/framework/data_files/dir3/test-ca2.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir3/test-ca2.crt rename to yass/third_party/mbedtls/framework/data_files/dir3/test-ca2.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/Readme b/yass/third_party/mbedtls/framework/data_files/dir4/Readme similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/Readme rename to yass/third_party/mbedtls/framework/data_files/dir4/Readme diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert11.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert11.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert11.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert11.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert12.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert12.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert12.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert12.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert13.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert13.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert13.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert13.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert14.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert14.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert14.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert14.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert21.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert21.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert21.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert21.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert22.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert22.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert22.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert22.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert23.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert23.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert23.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert23.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert31.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert31.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert31.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert31.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert32.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert32.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert32.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert32.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert33.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert33.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert33.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert33.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert34.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert34.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert34.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert34.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert41.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert41.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert41.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert41.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert42.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert42.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert42.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert42.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert43.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert43.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert43.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert43.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert44.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert44.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert44.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert44.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert45.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert45.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert45.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert45.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert51.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert51.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert51.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert51.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert52.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert52.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert52.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert52.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert53.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert53.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert53.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert53.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert54.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert54.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert54.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert54.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert61.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert61.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert61.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert61.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert62.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert62.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert62.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert62.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert63.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert63.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert63.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert63.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert71.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert71.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert71.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert71.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert72.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert72.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert72.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert72.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert73.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert73.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert73.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert73.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert74.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert74.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert74.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert74.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert81.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert81.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert81.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert81.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert82.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert82.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert82.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert82.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert83.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert83.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert83.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert83.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert91.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert91.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert91.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert91.crt diff --git a/yass/third_party/mbedtls/tests/data_files/dir4/cert92.crt b/yass/third_party/mbedtls/framework/data_files/dir4/cert92.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/dir4/cert92.crt rename to yass/third_party/mbedtls/framework/data_files/dir4/cert92.crt diff --git a/yass/third_party/mbedtls/tests/data_files/ec_224_prv.comp.pem b/yass/third_party/mbedtls/framework/data_files/ec_224_prv.comp.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_224_prv.comp.pem rename to yass/third_party/mbedtls/framework/data_files/ec_224_prv.comp.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_224_prv.pem b/yass/third_party/mbedtls/framework/data_files/ec_224_prv.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_224_prv.pem rename to yass/third_party/mbedtls/framework/data_files/ec_224_prv.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_224_pub.comp.pem b/yass/third_party/mbedtls/framework/data_files/ec_224_pub.comp.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_224_pub.comp.pem rename to yass/third_party/mbedtls/framework/data_files/ec_224_pub.comp.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_224_pub.pem b/yass/third_party/mbedtls/framework/data_files/ec_224_pub.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_224_pub.pem rename to yass/third_party/mbedtls/framework/data_files/ec_224_pub.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_256_long_prv.der b/yass/third_party/mbedtls/framework/data_files/ec_256_long_prv.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_256_long_prv.der rename to yass/third_party/mbedtls/framework/data_files/ec_256_long_prv.der diff --git a/yass/third_party/mbedtls/tests/data_files/ec_256_long_prv.pem b/yass/third_party/mbedtls/framework/data_files/ec_256_long_prv.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_256_long_prv.pem rename to yass/third_party/mbedtls/framework/data_files/ec_256_long_prv.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_256_prv.comp.pem b/yass/third_party/mbedtls/framework/data_files/ec_256_prv.comp.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_256_prv.comp.pem rename to yass/third_party/mbedtls/framework/data_files/ec_256_prv.comp.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_256_prv.pem b/yass/third_party/mbedtls/framework/data_files/ec_256_prv.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_256_prv.pem rename to yass/third_party/mbedtls/framework/data_files/ec_256_prv.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_256_pub.comp.pem b/yass/third_party/mbedtls/framework/data_files/ec_256_pub.comp.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_256_pub.comp.pem rename to yass/third_party/mbedtls/framework/data_files/ec_256_pub.comp.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_256_pub.pem b/yass/third_party/mbedtls/framework/data_files/ec_256_pub.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_256_pub.pem rename to yass/third_party/mbedtls/framework/data_files/ec_256_pub.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_384_prv.comp.pem b/yass/third_party/mbedtls/framework/data_files/ec_384_prv.comp.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_384_prv.comp.pem rename to yass/third_party/mbedtls/framework/data_files/ec_384_prv.comp.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_384_prv.pem b/yass/third_party/mbedtls/framework/data_files/ec_384_prv.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_384_prv.pem rename to yass/third_party/mbedtls/framework/data_files/ec_384_prv.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_384_pub.comp.pem b/yass/third_party/mbedtls/framework/data_files/ec_384_pub.comp.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_384_pub.comp.pem rename to yass/third_party/mbedtls/framework/data_files/ec_384_pub.comp.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_384_pub.pem b/yass/third_party/mbedtls/framework/data_files/ec_384_pub.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_384_pub.pem rename to yass/third_party/mbedtls/framework/data_files/ec_384_pub.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_521_prv.comp.pem b/yass/third_party/mbedtls/framework/data_files/ec_521_prv.comp.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_521_prv.comp.pem rename to yass/third_party/mbedtls/framework/data_files/ec_521_prv.comp.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_521_prv.der b/yass/third_party/mbedtls/framework/data_files/ec_521_prv.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_521_prv.der rename to yass/third_party/mbedtls/framework/data_files/ec_521_prv.der diff --git a/yass/third_party/mbedtls/tests/data_files/ec_521_prv.pem b/yass/third_party/mbedtls/framework/data_files/ec_521_prv.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_521_prv.pem rename to yass/third_party/mbedtls/framework/data_files/ec_521_prv.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_521_pub.comp.pem b/yass/third_party/mbedtls/framework/data_files/ec_521_pub.comp.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_521_pub.comp.pem rename to yass/third_party/mbedtls/framework/data_files/ec_521_pub.comp.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_521_pub.der b/yass/third_party/mbedtls/framework/data_files/ec_521_pub.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_521_pub.der rename to yass/third_party/mbedtls/framework/data_files/ec_521_pub.der diff --git a/yass/third_party/mbedtls/tests/data_files/ec_521_pub.pem b/yass/third_party/mbedtls/framework/data_files/ec_521_pub.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_521_pub.pem rename to yass/third_party/mbedtls/framework/data_files/ec_521_pub.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_521_short_prv.der b/yass/third_party/mbedtls/framework/data_files/ec_521_short_prv.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_521_short_prv.der rename to yass/third_party/mbedtls/framework/data_files/ec_521_short_prv.der diff --git a/yass/third_party/mbedtls/tests/data_files/ec_521_short_prv.pem b/yass/third_party/mbedtls/framework/data_files/ec_521_short_prv.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_521_short_prv.pem rename to yass/third_party/mbedtls/framework/data_files/ec_521_short_prv.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_bp256_prv.comp.pem b/yass/third_party/mbedtls/framework/data_files/ec_bp256_prv.comp.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_bp256_prv.comp.pem rename to yass/third_party/mbedtls/framework/data_files/ec_bp256_prv.comp.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_bp256_prv.pem b/yass/third_party/mbedtls/framework/data_files/ec_bp256_prv.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_bp256_prv.pem rename to yass/third_party/mbedtls/framework/data_files/ec_bp256_prv.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_bp256_pub.comp.pem b/yass/third_party/mbedtls/framework/data_files/ec_bp256_pub.comp.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_bp256_pub.comp.pem rename to yass/third_party/mbedtls/framework/data_files/ec_bp256_pub.comp.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_bp256_pub.pem b/yass/third_party/mbedtls/framework/data_files/ec_bp256_pub.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_bp256_pub.pem rename to yass/third_party/mbedtls/framework/data_files/ec_bp256_pub.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_bp384_prv.comp.pem b/yass/third_party/mbedtls/framework/data_files/ec_bp384_prv.comp.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_bp384_prv.comp.pem rename to yass/third_party/mbedtls/framework/data_files/ec_bp384_prv.comp.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_bp384_prv.pem b/yass/third_party/mbedtls/framework/data_files/ec_bp384_prv.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_bp384_prv.pem rename to yass/third_party/mbedtls/framework/data_files/ec_bp384_prv.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_bp384_pub.comp.pem b/yass/third_party/mbedtls/framework/data_files/ec_bp384_pub.comp.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_bp384_pub.comp.pem rename to yass/third_party/mbedtls/framework/data_files/ec_bp384_pub.comp.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_bp384_pub.pem b/yass/third_party/mbedtls/framework/data_files/ec_bp384_pub.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_bp384_pub.pem rename to yass/third_party/mbedtls/framework/data_files/ec_bp384_pub.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_bp512_prv.comp.pem b/yass/third_party/mbedtls/framework/data_files/ec_bp512_prv.comp.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_bp512_prv.comp.pem rename to yass/third_party/mbedtls/framework/data_files/ec_bp512_prv.comp.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_bp512_prv.der b/yass/third_party/mbedtls/framework/data_files/ec_bp512_prv.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_bp512_prv.der rename to yass/third_party/mbedtls/framework/data_files/ec_bp512_prv.der diff --git a/yass/third_party/mbedtls/tests/data_files/ec_bp512_prv.pem b/yass/third_party/mbedtls/framework/data_files/ec_bp512_prv.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_bp512_prv.pem rename to yass/third_party/mbedtls/framework/data_files/ec_bp512_prv.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_bp512_pub.comp.pem b/yass/third_party/mbedtls/framework/data_files/ec_bp512_pub.comp.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_bp512_pub.comp.pem rename to yass/third_party/mbedtls/framework/data_files/ec_bp512_pub.comp.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_bp512_pub.der b/yass/third_party/mbedtls/framework/data_files/ec_bp512_pub.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_bp512_pub.der rename to yass/third_party/mbedtls/framework/data_files/ec_bp512_pub.der diff --git a/yass/third_party/mbedtls/tests/data_files/ec_bp512_pub.pem b/yass/third_party/mbedtls/framework/data_files/ec_bp512_pub.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_bp512_pub.pem rename to yass/third_party/mbedtls/framework/data_files/ec_bp512_pub.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_prv.pk8.der b/yass/third_party/mbedtls/framework/data_files/ec_prv.pk8.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_prv.pk8.der rename to yass/third_party/mbedtls/framework/data_files/ec_prv.pk8.der diff --git a/yass/third_party/mbedtls/tests/data_files/ec_prv.pk8.pem b/yass/third_party/mbedtls/framework/data_files/ec_prv.pk8.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_prv.pk8.pem rename to yass/third_party/mbedtls/framework/data_files/ec_prv.pk8.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_prv.pk8.pw.der b/yass/third_party/mbedtls/framework/data_files/ec_prv.pk8.pw.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_prv.pk8.pw.der rename to yass/third_party/mbedtls/framework/data_files/ec_prv.pk8.pw.der diff --git a/yass/third_party/mbedtls/tests/data_files/ec_prv.pk8.pw.pem b/yass/third_party/mbedtls/framework/data_files/ec_prv.pk8.pw.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_prv.pk8.pw.pem rename to yass/third_party/mbedtls/framework/data_files/ec_prv.pk8.pw.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_prv.pk8nopub.der b/yass/third_party/mbedtls/framework/data_files/ec_prv.pk8nopub.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_prv.pk8nopub.der rename to yass/third_party/mbedtls/framework/data_files/ec_prv.pk8nopub.der diff --git a/yass/third_party/mbedtls/tests/data_files/ec_prv.pk8nopub.pem b/yass/third_party/mbedtls/framework/data_files/ec_prv.pk8nopub.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_prv.pk8nopub.pem rename to yass/third_party/mbedtls/framework/data_files/ec_prv.pk8nopub.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_prv.pk8nopubparam.der b/yass/third_party/mbedtls/framework/data_files/ec_prv.pk8nopubparam.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_prv.pk8nopubparam.der rename to yass/third_party/mbedtls/framework/data_files/ec_prv.pk8nopubparam.der diff --git a/yass/third_party/mbedtls/tests/data_files/ec_prv.pk8nopubparam.pem b/yass/third_party/mbedtls/framework/data_files/ec_prv.pk8nopubparam.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_prv.pk8nopubparam.pem rename to yass/third_party/mbedtls/framework/data_files/ec_prv.pk8nopubparam.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_prv.pk8param.der b/yass/third_party/mbedtls/framework/data_files/ec_prv.pk8param.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_prv.pk8param.der rename to yass/third_party/mbedtls/framework/data_files/ec_prv.pk8param.der diff --git a/yass/third_party/mbedtls/tests/data_files/ec_prv.pk8param.pem b/yass/third_party/mbedtls/framework/data_files/ec_prv.pk8param.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_prv.pk8param.pem rename to yass/third_party/mbedtls/framework/data_files/ec_prv.pk8param.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_prv.sec1.comp.pem b/yass/third_party/mbedtls/framework/data_files/ec_prv.sec1.comp.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_prv.sec1.comp.pem rename to yass/third_party/mbedtls/framework/data_files/ec_prv.sec1.comp.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_prv.sec1.der b/yass/third_party/mbedtls/framework/data_files/ec_prv.sec1.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_prv.sec1.der rename to yass/third_party/mbedtls/framework/data_files/ec_prv.sec1.der diff --git a/yass/third_party/mbedtls/tests/data_files/ec_prv.sec1.pem b/yass/third_party/mbedtls/framework/data_files/ec_prv.sec1.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_prv.sec1.pem rename to yass/third_party/mbedtls/framework/data_files/ec_prv.sec1.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_prv.sec1.pw.pem b/yass/third_party/mbedtls/framework/data_files/ec_prv.sec1.pw.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_prv.sec1.pw.pem rename to yass/third_party/mbedtls/framework/data_files/ec_prv.sec1.pw.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_prv.specdom.der b/yass/third_party/mbedtls/framework/data_files/ec_prv.specdom.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_prv.specdom.der rename to yass/third_party/mbedtls/framework/data_files/ec_prv.specdom.der diff --git a/yass/third_party/mbedtls/tests/data_files/ec_pub.comp.pem b/yass/third_party/mbedtls/framework/data_files/ec_pub.comp.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_pub.comp.pem rename to yass/third_party/mbedtls/framework/data_files/ec_pub.comp.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_pub.der b/yass/third_party/mbedtls/framework/data_files/ec_pub.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_pub.der rename to yass/third_party/mbedtls/framework/data_files/ec_pub.der diff --git a/yass/third_party/mbedtls/tests/data_files/ec_pub.pem b/yass/third_party/mbedtls/framework/data_files/ec_pub.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_pub.pem rename to yass/third_party/mbedtls/framework/data_files/ec_pub.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_x25519_prv.der b/yass/third_party/mbedtls/framework/data_files/ec_x25519_prv.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_x25519_prv.der rename to yass/third_party/mbedtls/framework/data_files/ec_x25519_prv.der diff --git a/yass/third_party/mbedtls/tests/data_files/ec_x25519_prv.pem b/yass/third_party/mbedtls/framework/data_files/ec_x25519_prv.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_x25519_prv.pem rename to yass/third_party/mbedtls/framework/data_files/ec_x25519_prv.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_x25519_pub.der b/yass/third_party/mbedtls/framework/data_files/ec_x25519_pub.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_x25519_pub.der rename to yass/third_party/mbedtls/framework/data_files/ec_x25519_pub.der diff --git a/yass/third_party/mbedtls/tests/data_files/ec_x25519_pub.pem b/yass/third_party/mbedtls/framework/data_files/ec_x25519_pub.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_x25519_pub.pem rename to yass/third_party/mbedtls/framework/data_files/ec_x25519_pub.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_x448_prv.der b/yass/third_party/mbedtls/framework/data_files/ec_x448_prv.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_x448_prv.der rename to yass/third_party/mbedtls/framework/data_files/ec_x448_prv.der diff --git a/yass/third_party/mbedtls/tests/data_files/ec_x448_prv.pem b/yass/third_party/mbedtls/framework/data_files/ec_x448_prv.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_x448_prv.pem rename to yass/third_party/mbedtls/framework/data_files/ec_x448_prv.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ec_x448_pub.der b/yass/third_party/mbedtls/framework/data_files/ec_x448_pub.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_x448_pub.der rename to yass/third_party/mbedtls/framework/data_files/ec_x448_pub.der diff --git a/yass/third_party/mbedtls/tests/data_files/ec_x448_pub.pem b/yass/third_party/mbedtls/framework/data_files/ec_x448_pub.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ec_x448_pub.pem rename to yass/third_party/mbedtls/framework/data_files/ec_x448_pub.pem diff --git a/yass/third_party/mbedtls/tests/data_files/ecdsa_secp256r1.crt b/yass/third_party/mbedtls/framework/data_files/ecdsa_secp256r1.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ecdsa_secp256r1.crt rename to yass/third_party/mbedtls/framework/data_files/ecdsa_secp256r1.crt diff --git a/yass/third_party/mbedtls/tests/data_files/ecdsa_secp256r1.key b/yass/third_party/mbedtls/framework/data_files/ecdsa_secp256r1.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ecdsa_secp256r1.key rename to yass/third_party/mbedtls/framework/data_files/ecdsa_secp256r1.key diff --git a/yass/third_party/mbedtls/tests/data_files/ecdsa_secp384r1.crt b/yass/third_party/mbedtls/framework/data_files/ecdsa_secp384r1.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ecdsa_secp384r1.crt rename to yass/third_party/mbedtls/framework/data_files/ecdsa_secp384r1.crt diff --git a/yass/third_party/mbedtls/tests/data_files/ecdsa_secp384r1.key b/yass/third_party/mbedtls/framework/data_files/ecdsa_secp384r1.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ecdsa_secp384r1.key rename to yass/third_party/mbedtls/framework/data_files/ecdsa_secp384r1.key diff --git a/yass/third_party/mbedtls/tests/data_files/ecdsa_secp521r1.crt b/yass/third_party/mbedtls/framework/data_files/ecdsa_secp521r1.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ecdsa_secp521r1.crt rename to yass/third_party/mbedtls/framework/data_files/ecdsa_secp521r1.crt diff --git a/yass/third_party/mbedtls/tests/data_files/ecdsa_secp521r1.key b/yass/third_party/mbedtls/framework/data_files/ecdsa_secp521r1.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/ecdsa_secp521r1.key rename to yass/third_party/mbedtls/framework/data_files/ecdsa_secp521r1.key diff --git a/yass/third_party/mbedtls/tests/data_files/enco-ca-prstr.pem b/yass/third_party/mbedtls/framework/data_files/enco-ca-prstr.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/enco-ca-prstr.pem rename to yass/third_party/mbedtls/framework/data_files/enco-ca-prstr.pem diff --git a/yass/third_party/mbedtls/tests/data_files/enco-cert-utf8str.pem b/yass/third_party/mbedtls/framework/data_files/enco-cert-utf8str.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/enco-cert-utf8str.pem rename to yass/third_party/mbedtls/framework/data_files/enco-cert-utf8str.pem diff --git a/yass/third_party/mbedtls/tests/data_files/format_gen.key b/yass/third_party/mbedtls/framework/data_files/format_gen.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/format_gen.key rename to yass/third_party/mbedtls/framework/data_files/format_gen.key diff --git a/yass/third_party/mbedtls/tests/data_files/format_gen.pub b/yass/third_party/mbedtls/framework/data_files/format_gen.pub similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/format_gen.pub rename to yass/third_party/mbedtls/framework/data_files/format_gen.pub diff --git a/yass/third_party/mbedtls/tests/data_files/format_pkcs12.fmt b/yass/third_party/mbedtls/framework/data_files/format_pkcs12.fmt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/format_pkcs12.fmt rename to yass/third_party/mbedtls/framework/data_files/format_pkcs12.fmt diff --git a/yass/third_party/mbedtls/tests/data_files/format_rsa.key b/yass/third_party/mbedtls/framework/data_files/format_rsa.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/format_rsa.key rename to yass/third_party/mbedtls/framework/data_files/format_rsa.key diff --git a/yass/third_party/mbedtls/tests/data_files/hash_file_1 b/yass/third_party/mbedtls/framework/data_files/hash_file_1 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/hash_file_1 rename to yass/third_party/mbedtls/framework/data_files/hash_file_1 diff --git a/yass/third_party/mbedtls/tests/data_files/hash_file_2 b/yass/third_party/mbedtls/framework/data_files/hash_file_2 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/hash_file_2 rename to yass/third_party/mbedtls/framework/data_files/hash_file_2 diff --git a/yass/third_party/mbedtls/tests/data_files/hash_file_3 b/yass/third_party/mbedtls/framework/data_files/hash_file_3 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/hash_file_3 rename to yass/third_party/mbedtls/framework/data_files/hash_file_3 diff --git a/yass/third_party/mbedtls/tests/data_files/hash_file_4 b/yass/third_party/mbedtls/framework/data_files/hash_file_4 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/hash_file_4 rename to yass/third_party/mbedtls/framework/data_files/hash_file_4 diff --git a/yass/third_party/mbedtls/tests/data_files/hash_file_5 b/yass/third_party/mbedtls/framework/data_files/hash_file_5 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/hash_file_5 rename to yass/third_party/mbedtls/framework/data_files/hash_file_5 diff --git a/yass/third_party/mbedtls/tests/data_files/keyUsage.decipherOnly.crt b/yass/third_party/mbedtls/framework/data_files/keyUsage.decipherOnly.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/keyUsage.decipherOnly.crt rename to yass/third_party/mbedtls/framework/data_files/keyUsage.decipherOnly.crt diff --git a/yass/third_party/mbedtls/tests/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux b/yass/third_party/mbedtls/framework/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux rename to yass/third_party/mbedtls/framework/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux diff --git a/yass/third_party/mbedtls/tests/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv b/yass/third_party/mbedtls/framework/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv rename to yass/third_party/mbedtls/framework/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv diff --git a/yass/third_party/mbedtls/tests/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_pub b/yass/third_party/mbedtls/framework/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_pub similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_pub rename to yass/third_party/mbedtls/framework/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_pub diff --git a/yass/third_party/mbedtls/tests/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv b/yass/third_party/mbedtls/framework/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv rename to yass/third_party/mbedtls/framework/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv diff --git a/yass/third_party/mbedtls/tests/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv b/yass/third_party/mbedtls/framework/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv rename to yass/third_party/mbedtls/framework/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv diff --git a/yass/third_party/mbedtls/tests/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_pub b/yass/third_party/mbedtls/framework/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_pub similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_pub rename to yass/third_party/mbedtls/framework/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_pub diff --git a/yass/third_party/mbedtls/tests/data_files/mpi_16 b/yass/third_party/mbedtls/framework/data_files/mpi_16 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/mpi_16 rename to yass/third_party/mbedtls/framework/data_files/mpi_16 diff --git a/yass/third_party/mbedtls/tests/data_files/mpi_too_big b/yass/third_party/mbedtls/framework/data_files/mpi_too_big similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/mpi_too_big rename to yass/third_party/mbedtls/framework/data_files/mpi_too_big diff --git a/yass/third_party/mbedtls/tests/data_files/opensslcnf/server9.crt.v3_ext b/yass/third_party/mbedtls/framework/data_files/opensslcnf/server9.crt.v3_ext similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/opensslcnf/server9.crt.v3_ext rename to yass/third_party/mbedtls/framework/data_files/opensslcnf/server9.crt.v3_ext diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/bitstring-in-dn.pem b/yass/third_party/mbedtls/framework/data_files/parse_input/bitstring-in-dn.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/bitstring-in-dn.pem rename to yass/third_party/mbedtls/framework/data_files/parse_input/bitstring-in-dn.pem diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/cert_example_multi.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/cert_example_multi.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/cert_example_multi.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/cert_example_multi.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/cert_example_multi_nocn.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/cert_example_multi_nocn.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/cert_example_multi_nocn.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/cert_example_multi_nocn.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/cert_md5.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/cert_md5.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/cert_md5.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/cert_md5.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/cert_sha1.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/cert_sha1.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/cert_sha1.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/cert_sha1.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/cert_sha224.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/cert_sha224.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/cert_sha224.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/cert_sha224.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/cert_sha256.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/cert_sha256.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/cert_sha256.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/cert_sha256.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/cert_sha384.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/cert_sha384.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/cert_sha384.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/cert_sha384.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/cert_sha512.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/cert_sha512.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/cert_sha512.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/cert_sha512.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/cli-rsa-sha256-badalg.crt.der b/yass/third_party/mbedtls/framework/data_files/parse_input/cli-rsa-sha256-badalg.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/cli-rsa-sha256-badalg.crt.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/cli-rsa-sha256-badalg.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/crl-ec-sha1.pem b/yass/third_party/mbedtls/framework/data_files/parse_input/crl-ec-sha1.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/crl-ec-sha1.pem rename to yass/third_party/mbedtls/framework/data_files/parse_input/crl-ec-sha1.pem diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/crl-ec-sha224.pem b/yass/third_party/mbedtls/framework/data_files/parse_input/crl-ec-sha224.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/crl-ec-sha224.pem rename to yass/third_party/mbedtls/framework/data_files/parse_input/crl-ec-sha224.pem diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/crl-ec-sha256.pem b/yass/third_party/mbedtls/framework/data_files/parse_input/crl-ec-sha256.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/crl-ec-sha256.pem rename to yass/third_party/mbedtls/framework/data_files/parse_input/crl-ec-sha256.pem diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/crl-ec-sha384.pem b/yass/third_party/mbedtls/framework/data_files/parse_input/crl-ec-sha384.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/crl-ec-sha384.pem rename to yass/third_party/mbedtls/framework/data_files/parse_input/crl-ec-sha384.pem diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/crl-ec-sha512.pem b/yass/third_party/mbedtls/framework/data_files/parse_input/crl-ec-sha512.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/crl-ec-sha512.pem rename to yass/third_party/mbedtls/framework/data_files/parse_input/crl-ec-sha512.pem diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/crl-idp.pem b/yass/third_party/mbedtls/framework/data_files/parse_input/crl-idp.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/crl-idp.pem rename to yass/third_party/mbedtls/framework/data_files/parse_input/crl-idp.pem diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/crl-idpnc.pem b/yass/third_party/mbedtls/framework/data_files/parse_input/crl-idpnc.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/crl-idpnc.pem rename to yass/third_party/mbedtls/framework/data_files/parse_input/crl-idpnc.pem diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/crl-malformed-trailing-spaces.pem b/yass/third_party/mbedtls/framework/data_files/parse_input/crl-malformed-trailing-spaces.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/crl-malformed-trailing-spaces.pem rename to yass/third_party/mbedtls/framework/data_files/parse_input/crl-malformed-trailing-spaces.pem diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/crl-rsa-pss-sha1.pem b/yass/third_party/mbedtls/framework/data_files/parse_input/crl-rsa-pss-sha1.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/crl-rsa-pss-sha1.pem rename to yass/third_party/mbedtls/framework/data_files/parse_input/crl-rsa-pss-sha1.pem diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/crl-rsa-pss-sha224.pem b/yass/third_party/mbedtls/framework/data_files/parse_input/crl-rsa-pss-sha224.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/crl-rsa-pss-sha224.pem rename to yass/third_party/mbedtls/framework/data_files/parse_input/crl-rsa-pss-sha224.pem diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/crl-rsa-pss-sha256.pem b/yass/third_party/mbedtls/framework/data_files/parse_input/crl-rsa-pss-sha256.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/crl-rsa-pss-sha256.pem rename to yass/third_party/mbedtls/framework/data_files/parse_input/crl-rsa-pss-sha256.pem diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/crl-rsa-pss-sha384.pem b/yass/third_party/mbedtls/framework/data_files/parse_input/crl-rsa-pss-sha384.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/crl-rsa-pss-sha384.pem rename to yass/third_party/mbedtls/framework/data_files/parse_input/crl-rsa-pss-sha384.pem diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/crl-rsa-pss-sha512.pem b/yass/third_party/mbedtls/framework/data_files/parse_input/crl-rsa-pss-sha512.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/crl-rsa-pss-sha512.pem rename to yass/third_party/mbedtls/framework/data_files/parse_input/crl-rsa-pss-sha512.pem diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/crl_expired.pem b/yass/third_party/mbedtls/framework/data_files/parse_input/crl_expired.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/crl_expired.pem rename to yass/third_party/mbedtls/framework/data_files/parse_input/crl_expired.pem diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/crl_md5.pem b/yass/third_party/mbedtls/framework/data_files/parse_input/crl_md5.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/crl_md5.pem rename to yass/third_party/mbedtls/framework/data_files/parse_input/crl_md5.pem diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/crl_sha1.pem b/yass/third_party/mbedtls/framework/data_files/parse_input/crl_sha1.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/crl_sha1.pem rename to yass/third_party/mbedtls/framework/data_files/parse_input/crl_sha1.pem diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/crl_sha224.pem b/yass/third_party/mbedtls/framework/data_files/parse_input/crl_sha224.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/crl_sha224.pem rename to yass/third_party/mbedtls/framework/data_files/parse_input/crl_sha224.pem diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/crl_sha256.pem b/yass/third_party/mbedtls/framework/data_files/parse_input/crl_sha256.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/crl_sha256.pem rename to yass/third_party/mbedtls/framework/data_files/parse_input/crl_sha256.pem diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/crl_sha384.pem b/yass/third_party/mbedtls/framework/data_files/parse_input/crl_sha384.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/crl_sha384.pem rename to yass/third_party/mbedtls/framework/data_files/parse_input/crl_sha384.pem diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/crl_sha512.pem b/yass/third_party/mbedtls/framework/data_files/parse_input/crl_sha512.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/crl_sha512.pem rename to yass/third_party/mbedtls/framework/data_files/parse_input/crl_sha512.pem diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/keyUsage.decipherOnly.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/keyUsage.decipherOnly.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/keyUsage.decipherOnly.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/keyUsage.decipherOnly.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/multiple_san.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/multiple_san.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/multiple_san.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/multiple_san.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/non-ascii-string-in-issuer.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/non-ascii-string-in-issuer.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/non-ascii-string-in-issuer.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/non-ascii-string-in-issuer.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/rsa_multiple_san_uri.crt.der b/yass/third_party/mbedtls/framework/data_files/parse_input/rsa_multiple_san_uri.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/rsa_multiple_san_uri.crt.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/rsa_multiple_san_uri.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/rsa_single_san_uri.crt.der b/yass/third_party/mbedtls/framework/data_files/parse_input/rsa_single_san_uri.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/rsa_single_san_uri.crt.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/rsa_single_san_uri.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server1-ms.req.sha256 b/yass/third_party/mbedtls/framework/data_files/parse_input/server1-ms.req.sha256 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server1-ms.req.sha256 rename to yass/third_party/mbedtls/framework/data_files/parse_input/server1-ms.req.sha256 diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server1.cert_type.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/server1.cert_type.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server1.cert_type.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/server1.cert_type.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server1.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/server1.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server1.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/server1.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server1.crt.der b/yass/third_party/mbedtls/framework/data_files/parse_input/server1.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server1.crt.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/server1.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server1.ext_ku.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/server1.ext_ku.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server1.ext_ku.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/server1.ext_ku.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server1.key_usage.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/server1.key_usage.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server1.key_usage.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/server1.key_usage.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server1.req.commas.sha256 b/yass/third_party/mbedtls/framework/data_files/parse_input/server1.req.commas.sha256 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server1.req.commas.sha256 rename to yass/third_party/mbedtls/framework/data_files/parse_input/server1.req.commas.sha256 diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server1.req.md5 b/yass/third_party/mbedtls/framework/data_files/parse_input/server1.req.md5 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server1.req.md5 rename to yass/third_party/mbedtls/framework/data_files/parse_input/server1.req.md5 diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server1.req.sha1 b/yass/third_party/mbedtls/framework/data_files/parse_input/server1.req.sha1 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server1.req.sha1 rename to yass/third_party/mbedtls/framework/data_files/parse_input/server1.req.sha1 diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server1.req.sha224 b/yass/third_party/mbedtls/framework/data_files/parse_input/server1.req.sha224 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server1.req.sha224 rename to yass/third_party/mbedtls/framework/data_files/parse_input/server1.req.sha224 diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server1.req.sha256 b/yass/third_party/mbedtls/framework/data_files/parse_input/server1.req.sha256 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server1.req.sha256 rename to yass/third_party/mbedtls/framework/data_files/parse_input/server1.req.sha256 diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server1.req.sha384 b/yass/third_party/mbedtls/framework/data_files/parse_input/server1.req.sha384 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server1.req.sha384 rename to yass/third_party/mbedtls/framework/data_files/parse_input/server1.req.sha384 diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server1.req.sha512 b/yass/third_party/mbedtls/framework/data_files/parse_input/server1.req.sha512 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server1.req.sha512 rename to yass/third_party/mbedtls/framework/data_files/parse_input/server1.req.sha512 diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server1_pathlen_int_max-1.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/server1_pathlen_int_max-1.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server1_pathlen_int_max-1.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/server1_pathlen_int_max-1.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server1_pathlen_int_max.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/server1_pathlen_int_max.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server1_pathlen_int_max.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/server1_pathlen_int_max.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server2.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/server2.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server2.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/server2.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server2.crt.der b/yass/third_party/mbedtls/framework/data_files/parse_input/server2.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server2.crt.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/server2.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server3.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/server3.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server3.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/server3.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server4.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/server4.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server4.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/server4.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server5-directoryname-seq-malformed.crt.der b/yass/third_party/mbedtls/framework/data_files/parse_input/server5-directoryname-seq-malformed.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server5-directoryname-seq-malformed.crt.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/server5-directoryname-seq-malformed.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server5-directoryname.crt.der b/yass/third_party/mbedtls/framework/data_files/parse_input/server5-directoryname.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server5-directoryname.crt.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/server5-directoryname.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server5-fan.crt.der b/yass/third_party/mbedtls/framework/data_files/parse_input/server5-fan.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server5-fan.crt.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/server5-fan.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server5-non-compliant.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/server5-non-compliant.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server5-non-compliant.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/server5-non-compliant.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server5-nonprintable_othername.crt.der b/yass/third_party/mbedtls/framework/data_files/parse_input/server5-nonprintable_othername.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server5-nonprintable_othername.crt.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/server5-nonprintable_othername.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server5-othername.crt.der b/yass/third_party/mbedtls/framework/data_files/parse_input/server5-othername.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server5-othername.crt.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/server5-othername.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server5-second-directoryname-oid-malformed.crt.der b/yass/third_party/mbedtls/framework/data_files/parse_input/server5-second-directoryname-oid-malformed.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server5-second-directoryname-oid-malformed.crt.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/server5-second-directoryname-oid-malformed.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server5-sha1.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/server5-sha1.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server5-sha1.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/server5-sha1.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server5-sha224.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/server5-sha224.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server5-sha224.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/server5-sha224.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server5-sha384.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/server5-sha384.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server5-sha384.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/server5-sha384.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server5-sha512.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/server5-sha512.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server5-sha512.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/server5-sha512.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server5-two-directorynames.crt.der b/yass/third_party/mbedtls/framework/data_files/parse_input/server5-two-directorynames.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server5-two-directorynames.crt.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/server5-two-directorynames.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server5-unsupported_othername.crt.der b/yass/third_party/mbedtls/framework/data_files/parse_input/server5-unsupported_othername.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server5-unsupported_othername.crt.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/server5-unsupported_othername.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server5.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/server5.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server5.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/server5.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server5.req.sha1 b/yass/third_party/mbedtls/framework/data_files/parse_input/server5.req.sha1 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server5.req.sha1 rename to yass/third_party/mbedtls/framework/data_files/parse_input/server5.req.sha1 diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server5.req.sha224 b/yass/third_party/mbedtls/framework/data_files/parse_input/server5.req.sha224 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server5.req.sha224 rename to yass/third_party/mbedtls/framework/data_files/parse_input/server5.req.sha224 diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server5.req.sha256 b/yass/third_party/mbedtls/framework/data_files/parse_input/server5.req.sha256 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server5.req.sha256 rename to yass/third_party/mbedtls/framework/data_files/parse_input/server5.req.sha256 diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server5.req.sha384 b/yass/third_party/mbedtls/framework/data_files/parse_input/server5.req.sha384 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server5.req.sha384 rename to yass/third_party/mbedtls/framework/data_files/parse_input/server5.req.sha384 diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server5.req.sha512 b/yass/third_party/mbedtls/framework/data_files/parse_input/server5.req.sha512 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server5.req.sha512 rename to yass/third_party/mbedtls/framework/data_files/parse_input/server5.req.sha512 diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server7_all_space.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/server7_all_space.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server7_all_space.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/server7_all_space.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server7_int-ca.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/server7_int-ca.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server7_int-ca.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/server7_int-ca.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server7_pem_space.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/server7_pem_space.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server7_pem_space.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/server7_pem_space.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server7_trailing_space.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/server7_trailing_space.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server7_trailing_space.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/server7_trailing_space.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server9-sha224.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/server9-sha224.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server9-sha224.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/server9-sha224.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server9-sha256.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/server9-sha256.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server9-sha256.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/server9-sha256.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server9-sha384.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/server9-sha384.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server9-sha384.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/server9-sha384.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server9-sha512.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/server9-sha512.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server9-sha512.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/server9-sha512.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server9.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/server9.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server9.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/server9.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server9.req.sha1 b/yass/third_party/mbedtls/framework/data_files/parse_input/server9.req.sha1 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server9.req.sha1 rename to yass/third_party/mbedtls/framework/data_files/parse_input/server9.req.sha1 diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server9.req.sha224 b/yass/third_party/mbedtls/framework/data_files/parse_input/server9.req.sha224 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server9.req.sha224 rename to yass/third_party/mbedtls/framework/data_files/parse_input/server9.req.sha224 diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server9.req.sha256 b/yass/third_party/mbedtls/framework/data_files/parse_input/server9.req.sha256 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server9.req.sha256 rename to yass/third_party/mbedtls/framework/data_files/parse_input/server9.req.sha256 diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server9.req.sha384 b/yass/third_party/mbedtls/framework/data_files/parse_input/server9.req.sha384 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server9.req.sha384 rename to yass/third_party/mbedtls/framework/data_files/parse_input/server9.req.sha384 diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/server9.req.sha512 b/yass/third_party/mbedtls/framework/data_files/parse_input/server9.req.sha512 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/server9.req.sha512 rename to yass/third_party/mbedtls/framework/data_files/parse_input/server9.req.sha512 diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test-ca-any_policy.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/test-ca-any_policy.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test-ca-any_policy.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/test-ca-any_policy.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test-ca-any_policy_ec.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/test-ca-any_policy_ec.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test-ca-any_policy_ec.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/test-ca-any_policy_ec.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test-ca-any_policy_with_qualifier.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/test-ca-any_policy_with_qualifier.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test-ca-any_policy_with_qualifier.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/test-ca-any_policy_with_qualifier.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test-ca-any_policy_with_qualifier_ec.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/test-ca-any_policy_with_qualifier_ec.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test-ca-any_policy_with_qualifier_ec.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/test-ca-any_policy_with_qualifier_ec.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test-ca-multi_policy.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/test-ca-multi_policy.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test-ca-multi_policy.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/test-ca-multi_policy.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test-ca-multi_policy_ec.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/test-ca-multi_policy_ec.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test-ca-multi_policy_ec.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/test-ca-multi_policy_ec.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test-ca-unsupported_policy.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/test-ca-unsupported_policy.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test-ca-unsupported_policy.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/test-ca-unsupported_policy.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test-ca-unsupported_policy_ec.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/test-ca-unsupported_policy_ec.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test-ca-unsupported_policy_ec.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/test-ca-unsupported_policy_ec.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test-ca.crt b/yass/third_party/mbedtls/framework/data_files/parse_input/test-ca.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test-ca.crt rename to yass/third_party/mbedtls/framework/data_files/parse_input/test-ca.crt diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test-ca.crt.der b/yass/third_party/mbedtls/framework/data_files/parse_input/test-ca.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test-ca.crt.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/test-ca.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test_cert_rfc822name.crt.der b/yass/third_party/mbedtls/framework/data_files/parse_input/test_cert_rfc822name.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test_cert_rfc822name.crt.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/test_cert_rfc822name.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all.csr.der b/yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all.csr.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all.csr.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all.csr.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request.csr.der b/yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request.csr.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request.csr.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request.csr.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der b/yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der b/yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der b/yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der b/yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_id_tag.csr.der b/yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_id_tag.csr.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_id_tag.csr.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_id_tag.csr.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_len1.csr.der b/yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_len1.csr.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_len1.csr.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_len1.csr.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_len2.csr.der b/yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_len2.csr.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_len2.csr.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_len2.csr.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_sequence_tag.csr.der b/yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_sequence_tag.csr.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_attributes_sequence_tag.csr.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_sequence_tag.csr.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_duplicated_extension.csr.der b/yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_duplicated_extension.csr.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_duplicated_extension.csr.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_duplicated_extension.csr.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_data_len1.csr.der b/yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_extension_data_len1.csr.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_data_len1.csr.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_extension_data_len1.csr.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_data_len2.csr.der b/yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_extension_data_len2.csr.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_data_len2.csr.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_extension_data_len2.csr.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_data_tag.csr.der b/yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_extension_data_tag.csr.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_data_tag.csr.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_extension_data_tag.csr.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_id_tag.csr.der b/yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_extension_id_tag.csr.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_id_tag.csr.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_extension_id_tag.csr.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der b/yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der b/yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der b/yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_type_oid.csr.der b/yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_extension_type_oid.csr.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_extension_type_oid.csr.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_extension_type_oid.csr.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_extensions_sequence_tag.csr.der b/yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_extensions_sequence_tag.csr.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_all_malformed_extensions_sequence_tag.csr.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_all_malformed_extensions_sequence_tag.csr.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_keyUsage.csr.der b/yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_keyUsage.csr.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_keyUsage.csr.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_keyUsage.csr.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_nsCertType.csr.der b/yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_nsCertType.csr.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_nsCertType.csr.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_nsCertType.csr.der diff --git a/yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_subjectAltName.csr.der b/yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_subjectAltName.csr.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/parse_input/test_csr_v3_subjectAltName.csr.der rename to yass/third_party/mbedtls/framework/data_files/parse_input/test_csr_v3_subjectAltName.csr.der diff --git a/yass/third_party/mbedtls/tests/data_files/passwd.psk b/yass/third_party/mbedtls/framework/data_files/passwd.psk similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/passwd.psk rename to yass/third_party/mbedtls/framework/data_files/passwd.psk diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-expired.crt b/yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-expired.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-expired.crt rename to yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-expired.crt diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-expired.der b/yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-expired.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-expired.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-expired.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-expired.key b/yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-expired.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-expired.key rename to yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-expired.key diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-sha256-1.crt b/yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-sha256-1.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-sha256-1.crt rename to yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-sha256-1.crt diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-sha256-1.der b/yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-sha256-1.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-sha256-1.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-sha256-1.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-sha256-1.key b/yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-sha256-1.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-sha256-1.key rename to yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-sha256-1.key diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-sha256-1.pem b/yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-sha256-1.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-sha256-1.pem rename to yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-sha256-1.pem diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-sha256-2.crt b/yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-sha256-2.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-sha256-2.crt rename to yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-sha256-2.crt diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-sha256-2.der b/yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-sha256-2.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-sha256-2.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-sha256-2.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-sha256-2.key b/yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-sha256-2.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-sha256-2.key rename to yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-sha256-2.key diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-sha256-2.pem b/yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-sha256-2.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-sha256-2.pem rename to yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-sha256-2.pem diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-sha256-3.crt b/yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-sha256-3.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-sha256-3.crt rename to yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-sha256-3.crt diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-sha256-3.key b/yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-sha256-3.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-sha256-3.key rename to yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-sha256-3.key diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-sha256-3.pem b/yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-sha256-3.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7-rsa-sha256-3.pem rename to yass/third_party/mbedtls/framework/data_files/pkcs7-rsa-sha256-3.pem diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_data.bin b/yass/third_party/mbedtls/framework/data_files/pkcs7_data.bin similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_data.bin rename to yass/third_party/mbedtls/framework/data_files/pkcs7_data.bin diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_data_1.bin b/yass/third_party/mbedtls/framework/data_files/pkcs7_data_1.bin similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_data_1.bin rename to yass/third_party/mbedtls/framework/data_files/pkcs7_data_1.bin diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_data_3_signed.der b/yass/third_party/mbedtls/framework/data_files/pkcs7_data_3_signed.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_data_3_signed.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7_data_3_signed.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_data_cert_encrypted.der b/yass/third_party/mbedtls/framework/data_files/pkcs7_data_cert_encrypted.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_data_cert_encrypted.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7_data_cert_encrypted.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_data_cert_signed_sha1.der b/yass/third_party/mbedtls/framework/data_files/pkcs7_data_cert_signed_sha1.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_data_cert_signed_sha1.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7_data_cert_signed_sha1.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_data_cert_signed_sha256.der b/yass/third_party/mbedtls/framework/data_files/pkcs7_data_cert_signed_sha256.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_data_cert_signed_sha256.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7_data_cert_signed_sha256.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_data_cert_signed_sha512.der b/yass/third_party/mbedtls/framework/data_files/pkcs7_data_cert_signed_sha512.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_data_cert_signed_sha512.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7_data_cert_signed_sha512.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_data_cert_signed_v2.der b/yass/third_party/mbedtls/framework/data_files/pkcs7_data_cert_signed_v2.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_data_cert_signed_v2.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7_data_cert_signed_v2.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_data_cert_signeddata_sha256.der b/yass/third_party/mbedtls/framework/data_files/pkcs7_data_cert_signeddata_sha256.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_data_cert_signeddata_sha256.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7_data_cert_signeddata_sha256.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_data_multiple_certs_signed.der b/yass/third_party/mbedtls/framework/data_files/pkcs7_data_multiple_certs_signed.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_data_multiple_certs_signed.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7_data_multiple_certs_signed.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_data_multiple_signed.der b/yass/third_party/mbedtls/framework/data_files/pkcs7_data_multiple_signed.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_data_multiple_signed.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7_data_multiple_signed.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_data_no_signers.der b/yass/third_party/mbedtls/framework/data_files/pkcs7_data_no_signers.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_data_no_signers.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7_data_no_signers.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_data_rsa_expired.der b/yass/third_party/mbedtls/framework/data_files/pkcs7_data_rsa_expired.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_data_rsa_expired.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7_data_rsa_expired.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_data_signed_badcert.der b/yass/third_party/mbedtls/framework/data_files/pkcs7_data_signed_badcert.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_data_signed_badcert.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7_data_signed_badcert.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_data_signed_badsigner.der b/yass/third_party/mbedtls/framework/data_files/pkcs7_data_signed_badsigner.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_data_signed_badsigner.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7_data_signed_badsigner.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_data_signed_badsigner1_badsize.der b/yass/third_party/mbedtls/framework/data_files/pkcs7_data_signed_badsigner1_badsize.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_data_signed_badsigner1_badsize.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7_data_signed_badsigner1_badsize.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_data_signed_badsigner1_badtag.der b/yass/third_party/mbedtls/framework/data_files/pkcs7_data_signed_badsigner1_badtag.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_data_signed_badsigner1_badtag.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7_data_signed_badsigner1_badtag.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_data_signed_badsigner1_fuzzbad.der b/yass/third_party/mbedtls/framework/data_files/pkcs7_data_signed_badsigner1_fuzzbad.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_data_signed_badsigner1_fuzzbad.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7_data_signed_badsigner1_fuzzbad.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_data_signed_badsigner2_badsize.der b/yass/third_party/mbedtls/framework/data_files/pkcs7_data_signed_badsigner2_badsize.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_data_signed_badsigner2_badsize.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7_data_signed_badsigner2_badsize.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_data_signed_badsigner2_badtag.der b/yass/third_party/mbedtls/framework/data_files/pkcs7_data_signed_badsigner2_badtag.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_data_signed_badsigner2_badtag.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7_data_signed_badsigner2_badtag.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_data_signed_badsigner2_fuzzbad.der b/yass/third_party/mbedtls/framework/data_files/pkcs7_data_signed_badsigner2_fuzzbad.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_data_signed_badsigner2_fuzzbad.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7_data_signed_badsigner2_fuzzbad.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_data_with_signature.der b/yass/third_party/mbedtls/framework/data_files/pkcs7_data_with_signature.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_data_with_signature.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7_data_with_signature.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_data_without_cert_signed.der b/yass/third_party/mbedtls/framework/data_files/pkcs7_data_without_cert_signed.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_data_without_cert_signed.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7_data_without_cert_signed.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der b/yass/third_party/mbedtls/framework/data_files/pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_signerInfo_2_invalid_tag.der b/yass/third_party/mbedtls/framework/data_files/pkcs7_signerInfo_2_invalid_tag.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_signerInfo_2_invalid_tag.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7_signerInfo_2_invalid_tag.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_signerInfo_issuer_invalid_size.der b/yass/third_party/mbedtls/framework/data_files/pkcs7_signerInfo_issuer_invalid_size.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_signerInfo_issuer_invalid_size.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7_signerInfo_issuer_invalid_size.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_signerInfo_serial_invalid_size.der b/yass/third_party/mbedtls/framework/data_files/pkcs7_signerInfo_serial_invalid_size.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_signerInfo_serial_invalid_size.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7_signerInfo_serial_invalid_size.der diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_zerolendata.bin b/yass/third_party/mbedtls/framework/data_files/pkcs7_zerolendata.bin similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_zerolendata.bin rename to yass/third_party/mbedtls/framework/data_files/pkcs7_zerolendata.bin diff --git a/yass/third_party/mbedtls/tests/data_files/pkcs7_zerolendata_detached.der b/yass/third_party/mbedtls/framework/data_files/pkcs7_zerolendata_detached.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/pkcs7_zerolendata_detached.der rename to yass/third_party/mbedtls/framework/data_files/pkcs7_zerolendata_detached.der diff --git a/yass/third_party/mbedtls/tests/data_files/print_c.pl b/yass/third_party/mbedtls/framework/data_files/print_c.pl similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/print_c.pl rename to yass/third_party/mbedtls/framework/data_files/print_c.pl diff --git a/yass/third_party/mbedtls/tests/data_files/rsa4096_prv.der b/yass/third_party/mbedtls/framework/data_files/rsa4096_prv.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa4096_prv.der rename to yass/third_party/mbedtls/framework/data_files/rsa4096_prv.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa4096_prv.pem b/yass/third_party/mbedtls/framework/data_files/rsa4096_prv.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa4096_prv.pem rename to yass/third_party/mbedtls/framework/data_files/rsa4096_prv.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa4096_pub.der b/yass/third_party/mbedtls/framework/data_files/rsa4096_pub.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa4096_pub.der rename to yass/third_party/mbedtls/framework/data_files/rsa4096_pub.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa4096_pub.pem b/yass/third_party/mbedtls/framework/data_files/rsa4096_pub.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa4096_pub.pem rename to yass/third_party/mbedtls/framework/data_files/rsa4096_pub.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa512.key b/yass/third_party/mbedtls/framework/data_files/rsa512.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa512.key rename to yass/third_party/mbedtls/framework/data_files/rsa512.key diff --git a/yass/third_party/mbedtls/tests/data_files/rsa521.key b/yass/third_party/mbedtls/framework/data_files/rsa521.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa521.key rename to yass/third_party/mbedtls/framework/data_files/rsa521.key diff --git a/yass/third_party/mbedtls/tests/data_files/rsa522.key b/yass/third_party/mbedtls/framework/data_files/rsa522.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa522.key rename to yass/third_party/mbedtls/framework/data_files/rsa522.key diff --git a/yass/third_party/mbedtls/tests/data_files/rsa528.key b/yass/third_party/mbedtls/framework/data_files/rsa528.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa528.key rename to yass/third_party/mbedtls/framework/data_files/rsa528.key diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_multiple_san_uri.key b/yass/third_party/mbedtls/framework/data_files/rsa_multiple_san_uri.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_multiple_san_uri.key rename to yass/third_party/mbedtls/framework/data_files/rsa_multiple_san_uri.key diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_1024_3des.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_1024_3des.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_1024_3des.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_1024_3des.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_1024_aes128.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_1024_aes128.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_1024_aes128.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_1024_aes128.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_1024_aes192.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_1024_aes192.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_1024_aes192.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_1024_aes192.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_1024_aes256.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_1024_aes256.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_1024_aes256.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_1024_aes256.pem diff --git a/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_1024_clear.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_1024_clear.der new file mode 100644 index 0000000000..cec2c30117 Binary files /dev/null and b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_1024_clear.der differ diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_1024_clear.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_1024_clear.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_1024_clear.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_1024_clear.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_1024_des.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_1024_des.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_1024_des.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_1024_des.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_2048_3des.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_2048_3des.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_2048_3des.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_2048_3des.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_2048_aes128.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_2048_aes128.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_2048_aes128.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_2048_aes128.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_2048_aes192.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_2048_aes192.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_2048_aes192.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_2048_aes192.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_2048_aes256.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_2048_aes256.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_2048_aes256.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_2048_aes256.pem diff --git a/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_2048_clear.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_2048_clear.der new file mode 100644 index 0000000000..667051bd80 Binary files /dev/null and b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_2048_clear.der differ diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_2048_clear.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_2048_clear.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_2048_clear.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_2048_clear.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_2048_des.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_2048_des.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_2048_des.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_2048_des.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_2048_public.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_2048_public.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_2048_public.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_2048_public.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_2048_public.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_2048_public.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_2048_public.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_2048_public.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_4096_3des.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_4096_3des.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_4096_3des.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_4096_3des.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_4096_aes128.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_4096_aes128.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_4096_aes128.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_4096_aes128.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_4096_aes192.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_4096_aes192.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_4096_aes192.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_4096_aes192.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_4096_aes256.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_4096_aes256.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_4096_aes256.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_4096_aes256.pem diff --git a/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_4096_clear.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_4096_clear.der new file mode 100644 index 0000000000..9dc971e991 Binary files /dev/null and b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_4096_clear.der differ diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_4096_clear.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_4096_clear.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_4096_clear.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_4096_clear.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_4096_des.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_4096_des.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs1_4096_des.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_4096_des.pem diff --git a/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_768_clear.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_768_clear.der new file mode 100644 index 0000000000..a80b891e49 Binary files /dev/null and b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_768_clear.der differ diff --git a/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_768_clear.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_768_clear.pem new file mode 100644 index 0000000000..33140c3c71 --- /dev/null +++ b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_768_clear.pem @@ -0,0 +1,12 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIBywIBAAJhANmJY6FPDF0oqQEJCSrTx+ezfCU8qB6NwF2SqrphhhRFCYaMiKeg +bRVB4pCxjGrDM2iuwlMy2QqJo4TST4MgMbK44fG7fHip+IhD/lJAfSsL56ZKz3T9 +tlog4VFGynJL1wIDAQABAmEAjB02Etw7dnWOBaCwSumFxPOSbtmW37clxB+H3+yY +081zyToTewSVvi9loxT5AHshHYt2P+c6ylbUUEV6ZhC3mDqYMcuQmX5pJ2MhaK4T +cCihi9eBhROPzudJ27Jx84wBAjEA9CKkG30d9+PgbUp+KnMxZuavEG4U45EDEUOG +5+MRgSnRlPz8JsiY+Q6ReeBaEZiBAjEA5BvToGaPFSkbFT1HiV4zEEDQoXrNUO/l +vAP6p7fCLh2nnaIRIwuHwxTUhG8pe3hXAjEAzKJAtj3gockjc9ht+n0F2r/f28C5 +x6nkTVMxwCsHoCGCaATKAmRAPPrmG6dfN8KBAjAcwNkzPdpJW44bZkcPLL2ZDeJ+ +iGE7E5JM2d+Npp8mevx25Uftt/VcBNMpAm4jLy8CMHCcVdhdVFydsL8DSYRnWD8x +1tn1npbAeyiMHBxyhDF9EP1me7rEHvJ4Wl61HSXQNA== +-----END RSA PRIVATE KEY----- diff --git a/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_769_clear.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_769_clear.der new file mode 100644 index 0000000000..c4bfe6c0bb Binary files /dev/null and b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_769_clear.der differ diff --git a/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_769_clear.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_769_clear.pem new file mode 100644 index 0000000000..25e12bde55 --- /dev/null +++ b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_769_clear.pem @@ -0,0 +1,12 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIBzAIBAAJhAbUzqda7ne4UGzC60NkNAXxewl/l7X5W1scvWQVKbshsSQoHcOPj +12RmuuA2sR6MzTNxBxsb52HNbrlqZYN5L07uanwM2bio5xl1SFXN2p3hzE2EHlM1 +nBq0sSXbX4Ua+QIDAQABAmEA1RgMVPx3Wp50LkkwGErtiXgKV4GTQzwCTW13f0ur +OYcGBpxf2sOnrWkg9r3RkKlg25cI5IVMb8HhHtmwqGxbmF08zu5e4Jb3zaR59lTs +uOEhVudWBtSRsid6qZug0Pt9AjEBvN2EO7Vn0xMQPphOwMR7htVzxxsADRBHmS+1 +pppCFLOpwqVDObcnl3pVw2wGd3PTAjEA+5cKqX6tfKUwNR88/urAGg+T3YsqNs4t +5t5HuGs7AsYj0xDTTvHEsIwaovCEwBKDAjBSTDiWQyz941zx94M6Lh8cBojwoJIV +2JkmQak9NPRcmBAjricNmlB8uWj8ShO4LXkCMQDj0c0c2JIeibLSl7vzFf3oW2zJ +M6iBQkh8g5GsZKVmCKgOC3FdTj6Oo//GxkdfaiMCMQGsQWYVeZ43Eqn+ZYSeX7Sz +Fol0BMyjvKXTpCznqk9+c1T86c9Cw2Rd/7NLJmPmGR4= +-----END RSA PRIVATE KEY----- diff --git a/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_770_clear.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_770_clear.der new file mode 100644 index 0000000000..89e140fdc1 Binary files /dev/null and b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_770_clear.der differ diff --git a/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_770_clear.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_770_clear.pem new file mode 100644 index 0000000000..0a707a8b7e --- /dev/null +++ b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_770_clear.pem @@ -0,0 +1,12 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIBzQIBAAJhA0tr23/I4PgNNhnJdvdVGlg2hiAKKWD7kYcXGEZgPqTyY1rVND8q +oqI7n9IJiC4A0l+N7lZceGVotMj/dPY1DTMWT01NsEJXh47lQJNdHhpJysZyodmF ++N71sstc2iynMQIDAQABAmEBGOm/nfwGEhg0YLpdSVuq/p6KZbl8trSTb+8dQrNj +qgShWuuQD0ngCTDatlY+aTQTp82hyjT7+EtGfxzofA8pWHSV1uvuJVWamKy8AtV1 +YXo5lREZyjTgdJzuKjwIx00BAjEB4XPP3C/etfJzmCcCYoK+TYjSCdYdIbVIZZTR +8xgarUBu2KzedKfcdR0H8yklRpxpAjEBwHe8tsyXpzbX8E0fe+qKGrp/hWeosThd +3LbhYN+6NVs7YUkthICJa4TZfC5qyPuJAjEBxOtjTvvFoxsL/cYs6ymeB2jAVzqT +O0PEcLOY8vzpE7V60eGGgO3taks+UFWT2KKJAjEAhCGDI2SiJe0dsDo41Xyj1f4u +xjJlXFmcJgRn4O/p4ACSPTafR5PLaTdKELFoWvDpAjEBeGO+jrDgz6aoJ7eka8JM +xAWHubm0UPsr7JILYSsxViJFWIVGwIgnJU4Ny8U5LhfS +-----END RSA PRIVATE KEY----- diff --git a/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_776_clear.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_776_clear.der new file mode 100644 index 0000000000..a311c6772b Binary files /dev/null and b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_776_clear.der differ diff --git a/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_776_clear.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_776_clear.pem new file mode 100644 index 0000000000..e62f7b195b --- /dev/null +++ b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_776_clear.pem @@ -0,0 +1,12 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIBzgIBAAJiANnXRUGM65e+JIE48z8L9fxWiIrBffeFynsFih4lhFrIliTf++Jy +R98lR8TGLO0x2Cosfb+vPcX7+bNdvqOn3q53NcYYFnih7GuNHeC/BAsI6c5H2HT3 +Rw3LCJPBk/yXhFsCAwEAAQJhP/xdWV29LbsqGdLSkChBPrdkL+2ZxITF7tC3uxcm +A0x73aT05ZTPy5m1tPTI6XsEjOHlZNkYUkqebCSAk+Jwoi8eMjqkejry7R92SBEx +vRxhSxYkFiY3M1AxUO1km9QZYQIxDz25KT5pjdnXmcXon4wjsplmKlVXRoy11Cju +kLLZLIM+wLW0nhiks0CsrNY6VTcL0wIxDksBCJ3sMRKQcUW/MLmorTHTvV5iraKr +YS5A0e37Y4i/g3VEJrzWaTr1FpKMMwD4WQIxCO9w3KNAku9CHV8P8Gnii9SvNuZt +kmjwOP/+TUrtU9FmOujMiVt9Q7IJChNWg5sQDQIxBMin1Ol+d0I+ZBszDazmPumx +c+1WW8VZVRJ1EY50mHDZoLcsE0cbAGeCRobQM/X8KQIxAbOSOWnQiL+4QuY5rQ05 +W2BL3qSET7u75RcT3ePnaZsJf5CweulDtVOVy8cq2sXQWw== +-----END RSA PRIVATE KEY----- diff --git a/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_784_clear.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_784_clear.der new file mode 100644 index 0000000000..94f3d3bcd9 Binary files /dev/null and b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_784_clear.der differ diff --git a/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_784_clear.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_784_clear.pem new file mode 100644 index 0000000000..b7b424b02b --- /dev/null +++ b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs1_784_clear.pem @@ -0,0 +1,12 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIB0wIBAAJjAL2x2bcoZLRL21gXcWsVJpjy65T7t6lsg/7loYbeZoIM1YCbgOaw +j3c2bkiToc53k1siXpXSLzdIyPCvs7Tm9q1mNHi4pMmiOU/49wXKZzEr8+iIMHXf +GVxysbIsch/1m/yTAgMBAAECYhsXm5CdJETb0Kf0MS6qBqkxiJPun3yDExcElN0+ +RkWsr5F+pBpOfS75hya2bxWd3l2WyEA3JTTkveghmsOy3UzPC/IhQLGFYOsRg6ia +yflUVObDrrdmXL0ysI2V4a0770MBAjIA3fXqP6Q8rg5WE2RddFeAGYTmfaDU9RGH +8ee4w0kITTXOr23WHEgIYuspKMB01gvg+QIyANrJMJ8VzwJdeq28KSBTCtQawLGH +mXzzsaSiD14hjEDQnVTkBEWMhtbyudm0NXjuOOsCMXj2gAbW9srUvUwsMlIpLYK6 +zvJAKE62kyPeaO7kakXJwS4R6dHX39oo1nGDESllp+ECMgDKEvcgiHEZuyNbIiZO +H8UpoMgHcLn4adDSwYg2JgA3wTb/uFalsiS8lZXImSSmXEkfAjE3y7xpVjmzp3W2 +/iNSKwBWTOLyu06KQ03gQEtvuXyEk6Nx+8siz9RHyjKnRL4HzRM9 +-----END RSA PRIVATE KEY----- diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_1024_public.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_1024_public.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_1024_public.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_1024_public.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_2048_public.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_2048_public.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_2048_public.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_2048_public.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_2048_public.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_2048_public.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_2048_public.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_2048_public.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbe_sha1_1024_2des.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbe_sha1_1024_2des.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbe_sha1_1024_2des.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbe_sha1_1024_2des.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbe_sha1_1024_2des.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbe_sha1_1024_2des.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbe_sha1_1024_2des.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbe_sha1_1024_2des.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbe_sha1_1024_3des.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbe_sha1_1024_3des.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbe_sha1_1024_3des.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbe_sha1_1024_3des.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbe_sha1_1024_3des.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbe_sha1_1024_3des.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbe_sha1_1024_3des.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbe_sha1_1024_3des.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbe_sha1_2048_2des.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbe_sha1_2048_2des.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbe_sha1_2048_2des.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbe_sha1_2048_2des.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbe_sha1_2048_2des.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbe_sha1_2048_2des.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbe_sha1_2048_2des.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbe_sha1_2048_2des.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbe_sha1_2048_3des.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbe_sha1_2048_3des.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbe_sha1_2048_3des.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbe_sha1_2048_3des.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbe_sha1_2048_3des.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbe_sha1_2048_3des.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbe_sha1_2048_3des.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbe_sha1_2048_3des.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbe_sha1_4096_2des.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbe_sha1_4096_2des.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbe_sha1_4096_2des.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbe_sha1_4096_2des.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbe_sha1_4096_3des.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbe_sha1_4096_3des.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbe_sha1_4096_3des.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbe_sha1_4096_3des.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem b/yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem rename to yass/third_party/mbedtls/framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_single_san_uri.crt.der b/yass/third_party/mbedtls/framework/data_files/rsa_single_san_uri.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_single_san_uri.crt.der rename to yass/third_party/mbedtls/framework/data_files/rsa_single_san_uri.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/rsa_single_san_uri.key b/yass/third_party/mbedtls/framework/data_files/rsa_single_san_uri.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/rsa_single_san_uri.key rename to yass/third_party/mbedtls/framework/data_files/rsa_single_san_uri.key diff --git a/yass/third_party/mbedtls/tests/data_files/server1-nospace.crt b/yass/third_party/mbedtls/framework/data_files/server1-nospace.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1-nospace.crt rename to yass/third_party/mbedtls/framework/data_files/server1-nospace.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server1-v1.crt b/yass/third_party/mbedtls/framework/data_files/server1-v1.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1-v1.crt rename to yass/third_party/mbedtls/framework/data_files/server1-v1.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server1.80serial.crt b/yass/third_party/mbedtls/framework/data_files/server1.80serial.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.80serial.crt rename to yass/third_party/mbedtls/framework/data_files/server1.80serial.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server1.allSubjectAltNames.crt b/yass/third_party/mbedtls/framework/data_files/server1.allSubjectAltNames.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.allSubjectAltNames.crt rename to yass/third_party/mbedtls/framework/data_files/server1.allSubjectAltNames.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server1.asciichars.crt b/yass/third_party/mbedtls/framework/data_files/server1.asciichars.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.asciichars.crt rename to yass/third_party/mbedtls/framework/data_files/server1.asciichars.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server1.ca.crt b/yass/third_party/mbedtls/framework/data_files/server1.ca.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.ca.crt rename to yass/third_party/mbedtls/framework/data_files/server1.ca.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server1.ca.der b/yass/third_party/mbedtls/framework/data_files/server1.ca.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.ca.der rename to yass/third_party/mbedtls/framework/data_files/server1.ca.der diff --git a/yass/third_party/mbedtls/tests/data_files/server1.ca_noauthid.crt b/yass/third_party/mbedtls/framework/data_files/server1.ca_noauthid.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.ca_noauthid.crt rename to yass/third_party/mbedtls/framework/data_files/server1.ca_noauthid.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server1.cert_type.crt b/yass/third_party/mbedtls/framework/data_files/server1.cert_type.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.cert_type.crt rename to yass/third_party/mbedtls/framework/data_files/server1.cert_type.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server1.cert_type.crt.openssl.v3_ext b/yass/third_party/mbedtls/framework/data_files/server1.cert_type.crt.openssl.v3_ext similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.cert_type.crt.openssl.v3_ext rename to yass/third_party/mbedtls/framework/data_files/server1.cert_type.crt.openssl.v3_ext diff --git a/yass/third_party/mbedtls/tests/data_files/server1.cert_type_noauthid.crt b/yass/third_party/mbedtls/framework/data_files/server1.cert_type_noauthid.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.cert_type_noauthid.crt rename to yass/third_party/mbedtls/framework/data_files/server1.cert_type_noauthid.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server1.commas.crt b/yass/third_party/mbedtls/framework/data_files/server1.commas.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.commas.crt rename to yass/third_party/mbedtls/framework/data_files/server1.commas.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server1.crt b/yass/third_party/mbedtls/framework/data_files/server1.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.crt rename to yass/third_party/mbedtls/framework/data_files/server1.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server1.crt.openssl.v3_ext b/yass/third_party/mbedtls/framework/data_files/server1.crt.openssl.v3_ext similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.crt.openssl.v3_ext rename to yass/third_party/mbedtls/framework/data_files/server1.crt.openssl.v3_ext diff --git a/yass/third_party/mbedtls/tests/data_files/server1.csr b/yass/third_party/mbedtls/framework/data_files/server1.csr similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.csr rename to yass/third_party/mbedtls/framework/data_files/server1.csr diff --git a/yass/third_party/mbedtls/tests/data_files/server1.der b/yass/third_party/mbedtls/framework/data_files/server1.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.der rename to yass/third_party/mbedtls/framework/data_files/server1.der diff --git a/yass/third_party/mbedtls/tests/data_files/server1.hashsymbol.crt b/yass/third_party/mbedtls/framework/data_files/server1.hashsymbol.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.hashsymbol.crt rename to yass/third_party/mbedtls/framework/data_files/server1.hashsymbol.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server1.key b/yass/third_party/mbedtls/framework/data_files/server1.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.key rename to yass/third_party/mbedtls/framework/data_files/server1.key diff --git a/yass/third_party/mbedtls/tests/data_files/server1.key.der b/yass/third_party/mbedtls/framework/data_files/server1.key.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.key.der rename to yass/third_party/mbedtls/framework/data_files/server1.key.der diff --git a/yass/third_party/mbedtls/tests/data_files/server1.key_ext_usage.crt b/yass/third_party/mbedtls/framework/data_files/server1.key_ext_usage.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.key_ext_usage.crt rename to yass/third_party/mbedtls/framework/data_files/server1.key_ext_usage.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server1.key_ext_usages.crt b/yass/third_party/mbedtls/framework/data_files/server1.key_ext_usages.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.key_ext_usages.crt rename to yass/third_party/mbedtls/framework/data_files/server1.key_ext_usages.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server1.key_usage.crt b/yass/third_party/mbedtls/framework/data_files/server1.key_usage.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.key_usage.crt rename to yass/third_party/mbedtls/framework/data_files/server1.key_usage.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server1.key_usage.crt.openssl.v3_ext b/yass/third_party/mbedtls/framework/data_files/server1.key_usage.crt.openssl.v3_ext similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.key_usage.crt.openssl.v3_ext rename to yass/third_party/mbedtls/framework/data_files/server1.key_usage.crt.openssl.v3_ext diff --git a/yass/third_party/mbedtls/tests/data_files/server1.key_usage_noauthid.crt b/yass/third_party/mbedtls/framework/data_files/server1.key_usage_noauthid.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.key_usage_noauthid.crt rename to yass/third_party/mbedtls/framework/data_files/server1.key_usage_noauthid.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server1.long_serial.crt b/yass/third_party/mbedtls/framework/data_files/server1.long_serial.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.long_serial.crt rename to yass/third_party/mbedtls/framework/data_files/server1.long_serial.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server1.long_serial_FF.crt b/yass/third_party/mbedtls/framework/data_files/server1.long_serial_FF.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.long_serial_FF.crt rename to yass/third_party/mbedtls/framework/data_files/server1.long_serial_FF.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server1.noauthid.crt b/yass/third_party/mbedtls/framework/data_files/server1.noauthid.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.noauthid.crt rename to yass/third_party/mbedtls/framework/data_files/server1.noauthid.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server1.pubkey b/yass/third_party/mbedtls/framework/data_files/server1.pubkey similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.pubkey rename to yass/third_party/mbedtls/framework/data_files/server1.pubkey diff --git a/yass/third_party/mbedtls/tests/data_files/server1.pubkey.der b/yass/third_party/mbedtls/framework/data_files/server1.pubkey.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.pubkey.der rename to yass/third_party/mbedtls/framework/data_files/server1.pubkey.der diff --git a/yass/third_party/mbedtls/tests/data_files/server1.req.cert_type b/yass/third_party/mbedtls/framework/data_files/server1.req.cert_type similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.req.cert_type rename to yass/third_party/mbedtls/framework/data_files/server1.req.cert_type diff --git a/yass/third_party/mbedtls/tests/data_files/server1.req.cert_type_empty b/yass/third_party/mbedtls/framework/data_files/server1.req.cert_type_empty similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.req.cert_type_empty rename to yass/third_party/mbedtls/framework/data_files/server1.req.cert_type_empty diff --git a/yass/third_party/mbedtls/tests/data_files/server1.req.key_usage b/yass/third_party/mbedtls/framework/data_files/server1.req.key_usage similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.req.key_usage rename to yass/third_party/mbedtls/framework/data_files/server1.req.key_usage diff --git a/yass/third_party/mbedtls/tests/data_files/server1.req.key_usage_empty b/yass/third_party/mbedtls/framework/data_files/server1.req.key_usage_empty similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.req.key_usage_empty rename to yass/third_party/mbedtls/framework/data_files/server1.req.key_usage_empty diff --git a/yass/third_party/mbedtls/tests/data_files/server1.req.ku-ct b/yass/third_party/mbedtls/framework/data_files/server1.req.ku-ct similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.req.ku-ct rename to yass/third_party/mbedtls/framework/data_files/server1.req.ku-ct diff --git a/yass/third_party/mbedtls/tests/data_files/server1.req.md5 b/yass/third_party/mbedtls/framework/data_files/server1.req.md5 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.req.md5 rename to yass/third_party/mbedtls/framework/data_files/server1.req.md5 diff --git a/yass/third_party/mbedtls/tests/data_files/server1.req.sha1 b/yass/third_party/mbedtls/framework/data_files/server1.req.sha1 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.req.sha1 rename to yass/third_party/mbedtls/framework/data_files/server1.req.sha1 diff --git a/yass/third_party/mbedtls/tests/data_files/server1.req.sha224 b/yass/third_party/mbedtls/framework/data_files/server1.req.sha224 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.req.sha224 rename to yass/third_party/mbedtls/framework/data_files/server1.req.sha224 diff --git a/yass/third_party/mbedtls/tests/data_files/server1.req.sha256 b/yass/third_party/mbedtls/framework/data_files/server1.req.sha256 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.req.sha256 rename to yass/third_party/mbedtls/framework/data_files/server1.req.sha256 diff --git a/yass/third_party/mbedtls/tests/data_files/server1.req.sha256.conf b/yass/third_party/mbedtls/framework/data_files/server1.req.sha256.conf similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.req.sha256.conf rename to yass/third_party/mbedtls/framework/data_files/server1.req.sha256.conf diff --git a/yass/third_party/mbedtls/tests/data_files/server1.req.sha256.ext b/yass/third_party/mbedtls/framework/data_files/server1.req.sha256.ext similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.req.sha256.ext rename to yass/third_party/mbedtls/framework/data_files/server1.req.sha256.ext diff --git a/yass/third_party/mbedtls/tests/data_files/server1.req.sha384 b/yass/third_party/mbedtls/framework/data_files/server1.req.sha384 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.req.sha384 rename to yass/third_party/mbedtls/framework/data_files/server1.req.sha384 diff --git a/yass/third_party/mbedtls/tests/data_files/server1.req.sha512 b/yass/third_party/mbedtls/framework/data_files/server1.req.sha512 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.req.sha512 rename to yass/third_party/mbedtls/framework/data_files/server1.req.sha512 diff --git a/yass/third_party/mbedtls/tests/data_files/server1.spaces.crt b/yass/third_party/mbedtls/framework/data_files/server1.spaces.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.spaces.crt rename to yass/third_party/mbedtls/framework/data_files/server1.spaces.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server1.v1.crt b/yass/third_party/mbedtls/framework/data_files/server1.v1.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1.v1.crt rename to yass/third_party/mbedtls/framework/data_files/server1.v1.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server10-badsign.crt b/yass/third_party/mbedtls/framework/data_files/server10-badsign.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server10-badsign.crt rename to yass/third_party/mbedtls/framework/data_files/server10-badsign.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server10-bs_int3.pem b/yass/third_party/mbedtls/framework/data_files/server10-bs_int3.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server10-bs_int3.pem rename to yass/third_party/mbedtls/framework/data_files/server10-bs_int3.pem diff --git a/yass/third_party/mbedtls/tests/data_files/server10.crt b/yass/third_party/mbedtls/framework/data_files/server10.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server10.crt rename to yass/third_party/mbedtls/framework/data_files/server10.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server10.key b/yass/third_party/mbedtls/framework/data_files/server10.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server10.key rename to yass/third_party/mbedtls/framework/data_files/server10.key diff --git a/yass/third_party/mbedtls/tests/data_files/server10_int3-bs.pem b/yass/third_party/mbedtls/framework/data_files/server10_int3-bs.pem similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server10_int3-bs.pem rename to yass/third_party/mbedtls/framework/data_files/server10_int3-bs.pem diff --git a/yass/third_party/mbedtls/tests/data_files/server10_int3_int-ca2.crt b/yass/third_party/mbedtls/framework/data_files/server10_int3_int-ca2.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server10_int3_int-ca2.crt rename to yass/third_party/mbedtls/framework/data_files/server10_int3_int-ca2.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server10_int3_int-ca2_ca.crt b/yass/third_party/mbedtls/framework/data_files/server10_int3_int-ca2_ca.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server10_int3_int-ca2_ca.crt rename to yass/third_party/mbedtls/framework/data_files/server10_int3_int-ca2_ca.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server10_int3_spurious_int-ca2.crt b/yass/third_party/mbedtls/framework/data_files/server10_int3_spurious_int-ca2.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server10_int3_spurious_int-ca2.crt rename to yass/third_party/mbedtls/framework/data_files/server10_int3_spurious_int-ca2.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server1_ca.crt b/yass/third_party/mbedtls/framework/data_files/server1_ca.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1_ca.crt rename to yass/third_party/mbedtls/framework/data_files/server1_ca.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server1_csr.opensslconf b/yass/third_party/mbedtls/framework/data_files/server1_csr.opensslconf similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server1_csr.opensslconf rename to yass/third_party/mbedtls/framework/data_files/server1_csr.opensslconf diff --git a/yass/third_party/mbedtls/tests/data_files/server2-badsign.crt b/yass/third_party/mbedtls/framework/data_files/server2-badsign.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server2-badsign.crt rename to yass/third_party/mbedtls/framework/data_files/server2-badsign.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server2-sha256.crt b/yass/third_party/mbedtls/framework/data_files/server2-sha256.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server2-sha256.crt rename to yass/third_party/mbedtls/framework/data_files/server2-sha256.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server2-sha256.crt.der b/yass/third_party/mbedtls/framework/data_files/server2-sha256.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server2-sha256.crt.der rename to yass/third_party/mbedtls/framework/data_files/server2-sha256.crt.der diff --git a/yass/third_party/mbedtls/framework/data_files/server2-sha256.ku-ds.crt b/yass/third_party/mbedtls/framework/data_files/server2-sha256.ku-ds.crt new file mode 100644 index 0000000000..0d4866c5cb --- /dev/null +++ b/yass/third_party/mbedtls/framework/data_files/server2-sha256.ku-ds.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDRzCCAi+gAwIBAgIBGDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G +A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN +owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz +NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM +tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P +hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya +HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNdMFswCQYD +VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw +FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDgYDVR0PAQH/BAQDAgeAMA0GCSqGSIb3 +DQEBCwUAA4IBAQAtKutVrQunnzOQg3TP2vnOT8Qr5LrbvsSBaPEm21Oxkpr0gJcC +/BgON5WrBdfpEDZ5jOMGgqdF3AxFzh/Zw1EBr2y2wIcleodtzV5j2fTQV9MPYJ9z +XYfhNsr9idt/i4YCqJSe6lB/+GG/p+9jtMLGMjfSkNnG7ppa7Sv6NVsAxgbKskTw +WU/z7T7Y/afK5omAPpHfWddzCl5o+o9VFi5scYyjv2iNPkRiTMDh4bE8RVm9vxcf +TMH14TSa1Y6OkaTuzJLbU3V8yJZ67s2SK89Trd75SQ+B62nZYe+0NG+6b2s+D97y +ex2x2EbfK/nxEL2Gv7/xG4gcpzxmKObhPpsS +-----END CERTIFICATE----- diff --git a/yass/third_party/mbedtls/framework/data_files/server2-sha256.ku-ds_ke.crt b/yass/third_party/mbedtls/framework/data_files/server2-sha256.ku-ds_ke.crt new file mode 100644 index 0000000000..e89e17dda2 --- /dev/null +++ b/yass/third_party/mbedtls/framework/data_files/server2-sha256.ku-ds_ke.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDRzCCAi+gAwIBAgIBHDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G +A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN +owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz +NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM +tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P +hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya +HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNdMFswCQYD +VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw +FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDgYDVR0PAQH/BAQDAgWgMA0GCSqGSIb3 +DQEBCwUAA4IBAQBZBDKh6TRkGh9ro5l/Rv6/LE9slTLCrAAjCA6fT2dig6WsijmK +OLwjjuWRdKT+SPrm+42db4j++KcPVk/HwPNkbcXF7sAHy13DGi47mi7ySKqCiOZ8 +RVnpBWjZJpMzXi5l8RgXGK10v2C4iPX3E7iRw+CYTZjOWfjnzHUWqQ93eu3s6OU3 +3FobrPFKYkS9CvqvbGBIqpv8TTAoAvUAsjUbQHY2SlqlJLw2DUmewmeBzS2ItNyp +BO367lTm03z+nG77pZYOhgxch8EA2RcIuoEExj0tHZcG3JLOz60ijqqG1lxjrTXV +qMDRttuL8jisekj4gZD90T9JdMHpz8goNhO7 +-----END CERTIFICATE----- diff --git a/yass/third_party/mbedtls/framework/data_files/server2-sha256.ku-ka.crt b/yass/third_party/mbedtls/framework/data_files/server2-sha256.ku-ka.crt new file mode 100644 index 0000000000..326876be58 --- /dev/null +++ b/yass/third_party/mbedtls/framework/data_files/server2-sha256.ku-ka.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDRzCCAi+gAwIBAgIBFjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G +A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN +owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz +NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM +tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P +hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya +HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNdMFswCQYD +VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw +FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDgYDVR0PAQH/BAQDAgMIMA0GCSqGSIb3 +DQEBCwUAA4IBAQBsd9wHhcSkcO/AyrHRw33RVgdydoUIcopGHCnl+6ThQj9lM2cF +eh7Zdu2GVyd2yyIeI7c+N1w1NOLxXYk4vviU6J/Jol706UefflMEMHIwgJqakWdj +uq8o7CTOEhMpzSE6AfNj02jLb3qrkoJGB+STIwgx2IYdDzTrIr2Cb2T9zbDJCQBd +l2PTVR5id/+Uy4h+2KNJzgRgOUIPc0eFN0aE5a7IHRx3q7h5h/DbBaQU4tVmaAYF +o/6XlBvwVxan87w+hLfnFHUO7eMe0jnLvH2O+MW4ZeYh4VP2Jq7cLJQgTfCbFK9L +PNG8gfhW71rcMRTxwKM5qziJ8h6PeomSglsO +-----END CERTIFICATE----- diff --git a/yass/third_party/mbedtls/framework/data_files/server2-sha256.ku-ke.crt b/yass/third_party/mbedtls/framework/data_files/server2-sha256.ku-ke.crt new file mode 100644 index 0000000000..ca5c3c76b2 --- /dev/null +++ b/yass/third_party/mbedtls/framework/data_files/server2-sha256.ku-ke.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDRzCCAi+gAwIBAgIBFzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G +A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN +owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz +NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM +tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P +hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya +HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNdMFswCQYD +VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw +FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDgYDVR0PAQH/BAQDAgUgMA0GCSqGSIb3 +DQEBCwUAA4IBAQAuR/fgNifvtW6ukLxp+VFlYael3kAGJpKhe271fjkaqiyBB9Qt +NfFX1HDq1hJe8c8uf+SgFnY6rg1BjdctrEU92avPYjhpsyYEuSjt9LAtLfpeMaWD +ltem8PNh/lkR+v0xqeYsDcHTv/oR9NfCIqoPFWOPlH7CvLowNbI06D8KkKiWAlL1 +tC62db6T5sOrmcmyjLoKUyerBqCWC+MM4G+AXMdfp54/xLOvkTq/K1cu1oRIGIYL +SSAtVeRQXqwgaH2M2EkN79joF6XnjGG27TN8rCS7gxJm87vZjtZiSFugwhFFHFhX +Gmp9IkBVZKQci1NbTY18l/2wxFYICv486sAV +-----END CERTIFICATE----- diff --git a/yass/third_party/mbedtls/tests/data_files/server2-v1-chain.crt b/yass/third_party/mbedtls/framework/data_files/server2-v1-chain.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server2-v1-chain.crt rename to yass/third_party/mbedtls/framework/data_files/server2-v1-chain.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server2-v1.crt b/yass/third_party/mbedtls/framework/data_files/server2-v1.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server2-v1.crt rename to yass/third_party/mbedtls/framework/data_files/server2-v1.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server2.crt b/yass/third_party/mbedtls/framework/data_files/server2.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server2.crt rename to yass/third_party/mbedtls/framework/data_files/server2.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server2.crt.der b/yass/third_party/mbedtls/framework/data_files/server2.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server2.crt.der rename to yass/third_party/mbedtls/framework/data_files/server2.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/server2.der b/yass/third_party/mbedtls/framework/data_files/server2.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server2.der rename to yass/third_party/mbedtls/framework/data_files/server2.der diff --git a/yass/third_party/mbedtls/tests/data_files/server2.key b/yass/third_party/mbedtls/framework/data_files/server2.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server2.key rename to yass/third_party/mbedtls/framework/data_files/server2.key diff --git a/yass/third_party/mbedtls/tests/data_files/server2.key.der b/yass/third_party/mbedtls/framework/data_files/server2.key.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server2.key.der rename to yass/third_party/mbedtls/framework/data_files/server2.key.der diff --git a/yass/third_party/mbedtls/tests/data_files/server2.key.enc b/yass/third_party/mbedtls/framework/data_files/server2.key.enc similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server2.key.enc rename to yass/third_party/mbedtls/framework/data_files/server2.key.enc diff --git a/yass/third_party/mbedtls/tests/data_files/server2.ku-ds.crt b/yass/third_party/mbedtls/framework/data_files/server2.ku-ds.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server2.ku-ds.crt rename to yass/third_party/mbedtls/framework/data_files/server2.ku-ds.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server2.ku-ds_ke.crt b/yass/third_party/mbedtls/framework/data_files/server2.ku-ds_ke.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server2.ku-ds_ke.crt rename to yass/third_party/mbedtls/framework/data_files/server2.ku-ds_ke.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server2.ku-ka.crt b/yass/third_party/mbedtls/framework/data_files/server2.ku-ka.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server2.ku-ka.crt rename to yass/third_party/mbedtls/framework/data_files/server2.ku-ka.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server2.ku-ke.crt b/yass/third_party/mbedtls/framework/data_files/server2.ku-ke.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server2.ku-ke.crt rename to yass/third_party/mbedtls/framework/data_files/server2.ku-ke.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server3.crt b/yass/third_party/mbedtls/framework/data_files/server3.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server3.crt rename to yass/third_party/mbedtls/framework/data_files/server3.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server3.key b/yass/third_party/mbedtls/framework/data_files/server3.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server3.key rename to yass/third_party/mbedtls/framework/data_files/server3.key diff --git a/yass/third_party/mbedtls/tests/data_files/server4.crt b/yass/third_party/mbedtls/framework/data_files/server4.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server4.crt rename to yass/third_party/mbedtls/framework/data_files/server4.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server4.key b/yass/third_party/mbedtls/framework/data_files/server4.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server4.key rename to yass/third_party/mbedtls/framework/data_files/server4.key diff --git a/yass/third_party/mbedtls/tests/data_files/server5-badsign.crt b/yass/third_party/mbedtls/framework/data_files/server5-badsign.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5-badsign.crt rename to yass/third_party/mbedtls/framework/data_files/server5-badsign.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server5-der0.crt b/yass/third_party/mbedtls/framework/data_files/server5-der0.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5-der0.crt rename to yass/third_party/mbedtls/framework/data_files/server5-der0.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server5-der1a.crt b/yass/third_party/mbedtls/framework/data_files/server5-der1a.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5-der1a.crt rename to yass/third_party/mbedtls/framework/data_files/server5-der1a.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server5-der1b.crt b/yass/third_party/mbedtls/framework/data_files/server5-der1b.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5-der1b.crt rename to yass/third_party/mbedtls/framework/data_files/server5-der1b.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server5-der2.crt b/yass/third_party/mbedtls/framework/data_files/server5-der2.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5-der2.crt rename to yass/third_party/mbedtls/framework/data_files/server5-der2.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server5-der4.crt b/yass/third_party/mbedtls/framework/data_files/server5-der4.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5-der4.crt rename to yass/third_party/mbedtls/framework/data_files/server5-der4.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server5-der8.crt b/yass/third_party/mbedtls/framework/data_files/server5-der8.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5-der8.crt rename to yass/third_party/mbedtls/framework/data_files/server5-der8.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server5-der9.crt b/yass/third_party/mbedtls/framework/data_files/server5-der9.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5-der9.crt rename to yass/third_party/mbedtls/framework/data_files/server5-der9.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server5-expired.crt b/yass/third_party/mbedtls/framework/data_files/server5-expired.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5-expired.crt rename to yass/third_party/mbedtls/framework/data_files/server5-expired.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server5-future.crt b/yass/third_party/mbedtls/framework/data_files/server5-future.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5-future.crt rename to yass/third_party/mbedtls/framework/data_files/server5-future.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server5-selfsigned.crt b/yass/third_party/mbedtls/framework/data_files/server5-selfsigned.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5-selfsigned.crt rename to yass/third_party/mbedtls/framework/data_files/server5-selfsigned.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server5-sha1.crt b/yass/third_party/mbedtls/framework/data_files/server5-sha1.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5-sha1.crt rename to yass/third_party/mbedtls/framework/data_files/server5-sha1.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server5-sha224.crt b/yass/third_party/mbedtls/framework/data_files/server5-sha224.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5-sha224.crt rename to yass/third_party/mbedtls/framework/data_files/server5-sha224.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server5-sha384.crt b/yass/third_party/mbedtls/framework/data_files/server5-sha384.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5-sha384.crt rename to yass/third_party/mbedtls/framework/data_files/server5-sha384.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server5-sha512.crt b/yass/third_party/mbedtls/framework/data_files/server5-sha512.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5-sha512.crt rename to yass/third_party/mbedtls/framework/data_files/server5-sha512.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server5-ss-expired.crt b/yass/third_party/mbedtls/framework/data_files/server5-ss-expired.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5-ss-expired.crt rename to yass/third_party/mbedtls/framework/data_files/server5-ss-expired.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server5-ss-forgeca.crt b/yass/third_party/mbedtls/framework/data_files/server5-ss-forgeca.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5-ss-forgeca.crt rename to yass/third_party/mbedtls/framework/data_files/server5-ss-forgeca.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server5-tricky-ip-san-malformed-len.crt.der b/yass/third_party/mbedtls/framework/data_files/server5-tricky-ip-san-malformed-len.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5-tricky-ip-san-malformed-len.crt.der rename to yass/third_party/mbedtls/framework/data_files/server5-tricky-ip-san-malformed-len.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/server5-tricky-ip-san.crt.der b/yass/third_party/mbedtls/framework/data_files/server5-tricky-ip-san.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5-tricky-ip-san.crt.der rename to yass/third_party/mbedtls/framework/data_files/server5-tricky-ip-san.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/server5.crt b/yass/third_party/mbedtls/framework/data_files/server5.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5.crt rename to yass/third_party/mbedtls/framework/data_files/server5.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server5.crt.der b/yass/third_party/mbedtls/framework/data_files/server5.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5.crt.der rename to yass/third_party/mbedtls/framework/data_files/server5.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/server5.crt.openssl.v3_ext b/yass/third_party/mbedtls/framework/data_files/server5.crt.openssl.v3_ext similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5.crt.openssl.v3_ext rename to yass/third_party/mbedtls/framework/data_files/server5.crt.openssl.v3_ext diff --git a/yass/third_party/mbedtls/tests/data_files/server5.eku-cli.crt b/yass/third_party/mbedtls/framework/data_files/server5.eku-cli.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5.eku-cli.crt rename to yass/third_party/mbedtls/framework/data_files/server5.eku-cli.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server5.eku-cs.crt b/yass/third_party/mbedtls/framework/data_files/server5.eku-cs.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5.eku-cs.crt rename to yass/third_party/mbedtls/framework/data_files/server5.eku-cs.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server5.eku-cs_any.crt b/yass/third_party/mbedtls/framework/data_files/server5.eku-cs_any.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5.eku-cs_any.crt rename to yass/third_party/mbedtls/framework/data_files/server5.eku-cs_any.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server5.eku-srv.crt b/yass/third_party/mbedtls/framework/data_files/server5.eku-srv.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5.eku-srv.crt rename to yass/third_party/mbedtls/framework/data_files/server5.eku-srv.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server5.eku-srv_cli.crt b/yass/third_party/mbedtls/framework/data_files/server5.eku-srv_cli.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5.eku-srv_cli.crt rename to yass/third_party/mbedtls/framework/data_files/server5.eku-srv_cli.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server5.key b/yass/third_party/mbedtls/framework/data_files/server5.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5.key rename to yass/third_party/mbedtls/framework/data_files/server5.key diff --git a/yass/third_party/mbedtls/tests/data_files/server5.key.der b/yass/third_party/mbedtls/framework/data_files/server5.key.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5.key.der rename to yass/third_party/mbedtls/framework/data_files/server5.key.der diff --git a/yass/third_party/mbedtls/tests/data_files/server5.key.enc b/yass/third_party/mbedtls/framework/data_files/server5.key.enc similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5.key.enc rename to yass/third_party/mbedtls/framework/data_files/server5.key.enc diff --git a/yass/third_party/mbedtls/tests/data_files/server5.ku-ds.crt b/yass/third_party/mbedtls/framework/data_files/server5.ku-ds.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5.ku-ds.crt rename to yass/third_party/mbedtls/framework/data_files/server5.ku-ds.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server5.ku-ka.crt b/yass/third_party/mbedtls/framework/data_files/server5.ku-ka.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5.ku-ka.crt rename to yass/third_party/mbedtls/framework/data_files/server5.ku-ka.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server5.ku-ke.crt b/yass/third_party/mbedtls/framework/data_files/server5.ku-ke.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5.ku-ke.crt rename to yass/third_party/mbedtls/framework/data_files/server5.ku-ke.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server5.req.ku.sha1 b/yass/third_party/mbedtls/framework/data_files/server5.req.ku.sha1 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server5.req.ku.sha1 rename to yass/third_party/mbedtls/framework/data_files/server5.req.ku.sha1 diff --git a/yass/third_party/mbedtls/tests/data_files/server6-ss-child.crt b/yass/third_party/mbedtls/framework/data_files/server6-ss-child.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server6-ss-child.crt rename to yass/third_party/mbedtls/framework/data_files/server6-ss-child.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server6-ss-child.crt.openssl.v3_ext b/yass/third_party/mbedtls/framework/data_files/server6-ss-child.crt.openssl.v3_ext similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server6-ss-child.crt.openssl.v3_ext rename to yass/third_party/mbedtls/framework/data_files/server6-ss-child.crt.openssl.v3_ext diff --git a/yass/third_party/mbedtls/tests/data_files/server6.crt b/yass/third_party/mbedtls/framework/data_files/server6.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server6.crt rename to yass/third_party/mbedtls/framework/data_files/server6.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server6.key b/yass/third_party/mbedtls/framework/data_files/server6.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server6.key rename to yass/third_party/mbedtls/framework/data_files/server6.key diff --git a/yass/third_party/mbedtls/tests/data_files/server7-badsign.crt b/yass/third_party/mbedtls/framework/data_files/server7-badsign.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server7-badsign.crt rename to yass/third_party/mbedtls/framework/data_files/server7-badsign.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server7-expired.crt b/yass/third_party/mbedtls/framework/data_files/server7-expired.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server7-expired.crt rename to yass/third_party/mbedtls/framework/data_files/server7-expired.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server7-future.crt b/yass/third_party/mbedtls/framework/data_files/server7-future.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server7-future.crt rename to yass/third_party/mbedtls/framework/data_files/server7-future.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server7.crt b/yass/third_party/mbedtls/framework/data_files/server7.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server7.crt rename to yass/third_party/mbedtls/framework/data_files/server7.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server7.key b/yass/third_party/mbedtls/framework/data_files/server7.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server7.key rename to yass/third_party/mbedtls/framework/data_files/server7.key diff --git a/yass/third_party/mbedtls/tests/data_files/server7_int-ca-exp.crt b/yass/third_party/mbedtls/framework/data_files/server7_int-ca-exp.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server7_int-ca-exp.crt rename to yass/third_party/mbedtls/framework/data_files/server7_int-ca-exp.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server7_int-ca.crt b/yass/third_party/mbedtls/framework/data_files/server7_int-ca.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server7_int-ca.crt rename to yass/third_party/mbedtls/framework/data_files/server7_int-ca.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server7_int-ca_ca2.crt b/yass/third_party/mbedtls/framework/data_files/server7_int-ca_ca2.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server7_int-ca_ca2.crt rename to yass/third_party/mbedtls/framework/data_files/server7_int-ca_ca2.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server7_spurious_int-ca.crt b/yass/third_party/mbedtls/framework/data_files/server7_spurious_int-ca.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server7_spurious_int-ca.crt rename to yass/third_party/mbedtls/framework/data_files/server7_spurious_int-ca.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server8.crt b/yass/third_party/mbedtls/framework/data_files/server8.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server8.crt rename to yass/third_party/mbedtls/framework/data_files/server8.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server8.key b/yass/third_party/mbedtls/framework/data_files/server8.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server8.key rename to yass/third_party/mbedtls/framework/data_files/server8.key diff --git a/yass/third_party/mbedtls/tests/data_files/server8_int-ca2.crt b/yass/third_party/mbedtls/framework/data_files/server8_int-ca2.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server8_int-ca2.crt rename to yass/third_party/mbedtls/framework/data_files/server8_int-ca2.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server9-bad-mgfhash.crt b/yass/third_party/mbedtls/framework/data_files/server9-bad-mgfhash.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server9-bad-mgfhash.crt rename to yass/third_party/mbedtls/framework/data_files/server9-bad-mgfhash.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server9-bad-saltlen.crt b/yass/third_party/mbedtls/framework/data_files/server9-bad-saltlen.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server9-bad-saltlen.crt rename to yass/third_party/mbedtls/framework/data_files/server9-bad-saltlen.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server9-badsign.crt b/yass/third_party/mbedtls/framework/data_files/server9-badsign.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server9-badsign.crt rename to yass/third_party/mbedtls/framework/data_files/server9-badsign.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server9-defaults.crt b/yass/third_party/mbedtls/framework/data_files/server9-defaults.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server9-defaults.crt rename to yass/third_party/mbedtls/framework/data_files/server9-defaults.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server9-sha224.crt b/yass/third_party/mbedtls/framework/data_files/server9-sha224.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server9-sha224.crt rename to yass/third_party/mbedtls/framework/data_files/server9-sha224.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server9-sha256.crt b/yass/third_party/mbedtls/framework/data_files/server9-sha256.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server9-sha256.crt rename to yass/third_party/mbedtls/framework/data_files/server9-sha256.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server9-sha384.crt b/yass/third_party/mbedtls/framework/data_files/server9-sha384.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server9-sha384.crt rename to yass/third_party/mbedtls/framework/data_files/server9-sha384.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server9-sha512.crt b/yass/third_party/mbedtls/framework/data_files/server9-sha512.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server9-sha512.crt rename to yass/third_party/mbedtls/framework/data_files/server9-sha512.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server9-with-ca.crt b/yass/third_party/mbedtls/framework/data_files/server9-with-ca.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server9-with-ca.crt rename to yass/third_party/mbedtls/framework/data_files/server9-with-ca.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server9.crt b/yass/third_party/mbedtls/framework/data_files/server9.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server9.crt rename to yass/third_party/mbedtls/framework/data_files/server9.crt diff --git a/yass/third_party/mbedtls/tests/data_files/server9.key b/yass/third_party/mbedtls/framework/data_files/server9.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/server9.key rename to yass/third_party/mbedtls/framework/data_files/server9.key diff --git a/yass/third_party/mbedtls/tests/data_files/simplepass.psk b/yass/third_party/mbedtls/framework/data_files/simplepass.psk similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/simplepass.psk rename to yass/third_party/mbedtls/framework/data_files/simplepass.psk diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca-alt-good.crt b/yass/third_party/mbedtls/framework/data_files/test-ca-alt-good.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca-alt-good.crt rename to yass/third_party/mbedtls/framework/data_files/test-ca-alt-good.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca-alt.crt b/yass/third_party/mbedtls/framework/data_files/test-ca-alt.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca-alt.crt rename to yass/third_party/mbedtls/framework/data_files/test-ca-alt.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca-alt.csr b/yass/third_party/mbedtls/framework/data_files/test-ca-alt.csr similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca-alt.csr rename to yass/third_party/mbedtls/framework/data_files/test-ca-alt.csr diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca-alt.key b/yass/third_party/mbedtls/framework/data_files/test-ca-alt.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca-alt.key rename to yass/third_party/mbedtls/framework/data_files/test-ca-alt.key diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca-good-alt.crt b/yass/third_party/mbedtls/framework/data_files/test-ca-good-alt.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca-good-alt.crt rename to yass/third_party/mbedtls/framework/data_files/test-ca-good-alt.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca-sha1.crt b/yass/third_party/mbedtls/framework/data_files/test-ca-sha1.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca-sha1.crt rename to yass/third_party/mbedtls/framework/data_files/test-ca-sha1.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca-sha1.crt.der b/yass/third_party/mbedtls/framework/data_files/test-ca-sha1.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca-sha1.crt.der rename to yass/third_party/mbedtls/framework/data_files/test-ca-sha1.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca-sha256.crt b/yass/third_party/mbedtls/framework/data_files/test-ca-sha256.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca-sha256.crt rename to yass/third_party/mbedtls/framework/data_files/test-ca-sha256.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca-sha256.crt.der b/yass/third_party/mbedtls/framework/data_files/test-ca-sha256.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca-sha256.crt.der rename to yass/third_party/mbedtls/framework/data_files/test-ca-sha256.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca-v1.crt b/yass/third_party/mbedtls/framework/data_files/test-ca-v1.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca-v1.crt rename to yass/third_party/mbedtls/framework/data_files/test-ca-v1.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca.crt b/yass/third_party/mbedtls/framework/data_files/test-ca.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca.crt rename to yass/third_party/mbedtls/framework/data_files/test-ca.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca.der b/yass/third_party/mbedtls/framework/data_files/test-ca.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca.der rename to yass/third_party/mbedtls/framework/data_files/test-ca.der diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca.key b/yass/third_party/mbedtls/framework/data_files/test-ca.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca.key rename to yass/third_party/mbedtls/framework/data_files/test-ca.key diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca.key.der b/yass/third_party/mbedtls/framework/data_files/test-ca.key.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca.key.der rename to yass/third_party/mbedtls/framework/data_files/test-ca.key.der diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca.opensslconf b/yass/third_party/mbedtls/framework/data_files/test-ca.opensslconf similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca.opensslconf rename to yass/third_party/mbedtls/framework/data_files/test-ca.opensslconf diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca.req.sha256 b/yass/third_party/mbedtls/framework/data_files/test-ca.req.sha256 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca.req.sha256 rename to yass/third_party/mbedtls/framework/data_files/test-ca.req.sha256 diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca.req_ec.sha256 b/yass/third_party/mbedtls/framework/data_files/test-ca.req_ec.sha256 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca.req_ec.sha256 rename to yass/third_party/mbedtls/framework/data_files/test-ca.req_ec.sha256 diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca.server1.db b/yass/third_party/mbedtls/framework/data_files/test-ca.server1.db similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca.server1.db rename to yass/third_party/mbedtls/framework/data_files/test-ca.server1.db diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca.server1.future-crl.db b/yass/third_party/mbedtls/framework/data_files/test-ca.server1.future-crl.db similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca.server1.future-crl.db rename to yass/third_party/mbedtls/framework/data_files/test-ca.server1.future-crl.db diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca.server1.future-crl.opensslconf b/yass/third_party/mbedtls/framework/data_files/test-ca.server1.future-crl.opensslconf similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca.server1.future-crl.opensslconf rename to yass/third_party/mbedtls/framework/data_files/test-ca.server1.future-crl.opensslconf diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca.server1.opensslconf b/yass/third_party/mbedtls/framework/data_files/test-ca.server1.opensslconf similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca.server1.opensslconf rename to yass/third_party/mbedtls/framework/data_files/test-ca.server1.opensslconf diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca.server1.test_serial.opensslconf b/yass/third_party/mbedtls/framework/data_files/test-ca.server1.test_serial.opensslconf similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca.server1.test_serial.opensslconf rename to yass/third_party/mbedtls/framework/data_files/test-ca.server1.test_serial.opensslconf diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca2-expired.crt b/yass/third_party/mbedtls/framework/data_files/test-ca2-expired.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca2-expired.crt rename to yass/third_party/mbedtls/framework/data_files/test-ca2-expired.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca2.crt b/yass/third_party/mbedtls/framework/data_files/test-ca2.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca2.crt rename to yass/third_party/mbedtls/framework/data_files/test-ca2.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca2.crt.der b/yass/third_party/mbedtls/framework/data_files/test-ca2.crt.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca2.crt.der rename to yass/third_party/mbedtls/framework/data_files/test-ca2.crt.der diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca2.key b/yass/third_party/mbedtls/framework/data_files/test-ca2.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca2.key rename to yass/third_party/mbedtls/framework/data_files/test-ca2.key diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca2.key.der b/yass/third_party/mbedtls/framework/data_files/test-ca2.key.der similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca2.key.der rename to yass/third_party/mbedtls/framework/data_files/test-ca2.key.der diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca2.key.enc b/yass/third_party/mbedtls/framework/data_files/test-ca2.key.enc similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca2.key.enc rename to yass/third_party/mbedtls/framework/data_files/test-ca2.key.enc diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca2.ku-crl.crt b/yass/third_party/mbedtls/framework/data_files/test-ca2.ku-crl.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca2.ku-crl.crt rename to yass/third_party/mbedtls/framework/data_files/test-ca2.ku-crl.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca2.ku-crl.crt.openssl.v3_ext b/yass/third_party/mbedtls/framework/data_files/test-ca2.ku-crl.crt.openssl.v3_ext similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca2.ku-crl.crt.openssl.v3_ext rename to yass/third_party/mbedtls/framework/data_files/test-ca2.ku-crl.crt.openssl.v3_ext diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca2.ku-crt.crt b/yass/third_party/mbedtls/framework/data_files/test-ca2.ku-crt.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca2.ku-crt.crt rename to yass/third_party/mbedtls/framework/data_files/test-ca2.ku-crt.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca2.ku-crt.crt.openssl.v3_ext b/yass/third_party/mbedtls/framework/data_files/test-ca2.ku-crt.crt.openssl.v3_ext similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca2.ku-crt.crt.openssl.v3_ext rename to yass/third_party/mbedtls/framework/data_files/test-ca2.ku-crt.crt.openssl.v3_ext diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca2.ku-crt_crl.crt b/yass/third_party/mbedtls/framework/data_files/test-ca2.ku-crt_crl.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca2.ku-crt_crl.crt rename to yass/third_party/mbedtls/framework/data_files/test-ca2.ku-crt_crl.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca2.ku-crt_crl.crt.openssl.v3_ext b/yass/third_party/mbedtls/framework/data_files/test-ca2.ku-crt_crl.crt.openssl.v3_ext similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca2.ku-crt_crl.crt.openssl.v3_ext rename to yass/third_party/mbedtls/framework/data_files/test-ca2.ku-crt_crl.crt.openssl.v3_ext diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca2.ku-ds.crt b/yass/third_party/mbedtls/framework/data_files/test-ca2.ku-ds.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca2.ku-ds.crt rename to yass/third_party/mbedtls/framework/data_files/test-ca2.ku-ds.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca2.ku-ds.crt.openssl.v3_ext b/yass/third_party/mbedtls/framework/data_files/test-ca2.ku-ds.crt.openssl.v3_ext similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca2.ku-ds.crt.openssl.v3_ext rename to yass/third_party/mbedtls/framework/data_files/test-ca2.ku-ds.crt.openssl.v3_ext diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca2.req.sha256 b/yass/third_party/mbedtls/framework/data_files/test-ca2.req.sha256 similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca2.req.sha256 rename to yass/third_party/mbedtls/framework/data_files/test-ca2.req.sha256 diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca2_cat-future-invalid.crt b/yass/third_party/mbedtls/framework/data_files/test-ca2_cat-future-invalid.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca2_cat-future-invalid.crt rename to yass/third_party/mbedtls/framework/data_files/test-ca2_cat-future-invalid.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca2_cat-future-present.crt b/yass/third_party/mbedtls/framework/data_files/test-ca2_cat-future-present.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca2_cat-future-present.crt rename to yass/third_party/mbedtls/framework/data_files/test-ca2_cat-future-present.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca2_cat-past-invalid.crt b/yass/third_party/mbedtls/framework/data_files/test-ca2_cat-past-invalid.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca2_cat-past-invalid.crt rename to yass/third_party/mbedtls/framework/data_files/test-ca2_cat-past-invalid.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca2_cat-past-present.crt b/yass/third_party/mbedtls/framework/data_files/test-ca2_cat-past-present.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca2_cat-past-present.crt rename to yass/third_party/mbedtls/framework/data_files/test-ca2_cat-past-present.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca2_cat-present-future.crt b/yass/third_party/mbedtls/framework/data_files/test-ca2_cat-present-future.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca2_cat-present-future.crt rename to yass/third_party/mbedtls/framework/data_files/test-ca2_cat-present-future.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca2_cat-present-past.crt b/yass/third_party/mbedtls/framework/data_files/test-ca2_cat-present-past.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca2_cat-present-past.crt rename to yass/third_party/mbedtls/framework/data_files/test-ca2_cat-present-past.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca_cat12.crt b/yass/third_party/mbedtls/framework/data_files/test-ca_cat12.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca_cat12.crt rename to yass/third_party/mbedtls/framework/data_files/test-ca_cat12.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca_cat21.crt b/yass/third_party/mbedtls/framework/data_files/test-ca_cat21.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca_cat21.crt rename to yass/third_party/mbedtls/framework/data_files/test-ca_cat21.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca_printable.crt b/yass/third_party/mbedtls/framework/data_files/test-ca_printable.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca_printable.crt rename to yass/third_party/mbedtls/framework/data_files/test-ca_printable.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca_unenc.key b/yass/third_party/mbedtls/framework/data_files/test-ca_unenc.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca_unenc.key rename to yass/third_party/mbedtls/framework/data_files/test-ca_unenc.key diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca_uppercase.crt b/yass/third_party/mbedtls/framework/data_files/test-ca_uppercase.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca_uppercase.crt rename to yass/third_party/mbedtls/framework/data_files/test-ca_uppercase.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-ca_utf8.crt b/yass/third_party/mbedtls/framework/data_files/test-ca_utf8.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-ca_utf8.crt rename to yass/third_party/mbedtls/framework/data_files/test-ca_utf8.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-int-ca-exp.crt b/yass/third_party/mbedtls/framework/data_files/test-int-ca-exp.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-int-ca-exp.crt rename to yass/third_party/mbedtls/framework/data_files/test-int-ca-exp.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-int-ca.crt b/yass/third_party/mbedtls/framework/data_files/test-int-ca.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-int-ca.crt rename to yass/third_party/mbedtls/framework/data_files/test-int-ca.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-int-ca.key b/yass/third_party/mbedtls/framework/data_files/test-int-ca.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-int-ca.key rename to yass/third_party/mbedtls/framework/data_files/test-int-ca.key diff --git a/yass/third_party/mbedtls/tests/data_files/test-int-ca2.crt b/yass/third_party/mbedtls/framework/data_files/test-int-ca2.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-int-ca2.crt rename to yass/third_party/mbedtls/framework/data_files/test-int-ca2.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-int-ca2.key b/yass/third_party/mbedtls/framework/data_files/test-int-ca2.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-int-ca2.key rename to yass/third_party/mbedtls/framework/data_files/test-int-ca2.key diff --git a/yass/third_party/mbedtls/tests/data_files/test-int-ca3-badsign.crt b/yass/third_party/mbedtls/framework/data_files/test-int-ca3-badsign.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-int-ca3-badsign.crt rename to yass/third_party/mbedtls/framework/data_files/test-int-ca3-badsign.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-int-ca3.crt b/yass/third_party/mbedtls/framework/data_files/test-int-ca3.crt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-int-ca3.crt rename to yass/third_party/mbedtls/framework/data_files/test-int-ca3.crt diff --git a/yass/third_party/mbedtls/tests/data_files/test-int-ca3.key b/yass/third_party/mbedtls/framework/data_files/test-int-ca3.key similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/test-int-ca3.key rename to yass/third_party/mbedtls/framework/data_files/test-int-ca3.key diff --git a/yass/third_party/mbedtls/tests/data_files/test_certs.h.jinja2 b/yass/third_party/mbedtls/framework/data_files/test_certs.h.jinja2 similarity index 92% rename from yass/third_party/mbedtls/tests/data_files/test_certs.h.jinja2 rename to yass/third_party/mbedtls/framework/data_files/test_certs.h.jinja2 index 4a64b3a796..c420c7964b 100644 --- a/yass/third_party/mbedtls/tests/data_files/test_certs.h.jinja2 +++ b/yass/third_party/mbedtls/framework/data_files/test_certs.h.jinja2 @@ -5,7 +5,7 @@ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */ -/* THIS FILE is generated by `tests/scripts/generate_test_cert_macros.py` */ +/* THIS FILE is generated by `framework/scripts/generate_test_cert_macros.py` */ /* *INDENT-OFF* */ {% for mode, name, value in macros %} @@ -40,3 +40,4 @@ {% endif %} {% endfor %} +/* End of generated file */ diff --git a/yass/third_party/mbedtls/tests/data_files/tls13_early_data.txt b/yass/third_party/mbedtls/framework/data_files/tls13_early_data.txt similarity index 100% rename from yass/third_party/mbedtls/tests/data_files/tls13_early_data.txt rename to yass/third_party/mbedtls/framework/data_files/tls13_early_data.txt diff --git a/yass/third_party/mbedtls/framework/dco.txt b/yass/third_party/mbedtls/framework/dco.txt new file mode 100644 index 0000000000..8201f99215 --- /dev/null +++ b/yass/third_party/mbedtls/framework/dco.txt @@ -0,0 +1,37 @@ +Developer Certificate of Origin +Version 1.1 + +Copyright (C) 2004, 2006 The Linux Foundation and its contributors. +1 Letterman Drive +Suite D4700 +San Francisco, CA, 94129 + +Everyone is permitted to copy and distribute verbatim copies of this +license document, but changing it is not allowed. + + +Developer's Certificate of Origin 1.1 + +By making a contribution to this project, I certify that: + +(a) The contribution was created in whole or in part by me and I + have the right to submit it under the open source license + indicated in the file; or + +(b) The contribution is based upon previous work that, to the best + of my knowledge, is covered under an appropriate open source + license and I have the right under that license to submit that + work with modifications, whether created in whole or in part + by me, under the same open source license (unless I am + permitted to submit under a different license), as indicated + in the file; or + +(c) The contribution was provided directly to me by some other + person who certified (a), (b) or (c) and I have not modified + it. + +(d) I understand and agree that this project and the contribution + are public and that a record of the contribution (including all + personal information I submit with it, including my sign-off) is + maintained indefinitely and may be redistributed consistent with + this project or the open source license(s) involved. diff --git a/yass/third_party/mbedtls/framework/docs/framework-design.md b/yass/third_party/mbedtls/framework/docs/framework-design.md new file mode 100644 index 0000000000..ae01c1022f --- /dev/null +++ b/yass/third_party/mbedtls/framework/docs/framework-design.md @@ -0,0 +1,138 @@ +Version-independent build and test framework +============================================ + +## Introduction + +The [`mbedtls-framework`](https://github.com/Mbed-TLS/mbedtls-framework) repository provides tooling used to build and test TF-PSA-Crypto (all versions) and Mbed TLS from 3.6.0 onwards. + +## Requirements + +### Initial motivation + +Mbed TLS 3.x was a library for cryptography, X.509 and TLS. In 2024, the cryptography part of the library moved to a separate repository: [TF-PSA-Crypto](https://github.com/Mbed-TLS/TF-PSA-Crypto). Many support files are used by both projects: several helper scripts in `scripts` and `tests/scripts`, most of the test data in `tests/data`, a few helper programs under `programs`, most of the test helper code in `tests/include`, `tests/src` and `tests/drivers`, etc. + +The Mbed TLS project maintains long-time support (LTS) branches (with only bug fixes) in addition to the `development` branch where new features are added. Fixes to bugs often need to be backported from `development` to LTS branches, which involves backporting tests, which often involves backporting test helper code. If we had a place to put files shared among multiple maintained branches, that would reduce the amount of backporting. + +The `mbedtls-framework` was created to be a shared place for files that need to be shared by two or more of Mbed TLS 3.6 LTS, Mbed TLS 4.x development and TF-PSA-Crypto (as well as other LTS branches that will be created in the future). Mbed TLS 2.28 LTS was excluded from consideration due to its short remaining lifetime which would make any benefits small. + +### Usage of the repository + +The [`mbedtls-framework`](https://github.com/Mbed-TLS/mbedtls-framework) repository is consumed by each maintained branch of [Mbed TLS](https://github.com/Mbed-TLS/mbedtls) and [TF-PSA-Crypto](https://github.com/Mbed-TLS/TF-PSA-Crypto). This includes development branches, release branches and long-time support branches. (Exception: the older branch Mbed TLS 2.28 LTS was excluded.) + +In each consuming branch, the `mbedtls-framework` repository appears as a Git submodule located at the path `/framework`. + +### Requirements for the framework repository + +#### Framework repository versioning + +The framework repository is not versioned: projects are only supposed to consume the tip of the `main` branch. There are no tagged releases. However, each release of a consuming branch will designate a specific commit of the framework repository (this behavior is built into Git submodules), which can be tagged accordingly. + +At any point in time, each consuming branch requires a specific commit in the framework repository. Moving a consuming branch to the tip of the framework repository is a manual action. As a consequence, breaking changes are possible: they will not break any actual commit, they would only prevent a consuming branch from updating its submodule version to the tip of the framework repository. + +However, breaking changes are still problematic. Breaking changes in the framework repository require the affected consuming branches to fully adapt to the changes when they want to gain access to any new features in the framework repository. Breaking changes in a consuming branch that concern a feature that is consumed by the framework repository (e.g. internal library functions called by test helper functions) have the same effect. + +To facilitate parallel development, major changes should avoid breaking existing code and should provide a transition period. For example, if a function needs a new argument, define a new function with a new name, start using the new fuction, and later remove the old function. + +### Requirements for consuming repositories + +We generalize some current principles: + +* For development work and to run the CI, you need a Git checkout. +* To build the project and run functional tests, you need a complete set of files, but you don't need a Git checkout. +* To just build the library, if the platform-independent generated files are present, you only need the `include` directory and the directories containing library C files (`library`, `3rdparty`, `core`, `drivers` depending on the repository and desired features). + +#### Requirements for development in consuming branches + +Consuming branches must have the framework repository as a Git submodule for development work and CI scripts. + +Compared with pre-framework tooling, this means that Git submodules must be enabled. This requires an explicit step in many Git APIs (e.g. running `git submodule update --init` after `git init`, or passing `--recurse-submodules` to `git checkout`). + +#### Requirements for processes involving consuming branches + +Release archives must include the content of the framework repository. + +#### Requirements for tooling in consuming branches + +Consuming branches may assume that the `framework` submodule is present wherever they assume a Git checkout. + +Consuming branches may assume that the content of the `framework` directory is present anywhere where they would normally assume that all files are present. In particular, this allows the use of framework files for: + +* Generating configuration-independent files (e.g. `make generated_files`), including the ones in the `library` directory. +* `make lib` (with GNU make or CMake) from a pristine checkout (because this involves `make generated_files`). +* `make test` (even if all the tests have been built). + +Consuming branches must not assume that the framework is present when merely building the library. In particular: + +* Our provided build scripts (e.g. `library/Makefile`, `library/CMakeLists.txt`) must not require any files from `framework` when compiling the library. +* It's ok to have a file in `library` with a make dependency on a framework file, as long as the build works when the framework file is missing. This allows `make lib` to work as long as the generated files are present. +* Library source files must not rely on headers from the framework. + +#### Requirements for users of consuming branches + +Corresponding to the requirements on the repository above: + +* Contributors need the framework submodule. +* Users who wish to run full CI tests need the framework submodule. +* Users who want to build or run tests need the `framework` directory content. +* Users who merely want to build the library, and who have the configuration-independent files already generated, do not need the `framework` directory content. + +## Contents of the framework repository + +### Criteria for inclusion + +In general, a file should be in the framework repository if it is expected to be present with near-identical content in two or more consuming branches. Some files have a significant proportion of shared content and branch-specific content; such files should be split into a shared part and a non-shared part. + +For example: + +* `test_suite_*.function` contains a lot of code that is specific to each consuming branch. Even when the same test function exists in all maintained branches, there are often minor differences such as a deprecated alternative that only exists in older branches, differences in compile-time dependencies, etc. Thus we do not expect to share these files. Common code can go into separate `.c` files, historically under `tests/src`, that are in the framework repository. +* `test_suite_*.data` contains many test cases that exist in all maintained branches. However the exact expression of these test cases are often different, for example due to compile-time dependencies. Furthermore the set of test cases is often different, for example due to cryptographic mechanisms that are added or removed. Thus we do not expect to share these files. Where there is a lot of commonality, the test cases can be generated from a script located in the framework repository, with code in the generation script to handle the differing parts. + +## CI architecture + +* CI in consuming repositories must support Git submodules. Other than that, keep the CI as it is now. In particular, the CI in consuming repositories does not need to consider anything but the commit that the framework submodule points to. +* CI in the framework repository should run a subset of the CI of all consuming branches, to warn about unintended breakage. This way, most of the time, updating the framework submodule in a consuming branch to the tip of the `main` branch should work. Gatekeepers can bypass this check if the incompatibility is deliberate. +* When merging a pull request to an official branch in a consuming repository (`development`, LTS branches), check that the framework submodule's commit is on the main branch of the `mbedtls-framework` submodule. + +TODO: once this is set up, detail the processes here. + +## How to make a change + +### Change in a consuming branch requiring a new framework feature + +If a change in a consuming branch requires a new feature in the framework, you need to make both a pull request in the framework repository and a pull request in the framework repository. + +1. Make a pull request (PR) in the framework repository. +2. Upload the framework branch to the framework repository itself (not a fork). This is necessary for the commit to be available on the CI of the consuming repositories (and also for it to be conveniently available to reviewers). + Open question: can we make the CI work with a fork, and make using forks convenient enough for reviewers, so that people don't need to upload the branch to the main repository? +3. Make a pull request to the consuming branch. Include a commit that advances the submodule to the tip of the branch in the framework repository. +4. If there is rework in the framework PR that is needed for the consuming PR's review or CI, update the framework branch in the framework repository. +5. After the framework PR is merged, update the consuming PR to update the framework submodule to the merge commit (or a later commit). + +### Backward-incompatible change in the framework repository + +This section discusses cases where a change in the framework repository breaks one or more consuming branches. This includes cases where the change starts in a consuming branch, for example if some test helper code in the framework repository calls an internal library function which is removed or has its API changed. + +#### Split approach for backward-incompatible framework changes + +If a change in the framework repository breaks a consuming branch, it should ideally be split into two parts: one that adds the new feature, and one that removes the old feature. The new feature may be gated by a compilation directive if it's convenient to have only one of the versions at compile time. + +1. Make and merge a pull request in the framework repository with a backward-compatible change. +2. Update all affected consuming branches to: + 1. update the framework submodule to the new version; + 2. migrate all uses of the old feature to the new feature. +3. Make and merge a pull request in the framework repository that removes the old version of the feature. + +#### Watershed approach for backward-incompatible framework changes + +If a change in the framework repository breaks a consuming branch, it is possible to make it in a single step in the framework repository. However, this makes it mandatory to reflect this change in consuming branches the next time their framework submodule is updated. Therefore this should only be done if the change can be reflected quickly and there are no other urgent pending framework-submodule updates. + +1. Make a pull request (PR) in the framework repository with a backward-incompatible change. +2. For each affected consuming branch, make a PR that updates the framework submodule to the new version and changes the code to work with the updated framework code. Wait for those PR to be approved and passing the CI. +3. Merge the framework PR. +4. Update the PR in the consuming branches and merge them. + +## Releases + +Release archives for a consuming branch must include the content of the framework repository. (Note that as of Git 2.39, `git archive` does not support submodules, so it is insufficient to generate a release archive.) + +The framework repository does not have releases of its own. diff --git a/yass/third_party/mbedtls/framework/psasim/.gitignore b/yass/third_party/mbedtls/framework/psasim/.gitignore new file mode 100644 index 0000000000..4065abf771 --- /dev/null +++ b/yass/third_party/mbedtls/framework/psasim/.gitignore @@ -0,0 +1,12 @@ +bin/* +*.o +*.so +test/psa_ff_bootstrap.c +test/psa_manifest/* +test/client +test/partition +cscope.out +*.orig +*.swp +*.DS_Store +*psa_ff_bootstrap_* diff --git a/yass/third_party/mbedtls/framework/psasim/Makefile b/yass/third_party/mbedtls/framework/psasim/Makefile new file mode 100644 index 0000000000..88ea7091c4 --- /dev/null +++ b/yass/third_party/mbedtls/framework/psasim/Makefile @@ -0,0 +1,64 @@ +CFLAGS ?= -Wall -std=c99 +INCLUDE := -I./include/ +DESTDIR ?= /usr/local +PREFIX := libpsaff +BUILDDIR ?= bin + +.PHONY: all install test uninstall run docker ci + +all: libpsaff.so + +libpsaff.so: + $(CC) $(INCLUDE) $(CFLAGS) -c -fpic src/common.c -o common.o + $(CC) $(INCLUDE) $(CFLAGS) -c -fpic src/client.c -o client.o + $(CC) $(INCLUDE) $(CFLAGS) -c -fpic src/service.c -o server.o + $(CC) -shared -o libpsaff.so common.o client.o server.o + +ifeq ($(DEBUG),1) + CFLAGS += -DDEBUG -g +endif + +clean: + rm -rf $(BUILDDIR) + rm -f *.so *.o + rm -rf test/*dSYM + cd test && make clean + +test: + cd test && make + +test/partition: + cd test && make + +run: test/partition + pkill partition || true + pkill client || true + ipcs | grep q | awk '{ printf " -q " $$2 }' | xargs ipcrm > /dev/null 2>&1 || true + (sleep 3 && ./test/client)& + ./test/partition + +ci: + pkill client || true + ipcs | grep q | awk '{ printf " -q " $$2 }' | xargs ipcrm > /dev/null 2>&1 || true + ./test/partition 2>&1 & + sleep 3 && ./test/client + pkill partition || true + +docker: + @docker run --rm -ti -v $$PWD:/opt --entrypoint /bin/bash ubuntu \ + -c "cd /opt && ls && apt-get update -qq && apt install \ + -y gcc make gdb python -qq && make clean && make install && make test && ldconfig && make run" + +install: libpsaff.so + mkdir -p $(DESTDIR)/lib + mkdir -p $(DESTDIR)/include + cp libpsaff.so $(DESTDIR)/lib/ + cp -r include/* $(DESTDIR)/include/ + cp tools/psa_autogen /usr/local/bin/ + +uninstall: + rm $(DESTDIR)/lib/libpsaff.so + rm -rf $(DESTDIR)/include/psa + rm -rf $(DESTDIR)/include/psasim + rm -f /usr/local/bin/psa_autogen + diff --git a/yass/third_party/mbedtls/framework/psasim/README.md b/yass/third_party/mbedtls/framework/psasim/README.md new file mode 100644 index 0000000000..e8f2863180 --- /dev/null +++ b/yass/third_party/mbedtls/framework/psasim/README.md @@ -0,0 +1,60 @@ +# psasim + +This tool simulates a PSA Firmware Framework implementation. +It allows you to develop secure partitions and their clients on a desktop computer. +It should be able to run on all systems that support POSIX and System V IPC: +e.g. macOS, Linux, FreeBSD, and perhaps Windows 10 WSL2. + +Please note that the code in this directory is maintained by the Mbed TLS / PSA Crypto project solely for the purpose of testing the use of Mbed TLS with client/service separation. We do not recommend using this code for any other purpose. In particular: + +* This simulator is not intended to pass or demonstrate compliance. +* This code is only intended for simulation and does not have any security goals. It does not isolate services from clients. + +## Building + +To build and run the test program make sure you have `make`, `python` and a +C compiler installed and then enter the following commands: + +```sh +make install +make run +``` + +On Linux you may need to run `ldconfig` to ensure the library is properly installed. + +An example pair of programs is included in the `test` directory. + +## Features + +The implemented API is intended to be compliant with PSA-FF 1.0.0 with the exception of a couple of things that are a work in progress: + +* `psa_notify` support +* "strict" policy in manifest + +The only supported "interrupts" are POSIX signals, which act +as a "virtual interrupt". + +The standard PSA RoT APIs are not included (e.g. cryptography, attestation, lifecycle etc). + +## Design + +The code is designed to be readable rather than fast or secure. +In this implementation only one message is delivered to a +RoT service at a time. +The code is not thread-safe. + +To debug the simulator enable the debug flag: + +```sh +make DEBUG=1 install +``` + +## Unsupported features + +Because this is a simulator there are a few things that +can't be reasonably emulated: + +* Manifest MMIO regions are unsupported +* Manifest priority field is ignored +* Partition IDs are in fact POSIX `pid_t`, which are only assigned at runtime, + making it infeasible to populate pid.h with correct values. diff --git a/yass/third_party/mbedtls/framework/psasim/include/psa/client.h b/yass/third_party/mbedtls/framework/psasim/include/psa/client.h new file mode 100644 index 0000000000..55d536917e --- /dev/null +++ b/yass/third_party/mbedtls/framework/psasim/include/psa/client.h @@ -0,0 +1,78 @@ +/* PSA Firmware Framework client header for psasim. */ + +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +#ifndef __PSA_CLIENT_H__ +#define __PSA_CLIENT_H__ + +#ifdef __cplusplus +extern "C" { +#endif + +#include +#include +#include +/*********************** PSA Client Macros and Types *************************/ + +#define PSA_FRAMEWORK_VERSION (0x0100) + +#define PSA_VERSION_NONE (0) + +/* PSA response types */ +#define PSA_CONNECTION_REFUSED PSA_ERROR_CONNECTION_REFUSED +#define PSA_CONNECTION_BUSY PSA_ERROR_CONNECTION_BUSY +#define PSA_DROP_CONNECTION PSA_ERROR_PROGRAMMER_ERROR + +/* PSA message handles */ +#define PSA_NULL_HANDLE ((psa_handle_t) 0) + +#define PSA_HANDLE_IS_VALID(handle) ((psa_handle_t) (handle) > 0) +#define PSA_HANDLE_TO_ERROR(handle) ((psa_status_t) (handle)) + +#define PSA_MAX_IOVEC (4u) + +#define PSA_IPC_CALL (0) + +typedef int32_t psa_handle_t; + +/** + * A read-only input memory region provided to an RoT Service. + */ +typedef struct psa_invec { + const void *base; + size_t len; +} psa_invec; + +/** + * A writable output memory region provided to an RoT Service. + */ +typedef struct psa_outvec { + void *base; + size_t len; +} psa_outvec; + +/*************************** PSA Client API **********************************/ + +uint32_t psa_framework_version(void); + +uint32_t psa_version(uint32_t sid); + +psa_handle_t psa_connect(uint32_t sid, uint32_t version); + +psa_status_t psa_call(psa_handle_t handle, + int32_t type, + const psa_invec *in_vec, + size_t in_len, + psa_outvec *out_vec, + size_t out_len); + +void psa_close(psa_handle_t handle); + +#ifdef __cplusplus +} +#endif + +#endif /* __PSA_CLIENT_H__ */ diff --git a/yass/third_party/mbedtls/framework/psasim/include/psa/error.h b/yass/third_party/mbedtls/framework/psasim/include/psa/error.h new file mode 100644 index 0000000000..2a7558a5d0 --- /dev/null +++ b/yass/third_party/mbedtls/framework/psasim/include/psa/error.h @@ -0,0 +1,36 @@ +/* PSA status codes used by psasim. */ + +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +#ifndef PSA_ERROR_H +#define PSA_ERROR_H +#include +typedef int32_t psa_status_t; + +#define PSA_SUCCESS ((psa_status_t) 0) + +#define PSA_ERROR_PROGRAMMER_ERROR ((psa_status_t) -129) +#define PSA_ERROR_CONNECTION_REFUSED ((psa_status_t) -130) +#define PSA_ERROR_CONNECTION_BUSY ((psa_status_t) -131) +#define PSA_ERROR_GENERIC_ERROR ((psa_status_t) -132) +#define PSA_ERROR_NOT_PERMITTED ((psa_status_t) -133) +#define PSA_ERROR_NOT_SUPPORTED ((psa_status_t) -134) +#define PSA_ERROR_INVALID_ARGUMENT ((psa_status_t) -135) +#define PSA_ERROR_INVALID_HANDLE ((psa_status_t) -136) +#define PSA_ERROR_BAD_STATE ((psa_status_t) -137) +#define PSA_ERROR_BUFFER_TOO_SMALL ((psa_status_t) -138) +#define PSA_ERROR_ALREADY_EXISTS ((psa_status_t) -139) +#define PSA_ERROR_DOES_NOT_EXIST ((psa_status_t) -140) +#define PSA_ERROR_INSUFFICIENT_MEMORY ((psa_status_t) -141) +#define PSA_ERROR_INSUFFICIENT_STORAGE ((psa_status_t) -142) +#define PSA_ERROR_INSUFFICIENT_DATA ((psa_status_t) -143) +#define PSA_ERROR_SERVICE_FAILURE ((psa_status_t) -144) +#define PSA_ERROR_COMMUNICATION_FAILURE ((psa_status_t) -145) +#define PSA_ERROR_STORAGE_FAILURE ((psa_status_t) -146) +#define PSA_ERROR_HARDWARE_FAILURE ((psa_status_t) -147) +#define PSA_ERROR_INVALID_SIGNATURE ((psa_status_t) -149) + +#endif diff --git a/yass/third_party/mbedtls/framework/psasim/include/psa/lifecycle.h b/yass/third_party/mbedtls/framework/psasim/include/psa/lifecycle.h new file mode 100644 index 0000000000..1148397a88 --- /dev/null +++ b/yass/third_party/mbedtls/framework/psasim/include/psa/lifecycle.h @@ -0,0 +1,17 @@ +/* PSA lifecycle states used by psasim. */ + +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +#define PSA_LIFECYCLE_PSA_STATE_MASK (0xff00u) +#define PSA_LIFECYCLE_IMP_STATE_MASK (0x00ffu) +#define PSA_LIFECYCLE_UNKNOWN (0x0000u) +#define PSA_LIFECYCLE_ASSEMBLY_AND_TEST (0x1000u) +#define PSA_LIFECYCLE_PSA_ROT_PROVISIONING (0x2000u) +#define PSA_LIFECYCLE_SECURED (0x3000u) +#define PSA_LIFECYCLE_NON_PSA_ROT_DEBUG (0x4000u) +#define PSA_LIFECYCLE_RECOVERABLE_PSA_ROT_DEBUG (0x5000u) +#define PSA_LIFECYCLE_DECOMMISSIONED (0x6000u) +#define psa_rot_lifecycle_state(void) PSA_LIFECYCLE_UNKNOWN diff --git a/yass/third_party/mbedtls/framework/psasim/include/psa/service.h b/yass/third_party/mbedtls/framework/psasim/include/psa/service.h new file mode 100644 index 0000000000..9ae801d8fd --- /dev/null +++ b/yass/third_party/mbedtls/framework/psasim/include/psa/service.h @@ -0,0 +1,249 @@ +/* PSA Firmware Framework service header for psasim. */ + +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +#ifndef __PSA_SERVICE_H__ +#define __PSA_SERVICE_H__ + +#ifdef __cplusplus +extern "C" { +#endif +#include +#include +#include +#include +/********************** PSA Secure Partition Macros and Types ****************/ + +/* PSA wait timeouts */ +#define PSA_POLL (0x00000000u) +#define PSA_BLOCK (0x80000000u) + +/* A mask value that includes all Secure Partition signals */ +#define PSA_WAIT_ANY (~0u) + +/* Doorbell signal */ +#define PSA_DOORBELL (0x00000008u) + +/* PSA message types */ +#define PSA_IPC_CONNECT (-1) +#define PSA_IPC_DISCONNECT (-2) + +/* Return code from psa_get() */ +#define PSA_ERR_NOMSG (INT32_MIN + 3) + +/* Store a set of one or more Secure Partition signals */ +typedef uint32_t psa_signal_t; + +/** + * Describe a message received by an RoT Service after calling \ref psa_get(). + */ +typedef struct psa_msg_t { + uint32_t type; /* One of the following values: + * \ref PSA_IPC_CONNECT + * \ref PSA_IPC_CALL + * \ref PSA_IPC_DISCONNECT + */ + psa_handle_t handle; /* A reference generated by the SPM to the + * message returned by psa_get(). + */ + int32_t client_id; /* Partition ID of the sender of the message */ + void *rhandle; /* Be useful for binding a connection to some + * application-specific data or function + * pointer within the RoT Service + * implementation. + */ + size_t in_size[PSA_MAX_IOVEC]; /* Provide the size of each client input + * vector in bytes. + */ + size_t out_size[PSA_MAX_IOVEC];/* Provide the size of each client output + * vector in bytes. + */ +} psa_msg_t; + +/************************* PSA Secure Partition API **************************/ + +/** + * \brief Return the Secure Partition interrupt signals that have been asserted + * from a subset of signals provided by the caller. + * + * \param[in] signal_mask A set of signals to query. Signals that are not + * in this set will be ignored. + * \param[in] timeout Specify either blocking \ref PSA_BLOCK or + * polling \ref PSA_POLL operation. + * + * \retval >0 At least one signal is asserted. + * \retval 0 No signals are asserted. This is only seen when + * a polling timeout is used. + */ +psa_signal_t psa_wait(psa_signal_t signal_mask, uint32_t timeout); + +/** + * \brief Retrieve the message which corresponds to a given RoT Service signal + * and remove the message from the RoT Service queue. + * + * \param[in] signal The signal value for an asserted RoT Service. + * \param[out] msg Pointer to \ref psa_msg_t object for receiving + * the message. + * + * \retval PSA_SUCCESS Success, *msg will contain the delivered + * message. + * \retval PSA_ERR_NOMSG Message could not be delivered. + * \retval "Does not return" The call is invalid because one or more of the + * following are true: + * \arg signal has more than a single bit set. + * \arg signal does not correspond to an RoT Service. + * \arg The RoT Service signal is not currently + * asserted. + * \arg The msg pointer provided is not a valid memory + * reference. + */ +psa_status_t psa_get(psa_signal_t signal, psa_msg_t *msg); + +/** + * \brief Associate some RoT Service private data with a client connection. + * + * \param[in] msg_handle Handle for the client's message. + * \param[in] rhandle Reverse handle allocated by the RoT Service. + * + * \retval void Success, rhandle will be provided with all + * subsequent messages delivered on this + * connection. + * \retval "Does not return" msg_handle is invalid. + */ +void psa_set_rhandle(psa_handle_t msg_handle, void *rhandle); + +/** + * \brief Read a message parameter or part of a message parameter from a client + * input vector. + * + * \param[in] msg_handle Handle for the client's message. + * \param[in] invec_idx Index of the input vector to read from. Must be + * less than \ref PSA_MAX_IOVEC. + * \param[out] buffer Buffer in the Secure Partition to copy the + * requested data to. + * \param[in] num_bytes Maximum number of bytes to be read from the + * client input vector. + * + * \retval >0 Number of bytes copied. + * \retval 0 There was no remaining data in this input + * vector. + * \retval "Does not return" The call is invalid, one or more of the + * following are true: + * \arg msg_handle is invalid. + * \arg msg_handle does not refer to a + * \ref PSA_IPC_CALL message. + * \arg invec_idx is equal to or greater than + * \ref PSA_MAX_IOVEC. + * \arg the memory reference for buffer is invalid or + * not writable. + */ +size_t psa_read(psa_handle_t msg_handle, uint32_t invec_idx, + void *buffer, size_t num_bytes); + +/** + * \brief Skip over part of a client input vector. + * + * \param[in] msg_handle Handle for the client's message. + * \param[in] invec_idx Index of input vector to skip from. Must be + * less than \ref PSA_MAX_IOVEC. + * \param[in] num_bytes Maximum number of bytes to skip in the client + * input vector. + * + * \retval >0 Number of bytes skipped. + * \retval 0 There was no remaining data in this input + * vector. + * \retval "Does not return" The call is invalid, one or more of the + * following are true: + * \arg msg_handle is invalid. + * \arg msg_handle does not refer to a + * \ref PSA_IPC_CALL message. + * \arg invec_idx is equal to or greater than + * \ref PSA_MAX_IOVEC. + */ +size_t psa_skip(psa_handle_t msg_handle, uint32_t invec_idx, size_t num_bytes); + +/** + * \brief Write a message response to a client output vector. + * + * \param[in] msg_handle Handle for the client's message. + * \param[out] outvec_idx Index of output vector in message to write to. + * Must be less than \ref PSA_MAX_IOVEC. + * \param[in] buffer Buffer with the data to write. + * \param[in] num_bytes Number of bytes to write to the client output + * vector. + * + * \retval void Success + * \retval "Does not return" The call is invalid, one or more of the + * following are true: + * \arg msg_handle is invalid. + * \arg msg_handle does not refer to a + * \ref PSA_IPC_CALL message. + * \arg outvec_idx is equal to or greater than + * \ref PSA_MAX_IOVEC. + * \arg The memory reference for buffer is invalid. + * \arg The call attempts to write data past the end + * of the client output vector. + */ +void psa_write(psa_handle_t msg_handle, uint32_t outvec_idx, + const void *buffer, size_t num_bytes); + +/** + * \brief Complete handling of a specific message and unblock the client. + * + * \param[in] msg_handle Handle for the client's message. + * \param[in] status Message result value to be reported to the + * client. + * + * \retval void Success. + * \retval "Does not return" The call is invalid, one or more of the + * following are true: + * \arg msg_handle is invalid. + * \arg An invalid status code is specified for the + * type of message. + */ +void psa_reply(psa_handle_t msg_handle, psa_status_t status); + +/** + * \brief Send a PSA_DOORBELL signal to a specific Secure Partition. + * + * \param[in] partition_id Secure Partition ID of the target partition. + * + * \retval void Success. + * \retval "Does not return" partition_id does not correspond to a Secure + * Partition. + */ +void psa_notify(int32_t partition_id); + +/** + * \brief Clear the PSA_DOORBELL signal. + * + * \retval void Success. + * \retval "Does not return" The Secure Partition's doorbell signal is not + * currently asserted. + */ +void psa_clear(void); + +/** + * \brief Inform the SPM that an interrupt has been handled (end of interrupt). + * + * \param[in] irq_signal The interrupt signal that has been processed. + * + * \retval void Success. + * \retval "Does not return" The call is invalid, one or more of the + * following are true: + * \arg irq_signal is not an interrupt signal. + * \arg irq_signal indicates more than one signal. + * \arg irq_signal is not currently asserted. + */ +void psa_eoi(psa_signal_t irq_signal); + +#define psa_panic(X) abort(); + +#ifdef __cplusplus +} +#endif + +#endif /* __PSA_SERVICE_H__ */ diff --git a/yass/third_party/mbedtls/framework/psasim/include/psasim/init.h b/yass/third_party/mbedtls/framework/psasim/include/psasim/init.h new file mode 100644 index 0000000000..9496fc2a1c --- /dev/null +++ b/yass/third_party/mbedtls/framework/psasim/include/psasim/init.h @@ -0,0 +1,15 @@ +/* Declarations of internal functions. */ + +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +#include +#include +void raise_signal(psa_signal_t signal); +void __init_psasim(const char **array, + int size, + const int allow_ns_clients_array[32], + const uint32_t versions[32], + const int strict_policy_array[32]); diff --git a/yass/third_party/mbedtls/framework/psasim/src/client.c b/yass/third_party/mbedtls/framework/psasim/src/client.c new file mode 100644 index 0000000000..fa989002e8 --- /dev/null +++ b/yass/third_party/mbedtls/framework/psasim/src/client.c @@ -0,0 +1,380 @@ +/* PSA firmware framework client API */ + +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "common.h" + +typedef struct internal_handle { + int server_qid; + int client_qid; + int internal_server_qid; + int valid; +} internal_handle_t; + +/* Access to this global is not thread safe */ +#define MAX_HANDLES 32 +static internal_handle_t handles[MAX_HANDLES] = { { 0 } }; + +static int get_next_free_handle() +{ + /* Never return handle 0 as it's a special null handle */ + for (int i = 1; i < MAX_HANDLES; i++) { + if (handles[i].valid == 0) { + return i; + } + } + return -1; +} + +static int handle_is_valid(psa_handle_t handle) +{ + if (handle > 0 && handle < MAX_HANDLES) { + if (handles[handle].valid == 1) { + return 1; + } + } + PROGRAMMER_ERROR("ERROR: Invalid handle"); + return 0; +} + +static int get_queue_info(char *path, int *cqid, int *sqid) +{ + + key_t server_queue_key; + int rx_qid, server_qid; + + INFO("Attempting to contact a RoT service queue"); + + if ((rx_qid = msgget(IPC_PRIVATE, 0660)) == -1) { + INFO("msgget: rx_qid"); + return -1; + } + + if ((server_queue_key = ftok(path, PROJECT_ID)) == -1) { + INFO("ftok"); + return -2; + } + + if ((server_qid = msgget(server_queue_key, 0)) == -1) { + INFO("msgget: server_qid"); + return -3; + } + + *cqid = rx_qid; + *sqid = server_qid; + + return 0; +} + +static psa_status_t process_response(int rx_qid, vectors_t *vecs, int type, + int *internal_server_qid) +{ + + struct message response, request; + psa_status_t ret = PSA_ERROR_CONNECTION_REFUSED; + size_t invec_seek[4] = { 0 }; + size_t data_size; + psa_status_t invec, outvec; /* TODO: Should these be size_t ? */ + + assert(internal_server_qid > 0); + + while (1) { + data_size = 0; + invec = 0; + outvec = 0; + + // read response from server + if (msgrcv(rx_qid, &response, sizeof(struct message_text), 0, 0) == -1) { + puts(" msgrcv failed"); + return ret; + } + + // process return message from server + switch (response.message_type) { + case PSA_REPLY: + memcpy(&ret, response.message_text.buf, sizeof(psa_status_t)); + printf(" Message received from server: %d\n", ret); + if (type == PSA_IPC_CONNECT && ret > 0) { + *internal_server_qid = ret; + INFO(" ASSSIGNED q ID %d", *internal_server_qid); + ret = PSA_SUCCESS; + } + return ret; + break; + case READ_REQUEST: + /* read data request */ + request.message_type = READ_RESPONSE; + + assert(vecs != 0); + + memcpy(&invec, response.message_text.buf, sizeof(psa_status_t)); + memcpy(&data_size, response.message_text.buf+sizeof(size_t), sizeof(size_t)); + INFO(" Partition asked for %lu bytes from invec %d", data_size, invec); + + /* need to add more checks here */ + assert(invec >= 0 && invec < PSA_MAX_IOVEC); + + if (data_size > MAX_FRAGMENT_SIZE) { + data_size = MAX_FRAGMENT_SIZE; + } + + /* send response */ + INFO(" invec_seek[invec] is %lu", invec_seek[invec]); + INFO(" Reading from offset %p", vecs->in_vec[invec].base + invec_seek[invec]); + memcpy(request.message_text.buf, + (vecs->in_vec[invec].base + invec_seek[invec]), + data_size); + + /* update invec base TODO: check me */ + invec_seek[invec] = invec_seek[invec] + data_size; + + INFO(" Sending message of type %li", request.message_type); + INFO(" with content %s\n", request.message_text.buf); + + if (msgsnd(*internal_server_qid, &request, + sizeof(int) + sizeof(uint32_t) + data_size, 0) == -1) { + INFO("Internal error: failed to respond to read request"); + } + break; + case WRITE_REQUEST: + assert(vecs != 0); + + request.message_type = WRITE_RESPONSE; + + memcpy(&outvec, response.message_text.buf, sizeof(psa_status_t)); + memcpy(&data_size, response.message_text.buf + sizeof(size_t), sizeof(size_t)); + INFO(" Partition wants to write %lu bytes to outvec %d", data_size, outvec); + + assert(outvec >= 0 && outvec < PSA_MAX_IOVEC); + + /* copy memory into message and send back amount written */ + size_t sofar = vecs->out_vec[outvec].len; + memcpy(vecs->out_vec[outvec].base + sofar, + response.message_text.buf+(sizeof(size_t)*2), data_size); + INFO(" Data size is %lu\n", data_size); + vecs->out_vec[outvec].len += data_size; + + INFO(" Sending message of type %li\n", request.message_type); + + /* send response */ + if (msgsnd(*internal_server_qid, &request, sizeof(int) + data_size, 0) == -1) { + INFO("Internal error: failed to respond to write request"); + } + break; + case SKIP_REQUEST: + memcpy(&invec, response.message_text.buf, sizeof(psa_status_t)); + memcpy(&data_size, response.message_text.buf+sizeof(size_t), sizeof(size_t)); + INFO(" Partition asked to skip %lu bytes in invec %d", data_size, invec); + assert(invec >= 0 && invec < PSA_MAX_IOVEC); + /* update invec base TODO: check me */ + invec_seek[invec] = invec_seek[invec] + data_size; + break; + + default: + FATAL(" ERROR: unknown internal message type: %ld\n", + response.message_type); + return ret; + } + } +} + +static psa_status_t send(int rx_qid, int server_qid, int *internal_server_qid, + int32_t type, uint32_t minor_version, vectors_t *vecs) +{ + { + psa_status_t ret = PSA_ERROR_CONNECTION_REFUSED; + size_t request_msg_size = (sizeof(int) + sizeof(long)); /* msg type plus queue id */ + struct message request; + request.message_type = 1; /* TODO: change this */ + request.message_text.psa_type = type; + vector_sizes_t vec_sizes; + + /* If the client is non-secure then set the NS bit */ + if (__psa_ff_client_security_state != 0) { + request.message_type |= NON_SECURE; + } + + assert(request.message_type >= 0); + + INFO("SEND: Sending message of type %ld with psa_type %d", request.message_type, type); + INFO(" internal_server_qid = %i", *internal_server_qid); + + request.message_text.qid = rx_qid; + + if (type == PSA_IPC_CONNECT) { + memcpy(request.message_text.buf, &minor_version, sizeof(minor_version)); + request_msg_size = request_msg_size + sizeof(minor_version); + INFO(" Request msg size is %lu", request_msg_size); + } else { + assert(internal_server_qid > 0); + } + + if (vecs != NULL && type >= PSA_IPC_CALL) { + + bzero(&vec_sizes, sizeof(vec_sizes)); + + /* Copy invec sizes */ + for (size_t i = 0; i < (vecs->in_len); i++) { + vec_sizes.invec_sizes[i] = vecs->in_vec[i].len; + INFO(" Client sending vector %lu: %lu", i, vec_sizes.invec_sizes[i]); + } + + /* Copy outvec sizes */ + for (size_t i = 0; i < (vecs->out_len); i++) { + vec_sizes.outvec_sizes[i] = vecs->out_vec[i].len; + + /* Reset to 0 since we need to eventually fill in with bytes written */ + vecs->out_vec[i].len = 0; + } + + memcpy(request.message_text.buf, &vec_sizes, sizeof(vec_sizes)); + request_msg_size = request_msg_size + sizeof(vec_sizes); + } + + INFO(" Sending and then waiting"); + + // send message to server + if (msgsnd(server_qid, &request, request_msg_size, 0) == -1) { + puts(" msgsnd failed"); + return ret; + } + + return process_response(rx_qid, vecs, type, internal_server_qid); + } +} + + +uint32_t psa_framework_version(void) +{ + return PSA_FRAMEWORK_VERSION; +} + +psa_handle_t psa_connect(uint32_t sid, uint32_t minor_version) +{ + + int idx; + psa_status_t ret; + char pathname[PATHNAMESIZE] = { 0 }; + + idx = get_next_free_handle(); + + /* if there's a free handle available */ + if (idx >= 0) { + snprintf(pathname, PATHNAMESIZE - 1, "/tmp/psa_service_%u", sid); + INFO("Attempting to contact RoT service at %s", pathname); + + /* if communication is possible */ + if (get_queue_info(pathname, &handles[idx].client_qid, &handles[idx].server_qid) >= 0) { + + ret = send(handles[idx].client_qid, + handles[idx].server_qid, + &handles[idx].internal_server_qid, + PSA_IPC_CONNECT, + minor_version, + NULL); + + /* if connection accepted by RoT service */ + if (ret >= 0) { + handles[idx].valid = 1; + return idx; + } else { + INFO("Server didn't like you"); + } + } else { + INFO("Couldn't contact RoT service. Does it exist?"); + + if (__psa_ff_client_security_state == 0) { + PROGRAMMER_ERROR("Invalid SID"); + } + } + } + + INFO("Couldn't obtain a free handle"); + return PSA_ERROR_CONNECTION_REFUSED; +} + +uint32_t psa_version(uint32_t sid) +{ + int idx; + psa_status_t ret; + char pathname[PATHNAMESIZE] = { 0 }; + + idx = get_next_free_handle(); + + if (idx >= 0) { + snprintf(pathname, PATHNAMESIZE, "/tmp/psa_service_%u", sid); + if (get_queue_info(pathname, &handles[idx].client_qid, &handles[idx].server_qid) >= 0) { + ret = send(handles[idx].client_qid, + handles[idx].server_qid, + &handles[idx].internal_server_qid, + VERSION_REQUEST, + 0, + NULL); + INFO("psa_version: Recieved from server %d\n", ret); + if (ret > 0) { + return ret; + } + } + } + INFO("psa_version failed: does the service exist?"); + return PSA_VERSION_NONE; +} + +psa_status_t psa_call(psa_handle_t handle, + int32_t type, + const psa_invec *in_vec, + size_t in_len, + psa_outvec *out_vec, + size_t out_len) +{ + + handle_is_valid(handle); + + if ((in_len + out_len) > PSA_MAX_IOVEC) { + PROGRAMMER_ERROR("Too many iovecs: %lu + %lu", in_len, out_len); + } + + vectors_t vecs = { 0 }; + vecs.in_vec = in_vec; + vecs.in_len = in_len; + vecs.out_vec = out_vec; + vecs.out_len = out_len; + + return send(handles[handle].client_qid, + handles[handle].server_qid, + &handles[handle].internal_server_qid, + type, + 0, + &vecs); +} + +void psa_close(psa_handle_t handle) +{ + handle_is_valid(handle); + if (send(handles[handle].client_qid, handles[handle].server_qid, + &handles[handle].internal_server_qid, PSA_IPC_DISCONNECT, 0, NULL)) { + puts("ERROR: Couldn't send disconnect msg"); + } else { + if (msgctl(handles[handle].client_qid, IPC_RMID, NULL) != 0) { + puts("ERROR: Failed to delete msg queue"); + } + } + INFO("Closing handle %u", handle); + handles[handle].valid = 0; +} diff --git a/yass/third_party/mbedtls/framework/psasim/src/common.c b/yass/third_party/mbedtls/framework/psasim/src/common.c new file mode 100644 index 0000000000..26f3719089 --- /dev/null +++ b/yass/third_party/mbedtls/framework/psasim/src/common.c @@ -0,0 +1,23 @@ +/* Common code between clients and services */ + +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +#include "common.h" +int __psa_ff_client_security_state = NON_SECURE; + +#if 0 +static void _printbits(uint32_t num) +{ + for (int i = 0; i < 32; i++) { + if ((num >> (31-i) & 0x1)) { + INFO("1"); + } else { + INFO("0"); + } + } + INFO("\n"); +} +#endif diff --git a/yass/third_party/mbedtls/framework/psasim/src/common.h b/yass/third_party/mbedtls/framework/psasim/src/common.h new file mode 100644 index 0000000000..96760d909f --- /dev/null +++ b/yass/third_party/mbedtls/framework/psasim/src/common.h @@ -0,0 +1,85 @@ +/* Common definitions used for clients and services */ + +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +#include + +#ifdef DEBUG +#define DEBUG_TEST 1 +#else +#define DEBUG_TEST 0 +#endif + +#define PRINT(...) \ + do { if (DEBUG_TEST) fprintf(stderr, __VA_ARGS__); } while (0) +#define INFO(...) \ + do { if (DEBUG_TEST) { PRINT("%s", __FILE__); PRINT(" INFO: " __VA_ARGS__); printf("\n"); \ + } } while (0) + +#define PROGRAMMER_ERROR(...) \ + do { if (DEBUG_TEST) { PRINT("%s:%d:%s(): PROGRAMMER ERROR", __FILE__, __LINE__, __func__); \ + PRINT(__VA_ARGS__); } abort(); } while (0) + +#define FATAL(...) \ + do { if (DEBUG_TEST) { PRINT("%s:%d:%s(): INTERNAL ERROR", __FILE__, __LINE__, __func__); PRINT( \ + __VA_ARGS__); } abort(); } while (0) + + +#define PROJECT_ID 'M' +#define PATHNAMESIZE 64 + +/* Increasing this might break on some platforms */ +#define MAX_FRAGMENT_SIZE 200 + +#define CONNECT_REQUEST 1 +#define CALL_REQUEST 2 +#define CLOSE_REQUEST 3 +#define VERSION_REQUEST 4 +#define READ_REQUEST 5 +#define READ_RESPONSE 6 +#define WRITE_REQUEST 7 +#define WRITE_RESPONSE 8 +#define SKIP_REQUEST 9 +#define PSA_REPLY 10 + +#define NON_SECURE (1 << 30) + +/* Note that this implementation is functional and not secure */ +extern int __psa_ff_client_security_state; + +struct message_text { + int qid; + int32_t psa_type; + char buf[MAX_FRAGMENT_SIZE]; +}; + + +struct message { + long message_type; + struct message_text message_text; +}; + +struct request_msg_internal { + psa_invec invec; + size_t skip_num; +}; + +struct skip_request_msg { + long message_type; + struct request_msg_internal message_text; +}; + +typedef struct vectors { + const psa_invec *in_vec; + size_t in_len; + psa_outvec *out_vec; + size_t out_len; +} vectors_t; + +typedef struct vector_sizes { + size_t invec_sizes[PSA_MAX_IOVEC]; + size_t outvec_sizes[PSA_MAX_IOVEC]; +} vector_sizes_t; diff --git a/yass/third_party/mbedtls/framework/psasim/src/service.c b/yass/third_party/mbedtls/framework/psasim/src/service.c new file mode 100644 index 0000000000..9bfe20f78a --- /dev/null +++ b/yass/third_party/mbedtls/framework/psasim/src/service.c @@ -0,0 +1,655 @@ +/* PSA Firmware Framework service API */ + +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "common.h" + +#define MAX_CLIENTS 128 +#define MAX_MESSAGES 32 + +struct connection { + uint32_t client; + void *rhandle; + int client_to_server_q; // this should be called client to server +}; + +static psa_msg_t messages[MAX_MESSAGES]; /* Message slots */ +static uint8_t pending_message[MAX_MESSAGES] = { 0 }; /* Booleans indicating active message slots */ +static uint32_t message_client[MAX_MESSAGES] = { 0 }; /* Each client's response queue */ +static int nsacl[32]; +static int strict_policy[32] = { 0 }; +static uint32_t rot_svc_versions[32]; +static int rot_svc_incoming_queue[32] = { -1 }; +static struct connection connections[MAX_CLIENTS] = { { 0 } }; + +static uint32_t exposed_signals = 0; + +void print_vectors(vector_sizes_t *sizes) +{ + INFO("Printing iovec sizes"); + for (int j = 0; j < PSA_MAX_IOVEC; j++) { + INFO("Invec %d: %lu", j, sizes->invec_sizes[j]); + } + + for (int j = 0; j < PSA_MAX_IOVEC; j++) { + INFO("Outvec %d: %lu", j, sizes->outvec_sizes[j]); + } +} + +int find_connection(uint32_t client) +{ + for (int i = 1; i < MAX_CLIENTS; i++) { + if (client == connections[i].client) { + return i; + } + } + return -1; +} + +void destroy_connection(uint32_t client) +{ + int idx = find_connection(client); + if (idx >= 0) { + connections[idx].client = 0; + connections[idx].rhandle = 0; + INFO("Destroying connection"); + } else { + INFO("Couldn't destroy connection for %u", client); + } +} + +int find_free_connection() +{ + INFO("Allocating connection"); + return find_connection(0); +} + +static void reply(psa_handle_t msg_handle, psa_status_t status) +{ + pending_message[msg_handle] = 1; + psa_reply(msg_handle, status); + pending_message[msg_handle] = 0; +} + +psa_signal_t psa_wait(psa_signal_t signal_mask, uint32_t timeout) +{ + + psa_signal_t mask; + struct message msg; + vector_sizes_t sizes; + struct msqid_ds qinfo; + uint32_t requested_version; + ssize_t len; + int idx; + + if (timeout == PSA_POLL) { + INFO("psa_wait: Called in polling mode"); + } + + do { + mask = signal_mask; + + /* Check the status of each queue */ + for (int i = 0; i < 32; i++) { + if (mask & 0x1) { + if (i < 3) { + // do nothing (reserved) + } else if (i == 3) { + // this must be psa doorbell + } else { + + /* Check if this signal corresponds to a queue */ + if (rot_svc_incoming_queue[i] >= 0 && (pending_message[i] == 0)) { + + /* AFAIK there is no "peek" method in SysV, so try to get a message */ + len = msgrcv(rot_svc_incoming_queue[i], + &msg, + sizeof(struct message_text), + 0, + IPC_NOWAIT); + if (len > 0) { + + INFO("Storing that QID in message_client[%d]\n", i); + INFO("The message handle will be %d\n", i); + + msgctl(rot_svc_incoming_queue[i], IPC_STAT, &qinfo); + messages[i].client_id = qinfo.msg_lspid; /* PID of last msgsnd(2) call */ + message_client[i] = msg.message_text.qid; + idx = find_connection(msg.message_text.qid); + + if (msg.message_type & NON_SECURE) { + /* This is a non-secure message */ + + /* Check if NS client is allowed for this RoT service */ + if (nsacl[i] <= 0) { +#if 0 + INFO( + "Rejecting non-secure client due to manifest security policy"); + reply(i, PSA_ERROR_CONNECTION_REFUSED); + continue; /* Skip to next signal */ +#endif + } + + msg.message_type &= ~(NON_SECURE); /* clear */ + messages[i].client_id = messages[i].client_id * -1; + } + + INFO("Got a message from client ID %d\n", messages[i].client_id); + INFO("Message type is %lu\n", msg.message_type); + INFO("PSA message type is %d\n", msg.message_text.psa_type); + + messages[i].handle = i; + + switch (msg.message_text.psa_type) { + case PSA_IPC_CONNECT: + + if (len >= 16) { + memcpy(&requested_version, msg.message_text.buf, + sizeof(requested_version)); + INFO("Requesting version %u\n", requested_version); + INFO("Implemented version %u\n", rot_svc_versions[i]); + /* TODO: need to check whether the policy is strict, + * and if so, then reject the client if the number doesn't match */ + + if (requested_version > rot_svc_versions[i]) { + INFO( + "Rejecting client because requested version that was too high"); + reply(i, PSA_ERROR_CONNECTION_REFUSED); + continue; /* Skip to next signal */ + } + + if (strict_policy[i] == 1 && + (requested_version != rot_svc_versions[i])) { + INFO( + "Rejecting client because enforcing a STRICT version policy"); + reply(i, PSA_ERROR_CONNECTION_REFUSED); + continue; /* Skip to next signal */ + } else { + INFO("Not rejecting client"); + } + } + + messages[i].type = PSA_IPC_CONNECT; + + if (idx < 0) { + idx = find_free_connection(); + } + + if (idx >= 0) { + connections[idx].client = msg.message_text.qid; + } else { + /* We've run out of system wide connections */ + reply(i, PSA_ERROR_CONNECTION_BUSY); + INFO("Ran out of free connections"); + continue; + } + + break; + case PSA_IPC_DISCONNECT: + messages[i].type = PSA_IPC_DISCONNECT; + break; + case VERSION_REQUEST: + INFO("Got a version request"); + reply(i, rot_svc_versions[i]); + continue; /* Skip to next signal */ + break; + + default: + + /* PSA CALL */ + if (msg.message_text.psa_type >= 0) { + messages[i].type = msg.message_text.psa_type; + memcpy(&sizes, msg.message_text.buf, sizeof(sizes)); + print_vectors(&sizes); + memcpy(&messages[i].in_size, &sizes.invec_sizes, + (sizeof(size_t) * PSA_MAX_IOVEC)); + memcpy(&messages[i].out_size, &sizes.outvec_sizes, + (sizeof(size_t) * PSA_MAX_IOVEC)); + } else { + FATAL("UNKNOWN MESSAGE TYPE RECEIVED %li\n", + msg.message_type); + } + break; + } + messages[i].handle = i; + + /* Check if the client has a connection */ + if (idx >= 0) { + messages[i].rhandle = connections[idx].rhandle; + } else { + /* Client is begging for a programmer error */ + reply(i, PSA_ERROR_PROGRAMMER_ERROR); + continue; + } + + /* House keeping */ + pending_message[i] = 1; /* set message as pending */ + exposed_signals |= (0x1 << i); /* assert the signal */ + } + } + } + mask = mask >> 1; + } + } + + if ((timeout == PSA_BLOCK) && (exposed_signals > 0)) { + break; + } else { + /* There is no 'select' function in SysV to block on multiple queues, so busy-wait :( */ + usleep(50000); + } + } while (timeout == PSA_BLOCK); + + INFO("\n"); + + /* Assert signals */ + return signal_mask & exposed_signals; +} + +static int signal_to_index(psa_signal_t signal) +{ + + int i; + int count = 0; + int ret = -1; + + for (i = 0; i < 32; i++) { + if (signal & 0x1) { + ret = i; + count++; + } + signal = signal >> 1; + } + + if (count > 1) { + INFO("ERROR: Too many signals"); + return -1; /* Too many signals */ + } + return ret; +} + +static void clear_signal(psa_signal_t signal) +{ + exposed_signals = exposed_signals & ~signal; +} + +void raise_signal(psa_signal_t signal) +{ + exposed_signals |= signal; +} + +psa_status_t psa_get(psa_signal_t signal, psa_msg_t *msg) +{ + int index = signal_to_index(signal); + if (index < 0) { + PROGRAMMER_ERROR("Bad signal\n"); + } + + clear_signal(signal); + + assert(messages[index].handle != 0); + + if (pending_message[index] == 1) { + INFO("There is a pending message!"); + memcpy(msg, &messages[index], sizeof(struct psa_msg_t)); + assert(msg->handle != 0); + return PSA_SUCCESS; + } else { + INFO("no pending message"); + } + + return PSA_ERROR_DOES_NOT_EXIST; +} + +static int is_valid_msg_handle(psa_handle_t h) +{ + if (h > 0 && h < MAX_MESSAGES) { + return 1; + } + PROGRAMMER_ERROR("Not a valid message handle"); +} + +static inline int is_call_msg(psa_handle_t h) +{ + assert(messages[h].type >= PSA_IPC_CALL); + return 1; +} + +void psa_set_rhandle(psa_handle_t msg_handle, void *rhandle) +{ + is_valid_msg_handle(msg_handle); + int idx = find_connection(message_client[msg_handle]); + INFO("Setting rhandle to %p", rhandle); + assert(idx >= 0); + connections[idx].rhandle = rhandle; +} + +/* Sends a message from the server to the client. Does not wait for a response */ +static void send_msg(psa_handle_t msg_handle, + int ctrl_msg, + psa_status_t status, + size_t amount, + const void *data, + size_t data_amount) +{ + + struct message response; + int flags = 0; + + assert(ctrl_msg > 0); /* According to System V, it must be greater than 0 */ + + response.message_type = ctrl_msg; + if (ctrl_msg == PSA_REPLY) { + memcpy(response.message_text.buf, &status, sizeof(psa_status_t)); + } else if (ctrl_msg == READ_REQUEST || ctrl_msg == WRITE_REQUEST || ctrl_msg == SKIP_REQUEST) { + memcpy(response.message_text.buf, &status, sizeof(psa_status_t)); + memcpy(response.message_text.buf+sizeof(size_t), &amount, sizeof(size_t)); + if (ctrl_msg == WRITE_REQUEST) { + /* TODO: Check if too big */ + memcpy(response.message_text.buf + (sizeof(size_t) * 2), data, data_amount); + } + } + + /* TODO: sizeof doesn't need to be so big here for small responses */ + if (msgsnd(message_client[msg_handle], &response, sizeof(response.message_text), flags) == -1) { + INFO("Failed to reply"); + } +} + +static size_t skip(psa_handle_t msg_handle, uint32_t invec_idx, size_t num_bytes) +{ + if (num_bytes < (messages[msg_handle].in_size[invec_idx] - num_bytes)) { + messages[msg_handle].in_size[invec_idx] = messages[msg_handle].in_size[invec_idx] - + num_bytes; + return num_bytes; + } else { + if (num_bytes >= messages[msg_handle].in_size[invec_idx]) { + size_t ret = messages[msg_handle].in_size[invec_idx]; + messages[msg_handle].in_size[invec_idx] = 0; + return ret; + } else { + return num_bytes; + } + } +} + +size_t psa_read(psa_handle_t msg_handle, uint32_t invec_idx, + void *buffer, size_t num_bytes) +{ + size_t sofar = 0; + struct message msg = { 0 }; + int idx; + ssize_t len; + + is_valid_msg_handle(msg_handle); + is_call_msg(msg_handle); + + if (invec_idx >= PSA_MAX_IOVEC) { + PROGRAMMER_ERROR("Invalid iovec number"); + } + + /* If user wants more data than what's available, truncate their request */ + if (num_bytes > messages[msg_handle].in_size[invec_idx]) { + num_bytes = messages[msg_handle].in_size[invec_idx]; + } + + while (sofar < num_bytes) { + INFO("Server: requesting %lu bytes from client\n", (num_bytes - sofar)); + send_msg(msg_handle, READ_REQUEST, invec_idx, (num_bytes - sofar), NULL, 0); + + idx = find_connection(message_client[msg_handle]); + assert(idx >= 0); + + len = msgrcv(connections[idx].client_to_server_q, &msg, sizeof(struct message_text), 0, 0); + len = (len - sizeof(msg.message_text.qid)); + + if (len < 0) { + FATAL("Internal error: failed to dispatch read request to the client"); + } + + if (len > (num_bytes - sofar)) { + if ((num_bytes - sofar) > 0) { + memcpy(buffer+sofar, msg.message_text.buf, (num_bytes - sofar)); + } + } else { + memcpy(buffer + sofar, msg.message_text.buf, len); + } + + INFO("Printing what i got so far: %s\n", msg.message_text.buf); + + sofar = sofar + len; + } + + /* Update the seek count */ + skip(msg_handle, invec_idx, num_bytes); + INFO("Finished psa_read"); + return sofar; +} + +void psa_write(psa_handle_t msg_handle, uint32_t outvec_idx, + const void *buffer, size_t num_bytes) +{ + + size_t sofar = 0; + struct message msg = { 0 }; + int idx; + ssize_t len; + + is_valid_msg_handle(msg_handle); + is_call_msg(msg_handle); + + if (outvec_idx >= PSA_MAX_IOVEC) { + PROGRAMMER_ERROR("Invalid iovec number"); + } + + if (num_bytes > messages[msg_handle].out_size[outvec_idx]) { + PROGRAMMER_ERROR("Program tried to write too much data %lu/%lu", num_bytes, + messages[msg_handle].out_size[outvec_idx]); + } + + while (sofar < num_bytes) { + size_t sending = (num_bytes - sofar); + if (sending >= MAX_FRAGMENT_SIZE) { + sending = MAX_FRAGMENT_SIZE - (sizeof(size_t) * 2); + } + + INFO("Server: sending %lu bytes to client\n", sending); + + send_msg(msg_handle, WRITE_REQUEST, outvec_idx, sending, buffer, sending); + + idx = find_connection(message_client[msg_handle]); + assert(idx >= 0); + + len = msgrcv(connections[idx].client_to_server_q, &msg, sizeof(struct message_text), 0, 0); + if (len < 1) { + FATAL("Client didn't give me a full response"); + } + sofar = sofar + len; + } + + /* Update the seek count */ + messages[msg_handle].out_size[outvec_idx] -= num_bytes; +} + +size_t psa_skip(psa_handle_t msg_handle, uint32_t invec_idx, size_t num_bytes) +{ + + is_valid_msg_handle(msg_handle); + is_call_msg(msg_handle); + + size_t ret = skip(msg_handle, invec_idx, num_bytes); + + /* notify client to skip */ + send_msg(msg_handle, SKIP_REQUEST, invec_idx, num_bytes, NULL, 0); + return ret; +} + +static void destroy_temporary_queue(int myqid) +{ + + if (msgctl(myqid, IPC_RMID, NULL) != 0) { + INFO("ERROR: Failed to delete msg queue %d", myqid); + } +} + +static int make_temporary_queue() +{ + int myqid; + if ((myqid = msgget(IPC_PRIVATE, 0660)) == -1) { + INFO("msgget: myqid"); + return -1; + } + return myqid; +} + +/** + * Assumes msg_handle is the index into the message array + */ +void psa_reply(psa_handle_t msg_handle, psa_status_t status) +{ + int idx, q; + is_valid_msg_handle(msg_handle); + + if (pending_message[msg_handle] != 1) { + PROGRAMMER_ERROR("Not a valid message handle"); + } + + if (messages[msg_handle].type == PSA_IPC_CONNECT) { + switch (status) { + case PSA_SUCCESS: + idx = find_connection(message_client[msg_handle]); + q = make_temporary_queue(); + if (q > 0 && idx >= 0) { + connections[idx].client_to_server_q = q; + status = q; + } else { + FATAL("What happened?"); + } + break; + case PSA_ERROR_CONNECTION_REFUSED: + destroy_connection(message_client[msg_handle]); + break; + case PSA_ERROR_CONNECTION_BUSY: + destroy_connection(message_client[msg_handle]); + break; + case PSA_ERROR_PROGRAMMER_ERROR: + destroy_connection(message_client[msg_handle]); + break; + default: + PROGRAMMER_ERROR("Not a valid reply %d\n", status); + } + } else if (messages[msg_handle].type == PSA_IPC_DISCONNECT) { + idx = find_connection(message_client[msg_handle]); + if (idx >= 0) { + destroy_temporary_queue(connections[idx].client_to_server_q); + } + destroy_connection(message_client[msg_handle]); + } + + send_msg(msg_handle, PSA_REPLY, status, 0, NULL, 0); + + pending_message[msg_handle] = 0; + message_client[msg_handle] = 0; +} + +/* TODO: make sure you only clear interrupt signals, and not others */ +void psa_eoi(psa_signal_t signal) +{ + int index = signal_to_index(signal); + if (index >= 0 && (rot_svc_incoming_queue[index] >= 0)) { + clear_signal(signal); + } else { + PROGRAMMER_ERROR("Tried to EOI a signal that isn't an interrupt"); + } +} + +void psa_notify(int32_t partition_id) +{ + char pathname[PATHNAMESIZE] = { 0 }; + + if (partition_id < 0) { + PROGRAMMER_ERROR("Not a valid secure partition"); + } + + snprintf(pathname, PATHNAMESIZE, "/tmp/psa_notify_%u", partition_id); + INFO("psa_notify: notifying partition %u using %s", + partition_id, pathname); + INFO("psa_notify is unimplemented"); +} + +void psa_clear(void) +{ + clear_signal(PSA_DOORBELL); +} + +void __init_psasim(const char **array, + int size, + const int allow_ns_clients_array[32], + const uint32_t versions[32], + const int strict_policy_array[32]) +{ + + static uint8_t library_initialised = 0; + key_t key; + int qid; + FILE *fp; + char doorbell_path[PATHNAMESIZE] = { 0 }; + snprintf(doorbell_path, PATHNAMESIZE, "/tmp/psa_notify_%u", getpid()); + + if (library_initialised > 0) { + return; + } else { + library_initialised = 1; + } + + if (size != 32) { + FATAL("Unsupported value. Aborting."); + } + + array[3] = doorbell_path; + + for (int i = 0; i < 32; i++) { + if (strncmp(array[i], "", 1) != 0) { + INFO("Setting up %s", array[i]); + + /* Create file if doesn't exist */ + fp = fopen(array[i], "ab+"); + if (fp) { + fclose(fp); + } + + if ((key = ftok(array[i], PROJECT_ID)) == -1) { + FATAL("Error finding message queue during initialisation"); + } + + /* TODO: Investigate. Permissions are likely to be too relaxed */ + if ((qid = msgget(key, IPC_CREAT | 0660)) == -1) { + FATAL("Error opening message queue during initialisation"); + } else { + rot_svc_incoming_queue[i] = qid; + } + } + } + + memcpy(nsacl, allow_ns_clients_array, sizeof(int) * 32); + memcpy(strict_policy, strict_policy_array, sizeof(int) * 32); + memcpy(rot_svc_versions, versions, sizeof(uint32_t) * 32); + bzero(&connections, sizeof(struct connection) * MAX_CLIENTS); + + __psa_ff_client_security_state = 0; /* Set the client status to SECURE */ +} diff --git a/yass/third_party/mbedtls/framework/psasim/test/Makefile b/yass/third_party/mbedtls/framework/psasim/test/Makefile new file mode 100644 index 0000000000..07d1586cd6 --- /dev/null +++ b/yass/third_party/mbedtls/framework/psasim/test/Makefile @@ -0,0 +1,12 @@ +INCLUDE := -I../include/ -I./psa_manifest + +.PHONY: all clean + +all: + psa_autogen manifest.json + $(CC) psa_ff_bootstrap_TEST_PARTITION.c -lpsaff -o partition + $(CC) client.c -lpsaff -o client + +clean: + rm -rf psa_manifest + rm -f client partition psa_ff_bootstrap_TEST_PARTITION.c diff --git a/yass/third_party/mbedtls/framework/psasim/test/client.c b/yass/third_party/mbedtls/framework/psasim/test/client.c new file mode 100644 index 0000000000..c768a71a97 --- /dev/null +++ b/yass/third_party/mbedtls/framework/psasim/test/client.c @@ -0,0 +1,48 @@ +/* psasim test client */ + +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +#include +#include "psa_manifest/sid.h" +#include +#include + +int main() +{ + + const char *text = "FOOBARCOOL!!"; + + char output[100] = { 0 }; + printf("My PID is %d\n", getpid()); + + printf("The version of the service is %u\n", psa_version(PSA_SID_SHA256_SID)); + psa_handle_t h = psa_connect(PSA_SID_SHA256_SID, 1); + + if (h < 0) { + printf("Couldn't connect %d\n", h); + return 1; + } else { + int type = 2; + puts("Calling!"); + puts("Trying without invec"); + printf("Answer to my call was %d (no invec)\n", psa_call(h, type, NULL, 0, NULL, 0)); + psa_invec invecs[1]; + psa_outvec outvecs[1]; + invecs[0].base = text; + invecs[0].len = 24; + outvecs[0].base = output; + outvecs[0].len = 99; + + printf("My iovec size should be %lu\n", invecs[0].len); + printf("Answer to my call was %d (with invec)\n", psa_call(h, type, invecs, 1, outvecs, 1)); + printf("Here's the payload I recieved: %s\n", output); + printf("Apparently the server wrote %lu bytes in outvec %d\n", outvecs[0].len, 0); + puts("Closing handle"); + psa_close(h); + } + + return 0; +} diff --git a/yass/third_party/mbedtls/framework/psasim/test/manifest.json b/yass/third_party/mbedtls/framework/psasim/test/manifest.json new file mode 100644 index 0000000000..0ab83ef907 --- /dev/null +++ b/yass/third_party/mbedtls/framework/psasim/test/manifest.json @@ -0,0 +1,29 @@ +{ + "psa_framework_version":1.0, + "name":"TEST_PARTITION", + "type":"PSA-ROT", + "priority":"LOW", + "entry_point":"psa_sha256_main", + "stack_size":"0x400", + "heap_size":"0x100", + "services":[ + { + "name":"PSA_SID_SHA256", + "sid":"0x0000F000", + "signal":"PSA_SHA256", + "non_secure_clients": "true", + "minor_version":1, + "minor_policy":"STRICT" + } + ], + "irqs": [ + { + "source": "SIGINT", + "signal": "SIGINT_SIG" + }, + { + "source": "SIGTSTP", + "signal": "SIGSTP_SIG" + } + ] +} diff --git a/yass/third_party/mbedtls/framework/psasim/test/server.c b/yass/third_party/mbedtls/framework/psasim/test/server.c new file mode 100644 index 0000000000..bbd90f20fc --- /dev/null +++ b/yass/third_party/mbedtls/framework/psasim/test/server.c @@ -0,0 +1,105 @@ +/* psasim test server */ + +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +#include +#include "psa_manifest/manifest.h" +#include +#include + +void printbits(uint32_t num) +{ + for (int i = 0; i < 32; i++) { + if ((num >> (31-i) & 0x1)) { + printf("1"); + } else { + printf("0"); + } + } + printf("\n"); +} + +#define BUF_SIZE 25 + +int psa_sha256_main() +{ + psa_status_t ret = PSA_ERROR_PROGRAMMER_ERROR; + psa_msg_t msg = { -1 }; + char foo[BUF_SIZE] = { 0 }; + const int magic_num = 66; + + puts("Starting"); + + while (1) { + puts("Calling psa_wait"); + psa_signal_t signals = psa_wait(PSA_WAIT_ANY, PSA_BLOCK); + + if (signals > 0) { + printbits(signals); + } + + if (signals & PSA_SHA256_SIGNAL) { + puts("Oooh a signal!"); + + if (PSA_SUCCESS == psa_get(PSA_SHA256_SIGNAL, &msg)) { + printf("My handle is %d\n", msg.handle); + printf("My rhandle is %p\n", (int *) msg.rhandle); + switch (msg.type) { + case PSA_IPC_CONNECT: + puts("Got a connection message"); + psa_set_rhandle(msg.handle, (void *) &magic_num); + ret = PSA_SUCCESS; + break; + case PSA_IPC_DISCONNECT: + puts("Got a disconnection message"); + ret = PSA_SUCCESS; + break; + + default: + printf("Got an IPC call of type %d\n", msg.type); + ret = 42; + size_t size = msg.in_size[0]; + + if ((size > 0) && (size <= sizeof(foo))) { + psa_read(msg.handle, 0, foo, 6); + foo[(BUF_SIZE-1)] = '\0'; + printf("Reading payload: %s\n", foo); + psa_read(msg.handle, 0, foo+6, 6); + foo[(BUF_SIZE-1)] = '\0'; + printf("Reading payload: %s\n", foo); + } + + size = msg.out_size[0]; + if ((size > 0)) { + puts("Writing response"); + psa_write(msg.handle, 0, "RESP", 4); + psa_write(msg.handle, 0, "ONSE", 4); + } + + if (msg.client_id > 0) { + psa_notify(msg.client_id); + } else { + puts("Client is non-secure, so won't notify"); + } + + } + + psa_reply(msg.handle, ret); + } else { + puts("Failed to retrieve message"); + } + } else if (SIGSTP_SIG & signals) { + puts("Recieved SIGSTP signal. Gonna EOI it."); + psa_eoi(SIGSTP_SIG); + } else if (SIGINT_SIG & signals) { + puts("Handling interrupt!\n"); + puts("Gracefully quitting"); + psa_panic(); + } else { + puts("No signal asserted"); + } + } +} diff --git a/yass/third_party/mbedtls/framework/psasim/tools/psa_autogen.py b/yass/third_party/mbedtls/framework/psasim/tools/psa_autogen.py new file mode 100755 index 0000000000..685320733e --- /dev/null +++ b/yass/third_party/mbedtls/framework/psasim/tools/psa_autogen.py @@ -0,0 +1,163 @@ +#!/usr/bin/env python3 +"""This hacky script generates a partition from a manifest file""" + +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +import json +import os +import sys +from os import listdir + +if len(sys.argv) != 2: + print("Usage: psa_autogen ") + sys.exit(1) + +FILENAME = str(sys.argv[1]) + + +with open(str(FILENAME), "r") as read_file: + data = json.load(read_file) + FILENAME = os.path.basename(FILENAME) + FILENAME = FILENAME.split('.')[0] + print("Base filename is " + str(FILENAME)) + + if str(data['psa_framework_version'] == "1.0"): + entry_point = str(data['entry_point']) + partition_name = str(data['name']) + services = data['services'] + try: + irqs = data['irqs'] + except KeyError: + irqs = [] + + try: + os.mkdir("psa_manifest") + print("Generating psa_manifest directory") + except OSError: + print ("PSA manifest directory already exists") + + man = open(str("psa_manifest/" + FILENAME + ".h"), "w") + pids = open("psa_manifest/pid.h", "a") + sids = open("psa_manifest/sid.h", "a") + + if len(services) > 28: + print ("Unsupported number of services") + + count = 4 # For creating SID array + nsacl = "const int ns_allowed[32] = {" + policy = "const int strict_policy[32] = {" + qcode = "const char * psa_queues[] = { " + versions = "const uint32_t versions[32] = {" + queue_path = "/tmp/psa_service_" + start = False + + for x in range(0, count): + qcode = qcode + "\"\", " + nsacl = nsacl + " 0," + policy = policy + "0," + versions = versions + " 0," + + # Go through all the services to make sid.h and pid.h + for svc in services: + man.write("#define " + str(svc['signal']) + "_SIGNAL " + str(2 ** (count)) + 'u\n') + sids.write("#define " + str(svc['name']) + "_SID " + str(svc['sid'] + '\n')) + qcode = qcode + "\"" + queue_path + str(int(svc['sid'], 16)) + "\"," + ns_clients = svc['non_secure_clients'] + print(str(svc)) + if ns_clients == "true": + nsacl = nsacl + " 1," + else: + nsacl = nsacl + " 0," + try: + versions = versions + str(svc['minor_version']) + "," + except KeyError: + versions = versions + "1," + + strict = 0 + try: + if str(svc['minor_policy']).lower() == "strict": + strict = 1 + policy = policy + "1," + else: + policy = policy + "0," + except KeyError: + strict = 0 + policy = policy + "0," + + count = count+1 + + sigcode = "" + handlercode = "void __sig_handler(int signo) {\n" + irqcount = count + for irq in irqs: + man.write("#define " + str(irq['signal']) + " " + str(2 ** (irqcount)) + 'u\n') + sigcode = sigcode + " signal(" + str(irq['source']) + ", __sig_handler);\n" + handlercode = handlercode + " if (signo == " + str(irq['source']) + ") { raise_signal(" + str(2 ** (irqcount)) + 'u);' + " };\n" + irqcount = irqcount+1 + + handlercode = handlercode + "}\n" + + while (count < 32): + qcode = qcode + "\"\"," + nsacl = nsacl + "0," + versions = versions + "0," + policy = policy + "0," + count = count + 1 + + qcode = qcode + "};\n" + nsacl = nsacl + "};\n" + versions = versions + "};\n" + policy = policy + "};\n" + + pids.close() + sids.close() + man.close() + + symbols = [] + # Go through all the files in the current directory and look for the entrypoint + + for root, directories, filenames in os.walk('.'): + for filename in filenames: + + if "psa_ff_bootstrap" in filename or filename == "psa_manifest": + continue + + try: + fullpath = os.path.join(root,filename) + with open(fullpath, encoding='utf-8') as currentFile: + text = currentFile.read() + if str(entry_point + "(") in text: + symbols.append(fullpath) + except IOError: + print("Couldn't open " + filename) + + except UnicodeDecodeError: + pass + + print(str("Number of entrypoints detected: " + str(len(symbols)))) + if len(symbols) < 1: + print("Couldn't find function " + entry_point) + sys.exit(1) + elif len(symbols) > 1: + print("Duplicate entrypoint symbol detected: " + str(symbols)) + sys.exit(2) + else: + bs = open(str("psa_ff_bootstrap_" + str(partition_name) + ".c"), "w") + bs.write("#include \n") + bs.write("#include \"" + symbols[0] + "\"\n") + bs.write("#include \n") + bs.write(qcode) + bs.write("\n") + bs.write(nsacl + "\n") + bs.write(policy + "\n") + bs.write(versions + "\n") + bs.write(handlercode) + bs.write("\n") + bs.write("int main() {\n") + bs.write(sigcode) + bs.write(" __init_psasim(psa_queues, 32, ns_allowed, versions, strict_policy);\n") + bs.write(" " + entry_point + "();\nfor(;;);\n}\n") + bs.close() + + print("Success") diff --git a/yass/third_party/mbedtls/tests/scripts/generate_bignum_tests.py b/yass/third_party/mbedtls/framework/scripts/generate_bignum_tests.py similarity index 96% rename from yass/third_party/mbedtls/tests/scripts/generate_bignum_tests.py rename to yass/third_party/mbedtls/framework/scripts/generate_bignum_tests.py index 8dbb6ed783..68ad42f484 100755 --- a/yass/third_party/mbedtls/tests/scripts/generate_bignum_tests.py +++ b/yass/third_party/mbedtls/framework/scripts/generate_bignum_tests.py @@ -47,13 +47,12 @@ import sys from abc import ABCMeta from typing import List -import scripts_path # pylint: disable=unused-import -from mbedtls_dev import test_data_generation -from mbedtls_dev import bignum_common +from mbedtls_framework import test_data_generation +from mbedtls_framework import bignum_common # Import modules containing additional test classes # Test function classes in these modules will be registered by # the framework -from mbedtls_dev import bignum_core, bignum_mod_raw, bignum_mod # pylint: disable=unused-import +from mbedtls_framework import bignum_core, bignum_mod_raw, bignum_mod # pylint: disable=unused-import class BignumTarget(test_data_generation.BaseTarget): #pylint: disable=too-few-public-methods diff --git a/yass/third_party/mbedtls/framework/scripts/generate_config_tests.py b/yass/third_party/mbedtls/framework/scripts/generate_config_tests.py new file mode 100755 index 0000000000..3438f84602 --- /dev/null +++ b/yass/third_party/mbedtls/framework/scripts/generate_config_tests.py @@ -0,0 +1,177 @@ +#!/usr/bin/env python3 +"""Generate test data for configuration reporting. +""" + +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +import abc +import re +import sys +from typing import Iterable, Iterator, List, Optional, Tuple + +import project_scripts # pylint: disable=unused-import +import config +from mbedtls_framework import test_case +from mbedtls_framework import test_data_generation + + +def single_setting_case(setting: config.Setting, when_on: bool, + dependencies: List[str], + note: Optional[str]) -> test_case.TestCase: + """Construct a test case for a boolean setting. + + This test case passes if the setting and its dependencies are enabled, + and is skipped otherwise. + + * setting: the setting to be tested. + * when_on: True to test with the setting enabled, or False to test + with the setting disabled. + * dependencies: extra dependencies for the test case. + * note: a note to add after the setting name in the test description. + This is generally a summary of dependencies, and is generally empty + if the given setting is only tested once. + """ + base = setting.name if when_on else '!' + setting.name + tc = test_case.TestCase() + tc.set_function('pass') + description_suffix = ' (' + note + ')' if note else '' + tc.set_description('Config: ' + base + description_suffix) + tc.set_dependencies([base] + dependencies) + return tc + + +PSA_WANT_KEY_TYPE_KEY_PAIR_RE = \ + re.compile(r'(?PPSA_WANT_KEY_TYPE_(?P\w+)_KEY_PAIR_)(?P\w+)\Z') + +# If foo is a setting that is only meaningful when bar is enabled, set +# SIMPLE_DEPENDENCIES[foo]=bar. More generally, bar can be a colon-separated +# list of settings, meaning that all the settings must be enabled. Each setting +# in bar can be prefixed with '!' to negate it. This is the same syntax as a +# depends_on directive in test data. +# See also `dependencies_of_settting`. +SIMPLE_DEPENDENCIES = { + 'MBEDTLS_AESCE_C': 'MBEDTLS_AES_C', + 'MBEDTLS_AESNI_C': 'MBEDTLS_AES_C', + 'MBEDTLS_ERROR_STRERROR_DUMMY': '!MBEDTLS_ERROR_C', + 'MBEDTLS_GENPRIME': 'MBEDTLS_RSA_C', + 'MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES': 'MBEDTLS_ENTROPY_C', + 'MBEDTLS_NO_PLATFORM_ENTROPY': 'MBEDTLS_ENTROPY_C', + 'MBEDTLS_PKCS1_V15': 'MBEDTLS_RSA_C', + 'MBEDTLS_PKCS1_V21': 'MBEDTLS_RSA_C', + 'MBEDTLS_PSA_CRYPTO_CLIENT': '!MBEDTLS_PSA_CRYPTO_C', + 'MBEDTLS_PSA_INJECT_ENTROPY': 'MBEDTLS_PSA_CRYPTO_C', + 'MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS': 'MBEDTLS_PSA_CRYPTO_C', +} + +def dependencies_of_setting(cfg: config.Config, + setting: config.Setting) -> Optional[str]: + """Return dependencies without which a setting is not meaningful. + + The dependencies of a setting express when a setting can be enabled and + is relevant. For example, if ``check_config.h`` errors out when + ``defined(FOO) && !defined(BAR)``, then ``BAR`` is a dependency of ``FOO``. + If ``FOO`` has no effect when ``CORGE`` is disabled, then ``CORGE`` + is a dependency of ``FOO``. + + The return value can be a colon-separated list of settings, if the setting + is only meaningful when all of these settings are enabled. Each setting can + be negated by prefixing them with '!'. This is the same syntax as a + depends_on directive in test data. + """ + #pylint: disable=too-many-return-statements + name = setting.name + if name in SIMPLE_DEPENDENCIES: + return SIMPLE_DEPENDENCIES[name] + if name.startswith('MBEDTLS_') and not name.endswith('_C'): + if name.startswith('MBEDTLS_CIPHER_PADDING_'): + return 'MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC' + if name.startswith('MBEDTLS_PK_PARSE_EC_'): + return 'MBEDTLS_PK_C:MBEDTLS_PK_HAVE_ECC_KEYS' + # For TLS settings, insist on having them once off and once on in + # a configuration where both client support and server support are + # enabled. The settings are also meaningful when only one side is + # enabled, but there isn't much point in having separate records + # for client-side and server-side, so we keep things simple. + # Requiring both sides to be enabled also means we know we'll run + # tests that only run Mbed TLS against itself, which only run in + # configurations with both sides enabled. + if name.startswith('MBEDTLS_SSL_TLS1_3_') or \ + name == 'MBEDTLS_SSL_EARLY_DATA': + return 'MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_PROTO_TLS1_3' + if name.startswith('MBEDTLS_SSL_DTLS_'): + return 'MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_PROTO_DTLS' + if name.startswith('MBEDTLS_SSL_'): + return 'MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C' + for pos in re.finditer(r'_', name): + super_name = name[:pos.start()] + '_C' + if cfg.known(super_name): + return super_name + m = PSA_WANT_KEY_TYPE_KEY_PAIR_RE.match(name) + if m and m.group('operation') != 'BASIC': + return m.group('prefix') + 'BASIC' + return None + +def conditions_for_setting(cfg: config.Config, + setting: config.Setting + ) -> Iterator[Tuple[List[str], str]]: + """Enumerate the conditions under which to test the given setting. + + * cfg: all configuration settings. + * setting: the setting to be tested. + + Generate a stream of conditions, i.e. extra dependencies to test with + together with a human-readable explanation of each dependency. Some + typical cases: + + * By default, generate a one-element stream with no extra dependencies. + * If the setting is ignored unless some other setting is enabled, generate + a one-element stream with that other setting as an extra dependency. + * If the setting is known to interact with some other setting, generate + a stream with one element where this setting is on and one where it's off. + * To skip the setting altogether, generate an empty stream. + """ + name = setting.name + if name.endswith('_ALT') and not config.is_seamless_alt(name): + # We don't test alt implementations, except (most) platform alts + return + dependencies = dependencies_of_setting(cfg, setting) + if dependencies: + yield [dependencies], '' + return + yield [], '' + + +def enumerate_boolean_setting_cases(cfg: config.Config + ) -> Iterable[test_case.TestCase]: + """Emit test cases for all boolean settings.""" + for name in sorted(cfg.settings.keys()): + setting = cfg.settings[name] + if not name.startswith('PSA_WANT_') and setting.value: + continue # non-boolean setting + for when_on in True, False: + for deps, note in conditions_for_setting(cfg, setting): + yield single_setting_case(setting, when_on, deps, note) + + + +class ConfigTestGenerator(test_data_generation.TestGenerator): + """Generate test cases for configuration reporting.""" + + def __init__(self, settings): + # Temporarily use different config classes for 3.6. With the config.py moving to + # the framework it will be unified. + is_3_6 = not isinstance(config.ConfigFile, abc.ABCMeta) + # pylint: disable=no-value-for-parameter, no-member + self.mbedtls_config = config.ConfigFile() if is_3_6 else config.MbedTLSConfig() + self.targets['test_suite_config.mbedtls_boolean'] = \ + lambda: enumerate_boolean_setting_cases(self.mbedtls_config) + self.psa_config = config.ConfigFile('include/psa/crypto_config.h') if is_3_6 else \ + config.CryptoConfig() + self.targets['test_suite_config.psa_boolean'] = \ + lambda: enumerate_boolean_setting_cases(self.psa_config) + super().__init__(settings) + + +if __name__ == '__main__': + test_data_generation.main(sys.argv[1:], __doc__, ConfigTestGenerator) diff --git a/yass/third_party/mbedtls/tests/scripts/generate_ecp_tests.py b/yass/third_party/mbedtls/framework/scripts/generate_ecp_tests.py similarity index 79% rename from yass/third_party/mbedtls/tests/scripts/generate_ecp_tests.py rename to yass/third_party/mbedtls/framework/scripts/generate_ecp_tests.py index df1e4696a0..b506be8f5f 100755 --- a/yass/third_party/mbedtls/tests/scripts/generate_ecp_tests.py +++ b/yass/third_party/mbedtls/framework/scripts/generate_ecp_tests.py @@ -10,12 +10,11 @@ as in generate_bignum_tests.py. import sys -import scripts_path # pylint: disable=unused-import -from mbedtls_dev import test_data_generation +from mbedtls_framework import test_data_generation # Import modules containing additional test classes # Test function classes in these modules will be registered by # the framework -from mbedtls_dev import ecp # pylint: disable=unused-import +from mbedtls_framework import ecp # pylint: disable=unused-import if __name__ == '__main__': # Use the section of the docstring relevant to the CLI as description diff --git a/yass/third_party/mbedtls/tests/scripts/generate_pkcs7_tests.py b/yass/third_party/mbedtls/framework/scripts/generate_pkcs7_tests.py similarity index 100% rename from yass/third_party/mbedtls/tests/scripts/generate_pkcs7_tests.py rename to yass/third_party/mbedtls/framework/scripts/generate_pkcs7_tests.py diff --git a/yass/third_party/mbedtls/tests/scripts/generate_psa_tests.py b/yass/third_party/mbedtls/framework/scripts/generate_psa_tests.py similarity index 99% rename from yass/third_party/mbedtls/tests/scripts/generate_psa_tests.py rename to yass/third_party/mbedtls/framework/scripts/generate_psa_tests.py index fd278f8ffc..1618e793d6 100755 --- a/yass/third_party/mbedtls/tests/scripts/generate_psa_tests.py +++ b/yass/third_party/mbedtls/framework/scripts/generate_psa_tests.py @@ -13,14 +13,13 @@ import re import sys from typing import Callable, Dict, FrozenSet, Iterable, Iterator, List, Optional -import scripts_path # pylint: disable=unused-import -from mbedtls_dev import crypto_data_tests -from mbedtls_dev import crypto_knowledge -from mbedtls_dev import macro_collector #pylint: disable=unused-import -from mbedtls_dev import psa_information -from mbedtls_dev import psa_storage -from mbedtls_dev import test_case -from mbedtls_dev import test_data_generation +from mbedtls_framework import crypto_data_tests +from mbedtls_framework import crypto_knowledge +from mbedtls_framework import macro_collector #pylint: disable=unused-import +from mbedtls_framework import psa_information +from mbedtls_framework import psa_storage +from mbedtls_framework import test_case +from mbedtls_framework import test_data_generation diff --git a/yass/third_party/mbedtls/framework/scripts/generate_psa_wrappers.py b/yass/third_party/mbedtls/framework/scripts/generate_psa_wrappers.py new file mode 100755 index 0000000000..29cb4e3fd8 --- /dev/null +++ b/yass/third_party/mbedtls/framework/scripts/generate_psa_wrappers.py @@ -0,0 +1,43 @@ +#!/usr/bin/env python3 +"""Generate wrapper functions for PSA function calls. +""" + +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +import argparse +from mbedtls_framework.code_wrapper.psa_test_wrapper import PSATestWrapper, PSALoggingTestWrapper + +DEFAULT_C_OUTPUT_FILE_NAME = 'tests/src/psa_test_wrappers.c' +DEFAULT_H_OUTPUT_FILE_NAME = 'tests/include/test/psa_test_wrappers.h' + +def main() -> None: + parser = argparse.ArgumentParser(description=globals()['__doc__']) + parser.add_argument('--log', + help='Stream to log to (default: no logging code)') + parser.add_argument('--output-c', + metavar='FILENAME', + default=DEFAULT_C_OUTPUT_FILE_NAME, + help=('Output .c file path (default: {}; skip .c output if empty)' + .format(DEFAULT_C_OUTPUT_FILE_NAME))) + parser.add_argument('--output-h', + metavar='FILENAME', + default=DEFAULT_H_OUTPUT_FILE_NAME, + help=('Output .h file path (default: {}; skip .h output if empty)' + .format(DEFAULT_H_OUTPUT_FILE_NAME))) + options = parser.parse_args() + if options.log: + generator = PSALoggingTestWrapper(DEFAULT_H_OUTPUT_FILE_NAME, + DEFAULT_C_OUTPUT_FILE_NAME, + options.log) #type: PSATestWrapper + else: + generator = PSATestWrapper(DEFAULT_H_OUTPUT_FILE_NAME, + DEFAULT_C_OUTPUT_FILE_NAME) + + if options.output_h: + generator.write_h_file(options.output_h) + if options.output_c: + generator.write_c_file(options.output_c) + +if __name__ == '__main__': + main() diff --git a/yass/third_party/mbedtls/framework/scripts/generate_test_cert_macros.py b/yass/third_party/mbedtls/framework/scripts/generate_test_cert_macros.py new file mode 100755 index 0000000000..b6d97fcd1d --- /dev/null +++ b/yass/third_party/mbedtls/framework/scripts/generate_test_cert_macros.py @@ -0,0 +1,108 @@ +#!/usr/bin/env python3 + +""" +Generate `tests/src/test_certs.h` which includes certficaties/keys/certificate list for testing. +""" + +# +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + + +import os +import sys +import argparse +import jinja2 +from mbedtls_framework.build_tree import guess_project_root + +TESTS_DIR = os.path.join(guess_project_root(), 'tests') +FRAMEWORK_DIR = os.path.join(guess_project_root(), 'framework') +DATA_FILES_PATH = os.path.join(FRAMEWORK_DIR, 'data_files') + +INPUT_ARGS = [ + ("string", "TEST_CA_CRT_EC_PEM", DATA_FILES_PATH + "/test-ca2.crt"), + ("binary", "TEST_CA_CRT_EC_DER", DATA_FILES_PATH + "/test-ca2.crt.der"), + ("string", "TEST_CA_KEY_EC_PEM", DATA_FILES_PATH + "/test-ca2.key.enc"), + ("password", "TEST_CA_PWD_EC_PEM", "PolarSSLTest"), + ("binary", "TEST_CA_KEY_EC_DER", DATA_FILES_PATH + "/test-ca2.key.der"), + ("string", "TEST_CA_CRT_RSA_SHA256_PEM", DATA_FILES_PATH + "/test-ca-sha256.crt"), + ("binary", "TEST_CA_CRT_RSA_SHA256_DER", DATA_FILES_PATH + "/test-ca-sha256.crt.der"), + ("string", "TEST_CA_CRT_RSA_SHA1_PEM", DATA_FILES_PATH + "/test-ca-sha1.crt"), + ("binary", "TEST_CA_CRT_RSA_SHA1_DER", DATA_FILES_PATH + "/test-ca-sha1.crt.der"), + ("string", "TEST_CA_KEY_RSA_PEM", DATA_FILES_PATH + "/test-ca.key"), + ("password", "TEST_CA_PWD_RSA_PEM", "PolarSSLTest"), + ("binary", "TEST_CA_KEY_RSA_DER", DATA_FILES_PATH + "/test-ca.key.der"), + ("string", "TEST_SRV_CRT_EC_PEM", DATA_FILES_PATH + "/server5.crt"), + ("binary", "TEST_SRV_CRT_EC_DER", DATA_FILES_PATH + "/server5.crt.der"), + ("string", "TEST_SRV_KEY_EC_PEM", DATA_FILES_PATH + "/server5.key"), + ("binary", "TEST_SRV_KEY_EC_DER", DATA_FILES_PATH + "/server5.key.der"), + ("string", "TEST_SRV_CRT_RSA_SHA256_PEM", DATA_FILES_PATH + "/server2-sha256.crt"), + ("binary", "TEST_SRV_CRT_RSA_SHA256_DER", DATA_FILES_PATH + "/server2-sha256.crt.der"), + ("string", "TEST_SRV_CRT_RSA_SHA1_PEM", DATA_FILES_PATH + "/server2.crt"), + ("binary", "TEST_SRV_CRT_RSA_SHA1_DER", DATA_FILES_PATH + "/server2.crt.der"), + ("string", "TEST_SRV_KEY_RSA_PEM", DATA_FILES_PATH + "/server2.key"), + ("binary", "TEST_SRV_KEY_RSA_DER", DATA_FILES_PATH + "/server2.key.der"), + ("string", "TEST_CLI_CRT_EC_PEM", DATA_FILES_PATH + "/cli2.crt"), + ("binary", "TEST_CLI_CRT_EC_DER", DATA_FILES_PATH + "/cli2.crt.der"), + ("string", "TEST_CLI_KEY_EC_PEM", DATA_FILES_PATH + "/cli2.key"), + ("binary", "TEST_CLI_KEY_EC_DER", DATA_FILES_PATH + "/cli2.key.der"), + ("string", "TEST_CLI_CRT_RSA_PEM", DATA_FILES_PATH + "/cli-rsa-sha256.crt"), + ("binary", "TEST_CLI_CRT_RSA_DER", DATA_FILES_PATH + "/cli-rsa-sha256.crt.der"), + ("string", "TEST_CLI_KEY_RSA_PEM", DATA_FILES_PATH + "/cli-rsa.key"), + ("binary", "TEST_CLI_KEY_RSA_DER", DATA_FILES_PATH + "/cli-rsa.key.der"), +] + +def main(): + parser = argparse.ArgumentParser() + default_output_path = os.path.join(TESTS_DIR, 'src', 'test_certs.h') + parser.add_argument('--output', type=str, default=default_output_path) + parser.add_argument('--list-dependencies', action='store_true') + args = parser.parse_args() + + if args.list_dependencies: + files_list = [arg[2] for arg in INPUT_ARGS] + print(" ".join(files_list)) + return + + generate(INPUT_ARGS, output=args.output) + +#pylint: disable=dangerous-default-value, unused-argument +def generate(values=[], output=None): + """Generate C header file. + """ + template_loader = jinja2.FileSystemLoader(DATA_FILES_PATH) + template_env = jinja2.Environment( + loader=template_loader, lstrip_blocks=True, trim_blocks=True, + keep_trailing_newline=True) + + def read_as_c_array(filename): + with open(filename, 'rb') as f: + data = f.read(12) + while data: + yield ', '.join(['{:#04x}'.format(b) for b in data]) + data = f.read(12) + + def read_lines(filename): + with open(filename) as f: + try: + for line in f: + yield line.strip() + except: + print(filename) + raise + + def put_to_column(value, position=0): + return ' '*position + value + + template_env.filters['read_as_c_array'] = read_as_c_array + template_env.filters['read_lines'] = read_lines + template_env.filters['put_to_column'] = put_to_column + + template = template_env.get_template('test_certs.h.jinja2') + + with open(output, 'w') as f: + f.write(template.render(macros=values)) + + +if __name__ == '__main__': + sys.exit(main()) diff --git a/yass/third_party/mbedtls/tests/scripts/generate_test_code.py b/yass/third_party/mbedtls/framework/scripts/generate_test_code.py similarity index 99% rename from yass/third_party/mbedtls/tests/scripts/generate_test_code.py rename to yass/third_party/mbedtls/framework/scripts/generate_test_code.py index 5f711bfb19..6a69f9d3d2 100755 --- a/yass/third_party/mbedtls/tests/scripts/generate_test_code.py +++ b/yass/third_party/mbedtls/framework/scripts/generate_test_code.py @@ -328,7 +328,7 @@ def gen_function_wrapper(name, local_vars, args_dispatch): """ # Then create the wrapper wrapper = ''' -void {name}_wrapper( void ** params ) +static void {name}_wrapper( void ** params ) {{ {unused_params}{locals} {name}( {args} ); @@ -651,6 +651,9 @@ def parse_function_code(funcs_f, dependencies, suite_dependencies): raise GeneratorInputError("file: %s - Test functions not found!" % funcs_f.name) + # Make the test function static + code = code.replace('void', 'static void', 1) + # Prefix test function name with 'test_' code = code.replace(name, 'test_' + name, 1) name = 'test_' + name diff --git a/yass/third_party/mbedtls/framework/scripts/generate_test_keys.py b/yass/third_party/mbedtls/framework/scripts/generate_test_keys.py new file mode 100755 index 0000000000..effc65ac3e --- /dev/null +++ b/yass/third_party/mbedtls/framework/scripts/generate_test_keys.py @@ -0,0 +1,184 @@ +#!/usr/bin/env python3 + +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +"""Module generating EC and RSA keys to be used in test_suite_pk instead of +generating the required key at run time. This helps speeding up testing.""" + +from typing import Iterator, List, Tuple +import re +import argparse +from mbedtls_framework.asymmetric_key_data import ASYMMETRIC_KEY_DATA +from mbedtls_framework.build_tree import guess_project_root + +BYTES_PER_LINE = 16 + +def c_byte_array_literal_content(array_name: str, key_data: bytes) -> Iterator[str]: + yield 'const unsigned char ' + yield array_name + yield '[] = {' + for index in range(0, len(key_data), BYTES_PER_LINE): + yield '\n ' + for b in key_data[index:index + BYTES_PER_LINE]: + yield ' {:#04x},'.format(b) + yield '\n};' + +def convert_der_to_c(array_name: str, key_data: bytes) -> str: + return ''.join(c_byte_array_literal_content(array_name, key_data)) + +def get_key_type(key: str) -> str: + if re.match('PSA_KEY_TYPE_RSA_.*', key): + return "rsa" + elif re.match('PSA_KEY_TYPE_ECC_.*', key): + return "ec" + else: + print("Unhandled key type {}".format(key)) + return "unknown" + +def get_ec_key_family(key: str) -> str: + match = re.search(r'.*\((.*)\)', key) + if match is None: + raise Exception("Unable to get EC family from {}".format(key)) + return match.group(1) + +# Legacy EC group ID do not support all the key types that PSA does, so the +# following dictionaries are used for: +# - getting prefix/suffix for legacy curve names +# - understand if the curve is supported in legacy symbols (MBEDTLS_ECP_DP_...) +EC_NAME_CONVERSION = { + 'PSA_ECC_FAMILY_SECP_K1': { + 192: ('secp', 'k1'), + 224: ('secp', 'k1'), + 256: ('secp', 'k1') + }, + 'PSA_ECC_FAMILY_SECP_R1': { + 192: ('secp', 'r1'), + 224: ('secp', 'r1'), + 256: ('secp', 'r1'), + 384: ('secp', 'r1'), + 521: ('secp', 'r1') + }, + 'PSA_ECC_FAMILY_BRAINPOOL_P_R1': { + 256: ('bp', 'r1'), + 384: ('bp', 'r1'), + 512: ('bp', 'r1') + }, + 'PSA_ECC_FAMILY_MONTGOMERY': { + 255: ('curve', '19'), + 448: ('curve', '') + } +} + +def get_ec_curve_name(priv_key: str, bits: int) -> str: + ec_family = get_ec_key_family(priv_key) + try: + prefix = EC_NAME_CONVERSION[ec_family][bits][0] + suffix = EC_NAME_CONVERSION[ec_family][bits][1] + except KeyError: + return "" + return prefix + str(bits) + suffix + +def get_look_up_table_entry(key_type: str, group_id_or_keybits: str, + priv_array_name: str, pub_array_name: str) -> Iterator[str]: + if key_type == "ec": + yield " {{ {}, 0,\n".format(group_id_or_keybits) + else: + yield " {{ 0, {},\n".format(group_id_or_keybits) + yield " {0}, sizeof({0}),\n".format(priv_array_name) + yield " {0}, sizeof({0}) }},".format(pub_array_name) + + +def write_output_file(output_file_name: str, arrays: str, look_up_table: str): + with open(output_file_name, 'wt') as output: + output.write("""\ +/********************************************************************************* + * This file was automatically generated from framework/scripts/generate_test_keys.py. + * Please do not edit it manually. + *********************************************************************************/ +""") + output.write(arrays) + output.write(""" +struct predefined_key_element {{ + int group_id; // EC group ID; 0 for RSA keys + int keybits; // bits size of RSA key; 0 for EC keys + const unsigned char *priv_key; + size_t priv_key_len; + const unsigned char *pub_key; + size_t pub_key_len; +}}; + +struct predefined_key_element predefined_keys[] = {{ +{} +}}; + +/* End of generated file */ +""".format(look_up_table)) + +def collect_keys() -> Tuple[str, str]: + """" + This function reads key data from ASYMMETRIC_KEY_DATA and, only for the + keys supported in legacy ECP/RSA modules, it returns 2 strings: + - the 1st contains C arrays declaration of these keys and + - the 2nd contains the final look-up table for all these arrays. + """ + arrays = [] + look_up_table = [] + + # Get a list of private keys only in order to get a single item for every + # (key type, key bits) pair. We know that ASYMMETRIC_KEY_DATA + # contains also the public counterpart. + priv_keys = [key for key in ASYMMETRIC_KEY_DATA if '_KEY_PAIR' in key] + priv_keys = sorted(priv_keys) + + for priv_key in priv_keys: + key_type = get_key_type(priv_key) + # Ignore keys which are not EC or RSA + if key_type == "unknown": + continue + + pub_key = re.sub('_KEY_PAIR', '_PUBLIC_KEY', priv_key) + + for bits in ASYMMETRIC_KEY_DATA[priv_key]: + if key_type == "ec": + curve = get_ec_curve_name(priv_key, bits) + # Ignore EC curves unsupported in legacy symbols + if curve == "": + continue + # Create output array name + if key_type == "rsa": + array_name_base = "_".join(["test", key_type, str(bits)]) + else: + array_name_base = "_".join(["test", key_type, curve]) + array_name_priv = array_name_base + "_priv" + array_name_pub = array_name_base + "_pub" + # Convert bytearray to C array + c_array_priv = convert_der_to_c(array_name_priv, ASYMMETRIC_KEY_DATA[priv_key][bits]) + c_array_pub = convert_der_to_c(array_name_pub, ASYMMETRIC_KEY_DATA[pub_key][bits]) + # Write the C array to the output file + arrays.append(''.join(["\n", c_array_priv, "\n", c_array_pub, "\n"])) + # Update the lookup table + if key_type == "ec": + group_id_or_keybits = "MBEDTLS_ECP_DP_" + curve.upper() + else: + group_id_or_keybits = str(bits) + look_up_table.append(''.join(get_look_up_table_entry(key_type, group_id_or_keybits, + array_name_priv, array_name_pub))) + + return ''.join(arrays), '\n'.join(look_up_table) + +def main() -> None: + default_output_path = guess_project_root() + "/tests/src/test_keys.h" + + argparser = argparse.ArgumentParser() + argparser.add_argument("--output", help="Output file", default=default_output_path) + args = argparser.parse_args() + + output_file = args.output + + arrays, look_up_table = collect_keys() + + write_output_file(output_file, arrays, look_up_table) + +if __name__ == '__main__': + main() diff --git a/yass/third_party/mbedtls/scripts/mbedtls_dev/__init__.py b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/__init__.py similarity index 57% rename from yass/third_party/mbedtls/scripts/mbedtls_dev/__init__.py rename to yass/third_party/mbedtls/framework/scripts/mbedtls_framework/__init__.py index 15b0d60dd3..50147ce629 100644 --- a/yass/third_party/mbedtls/scripts/mbedtls_dev/__init__.py +++ b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/__init__.py @@ -1,3 +1,3 @@ -# This file needs to exist to make mbedtls_dev a package. +# This file needs to exist to make mbedtls_framework a package. # Among other things, this allows modules in this directory to make # relative imports. diff --git a/yass/third_party/mbedtls/scripts/mbedtls_dev/asymmetric_key_data.py b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/asymmetric_key_data.py similarity index 50% rename from yass/third_party/mbedtls/scripts/mbedtls_dev/asymmetric_key_data.py rename to yass/third_party/mbedtls/framework/scripts/mbedtls_framework/asymmetric_key_data.py index 8ca6758782..175bc9f03f 100644 --- a/yass/third_party/mbedtls/scripts/mbedtls_dev/asymmetric_key_data.py +++ b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/asymmetric_key_data.py @@ -136,6 +136,54 @@ ASYMMETRIC_KEY_DATA = construct_asymmetric_key_data({ 308189 02818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3 0203010001 +"""), + 1026: (""" +3082025e + 020100 + 02818102d09661fc74224ba7be7907abef4f5e8bcc264a802c978f7eaa5855ada05436d75db768d20f68595dbcc3d725b138e80b247e44a4163a0542fab612acbbde45f2e93894aa253bddef6a7becdc9cc29a99bacf48dc6e38db7a33e9ac924c520fc6be7d6e5646c1d67fb8b2b97ac60beecc3bb8e75bed8315aa3fe46f748a66d6ef + 0203010001 + 0281806a4a346beba97f655fe834647d2944f5f40815e7302caf02ed179893c2d989395d5e877cacbf24a77a079d3db71580ccdbf63023d00f80e52f5c1a0716b323b7bfcbdc8a1781c44c4153e3da228d17b2dc78eb1f44cff60fe1150808a6e38ba2470aee2e948a6898ddadea56d9470927aca8d94a0338c11a8e95715b5f94e011 + 024101f5418534c36236fc9fd38934d7c06dfed3829151ccab56b6330c641f7796a71924cf8119ca26e186ecd3068d6607a05260db4857651980436891adde9eb92ab7 + 02410170042fbdbaba1e102b7f7f1dc9d940cfdcd85dd0ea65f543c6432e9c5480724bb49b1e5f80ca2b9f84cd6644bfb2e3d0968090b89f534dc2951e606db909dd89 + 0241014b6c1aeb1c14a04ec04e5975fb015cb914984c054dd22bef24299939c514733f88bb3a9d16b04685b3a883b8923190ab672715d9d31add57b4983de1e8087e59 + 02410117bf76f308b0560e00a2c864427dcd50b5161c2aa523a00f46f4e6c79b4c90958fd2a282028aac227477169888085a38c34f33b3c41934f1071db23b75ff53d1 + 02410120a428b4e0c4a6f202920fd49cc9886e6b6719d40a3ad0604f5d5efd5ef6973a573ab324f38ecb8e669a69341597081e240b6ae4e2714887dd78dadaeb0b9216 +""", """ +308189 + 02818102d09661fc74224ba7be7907abef4f5e8bcc264a802c978f7eaa5855ada05436d75db768d20f68595dbcc3d725b138e80b247e44a4163a0542fab612acbbde45f2e93894aa253bddef6a7becdc9cc29a99bacf48dc6e38db7a33e9ac924c520fc6be7d6e5646c1d67fb8b2b97ac60beecc3bb8e75bed8315aa3fe46f748a66d6ef + 0203010001 +"""), + 1028: (""" +3082025e + 020100 + 0281810e62a76f0e0b59683a7ebf7cbfd37b1d1781d8f1b900604b507f0f04c72a3d340d067bcd53bea3caff4e4ae694f0b6d8f591a4167fbf7f372ab57e83a69a3f26f447bcf582bc9621a30a3b44d6b43e986d1a867b07489e4f9bfcadaa82a2782dc2729a631fb1fb9ffb794b4e53c76239e04d4a8f80352588db29462dde18237cf5 + 0203010001 + 02818101cfa0422e3bb60c15ef2e96db4499e789f5d634ea64567b2cdd6e2bdd121f85edccdee9b4ed178c5f33816101a7c371518b3e23f9fdc71b90242cd310b6b31428b0b64eb9596be0cc044cc85048982f90b706e66ccdd39ad5a1a7b64cf034eac0c35d7ace93f2bcd3ce243bd8f83b46f509ca2f805063002af2bb2d88b6ee36a9 + 024103f0886d2977526f3f3f6a075600232ce3008517276dd3721dee08fd6c999fc976b9e8dd2bc143385fa4b48735ce81c66b501d7129ee7860cfbef23b5da91e6c2d + 024103a6c8734aace59d5f386f97de450f8a12d63ae6ac15d336e010c9fcf03a32f0611881ac6cd8b3f989925c0f025af26cf26aebd7d9b04eb503048dca2f503c28e9 + 0241019b300451c3b47866f113e9a9c6a490c87c8dc6c2eca42902caea1f6907b97e0a4a02072aafc1185ae66c34345bddcd683361cda1aaf8a98009f9f8fa56d97081 + 02401bcca849173d38e1e50ec48872ab54a2dcc621a80a7a1e8ea951287988718d5e85d90d64ab4926e9a575a168a385c421ad765813fc3f4af8cd00de7b6bba6e49 + 0241036dcf69f6e548c8acfb536fb6cd186f8b8f20d313361d0447c1b5e380f4113e578b31e867dda47d44ad3761e793f725031b8d379f389de277a9a0137651df548a +""", """ +308189 + 0281810e62a76f0e0b59683a7ebf7cbfd37b1d1781d8f1b900604b507f0f04c72a3d340d067bcd53bea3caff4e4ae694f0b6d8f591a4167fbf7f372ab57e83a69a3f26f447bcf582bc9621a30a3b44d6b43e986d1a867b07489e4f9bfcadaa82a2782dc2729a631fb1fb9ffb794b4e53c76239e04d4a8f80352588db29462dde18237cf5 + 0203010001 +"""), + 1030: (""" +3082025f + 020100 + 0281812b7cd197f5796d1f8e576b2b37723fd9210814ef1c1995f9899d50058f379d239c66878e922f34c6ae3672c8598fcd5d47b764d2ec156e134d03cf6a94d38d2ea8bc76dbbc60c4b974219090eaf287497d7dcf7f119cfa867496f7e91c12b5d552e1d1461a80dbe9a59db3b016c6c0141c3b2a0e226089b855cb88ef656408bd89 + 0203010001 + 0281810210d5ff531cacb22f8cf7dd1fd9fb0376f3647f2e9ab3df9c89b9ad3c98e68b89adeb29901dd2f2cf2ac1f817726278830ec8a8d0fdd19d496ec6bc683671174786b7d6a8e822fa71d65ad35abbdf0e6e55ff2c1821b62bc630192160e5c9b3dcafc65ae6b2a088fbc5591da58a45dd7a30960f7d3def75b80cdf73247360e8fb + 0241072e371a3ba861e78e3eb9313065faab0a97216e9544bfc2d5b403844b43273705755a85aa0baf7114770cfeca20bca17ac19bc4cbba106a33b3dddca0fb535f33 + 0241060e6af37ab4ea11f52b9344e7160eb2a53f1075e1229a7f10a301de3359f53e981ea0e17df0fb380f089e5c37dd40daa29eefd205f5c87b38f8fef636b57ba053 + 0241023a5dd09ef83540b30b554d24f64f9c28d212068cfc62ffe26d53b605e05557a632ee9e90cfc56531f36aadd82be63bb8aa405a04d8bbe5281bc45883fed7b4af + 0241041de6dbad4caf5417a9504965201c4b99827de8f369f7456a84b3ef5c4ec9238c7a3d782a8915ebec643a698b5bee0af0c243592bce0042aadeaf49a4b4c6dd9b + 024105d32dee952b503b536fcecf19ec08236a9cd945c49551bf99f15b674fc21aa199f4c4211f0f0007c417c1fb4155326a2142fca454bbd38d6dbc6caa7ac335a17c +""", """ +308189 + 0281812b7cd197f5796d1f8e576b2b37723fd9210814ef1c1995f9899d50058f379d239c66878e922f34c6ae3672c8598fcd5d47b764d2ec156e134d03cf6a94d38d2ea8bc76dbbc60c4b974219090eaf287497d7dcf7f119cfa867496f7e91c12b5d552e1d1461a80dbe9a59db3b016c6c0141c3b2a0e226089b855cb88ef656408bd89 + 0203010001 """), 1536: (""" 3082037b @@ -152,6 +200,38 @@ ASYMMETRIC_KEY_DATA = construct_asymmetric_key_data({ 3081c9 0281c100c870feb6ca6b1d2bd9f2dd99e20f1fe2d7e5192de662229dbe162bd1ba66336a7182903ca0b72796cd441c83d24bcdc3e9a2f5e4399c8a043f1c3ddf04754a66d4cfe7b3671a37dd31a9b4c13bfe06ee90f9d94ddaa06de67a52ac863e68f756736ceb014405a6160579640f831dddccc34ad0b05070e3f9954a58d1815813e1b83bcadba814789c87f1ef2ba5d738b793ec456a67360eea1b5faf1c7cc7bf24f3b2a9d0f8958b1096e0f0c335f8888d0c63a51c3c0337214fa3f5efdf6dcc35 0203010001 +"""), + 2048: (""" +308204a3 + 020100 + 0282010100f7bb6b8eab40491cd64455ec04d4ed8db5051a9738fc7af73ff3b097511cce40aaf76537b1353504427986b7b2b53a964a6937b558ec0d1dea274af2b8fff2f094c243fa577266a79db0c26ffe30416d23ef05dd5fecab413ebbb4f8526ae720a94584226b37d92ef463fc736cb38e530e7488d9162f5726807bc543138a2d258adb4d680221c2532381ccfa81bc89bc3d7b84039c2df41ce3ec8db91c2380e781ba3aa9e23b74ed9973d4908efca47aa8d9b7b0a4423297a404427c3f3cd6e0782e4553880f06ba39a64f4a7b0eef921a6050a207cefadcf07394a3e18ea915dc8497e7ae61fc3162f62f5065a692af077266f7360c2076cebeaf14cb22c1ed + 0203010001 + 0282010000b8962dce604bc62e7678f48ca80cfff456ad36e2f6d329cc911a42ba7cf5b9b8f5aae1005e4a06f6e591279038d8508f2b62badfa5223da3cc94fa8360d5556f6d6852be75ea08135cac1834da719a4e7837e166d1d2c6c816b64661c10766b02f705cc4489f947428255835a909214341c21335ae12181dd81e611d59b1db70667bebd7e92b71e1d388318d3ec14d616f72c231f6727a183e6818285bd65f6572cadc9012248821b2d0ae6cedd30ca440d4d34cd77e2cf6b40ed2c7d856b30d474733fce0fb695c3e6530c079aed955e4073055f2655d4b671e291fde400f2f06d0b33f87d261e0ad3dae48a913841b34cfed03790fcaee00de2e90fb9621 + 02818100fcbe89cd1aa319e49ef4f72149bf06da57dcc64d3de605e9ff3e76fc66f4b1e2878245ffd71990511b17e97f33818889a8c21b5527fd181327affe88f9bba670c4e6f1e6309bd0323074e4cbcf23dce3c19b8d5495f56a93059ba7414f28ed1ec906ad18c63de1148abcfe9be7986000f425e580b70e43e48e24fa9d51aaae4d + 02818100faec5a7bed2e53cfca1e167db4641db5a00fe2c328125423d594789f3ec072c623e7afbdee0089fd26307651f6d3611a88af28c34585d5cb713a650c35933f58944db9bd15ba9fc28b07e6705b7b3ef1ccb48d21a53569c8b84c444b61ea5c6e67b54f0afd852ffb8c92a111fab8677263eeb80cf1a3403b4a9a209776947221 + 0281802ff99afeabc7b9ea83a1cc272d706d4494d8fb6b3e0ca3a2bf28843d74ed8db68a3258472ff5524792f4ff057e296059810717591ab61813cabcc57c0aab6bf48bebaa8f1f3af45212909dbd721c449996ee87ed3e69cf49090f7ab812e699dbf61ca64ec592895ef4d6db1d8ce08798a6bf6ac8fbf6613cc91e8bd3c0e4bd21 + 02818100b29b34590bddb308afecb4c3ab78abf1114add755e7b956aa0677b6896a933c937db7dabaad2b565fd1df7caa5ef9629e5eb100fd6d7c9f372d846fee6cfb6025e25e934df57a4ca3c5e5637d9d6235ac80428852f6c92acae0a937e38e731fde0521d3e4c70d653ae9edc89c8b623e4379fbf606f4b6db8068528f7c70f2921 + 0281800ed47ae05b275a23a7dfe3ffb727e3a268e626a59d401d2d846de26954ff54fc9ed93a9af33fac2c967a18e0f86145083e39923454bc10da5f4937e836b99851956bffb301ce9e06789786693213fcde6d5f2933d52bb29dc340ea011257788d3c5775eb6569230aafbf08752d40a8419de71b01d4927e27c1079caada0568b1 + """, """ +3082010a + 0282010100f7bb6b8eab40491cd64455ec04d4ed8db5051a9738fc7af73ff3b097511cce40aaf76537b1353504427986b7b2b53a964a6937b558ec0d1dea274af2b8fff2f094c243fa577266a79db0c26ffe30416d23ef05dd5fecab413ebbb4f8526ae720a94584226b37d92ef463fc736cb38e530e7488d9162f5726807bc543138a2d258adb4d680221c2532381ccfa81bc89bc3d7b84039c2df41ce3ec8db91c2380e781ba3aa9e23b74ed9973d4908efca47aa8d9b7b0a4423297a404427c3f3cd6e0782e4553880f06ba39a64f4a7b0eef921a6050a207cefadcf07394a3e18ea915dc8497e7ae61fc3162f62f5065a692af077266f7360c2076cebeaf14cb22c1ed + 0203010001 +"""), + 4096: (""" +30820929 + 020100 + 0282020100cc8725f6b38d5d01aeeb07d36e03de4d31a0261ce74fe11a895ecfd13d168aee932af135ffbb849877273897081f3f7593c14ae82bc266c10544f726ae1ccf133d8a4018d380dfa25251c011107b7513a943346aa0e0dec11d8d7fa25644653c118daabce6d41f066f6621768801478055780e91b68ea3c95856d172a89032b39c824e8b7dc1a3f8aee4f6b368baa3cd68f50d52680117e9b913d7f8c852a0d1008e8b87a5c97e37afc11a080550557b8b4dcbd8e192ed3366d83a09d27c77e150f66855b5dcfdb2df151bd7f444250eaf6fe3f236826c81fa848101bfaad535ffb522d6ff97c9dd1e43b82cce2921d153c15450c4724ffd3efdca578e013650a03a5cf501fc58600fb5c860c0ef0cfe0ac0712d441313dca41a4d7d411e6c83b2151749d28be4692f62373db07e4a79051c5682ec20d491c4cfc7bc140f35fa15e5a1fa756d65b8ef93addf4c47c4a35b184f22a1ef089948f946f6faeb6470f26746e658cf9b4177417842e6d373558089aff721b930e9ec61b4f6a02c052c6924d39a5bbb15ed1106c4010f4dd69c79d042c8b31661b1ee486bc69db5f2f07a50d85b20699d601315625bb869629c7f4c5d48b211d097f438acec95973a38d421090af0f13484e4e94b8cb5efc18507f4b931df39987ffb2830293e4da381aaf70b3292952ef934e2b40fdebba3d9701b76e1be548274b2602d888537482d + 0203010001 + 028202001a943e9c0089f0aa0116048a96abb486321a86916f82fb352460789fcfb1400550853e5afedc9ad6e877259cc4feb093c24b968534f89abb5f48aed8ad3c4bb1cba7cd7c1c724d3dae36770010b5068a334f2b3ee720c9f9ed320001f3f587f5662f939e605df519343d60c0635ccd32b188bc55f5d434173c9e6db2199341af833990e50246f99cddf79dd2c35babe14c103a76b8d2d98d73528f98c249b0a1f09155b31f599fc833542422a2342623bbbef4ac7ee605e2cdecf01fea25683bd4f66ca924ccef00418adff730c4714f66ffa2af0da3e5df7f539c634289fc12bc24093ec8f0ec180af0907cec1ebec911fa180fb5f3c80ed852896ad6e6b3eccb44de62193d52118cab2b171071d5fdaa7c4288fc7766d57774f4be46151bb90ace7c10c215f62ed26e52e6122436f532bd54fc08272adb216a2db433d5699c40ad58faa2660898ffccfc98002f8bb0361b4cf9ed6e93c1ca96d34a1ef40460f85918cfde4a8193b51ecea4b3903cae924a8fad5f8308954c9f19a7597bf0a75126a557e49f8bbd31fc4e8556f230640bf36204c6cf3d56dca5a41d860307ba6705a698681100a327f91739c486c470ba71d03d285314b0d7d04008e03f2a2b85e7c243d6fd9b97a02168c069ec572d3f0ca15ebcb1739f3a0b3c147a88e0b74f45a007ae927d6f822bf50b87b1e93fe7d9180bc6bc12bde6c8070d10c97331 + 0282010100f50ebceac9d3c64482a8c265d6365461aa4a31a6a7633a24c8e34794ecdfcab1d6b52fb6a5f38055cc32d6a61b889550de27b3d0bd68b6d4fda041598ab98887143988576806b1c48720794902952ebe1bf0def65a0e6f94067056e6864fa2882e3a16f246282093d037639078182dd0a6eb21d3bad0637901a268b14c632c9d0b1690ed88abdde03f528247aa2e41557d0865ad34e53ff53ae0e5dea195d93fe65c25871f6f23adf34b6e960c2978f2b7475dafce6cbb26a53934d26c193d67f32de91035eeb89022beb7d5df784ac20ca6ab91bf6b775b6c9416f605b4841736cbfbd22ad98ab2e8428457e0793f5af40e550b48765d59e6e1b4a4a1f571f1 + 0282010100d5a91d4d44bb9b73c1fe0248925e2c0ec1de51390bd8a73b453da51ae29325ae7657089fd4ee4a2fd96e345b57f672d7d484fde99189ab0a6365bf2b38680d6bb947f4b217be660323c26b86d643ae686d82e36ec00cfd038942443caa04a0f91e68ec717935b45e790311be56440d7176949594688ed1dd5c9103c57c158d05e4c37b98d81898030744a64f6ebdbf750aab79757e34dac422163ea7c0f42b97710c861978b24100385aad727e5f3836a74ea4bf1d36ef2a5edf9c9e8f996ef3191348450ea9f1d4a63db29cb06f63e5badb18e4d40f5112b658d1cc23cb65388aca03d141a6bc5fbd9429fe33d340d3e85bfa848908d60b562f894e8a337dfd + 0282010100c4950f0d95dc51d791ad094d223b3113abc49af1e2a361f83242c8a07a28c8744315d3f1c44c82edd0c21398eacb75648ae1f48885f92379d6ffa08cd11126a99d9acd79b8946e3486659185f511718ec5e1432b02714426cdc77e9eacade36735161a643dcd60dcd2922c47af5f4e196c5d8124555f67fca148048dfe062cbaca334f0d8daeb96d73be9f8e17c1c55d6bd0b9a7e99fe1dfba5cc16a07dbaa8c6d220c64c9dda114a0f029052b3a75b0d73fe3b2ed7821e5cd7307a1a95fd1f7ba8760c8454b7c38fbf65c88b01cd273ba2c55c3b477e426ae025a2cffc4a095f2ba4e0779a24b765b85489f2a0e79b95fc0c38e2a91f12ef65ca749ce369431 + 028201002aa48e0c95e33bab66d4637048863314deec9819629be30499552c56a951e4fb64f309ed9c79d2a4aa28ac9a6e7be97fda1290fac4e94d11cdb4c8eabf5f450e72f4418a29e2fe493221e3840dcf8447a353b440ae63e93b83718e5ced31ef4ec91af7d5cdf3420478f27be019278be7515b665f305f10d3b55ddbfad64116dc4e4415aef3b234e4a5d6b5bab4c77a26c9f25f536bd4f0b4a478fc184f126c80d53742ac62c270e6b258a6b56b3365ecc28797a9ed12c1b91b265603ef751807bcc1747313f22729e1e3fe79f75cc3fb5dc7ccb81efacf9b847945a6109ecf9cf156505cbb55a3d317eb325661d18fe6bb416046837318053b365199334c03a1 + 0282010100ee63706030a4ece9fe3bddcfc49f5a83f37f63ebcb29dbdc999f6ff54b596f115cf1eca09990108a439518e996f689fdde89b2c67edc04bf8e366734c2ae3017ec14e042050e7c656840146ca048394dcebe90dd2195349bbad306569031b2ef6e9171d2ae7797c8844e548394ca3b768d8496e99ef63abb59b0ff7fc70eb53153dd0f59018a275acba701f2c76a15c894f53461fedf65bc25c2c5cec396e556a1a919bc7a056393d50644126dcdef9256642e65a6043cbce9497e192cf2cb33648e117f41dbf01900acb93b0c78ddf31f381f4db3f9ccbbb69093dabf2e89dbbc0cb72f20c005a2519e3a874146495d7aacf3416a422e560986f22f39456e7f + """, """ +3082020a + 0282020100cc8725f6b38d5d01aeeb07d36e03de4d31a0261ce74fe11a895ecfd13d168aee932af135ffbb849877273897081f3f7593c14ae82bc266c10544f726ae1ccf133d8a4018d380dfa25251c011107b7513a943346aa0e0dec11d8d7fa25644653c118daabce6d41f066f6621768801478055780e91b68ea3c95856d172a89032b39c824e8b7dc1a3f8aee4f6b368baa3cd68f50d52680117e9b913d7f8c852a0d1008e8b87a5c97e37afc11a080550557b8b4dcbd8e192ed3366d83a09d27c77e150f66855b5dcfdb2df151bd7f444250eaf6fe3f236826c81fa848101bfaad535ffb522d6ff97c9dd1e43b82cce2921d153c15450c4724ffd3efdca578e013650a03a5cf501fc58600fb5c860c0ef0cfe0ac0712d441313dca41a4d7d411e6c83b2151749d28be4692f62373db07e4a79051c5682ec20d491c4cfc7bc140f35fa15e5a1fa756d65b8ef93addf4c47c4a35b184f22a1ef089948f946f6faeb6470f26746e658cf9b4177417842e6d373558089aff721b930e9ec61b4f6a02c052c6924d39a5bbb15ed1106c4010f4dd69c79d042c8b31661b1ee486bc69db5f2f07a50d85b20699d601315625bb869629c7f4c5d48b211d097f438acec95973a38d421090af0f13484e4e94b8cb5efc18507f4b931df39987ffb2830293e4da381aaf70b3292952ef934e2b40fdebba3d9701b76e1be548274b2602d888537482d + 0203010001 """), }, }) diff --git a/yass/third_party/mbedtls/scripts/mbedtls_dev/bignum_common.py b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/bignum_common.py similarity index 100% rename from yass/third_party/mbedtls/scripts/mbedtls_dev/bignum_common.py rename to yass/third_party/mbedtls/framework/scripts/mbedtls_framework/bignum_common.py diff --git a/yass/third_party/mbedtls/scripts/mbedtls_dev/bignum_core.py b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/bignum_core.py similarity index 100% rename from yass/third_party/mbedtls/scripts/mbedtls_dev/bignum_core.py rename to yass/third_party/mbedtls/framework/scripts/mbedtls_framework/bignum_core.py diff --git a/yass/third_party/mbedtls/scripts/mbedtls_dev/bignum_data.py b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/bignum_data.py similarity index 100% rename from yass/third_party/mbedtls/scripts/mbedtls_dev/bignum_data.py rename to yass/third_party/mbedtls/framework/scripts/mbedtls_framework/bignum_data.py diff --git a/yass/third_party/mbedtls/scripts/mbedtls_dev/bignum_mod.py b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/bignum_mod.py similarity index 100% rename from yass/third_party/mbedtls/scripts/mbedtls_dev/bignum_mod.py rename to yass/third_party/mbedtls/framework/scripts/mbedtls_framework/bignum_mod.py diff --git a/yass/third_party/mbedtls/scripts/mbedtls_dev/bignum_mod_raw.py b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/bignum_mod_raw.py similarity index 100% rename from yass/third_party/mbedtls/scripts/mbedtls_dev/bignum_mod_raw.py rename to yass/third_party/mbedtls/framework/scripts/mbedtls_framework/bignum_mod_raw.py diff --git a/yass/third_party/mbedtls/scripts/mbedtls_dev/build_tree.py b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/build_tree.py similarity index 95% rename from yass/third_party/mbedtls/scripts/mbedtls_dev/build_tree.py rename to yass/third_party/mbedtls/framework/scripts/mbedtls_framework/build_tree.py index ec67e4cdfa..702a2cd9d3 100644 --- a/yass/third_party/mbedtls/scripts/mbedtls_dev/build_tree.py +++ b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/build_tree.py @@ -37,9 +37,13 @@ def crypto_core_directory(root: Optional[str] = None, relative: Optional[bool] = return "core" return os.path.join(root, "core") elif looks_like_mbedtls_root(root): + if os.path.isdir(os.path.join(root, 'tf-psa-crypto')): + path = "tf-psa-crypto/core" + else: + path = "library" if relative: - return "library" - return os.path.join(root, "library") + return path + return os.path.join(root, path) else: raise Exception('Neither Mbed TLS nor TF-PSA-Crypto source tree found') diff --git a/yass/third_party/mbedtls/scripts/mbedtls_dev/c_build_helper.py b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/c_build_helper.py similarity index 100% rename from yass/third_party/mbedtls/scripts/mbedtls_dev/c_build_helper.py rename to yass/third_party/mbedtls/framework/scripts/mbedtls_framework/c_build_helper.py diff --git a/yass/third_party/mbedtls/scripts/mbedtls_dev/c_parsing_helper.py b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/c_parsing_helper.py similarity index 77% rename from yass/third_party/mbedtls/scripts/mbedtls_dev/c_parsing_helper.py rename to yass/third_party/mbedtls/framework/scripts/mbedtls_framework/c_parsing_helper.py index 2657b7d230..0e428cd049 100644 --- a/yass/third_party/mbedtls/scripts/mbedtls_dev/c_parsing_helper.py +++ b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/c_parsing_helper.py @@ -46,6 +46,8 @@ class ArgumentInfo: self.name = m.group('name') #type: Optional[str] self.suffix = m.group('suffix') if m.group('suffix') else '' #type: str + def __str__(self) -> str: + return self.decl class FunctionInfo: """Information about an API function.""" @@ -60,18 +62,38 @@ class FunctionInfo: qualifiers: Iterable[str], return_type: str, name: str, - arguments: List[str]) -> None: + arguments: List[str], + doc: str = "") -> None: + self.filename = filename self.line_number = line_number self.qualifiers = frozenset(qualifiers) self.return_type = return_type self.name = name self.arguments = [ArgumentInfo(arg) for arg in arguments] + self.doc = doc def returns_void(self) -> bool: """Whether the function returns void.""" return bool(self.VOID_RE.search(self.return_type)) + def __str__(self) -> str: + str_args = [str(a) for a in self.arguments] + str_text = "{} {} {}({})".format(" ".join(self.qualifiers), + self.return_type, self.name, + ", ".join(str_args)).strip() + str_text = self._c_wrap_(str_text) + return self.doc + "\n" + str_text + + @staticmethod + def _c_wrap_(in_str: str, line_len: int = 80) -> str: + """Auto-idents function declaration args using opening parenthesis.""" + if len(in_str) >= line_len: + p_idx = in_str.index("(") + ident = " " * p_idx + padded_comma = ",\n" + ident + in_str = in_str.replace(",", padded_comma) + return in_str # Match one C comment. # Note that we match both comment types, so things like // in a /*...*/ @@ -112,6 +134,7 @@ _C_FUNCTION_DECLARATION_RE = re.compile( def read_function_declarations(functions: Dict[str, FunctionInfo], filename: str) -> None: + """Collect function declarations from a C header file.""" for line_number, line in read_logical_lines(filename): m = _C_FUNCTION_DECLARATION_RE.match(line) @@ -129,3 +152,17 @@ def read_function_declarations(functions: Dict[str, FunctionInfo], return_type, name, arguments) + +_C_TYPEDEF_DECLARATION_RE = re.compile(r'typedef (?:struct )?(?P\w+) (?P\w+)') + +def read_typedefs(filename: str) -> Dict[str, str]: + """ Extract type definitions in a {typedef aliased name: original type} dictionary. + Multi-line typedef struct are not captured. """ + + type_decl = {} + + for _, line in read_logical_lines(filename): + m = _C_TYPEDEF_DECLARATION_RE.match(line) + if m: + type_decl[m.group("name")] = m.group("type") + return type_decl diff --git a/yass/third_party/mbedtls/scripts/mbedtls_dev/c_wrapper_generator.py b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/c_wrapper_generator.py similarity index 86% rename from yass/third_party/mbedtls/scripts/mbedtls_dev/c_wrapper_generator.py rename to yass/third_party/mbedtls/framework/scripts/mbedtls_framework/c_wrapper_generator.py index 3cf1e05ebb..f15f3a7f3f 100644 --- a/yass/third_party/mbedtls/scripts/mbedtls_dev/c_wrapper_generator.py +++ b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/c_wrapper_generator.py @@ -11,8 +11,7 @@ import os import re import sys -import typing -from typing import Dict, List, Optional, Tuple +from typing import Dict, NamedTuple, List, Optional, Tuple from .c_parsing_helper import ArgumentInfo, FunctionInfo from . import typing_util @@ -25,12 +24,35 @@ def c_declare(prefix: str, name: str, suffix: str) -> str: return prefix + name + suffix -WrapperInfo = typing.NamedTuple('WrapperInfo', [ +WrapperInfo = NamedTuple('WrapperInfo', [ ('argument_names', List[str]), ('guard', Optional[str]), ('wrapper_name', str), ]) +def strip_indentation(in_str: str, new_lines: int = 1, indent_lv: int = 0) -> str: + """Return a whitespace stripped str, with configurable whitespace in output. + + The method will remove space-character indentation from input string. + It will also remove all new-lines around the text-block as well as + trailing whitespace. + The output indentation can be configured by indent_lv, and will use blocks + of 4 spaces. + At the end of the string a `new_lines` amount of empty lines will be added. + """ + + _ret_string = in_str.lstrip('\n').rstrip() + # Count empty spaces in beggining of each line. The smallest non-zero entry + # will be used to clean up input indentation. + indents = [len(n)-1 for n in re.findall(r'(?m)^ +\S', in_str)] + + if indents: + _ret_string = re.sub(r'(?m)^ {{{indent}}}'.format(indent=min(indents)), + '', _ret_string) + if indent_lv: + _ret_string = '\n'.join([' ' * indent_lv * 4 + s + for s in _ret_string.splitlines()]) + return _ret_string + ('\n' * (new_lines + 1)) class Base: """Generate a C source file containing wrapper functions.""" @@ -46,6 +68,8 @@ class Base: # Suffix appended to the function's name to form the wrapper name. _WRAPPER_NAME_SUFFIX = '_wrap' + _INCLUDES = [''] + # Functions with one of these qualifiers are skipped. _SKIP_FUNCTION_WITH_QUALIFIERS = frozenset(['inline', 'static']) @@ -55,6 +79,7 @@ class Base: self.program_name = os.path.basename(sys.argv[0]) # To be populated in a derived class self.functions = {} #type: Dict[str, FunctionInfo] + self._function_guards = {} #type: Dict[str, str] # Preprocessor symbol used as a guard against multiple inclusion in the # header. Must be set before writing output to a header. # Not used when writing .c output. @@ -65,42 +90,49 @@ class Base: This includes a description comment and some include directives. """ - out.write("""/* Automatically generated by {}, do not edit! */ + prologue = strip_indentation(f''' + /* Automatically generated by {self.program_name}, do not edit! */ + + /* Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + + ''') -/* Copyright The Mbed TLS Contributors - * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later - */ -""" - .format(self.program_name)) if header: - out.write(""" -#ifndef {guard} -#define {guard} + prologue += strip_indentation(f''' + #ifndef {self.header_guard} + #define {self.header_guard} -#ifdef __cplusplus -extern "C" {{ -#endif -""" - .format(guard=self.header_guard)) - out.write(""" -#include -""") + #ifdef __cplusplus + extern "C" {{ + #endif + + ''') + + for include in self._INCLUDES: + prologue += "#include {}\n".format(include) + + # Make certain there is an empty line at the end of this section. + prologue += '\n' if self._INCLUDES else '\n\n' + + out.write(prologue) def _write_epilogue(self, out: typing_util.Writable, header: bool) -> None: - """Write the epilogue of a C file. - """ + """Write the epilogue of a C file.""" + epilogue = "" if header: - out.write(""" -#ifdef __cplusplus -}} -#endif + epilogue += strip_indentation(f''' + #ifdef __cplusplus + }} + #endif -#endif /* {guard} */ -""" - .format(guard=self.header_guard)) - out.write(""" -/* End of automatically generated file. */ -""") + #endif /* {self.header_guard} */ + + ''') + + epilogue += ('/* End of automatically generated file. */\n') + out.write(epilogue) def _wrapper_function_name(self, original_name: str) -> str: """The name of the wrapper function. @@ -207,15 +239,12 @@ extern "C" {{ return True return False - _FUNCTION_GUARDS = { - } #type: Dict[str, str] - def _function_guard(self, function: FunctionInfo) -> Optional[str]: """A preprocessor condition for this function. The wrapper will be guarded with `#if` on this condition, if not None. """ - return self._FUNCTION_GUARDS.get(function.name) + return self._function_guards.get(function.name) def _wrapper_info(self, function: FunctionInfo) -> Optional[WrapperInfo]: """Information about the wrapper for one function. @@ -268,10 +297,8 @@ extern "C" {{ wrapper = self._wrapper_info(function) if wrapper is None: return - out.write(""" -/* Wrapper for {} */ -""" - .format(function.name)) + out.write('/* Wrapper for {} */\n'.format(function.name)) + if wrapper.guard is not None: out.write('#if {}\n'.format(wrapper.guard)) self._write_function_prototype(out, function, wrapper, False) @@ -280,6 +307,7 @@ extern "C" {{ out.write('}\n') if wrapper.guard is not None: out.write('#endif /* {} */\n'.format(wrapper.guard)) + out.write('\n') def _write_h_function_declaration(self, out: typing_util.Writable, function: FunctionInfo, @@ -311,13 +339,13 @@ extern "C" {{ wrapper = self._wrapper_info(function) if wrapper is None: return - out.write('\n') if wrapper.guard is not None: out.write('#if {}\n'.format(wrapper.guard)) self._write_h_function_declaration(out, function, wrapper) self._write_h_macro_definition(out, function, wrapper) if wrapper.guard is not None: out.write('#endif /* {} */\n'.format(wrapper.guard)) + out.write('\n') def write_c_file(self, filename: str) -> None: """Output a whole C file containing function wrapper definitions.""" diff --git a/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/code_wrapper/__init__.py b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/code_wrapper/__init__.py new file mode 100644 index 0000000000..e69de29bb2 diff --git a/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/code_wrapper/psa_buffer.py b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/code_wrapper/psa_buffer.py new file mode 100644 index 0000000000..ca6296872b --- /dev/null +++ b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/code_wrapper/psa_buffer.py @@ -0,0 +1,29 @@ +""" PSA Buffer utility data-class. +""" + +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +from typing import List +from .. import typing_util + +class BufferParameter: + """Description of an input or output buffer parameter sequence to a PSA function.""" + #pylint: disable=too-few-public-methods + + def __init__(self, i: int, is_output: bool, + buffer_name: str, size_name: str) -> None: + """Initialize the parameter information. + + i is the index of the function argument that is the pointer to the buffer. + The size is argument i+1. For a variable-size output, the actual length + goes in argument i+2. + + buffer_name and size_names are the names of arguments i and i+1. + This class does not yet help with the output length. + """ + self.index = i + self.buffer_name = buffer_name + self.size_name = size_name + self.is_output = is_output + diff --git a/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/code_wrapper/psa_test_wrapper.py b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/code_wrapper/psa_test_wrapper.py new file mode 100644 index 0000000000..6b90fe20ee --- /dev/null +++ b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/code_wrapper/psa_test_wrapper.py @@ -0,0 +1,39 @@ +"""Generate wrapper functions for PSA function calls. +""" + +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +import argparse +import itertools +import os +from typing import Iterator, List, Collection, Optional, Tuple + +from .. import build_tree +from .. import c_parsing_helper +from .. import c_wrapper_generator +from .. import typing_util + +from .psa_buffer import BufferParameter +from .psa_wrapper import PSAWrapper, PSALoggingWrapper, PSAWrapperConfiguration + +class PSATestWrapper(PSAWrapper): + """Generate a C source file containing wrapper functions for PSA Crypto API calls.""" + + _WRAPPER_NAME_PREFIX = 'mbedtls_test_wrap_' + _WRAPPER_NAME_SUFFIX = '' + + _PSA_WRAPPER_INCLUDES = ['', + '', + '', + ''] + +class PSALoggingTestWrapper(PSATestWrapper, PSALoggingWrapper): + """Generate a C source file containing wrapper functions that log PSA Crypto API calls.""" + + def __init__(self, out_h_f: str, + out_c_f: str, + stream: str, + in_headers: Optional[List[str]] = None) -> None: + super().__init__(out_h_f, out_c_f, stream, in_headers) + diff --git a/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/code_wrapper/psa_wrapper.py b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/code_wrapper/psa_wrapper.py new file mode 100644 index 0000000000..7e6b3e8c91 --- /dev/null +++ b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/code_wrapper/psa_wrapper.py @@ -0,0 +1,286 @@ +"""Generate wrapper functions for PSA function calls. +""" + +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +import argparse +import itertools +import os +from typing import Any, Iterator, List, Dict, Collection, Optional, Tuple + +from .. import build_tree +from .. import c_parsing_helper +from .. import c_wrapper_generator +from .. import typing_util + +from .psa_buffer import BufferParameter + +class PSAWrapperConfiguration: + """Configuration data class for PSA Wrapper.""" + + def __init__(self) -> None: + self.cpp_guards = ["MBEDTLS_PSA_CRYPTO_C", "MBEDTLS_TEST_HOOKS", "!RECORD_PSA_STATUS_COVERAGE_LOG"] + + self.skipped_functions = frozenset([ + 'mbedtls_psa_external_get_random', # not a library function + 'psa_get_key_domain_parameters', # client-side function + 'psa_get_key_slot_number', # client-side function + 'psa_key_derivation_verify_bytes', # not implemented yet + 'psa_key_derivation_verify_key', # not implemented yet + 'psa_set_key_domain_parameters', # client-side function + ]) + + self.skipped_argument_types = frozenset([ + # PAKE stuff: not implemented yet + 'psa_crypto_driver_pake_inputs_t *', + 'psa_pake_cipher_suite_t *', + ]) + + self.function_guards = { + 'mbedtls_psa_register_se_key': 'defined(MBEDTLS_PSA_CRYPTO_SE_C)', + 'mbedtls_psa_inject_entropy': 'defined(MBEDTLS_PSA_INJECT_ENTROPY)', + 'mbedtls_psa_external_get_random': 'defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)', + 'mbedtls_psa_platform_get_builtin_key': 'defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)', + 'psa_crypto_driver_pake_get_cipher_suite' : 'defined(PSA_WANT_ALG_SOME_PAKE)', + 'psa_crypto_driver_pake_get_password' : 'defined(PSA_WANT_ALG_SOME_PAKE)', + 'psa_crypto_driver_pake_get_password_len' : 'defined(PSA_WANT_ALG_SOME_PAKE)', + 'psa_crypto_driver_pake_get_peer' : 'defined(PSA_WANT_ALG_SOME_PAKE)', + 'psa_crypto_driver_pake_get_peer_len' : 'defined(PSA_WANT_ALG_SOME_PAKE)', + 'psa_crypto_driver_pake_get_user' : 'defined(PSA_WANT_ALG_SOME_PAKE)', + 'psa_crypto_driver_pake_get_user_len' : 'defined(PSA_WANT_ALG_SOME_PAKE)', + 'psa_pake_abort' : 'defined(PSA_WANT_ALG_SOME_PAKE)', + 'psa_pake_get_implicit_key' : 'defined(PSA_WANT_ALG_SOME_PAKE)', + 'psa_pake_input' : 'defined(PSA_WANT_ALG_SOME_PAKE)', + 'psa_pake_output' : 'defined(PSA_WANT_ALG_SOME_PAKE)', + 'psa_pake_set_password_key' : 'defined(PSA_WANT_ALG_SOME_PAKE)', + 'psa_pake_set_peer' : 'defined(PSA_WANT_ALG_SOME_PAKE)', + 'psa_pake_set_role' : 'defined(PSA_WANT_ALG_SOME_PAKE)', + 'psa_pake_set_user' : 'defined(PSA_WANT_ALG_SOME_PAKE)', + 'psa_pake_setup' : 'defined(PSA_WANT_ALG_SOME_PAKE)', + } + +class PSAWrapper(c_wrapper_generator.Base): + """Generate a C source file containing wrapper functions for PSA Crypto API calls.""" + + _WRAPPER_NAME_PREFIX = 'mbedtls_test_wrap_' + _WRAPPER_NAME_SUFFIX = '' + + _PSA_WRAPPER_INCLUDES = [''] + _DEFAULT_IN_HEADERS = ['crypto.h', 'crypto_extra.h'] + + def __init__(self, + out_h_f: str, + out_c_f: str, + in_headers: Optional[List[str]] = None, + config: PSAWrapperConfiguration = PSAWrapperConfiguration()) -> None: + + super().__init__() + self.out_c_f = out_c_f + self.out_h_f = out_h_f + + self.mbedtls_root = build_tree.guess_mbedtls_root() + self.read_config(config) + self.read_headers(in_headers) + + def read_config(self, cfg: PSAWrapperConfiguration)-> None: + """Configure instance's parameters from a user provided config.""" + + self._cpp_guards = PSAWrapper.parse_def_guards(cfg.cpp_guards) + self._skip_functions = cfg.skipped_functions + self._function_guards.update(cfg.function_guards) + self._not_implemented = cfg.skipped_argument_types + + def read_headers(self, headers: Optional[List[str]]) -> None: + """Reads functions to be wrapped from source header files into self.functions.""" + self.in_headers = self._DEFAULT_IN_HEADERS if headers is None else headers + for header_name in self.in_headers: + header_path = self.rel_path(header_name) + c_parsing_helper.read_function_declarations(self.functions, header_path) + + def rel_path(self, filename: str, path_list: List[str] = ['include', 'psa']) -> str: + """Return the estimated path in relationship to the mbedtls_root. + + The method allows overriding the targetted sub-directory. + Currently the default is set to mbedtls_root/include/psa.""" + # Temporary, while Mbed TLS does not just rely on the TF-PSA-Crypto + # build system to build its crypto library. When it does, the first + # case can just be removed. + if os.path.isdir(os.path.join(self.mbedtls_root, 'tf-psa-crypto')): + path_list = ['tf-psa-crypto' ] + path_list + return os.path.join(self.mbedtls_root, *path_list, filename) + + return os.path.join(self.mbedtls_root, *path_list, filename) + + # Utility Methods + @staticmethod + def parse_def_guards(def_list: Collection[str])-> str: + """ Create define guards. + + Convert an input list of into a C preprocessor + expression of defined() && !defined() syntax string.""" + + output = "" + dl = [("defined({})".format(n) if n[0] != "!" else + "!defined({})".format(n[1:])) + for n in def_list] + + # Split the list in chunks of 2 and add new lines + for i in range(0, len(dl), 2): + output += "{} && {} && \\".format(dl[i], dl[i+1]) + "\n "\ + if i+2 <= len(dl) else dl[i] + return output + + @staticmethod + def _detect_buffer_parameters(arguments: List[c_parsing_helper.ArgumentInfo], + argument_names: List[str]) -> Iterator[BufferParameter]: + """Detect function arguments that are buffers (pointer, size [,length]).""" + types = ['' if arg.suffix else arg.type for arg in arguments] + # pairs = list of (type_of_arg_N, type_of_arg_N+1) + # where each type_of_arg_X is the empty string if the type is an array + # or there is no argument X. + pairs = enumerate(itertools.zip_longest(types, types[1:], fillvalue='')) + for i, t01 in pairs: + if (t01[0] == 'const uint8_t *' or t01[0] == 'uint8_t *') and \ + t01[1] == 'size_t': + yield BufferParameter(i, not t01[0].startswith('const '), + argument_names[i], argument_names[i+1]) + + @staticmethod + def _parameter_should_be_copied(function_name: str, + _buffer_name: Optional[str]) -> bool: + """Whether the specified buffer argument to a PSA function should be copied. + """ + # False-positives that do not need buffer copying + if function_name in ('mbedtls_psa_inject_entropy', + 'psa_crypto_driver_pake_get_password', + 'psa_crypto_driver_pake_get_user', + 'psa_crypto_driver_pake_get_peer'): + return False + + return True + + def _poison_wrap(self, param : BufferParameter, poison: bool, ident_lv = 1) -> str: + """Returns a call to MBEDTLS_TEST_MEMORY_[UN]POISON. + + The output is prefixed with MBEDTLS_TEST_MEMORY_ followed by POISON/UNPOISON + and the input parameter arguments (name, length) + """ + return "{}MBEDTLS_TEST_MEMORY_{}({}, {});\n".format((ident_lv * 4) * ' ', + 'POISON' if poison else 'UNPOISON', + param.buffer_name, param.size_name) + + def _poison_multi_write(self, + out: typing_util.Writable, + buffer_parameters: List['BufferParameter'], + poison: bool) -> None: + """Write poisoning or unpoisoning code for the buffer parameters. + + Write poisoning code if poison is true, unpoisoning code otherwise. + """ + + if not buffer_parameters: + return + out.write('#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)\n') + for param in buffer_parameters: + out.write(self._poison_wrap(param, poison)) + out.write('#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */\n') + + # Override parent's methods + def _write_function_call(self, out: typing_util.Writable, + function: c_wrapper_generator.FunctionInfo, + argument_names: List[str]) -> None: + buffer_parameters = list( + param + for param in self._detect_buffer_parameters(function.arguments, + argument_names) + if self._parameter_should_be_copied(function.name, + function.arguments[param.index].name)) + + self._poison_multi_write(out, buffer_parameters, True) + super()._write_function_call(out, function, argument_names) + self._poison_multi_write(out, buffer_parameters, False) + + def _skip_function(self, function: c_wrapper_generator.FunctionInfo) -> bool: + if function.return_type != 'psa_status_t': + return True + if function.name in self._skip_functions: + return True + return False + + def _return_variable_name(self, + function: c_wrapper_generator.FunctionInfo) -> str: + """The name of the variable that will contain the return value.""" + + if function.return_type == 'psa_status_t': + return 'status' + return super()._return_variable_name(function) + + def _write_prologue(self, out: typing_util.Writable, header: bool) -> None: + super()._write_prologue(out, header) + + prologue = [] + if self._cpp_guards: + prologue.append("#if {}".format(self._cpp_guards)) + prologue.append('') + + for include in self._PSA_WRAPPER_INCLUDES: + prologue.append("#include {}".format(include)) + + # Make certain there is an empty line at the end of this section. + for i in [-1, -2]: + if prologue[i] != '': + prologue.append('') + + out.write("\n".join(prologue)) + + def _write_epilogue(self, out: typing_util.Writable, header: bool) -> None: + if self._cpp_guards: + out.write("#endif /* {} */\n\n".format(self._cpp_guards)) + super()._write_epilogue(out, header) + +class PSALoggingWrapper(PSAWrapper, c_wrapper_generator.Logging): + """Generate a C source file containing wrapper functions that log PSA Crypto API calls.""" + + def __init__(self, + stream: str, + out_h_f: str, + out_c_f: str, + in_headers: Optional[List[str]] = None, + config: PSAWrapperConfiguration = PSAWrapperConfiguration()) -> None: + + super().__init__(out_h_f, out_c_f, in_headers, config) + self.set_stream(stream) + + _PRINTF_TYPE_CAST = c_wrapper_generator.Logging._PRINTF_TYPE_CAST.copy() + _PRINTF_TYPE_CAST.update({ + 'mbedtls_svc_key_id_t': 'unsigned', + 'psa_algorithm_t': 'unsigned', + 'psa_drv_slot_number_t': 'unsigned long long', + 'psa_key_derivation_step_t': 'int', + 'psa_key_id_t': 'unsigned', + 'psa_key_slot_number_t': 'unsigned long long', + 'psa_key_lifetime_t': 'unsigned', + 'psa_key_type_t': 'unsigned', + 'psa_key_usage_flags_t': 'unsigned', + 'psa_pake_role_t': 'int', + 'psa_pake_step_t': 'int', + 'psa_status_t': 'int', + }) + + def _printf_parameters(self, typ: str, var: str) -> Tuple[str, List[str]]: + if typ.startswith('const '): + typ = typ[6:] + if typ == 'uint8_t *': + # Skip buffers + return '', [] + if typ.endswith('operation_t *'): + return '', [] + if typ in self._not_implemented: + return '', [] + if typ == 'psa_key_attributes_t *': + return (var + '={id=%u, lifetime=0x%08x, type=0x%08x, bits=%u, alg=%08x, usage=%08x}', + ['(unsigned) psa_get_key_{}({})'.format(field, var) + for field in ['id', 'lifetime', 'type', 'bits', 'algorithm', 'usage_flags']]) + return super()._printf_parameters(typ, var) + diff --git a/yass/third_party/mbedtls/scripts/mbedtls_dev/crypto_data_tests.py b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/crypto_data_tests.py similarity index 100% rename from yass/third_party/mbedtls/scripts/mbedtls_dev/crypto_data_tests.py rename to yass/third_party/mbedtls/framework/scripts/mbedtls_framework/crypto_data_tests.py diff --git a/yass/third_party/mbedtls/scripts/mbedtls_dev/crypto_knowledge.py b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/crypto_knowledge.py similarity index 100% rename from yass/third_party/mbedtls/scripts/mbedtls_dev/crypto_knowledge.py rename to yass/third_party/mbedtls/framework/scripts/mbedtls_framework/crypto_knowledge.py diff --git a/yass/third_party/mbedtls/scripts/mbedtls_dev/ecp.py b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/ecp.py similarity index 100% rename from yass/third_party/mbedtls/scripts/mbedtls_dev/ecp.py rename to yass/third_party/mbedtls/framework/scripts/mbedtls_framework/ecp.py diff --git a/yass/third_party/mbedtls/scripts/mbedtls_dev/logging_util.py b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/logging_util.py similarity index 100% rename from yass/third_party/mbedtls/scripts/mbedtls_dev/logging_util.py rename to yass/third_party/mbedtls/framework/scripts/mbedtls_framework/logging_util.py diff --git a/yass/third_party/mbedtls/scripts/mbedtls_dev/macro_collector.py b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/macro_collector.py similarity index 100% rename from yass/third_party/mbedtls/scripts/mbedtls_dev/macro_collector.py rename to yass/third_party/mbedtls/framework/scripts/mbedtls_framework/macro_collector.py diff --git a/yass/third_party/mbedtls/scripts/mbedtls_dev/psa_information.py b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/psa_information.py similarity index 83% rename from yass/third_party/mbedtls/scripts/mbedtls_dev/psa_information.py rename to yass/third_party/mbedtls/framework/scripts/mbedtls_framework/psa_information.py index 60803864f2..0d4ea9edd8 100644 --- a/yass/third_party/mbedtls/scripts/mbedtls_dev/psa_information.py +++ b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/psa_information.py @@ -5,6 +5,7 @@ # SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later # +import os import re from collections import OrderedDict from typing import FrozenSet, List, Optional @@ -30,9 +31,18 @@ class Information: def read_psa_interface(self) -> macro_collector.PSAMacroEnumerator: """Return the list of known key types, algorithms, etc.""" constructors = macro_collector.InputsForTest() - header_file_names = ['include/psa/crypto_values.h', - 'include/psa/crypto_extra.h'] - test_suites = ['tests/suites/test_suite_psa_crypto_metadata.data'] + # Temporary, while Mbed TLS does not just rely on the TF-PSA-Crypto + # build system to build its crypto library. When it does, the first + # case can just be removed. + if os.path.isdir('tf-psa-crypto'): + header_file_names = ['tf-psa-crypto/include/psa/crypto_values.h', + 'tf-psa-crypto/include/psa/crypto_extra.h'] + test_suites = ['tf-psa-crypto/tests/suites/test_suite_psa_crypto_metadata.data'] + else: + header_file_names = ['include/psa/crypto_values.h', + 'include/psa/crypto_extra.h'] + test_suites = ['tests/suites/test_suite_psa_crypto_metadata.data'] + for header_file_name in header_file_names: constructors.parse_header(header_file_name) for test_cases in test_suites: @@ -124,10 +134,22 @@ def read_implemented_dependencies(filename: str) -> FrozenSet[str]: for symbol in re.findall(r'\bPSA_WANT_\w+\b', line)) _implemented_dependencies = None #type: Optional[FrozenSet[str]] #pylint: disable=invalid-name def hack_dependencies_not_implemented(dependencies: List[str]) -> None: + """ + Hack dependencies to skip test cases for which at least one dependency + symbol is not available yet. + """ global _implemented_dependencies #pylint: disable=global-statement,invalid-name if _implemented_dependencies is None: - _implemented_dependencies = \ - read_implemented_dependencies('include/psa/crypto_config.h') + # Temporary, while Mbed TLS does not just rely on the TF-PSA-Crypto + # build system to build its crypto library. When it does, the first + # case can just be removed. + if os.path.isdir('tf-psa-crypto'): + _implemented_dependencies = \ + read_implemented_dependencies('tf-psa-crypto/include/psa/crypto_config.h') + else: + _implemented_dependencies = \ + read_implemented_dependencies('include/psa/crypto_config.h') + if not all((dep.lstrip('!') in _implemented_dependencies or not dep.lstrip('!').startswith('PSA_WANT')) for dep in dependencies): diff --git a/yass/third_party/mbedtls/scripts/mbedtls_dev/psa_storage.py b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/psa_storage.py similarity index 91% rename from yass/third_party/mbedtls/scripts/mbedtls_dev/psa_storage.py rename to yass/third_party/mbedtls/framework/scripts/mbedtls_framework/psa_storage.py index b1fc377104..64e4fabc16 100644 --- a/yass/third_party/mbedtls/scripts/mbedtls_dev/psa_storage.py +++ b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/psa_storage.py @@ -10,6 +10,7 @@ before changing how test data is constructed or validated. # SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later # +import os import re import struct from typing import Dict, List, Optional, Set, Union @@ -41,9 +42,22 @@ class Expr: def update_cache(self) -> None: """Update `value_cache` for expressions registered in `unknown_values`.""" expressions = sorted(self.unknown_values) - includes = ['include'] + # Temporary, while Mbed TLS does not just rely on the TF-PSA-Crypto + # build system to build its crypto library. When it does, the first + # case can just be removed. + if os.path.isdir('tf-psa-crypto'): + includes = ['include', 'tf-psa-crypto/include', + 'tf-psa-crypto/drivers/builtin/include'] + else: + includes = ['include'] + if build_tree.looks_like_tf_psa_crypto_root('.'): includes.append('drivers/builtin/include') + # Temporary, while TF-PSA-Crypto build system in Mbed TLS still + # reference some files in Mbed TLS include directory. When it does + # not anymore, this can be removed. + if build_tree.looks_like_mbedtls_root('..'): + includes.append('../include') values = c_build_helper.get_c_expression_values( 'unsigned long', '%lu', expressions, diff --git a/yass/third_party/mbedtls/scripts/mbedtls_dev/test_case.py b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/test_case.py similarity index 100% rename from yass/third_party/mbedtls/scripts/mbedtls_dev/test_case.py rename to yass/third_party/mbedtls/framework/scripts/mbedtls_framework/test_case.py diff --git a/yass/third_party/mbedtls/scripts/mbedtls_dev/test_data_generation.py b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/test_data_generation.py similarity index 100% rename from yass/third_party/mbedtls/scripts/mbedtls_dev/test_data_generation.py rename to yass/third_party/mbedtls/framework/scripts/mbedtls_framework/test_data_generation.py diff --git a/yass/third_party/mbedtls/scripts/mbedtls_dev/typing_util.py b/yass/third_party/mbedtls/framework/scripts/mbedtls_framework/typing_util.py similarity index 100% rename from yass/third_party/mbedtls/scripts/mbedtls_dev/typing_util.py rename to yass/third_party/mbedtls/framework/scripts/mbedtls_framework/typing_util.py diff --git a/yass/third_party/mbedtls/framework/scripts/project_scripts.py b/yass/third_party/mbedtls/framework/scripts/project_scripts.py new file mode 100644 index 0000000000..2666c7b106 --- /dev/null +++ b/yass/third_party/mbedtls/framework/scripts/project_scripts.py @@ -0,0 +1,17 @@ +"""Add the consuming repository's scripts to the module search path. + +Usage: + + import project_scripts # pylint: disable=unused-import +""" + +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later +# + +import os +import sys + +sys.path.append(os.path.join(os.path.dirname(__file__), + os.path.pardir, os.path.pardir, + 'scripts')) diff --git a/yass/third_party/mbedtls/tests/scripts/test_generate_test_code.py b/yass/third_party/mbedtls/framework/scripts/test_generate_test_code.py similarity index 98% rename from yass/third_party/mbedtls/tests/scripts/test_generate_test_code.py rename to yass/third_party/mbedtls/framework/scripts/test_generate_test_code.py index abc46a7291..0523e98c11 100755 --- a/yass/third_party/mbedtls/tests/scripts/test_generate_test_code.py +++ b/yass/third_party/mbedtls/framework/scripts/test_generate_test_code.py @@ -194,7 +194,7 @@ class GenFunctionWrapper(TestCase): """ code = gen_function_wrapper('test_a', '', ('a', 'b', 'c', 'd')) expected = ''' -void test_a_wrapper( void ** params ) +static void test_a_wrapper( void ** params ) { test_a( a, b, c, d ); @@ -211,7 +211,7 @@ void test_a_wrapper( void ** params ) code = gen_function_wrapper('test_a', 'int x = 1;', ('x', 'b', 'c', 'd')) expected = ''' -void test_a_wrapper( void ** params ) +static void test_a_wrapper( void ** params ) { int x = 1; test_a( x, b, c, d ); @@ -227,7 +227,7 @@ int x = 1; """ code = gen_function_wrapper('test_a', '', ()) expected = ''' -void test_a_wrapper( void ** params ) +static void test_a_wrapper( void ** params ) { (void)params; @@ -635,7 +635,7 @@ void func() self.assertEqual(arg, []) expected = '''#line 1 "test_suite_ut.function" -void test_func(void) +static void test_func(void) { ba ba black sheep have you any wool @@ -678,7 +678,7 @@ exit: expected = '''#line 1 "test_suite_ut.function" -void test_func(void) +static void test_func(void) { ba ba black sheep have you any wool @@ -735,7 +735,7 @@ exit: expected = '''#line 1 "test_suite_ut.function" -void +static void test_func(void) @@ -791,7 +791,7 @@ exit: -void test_func(void) +static void test_func(void) { ba ba black sheep have you any wool @@ -836,7 +836,7 @@ exit: expected = '''#line 1 "test_suite_ut.function" -void test_func( int x, +static void test_func( int x, int y ) { @@ -881,7 +881,7 @@ exit: expected = '''#line 1 "test_suite_ut.function" -void test_func( int x ) +static void test_func( int x ) { ba ba black sheep have you any wool @@ -926,7 +926,7 @@ exit: expected = '''#line 1 "test_suite_ut.function" -void test_func( int x ) +static void test_func( int x ) { ba ba black sheep have you any wool @@ -975,7 +975,7 @@ class ParseFunction(TestCase): raise Exception parse_until_pattern_mock.side_effect = stop data = '''/* BEGIN_SUITE_HELPERS */ -void print_hello_world() +static void print_hello_world() { printf("Hello World!\n"); } @@ -1022,7 +1022,7 @@ void print_hello_world() dependencies_str = '/* BEGIN_CASE ' \ 'depends_on:MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_FS_IO */\n' - data = '''%svoid test_func() + data = '''%sstatic void test_func() { } ''' % dependencies_str @@ -1039,7 +1039,7 @@ void print_hello_world() :return: """ func_mock1.return_value = [] - in_func_code = '''void test_func() + in_func_code = '''static void test_func() { } ''' @@ -1050,7 +1050,7 @@ void print_hello_world() in_func_code, func_dispatch dependencies_str = '/* BEGIN_CASE ' \ 'depends_on:MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_FS_IO */\n' - data = '''%svoid test_func() + data = '''%sstatic void test_func() { } ''' % dependencies_str @@ -1127,13 +1127,13 @@ void func2() #if defined(MBEDTLS_ENTROPY_NV_SEED) #if defined(MBEDTLS_FS_IO) #line 13 "test_suite_ut.function" -void test_func1(void) +static void test_func1(void) { exit: ; } -void test_func1_wrapper( void ** params ) +static void test_func1_wrapper( void ** params ) { (void)params; @@ -1144,13 +1144,13 @@ void test_func1_wrapper( void ** params ) #if defined(MBEDTLS_ENTROPY_NV_SEED) #if defined(MBEDTLS_FS_IO) #line 19 "test_suite_ut.function" -void test_func2(void) +static void test_func2(void) { exit: ; } -void test_func2_wrapper( void ** params ) +static void test_func2_wrapper( void ** params ) { (void)params; diff --git a/yass/third_party/mbedtls/include/mbedtls/bignum.h b/yass/third_party/mbedtls/include/mbedtls/bignum.h index 71d7b97672..8367cd34e6 100644 --- a/yass/third_party/mbedtls/include/mbedtls/bignum.h +++ b/yass/third_party/mbedtls/include/mbedtls/bignum.h @@ -880,7 +880,7 @@ int mbedtls_mpi_mod_int(mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_sint b); /** - * \brief Perform a sliding-window exponentiation: X = A^E mod N + * \brief Perform a modular exponentiation: X = A^E mod N * * \param X The destination MPI. This must point to an initialized MPI. * This must not alias E or N. diff --git a/yass/third_party/mbedtls/include/mbedtls/build_info.h b/yass/third_party/mbedtls/include/mbedtls/build_info.h index eab167f383..8242ec6828 100644 --- a/yass/third_party/mbedtls/include/mbedtls/build_info.h +++ b/yass/third_party/mbedtls/include/mbedtls/build_info.h @@ -26,16 +26,16 @@ */ #define MBEDTLS_VERSION_MAJOR 3 #define MBEDTLS_VERSION_MINOR 6 -#define MBEDTLS_VERSION_PATCH 0 +#define MBEDTLS_VERSION_PATCH 1 /** * The single version number has the following structure: * MMNNPP00 * Major version | Minor version | Patch version */ -#define MBEDTLS_VERSION_NUMBER 0x03060000 -#define MBEDTLS_VERSION_STRING "3.6.0" -#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.6.0" +#define MBEDTLS_VERSION_NUMBER 0x03060100 +#define MBEDTLS_VERSION_STRING "3.6.1" +#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.6.1" /* Macros for build-time platform detection */ @@ -101,6 +101,13 @@ #define inline __inline #endif +#if defined(MBEDTLS_CONFIG_FILES_READ) +#error "Something went wrong: MBEDTLS_CONFIG_FILES_READ defined before reading the config files!" +#endif +#if defined(MBEDTLS_CONFIG_IS_FINALIZED) +#error "Something went wrong: MBEDTLS_CONFIG_IS_FINALIZED defined before reading the config files!" +#endif + /* X.509, TLS and non-PSA crypto configuration */ #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/mbedtls_config.h" @@ -135,6 +142,12 @@ #endif #endif /* defined(MBEDTLS_PSA_CRYPTO_CONFIG) */ +/* Indicate that all configuration files have been read. + * It is now time to adjust the configuration (follow through on dependencies, + * make PSA and legacy crypto consistent, etc.). + */ +#define MBEDTLS_CONFIG_FILES_READ + /* Auto-enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY if * MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH and MBEDTLS_CTR_DRBG_C defined * to ensure a 128-bit key size in CTR_DRBG. @@ -169,8 +182,13 @@ #include "mbedtls/config_adjust_ssl.h" -/* Make sure all configuration symbols are set before including check_config.h, - * even the ones that are calculated programmatically. */ +/* Indicate that all configuration symbols are set, + * even the ones that are calculated programmatically. + * It is now safe to query the configuration (to check it, to size buffers, + * etc.). + */ +#define MBEDTLS_CONFIG_IS_FINALIZED + #include "mbedtls/check_config.h" #endif /* MBEDTLS_BUILD_INFO_H */ diff --git a/yass/third_party/mbedtls/include/mbedtls/check_config.h b/yass/third_party/mbedtls/include/mbedtls/check_config.h index b3c038dd2e..67a05f83b8 100644 --- a/yass/third_party/mbedtls/include/mbedtls/check_config.h +++ b/yass/third_party/mbedtls/include/mbedtls/check_config.h @@ -2,6 +2,13 @@ * \file check_config.h * * \brief Consistency checks for configuration options + * + * This is an internal header. Do not include it directly. + * + * This header is included automatically by all public Mbed TLS headers + * (via mbedtls/build_info.h). Do not include it directly in a configuration + * file such as mbedtls/mbedtls_config.h or #MBEDTLS_USER_CONFIG_FILE! + * It would run at the wrong time due to missing derived symbols. */ /* * Copyright The Mbed TLS Contributors @@ -12,6 +19,13 @@ #define MBEDTLS_CHECK_CONFIG_H /* *INDENT-OFF* */ + +#if !defined(MBEDTLS_CONFIG_IS_FINALIZED) +#warning "Do not include mbedtls/check_config.h manually! " \ + "This may cause spurious errors. " \ + "It is included automatically at the right point since Mbed TLS 3.0." +#endif /* !MBEDTLS_CONFIG_IS_FINALIZED */ + /* * We assume CHAR_BIT is 8 in many places. In practice, this is true on our * target platforms, so not an issue, but let's just be extra sure. diff --git a/yass/third_party/mbedtls/include/mbedtls/config_adjust_legacy_crypto.h b/yass/third_party/mbedtls/include/mbedtls/config_adjust_legacy_crypto.h index 9b06041228..3ba987ebb2 100644 --- a/yass/third_party/mbedtls/include/mbedtls/config_adjust_legacy_crypto.h +++ b/yass/third_party/mbedtls/include/mbedtls/config_adjust_legacy_crypto.h @@ -2,7 +2,9 @@ * \file mbedtls/config_adjust_legacy_crypto.h * \brief Adjust legacy configuration configuration * - * Automatically enable certain dependencies. Generally, MBEDLTS_xxx + * This is an internal header. Do not include it directly. + * + * Automatically enable certain dependencies. Generally, MBEDTLS_xxx * configurations need to be explicitly enabled by the user: enabling * MBEDTLS_xxx_A but not MBEDTLS_xxx_B when A requires B results in a * compilation error. However, we do automatically enable certain options @@ -22,6 +24,14 @@ #ifndef MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H #define MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H +#if !defined(MBEDTLS_CONFIG_FILES_READ) +#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \ + "up to and including runtime errors such as buffer overflows. " \ + "If you're trying to fix a complaint from check_config.h, just remove " \ + "it from your configuration file: since Mbed TLS 3.0, it is included " \ + "automatically at the right point." +#endif /* */ + /* Ideally, we'd set those as defaults in mbedtls_config.h, but * putting an #ifdef _WIN32 in mbedtls_config.h would confuse config.py. * @@ -48,7 +58,8 @@ defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG)) + defined(MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)) #define MBEDTLS_CIPHER_C #endif @@ -293,6 +304,14 @@ #define MBEDTLS_ECP_LIGHT #endif +/* Backward compatibility: after #8740 the RSA module offers functions to parse + * and write RSA private/public keys without relying on the PK one. Of course + * this needs ASN1 support to do so, so we enable it here. */ +#if defined(MBEDTLS_RSA_C) +#define MBEDTLS_ASN1_PARSE_C +#define MBEDTLS_ASN1_WRITE_C +#endif + /* MBEDTLS_PK_PARSE_EC_COMPRESSED is introduced in Mbed TLS version 3.5, while * in previous version compressed points were automatically supported as long * as PK_PARSE_C and ECP_C were enabled. As a consequence, for backward @@ -409,12 +428,12 @@ /* psa_util file features some ECDSA conversion functions, to convert between * legacy's ASN.1 DER format and PSA's raw one. */ -#if defined(MBEDTLS_ECDSA_C) || (defined(MBEDTLS_PSA_CRYPTO_C) && \ +#if (defined(MBEDTLS_PSA_CRYPTO_CLIENT) && \ (defined(PSA_WANT_ALG_ECDSA) || defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA))) #define MBEDTLS_PSA_UTIL_HAVE_ECDSA #endif -/* Some internal helpers to determine which keys are availble. */ +/* Some internal helpers to determine which keys are available. */ #if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_AES_C)) || \ (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_AES)) #define MBEDTLS_SSL_HAVE_AES @@ -428,7 +447,7 @@ #define MBEDTLS_SSL_HAVE_CAMELLIA #endif -/* Some internal helpers to determine which operation modes are availble. */ +/* Some internal helpers to determine which operation modes are available. */ #if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CIPHER_MODE_CBC)) || \ (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CBC_NO_PADDING)) #define MBEDTLS_SSL_HAVE_CBC diff --git a/yass/third_party/mbedtls/include/mbedtls/config_adjust_legacy_from_psa.h b/yass/third_party/mbedtls/include/mbedtls/config_adjust_legacy_from_psa.h index 0091e246b2..04bdae61bb 100644 --- a/yass/third_party/mbedtls/include/mbedtls/config_adjust_legacy_from_psa.h +++ b/yass/third_party/mbedtls/include/mbedtls/config_adjust_legacy_from_psa.h @@ -2,6 +2,8 @@ * \file mbedtls/config_adjust_legacy_from_psa.h * \brief Adjust PSA configuration: activate legacy implementations * + * This is an internal header. Do not include it directly. + * * When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, activate legacy implementations * of cryptographic mechanisms as needed to fulfill the needs of the PSA * configuration. Generally speaking, we activate a legacy mechanism if @@ -16,6 +18,14 @@ #ifndef MBEDTLS_CONFIG_ADJUST_LEGACY_FROM_PSA_H #define MBEDTLS_CONFIG_ADJUST_LEGACY_FROM_PSA_H +#if !defined(MBEDTLS_CONFIG_FILES_READ) +#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \ + "up to and including runtime errors such as buffer overflows. " \ + "If you're trying to fix a complaint from check_config.h, just remove " \ + "it from your configuration file: since Mbed TLS 3.0, it is included " \ + "automatically at the right point." +#endif /* */ + /* Define appropriate ACCEL macros for the p256-m driver. * In the future, those should be generated from the drivers JSON description. */ @@ -498,7 +508,6 @@ * The PSA implementation has its own implementation of HKDF, separate from * hkdf.c. No need to enable MBEDTLS_HKDF_C here. */ -#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 #define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1 #endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF */ #endif /* PSA_WANT_ALG_HKDF */ @@ -509,7 +518,6 @@ * The PSA implementation has its own implementation of HKDF, separate from * hkdf.c. No need to enable MBEDTLS_HKDF_C here. */ -#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 #define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT 1 #endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT */ #endif /* PSA_WANT_ALG_HKDF_EXTRACT */ @@ -520,7 +528,6 @@ * The PSA implementation has its own implementation of HKDF, separate from * hkdf.c. No need to enable MBEDTLS_HKDF_C here. */ -#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 #define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND 1 #endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF_EXPAND */ #endif /* PSA_WANT_ALG_HKDF_EXPAND */ @@ -630,9 +637,6 @@ #if !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_HMAC) #define MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC 1 #define PSA_HAVE_SOFT_PBKDF2_HMAC 1 -#if !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC) -#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 -#endif /* !MBEDTLS_PSA_ACCEL_ALG_HMAC */ #endif /* !MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */ #endif /* PSA_WANT_ALG_PBKDF2_HMAC */ diff --git a/yass/third_party/mbedtls/include/mbedtls/config_adjust_psa_from_legacy.h b/yass/third_party/mbedtls/include/mbedtls/config_adjust_psa_from_legacy.h index 3456615943..14ca14696f 100644 --- a/yass/third_party/mbedtls/include/mbedtls/config_adjust_psa_from_legacy.h +++ b/yass/third_party/mbedtls/include/mbedtls/config_adjust_psa_from_legacy.h @@ -2,6 +2,8 @@ * \file mbedtls/config_adjust_psa_from_legacy.h * \brief Adjust PSA configuration: construct PSA configuration from legacy * + * This is an internal header. Do not include it directly. + * * When MBEDTLS_PSA_CRYPTO_CONFIG is disabled, we automatically enable * cryptographic mechanisms through the PSA interface when the corresponding * legacy mechanism is enabled. In many cases, this just enables the PSA @@ -18,6 +20,14 @@ #ifndef MBEDTLS_CONFIG_ADJUST_PSA_FROM_LEGACY_H #define MBEDTLS_CONFIG_ADJUST_PSA_FROM_LEGACY_H +#if !defined(MBEDTLS_CONFIG_FILES_READ) +#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \ + "up to and including runtime errors such as buffer overflows. " \ + "If you're trying to fix a complaint from check_config.h, just remove " \ + "it from your configuration file: since Mbed TLS 3.0, it is included " \ + "automatically at the right point." +#endif /* */ + /* * Ensure PSA_WANT_* defines are setup properly if MBEDTLS_PSA_CRYPTO_CONFIG * is not defined diff --git a/yass/third_party/mbedtls/include/mbedtls/config_adjust_psa_superset_legacy.h b/yass/third_party/mbedtls/include/mbedtls/config_adjust_psa_superset_legacy.h index 3a55c3f6e1..ef65cce0d9 100644 --- a/yass/third_party/mbedtls/include/mbedtls/config_adjust_psa_superset_legacy.h +++ b/yass/third_party/mbedtls/include/mbedtls/config_adjust_psa_superset_legacy.h @@ -2,6 +2,8 @@ * \file mbedtls/config_adjust_psa_superset_legacy.h * \brief Adjust PSA configuration: automatic enablement from legacy * + * This is an internal header. Do not include it directly. + * * To simplify some edge cases, we automatically enable certain cryptographic * mechanisms in the PSA API if they are enabled in the legacy API. The general * idea is that if legacy module M uses mechanism A internally, and A has @@ -17,6 +19,14 @@ #ifndef MBEDTLS_CONFIG_ADJUST_PSA_SUPERSET_LEGACY_H #define MBEDTLS_CONFIG_ADJUST_PSA_SUPERSET_LEGACY_H +#if !defined(MBEDTLS_CONFIG_FILES_READ) +#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \ + "up to and including runtime errors such as buffer overflows. " \ + "If you're trying to fix a complaint from check_config.h, just remove " \ + "it from your configuration file: since Mbed TLS 3.0, it is included " \ + "automatically at the right point." +#endif /* */ + /****************************************************************/ /* Hashes that are built in are also enabled in PSA. * This simplifies dependency declarations especially diff --git a/yass/third_party/mbedtls/include/mbedtls/config_adjust_ssl.h b/yass/third_party/mbedtls/include/mbedtls/config_adjust_ssl.h index 39c7b3b117..1f82d9c006 100644 --- a/yass/third_party/mbedtls/include/mbedtls/config_adjust_ssl.h +++ b/yass/third_party/mbedtls/include/mbedtls/config_adjust_ssl.h @@ -2,7 +2,9 @@ * \file mbedtls/config_adjust_ssl.h * \brief Adjust TLS configuration * - * Automatically enable certain dependencies. Generally, MBEDLTS_xxx + * This is an internal header. Do not include it directly. + * + * Automatically enable certain dependencies. Generally, MBEDTLS_xxx * configurations need to be explicitly enabled by the user: enabling * MBEDTLS_xxx_A but not MBEDTLS_xxx_B when A requires B results in a * compilation error. However, we do automatically enable certain options @@ -22,6 +24,14 @@ #ifndef MBEDTLS_CONFIG_ADJUST_SSL_H #define MBEDTLS_CONFIG_ADJUST_SSL_H +#if !defined(MBEDTLS_CONFIG_FILES_READ) +#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \ + "up to and including runtime errors such as buffer overflows. " \ + "If you're trying to fix a complaint from check_config.h, just remove " \ + "it from your configuration file: since Mbed TLS 3.0, it is included " \ + "automatically at the right point." +#endif /* */ + /* The following blocks make it easier to disable all of TLS, * or of TLS 1.2 or 1.3 or DTLS, without having to manually disable all * key exchanges, options and extensions related to them. */ diff --git a/yass/third_party/mbedtls/include/mbedtls/config_adjust_x509.h b/yass/third_party/mbedtls/include/mbedtls/config_adjust_x509.h index 346c8ae6d5..cfb2d88916 100644 --- a/yass/third_party/mbedtls/include/mbedtls/config_adjust_x509.h +++ b/yass/third_party/mbedtls/include/mbedtls/config_adjust_x509.h @@ -2,7 +2,9 @@ * \file mbedtls/config_adjust_x509.h * \brief Adjust X.509 configuration * - * Automatically enable certain dependencies. Generally, MBEDLTS_xxx + * This is an internal header. Do not include it directly. + * + * Automatically enable certain dependencies. Generally, MBEDTLS_xxx * configurations need to be explicitly enabled by the user: enabling * MBEDTLS_xxx_A but not MBEDTLS_xxx_B when A requires B results in a * compilation error. However, we do automatically enable certain options @@ -22,4 +24,12 @@ #ifndef MBEDTLS_CONFIG_ADJUST_X509_H #define MBEDTLS_CONFIG_ADJUST_X509_H +#if !defined(MBEDTLS_CONFIG_FILES_READ) +#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \ + "up to and including runtime errors such as buffer overflows. " \ + "If you're trying to fix a complaint from check_config.h, just remove " \ + "it from your configuration file: since Mbed TLS 3.0, it is included " \ + "automatically at the right point." +#endif /* */ + #endif /* MBEDTLS_CONFIG_ADJUST_X509_H */ diff --git a/yass/third_party/mbedtls/include/mbedtls/config_psa.h b/yass/third_party/mbedtls/include/mbedtls/config_psa.h index 17da61b3e8..5f3d0f3d5d 100644 --- a/yass/third_party/mbedtls/include/mbedtls/config_psa.h +++ b/yass/third_party/mbedtls/include/mbedtls/config_psa.h @@ -22,6 +22,8 @@ #include "psa/crypto_adjust_config_synonyms.h" +#include "psa/crypto_adjust_config_dependencies.h" + #include "mbedtls/config_adjust_psa_superset_legacy.h" #if defined(MBEDTLS_PSA_CRYPTO_CONFIG) @@ -32,7 +34,11 @@ * before we deduce what built-ins are required. */ #include "psa/crypto_adjust_config_key_pair_types.h" +#if defined(MBEDTLS_PSA_CRYPTO_C) +/* If we are implementing PSA crypto ourselves, then we want to enable the + * required built-ins. Otherwise, PSA features will be provided by the server. */ #include "mbedtls/config_adjust_legacy_from_psa.h" +#endif #else /* MBEDTLS_PSA_CRYPTO_CONFIG */ diff --git a/yass/third_party/mbedtls/include/mbedtls/ctr_drbg.h b/yass/third_party/mbedtls/include/mbedtls/ctr_drbg.h index c00756df1b..0b7cce1923 100644 --- a/yass/third_party/mbedtls/include/mbedtls/ctr_drbg.h +++ b/yass/third_party/mbedtls/include/mbedtls/ctr_drbg.h @@ -32,12 +32,27 @@ #include "mbedtls/build_info.h" -/* In case AES_C is defined then it is the primary option for backward - * compatibility purposes. If that's not available, PSA is used instead */ -#if defined(MBEDTLS_AES_C) -#include "mbedtls/aes.h" -#else +/* The CTR_DRBG implementation can either directly call the low-level AES + * module (gated by MBEDTLS_AES_C) or call the PSA API to perform AES + * operations. Calling the AES module directly is the default, both for + * maximum backward compatibility and because it's a bit more efficient + * (less glue code). + * + * When MBEDTLS_AES_C is disabled, the CTR_DRBG module calls PSA crypto and + * thus benefits from the PSA AES accelerator driver. + * It is technically possible to enable MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO + * to use PSA even when MBEDTLS_AES_C is enabled, but there is very little + * reason to do so other than testing purposes and this is not officially + * supported. + */ +#if !defined(MBEDTLS_AES_C) +#define MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO +#endif + +#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO) #include "psa/crypto.h" +#else +#include "mbedtls/aes.h" #endif #include "entropy.h" @@ -157,7 +172,7 @@ extern "C" { #define MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN (MBEDTLS_CTR_DRBG_ENTROPY_LEN + 1) / 2 #endif -#if !defined(MBEDTLS_AES_C) +#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO) typedef struct mbedtls_ctr_drbg_psa_context { mbedtls_svc_key_id_t key_id; psa_cipher_operation_t operation; @@ -189,10 +204,10 @@ typedef struct mbedtls_ctr_drbg_context { * This is the maximum number of requests * that can be made between reseedings. */ -#if defined(MBEDTLS_AES_C) - mbedtls_aes_context MBEDTLS_PRIVATE(aes_ctx); /*!< The AES context. */ -#else +#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO) mbedtls_ctr_drbg_psa_context MBEDTLS_PRIVATE(psa_ctx); /*!< The PSA context. */ +#else + mbedtls_aes_context MBEDTLS_PRIVATE(aes_ctx); /*!< The AES context. */ #endif /* diff --git a/yass/third_party/mbedtls/include/mbedtls/ecdh.h b/yass/third_party/mbedtls/include/mbedtls/ecdh.h index a0909d6b44..a6a5069337 100644 --- a/yass/third_party/mbedtls/include/mbedtls/ecdh.h +++ b/yass/third_party/mbedtls/include/mbedtls/ecdh.h @@ -325,7 +325,7 @@ int mbedtls_ecdh_read_params(mbedtls_ecdh_context *ctx, * \brief This function sets up an ECDH context from an EC key. * * It is used by clients and servers in place of the - * ServerKeyEchange for static ECDH, and imports ECDH + * ServerKeyExchange for static ECDH, and imports ECDH * parameters from the EC key information of a certificate. * * \see ecp.h diff --git a/yass/third_party/mbedtls/include/mbedtls/ecp.h b/yass/third_party/mbedtls/include/mbedtls/ecp.h index d8f73ae965..623910bcbd 100644 --- a/yass/third_party/mbedtls/include/mbedtls/ecp.h +++ b/yass/third_party/mbedtls/include/mbedtls/ecp.h @@ -216,7 +216,7 @@ mbedtls_ecp_point; * range of 0..2^(2*pbits)-1, and transforms it in-place to an integer * which is congruent mod \p P to the given MPI, and is close enough to \p pbits * in size, so that it may be efficiently brought in the 0..P-1 range by a few - * additions or subtractions. Therefore, it is only an approximative modular + * additions or subtractions. Therefore, it is only an approximate modular * reduction. It must return 0 on success and non-zero on failure. * * \note Alternative implementations of the ECP module must obey the diff --git a/yass/third_party/mbedtls/include/mbedtls/mbedtls_config.h b/yass/third_party/mbedtls/include/mbedtls/mbedtls_config.h index 35921412c6..bd3f71d5bc 100644 --- a/yass/third_party/mbedtls/include/mbedtls/mbedtls_config.h +++ b/yass/third_party/mbedtls/include/mbedtls/mbedtls_config.h @@ -1118,7 +1118,7 @@ * MBEDTLS_ECP_DP_SECP256R1_ENABLED * * \warning If SHA-256 is provided only by a PSA driver, you must call - * psa_crypto_init() before the first hanshake (even if + * psa_crypto_init() before the first handshake (even if * MBEDTLS_USE_PSA_CRYPTO is disabled). * * This enables the following ciphersuites (if other requisites are @@ -1414,6 +1414,23 @@ */ //#define MBEDTLS_PSA_CRYPTO_SPM +/** + * \def MBEDTLS_PSA_KEY_STORE_DYNAMIC + * + * Dynamically resize the PSA key store to accommodate any number of + * volatile keys (until the heap memory is exhausted). + * + * If this option is disabled, the key store has a fixed size + * #MBEDTLS_PSA_KEY_SLOT_COUNT for volatile keys and loaded persistent keys + * together. + * + * This option has no effect when #MBEDTLS_PSA_CRYPTO_C is disabled. + * + * Module: library/psa_crypto.c + * Requires: MBEDTLS_PSA_CRYPTO_C + */ +#define MBEDTLS_PSA_KEY_STORE_DYNAMIC + /** * Uncomment to enable p256-m. This is an alternative implementation of * key generation, ECDH and (randomized) ECDSA on the curve SECP256R1. @@ -1781,8 +1798,9 @@ * Requires: MBEDTLS_PSA_CRYPTO_C * * \note TLS 1.3 uses PSA crypto for cryptographic operations that are - * directly performed by TLS 1.3 code. As a consequence, you must - * call psa_crypto_init() before the first TLS 1.3 handshake. + * directly performed by TLS 1.3 code. As a consequence, when TLS 1.3 + * is enabled, a TLS handshake may call psa_crypto_init(), even + * if it ends up negotiating a different TLS version. * * \note Cryptographic operations performed indirectly via another module * (X.509, PK) or by code shared with TLS 1.2 (record protection, @@ -2625,7 +2643,7 @@ * The CTR_DRBG generator uses AES-256 by default. * To use AES-128 instead, enable \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY above. * - * AES support can either be achived through builtin (MBEDTLS_AES_C) or PSA. + * AES support can either be achieved through builtin (MBEDTLS_AES_C) or PSA. * Builtin is the default option when MBEDTLS_AES_C is defined otherwise PSA * is used. * @@ -4016,22 +4034,38 @@ * Use HMAC_DRBG with the specified hash algorithm for HMAC_DRBG for the * PSA crypto subsystem. * - * If this option is unset: - * - If CTR_DRBG is available, the PSA subsystem uses it rather than HMAC_DRBG. - * - Otherwise, the PSA subsystem uses HMAC_DRBG with either - * #MBEDTLS_MD_SHA512 or #MBEDTLS_MD_SHA256 based on availability and - * on unspecified heuristics. + * If this option is unset, the library chooses a hash (currently between + * #MBEDTLS_MD_SHA512 and #MBEDTLS_MD_SHA256) based on availability and + * unspecified heuristics. + * + * \note The PSA crypto subsystem uses the first available mechanism amongst + * the following: + * - #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG if enabled; + * - Entropy from #MBEDTLS_ENTROPY_C plus CTR_DRBG with AES + * if #MBEDTLS_CTR_DRBG_C is enabled; + * - Entropy from #MBEDTLS_ENTROPY_C plus HMAC_DRBG. + * + * A future version may reevaluate the prioritization of DRBG mechanisms. */ //#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256 /** \def MBEDTLS_PSA_KEY_SLOT_COUNT - * Restrict the PSA library to supporting a maximum amount of simultaneously - * loaded keys. A loaded key is a key stored by the PSA Crypto core as a - * volatile key, or a persistent key which is loaded temporarily by the - * library as part of a crypto operation in flight. * - * If this option is unset, the library will fall back to a default value of - * 32 keys. + * When #MBEDTLS_PSA_KEY_STORE_DYNAMIC is disabled, + * the maximum amount of PSA keys simultaneously in memory. This counts all + * volatile keys, plus loaded persistent keys. + * + * When #MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled, + * the maximum number of loaded persistent keys. + * + * Currently, persistent keys do not need to be loaded all the time while + * a multipart operation is in progress, only while the operation is being + * set up. This may change in future versions of the library. + * + * Currently, the library traverses of the whole table on each access to a + * persistent key. Therefore large values may cause poor performance. + * + * This option has no effect when #MBEDTLS_PSA_CRYPTO_C is disabled. */ //#define MBEDTLS_PSA_KEY_SLOT_COUNT 32 diff --git a/yass/third_party/mbedtls/include/mbedtls/pk.h b/yass/third_party/mbedtls/include/mbedtls/pk.h index fde302f872..52f4cc6c9e 100644 --- a/yass/third_party/mbedtls/include/mbedtls/pk.h +++ b/yass/third_party/mbedtls/include/mbedtls/pk.h @@ -359,32 +359,40 @@ int mbedtls_pk_setup(mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info); #if defined(MBEDTLS_USE_PSA_CRYPTO) /** - * \brief Initialize a PK context to wrap a PSA key. + * \brief Initialize a PK context to wrap a PSA key. * - * \note This function replaces mbedtls_pk_setup() for contexts - * that wrap a (possibly opaque) PSA key instead of - * storing and manipulating the key material directly. + * This function creates a PK context which wraps a PSA key. The PSA wrapped + * key must be an EC or RSA key pair (DH is not suported in the PK module). * - * \param ctx The context to initialize. It must be empty (type NONE). - * \param key The PSA key to wrap, which must hold an ECC or RSA key - * pair (see notes below). + * Under the hood PSA functions will be used to perform the required + * operations and, based on the key type, used algorithms will be: + * * EC: + * * verify, verify_ext, sign, sign_ext: ECDSA. + * * RSA: + * * sign, decrypt: use the primary algorithm in the wrapped PSA key; + * * sign_ext: RSA PSS if the pk_type is #MBEDTLS_PK_RSASSA_PSS, otherwise + * it falls back to the sign() case; + * * verify, verify_ext, encrypt: not supported. * - * \note The wrapped key must remain valid as long as the - * wrapping PK context is in use, that is at least between - * the point this function is called and the point - * mbedtls_pk_free() is called on this context. The wrapped - * key might then be independently used or destroyed. + * In order for the above operations to succeed, the policy of the wrapped PSA + * key must allow the specified algorithm. * - * \note This function is currently only available for ECC or RSA - * key pairs (that is, keys containing private key material). - * Support for other key types may be added later. + * Opaque PK contexts wrapping an EC keys also support \c mbedtls_pk_check_pair(), + * whereas RSA ones do not. * - * \return \c 0 on success. - * \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input - * (context already used, invalid key identifier). - * \return #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the key is not an - * ECC key pair. - * \return #MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure. + * \warning The PSA wrapped key must remain valid as long as the wrapping PK + * context is in use, that is at least between the point this function + * is called and the point mbedtls_pk_free() is called on this context. + * + * \param ctx The context to initialize. It must be empty (type NONE). + * \param key The PSA key to wrap, which must hold an ECC or RSA key pair. + * + * \return \c 0 on success. + * \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input (context already + * used, invalid key identifier). + * \return #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the key is not an ECC or + * RSA key pair. + * \return #MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure. */ int mbedtls_pk_setup_opaque(mbedtls_pk_context *ctx, const mbedtls_svc_key_id_t key); diff --git a/yass/third_party/mbedtls/include/mbedtls/ssl.h b/yass/third_party/mbedtls/include/mbedtls/ssl.h index 172d4693b2..42fffbf860 100644 --- a/yass/third_party/mbedtls/include/mbedtls/ssl.h +++ b/yass/third_party/mbedtls/include/mbedtls/ssl.h @@ -83,10 +83,7 @@ /** Processing of the Certificate handshake message failed. */ #define MBEDTLS_ERR_SSL_BAD_CERTIFICATE -0x7A00 /* Error space gap */ -/** - * Received NewSessionTicket Post Handshake Message. - * This error code is experimental and may be changed or removed without notice. - */ +/** A TLS 1.3 NewSessionTicket message has been received. */ #define MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET -0x7B00 /** Not possible to read early data */ #define MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA -0x7B80 @@ -324,6 +321,9 @@ #define MBEDTLS_SSL_SESSION_TICKETS_DISABLED 0 #define MBEDTLS_SSL_SESSION_TICKETS_ENABLED 1 +#define MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED 0 +#define MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED 1 + #define MBEDTLS_SSL_PRESET_DEFAULT 0 #define MBEDTLS_SSL_PRESET_SUITEB 2 @@ -1446,6 +1446,12 @@ struct mbedtls_ssl_config { #endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \ defined(MBEDTLS_SSL_CLI_C) + /** Encodes two booleans, one stating whether TLS 1.2 session tickets are + * enabled or not, the other one whether the handling of TLS 1.3 + * NewSessionTicket messages is enabled or not. They are respectively set + * by mbedtls_ssl_conf_session_tickets() and + * mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(). + */ uint8_t MBEDTLS_PRIVATE(session_tickets); /*!< use session tickets? */ #endif @@ -2364,7 +2370,7 @@ int mbedtls_ssl_set_cid(mbedtls_ssl_context *ssl, */ int mbedtls_ssl_get_own_cid(mbedtls_ssl_context *ssl, int *enabled, - unsigned char own_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX], + unsigned char own_cid[MBEDTLS_SSL_CID_IN_LEN_MAX], size_t *own_cid_len); /** @@ -3216,16 +3222,16 @@ void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf, * a full handshake. * * \note This function can handle a variety of mechanisms for session - * resumption: For TLS 1.2, both session ID-based resumption and - * ticket-based resumption will be considered. For TLS 1.3, - * once implemented, sessions equate to tickets, and loading - * one or more sessions via this call will lead to their - * corresponding tickets being advertised as resumption PSKs - * by the client. - * - * \note Calling this function multiple times will only be useful - * once TLS 1.3 is supported. For TLS 1.2 connections, this - * function should be called at most once. + * resumption: For TLS 1.2, both session ID-based resumption + * and ticket-based resumption will be considered. For TLS 1.3, + * sessions equate to tickets, and loading one session by + * calling this function will lead to its corresponding ticket + * being advertised as resumption PSK by the client. This + * depends on session tickets being enabled (see + * #MBEDTLS_SSL_SESSION_TICKETS configuration option) though. + * If session tickets are disabled, a call to this function + * with a TLS 1.3 session, will not have any effect on the next + * handshake for the SSL context \p ssl. * * \param ssl The SSL context representing the connection which should * be attempted to be setup using session resumption. This @@ -3240,9 +3246,10 @@ void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf, * * \return \c 0 if successful. * \return \c MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if the session - * could not be loaded because of an implementation limitation. - * This error is non-fatal, and has no observable effect on - * the SSL context or the session that was attempted to be loaded. + * could not be loaded because one session has already been + * loaded. This error is non-fatal, and has no observable + * effect on the SSL context or the session that was attempted + * to be loaded. * \return Another negative error code on other kinds of failure. * * \sa mbedtls_ssl_get_session() @@ -3309,8 +3316,16 @@ int mbedtls_ssl_session_load(mbedtls_ssl_session *session, * to determine the necessary size by calling this function * with \p buf set to \c NULL and \p buf_len to \c 0. * + * \note For TLS 1.3 sessions, this feature is supported only if the + * MBEDTLS_SSL_SESSION_TICKETS configuration option is enabled, + * as in TLS 1.3 session resumption is possible only with + * tickets. + * * \return \c 0 if successful. * \return #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if \p buf is too small. + * \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if the + * MBEDTLS_SSL_SESSION_TICKETS configuration option is disabled + * and the session is a TLS 1.3 session. */ int mbedtls_ssl_session_save(const mbedtls_ssl_session *session, unsigned char *buf, @@ -4456,21 +4471,50 @@ int mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config *conf, unsigned char mfl_co void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order); #endif /* MBEDTLS_SSL_SRV_C */ -#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \ - defined(MBEDTLS_SSL_CLI_C) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) /** - * \brief Enable / Disable session tickets (client only). - * (Default: MBEDTLS_SSL_SESSION_TICKETS_ENABLED.) + * \brief Enable / Disable TLS 1.2 session tickets (client only, + * TLS 1.2 only). Enabled by default. * * \note On server, use \c mbedtls_ssl_conf_session_tickets_cb(). * * \param conf SSL configuration - * \param use_tickets Enable or disable (MBEDTLS_SSL_SESSION_TICKETS_ENABLED or - * MBEDTLS_SSL_SESSION_TICKETS_DISABLED) + * \param use_tickets Enable or disable (#MBEDTLS_SSL_SESSION_TICKETS_ENABLED or + * #MBEDTLS_SSL_SESSION_TICKETS_DISABLED) */ void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets); -#endif /* MBEDTLS_SSL_SESSION_TICKETS && - MBEDTLS_SSL_CLI_C */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) +/** + * \brief Enable / Disable handling of TLS 1.3 NewSessionTicket messages + * (client only, TLS 1.3 only). + * + * The handling of TLS 1.3 NewSessionTicket messages is disabled by + * default. + * + * In TLS 1.3, servers may send a NewSessionTicket message at any time, + * and may send multiple NewSessionTicket messages. By default, TLS 1.3 + * clients ignore NewSessionTicket messages. + * + * To support session tickets in TLS 1.3 clients, call this function + * with #MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED. When + * this is enabled, when a client receives a NewSessionTicket message, + * the next call to a message processing functions (notably + * mbedtls_ssl_handshake() and mbedtls_ssl_read()) will return + * #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET. The client should then + * call mbedtls_ssl_get_session() to retrieve the session ticket before + * calling the same message processing function again. + * + * \param conf SSL configuration + * \param signal_new_session_tickets Enable or disable + * (#MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED or + * #MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED) + */ +void mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets( + mbedtls_ssl_config *conf, int signal_new_session_tickets); + +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ +#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \ defined(MBEDTLS_SSL_SRV_C) && \ @@ -4837,23 +4881,16 @@ const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context *ssl * \note This function can handle a variety of mechanisms for session * resumption: For TLS 1.2, both session ID-based resumption and * ticket-based resumption will be considered. For TLS 1.3, - * once implemented, sessions equate to tickets, and calling - * this function multiple times will export the available - * tickets one a time until no further tickets are available, - * in which case MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE will - * be returned. - * - * \note Calling this function multiple times will only be useful - * once TLS 1.3 is supported. For TLS 1.2 connections, this - * function should be called at most once. + * sessions equate to tickets, and if session tickets are + * enabled (see #MBEDTLS_SSL_SESSION_TICKETS configuration + * option), this function exports the last received ticket and + * the exported session may be used to resume the TLS 1.3 + * session. If session tickets are disabled, exported sessions + * cannot be used to resume a TLS 1.3 session. * * \return \c 0 if successful. In this case, \p session can be used for * session resumption by passing it to mbedtls_ssl_set_session(), * and serialized for storage via mbedtls_ssl_session_save(). - * \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if no further session - * is available for export. - * This error is a non-fatal, and has no observable effect on - * the SSL context or the destination session. * \return Another negative error code on other kinds of failure. * * \sa mbedtls_ssl_set_session() @@ -4885,6 +4922,10 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, * \return #MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED if DTLS is in use * and the client did not demonstrate reachability yet - in * this case you must stop using the context (see below). + * \return #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET if a TLS 1.3 + * NewSessionTicket message has been received. See the + * documentation of mbedtls_ssl_read() for more information + * about this error code. * \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as * defined in RFC 8446 (TLS 1.3 specification), has been * received as part of the handshake. This is server specific @@ -4901,6 +4942,7 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, * #MBEDTLS_ERR_SSL_WANT_WRITE, * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or + * #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, * you must stop using the SSL context for reading or writing, * and either free it or call \c mbedtls_ssl_session_reset() @@ -4921,10 +4963,13 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, * currently being processed might or might not contain further * DTLS records. * - * \note If the context is configured to allow TLS 1.3, or if - * #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto + * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto * subsystem must have been initialized by calling * psa_crypto_init() before calling this function. + * Otherwise, the handshake may call psa_crypto_init() + * if a negotiation involving TLS 1.3 takes place (this may + * be the case even if TLS 1.3 is offered but eventually + * not selected). */ int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl); @@ -4972,6 +5017,7 @@ static inline int mbedtls_ssl_is_handshake_over(mbedtls_ssl_context *ssl) * #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE, * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or + * #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, you must stop using * the SSL context for reading or writing, and either free it * or call \c mbedtls_ssl_session_reset() on it before @@ -5040,6 +5086,17 @@ int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl); * \return #MBEDTLS_ERR_SSL_CLIENT_RECONNECT if we're at the server * side of a DTLS connection and the client is initiating a * new connection using the same source port. See below. + * \return #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET if a TLS 1.3 + * NewSessionTicket message has been received. + * This error code is only returned on the client side. It is + * only returned if handling of TLS 1.3 NewSessionTicket + * messages has been enabled through + * mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(). + * This error code indicates that a TLS 1.3 NewSessionTicket + * message has been received and parsed successfully by the + * client. The ticket data can be retrieved from the SSL + * context by calling mbedtls_ssl_get_session(). It remains + * available until the next call to mbedtls_ssl_read(). * \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as * defined in RFC 8446 (TLS 1.3 specification), has been * received as part of the handshake. This is server specific @@ -5057,6 +5114,7 @@ int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl); * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, * #MBEDTLS_ERR_SSL_CLIENT_RECONNECT or + * #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, * you must stop using the SSL context for reading or writing, * and either free it or call \c mbedtls_ssl_session_reset() @@ -5122,6 +5180,10 @@ int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len); * operation is in progress (see mbedtls_ecp_set_max_ops()) - * in this case you must call this function again to complete * the handshake when you're done attending other tasks. + * \return #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET if a TLS 1.3 + * NewSessionTicket message has been received. See the + * documentation of mbedtls_ssl_read() for more information + * about this error code. * \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as * defined in RFC 8446 (TLS 1.3 specification), has been * received as part of the handshake. This is server specific @@ -5138,6 +5200,7 @@ int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len); * #MBEDTLS_ERR_SSL_WANT_WRITE, * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or + * #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or * #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, * you must stop using the SSL context for reading or writing, * and either free it or call \c mbedtls_ssl_session_reset() diff --git a/yass/third_party/mbedtls/include/psa/crypto.h b/yass/third_party/mbedtls/include/psa/crypto.h index 7083bd911b..2bbcea3ee0 100644 --- a/yass/third_party/mbedtls/include/psa/crypto.h +++ b/yass/third_party/mbedtls/include/psa/crypto.h @@ -119,8 +119,8 @@ static psa_key_attributes_t psa_key_attributes_init(void); * value in the structure. * The persistent key will be written to storage when the attribute * structure is passed to a key creation function such as - * psa_import_key(), psa_generate_key(), psa_generate_key_ext(), - * psa_key_derivation_output_key(), psa_key_derivation_output_key_ext() + * psa_import_key(), psa_generate_key(), psa_generate_key_custom(), + * psa_key_derivation_output_key(), psa_key_derivation_output_key_custom() * or psa_copy_key(). * * This function may be declared as `static` (i.e. without external @@ -129,6 +129,9 @@ static psa_key_attributes_t psa_key_attributes_init(void); * * \param[out] attributes The attribute structure to write to. * \param key The persistent identifier for the key. + * This can be any value in the range from + * #PSA_KEY_ID_USER_MIN to #PSA_KEY_ID_USER_MAX + * inclusive. */ static void psa_set_key_id(psa_key_attributes_t *attributes, mbedtls_svc_key_id_t key); @@ -164,8 +167,8 @@ static void mbedtls_set_key_owner_id(psa_key_attributes_t *attributes, * value in the structure. * The persistent key will be written to storage when the attribute * structure is passed to a key creation function such as - * psa_import_key(), psa_generate_key(), psa_generate_key_ext(), - * psa_key_derivation_output_key(), psa_key_derivation_output_key_ext() + * psa_import_key(), psa_generate_key(), psa_generate_key_custom(), + * psa_key_derivation_output_key(), psa_key_derivation_output_key_custom() * or psa_copy_key(). * * This function may be declared as `static` (i.e. without external @@ -871,7 +874,7 @@ psa_status_t psa_hash_compute(psa_algorithm_t alg, * such that #PSA_ALG_IS_HASH(\p alg) is true). * \param[in] input Buffer containing the message to hash. * \param input_length Size of the \p input buffer in bytes. - * \param[out] hash Buffer containing the expected hash value. + * \param[in] hash Buffer containing the expected hash value. * \param hash_length Size of the \p hash buffer in bytes. * * \retval #PSA_SUCCESS @@ -1224,7 +1227,7 @@ psa_status_t psa_mac_compute(mbedtls_svc_key_id_t key, * such that #PSA_ALG_IS_MAC(\p alg) is true). * \param[in] input Buffer containing the input message. * \param input_length Size of the \p input buffer in bytes. - * \param[out] mac Buffer containing the expected MAC value. + * \param[in] mac Buffer containing the expected MAC value. * \param mac_length Size of the \p mac buffer in bytes. * * \retval #PSA_SUCCESS @@ -2910,7 +2913,7 @@ psa_status_t psa_sign_message(mbedtls_svc_key_id_t key, * \p key. * \param[in] input The message whose signature is to be verified. * \param[in] input_length Size of the \p input buffer in bytes. - * \param[out] signature Buffer containing the signature to verify. + * \param[in] signature Buffer containing the signature to verify. * \param[in] signature_length Size of the \p signature buffer in bytes. * * \retval #PSA_SUCCESS \emptydescription @@ -3234,7 +3237,7 @@ static psa_key_derivation_operation_t psa_key_derivation_operation_init(void); * of or after providing inputs. For some algorithms, this step is mandatory * because the output depends on the maximum capacity. * -# To derive a key, call psa_key_derivation_output_key() or - * psa_key_derivation_output_key_ext(). + * psa_key_derivation_output_key_custom(). * To derive a byte string for a different purpose, call * psa_key_derivation_output_bytes(). * Successive calls to these functions use successive output bytes @@ -3457,7 +3460,7 @@ psa_status_t psa_key_derivation_input_integer( * \note Once all inputs steps are completed, the operations will allow: * - psa_key_derivation_output_bytes() if each input was either a direct input * or a key with #PSA_KEY_USAGE_DERIVE set; - * - psa_key_derivation_output_key() or psa_key_derivation_output_key_ext() + * - psa_key_derivation_output_key() or psa_key_derivation_output_key_custom() * if the input for step * #PSA_KEY_DERIVATION_INPUT_SECRET or #PSA_KEY_DERIVATION_INPUT_PASSWORD * was from a key slot with #PSA_KEY_USAGE_DERIVE and each other input was @@ -3707,9 +3710,9 @@ psa_status_t psa_key_derivation_output_bytes( * on the derived key based on the attributes and strength of the secret key. * * \note This function is equivalent to calling - * psa_key_derivation_output_key_ext() - * with the production parameters #PSA_KEY_PRODUCTION_PARAMETERS_INIT - * and `params_data_length == 0` (i.e. `params->data` is empty). + * psa_key_derivation_output_key_custom() + * with the custom production parameters #PSA_CUSTOM_KEY_PARAMETERS_INIT + * and `custom_data_length == 0` (i.e. `custom_data` is empty). * * \param[in] attributes The attributes for the new key. * If the key type to be created is @@ -3781,6 +3784,85 @@ psa_status_t psa_key_derivation_output_key( * the policy must be the same as in the current * operation. * \param[in,out] operation The key derivation operation object to read from. + * \param[in] custom Customization parameters for the key generation. + * When this is #PSA_CUSTOM_KEY_PARAMETERS_INIT + * with \p custom_data_length = 0, + * this function is equivalent to + * psa_key_derivation_output_key(). + * \param[in] custom_data Variable-length data associated with \c custom. + * \param custom_data_length + * Length of `custom_data` in bytes. + * \param[out] key On success, an identifier for the newly created + * key. For persistent keys, this is the key + * identifier defined in \p attributes. + * \c 0 on failure. + * + * \retval #PSA_SUCCESS + * Success. + * If the key is persistent, the key material and the key's metadata + * have been saved to persistent storage. + * \retval #PSA_ERROR_ALREADY_EXISTS + * This is an attempt to create a persistent key, and there is + * already a persistent key with the given identifier. + * \retval #PSA_ERROR_INSUFFICIENT_DATA + * There was not enough data to create the desired key. + * Note that in this case, no output is written to the output buffer. + * The operation's capacity is set to 0, thus subsequent calls to + * this function will not succeed, even with a smaller output buffer. + * \retval #PSA_ERROR_NOT_SUPPORTED + * The key type or key size is not supported, either by the + * implementation in general or in this particular location. + * \retval #PSA_ERROR_INVALID_ARGUMENT + * The provided key attributes are not valid for the operation. + * \retval #PSA_ERROR_NOT_PERMITTED + * The #PSA_KEY_DERIVATION_INPUT_SECRET or + * #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a + * key; or one of the inputs was a key whose policy didn't allow + * #PSA_KEY_USAGE_DERIVE. + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_BAD_STATE + * The operation state is not valid (it must be active and completed + * all required input steps), or the library has not been previously + * initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_key_derivation_output_key_custom( + const psa_key_attributes_t *attributes, + psa_key_derivation_operation_t *operation, + const psa_custom_key_parameters_t *custom, + const uint8_t *custom_data, + size_t custom_data_length, + mbedtls_svc_key_id_t *key); + +#ifndef __cplusplus +/* Omitted when compiling in C++, because one of the parameters is a + * pointer to a struct with a flexible array member, and that is not + * standard C++. + * https://github.com/Mbed-TLS/mbedtls/issues/9020 + */ +/** Derive a key from an ongoing key derivation operation with custom + * production parameters. + * + * \note + * This is a deprecated variant of psa_key_derivation_output_key_custom(). + * It is equivalent except that the associated variable-length data + * is passed in `params->data` instead of a separate parameter. + * This function will be removed in a future version of Mbed TLS. + * + * \param[in] attributes The attributes for the new key. + * If the key type to be created is + * #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in + * the policy must be the same as in the current + * operation. + * \param[in,out] operation The key derivation operation object to read from. * \param[in] params Customization parameters for the key derivation. * When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT * with \p params_data_length = 0, @@ -3840,6 +3922,7 @@ psa_status_t psa_key_derivation_output_key_ext( const psa_key_production_parameters_t *params, size_t params_data_length, mbedtls_svc_key_id_t *key); +#endif /* !__cplusplus */ /** Compare output data from a key derivation operation to an expected value. * @@ -3865,8 +3948,8 @@ psa_status_t psa_key_derivation_output_key_ext( * psa_key_derivation_abort(). * * \param[in,out] operation The key derivation operation object to read from. - * \param[in] expected_output Buffer containing the expected derivation output. - * \param output_length Length of the expected output; this is also the + * \param[in] expected Buffer containing the expected derivation output. + * \param expected_length Length of the expected output; this is also the * number of bytes that will be read. * * \retval #PSA_SUCCESS \emptydescription @@ -3896,8 +3979,8 @@ psa_status_t psa_key_derivation_output_key_ext( */ psa_status_t psa_key_derivation_verify_bytes( psa_key_derivation_operation_t *operation, - const uint8_t *expected_output, - size_t output_length); + const uint8_t *expected, + size_t expected_length); /** Compare output data from a key derivation operation to an expected value * stored in a key object. @@ -3927,7 +4010,7 @@ psa_status_t psa_key_derivation_verify_bytes( * operation. The value of this key was likely * computed by a previous call to * psa_key_derivation_output_key() or - * psa_key_derivation_output_key_ext(). + * psa_key_derivation_output_key_custom(). * * \retval #PSA_SUCCESS \emptydescription * \retval #PSA_ERROR_INVALID_SIGNATURE @@ -4095,9 +4178,9 @@ psa_status_t psa_generate_random(uint8_t *output, * between 2^{n-1} and 2^n where n is the bit size specified in the * attributes. * - * \note This function is equivalent to calling psa_generate_key_ext() - * with the production parameters #PSA_KEY_PRODUCTION_PARAMETERS_INIT - * and `params_data_length == 0` (i.e. `params->data` is empty). + * \note This function is equivalent to calling psa_generate_key_custom() + * with the custom production parameters #PSA_CUSTOM_KEY_PARAMETERS_INIT + * and `custom_data_length == 0` (i.e. `custom_data` is empty). * * \param[in] attributes The attributes for the new key. * \param[out] key On success, an identifier for the newly created @@ -4137,7 +4220,7 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, * See the description of psa_generate_key() for the operation of this * function with the default production parameters. In addition, this function * supports the following production customizations, described in more detail - * in the documentation of ::psa_key_production_parameters_t: + * in the documentation of ::psa_custom_key_parameters_t: * * - RSA keys: generation with a custom public exponent. * @@ -4145,6 +4228,64 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, * versions of Mbed TLS. * * \param[in] attributes The attributes for the new key. + * \param[in] custom Customization parameters for the key generation. + * When this is #PSA_CUSTOM_KEY_PARAMETERS_INIT + * with \p custom_data_length = 0, + * this function is equivalent to + * psa_generate_key(). + * \param[in] custom_data Variable-length data associated with \c custom. + * \param custom_data_length + * Length of `custom_data` in bytes. + * \param[out] key On success, an identifier for the newly created + * key. For persistent keys, this is the key + * identifier defined in \p attributes. + * \c 0 on failure. + * + * \retval #PSA_SUCCESS + * Success. + * If the key is persistent, the key material and the key's metadata + * have been saved to persistent storage. + * \retval #PSA_ERROR_ALREADY_EXISTS + * This is an attempt to create a persistent key, and there is + * already a persistent key with the given identifier. + * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription + * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription + * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription + * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription + * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription + * \retval #PSA_ERROR_DATA_INVALID \emptydescription + * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription + * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription + * \retval #PSA_ERROR_BAD_STATE + * The library has not been previously initialized by psa_crypto_init(). + * It is implementation-dependent whether a failure to initialize + * results in this error code. + */ +psa_status_t psa_generate_key_custom(const psa_key_attributes_t *attributes, + const psa_custom_key_parameters_t *custom, + const uint8_t *custom_data, + size_t custom_data_length, + mbedtls_svc_key_id_t *key); + +#ifndef __cplusplus +/* Omitted when compiling in C++, because one of the parameters is a + * pointer to a struct with a flexible array member, and that is not + * standard C++. + * https://github.com/Mbed-TLS/mbedtls/issues/9020 + */ +/** + * \brief Generate a key or key pair using custom production parameters. + * + * \note + * This is a deprecated variant of psa_key_derivation_output_key_custom(). + * It is equivalent except that the associated variable-length data + * is passed in `params->data` instead of a separate parameter. + * This function will be removed in a future version of Mbed TLS. + * + * \param[in] attributes The attributes for the new key. * \param[in] params Customization parameters for the key generation. * When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT * with \p params_data_length = 0, @@ -4184,6 +4325,7 @@ psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, const psa_key_production_parameters_t *params, size_t params_data_length, mbedtls_svc_key_id_t *key); +#endif /* !__cplusplus */ /**@}*/ diff --git a/yass/third_party/mbedtls/include/psa/crypto_adjust_auto_enabled.h b/yass/third_party/mbedtls/include/psa/crypto_adjust_auto_enabled.h index 63fb29e85b..3a2af15180 100644 --- a/yass/third_party/mbedtls/include/psa/crypto_adjust_auto_enabled.h +++ b/yass/third_party/mbedtls/include/psa/crypto_adjust_auto_enabled.h @@ -2,6 +2,8 @@ * \file psa/crypto_adjust_auto_enabled.h * \brief Adjust PSA configuration: enable always-on features * + * This is an internal header. Do not include it directly. + * * Always enable certain features which require a negligible amount of code * to implement, to avoid some edge cases in the configuration combinatorics. */ @@ -13,6 +15,14 @@ #ifndef PSA_CRYPTO_ADJUST_AUTO_ENABLED_H #define PSA_CRYPTO_ADJUST_AUTO_ENABLED_H +#if !defined(MBEDTLS_CONFIG_FILES_READ) +#error "Do not include psa/crypto_adjust_*.h manually! This can lead to problems, " \ + "up to and including runtime errors such as buffer overflows. " \ + "If you're trying to fix a complaint from check_config.h, just remove " \ + "it from your configuration file: since Mbed TLS 3.0, it is included " \ + "automatically at the right point." +#endif /* */ + #define PSA_WANT_KEY_TYPE_DERIVE 1 #define PSA_WANT_KEY_TYPE_PASSWORD 1 #define PSA_WANT_KEY_TYPE_PASSWORD_HASH 1 diff --git a/yass/third_party/mbedtls/include/psa/crypto_adjust_config_dependencies.h b/yass/third_party/mbedtls/include/psa/crypto_adjust_config_dependencies.h new file mode 100644 index 0000000000..92e9c4de28 --- /dev/null +++ b/yass/third_party/mbedtls/include/psa/crypto_adjust_config_dependencies.h @@ -0,0 +1,51 @@ +/** + * \file psa/crypto_adjust_config_dependencies.h + * \brief Adjust PSA configuration by resolving some dependencies. + * + * This is an internal header. Do not include it directly. + * + * See docs/proposed/psa-conditional-inclusion-c.md. + * If the Mbed TLS implementation of a cryptographic mechanism A depends on a + * cryptographic mechanism B then if the cryptographic mechanism A is enabled + * and not accelerated enable B. Note that if A is enabled and accelerated, it + * is not necessary to enable B for A support. + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +#ifndef PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H +#define PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H + +#if !defined(MBEDTLS_CONFIG_FILES_READ) +#error "Do not include psa/crypto_adjust_*.h manually! This can lead to problems, " \ + "up to and including runtime errors such as buffer overflows. " \ + "If you're trying to fix a complaint from check_config.h, just remove " \ + "it from your configuration file: since Mbed TLS 3.0, it is included " \ + "automatically at the right point." +#endif /* */ + +#if (defined(PSA_WANT_ALG_TLS12_PRF) && \ + !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF)) || \ + (defined(PSA_WANT_ALG_TLS12_PSK_TO_MS) && \ + !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS)) || \ + (defined(PSA_WANT_ALG_HKDF) && \ + !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF)) || \ + (defined(PSA_WANT_ALG_HKDF_EXTRACT) && \ + !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT)) || \ + (defined(PSA_WANT_ALG_HKDF_EXPAND) && \ + !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF_EXPAND)) || \ + (defined(PSA_WANT_ALG_PBKDF2_HMAC) && \ + !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_HMAC)) +#define PSA_WANT_ALG_HMAC 1 +#define PSA_WANT_KEY_TYPE_HMAC 1 +#endif + +#if (defined(PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128) && \ + !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_AES_CMAC_PRF_128)) +#define PSA_WANT_KEY_TYPE_AES 1 +#define PSA_WANT_ALG_CMAC 1 +#endif + +#endif /* PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H */ diff --git a/yass/third_party/mbedtls/include/psa/crypto_adjust_config_key_pair_types.h b/yass/third_party/mbedtls/include/psa/crypto_adjust_config_key_pair_types.h index 63afc0e402..cec39e01ce 100644 --- a/yass/third_party/mbedtls/include/psa/crypto_adjust_config_key_pair_types.h +++ b/yass/third_party/mbedtls/include/psa/crypto_adjust_config_key_pair_types.h @@ -2,6 +2,8 @@ * \file psa/crypto_adjust_config_key_pair_types.h * \brief Adjust PSA configuration for key pair types. * + * This is an internal header. Do not include it directly. + * * See docs/proposed/psa-conditional-inclusion-c.md. * - Support non-basic operations in a keypair type implicitly enables basic * support for that keypair type. @@ -19,6 +21,14 @@ #ifndef PSA_CRYPTO_ADJUST_KEYPAIR_TYPES_H #define PSA_CRYPTO_ADJUST_KEYPAIR_TYPES_H +#if !defined(MBEDTLS_CONFIG_FILES_READ) +#error "Do not include psa/crypto_adjust_*.h manually! This can lead to problems, " \ + "up to and including runtime errors such as buffer overflows. " \ + "If you're trying to fix a complaint from check_config.h, just remove " \ + "it from your configuration file: since Mbed TLS 3.0, it is included " \ + "automatically at the right point." +#endif /* */ + /***************************************************************** * ANYTHING -> BASIC ****************************************************************/ diff --git a/yass/third_party/mbedtls/include/psa/crypto_adjust_config_synonyms.h b/yass/third_party/mbedtls/include/psa/crypto_adjust_config_synonyms.h index 332b622c9b..54b116f434 100644 --- a/yass/third_party/mbedtls/include/psa/crypto_adjust_config_synonyms.h +++ b/yass/third_party/mbedtls/include/psa/crypto_adjust_config_synonyms.h @@ -2,6 +2,8 @@ * \file psa/crypto_adjust_config_synonyms.h * \brief Adjust PSA configuration: enable quasi-synonyms * + * This is an internal header. Do not include it directly. + * * When two features require almost the same code, we automatically enable * both when either one is requested, to reduce the combinatorics of * possible configurations. @@ -14,6 +16,14 @@ #ifndef PSA_CRYPTO_ADJUST_CONFIG_SYNONYMS_H #define PSA_CRYPTO_ADJUST_CONFIG_SYNONYMS_H +#if !defined(MBEDTLS_CONFIG_FILES_READ) +#error "Do not include psa/crypto_adjust_*.h manually! This can lead to problems, " \ + "up to and including runtime errors such as buffer overflows. " \ + "If you're trying to fix a complaint from check_config.h, just remove " \ + "it from your configuration file: since Mbed TLS 3.0, it is included " \ + "automatically at the right point." +#endif /* */ + /****************************************************************/ /* De facto synonyms */ /****************************************************************/ diff --git a/yass/third_party/mbedtls/include/psa/crypto_extra.h b/yass/third_party/mbedtls/include/psa/crypto_extra.h index 6ed1f6c43a..0cf42c6055 100644 --- a/yass/third_party/mbedtls/include/psa/crypto_extra.h +++ b/yass/third_party/mbedtls/include/psa/crypto_extra.h @@ -154,6 +154,14 @@ static inline void psa_clear_key_slot_number( * specified in \p attributes. * * \param[in] attributes The attributes of the existing key. + * - The lifetime must be a persistent lifetime + * in a secure element. Volatile lifetimes are + * not currently supported. + * - The key identifier must be in the valid + * range for persistent keys. + * - The key type and size must be specified and + * must be consistent with the key material + * in the secure element. * * \retval #PSA_SUCCESS * The key was successfully registered. @@ -479,7 +487,7 @@ psa_status_t mbedtls_psa_external_get_random( * #PSA_KEY_ID_VENDOR_MIN and #PSA_KEY_ID_VENDOR_MAX and must not intersect * with any other set of implementation-chosen key identifiers. * - * This value is part of the library's ABI since changing it would invalidate + * This value is part of the library's API since changing it would invalidate * the values of built-in key identifiers in applications. */ #define MBEDTLS_PSA_KEY_ID_BUILTIN_MIN ((psa_key_id_t) 0x7fff0000) diff --git a/yass/third_party/mbedtls/include/psa/crypto_struct.h b/yass/third_party/mbedtls/include/psa/crypto_struct.h index 3913551aa8..362e921a36 100644 --- a/yass/third_party/mbedtls/include/psa/crypto_struct.h +++ b/yass/third_party/mbedtls/include/psa/crypto_struct.h @@ -223,9 +223,34 @@ static inline struct psa_key_derivation_s psa_key_derivation_operation_init( return v; } -struct psa_key_production_parameters_s { +struct psa_custom_key_parameters_s { /* Future versions may add other fields in this structure. */ uint32_t flags; +}; + +/** The default production parameters for key generation or key derivation. + * + * Calling psa_generate_key_custom() or psa_key_derivation_output_key_custom() + * with `custom=PSA_CUSTOM_KEY_PARAMETERS_INIT` and `custom_data_length=0` is + * equivalent to calling psa_generate_key() or psa_key_derivation_output_key() + * respectively. + */ +#define PSA_CUSTOM_KEY_PARAMETERS_INIT { 0 } + +#ifndef __cplusplus +/* Omitted when compiling in C++, because one of the parameters is a + * pointer to a struct with a flexible array member, and that is not + * standard C++. + * https://github.com/Mbed-TLS/mbedtls/issues/9020 + */ +/* This is a deprecated variant of `struct psa_custom_key_parameters_s`. + * It has exactly the same layout, plus an extra field which is a flexible + * array member. Thus a `const struct psa_key_production_parameters_s *` + * can be passed to any function that reads a + * `const struct psa_custom_key_parameters_s *`. + */ +struct psa_key_production_parameters_s { + uint32_t flags; uint8_t data[]; }; @@ -238,6 +263,7 @@ struct psa_key_production_parameters_s { * respectively. */ #define PSA_KEY_PRODUCTION_PARAMETERS_INIT { 0 } +#endif /* !__cplusplus */ struct psa_key_policy_s { psa_key_usage_t MBEDTLS_PRIVATE(usage); diff --git a/yass/third_party/mbedtls/include/psa/crypto_types.h b/yass/third_party/mbedtls/include/psa/crypto_types.h index c21bad86cc..f831486f4e 100644 --- a/yass/third_party/mbedtls/include/psa/crypto_types.h +++ b/yass/third_party/mbedtls/include/psa/crypto_types.h @@ -455,6 +455,30 @@ typedef uint64_t psa_key_slot_number_t; */ typedef uint16_t psa_key_derivation_step_t; +/** \brief Custom parameters for key generation or key derivation. + * + * This is a structure type with at least the following field: + * + * - \c flags: an unsigned integer type. 0 for the default production parameters. + * + * Functions that take such a structure as input also take an associated + * input buffer \c custom_data of length \c custom_data_length. + * + * The interpretation of this structure and the associated \c custom_data + * parameter depend on the type of the created key. + * + * - #PSA_KEY_TYPE_RSA_KEY_PAIR: + * - \c flags: must be 0. + * - \c custom_data: the public exponent, in little-endian order. + * This must be an odd integer and must not be 1. + * Implementations must support 65537, should support 3 and may + * support other values. + * When not using a driver, Mbed TLS supports values up to \c INT_MAX. + * If this is empty, the default value 65537 is used. + * - Other key types: reserved for future use. \c flags must be 0. + */ +typedef struct psa_custom_key_parameters_s psa_custom_key_parameters_t; + /** \brief Custom parameters for key generation or key derivation. * * This is a structure type with at least the following fields: diff --git a/yass/third_party/mbedtls/library/CMakeLists.txt b/yass/third_party/mbedtls/library/CMakeLists.txt index 0aec38f646..dcc7c59b47 100644 --- a/yass/third_party/mbedtls/library/CMakeLists.txt +++ b/yass/third_party/mbedtls/library/CMakeLists.txt @@ -197,11 +197,11 @@ else() endif() if(CMAKE_COMPILER_IS_GNUCC) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations -Wmissing-prototypes") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations") endif(CMAKE_COMPILER_IS_GNUCC) if(CMAKE_COMPILER_IS_CLANG) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations -Wmissing-prototypes -Wno-documentation-deprecated-sync -Wunreachable-code") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations -Wno-documentation-deprecated-sync -Wunreachable-code") endif(CMAKE_COMPILER_IS_CLANG) if(CMAKE_COMPILER_IS_MSVC) @@ -220,6 +220,15 @@ if(WIN32) set(libs ${libs} ws2_32 bcrypt) endif(WIN32) +if(CMAKE_C_COMPILER_ID MATCHES "AppleClang") + set(CMAKE_C_ARCHIVE_CREATE " Scr ") + set(CMAKE_C_ARCHIVE_FINISH " -no_warning_for_no_symbols -c ") +endif() +if(CMAKE_CXX_COMPILER_ID MATCHES "AppleClang") + set(CMAKE_CXX_ARCHIVE_CREATE " Scr ") + set(CMAKE_CXX_ARCHIVE_FINISH " -no_warning_for_no_symbols -c ") +endif() + if(HAIKU) set(libs ${libs} network) endif(HAIKU) @@ -291,7 +300,7 @@ endif(USE_STATIC_MBEDTLS_LIBRARY) if(USE_SHARED_MBEDTLS_LIBRARY) set(CMAKE_LIBRARY_PATH ${CMAKE_CURRENT_BINARY_DIR}) add_library(${mbedcrypto_target} SHARED ${src_crypto}) - set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.6.0 SOVERSION 16) + set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.6.1 SOVERSION 16) target_link_libraries(${mbedcrypto_target} PUBLIC ${libs}) if(TARGET ${everest_target}) @@ -303,11 +312,11 @@ if(USE_SHARED_MBEDTLS_LIBRARY) endif() add_library(${mbedx509_target} SHARED ${src_x509}) - set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.6.0 SOVERSION 7) + set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.6.1 SOVERSION 7) target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target}) add_library(${mbedtls_target} SHARED ${src_tls}) - set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.6.0 SOVERSION 21) + set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.6.1 SOVERSION 21) target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target}) endif(USE_SHARED_MBEDTLS_LIBRARY) diff --git a/yass/third_party/mbedtls/library/bignum.c b/yass/third_party/mbedtls/library/bignum.c index c45fd5bf24..424490951d 100644 --- a/yass/third_party/mbedtls/library/bignum.c +++ b/yass/third_party/mbedtls/library/bignum.c @@ -27,6 +27,7 @@ #include "mbedtls/bignum.h" #include "bignum_core.h" +#include "bignum_internal.h" #include "bn_mul.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" @@ -1610,9 +1611,13 @@ int mbedtls_mpi_mod_int(mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_s return 0; } -int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, - const mbedtls_mpi *E, const mbedtls_mpi *N, - mbedtls_mpi *prec_RR) +/* + * Warning! If the parameter E_public has MBEDTLS_MPI_IS_PUBLIC as its value, + * this function is not constant time with respect to the exponent (parameter E). + */ +static int mbedtls_mpi_exp_mod_optionally_safe(mbedtls_mpi *X, const mbedtls_mpi *A, + const mbedtls_mpi *E, int E_public, + const mbedtls_mpi *N, mbedtls_mpi *prec_RR) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; @@ -1695,7 +1700,11 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, { mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N->p); mbedtls_mpi_core_to_mont_rep(X->p, X->p, N->p, N->n, mm, RR.p, T); - mbedtls_mpi_core_exp_mod(X->p, X->p, N->p, N->n, E->p, E->n, RR.p, T); + if (E_public == MBEDTLS_MPI_IS_PUBLIC) { + mbedtls_mpi_core_exp_mod_unsafe(X->p, X->p, N->p, N->n, E->p, E->n, RR.p, T); + } else { + mbedtls_mpi_core_exp_mod(X->p, X->p, N->p, N->n, E->p, E->n, RR.p, T); + } mbedtls_mpi_core_from_mont_rep(X->p, X->p, N->p, N->n, mm, T); } @@ -1720,6 +1729,20 @@ cleanup: return ret; } +int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A, + const mbedtls_mpi *E, const mbedtls_mpi *N, + mbedtls_mpi *prec_RR) +{ + return mbedtls_mpi_exp_mod_optionally_safe(X, A, E, MBEDTLS_MPI_IS_SECRET, N, prec_RR); +} + +int mbedtls_mpi_exp_mod_unsafe(mbedtls_mpi *X, const mbedtls_mpi *A, + const mbedtls_mpi *E, const mbedtls_mpi *N, + mbedtls_mpi *prec_RR) +{ + return mbedtls_mpi_exp_mod_optionally_safe(X, A, E, MBEDTLS_MPI_IS_PUBLIC, N, prec_RR); +} + /* * Greatest common divisor: G = gcd(A, B) (HAC 14.54) */ diff --git a/yass/third_party/mbedtls/library/bignum_core.c b/yass/third_party/mbedtls/library/bignum_core.c index 1a3e0b9b6f..4231554b84 100644 --- a/yass/third_party/mbedtls/library/bignum_core.c +++ b/yass/third_party/mbedtls/library/bignum_core.c @@ -746,7 +746,93 @@ static void exp_mod_precompute_window(const mbedtls_mpi_uint *A, } } +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) +// Set to a default that is neither MBEDTLS_MPI_IS_PUBLIC nor MBEDTLS_MPI_IS_SECRET +int mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_PUBLIC + MBEDTLS_MPI_IS_SECRET + 1; +#endif + +/* + * This function calculates the indices of the exponent where the exponentiation algorithm should + * start processing. + * + * Warning! If the parameter E_public has MBEDTLS_MPI_IS_PUBLIC as its value, + * this function is not constant time with respect to the exponent (parameter E). + */ +static inline void exp_mod_calc_first_bit_optionally_safe(const mbedtls_mpi_uint *E, + size_t E_limbs, + int E_public, + size_t *E_limb_index, + size_t *E_bit_index) +{ + if (E_public == MBEDTLS_MPI_IS_PUBLIC) { + /* + * Skip leading zero bits. + */ + size_t E_bits = mbedtls_mpi_core_bitlen(E, E_limbs); + if (E_bits == 0) { + /* + * If E is 0 mbedtls_mpi_core_bitlen() returns 0. Even if that is the case, we will want + * to represent it as a single 0 bit and as such the bitlength will be 1. + */ + E_bits = 1; + } + + *E_limb_index = E_bits / biL; + *E_bit_index = E_bits % biL; + +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_PUBLIC; +#endif + } else { + /* + * Here we need to be constant time with respect to E and can't do anything better than + * start at the first allocated bit. + */ + *E_limb_index = E_limbs; + *E_bit_index = 0; +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + // Only mark the codepath safe if there wasn't an unsafe codepath before + if (mbedtls_mpi_optionally_safe_codepath != MBEDTLS_MPI_IS_PUBLIC) { + mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_SECRET; + } +#endif + } +} + +/* + * Warning! If the parameter window_public has MBEDTLS_MPI_IS_PUBLIC as its value, this function is + * not constant time with respect to the window parameter and consequently the exponent of the + * exponentiation (parameter E of mbedtls_mpi_core_exp_mod_optionally_safe). + */ +static inline void exp_mod_table_lookup_optionally_safe(mbedtls_mpi_uint *Wselect, + mbedtls_mpi_uint *Wtable, + size_t AN_limbs, size_t welem, + mbedtls_mpi_uint window, + int window_public) +{ + if (window_public == MBEDTLS_MPI_IS_PUBLIC) { + memcpy(Wselect, Wtable + window * AN_limbs, AN_limbs * ciL); +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_PUBLIC; +#endif + } else { + /* Select Wtable[window] without leaking window through + * memory access patterns. */ + mbedtls_mpi_core_ct_uint_table_lookup(Wselect, Wtable, + AN_limbs, welem, window); +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + // Only mark the codepath safe if there wasn't an unsafe codepath before + if (mbedtls_mpi_optionally_safe_codepath != MBEDTLS_MPI_IS_PUBLIC) { + mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_SECRET; + } +#endif + } +} + /* Exponentiation: X := A^E mod N. + * + * Warning! If the parameter E_public has MBEDTLS_MPI_IS_PUBLIC as its value, + * this function is not constant time with respect to the exponent (parameter E). * * A must already be in Montgomery form. * @@ -758,16 +844,25 @@ static void exp_mod_precompute_window(const mbedtls_mpi_uint *A, * (The difference is that the body in our loop processes a single bit instead * of a full window.) */ -void mbedtls_mpi_core_exp_mod(mbedtls_mpi_uint *X, - const mbedtls_mpi_uint *A, - const mbedtls_mpi_uint *N, - size_t AN_limbs, - const mbedtls_mpi_uint *E, - size_t E_limbs, - const mbedtls_mpi_uint *RR, - mbedtls_mpi_uint *T) +static void mbedtls_mpi_core_exp_mod_optionally_safe(mbedtls_mpi_uint *X, + const mbedtls_mpi_uint *A, + const mbedtls_mpi_uint *N, + size_t AN_limbs, + const mbedtls_mpi_uint *E, + size_t E_limbs, + int E_public, + const mbedtls_mpi_uint *RR, + mbedtls_mpi_uint *T) { - const size_t wsize = exp_mod_get_window_size(E_limbs * biL); + /* We'll process the bits of E from most significant + * (limb_index=E_limbs-1, E_bit_index=biL-1) to least significant + * (limb_index=0, E_bit_index=0). */ + size_t E_limb_index; + size_t E_bit_index; + exp_mod_calc_first_bit_optionally_safe(E, E_limbs, E_public, + &E_limb_index, &E_bit_index); + + const size_t wsize = exp_mod_get_window_size(E_limb_index * biL); const size_t welem = ((size_t) 1) << wsize; /* This is how we will use the temporary storage T, which must have space @@ -786,7 +881,7 @@ void mbedtls_mpi_core_exp_mod(mbedtls_mpi_uint *X, const mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N); - /* Set Wtable[i] = A^(2^i) (in Montgomery representation) */ + /* Set Wtable[i] = A^i (in Montgomery representation) */ exp_mod_precompute_window(A, N, AN_limbs, mm, RR, welem, Wtable, temp); @@ -798,11 +893,6 @@ void mbedtls_mpi_core_exp_mod(mbedtls_mpi_uint *X, /* X = 1 (in Montgomery presentation) initially */ memcpy(X, Wtable, AN_limbs * ciL); - /* We'll process the bits of E from most significant - * (limb_index=E_limbs-1, E_bit_index=biL-1) to least significant - * (limb_index=0, E_bit_index=0). */ - size_t E_limb_index = E_limbs; - size_t E_bit_index = 0; /* At any given time, window contains window_bits bits from E. * window_bits can go up to wsize. */ size_t window_bits = 0; @@ -828,10 +918,9 @@ void mbedtls_mpi_core_exp_mod(mbedtls_mpi_uint *X, * when we've finished processing the exponent. */ if (window_bits == wsize || (E_bit_index == 0 && E_limb_index == 0)) { - /* Select Wtable[window] without leaking window through - * memory access patterns. */ - mbedtls_mpi_core_ct_uint_table_lookup(Wselect, Wtable, - AN_limbs, welem, window); + + exp_mod_table_lookup_optionally_safe(Wselect, Wtable, AN_limbs, welem, + window, E_public); /* Multiply X by the selected element. */ mbedtls_mpi_core_montmul(X, X, Wselect, AN_limbs, N, AN_limbs, mm, temp); @@ -841,6 +930,42 @@ void mbedtls_mpi_core_exp_mod(mbedtls_mpi_uint *X, } while (!(E_bit_index == 0 && E_limb_index == 0)); } +void mbedtls_mpi_core_exp_mod(mbedtls_mpi_uint *X, + const mbedtls_mpi_uint *A, + const mbedtls_mpi_uint *N, size_t AN_limbs, + const mbedtls_mpi_uint *E, size_t E_limbs, + const mbedtls_mpi_uint *RR, + mbedtls_mpi_uint *T) +{ + mbedtls_mpi_core_exp_mod_optionally_safe(X, + A, + N, + AN_limbs, + E, + E_limbs, + MBEDTLS_MPI_IS_SECRET, + RR, + T); +} + +void mbedtls_mpi_core_exp_mod_unsafe(mbedtls_mpi_uint *X, + const mbedtls_mpi_uint *A, + const mbedtls_mpi_uint *N, size_t AN_limbs, + const mbedtls_mpi_uint *E, size_t E_limbs, + const mbedtls_mpi_uint *RR, + mbedtls_mpi_uint *T) +{ + mbedtls_mpi_core_exp_mod_optionally_safe(X, + A, + N, + AN_limbs, + E, + E_limbs, + MBEDTLS_MPI_IS_PUBLIC, + RR, + T); +} + mbedtls_mpi_uint mbedtls_mpi_core_sub_int(mbedtls_mpi_uint *X, const mbedtls_mpi_uint *A, mbedtls_mpi_uint c, /* doubles as carry */ diff --git a/yass/third_party/mbedtls/library/bignum_core.h b/yass/third_party/mbedtls/library/bignum_core.h index 92c8d47db5..cf6485a148 100644 --- a/yass/third_party/mbedtls/library/bignum_core.h +++ b/yass/third_party/mbedtls/library/bignum_core.h @@ -90,6 +90,27 @@ #define GET_BYTE(X, i) \ (((X)[(i) / ciL] >> (((i) % ciL) * 8)) & 0xff) +/* Constants to identify whether a value is public or secret. If a parameter is marked as secret by + * this constant, the function must be constant time with respect to the parameter. + * + * This is only needed for functions with the _optionally_safe postfix. All other functions have + * fixed behavior that can't be changed at runtime and are constant time with respect to their + * parameters as prescribed by their documentation or by conventions in their module's documentation. + * + * Parameters should be named X_public where X is the name of the + * corresponding input parameter. + * + * Implementation should always check using + * if (X_public == MBEDTLS_MPI_IS_PUBLIC) { + * // unsafe path + * } else { + * // safe path + * } + * not the other way round, in order to prevent misuse. (This is, if a value + * other than the two below is passed, default to the safe path.) */ +#define MBEDTLS_MPI_IS_PUBLIC 0x2a2a2a2a +#define MBEDTLS_MPI_IS_SECRET 0 + /** Count leading zero bits in a given integer. * * \warning The result is undefined if \p a == 0 @@ -604,6 +625,42 @@ int mbedtls_mpi_core_random(mbedtls_mpi_uint *X, */ size_t mbedtls_mpi_core_exp_mod_working_limbs(size_t AN_limbs, size_t E_limbs); +/** + * \brief Perform a modular exponentiation with public or secret exponent: + * X = A^E mod N, where \p A is already in Montgomery form. + * + * \warning This function is not constant time with respect to \p E (the exponent). + * + * \p X may be aliased to \p A, but not to \p RR or \p E, even if \p E_limbs == + * \p AN_limbs. + * + * \param[out] X The destination MPI, as a little endian array of length + * \p AN_limbs. + * \param[in] A The base MPI, as a little endian array of length \p AN_limbs. + * Must be in Montgomery form. + * \param[in] N The modulus, as a little endian array of length \p AN_limbs. + * \param AN_limbs The number of limbs in \p X, \p A, \p N, \p RR. + * \param[in] E The exponent, as a little endian array of length \p E_limbs. + * \param E_limbs The number of limbs in \p E. + * \param[in] RR The precomputed residue of 2^{2*biL} modulo N, as a little + * endian array of length \p AN_limbs. + * \param[in,out] T Temporary storage of at least the number of limbs returned + * by `mbedtls_mpi_core_exp_mod_working_limbs()`. + * Its initial content is unused and its final content is + * indeterminate. + * It must not alias or otherwise overlap any of the other + * parameters. + * It is up to the caller to zeroize \p T when it is no + * longer needed, and before freeing it if it was dynamically + * allocated. + */ +void mbedtls_mpi_core_exp_mod_unsafe(mbedtls_mpi_uint *X, + const mbedtls_mpi_uint *A, + const mbedtls_mpi_uint *N, size_t AN_limbs, + const mbedtls_mpi_uint *E, size_t E_limbs, + const mbedtls_mpi_uint *RR, + mbedtls_mpi_uint *T); + /** * \brief Perform a modular exponentiation with secret exponent: * X = A^E mod N, where \p A is already in Montgomery form. @@ -760,4 +817,17 @@ void mbedtls_mpi_core_from_mont_rep(mbedtls_mpi_uint *X, mbedtls_mpi_uint mm, mbedtls_mpi_uint *T); +/* + * Can't define thread local variables with our abstraction layer: do nothing if threading is on. + */ +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) +extern int mbedtls_mpi_optionally_safe_codepath; + +static inline void mbedtls_mpi_optionally_safe_codepath_reset(void) +{ + // Set to a default that is neither MBEDTLS_MPI_IS_PUBLIC nor MBEDTLS_MPI_IS_SECRET + mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_PUBLIC + MBEDTLS_MPI_IS_SECRET + 1; +} +#endif + #endif /* MBEDTLS_BIGNUM_CORE_H */ diff --git a/yass/third_party/mbedtls/library/bignum_internal.h b/yass/third_party/mbedtls/library/bignum_internal.h new file mode 100644 index 0000000000..aceaf55ea2 --- /dev/null +++ b/yass/third_party/mbedtls/library/bignum_internal.h @@ -0,0 +1,50 @@ +/** + * \file bignum_internal.h + * + * \brief Internal-only bignum public-key cryptosystem API. + * + * This file declares bignum-related functions that are to be used + * only from within the Mbed TLS library itself. + * + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ +#ifndef MBEDTLS_BIGNUM_INTERNAL_H +#define MBEDTLS_BIGNUM_INTERNAL_H + +/** + * \brief Perform a modular exponentiation: X = A^E mod N + * + * \warning This function is not constant time with respect to \p E (the exponent). + * + * \param X The destination MPI. This must point to an initialized MPI. + * This must not alias E or N. + * \param A The base of the exponentiation. + * This must point to an initialized MPI. + * \param E The exponent MPI. This must point to an initialized MPI. + * \param N The base for the modular reduction. This must point to an + * initialized MPI. + * \param prec_RR A helper MPI depending solely on \p N which can be used to + * speed-up multiple modular exponentiations for the same value + * of \p N. This may be \c NULL. If it is not \c NULL, it must + * point to an initialized MPI. If it hasn't been used after + * the call to mbedtls_mpi_init(), this function will compute + * the helper value and store it in \p prec_RR for reuse on + * subsequent calls to this function. Otherwise, the function + * will assume that \p prec_RR holds the helper value set by a + * previous call to mbedtls_mpi_exp_mod(), and reuse it. + * + * \return \c 0 if successful. + * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed. + * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \c N is negative or + * even, or if \c E is negative. + * \return Another negative error code on different kinds of failures. + * + */ +int mbedtls_mpi_exp_mod_unsafe(mbedtls_mpi *X, const mbedtls_mpi *A, + const mbedtls_mpi *E, const mbedtls_mpi *N, + mbedtls_mpi *prec_RR); + +#endif /* bignum_internal.h */ diff --git a/yass/third_party/mbedtls/library/block_cipher.c b/yass/third_party/mbedtls/library/block_cipher.c index 04cd7fb444..51cdcdf46b 100644 --- a/yass/third_party/mbedtls/library/block_cipher.c +++ b/yass/third_party/mbedtls/library/block_cipher.c @@ -51,6 +51,10 @@ static int mbedtls_cipher_error_from_psa(psa_status_t status) void mbedtls_block_cipher_free(mbedtls_block_cipher_context_t *ctx) { + if (ctx == NULL) { + return; + } + #if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA) if (ctx->engine == MBEDTLS_BLOCK_CIPHER_ENGINE_PSA) { psa_destroy_key(ctx->psa_key_id); diff --git a/yass/third_party/mbedtls/library/cipher.c b/yass/third_party/mbedtls/library/cipher.c index 0683677eda..7f4c121492 100644 --- a/yass/third_party/mbedtls/library/cipher.c +++ b/yass/third_party/mbedtls/library/cipher.c @@ -849,6 +849,9 @@ static int get_pkcs_padding(unsigned char *input, size_t input_len, } padding_len = input[input_len - 1]; + if (padding_len == 0 || padding_len > input_len) { + return MBEDTLS_ERR_CIPHER_INVALID_PADDING; + } *data_len = input_len - padding_len; mbedtls_ct_condition_t bad = mbedtls_ct_uint_gt(padding_len, input_len); diff --git a/yass/third_party/mbedtls/library/common.h b/yass/third_party/mbedtls/library/common.h index 3936ffdfe1..7bb2674293 100644 --- a/yass/third_party/mbedtls/library/common.h +++ b/yass/third_party/mbedtls/library/common.h @@ -352,17 +352,19 @@ static inline void mbedtls_xor_no_simd(unsigned char *r, #endif /* Always provide a static assert macro, so it can be used unconditionally. - * It will expand to nothing on some systems. - * Can be used outside functions (but don't add a trailing ';' in that case: - * the semicolon is included here to avoid triggering -Wextra-semi when - * MBEDTLS_STATIC_ASSERT() expands to nothing). - * Can't use the C11-style `defined(static_assert)` on FreeBSD, since it + * It does nothing on systems where we don't know how to define a static assert. + */ +/* Can't use the C11-style `defined(static_assert)` on FreeBSD, since it * defines static_assert even with -std=c99, but then complains about it. */ #if defined(static_assert) && !defined(__FreeBSD__) -#define MBEDTLS_STATIC_ASSERT(expr, msg) static_assert(expr, msg); +#define MBEDTLS_STATIC_ASSERT(expr, msg) static_assert(expr, msg) #else -#define MBEDTLS_STATIC_ASSERT(expr, msg) +/* Make sure `MBEDTLS_STATIC_ASSERT(expr, msg);` is valid both inside and + * outside a function. We choose a struct declaration, which can be repeated + * any number of times and does not need a matching definition. */ +#define MBEDTLS_STATIC_ASSERT(expr, msg) \ + struct ISO_C_does_not_allow_extra_semicolon_outside_of_a_function #endif #if defined(__has_builtin) diff --git a/yass/third_party/mbedtls/library/ctr_drbg.c b/yass/third_party/mbedtls/library/ctr_drbg.c index 66d9d28c58..b82044eb7d 100644 --- a/yass/third_party/mbedtls/library/ctr_drbg.c +++ b/yass/third_party/mbedtls/library/ctr_drbg.c @@ -26,13 +26,13 @@ #endif /* Using error translation functions from PSA to MbedTLS */ -#if !defined(MBEDTLS_AES_C) +#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO) #include "psa_util_internal.h" #endif #include "mbedtls/platform.h" -#if !defined(MBEDTLS_AES_C) +#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO) static psa_status_t ctr_drbg_setup_psa_context(mbedtls_ctr_drbg_psa_context *psa_ctx, unsigned char *key, size_t key_len) { @@ -73,11 +73,11 @@ static void ctr_drbg_destroy_psa_contex(mbedtls_ctr_drbg_psa_context *psa_ctx) void mbedtls_ctr_drbg_init(mbedtls_ctr_drbg_context *ctx) { memset(ctx, 0, sizeof(mbedtls_ctr_drbg_context)); -#if defined(MBEDTLS_AES_C) - mbedtls_aes_init(&ctx->aes_ctx); -#else +#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO) ctx->psa_ctx.key_id = MBEDTLS_SVC_KEY_ID_INIT; ctx->psa_ctx.operation = psa_cipher_operation_init(); +#else + mbedtls_aes_init(&ctx->aes_ctx); #endif /* Indicate that the entropy nonce length is not set explicitly. * See mbedtls_ctr_drbg_set_nonce_len(). */ @@ -102,10 +102,10 @@ void mbedtls_ctr_drbg_free(mbedtls_ctr_drbg_context *ctx) mbedtls_mutex_free(&ctx->mutex); } #endif -#if defined(MBEDTLS_AES_C) - mbedtls_aes_free(&ctx->aes_ctx); -#else +#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO) ctr_drbg_destroy_psa_contex(&ctx->psa_ctx); +#else + mbedtls_aes_free(&ctx->aes_ctx); #endif mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ctr_drbg_context)); ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL; @@ -168,15 +168,15 @@ static int block_cipher_df(unsigned char *output, unsigned char chain[MBEDTLS_CTR_DRBG_BLOCKSIZE]; unsigned char *p, *iv; int ret = 0; -#if defined(MBEDTLS_AES_C) - mbedtls_aes_context aes_ctx; -#else +#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO) psa_status_t status; size_t tmp_len; mbedtls_ctr_drbg_psa_context psa_ctx; psa_ctx.key_id = MBEDTLS_SVC_KEY_ID_INIT; psa_ctx.operation = psa_cipher_operation_init(); +#else + mbedtls_aes_context aes_ctx; #endif int i, j; @@ -209,19 +209,19 @@ static int block_cipher_df(unsigned char *output, key[i] = i; } -#if defined(MBEDTLS_AES_C) +#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO) + status = ctr_drbg_setup_psa_context(&psa_ctx, key, sizeof(key)); + if (status != PSA_SUCCESS) { + ret = psa_generic_status_to_mbedtls(status); + goto exit; + } +#else mbedtls_aes_init(&aes_ctx); if ((ret = mbedtls_aes_setkey_enc(&aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS)) != 0) { goto exit; } -#else - status = ctr_drbg_setup_psa_context(&psa_ctx, key, sizeof(key)); - if (status != PSA_SUCCESS) { - ret = psa_generic_status_to_mbedtls(status); - goto exit; - } #endif /* @@ -238,18 +238,18 @@ static int block_cipher_df(unsigned char *output, use_len -= (use_len >= MBEDTLS_CTR_DRBG_BLOCKSIZE) ? MBEDTLS_CTR_DRBG_BLOCKSIZE : use_len; -#if defined(MBEDTLS_AES_C) - if ((ret = mbedtls_aes_crypt_ecb(&aes_ctx, MBEDTLS_AES_ENCRYPT, - chain, chain)) != 0) { - goto exit; - } -#else +#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO) status = psa_cipher_update(&psa_ctx.operation, chain, MBEDTLS_CTR_DRBG_BLOCKSIZE, chain, MBEDTLS_CTR_DRBG_BLOCKSIZE, &tmp_len); if (status != PSA_SUCCESS) { ret = psa_generic_status_to_mbedtls(status); goto exit; } +#else + if ((ret = mbedtls_aes_crypt_ecb(&aes_ctx, MBEDTLS_AES_ENCRYPT, + chain, chain)) != 0) { + goto exit; + } #endif } @@ -264,12 +264,7 @@ static int block_cipher_df(unsigned char *output, /* * Do final encryption with reduced data */ -#if defined(MBEDTLS_AES_C) - if ((ret = mbedtls_aes_setkey_enc(&aes_ctx, tmp, - MBEDTLS_CTR_DRBG_KEYBITS)) != 0) { - goto exit; - } -#else +#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO) ctr_drbg_destroy_psa_contex(&psa_ctx); status = ctr_drbg_setup_psa_context(&psa_ctx, tmp, MBEDTLS_CTR_DRBG_KEYSIZE); @@ -277,32 +272,37 @@ static int block_cipher_df(unsigned char *output, ret = psa_generic_status_to_mbedtls(status); goto exit; } +#else + if ((ret = mbedtls_aes_setkey_enc(&aes_ctx, tmp, + MBEDTLS_CTR_DRBG_KEYBITS)) != 0) { + goto exit; + } #endif iv = tmp + MBEDTLS_CTR_DRBG_KEYSIZE; p = output; for (j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE) { -#if defined(MBEDTLS_AES_C) - if ((ret = mbedtls_aes_crypt_ecb(&aes_ctx, MBEDTLS_AES_ENCRYPT, - iv, iv)) != 0) { - goto exit; - } -#else +#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO) status = psa_cipher_update(&psa_ctx.operation, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE, &tmp_len); if (status != PSA_SUCCESS) { ret = psa_generic_status_to_mbedtls(status); goto exit; } +#else + if ((ret = mbedtls_aes_crypt_ecb(&aes_ctx, MBEDTLS_AES_ENCRYPT, + iv, iv)) != 0) { + goto exit; + } #endif memcpy(p, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE); p += MBEDTLS_CTR_DRBG_BLOCKSIZE; } exit: -#if defined(MBEDTLS_AES_C) - mbedtls_aes_free(&aes_ctx); -#else +#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO) ctr_drbg_destroy_psa_contex(&psa_ctx); +#else + mbedtls_aes_free(&aes_ctx); #endif /* * tidy up the stack @@ -336,7 +336,7 @@ static int ctr_drbg_update_internal(mbedtls_ctr_drbg_context *ctx, unsigned char *p = tmp; int j; int ret = 0; -#if !defined(MBEDTLS_AES_C) +#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO) psa_status_t status; size_t tmp_len; #endif @@ -352,18 +352,18 @@ static int ctr_drbg_update_internal(mbedtls_ctr_drbg_context *ctx, /* * Crypt counter block */ -#if defined(MBEDTLS_AES_C) - if ((ret = mbedtls_aes_crypt_ecb(&ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, - ctx->counter, p)) != 0) { - goto exit; - } -#else +#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO) status = psa_cipher_update(&ctx->psa_ctx.operation, ctx->counter, sizeof(ctx->counter), p, MBEDTLS_CTR_DRBG_BLOCKSIZE, &tmp_len); if (status != PSA_SUCCESS) { ret = psa_generic_status_to_mbedtls(status); goto exit; } +#else + if ((ret = mbedtls_aes_crypt_ecb(&ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, + ctx->counter, p)) != 0) { + goto exit; + } #endif p += MBEDTLS_CTR_DRBG_BLOCKSIZE; @@ -374,12 +374,7 @@ static int ctr_drbg_update_internal(mbedtls_ctr_drbg_context *ctx, /* * Update key and counter */ -#if defined(MBEDTLS_AES_C) - if ((ret = mbedtls_aes_setkey_enc(&ctx->aes_ctx, tmp, - MBEDTLS_CTR_DRBG_KEYBITS)) != 0) { - goto exit; - } -#else +#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO) ctr_drbg_destroy_psa_contex(&ctx->psa_ctx); status = ctr_drbg_setup_psa_context(&ctx->psa_ctx, tmp, MBEDTLS_CTR_DRBG_KEYSIZE); @@ -387,6 +382,11 @@ static int ctr_drbg_update_internal(mbedtls_ctr_drbg_context *ctx, ret = psa_generic_status_to_mbedtls(status); goto exit; } +#else + if ((ret = mbedtls_aes_setkey_enc(&ctx->aes_ctx, tmp, + MBEDTLS_CTR_DRBG_KEYBITS)) != 0) { + goto exit; + } #endif memcpy(ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE, MBEDTLS_CTR_DRBG_BLOCKSIZE); @@ -564,12 +564,7 @@ int mbedtls_ctr_drbg_seed(mbedtls_ctr_drbg_context *ctx, good_nonce_len(ctx->entropy_len)); /* Initialize with an empty key. */ -#if defined(MBEDTLS_AES_C) - if ((ret = mbedtls_aes_setkey_enc(&ctx->aes_ctx, key, - MBEDTLS_CTR_DRBG_KEYBITS)) != 0) { - return ret; - } -#else +#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO) psa_status_t status; status = ctr_drbg_setup_psa_context(&ctx->psa_ctx, key, MBEDTLS_CTR_DRBG_KEYSIZE); @@ -577,6 +572,11 @@ int mbedtls_ctr_drbg_seed(mbedtls_ctr_drbg_context *ctx, ret = psa_generic_status_to_mbedtls(status); return status; } +#else + if ((ret = mbedtls_aes_setkey_enc(&ctx->aes_ctx, key, + MBEDTLS_CTR_DRBG_KEYBITS)) != 0) { + return ret; + } #endif /* Do the initial seeding. */ @@ -655,12 +655,7 @@ int mbedtls_ctr_drbg_random_with_add(void *p_rng, /* * Crypt counter block */ -#if defined(MBEDTLS_AES_C) - if ((ret = mbedtls_aes_crypt_ecb(&ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, - ctx->counter, locals.tmp)) != 0) { - goto exit; - } -#else +#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO) psa_status_t status; size_t tmp_len; @@ -670,6 +665,11 @@ int mbedtls_ctr_drbg_random_with_add(void *p_rng, ret = psa_generic_status_to_mbedtls(status); goto exit; } +#else + if ((ret = mbedtls_aes_crypt_ecb(&ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, + ctx->counter, locals.tmp)) != 0) { + goto exit; + } #endif use_len = (output_len > MBEDTLS_CTR_DRBG_BLOCKSIZE) diff --git a/yass/third_party/mbedtls/library/entropy.c b/yass/third_party/mbedtls/library/entropy.c index e3bc8516e2..7dcf067a52 100644 --- a/yass/third_party/mbedtls/library/entropy.c +++ b/yass/third_party/mbedtls/library/entropy.c @@ -61,6 +61,10 @@ void mbedtls_entropy_init(mbedtls_entropy_context *ctx) void mbedtls_entropy_free(mbedtls_entropy_context *ctx) { + if (ctx == NULL) { + return; + } + /* If the context was already free, don't call free() again. * This is important for mutexes which don't allow double-free. */ if (ctx->accumulator_started == -1) { diff --git a/yass/third_party/mbedtls/library/entropy_poll.c b/yass/third_party/mbedtls/library/entropy_poll.c index 1b316d1d50..611768cd85 100644 --- a/yass/third_party/mbedtls/library/entropy_poll.c +++ b/yass/third_party/mbedtls/library/entropy_poll.c @@ -5,10 +5,12 @@ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */ -#if (defined(__linux__) || defined(__midipix__)) && !defined(_GNU_SOURCE) +#if defined(__linux__) || defined(__midipix__) /* Ensure that syscall() is available even when compiling with -std=c99 */ +#if !defined(_GNU_SOURCE) #define _GNU_SOURCE #endif +#endif #include "common.h" diff --git a/yass/third_party/mbedtls/library/error.c b/yass/third_party/mbedtls/library/error.c index 84b637aeb2..6ad7162ab5 100644 --- a/yass/third_party/mbedtls/library/error.c +++ b/yass/third_party/mbedtls/library/error.c @@ -418,7 +418,7 @@ const char *mbedtls_high_level_strerr(int error_code) case -(MBEDTLS_ERR_SSL_BAD_CERTIFICATE): return( "SSL - Processing of the Certificate handshake message failed" ); case -(MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET): - return( "SSL - * Received NewSessionTicket Post Handshake Message. This error code is experimental and may be changed or removed without notice" ); + return( "SSL - A TLS 1.3 NewSessionTicket message has been received" ); case -(MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA): return( "SSL - Not possible to read early data" ); case -(MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA): diff --git a/yass/third_party/mbedtls/library/lmots.c b/yass/third_party/mbedtls/library/lmots.c index c7091b49e1..c51cb41ece 100644 --- a/yass/third_party/mbedtls/library/lmots.c +++ b/yass/third_party/mbedtls/library/lmots.c @@ -387,6 +387,10 @@ void mbedtls_lmots_public_init(mbedtls_lmots_public_t *ctx) void mbedtls_lmots_public_free(mbedtls_lmots_public_t *ctx) { + if (ctx == NULL) { + return; + } + mbedtls_platform_zeroize(ctx, sizeof(*ctx)); } @@ -556,6 +560,10 @@ void mbedtls_lmots_private_init(mbedtls_lmots_private_t *ctx) void mbedtls_lmots_private_free(mbedtls_lmots_private_t *ctx) { + if (ctx == NULL) { + return; + } + mbedtls_platform_zeroize(ctx, sizeof(*ctx)); } diff --git a/yass/third_party/mbedtls/library/lms.c b/yass/third_party/mbedtls/library/lms.c index 8d3cae0524..7f7bec068b 100644 --- a/yass/third_party/mbedtls/library/lms.c +++ b/yass/third_party/mbedtls/library/lms.c @@ -229,6 +229,10 @@ void mbedtls_lms_public_init(mbedtls_lms_public_t *ctx) void mbedtls_lms_public_free(mbedtls_lms_public_t *ctx) { + if (ctx == NULL) { + return; + } + mbedtls_platform_zeroize(ctx, sizeof(*ctx)); } @@ -528,6 +532,10 @@ void mbedtls_lms_private_init(mbedtls_lms_private_t *ctx) void mbedtls_lms_private_free(mbedtls_lms_private_t *ctx) { + if (ctx == NULL) { + return; + } + unsigned int idx; if (ctx->have_private_key) { diff --git a/yass/third_party/mbedtls/library/md.c b/yass/third_party/mbedtls/library/md.c index 12a3ea2374..c95846aa04 100644 --- a/yass/third_party/mbedtls/library/md.c +++ b/yass/third_party/mbedtls/library/md.c @@ -41,7 +41,7 @@ #include "mbedtls/sha512.h" #include "mbedtls/sha3.h" -#if defined(MBEDTLS_PSA_CRYPTO_C) +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) #include #include "md_psa.h" #include "psa_util_internal.h" @@ -761,13 +761,13 @@ mbedtls_md_type_t mbedtls_md_get_type(const mbedtls_md_info_t *md_info) return md_info->type; } -#if defined(MBEDTLS_PSA_CRYPTO_C) +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) int mbedtls_md_error_from_psa(psa_status_t status) { return PSA_TO_MBEDTLS_ERR_LIST(status, psa_to_md_errors, psa_generic_status_to_mbedtls); } -#endif /* MBEDTLS_PSA_CRYPTO_C */ +#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */ /************************************************************************ diff --git a/yass/third_party/mbedtls/library/net_sockets.c b/yass/third_party/mbedtls/library/net_sockets.c index edec5876ad..ef89a88ef0 100644 --- a/yass/third_party/mbedtls/library/net_sockets.c +++ b/yass/third_party/mbedtls/library/net_sockets.c @@ -683,7 +683,7 @@ void mbedtls_net_close(mbedtls_net_context *ctx) */ void mbedtls_net_free(mbedtls_net_context *ctx) { - if (ctx->fd == -1) { + if (ctx == NULL || ctx->fd == -1) { return; } diff --git a/yass/third_party/mbedtls/library/nist_kw.c b/yass/third_party/mbedtls/library/nist_kw.c index f15425b8bd..8faafe43f1 100644 --- a/yass/third_party/mbedtls/library/nist_kw.c +++ b/yass/third_party/mbedtls/library/nist_kw.c @@ -102,6 +102,10 @@ int mbedtls_nist_kw_setkey(mbedtls_nist_kw_context *ctx, */ void mbedtls_nist_kw_free(mbedtls_nist_kw_context *ctx) { + if (ctx == NULL) { + return; + } + mbedtls_cipher_free(&ctx->cipher_ctx); mbedtls_platform_zeroize(ctx, sizeof(mbedtls_nist_kw_context)); } diff --git a/yass/third_party/mbedtls/library/pem.c b/yass/third_party/mbedtls/library/pem.c index 0fee5df43a..0207601456 100644 --- a/yass/third_party/mbedtls/library/pem.c +++ b/yass/third_party/mbedtls/library/pem.c @@ -481,6 +481,10 @@ int mbedtls_pem_read_buffer(mbedtls_pem_context *ctx, const char *header, const void mbedtls_pem_free(mbedtls_pem_context *ctx) { + if (ctx == NULL) { + return; + } + if (ctx->buf != NULL) { mbedtls_zeroize_and_free(ctx->buf, ctx->buflen); } diff --git a/yass/third_party/mbedtls/library/pk.c b/yass/third_party/mbedtls/library/pk.c index 097777f2c0..3fe51ea34f 100644 --- a/yass/third_party/mbedtls/library/pk.c +++ b/yass/third_party/mbedtls/library/pk.c @@ -868,7 +868,6 @@ static int copy_from_psa(mbedtls_svc_key_id_t key_id, psa_status_t status; psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; psa_key_type_t key_type; - psa_algorithm_t alg_type; size_t key_bits; /* Use a buffer size large enough to contain either a key pair or public key. */ unsigned char exp_key[PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE]; @@ -899,7 +898,6 @@ static int copy_from_psa(mbedtls_svc_key_id_t key_id, key_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(key_type); } key_bits = psa_get_key_bits(&key_attr); - alg_type = psa_get_key_algorithm(&key_attr); #if defined(MBEDTLS_RSA_C) if ((key_type == PSA_KEY_TYPE_RSA_KEY_PAIR) || @@ -919,6 +917,7 @@ static int copy_from_psa(mbedtls_svc_key_id_t key_id, goto exit; } + psa_algorithm_t alg_type = psa_get_key_algorithm(&key_attr); mbedtls_md_type_t md_type = MBEDTLS_MD_NONE; if (PSA_ALG_GET_HASH(alg_type) != PSA_ALG_ANY_HASH) { md_type = mbedtls_md_type_from_psa_alg(alg_type); @@ -968,6 +967,7 @@ static int copy_from_psa(mbedtls_svc_key_id_t key_id, } else #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ { + (void) key_bits; return MBEDTLS_ERR_PK_BAD_INPUT_DATA; } @@ -1327,43 +1327,19 @@ int mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type, } if (mbedtls_pk_get_type(ctx) == MBEDTLS_PK_OPAQUE) { - psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; - psa_algorithm_t psa_alg, sign_alg; -#if defined(MBEDTLS_PSA_CRYPTO_C) - psa_algorithm_t psa_enrollment_alg; -#endif /* MBEDTLS_PSA_CRYPTO_C */ psa_status_t status; - status = psa_get_key_attributes(ctx->priv_id, &key_attr); - if (status != PSA_SUCCESS) { - return PSA_PK_RSA_TO_MBEDTLS_ERR(status); - } - psa_alg = psa_get_key_algorithm(&key_attr); -#if defined(MBEDTLS_PSA_CRYPTO_C) - psa_enrollment_alg = psa_get_key_enrollment_algorithm(&key_attr); -#endif /* MBEDTLS_PSA_CRYPTO_C */ - psa_reset_key_attributes(&key_attr); - - /* Since we're PK type is MBEDTLS_PK_RSASSA_PSS at least one between - * alg and enrollment alg should be of type RSA_PSS. */ - if (PSA_ALG_IS_RSA_PSS(psa_alg)) { - sign_alg = psa_alg; - } -#if defined(MBEDTLS_PSA_CRYPTO_C) - else if (PSA_ALG_IS_RSA_PSS(psa_enrollment_alg)) { - sign_alg = psa_enrollment_alg; - } -#endif /* MBEDTLS_PSA_CRYPTO_C */ - else { - /* The opaque key has no RSA PSS algorithm associated. */ - return MBEDTLS_ERR_PK_BAD_INPUT_DATA; - } - /* Adjust the hashing algorithm. */ - sign_alg = (sign_alg & ~PSA_ALG_HASH_MASK) | PSA_ALG_GET_HASH(psa_md_alg); - - status = psa_sign_hash(ctx->priv_id, sign_alg, + /* PSA_ALG_RSA_PSS() behaves the same as PSA_ALG_RSA_PSS_ANY_SALT() when + * performing a signature, but they are encoded differently. Instead of + * extracting the proper one from the wrapped key policy, just try both. */ + status = psa_sign_hash(ctx->priv_id, PSA_ALG_RSA_PSS(psa_md_alg), hash, hash_len, sig, sig_size, sig_len); + if (status == PSA_ERROR_NOT_PERMITTED) { + status = psa_sign_hash(ctx->priv_id, PSA_ALG_RSA_PSS_ANY_SALT(psa_md_alg), + hash, hash_len, + sig, sig_size, sig_len); + } return PSA_PK_RSA_TO_MBEDTLS_ERR(status); } diff --git a/yass/third_party/mbedtls/library/platform_util.c b/yass/third_party/mbedtls/library/platform_util.c index 0741bf575e..19ef07aead 100644 --- a/yass/third_party/mbedtls/library/platform_util.c +++ b/yass/third_party/mbedtls/library/platform_util.c @@ -149,7 +149,7 @@ void mbedtls_zeroize_and_free(void *buf, size_t len) #include #if !defined(_WIN32) && (defined(unix) || \ defined(__unix) || defined(__unix__) || (defined(__APPLE__) && \ - defined(__MACH__)) || defined__midipix__) + defined(__MACH__)) || defined(__midipix__)) #include #endif /* !_WIN32 && (unix || __unix || __unix__ || * (__APPLE__ && __MACH__) || __midipix__) */ diff --git a/yass/third_party/mbedtls/library/psa_crypto.c b/yass/third_party/mbedtls/library/psa_crypto.c index 969c695ac0..c4f41db10b 100644 --- a/yass/third_party/mbedtls/library/psa_crypto.c +++ b/yass/third_party/mbedtls/library/psa_crypto.c @@ -1210,15 +1210,15 @@ psa_status_t psa_wipe_key_slot(psa_key_slot_t *slot) case PSA_SLOT_PENDING_DELETION: /* In this state psa_wipe_key_slot() must only be called if the * caller is the last reader. */ - if (slot->registered_readers != 1) { - MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->registered_readers == 1); + if (slot->var.occupied.registered_readers != 1) { + MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->var.occupied.registered_readers == 1); status = PSA_ERROR_CORRUPTION_DETECTED; } break; case PSA_SLOT_FILLING: /* In this state registered_readers must be 0. */ - if (slot->registered_readers != 0) { - MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->registered_readers == 0); + if (slot->var.occupied.registered_readers != 0) { + MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->var.occupied.registered_readers == 0); status = PSA_ERROR_CORRUPTION_DETECTED; } break; @@ -1232,6 +1232,11 @@ psa_status_t psa_wipe_key_slot(psa_key_slot_t *slot) status = PSA_ERROR_CORRUPTION_DETECTED; } +#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) + size_t slice_index = slot->slice_index; +#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ + + /* Multipart operations may still be using the key. This is safe * because all multipart operation objects are independent from * the key slot: if they need to access the key after the setup @@ -1242,6 +1247,17 @@ psa_status_t psa_wipe_key_slot(psa_key_slot_t *slot) * zeroize because the metadata is not particularly sensitive. * This memset also sets the slot's state to PSA_SLOT_EMPTY. */ memset(slot, 0, sizeof(*slot)); + +#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) + /* If the slot is already corrupted, something went deeply wrong, + * like a thread still using the slot or a stray pointer leading + * to the slot's memory being used for another object. Let the slot + * leak rather than make the corruption worse. */ + if (status == PSA_SUCCESS) { + status = psa_free_key_slot(slice_index, slot); + } +#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ + return status; } @@ -1753,8 +1769,6 @@ static psa_status_t psa_start_key_creation( psa_se_drv_table_entry_t **p_drv) { psa_status_t status; - psa_key_id_t volatile_key_id; - psa_key_slot_t *slot; (void) method; *p_drv = NULL; @@ -1764,11 +1778,16 @@ static psa_status_t psa_start_key_creation( return status; } + int key_is_volatile = PSA_KEY_LIFETIME_IS_VOLATILE(attributes->lifetime); + psa_key_id_t volatile_key_id; + #if defined(MBEDTLS_THREADING_C) PSA_THREADING_CHK_RET(mbedtls_mutex_lock( &mbedtls_threading_key_slot_mutex)); #endif - status = psa_reserve_free_key_slot(&volatile_key_id, p_slot); + status = psa_reserve_free_key_slot( + key_is_volatile ? &volatile_key_id : NULL, + p_slot); #if defined(MBEDTLS_THREADING_C) PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( &mbedtls_threading_key_slot_mutex)); @@ -1776,7 +1795,7 @@ static psa_status_t psa_start_key_creation( if (status != PSA_SUCCESS) { return status; } - slot = *p_slot; + psa_key_slot_t *slot = *p_slot; /* We're storing the declared bit-size of the key. It's up to each * creation mechanism to verify that this information is correct. @@ -1787,7 +1806,7 @@ static psa_status_t psa_start_key_creation( * definition. */ slot->attr = *attributes; - if (PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) { + if (key_is_volatile) { #if !defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) slot->attr.id = volatile_key_id; #else @@ -1835,6 +1854,9 @@ static psa_status_t psa_start_key_creation( status = psa_copy_key_material_into_slot( slot, (uint8_t *) (&slot_number), sizeof(slot_number)); + if (status != PSA_SUCCESS) { + return status; + } } if (*p_drv == NULL && method == PSA_KEY_CREATION_REGISTER) { @@ -2146,6 +2168,14 @@ psa_status_t mbedtls_psa_register_se_key( return PSA_ERROR_NOT_SUPPORTED; } + /* Not usable with volatile keys, even with an appropriate location, + * due to the API design. + * https://github.com/Mbed-TLS/mbedtls/issues/9253 + */ + if (PSA_KEY_LIFETIME_IS_VOLATILE(psa_get_key_lifetime(attributes))) { + return PSA_ERROR_INVALID_ARGUMENT; + } + status = psa_start_key_creation(PSA_KEY_CREATION_REGISTER, attributes, &slot, &driver); if (status != PSA_SUCCESS) { @@ -4628,11 +4658,7 @@ psa_status_t psa_cipher_decrypt(mbedtls_svc_key_id_t key, goto exit; } - if (alg == PSA_ALG_CCM_STAR_NO_TAG && - input_length < PSA_BLOCK_CIPHER_BLOCK_LENGTH(slot->attr.type)) { - status = PSA_ERROR_INVALID_ARGUMENT; - goto exit; - } else if (input_length < PSA_CIPHER_IV_LENGTH(slot->attr.type, alg)) { + if (input_length < PSA_CIPHER_IV_LENGTH(slot->attr.type, alg)) { status = PSA_ERROR_INVALID_ARGUMENT; goto exit; } @@ -5194,6 +5220,12 @@ psa_status_t psa_aead_update_ad(psa_aead_operation_t *operation, goto exit; } + /* No input to add (zero length), nothing to do. */ + if (input_length == 0) { + status = PSA_SUCCESS; + goto exit; + } + if (operation->lengths_set) { if (operation->ad_remaining < input_length) { status = PSA_ERROR_INVALID_ARGUMENT; @@ -6407,27 +6439,28 @@ exit: return status; } -static const psa_key_production_parameters_t default_production_parameters = - PSA_KEY_PRODUCTION_PARAMETERS_INIT; +static const psa_custom_key_parameters_t default_custom_production = + PSA_CUSTOM_KEY_PARAMETERS_INIT; -int psa_key_production_parameters_are_default( - const psa_key_production_parameters_t *params, - size_t params_data_length) +int psa_custom_key_parameters_are_default( + const psa_custom_key_parameters_t *custom, + size_t custom_data_length) { - if (params->flags != 0) { + if (custom->flags != 0) { return 0; } - if (params_data_length != 0) { + if (custom_data_length != 0) { return 0; } return 1; } -psa_status_t psa_key_derivation_output_key_ext( +psa_status_t psa_key_derivation_output_key_custom( const psa_key_attributes_t *attributes, psa_key_derivation_operation_t *operation, - const psa_key_production_parameters_t *params, - size_t params_data_length, + const psa_custom_key_parameters_t *custom, + const uint8_t *custom_data, + size_t custom_data_length, mbedtls_svc_key_id_t *key) { psa_status_t status; @@ -6442,7 +6475,8 @@ psa_status_t psa_key_derivation_output_key_ext( return PSA_ERROR_INVALID_ARGUMENT; } - if (!psa_key_production_parameters_are_default(params, params_data_length)) { + (void) custom_data; /* We only accept 0-length data */ + if (!psa_custom_key_parameters_are_default(custom, custom_data_length)) { return PSA_ERROR_INVALID_ARGUMENT; } @@ -6477,14 +6511,29 @@ psa_status_t psa_key_derivation_output_key_ext( return status; } +psa_status_t psa_key_derivation_output_key_ext( + const psa_key_attributes_t *attributes, + psa_key_derivation_operation_t *operation, + const psa_key_production_parameters_t *params, + size_t params_data_length, + mbedtls_svc_key_id_t *key) +{ + return psa_key_derivation_output_key_custom( + attributes, operation, + (const psa_custom_key_parameters_t *) params, + params->data, params_data_length, + key); +} + psa_status_t psa_key_derivation_output_key( const psa_key_attributes_t *attributes, psa_key_derivation_operation_t *operation, mbedtls_svc_key_id_t *key) { - return psa_key_derivation_output_key_ext(attributes, operation, - &default_production_parameters, 0, - key); + return psa_key_derivation_output_key_custom(attributes, operation, + &default_custom_production, + NULL, 0, + key); } @@ -7858,15 +7907,18 @@ static psa_status_t psa_validate_key_type_and_size_for_key_generation( psa_status_t psa_generate_key_internal( const psa_key_attributes_t *attributes, - const psa_key_production_parameters_t *params, size_t params_data_length, + const psa_custom_key_parameters_t *custom, + const uint8_t *custom_data, + size_t custom_data_length, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_type_t type = attributes->type; /* Only used for RSA */ - (void) params; - (void) params_data_length; + (void) custom; + (void) custom_data; + (void) custom_data_length; if (key_type_is_raw_bytes(type)) { status = psa_generate_random_internal(key_buffer, key_buffer_size); @@ -7884,7 +7936,7 @@ psa_status_t psa_generate_key_internal( #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE) if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) { return mbedtls_psa_rsa_generate_key(attributes, - params, params_data_length, + custom_data, custom_data_length, key_buffer, key_buffer_size, key_buffer_length); @@ -7916,10 +7968,11 @@ psa_status_t psa_generate_key_internal( return PSA_SUCCESS; } -psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, - const psa_key_production_parameters_t *params, - size_t params_data_length, - mbedtls_svc_key_id_t *key) +psa_status_t psa_generate_key_custom(const psa_key_attributes_t *attributes, + const psa_custom_key_parameters_t *custom, + const uint8_t *custom_data, + size_t custom_data_length, + mbedtls_svc_key_id_t *key) { psa_status_t status; psa_key_slot_t *slot = NULL; @@ -7941,12 +7994,12 @@ psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) if (attributes->type == PSA_KEY_TYPE_RSA_KEY_PAIR) { - if (params->flags != 0) { + if (custom->flags != 0) { return PSA_ERROR_INVALID_ARGUMENT; } } else #endif - if (!psa_key_production_parameters_are_default(params, params_data_length)) { + if (!psa_custom_key_parameters_are_default(custom, custom_data_length)) { return PSA_ERROR_INVALID_ARGUMENT; } @@ -7987,7 +8040,8 @@ psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, } status = psa_driver_wrapper_generate_key(attributes, - params, params_data_length, + custom, + custom_data, custom_data_length, slot->key.data, slot->key.bytes, &slot->key.bytes); if (status != PSA_SUCCESS) { @@ -8005,12 +8059,25 @@ exit: return status; } +psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, + const psa_key_production_parameters_t *params, + size_t params_data_length, + mbedtls_svc_key_id_t *key) +{ + return psa_generate_key_custom( + attributes, + (const psa_custom_key_parameters_t *) params, + params->data, params_data_length, + key); +} + psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, mbedtls_svc_key_id_t *key) { - return psa_generate_key_ext(attributes, - &default_production_parameters, 0, - key); + return psa_generate_key_custom(attributes, + &default_custom_production, + NULL, 0, + key); } /****************************************************************/ diff --git a/yass/third_party/mbedtls/library/psa_crypto_cipher.c b/yass/third_party/mbedtls/library/psa_crypto_cipher.c index 881d673cc0..3216c94898 100644 --- a/yass/third_party/mbedtls/library/psa_crypto_cipher.c +++ b/yass/third_party/mbedtls/library/psa_crypto_cipher.c @@ -263,7 +263,7 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( { mbedtls_cipher_mode_t mode; psa_status_t status; - mbedtls_cipher_id_t cipher_id_tmp; + mbedtls_cipher_id_t cipher_id_tmp = MBEDTLS_CIPHER_ID_NONE; status = mbedtls_cipher_values_from_psa(alg, key_type, &key_bits, &mode, &cipher_id_tmp); if (status != PSA_SUCCESS) { diff --git a/yass/third_party/mbedtls/library/psa_crypto_core.h b/yass/third_party/mbedtls/library/psa_crypto_core.h index 9462d2e8be..21e7559f01 100644 --- a/yass/third_party/mbedtls/library/psa_crypto_core.h +++ b/yass/third_party/mbedtls/library/psa_crypto_core.h @@ -59,6 +59,8 @@ typedef enum { * and metadata for one key. */ typedef struct { + /* This field is accessed in a lot of places. Putting it first + * reduces the code size. */ psa_key_attributes_t attr; /* @@ -78,35 +80,77 @@ typedef struct { * slots that are in a suitable state for the function. * For example, psa_get_and_lock_key_slot_in_memory, which finds a slot * containing a given key ID, will only check slots whose state variable is - * PSA_SLOT_FULL. */ + * PSA_SLOT_FULL. + */ psa_key_slot_state_t state; - /* - * Number of functions registered as reading the material in the key slot. +#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) + /* The index of the slice containing this slot. + * This field must be filled if the slot contains a key + * (including keys being created or destroyed), and can be either + * filled or 0 when the slot is free. * - * Library functions must not write directly to registered_readers - * - * A function must call psa_register_read(slot) before reading the current - * contents of the slot for an operation. - * They then must call psa_unregister_read(slot) once they have finished - * reading the current contents of the slot. If the key slot mutex is not - * held (when mutexes are enabled), this call must be done via a call to - * psa_unregister_read_under_mutex(slot). - * A function must call psa_key_slot_has_readers(slot) to check if - * the slot is in use for reading. - * - * This counter is used to prevent resetting the key slot while the library - * may access it. For example, such control is needed in the following - * scenarios: - * . In case of key slot starvation, all key slots contain the description - * of a key, and the library asks for the description of a persistent - * key not present in the key slots, the key slots currently accessed by - * the library cannot be reclaimed to free a key slot to load the - * persistent key. - * . In case of a multi-threaded application where one thread asks to close - * or purge or destroy a key while it is in use by the library through - * another thread. */ - size_t registered_readers; + * In most cases, the slice index can be deduced from the key identifer. + * We keep it in a separate field for robustness (it reduces the chance + * that a coding mistake in the key store will result in accessing the + * wrong slice), and also so that it's available even on code paths + * during creation or destruction where the key identifier might not be + * filled in. + * */ + uint8_t slice_index; +#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ + + union { + struct { + /* The index of the next slot in the free list for this + * slice, relative * to the next array element. + * + * That is, 0 means the next slot, 1 means the next slot + * but one, etc. -1 would mean the slot itself. -2 means + * the previous slot, etc. + * + * If this is beyond the array length, the free list ends with the + * current element. + * + * The reason for this strange encoding is that 0 means the next + * element. This way, when we allocate a slice and initialize it + * to all-zero, the slice is ready for use, with a free list that + * consists of all the slots in order. + */ + int32_t next_free_relative_to_next; + } free; + + struct { + /* + * Number of functions registered as reading the material in the key slot. + * + * Library functions must not write directly to registered_readers + * + * A function must call psa_register_read(slot) before reading + * the current contents of the slot for an operation. + * They then must call psa_unregister_read(slot) once they have + * finished reading the current contents of the slot. If the key + * slot mutex is not held (when mutexes are enabled), this call + * must be done via a call to + * psa_unregister_read_under_mutex(slot). + * A function must call psa_key_slot_has_readers(slot) to check if + * the slot is in use for reading. + * + * This counter is used to prevent resetting the key slot while + * the library may access it. For example, such control is needed + * in the following scenarios: + * . In case of key slot starvation, all key slots contain the + * description of a key, and the library asks for the + * description of a persistent key not present in the + * key slots, the key slots currently accessed by the + * library cannot be reclaimed to free a key slot to load + * the persistent key. + * . In case of a multi-threaded application where one thread + * asks to close or purge or destroy a key while it is in use + * by the library through another thread. */ + size_t registered_readers; + } occupied; + } var; /* Dynamically allocated key data buffer. * Format as specified in psa_export_key(). */ @@ -169,7 +213,7 @@ typedef struct { */ static inline int psa_key_slot_has_readers(const psa_key_slot_t *slot) { - return slot->registered_readers > 0; + return slot->var.occupied.registered_readers > 0; } #if defined(MBEDTLS_PSA_CRYPTO_SE_C) @@ -343,17 +387,18 @@ psa_status_t psa_export_public_key_internal( const uint8_t *key_buffer, size_t key_buffer_size, uint8_t *data, size_t data_size, size_t *data_length); -/** Whether a key production parameters structure is the default. +/** Whether a key custom production parameters structure is the default. * - * Calls to a key generation driver with non-default production parameters + * Calls to a key generation driver with non-default custom production parameters * require a driver supporting custom production parameters. * - * \param[in] params The key production parameters to check. - * \param params_data_length Size of `params->data` in bytes. + * \param[in] custom The key custom production parameters to check. + * \param custom_data_length Size of the associated variable-length data + * in bytes. */ -int psa_key_production_parameters_are_default( - const psa_key_production_parameters_t *params, - size_t params_data_length); +int psa_custom_key_parameters_are_default( + const psa_custom_key_parameters_t *custom, + size_t custom_data_length); /** * \brief Generate a key. @@ -362,9 +407,9 @@ int psa_key_production_parameters_are_default( * entry point. * * \param[in] attributes The attributes for the key to generate. - * \param[in] params The production parameters from - * psa_generate_key_ext(). - * \param params_data_length The size of `params->data` in bytes. + * \param[in] custom Custom parameters for the key generation. + * \param[in] custom_data Variable-length data associated with \c custom. + * \param custom_data_length Length of `custom_data` in bytes. * \param[out] key_buffer Buffer where the key data is to be written. * \param[in] key_buffer_size Size of \p key_buffer in bytes. * \param[out] key_buffer_length On success, the number of bytes written in @@ -379,8 +424,9 @@ int psa_key_production_parameters_are_default( * The size of \p key_buffer is too small. */ psa_status_t psa_generate_key_internal(const psa_key_attributes_t *attributes, - const psa_key_production_parameters_t *params, - size_t params_data_length, + const psa_custom_key_parameters_t *custom, + const uint8_t *custom_data, + size_t custom_data_length, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length); diff --git a/yass/third_party/mbedtls/library/psa_crypto_driver_wrappers.h b/yass/third_party/mbedtls/library/psa_crypto_driver_wrappers.h index ea6aee32eb..b901557208 100644 --- a/yass/third_party/mbedtls/library/psa_crypto_driver_wrappers.h +++ b/yass/third_party/mbedtls/library/psa_crypto_driver_wrappers.h @@ -730,7 +730,8 @@ static inline psa_status_t psa_driver_wrapper_get_key_buffer_size_from_key_data( static inline psa_status_t psa_driver_wrapper_generate_key( const psa_key_attributes_t *attributes, - const psa_key_production_parameters_t *params, size_t params_data_length, + const psa_custom_key_parameters_t *custom, + const uint8_t *custom_data, size_t custom_data_length, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length ) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; @@ -739,7 +740,7 @@ static inline psa_status_t psa_driver_wrapper_generate_key( #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) int is_default_production = - psa_key_production_parameters_are_default(params, params_data_length); + psa_custom_key_parameters_are_default(custom, custom_data_length); if( location != PSA_KEY_LOCATION_LOCAL_STORAGE && !is_default_production ) { /* We don't support passing custom production parameters @@ -810,7 +811,7 @@ static inline psa_status_t psa_driver_wrapper_generate_key( /* Software fallback */ status = psa_generate_key_internal( - attributes, params, params_data_length, + attributes, custom, custom_data, custom_data_length, key_buffer, key_buffer_size, key_buffer_length ); break; diff --git a/yass/third_party/mbedtls/library/psa_crypto_random_impl.h b/yass/third_party/mbedtls/library/psa_crypto_random_impl.h index 533fb2e940..5b5163111b 100644 --- a/yass/third_party/mbedtls/library/psa_crypto_random_impl.h +++ b/yass/third_party/mbedtls/library/psa_crypto_random_impl.h @@ -21,13 +21,10 @@ typedef mbedtls_psa_external_random_context_t mbedtls_psa_random_context_t; #include "mbedtls/entropy.h" /* Choose a DRBG based on configuration and availability */ -#if defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE) - -#include "mbedtls/hmac_drbg.h" - -#elif defined(MBEDTLS_CTR_DRBG_C) +#if defined(MBEDTLS_CTR_DRBG_C) #include "mbedtls/ctr_drbg.h" +#undef MBEDTLS_PSA_HMAC_DRBG_MD_TYPE #elif defined(MBEDTLS_HMAC_DRBG_C) @@ -49,17 +46,11 @@ typedef mbedtls_psa_external_random_context_t mbedtls_psa_random_context_t; #error "No hash algorithm available for HMAC_DBRG." #endif -#else /* !MBEDTLS_PSA_HMAC_DRBG_MD_TYPE && !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/ +#else /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/ #error "No DRBG module available for the psa_crypto module." -#endif /* !MBEDTLS_PSA_HMAC_DRBG_MD_TYPE && !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/ - -#if defined(MBEDTLS_CTR_DRBG_C) -#include "mbedtls/ctr_drbg.h" -#elif defined(MBEDTLS_HMAC_DRBG_C) -#include "mbedtls/hmac_drbg.h" -#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C */ +#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/ /* The maximum number of bytes that mbedtls_psa_get_random() is expected to return. */ #if defined(MBEDTLS_CTR_DRBG_C) diff --git a/yass/third_party/mbedtls/library/psa_crypto_rsa.c b/yass/third_party/mbedtls/library/psa_crypto_rsa.c index 2f613b32da..38dc3b8edc 100644 --- a/yass/third_party/mbedtls/library/psa_crypto_rsa.c +++ b/yass/third_party/mbedtls/library/psa_crypto_rsa.c @@ -197,16 +197,14 @@ psa_status_t mbedtls_psa_rsa_export_public_key( status = mbedtls_psa_rsa_load_representation( attributes->type, key_buffer, key_buffer_size, &rsa); - if (status != PSA_SUCCESS) { - return status; + if (status == PSA_SUCCESS) { + status = mbedtls_psa_rsa_export_key(PSA_KEY_TYPE_RSA_PUBLIC_KEY, + rsa, + data, + data_size, + data_length); } - status = mbedtls_psa_rsa_export_key(PSA_KEY_TYPE_RSA_PUBLIC_KEY, - rsa, - data, - data_size, - data_length); - mbedtls_rsa_free(rsa); mbedtls_free(rsa); @@ -241,7 +239,7 @@ static psa_status_t psa_rsa_read_exponent(const uint8_t *e_bytes, psa_status_t mbedtls_psa_rsa_generate_key( const psa_key_attributes_t *attributes, - const psa_key_production_parameters_t *params, size_t params_data_length, + const uint8_t *custom_data, size_t custom_data_length, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length) { psa_status_t status; @@ -249,8 +247,8 @@ psa_status_t mbedtls_psa_rsa_generate_key( int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int exponent = 65537; - if (params_data_length != 0) { - status = psa_rsa_read_exponent(params->data, params_data_length, + if (custom_data_length != 0) { + status = psa_rsa_read_exponent(custom_data, custom_data_length, &exponent); if (status != PSA_SUCCESS) { return status; @@ -264,6 +262,7 @@ psa_status_t mbedtls_psa_rsa_generate_key( (unsigned int) attributes->bits, exponent); if (ret != 0) { + mbedtls_rsa_free(&rsa); return mbedtls_to_psa_error(ret); } @@ -330,7 +329,7 @@ psa_status_t mbedtls_psa_rsa_sign_hash( key_buffer_size, &rsa); if (status != PSA_SUCCESS) { - return status; + goto exit; } status = psa_rsa_decode_md_type(alg, hash_length, &md_alg); diff --git a/yass/third_party/mbedtls/library/psa_crypto_rsa.h b/yass/third_party/mbedtls/library/psa_crypto_rsa.h index ffeef26be1..1a780006a9 100644 --- a/yass/third_party/mbedtls/library/psa_crypto_rsa.h +++ b/yass/third_party/mbedtls/library/psa_crypto_rsa.h @@ -105,17 +105,11 @@ psa_status_t mbedtls_psa_rsa_export_public_key( /** * \brief Generate an RSA key. * - * \note The signature of the function is that of a PSA driver generate_key - * entry point. - * * \param[in] attributes The attributes for the RSA key to generate. - * \param[in] params Production parameters for the key - * generation. This function only uses - * `params->data`, - * which contains the public exponent. + * \param[in] custom_data The public exponent to use. * This can be a null pointer if * \c params_data_length is 0. - * \param params_data_length Length of `params->data` in bytes. + * \param custom_data_length Length of \p custom_data in bytes. * This can be 0, in which case the * public exponent will be 65537. * \param[out] key_buffer Buffer where the key data is to be written. @@ -132,7 +126,7 @@ psa_status_t mbedtls_psa_rsa_export_public_key( */ psa_status_t mbedtls_psa_rsa_generate_key( const psa_key_attributes_t *attributes, - const psa_key_production_parameters_t *params, size_t params_data_length, + const uint8_t *custom_data, size_t custom_data_length, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length); /** Sign an already-calculated hash with an RSA private key. diff --git a/yass/third_party/mbedtls/library/psa_crypto_slot_management.c b/yass/third_party/mbedtls/library/psa_crypto_slot_management.c index b184ed08c9..9850d8c750 100644 --- a/yass/third_party/mbedtls/library/psa_crypto_slot_management.c +++ b/yass/third_party/mbedtls/library/psa_crypto_slot_management.c @@ -27,8 +27,166 @@ #include "mbedtls/threading.h" #endif + + +/* Make sure we have distinct ranges of key identifiers for distinct + * purposes. */ +MBEDTLS_STATIC_ASSERT(PSA_KEY_ID_USER_MIN < PSA_KEY_ID_USER_MAX, + "Empty user key ID range"); +MBEDTLS_STATIC_ASSERT(PSA_KEY_ID_VENDOR_MIN < PSA_KEY_ID_VENDOR_MAX, + "Empty vendor key ID range"); +MBEDTLS_STATIC_ASSERT(MBEDTLS_PSA_KEY_ID_BUILTIN_MIN < MBEDTLS_PSA_KEY_ID_BUILTIN_MAX, + "Empty builtin key ID range"); +MBEDTLS_STATIC_ASSERT(PSA_KEY_ID_VOLATILE_MIN < PSA_KEY_ID_VOLATILE_MAX, + "Empty volatile key ID range"); + +MBEDTLS_STATIC_ASSERT(PSA_KEY_ID_USER_MAX < PSA_KEY_ID_VENDOR_MIN || + PSA_KEY_ID_VENDOR_MAX < PSA_KEY_ID_USER_MIN, + "Overlap between user key IDs and vendor key IDs"); + +MBEDTLS_STATIC_ASSERT(PSA_KEY_ID_VENDOR_MIN <= MBEDTLS_PSA_KEY_ID_BUILTIN_MIN && + MBEDTLS_PSA_KEY_ID_BUILTIN_MAX <= PSA_KEY_ID_VENDOR_MAX, + "Builtin key identifiers are not in the vendor range"); + +MBEDTLS_STATIC_ASSERT(PSA_KEY_ID_VENDOR_MIN <= PSA_KEY_ID_VOLATILE_MIN && + PSA_KEY_ID_VOLATILE_MAX <= PSA_KEY_ID_VENDOR_MAX, + "Volatile key identifiers are not in the vendor range"); + +MBEDTLS_STATIC_ASSERT(PSA_KEY_ID_VOLATILE_MAX < MBEDTLS_PSA_KEY_ID_BUILTIN_MIN || + MBEDTLS_PSA_KEY_ID_BUILTIN_MAX < PSA_KEY_ID_VOLATILE_MIN, + "Overlap between builtin key IDs and volatile key IDs"); + + + +#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) + +/* Dynamic key store. + * + * The key store consists of multiple slices. + * + * The volatile keys are stored in variable-sized tables called slices. + * Slices are allocated on demand and deallocated when possible. + * The size of slices increases exponentially, so the average overhead + * (number of slots that are allocated but not used) is roughly + * proportional to the number of keys (with a factor that grows + * when the key store is fragmented). + * + * One slice is dedicated to the cache of persistent and built-in keys. + * For simplicity, they are separated from volatile keys. This cache + * slice has a fixed size and has the slice index KEY_SLOT_CACHE_SLICE_INDEX, + * located after the slices for volatile keys. + */ + +/* Size of the last slice containing the cache of persistent and built-in keys. */ +#define PERSISTENT_KEY_CACHE_COUNT MBEDTLS_PSA_KEY_SLOT_COUNT + +/* Volatile keys are stored in slices 0 through + * (KEY_SLOT_VOLATILE_SLICE_COUNT - 1) inclusive. + * Each slice is twice the size of the previous slice. + * Volatile key identifiers encode the slice number as follows: + * bits 30..31: 0b10 (mandated by the PSA Crypto specification). + * bits 25..29: slice index (0...KEY_SLOT_VOLATILE_SLICE_COUNT-1) + * bits 0..24: slot index in slice + */ +#define KEY_ID_SLOT_INDEX_WIDTH 25u +#define KEY_ID_SLICE_INDEX_WIDTH 5u + +#define KEY_SLOT_VOLATILE_SLICE_BASE_LENGTH 16u +#define KEY_SLOT_VOLATILE_SLICE_COUNT 22u +#define KEY_SLICE_COUNT (KEY_SLOT_VOLATILE_SLICE_COUNT + 1u) +#define KEY_SLOT_CACHE_SLICE_INDEX KEY_SLOT_VOLATILE_SLICE_COUNT + + +/* Check that the length of the largest slice (calculated as + * KEY_SLICE_LENGTH_MAX below) does not overflow size_t. We use + * an indirect method in case the calculation of KEY_SLICE_LENGTH_MAX + * itself overflows uintmax_t: if (BASE_LENGTH << c) + * overflows size_t then BASE_LENGTH > SIZE_MAX >> c. + */ +#if (KEY_SLOT_VOLATILE_SLICE_BASE_LENGTH > \ + SIZE_MAX >> (KEY_SLOT_VOLATILE_SLICE_COUNT - 1)) +#error "Maximum slice length overflows size_t" +#endif + +#if KEY_ID_SLICE_INDEX_WIDTH + KEY_ID_SLOT_INDEX_WIDTH > 30 +#error "Not enough room in volatile key IDs for slice index and slot index" +#endif +#if KEY_SLOT_VOLATILE_SLICE_COUNT > (1 << KEY_ID_SLICE_INDEX_WIDTH) +#error "Too many slices to fit the slice index in a volatile key ID" +#endif +#define KEY_SLICE_LENGTH_MAX \ + (KEY_SLOT_VOLATILE_SLICE_BASE_LENGTH << (KEY_SLOT_VOLATILE_SLICE_COUNT - 1)) +#if KEY_SLICE_LENGTH_MAX > 1 << KEY_ID_SLOT_INDEX_WIDTH +#error "Not enough room in volatile key IDs for a slot index in the largest slice" +#endif +#if KEY_ID_SLICE_INDEX_WIDTH > 8 +#error "Slice index does not fit in uint8_t for psa_key_slot_t::slice_index" +#endif + + +/* Calculate the volatile key id to use for a given slot. + * This function assumes valid parameter values. */ +static psa_key_id_t volatile_key_id_of_index(size_t slice_idx, + size_t slot_idx) +{ + /* We assert above that the slice and slot indexes fit in separate + * bit-fields inside psa_key_id_t, which is a 32-bit type per the + * PSA Cryptography specification. */ + return (psa_key_id_t) (0x40000000u | + (slice_idx << KEY_ID_SLOT_INDEX_WIDTH) | + slot_idx); +} + +/* Calculate the slice containing the given volatile key. + * This function assumes valid parameter values. */ +static size_t slice_index_of_volatile_key_id(psa_key_id_t key_id) +{ + size_t mask = (1LU << KEY_ID_SLICE_INDEX_WIDTH) - 1; + return (key_id >> KEY_ID_SLOT_INDEX_WIDTH) & mask; +} + +/* Calculate the index of the slot containing the given volatile key. + * This function assumes valid parameter values. */ +static size_t slot_index_of_volatile_key_id(psa_key_id_t key_id) +{ + return key_id & ((1LU << KEY_ID_SLOT_INDEX_WIDTH) - 1); +} + +/* In global_data.first_free_slot_index, use this special value to + * indicate that the slice is full. */ +#define FREE_SLOT_INDEX_NONE ((size_t) -1) + +#if defined(MBEDTLS_TEST_HOOKS) +size_t psa_key_slot_volatile_slice_count(void) +{ + return KEY_SLOT_VOLATILE_SLICE_COUNT; +} +#endif + +#else /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ + +/* Static key store. + * + * All the keys (volatile or persistent) are in a single slice. + * We only use slices as a concept to allow some differences between + * static and dynamic key store management to be buried in auxiliary + * functions. + */ + +#define PERSISTENT_KEY_CACHE_COUNT MBEDTLS_PSA_KEY_SLOT_COUNT +#define KEY_SLICE_COUNT 1u +#define KEY_SLOT_CACHE_SLICE_INDEX 0 + +#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ + + typedef struct { +#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) + psa_key_slot_t *key_slices[KEY_SLICE_COUNT]; + size_t first_free_slot_index[KEY_SLOT_VOLATILE_SLICE_COUNT]; +#else /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ psa_key_slot_t key_slots[MBEDTLS_PSA_KEY_SLOT_COUNT]; +#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ uint8_t key_slots_initialized; } psa_global_data_t; @@ -51,6 +209,125 @@ static uint8_t psa_get_key_slots_initialized(void) return initialized; } + + +/** The length of the given slice in the key slot table. + * + * \param slice_idx The slice number. It must satisfy + * 0 <= slice_idx < KEY_SLICE_COUNT. + * + * \return The number of elements in the given slice. + */ +static inline size_t key_slice_length(size_t slice_idx); + +/** Get a pointer to the slot where the given volatile key is located. + * + * \param key_id The key identifier. It must be a valid volatile key + * identifier. + * \return A pointer to the only slot that the given key + * can be in. Note that the slot may be empty or + * contain a different key. + */ +static inline psa_key_slot_t *get_volatile_key_slot(psa_key_id_t key_id); + +/** Get a pointer to an entry in the persistent key cache. + * + * \param slot_idx The index in the table. It must satisfy + * 0 <= slot_idx < PERSISTENT_KEY_CACHE_COUNT. + * \return A pointer to the slot containing the given + * persistent key cache entry. + */ +static inline psa_key_slot_t *get_persistent_key_slot(size_t slot_idx); + +/** Get a pointer to a slot given by slice and index. + * + * \param slice_idx The slice number. It must satisfy + * 0 <= slice_idx < KEY_SLICE_COUNT. + * \param slot_idx An index in the given slice. It must satisfy + * 0 <= slot_idx < key_slice_length(slice_idx). + * + * \return A pointer to the given slot. + */ +static inline psa_key_slot_t *get_key_slot(size_t slice_idx, size_t slot_idx); + +#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) + +#if defined(MBEDTLS_TEST_HOOKS) +size_t (*mbedtls_test_hook_psa_volatile_key_slice_length)(size_t slice_idx) = NULL; +#endif + +static inline size_t key_slice_length(size_t slice_idx) +{ + if (slice_idx == KEY_SLOT_CACHE_SLICE_INDEX) { + return PERSISTENT_KEY_CACHE_COUNT; + } else { +#if defined(MBEDTLS_TEST_HOOKS) + if (mbedtls_test_hook_psa_volatile_key_slice_length != NULL) { + return mbedtls_test_hook_psa_volatile_key_slice_length(slice_idx); + } +#endif + return KEY_SLOT_VOLATILE_SLICE_BASE_LENGTH << slice_idx; + } +} + +static inline psa_key_slot_t *get_volatile_key_slot(psa_key_id_t key_id) +{ + size_t slice_idx = slice_index_of_volatile_key_id(key_id); + if (slice_idx >= KEY_SLOT_VOLATILE_SLICE_COUNT) { + return NULL; + } + size_t slot_idx = slot_index_of_volatile_key_id(key_id); + if (slot_idx >= key_slice_length(slice_idx)) { + return NULL; + } + psa_key_slot_t *slice = global_data.key_slices[slice_idx]; + if (slice == NULL) { + return NULL; + } + return &slice[slot_idx]; +} + +static inline psa_key_slot_t *get_persistent_key_slot(size_t slot_idx) +{ + return &global_data.key_slices[KEY_SLOT_CACHE_SLICE_INDEX][slot_idx]; +} + +static inline psa_key_slot_t *get_key_slot(size_t slice_idx, size_t slot_idx) +{ + return &global_data.key_slices[slice_idx][slot_idx]; +} + +#else /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ + +static inline size_t key_slice_length(size_t slice_idx) +{ + (void) slice_idx; + return ARRAY_LENGTH(global_data.key_slots); +} + +static inline psa_key_slot_t *get_volatile_key_slot(psa_key_id_t key_id) +{ + MBEDTLS_STATIC_ASSERT(ARRAY_LENGTH(global_data.key_slots) <= + PSA_KEY_ID_VOLATILE_MAX - PSA_KEY_ID_VOLATILE_MIN + 1, + "The key slot array is larger than the volatile key ID range"); + return &global_data.key_slots[key_id - PSA_KEY_ID_VOLATILE_MIN]; +} + +static inline psa_key_slot_t *get_persistent_key_slot(size_t slot_idx) +{ + return &global_data.key_slots[slot_idx]; +} + +static inline psa_key_slot_t *get_key_slot(size_t slice_idx, size_t slot_idx) +{ + (void) slice_idx; + return &global_data.key_slots[slot_idx]; +} + +#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ + + + int psa_is_valid_key_id(mbedtls_svc_key_id_t key, int vendor_ok) { psa_key_id_t key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key); @@ -112,12 +389,13 @@ static psa_status_t psa_get_and_lock_key_slot_in_memory( psa_key_slot_t *slot = NULL; if (psa_key_id_is_volatile(key_id)) { - slot = &global_data.key_slots[key_id - PSA_KEY_ID_VOLATILE_MIN]; + slot = get_volatile_key_slot(key_id); /* Check if both the PSA key identifier key_id and the owner * identifier of key match those of the key slot. */ - if ((slot->state == PSA_SLOT_FULL) && - (mbedtls_svc_key_id_equal(key, slot->attr.id))) { + if (slot != NULL && + slot->state == PSA_SLOT_FULL && + mbedtls_svc_key_id_equal(key, slot->attr.id)) { status = PSA_SUCCESS; } else { status = PSA_ERROR_DOES_NOT_EXIST; @@ -127,8 +405,8 @@ static psa_status_t psa_get_and_lock_key_slot_in_memory( return PSA_ERROR_INVALID_HANDLE; } - for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) { - slot = &global_data.key_slots[slot_idx]; + for (slot_idx = 0; slot_idx < PERSISTENT_KEY_CACHE_COUNT; slot_idx++) { + slot = get_persistent_key_slot(slot_idx); /* Only consider slots which are in a full state. */ if ((slot->state == PSA_SLOT_FULL) && (mbedtls_svc_key_id_equal(key, slot->attr.id))) { @@ -151,29 +429,169 @@ static psa_status_t psa_get_and_lock_key_slot_in_memory( psa_status_t psa_initialize_key_slots(void) { +#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) + global_data.key_slices[KEY_SLOT_CACHE_SLICE_INDEX] = + mbedtls_calloc(PERSISTENT_KEY_CACHE_COUNT, + sizeof(*global_data.key_slices[KEY_SLOT_CACHE_SLICE_INDEX])); + if (global_data.key_slices[KEY_SLOT_CACHE_SLICE_INDEX] == NULL) { + return PSA_ERROR_INSUFFICIENT_MEMORY; + } +#else /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ /* Nothing to do: program startup and psa_wipe_all_key_slots() both * guarantee that the key slots are initialized to all-zero, which * means that all the key slots are in a valid, empty state. The global * data mutex is already held when calling this function, so no need to * lock it here, to set the flag. */ +#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ + global_data.key_slots_initialized = 1; return PSA_SUCCESS; } void psa_wipe_all_key_slots(void) { - size_t slot_idx; - - for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) { - psa_key_slot_t *slot = &global_data.key_slots[slot_idx]; - slot->registered_readers = 1; - slot->state = PSA_SLOT_PENDING_DELETION; - (void) psa_wipe_key_slot(slot); + for (size_t slice_idx = 0; slice_idx < KEY_SLICE_COUNT; slice_idx++) { +#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) + if (global_data.key_slices[slice_idx] == NULL) { + continue; + } +#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ + for (size_t slot_idx = 0; slot_idx < key_slice_length(slice_idx); slot_idx++) { + psa_key_slot_t *slot = get_key_slot(slice_idx, slot_idx); +#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) + /* When MBEDTLS_PSA_KEY_STORE_DYNAMIC is disabled, calling + * psa_wipe_key_slot() on an unused slot is useless, but it + * happens to work (because we flip the state to PENDING_DELETION). + * + * When MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled, + * psa_wipe_key_slot() needs to have a valid slice_index + * field, but that value might not be correct in a + * free slot, so we must not call it. + * + * Bypass the call to psa_wipe_key_slot() if the slot is empty, + * but only if MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled, to save + * a few bytes of code size otherwise. + */ + if (slot->state == PSA_SLOT_EMPTY) { + continue; + } +#endif + slot->var.occupied.registered_readers = 1; + slot->state = PSA_SLOT_PENDING_DELETION; + (void) psa_wipe_key_slot(slot); + } +#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) + mbedtls_free(global_data.key_slices[slice_idx]); + global_data.key_slices[slice_idx] = NULL; +#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ } + +#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) + for (size_t slice_idx = 0; slice_idx < KEY_SLOT_VOLATILE_SLICE_COUNT; slice_idx++) { + global_data.first_free_slot_index[slice_idx] = 0; + } +#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ + /* The global data mutex is already held when calling this function. */ global_data.key_slots_initialized = 0; } +#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) + +static psa_status_t psa_allocate_volatile_key_slot(psa_key_id_t *key_id, + psa_key_slot_t **p_slot) +{ + size_t slice_idx; + for (slice_idx = 0; slice_idx < KEY_SLOT_VOLATILE_SLICE_COUNT; slice_idx++) { + if (global_data.first_free_slot_index[slice_idx] != FREE_SLOT_INDEX_NONE) { + break; + } + } + if (slice_idx == KEY_SLOT_VOLATILE_SLICE_COUNT) { + return PSA_ERROR_INSUFFICIENT_MEMORY; + } + + if (global_data.key_slices[slice_idx] == NULL) { + global_data.key_slices[slice_idx] = + mbedtls_calloc(key_slice_length(slice_idx), + sizeof(psa_key_slot_t)); + if (global_data.key_slices[slice_idx] == NULL) { + return PSA_ERROR_INSUFFICIENT_MEMORY; + } + } + psa_key_slot_t *slice = global_data.key_slices[slice_idx]; + + size_t slot_idx = global_data.first_free_slot_index[slice_idx]; + *key_id = volatile_key_id_of_index(slice_idx, slot_idx); + + psa_key_slot_t *slot = &slice[slot_idx]; + size_t next_free = slot_idx + 1 + slot->var.free.next_free_relative_to_next; + if (next_free >= key_slice_length(slice_idx)) { + next_free = FREE_SLOT_INDEX_NONE; + } + global_data.first_free_slot_index[slice_idx] = next_free; + /* The .next_free field is not meaningful when the slot is not free, + * so give it the same content as freshly initialized memory. */ + slot->var.free.next_free_relative_to_next = 0; + + psa_status_t status = psa_key_slot_state_transition(slot, + PSA_SLOT_EMPTY, + PSA_SLOT_FILLING); + if (status != PSA_SUCCESS) { + /* The only reason for failure is if the slot state was not empty. + * This indicates that something has gone horribly wrong. + * In this case, we leave the slot out of the free list, and stop + * modifying it. This minimizes any further corruption. The slot + * is a memory leak, but that's a lesser evil. */ + return status; + } + + *p_slot = slot; + /* We assert at compile time that the slice index fits in uint8_t. */ + slot->slice_index = (uint8_t) slice_idx; + return PSA_SUCCESS; +} + +psa_status_t psa_free_key_slot(size_t slice_idx, + psa_key_slot_t *slot) +{ + + if (slice_idx == KEY_SLOT_CACHE_SLICE_INDEX) { + /* This is a cache entry. We don't maintain a free list, so + * there's nothing to do. */ + return PSA_SUCCESS; + } + if (slice_idx >= KEY_SLOT_VOLATILE_SLICE_COUNT) { + return PSA_ERROR_CORRUPTION_DETECTED; + } + + psa_key_slot_t *slice = global_data.key_slices[slice_idx]; + psa_key_slot_t *slice_end = slice + key_slice_length(slice_idx); + if (slot < slice || slot >= slice_end) { + /* The slot isn't actually in the slice! We can't detect that + * condition for sure, because the pointer comparison itself is + * undefined behavior in that case. That same condition makes the + * subtraction to calculate the slot index also UB. + * Give up now to avoid causing further corruption. + */ + return PSA_ERROR_CORRUPTION_DETECTED; + } + size_t slot_idx = slot - slice; + + size_t next_free = global_data.first_free_slot_index[slice_idx]; + if (next_free >= key_slice_length(slice_idx)) { + /* The slot was full. The newly freed slot thus becomes the + * end of the free list. */ + next_free = key_slice_length(slice_idx); + } + global_data.first_free_slot_index[slice_idx] = slot_idx; + slot->var.free.next_free_relative_to_next = + (int32_t) next_free - (int32_t) slot_idx - 1; + + return PSA_SUCCESS; +} +#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ + psa_status_t psa_reserve_free_key_slot(psa_key_id_t *volatile_key_id, psa_key_slot_t **p_slot) { @@ -186,9 +604,19 @@ psa_status_t psa_reserve_free_key_slot(psa_key_id_t *volatile_key_id, goto error; } +#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) + if (volatile_key_id != NULL) { + return psa_allocate_volatile_key_slot(volatile_key_id, p_slot); + } +#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ + + /* With a dynamic key store, allocate an entry in the cache slice, + * applicable only to non-volatile keys that get cached in RAM. + * With a static key store, allocate an entry in the sole slice, + * applicable to all keys. */ selected_slot = unused_persistent_key_slot = NULL; - for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) { - psa_key_slot_t *slot = &global_data.key_slots[slot_idx]; + for (slot_idx = 0; slot_idx < PERSISTENT_KEY_CACHE_COUNT; slot_idx++) { + psa_key_slot_t *slot = get_key_slot(KEY_SLOT_CACHE_SLICE_INDEX, slot_idx); if (slot->state == PSA_SLOT_EMPTY) { selected_slot = slot; break; @@ -226,8 +654,18 @@ psa_status_t psa_reserve_free_key_slot(psa_key_id_t *volatile_key_id, goto error; } - *volatile_key_id = PSA_KEY_ID_VOLATILE_MIN + - ((psa_key_id_t) (selected_slot - global_data.key_slots)); +#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) + selected_slot->slice_index = KEY_SLOT_CACHE_SLICE_INDEX; +#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ + +#if !defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) + if (volatile_key_id != NULL) { + /* Refresh slot_idx, for when the slot is not the original + * selected_slot but rather unused_persistent_key_slot. */ + slot_idx = selected_slot - global_data.key_slots; + *volatile_key_id = PSA_KEY_ID_VOLATILE_MIN + slot_idx; + } +#endif *p_slot = selected_slot; return PSA_SUCCESS; @@ -236,7 +674,6 @@ psa_status_t psa_reserve_free_key_slot(psa_key_id_t *volatile_key_id, error: *p_slot = NULL; - *volatile_key_id = 0; return status; } @@ -395,9 +832,8 @@ psa_status_t psa_get_and_lock_key_slot(mbedtls_svc_key_id_t key, /* Loading keys from storage requires support for such a mechanism */ #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) || \ defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS) - psa_key_id_t volatile_key_id; - status = psa_reserve_free_key_slot(&volatile_key_id, p_slot); + status = psa_reserve_free_key_slot(NULL, p_slot); if (status != PSA_SUCCESS) { #if defined(MBEDTLS_THREADING_C) PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( @@ -424,6 +860,8 @@ psa_status_t psa_get_and_lock_key_slot(mbedtls_svc_key_id_t key, if (status != PSA_SUCCESS) { psa_wipe_key_slot(*p_slot); + /* If the key does not exist, we need to return + * PSA_ERROR_INVALID_HANDLE. */ if (status == PSA_ERROR_DOES_NOT_EXIST) { status = PSA_ERROR_INVALID_HANDLE; } @@ -440,6 +878,9 @@ psa_status_t psa_get_and_lock_key_slot(mbedtls_svc_key_id_t key, status = PSA_ERROR_INVALID_HANDLE; #endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */ + if (status != PSA_SUCCESS) { + *p_slot = NULL; + } #if defined(MBEDTLS_THREADING_C) PSA_THREADING_CHK_RET(mbedtls_mutex_unlock( &mbedtls_threading_key_slot_mutex)); @@ -460,12 +901,12 @@ psa_status_t psa_unregister_read(psa_key_slot_t *slot) /* If we are the last reader and the slot is marked for deletion, * we must wipe the slot here. */ if ((slot->state == PSA_SLOT_PENDING_DELETION) && - (slot->registered_readers == 1)) { + (slot->var.occupied.registered_readers == 1)) { return psa_wipe_key_slot(slot); } if (psa_key_slot_has_readers(slot)) { - slot->registered_readers--; + slot->var.occupied.registered_readers--; return PSA_SUCCESS; } @@ -599,7 +1040,7 @@ psa_status_t psa_close_key(psa_key_handle_t handle) return status; } - if (slot->registered_readers == 1) { + if (slot->var.occupied.registered_readers == 1) { status = psa_wipe_key_slot(slot); } else { status = psa_unregister_read(slot); @@ -634,7 +1075,7 @@ psa_status_t psa_purge_key(mbedtls_svc_key_id_t key) } if ((!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) && - (slot->registered_readers == 1)) { + (slot->var.occupied.registered_readers == 1)) { status = psa_wipe_key_slot(slot); } else { status = psa_unregister_read(slot); @@ -649,34 +1090,39 @@ psa_status_t psa_purge_key(mbedtls_svc_key_id_t key) void mbedtls_psa_get_stats(mbedtls_psa_stats_t *stats) { - size_t slot_idx; - memset(stats, 0, sizeof(*stats)); - for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) { - const psa_key_slot_t *slot = &global_data.key_slots[slot_idx]; - if (psa_key_slot_has_readers(slot)) { - ++stats->locked_slots; - } - if (slot->state == PSA_SLOT_EMPTY) { - ++stats->empty_slots; + for (size_t slice_idx = 0; slice_idx < KEY_SLICE_COUNT; slice_idx++) { +#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) + if (global_data.key_slices[slice_idx] == NULL) { continue; } - if (PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) { - ++stats->volatile_slots; - } else { - psa_key_id_t id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(slot->attr.id); - ++stats->persistent_slots; - if (id > stats->max_open_internal_key_id) { - stats->max_open_internal_key_id = id; +#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ + for (size_t slot_idx = 0; slot_idx < key_slice_length(slice_idx); slot_idx++) { + const psa_key_slot_t *slot = get_key_slot(slice_idx, slot_idx); + if (slot->state == PSA_SLOT_EMPTY) { + ++stats->empty_slots; + continue; } - } - if (PSA_KEY_LIFETIME_GET_LOCATION(slot->attr.lifetime) != - PSA_KEY_LOCATION_LOCAL_STORAGE) { - psa_key_id_t id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(slot->attr.id); - ++stats->external_slots; - if (id > stats->max_open_external_key_id) { - stats->max_open_external_key_id = id; + if (psa_key_slot_has_readers(slot)) { + ++stats->locked_slots; + } + if (PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) { + ++stats->volatile_slots; + } else { + psa_key_id_t id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(slot->attr.id); + ++stats->persistent_slots; + if (id > stats->max_open_internal_key_id) { + stats->max_open_internal_key_id = id; + } + } + if (PSA_KEY_LIFETIME_GET_LOCATION(slot->attr.lifetime) != + PSA_KEY_LOCATION_LOCAL_STORAGE) { + psa_key_id_t id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(slot->attr.id); + ++stats->external_slots; + if (id > stats->max_open_external_key_id) { + stats->max_open_external_key_id = id; + } } } } diff --git a/yass/third_party/mbedtls/library/psa_crypto_slot_management.h b/yass/third_party/mbedtls/library/psa_crypto_slot_management.h index bcfc9d8adc..af1208e3ae 100644 --- a/yass/third_party/mbedtls/library/psa_crypto_slot_management.h +++ b/yass/third_party/mbedtls/library/psa_crypto_slot_management.h @@ -15,20 +15,26 @@ /** Range of volatile key identifiers. * - * The last #MBEDTLS_PSA_KEY_SLOT_COUNT identifiers of the implementation + * The first #MBEDTLS_PSA_KEY_SLOT_COUNT identifiers of the implementation * range of key identifiers are reserved for volatile key identifiers. - * A volatile key identifier is equal to #PSA_KEY_ID_VOLATILE_MIN plus the - * index of the key slot containing the volatile key definition. + * + * If \c id is a a volatile key identifier, #PSA_KEY_ID_VOLATILE_MIN - \c id + * indicates the key slot containing the volatile key definition. See + * psa_crypto_slot_management.c for details. */ /** The minimum value for a volatile key identifier. */ -#define PSA_KEY_ID_VOLATILE_MIN (PSA_KEY_ID_VENDOR_MAX - \ - MBEDTLS_PSA_KEY_SLOT_COUNT + 1) +#define PSA_KEY_ID_VOLATILE_MIN PSA_KEY_ID_VENDOR_MIN /** The maximum value for a volatile key identifier. */ -#define PSA_KEY_ID_VOLATILE_MAX PSA_KEY_ID_VENDOR_MAX +#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) +#define PSA_KEY_ID_VOLATILE_MAX (MBEDTLS_PSA_KEY_ID_BUILTIN_MIN - 1) +#else /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ +#define PSA_KEY_ID_VOLATILE_MAX \ + (PSA_KEY_ID_VOLATILE_MIN + MBEDTLS_PSA_KEY_SLOT_COUNT - 1) +#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ /** Test whether a key identifier is a volatile key identifier. * @@ -58,6 +64,9 @@ static inline int psa_key_id_is_volatile(psa_key_id_t key_id) * It is the responsibility of the caller to call psa_unregister_read(slot) * when they have finished reading the contents of the slot. * + * On failure, `*p_slot` is set to NULL. This ensures that it is always valid + * to call psa_unregister_read on the returned slot. + * * \param key Key identifier to query. * \param[out] p_slot On success, `*p_slot` contains a pointer to the * key slot containing the description of the key @@ -91,6 +100,24 @@ psa_status_t psa_get_and_lock_key_slot(mbedtls_svc_key_id_t key, */ psa_status_t psa_initialize_key_slots(void); +#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) +/* Allow test code to customize the key slice length. We use this in tests + * that exhaust the key store to reach a full key store in reasonable time + * and memory. + * + * The length of each slice must be between 1 and + * (1 << KEY_ID_SLOT_INDEX_WIDTH) inclusive. + * + * The length for a given slice index must not change while + * the key store is initialized. + */ +extern size_t (*mbedtls_test_hook_psa_volatile_key_slice_length)( + size_t slice_idx); + +/* The number of volatile key slices. */ +size_t psa_key_slot_volatile_slice_count(void); +#endif + /** Delete all data from key slots in memory. * This function is not thread safe, it wipes every key slot regardless of * state and reader count. It should only be called when no slot is in use. @@ -110,13 +137,22 @@ void psa_wipe_all_key_slots(void); * If multi-threading is enabled, the caller must hold the * global key slot mutex. * - * \param[out] volatile_key_id On success, volatile key identifier - * associated to the returned slot. + * \param[out] volatile_key_id - If null, reserve a cache slot for + * a persistent or built-in key. + * - If non-null, allocate a slot for + * a volatile key. On success, + * \p *volatile_key_id is the + * identifier corresponding to the + * returned slot. It is the caller's + * responsibility to set this key identifier + * in the attributes. * \param[out] p_slot On success, a pointer to the slot. * * \retval #PSA_SUCCESS \emptydescription * \retval #PSA_ERROR_INSUFFICIENT_MEMORY * There were no free key slots. + * When #MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled, there was not + * enough memory to allocate more slots. * \retval #PSA_ERROR_BAD_STATE \emptydescription * \retval #PSA_ERROR_CORRUPTION_DETECTED * This function attempted to operate on a key slot which was in an @@ -125,6 +161,29 @@ void psa_wipe_all_key_slots(void); psa_status_t psa_reserve_free_key_slot(psa_key_id_t *volatile_key_id, psa_key_slot_t **p_slot); +#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) +/** Return a key slot to the free list. + * + * Call this function when a slot obtained from psa_reserve_free_key_slot() + * is no longer in use. + * + * If multi-threading is enabled, the caller must hold the + * global key slot mutex. + * + * \param slice_idx The slice containing the slot. + * This is `slot->slice_index` when the slot + * is obtained from psa_reserve_free_key_slot(). + * \param slot The key slot. + * + * \retval #PSA_SUCCESS \emptydescription + * \retval #PSA_ERROR_CORRUPTION_DETECTED + * This function attempted to operate on a key slot which was in an + * unexpected state. + */ +psa_status_t psa_free_key_slot(size_t slice_idx, + psa_key_slot_t *slot); +#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ + /** Change the state of a key slot. * * This function changes the state of the key slot from expected_state to @@ -171,10 +230,10 @@ static inline psa_status_t psa_key_slot_state_transition( static inline psa_status_t psa_register_read(psa_key_slot_t *slot) { if ((slot->state != PSA_SLOT_FULL) || - (slot->registered_readers >= SIZE_MAX)) { + (slot->var.occupied.registered_readers >= SIZE_MAX)) { return PSA_ERROR_CORRUPTION_DETECTED; } - slot->registered_readers++; + slot->var.occupied.registered_readers++; return PSA_SUCCESS; } diff --git a/yass/third_party/mbedtls/library/psa_util.c b/yass/third_party/mbedtls/library/psa_util.c index 4ccc5b05d8..679d00ea9b 100644 --- a/yass/third_party/mbedtls/library/psa_util.c +++ b/yass/third_party/mbedtls/library/psa_util.c @@ -443,6 +443,9 @@ int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_l if (raw_len != (2 * coordinate_len)) { return MBEDTLS_ERR_ASN1_INVALID_DATA; } + if (coordinate_len > sizeof(r)) { + return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; + } /* Since raw and der buffers might overlap, dump r and s before starting * the conversion. */ @@ -561,6 +564,9 @@ int mbedtls_ecdsa_der_to_raw(size_t bits, const unsigned char *der, size_t der_l if (raw_size < coordinate_size * 2) { return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; } + if (2 * coordinate_size > sizeof(raw_tmp)) { + return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; + } /* Check that the provided input DER buffer has the right header. */ ret = mbedtls_asn1_get_tag(&p, der + der_len, &data_len, diff --git a/yass/third_party/mbedtls/library/rsa.c b/yass/third_party/mbedtls/library/rsa.c index 7eb4a259ea..557faaf363 100644 --- a/yass/third_party/mbedtls/library/rsa.c +++ b/yass/third_party/mbedtls/library/rsa.c @@ -29,6 +29,7 @@ #include "mbedtls/rsa.h" #include "bignum_core.h" +#include "bignum_internal.h" #include "rsa_alt_helpers.h" #include "rsa_internal.h" #include "mbedtls/oid.h" @@ -1259,7 +1260,7 @@ int mbedtls_rsa_public(mbedtls_rsa_context *ctx, } olen = ctx->len; - MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, &ctx->E, &ctx->N, &ctx->RN)); + MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod_unsafe(&T, &T, &ctx->E, &ctx->N, &ctx->RN)); MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen)); cleanup: diff --git a/yass/third_party/mbedtls/library/sha256.c b/yass/third_party/mbedtls/library/sha256.c index e1ae238124..159acccaeb 100644 --- a/yass/third_party/mbedtls/library/sha256.c +++ b/yass/third_party/mbedtls/library/sha256.c @@ -44,7 +44,7 @@ #endif /* defined(__clang__) && (__clang_major__ >= 4) */ /* Ensure that SIG_SETMASK is defined when -std=c99 is used. */ -#ifndef _GNU_SOURCE +#if !defined(_GNU_SOURCE) #define _GNU_SOURCE #endif @@ -152,7 +152,9 @@ static int mbedtls_a64_crypto_sha256_determine_support(void) return 1; } #elif defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64) +#ifndef WIN32_LEAN_AND_MEAN #define WIN32_LEAN_AND_MEAN +#endif #include #include diff --git a/yass/third_party/mbedtls/library/ssl_cookie.c b/yass/third_party/mbedtls/library/ssl_cookie.c index 2772cac4be..acc9e8c080 100644 --- a/yass/third_party/mbedtls/library/ssl_cookie.c +++ b/yass/third_party/mbedtls/library/ssl_cookie.c @@ -84,6 +84,10 @@ void mbedtls_ssl_cookie_set_timeout(mbedtls_ssl_cookie_ctx *ctx, unsigned long d void mbedtls_ssl_cookie_free(mbedtls_ssl_cookie_ctx *ctx) { + if (ctx == NULL) { + return; + } + #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_destroy_key(ctx->psa_hmac_key); #else diff --git a/yass/third_party/mbedtls/library/ssl_debug_helpers_generated.c b/yass/third_party/mbedtls/library/ssl_debug_helpers_generated.c index f8b4448c86..734c417b8b 100644 --- a/yass/third_party/mbedtls/library/ssl_debug_helpers_generated.c +++ b/yass/third_party/mbedtls/library/ssl_debug_helpers_generated.c @@ -60,7 +60,7 @@ const char *mbedtls_ssl_named_group_to_str( uint16_t in ) return "ffdhe8192"; }; - return "UNKOWN"; + return "UNKNOWN"; } const char *mbedtls_ssl_sig_alg_to_str( uint16_t in ) { diff --git a/yass/third_party/mbedtls/library/ssl_misc.h b/yass/third_party/mbedtls/library/ssl_misc.h index a8807f67c6..98668798a8 100644 --- a/yass/third_party/mbedtls/library/ssl_misc.h +++ b/yass/third_party/mbedtls/library/ssl_misc.h @@ -1507,7 +1507,7 @@ int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) -#if defined(MBEDTLS_SSL_CLI_C) +#if defined(MBEDTLS_SSL_CLI_C) || defined(MBEDTLS_SSL_SRV_C) MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf); #endif @@ -1674,18 +1674,53 @@ static inline mbedtls_x509_crt *mbedtls_ssl_own_cert(mbedtls_ssl_context *ssl) } /* - * Check usage of a certificate wrt extensions: - * keyUsage, extendedKeyUsage (later), and nSCertType (later). + * Verify a certificate. * - * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we - * check a cert we received from them)! + * [in/out] ssl: misc. things read + * ssl->session_negotiate->verify_result updated + * [in] authmode: one of MBEDTLS_SSL_VERIFY_{NONE,OPTIONAL,REQUIRED} + * [in] chain: the certificate chain to verify (ie the peer's chain) + * [in] ciphersuite_info: For TLS 1.2, this session's ciphersuite; + * for TLS 1.3, may be left NULL. + * [in] rs_ctx: restart context if restartable ECC is in use; + * leave NULL for no restartable behaviour. + * + * Return: + * - 0 if the handshake should continue. Depending on the + * authmode it means: + * - REQUIRED: the certificate was found to be valid, trusted & acceptable. + * ssl->session_negotiate->verify_result is 0. + * - OPTIONAL: the certificate may or may not be acceptable, but + * ssl->session_negotiate->verify_result was updated with the result. + * - NONE: the certificate wasn't even checked. + * - MBEDTLS_ERR_X509_CERT_VERIFY_FAILED or MBEDTLS_ERR_SSL_BAD_CERTIFICATE if + * the certificate was found to be invalid/untrusted/unacceptable and the + * handshake should be aborted (can only happen with REQUIRED). + * - another error code if another error happened (out-of-memory, etc.) + */ +MBEDTLS_CHECK_RETURN_CRITICAL +int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl, + int authmode, + mbedtls_x509_crt *chain, + const mbedtls_ssl_ciphersuite_t *ciphersuite_info, + void *rs_ctx); + +/* + * Check usage of a certificate wrt usage extensions: + * keyUsage and extendedKeyUsage. + * (Note: nSCertType is deprecated and not standard, we don't check it.) + * + * Note: if tls_version is 1.3, ciphersuite is ignored and can be NULL. + * + * Note: recv_endpoint is the receiver's endpoint. * * Return 0 if everything is OK, -1 if not. */ MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert, const mbedtls_ssl_ciphersuite_t *ciphersuite, - int cert_endpoint, + int recv_endpoint, + mbedtls_ssl_protocol_version tls_version, uint32_t *flags); #endif /* MBEDTLS_X509_CRT_PARSE_C */ @@ -1891,6 +1926,26 @@ static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13(const mbedtls_ssl_confi #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_PROTO_TLS1_3) + +/** \brief Initialize the PSA crypto subsystem if necessary. + * + * Call this function before doing any cryptography in a TLS 1.3 handshake. + * + * This is necessary in Mbed TLS 3.x for backward compatibility. + * Up to Mbed TLS 3.5, in the default configuration, you could perform + * a TLS connection with default parameters without having called + * psa_crypto_init(), since the TLS layer only supported TLS 1.2 and + * did not use PSA crypto. (TLS 1.2 only uses PSA crypto if + * MBEDTLS_USE_PSA_CRYPTO is enabled, which is not the case in the default + * configuration.) Starting with Mbed TLS 3.6.0, TLS 1.3 is enabled + * by default, and the TLS 1.3 layer uses PSA crypto. This means that + * applications that are not otherwise using PSA crypto and that worked + * with Mbed TLS 3.5 started failing in TLS 3.6.0 if they connected to + * a peer that supports TLS 1.3. See + * https://github.com/Mbed-TLS/mbedtls/issues/9072 + */ +int mbedtls_ssl_tls13_crypto_init(mbedtls_ssl_context *ssl); + extern const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[ MBEDTLS_SERVER_HELLO_RANDOM_LEN]; MBEDTLS_CHECK_RETURN_CRITICAL @@ -2914,8 +2969,37 @@ static inline void mbedtls_ssl_tls13_session_clear_ticket_flags( { session->ticket_flags &= ~(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); } + #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) +#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT 0 +#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT 1 + +#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK \ + (1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT) +#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK \ + (1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT) + +static inline int mbedtls_ssl_conf_get_session_tickets( + const mbedtls_ssl_config *conf) +{ + return conf->session_tickets & MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK ? + MBEDTLS_SSL_SESSION_TICKETS_ENABLED : + MBEDTLS_SSL_SESSION_TICKETS_DISABLED; +} + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) +static inline int mbedtls_ssl_conf_is_signal_new_session_tickets_enabled( + const mbedtls_ssl_config *conf) +{ + return conf->session_tickets & MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK ? + MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED : + MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED; +} +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ +#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ + #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3) int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl); #endif diff --git a/yass/third_party/mbedtls/library/ssl_msg.c b/yass/third_party/mbedtls/library/ssl_msg.c index b07cd96f1b..ef722d7bdc 100644 --- a/yass/third_party/mbedtls/library/ssl_msg.c +++ b/yass/third_party/mbedtls/library/ssl_msg.c @@ -5570,9 +5570,9 @@ static int ssl_check_ctr_renegotiate(mbedtls_ssl_context *ssl) #if defined(MBEDTLS_SSL_PROTO_TLS1_3) -#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) +#if defined(MBEDTLS_SSL_CLI_C) MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls13_check_new_session_ticket(mbedtls_ssl_context *ssl) +static int ssl_tls13_is_new_session_ticket(mbedtls_ssl_context *ssl) { if ((ssl->in_hslen == mbedtls_ssl_hs_hdr_len(ssl)) || @@ -5580,15 +5580,9 @@ static int ssl_tls13_check_new_session_ticket(mbedtls_ssl_context *ssl) return 0; } - ssl->keep_current_message = 1; - - MBEDTLS_SSL_DEBUG_MSG(3, ("NewSessionTicket received")); - mbedtls_ssl_handshake_set_state(ssl, - MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET); - - return MBEDTLS_ERR_SSL_WANT_READ; + return 1; } -#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ +#endif /* MBEDTLS_SSL_CLI_C */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_handle_hs_message_post_handshake(mbedtls_ssl_context *ssl) @@ -5596,14 +5590,29 @@ static int ssl_tls13_handle_hs_message_post_handshake(mbedtls_ssl_context *ssl) MBEDTLS_SSL_DEBUG_MSG(3, ("received post-handshake message")); -#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) +#if defined(MBEDTLS_SSL_CLI_C) if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { - int ret = ssl_tls13_check_new_session_ticket(ssl); - if (ret != 0) { - return ret; + if (ssl_tls13_is_new_session_ticket(ssl)) { +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + MBEDTLS_SSL_DEBUG_MSG(3, ("NewSessionTicket received")); + if (mbedtls_ssl_conf_is_signal_new_session_tickets_enabled(ssl->conf) == + MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED) { + ssl->keep_current_message = 1; + + mbedtls_ssl_handshake_set_state(ssl, + MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET); + return MBEDTLS_ERR_SSL_WANT_READ; + } else { + MBEDTLS_SSL_DEBUG_MSG(3, ("Ignoring NewSessionTicket, handling disabled.")); + return 0; + } +#else + MBEDTLS_SSL_DEBUG_MSG(3, ("Ignoring NewSessionTicket, not supported.")); + return 0; +#endif } } -#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ +#endif /* MBEDTLS_SSL_CLI_C */ /* Fail in all other cases. */ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; diff --git a/yass/third_party/mbedtls/library/ssl_ticket.c b/yass/third_party/mbedtls/library/ssl_ticket.c index 6a31b0bee6..bfb656cf62 100644 --- a/yass/third_party/mbedtls/library/ssl_ticket.c +++ b/yass/third_party/mbedtls/library/ssl_ticket.c @@ -534,6 +534,10 @@ cleanup: */ void mbedtls_ssl_ticket_free(mbedtls_ssl_ticket_context *ctx) { + if (ctx == NULL) { + return; + } + #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_destroy_key(ctx->keys[0].key); psa_destroy_key(ctx->keys[1].key); diff --git a/yass/third_party/mbedtls/library/ssl_tls.c b/yass/third_party/mbedtls/library/ssl_tls.c index c5e06491c1..c773365bf6 100644 --- a/yass/third_party/mbedtls/library/ssl_tls.c +++ b/yass/third_party/mbedtls/library/ssl_tls.c @@ -132,7 +132,7 @@ int mbedtls_ssl_set_cid(mbedtls_ssl_context *ssl, int mbedtls_ssl_get_own_cid(mbedtls_ssl_context *ssl, int *enabled, - unsigned char own_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX], + unsigned char own_cid[MBEDTLS_SSL_CID_IN_LEN_MAX], size_t *own_cid_len) { *enabled = MBEDTLS_SSL_CID_DISABLED; @@ -1354,29 +1354,6 @@ static int ssl_conf_check(const mbedtls_ssl_context *ssl) return ret; } -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) - /* RFC 8446 section 4.4.3 - * - * If the verification fails, the receiver MUST terminate the handshake with - * a "decrypt_error" alert. - * - * If the client is configured as TLS 1.3 only with optional verify, return - * bad config. - * - */ - if (mbedtls_ssl_conf_tls13_is_ephemeral_enabled( - (mbedtls_ssl_context *) ssl) && - ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && - ssl->conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 && - ssl->conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 && - ssl->conf->authmode == MBEDTLS_SSL_VERIFY_OPTIONAL) { - MBEDTLS_SSL_DEBUG_MSG( - 1, ("Optional verify auth mode " - "is not available for TLS 1.3 client")); - return MBEDTLS_ERR_SSL_BAD_CONFIG; - } -#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ - if (ssl->conf->f_rng == NULL) { MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided")); return MBEDTLS_ERR_SSL_NO_RNG; @@ -1760,6 +1737,7 @@ int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session #if defined(MBEDTLS_SSL_PROTO_TLS1_3) if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { +#if defined(MBEDTLS_SSL_SESSION_TICKETS) const mbedtls_ssl_ciphersuite_t *ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(session->ciphersuite); @@ -1770,6 +1748,14 @@ int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session session->ciphersuite)); return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } +#else + /* + * If session tickets are not enabled, it is not possible to resume a + * TLS 1.3 session, thus do not make any change to the SSL context in + * the first place. + */ + return 0; +#endif } #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ @@ -2234,6 +2220,7 @@ static void ssl_remove_psk(mbedtls_ssl_context *ssl) mbedtls_zeroize_and_free(ssl->handshake->psk, ssl->handshake->psk_len); ssl->handshake->psk_len = 0; + ssl->handshake->psk = NULL; } #endif /* MBEDTLS_USE_PSA_CRYPTO */ } @@ -2999,11 +2986,24 @@ void mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config *conf, #if defined(MBEDTLS_SSL_SESSION_TICKETS) #if defined(MBEDTLS_SSL_CLI_C) + void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets) { - conf->session_tickets = use_tickets; + conf->session_tickets &= ~MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK; + conf->session_tickets |= (use_tickets != 0) << + MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT; } -#endif + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) +void mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets( + mbedtls_ssl_config *conf, int signal_new_session_tickets) +{ + conf->session_tickets &= ~MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK; + conf->session_tickets |= (signal_new_session_tickets != 0) << + MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT; +} +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ +#endif /* MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_SSL_SRV_C) @@ -4049,7 +4049,7 @@ static int ssl_tls13_session_save(const mbedtls_ssl_session *session, } static int ssl_tls13_session_load(const mbedtls_ssl_session *session, - unsigned char *buf, + const unsigned char *buf, size_t buf_len) { ((void) session); @@ -5868,7 +5868,33 @@ int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf, if (endpoint == MBEDTLS_SSL_IS_CLIENT) { conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED; #if defined(MBEDTLS_SSL_SESSION_TICKETS) - conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED; + mbedtls_ssl_conf_session_tickets(conf, MBEDTLS_SSL_SESSION_TICKETS_ENABLED); +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + /* Contrary to TLS 1.2 tickets, TLS 1.3 NewSessionTicket message + * handling is disabled by default in Mbed TLS 3.6.x for backward + * compatibility with client applications developed using Mbed TLS 3.5 + * or earlier with the default configuration. + * + * Up to Mbed TLS 3.5, in the default configuration TLS 1.3 was + * disabled, and a Mbed TLS client with the default configuration would + * establish a TLS 1.2 connection with a TLS 1.2 and TLS 1.3 capable + * server. + * + * Starting with Mbed TLS 3.6.0, TLS 1.3 is enabled by default, and thus + * an Mbed TLS client with the default configuration establishes a + * TLS 1.3 connection with a TLS 1.2 and TLS 1.3 capable server. If + * following the handshake the TLS 1.3 server sends NewSessionTicket + * messages and the Mbed TLS client processes them, this results in + * Mbed TLS high level APIs (mbedtls_ssl_read(), + * mbedtls_ssl_handshake(), ...) to eventually return an + * #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET non fatal error code + * (see the documentation of mbedtls_ssl_read() for more information on + * that error code). Applications unaware of that TLS 1.3 specific non + * fatal error code are then failing. + */ + mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets( + conf, MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED); +#endif #endif } #endif @@ -6030,6 +6056,10 @@ int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf, */ void mbedtls_ssl_config_free(mbedtls_ssl_config *conf) { + if (conf == NULL) { + return; + } + #if defined(MBEDTLS_DHM_C) mbedtls_mpi_free(&conf->dhm_P); mbedtls_mpi_free(&conf->dhm_G); @@ -6344,71 +6374,6 @@ const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id) } #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) -int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert, - const mbedtls_ssl_ciphersuite_t *ciphersuite, - int cert_endpoint, - uint32_t *flags) -{ - int ret = 0; - unsigned int usage = 0; - const char *ext_oid; - size_t ext_len; - - if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) { - /* Server part of the key exchange */ - switch (ciphersuite->key_exchange) { - case MBEDTLS_KEY_EXCHANGE_RSA: - case MBEDTLS_KEY_EXCHANGE_RSA_PSK: - usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT; - break; - - case MBEDTLS_KEY_EXCHANGE_DHE_RSA: - case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: - case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: - usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; - break; - - case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: - case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: - usage = MBEDTLS_X509_KU_KEY_AGREEMENT; - break; - - /* Don't use default: we want warnings when adding new values */ - case MBEDTLS_KEY_EXCHANGE_NONE: - case MBEDTLS_KEY_EXCHANGE_PSK: - case MBEDTLS_KEY_EXCHANGE_DHE_PSK: - case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: - case MBEDTLS_KEY_EXCHANGE_ECJPAKE: - usage = 0; - } - } else { - /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */ - usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; - } - - if (mbedtls_x509_crt_check_key_usage(cert, usage) != 0) { - *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE; - ret = -1; - } - - if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) { - ext_oid = MBEDTLS_OID_SERVER_AUTH; - ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH); - } else { - ext_oid = MBEDTLS_OID_CLIENT_AUTH; - ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH); - } - - if (mbedtls_x509_crt_check_extended_key_usage(cert, ext_oid, ext_len) != 0) { - *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE; - ret = -1; - } - - return ret; -} -#endif /* MBEDTLS_X509_CRT_PARSE_C */ - #if defined(MBEDTLS_USE_PSA_CRYPTO) int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl, const mbedtls_md_type_t md, @@ -7927,196 +7892,6 @@ static int ssl_parse_certificate_coordinate(mbedtls_ssl_context *ssl, return SSL_CERTIFICATE_EXPECTED; } -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl, - int authmode, - mbedtls_x509_crt *chain, - void *rs_ctx) -{ - int ret = 0; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info = - ssl->handshake->ciphersuite_info; - int have_ca_chain = 0; - - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *); - void *p_vrfy; - - if (authmode == MBEDTLS_SSL_VERIFY_NONE) { - return 0; - } - - if (ssl->f_vrfy != NULL) { - MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback")); - f_vrfy = ssl->f_vrfy; - p_vrfy = ssl->p_vrfy; - } else { - MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback")); - f_vrfy = ssl->conf->f_vrfy; - p_vrfy = ssl->conf->p_vrfy; - } - - /* - * Main check: verify certificate - */ -#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) - if (ssl->conf->f_ca_cb != NULL) { - ((void) rs_ctx); - have_ca_chain = 1; - - MBEDTLS_SSL_DEBUG_MSG(3, ("use CA callback for X.509 CRT verification")); - ret = mbedtls_x509_crt_verify_with_ca_cb( - chain, - ssl->conf->f_ca_cb, - ssl->conf->p_ca_cb, - ssl->conf->cert_profile, - ssl->hostname, - &ssl->session_negotiate->verify_result, - f_vrfy, p_vrfy); - } else -#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ - { - mbedtls_x509_crt *ca_chain; - mbedtls_x509_crl *ca_crl; - -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - if (ssl->handshake->sni_ca_chain != NULL) { - ca_chain = ssl->handshake->sni_ca_chain; - ca_crl = ssl->handshake->sni_ca_crl; - } else -#endif - { - ca_chain = ssl->conf->ca_chain; - ca_crl = ssl->conf->ca_crl; - } - - if (ca_chain != NULL) { - have_ca_chain = 1; - } - - ret = mbedtls_x509_crt_verify_restartable( - chain, - ca_chain, ca_crl, - ssl->conf->cert_profile, - ssl->hostname, - &ssl->session_negotiate->verify_result, - f_vrfy, p_vrfy, rs_ctx); - } - - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret); - } - -#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) - if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { - return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; - } -#endif - - /* - * Secondary checks: always done, but change 'ret' only if it was 0 - */ - -#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) - { - const mbedtls_pk_context *pk = &chain->pk; - - /* If certificate uses an EC key, make sure the curve is OK. - * This is a public key, so it can't be opaque, so can_do() is a good - * enough check to ensure pk_ec() is safe to use here. */ - if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) { - /* and in the unlikely case the above assumption no longer holds - * we are making sure that pk_ec() here does not return a NULL - */ - mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(pk); - if (grp_id == MBEDTLS_ECP_DP_NONE) { - MBEDTLS_SSL_DEBUG_MSG(1, ("invalid group ID")); - return MBEDTLS_ERR_SSL_INTERNAL_ERROR; - } - if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) { - ssl->session_negotiate->verify_result |= - MBEDTLS_X509_BADCERT_BAD_KEY; - - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (EC key curve)")); - if (ret == 0) { - ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; - } - } - } - } -#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ - - if (mbedtls_ssl_check_cert_usage(chain, - ciphersuite_info, - !ssl->conf->endpoint, - &ssl->session_negotiate->verify_result) != 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)")); - if (ret == 0) { - ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; - } - } - - /* mbedtls_x509_crt_verify_with_profile is supposed to report a - * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED, - * with details encoded in the verification flags. All other kinds - * of error codes, including those from the user provided f_vrfy - * functions, are treated as fatal and lead to a failure of - * ssl_parse_certificate even if verification was optional. */ - if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL && - (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED || - ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) { - ret = 0; - } - - if (have_ca_chain == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) { - MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain")); - ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED; - } - - if (ret != 0) { - uint8_t alert; - - /* The certificate may have been rejected for several reasons. - Pick one and send the corresponding alert. Which alert to send - may be a subject of debate in some cases. */ - if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER) { - alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED; - } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) { - alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT; - } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE) { - alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; - } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE) { - alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; - } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE) { - alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; - } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK) { - alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; - } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY) { - alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; - } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED) { - alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED; - } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED) { - alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED; - } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) { - alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA; - } else { - alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN; - } - mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - alert); - } - -#if defined(MBEDTLS_DEBUG_C) - if (ssl->session_negotiate->verify_result != 0) { - MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x", - (unsigned int) ssl->session_negotiate->verify_result)); - } else { - MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear")); - } -#endif /* MBEDTLS_DEBUG_C */ - - return ret; -} - #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_remember_peer_crt_digest(mbedtls_ssl_context *ssl, @@ -8173,6 +7948,7 @@ int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl) { int ret = 0; int crt_expected; + /* Authmode: precedence order is SNI if used else configuration */ #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET ? ssl->handshake->sni_authmode @@ -8252,8 +8028,9 @@ crt_verify: } #endif - ret = ssl_parse_certificate_verify(ssl, authmode, - chain, rs_ctx); + ret = mbedtls_ssl_verify_certificate(ssl, authmode, chain, + ssl->handshake->ciphersuite_info, + rs_ctx); if (ret != 0) { goto exit; } @@ -9919,4 +9696,274 @@ int mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session *session, return 0; } #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */ + +/* + * The following functions are used by 1.2 and 1.3, client and server. + */ +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert, + const mbedtls_ssl_ciphersuite_t *ciphersuite, + int recv_endpoint, + mbedtls_ssl_protocol_version tls_version, + uint32_t *flags) +{ + int ret = 0; + unsigned int usage = 0; + const char *ext_oid; + size_t ext_len; + + /* + * keyUsage + */ + + /* Note: don't guard this with MBEDTLS_SSL_CLI_C because the server wants + * to check what a compliant client will think while choosing which cert + * to send to the client. */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2 && + recv_endpoint == MBEDTLS_SSL_IS_CLIENT) { + /* TLS 1.2 server part of the key exchange */ + switch (ciphersuite->key_exchange) { + case MBEDTLS_KEY_EXCHANGE_RSA: + case MBEDTLS_KEY_EXCHANGE_RSA_PSK: + usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT; + break; + + case MBEDTLS_KEY_EXCHANGE_DHE_RSA: + case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: + case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: + usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; + break; + + case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: + case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: + usage = MBEDTLS_X509_KU_KEY_AGREEMENT; + break; + + /* Don't use default: we want warnings when adding new values */ + case MBEDTLS_KEY_EXCHANGE_NONE: + case MBEDTLS_KEY_EXCHANGE_PSK: + case MBEDTLS_KEY_EXCHANGE_DHE_PSK: + case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: + case MBEDTLS_KEY_EXCHANGE_ECJPAKE: + usage = 0; + } + } else +#endif + { + /* This is either TLS 1.3 authentication, which always uses signatures, + * or 1.2 client auth: rsa_sign and mbedtls_ecdsa_sign are the only + * options we implement, both using signatures. */ + (void) tls_version; + (void) ciphersuite; + usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; + } + + if (mbedtls_x509_crt_check_key_usage(cert, usage) != 0) { + *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE; + ret = -1; + } + + /* + * extKeyUsage + */ + + if (recv_endpoint == MBEDTLS_SSL_IS_CLIENT) { + ext_oid = MBEDTLS_OID_SERVER_AUTH; + ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH); + } else { + ext_oid = MBEDTLS_OID_CLIENT_AUTH; + ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH); + } + + if (mbedtls_x509_crt_check_extended_key_usage(cert, ext_oid, ext_len) != 0) { + *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE; + ret = -1; + } + + return ret; +} + +int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl, + int authmode, + mbedtls_x509_crt *chain, + const mbedtls_ssl_ciphersuite_t *ciphersuite_info, + void *rs_ctx) +{ + if (authmode == MBEDTLS_SSL_VERIFY_NONE) { + return 0; + } + + /* + * Primary check: use the appropriate X.509 verification function + */ + int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *); + void *p_vrfy; + if (ssl->f_vrfy != NULL) { + MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback")); + f_vrfy = ssl->f_vrfy; + p_vrfy = ssl->p_vrfy; + } else { + MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback")); + f_vrfy = ssl->conf->f_vrfy; + p_vrfy = ssl->conf->p_vrfy; + } + + int ret = 0; + int have_ca_chain_or_callback = 0; +#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) + if (ssl->conf->f_ca_cb != NULL) { + ((void) rs_ctx); + have_ca_chain_or_callback = 1; + + MBEDTLS_SSL_DEBUG_MSG(3, ("use CA callback for X.509 CRT verification")); + ret = mbedtls_x509_crt_verify_with_ca_cb( + chain, + ssl->conf->f_ca_cb, + ssl->conf->p_ca_cb, + ssl->conf->cert_profile, + ssl->hostname, + &ssl->session_negotiate->verify_result, + f_vrfy, p_vrfy); + } else +#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ + { + mbedtls_x509_crt *ca_chain; + mbedtls_x509_crl *ca_crl; +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + if (ssl->handshake->sni_ca_chain != NULL) { + ca_chain = ssl->handshake->sni_ca_chain; + ca_crl = ssl->handshake->sni_ca_crl; + } else +#endif + { + ca_chain = ssl->conf->ca_chain; + ca_crl = ssl->conf->ca_crl; + } + + if (ca_chain != NULL) { + have_ca_chain_or_callback = 1; + } + + ret = mbedtls_x509_crt_verify_restartable( + chain, + ca_chain, ca_crl, + ssl->conf->cert_profile, + ssl->hostname, + &ssl->session_negotiate->verify_result, + f_vrfy, p_vrfy, rs_ctx); + } + + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret); + } + +#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) + if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { + return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; + } +#endif + + /* + * Secondary checks: always done, but change 'ret' only if it was 0 + */ + + /* With TLS 1.2 and ECC certs, check that the curve used by the + * certificate is on our list of acceptable curves. + * + * With TLS 1.3 this is not needed because the curve is part of the + * signature algorithm (eg ecdsa_secp256r1_sha256) which is checked when + * we validate the signature made with the key associated to this cert. + */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ + defined(MBEDTLS_PK_HAVE_ECC_KEYS) + if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 && + mbedtls_pk_can_do(&chain->pk, MBEDTLS_PK_ECKEY)) { + if (mbedtls_ssl_check_curve(ssl, mbedtls_pk_get_ec_group_id(&chain->pk)) != 0) { + MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (EC key curve)")); + ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY; + if (ret == 0) { + ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; + } + } + } +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_PK_HAVE_ECC_KEYS */ + + /* Check X.509 usage extensions (keyUsage, extKeyUsage) */ + if (mbedtls_ssl_check_cert_usage(chain, + ciphersuite_info, + ssl->conf->endpoint, + ssl->tls_version, + &ssl->session_negotiate->verify_result) != 0) { + MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)")); + if (ret == 0) { + ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; + } + } + + /* With authmode optional, we want to keep going if the certificate was + * unacceptable, but still fail on other errors (out of memory etc), + * including fatal errors from the f_vrfy callback. + * + * The only acceptable errors are: + * - MBEDTLS_ERR_X509_CERT_VERIFY_FAILED: cert rejected by primary check; + * - MBEDTLS_ERR_SSL_BAD_CERTIFICATE: cert rejected by secondary checks. + * Anything else is a fatal error. */ + if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL && + (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED || + ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) { + ret = 0; + } + + /* Return a specific error as this is a user error: inconsistent + * configuration - can't verify without trust anchors. */ + if (have_ca_chain_or_callback == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) { + MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain")); + ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED; + } + + if (ret != 0) { + uint8_t alert; + + /* The certificate may have been rejected for several reasons. + Pick one and send the corresponding alert. Which alert to send + may be a subject of debate in some cases. */ + if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER) { + alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED; + } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) { + alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT; + } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE) { + alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; + } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE) { + alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; + } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK) { + alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; + } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY) { + alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; + } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED) { + alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED; + } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED) { + alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED; + } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) { + alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA; + } else { + alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN; + } + mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + alert); + } + +#if defined(MBEDTLS_DEBUG_C) + if (ssl->session_negotiate->verify_result != 0) { + MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x", + (unsigned int) ssl->session_negotiate->verify_result)); + } else { + MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear")); + } +#endif /* MBEDTLS_DEBUG_C */ + + return ret; +} +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ + #endif /* MBEDTLS_SSL_TLS_C */ diff --git a/yass/third_party/mbedtls/library/ssl_tls12_client.c b/yass/third_party/mbedtls/library/ssl_tls12_client.c index eac6a3aadd..9b2da5a39d 100644 --- a/yass/third_party/mbedtls/library/ssl_tls12_client.c +++ b/yass/third_party/mbedtls/library/ssl_tls12_client.c @@ -364,7 +364,8 @@ static int ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl, *olen = 0; - if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED) { + if (mbedtls_ssl_conf_get_session_tickets(ssl->conf) == + MBEDTLS_SSL_SESSION_TICKETS_DISABLED) { return 0; } @@ -787,7 +788,8 @@ static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len) { - if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED || + if ((mbedtls_ssl_conf_get_session_tickets(ssl->conf) == + MBEDTLS_SSL_SESSION_TICKETS_DISABLED) || len != 0) { MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching session ticket extension")); diff --git a/yass/third_party/mbedtls/library/ssl_tls12_server.c b/yass/third_party/mbedtls/library/ssl_tls12_server.c index b49a8ae6a6..03722ac33c 100644 --- a/yass/third_party/mbedtls/library/ssl_tls12_server.c +++ b/yass/third_party/mbedtls/library/ssl_tls12_server.c @@ -756,7 +756,9 @@ static int ssl_pick_cert(mbedtls_ssl_context *ssl, * and decrypting with the same RSA key. */ if (mbedtls_ssl_check_cert_usage(cur->cert, ciphersuite_info, - MBEDTLS_SSL_IS_SERVER, &flags) != 0) { + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_VERSION_TLS1_2, + &flags) != 0) { MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: " "(extended) key usage extension")); continue; @@ -2631,13 +2633,8 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) ssl->handshake->xxdh_psa_type = psa_get_key_type(&key_attributes); ssl->handshake->xxdh_psa_bits = psa_get_key_bits(&key_attributes); - if (pk_type == MBEDTLS_PK_OPAQUE) { - /* Opaque key is created by the user (externally from Mbed TLS) - * so we assume it already has the right algorithm and flags - * set. Just copy its ID as reference. */ - ssl->handshake->xxdh_psa_privkey = pk->priv_id; - ssl->handshake->xxdh_psa_privkey_is_external = 1; - } else { +#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) + if (pk_type != MBEDTLS_PK_OPAQUE) { /* PK_ECKEY[_DH] and PK_ECDSA instead as parsed from the PK * module and only have ECDSA capabilities. Since we need * them for ECDH later, we export and then re-import them with @@ -2665,10 +2662,20 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) /* Set this key as owned by the TLS library: it will be its duty * to clear it exit. */ ssl->handshake->xxdh_psa_privkey_is_external = 0; - } + ret = 0; + break; + } +#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ + + /* Opaque key is created by the user (externally from Mbed TLS) + * so we assume it already has the right algorithm and flags + * set. Just copy its ID as reference. */ + ssl->handshake->xxdh_psa_privkey = pk->priv_id; + ssl->handshake->xxdh_psa_privkey_is_external = 1; ret = 0; break; + #if !defined(MBEDTLS_PK_USE_PSA_EC_DATA) case MBEDTLS_PK_ECKEY: case MBEDTLS_PK_ECKEY_DH: @@ -3916,7 +3923,7 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl) #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED; - uint8_t ecpoint_len; + size_t ecpoint_len; mbedtls_ssl_handshake_params *handshake = ssl->handshake; diff --git a/yass/third_party/mbedtls/library/ssl_tls13_client.c b/yass/third_party/mbedtls/library/ssl_tls13_client.c index 7fcc394319..b63b5e63c5 100644 --- a/yass/third_party/mbedtls/library/ssl_tls13_client.c +++ b/yass/third_party/mbedtls/library/ssl_tls13_client.c @@ -666,6 +666,7 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context *ssl, return 0; } +#if defined(MBEDTLS_SSL_SESSION_TICKETS) static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite) { const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL; @@ -678,7 +679,6 @@ static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite) return PSA_ALG_NONE; } -#if defined(MBEDTLS_SSL_SESSION_TICKETS) static int ssl_tls13_has_configured_ticket(mbedtls_ssl_context *ssl) { mbedtls_ssl_session *session = ssl->session_negotiate; @@ -1141,6 +1141,11 @@ int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl, *out_len = 0; + ret = mbedtls_ssl_tls13_crypto_init(ssl); + if (ret != 0) { + return ret; + } + /* Write supported_versions extension * * Supported Versions Extension is mandatory with TLS 1.3. diff --git a/yass/third_party/mbedtls/library/ssl_tls13_generic.c b/yass/third_party/mbedtls/library/ssl_tls13_generic.c index d448a054a9..b6d09788ba 100644 --- a/yass/third_party/mbedtls/library/ssl_tls13_generic.c +++ b/yass/third_party/mbedtls/library/ssl_tls13_generic.c @@ -27,7 +27,6 @@ #include "psa/crypto.h" #include "psa_util_internal.h" -#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED) /* Define a local translating function to save code size by not using too many * arguments in each translating place. */ static int local_err_translation(psa_status_t status) @@ -37,7 +36,16 @@ static int local_err_translation(psa_status_t status) psa_generic_status_to_mbedtls); } #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status) -#endif + +int mbedtls_ssl_tls13_crypto_init(mbedtls_ssl_context *ssl) +{ + psa_status_t status = psa_crypto_init(); + if (status != PSA_SUCCESS) { + (void) ssl; // unused when debugging is disabled + MBEDTLS_SSL_DEBUG_RET(1, "psa_crypto_init", status); + } + return PSA_TO_MBEDTLS_ERR(status); +} const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[ MBEDTLS_SERVER_HELLO_RANDOM_LEN] = @@ -193,10 +201,12 @@ static void ssl_tls13_create_verify_structure(const unsigned char *transcript_ha idx = 64; if (from == MBEDTLS_SSL_IS_CLIENT) { - memcpy(verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(client_cv)); + memcpy(verify_buffer + idx, mbedtls_ssl_tls13_labels.client_cv, + MBEDTLS_SSL_TLS1_3_LBL_LEN(client_cv)); idx += MBEDTLS_SSL_TLS1_3_LBL_LEN(client_cv); } else { /* from == MBEDTLS_SSL_IS_SERVER */ - memcpy(verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(server_cv)); + memcpy(verify_buffer + idx, mbedtls_ssl_tls13_labels.server_cv, + MBEDTLS_SSL_TLS1_3_LBL_LEN(server_cv)); idx += MBEDTLS_SSL_TLS1_3_LBL_LEN(server_cv); } @@ -470,6 +480,7 @@ int mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context *ssl, mbedtls_free(ssl->session_negotiate->peer_cert); } + /* This is used by ssl_tls13_validate_certificate() */ if (certificate_list_len == 0) { ssl->session_negotiate->peer_cert = NULL; ret = 0; @@ -625,25 +636,13 @@ int mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context *ssl, MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl) { - int ret = 0; - int authmode = MBEDTLS_SSL_VERIFY_REQUIRED; - mbedtls_x509_crt *ca_chain; - mbedtls_x509_crl *ca_crl; - const char *ext_oid; - size_t ext_len; - uint32_t verify_result = 0; - - /* If SNI was used, overwrite authentication mode - * from the configuration. */ -#if defined(MBEDTLS_SSL_SRV_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) { - authmode = ssl->handshake->sni_authmode; - } else -#endif - authmode = ssl->conf->authmode; - } + /* Authmode: precedence order is SNI if used else configuration */ +#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET + ? ssl->handshake->sni_authmode + : ssl->conf->authmode; +#else + const int authmode = ssl->conf->authmode; #endif /* @@ -675,6 +674,11 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl) #endif /* MBEDTLS_SSL_SRV_C */ #if defined(MBEDTLS_SSL_CLI_C) + /* Regardless of authmode, the server is not allowed to send an empty + * certificate chain. (Last paragraph before 4.4.2.1 in RFC 8446: "The + * server's certificate_list MUST always be non-empty.") With authmode + * optional/none, we continue the handshake if we can't validate the + * server's cert, but we still break it if no certificate was sent. */ if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_NO_CERT, MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE); @@ -683,114 +687,9 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl) #endif /* MBEDTLS_SSL_CLI_C */ } -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - if (ssl->handshake->sni_ca_chain != NULL) { - ca_chain = ssl->handshake->sni_ca_chain; - ca_crl = ssl->handshake->sni_ca_crl; - } else -#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ - { - ca_chain = ssl->conf->ca_chain; - ca_crl = ssl->conf->ca_crl; - } - - /* - * Main check: verify certificate - */ - ret = mbedtls_x509_crt_verify_with_profile( - ssl->session_negotiate->peer_cert, - ca_chain, ca_crl, - ssl->conf->cert_profile, - ssl->hostname, - &verify_result, - ssl->conf->f_vrfy, ssl->conf->p_vrfy); - - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret); - } - - /* - * Secondary checks: always done, but change 'ret' only if it was 0 - */ - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { - ext_oid = MBEDTLS_OID_SERVER_AUTH; - ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH); - } else { - ext_oid = MBEDTLS_OID_CLIENT_AUTH; - ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH); - } - - if ((mbedtls_x509_crt_check_key_usage( - ssl->session_negotiate->peer_cert, - MBEDTLS_X509_KU_DIGITAL_SIGNATURE) != 0) || - (mbedtls_x509_crt_check_extended_key_usage( - ssl->session_negotiate->peer_cert, - ext_oid, ext_len) != 0)) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)")); - if (ret == 0) { - ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; - } - } - - /* mbedtls_x509_crt_verify_with_profile is supposed to report a - * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED, - * with details encoded in the verification flags. All other kinds - * of error codes, including those from the user provided f_vrfy - * functions, are treated as fatal and lead to a failure of - * mbedtls_ssl_tls13_parse_certificate even if verification was optional. - */ - if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL && - (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED || - ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) { - ret = 0; - } - - if (ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) { - MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain")); - ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED; - } - - if (ret != 0) { - /* The certificate may have been rejected for several reasons. - Pick one and send the corresponding alert. Which alert to send - may be a subject of debate in some cases. */ - if (verify_result & MBEDTLS_X509_BADCERT_OTHER) { - MBEDTLS_SSL_PEND_FATAL_ALERT( - MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret); - } else if (verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) { - MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_BAD_CERT, ret); - } else if (verify_result & (MBEDTLS_X509_BADCERT_KEY_USAGE | - MBEDTLS_X509_BADCERT_EXT_KEY_USAGE | - MBEDTLS_X509_BADCERT_NS_CERT_TYPE | - MBEDTLS_X509_BADCERT_BAD_PK | - MBEDTLS_X509_BADCERT_BAD_KEY)) { - MBEDTLS_SSL_PEND_FATAL_ALERT( - MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret); - } else if (verify_result & MBEDTLS_X509_BADCERT_EXPIRED) { - MBEDTLS_SSL_PEND_FATAL_ALERT( - MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret); - } else if (verify_result & MBEDTLS_X509_BADCERT_REVOKED) { - MBEDTLS_SSL_PEND_FATAL_ALERT( - MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret); - } else if (verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) { - MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA, ret); - } else { - MBEDTLS_SSL_PEND_FATAL_ALERT( - MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret); - } - } - -#if defined(MBEDTLS_DEBUG_C) - if (verify_result != 0) { - MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x", - (unsigned int) verify_result)); - } else { - MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear")); - } -#endif /* MBEDTLS_DEBUG_C */ - - ssl->session_negotiate->verify_result = verify_result; - return ret; + return mbedtls_ssl_verify_certificate(ssl, authmode, + ssl->session_negotiate->peer_cert, + NULL, NULL); } #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ MBEDTLS_CHECK_RETURN_CRITICAL @@ -1482,9 +1381,11 @@ int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl, ssl->total_early_data_size)) { MBEDTLS_SSL_DEBUG_MSG( - 2, ("EarlyData: Too much early data received, %u + %" MBEDTLS_PRINTF_SIZET " > %u", - ssl->total_early_data_size, early_data_len, - ssl->session_negotiate->max_early_data_size)); + 2, ("EarlyData: Too much early data received, " + "%lu + %" MBEDTLS_PRINTF_SIZET " > %lu", + (unsigned long) ssl->total_early_data_size, + early_data_len, + (unsigned long) ssl->session_negotiate->max_early_data_size)); MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE, diff --git a/yass/third_party/mbedtls/library/ssl_tls13_server.c b/yass/third_party/mbedtls/library/ssl_tls13_server.c index 2760d76a5d..693edc7b0b 100644 --- a/yass/third_party/mbedtls/library/ssl_tls13_server.c +++ b/yass/third_party/mbedtls/library/ssl_tls13_server.c @@ -92,8 +92,9 @@ static void ssl_tls13_select_ciphersuite( return; } - MBEDTLS_SSL_DEBUG_MSG(2, ("No matched ciphersuite, psk_ciphersuite_id=%x, psk_hash_alg=%x", - (unsigned) psk_ciphersuite_id, psk_hash_alg)); + MBEDTLS_SSL_DEBUG_MSG(2, ("No matched ciphersuite, psk_ciphersuite_id=%x, psk_hash_alg=%lx", + (unsigned) psk_ciphersuite_id, + (unsigned long) psk_hash_alg)); } #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) @@ -172,12 +173,12 @@ static int ssl_tls13_parse_key_exchange_modes_ext(mbedtls_ssl_context *ssl, #define SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE 1 #define SSL_TLS1_3_PSK_IDENTITY_MATCH 0 -#if defined(MBEDTLS_SSL_SESSION_TICKETS) MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_key_exchange_is_psk_available(mbedtls_ssl_context *ssl); MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_key_exchange_is_psk_ephemeral_available(mbedtls_ssl_context *ssl); +#if defined(MBEDTLS_SSL_SESSION_TICKETS) MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_offered_psks_check_identity_match_ticket( mbedtls_ssl_context *ssl, @@ -575,10 +576,8 @@ static int ssl_tls13_parse_pre_shared_key_ext( psa_algorithm_t psk_hash_alg; int allowed_key_exchange_modes; -#if defined(MBEDTLS_SSL_SESSION_TICKETS) mbedtls_ssl_session session; mbedtls_ssl_session_init(&session); -#endif MBEDTLS_SSL_CHK_BUF_READ_PTR(p_identity_len, identities_end, 2 + 1 + 4); identity_len = MBEDTLS_GET_UINT16_BE(p_identity_len, 0); @@ -1356,19 +1355,23 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, * compression methods and the length of the extensions. * * cipher_suites cipher_suites_len bytes - * legacy_compression_methods 2 bytes - * extensions_len 2 bytes + * legacy_compression_methods length 1 byte */ - MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cipher_suites_len + 2 + 2); + MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cipher_suites_len + 1); p += cipher_suites_len; cipher_suites_end = p; + /* Check if we have enough data for legacy_compression_methods + * and the length of the extensions (2 bytes). + */ + MBEDTLS_SSL_CHK_BUF_READ_PTR(p + 1, end, p[0] + 2); + /* * Search for the supported versions extension and parse it to determine * if the client supports TLS 1.3. */ ret = mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts( - ssl, p + 2, end, + ssl, p + 1 + p[0], end, &supported_versions_data, &supported_versions_data_end); if (ret < 0) { MBEDTLS_SSL_DEBUG_RET(1, @@ -1409,6 +1412,12 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, ssl->session_negotiate->tls_version = MBEDTLS_SSL_VERSION_TLS1_3; ssl->session_negotiate->endpoint = ssl->conf->endpoint; + /* Before doing any crypto, make sure we can. */ + ret = mbedtls_ssl_tls13_crypto_init(ssl); + if (ret != 0) { + return ret; + } + /* * We are negotiating the version 1.3 of the protocol. Do what we have * postponed: copy of the client random bytes, copy of the legacy session @@ -3109,6 +3118,7 @@ static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl) return 0; } +#if defined(MBEDTLS_SSL_SESSION_TICKETS) /* * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET */ @@ -3138,7 +3148,6 @@ static int ssl_tls13_write_new_session_ticket_coordinate(mbedtls_ssl_context *ss return SSL_NEW_SESSION_TICKET_WRITE; } -#if defined(MBEDTLS_SSL_SESSION_TICKETS) MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl, unsigned char *ticket_nonce, diff --git a/yass/third_party/mbedtls/library/version_features.c b/yass/third_party/mbedtls/library/version_features.c index 406161d4c7..f542d9808f 100644 --- a/yass/third_party/mbedtls/library/version_features.c +++ b/yass/third_party/mbedtls/library/version_features.c @@ -423,6 +423,9 @@ static const char * const features[] = { #if defined(MBEDTLS_PSA_CRYPTO_SPM) "PSA_CRYPTO_SPM", //no-check-names #endif /* MBEDTLS_PSA_CRYPTO_SPM */ +#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) + "PSA_KEY_STORE_DYNAMIC", //no-check-names +#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ #if defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED) "PSA_P256M_DRIVER_ENABLED", //no-check-names #endif /* MBEDTLS_PSA_P256M_DRIVER_ENABLED */ diff --git a/yass/third_party/mbedtls/library/x509_crt.c b/yass/third_party/mbedtls/library/x509_crt.c index 2fd56fbd79..53cdcf0266 100644 --- a/yass/third_party/mbedtls/library/x509_crt.c +++ b/yass/third_party/mbedtls/library/x509_crt.c @@ -48,7 +48,9 @@ #if defined(MBEDTLS_HAVE_TIME) #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) +#ifndef WIN32_LEAN_AND_MEAN #define WIN32_LEAN_AND_MEAN +#endif #include #else #include diff --git a/yass/third_party/mbedtls/library/x509write_crt.c b/yass/third_party/mbedtls/library/x509write_crt.c index 72f5a10a17..56f23c9fab 100644 --- a/yass/third_party/mbedtls/library/x509write_crt.c +++ b/yass/third_party/mbedtls/library/x509write_crt.c @@ -46,6 +46,10 @@ void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx) void mbedtls_x509write_crt_free(mbedtls_x509write_cert *ctx) { + if (ctx == NULL) { + return; + } + mbedtls_asn1_free_named_data_list(&ctx->subject); mbedtls_asn1_free_named_data_list(&ctx->issuer); mbedtls_asn1_free_named_data_list(&ctx->extensions); diff --git a/yass/third_party/mbedtls/library/x509write_csr.c b/yass/third_party/mbedtls/library/x509write_csr.c index d3ddbcc03d..0d6f6bb1d3 100644 --- a/yass/third_party/mbedtls/library/x509write_csr.c +++ b/yass/third_party/mbedtls/library/x509write_csr.c @@ -43,6 +43,10 @@ void mbedtls_x509write_csr_init(mbedtls_x509write_csr *ctx) void mbedtls_x509write_csr_free(mbedtls_x509write_csr *ctx) { + if (ctx == NULL) { + return; + } + mbedtls_asn1_free_named_data_list(&ctx->subject); mbedtls_asn1_free_named_data_list(&ctx->extensions); diff --git a/yass/third_party/mbedtls/pkgconfig/.gitignore b/yass/third_party/mbedtls/pkgconfig/.gitignore new file mode 100644 index 0000000000..5460c20766 --- /dev/null +++ b/yass/third_party/mbedtls/pkgconfig/.gitignore @@ -0,0 +1,2 @@ +Makefile +*.pc diff --git a/yass/third_party/mbedtls/programs/cipher/cipher_aead_demo.c b/yass/third_party/mbedtls/programs/cipher/cipher_aead_demo.c index 853ec202c6..83fcce5878 100644 --- a/yass/third_party/mbedtls/programs/cipher/cipher_aead_demo.c +++ b/yass/third_party/mbedtls/programs/cipher/cipher_aead_demo.c @@ -79,7 +79,7 @@ const unsigned char msg2_part2[] = { 0x15, 0x16, 0x17 }; const unsigned char key_bytes[32] = { 0x2a }; /* Print the contents of a buffer in hex */ -void print_buf(const char *title, unsigned char *buf, size_t len) +static void print_buf(const char *title, unsigned char *buf, size_t len) { printf("%s:", title); for (size_t i = 0; i < len; i++) { diff --git a/yass/third_party/mbedtls/programs/fuzz/Makefile b/yass/third_party/mbedtls/programs/fuzz/Makefile index 828e5184a6..71cba0bcdc 100644 --- a/yass/third_party/mbedtls/programs/fuzz/Makefile +++ b/yass/third_party/mbedtls/programs/fuzz/Makefile @@ -9,9 +9,7 @@ ifdef FUZZINGENGINE LOCAL_LDFLAGS += -lFuzzingEngine endif -# A test application is built for each suites/test_suite_*.data file. -# Application name is same as .data file's base name and can be -# constructed by stripping path 'suites/' and extension .data. +# A test application is built for each fuzz_*.c file. APPS = $(basename $(wildcard fuzz_*.c)) # Construct executable name by adding OS specific suffix $(EXEXT). diff --git a/yass/third_party/mbedtls/programs/fuzz/common.h b/yass/third_party/mbedtls/programs/fuzz/common.h index 094383c7a4..88dceacf72 100644 --- a/yass/third_party/mbedtls/programs/fuzz/common.h +++ b/yass/third_party/mbedtls/programs/fuzz/common.h @@ -23,3 +23,6 @@ int dummy_random(void *p_rng, unsigned char *output, size_t output_len); int dummy_entropy(void *data, unsigned char *output, size_t len); int fuzz_recv_timeout(void *ctx, unsigned char *buf, size_t len, uint32_t timeout); + +/* Implemented in the fuzz_*.c sources and required by onefile.c */ +int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); diff --git a/yass/third_party/mbedtls/programs/fuzz/fuzz_pkcs7.c b/yass/third_party/mbedtls/programs/fuzz/fuzz_pkcs7.c index 2056913f25..38b4dc1399 100644 --- a/yass/third_party/mbedtls/programs/fuzz/fuzz_pkcs7.c +++ b/yass/third_party/mbedtls/programs/fuzz/fuzz_pkcs7.c @@ -1,5 +1,6 @@ #include #include "mbedtls/pkcs7.h" +#include "common.h" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { diff --git a/yass/third_party/mbedtls/programs/fuzz/fuzz_pubkey.c b/yass/third_party/mbedtls/programs/fuzz/fuzz_pubkey.c index 0b153b14d7..b2500e57c2 100644 --- a/yass/third_party/mbedtls/programs/fuzz/fuzz_pubkey.c +++ b/yass/third_party/mbedtls/programs/fuzz/fuzz_pubkey.c @@ -1,6 +1,7 @@ #include #include #include "mbedtls/pk.h" +#include "common.h" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { diff --git a/yass/third_party/mbedtls/programs/fuzz/fuzz_x509crl.c b/yass/third_party/mbedtls/programs/fuzz/fuzz_x509crl.c index 151db92c89..e8dacd90b6 100644 --- a/yass/third_party/mbedtls/programs/fuzz/fuzz_x509crl.c +++ b/yass/third_party/mbedtls/programs/fuzz/fuzz_x509crl.c @@ -1,5 +1,6 @@ #include #include "mbedtls/x509_crl.h" +#include "common.h" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { diff --git a/yass/third_party/mbedtls/programs/fuzz/fuzz_x509crt.c b/yass/third_party/mbedtls/programs/fuzz/fuzz_x509crt.c index 3eee07258b..74d3b077c6 100644 --- a/yass/third_party/mbedtls/programs/fuzz/fuzz_x509crt.c +++ b/yass/third_party/mbedtls/programs/fuzz/fuzz_x509crt.c @@ -1,5 +1,6 @@ #include #include "mbedtls/x509_crt.h" +#include "common.h" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { diff --git a/yass/third_party/mbedtls/programs/fuzz/fuzz_x509csr.c b/yass/third_party/mbedtls/programs/fuzz/fuzz_x509csr.c index 7946e57eda..4c123f8e0d 100644 --- a/yass/third_party/mbedtls/programs/fuzz/fuzz_x509csr.c +++ b/yass/third_party/mbedtls/programs/fuzz/fuzz_x509csr.c @@ -1,5 +1,6 @@ #include #include "mbedtls/x509_csr.h" +#include "common.h" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { diff --git a/yass/third_party/mbedtls/programs/fuzz/onefile.c b/yass/third_party/mbedtls/programs/fuzz/onefile.c index 3b2709f805..2d4330abc3 100644 --- a/yass/third_party/mbedtls/programs/fuzz/onefile.c +++ b/yass/third_party/mbedtls/programs/fuzz/onefile.c @@ -1,14 +1,13 @@ #include #include #include +#include "common.h" /* This file doesn't use any Mbed TLS function, but grab mbedtls_config.h anyway * in case it contains platform-specific #defines related to malloc or * stdio functions. */ #include "mbedtls/build_info.h" -int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); - int main(int argc, char **argv) { FILE *fp; diff --git a/yass/third_party/mbedtls/programs/hash/md_hmac_demo.c b/yass/third_party/mbedtls/programs/hash/md_hmac_demo.c index 581816a1d9..494e9efaa4 100644 --- a/yass/third_party/mbedtls/programs/hash/md_hmac_demo.c +++ b/yass/third_party/mbedtls/programs/hash/md_hmac_demo.c @@ -57,7 +57,7 @@ const unsigned char msg2_part2[] = { 0x06, 0x06 }; const unsigned char key_bytes[32] = { 0 }; /* Print the contents of a buffer in hex */ -void print_buf(const char *title, unsigned char *buf, size_t len) +static void print_buf(const char *title, unsigned char *buf, size_t len) { printf("%s:", title); for (size_t i = 0; i < len; i++) { @@ -87,7 +87,7 @@ void print_buf(const char *title, unsigned char *buf, size_t len) * This function demonstrates computation of the HMAC of two messages using * the multipart API. */ -int hmac_demo(void) +static int hmac_demo(void) { int ret; const mbedtls_md_type_t alg = MBEDTLS_MD_SHA256; diff --git a/yass/third_party/mbedtls/programs/pkey/gen_key.c b/yass/third_party/mbedtls/programs/pkey/gen_key.c index 194a5cbba6..83d7b71875 100644 --- a/yass/third_party/mbedtls/programs/pkey/gen_key.c +++ b/yass/third_party/mbedtls/programs/pkey/gen_key.c @@ -39,8 +39,8 @@ int main(void) #define DEV_RANDOM_THRESHOLD 32 -int dev_random_entropy_poll(void *data, unsigned char *output, - size_t len, size_t *olen) +static int dev_random_entropy_poll(void *data, unsigned char *output, + size_t len, size_t *olen) { FILE *file; size_t ret, left = len; diff --git a/yass/third_party/mbedtls/programs/psa/aead_demo.c b/yass/third_party/mbedtls/programs/psa/aead_demo.c index 619166dba4..2d99e3cbec 100644 --- a/yass/third_party/mbedtls/programs/psa/aead_demo.c +++ b/yass/third_party/mbedtls/programs/psa/aead_demo.c @@ -82,7 +82,7 @@ const unsigned char msg2_part2[] = { 0x15, 0x16, 0x17 }; const unsigned char key_bytes[32] = { 0x2a }; /* Print the contents of a buffer in hex */ -void print_buf(const char *title, uint8_t *buf, size_t len) +static void print_buf(const char *title, uint8_t *buf, size_t len) { printf("%s:", title); for (size_t i = 0; i < len; i++) { diff --git a/yass/third_party/mbedtls/programs/psa/hmac_demo.c b/yass/third_party/mbedtls/programs/psa/hmac_demo.c index 205505407f..683f3e59c9 100644 --- a/yass/third_party/mbedtls/programs/psa/hmac_demo.c +++ b/yass/third_party/mbedtls/programs/psa/hmac_demo.c @@ -59,7 +59,7 @@ const unsigned char msg2_part2[] = { 0x06, 0x06 }; const unsigned char key_bytes[32] = { 0 }; /* Print the contents of a buffer in hex */ -void print_buf(const char *title, uint8_t *buf, size_t len) +static void print_buf(const char *title, uint8_t *buf, size_t len) { printf("%s:", title); for (size_t i = 0; i < len; i++) { @@ -90,7 +90,7 @@ void print_buf(const char *title, uint8_t *buf, size_t len) * This function demonstrates computation of the HMAC of two messages using * the multipart API. */ -psa_status_t hmac_demo(void) +static psa_status_t hmac_demo(void) { psa_status_t status; const psa_algorithm_t alg = PSA_ALG_HMAC(PSA_ALG_SHA_256); diff --git a/yass/third_party/mbedtls/programs/psa/psa_constant_names.c b/yass/third_party/mbedtls/programs/psa/psa_constant_names.c index 0baf4a065e..7905b527cc 100644 --- a/yass/third_party/mbedtls/programs/psa/psa_constant_names.c +++ b/yass/third_party/mbedtls/programs/psa/psa_constant_names.c @@ -192,7 +192,7 @@ typedef enum { TYPE_STATUS, } signed_value_type; -int process_signed(signed_value_type type, long min, long max, char **argp) +static int process_signed(signed_value_type type, long min, long max, char **argp) { for (; *argp != NULL; argp++) { char buffer[200]; @@ -231,7 +231,7 @@ typedef enum { TYPE_KEY_USAGE, } unsigned_value_type; -int process_unsigned(unsigned_value_type type, unsigned long max, char **argp) +static int process_unsigned(unsigned_value_type type, unsigned long max, char **argp) { for (; *argp != NULL; argp++) { char buffer[200]; diff --git a/yass/third_party/mbedtls/programs/ssl/mini_client.c b/yass/third_party/mbedtls/programs/ssl/mini_client.c index 6bef2085c5..ba0195c46f 100644 --- a/yass/third_party/mbedtls/programs/ssl/mini_client.c +++ b/yass/third_party/mbedtls/programs/ssl/mini_client.c @@ -70,7 +70,7 @@ const char psk_id[] = "Client_identity"; #endif #if defined(MBEDTLS_X509_CRT_PARSE_C) -/* This is tests/data_files/test-ca2.crt, a CA using EC secp384r1 */ +/* This is framework/data_files/test-ca2.crt, a CA using EC secp384r1 */ const unsigned char ca_cert[] = { 0x30, 0x82, 0x02, 0x52, 0x30, 0x82, 0x01, 0xd7, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xc1, 0x43, 0xe2, 0x7e, 0x62, 0x43, 0xcc, 0xe8, diff --git a/yass/third_party/mbedtls/programs/ssl/ssl_client2.c b/yass/third_party/mbedtls/programs/ssl/ssl_client2.c index 43133d901c..025f3c59a6 100644 --- a/yass/third_party/mbedtls/programs/ssl/ssl_client2.c +++ b/yass/third_party/mbedtls/programs/ssl/ssl_client2.c @@ -82,6 +82,7 @@ int main(void) #define DFL_CID_VALUE_RENEGO NULL #define DFL_RECONNECT_HARD 0 #define DFL_TICKETS MBEDTLS_SSL_SESSION_TICKETS_ENABLED +#define DFL_NEW_SESSION_TICKETS MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED #define DFL_ALPN_STRING NULL #define DFL_GROUPS NULL #define DFL_SIG_ALGS NULL @@ -198,7 +199,8 @@ int main(void) #if defined(MBEDTLS_SSL_SESSION_TICKETS) #define USAGE_TICKETS \ - " tickets=%%d default: 1 (enabled)\n" + " tickets=%%d default: 1 (enabled)\n" \ + " new_session_tickets=%%d default: 1 (enabled)\n" #else #define USAGE_TICKETS "" #endif /* MBEDTLS_SSL_SESSION_TICKETS */ @@ -514,7 +516,8 @@ struct options { int reco_delay; /* delay in seconds before resuming session */ int reco_mode; /* how to keep the session around */ int reconnect_hard; /* unexpectedly reconnect from the same port */ - int tickets; /* enable / disable session tickets */ + int tickets; /* enable / disable session tickets (TLS 1.2) */ + int new_session_tickets; /* enable / disable new session tickets (TLS 1.3) */ const char *groups; /* list of supported groups */ const char *sig_algs; /* supported TLS 1.3 signature algorithms */ const char *alpn_string; /* ALPN supported protocols */ @@ -597,8 +600,8 @@ static int my_verify(void *data, mbedtls_x509_crt *crt, #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) -int report_cid_usage(mbedtls_ssl_context *ssl, - const char *additional_description) +static int report_cid_usage(mbedtls_ssl_context *ssl, + const char *additional_description) { int ret; unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX]; @@ -818,8 +821,6 @@ int main(int argc, char *argv[]) psa_key_attributes_t key_attributes; #endif psa_status_t status; -#elif defined(MBEDTLS_SSL_PROTO_TLS1_3) - psa_status_t status; #endif rng_context_t rng; @@ -894,7 +895,15 @@ int main(int argc, char *argv[]) memset((void *) alpn_list, 0, sizeof(alpn_list)); #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) + /* For builds with TLS 1.3 enabled but not MBEDTLS_USE_PSA_CRYPTO, + * we deliberately do not call psa_crypto_init() here, to test that + * the library is backward-compatible with versions prior to 3.6.0 + * where calling psa_crypto_init() was not required to open a TLS + * connection in the default configuration. See + * https://github.com/Mbed-TLS/mbedtls/issues/9072 and + * mbedtls_ssl_tls13_crypto_init(). + */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", @@ -963,6 +972,7 @@ int main(int argc, char *argv[]) opt.reco_mode = DFL_RECO_MODE; opt.reconnect_hard = DFL_RECONNECT_HARD; opt.tickets = DFL_TICKETS; + opt.new_session_tickets = DFL_NEW_SESSION_TICKETS; opt.alpn_string = DFL_ALPN_STRING; opt.groups = DFL_GROUPS; opt.sig_algs = DFL_SIG_ALGS; @@ -1220,6 +1230,11 @@ usage: if (opt.tickets < 0) { goto usage; } + } else if (strcmp(p, "new_session_tickets") == 0) { + opt.new_session_tickets = atoi(q); + if (opt.new_session_tickets < 0) { + goto usage; + } } else if (strcmp(p, "alpn") == 0) { opt.alpn_string = q; } else if (strcmp(p, "extended_ms") == 0) { @@ -1930,7 +1945,11 @@ usage: #if defined(MBEDTLS_SSL_SESSION_TICKETS) mbedtls_ssl_conf_session_tickets(&conf, opt.tickets); -#endif +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets( + &conf, opt.new_session_tickets); +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ if (opt.force_ciphersuite[0] != DFL_FORCE_CIPHER) { mbedtls_ssl_conf_ciphersuites(&conf, opt.force_ciphersuite); @@ -2204,7 +2223,9 @@ usage: ret != MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) { mbedtls_printf(" failed\n ! mbedtls_ssl_handshake returned -0x%x\n", (unsigned int) -ret); - if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) { +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) + if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED || + ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE) { mbedtls_printf( " Unable to verify the server's certificate. " "Either it is invalid,\n" @@ -2215,7 +2236,13 @@ usage: "not using TLS 1.3.\n" " For TLS 1.3 server, try `ca_path=/etc/ssl/certs/`" "or other folder that has root certificates\n"); + + flags = mbedtls_ssl_get_verify_result(&ssl); + char vrfy_buf[512]; + x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), " ! ", flags); + mbedtls_printf("%s\n", vrfy_buf); } +#endif mbedtls_printf("\n"); goto exit; } @@ -3192,6 +3219,9 @@ exit: /* For builds with MBEDTLS_TEST_USE_PSA_CRYPTO_RNG psa crypto * resources are freed by rng_free(). */ + /* For builds with MBEDTLS_SSL_PROTO_TLS1_3, PSA may have been + * initialized under the hood by the TLS layer. See + * mbedtls_ssl_tls13_crypto_init(). */ #if (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) && \ !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) mbedtls_psa_crypto_free(); diff --git a/yass/third_party/mbedtls/programs/ssl/ssl_context_info.c b/yass/third_party/mbedtls/programs/ssl/ssl_context_info.c index ee2cdb7b96..51e87817ad 100644 --- a/yass/third_party/mbedtls/programs/ssl/ssl_context_info.c +++ b/yass/third_party/mbedtls/programs/ssl/ssl_context_info.c @@ -111,12 +111,12 @@ const char buf_ln_err[] = "Buffer does not have enough data to complete the pars /* * Basic printing functions */ -void print_version(void) +static void print_version(void) { printf("%s v%d.%d\n", PROG_NAME, VER_MAJOR, VER_MINOR); } -void print_usage(void) +static void print_usage(void) { print_version(); printf("\nThis program is used to deserialize an Mbed TLS SSL session from the base64 code provided\n" @@ -138,7 +138,7 @@ void print_usage(void) ); } -void printf_dbg(const char *str, ...) +static void printf_dbg(const char *str, ...) { if (debug) { va_list args; @@ -151,7 +151,7 @@ void printf_dbg(const char *str, ...) } MBEDTLS_PRINTF_ATTRIBUTE(1, 2) -void printf_err(const char *str, ...) +static void printf_err(const char *str, ...) { va_list args; va_start(args, str); @@ -165,7 +165,7 @@ void printf_err(const char *str, ...) /* * Exit from the program in case of error */ -void error_exit(void) +static void error_exit(void) { if (NULL != b64_file) { fclose(b64_file); @@ -176,7 +176,7 @@ void error_exit(void) /* * This function takes the input arguments of this program */ -void parse_arguments(int argc, char *argv[]) +static void parse_arguments(int argc, char *argv[]) { int i = 1; @@ -223,7 +223,7 @@ void parse_arguments(int argc, char *argv[]) /* * This function prints base64 code to the stdout */ -void print_b64(const uint8_t *b, size_t len) +static void print_b64(const uint8_t *b, size_t len) { size_t i = 0; const uint8_t *end = b + len; @@ -247,8 +247,8 @@ void print_b64(const uint8_t *b, size_t len) * /p in_line number of bytes in one line * /p prefix prefix for the new lines */ -void print_hex(const uint8_t *b, size_t len, - const size_t in_line, const char *prefix) +static void print_hex(const uint8_t *b, size_t len, + const size_t in_line, const char *prefix) { size_t i = 0; const uint8_t *end = b + len; @@ -271,7 +271,7 @@ void print_hex(const uint8_t *b, size_t len, /* * Print the value of time_t in format e.g. 2020-01-23 13:05:59 */ -void print_time(const uint64_t *time) +static void print_time(const uint64_t *time) { #if defined(MBEDTLS_HAVE_TIME) char buf[20]; @@ -292,7 +292,7 @@ void print_time(const uint64_t *time) /* * Print the input string if the bit is set in the value */ -void print_if_bit(const char *str, int bit, int val) +static void print_if_bit(const char *str, int bit, int val) { if (bit & val) { printf("\t%s\n", str); @@ -302,7 +302,7 @@ void print_if_bit(const char *str, int bit, int val) /* * Return pointer to hardcoded "enabled" or "disabled" depending on the input value */ -const char *get_enabled_str(int is_en) +static const char *get_enabled_str(int is_en) { return (is_en) ? "enabled" : "disabled"; } @@ -310,7 +310,7 @@ const char *get_enabled_str(int is_en) /* * Return pointer to hardcoded MFL string value depending on the MFL code at the input */ -const char *get_mfl_str(int mfl_code) +static const char *get_mfl_str(int mfl_code) { switch (mfl_code) { case MBEDTLS_SSL_MAX_FRAG_LEN_NONE: @@ -343,7 +343,7 @@ const char *get_mfl_str(int mfl_code) * \retval number of bytes written in to the b64 buffer or 0 in case no more * data was found */ -size_t read_next_b64_code(uint8_t **b64, size_t *max_len) +static size_t read_next_b64_code(uint8_t **b64, size_t *max_len) { int valid_balance = 0; /* balance between valid and invalid characters */ size_t len = 0; @@ -443,7 +443,7 @@ size_t read_next_b64_code(uint8_t **b64, size_t *max_len) * /p ssl pointer to serialized certificate * /p len number of bytes in the buffer */ -void print_deserialized_ssl_cert(const uint8_t *ssl, uint32_t len) +static void print_deserialized_ssl_cert(const uint8_t *ssl, uint32_t len) { enum { STRLEN = 4096 }; mbedtls_x509_crt crt; @@ -509,8 +509,8 @@ void print_deserialized_ssl_cert(const uint8_t *ssl, uint32_t len) * /p len number of bytes in the buffer * /p session_cfg_flag session configuration flags */ -void print_deserialized_ssl_session(const uint8_t *ssl, uint32_t len, - int session_cfg_flag) +static void print_deserialized_ssl_session(const uint8_t *ssl, uint32_t len, + int session_cfg_flag) { const struct mbedtls_ssl_ciphersuite_t *ciphersuite_info; int ciphersuite_id; @@ -746,7 +746,7 @@ void print_deserialized_ssl_session(const uint8_t *ssl, uint32_t len, * /p ssl pointer to serialized session * /p len number of bytes in the buffer */ -void print_deserialized_ssl_context(const uint8_t *ssl, size_t len) +static void print_deserialized_ssl_context(const uint8_t *ssl, size_t len) { const uint8_t *end = ssl + len; uint32_t session_len; diff --git a/yass/third_party/mbedtls/programs/ssl/ssl_mail_client.c b/yass/third_party/mbedtls/programs/ssl/ssl_mail_client.c index febb881c80..e3ed697fad 100644 --- a/yass/third_party/mbedtls/programs/ssl/ssl_mail_client.c +++ b/yass/third_party/mbedtls/programs/ssl/ssl_mail_client.c @@ -727,7 +727,11 @@ usage: mbedtls_printf(" > Write MAIL FROM to server:"); fflush(stdout); - len = sprintf((char *) buf, "MAIL FROM:<%s>\r\n", opt.mail_from); + len = mbedtls_snprintf((char *) buf, sizeof(buf), "MAIL FROM:<%s>\r\n", opt.mail_from); + if (len < 0 || (size_t) len >= sizeof(buf)) { + mbedtls_printf(" failed\n ! mbedtls_snprintf encountered error or truncated output\n\n"); + goto exit; + } ret = write_ssl_and_get_response(&ssl, buf, len); if (ret < 200 || ret > 299) { mbedtls_printf(" failed\n ! server responded with %d\n\n", ret); @@ -739,7 +743,11 @@ usage: mbedtls_printf(" > Write RCPT TO to server:"); fflush(stdout); - len = sprintf((char *) buf, "RCPT TO:<%s>\r\n", opt.mail_to); + len = mbedtls_snprintf((char *) buf, sizeof(buf), "RCPT TO:<%s>\r\n", opt.mail_to); + if (len < 0 || (size_t) len >= sizeof(buf)) { + mbedtls_printf(" failed\n ! mbedtls_snprintf encountered error or truncated output\n\n"); + goto exit; + } ret = write_ssl_and_get_response(&ssl, buf, len); if (ret < 200 || ret > 299) { mbedtls_printf(" failed\n ! server responded with %d\n\n", ret); @@ -763,11 +771,16 @@ usage: mbedtls_printf(" > Write content to server:"); fflush(stdout); - len = sprintf((char *) buf, "From: %s\r\nSubject: Mbed TLS Test mail\r\n\r\n" - "This is a simple test mail from the " - "Mbed TLS mail client example.\r\n" - "\r\n" - "Enjoy!", opt.mail_from); + len = mbedtls_snprintf((char *) buf, sizeof(buf), + "From: %s\r\nSubject: Mbed TLS Test mail\r\n\r\n" + "This is a simple test mail from the " + "Mbed TLS mail client example.\r\n" + "\r\n" + "Enjoy!", opt.mail_from); + if (len < 0 || (size_t) len >= sizeof(buf)) { + mbedtls_printf(" failed\n ! mbedtls_snprintf encountered error or truncated output\n\n"); + goto exit; + } ret = write_ssl_data(&ssl, buf, len); len = sprintf((char *) buf, "\r\n.\r\n"); diff --git a/yass/third_party/mbedtls/programs/ssl/ssl_server2.c b/yass/third_party/mbedtls/programs/ssl/ssl_server2.c index a5d2ed1020..ed69590642 100644 --- a/yass/third_party/mbedtls/programs/ssl/ssl_server2.c +++ b/yass/third_party/mbedtls/programs/ssl/ssl_server2.c @@ -756,7 +756,7 @@ struct _sni_entry { sni_entry *next; }; -void sni_free(sni_entry *head) +static void sni_free(sni_entry *head) { sni_entry *cur = head, *next; @@ -786,7 +786,7 @@ void sni_free(sni_entry *head) * * Modifies the input string! This is not production quality! */ -sni_entry *sni_parse(char *sni_string) +static sni_entry *sni_parse(char *sni_string) { sni_entry *cur = NULL, *new = NULL; char *p = sni_string; @@ -878,8 +878,8 @@ error: /* * SNI callback. */ -int sni_callback(void *p_info, mbedtls_ssl_context *ssl, - const unsigned char *name, size_t name_len) +static int sni_callback(void *p_info, mbedtls_ssl_context *ssl, + const unsigned char *name, size_t name_len) { const sni_entry *cur = (const sni_entry *) p_info; @@ -909,7 +909,7 @@ int sni_callback(void *p_info, mbedtls_ssl_context *ssl, /* * server certificate selection callback. */ -int cert_callback(mbedtls_ssl_context *ssl) +static int cert_callback(mbedtls_ssl_context *ssl) { const sni_entry *cur = (sni_entry *) mbedtls_ssl_get_user_data_p(ssl); if (cur != NULL) { @@ -954,7 +954,7 @@ struct _psk_entry { /* * Free a list of psk_entry's */ -int psk_free(psk_entry *head) +static int psk_free(psk_entry *head) { psk_entry *next; @@ -985,7 +985,7 @@ int psk_free(psk_entry *head) * * Modifies the input string! This is not production quality! */ -psk_entry *psk_parse(char *psk_string) +static psk_entry *psk_parse(char *psk_string) { psk_entry *cur = NULL, *new = NULL; char *p = psk_string; @@ -1027,8 +1027,8 @@ error: /* * PSK callback */ -int psk_callback(void *p_info, mbedtls_ssl_context *ssl, - const unsigned char *name, size_t name_len) +static int psk_callback(void *p_info, mbedtls_ssl_context *ssl, + const unsigned char *name, size_t name_len) { psk_entry *cur = (psk_entry *) p_info; @@ -1055,7 +1055,7 @@ static mbedtls_net_context listen_fd, client_fd; /* Interruption handler to ensure clean exit (for valgrind testing) */ #if !defined(_WIN32) static int received_sigterm = 0; -void term_handler(int sig) +static void term_handler(int sig) { ((void) sig); received_sigterm = 1; @@ -1105,11 +1105,11 @@ typedef struct { void *p_rng; } ssl_async_key_context_t; -int ssl_async_set_key(ssl_async_key_context_t *ctx, - mbedtls_x509_crt *cert, - mbedtls_pk_context *pk, - int pk_take_ownership, - unsigned delay) +static int ssl_async_set_key(ssl_async_key_context_t *ctx, + mbedtls_x509_crt *cert, + mbedtls_pk_context *pk, + int pk_take_ownership, + unsigned delay) { if (ctx->slots_used >= sizeof(ctx->slots) / sizeof(*ctx->slots)) { return -1; @@ -1332,8 +1332,8 @@ static psa_status_t psa_setup_psk_key_slot(mbedtls_svc_key_id_t *slot, #endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) -int report_cid_usage(mbedtls_ssl_context *ssl, - const char *additional_description) +static int report_cid_usage(mbedtls_ssl_context *ssl, + const char *additional_description) { int ret; unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX]; @@ -1376,16 +1376,17 @@ int report_cid_usage(mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ -#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_HAVE_TIME) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) && \ + defined(MBEDTLS_HAVE_TIME) static inline void put_unaligned_uint32(void *p, uint32_t x) { memcpy(p, &x, sizeof(x)); } /* Functions for session ticket tests */ -int dummy_ticket_write(void *p_ticket, const mbedtls_ssl_session *session, - unsigned char *start, const unsigned char *end, - size_t *tlen, uint32_t *ticket_lifetime) +static int dummy_ticket_write(void *p_ticket, const mbedtls_ssl_session *session, + unsigned char *start, const unsigned char *end, + size_t *tlen, uint32_t *ticket_lifetime) { int ret; unsigned char *p = start; @@ -1410,8 +1411,8 @@ int dummy_ticket_write(void *p_ticket, const mbedtls_ssl_session *session, return 0; } -int dummy_ticket_parse(void *p_ticket, mbedtls_ssl_session *session, - unsigned char *buf, size_t len) +static int dummy_ticket_parse(void *p_ticket, mbedtls_ssl_session *session, + unsigned char *buf, size_t len) { int ret; ((void) p_ticket); @@ -1467,9 +1468,9 @@ int dummy_ticket_parse(void *p_ticket, mbedtls_ssl_session *session, return ret; } -#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_HAVE_TIME */ +#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_TICKET_C && MBEDTLS_HAVE_TIME */ -int parse_cipher(char *buf) +static int parse_cipher(char *buf) { if (strcmp(buf, "AES-128-CCM")) { return MBEDTLS_CIPHER_AES_128_CCM; @@ -1593,7 +1594,7 @@ int main(int argc, char *argv[]) int i; char *p, *q; const int *list; -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) +#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status; #endif unsigned char eap_tls_keymaterial[16]; @@ -1659,7 +1660,15 @@ int main(int argc, char *argv[]) mbedtls_ssl_cookie_init(&cookie_ctx); #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) + /* For builds with TLS 1.3 enabled but not MBEDTLS_USE_PSA_CRYPTO, + * we deliberately do not call psa_crypto_init() here, to test that + * the library is backward-compatible with versions prior to 3.6.0 + * where calling psa_crypto_init() was not required to open a TLS + * connection in the default configuration. See + * https://github.com/Mbed-TLS/mbedtls/issues/9072 and + * mbedtls_ssl_tls13_crypto_init(). + */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", @@ -3504,7 +3513,8 @@ handshake: (unsigned int) -ret); #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) - if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) { + if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED || + ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE) { char vrfy_buf[512]; flags = mbedtls_ssl_get_verify_result(&ssl); @@ -4308,6 +4318,9 @@ exit: /* For builds with MBEDTLS_TEST_USE_PSA_CRYPTO_RNG psa crypto * resources are freed by rng_free(). */ + /* For builds with MBEDTLS_SSL_PROTO_TLS1_3, PSA may have been + * initialized under the hood by the TLS layer. See + * mbedtls_ssl_tls13_crypto_init(). */ #if (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) \ && !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) mbedtls_psa_crypto_free(); diff --git a/yass/third_party/mbedtls/programs/ssl/ssl_test_common_source.c b/yass/third_party/mbedtls/programs/ssl/ssl_test_common_source.c index 1ff2077d4a..6d333e803a 100644 --- a/yass/third_party/mbedtls/programs/ssl/ssl_test_common_source.c +++ b/yass/third_party/mbedtls/programs/ssl/ssl_test_common_source.c @@ -12,13 +12,13 @@ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */ -void eap_tls_key_derivation(void *p_expkey, - mbedtls_ssl_key_export_type secret_type, - const unsigned char *secret, - size_t secret_len, - const unsigned char client_random[32], - const unsigned char server_random[32], - mbedtls_tls_prf_types tls_prf_type) +static void eap_tls_key_derivation(void *p_expkey, + mbedtls_ssl_key_export_type secret_type, + const unsigned char *secret, + size_t secret_len, + const unsigned char client_random[32], + const unsigned char server_random[32], + mbedtls_tls_prf_types tls_prf_type) { eap_tls_keys *keys = (eap_tls_keys *) p_expkey; @@ -36,13 +36,13 @@ void eap_tls_key_derivation(void *p_expkey, keys->tls_prf_type = tls_prf_type; } -void nss_keylog_export(void *p_expkey, - mbedtls_ssl_key_export_type secret_type, - const unsigned char *secret, - size_t secret_len, - const unsigned char client_random[32], - const unsigned char server_random[32], - mbedtls_tls_prf_types tls_prf_type) +static void nss_keylog_export(void *p_expkey, + mbedtls_ssl_key_export_type secret_type, + const unsigned char *secret, + size_t secret_len, + const unsigned char client_random[32], + const unsigned char server_random[32], + mbedtls_tls_prf_types tls_prf_type) { char nss_keylog_line[200]; size_t const client_random_len = 32; @@ -106,13 +106,13 @@ exit: } #if defined(MBEDTLS_SSL_DTLS_SRTP) -void dtls_srtp_key_derivation(void *p_expkey, - mbedtls_ssl_key_export_type secret_type, - const unsigned char *secret, - size_t secret_len, - const unsigned char client_random[32], - const unsigned char server_random[32], - mbedtls_tls_prf_types tls_prf_type) +static void dtls_srtp_key_derivation(void *p_expkey, + mbedtls_ssl_key_export_type secret_type, + const unsigned char *secret, + size_t secret_len, + const unsigned char client_random[32], + const unsigned char server_random[32], + mbedtls_tls_prf_types tls_prf_type) { dtls_srtp_keys *keys = (dtls_srtp_keys *) p_expkey; @@ -131,8 +131,8 @@ void dtls_srtp_key_derivation(void *p_expkey, } #endif /* MBEDTLS_SSL_DTLS_SRTP */ -int ssl_check_record(mbedtls_ssl_context const *ssl, - unsigned char const *buf, size_t len) +static int ssl_check_record(mbedtls_ssl_context const *ssl, + unsigned char const *buf, size_t len) { int my_ret = 0, ret_cr1, ret_cr2; unsigned char *tmp_buf; @@ -195,7 +195,7 @@ cleanup: return my_ret; } -int recv_cb(void *ctx, unsigned char *buf, size_t len) +static int recv_cb(void *ctx, unsigned char *buf, size_t len) { io_ctx_t *io_ctx = (io_ctx_t *) ctx; size_t recv_len; @@ -223,8 +223,8 @@ int recv_cb(void *ctx, unsigned char *buf, size_t len) return (int) recv_len; } -int recv_timeout_cb(void *ctx, unsigned char *buf, size_t len, - uint32_t timeout) +static int recv_timeout_cb(void *ctx, unsigned char *buf, size_t len, + uint32_t timeout) { io_ctx_t *io_ctx = (io_ctx_t *) ctx; int ret; @@ -248,7 +248,7 @@ int recv_timeout_cb(void *ctx, unsigned char *buf, size_t len, return (int) recv_len; } -int send_cb(void *ctx, unsigned char const *buf, size_t len) +static int send_cb(void *ctx, unsigned char const *buf, size_t len) { io_ctx_t *io_ctx = (io_ctx_t *) ctx; @@ -319,8 +319,8 @@ uint16_t ssl_sig_algs_for_test[] = { /** Functionally equivalent to mbedtls_x509_crt_verify_info, see that function * for more info. */ -int x509_crt_verify_info(char *buf, size_t size, const char *prefix, - uint32_t flags) +static int x509_crt_verify_info(char *buf, size_t size, const char *prefix, + uint32_t flags) { #if !defined(MBEDTLS_X509_REMOVE_INFO) return mbedtls_x509_crt_verify_info(buf, size, prefix, flags); @@ -352,7 +352,8 @@ int x509_crt_verify_info(char *buf, size_t size, const char *prefix, } #endif /* MBEDTLS_X509_CRT_PARSE_C */ -void mbedtls_print_supported_sig_algs(void) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +static void mbedtls_print_supported_sig_algs(void) { mbedtls_printf("supported signature algorithms:\n"); mbedtls_printf("\trsa_pkcs1_sha256 "); @@ -373,3 +374,4 @@ void mbedtls_print_supported_sig_algs(void) mbedtls_printf("ecdsa_sha1\n"); mbedtls_printf("\n"); } +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ diff --git a/yass/third_party/mbedtls/programs/test/cmake_package/.gitignore b/yass/third_party/mbedtls/programs/test/cmake_package/.gitignore index 9ae6b59c4b..89d8c2bf69 100644 --- a/yass/third_party/mbedtls/programs/test/cmake_package/.gitignore +++ b/yass/third_party/mbedtls/programs/test/cmake_package/.gitignore @@ -1,3 +1,4 @@ build Makefile cmake_package +mbedtls diff --git a/yass/third_party/mbedtls/programs/test/cmake_package_install/.gitignore b/yass/third_party/mbedtls/programs/test/cmake_package_install/.gitignore index b9b828288b..aaa5942090 100644 --- a/yass/third_party/mbedtls/programs/test/cmake_package_install/.gitignore +++ b/yass/third_party/mbedtls/programs/test/cmake_package_install/.gitignore @@ -1,3 +1,4 @@ build Makefile cmake_package_install +mbedtls diff --git a/yass/third_party/mbedtls/programs/test/metatest.c b/yass/third_party/mbedtls/programs/test/metatest.c index c52e579661..d876e9a87d 100644 --- a/yass/third_party/mbedtls/programs/test/metatest.c +++ b/yass/third_party/mbedtls/programs/test/metatest.c @@ -76,13 +76,13 @@ void(*volatile do_nothing_with_object_but_the_compiler_does_not_know)(void *) = /* Test framework features */ /****************************************************************/ -void meta_test_fail(const char *name) +static void meta_test_fail(const char *name) { (void) name; mbedtls_test_fail("Forced test failure", __LINE__, __FILE__); } -void meta_test_not_equal(const char *name) +static void meta_test_not_equal(const char *name) { int left = 20; int right = 10; @@ -94,7 +94,7 @@ exit: ; } -void meta_test_not_le_s(const char *name) +static void meta_test_not_le_s(const char *name) { int left = 20; int right = 10; @@ -106,7 +106,7 @@ exit: ; } -void meta_test_not_le_u(const char *name) +static void meta_test_not_le_u(const char *name) { size_t left = 20; size_t right = 10; @@ -122,16 +122,16 @@ exit: /* Platform features */ /****************************************************************/ -void null_pointer_dereference(const char *name) +static void null_pointer_dereference(const char *name) { (void) name; volatile char *volatile p; set_to_zero_but_the_compiler_does_not_know(&p, sizeof(p)); /* Undefined behavior (read from null data pointer) */ - mbedtls_printf("%p -> %u\n", p, (unsigned) *p); + mbedtls_printf("%p -> %u\n", (void *) p, (unsigned) *p); } -void null_pointer_call(const char *name) +static void null_pointer_call(const char *name) { (void) name; unsigned(*volatile p)(void); @@ -148,7 +148,7 @@ void null_pointer_call(const char *name) /* Memory */ /****************************************************************/ -void read_after_free(const char *name) +static void read_after_free(const char *name) { (void) name; volatile char *p = calloc_but_the_compiler_does_not_know(1, 1); @@ -158,7 +158,7 @@ void read_after_free(const char *name) mbedtls_printf("%u\n", (unsigned) *p); } -void double_free(const char *name) +static void double_free(const char *name) { (void) name; volatile char *p = calloc_but_the_compiler_does_not_know(1, 1); @@ -168,7 +168,7 @@ void double_free(const char *name) free_but_the_compiler_does_not_know((void *) p); } -void read_uninitialized_stack(const char *name) +static void read_uninitialized_stack(const char *name) { (void) name; char buf[1]; @@ -182,7 +182,7 @@ void read_uninitialized_stack(const char *name) } } -void memory_leak(const char *name) +static void memory_leak(const char *name) { (void) name; volatile char *p = calloc_but_the_compiler_does_not_know(1, 1); @@ -196,7 +196,7 @@ void memory_leak(const char *name) * %(start), %(offset) and %(count) are decimal integers. * %(direction) is either the character 'r' for read or 'w' for write. */ -void test_memory_poison(const char *name) +static void test_memory_poison(const char *name) { size_t start = 0, offset = 0, count = 0; char direction = 'r'; @@ -254,7 +254,7 @@ void test_memory_poison(const char *name) /* Threading */ /****************************************************************/ -void mutex_lock_not_initialized(const char *name) +static void mutex_lock_not_initialized(const char *name) { (void) name; #if defined(MBEDTLS_THREADING_C) @@ -270,7 +270,7 @@ exit: #endif } -void mutex_unlock_not_initialized(const char *name) +static void mutex_unlock_not_initialized(const char *name) { (void) name; #if defined(MBEDTLS_THREADING_C) @@ -286,7 +286,7 @@ exit: #endif } -void mutex_free_not_initialized(const char *name) +static void mutex_free_not_initialized(const char *name) { (void) name; #if defined(MBEDTLS_THREADING_C) @@ -300,7 +300,7 @@ void mutex_free_not_initialized(const char *name) #endif } -void mutex_double_init(const char *name) +static void mutex_double_init(const char *name) { (void) name; #if defined(MBEDTLS_THREADING_C) @@ -315,7 +315,7 @@ void mutex_double_init(const char *name) #endif } -void mutex_double_free(const char *name) +static void mutex_double_free(const char *name) { (void) name; #if defined(MBEDTLS_THREADING_C) @@ -330,7 +330,7 @@ void mutex_double_free(const char *name) #endif } -void mutex_leak(const char *name) +static void mutex_leak(const char *name) { (void) name; #if defined(MBEDTLS_THREADING_C) @@ -381,7 +381,7 @@ typedef struct { void (*entry_point)(const char *name); } metatest_t; -/* The list of availble meta-tests. Remember to register new functions here! +/* The list of available meta-tests. Remember to register new functions here! * * Note that we always compile all the functions, so that `metatest --list` * will always list all the available meta-tests. diff --git a/yass/third_party/mbedtls/programs/test/query_config.c b/yass/third_party/mbedtls/programs/test/query_config.c index 54a0884625..1c44fa621e 100644 --- a/yass/third_party/mbedtls/programs/test/query_config.c +++ b/yass/third_party/mbedtls/programs/test/query_config.c @@ -1204,6 +1204,14 @@ int query_config(const char *config) } #endif /* MBEDTLS_PSA_CRYPTO_SPM */ +#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) + if( strcmp( "MBEDTLS_PSA_KEY_STORE_DYNAMIC", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_PSA_KEY_STORE_DYNAMIC ); + return( 0 ); + } +#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ + #if defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED) if( strcmp( "MBEDTLS_PSA_P256M_DRIVER_ENABLED", config ) == 0 ) { @@ -4086,6 +4094,10 @@ void list_config(void) OUTPUT_MACRO_NAME_VALUE(MBEDTLS_PSA_CRYPTO_SPM); #endif /* MBEDTLS_PSA_CRYPTO_SPM */ +#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) + OUTPUT_MACRO_NAME_VALUE(MBEDTLS_PSA_KEY_STORE_DYNAMIC); +#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */ + #if defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED) OUTPUT_MACRO_NAME_VALUE(MBEDTLS_PSA_P256M_DRIVER_ENABLED); #endif /* MBEDTLS_PSA_P256M_DRIVER_ENABLED */ diff --git a/yass/third_party/mbedtls/programs/test/selftest.c b/yass/third_party/mbedtls/programs/test/selftest.c index 043209b7ff..e72386f023 100644 --- a/yass/third_party/mbedtls/programs/test/selftest.c +++ b/yass/third_party/mbedtls/programs/test/selftest.c @@ -241,7 +241,7 @@ static void create_entropy_seed_file(void) } #endif -int mbedtls_entropy_self_test_wrapper(int verbose) +static int mbedtls_entropy_self_test_wrapper(int verbose) { #if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_NO_PLATFORM_ENTROPY) create_entropy_seed_file(); @@ -252,7 +252,7 @@ int mbedtls_entropy_self_test_wrapper(int verbose) #if defined(MBEDTLS_SELF_TEST) #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) -int mbedtls_memory_buffer_alloc_free_and_self_test(int verbose) +static int mbedtls_memory_buffer_alloc_free_and_self_test(int verbose) { if (verbose != 0) { #if defined(MBEDTLS_MEMORY_DEBUG) diff --git a/yass/third_party/mbedtls/programs/test/udp_proxy.c b/yass/third_party/mbedtls/programs/test/udp_proxy.c index beaa8bd5ea..7213f8aea0 100644 --- a/yass/third_party/mbedtls/programs/test/udp_proxy.c +++ b/yass/third_party/mbedtls/programs/test/udp_proxy.c @@ -483,7 +483,7 @@ typedef struct { } packet; /* Print packet. Outgoing packets come with a reason (forward, dupl, etc.) */ -void print_packet(const packet *p, const char *why) +static void print_packet(const packet *p, const char *why) { #if defined(MBEDTLS_TIMING_C) if (why == NULL) { @@ -527,7 +527,7 @@ typedef enum { static inject_clihlo_state_t inject_clihlo_state; static packet initial_clihlo; -int send_packet(const packet *p, const char *why) +static int send_packet(const packet *p, const char *why) { int ret; mbedtls_net_context *dst = p->dst; @@ -616,13 +616,13 @@ int send_packet(const packet *p, const char *why) static size_t prev_len; static packet prev[MAX_DELAYED_MSG]; -void clear_pending(void) +static void clear_pending(void) { memset(&prev, 0, sizeof(prev)); prev_len = 0; } -void delay_packet(packet *delay) +static void delay_packet(packet *delay) { if (prev_len == MAX_DELAYED_MSG) { return; @@ -631,7 +631,7 @@ void delay_packet(packet *delay) memcpy(&prev[prev_len++], delay, sizeof(packet)); } -int send_delayed(void) +static int send_delayed(void) { uint8_t offset; int ret; @@ -663,9 +663,9 @@ int send_delayed(void) static unsigned char held[2048] = { 0 }; #define HOLD_MAX 2 -int handle_message(const char *way, - mbedtls_net_context *dst, - mbedtls_net_context *src) +static int handle_message(const char *way, + mbedtls_net_context *dst, + mbedtls_net_context *src) { int ret; packet cur; diff --git a/yass/third_party/mbedtls/programs/test/zeroize.c b/yass/third_party/mbedtls/programs/test/zeroize.c index 1e9b98d71e..c1cee0d840 100644 --- a/yass/third_party/mbedtls/programs/test/zeroize.c +++ b/yass/third_party/mbedtls/programs/test/zeroize.c @@ -23,7 +23,7 @@ #define BUFFER_LEN 1024 -void usage(void) +static void usage(void) { mbedtls_printf("Zeroize is a simple program to assist with testing\n"); mbedtls_printf("the mbedtls_platform_zeroize() function by using the\n"); diff --git a/yass/third_party/mbedtls/programs/util/pem2der.c b/yass/third_party/mbedtls/programs/util/pem2der.c index d682c2b067..177365b87c 100644 --- a/yass/third_party/mbedtls/programs/util/pem2der.c +++ b/yass/third_party/mbedtls/programs/util/pem2der.c @@ -45,8 +45,8 @@ struct options { const char *output_file; /* where to store the output */ } opt; -int convert_pem_to_der(const unsigned char *input, size_t ilen, - unsigned char *output, size_t *olen) +static int convert_pem_to_der(const unsigned char *input, size_t ilen, + unsigned char *output, size_t *olen) { int ret; const unsigned char *s1, *s2, *end = input + ilen; diff --git a/yass/third_party/mbedtls/programs/x509/cert_req.c b/yass/third_party/mbedtls/programs/x509/cert_req.c index dcfd1765c3..995ee499d5 100644 --- a/yass/third_party/mbedtls/programs/x509/cert_req.c +++ b/yass/third_party/mbedtls/programs/x509/cert_req.c @@ -94,22 +94,22 @@ int main(void) * global options */ struct options { - const char *filename; /* filename of the key file */ - const char *password; /* password for the key file */ - int debug_level; /* level of debugging */ + const char *filename; /* filename of the key file */ + const char *password; /* password for the key file */ + int debug_level; /* level of debugging */ const char *output_file; /* where to store the constructed key file */ - const char *subject_name; /* subject name for certificate request */ - mbedtls_x509_san_list *san_list; /* subjectAltName for certificate request */ - unsigned char key_usage; /* key usage flags */ - int force_key_usage; /* Force adding the KeyUsage extension */ - unsigned char ns_cert_type; /* NS cert type */ - int force_ns_cert_type; /* Force adding NsCertType extension */ - mbedtls_md_type_t md_alg; /* Hash algorithm used for signature. */ + const char *subject_name; /* subject name for certificate request */ + mbedtls_x509_san_list *san_list; /* subjectAltName for certificate request */ + unsigned char key_usage; /* key usage flags */ + int force_key_usage; /* Force adding the KeyUsage extension */ + unsigned char ns_cert_type; /* NS cert type */ + int force_ns_cert_type; /* Force adding NsCertType extension */ + mbedtls_md_type_t md_alg; /* Hash algorithm used for signature. */ } opt; -int write_certificate_request(mbedtls_x509write_csr *req, const char *output_file, - int (*f_rng)(void *, unsigned char *, size_t), - void *p_rng) +static int write_certificate_request(mbedtls_x509write_csr *req, const char *output_file, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng) { int ret; FILE *f; diff --git a/yass/third_party/mbedtls/programs/x509/cert_write.c b/yass/third_party/mbedtls/programs/x509/cert_write.c index 0b2575e84a..6fd1dce1fc 100644 --- a/yass/third_party/mbedtls/programs/x509/cert_write.c +++ b/yass/third_party/mbedtls/programs/x509/cert_write.c @@ -204,9 +204,9 @@ struct options { int format; /* format */ } opt; -int write_certificate(mbedtls_x509write_cert *crt, const char *output_file, - int (*f_rng)(void *, unsigned char *, size_t), - void *p_rng) +static int write_certificate(mbedtls_x509write_cert *crt, const char *output_file, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng) { int ret; FILE *f; @@ -249,8 +249,8 @@ int write_certificate(mbedtls_x509write_cert *crt, const char *output_file, return 0; } -int parse_serial_decimal_format(unsigned char *obuf, size_t obufmax, - const char *ibuf, size_t *len) +static int parse_serial_decimal_format(unsigned char *obuf, size_t obufmax, + const char *ibuf, size_t *len) { unsigned long long int dec; unsigned int remaining_bytes = sizeof(dec); diff --git a/yass/third_party/mbedtls/programs/x509/load_roots.c b/yass/third_party/mbedtls/programs/x509/load_roots.c index f0e6acf25a..d14537fd47 100644 --- a/yass/third_party/mbedtls/programs/x509/load_roots.c +++ b/yass/third_party/mbedtls/programs/x509/load_roots.c @@ -48,7 +48,7 @@ struct options { } opt; -int read_certificates(const char *const *filenames) +static int read_certificates(const char *const *filenames) { mbedtls_x509_crt cas; int ret = 0; diff --git a/yass/third_party/mbedtls/scripts/abi_check.py b/yass/third_party/mbedtls/scripts/abi_check.py index 8a604c4e24..f91d80e504 100755 --- a/yass/third_party/mbedtls/scripts/abi_check.py +++ b/yass/third_party/mbedtls/scripts/abi_check.py @@ -101,7 +101,8 @@ from types import SimpleNamespace import xml.etree.ElementTree as ET -from mbedtls_dev import build_tree +import framework_scripts_path # pylint: disable=unused-import +from mbedtls_framework import build_tree class AbiChecker: @@ -325,8 +326,14 @@ class AbiChecker: @staticmethod def _list_generated_test_data_files(git_worktree_path): """List the generated test data files.""" + generate_psa_tests = 'framework/scripts/generate_psa_tests.py' + if not os.path.isfile(git_worktree_path + '/' + generate_psa_tests): + # The checked-out revision is from before generate_psa_tests.py + # was moved to the framework submodule. Use the old location. + generate_psa_tests = 'tests/scripts/generate_psa_tests.py' + output = subprocess.check_output( - ['tests/scripts/generate_psa_tests.py', '--list'], + [generate_psa_tests, '--list'], cwd=git_worktree_path, ).decode('ascii') return [line for line in output.split('\n') if line] @@ -352,8 +359,14 @@ class AbiChecker: if 'storage_format' in filename: storage_data_files.add(filename) to_be_generated.add(filename) + + generate_psa_tests = 'framework/scripts/generate_psa_tests.py' + if not os.path.isfile(git_worktree_path + '/' + generate_psa_tests): + # The checked-out revision is from before generate_psa_tests.py + # was moved to the framework submodule. Use the old location. + generate_psa_tests = 'tests/scripts/generate_psa_tests.py' subprocess.check_call( - ['tests/scripts/generate_psa_tests.py'] + sorted(to_be_generated), + [generate_psa_tests] + sorted(to_be_generated), cwd=git_worktree_path, ) for test_file in sorted(storage_data_files): diff --git a/yass/third_party/mbedtls/scripts/ci.requirements.txt b/yass/third_party/mbedtls/scripts/ci.requirements.txt index 69c2db07a5..d21aa27988 100644 --- a/yass/third_party/mbedtls/scripts/ci.requirements.txt +++ b/yass/third_party/mbedtls/scripts/ci.requirements.txt @@ -19,6 +19,6 @@ mypy >= 0.780 # to run audit-validity-dates.py on Python >=3.6. cryptography # >= 35.0.0 -# For building `tests/data_files/server9-bad-saltlen.crt` and check python +# For building `framework/data_files/server9-bad-saltlen.crt` and check python # files. asn1crypto diff --git a/yass/third_party/mbedtls/scripts/code_size_compare.py b/yass/third_party/mbedtls/scripts/code_size_compare.py index abd13df240..50749b6a8b 100755 --- a/yass/third_party/mbedtls/scripts/code_size_compare.py +++ b/yass/third_party/mbedtls/scripts/code_size_compare.py @@ -21,9 +21,10 @@ import sys import typing from enum import Enum -from mbedtls_dev import build_tree -from mbedtls_dev import logging_util -from mbedtls_dev import typing_util +import framework_scripts_path # pylint: disable=unused-import +from mbedtls_framework import build_tree +from mbedtls_framework import logging_util +from mbedtls_framework import typing_util class SupportedArch(Enum): """Supported architecture for code size measurement.""" diff --git a/yass/third_party/mbedtls/scripts/code_style.py b/yass/third_party/mbedtls/scripts/code_style.py index 07952b6cb5..d3f89d9130 100755 --- a/yass/third_party/mbedtls/scripts/code_style.py +++ b/yass/third_party/mbedtls/scripts/code_style.py @@ -75,16 +75,55 @@ def get_src_files(since: Optional[str]) -> List[str]: output = subprocess.check_output(["git", "ls-files"] + file_patterns, universal_newlines=True) src_files = output.split() + + # When this script is called from a git hook, some environment variables + # are set by default which force all git commands to use the main repository + # (i.e. prevent us from performing commands on the framework repo). + # Create an environment without these variables for running commands on the + # framework repo. + framework_env = os.environ.copy() + # Get a list of environment vars that git sets + git_env_vars = subprocess.check_output(["git", "rev-parse", "--local-env-vars"], + universal_newlines=True) + # Remove the vars from the environment + for var in git_env_vars.split(): + framework_env.pop(var, None) + + output = subprocess.check_output(["git", "-C", "framework", "ls-files"] + + file_patterns, + universal_newlines=True, + env=framework_env) + framework_src_files = output.split() + if since: - # get all files changed in commits since the starting point - cmd = ["git", "log", since + "..HEAD", "--name-only", "--pretty=", "--"] + src_files + # get all files changed in commits since the starting point in ... + # ... the main repository + cmd = ["git", "log", since + "..HEAD", "--ignore-submodules", + "--name-only", "--pretty=", "--"] + src_files output = subprocess.check_output(cmd, universal_newlines=True) committed_changed_files = output.split() - # and also get all files with uncommitted changes + # ... the framework submodule + cmd = ["git", "-C", "framework", "log", since + "..HEAD", + "--name-only", "--pretty=", "--"] + framework_src_files + output = subprocess.check_output(cmd, universal_newlines=True, + env=framework_env) + committed_changed_files += ["framework/" + s for s in output.split()] + + # and also get all files with uncommitted changes in ... + # ... the main repository cmd = ["git", "diff", "--name-only", "--"] + src_files output = subprocess.check_output(cmd, universal_newlines=True) uncommitted_changed_files = output.split() - src_files = list(set(committed_changed_files + uncommitted_changed_files)) + # ... the framework submodule + cmd = ["git", "-C", "framework", "diff", "--name-only", "--"] + \ + framework_src_files + output = subprocess.check_output(cmd, universal_newlines=True, + env=framework_env) + uncommitted_changed_files += ["framework/" + s for s in output.split()] + + src_files = committed_changed_files + uncommitted_changed_files + else: + src_files += ["framework/" + s for s in framework_src_files] generated_files = list_generated_files() # Don't correct style for third-party files (and, for simplicity, diff --git a/yass/third_party/mbedtls/scripts/common.make b/yass/third_party/mbedtls/scripts/common.make index 9908a3c265..439f13d0c2 100644 --- a/yass/third_party/mbedtls/scripts/common.make +++ b/yass/third_party/mbedtls/scripts/common.make @@ -18,7 +18,7 @@ include $(MBEDTLS_PATH)/framework/exported.make CFLAGS ?= -O2 WARNING_CFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral -WARNING_CXXFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral +WARNING_CXXFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral -std=c++11 -pedantic LDFLAGS ?= LOCAL_CFLAGS = $(WARNING_CFLAGS) -I$(MBEDTLS_TEST_PATH)/include -I$(MBEDTLS_PATH)/include -D_FILE_OFFSET_BITS=64 diff --git a/yass/third_party/mbedtls/scripts/config.py b/yass/third_party/mbedtls/scripts/config.py index c53f9e7fe2..8704bdb51e 100755 --- a/yass/third_party/mbedtls/scripts/config.py +++ b/yass/third_party/mbedtls/scripts/config.py @@ -396,6 +396,7 @@ class ConfigFile(Config): self.default_path) super().__init__() self.filename = filename + self.inclusion_guard = None self.current_section = 'header' with open(filename, 'r', encoding='utf-8') as file: self.templates = [self._parse_line(line) for line in file] @@ -413,9 +414,11 @@ class ConfigFile(Config): r'(?P(?:\((?:\w|\s|,)*\))?)' + r'(?P\s*)' + r'(?P.*)') + _ifndef_line_regexp = r'#ifndef (?P\w+)' _section_line_regexp = (r'\s*/?\*+\s*[\\@]name\s+SECTION:\s*' + r'(?P
.*)[ */]*') _config_line_regexp = re.compile(r'|'.join([_define_line_regexp, + _ifndef_line_regexp, _section_line_regexp])) def _parse_line(self, line): """Parse a line in mbedtls_config.h and return the corresponding template.""" @@ -426,10 +429,16 @@ class ConfigFile(Config): elif m.group('section'): self.current_section = m.group('section') return line + elif m.group('inclusion_guard') and self.inclusion_guard is None: + self.inclusion_guard = m.group('inclusion_guard') + return line else: active = not m.group('commented_out') name = m.group('name') value = m.group('value') + if name == self.inclusion_guard and value == '': + # The file double-inclusion guard is not an option. + return line template = (name, m.group('indentation'), m.group('define') + name + diff --git a/yass/third_party/mbedtls/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja b/yass/third_party/mbedtls/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja index 8b91f0bb72..d3b7d6fb31 100644 --- a/yass/third_party/mbedtls/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja +++ b/yass/third_party/mbedtls/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja @@ -731,7 +731,8 @@ static inline psa_status_t psa_driver_wrapper_get_key_buffer_size_from_key_data( static inline psa_status_t psa_driver_wrapper_generate_key( const psa_key_attributes_t *attributes, - const psa_key_production_parameters_t *params, size_t params_data_length, + const psa_custom_key_parameters_t *custom, + const uint8_t *custom_data, size_t custom_data_length, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length ) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; @@ -740,7 +741,7 @@ static inline psa_status_t psa_driver_wrapper_generate_key( #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) int is_default_production = - psa_key_production_parameters_are_default(params, params_data_length); + psa_custom_key_parameters_are_default(custom, custom_data_length); if( location != PSA_KEY_LOCATION_LOCAL_STORAGE && !is_default_production ) { /* We don't support passing custom production parameters @@ -811,7 +812,7 @@ static inline psa_status_t psa_driver_wrapper_generate_key( /* Software fallback */ status = psa_generate_key_internal( - attributes, params, params_data_length, + attributes, custom, custom_data, custom_data_length, key_buffer, key_buffer_size, key_buffer_length ); break; diff --git a/yass/third_party/mbedtls/scripts/framework_scripts_path.py b/yass/third_party/mbedtls/scripts/framework_scripts_path.py new file mode 100644 index 0000000000..4d4a440c23 --- /dev/null +++ b/yass/third_party/mbedtls/scripts/framework_scripts_path.py @@ -0,0 +1,17 @@ +"""Add our Python library directory to the module search path. + +Usage: + + import framework_scripts_path # pylint: disable=unused-import +""" + +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later +# + +import os +import sys + +sys.path.append(os.path.join(os.path.dirname(__file__), + os.path.pardir, + 'framework', 'scripts')) diff --git a/yass/third_party/mbedtls/scripts/generate_driver_wrappers.py b/yass/third_party/mbedtls/scripts/generate_driver_wrappers.py index 624ab81df1..0f0c8c7be1 100755 --- a/yass/third_party/mbedtls/scripts/generate_driver_wrappers.py +++ b/yass/third_party/mbedtls/scripts/generate_driver_wrappers.py @@ -17,7 +17,9 @@ from traceback import format_tb import argparse import jsonschema import jinja2 -from mbedtls_dev import build_tree + +import framework_scripts_path # pylint: disable=unused-import +from mbedtls_framework import build_tree JSONSchema = NewType('JSONSchema', object) # The Driver is an Object, but practically it's indexable and can called a dictionary to diff --git a/yass/third_party/mbedtls/scripts/generate_psa_constants.py b/yass/third_party/mbedtls/scripts/generate_psa_constants.py index f13b507d0d..d57d46a299 100755 --- a/yass/third_party/mbedtls/scripts/generate_psa_constants.py +++ b/yass/third_party/mbedtls/scripts/generate_psa_constants.py @@ -17,8 +17,9 @@ file is written: import os import sys -from mbedtls_dev import build_tree -from mbedtls_dev import macro_collector +import framework_scripts_path # pylint: disable=unused-import +from mbedtls_framework import build_tree +from mbedtls_framework import macro_collector OUTPUT_TEMPLATE = '''\ /* Automatically generated by generate_psa_constant.py. DO NOT EDIT. */ diff --git a/yass/third_party/mbedtls/scripts/generate_ssl_debug_helpers.py b/yass/third_party/mbedtls/scripts/generate_ssl_debug_helpers.py index a0544f1537..600d16096e 100755 --- a/yass/third_party/mbedtls/scripts/generate_ssl_debug_helpers.py +++ b/yass/third_party/mbedtls/scripts/generate_ssl_debug_helpers.py @@ -14,7 +14,9 @@ import re import os import textwrap import argparse -from mbedtls_dev import build_tree + +import framework_scripts_path # pylint: disable=unused-import +from mbedtls_framework import build_tree def remove_c_comments(string): @@ -328,7 +330,7 @@ class NamedGroupDefinition: {translation_table} }}; - return "UNKOWN"; + return "UNKNOWN"; }}''') body = body.format(translation_table='\n'.join(translation_table)) return body diff --git a/yass/third_party/mbedtls/scripts/lcov.sh b/yass/third_party/mbedtls/scripts/lcov.sh index 9a0c58243f..2d2f42bcbc 100755 --- a/yass/third_party/mbedtls/scripts/lcov.sh +++ b/yass/third_party/mbedtls/scripts/lcov.sh @@ -30,9 +30,15 @@ EOF set -eu -# Repository detection -in_mbedtls_build_dir () { - test -d library +# Project detection +PROJECT_NAME_FILE='./scripts/project_name.txt' +if read -r PROJECT_NAME < "$PROJECT_NAME_FILE"; then :; else + echo "$PROJECT_NAME_FILE does not exist... Exiting..." >&2 + exit 1 +fi + +in_mbedtls_repo () { + test "$PROJECT_NAME" = "Mbed TLS" } # Collect stats and build a HTML report. @@ -68,7 +74,7 @@ if [ $# -gt 0 ] && [ "$1" = "--help" ]; then exit fi -if in_mbedtls_build_dir; then +if in_mbedtls_repo; then library_dir='library' title='Mbed TLS' else diff --git a/yass/third_party/mbedtls/scripts/make_generated_files.bat b/yass/third_party/mbedtls/scripts/make_generated_files.bat index 496863029a..93c9c0659a 100644 --- a/yass/third_party/mbedtls/scripts/make_generated_files.bat +++ b/yass/third_party/mbedtls/scripts/make_generated_files.bat @@ -10,6 +10,9 @@ perl scripts\generate_features.pl || exit /b 1 python scripts\generate_ssl_debug_helpers.py || exit /b 1 perl scripts\generate_visualc_files.pl || exit /b 1 python scripts\generate_psa_constants.py || exit /b 1 -python tests\scripts\generate_bignum_tests.py || exit /b 1 -python tests\scripts\generate_ecp_tests.py || exit /b 1 -python tests\scripts\generate_psa_tests.py || exit /b 1 +python framework\scripts\generate_bignum_tests.py || exit /b 1 +python framework\scripts\generate_config_tests.py || exit /b 1 +python framework\scripts\generate_ecp_tests.py || exit /b 1 +python framework\scripts\generate_psa_tests.py || exit /b 1 +python framework\scripts\generate_test_keys.py --output tests\src\test_keys.h || exit /b 1 +python framework\scripts\generate_test_cert_macros.py --output tests\src\test_certs.h || exit /b 1 diff --git a/yass/third_party/mbedtls/scripts/min_requirements.py b/yass/third_party/mbedtls/scripts/min_requirements.py index 9888abe085..b36f906622 100755 --- a/yass/third_party/mbedtls/scripts/min_requirements.py +++ b/yass/third_party/mbedtls/scripts/min_requirements.py @@ -14,7 +14,9 @@ import tempfile import typing from typing import List, Optional -from mbedtls_dev import typing_util + +import framework_scripts_path # pylint: disable=unused-import +from mbedtls_framework import typing_util def pylint_doesn_t_notice_that_certain_types_are_used_in_annotations( _list: List[typing.Any], diff --git a/yass/third_party/mbedtls/scripts/project_name.txt b/yass/third_party/mbedtls/scripts/project_name.txt new file mode 100644 index 0000000000..a38cf263b6 --- /dev/null +++ b/yass/third_party/mbedtls/scripts/project_name.txt @@ -0,0 +1 @@ +Mbed TLS diff --git a/yass/third_party/mbedtls/tests/.gitignore b/yass/third_party/mbedtls/tests/.gitignore index 71cc50b7c6..ef597fc1d5 100644 --- a/yass/third_party/mbedtls/tests/.gitignore +++ b/yass/third_party/mbedtls/tests/.gitignore @@ -3,22 +3,26 @@ *.log /test_suite* -data_files/mpi_write -data_files/hmac_drbg_seed -data_files/ctr_drbg_seed -data_files/entropy_seed +/data_files/mpi_write +/data_files/hmac_drbg_seed +/data_files/ctr_drbg_seed +/data_files/entropy_seed -include/alt-extra/psa/crypto_platform_alt.h -include/alt-extra/psa/crypto_struct_alt.h -include/test/instrument_record_status.h +/include/alt-extra/psa/crypto_platform_alt.h +/include/alt-extra/psa/crypto_struct_alt.h +/include/test/instrument_record_status.h -src/libmbed* +/src/libmbed* -libtestdriver1/* +/libtestdriver1/* ####START_COMMENTED_GENERATED_FILES### ## Generated source files #/suites/*.generated.data +#/suites/test_suite_config.mbedtls_boolean.data +#/suites/test_suite_config.psa_boolean.data #/suites/test_suite_psa_crypto_storage_format.v[0-9]*.data #/suites/test_suite_psa_crypto_storage_format.current.data +#/src/test_keys.h +#/src/test_certs.h ####END_COMMENTED_GENERATED_FILES### diff --git a/yass/third_party/mbedtls/tests/CMakeLists.txt b/yass/third_party/mbedtls/tests/CMakeLists.txt index 206ad72d0a..dab7457829 100644 --- a/yass/third_party/mbedtls/tests/CMakeLists.txt +++ b/yass/third_party/mbedtls/tests/CMakeLists.txt @@ -21,7 +21,7 @@ file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/suites) execute_process( COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} - ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_bignum_tests.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_bignum_tests.py --list-for-cmake WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/.. @@ -33,7 +33,19 @@ string(REGEX REPLACE "[^;]*/" "" execute_process( COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} - ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_ecp_tests.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_config_tests.py + --list-for-cmake + WORKING_DIRECTORY + ${CMAKE_CURRENT_SOURCE_DIR}/.. + OUTPUT_VARIABLE + base_config_generated_data_files) +string(REGEX REPLACE "[^;]*/" "" + base_config_generated_data_files "${base_config_generated_data_files}") + +execute_process( + COMMAND + ${MBEDTLS_PYTHON_EXECUTABLE} + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_ecp_tests.py --list-for-cmake WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/.. @@ -45,7 +57,7 @@ string(REGEX REPLACE "[^;]*/" "" execute_process( COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} - ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_psa_tests.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_psa_tests.py --list-for-cmake WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/.. @@ -57,15 +69,20 @@ string(REGEX REPLACE "[^;]*/" "" # Derive generated file paths in the build directory. The generated data # files go into the suites/ subdirectory. set(base_generated_data_files - ${base_bignum_generated_data_files} ${base_ecp_generated_data_files} ${base_psa_generated_data_files}) + ${base_bignum_generated_data_files} ${base_config_generated_data_files} + ${base_ecp_generated_data_files} ${base_psa_generated_data_files}) string(REGEX REPLACE "([^;]+)" "suites/\\1" all_generated_data_files "${base_generated_data_files}") set(bignum_generated_data_files "") +set(config_generated_data_files "") set(ecp_generated_data_files "") set(psa_generated_data_files "") foreach(file ${base_bignum_generated_data_files}) list(APPEND bignum_generated_data_files ${CMAKE_CURRENT_BINARY_DIR}/suites/${file}) endforeach() +foreach(file ${base_config_generated_data_files}) + list(APPEND config_generated_data_files ${CMAKE_CURRENT_BINARY_DIR}/suites/${file}) +endforeach() foreach(file ${base_ecp_generated_data_files}) list(APPEND ecp_generated_data_files ${CMAKE_CURRENT_BINARY_DIR}/suites/${file}) endforeach() @@ -81,16 +98,31 @@ if(GEN_FILES) ${CMAKE_CURRENT_SOURCE_DIR}/.. COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} - ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_bignum_tests.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_bignum_tests.py --directory ${CMAKE_CURRENT_BINARY_DIR}/suites DEPENDS - ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_bignum_tests.py - ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/bignum_common.py - ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/bignum_core.py - ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/bignum_mod_raw.py - ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/bignum_mod.py - ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/test_case.py - ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/test_data_generation.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_bignum_tests.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/bignum_common.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/bignum_core.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/bignum_mod_raw.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/bignum_mod.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/test_case.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/test_data_generation.py + ) + add_custom_command( + OUTPUT + ${config_generated_data_files} + WORKING_DIRECTORY + ${CMAKE_CURRENT_SOURCE_DIR}/.. + COMMAND + ${MBEDTLS_PYTHON_EXECUTABLE} + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_config_tests.py + --directory ${CMAKE_CURRENT_BINARY_DIR}/suites + DEPENDS + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_config_tests.py + # Do not declare the configuration files as dependencies: they + # change too often in ways that don't affect the result + # ((un)commenting some options). ) add_custom_command( OUTPUT @@ -99,14 +131,14 @@ if(GEN_FILES) ${CMAKE_CURRENT_SOURCE_DIR}/.. COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} - ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_ecp_tests.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_ecp_tests.py --directory ${CMAKE_CURRENT_BINARY_DIR}/suites DEPENDS - ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_ecp_tests.py - ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/bignum_common.py - ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/ecp.py - ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/test_case.py - ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/test_data_generation.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_ecp_tests.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/bignum_common.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/ecp.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/test_case.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/test_data_generation.py ) add_custom_command( OUTPUT @@ -115,17 +147,17 @@ if(GEN_FILES) ${CMAKE_CURRENT_SOURCE_DIR}/.. COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} - ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_psa_tests.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_psa_tests.py --directory ${CMAKE_CURRENT_BINARY_DIR}/suites DEPENDS - ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_psa_tests.py - ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/crypto_data_tests.py - ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/crypto_knowledge.py - ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/macro_collector.py - ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/psa_information.py - ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/psa_storage.py - ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/test_case.py - ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/test_data_generation.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_psa_tests.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/crypto_data_tests.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/crypto_knowledge.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/macro_collector.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/psa_information.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/psa_storage.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/test_case.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/test_data_generation.py ${CMAKE_CURRENT_SOURCE_DIR}/../include/psa/crypto_config.h ${CMAKE_CURRENT_SOURCE_DIR}/../include/psa/crypto_values.h ${CMAKE_CURRENT_SOURCE_DIR}/../include/psa/crypto_extra.h @@ -142,6 +174,7 @@ endif() # With this line, only 4 sub-makefiles include the above command, that reduces # the risk of a race. add_custom_target(test_suite_bignum_generated_data DEPENDS ${bignum_generated_data_files}) +add_custom_target(test_suite_config_generated_data DEPENDS ${config_generated_data_files}) add_custom_target(test_suite_ecp_generated_data DEPENDS ${ecp_generated_data_files}) add_custom_target(test_suite_psa_generated_data DEPENDS ${psa_generated_data_files}) # If SKIP_TEST_SUITES is not defined with -D, get it from the environment. @@ -165,6 +198,7 @@ function(add_test_suite suite_name) # Get the test names of the tests with generated .data files # from the generated_data_files list in parent scope. set(bignum_generated_data_names "") + set(config_generated_data_names "") set(ecp_generated_data_names "") set(psa_generated_data_names "") foreach(generated_data_file ${bignum_generated_data_files}) @@ -176,6 +210,15 @@ function(add_test_suite suite_name) string(SUBSTRING ${generated_data_name} 11 -1 generated_data_name) list(APPEND bignum_generated_data_names ${generated_data_name}) endforeach() + foreach(generated_data_file ${config_generated_data_files}) + # Get the plain filename + get_filename_component(generated_data_name ${generated_data_file} NAME) + # Remove the ".data" extension + get_name_without_last_ext(generated_data_name ${generated_data_name}) + # Remove leading "test_suite_" + string(SUBSTRING ${generated_data_name} 11 -1 generated_data_name) + list(APPEND config_generated_data_names ${generated_data_name}) + endforeach() foreach(generated_data_file ${ecp_generated_data_files}) # Get the plain filename get_filename_component(generated_data_name ${generated_data_file} NAME) @@ -199,6 +242,10 @@ function(add_test_suite suite_name) set(data_file ${CMAKE_CURRENT_BINARY_DIR}/suites/test_suite_${data_name}.data) set(dependency test_suite_bignum_generated_data) + elseif(";${config_generated_data_names};" MATCHES ";${data_name};") + set(data_file + ${CMAKE_CURRENT_BINARY_DIR}/suites/test_suite_${data_name}.data) + set(dependency test_suite_config_generated_data) elseif(";${ecp_generated_data_names};" MATCHES ";${data_name};") set(data_file ${CMAKE_CURRENT_BINARY_DIR}/suites/test_suite_${data_name}.data) @@ -210,7 +257,11 @@ function(add_test_suite suite_name) else() set(data_file ${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${data_name}.data) - set(dependency test_suite_bignum_generated_data test_suite_ecp_generated_data test_suite_psa_generated_data) + set(dependency + test_suite_bignum_generated_data + test_suite_config_generated_data + test_suite_ecp_generated_data + test_suite_psa_generated_data) endif() add_custom_command( @@ -220,7 +271,7 @@ function(add_test_suite suite_name) test_suite_${data_name}.c COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} - ${CMAKE_CURRENT_SOURCE_DIR}/scripts/generate_test_code.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_test_code.py -f ${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${suite_name}.function -d ${data_file} -t ${CMAKE_CURRENT_SOURCE_DIR}/suites/main_test.function @@ -229,7 +280,7 @@ function(add_test_suite suite_name) --helpers-file ${CMAKE_CURRENT_SOURCE_DIR}/suites/helpers.function -o . DEPENDS - ${CMAKE_CURRENT_SOURCE_DIR}/scripts/generate_test_code.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_test_code.py ${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${suite_name}.function ${data_file} ${CMAKE_CURRENT_SOURCE_DIR}/suites/main_test.function @@ -300,7 +351,7 @@ if (NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR}) link_to_source(Descriptions.txt) link_to_source(compat.sh) link_to_source(context-info.sh) - link_to_source(data_files) + link_to_source(../framework/data_files) link_to_source(scripts) link_to_source(ssl-opt.sh) link_to_source(opt-testcases) diff --git a/yass/third_party/mbedtls/tests/Makefile b/yass/third_party/mbedtls/tests/Makefile index c2a0b84f07..14c6995fed 100644 --- a/yass/third_party/mbedtls/tests/Makefile +++ b/yass/third_party/mbedtls/tests/Makefile @@ -16,29 +16,46 @@ ifdef RECORD_PSA_STATUS_COVERAGE_LOG LOCAL_CFLAGS += -Werror -DRECORD_PSA_STATUS_COVERAGE_LOG endif -.PHONY: generated_files GENERATED_BIGNUM_DATA_FILES := $(patsubst tests/%,%,$(shell \ - $(PYTHON) scripts/generate_bignum_tests.py --list || \ + $(PYTHON) ../framework/scripts/generate_bignum_tests.py --list || \ echo FAILED \ )) ifeq ($(GENERATED_BIGNUM_DATA_FILES),FAILED) -$(error "$(PYTHON) scripts/generate_bignum_tests.py --list" failed) +$(error "$(PYTHON) ../framework/scripts/generate_bignum_tests.py --list" failed) endif +GENERATED_DATA_FILES += $(GENERATED_BIGNUM_DATA_FILES) + +GENERATED_CONFIG_DATA_FILES := $(patsubst tests/%,%,$(shell \ + $(PYTHON) ../framework/scripts/generate_config_tests.py --list || \ + echo FAILED \ +)) +ifeq ($(GENERATED_CONFIG_DATA_FILES),FAILED) +$(error "$(PYTHON) ../framework/scripts/generate_config_tests.py --list" failed) +endif +GENERATED_DATA_FILES += $(GENERATED_CONFIG_DATA_FILES) + GENERATED_ECP_DATA_FILES := $(patsubst tests/%,%,$(shell \ - $(PYTHON) scripts/generate_ecp_tests.py --list || \ + $(PYTHON) ../framework/scripts/generate_ecp_tests.py --list || \ echo FAILED \ )) ifeq ($(GENERATED_ECP_DATA_FILES),FAILED) -$(error "$(PYTHON) scripts/generate_ecp_tests.py --list" failed) +$(error "$(PYTHON) ../framework/scripts/generate_ecp_tests.py --list" failed) endif +GENERATED_DATA_FILES += $(GENERATED_ECP_DATA_FILES) + GENERATED_PSA_DATA_FILES := $(patsubst tests/%,%,$(shell \ - $(PYTHON) scripts/generate_psa_tests.py --list || \ + $(PYTHON) ../framework/scripts/generate_psa_tests.py --list || \ echo FAILED \ )) ifeq ($(GENERATED_PSA_DATA_FILES),FAILED) -$(error "$(PYTHON) scripts/generate_psa_tests.py --list" failed) +$(error "$(PYTHON) ../framework/scripts/generate_psa_tests.py --list" failed) endif -GENERATED_FILES := $(GENERATED_PSA_DATA_FILES) $(GENERATED_ECP_DATA_FILES) $(GENERATED_BIGNUM_DATA_FILES) +GENERATED_DATA_FILES += $(GENERATED_PSA_DATA_FILES) + +GENERATED_FILES = $(GENERATED_DATA_FILES) +GENERATED_FILES += src/test_keys.h src/test_certs.h + +.PHONY: generated_files generated_files: $(GENERATED_FILES) # generate_bignum_tests.py and generate_psa_tests.py spend more time analyzing @@ -47,38 +64,55 @@ generated_files: $(GENERATED_FILES) # It's rare not to want all the outputs. So always generate all of its outputs. # Use an intermediate phony dependency so that parallel builds don't run # a separate instance of the recipe for each output file. -.SECONDARY: generated_bignum_test_data generated_ecp_test_data generated_psa_test_data $(GENERATED_BIGNUM_DATA_FILES): $(gen_file_dep) generated_bignum_test_data -generated_bignum_test_data: scripts/generate_bignum_tests.py -generated_bignum_test_data: ../scripts/mbedtls_dev/bignum_common.py -generated_bignum_test_data: ../scripts/mbedtls_dev/bignum_core.py -generated_bignum_test_data: ../scripts/mbedtls_dev/bignum_mod_raw.py -generated_bignum_test_data: ../scripts/mbedtls_dev/bignum_mod.py -generated_bignum_test_data: ../scripts/mbedtls_dev/test_case.py -generated_bignum_test_data: ../scripts/mbedtls_dev/test_data_generation.py +generated_bignum_test_data: ../framework/scripts/generate_bignum_tests.py +generated_bignum_test_data: ../framework/scripts/mbedtls_framework/bignum_common.py +generated_bignum_test_data: ../framework/scripts/mbedtls_framework/bignum_core.py +generated_bignum_test_data: ../framework/scripts/mbedtls_framework/bignum_mod_raw.py +generated_bignum_test_data: ../framework/scripts/mbedtls_framework/bignum_mod.py +generated_bignum_test_data: ../framework/scripts/mbedtls_framework/test_case.py +generated_bignum_test_data: ../framework/scripts/mbedtls_framework/test_data_generation.py generated_bignum_test_data: echo " Gen $(GENERATED_BIGNUM_DATA_FILES)" - $(PYTHON) scripts/generate_bignum_tests.py + $(PYTHON) ../framework/scripts/generate_bignum_tests.py +.SECONDARY: generated_bignum_test_data + +# We deliberately omit the configuration files (mbedtls_config.h, +# crypto_config.h) from the depenency list because during development +# and on the CI, we often edit those in a way that doesn't change the +# output, to comment out certain options, or even to remove certain +# lines which do affect the output negatively (it will miss the +# corresponding test cases). +$(GENERATED_CONFIG_DATA_FILES): $(gen_file_dep) generated_config_test_data +generated_config_test_data: ../framework/scripts/generate_config_tests.py +generated_config_test_data: ../scripts/config.py +generated_config_test_data: ../framework/scripts/mbedtls_framework/test_case.py +generated_config_test_data: ../framework/scripts/mbedtls_framework/test_data_generation.py +generated_config_test_data: + echo " Gen $(GENERATED_CONFIG_DATA_FILES)" + $(PYTHON) ../framework/scripts/generate_config_tests.py +.SECONDARY: generated_config_test_data $(GENERATED_ECP_DATA_FILES): $(gen_file_dep) generated_ecp_test_data -generated_ecp_test_data: scripts/generate_ecp_tests.py -generated_ecp_test_data: ../scripts/mbedtls_dev/bignum_common.py -generated_ecp_test_data: ../scripts/mbedtls_dev/ecp.py -generated_ecp_test_data: ../scripts/mbedtls_dev/test_case.py -generated_ecp_test_data: ../scripts/mbedtls_dev/test_data_generation.py +generated_ecp_test_data: ../framework/scripts/generate_ecp_tests.py +generated_ecp_test_data: ../framework/scripts/mbedtls_framework/bignum_common.py +generated_ecp_test_data: ../framework/scripts/mbedtls_framework/ecp.py +generated_ecp_test_data: ../framework/scripts/mbedtls_framework/test_case.py +generated_ecp_test_data: ../framework/scripts/mbedtls_framework/test_data_generation.py generated_ecp_test_data: echo " Gen $(GENERATED_ECP_DATA_FILES)" - $(PYTHON) scripts/generate_ecp_tests.py + $(PYTHON) ../framework/scripts/generate_ecp_tests.py +.SECONDARY: generated_ecp_test_data $(GENERATED_PSA_DATA_FILES): $(gen_file_dep) generated_psa_test_data -generated_psa_test_data: scripts/generate_psa_tests.py -generated_psa_test_data: ../scripts/mbedtls_dev/crypto_data_tests.py -generated_psa_test_data: ../scripts/mbedtls_dev/crypto_knowledge.py -generated_psa_test_data: ../scripts/mbedtls_dev/macro_collector.py -generated_psa_test_data: ../scripts/mbedtls_dev/psa_information.py -generated_psa_test_data: ../scripts/mbedtls_dev/psa_storage.py -generated_psa_test_data: ../scripts/mbedtls_dev/test_case.py -generated_psa_test_data: ../scripts/mbedtls_dev/test_data_generation.py +generated_psa_test_data: ../framework/scripts/generate_psa_tests.py +generated_psa_test_data: ../framework/scripts/mbedtls_framework/crypto_data_tests.py +generated_psa_test_data: ../framework/scripts/mbedtls_framework/crypto_knowledge.py +generated_psa_test_data: ../framework/scripts/mbedtls_framework/macro_collector.py +generated_psa_test_data: ../framework/scripts/mbedtls_framework/psa_information.py +generated_psa_test_data: ../framework/scripts/mbedtls_framework/psa_storage.py +generated_psa_test_data: ../framework/scripts/mbedtls_framework/test_case.py +generated_psa_test_data: ../framework/scripts/mbedtls_framework/test_data_generation.py ## The generated file only depends on the options that are present in ## crypto_config.h, not on which options are set. To avoid regenerating this ## file all the time when switching between configurations, don't declare @@ -90,7 +124,8 @@ generated_psa_test_data: ../include/psa/crypto_extra.h generated_psa_test_data: suites/test_suite_psa_crypto_metadata.data generated_psa_test_data: echo " Gen $(GENERATED_PSA_DATA_FILES) ..." - $(PYTHON) scripts/generate_psa_tests.py + $(PYTHON) ../framework/scripts/generate_psa_tests.py +.SECONDARY: generated_psa_test_data # A test application is built for each suites/test_suite_*.data file. # Application name is same as .data file's base name and can be @@ -98,7 +133,7 @@ generated_psa_test_data: DATA_FILES := $(wildcard suites/test_suite_*.data) # Make sure that generated data files are included even if they don't # exist yet when the makefile is parsed. -DATA_FILES += $(filter-out $(DATA_FILES),$(GENERATED_FILES)) +DATA_FILES += $(filter-out $(DATA_FILES),$(GENERATED_DATA_FILES)) APPS = $(basename $(subst suites/,,$(DATA_FILES))) # Construct executable name by adding OS specific suffix $(EXEXT). @@ -112,6 +147,13 @@ all: $(BINARIES) mbedtls_test: $(MBEDTLS_TEST_OBJS) +src/test_certs.h: ../framework/scripts/generate_test_cert_macros.py \ + $($(PYTHON) ../framework/scripts/generate_test_cert_macros.py --list-dependencies) + $(PYTHON) ../framework/scripts/generate_test_cert_macros.py --output $@ + +src/test_keys.h: ../framework/scripts/generate_test_keys.py + $(PYTHON) ../framework/scripts/generate_test_keys.py --output $@ + TEST_OBJS_DEPS = $(wildcard include/test/*.h include/test/*/*.h) ifdef RECORD_PSA_STATUS_COVERAGE_LOG # Explicitly depend on this header because on a clean copy of the source tree, @@ -119,6 +161,7 @@ ifdef RECORD_PSA_STATUS_COVERAGE_LOG # therefore the wildcard enumeration above doesn't include it. TEST_OBJS_DEPS += include/test/instrument_record_status.h endif +TEST_OBJS_DEPS += src/test_certs.h src/test_keys.h # Rule to compile common test C files in src folder src/%.o : src/%.c $(TEST_OBJS_DEPS) @@ -151,9 +194,9 @@ c: $(C_FILES) # dot in .c file's base name. # .SECONDEXPANSION: -%.c: suites/$$(firstword $$(subst ., ,$$*)).function suites/%.data scripts/generate_test_code.py suites/helpers.function suites/main_test.function suites/host_test.function +%.c: suites/$$(firstword $$(subst ., ,$$*)).function suites/%.data ../framework/scripts/generate_test_code.py suites/helpers.function suites/main_test.function suites/host_test.function echo " Gen $@" - $(PYTHON) scripts/generate_test_code.py -f suites/$(firstword $(subst ., ,$*)).function \ + $(PYTHON) ../framework/scripts/generate_test_code.py -f suites/$(firstword $(subst ., ,$*)).function \ -d suites/$*.data \ -t suites/main_test.function \ -p suites/host_test.function \ @@ -181,7 +224,7 @@ else if exist src/*.o del /Q /F src/*.o if exist src/drivers/*.o del /Q /F src/drivers/*.o if exist src/test_helpers/*.o del /Q /F src/test_helpers/*.o - if exist src/libmbed* del /Q /F src/libmed* + if exist src/libmbed* del /Q /F src/libmbed* if exist include/test/instrument_record_status.h del /Q /F include/test/instrument_record_status.h endif diff --git a/yass/third_party/mbedtls/tests/compat.sh b/yass/third_party/mbedtls/tests/compat.sh index a101ffd138..52f75e0de3 100755 --- a/yass/third_party/mbedtls/tests/compat.sh +++ b/yass/third_party/mbedtls/tests/compat.sh @@ -96,6 +96,7 @@ FILTER="" EXCLUDE='NULL\|ARIA\|CHACHA20_POLY1305' VERBOSE="" MEMCHECK=0 +MIN_TESTS=1 PRESERVE_LOGS=0 PEERS="OpenSSL$PEER_GNUTLS mbedTLS" @@ -116,6 +117,7 @@ print_usage() { printf " -M|--memcheck\tCheck memory leaks and errors.\n" printf " -v|--verbose\tSet verbose output.\n" printf " --list-test-cases\tList all potential test cases (No Execution)\n" + printf " --min \tMinimum number of non-skipped tests (default 1)\n" printf " --outcome-file\tFile where test outcomes are written\n" printf " \t(default: \$MBEDTLS_TEST_OUTCOME_FILE, none if empty)\n" printf " --preserve-logs\tPreserve logs of successful tests as well\n" @@ -131,22 +133,28 @@ print_test_case() { # list_test_cases lists all potential test cases in compat.sh without execution list_test_cases() { - reset_ciphersuites for TYPE in $TYPES; do + reset_ciphersuites add_common_ciphersuites add_openssl_ciphersuites add_gnutls_ciphersuites add_mbedtls_ciphersuites - done - for VERIFY in $VERIFIES; do - VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]') - for MODE in $MODES; do - print_test_case m O "$O_CIPHERS" - print_test_case O m "$O_CIPHERS" - print_test_case m G "$G_CIPHERS" - print_test_case G m "$G_CIPHERS" - print_test_case m m "$M_CIPHERS" + # PSK cipher suites do not allow client certificate verification. + SUB_VERIFIES=$VERIFIES + if [ "$TYPE" = "PSK" ]; then + SUB_VERIFIES="NO" + fi + + for VERIFY in $SUB_VERIFIES; do + VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]') + for MODE in $MODES; do + print_test_case m O "$O_CIPHERS" + print_test_case O m "$O_CIPHERS" + print_test_case m G "$G_CIPHERS" + print_test_case G m "$G_CIPHERS" + print_test_case m m "$M_CIPHERS" + done done done } @@ -184,6 +192,9 @@ get_options() { list_test_cases exit $? ;; + --min) + shift; MIN_TESTS=$1 + ;; --outcome-file) shift; MBEDTLS_TEST_OUTCOME_FILE=$1 ;; @@ -264,12 +275,6 @@ filter_ciphersuites() # Ciphersuite for GnuTLS G_CIPHERS=$( filter "$G_CIPHERS" ) fi - - # For GnuTLS client -> Mbed TLS server, - # we need to force IPv4 by connecting to 127.0.0.1 but then auth fails - if is_dtls "$MODE" && [ "X$VERIFY" = "XYES" ]; then - G_CIPHERS="" - fi } reset_ciphersuites() @@ -588,7 +593,18 @@ add_mbedtls_ciphersuites() # o_check_ciphersuite STANDARD_CIPHER_SUITE o_check_ciphersuite() { - if [ "${O_SUPPORT_ECDH}" = "NO" ]; then + # skip DTLS when lack of support was declared + if test "$OSSL_NO_DTLS" -gt 0 && is_dtls "$MODE"; then + SKIP_NEXT_="YES" + fi + + # skip DTLS 1.2 is support was not detected + if [ "$O_SUPPORT_DTLS12" = "NO" -a "$MODE" = "dtls12" ]; then + SKIP_NEXT="YES" + fi + + # skip static ECDH when OpenSSL doesn't support it + if [ "${O_SUPPORT_STATIC_ECDH}" = "NO" ]; then case "$1" in *ECDH_*) SKIP_NEXT="YES" esac @@ -597,6 +613,8 @@ o_check_ciphersuite() setup_arguments() { + DATA_FILES_PATH="../framework/data_files" + O_MODE="" G_MODE="" case "$MODE" in @@ -635,7 +653,7 @@ setup_arguments() # force it or not for intermediate versions. case $($OPENSSL version) in "OpenSSL 1.0"*) - O_SERVER_ARGS="$O_SERVER_ARGS -dhparam data_files/dhparams.pem" + O_SERVER_ARGS="$O_SERVER_ARGS -dhparam $DATA_FILES_PATH/dhparams.pem" ;; esac @@ -665,19 +683,34 @@ setup_arguments() esac case $($OPENSSL ciphers ALL) in - *ECDH-ECDSA*|*ECDH-RSA*) O_SUPPORT_ECDH="YES";; - *) O_SUPPORT_ECDH="NO";; + *ECDH-ECDSA*|*ECDH-RSA*) O_SUPPORT_STATIC_ECDH="YES";; + *) O_SUPPORT_STATIC_ECDH="NO";; esac + case $($OPENSSL ciphers ALL) in + *DES-CBC-*) O_SUPPORT_SINGLE_DES="YES";; + *) O_SUPPORT_SINGLE_DES="NO";; + esac + + # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL + # supports -dtls1_2 from the s_server help. (The s_client + # help isn't accurate as of 1.0.2g: it supports DTLS 1.2 + # but doesn't list it. But the s_server help seems to be + # accurate.) + O_SUPPORT_DTLS12="NO" + if $OPENSSL s_server -help 2>&1 | grep -q "^ *-dtls1_2 "; then + O_SUPPORT_DTLS12="YES" + fi + if [ "X$VERIFY" = "XYES" ]; then - M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required" - O_SERVER_ARGS="$O_SERVER_ARGS -CAfile data_files/test-ca_cat12.crt -Verify 10" - G_SERVER_ARGS="$G_SERVER_ARGS --x509cafile data_files/test-ca_cat12.crt --require-client-cert" + M_SERVER_ARGS="$M_SERVER_ARGS ca_file=$DATA_FILES_PATH/test-ca_cat12.crt auth_mode=required" + O_SERVER_ARGS="$O_SERVER_ARGS -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -Verify 10" + G_SERVER_ARGS="$G_SERVER_ARGS --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --require-client-cert" - M_CLIENT_ARGS="$M_CLIENT_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required" - O_CLIENT_ARGS="$O_CLIENT_ARGS -CAfile data_files/test-ca_cat12.crt -verify 10" - G_CLIENT_ARGS="$G_CLIENT_ARGS --x509cafile data_files/test-ca_cat12.crt" + M_CLIENT_ARGS="$M_CLIENT_ARGS ca_file=$DATA_FILES_PATH/test-ca_cat12.crt auth_mode=required" + O_CLIENT_ARGS="$O_CLIENT_ARGS -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -verify 10" + G_CLIENT_ARGS="$G_CLIENT_ARGS --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt" else # don't request a client cert at all M_SERVER_ARGS="$M_SERVER_ARGS ca_file=none auth_mode=none" @@ -690,28 +723,28 @@ setup_arguments() case $TYPE in "ECDSA") - M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server5.crt key_file=data_files/server5.key" - O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server5.crt -key data_files/server5.key" - G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key" + M_SERVER_ARGS="$M_SERVER_ARGS crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key" + O_SERVER_ARGS="$O_SERVER_ARGS -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" + G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile $DATA_FILES_PATH/server5.crt --x509keyfile $DATA_FILES_PATH/server5.key" if [ "X$VERIFY" = "XYES" ]; then - M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=data_files/server6.crt key_file=data_files/server6.key" - O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/server6.crt -key data_files/server6.key" - G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/server6.crt --x509keyfile data_files/server6.key" + M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=$DATA_FILES_PATH/server6.crt key_file=$DATA_FILES_PATH/server6.key" + O_CLIENT_ARGS="$O_CLIENT_ARGS -cert $DATA_FILES_PATH/server6.crt -key $DATA_FILES_PATH/server6.key" + G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile $DATA_FILES_PATH/server6.crt --x509keyfile $DATA_FILES_PATH/server6.key" else M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none" fi ;; "RSA") - M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key" - O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server2-sha256.crt -key data_files/server2.key" - G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key" + M_SERVER_ARGS="$M_SERVER_ARGS crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key" + O_SERVER_ARGS="$O_SERVER_ARGS -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key" + G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key" if [ "X$VERIFY" = "XYES" ]; then - M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=data_files/cert_sha256.crt key_file=data_files/server1.key" - O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/cert_sha256.crt -key data_files/server1.key" - G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/cert_sha256.crt --x509keyfile data_files/server1.key" + M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=$DATA_FILES_PATH/cert_sha256.crt key_file=$DATA_FILES_PATH/server1.key" + O_CLIENT_ARGS="$O_CLIENT_ARGS -cert $DATA_FILES_PATH/cert_sha256.crt -key $DATA_FILES_PATH/server1.key" + G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile $DATA_FILES_PATH/cert_sha256.crt --x509keyfile $DATA_FILES_PATH/server1.key" else M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none" fi @@ -720,9 +753,9 @@ setup_arguments() "PSK") # give RSA-PSK-capable server a RSA cert # (should be a separate type, but harder to close with openssl) - M_SERVER_ARGS="$M_SERVER_ARGS psk=6162636465666768696a6b6c6d6e6f70 ca_file=none crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key" + M_SERVER_ARGS="$M_SERVER_ARGS psk=6162636465666768696a6b6c6d6e6f70 ca_file=none crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key" O_SERVER_ARGS="$O_SERVER_ARGS -psk 6162636465666768696a6b6c6d6e6f70 -nocert" - G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --pskpasswd data_files/passwd.psk" + G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --pskpasswd $DATA_FILES_PATH/passwd.psk" M_CLIENT_ARGS="$M_CLIENT_ARGS psk=6162636465666768696a6b6c6d6e6f70 crt_file=none key_file=none" O_CLIENT_ARGS="$O_CLIENT_ARGS -psk 6162636465666768696a6b6c6d6e6f70" @@ -939,13 +972,7 @@ run_client() { ;; [Gg]nu*) - # need to force IPv4 with UDP, but keep localhost for auth - if is_dtls "$MODE"; then - G_HOST="127.0.0.1" - else - G_HOST="localhost" - fi - CLIENT_CMD="$GNUTLS_CLI $G_CLIENT_ARGS --priority $G_PRIO_MODE:$3 $G_HOST" + CLIENT_CMD="$GNUTLS_CLI $G_CLIENT_ARGS --priority $G_PRIO_MODE:$3 localhost" log "$CLIENT_CMD" echo "$CLIENT_CMD" > $CLI_OUT printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 & @@ -1115,19 +1142,6 @@ for MODE in $MODES; do [Oo]pen*) - if test "$OSSL_NO_DTLS" -gt 0 && is_dtls "$MODE"; then - continue; - fi - - # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL - # supports $O_MODE from the s_server help. (The s_client - # help isn't accurate as of 1.0.2g: it supports DTLS 1.2 - # but doesn't list it. But the s_server help seems to be - # accurate.) - if ! $OPENSSL s_server -help 2>&1 | grep -q "^ *-$O_MODE "; then - continue; - fi - reset_ciphersuites add_common_ciphersuites add_openssl_ciphersuites @@ -1231,6 +1245,16 @@ fi PASSED=$(( $TESTS - $FAILED )) echo " ($PASSED / $TESTS tests ($SKIPPED skipped$MEMREPORT))" +if [ $((TESTS - SKIPPED)) -lt $MIN_TESTS ]; then + cat < #endif +#include + #if defined(MBEDTLS_PSA_CRYPTO_C) /** Initialize the PSA Crypto subsystem. */ #define PSA_INIT() PSA_ASSERT(psa_crypto_init()) @@ -332,9 +334,18 @@ uint64_t mbedtls_test_parse_binary_string(data_t *bin_string); * This is like #PSA_DONE except it does nothing under the same conditions as * #USE_PSA_INIT. */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) +#if defined(MBEDTLS_USE_PSA_CRYPTO) #define USE_PSA_INIT() PSA_INIT() #define USE_PSA_DONE() PSA_DONE() +#elif defined(MBEDTLS_SSL_PROTO_TLS1_3) +/* TLS 1.3 must work without having called psa_crypto_init(), for backward + * compatibility with Mbed TLS <= 3.5 when connecting with a peer that + * supports both TLS 1.2 and TLS 1.3. See mbedtls_ssl_tls13_crypto_init() + * and https://github.com/Mbed-TLS/mbedtls/issues/9072 . */ +#define USE_PSA_INIT() ((void) 0) +/* TLS 1.3 may have initialized the PSA subsystem. Shut it down cleanly, + * otherwise Asan and Valgrind would notice a resource leak. */ +#define USE_PSA_DONE() PSA_DONE() #else /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ /* Define empty macros so that we can use them in the preamble and teardown * of every test function that uses PSA conditionally based on @@ -406,13 +417,12 @@ uint64_t mbedtls_test_parse_binary_string(data_t *bin_string); * This is like #PSA_DONE except it does nothing under the same conditions as * #MD_OR_USE_PSA_INIT. */ -#if defined(MBEDTLS_MD_SOME_PSA) || \ - defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) +#if defined(MBEDTLS_MD_SOME_PSA) #define MD_OR_USE_PSA_INIT() PSA_INIT() #define MD_OR_USE_PSA_DONE() PSA_DONE() #else -#define MD_OR_USE_PSA_INIT() ((void) 0) -#define MD_OR_USE_PSA_DONE() ((void) 0) +#define MD_OR_USE_PSA_INIT() USE_PSA_INIT() +#define MD_OR_USE_PSA_DONE() USE_PSA_DONE() #endif /** \def AES_PSA_INIT @@ -430,12 +440,32 @@ uint64_t mbedtls_test_parse_binary_string(data_t *bin_string); * This is like #PSA_DONE except it does nothing under the same conditions as * #AES_PSA_INIT. */ -#if defined(MBEDTLS_AES_C) -#define AES_PSA_INIT() ((void) 0) -#define AES_PSA_DONE() ((void) 0) -#else /* MBEDTLS_AES_C */ +#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO) #define AES_PSA_INIT() PSA_INIT() #define AES_PSA_DONE() PSA_DONE() -#endif /* MBEDTLS_AES_C */ +#else /* MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO */ +#define AES_PSA_INIT() ((void) 0) +#define AES_PSA_DONE() ((void) 0) +#endif /* MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO */ + +#if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) && \ + defined(MBEDTLS_CTR_DRBG_C) && \ + defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO) +/* When AES_C is not defined and PSA does not have an external RNG, + * then CTR_DRBG uses PSA to perform AES-ECB. In this scenario 1 key + * slot is used internally from PSA to hold the AES key and it should + * not be taken into account when evaluating remaining open slots. */ +#define MBEDTLS_TEST_PSA_INTERNAL_KEYS_FOR_DRBG 1 +#else +#define MBEDTLS_TEST_PSA_INTERNAL_KEYS_FOR_DRBG 0 +#endif + +/** The number of volatile keys that PSA crypto uses internally. + * + * We expect that many volatile keys to be in use after a successful + * psa_crypto_init(). + */ +#define MBEDTLS_TEST_PSA_INTERNAL_KEYS \ + MBEDTLS_TEST_PSA_INTERNAL_KEYS_FOR_DRBG #endif /* PSA_CRYPTO_HELPERS_H */ diff --git a/yass/third_party/mbedtls/tests/include/test/psa_test_wrappers.h b/yass/third_party/mbedtls/tests/include/test/psa_test_wrappers.h index ecf926eb07..134a547c85 100644 --- a/yass/third_party/mbedtls/tests/include/test/psa_test_wrappers.h +++ b/yass/third_party/mbedtls/tests/include/test/psa_test_wrappers.h @@ -17,7 +17,6 @@ extern "C" { !defined(RECORD_PSA_STATUS_COVERAGE_LOG) #include - #include #include #include @@ -262,12 +261,15 @@ psa_status_t mbedtls_test_wrap_psa_copy_key( #define psa_copy_key(arg0_source_key, arg1_attributes, arg2_target_key) \ mbedtls_test_wrap_psa_copy_key(arg0_source_key, arg1_attributes, arg2_target_key) +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_cipher_suite( const psa_crypto_driver_pake_inputs_t *arg0_inputs, psa_pake_cipher_suite_t *arg1_cipher_suite); #define psa_crypto_driver_pake_get_cipher_suite(arg0_inputs, arg1_cipher_suite) \ mbedtls_test_wrap_psa_crypto_driver_pake_get_cipher_suite(arg0_inputs, arg1_cipher_suite) +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_password( const psa_crypto_driver_pake_inputs_t *arg0_inputs, uint8_t *arg1_buffer, @@ -275,13 +277,17 @@ psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_password( size_t *arg3_buffer_length); #define psa_crypto_driver_pake_get_password(arg0_inputs, arg1_buffer, arg2_buffer_size, arg3_buffer_length) \ mbedtls_test_wrap_psa_crypto_driver_pake_get_password(arg0_inputs, arg1_buffer, arg2_buffer_size, arg3_buffer_length) +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_password_len( const psa_crypto_driver_pake_inputs_t *arg0_inputs, size_t *arg1_password_len); #define psa_crypto_driver_pake_get_password_len(arg0_inputs, arg1_password_len) \ mbedtls_test_wrap_psa_crypto_driver_pake_get_password_len(arg0_inputs, arg1_password_len) +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_peer( const psa_crypto_driver_pake_inputs_t *arg0_inputs, uint8_t *arg1_peer_id, @@ -289,13 +295,17 @@ psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_peer( size_t *arg3_peer_id_length); #define psa_crypto_driver_pake_get_peer(arg0_inputs, arg1_peer_id, arg2_peer_id_size, arg3_peer_id_length) \ mbedtls_test_wrap_psa_crypto_driver_pake_get_peer(arg0_inputs, arg1_peer_id, arg2_peer_id_size, arg3_peer_id_length) +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_peer_len( const psa_crypto_driver_pake_inputs_t *arg0_inputs, size_t *arg1_peer_len); #define psa_crypto_driver_pake_get_peer_len(arg0_inputs, arg1_peer_len) \ mbedtls_test_wrap_psa_crypto_driver_pake_get_peer_len(arg0_inputs, arg1_peer_len) +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_user( const psa_crypto_driver_pake_inputs_t *arg0_inputs, uint8_t *arg1_user_id, @@ -303,12 +313,15 @@ psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_user( size_t *arg3_user_id_len); #define psa_crypto_driver_pake_get_user(arg0_inputs, arg1_user_id, arg2_user_id_size, arg3_user_id_len) \ mbedtls_test_wrap_psa_crypto_driver_pake_get_user(arg0_inputs, arg1_user_id, arg2_user_id_size, arg3_user_id_len) +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_user_len( const psa_crypto_driver_pake_inputs_t *arg0_inputs, size_t *arg1_user_len); #define psa_crypto_driver_pake_get_user_len(arg0_inputs, arg1_user_len) \ mbedtls_test_wrap_psa_crypto_driver_pake_get_user_len(arg0_inputs, arg1_user_len) +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ psa_status_t mbedtls_test_wrap_psa_crypto_init(void); #define psa_crypto_init() \ @@ -341,6 +354,15 @@ psa_status_t mbedtls_test_wrap_psa_generate_key( #define psa_generate_key(arg0_attributes, arg1_key) \ mbedtls_test_wrap_psa_generate_key(arg0_attributes, arg1_key) +psa_status_t mbedtls_test_wrap_psa_generate_key_custom( + const psa_key_attributes_t *arg0_attributes, + const psa_custom_key_parameters_t *arg1_custom, + const uint8_t *arg2_custom_data, + size_t arg3_custom_data_length, + mbedtls_svc_key_id_t *arg4_key); +#define psa_generate_key_custom(arg0_attributes, arg1_custom, arg2_custom_data, arg3_custom_data_length, arg4_key) \ + mbedtls_test_wrap_psa_generate_key_custom(arg0_attributes, arg1_custom, arg2_custom_data, arg3_custom_data_length, arg4_key) + psa_status_t mbedtls_test_wrap_psa_generate_key_ext( const psa_key_attributes_t *arg0_attributes, const psa_key_production_parameters_t *arg1_params, @@ -483,6 +505,16 @@ psa_status_t mbedtls_test_wrap_psa_key_derivation_output_key( #define psa_key_derivation_output_key(arg0_attributes, arg1_operation, arg2_key) \ mbedtls_test_wrap_psa_key_derivation_output_key(arg0_attributes, arg1_operation, arg2_key) +psa_status_t mbedtls_test_wrap_psa_key_derivation_output_key_custom( + const psa_key_attributes_t *arg0_attributes, + psa_key_derivation_operation_t *arg1_operation, + const psa_custom_key_parameters_t *arg2_custom, + const uint8_t *arg3_custom_data, + size_t arg4_custom_data_length, + mbedtls_svc_key_id_t *arg5_key); +#define psa_key_derivation_output_key_custom(arg0_attributes, arg1_operation, arg2_custom, arg3_custom_data, arg4_custom_data_length, arg5_key) \ + mbedtls_test_wrap_psa_key_derivation_output_key_custom(arg0_attributes, arg1_operation, arg2_custom, arg3_custom_data, arg4_custom_data_length, arg5_key) + psa_status_t mbedtls_test_wrap_psa_key_derivation_output_key_ext( const psa_key_attributes_t *arg0_attributes, psa_key_derivation_operation_t *arg1_operation, @@ -566,17 +598,22 @@ psa_status_t mbedtls_test_wrap_psa_mac_verify_setup( #define psa_mac_verify_setup(arg0_operation, arg1_key, arg2_alg) \ mbedtls_test_wrap_psa_mac_verify_setup(arg0_operation, arg1_key, arg2_alg) +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_pake_abort( psa_pake_operation_t *arg0_operation); #define psa_pake_abort(arg0_operation) \ mbedtls_test_wrap_psa_pake_abort(arg0_operation) +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_pake_get_implicit_key( psa_pake_operation_t *arg0_operation, psa_key_derivation_operation_t *arg1_output); #define psa_pake_get_implicit_key(arg0_operation, arg1_output) \ mbedtls_test_wrap_psa_pake_get_implicit_key(arg0_operation, arg1_output) +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_pake_input( psa_pake_operation_t *arg0_operation, psa_pake_step_t arg1_step, @@ -584,7 +621,9 @@ psa_status_t mbedtls_test_wrap_psa_pake_input( size_t arg3_input_length); #define psa_pake_input(arg0_operation, arg1_step, arg2_input, arg3_input_length) \ mbedtls_test_wrap_psa_pake_input(arg0_operation, arg1_step, arg2_input, arg3_input_length) +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_pake_output( psa_pake_operation_t *arg0_operation, psa_pake_step_t arg1_step, @@ -593,38 +632,49 @@ psa_status_t mbedtls_test_wrap_psa_pake_output( size_t *arg4_output_length); #define psa_pake_output(arg0_operation, arg1_step, arg2_output, arg3_output_size, arg4_output_length) \ mbedtls_test_wrap_psa_pake_output(arg0_operation, arg1_step, arg2_output, arg3_output_size, arg4_output_length) +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_pake_set_password_key( psa_pake_operation_t *arg0_operation, mbedtls_svc_key_id_t arg1_password); #define psa_pake_set_password_key(arg0_operation, arg1_password) \ mbedtls_test_wrap_psa_pake_set_password_key(arg0_operation, arg1_password) +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_pake_set_peer( psa_pake_operation_t *arg0_operation, const uint8_t *arg1_peer_id, size_t arg2_peer_id_len); #define psa_pake_set_peer(arg0_operation, arg1_peer_id, arg2_peer_id_len) \ mbedtls_test_wrap_psa_pake_set_peer(arg0_operation, arg1_peer_id, arg2_peer_id_len) +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_pake_set_role( psa_pake_operation_t *arg0_operation, psa_pake_role_t arg1_role); #define psa_pake_set_role(arg0_operation, arg1_role) \ mbedtls_test_wrap_psa_pake_set_role(arg0_operation, arg1_role) +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_pake_set_user( psa_pake_operation_t *arg0_operation, const uint8_t *arg1_user_id, size_t arg2_user_id_len); #define psa_pake_set_user(arg0_operation, arg1_user_id, arg2_user_id_len) \ mbedtls_test_wrap_psa_pake_set_user(arg0_operation, arg1_user_id, arg2_user_id_len) +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_pake_setup( psa_pake_operation_t *arg0_operation, const psa_pake_cipher_suite_t *arg1_cipher_suite); #define psa_pake_setup(arg0_operation, arg1_cipher_suite) \ mbedtls_test_wrap_psa_pake_setup(arg0_operation, arg1_cipher_suite) +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ psa_status_t mbedtls_test_wrap_psa_purge_key( mbedtls_svc_key_id_t arg0_key); diff --git a/yass/third_party/mbedtls/tests/opt-testcases/tls13-compat.sh b/yass/third_party/mbedtls/tests/opt-testcases/tls13-compat.sh index 9cf2550a06..b3a02953a2 100755 --- a/yass/third_party/mbedtls/tests/opt-testcases/tls13-compat.sh +++ b/yass/third_party/mbedtls/tests/opt-testcases/tls13-compat.sh @@ -13,6 +13,8 @@ # PLEASE DO NOT EDIT THIS FILE. IF NEEDED, PLEASE MODIFY `generate_tls13_compat_tests.py` # AND REGENERATE THIS FILE. # + +DATA_FILES_PATH=../framework/data_files requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED @@ -20,8 +22,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -37,8 +39,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -54,8 +56,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -72,8 +74,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,secp256r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -89,8 +91,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -106,8 +108,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -123,8 +125,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -141,8 +143,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,secp384r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -158,8 +160,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -175,8 +177,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -192,8 +194,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -210,8 +212,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,secp521r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -227,8 +229,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,x25519,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -244,8 +246,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,x25519,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -261,8 +263,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,x25519,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -279,8 +281,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,x25519,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -296,8 +298,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,x448,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -313,8 +315,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,x448,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -330,8 +332,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,x448,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -348,8 +350,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,x448,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -366,8 +368,8 @@ requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -384,8 +386,8 @@ requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -402,8 +404,8 @@ requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -421,8 +423,8 @@ requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_128_GCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -438,8 +440,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,secp256r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -455,8 +457,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,secp256r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -472,8 +474,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,secp256r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -490,8 +492,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,secp256r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -507,8 +509,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,secp384r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -524,8 +526,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,secp384r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -541,8 +543,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,secp384r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -559,8 +561,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,secp384r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -576,8 +578,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,secp521r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -593,8 +595,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,secp521r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -610,8 +612,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,secp521r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -628,8 +630,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,secp521r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -645,8 +647,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,x25519,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -662,8 +664,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,x25519,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -679,8 +681,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,x25519,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -697,8 +699,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,x25519,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -714,8 +716,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,x448,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -731,8 +733,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,x448,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -748,8 +750,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,x448,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -766,8 +768,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,x448,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -784,8 +786,8 @@ requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -802,8 +804,8 @@ requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -820,8 +822,8 @@ requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -839,8 +841,8 @@ requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_256_GCM_SHA384,ffdhe2048,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -856,8 +858,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -873,8 +875,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -890,8 +892,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -908,8 +910,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,secp256r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -925,8 +927,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -942,8 +944,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -959,8 +961,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -977,8 +979,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,secp384r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -994,8 +996,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -1011,8 +1013,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -1028,8 +1030,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -1046,8 +1048,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,secp521r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -1063,8 +1065,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -1080,8 +1082,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -1097,8 +1099,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -1115,8 +1117,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,x25519,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -1132,8 +1134,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -1149,8 +1151,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -1166,8 +1168,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -1184,8 +1186,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,x448,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -1202,8 +1204,8 @@ requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -1220,8 +1222,8 @@ requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -1238,8 +1240,8 @@ requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -1257,8 +1259,8 @@ requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: CHACHA20_POLY1305_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -1274,8 +1276,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -1291,8 +1293,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -1308,8 +1310,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -1326,8 +1328,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,secp256r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -1343,8 +1345,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -1360,8 +1362,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -1377,8 +1379,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -1395,8 +1397,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,secp384r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -1412,8 +1414,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -1429,8 +1431,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -1446,8 +1448,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -1464,8 +1466,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,secp521r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -1481,8 +1483,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,x25519,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -1498,8 +1500,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,x25519,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -1515,8 +1517,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,x25519,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -1533,8 +1535,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,x25519,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -1550,8 +1552,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,x448,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -1567,8 +1569,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,x448,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -1584,8 +1586,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,x448,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -1602,8 +1604,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,x448,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -1620,8 +1622,8 @@ requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -1638,8 +1640,8 @@ requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -1656,8 +1658,8 @@ requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -1675,8 +1677,8 @@ requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_128_CCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -1692,8 +1694,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -1709,8 +1711,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -1726,8 +1728,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -1744,8 +1746,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,secp256r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -1761,8 +1763,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -1778,8 +1780,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -1795,8 +1797,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -1813,8 +1815,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,secp384r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -1830,8 +1832,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -1847,8 +1849,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -1864,8 +1866,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -1882,8 +1884,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,secp521r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -1899,8 +1901,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,x25519,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -1916,8 +1918,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,x25519,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -1933,8 +1935,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,x25519,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -1951,8 +1953,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,x25519,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -1968,8 +1970,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,x448,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -1985,8 +1987,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,x448,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -2002,8 +2004,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,x448,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -2020,8 +2022,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,x448,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -2038,8 +2040,8 @@ requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -2056,8 +2058,8 @@ requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -2074,8 +2076,8 @@ requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -2093,8 +2095,8 @@ requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: AES_128_CCM_8_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -2112,8 +2114,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -2131,8 +2133,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -2150,8 +2152,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -2170,8 +2172,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,secp256r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -2189,8 +2191,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -2208,8 +2210,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -2227,8 +2229,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -2247,8 +2249,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,secp384r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -2266,8 +2268,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -2285,8 +2287,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -2304,8 +2306,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -2324,8 +2326,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,secp521r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -2343,8 +2345,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,x25519,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -2362,8 +2364,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,x25519,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -2381,8 +2383,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,x25519,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -2401,8 +2403,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,x25519,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -2420,8 +2422,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,x448,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -2439,8 +2441,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,x448,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -2458,8 +2460,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,x448,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -2478,8 +2480,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,x448,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -2498,8 +2500,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -2518,8 +2520,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -2538,8 +2540,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -2559,8 +2561,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -2578,8 +2580,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,secp256r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -2597,8 +2599,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,secp256r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -2616,8 +2618,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,secp256r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -2636,8 +2638,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,secp256r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -2655,8 +2657,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,secp384r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -2674,8 +2676,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,secp384r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -2693,8 +2695,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,secp384r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -2713,8 +2715,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,secp384r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -2732,8 +2734,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,secp521r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -2751,8 +2753,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,secp521r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -2770,8 +2772,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,secp521r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -2790,8 +2792,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,secp521r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -2809,8 +2811,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,x25519,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -2828,8 +2830,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,x25519,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -2847,8 +2849,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,x25519,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -2867,8 +2869,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,x25519,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -2886,8 +2888,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,x448,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -2905,8 +2907,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,x448,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -2924,8 +2926,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,x448,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -2944,8 +2946,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,x448,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -2964,8 +2966,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -2984,8 +2986,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -3004,8 +3006,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -3025,8 +3027,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_256_GCM_SHA384,ffdhe2048,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -3044,8 +3046,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -3063,8 +3065,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -3082,8 +3084,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -3102,8 +3104,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,secp256r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -3121,8 +3123,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -3140,8 +3142,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -3159,8 +3161,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -3179,8 +3181,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,secp384r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -3198,8 +3200,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -3217,8 +3219,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -3236,8 +3238,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -3256,8 +3258,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,secp521r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -3275,8 +3277,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -3294,8 +3296,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -3313,8 +3315,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -3333,8 +3335,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,x25519,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -3352,8 +3354,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -3371,8 +3373,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -3390,8 +3392,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -3410,8 +3412,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,x448,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -3430,8 +3432,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -3450,8 +3452,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -3470,8 +3472,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -3491,8 +3493,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: CHACHA20_POLY1305_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -3510,8 +3512,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -3529,8 +3531,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -3548,8 +3550,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -3568,8 +3570,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,secp256r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -3587,8 +3589,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -3606,8 +3608,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -3625,8 +3627,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -3645,8 +3647,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,secp384r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -3664,8 +3666,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -3683,8 +3685,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -3702,8 +3704,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -3722,8 +3724,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,secp521r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -3741,8 +3743,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,x25519,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -3760,8 +3762,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,x25519,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -3779,8 +3781,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,x25519,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -3799,8 +3801,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,x25519,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -3818,8 +3820,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,x448,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -3837,8 +3839,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,x448,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -3856,8 +3858,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,x448,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -3876,8 +3878,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,x448,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -3896,8 +3898,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -3916,8 +3918,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -3936,8 +3938,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -3957,8 +3959,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -3976,8 +3978,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -3995,8 +3997,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -4014,8 +4016,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -4034,8 +4036,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,secp256r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -4053,8 +4055,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -4072,8 +4074,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -4091,8 +4093,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -4111,8 +4113,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,secp384r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -4130,8 +4132,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -4149,8 +4151,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -4168,8 +4170,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -4188,8 +4190,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,secp521r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -4207,8 +4209,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,x25519,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -4226,8 +4228,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,x25519,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -4245,8 +4247,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,x25519,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -4265,8 +4267,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,x25519,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -4284,8 +4286,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,x448,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -4303,8 +4305,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,x448,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -4322,8 +4324,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,x448,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -4342,8 +4344,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,x448,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -4362,8 +4364,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -4382,8 +4384,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -4402,8 +4404,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -4423,8 +4425,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_CCM_8_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -4440,8 +4442,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4458,8 +4460,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4476,8 +4478,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4495,8 +4497,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,secp256r1,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4513,8 +4515,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4531,8 +4533,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4549,8 +4551,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4568,8 +4570,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,secp384r1,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4586,8 +4588,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4604,8 +4606,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4622,8 +4624,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4641,8 +4643,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,secp521r1,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4659,8 +4661,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,x25519,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4677,8 +4679,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,x25519,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4695,8 +4697,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,x25519,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4714,8 +4716,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,x25519,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4732,8 +4734,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,x448,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4750,8 +4752,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,x448,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4768,8 +4770,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,x448,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4787,8 +4789,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,x448,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4806,8 +4808,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4825,8 +4827,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4844,8 +4846,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4864,8 +4866,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_128_GCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4882,8 +4884,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,secp256r1,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4900,8 +4902,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,secp256r1,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4918,8 +4920,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,secp256r1,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4937,8 +4939,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,secp256r1,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4955,8 +4957,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,secp384r1,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4973,8 +4975,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,secp384r1,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -4991,8 +4993,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,secp384r1,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5010,8 +5012,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,secp384r1,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5028,8 +5030,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,secp521r1,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5046,8 +5048,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,secp521r1,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5064,8 +5066,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,secp521r1,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5083,8 +5085,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,secp521r1,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5101,8 +5103,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,x25519,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5119,8 +5121,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,x25519,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5137,8 +5139,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,x25519,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5156,8 +5158,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,x25519,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5174,8 +5176,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,x448,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5192,8 +5194,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,x448,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5210,8 +5212,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,x448,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5229,8 +5231,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,x448,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5248,8 +5250,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5267,8 +5269,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5286,8 +5288,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5306,8 +5308,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_256_GCM_SHA384,ffdhe2048,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5324,8 +5326,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5342,8 +5344,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5360,8 +5362,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5379,8 +5381,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,secp256r1,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5397,8 +5399,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5415,8 +5417,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5433,8 +5435,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5452,8 +5454,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,secp384r1,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5470,8 +5472,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5488,8 +5490,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5506,8 +5508,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5525,8 +5527,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,secp521r1,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5543,8 +5545,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5561,8 +5563,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5579,8 +5581,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5598,8 +5600,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,x25519,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5616,8 +5618,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5634,8 +5636,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5652,8 +5654,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5671,8 +5673,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,x448,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5690,8 +5692,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5709,8 +5711,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5728,8 +5730,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5748,8 +5750,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: CHACHA20_POLY1305_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5766,8 +5768,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5784,8 +5786,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5802,8 +5804,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5821,8 +5823,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,secp256r1,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5839,8 +5841,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5857,8 +5859,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5875,8 +5877,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5894,8 +5896,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,secp384r1,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5912,8 +5914,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5930,8 +5932,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5948,8 +5950,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5967,8 +5969,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,secp521r1,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -5985,8 +5987,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,x25519,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6003,8 +6005,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,x25519,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6021,8 +6023,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,x25519,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6040,8 +6042,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,x25519,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6058,8 +6060,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,x448,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6076,8 +6078,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,x448,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6094,8 +6096,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,x448,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6113,8 +6115,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,x448,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6132,8 +6134,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6151,8 +6153,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6170,8 +6172,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6190,8 +6192,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_128_CCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_CCM_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6208,8 +6210,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6226,8 +6228,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6244,8 +6246,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6263,8 +6265,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,secp256r1,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6281,8 +6283,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6299,8 +6301,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6317,8 +6319,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6336,8 +6338,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,secp384r1,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6354,8 +6356,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6372,8 +6374,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6390,8 +6392,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6409,8 +6411,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,secp521r1,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6427,8 +6429,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,x25519,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6445,8 +6447,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,x25519,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6463,8 +6465,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,x25519,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6482,8 +6484,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,x25519,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6500,8 +6502,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,x448,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6518,8 +6520,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,x448,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6536,8 +6538,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,x448,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6555,8 +6557,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,x448,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6574,8 +6576,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6593,8 +6595,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp384r1.crt -key $DATA_FILES_PATH/ecdsa_secp384r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp384r1_sha384 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6612,8 +6614,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp521r1.crt -key $DATA_FILES_PATH/ecdsa_secp521r1.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs ecdsa_secp521r1_sha512 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6632,8 +6634,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: AES_128_CCM_8_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -ciphersuites TLS_AES_128_CCM_8_SHA256 -sigalgs rsa_pss_rsae_sha256 -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -6652,8 +6654,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -6672,8 +6674,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -6692,8 +6694,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -6713,8 +6715,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,secp256r1,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -6733,8 +6735,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -6753,8 +6755,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -6773,8 +6775,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -6794,8 +6796,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,secp384r1,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -6814,8 +6816,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -6834,8 +6836,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -6854,8 +6856,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -6875,8 +6877,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,secp521r1,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -6895,8 +6897,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,x25519,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -6915,8 +6917,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,x25519,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -6935,8 +6937,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,x25519,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -6956,8 +6958,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,x25519,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -6976,8 +6978,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,x448,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -6996,8 +6998,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,x448,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7016,8 +7018,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,x448,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7037,8 +7039,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,x448,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7058,8 +7060,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7079,8 +7081,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7100,8 +7102,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7122,8 +7124,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7142,8 +7144,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,secp256r1,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7162,8 +7164,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,secp256r1,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7182,8 +7184,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,secp256r1,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7203,8 +7205,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,secp256r1,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7223,8 +7225,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,secp384r1,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7243,8 +7245,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,secp384r1,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7263,8 +7265,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,secp384r1,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7284,8 +7286,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,secp384r1,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7304,8 +7306,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,secp521r1,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7324,8 +7326,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,secp521r1,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7344,8 +7346,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,secp521r1,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7365,8 +7367,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,secp521r1,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7385,8 +7387,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,x25519,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7405,8 +7407,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,x25519,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7425,8 +7427,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,x25519,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7446,8 +7448,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,x25519,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7466,8 +7468,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,x448,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7486,8 +7488,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,x448,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7506,8 +7508,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,x448,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7527,8 +7529,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,x448,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7548,8 +7550,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7569,8 +7571,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7590,8 +7592,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7612,8 +7614,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_256_GCM_SHA384,ffdhe2048,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-256-GCM:+SHA384:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7632,8 +7634,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7652,8 +7654,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7672,8 +7674,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7693,8 +7695,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,secp256r1,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7713,8 +7715,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7733,8 +7735,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7753,8 +7755,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7774,8 +7776,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,secp384r1,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7794,8 +7796,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7814,8 +7816,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7834,8 +7836,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7855,8 +7857,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,secp521r1,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7875,8 +7877,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7895,8 +7897,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7915,8 +7917,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7936,8 +7938,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,x25519,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7956,8 +7958,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7976,8 +7978,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -7996,8 +7998,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8017,8 +8019,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,x448,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8038,8 +8040,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8059,8 +8061,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8080,8 +8082,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8102,8 +8104,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: CHACHA20_POLY1305_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+CHACHA20-POLY1305:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8122,8 +8124,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8142,8 +8144,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8162,8 +8164,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8183,8 +8185,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,secp256r1,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8203,8 +8205,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8223,8 +8225,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8243,8 +8245,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8264,8 +8266,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,secp384r1,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8284,8 +8286,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8304,8 +8306,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8324,8 +8326,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8345,8 +8347,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,secp521r1,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8365,8 +8367,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,x25519,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8385,8 +8387,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,x25519,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8405,8 +8407,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,x25519,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8426,8 +8428,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,x25519,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8446,8 +8448,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,x448,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8466,8 +8468,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,x448,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8486,8 +8488,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,x448,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8507,8 +8509,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,x448,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8528,8 +8530,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8549,8 +8551,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8570,8 +8572,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8592,8 +8594,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_128_CCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-CCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8612,8 +8614,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8632,8 +8634,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8652,8 +8654,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8673,8 +8675,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,secp256r1,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8693,8 +8695,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8713,8 +8715,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8733,8 +8735,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8754,8 +8756,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,secp384r1,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8774,8 +8776,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8794,8 +8796,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8814,8 +8816,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8835,8 +8837,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,secp521r1,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8855,8 +8857,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,x25519,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8875,8 +8877,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,x25519,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8895,8 +8897,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,x25519,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8916,8 +8918,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,x25519,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8936,8 +8938,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,x448,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8956,8 +8958,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,x448,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8976,8 +8978,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,x448,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -8997,8 +8999,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,x448,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -9018,8 +9020,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -9039,8 +9041,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp384r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp384r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP384R1-SHA384:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -9060,8 +9062,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp521r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp521r1.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-ECDSA-SECP521R1-SHA512:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -9082,8 +9084,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: AES_128_CCM_8_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-CCM-8:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -9104,8 +9106,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -9130,8 +9132,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -9156,8 +9158,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -9184,8 +9186,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,secp256r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -9210,8 +9212,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -9236,8 +9238,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -9262,8 +9264,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -9290,8 +9292,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,secp384r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -9316,8 +9318,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -9342,8 +9344,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -9368,8 +9370,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -9396,8 +9398,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,secp521r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -9422,8 +9424,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,x25519,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -9448,8 +9450,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,x25519,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -9474,8 +9476,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,x25519,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -9502,8 +9504,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,x25519,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -9528,8 +9530,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,x448,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -9554,8 +9556,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,x448,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -9580,8 +9582,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,x448,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -9608,8 +9610,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,x448,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -9636,8 +9638,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -9664,8 +9666,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -9692,8 +9694,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -9722,8 +9724,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_128_GCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -9748,8 +9750,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,secp256r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -9774,8 +9776,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,secp256r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -9800,8 +9802,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,secp256r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -9828,8 +9830,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,secp256r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -9854,8 +9856,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,secp384r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -9880,8 +9882,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,secp384r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -9906,8 +9908,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,secp384r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -9934,8 +9936,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,secp384r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -9960,8 +9962,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,secp521r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -9986,8 +9988,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,secp521r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -10012,8 +10014,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,secp521r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -10040,8 +10042,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,secp521r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -10066,8 +10068,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,x25519,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -10092,8 +10094,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,x25519,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -10118,8 +10120,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,x25519,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -10146,8 +10148,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,x25519,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -10172,8 +10174,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,x448,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -10198,8 +10200,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,x448,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -10224,8 +10226,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,x448,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -10252,8 +10254,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,x448,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -10280,8 +10282,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -10308,8 +10310,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -10336,8 +10338,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,ffdhe2048,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -10366,8 +10368,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_256_GCM_SHA384,ffdhe2048,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-256-GCM-SHA384 ( id=4866 )" \ @@ -10392,8 +10394,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -10418,8 +10420,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -10444,8 +10446,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -10472,8 +10474,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,secp256r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -10498,8 +10500,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -10524,8 +10526,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -10550,8 +10552,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -10578,8 +10580,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,secp384r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -10604,8 +10606,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -10630,8 +10632,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -10656,8 +10658,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -10684,8 +10686,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,secp521r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -10710,8 +10712,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -10736,8 +10738,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -10762,8 +10764,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,x25519,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -10790,8 +10792,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,x25519,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -10816,8 +10818,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -10842,8 +10844,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -10868,8 +10870,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,x448,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -10896,8 +10898,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,x448,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -10924,8 +10926,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -10952,8 +10954,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -10980,8 +10982,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -11010,8 +11012,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: CHACHA20_POLY1305_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-CHACHA20-POLY1305-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-CHACHA20-POLY1305-SHA256 ( id=4867 )" \ @@ -11036,8 +11038,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -11062,8 +11064,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -11088,8 +11090,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -11116,8 +11118,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,secp256r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -11142,8 +11144,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -11168,8 +11170,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -11194,8 +11196,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -11222,8 +11224,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,secp384r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -11248,8 +11250,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -11274,8 +11276,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -11300,8 +11302,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -11328,8 +11330,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,secp521r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -11354,8 +11356,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,x25519,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -11380,8 +11382,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,x25519,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -11406,8 +11408,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,x25519,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -11434,8 +11436,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,x25519,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -11460,8 +11462,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,x448,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -11486,8 +11488,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,x448,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -11512,8 +11514,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,x448,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -11540,8 +11542,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,x448,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -11568,8 +11570,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -11596,8 +11598,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -11624,8 +11626,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -11654,8 +11656,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_128_CCM_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-SHA256 ( id=4868 )" \ @@ -11680,8 +11682,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -11706,8 +11708,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp256r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -11732,8 +11734,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,secp256r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp256r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -11760,8 +11762,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,secp256r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp256r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -11786,8 +11788,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -11812,8 +11814,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp384r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -11838,8 +11840,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,secp384r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp384r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -11866,8 +11868,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,secp384r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp384r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -11892,8 +11894,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -11918,8 +11920,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=secp521r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -11944,8 +11946,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,secp521r1,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=secp521r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -11972,8 +11974,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,secp521r1,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=secp521r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -11998,8 +12000,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,x25519,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x25519" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -12024,8 +12026,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,x25519,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x25519" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -12050,8 +12052,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,x25519,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x25519" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -12078,8 +12080,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,x25519,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x25519" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -12104,8 +12106,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,x448,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=x448" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -12130,8 +12132,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,x448,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=x448" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -12156,8 +12158,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,x448,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=x448" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -12184,8 +12186,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,x448,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=x448" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -12212,8 +12214,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp256r1_sha256" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -12240,8 +12242,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp384r1_sha384" \ - "$P_SRV crt_file=data_files/ecdsa_secp384r1.crt key_file=data_files/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp384r1_sha384 groups=ffdhe2048" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -12268,8 +12270,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,ffdhe2048,ecdsa_secp521r1_sha512" \ - "$P_SRV crt_file=data_files/ecdsa_secp521r1.crt key_file=data_files/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=ecdsa_secp521r1_sha512 groups=ffdhe2048" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -12298,8 +12300,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: AES_128_CCM_8_SHA256,ffdhe2048,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe2048" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-CCM-8-SHA256 ( id=4869 )" \ @@ -12320,8 +12322,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: HRR secp256r1 -> secp384r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-256:P-384 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-256:P-384 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp384r1(0018)" \ @@ -12335,8 +12337,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: HRR secp256r1 -> secp521r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-256:P-521 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-256:P-521 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp521r1(0019)" \ @@ -12350,8 +12352,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: HRR secp256r1 -> x25519" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-256:X25519 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-256:X25519 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x25519(001d)" \ @@ -12365,8 +12367,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: HRR secp256r1 -> x448" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-256:X448 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-256:X448 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x448(001e)" \ @@ -12381,8 +12383,8 @@ requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: HRR secp256r1 -> ffdhe2048" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-256:ffdhe2048 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-256:ffdhe2048 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: ffdhe2048(0100)" \ @@ -12396,8 +12398,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: HRR secp384r1 -> secp256r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-384:P-256 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-384:P-256 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp256r1(0017)" \ @@ -12411,8 +12413,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: HRR secp384r1 -> secp521r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-384:P-521 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-384:P-521 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp521r1(0019)" \ @@ -12426,8 +12428,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: HRR secp384r1 -> x25519" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-384:X25519 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-384:X25519 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x25519(001d)" \ @@ -12441,8 +12443,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: HRR secp384r1 -> x448" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-384:X448 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-384:X448 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x448(001e)" \ @@ -12457,8 +12459,8 @@ requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: HRR secp384r1 -> ffdhe2048" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-384:ffdhe2048 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-384:ffdhe2048 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: ffdhe2048(0100)" \ @@ -12472,8 +12474,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: HRR secp521r1 -> secp256r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-521:P-256 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-521:P-256 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp256r1(0017)" \ @@ -12487,8 +12489,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: HRR secp521r1 -> secp384r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-521:P-384 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-521:P-384 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp384r1(0018)" \ @@ -12502,8 +12504,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: HRR secp521r1 -> x25519" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-521:X25519 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-521:X25519 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x25519(001d)" \ @@ -12517,8 +12519,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: HRR secp521r1 -> x448" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-521:X448 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-521:X448 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x448(001e)" \ @@ -12533,8 +12535,8 @@ requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: HRR secp521r1 -> ffdhe2048" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups P-521:ffdhe2048 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups P-521:ffdhe2048 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: ffdhe2048(0100)" \ @@ -12548,8 +12550,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: HRR x25519 -> secp256r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups X25519:P-256 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups X25519:P-256 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp256r1(0017)" \ @@ -12563,8 +12565,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: HRR x25519 -> secp384r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups X25519:P-384 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups X25519:P-384 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp384r1(0018)" \ @@ -12578,8 +12580,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: HRR x25519 -> secp521r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups X25519:P-521 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups X25519:P-521 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp521r1(0019)" \ @@ -12593,8 +12595,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: HRR x25519 -> x448" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups X25519:X448 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups X25519:X448 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x448(001e)" \ @@ -12609,8 +12611,8 @@ requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: HRR x25519 -> ffdhe2048" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups X25519:ffdhe2048 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups X25519:ffdhe2048 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: ffdhe2048(0100)" \ @@ -12624,8 +12626,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: HRR x448 -> secp256r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups X448:P-256 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups X448:P-256 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp256r1(0017)" \ @@ -12639,8 +12641,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: HRR x448 -> secp384r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups X448:P-384 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups X448:P-384 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp384r1(0018)" \ @@ -12654,8 +12656,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: HRR x448 -> secp521r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups X448:P-521 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups X448:P-521 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp521r1(0019)" \ @@ -12669,8 +12671,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3 run_test "TLS 1.3 O->m: HRR x448 -> x25519" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups X448:X25519 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups X448:X25519 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x25519(001d)" \ @@ -12685,8 +12687,8 @@ requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: HRR x448 -> ffdhe2048" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups X448:ffdhe2048 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups X448:ffdhe2048 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: ffdhe2048(0100)" \ @@ -12700,8 +12702,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: HRR ffdhe2048 -> secp256r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups ffdhe2048:P-256 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups ffdhe2048:P-256 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp256r1(0017)" \ @@ -12715,8 +12717,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: HRR ffdhe2048 -> secp384r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups ffdhe2048:P-384 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups ffdhe2048:P-384 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp384r1(0018)" \ @@ -12730,8 +12732,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: HRR ffdhe2048 -> secp521r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups ffdhe2048:P-521 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups ffdhe2048:P-521 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp521r1(0019)" \ @@ -12745,8 +12747,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: HRR ffdhe2048 -> x25519" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups ffdhe2048:X25519 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups ffdhe2048:X25519 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x25519(001d)" \ @@ -12760,8 +12762,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH requires_openssl_tls1_3_with_ffdh run_test "TLS 1.3 O->m: HRR ffdhe2048 -> x448" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$O_NEXT_CLI_NO_CERT -CAfile data_files/test-ca2.crt -groups ffdhe2048:X448 -msg -tls1_3" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$O_NEXT_CLI_NO_CERT -CAfile $DATA_FILES_PATH/test-ca2.crt -groups ffdhe2048:X448 -msg -tls1_3" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x448(001e)" \ @@ -12777,8 +12779,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR secp256r1 -> secp384r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp384r1(0018)" \ @@ -12794,8 +12796,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR secp256r1 -> secp521r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp521r1(0019)" \ @@ -12811,8 +12813,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR secp256r1 -> x25519" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x25519(001d)" \ @@ -12828,8 +12830,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR secp256r1 -> x448" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x448(001e)" \ @@ -12846,8 +12848,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR secp256r1 -> ffdhe2048" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: ffdhe2048(0100)" \ @@ -12863,8 +12865,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR secp384r1 -> secp256r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp256r1(0017)" \ @@ -12880,8 +12882,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR secp384r1 -> secp521r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp521r1(0019)" \ @@ -12897,8 +12899,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR secp384r1 -> x25519" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x25519(001d)" \ @@ -12914,8 +12916,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR secp384r1 -> x448" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x448(001e)" \ @@ -12932,8 +12934,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR secp384r1 -> ffdhe2048" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: ffdhe2048(0100)" \ @@ -12949,8 +12951,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR secp521r1 -> secp256r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp256r1(0017)" \ @@ -12966,8 +12968,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR secp521r1 -> secp384r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp384r1(0018)" \ @@ -12983,8 +12985,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR secp521r1 -> x25519" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x25519(001d)" \ @@ -13000,8 +13002,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR secp521r1 -> x448" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x448(001e)" \ @@ -13018,8 +13020,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR secp521r1 -> ffdhe2048" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: ffdhe2048(0100)" \ @@ -13035,8 +13037,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR x25519 -> secp256r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp256r1(0017)" \ @@ -13052,8 +13054,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR x25519 -> secp384r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp384r1(0018)" \ @@ -13069,8 +13071,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR x25519 -> secp521r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp521r1(0019)" \ @@ -13086,8 +13088,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR x25519 -> x448" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x448(001e)" \ @@ -13104,8 +13106,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR x25519 -> ffdhe2048" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: ffdhe2048(0100)" \ @@ -13121,8 +13123,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR x448 -> secp256r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp256r1(0017)" \ @@ -13138,8 +13140,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR x448 -> secp384r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp384r1(0018)" \ @@ -13155,8 +13157,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR x448 -> secp521r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp521r1(0019)" \ @@ -13172,8 +13174,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR x448 -> x25519" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x25519(001d)" \ @@ -13190,8 +13192,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR x448 -> ffdhe2048" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: ffdhe2048(0100)" \ @@ -13207,8 +13209,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR ffdhe2048 -> secp256r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp256r1(0017)" \ @@ -13224,8 +13226,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR ffdhe2048 -> secp384r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp384r1(0018)" \ @@ -13241,8 +13243,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR ffdhe2048 -> secp521r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp521r1(0019)" \ @@ -13258,8 +13260,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR ffdhe2048 -> x25519" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x25519(001d)" \ @@ -13275,8 +13277,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: HRR ffdhe2048 -> x448" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca2.crt --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x448(001e)" \ @@ -13290,8 +13292,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: HRR secp256r1 -> secp384r1" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,secp384r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13308,8 +13310,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: HRR secp256r1 -> secp521r1" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,secp521r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13326,8 +13328,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: HRR secp256r1 -> x25519" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,x25519" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,x25519" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13344,8 +13346,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: HRR secp256r1 -> x448" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,x448" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,x448" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13364,8 +13366,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: HRR secp256r1 -> ffdhe2048" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,ffdhe2048" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,ffdhe2048" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13382,8 +13384,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: HRR secp384r1 -> secp256r1" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,secp256r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13400,8 +13402,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: HRR secp384r1 -> secp521r1" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,secp521r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13418,8 +13420,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: HRR secp384r1 -> x25519" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,x25519" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,x25519" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13436,8 +13438,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: HRR secp384r1 -> x448" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,x448" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,x448" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13456,8 +13458,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: HRR secp384r1 -> ffdhe2048" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,ffdhe2048" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,ffdhe2048" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13474,8 +13476,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: HRR secp521r1 -> secp256r1" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,secp256r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13492,8 +13494,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: HRR secp521r1 -> secp384r1" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,secp384r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13510,8 +13512,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: HRR secp521r1 -> x25519" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,x25519" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,x25519" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13528,8 +13530,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: HRR secp521r1 -> x448" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,x448" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,x448" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13548,8 +13550,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: HRR secp521r1 -> ffdhe2048" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,ffdhe2048" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,ffdhe2048" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13566,8 +13568,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: HRR x25519 -> secp256r1" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp256r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13584,8 +13586,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: HRR x25519 -> secp384r1" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp384r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13602,8 +13604,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: HRR x25519 -> secp521r1" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp521r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13620,8 +13622,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: HRR x25519 -> x448" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,x448" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,x448" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13640,8 +13642,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: HRR x25519 -> ffdhe2048" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,ffdhe2048" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,ffdhe2048" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13658,8 +13660,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: HRR x448 -> secp256r1" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp256r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13676,8 +13678,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: HRR x448 -> secp384r1" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp384r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13694,8 +13696,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: HRR x448 -> secp521r1" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp521r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13712,8 +13714,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->O: HRR x448 -> x25519" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,x25519" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,x25519" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13732,8 +13734,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: HRR x448 -> ffdhe2048" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,ffdhe2048" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups ffdhe2048 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,ffdhe2048" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13752,8 +13754,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: HRR ffdhe2048 -> secp256r1" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp256r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13772,8 +13774,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: HRR ffdhe2048 -> secp384r1" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp384r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13792,8 +13794,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: HRR ffdhe2048 -> secp521r1" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp521r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13812,8 +13814,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: HRR ffdhe2048 -> x25519" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x25519" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x25519" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13832,8 +13834,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->O: HRR ffdhe2048 -> x448" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x448" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/ecdsa_secp256r1.crt -key $DATA_FILES_PATH/ecdsa_secp256r1.key -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x448" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "Protocol is TLSv1.3" \ @@ -13852,8 +13854,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: HRR secp256r1 -> secp384r1" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,secp384r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -13872,8 +13874,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: HRR secp256r1 -> secp521r1" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,secp521r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -13892,8 +13894,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: HRR secp256r1 -> x25519" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,x25519" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -13912,8 +13914,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: HRR secp256r1 -> x448" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,x448" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -13934,8 +13936,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: HRR secp256r1 -> ffdhe2048" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,ffdhe2048" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,ffdhe2048" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -13954,8 +13956,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: HRR secp384r1 -> secp256r1" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,secp256r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -13974,8 +13976,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: HRR secp384r1 -> secp521r1" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,secp521r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -13994,8 +13996,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: HRR secp384r1 -> x25519" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,x25519" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -14014,8 +14016,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: HRR secp384r1 -> x448" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,x448" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -14036,8 +14038,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: HRR secp384r1 -> ffdhe2048" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,ffdhe2048" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,ffdhe2048" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -14056,8 +14058,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: HRR secp521r1 -> secp256r1" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,secp256r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -14076,8 +14078,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: HRR secp521r1 -> secp384r1" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,secp384r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -14096,8 +14098,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: HRR secp521r1 -> x25519" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,x25519" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -14116,8 +14118,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: HRR secp521r1 -> x448" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,x448" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -14138,8 +14140,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: HRR secp521r1 -> ffdhe2048" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,ffdhe2048" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,ffdhe2048" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -14158,8 +14160,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: HRR x25519 -> secp256r1" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp256r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -14178,8 +14180,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: HRR x25519 -> secp384r1" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp384r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -14198,8 +14200,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: HRR x25519 -> secp521r1" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp521r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -14218,8 +14220,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: HRR x25519 -> x448" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,x448" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -14240,8 +14242,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: HRR x25519 -> ffdhe2048" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,ffdhe2048" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,ffdhe2048" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -14260,8 +14262,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: HRR x448 -> secp256r1" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp256r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -14280,8 +14282,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: HRR x448 -> secp384r1" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp384r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -14300,8 +14302,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: HRR x448 -> secp521r1" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp521r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -14320,8 +14322,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->G: HRR x448 -> x25519" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,x25519" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -14342,8 +14344,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: HRR x448 -> ffdhe2048" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,ffdhe2048" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-FFDHE2048:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,ffdhe2048" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -14364,8 +14366,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: HRR ffdhe2048 -> secp256r1" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP256R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp256r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -14386,8 +14388,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: HRR ffdhe2048 -> secp384r1" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP384R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp384r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -14408,8 +14410,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: HRR ffdhe2048 -> secp521r1" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-SECP521R1:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp521r1" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -14430,8 +14432,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: HRR ffdhe2048 -> x25519" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X25519:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x25519" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -14452,8 +14454,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->G: HRR ffdhe2048 -> x448" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/ecdsa_secp256r1.crt --x509keyfile $DATA_FILES_PATH/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+GROUP-X448:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x448" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -14474,8 +14476,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: HRR secp256r1 -> secp384r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,secp384r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,secp384r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp384r1(0018)" \ @@ -14499,8 +14501,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: HRR secp256r1 -> secp521r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,secp521r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,secp521r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp521r1(0019)" \ @@ -14524,8 +14526,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: HRR secp256r1 -> x25519" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,x25519" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,x25519" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x25519(001d)" \ @@ -14549,8 +14551,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: HRR secp256r1 -> x448" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,x448" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,x448" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x448(001e)" \ @@ -14577,8 +14579,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: HRR secp256r1 -> ffdhe2048" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,ffdhe2048" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1,ffdhe2048" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: ffdhe2048(0100)" \ @@ -14602,8 +14604,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: HRR secp384r1 -> secp256r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,secp256r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,secp256r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp256r1(0017)" \ @@ -14627,8 +14629,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: HRR secp384r1 -> secp521r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,secp521r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,secp521r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp521r1(0019)" \ @@ -14652,8 +14654,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: HRR secp384r1 -> x25519" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,x25519" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,x25519" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x25519(001d)" \ @@ -14677,8 +14679,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: HRR secp384r1 -> x448" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,x448" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,x448" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x448(001e)" \ @@ -14705,8 +14707,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: HRR secp384r1 -> ffdhe2048" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,ffdhe2048" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1,ffdhe2048" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: ffdhe2048(0100)" \ @@ -14730,8 +14732,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: HRR secp521r1 -> secp256r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,secp256r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,secp256r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp256r1(0017)" \ @@ -14755,8 +14757,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: HRR secp521r1 -> secp384r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,secp384r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,secp384r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp384r1(0018)" \ @@ -14780,8 +14782,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: HRR secp521r1 -> x25519" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,x25519" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,x25519" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x25519(001d)" \ @@ -14805,8 +14807,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: HRR secp521r1 -> x448" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,x448" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,x448" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x448(001e)" \ @@ -14833,8 +14835,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: HRR secp521r1 -> ffdhe2048" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,ffdhe2048" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1,ffdhe2048" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: ffdhe2048(0100)" \ @@ -14858,8 +14860,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: HRR x25519 -> secp256r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp256r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp256r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp256r1(0017)" \ @@ -14883,8 +14885,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: HRR x25519 -> secp384r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp384r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp384r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp384r1(0018)" \ @@ -14908,8 +14910,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: HRR x25519 -> secp521r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp521r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,secp521r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp521r1(0019)" \ @@ -14933,8 +14935,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: HRR x25519 -> x448" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,x448" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,x448" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x448(001e)" \ @@ -14961,8 +14963,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: HRR x25519 -> ffdhe2048" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,ffdhe2048" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519,ffdhe2048" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: ffdhe2048(0100)" \ @@ -14986,8 +14988,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: HRR x448 -> secp256r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp256r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp256r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp256r1(0017)" \ @@ -15011,8 +15013,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: HRR x448 -> secp384r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp384r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp384r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp384r1(0018)" \ @@ -15036,8 +15038,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: HRR x448 -> secp521r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp521r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,secp521r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp521r1(0019)" \ @@ -15061,8 +15063,8 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled PSA_WANT_ALG_ECDH run_test "TLS 1.3 m->m: HRR x448 -> x25519" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,x25519" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,x25519" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x25519(001d)" \ @@ -15089,8 +15091,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: HRR x448 -> ffdhe2048" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,ffdhe2048" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448,ffdhe2048" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: ffdhe2048(0100)" \ @@ -15116,8 +15118,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: HRR ffdhe2048 -> secp256r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp256r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp256r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp256r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp256r1(0017)" \ @@ -15143,8 +15145,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: HRR ffdhe2048 -> secp384r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp384r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp384r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp384r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp384r1(0018)" \ @@ -15170,8 +15172,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: HRR ffdhe2048 -> secp521r1" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp521r1" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=secp521r1 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,secp521r1" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: secp521r1(0019)" \ @@ -15197,8 +15199,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: HRR ffdhe2048 -> x25519" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x25519" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x25519 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x25519" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x25519(001d)" \ @@ -15224,8 +15226,8 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_2048 run_test "TLS 1.3 m->m: HRR ffdhe2048 -> x448" \ - "$P_SRV crt_file=data_files/ecdsa_secp256r1.crt key_file=data_files/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$P_CLI ca_file=data_files/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x448" \ + "$P_SRV crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=x448 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca2.crt debug_level=4 sig_algs=ecdsa_secp256r1_sha256 groups=ffdhe2048,x448" \ 0 \ -s "Protocol is TLSv1.3" \ -s "got named group: x448(001e)" \ diff --git a/yass/third_party/mbedtls/tests/opt-testcases/tls13-kex-modes.sh b/yass/third_party/mbedtls/tests/opt-testcases/tls13-kex-modes.sh index 49f06e0715..782bda2283 100755 --- a/yass/third_party/mbedtls/tests/opt-testcases/tls13-kex-modes.sh +++ b/yass/third_party/mbedtls/tests/opt-testcases/tls13-kex-modes.sh @@ -1460,8 +1460,10 @@ run_test "TLS 1.3: O->m: all/psk_or_ephemeral, fail, key material mismatch" \ -S "key exchange mode: ephemeral" requires_openssl_tls1_3_with_compatible_ephemeral -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ + PSA_WANT_ALG_ECDH PSA_WANT_ECC_SECP_R1_256 run_test "TLS 1.3: O->m: psk_ephemeral group(secp256r1) check, good" \ "$P_SRV tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70" \ "$O_NEXT_CLI -tls1_3 -msg -allow_no_dhe_kex -groups P-256 \ @@ -1473,8 +1475,10 @@ run_test "TLS 1.3: O->m: psk_ephemeral group(secp256r1) check, good" \ -S "key exchange mode: ephemeral" requires_openssl_tls1_3_with_compatible_ephemeral -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ + PSA_WANT_ALG_ECDH PSA_WANT_ECC_SECP_R1_384 run_test "TLS 1.3: O->m: psk_ephemeral group(secp384r1) check, good" \ "$P_SRV tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70" \ "$O_NEXT_CLI -tls1_3 -msg -allow_no_dhe_kex -groups secp384r1 \ @@ -1486,8 +1490,10 @@ run_test "TLS 1.3: O->m: psk_ephemeral group(secp384r1) check, good" \ -S "key exchange mode: ephemeral" requires_openssl_tls1_3_with_compatible_ephemeral -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ + PSA_WANT_ALG_ECDH PSA_WANT_ECC_SECP_R1_521 run_test "TLS 1.3: O->m: psk_ephemeral group(secp521r1) check, good" \ "$P_SRV tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70" \ "$O_NEXT_CLI -tls1_3 -msg -allow_no_dhe_kex -groups secp521r1 \ @@ -1499,8 +1505,10 @@ run_test "TLS 1.3: O->m: psk_ephemeral group(secp521r1) check, good" \ -S "key exchange mode: ephemeral" requires_openssl_tls1_3_with_compatible_ephemeral -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ + PSA_WANT_ALG_ECDH PSA_WANT_ECC_MONTGOMERY_255 run_test "TLS 1.3: O->m: psk_ephemeral group(x25519) check, good" \ "$P_SRV tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70" \ "$O_NEXT_CLI -tls1_3 -msg -allow_no_dhe_kex -groups X25519 \ @@ -1512,8 +1520,10 @@ run_test "TLS 1.3: O->m: psk_ephemeral group(x25519) check, good" \ -S "key exchange mode: ephemeral" requires_openssl_tls1_3_with_compatible_ephemeral -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ + PSA_WANT_ALG_ECDH PSA_WANT_ECC_MONTGOMERY_448 run_test "TLS 1.3: O->m: psk_ephemeral group(x448) check, good" \ "$P_SRV tls13_kex_modes=psk_ephemeral debug_level=5 psk_identity=Client_identity psk=6162636465666768696a6b6c6d6e6f70" \ "$O_NEXT_CLI -tls1_3 -msg -allow_no_dhe_kex -groups X448 \ @@ -1524,9 +1534,11 @@ run_test "TLS 1.3: O->m: psk_ephemeral group(x448) check, good" \ -s "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C requires_openssl_tls1_3_with_compatible_ephemeral -requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ + PSA_WANT_ALG_ECDH PSA_WANT_ECC_SECP_R1_384 run_test "TLS 1.3 O->m: psk_ephemeral group(secp256r1->secp384r1) check, good" \ "$P_SRV tls13_kex_modes=psk_ephemeral debug_level=5 psk_list=Client_identity,6162636465666768696a6b6c6d6e6f70,abc,dead,def,beef groups=secp384r1" \ "$O_NEXT_CLI_NO_CERT -tls1_3 -msg -allow_no_dhe_kex -psk_identity Client_identity -psk 6162636465666768696a6b6c6d6e6f70 -groups P-256:P-384" \ @@ -1537,12 +1549,13 @@ run_test "TLS 1.3 O->m: psk_ephemeral group(secp256r1->secp384r1) check, good" \ -s "key exchange mode: psk_ephemeral" \ -S "key exchange mode: ephemeral" -requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat -requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -requires_config_enabled PSA_WANT_ALG_ECDH +requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ + PSA_WANT_ALG_ECDH PSA_WANT_ECC_SECP_R1_384 run_test "TLS 1.3 G->m: psk_ephemeral group(secp256r1->secp384r1) check, good" \ "$P_SRV tls13_kex_modes=psk_ephemeral debug_level=5 psk_list=Client_identity,6162636465666768696a6b6c6d6e6f70,abc,dead,def,beef groups=secp384r1" \ "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --priority NORMAL:-VERS-ALL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1 --pskusername Client_identity --pskkey 6162636465666768696a6b6c6d6e6f70 localhost" \ @@ -2938,7 +2951,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED run_test "TLS 1.3: m->G: psk/all, good" \ - "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=data_files/simplepass.psk" \ + "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=../framework/data_files/simplepass.psk" \ "$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \ 0 \ -c "=> write client hello" \ @@ -2958,7 +2971,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED run_test "TLS 1.3: m->G: psk/ephemeral_all, fail - no common kex mode" \ - "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=data_files/simplepass.psk" \ + "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=../framework/data_files/simplepass.psk" \ "$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk" \ 1 \ -c "=> write client hello" \ @@ -2979,7 +2992,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3: m->G: psk_all/all, good" \ - "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=data_files/simplepass.psk" \ + "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=../framework/data_files/simplepass.psk" \ "$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_all" \ 0 \ -c "=> write client hello" \ @@ -3000,7 +3013,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3: m->G: psk_all/ephemeral_all, good" \ - "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=data_files/simplepass.psk" \ + "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=../framework/data_files/simplepass.psk" \ "$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_all" \ 0 \ -c "=> write client hello" \ @@ -3021,7 +3034,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3: m->G: psk_ephemeral/all, good" \ - "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=data_files/simplepass.psk" \ + "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=../framework/data_files/simplepass.psk" \ "$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_ephemeral" \ 0 \ -c "=> write client hello" \ @@ -3041,7 +3054,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3: m->G: psk_ephemeral/ephemeral_all, good" \ - "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=data_files/simplepass.psk" \ + "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=../framework/data_files/simplepass.psk" \ "$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk_ephemeral" \ 0 \ -c "=> write client hello" \ @@ -3062,7 +3075,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: m->G: ephemeral/all, good" \ - "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=data_files/simplepass.psk" \ + "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=../framework/data_files/simplepass.psk" \ "$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=ephemeral" \ 0 \ -c "Selected key exchange mode: ephemeral" \ @@ -3075,7 +3088,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: m->G: ephemeral/ephemeral_all, good" \ - "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=data_files/simplepass.psk" \ + "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=../framework/data_files/simplepass.psk" \ "$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=ephemeral" \ 0 \ -c "Selected key exchange mode: ephemeral" \ @@ -3090,7 +3103,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3: m->G: ephemeral_all/all, good" \ - "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=data_files/simplepass.psk" \ + "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=../framework/data_files/simplepass.psk" \ "$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=ephemeral_all" \ 0 \ -c "=> write client hello" \ @@ -3111,7 +3124,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3: m->G: ephemeral_all/ephemeral_all, good" \ - "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=data_files/simplepass.psk" \ + "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=../framework/data_files/simplepass.psk" \ "$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=ephemeral_all" \ 0 \ -c "=> write client hello" \ @@ -3134,7 +3147,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3: m->G: all/all, good" \ - "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=data_files/simplepass.psk" \ + "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=../framework/data_files/simplepass.psk" \ "$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=all" \ 0 \ -c "=> write client hello" \ @@ -3156,7 +3169,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3: m->G: all/ephemeral_all, good" \ - "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=data_files/simplepass.psk" \ + "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=../framework/data_files/simplepass.psk" \ "$P_CLI debug_level=4 psk=010203 psk_identity=0a0b0c tls13_kex_modes=all" \ 0 \ -c "=> write client hello" \ diff --git a/yass/third_party/mbedtls/tests/opt-testcases/tls13-misc.sh b/yass/third_party/mbedtls/tests/opt-testcases/tls13-misc.sh index 5e43921710..90ae3b2b57 100755 --- a/yass/third_party/mbedtls/tests/opt-testcases/tls13-misc.sh +++ b/yass/third_party/mbedtls/tests/opt-testcases/tls13-misc.sh @@ -146,7 +146,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: resumption" \ - "$P_SRV debug_level=2 crt_file=data_files/server5.crt key_file=data_files/server5.key" \ + "$P_SRV debug_level=2 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key" \ "$P_CLI reco_mode=1 reconnect=1" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -165,8 +165,8 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: resumption with servername" \ - "$P_SRV debug_level=2 crt_file=data_files/server5.crt key_file=data_files/server5.key \ - sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ + "$P_SRV debug_level=2 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key \ + sni=localhost,../framework/data_files/server2.crt,../framework/data_files/server2.key,-,-,-,polarssl.example,../framework/data_files/server1-nospace.crt,../framework/data_files/server1.key,-,-,-" \ "$P_CLI server_name=localhost reco_mode=1 reconnect=1" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -185,7 +185,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: resumption with ticket max lifetime (7d)" \ - "$P_SRV debug_level=2 crt_file=data_files/server5.crt key_file=data_files/server5.key ticket_timeout=604800 tickets=1" \ + "$P_SRV debug_level=2 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key ticket_timeout=604800 tickets=1" \ "$P_CLI reco_mode=1 reconnect=1" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -205,7 +205,7 @@ requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED requires_ciphersuite_enabled TLS1-3-AES-256-GCM-SHA384 run_test "TLS 1.3 m->m: resumption with AES-256-GCM-SHA384 only" \ - "$P_SRV debug_level=2 crt_file=data_files/server5.crt key_file=data_files/server5.key" \ + "$P_SRV debug_level=2 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key" \ "$P_CLI force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 reco_mode=1 reconnect=1" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -225,7 +225,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: resumption with early data" \ - "$P_SRV debug_level=4 early_data=1 crt_file=data_files/server5.crt key_file=data_files/server5.key" \ + "$P_SRV debug_level=4 early_data=1 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key" \ "$P_CLI debug_level=3 early_data=1 reco_mode=1 reconnect=1" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -256,7 +256,7 @@ requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED requires_ciphersuite_enabled TLS1-3-AES-256-GCM-SHA384 run_test "TLS 1.3 m->m: resumption with early data, AES-256-GCM-SHA384 only" \ - "$P_SRV debug_level=4 early_data=1 crt_file=data_files/server5.crt key_file=data_files/server5.key" \ + "$P_SRV debug_level=4 early_data=1 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key" \ "$P_CLI debug_level=3 force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 early_data=1 reco_mode=1 reconnect=1" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -287,7 +287,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: resumption, early data cli-enabled/srv-default" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key" \ + "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key" \ "$P_CLI debug_level=3 early_data=1 reco_mode=1 reconnect=1" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -316,7 +316,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: resumption, early data cli-enabled/srv-disabled" \ - "$P_SRV debug_level=4 early_data=0 crt_file=data_files/server5.crt key_file=data_files/server5.key" \ + "$P_SRV debug_level=4 early_data=0 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key" \ "$P_CLI debug_level=3 early_data=1 reco_mode=1 reconnect=1" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -345,7 +345,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: resumption, early data cli-default/srv-enabled" \ - "$P_SRV debug_level=4 early_data=1 crt_file=data_files/server5.crt key_file=data_files/server5.key" \ + "$P_SRV debug_level=4 early_data=1 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key" \ "$P_CLI debug_level=3 reco_mode=1 reconnect=1" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -374,7 +374,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: resumption, early data cli-disabled/srv-enabled" \ - "$P_SRV debug_level=4 early_data=1 crt_file=data_files/server5.crt key_file=data_files/server5.key" \ + "$P_SRV debug_level=4 early_data=1 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key" \ "$P_CLI debug_level=3 early_data=0 reco_mode=1 reconnect=1" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -403,7 +403,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: resumption fails, ticket lifetime too long (7d + 1s)" \ - "$P_SRV debug_level=2 crt_file=data_files/server5.crt key_file=data_files/server5.key ticket_timeout=604801 tickets=1" \ + "$P_SRV debug_level=2 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key ticket_timeout=604801 tickets=1" \ "$P_CLI reco_mode=1 reconnect=1" \ 1 \ -c "Protocol is TLSv1.3" \ @@ -422,7 +422,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: resumption fails, ticket lifetime=0" \ - "$P_SRV debug_level=2 crt_file=data_files/server5.crt key_file=data_files/server5.key ticket_timeout=0 tickets=1" \ + "$P_SRV debug_level=2 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key ticket_timeout=0 tickets=1" \ "$P_CLI debug_level=2 reco_mode=1 reconnect=1" \ 1 \ -c "Protocol is TLSv1.3" \ @@ -441,8 +441,8 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: resumption fails, servername check failed" \ - "$P_SRV debug_level=2 crt_file=data_files/server5.crt key_file=data_files/server5.key \ - sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ + "$P_SRV debug_level=2 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key \ + sni=localhost,../framework/data_files/server2.crt,../framework/data_files/server2.key,-,-,-,polarssl.example,../framework/data_files/server1-nospace.crt,../framework/data_files/server1.key,-,-,-" \ "$P_CLI debug_level=4 server_name=localhost reco_server_name=remote reco_mode=1 reconnect=1" \ 1 \ -c "Protocol is TLSv1.3" \ @@ -461,7 +461,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: resumption fails, ticket auth failed." \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=8 dummy_ticket=1" \ + "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key tickets=8 dummy_ticket=1" \ "$P_CLI reco_mode=1 reconnect=1" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -484,7 +484,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: resumption fails, ticket expired." \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=8 dummy_ticket=2" \ + "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key tickets=8 dummy_ticket=2" \ "$P_CLI reco_mode=1 reconnect=1" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -507,7 +507,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: resumption fails, invalid creation time." \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=8 dummy_ticket=3" \ + "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key tickets=8 dummy_ticket=3" \ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -530,7 +530,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: resumption fails, ticket expired, too old" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=8 dummy_ticket=4" \ + "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key tickets=8 dummy_ticket=4" \ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -553,7 +553,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: resumption fails, age outside tolerance window, too young" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=8 dummy_ticket=5" \ + "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key tickets=8 dummy_ticket=5" \ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -576,7 +576,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: resumption fails, age outside tolerance window, too old" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=8 dummy_ticket=6" \ + "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key tickets=8 dummy_ticket=6" \ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -598,7 +598,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED run_test "TLS 1.3 m->m: resumption fails, cli/tkt kex modes psk/none" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key dummy_ticket=7" \ + "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key dummy_ticket=7" \ "$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -616,7 +616,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED run_test "TLS 1.3 m->m: ephemeral over psk resumption, cli/tkt kex modes psk/psk" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key dummy_ticket=8" \ + "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key dummy_ticket=8" \ "$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -634,7 +634,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED run_test "TLS 1.3 m->m: resumption fails, cli/tkt kex modes psk/psk_ephemeral" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key dummy_ticket=9" \ + "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key dummy_ticket=9" \ "$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -652,7 +652,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED run_test "TLS 1.3 m->m: ephemeral over psk resumption, cli/tkt kex modes psk/psk_all" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key dummy_ticket=10" \ + "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key dummy_ticket=10" \ "$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -670,7 +670,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: resumption fails, cli/tkt kex modes psk_ephemeral/none" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key dummy_ticket=7" \ + "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key dummy_ticket=7" \ "$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -688,7 +688,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: resumption fails, cli/tkt kex modes psk_ephemeral/psk" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key dummy_ticket=8" \ + "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key dummy_ticket=8" \ "$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -706,7 +706,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: resumption, cli/tkt kex modes psk_ephemeral/psk_ephemeral" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key dummy_ticket=9" \ + "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key dummy_ticket=9" \ "$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -724,7 +724,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: resumption, cli/tkt kex modes psk_ephemeral/psk_all" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key dummy_ticket=10" \ + "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key dummy_ticket=10" \ "$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -743,7 +743,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: resumption fails, cli/tkt kex modes psk_all/none" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key dummy_ticket=7" \ + "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key dummy_ticket=7" \ "$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \ 0 \ -c "Pre-configured PSK number = 1" \ @@ -762,7 +762,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: ephemeral over psk resumption, cli/tkt kex modes psk_all/psk" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key dummy_ticket=8" \ + "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key dummy_ticket=8" \ "$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -781,7 +781,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: resumption, cli/tkt kex modes psk_all/psk_ephemeral" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key dummy_ticket=9" \ + "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key dummy_ticket=9" \ "$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -800,7 +800,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 m->m: resumption, cli/tkt kex modes psk_all/psk_all" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key dummy_ticket=10" \ + "$P_SRV debug_level=4 crt_file=../framework/data_files/server5.crt key_file=../framework/data_files/server5.key dummy_ticket=10" \ "$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -813,6 +813,7 @@ run_test "TLS 1.3 m->m: resumption, cli/tkt kex modes psk_all/psk_all" \ requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_CLI_C \ + MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ @@ -826,6 +827,34 @@ run_test "TLS 1.3 m->O: resumption" \ -c "Reconnecting with saved session... ok" \ -c "HTTP/1.0 200 ok" +requires_openssl_tls1_3_with_compatible_ephemeral +requires_all_configs_enabled MBEDTLS_SSL_CLI_C \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_config_disabled MBEDTLS_SSL_SESSION_TICKETS +run_test "TLS 1.3 m->O: resumption fails, no ticket support" \ + "$O_NEXT_SRV -msg -tls1_3 -no_resume_ephemeral -no_cache --num_tickets 1" \ + "$P_CLI debug_level=3 reco_mode=1 reconnect=1" \ + 1 \ + -c "Protocol is TLSv1.3" \ + -C "Saving session for reuse... ok" \ + -C "Reconnecting with saved session... ok" \ + -c "Ignoring NewSessionTicket, not supported." + +requires_openssl_tls1_3_with_compatible_ephemeral +requires_all_configs_enabled MBEDTLS_SSL_CLI_C \ + MBEDTLS_SSL_SESSION_TICKETS \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "TLS 1.3 m->O: resumption fails, ticket handling disabled" \ + "$O_NEXT_SRV -msg -tls1_3 -no_resume_ephemeral -no_cache --num_tickets 1" \ + "$P_CLI debug_level=3 new_session_tickets=0 reco_mode=1 reconnect=1" \ + 1 \ + -c "Protocol is TLSv1.3" \ + -C "Saving session for reuse... ok" \ + -C "Reconnecting with saved session... ok" \ + -c "Ignoring NewSessionTicket, handling disabled." + # No early data m->O tests for the time being. The option -early_data is needed # to enable early data on OpenSSL server and it is not compatible with the # -www option we usually use for testing with OpenSSL server (see @@ -858,6 +887,7 @@ run_test "TLS 1.3 m->O: resumption with early data" \ requires_gnutls_tls1_3 requires_all_configs_enabled MBEDTLS_SSL_CLI_C \ + MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ @@ -875,6 +905,35 @@ requires_gnutls_tls1_3 requires_all_configs_enabled MBEDTLS_SSL_CLI_C \ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_config_disabled MBEDTLS_SSL_SESSION_TICKETS +run_test "TLS 1.3 m->G: resumption fails, no ticket support" \ + "$G_NEXT_SRV -d 5 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 --disable-client-cert" \ + "$P_CLI debug_level=3 reco_mode=1 reconnect=1" \ + 1 \ + -c "Protocol is TLSv1.3" \ + -C "Saving session for reuse... ok" \ + -C "Reconnecting with saved session... ok" \ + -c "Ignoring NewSessionTicket, not supported." + +requires_gnutls_tls1_3 +requires_all_configs_enabled MBEDTLS_SSL_CLI_C \ + MBEDTLS_SSL_SESSION_TICKETS \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "TLS 1.3 m->G: resumption fails, ticket handling disabled" \ + "$G_NEXT_SRV -d 5 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 --disable-client-cert" \ + "$P_CLI debug_level=3 new_session_tickets=0 reco_mode=1 reconnect=1" \ + 1 \ + -c "Protocol is TLSv1.3" \ + -C "Saving session for reuse... ok" \ + -C "Reconnecting with saved session... ok" \ + -c "Ignoring NewSessionTicket, handling disabled." + +requires_gnutls_tls1_3 +requires_all_configs_enabled MBEDTLS_SSL_CLI_C \ + MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED requires_ciphersuite_enabled TLS1-3-AES-256-GCM-SHA384 diff --git a/yass/third_party/mbedtls/tests/scripts/all.sh b/yass/third_party/mbedtls/tests/scripts/all.sh index a1203f7726..1a73020812 100755 --- a/yass/third_party/mbedtls/tests/scripts/all.sh +++ b/yass/third_party/mbedtls/tests/scripts/all.sh @@ -44,7 +44,7 @@ # * GNUTLS_{CLI,SERV} = 3.4.10 # * GNUTLS_NEXT_{CLI,SERV} = 3.7.2 # * OPENSSL = 1.0.2g (without Debian/Ubuntu patches) -# * OPENSSL_NEXT = 1.1.1a +# * OPENSSL_NEXT = 3.1.2 # See the invocation of check_tools below for details. # # This script must be invoked from the toplevel directory of a git @@ -115,15 +115,23 @@ set -e -o pipefail -u # Enable ksh/bash extended file matching patterns shopt -s extglob +# For project detection in_mbedtls_repo () { - test -d include -a -d library -a -d programs -a -d tests + test "$PROJECT_NAME" = "Mbed TLS" } in_tf_psa_crypto_repo () { - test -d include -a -d core -a -d drivers -a -d programs -a -d tests + test "$PROJECT_NAME" = "TF-PSA-Crypto" } pre_check_environment () { + # For project detection + PROJECT_NAME_FILE='./scripts/project_name.txt' + if read -r PROJECT_NAME < "$PROJECT_NAME_FILE"; then :; else + echo "$PROJECT_NAME_FILE does not exist... Exiting..." >&2 + exit 1 + fi + if in_mbedtls_repo || in_tf_psa_crypto_repo; then :; else echo "Must be run from Mbed TLS / TF-PSA-Crypto root" >&2 exit 1 @@ -195,6 +203,10 @@ pre_initialize_variables () { export CC="clang" fi + if [ -n "${OPENSSL_3+set}" ]; then + export OPENSSL_NEXT="$OPENSSL_3" + fi + # Include more verbose output for failing tests run by CMake or make export CTEST_OUTPUT_ON_FAILURE=1 @@ -323,8 +335,9 @@ cleanup() -iname CTestTestfile.cmake -o \ -iname CMakeCache.txt -o \ -path './cmake/*.cmake' \) -exec rm -f {} \+ - # Recover files overwritten by in-tree CMake builds - rm -f include/Makefile include/mbedtls/Makefile programs/!(fuzz)/Makefile + # Remove Makefiles generated by in-tree CMake builds + rm -f 3rdparty/Makefile 3rdparty/*/Makefile pkgconfig/Makefile framework/Makefile + rm -f include/Makefile programs/!(fuzz)/Makefile # Remove any artifacts from the component_test_cmake_as_subdirectory test. rm -rf programs/test/cmake_subproject/build @@ -821,7 +834,7 @@ pre_check_tools () { "$@" scripts/output_env.sh } -pre_generate_files() { +pre_generate_files () { # since make doesn't have proper dependencies, remove any possibly outdate # file that might be around before generating fresh ones make neat @@ -832,7 +845,7 @@ pre_generate_files() { fi } -clang_version() { +clang_version () { if command -v clang > /dev/null ; then clang --version|grep version|sed -E 's#.*version ([0-9]+).*#\1#' else @@ -887,7 +900,7 @@ clang_version() { # Adjust the configuration - for both libtestdriver1 and main library, # as they should have the same PSA_WANT macros. -helper_libtestdriver1_adjust_config() { +helper_libtestdriver1_adjust_config () { base_config=$1 # Select the base configuration if [ "$base_config" != "default" ]; then @@ -915,7 +928,7 @@ helper_libtestdriver1_adjust_config() { # When called with no parameter this function disables all builtin curves. # The function optionally accepts 1 parameter: a space-separated list of the # curves that should be kept enabled. -helper_disable_builtin_curves() { +helper_disable_builtin_curves () { allowed_list="${1:-}" scripts/config.py unset-all "MBEDTLS_ECP_DP_[0-9A-Z_a-z]*_ENABLED" @@ -951,7 +964,7 @@ helper_get_psa_dh_group_list () { # Get the list of uncommented PSA_WANT_KEY_TYPE_xxx_ from CRYPTO_CONFIG_H. This # is useful to easily get a list of key type symbols to accelerate. # The function accepts a single argument which is the key type: ECC, DH, RSA. -helper_get_psa_key_type_list() { +helper_get_psa_key_type_list () { key_type="$1" loc_list="" for item in $(sed -n "s/^#define PSA_WANT_\(KEY_TYPE_${key_type}_[0-9A-Z_a-z]*\).*/\1/p" <"$CRYPTO_CONFIG_H"); do @@ -971,7 +984,7 @@ helper_get_psa_key_type_list() { # 1. a space-separated list of things to accelerate; # 2. optional: a space-separate list of things to also support. # Here "things" are PSA_WANT_ symbols but with PSA_WANT_ removed. -helper_libtestdriver1_make_drivers() { +helper_libtestdriver1_make_drivers () { loc_accel_flags=$( echo "$1 ${2-}" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) make CC=$ASAN_CC -C tests libtestdriver1.a CFLAGS=" $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" } @@ -984,7 +997,7 @@ helper_libtestdriver1_make_drivers() { # *. remaining arguments if any are passed directly to make # (examples: lib, -C tests test_suite_xxx, etc.) # Here "things" are PSA_WANT_ symbols but with PSA_WANT_ removed. -helper_libtestdriver1_make_main() { +helper_libtestdriver1_make_main () { loc_accel_list=$1 shift @@ -994,5419 +1007,11 @@ helper_libtestdriver1_make_main() { make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" "$@" } -################################################################ -#### Basic checks -################################################################ - -# -# Test Suites to be executed -# -# The test ordering tries to optimize for the following criteria: -# 1. Catch possible problems early, by running first tests that run quickly -# and/or are more likely to fail than others (eg I use Clang most of the -# time, so start with a GCC build). -# 2. Minimize total running time, by avoiding useless rebuilds -# -# Indicative running times are given for reference. - -component_check_recursion () { - msg "Check: recursion.pl" # < 1s - tests/scripts/recursion.pl library/*.c -} - -component_check_generated_files () { - msg "Check: check-generated-files, files generated with make" # 2s - make generated_files - tests/scripts/check-generated-files.sh - - msg "Check: check-generated-files -u, files present" # 2s - tests/scripts/check-generated-files.sh -u - # Check that the generated files are considered up to date. - tests/scripts/check-generated-files.sh - - msg "Check: check-generated-files -u, files absent" # 2s - command make neat - tests/scripts/check-generated-files.sh -u - # Check that the generated files are considered up to date. - tests/scripts/check-generated-files.sh - - # This component ends with the generated files present in the source tree. - # This is necessary for subsequent components! -} - -component_check_doxy_blocks () { - msg "Check: doxygen markup outside doxygen blocks" # < 1s - tests/scripts/check-doxy-blocks.pl -} - -component_check_files () { - msg "Check: file sanity checks (permissions, encodings)" # < 1s - tests/scripts/check_files.py -} - -component_check_changelog () { - msg "Check: changelog entries" # < 1s - rm -f ChangeLog.new - scripts/assemble_changelog.py -o ChangeLog.new - if [ -e ChangeLog.new ]; then - # Show the diff for information. It isn't an error if the diff is - # non-empty. - diff -u ChangeLog ChangeLog.new || true - rm ChangeLog.new - fi -} - -component_check_names () { - msg "Check: declared and exported names (builds the library)" # < 3s - tests/scripts/check_names.py -v -} - -component_check_test_cases () { - msg "Check: test case descriptions" # < 1s - if [ $QUIET -eq 1 ]; then - opt='--quiet' - else - opt='' - fi - tests/scripts/check_test_cases.py -q $opt - unset opt -} - -component_check_test_dependencies () { - msg "Check: test case dependencies: legacy vs PSA" # < 1s - # The purpose of this component is to catch unjustified dependencies on - # legacy feature macros (MBEDTLS_xxx) in PSA tests. Generally speaking, - # PSA test should use PSA feature macros (PSA_WANT_xxx, more rarely - # MBEDTLS_PSA_xxx). - # - # Most of the time, use of legacy MBEDTLS_xxx macros are mistakes, which - # this component is meant to catch. However a few of them are justified, - # mostly by the absence of a PSA equivalent, so this component includes a - # list of expected exceptions. - - found="check-test-deps-found-$$" - expected="check-test-deps-expected-$$" - - # Find legacy dependencies in PSA tests - grep 'depends_on' \ - tests/suites/test_suite_psa*.data tests/suites/test_suite_psa*.function | - grep -Eo '!?MBEDTLS_[^: ]*' | - grep -v -e MBEDTLS_PSA_ -e MBEDTLS_TEST_ | - sort -u > $found - - # Expected ones with justification - keep in sorted order by ASCII table! - rm -f $expected - # No PSA equivalent - WANT_KEY_TYPE_AES means all sizes - echo "!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH" >> $expected - # No PSA equivalent - used to skip decryption tests in PSA-ECB, CBC/XTS/NIST_KW/DES - echo "!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT" >> $expected - # MBEDTLS_ASN1_WRITE_C is used by import_rsa_made_up() in test_suite_psa_crypto - # in order to build a fake RSA key of the wanted size based on - # PSA_VENDOR_RSA_MAX_KEY_BITS. The legacy module is only used by - # the test code and that's probably the most convenient way of achieving - # the test's goal. - echo "MBEDTLS_ASN1_WRITE_C" >> $expected - # No PSA equivalent - we should probably have one in the future. - echo "MBEDTLS_ECP_RESTARTABLE" >> $expected - # No PSA equivalent - needed by some init tests - echo "MBEDTLS_ENTROPY_NV_SEED" >> $expected - # No PSA equivalent - required to run threaded tests. - echo "MBEDTLS_THREADING_PTHREAD" >> $expected - - # Compare reality with expectation. - # We want an exact match, to ensure the above list remains up-to-date. - # - # The output should be empty. When it's not: - # - Each '+' line is a macro that was found but not expected. You want to - # find where that macro occurs, and either replace it with PSA macros, or - # add it to the exceptions list above with a justification. - # - Each '-' line is a macro that was expected but not found; it means the - # exceptions list above should be updated by removing that macro. - diff -U0 $expected $found - - rm $found $expected -} - -component_check_doxygen_warnings () { - msg "Check: doxygen warnings (builds the documentation)" # ~ 3s - tests/scripts/doxygen.sh -} - - - -################################################################ -#### Build and test many configurations and targets -################################################################ - -component_test_default_out_of_box () { - msg "build: make, default config (out-of-box)" # ~1min - make - # Disable fancy stuff - unset MBEDTLS_TEST_OUTCOME_FILE - - msg "test: main suites make, default config (out-of-box)" # ~10s - make test - - msg "selftest: make, default config (out-of-box)" # ~10s - programs/test/selftest - - msg "program demos: make, default config (out-of-box)" # ~10s - tests/scripts/run_demos.py -} - -component_test_default_cmake_gcc_asan () { - msg "build: cmake, gcc, ASan" # ~ 1 min 50s - CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: main suites (inc. selftests) (ASan build)" # ~ 50s - make test - - msg "program demos (ASan build)" # ~10s - tests/scripts/run_demos.py - - msg "test: selftest (ASan build)" # ~ 10s - programs/test/selftest - - msg "test: metatests (GCC, ASan build)" - tests/scripts/run-metatests.sh any asan poison - - msg "test: ssl-opt.sh (ASan build)" # ~ 1 min - tests/ssl-opt.sh - - msg "test: compat.sh (ASan build)" # ~ 6 min - tests/compat.sh - - msg "test: context-info.sh (ASan build)" # ~ 15 sec - tests/context-info.sh -} - -component_test_default_cmake_gcc_asan_new_bignum () { - msg "build: cmake, gcc, ASan" # ~ 1 min 50s - scripts/config.py set MBEDTLS_ECP_WITH_MPI_UINT - CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: main suites (inc. selftests) (ASan build)" # ~ 50s - make test - - msg "test: selftest (ASan build)" # ~ 10s - programs/test/selftest - - msg "test: ssl-opt.sh (ASan build)" # ~ 1 min - tests/ssl-opt.sh - - msg "test: compat.sh (ASan build)" # ~ 6 min - tests/compat.sh - - msg "test: context-info.sh (ASan build)" # ~ 15 sec - tests/context-info.sh -} - -component_test_full_cmake_gcc_asan () { - msg "build: full config, cmake, gcc, ASan" - scripts/config.py full - CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: main suites (inc. selftests) (full config, ASan build)" - make test - - msg "test: selftest (ASan build)" # ~ 10s - programs/test/selftest - - msg "test: ssl-opt.sh (full config, ASan build)" - tests/ssl-opt.sh - - msg "test: compat.sh (full config, ASan build)" - tests/compat.sh - - msg "test: context-info.sh (full config, ASan build)" # ~ 15 sec - tests/context-info.sh -} - - -component_test_full_cmake_gcc_asan_new_bignum () { - msg "build: full config, cmake, gcc, ASan" - scripts/config.py full - scripts/config.py set MBEDTLS_ECP_WITH_MPI_UINT - CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: main suites (inc. selftests) (full config, ASan build)" - make test - - msg "test: selftest (ASan build)" # ~ 10s - programs/test/selftest - - msg "test: ssl-opt.sh (full config, ASan build)" - tests/ssl-opt.sh - - msg "test: compat.sh (full config, ASan build)" - tests/compat.sh - - msg "test: context-info.sh (full config, ASan build)" # ~ 15 sec - tests/context-info.sh -} - -component_test_psa_crypto_key_id_encodes_owner () { - msg "build: full config + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan" - scripts/config.py full - scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER - CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: full config - USE_PSA_CRYPTO + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan" - make test -} - -component_test_psa_assume_exclusive_buffers () { - msg "build: full config + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS, cmake, gcc, ASan" - scripts/config.py full - scripts/config.py set MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS - CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: full config + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS, cmake, gcc, ASan" - make test -} - -# check_renamed_symbols HEADER LIB -# Check that if HEADER contains '#define MACRO ...' then MACRO is not a symbol -# name is LIB. -check_renamed_symbols () { - ! nm "$2" | sed 's/.* //' | - grep -x -F "$(sed -n 's/^ *# *define *\([A-Z_a-z][0-9A-Z_a-z]*\)..*/\1/p' "$1")" -} - -component_build_psa_crypto_spm () { - msg "build: full config + PSA_CRYPTO_KEY_ID_ENCODES_OWNER + PSA_CRYPTO_SPM, make, gcc" - scripts/config.py full - scripts/config.py unset MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS - scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER - scripts/config.py set MBEDTLS_PSA_CRYPTO_SPM - # We can only compile, not link, since our test and sample programs - # aren't equipped for the modified names used when MBEDTLS_PSA_CRYPTO_SPM - # is active. - make CC=gcc CFLAGS='-Werror -Wall -Wextra -I../tests/include/spe' lib - - # Check that if a symbol is renamed by crypto_spe.h, the non-renamed - # version is not present. - echo "Checking for renamed symbols in the library" - check_renamed_symbols tests/include/spe/crypto_spe.h library/libmbedcrypto.a -} - -# Get a list of library-wise undefined symbols and ensure that they only -# belong to psa_xxx() functions and not to mbedtls_yyy() ones. -# This function is a common helper used by both: -# - component_test_default_psa_crypto_client_without_crypto_provider -# - component_build_full_psa_crypto_client_without_crypto_provider. -common_check_mbedtls_missing_symbols() { - nm library/libmbedcrypto.a | grep ' [TRrDC] ' | grep -Eo '(mbedtls_|psa_).*' | sort -u > sym_def.txt - nm library/libmbedcrypto.a | grep ' U ' | grep -Eo '(mbedtls_|psa_).*' | sort -u > sym_undef.txt - comm sym_def.txt sym_undef.txt -13 > linking_errors.txt - not grep mbedtls_ linking_errors.txt - - rm sym_def.txt sym_undef.txt linking_errors.txt -} - -component_test_default_psa_crypto_client_without_crypto_provider () { - msg "build: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT" - - scripts/config.py unset MBEDTLS_PSA_CRYPTO_C - scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C - scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py set MBEDTLS_PSA_CRYPTO_CLIENT - scripts/config.py unset MBEDTLS_LMS_C - - make - - msg "check missing symbols: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT" - common_check_mbedtls_missing_symbols - - msg "test: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT" - make test -} - -component_build_full_psa_crypto_client_without_crypto_provider () { - msg "build: full config - PSA_CRYPTO_C" - - # Use full config which includes USE_PSA and CRYPTO_CLIENT. - scripts/config.py full - - scripts/config.py unset MBEDTLS_PSA_CRYPTO_C - scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C - # Dynamic secure element support is a deprecated feature and it is not - # available when CRYPTO_C and PSA_CRYPTO_STORAGE_C are disabled. - scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C - - # Since there is no crypto provider in this build it is not possible to - # build all the test executables and progrems due to missing PSA functions - # at link time. Therefore we will just build libraries and we'll check - # that symbols of interest are there. - make lib - - msg "check missing symbols: full config - PSA_CRYPTO_C" - - common_check_mbedtls_missing_symbols - - # Ensure that desired functions are included into the build (extend the - # following list as required). - grep mbedtls_pk_get_psa_attributes library/libmbedcrypto.a - grep mbedtls_pk_import_into_psa library/libmbedcrypto.a - grep mbedtls_pk_copy_from_psa library/libmbedcrypto.a -} - -component_test_psa_crypto_rsa_no_genprime() { - msg "build: default config minus MBEDTLS_GENPRIME" - scripts/config.py unset MBEDTLS_GENPRIME - make - - msg "test: default config minus MBEDTLS_GENPRIME" - make test -} - -component_test_ref_configs () { - msg "test/build: ref-configs (ASan build)" # ~ 6 min 20s - # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake - # want to re-generate generated files that depend on it, quite correctly. - # However this doesn't work as the generation script expects a specific - # format for mbedtls_config.h, which the other files don't follow. Also, - # cmake can't know this, but re-generation is actually not necessary as - # the generated files only depend on the list of available options, not - # whether they're on or off. So, disable cmake's (over-sensitive here) - # dependency resolution for generated files and just rely on them being - # present (thanks to pre_generate_files) by turning GEN_FILES off. - CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . - tests/scripts/test-ref-configs.pl -} - -component_test_no_renegotiation () { - msg "build: Default + !MBEDTLS_SSL_RENEGOTIATION (ASan build)" # ~ 6 min - scripts/config.py unset MBEDTLS_SSL_RENEGOTIATION - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: !MBEDTLS_SSL_RENEGOTIATION - main suites (inc. selftests) (ASan build)" # ~ 50s - make test - - msg "test: !MBEDTLS_SSL_RENEGOTIATION - ssl-opt.sh (ASan build)" # ~ 6 min - tests/ssl-opt.sh -} - -component_test_no_pem_no_fs () { - msg "build: Default + !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO (ASan build)" - scripts/config.py unset MBEDTLS_PEM_PARSE_C - scripts/config.py unset MBEDTLS_FS_IO - scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C # requires a filesystem - scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C # requires PSA ITS - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - main suites (inc. selftests) (ASan build)" # ~ 50s - make test - - msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - ssl-opt.sh (ASan build)" # ~ 6 min - tests/ssl-opt.sh -} - -component_test_rsa_no_crt () { - msg "build: Default + RSA_NO_CRT (ASan build)" # ~ 6 min - scripts/config.py set MBEDTLS_RSA_NO_CRT - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: RSA_NO_CRT - main suites (inc. selftests) (ASan build)" # ~ 50s - make test - - msg "test: RSA_NO_CRT - RSA-related part of ssl-opt.sh (ASan build)" # ~ 5s - tests/ssl-opt.sh -f RSA - - msg "test: RSA_NO_CRT - RSA-related part of compat.sh (ASan build)" # ~ 3 min - tests/compat.sh -t RSA - - msg "test: RSA_NO_CRT - RSA-related part of context-info.sh (ASan build)" # ~ 15 sec - tests/context-info.sh -} - -component_test_no_ctr_drbg_classic () { - msg "build: Full minus CTR_DRBG, classic crypto in TLS" - scripts/config.py full - scripts/config.py unset MBEDTLS_CTR_DRBG_C - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: Full minus CTR_DRBG, classic crypto - main suites" - make test - - # In this configuration, the TLS test programs use HMAC_DRBG. - # The SSL tests are slow, so run a small subset, just enough to get - # confidence that the SSL code copes with HMAC_DRBG. - msg "test: Full minus CTR_DRBG, classic crypto - ssl-opt.sh (subset)" - tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server' - - msg "test: Full minus CTR_DRBG, classic crypto - compat.sh (subset)" - tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL -} - -component_test_no_ctr_drbg_use_psa () { - msg "build: Full minus CTR_DRBG, PSA crypto in TLS" - scripts/config.py full - scripts/config.py unset MBEDTLS_CTR_DRBG_C - scripts/config.py set MBEDTLS_USE_PSA_CRYPTO - - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - main suites" - make test - - # In this configuration, the TLS test programs use HMAC_DRBG. - # The SSL tests are slow, so run a small subset, just enough to get - # confidence that the SSL code copes with HMAC_DRBG. - msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)" - tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server' - - msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - compat.sh (subset)" - tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL -} - -component_test_no_hmac_drbg_classic () { - msg "build: Full minus HMAC_DRBG, classic crypto in TLS" - scripts/config.py full - scripts/config.py unset MBEDTLS_HMAC_DRBG_C - scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: Full minus HMAC_DRBG, classic crypto - main suites" - make test - - # Normally our ECDSA implementation uses deterministic ECDSA. But since - # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used - # instead. - # Test SSL with non-deterministic ECDSA. Only test features that - # might be affected by how ECDSA signature is performed. - msg "test: Full minus HMAC_DRBG, classic crypto - ssl-opt.sh (subset)" - tests/ssl-opt.sh -f 'Default\|SSL async private: sign' - - # To save time, only test one protocol version, since this part of - # the protocol is identical in (D)TLS up to 1.2. - msg "test: Full minus HMAC_DRBG, classic crypto - compat.sh (ECDSA)" - tests/compat.sh -m tls12 -t 'ECDSA' -} - -component_test_no_hmac_drbg_use_psa () { - msg "build: Full minus HMAC_DRBG, PSA crypto in TLS" - scripts/config.py full - scripts/config.py unset MBEDTLS_HMAC_DRBG_C - scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG - scripts/config.py set MBEDTLS_USE_PSA_CRYPTO - - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - main suites" - make test - - # Normally our ECDSA implementation uses deterministic ECDSA. But since - # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used - # instead. - # Test SSL with non-deterministic ECDSA. Only test features that - # might be affected by how ECDSA signature is performed. - msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)" - tests/ssl-opt.sh -f 'Default\|SSL async private: sign' - - # To save time, only test one protocol version, since this part of - # the protocol is identical in (D)TLS up to 1.2. - msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - compat.sh (ECDSA)" - tests/compat.sh -m tls12 -t 'ECDSA' -} - -component_test_psa_external_rng_no_drbg_classic () { - msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto in TLS" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG - scripts/config.py unset MBEDTLS_ENTROPY_C - scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED - scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT - scripts/config.py unset MBEDTLS_CTR_DRBG_C - scripts/config.py unset MBEDTLS_HMAC_DRBG_C - scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG - # When MBEDTLS_USE_PSA_CRYPTO is disabled and there is no DRBG, - # the SSL test programs don't have an RNG and can't work. Explicitly - # make them use the PSA RNG with -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG. - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG" LDFLAGS="$ASAN_CFLAGS" - - msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - main suites" - make test - - msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - ssl-opt.sh (subset)" - tests/ssl-opt.sh -f 'Default' -} - -component_test_psa_external_rng_no_drbg_use_psa () { - msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto in TLS" - scripts/config.py full - scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG - scripts/config.py unset MBEDTLS_ENTROPY_C - scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED - scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT - scripts/config.py unset MBEDTLS_CTR_DRBG_C - scripts/config.py unset MBEDTLS_HMAC_DRBG_C - scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" - - msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - main suites" - make test - - msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - ssl-opt.sh (subset)" - tests/ssl-opt.sh -f 'Default\|opaque' -} - -component_test_psa_external_rng_use_psa_crypto () { - msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" - scripts/config.py full - scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG - scripts/config.py set MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_CTR_DRBG_C - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" - - msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" - make test - - msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" - tests/ssl-opt.sh -f 'Default\|opaque' -} - -component_test_psa_inject_entropy () { - msg "build: full + MBEDTLS_PSA_INJECT_ENTROPY" - scripts/config.py full - scripts/config.py set MBEDTLS_PSA_INJECT_ENTROPY - scripts/config.py set MBEDTLS_ENTROPY_NV_SEED - scripts/config.py set MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES - scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT - scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_READ - scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_WRITE - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'" LDFLAGS="$ASAN_CFLAGS" - - msg "test: full + MBEDTLS_PSA_INJECT_ENTROPY" - make test -} - -component_test_sw_inet_pton () { - msg "build: default plus MBEDTLS_TEST_SW_INET_PTON" - - # MBEDTLS_TEST_HOOKS required for x509_crt_parse_cn_inet_pton - scripts/config.py set MBEDTLS_TEST_HOOKS - make CFLAGS="-DMBEDTLS_TEST_SW_INET_PTON" - - msg "test: default plus MBEDTLS_TEST_SW_INET_PTON" - make test -} - -component_full_no_pkparse_pkwrite() { - msg "build: full without pkparse and pkwrite" - - scripts/config.py crypto_full - scripts/config.py unset MBEDTLS_PK_PARSE_C - scripts/config.py unset MBEDTLS_PK_WRITE_C - - make CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" - - # Ensure that PK_[PARSE|WRITE]_C were not re-enabled accidentally (additive config). - not grep mbedtls_pk_parse_key library/pkparse.o - not grep mbedtls_pk_write_key_der library/pkwrite.o - - msg "test: full without pkparse and pkwrite" - make test -} - -component_test_crypto_full_md_light_only () { - msg "build: crypto_full with only the light subset of MD" - scripts/config.py crypto_full - scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG - # Disable MD - scripts/config.py unset MBEDTLS_MD_C - # Disable direct dependencies of MD_C - scripts/config.py unset MBEDTLS_HKDF_C - scripts/config.py unset MBEDTLS_HMAC_DRBG_C - scripts/config.py unset MBEDTLS_PKCS7_C - # Disable indirect dependencies of MD_C - scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # needs HMAC_DRBG - # Disable things that would auto-enable MD_C - scripts/config.py unset MBEDTLS_PKCS5_C - - # Note: MD-light is auto-enabled in build_info.h by modules that need it, - # which we haven't disabled, so no need to explicitly enable it. - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" - - # Make sure we don't have the HMAC functions, but the hashing functions - not grep mbedtls_md_hmac library/md.o - grep mbedtls_md library/md.o - - msg "test: crypto_full with only the light subset of MD" - make test -} - -component_test_full_no_cipher_no_psa_crypto () { - msg "build: full no CIPHER no PSA_CRYPTO_C" - scripts/config.py full - scripts/config.py unset MBEDTLS_CIPHER_C - # Don't pull in cipher via PSA mechanisms - # (currently ignored anyway because we completely disable PSA) - scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG - # Disable features that depend on CIPHER_C - scripts/config.py unset MBEDTLS_CMAC_C - scripts/config.py unset MBEDTLS_NIST_KW_C - scripts/config.py unset MBEDTLS_PSA_CRYPTO_C - scripts/config.py unset MBEDTLS_PSA_CRYPTO_CLIENT - scripts/config.py unset MBEDTLS_SSL_TLS_C - scripts/config.py unset MBEDTLS_SSL_TICKET_C - # Disable features that depend on PSA_CRYPTO_C - scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C - scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_LMS_C - scripts/config.py unset MBEDTLS_LMS_PRIVATE - - msg "test: full no CIPHER no PSA_CRYPTO_C" - make test -} - -# This is a common configurator and test function that is used in: -# - component_test_full_no_cipher_with_psa_crypto -# - component_test_full_no_cipher_with_psa_crypto_config -# It accepts 2 input parameters: -# - $1: boolean value which basically reflects status of MBEDTLS_PSA_CRYPTO_CONFIG -# - $2: a text string which describes the test component -common_test_full_no_cipher_with_psa_crypto () { - USE_CRYPTO_CONFIG="$1" - COMPONENT_DESCRIPTION="$2" - - msg "build: $COMPONENT_DESCRIPTION" - - scripts/config.py full - scripts/config.py unset MBEDTLS_CIPHER_C - - if [ "$USE_CRYPTO_CONFIG" -eq 1 ]; then - # The built-in implementation of the following algs/key-types depends - # on CIPHER_C so we disable them. - # This does not hold for KEY_TYPE_CHACHA20 and ALG_CHACHA20_POLY1305 - # so we keep them enabled. - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CMAC - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7 - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CFB - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CTR - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_OFB - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_STREAM_CIPHER - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES - else - # Don't pull in cipher via PSA mechanisms - scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG - # Disable cipher modes/keys that make PSA depend on CIPHER_C. - # Keep CHACHA20 and CHACHAPOLY enabled since they do not depend on CIPHER_C. - scripts/config.py unset-all MBEDTLS_CIPHER_MODE - fi - # The following modules directly depends on CIPHER_C - scripts/config.py unset MBEDTLS_CMAC_C - scripts/config.py unset MBEDTLS_NIST_KW_C - - make - - # Ensure that CIPHER_C was not re-enabled - not grep mbedtls_cipher_init library/cipher.o - - msg "test: $COMPONENT_DESCRIPTION" - make test -} - -component_test_full_no_cipher_with_psa_crypto() { - common_test_full_no_cipher_with_psa_crypto 0 "full no CIPHER no CRYPTO_CONFIG" -} - -component_test_full_no_cipher_with_psa_crypto_config() { - common_test_full_no_cipher_with_psa_crypto 1 "full no CIPHER" -} - -component_test_full_no_ccm() { - msg "build: full no PSA_WANT_ALG_CCM" - - # Full config enables: - # - USE_PSA_CRYPTO so that TLS code dispatches cipher/AEAD to PSA - # - CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated - scripts/config.py full - - # Disable PSA_WANT_ALG_CCM so that CCM is not supported in PSA. CCM_C is still - # enabled, but not used from TLS since USE_PSA is set. - # This is helpful to ensure that TLS tests below have proper dependencies. - # - # Note: also PSA_WANT_ALG_CCM_STAR_NO_TAG is enabled, but it does not cause - # PSA_WANT_ALG_CCM to be re-enabled. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM - - make - - msg "test: full no PSA_WANT_ALG_CCM" - make test -} - -component_test_full_no_ccm_star_no_tag() { - msg "build: full no PSA_WANT_ALG_CCM_STAR_NO_TAG" - - # Full config enables CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated - scripts/config.py full - - # Disable CCM_STAR_NO_TAG, which is the target of this test, as well as all - # other components that enable MBEDTLS_PSA_BUILTIN_CIPHER internal symbol. - # This basically disables all unauthenticated ciphers on the PSA side, while - # keeping AEADs enabled. - # - # Note: PSA_WANT_ALG_CCM is enabled, but it does not cause - # PSA_WANT_ALG_CCM_STAR_NO_TAG to be re-enabled. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_STREAM_CIPHER - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CTR - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CFB - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_OFB - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 - - make - - # Ensure MBEDTLS_PSA_BUILTIN_CIPHER was not enabled - not grep mbedtls_psa_cipher library/psa_crypto_cipher.o - - msg "test: full no PSA_WANT_ALG_CCM_STAR_NO_TAG" - make test -} - -component_test_full_no_bignum () { - msg "build: full minus bignum" - scripts/config.py full - scripts/config.py unset MBEDTLS_BIGNUM_C - # Direct dependencies of bignum - scripts/config.py unset MBEDTLS_ECP_C - scripts/config.py unset MBEDTLS_RSA_C - scripts/config.py unset MBEDTLS_DHM_C - # Direct dependencies of ECP - scripts/config.py unset MBEDTLS_ECDH_C - scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_ECJPAKE_C - scripts/config.py unset MBEDTLS_ECP_RESTARTABLE - # Disable what auto-enables ECP_LIGHT - scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED - scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED - # Indirect dependencies of ECP - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED - scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED - scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED - # Direct dependencies of DHM - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED - # Direct dependencies of RSA - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED - scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT - # PK and its dependencies - scripts/config.py unset MBEDTLS_PK_C - scripts/config.py unset MBEDTLS_PK_PARSE_C - scripts/config.py unset MBEDTLS_PK_WRITE_C - scripts/config.py unset MBEDTLS_X509_USE_C - scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C - scripts/config.py unset MBEDTLS_X509_CRL_PARSE_C - scripts/config.py unset MBEDTLS_X509_CSR_PARSE_C - scripts/config.py unset MBEDTLS_X509_CREATE_C - scripts/config.py unset MBEDTLS_X509_CRT_WRITE_C - scripts/config.py unset MBEDTLS_X509_CSR_WRITE_C - scripts/config.py unset MBEDTLS_PKCS7_C - scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION - scripts/config.py unset MBEDTLS_SSL_ASYNC_PRIVATE - scripts/config.py unset MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK - - make - - msg "test: full minus bignum" - make test -} - -component_test_tls1_2_default_stream_cipher_only () { - msg "build: default with only stream cipher" - - # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C - scripts/config.py unset MBEDTLS_GCM_C - scripts/config.py unset MBEDTLS_CCM_C - scripts/config.py unset MBEDTLS_CHACHAPOLY_C - #Disable TLS 1.3 (as no AEAD) - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) - scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC - # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) - scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC - # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) - scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER - # Modules that depend on AEAD - scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - scripts/config.py unset MBEDTLS_SSL_TICKET_C - - make - - msg "test: default with only stream cipher" - make test - - # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite. -} - -component_test_tls1_2_default_stream_cipher_only_use_psa () { - msg "build: default with only stream cipher use psa" - - scripts/config.py set MBEDTLS_USE_PSA_CRYPTO - # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) - scripts/config.py unset MBEDTLS_GCM_C - scripts/config.py unset MBEDTLS_CCM_C - scripts/config.py unset MBEDTLS_CHACHAPOLY_C - #Disable TLS 1.3 (as no AEAD) - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) - scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC - # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) - scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC - # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) - scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER - # Modules that depend on AEAD - scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - scripts/config.py unset MBEDTLS_SSL_TICKET_C - - make - - msg "test: default with only stream cipher use psa" - make test - - # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite. -} - -component_test_tls1_2_default_cbc_legacy_cipher_only () { - msg "build: default with only CBC-legacy cipher" - - # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) - scripts/config.py unset MBEDTLS_GCM_C - scripts/config.py unset MBEDTLS_CCM_C - scripts/config.py unset MBEDTLS_CHACHAPOLY_C - #Disable TLS 1.3 (as no AEAD) - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) - scripts/config.py set MBEDTLS_CIPHER_MODE_CBC - # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) - scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC - # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) - scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER - # Modules that depend on AEAD - scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - scripts/config.py unset MBEDTLS_SSL_TICKET_C - - make - - msg "test: default with only CBC-legacy cipher" - make test - - msg "test: default with only CBC-legacy cipher - ssl-opt.sh (subset)" - tests/ssl-opt.sh -f "TLS 1.2" -} - -component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa () { - msg "build: default with only CBC-legacy cipher use psa" - - scripts/config.py set MBEDTLS_USE_PSA_CRYPTO - # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) - scripts/config.py unset MBEDTLS_GCM_C - scripts/config.py unset MBEDTLS_CCM_C - scripts/config.py unset MBEDTLS_CHACHAPOLY_C - #Disable TLS 1.3 (as no AEAD) - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) - scripts/config.py set MBEDTLS_CIPHER_MODE_CBC - # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) - scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC - # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) - scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER - # Modules that depend on AEAD - scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - scripts/config.py unset MBEDTLS_SSL_TICKET_C - - make - - msg "test: default with only CBC-legacy cipher use psa" - make test - - msg "test: default with only CBC-legacy cipher use psa - ssl-opt.sh (subset)" - tests/ssl-opt.sh -f "TLS 1.2" -} - -component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () { - msg "build: default with only CBC-legacy and CBC-EtM ciphers" - - # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) - scripts/config.py unset MBEDTLS_GCM_C - scripts/config.py unset MBEDTLS_CCM_C - scripts/config.py unset MBEDTLS_CHACHAPOLY_C - #Disable TLS 1.3 (as no AEAD) - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) - scripts/config.py set MBEDTLS_CIPHER_MODE_CBC - # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) - scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC - # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) - scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER - # Modules that depend on AEAD - scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - scripts/config.py unset MBEDTLS_SSL_TICKET_C - - make - - msg "test: default with only CBC-legacy and CBC-EtM ciphers" - make test - - msg "test: default with only CBC-legacy and CBC-EtM ciphers - ssl-opt.sh (subset)" - tests/ssl-opt.sh -f "TLS 1.2" -} - -component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa () { - msg "build: default with only CBC-legacy and CBC-EtM ciphers use psa" - - scripts/config.py set MBEDTLS_USE_PSA_CRYPTO - # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) - scripts/config.py unset MBEDTLS_GCM_C - scripts/config.py unset MBEDTLS_CCM_C - scripts/config.py unset MBEDTLS_CHACHAPOLY_C - #Disable TLS 1.3 (as no AEAD) - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) - scripts/config.py set MBEDTLS_CIPHER_MODE_CBC - # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) - scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC - # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) - scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER - # Modules that depend on AEAD - scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - scripts/config.py unset MBEDTLS_SSL_TICKET_C - - make - - msg "test: default with only CBC-legacy and CBC-EtM ciphers use psa" - make test - - msg "test: default with only CBC-legacy and CBC-EtM ciphers use psa - ssl-opt.sh (subset)" - tests/ssl-opt.sh -f "TLS 1.2" -} - -# We're not aware of any other (open source) implementation of EC J-PAKE in TLS -# that we could use for interop testing. However, we now have sort of two -# implementations ourselves: one using PSA, the other not. At least test that -# these two interoperate with each other. -component_test_tls1_2_ecjpake_compatibility() { - msg "build: TLS1.2 server+client w/ EC-JPAKE w/o USE_PSA" - scripts/config.py set MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED - # Explicitly make lib first to avoid a race condition: - # https://github.com/Mbed-TLS/mbedtls/issues/8229 - make lib - make -C programs ssl/ssl_server2 ssl/ssl_client2 - cp programs/ssl/ssl_server2 s2_no_use_psa - cp programs/ssl/ssl_client2 c2_no_use_psa - - msg "build: TLS1.2 server+client w/ EC-JPAKE w/ USE_PSA" - scripts/config.py set MBEDTLS_USE_PSA_CRYPTO - make clean - make lib - make -C programs ssl/ssl_server2 ssl/ssl_client2 - make -C programs test/udp_proxy test/query_compile_time_config - - msg "test: server w/o USE_PSA - client w/ USE_PSA, text password" - P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: working, TLS" - msg "test: server w/o USE_PSA - client w/ USE_PSA, opaque password" - P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: opaque password client only, working, TLS" - msg "test: client w/o USE_PSA - server w/ USE_PSA, text password" - P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: working, TLS" - msg "test: client w/o USE_PSA - server w/ USE_PSA, opaque password" - P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: opaque password server only, working, TLS" - - rm s2_no_use_psa c2_no_use_psa -} - -component_test_everest () { - msg "build: Everest ECDH context (ASan build)" # ~ 6 min - scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED - CC=clang cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: Everest ECDH context - main suites (inc. selftests) (ASan build)" # ~ 50s - make test - - msg "test: metatests (clang, ASan)" - tests/scripts/run-metatests.sh any asan poison - - msg "test: Everest ECDH context - ECDH-related part of ssl-opt.sh (ASan build)" # ~ 5s - tests/ssl-opt.sh -f ECDH - - msg "test: Everest ECDH context - compat.sh with some ECDH ciphersuites (ASan build)" # ~ 3 min - # Exclude some symmetric ciphers that are redundant here to gain time. - tests/compat.sh -f ECDH -V NO -e 'ARIA\|CAMELLIA\|CHACHA' -} - -component_test_everest_curve25519_only () { - msg "build: Everest ECDH context, only Curve25519" # ~ 6 min - scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED - scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED - scripts/config.py unset MBEDTLS_ECJPAKE_C - # Disable all curves - scripts/config.py unset-all "MBEDTLS_ECP_DP_[0-9A-Z_a-z]*_ENABLED" - scripts/config.py set MBEDTLS_ECP_DP_CURVE25519_ENABLED - - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" - - msg "test: Everest ECDH context, only Curve25519" # ~ 50s - make test -} - -component_test_small_ssl_out_content_len () { - msg "build: small SSL_OUT_CONTENT_LEN (ASan build)" - scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 16384 - scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 4096 - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: small SSL_OUT_CONTENT_LEN - ssl-opt.sh MFL and large packet tests" - tests/ssl-opt.sh -f "Max fragment\|Large packet" -} - -component_test_small_ssl_in_content_len () { - msg "build: small SSL_IN_CONTENT_LEN (ASan build)" - scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 4096 - scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 16384 - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: small SSL_IN_CONTENT_LEN - ssl-opt.sh MFL tests" - tests/ssl-opt.sh -f "Max fragment" -} - -component_test_small_ssl_dtls_max_buffering () { - msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0" - scripts/config.py set MBEDTLS_SSL_DTLS_MAX_BUFFERING 1000 - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0 - ssl-opt.sh specific reordering test" - tests/ssl-opt.sh -f "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg" -} - -component_test_small_mbedtls_ssl_dtls_max_buffering () { - msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1" - scripts/config.py set MBEDTLS_SSL_DTLS_MAX_BUFFERING 190 - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1 - ssl-opt.sh specific reordering test" - tests/ssl-opt.sh -f "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket" -} - -component_test_psa_collect_statuses () { - msg "build+test: psa_collect_statuses" # ~30s - scripts/config.py full - tests/scripts/psa_collect_statuses.py - # Check that psa_crypto_init() succeeded at least once - grep -q '^0:psa_crypto_init:' tests/statuses.log - rm -f tests/statuses.log -} - -component_test_full_cmake_clang () { - msg "build: cmake, full config, clang" # ~ 50s - scripts/config.py full - CC=clang CXX=clang cmake -D CMAKE_BUILD_TYPE:String=Release -D ENABLE_TESTING=On -D TEST_CPP=1 . - make - - msg "test: main suites (full config, clang)" # ~ 5s - make test - - msg "test: cpp_dummy_build (full config, clang)" # ~ 1s - programs/test/cpp_dummy_build - - msg "test: metatests (clang)" - tests/scripts/run-metatests.sh any pthread - - msg "program demos (full config, clang)" # ~10s - tests/scripts/run_demos.py - - msg "test: psa_constant_names (full config, clang)" # ~ 1s - tests/scripts/test_psa_constant_names.py - - msg "test: ssl-opt.sh default, ECJPAKE, SSL async (full config)" # ~ 1s - tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private' - - msg "test: compat.sh NULL (full config)" # ~ 2 min - tests/compat.sh -e '^$' -f 'NULL' - - msg "test: compat.sh ARIA + ChachaPoly" - env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' -} - -skip_suites_without_constant_flow () { - # Skip the test suites that don't have any constant-flow annotations. - # This will need to be adjusted if we ever start declaring things as - # secret from macros or functions inside tests/include or tests/src. - SKIP_TEST_SUITES=$( - git -C tests/suites grep -L TEST_CF_ 'test_suite_*.function' | - sed 's/test_suite_//; s/\.function$//' | - tr '\n' ,) - export SKIP_TEST_SUITES -} - -skip_all_except_given_suite () { - # Skip all but the given test suite - SKIP_TEST_SUITES=$( - ls -1 tests/suites/test_suite_*.function | - grep -v $1.function | - sed 's/tests.suites.test_suite_//; s/\.function$//' | - tr '\n' ,) - export SKIP_TEST_SUITES -} - -component_test_memsan_constant_flow () { - # This tests both (1) accesses to undefined memory, and (2) branches or - # memory access depending on secret values. To distinguish between those: - # - unset MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN - does the failure persist? - # - or alternatively, change the build type to MemSanDbg, which enables - # origin tracking and nicer stack traces (which are useful for debugging - # anyway), and check if the origin was TEST_CF_SECRET() or something else. - msg "build: cmake MSan (clang), full config minus MBEDTLS_USE_PSA_CRYPTO with constant flow testing" - scripts/config.py full - scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm - CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan . - make - - msg "test: main suites (full minus MBEDTLS_USE_PSA_CRYPTO, Msan + constant flow)" - make test -} - -component_test_memsan_constant_flow_psa () { - # This tests both (1) accesses to undefined memory, and (2) branches or - # memory access depending on secret values. To distinguish between those: - # - unset MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN - does the failure persist? - # - or alternatively, change the build type to MemSanDbg, which enables - # origin tracking and nicer stack traces (which are useful for debugging - # anyway), and check if the origin was TEST_CF_SECRET() or something else. - msg "build: cmake MSan (clang), full config with constant flow testing" - scripts/config.py full - scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN - scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm - CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan . - make - - msg "test: main suites (Msan + constant flow)" - make test -} - -component_release_test_valgrind_constant_flow () { - # This tests both (1) everything that valgrind's memcheck usually checks - # (heap buffer overflows, use of uninitialized memory, use-after-free, - # etc.) and (2) branches or memory access depending on secret values, - # which will be reported as uninitialized memory. To distinguish between - # secret and actually uninitialized: - # - unset MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND - does the failure persist? - # - or alternatively, build with debug info and manually run the offending - # test suite with valgrind --track-origins=yes, then check if the origin - # was TEST_CF_SECRET() or something else. - msg "build: cmake release GCC, full config minus MBEDTLS_USE_PSA_CRYPTO with constant flow testing" - scripts/config.py full - scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - skip_suites_without_constant_flow - cmake -D CMAKE_BUILD_TYPE:String=Release . - make - - # this only shows a summary of the results (how many of each type) - # details are left in Testing//DynamicAnalysis.xml - msg "test: some suites (full minus MBEDTLS_USE_PSA_CRYPTO, valgrind + constant flow)" - make memcheck - - # Test asm path in constant time module - by default, it will test the plain C - # path under Valgrind or Memsan. Running only the constant_time tests is fast (<1s) - msg "test: valgrind asm constant_time" - scripts/config.py --force set MBEDTLS_TEST_CONSTANT_FLOW_ASM - skip_all_except_given_suite test_suite_constant_time - cmake -D CMAKE_BUILD_TYPE:String=Release . - make clean - make - make memcheck -} - -component_release_test_valgrind_constant_flow_psa () { - # This tests both (1) everything that valgrind's memcheck usually checks - # (heap buffer overflows, use of uninitialized memory, use-after-free, - # etc.) and (2) branches or memory access depending on secret values, - # which will be reported as uninitialized memory. To distinguish between - # secret and actually uninitialized: - # - unset MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND - does the failure persist? - # - or alternatively, build with debug info and manually run the offending - # test suite with valgrind --track-origins=yes, then check if the origin - # was TEST_CF_SECRET() or something else. - msg "build: cmake release GCC, full config with constant flow testing" - scripts/config.py full - scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND - skip_suites_without_constant_flow - cmake -D CMAKE_BUILD_TYPE:String=Release . - make - - # this only shows a summary of the results (how many of each type) - # details are left in Testing//DynamicAnalysis.xml - msg "test: some suites (valgrind + constant flow)" - make memcheck -} - -component_test_tsan () { - msg "build: TSan (clang)" - scripts/config.py full - scripts/config.py set MBEDTLS_THREADING_C - scripts/config.py set MBEDTLS_THREADING_PTHREAD - # Self-tests do not currently use multiple threads. - scripts/config.py unset MBEDTLS_SELF_TEST - - # The deprecated MBEDTLS_PSA_CRYPTO_SE_C interface is not thread safe. - scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C - - CC=clang cmake -D CMAKE_BUILD_TYPE:String=TSan . - make - - msg "test: main suites (TSan)" - make test -} - -component_test_default_no_deprecated () { - # Test that removing the deprecated features from the default - # configuration leaves something consistent. - msg "build: make, default + MBEDTLS_DEPRECATED_REMOVED" # ~ 30s - scripts/config.py set MBEDTLS_DEPRECATED_REMOVED - make CFLAGS='-O -Werror -Wall -Wextra' - - msg "test: make, default + MBEDTLS_DEPRECATED_REMOVED" # ~ 5s - make test -} - -component_test_full_no_deprecated () { - msg "build: make, full_no_deprecated config" # ~ 30s - scripts/config.py full_no_deprecated - make CFLAGS='-O -Werror -Wall -Wextra' - - msg "test: make, full_no_deprecated config" # ~ 5s - make test - - msg "test: ensure that X509 has no direct dependency on BIGNUM_C" - not grep mbedtls_mpi library/libmbedx509.a -} - -component_test_full_no_deprecated_deprecated_warning () { - # Test that there is nothing deprecated in "full_no_deprecated". - # A deprecated feature would trigger a warning (made fatal) from - # MBEDTLS_DEPRECATED_WARNING. - msg "build: make, full_no_deprecated config, MBEDTLS_DEPRECATED_WARNING" # ~ 30s - scripts/config.py full_no_deprecated - scripts/config.py unset MBEDTLS_DEPRECATED_REMOVED - scripts/config.py set MBEDTLS_DEPRECATED_WARNING - make CFLAGS='-O -Werror -Wall -Wextra' - - msg "test: make, full_no_deprecated config, MBEDTLS_DEPRECATED_WARNING" # ~ 5s - make test -} - -component_test_full_deprecated_warning () { - # Test that when MBEDTLS_DEPRECATED_WARNING is enabled, the build passes - # with only certain whitelisted types of warnings. - msg "build: make, full config + MBEDTLS_DEPRECATED_WARNING, expect warnings" # ~ 30s - scripts/config.py full - scripts/config.py set MBEDTLS_DEPRECATED_WARNING - # Expect warnings from '#warning' directives in check_config.h. - # Note that gcc is required to allow the use of -Wno-error=cpp, which allows us to - # display #warning messages without them being treated as errors. - make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-error=cpp' lib programs - - msg "build: make tests, full config + MBEDTLS_DEPRECATED_WARNING, expect warnings" # ~ 30s - # Set MBEDTLS_TEST_DEPRECATED to enable tests for deprecated features. - # By default those are disabled when MBEDTLS_DEPRECATED_WARNING is set. - # Expect warnings from '#warning' directives in check_config.h and - # from the use of deprecated functions in test suites. - make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-error=deprecated-declarations -Wno-error=cpp -DMBEDTLS_TEST_DEPRECATED' tests - - msg "test: full config + MBEDTLS_TEST_DEPRECATED" # ~ 30s - make test - - msg "program demos: full config + MBEDTLS_TEST_DEPRECATED" # ~10s - tests/scripts/run_demos.py -} - -# Check that the specified libraries exist and are empty. -are_empty_libraries () { - nm "$@" >/dev/null 2>/dev/null - ! nm "$@" 2>/dev/null | grep -v ':$' | grep . -} - -component_build_crypto_default () { - msg "build: make, crypto only" - scripts/config.py crypto - make CFLAGS='-O1 -Werror' - are_empty_libraries library/libmbedx509.* library/libmbedtls.* -} - -component_build_crypto_full () { - msg "build: make, crypto only, full config" - scripts/config.py crypto_full - make CFLAGS='-O1 -Werror' - are_empty_libraries library/libmbedx509.* library/libmbedtls.* -} - -component_test_crypto_for_psa_service () { - msg "build: make, config for PSA crypto service" - scripts/config.py crypto - scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER - # Disable things that are not needed for just cryptography, to - # reach a configuration that would be typical for a PSA cryptography - # service providing all implemented PSA algorithms. - # System stuff - scripts/config.py unset MBEDTLS_ERROR_C - scripts/config.py unset MBEDTLS_TIMING_C - scripts/config.py unset MBEDTLS_VERSION_FEATURES - # Crypto stuff with no PSA interface - scripts/config.py unset MBEDTLS_BASE64_C - # Keep MBEDTLS_CIPHER_C because psa_crypto_cipher, CCM and GCM need it. - scripts/config.py unset MBEDTLS_HKDF_C # PSA's HKDF is independent - # Keep MBEDTLS_MD_C because deterministic ECDSA needs it for HMAC_DRBG. - scripts/config.py unset MBEDTLS_NIST_KW_C - scripts/config.py unset MBEDTLS_PEM_PARSE_C - scripts/config.py unset MBEDTLS_PEM_WRITE_C - scripts/config.py unset MBEDTLS_PKCS12_C - scripts/config.py unset MBEDTLS_PKCS5_C - # MBEDTLS_PK_PARSE_C and MBEDTLS_PK_WRITE_C are actually currently needed - # in PSA code to work with RSA keys. We don't require users to set those: - # they will be reenabled in build_info.h. - scripts/config.py unset MBEDTLS_PK_C - scripts/config.py unset MBEDTLS_PK_PARSE_C - scripts/config.py unset MBEDTLS_PK_WRITE_C - make CFLAGS='-O1 -Werror' all test - are_empty_libraries library/libmbedx509.* library/libmbedtls.* -} - -component_build_crypto_baremetal () { - msg "build: make, crypto only, baremetal config" - scripts/config.py crypto_baremetal - make CFLAGS="-O1 -Werror -I$PWD/tests/include/baremetal-override/" - are_empty_libraries library/libmbedx509.* library/libmbedtls.* -} -support_build_crypto_baremetal () { - support_build_baremetal "$@" -} - -component_build_baremetal () { - msg "build: make, baremetal config" - scripts/config.py baremetal - make CFLAGS="-O1 -Werror -I$PWD/tests/include/baremetal-override/" -} -support_build_baremetal () { - # Older Glibc versions include time.h from other headers such as stdlib.h, - # which makes the no-time.h-in-baremetal check fail. Ubuntu 16.04 has this - # problem, Ubuntu 18.04 is ok. - ! grep -q -F time.h /usr/include/x86_64-linux-gnu/sys/types.h -} - -# depends.py family of tests -component_test_depends_py_cipher_id () { - msg "test/build: depends.py cipher_id (gcc)" - tests/scripts/depends.py cipher_id --unset-use-psa -} - -component_test_depends_py_cipher_chaining () { - msg "test/build: depends.py cipher_chaining (gcc)" - tests/scripts/depends.py cipher_chaining --unset-use-psa -} - -component_test_depends_py_cipher_padding () { - msg "test/build: depends.py cipher_padding (gcc)" - tests/scripts/depends.py cipher_padding --unset-use-psa -} - -component_test_depends_py_curves () { - msg "test/build: depends.py curves (gcc)" - tests/scripts/depends.py curves --unset-use-psa -} - -component_test_depends_py_hashes () { - msg "test/build: depends.py hashes (gcc)" - tests/scripts/depends.py hashes --unset-use-psa -} - -component_test_depends_py_kex () { - msg "test/build: depends.py kex (gcc)" - tests/scripts/depends.py kex --unset-use-psa -} - -component_test_depends_py_pkalgs () { - msg "test/build: depends.py pkalgs (gcc)" - tests/scripts/depends.py pkalgs --unset-use-psa -} - -# PSA equivalents of the depends.py tests -component_test_depends_py_cipher_id_psa () { - msg "test/build: depends.py cipher_id (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" - tests/scripts/depends.py cipher_id -} - -component_test_depends_py_cipher_chaining_psa () { - msg "test/build: depends.py cipher_chaining (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" - tests/scripts/depends.py cipher_chaining -} - -component_test_depends_py_cipher_padding_psa () { - msg "test/build: depends.py cipher_padding (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" - tests/scripts/depends.py cipher_padding -} - -component_test_depends_py_curves_psa () { - msg "test/build: depends.py curves (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" - tests/scripts/depends.py curves -} - -component_test_depends_py_hashes_psa () { - msg "test/build: depends.py hashes (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" - tests/scripts/depends.py hashes -} - -component_test_depends_py_kex_psa () { - msg "test/build: depends.py kex (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" - tests/scripts/depends.py kex -} - -component_test_depends_py_pkalgs_psa () { - msg "test/build: depends.py pkalgs (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" - tests/scripts/depends.py pkalgs -} - -component_test_psa_crypto_config_ffdh_2048_only () { - msg "build: full config - only DH 2048" - - scripts/config.py full - - # Disable all DH groups other than 2048. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_3072 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_4096 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_6144 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_8192 - - make CFLAGS="$ASAN_CFLAGS -Werror" LDFLAGS="$ASAN_CFLAGS" - - msg "test: full config - only DH 2048" - make test - - msg "ssl-opt: full config - only DH 2048" - tests/ssl-opt.sh -f "ffdh" -} - -component_build_no_pk_rsa_alt_support () { - msg "build: !MBEDTLS_PK_RSA_ALT_SUPPORT" # ~30s - - scripts/config.py full - scripts/config.py unset MBEDTLS_PK_RSA_ALT_SUPPORT - scripts/config.py set MBEDTLS_RSA_C - scripts/config.py set MBEDTLS_X509_CRT_WRITE_C - - # Only compile - this is primarily to test for compile issues - make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' -} - -component_build_module_alt () { - msg "build: MBEDTLS_XXX_ALT" # ~30s - scripts/config.py full - - # Disable options that are incompatible with some ALT implementations: - # aesni.c and padlock.c reference mbedtls_aes_context fields directly. - scripts/config.py unset MBEDTLS_AESNI_C - scripts/config.py unset MBEDTLS_PADLOCK_C - scripts/config.py unset MBEDTLS_AESCE_C - # MBEDTLS_ECP_RESTARTABLE is documented as incompatible. - scripts/config.py unset MBEDTLS_ECP_RESTARTABLE - # You can only have one threading implementation: alt or pthread, not both. - scripts/config.py unset MBEDTLS_THREADING_PTHREAD - # The SpecifiedECDomain parsing code accesses mbedtls_ecp_group fields - # directly and assumes the implementation works with partial groups. - scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED - # MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_* - scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT - scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY - # MBEDTLS_SHA512_*ALT can't be used with MBEDTLS_SHA512_USE_A64_CRYPTO_* - scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT - scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY - - # Enable all MBEDTLS_XXX_ALT for whole modules. Do not enable - # MBEDTLS_XXX_YYY_ALT which are for single functions. - scripts/config.py set-all 'MBEDTLS_([A-Z0-9]*|NIST_KW)_ALT' - scripts/config.py unset MBEDTLS_DHM_ALT #incompatible with MBEDTLS_DEBUG_C - - # We can only compile, not link, since we don't have any implementations - # suitable for testing with the dummy alt headers. - make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' lib -} - -component_build_dhm_alt () { - msg "build: MBEDTLS_DHM_ALT" # ~30s - scripts/config.py full - scripts/config.py set MBEDTLS_DHM_ALT - # debug.c currently references mbedtls_dhm_context fields directly. - scripts/config.py unset MBEDTLS_DEBUG_C - # We can only compile, not link, since we don't have any implementations - # suitable for testing with the dummy alt headers. - make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' lib -} - -component_test_no_psa_crypto_full_cmake_asan() { - # full minus MBEDTLS_PSA_CRYPTO_C: run the same set of tests as basic-build-test.sh - msg "build: cmake, full config minus PSA crypto, ASan" - scripts/config.py full - scripts/config.py unset MBEDTLS_PSA_CRYPTO_C - scripts/config.py unset MBEDTLS_PSA_CRYPTO_CLIENT - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C - scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C - scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C - scripts/config.py unset MBEDTLS_LMS_C - scripts/config.py unset MBEDTLS_LMS_PRIVATE - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: main suites (full minus PSA crypto)" - make test - - # Note: ssl-opt.sh has some test cases that depend on - # MBEDTLS_ECP_RESTARTABLE && !MBEDTLS_USE_PSA_CRYPTO - # This is the only component where those tests are not skipped. - msg "test: ssl-opt.sh (full minus PSA crypto)" - tests/ssl-opt.sh - - msg "test: compat.sh default (full minus PSA crypto)" - tests/compat.sh - - msg "test: compat.sh NULL (full minus PSA crypto)" - tests/compat.sh -f 'NULL' - - msg "test: compat.sh ARIA + ChachaPoly (full minus PSA crypto)" - env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' -} - -component_test_psa_crypto_config_accel_ecdsa () { - msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA" - - # Algorithms and key types to accelerate - loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ - $(helper_get_psa_key_type_list "ECC") \ - $(helper_get_psa_curve_list)" - - # Configure - # --------- - - # Start from default config (no USE_PSA) + TLS 1.3 - helper_libtestdriver1_adjust_config "default" - - # Disable the module that's accelerated - scripts/config.py unset MBEDTLS_ECDSA_C - - # Disable things that depend on it - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED - - # Build - # ----- - - # These hashes are needed for some ECDSA signature tests. - loc_extra_list="ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ - ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" - - helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" - - helper_libtestdriver1_make_main "$loc_accel_list" - - # Make sure this was not re-enabled by accident (additive config) - not grep mbedtls_ecdsa_ library/ecdsa.o - - # Run the tests - # ------------- - - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA" - make test -} - -component_test_psa_crypto_config_accel_ecdh () { - msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH" - - # Algorithms and key types to accelerate - loc_accel_list="ALG_ECDH \ - $(helper_get_psa_key_type_list "ECC") \ - $(helper_get_psa_curve_list)" - - # Configure - # --------- - - # Start from default config (no USE_PSA) - helper_libtestdriver1_adjust_config "default" - - # Disable the module that's accelerated - scripts/config.py unset MBEDTLS_ECDH_C - - # Disable things that depend on it - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED - - # Build - # ----- - - helper_libtestdriver1_make_drivers "$loc_accel_list" - - helper_libtestdriver1_make_main "$loc_accel_list" - - # Make sure this was not re-enabled by accident (additive config) - not grep mbedtls_ecdh_ library/ecdh.o - - # Run the tests - # ------------- - - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH" - make test -} - -component_test_psa_crypto_config_accel_ffdh () { - msg "build: full with accelerated FFDH" - - # Algorithms and key types to accelerate - loc_accel_list="ALG_FFDH \ - $(helper_get_psa_key_type_list "DH") \ - $(helper_get_psa_dh_group_list)" - - # Configure - # --------- - - # start with full (USE_PSA and TLS 1.3) - helper_libtestdriver1_adjust_config "full" - - # Disable the module that's accelerated - scripts/config.py unset MBEDTLS_DHM_C - - # Disable things that depend on it - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED - - # Build - # ----- - - helper_libtestdriver1_make_drivers "$loc_accel_list" - - helper_libtestdriver1_make_main "$loc_accel_list" - - # Make sure this was not re-enabled by accident (additive config) - not grep mbedtls_dhm_ library/dhm.o - - # Run the tests - # ------------- - - msg "test: full with accelerated FFDH" - make test - - msg "ssl-opt: full with accelerated FFDH alg" - tests/ssl-opt.sh -f "ffdh" -} - -component_test_psa_crypto_config_reference_ffdh () { - msg "build: full with non-accelerated FFDH" - - # Start with full (USE_PSA and TLS 1.3) - helper_libtestdriver1_adjust_config "full" - - # Disable things that are not supported - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED - make - - msg "test suites: full with non-accelerated FFDH alg" - make test - - msg "ssl-opt: full with non-accelerated FFDH alg" - tests/ssl-opt.sh -f "ffdh" -} - -component_test_psa_crypto_config_accel_pake() { - msg "build: full with accelerated PAKE" - - loc_accel_list="ALG_JPAKE \ - $(helper_get_psa_key_type_list "ECC") \ - $(helper_get_psa_curve_list)" - - # Configure - # --------- - - helper_libtestdriver1_adjust_config "full" - - # Make built-in fallback not available - scripts/config.py unset MBEDTLS_ECJPAKE_C - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED - - # Build - # ----- - - helper_libtestdriver1_make_drivers "$loc_accel_list" - - helper_libtestdriver1_make_main "$loc_accel_list" - - # Make sure this was not re-enabled by accident (additive config) - not grep mbedtls_ecjpake_init library/ecjpake.o - - # Run the tests - # ------------- - - msg "test: full with accelerated PAKE" - make test -} - -component_test_psa_crypto_config_accel_ecc_some_key_types () { - msg "build: full with accelerated EC algs and some key types" - - # Algorithms and key types to accelerate - # For key types, use an explicitly list to omit GENERATE (and DERIVE) - loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ - ALG_ECDH \ - ALG_JPAKE \ - KEY_TYPE_ECC_PUBLIC_KEY \ - KEY_TYPE_ECC_KEY_PAIR_BASIC \ - KEY_TYPE_ECC_KEY_PAIR_IMPORT \ - KEY_TYPE_ECC_KEY_PAIR_EXPORT \ - $(helper_get_psa_curve_list)" - - # Configure - # --------- - - # start with config full for maximum coverage (also enables USE_PSA) - helper_libtestdriver1_adjust_config "full" - - # Disable modules that are accelerated - some will be re-enabled - scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_ECDH_C - scripts/config.py unset MBEDTLS_ECJPAKE_C - scripts/config.py unset MBEDTLS_ECP_C - - # Disable all curves - those that aren't accelerated should be re-enabled - helper_disable_builtin_curves - - # Restartable feature is not yet supported by PSA. Once it will in - # the future, the following line could be removed (see issues - # 6061, 6332 and following ones) - scripts/config.py unset MBEDTLS_ECP_RESTARTABLE - - # this is not supported by the driver API yet - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE - - # Build - # ----- - - # These hashes are needed for some ECDSA signature tests. - loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ - ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" - helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" - - helper_libtestdriver1_make_main "$loc_accel_list" - - # ECP should be re-enabled but not the others - not grep mbedtls_ecdh_ library/ecdh.o - not grep mbedtls_ecdsa library/ecdsa.o - not grep mbedtls_ecjpake library/ecjpake.o - grep mbedtls_ecp library/ecp.o - - # Run the tests - # ------------- - - msg "test suites: full with accelerated EC algs and some key types" - make test -} - -# Run tests with only (non-)Weierstrass accelerated -# Common code used in: -# - component_test_psa_crypto_config_accel_ecc_weierstrass_curves -# - component_test_psa_crypto_config_accel_ecc_non_weierstrass_curves -common_test_psa_crypto_config_accel_ecc_some_curves () { - weierstrass=$1 - if [ $weierstrass -eq 1 ]; then - desc="Weierstrass" - else - desc="non-Weierstrass" - fi - - msg "build: crypto_full minus PK with accelerated EC algs and $desc curves" - - # Note: Curves are handled in a special way by the libtestdriver machinery, - # so we only want to include them in the accel list when building the main - # libraries, hence the use of a separate variable. - # Note: the following loop is a modified version of - # helper_get_psa_curve_list that only keeps Weierstrass families. - loc_weierstrass_list="" - loc_non_weierstrass_list="" - for item in $(sed -n 's/^#define PSA_WANT_\(ECC_[0-9A-Z_a-z]*\).*/\1/p' <"$CRYPTO_CONFIG_H"); do - case $item in - ECC_BRAINPOOL*|ECC_SECP*) - loc_weierstrass_list="$loc_weierstrass_list $item" - ;; - *) - loc_non_weierstrass_list="$loc_non_weierstrass_list $item" - ;; - esac - done - if [ $weierstrass -eq 1 ]; then - loc_curve_list=$loc_weierstrass_list - else - loc_curve_list=$loc_non_weierstrass_list - fi - - # Algorithms and key types to accelerate - loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ - ALG_ECDH \ - ALG_JPAKE \ - $(helper_get_psa_key_type_list "ECC") \ - $loc_curve_list" - - # Configure - # --------- - - # Start with config crypto_full and remove PK_C: - # that's what's supported now, see docs/driver-only-builds.md. - helper_libtestdriver1_adjust_config "crypto_full" - scripts/config.py unset MBEDTLS_PK_C - scripts/config.py unset MBEDTLS_PK_PARSE_C - scripts/config.py unset MBEDTLS_PK_WRITE_C - - # Disable modules that are accelerated - some will be re-enabled - scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_ECDH_C - scripts/config.py unset MBEDTLS_ECJPAKE_C - scripts/config.py unset MBEDTLS_ECP_C - - # Disable all curves - those that aren't accelerated should be re-enabled - helper_disable_builtin_curves - - # Restartable feature is not yet supported by PSA. Once it will in - # the future, the following line could be removed (see issues - # 6061, 6332 and following ones) - scripts/config.py unset MBEDTLS_ECP_RESTARTABLE - - # this is not supported by the driver API yet - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE - - # Build - # ----- - - # These hashes are needed for some ECDSA signature tests. - loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ - ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" - helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" - - helper_libtestdriver1_make_main "$loc_accel_list" - - # We expect ECDH to be re-enabled for the missing curves - grep mbedtls_ecdh_ library/ecdh.o - # We expect ECP to be re-enabled, however the parts specific to the - # families of curves that are accelerated should be ommited. - # - functions with mxz in the name are specific to Montgomery curves - # - ecp_muladd is specific to Weierstrass curves - ##nm library/ecp.o | tee ecp.syms - if [ $weierstrass -eq 1 ]; then - not grep mbedtls_ecp_muladd library/ecp.o - grep mxz library/ecp.o - else - grep mbedtls_ecp_muladd library/ecp.o - not grep mxz library/ecp.o - fi - # We expect ECDSA and ECJPAKE to be re-enabled only when - # Weierstrass curves are not accelerated - if [ $weierstrass -eq 1 ]; then - not grep mbedtls_ecdsa library/ecdsa.o - not grep mbedtls_ecjpake library/ecjpake.o - else - grep mbedtls_ecdsa library/ecdsa.o - grep mbedtls_ecjpake library/ecjpake.o - fi - - # Run the tests - # ------------- - - msg "test suites: crypto_full minus PK with accelerated EC algs and $desc curves" - make test -} - -component_test_psa_crypto_config_accel_ecc_weierstrass_curves () { - common_test_psa_crypto_config_accel_ecc_some_curves 1 -} - -component_test_psa_crypto_config_accel_ecc_non_weierstrass_curves () { - common_test_psa_crypto_config_accel_ecc_some_curves 0 -} - -# Auxiliary function to build config for all EC based algorithms (EC-JPAKE, -# ECDH, ECDSA) with and without drivers. -# The input parameter is a boolean value which indicates: -# - 0 keep built-in EC algs, -# - 1 exclude built-in EC algs (driver only). -# -# This is used by the two following components to ensure they always use the -# same config, except for the use of driver or built-in EC algorithms: -# - component_test_psa_crypto_config_accel_ecc_ecp_light_only; -# - component_test_psa_crypto_config_reference_ecc_ecp_light_only. -# This supports comparing their test coverage with analyze_outcomes.py. -config_psa_crypto_config_ecp_light_only () { - driver_only="$1" - # start with config full for maximum coverage (also enables USE_PSA) - helper_libtestdriver1_adjust_config "full" - if [ "$driver_only" -eq 1 ]; then - # Disable modules that are accelerated - scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_ECDH_C - scripts/config.py unset MBEDTLS_ECJPAKE_C - scripts/config.py unset MBEDTLS_ECP_C - fi - - # Restartable feature is not yet supported by PSA. Once it will in - # the future, the following line could be removed (see issues - # 6061, 6332 and following ones) - scripts/config.py unset MBEDTLS_ECP_RESTARTABLE -} - -# Keep in sync with component_test_psa_crypto_config_reference_ecc_ecp_light_only -component_test_psa_crypto_config_accel_ecc_ecp_light_only () { - msg "build: full with accelerated EC algs" - - # Algorithms and key types to accelerate - loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ - ALG_ECDH \ - ALG_JPAKE \ - $(helper_get_psa_key_type_list "ECC") \ - $(helper_get_psa_curve_list)" - - # Configure - # --------- - - # Use the same config as reference, only without built-in EC algs - config_psa_crypto_config_ecp_light_only 1 - - # Do not disable builtin curves because that support is required for: - # - MBEDTLS_PK_PARSE_EC_EXTENDED - # - MBEDTLS_PK_PARSE_EC_COMPRESSED - - # Build - # ----- - - # These hashes are needed for some ECDSA signature tests. - loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ - ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" - helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" - - helper_libtestdriver1_make_main "$loc_accel_list" - - # Make sure any built-in EC alg was not re-enabled by accident (additive config) - not grep mbedtls_ecdsa_ library/ecdsa.o - not grep mbedtls_ecdh_ library/ecdh.o - not grep mbedtls_ecjpake_ library/ecjpake.o - not grep mbedtls_ecp_mul library/ecp.o - - # Run the tests - # ------------- - - msg "test suites: full with accelerated EC algs" - make test - - msg "ssl-opt: full with accelerated EC algs" - tests/ssl-opt.sh -} - -# Keep in sync with component_test_psa_crypto_config_accel_ecc_ecp_light_only -component_test_psa_crypto_config_reference_ecc_ecp_light_only () { - msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with non-accelerated EC algs" - - config_psa_crypto_config_ecp_light_only 0 - - make - - msg "test suites: full with non-accelerated EC algs" - make test - - msg "ssl-opt: full with non-accelerated EC algs" - tests/ssl-opt.sh -} - -# This helper function is used by: -# - component_test_psa_crypto_config_accel_ecc_no_ecp_at_all() -# - component_test_psa_crypto_config_reference_ecc_no_ecp_at_all() -# to ensure that both tests use the same underlying configuration when testing -# driver's coverage with analyze_outcomes.py. -# -# This functions accepts 1 boolean parameter as follows: -# - 1: building with accelerated EC algorithms (ECDSA, ECDH, ECJPAKE), therefore -# excluding their built-in implementation as well as ECP_C & ECP_LIGHT -# - 0: include built-in implementation of EC algorithms. -# -# PK_C and RSA_C are always disabled to ensure there is no remaining dependency -# on the ECP module. -config_psa_crypto_no_ecp_at_all () { - driver_only="$1" - # start with full config for maximum coverage (also enables USE_PSA) - helper_libtestdriver1_adjust_config "full" - - if [ "$driver_only" -eq 1 ]; then - # Disable modules that are accelerated - scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_ECDH_C - scripts/config.py unset MBEDTLS_ECJPAKE_C - # Disable ECP module (entirely) - scripts/config.py unset MBEDTLS_ECP_C - fi - - # Disable all the features that auto-enable ECP_LIGHT (see build_info.h) - scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED - scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE - - # Restartable feature is not yet supported by PSA. Once it will in - # the future, the following line could be removed (see issues - # 6061, 6332 and following ones) - scripts/config.py unset MBEDTLS_ECP_RESTARTABLE -} - -# Build and test a configuration where driver accelerates all EC algs while -# all support and dependencies from ECP and ECP_LIGHT are removed on the library -# side. -# -# Keep in sync with component_test_psa_crypto_config_reference_ecc_no_ecp_at_all() -component_test_psa_crypto_config_accel_ecc_no_ecp_at_all () { - msg "build: full + accelerated EC algs - ECP" - - # Algorithms and key types to accelerate - loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ - ALG_ECDH \ - ALG_JPAKE \ - $(helper_get_psa_key_type_list "ECC") \ - $(helper_get_psa_curve_list)" - - # Configure - # --------- - - # Set common configurations between library's and driver's builds - config_psa_crypto_no_ecp_at_all 1 - # Disable all the builtin curves. All the required algs are accelerated. - helper_disable_builtin_curves - - # Build - # ----- - - # Things we wanted supported in libtestdriver1, but not accelerated in the main library: - # SHA-1 and all SHA-2/3 variants, as they are used by ECDSA deterministic. - loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ - ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" - - helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" - - helper_libtestdriver1_make_main "$loc_accel_list" - - # Make sure any built-in EC alg was not re-enabled by accident (additive config) - not grep mbedtls_ecdsa_ library/ecdsa.o - not grep mbedtls_ecdh_ library/ecdh.o - not grep mbedtls_ecjpake_ library/ecjpake.o - # Also ensure that ECP module was not re-enabled - not grep mbedtls_ecp_ library/ecp.o - - # Run the tests - # ------------- - - msg "test: full + accelerated EC algs - ECP" - make test - - msg "ssl-opt: full + accelerated EC algs - ECP" - tests/ssl-opt.sh -} - -# Reference function used for driver's coverage analysis in analyze_outcomes.py -# in conjunction with component_test_psa_crypto_config_accel_ecc_no_ecp_at_all(). -# Keep in sync with its accelerated counterpart. -component_test_psa_crypto_config_reference_ecc_no_ecp_at_all () { - msg "build: full + non accelerated EC algs" - - config_psa_crypto_no_ecp_at_all 0 - - make - - msg "test: full + non accelerated EC algs" - make test - - msg "ssl-opt: full + non accelerated EC algs" - tests/ssl-opt.sh -} - -# This is a common configuration helper used directly from: -# - common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum -# - common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum -# and indirectly from: -# - component_test_psa_crypto_config_accel_ecc_no_bignum -# - accelerate all EC algs, disable RSA and FFDH -# - component_test_psa_crypto_config_reference_ecc_no_bignum -# - this is the reference component of the above -# - it still disables RSA and FFDH, but it uses builtin EC algs -# - component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum -# - accelerate all EC and FFDH algs, disable only RSA -# - component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum -# - this is the reference component of the above -# - it still disables RSA, but it uses builtin EC and FFDH algs -# -# This function accepts 2 parameters: -# $1: a boolean value which states if we are testing an accelerated scenario -# or not. -# $2: a string value which states which components are tested. Allowed values -# are "ECC" or "ECC_DH". -config_psa_crypto_config_accel_ecc_ffdh_no_bignum() { - driver_only="$1" - test_target="$2" - # start with full config for maximum coverage (also enables USE_PSA) - helper_libtestdriver1_adjust_config "full" - - if [ "$driver_only" -eq 1 ]; then - # Disable modules that are accelerated - scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_ECDH_C - scripts/config.py unset MBEDTLS_ECJPAKE_C - # Disable ECP module (entirely) - scripts/config.py unset MBEDTLS_ECP_C - # Also disable bignum - scripts/config.py unset MBEDTLS_BIGNUM_C - fi - - # Disable all the features that auto-enable ECP_LIGHT (see build_info.h) - scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED - scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE - - # RSA support is intentionally disabled on this test because RSA_C depends - # on BIGNUM_C. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*" - scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*" - scripts/config.py unset MBEDTLS_RSA_C - scripts/config.py unset MBEDTLS_PKCS1_V15 - scripts/config.py unset MBEDTLS_PKCS1_V21 - scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT - # Also disable key exchanges that depend on RSA - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED - - if [ "$test_target" = "ECC" ]; then - # When testing ECC only, we disable FFDH support, both from builtin and - # PSA sides, and also disable the key exchanges that depend on DHM. - scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_FFDH - scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_DH_[0-9A-Z_a-z]*" - scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_DH_RFC7919_[0-9]*" - scripts/config.py unset MBEDTLS_DHM_C - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED - else - # When testing ECC and DH instead, we disable DHM and depending key - # exchanges only in the accelerated build - if [ "$driver_only" -eq 1 ]; then - scripts/config.py unset MBEDTLS_DHM_C - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED - fi - fi - - # Restartable feature is not yet supported by PSA. Once it will in - # the future, the following line could be removed (see issues - # 6061, 6332 and following ones) - scripts/config.py unset MBEDTLS_ECP_RESTARTABLE -} - -# Common helper used by: -# - component_test_psa_crypto_config_accel_ecc_no_bignum -# - component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum -# -# The goal is to build and test accelerating either: -# - ECC only or -# - both ECC and FFDH -# -# It is meant to be used in conjunction with -# common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum() for drivers -# coverage analysis in the "analyze_outcomes.py" script. -common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () { - test_target="$1" - - # This is an internal helper to simplify text message handling - if [ "$test_target" = "ECC_DH" ]; then - accel_text="ECC/FFDH" - removed_text="ECP - DH" - else - accel_text="ECC" - removed_text="ECP" - fi - - msg "build: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM" - - # By default we accelerate all EC keys/algs - loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ - ALG_ECDH \ - ALG_JPAKE \ - $(helper_get_psa_key_type_list "ECC") \ - $(helper_get_psa_curve_list)" - # Optionally we can also add DH to the list of accelerated items - if [ "$test_target" = "ECC_DH" ]; then - loc_accel_list="$loc_accel_list \ - ALG_FFDH \ - $(helper_get_psa_key_type_list "DH") \ - $(helper_get_psa_dh_group_list)" - fi - - # Configure - # --------- - - # Set common configurations between library's and driver's builds - config_psa_crypto_config_accel_ecc_ffdh_no_bignum 1 "$test_target" - # Disable all the builtin curves. All the required algs are accelerated. - helper_disable_builtin_curves - - # Build - # ----- - - # Things we wanted supported in libtestdriver1, but not accelerated in the main library: - # SHA-1 and all SHA-2/3 variants, as they are used by ECDSA deterministic. - loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ - ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" - - helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" - - helper_libtestdriver1_make_main "$loc_accel_list" - - # Make sure any built-in EC alg was not re-enabled by accident (additive config) - not grep mbedtls_ecdsa_ library/ecdsa.o - not grep mbedtls_ecdh_ library/ecdh.o - not grep mbedtls_ecjpake_ library/ecjpake.o - # Also ensure that ECP, RSA, [DHM] or BIGNUM modules were not re-enabled - not grep mbedtls_ecp_ library/ecp.o - not grep mbedtls_rsa_ library/rsa.o - not grep mbedtls_mpi_ library/bignum.o - not grep mbedtls_dhm_ library/dhm.o - - # Run the tests - # ------------- - - msg "test suites: full + accelerated $accel_text algs + USE_PSA - $removed_text - DHM - BIGNUM" - - make test - - msg "ssl-opt: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM" - tests/ssl-opt.sh -} - -# Common helper used by: -# - component_test_psa_crypto_config_reference_ecc_no_bignum -# - component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum -# -# The goal is to build and test a reference scenario (i.e. with builtin -# components) compared to the ones used in -# common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum() above. -# -# It is meant to be used in conjunction with -# common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum() for drivers' -# coverage analysis in "analyze_outcomes.py" script. -common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () { - test_target="$1" - - # This is an internal helper to simplify text message handling - if [ "$test_target" = "ECC_DH" ]; then - accel_text="ECC/FFDH" - else - accel_text="ECC" - fi - - msg "build: full + non accelerated $accel_text algs + USE_PSA" - - config_psa_crypto_config_accel_ecc_ffdh_no_bignum 0 "$test_target" - - make - - msg "test suites: full + non accelerated EC algs + USE_PSA" - make test - - msg "ssl-opt: full + non accelerated $accel_text algs + USE_PSA" - tests/ssl-opt.sh -} - -component_test_psa_crypto_config_accel_ecc_no_bignum () { - common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum "ECC" -} - -component_test_psa_crypto_config_reference_ecc_no_bignum () { - common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum "ECC" -} - -component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () { - common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum "ECC_DH" -} - -component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () { - common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum "ECC_DH" -} - -# Helper for setting common configurations between: -# - component_test_tfm_config_p256m_driver_accel_ec() -# - component_test_tfm_config() -common_tfm_config () { - # Enable TF-M config - cp configs/config-tfm.h "$CONFIG_H" - echo "#undef MBEDTLS_PSA_CRYPTO_CONFIG_FILE" >> "$CONFIG_H" - cp configs/ext/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H" - - # Other config adjustment to make the tests pass. - # This should probably be adopted upstream. - # - # - USE_PSA_CRYPTO for PK_HAVE_ECC_KEYS - echo "#define MBEDTLS_USE_PSA_CRYPTO" >> "$CONFIG_H" - - # Config adjustment for better test coverage in our environment. - # This is not needed just to build and pass tests. - # - # Enable filesystem I/O for the benefit of PK parse/write tests. - echo "#define MBEDTLS_FS_IO" >> "$CONFIG_H" -} - -# Keep this in sync with component_test_tfm_config() as they are both meant -# to be used in analyze_outcomes.py for driver's coverage analysis. -component_test_tfm_config_p256m_driver_accel_ec () { - msg "build: TF-M config + p256m driver + accel ECDH(E)/ECDSA" - - common_tfm_config - - # Build crypto library - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -I../tests/include/spe" LDFLAGS="$ASAN_CFLAGS" - - # Make sure any built-in EC alg was not re-enabled by accident (additive config) - not grep mbedtls_ecdsa_ library/ecdsa.o - not grep mbedtls_ecdh_ library/ecdh.o - not grep mbedtls_ecjpake_ library/ecjpake.o - # Also ensure that ECP, RSA, DHM or BIGNUM modules were not re-enabled - not grep mbedtls_ecp_ library/ecp.o - not grep mbedtls_rsa_ library/rsa.o - not grep mbedtls_dhm_ library/dhm.o - not grep mbedtls_mpi_ library/bignum.o - # Check that p256m was built - grep -q p256_ecdsa_ library/libmbedcrypto.a - - # In "config-tfm.h" we disabled CIPHER_C tweaking TF-M's configuration - # files, so we want to ensure that it has not be re-enabled accidentally. - not grep mbedtls_cipher library/cipher.o - - # Run the tests - msg "test: TF-M config + p256m driver + accel ECDH(E)/ECDSA" - make test -} - -# Keep this in sync with component_test_tfm_config_p256m_driver_accel_ec() as -# they are both meant to be used in analyze_outcomes.py for driver's coverage -# analysis. -component_test_tfm_config() { - common_tfm_config - - # Disable P256M driver, which is on by default, so that analyze_outcomes - # can compare this test with test_tfm_config_p256m_driver_accel_ec - echo "#undef MBEDTLS_PSA_P256M_DRIVER_ENABLED" >> "$CONFIG_H" - - msg "build: TF-M config" - make CFLAGS='-Werror -Wall -Wextra -I../tests/include/spe' tests - - # Check that p256m was not built - not grep p256_ecdsa_ library/libmbedcrypto.a - - # In "config-tfm.h" we disabled CIPHER_C tweaking TF-M's configuration - # files, so we want to ensure that it has not be re-enabled accidentally. - not grep mbedtls_cipher library/cipher.o - - msg "test: TF-M config" - make test -} - -# Common helper for component_full_without_ecdhe_ecdsa() and -# component_full_without_ecdhe_ecdsa_and_tls13() which: -# - starts from the "full" configuration minus the list of symbols passed in -# as 1st parameter -# - build -# - test only TLS (i.e. test_suite_tls and ssl-opt) -build_full_minus_something_and_test_tls () { - symbols_to_disable="$1" - - msg "build: full minus something, test TLS" - - scripts/config.py full - for sym in $symbols_to_disable; do - echo "Disabling $sym" - scripts/config.py unset $sym - done - - make - - msg "test: full minus something, test TLS" - ( cd tests; ./test_suite_ssl ) - - msg "ssl-opt: full minus something, test TLS" - tests/ssl-opt.sh -} - -component_full_without_ecdhe_ecdsa () { - build_full_minus_something_and_test_tls "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED" -} - -component_full_without_ecdhe_ecdsa_and_tls13 () { - build_full_minus_something_and_test_tls "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED - MBEDTLS_SSL_PROTO_TLS1_3" -} - -# This is an helper used by: -# - component_test_psa_ecc_key_pair_no_derive -# - component_test_psa_ecc_key_pair_no_generate -# The goal is to test with all PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy symbols -# enabled, but one. Input arguments are as follows: -# - $1 is the key type under test, i.e. ECC/RSA/DH -# - $2 is the key option to be unset (i.e. generate, derive, etc) -build_and_test_psa_want_key_pair_partial() { - key_type=$1 - unset_option=$2 - disabled_psa_want="PSA_WANT_KEY_TYPE_${key_type}_KEY_PAIR_${unset_option}" - - msg "build: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - - # All the PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy are enabled by default in - # crypto_config.h so we just disable the one we don't want. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset "$disabled_psa_want" - - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" - - msg "test: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}" - make test -} - -component_test_psa_ecc_key_pair_no_derive() { - build_and_test_psa_want_key_pair_partial "ECC" "DERIVE" -} - -component_test_psa_ecc_key_pair_no_generate() { - build_and_test_psa_want_key_pair_partial "ECC" "GENERATE" -} - -config_psa_crypto_accel_rsa () { - driver_only=$1 - - # Start from crypto_full config (no X.509, no TLS) - helper_libtestdriver1_adjust_config "crypto_full" - - if [ "$driver_only" -eq 1 ]; then - # Remove RSA support and its dependencies - scripts/config.py unset MBEDTLS_RSA_C - scripts/config.py unset MBEDTLS_PKCS1_V15 - scripts/config.py unset MBEDTLS_PKCS1_V21 - - # We need PEM parsing in the test library as well to support the import - # of PEM encoded RSA keys. - scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_PEM_PARSE_C - scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_BASE64_C - fi -} - -component_test_psa_crypto_config_accel_rsa_crypto () { - msg "build: crypto_full with accelerated RSA" - - loc_accel_list="ALG_RSA_OAEP ALG_RSA_PSS \ - ALG_RSA_PKCS1V15_CRYPT ALG_RSA_PKCS1V15_SIGN \ - KEY_TYPE_RSA_PUBLIC_KEY \ - KEY_TYPE_RSA_KEY_PAIR_BASIC \ - KEY_TYPE_RSA_KEY_PAIR_GENERATE \ - KEY_TYPE_RSA_KEY_PAIR_IMPORT \ - KEY_TYPE_RSA_KEY_PAIR_EXPORT" - - # Configure - # --------- - - config_psa_crypto_accel_rsa 1 - - # Build - # ----- - - # These hashes are needed for unit tests. - loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ - ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512 ALG_MD5" - helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" - - helper_libtestdriver1_make_main "$loc_accel_list" - - # Make sure this was not re-enabled by accident (additive config) - not grep mbedtls_rsa library/rsa.o - - # Run the tests - # ------------- - - msg "test: crypto_full with accelerated RSA" - make test -} - -component_test_psa_crypto_config_reference_rsa_crypto () { - msg "build: crypto_full with non-accelerated RSA" - - # Configure - # --------- - config_psa_crypto_accel_rsa 0 - - # Build - # ----- - make - - # Run the tests - # ------------- - msg "test: crypto_full with non-accelerated RSA" - make test -} - -# This is a temporary test to verify that full RSA support is present even when -# only one single new symbols (PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) is defined. -component_test_new_psa_want_key_pair_symbol() { - msg "Build: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" - - # Create a temporary output file unless there is already one set - if [ "$MBEDTLS_TEST_OUTCOME_FILE" ]; then - REMOVE_OUTCOME_ON_EXIT="no" - else - REMOVE_OUTCOME_ON_EXIT="yes" - MBEDTLS_TEST_OUTCOME_FILE="$PWD/out.csv" - export MBEDTLS_TEST_OUTCOME_FILE - fi - - # Start from crypto configuration - scripts/config.py crypto - - # Remove RSA support and its dependencies - scripts/config.py unset MBEDTLS_PKCS1_V15 - scripts/config.py unset MBEDTLS_PKCS1_V21 - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED - scripts/config.py unset MBEDTLS_RSA_C - scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT - - # Enable PSA support - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - - # Keep only PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC enabled in order to ensure - # that proper translations is done in crypto_legacy.h. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE - - make - - msg "Test: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" - make test - - # Parse only 1 relevant line from the outcome file, i.e. a test which is - # performing RSA signature. - msg "Verify that 'RSA PKCS1 Sign #1 (SHA512, 1536 bits RSA)' is PASS" - cat $MBEDTLS_TEST_OUTCOME_FILE | grep 'RSA PKCS1 Sign #1 (SHA512, 1536 bits RSA)' | grep -q "PASS" - - if [ "$REMOVE_OUTCOME_ON_EXIT" == "yes" ]; then - rm $MBEDTLS_TEST_OUTCOME_FILE - fi -} - -component_test_psa_crypto_config_accel_hash () { - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash" - - loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ - ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ - ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" - - # Configure - # --------- - - # Start from default config (no USE_PSA) - helper_libtestdriver1_adjust_config "default" - - # Disable the things that are being accelerated - scripts/config.py unset MBEDTLS_MD5_C - scripts/config.py unset MBEDTLS_RIPEMD160_C - scripts/config.py unset MBEDTLS_SHA1_C - scripts/config.py unset MBEDTLS_SHA224_C - scripts/config.py unset MBEDTLS_SHA256_C - scripts/config.py unset MBEDTLS_SHA384_C - scripts/config.py unset MBEDTLS_SHA512_C - scripts/config.py unset MBEDTLS_SHA3_C - - # Build - # ----- - - helper_libtestdriver1_make_drivers "$loc_accel_list" - - helper_libtestdriver1_make_main "$loc_accel_list" - - # There's a risk of something getting re-enabled via config_psa.h; - # make sure it did not happen. Note: it's OK for MD_C to be enabled. - not grep mbedtls_md5 library/md5.o - not grep mbedtls_sha1 library/sha1.o - not grep mbedtls_sha256 library/sha256.o - not grep mbedtls_sha512 library/sha512.o - not grep mbedtls_ripemd160 library/ripemd160.o - - # Run the tests - # ------------- - - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash" - make test -} - -component_test_psa_crypto_config_accel_hash_keep_builtins () { - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated+builtin hash" - # This component ensures that all the test cases for - # md_psa_dynamic_dispatch with legacy+driver in test_suite_md are run. - - loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ - ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ - ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" - - # Start from default config (no USE_PSA) - helper_libtestdriver1_adjust_config "default" - - helper_libtestdriver1_make_drivers "$loc_accel_list" - - helper_libtestdriver1_make_main "$loc_accel_list" - - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated+builtin hash" - make test -} - -# Auxiliary function to build config for hashes with and without drivers -config_psa_crypto_hash_use_psa () { - driver_only="$1" - # start with config full for maximum coverage (also enables USE_PSA) - helper_libtestdriver1_adjust_config "full" - if [ "$driver_only" -eq 1 ]; then - # disable the built-in implementation of hashes - scripts/config.py unset MBEDTLS_MD5_C - scripts/config.py unset MBEDTLS_RIPEMD160_C - scripts/config.py unset MBEDTLS_SHA1_C - scripts/config.py unset MBEDTLS_SHA224_C - scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below - scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT - scripts/config.py unset MBEDTLS_SHA384_C - scripts/config.py unset MBEDTLS_SHA512_C - scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT - scripts/config.py unset MBEDTLS_SHA3_C - fi -} - -# Note that component_test_psa_crypto_config_reference_hash_use_psa -# is related to this component and both components need to be kept in sync. -# For details please see comments for component_test_psa_crypto_config_reference_hash_use_psa. -component_test_psa_crypto_config_accel_hash_use_psa () { - msg "test: full with accelerated hashes" - - loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ - ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ - ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" - - # Configure - # --------- - - config_psa_crypto_hash_use_psa 1 - - # Build - # ----- - - helper_libtestdriver1_make_drivers "$loc_accel_list" - - helper_libtestdriver1_make_main "$loc_accel_list" - - # There's a risk of something getting re-enabled via config_psa.h; - # make sure it did not happen. Note: it's OK for MD_C to be enabled. - not grep mbedtls_md5 library/md5.o - not grep mbedtls_sha1 library/sha1.o - not grep mbedtls_sha256 library/sha256.o - not grep mbedtls_sha512 library/sha512.o - not grep mbedtls_ripemd160 library/ripemd160.o - - # Run the tests - # ------------- - - msg "test: full with accelerated hashes" - make test - - # This is mostly useful so that we can later compare outcome files with - # the reference config in analyze_outcomes.py, to check that the - # dependency declarations in ssl-opt.sh and in TLS code are correct. - msg "test: ssl-opt.sh, full with accelerated hashes" - tests/ssl-opt.sh - - # This is to make sure all ciphersuites are exercised, but we don't need - # interop testing (besides, we already got some from ssl-opt.sh). - msg "test: compat.sh, full with accelerated hashes" - tests/compat.sh -p mbedTLS -V YES -} - -# This component provides reference configuration for test_psa_crypto_config_accel_hash_use_psa -# without accelerated hash. The outcome from both components are used by the analyze_outcomes.py -# script to find regression in test coverage when accelerated hash is used (tests and ssl-opt). -# Both components need to be kept in sync. -component_test_psa_crypto_config_reference_hash_use_psa() { - msg "test: full without accelerated hashes" - - config_psa_crypto_hash_use_psa 0 - - make - - msg "test: full without accelerated hashes" - make test - - msg "test: ssl-opt.sh, full without accelerated hashes" - tests/ssl-opt.sh -} - -# Auxiliary function to build config for hashes with and without drivers -config_psa_crypto_hmac_use_psa () { - driver_only="$1" - # start with config full for maximum coverage (also enables USE_PSA) - helper_libtestdriver1_adjust_config "full" - - if [ "$driver_only" -eq 1 ]; then - # Disable MD_C in order to disable the builtin support for HMAC. MD_LIGHT - # is still enabled though (for ENTROPY_C among others). - scripts/config.py unset MBEDTLS_MD_C - # Disable also the builtin hashes since they are supported by the driver - # and MD module is able to perform PSA dispathing. - scripts/config.py unset-all MBEDTLS_SHA - scripts/config.py unset MBEDTLS_MD5_C - scripts/config.py unset MBEDTLS_RIPEMD160_C - fi - - # Direct dependencies of MD_C. We disable them also in the reference - # component to work with the same set of features. - scripts/config.py unset MBEDTLS_PKCS7_C - scripts/config.py unset MBEDTLS_PKCS5_C - scripts/config.py unset MBEDTLS_HMAC_DRBG_C - scripts/config.py unset MBEDTLS_HKDF_C - # Dependencies of HMAC_DRBG - scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_DETERMINISTIC_ECDSA -} - -component_test_psa_crypto_config_accel_hmac() { - msg "test: full with accelerated hmac" - - loc_accel_list="ALG_HMAC KEY_TYPE_HMAC \ - ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ - ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ - ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" - - # Configure - # --------- - - config_psa_crypto_hmac_use_psa 1 - - # Build - # ----- - - helper_libtestdriver1_make_drivers "$loc_accel_list" - - helper_libtestdriver1_make_main "$loc_accel_list" - - # Ensure that built-in support for HMAC is disabled. - not grep mbedtls_md_hmac library/md.o - - # Run the tests - # ------------- - - msg "test: full with accelerated hmac" - make test -} - -component_test_psa_crypto_config_reference_hmac() { - msg "test: full without accelerated hmac" - - config_psa_crypto_hmac_use_psa 0 - - make - - msg "test: full without accelerated hmac" - make test -} - -component_test_psa_crypto_config_accel_des () { - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated DES" - - # Albeit this components aims at accelerating DES which should only support - # CBC and ECB modes, we need to accelerate more than that otherwise DES_C - # would automatically be re-enabled by "config_adjust_legacy_from_psa.c" - loc_accel_list="ALG_ECB_NO_PADDING ALG_CBC_NO_PADDING ALG_CBC_PKCS7 \ - ALG_CTR ALG_CFB ALG_OFB ALG_XTS ALG_CMAC \ - KEY_TYPE_DES" - - # Note: we cannot accelerate all ciphers' key types otherwise we would also - # have to either disable CCM/GCM or accelerate them, but that's out of scope - # of this component. This limitation will be addressed by #8598. - - # Configure - # --------- - - # Start from the full config - helper_libtestdriver1_adjust_config "full" - - # Disable the things that are being accelerated - scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC - scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7 - scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR - scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB - scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB - scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS - scripts/config.py unset MBEDTLS_DES_C - scripts/config.py unset MBEDTLS_CMAC_C - - # Build - # ----- - - helper_libtestdriver1_make_drivers "$loc_accel_list" - - helper_libtestdriver1_make_main "$loc_accel_list" - - # Make sure this was not re-enabled by accident (additive config) - not grep mbedtls_des* library/des.o - - # Run the tests - # ------------- - - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated DES" - make test -} - -component_test_psa_crypto_config_accel_aead () { - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated AEAD" - - loc_accel_list="ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 \ - KEY_TYPE_AES KEY_TYPE_CHACHA20 KEY_TYPE_ARIA KEY_TYPE_CAMELLIA" - - # Configure - # --------- - - # Start from full config - helper_libtestdriver1_adjust_config "full" - - # Disable things that are being accelerated - scripts/config.py unset MBEDTLS_GCM_C - scripts/config.py unset MBEDTLS_CCM_C - scripts/config.py unset MBEDTLS_CHACHAPOLY_C - - # Disable CCM_STAR_NO_TAG because this re-enables CCM_C. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG - - # Build - # ----- - - helper_libtestdriver1_make_drivers "$loc_accel_list" - - helper_libtestdriver1_make_main "$loc_accel_list" - - # Make sure this was not re-enabled by accident (additive config) - not grep mbedtls_ccm library/ccm.o - not grep mbedtls_gcm library/gcm.o - not grep mbedtls_chachapoly library/chachapoly.o - - # Run the tests - # ------------- - - msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated AEAD" - make test -} - -# This is a common configuration function used in: -# - component_test_psa_crypto_config_accel_cipher_aead_cmac -# - component_test_psa_crypto_config_reference_cipher_aead_cmac -common_psa_crypto_config_accel_cipher_aead_cmac() { - # Start from the full config - helper_libtestdriver1_adjust_config "full" - - scripts/config.py unset MBEDTLS_NIST_KW_C -} - -# The 2 following test components, i.e. -# - component_test_psa_crypto_config_accel_cipher_aead_cmac -# - component_test_psa_crypto_config_reference_cipher_aead_cmac -# are meant to be used together in analyze_outcomes.py script in order to test -# driver's coverage for ciphers and AEADs. -component_test_psa_crypto_config_accel_cipher_aead_cmac () { - msg "build: full config with accelerated cipher inc. AEAD and CMAC" - - loc_accel_list="ALG_ECB_NO_PADDING ALG_CBC_NO_PADDING ALG_CBC_PKCS7 ALG_CTR ALG_CFB \ - ALG_OFB ALG_XTS ALG_STREAM_CIPHER ALG_CCM_STAR_NO_TAG \ - ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 ALG_CMAC \ - KEY_TYPE_DES KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CHACHA20 KEY_TYPE_CAMELLIA" - - # Configure - # --------- - - common_psa_crypto_config_accel_cipher_aead_cmac - - # Disable the things that are being accelerated - scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC - scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7 - scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR - scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB - scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB - scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS - scripts/config.py unset MBEDTLS_GCM_C - scripts/config.py unset MBEDTLS_CCM_C - scripts/config.py unset MBEDTLS_CHACHAPOLY_C - scripts/config.py unset MBEDTLS_CMAC_C - scripts/config.py unset MBEDTLS_DES_C - scripts/config.py unset MBEDTLS_AES_C - scripts/config.py unset MBEDTLS_ARIA_C - scripts/config.py unset MBEDTLS_CHACHA20_C - scripts/config.py unset MBEDTLS_CAMELLIA_C - - # Disable CIPHER_C entirely as all ciphers/AEADs are accelerated and PSA - # does not depend on it. - scripts/config.py unset MBEDTLS_CIPHER_C - - # Build - # ----- - - helper_libtestdriver1_make_drivers "$loc_accel_list" - - helper_libtestdriver1_make_main "$loc_accel_list" - - # Make sure this was not re-enabled by accident (additive config) - not grep mbedtls_cipher library/cipher.o - not grep mbedtls_des library/des.o - not grep mbedtls_aes library/aes.o - not grep mbedtls_aria library/aria.o - not grep mbedtls_camellia library/camellia.o - not grep mbedtls_ccm library/ccm.o - not grep mbedtls_gcm library/gcm.o - not grep mbedtls_chachapoly library/chachapoly.o - not grep mbedtls_cmac library/cmac.o - - # Run the tests - # ------------- - - msg "test: full config with accelerated cipher inc. AEAD and CMAC" - make test - - msg "ssl-opt: full config with accelerated cipher inc. AEAD and CMAC" - tests/ssl-opt.sh - - msg "compat.sh: full config with accelerated cipher inc. AEAD and CMAC" - tests/compat.sh -V NO -p mbedTLS -} - -component_test_psa_crypto_config_reference_cipher_aead_cmac () { - msg "build: full config with non-accelerated cipher inc. AEAD and CMAC" - common_psa_crypto_config_accel_cipher_aead_cmac - - make - - msg "test: full config with non-accelerated cipher inc. AEAD and CMAC" - make test - - msg "ssl-opt: full config with non-accelerated cipher inc. AEAD and CMAC" - tests/ssl-opt.sh - - msg "compat.sh: full config with non-accelerated cipher inc. AEAD and CMAC" - tests/compat.sh -V NO -p mbedTLS -} - -common_block_cipher_dispatch() { - TEST_WITH_DRIVER="$1" - - # Start from the full config - helper_libtestdriver1_adjust_config "full" - - if [ "$TEST_WITH_DRIVER" -eq 1 ]; then - # Disable key types that are accelerated (there is no legacy equivalent - # symbol for ECB) - scripts/config.py unset MBEDTLS_AES_C - scripts/config.py unset MBEDTLS_ARIA_C - scripts/config.py unset MBEDTLS_CAMELLIA_C - fi - - # Disable cipher's modes that, when not accelerated, cause - # legacy key types to be re-enabled in "config_adjust_legacy_from_psa.h". - # Keep this also in the reference component in order to skip the same tests - # that were skipped in the accelerated one. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CTR - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CFB - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_OFB - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG - - # Disable direct dependency on AES_C - scripts/config.py unset MBEDTLS_NIST_KW_C - - # Prevent the cipher module from using deprecated PSA path. The reason is - # that otherwise there will be tests relying on "aes_info" (defined in - # "cipher_wrap.c") whose functions are not available when AES_C is - # not defined. ARIA and Camellia are not a problem in this case because - # the PSA path is not tested for these key types. - scripts/config.py set MBEDTLS_DEPRECATED_REMOVED -} - -component_test_full_block_cipher_psa_dispatch () { - msg "build: full + PSA dispatch in block_cipher" - - loc_accel_list="ALG_ECB_NO_PADDING \ - KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CAMELLIA" - - # Configure - # --------- - - common_block_cipher_dispatch 1 - - # Build - # ----- - - helper_libtestdriver1_make_drivers "$loc_accel_list" - - helper_libtestdriver1_make_main "$loc_accel_list" - - # Make sure disabled components were not re-enabled by accident (additive - # config) - not grep mbedtls_aes_ library/aes.o - not grep mbedtls_aria_ library/aria.o - not grep mbedtls_camellia_ library/camellia.o - - # Run the tests - # ------------- - - msg "test: full + PSA dispatch in block_cipher" - make test -} - -# This is the reference component of component_test_full_block_cipher_psa_dispatch -component_test_full_block_cipher_legacy_dispatch () { - msg "build: full + legacy dispatch in block_cipher" - - common_block_cipher_dispatch 0 - - make - - msg "test: full + legacy dispatch in block_cipher" - make test -} - -component_test_aead_chachapoly_disabled() { - msg "build: full minus CHACHAPOLY" - scripts/config.py full - scripts/config.py unset MBEDTLS_CHACHAPOLY_C - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305 - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" - - msg "test: full minus CHACHAPOLY" - make test -} - -component_test_aead_only_ccm() { - msg "build: full minus CHACHAPOLY and GCM" - scripts/config.py full - scripts/config.py unset MBEDTLS_CHACHAPOLY_C - scripts/config.py unset MBEDTLS_GCM_C - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_GCM - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" - - msg "test: full minus CHACHAPOLY and GCM" - make test -} - -component_test_ccm_aes_sha256() { - msg "build: CCM + AES + SHA256 configuration" - - cp "$CONFIG_TEST_DRIVER_H" "$CONFIG_H" - cp configs/crypto-config-ccm-aes-sha256.h "$CRYPTO_CONFIG_H" - - make - - msg "test: CCM + AES + SHA256 configuration" - make test -} - -# This should be renamed to test and updated once the accelerator ECDH code is in place and ready to test. -component_build_psa_accel_alg_ecdh() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_ECDH without MBEDTLS_ECDH_C" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py unset MBEDTLS_ECDH_C - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_ECDH -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator HMAC code is in place and ready to test. -component_build_psa_accel_alg_hmac() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_HMAC" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HMAC -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator HKDF code is in place and ready to test. -component_build_psa_accel_alg_hkdf() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_HKDF without MBEDTLS_HKDF_C" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_HKDF_C - # Make sure to unset TLS1_3 since it requires HKDF_C and will not build properly without it. - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HKDF -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator MD5 code is in place and ready to test. -component_build_psa_accel_alg_md5() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_MD5 - other hashes" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS - scripts/config.py unset MBEDTLS_LMS_C - scripts/config.py unset MBEDTLS_LMS_PRIVATE - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_MD5 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator RIPEMD160 code is in place and ready to test. -component_build_psa_accel_alg_ripemd160() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RIPEMD160 - other hashes" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS - scripts/config.py unset MBEDTLS_LMS_C - scripts/config.py unset MBEDTLS_LMS_PRIVATE - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RIPEMD160 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator SHA1 code is in place and ready to test. -component_build_psa_accel_alg_sha1() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_1 - other hashes" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS - scripts/config.py unset MBEDTLS_LMS_C - scripts/config.py unset MBEDTLS_LMS_PRIVATE - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_1 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator SHA224 code is in place and ready to test. -component_build_psa_accel_alg_sha224() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_224 - other hashes" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_224 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator SHA256 code is in place and ready to test. -component_build_psa_accel_alg_sha256() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_256 - other hashes" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_256 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator SHA384 code is in place and ready to test. -component_build_psa_accel_alg_sha384() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_384 - other hashes" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS - scripts/config.py unset MBEDTLS_LMS_C - scripts/config.py unset MBEDTLS_LMS_PRIVATE - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_384 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator SHA512 code is in place and ready to test. -component_build_psa_accel_alg_sha512() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_512 - other hashes" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS - scripts/config.py unset MBEDTLS_LMS_C - scripts/config.py unset MBEDTLS_LMS_PRIVATE - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_512 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. -component_build_psa_accel_alg_rsa_pkcs1v15_crypt() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_PKCS1V15_CRYPT + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PSS - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. -component_build_psa_accel_alg_rsa_pkcs1v15_sign() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_PKCS1V15_SIGN + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PSS - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. -component_build_psa_accel_alg_rsa_oaep() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_OAEP + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_OAEP 1 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PSS - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_OAEP -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. -component_build_psa_accel_alg_rsa_pss() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_PSS + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PSS 1 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PSS -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. -component_build_psa_accel_key_type_rsa_key_pair() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_xxx + PSA_WANT_ALG_RSA_PSS" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PSS 1 - scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC 1 - scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1 - scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1 - scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1 - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - -# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. -component_build_psa_accel_key_type_rsa_public_key() { - msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY + PSA_WANT_ALG_RSA_PSS" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PSS 1 - scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1 - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY -I../tests/include" LDFLAGS="$ASAN_CFLAGS" -} - - -support_build_tfm_armcc () { - support_build_armcc -} - -component_build_tfm_armcc() { - # test the TF-M configuration can build cleanly with various warning flags enabled - cp configs/config-tfm.h "$CONFIG_H" - - msg "build: TF-M config, armclang armv7-m thumb2" - armc6_build_test "--target=arm-arm-none-eabi -march=armv7-m -mthumb -Os -std=c99 -Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused -I../tests/include/spe" -} - -component_build_tfm() { - # Check that the TF-M configuration can build cleanly with various - # warning flags enabled. We don't build or run tests, since the - # TF-M configuration needs a TF-M platform. A tweaked version of - # the configuration that works on mainstream platforms is in - # configs/config-tfm.h, tested via test-ref-configs.pl. - cp configs/config-tfm.h "$CONFIG_H" - - msg "build: TF-M config, clang, armv7-m thumb2" - make lib CC="clang" CFLAGS="--target=arm-linux-gnueabihf -march=armv7-m -mthumb -Os -std=c99 -Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused -I../tests/include/spe" - - msg "build: TF-M config, gcc native build" - make clean - make lib CC="gcc" CFLAGS="-Os -std=c99 -Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wformat-signedness -Wlogical-op -I../tests/include/spe" -} - -# Test that the given .o file builds with all (valid) combinations of the given options. -# -# Syntax: build_test_config_combos FILE VALIDATOR_FUNCTION OPT1 OPT2 ... -# -# The validator function is the name of a function to validate the combination of options. -# It may be "" if all combinations are valid. -# It receives a string containing a combination of options, as passed to the compiler, -# e.g. "-DOPT1 -DOPT2 ...". It must return 0 iff the combination is valid, non-zero if invalid. -build_test_config_combos() { - file=$1 - shift - validate_options=$1 - shift - options=("$@") - - # clear all of the options so that they can be overridden on the clang commandline - for opt in "${options[@]}"; do - ./scripts/config.py unset ${opt} - done - - # enter the directory containing the target file & strip the dir from the filename - cd $(dirname ${file}) - file=$(basename ${file}) - - # The most common issue is unused variables/functions, so ensure -Wunused is set. - warning_flags="-Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused" - - # Extract the command generated by the Makefile to build the target file. - # This ensures that we have any include paths, macro definitions, etc - # that may be applied by make. - # Add -fsyntax-only as we only want a syntax check and don't need to generate a file. - compile_cmd="clang \$(LOCAL_CFLAGS) ${warning_flags} -fsyntax-only -c" - - makefile=$(TMPDIR=. mktemp) - deps="" - - len=${#options[@]} - source_file=${file%.o}.c - - targets=0 - echo 'include Makefile' >${makefile} - - for ((i = 0; i < $((2**${len})); i++)); do - # generate each of 2^n combinations of options - # each bit of $i is used to determine if options[i] will be set or not - target="t" - clang_args="" - for ((j = 0; j < ${len}; j++)); do - if (((i >> j) & 1)); then - opt=-D${options[$j]} - clang_args="${clang_args} ${opt}" - target="${target}${opt}" - fi - done - - # if combination is not known to be invalid, add it to the makefile - if [[ -z $validate_options ]] || $validate_options "${clang_args}"; then - cmd="${compile_cmd} ${clang_args}" - echo "${target}: ${source_file}; $cmd ${source_file}" >> ${makefile} - - deps="${deps} ${target}" - ((++targets)) - fi - done - - echo "build_test_config_combos: ${deps}" >> ${makefile} - - # execute all of the commands via Make (probably in parallel) - make -s -f ${makefile} build_test_config_combos - echo "$targets targets checked" - - # clean up the temporary makefile - rm ${makefile} -} - -validate_aes_config_variations() { - if [[ "$1" == *"MBEDTLS_AES_USE_HARDWARE_ONLY"* ]]; then - if [[ "$1" == *"MBEDTLS_PADLOCK_C"* ]]; then - return 1 - fi - if [[ !(("$HOSTTYPE" == "aarch64" && "$1" != *"MBEDTLS_AESCE_C"*) || \ - ("$HOSTTYPE" == "x86_64" && "$1" != *"MBEDTLS_AESNI_C"*)) ]]; then - return 1 - fi - fi - return 0 -} - -component_build_aes_variations() { - # 18s - around 90ms per clang invocation on M1 Pro - # - # aes.o has many #if defined(...) guards that intersect in complex ways. - # Test that all the combinations build cleanly. - - MBEDTLS_ROOT_DIR="$PWD" - msg "build: aes.o for all combinations of relevant config options" - - build_test_config_combos library/aes.o validate_aes_config_variations \ - "MBEDTLS_AES_SETKEY_ENC_ALT" "MBEDTLS_AES_DECRYPT_ALT" \ - "MBEDTLS_AES_ROM_TABLES" "MBEDTLS_AES_ENCRYPT_ALT" "MBEDTLS_AES_SETKEY_DEC_ALT" \ - "MBEDTLS_AES_FEWER_TABLES" "MBEDTLS_PADLOCK_C" "MBEDTLS_AES_USE_HARDWARE_ONLY" \ - "MBEDTLS_AESNI_C" "MBEDTLS_AESCE_C" "MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH" - - cd "$MBEDTLS_ROOT_DIR" - msg "build: aes.o for all combinations of relevant config options + BLOCK_CIPHER_NO_DECRYPT" - - # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT is incompatible with ECB in PSA, CBC/XTS/NIST_KW/DES, - # manually set or unset those configurations to check - # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT with various combinations in aes.o. - scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT - scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC - scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS - scripts/config.py unset MBEDTLS_DES_C - scripts/config.py unset MBEDTLS_NIST_KW_C - build_test_config_combos library/aes.o validate_aes_config_variations \ - "MBEDTLS_AES_SETKEY_ENC_ALT" "MBEDTLS_AES_DECRYPT_ALT" \ - "MBEDTLS_AES_ROM_TABLES" "MBEDTLS_AES_ENCRYPT_ALT" "MBEDTLS_AES_SETKEY_DEC_ALT" \ - "MBEDTLS_AES_FEWER_TABLES" "MBEDTLS_PADLOCK_C" "MBEDTLS_AES_USE_HARDWARE_ONLY" \ - "MBEDTLS_AESNI_C" "MBEDTLS_AESCE_C" "MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH" -} - -component_test_no_platform () { - # Full configuration build, without platform support, file IO and net sockets. - # This should catch missing mbedtls_printf definitions, and by disabling file - # IO, it should catch missing '#include ' - msg "build: full config except platform/fsio/net, make, gcc, C99" # ~ 30s - scripts/config.py full_no_platform - scripts/config.py unset MBEDTLS_PLATFORM_C - scripts/config.py unset MBEDTLS_NET_C - scripts/config.py unset MBEDTLS_FS_IO - scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C - scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C - scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C - scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED - # Note, _DEFAULT_SOURCE needs to be defined for platforms using glibc version >2.19, - # to re-enable platform integration features otherwise disabled in C99 builds - make CC=gcc CFLAGS='-Werror -Wall -Wextra -std=c99 -pedantic -Os -D_DEFAULT_SOURCE' lib programs - make CC=gcc CFLAGS='-Werror -Wall -Wextra -Os' test -} - -component_build_no_std_function () { - # catch compile bugs in _uninit functions - msg "build: full config with NO_STD_FUNCTION, make, gcc" # ~ 30s - scripts/config.py full - scripts/config.py set MBEDTLS_PLATFORM_NO_STD_FUNCTIONS - scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED - scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT - CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Check . - make -} - -component_build_no_ssl_srv () { - msg "build: full config except SSL server, make, gcc" # ~ 30s - scripts/config.py full - scripts/config.py unset MBEDTLS_SSL_SRV_C - make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1' -} - -component_build_no_ssl_cli () { - msg "build: full config except SSL client, make, gcc" # ~ 30s - scripts/config.py full - scripts/config.py unset MBEDTLS_SSL_CLI_C - make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1' -} - -component_build_no_sockets () { - # Note, C99 compliance can also be tested with the sockets support disabled, - # as that requires a POSIX platform (which isn't the same as C99). - msg "build: full config except net_sockets.c, make, gcc -std=c99 -pedantic" # ~ 30s - scripts/config.py full - scripts/config.py unset MBEDTLS_NET_C # getaddrinfo() undeclared, etc. - scripts/config.py set MBEDTLS_NO_PLATFORM_ENTROPY # uses syscall() on GNU/Linux - make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1 -std=c99 -pedantic' lib -} - -component_test_memory_buffer_allocator_backtrace () { - msg "build: default config with memory buffer allocator and backtrace enabled" - scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C - scripts/config.py set MBEDTLS_PLATFORM_MEMORY - scripts/config.py set MBEDTLS_MEMORY_BACKTRACE - scripts/config.py set MBEDTLS_MEMORY_DEBUG - cmake -DCMAKE_BUILD_TYPE:String=Release . - make - - msg "test: MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE" - make test -} - -component_test_memory_buffer_allocator () { - msg "build: default config with memory buffer allocator" - scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C - scripts/config.py set MBEDTLS_PLATFORM_MEMORY - cmake -DCMAKE_BUILD_TYPE:String=Release . - make - - msg "test: MBEDTLS_MEMORY_BUFFER_ALLOC_C" - make test - - msg "test: ssl-opt.sh, MBEDTLS_MEMORY_BUFFER_ALLOC_C" - # MBEDTLS_MEMORY_BUFFER_ALLOC is slow. Skip tests that tend to time out. - tests/ssl-opt.sh -e '^DTLS proxy' -} - -component_test_no_max_fragment_length () { - # Run max fragment length tests with MFL disabled - msg "build: default config except MFL extension (ASan build)" # ~ 30s - scripts/config.py unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: ssl-opt.sh, MFL-related tests" - tests/ssl-opt.sh -f "Max fragment length" -} - -component_test_asan_remove_peer_certificate () { - msg "build: default config with MBEDTLS_SSL_KEEP_PEER_CERTIFICATE disabled (ASan build)" - scripts/config.py unset MBEDTLS_SSL_KEEP_PEER_CERTIFICATE - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" - make test - - msg "test: ssl-opt.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" - tests/ssl-opt.sh - - msg "test: compat.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" - tests/compat.sh - - msg "test: context-info.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" - tests/context-info.sh -} - -component_test_no_max_fragment_length_small_ssl_out_content_len () { - msg "build: no MFL extension, small SSL_OUT_CONTENT_LEN (ASan build)" - scripts/config.py unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH - scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 16384 - scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 4096 - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: MFL tests (disabled MFL extension case) & large packet tests" - tests/ssl-opt.sh -f "Max fragment length\|Large buffer" - - msg "test: context-info.sh (disabled MFL extension case)" - tests/context-info.sh -} - -component_test_variable_ssl_in_out_buffer_len () { - msg "build: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled (ASan build)" - scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled" - make test - - msg "test: ssl-opt.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled" - tests/ssl-opt.sh - - msg "test: compat.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled" - tests/compat.sh -} - -component_test_dtls_cid_legacy () { - msg "build: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled (ASan build)" - scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 1 - - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy)" - make test - - msg "test: ssl-opt.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled" - tests/ssl-opt.sh - - msg "test: compat.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled" - tests/compat.sh -} - -component_test_ssl_alloc_buffer_and_mfl () { - msg "build: default config with memory buffer allocator and MFL extension" - scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C - scripts/config.py set MBEDTLS_PLATFORM_MEMORY - scripts/config.py set MBEDTLS_MEMORY_DEBUG - scripts/config.py set MBEDTLS_SSL_MAX_FRAGMENT_LENGTH - scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH - cmake -DCMAKE_BUILD_TYPE:String=Release . - make - - msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH, MBEDTLS_MEMORY_BUFFER_ALLOC_C, MBEDTLS_MEMORY_DEBUG and MBEDTLS_SSL_MAX_FRAGMENT_LENGTH" - make test - - msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH, MBEDTLS_MEMORY_BUFFER_ALLOC_C, MBEDTLS_MEMORY_DEBUG and MBEDTLS_SSL_MAX_FRAGMENT_LENGTH" - tests/ssl-opt.sh -f "Handshake memory usage" -} - -component_test_when_no_ciphersuites_have_mac () { - msg "build: when no ciphersuites have MAC" - scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER - scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC - scripts/config.py unset MBEDTLS_CMAC_C - make - - msg "test: !MBEDTLS_SSL_SOME_MODES_USE_MAC" - make test - - msg "test ssl-opt.sh: !MBEDTLS_SSL_SOME_MODES_USE_MAC" - tests/ssl-opt.sh -f 'Default\|EtM' -e 'without EtM' -} - -component_test_no_date_time () { - msg "build: default config without MBEDTLS_HAVE_TIME_DATE" - scripts/config.py unset MBEDTLS_HAVE_TIME_DATE - cmake -D CMAKE_BUILD_TYPE:String=Check . - make - - msg "test: !MBEDTLS_HAVE_TIME_DATE - main suites" - make test -} - -component_test_platform_calloc_macro () { - msg "build: MBEDTLS_PLATFORM_{CALLOC/FREE}_MACRO enabled (ASan build)" - scripts/config.py set MBEDTLS_PLATFORM_MEMORY - scripts/config.py set MBEDTLS_PLATFORM_CALLOC_MACRO calloc - scripts/config.py set MBEDTLS_PLATFORM_FREE_MACRO free - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: MBEDTLS_PLATFORM_{CALLOC/FREE}_MACRO enabled (ASan build)" - make test -} - -component_test_malloc_0_null () { - msg "build: malloc(0) returns NULL (ASan+UBSan build)" - scripts/config.py full - make CC=$ASAN_CC CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"$PWD/tests/configs/user-config-malloc-0-null.h\"' $ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" - - msg "test: malloc(0) returns NULL (ASan+UBSan build)" - make test - - msg "selftest: malloc(0) returns NULL (ASan+UBSan build)" - # Just the calloc selftest. "make test" ran the others as part of the - # test suites. - programs/test/selftest calloc - - msg "test ssl-opt.sh: malloc(0) returns NULL (ASan+UBSan build)" - # Run a subset of the tests. The choice is a balance between coverage - # and time (including time indirectly wasted due to flaky tests). - # The current choice is to skip tests whose description includes - # "proxy", which is an approximation of skipping tests that use the - # UDP proxy, which tend to be slower and flakier. - tests/ssl-opt.sh -e 'proxy' -} - -support_test_aesni() { - # Check that gcc targets x86_64 (we can build AESNI), and check for - # AESNI support on the host (we can run AESNI). - # - # The name of this function is possibly slightly misleading, but needs to align - # with the name of the corresponding test, component_test_aesni. - # - # In principle 32-bit x86 can support AESNI, but our implementation does not - # support 32-bit x86, so we check for x86-64. - # We can only grep /proc/cpuinfo on Linux, so this also checks for Linux - (gcc -v 2>&1 | grep Target | grep -q x86_64) && - [[ "$HOSTTYPE" == "x86_64" && "$OSTYPE" == "linux-gnu" ]] && - (lscpu | grep -qw aes) -} - -component_test_aesni () { # ~ 60s - # This tests the two AESNI implementations (intrinsics and assembly), and also the plain C - # fallback. It also tests the logic that is used to select which implementation(s) to build. - # - # This test does not require the host to have support for AESNI (if it doesn't, the run-time - # AESNI detection will fallback to the plain C implementation, so the tests will instead - # exercise the plain C impl). - - msg "build: default config with different AES implementations" - scripts/config.py set MBEDTLS_AESNI_C - scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY - scripts/config.py set MBEDTLS_HAVE_ASM - - # test the intrinsics implementation - msg "AES tests, test intrinsics" - make clean - make CC=gcc CFLAGS='-Werror -Wall -Wextra -mpclmul -msse2 -maes' - # check that we built intrinsics - this should be used by default when supported by the compiler - ./programs/test/selftest aes | grep "AESNI code" | grep -q "intrinsics" - - # test the asm implementation - msg "AES tests, test assembly" - make clean - make CC=gcc CFLAGS='-Werror -Wall -Wextra -mno-pclmul -mno-sse2 -mno-aes' - # check that we built assembly - this should be built if the compiler does not support intrinsics - ./programs/test/selftest aes | grep "AESNI code" | grep -q "assembly" - - # test the plain C implementation - scripts/config.py unset MBEDTLS_AESNI_C - scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY - msg "AES tests, plain C" - make clean - make CC=gcc CFLAGS='-O2 -Werror' - # check that there is no AESNI code present - ./programs/test/selftest aes | not grep -q "AESNI code" - not grep -q "AES note: using AESNI" ./programs/test/selftest - grep -q "AES note: built-in implementation." ./programs/test/selftest - - # test the intrinsics implementation - scripts/config.py set MBEDTLS_AESNI_C - scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY - msg "AES tests, test AESNI only" - make clean - make CC=gcc CFLAGS='-Werror -Wall -Wextra -mpclmul -msse2 -maes' - ./programs/test/selftest aes | grep -q "AES note: using AESNI" - ./programs/test/selftest aes | not grep -q "AES note: built-in implementation." - grep -q "AES note: using AESNI" ./programs/test/selftest - not grep -q "AES note: built-in implementation." ./programs/test/selftest -} - -component_test_sha3_variations() { - msg "sha3 loop unroll variations" - - # define minimal config sufficient to test SHA3 - cat > include/mbedtls/mbedtls_config.h << END - #define MBEDTLS_SELF_TEST - #define MBEDTLS_SHA3_C -END - - msg "all loops unrolled" - make clean - make -C tests test_suite_shax CFLAGS="-DMBEDTLS_SHA3_THETA_UNROLL=1 -DMBEDTLS_SHA3_PI_UNROLL=1 -DMBEDTLS_SHA3_CHI_UNROLL=1 -DMBEDTLS_SHA3_RHO_UNROLL=1" - ./tests/test_suite_shax - - msg "all loops rolled up" - make clean - make -C tests test_suite_shax CFLAGS="-DMBEDTLS_SHA3_THETA_UNROLL=0 -DMBEDTLS_SHA3_PI_UNROLL=0 -DMBEDTLS_SHA3_CHI_UNROLL=0 -DMBEDTLS_SHA3_RHO_UNROLL=0" - ./tests/test_suite_shax -} - -support_test_aesni_m32() { - support_test_m32_no_asm && (lscpu | grep -qw aes) -} - -component_test_aesni_m32 () { # ~ 60s - # This tests are duplicated from component_test_aesni for i386 target - # - # AESNI intrinsic code supports i386 and assembly code does not support it. - - msg "build: default config with different AES implementations" - scripts/config.py set MBEDTLS_AESNI_C - scripts/config.py set MBEDTLS_PADLOCK_C - scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY - scripts/config.py set MBEDTLS_HAVE_ASM - - # test the intrinsics implementation with gcc - msg "AES tests, test intrinsics (gcc)" - make clean - make CC=gcc CFLAGS='-m32 -Werror -Wall -Wextra' LDFLAGS='-m32' - # check that we built intrinsics - this should be used by default when supported by the compiler - ./programs/test/selftest aes | grep "AESNI code" | grep -q "intrinsics" - grep -q "AES note: using AESNI" ./programs/test/selftest - grep -q "AES note: built-in implementation." ./programs/test/selftest - grep -q "AES note: using VIA Padlock" ./programs/test/selftest - grep -q mbedtls_aesni_has_support ./programs/test/selftest - - scripts/config.py set MBEDTLS_AESNI_C - scripts/config.py unset MBEDTLS_PADLOCK_C - scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY - msg "AES tests, test AESNI only" - make clean - make CC=gcc CFLAGS='-m32 -Werror -Wall -Wextra -mpclmul -msse2 -maes' LDFLAGS='-m32' - ./programs/test/selftest aes | grep -q "AES note: using AESNI" - ./programs/test/selftest aes | not grep -q "AES note: built-in implementation." - grep -q "AES note: using AESNI" ./programs/test/selftest - not grep -q "AES note: built-in implementation." ./programs/test/selftest - not grep -q "AES note: using VIA Padlock" ./programs/test/selftest - not grep -q mbedtls_aesni_has_support ./programs/test/selftest -} - -support_test_aesni_m32_clang() { - # clang >= 4 is required to build with target attributes - support_test_aesni_m32 && [[ $(clang_version) -ge 4 ]] -} - -component_test_aesni_m32_clang() { - - scripts/config.py set MBEDTLS_AESNI_C - scripts/config.py set MBEDTLS_PADLOCK_C - scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY - scripts/config.py set MBEDTLS_HAVE_ASM - - # test the intrinsics implementation with clang - msg "AES tests, test intrinsics (clang)" - make clean - make CC=clang CFLAGS='-m32 -Werror -Wall -Wextra' LDFLAGS='-m32' - # check that we built intrinsics - this should be used by default when supported by the compiler - ./programs/test/selftest aes | grep "AESNI code" | grep -q "intrinsics" - grep -q "AES note: using AESNI" ./programs/test/selftest - grep -q "AES note: built-in implementation." ./programs/test/selftest - grep -q "AES note: using VIA Padlock" ./programs/test/selftest - grep -q mbedtls_aesni_has_support ./programs/test/selftest -} - -# For timebeing, no aarch64 gcc available in CI and no arm64 CI node. -component_build_aes_aesce_armcc () { - msg "Build: AESCE test on arm64 platform without plain C." - scripts/config.py baremetal - - # armc[56] don't support SHA-512 intrinsics - scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT - - # Stop armclang warning about feature detection for A64_CRYPTO. - # With this enabled, the library does build correctly under armclang, - # but in baremetal builds (as tested here), feature detection is - # unavailable, and the user is notified via a #warning. So enabling - # this feature would prevent us from building with -Werror on - # armclang. Tracked in #7198. - scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT - scripts/config.py set MBEDTLS_HAVE_ASM - - msg "AESCE, build with default configuration." - scripts/config.py set MBEDTLS_AESCE_C - scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY - armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto" - - msg "AESCE, build AESCE only" - scripts/config.py set MBEDTLS_AESCE_C - scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY - armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto" -} - -support_build_aes_armce() { - # clang >= 11 is required to build with AES extensions - [[ $(clang_version) -ge 11 ]] -} - -component_build_aes_armce () { - # Test variations of AES with Armv8 crypto extensions - scripts/config.py set MBEDTLS_AESCE_C - scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY - - msg "MBEDTLS_AES_USE_HARDWARE_ONLY, clang, aarch64" - make -B library/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a+crypto" - - msg "MBEDTLS_AES_USE_HARDWARE_ONLY, clang, arm" - make -B library/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm" - - msg "MBEDTLS_AES_USE_HARDWARE_ONLY, clang, thumb" - make -B library/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb" - - scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY - - msg "no MBEDTLS_AES_USE_HARDWARE_ONLY, clang, aarch64" - make -B library/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a+crypto" - - msg "no MBEDTLS_AES_USE_HARDWARE_ONLY, clang, arm" - make -B library/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm" - - msg "no MBEDTLS_AES_USE_HARDWARE_ONLY, clang, thumb" - make -B library/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb" - - # test for presence of AES instructions - scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY - msg "clang, test A32 crypto instructions built" - make -B library/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S" - grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' library/aesce.o - msg "clang, test T32 crypto instructions built" - make -B library/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S" - grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' library/aesce.o - msg "clang, test aarch64 crypto instructions built" - make -B library/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S" - grep -E 'aes[a-z]+\s*[qv]' library/aesce.o - - # test for absence of AES instructions - scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY - scripts/config.py unset MBEDTLS_AESCE_C - msg "clang, test A32 crypto instructions not built" - make -B library/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S" - not grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' library/aesce.o - msg "clang, test T32 crypto instructions not built" - make -B library/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S" - not grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' library/aesce.o - msg "clang, test aarch64 crypto instructions not built" - make -B library/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S" - not grep -E 'aes[a-z]+\s*[qv]' library/aesce.o -} - -support_build_sha_armce() { - # clang >= 4 is required to build with SHA extensions - [[ $(clang_version) -ge 4 ]] -} - -component_build_sha_armce () { - scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT - - - # Test variations of SHA256 Armv8 crypto extensions - scripts/config.py set MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY - msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY clang, aarch64" - make -B library/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a" - msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY clang, arm" - make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm" - scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY - - - # test the deprecated form of the config option - scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY - msg "MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY clang, thumb" - make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb" - scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY - - scripts/config.py set MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT - msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT clang, aarch64" - make -B library/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a" - scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT - - - # test the deprecated form of the config option - scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT - msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, arm" - make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -std=c99" - msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, thumb" - make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb" - scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT - - - # examine the disassembly for presence of SHA instructions - for opt in MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT; do - scripts/config.py set ${opt} - msg "${opt} clang, test A32 crypto instructions built" - make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S" - grep -E 'sha256[a-z0-9]+.32\s+[qv]' library/sha256.o - - msg "${opt} clang, test T32 crypto instructions built" - make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S" - grep -E 'sha256[a-z0-9]+.32\s+[qv]' library/sha256.o - - msg "${opt} clang, test aarch64 crypto instructions built" - make -B library/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S" - grep -E 'sha256[a-z0-9]+\s+[qv]' library/sha256.o - scripts/config.py unset ${opt} - done - - - # examine the disassembly for absence of SHA instructions - msg "clang, test A32 crypto instructions not built" - make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S" - not grep -E 'sha256[a-z0-9]+.32\s+[qv]' library/sha256.o - - msg "clang, test T32 crypto instructions not built" - make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S" - not grep -E 'sha256[a-z0-9]+.32\s+[qv]' library/sha256.o - - msg "clang, test aarch64 crypto instructions not built" - make -B library/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S" - not grep -E 'sha256[a-z0-9]+\s+[qv]' library/sha256.o -} - -# For timebeing, no VIA Padlock platform available. -component_build_aes_via_padlock () { - - msg "AES:VIA PadLock, build with default configuration." - scripts/config.py unset MBEDTLS_AESNI_C - scripts/config.py set MBEDTLS_PADLOCK_C - scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY - make CC=gcc CFLAGS="$ASAN_CFLAGS -m32" LDFLAGS="-m32 $ASAN_CFLAGS" - grep -q mbedtls_padlock_has_support ./programs/test/selftest - -} - -support_build_aes_via_padlock_only () { - ( [ "$MBEDTLS_TEST_PLATFORM" == "Linux-x86_64" ] || \ - [ "$MBEDTLS_TEST_PLATFORM" == "Linux-amd64" ] ) && \ - [ "`dpkg --print-foreign-architectures`" == "i386" ] -} - -support_build_aes_aesce_armcc () { - support_build_armcc -} - -component_test_aes_only_128_bit_keys () { - msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH" - scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH - scripts/config.py unset MBEDTLS_PADLOCK_C - - make CFLAGS='-O2 -Werror -Wall -Wextra' - - msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH" - make test -} - -component_test_no_ctr_drbg_aes_only_128_bit_keys () { - msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH - CTR_DRBG_C" - scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH - scripts/config.py unset MBEDTLS_CTR_DRBG_C - scripts/config.py unset MBEDTLS_PADLOCK_C - - make CC=clang CFLAGS='-Werror -Wall -Wextra' - - msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - CTR_DRBG_C" - make test -} - -component_test_aes_only_128_bit_keys_have_builtins () { - msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" - scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH - scripts/config.py unset MBEDTLS_PADLOCK_C - scripts/config.py unset MBEDTLS_AESNI_C - scripts/config.py unset MBEDTLS_AESCE_C - - make CFLAGS='-O2 -Werror -Wall -Wextra' - - msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" - make test - - msg "selftest: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" - programs/test/selftest -} - -component_test_gcm_largetable () { - msg "build: default config + GCM_LARGE_TABLE - AESNI_C - AESCE_C" - scripts/config.py set MBEDTLS_GCM_LARGE_TABLE - scripts/config.py unset MBEDTLS_PADLOCK_C - scripts/config.py unset MBEDTLS_AESNI_C - scripts/config.py unset MBEDTLS_AESCE_C - - make CFLAGS='-O2 -Werror -Wall -Wextra' - - msg "test: default config - GCM_LARGE_TABLE - AESNI_C - AESCE_C" - make test -} - -component_test_aes_fewer_tables () { - msg "build: default config with AES_FEWER_TABLES enabled" - scripts/config.py set MBEDTLS_AES_FEWER_TABLES - make CFLAGS='-O2 -Werror -Wall -Wextra' - - msg "test: AES_FEWER_TABLES" - make test -} - -component_test_aes_rom_tables () { - msg "build: default config with AES_ROM_TABLES enabled" - scripts/config.py set MBEDTLS_AES_ROM_TABLES - make CFLAGS='-O2 -Werror -Wall -Wextra' - - msg "test: AES_ROM_TABLES" - make test -} - -component_test_aes_fewer_tables_and_rom_tables () { - msg "build: default config with AES_ROM_TABLES and AES_FEWER_TABLES enabled" - scripts/config.py set MBEDTLS_AES_FEWER_TABLES - scripts/config.py set MBEDTLS_AES_ROM_TABLES - make CFLAGS='-O2 -Werror -Wall -Wextra' - - msg "test: AES_FEWER_TABLES + AES_ROM_TABLES" - make test -} - -# helper for common_block_cipher_no_decrypt() which: -# - enable/disable the list of config options passed from -s/-u respectively. -# - build -# - test for tests_suite_xxx -# - selftest -# -# Usage: helper_block_cipher_no_decrypt_build_test -# [-s set_opts] [-u unset_opts] [-c cflags] [-l ldflags] [option [...]] -# Options: -s set_opts the list of config options to enable -# -u unset_opts the list of config options to disable -# -c cflags the list of options passed to CFLAGS -# -l ldflags the list of options passed to LDFLAGS -helper_block_cipher_no_decrypt_build_test () { - while [ $# -gt 0 ]; do - case "$1" in - -s) - shift; local set_opts="$1";; - -u) - shift; local unset_opts="$1";; - -c) - shift; local cflags="-Werror -Wall -Wextra $1";; - -l) - shift; local ldflags="$1";; - esac - shift - done - set_opts="${set_opts:-}" - unset_opts="${unset_opts:-}" - cflags="${cflags:-}" - ldflags="${ldflags:-}" - - [ -n "$set_opts" ] && echo "Enabling: $set_opts" && scripts/config.py set-all $set_opts - [ -n "$unset_opts" ] && echo "Disabling: $unset_opts" && scripts/config.py unset-all $unset_opts - - msg "build: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" - make clean - make CFLAGS="-O2 $cflags" LDFLAGS="$ldflags" - - # Make sure we don't have mbedtls_xxx_setkey_dec in AES/ARIA/CAMELLIA - not grep mbedtls_aes_setkey_dec library/aes.o - not grep mbedtls_aria_setkey_dec library/aria.o - not grep mbedtls_camellia_setkey_dec library/camellia.o - # Make sure we don't have mbedtls_internal_aes_decrypt in AES - not grep mbedtls_internal_aes_decrypt library/aes.o - # Make sure we don't have mbedtls_aesni_inverse_key in AESNI - not grep mbedtls_aesni_inverse_key library/aesni.o - - msg "test: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" - make test - - msg "selftest: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" - programs/test/selftest -} - -# This is a common configuration function used in: -# - component_test_block_cipher_no_decrypt_aesni_legacy() -# - component_test_block_cipher_no_decrypt_aesni_use_psa() -# in order to test BLOCK_CIPHER_NO_DECRYPT with AESNI intrinsics, -# AESNI assembly and AES C implementation on x86_64 and with AESNI intrinsics -# on x86. -common_block_cipher_no_decrypt () { - # test AESNI intrinsics - helper_block_cipher_no_decrypt_build_test \ - -s "MBEDTLS_AESNI_C" \ - -c "-mpclmul -msse2 -maes" - - # test AESNI assembly - helper_block_cipher_no_decrypt_build_test \ - -s "MBEDTLS_AESNI_C" \ - -c "-mno-pclmul -mno-sse2 -mno-aes" - - # test AES C implementation - helper_block_cipher_no_decrypt_build_test \ - -u "MBEDTLS_AESNI_C" - - # test AESNI intrinsics for i386 target - helper_block_cipher_no_decrypt_build_test \ - -s "MBEDTLS_AESNI_C" \ - -c "-m32 -mpclmul -msse2 -maes" \ - -l "-m32" -} - -# This is a configuration function used in component_test_block_cipher_no_decrypt_xxx: -# usage: 0: no PSA crypto configuration -# 1: use PSA crypto configuration -config_block_cipher_no_decrypt () { - use_psa=$1 - - scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT - scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC - scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS - scripts/config.py unset MBEDTLS_DES_C - scripts/config.py unset MBEDTLS_NIST_KW_C - - if [ "$use_psa" -eq 1 ]; then - # Enable support for cryptographic mechanisms through the PSA API. - # Note: XTS, KW are not yet supported via the PSA API in Mbed TLS. - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_DES - fi -} - -component_test_block_cipher_no_decrypt_aesni () { - # This consistently causes an llvm crash on clang 3.8, so use gcc - export CC=gcc - config_block_cipher_no_decrypt 0 - common_block_cipher_no_decrypt -} - -component_test_block_cipher_no_decrypt_aesni_use_psa () { - # This consistently causes an llvm crash on clang 3.8, so use gcc - export CC=gcc - config_block_cipher_no_decrypt 1 - common_block_cipher_no_decrypt -} - -support_test_block_cipher_no_decrypt_aesce_armcc () { - support_build_armcc -} - -component_test_block_cipher_no_decrypt_aesce_armcc () { - scripts/config.py baremetal - - # armc[56] don't support SHA-512 intrinsics - scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT - - # Stop armclang warning about feature detection for A64_CRYPTO. - # With this enabled, the library does build correctly under armclang, - # but in baremetal builds (as tested here), feature detection is - # unavailable, and the user is notified via a #warning. So enabling - # this feature would prevent us from building with -Werror on - # armclang. Tracked in #7198. - scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT - scripts/config.py set MBEDTLS_HAVE_ASM - - config_block_cipher_no_decrypt 1 - - # test AESCE baremetal build - scripts/config.py set MBEDTLS_AESCE_C - msg "build: default config + BLOCK_CIPHER_NO_DECRYPT with AESCE" - armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto -Werror -Wall -Wextra" - - # Make sure we don't have mbedtls_xxx_setkey_dec in AES/ARIA/CAMELLIA - not grep mbedtls_aes_setkey_dec library/aes.o - not grep mbedtls_aria_setkey_dec library/aria.o - not grep mbedtls_camellia_setkey_dec library/camellia.o - # Make sure we don't have mbedtls_internal_aes_decrypt in AES - not grep mbedtls_internal_aes_decrypt library/aes.o - # Make sure we don't have mbedtls_aesce_inverse_key and aesce_decrypt_block in AESCE - not grep mbedtls_aesce_inverse_key library/aesce.o - not grep aesce_decrypt_block library/aesce.o -} - -component_test_ctr_drbg_aes_256_sha_256 () { - msg "build: full + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" - scripts/config.py full - scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C - scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256 - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: full + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" - make test -} - -component_test_ctr_drbg_aes_128_sha_512 () { - msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)" - scripts/config.py full - scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C - scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)" - make test -} - -component_test_ctr_drbg_aes_128_sha_256 () { - msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" - scripts/config.py full - scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C - scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY - scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256 - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" - make test -} - -component_test_se_default () { - msg "build: default config + MBEDTLS_PSA_CRYPTO_SE_C" - scripts/config.py set MBEDTLS_PSA_CRYPTO_SE_C - make CC=clang CFLAGS="$ASAN_CFLAGS -Os" LDFLAGS="$ASAN_CFLAGS" - - msg "test: default config + MBEDTLS_PSA_CRYPTO_SE_C" - make test -} - -component_test_psa_crypto_drivers () { - msg "build: full + test drivers dispatching to builtins" - scripts/config.py full - scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG - loc_cflags="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST_ALL" - loc_cflags="${loc_cflags} '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'" - loc_cflags="${loc_cflags} -I../tests/include -O2" - - make CC=$ASAN_CC CFLAGS="${loc_cflags}" LDFLAGS="$ASAN_CFLAGS" - - msg "test: full + test drivers dispatching to builtins" - make test -} - -component_test_make_shared () { - msg "build/test: make shared" # ~ 40s - make SHARED=1 all check - ldd programs/util/strerror | grep libmbedcrypto - programs/test/dlopen_demo.sh -} - -component_test_cmake_shared () { - msg "build/test: cmake shared" # ~ 2min - cmake -DUSE_SHARED_MBEDTLS_LIBRARY=On . - make - ldd programs/util/strerror | grep libmbedcrypto - make test - programs/test/dlopen_demo.sh -} - -test_build_opt () { - info=$1 cc=$2; shift 2 - $cc --version - for opt in "$@"; do - msg "build/test: $cc $opt, $info" # ~ 30s - make CC="$cc" CFLAGS="$opt -std=c99 -pedantic -Wall -Wextra -Werror" - # We're confident enough in compilers to not run _all_ the tests, - # but at least run the unit tests. In particular, runs with - # optimizations use inline assembly whereas runs with -O0 - # skip inline assembly. - make test # ~30s - make clean - done -} - -# For FreeBSD we invoke the function by name so this condition is added -# to disable the existing test_clang_opt function for linux. -if [[ $(uname) != "Linux" ]]; then - component_test_clang_opt () { - scripts/config.py full - test_build_opt 'full config' clang -O0 -Os -O2 - } -fi - -component_test_clang_latest_opt () { - scripts/config.py full - test_build_opt 'full config' "$CLANG_LATEST" -O0 -Os -O2 -} -support_test_clang_latest_opt () { - type "$CLANG_LATEST" >/dev/null 2>/dev/null -} - -component_test_clang_earliest_opt () { - scripts/config.py full - test_build_opt 'full config' "$CLANG_EARLIEST" -O0 -} -support_test_clang_earliest_opt () { - type "$CLANG_EARLIEST" >/dev/null 2>/dev/null -} - -component_test_gcc_latest_opt () { - scripts/config.py full - test_build_opt 'full config' "$GCC_LATEST" -O0 -Os -O2 -} -support_test_gcc_latest_opt () { - type "$GCC_LATEST" >/dev/null 2>/dev/null -} - -component_test_gcc_earliest_opt () { - scripts/config.py full - test_build_opt 'full config' "$GCC_EARLIEST" -O0 -} -support_test_gcc_earliest_opt () { - type "$GCC_EARLIEST" >/dev/null 2>/dev/null -} - -component_build_mbedtls_config_file () { - msg "build: make with MBEDTLS_CONFIG_FILE" # ~40s - scripts/config.py -w full_config.h full - echo '#error "MBEDTLS_CONFIG_FILE is not working"' >"$CONFIG_H" - make CFLAGS="-I '$PWD' -DMBEDTLS_CONFIG_FILE='\"full_config.h\"'" - # Make sure this feature is enabled. We'll disable it in the next phase. - programs/test/query_compile_time_config MBEDTLS_NIST_KW_C - make clean - - msg "build: make with MBEDTLS_CONFIG_FILE + MBEDTLS_USER_CONFIG_FILE" - # In the user config, disable one feature (for simplicity, pick a feature - # that nothing else depends on). - echo '#undef MBEDTLS_NIST_KW_C' >user_config.h - make CFLAGS="-I '$PWD' -DMBEDTLS_CONFIG_FILE='\"full_config.h\"' -DMBEDTLS_USER_CONFIG_FILE='\"user_config.h\"'" - not programs/test/query_compile_time_config MBEDTLS_NIST_KW_C - - rm -f user_config.h full_config.h -} - -component_build_psa_config_file () { - msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE" # ~40s - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - cp "$CRYPTO_CONFIG_H" psa_test_config.h - echo '#error "MBEDTLS_PSA_CRYPTO_CONFIG_FILE is not working"' >"$CRYPTO_CONFIG_H" - make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"'" - # Make sure this feature is enabled. We'll disable it in the next phase. - programs/test/query_compile_time_config MBEDTLS_CMAC_C - make clean - - msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE + MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE" # ~40s - # In the user config, disable one feature, which will reflect on the - # mbedtls configuration so we can query it with query_compile_time_config. - echo '#undef PSA_WANT_ALG_CMAC' >psa_user_config.h - scripts/config.py unset MBEDTLS_CMAC_C - make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DMBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'" - not programs/test/query_compile_time_config MBEDTLS_CMAC_C - - rm -f psa_test_config.h psa_user_config.h -} - -component_build_psa_alt_headers () { - msg "build: make with PSA alt headers" # ~20s - - # Generate alternative versions of the substitutable headers with the - # same content except different include guards. - make -C tests include/alt-extra/psa/crypto_platform_alt.h include/alt-extra/psa/crypto_struct_alt.h - - # Build the library and some programs. - # Don't build the fuzzers to avoid having to go through hoops to set - # a correct include path for programs/fuzz/Makefile. - make CFLAGS="-I ../tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" lib - make -C programs -o fuzz CFLAGS="-I ../tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" - - # Check that we're getting the alternative include guards and not the - # original include guards. - programs/test/query_included_headers | grep -x PSA_CRYPTO_PLATFORM_ALT_H - programs/test/query_included_headers | grep -x PSA_CRYPTO_STRUCT_ALT_H - programs/test/query_included_headers | not grep -x PSA_CRYPTO_PLATFORM_H - programs/test/query_included_headers | not grep -x PSA_CRYPTO_STRUCT_H -} - -component_test_m32_no_asm () { - # Build without assembly, so as to use portable C code (in a 32-bit - # build) and not the i386-specific inline assembly. - # - # Note that we require gcc, because clang Asan builds fail to link for - # this target (cannot find libclang_rt.lsan-i386.a - this is a known clang issue). - msg "build: i386, make, gcc, no asm (ASan build)" # ~ 30s - scripts/config.py full - scripts/config.py unset MBEDTLS_HAVE_ASM - scripts/config.py unset MBEDTLS_PADLOCK_C - scripts/config.py unset MBEDTLS_AESNI_C # AESNI for 32-bit is tested in test_aesni_m32 - make CC=gcc CFLAGS="$ASAN_CFLAGS -m32" LDFLAGS="-m32 $ASAN_CFLAGS" - - msg "test: i386, make, gcc, no asm (ASan build)" - make test -} -support_test_m32_no_asm () { - case $(uname -m) in - amd64|x86_64) true;; - *) false;; - esac -} - -component_test_m32_o2 () { - # Build with optimization, to use the i386 specific inline assembly - # and go faster for tests. - msg "build: i386, make, gcc -O2 (ASan build)" # ~ 30s - scripts/config.py full - scripts/config.py unset MBEDTLS_AESNI_C # AESNI for 32-bit is tested in test_aesni_m32 - make CC=gcc CFLAGS="$ASAN_CFLAGS -m32" LDFLAGS="-m32 $ASAN_CFLAGS" - - msg "test: i386, make, gcc -O2 (ASan build)" - make test - - msg "test ssl-opt.sh, i386, make, gcc-O2" - tests/ssl-opt.sh -} -support_test_m32_o2 () { - support_test_m32_no_asm "$@" -} - -component_test_m32_everest () { - msg "build: i386, Everest ECDH context (ASan build)" # ~ 6 min - scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED - scripts/config.py unset MBEDTLS_AESNI_C # AESNI for 32-bit is tested in test_aesni_m32 - make CC=gcc CFLAGS="$ASAN_CFLAGS -m32" LDFLAGS="-m32 $ASAN_CFLAGS" - - msg "test: i386, Everest ECDH context - main suites (inc. selftests) (ASan build)" # ~ 50s - make test - - msg "test: i386, Everest ECDH context - ECDH-related part of ssl-opt.sh (ASan build)" # ~ 5s - tests/ssl-opt.sh -f ECDH - - msg "test: i386, Everest ECDH context - compat.sh with some ECDH ciphersuites (ASan build)" # ~ 3 min - # Exclude some symmetric ciphers that are redundant here to gain time. - tests/compat.sh -f ECDH -V NO -e 'ARIA\|CAMELLIA\|CHACHA' -} -support_test_m32_everest () { - support_test_m32_no_asm "$@" -} - -component_test_mx32 () { - msg "build: 64-bit ILP32, make, gcc" # ~ 30s - scripts/config.py full - make CC=gcc CFLAGS='-O2 -Werror -Wall -Wextra -mx32' LDFLAGS='-mx32' - - msg "test: 64-bit ILP32, make, gcc" - make test -} -support_test_mx32 () { - case $(uname -m) in - amd64|x86_64) true;; - *) false;; - esac -} - -component_test_min_mpi_window_size () { - msg "build: Default + MBEDTLS_MPI_WINDOW_SIZE=1 (ASan build)" # ~ 10s - scripts/config.py set MBEDTLS_MPI_WINDOW_SIZE 1 - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: MBEDTLS_MPI_WINDOW_SIZE=1 - main suites (inc. selftests) (ASan build)" # ~ 10s - make test -} - -component_test_have_int32 () { - msg "build: gcc, force 32-bit bignum limbs" - scripts/config.py unset MBEDTLS_HAVE_ASM - scripts/config.py unset MBEDTLS_AESNI_C - scripts/config.py unset MBEDTLS_PADLOCK_C - scripts/config.py unset MBEDTLS_AESCE_C - make CC=gcc CFLAGS='-O2 -Werror -Wall -Wextra -DMBEDTLS_HAVE_INT32' - - msg "test: gcc, force 32-bit bignum limbs" - make test -} - -component_test_have_int64 () { - msg "build: gcc, force 64-bit bignum limbs" - scripts/config.py unset MBEDTLS_HAVE_ASM - scripts/config.py unset MBEDTLS_AESNI_C - scripts/config.py unset MBEDTLS_PADLOCK_C - scripts/config.py unset MBEDTLS_AESCE_C - make CC=gcc CFLAGS='-O2 -Werror -Wall -Wextra -DMBEDTLS_HAVE_INT64' - - msg "test: gcc, force 64-bit bignum limbs" - make test -} - -component_test_have_int32_cmake_new_bignum () { - msg "build: gcc, force 32-bit bignum limbs, new bignum interface, test hooks (ASan build)" - scripts/config.py unset MBEDTLS_HAVE_ASM - scripts/config.py unset MBEDTLS_AESNI_C - scripts/config.py unset MBEDTLS_PADLOCK_C - scripts/config.py unset MBEDTLS_AESCE_C - scripts/config.py set MBEDTLS_TEST_HOOKS - scripts/config.py set MBEDTLS_ECP_WITH_MPI_UINT - make CC=gcc CFLAGS="$ASAN_CFLAGS -Werror -Wall -Wextra -DMBEDTLS_HAVE_INT32" LDFLAGS="$ASAN_CFLAGS" - - msg "test: gcc, force 32-bit bignum limbs, new bignum interface, test hooks (ASan build)" - make test -} - -component_test_no_udbl_division () { - msg "build: MBEDTLS_NO_UDBL_DIVISION native" # ~ 10s - scripts/config.py full - scripts/config.py set MBEDTLS_NO_UDBL_DIVISION - make CFLAGS='-Werror -O1' - - msg "test: MBEDTLS_NO_UDBL_DIVISION native" # ~ 10s - make test -} - -component_test_no_64bit_multiplication () { - msg "build: MBEDTLS_NO_64BIT_MULTIPLICATION native" # ~ 10s - scripts/config.py full - scripts/config.py set MBEDTLS_NO_64BIT_MULTIPLICATION - make CFLAGS='-Werror -O1' - - msg "test: MBEDTLS_NO_64BIT_MULTIPLICATION native" # ~ 10s - make test -} - -component_test_no_strings () { - msg "build: no strings" # ~10s - scripts/config.py full - # Disable options that activate a large amount of string constants. - scripts/config.py unset MBEDTLS_DEBUG_C - scripts/config.py unset MBEDTLS_ERROR_C - scripts/config.py set MBEDTLS_ERROR_STRERROR_DUMMY - scripts/config.py unset MBEDTLS_VERSION_FEATURES - make CFLAGS='-Werror -Os' - - msg "test: no strings" # ~ 10s - make test -} - -component_test_no_x509_info () { - msg "build: full + MBEDTLS_X509_REMOVE_INFO" # ~ 10s - scripts/config.pl full - scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests - scripts/config.pl set MBEDTLS_X509_REMOVE_INFO - make CFLAGS='-Werror -O2' - - msg "test: full + MBEDTLS_X509_REMOVE_INFO" # ~ 10s - make test - - msg "test: ssl-opt.sh, full + MBEDTLS_X509_REMOVE_INFO" # ~ 1 min - tests/ssl-opt.sh -} - -component_build_arm_none_eabi_gcc () { - msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc -O1, baremetal+debug" # ~ 10s - scripts/config.py baremetal - make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -Wall -Wextra -O1' lib - - msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -O1, baremetal+debug" - ${ARM_NONE_EABI_GCC_PREFIX}size -t library/*.o -} - -component_build_arm_linux_gnueabi_gcc_arm5vte () { - msg "build: ${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc -march=arm5vte, baremetal+debug" # ~ 10s - scripts/config.py baremetal - # Build for a target platform that's close to what Debian uses - # for its "armel" distribution (https://wiki.debian.org/ArmEabiPort). - # See https://github.com/Mbed-TLS/mbedtls/pull/2169 and comments. - # Build everything including programs, see for example - # https://github.com/Mbed-TLS/mbedtls/pull/3449#issuecomment-675313720 - make CC="${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc" AR="${ARM_LINUX_GNUEABI_GCC_PREFIX}ar" CFLAGS='-Werror -Wall -Wextra -march=armv5te -O1' LDFLAGS='-march=armv5te' - - msg "size: ${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc -march=armv5te -O1, baremetal+debug" - ${ARM_LINUX_GNUEABI_GCC_PREFIX}size -t library/*.o -} -support_build_arm_linux_gnueabi_gcc_arm5vte () { - type ${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc >/dev/null 2>&1 -} - -component_build_arm_none_eabi_gcc_arm5vte () { - msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc -march=arm5vte, baremetal+debug" # ~ 10s - scripts/config.py baremetal - # This is an imperfect substitute for - # component_build_arm_linux_gnueabi_gcc_arm5vte - # in case the gcc-arm-linux-gnueabi toolchain is not available - make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" CFLAGS='-std=c99 -Werror -Wall -Wextra -march=armv5te -O1' LDFLAGS='-march=armv5te' SHELL='sh -x' lib - - msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -march=armv5te -O1, baremetal+debug" - ${ARM_NONE_EABI_GCC_PREFIX}size -t library/*.o -} - -component_build_arm_none_eabi_gcc_m0plus () { - msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc -mthumb -mcpu=cortex-m0plus, baremetal_size" # ~ 10s - scripts/config.py baremetal_size - make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -Wall -Wextra -mthumb -mcpu=cortex-m0plus -Os' lib - - msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -mthumb -mcpu=cortex-m0plus -Os, baremetal_size" - ${ARM_NONE_EABI_GCC_PREFIX}size -t library/*.o - for lib in library/*.a; do - echo "$lib:" - ${ARM_NONE_EABI_GCC_PREFIX}size -t $lib | grep TOTALS - done -} - -component_build_arm_none_eabi_gcc_no_udbl_division () { - msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc -DMBEDTLS_NO_UDBL_DIVISION, make" # ~ 10s - scripts/config.py baremetal - scripts/config.py set MBEDTLS_NO_UDBL_DIVISION - make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -Wall -Wextra' lib - echo "Checking that software 64-bit division is not required" - not grep __aeabi_uldiv library/*.o -} - -component_build_arm_none_eabi_gcc_no_64bit_multiplication () { - msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc MBEDTLS_NO_64BIT_MULTIPLICATION, make" # ~ 10s - scripts/config.py baremetal - scripts/config.py set MBEDTLS_NO_64BIT_MULTIPLICATION - make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -O1 -march=armv6-m -mthumb' lib - echo "Checking that software 64-bit multiplication is not required" - not grep __aeabi_lmul library/*.o -} - -component_build_arm_clang_thumb () { - # ~ 30s - - scripts/config.py baremetal - - msg "build: clang thumb 2, make" - make clean - make CC="clang" CFLAGS='-std=c99 -Werror -Os --target=arm-linux-gnueabihf -march=armv7-m -mthumb' lib - - # Some Thumb 1 asm is sensitive to optimisation level, so test both -O0 and -Os - msg "build: clang thumb 1 -O0, make" - make clean - make CC="clang" CFLAGS='-std=c99 -Werror -O0 --target=arm-linux-gnueabihf -mcpu=arm1136j-s -mthumb' lib - - msg "build: clang thumb 1 -Os, make" - make clean - make CC="clang" CFLAGS='-std=c99 -Werror -Os --target=arm-linux-gnueabihf -mcpu=arm1136j-s -mthumb' lib -} - -component_build_armcc () { - msg "build: ARM Compiler 5" - scripts/config.py baremetal - # armc[56] don't support SHA-512 intrinsics - scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT - - # older versions of armcc/armclang don't support AESCE_C on 32-bit Arm - scripts/config.py unset MBEDTLS_AESCE_C - - # Stop armclang warning about feature detection for A64_CRYPTO. - # With this enabled, the library does build correctly under armclang, - # but in baremetal builds (as tested here), feature detection is - # unavailable, and the user is notified via a #warning. So enabling - # this feature would prevent us from building with -Werror on - # armclang. Tracked in #7198. - scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT - - scripts/config.py set MBEDTLS_HAVE_ASM - - make CC="$ARMC5_CC" AR="$ARMC5_AR" WARNING_CFLAGS='--strict --c99' lib - - msg "size: ARM Compiler 5" - "$ARMC5_FROMELF" -z library/*.o - - # Compile mostly with -O1 since some Arm inline assembly is disabled for -O0. - - # ARM Compiler 6 - Target ARMv7-A - armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv7-a" - - # ARM Compiler 6 - Target ARMv7-M - armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv7-m" - - # ARM Compiler 6 - Target ARMv7-M+DSP - armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv7-m+dsp" - - # ARM Compiler 6 - Target ARMv8-A - AArch32 - armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv8.2-a" - - # ARM Compiler 6 - Target ARMv8-M - armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv8-m.main" - - # ARM Compiler 6 - Target Cortex-M0 - no optimisation - armc6_build_test "-O0 --target=arm-arm-none-eabi -mcpu=cortex-m0" - - # ARM Compiler 6 - Target Cortex-M0 - armc6_build_test "-Os --target=arm-arm-none-eabi -mcpu=cortex-m0" - - # ARM Compiler 6 - Target ARMv8.2-A - AArch64 - # - # Re-enable MBEDTLS_AESCE_C as this should be supported by the version of armclang - # that we have in our CI - scripts/config.py set MBEDTLS_AESCE_C - armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8.2-a+crypto" -} - -support_build_armcc () { - armc5_cc="$ARMC5_BIN_DIR/armcc" - armc6_cc="$ARMC6_BIN_DIR/armclang" - (check_tools "$armc5_cc" "$armc6_cc" > /dev/null 2>&1) -} - -component_test_tls12_only () { - msg "build: default config without MBEDTLS_SSL_PROTO_TLS1_3, cmake, gcc, ASan" - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: main suites (inc. selftests) (ASan build)" - make test - - msg "test: ssl-opt.sh (ASan build)" - tests/ssl-opt.sh - - msg "test: compat.sh (ASan build)" - tests/compat.sh -} - -component_test_tls13_only () { - msg "build: default config without MBEDTLS_SSL_PROTO_TLS1_2" - scripts/config.py set MBEDTLS_SSL_EARLY_DATA - scripts/config.py set MBEDTLS_SSL_RECORD_SIZE_LIMIT - make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" - - msg "test: TLS 1.3 only, all key exchange modes enabled" - make test - - msg "ssl-opt.sh: TLS 1.3 only, all key exchange modes enabled" - tests/ssl-opt.sh -} - -component_test_tls13_only_psk () { - msg "build: TLS 1.3 only from default, only PSK key exchange mode" - scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED - scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED - scripts/config.py unset MBEDTLS_ECDH_C - scripts/config.py unset MBEDTLS_DHM_C - scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C - scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT - scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION - scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_PKCS1_V21 - scripts/config.py unset MBEDTLS_PKCS7_C - scripts/config.py set MBEDTLS_SSL_EARLY_DATA - make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" - - msg "test_suite_ssl: TLS 1.3 only, only PSK key exchange mode enabled" - cd tests; ./test_suite_ssl; cd .. - - msg "ssl-opt.sh: TLS 1.3 only, only PSK key exchange mode enabled" - tests/ssl-opt.sh -} - -component_test_tls13_only_ephemeral () { - msg "build: TLS 1.3 only from default, only ephemeral key exchange mode" - scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED - scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED - scripts/config.py unset MBEDTLS_SSL_EARLY_DATA - make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" - - msg "test_suite_ssl: TLS 1.3 only, only ephemeral key exchange mode" - cd tests; ./test_suite_ssl; cd .. - - msg "ssl-opt.sh: TLS 1.3 only, only ephemeral key exchange mode" - tests/ssl-opt.sh -} - -component_test_tls13_only_ephemeral_ffdh () { - msg "build: TLS 1.3 only from default, only ephemeral ffdh key exchange mode" - scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED - scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED - scripts/config.py unset MBEDTLS_SSL_EARLY_DATA - scripts/config.py unset MBEDTLS_ECDH_C - - make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" - - msg "test_suite_ssl: TLS 1.3 only, only ephemeral ffdh key exchange mode" - cd tests; ./test_suite_ssl; cd .. - - msg "ssl-opt.sh: TLS 1.3 only, only ephemeral ffdh key exchange mode" - tests/ssl-opt.sh -} - -component_test_tls13_only_psk_ephemeral () { - msg "build: TLS 1.3 only from default, only PSK ephemeral key exchange mode" - scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED - scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED - scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C - scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT - scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION - scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_PKCS1_V21 - scripts/config.py unset MBEDTLS_PKCS7_C - scripts/config.py set MBEDTLS_SSL_EARLY_DATA - make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" - - msg "test_suite_ssl: TLS 1.3 only, only PSK ephemeral key exchange mode" - cd tests; ./test_suite_ssl; cd .. - - msg "ssl-opt.sh: TLS 1.3 only, only PSK ephemeral key exchange mode" - tests/ssl-opt.sh -} - -component_test_tls13_only_psk_ephemeral_ffdh () { - msg "build: TLS 1.3 only from default, only PSK ephemeral ffdh key exchange mode" - scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED - scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED - scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C - scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT - scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION - scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_PKCS1_V21 - scripts/config.py unset MBEDTLS_PKCS7_C - scripts/config.py set MBEDTLS_SSL_EARLY_DATA - scripts/config.py unset MBEDTLS_ECDH_C - make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" - - msg "test_suite_ssl: TLS 1.3 only, only PSK ephemeral ffdh key exchange mode" - cd tests; ./test_suite_ssl; cd .. - - msg "ssl-opt.sh: TLS 1.3 only, only PSK ephemeral ffdh key exchange mode" - tests/ssl-opt.sh -} - -component_test_tls13_only_psk_all () { - msg "build: TLS 1.3 only from default, without ephemeral key exchange mode" - scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED - scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C - scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT - scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION - scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_PKCS1_V21 - scripts/config.py unset MBEDTLS_PKCS7_C - scripts/config.py set MBEDTLS_SSL_EARLY_DATA - make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" - - msg "test_suite_ssl: TLS 1.3 only, PSK and PSK ephemeral key exchange modes" - cd tests; ./test_suite_ssl; cd .. - - msg "ssl-opt.sh: TLS 1.3 only, PSK and PSK ephemeral key exchange modes" - tests/ssl-opt.sh -} - -component_test_tls13_only_ephemeral_all () { - msg "build: TLS 1.3 only from default, without PSK key exchange mode" - scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED - scripts/config.py set MBEDTLS_SSL_EARLY_DATA - make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" - - msg "test_suite_ssl: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes" - cd tests; ./test_suite_ssl; cd .. - - msg "ssl-opt.sh: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes" - tests/ssl-opt.sh -} - -component_test_tls13_no_padding () { - msg "build: default config plus early data minus padding" - scripts/config.py set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1 - scripts/config.py set MBEDTLS_SSL_EARLY_DATA - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - msg "test: default config plus early data minus padding" - make test - msg "ssl-opt.sh (TLS 1.3 no padding)" - tests/ssl-opt.sh -} - -component_test_tls13_no_compatibility_mode () { - msg "build: default config plus early data minus middlebox compatibility mode" - scripts/config.py unset MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE - scripts/config.py set MBEDTLS_SSL_EARLY_DATA - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - msg "test: default config plus early data minus middlebox compatibility mode" - make test - msg "ssl-opt.sh (TLS 1.3 no compatibility mode)" - tests/ssl-opt.sh -} - -component_build_mingw () { - msg "build: Windows cross build - mingw64, make (Link Library)" # ~ 30s - make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 lib programs - - # note Make tests only builds the tests, but doesn't run them - make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -maes -msse2 -mpclmul' WINDOWS_BUILD=1 tests - make WINDOWS_BUILD=1 clean - - msg "build: Windows cross build - mingw64, make (DLL)" # ~ 30s - make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 SHARED=1 lib programs - make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 SHARED=1 tests - make WINDOWS_BUILD=1 clean - - msg "build: Windows cross build - mingw64, make (Library only, default config without MBEDTLS_AESNI_C)" # ~ 30s - ./scripts/config.py unset MBEDTLS_AESNI_C # - make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 lib - make WINDOWS_BUILD=1 clean -} -support_build_mingw() { - case $(i686-w64-mingw32-gcc -dumpversion 2>/dev/null) in - [0-5]*|"") false;; - *) true;; - esac -} - -component_test_memsan () { - msg "build: MSan (clang)" # ~ 1 min 20s - scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm - CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan . - make - - msg "test: main suites (MSan)" # ~ 10s - make test - - msg "test: metatests (MSan)" - tests/scripts/run-metatests.sh any msan - - msg "program demos (MSan)" # ~20s - tests/scripts/run_demos.py - - msg "test: ssl-opt.sh (MSan)" # ~ 1 min - tests/ssl-opt.sh - - # Optional part(s) - - if [ "$MEMORY" -gt 0 ]; then - msg "test: compat.sh (MSan)" # ~ 6 min 20s - tests/compat.sh - fi -} - -component_release_test_valgrind () { - msg "build: Release (clang)" - # default config, in particular without MBEDTLS_USE_PSA_CRYPTO - CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release . - make - - msg "test: main suites, Valgrind (default config)" - make memcheck - - # Optional parts (slow; currently broken on OS X because programs don't - # seem to receive signals under valgrind on OS X). - # These optional parts don't run on the CI. - if [ "$MEMORY" -gt 0 ]; then - msg "test: ssl-opt.sh --memcheck (default config)" - tests/ssl-opt.sh --memcheck - fi - - if [ "$MEMORY" -gt 1 ]; then - msg "test: compat.sh --memcheck (default config)" - tests/compat.sh --memcheck - fi - - if [ "$MEMORY" -gt 0 ]; then - msg "test: context-info.sh --memcheck (default config)" - tests/context-info.sh --memcheck - fi -} - -component_release_test_valgrind_psa () { - msg "build: Release, full (clang)" - # full config, in particular with MBEDTLS_USE_PSA_CRYPTO - scripts/config.py full - CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release . - make - - msg "test: main suites, Valgrind (full config)" - make memcheck -} - -support_test_cmake_out_of_source () { - distrib_id="" - distrib_ver="" - distrib_ver_minor="" - distrib_ver_major="" - - # Attempt to parse lsb-release to find out distribution and version. If not - # found this should fail safe (test is supported). - if [[ -f /etc/lsb-release ]]; then - - while read -r lsb_line; do - case "$lsb_line" in - "DISTRIB_ID"*) distrib_id=${lsb_line/#DISTRIB_ID=};; - "DISTRIB_RELEASE"*) distrib_ver=${lsb_line/#DISTRIB_RELEASE=};; - esac - done < /etc/lsb-release - - distrib_ver_major="${distrib_ver%%.*}" - distrib_ver="${distrib_ver#*.}" - distrib_ver_minor="${distrib_ver%%.*}" - fi - - # Running the out of source CMake test on Ubuntu 16.04 using more than one - # processor (as the CI does) can create a race condition whereby the build - # fails to see a generated file, despite that file actually having been - # generated. This problem appears to go away with 18.04 or newer, so make - # the out of source tests unsupported on Ubuntu 16.04. - [ "$distrib_id" != "Ubuntu" ] || [ "$distrib_ver_major" -gt 16 ] -} - -component_test_cmake_out_of_source () { - # Remove existing generated files so that we use the ones cmake - # generates - make neat - - msg "build: cmake 'out-of-source' build" - MBEDTLS_ROOT_DIR="$PWD" - mkdir "$OUT_OF_SOURCE_DIR" - cd "$OUT_OF_SOURCE_DIR" - # Note: Explicitly generate files as these are turned off in releases - cmake -D CMAKE_BUILD_TYPE:String=Check -D GEN_FILES=ON "$MBEDTLS_ROOT_DIR" - make - - msg "test: cmake 'out-of-source' build" - make test - # Check that ssl-opt.sh can find the test programs. - # Also ensure that there are no error messages such as - # "No such file or directory", which would indicate that some required - # file is missing (ssl-opt.sh tolerates the absence of some files so - # may exit with status 0 but emit errors). - ./tests/ssl-opt.sh -f 'Default' >ssl-opt.out 2>ssl-opt.err - grep PASS ssl-opt.out - cat ssl-opt.err >&2 - # If ssl-opt.err is non-empty, record an error and keep going. - [ ! -s ssl-opt.err ] - rm ssl-opt.out ssl-opt.err - cd "$MBEDTLS_ROOT_DIR" - rm -rf "$OUT_OF_SOURCE_DIR" -} - -component_test_cmake_as_subdirectory () { - # Remove existing generated files so that we use the ones CMake - # generates - make neat - - msg "build: cmake 'as-subdirectory' build" - cd programs/test/cmake_subproject - # Note: Explicitly generate files as these are turned off in releases - cmake -D GEN_FILES=ON . - make - ./cmake_subproject -} -support_test_cmake_as_subdirectory () { - support_test_cmake_out_of_source -} - -component_test_cmake_as_package () { - # Remove existing generated files so that we use the ones CMake - # generates - make neat - - msg "build: cmake 'as-package' build" - cd programs/test/cmake_package - cmake . - make - ./cmake_package -} -support_test_cmake_as_package () { - support_test_cmake_out_of_source -} - -component_test_cmake_as_package_install () { - # Remove existing generated files so that we use the ones CMake - # generates - make neat - - msg "build: cmake 'as-installed-package' build" - cd programs/test/cmake_package_install - cmake . - make - ./cmake_package_install -} -support_test_cmake_as_package_install () { - support_test_cmake_out_of_source -} - -component_build_cmake_custom_config_file () { - # Make a copy of config file to use for the in-tree test - cp "$CONFIG_H" include/mbedtls_config_in_tree_copy.h - - MBEDTLS_ROOT_DIR="$PWD" - mkdir "$OUT_OF_SOURCE_DIR" - cd "$OUT_OF_SOURCE_DIR" - - # Build once to get the generated files (which need an intact config file) - cmake "$MBEDTLS_ROOT_DIR" - make - - msg "build: cmake with -DMBEDTLS_CONFIG_FILE" - scripts/config.py -w full_config.h full - echo '#error "cmake -DMBEDTLS_CONFIG_FILE is not working."' > "$MBEDTLS_ROOT_DIR/$CONFIG_H" - cmake -DGEN_FILES=OFF -DMBEDTLS_CONFIG_FILE=full_config.h "$MBEDTLS_ROOT_DIR" - make - - msg "build: cmake with -DMBEDTLS_CONFIG_FILE + -DMBEDTLS_USER_CONFIG_FILE" - # In the user config, disable one feature (for simplicity, pick a feature - # that nothing else depends on). - echo '#undef MBEDTLS_NIST_KW_C' >user_config.h - - cmake -DGEN_FILES=OFF -DMBEDTLS_CONFIG_FILE=full_config.h -DMBEDTLS_USER_CONFIG_FILE=user_config.h "$MBEDTLS_ROOT_DIR" - make - not programs/test/query_compile_time_config MBEDTLS_NIST_KW_C - - rm -f user_config.h full_config.h - - cd "$MBEDTLS_ROOT_DIR" - rm -rf "$OUT_OF_SOURCE_DIR" - - # Now repeat the test for an in-tree build: - - # Restore config for the in-tree test - mv include/mbedtls_config_in_tree_copy.h "$CONFIG_H" - - # Build once to get the generated files (which need an intact config) - cmake . - make - - msg "build: cmake (in-tree) with -DMBEDTLS_CONFIG_FILE" - scripts/config.py -w full_config.h full - echo '#error "cmake -DMBEDTLS_CONFIG_FILE is not working."' > "$MBEDTLS_ROOT_DIR/$CONFIG_H" - cmake -DGEN_FILES=OFF -DMBEDTLS_CONFIG_FILE=full_config.h . - make - - msg "build: cmake (in-tree) with -DMBEDTLS_CONFIG_FILE + -DMBEDTLS_USER_CONFIG_FILE" - # In the user config, disable one feature (for simplicity, pick a feature - # that nothing else depends on). - echo '#undef MBEDTLS_NIST_KW_C' >user_config.h - - cmake -DGEN_FILES=OFF -DMBEDTLS_CONFIG_FILE=full_config.h -DMBEDTLS_USER_CONFIG_FILE=user_config.h . - make - not programs/test/query_compile_time_config MBEDTLS_NIST_KW_C - - rm -f user_config.h full_config.h -} -support_build_cmake_custom_config_file () { - support_test_cmake_out_of_source -} - - -component_build_zeroize_checks () { - msg "build: check for obviously wrong calls to mbedtls_platform_zeroize()" - - scripts/config.py full - - # Only compile - we're looking for sizeof-pointer-memaccess warnings - make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-zeroize-memset.h\"' -DMBEDTLS_TEST_DEFINES_ZEROIZE -Werror -Wsizeof-pointer-memaccess" -} - - -component_test_zeroize () { - # Test that the function mbedtls_platform_zeroize() is not optimized away by - # different combinations of compilers and optimization flags by using an - # auxiliary GDB script. Unfortunately, GDB does not return error values to the - # system in all cases that the script fails, so we must manually search the - # output to check whether the pass string is present and no failure strings - # were printed. - - # Don't try to disable ASLR. We don't care about ASLR here. We do care - # about a spurious message if Gdb tries and fails, so suppress that. - gdb_disable_aslr= - if [ -z "$(gdb -batch -nw -ex 'set disable-randomization off' 2>&1)" ]; then - gdb_disable_aslr='set disable-randomization off' - fi - - for optimization_flag in -O2 -O3 -Ofast -Os; do - for compiler in clang gcc; do - msg "test: $compiler $optimization_flag, mbedtls_platform_zeroize()" - make programs CC="$compiler" DEBUG=1 CFLAGS="$optimization_flag" - gdb -ex "$gdb_disable_aslr" -x tests/scripts/test_zeroize.gdb -nw -batch -nx 2>&1 | tee test_zeroize.log - grep "The buffer was correctly zeroized" test_zeroize.log - not grep -i "error" test_zeroize.log - rm -f test_zeroize.log - make clean - done - done -} - -component_test_psa_compliance () { - # The arch tests build with gcc, so require use of gcc here to link properly - msg "build: make, default config (out-of-box), libmbedcrypto.a only" - CC=gcc make -C library libmbedcrypto.a - - msg "unit test: test_psa_compliance.py" - CC=gcc ./tests/scripts/test_psa_compliance.py -} - -support_test_psa_compliance () { - # psa-compliance-tests only supports CMake >= 3.10.0 - ver="$(cmake --version)" - ver="${ver#cmake version }" - ver_major="${ver%%.*}" - - ver="${ver#*.}" - ver_minor="${ver%%.*}" - - [ "$ver_major" -eq 3 ] && [ "$ver_minor" -ge 10 ] -} - -component_check_code_style () { - msg "Check C code style" - ./scripts/code_style.py -} - -support_check_code_style() { - case $(uncrustify --version) in - *0.75.1*) true;; - *) false;; - esac -} - -component_check_python_files () { - msg "Lint: Python scripts" - tests/scripts/check-python-files.sh -} - -component_check_test_helpers () { - msg "unit test: generate_test_code.py" - # unittest writes out mundane stuff like number or tests run on stderr. - # Our convention is to reserve stderr for actual errors, and write - # harmless info on stdout so it can be suppress with --quiet. - ./tests/scripts/test_generate_test_code.py 2>&1 - - msg "unit test: translate_ciphers.py" - python3 -m unittest tests/scripts/translate_ciphers.py 2>&1 -} - +# Include the components from components.sh +test_script_dir="${0%/*}" +for file in "$test_script_dir"/components*.sh; do + source $file +done ################################################################ #### Termination @@ -6419,8 +1024,6 @@ post_report () { final_report } - - ################################################################ #### Run all the things ################################################################ diff --git a/yass/third_party/mbedtls/tests/scripts/analyze_outcomes.py b/yass/third_party/mbedtls/tests/scripts/analyze_outcomes.py index 5b4deb6298..082ed01b15 100755 --- a/yass/third_party/mbedtls/tests/scripts/analyze_outcomes.py +++ b/yass/third_party/mbedtls/tests/scripts/analyze_outcomes.py @@ -85,6 +85,17 @@ def execute_reference_driver_tests(results: Results, ref_component: str, driver_ def analyze_coverage(results: Results, outcomes: Outcomes, allow_list: typing.List[str], full_coverage: bool) -> None: """Check that all available test cases are executed at least once.""" + # Make sure that the generated data files are present (and up-to-date). + # This allows analyze_outcomes.py to run correctly on a fresh Git + # checkout. + cp = subprocess.run(['make', 'generated_files'], + cwd='tests', + stdout=subprocess.PIPE, stderr=subprocess.STDOUT, + check=False) + if cp.returncode != 0: + sys.stderr.write(cp.stdout.decode('utf-8')) + results.error("Failed \"make generated_files\" in tests. " + "Coverage analysis may be incorrect.") available = check_test_cases.collect_available_test_cases() for suite_case in available: hit = any(suite_case in comp_outcomes.successes or @@ -149,10 +160,10 @@ def analyze_driver_vs_reference(results: Results, outcomes: Outcomes, # don't issue an error if they're skipped with drivers, # but issue an error if they're not (means we have a bad entry). ignored = False - if full_test_suite in ignored_tests: - for str_or_re in ignored_tests[full_test_suite]: - if name_matches_pattern(test_string, str_or_re): - ignored = True + for str_or_re in (ignored_tests.get(full_test_suite, []) + + ignored_tests.get(test_suite, [])): + if name_matches_pattern(test_string, str_or_re): + ignored = True if not ignored and not suite_case in driver_outcomes.successes: results.error("PASS -> SKIP/FAIL: {}", suite_case) @@ -231,6 +242,9 @@ KNOWN_TASKS = { 'psa_crypto_low_hash.generated', # testing the builtins ], 'ignored_tests': { + 'test_suite_config': [ + re.compile(r'.*\bMBEDTLS_(MD5|RIPEMD160|SHA[0-9]+)_.*'), + ], 'test_suite_platform': [ # Incompatible with sanitizers (e.g. ASan). If the driver # component uses a sanitizer but the reference component @@ -254,6 +268,10 @@ KNOWN_TASKS = { 'psa_crypto_low_hash.generated', ], 'ignored_tests': { + 'test_suite_config': [ + re.compile(r'.*\bMBEDTLS_(MD5|RIPEMD160|SHA[0-9]+)_.*'), + re.compile(r'.*\bMBEDTLS_MD_C\b') + ], 'test_suite_md': [ # Builtin HMAC is not supported in the accelerate component. re.compile('.*HMAC.*'), @@ -293,6 +311,12 @@ KNOWN_TASKS = { 'cipher', ], 'ignored_tests': { + 'test_suite_config': [ + re.compile(r'.*\bMBEDTLS_(AES|ARIA|CAMELLIA|CHACHA20|DES)_.*'), + re.compile(r'.*\bMBEDTLS_(CCM|CHACHAPOLY|CMAC|GCM)_.*'), + re.compile(r'.*\bMBEDTLS_AES(\w+)_C\b.*'), + re.compile(r'.*\bMBEDTLS_CIPHER_.*'), + ], # PEM decryption is not supported so far. # The rest of PEM (write, unencrypted read) works though. 'test_suite_pem': [ @@ -333,6 +357,12 @@ KNOWN_TASKS = { 'Key ASN1 (Encrypted key PKCS5, trailing garbage data)', re.compile(r'Parse (RSA|EC) Key .*\(.* ([Ee]ncrypted|password).*\)'), ], + # Encrypted keys are not supported so far. + 'ssl-opt': [ + 'TLS: password protected server key', + 'TLS: password protected client key', + 'TLS: password protected server key, two certificates', + ], } } }, @@ -346,6 +376,9 @@ KNOWN_TASKS = { 'ecdsa', 'ecdh', 'ecjpake', ], 'ignored_tests': { + 'test_suite_config': [ + re.compile(r'.*\bMBEDTLS_(ECDH|ECDSA|ECJPAKE|ECP)_.*'), + ], 'test_suite_platform': [ # Incompatible with sanitizers (e.g. ASan). If the driver # component uses a sanitizer but the reference component @@ -386,6 +419,10 @@ KNOWN_TASKS = { 'ecp', 'ecdsa', 'ecdh', 'ecjpake', ], 'ignored_tests': { + 'test_suite_config': [ + re.compile(r'.*\bMBEDTLS_(ECDH|ECDSA|ECJPAKE|ECP)_.*'), + re.compile(r'.*\bMBEDTLS_PK_PARSE_EC_COMPRESSED\b.*'), + ], 'test_suite_platform': [ # Incompatible with sanitizers (e.g. ASan). If the driver # component uses a sanitizer but the reference component @@ -425,6 +462,11 @@ KNOWN_TASKS = { 'bignum.generated', 'bignum.misc', ], 'ignored_tests': { + 'test_suite_config': [ + re.compile(r'.*\bMBEDTLS_BIGNUM_C\b.*'), + re.compile(r'.*\bMBEDTLS_(ECDH|ECDSA|ECJPAKE|ECP)_.*'), + re.compile(r'.*\bMBEDTLS_PK_PARSE_EC_COMPRESSED\b.*'), + ], 'test_suite_platform': [ # Incompatible with sanitizers (e.g. ASan). If the driver # component uses a sanitizer but the reference component @@ -468,6 +510,19 @@ KNOWN_TASKS = { 'bignum.generated', 'bignum.misc', ], 'ignored_tests': { + 'ssl-opt': [ + # DHE support in TLS 1.2 requires built-in MBEDTLS_DHM_C + # (because it needs custom groups, which PSA does not + # provide), even with MBEDTLS_USE_PSA_CRYPTO. + re.compile(r'PSK callback:.*\bdhe-psk\b.*'), + ], + 'test_suite_config': [ + re.compile(r'.*\bMBEDTLS_BIGNUM_C\b.*'), + re.compile(r'.*\bMBEDTLS_DHM_C\b.*'), + re.compile(r'.*\bMBEDTLS_(ECDH|ECDSA|ECJPAKE|ECP)_.*'), + re.compile(r'.*\bMBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED\b.*'), + re.compile(r'.*\bMBEDTLS_PK_PARSE_EC_COMPRESSED\b.*'), + ], 'test_suite_platform': [ # Incompatible with sanitizers (e.g. ASan). If the driver # component uses a sanitizer but the reference component @@ -506,6 +561,9 @@ KNOWN_TASKS = { 'component_driver': 'test_psa_crypto_config_accel_ffdh', 'ignored_suites': ['dhm'], 'ignored_tests': { + 'test_suite_config': [ + re.compile(r'.*\bMBEDTLS_DHM_C\b.*'), + ], 'test_suite_platform': [ # Incompatible with sanitizers (e.g. ASan). If the driver # component uses a sanitizer but the reference component @@ -528,6 +586,15 @@ KNOWN_TASKS = { 'bignum.generated', 'bignum.misc', ], 'ignored_tests': { + 'test_suite_config': [ + re.compile(r'.*\bMBEDTLS_BIGNUM_C\b.*'), + re.compile(r'.*\bMBEDTLS_(ASN1\w+)_C\b.*'), + re.compile(r'.*\bMBEDTLS_(ECDH|ECDSA|ECP)_.*'), + re.compile(r'.*\bMBEDTLS_PSA_P256M_DRIVER_ENABLED\b.*') + ], + 'test_suite_config.crypto_combinations': [ + 'Config: ECC: Weierstrass curves only', + ], 'test_suite_platform': [ # Incompatible with sanitizers (e.g. ASan). If the driver # component uses a sanitizer but the reference component @@ -553,6 +620,10 @@ KNOWN_TASKS = { 'pk', 'pkwrite', 'pkparse' ], 'ignored_tests': { + 'test_suite_config': [ + re.compile(r'.*\bMBEDTLS_(PKCS1|RSA)_.*'), + re.compile(r'.*\bMBEDTLS_GENPRIME\b.*') + ], 'test_suite_platform': [ # Incompatible with sanitizers (e.g. ASan). If the driver # component uses a sanitizer but the reference component @@ -571,8 +642,9 @@ KNOWN_TASKS = { re.compile(r'mbedtls_ct_memmove_left .*') ], 'test_suite_psa_crypto': [ - # We don't support generate_key_ext entry points + # We don't support generate_key_custom entry points # in drivers yet. + re.compile(r'PSA generate key custom: RSA, e=.*'), re.compile(r'PSA generate key ext: RSA, e=.*'), ], } @@ -594,6 +666,10 @@ KNOWN_TASKS = { 'cipher.camellia', ], 'ignored_tests': { + 'test_suite_config': [ + re.compile(r'.*\bMBEDTLS_(AES|ARIA|CAMELLIA)_.*'), + re.compile(r'.*\bMBEDTLS_AES(\w+)_C\b.*'), + ], 'test_suite_cmac': [ # Following tests require AES_C/ARIA_C/CAMELLIA_C to be enabled, # but these are not available in the accelerated component. diff --git a/yass/third_party/mbedtls/tests/scripts/audit-validity-dates.py b/yass/third_party/mbedtls/tests/scripts/audit-validity-dates.py index 96b705a281..3d0924602c 100755 --- a/yass/third_party/mbedtls/tests/scripts/audit-validity-dates.py +++ b/yass/third_party/mbedtls/tests/scripts/audit-validity-dates.py @@ -8,7 +8,7 @@ This script is used to audit the validity date of crt/crl/csr used for testing. It prints the information about X.509 objects excluding the objects that are valid throughout the desired validity period. The data are collected -from tests/data_files/ and tests/suites/*.data files by default. +from framework/data_files/ and tests/suites/*.data files by default. """ import os @@ -29,8 +29,8 @@ from cryptography import x509 from generate_test_code import FileWrapper import scripts_path # pylint: disable=unused-import -from mbedtls_dev import build_tree -from mbedtls_dev import logging_util +from mbedtls_framework import build_tree +from mbedtls_framework import logging_util def check_cryptography_version(): match = re.match(r'^[0-9]+', cryptography.__version__) @@ -269,12 +269,12 @@ class Auditor: class TestDataAuditor(Auditor): - """Class for auditing files in `tests/data_files/`""" + """Class for auditing files in `framework/data_files/`""" def collect_default_files(self): - """Collect all files in `tests/data_files/`""" - test_dir = self.find_test_dir() - test_data_glob = os.path.join(test_dir, 'data_files/**') + """Collect all files in `framework/data_files/`""" + test_data_glob = os.path.join(build_tree.guess_mbedtls_root(), + 'framework', 'data_files/**') data_files = [f for f in glob.glob(test_data_glob, recursive=True) if os.path.isfile(f)] return data_files diff --git a/yass/third_party/mbedtls/tests/scripts/basic-build-test.sh b/yass/third_party/mbedtls/tests/scripts/basic-build-test.sh index 52617541de..d2e955f1eb 100755 --- a/yass/third_party/mbedtls/tests/scripts/basic-build-test.sh +++ b/yass/third_party/mbedtls/tests/scripts/basic-build-test.sh @@ -103,11 +103,7 @@ echo echo '################ compat.sh ################' { echo '#### compat.sh: Default versions' - sh compat.sh - echo - - echo '#### compat.sh: null cipher' - sh compat.sh -e '^$' -f 'NULL' + sh compat.sh -e 'ARIA\|CHACHA' echo echo '#### compat.sh: next (ARIA, ChaCha)' diff --git a/yass/third_party/mbedtls/tests/scripts/check-generated-files.sh b/yass/third_party/mbedtls/tests/scripts/check-generated-files.sh index 2f20026afc..09c850af7a 100755 --- a/yass/third_party/mbedtls/tests/scripts/check-generated-files.sh +++ b/yass/third_party/mbedtls/tests/scripts/check-generated-files.sh @@ -128,9 +128,11 @@ check() # These checks are common to Mbed TLS and TF-PSA-Crypto check scripts/generate_psa_constants.py programs/psa/psa_constant_names_generated.c -check tests/scripts/generate_bignum_tests.py $(tests/scripts/generate_bignum_tests.py --list) -check tests/scripts/generate_ecp_tests.py $(tests/scripts/generate_ecp_tests.py --list) -check tests/scripts/generate_psa_tests.py $(tests/scripts/generate_psa_tests.py --list) +check framework/scripts/generate_bignum_tests.py $(framework/scripts/generate_bignum_tests.py --list) +check framework/scripts/generate_config_tests.py $(framework/scripts/generate_config_tests.py --list) +check framework/scripts/generate_ecp_tests.py $(framework/scripts/generate_ecp_tests.py --list) +check framework/scripts/generate_psa_tests.py $(framework/scripts/generate_psa_tests.py --list) +check framework/scripts/generate_test_keys.py tests/src/test_keys.h check scripts/generate_driver_wrappers.py $library_dir/psa_crypto_driver_wrappers.h $library_dir/psa_crypto_driver_wrappers_no_static.c # Additional checks for Mbed TLS only @@ -139,6 +141,7 @@ if in_mbedtls_repo; then check scripts/generate_query_config.pl programs/test/query_config.c check scripts/generate_features.pl library/version_features.c check scripts/generate_ssl_debug_helpers.py library/ssl_debug_helpers_generated.c + check framework/scripts/generate_test_cert_macros.py tests/src/test_certs.h # generate_visualc_files enumerates source files (library/*.c). It doesn't # care about their content, but the files must exist. So it must run after # the step that creates or updates these files. @@ -148,4 +151,4 @@ fi # Generated files that are present in the repository even in the development # branch. (This is intended to be temporary, until the generator scripts are # fully reviewed and the build scripts support a generated header file.) -check tests/scripts/generate_psa_wrappers.py tests/include/test/psa_test_wrappers.h tests/src/psa_test_wrappers.c +check framework/scripts/generate_psa_wrappers.py tests/include/test/psa_test_wrappers.h tests/src/psa_test_wrappers.c diff --git a/yass/third_party/mbedtls/tests/scripts/check-python-files.sh b/yass/third_party/mbedtls/tests/scripts/check-python-files.sh index 51e80792b0..77102ba50c 100755 --- a/yass/third_party/mbedtls/tests/scripts/check-python-files.sh +++ b/yass/third_party/mbedtls/tests/scripts/check-python-files.sh @@ -31,14 +31,14 @@ EOF can_pylint () { # Pylint 1.5.2 from Ubuntu 16.04 is too old: - # E: 34, 0: Unable to import 'mbedtls_dev' (import-error) + # E: 34, 0: Unable to import 'mbedtls_framework' (import-error) # Pylint 1.8.3 from Ubuntu 18.04 passed on the first commit containing this line. check_version pylint 1.8.3 } can_mypy () { # mypy 0.770 is too old: - # tests/scripts/test_psa_constant_names.py:34: error: Cannot find implementation or library stub for module named 'mbedtls_dev' + # tests/scripts/test_psa_constant_names.py:34: error: Cannot find implementation or library stub for module named 'mbedtls_framework' # mypy 0.780 from pip passed on the first commit containing this line. check_version mypy.version 0.780 } @@ -55,14 +55,14 @@ elif [ "$1" = "--can-mypy" ]; then fi echo 'Running pylint ...' -$PYTHON -m pylint scripts/mbedtls_dev/*.py scripts/*.py tests/scripts/*.py || { +$PYTHON -m pylint framework/scripts/*.py framework/scripts/mbedtls_framework/*.py scripts/*.py tests/scripts/*.py || { echo >&2 "pylint reported errors" ret=1 } echo echo 'Running mypy ...' -$PYTHON -m mypy scripts/*.py tests/scripts/*.py || +$PYTHON -m mypy framework/scripts/*.py framework/scripts/mbedtls_framework/*.py scripts/*.py tests/scripts/*.py || ret=1 exit $ret diff --git a/yass/third_party/mbedtls/tests/scripts/check_files.py b/yass/third_party/mbedtls/tests/scripts/check_files.py index d5a4b921e4..2a5d64b79f 100755 --- a/yass/third_party/mbedtls/tests/scripts/check_files.py +++ b/yass/third_party/mbedtls/tests/scripts/check_files.py @@ -24,7 +24,7 @@ except ImportError: pass import scripts_path # pylint: disable=unused-import -from mbedtls_dev import build_tree +from mbedtls_framework import build_tree class FileIssueTracker: @@ -107,12 +107,12 @@ BINARY_FILE_PATH_RE_LIST = [ r'docs/.*\.pdf\Z', r'docs/.*\.png\Z', r'programs/fuzz/corpuses/[^.]+\Z', - r'tests/data_files/[^.]+\Z', - r'tests/data_files/.*\.(crt|csr|db|der|key|pubkey)\Z', - r'tests/data_files/.*\.req\.[^/]+\Z', - r'tests/data_files/.*malformed[^/]+\Z', - r'tests/data_files/format_pkcs12\.fmt\Z', - r'tests/data_files/.*\.bin\Z', + r'framework/data_files/[^.]+\Z', + r'framework/data_files/.*\.(crt|csr|db|der|key|pubkey)\Z', + r'framework/data_files/.*\.req\.[^/]+\Z', + r'framework/data_files/.*malformed[^/]+\Z', + r'framework/data_files/format_pkcs12\.fmt\Z', + r'framework/data_files/.*\.bin\Z', ] BINARY_FILE_PATH_RE = re.compile('|'.join(BINARY_FILE_PATH_RE_LIST)) @@ -373,7 +373,7 @@ class LicenseIssueTracker(LineIssueTracker): r'3rdparty/(?!(p256-m)/.*)', # Documentation explaining the license may have accidental # false positives. - r'(ChangeLog|LICENSE|[-0-9A-Z_a-z]+\.md)\Z', + r'(ChangeLog|LICENSE|framework\/LICENSE|[-0-9A-Z_a-z]+\.md)\Z', # Files imported from TF-M, and not used except in test builds, # may be under a different license. r'configs/ext/crypto_config_profile_medium\.h\Z', @@ -381,6 +381,7 @@ class LicenseIssueTracker(LineIssueTracker): r'configs/ext/README\.md\Z', # Third-party file. r'dco\.txt\Z', + r'framework\/dco\.txt\Z', ] path_exemptions = re.compile('|'.join(BINARY_FILE_PATH_RE_LIST + LICENSE_EXEMPTION_RE_LIST)) @@ -486,9 +487,17 @@ class IntegrityChecker: These are the regular files commited into Git. """ + bytes_output = subprocess.check_output(['git', '-C', 'framework', + 'ls-files', '-z']) + bytes_framework_filepaths = bytes_output.split(b'\0')[:-1] + bytes_framework_filepaths = ["framework/".encode() + filepath + for filepath in bytes_framework_filepaths] + bytes_output = subprocess.check_output(['git', 'ls-files', '-z']) - bytes_filepaths = bytes_output.split(b'\0')[:-1] + bytes_filepaths = bytes_output.split(b'\0')[:-1] + \ + bytes_framework_filepaths ascii_filepaths = map(lambda fp: fp.decode('ascii'), bytes_filepaths) + # Filter out directories. Normally Git doesn't list directories # (it only knows about the files inside them), but there is # at least one case where 'git ls-files' includes a directory: diff --git a/yass/third_party/mbedtls/tests/scripts/check_names.py b/yass/third_party/mbedtls/tests/scripts/check_names.py index 9e8ed219a4..5128dc8e0d 100755 --- a/yass/third_party/mbedtls/tests/scripts/check_names.py +++ b/yass/third_party/mbedtls/tests/scripts/check_names.py @@ -45,7 +45,7 @@ import subprocess import logging import scripts_path # pylint: disable=unused-import -from mbedtls_dev import build_tree +from mbedtls_framework import build_tree # Naming patterns to check against. These are defined outside the NameCheck diff --git a/yass/third_party/mbedtls/tests/scripts/components-basic-checks.sh b/yass/third_party/mbedtls/tests/scripts/components-basic-checks.sh new file mode 100644 index 0000000000..053aacfe7f --- /dev/null +++ b/yass/third_party/mbedtls/tests/scripts/components-basic-checks.sh @@ -0,0 +1,162 @@ +# components-basic-checks.sh +# +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +# This file contains test components that are executed by all.sh + +################################################################ +#### Basic checks +################################################################ + +component_check_recursion () { + msg "Check: recursion.pl" # < 1s + tests/scripts/recursion.pl library/*.c +} + +component_check_generated_files () { + msg "Check: check-generated-files, files generated with make" # 2s + make generated_files + tests/scripts/check-generated-files.sh + + msg "Check: check-generated-files -u, files present" # 2s + tests/scripts/check-generated-files.sh -u + # Check that the generated files are considered up to date. + tests/scripts/check-generated-files.sh + + msg "Check: check-generated-files -u, files absent" # 2s + command make neat + tests/scripts/check-generated-files.sh -u + # Check that the generated files are considered up to date. + tests/scripts/check-generated-files.sh + + # This component ends with the generated files present in the source tree. + # This is necessary for subsequent components! +} + +component_check_doxy_blocks () { + msg "Check: doxygen markup outside doxygen blocks" # < 1s + tests/scripts/check-doxy-blocks.pl +} + +component_check_files () { + msg "Check: file sanity checks (permissions, encodings)" # < 1s + tests/scripts/check_files.py +} + +component_check_changelog () { + msg "Check: changelog entries" # < 1s + rm -f ChangeLog.new + scripts/assemble_changelog.py -o ChangeLog.new + if [ -e ChangeLog.new ]; then + # Show the diff for information. It isn't an error if the diff is + # non-empty. + diff -u ChangeLog ChangeLog.new || true + rm ChangeLog.new + fi +} + +component_check_names () { + msg "Check: declared and exported names (builds the library)" # < 3s + tests/scripts/check_names.py -v +} + +component_check_test_cases () { + msg "Check: test case descriptions" # < 1s + if [ $QUIET -eq 1 ]; then + opt='--quiet' + else + opt='' + fi + tests/scripts/check_test_cases.py -q $opt + unset opt +} + +component_check_test_dependencies () { + msg "Check: test case dependencies: legacy vs PSA" # < 1s + # The purpose of this component is to catch unjustified dependencies on + # legacy feature macros (MBEDTLS_xxx) in PSA tests. Generally speaking, + # PSA test should use PSA feature macros (PSA_WANT_xxx, more rarely + # MBEDTLS_PSA_xxx). + # + # Most of the time, use of legacy MBEDTLS_xxx macros are mistakes, which + # this component is meant to catch. However a few of them are justified, + # mostly by the absence of a PSA equivalent, so this component includes a + # list of expected exceptions. + + found="check-test-deps-found-$$" + expected="check-test-deps-expected-$$" + + # Find legacy dependencies in PSA tests + grep 'depends_on' \ + tests/suites/test_suite_psa*.data tests/suites/test_suite_psa*.function | + grep -Eo '!?MBEDTLS_[^: ]*' | + grep -v -e MBEDTLS_PSA_ -e MBEDTLS_TEST_ | + sort -u > $found + + # Expected ones with justification - keep in sorted order by ASCII table! + rm -f $expected + # No PSA equivalent - WANT_KEY_TYPE_AES means all sizes + echo "!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH" >> $expected + # No PSA equivalent - used to skip decryption tests in PSA-ECB, CBC/XTS/NIST_KW/DES + echo "!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT" >> $expected + # MBEDTLS_ASN1_WRITE_C is used by import_rsa_made_up() in test_suite_psa_crypto + # in order to build a fake RSA key of the wanted size based on + # PSA_VENDOR_RSA_MAX_KEY_BITS. The legacy module is only used by + # the test code and that's probably the most convenient way of achieving + # the test's goal. + echo "MBEDTLS_ASN1_WRITE_C" >> $expected + # No PSA equivalent - we should probably have one in the future. + echo "MBEDTLS_ECP_RESTARTABLE" >> $expected + # No PSA equivalent - needed by some init tests + echo "MBEDTLS_ENTROPY_NV_SEED" >> $expected + # No PSA equivalent - required to run threaded tests. + echo "MBEDTLS_THREADING_PTHREAD" >> $expected + + # Compare reality with expectation. + # We want an exact match, to ensure the above list remains up-to-date. + # + # The output should be empty. When it's not: + # - Each '+' line is a macro that was found but not expected. You want to + # find where that macro occurs, and either replace it with PSA macros, or + # add it to the exceptions list above with a justification. + # - Each '-' line is a macro that was expected but not found; it means the + # exceptions list above should be updated by removing that macro. + diff -U0 $expected $found + + rm $found $expected +} + +component_check_doxygen_warnings () { + msg "Check: doxygen warnings (builds the documentation)" # ~ 3s + tests/scripts/doxygen.sh +} + +component_check_code_style () { + msg "Check C code style" + ./scripts/code_style.py +} + +support_check_code_style () { + case $(uncrustify --version) in + *0.75.1*) true;; + *) false;; + esac +} + +component_check_python_files () { + msg "Lint: Python scripts" + tests/scripts/check-python-files.sh +} + +component_check_test_helpers () { + msg "unit test: generate_test_code.py" + # unittest writes out mundane stuff like number or tests run on stderr. + # Our convention is to reserve stderr for actual errors, and write + # harmless info on stdout so it can be suppress with --quiet. + ./framework/scripts/test_generate_test_code.py 2>&1 + + msg "unit test: translate_ciphers.py" + python3 -m unittest tests/scripts/translate_ciphers.py 2>&1 +} + diff --git a/yass/third_party/mbedtls/tests/scripts/components-build-system.sh b/yass/third_party/mbedtls/tests/scripts/components-build-system.sh new file mode 100644 index 0000000000..c41aa48952 --- /dev/null +++ b/yass/third_party/mbedtls/tests/scripts/components-build-system.sh @@ -0,0 +1,210 @@ +# components-build-system.sh +# +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +# This file contains test components that are executed by all.sh + +################################################################ +#### Build System Testing +################################################################ + +component_test_make_shared () { + msg "build/test: make shared" # ~ 40s + make SHARED=1 TEST_CPP=1 all check + ldd programs/util/strerror | grep libmbedcrypto + programs/test/dlopen_demo.sh +} + +component_test_cmake_shared () { + msg "build/test: cmake shared" # ~ 2min + cmake -DUSE_SHARED_MBEDTLS_LIBRARY=On . + make + ldd programs/util/strerror | grep libmbedcrypto + make test + programs/test/dlopen_demo.sh +} + +support_test_cmake_out_of_source () { + distrib_id="" + distrib_ver="" + distrib_ver_minor="" + distrib_ver_major="" + + # Attempt to parse lsb-release to find out distribution and version. If not + # found this should fail safe (test is supported). + if [[ -f /etc/lsb-release ]]; then + + while read -r lsb_line; do + case "$lsb_line" in + "DISTRIB_ID"*) distrib_id=${lsb_line/#DISTRIB_ID=};; + "DISTRIB_RELEASE"*) distrib_ver=${lsb_line/#DISTRIB_RELEASE=};; + esac + done < /etc/lsb-release + + distrib_ver_major="${distrib_ver%%.*}" + distrib_ver="${distrib_ver#*.}" + distrib_ver_minor="${distrib_ver%%.*}" + fi + + # Running the out of source CMake test on Ubuntu 16.04 using more than one + # processor (as the CI does) can create a race condition whereby the build + # fails to see a generated file, despite that file actually having been + # generated. This problem appears to go away with 18.04 or newer, so make + # the out of source tests unsupported on Ubuntu 16.04. + [ "$distrib_id" != "Ubuntu" ] || [ "$distrib_ver_major" -gt 16 ] +} + +component_test_cmake_out_of_source () { + # Remove existing generated files so that we use the ones cmake + # generates + make neat + + msg "build: cmake 'out-of-source' build" + MBEDTLS_ROOT_DIR="$PWD" + mkdir "$OUT_OF_SOURCE_DIR" + cd "$OUT_OF_SOURCE_DIR" + # Note: Explicitly generate files as these are turned off in releases + cmake -D CMAKE_BUILD_TYPE:String=Check -D GEN_FILES=ON -D TEST_CPP=1 "$MBEDTLS_ROOT_DIR" + make + + msg "test: cmake 'out-of-source' build" + make test + # Check that ssl-opt.sh can find the test programs. + # Also ensure that there are no error messages such as + # "No such file or directory", which would indicate that some required + # file is missing (ssl-opt.sh tolerates the absence of some files so + # may exit with status 0 but emit errors). + ./tests/ssl-opt.sh -f 'Default' >ssl-opt.out 2>ssl-opt.err + grep PASS ssl-opt.out + cat ssl-opt.err >&2 + # If ssl-opt.err is non-empty, record an error and keep going. + [ ! -s ssl-opt.err ] + rm ssl-opt.out ssl-opt.err + cd "$MBEDTLS_ROOT_DIR" + rm -rf "$OUT_OF_SOURCE_DIR" +} + +component_test_cmake_as_subdirectory () { + # Remove existing generated files so that we use the ones CMake + # generates + make neat + + msg "build: cmake 'as-subdirectory' build" + cd programs/test/cmake_subproject + # Note: Explicitly generate files as these are turned off in releases + cmake -D GEN_FILES=ON . + make + ./cmake_subproject +} + +support_test_cmake_as_subdirectory () { + support_test_cmake_out_of_source +} + +component_test_cmake_as_package () { + # Remove existing generated files so that we use the ones CMake + # generates + make neat + + msg "build: cmake 'as-package' build" + cd programs/test/cmake_package + cmake . + make + ./cmake_package +} + +support_test_cmake_as_package () { + support_test_cmake_out_of_source +} + +component_test_cmake_as_package_install () { + # Remove existing generated files so that we use the ones CMake + # generates + make neat + + msg "build: cmake 'as-installed-package' build" + cd programs/test/cmake_package_install + cmake . + make + ./cmake_package_install +} + +support_test_cmake_as_package_install () { + support_test_cmake_out_of_source +} + +component_build_cmake_custom_config_file () { + # Make a copy of config file to use for the in-tree test + cp "$CONFIG_H" include/mbedtls_config_in_tree_copy.h + + MBEDTLS_ROOT_DIR="$PWD" + mkdir "$OUT_OF_SOURCE_DIR" + cd "$OUT_OF_SOURCE_DIR" + + # Build once to get the generated files (which need an intact config file) + cmake "$MBEDTLS_ROOT_DIR" + make + + msg "build: cmake with -DMBEDTLS_CONFIG_FILE" + scripts/config.py -w full_config.h full + echo '#error "cmake -DMBEDTLS_CONFIG_FILE is not working."' > "$MBEDTLS_ROOT_DIR/$CONFIG_H" + cmake -DGEN_FILES=OFF -DMBEDTLS_CONFIG_FILE=full_config.h "$MBEDTLS_ROOT_DIR" + make + + msg "build: cmake with -DMBEDTLS_CONFIG_FILE + -DMBEDTLS_USER_CONFIG_FILE" + # In the user config, disable one feature (for simplicity, pick a feature + # that nothing else depends on). + echo '#undef MBEDTLS_NIST_KW_C' >user_config.h + + cmake -DGEN_FILES=OFF -DMBEDTLS_CONFIG_FILE=full_config.h -DMBEDTLS_USER_CONFIG_FILE=user_config.h "$MBEDTLS_ROOT_DIR" + make + not programs/test/query_compile_time_config MBEDTLS_NIST_KW_C + + rm -f user_config.h full_config.h + + cd "$MBEDTLS_ROOT_DIR" + rm -rf "$OUT_OF_SOURCE_DIR" + + # Now repeat the test for an in-tree build: + + # Restore config for the in-tree test + mv include/mbedtls_config_in_tree_copy.h "$CONFIG_H" + + # Build once to get the generated files (which need an intact config) + cmake . + make + + msg "build: cmake (in-tree) with -DMBEDTLS_CONFIG_FILE" + scripts/config.py -w full_config.h full + echo '#error "cmake -DMBEDTLS_CONFIG_FILE is not working."' > "$MBEDTLS_ROOT_DIR/$CONFIG_H" + cmake -DGEN_FILES=OFF -DMBEDTLS_CONFIG_FILE=full_config.h . + make + + msg "build: cmake (in-tree) with -DMBEDTLS_CONFIG_FILE + -DMBEDTLS_USER_CONFIG_FILE" + # In the user config, disable one feature (for simplicity, pick a feature + # that nothing else depends on). + echo '#undef MBEDTLS_NIST_KW_C' >user_config.h + + cmake -DGEN_FILES=OFF -DMBEDTLS_CONFIG_FILE=full_config.h -DMBEDTLS_USER_CONFIG_FILE=user_config.h . + make + not programs/test/query_compile_time_config MBEDTLS_NIST_KW_C + + rm -f user_config.h full_config.h +} + +support_build_cmake_custom_config_file () { + support_test_cmake_out_of_source +} + +component_build_cmake_programs_no_testing () { + # Verify that the type of builds performed by oss-fuzz don't get accidentally broken + msg "build: cmake with -DENABLE_PROGRAMS=ON and -DENABLE_TESTING=OFF" + cmake -DENABLE_PROGRAMS=ON -DENABLE_TESTING=OFF . + make +} + +support_build_cmake_programs_no_testing () { + support_test_cmake_out_of_source +} + diff --git a/yass/third_party/mbedtls/tests/scripts/components-compiler.sh b/yass/third_party/mbedtls/tests/scripts/components-compiler.sh new file mode 100644 index 0000000000..5badabbc56 --- /dev/null +++ b/yass/third_party/mbedtls/tests/scripts/components-compiler.sh @@ -0,0 +1,145 @@ +# components-compiler.sh +# +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +# This file contains test components that are executed by all.sh + +################################################################ +#### Compiler Testing +################################################################ + +support_build_tfm_armcc () { + support_build_armcc +} + +component_build_tfm_armcc () { + # test the TF-M configuration can build cleanly with various warning flags enabled + cp configs/config-tfm.h "$CONFIG_H" + + msg "build: TF-M config, armclang armv7-m thumb2" + armc6_build_test "--target=arm-arm-none-eabi -march=armv7-m -mthumb -Os -std=c99 -Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused -I../tests/include/spe" +} + +test_build_opt () { + info=$1 cc=$2; shift 2 + $cc --version + for opt in "$@"; do + msg "build/test: $cc $opt, $info" # ~ 30s + make CC="$cc" CFLAGS="$opt -std=c99 -pedantic -Wall -Wextra -Werror" + # We're confident enough in compilers to not run _all_ the tests, + # but at least run the unit tests. In particular, runs with + # optimizations use inline assembly whereas runs with -O0 + # skip inline assembly. + make test # ~30s + make clean + done +} + +# For FreeBSD we invoke the function by name so this condition is added +# to disable the existing test_clang_opt function for linux. +if [[ $(uname) != "Linux" ]]; then + component_test_clang_opt () { + scripts/config.py full + test_build_opt 'full config' clang -O0 -Os -O2 + } +fi + +component_test_clang_latest_opt () { + scripts/config.py full + test_build_opt 'full config' "$CLANG_LATEST" -O0 -Os -O2 +} + +support_test_clang_latest_opt () { + type "$CLANG_LATEST" >/dev/null 2>/dev/null +} + +component_test_clang_earliest_opt () { + scripts/config.py full + test_build_opt 'full config' "$CLANG_EARLIEST" -O0 +} + +support_test_clang_earliest_opt () { + type "$CLANG_EARLIEST" >/dev/null 2>/dev/null +} + +component_test_gcc_latest_opt () { + scripts/config.py full + test_build_opt 'full config' "$GCC_LATEST" -O0 -Os -O2 +} + +support_test_gcc_latest_opt () { + type "$GCC_LATEST" >/dev/null 2>/dev/null +} + +component_test_gcc_earliest_opt () { + scripts/config.py full + test_build_opt 'full config' "$GCC_EARLIEST" -O0 +} + +support_test_gcc_earliest_opt () { + type "$GCC_EARLIEST" >/dev/null 2>/dev/null +} + +component_build_mingw () { + msg "build: Windows cross build - mingw64, make (Link Library)" # ~ 30s + make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 lib programs + + # note Make tests only builds the tests, but doesn't run them + make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -maes -msse2 -mpclmul' WINDOWS_BUILD=1 tests + make WINDOWS_BUILD=1 clean + + msg "build: Windows cross build - mingw64, make (DLL)" # ~ 30s + make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 SHARED=1 lib programs + make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 SHARED=1 tests + make WINDOWS_BUILD=1 clean + + msg "build: Windows cross build - mingw64, make (Library only, default config without MBEDTLS_AESNI_C)" # ~ 30s + ./scripts/config.py unset MBEDTLS_AESNI_C # + make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 lib + make WINDOWS_BUILD=1 clean +} + +support_build_mingw () { + case $(i686-w64-mingw32-gcc -dumpversion 2>/dev/null) in + [0-5]*|"") false;; + *) true;; + esac +} + +component_build_zeroize_checks () { + msg "build: check for obviously wrong calls to mbedtls_platform_zeroize()" + + scripts/config.py full + + # Only compile - we're looking for sizeof-pointer-memaccess warnings + make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-zeroize-memset.h\"' -DMBEDTLS_TEST_DEFINES_ZEROIZE -Werror -Wsizeof-pointer-memaccess" +} + +component_test_zeroize () { + # Test that the function mbedtls_platform_zeroize() is not optimized away by + # different combinations of compilers and optimization flags by using an + # auxiliary GDB script. Unfortunately, GDB does not return error values to the + # system in all cases that the script fails, so we must manually search the + # output to check whether the pass string is present and no failure strings + # were printed. + + # Don't try to disable ASLR. We don't care about ASLR here. We do care + # about a spurious message if Gdb tries and fails, so suppress that. + gdb_disable_aslr= + if [ -z "$(gdb -batch -nw -ex 'set disable-randomization off' 2>&1)" ]; then + gdb_disable_aslr='set disable-randomization off' + fi + + for optimization_flag in -O2 -O3 -Ofast -Os; do + for compiler in clang gcc; do + msg "test: $compiler $optimization_flag, mbedtls_platform_zeroize()" + make programs CC="$compiler" DEBUG=1 CFLAGS="$optimization_flag" + gdb -ex "$gdb_disable_aslr" -x tests/scripts/test_zeroize.gdb -nw -batch -nx 2>&1 | tee test_zeroize.log + grep "The buffer was correctly zeroized" test_zeroize.log + not grep -i "error" test_zeroize.log + rm -f test_zeroize.log + make clean + done + done +} diff --git a/yass/third_party/mbedtls/tests/scripts/components-compliance.sh b/yass/third_party/mbedtls/tests/scripts/components-compliance.sh new file mode 100644 index 0000000000..38bcd01430 --- /dev/null +++ b/yass/third_party/mbedtls/tests/scripts/components-compliance.sh @@ -0,0 +1,31 @@ +# components-compliance.sh +# +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +# This file contains test components that are executed by all.sh + +################################################################ +#### Compliance Testing +################################################################ + +component_test_psa_compliance () { + # The arch tests build with gcc, so require use of gcc here to link properly + msg "build: make, default config (out-of-box), libmbedcrypto.a only" + CC=gcc make -C library libmbedcrypto.a + + msg "unit test: test_psa_compliance.py" + CC=gcc ./tests/scripts/test_psa_compliance.py +} + +support_test_psa_compliance () { + # psa-compliance-tests only supports CMake >= 3.10.0 + ver="$(cmake --version)" + ver="${ver#cmake version }" + ver_major="${ver%%.*}" + + ver="${ver#*.}" + ver_minor="${ver%%.*}" + + [ "$ver_major" -eq 3 ] && [ "$ver_minor" -ge 10 ] +} diff --git a/yass/third_party/mbedtls/tests/scripts/components-configuration-crypto.sh b/yass/third_party/mbedtls/tests/scripts/components-configuration-crypto.sh new file mode 100644 index 0000000000..da0e180801 --- /dev/null +++ b/yass/third_party/mbedtls/tests/scripts/components-configuration-crypto.sh @@ -0,0 +1,3151 @@ +# components-configuration-crypto.sh +# +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +# This file contains test components that are executed by all.sh + +################################################################ +#### Configuration Testing - Crypto +################################################################ + +component_test_psa_crypto_key_id_encodes_owner () { + msg "build: full config + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan" + scripts/config.py full + scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: full config - USE_PSA_CRYPTO + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan" + make test +} + +component_test_psa_assume_exclusive_buffers () { + msg "build: full config + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS, cmake, gcc, ASan" + scripts/config.py full + scripts/config.py set MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: full config + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS, cmake, gcc, ASan" + make test +} + +# check_renamed_symbols HEADER LIB +# Check that if HEADER contains '#define MACRO ...' then MACRO is not a symbol +# name in LIB. +check_renamed_symbols () { + ! nm "$2" | sed 's/.* //' | + grep -x -F "$(sed -n 's/^ *# *define *\([A-Z_a-z][0-9A-Z_a-z]*\)..*/\1/p' "$1")" +} + +component_build_psa_crypto_spm () { + msg "build: full config + PSA_CRYPTO_KEY_ID_ENCODES_OWNER + PSA_CRYPTO_SPM, make, gcc" + scripts/config.py full + scripts/config.py unset MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS + scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER + scripts/config.py set MBEDTLS_PSA_CRYPTO_SPM + # We can only compile, not link, since our test and sample programs + # aren't equipped for the modified names used when MBEDTLS_PSA_CRYPTO_SPM + # is active. + make CC=gcc CFLAGS='-Werror -Wall -Wextra -I../tests/include/spe' lib + + # Check that if a symbol is renamed by crypto_spe.h, the non-renamed + # version is not present. + echo "Checking for renamed symbols in the library" + check_renamed_symbols tests/include/spe/crypto_spe.h library/libmbedcrypto.a +} + +# Get a list of library-wise undefined symbols and ensure that they only +# belong to psa_xxx() functions and not to mbedtls_yyy() ones. +# This function is a common helper used by both: +# - component_test_default_psa_crypto_client_without_crypto_provider +# - component_build_full_psa_crypto_client_without_crypto_provider. +common_check_mbedtls_missing_symbols () { + nm library/libmbedcrypto.a | grep ' [TRrDC] ' | grep -Eo '(mbedtls_|psa_).*' | sort -u > sym_def.txt + nm library/libmbedcrypto.a | grep ' U ' | grep -Eo '(mbedtls_|psa_).*' | sort -u > sym_undef.txt + comm sym_def.txt sym_undef.txt -13 > linking_errors.txt + not grep mbedtls_ linking_errors.txt + + rm sym_def.txt sym_undef.txt linking_errors.txt +} + +component_test_default_psa_crypto_client_without_crypto_provider () { + msg "build: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT" + + scripts/config.py unset MBEDTLS_PSA_CRYPTO_C + scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C + scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py set MBEDTLS_PSA_CRYPTO_CLIENT + scripts/config.py unset MBEDTLS_LMS_C + + make + + msg "check missing symbols: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT" + common_check_mbedtls_missing_symbols + + msg "test: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT" + make test +} + +component_build_full_psa_crypto_client_without_crypto_provider () { + msg "build: full config - PSA_CRYPTO_C" + + # Use full config which includes USE_PSA and CRYPTO_CLIENT. + scripts/config.py full + + scripts/config.py unset MBEDTLS_PSA_CRYPTO_C + scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C + # Dynamic secure element support is a deprecated feature and it is not + # available when CRYPTO_C and PSA_CRYPTO_STORAGE_C are disabled. + scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C + + # Since there is no crypto provider in this build it is not possible to + # build all the test executables and progrems due to missing PSA functions + # at link time. Therefore we will just build libraries and we'll check + # that symbols of interest are there. + make lib + + msg "check missing symbols: full config - PSA_CRYPTO_C" + + common_check_mbedtls_missing_symbols + + # Ensure that desired functions are included into the build (extend the + # following list as required). + grep mbedtls_pk_get_psa_attributes library/libmbedcrypto.a + grep mbedtls_pk_import_into_psa library/libmbedcrypto.a + grep mbedtls_pk_copy_from_psa library/libmbedcrypto.a +} + +component_test_psa_crypto_rsa_no_genprime () { + msg "build: default config minus MBEDTLS_GENPRIME" + scripts/config.py unset MBEDTLS_GENPRIME + make + + msg "test: default config minus MBEDTLS_GENPRIME" + make test +} + +component_test_no_pem_no_fs () { + msg "build: Default + !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO (ASan build)" + scripts/config.py unset MBEDTLS_PEM_PARSE_C + scripts/config.py unset MBEDTLS_FS_IO + scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C # requires a filesystem + scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C # requires PSA ITS + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - main suites (inc. selftests) (ASan build)" # ~ 50s + make test + + msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - ssl-opt.sh (ASan build)" # ~ 6 min + tests/ssl-opt.sh +} + +component_test_rsa_no_crt () { + msg "build: Default + RSA_NO_CRT (ASan build)" # ~ 6 min + scripts/config.py set MBEDTLS_RSA_NO_CRT + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: RSA_NO_CRT - main suites (inc. selftests) (ASan build)" # ~ 50s + make test + + msg "test: RSA_NO_CRT - RSA-related part of ssl-opt.sh (ASan build)" # ~ 5s + tests/ssl-opt.sh -f RSA + + msg "test: RSA_NO_CRT - RSA-related part of compat.sh (ASan build)" # ~ 3 min + tests/compat.sh -t RSA + + msg "test: RSA_NO_CRT - RSA-related part of context-info.sh (ASan build)" # ~ 15 sec + tests/context-info.sh +} + +component_test_no_ctr_drbg_classic () { + msg "build: Full minus CTR_DRBG, classic crypto in TLS" + scripts/config.py full + scripts/config.py unset MBEDTLS_CTR_DRBG_C + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: Full minus CTR_DRBG, classic crypto - main suites" + make test + + # In this configuration, the TLS test programs use HMAC_DRBG. + # The SSL tests are slow, so run a small subset, just enough to get + # confidence that the SSL code copes with HMAC_DRBG. + msg "test: Full minus CTR_DRBG, classic crypto - ssl-opt.sh (subset)" + tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server' + + msg "test: Full minus CTR_DRBG, classic crypto - compat.sh (subset)" + tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL +} + +component_test_no_ctr_drbg_use_psa () { + msg "build: Full minus CTR_DRBG, PSA crypto in TLS" + scripts/config.py full + scripts/config.py unset MBEDTLS_CTR_DRBG_C + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - main suites" + make test + + # In this configuration, the TLS test programs use HMAC_DRBG. + # The SSL tests are slow, so run a small subset, just enough to get + # confidence that the SSL code copes with HMAC_DRBG. + msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)" + tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server' + + msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - compat.sh (subset)" + tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL +} + +component_test_no_hmac_drbg_classic () { + msg "build: Full minus HMAC_DRBG, classic crypto in TLS" + scripts/config.py full + scripts/config.py unset MBEDTLS_HMAC_DRBG_C + scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: Full minus HMAC_DRBG, classic crypto - main suites" + make test + + # Normally our ECDSA implementation uses deterministic ECDSA. But since + # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used + # instead. + # Test SSL with non-deterministic ECDSA. Only test features that + # might be affected by how ECDSA signature is performed. + msg "test: Full minus HMAC_DRBG, classic crypto - ssl-opt.sh (subset)" + tests/ssl-opt.sh -f 'Default\|SSL async private: sign' + + # To save time, only test one protocol version, since this part of + # the protocol is identical in (D)TLS up to 1.2. + msg "test: Full minus HMAC_DRBG, classic crypto - compat.sh (ECDSA)" + tests/compat.sh -m tls12 -t 'ECDSA' +} + +component_test_no_hmac_drbg_use_psa () { + msg "build: Full minus HMAC_DRBG, PSA crypto in TLS" + scripts/config.py full + scripts/config.py unset MBEDTLS_HMAC_DRBG_C + scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - main suites" + make test + + # Normally our ECDSA implementation uses deterministic ECDSA. But since + # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used + # instead. + # Test SSL with non-deterministic ECDSA. Only test features that + # might be affected by how ECDSA signature is performed. + msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)" + tests/ssl-opt.sh -f 'Default\|SSL async private: sign' + + # To save time, only test one protocol version, since this part of + # the protocol is identical in (D)TLS up to 1.2. + msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - compat.sh (ECDSA)" + tests/compat.sh -m tls12 -t 'ECDSA' +} + +component_test_psa_external_rng_no_drbg_classic () { + msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto in TLS" + scripts/config.py full + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG + scripts/config.py unset MBEDTLS_ENTROPY_C + scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED + scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT + scripts/config.py unset MBEDTLS_CTR_DRBG_C + scripts/config.py unset MBEDTLS_HMAC_DRBG_C + scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG + # When MBEDTLS_USE_PSA_CRYPTO is disabled and there is no DRBG, + # the SSL test programs don't have an RNG and can't work. Explicitly + # make them use the PSA RNG with -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG. + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG" LDFLAGS="$ASAN_CFLAGS" + + msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - main suites" + make test + + msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - ssl-opt.sh (subset)" + tests/ssl-opt.sh -f 'Default' +} + +component_test_psa_external_rng_no_drbg_use_psa () { + msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto in TLS" + scripts/config.py full + scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG + scripts/config.py unset MBEDTLS_ENTROPY_C + scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED + scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT + scripts/config.py unset MBEDTLS_CTR_DRBG_C + scripts/config.py unset MBEDTLS_HMAC_DRBG_C + scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + + msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - main suites" + make test + + msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - ssl-opt.sh (subset)" + tests/ssl-opt.sh -f 'Default\|opaque' +} + +component_test_psa_external_rng_use_psa_crypto () { + msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" + scripts/config.py full + scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_CTR_DRBG_C + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + + msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" + make test + + msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" + tests/ssl-opt.sh -f 'Default\|opaque' +} + +component_test_psa_inject_entropy () { + msg "build: full + MBEDTLS_PSA_INJECT_ENTROPY" + scripts/config.py full + scripts/config.py set MBEDTLS_PSA_INJECT_ENTROPY + scripts/config.py set MBEDTLS_ENTROPY_NV_SEED + scripts/config.py set MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES + scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT + scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_READ + scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_WRITE + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'" LDFLAGS="$ASAN_CFLAGS" + + msg "test: full + MBEDTLS_PSA_INJECT_ENTROPY" + make test +} + +component_full_no_pkparse_pkwrite () { + msg "build: full without pkparse and pkwrite" + + scripts/config.py crypto_full + scripts/config.py unset MBEDTLS_PK_PARSE_C + scripts/config.py unset MBEDTLS_PK_WRITE_C + + make CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + + # Ensure that PK_[PARSE|WRITE]_C were not re-enabled accidentally (additive config). + not grep mbedtls_pk_parse_key library/pkparse.o + not grep mbedtls_pk_write_key_der library/pkwrite.o + + msg "test: full without pkparse and pkwrite" + make test +} + +component_test_crypto_full_md_light_only () { + msg "build: crypto_full with only the light subset of MD" + scripts/config.py crypto_full + scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG + # Disable MD + scripts/config.py unset MBEDTLS_MD_C + # Disable direct dependencies of MD_C + scripts/config.py unset MBEDTLS_HKDF_C + scripts/config.py unset MBEDTLS_HMAC_DRBG_C + scripts/config.py unset MBEDTLS_PKCS7_C + # Disable indirect dependencies of MD_C + scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # needs HMAC_DRBG + # Disable things that would auto-enable MD_C + scripts/config.py unset MBEDTLS_PKCS5_C + + # Note: MD-light is auto-enabled in build_info.h by modules that need it, + # which we haven't disabled, so no need to explicitly enable it. + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + + # Make sure we don't have the HMAC functions, but the hashing functions + not grep mbedtls_md_hmac library/md.o + grep mbedtls_md library/md.o + + msg "test: crypto_full with only the light subset of MD" + make test +} + +component_test_full_no_cipher_no_psa_crypto () { + msg "build: full no CIPHER no PSA_CRYPTO_C" + scripts/config.py full + scripts/config.py unset MBEDTLS_CIPHER_C + # Don't pull in cipher via PSA mechanisms + # (currently ignored anyway because we completely disable PSA) + scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG + # Disable features that depend on CIPHER_C + scripts/config.py unset MBEDTLS_CMAC_C + scripts/config.py unset MBEDTLS_NIST_KW_C + scripts/config.py unset MBEDTLS_PSA_CRYPTO_C + scripts/config.py unset MBEDTLS_PSA_CRYPTO_CLIENT + scripts/config.py unset MBEDTLS_SSL_TLS_C + scripts/config.py unset MBEDTLS_SSL_TICKET_C + # Disable features that depend on PSA_CRYPTO_C + scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C + scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_LMS_C + scripts/config.py unset MBEDTLS_LMS_PRIVATE + + msg "test: full no CIPHER no PSA_CRYPTO_C" + make test +} + +# This is a common configurator and test function that is used in: +# - component_test_full_no_cipher_with_psa_crypto +# - component_test_full_no_cipher_with_psa_crypto_config +# It accepts 2 input parameters: +# - $1: boolean value which basically reflects status of MBEDTLS_PSA_CRYPTO_CONFIG +# - $2: a text string which describes the test component +common_test_full_no_cipher_with_psa_crypto () { + USE_CRYPTO_CONFIG="$1" + COMPONENT_DESCRIPTION="$2" + + msg "build: $COMPONENT_DESCRIPTION" + + scripts/config.py full + scripts/config.py unset MBEDTLS_CIPHER_C + + if [ "$USE_CRYPTO_CONFIG" -eq 1 ]; then + # The built-in implementation of the following algs/key-types depends + # on CIPHER_C so we disable them. + # This does not hold for KEY_TYPE_CHACHA20 and ALG_CHACHA20_POLY1305 + # so we keep them enabled. + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CMAC + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7 + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CFB + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CTR + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_OFB + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_STREAM_CIPHER + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES + else + # Don't pull in cipher via PSA mechanisms + scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG + # Disable cipher modes/keys that make PSA depend on CIPHER_C. + # Keep CHACHA20 and CHACHAPOLY enabled since they do not depend on CIPHER_C. + scripts/config.py unset-all MBEDTLS_CIPHER_MODE + fi + # The following modules directly depends on CIPHER_C + scripts/config.py unset MBEDTLS_CMAC_C + scripts/config.py unset MBEDTLS_NIST_KW_C + + make + + # Ensure that CIPHER_C was not re-enabled + not grep mbedtls_cipher_init library/cipher.o + + msg "test: $COMPONENT_DESCRIPTION" + make test +} + +component_test_full_no_cipher_with_psa_crypto () { + common_test_full_no_cipher_with_psa_crypto 0 "full no CIPHER no CRYPTO_CONFIG" +} + +component_test_full_no_cipher_with_psa_crypto_config () { + common_test_full_no_cipher_with_psa_crypto 1 "full no CIPHER" +} + +component_test_full_no_ccm () { + msg "build: full no PSA_WANT_ALG_CCM" + + # Full config enables: + # - USE_PSA_CRYPTO so that TLS code dispatches cipher/AEAD to PSA + # - CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated + scripts/config.py full + + # Disable PSA_WANT_ALG_CCM so that CCM is not supported in PSA. CCM_C is still + # enabled, but not used from TLS since USE_PSA is set. + # This is helpful to ensure that TLS tests below have proper dependencies. + # + # Note: also PSA_WANT_ALG_CCM_STAR_NO_TAG is enabled, but it does not cause + # PSA_WANT_ALG_CCM to be re-enabled. + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM + + make + + msg "test: full no PSA_WANT_ALG_CCM" + make test +} + +component_test_full_no_ccm_star_no_tag () { + msg "build: full no PSA_WANT_ALG_CCM_STAR_NO_TAG" + + # Full config enables CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated + scripts/config.py full + + # Disable CCM_STAR_NO_TAG, which is the target of this test, as well as all + # other components that enable MBEDTLS_PSA_BUILTIN_CIPHER internal symbol. + # This basically disables all unauthenticated ciphers on the PSA side, while + # keeping AEADs enabled. + # + # Note: PSA_WANT_ALG_CCM is enabled, but it does not cause + # PSA_WANT_ALG_CCM_STAR_NO_TAG to be re-enabled. + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_STREAM_CIPHER + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CTR + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CFB + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_OFB + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 + + make + + # Ensure MBEDTLS_PSA_BUILTIN_CIPHER was not enabled + not grep mbedtls_psa_cipher library/psa_crypto_cipher.o + + msg "test: full no PSA_WANT_ALG_CCM_STAR_NO_TAG" + make test +} + +component_test_full_no_bignum () { + msg "build: full minus bignum" + scripts/config.py full + scripts/config.py unset MBEDTLS_BIGNUM_C + # Direct dependencies of bignum + scripts/config.py unset MBEDTLS_ECP_C + scripts/config.py unset MBEDTLS_RSA_C + scripts/config.py unset MBEDTLS_DHM_C + # Direct dependencies of ECP + scripts/config.py unset MBEDTLS_ECDH_C + scripts/config.py unset MBEDTLS_ECDSA_C + scripts/config.py unset MBEDTLS_ECJPAKE_C + scripts/config.py unset MBEDTLS_ECP_RESTARTABLE + # Disable what auto-enables ECP_LIGHT + scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED + scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED + # Indirect dependencies of ECP + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED + # Direct dependencies of DHM + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED + # Direct dependencies of RSA + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED + scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT + # PK and its dependencies + scripts/config.py unset MBEDTLS_PK_C + scripts/config.py unset MBEDTLS_PK_PARSE_C + scripts/config.py unset MBEDTLS_PK_WRITE_C + scripts/config.py unset MBEDTLS_X509_USE_C + scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C + scripts/config.py unset MBEDTLS_X509_CRL_PARSE_C + scripts/config.py unset MBEDTLS_X509_CSR_PARSE_C + scripts/config.py unset MBEDTLS_X509_CREATE_C + scripts/config.py unset MBEDTLS_X509_CRT_WRITE_C + scripts/config.py unset MBEDTLS_X509_CSR_WRITE_C + scripts/config.py unset MBEDTLS_PKCS7_C + scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION + scripts/config.py unset MBEDTLS_SSL_ASYNC_PRIVATE + scripts/config.py unset MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK + + make + + msg "test: full minus bignum" + make test +} + +component_build_dhm_alt () { + msg "build: MBEDTLS_DHM_ALT" # ~30s + scripts/config.py full + scripts/config.py set MBEDTLS_DHM_ALT + # debug.c currently references mbedtls_dhm_context fields directly. + scripts/config.py unset MBEDTLS_DEBUG_C + # We can only compile, not link, since we don't have any implementations + # suitable for testing with the dummy alt headers. + make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' lib +} + +component_test_everest () { + msg "build: Everest ECDH context (ASan build)" # ~ 6 min + scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED + CC=clang cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: Everest ECDH context - main suites (inc. selftests) (ASan build)" # ~ 50s + make test + + msg "test: metatests (clang, ASan)" + tests/scripts/run-metatests.sh any asan poison + + msg "test: Everest ECDH context - ECDH-related part of ssl-opt.sh (ASan build)" # ~ 5s + tests/ssl-opt.sh -f ECDH + + msg "test: Everest ECDH context - compat.sh with some ECDH ciphersuites (ASan build)" # ~ 3 min + # Exclude some symmetric ciphers that are redundant here to gain time. + tests/compat.sh -f ECDH -V NO -e 'ARIA\|CAMELLIA\|CHACHA' +} + +component_test_everest_curve25519_only () { + msg "build: Everest ECDH context, only Curve25519" # ~ 6 min + scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED + scripts/config.py unset MBEDTLS_ECDSA_C + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED + scripts/config.py unset MBEDTLS_ECJPAKE_C + # Disable all curves + scripts/config.py unset-all "MBEDTLS_ECP_DP_[0-9A-Z_a-z]*_ENABLED" + scripts/config.py set MBEDTLS_ECP_DP_CURVE25519_ENABLED + + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + + msg "test: Everest ECDH context, only Curve25519" # ~ 50s + make test +} + +component_test_psa_collect_statuses () { + msg "build+test: psa_collect_statuses" # ~30s + scripts/config.py full + tests/scripts/psa_collect_statuses.py + # Check that psa_crypto_init() succeeded at least once + grep -q '^0:psa_crypto_init:' tests/statuses.log + rm -f tests/statuses.log +} + +# Check that the specified libraries exist and are empty. +are_empty_libraries () { + nm "$@" >/dev/null 2>/dev/null + ! nm "$@" 2>/dev/null | grep -v ':$' | grep . +} + +component_build_crypto_default () { + msg "build: make, crypto only" + scripts/config.py crypto + make CFLAGS='-O1 -Werror' + are_empty_libraries library/libmbedx509.* library/libmbedtls.* +} + +component_build_crypto_full () { + msg "build: make, crypto only, full config" + scripts/config.py crypto_full + make CFLAGS='-O1 -Werror' + are_empty_libraries library/libmbedx509.* library/libmbedtls.* +} + +component_test_crypto_for_psa_service () { + msg "build: make, config for PSA crypto service" + scripts/config.py crypto + scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER + # Disable things that are not needed for just cryptography, to + # reach a configuration that would be typical for a PSA cryptography + # service providing all implemented PSA algorithms. + # System stuff + scripts/config.py unset MBEDTLS_ERROR_C + scripts/config.py unset MBEDTLS_TIMING_C + scripts/config.py unset MBEDTLS_VERSION_FEATURES + # Crypto stuff with no PSA interface + scripts/config.py unset MBEDTLS_BASE64_C + # Keep MBEDTLS_CIPHER_C because psa_crypto_cipher, CCM and GCM need it. + scripts/config.py unset MBEDTLS_HKDF_C # PSA's HKDF is independent + # Keep MBEDTLS_MD_C because deterministic ECDSA needs it for HMAC_DRBG. + scripts/config.py unset MBEDTLS_NIST_KW_C + scripts/config.py unset MBEDTLS_PEM_PARSE_C + scripts/config.py unset MBEDTLS_PEM_WRITE_C + scripts/config.py unset MBEDTLS_PKCS12_C + scripts/config.py unset MBEDTLS_PKCS5_C + # MBEDTLS_PK_PARSE_C and MBEDTLS_PK_WRITE_C are actually currently needed + # in PSA code to work with RSA keys. We don't require users to set those: + # they will be reenabled in build_info.h. + scripts/config.py unset MBEDTLS_PK_C + scripts/config.py unset MBEDTLS_PK_PARSE_C + scripts/config.py unset MBEDTLS_PK_WRITE_C + make CFLAGS='-O1 -Werror' all test + are_empty_libraries library/libmbedx509.* library/libmbedtls.* +} + +component_build_crypto_baremetal () { + msg "build: make, crypto only, baremetal config" + scripts/config.py crypto_baremetal + make CFLAGS="-O1 -Werror -I$PWD/tests/include/baremetal-override/" + are_empty_libraries library/libmbedx509.* library/libmbedtls.* +} + +support_build_crypto_baremetal () { + support_build_baremetal "$@" +} + +# depends.py family of tests +component_test_depends_py_cipher_id () { + msg "test/build: depends.py cipher_id (gcc)" + tests/scripts/depends.py cipher_id --unset-use-psa +} + +component_test_depends_py_cipher_chaining () { + msg "test/build: depends.py cipher_chaining (gcc)" + tests/scripts/depends.py cipher_chaining --unset-use-psa +} + +component_test_depends_py_cipher_padding () { + msg "test/build: depends.py cipher_padding (gcc)" + tests/scripts/depends.py cipher_padding --unset-use-psa +} + +component_test_depends_py_curves () { + msg "test/build: depends.py curves (gcc)" + tests/scripts/depends.py curves --unset-use-psa +} + +component_test_depends_py_hashes () { + msg "test/build: depends.py hashes (gcc)" + tests/scripts/depends.py hashes --unset-use-psa +} + +component_test_depends_py_pkalgs () { + msg "test/build: depends.py pkalgs (gcc)" + tests/scripts/depends.py pkalgs --unset-use-psa +} + +# PSA equivalents of the depends.py tests +component_test_depends_py_cipher_id_psa () { + msg "test/build: depends.py cipher_id (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" + tests/scripts/depends.py cipher_id +} + +component_test_depends_py_cipher_chaining_psa () { + msg "test/build: depends.py cipher_chaining (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" + tests/scripts/depends.py cipher_chaining +} + +component_test_depends_py_cipher_padding_psa () { + msg "test/build: depends.py cipher_padding (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" + tests/scripts/depends.py cipher_padding +} + +component_test_depends_py_curves_psa () { + msg "test/build: depends.py curves (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" + tests/scripts/depends.py curves +} + +component_test_depends_py_hashes_psa () { + msg "test/build: depends.py hashes (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" + tests/scripts/depends.py hashes +} + +component_test_depends_py_pkalgs_psa () { + msg "test/build: depends.py pkalgs (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" + tests/scripts/depends.py pkalgs +} + +component_test_psa_crypto_config_ffdh_2048_only () { + msg "build: full config - only DH 2048" + + scripts/config.py full + + # Disable all DH groups other than 2048. + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_3072 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_4096 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_6144 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_8192 + + make CFLAGS="$ASAN_CFLAGS -Werror" LDFLAGS="$ASAN_CFLAGS" + + msg "test: full config - only DH 2048" + make test + + msg "ssl-opt: full config - only DH 2048" + tests/ssl-opt.sh -f "ffdh" +} + +component_build_no_pk_rsa_alt_support () { + msg "build: !MBEDTLS_PK_RSA_ALT_SUPPORT" # ~30s + + scripts/config.py full + scripts/config.py unset MBEDTLS_PK_RSA_ALT_SUPPORT + scripts/config.py set MBEDTLS_RSA_C + scripts/config.py set MBEDTLS_X509_CRT_WRITE_C + + # Only compile - this is primarily to test for compile issues + make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' +} + +component_build_module_alt () { + msg "build: MBEDTLS_XXX_ALT" # ~30s + scripts/config.py full + + # Disable options that are incompatible with some ALT implementations: + # aesni.c and padlock.c reference mbedtls_aes_context fields directly. + scripts/config.py unset MBEDTLS_AESNI_C + scripts/config.py unset MBEDTLS_PADLOCK_C + scripts/config.py unset MBEDTLS_AESCE_C + # MBEDTLS_ECP_RESTARTABLE is documented as incompatible. + scripts/config.py unset MBEDTLS_ECP_RESTARTABLE + # You can only have one threading implementation: alt or pthread, not both. + scripts/config.py unset MBEDTLS_THREADING_PTHREAD + # The SpecifiedECDomain parsing code accesses mbedtls_ecp_group fields + # directly and assumes the implementation works with partial groups. + scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED + # MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_* + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY + # MBEDTLS_SHA512_*ALT can't be used with MBEDTLS_SHA512_USE_A64_CRYPTO_* + scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY + + # Enable all MBEDTLS_XXX_ALT for whole modules. Do not enable + # MBEDTLS_XXX_YYY_ALT which are for single functions. + scripts/config.py set-all 'MBEDTLS_([A-Z0-9]*|NIST_KW)_ALT' + scripts/config.py unset MBEDTLS_DHM_ALT #incompatible with MBEDTLS_DEBUG_C + + # We can only compile, not link, since we don't have any implementations + # suitable for testing with the dummy alt headers. + make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' lib +} + +component_test_psa_crypto_config_accel_ecdsa () { + msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA" + + # Algorithms and key types to accelerate + loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ + $(helper_get_psa_key_type_list "ECC") \ + $(helper_get_psa_curve_list)" + + # Configure + # --------- + + # Start from default config (no USE_PSA) + TLS 1.3 + helper_libtestdriver1_adjust_config "default" + + # Disable the module that's accelerated + scripts/config.py unset MBEDTLS_ECDSA_C + + # Disable things that depend on it + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED + + # Build + # ----- + + # These hashes are needed for some ECDSA signature tests. + loc_extra_list="ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ + ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" + + helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" + + helper_libtestdriver1_make_main "$loc_accel_list" + + # Make sure this was not re-enabled by accident (additive config) + not grep mbedtls_ecdsa_ library/ecdsa.o + + # Run the tests + # ------------- + + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA" + make test +} + +component_test_psa_crypto_config_accel_ecdh () { + msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH" + + # Algorithms and key types to accelerate + loc_accel_list="ALG_ECDH \ + $(helper_get_psa_key_type_list "ECC") \ + $(helper_get_psa_curve_list)" + + # Configure + # --------- + + # Start from default config (no USE_PSA) + helper_libtestdriver1_adjust_config "default" + + # Disable the module that's accelerated + scripts/config.py unset MBEDTLS_ECDH_C + + # Disable things that depend on it + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED + + # Build + # ----- + + helper_libtestdriver1_make_drivers "$loc_accel_list" + + helper_libtestdriver1_make_main "$loc_accel_list" + + # Make sure this was not re-enabled by accident (additive config) + not grep mbedtls_ecdh_ library/ecdh.o + + # Run the tests + # ------------- + + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDH" + make test +} + +component_test_psa_crypto_config_accel_ffdh () { + msg "build: full with accelerated FFDH" + + # Algorithms and key types to accelerate + loc_accel_list="ALG_FFDH \ + $(helper_get_psa_key_type_list "DH") \ + $(helper_get_psa_dh_group_list)" + + # Configure + # --------- + + # start with full (USE_PSA and TLS 1.3) + helper_libtestdriver1_adjust_config "full" + + # Disable the module that's accelerated + scripts/config.py unset MBEDTLS_DHM_C + + # Disable things that depend on it + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED + + # Build + # ----- + + helper_libtestdriver1_make_drivers "$loc_accel_list" + + helper_libtestdriver1_make_main "$loc_accel_list" + + # Make sure this was not re-enabled by accident (additive config) + not grep mbedtls_dhm_ library/dhm.o + + # Run the tests + # ------------- + + msg "test: full with accelerated FFDH" + make test + + msg "ssl-opt: full with accelerated FFDH alg" + tests/ssl-opt.sh -f "ffdh" +} + +component_test_psa_crypto_config_reference_ffdh () { + msg "build: full with non-accelerated FFDH" + + # Start with full (USE_PSA and TLS 1.3) + helper_libtestdriver1_adjust_config "full" + + # Disable things that are not supported + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED + make + + msg "test suites: full with non-accelerated FFDH alg" + make test + + msg "ssl-opt: full with non-accelerated FFDH alg" + tests/ssl-opt.sh -f "ffdh" +} + +component_test_psa_crypto_config_accel_pake () { + msg "build: full with accelerated PAKE" + + loc_accel_list="ALG_JPAKE \ + $(helper_get_psa_key_type_list "ECC") \ + $(helper_get_psa_curve_list)" + + # Configure + # --------- + + helper_libtestdriver1_adjust_config "full" + + # Make built-in fallback not available + scripts/config.py unset MBEDTLS_ECJPAKE_C + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED + + # Build + # ----- + + helper_libtestdriver1_make_drivers "$loc_accel_list" + + helper_libtestdriver1_make_main "$loc_accel_list" + + # Make sure this was not re-enabled by accident (additive config) + not grep mbedtls_ecjpake_init library/ecjpake.o + + # Run the tests + # ------------- + + msg "test: full with accelerated PAKE" + make test +} + +component_test_psa_crypto_config_accel_ecc_some_key_types () { + msg "build: full with accelerated EC algs and some key types" + + # Algorithms and key types to accelerate + # For key types, use an explicitly list to omit GENERATE (and DERIVE) + loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ + ALG_ECDH \ + ALG_JPAKE \ + KEY_TYPE_ECC_PUBLIC_KEY \ + KEY_TYPE_ECC_KEY_PAIR_BASIC \ + KEY_TYPE_ECC_KEY_PAIR_IMPORT \ + KEY_TYPE_ECC_KEY_PAIR_EXPORT \ + $(helper_get_psa_curve_list)" + + # Configure + # --------- + + # start with config full for maximum coverage (also enables USE_PSA) + helper_libtestdriver1_adjust_config "full" + + # Disable modules that are accelerated - some will be re-enabled + scripts/config.py unset MBEDTLS_ECDSA_C + scripts/config.py unset MBEDTLS_ECDH_C + scripts/config.py unset MBEDTLS_ECJPAKE_C + scripts/config.py unset MBEDTLS_ECP_C + + # Disable all curves - those that aren't accelerated should be re-enabled + helper_disable_builtin_curves + + # Restartable feature is not yet supported by PSA. Once it will in + # the future, the following line could be removed (see issues + # 6061, 6332 and following ones) + scripts/config.py unset MBEDTLS_ECP_RESTARTABLE + + # this is not supported by the driver API yet + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE + + # Build + # ----- + + # These hashes are needed for some ECDSA signature tests. + loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ + ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" + helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" + + helper_libtestdriver1_make_main "$loc_accel_list" + + # ECP should be re-enabled but not the others + not grep mbedtls_ecdh_ library/ecdh.o + not grep mbedtls_ecdsa library/ecdsa.o + not grep mbedtls_ecjpake library/ecjpake.o + grep mbedtls_ecp library/ecp.o + + # Run the tests + # ------------- + + msg "test suites: full with accelerated EC algs and some key types" + make test +} + +# Run tests with only (non-)Weierstrass accelerated +# Common code used in: +# - component_test_psa_crypto_config_accel_ecc_weierstrass_curves +# - component_test_psa_crypto_config_accel_ecc_non_weierstrass_curves +common_test_psa_crypto_config_accel_ecc_some_curves () { + weierstrass=$1 + if [ $weierstrass -eq 1 ]; then + desc="Weierstrass" + else + desc="non-Weierstrass" + fi + + msg "build: crypto_full minus PK with accelerated EC algs and $desc curves" + + # Note: Curves are handled in a special way by the libtestdriver machinery, + # so we only want to include them in the accel list when building the main + # libraries, hence the use of a separate variable. + # Note: the following loop is a modified version of + # helper_get_psa_curve_list that only keeps Weierstrass families. + loc_weierstrass_list="" + loc_non_weierstrass_list="" + for item in $(sed -n 's/^#define PSA_WANT_\(ECC_[0-9A-Z_a-z]*\).*/\1/p' <"$CRYPTO_CONFIG_H"); do + case $item in + ECC_BRAINPOOL*|ECC_SECP*) + loc_weierstrass_list="$loc_weierstrass_list $item" + ;; + *) + loc_non_weierstrass_list="$loc_non_weierstrass_list $item" + ;; + esac + done + if [ $weierstrass -eq 1 ]; then + loc_curve_list=$loc_weierstrass_list + else + loc_curve_list=$loc_non_weierstrass_list + fi + + # Algorithms and key types to accelerate + loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ + ALG_ECDH \ + ALG_JPAKE \ + $(helper_get_psa_key_type_list "ECC") \ + $loc_curve_list" + + # Configure + # --------- + + # Start with config crypto_full and remove PK_C: + # that's what's supported now, see docs/driver-only-builds.md. + helper_libtestdriver1_adjust_config "crypto_full" + scripts/config.py unset MBEDTLS_PK_C + scripts/config.py unset MBEDTLS_PK_PARSE_C + scripts/config.py unset MBEDTLS_PK_WRITE_C + + # Disable modules that are accelerated - some will be re-enabled + scripts/config.py unset MBEDTLS_ECDSA_C + scripts/config.py unset MBEDTLS_ECDH_C + scripts/config.py unset MBEDTLS_ECJPAKE_C + scripts/config.py unset MBEDTLS_ECP_C + + # Disable all curves - those that aren't accelerated should be re-enabled + helper_disable_builtin_curves + + # Restartable feature is not yet supported by PSA. Once it will in + # the future, the following line could be removed (see issues + # 6061, 6332 and following ones) + scripts/config.py unset MBEDTLS_ECP_RESTARTABLE + + # this is not supported by the driver API yet + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE + + # Build + # ----- + + # These hashes are needed for some ECDSA signature tests. + loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ + ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" + helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" + + helper_libtestdriver1_make_main "$loc_accel_list" + + # We expect ECDH to be re-enabled for the missing curves + grep mbedtls_ecdh_ library/ecdh.o + # We expect ECP to be re-enabled, however the parts specific to the + # families of curves that are accelerated should be ommited. + # - functions with mxz in the name are specific to Montgomery curves + # - ecp_muladd is specific to Weierstrass curves + ##nm library/ecp.o | tee ecp.syms + if [ $weierstrass -eq 1 ]; then + not grep mbedtls_ecp_muladd library/ecp.o + grep mxz library/ecp.o + else + grep mbedtls_ecp_muladd library/ecp.o + not grep mxz library/ecp.o + fi + # We expect ECDSA and ECJPAKE to be re-enabled only when + # Weierstrass curves are not accelerated + if [ $weierstrass -eq 1 ]; then + not grep mbedtls_ecdsa library/ecdsa.o + not grep mbedtls_ecjpake library/ecjpake.o + else + grep mbedtls_ecdsa library/ecdsa.o + grep mbedtls_ecjpake library/ecjpake.o + fi + + # Run the tests + # ------------- + + msg "test suites: crypto_full minus PK with accelerated EC algs and $desc curves" + make test +} + +component_test_psa_crypto_config_accel_ecc_weierstrass_curves () { + common_test_psa_crypto_config_accel_ecc_some_curves 1 +} + +component_test_psa_crypto_config_accel_ecc_non_weierstrass_curves () { + common_test_psa_crypto_config_accel_ecc_some_curves 0 +} + +# Auxiliary function to build config for all EC based algorithms (EC-JPAKE, +# ECDH, ECDSA) with and without drivers. +# The input parameter is a boolean value which indicates: +# - 0 keep built-in EC algs, +# - 1 exclude built-in EC algs (driver only). +# +# This is used by the two following components to ensure they always use the +# same config, except for the use of driver or built-in EC algorithms: +# - component_test_psa_crypto_config_accel_ecc_ecp_light_only; +# - component_test_psa_crypto_config_reference_ecc_ecp_light_only. +# This supports comparing their test coverage with analyze_outcomes.py. +config_psa_crypto_config_ecp_light_only () { + driver_only="$1" + # start with config full for maximum coverage (also enables USE_PSA) + helper_libtestdriver1_adjust_config "full" + if [ "$driver_only" -eq 1 ]; then + # Disable modules that are accelerated + scripts/config.py unset MBEDTLS_ECDSA_C + scripts/config.py unset MBEDTLS_ECDH_C + scripts/config.py unset MBEDTLS_ECJPAKE_C + scripts/config.py unset MBEDTLS_ECP_C + fi + + # Restartable feature is not yet supported by PSA. Once it will in + # the future, the following line could be removed (see issues + # 6061, 6332 and following ones) + scripts/config.py unset MBEDTLS_ECP_RESTARTABLE +} + +# Keep in sync with component_test_psa_crypto_config_reference_ecc_ecp_light_only +component_test_psa_crypto_config_accel_ecc_ecp_light_only () { + msg "build: full with accelerated EC algs" + + # Algorithms and key types to accelerate + loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ + ALG_ECDH \ + ALG_JPAKE \ + $(helper_get_psa_key_type_list "ECC") \ + $(helper_get_psa_curve_list)" + + # Configure + # --------- + + # Use the same config as reference, only without built-in EC algs + config_psa_crypto_config_ecp_light_only 1 + + # Do not disable builtin curves because that support is required for: + # - MBEDTLS_PK_PARSE_EC_EXTENDED + # - MBEDTLS_PK_PARSE_EC_COMPRESSED + + # Build + # ----- + + # These hashes are needed for some ECDSA signature tests. + loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ + ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" + helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" + + helper_libtestdriver1_make_main "$loc_accel_list" + + # Make sure any built-in EC alg was not re-enabled by accident (additive config) + not grep mbedtls_ecdsa_ library/ecdsa.o + not grep mbedtls_ecdh_ library/ecdh.o + not grep mbedtls_ecjpake_ library/ecjpake.o + not grep mbedtls_ecp_mul library/ecp.o + + # Run the tests + # ------------- + + msg "test suites: full with accelerated EC algs" + make test + + msg "ssl-opt: full with accelerated EC algs" + tests/ssl-opt.sh +} + +# Keep in sync with component_test_psa_crypto_config_accel_ecc_ecp_light_only +component_test_psa_crypto_config_reference_ecc_ecp_light_only () { + msg "build: MBEDTLS_PSA_CRYPTO_CONFIG with non-accelerated EC algs" + + config_psa_crypto_config_ecp_light_only 0 + + make + + msg "test suites: full with non-accelerated EC algs" + make test + + msg "ssl-opt: full with non-accelerated EC algs" + tests/ssl-opt.sh +} + +# This helper function is used by: +# - component_test_psa_crypto_config_accel_ecc_no_ecp_at_all() +# - component_test_psa_crypto_config_reference_ecc_no_ecp_at_all() +# to ensure that both tests use the same underlying configuration when testing +# driver's coverage with analyze_outcomes.py. +# +# This functions accepts 1 boolean parameter as follows: +# - 1: building with accelerated EC algorithms (ECDSA, ECDH, ECJPAKE), therefore +# excluding their built-in implementation as well as ECP_C & ECP_LIGHT +# - 0: include built-in implementation of EC algorithms. +# +# PK_C and RSA_C are always disabled to ensure there is no remaining dependency +# on the ECP module. +config_psa_crypto_no_ecp_at_all () { + driver_only="$1" + # start with full config for maximum coverage (also enables USE_PSA) + helper_libtestdriver1_adjust_config "full" + + if [ "$driver_only" -eq 1 ]; then + # Disable modules that are accelerated + scripts/config.py unset MBEDTLS_ECDSA_C + scripts/config.py unset MBEDTLS_ECDH_C + scripts/config.py unset MBEDTLS_ECJPAKE_C + # Disable ECP module (entirely) + scripts/config.py unset MBEDTLS_ECP_C + fi + + # Disable all the features that auto-enable ECP_LIGHT (see build_info.h) + scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED + scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE + + # Restartable feature is not yet supported by PSA. Once it will in + # the future, the following line could be removed (see issues + # 6061, 6332 and following ones) + scripts/config.py unset MBEDTLS_ECP_RESTARTABLE +} + +# Build and test a configuration where driver accelerates all EC algs while +# all support and dependencies from ECP and ECP_LIGHT are removed on the library +# side. +# +# Keep in sync with component_test_psa_crypto_config_reference_ecc_no_ecp_at_all() +component_test_psa_crypto_config_accel_ecc_no_ecp_at_all () { + msg "build: full + accelerated EC algs - ECP" + + # Algorithms and key types to accelerate + loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ + ALG_ECDH \ + ALG_JPAKE \ + $(helper_get_psa_key_type_list "ECC") \ + $(helper_get_psa_curve_list)" + + # Configure + # --------- + + # Set common configurations between library's and driver's builds + config_psa_crypto_no_ecp_at_all 1 + # Disable all the builtin curves. All the required algs are accelerated. + helper_disable_builtin_curves + + # Build + # ----- + + # Things we wanted supported in libtestdriver1, but not accelerated in the main library: + # SHA-1 and all SHA-2/3 variants, as they are used by ECDSA deterministic. + loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ + ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" + + helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" + + helper_libtestdriver1_make_main "$loc_accel_list" + + # Make sure any built-in EC alg was not re-enabled by accident (additive config) + not grep mbedtls_ecdsa_ library/ecdsa.o + not grep mbedtls_ecdh_ library/ecdh.o + not grep mbedtls_ecjpake_ library/ecjpake.o + # Also ensure that ECP module was not re-enabled + not grep mbedtls_ecp_ library/ecp.o + + # Run the tests + # ------------- + + msg "test: full + accelerated EC algs - ECP" + make test + + msg "ssl-opt: full + accelerated EC algs - ECP" + tests/ssl-opt.sh +} + +# Reference function used for driver's coverage analysis in analyze_outcomes.py +# in conjunction with component_test_psa_crypto_config_accel_ecc_no_ecp_at_all(). +# Keep in sync with its accelerated counterpart. +component_test_psa_crypto_config_reference_ecc_no_ecp_at_all () { + msg "build: full + non accelerated EC algs" + + config_psa_crypto_no_ecp_at_all 0 + + make + + msg "test: full + non accelerated EC algs" + make test + + msg "ssl-opt: full + non accelerated EC algs" + tests/ssl-opt.sh +} + +# This is a common configuration helper used directly from: +# - common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum +# - common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum +# and indirectly from: +# - component_test_psa_crypto_config_accel_ecc_no_bignum +# - accelerate all EC algs, disable RSA and FFDH +# - component_test_psa_crypto_config_reference_ecc_no_bignum +# - this is the reference component of the above +# - it still disables RSA and FFDH, but it uses builtin EC algs +# - component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum +# - accelerate all EC and FFDH algs, disable only RSA +# - component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum +# - this is the reference component of the above +# - it still disables RSA, but it uses builtin EC and FFDH algs +# +# This function accepts 2 parameters: +# $1: a boolean value which states if we are testing an accelerated scenario +# or not. +# $2: a string value which states which components are tested. Allowed values +# are "ECC" or "ECC_DH". +config_psa_crypto_config_accel_ecc_ffdh_no_bignum () { + driver_only="$1" + test_target="$2" + # start with full config for maximum coverage (also enables USE_PSA) + helper_libtestdriver1_adjust_config "full" + + if [ "$driver_only" -eq 1 ]; then + # Disable modules that are accelerated + scripts/config.py unset MBEDTLS_ECDSA_C + scripts/config.py unset MBEDTLS_ECDH_C + scripts/config.py unset MBEDTLS_ECJPAKE_C + # Disable ECP module (entirely) + scripts/config.py unset MBEDTLS_ECP_C + # Also disable bignum + scripts/config.py unset MBEDTLS_BIGNUM_C + fi + + # Disable all the features that auto-enable ECP_LIGHT (see build_info.h) + scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED + scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE + + # RSA support is intentionally disabled on this test because RSA_C depends + # on BIGNUM_C. + scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*" + scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*" + scripts/config.py unset MBEDTLS_RSA_C + scripts/config.py unset MBEDTLS_PKCS1_V15 + scripts/config.py unset MBEDTLS_PKCS1_V21 + scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT + # Also disable key exchanges that depend on RSA + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED + + if [ "$test_target" = "ECC" ]; then + # When testing ECC only, we disable FFDH support, both from builtin and + # PSA sides, and also disable the key exchanges that depend on DHM. + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_FFDH + scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_DH_[0-9A-Z_a-z]*" + scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_DH_RFC7919_[0-9]*" + scripts/config.py unset MBEDTLS_DHM_C + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED + else + # When testing ECC and DH instead, we disable DHM and depending key + # exchanges only in the accelerated build + if [ "$driver_only" -eq 1 ]; then + scripts/config.py unset MBEDTLS_DHM_C + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED + fi + fi + + # Restartable feature is not yet supported by PSA. Once it will in + # the future, the following line could be removed (see issues + # 6061, 6332 and following ones) + scripts/config.py unset MBEDTLS_ECP_RESTARTABLE +} + +# Common helper used by: +# - component_test_psa_crypto_config_accel_ecc_no_bignum +# - component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum +# +# The goal is to build and test accelerating either: +# - ECC only or +# - both ECC and FFDH +# +# It is meant to be used in conjunction with +# common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum() for drivers +# coverage analysis in the "analyze_outcomes.py" script. +common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () { + test_target="$1" + + # This is an internal helper to simplify text message handling + if [ "$test_target" = "ECC_DH" ]; then + accel_text="ECC/FFDH" + removed_text="ECP - DH" + else + accel_text="ECC" + removed_text="ECP" + fi + + msg "build: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM" + + # By default we accelerate all EC keys/algs + loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ + ALG_ECDH \ + ALG_JPAKE \ + $(helper_get_psa_key_type_list "ECC") \ + $(helper_get_psa_curve_list)" + # Optionally we can also add DH to the list of accelerated items + if [ "$test_target" = "ECC_DH" ]; then + loc_accel_list="$loc_accel_list \ + ALG_FFDH \ + $(helper_get_psa_key_type_list "DH") \ + $(helper_get_psa_dh_group_list)" + fi + + # Configure + # --------- + + # Set common configurations between library's and driver's builds + config_psa_crypto_config_accel_ecc_ffdh_no_bignum 1 "$test_target" + # Disable all the builtin curves. All the required algs are accelerated. + helper_disable_builtin_curves + + # Build + # ----- + + # Things we wanted supported in libtestdriver1, but not accelerated in the main library: + # SHA-1 and all SHA-2/3 variants, as they are used by ECDSA deterministic. + loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ + ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" + + helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" + + helper_libtestdriver1_make_main "$loc_accel_list" + + # Make sure any built-in EC alg was not re-enabled by accident (additive config) + not grep mbedtls_ecdsa_ library/ecdsa.o + not grep mbedtls_ecdh_ library/ecdh.o + not grep mbedtls_ecjpake_ library/ecjpake.o + # Also ensure that ECP, RSA, [DHM] or BIGNUM modules were not re-enabled + not grep mbedtls_ecp_ library/ecp.o + not grep mbedtls_rsa_ library/rsa.o + not grep mbedtls_mpi_ library/bignum.o + not grep mbedtls_dhm_ library/dhm.o + + # Run the tests + # ------------- + + msg "test suites: full + accelerated $accel_text algs + USE_PSA - $removed_text - DHM - BIGNUM" + + make test + + msg "ssl-opt: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM" + tests/ssl-opt.sh +} + +# Common helper used by: +# - component_test_psa_crypto_config_reference_ecc_no_bignum +# - component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum +# +# The goal is to build and test a reference scenario (i.e. with builtin +# components) compared to the ones used in +# common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum() above. +# +# It is meant to be used in conjunction with +# common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum() for drivers' +# coverage analysis in "analyze_outcomes.py" script. +common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () { + test_target="$1" + + # This is an internal helper to simplify text message handling + if [ "$test_target" = "ECC_DH" ]; then + accel_text="ECC/FFDH" + else + accel_text="ECC" + fi + + msg "build: full + non accelerated $accel_text algs + USE_PSA" + + config_psa_crypto_config_accel_ecc_ffdh_no_bignum 0 "$test_target" + + make + + msg "test suites: full + non accelerated EC algs + USE_PSA" + make test + + msg "ssl-opt: full + non accelerated $accel_text algs + USE_PSA" + tests/ssl-opt.sh +} + +component_test_psa_crypto_config_accel_ecc_no_bignum () { + common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum "ECC" +} + +component_test_psa_crypto_config_reference_ecc_no_bignum () { + common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum "ECC" +} + +component_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () { + common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum "ECC_DH" +} + +component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () { + common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum "ECC_DH" +} + +# Helper for setting common configurations between: +# - component_test_tfm_config_p256m_driver_accel_ec() +# - component_test_tfm_config() +common_tfm_config () { + # Enable TF-M config + cp configs/config-tfm.h "$CONFIG_H" + echo "#undef MBEDTLS_PSA_CRYPTO_CONFIG_FILE" >> "$CONFIG_H" + cp configs/ext/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H" + + # Other config adjustment to make the tests pass. + # This should probably be adopted upstream. + # + # - USE_PSA_CRYPTO for PK_HAVE_ECC_KEYS + echo "#define MBEDTLS_USE_PSA_CRYPTO" >> "$CONFIG_H" + + # Config adjustment for better test coverage in our environment. + # This is not needed just to build and pass tests. + # + # Enable filesystem I/O for the benefit of PK parse/write tests. + echo "#define MBEDTLS_FS_IO" >> "$CONFIG_H" +} + +# Keep this in sync with component_test_tfm_config() as they are both meant +# to be used in analyze_outcomes.py for driver's coverage analysis. +component_test_tfm_config_p256m_driver_accel_ec () { + msg "build: TF-M config + p256m driver + accel ECDH(E)/ECDSA" + + common_tfm_config + + # Build crypto library + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -I../tests/include/spe" LDFLAGS="$ASAN_CFLAGS" + + # Make sure any built-in EC alg was not re-enabled by accident (additive config) + not grep mbedtls_ecdsa_ library/ecdsa.o + not grep mbedtls_ecdh_ library/ecdh.o + not grep mbedtls_ecjpake_ library/ecjpake.o + # Also ensure that ECP, RSA, DHM or BIGNUM modules were not re-enabled + not grep mbedtls_ecp_ library/ecp.o + not grep mbedtls_rsa_ library/rsa.o + not grep mbedtls_dhm_ library/dhm.o + not grep mbedtls_mpi_ library/bignum.o + # Check that p256m was built + grep -q p256_ecdsa_ library/libmbedcrypto.a + + # In "config-tfm.h" we disabled CIPHER_C tweaking TF-M's configuration + # files, so we want to ensure that it has not be re-enabled accidentally. + not grep mbedtls_cipher library/cipher.o + + # Run the tests + msg "test: TF-M config + p256m driver + accel ECDH(E)/ECDSA" + make test +} + +# Keep this in sync with component_test_tfm_config_p256m_driver_accel_ec() as +# they are both meant to be used in analyze_outcomes.py for driver's coverage +# analysis. +component_test_tfm_config () { + common_tfm_config + + # Disable P256M driver, which is on by default, so that analyze_outcomes + # can compare this test with test_tfm_config_p256m_driver_accel_ec + echo "#undef MBEDTLS_PSA_P256M_DRIVER_ENABLED" >> "$CONFIG_H" + + msg "build: TF-M config" + make CFLAGS='-Werror -Wall -Wextra -I../tests/include/spe' tests + + # Check that p256m was not built + not grep p256_ecdsa_ library/libmbedcrypto.a + + # In "config-tfm.h" we disabled CIPHER_C tweaking TF-M's configuration + # files, so we want to ensure that it has not be re-enabled accidentally. + not grep mbedtls_cipher library/cipher.o + + msg "test: TF-M config" + make test +} + +# This is an helper used by: +# - component_test_psa_ecc_key_pair_no_derive +# - component_test_psa_ecc_key_pair_no_generate +# The goal is to test with all PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy symbols +# enabled, but one. Input arguments are as follows: +# - $1 is the key type under test, i.e. ECC/RSA/DH +# - $2 is the key option to be unset (i.e. generate, derive, etc) +build_and_test_psa_want_key_pair_partial () { + key_type=$1 + unset_option=$2 + disabled_psa_want="PSA_WANT_KEY_TYPE_${key_type}_KEY_PAIR_${unset_option}" + + msg "build: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}" + scripts/config.py full + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + + # All the PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy are enabled by default in + # crypto_config.h so we just disable the one we don't want. + scripts/config.py -f "$CRYPTO_CONFIG_H" unset "$disabled_psa_want" + + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + + msg "test: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}" + make test +} + +component_test_psa_ecc_key_pair_no_derive () { + build_and_test_psa_want_key_pair_partial "ECC" "DERIVE" +} + +component_test_psa_ecc_key_pair_no_generate () { + build_and_test_psa_want_key_pair_partial "ECC" "GENERATE" +} + +config_psa_crypto_accel_rsa () { + driver_only=$1 + + # Start from crypto_full config (no X.509, no TLS) + helper_libtestdriver1_adjust_config "crypto_full" + + if [ "$driver_only" -eq 1 ]; then + # Remove RSA support and its dependencies + scripts/config.py unset MBEDTLS_RSA_C + scripts/config.py unset MBEDTLS_PKCS1_V15 + scripts/config.py unset MBEDTLS_PKCS1_V21 + + # We need PEM parsing in the test library as well to support the import + # of PEM encoded RSA keys. + scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_PEM_PARSE_C + scripts/config.py -f "$CONFIG_TEST_DRIVER_H" set MBEDTLS_BASE64_C + fi +} + +component_test_psa_crypto_config_accel_rsa_crypto () { + msg "build: crypto_full with accelerated RSA" + + loc_accel_list="ALG_RSA_OAEP ALG_RSA_PSS \ + ALG_RSA_PKCS1V15_CRYPT ALG_RSA_PKCS1V15_SIGN \ + KEY_TYPE_RSA_PUBLIC_KEY \ + KEY_TYPE_RSA_KEY_PAIR_BASIC \ + KEY_TYPE_RSA_KEY_PAIR_GENERATE \ + KEY_TYPE_RSA_KEY_PAIR_IMPORT \ + KEY_TYPE_RSA_KEY_PAIR_EXPORT" + + # Configure + # --------- + + config_psa_crypto_accel_rsa 1 + + # Build + # ----- + + # These hashes are needed for unit tests. + loc_extra_list="ALG_SHA_1 ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ + ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512 ALG_MD5" + helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" + + helper_libtestdriver1_make_main "$loc_accel_list" + + # Make sure this was not re-enabled by accident (additive config) + not grep mbedtls_rsa library/rsa.o + + # Run the tests + # ------------- + + msg "test: crypto_full with accelerated RSA" + make test +} + +component_test_psa_crypto_config_reference_rsa_crypto () { + msg "build: crypto_full with non-accelerated RSA" + + # Configure + # --------- + config_psa_crypto_accel_rsa 0 + + # Build + # ----- + make + + # Run the tests + # ------------- + msg "test: crypto_full with non-accelerated RSA" + make test +} + +# This is a temporary test to verify that full RSA support is present even when +# only one single new symbols (PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) is defined. +component_test_new_psa_want_key_pair_symbol () { + msg "Build: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" + + # Create a temporary output file unless there is already one set + if [ "$MBEDTLS_TEST_OUTCOME_FILE" ]; then + REMOVE_OUTCOME_ON_EXIT="no" + else + REMOVE_OUTCOME_ON_EXIT="yes" + MBEDTLS_TEST_OUTCOME_FILE="$PWD/out.csv" + export MBEDTLS_TEST_OUTCOME_FILE + fi + + # Start from crypto configuration + scripts/config.py crypto + + # Remove RSA support and its dependencies + scripts/config.py unset MBEDTLS_PKCS1_V15 + scripts/config.py unset MBEDTLS_PKCS1_V21 + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED + scripts/config.py unset MBEDTLS_RSA_C + scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT + + # Enable PSA support + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + + # Keep only PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC enabled in order to ensure + # that proper translations is done in crypto_legacy.h. + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE + + make + + msg "Test: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" + make test + + # Parse only 1 relevant line from the outcome file, i.e. a test which is + # performing RSA signature. + msg "Verify that 'RSA PKCS1 Sign #1 (SHA512, 1536 bits RSA)' is PASS" + cat $MBEDTLS_TEST_OUTCOME_FILE | grep 'RSA PKCS1 Sign #1 (SHA512, 1536 bits RSA)' | grep -q "PASS" + + if [ "$REMOVE_OUTCOME_ON_EXIT" == "yes" ]; then + rm $MBEDTLS_TEST_OUTCOME_FILE + fi +} + +component_test_psa_crypto_config_accel_hash () { + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash" + + loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ + ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ + ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" + + # Configure + # --------- + + # Start from default config (no USE_PSA) + helper_libtestdriver1_adjust_config "default" + + # Disable the things that are being accelerated + scripts/config.py unset MBEDTLS_MD5_C + scripts/config.py unset MBEDTLS_RIPEMD160_C + scripts/config.py unset MBEDTLS_SHA1_C + scripts/config.py unset MBEDTLS_SHA224_C + scripts/config.py unset MBEDTLS_SHA256_C + scripts/config.py unset MBEDTLS_SHA384_C + scripts/config.py unset MBEDTLS_SHA512_C + scripts/config.py unset MBEDTLS_SHA3_C + + # Build + # ----- + + helper_libtestdriver1_make_drivers "$loc_accel_list" + + helper_libtestdriver1_make_main "$loc_accel_list" + + # There's a risk of something getting re-enabled via config_psa.h; + # make sure it did not happen. Note: it's OK for MD_C to be enabled. + not grep mbedtls_md5 library/md5.o + not grep mbedtls_sha1 library/sha1.o + not grep mbedtls_sha256 library/sha256.o + not grep mbedtls_sha512 library/sha512.o + not grep mbedtls_ripemd160 library/ripemd160.o + + # Run the tests + # ------------- + + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated hash" + make test +} + +component_test_psa_crypto_config_accel_hash_keep_builtins () { + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated+builtin hash" + # This component ensures that all the test cases for + # md_psa_dynamic_dispatch with legacy+driver in test_suite_md are run. + + loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ + ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ + ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" + + # Start from default config (no USE_PSA) + helper_libtestdriver1_adjust_config "default" + + helper_libtestdriver1_make_drivers "$loc_accel_list" + + helper_libtestdriver1_make_main "$loc_accel_list" + + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated+builtin hash" + make test +} + +# This should be renamed to test and updated once the accelerator ECDH code is in place and ready to test. +component_build_psa_accel_alg_ecdh () { + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_ECDH without MBEDTLS_ECDH_C" + scripts/config.py full + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py unset MBEDTLS_ECDH_C + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_ECDH -I../tests/include" LDFLAGS="$ASAN_CFLAGS" +} + +# This should be renamed to test and updated once the accelerator HMAC code is in place and ready to test. +component_build_psa_accel_alg_hmac () { + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_HMAC" + scripts/config.py full + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HMAC -I../tests/include" LDFLAGS="$ASAN_CFLAGS" +} + +# This should be renamed to test and updated once the accelerator HKDF code is in place and ready to test. +component_build_psa_accel_alg_hkdf () { + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_HKDF without MBEDTLS_HKDF_C" + scripts/config.py full + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_HKDF_C + # Make sure to unset TLS1_3 since it requires HKDF_C and will not build properly without it. + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HKDF -I../tests/include" LDFLAGS="$ASAN_CFLAGS" +} + +# This should be renamed to test and updated once the accelerator MD5 code is in place and ready to test. +component_build_psa_accel_alg_md5 () { + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_MD5 - other hashes" + scripts/config.py full + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS + scripts/config.py unset MBEDTLS_LMS_C + scripts/config.py unset MBEDTLS_LMS_PRIVATE + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_MD5 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" +} + +# This should be renamed to test and updated once the accelerator RIPEMD160 code is in place and ready to test. +component_build_psa_accel_alg_ripemd160 () { + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RIPEMD160 - other hashes" + scripts/config.py full + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS + scripts/config.py unset MBEDTLS_LMS_C + scripts/config.py unset MBEDTLS_LMS_PRIVATE + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RIPEMD160 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" +} + +# This should be renamed to test and updated once the accelerator SHA1 code is in place and ready to test. +component_build_psa_accel_alg_sha1 () { + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_1 - other hashes" + scripts/config.py full + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS + scripts/config.py unset MBEDTLS_LMS_C + scripts/config.py unset MBEDTLS_LMS_PRIVATE + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_1 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" +} + +# This should be renamed to test and updated once the accelerator SHA224 code is in place and ready to test. +component_build_psa_accel_alg_sha224 () { + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_224 - other hashes" + scripts/config.py full + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_224 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" +} + +# This should be renamed to test and updated once the accelerator SHA256 code is in place and ready to test. +component_build_psa_accel_alg_sha256 () { + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_256 - other hashes" + scripts/config.py full + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512 + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_256 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" +} + +# This should be renamed to test and updated once the accelerator SHA384 code is in place and ready to test. +component_build_psa_accel_alg_sha384 () { + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_384 - other hashes" + scripts/config.py full + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS + scripts/config.py unset MBEDTLS_LMS_C + scripts/config.py unset MBEDTLS_LMS_PRIVATE + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_384 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" +} + +# This should be renamed to test and updated once the accelerator SHA512 code is in place and ready to test. +component_build_psa_accel_alg_sha512 () { + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_SHA_512 - other hashes" + scripts/config.py full + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_MD5 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RIPEMD160 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_1 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_224 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_256 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS + scripts/config.py unset MBEDTLS_LMS_C + scripts/config.py unset MBEDTLS_LMS_PRIVATE + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_512 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" +} + +# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. +component_build_psa_accel_alg_rsa_pkcs1v15_crypt () { + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_PKCS1V15_CRYPT + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" + scripts/config.py full + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PSS + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT -I../tests/include" LDFLAGS="$ASAN_CFLAGS" +} + +# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. +component_build_psa_accel_alg_rsa_pkcs1v15_sign () { + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_PKCS1V15_SIGN + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" + scripts/config.py full + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PSS + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN -I../tests/include" LDFLAGS="$ASAN_CFLAGS" +} + +# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. +component_build_psa_accel_alg_rsa_oaep () { + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_OAEP + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" + scripts/config.py full + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_OAEP 1 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PSS + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_OAEP -I../tests/include" LDFLAGS="$ASAN_CFLAGS" +} + +# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. +component_build_psa_accel_alg_rsa_pss () { + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_RSA_PSS + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" + scripts/config.py full + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PSS 1 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PSS -I../tests/include" LDFLAGS="$ASAN_CFLAGS" +} + +# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. +component_build_psa_accel_key_type_rsa_key_pair () { + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_xxx + PSA_WANT_ALG_RSA_PSS" + scripts/config.py full + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PSS 1 + scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC 1 + scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1 + scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1 + scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1 + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR -I../tests/include" LDFLAGS="$ASAN_CFLAGS" +} + +# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. +component_build_psa_accel_key_type_rsa_public_key () { + msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY + PSA_WANT_ALG_RSA_PSS" + scripts/config.py full + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PSS 1 + scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1 + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY -I../tests/include" LDFLAGS="$ASAN_CFLAGS" +} + +# Auxiliary function to build config for hashes with and without drivers +config_psa_crypto_hash_use_psa () { + driver_only="$1" + # start with config full for maximum coverage (also enables USE_PSA) + helper_libtestdriver1_adjust_config "full" + if [ "$driver_only" -eq 1 ]; then + # disable the built-in implementation of hashes + scripts/config.py unset MBEDTLS_MD5_C + scripts/config.py unset MBEDTLS_RIPEMD160_C + scripts/config.py unset MBEDTLS_SHA1_C + scripts/config.py unset MBEDTLS_SHA224_C + scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA384_C + scripts/config.py unset MBEDTLS_SHA512_C + scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA3_C + fi +} + +# Note that component_test_psa_crypto_config_reference_hash_use_psa +# is related to this component and both components need to be kept in sync. +# For details please see comments for component_test_psa_crypto_config_reference_hash_use_psa. +component_test_psa_crypto_config_accel_hash_use_psa () { + msg "test: full with accelerated hashes" + + loc_accel_list="ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ + ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ + ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" + + # Configure + # --------- + + config_psa_crypto_hash_use_psa 1 + + # Build + # ----- + + helper_libtestdriver1_make_drivers "$loc_accel_list" + + helper_libtestdriver1_make_main "$loc_accel_list" + + # There's a risk of something getting re-enabled via config_psa.h; + # make sure it did not happen. Note: it's OK for MD_C to be enabled. + not grep mbedtls_md5 library/md5.o + not grep mbedtls_sha1 library/sha1.o + not grep mbedtls_sha256 library/sha256.o + not grep mbedtls_sha512 library/sha512.o + not grep mbedtls_ripemd160 library/ripemd160.o + + # Run the tests + # ------------- + + msg "test: full with accelerated hashes" + make test + + # This is mostly useful so that we can later compare outcome files with + # the reference config in analyze_outcomes.py, to check that the + # dependency declarations in ssl-opt.sh and in TLS code are correct. + msg "test: ssl-opt.sh, full with accelerated hashes" + tests/ssl-opt.sh + + # This is to make sure all ciphersuites are exercised, but we don't need + # interop testing (besides, we already got some from ssl-opt.sh). + msg "test: compat.sh, full with accelerated hashes" + tests/compat.sh -p mbedTLS -V YES +} + +# This component provides reference configuration for test_psa_crypto_config_accel_hash_use_psa +# without accelerated hash. The outcome from both components are used by the analyze_outcomes.py +# script to find regression in test coverage when accelerated hash is used (tests and ssl-opt). +# Both components need to be kept in sync. +component_test_psa_crypto_config_reference_hash_use_psa () { + msg "test: full without accelerated hashes" + + config_psa_crypto_hash_use_psa 0 + + make + + msg "test: full without accelerated hashes" + make test + + msg "test: ssl-opt.sh, full without accelerated hashes" + tests/ssl-opt.sh +} + +# Auxiliary function to build config for hashes with and without drivers +config_psa_crypto_hmac_use_psa () { + driver_only="$1" + # start with config full for maximum coverage (also enables USE_PSA) + helper_libtestdriver1_adjust_config "full" + + if [ "$driver_only" -eq 1 ]; then + # Disable MD_C in order to disable the builtin support for HMAC. MD_LIGHT + # is still enabled though (for ENTROPY_C among others). + scripts/config.py unset MBEDTLS_MD_C + # Disable also the builtin hashes since they are supported by the driver + # and MD module is able to perform PSA dispathing. + scripts/config.py unset-all MBEDTLS_SHA + scripts/config.py unset MBEDTLS_MD5_C + scripts/config.py unset MBEDTLS_RIPEMD160_C + fi + + # Direct dependencies of MD_C. We disable them also in the reference + # component to work with the same set of features. + scripts/config.py unset MBEDTLS_PKCS7_C + scripts/config.py unset MBEDTLS_PKCS5_C + scripts/config.py unset MBEDTLS_HMAC_DRBG_C + scripts/config.py unset MBEDTLS_HKDF_C + # Dependencies of HMAC_DRBG + scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_DETERMINISTIC_ECDSA +} + +component_test_psa_crypto_config_accel_hmac () { + msg "test: full with accelerated hmac" + + loc_accel_list="ALG_HMAC KEY_TYPE_HMAC \ + ALG_MD5 ALG_RIPEMD160 ALG_SHA_1 \ + ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \ + ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512" + + # Configure + # --------- + + config_psa_crypto_hmac_use_psa 1 + + # Build + # ----- + + helper_libtestdriver1_make_drivers "$loc_accel_list" + + helper_libtestdriver1_make_main "$loc_accel_list" + + # Ensure that built-in support for HMAC is disabled. + not grep mbedtls_md_hmac library/md.o + + # Run the tests + # ------------- + + msg "test: full with accelerated hmac" + make test +} + +component_test_psa_crypto_config_reference_hmac () { + msg "test: full without accelerated hmac" + + config_psa_crypto_hmac_use_psa 0 + + make + + msg "test: full without accelerated hmac" + make test +} + +component_test_psa_crypto_config_accel_des () { + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated DES" + + # Albeit this components aims at accelerating DES which should only support + # CBC and ECB modes, we need to accelerate more than that otherwise DES_C + # would automatically be re-enabled by "config_adjust_legacy_from_psa.c" + loc_accel_list="ALG_ECB_NO_PADDING ALG_CBC_NO_PADDING ALG_CBC_PKCS7 \ + ALG_CTR ALG_CFB ALG_OFB ALG_XTS ALG_CMAC \ + KEY_TYPE_DES" + + # Note: we cannot accelerate all ciphers' key types otherwise we would also + # have to either disable CCM/GCM or accelerate them, but that's out of scope + # of this component. This limitation will be addressed by #8598. + + # Configure + # --------- + + # Start from the full config + helper_libtestdriver1_adjust_config "full" + + # Disable the things that are being accelerated + scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC + scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7 + scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR + scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB + scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB + scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS + scripts/config.py unset MBEDTLS_DES_C + scripts/config.py unset MBEDTLS_CMAC_C + + # Build + # ----- + + helper_libtestdriver1_make_drivers "$loc_accel_list" + + helper_libtestdriver1_make_main "$loc_accel_list" + + # Make sure this was not re-enabled by accident (additive config) + not grep mbedtls_des* library/des.o + + # Run the tests + # ------------- + + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated DES" + make test +} + +component_test_psa_crypto_config_accel_aead () { + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated AEAD" + + loc_accel_list="ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 \ + KEY_TYPE_AES KEY_TYPE_CHACHA20 KEY_TYPE_ARIA KEY_TYPE_CAMELLIA" + + # Configure + # --------- + + # Start from full config + helper_libtestdriver1_adjust_config "full" + + # Disable things that are being accelerated + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_CHACHAPOLY_C + + # Disable CCM_STAR_NO_TAG because this re-enables CCM_C. + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG + + # Build + # ----- + + helper_libtestdriver1_make_drivers "$loc_accel_list" + + helper_libtestdriver1_make_main "$loc_accel_list" + + # Make sure this was not re-enabled by accident (additive config) + not grep mbedtls_ccm library/ccm.o + not grep mbedtls_gcm library/gcm.o + not grep mbedtls_chachapoly library/chachapoly.o + + # Run the tests + # ------------- + + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated AEAD" + make test +} + +# This is a common configuration function used in: +# - component_test_psa_crypto_config_accel_cipher_aead_cmac +# - component_test_psa_crypto_config_reference_cipher_aead_cmac +common_psa_crypto_config_accel_cipher_aead_cmac () { + # Start from the full config + helper_libtestdriver1_adjust_config "full" + + scripts/config.py unset MBEDTLS_NIST_KW_C +} + +# The 2 following test components, i.e. +# - component_test_psa_crypto_config_accel_cipher_aead_cmac +# - component_test_psa_crypto_config_reference_cipher_aead_cmac +# are meant to be used together in analyze_outcomes.py script in order to test +# driver's coverage for ciphers and AEADs. +component_test_psa_crypto_config_accel_cipher_aead_cmac () { + msg "build: full config with accelerated cipher inc. AEAD and CMAC" + + loc_accel_list="ALG_ECB_NO_PADDING ALG_CBC_NO_PADDING ALG_CBC_PKCS7 ALG_CTR ALG_CFB \ + ALG_OFB ALG_XTS ALG_STREAM_CIPHER ALG_CCM_STAR_NO_TAG \ + ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 ALG_CMAC \ + KEY_TYPE_DES KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CHACHA20 KEY_TYPE_CAMELLIA" + + # Configure + # --------- + + common_psa_crypto_config_accel_cipher_aead_cmac + + # Disable the things that are being accelerated + scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC + scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7 + scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR + scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB + scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB + scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_CHACHAPOLY_C + scripts/config.py unset MBEDTLS_CMAC_C + scripts/config.py unset MBEDTLS_DES_C + scripts/config.py unset MBEDTLS_AES_C + scripts/config.py unset MBEDTLS_ARIA_C + scripts/config.py unset MBEDTLS_CHACHA20_C + scripts/config.py unset MBEDTLS_CAMELLIA_C + + # Disable CIPHER_C entirely as all ciphers/AEADs are accelerated and PSA + # does not depend on it. + scripts/config.py unset MBEDTLS_CIPHER_C + + # Build + # ----- + + helper_libtestdriver1_make_drivers "$loc_accel_list" + + helper_libtestdriver1_make_main "$loc_accel_list" + + # Make sure this was not re-enabled by accident (additive config) + not grep mbedtls_cipher library/cipher.o + not grep mbedtls_des library/des.o + not grep mbedtls_aes library/aes.o + not grep mbedtls_aria library/aria.o + not grep mbedtls_camellia library/camellia.o + not grep mbedtls_ccm library/ccm.o + not grep mbedtls_gcm library/gcm.o + not grep mbedtls_chachapoly library/chachapoly.o + not grep mbedtls_cmac library/cmac.o + + # Run the tests + # ------------- + + msg "test: full config with accelerated cipher inc. AEAD and CMAC" + make test + + msg "ssl-opt: full config with accelerated cipher inc. AEAD and CMAC" + tests/ssl-opt.sh + + msg "compat.sh: full config with accelerated cipher inc. AEAD and CMAC" + tests/compat.sh -V NO -p mbedTLS +} + +component_test_psa_crypto_config_reference_cipher_aead_cmac () { + msg "build: full config with non-accelerated cipher inc. AEAD and CMAC" + common_psa_crypto_config_accel_cipher_aead_cmac + + make + + msg "test: full config with non-accelerated cipher inc. AEAD and CMAC" + make test + + msg "ssl-opt: full config with non-accelerated cipher inc. AEAD and CMAC" + tests/ssl-opt.sh + + msg "compat.sh: full config with non-accelerated cipher inc. AEAD and CMAC" + tests/compat.sh -V NO -p mbedTLS +} + +common_block_cipher_dispatch () { + TEST_WITH_DRIVER="$1" + + # Start from the full config + helper_libtestdriver1_adjust_config "full" + + if [ "$TEST_WITH_DRIVER" -eq 1 ]; then + # Disable key types that are accelerated (there is no legacy equivalent + # symbol for ECB) + scripts/config.py unset MBEDTLS_AES_C + scripts/config.py unset MBEDTLS_ARIA_C + scripts/config.py unset MBEDTLS_CAMELLIA_C + fi + + # Disable cipher's modes that, when not accelerated, cause + # legacy key types to be re-enabled in "config_adjust_legacy_from_psa.h". + # Keep this also in the reference component in order to skip the same tests + # that were skipped in the accelerated one. + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CTR + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CFB + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_OFB + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 + + # Disable direct dependency on AES_C + scripts/config.py unset MBEDTLS_NIST_KW_C + + # Prevent the cipher module from using deprecated PSA path. The reason is + # that otherwise there will be tests relying on "aes_info" (defined in + # "cipher_wrap.c") whose functions are not available when AES_C is + # not defined. ARIA and Camellia are not a problem in this case because + # the PSA path is not tested for these key types. + scripts/config.py set MBEDTLS_DEPRECATED_REMOVED +} + +component_test_full_block_cipher_psa_dispatch_static_keystore () { + msg "build: full + PSA dispatch in block_cipher with static keystore" + # Check that the static key store works well when CTR_DRBG uses a + # PSA key for AES. + scripts/config.py unset MBEDTLS_PSA_KEY_STORE_DYNAMIC + + loc_accel_list="ALG_ECB_NO_PADDING \ + KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CAMELLIA" + + # Configure + # --------- + + common_block_cipher_dispatch 1 + + # Build + # ----- + + helper_libtestdriver1_make_drivers "$loc_accel_list" + + helper_libtestdriver1_make_main "$loc_accel_list" + + # Make sure disabled components were not re-enabled by accident (additive + # config) + not grep mbedtls_aes_ library/aes.o + not grep mbedtls_aria_ library/aria.o + not grep mbedtls_camellia_ library/camellia.o + + # Run the tests + # ------------- + + msg "test: full + PSA dispatch in block_cipher with static keystore" + make test +} + +component_test_full_block_cipher_psa_dispatch () { + msg "build: full + PSA dispatch in block_cipher" + + loc_accel_list="ALG_ECB_NO_PADDING \ + KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CAMELLIA" + + # Configure + # --------- + + common_block_cipher_dispatch 1 + + # Build + # ----- + + helper_libtestdriver1_make_drivers "$loc_accel_list" + + helper_libtestdriver1_make_main "$loc_accel_list" + + # Make sure disabled components were not re-enabled by accident (additive + # config) + not grep mbedtls_aes_ library/aes.o + not grep mbedtls_aria_ library/aria.o + not grep mbedtls_camellia_ library/camellia.o + + # Run the tests + # ------------- + + msg "test: full + PSA dispatch in block_cipher" + make test +} + +# This is the reference component of component_test_full_block_cipher_psa_dispatch +component_test_full_block_cipher_legacy_dispatch () { + msg "build: full + legacy dispatch in block_cipher" + + common_block_cipher_dispatch 0 + + make + + msg "test: full + legacy dispatch in block_cipher" + make test +} + +component_test_aead_chachapoly_disabled () { + msg "build: full minus CHACHAPOLY" + scripts/config.py full + scripts/config.py unset MBEDTLS_CHACHAPOLY_C + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305 + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + + msg "test: full minus CHACHAPOLY" + make test +} + +component_test_aead_only_ccm () { + msg "build: full minus CHACHAPOLY and GCM" + scripts/config.py full + scripts/config.py unset MBEDTLS_CHACHAPOLY_C + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_GCM + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + + msg "test: full minus CHACHAPOLY and GCM" + make test +} + +component_test_ccm_aes_sha256 () { + msg "build: CCM + AES + SHA256 configuration" + + cp "$CONFIG_TEST_DRIVER_H" "$CONFIG_H" + cp configs/crypto-config-ccm-aes-sha256.h "$CRYPTO_CONFIG_H" + + make + + msg "test: CCM + AES + SHA256 configuration" + make test +} + +# Test that the given .o file builds with all (valid) combinations of the given options. +# +# Syntax: build_test_config_combos FILE VALIDATOR_FUNCTION OPT1 OPT2 ... +# +# The validator function is the name of a function to validate the combination of options. +# It may be "" if all combinations are valid. +# It receives a string containing a combination of options, as passed to the compiler, +# e.g. "-DOPT1 -DOPT2 ...". It must return 0 iff the combination is valid, non-zero if invalid. +build_test_config_combos () { + file=$1 + shift + validate_options=$1 + shift + options=("$@") + + # clear all of the options so that they can be overridden on the clang commandline + for opt in "${options[@]}"; do + ./scripts/config.py unset ${opt} + done + + # enter the directory containing the target file & strip the dir from the filename + cd $(dirname ${file}) + file=$(basename ${file}) + + # The most common issue is unused variables/functions, so ensure -Wunused is set. + warning_flags="-Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused" + + # Extract the command generated by the Makefile to build the target file. + # This ensures that we have any include paths, macro definitions, etc + # that may be applied by make. + # Add -fsyntax-only as we only want a syntax check and don't need to generate a file. + compile_cmd="clang \$(LOCAL_CFLAGS) ${warning_flags} -fsyntax-only -c" + + makefile=$(TMPDIR=. mktemp) + deps="" + + len=${#options[@]} + source_file=${file%.o}.c + + targets=0 + echo 'include Makefile' >${makefile} + + for ((i = 0; i < $((2**${len})); i++)); do + # generate each of 2^n combinations of options + # each bit of $i is used to determine if options[i] will be set or not + target="t" + clang_args="" + for ((j = 0; j < ${len}; j++)); do + if (((i >> j) & 1)); then + opt=-D${options[$j]} + clang_args="${clang_args} ${opt}" + target="${target}${opt}" + fi + done + + # if combination is not known to be invalid, add it to the makefile + if [[ -z $validate_options ]] || $validate_options "${clang_args}"; then + cmd="${compile_cmd} ${clang_args}" + echo "${target}: ${source_file}; $cmd ${source_file}" >> ${makefile} + + deps="${deps} ${target}" + ((++targets)) + fi + done + + echo "build_test_config_combos: ${deps}" >> ${makefile} + + # execute all of the commands via Make (probably in parallel) + make -s -f ${makefile} build_test_config_combos + echo "$targets targets checked" + + # clean up the temporary makefile + rm ${makefile} +} + +validate_aes_config_variations () { + if [[ "$1" == *"MBEDTLS_AES_USE_HARDWARE_ONLY"* ]]; then + if [[ "$1" == *"MBEDTLS_PADLOCK_C"* ]]; then + return 1 + fi + if [[ !(("$HOSTTYPE" == "aarch64" && "$1" != *"MBEDTLS_AESCE_C"*) || \ + ("$HOSTTYPE" == "x86_64" && "$1" != *"MBEDTLS_AESNI_C"*)) ]]; then + return 1 + fi + fi + return 0 +} + +component_build_aes_variations () { + # 18s - around 90ms per clang invocation on M1 Pro + # + # aes.o has many #if defined(...) guards that intersect in complex ways. + # Test that all the combinations build cleanly. + + MBEDTLS_ROOT_DIR="$PWD" + msg "build: aes.o for all combinations of relevant config options" + + build_test_config_combos library/aes.o validate_aes_config_variations \ + "MBEDTLS_AES_SETKEY_ENC_ALT" "MBEDTLS_AES_DECRYPT_ALT" \ + "MBEDTLS_AES_ROM_TABLES" "MBEDTLS_AES_ENCRYPT_ALT" "MBEDTLS_AES_SETKEY_DEC_ALT" \ + "MBEDTLS_AES_FEWER_TABLES" "MBEDTLS_PADLOCK_C" "MBEDTLS_AES_USE_HARDWARE_ONLY" \ + "MBEDTLS_AESNI_C" "MBEDTLS_AESCE_C" "MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH" + + cd "$MBEDTLS_ROOT_DIR" + msg "build: aes.o for all combinations of relevant config options + BLOCK_CIPHER_NO_DECRYPT" + + # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT is incompatible with ECB in PSA, CBC/XTS/NIST_KW/DES, + # manually set or unset those configurations to check + # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT with various combinations in aes.o. + scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT + scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC + scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS + scripts/config.py unset MBEDTLS_DES_C + scripts/config.py unset MBEDTLS_NIST_KW_C + build_test_config_combos library/aes.o validate_aes_config_variations \ + "MBEDTLS_AES_SETKEY_ENC_ALT" "MBEDTLS_AES_DECRYPT_ALT" \ + "MBEDTLS_AES_ROM_TABLES" "MBEDTLS_AES_ENCRYPT_ALT" "MBEDTLS_AES_SETKEY_DEC_ALT" \ + "MBEDTLS_AES_FEWER_TABLES" "MBEDTLS_PADLOCK_C" "MBEDTLS_AES_USE_HARDWARE_ONLY" \ + "MBEDTLS_AESNI_C" "MBEDTLS_AESCE_C" "MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH" +} + +component_test_sha3_variations () { + msg "sha3 loop unroll variations" + + # define minimal config sufficient to test SHA3 + cat > include/mbedtls/mbedtls_config.h << END + #define MBEDTLS_SELF_TEST + #define MBEDTLS_SHA3_C +END + + msg "all loops unrolled" + make clean + make -C tests test_suite_shax CFLAGS="-DMBEDTLS_SHA3_THETA_UNROLL=1 -DMBEDTLS_SHA3_PI_UNROLL=1 -DMBEDTLS_SHA3_CHI_UNROLL=1 -DMBEDTLS_SHA3_RHO_UNROLL=1" + ./tests/test_suite_shax + + msg "all loops rolled up" + make clean + make -C tests test_suite_shax CFLAGS="-DMBEDTLS_SHA3_THETA_UNROLL=0 -DMBEDTLS_SHA3_PI_UNROLL=0 -DMBEDTLS_SHA3_CHI_UNROLL=0 -DMBEDTLS_SHA3_RHO_UNROLL=0" + ./tests/test_suite_shax +} + +# For timebeing, no aarch64 gcc available in CI and no arm64 CI node. +component_build_aes_aesce_armcc () { + msg "Build: AESCE test on arm64 platform without plain C." + scripts/config.py baremetal + + # armc[56] don't support SHA-512 intrinsics + scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT + + # Stop armclang warning about feature detection for A64_CRYPTO. + # With this enabled, the library does build correctly under armclang, + # but in baremetal builds (as tested here), feature detection is + # unavailable, and the user is notified via a #warning. So enabling + # this feature would prevent us from building with -Werror on + # armclang. Tracked in #7198. + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT + scripts/config.py set MBEDTLS_HAVE_ASM + + msg "AESCE, build with default configuration." + scripts/config.py set MBEDTLS_AESCE_C + scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY + armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto" + + msg "AESCE, build AESCE only" + scripts/config.py set MBEDTLS_AESCE_C + scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY + armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto" +} + +support_build_aes_aesce_armcc () { + support_build_armcc +} + +component_test_aes_only_128_bit_keys () { + msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH" + scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH + scripts/config.py unset MBEDTLS_PADLOCK_C + + make CFLAGS='-O2 -Werror -Wall -Wextra' + + msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH" + make test +} + +component_test_no_ctr_drbg_aes_only_128_bit_keys () { + msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH - CTR_DRBG_C" + scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH + scripts/config.py unset MBEDTLS_CTR_DRBG_C + scripts/config.py unset MBEDTLS_PADLOCK_C + + make CC=clang CFLAGS='-Werror -Wall -Wextra' + + msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - CTR_DRBG_C" + make test +} + +component_test_aes_only_128_bit_keys_have_builtins () { + msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" + scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH + scripts/config.py unset MBEDTLS_PADLOCK_C + scripts/config.py unset MBEDTLS_AESNI_C + scripts/config.py unset MBEDTLS_AESCE_C + + make CFLAGS='-O2 -Werror -Wall -Wextra' + + msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" + make test + + msg "selftest: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" + programs/test/selftest +} + +component_test_gcm_largetable () { + msg "build: default config + GCM_LARGE_TABLE - AESNI_C - AESCE_C" + scripts/config.py set MBEDTLS_GCM_LARGE_TABLE + scripts/config.py unset MBEDTLS_PADLOCK_C + scripts/config.py unset MBEDTLS_AESNI_C + scripts/config.py unset MBEDTLS_AESCE_C + + make CFLAGS='-O2 -Werror -Wall -Wextra' + + msg "test: default config - GCM_LARGE_TABLE - AESNI_C - AESCE_C" + make test +} + +component_test_aes_fewer_tables () { + msg "build: default config with AES_FEWER_TABLES enabled" + scripts/config.py set MBEDTLS_AES_FEWER_TABLES + make CFLAGS='-O2 -Werror -Wall -Wextra' + + msg "test: AES_FEWER_TABLES" + make test +} + +component_test_aes_rom_tables () { + msg "build: default config with AES_ROM_TABLES enabled" + scripts/config.py set MBEDTLS_AES_ROM_TABLES + make CFLAGS='-O2 -Werror -Wall -Wextra' + + msg "test: AES_ROM_TABLES" + make test +} + +component_test_aes_fewer_tables_and_rom_tables () { + msg "build: default config with AES_ROM_TABLES and AES_FEWER_TABLES enabled" + scripts/config.py set MBEDTLS_AES_FEWER_TABLES + scripts/config.py set MBEDTLS_AES_ROM_TABLES + make CFLAGS='-O2 -Werror -Wall -Wextra' + + msg "test: AES_FEWER_TABLES + AES_ROM_TABLES" + make test +} + +# helper for common_block_cipher_no_decrypt() which: +# - enable/disable the list of config options passed from -s/-u respectively. +# - build +# - test for tests_suite_xxx +# - selftest +# +# Usage: helper_block_cipher_no_decrypt_build_test +# [-s set_opts] [-u unset_opts] [-c cflags] [-l ldflags] [option [...]] +# Options: -s set_opts the list of config options to enable +# -u unset_opts the list of config options to disable +# -c cflags the list of options passed to CFLAGS +# -l ldflags the list of options passed to LDFLAGS +helper_block_cipher_no_decrypt_build_test () { + while [ $# -gt 0 ]; do + case "$1" in + -s) + shift; local set_opts="$1";; + -u) + shift; local unset_opts="$1";; + -c) + shift; local cflags="-Werror -Wall -Wextra $1";; + -l) + shift; local ldflags="$1";; + esac + shift + done + set_opts="${set_opts:-}" + unset_opts="${unset_opts:-}" + cflags="${cflags:-}" + ldflags="${ldflags:-}" + + [ -n "$set_opts" ] && echo "Enabling: $set_opts" && scripts/config.py set-all $set_opts + [ -n "$unset_opts" ] && echo "Disabling: $unset_opts" && scripts/config.py unset-all $unset_opts + + msg "build: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" + make clean + make CFLAGS="-O2 $cflags" LDFLAGS="$ldflags" + + # Make sure we don't have mbedtls_xxx_setkey_dec in AES/ARIA/CAMELLIA + not grep mbedtls_aes_setkey_dec library/aes.o + not grep mbedtls_aria_setkey_dec library/aria.o + not grep mbedtls_camellia_setkey_dec library/camellia.o + # Make sure we don't have mbedtls_internal_aes_decrypt in AES + not grep mbedtls_internal_aes_decrypt library/aes.o + # Make sure we don't have mbedtls_aesni_inverse_key in AESNI + not grep mbedtls_aesni_inverse_key library/aesni.o + + msg "test: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" + make test + + msg "selftest: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" + programs/test/selftest +} + +# This is a common configuration function used in: +# - component_test_block_cipher_no_decrypt_aesni_legacy() +# - component_test_block_cipher_no_decrypt_aesni_use_psa() +# in order to test BLOCK_CIPHER_NO_DECRYPT with AESNI intrinsics, +# AESNI assembly and AES C implementation on x86_64 and with AESNI intrinsics +# on x86. +common_block_cipher_no_decrypt () { + # test AESNI intrinsics + helper_block_cipher_no_decrypt_build_test \ + -s "MBEDTLS_AESNI_C" \ + -c "-mpclmul -msse2 -maes" + + # test AESNI assembly + helper_block_cipher_no_decrypt_build_test \ + -s "MBEDTLS_AESNI_C" \ + -c "-mno-pclmul -mno-sse2 -mno-aes" + + # test AES C implementation + helper_block_cipher_no_decrypt_build_test \ + -u "MBEDTLS_AESNI_C" + + # test AESNI intrinsics for i386 target + helper_block_cipher_no_decrypt_build_test \ + -s "MBEDTLS_AESNI_C" \ + -c "-m32 -mpclmul -msse2 -maes" \ + -l "-m32" +} + +# This is a configuration function used in component_test_block_cipher_no_decrypt_xxx: +# usage: 0: no PSA crypto configuration +# 1: use PSA crypto configuration +config_block_cipher_no_decrypt () { + use_psa=$1 + + scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT + scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC + scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS + scripts/config.py unset MBEDTLS_DES_C + scripts/config.py unset MBEDTLS_NIST_KW_C + + if [ "$use_psa" -eq 1 ]; then + # Enable support for cryptographic mechanisms through the PSA API. + # Note: XTS, KW are not yet supported via the PSA API in Mbed TLS. + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_DES + fi +} + +component_test_block_cipher_no_decrypt_aesni () { + # This consistently causes an llvm crash on clang 3.8, so use gcc + export CC=gcc + config_block_cipher_no_decrypt 0 + common_block_cipher_no_decrypt +} + +component_test_block_cipher_no_decrypt_aesni_use_psa () { + # This consistently causes an llvm crash on clang 3.8, so use gcc + export CC=gcc + config_block_cipher_no_decrypt 1 + common_block_cipher_no_decrypt +} + +support_test_block_cipher_no_decrypt_aesce_armcc () { + support_build_armcc +} + +component_test_block_cipher_no_decrypt_aesce_armcc () { + scripts/config.py baremetal + + # armc[56] don't support SHA-512 intrinsics + scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT + + # Stop armclang warning about feature detection for A64_CRYPTO. + # With this enabled, the library does build correctly under armclang, + # but in baremetal builds (as tested here), feature detection is + # unavailable, and the user is notified via a #warning. So enabling + # this feature would prevent us from building with -Werror on + # armclang. Tracked in #7198. + scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT + scripts/config.py set MBEDTLS_HAVE_ASM + + config_block_cipher_no_decrypt 1 + + # test AESCE baremetal build + scripts/config.py set MBEDTLS_AESCE_C + msg "build: default config + BLOCK_CIPHER_NO_DECRYPT with AESCE" + armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto -Werror -Wall -Wextra" + + # Make sure we don't have mbedtls_xxx_setkey_dec in AES/ARIA/CAMELLIA + not grep mbedtls_aes_setkey_dec library/aes.o + not grep mbedtls_aria_setkey_dec library/aria.o + not grep mbedtls_camellia_setkey_dec library/camellia.o + # Make sure we don't have mbedtls_internal_aes_decrypt in AES + not grep mbedtls_internal_aes_decrypt library/aes.o + # Make sure we don't have mbedtls_aesce_inverse_key and aesce_decrypt_block in AESCE + not grep mbedtls_aesce_inverse_key library/aesce.o + not grep aesce_decrypt_block library/aesce.o +} + +component_test_ctr_drbg_aes_256_sha_256 () { + msg "build: full + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" + scripts/config.py full + scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C + scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256 + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: full + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" + make test +} + +component_test_ctr_drbg_aes_128_sha_512 () { + msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)" + scripts/config.py full + scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C + scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)" + make test +} + +component_test_ctr_drbg_aes_128_sha_256 () { + msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" + scripts/config.py full + scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C + scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256 + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" + make test +} + +component_test_se_default () { + msg "build: default config + MBEDTLS_PSA_CRYPTO_SE_C" + scripts/config.py set MBEDTLS_PSA_CRYPTO_SE_C + make CC=clang CFLAGS="$ASAN_CFLAGS -Os" LDFLAGS="$ASAN_CFLAGS" + + msg "test: default config + MBEDTLS_PSA_CRYPTO_SE_C" + make test +} + +component_test_full_static_keystore () { + msg "build: full config - MBEDTLS_PSA_KEY_STORE_DYNAMIC" + scripts/config.py full + scripts/config.py unset MBEDTLS_PSA_KEY_STORE_DYNAMIC + make CC=clang CFLAGS="$ASAN_CFLAGS -Os" LDFLAGS="$ASAN_CFLAGS" + + msg "test: full config - MBEDTLS_PSA_KEY_STORE_DYNAMIC" + make test +} + +component_test_psa_crypto_drivers () { + msg "build: full + test drivers dispatching to builtins" + scripts/config.py full + scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG + loc_cflags="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST_ALL" + loc_cflags="${loc_cflags} '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'" + loc_cflags="${loc_cflags} -I../tests/include -O2" + + make CC=$ASAN_CC CFLAGS="${loc_cflags}" LDFLAGS="$ASAN_CFLAGS" + + msg "test: full + test drivers dispatching to builtins" + make test +} + +component_build_psa_config_file () { + msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE" # ~40s + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + cp "$CRYPTO_CONFIG_H" psa_test_config.h + echo '#error "MBEDTLS_PSA_CRYPTO_CONFIG_FILE is not working"' >"$CRYPTO_CONFIG_H" + make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"'" + # Make sure this feature is enabled. We'll disable it in the next phase. + programs/test/query_compile_time_config MBEDTLS_CMAC_C + make clean + + msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE + MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE" # ~40s + # In the user config, disable one feature and its dependencies, which will + # reflect on the mbedtls configuration so we can query it with + # query_compile_time_config. + echo '#undef PSA_WANT_ALG_CMAC' >psa_user_config.h + echo '#undef PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128' >> psa_user_config.h + scripts/config.py unset MBEDTLS_CMAC_C + make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DMBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'" + not programs/test/query_compile_time_config MBEDTLS_CMAC_C + + rm -f psa_test_config.h psa_user_config.h +} + +component_build_psa_alt_headers () { + msg "build: make with PSA alt headers" # ~20s + + # Generate alternative versions of the substitutable headers with the + # same content except different include guards. + make -C tests include/alt-extra/psa/crypto_platform_alt.h include/alt-extra/psa/crypto_struct_alt.h + + # Build the library and some programs. + # Don't build the fuzzers to avoid having to go through hoops to set + # a correct include path for programs/fuzz/Makefile. + make CFLAGS="-I ../tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" lib + make -C programs -o fuzz CFLAGS="-I ../tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" + + # Check that we're getting the alternative include guards and not the + # original include guards. + programs/test/query_included_headers | grep -x PSA_CRYPTO_PLATFORM_ALT_H + programs/test/query_included_headers | grep -x PSA_CRYPTO_STRUCT_ALT_H + programs/test/query_included_headers | not grep -x PSA_CRYPTO_PLATFORM_H + programs/test/query_included_headers | not grep -x PSA_CRYPTO_STRUCT_H +} + +component_test_min_mpi_window_size () { + msg "build: Default + MBEDTLS_MPI_WINDOW_SIZE=1 (ASan build)" # ~ 10s + scripts/config.py set MBEDTLS_MPI_WINDOW_SIZE 1 + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: MBEDTLS_MPI_WINDOW_SIZE=1 - main suites (inc. selftests) (ASan build)" # ~ 10s + make test +} diff --git a/yass/third_party/mbedtls/tests/scripts/components-configuration-platform.sh b/yass/third_party/mbedtls/tests/scripts/components-configuration-platform.sh new file mode 100644 index 0000000000..0b96634b3d --- /dev/null +++ b/yass/third_party/mbedtls/tests/scripts/components-configuration-platform.sh @@ -0,0 +1,111 @@ +# components-configuration-platform.sh +# +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +# This file contains test components that are executed by all.sh + +################################################################ +#### Configuration Testing - Platform +################################################################ + +component_build_no_std_function () { + # catch compile bugs in _uninit functions + msg "build: full config with NO_STD_FUNCTION, make, gcc" # ~ 30s + scripts/config.py full + scripts/config.py set MBEDTLS_PLATFORM_NO_STD_FUNCTIONS + scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED + scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Check . + make +} + +component_build_no_sockets () { + # Note, C99 compliance can also be tested with the sockets support disabled, + # as that requires a POSIX platform (which isn't the same as C99). + msg "build: full config except net_sockets.c, make, gcc -std=c99 -pedantic" # ~ 30s + scripts/config.py full + scripts/config.py unset MBEDTLS_NET_C # getaddrinfo() undeclared, etc. + scripts/config.py set MBEDTLS_NO_PLATFORM_ENTROPY # uses syscall() on GNU/Linux + make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1 -std=c99 -pedantic' lib +} + +component_test_no_date_time () { + msg "build: default config without MBEDTLS_HAVE_TIME_DATE" + scripts/config.py unset MBEDTLS_HAVE_TIME_DATE + cmake -D CMAKE_BUILD_TYPE:String=Check . + make + + msg "test: !MBEDTLS_HAVE_TIME_DATE - main suites" + make test +} + +component_test_platform_calloc_macro () { + msg "build: MBEDTLS_PLATFORM_{CALLOC/FREE}_MACRO enabled (ASan build)" + scripts/config.py set MBEDTLS_PLATFORM_MEMORY + scripts/config.py set MBEDTLS_PLATFORM_CALLOC_MACRO calloc + scripts/config.py set MBEDTLS_PLATFORM_FREE_MACRO free + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: MBEDTLS_PLATFORM_{CALLOC/FREE}_MACRO enabled (ASan build)" + make test +} + +component_test_have_int32 () { + msg "build: gcc, force 32-bit bignum limbs" + scripts/config.py unset MBEDTLS_HAVE_ASM + scripts/config.py unset MBEDTLS_AESNI_C + scripts/config.py unset MBEDTLS_PADLOCK_C + scripts/config.py unset MBEDTLS_AESCE_C + make CC=gcc CFLAGS='-O2 -Werror -Wall -Wextra -DMBEDTLS_HAVE_INT32' + + msg "test: gcc, force 32-bit bignum limbs" + make test +} + +component_test_have_int64 () { + msg "build: gcc, force 64-bit bignum limbs" + scripts/config.py unset MBEDTLS_HAVE_ASM + scripts/config.py unset MBEDTLS_AESNI_C + scripts/config.py unset MBEDTLS_PADLOCK_C + scripts/config.py unset MBEDTLS_AESCE_C + make CC=gcc CFLAGS='-O2 -Werror -Wall -Wextra -DMBEDTLS_HAVE_INT64' + + msg "test: gcc, force 64-bit bignum limbs" + make test +} + +component_test_have_int32_cmake_new_bignum () { + msg "build: gcc, force 32-bit bignum limbs, new bignum interface, test hooks (ASan build)" + scripts/config.py unset MBEDTLS_HAVE_ASM + scripts/config.py unset MBEDTLS_AESNI_C + scripts/config.py unset MBEDTLS_PADLOCK_C + scripts/config.py unset MBEDTLS_AESCE_C + scripts/config.py set MBEDTLS_TEST_HOOKS + scripts/config.py set MBEDTLS_ECP_WITH_MPI_UINT + make CC=gcc CFLAGS="$ASAN_CFLAGS -Werror -Wall -Wextra -DMBEDTLS_HAVE_INT32" LDFLAGS="$ASAN_CFLAGS" + + msg "test: gcc, force 32-bit bignum limbs, new bignum interface, test hooks (ASan build)" + make test +} + +component_test_no_udbl_division () { + msg "build: MBEDTLS_NO_UDBL_DIVISION native" # ~ 10s + scripts/config.py full + scripts/config.py set MBEDTLS_NO_UDBL_DIVISION + make CFLAGS='-Werror -O1' + + msg "test: MBEDTLS_NO_UDBL_DIVISION native" # ~ 10s + make test +} + +component_test_no_64bit_multiplication () { + msg "build: MBEDTLS_NO_64BIT_MULTIPLICATION native" # ~ 10s + scripts/config.py full + scripts/config.py set MBEDTLS_NO_64BIT_MULTIPLICATION + make CFLAGS='-Werror -O1' + + msg "test: MBEDTLS_NO_64BIT_MULTIPLICATION native" # ~ 10s + make test +} diff --git a/yass/third_party/mbedtls/tests/scripts/components-configuration-tls.sh b/yass/third_party/mbedtls/tests/scripts/components-configuration-tls.sh new file mode 100644 index 0000000000..7debb342b0 --- /dev/null +++ b/yass/third_party/mbedtls/tests/scripts/components-configuration-tls.sh @@ -0,0 +1,627 @@ +# components-configuration-tls.sh +# +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +# This file contains test components that are executed by all.sh + +################################################################ +#### Configuration Testing - TLS +################################################################ + +component_test_no_renegotiation () { + msg "build: Default + !MBEDTLS_SSL_RENEGOTIATION (ASan build)" # ~ 6 min + scripts/config.py unset MBEDTLS_SSL_RENEGOTIATION + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: !MBEDTLS_SSL_RENEGOTIATION - main suites (inc. selftests) (ASan build)" # ~ 50s + make test + + msg "test: !MBEDTLS_SSL_RENEGOTIATION - ssl-opt.sh (ASan build)" # ~ 6 min + tests/ssl-opt.sh +} + +component_test_tls1_2_default_stream_cipher_only () { + msg "build: default with only stream cipher" + + # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_CHACHAPOLY_C + #Disable TLS 1.3 (as no AEAD) + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) + scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC + # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) + scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC + # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) + scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER + # Modules that depend on AEAD + scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + scripts/config.py unset MBEDTLS_SSL_TICKET_C + + make + + msg "test: default with only stream cipher" + make test + + # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite. +} + +component_test_tls1_2_default_stream_cipher_only_use_psa () { + msg "build: default with only stream cipher use psa" + + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_CHACHAPOLY_C + #Disable TLS 1.3 (as no AEAD) + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) + scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC + # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) + scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC + # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) + scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER + # Modules that depend on AEAD + scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + scripts/config.py unset MBEDTLS_SSL_TICKET_C + + make + + msg "test: default with only stream cipher use psa" + make test + + # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite. +} + +component_test_tls1_2_default_cbc_legacy_cipher_only () { + msg "build: default with only CBC-legacy cipher" + + # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_CHACHAPOLY_C + #Disable TLS 1.3 (as no AEAD) + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) + scripts/config.py set MBEDTLS_CIPHER_MODE_CBC + # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) + scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC + # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) + scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER + # Modules that depend on AEAD + scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + scripts/config.py unset MBEDTLS_SSL_TICKET_C + + make + + msg "test: default with only CBC-legacy cipher" + make test + + msg "test: default with only CBC-legacy cipher - ssl-opt.sh (subset)" + tests/ssl-opt.sh -f "TLS 1.2" +} + +component_test_tls1_2_default_cbc_legacy_cipher_only_use_psa () { + msg "build: default with only CBC-legacy cipher use psa" + + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_CHACHAPOLY_C + #Disable TLS 1.3 (as no AEAD) + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) + scripts/config.py set MBEDTLS_CIPHER_MODE_CBC + # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) + scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC + # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) + scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER + # Modules that depend on AEAD + scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + scripts/config.py unset MBEDTLS_SSL_TICKET_C + + make + + msg "test: default with only CBC-legacy cipher use psa" + make test + + msg "test: default with only CBC-legacy cipher use psa - ssl-opt.sh (subset)" + tests/ssl-opt.sh -f "TLS 1.2" +} + +component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () { + msg "build: default with only CBC-legacy and CBC-EtM ciphers" + + # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_CHACHAPOLY_C + #Disable TLS 1.3 (as no AEAD) + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) + scripts/config.py set MBEDTLS_CIPHER_MODE_CBC + # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) + scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC + # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) + scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER + # Modules that depend on AEAD + scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + scripts/config.py unset MBEDTLS_SSL_TICKET_C + + make + + msg "test: default with only CBC-legacy and CBC-EtM ciphers" + make test + + msg "test: default with only CBC-legacy and CBC-EtM ciphers - ssl-opt.sh (subset)" + tests/ssl-opt.sh -f "TLS 1.2" +} + +component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa () { + msg "build: default with only CBC-legacy and CBC-EtM ciphers use psa" + + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_CHACHAPOLY_C + #Disable TLS 1.3 (as no AEAD) + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) + scripts/config.py set MBEDTLS_CIPHER_MODE_CBC + # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) + scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC + # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) + scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER + # Modules that depend on AEAD + scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + scripts/config.py unset MBEDTLS_SSL_TICKET_C + + make + + msg "test: default with only CBC-legacy and CBC-EtM ciphers use psa" + make test + + msg "test: default with only CBC-legacy and CBC-EtM ciphers use psa - ssl-opt.sh (subset)" + tests/ssl-opt.sh -f "TLS 1.2" +} + +# We're not aware of any other (open source) implementation of EC J-PAKE in TLS +# that we could use for interop testing. However, we now have sort of two +# implementations ourselves: one using PSA, the other not. At least test that +# these two interoperate with each other. +component_test_tls1_2_ecjpake_compatibility () { + msg "build: TLS1.2 server+client w/ EC-JPAKE w/o USE_PSA" + scripts/config.py set MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED + # Explicitly make lib first to avoid a race condition: + # https://github.com/Mbed-TLS/mbedtls/issues/8229 + make lib + make -C programs ssl/ssl_server2 ssl/ssl_client2 + cp programs/ssl/ssl_server2 s2_no_use_psa + cp programs/ssl/ssl_client2 c2_no_use_psa + + msg "build: TLS1.2 server+client w/ EC-JPAKE w/ USE_PSA" + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + make clean + make lib + make -C programs ssl/ssl_server2 ssl/ssl_client2 + make -C programs test/udp_proxy test/query_compile_time_config + + msg "test: server w/o USE_PSA - client w/ USE_PSA, text password" + P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: working, TLS" + msg "test: server w/o USE_PSA - client w/ USE_PSA, opaque password" + P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: opaque password client only, working, TLS" + msg "test: client w/o USE_PSA - server w/ USE_PSA, text password" + P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: working, TLS" + msg "test: client w/o USE_PSA - server w/ USE_PSA, opaque password" + P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: opaque password server only, working, TLS" + + rm s2_no_use_psa c2_no_use_psa +} + +component_test_small_ssl_out_content_len () { + msg "build: small SSL_OUT_CONTENT_LEN (ASan build)" + scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 16384 + scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 4096 + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: small SSL_OUT_CONTENT_LEN - ssl-opt.sh MFL and large packet tests" + tests/ssl-opt.sh -f "Max fragment\|Large packet" +} + +component_test_small_ssl_in_content_len () { + msg "build: small SSL_IN_CONTENT_LEN (ASan build)" + scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 4096 + scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 16384 + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: small SSL_IN_CONTENT_LEN - ssl-opt.sh MFL tests" + tests/ssl-opt.sh -f "Max fragment" +} + +component_test_small_ssl_dtls_max_buffering () { + msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0" + scripts/config.py set MBEDTLS_SSL_DTLS_MAX_BUFFERING 1000 + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0 - ssl-opt.sh specific reordering test" + tests/ssl-opt.sh -f "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg" +} + +component_test_small_mbedtls_ssl_dtls_max_buffering () { + msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1" + scripts/config.py set MBEDTLS_SSL_DTLS_MAX_BUFFERING 190 + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1 - ssl-opt.sh specific reordering test" + tests/ssl-opt.sh -f "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket" +} + +component_test_depends_py_kex () { + msg "test/build: depends.py kex (gcc)" + tests/scripts/depends.py kex --unset-use-psa +} + +component_test_depends_py_kex_psa () { + msg "test/build: depends.py kex (gcc) with MBEDTLS_USE_PSA_CRYPTO defined" + tests/scripts/depends.py kex +} + +# Common helper for component_full_without_ecdhe_ecdsa() and +# component_full_without_ecdhe_ecdsa_and_tls13() which: +# - starts from the "full" configuration minus the list of symbols passed in +# as 1st parameter +# - build +# - test only TLS (i.e. test_suite_tls and ssl-opt) +build_full_minus_something_and_test_tls () { + symbols_to_disable="$1" + + msg "build: full minus something, test TLS" + + scripts/config.py full + for sym in $symbols_to_disable; do + echo "Disabling $sym" + scripts/config.py unset $sym + done + + make + + msg "test: full minus something, test TLS" + ( cd tests; ./test_suite_ssl ) + + msg "ssl-opt: full minus something, test TLS" + tests/ssl-opt.sh +} + +component_full_without_ecdhe_ecdsa () { + build_full_minus_something_and_test_tls "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED" +} + +component_full_without_ecdhe_ecdsa_and_tls13 () { + build_full_minus_something_and_test_tls "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED + MBEDTLS_SSL_PROTO_TLS1_3" +} + +component_build_no_ssl_srv () { + msg "build: full config except SSL server, make, gcc" # ~ 30s + scripts/config.py full + scripts/config.py unset MBEDTLS_SSL_SRV_C + make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1 -Wmissing-prototypes' +} + +component_build_no_ssl_cli () { + msg "build: full config except SSL client, make, gcc" # ~ 30s + scripts/config.py full + scripts/config.py unset MBEDTLS_SSL_CLI_C + make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1 -Wmissing-prototypes' +} + +component_test_no_max_fragment_length () { + # Run max fragment length tests with MFL disabled + msg "build: default config except MFL extension (ASan build)" # ~ 30s + scripts/config.py unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: ssl-opt.sh, MFL-related tests" + tests/ssl-opt.sh -f "Max fragment length" +} + +component_test_asan_remove_peer_certificate () { + msg "build: default config with MBEDTLS_SSL_KEEP_PEER_CERTIFICATE disabled (ASan build)" + scripts/config.py unset MBEDTLS_SSL_KEEP_PEER_CERTIFICATE + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" + make test + + msg "test: ssl-opt.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" + tests/ssl-opt.sh + + msg "test: compat.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" + tests/compat.sh + + msg "test: context-info.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" + tests/context-info.sh +} + +component_test_no_max_fragment_length_small_ssl_out_content_len () { + msg "build: no MFL extension, small SSL_OUT_CONTENT_LEN (ASan build)" + scripts/config.py unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH + scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 16384 + scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 4096 + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: MFL tests (disabled MFL extension case) & large packet tests" + tests/ssl-opt.sh -f "Max fragment length\|Large buffer" + + msg "test: context-info.sh (disabled MFL extension case)" + tests/context-info.sh +} + +component_test_variable_ssl_in_out_buffer_len () { + msg "build: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled (ASan build)" + scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled" + make test + + msg "test: ssl-opt.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled" + tests/ssl-opt.sh + + msg "test: compat.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled" + tests/compat.sh +} + +component_test_dtls_cid_legacy () { + msg "build: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled (ASan build)" + scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 1 + + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy)" + make test + + msg "test: ssl-opt.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled" + tests/ssl-opt.sh + + msg "test: compat.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled" + tests/compat.sh +} + +component_test_ssl_alloc_buffer_and_mfl () { + msg "build: default config with memory buffer allocator and MFL extension" + scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C + scripts/config.py set MBEDTLS_PLATFORM_MEMORY + scripts/config.py set MBEDTLS_MEMORY_DEBUG + scripts/config.py set MBEDTLS_SSL_MAX_FRAGMENT_LENGTH + scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH + cmake -DCMAKE_BUILD_TYPE:String=Release . + make + + msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH, MBEDTLS_MEMORY_BUFFER_ALLOC_C, MBEDTLS_MEMORY_DEBUG and MBEDTLS_SSL_MAX_FRAGMENT_LENGTH" + make test + + msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH, MBEDTLS_MEMORY_BUFFER_ALLOC_C, MBEDTLS_MEMORY_DEBUG and MBEDTLS_SSL_MAX_FRAGMENT_LENGTH" + tests/ssl-opt.sh -f "Handshake memory usage" +} + +component_test_when_no_ciphersuites_have_mac () { + msg "build: when no ciphersuites have MAC" + scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER + scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC + scripts/config.py unset MBEDTLS_CMAC_C + make + + msg "test: !MBEDTLS_SSL_SOME_SUITES_USE_MAC" + make test + + msg "test ssl-opt.sh: !MBEDTLS_SSL_SOME_SUITES_USE_MAC" + tests/ssl-opt.sh -f 'Default\|EtM' -e 'without EtM' +} + +component_test_tls12_only () { + msg "build: default config without MBEDTLS_SSL_PROTO_TLS1_3, cmake, gcc, ASan" + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: main suites (inc. selftests) (ASan build)" + make test + + msg "test: ssl-opt.sh (ASan build)" + tests/ssl-opt.sh + + msg "test: compat.sh (ASan build)" + tests/compat.sh +} + +component_test_tls13_only () { + msg "build: default config without MBEDTLS_SSL_PROTO_TLS1_2" + scripts/config.py set MBEDTLS_SSL_EARLY_DATA + scripts/config.py set MBEDTLS_SSL_RECORD_SIZE_LIMIT + make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" + + msg "test: TLS 1.3 only, all key exchange modes enabled" + make test + + msg "ssl-opt.sh: TLS 1.3 only, all key exchange modes enabled" + tests/ssl-opt.sh +} + +component_test_tls13_only_psk () { + msg "build: TLS 1.3 only from default, only PSK key exchange mode" + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED + scripts/config.py unset MBEDTLS_ECDH_C + scripts/config.py unset MBEDTLS_DHM_C + scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C + scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT + scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION + scripts/config.py unset MBEDTLS_ECDSA_C + scripts/config.py unset MBEDTLS_PKCS1_V21 + scripts/config.py unset MBEDTLS_PKCS7_C + scripts/config.py set MBEDTLS_SSL_EARLY_DATA + make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" + + msg "test_suite_ssl: TLS 1.3 only, only PSK key exchange mode enabled" + cd tests; ./test_suite_ssl; cd .. + + msg "ssl-opt.sh: TLS 1.3 only, only PSK key exchange mode enabled" + tests/ssl-opt.sh +} + +component_test_tls13_only_ephemeral () { + msg "build: TLS 1.3 only from default, only ephemeral key exchange mode" + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED + scripts/config.py unset MBEDTLS_SSL_EARLY_DATA + make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" + + msg "test_suite_ssl: TLS 1.3 only, only ephemeral key exchange mode" + cd tests; ./test_suite_ssl; cd .. + + msg "ssl-opt.sh: TLS 1.3 only, only ephemeral key exchange mode" + tests/ssl-opt.sh +} + +component_test_tls13_only_ephemeral_ffdh () { + msg "build: TLS 1.3 only from default, only ephemeral ffdh key exchange mode" + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED + scripts/config.py unset MBEDTLS_SSL_EARLY_DATA + scripts/config.py unset MBEDTLS_ECDH_C + + make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" + + msg "test_suite_ssl: TLS 1.3 only, only ephemeral ffdh key exchange mode" + cd tests; ./test_suite_ssl; cd .. + + msg "ssl-opt.sh: TLS 1.3 only, only ephemeral ffdh key exchange mode" + tests/ssl-opt.sh +} + +component_test_tls13_only_psk_ephemeral () { + msg "build: TLS 1.3 only from default, only PSK ephemeral key exchange mode" + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED + scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C + scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT + scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION + scripts/config.py unset MBEDTLS_ECDSA_C + scripts/config.py unset MBEDTLS_PKCS1_V21 + scripts/config.py unset MBEDTLS_PKCS7_C + scripts/config.py set MBEDTLS_SSL_EARLY_DATA + make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" + + msg "test_suite_ssl: TLS 1.3 only, only PSK ephemeral key exchange mode" + cd tests; ./test_suite_ssl; cd .. + + msg "ssl-opt.sh: TLS 1.3 only, only PSK ephemeral key exchange mode" + tests/ssl-opt.sh +} + +component_test_tls13_only_psk_ephemeral_ffdh () { + msg "build: TLS 1.3 only from default, only PSK ephemeral ffdh key exchange mode" + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED + scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C + scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT + scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION + scripts/config.py unset MBEDTLS_ECDSA_C + scripts/config.py unset MBEDTLS_PKCS1_V21 + scripts/config.py unset MBEDTLS_PKCS7_C + scripts/config.py set MBEDTLS_SSL_EARLY_DATA + scripts/config.py unset MBEDTLS_ECDH_C + make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" + + msg "test_suite_ssl: TLS 1.3 only, only PSK ephemeral ffdh key exchange mode" + cd tests; ./test_suite_ssl; cd .. + + msg "ssl-opt.sh: TLS 1.3 only, only PSK ephemeral ffdh key exchange mode" + tests/ssl-opt.sh +} + +component_test_tls13_only_psk_all () { + msg "build: TLS 1.3 only from default, without ephemeral key exchange mode" + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED + scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C + scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT + scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION + scripts/config.py unset MBEDTLS_ECDSA_C + scripts/config.py unset MBEDTLS_PKCS1_V21 + scripts/config.py unset MBEDTLS_PKCS7_C + scripts/config.py set MBEDTLS_SSL_EARLY_DATA + make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" + + msg "test_suite_ssl: TLS 1.3 only, PSK and PSK ephemeral key exchange modes" + cd tests; ./test_suite_ssl; cd .. + + msg "ssl-opt.sh: TLS 1.3 only, PSK and PSK ephemeral key exchange modes" + tests/ssl-opt.sh +} + +component_test_tls13_only_ephemeral_all () { + msg "build: TLS 1.3 only from default, without PSK key exchange mode" + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED + scripts/config.py set MBEDTLS_SSL_EARLY_DATA + make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" + + msg "test_suite_ssl: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes" + cd tests; ./test_suite_ssl; cd .. + + msg "ssl-opt.sh: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes" + tests/ssl-opt.sh +} + +component_test_tls13_no_padding () { + msg "build: default config plus early data minus padding" + scripts/config.py set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1 + scripts/config.py set MBEDTLS_SSL_EARLY_DATA + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + msg "test: default config plus early data minus padding" + make test + msg "ssl-opt.sh (TLS 1.3 no padding)" + tests/ssl-opt.sh +} + +component_test_tls13_no_compatibility_mode () { + msg "build: default config plus early data minus middlebox compatibility mode" + scripts/config.py unset MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE + scripts/config.py set MBEDTLS_SSL_EARLY_DATA + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + msg "test: default config plus early data minus middlebox compatibility mode" + make test + msg "ssl-opt.sh (TLS 1.3 no compatibility mode)" + tests/ssl-opt.sh +} + +component_test_full_minus_session_tickets () { + msg "build: full config without session tickets" + scripts/config.py full + scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + scripts/config.py unset MBEDTLS_SSL_EARLY_DATA + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + msg "test: full config without session tickets" + make test + msg "ssl-opt.sh (full config without session tickets)" + tests/ssl-opt.sh +} diff --git a/yass/third_party/mbedtls/tests/scripts/components-configuration-x509.sh b/yass/third_party/mbedtls/tests/scripts/components-configuration-x509.sh new file mode 100644 index 0000000000..e8ef283fc2 --- /dev/null +++ b/yass/third_party/mbedtls/tests/scripts/components-configuration-x509.sh @@ -0,0 +1,35 @@ +# components-configuration-x509.sh +# +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +# This file contains test components that are executed by all.sh + +################################################################ +#### Configuration Testing - X509 +################################################################ + +component_test_no_x509_info () { + msg "build: full + MBEDTLS_X509_REMOVE_INFO" # ~ 10s + scripts/config.pl full + scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests + scripts/config.pl set MBEDTLS_X509_REMOVE_INFO + make CFLAGS='-Werror -O2' + + msg "test: full + MBEDTLS_X509_REMOVE_INFO" # ~ 10s + make test + + msg "test: ssl-opt.sh, full + MBEDTLS_X509_REMOVE_INFO" # ~ 1 min + tests/ssl-opt.sh +} + +component_test_sw_inet_pton () { + msg "build: default plus MBEDTLS_TEST_SW_INET_PTON" + + # MBEDTLS_TEST_HOOKS required for x509_crt_parse_cn_inet_pton + scripts/config.py set MBEDTLS_TEST_HOOKS + make CFLAGS="-DMBEDTLS_TEST_SW_INET_PTON" + + msg "test: default plus MBEDTLS_TEST_SW_INET_PTON" + make test +} diff --git a/yass/third_party/mbedtls/tests/scripts/components-configuration.sh b/yass/third_party/mbedtls/tests/scripts/components-configuration.sh new file mode 100644 index 0000000000..3a75c4c1e7 --- /dev/null +++ b/yass/third_party/mbedtls/tests/scripts/components-configuration.sh @@ -0,0 +1,397 @@ +# components-configuration.sh +# +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +# This file contains test components that are executed by all.sh + +################################################################ +#### Configuration Testing +################################################################ + +component_test_default_out_of_box () { + msg "build: make, default config (out-of-box)" # ~1min + make + # Disable fancy stuff + unset MBEDTLS_TEST_OUTCOME_FILE + + msg "test: main suites make, default config (out-of-box)" # ~10s + make test + + msg "selftest: make, default config (out-of-box)" # ~10s + programs/test/selftest + + msg "program demos: make, default config (out-of-box)" # ~10s + tests/scripts/run_demos.py +} + +component_test_default_cmake_gcc_asan () { + msg "build: cmake, gcc, ASan" # ~ 1 min 50s + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: main suites (inc. selftests) (ASan build)" # ~ 50s + make test + + msg "program demos (ASan build)" # ~10s + tests/scripts/run_demos.py + + msg "test: selftest (ASan build)" # ~ 10s + programs/test/selftest + + msg "test: metatests (GCC, ASan build)" + tests/scripts/run-metatests.sh any asan poison + + msg "test: ssl-opt.sh (ASan build)" # ~ 1 min + tests/ssl-opt.sh + + msg "test: compat.sh (ASan build)" # ~ 6 min + tests/compat.sh + + msg "test: context-info.sh (ASan build)" # ~ 15 sec + tests/context-info.sh +} + +component_test_default_cmake_gcc_asan_new_bignum () { + msg "build: cmake, gcc, ASan" # ~ 1 min 50s + scripts/config.py set MBEDTLS_ECP_WITH_MPI_UINT + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: main suites (inc. selftests) (ASan build)" # ~ 50s + make test + + msg "test: selftest (ASan build)" # ~ 10s + programs/test/selftest + + msg "test: ssl-opt.sh (ASan build)" # ~ 1 min + tests/ssl-opt.sh + + msg "test: compat.sh (ASan build)" # ~ 6 min + tests/compat.sh + + msg "test: context-info.sh (ASan build)" # ~ 15 sec + tests/context-info.sh +} + +component_test_full_cmake_gcc_asan () { + msg "build: full config, cmake, gcc, ASan" + scripts/config.py full + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: main suites (inc. selftests) (full config, ASan build)" + make test + + msg "test: selftest (full config, ASan build)" # ~ 10s + programs/test/selftest + + msg "test: ssl-opt.sh (full config, ASan build)" + tests/ssl-opt.sh + + # Note: the next two invocations cover all compat.sh test cases. + # We should use the same here and in basic-build-test.sh. + msg "test: compat.sh: default version (full config, ASan build)" + tests/compat.sh -e 'ARIA\|CHACHA' + + msg "test: compat.sh: next: ARIA, Chacha (full config, ASan build)" + env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' + + msg "test: context-info.sh (full config, ASan build)" # ~ 15 sec + tests/context-info.sh +} + +component_test_full_cmake_gcc_asan_new_bignum () { + msg "build: full config, cmake, gcc, ASan" + scripts/config.py full + scripts/config.py set MBEDTLS_ECP_WITH_MPI_UINT + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: main suites (inc. selftests) (full config, new bignum, ASan)" + make test + + msg "test: selftest (full config, new bignum, ASan)" # ~ 10s + programs/test/selftest + + msg "test: ssl-opt.sh (full config, new bignum, ASan)" + tests/ssl-opt.sh + + # Note: the next two invocations cover all compat.sh test cases. + # We should use the same here and in basic-build-test.sh. + msg "test: compat.sh: default version (full config, new bignum, ASan)" + tests/compat.sh -e 'ARIA\|CHACHA' + + msg "test: compat.sh: next: ARIA, Chacha (full config, new bignum, ASan)" + env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' + + msg "test: context-info.sh (full config, new bignum, ASan)" # ~ 15 sec + tests/context-info.sh +} + +component_test_ref_configs () { + msg "test/build: ref-configs (ASan build)" # ~ 6 min 20s + # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake + # want to re-generate generated files that depend on it, quite correctly. + # However this doesn't work as the generation script expects a specific + # format for mbedtls_config.h, which the other files don't follow. Also, + # cmake can't know this, but re-generation is actually not necessary as + # the generated files only depend on the list of available options, not + # whether they're on or off. So, disable cmake's (over-sensitive here) + # dependency resolution for generated files and just rely on them being + # present (thanks to pre_generate_files) by turning GEN_FILES off. + CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . + tests/scripts/test-ref-configs.pl +} + +component_test_full_cmake_clang () { + msg "build: cmake, full config, clang" # ~ 50s + scripts/config.py full + CC=clang CXX=clang cmake -D CMAKE_BUILD_TYPE:String=Release -D ENABLE_TESTING=On -D TEST_CPP=1 . + make + + msg "test: main suites (full config, clang)" # ~ 5s + make test + + msg "test: cpp_dummy_build (full config, clang)" # ~ 1s + programs/test/cpp_dummy_build + + msg "test: metatests (clang)" + tests/scripts/run-metatests.sh any pthread + + msg "program demos (full config, clang)" # ~10s + tests/scripts/run_demos.py + + msg "test: psa_constant_names (full config, clang)" # ~ 1s + tests/scripts/test_psa_constant_names.py + + msg "test: ssl-opt.sh default, ECJPAKE, SSL async (full config)" # ~ 1s + tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private' +} + +component_test_default_no_deprecated () { + # Test that removing the deprecated features from the default + # configuration leaves something consistent. + msg "build: make, default + MBEDTLS_DEPRECATED_REMOVED" # ~ 30s + scripts/config.py set MBEDTLS_DEPRECATED_REMOVED + make CFLAGS='-O -Werror -Wall -Wextra' + + msg "test: make, default + MBEDTLS_DEPRECATED_REMOVED" # ~ 5s + make test +} + +component_test_full_no_deprecated () { + msg "build: make, full_no_deprecated config" # ~ 30s + scripts/config.py full_no_deprecated + make CFLAGS='-O -Werror -Wall -Wextra' + + msg "test: make, full_no_deprecated config" # ~ 5s + make test + + msg "test: ensure that X509 has no direct dependency on BIGNUM_C" + not grep mbedtls_mpi library/libmbedx509.a +} + +component_test_full_no_deprecated_deprecated_warning () { + # Test that there is nothing deprecated in "full_no_deprecated". + # A deprecated feature would trigger a warning (made fatal) from + # MBEDTLS_DEPRECATED_WARNING. + msg "build: make, full_no_deprecated config, MBEDTLS_DEPRECATED_WARNING" # ~ 30s + scripts/config.py full_no_deprecated + scripts/config.py unset MBEDTLS_DEPRECATED_REMOVED + scripts/config.py set MBEDTLS_DEPRECATED_WARNING + make CFLAGS='-O -Werror -Wall -Wextra' + + msg "test: make, full_no_deprecated config, MBEDTLS_DEPRECATED_WARNING" # ~ 5s + make test +} + +component_test_full_deprecated_warning () { + # Test that when MBEDTLS_DEPRECATED_WARNING is enabled, the build passes + # with only certain whitelisted types of warnings. + msg "build: make, full config + MBEDTLS_DEPRECATED_WARNING, expect warnings" # ~ 30s + scripts/config.py full + scripts/config.py set MBEDTLS_DEPRECATED_WARNING + # Expect warnings from '#warning' directives in check_config.h. + # Note that gcc is required to allow the use of -Wno-error=cpp, which allows us to + # display #warning messages without them being treated as errors. + make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-error=cpp' lib programs + + msg "build: make tests, full config + MBEDTLS_DEPRECATED_WARNING, expect warnings" # ~ 30s + # Set MBEDTLS_TEST_DEPRECATED to enable tests for deprecated features. + # By default those are disabled when MBEDTLS_DEPRECATED_WARNING is set. + # Expect warnings from '#warning' directives in check_config.h and + # from the use of deprecated functions in test suites. + make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-error=deprecated-declarations -Wno-error=cpp -DMBEDTLS_TEST_DEPRECATED' tests + + msg "test: full config + MBEDTLS_TEST_DEPRECATED" # ~ 30s + make test + + msg "program demos: full config + MBEDTLS_TEST_DEPRECATED" # ~10s + tests/scripts/run_demos.py +} + +component_build_baremetal () { + msg "build: make, baremetal config" + scripts/config.py baremetal + make CFLAGS="-O1 -Werror -I$PWD/tests/include/baremetal-override/" +} + +support_build_baremetal () { + # Older Glibc versions include time.h from other headers such as stdlib.h, + # which makes the no-time.h-in-baremetal check fail. Ubuntu 16.04 has this + # problem, Ubuntu 18.04 is ok. + ! grep -q -F time.h /usr/include/x86_64-linux-gnu/sys/types.h +} + +component_test_no_psa_crypto_full_cmake_asan () { + # full minus MBEDTLS_PSA_CRYPTO_C: run the same set of tests as basic-build-test.sh + msg "build: cmake, full config minus PSA crypto, ASan" + scripts/config.py full + scripts/config.py unset MBEDTLS_PSA_CRYPTO_C + scripts/config.py unset MBEDTLS_PSA_CRYPTO_CLIENT + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C + scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C + scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C + scripts/config.py unset MBEDTLS_LMS_C + scripts/config.py unset MBEDTLS_LMS_PRIVATE + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: main suites (full minus PSA crypto)" + make test + + # Note: ssl-opt.sh has some test cases that depend on + # MBEDTLS_ECP_RESTARTABLE && !MBEDTLS_USE_PSA_CRYPTO + # This is the only component where those tests are not skipped. + msg "test: ssl-opt.sh (full minus PSA crypto)" + tests/ssl-opt.sh + + # Note: the next two invocations cover all compat.sh test cases. + # We should use the same here and in basic-build-test.sh. + msg "test: compat.sh: default version (full minus PSA crypto)" + tests/compat.sh -e 'ARIA\|CHACHA' + + msg "test: compat.sh: next: ARIA, Chacha (full minus PSA crypto)" + env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' +} + +component_build_tfm () { + # Check that the TF-M configuration can build cleanly with various + # warning flags enabled. We don't build or run tests, since the + # TF-M configuration needs a TF-M platform. A tweaked version of + # the configuration that works on mainstream platforms is in + # configs/config-tfm.h, tested via test-ref-configs.pl. + cp configs/config-tfm.h "$CONFIG_H" + + msg "build: TF-M config, clang, armv7-m thumb2" + make lib CC="clang" CFLAGS="--target=arm-linux-gnueabihf -march=armv7-m -mthumb -Os -std=c99 -Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused -I../tests/include/spe" + + msg "build: TF-M config, gcc native build" + make clean + make lib CC="gcc" CFLAGS="-Os -std=c99 -Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wformat-signedness -Wlogical-op -I../tests/include/spe" +} + +component_test_no_platform () { + # Full configuration build, without platform support, file IO and net sockets. + # This should catch missing mbedtls_printf definitions, and by disabling file + # IO, it should catch missing '#include ' + msg "build: full config except platform/fsio/net, make, gcc, C99" # ~ 30s + scripts/config.py full_no_platform + scripts/config.py unset MBEDTLS_PLATFORM_C + scripts/config.py unset MBEDTLS_NET_C + scripts/config.py unset MBEDTLS_FS_IO + scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C + scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C + scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C + scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED + # Note, _DEFAULT_SOURCE needs to be defined for platforms using glibc version >2.19, + # to re-enable platform integration features otherwise disabled in C99 builds + make CC=gcc CFLAGS='-Werror -Wall -Wextra -std=c99 -pedantic -Os -D_DEFAULT_SOURCE' lib programs + make CC=gcc CFLAGS='-Werror -Wall -Wextra -Os' test +} + +component_test_memory_buffer_allocator_backtrace () { + msg "build: default config with memory buffer allocator and backtrace enabled" + scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C + scripts/config.py set MBEDTLS_PLATFORM_MEMORY + scripts/config.py set MBEDTLS_MEMORY_BACKTRACE + scripts/config.py set MBEDTLS_MEMORY_DEBUG + cmake -DCMAKE_BUILD_TYPE:String=Release . + make + + msg "test: MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE" + make test +} + +component_test_memory_buffer_allocator () { + msg "build: default config with memory buffer allocator" + scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C + scripts/config.py set MBEDTLS_PLATFORM_MEMORY + cmake -DCMAKE_BUILD_TYPE:String=Release . + make + + msg "test: MBEDTLS_MEMORY_BUFFER_ALLOC_C" + make test + + msg "test: ssl-opt.sh, MBEDTLS_MEMORY_BUFFER_ALLOC_C" + # MBEDTLS_MEMORY_BUFFER_ALLOC is slow. Skip tests that tend to time out. + tests/ssl-opt.sh -e '^DTLS proxy' +} + +component_test_malloc_0_null () { + msg "build: malloc(0) returns NULL (ASan+UBSan build)" + scripts/config.py full + make CC=$ASAN_CC CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"$PWD/tests/configs/user-config-malloc-0-null.h\"' $ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + + msg "test: malloc(0) returns NULL (ASan+UBSan build)" + make test + + msg "selftest: malloc(0) returns NULL (ASan+UBSan build)" + # Just the calloc selftest. "make test" ran the others as part of the + # test suites. + programs/test/selftest calloc + + msg "test ssl-opt.sh: malloc(0) returns NULL (ASan+UBSan build)" + # Run a subset of the tests. The choice is a balance between coverage + # and time (including time indirectly wasted due to flaky tests). + # The current choice is to skip tests whose description includes + # "proxy", which is an approximation of skipping tests that use the + # UDP proxy, which tend to be slower and flakier. + tests/ssl-opt.sh -e 'proxy' +} + +component_build_mbedtls_config_file () { + msg "build: make with MBEDTLS_CONFIG_FILE" # ~40s + scripts/config.py -w full_config.h full + echo '#error "MBEDTLS_CONFIG_FILE is not working"' >"$CONFIG_H" + make CFLAGS="-I '$PWD' -DMBEDTLS_CONFIG_FILE='\"full_config.h\"'" + # Make sure this feature is enabled. We'll disable it in the next phase. + programs/test/query_compile_time_config MBEDTLS_NIST_KW_C + make clean + + msg "build: make with MBEDTLS_CONFIG_FILE + MBEDTLS_USER_CONFIG_FILE" + # In the user config, disable one feature (for simplicity, pick a feature + # that nothing else depends on). + echo '#undef MBEDTLS_NIST_KW_C' >user_config.h + make CFLAGS="-I '$PWD' -DMBEDTLS_CONFIG_FILE='\"full_config.h\"' -DMBEDTLS_USER_CONFIG_FILE='\"user_config.h\"'" + not programs/test/query_compile_time_config MBEDTLS_NIST_KW_C + + rm -f user_config.h full_config.h +} + +component_test_no_strings () { + msg "build: no strings" # ~10s + scripts/config.py full + # Disable options that activate a large amount of string constants. + scripts/config.py unset MBEDTLS_DEBUG_C + scripts/config.py unset MBEDTLS_ERROR_C + scripts/config.py set MBEDTLS_ERROR_STRERROR_DUMMY + scripts/config.py unset MBEDTLS_VERSION_FEATURES + make CFLAGS='-Werror -Os' + + msg "test: no strings" # ~ 10s + make test +} diff --git a/yass/third_party/mbedtls/tests/scripts/components-platform.sh b/yass/third_party/mbedtls/tests/scripts/components-platform.sh new file mode 100644 index 0000000000..b104428278 --- /dev/null +++ b/yass/third_party/mbedtls/tests/scripts/components-platform.sh @@ -0,0 +1,514 @@ +# components-platform.sh +# +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +# This file contains test components that are executed by all.sh + +################################################################ +#### Platform Testing +################################################################ + +support_test_aesni () { + # Check that gcc targets x86_64 (we can build AESNI), and check for + # AESNI support on the host (we can run AESNI). + # + # The name of this function is possibly slightly misleading, but needs to align + # with the name of the corresponding test, component_test_aesni. + # + # In principle 32-bit x86 can support AESNI, but our implementation does not + # support 32-bit x86, so we check for x86-64. + # We can only grep /proc/cpuinfo on Linux, so this also checks for Linux + (gcc -v 2>&1 | grep Target | grep -q x86_64) && + [[ "$HOSTTYPE" == "x86_64" && "$OSTYPE" == "linux-gnu" ]] && + (lscpu | grep -qw aes) +} + +component_test_aesni () { # ~ 60s + # This tests the two AESNI implementations (intrinsics and assembly), and also the plain C + # fallback. It also tests the logic that is used to select which implementation(s) to build. + # + # This test does not require the host to have support for AESNI (if it doesn't, the run-time + # AESNI detection will fallback to the plain C implementation, so the tests will instead + # exercise the plain C impl). + + msg "build: default config with different AES implementations" + scripts/config.py set MBEDTLS_AESNI_C + scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY + scripts/config.py set MBEDTLS_HAVE_ASM + + # test the intrinsics implementation + msg "AES tests, test intrinsics" + make clean + make CC=gcc CFLAGS='-Werror -Wall -Wextra -mpclmul -msse2 -maes' + # check that we built intrinsics - this should be used by default when supported by the compiler + ./programs/test/selftest aes | grep "AESNI code" | grep -q "intrinsics" + + # test the asm implementation + msg "AES tests, test assembly" + make clean + make CC=gcc CFLAGS='-Werror -Wall -Wextra -mno-pclmul -mno-sse2 -mno-aes' + # check that we built assembly - this should be built if the compiler does not support intrinsics + ./programs/test/selftest aes | grep "AESNI code" | grep -q "assembly" + + # test the plain C implementation + scripts/config.py unset MBEDTLS_AESNI_C + scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY + msg "AES tests, plain C" + make clean + make CC=gcc CFLAGS='-O2 -Werror' + # check that there is no AESNI code present + ./programs/test/selftest aes | not grep -q "AESNI code" + not grep -q "AES note: using AESNI" ./programs/test/selftest + grep -q "AES note: built-in implementation." ./programs/test/selftest + + # test the intrinsics implementation + scripts/config.py set MBEDTLS_AESNI_C + scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY + msg "AES tests, test AESNI only" + make clean + make CC=gcc CFLAGS='-Werror -Wall -Wextra -mpclmul -msse2 -maes' + ./programs/test/selftest aes | grep -q "AES note: using AESNI" + ./programs/test/selftest aes | not grep -q "AES note: built-in implementation." + grep -q "AES note: using AESNI" ./programs/test/selftest + not grep -q "AES note: built-in implementation." ./programs/test/selftest +} + +support_test_aesni_m32 () { + support_test_m32_no_asm && (lscpu | grep -qw aes) +} + +component_test_aesni_m32 () { # ~ 60s + # This tests are duplicated from component_test_aesni for i386 target + # + # AESNI intrinsic code supports i386 and assembly code does not support it. + + msg "build: default config with different AES implementations" + scripts/config.py set MBEDTLS_AESNI_C + scripts/config.py set MBEDTLS_PADLOCK_C + scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY + scripts/config.py set MBEDTLS_HAVE_ASM + + # test the intrinsics implementation with gcc + msg "AES tests, test intrinsics (gcc)" + make clean + make CC=gcc CFLAGS='-m32 -Werror -Wall -Wextra' LDFLAGS='-m32' + # check that we built intrinsics - this should be used by default when supported by the compiler + ./programs/test/selftest aes | grep "AESNI code" | grep -q "intrinsics" + grep -q "AES note: using AESNI" ./programs/test/selftest + grep -q "AES note: built-in implementation." ./programs/test/selftest + grep -q "AES note: using VIA Padlock" ./programs/test/selftest + grep -q mbedtls_aesni_has_support ./programs/test/selftest + + scripts/config.py set MBEDTLS_AESNI_C + scripts/config.py unset MBEDTLS_PADLOCK_C + scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY + msg "AES tests, test AESNI only" + make clean + make CC=gcc CFLAGS='-m32 -Werror -Wall -Wextra -mpclmul -msse2 -maes' LDFLAGS='-m32' + ./programs/test/selftest aes | grep -q "AES note: using AESNI" + ./programs/test/selftest aes | not grep -q "AES note: built-in implementation." + grep -q "AES note: using AESNI" ./programs/test/selftest + not grep -q "AES note: built-in implementation." ./programs/test/selftest + not grep -q "AES note: using VIA Padlock" ./programs/test/selftest + not grep -q mbedtls_aesni_has_support ./programs/test/selftest +} + +support_test_aesni_m32_clang () { + # clang >= 4 is required to build with target attributes + support_test_aesni_m32 && [[ $(clang_version) -ge 4 ]] +} + +component_test_aesni_m32_clang () { + + scripts/config.py set MBEDTLS_AESNI_C + scripts/config.py set MBEDTLS_PADLOCK_C + scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY + scripts/config.py set MBEDTLS_HAVE_ASM + + # test the intrinsics implementation with clang + msg "AES tests, test intrinsics (clang)" + make clean + make CC=clang CFLAGS='-m32 -Werror -Wall -Wextra' LDFLAGS='-m32' + # check that we built intrinsics - this should be used by default when supported by the compiler + ./programs/test/selftest aes | grep "AESNI code" | grep -q "intrinsics" + grep -q "AES note: using AESNI" ./programs/test/selftest + grep -q "AES note: built-in implementation." ./programs/test/selftest + grep -q "AES note: using VIA Padlock" ./programs/test/selftest + grep -q mbedtls_aesni_has_support ./programs/test/selftest +} + +support_build_aes_armce () { + # clang >= 11 is required to build with AES extensions + [[ $(clang_version) -ge 11 ]] +} + +component_build_aes_armce () { + # Test variations of AES with Armv8 crypto extensions + scripts/config.py set MBEDTLS_AESCE_C + scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY + + msg "MBEDTLS_AES_USE_HARDWARE_ONLY, clang, aarch64" + make -B library/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a+crypto" + + msg "MBEDTLS_AES_USE_HARDWARE_ONLY, clang, arm" + make -B library/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm" + + msg "MBEDTLS_AES_USE_HARDWARE_ONLY, clang, thumb" + make -B library/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb" + + scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY + + msg "no MBEDTLS_AES_USE_HARDWARE_ONLY, clang, aarch64" + make -B library/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a+crypto" + + msg "no MBEDTLS_AES_USE_HARDWARE_ONLY, clang, arm" + make -B library/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm" + + msg "no MBEDTLS_AES_USE_HARDWARE_ONLY, clang, thumb" + make -B library/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb" + + # test for presence of AES instructions + scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY + msg "clang, test A32 crypto instructions built" + make -B library/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S" + grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' library/aesce.o + msg "clang, test T32 crypto instructions built" + make -B library/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S" + grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' library/aesce.o + msg "clang, test aarch64 crypto instructions built" + make -B library/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S" + grep -E 'aes[a-z]+\s*[qv]' library/aesce.o + + # test for absence of AES instructions + scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY + scripts/config.py unset MBEDTLS_AESCE_C + msg "clang, test A32 crypto instructions not built" + make -B library/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S" + not grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' library/aesce.o + msg "clang, test T32 crypto instructions not built" + make -B library/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S" + not grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' library/aesce.o + msg "clang, test aarch64 crypto instructions not built" + make -B library/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S" + not grep -E 'aes[a-z]+\s*[qv]' library/aesce.o +} + +support_build_sha_armce () { + # clang >= 4 is required to build with SHA extensions + [[ $(clang_version) -ge 4 ]] +} + +component_build_sha_armce () { + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT + + + # Test variations of SHA256 Armv8 crypto extensions + scripts/config.py set MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY + msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY clang, aarch64" + make -B library/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a" + msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY clang, arm" + make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm" + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY + + + # test the deprecated form of the config option + scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY + msg "MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY clang, thumb" + make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb" + scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY + + scripts/config.py set MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT + msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT clang, aarch64" + make -B library/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a" + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT + + + # test the deprecated form of the config option + scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT + msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, arm" + make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -std=c99" + msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, thumb" + make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb" + scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT + + + # examine the disassembly for presence of SHA instructions + for opt in MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT; do + scripts/config.py set ${opt} + msg "${opt} clang, test A32 crypto instructions built" + make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S" + grep -E 'sha256[a-z0-9]+.32\s+[qv]' library/sha256.o + + msg "${opt} clang, test T32 crypto instructions built" + make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S" + grep -E 'sha256[a-z0-9]+.32\s+[qv]' library/sha256.o + + msg "${opt} clang, test aarch64 crypto instructions built" + make -B library/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S" + grep -E 'sha256[a-z0-9]+\s+[qv]' library/sha256.o + scripts/config.py unset ${opt} + done + + + # examine the disassembly for absence of SHA instructions + msg "clang, test A32 crypto instructions not built" + make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S" + not grep -E 'sha256[a-z0-9]+.32\s+[qv]' library/sha256.o + + msg "clang, test T32 crypto instructions not built" + make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S" + not grep -E 'sha256[a-z0-9]+.32\s+[qv]' library/sha256.o + + msg "clang, test aarch64 crypto instructions not built" + make -B library/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S" + not grep -E 'sha256[a-z0-9]+\s+[qv]' library/sha256.o +} + +component_test_m32_no_asm () { + # Build without assembly, so as to use portable C code (in a 32-bit + # build) and not the i386-specific inline assembly. + # + # Note that we require gcc, because clang Asan builds fail to link for + # this target (cannot find libclang_rt.lsan-i386.a - this is a known clang issue). + msg "build: i386, make, gcc, no asm (ASan build)" # ~ 30s + scripts/config.py full + scripts/config.py unset MBEDTLS_HAVE_ASM + scripts/config.py unset MBEDTLS_PADLOCK_C + scripts/config.py unset MBEDTLS_AESNI_C # AESNI for 32-bit is tested in test_aesni_m32 + make CC=gcc CFLAGS="$ASAN_CFLAGS -m32" LDFLAGS="-m32 $ASAN_CFLAGS" + + msg "test: i386, make, gcc, no asm (ASan build)" + make test +} + +support_test_m32_no_asm () { + case $(uname -m) in + amd64|x86_64) true;; + *) false;; + esac +} + +component_test_m32_o2 () { + # Build with optimization, to use the i386 specific inline assembly + # and go faster for tests. + msg "build: i386, make, gcc -O2 (ASan build)" # ~ 30s + scripts/config.py full + scripts/config.py unset MBEDTLS_AESNI_C # AESNI for 32-bit is tested in test_aesni_m32 + make CC=gcc CFLAGS="$ASAN_CFLAGS -m32" LDFLAGS="-m32 $ASAN_CFLAGS" + + msg "test: i386, make, gcc -O2 (ASan build)" + make test + + msg "test ssl-opt.sh, i386, make, gcc-O2" + tests/ssl-opt.sh +} + +support_test_m32_o2 () { + support_test_m32_no_asm "$@" +} + +component_test_m32_everest () { + msg "build: i386, Everest ECDH context (ASan build)" # ~ 6 min + scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED + scripts/config.py unset MBEDTLS_AESNI_C # AESNI for 32-bit is tested in test_aesni_m32 + make CC=gcc CFLAGS="$ASAN_CFLAGS -m32" LDFLAGS="-m32 $ASAN_CFLAGS" + + msg "test: i386, Everest ECDH context - main suites (inc. selftests) (ASan build)" # ~ 50s + make test + + msg "test: i386, Everest ECDH context - ECDH-related part of ssl-opt.sh (ASan build)" # ~ 5s + tests/ssl-opt.sh -f ECDH + + msg "test: i386, Everest ECDH context - compat.sh with some ECDH ciphersuites (ASan build)" # ~ 3 min + # Exclude some symmetric ciphers that are redundant here to gain time. + tests/compat.sh -f ECDH -V NO -e 'ARIA\|CAMELLIA\|CHACHA' +} + +support_test_m32_everest () { + support_test_m32_no_asm "$@" +} + +component_test_mx32 () { + msg "build: 64-bit ILP32, make, gcc" # ~ 30s + scripts/config.py full + make CC=gcc CFLAGS='-O2 -Werror -Wall -Wextra -mx32' LDFLAGS='-mx32' + + msg "test: 64-bit ILP32, make, gcc" + make test +} + +support_test_mx32 () { + case $(uname -m) in + amd64|x86_64) true;; + *) false;; + esac +} + +component_build_arm_none_eabi_gcc () { + msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc -O1, baremetal+debug" # ~ 10s + scripts/config.py baremetal + make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -Wall -Wextra -O1' lib + + msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -O1, baremetal+debug" + ${ARM_NONE_EABI_GCC_PREFIX}size -t library/*.o +} + +component_build_arm_linux_gnueabi_gcc_arm5vte () { + msg "build: ${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc -march=arm5vte, baremetal+debug" # ~ 10s + scripts/config.py baremetal + # Build for a target platform that's close to what Debian uses + # for its "armel" distribution (https://wiki.debian.org/ArmEabiPort). + # See https://github.com/Mbed-TLS/mbedtls/pull/2169 and comments. + # Build everything including programs, see for example + # https://github.com/Mbed-TLS/mbedtls/pull/3449#issuecomment-675313720 + make CC="${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc" AR="${ARM_LINUX_GNUEABI_GCC_PREFIX}ar" CFLAGS='-Werror -Wall -Wextra -march=armv5te -O1' LDFLAGS='-march=armv5te' + + msg "size: ${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc -march=armv5te -O1, baremetal+debug" + ${ARM_LINUX_GNUEABI_GCC_PREFIX}size -t library/*.o +} + +support_build_arm_linux_gnueabi_gcc_arm5vte () { + type ${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc >/dev/null 2>&1 +} + +component_build_arm_none_eabi_gcc_arm5vte () { + msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc -march=arm5vte, baremetal+debug" # ~ 10s + scripts/config.py baremetal + # This is an imperfect substitute for + # component_build_arm_linux_gnueabi_gcc_arm5vte + # in case the gcc-arm-linux-gnueabi toolchain is not available + make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" CFLAGS='-std=c99 -Werror -Wall -Wextra -march=armv5te -O1' LDFLAGS='-march=armv5te' SHELL='sh -x' lib + + msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -march=armv5te -O1, baremetal+debug" + ${ARM_NONE_EABI_GCC_PREFIX}size -t library/*.o +} + +component_build_arm_none_eabi_gcc_m0plus () { + msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc -mthumb -mcpu=cortex-m0plus, baremetal_size" # ~ 10s + scripts/config.py baremetal_size + make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -Wall -Wextra -mthumb -mcpu=cortex-m0plus -Os' lib + + msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -mthumb -mcpu=cortex-m0plus -Os, baremetal_size" + ${ARM_NONE_EABI_GCC_PREFIX}size -t library/*.o + for lib in library/*.a; do + echo "$lib:" + ${ARM_NONE_EABI_GCC_PREFIX}size -t $lib | grep TOTALS + done +} + +component_build_arm_none_eabi_gcc_no_udbl_division () { + msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc -DMBEDTLS_NO_UDBL_DIVISION, make" # ~ 10s + scripts/config.py baremetal + scripts/config.py set MBEDTLS_NO_UDBL_DIVISION + make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -Wall -Wextra' lib + echo "Checking that software 64-bit division is not required" + not grep __aeabi_uldiv library/*.o +} + +component_build_arm_none_eabi_gcc_no_64bit_multiplication () { + msg "build: ${ARM_NONE_EABI_GCC_PREFIX}gcc MBEDTLS_NO_64BIT_MULTIPLICATION, make" # ~ 10s + scripts/config.py baremetal + scripts/config.py set MBEDTLS_NO_64BIT_MULTIPLICATION + make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -O1 -march=armv6-m -mthumb' lib + echo "Checking that software 64-bit multiplication is not required" + not grep __aeabi_lmul library/*.o +} + +component_build_arm_clang_thumb () { + # ~ 30s + + scripts/config.py baremetal + + msg "build: clang thumb 2, make" + make clean + make CC="clang" CFLAGS='-std=c99 -Werror -Os --target=arm-linux-gnueabihf -march=armv7-m -mthumb' lib + + # Some Thumb 1 asm is sensitive to optimisation level, so test both -O0 and -Os + msg "build: clang thumb 1 -O0, make" + make clean + make CC="clang" CFLAGS='-std=c99 -Werror -O0 --target=arm-linux-gnueabihf -mcpu=arm1136j-s -mthumb' lib + + msg "build: clang thumb 1 -Os, make" + make clean + make CC="clang" CFLAGS='-std=c99 -Werror -Os --target=arm-linux-gnueabihf -mcpu=arm1136j-s -mthumb' lib +} + +component_build_armcc () { + msg "build: ARM Compiler 5" + scripts/config.py baremetal + # armc[56] don't support SHA-512 intrinsics + scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT + + # older versions of armcc/armclang don't support AESCE_C on 32-bit Arm + scripts/config.py unset MBEDTLS_AESCE_C + + # Stop armclang warning about feature detection for A64_CRYPTO. + # With this enabled, the library does build correctly under armclang, + # but in baremetal builds (as tested here), feature detection is + # unavailable, and the user is notified via a #warning. So enabling + # this feature would prevent us from building with -Werror on + # armclang. Tracked in #7198. + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT + + scripts/config.py set MBEDTLS_HAVE_ASM + + make CC="$ARMC5_CC" AR="$ARMC5_AR" WARNING_CFLAGS='--strict --c99' lib + + msg "size: ARM Compiler 5" + "$ARMC5_FROMELF" -z library/*.o + + # Compile mostly with -O1 since some Arm inline assembly is disabled for -O0. + + # ARM Compiler 6 - Target ARMv7-A + armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv7-a" + + # ARM Compiler 6 - Target ARMv7-M + armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv7-m" + + # ARM Compiler 6 - Target ARMv7-M+DSP + armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv7-m+dsp" + + # ARM Compiler 6 - Target ARMv8-A - AArch32 + armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv8.2-a" + + # ARM Compiler 6 - Target ARMv8-M + armc6_build_test "-O1 --target=arm-arm-none-eabi -march=armv8-m.main" + + # ARM Compiler 6 - Target Cortex-M0 - no optimisation + armc6_build_test "-O0 --target=arm-arm-none-eabi -mcpu=cortex-m0" + + # ARM Compiler 6 - Target Cortex-M0 + armc6_build_test "-Os --target=arm-arm-none-eabi -mcpu=cortex-m0" + + # ARM Compiler 6 - Target ARMv8.2-A - AArch64 + # + # Re-enable MBEDTLS_AESCE_C as this should be supported by the version of armclang + # that we have in our CI + scripts/config.py set MBEDTLS_AESCE_C + armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8.2-a+crypto" +} + +support_build_armcc () { + armc5_cc="$ARMC5_BIN_DIR/armcc" + armc6_cc="$ARMC6_BIN_DIR/armclang" + (check_tools "$armc5_cc" "$armc6_cc" > /dev/null 2>&1) +} + +# For timebeing, no VIA Padlock platform available. +component_build_aes_via_padlock () { + + msg "AES:VIA PadLock, build with default configuration." + scripts/config.py unset MBEDTLS_AESNI_C + scripts/config.py set MBEDTLS_PADLOCK_C + scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY + make CC=gcc CFLAGS="$ASAN_CFLAGS -m32" LDFLAGS="-m32 $ASAN_CFLAGS" + grep -q mbedtls_padlock_has_support ./programs/test/selftest + +} + +support_build_aes_via_padlock_only () { + ( [ "$MBEDTLS_TEST_PLATFORM" == "Linux-x86_64" ] || \ + [ "$MBEDTLS_TEST_PLATFORM" == "Linux-amd64" ] ) && \ + [ "`dpkg --print-foreign-architectures`" == "i386" ] +} diff --git a/yass/third_party/mbedtls/tests/scripts/components-sanitizers.sh b/yass/third_party/mbedtls/tests/scripts/components-sanitizers.sh new file mode 100644 index 0000000000..5b79d2b778 --- /dev/null +++ b/yass/third_party/mbedtls/tests/scripts/components-sanitizers.sh @@ -0,0 +1,208 @@ +# components-sanitizers.sh +# +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +# This file contains test components that are executed by all.sh + +################################################################ +#### Sanitizer Testing +################################################################ + +skip_suites_without_constant_flow () { + # Skip the test suites that don't have any constant-flow annotations. + # This will need to be adjusted if we ever start declaring things as + # secret from macros or functions inside tests/include or tests/src. + SKIP_TEST_SUITES=$( + git -C tests/suites grep -L TEST_CF_ 'test_suite_*.function' | + sed 's/test_suite_//; s/\.function$//' | + tr '\n' ,) + export SKIP_TEST_SUITES +} + +skip_all_except_given_suite () { + # Skip all but the given test suite + SKIP_TEST_SUITES=$( + ls -1 tests/suites/test_suite_*.function | + grep -v $1.function | + sed 's/tests.suites.test_suite_//; s/\.function$//' | + tr '\n' ,) + export SKIP_TEST_SUITES +} + +component_test_memsan_constant_flow () { + # This tests both (1) accesses to undefined memory, and (2) branches or + # memory access depending on secret values. To distinguish between those: + # - unset MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN - does the failure persist? + # - or alternatively, change the build type to MemSanDbg, which enables + # origin tracking and nicer stack traces (which are useful for debugging + # anyway), and check if the origin was TEST_CF_SECRET() or something else. + msg "build: cmake MSan (clang), full config minus MBEDTLS_USE_PSA_CRYPTO with constant flow testing" + scripts/config.py full + scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm + CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan . + make + + msg "test: main suites (full minus MBEDTLS_USE_PSA_CRYPTO, Msan + constant flow)" + make test +} + +component_test_memsan_constant_flow_psa () { + # This tests both (1) accesses to undefined memory, and (2) branches or + # memory access depending on secret values. To distinguish between those: + # - unset MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN - does the failure persist? + # - or alternatively, change the build type to MemSanDbg, which enables + # origin tracking and nicer stack traces (which are useful for debugging + # anyway), and check if the origin was TEST_CF_SECRET() or something else. + msg "build: cmake MSan (clang), full config with constant flow testing" + scripts/config.py full + scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN + scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm + CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan . + make + + msg "test: main suites (Msan + constant flow)" + make test +} + +component_release_test_valgrind_constant_flow () { + # This tests both (1) everything that valgrind's memcheck usually checks + # (heap buffer overflows, use of uninitialized memory, use-after-free, + # etc.) and (2) branches or memory access depending on secret values, + # which will be reported as uninitialized memory. To distinguish between + # secret and actually uninitialized: + # - unset MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND - does the failure persist? + # - or alternatively, build with debug info and manually run the offending + # test suite with valgrind --track-origins=yes, then check if the origin + # was TEST_CF_SECRET() or something else. + msg "build: cmake release GCC, full config minus MBEDTLS_USE_PSA_CRYPTO with constant flow testing" + scripts/config.py full + scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + skip_suites_without_constant_flow + cmake -D CMAKE_BUILD_TYPE:String=Release . + make + + # this only shows a summary of the results (how many of each type) + # details are left in Testing//DynamicAnalysis.xml + msg "test: some suites (full minus MBEDTLS_USE_PSA_CRYPTO, valgrind + constant flow)" + make memcheck + + # Test asm path in constant time module - by default, it will test the plain C + # path under Valgrind or Memsan. Running only the constant_time tests is fast (<1s) + msg "test: valgrind asm constant_time" + scripts/config.py --force set MBEDTLS_TEST_CONSTANT_FLOW_ASM + skip_all_except_given_suite test_suite_constant_time + cmake -D CMAKE_BUILD_TYPE:String=Release . + make clean + make + make memcheck +} + +component_release_test_valgrind_constant_flow_psa () { + # This tests both (1) everything that valgrind's memcheck usually checks + # (heap buffer overflows, use of uninitialized memory, use-after-free, + # etc.) and (2) branches or memory access depending on secret values, + # which will be reported as uninitialized memory. To distinguish between + # secret and actually uninitialized: + # - unset MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND - does the failure persist? + # - or alternatively, build with debug info and manually run the offending + # test suite with valgrind --track-origins=yes, then check if the origin + # was TEST_CF_SECRET() or something else. + msg "build: cmake release GCC, full config with constant flow testing" + scripts/config.py full + scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND + skip_suites_without_constant_flow + cmake -D CMAKE_BUILD_TYPE:String=Release . + make + + # this only shows a summary of the results (how many of each type) + # details are left in Testing//DynamicAnalysis.xml + msg "test: some suites (valgrind + constant flow)" + make memcheck +} + +component_test_tsan () { + msg "build: TSan (clang)" + scripts/config.py full + scripts/config.py set MBEDTLS_THREADING_C + scripts/config.py set MBEDTLS_THREADING_PTHREAD + # Self-tests do not currently use multiple threads. + scripts/config.py unset MBEDTLS_SELF_TEST + + # The deprecated MBEDTLS_PSA_CRYPTO_SE_C interface is not thread safe. + scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C + + CC=clang cmake -D CMAKE_BUILD_TYPE:String=TSan . + make + + msg "test: main suites (TSan)" + make test +} + +component_test_memsan () { + msg "build: MSan (clang)" # ~ 1 min 20s + scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm + CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan . + make + + msg "test: main suites (MSan)" # ~ 10s + make test + + msg "test: metatests (MSan)" + tests/scripts/run-metatests.sh any msan + + msg "program demos (MSan)" # ~20s + tests/scripts/run_demos.py + + msg "test: ssl-opt.sh (MSan)" # ~ 1 min + tests/ssl-opt.sh + + # Optional part(s) + + if [ "$MEMORY" -gt 0 ]; then + msg "test: compat.sh (MSan)" # ~ 6 min 20s + tests/compat.sh + fi +} + +component_release_test_valgrind () { + msg "build: Release (clang)" + # default config, in particular without MBEDTLS_USE_PSA_CRYPTO + CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release . + make + + msg "test: main suites, Valgrind (default config)" + make memcheck + + # Optional parts (slow; currently broken on OS X because programs don't + # seem to receive signals under valgrind on OS X). + # These optional parts don't run on the CI. + if [ "$MEMORY" -gt 0 ]; then + msg "test: ssl-opt.sh --memcheck (default config)" + tests/ssl-opt.sh --memcheck + fi + + if [ "$MEMORY" -gt 1 ]; then + msg "test: compat.sh --memcheck (default config)" + tests/compat.sh --memcheck + fi + + if [ "$MEMORY" -gt 0 ]; then + msg "test: context-info.sh --memcheck (default config)" + tests/context-info.sh --memcheck + fi +} + +component_release_test_valgrind_psa () { + msg "build: Release, full (clang)" + # full config, in particular with MBEDTLS_USE_PSA_CRYPTO + scripts/config.py full + CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release . + make + + msg "test: main suites, Valgrind (full config)" + make memcheck +} diff --git a/yass/third_party/mbedtls/tests/scripts/generate_psa_wrappers.py b/yass/third_party/mbedtls/tests/scripts/generate_psa_wrappers.py deleted file mode 100755 index 07d1450ff3..0000000000 --- a/yass/third_party/mbedtls/tests/scripts/generate_psa_wrappers.py +++ /dev/null @@ -1,257 +0,0 @@ -#!/usr/bin/env python3 -"""Generate wrapper functions for PSA function calls. -""" - -# Copyright The Mbed TLS Contributors -# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later - -### WARNING: the code in this file has not been extensively reviewed yet. -### We do not think it is harmful, but it may be below our normal standards -### for robustness and maintainability. - -import argparse -import itertools -import os -from typing import Iterator, List, Optional, Tuple - -import scripts_path #pylint: disable=unused-import -from mbedtls_dev import build_tree -from mbedtls_dev import c_parsing_helper -from mbedtls_dev import c_wrapper_generator -from mbedtls_dev import typing_util - - -class BufferParameter: - """Description of an input or output buffer parameter sequence to a PSA function.""" - #pylint: disable=too-few-public-methods - - def __init__(self, i: int, is_output: bool, - buffer_name: str, size_name: str) -> None: - """Initialize the parameter information. - - i is the index of the function argument that is the pointer to the buffer. - The size is argument i+1. For a variable-size output, the actual length - goes in argument i+2. - - buffer_name and size_names are the names of arguments i and i+1. - This class does not yet help with the output length. - """ - self.index = i - self.buffer_name = buffer_name - self.size_name = size_name - self.is_output = is_output - - -class PSAWrapperGenerator(c_wrapper_generator.Base): - """Generate a C source file containing wrapper functions for PSA Crypto API calls.""" - - _CPP_GUARDS = ('defined(MBEDTLS_PSA_CRYPTO_C) && ' + - 'defined(MBEDTLS_TEST_HOOKS) && \\\n ' + - '!defined(RECORD_PSA_STATUS_COVERAGE_LOG)') - _WRAPPER_NAME_PREFIX = 'mbedtls_test_wrap_' - _WRAPPER_NAME_SUFFIX = '' - - def gather_data(self) -> None: - root_dir = build_tree.guess_mbedtls_root() - for header_name in ['crypto.h', 'crypto_extra.h']: - header_path = os.path.join(root_dir, 'include', 'psa', header_name) - c_parsing_helper.read_function_declarations(self.functions, header_path) - - _SKIP_FUNCTIONS = frozenset([ - 'mbedtls_psa_external_get_random', # not a library function - 'psa_get_key_domain_parameters', # client-side function - 'psa_get_key_slot_number', # client-side function - 'psa_key_derivation_verify_bytes', # not implemented yet - 'psa_key_derivation_verify_key', # not implemented yet - 'psa_set_key_domain_parameters', # client-side function - ]) - - def _skip_function(self, function: c_wrapper_generator.FunctionInfo) -> bool: - if function.return_type != 'psa_status_t': - return True - if function.name in self._SKIP_FUNCTIONS: - return True - return False - - # PAKE stuff: not implemented yet - _PAKE_STUFF = frozenset([ - 'psa_crypto_driver_pake_inputs_t *', - 'psa_pake_cipher_suite_t *', - ]) - - def _return_variable_name(self, - function: c_wrapper_generator.FunctionInfo) -> str: - """The name of the variable that will contain the return value.""" - if function.return_type == 'psa_status_t': - return 'status' - return super()._return_variable_name(function) - - _FUNCTION_GUARDS = c_wrapper_generator.Base._FUNCTION_GUARDS.copy() \ - #pylint: disable=protected-access - _FUNCTION_GUARDS.update({ - 'mbedtls_psa_register_se_key': 'defined(MBEDTLS_PSA_CRYPTO_SE_C)', - 'mbedtls_psa_inject_entropy': 'defined(MBEDTLS_PSA_INJECT_ENTROPY)', - 'mbedtls_psa_external_get_random': 'defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)', - 'mbedtls_psa_platform_get_builtin_key': 'defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)', - }) - - @staticmethod - def _detect_buffer_parameters(arguments: List[c_parsing_helper.ArgumentInfo], - argument_names: List[str]) -> Iterator[BufferParameter]: - """Detect function arguments that are buffers (pointer, size [,length]).""" - types = ['' if arg.suffix else arg.type for arg in arguments] - # pairs = list of (type_of_arg_N, type_of_arg_N+1) - # where each type_of_arg_X is the empty string if the type is an array - # or there is no argument X. - pairs = enumerate(itertools.zip_longest(types, types[1:], fillvalue='')) - for i, t01 in pairs: - if (t01[0] == 'const uint8_t *' or t01[0] == 'uint8_t *') and \ - t01[1] == 'size_t': - yield BufferParameter(i, not t01[0].startswith('const '), - argument_names[i], argument_names[i+1]) - - @staticmethod - def _write_poison_buffer_parameter(out: typing_util.Writable, - param: BufferParameter, - poison: bool) -> None: - """Write poisoning or unpoisoning code for a buffer parameter. - - Write poisoning code if poison is true, unpoisoning code otherwise. - """ - out.write(' MBEDTLS_TEST_MEMORY_{}({}, {});\n'.format( - 'POISON' if poison else 'UNPOISON', - param.buffer_name, param.size_name - )) - - def _write_poison_buffer_parameters(self, out: typing_util.Writable, - buffer_parameters: List[BufferParameter], - poison: bool) -> None: - """Write poisoning or unpoisoning code for the buffer parameters. - - Write poisoning code if poison is true, unpoisoning code otherwise. - """ - if not buffer_parameters: - return - out.write('#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)\n') - for param in buffer_parameters: - self._write_poison_buffer_parameter(out, param, poison) - out.write('#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */\n') - - @staticmethod - def _parameter_should_be_copied(function_name: str, - _buffer_name: Optional[str]) -> bool: - """Whether the specified buffer argument to a PSA function should be copied. - """ - # False-positives that do not need buffer copying - if function_name in ('mbedtls_psa_inject_entropy', - 'psa_crypto_driver_pake_get_password', - 'psa_crypto_driver_pake_get_user', - 'psa_crypto_driver_pake_get_peer'): - return False - - return True - - def _write_function_call(self, out: typing_util.Writable, - function: c_wrapper_generator.FunctionInfo, - argument_names: List[str]) -> None: - buffer_parameters = list( - param - for param in self._detect_buffer_parameters(function.arguments, - argument_names) - if self._parameter_should_be_copied(function.name, - function.arguments[param.index].name)) - self._write_poison_buffer_parameters(out, buffer_parameters, True) - super()._write_function_call(out, function, argument_names) - self._write_poison_buffer_parameters(out, buffer_parameters, False) - - def _write_prologue(self, out: typing_util.Writable, header: bool) -> None: - super()._write_prologue(out, header) - out.write(""" -#if {} - -#include - -#include -#include -#include -""" - .format(self._CPP_GUARDS)) - - def _write_epilogue(self, out: typing_util.Writable, header: bool) -> None: - out.write(""" -#endif /* {} */ -""" - .format(self._CPP_GUARDS)) - super()._write_epilogue(out, header) - - -class PSALoggingWrapperGenerator(PSAWrapperGenerator, c_wrapper_generator.Logging): - """Generate a C source file containing wrapper functions that log PSA Crypto API calls.""" - - def __init__(self, stream: str) -> None: - super().__init__() - self.set_stream(stream) - - _PRINTF_TYPE_CAST = c_wrapper_generator.Logging._PRINTF_TYPE_CAST.copy() - _PRINTF_TYPE_CAST.update({ - 'mbedtls_svc_key_id_t': 'unsigned', - 'psa_algorithm_t': 'unsigned', - 'psa_drv_slot_number_t': 'unsigned long long', - 'psa_key_derivation_step_t': 'int', - 'psa_key_id_t': 'unsigned', - 'psa_key_slot_number_t': 'unsigned long long', - 'psa_key_lifetime_t': 'unsigned', - 'psa_key_type_t': 'unsigned', - 'psa_key_usage_flags_t': 'unsigned', - 'psa_pake_role_t': 'int', - 'psa_pake_step_t': 'int', - 'psa_status_t': 'int', - }) - - def _printf_parameters(self, typ: str, var: str) -> Tuple[str, List[str]]: - if typ.startswith('const '): - typ = typ[6:] - if typ == 'uint8_t *': - # Skip buffers - return '', [] - if typ.endswith('operation_t *'): - return '', [] - if typ in self._PAKE_STUFF: - return '', [] - if typ == 'psa_key_attributes_t *': - return (var + '={id=%u, lifetime=0x%08x, type=0x%08x, bits=%u, alg=%08x, usage=%08x}', - ['(unsigned) psa_get_key_{}({})'.format(field, var) - for field in ['id', 'lifetime', 'type', 'bits', 'algorithm', 'usage_flags']]) - return super()._printf_parameters(typ, var) - - -DEFAULT_C_OUTPUT_FILE_NAME = 'tests/src/psa_test_wrappers.c' -DEFAULT_H_OUTPUT_FILE_NAME = 'tests/include/test/psa_test_wrappers.h' - -def main() -> None: - parser = argparse.ArgumentParser(description=globals()['__doc__']) - parser.add_argument('--log', - help='Stream to log to (default: no logging code)') - parser.add_argument('--output-c', - metavar='FILENAME', - default=DEFAULT_C_OUTPUT_FILE_NAME, - help=('Output .c file path (default: {}; skip .c output if empty)' - .format(DEFAULT_C_OUTPUT_FILE_NAME))) - parser.add_argument('--output-h', - metavar='FILENAME', - default=DEFAULT_H_OUTPUT_FILE_NAME, - help=('Output .h file path (default: {}; skip .h output if empty)' - .format(DEFAULT_H_OUTPUT_FILE_NAME))) - options = parser.parse_args() - if options.log: - generator = PSALoggingWrapperGenerator(options.log) #type: PSAWrapperGenerator - else: - generator = PSAWrapperGenerator() - generator.gather_data() - if options.output_h: - generator.write_h_file(options.output_h) - if options.output_c: - generator.write_c_file(options.output_c) - -if __name__ == '__main__': - main() diff --git a/yass/third_party/mbedtls/tests/scripts/generate_test_cert_macros.py b/yass/third_party/mbedtls/tests/scripts/generate_test_cert_macros.py deleted file mode 100755 index a3bca7e6f6..0000000000 --- a/yass/third_party/mbedtls/tests/scripts/generate_test_cert_macros.py +++ /dev/null @@ -1,95 +0,0 @@ -#!/usr/bin/env python3 - -""" -Generate `tests/src/test_certs.h` which includes certficaties/keys/certificate list for testing. -""" - -# -# Copyright The Mbed TLS Contributors -# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later - - -import os -import sys -import argparse -import jinja2 - -class MacroDefineAction(argparse.Action): - #pylint: disable=signature-differs, too-few-public-methods - def __call__(self, parser, namespace, values, option_string): - if not hasattr(namespace, 'values'): - setattr(namespace, 'values', []) - macro_name, filename = values - if self.dest in ('string', 'binary') and not os.path.exists(filename): - raise argparse.ArgumentError( - None, '`{}`: Input file does not exist.'.format(filename)) - namespace.values.append((self.dest, macro_name, filename)) - - -def macro_define_type(value): - ret = value.split('=', 1) - if len(ret) != 2: - raise argparse.ArgumentTypeError( - '`{}` is not MACRO=value format'.format(value)) - return ret - - -def build_argparser(parser): - parser.description = __doc__ - parser.add_argument('--string', type=macro_define_type, action=MacroDefineAction, - metavar='MACRO_NAME=path/to/file', help='PEM to C string. ') - parser.add_argument('--binary', type=macro_define_type, action=MacroDefineAction, - metavar='MACRO_NAME=path/to/file', - help='DER to C arrary.') - parser.add_argument('--password', type=macro_define_type, action=MacroDefineAction, - metavar='MACRO_NAME=password', help='Password to C string.') - parser.add_argument('--output', type=str, required=True) - - -def main(): - parser = argparse.ArgumentParser() - build_argparser(parser) - args = parser.parse_args() - return generate(**vars(args)) - -#pylint: disable=dangerous-default-value, unused-argument -def generate(values=[], output=None, **kwargs): - """Generate C header file. - """ - this_dir = os.path.dirname(os.path.abspath(__file__)) - template_loader = jinja2.FileSystemLoader( - searchpath=os.path.join(this_dir, '..', 'data_files')) - template_env = jinja2.Environment( - loader=template_loader, lstrip_blocks=True, trim_blocks=True) - - def read_as_c_array(filename): - with open(filename, 'rb') as f: - data = f.read(12) - while data: - yield ', '.join(['{:#04x}'.format(b) for b in data]) - data = f.read(12) - - def read_lines(filename): - with open(filename) as f: - try: - for line in f: - yield line.strip() - except: - print(filename) - raise - - def put_to_column(value, position=0): - return ' '*position + value - - template_env.filters['read_as_c_array'] = read_as_c_array - template_env.filters['read_lines'] = read_lines - template_env.filters['put_to_column'] = put_to_column - - template = template_env.get_template('test_certs.h.jinja2') - - with open(output, 'w') as f: - f.write(template.render(macros=values)) - - -if __name__ == '__main__': - sys.exit(main()) diff --git a/yass/third_party/mbedtls/tests/scripts/generate_tls13_compat_tests.py b/yass/third_party/mbedtls/tests/scripts/generate_tls13_compat_tests.py index 8b28590b87..dde37b765d 100755 --- a/yass/third_party/mbedtls/tests/scripts/generate_tls13_compat_tests.py +++ b/yass/third_party/mbedtls/tests/scripts/generate_tls13_compat_tests.py @@ -20,18 +20,18 @@ from collections import namedtuple Certificate = namedtuple("Certificate", ['cafile', 'certfile', 'keyfile']) # define the certificate parameters for signature algorithms CERTIFICATES = { - 'ecdsa_secp256r1_sha256': Certificate('data_files/test-ca2.crt', - 'data_files/ecdsa_secp256r1.crt', - 'data_files/ecdsa_secp256r1.key'), - 'ecdsa_secp384r1_sha384': Certificate('data_files/test-ca2.crt', - 'data_files/ecdsa_secp384r1.crt', - 'data_files/ecdsa_secp384r1.key'), - 'ecdsa_secp521r1_sha512': Certificate('data_files/test-ca2.crt', - 'data_files/ecdsa_secp521r1.crt', - 'data_files/ecdsa_secp521r1.key'), - 'rsa_pss_rsae_sha256': Certificate('data_files/test-ca_cat12.crt', - 'data_files/server2-sha256.crt', 'data_files/server2.key' - ) + 'ecdsa_secp256r1_sha256': Certificate('$DATA_FILES_PATH/test-ca2.crt', + '$DATA_FILES_PATH/ecdsa_secp256r1.crt', + '$DATA_FILES_PATH/ecdsa_secp256r1.key'), + 'ecdsa_secp384r1_sha384': Certificate('$DATA_FILES_PATH/test-ca2.crt', + '$DATA_FILES_PATH/ecdsa_secp384r1.crt', + '$DATA_FILES_PATH/ecdsa_secp384r1.key'), + 'ecdsa_secp521r1_sha512': Certificate('$DATA_FILES_PATH/test-ca2.crt', + '$DATA_FILES_PATH/ecdsa_secp521r1.crt', + '$DATA_FILES_PATH/ecdsa_secp521r1.key'), + 'rsa_pss_rsae_sha256': Certificate('$DATA_FILES_PATH/test-ca_cat12.crt', + '$DATA_FILES_PATH/server2-sha256.crt', + '$DATA_FILES_PATH/server2.key') } CIPHER_SUITE_IANA_VALUE = { @@ -549,6 +549,9 @@ SSL_OUTPUT_HEADER = '''#!/bin/sh # AND REGENERATE THIS FILE. # ''' +DATA_FILES_PATH_VAR = ''' +DATA_FILES_PATH=../framework/data_files +''' def main(): """ @@ -628,6 +631,7 @@ def main(): with open(args.output, 'w', encoding="utf-8") as f: f.write(SSL_OUTPUT_HEADER.format( filename=os.path.basename(args.output), cmd=' '.join(sys.argv))) + f.write(DATA_FILES_PATH_VAR) f.write('\n\n'.join(get_all_test_cases())) f.write('\n') else: diff --git a/yass/third_party/mbedtls/tests/scripts/scripts_path.py b/yass/third_party/mbedtls/tests/scripts/scripts_path.py index 5d83f29f92..ce2afcfc36 100644 --- a/yass/third_party/mbedtls/tests/scripts/scripts_path.py +++ b/yass/third_party/mbedtls/tests/scripts/scripts_path.py @@ -15,3 +15,6 @@ import sys sys.path.append(os.path.join(os.path.dirname(__file__), os.path.pardir, os.path.pardir, 'scripts')) +sys.path.append(os.path.join(os.path.dirname(__file__), + os.path.pardir, os.path.pardir, + 'framework', 'scripts')) diff --git a/yass/third_party/mbedtls/tests/scripts/test-ref-configs.pl b/yass/third_party/mbedtls/tests/scripts/test-ref-configs.pl index 055023a5f2..5557de3276 100755 --- a/yass/third_party/mbedtls/tests/scripts/test-ref-configs.pl +++ b/yass/third_party/mbedtls/tests/scripts/test-ref-configs.pl @@ -17,32 +17,26 @@ use strict; my %configs = ( 'config-ccm-psk-tls1_2.h' => { - 'compat' => '-m tls12 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'', - 'test_again_with_use_psa' => 1 + 'compat' => '-m tls12 -f \'^TLS_PSK_WITH_AES_..._CCM_8\'', }, 'config-ccm-psk-dtls1_2.h' => { - 'compat' => '-m dtls12 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'', + 'compat' => '-m dtls12 -f \'^TLS_PSK_WITH_AES_..._CCM_8\'', 'opt' => ' ', 'opt_needs_debug' => 1, - 'test_again_with_use_psa' => 1 }, 'config-no-entropy.h' => { }, 'config-suite-b.h' => { - 'compat' => "-m tls12 -f 'ECDHE-ECDSA.*AES.*GCM' -p mbedTLS", - 'test_again_with_use_psa' => 1, + 'compat' => "-m tls12 -f 'ECDHE_ECDSA.*AES.*GCM' -p mbedTLS", 'opt' => ' ', 'opt_needs_debug' => 1, }, 'config-symmetric-only.h' => { - 'test_again_with_use_psa' => 0, # Uses PSA by default, no need to test it twice }, 'config-tfm.h' => { - 'test_again_with_use_psa' => 0, # Uses PSA by default, no need to test it twice }, 'config-thread.h' => { 'opt' => '-f ECJPAKE.*nolog', - 'test_again_with_use_psa' => 1, }, ); @@ -148,7 +142,10 @@ sub perform_test { } foreach my $conf ( @configs_to_test ) { - my $test_with_psa = $configs{$conf}{'test_again_with_use_psa'}; + system("grep '//#define MBEDTLS_USE_PSA_CRYPTO' configs/$conf > /dev/null"); + die "grep ... configs/$conf: $!" if $? != 0 && $? != 0x100; + my $test_with_psa = $? == 0; + if ( $test_with_psa ) { perform_test( $conf, $configs{$conf}, $test_with_psa ); diff --git a/yass/third_party/mbedtls/tests/scripts/test_psa_compliance.py b/yass/third_party/mbedtls/tests/scripts/test_psa_compliance.py index 8d70cbca38..f7d18954ca 100755 --- a/yass/third_party/mbedtls/tests/scripts/test_psa_compliance.py +++ b/yass/third_party/mbedtls/tests/scripts/test_psa_compliance.py @@ -20,7 +20,7 @@ from typing import List #pylint: disable=unused-import import scripts_path -from mbedtls_dev import build_tree +from mbedtls_framework import build_tree # PSA Compliance tests we expect to fail due to known defects in Mbed TLS / # TF-PSA-Crypto (or the test suite). diff --git a/yass/third_party/mbedtls/tests/scripts/test_psa_constant_names.py b/yass/third_party/mbedtls/tests/scripts/test_psa_constant_names.py index 6883e279fa..86d9e6f2be 100755 --- a/yass/third_party/mbedtls/tests/scripts/test_psa_constant_names.py +++ b/yass/third_party/mbedtls/tests/scripts/test_psa_constant_names.py @@ -19,9 +19,9 @@ import sys from typing import Iterable, List, Optional, Tuple import scripts_path # pylint: disable=unused-import -from mbedtls_dev import c_build_helper -from mbedtls_dev.macro_collector import InputsForTest, PSAMacroEnumerator -from mbedtls_dev import typing_util +from mbedtls_framework import c_build_helper +from mbedtls_framework.macro_collector import InputsForTest, PSAMacroEnumerator +from mbedtls_framework import typing_util def gather_inputs(headers: Iterable[str], test_suites: Iterable[str], diff --git a/yass/third_party/mbedtls/tests/src/asn1_helpers.c b/yass/third_party/mbedtls/tests/src/asn1_helpers.c index c8df1995e3..c63bd0cdf7 100644 --- a/yass/third_party/mbedtls/tests/src/asn1_helpers.c +++ b/yass/third_party/mbedtls/tests/src/asn1_helpers.c @@ -15,6 +15,8 @@ #include +#include + int mbedtls_test_asn1_skip_integer(unsigned char **p, const unsigned char *end, size_t min_bits, size_t max_bits, int must_be_odd) diff --git a/yass/third_party/mbedtls/tests/src/drivers/platform_builtin_keys.c b/yass/third_party/mbedtls/tests/src/drivers/platform_builtin_keys.c index 01fc050bbb..4561b6fdc2 100644 --- a/yass/third_party/mbedtls/tests/src/drivers/platform_builtin_keys.c +++ b/yass/third_party/mbedtls/tests/src/drivers/platform_builtin_keys.c @@ -10,6 +10,8 @@ #include +#if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS) + #include #include @@ -76,3 +78,5 @@ psa_status_t mbedtls_psa_platform_get_builtin_key( return PSA_ERROR_DOES_NOT_EXIST; } + +#endif /* MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */ diff --git a/yass/third_party/mbedtls/tests/src/drivers/test_driver_key_management.c b/yass/third_party/mbedtls/tests/src/drivers/test_driver_key_management.c index 866b31edee..2a878994c2 100644 --- a/yass/third_party/mbedtls/tests/src/drivers/test_driver_key_management.c +++ b/yass/third_party/mbedtls/tests/src/drivers/test_driver_key_management.c @@ -193,6 +193,7 @@ psa_status_t mbedtls_test_transparent_generate_key( uint8_t *key, size_t key_size, size_t *key_length) { ++mbedtls_test_driver_key_management_hooks.hits; + ++mbedtls_test_driver_key_management_hooks.hits_generate_key; if (mbedtls_test_driver_key_management_hooks.forced_status != PSA_SUCCESS) { return mbedtls_test_driver_key_management_hooks.forced_status; diff --git a/yass/third_party/mbedtls/tests/src/psa_crypto_helpers.c b/yass/third_party/mbedtls/tests/src/psa_crypto_helpers.c index e1ea2b5c81..197fd41980 100644 --- a/yass/third_party/mbedtls/tests/src/psa_crypto_helpers.c +++ b/yass/third_party/mbedtls/tests/src/psa_crypto_helpers.c @@ -13,6 +13,10 @@ #include #include +#if defined(MBEDTLS_CTR_DRBG_C) +#include +#endif + #if defined(MBEDTLS_PSA_CRYPTO_C) #include @@ -70,20 +74,14 @@ const char *mbedtls_test_helper_is_psa_leaking(void) mbedtls_psa_get_stats(&stats); -#if defined(MBEDTLS_CTR_DRBG_C) && !defined(MBEDTLS_AES_C) && \ - !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) - /* When AES_C is not defined and PSA does not have an external RNG, - * then CTR_DRBG uses PSA to perform AES-ECB. In this scenario 1 key - * slot is used internally from PSA to hold the AES key and it should - * not be taken into account when evaluating remaining open slots. */ - if (stats.volatile_slots > 1) { + /* Some volatile slots may be used for internal purposes. Generally + * we'll have exactly MBEDTLS_TEST_PSA_INTERNAL_KEYS at this point, + * but in some cases we might have less, e.g. if a code path calls + * PSA_DONE more than once, or if there has only been a partial or + * failed initialization. */ + if (stats.volatile_slots > MBEDTLS_TEST_PSA_INTERNAL_KEYS) { return "A volatile slot has not been closed properly."; } -#else - if (stats.volatile_slots != 0) { - return "A volatile slot has not been closed properly."; - } -#endif if (stats.persistent_slots != 0) { return "A persistent slot has not been closed properly."; } diff --git a/yass/third_party/mbedtls/tests/src/psa_memory_poisoning_wrappers.c b/yass/third_party/mbedtls/tests/src/psa_memory_poisoning_wrappers.c index 05cba18ee7..7b48c7c95e 100644 --- a/yass/third_party/mbedtls/tests/src/psa_memory_poisoning_wrappers.c +++ b/yass/third_party/mbedtls/tests/src/psa_memory_poisoning_wrappers.c @@ -4,7 +4,8 @@ * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */ -#include "test/memory.h" +#include +#include #include "psa_crypto_invasive.h" diff --git a/yass/third_party/mbedtls/tests/src/psa_test_wrappers.c b/yass/third_party/mbedtls/tests/src/psa_test_wrappers.c index 809f1cd6f5..eceb40bc70 100644 --- a/yass/third_party/mbedtls/tests/src/psa_test_wrappers.c +++ b/yass/third_party/mbedtls/tests/src/psa_test_wrappers.c @@ -10,7 +10,6 @@ !defined(RECORD_PSA_STATUS_COVERAGE_LOG) #include - #include #include #include @@ -465,6 +464,7 @@ psa_status_t mbedtls_test_wrap_psa_copy_key( } /* Wrapper for psa_crypto_driver_pake_get_cipher_suite */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_cipher_suite( const psa_crypto_driver_pake_inputs_t *arg0_inputs, psa_pake_cipher_suite_t *arg1_cipher_suite) @@ -472,8 +472,10 @@ psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_cipher_suite( psa_status_t status = (psa_crypto_driver_pake_get_cipher_suite)(arg0_inputs, arg1_cipher_suite); return status; } +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ /* Wrapper for psa_crypto_driver_pake_get_password */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_password( const psa_crypto_driver_pake_inputs_t *arg0_inputs, uint8_t *arg1_buffer, @@ -483,8 +485,10 @@ psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_password( psa_status_t status = (psa_crypto_driver_pake_get_password)(arg0_inputs, arg1_buffer, arg2_buffer_size, arg3_buffer_length); return status; } +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ /* Wrapper for psa_crypto_driver_pake_get_password_len */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_password_len( const psa_crypto_driver_pake_inputs_t *arg0_inputs, size_t *arg1_password_len) @@ -492,8 +496,10 @@ psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_password_len( psa_status_t status = (psa_crypto_driver_pake_get_password_len)(arg0_inputs, arg1_password_len); return status; } +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ /* Wrapper for psa_crypto_driver_pake_get_peer */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_peer( const psa_crypto_driver_pake_inputs_t *arg0_inputs, uint8_t *arg1_peer_id, @@ -503,8 +509,10 @@ psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_peer( psa_status_t status = (psa_crypto_driver_pake_get_peer)(arg0_inputs, arg1_peer_id, arg2_peer_id_size, arg3_peer_id_length); return status; } +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ /* Wrapper for psa_crypto_driver_pake_get_peer_len */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_peer_len( const psa_crypto_driver_pake_inputs_t *arg0_inputs, size_t *arg1_peer_len) @@ -512,8 +520,10 @@ psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_peer_len( psa_status_t status = (psa_crypto_driver_pake_get_peer_len)(arg0_inputs, arg1_peer_len); return status; } +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ /* Wrapper for psa_crypto_driver_pake_get_user */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_user( const psa_crypto_driver_pake_inputs_t *arg0_inputs, uint8_t *arg1_user_id, @@ -523,8 +533,10 @@ psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_user( psa_status_t status = (psa_crypto_driver_pake_get_user)(arg0_inputs, arg1_user_id, arg2_user_id_size, arg3_user_id_len); return status; } +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ /* Wrapper for psa_crypto_driver_pake_get_user_len */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_user_len( const psa_crypto_driver_pake_inputs_t *arg0_inputs, size_t *arg1_user_len) @@ -532,6 +544,7 @@ psa_status_t mbedtls_test_wrap_psa_crypto_driver_pake_get_user_len( psa_status_t status = (psa_crypto_driver_pake_get_user_len)(arg0_inputs, arg1_user_len); return status; } +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ /* Wrapper for psa_crypto_init */ psa_status_t mbedtls_test_wrap_psa_crypto_init(void) @@ -591,6 +604,24 @@ psa_status_t mbedtls_test_wrap_psa_generate_key( return status; } +/* Wrapper for psa_generate_key_custom */ +psa_status_t mbedtls_test_wrap_psa_generate_key_custom( + const psa_key_attributes_t *arg0_attributes, + const psa_custom_key_parameters_t *arg1_custom, + const uint8_t *arg2_custom_data, + size_t arg3_custom_data_length, + mbedtls_svc_key_id_t *arg4_key) +{ +#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) + MBEDTLS_TEST_MEMORY_POISON(arg2_custom_data, arg3_custom_data_length); +#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */ + psa_status_t status = (psa_generate_key_custom)(arg0_attributes, arg1_custom, arg2_custom_data, arg3_custom_data_length, arg4_key); +#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) + MBEDTLS_TEST_MEMORY_UNPOISON(arg2_custom_data, arg3_custom_data_length); +#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */ + return status; +} + /* Wrapper for psa_generate_key_ext */ psa_status_t mbedtls_test_wrap_psa_generate_key_ext( const psa_key_attributes_t *arg0_attributes, @@ -857,6 +888,25 @@ psa_status_t mbedtls_test_wrap_psa_key_derivation_output_key( return status; } +/* Wrapper for psa_key_derivation_output_key_custom */ +psa_status_t mbedtls_test_wrap_psa_key_derivation_output_key_custom( + const psa_key_attributes_t *arg0_attributes, + psa_key_derivation_operation_t *arg1_operation, + const psa_custom_key_parameters_t *arg2_custom, + const uint8_t *arg3_custom_data, + size_t arg4_custom_data_length, + mbedtls_svc_key_id_t *arg5_key) +{ +#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) + MBEDTLS_TEST_MEMORY_POISON(arg3_custom_data, arg4_custom_data_length); +#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */ + psa_status_t status = (psa_key_derivation_output_key_custom)(arg0_attributes, arg1_operation, arg2_custom, arg3_custom_data, arg4_custom_data_length, arg5_key); +#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) + MBEDTLS_TEST_MEMORY_UNPOISON(arg3_custom_data, arg4_custom_data_length); +#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */ + return status; +} + /* Wrapper for psa_key_derivation_output_key_ext */ psa_status_t mbedtls_test_wrap_psa_key_derivation_output_key_ext( const psa_key_attributes_t *arg0_attributes, @@ -1008,14 +1058,17 @@ psa_status_t mbedtls_test_wrap_psa_mac_verify_setup( } /* Wrapper for psa_pake_abort */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_pake_abort( psa_pake_operation_t *arg0_operation) { psa_status_t status = (psa_pake_abort)(arg0_operation); return status; } +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ /* Wrapper for psa_pake_get_implicit_key */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_pake_get_implicit_key( psa_pake_operation_t *arg0_operation, psa_key_derivation_operation_t *arg1_output) @@ -1023,8 +1076,10 @@ psa_status_t mbedtls_test_wrap_psa_pake_get_implicit_key( psa_status_t status = (psa_pake_get_implicit_key)(arg0_operation, arg1_output); return status; } +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ /* Wrapper for psa_pake_input */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_pake_input( psa_pake_operation_t *arg0_operation, psa_pake_step_t arg1_step, @@ -1040,8 +1095,10 @@ psa_status_t mbedtls_test_wrap_psa_pake_input( #endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */ return status; } +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ /* Wrapper for psa_pake_output */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_pake_output( psa_pake_operation_t *arg0_operation, psa_pake_step_t arg1_step, @@ -1058,8 +1115,10 @@ psa_status_t mbedtls_test_wrap_psa_pake_output( #endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */ return status; } +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ /* Wrapper for psa_pake_set_password_key */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_pake_set_password_key( psa_pake_operation_t *arg0_operation, mbedtls_svc_key_id_t arg1_password) @@ -1067,8 +1126,10 @@ psa_status_t mbedtls_test_wrap_psa_pake_set_password_key( psa_status_t status = (psa_pake_set_password_key)(arg0_operation, arg1_password); return status; } +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ /* Wrapper for psa_pake_set_peer */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_pake_set_peer( psa_pake_operation_t *arg0_operation, const uint8_t *arg1_peer_id, @@ -1083,8 +1144,10 @@ psa_status_t mbedtls_test_wrap_psa_pake_set_peer( #endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */ return status; } +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ /* Wrapper for psa_pake_set_role */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_pake_set_role( psa_pake_operation_t *arg0_operation, psa_pake_role_t arg1_role) @@ -1092,8 +1155,10 @@ psa_status_t mbedtls_test_wrap_psa_pake_set_role( psa_status_t status = (psa_pake_set_role)(arg0_operation, arg1_role); return status; } +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ /* Wrapper for psa_pake_set_user */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_pake_set_user( psa_pake_operation_t *arg0_operation, const uint8_t *arg1_user_id, @@ -1108,8 +1173,10 @@ psa_status_t mbedtls_test_wrap_psa_pake_set_user( #endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */ return status; } +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ /* Wrapper for psa_pake_setup */ +#if defined(PSA_WANT_ALG_SOME_PAKE) psa_status_t mbedtls_test_wrap_psa_pake_setup( psa_pake_operation_t *arg0_operation, const psa_pake_cipher_suite_t *arg1_cipher_suite) @@ -1117,6 +1184,7 @@ psa_status_t mbedtls_test_wrap_psa_pake_setup( psa_status_t status = (psa_pake_setup)(arg0_operation, arg1_cipher_suite); return status; } +#endif /* defined(PSA_WANT_ALG_SOME_PAKE) */ /* Wrapper for psa_purge_key */ psa_status_t mbedtls_test_wrap_psa_purge_key( diff --git a/yass/third_party/mbedtls/tests/src/test_certs.h b/yass/third_party/mbedtls/tests/src/test_certs.h index b313ea88de..d740635e6e 100644 --- a/yass/third_party/mbedtls/tests/src/test_certs.h +++ b/yass/third_party/mbedtls/tests/src/test_certs.h @@ -5,11 +5,11 @@ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */ -/* THIS FILE is generated by `tests/scripts/generate_test_cert_macros.py` */ +/* THIS FILE is generated by `framework/scripts/generate_test_cert_macros.py` */ /* *INDENT-OFF* */ -/* This is taken from test-ca2.crt. */ -/* BEGIN FILE string macro TEST_CA_CRT_EC_PEM test-ca2.crt */ +/* This is taken from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/test-ca2.crt. */ +/* BEGIN FILE string macro TEST_CA_CRT_EC_PEM /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/test-ca2.crt */ #define TEST_CA_CRT_EC_PEM \ "-----BEGIN CERTIFICATE-----\r\n" \ "MIICBzCCAYugAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE\r\n" \ @@ -26,8 +26,8 @@ "-----END CERTIFICATE-----\r\n" /* END FILE */ -/* This is generated from test-ca2.crt.der. */ -/* BEGIN FILE binary macro TEST_CA_CRT_EC_DER test-ca2.crt.der */ +/* This is generated from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/test-ca2.crt.der. */ +/* BEGIN FILE binary macro TEST_CA_CRT_EC_DER /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/test-ca2.crt.der */ #define TEST_CA_CRT_EC_DER { \ 0x30, 0x82, 0x02, 0x07, 0x30, 0x82, 0x01, 0x8b, 0xa0, 0x03, 0x02, 0x01, \ 0x02, 0x02, 0x09, 0x00, 0xc1, 0x43, 0xe2, 0x7e, 0x62, 0x43, 0xcc, 0xe8, \ @@ -76,8 +76,8 @@ } /* END FILE */ -/* This is taken from test-ca2.key.enc. */ -/* BEGIN FILE string macro TEST_CA_KEY_EC_PEM test-ca2.key.enc */ +/* This is taken from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/test-ca2.key.enc. */ +/* BEGIN FILE string macro TEST_CA_KEY_EC_PEM /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/test-ca2.key.enc */ #define TEST_CA_KEY_EC_PEM \ "-----BEGIN EC PRIVATE KEY-----\r\n" \ "Proc-Type: 4,ENCRYPTED\r\n" \ @@ -92,8 +92,8 @@ #define TEST_CA_PWD_EC_PEM "PolarSSLTest" -/* This is generated from test-ca2.key.der. */ -/* BEGIN FILE binary macro TEST_CA_KEY_EC_DER test-ca2.key.der */ +/* This is generated from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/test-ca2.key.der. */ +/* BEGIN FILE binary macro TEST_CA_KEY_EC_DER /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/test-ca2.key.der */ #define TEST_CA_KEY_EC_DER { \ 0x30, 0x81, 0xa4, 0x02, 0x01, 0x01, 0x04, 0x30, 0x83, 0xd9, 0x15, 0x0e, \ 0xa0, 0x71, 0xf0, 0x57, 0x10, 0x33, 0xa3, 0x38, 0xb8, 0x86, 0xc1, 0xa6, \ @@ -112,8 +112,8 @@ } /* END FILE */ -/* This is taken from test-ca-sha256.crt. */ -/* BEGIN FILE string macro TEST_CA_CRT_RSA_SHA256_PEM test-ca-sha256.crt */ +/* This is taken from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/test-ca-sha256.crt. */ +/* BEGIN FILE string macro TEST_CA_CRT_RSA_SHA256_PEM /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/test-ca-sha256.crt */ #define TEST_CA_CRT_RSA_SHA256_PEM \ "-----BEGIN CERTIFICATE-----\r\n" \ "MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n" \ @@ -137,8 +137,8 @@ "-----END CERTIFICATE-----\r\n" /* END FILE */ -/* This is generated from test-ca-sha256.crt.der. */ -/* BEGIN FILE binary macro TEST_CA_CRT_RSA_SHA256_DER test-ca-sha256.crt.der */ +/* This is generated from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/test-ca-sha256.crt.der. */ +/* BEGIN FILE binary macro TEST_CA_CRT_RSA_SHA256_DER /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/test-ca-sha256.crt.der */ #define TEST_CA_CRT_RSA_SHA256_DER { \ 0x30, 0x82, 0x03, 0x41, 0x30, 0x82, 0x02, 0x29, 0xa0, 0x03, 0x02, 0x01, \ 0x02, 0x02, 0x01, 0x03, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, \ @@ -213,8 +213,8 @@ } /* END FILE */ -/* This is taken from test-ca-sha1.crt. */ -/* BEGIN FILE string macro TEST_CA_CRT_RSA_SHA1_PEM test-ca-sha1.crt */ +/* This is taken from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/test-ca-sha1.crt. */ +/* BEGIN FILE string macro TEST_CA_CRT_RSA_SHA1_PEM /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/test-ca-sha1.crt */ #define TEST_CA_CRT_RSA_SHA1_PEM \ "-----BEGIN CERTIFICATE-----\r\n" \ "MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \ @@ -238,8 +238,8 @@ "-----END CERTIFICATE-----\r\n" /* END FILE */ -/* This is generated from test-ca-sha1.crt.der. */ -/* BEGIN FILE binary macro TEST_CA_CRT_RSA_SHA1_DER test-ca-sha1.crt.der */ +/* This is generated from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/test-ca-sha1.crt.der. */ +/* BEGIN FILE binary macro TEST_CA_CRT_RSA_SHA1_DER /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/test-ca-sha1.crt.der */ #define TEST_CA_CRT_RSA_SHA1_DER { \ 0x30, 0x82, 0x03, 0x41, 0x30, 0x82, 0x02, 0x29, 0xa0, 0x03, 0x02, 0x01, \ 0x02, 0x02, 0x01, 0x03, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, \ @@ -314,8 +314,8 @@ } /* END FILE */ -/* This is taken from test-ca.key. */ -/* BEGIN FILE string macro TEST_CA_KEY_RSA_PEM test-ca.key */ +/* This is taken from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/test-ca.key. */ +/* BEGIN FILE string macro TEST_CA_KEY_RSA_PEM /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/test-ca.key */ #define TEST_CA_KEY_RSA_PEM \ "-----BEGIN RSA PRIVATE KEY-----\r\n" \ "Proc-Type: 4,ENCRYPTED\r\n" \ @@ -351,8 +351,8 @@ #define TEST_CA_PWD_RSA_PEM "PolarSSLTest" -/* This is generated from test-ca.key.der. */ -/* BEGIN FILE binary macro TEST_CA_KEY_RSA_DER test-ca.key.der */ +/* This is generated from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/test-ca.key.der. */ +/* BEGIN FILE binary macro TEST_CA_KEY_RSA_DER /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/test-ca.key.der */ #define TEST_CA_KEY_RSA_DER { \ 0x30, 0x82, 0x04, 0xa4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, \ 0xc0, 0xdf, 0x37, 0xfc, 0x17, 0xbb, 0xe0, 0x96, 0x9d, 0x3f, 0x86, 0xde, \ @@ -457,8 +457,8 @@ } /* END FILE */ -/* This is taken from server5.crt. */ -/* BEGIN FILE string macro TEST_SRV_CRT_EC_PEM server5.crt */ +/* This is taken from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/server5.crt. */ +/* BEGIN FILE string macro TEST_SRV_CRT_EC_PEM /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/server5.crt */ #define TEST_SRV_CRT_EC_PEM \ "-----BEGIN CERTIFICATE-----\r\n" \ "MIICIDCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G\r\n" \ @@ -476,8 +476,8 @@ "-----END CERTIFICATE-----\r\n" /* END FILE */ -/* This is generated from server5.crt.der. */ -/* BEGIN FILE binary macro TEST_SRV_CRT_EC_DER server5.crt.der */ +/* This is generated from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/server5.crt.der. */ +/* BEGIN FILE binary macro TEST_SRV_CRT_EC_DER /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/server5.crt.der */ #define TEST_SRV_CRT_EC_DER { \ 0x30, 0x82, 0x02, 0x20, 0x30, 0x82, 0x01, 0xa5, 0xa0, 0x03, 0x02, 0x01, \ 0x02, 0x02, 0x01, 0x09, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, \ @@ -528,8 +528,8 @@ } /* END FILE */ -/* This is taken from server5.key. */ -/* BEGIN FILE string macro TEST_SRV_KEY_EC_PEM server5.key */ +/* This is taken from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/server5.key. */ +/* BEGIN FILE string macro TEST_SRV_KEY_EC_PEM /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/server5.key */ #define TEST_SRV_KEY_EC_PEM \ "-----BEGIN EC PRIVATE KEY-----\r\n" \ "MHcCAQEEIPEqEyB2AnCoPL/9U/YDHvdqXYbIogTywwyp6/UfDw6noAoGCCqGSM49\r\n" \ @@ -538,8 +538,8 @@ "-----END EC PRIVATE KEY-----\r\n" /* END FILE */ -/* This is generated from server5.key.der. */ -/* BEGIN FILE binary macro TEST_SRV_KEY_EC_DER server5.key.der */ +/* This is generated from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/server5.key.der. */ +/* BEGIN FILE binary macro TEST_SRV_KEY_EC_DER /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/server5.key.der */ #define TEST_SRV_KEY_EC_DER { \ 0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0xf1, 0x2a, 0x13, 0x20, 0x76, \ 0x02, 0x70, 0xa8, 0x3c, 0xbf, 0xfd, 0x53, 0xf6, 0x03, 0x1e, 0xf7, 0x6a, \ @@ -555,8 +555,8 @@ } /* END FILE */ -/* This is taken from server2-sha256.crt. */ -/* BEGIN FILE string macro TEST_SRV_CRT_RSA_SHA256_PEM server2-sha256.crt */ +/* This is taken from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/server2-sha256.crt. */ +/* BEGIN FILE string macro TEST_SRV_CRT_RSA_SHA256_PEM /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/server2-sha256.crt */ #define TEST_SRV_CRT_RSA_SHA256_PEM \ "-----BEGIN CERTIFICATE-----\r\n" \ "MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n" \ @@ -580,8 +580,8 @@ "-----END CERTIFICATE-----\r\n" /* END FILE */ -/* This is generated from server2-sha256.crt.der. */ -/* BEGIN FILE binary macro TEST_SRV_CRT_RSA_SHA256_DER server2-sha256.crt.der */ +/* This is generated from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/server2-sha256.crt.der. */ +/* BEGIN FILE binary macro TEST_SRV_CRT_RSA_SHA256_DER /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/server2-sha256.crt.der */ #define TEST_SRV_CRT_RSA_SHA256_DER { \ 0x30, 0x82, 0x03, 0x37, 0x30, 0x82, 0x02, 0x1f, 0xa0, 0x03, 0x02, 0x01, \ 0x02, 0x02, 0x01, 0x02, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, \ @@ -655,8 +655,8 @@ } /* END FILE */ -/* This is taken from server2.crt. */ -/* BEGIN FILE string macro TEST_SRV_CRT_RSA_SHA1_PEM server2.crt */ +/* This is taken from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/server2.crt. */ +/* BEGIN FILE string macro TEST_SRV_CRT_RSA_SHA1_PEM /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/server2.crt */ #define TEST_SRV_CRT_RSA_SHA1_PEM \ "-----BEGIN CERTIFICATE-----\r\n" \ "MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \ @@ -680,8 +680,8 @@ "-----END CERTIFICATE-----\r\n" /* END FILE */ -/* This is generated from server2.crt.der. */ -/* BEGIN FILE binary macro TEST_SRV_CRT_RSA_SHA1_DER server2.crt.der */ +/* This is generated from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/server2.crt.der. */ +/* BEGIN FILE binary macro TEST_SRV_CRT_RSA_SHA1_DER /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/server2.crt.der */ #define TEST_SRV_CRT_RSA_SHA1_DER { \ 0x30, 0x82, 0x03, 0x37, 0x30, 0x82, 0x02, 0x1f, 0xa0, 0x03, 0x02, 0x01, \ 0x02, 0x02, 0x01, 0x02, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, \ @@ -755,8 +755,8 @@ } /* END FILE */ -/* This is taken from server2.key. */ -/* BEGIN FILE string macro TEST_SRV_KEY_RSA_PEM server2.key */ +/* This is taken from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/server2.key. */ +/* BEGIN FILE string macro TEST_SRV_KEY_RSA_PEM /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/server2.key */ #define TEST_SRV_KEY_RSA_PEM \ "-----BEGIN RSA PRIVATE KEY-----\r\n" \ "MIIEpAIBAAKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r\r\n" \ @@ -787,8 +787,8 @@ "-----END RSA PRIVATE KEY-----\r\n" /* END FILE */ -/* This is generated from server2.key.der. */ -/* BEGIN FILE binary macro TEST_SRV_KEY_RSA_DER server2.key.der */ +/* This is generated from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/server2.key.der. */ +/* BEGIN FILE binary macro TEST_SRV_KEY_RSA_DER /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/server2.key.der */ #define TEST_SRV_KEY_RSA_DER { \ 0x30, 0x82, 0x04, 0xa4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, \ 0xc1, 0x4d, 0xa3, 0xdd, 0xe7, 0xcd, 0x1d, 0xd1, 0x04, 0xd7, 0x49, 0x72, \ @@ -893,8 +893,8 @@ } /* END FILE */ -/* This is taken from cli2.crt. */ -/* BEGIN FILE string macro TEST_CLI_CRT_EC_PEM cli2.crt */ +/* This is taken from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/cli2.crt. */ +/* BEGIN FILE string macro TEST_CLI_CRT_EC_PEM /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/cli2.crt */ #define TEST_CLI_CRT_EC_PEM \ "-----BEGIN CERTIFICATE-----\r\n" \ "MIIB3zCCAWOgAwIBAgIBDTAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw\r\n" \ @@ -911,8 +911,8 @@ "-----END CERTIFICATE-----\r\n" /* END FILE */ -/* This is generated from cli2.crt.der. */ -/* BEGIN FILE binary macro TEST_CLI_CRT_EC_DER cli2.crt.der */ +/* This is generated from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/cli2.crt.der. */ +/* BEGIN FILE binary macro TEST_CLI_CRT_EC_DER /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/cli2.crt.der */ #define TEST_CLI_CRT_EC_DER { \ 0x30, 0x82, 0x01, 0xdf, 0x30, 0x82, 0x01, 0x63, 0xa0, 0x03, 0x02, 0x01, \ 0x02, 0x02, 0x01, 0x0d, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, \ @@ -958,8 +958,8 @@ } /* END FILE */ -/* This is taken from cli2.key. */ -/* BEGIN FILE string macro TEST_CLI_KEY_EC_PEM cli2.key */ +/* This is taken from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/cli2.key. */ +/* BEGIN FILE string macro TEST_CLI_KEY_EC_PEM /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/cli2.key */ #define TEST_CLI_KEY_EC_PEM \ "-----BEGIN EC PRIVATE KEY-----\r\n" \ "MHcCAQEEIPb3hmTxZ3/mZI3vyk7p3U3wBf+WIop6hDhkFzJhmLcqoAoGCCqGSM49\r\n" \ @@ -968,8 +968,8 @@ "-----END EC PRIVATE KEY-----\r\n" /* END FILE */ -/* This is generated from cli2.key.der. */ -/* BEGIN FILE binary macro TEST_CLI_KEY_EC_DER cli2.key.der */ +/* This is generated from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/cli2.key.der. */ +/* BEGIN FILE binary macro TEST_CLI_KEY_EC_DER /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/cli2.key.der */ #define TEST_CLI_KEY_EC_DER { \ 0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0xf6, 0xf7, 0x86, 0x64, 0xf1, \ 0x67, 0x7f, 0xe6, 0x64, 0x8d, 0xef, 0xca, 0x4e, 0xe9, 0xdd, 0x4d, 0xf0, \ @@ -985,8 +985,8 @@ } /* END FILE */ -/* This is taken from cli-rsa-sha256.crt. */ -/* BEGIN FILE string macro TEST_CLI_CRT_RSA_PEM cli-rsa-sha256.crt */ +/* This is taken from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/cli-rsa-sha256.crt. */ +/* BEGIN FILE string macro TEST_CLI_CRT_RSA_PEM /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/cli-rsa-sha256.crt */ #define TEST_CLI_CRT_RSA_PEM \ "-----BEGIN CERTIFICATE-----\r\n" \ "MIIDPzCCAiegAwIBAgIBBDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n" \ @@ -1010,8 +1010,8 @@ "-----END CERTIFICATE-----\r\n" /* END FILE */ -/* This is generated from cli-rsa-sha256.crt.der. */ -/* BEGIN FILE binary macro TEST_CLI_CRT_RSA_DER cli-rsa-sha256.crt.der */ +/* This is generated from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/cli-rsa-sha256.crt.der. */ +/* BEGIN FILE binary macro TEST_CLI_CRT_RSA_DER /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/cli-rsa-sha256.crt.der */ #define TEST_CLI_CRT_RSA_DER { \ 0x30, 0x82, 0x03, 0x3f, 0x30, 0x82, 0x02, 0x27, 0xa0, 0x03, 0x02, 0x01, \ 0x02, 0x02, 0x01, 0x04, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, \ @@ -1086,8 +1086,8 @@ } /* END FILE */ -/* This is taken from cli-rsa.key. */ -/* BEGIN FILE string macro TEST_CLI_KEY_RSA_PEM cli-rsa.key */ +/* This is taken from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/cli-rsa.key. */ +/* BEGIN FILE string macro TEST_CLI_KEY_RSA_PEM /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/cli-rsa.key */ #define TEST_CLI_KEY_RSA_PEM \ "-----BEGIN RSA PRIVATE KEY-----\r\n" \ "MIIEpAIBAAKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6fM60Nj4o8VmXl3ETZzGaF\r\n" \ @@ -1118,8 +1118,8 @@ "-----END RSA PRIVATE KEY-----\r\n" /* END FILE */ -/* This is generated from cli-rsa.key.der. */ -/* BEGIN FILE binary macro TEST_CLI_KEY_RSA_DER cli-rsa.key.der */ +/* This is generated from /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/cli-rsa.key.der. */ +/* BEGIN FILE binary macro TEST_CLI_KEY_RSA_DER /home/davhor01/seclibs/misc/mbedtls-prepare-release/tmp-3.6.1-release-creation-mbedtls/framework/data_files/cli-rsa.key.der */ #define TEST_CLI_KEY_RSA_DER { \ 0x30, 0x82, 0x04, 0xa4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, \ 0xc8, 0x74, 0xc4, 0xcc, 0xb9, 0xf9, 0xb5, 0x79, 0xe9, 0x45, 0xd9, 0x14, \ @@ -1224,3 +1224,4 @@ } /* END FILE */ +/* End of generated file */ diff --git a/yass/third_party/mbedtls/tests/src/test_helpers/ssl_helpers.c b/yass/third_party/mbedtls/tests/src/test_helpers/ssl_helpers.c index 55201c0b78..3cb6175b98 100644 --- a/yass/third_party/mbedtls/tests/src/test_helpers/ssl_helpers.c +++ b/yass/third_party/mbedtls/tests/src/test_helpers/ssl_helpers.c @@ -551,7 +551,10 @@ int mbedtls_test_mock_tcp_recv_msg(void *ctx, * happen in test environment, unless forced manually. */ } } - mbedtls_test_ssl_message_queue_pop_info(queue, buf_len); + ret = mbedtls_test_ssl_message_queue_pop_info(queue, buf_len); + if (ret < 0) { + return ret; + } return (msg_len > INT_MAX) ? INT_MAX : (int) msg_len; } @@ -947,10 +950,10 @@ int mbedtls_test_move_handshake_to_state(mbedtls_ssl_context *ssl, /* * Write application data. Increase write counter if necessary. */ -int mbedtls_ssl_write_fragment(mbedtls_ssl_context *ssl, - unsigned char *buf, int buf_len, - int *written, - const int expected_fragments) +static int mbedtls_ssl_write_fragment(mbedtls_ssl_context *ssl, + unsigned char *buf, int buf_len, + int *written, + const int expected_fragments) { int ret; /* Verify that calling mbedtls_ssl_write with a NULL buffer and zero length is @@ -994,10 +997,10 @@ exit: * Read application data and increase read counter and fragments counter * if necessary. */ -int mbedtls_ssl_read_fragment(mbedtls_ssl_context *ssl, - unsigned char *buf, int buf_len, - int *read, int *fragments, - const int expected_fragments) +static int mbedtls_ssl_read_fragment(mbedtls_ssl_context *ssl, + unsigned char *buf, int buf_len, + int *read, int *fragments, + const int expected_fragments) { int ret; /* Verify that calling mbedtls_ssl_write with a NULL buffer and zero length is @@ -1791,30 +1794,33 @@ int mbedtls_test_ssl_tls13_populate_session(mbedtls_ssl_session *session, session->endpoint = endpoint_type == MBEDTLS_SSL_IS_CLIENT ? MBEDTLS_SSL_IS_CLIENT : MBEDTLS_SSL_IS_SERVER; session->ciphersuite = 0xabcd; + +#if defined(MBEDTLS_SSL_SESSION_TICKETS) session->ticket_age_add = 0x87654321; session->ticket_flags = 0x7; - session->resumption_key_len = 32; memset(session->resumption_key, 0x99, sizeof(session->resumption_key)); - -#if defined(MBEDTLS_SSL_EARLY_DATA) - session->max_early_data_size = 0x87654321; -#if defined(MBEDTLS_SSL_ALPN) && defined(MBEDTLS_SSL_SRV_C) - int ret = mbedtls_ssl_session_set_ticket_alpn(session, "ALPNExample"); - if (ret != 0) { - return -1; - } -#endif /* MBEDTLS_SSL_ALPN && MBEDTLS_SSL_SRV_C */ -#endif /* MBEDTLS_SSL_EARLY_DATA */ - -#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C) - if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { - session->ticket_creation_time = mbedtls_ms_time() - 42; - } #endif +#if defined(MBEDTLS_SSL_SRV_C) + if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { +#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) + int ret = mbedtls_ssl_session_set_ticket_alpn(session, "ALPNExample"); + if (ret != 0) { + return -1; + } +#endif +#if defined(MBEDTLS_HAVE_TIME) + session->ticket_creation_time = mbedtls_ms_time() - 42; +#endif +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ + } +#endif /* MBEDTLS_SSL_SRV_C */ + #if defined(MBEDTLS_SSL_CLI_C) if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { +#if defined(MBEDTLS_SSL_SESSION_TICKETS) #if defined(MBEDTLS_HAVE_TIME) session->ticket_reception_time = mbedtls_ms_time() - 40; #endif @@ -1828,9 +1834,22 @@ int mbedtls_test_ssl_tls13_populate_session(mbedtls_ssl_session *session, } memset(session->ticket, 33, ticket_len); } +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + char hostname[] = "hostname example"; + session->hostname = mbedtls_calloc(1, sizeof(hostname)); + if (session->hostname == NULL) { + return -1; + } + memcpy(session->hostname, hostname, sizeof(hostname)); +#endif +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ } #endif /* MBEDTLS_SSL_CLI_C */ +#if defined(MBEDTLS_SSL_EARLY_DATA) + session->max_early_data_size = 0x87654321; +#endif /* MBEDTLS_SSL_EARLY_DATA */ + #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) session->record_size_limit = 2048; #endif @@ -2524,6 +2543,9 @@ int mbedtls_test_get_tls13_ticket( server_options, NULL, NULL, NULL); TEST_EQUAL(ret, 0); + mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets( + &client_ep.conf, MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED); + mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf, mbedtls_test_ticket_write, mbedtls_test_ticket_parse, diff --git a/yass/third_party/mbedtls/tests/src/test_keys.h b/yass/third_party/mbedtls/tests/src/test_keys.h new file mode 100644 index 0000000000..7ebf9f87e7 --- /dev/null +++ b/yass/third_party/mbedtls/tests/src/test_keys.h @@ -0,0 +1,801 @@ +/********************************************************************************* + * This file was automatically generated from framework/scripts/generate_test_keys.py. + * Please do not edit it manually. + *********************************************************************************/ + +const unsigned char test_ec_bp256r1_priv[] = { + 0x21, 0x61, 0xd6, 0xf2, 0xdb, 0x76, 0x52, 0x6f, 0xa6, 0x2c, 0x16, 0xf3, 0x56, 0xa8, 0x0f, 0x01, + 0xf3, 0x2f, 0x77, 0x67, 0x84, 0xb3, 0x6a, 0xa9, 0x97, 0x99, 0xa8, 0xb7, 0x66, 0x20, 0x80, 0xff, +}; +const unsigned char test_ec_bp256r1_pub[] = { + 0x04, 0x76, 0x8c, 0x8c, 0xae, 0x4a, 0xbc, 0xa6, 0x30, 0x6d, 0xb0, 0xed, 0x81, 0xb0, 0xc4, 0xa6, + 0x21, 0x5c, 0x37, 0x80, 0x66, 0xec, 0x6d, 0x61, 0x6c, 0x14, 0x6e, 0x13, 0xf1, 0xc7, 0xdf, 0x80, + 0x9b, 0x96, 0xab, 0x69, 0x11, 0xc2, 0x7d, 0x8a, 0x02, 0x33, 0x9f, 0x09, 0x26, 0x84, 0x0e, 0x55, + 0x23, 0x6d, 0x3d, 0x1e, 0xfb, 0xe2, 0x66, 0x9d, 0x09, 0x0e, 0x4c, 0x4c, 0x66, 0x0f, 0xad, 0xa9, + 0x1d, +}; + +const unsigned char test_ec_bp384r1_priv[] = { + 0x3d, 0xd9, 0x2e, 0x75, 0x0d, 0x90, 0xd7, 0xd3, 0x9f, 0xc1, 0x88, 0x5c, 0xd8, 0xad, 0x12, 0xea, + 0x94, 0x41, 0xf2, 0x2b, 0x93, 0x34, 0xb4, 0xd9, 0x65, 0x20, 0x2a, 0xdb, 0x14, 0x48, 0xce, 0x24, + 0xc5, 0x80, 0x8a, 0x85, 0xdd, 0x9a, 0xfc, 0x22, 0x9a, 0xf0, 0xa3, 0x12, 0x4f, 0x75, 0x5b, 0xcb, +}; +const unsigned char test_ec_bp384r1_pub[] = { + 0x04, 0x71, 0x9f, 0x9d, 0x09, 0x3a, 0x62, 0x7e, 0x0d, 0x35, 0x03, 0x85, 0xc6, 0x61, 0xce, 0xbf, + 0x00, 0xc6, 0x19, 0x23, 0x56, 0x6f, 0xe9, 0x00, 0x6a, 0x31, 0x07, 0xaf, 0x1d, 0x87, 0x1b, 0xc6, + 0xbb, 0x68, 0x98, 0x5f, 0xd7, 0x22, 0xea, 0x32, 0xbe, 0x31, 0x6f, 0x8e, 0x78, 0x3b, 0x7c, 0xd1, + 0x95, 0x77, 0x85, 0xf6, 0x6c, 0xfc, 0x0c, 0xb1, 0x95, 0xdd, 0x5c, 0x99, 0xa8, 0xe7, 0xab, 0xaa, + 0x84, 0x85, 0x53, 0xa5, 0x84, 0xdf, 0xd2, 0xb4, 0x8e, 0x76, 0xd4, 0x45, 0xfe, 0x00, 0xdd, 0x8b, + 0xe5, 0x90, 0x96, 0xd8, 0x77, 0xd4, 0x69, 0x6d, 0x23, 0xb4, 0xbc, 0x8d, 0xb1, 0x47, 0x24, 0xe6, + 0x6a, +}; + +const unsigned char test_ec_bp512r1_priv[] = { + 0x37, 0x2c, 0x97, 0x78, 0xf6, 0x9f, 0x72, 0x6c, 0xbc, 0xa3, 0xf4, 0xa2, 0x68, 0xf1, 0x6b, 0x4d, + 0x61, 0x7d, 0x10, 0x28, 0x0d, 0x79, 0xa6, 0xa0, 0x29, 0xcd, 0x51, 0x87, 0x9f, 0xe1, 0x01, 0x29, + 0x34, 0xdf, 0xe5, 0x39, 0x54, 0x55, 0x33, 0x7d, 0xf6, 0x90, 0x6d, 0xc7, 0xd6, 0xd2, 0xee, 0xa4, + 0xdb, 0xb2, 0x06, 0x5c, 0x02, 0x28, 0xf7, 0x3b, 0x3e, 0xd7, 0x16, 0x48, 0x0e, 0x7d, 0x71, 0xd2, +}; +const unsigned char test_ec_bp512r1_pub[] = { + 0x04, 0x38, 0xb7, 0xec, 0x92, 0xb6, 0x1c, 0x5c, 0x6c, 0x7f, 0xbc, 0x28, 0xa4, 0xec, 0x75, 0x9d, + 0x48, 0xfc, 0xd4, 0xe2, 0xe3, 0x74, 0xde, 0xfd, 0x5c, 0x49, 0x68, 0xa5, 0x4d, 0xbe, 0xf7, 0x51, + 0x0e, 0x51, 0x78, 0x86, 0xfb, 0xfc, 0x38, 0xea, 0x39, 0xaa, 0x52, 0x93, 0x59, 0xd7, 0x0a, 0x71, + 0x56, 0xc3, 0x5d, 0x3c, 0xba, 0xc7, 0xce, 0x77, 0x6b, 0xdb, 0x25, 0x1d, 0xd6, 0x4b, 0xce, 0x71, + 0x23, 0x44, 0x24, 0xee, 0x70, 0x49, 0xee, 0xd0, 0x72, 0xf0, 0xdb, 0xc4, 0xd7, 0x99, 0x96, 0xe1, + 0x75, 0xd5, 0x57, 0xe2, 0x63, 0x76, 0x3a, 0xe9, 0x70, 0x95, 0xc0, 0x81, 0xe7, 0x3e, 0x7d, 0xb2, + 0xe3, 0x8a, 0xdc, 0x3d, 0x4c, 0x9a, 0x04, 0x87, 0xb1, 0xed, 0xe8, 0x76, 0xdc, 0x1f, 0xca, 0x61, + 0xc9, 0x02, 0xe9, 0xa1, 0xd8, 0x72, 0x2b, 0x86, 0x12, 0x92, 0x8f, 0x18, 0xa2, 0x48, 0x45, 0x59, + 0x1a, +}; + +const unsigned char test_ec_curve25519_priv[] = { + 0x70, 0x07, 0x6d, 0x0a, 0x73, 0x18, 0xa5, 0x7d, 0x3c, 0x16, 0xc1, 0x72, 0x51, 0xb2, 0x66, 0x45, + 0xdf, 0x4c, 0x2f, 0x87, 0xeb, 0xc0, 0x99, 0x2a, 0xb1, 0x77, 0xfb, 0xa5, 0x1d, 0xb9, 0x2c, 0x6a, +}; +const unsigned char test_ec_curve25519_pub[] = { + 0x85, 0x20, 0xf0, 0x09, 0x89, 0x30, 0xa7, 0x54, 0x74, 0x8b, 0x7d, 0xdc, 0xb4, 0x3e, 0xf7, 0x5a, + 0x0d, 0xbf, 0x3a, 0x0d, 0x26, 0x38, 0x1a, 0xf4, 0xeb, 0xa4, 0xa9, 0x8e, 0xaa, 0x9b, 0x4e, 0x6a, +}; + +const unsigned char test_ec_curve448_priv[] = { + 0xe4, 0xe4, 0x9f, 0x52, 0x68, 0x6f, 0x9e, 0xe3, 0xb6, 0x38, 0x52, 0x8f, 0x72, 0x1f, 0x15, 0x96, + 0x19, 0x6f, 0xfd, 0x0a, 0x1c, 0xdd, 0xb6, 0x4c, 0x3f, 0x21, 0x6f, 0x06, 0x54, 0x18, 0x05, 0xcf, + 0xeb, 0x1a, 0x28, 0x6d, 0xc7, 0x80, 0x18, 0x09, 0x5c, 0xdf, 0xec, 0x05, 0x0e, 0x80, 0x07, 0xb5, + 0xf4, 0x90, 0x89, 0x62, 0xba, 0x20, 0xd6, 0xc1, +}; +const unsigned char test_ec_curve448_pub[] = { + 0xc0, 0xd3, 0xa5, 0xa2, 0xb4, 0x16, 0xa5, 0x73, 0xdc, 0x99, 0x09, 0xf9, 0x2f, 0x13, 0x4a, 0xc0, + 0x13, 0x23, 0xab, 0x8f, 0x8e, 0x36, 0x80, 0x4e, 0x57, 0x85, 0x88, 0xba, 0x2d, 0x09, 0xfe, 0x7c, + 0x3e, 0x73, 0x7f, 0x77, 0x1c, 0xa1, 0x12, 0x82, 0x5b, 0x54, 0x8a, 0x0f, 0xfd, 0xed, 0x6d, 0x6a, + 0x2f, 0xd0, 0x9a, 0x3e, 0x77, 0xde, 0xc3, 0x0e, +}; + +const unsigned char test_ec_secp192k1_priv[] = { + 0x29, 0x7a, 0xc1, 0x72, 0x2c, 0xca, 0xc7, 0x58, 0x9e, 0xcb, 0x24, 0x0d, 0xc7, 0x19, 0x84, 0x25, + 0x38, 0xca, 0x97, 0x4b, 0xeb, 0x79, 0xf2, 0x28, +}; +const unsigned char test_ec_secp192k1_pub[] = { + 0x04, 0x26, 0xb7, 0xbb, 0x38, 0xda, 0x64, 0x9a, 0xc2, 0x13, 0x8f, 0xc0, 0x50, 0xc6, 0x54, 0x8b, + 0x32, 0x55, 0x3d, 0xab, 0x68, 0xaf, 0xeb, 0xc3, 0x61, 0x05, 0xd3, 0x25, 0xb7, 0x55, 0x38, 0xc1, + 0x23, 0x23, 0xcb, 0x07, 0x64, 0x78, 0x9e, 0xcb, 0x99, 0x26, 0x71, 0xbe, 0xb2, 0xb6, 0xbe, 0xf2, + 0xf5, +}; + +const unsigned char test_ec_secp256k1_priv[] = { + 0x7f, 0xa0, 0x6f, 0xa0, 0x2d, 0x0e, 0x91, 0x1b, 0x9a, 0x47, 0xfd, 0xc1, 0x7d, 0x2d, 0x96, 0x2c, + 0xa0, 0x1e, 0x2f, 0x31, 0xd6, 0x0c, 0x62, 0x12, 0xd0, 0xed, 0x7e, 0x3b, 0xba, 0x23, 0xa7, 0xb9, +}; +const unsigned char test_ec_secp256k1_pub[] = { + 0x04, 0x5c, 0x39, 0x15, 0x45, 0x79, 0xef, 0xd6, 0x67, 0xad, 0xc7, 0x3a, 0x81, 0x01, 0x5a, 0x79, + 0x7d, 0x2c, 0x86, 0x82, 0xcd, 0xfb, 0xd3, 0xc3, 0x55, 0x3c, 0x4a, 0x18, 0x5d, 0x48, 0x1c, 0xdc, + 0x50, 0xe4, 0x2a, 0x0e, 0x1c, 0xbc, 0x3c, 0xa2, 0x9a, 0x32, 0xa6, 0x45, 0xe9, 0x27, 0xf5, 0x4b, + 0xea, 0xed, 0x14, 0xc9, 0xdb, 0xbf, 0x82, 0x79, 0xd7, 0x25, 0xf5, 0x49, 0x5c, 0xa9, 0x24, 0xb2, + 0x4d, +}; + +const unsigned char test_ec_secp192r1_priv[] = { + 0xd8, 0x3b, 0x57, 0xa5, 0x9c, 0x51, 0x35, 0x8d, 0x9c, 0x8b, 0xbb, 0x89, 0x8a, 0xff, 0x50, 0x7f, + 0x44, 0xdd, 0x14, 0xcf, 0x16, 0x91, 0x71, 0x90, +}; +const unsigned char test_ec_secp192r1_pub[] = { + 0x04, 0xe3, 0x5f, 0xcb, 0xee, 0x11, 0xce, 0xc3, 0x15, 0x4f, 0x80, 0xa1, 0xa6, 0x1d, 0xf7, 0xd7, + 0x61, 0x2d, 0xe4, 0xf2, 0xfd, 0x70, 0xc5, 0x60, 0x8d, 0x0e, 0xe3, 0xa4, 0xa1, 0xa5, 0x71, 0x94, + 0x71, 0xad, 0xb3, 0x39, 0x66, 0xdd, 0x9b, 0x03, 0x5f, 0xdb, 0x77, 0x4f, 0xee, 0xba, 0x94, 0xb0, + 0x4c, +}; + +const unsigned char test_ec_secp224r1_priv[] = { + 0x87, 0x2f, 0x20, 0x3b, 0x3a, 0xd3, 0x5b, 0x7f, 0x2e, 0xcc, 0x80, 0x3c, 0x3a, 0x0e, 0x1e, 0x0b, + 0x1e, 0xd6, 0x1c, 0xc1, 0xaf, 0xe7, 0x1b, 0x18, 0x9c, 0xd4, 0xc9, 0x95, +}; +const unsigned char test_ec_secp224r1_pub[] = { + 0x04, 0x6f, 0x00, 0xea, 0xda, 0xa9, 0x49, 0xfe, 0xe3, 0xe9, 0xe1, 0xc7, 0xfa, 0x12, 0x47, 0xee, + 0xce, 0xc8, 0x6a, 0x0d, 0xce, 0x46, 0x41, 0x8b, 0x9b, 0xd3, 0x11, 0x7b, 0x98, 0x1d, 0x4b, 0xd0, + 0xae, 0x7a, 0x99, 0x0d, 0xe9, 0x12, 0xf9, 0xd0, 0x60, 0xd6, 0xcb, 0x53, 0x1a, 0x42, 0xd2, 0x2e, + 0x39, 0x4a, 0xc2, 0x9e, 0x81, 0x80, 0x4b, 0xf1, 0x60, +}; + +const unsigned char test_ec_secp256r1_priv[] = { + 0x49, 0xc9, 0xa8, 0xc1, 0x8c, 0x4b, 0x88, 0x56, 0x38, 0xc4, 0x31, 0xcf, 0x1d, 0xf1, 0xc9, 0x94, + 0x13, 0x16, 0x09, 0xb5, 0x80, 0xd4, 0xfd, 0x43, 0xa0, 0xca, 0xb1, 0x7d, 0xb2, 0xf1, 0x3e, 0xee, +}; +const unsigned char test_ec_secp256r1_pub[] = { + 0x04, 0x77, 0x72, 0x65, 0x6f, 0x81, 0x4b, 0x39, 0x92, 0x79, 0xd5, 0xe1, 0xf1, 0x78, 0x1f, 0xac, + 0x6f, 0x09, 0x9a, 0x3c, 0x5c, 0xa1, 0xb0, 0xe3, 0x53, 0x51, 0x83, 0x4b, 0x08, 0xb6, 0x5e, 0x0b, + 0x57, 0x25, 0x90, 0xcd, 0xaf, 0x8f, 0x76, 0x93, 0x61, 0xbc, 0xf3, 0x4a, 0xcf, 0xc1, 0x1e, 0x5e, + 0x07, 0x4e, 0x84, 0x26, 0xbd, 0xde, 0x04, 0xbe, 0x6e, 0x65, 0x39, 0x45, 0x44, 0x96, 0x17, 0xde, + 0x45, +}; + +const unsigned char test_ec_secp384r1_priv[] = { + 0x3f, 0x5d, 0x8d, 0x9b, 0xe2, 0x80, 0xb5, 0x69, 0x6c, 0xc5, 0xcc, 0x9f, 0x94, 0xcf, 0x8a, 0xf7, + 0xe6, 0xb6, 0x1d, 0xd6, 0x59, 0x2b, 0x2a, 0xb2, 0xb3, 0xa4, 0xc6, 0x07, 0x45, 0x04, 0x17, 0xec, + 0x32, 0x7d, 0xcd, 0xca, 0xed, 0x7c, 0x10, 0x05, 0x3d, 0x71, 0x9a, 0x05, 0x74, 0xf0, 0xa7, 0x6a, +}; +const unsigned char test_ec_secp384r1_pub[] = { + 0x04, 0xd9, 0xc6, 0x62, 0xb5, 0x0b, 0xa2, 0x9c, 0xa4, 0x79, 0x90, 0x45, 0x0e, 0x04, 0x3a, 0xea, + 0xf4, 0xf0, 0xc6, 0x9b, 0x15, 0x67, 0x6d, 0x11, 0x2f, 0x62, 0x2a, 0x71, 0xc9, 0x30, 0x59, 0xaf, + 0x99, 0x96, 0x91, 0xc5, 0x68, 0x0d, 0x2b, 0x44, 0xd1, 0x11, 0x57, 0x9d, 0xb1, 0x2f, 0x4a, 0x41, + 0x3a, 0x2e, 0xd5, 0xc4, 0x5f, 0xcf, 0xb6, 0x7b, 0x5b, 0x63, 0xe0, 0x0b, 0x91, 0xeb, 0xe5, 0x9d, + 0x09, 0xa6, 0xb1, 0xac, 0x2c, 0x0c, 0x42, 0x82, 0xaa, 0x12, 0x31, 0x7e, 0xd5, 0x91, 0x4f, 0x99, + 0x9b, 0xc4, 0x88, 0xbb, 0x13, 0x2e, 0x83, 0x42, 0xcc, 0x36, 0xf2, 0xca, 0x5e, 0x33, 0x79, 0xc7, + 0x47, +}; + +const unsigned char test_ec_secp521r1_priv[] = { + 0x01, 0xb1, 0xb6, 0xad, 0x07, 0xbb, 0x79, 0xe7, 0x32, 0x0d, 0xa5, 0x98, 0x60, 0xea, 0x28, 0xe0, + 0x55, 0x28, 0x4f, 0x60, 0x58, 0xf2, 0x79, 0xde, 0x66, 0x6e, 0x06, 0xd4, 0x35, 0xd2, 0xaf, 0x7b, + 0xda, 0x28, 0xd9, 0x9f, 0xa4, 0x7b, 0x7d, 0xd0, 0x96, 0x3e, 0x16, 0xb0, 0x07, 0x30, 0x78, 0xee, + 0x8b, 0x8a, 0x38, 0xd9, 0x66, 0xa5, 0x82, 0xf4, 0x6d, 0x19, 0xff, 0x95, 0xdf, 0x3a, 0xd9, 0x68, + 0x5a, 0xae, +}; +const unsigned char test_ec_secp521r1_pub[] = { + 0x04, 0x00, 0x1d, 0xe1, 0x42, 0xd5, 0x4f, 0x69, 0xeb, 0x03, 0x8e, 0xe4, 0xb7, 0xaf, 0x9d, 0x3c, + 0xa0, 0x77, 0x36, 0xfd, 0x9c, 0xf7, 0x19, 0xeb, 0x35, 0x4d, 0x69, 0x87, 0x9e, 0xe7, 0xf3, 0xc1, + 0x36, 0xfb, 0x0f, 0xbf, 0x9f, 0x08, 0xf8, 0x6b, 0xe5, 0xfa, 0x12, 0x8e, 0xc1, 0xa0, 0x51, 0xd3, + 0xe6, 0xc6, 0x43, 0xe8, 0x5a, 0xda, 0x8f, 0xfa, 0xcf, 0x36, 0x63, 0xc2, 0x60, 0xbd, 0x2c, 0x84, + 0x4b, 0x6f, 0x56, 0x00, 0xce, 0xe8, 0xe4, 0x8a, 0x9e, 0x65, 0xd0, 0x9c, 0xad, 0xd8, 0x9f, 0x23, + 0x5d, 0xee, 0x05, 0xf3, 0xb8, 0xa6, 0x46, 0xbe, 0x71, 0x5f, 0x1f, 0x67, 0xd5, 0xb4, 0x34, 0xe0, + 0xff, 0x23, 0xa1, 0xfc, 0x07, 0xef, 0x77, 0x40, 0x19, 0x3e, 0x40, 0xee, 0xff, 0x6f, 0x3b, 0xcd, + 0xfd, 0x76, 0x5a, 0xa9, 0x15, 0x50, 0x33, 0x52, 0x4f, 0xe4, 0xf2, 0x05, 0xf5, 0x44, 0x4e, 0x29, + 0x2c, 0x4c, 0x2f, 0x6a, 0xc1, +}; + +const unsigned char test_rsa_1024_priv[] = { + 0x30, 0x82, 0x02, 0x5e, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81, 0x00, 0xaf, 0x05, 0x7d, 0x39, 0x6e, + 0xe8, 0x4f, 0xb7, 0x5f, 0xdb, 0xb5, 0xc2, 0xb1, 0x3c, 0x7f, 0xe5, 0xa6, 0x54, 0xaa, 0x8a, 0xa2, + 0x47, 0x0b, 0x54, 0x1e, 0xe1, 0xfe, 0xb0, 0xb1, 0x2d, 0x25, 0xc7, 0x97, 0x11, 0x53, 0x12, 0x49, + 0xe1, 0x12, 0x96, 0x28, 0x04, 0x2d, 0xbb, 0xb6, 0xc1, 0x20, 0xd1, 0x44, 0x35, 0x24, 0xef, 0x4c, + 0x0e, 0x6e, 0x1d, 0x89, 0x56, 0xee, 0xb2, 0x07, 0x7a, 0xf1, 0x23, 0x49, 0xdd, 0xee, 0xe5, 0x44, + 0x83, 0xbc, 0x06, 0xc2, 0xc6, 0x19, 0x48, 0xcd, 0x02, 0xb2, 0x02, 0xe7, 0x96, 0xae, 0xbd, 0x94, + 0xd3, 0xa7, 0xcb, 0xf8, 0x59, 0xc2, 0xc1, 0x81, 0x9c, 0x32, 0x4c, 0xb8, 0x2b, 0x9c, 0xd3, 0x4e, + 0xde, 0x26, 0x3a, 0x2a, 0xbf, 0xfe, 0x47, 0x33, 0xf0, 0x77, 0x86, 0x9e, 0x86, 0x60, 0xf7, 0xd6, + 0x83, 0x4d, 0xa5, 0x3d, 0x69, 0x0e, 0xf7, 0x98, 0x5f, 0x6b, 0xc3, 0x02, 0x03, 0x01, 0x00, 0x01, + 0x02, 0x81, 0x81, 0x00, 0x87, 0x4b, 0xf0, 0xff, 0xc2, 0xf2, 0xa7, 0x1d, 0x14, 0x67, 0x1d, 0xdd, + 0x01, 0x71, 0xc9, 0x54, 0xd7, 0xfd, 0xbf, 0x50, 0x28, 0x1e, 0x4f, 0x6d, 0x99, 0xea, 0x0e, 0x1e, + 0xbc, 0xf8, 0x2f, 0xaa, 0x58, 0xe7, 0xb5, 0x95, 0xff, 0xb2, 0x93, 0xd1, 0xab, 0xe1, 0x7f, 0x11, + 0x0b, 0x37, 0xc4, 0x8c, 0xc0, 0xf3, 0x6c, 0x37, 0xe8, 0x4d, 0x87, 0x66, 0x21, 0xd3, 0x27, 0xf6, + 0x4b, 0xbe, 0x08, 0x45, 0x7d, 0x3e, 0xc4, 0x09, 0x8b, 0xa2, 0xfa, 0x0a, 0x31, 0x9f, 0xba, 0x41, + 0x1c, 0x28, 0x41, 0xed, 0x7b, 0xe8, 0x31, 0x96, 0xa8, 0xcd, 0xf9, 0xda, 0xa5, 0xd0, 0x06, 0x94, + 0xbc, 0x33, 0x5f, 0xc4, 0xc3, 0x22, 0x17, 0xfe, 0x04, 0x88, 0xbc, 0xe9, 0xcb, 0x72, 0x02, 0xe5, + 0x94, 0x68, 0xb1, 0xea, 0xd1, 0x19, 0x00, 0x04, 0x77, 0xdb, 0x2c, 0xa7, 0x97, 0xfa, 0xc1, 0x9e, + 0xda, 0x3f, 0x58, 0xc1, 0x02, 0x41, 0x00, 0xe2, 0xab, 0x76, 0x08, 0x41, 0xbb, 0x9d, 0x30, 0xa8, + 0x1d, 0x22, 0x2d, 0xe1, 0xeb, 0x73, 0x81, 0xd8, 0x22, 0x14, 0x40, 0x7f, 0x1b, 0x97, 0x5c, 0xbb, + 0xfe, 0x4e, 0x1a, 0x94, 0x67, 0xfd, 0x98, 0xad, 0xbd, 0x78, 0xf6, 0x07, 0x83, 0x6c, 0xa5, 0xbe, + 0x19, 0x28, 0xb9, 0xd1, 0x60, 0xd9, 0x7f, 0xd4, 0x5c, 0x12, 0xd6, 0xb5, 0x2e, 0x2c, 0x98, 0x71, + 0xa1, 0x74, 0xc6, 0x6b, 0x48, 0x81, 0x13, 0x02, 0x41, 0x00, 0xc5, 0xab, 0x27, 0x60, 0x21, 0x59, + 0xae, 0x7d, 0x6f, 0x20, 0xc3, 0xc2, 0xee, 0x85, 0x1e, 0x46, 0xdc, 0x11, 0x2e, 0x68, 0x9e, 0x28, + 0xd5, 0xfc, 0xbb, 0xf9, 0x90, 0xa9, 0x9e, 0xf8, 0xa9, 0x0b, 0x8b, 0xb4, 0x4f, 0xd3, 0x64, 0x67, + 0xe7, 0xfc, 0x17, 0x89, 0xce, 0xb6, 0x63, 0xab, 0xda, 0x33, 0x86, 0x52, 0xc3, 0xc7, 0x3f, 0x11, + 0x17, 0x74, 0x90, 0x2e, 0x84, 0x05, 0x65, 0x92, 0x70, 0x91, 0x02, 0x41, 0x00, 0xb6, 0xcd, 0xbd, + 0x35, 0x4f, 0x7d, 0xf5, 0x79, 0xa6, 0x3b, 0x48, 0xb3, 0x64, 0x3e, 0x35, 0x3b, 0x84, 0x89, 0x87, + 0x77, 0xb4, 0x8b, 0x15, 0xf9, 0x4e, 0x0b, 0xfc, 0x05, 0x67, 0xa6, 0xae, 0x59, 0x11, 0xd5, 0x7a, + 0xd6, 0x40, 0x9c, 0xf7, 0x64, 0x7b, 0xf9, 0x62, 0x64, 0xe9, 0xbd, 0x87, 0xeb, 0x95, 0xe2, 0x63, + 0xb7, 0x11, 0x0b, 0x9a, 0x1f, 0x9f, 0x94, 0xac, 0xce, 0xd0, 0xfa, 0xfa, 0x4d, 0x02, 0x40, 0x71, + 0x19, 0x5e, 0xec, 0x37, 0xe8, 0xd2, 0x57, 0xde, 0xcf, 0xc6, 0x72, 0xb0, 0x7a, 0xe6, 0x39, 0xf1, + 0x0c, 0xbb, 0x9b, 0x0c, 0x73, 0x9d, 0x0c, 0x80, 0x99, 0x68, 0xd6, 0x44, 0xa9, 0x4e, 0x3f, 0xd6, + 0xed, 0x92, 0x87, 0x07, 0x7a, 0x14, 0x58, 0x3f, 0x37, 0x90, 0x58, 0xf7, 0x6a, 0x8a, 0xec, 0xd4, + 0x3c, 0x62, 0xdc, 0x8c, 0x0f, 0x41, 0x76, 0x66, 0x50, 0xd7, 0x25, 0x27, 0x5a, 0xc4, 0xa1, 0x02, + 0x41, 0x00, 0xbb, 0x32, 0xd1, 0x33, 0xed, 0xc2, 0xe0, 0x48, 0xd4, 0x63, 0x38, 0x8b, 0x7b, 0xe9, + 0xcb, 0x4b, 0xe2, 0x9f, 0x4b, 0x62, 0x50, 0xbe, 0x60, 0x3e, 0x70, 0xe3, 0x64, 0x75, 0x01, 0xc9, + 0x7d, 0xdd, 0xe2, 0x0a, 0x4e, 0x71, 0xbe, 0x95, 0xfd, 0x5e, 0x71, 0x78, 0x4e, 0x25, 0xac, 0xa4, + 0xba, 0xf2, 0x5b, 0xe5, 0x73, 0x8a, 0xae, 0x59, 0xbb, 0xfe, 0x1c, 0x99, 0x77, 0x81, 0x44, 0x7a, + 0x2b, 0x24, +}; +const unsigned char test_rsa_1024_pub[] = { + 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xaf, 0x05, 0x7d, 0x39, 0x6e, 0xe8, 0x4f, 0xb7, 0x5f, + 0xdb, 0xb5, 0xc2, 0xb1, 0x3c, 0x7f, 0xe5, 0xa6, 0x54, 0xaa, 0x8a, 0xa2, 0x47, 0x0b, 0x54, 0x1e, + 0xe1, 0xfe, 0xb0, 0xb1, 0x2d, 0x25, 0xc7, 0x97, 0x11, 0x53, 0x12, 0x49, 0xe1, 0x12, 0x96, 0x28, + 0x04, 0x2d, 0xbb, 0xb6, 0xc1, 0x20, 0xd1, 0x44, 0x35, 0x24, 0xef, 0x4c, 0x0e, 0x6e, 0x1d, 0x89, + 0x56, 0xee, 0xb2, 0x07, 0x7a, 0xf1, 0x23, 0x49, 0xdd, 0xee, 0xe5, 0x44, 0x83, 0xbc, 0x06, 0xc2, + 0xc6, 0x19, 0x48, 0xcd, 0x02, 0xb2, 0x02, 0xe7, 0x96, 0xae, 0xbd, 0x94, 0xd3, 0xa7, 0xcb, 0xf8, + 0x59, 0xc2, 0xc1, 0x81, 0x9c, 0x32, 0x4c, 0xb8, 0x2b, 0x9c, 0xd3, 0x4e, 0xde, 0x26, 0x3a, 0x2a, + 0xbf, 0xfe, 0x47, 0x33, 0xf0, 0x77, 0x86, 0x9e, 0x86, 0x60, 0xf7, 0xd6, 0x83, 0x4d, 0xa5, 0x3d, + 0x69, 0x0e, 0xf7, 0x98, 0x5f, 0x6b, 0xc3, 0x02, 0x03, 0x01, 0x00, 0x01, +}; + +const unsigned char test_rsa_1026_priv[] = { + 0x30, 0x82, 0x02, 0x5e, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81, 0x02, 0xd0, 0x96, 0x61, 0xfc, 0x74, + 0x22, 0x4b, 0xa7, 0xbe, 0x79, 0x07, 0xab, 0xef, 0x4f, 0x5e, 0x8b, 0xcc, 0x26, 0x4a, 0x80, 0x2c, + 0x97, 0x8f, 0x7e, 0xaa, 0x58, 0x55, 0xad, 0xa0, 0x54, 0x36, 0xd7, 0x5d, 0xb7, 0x68, 0xd2, 0x0f, + 0x68, 0x59, 0x5d, 0xbc, 0xc3, 0xd7, 0x25, 0xb1, 0x38, 0xe8, 0x0b, 0x24, 0x7e, 0x44, 0xa4, 0x16, + 0x3a, 0x05, 0x42, 0xfa, 0xb6, 0x12, 0xac, 0xbb, 0xde, 0x45, 0xf2, 0xe9, 0x38, 0x94, 0xaa, 0x25, + 0x3b, 0xdd, 0xef, 0x6a, 0x7b, 0xec, 0xdc, 0x9c, 0xc2, 0x9a, 0x99, 0xba, 0xcf, 0x48, 0xdc, 0x6e, + 0x38, 0xdb, 0x7a, 0x33, 0xe9, 0xac, 0x92, 0x4c, 0x52, 0x0f, 0xc6, 0xbe, 0x7d, 0x6e, 0x56, 0x46, + 0xc1, 0xd6, 0x7f, 0xb8, 0xb2, 0xb9, 0x7a, 0xc6, 0x0b, 0xee, 0xcc, 0x3b, 0xb8, 0xe7, 0x5b, 0xed, + 0x83, 0x15, 0xaa, 0x3f, 0xe4, 0x6f, 0x74, 0x8a, 0x66, 0xd6, 0xef, 0x02, 0x03, 0x01, 0x00, 0x01, + 0x02, 0x81, 0x80, 0x6a, 0x4a, 0x34, 0x6b, 0xeb, 0xa9, 0x7f, 0x65, 0x5f, 0xe8, 0x34, 0x64, 0x7d, + 0x29, 0x44, 0xf5, 0xf4, 0x08, 0x15, 0xe7, 0x30, 0x2c, 0xaf, 0x02, 0xed, 0x17, 0x98, 0x93, 0xc2, + 0xd9, 0x89, 0x39, 0x5d, 0x5e, 0x87, 0x7c, 0xac, 0xbf, 0x24, 0xa7, 0x7a, 0x07, 0x9d, 0x3d, 0xb7, + 0x15, 0x80, 0xcc, 0xdb, 0xf6, 0x30, 0x23, 0xd0, 0x0f, 0x80, 0xe5, 0x2f, 0x5c, 0x1a, 0x07, 0x16, + 0xb3, 0x23, 0xb7, 0xbf, 0xcb, 0xdc, 0x8a, 0x17, 0x81, 0xc4, 0x4c, 0x41, 0x53, 0xe3, 0xda, 0x22, + 0x8d, 0x17, 0xb2, 0xdc, 0x78, 0xeb, 0x1f, 0x44, 0xcf, 0xf6, 0x0f, 0xe1, 0x15, 0x08, 0x08, 0xa6, + 0xe3, 0x8b, 0xa2, 0x47, 0x0a, 0xee, 0x2e, 0x94, 0x8a, 0x68, 0x98, 0xdd, 0xad, 0xea, 0x56, 0xd9, + 0x47, 0x09, 0x27, 0xac, 0xa8, 0xd9, 0x4a, 0x03, 0x38, 0xc1, 0x1a, 0x8e, 0x95, 0x71, 0x5b, 0x5f, + 0x94, 0xe0, 0x11, 0x02, 0x41, 0x01, 0xf5, 0x41, 0x85, 0x34, 0xc3, 0x62, 0x36, 0xfc, 0x9f, 0xd3, + 0x89, 0x34, 0xd7, 0xc0, 0x6d, 0xfe, 0xd3, 0x82, 0x91, 0x51, 0xcc, 0xab, 0x56, 0xb6, 0x33, 0x0c, + 0x64, 0x1f, 0x77, 0x96, 0xa7, 0x19, 0x24, 0xcf, 0x81, 0x19, 0xca, 0x26, 0xe1, 0x86, 0xec, 0xd3, + 0x06, 0x8d, 0x66, 0x07, 0xa0, 0x52, 0x60, 0xdb, 0x48, 0x57, 0x65, 0x19, 0x80, 0x43, 0x68, 0x91, + 0xad, 0xde, 0x9e, 0xb9, 0x2a, 0xb7, 0x02, 0x41, 0x01, 0x70, 0x04, 0x2f, 0xbd, 0xba, 0xba, 0x1e, + 0x10, 0x2b, 0x7f, 0x7f, 0x1d, 0xc9, 0xd9, 0x40, 0xcf, 0xdc, 0xd8, 0x5d, 0xd0, 0xea, 0x65, 0xf5, + 0x43, 0xc6, 0x43, 0x2e, 0x9c, 0x54, 0x80, 0x72, 0x4b, 0xb4, 0x9b, 0x1e, 0x5f, 0x80, 0xca, 0x2b, + 0x9f, 0x84, 0xcd, 0x66, 0x44, 0xbf, 0xb2, 0xe3, 0xd0, 0x96, 0x80, 0x90, 0xb8, 0x9f, 0x53, 0x4d, + 0xc2, 0x95, 0x1e, 0x60, 0x6d, 0xb9, 0x09, 0xdd, 0x89, 0x02, 0x41, 0x01, 0x4b, 0x6c, 0x1a, 0xeb, + 0x1c, 0x14, 0xa0, 0x4e, 0xc0, 0x4e, 0x59, 0x75, 0xfb, 0x01, 0x5c, 0xb9, 0x14, 0x98, 0x4c, 0x05, + 0x4d, 0xd2, 0x2b, 0xef, 0x24, 0x29, 0x99, 0x39, 0xc5, 0x14, 0x73, 0x3f, 0x88, 0xbb, 0x3a, 0x9d, + 0x16, 0xb0, 0x46, 0x85, 0xb3, 0xa8, 0x83, 0xb8, 0x92, 0x31, 0x90, 0xab, 0x67, 0x27, 0x15, 0xd9, + 0xd3, 0x1a, 0xdd, 0x57, 0xb4, 0x98, 0x3d, 0xe1, 0xe8, 0x08, 0x7e, 0x59, 0x02, 0x41, 0x01, 0x17, + 0xbf, 0x76, 0xf3, 0x08, 0xb0, 0x56, 0x0e, 0x00, 0xa2, 0xc8, 0x64, 0x42, 0x7d, 0xcd, 0x50, 0xb5, + 0x16, 0x1c, 0x2a, 0xa5, 0x23, 0xa0, 0x0f, 0x46, 0xf4, 0xe6, 0xc7, 0x9b, 0x4c, 0x90, 0x95, 0x8f, + 0xd2, 0xa2, 0x82, 0x02, 0x8a, 0xac, 0x22, 0x74, 0x77, 0x16, 0x98, 0x88, 0x08, 0x5a, 0x38, 0xc3, + 0x4f, 0x33, 0xb3, 0xc4, 0x19, 0x34, 0xf1, 0x07, 0x1d, 0xb2, 0x3b, 0x75, 0xff, 0x53, 0xd1, 0x02, + 0x41, 0x01, 0x20, 0xa4, 0x28, 0xb4, 0xe0, 0xc4, 0xa6, 0xf2, 0x02, 0x92, 0x0f, 0xd4, 0x9c, 0xc9, + 0x88, 0x6e, 0x6b, 0x67, 0x19, 0xd4, 0x0a, 0x3a, 0xd0, 0x60, 0x4f, 0x5d, 0x5e, 0xfd, 0x5e, 0xf6, + 0x97, 0x3a, 0x57, 0x3a, 0xb3, 0x24, 0xf3, 0x8e, 0xcb, 0x8e, 0x66, 0x9a, 0x69, 0x34, 0x15, 0x97, + 0x08, 0x1e, 0x24, 0x0b, 0x6a, 0xe4, 0xe2, 0x71, 0x48, 0x87, 0xdd, 0x78, 0xda, 0xda, 0xeb, 0x0b, + 0x92, 0x16, +}; +const unsigned char test_rsa_1026_pub[] = { + 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x02, 0xd0, 0x96, 0x61, 0xfc, 0x74, 0x22, 0x4b, 0xa7, 0xbe, + 0x79, 0x07, 0xab, 0xef, 0x4f, 0x5e, 0x8b, 0xcc, 0x26, 0x4a, 0x80, 0x2c, 0x97, 0x8f, 0x7e, 0xaa, + 0x58, 0x55, 0xad, 0xa0, 0x54, 0x36, 0xd7, 0x5d, 0xb7, 0x68, 0xd2, 0x0f, 0x68, 0x59, 0x5d, 0xbc, + 0xc3, 0xd7, 0x25, 0xb1, 0x38, 0xe8, 0x0b, 0x24, 0x7e, 0x44, 0xa4, 0x16, 0x3a, 0x05, 0x42, 0xfa, + 0xb6, 0x12, 0xac, 0xbb, 0xde, 0x45, 0xf2, 0xe9, 0x38, 0x94, 0xaa, 0x25, 0x3b, 0xdd, 0xef, 0x6a, + 0x7b, 0xec, 0xdc, 0x9c, 0xc2, 0x9a, 0x99, 0xba, 0xcf, 0x48, 0xdc, 0x6e, 0x38, 0xdb, 0x7a, 0x33, + 0xe9, 0xac, 0x92, 0x4c, 0x52, 0x0f, 0xc6, 0xbe, 0x7d, 0x6e, 0x56, 0x46, 0xc1, 0xd6, 0x7f, 0xb8, + 0xb2, 0xb9, 0x7a, 0xc6, 0x0b, 0xee, 0xcc, 0x3b, 0xb8, 0xe7, 0x5b, 0xed, 0x83, 0x15, 0xaa, 0x3f, + 0xe4, 0x6f, 0x74, 0x8a, 0x66, 0xd6, 0xef, 0x02, 0x03, 0x01, 0x00, 0x01, +}; + +const unsigned char test_rsa_1028_priv[] = { + 0x30, 0x82, 0x02, 0x5e, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81, 0x0e, 0x62, 0xa7, 0x6f, 0x0e, 0x0b, + 0x59, 0x68, 0x3a, 0x7e, 0xbf, 0x7c, 0xbf, 0xd3, 0x7b, 0x1d, 0x17, 0x81, 0xd8, 0xf1, 0xb9, 0x00, + 0x60, 0x4b, 0x50, 0x7f, 0x0f, 0x04, 0xc7, 0x2a, 0x3d, 0x34, 0x0d, 0x06, 0x7b, 0xcd, 0x53, 0xbe, + 0xa3, 0xca, 0xff, 0x4e, 0x4a, 0xe6, 0x94, 0xf0, 0xb6, 0xd8, 0xf5, 0x91, 0xa4, 0x16, 0x7f, 0xbf, + 0x7f, 0x37, 0x2a, 0xb5, 0x7e, 0x83, 0xa6, 0x9a, 0x3f, 0x26, 0xf4, 0x47, 0xbc, 0xf5, 0x82, 0xbc, + 0x96, 0x21, 0xa3, 0x0a, 0x3b, 0x44, 0xd6, 0xb4, 0x3e, 0x98, 0x6d, 0x1a, 0x86, 0x7b, 0x07, 0x48, + 0x9e, 0x4f, 0x9b, 0xfc, 0xad, 0xaa, 0x82, 0xa2, 0x78, 0x2d, 0xc2, 0x72, 0x9a, 0x63, 0x1f, 0xb1, + 0xfb, 0x9f, 0xfb, 0x79, 0x4b, 0x4e, 0x53, 0xc7, 0x62, 0x39, 0xe0, 0x4d, 0x4a, 0x8f, 0x80, 0x35, + 0x25, 0x88, 0xdb, 0x29, 0x46, 0x2d, 0xde, 0x18, 0x23, 0x7c, 0xf5, 0x02, 0x03, 0x01, 0x00, 0x01, + 0x02, 0x81, 0x81, 0x01, 0xcf, 0xa0, 0x42, 0x2e, 0x3b, 0xb6, 0x0c, 0x15, 0xef, 0x2e, 0x96, 0xdb, + 0x44, 0x99, 0xe7, 0x89, 0xf5, 0xd6, 0x34, 0xea, 0x64, 0x56, 0x7b, 0x2c, 0xdd, 0x6e, 0x2b, 0xdd, + 0x12, 0x1f, 0x85, 0xed, 0xcc, 0xde, 0xe9, 0xb4, 0xed, 0x17, 0x8c, 0x5f, 0x33, 0x81, 0x61, 0x01, + 0xa7, 0xc3, 0x71, 0x51, 0x8b, 0x3e, 0x23, 0xf9, 0xfd, 0xc7, 0x1b, 0x90, 0x24, 0x2c, 0xd3, 0x10, + 0xb6, 0xb3, 0x14, 0x28, 0xb0, 0xb6, 0x4e, 0xb9, 0x59, 0x6b, 0xe0, 0xcc, 0x04, 0x4c, 0xc8, 0x50, + 0x48, 0x98, 0x2f, 0x90, 0xb7, 0x06, 0xe6, 0x6c, 0xcd, 0xd3, 0x9a, 0xd5, 0xa1, 0xa7, 0xb6, 0x4c, + 0xf0, 0x34, 0xea, 0xc0, 0xc3, 0x5d, 0x7a, 0xce, 0x93, 0xf2, 0xbc, 0xd3, 0xce, 0x24, 0x3b, 0xd8, + 0xf8, 0x3b, 0x46, 0xf5, 0x09, 0xca, 0x2f, 0x80, 0x50, 0x63, 0x00, 0x2a, 0xf2, 0xbb, 0x2d, 0x88, + 0xb6, 0xee, 0x36, 0xa9, 0x02, 0x41, 0x03, 0xf0, 0x88, 0x6d, 0x29, 0x77, 0x52, 0x6f, 0x3f, 0x3f, + 0x6a, 0x07, 0x56, 0x00, 0x23, 0x2c, 0xe3, 0x00, 0x85, 0x17, 0x27, 0x6d, 0xd3, 0x72, 0x1d, 0xee, + 0x08, 0xfd, 0x6c, 0x99, 0x9f, 0xc9, 0x76, 0xb9, 0xe8, 0xdd, 0x2b, 0xc1, 0x43, 0x38, 0x5f, 0xa4, + 0xb4, 0x87, 0x35, 0xce, 0x81, 0xc6, 0x6b, 0x50, 0x1d, 0x71, 0x29, 0xee, 0x78, 0x60, 0xcf, 0xbe, + 0xf2, 0x3b, 0x5d, 0xa9, 0x1e, 0x6c, 0x2d, 0x02, 0x41, 0x03, 0xa6, 0xc8, 0x73, 0x4a, 0xac, 0xe5, + 0x9d, 0x5f, 0x38, 0x6f, 0x97, 0xde, 0x45, 0x0f, 0x8a, 0x12, 0xd6, 0x3a, 0xe6, 0xac, 0x15, 0xd3, + 0x36, 0xe0, 0x10, 0xc9, 0xfc, 0xf0, 0x3a, 0x32, 0xf0, 0x61, 0x18, 0x81, 0xac, 0x6c, 0xd8, 0xb3, + 0xf9, 0x89, 0x92, 0x5c, 0x0f, 0x02, 0x5a, 0xf2, 0x6c, 0xf2, 0x6a, 0xeb, 0xd7, 0xd9, 0xb0, 0x4e, + 0xb5, 0x03, 0x04, 0x8d, 0xca, 0x2f, 0x50, 0x3c, 0x28, 0xe9, 0x02, 0x41, 0x01, 0x9b, 0x30, 0x04, + 0x51, 0xc3, 0xb4, 0x78, 0x66, 0xf1, 0x13, 0xe9, 0xa9, 0xc6, 0xa4, 0x90, 0xc8, 0x7c, 0x8d, 0xc6, + 0xc2, 0xec, 0xa4, 0x29, 0x02, 0xca, 0xea, 0x1f, 0x69, 0x07, 0xb9, 0x7e, 0x0a, 0x4a, 0x02, 0x07, + 0x2a, 0xaf, 0xc1, 0x18, 0x5a, 0xe6, 0x6c, 0x34, 0x34, 0x5b, 0xdd, 0xcd, 0x68, 0x33, 0x61, 0xcd, + 0xa1, 0xaa, 0xf8, 0xa9, 0x80, 0x09, 0xf9, 0xf8, 0xfa, 0x56, 0xd9, 0x70, 0x81, 0x02, 0x40, 0x1b, + 0xcc, 0xa8, 0x49, 0x17, 0x3d, 0x38, 0xe1, 0xe5, 0x0e, 0xc4, 0x88, 0x72, 0xab, 0x54, 0xa2, 0xdc, + 0xc6, 0x21, 0xa8, 0x0a, 0x7a, 0x1e, 0x8e, 0xa9, 0x51, 0x28, 0x79, 0x88, 0x71, 0x8d, 0x5e, 0x85, + 0xd9, 0x0d, 0x64, 0xab, 0x49, 0x26, 0xe9, 0xa5, 0x75, 0xa1, 0x68, 0xa3, 0x85, 0xc4, 0x21, 0xad, + 0x76, 0x58, 0x13, 0xfc, 0x3f, 0x4a, 0xf8, 0xcd, 0x00, 0xde, 0x7b, 0x6b, 0xba, 0x6e, 0x49, 0x02, + 0x41, 0x03, 0x6d, 0xcf, 0x69, 0xf6, 0xe5, 0x48, 0xc8, 0xac, 0xfb, 0x53, 0x6f, 0xb6, 0xcd, 0x18, + 0x6f, 0x8b, 0x8f, 0x20, 0xd3, 0x13, 0x36, 0x1d, 0x04, 0x47, 0xc1, 0xb5, 0xe3, 0x80, 0xf4, 0x11, + 0x3e, 0x57, 0x8b, 0x31, 0xe8, 0x67, 0xdd, 0xa4, 0x7d, 0x44, 0xad, 0x37, 0x61, 0xe7, 0x93, 0xf7, + 0x25, 0x03, 0x1b, 0x8d, 0x37, 0x9f, 0x38, 0x9d, 0xe2, 0x77, 0xa9, 0xa0, 0x13, 0x76, 0x51, 0xdf, + 0x54, 0x8a, +}; +const unsigned char test_rsa_1028_pub[] = { + 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x0e, 0x62, 0xa7, 0x6f, 0x0e, 0x0b, 0x59, 0x68, 0x3a, 0x7e, + 0xbf, 0x7c, 0xbf, 0xd3, 0x7b, 0x1d, 0x17, 0x81, 0xd8, 0xf1, 0xb9, 0x00, 0x60, 0x4b, 0x50, 0x7f, + 0x0f, 0x04, 0xc7, 0x2a, 0x3d, 0x34, 0x0d, 0x06, 0x7b, 0xcd, 0x53, 0xbe, 0xa3, 0xca, 0xff, 0x4e, + 0x4a, 0xe6, 0x94, 0xf0, 0xb6, 0xd8, 0xf5, 0x91, 0xa4, 0x16, 0x7f, 0xbf, 0x7f, 0x37, 0x2a, 0xb5, + 0x7e, 0x83, 0xa6, 0x9a, 0x3f, 0x26, 0xf4, 0x47, 0xbc, 0xf5, 0x82, 0xbc, 0x96, 0x21, 0xa3, 0x0a, + 0x3b, 0x44, 0xd6, 0xb4, 0x3e, 0x98, 0x6d, 0x1a, 0x86, 0x7b, 0x07, 0x48, 0x9e, 0x4f, 0x9b, 0xfc, + 0xad, 0xaa, 0x82, 0xa2, 0x78, 0x2d, 0xc2, 0x72, 0x9a, 0x63, 0x1f, 0xb1, 0xfb, 0x9f, 0xfb, 0x79, + 0x4b, 0x4e, 0x53, 0xc7, 0x62, 0x39, 0xe0, 0x4d, 0x4a, 0x8f, 0x80, 0x35, 0x25, 0x88, 0xdb, 0x29, + 0x46, 0x2d, 0xde, 0x18, 0x23, 0x7c, 0xf5, 0x02, 0x03, 0x01, 0x00, 0x01, +}; + +const unsigned char test_rsa_1030_priv[] = { + 0x30, 0x82, 0x02, 0x5f, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81, 0x2b, 0x7c, 0xd1, 0x97, 0xf5, 0x79, + 0x6d, 0x1f, 0x8e, 0x57, 0x6b, 0x2b, 0x37, 0x72, 0x3f, 0xd9, 0x21, 0x08, 0x14, 0xef, 0x1c, 0x19, + 0x95, 0xf9, 0x89, 0x9d, 0x50, 0x05, 0x8f, 0x37, 0x9d, 0x23, 0x9c, 0x66, 0x87, 0x8e, 0x92, 0x2f, + 0x34, 0xc6, 0xae, 0x36, 0x72, 0xc8, 0x59, 0x8f, 0xcd, 0x5d, 0x47, 0xb7, 0x64, 0xd2, 0xec, 0x15, + 0x6e, 0x13, 0x4d, 0x03, 0xcf, 0x6a, 0x94, 0xd3, 0x8d, 0x2e, 0xa8, 0xbc, 0x76, 0xdb, 0xbc, 0x60, + 0xc4, 0xb9, 0x74, 0x21, 0x90, 0x90, 0xea, 0xf2, 0x87, 0x49, 0x7d, 0x7d, 0xcf, 0x7f, 0x11, 0x9c, + 0xfa, 0x86, 0x74, 0x96, 0xf7, 0xe9, 0x1c, 0x12, 0xb5, 0xd5, 0x52, 0xe1, 0xd1, 0x46, 0x1a, 0x80, + 0xdb, 0xe9, 0xa5, 0x9d, 0xb3, 0xb0, 0x16, 0xc6, 0xc0, 0x14, 0x1c, 0x3b, 0x2a, 0x0e, 0x22, 0x60, + 0x89, 0xb8, 0x55, 0xcb, 0x88, 0xef, 0x65, 0x64, 0x08, 0xbd, 0x89, 0x02, 0x03, 0x01, 0x00, 0x01, + 0x02, 0x81, 0x81, 0x02, 0x10, 0xd5, 0xff, 0x53, 0x1c, 0xac, 0xb2, 0x2f, 0x8c, 0xf7, 0xdd, 0x1f, + 0xd9, 0xfb, 0x03, 0x76, 0xf3, 0x64, 0x7f, 0x2e, 0x9a, 0xb3, 0xdf, 0x9c, 0x89, 0xb9, 0xad, 0x3c, + 0x98, 0xe6, 0x8b, 0x89, 0xad, 0xeb, 0x29, 0x90, 0x1d, 0xd2, 0xf2, 0xcf, 0x2a, 0xc1, 0xf8, 0x17, + 0x72, 0x62, 0x78, 0x83, 0x0e, 0xc8, 0xa8, 0xd0, 0xfd, 0xd1, 0x9d, 0x49, 0x6e, 0xc6, 0xbc, 0x68, + 0x36, 0x71, 0x17, 0x47, 0x86, 0xb7, 0xd6, 0xa8, 0xe8, 0x22, 0xfa, 0x71, 0xd6, 0x5a, 0xd3, 0x5a, + 0xbb, 0xdf, 0x0e, 0x6e, 0x55, 0xff, 0x2c, 0x18, 0x21, 0xb6, 0x2b, 0xc6, 0x30, 0x19, 0x21, 0x60, + 0xe5, 0xc9, 0xb3, 0xdc, 0xaf, 0xc6, 0x5a, 0xe6, 0xb2, 0xa0, 0x88, 0xfb, 0xc5, 0x59, 0x1d, 0xa5, + 0x8a, 0x45, 0xdd, 0x7a, 0x30, 0x96, 0x0f, 0x7d, 0x3d, 0xef, 0x75, 0xb8, 0x0c, 0xdf, 0x73, 0x24, + 0x73, 0x60, 0xe8, 0xfb, 0x02, 0x41, 0x07, 0x2e, 0x37, 0x1a, 0x3b, 0xa8, 0x61, 0xe7, 0x8e, 0x3e, + 0xb9, 0x31, 0x30, 0x65, 0xfa, 0xab, 0x0a, 0x97, 0x21, 0x6e, 0x95, 0x44, 0xbf, 0xc2, 0xd5, 0xb4, + 0x03, 0x84, 0x4b, 0x43, 0x27, 0x37, 0x05, 0x75, 0x5a, 0x85, 0xaa, 0x0b, 0xaf, 0x71, 0x14, 0x77, + 0x0c, 0xfe, 0xca, 0x20, 0xbc, 0xa1, 0x7a, 0xc1, 0x9b, 0xc4, 0xcb, 0xba, 0x10, 0x6a, 0x33, 0xb3, + 0xdd, 0xdc, 0xa0, 0xfb, 0x53, 0x5f, 0x33, 0x02, 0x41, 0x06, 0x0e, 0x6a, 0xf3, 0x7a, 0xb4, 0xea, + 0x11, 0xf5, 0x2b, 0x93, 0x44, 0xe7, 0x16, 0x0e, 0xb2, 0xa5, 0x3f, 0x10, 0x75, 0xe1, 0x22, 0x9a, + 0x7f, 0x10, 0xa3, 0x01, 0xde, 0x33, 0x59, 0xf5, 0x3e, 0x98, 0x1e, 0xa0, 0xe1, 0x7d, 0xf0, 0xfb, + 0x38, 0x0f, 0x08, 0x9e, 0x5c, 0x37, 0xdd, 0x40, 0xda, 0xa2, 0x9e, 0xef, 0xd2, 0x05, 0xf5, 0xc8, + 0x7b, 0x38, 0xf8, 0xfe, 0xf6, 0x36, 0xb5, 0x7b, 0xa0, 0x53, 0x02, 0x41, 0x02, 0x3a, 0x5d, 0xd0, + 0x9e, 0xf8, 0x35, 0x40, 0xb3, 0x0b, 0x55, 0x4d, 0x24, 0xf6, 0x4f, 0x9c, 0x28, 0xd2, 0x12, 0x06, + 0x8c, 0xfc, 0x62, 0xff, 0xe2, 0x6d, 0x53, 0xb6, 0x05, 0xe0, 0x55, 0x57, 0xa6, 0x32, 0xee, 0x9e, + 0x90, 0xcf, 0xc5, 0x65, 0x31, 0xf3, 0x6a, 0xad, 0xd8, 0x2b, 0xe6, 0x3b, 0xb8, 0xaa, 0x40, 0x5a, + 0x04, 0xd8, 0xbb, 0xe5, 0x28, 0x1b, 0xc4, 0x58, 0x83, 0xfe, 0xd7, 0xb4, 0xaf, 0x02, 0x41, 0x04, + 0x1d, 0xe6, 0xdb, 0xad, 0x4c, 0xaf, 0x54, 0x17, 0xa9, 0x50, 0x49, 0x65, 0x20, 0x1c, 0x4b, 0x99, + 0x82, 0x7d, 0xe8, 0xf3, 0x69, 0xf7, 0x45, 0x6a, 0x84, 0xb3, 0xef, 0x5c, 0x4e, 0xc9, 0x23, 0x8c, + 0x7a, 0x3d, 0x78, 0x2a, 0x89, 0x15, 0xeb, 0xec, 0x64, 0x3a, 0x69, 0x8b, 0x5b, 0xee, 0x0a, 0xf0, + 0xc2, 0x43, 0x59, 0x2b, 0xce, 0x00, 0x42, 0xaa, 0xde, 0xaf, 0x49, 0xa4, 0xb4, 0xc6, 0xdd, 0x9b, + 0x02, 0x41, 0x05, 0xd3, 0x2d, 0xee, 0x95, 0x2b, 0x50, 0x3b, 0x53, 0x6f, 0xce, 0xcf, 0x19, 0xec, + 0x08, 0x23, 0x6a, 0x9c, 0xd9, 0x45, 0xc4, 0x95, 0x51, 0xbf, 0x99, 0xf1, 0x5b, 0x67, 0x4f, 0xc2, + 0x1a, 0xa1, 0x99, 0xf4, 0xc4, 0x21, 0x1f, 0x0f, 0x00, 0x07, 0xc4, 0x17, 0xc1, 0xfb, 0x41, 0x55, + 0x32, 0x6a, 0x21, 0x42, 0xfc, 0xa4, 0x54, 0xbb, 0xd3, 0x8d, 0x6d, 0xbc, 0x6c, 0xaa, 0x7a, 0xc3, + 0x35, 0xa1, 0x7c, +}; +const unsigned char test_rsa_1030_pub[] = { + 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x2b, 0x7c, 0xd1, 0x97, 0xf5, 0x79, 0x6d, 0x1f, 0x8e, 0x57, + 0x6b, 0x2b, 0x37, 0x72, 0x3f, 0xd9, 0x21, 0x08, 0x14, 0xef, 0x1c, 0x19, 0x95, 0xf9, 0x89, 0x9d, + 0x50, 0x05, 0x8f, 0x37, 0x9d, 0x23, 0x9c, 0x66, 0x87, 0x8e, 0x92, 0x2f, 0x34, 0xc6, 0xae, 0x36, + 0x72, 0xc8, 0x59, 0x8f, 0xcd, 0x5d, 0x47, 0xb7, 0x64, 0xd2, 0xec, 0x15, 0x6e, 0x13, 0x4d, 0x03, + 0xcf, 0x6a, 0x94, 0xd3, 0x8d, 0x2e, 0xa8, 0xbc, 0x76, 0xdb, 0xbc, 0x60, 0xc4, 0xb9, 0x74, 0x21, + 0x90, 0x90, 0xea, 0xf2, 0x87, 0x49, 0x7d, 0x7d, 0xcf, 0x7f, 0x11, 0x9c, 0xfa, 0x86, 0x74, 0x96, + 0xf7, 0xe9, 0x1c, 0x12, 0xb5, 0xd5, 0x52, 0xe1, 0xd1, 0x46, 0x1a, 0x80, 0xdb, 0xe9, 0xa5, 0x9d, + 0xb3, 0xb0, 0x16, 0xc6, 0xc0, 0x14, 0x1c, 0x3b, 0x2a, 0x0e, 0x22, 0x60, 0x89, 0xb8, 0x55, 0xcb, + 0x88, 0xef, 0x65, 0x64, 0x08, 0xbd, 0x89, 0x02, 0x03, 0x01, 0x00, 0x01, +}; + +const unsigned char test_rsa_1536_priv[] = { + 0x30, 0x82, 0x03, 0x7b, 0x02, 0x01, 0x00, 0x02, 0x81, 0xc1, 0x00, 0xc8, 0x70, 0xfe, 0xb6, 0xca, + 0x6b, 0x1d, 0x2b, 0xd9, 0xf2, 0xdd, 0x99, 0xe2, 0x0f, 0x1f, 0xe2, 0xd7, 0xe5, 0x19, 0x2d, 0xe6, + 0x62, 0x22, 0x9d, 0xbe, 0x16, 0x2b, 0xd1, 0xba, 0x66, 0x33, 0x6a, 0x71, 0x82, 0x90, 0x3c, 0xa0, + 0xb7, 0x27, 0x96, 0xcd, 0x44, 0x1c, 0x83, 0xd2, 0x4b, 0xcd, 0xc3, 0xe9, 0xa2, 0xf5, 0xe4, 0x39, + 0x9c, 0x8a, 0x04, 0x3f, 0x1c, 0x3d, 0xdf, 0x04, 0x75, 0x4a, 0x66, 0xd4, 0xcf, 0xe7, 0xb3, 0x67, + 0x1a, 0x37, 0xdd, 0x31, 0xa9, 0xb4, 0xc1, 0x3b, 0xfe, 0x06, 0xee, 0x90, 0xf9, 0xd9, 0x4d, 0xda, + 0xa0, 0x6d, 0xe6, 0x7a, 0x52, 0xac, 0x86, 0x3e, 0x68, 0xf7, 0x56, 0x73, 0x6c, 0xeb, 0x01, 0x44, + 0x05, 0xa6, 0x16, 0x05, 0x79, 0x64, 0x0f, 0x83, 0x1d, 0xdd, 0xcc, 0xc3, 0x4a, 0xd0, 0xb0, 0x50, + 0x70, 0xe3, 0xf9, 0x95, 0x4a, 0x58, 0xd1, 0x81, 0x58, 0x13, 0xe1, 0xb8, 0x3b, 0xca, 0xdb, 0xa8, + 0x14, 0x78, 0x9c, 0x87, 0xf1, 0xef, 0x2b, 0xa5, 0xd7, 0x38, 0xb7, 0x93, 0xec, 0x45, 0x6a, 0x67, + 0x36, 0x0e, 0xea, 0x1b, 0x5f, 0xaf, 0x1c, 0x7c, 0xc7, 0xbf, 0x24, 0xf3, 0xb2, 0xa9, 0xd0, 0xf8, + 0x95, 0x8b, 0x10, 0x96, 0xe0, 0xf0, 0xc3, 0x35, 0xf8, 0x88, 0x8d, 0x0c, 0x63, 0xa5, 0x1c, 0x3c, + 0x03, 0x37, 0x21, 0x4f, 0xa3, 0xf5, 0xef, 0xdf, 0x6d, 0xcc, 0x35, 0x02, 0x03, 0x01, 0x00, 0x01, + 0x02, 0x81, 0xc0, 0x6d, 0x2d, 0x67, 0x00, 0x47, 0x97, 0x3a, 0x87, 0x75, 0x2a, 0x9d, 0x5b, 0xc1, + 0x4f, 0x3d, 0xae, 0x00, 0xac, 0xb0, 0x1f, 0x59, 0x3a, 0xa0, 0xe2, 0x4c, 0xf4, 0xa4, 0x9f, 0x93, + 0x29, 0x31, 0xde, 0x4b, 0xbf, 0xb3, 0x32, 0xe2, 0xd3, 0x80, 0x83, 0xda, 0x80, 0xbc, 0x0b, 0x6d, + 0x53, 0x8e, 0xdb, 0xa4, 0x79, 0xf7, 0xf7, 0x7d, 0x0d, 0xef, 0xfb, 0x4a, 0x28, 0xe6, 0xe6, 0x7f, + 0xf6, 0x27, 0x35, 0x85, 0xbb, 0x4c, 0xd8, 0x62, 0x53, 0x5c, 0x94, 0x66, 0x05, 0xab, 0x08, 0x09, + 0xd6, 0x5f, 0x0e, 0x38, 0xf7, 0x6e, 0x4e, 0xc2, 0xc3, 0xd9, 0xb8, 0xcd, 0x6e, 0x14, 0xbc, 0xf6, + 0x67, 0x94, 0x38, 0x92, 0xcd, 0x4b, 0x34, 0xcc, 0x64, 0x20, 0xa4, 0x39, 0xab, 0xbf, 0x3d, 0x7d, + 0x35, 0xef, 0x73, 0x97, 0x6d, 0xd6, 0xf9, 0xcb, 0xde, 0x35, 0xa5, 0x1f, 0xa5, 0x21, 0x3f, 0x01, + 0x07, 0xf8, 0x3e, 0x34, 0x25, 0x83, 0x5d, 0x16, 0xd3, 0xc9, 0x14, 0x6f, 0xc9, 0xe3, 0x6c, 0xe7, + 0x5a, 0x09, 0xbb, 0x66, 0xcd, 0xff, 0x21, 0xdd, 0x5a, 0x77, 0x68, 0x99, 0xf1, 0xcb, 0x07, 0xe2, + 0x82, 0xcc, 0xa2, 0x7b, 0xe4, 0x65, 0x10, 0xe9, 0xc7, 0x99, 0xf0, 0xd8, 0xdb, 0x27, 0x5a, 0x6b, + 0xe0, 0x85, 0xd9, 0xf3, 0xf8, 0x03, 0x21, 0x8e, 0xe3, 0x38, 0x42, 0x65, 0xbf, 0xb1, 0xa3, 0x64, + 0x0e, 0x8c, 0xa1, 0x02, 0x61, 0x00, 0xe6, 0x84, 0x8c, 0x31, 0xd4, 0x66, 0xff, 0xfe, 0xfc, 0x54, + 0x7e, 0x3a, 0x3b, 0x0d, 0x37, 0x85, 0xde, 0x6f, 0x78, 0xb0, 0xdd, 0x12, 0x61, 0x08, 0x43, 0x51, + 0x2e, 0x49, 0x56, 0x11, 0xa0, 0x67, 0x55, 0x09, 0xb1, 0x65, 0x0b, 0x27, 0x41, 0x50, 0x09, 0x83, + 0x8d, 0xd8, 0xe6, 0x8e, 0xec, 0x6e, 0x75, 0x30, 0x55, 0x3b, 0x63, 0x7d, 0x60, 0x24, 0x24, 0x64, + 0x3b, 0x33, 0xe8, 0xbc, 0x5b, 0x76, 0x2e, 0x17, 0x99, 0xbc, 0x79, 0xd5, 0x6b, 0x13, 0x25, 0x1d, + 0x36, 0xd4, 0xf2, 0x01, 0xda, 0x21, 0x82, 0x41, 0x6c, 0xe1, 0x35, 0x74, 0xe8, 0x82, 0x78, 0xff, + 0x04, 0x46, 0x7a, 0xd6, 0x02, 0xd9, 0x02, 0x61, 0x00, 0xde, 0x99, 0x4f, 0xdf, 0x18, 0x1f, 0x02, + 0xbe, 0x2b, 0xf9, 0xe5, 0xf5, 0xe4, 0xe5, 0x17, 0xa9, 0x49, 0x93, 0xb8, 0x27, 0xd1, 0xea, 0xf6, + 0x09, 0x03, 0x3e, 0x3a, 0x6a, 0x6f, 0x23, 0x96, 0xae, 0x7c, 0x44, 0xe9, 0xeb, 0x59, 0x4c, 0xf1, + 0x04, 0x4c, 0xb3, 0xad, 0x32, 0xea, 0x25, 0x8f, 0x0c, 0x82, 0x96, 0x3b, 0x27, 0xbb, 0x65, 0x0e, + 0xd2, 0x00, 0xcd, 0xe8, 0x2c, 0xb9, 0x93, 0x37, 0x4b, 0xe3, 0x4b, 0xe5, 0xb1, 0xc7, 0xea, 0xd5, + 0x44, 0x6a, 0x2b, 0x82, 0xa4, 0x48, 0x6e, 0x8c, 0x18, 0x10, 0xa0, 0xb0, 0x15, 0x51, 0x60, 0x9f, + 0xb0, 0x84, 0x1d, 0x47, 0x4b, 0xad, 0xa8, 0x02, 0xbd, 0x02, 0x60, 0x76, 0xdd, 0xae, 0x75, 0x1b, + 0x73, 0xa9, 0x59, 0xd0, 0xbf, 0xb8, 0xff, 0x49, 0xe7, 0xfc, 0xd3, 0x78, 0xe9, 0xbe, 0x30, 0x65, + 0x2e, 0xce, 0xfe, 0x35, 0xc8, 0x2c, 0xb8, 0x00, 0x3b, 0xc2, 0x9c, 0xc6, 0x0a, 0xe3, 0x80, 0x99, + 0x09, 0xba, 0xf2, 0x0c, 0x95, 0xdb, 0x95, 0x16, 0xfe, 0x68, 0x08, 0x65, 0x41, 0x71, 0x11, 0xd8, + 0xb1, 0x93, 0xdb, 0xcf, 0x30, 0x28, 0x1f, 0x12, 0x49, 0xde, 0x57, 0xc8, 0x58, 0xbf, 0x1b, 0xa3, + 0x2f, 0x5b, 0xb1, 0x59, 0x98, 0x00, 0xe8, 0x39, 0x8a, 0x9e, 0xf2, 0x5c, 0x7a, 0x64, 0x2c, 0x95, + 0x26, 0x1d, 0xa6, 0xf9, 0xc1, 0x76, 0x70, 0xe9, 0x72, 0x65, 0xb1, 0x02, 0x60, 0x73, 0x24, 0x82, + 0xb8, 0x37, 0xd5, 0xf2, 0xa9, 0x44, 0x3e, 0x23, 0xc1, 0xaa, 0x01, 0x06, 0xd8, 0x3e, 0x82, 0xf6, + 0xc3, 0x42, 0x46, 0x73, 0xb5, 0xfd, 0xc3, 0x76, 0x9c, 0x0f, 0x99, 0x2d, 0x1c, 0x5c, 0x93, 0x99, + 0x1c, 0x70, 0x38, 0xe8, 0x82, 0xfc, 0xda, 0x04, 0x41, 0x4d, 0xf4, 0xd7, 0xa5, 0xf4, 0xf6, 0x98, + 0xea, 0xd8, 0x78, 0x51, 0xce, 0x37, 0x34, 0x4b, 0x60, 0xb7, 0x2d, 0x7b, 0x70, 0xf9, 0xc6, 0x0c, + 0xae, 0x85, 0x66, 0xe7, 0xa2, 0x57, 0xf8, 0xe1, 0xbe, 0xf0, 0xe8, 0x9d, 0xf6, 0xe4, 0xc2, 0xf9, + 0xd2, 0x4d, 0x21, 0xd9, 0xf8, 0x88, 0x9e, 0x4c, 0x7e, 0xcc, 0xf9, 0x17, 0x51, 0x02, 0x60, 0x09, + 0x05, 0x0d, 0x94, 0x49, 0x3d, 0xa8, 0xf0, 0x0a, 0x4d, 0xdb, 0xe9, 0xc8, 0x00, 0xaf, 0xe3, 0xd4, + 0x4b, 0x43, 0xf7, 0x8a, 0x48, 0x94, 0x1a, 0x79, 0xb2, 0x81, 0x4a, 0x1f, 0x0b, 0x81, 0xa1, 0x8a, + 0x8b, 0x23, 0x47, 0x64, 0x2a, 0x03, 0xb2, 0x79, 0x98, 0xf5, 0xa1, 0x8d, 0xe9, 0xab, 0xc9, 0xae, + 0x0e, 0x54, 0xab, 0x82, 0x94, 0xfe, 0xac, 0x66, 0xdc, 0x87, 0xe8, 0x54, 0xcc, 0xe6, 0xf7, 0x27, + 0x8a, 0xc2, 0x71, 0x0c, 0xb5, 0x87, 0x8b, 0x59, 0x2f, 0xfe, 0xb1, 0xf4, 0xf0, 0xa1, 0x85, 0x3e, + 0x4e, 0x8d, 0x1d, 0x05, 0x61, 0xb6, 0xef, 0xcc, 0x83, 0x1a, 0x29, 0x6c, 0xf7, 0xee, 0xaf, +}; +const unsigned char test_rsa_1536_pub[] = { + 0x30, 0x81, 0xc9, 0x02, 0x81, 0xc1, 0x00, 0xc8, 0x70, 0xfe, 0xb6, 0xca, 0x6b, 0x1d, 0x2b, 0xd9, + 0xf2, 0xdd, 0x99, 0xe2, 0x0f, 0x1f, 0xe2, 0xd7, 0xe5, 0x19, 0x2d, 0xe6, 0x62, 0x22, 0x9d, 0xbe, + 0x16, 0x2b, 0xd1, 0xba, 0x66, 0x33, 0x6a, 0x71, 0x82, 0x90, 0x3c, 0xa0, 0xb7, 0x27, 0x96, 0xcd, + 0x44, 0x1c, 0x83, 0xd2, 0x4b, 0xcd, 0xc3, 0xe9, 0xa2, 0xf5, 0xe4, 0x39, 0x9c, 0x8a, 0x04, 0x3f, + 0x1c, 0x3d, 0xdf, 0x04, 0x75, 0x4a, 0x66, 0xd4, 0xcf, 0xe7, 0xb3, 0x67, 0x1a, 0x37, 0xdd, 0x31, + 0xa9, 0xb4, 0xc1, 0x3b, 0xfe, 0x06, 0xee, 0x90, 0xf9, 0xd9, 0x4d, 0xda, 0xa0, 0x6d, 0xe6, 0x7a, + 0x52, 0xac, 0x86, 0x3e, 0x68, 0xf7, 0x56, 0x73, 0x6c, 0xeb, 0x01, 0x44, 0x05, 0xa6, 0x16, 0x05, + 0x79, 0x64, 0x0f, 0x83, 0x1d, 0xdd, 0xcc, 0xc3, 0x4a, 0xd0, 0xb0, 0x50, 0x70, 0xe3, 0xf9, 0x95, + 0x4a, 0x58, 0xd1, 0x81, 0x58, 0x13, 0xe1, 0xb8, 0x3b, 0xca, 0xdb, 0xa8, 0x14, 0x78, 0x9c, 0x87, + 0xf1, 0xef, 0x2b, 0xa5, 0xd7, 0x38, 0xb7, 0x93, 0xec, 0x45, 0x6a, 0x67, 0x36, 0x0e, 0xea, 0x1b, + 0x5f, 0xaf, 0x1c, 0x7c, 0xc7, 0xbf, 0x24, 0xf3, 0xb2, 0xa9, 0xd0, 0xf8, 0x95, 0x8b, 0x10, 0x96, + 0xe0, 0xf0, 0xc3, 0x35, 0xf8, 0x88, 0x8d, 0x0c, 0x63, 0xa5, 0x1c, 0x3c, 0x03, 0x37, 0x21, 0x4f, + 0xa3, 0xf5, 0xef, 0xdf, 0x6d, 0xcc, 0x35, 0x02, 0x03, 0x01, 0x00, 0x01, +}; + +const unsigned char test_rsa_2048_priv[] = { + 0x30, 0x82, 0x04, 0xa3, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, 0xf7, 0xbb, 0x6b, 0x8e, + 0xab, 0x40, 0x49, 0x1c, 0xd6, 0x44, 0x55, 0xec, 0x04, 0xd4, 0xed, 0x8d, 0xb5, 0x05, 0x1a, 0x97, + 0x38, 0xfc, 0x7a, 0xf7, 0x3f, 0xf3, 0xb0, 0x97, 0x51, 0x1c, 0xce, 0x40, 0xaa, 0xf7, 0x65, 0x37, + 0xb1, 0x35, 0x35, 0x04, 0x42, 0x79, 0x86, 0xb7, 0xb2, 0xb5, 0x3a, 0x96, 0x4a, 0x69, 0x37, 0xb5, + 0x58, 0xec, 0x0d, 0x1d, 0xea, 0x27, 0x4a, 0xf2, 0xb8, 0xff, 0xf2, 0xf0, 0x94, 0xc2, 0x43, 0xfa, + 0x57, 0x72, 0x66, 0xa7, 0x9d, 0xb0, 0xc2, 0x6f, 0xfe, 0x30, 0x41, 0x6d, 0x23, 0xef, 0x05, 0xdd, + 0x5f, 0xec, 0xab, 0x41, 0x3e, 0xbb, 0xb4, 0xf8, 0x52, 0x6a, 0xe7, 0x20, 0xa9, 0x45, 0x84, 0x22, + 0x6b, 0x37, 0xd9, 0x2e, 0xf4, 0x63, 0xfc, 0x73, 0x6c, 0xb3, 0x8e, 0x53, 0x0e, 0x74, 0x88, 0xd9, + 0x16, 0x2f, 0x57, 0x26, 0x80, 0x7b, 0xc5, 0x43, 0x13, 0x8a, 0x2d, 0x25, 0x8a, 0xdb, 0x4d, 0x68, + 0x02, 0x21, 0xc2, 0x53, 0x23, 0x81, 0xcc, 0xfa, 0x81, 0xbc, 0x89, 0xbc, 0x3d, 0x7b, 0x84, 0x03, + 0x9c, 0x2d, 0xf4, 0x1c, 0xe3, 0xec, 0x8d, 0xb9, 0x1c, 0x23, 0x80, 0xe7, 0x81, 0xba, 0x3a, 0xa9, + 0xe2, 0x3b, 0x74, 0xed, 0x99, 0x73, 0xd4, 0x90, 0x8e, 0xfc, 0xa4, 0x7a, 0xa8, 0xd9, 0xb7, 0xb0, + 0xa4, 0x42, 0x32, 0x97, 0xa4, 0x04, 0x42, 0x7c, 0x3f, 0x3c, 0xd6, 0xe0, 0x78, 0x2e, 0x45, 0x53, + 0x88, 0x0f, 0x06, 0xba, 0x39, 0xa6, 0x4f, 0x4a, 0x7b, 0x0e, 0xef, 0x92, 0x1a, 0x60, 0x50, 0xa2, + 0x07, 0xce, 0xfa, 0xdc, 0xf0, 0x73, 0x94, 0xa3, 0xe1, 0x8e, 0xa9, 0x15, 0xdc, 0x84, 0x97, 0xe7, + 0xae, 0x61, 0xfc, 0x31, 0x62, 0xf6, 0x2f, 0x50, 0x65, 0xa6, 0x92, 0xaf, 0x07, 0x72, 0x66, 0xf7, + 0x36, 0x0c, 0x20, 0x76, 0xce, 0xbe, 0xaf, 0x14, 0xcb, 0x22, 0xc1, 0xed, 0x02, 0x03, 0x01, 0x00, + 0x01, 0x02, 0x82, 0x01, 0x00, 0x00, 0xb8, 0x96, 0x2d, 0xce, 0x60, 0x4b, 0xc6, 0x2e, 0x76, 0x78, + 0xf4, 0x8c, 0xa8, 0x0c, 0xff, 0xf4, 0x56, 0xad, 0x36, 0xe2, 0xf6, 0xd3, 0x29, 0xcc, 0x91, 0x1a, + 0x42, 0xba, 0x7c, 0xf5, 0xb9, 0xb8, 0xf5, 0xaa, 0xe1, 0x00, 0x5e, 0x4a, 0x06, 0xf6, 0xe5, 0x91, + 0x27, 0x90, 0x38, 0xd8, 0x50, 0x8f, 0x2b, 0x62, 0xba, 0xdf, 0xa5, 0x22, 0x3d, 0xa3, 0xcc, 0x94, + 0xfa, 0x83, 0x60, 0xd5, 0x55, 0x6f, 0x6d, 0x68, 0x52, 0xbe, 0x75, 0xea, 0x08, 0x13, 0x5c, 0xac, + 0x18, 0x34, 0xda, 0x71, 0x9a, 0x4e, 0x78, 0x37, 0xe1, 0x66, 0xd1, 0xd2, 0xc6, 0xc8, 0x16, 0xb6, + 0x46, 0x61, 0xc1, 0x07, 0x66, 0xb0, 0x2f, 0x70, 0x5c, 0xc4, 0x48, 0x9f, 0x94, 0x74, 0x28, 0x25, + 0x58, 0x35, 0xa9, 0x09, 0x21, 0x43, 0x41, 0xc2, 0x13, 0x35, 0xae, 0x12, 0x18, 0x1d, 0xd8, 0x1e, + 0x61, 0x1d, 0x59, 0xb1, 0xdb, 0x70, 0x66, 0x7b, 0xeb, 0xd7, 0xe9, 0x2b, 0x71, 0xe1, 0xd3, 0x88, + 0x31, 0x8d, 0x3e, 0xc1, 0x4d, 0x61, 0x6f, 0x72, 0xc2, 0x31, 0xf6, 0x72, 0x7a, 0x18, 0x3e, 0x68, + 0x18, 0x28, 0x5b, 0xd6, 0x5f, 0x65, 0x72, 0xca, 0xdc, 0x90, 0x12, 0x24, 0x88, 0x21, 0xb2, 0xd0, + 0xae, 0x6c, 0xed, 0xd3, 0x0c, 0xa4, 0x40, 0xd4, 0xd3, 0x4c, 0xd7, 0x7e, 0x2c, 0xf6, 0xb4, 0x0e, + 0xd2, 0xc7, 0xd8, 0x56, 0xb3, 0x0d, 0x47, 0x47, 0x33, 0xfc, 0xe0, 0xfb, 0x69, 0x5c, 0x3e, 0x65, + 0x30, 0xc0, 0x79, 0xae, 0xd9, 0x55, 0xe4, 0x07, 0x30, 0x55, 0xf2, 0x65, 0x5d, 0x4b, 0x67, 0x1e, + 0x29, 0x1f, 0xde, 0x40, 0x0f, 0x2f, 0x06, 0xd0, 0xb3, 0x3f, 0x87, 0xd2, 0x61, 0xe0, 0xad, 0x3d, + 0xae, 0x48, 0xa9, 0x13, 0x84, 0x1b, 0x34, 0xcf, 0xed, 0x03, 0x79, 0x0f, 0xca, 0xee, 0x00, 0xde, + 0x2e, 0x90, 0xfb, 0x96, 0x21, 0x02, 0x81, 0x81, 0x00, 0xfc, 0xbe, 0x89, 0xcd, 0x1a, 0xa3, 0x19, + 0xe4, 0x9e, 0xf4, 0xf7, 0x21, 0x49, 0xbf, 0x06, 0xda, 0x57, 0xdc, 0xc6, 0x4d, 0x3d, 0xe6, 0x05, + 0xe9, 0xff, 0x3e, 0x76, 0xfc, 0x66, 0xf4, 0xb1, 0xe2, 0x87, 0x82, 0x45, 0xff, 0xd7, 0x19, 0x90, + 0x51, 0x1b, 0x17, 0xe9, 0x7f, 0x33, 0x81, 0x88, 0x89, 0xa8, 0xc2, 0x1b, 0x55, 0x27, 0xfd, 0x18, + 0x13, 0x27, 0xaf, 0xfe, 0x88, 0xf9, 0xbb, 0xa6, 0x70, 0xc4, 0xe6, 0xf1, 0xe6, 0x30, 0x9b, 0xd0, + 0x32, 0x30, 0x74, 0xe4, 0xcb, 0xcf, 0x23, 0xdc, 0xe3, 0xc1, 0x9b, 0x8d, 0x54, 0x95, 0xf5, 0x6a, + 0x93, 0x05, 0x9b, 0xa7, 0x41, 0x4f, 0x28, 0xed, 0x1e, 0xc9, 0x06, 0xad, 0x18, 0xc6, 0x3d, 0xe1, + 0x14, 0x8a, 0xbc, 0xfe, 0x9b, 0xe7, 0x98, 0x60, 0x00, 0xf4, 0x25, 0xe5, 0x80, 0xb7, 0x0e, 0x43, + 0xe4, 0x8e, 0x24, 0xfa, 0x9d, 0x51, 0xaa, 0xae, 0x4d, 0x02, 0x81, 0x81, 0x00, 0xfa, 0xec, 0x5a, + 0x7b, 0xed, 0x2e, 0x53, 0xcf, 0xca, 0x1e, 0x16, 0x7d, 0xb4, 0x64, 0x1d, 0xb5, 0xa0, 0x0f, 0xe2, + 0xc3, 0x28, 0x12, 0x54, 0x23, 0xd5, 0x94, 0x78, 0x9f, 0x3e, 0xc0, 0x72, 0xc6, 0x23, 0xe7, 0xaf, + 0xbd, 0xee, 0x00, 0x89, 0xfd, 0x26, 0x30, 0x76, 0x51, 0xf6, 0xd3, 0x61, 0x1a, 0x88, 0xaf, 0x28, + 0xc3, 0x45, 0x85, 0xd5, 0xcb, 0x71, 0x3a, 0x65, 0x0c, 0x35, 0x93, 0x3f, 0x58, 0x94, 0x4d, 0xb9, + 0xbd, 0x15, 0xba, 0x9f, 0xc2, 0x8b, 0x07, 0xe6, 0x70, 0x5b, 0x7b, 0x3e, 0xf1, 0xcc, 0xb4, 0x8d, + 0x21, 0xa5, 0x35, 0x69, 0xc8, 0xb8, 0x4c, 0x44, 0x4b, 0x61, 0xea, 0x5c, 0x6e, 0x67, 0xb5, 0x4f, + 0x0a, 0xfd, 0x85, 0x2f, 0xfb, 0x8c, 0x92, 0xa1, 0x11, 0xfa, 0xb8, 0x67, 0x72, 0x63, 0xee, 0xb8, + 0x0c, 0xf1, 0xa3, 0x40, 0x3b, 0x4a, 0x9a, 0x20, 0x97, 0x76, 0x94, 0x72, 0x21, 0x02, 0x81, 0x80, + 0x2f, 0xf9, 0x9a, 0xfe, 0xab, 0xc7, 0xb9, 0xea, 0x83, 0xa1, 0xcc, 0x27, 0x2d, 0x70, 0x6d, 0x44, + 0x94, 0xd8, 0xfb, 0x6b, 0x3e, 0x0c, 0xa3, 0xa2, 0xbf, 0x28, 0x84, 0x3d, 0x74, 0xed, 0x8d, 0xb6, + 0x8a, 0x32, 0x58, 0x47, 0x2f, 0xf5, 0x52, 0x47, 0x92, 0xf4, 0xff, 0x05, 0x7e, 0x29, 0x60, 0x59, + 0x81, 0x07, 0x17, 0x59, 0x1a, 0xb6, 0x18, 0x13, 0xca, 0xbc, 0xc5, 0x7c, 0x0a, 0xab, 0x6b, 0xf4, + 0x8b, 0xeb, 0xaa, 0x8f, 0x1f, 0x3a, 0xf4, 0x52, 0x12, 0x90, 0x9d, 0xbd, 0x72, 0x1c, 0x44, 0x99, + 0x96, 0xee, 0x87, 0xed, 0x3e, 0x69, 0xcf, 0x49, 0x09, 0x0f, 0x7a, 0xb8, 0x12, 0xe6, 0x99, 0xdb, + 0xf6, 0x1c, 0xa6, 0x4e, 0xc5, 0x92, 0x89, 0x5e, 0xf4, 0xd6, 0xdb, 0x1d, 0x8c, 0xe0, 0x87, 0x98, + 0xa6, 0xbf, 0x6a, 0xc8, 0xfb, 0xf6, 0x61, 0x3c, 0xc9, 0x1e, 0x8b, 0xd3, 0xc0, 0xe4, 0xbd, 0x21, + 0x02, 0x81, 0x81, 0x00, 0xb2, 0x9b, 0x34, 0x59, 0x0b, 0xdd, 0xb3, 0x08, 0xaf, 0xec, 0xb4, 0xc3, + 0xab, 0x78, 0xab, 0xf1, 0x11, 0x4a, 0xdd, 0x75, 0x5e, 0x7b, 0x95, 0x6a, 0xa0, 0x67, 0x7b, 0x68, + 0x96, 0xa9, 0x33, 0xc9, 0x37, 0xdb, 0x7d, 0xab, 0xaa, 0xd2, 0xb5, 0x65, 0xfd, 0x1d, 0xf7, 0xca, + 0xa5, 0xef, 0x96, 0x29, 0xe5, 0xeb, 0x10, 0x0f, 0xd6, 0xd7, 0xc9, 0xf3, 0x72, 0xd8, 0x46, 0xfe, + 0xe6, 0xcf, 0xb6, 0x02, 0x5e, 0x25, 0xe9, 0x34, 0xdf, 0x57, 0xa4, 0xca, 0x3c, 0x5e, 0x56, 0x37, + 0xd9, 0xd6, 0x23, 0x5a, 0xc8, 0x04, 0x28, 0x85, 0x2f, 0x6c, 0x92, 0xac, 0xae, 0x0a, 0x93, 0x7e, + 0x38, 0xe7, 0x31, 0xfd, 0xe0, 0x52, 0x1d, 0x3e, 0x4c, 0x70, 0xd6, 0x53, 0xae, 0x9e, 0xdc, 0x89, + 0xc8, 0xb6, 0x23, 0xe4, 0x37, 0x9f, 0xbf, 0x60, 0x6f, 0x4b, 0x6d, 0xb8, 0x06, 0x85, 0x28, 0xf7, + 0xc7, 0x0f, 0x29, 0x21, 0x02, 0x81, 0x80, 0x0e, 0xd4, 0x7a, 0xe0, 0x5b, 0x27, 0x5a, 0x23, 0xa7, + 0xdf, 0xe3, 0xff, 0xb7, 0x27, 0xe3, 0xa2, 0x68, 0xe6, 0x26, 0xa5, 0x9d, 0x40, 0x1d, 0x2d, 0x84, + 0x6d, 0xe2, 0x69, 0x54, 0xff, 0x54, 0xfc, 0x9e, 0xd9, 0x3a, 0x9a, 0xf3, 0x3f, 0xac, 0x2c, 0x96, + 0x7a, 0x18, 0xe0, 0xf8, 0x61, 0x45, 0x08, 0x3e, 0x39, 0x92, 0x34, 0x54, 0xbc, 0x10, 0xda, 0x5f, + 0x49, 0x37, 0xe8, 0x36, 0xb9, 0x98, 0x51, 0x95, 0x6b, 0xff, 0xb3, 0x01, 0xce, 0x9e, 0x06, 0x78, + 0x97, 0x86, 0x69, 0x32, 0x13, 0xfc, 0xde, 0x6d, 0x5f, 0x29, 0x33, 0xd5, 0x2b, 0xb2, 0x9d, 0xc3, + 0x40, 0xea, 0x01, 0x12, 0x57, 0x78, 0x8d, 0x3c, 0x57, 0x75, 0xeb, 0x65, 0x69, 0x23, 0x0a, 0xaf, + 0xbf, 0x08, 0x75, 0x2d, 0x40, 0xa8, 0x41, 0x9d, 0xe7, 0x1b, 0x01, 0xd4, 0x92, 0x7e, 0x27, 0xc1, + 0x07, 0x9c, 0xaa, 0xda, 0x05, 0x68, 0xb1, +}; +const unsigned char test_rsa_2048_pub[] = { + 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xf7, 0xbb, 0x6b, 0x8e, 0xab, 0x40, 0x49, + 0x1c, 0xd6, 0x44, 0x55, 0xec, 0x04, 0xd4, 0xed, 0x8d, 0xb5, 0x05, 0x1a, 0x97, 0x38, 0xfc, 0x7a, + 0xf7, 0x3f, 0xf3, 0xb0, 0x97, 0x51, 0x1c, 0xce, 0x40, 0xaa, 0xf7, 0x65, 0x37, 0xb1, 0x35, 0x35, + 0x04, 0x42, 0x79, 0x86, 0xb7, 0xb2, 0xb5, 0x3a, 0x96, 0x4a, 0x69, 0x37, 0xb5, 0x58, 0xec, 0x0d, + 0x1d, 0xea, 0x27, 0x4a, 0xf2, 0xb8, 0xff, 0xf2, 0xf0, 0x94, 0xc2, 0x43, 0xfa, 0x57, 0x72, 0x66, + 0xa7, 0x9d, 0xb0, 0xc2, 0x6f, 0xfe, 0x30, 0x41, 0x6d, 0x23, 0xef, 0x05, 0xdd, 0x5f, 0xec, 0xab, + 0x41, 0x3e, 0xbb, 0xb4, 0xf8, 0x52, 0x6a, 0xe7, 0x20, 0xa9, 0x45, 0x84, 0x22, 0x6b, 0x37, 0xd9, + 0x2e, 0xf4, 0x63, 0xfc, 0x73, 0x6c, 0xb3, 0x8e, 0x53, 0x0e, 0x74, 0x88, 0xd9, 0x16, 0x2f, 0x57, + 0x26, 0x80, 0x7b, 0xc5, 0x43, 0x13, 0x8a, 0x2d, 0x25, 0x8a, 0xdb, 0x4d, 0x68, 0x02, 0x21, 0xc2, + 0x53, 0x23, 0x81, 0xcc, 0xfa, 0x81, 0xbc, 0x89, 0xbc, 0x3d, 0x7b, 0x84, 0x03, 0x9c, 0x2d, 0xf4, + 0x1c, 0xe3, 0xec, 0x8d, 0xb9, 0x1c, 0x23, 0x80, 0xe7, 0x81, 0xba, 0x3a, 0xa9, 0xe2, 0x3b, 0x74, + 0xed, 0x99, 0x73, 0xd4, 0x90, 0x8e, 0xfc, 0xa4, 0x7a, 0xa8, 0xd9, 0xb7, 0xb0, 0xa4, 0x42, 0x32, + 0x97, 0xa4, 0x04, 0x42, 0x7c, 0x3f, 0x3c, 0xd6, 0xe0, 0x78, 0x2e, 0x45, 0x53, 0x88, 0x0f, 0x06, + 0xba, 0x39, 0xa6, 0x4f, 0x4a, 0x7b, 0x0e, 0xef, 0x92, 0x1a, 0x60, 0x50, 0xa2, 0x07, 0xce, 0xfa, + 0xdc, 0xf0, 0x73, 0x94, 0xa3, 0xe1, 0x8e, 0xa9, 0x15, 0xdc, 0x84, 0x97, 0xe7, 0xae, 0x61, 0xfc, + 0x31, 0x62, 0xf6, 0x2f, 0x50, 0x65, 0xa6, 0x92, 0xaf, 0x07, 0x72, 0x66, 0xf7, 0x36, 0x0c, 0x20, + 0x76, 0xce, 0xbe, 0xaf, 0x14, 0xcb, 0x22, 0xc1, 0xed, 0x02, 0x03, 0x01, 0x00, 0x01, +}; + +const unsigned char test_rsa_4096_priv[] = { + 0x30, 0x82, 0x09, 0x29, 0x02, 0x01, 0x00, 0x02, 0x82, 0x02, 0x01, 0x00, 0xcc, 0x87, 0x25, 0xf6, + 0xb3, 0x8d, 0x5d, 0x01, 0xae, 0xeb, 0x07, 0xd3, 0x6e, 0x03, 0xde, 0x4d, 0x31, 0xa0, 0x26, 0x1c, + 0xe7, 0x4f, 0xe1, 0x1a, 0x89, 0x5e, 0xcf, 0xd1, 0x3d, 0x16, 0x8a, 0xee, 0x93, 0x2a, 0xf1, 0x35, + 0xff, 0xbb, 0x84, 0x98, 0x77, 0x27, 0x38, 0x97, 0x08, 0x1f, 0x3f, 0x75, 0x93, 0xc1, 0x4a, 0xe8, + 0x2b, 0xc2, 0x66, 0xc1, 0x05, 0x44, 0xf7, 0x26, 0xae, 0x1c, 0xcf, 0x13, 0x3d, 0x8a, 0x40, 0x18, + 0xd3, 0x80, 0xdf, 0xa2, 0x52, 0x51, 0xc0, 0x11, 0x10, 0x7b, 0x75, 0x13, 0xa9, 0x43, 0x34, 0x6a, + 0xa0, 0xe0, 0xde, 0xc1, 0x1d, 0x8d, 0x7f, 0xa2, 0x56, 0x44, 0x65, 0x3c, 0x11, 0x8d, 0xaa, 0xbc, + 0xe6, 0xd4, 0x1f, 0x06, 0x6f, 0x66, 0x21, 0x76, 0x88, 0x01, 0x47, 0x80, 0x55, 0x78, 0x0e, 0x91, + 0xb6, 0x8e, 0xa3, 0xc9, 0x58, 0x56, 0xd1, 0x72, 0xa8, 0x90, 0x32, 0xb3, 0x9c, 0x82, 0x4e, 0x8b, + 0x7d, 0xc1, 0xa3, 0xf8, 0xae, 0xe4, 0xf6, 0xb3, 0x68, 0xba, 0xa3, 0xcd, 0x68, 0xf5, 0x0d, 0x52, + 0x68, 0x01, 0x17, 0xe9, 0xb9, 0x13, 0xd7, 0xf8, 0xc8, 0x52, 0xa0, 0xd1, 0x00, 0x8e, 0x8b, 0x87, + 0xa5, 0xc9, 0x7e, 0x37, 0xaf, 0xc1, 0x1a, 0x08, 0x05, 0x50, 0x55, 0x7b, 0x8b, 0x4d, 0xcb, 0xd8, + 0xe1, 0x92, 0xed, 0x33, 0x66, 0xd8, 0x3a, 0x09, 0xd2, 0x7c, 0x77, 0xe1, 0x50, 0xf6, 0x68, 0x55, + 0xb5, 0xdc, 0xfd, 0xb2, 0xdf, 0x15, 0x1b, 0xd7, 0xf4, 0x44, 0x25, 0x0e, 0xaf, 0x6f, 0xe3, 0xf2, + 0x36, 0x82, 0x6c, 0x81, 0xfa, 0x84, 0x81, 0x01, 0xbf, 0xaa, 0xd5, 0x35, 0xff, 0xb5, 0x22, 0xd6, + 0xff, 0x97, 0xc9, 0xdd, 0x1e, 0x43, 0xb8, 0x2c, 0xce, 0x29, 0x21, 0xd1, 0x53, 0xc1, 0x54, 0x50, + 0xc4, 0x72, 0x4f, 0xfd, 0x3e, 0xfd, 0xca, 0x57, 0x8e, 0x01, 0x36, 0x50, 0xa0, 0x3a, 0x5c, 0xf5, + 0x01, 0xfc, 0x58, 0x60, 0x0f, 0xb5, 0xc8, 0x60, 0xc0, 0xef, 0x0c, 0xfe, 0x0a, 0xc0, 0x71, 0x2d, + 0x44, 0x13, 0x13, 0xdc, 0xa4, 0x1a, 0x4d, 0x7d, 0x41, 0x1e, 0x6c, 0x83, 0xb2, 0x15, 0x17, 0x49, + 0xd2, 0x8b, 0xe4, 0x69, 0x2f, 0x62, 0x37, 0x3d, 0xb0, 0x7e, 0x4a, 0x79, 0x05, 0x1c, 0x56, 0x82, + 0xec, 0x20, 0xd4, 0x91, 0xc4, 0xcf, 0xc7, 0xbc, 0x14, 0x0f, 0x35, 0xfa, 0x15, 0xe5, 0xa1, 0xfa, + 0x75, 0x6d, 0x65, 0xb8, 0xef, 0x93, 0xad, 0xdf, 0x4c, 0x47, 0xc4, 0xa3, 0x5b, 0x18, 0x4f, 0x22, + 0xa1, 0xef, 0x08, 0x99, 0x48, 0xf9, 0x46, 0xf6, 0xfa, 0xeb, 0x64, 0x70, 0xf2, 0x67, 0x46, 0xe6, + 0x58, 0xcf, 0x9b, 0x41, 0x77, 0x41, 0x78, 0x42, 0xe6, 0xd3, 0x73, 0x55, 0x80, 0x89, 0xaf, 0xf7, + 0x21, 0xb9, 0x30, 0xe9, 0xec, 0x61, 0xb4, 0xf6, 0xa0, 0x2c, 0x05, 0x2c, 0x69, 0x24, 0xd3, 0x9a, + 0x5b, 0xbb, 0x15, 0xed, 0x11, 0x06, 0xc4, 0x01, 0x0f, 0x4d, 0xd6, 0x9c, 0x79, 0xd0, 0x42, 0xc8, + 0xb3, 0x16, 0x61, 0xb1, 0xee, 0x48, 0x6b, 0xc6, 0x9d, 0xb5, 0xf2, 0xf0, 0x7a, 0x50, 0xd8, 0x5b, + 0x20, 0x69, 0x9d, 0x60, 0x13, 0x15, 0x62, 0x5b, 0xb8, 0x69, 0x62, 0x9c, 0x7f, 0x4c, 0x5d, 0x48, + 0xb2, 0x11, 0xd0, 0x97, 0xf4, 0x38, 0xac, 0xec, 0x95, 0x97, 0x3a, 0x38, 0xd4, 0x21, 0x09, 0x0a, + 0xf0, 0xf1, 0x34, 0x84, 0xe4, 0xe9, 0x4b, 0x8c, 0xb5, 0xef, 0xc1, 0x85, 0x07, 0xf4, 0xb9, 0x31, + 0xdf, 0x39, 0x98, 0x7f, 0xfb, 0x28, 0x30, 0x29, 0x3e, 0x4d, 0xa3, 0x81, 0xaa, 0xf7, 0x0b, 0x32, + 0x92, 0x95, 0x2e, 0xf9, 0x34, 0xe2, 0xb4, 0x0f, 0xde, 0xbb, 0xa3, 0xd9, 0x70, 0x1b, 0x76, 0xe1, + 0xbe, 0x54, 0x82, 0x74, 0xb2, 0x60, 0x2d, 0x88, 0x85, 0x37, 0x48, 0x2d, 0x02, 0x03, 0x01, 0x00, + 0x01, 0x02, 0x82, 0x02, 0x00, 0x1a, 0x94, 0x3e, 0x9c, 0x00, 0x89, 0xf0, 0xaa, 0x01, 0x16, 0x04, + 0x8a, 0x96, 0xab, 0xb4, 0x86, 0x32, 0x1a, 0x86, 0x91, 0x6f, 0x82, 0xfb, 0x35, 0x24, 0x60, 0x78, + 0x9f, 0xcf, 0xb1, 0x40, 0x05, 0x50, 0x85, 0x3e, 0x5a, 0xfe, 0xdc, 0x9a, 0xd6, 0xe8, 0x77, 0x25, + 0x9c, 0xc4, 0xfe, 0xb0, 0x93, 0xc2, 0x4b, 0x96, 0x85, 0x34, 0xf8, 0x9a, 0xbb, 0x5f, 0x48, 0xae, + 0xd8, 0xad, 0x3c, 0x4b, 0xb1, 0xcb, 0xa7, 0xcd, 0x7c, 0x1c, 0x72, 0x4d, 0x3d, 0xae, 0x36, 0x77, + 0x00, 0x10, 0xb5, 0x06, 0x8a, 0x33, 0x4f, 0x2b, 0x3e, 0xe7, 0x20, 0xc9, 0xf9, 0xed, 0x32, 0x00, + 0x01, 0xf3, 0xf5, 0x87, 0xf5, 0x66, 0x2f, 0x93, 0x9e, 0x60, 0x5d, 0xf5, 0x19, 0x34, 0x3d, 0x60, + 0xc0, 0x63, 0x5c, 0xcd, 0x32, 0xb1, 0x88, 0xbc, 0x55, 0xf5, 0xd4, 0x34, 0x17, 0x3c, 0x9e, 0x6d, + 0xb2, 0x19, 0x93, 0x41, 0xaf, 0x83, 0x39, 0x90, 0xe5, 0x02, 0x46, 0xf9, 0x9c, 0xdd, 0xf7, 0x9d, + 0xd2, 0xc3, 0x5b, 0xab, 0xe1, 0x4c, 0x10, 0x3a, 0x76, 0xb8, 0xd2, 0xd9, 0x8d, 0x73, 0x52, 0x8f, + 0x98, 0xc2, 0x49, 0xb0, 0xa1, 0xf0, 0x91, 0x55, 0xb3, 0x1f, 0x59, 0x9f, 0xc8, 0x33, 0x54, 0x24, + 0x22, 0xa2, 0x34, 0x26, 0x23, 0xbb, 0xbe, 0xf4, 0xac, 0x7e, 0xe6, 0x05, 0xe2, 0xcd, 0xec, 0xf0, + 0x1f, 0xea, 0x25, 0x68, 0x3b, 0xd4, 0xf6, 0x6c, 0xa9, 0x24, 0xcc, 0xef, 0x00, 0x41, 0x8a, 0xdf, + 0xf7, 0x30, 0xc4, 0x71, 0x4f, 0x66, 0xff, 0xa2, 0xaf, 0x0d, 0xa3, 0xe5, 0xdf, 0x7f, 0x53, 0x9c, + 0x63, 0x42, 0x89, 0xfc, 0x12, 0xbc, 0x24, 0x09, 0x3e, 0xc8, 0xf0, 0xec, 0x18, 0x0a, 0xf0, 0x90, + 0x7c, 0xec, 0x1e, 0xbe, 0xc9, 0x11, 0xfa, 0x18, 0x0f, 0xb5, 0xf3, 0xc8, 0x0e, 0xd8, 0x52, 0x89, + 0x6a, 0xd6, 0xe6, 0xb3, 0xec, 0xcb, 0x44, 0xde, 0x62, 0x19, 0x3d, 0x52, 0x11, 0x8c, 0xab, 0x2b, + 0x17, 0x10, 0x71, 0xd5, 0xfd, 0xaa, 0x7c, 0x42, 0x88, 0xfc, 0x77, 0x66, 0xd5, 0x77, 0x74, 0xf4, + 0xbe, 0x46, 0x15, 0x1b, 0xb9, 0x0a, 0xce, 0x7c, 0x10, 0xc2, 0x15, 0xf6, 0x2e, 0xd2, 0x6e, 0x52, + 0xe6, 0x12, 0x24, 0x36, 0xf5, 0x32, 0xbd, 0x54, 0xfc, 0x08, 0x27, 0x2a, 0xdb, 0x21, 0x6a, 0x2d, + 0xb4, 0x33, 0xd5, 0x69, 0x9c, 0x40, 0xad, 0x58, 0xfa, 0xa2, 0x66, 0x08, 0x98, 0xff, 0xcc, 0xfc, + 0x98, 0x00, 0x2f, 0x8b, 0xb0, 0x36, 0x1b, 0x4c, 0xf9, 0xed, 0x6e, 0x93, 0xc1, 0xca, 0x96, 0xd3, + 0x4a, 0x1e, 0xf4, 0x04, 0x60, 0xf8, 0x59, 0x18, 0xcf, 0xde, 0x4a, 0x81, 0x93, 0xb5, 0x1e, 0xce, + 0xa4, 0xb3, 0x90, 0x3c, 0xae, 0x92, 0x4a, 0x8f, 0xad, 0x5f, 0x83, 0x08, 0x95, 0x4c, 0x9f, 0x19, + 0xa7, 0x59, 0x7b, 0xf0, 0xa7, 0x51, 0x26, 0xa5, 0x57, 0xe4, 0x9f, 0x8b, 0xbd, 0x31, 0xfc, 0x4e, + 0x85, 0x56, 0xf2, 0x30, 0x64, 0x0b, 0xf3, 0x62, 0x04, 0xc6, 0xcf, 0x3d, 0x56, 0xdc, 0xa5, 0xa4, + 0x1d, 0x86, 0x03, 0x07, 0xba, 0x67, 0x05, 0xa6, 0x98, 0x68, 0x11, 0x00, 0xa3, 0x27, 0xf9, 0x17, + 0x39, 0xc4, 0x86, 0xc4, 0x70, 0xba, 0x71, 0xd0, 0x3d, 0x28, 0x53, 0x14, 0xb0, 0xd7, 0xd0, 0x40, + 0x08, 0xe0, 0x3f, 0x2a, 0x2b, 0x85, 0xe7, 0xc2, 0x43, 0xd6, 0xfd, 0x9b, 0x97, 0xa0, 0x21, 0x68, + 0xc0, 0x69, 0xec, 0x57, 0x2d, 0x3f, 0x0c, 0xa1, 0x5e, 0xbc, 0xb1, 0x73, 0x9f, 0x3a, 0x0b, 0x3c, + 0x14, 0x7a, 0x88, 0xe0, 0xb7, 0x4f, 0x45, 0xa0, 0x07, 0xae, 0x92, 0x7d, 0x6f, 0x82, 0x2b, 0xf5, + 0x0b, 0x87, 0xb1, 0xe9, 0x3f, 0xe7, 0xd9, 0x18, 0x0b, 0xc6, 0xbc, 0x12, 0xbd, 0xe6, 0xc8, 0x07, + 0x0d, 0x10, 0xc9, 0x73, 0x31, 0x02, 0x82, 0x01, 0x01, 0x00, 0xf5, 0x0e, 0xbc, 0xea, 0xc9, 0xd3, + 0xc6, 0x44, 0x82, 0xa8, 0xc2, 0x65, 0xd6, 0x36, 0x54, 0x61, 0xaa, 0x4a, 0x31, 0xa6, 0xa7, 0x63, + 0x3a, 0x24, 0xc8, 0xe3, 0x47, 0x94, 0xec, 0xdf, 0xca, 0xb1, 0xd6, 0xb5, 0x2f, 0xb6, 0xa5, 0xf3, + 0x80, 0x55, 0xcc, 0x32, 0xd6, 0xa6, 0x1b, 0x88, 0x95, 0x50, 0xde, 0x27, 0xb3, 0xd0, 0xbd, 0x68, + 0xb6, 0xd4, 0xfd, 0xa0, 0x41, 0x59, 0x8a, 0xb9, 0x88, 0x87, 0x14, 0x39, 0x88, 0x57, 0x68, 0x06, + 0xb1, 0xc4, 0x87, 0x20, 0x79, 0x49, 0x02, 0x95, 0x2e, 0xbe, 0x1b, 0xf0, 0xde, 0xf6, 0x5a, 0x0e, + 0x6f, 0x94, 0x06, 0x70, 0x56, 0xe6, 0x86, 0x4f, 0xa2, 0x88, 0x2e, 0x3a, 0x16, 0xf2, 0x46, 0x28, + 0x20, 0x93, 0xd0, 0x37, 0x63, 0x90, 0x78, 0x18, 0x2d, 0xd0, 0xa6, 0xeb, 0x21, 0xd3, 0xba, 0xd0, + 0x63, 0x79, 0x01, 0xa2, 0x68, 0xb1, 0x4c, 0x63, 0x2c, 0x9d, 0x0b, 0x16, 0x90, 0xed, 0x88, 0xab, + 0xdd, 0xe0, 0x3f, 0x52, 0x82, 0x47, 0xaa, 0x2e, 0x41, 0x55, 0x7d, 0x08, 0x65, 0xad, 0x34, 0xe5, + 0x3f, 0xf5, 0x3a, 0xe0, 0xe5, 0xde, 0xa1, 0x95, 0xd9, 0x3f, 0xe6, 0x5c, 0x25, 0x87, 0x1f, 0x6f, + 0x23, 0xad, 0xf3, 0x4b, 0x6e, 0x96, 0x0c, 0x29, 0x78, 0xf2, 0xb7, 0x47, 0x5d, 0xaf, 0xce, 0x6c, + 0xbb, 0x26, 0xa5, 0x39, 0x34, 0xd2, 0x6c, 0x19, 0x3d, 0x67, 0xf3, 0x2d, 0xe9, 0x10, 0x35, 0xee, + 0xb8, 0x90, 0x22, 0xbe, 0xb7, 0xd5, 0xdf, 0x78, 0x4a, 0xc2, 0x0c, 0xa6, 0xab, 0x91, 0xbf, 0x6b, + 0x77, 0x5b, 0x6c, 0x94, 0x16, 0xf6, 0x05, 0xb4, 0x84, 0x17, 0x36, 0xcb, 0xfb, 0xd2, 0x2a, 0xd9, + 0x8a, 0xb2, 0xe8, 0x42, 0x84, 0x57, 0xe0, 0x79, 0x3f, 0x5a, 0xf4, 0x0e, 0x55, 0x0b, 0x48, 0x76, + 0x5d, 0x59, 0xe6, 0xe1, 0xb4, 0xa4, 0xa1, 0xf5, 0x71, 0xf1, 0x02, 0x82, 0x01, 0x01, 0x00, 0xd5, + 0xa9, 0x1d, 0x4d, 0x44, 0xbb, 0x9b, 0x73, 0xc1, 0xfe, 0x02, 0x48, 0x92, 0x5e, 0x2c, 0x0e, 0xc1, + 0xde, 0x51, 0x39, 0x0b, 0xd8, 0xa7, 0x3b, 0x45, 0x3d, 0xa5, 0x1a, 0xe2, 0x93, 0x25, 0xae, 0x76, + 0x57, 0x08, 0x9f, 0xd4, 0xee, 0x4a, 0x2f, 0xd9, 0x6e, 0x34, 0x5b, 0x57, 0xf6, 0x72, 0xd7, 0xd4, + 0x84, 0xfd, 0xe9, 0x91, 0x89, 0xab, 0x0a, 0x63, 0x65, 0xbf, 0x2b, 0x38, 0x68, 0x0d, 0x6b, 0xb9, + 0x47, 0xf4, 0xb2, 0x17, 0xbe, 0x66, 0x03, 0x23, 0xc2, 0x6b, 0x86, 0xd6, 0x43, 0xae, 0x68, 0x6d, + 0x82, 0xe3, 0x6e, 0xc0, 0x0c, 0xfd, 0x03, 0x89, 0x42, 0x44, 0x3c, 0xaa, 0x04, 0xa0, 0xf9, 0x1e, + 0x68, 0xec, 0x71, 0x79, 0x35, 0xb4, 0x5e, 0x79, 0x03, 0x11, 0xbe, 0x56, 0x44, 0x0d, 0x71, 0x76, + 0x94, 0x95, 0x94, 0x68, 0x8e, 0xd1, 0xdd, 0x5c, 0x91, 0x03, 0xc5, 0x7c, 0x15, 0x8d, 0x05, 0xe4, + 0xc3, 0x7b, 0x98, 0xd8, 0x18, 0x98, 0x03, 0x07, 0x44, 0xa6, 0x4f, 0x6e, 0xbd, 0xbf, 0x75, 0x0a, + 0xab, 0x79, 0x75, 0x7e, 0x34, 0xda, 0xc4, 0x22, 0x16, 0x3e, 0xa7, 0xc0, 0xf4, 0x2b, 0x97, 0x71, + 0x0c, 0x86, 0x19, 0x78, 0xb2, 0x41, 0x00, 0x38, 0x5a, 0xad, 0x72, 0x7e, 0x5f, 0x38, 0x36, 0xa7, + 0x4e, 0xa4, 0xbf, 0x1d, 0x36, 0xef, 0x2a, 0x5e, 0xdf, 0x9c, 0x9e, 0x8f, 0x99, 0x6e, 0xf3, 0x19, + 0x13, 0x48, 0x45, 0x0e, 0xa9, 0xf1, 0xd4, 0xa6, 0x3d, 0xb2, 0x9c, 0xb0, 0x6f, 0x63, 0xe5, 0xba, + 0xdb, 0x18, 0xe4, 0xd4, 0x0f, 0x51, 0x12, 0xb6, 0x58, 0xd1, 0xcc, 0x23, 0xcb, 0x65, 0x38, 0x8a, + 0xca, 0x03, 0xd1, 0x41, 0xa6, 0xbc, 0x5f, 0xbd, 0x94, 0x29, 0xfe, 0x33, 0xd3, 0x40, 0xd3, 0xe8, + 0x5b, 0xfa, 0x84, 0x89, 0x08, 0xd6, 0x0b, 0x56, 0x2f, 0x89, 0x4e, 0x8a, 0x33, 0x7d, 0xfd, 0x02, + 0x82, 0x01, 0x01, 0x00, 0xc4, 0x95, 0x0f, 0x0d, 0x95, 0xdc, 0x51, 0xd7, 0x91, 0xad, 0x09, 0x4d, + 0x22, 0x3b, 0x31, 0x13, 0xab, 0xc4, 0x9a, 0xf1, 0xe2, 0xa3, 0x61, 0xf8, 0x32, 0x42, 0xc8, 0xa0, + 0x7a, 0x28, 0xc8, 0x74, 0x43, 0x15, 0xd3, 0xf1, 0xc4, 0x4c, 0x82, 0xed, 0xd0, 0xc2, 0x13, 0x98, + 0xea, 0xcb, 0x75, 0x64, 0x8a, 0xe1, 0xf4, 0x88, 0x85, 0xf9, 0x23, 0x79, 0xd6, 0xff, 0xa0, 0x8c, + 0xd1, 0x11, 0x26, 0xa9, 0x9d, 0x9a, 0xcd, 0x79, 0xb8, 0x94, 0x6e, 0x34, 0x86, 0x65, 0x91, 0x85, + 0xf5, 0x11, 0x71, 0x8e, 0xc5, 0xe1, 0x43, 0x2b, 0x02, 0x71, 0x44, 0x26, 0xcd, 0xc7, 0x7e, 0x9e, + 0xac, 0xad, 0xe3, 0x67, 0x35, 0x16, 0x1a, 0x64, 0x3d, 0xcd, 0x60, 0xdc, 0xd2, 0x92, 0x2c, 0x47, + 0xaf, 0x5f, 0x4e, 0x19, 0x6c, 0x5d, 0x81, 0x24, 0x55, 0x5f, 0x67, 0xfc, 0xa1, 0x48, 0x04, 0x8d, + 0xfe, 0x06, 0x2c, 0xba, 0xca, 0x33, 0x4f, 0x0d, 0x8d, 0xae, 0xb9, 0x6d, 0x73, 0xbe, 0x9f, 0x8e, + 0x17, 0xc1, 0xc5, 0x5d, 0x6b, 0xd0, 0xb9, 0xa7, 0xe9, 0x9f, 0xe1, 0xdf, 0xba, 0x5c, 0xc1, 0x6a, + 0x07, 0xdb, 0xaa, 0x8c, 0x6d, 0x22, 0x0c, 0x64, 0xc9, 0xdd, 0xa1, 0x14, 0xa0, 0xf0, 0x29, 0x05, + 0x2b, 0x3a, 0x75, 0xb0, 0xd7, 0x3f, 0xe3, 0xb2, 0xed, 0x78, 0x21, 0xe5, 0xcd, 0x73, 0x07, 0xa1, + 0xa9, 0x5f, 0xd1, 0xf7, 0xba, 0x87, 0x60, 0xc8, 0x45, 0x4b, 0x7c, 0x38, 0xfb, 0xf6, 0x5c, 0x88, + 0xb0, 0x1c, 0xd2, 0x73, 0xba, 0x2c, 0x55, 0xc3, 0xb4, 0x77, 0xe4, 0x26, 0xae, 0x02, 0x5a, 0x2c, + 0xff, 0xc4, 0xa0, 0x95, 0xf2, 0xba, 0x4e, 0x07, 0x79, 0xa2, 0x4b, 0x76, 0x5b, 0x85, 0x48, 0x9f, + 0x2a, 0x0e, 0x79, 0xb9, 0x5f, 0xc0, 0xc3, 0x8e, 0x2a, 0x91, 0xf1, 0x2e, 0xf6, 0x5c, 0xa7, 0x49, + 0xce, 0x36, 0x94, 0x31, 0x02, 0x82, 0x01, 0x00, 0x2a, 0xa4, 0x8e, 0x0c, 0x95, 0xe3, 0x3b, 0xab, + 0x66, 0xd4, 0x63, 0x70, 0x48, 0x86, 0x33, 0x14, 0xde, 0xec, 0x98, 0x19, 0x62, 0x9b, 0xe3, 0x04, + 0x99, 0x55, 0x2c, 0x56, 0xa9, 0x51, 0xe4, 0xfb, 0x64, 0xf3, 0x09, 0xed, 0x9c, 0x79, 0xd2, 0xa4, + 0xaa, 0x28, 0xac, 0x9a, 0x6e, 0x7b, 0xe9, 0x7f, 0xda, 0x12, 0x90, 0xfa, 0xc4, 0xe9, 0x4d, 0x11, + 0xcd, 0xb4, 0xc8, 0xea, 0xbf, 0x5f, 0x45, 0x0e, 0x72, 0xf4, 0x41, 0x8a, 0x29, 0xe2, 0xfe, 0x49, + 0x32, 0x21, 0xe3, 0x84, 0x0d, 0xcf, 0x84, 0x47, 0xa3, 0x53, 0xb4, 0x40, 0xae, 0x63, 0xe9, 0x3b, + 0x83, 0x71, 0x8e, 0x5c, 0xed, 0x31, 0xef, 0x4e, 0xc9, 0x1a, 0xf7, 0xd5, 0xcd, 0xf3, 0x42, 0x04, + 0x78, 0xf2, 0x7b, 0xe0, 0x19, 0x27, 0x8b, 0xe7, 0x51, 0x5b, 0x66, 0x5f, 0x30, 0x5f, 0x10, 0xd3, + 0xb5, 0x5d, 0xdb, 0xfa, 0xd6, 0x41, 0x16, 0xdc, 0x4e, 0x44, 0x15, 0xae, 0xf3, 0xb2, 0x34, 0xe4, + 0xa5, 0xd6, 0xb5, 0xba, 0xb4, 0xc7, 0x7a, 0x26, 0xc9, 0xf2, 0x5f, 0x53, 0x6b, 0xd4, 0xf0, 0xb4, + 0xa4, 0x78, 0xfc, 0x18, 0x4f, 0x12, 0x6c, 0x80, 0xd5, 0x37, 0x42, 0xac, 0x62, 0xc2, 0x70, 0xe6, + 0xb2, 0x58, 0xa6, 0xb5, 0x6b, 0x33, 0x65, 0xec, 0xc2, 0x87, 0x97, 0xa9, 0xed, 0x12, 0xc1, 0xb9, + 0x1b, 0x26, 0x56, 0x03, 0xef, 0x75, 0x18, 0x07, 0xbc, 0xc1, 0x74, 0x73, 0x13, 0xf2, 0x27, 0x29, + 0xe1, 0xe3, 0xfe, 0x79, 0xf7, 0x5c, 0xc3, 0xfb, 0x5d, 0xc7, 0xcc, 0xb8, 0x1e, 0xfa, 0xcf, 0x9b, + 0x84, 0x79, 0x45, 0xa6, 0x10, 0x9e, 0xcf, 0x9c, 0xf1, 0x56, 0x50, 0x5c, 0xbb, 0x55, 0xa3, 0xd3, + 0x17, 0xeb, 0x32, 0x56, 0x61, 0xd1, 0x8f, 0xe6, 0xbb, 0x41, 0x60, 0x46, 0x83, 0x73, 0x18, 0x05, + 0x3b, 0x36, 0x51, 0x99, 0x33, 0x4c, 0x03, 0xa1, 0x02, 0x82, 0x01, 0x01, 0x00, 0xee, 0x63, 0x70, + 0x60, 0x30, 0xa4, 0xec, 0xe9, 0xfe, 0x3b, 0xdd, 0xcf, 0xc4, 0x9f, 0x5a, 0x83, 0xf3, 0x7f, 0x63, + 0xeb, 0xcb, 0x29, 0xdb, 0xdc, 0x99, 0x9f, 0x6f, 0xf5, 0x4b, 0x59, 0x6f, 0x11, 0x5c, 0xf1, 0xec, + 0xa0, 0x99, 0x90, 0x10, 0x8a, 0x43, 0x95, 0x18, 0xe9, 0x96, 0xf6, 0x89, 0xfd, 0xde, 0x89, 0xb2, + 0xc6, 0x7e, 0xdc, 0x04, 0xbf, 0x8e, 0x36, 0x67, 0x34, 0xc2, 0xae, 0x30, 0x17, 0xec, 0x14, 0xe0, + 0x42, 0x05, 0x0e, 0x7c, 0x65, 0x68, 0x40, 0x14, 0x6c, 0xa0, 0x48, 0x39, 0x4d, 0xce, 0xbe, 0x90, + 0xdd, 0x21, 0x95, 0x34, 0x9b, 0xba, 0xd3, 0x06, 0x56, 0x90, 0x31, 0xb2, 0xef, 0x6e, 0x91, 0x71, + 0xd2, 0xae, 0x77, 0x97, 0xc8, 0x84, 0x4e, 0x54, 0x83, 0x94, 0xca, 0x3b, 0x76, 0x8d, 0x84, 0x96, + 0xe9, 0x9e, 0xf6, 0x3a, 0xbb, 0x59, 0xb0, 0xff, 0x7f, 0xc7, 0x0e, 0xb5, 0x31, 0x53, 0xdd, 0x0f, + 0x59, 0x01, 0x8a, 0x27, 0x5a, 0xcb, 0xa7, 0x01, 0xf2, 0xc7, 0x6a, 0x15, 0xc8, 0x94, 0xf5, 0x34, + 0x61, 0xfe, 0xdf, 0x65, 0xbc, 0x25, 0xc2, 0xc5, 0xce, 0xc3, 0x96, 0xe5, 0x56, 0xa1, 0xa9, 0x19, + 0xbc, 0x7a, 0x05, 0x63, 0x93, 0xd5, 0x06, 0x44, 0x12, 0x6d, 0xcd, 0xef, 0x92, 0x56, 0x64, 0x2e, + 0x65, 0xa6, 0x04, 0x3c, 0xbc, 0xe9, 0x49, 0x7e, 0x19, 0x2c, 0xf2, 0xcb, 0x33, 0x64, 0x8e, 0x11, + 0x7f, 0x41, 0xdb, 0xf0, 0x19, 0x00, 0xac, 0xb9, 0x3b, 0x0c, 0x78, 0xdd, 0xf3, 0x1f, 0x38, 0x1f, + 0x4d, 0xb3, 0xf9, 0xcc, 0xbb, 0xb6, 0x90, 0x93, 0xda, 0xbf, 0x2e, 0x89, 0xdb, 0xbc, 0x0c, 0xb7, + 0x2f, 0x20, 0xc0, 0x05, 0xa2, 0x51, 0x9e, 0x3a, 0x87, 0x41, 0x46, 0x49, 0x5d, 0x7a, 0xac, 0xf3, + 0x41, 0x6a, 0x42, 0x2e, 0x56, 0x09, 0x86, 0xf2, 0x2f, 0x39, 0x45, 0x6e, 0x7f, +}; +const unsigned char test_rsa_4096_pub[] = { + 0x30, 0x82, 0x02, 0x0a, 0x02, 0x82, 0x02, 0x01, 0x00, 0xcc, 0x87, 0x25, 0xf6, 0xb3, 0x8d, 0x5d, + 0x01, 0xae, 0xeb, 0x07, 0xd3, 0x6e, 0x03, 0xde, 0x4d, 0x31, 0xa0, 0x26, 0x1c, 0xe7, 0x4f, 0xe1, + 0x1a, 0x89, 0x5e, 0xcf, 0xd1, 0x3d, 0x16, 0x8a, 0xee, 0x93, 0x2a, 0xf1, 0x35, 0xff, 0xbb, 0x84, + 0x98, 0x77, 0x27, 0x38, 0x97, 0x08, 0x1f, 0x3f, 0x75, 0x93, 0xc1, 0x4a, 0xe8, 0x2b, 0xc2, 0x66, + 0xc1, 0x05, 0x44, 0xf7, 0x26, 0xae, 0x1c, 0xcf, 0x13, 0x3d, 0x8a, 0x40, 0x18, 0xd3, 0x80, 0xdf, + 0xa2, 0x52, 0x51, 0xc0, 0x11, 0x10, 0x7b, 0x75, 0x13, 0xa9, 0x43, 0x34, 0x6a, 0xa0, 0xe0, 0xde, + 0xc1, 0x1d, 0x8d, 0x7f, 0xa2, 0x56, 0x44, 0x65, 0x3c, 0x11, 0x8d, 0xaa, 0xbc, 0xe6, 0xd4, 0x1f, + 0x06, 0x6f, 0x66, 0x21, 0x76, 0x88, 0x01, 0x47, 0x80, 0x55, 0x78, 0x0e, 0x91, 0xb6, 0x8e, 0xa3, + 0xc9, 0x58, 0x56, 0xd1, 0x72, 0xa8, 0x90, 0x32, 0xb3, 0x9c, 0x82, 0x4e, 0x8b, 0x7d, 0xc1, 0xa3, + 0xf8, 0xae, 0xe4, 0xf6, 0xb3, 0x68, 0xba, 0xa3, 0xcd, 0x68, 0xf5, 0x0d, 0x52, 0x68, 0x01, 0x17, + 0xe9, 0xb9, 0x13, 0xd7, 0xf8, 0xc8, 0x52, 0xa0, 0xd1, 0x00, 0x8e, 0x8b, 0x87, 0xa5, 0xc9, 0x7e, + 0x37, 0xaf, 0xc1, 0x1a, 0x08, 0x05, 0x50, 0x55, 0x7b, 0x8b, 0x4d, 0xcb, 0xd8, 0xe1, 0x92, 0xed, + 0x33, 0x66, 0xd8, 0x3a, 0x09, 0xd2, 0x7c, 0x77, 0xe1, 0x50, 0xf6, 0x68, 0x55, 0xb5, 0xdc, 0xfd, + 0xb2, 0xdf, 0x15, 0x1b, 0xd7, 0xf4, 0x44, 0x25, 0x0e, 0xaf, 0x6f, 0xe3, 0xf2, 0x36, 0x82, 0x6c, + 0x81, 0xfa, 0x84, 0x81, 0x01, 0xbf, 0xaa, 0xd5, 0x35, 0xff, 0xb5, 0x22, 0xd6, 0xff, 0x97, 0xc9, + 0xdd, 0x1e, 0x43, 0xb8, 0x2c, 0xce, 0x29, 0x21, 0xd1, 0x53, 0xc1, 0x54, 0x50, 0xc4, 0x72, 0x4f, + 0xfd, 0x3e, 0xfd, 0xca, 0x57, 0x8e, 0x01, 0x36, 0x50, 0xa0, 0x3a, 0x5c, 0xf5, 0x01, 0xfc, 0x58, + 0x60, 0x0f, 0xb5, 0xc8, 0x60, 0xc0, 0xef, 0x0c, 0xfe, 0x0a, 0xc0, 0x71, 0x2d, 0x44, 0x13, 0x13, + 0xdc, 0xa4, 0x1a, 0x4d, 0x7d, 0x41, 0x1e, 0x6c, 0x83, 0xb2, 0x15, 0x17, 0x49, 0xd2, 0x8b, 0xe4, + 0x69, 0x2f, 0x62, 0x37, 0x3d, 0xb0, 0x7e, 0x4a, 0x79, 0x05, 0x1c, 0x56, 0x82, 0xec, 0x20, 0xd4, + 0x91, 0xc4, 0xcf, 0xc7, 0xbc, 0x14, 0x0f, 0x35, 0xfa, 0x15, 0xe5, 0xa1, 0xfa, 0x75, 0x6d, 0x65, + 0xb8, 0xef, 0x93, 0xad, 0xdf, 0x4c, 0x47, 0xc4, 0xa3, 0x5b, 0x18, 0x4f, 0x22, 0xa1, 0xef, 0x08, + 0x99, 0x48, 0xf9, 0x46, 0xf6, 0xfa, 0xeb, 0x64, 0x70, 0xf2, 0x67, 0x46, 0xe6, 0x58, 0xcf, 0x9b, + 0x41, 0x77, 0x41, 0x78, 0x42, 0xe6, 0xd3, 0x73, 0x55, 0x80, 0x89, 0xaf, 0xf7, 0x21, 0xb9, 0x30, + 0xe9, 0xec, 0x61, 0xb4, 0xf6, 0xa0, 0x2c, 0x05, 0x2c, 0x69, 0x24, 0xd3, 0x9a, 0x5b, 0xbb, 0x15, + 0xed, 0x11, 0x06, 0xc4, 0x01, 0x0f, 0x4d, 0xd6, 0x9c, 0x79, 0xd0, 0x42, 0xc8, 0xb3, 0x16, 0x61, + 0xb1, 0xee, 0x48, 0x6b, 0xc6, 0x9d, 0xb5, 0xf2, 0xf0, 0x7a, 0x50, 0xd8, 0x5b, 0x20, 0x69, 0x9d, + 0x60, 0x13, 0x15, 0x62, 0x5b, 0xb8, 0x69, 0x62, 0x9c, 0x7f, 0x4c, 0x5d, 0x48, 0xb2, 0x11, 0xd0, + 0x97, 0xf4, 0x38, 0xac, 0xec, 0x95, 0x97, 0x3a, 0x38, 0xd4, 0x21, 0x09, 0x0a, 0xf0, 0xf1, 0x34, + 0x84, 0xe4, 0xe9, 0x4b, 0x8c, 0xb5, 0xef, 0xc1, 0x85, 0x07, 0xf4, 0xb9, 0x31, 0xdf, 0x39, 0x98, + 0x7f, 0xfb, 0x28, 0x30, 0x29, 0x3e, 0x4d, 0xa3, 0x81, 0xaa, 0xf7, 0x0b, 0x32, 0x92, 0x95, 0x2e, + 0xf9, 0x34, 0xe2, 0xb4, 0x0f, 0xde, 0xbb, 0xa3, 0xd9, 0x70, 0x1b, 0x76, 0xe1, 0xbe, 0x54, 0x82, + 0x74, 0xb2, 0x60, 0x2d, 0x88, 0x85, 0x37, 0x48, 0x2d, 0x02, 0x03, 0x01, 0x00, 0x01, +}; + +struct predefined_key_element { + int group_id; // EC group ID; 0 for RSA keys + int keybits; // bits size of RSA key; 0 for EC keys + const unsigned char *priv_key; + size_t priv_key_len; + const unsigned char *pub_key; + size_t pub_key_len; +}; + +struct predefined_key_element predefined_keys[] = { + { MBEDTLS_ECP_DP_BP256R1, 0, + test_ec_bp256r1_priv, sizeof(test_ec_bp256r1_priv), + test_ec_bp256r1_pub, sizeof(test_ec_bp256r1_pub) }, + { MBEDTLS_ECP_DP_BP384R1, 0, + test_ec_bp384r1_priv, sizeof(test_ec_bp384r1_priv), + test_ec_bp384r1_pub, sizeof(test_ec_bp384r1_pub) }, + { MBEDTLS_ECP_DP_BP512R1, 0, + test_ec_bp512r1_priv, sizeof(test_ec_bp512r1_priv), + test_ec_bp512r1_pub, sizeof(test_ec_bp512r1_pub) }, + { MBEDTLS_ECP_DP_CURVE25519, 0, + test_ec_curve25519_priv, sizeof(test_ec_curve25519_priv), + test_ec_curve25519_pub, sizeof(test_ec_curve25519_pub) }, + { MBEDTLS_ECP_DP_CURVE448, 0, + test_ec_curve448_priv, sizeof(test_ec_curve448_priv), + test_ec_curve448_pub, sizeof(test_ec_curve448_pub) }, + { MBEDTLS_ECP_DP_SECP192K1, 0, + test_ec_secp192k1_priv, sizeof(test_ec_secp192k1_priv), + test_ec_secp192k1_pub, sizeof(test_ec_secp192k1_pub) }, + { MBEDTLS_ECP_DP_SECP256K1, 0, + test_ec_secp256k1_priv, sizeof(test_ec_secp256k1_priv), + test_ec_secp256k1_pub, sizeof(test_ec_secp256k1_pub) }, + { MBEDTLS_ECP_DP_SECP192R1, 0, + test_ec_secp192r1_priv, sizeof(test_ec_secp192r1_priv), + test_ec_secp192r1_pub, sizeof(test_ec_secp192r1_pub) }, + { MBEDTLS_ECP_DP_SECP224R1, 0, + test_ec_secp224r1_priv, sizeof(test_ec_secp224r1_priv), + test_ec_secp224r1_pub, sizeof(test_ec_secp224r1_pub) }, + { MBEDTLS_ECP_DP_SECP256R1, 0, + test_ec_secp256r1_priv, sizeof(test_ec_secp256r1_priv), + test_ec_secp256r1_pub, sizeof(test_ec_secp256r1_pub) }, + { MBEDTLS_ECP_DP_SECP384R1, 0, + test_ec_secp384r1_priv, sizeof(test_ec_secp384r1_priv), + test_ec_secp384r1_pub, sizeof(test_ec_secp384r1_pub) }, + { MBEDTLS_ECP_DP_SECP521R1, 0, + test_ec_secp521r1_priv, sizeof(test_ec_secp521r1_priv), + test_ec_secp521r1_pub, sizeof(test_ec_secp521r1_pub) }, + { 0, 1024, + test_rsa_1024_priv, sizeof(test_rsa_1024_priv), + test_rsa_1024_pub, sizeof(test_rsa_1024_pub) }, + { 0, 1026, + test_rsa_1026_priv, sizeof(test_rsa_1026_priv), + test_rsa_1026_pub, sizeof(test_rsa_1026_pub) }, + { 0, 1028, + test_rsa_1028_priv, sizeof(test_rsa_1028_priv), + test_rsa_1028_pub, sizeof(test_rsa_1028_pub) }, + { 0, 1030, + test_rsa_1030_priv, sizeof(test_rsa_1030_priv), + test_rsa_1030_pub, sizeof(test_rsa_1030_pub) }, + { 0, 1536, + test_rsa_1536_priv, sizeof(test_rsa_1536_priv), + test_rsa_1536_pub, sizeof(test_rsa_1536_pub) }, + { 0, 2048, + test_rsa_2048_priv, sizeof(test_rsa_2048_priv), + test_rsa_2048_pub, sizeof(test_rsa_2048_pub) }, + { 0, 4096, + test_rsa_4096_priv, sizeof(test_rsa_4096_priv), + test_rsa_4096_pub, sizeof(test_rsa_4096_pub) }, +}; + +/* End of generated file */ diff --git a/yass/third_party/mbedtls/tests/ssl-opt.sh b/yass/third_party/mbedtls/tests/ssl-opt.sh index 5c791bed03..6afc26a112 100755 --- a/yass/third_party/mbedtls/tests/ssl-opt.sh +++ b/yass/third_party/mbedtls/tests/ssl-opt.sh @@ -29,6 +29,8 @@ if ! cd "$(dirname "$0")"; then exit 125 fi +DATA_FILES_PATH=../framework/data_files + # default values, can be overridden by the environment : ${P_SRV:=../programs/ssl/ssl_server2} : ${P_CLI:=../programs/ssl/ssl_client2} @@ -60,21 +62,47 @@ guess_config_name() { : ${MBEDTLS_TEST_OUTCOME_FILE=} : ${MBEDTLS_TEST_CONFIGURATION:="$(guess_config_name)"} : ${MBEDTLS_TEST_PLATFORM:="$(uname -s | tr -c \\n0-9A-Za-z _)-$(uname -m | tr -c \\n0-9A-Za-z _)"} -: ${EARLY_DATA_INPUT:=data_files/tls13_early_data.txt} +: ${EARLY_DATA_INPUT:="$DATA_FILES_PATH/tls13_early_data.txt"} -O_SRV="$OPENSSL s_server -www -cert data_files/server5.crt -key data_files/server5.key" +O_SRV="$OPENSSL s_server -www -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL s_client" -G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key" -G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt" +G_SRV="$GNUTLS_SERV --x509certfile $DATA_FILES_PATH/server5.crt --x509keyfile $DATA_FILES_PATH/server5.key" +G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt" TCP_CLIENT="$PERL scripts/tcp_client.pl" # alternative versions of OpenSSL and GnuTLS (no default path) +# If $OPENSSL is at least 1.1.1, use it as OPENSSL_NEXT as well. +if [ -z "${OPENSSL_NEXT:-}" ]; then + case $($OPENSSL version) in + OpenSSL\ 1.1.[1-9]*) OPENSSL_NEXT=$OPENSSL;; + OpenSSL\ [3-9]*) OPENSSL_NEXT=$OPENSSL;; + esac +fi + +# If $GNUTLS_CLI is at least 3.7, use it as GNUTLS_NEXT_CLI as well. +if [ -z "${GNUTLS_NEXT_CLI:-}" ]; then + case $($GNUTLS_CLI --version) in + gnutls-cli\ 3.[1-9][0-9]*) GNUTLS_NEXT_CLI=$GNUTLS_CLI;; + gnutls-cli\ 3.[7-9].*) GNUTLS_NEXT_CLI=$GNUTLS_CLI;; + gnutls-cli\ [4-9]*) GNUTLS_NEXT_CLI=$GNUTLS_CLI;; + esac +fi + +# If $GNUTLS_SERV is at least 3.7, use it as GNUTLS_NEXT_SERV as well. +if [ -z "${GNUTLS_NEXT_SERV:-}" ]; then + case $($GNUTLS_SERV --version) in + gnutls-cli\ 3.[1-9][0-9]*) GNUTLS_NEXT_SERV=$GNUTLS_SERV;; + gnutls-cli\ 3.[7-9].*) GNUTLS_NEXT_SERV=$GNUTLS_SERV;; + gnutls-cli\ [4-9]*) GNUTLS_NEXT_SERV=$GNUTLS_SERV;; + esac +fi + if [ -n "${OPENSSL_NEXT:-}" ]; then - O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key" - O_NEXT_SRV_EARLY_DATA="$OPENSSL_NEXT s_server -early_data -cert data_files/server5.crt -key data_files/server5.key" + O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" + O_NEXT_SRV_EARLY_DATA="$OPENSSL_NEXT s_server -early_data -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" O_NEXT_SRV_NO_CERT="$OPENSSL_NEXT s_server -www " - O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client -CAfile data_files/test-ca_cat12.crt" + O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client -CAfile $DATA_FILES_PATH/test-ca_cat12.crt" O_NEXT_CLI_NO_CERT="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client" else O_NEXT_SRV=false @@ -85,7 +113,7 @@ else fi if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then - G_NEXT_SRV="$GNUTLS_NEXT_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key" + G_NEXT_SRV="$GNUTLS_NEXT_SERV --x509certfile $DATA_FILES_PATH/server5.crt --x509keyfile $DATA_FILES_PATH/server5.key" G_NEXT_SRV_NO_CERT="$GNUTLS_NEXT_SERV" else G_NEXT_SRV=false @@ -93,7 +121,7 @@ else fi if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then - G_NEXT_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_NEXT_CLI --x509cafile data_files/test-ca_cat12.crt" + G_NEXT_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_NEXT_CLI --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt" G_NEXT_CLI_NO_CERT="echo 'GET / HTTP/1.0' | $GNUTLS_NEXT_CLI" else G_NEXT_CLI=false @@ -115,6 +143,7 @@ LIST_TESTS=0 RUN_TEST_NUMBER='' RUN_TEST_SUITE='' +MIN_TESTS=1 PRESERVE_LOGS=0 # Pick a "unique" server port in the range 10000-19999, and a proxy @@ -133,6 +162,7 @@ print_usage() { printf " -s|--show-numbers\tShow test numbers in front of test names\n" printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n" printf " --list-test-cases\tList all potential test cases (No Execution)\n" + printf " --min \tMinimum number of non-skipped tests (default 1)\n" printf " --outcome-file\tFile where test outcomes are written\n" printf " \t(default: \$MBEDTLS_TEST_OUTCOME_FILE, none if empty)\n" printf " --port \tTCP/UDP port (default: randomish 1xxxx)\n" @@ -166,6 +196,9 @@ get_options() { -p|--preserve-logs) PRESERVE_LOGS=1 ;; + --min) + shift; MIN_TESTS=$1 + ;; --outcome-file) shift; MBEDTLS_TEST_OUTCOME_FILE=$1 ;; @@ -443,9 +476,9 @@ detect_required_features() { esac case "$CMD_LINE" in - *server5*|\ - *server7*|\ - *dir-maxpath*) + */server5*|\ + */server7*|\ + */dir-maxpath*) if [ "$TLS_VERSION" = "TLS13" ]; then # In case of TLS13 the support for ECDSA is enough requires_pk_alg "ECDSA" @@ -477,9 +510,15 @@ detect_required_features() { esac case "$CMD_LINE" in - *server2*|\ - *server7*) - # server2 and server7 certificates use RSA encryption + */server1*|\ + */server2*|\ + */server7*) + # Certificates with an RSA key. The algorithm requirement is + # some subset of {PKCS#1v1.5 encryption, PKCS#1v1.5 signature, + # PSS signature}. We can't easily tell which subset works, and + # we aren't currently running ssl-opt.sh in configurations + # where partial RSA support is a problem, so generically, we + # just require RSA and it works out for our tests so far. requires_config_enabled "MBEDTLS_RSA_C" esac @@ -494,9 +533,10 @@ requires_certificate_authentication () { adapt_cmd_for_psk () { case "$2" in - *openssl*) s='-psk abc123 -nocert';; - *gnutls-*) s='--pskkey=abc123';; - *) s='psk=abc123';; + *openssl*s_server*) s='-psk 73776f726466697368 -nocert';; + *openssl*) s='-psk 73776f726466697368';; + *gnutls-*) s='--pskusername=Client_identity --pskkey=73776f726466697368';; + *) s='psk=73776f726466697368';; esac eval $1='"$2 $s"' unset s @@ -555,6 +595,7 @@ case " $CONFIGS_ENABLED " in *) PSK_ONLY="NO";; esac +HAS_ALG_MD5="NO" HAS_ALG_SHA_1="NO" HAS_ALG_SHA_224="NO" HAS_ALG_SHA_256="NO" @@ -573,7 +614,10 @@ check_for_hash_alg() else CURR_ALG=MBEDTLS_${1}_C # Remove the second underscore to match MBEDTLS_* naming convention - CURR_ALG=$(echo "$CURR_ALG" | sed 's/_//2') + # MD5 is an exception to this convention + if [ "${1}" != "MD5" ]; then + CURR_ALG=$(echo "$CURR_ALG" | sed 's/_//2') + fi fi case $CONFIGS_ENABLED in @@ -587,7 +631,7 @@ check_for_hash_alg() populate_enabled_hash_algs() { - for hash_alg in SHA_1 SHA_224 SHA_256 SHA_384 SHA_512; do + for hash_alg in SHA_1 SHA_224 SHA_256 SHA_384 SHA_512 MD5; do if check_for_hash_alg "$hash_alg"; then hash_alg_variable=HAS_ALG_${hash_alg} eval ${hash_alg_variable}=YES @@ -600,6 +644,7 @@ requires_hash_alg() { HASH_DEFINE="Invalid" HAS_HASH_ALG="NO" case $1 in + MD5):;; SHA_1):;; SHA_224):;; SHA_256):;; @@ -1666,7 +1711,7 @@ run_test() { # Check if test uses files case "$SRV_CMD $CLI_CMD" in - *data_files/*) + *$DATA_FILES_PATH/*) requires_config_enabled MBEDTLS_FS_IO;; esac @@ -1774,7 +1819,7 @@ run_test_psa_force_curve() { # a maximum fragment length. # first argument ($1) is MFL for SSL client # second argument ($2) is memory usage for SSL client with default MFL (16k) -run_test_memory_after_hanshake_with_mfl() +run_test_memory_after_handshake_with_mfl() { # The test passes if the difference is around 2*(16k-MFL) MEMORY_USAGE_LIMIT="$(( $2 - ( 2 * ( 16384 - $1 )) ))" @@ -1785,7 +1830,7 @@ run_test_memory_after_hanshake_with_mfl() run_test "Handshake memory usage (MFL $1)" \ "$P_SRV debug_level=3 auth_mode=required force_version=tls12" \ "$P_CLI debug_level=3 \ - crt_file=data_files/server5.crt key_file=data_files/server5.key \ + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM max_frag_len=$1" \ 0 \ -F "handshake_memory_check $MEMORY_USAGE_LIMIT" @@ -1794,7 +1839,7 @@ run_test_memory_after_hanshake_with_mfl() # Test that the server's memory usage after a handshake is reduced when a client specifies # different values of Maximum Fragment Length: default (16k), 4k, 2k, 1k and 512 bytes -run_tests_memory_after_hanshake() +run_tests_memory_after_handshake() { # all tests in this sequence requires the same configuration (see requires_config_enabled()) SKIP_THIS_TESTS="$SKIP_NEXT" @@ -1804,22 +1849,22 @@ run_tests_memory_after_hanshake() run_test "Handshake memory usage initial (MFL 16384 - default)" \ "$P_SRV debug_level=3 auth_mode=required force_version=tls12" \ "$P_CLI debug_level=3 \ - crt_file=data_files/server5.crt key_file=data_files/server5.key \ + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM" \ 0 \ -F "handshake_memory_get MEMORY_USAGE_MFL_16K" SKIP_NEXT="$SKIP_THIS_TESTS" - run_test_memory_after_hanshake_with_mfl 4096 "$MEMORY_USAGE_MFL_16K" + run_test_memory_after_handshake_with_mfl 4096 "$MEMORY_USAGE_MFL_16K" SKIP_NEXT="$SKIP_THIS_TESTS" - run_test_memory_after_hanshake_with_mfl 2048 "$MEMORY_USAGE_MFL_16K" + run_test_memory_after_handshake_with_mfl 2048 "$MEMORY_USAGE_MFL_16K" SKIP_NEXT="$SKIP_THIS_TESTS" - run_test_memory_after_hanshake_with_mfl 1024 "$MEMORY_USAGE_MFL_16K" + run_test_memory_after_handshake_with_mfl 1024 "$MEMORY_USAGE_MFL_16K" SKIP_NEXT="$SKIP_THIS_TESTS" - run_test_memory_after_hanshake_with_mfl 512 "$MEMORY_USAGE_MFL_16K" + run_test_memory_after_handshake_with_mfl 512 "$MEMORY_USAGE_MFL_16K" } cleanup() { @@ -2069,48 +2114,48 @@ run_test "key size: TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \ -c "Key size is 128" requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_MD_CAN_MD5 # server5.key.enc is in PEM format and AES-256-CBC crypted. Unfortunately PEM # module does not support PSA dispatching so we need builtin support. requires_config_enabled MBEDTLS_CIPHER_MODE_CBC requires_config_enabled MBEDTLS_AES_C +requires_hash_alg MD5 requires_hash_alg SHA_256 run_test "TLS: password protected client key" \ "$P_SRV force_version=tls12 auth_mode=required" \ - "$P_CLI crt_file=data_files/server5.crt key_file=data_files/server5.key.enc key_pwd=PolarSSLTest" \ + "$P_CLI crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key.enc key_pwd=PolarSSLTest" \ 0 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_MD_CAN_MD5 # server5.key.enc is in PEM format and AES-256-CBC crypted. Unfortunately PEM # module does not support PSA dispatching so we need builtin support. requires_config_enabled MBEDTLS_CIPHER_MODE_CBC requires_config_enabled MBEDTLS_AES_C +requires_hash_alg MD5 requires_hash_alg SHA_256 run_test "TLS: password protected server key" \ - "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key.enc key_pwd=PolarSSLTest" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key.enc key_pwd=PolarSSLTest" \ "$P_CLI force_version=tls12" \ 0 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_MD_CAN_MD5 # server5.key.enc is in PEM format and AES-256-CBC crypted. Unfortunately PEM # module does not support PSA dispatching so we need builtin support. requires_config_enabled MBEDTLS_CIPHER_MODE_CBC requires_config_enabled MBEDTLS_AES_C +requires_hash_alg MD5 requires_hash_alg SHA_256 run_test "TLS: password protected server key, two certificates" \ "$P_SRV force_version=tls12\ - key_file=data_files/server5.key.enc key_pwd=PolarSSLTest crt_file=data_files/server5.crt \ - key_file2=data_files/server2.key.enc key_pwd2=PolarSSLTest crt_file2=data_files/server2.crt" \ + key_file=$DATA_FILES_PATH/server5.key.enc key_pwd=PolarSSLTest crt_file=$DATA_FILES_PATH/server5.crt \ + key_file2=$DATA_FILES_PATH/server2.key.enc key_pwd2=PolarSSLTest crt_file2=$DATA_FILES_PATH/server2.crt" \ "$P_CLI" \ 0 requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "CA callback on client" \ "$P_SRV debug_level=3" \ - "$P_CLI force_version=tls12 ca_callback=1 debug_level=3 " \ + "$P_CLI ca_callback=1 debug_level=3 " \ 0 \ -c "use CA callback for X.509 CRT verification" \ -S "error" \ @@ -2120,9 +2165,9 @@ requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_hash_alg SHA_256 run_test "CA callback on server" \ - "$P_SRV force_version=tls12 auth_mode=required" \ - "$P_CLI ca_callback=1 debug_level=3 crt_file=data_files/server5.crt \ - key_file=data_files/server5.key" \ + "$P_SRV auth_mode=required" \ + "$P_CLI ca_callback=1 debug_level=3 crt_file=$DATA_FILES_PATH/server5.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ 0 \ -c "use CA callback for X.509 CRT verification" \ -s "Verifying peer X.509 certificate... ok" \ @@ -2135,10 +2180,10 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_hash_alg SHA_256 run_test "Opaque key for client authentication: ECDHE-ECDSA" \ - "$P_SRV force_version=tls12 auth_mode=required crt_file=data_files/server5.crt \ - key_file=data_files/server5.key" \ - "$P_CLI key_opaque=1 crt_file=data_files/server5.crt \ - key_file=data_files/server5.key key_opaque_algs=ecdsa-sign,none" \ + "$P_SRV force_version=tls12 auth_mode=required crt_file=$DATA_FILES_PATH/server5.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ + "$P_CLI key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \ + key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdsa-sign,none" \ 0 \ -c "key type: Opaque" \ -c "Ciphersuite is TLS-ECDHE-ECDSA" \ @@ -2154,10 +2199,10 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED requires_hash_alg SHA_256 run_test "Opaque key for client authentication: ECDHE-RSA" \ - "$P_SRV force_version=tls12 auth_mode=required crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key" \ - "$P_CLI key_opaque=1 crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \ + "$P_SRV force_version=tls12 auth_mode=required crt_file=$DATA_FILES_PATH/server2-sha256.crt \ + key_file=$DATA_FILES_PATH/server2.key" \ + "$P_CLI key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \ + key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \ 0 \ -c "key type: Opaque" \ -c "Ciphersuite is TLS-ECDHE-RSA" \ @@ -2171,10 +2216,10 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_config_enabled MBEDTLS_RSA_C requires_hash_alg SHA_256 run_test "Opaque key for client authentication: DHE-RSA" \ - "$P_SRV force_version=tls12 auth_mode=required crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key" \ - "$P_CLI key_opaque=1 crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ + "$P_SRV force_version=tls12 auth_mode=required crt_file=$DATA_FILES_PATH/server2-sha256.crt \ + key_file=$DATA_FILES_PATH/server2.key" \ + "$P_CLI key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \ + key_file=$DATA_FILES_PATH/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ key_opaque_algs=rsa-sign-pkcs1,none" \ 0 \ -c "key type: Opaque" \ @@ -2190,8 +2235,8 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_hash_alg SHA_256 run_test "Opaque key for server authentication: ECDHE-ECDSA" \ - "$P_SRV key_opaque=1 crt_file=data_files/server5.crt \ - key_file=data_files/server5.key key_opaque_algs=ecdsa-sign,none" \ + "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \ + key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdsa-sign,none" \ "$P_CLI force_version=tls12" \ 0 \ -c "Verifying peer X.509 certificate... ok" \ @@ -2206,8 +2251,8 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_hash_alg SHA_256 run_test "Opaque key for server authentication: ECDH-" \ "$P_SRV auth_mode=required key_opaque=1\ - crt_file=data_files/server5.ku-ka.crt\ - key_file=data_files/server5.key key_opaque_algs=ecdh,none" \ + crt_file=$DATA_FILES_PATH/server5.ku-ka.crt\ + key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdh,none" \ "$P_CLI force_version=tls12" \ 0 \ -c "Verifying peer X.509 certificate... ok" \ @@ -2222,8 +2267,8 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_config_disabled MBEDTLS_SSL_ASYNC_PRIVATE requires_hash_alg SHA_256 run_test "Opaque key for server authentication: invalid key: decrypt with ECC key, no async" \ - "$P_SRV key_opaque=1 crt_file=data_files/server5.crt \ - key_file=data_files/server5.key key_opaque_algs=rsa-decrypt,none \ + "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \ + key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=rsa-decrypt,none \ debug_level=1" \ "$P_CLI force_version=tls12" \ 1 \ @@ -2239,8 +2284,8 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_disabled MBEDTLS_SSL_ASYNC_PRIVATE requires_hash_alg SHA_256 run_test "Opaque key for server authentication: invalid key: ecdh with RSA key, no async" \ - "$P_SRV key_opaque=1 crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key key_opaque_algs=ecdh,none \ + "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \ + key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=ecdh,none \ debug_level=1" \ "$P_CLI force_version=tls12" \ 1 \ @@ -2254,8 +2299,8 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE requires_hash_alg SHA_256 run_test "Opaque key for server authentication: invalid alg: decrypt with ECC key, async" \ - "$P_SRV key_opaque=1 crt_file=data_files/server5.crt \ - key_file=data_files/server5.key key_opaque_algs=rsa-decrypt,none \ + "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \ + key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=rsa-decrypt,none \ debug_level=1" \ "$P_CLI force_version=tls12" \ 1 \ @@ -2270,8 +2315,8 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE requires_hash_alg SHA_256 run_test "Opaque key for server authentication: invalid alg: ecdh with RSA key, async" \ - "$P_SRV key_opaque=1 crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key key_opaque_algs=ecdh,none \ + "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \ + key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=ecdh,none \ debug_level=1" \ "$P_CLI force_version=tls12" \ 1 \ @@ -2284,8 +2329,8 @@ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_hash_alg SHA_256 run_test "Opaque key for server authentication: invalid alg: ECDHE-ECDSA with ecdh" \ - "$P_SRV key_opaque=1 crt_file=data_files/server5.crt \ - key_file=data_files/server5.key key_opaque_algs=ecdh,none \ + "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \ + key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdh,none \ debug_level=1" \ "$P_CLI force_version=tls12 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-CCM" \ 1 \ @@ -2300,9 +2345,9 @@ requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_hash_alg SHA_256 requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "Opaque keys for server authentication: EC keys with different algs, force ECDHE-ECDSA" \ - "$P_SRV force_version=tls12 key_opaque=1 crt_file=data_files/server7.crt \ - key_file=data_files/server7.key key_opaque_algs=ecdh,none \ - crt_file2=data_files/server5.crt key_file2=data_files/server5.key \ + "$P_SRV force_version=tls12 key_opaque=1 crt_file=$DATA_FILES_PATH/server7.crt \ + key_file=$DATA_FILES_PATH/server7.key key_opaque_algs=ecdh,none \ + crt_file2=$DATA_FILES_PATH/server5.crt key_file2=$DATA_FILES_PATH/server5.key \ key_opaque_algs2=ecdsa-sign,none" \ "$P_CLI force_version=tls12" \ 0 \ @@ -2319,9 +2364,9 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_hash_alg SHA_384 requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "Opaque keys for server authentication: EC keys with different algs, force ECDH-ECDSA" \ - "$P_SRV key_opaque=1 crt_file=data_files/server7.crt \ - key_file=data_files/server7.key key_opaque_algs=ecdsa-sign,none \ - crt_file2=data_files/server5.crt key_file2=data_files/server5.key \ + "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server7.crt \ + key_file=$DATA_FILES_PATH/server7.key key_opaque_algs=ecdsa-sign,none \ + crt_file2=$DATA_FILES_PATH/server5.crt key_file2=$DATA_FILES_PATH/server5.key \ key_opaque_algs2=ecdh,none debug_level=3" \ "$P_CLI force_version=tls12 force_ciphersuite=TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384" \ 0 \ @@ -2338,10 +2383,10 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_hash_alg SHA_384 requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "Opaque keys for server authentication: EC + RSA, force ECDHE-ECDSA" \ - "$P_SRV key_opaque=1 crt_file=data_files/server5.crt \ - key_file=data_files/server5.key key_opaque_algs=ecdsa-sign,none \ - crt_file2=data_files/server2-sha256.crt \ - key_file2=data_files/server2.key key_opaque_algs2=rsa-sign-pkcs1,none" \ + "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \ + key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdsa-sign,none \ + crt_file2=$DATA_FILES_PATH/server2-sha256.crt \ + key_file2=$DATA_FILES_PATH/server2.key key_opaque_algs2=rsa-sign-pkcs1,none" \ "$P_CLI force_version=tls12 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-CCM" \ 0 \ -c "Verifying peer X.509 certificate... ok" \ @@ -2416,8 +2461,8 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED requires_hash_alg SHA_256 run_test "Opaque key for server authentication: ECDHE-RSA" \ - "$P_SRV key_opaque=1 crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \ + "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \ + key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \ "$P_CLI force_version=tls12" \ 0 \ -c "Verifying peer X.509 certificate... ok" \ @@ -2432,8 +2477,8 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_config_enabled MBEDTLS_RSA_C requires_hash_alg SHA_256 run_test "Opaque key for server authentication: DHE-RSA" \ - "$P_SRV key_opaque=1 crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \ + "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \ + key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \ "$P_CLI force_version=tls12 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \ 0 \ -c "Verifying peer X.509 certificate... ok" \ @@ -2449,9 +2494,9 @@ requires_config_enabled MBEDTLS_RSA_C requires_hash_alg SHA_256 run_test "Opaque key for server authentication: RSA-PSK" \ "$P_SRV debug_level=1 key_opaque=1 key_opaque_algs=rsa-decrypt,none \ - psk=abc123 psk_identity=foo" \ + psk=73776f726466697368 psk_identity=foo" \ "$P_CLI force_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256 \ - psk=abc123 psk_identity=foo" \ + psk=73776f726466697368 psk_identity=foo" \ 0 \ -c "Verifying peer X.509 certificate... ok" \ -c "Ciphersuite is TLS-RSA-PSK-" \ @@ -2480,10 +2525,10 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_config_enabled MBEDTLS_RSA_C requires_hash_alg SHA_256 run_test "Opaque key for server authentication: DHE-RSA, PSS instead of PKCS1" \ - "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key key_opaque_algs=rsa-sign-pss,none debug_level=1" \ - "$P_CLI crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \ + "$P_SRV auth_mode=required key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \ + key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pss,none debug_level=1" \ + "$P_CLI crt_file=$DATA_FILES_PATH/server2-sha256.crt \ + key_file=$DATA_FILES_PATH/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \ 1 \ -s "key types: Opaque, none" \ -s "got ciphersuites in common, but none of them usable" \ @@ -2497,10 +2542,10 @@ requires_hash_alg SHA_256 requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED run_test "Opaque keys for server authentication: RSA keys with different algs" \ - "$P_SRV force_version=tls12 auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key key_opaque_algs=rsa-sign-pss,none \ - crt_file2=data_files/server4.crt \ - key_file2=data_files/server4.key key_opaque_algs2=rsa-sign-pkcs1,none" \ + "$P_SRV force_version=tls12 auth_mode=required key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \ + key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pss,none \ + crt_file2=$DATA_FILES_PATH/server4.crt \ + key_file2=$DATA_FILES_PATH/server4.key key_opaque_algs2=rsa-sign-pkcs1,none" \ "$P_CLI force_version=tls12" \ 0 \ -c "Verifying peer X.509 certificate... ok" \ @@ -2517,10 +2562,10 @@ requires_config_enabled MBEDTLS_RSA_C requires_hash_alg SHA_384 requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "Opaque keys for server authentication: EC + RSA, force DHE-RSA" \ - "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server5.crt \ - key_file=data_files/server5.key key_opaque_algs=ecdsa-sign,none \ - crt_file2=data_files/server4.crt \ - key_file2=data_files/server4.key key_opaque_algs2=rsa-sign-pkcs1,none" \ + "$P_SRV auth_mode=required key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \ + key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdsa-sign,none \ + crt_file2=$DATA_FILES_PATH/server4.crt \ + key_file2=$DATA_FILES_PATH/server4.key key_opaque_algs2=rsa-sign-pkcs1,none" \ "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \ 0 \ -c "Verifying peer X.509 certificate... ok" \ @@ -2537,10 +2582,10 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_hash_alg SHA_256 run_test "Opaque key for client/server authentication: ECDHE-ECDSA" \ - "$P_SRV force_version=tls12 auth_mode=required key_opaque=1 crt_file=data_files/server5.crt \ - key_file=data_files/server5.key key_opaque_algs=ecdsa-sign,none" \ - "$P_CLI key_opaque=1 crt_file=data_files/server5.crt \ - key_file=data_files/server5.key key_opaque_algs=ecdsa-sign,none" \ + "$P_SRV force_version=tls12 auth_mode=required key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \ + key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdsa-sign,none" \ + "$P_CLI key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \ + key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdsa-sign,none" \ 0 \ -c "key type: Opaque" \ -c "Verifying peer X.509 certificate... ok" \ @@ -2558,10 +2603,10 @@ requires_config_enabled MBEDTLS_RSA_C requires_hash_alg SHA_256 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED run_test "Opaque key for client/server authentication: ECDHE-RSA" \ - "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \ - "$P_CLI force_version=tls12 key_opaque=1 crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \ + "$P_SRV auth_mode=required key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \ + key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \ + "$P_CLI force_version=tls12 key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \ + key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \ 0 \ -c "key type: Opaque" \ -c "Verifying peer X.509 certificate... ok" \ @@ -2577,10 +2622,10 @@ requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_config_enabled MBEDTLS_RSA_C requires_hash_alg SHA_256 run_test "Opaque key for client/server authentication: DHE-RSA" \ - "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \ - "$P_CLI key_opaque=1 crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none \ + "$P_SRV auth_mode=required key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \ + key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \ + "$P_CLI key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \ + key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pkcs1,none \ force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \ 0 \ -c "key type: Opaque" \ @@ -2672,14 +2717,15 @@ requires_any_configs_enabled "MBEDTLS_ECP_DP_SECP256R1_ENABLED \ requires_hash_alg SHA_256 run_test "Single supported algorithm sending: openssl client" \ "$P_SRV sig_algs=ecdsa_secp256r1_sha256 auth_mode=required" \ - "$O_CLI -cert data_files/server6.crt \ - -key data_files/server6.key" \ + "$O_CLI -cert $DATA_FILES_PATH/server6.crt \ + -key $DATA_FILES_PATH/server6.key" \ 0 # Tests for certificate verification callback +requires_key_exchange_with_cert_in_tls12_or_tls13_enabled run_test "Configuration-specific CRT verification callback" \ "$P_SRV debug_level=3" \ - "$P_CLI force_version=tls12 context_crt_cb=0 debug_level=3" \ + "$P_CLI context_crt_cb=0 debug_level=3" \ 0 \ -S "error" \ -c "Verify requested for " \ @@ -2687,9 +2733,10 @@ run_test "Configuration-specific CRT verification callback" \ -C "Use context-specific verification callback" \ -C "error" +requires_key_exchange_with_cert_in_tls12_or_tls13_enabled run_test "Context-specific CRT verification callback" \ "$P_SRV debug_level=3" \ - "$P_CLI force_version=tls12 context_crt_cb=1 debug_level=3" \ + "$P_CLI context_crt_cb=1 debug_level=3" \ 0 \ -S "error" \ -c "Verify requested for " \ @@ -2698,36 +2745,44 @@ run_test "Context-specific CRT verification callback" \ -C "error" # Tests for SHA-1 support +requires_hash_alg SHA_1 run_test "SHA-1 forbidden by default in server certificate" \ - "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \ + "$P_SRV key_file=$DATA_FILES_PATH/server2.key crt_file=$DATA_FILES_PATH/server2.crt" \ "$P_CLI debug_level=2 force_version=tls12 allow_sha1=0" \ 1 \ -c "The certificate is signed with an unacceptable hash" +requires_hash_alg SHA_1 run_test "SHA-1 explicitly allowed in server certificate" \ - "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \ + "$P_SRV key_file=$DATA_FILES_PATH/server2.key crt_file=$DATA_FILES_PATH/server2.crt" \ "$P_CLI force_version=tls12 allow_sha1=1" \ 0 run_test "SHA-256 allowed by default in server certificate" \ - "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \ + "$P_SRV key_file=$DATA_FILES_PATH/server2.key crt_file=$DATA_FILES_PATH/server2-sha256.crt" \ "$P_CLI force_version=tls12 allow_sha1=0" \ 0 +requires_hash_alg SHA_1 +requires_config_enabled MBEDTLS_RSA_C run_test "SHA-1 forbidden by default in client certificate" \ "$P_SRV force_version=tls12 auth_mode=required allow_sha1=0" \ - "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \ + "$P_CLI key_file=$DATA_FILES_PATH/cli-rsa.key crt_file=$DATA_FILES_PATH/cli-rsa-sha1.crt" \ 1 \ -s "The certificate is signed with an unacceptable hash" +requires_hash_alg SHA_1 +requires_config_enabled MBEDTLS_RSA_C run_test "SHA-1 explicitly allowed in client certificate" \ "$P_SRV force_version=tls12 auth_mode=required allow_sha1=1" \ - "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \ + "$P_CLI key_file=$DATA_FILES_PATH/cli-rsa.key crt_file=$DATA_FILES_PATH/cli-rsa-sha1.crt" \ 0 +requires_config_enabled MBEDTLS_RSA_C +requires_hash_alg SHA_256 run_test "SHA-256 allowed by default in client certificate" \ "$P_SRV force_version=tls12 auth_mode=required allow_sha1=0" \ - "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \ + "$P_CLI key_file=$DATA_FILES_PATH/cli-rsa.key crt_file=$DATA_FILES_PATH/cli-rsa-sha256.crt" \ 0 # Tests for datagram packing @@ -3731,6 +3786,7 @@ run_test "CBC Record splitting: TLS 1.2, no splitting" \ # Tests for Session Tickets +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: basic" \ "$P_SRV debug_level=3 tickets=1" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -3745,6 +3801,7 @@ run_test "Session resume using tickets: basic" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: manual rotation" \ "$P_SRV debug_level=3 tickets=1 ticket_rotate=1" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -3759,6 +3816,7 @@ run_test "Session resume using tickets: manual rotation" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: cache disabled" \ "$P_SRV debug_level=3 tickets=1 cache_max=0" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -3773,6 +3831,7 @@ run_test "Session resume using tickets: cache disabled" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: timeout" \ "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1 reco_delay=2000" \ @@ -3787,6 +3846,7 @@ run_test "Session resume using tickets: timeout" \ -S "a session has been resumed" \ -C "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: session copy" \ "$P_SRV debug_level=3 tickets=1 cache_max=0" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1 reco_mode=0" \ @@ -3802,6 +3862,7 @@ run_test "Session resume using tickets: session copy" \ -c "a session has been resumed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: openssl server" \ "$O_SRV -tls1_2" \ "$P_CLI debug_level=3 tickets=1 reconnect=1" \ @@ -3812,8 +3873,9 @@ run_test "Session resume using tickets: openssl server" \ -c "a session has been resumed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: openssl client" \ - "$P_SRV debug_level=3 tickets=1" \ + "$P_SRV force_version=tls12 debug_level=3 tickets=1" \ "( $O_CLI -sess_out $SESSION; \ $O_CLI -sess_in $SESSION; \ rm -f $SESSION )" \ @@ -3825,6 +3887,7 @@ run_test "Session resume using tickets: openssl client" \ -s "a session has been resumed" requires_cipher_enabled "AES" "GCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: AES-128-GCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=AES-128-GCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -3840,6 +3903,7 @@ run_test "Session resume using tickets: AES-128-GCM" \ -c "a session has been resumed" requires_cipher_enabled "AES" "GCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: AES-192-GCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=AES-192-GCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -3855,6 +3919,7 @@ run_test "Session resume using tickets: AES-192-GCM" \ -c "a session has been resumed" requires_cipher_enabled "AES" "CCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: AES-128-CCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=AES-128-CCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -3870,6 +3935,7 @@ run_test "Session resume using tickets: AES-128-CCM" \ -c "a session has been resumed" requires_cipher_enabled "AES" "CCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: AES-192-CCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=AES-192-CCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -3885,6 +3951,7 @@ run_test "Session resume using tickets: AES-192-CCM" \ -c "a session has been resumed" requires_cipher_enabled "AES" "CCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: AES-256-CCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=AES-256-CCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -3900,6 +3967,7 @@ run_test "Session resume using tickets: AES-256-CCM" \ -c "a session has been resumed" requires_cipher_enabled "CAMELLIA" "CCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: CAMELLIA-128-CCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=CAMELLIA-128-CCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -3915,6 +3983,7 @@ run_test "Session resume using tickets: CAMELLIA-128-CCM" \ -c "a session has been resumed" requires_cipher_enabled "CAMELLIA" "CCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: CAMELLIA-192-CCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=CAMELLIA-192-CCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -3930,6 +3999,7 @@ run_test "Session resume using tickets: CAMELLIA-192-CCM" \ -c "a session has been resumed" requires_cipher_enabled "CAMELLIA" "CCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: CAMELLIA-256-CCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=CAMELLIA-256-CCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -3945,6 +4015,7 @@ run_test "Session resume using tickets: CAMELLIA-256-CCM" \ -c "a session has been resumed" requires_cipher_enabled "ARIA" "GCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: ARIA-128-GCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-128-GCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -3960,6 +4031,7 @@ run_test "Session resume using tickets: ARIA-128-GCM" \ -c "a session has been resumed" requires_cipher_enabled "ARIA" "GCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: ARIA-192-GCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-192-GCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -3975,6 +4047,7 @@ run_test "Session resume using tickets: ARIA-192-GCM" \ -c "a session has been resumed" requires_cipher_enabled "ARIA" "GCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: ARIA-256-GCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-256-GCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -3990,6 +4063,7 @@ run_test "Session resume using tickets: ARIA-256-GCM" \ -c "a session has been resumed" requires_cipher_enabled "ARIA" "CCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: ARIA-128-CCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-128-CCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -4005,6 +4079,7 @@ run_test "Session resume using tickets: ARIA-128-CCM" \ -c "a session has been resumed" requires_cipher_enabled "ARIA" "CCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: ARIA-192-CCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-192-CCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -4020,6 +4095,7 @@ run_test "Session resume using tickets: ARIA-192-CCM" \ -c "a session has been resumed" requires_cipher_enabled "ARIA" "CCM" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: ARIA-256-CCM" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-256-CCM" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -4035,6 +4111,7 @@ run_test "Session resume using tickets: ARIA-256-CCM" \ -c "a session has been resumed" requires_cipher_enabled "CHACHA20" +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: CHACHA20-POLY1305" \ "$P_SRV debug_level=3 tickets=1 ticket_aead=CHACHA20-POLY1305" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -4052,6 +4129,7 @@ run_test "Session resume using tickets: CHACHA20-POLY1305" \ # Tests for Session Tickets with DTLS requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets, DTLS: basic" \ "$P_SRV debug_level=3 dtls=1 tickets=1" \ "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \ @@ -4067,6 +4145,7 @@ run_test "Session resume using tickets, DTLS: basic" \ -c "a session has been resumed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets, DTLS: cache disabled" \ "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \ "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \ @@ -4082,6 +4161,7 @@ run_test "Session resume using tickets, DTLS: cache disabled" \ -c "a session has been resumed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets, DTLS: timeout" \ "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \ "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1 reco_delay=2000" \ @@ -4097,6 +4177,7 @@ run_test "Session resume using tickets, DTLS: timeout" \ -C "a session has been resumed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets, DTLS: session copy" \ "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \ "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1 reco_mode=0" \ @@ -4112,6 +4193,7 @@ run_test "Session resume using tickets, DTLS: session copy" \ -c "a session has been resumed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets, DTLS: openssl server" \ "$O_SRV -dtls" \ "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \ @@ -4125,6 +4207,7 @@ run_test "Session resume using tickets, DTLS: openssl server" \ # probability with OpenSSL 1.0.2g on the CI, see #5012. requires_openssl_next requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets, DTLS: openssl client" \ "$P_SRV dtls=1 debug_level=3 tickets=1" \ "( $O_NEXT_CLI -dtls -sess_out $SESSION; \ @@ -4140,6 +4223,7 @@ run_test "Session resume using tickets, DTLS: openssl client" \ # Tests for Session Resume based on session-ID and cache requires_config_enabled MBEDTLS_SSL_CACHE_C +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using cache: tickets enabled on client" \ "$P_SRV debug_level=3 tickets=0" \ "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \ @@ -4155,6 +4239,7 @@ run_test "Session resume using cache: tickets enabled on client" \ -c "a session has been resumed" requires_config_enabled MBEDTLS_SSL_CACHE_C +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using cache: tickets enabled on server" \ "$P_SRV debug_level=3 tickets=1" \ "$P_CLI force_version=tls12 debug_level=3 tickets=0 reconnect=1" \ @@ -4246,6 +4331,7 @@ run_test "Session resume using cache: session copy" \ -c "a session has been resumed" requires_config_enabled MBEDTLS_SSL_CACHE_C +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using cache: openssl client" \ "$P_SRV force_version=tls12 debug_level=3 tickets=0" \ "( $O_CLI -sess_out $SESSION; \ @@ -4295,6 +4381,7 @@ run_test "Session resume and connection ID" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_CACHE_C +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using cache, DTLS: tickets enabled on client" \ "$P_SRV dtls=1 debug_level=3 tickets=0" \ "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1 skip_close_notify=1" \ @@ -4311,6 +4398,7 @@ run_test "Session resume using cache, DTLS: tickets enabled on client" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_CACHE_C +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using cache, DTLS: tickets enabled on server" \ "$P_SRV dtls=1 debug_level=3 tickets=1" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \ @@ -4396,6 +4484,7 @@ run_test "Session resume using cache, DTLS: session copy" \ requires_openssl_next requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_CACHE_C +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using cache, DTLS: openssl client" \ "$P_SRV dtls=1 debug_level=3 tickets=0" \ "( $O_NEXT_CLI -dtls -sess_out $SESSION; \ @@ -5467,7 +5556,7 @@ run_test "Renegotiation: openssl server, client-initiated" \ -c "client hello, adding renegotiation extension" \ -c "found renegotiation extension" \ -c "=> renegotiate" \ - -C "ssl_hanshake() returned" \ + -C "ssl_handshake() returned" \ -C "error" \ -c "HTTP/1.0 200 [Oo][Kk]" @@ -5481,7 +5570,7 @@ run_test "Renegotiation: gnutls server strict, client-initiated" \ -c "client hello, adding renegotiation extension" \ -c "found renegotiation extension" \ -c "=> renegotiate" \ - -C "ssl_hanshake() returned" \ + -C "ssl_handshake() returned" \ -C "error" \ -c "HTTP/1.0 200 [Oo][Kk]" @@ -5525,7 +5614,7 @@ run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \ -c "client hello, adding renegotiation extension" \ -C "found renegotiation extension" \ -c "=> renegotiate" \ - -C "ssl_hanshake() returned" \ + -C "ssl_handshake() returned" \ -C "error" \ -c "HTTP/1.0 200 [Oo][Kk]" @@ -5592,6 +5681,7 @@ run_test "Renegotiation: DTLS, gnutls server, client-initiated" \ # Test for the "secure renegotiation" extension only (no actual renegotiation) requires_gnutls +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "Renego ext: gnutls server strict, client default" \ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%SAFE_RENEGOTIATION" \ @@ -5602,6 +5692,7 @@ run_test "Renego ext: gnutls server strict, client default" \ -c "HTTP/1.0 200 [Oo][Kk]" requires_gnutls +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "Renego ext: gnutls server unsafe, client default" \ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \ @@ -5612,6 +5703,7 @@ run_test "Renego ext: gnutls server unsafe, client default" \ -c "HTTP/1.0 200 [Oo][Kk]" requires_gnutls +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "Renego ext: gnutls server unsafe, client break legacy" \ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \ @@ -5622,28 +5714,31 @@ run_test "Renego ext: gnutls server unsafe, client break legacy" \ -C "HTTP/1.0 200 [Oo][Kk]" requires_gnutls +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "Renego ext: gnutls client strict, server default" \ "$P_SRV debug_level=3" \ - "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION localhost" \ + "$G_CLI --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%SAFE_RENEGOTIATION localhost" \ 0 \ -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \ -s "server hello, secure renegotiation extension" requires_gnutls +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "Renego ext: gnutls client unsafe, server default" \ "$P_SRV debug_level=3" \ - "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \ + "$G_CLI --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION localhost" \ 0 \ -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \ -S "server hello, secure renegotiation extension" requires_gnutls +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "Renego ext: gnutls client unsafe, server break legacy" \ "$P_SRV debug_level=3 allow_legacy=-1" \ - "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \ + "$G_CLI --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION localhost" \ 1 \ -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \ -S "server hello, secure renegotiation extension" @@ -5653,8 +5748,8 @@ run_test "Renego ext: gnutls client unsafe, server break legacy" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DER format: no trailing bytes" \ - "$P_SRV crt_file=data_files/server5-der0.crt \ - key_file=data_files/server5.key" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server5-der0.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ "$G_CLI localhost" \ 0 \ -c "Handshake was completed" \ @@ -5662,8 +5757,8 @@ run_test "DER format: no trailing bytes" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DER format: with a trailing zero byte" \ - "$P_SRV crt_file=data_files/server5-der1a.crt \ - key_file=data_files/server5.key" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server5-der1a.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ "$G_CLI localhost" \ 0 \ -c "Handshake was completed" \ @@ -5671,8 +5766,8 @@ run_test "DER format: with a trailing zero byte" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DER format: with a trailing random byte" \ - "$P_SRV crt_file=data_files/server5-der1b.crt \ - key_file=data_files/server5.key" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server5-der1b.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ "$G_CLI localhost" \ 0 \ -c "Handshake was completed" \ @@ -5680,8 +5775,8 @@ run_test "DER format: with a trailing random byte" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DER format: with 2 trailing random bytes" \ - "$P_SRV crt_file=data_files/server5-der2.crt \ - key_file=data_files/server5.key" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server5-der2.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ "$G_CLI localhost" \ 0 \ -c "Handshake was completed" \ @@ -5689,8 +5784,8 @@ run_test "DER format: with 2 trailing random bytes" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DER format: with 4 trailing random bytes" \ - "$P_SRV crt_file=data_files/server5-der4.crt \ - key_file=data_files/server5.key" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server5-der4.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ "$G_CLI localhost" \ 0 \ -c "Handshake was completed" \ @@ -5698,8 +5793,8 @@ run_test "DER format: with 4 trailing random bytes" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DER format: with 8 trailing random bytes" \ - "$P_SRV crt_file=data_files/server5-der8.crt \ - key_file=data_files/server5.key" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server5-der8.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ "$G_CLI localhost" \ 0 \ -c "Handshake was completed" \ @@ -5707,8 +5802,8 @@ run_test "DER format: with 8 trailing random bytes" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DER format: with 9 trailing random bytes" \ - "$P_SRV crt_file=data_files/server5-der9.crt \ - key_file=data_files/server5.key" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server5-der9.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ "$G_CLI localhost" \ 0 \ -c "Handshake was completed" \ @@ -5716,38 +5811,78 @@ run_test "DER format: with 9 trailing random bytes" \ # Tests for auth_mode, there are duplicated tests using ca callback for authentication # When updating these tests, modify the matching authentication tests accordingly +# The next 4 cases test the 3 auth modes with a badly signed server cert. requires_key_exchange_with_cert_in_tls12_or_tls13_enabled run_test "Authentication: server badcert, client required" \ - "$P_SRV crt_file=data_files/server5-badsign.crt \ - key_file=data_files/server5.key" \ - "$P_CLI debug_level=1 auth_mode=required" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ + "$P_CLI debug_level=3 auth_mode=required" \ 1 \ -c "x509_verify_cert() returned" \ -c "! The certificate is not correctly signed by the trusted CA" \ -c "! mbedtls_ssl_handshake returned" \ + -c "send alert level=2 message=48" \ -c "X509 - Certificate verification failed" + # MBEDTLS_X509_BADCERT_NOT_TRUSTED -> MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA +# We don't check that the server receives the alert because it might +# detect that its write end of the connection is closed and abort +# before reading the alert message. + +run_test "Authentication: server badcert, client required (1.2)" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ + "$P_CLI force_version=tls12 debug_level=3 auth_mode=required" \ + 1 \ + -c "x509_verify_cert() returned" \ + -c "! The certificate is not correctly signed by the trusted CA" \ + -c "! mbedtls_ssl_handshake returned" \ + -c "send alert level=2 message=48" \ + -c "X509 - Certificate verification failed" + # MBEDTLS_X509_BADCERT_NOT_TRUSTED -> MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA run_test "Authentication: server badcert, client optional" \ - "$P_SRV crt_file=data_files/server5-badsign.crt \ - key_file=data_files/server5.key" \ - "$P_CLI force_version=tls12 debug_level=1 auth_mode=optional" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ + "$P_CLI force_version=tls13 debug_level=3 auth_mode=optional" \ 0 \ -c "x509_verify_cert() returned" \ -c "! The certificate is not correctly signed by the trusted CA" \ -C "! mbedtls_ssl_handshake returned" \ + -C "send alert level=2 message=48" \ -C "X509 - Certificate verification failed" -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -run_test "Authentication: server goodcert, client optional, no trusted CA" \ - "$P_SRV" \ - "$P_CLI force_version=tls12 debug_level=3 auth_mode=optional ca_file=none ca_path=none" \ +run_test "Authentication: server badcert, client optional (1.2)" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ + "$P_CLI force_version=tls12 debug_level=3 auth_mode=optional" \ 0 \ -c "x509_verify_cert() returned" \ -c "! The certificate is not correctly signed by the trusted CA" \ - -c "! Certificate verification flags"\ -C "! mbedtls_ssl_handshake returned" \ - -C "X509 - Certificate verification failed" \ - -C "SSL - No CA Chain is set, but required to operate" + -C "send alert level=2 message=48" \ + -C "X509 - Certificate verification failed" + +run_test "Authentication: server badcert, client none" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ + "$P_CLI debug_level=3 auth_mode=none" \ + 0 \ + -C "x509_verify_cert() returned" \ + -C "! The certificate is not correctly signed by the trusted CA" \ + -C "! mbedtls_ssl_handshake returned" \ + -C "send alert level=2 message=48" \ + -C "X509 - Certificate verification failed" + +run_test "Authentication: server badcert, client none (1.2)" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ + "$P_CLI force_version=tls12 debug_level=3 auth_mode=none" \ + 0 \ + -C "x509_verify_cert() returned" \ + -C "! The certificate is not correctly signed by the trusted CA" \ + -C "! mbedtls_ssl_handshake returned" \ + -C "send alert level=2 message=48" \ + -C "X509 - Certificate verification failed" requires_key_exchange_with_cert_in_tls12_or_tls13_enabled run_test "Authentication: server goodcert, client required, no trusted CA" \ @@ -5760,6 +5895,65 @@ run_test "Authentication: server goodcert, client required, no trusted CA" \ -c "! mbedtls_ssl_handshake returned" \ -c "SSL - No CA Chain is set, but required to operate" +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +run_test "Authentication: server goodcert, client required, no trusted CA (1.2)" \ + "$P_SRV force_version=tls12" \ + "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \ + 1 \ + -c "x509_verify_cert() returned" \ + -c "! The certificate is not correctly signed by the trusted CA" \ + -c "! Certificate verification flags"\ + -c "! mbedtls_ssl_handshake returned" \ + -c "SSL - No CA Chain is set, but required to operate" + +requires_key_exchange_with_cert_in_tls12_or_tls13_enabled +run_test "Authentication: server goodcert, client optional, no trusted CA" \ + "$P_SRV" \ + "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \ + 0 \ + -c "x509_verify_cert() returned" \ + -c "! The certificate is not correctly signed by the trusted CA" \ + -c "! Certificate verification flags"\ + -C "! mbedtls_ssl_handshake returned" \ + -C "X509 - Certificate verification failed" \ + -C "SSL - No CA Chain is set, but required to operate" + +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +run_test "Authentication: server goodcert, client optional, no trusted CA (1.2)" \ + "$P_SRV" \ + "$P_CLI force_version=tls12 debug_level=3 auth_mode=optional ca_file=none ca_path=none" \ + 0 \ + -c "x509_verify_cert() returned" \ + -c "! The certificate is not correctly signed by the trusted CA" \ + -c "! Certificate verification flags"\ + -C "! mbedtls_ssl_handshake returned" \ + -C "X509 - Certificate verification failed" \ + -C "SSL - No CA Chain is set, but required to operate" + +requires_key_exchange_with_cert_in_tls12_or_tls13_enabled +run_test "Authentication: server goodcert, client none, no trusted CA" \ + "$P_SRV" \ + "$P_CLI debug_level=3 auth_mode=none ca_file=none ca_path=none" \ + 0 \ + -C "x509_verify_cert() returned" \ + -C "! The certificate is not correctly signed by the trusted CA" \ + -C "! Certificate verification flags"\ + -C "! mbedtls_ssl_handshake returned" \ + -C "X509 - Certificate verification failed" \ + -C "SSL - No CA Chain is set, but required to operate" + +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +run_test "Authentication: server goodcert, client none, no trusted CA (1.2)" \ + "$P_SRV" \ + "$P_CLI force_version=tls12 debug_level=3 auth_mode=none ca_file=none ca_path=none" \ + 0 \ + -C "x509_verify_cert() returned" \ + -C "! The certificate is not correctly signed by the trusted CA" \ + -C "! Certificate verification flags"\ + -C "! mbedtls_ssl_handshake returned" \ + -C "X509 - Certificate verification failed" \ + -C "SSL - No CA Chain is set, but required to operate" + # The purpose of the next two tests is to test the client's behaviour when receiving a server # certificate with an unsupported elliptic curve. This should usually not happen because # the client informs the server about the supported curves - it does, though, in the @@ -5768,8 +5962,8 @@ run_test "Authentication: server goodcert, client required, no trusted CA" \ # different means to have the server ignoring the client's supported curve list. run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \ - "$P_SRV debug_level=1 key_file=data_files/server5.key \ - crt_file=data_files/server5.ku-ka.crt" \ + "$P_SRV debug_level=1 key_file=$DATA_FILES_PATH/server5.key \ + crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \ "$P_CLI force_version=tls12 debug_level=3 auth_mode=required groups=secp521r1" \ 1 \ -c "bad certificate (EC key curve)"\ @@ -5777,29 +5971,19 @@ run_test "Authentication: server ECDH p256v1, client required, p256v1 unsuppo -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \ - "$P_SRV debug_level=1 key_file=data_files/server5.key \ - crt_file=data_files/server5.ku-ka.crt" \ + "$P_SRV debug_level=1 key_file=$DATA_FILES_PATH/server5.key \ + crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \ "$P_CLI force_version=tls12 debug_level=3 auth_mode=optional groups=secp521r1" \ 1 \ -c "bad certificate (EC key curve)"\ -c "! Certificate verification flags"\ -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check -run_test "Authentication: server badcert, client none" \ - "$P_SRV crt_file=data_files/server5-badsign.crt \ - key_file=data_files/server5.key" \ - "$P_CLI force_version=tls12 debug_level=1 auth_mode=none" \ - 0 \ - -C "x509_verify_cert() returned" \ - -C "! The certificate is not correctly signed by the trusted CA" \ - -C "! mbedtls_ssl_handshake returned" \ - -C "X509 - Certificate verification failed" - requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT run_test "Authentication: client SHA256, server required" \ "$P_SRV auth_mode=required" \ - "$P_CLI debug_level=3 crt_file=data_files/server6.crt \ - key_file=data_files/server6.key \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server6.crt \ + key_file=$DATA_FILES_PATH/server6.key \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \ 0 \ -c "Supported Signature Algorithm found: 04 " \ @@ -5808,8 +5992,8 @@ run_test "Authentication: client SHA256, server required" \ requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT run_test "Authentication: client SHA384, server required" \ "$P_SRV auth_mode=required" \ - "$P_CLI debug_level=3 crt_file=data_files/server6.crt \ - key_file=data_files/server6.key \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server6.crt \ + key_file=$DATA_FILES_PATH/server6.key \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \ 0 \ -c "Supported Signature Algorithm found: 04 " \ @@ -5819,7 +6003,7 @@ requires_key_exchange_with_cert_in_tls12_or_tls13_enabled run_test "Authentication: client has no cert, server required (TLS)" \ "$P_SRV debug_level=3 auth_mode=required" \ "$P_CLI debug_level=3 crt_file=none \ - key_file=data_files/server5.key" \ + key_file=$DATA_FILES_PATH/server5.key" \ 1 \ -S "skip write certificate request" \ -C "skip parse certificate request" \ @@ -5834,8 +6018,8 @@ run_test "Authentication: client has no cert, server required (TLS)" \ requires_key_exchange_with_cert_in_tls12_or_tls13_enabled run_test "Authentication: client badcert, server required" \ "$P_SRV debug_level=3 auth_mode=required" \ - "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \ - key_file=data_files/server5.key" \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ 1 \ -S "skip write certificate request" \ -C "skip parse certificate request" \ @@ -5854,9 +6038,9 @@ run_test "Authentication: client badcert, server required" \ requires_key_exchange_with_cert_in_tls12_or_tls13_enabled run_test "Authentication: client cert self-signed and trusted, server required" \ - "$P_SRV debug_level=3 auth_mode=required ca_file=data_files/server5-selfsigned.crt" \ - "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \ - key_file=data_files/server5.key" \ + "$P_SRV debug_level=3 auth_mode=required ca_file=$DATA_FILES_PATH/server5-selfsigned.crt" \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-selfsigned.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ 0 \ -S "skip write certificate request" \ -C "skip parse certificate request" \ @@ -5871,8 +6055,8 @@ run_test "Authentication: client cert self-signed and trusted, server require requires_key_exchange_with_cert_in_tls12_or_tls13_enabled run_test "Authentication: client cert not trusted, server required" \ "$P_SRV debug_level=3 auth_mode=required" \ - "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \ - key_file=data_files/server5.key" \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-selfsigned.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ 1 \ -S "skip write certificate request" \ -C "skip parse certificate request" \ @@ -5888,8 +6072,8 @@ run_test "Authentication: client cert not trusted, server required" \ requires_key_exchange_with_cert_in_tls12_or_tls13_enabled run_test "Authentication: client badcert, server optional" \ "$P_SRV debug_level=3 auth_mode=optional" \ - "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \ - key_file=data_files/server5.key" \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ 0 \ -S "skip write certificate request" \ -C "skip parse certificate request" \ @@ -5906,8 +6090,8 @@ run_test "Authentication: client badcert, server optional" \ requires_key_exchange_with_cert_in_tls12_or_tls13_enabled run_test "Authentication: client badcert, server none" \ "$P_SRV debug_level=3 auth_mode=none" \ - "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \ - key_file=data_files/server5.key" \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ 0 \ -s "skip write certificate request" \ -C "skip parse certificate request" \ @@ -5985,27 +6169,27 @@ MAX_IM_CA='8' requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: server max_int chain, client default" \ - "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \ - key_file=data_files/dir-maxpath/09.key" \ - "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \ + "$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c09.pem \ + key_file=$DATA_FILES_PATH/dir-maxpath/09.key" \ + "$P_CLI server_name=CA09 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt" \ 0 \ -C "X509 - A fatal error occurred" requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: server max_int+1 chain, client default" \ - "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \ - key_file=data_files/dir-maxpath/10.key" \ - "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \ + "$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \ + key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \ + "$P_CLI server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt" \ 1 \ -c "X509 - A fatal error occurred" requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: server max_int+1 chain, client optional" \ - "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \ - key_file=data_files/dir-maxpath/10.key" \ - "$P_CLI force_version=tls12 server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \ + "$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \ + key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \ + "$P_CLI server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt \ auth_mode=optional" \ 1 \ -c "X509 - A fatal error occurred" @@ -6013,9 +6197,9 @@ run_test "Authentication: server max_int+1 chain, client optional" \ requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: server max_int+1 chain, client none" \ - "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \ - key_file=data_files/dir-maxpath/10.key" \ - "$P_CLI force_version=tls12 server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \ + "$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \ + key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \ + "$P_CLI force_version=tls12 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt \ auth_mode=none" \ 0 \ -C "X509 - A fatal error occurred" @@ -6023,36 +6207,36 @@ run_test "Authentication: server max_int+1 chain, client none" \ requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: client max_int+1 chain, server default" \ - "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \ - "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \ - key_file=data_files/dir-maxpath/10.key" \ + "$P_SRV ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt" \ + "$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \ + key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \ 0 \ -S "X509 - A fatal error occurred" requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: client max_int+1 chain, server optional" \ - "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \ - "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \ - key_file=data_files/dir-maxpath/10.key" \ + "$P_SRV ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=optional" \ + "$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \ + key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \ 1 \ -s "X509 - A fatal error occurred" requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: client max_int+1 chain, server required" \ - "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \ - "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \ - key_file=data_files/dir-maxpath/10.key" \ + "$P_SRV ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=required" \ + "$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \ + key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \ 1 \ -s "X509 - A fatal error occurred" requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: client max_int chain, server required" \ - "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \ - "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \ - key_file=data_files/dir-maxpath/09.key" \ + "$P_SRV ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=required" \ + "$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c09.pem \ + key_file=$DATA_FILES_PATH/dir-maxpath/09.key" \ 0 \ -S "X509 - A fatal error occurred" @@ -6061,23 +6245,23 @@ run_test "Authentication: client max_int chain, server required" \ requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT run_test "Authentication: send CA list in CertificateRequest (default)" \ "$P_SRV debug_level=3 auth_mode=required" \ - "$P_CLI force_version=tls12 crt_file=data_files/server6.crt \ - key_file=data_files/server6.key" \ + "$P_CLI force_version=tls12 crt_file=$DATA_FILES_PATH/server6.crt \ + key_file=$DATA_FILES_PATH/server6.key" \ 0 \ -s "requested DN" requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT run_test "Authentication: do not send CA list in CertificateRequest" \ "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \ - "$P_CLI force_version=tls12 crt_file=data_files/server6.crt \ - key_file=data_files/server6.key" \ + "$P_CLI force_version=tls12 crt_file=$DATA_FILES_PATH/server6.crt \ + key_file=$DATA_FILES_PATH/server6.key" \ 0 \ -S "requested DN" run_test "Authentication: send CA list in CertificateRequest, client self signed" \ "$P_SRV force_version=tls12 debug_level=3 auth_mode=required cert_req_ca_list=0" \ - "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \ - key_file=data_files/server5.key" \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-selfsigned.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ 1 \ -S "requested DN" \ -s "x509_verify_cert() returned" \ @@ -6089,33 +6273,33 @@ run_test "Authentication: send CA list in CertificateRequest, client self sig requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT run_test "Authentication: send alt conf DN hints in CertificateRequest" \ "$P_SRV debug_level=3 auth_mode=optional cert_req_ca_list=2 \ - crt_file2=data_files/server1.crt \ - key_file2=data_files/server1.key" \ + crt_file2=$DATA_FILES_PATH/server1.crt \ + key_file2=$DATA_FILES_PATH/server1.key" \ "$P_CLI force_version=tls12 debug_level=3 auth_mode=optional \ - crt_file=data_files/server6.crt \ - key_file=data_files/server6.key" \ + crt_file=$DATA_FILES_PATH/server6.crt \ + key_file=$DATA_FILES_PATH/server6.key" \ 0 \ -c "DN hint: C=NL, O=PolarSSL, CN=PolarSSL Server 1" requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT run_test "Authentication: send alt conf DN hints in CertificateRequest (2)" \ "$P_SRV debug_level=3 auth_mode=optional cert_req_ca_list=2 \ - crt_file2=data_files/server2.crt \ - key_file2=data_files/server2.key" \ + crt_file2=$DATA_FILES_PATH/server2.crt \ + key_file2=$DATA_FILES_PATH/server2.key" \ "$P_CLI force_version=tls12 debug_level=3 auth_mode=optional \ - crt_file=data_files/server6.crt \ - key_file=data_files/server6.key" \ + crt_file=$DATA_FILES_PATH/server6.crt \ + key_file=$DATA_FILES_PATH/server6.key" \ 0 \ -c "DN hint: C=NL, O=PolarSSL, CN=localhost" requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT run_test "Authentication: send alt hs DN hints in CertificateRequest" \ "$P_SRV debug_level=3 auth_mode=optional cert_req_ca_list=3 \ - crt_file2=data_files/server1.crt \ - key_file2=data_files/server1.key" \ + crt_file2=$DATA_FILES_PATH/server1.crt \ + key_file2=$DATA_FILES_PATH/server1.key" \ "$P_CLI force_version=tls12 debug_level=3 auth_mode=optional \ - crt_file=data_files/server6.crt \ - key_file=data_files/server6.key" \ + crt_file=$DATA_FILES_PATH/server6.crt \ + key_file=$DATA_FILES_PATH/server6.key" \ 0 \ -c "DN hint: C=NL, O=PolarSSL, CN=PolarSSL Server 1" @@ -6124,9 +6308,9 @@ run_test "Authentication: send alt hs DN hints in CertificateRequest" \ requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: server badcert, client required" \ - "$P_SRV crt_file=data_files/server5-badsign.crt \ - key_file=data_files/server5.key" \ - "$P_CLI force_version=tls12 ca_callback=1 debug_level=3 auth_mode=required" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ + "$P_CLI ca_callback=1 debug_level=3 auth_mode=required" \ 1 \ -c "use CA callback for X.509 CRT verification" \ -c "x509_verify_cert() returned" \ @@ -6136,9 +6320,9 @@ run_test "Authentication, CA callback: server badcert, client required" \ requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: server badcert, client optional" \ - "$P_SRV crt_file=data_files/server5-badsign.crt \ - key_file=data_files/server5.key" \ - "$P_CLI force_version=tls12 ca_callback=1 debug_level=3 auth_mode=optional" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ + "$P_CLI ca_callback=1 debug_level=3 auth_mode=optional" \ 0 \ -c "use CA callback for X.509 CRT verification" \ -c "x509_verify_cert() returned" \ @@ -6146,6 +6330,18 @@ run_test "Authentication, CA callback: server badcert, client optional" \ -C "! mbedtls_ssl_handshake returned" \ -C "X509 - Certificate verification failed" +requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK +run_test "Authentication, CA callback: server badcert, client none" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ + "$P_CLI ca_callback=1 debug_level=3 auth_mode=none" \ + 0 \ + -C "use CA callback for X.509 CRT verification" \ + -C "x509_verify_cert() returned" \ + -C "! The certificate is not correctly signed by the trusted CA" \ + -C "! mbedtls_ssl_handshake returned" \ + -C "X509 - Certificate verification failed" + # The purpose of the next two tests is to test the client's behaviour when receiving a server # certificate with an unsupported elliptic curve. This should usually not happen because # the client informs the server about the supported curves - it does, though, in the @@ -6155,8 +6351,8 @@ run_test "Authentication, CA callback: server badcert, client optional" \ requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: server ECDH p256v1, client required, p256v1 unsupported" \ - "$P_SRV debug_level=1 key_file=data_files/server5.key \ - crt_file=data_files/server5.ku-ka.crt" \ + "$P_SRV debug_level=1 key_file=$DATA_FILES_PATH/server5.key \ + crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \ "$P_CLI force_version=tls12 ca_callback=1 debug_level=3 auth_mode=required groups=secp521r1" \ 1 \ -c "use CA callback for X.509 CRT verification" \ @@ -6166,8 +6362,8 @@ run_test "Authentication, CA callback: server ECDH p256v1, client required, p requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: server ECDH p256v1, client optional, p256v1 unsupported" \ - "$P_SRV debug_level=1 key_file=data_files/server5.key \ - crt_file=data_files/server5.ku-ka.crt" \ + "$P_SRV debug_level=1 key_file=$DATA_FILES_PATH/server5.key \ + crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \ "$P_CLI force_version=tls12 ca_callback=1 debug_level=3 auth_mode=optional groups=secp521r1" \ 1 \ -c "use CA callback for X.509 CRT verification" \ @@ -6177,10 +6373,10 @@ run_test "Authentication, CA callback: server ECDH p256v1, client optional, p requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -run_test "Authentication, CA callback: client SHA256, server required" \ +run_test "Authentication, CA callback: client SHA384, server required" \ "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \ - "$P_CLI debug_level=3 crt_file=data_files/server6.crt \ - key_file=data_files/server6.key \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server6.crt \ + key_file=$DATA_FILES_PATH/server6.key \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \ 0 \ -s "use CA callback for X.509 CRT verification" \ @@ -6189,10 +6385,10 @@ run_test "Authentication, CA callback: client SHA256, server required" \ requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -run_test "Authentication, CA callback: client SHA384, server required" \ +run_test "Authentication, CA callback: client SHA256, server required" \ "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \ - "$P_CLI debug_level=3 crt_file=data_files/server6.crt \ - key_file=data_files/server6.key \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server6.crt \ + key_file=$DATA_FILES_PATH/server6.key \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \ 0 \ -s "use CA callback for X.509 CRT verification" \ @@ -6201,9 +6397,9 @@ run_test "Authentication, CA callback: client SHA384, server required" \ requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: client badcert, server required" \ - "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 auth_mode=required" \ - "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \ - key_file=data_files/server5.key" \ + "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ 1 \ -s "use CA callback for X.509 CRT verification" \ -S "skip write certificate request" \ @@ -6216,7 +6412,6 @@ run_test "Authentication, CA callback: client badcert, server required" \ -s "! The certificate is not correctly signed by the trusted CA" \ -s "! mbedtls_ssl_handshake returned" \ -s "send alert level=2 message=48" \ - -c "! mbedtls_ssl_handshake returned" \ -s "X509 - Certificate verification failed" # We don't check that the client receives the alert because it might # detect that its write end of the connection is closed and abort @@ -6224,9 +6419,9 @@ run_test "Authentication, CA callback: client badcert, server required" \ requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: client cert not trusted, server required" \ - "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 auth_mode=required" \ - "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \ - key_file=data_files/server5.key" \ + "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-selfsigned.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ 1 \ -s "use CA callback for X.509 CRT verification" \ -S "skip write certificate request" \ @@ -6238,14 +6433,13 @@ run_test "Authentication, CA callback: client cert not trusted, server requir -s "x509_verify_cert() returned" \ -s "! The certificate is not correctly signed by the trusted CA" \ -s "! mbedtls_ssl_handshake returned" \ - -c "! mbedtls_ssl_handshake returned" \ -s "X509 - Certificate verification failed" requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: client badcert, server optional" \ - "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 auth_mode=optional" \ - "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \ - key_file=data_files/server5.key" \ + "$P_SRV ca_callback=1 debug_level=3 auth_mode=optional" \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ 0 \ -s "use CA callback for X.509 CRT verification" \ -S "skip write certificate request" \ @@ -6264,9 +6458,9 @@ requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: server max_int chain, client default" \ - "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \ - key_file=data_files/dir-maxpath/09.key" \ - "$P_CLI force_version=tls12 ca_callback=1 debug_level=3 server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \ + "$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c09.pem \ + key_file=$DATA_FILES_PATH/dir-maxpath/09.key" \ + "$P_CLI ca_callback=1 debug_level=3 server_name=CA09 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt" \ 0 \ -c "use CA callback for X.509 CRT verification" \ -C "X509 - A fatal error occurred" @@ -6275,9 +6469,9 @@ requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: server max_int+1 chain, client default" \ - "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \ - key_file=data_files/dir-maxpath/10.key" \ - "$P_CLI force_version=tls12 debug_level=3 ca_callback=1 server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \ + "$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \ + key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \ + "$P_CLI debug_level=3 ca_callback=1 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt" \ 1 \ -c "use CA callback for X.509 CRT verification" \ -c "X509 - A fatal error occurred" @@ -6286,9 +6480,9 @@ requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: server max_int+1 chain, client optional" \ - "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \ - key_file=data_files/dir-maxpath/10.key" \ - "$P_CLI force_version=tls12 ca_callback=1 server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \ + "$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \ + key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \ + "$P_CLI ca_callback=1 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt \ debug_level=3 auth_mode=optional" \ 1 \ -c "use CA callback for X.509 CRT verification" \ @@ -6298,9 +6492,9 @@ requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: client max_int+1 chain, server optional" \ - "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \ - "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \ - key_file=data_files/dir-maxpath/10.key" \ + "$P_SRV ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=optional" \ + "$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \ + key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \ 1 \ -s "use CA callback for X.509 CRT verification" \ -s "X509 - A fatal error occurred" @@ -6309,9 +6503,9 @@ requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: client max_int+1 chain, server required" \ - "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \ - "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \ - key_file=data_files/dir-maxpath/10.key" \ + "$P_SRV ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=required" \ + "$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \ + key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \ 1 \ -s "use CA callback for X.509 CRT verification" \ -s "X509 - A fatal error occurred" @@ -6320,9 +6514,9 @@ requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: client max_int chain, server required" \ - "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \ - "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \ - key_file=data_files/dir-maxpath/09.key" \ + "$P_SRV ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=required" \ + "$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c09.pem \ + key_file=$DATA_FILES_PATH/dir-maxpath/09.key" \ 0 \ -s "use CA callback for X.509 CRT verification" \ -S "X509 - A fatal error occurred" @@ -6331,10 +6525,10 @@ run_test "Authentication, CA callback: client max_int chain, server required" requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "Certificate hash: client TLS 1.2 -> SHA-2" \ - "$P_SRV force_version=tls12 crt_file=data_files/server5.crt \ - key_file=data_files/server5.key \ - crt_file2=data_files/server5-sha1.crt \ - key_file2=data_files/server5.key" \ + "$P_SRV force_version=tls12 crt_file=$DATA_FILES_PATH/server5.crt \ + key_file=$DATA_FILES_PATH/server5.key \ + crt_file2=$DATA_FILES_PATH/server5-sha1.crt \ + key_file2=$DATA_FILES_PATH/server5.key" \ "$P_CLI" \ 0 \ -c "signed using.*ECDSA with SHA256" \ @@ -6346,7 +6540,7 @@ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_key_exchange_with_cert_in_tls12_or_tls13_enabled run_test "SNI: no SNI callback" \ "$P_SRV debug_level=3 \ - crt_file=data_files/server5.crt key_file=data_files/server5.key" \ + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key" \ "$P_CLI server_name=localhost" \ 0 \ -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \ @@ -6356,8 +6550,8 @@ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_key_exchange_with_cert_in_tls12_or_tls13_enabled run_test "SNI: matching cert 1" \ "$P_SRV debug_level=3 \ - crt_file=data_files/server5.crt key_file=data_files/server5.key \ - sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \ + sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \ "$P_CLI server_name=localhost" \ 0 \ -s "parse ServerName extension" \ @@ -6368,8 +6562,8 @@ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_key_exchange_with_cert_in_tls12_or_tls13_enabled run_test "SNI: matching cert 2" \ "$P_SRV debug_level=3 \ - crt_file=data_files/server5.crt key_file=data_files/server5.key \ - sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \ + sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \ "$P_CLI server_name=polarssl.example" \ 0 \ -s "parse ServerName extension" \ @@ -6380,8 +6574,8 @@ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_key_exchange_with_cert_in_tls12_or_tls13_enabled run_test "SNI: no matching cert" \ "$P_SRV debug_level=3 \ - crt_file=data_files/server5.crt key_file=data_files/server5.key \ - sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \ + sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \ "$P_CLI server_name=nonesuch.example" \ 1 \ -s "parse ServerName extension" \ @@ -6393,8 +6587,8 @@ run_test "SNI: no matching cert" \ requires_key_exchange_with_cert_in_tls12_or_tls13_enabled run_test "SNI: client auth no override: optional" \ "$P_SRV debug_level=3 auth_mode=optional \ - crt_file=data_files/server5.crt key_file=data_files/server5.key \ - sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \ + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \ + sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-" \ "$P_CLI debug_level=3 server_name=localhost" \ 0 \ -S "skip write certificate request" \ @@ -6407,8 +6601,8 @@ run_test "SNI: client auth no override: optional" \ requires_key_exchange_with_cert_in_tls12_or_tls13_enabled run_test "SNI: client auth override: none -> optional" \ "$P_SRV debug_level=3 auth_mode=none \ - crt_file=data_files/server5.crt key_file=data_files/server5.key \ - sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \ + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \ + sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,optional" \ "$P_CLI debug_level=3 server_name=localhost" \ 0 \ -S "skip write certificate request" \ @@ -6421,8 +6615,8 @@ run_test "SNI: client auth override: none -> optional" \ requires_key_exchange_with_cert_in_tls12_or_tls13_enabled run_test "SNI: client auth override: optional -> none" \ "$P_SRV debug_level=3 auth_mode=optional \ - crt_file=data_files/server5.crt key_file=data_files/server5.key \ - sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \ + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \ + sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,none" \ "$P_CLI debug_level=3 server_name=localhost" \ 0 \ -s "skip write certificate request" \ @@ -6433,11 +6627,11 @@ run_test "SNI: client auth override: optional -> none" \ requires_key_exchange_with_cert_in_tls12_or_tls13_enabled run_test "SNI: CA no override" \ "$P_SRV debug_level=3 auth_mode=optional \ - crt_file=data_files/server5.crt key_file=data_files/server5.key \ - ca_file=data_files/test-ca.crt \ - sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \ + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \ + ca_file=$DATA_FILES_PATH/test-ca.crt \ + sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,required" \ "$P_CLI debug_level=3 server_name=localhost \ - crt_file=data_files/server6.crt key_file=data_files/server6.key" \ + crt_file=$DATA_FILES_PATH/server6.crt key_file=$DATA_FILES_PATH/server6.key" \ 1 \ -S "skip write certificate request" \ -C "skip parse certificate request" \ @@ -6452,11 +6646,11 @@ run_test "SNI: CA no override" \ requires_key_exchange_with_cert_in_tls12_or_tls13_enabled run_test "SNI: CA override" \ "$P_SRV debug_level=3 auth_mode=optional \ - crt_file=data_files/server5.crt key_file=data_files/server5.key \ - ca_file=data_files/test-ca.crt \ - sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \ + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \ + ca_file=$DATA_FILES_PATH/test-ca.crt \ + sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,$DATA_FILES_PATH/test-ca2.crt,-,required" \ "$P_CLI debug_level=3 server_name=localhost \ - crt_file=data_files/server6.crt key_file=data_files/server6.key" \ + crt_file=$DATA_FILES_PATH/server6.crt key_file=$DATA_FILES_PATH/server6.key" \ 0 \ -S "skip write certificate request" \ -C "skip parse certificate request" \ @@ -6471,11 +6665,11 @@ run_test "SNI: CA override" \ requires_key_exchange_with_cert_in_tls12_or_tls13_enabled run_test "SNI: CA override with CRL" \ "$P_SRV debug_level=3 auth_mode=optional \ - crt_file=data_files/server5.crt key_file=data_files/server5.key \ - ca_file=data_files/test-ca.crt \ - sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \ + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \ + ca_file=$DATA_FILES_PATH/test-ca.crt \ + sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,$DATA_FILES_PATH/test-ca2.crt,$DATA_FILES_PATH/crl-ec-sha256.pem,required" \ "$P_CLI debug_level=3 server_name=localhost \ - crt_file=data_files/server6.crt key_file=data_files/server6.key" \ + crt_file=$DATA_FILES_PATH/server6.crt key_file=$DATA_FILES_PATH/server6.key" \ 1 \ -S "skip write certificate request" \ -C "skip parse certificate request" \ @@ -6485,7 +6679,9 @@ run_test "SNI: CA override with CRL" \ -S "skip parse certificate verify" \ -s "x509_verify_cert() returned" \ -S "! The certificate is not correctly signed by the trusted CA" \ + -s "send alert level=2 message=44" \ -s "The certificate has been revoked (is on a CRL)" + # MBEDTLS_X509_BADCERT_REVOKED -> MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED # Tests for SNI and DTLS @@ -6493,7 +6689,7 @@ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "SNI: DTLS, no SNI callback" \ "$P_SRV debug_level=3 dtls=1 \ - crt_file=data_files/server5.crt key_file=data_files/server5.key" \ + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key" \ "$P_CLI server_name=localhost dtls=1" \ 0 \ -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \ @@ -6503,8 +6699,8 @@ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "SNI: DTLS, matching cert 1" \ "$P_SRV debug_level=3 dtls=1 \ - crt_file=data_files/server5.crt key_file=data_files/server5.key \ - sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \ + sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \ "$P_CLI server_name=localhost dtls=1" \ 0 \ -s "parse ServerName extension" \ @@ -6515,8 +6711,8 @@ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "SNI: DTLS, matching cert 2" \ "$P_SRV debug_level=3 dtls=1 \ - crt_file=data_files/server5.crt key_file=data_files/server5.key \ - sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \ + sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \ "$P_CLI server_name=polarssl.example dtls=1" \ 0 \ -s "parse ServerName extension" \ @@ -6526,8 +6722,8 @@ run_test "SNI: DTLS, matching cert 2" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "SNI: DTLS, no matching cert" \ "$P_SRV debug_level=3 dtls=1 \ - crt_file=data_files/server5.crt key_file=data_files/server5.key \ - sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \ + sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \ "$P_CLI server_name=nonesuch.example dtls=1" \ 1 \ -s "parse ServerName extension" \ @@ -6539,8 +6735,8 @@ run_test "SNI: DTLS, no matching cert" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "SNI: DTLS, client auth no override: optional" \ "$P_SRV debug_level=3 auth_mode=optional dtls=1 \ - crt_file=data_files/server5.crt key_file=data_files/server5.key \ - sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \ + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \ + sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-" \ "$P_CLI debug_level=3 server_name=localhost dtls=1" \ 0 \ -S "skip write certificate request" \ @@ -6553,8 +6749,8 @@ run_test "SNI: DTLS, client auth no override: optional" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "SNI: DTLS, client auth override: none -> optional" \ "$P_SRV debug_level=3 auth_mode=none dtls=1 \ - crt_file=data_files/server5.crt key_file=data_files/server5.key \ - sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \ + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \ + sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,optional" \ "$P_CLI debug_level=3 server_name=localhost dtls=1" \ 0 \ -S "skip write certificate request" \ @@ -6567,8 +6763,8 @@ run_test "SNI: DTLS, client auth override: none -> optional" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "SNI: DTLS, client auth override: optional -> none" \ "$P_SRV debug_level=3 auth_mode=optional dtls=1 \ - crt_file=data_files/server5.crt key_file=data_files/server5.key \ - sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \ + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \ + sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,none" \ "$P_CLI debug_level=3 server_name=localhost dtls=1" \ 0 \ -s "skip write certificate request" \ @@ -6581,11 +6777,11 @@ run_test "SNI: DTLS, client auth override: optional -> none" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "SNI: DTLS, CA no override" \ "$P_SRV debug_level=3 auth_mode=optional dtls=1 \ - crt_file=data_files/server5.crt key_file=data_files/server5.key \ - ca_file=data_files/test-ca.crt \ - sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \ + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \ + ca_file=$DATA_FILES_PATH/test-ca.crt \ + sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,required" \ "$P_CLI debug_level=3 server_name=localhost dtls=1 \ - crt_file=data_files/server6.crt key_file=data_files/server6.key" \ + crt_file=$DATA_FILES_PATH/server6.crt key_file=$DATA_FILES_PATH/server6.key" \ 1 \ -S "skip write certificate request" \ -C "skip parse certificate request" \ @@ -6600,11 +6796,11 @@ run_test "SNI: DTLS, CA no override" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "SNI: DTLS, CA override" \ "$P_SRV debug_level=3 auth_mode=optional dtls=1 \ - crt_file=data_files/server5.crt key_file=data_files/server5.key \ - ca_file=data_files/test-ca.crt \ - sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \ + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \ + ca_file=$DATA_FILES_PATH/test-ca.crt \ + sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,$DATA_FILES_PATH/test-ca2.crt,-,required" \ "$P_CLI debug_level=3 server_name=localhost dtls=1 \ - crt_file=data_files/server6.crt key_file=data_files/server6.key" \ + crt_file=$DATA_FILES_PATH/server6.crt key_file=$DATA_FILES_PATH/server6.key" \ 0 \ -S "skip write certificate request" \ -C "skip parse certificate request" \ @@ -6619,11 +6815,11 @@ run_test "SNI: DTLS, CA override" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "SNI: DTLS, CA override with CRL" \ "$P_SRV debug_level=3 auth_mode=optional \ - crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \ - ca_file=data_files/test-ca.crt \ - sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \ + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key dtls=1 \ + ca_file=$DATA_FILES_PATH/test-ca.crt \ + sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,$DATA_FILES_PATH/test-ca2.crt,$DATA_FILES_PATH/crl-ec-sha256.pem,required" \ "$P_CLI debug_level=3 server_name=localhost dtls=1 \ - crt_file=data_files/server6.crt key_file=data_files/server6.key" \ + crt_file=$DATA_FILES_PATH/server6.crt key_file=$DATA_FILES_PATH/server6.key" \ 1 \ -S "skip write certificate request" \ -C "skip parse certificate request" \ @@ -6633,7 +6829,9 @@ run_test "SNI: DTLS, CA override with CRL" \ -S "skip parse certificate verify" \ -s "x509_verify_cert() returned" \ -S "! The certificate is not correctly signed by the trusted CA" \ + -s "send alert level=2 message=44" \ -s "The certificate has been revoked (is on a CRL)" + # MBEDTLS_X509_BADCERT_REVOKED -> MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED # Tests for non-blocking I/O: exercise a variety of handshake flows @@ -6656,6 +6854,7 @@ run_test "Non-blocking I/O: client auth" \ -c "Read from server: .* bytes read" requires_key_exchange_with_cert_in_tls12_or_tls13_enabled +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Non-blocking I/O: ticket" \ "$P_SRV nbio=2 tickets=1 auth_mode=none" \ "$P_CLI nbio=2 tickets=1" \ @@ -6665,6 +6864,7 @@ run_test "Non-blocking I/O: ticket" \ -c "Read from server: .* bytes read" requires_key_exchange_with_cert_in_tls12_or_tls13_enabled +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Non-blocking I/O: ticket + client auth" \ "$P_SRV nbio=2 tickets=1 auth_mode=required" \ "$P_CLI nbio=2 tickets=1" \ @@ -6674,6 +6874,7 @@ run_test "Non-blocking I/O: ticket + client auth" \ -c "Read from server: .* bytes read" requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Non-blocking I/O: TLS 1.2 + ticket + client auth + resume" \ "$P_SRV nbio=2 tickets=1 auth_mode=required" \ "$P_CLI force_version=tls12 nbio=2 tickets=1 reconnect=1" \ @@ -6685,6 +6886,7 @@ run_test "Non-blocking I/O: TLS 1.2 + ticket + client auth + resume" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Non-blocking I/O: TLS 1.3 + ticket + client auth + resume" \ "$P_SRV nbio=2 tickets=1 auth_mode=required" \ "$P_CLI nbio=2 tickets=1 reconnect=1" \ @@ -6694,6 +6896,7 @@ run_test "Non-blocking I/O: TLS 1.3 + ticket + client auth + resume" \ -c "Read from server: .* bytes read" requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Non-blocking I/O: TLS 1.2 + ticket + resume" \ "$P_SRV nbio=2 tickets=1 auth_mode=none" \ "$P_CLI force_version=tls12 nbio=2 tickets=1 reconnect=1" \ @@ -6705,6 +6908,7 @@ run_test "Non-blocking I/O: TLS 1.2 + ticket + resume" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Non-blocking I/O: TLS 1.3 + ticket + resume" \ "$P_SRV nbio=2 tickets=1 auth_mode=none" \ "$P_CLI nbio=2 tickets=1 reconnect=1" \ @@ -6743,6 +6947,7 @@ run_test "Event-driven I/O: client auth" \ -c "Read from server: .* bytes read" requires_key_exchange_with_cert_in_tls12_or_tls13_enabled +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Event-driven I/O: ticket" \ "$P_SRV event=1 tickets=1 auth_mode=none" \ "$P_CLI event=1 tickets=1" \ @@ -6752,6 +6957,7 @@ run_test "Event-driven I/O: ticket" \ -c "Read from server: .* bytes read" requires_key_exchange_with_cert_in_tls12_or_tls13_enabled +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Event-driven I/O: ticket + client auth" \ "$P_SRV event=1 tickets=1 auth_mode=required" \ "$P_CLI event=1 tickets=1" \ @@ -6761,6 +6967,7 @@ run_test "Event-driven I/O: ticket + client auth" \ -c "Read from server: .* bytes read" requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Event-driven I/O: TLS 1.2 + ticket + client auth + resume" \ "$P_SRV event=1 tickets=1 auth_mode=required" \ "$P_CLI force_version=tls12 event=1 tickets=1 reconnect=1" \ @@ -6772,6 +6979,7 @@ run_test "Event-driven I/O: TLS 1.2 + ticket + client auth + resume" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Event-driven I/O: TLS 1.3 + ticket + client auth + resume" \ "$P_SRV event=1 tickets=1 auth_mode=required" \ "$P_CLI event=1 tickets=1 reconnect=1" \ @@ -6781,6 +6989,7 @@ run_test "Event-driven I/O: TLS 1.3 + ticket + client auth + resume" \ -c "Read from server: .* bytes read" requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Event-driven I/O: TLS 1.2 + ticket + resume" \ "$P_SRV event=1 tickets=1 auth_mode=none" \ "$P_CLI force_version=tls12 event=1 tickets=1 reconnect=1" \ @@ -6792,6 +7001,7 @@ run_test "Event-driven I/O: TLS 1.2 + ticket + resume" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Event-driven I/O: TLS 1.3 + ticket + resume" \ "$P_SRV event=1 tickets=1 auth_mode=none" \ "$P_CLI event=1 tickets=1 reconnect=1" \ @@ -6824,6 +7034,7 @@ run_test "Event-driven I/O, DTLS: client auth" \ -c "Read from server: .* bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Event-driven I/O, DTLS: ticket" \ "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \ "$P_CLI dtls=1 event=1 tickets=1" \ @@ -6831,6 +7042,7 @@ run_test "Event-driven I/O, DTLS: ticket" \ -c "Read from server: .* bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Event-driven I/O, DTLS: ticket + client auth" \ "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \ "$P_CLI dtls=1 event=1 tickets=1" \ @@ -6838,6 +7050,7 @@ run_test "Event-driven I/O, DTLS: ticket + client auth" \ -c "Read from server: .* bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Event-driven I/O, DTLS: ticket + client auth + resume" \ "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \ "$P_CLI dtls=1 event=1 tickets=1 reconnect=1 skip_close_notify=1" \ @@ -6845,6 +7058,7 @@ run_test "Event-driven I/O, DTLS: ticket + client auth + resume" \ -c "Read from server: .* bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Event-driven I/O, DTLS: ticket + resume" \ "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \ "$P_CLI dtls=1 event=1 tickets=1 reconnect=1 skip_close_notify=1" \ @@ -6871,12 +7085,23 @@ run_test "Event-driven I/O, DTLS: session-id resume, UDP packing" \ 0 \ -c "Read from server: .* bytes read" +# Tests for version negotiation. Some information to ease the understanding +# of the version negotiation test titles below: +# . 1.2/1.3 means that only TLS 1.2/TLS 1.3 is enabled. +# . 1.2+1.3 means that both TLS 1.2 and TLS 1.3 are enabled. +# . 1.2+(1.3)/(1.2)+1.3 means that TLS 1.2/1.3 is enabled and that +# TLS 1.3/1.2 may be enabled or not. +# . max=1.2 means that both TLS 1.2 and TLS 1.3 are enabled at build time but +# TLS 1.3 is disabled at runtime (maximum negotiable version is TLS 1.2). +# . min=1.3 means that both TLS 1.2 and TLS 1.3 are enabled at build time but +# TLS 1.2 is disabled at runtime (minimum negotiable version is TLS 1.3). + # Tests for version negotiation, MbedTLS client and server requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -run_test "Version negotiation check m->m: 1.2 / 1.2 -> 1.2" \ +run_test "Version nego m->m: cli 1.2, srv 1.2 -> 1.2" \ "$P_SRV" \ "$P_CLI" \ 0 \ @@ -6888,7 +7113,7 @@ run_test "Version negotiation check m->m: 1.2 / 1.2 -> 1.2" \ requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -run_test "Version negotiation check m->m: 1.2 (max=1.2) / 1.2 (max=1.2) -> 1.2" \ +run_test "Version nego m->m: cli max=1.2, srv max=1.2 -> 1.2" \ "$P_SRV max_version=tls12" \ "$P_CLI max_version=tls12" \ 0 \ @@ -6900,7 +7125,7 @@ run_test "Version negotiation check m->m: 1.2 (max=1.2) / 1.2 (max=1.2) -> 1. requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "Version negotiation check m->m: 1.3 / 1.3 -> 1.3" \ +run_test "Version nego m->m: cli 1.3, srv 1.3 -> 1.3" \ "$P_SRV" \ "$P_CLI" \ 0 \ @@ -6912,7 +7137,7 @@ run_test "Version negotiation check m->m: 1.3 / 1.3 -> 1.3" \ requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -run_test "Version negotiation check m->m: 1.3 (min=1.3) / 1.3 (min=1.3) -> 1.3" \ +run_test "Version nego m->m: cli min=1.3, srv min=1.3 -> 1.3" \ "$P_SRV min_version=tls13" \ "$P_CLI min_version=tls13" \ 0 \ @@ -6924,7 +7149,7 @@ run_test "Version negotiation check m->m: 1.3 (min=1.3) / 1.3 (min=1.3) -> 1. requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -run_test "Version negotiation check m->m: 1.2+1.3 / 1.2+1.3 -> 1.3" \ +run_test "Version nego m->m: cli 1.2+1.3, srv 1.2+1.3 -> 1.3" \ "$P_SRV" \ "$P_CLI" \ 0 \ @@ -6936,7 +7161,7 @@ run_test "Version negotiation check m->m: 1.2+1.3 / 1.2+1.3 -> 1.3" \ requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -run_test "Version negotiation check m->m: 1.2+1.3 / 1.3 (min=1.3) -> 1.3" \ +run_test "Version nego m->m: cli 1.2+1.3, srv min=1.3 -> 1.3" \ "$P_SRV min_version=tls13" \ "$P_CLI" \ 0 \ @@ -6948,7 +7173,7 @@ run_test "Version negotiation check m->m: 1.2+1.3 / 1.3 (min=1.3) -> 1.3" \ requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -run_test "Version negotiation check m->m: 1.2+1.3 / 1.2 (max=1.2) -> 1.2" \ +run_test "Version nego m->m: cli 1.2+1.3, srv max=1.2 -> 1.2" \ "$P_SRV max_version=tls12" \ "$P_CLI" \ 0 \ @@ -6960,7 +7185,7 @@ run_test "Version negotiation check m->m: 1.2+1.3 / 1.2 (max=1.2) -> 1.2" \ requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -run_test "Version negotiation check m->m: 1.2 (max=1.2) / 1.2+1.3 -> 1.2" \ +run_test "Version nego m->m: cli max=1.2, srv 1.2+1.3 -> 1.2" \ "$P_SRV" \ "$P_CLI max_version=tls12" \ 0 \ @@ -6972,7 +7197,7 @@ run_test "Version negotiation check m->m: 1.2 (max=1.2) / 1.2+1.3 -> 1.2" \ requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -run_test "Version negotiation check m->m: 1.3 (min=1.3) / 1.2+1.3 -> 1.3" \ +run_test "Version nego m->m: cli min=1.3, srv 1.2+1.3 -> 1.3" \ "$P_SRV" \ "$P_CLI min_version=tls13" \ 0 \ @@ -6983,7 +7208,7 @@ run_test "Version negotiation check m->m: 1.3 (min=1.3) / 1.2+1.3 -> 1.3" \ requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 -run_test "Not supported version check m->m: 1.2 (max=1.2) / 1.3 (min=1.3)" \ +run_test "Not supported version m->m: cli max=1.2, srv min=1.3" \ "$P_SRV min_version=tls13" \ "$P_CLI max_version=tls12" \ 1 \ @@ -6995,7 +7220,7 @@ run_test "Not supported version check m->m: 1.2 (max=1.2) / 1.3 (min=1.3)" \ requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 -run_test "Not supported version check m->m: 1.3 (min=1.3) / 1.2 (max=1.2)" \ +run_test "Not supported version m->m: cli min=1.3, srv max=1.2" \ "$P_SRV max_version=tls12" \ "$P_CLI min_version=tls13" \ 1 \ @@ -7009,7 +7234,7 @@ run_test "Not supported version check m->m: 1.3 (min=1.3) / 1.2 (max=1.2)" \ requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_2 requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -run_test "Server version nego check G->m: 1.2 / 1.2+(1.3) -> 1.2" \ +run_test "Server version nego G->m: cli 1.2, srv 1.2+(1.3) -> 1.2" \ "$P_SRV" \ "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \ 0 \ @@ -7019,7 +7244,7 @@ run_test "Server version nego check G->m: 1.2 / 1.2+(1.3) -> 1.2" \ requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -run_test "Server version nego check G->m: 1.2 / 1.2 (max=1.2) -> 1.2" \ +run_test "Server version nego G->m: cli 1.2, srv max=1.2 -> 1.2" \ "$P_SRV max_version=tls12" \ "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \ 0 \ @@ -7029,7 +7254,7 @@ run_test "Server version nego check G->m: 1.2 / 1.2 (max=1.2) -> 1.2" \ requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE -run_test "Server version nego check G->m: 1.3 / (1.2)+1.3 -> 1.3" \ +run_test "Server version nego G->m: cli 1.3, srv (1.2)+1.3 -> 1.3" \ "$P_SRV" \ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \ 0 \ @@ -7040,7 +7265,7 @@ requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE -run_test "Server version nego check G->m: 1.3 / 1.3 (min=1.3) -> 1.3" \ +run_test "Server version nego G->m: cli 1.3, srv min=1.3 -> 1.3" \ "$P_SRV min_version=tls13" \ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \ 0 \ @@ -7050,7 +7275,7 @@ run_test "Server version nego check G->m: 1.3 / 1.3 (min=1.3) -> 1.3" \ requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE -run_test "Server version nego check G->m: 1.2+1.3 / (1.2)+1.3 -> 1.3" \ +run_test "Server version nego G->m: cli 1.2+1.3, srv (1.2)+1.3 -> 1.3" \ "$P_SRV" \ "$G_NEXT_CLI localhost --priority=NORMAL" \ 0 \ @@ -7060,7 +7285,7 @@ run_test "Server version nego check G->m: 1.2+1.3 / (1.2)+1.3 -> 1.3" \ requires_gnutls_next_disable_tls13_compat requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -run_test "Server version nego check G->m (no compat): 1.2+1.3 / (1.2)+1.3 -> 1.3" \ +run_test "Server version nego G->m (no compat): cli 1.2+1.3, srv (1.2)+1.3 -> 1.3" \ "$P_SRV" \ "$G_NEXT_CLI localhost --priority=NORMAL:%DISABLE_TLS13_COMPAT_MODE" \ 0 \ @@ -7078,7 +7303,7 @@ run_test "Server version nego check G->m (no compat): 1.2+1.3 / (1.2)+1.3 -> requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE -run_test "Server version nego check G->m: [1.2]+1.3 / 1.2+1.3 -> 1.2" \ +run_test "Server version nego G->m: cli 1.2+1.3 (1.2 preferred!), srv 1.2+1.3 -> 1.2" \ "$P_SRV" \ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" \ 1 \ @@ -7088,7 +7313,7 @@ requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE -run_test "Server version nego check G->m: 1.2+1.3 / 1.3 (min=1.3) -> 1.3" \ +run_test "Server version nego G->m: cli 1.2+1.3, srv min=1.3 -> 1.3" \ "$P_SRV min_version=tls13" \ "$G_NEXT_CLI localhost --priority=NORMAL" \ 0 \ @@ -7098,7 +7323,7 @@ run_test "Server version nego check G->m: 1.2+1.3 / 1.3 (min=1.3) -> 1.3" \ requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -run_test "Server version nego check G->m: 1.2+1.3 / 1.2 -> 1.2" \ +run_test "Server version nego G->m: cli 1.2+1.3, srv 1.2 -> 1.2" \ "$P_SRV" \ "$G_NEXT_CLI localhost --priority=NORMAL" \ 0 \ @@ -7108,7 +7333,7 @@ run_test "Server version nego check G->m: 1.2+1.3 / 1.2 -> 1.2" \ requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -run_test "Server version nego check G->m: 1.2+1.3 / 1.2 (max=1.2) -> 1.2" \ +run_test "Server version nego G->m: cli 1.2+1.3, max=1.2 -> 1.2" \ "$P_SRV max_version=tls12" \ "$G_NEXT_CLI localhost --priority=NORMAL" \ 0 \ @@ -7116,7 +7341,7 @@ run_test "Server version nego check G->m: 1.2+1.3 / 1.2 (max=1.2) -> 1.2" \ -s "Protocol is TLSv1.2" requires_config_enabled MBEDTLS_SSL_SRV_C -run_test "Not supported version check G->m: 1.0 / (1.2)+(1.3)" \ +run_test "Not supported version G->m: cli 1.0, (1.2)+(1.3)" \ "$P_SRV" \ "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.0" \ 1 \ @@ -7124,7 +7349,7 @@ run_test "Not supported version check G->m: 1.0 / (1.2)+(1.3)" \ -S "Protocol is TLSv1.0" requires_config_enabled MBEDTLS_SSL_SRV_C -run_test "Not supported version check G->m: 1.1 / (1.2)+(1.3)" \ +run_test "Not supported version G->m: cli 1.1, (1.2)+(1.3)" \ "$P_SRV" \ "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.1" \ 1 \ @@ -7133,7 +7358,7 @@ run_test "Not supported version check G->m: 1.1 / (1.2)+(1.3)" \ requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "Not supported version check G->m: 1.2 / 1.3" \ +run_test "Not supported version G->m: cli 1.2, srv 1.3" \ "$P_SRV" \ "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \ 1 \ @@ -7142,7 +7367,7 @@ run_test "Not supported version check G->m: 1.2 / 1.3" \ requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 -run_test "Not supported version check G->m: 1.3 / 1.2" \ +run_test "Not supported version G->m: cli 1.3, srv 1.2" \ "$P_SRV" \ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \ 1 \ @@ -7152,7 +7377,7 @@ run_test "Not supported version check G->m: 1.3 / 1.2" \ requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 -run_test "Not supported version check G->m: 1.2 / 1.3 (min=1.3)" \ +run_test "Not supported version G->m: cli 1.2, srv min=1.3" \ "$P_SRV min_version=tls13" \ "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \ 1 \ @@ -7161,7 +7386,7 @@ run_test "Not supported version check G->m: 1.2 / 1.3 (min=1.3)" \ requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 -run_test "Not supported version check G->m: 1.3 / 1.2 (max=1.2)" \ +run_test "Not supported version G->m: cli 1.3, srv max=1.2" \ "$P_SRV max_version=tls12" \ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \ 1 \ @@ -7173,7 +7398,7 @@ run_test "Not supported version check G->m: 1.3 / 1.2 (max=1.2)" \ requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_2 requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -run_test "Server version nego check O->m: 1.2 / 1.2+(1.3) -> 1.2" \ +run_test "Server version nego O->m: cli 1.2, srv 1.2+(1.3) -> 1.2" \ "$P_SRV" \ "$O_NEXT_CLI -tls1_2" \ 0 \ @@ -7183,7 +7408,7 @@ run_test "Server version nego check O->m: 1.2 / 1.2+(1.3) -> 1.2" \ requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -run_test "Server version nego check O->m: 1.2 / 1.2 (max=1.2) -> 1.2" \ +run_test "Server version nego O->m: cli 1.2, srv max=1.2 -> 1.2" \ "$P_SRV max_version=tls12" \ "$O_NEXT_CLI -tls1_2" \ 0 \ @@ -7194,7 +7419,7 @@ requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE -run_test "Server version nego check O->m: 1.3 / (1.2)+1.3 -> 1.3" \ +run_test "Server version nego O->m: cli 1.3, srv (1.2)+1.3 -> 1.3" \ "$P_SRV" \ "$O_NEXT_CLI -tls1_3" \ 0 \ @@ -7206,7 +7431,7 @@ requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE -run_test "Server version nego check O->m: 1.3 / 1.3 (min=1.3) -> 1.3" \ +run_test "Server version nego O->m: cli 1.3, srv min=1.3 -> 1.3" \ "$P_SRV min_version=tls13" \ "$O_NEXT_CLI -tls1_3" \ 0 \ @@ -7217,7 +7442,7 @@ requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE -run_test "Server version nego check O->m: 1.2+1.3 / (1.2)+1.3 -> 1.3" \ +run_test "Server version nego O->m: cli 1.2+1.3, srv (1.2)+1.3 -> 1.3" \ "$P_SRV" \ "$O_NEXT_CLI" \ 0 \ @@ -7227,7 +7452,7 @@ run_test "Server version nego check O->m: 1.2+1.3 / (1.2)+1.3 -> 1.3" \ requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -run_test "Server version nego check O->m (no compat): 1.2+1.3 / (1.2)+1.3 -> 1.3" \ +run_test "Server version nego O->m (no compat): cli 1.2+1.3, srv (1.2)+1.3 -> 1.3" \ "$P_SRV" \ "$O_NEXT_CLI -no_middlebox" \ 0 \ @@ -7239,7 +7464,7 @@ requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE -run_test "Server version nego check O->m: 1.2+1.3 / 1.3 (min=1.3) -> 1.3" \ +run_test "Server version nego O->m: cli 1.2+1.3, srv min=1.3 -> 1.3" \ "$P_SRV min_version=tls13" \ "$O_NEXT_CLI" \ 0 \ @@ -7249,7 +7474,7 @@ run_test "Server version nego check O->m: 1.2+1.3 / 1.3 (min=1.3) -> 1.3" \ requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -run_test "Server version nego check O->m: 1.2+1.3 / 1.2 -> 1.2" \ +run_test "Server version nego O->m: cli 1.2+1.3, srv 1.2 -> 1.2" \ "$P_SRV" \ "$O_NEXT_CLI" \ 0 \ @@ -7259,7 +7484,7 @@ run_test "Server version nego check O->m: 1.2+1.3 / 1.2 -> 1.2" \ requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -run_test "Server version nego check O->m: 1.2+1.3 / 1.2 (max=1.2) -> 1.2" \ +run_test "Server version nego O->m: cli 1.2+1.3, srv max=1.2 -> 1.2" \ "$P_SRV max_version=tls12" \ "$O_NEXT_CLI" \ 0 \ @@ -7267,7 +7492,7 @@ run_test "Server version nego check O->m: 1.2+1.3 / 1.2 (max=1.2) -> 1.2" \ -s "Protocol is TLSv1.2" requires_config_enabled MBEDTLS_SSL_SRV_C -run_test "Not supported version check O->m: 1.0 / (1.2)+(1.3)" \ +run_test "Not supported version O->m: cli 1.0, srv (1.2)+(1.3)" \ "$P_SRV" \ "$O_CLI -tls1" \ 1 \ @@ -7275,7 +7500,7 @@ run_test "Not supported version check O->m: 1.0 / (1.2)+(1.3)" \ -S "Protocol is TLSv1.0" requires_config_enabled MBEDTLS_SSL_SRV_C -run_test "Not supported version check O->m: 1.1 / (1.2)+(1.3)" \ +run_test "Not supported version O->m: cli 1.1, srv (1.2)+(1.3)" \ "$P_SRV" \ "$O_CLI -tls1_1" \ 1 \ @@ -7284,7 +7509,7 @@ run_test "Not supported version check O->m: 1.1 / (1.2)+(1.3)" \ requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "Not supported version check O->m: 1.2 / 1.3" \ +run_test "Not supported version O->m: cli 1.2, srv 1.3" \ "$P_SRV" \ "$O_NEXT_CLI -tls1_2" \ 1 \ @@ -7293,7 +7518,7 @@ run_test "Not supported version check O->m: 1.2 / 1.3" \ requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3 -run_test "Not supported version check O->m: 1.3 / 1.2" \ +run_test "Not supported version O->m: cli 1.3, srv 1.2" \ "$P_SRV" \ "$O_NEXT_CLI -tls1_3" \ 1 \ @@ -7303,7 +7528,7 @@ run_test "Not supported version check O->m: 1.3 / 1.2" \ requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 -run_test "Not supported version check O->m: 1.2 / 1.3 (min=1.3)" \ +run_test "Not supported version O->m: cli 1.2, srv min=1.3" \ "$P_SRV min_version=tls13" \ "$O_NEXT_CLI -tls1_2" \ 1 \ @@ -7312,7 +7537,7 @@ run_test "Not supported version check O->m: 1.2 / 1.3 (min=1.3)" \ requires_all_configs_enabled MBEDTLS_SSL_SRV_C \ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 -run_test "Not supported version check O->m: 1.3 / 1.2 (max=1.2)" \ +run_test "Not supported version O->m: cli 1.3, srv max=1.2" \ "$P_SRV max_version=tls12" \ "$O_NEXT_CLI -tls1_3" \ 1 \ @@ -7323,7 +7548,7 @@ run_test "Not supported version check O->m: 1.3 / 1.2 (max=1.2)" \ # Tests of version negotiation on client side against GnuTLS and OpenSSL server requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "Not supported version check: srv max TLS 1.0" \ +run_test "Not supported version: srv max TLS 1.0" \ "$G_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" \ "$P_CLI" \ 1 \ @@ -7333,7 +7558,7 @@ run_test "Not supported version check: srv max TLS 1.0" \ -C "Protocol is TLSv1.0" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "Not supported version check: srv max TLS 1.1" \ +run_test "Not supported version: srv max TLS 1.1" \ "$G_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1" \ "$P_CLI" \ 1 \ @@ -7347,7 +7572,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C skip_handshake_stage_check requires_gnutls_tls1_3 -run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.0" \ +run_test "TLS 1.3: Not supported version:gnutls: srv max TLS 1.0" \ "$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0 -d 4" \ "$P_CLI debug_level=4" \ 1 \ @@ -7360,7 +7585,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C skip_handshake_stage_check requires_gnutls_tls1_3 -run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.1" \ +run_test "TLS 1.3: Not supported version:gnutls: srv max TLS 1.1" \ "$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1 -d 4" \ "$P_CLI debug_level=4" \ 1 \ @@ -7373,7 +7598,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C skip_handshake_stage_check requires_gnutls_tls1_3 -run_test "TLS 1.3: Not supported version check:gnutls: srv max TLS 1.2" \ +run_test "TLS 1.3: Not supported version:gnutls: srv max TLS 1.2" \ "$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 -d 4" \ "$P_CLI force_version=tls13 debug_level=4" \ 1 \ @@ -7387,7 +7612,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C skip_handshake_stage_check requires_openssl_next -run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.0" \ +run_test "TLS 1.3: Not supported version:openssl: srv max TLS 1.0" \ "$O_NEXT_SRV -msg -tls1" \ "$P_CLI debug_level=4" \ 1 \ @@ -7401,7 +7626,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C skip_handshake_stage_check requires_openssl_next -run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.1" \ +run_test "TLS 1.3: Not supported version:openssl: srv max TLS 1.1" \ "$O_NEXT_SRV -msg -tls1_1" \ "$P_CLI debug_level=4" \ 1 \ @@ -7415,7 +7640,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C skip_handshake_stage_check requires_openssl_next -run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.2" \ +run_test "TLS 1.3: Not supported version:openssl: srv max TLS 1.2" \ "$O_NEXT_SRV -msg -tls1_2" \ "$P_CLI force_version=tls13 debug_level=4" \ 1 \ @@ -7520,57 +7745,65 @@ run_test "ALPN: both, no common" \ # Tests for keyUsage in leaf certificates, part 1: # server-side certificate/suite selection +# +# This is only about 1.2 (for 1.3, all key exchanges use signatures). +# In 4.0 this will probably go away as all TLS 1.2 key exchanges will use +# signatures too, following the removal of RSA #8170 and static ECDH #9201. -run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \ - "$P_SRV force_version=tls12 key_file=data_files/server2.key \ - crt_file=data_files/server2.ku-ds.crt" \ +run_test "keyUsage srv 1.2: RSA, digitalSignature -> (EC)DHE-RSA" \ + "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server2.key \ + crt_file=$DATA_FILES_PATH/server2.ku-ds.crt" \ "$P_CLI" \ 0 \ -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-" -run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \ - "$P_SRV force_version=tls12 key_file=data_files/server2.key \ - crt_file=data_files/server2.ku-ke.crt" \ +run_test "keyUsage srv 1.2: RSA, keyEncipherment -> RSA" \ + "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server2.key \ + crt_file=$DATA_FILES_PATH/server2.ku-ke.crt" \ "$P_CLI" \ 0 \ -c "Ciphersuite is TLS-RSA-WITH-" -run_test "keyUsage srv: RSA, keyAgreement -> fail" \ - "$P_SRV force_version=tls12 key_file=data_files/server2.key \ - crt_file=data_files/server2.ku-ka.crt" \ +run_test "keyUsage srv 1.2: RSA, keyAgreement -> fail" \ + "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server2.key \ + crt_file=$DATA_FILES_PATH/server2.ku-ka.crt" \ "$P_CLI" \ 1 \ -C "Ciphersuite is " requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \ - "$P_SRV force_version=tls12 key_file=data_files/server5.key \ - crt_file=data_files/server5.ku-ds.crt" \ +run_test "keyUsage srv 1.2: ECC, digitalSignature -> ECDHE-ECDSA" \ + "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server5.key \ + crt_file=$DATA_FILES_PATH/server5.ku-ds.crt" \ "$P_CLI" \ 0 \ -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-" -run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \ - "$P_SRV force_version=tls12 key_file=data_files/server5.key \ - crt_file=data_files/server5.ku-ka.crt" \ +run_test "keyUsage srv 1.2: ECC, keyAgreement -> ECDH-" \ + "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server5.key \ + crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \ "$P_CLI" \ 0 \ -c "Ciphersuite is TLS-ECDH-" -run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \ - "$P_SRV force_version=tls12 key_file=data_files/server5.key \ - crt_file=data_files/server5.ku-ke.crt" \ +run_test "keyUsage srv 1.2: ECC, keyEncipherment -> fail" \ + "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server5.key \ + crt_file=$DATA_FILES_PATH/server5.ku-ke.crt" \ "$P_CLI" \ 1 \ -C "Ciphersuite is " # Tests for keyUsage in leaf certificates, part 2: # client-side checking of server cert +# +# TLS 1.3 uses only signature, but for 1.2 it depends on the key exchange. +# In 4.0 this will probably change as all TLS 1.2 key exchanges will use +# signatures too, following the removal of RSA #8170 and static ECDH #9201. -run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \ - "$O_SRV -tls1_2 -key data_files/server2.key \ - -cert data_files/server2.ku-ds_ke.crt" \ +run_test "keyUsage cli 1.2: DigitalSignature+KeyEncipherment, RSA: OK" \ + "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \ + -cert $DATA_FILES_PATH/server2.ku-ds_ke.crt" \ "$P_CLI debug_level=1 \ force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ 0 \ @@ -7578,9 +7811,9 @@ run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \ -C "Processing of the Certificate handshake message failed" \ -c "Ciphersuite is TLS-" -run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \ - "$O_SRV -tls1_2 -key data_files/server2.key \ - -cert data_files/server2.ku-ds_ke.crt" \ +run_test "keyUsage cli 1.2: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \ + "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \ + -cert $DATA_FILES_PATH/server2.ku-ds_ke.crt" \ "$P_CLI debug_level=1 \ force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \ 0 \ @@ -7588,9 +7821,9 @@ run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \ -C "Processing of the Certificate handshake message failed" \ -c "Ciphersuite is TLS-" -run_test "keyUsage cli: KeyEncipherment, RSA: OK" \ - "$O_SRV -tls1_2 -key data_files/server2.key \ - -cert data_files/server2.ku-ke.crt" \ +run_test "keyUsage cli 1.2: KeyEncipherment, RSA: OK" \ + "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \ + -cert $DATA_FILES_PATH/server2.ku-ke.crt" \ "$P_CLI debug_level=1 \ force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ 0 \ @@ -7598,30 +7831,34 @@ run_test "keyUsage cli: KeyEncipherment, RSA: OK" \ -C "Processing of the Certificate handshake message failed" \ -c "Ciphersuite is TLS-" -run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \ - "$O_SRV -tls1_2 -key data_files/server2.key \ - -cert data_files/server2.ku-ke.crt" \ - "$P_CLI debug_level=1 \ +run_test "keyUsage cli 1.2: KeyEncipherment, DHE-RSA: fail (hard)" \ + "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \ + -cert $DATA_FILES_PATH/server2.ku-ke.crt" \ + "$P_CLI debug_level=3 \ force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \ 1 \ -c "bad certificate (usage extensions)" \ -c "Processing of the Certificate handshake message failed" \ - -C "Ciphersuite is TLS-" + -C "Ciphersuite is TLS-" \ + -c "send alert level=2 message=43" \ + -c "! Usage does not match the keyUsage extension" + # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT -run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \ - "$O_SRV -tls1_2 -key data_files/server2.key \ - -cert data_files/server2.ku-ke.crt" \ - "$P_CLI debug_level=1 auth_mode=optional \ +run_test "keyUsage cli 1.2: KeyEncipherment, DHE-RSA: fail (soft)" \ + "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \ + -cert $DATA_FILES_PATH/server2.ku-ke.crt" \ + "$P_CLI debug_level=3 auth_mode=optional \ force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \ 0 \ -c "bad certificate (usage extensions)" \ -C "Processing of the Certificate handshake message failed" \ -c "Ciphersuite is TLS-" \ + -C "send alert level=2 message=43" \ -c "! Usage does not match the keyUsage extension" -run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \ - "$O_SRV -tls1_2 -key data_files/server2.key \ - -cert data_files/server2.ku-ds.crt" \ +run_test "keyUsage cli 1.2: DigitalSignature, DHE-RSA: OK" \ + "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \ + -cert $DATA_FILES_PATH/server2.ku-ds.crt" \ "$P_CLI debug_level=1 \ force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \ 0 \ @@ -7629,33 +7866,49 @@ run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \ -C "Processing of the Certificate handshake message failed" \ -c "Ciphersuite is TLS-" -run_test "keyUsage cli: DigitalSignature, RSA: fail" \ - "$O_SRV -tls1_2 -key data_files/server2.key \ - -cert data_files/server2.ku-ds.crt" \ - "$P_CLI debug_level=1 \ +run_test "keyUsage cli 1.2: DigitalSignature, RSA: fail (hard)" \ + "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \ + -cert $DATA_FILES_PATH/server2.ku-ds.crt" \ + "$P_CLI debug_level=3 \ force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ 1 \ -c "bad certificate (usage extensions)" \ -c "Processing of the Certificate handshake message failed" \ - -C "Ciphersuite is TLS-" + -C "Ciphersuite is TLS-" \ + -c "send alert level=2 message=43" \ + -c "! Usage does not match the keyUsage extension" + # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT -run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \ - "$O_SRV -tls1_2 -key data_files/server2.key \ - -cert data_files/server2.ku-ds.crt" \ - "$P_CLI debug_level=1 auth_mode=optional \ +run_test "keyUsage cli 1.2: DigitalSignature, RSA: fail (soft)" \ + "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \ + -cert $DATA_FILES_PATH/server2.ku-ds.crt" \ + "$P_CLI debug_level=3 auth_mode=optional \ force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ 0 \ -c "bad certificate (usage extensions)" \ -C "Processing of the Certificate handshake message failed" \ -c "Ciphersuite is TLS-" \ + -C "send alert level=2 message=43" \ -c "! Usage does not match the keyUsage extension" +requires_openssl_tls1_3_with_compatible_ephemeral +requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "keyUsage cli 1.3: DigitalSignature, RSA: OK" \ + "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server2.key \ + -cert $DATA_FILES_PATH/server2-sha256.ku-ds.crt" \ + "$P_CLI debug_level=3" \ + 0 \ + -C "bad certificate (usage extensions)" \ + -C "Processing of the Certificate handshake message failed" \ + -c "Ciphersuite is" + requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "keyUsage cli 1.3: DigitalSignature+KeyEncipherment, RSA: OK" \ - "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server2.key \ - -cert data_files/server2.ku-ds_ke.crt" \ + "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server2.key \ + -cert $DATA_FILES_PATH/server2-sha256.ku-ds_ke.crt" \ "$P_CLI debug_level=3" \ 0 \ -C "bad certificate (usage extensions)" \ @@ -7665,33 +7918,39 @@ run_test "keyUsage cli 1.3: DigitalSignature+KeyEncipherment, RSA: OK" \ requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -run_test "keyUsage cli 1.3: KeyEncipherment, RSA: fail" \ - "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server2.key \ - -cert data_files/server2.ku-ke.crt" \ - "$P_CLI debug_level=1" \ +run_test "keyUsage cli 1.3: KeyEncipherment, RSA: fail (hard)" \ + "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server2.key \ + -cert $DATA_FILES_PATH/server2-sha256.ku-ke.crt" \ + "$P_CLI debug_level=3" \ 1 \ -c "bad certificate (usage extensions)" \ -c "Processing of the Certificate handshake message failed" \ - -C "Ciphersuite is" + -C "Ciphersuite is" \ + -c "send alert level=2 message=43" \ + -c "! Usage does not match the keyUsage extension" + # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -run_test "keyUsage cli 1.3: KeyAgreement, RSA: fail" \ - "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server2.key \ - -cert data_files/server2.ku-ka.crt" \ - "$P_CLI debug_level=1" \ +run_test "keyUsage cli 1.3: KeyAgreement, RSA: fail (hard)" \ + "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server2.key \ + -cert $DATA_FILES_PATH/server2-sha256.ku-ka.crt" \ + "$P_CLI debug_level=3" \ 1 \ -c "bad certificate (usage extensions)" \ -c "Processing of the Certificate handshake message failed" \ - -C "Ciphersuite is" + -C "Ciphersuite is" \ + -c "send alert level=2 message=43" \ + -c "! Usage does not match the keyUsage extension" + # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "keyUsage cli 1.3: DigitalSignature, ECDSA: OK" \ - "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \ - -cert data_files/server5.ku-ds.crt" \ + "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.ku-ds.crt" \ "$P_CLI debug_level=3" \ 0 \ -C "bad certificate (usage extensions)" \ @@ -7701,84 +7960,133 @@ run_test "keyUsage cli 1.3: DigitalSignature, ECDSA: OK" \ requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -run_test "keyUsage cli 1.3: KeyEncipherment, ECDSA: fail" \ - "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \ - -cert data_files/server5.ku-ke.crt" \ - "$P_CLI debug_level=1" \ +run_test "keyUsage cli 1.3: KeyEncipherment, ECDSA: fail (hard)" \ + "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.ku-ke.crt" \ + "$P_CLI debug_level=3" \ 1 \ -c "bad certificate (usage extensions)" \ -c "Processing of the Certificate handshake message failed" \ - -C "Ciphersuite is" + -C "Ciphersuite is" \ + -c "send alert level=2 message=43" \ + -c "! Usage does not match the keyUsage extension" + # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -run_test "keyUsage cli 1.3: KeyAgreement, ECDSA: fail" \ - "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \ - -cert data_files/server5.ku-ka.crt" \ - "$P_CLI debug_level=1" \ +run_test "keyUsage cli 1.3: KeyAgreement, ECDSA: fail (hard)" \ + "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.ku-ka.crt" \ + "$P_CLI debug_level=3" \ 1 \ -c "bad certificate (usage extensions)" \ -c "Processing of the Certificate handshake message failed" \ - -C "Ciphersuite is" + -C "Ciphersuite is" \ + -c "send alert level=2 message=43" \ + -c "! Usage does not match the keyUsage extension" + # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT # Tests for keyUsage in leaf certificates, part 3: # server-side checking of client cert +# +# Here, both 1.2 and 1.3 only use signatures. requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \ +run_test "keyUsage cli-auth 1.2: RSA, DigitalSignature: OK" \ "$P_SRV debug_level=1 auth_mode=optional" \ - "$O_CLI -key data_files/server2.key \ - -cert data_files/server2.ku-ds.crt" \ + "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server2.key \ + -cert $DATA_FILES_PATH/server2.ku-ds.crt" \ 0 \ -s "Verifying peer X.509 certificate... ok" \ -S "bad certificate (usage extensions)" \ -S "Processing of the Certificate handshake message failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \ +run_test "keyUsage cli-auth 1.2: RSA, DigitalSignature+KeyEncipherment: OK" \ "$P_SRV debug_level=1 auth_mode=optional" \ - "$O_CLI -key data_files/server2.key \ - -cert data_files/server2.ku-ke.crt" \ + "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server2.key \ + -cert $DATA_FILES_PATH/server2.ku-ds_ke.crt" \ 0 \ - -s "bad certificate (usage extensions)" \ + -s "Verifying peer X.509 certificate... ok" \ + -S "bad certificate (usage extensions)" \ -S "Processing of the Certificate handshake message failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \ - "$P_SRV debug_level=1 auth_mode=required" \ - "$O_CLI -key data_files/server2.key \ - -cert data_files/server2.ku-ke.crt" \ +run_test "keyUsage cli-auth 1.2: RSA, KeyEncipherment: fail (soft)" \ + "$P_SRV debug_level=3 auth_mode=optional" \ + "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server2.key \ + -cert $DATA_FILES_PATH/server2.ku-ke.crt" \ + 0 \ + -s "bad certificate (usage extensions)" \ + -S "send alert level=2 message=43" \ + -s "! Usage does not match the keyUsage extension" \ + -S "Processing of the Certificate handshake message failed" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +run_test "keyUsage cli-auth 1.2: RSA, KeyEncipherment: fail (hard)" \ + "$P_SRV debug_level=3 force_version=tls12 auth_mode=required" \ + "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server2.key \ + -cert $DATA_FILES_PATH/server2.ku-ke.crt" \ 1 \ -s "bad certificate (usage extensions)" \ + -s "send alert level=2 message=43" \ + -s "! Usage does not match the keyUsage extension" \ -s "Processing of the Certificate handshake message failed" + # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \ +run_test "keyUsage cli-auth 1.2: ECDSA, DigitalSignature: OK" \ "$P_SRV debug_level=1 auth_mode=optional" \ - "$O_CLI -key data_files/server5.key \ - -cert data_files/server5.ku-ds.crt" \ + "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.ku-ds.crt" \ 0 \ -s "Verifying peer X.509 certificate... ok" \ -S "bad certificate (usage extensions)" \ -S "Processing of the Certificate handshake message failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \ - "$P_SRV debug_level=1 auth_mode=optional" \ - "$O_CLI -key data_files/server5.key \ - -cert data_files/server5.ku-ka.crt" \ +run_test "keyUsage cli-auth 1.2: ECDSA, KeyAgreement: fail (soft)" \ + "$P_SRV debug_level=3 auth_mode=optional" \ + "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.ku-ka.crt" \ 0 \ -s "bad certificate (usage extensions)" \ + -S "send alert level=2 message=43" \ + -s "! Usage does not match the keyUsage extension" \ -S "Processing of the Certificate handshake message failed" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +run_test "keyUsage cli-auth 1.2: ECDSA, KeyAgreement: fail (hard)" \ + "$P_SRV debug_level=3 auth_mode=required" \ + "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.ku-ka.crt" \ + 1 \ + -s "bad certificate (usage extensions)" \ + -s "send alert level=2 message=43" \ + -s "! Usage does not match the keyUsage extension" \ + -s "Processing of the Certificate handshake message failed" + # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT + requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "keyUsage cli-auth 1.3: RSA, DigitalSignature: OK" \ "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \ - "$O_NEXT_CLI_NO_CERT -key data_files/server2.key \ - -cert data_files/server2.ku-ds.crt" \ + "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server2.key \ + -cert $DATA_FILES_PATH/server2-sha256.ku-ds.crt" \ + 0 \ + -s "Verifying peer X.509 certificate... ok" \ + -S "bad certificate (usage extensions)" \ + -S "Processing of the Certificate handshake message failed" + +requires_openssl_tls1_3_with_compatible_ephemeral +requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "keyUsage cli-auth 1.3: RSA, DigitalSignature+KeyEncipherment: OK" \ + "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \ + "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server2.key \ + -cert $DATA_FILES_PATH/server2-sha256.ku-ds_ke.crt" \ 0 \ -s "Verifying peer X.509 certificate... ok" \ -S "bad certificate (usage extensions)" \ @@ -7788,20 +8096,37 @@ requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "keyUsage cli-auth 1.3: RSA, KeyEncipherment: fail (soft)" \ - "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \ - "$O_NEXT_CLI_NO_CERT -key data_files/server2.key \ - -cert data_files/server2.ku-ke.crt" \ + "$P_SRV debug_level=3 force_version=tls13 auth_mode=optional" \ + "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server2.key \ + -cert $DATA_FILES_PATH/server2-sha256.ku-ke.crt" \ 0 \ -s "bad certificate (usage extensions)" \ + -S "send alert level=2 message=43" \ + -s "! Usage does not match the keyUsage extension" \ -S "Processing of the Certificate handshake message failed" +requires_openssl_tls1_3_with_compatible_ephemeral +requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "keyUsage cli-auth 1.3: RSA, KeyEncipherment: fail (hard)" \ + "$P_SRV debug_level=3 force_version=tls13 auth_mode=required" \ + "$P_CLI key_file=$DATA_FILES_PATH/server2.key \ + crt_file=$DATA_FILES_PATH/server2-sha256.ku-ke.crt" \ + 1 \ + -s "bad certificate (usage extensions)" \ + -s "Processing of the Certificate handshake message failed" \ + -s "send alert level=2 message=43" \ + -s "! Usage does not match the keyUsage extension" \ + -s "! mbedtls_ssl_handshake returned" + # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT + requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "keyUsage cli-auth 1.3: ECDSA, DigitalSignature: OK" \ "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \ - "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \ - -cert data_files/server5.ku-ds.crt" \ + "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.ku-ds.crt" \ 0 \ -s "Verifying peer X.509 certificate... ok" \ -S "bad certificate (usage extensions)" \ @@ -7811,49 +8136,65 @@ requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "keyUsage cli-auth 1.3: ECDSA, KeyAgreement: fail (soft)" \ - "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \ - "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \ - -cert data_files/server5.ku-ka.crt" \ + "$P_SRV debug_level=3 force_version=tls13 auth_mode=optional" \ + "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.ku-ka.crt" \ 0 \ -s "bad certificate (usage extensions)" \ + -s "! Usage does not match the keyUsage extension" \ -S "Processing of the Certificate handshake message failed" +requires_openssl_tls1_3_with_compatible_ephemeral +requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "keyUsage cli-auth 1.3: ECDSA, KeyAgreement: fail (hard)" \ + "$P_SRV debug_level=3 force_version=tls13 auth_mode=required" \ + "$P_CLI key_file=$DATA_FILES_PATH/server5.key \ + crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \ + 1 \ + -s "bad certificate (usage extensions)" \ + -s "Processing of the Certificate handshake message failed" \ + -s "send alert level=2 message=43" \ + -s "! Usage does not match the keyUsage extension" \ + -s "! mbedtls_ssl_handshake returned" + # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT + # Tests for extendedKeyUsage, part 1: server-side certificate/suite selection requires_key_exchange_with_cert_in_tls12_or_tls13_enabled run_test "extKeyUsage srv: serverAuth -> OK" \ - "$P_SRV key_file=data_files/server5.key \ - crt_file=data_files/server5.eku-srv.crt" \ + "$P_SRV key_file=$DATA_FILES_PATH/server5.key \ + crt_file=$DATA_FILES_PATH/server5.eku-srv.crt" \ "$P_CLI" \ 0 requires_key_exchange_with_cert_in_tls12_or_tls13_enabled run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \ - "$P_SRV key_file=data_files/server5.key \ - crt_file=data_files/server5.eku-srv.crt" \ + "$P_SRV key_file=$DATA_FILES_PATH/server5.key \ + crt_file=$DATA_FILES_PATH/server5.eku-srv.crt" \ "$P_CLI" \ 0 requires_key_exchange_with_cert_in_tls12_or_tls13_enabled run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \ - "$P_SRV key_file=data_files/server5.key \ - crt_file=data_files/server5.eku-cs_any.crt" \ + "$P_SRV key_file=$DATA_FILES_PATH/server5.key \ + crt_file=$DATA_FILES_PATH/server5.eku-cs_any.crt" \ "$P_CLI" \ 0 requires_key_exchange_with_cert_in_tls12_or_tls13_enabled run_test "extKeyUsage srv: codeSign -> fail" \ - "$P_SRV key_file=data_files/server5.key \ - crt_file=data_files/server5.eku-cli.crt" \ + "$P_SRV key_file=$DATA_FILES_PATH/server5.key \ + crt_file=$DATA_FILES_PATH/server5.eku-cli.crt" \ "$P_CLI" \ 1 # Tests for extendedKeyUsage, part 2: client-side checking of server cert requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "extKeyUsage cli: serverAuth -> OK" \ - "$O_SRV -tls1_2 -key data_files/server5.key \ - -cert data_files/server5.eku-srv.crt" \ +run_test "extKeyUsage cli 1.2: serverAuth -> OK" \ + "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.eku-srv.crt" \ "$P_CLI debug_level=1" \ 0 \ -C "bad certificate (usage extensions)" \ @@ -7861,9 +8202,9 @@ run_test "extKeyUsage cli: serverAuth -> OK" \ -c "Ciphersuite is TLS-" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \ - "$O_SRV -tls1_2 -key data_files/server5.key \ - -cert data_files/server5.eku-srv_cli.crt" \ +run_test "extKeyUsage cli 1.2: serverAuth,clientAuth -> OK" \ + "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.eku-srv_cli.crt" \ "$P_CLI debug_level=1" \ 0 \ -C "bad certificate (usage extensions)" \ @@ -7871,9 +8212,9 @@ run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \ -c "Ciphersuite is TLS-" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \ - "$O_SRV -tls1_2 -key data_files/server5.key \ - -cert data_files/server5.eku-cs_any.crt" \ +run_test "extKeyUsage cli 1.2: codeSign,anyEKU -> OK" \ + "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.eku-cs_any.crt" \ "$P_CLI debug_level=1" \ 0 \ -C "bad certificate (usage extensions)" \ @@ -7881,21 +8222,37 @@ run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \ -c "Ciphersuite is TLS-" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "extKeyUsage cli: codeSign -> fail" \ - "$O_SRV -tls1_2 -key data_files/server5.key \ - -cert data_files/server5.eku-cs.crt" \ - "$P_CLI debug_level=1" \ +run_test "extKeyUsage cli 1.2: codeSign -> fail (soft)" \ + "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.eku-cs.crt" \ + "$P_CLI debug_level=3 auth_mode=optional" \ + 0 \ + -c "bad certificate (usage extensions)" \ + -C "Processing of the Certificate handshake message failed" \ + -c "Ciphersuite is TLS-" \ + -C "send alert level=2 message=43" \ + -c "! Usage does not match the extendedKeyUsage extension" + # MBEDTLS_X509_BADCERT_EXT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +run_test "extKeyUsage cli 1.2: codeSign -> fail (hard)" \ + "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.eku-cs.crt" \ + "$P_CLI debug_level=3" \ 1 \ -c "bad certificate (usage extensions)" \ -c "Processing of the Certificate handshake message failed" \ - -C "Ciphersuite is TLS-" + -C "Ciphersuite is TLS-" \ + -c "send alert level=2 message=43" \ + -c "! Usage does not match the extendedKeyUsage extension" + # MBEDTLS_X509_BADCERT_EXT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "extKeyUsage cli 1.3: serverAuth -> OK" \ - "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \ - -cert data_files/server5.eku-srv.crt" \ + "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.eku-srv.crt" \ "$P_CLI debug_level=1" \ 0 \ -C "bad certificate (usage extensions)" \ @@ -7906,8 +8263,8 @@ requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "extKeyUsage cli 1.3: serverAuth,clientAuth -> OK" \ - "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \ - -cert data_files/server5.eku-srv_cli.crt" \ + "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.eku-srv_cli.crt" \ "$P_CLI debug_level=1" \ 0 \ -C "bad certificate (usage extensions)" \ @@ -7918,8 +8275,8 @@ requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "extKeyUsage cli 1.3: codeSign,anyEKU -> OK" \ - "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \ - -cert data_files/server5.eku-cs_any.crt" \ + "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.eku-cs_any.crt" \ "$P_CLI debug_level=1" \ 0 \ -C "bad certificate (usage extensions)" \ @@ -7929,69 +8286,77 @@ run_test "extKeyUsage cli 1.3: codeSign,anyEKU -> OK" \ requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -run_test "extKeyUsage cli 1.3: codeSign -> fail" \ - "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \ - -cert data_files/server5.eku-cs.crt" \ - "$P_CLI debug_level=1" \ +run_test "extKeyUsage cli 1.3: codeSign -> fail (hard)" \ + "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.eku-cs.crt" \ + "$P_CLI debug_level=3" \ 1 \ -c "bad certificate (usage extensions)" \ -c "Processing of the Certificate handshake message failed" \ - -C "Ciphersuite is" + -C "Ciphersuite is" \ + -c "send alert level=2 message=43" \ + -c "! Usage does not match the extendedKeyUsage extension" + # MBEDTLS_X509_BADCERT_EXT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT # Tests for extendedKeyUsage, part 3: server-side checking of client cert requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "extKeyUsage cli-auth: clientAuth -> OK" \ +run_test "extKeyUsage cli-auth 1.2: clientAuth -> OK" \ "$P_SRV debug_level=1 auth_mode=optional" \ - "$O_CLI -key data_files/server5.key \ - -cert data_files/server5.eku-cli.crt" \ + "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.eku-cli.crt" \ 0 \ -S "bad certificate (usage extensions)" \ -S "Processing of the Certificate handshake message failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \ +run_test "extKeyUsage cli-auth 1.2: serverAuth,clientAuth -> OK" \ "$P_SRV debug_level=1 auth_mode=optional" \ - "$O_CLI -key data_files/server5.key \ - -cert data_files/server5.eku-srv_cli.crt" \ + "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.eku-srv_cli.crt" \ 0 \ -S "bad certificate (usage extensions)" \ -S "Processing of the Certificate handshake message failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \ +run_test "extKeyUsage cli-auth 1.2: codeSign,anyEKU -> OK" \ "$P_SRV debug_level=1 auth_mode=optional" \ - "$O_CLI -key data_files/server5.key \ - -cert data_files/server5.eku-cs_any.crt" \ + "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.eku-cs_any.crt" \ 0 \ -S "bad certificate (usage extensions)" \ -S "Processing of the Certificate handshake message failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \ - "$P_SRV debug_level=1 auth_mode=optional" \ - "$O_CLI -key data_files/server5.key \ - -cert data_files/server5.eku-cs.crt" \ +run_test "extKeyUsage cli-auth 1.2: codeSign -> fail (soft)" \ + "$P_SRV debug_level=3 auth_mode=optional" \ + "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.eku-cs.crt" \ 0 \ -s "bad certificate (usage extensions)" \ - -S "Processing of the Certificate handshake message failed" + -S "send alert level=2 message=43" \ + -s "! Usage does not match the extendedKeyUsage extension" \ + -S "Processing of the Certificate handshake message failed" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \ - "$P_SRV debug_level=1 auth_mode=required" \ - "$O_CLI -key data_files/server5.key \ - -cert data_files/server5.eku-cs.crt" \ +run_test "extKeyUsage cli-auth 1.2: codeSign -> fail (hard)" \ + "$P_SRV debug_level=3 auth_mode=required" \ + "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.eku-cs.crt" \ 1 \ -s "bad certificate (usage extensions)" \ + -s "send alert level=2 message=43" \ + -s "! Usage does not match the extendedKeyUsage extension" \ -s "Processing of the Certificate handshake message failed" + # MBEDTLS_X509_BADCERT_EXT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "extKeyUsage cli-auth 1.3: clientAuth -> OK" \ "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \ - "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \ - -cert data_files/server5.eku-cli.crt" \ + "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.eku-cli.crt" \ 0 \ -S "bad certificate (usage extensions)" \ -S "Processing of the Certificate handshake message failed" @@ -8001,8 +8366,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "extKeyUsage cli-auth 1.3: serverAuth,clientAuth -> OK" \ "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \ - "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \ - -cert data_files/server5.eku-srv_cli.crt" \ + "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.eku-srv_cli.crt" \ 0 \ -S "bad certificate (usage extensions)" \ -S "Processing of the Certificate handshake message failed" @@ -8012,8 +8377,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "extKeyUsage cli-auth 1.3: codeSign,anyEKU -> OK" \ "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \ - "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \ - -cert data_files/server5.eku-cs_any.crt" \ + "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.eku-cs_any.crt" \ 0 \ -S "bad certificate (usage extensions)" \ -S "Processing of the Certificate handshake message failed" @@ -8022,13 +8387,29 @@ requires_openssl_tls1_3_with_compatible_ephemeral requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "extKeyUsage cli-auth 1.3: codeSign -> fail (soft)" \ - "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \ - "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \ - -cert data_files/server5.eku-cs.crt" \ + "$P_SRV debug_level=3 force_version=tls13 auth_mode=optional" \ + "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server5.key \ + -cert $DATA_FILES_PATH/server5.eku-cs.crt" \ 0 \ -s "bad certificate (usage extensions)" \ + -S "send alert level=2 message=43" \ + -s "! Usage does not match the extendedKeyUsage extension" \ -S "Processing of the Certificate handshake message failed" +requires_openssl_tls1_3_with_compatible_ephemeral +requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +run_test "extKeyUsage cli-auth 1.3: codeSign -> fail (hard)" \ + "$P_SRV debug_level=3 force_version=tls13 auth_mode=required" \ + "$P_CLI key_file=$DATA_FILES_PATH/server5.key \ + crt_file=$DATA_FILES_PATH/server5.eku-cs.crt" \ + 1 \ + -s "bad certificate (usage extensions)" \ + -s "send alert level=2 message=43" \ + -s "! Usage does not match the extendedKeyUsage extension" \ + -s "Processing of the Certificate handshake message failed" + # MBEDTLS_X509_BADCERT_EXT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT + # Tests for DHM parameters loading run_test "DHM parameters: reference" \ @@ -8040,7 +8421,7 @@ run_test "DHM parameters: reference" \ -c "value of 'DHM: G ' (2 bits)" run_test "DHM parameters: other parameters" \ - "$P_SRV dhm_file=data_files/dhparams.pem" \ + "$P_SRV dhm_file=$DATA_FILES_PATH/dhparams.pem" \ "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ debug_level=3" \ 0 \ @@ -8064,49 +8445,49 @@ run_test "DHM size: server default, client 2048, OK" \ -C "DHM prime too short:" run_test "DHM size: server 1024, client default, OK" \ - "$P_SRV dhm_file=data_files/dhparams.pem" \ + "$P_SRV dhm_file=$DATA_FILES_PATH/dhparams.pem" \ "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ debug_level=1" \ 0 \ -C "DHM prime too short:" run_test "DHM size: server 999, client 999, OK" \ - "$P_SRV dhm_file=data_files/dh.999.pem" \ + "$P_SRV dhm_file=$DATA_FILES_PATH/dh.999.pem" \ "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ debug_level=1 dhmlen=999" \ 0 \ -C "DHM prime too short:" run_test "DHM size: server 1000, client 1000, OK" \ - "$P_SRV dhm_file=data_files/dh.1000.pem" \ + "$P_SRV dhm_file=$DATA_FILES_PATH/dh.1000.pem" \ "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ debug_level=1 dhmlen=1000" \ 0 \ -C "DHM prime too short:" run_test "DHM size: server 1000, client default, rejected" \ - "$P_SRV dhm_file=data_files/dh.1000.pem" \ + "$P_SRV dhm_file=$DATA_FILES_PATH/dh.1000.pem" \ "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ debug_level=1" \ 1 \ -c "DHM prime too short:" run_test "DHM size: server 1000, client 1001, rejected" \ - "$P_SRV dhm_file=data_files/dh.1000.pem" \ + "$P_SRV dhm_file=$DATA_FILES_PATH/dh.1000.pem" \ "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ debug_level=1 dhmlen=1001" \ 1 \ -c "DHM prime too short:" run_test "DHM size: server 999, client 1000, rejected" \ - "$P_SRV dhm_file=data_files/dh.999.pem" \ + "$P_SRV dhm_file=$DATA_FILES_PATH/dh.999.pem" \ "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ debug_level=1 dhmlen=1000" \ 1 \ -c "DHM prime too short:" run_test "DHM size: server 998, client 999, rejected" \ - "$P_SRV dhm_file=data_files/dh.998.pem" \ + "$P_SRV dhm_file=$DATA_FILES_PATH/dh.998.pem" \ "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ debug_level=1 dhmlen=999" \ 1 \ @@ -8122,9 +8503,9 @@ run_test "DHM size: server default, client 2049, rejected" \ # Tests for PSK callback run_test "PSK callback: psk, no callback" \ - "$P_SRV psk=abc123 psk_identity=foo" \ + "$P_SRV psk=73776f726466697368 psk_identity=foo" \ "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ - psk_identity=foo psk=abc123" \ + psk_identity=foo psk=73776f726466697368" \ 0 \ -S "SSL - The handshake negotiation failed" \ -S "SSL - Unknown identity received" \ @@ -8132,9 +8513,9 @@ run_test "PSK callback: psk, no callback" \ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: opaque psk on client, no callback" \ - "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \ + "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ - psk_identity=foo psk=abc123 psk_opaque=1" \ + psk_identity=foo psk=73776f726466697368 psk_opaque=1" \ 0 \ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ @@ -8144,9 +8525,9 @@ run_test "PSK callback: opaque psk on client, no callback" \ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: opaque psk on client, no callback, SHA-384" \ - "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \ + "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \ - psk_identity=foo psk=abc123 psk_opaque=1" \ + psk_identity=foo psk=73776f726466697368 psk_opaque=1" \ 0 \ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ @@ -8156,9 +8537,9 @@ run_test "PSK callback: opaque psk on client, no callback, SHA-384" \ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: opaque psk on client, no callback, EMS" \ - "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \ + "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \ "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ - psk_identity=foo psk=abc123 psk_opaque=1" \ + psk_identity=foo psk=73776f726466697368 psk_opaque=1" \ 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ @@ -8168,9 +8549,9 @@ run_test "PSK callback: opaque psk on client, no callback, EMS" \ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: opaque psk on client, no callback, SHA-384, EMS" \ - "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \ + "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \ "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \ - psk_identity=foo psk=abc123 psk_opaque=1" \ + psk_identity=foo psk=73776f726466697368 psk_opaque=1" \ 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ @@ -8180,9 +8561,9 @@ run_test "PSK callback: opaque psk on client, no callback, SHA-384, EMS" \ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: opaque rsa-psk on client, no callback" \ - "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \ + "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256 \ - psk_identity=foo psk=abc123 psk_opaque=1" \ + psk_identity=foo psk=73776f726466697368 psk_opaque=1" \ 0 \ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ @@ -8192,9 +8573,9 @@ run_test "PSK callback: opaque rsa-psk on client, no callback" \ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: opaque rsa-psk on client, no callback, SHA-384" \ - "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \ + "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \ - psk_identity=foo psk=abc123 psk_opaque=1" \ + psk_identity=foo psk=73776f726466697368 psk_opaque=1" \ 0 \ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ @@ -8204,9 +8585,9 @@ run_test "PSK callback: opaque rsa-psk on client, no callback, SHA-384" \ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: opaque rsa-psk on client, no callback, EMS" \ - "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \ + "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \ "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \ - psk_identity=foo psk=abc123 psk_opaque=1" \ + psk_identity=foo psk=73776f726466697368 psk_opaque=1" \ 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ @@ -8216,9 +8597,9 @@ run_test "PSK callback: opaque rsa-psk on client, no callback, EMS" \ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: opaque rsa-psk on client, no callback, SHA-384, EMS" \ - "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \ + "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \ "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \ - psk_identity=foo psk=abc123 psk_opaque=1" \ + psk_identity=foo psk=73776f726466697368 psk_opaque=1" \ 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ @@ -8228,9 +8609,9 @@ run_test "PSK callback: opaque rsa-psk on client, no callback, SHA-384, EMS" requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: opaque ecdhe-psk on client, no callback" \ - "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \ + "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \ - psk_identity=foo psk=abc123 psk_opaque=1" \ + psk_identity=foo psk=73776f726466697368 psk_opaque=1" \ 0 \ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ @@ -8240,9 +8621,9 @@ run_test "PSK callback: opaque ecdhe-psk on client, no callback" \ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: opaque ecdhe-psk on client, no callback, SHA-384" \ - "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \ + "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \ - psk_identity=foo psk=abc123 psk_opaque=1" \ + psk_identity=foo psk=73776f726466697368 psk_opaque=1" \ 0 \ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ @@ -8252,9 +8633,9 @@ run_test "PSK callback: opaque ecdhe-psk on client, no callback, SHA-384" \ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: opaque ecdhe-psk on client, no callback, EMS" \ - "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \ + "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \ "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \ - psk_identity=foo psk=abc123 psk_opaque=1" \ + psk_identity=foo psk=73776f726466697368 psk_opaque=1" \ 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ @@ -8264,9 +8645,9 @@ run_test "PSK callback: opaque ecdhe-psk on client, no callback, EMS" \ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: opaque ecdhe-psk on client, no callback, SHA-384, EMS" \ - "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \ + "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \ "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \ - psk_identity=foo psk=abc123 psk_opaque=1" \ + psk_identity=foo psk=73776f726466697368 psk_opaque=1" \ 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ @@ -8276,9 +8657,9 @@ run_test "PSK callback: opaque ecdhe-psk on client, no callback, SHA-384, EMS requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: opaque dhe-psk on client, no callback" \ - "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \ + "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA256 \ - psk_identity=foo psk=abc123 psk_opaque=1" \ + psk_identity=foo psk=73776f726466697368 psk_opaque=1" \ 0 \ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ @@ -8288,9 +8669,9 @@ run_test "PSK callback: opaque dhe-psk on client, no callback" \ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: opaque dhe-psk on client, no callback, SHA-384" \ - "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \ + "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \ - psk_identity=foo psk=abc123 psk_opaque=1" \ + psk_identity=foo psk=73776f726466697368 psk_opaque=1" \ 0 \ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ @@ -8300,9 +8681,9 @@ run_test "PSK callback: opaque dhe-psk on client, no callback, SHA-384" \ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: opaque dhe-psk on client, no callback, EMS" \ - "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \ + "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \ "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \ - psk_identity=foo psk=abc123 psk_opaque=1" \ + psk_identity=foo psk=73776f726466697368 psk_opaque=1" \ 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ @@ -8312,9 +8693,9 @@ run_test "PSK callback: opaque dhe-psk on client, no callback, EMS" \ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: opaque dhe-psk on client, no callback, SHA-384, EMS" \ - "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \ + "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \ "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \ - psk_identity=foo psk=abc123 psk_opaque=1" \ + psk_identity=foo psk=73776f726466697368 psk_opaque=1" \ 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ @@ -8324,9 +8705,9 @@ run_test "PSK callback: opaque dhe-psk on client, no callback, SHA-384, EMS" requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw psk on client, static opaque on server, no callback" \ - "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ + "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ - psk_identity=foo psk=abc123" \ + psk_identity=foo psk=73776f726466697368" \ 0 \ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ @@ -8336,9 +8717,9 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw psk on client, static opaque on server, no callback, SHA-384" \ - "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \ + "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \ - psk_identity=foo psk=abc123" \ + psk_identity=foo psk=73776f726466697368" \ 0 \ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ @@ -8348,10 +8729,10 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS" \ - "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \ + "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \ force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \ "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ - psk_identity=foo psk=abc123 extended_ms=1" \ + psk_identity=foo psk=73776f726466697368 extended_ms=1" \ 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ @@ -8361,10 +8742,10 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS, SHA384" \ - "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \ + "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \ force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \ "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \ - psk_identity=foo psk=abc123 extended_ms=1" \ + psk_identity=foo psk=73776f726466697368 extended_ms=1" \ 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ @@ -8374,9 +8755,9 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback" \ - "$P_SRV extended_ms=0 debug_level=5 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA" \ + "$P_SRV extended_ms=0 debug_level=5 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA" \ "$P_CLI extended_ms=0 debug_level=5 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \ - psk_identity=foo psk=abc123" \ + psk_identity=foo psk=73776f726466697368" \ 0 \ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ @@ -8386,9 +8767,9 @@ run_test "PSK callback: raw rsa-psk on client, static opaque on server, no ca requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback, SHA-384" \ - "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384" \ + "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384" \ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \ - psk_identity=foo psk=abc123" \ + psk_identity=foo psk=73776f726466697368" \ 0 \ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ @@ -8398,10 +8779,10 @@ run_test "PSK callback: raw rsa-psk on client, static opaque on server, no ca requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback, EMS" \ - "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \ + "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \ force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \ "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \ - psk_identity=foo psk=abc123 extended_ms=1" \ + psk_identity=foo psk=73776f726466697368 extended_ms=1" \ 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ @@ -8411,10 +8792,10 @@ run_test "PSK callback: raw rsa-psk on client, static opaque on server, no ca requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback, EMS, SHA384" \ - "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \ + "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \ force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \ "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \ - psk_identity=foo psk=abc123 extended_ms=1" \ + psk_identity=foo psk=73776f726466697368 extended_ms=1" \ 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ @@ -8424,9 +8805,9 @@ run_test "PSK callback: raw rsa-psk on client, static opaque on server, no ca requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback" \ - "$P_SRV extended_ms=0 debug_level=5 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA" \ + "$P_SRV extended_ms=0 debug_level=5 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA" \ "$P_CLI extended_ms=0 debug_level=5 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \ - psk_identity=foo psk=abc123" \ + psk_identity=foo psk=73776f726466697368" \ 0 \ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ @@ -8436,9 +8817,9 @@ run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback, SHA-384" \ - "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384" \ + "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384" \ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \ - psk_identity=foo psk=abc123" \ + psk_identity=foo psk=73776f726466697368" \ 0 \ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ @@ -8448,10 +8829,10 @@ run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback, EMS" \ - "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \ + "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \ force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \ "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \ - psk_identity=foo psk=abc123 extended_ms=1" \ + psk_identity=foo psk=73776f726466697368 extended_ms=1" \ 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ @@ -8461,10 +8842,10 @@ run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback, EMS, SHA384" \ - "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \ + "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \ force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \ "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \ - psk_identity=foo psk=abc123 extended_ms=1" \ + psk_identity=foo psk=73776f726466697368 extended_ms=1" \ 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ @@ -8474,9 +8855,9 @@ run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback" \ - "$P_SRV extended_ms=0 debug_level=5 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA" \ + "$P_SRV extended_ms=0 debug_level=5 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA" \ "$P_CLI extended_ms=0 debug_level=5 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \ - psk_identity=foo psk=abc123" \ + psk_identity=foo psk=73776f726466697368" \ 0 \ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ @@ -8486,9 +8867,9 @@ run_test "PSK callback: raw dhe-psk on client, static opaque on server, no ca requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback, SHA-384" \ - "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384" \ + "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384" \ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \ - psk_identity=foo psk=abc123" \ + psk_identity=foo psk=73776f726466697368" \ 0 \ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ @@ -8498,10 +8879,10 @@ run_test "PSK callback: raw dhe-psk on client, static opaque on server, no ca requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback, EMS" \ - "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \ + "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \ force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \ "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \ - psk_identity=foo psk=abc123 extended_ms=1" \ + psk_identity=foo psk=73776f726466697368 extended_ms=1" \ 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ @@ -8511,10 +8892,10 @@ run_test "PSK callback: raw dhe-psk on client, static opaque on server, no ca requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback, EMS, SHA384" \ - "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \ + "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \ force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \ "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \ - psk_identity=foo psk=abc123 extended_ms=1" \ + psk_identity=foo psk=73776f726466697368 extended_ms=1" \ 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ @@ -8724,7 +9105,7 @@ run_test "PSK callback: raw dhe-psk on client, no static DHE-PSK on server, o requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw psk on client, mismatching static raw PSK on server, opaque PSK from callback" \ - "$P_SRV extended_ms=0 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ + "$P_SRV extended_ms=0 psk_identity=foo psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=def psk=beef" \ 0 \ @@ -8736,7 +9117,7 @@ run_test "PSK callback: raw psk on client, mismatching static raw PSK on serv requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, opaque PSK from callback" \ - "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ + "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=def psk=beef" \ 0 \ @@ -8748,7 +9129,7 @@ run_test "PSK callback: raw psk on client, mismatching static opaque PSK on s requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, raw PSK from callback" \ - "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ + "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=def psk=beef" \ 0 \ @@ -8760,7 +9141,7 @@ run_test "PSK callback: raw psk on client, mismatching static opaque PSK on s requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw psk on client, id-matching but wrong raw PSK on server, opaque PSK from callback" \ - "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=abc123 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ + "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=def psk=beef" \ 0 \ @@ -8772,7 +9153,7 @@ run_test "PSK callback: raw psk on client, id-matching but wrong raw PSK on s requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSK callback: raw psk on client, matching opaque PSK on server, wrong opaque PSK from callback" \ - "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=beef debug_level=3 psk_list=abc,dead,def,abc123 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ + "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=beef debug_level=3 psk_list=abc,dead,def,73776f726466697368 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=def psk=beef" \ 1 \ @@ -8781,16 +9162,16 @@ run_test "PSK callback: raw psk on client, matching opaque PSK on server, wro run_test "PSK callback: no psk, no callback" \ "$P_SRV" \ "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ - psk_identity=foo psk=abc123" \ + psk_identity=foo psk=73776f726466697368" \ 1 \ -s "SSL - The handshake negotiation failed" \ -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" run_test "PSK callback: callback overrides other settings" \ - "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \ + "$P_SRV psk=73776f726466697368 psk_identity=foo psk_list=abc,dead,def,beef" \ "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ - psk_identity=foo psk=abc123" \ + psk_identity=foo psk=73776f726466697368" \ 1 \ -S "SSL - The handshake negotiation failed" \ -s "SSL - Unknown identity received" \ @@ -9008,11 +9389,25 @@ run_test "ECJPAKE: working, DTLS, nolog" \ # Test for ClientHello without extensions +# Without extensions, ECC is impossible (no curve negotiation). +requires_config_enabled MBEDTLS_RSA_C requires_gnutls -run_test "ClientHello without extensions" \ +run_test "ClientHello without extensions: RSA" \ "$P_SRV force_version=tls12 debug_level=3" \ "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \ 0 \ + -s "Ciphersuite is .*-RSA-WITH-.*" \ + -S "Ciphersuite is .*-EC.*" \ + -s "dumping 'client hello extensions' (0 bytes)" + +requires_config_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED +requires_gnutls +run_test "ClientHello without extensions: PSK" \ + "$P_SRV force_version=tls12 debug_level=3 psk=73776f726466697368" \ + "$G_CLI --priority=NORMAL:+PSK:-RSA:-DHE-RSA:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION --pskusername=Client_identity --pskkey=73776f726466697368 localhost" \ + 0 \ + -s "Ciphersuite is .*-PSK-.*" \ + -S "Ciphersuite is .*-EC.*" \ -s "dumping 'client hello extensions' (0 bytes)" # Tests for mbedtls_ssl_get_bytes_avail() @@ -9308,7 +9703,7 @@ requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED run_test "EC restart: TLS, default" \ "$P_SRV groups=secp256r1 auth_mode=required" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ + key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ debug_level=1" \ 0 \ -C "x509_verify_cert.*4b00" \ @@ -9321,7 +9716,7 @@ requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED run_test "EC restart: TLS, max_ops=0" \ "$P_SRV groups=secp256r1 auth_mode=required" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ + key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ debug_level=1 ec_max_ops=0" \ 0 \ -C "x509_verify_cert.*4b00" \ @@ -9334,7 +9729,7 @@ requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED run_test "EC restart: TLS, max_ops=65535" \ "$P_SRV groups=secp256r1 auth_mode=required" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ + key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ debug_level=1 ec_max_ops=65535" \ 0 \ -C "x509_verify_cert.*4b00" \ @@ -9349,7 +9744,7 @@ requires_config_disabled MBEDTLS_USE_PSA_CRYPTO run_test "EC restart: TLS, max_ops=1000 (no USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ + key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ debug_level=1 ec_max_ops=1000" \ 0 \ -c "x509_verify_cert.*4b00" \ @@ -9365,7 +9760,7 @@ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "EC restart: TLS, max_ops=1000 (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ + key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ debug_level=1 ec_max_ops=1000" \ 0 \ -c "x509_verify_cert.*4b00" \ @@ -9379,10 +9774,10 @@ requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED run_test "EC restart: TLS, max_ops=1000, badsign" \ "$P_SRV groups=secp256r1 auth_mode=required \ - crt_file=data_files/server5-badsign.crt \ - key_file=data_files/server5.key" \ + crt_file=$DATA_FILES_PATH/server5-badsign.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ + key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ debug_level=1 ec_max_ops=1000" \ 1 \ -c "x509_verify_cert.*4b00" \ @@ -9399,10 +9794,10 @@ requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED requires_config_disabled MBEDTLS_USE_PSA_CRYPTO run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (no USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required \ - crt_file=data_files/server5-badsign.crt \ - key_file=data_files/server5.key" \ + crt_file=$DATA_FILES_PATH/server5-badsign.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ + key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ debug_level=1 ec_max_ops=1000 auth_mode=optional" \ 0 \ -c "x509_verify_cert.*4b00" \ @@ -9420,10 +9815,10 @@ requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required \ - crt_file=data_files/server5-badsign.crt \ - key_file=data_files/server5.key" \ + crt_file=$DATA_FILES_PATH/server5-badsign.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ + key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ debug_level=1 ec_max_ops=1000 auth_mode=optional" \ 0 \ -c "x509_verify_cert.*4b00" \ @@ -9440,10 +9835,10 @@ requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED requires_config_disabled MBEDTLS_USE_PSA_CRYPTO run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (no USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required \ - crt_file=data_files/server5-badsign.crt \ - key_file=data_files/server5.key" \ + crt_file=$DATA_FILES_PATH/server5-badsign.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ + key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ debug_level=1 ec_max_ops=1000 auth_mode=none" \ 0 \ -C "x509_verify_cert.*4b00" \ @@ -9461,10 +9856,10 @@ requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required \ - crt_file=data_files/server5-badsign.crt \ - key_file=data_files/server5.key" \ + crt_file=$DATA_FILES_PATH/server5-badsign.crt \ + key_file=$DATA_FILES_PATH/server5.key" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ + key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ debug_level=1 ec_max_ops=1000 auth_mode=none" \ 0 \ -C "x509_verify_cert.*4b00" \ @@ -9482,7 +9877,7 @@ requires_config_disabled MBEDTLS_USE_PSA_CRYPTO run_test "EC restart: DTLS, max_ops=1000 (no USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required dtls=1" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ + key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ dtls=1 debug_level=1 ec_max_ops=1000" \ 0 \ -c "x509_verify_cert.*4b00" \ @@ -9498,7 +9893,7 @@ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "EC restart: DTLS, max_ops=1000 (USE_PSA)" \ "$P_SRV groups=secp256r1 auth_mode=required dtls=1" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ + key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ dtls=1 debug_level=1 ec_max_ops=1000" \ 0 \ -c "x509_verify_cert.*4b00" \ @@ -9545,7 +9940,7 @@ requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED run_test "EC restart: TLS, max_ops=1000, ECDHE-RSA" \ "$P_SRV groups=secp256r1 auth_mode=required" \ "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ + key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ debug_level=1 ec_max_ops=1000" \ 0 \ -C "x509_verify_cert.*4b00" \ @@ -9591,8 +9986,8 @@ requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "SSL async private: sign, SNI" \ "$P_SRV force_version=tls12 debug_level=3 \ async_operations=s async_private_delay1=0 async_private_delay2=0 \ - crt_file=data_files/server5.crt key_file=data_files/server5.key \ - sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \ + sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \ "$P_CLI server_name=polarssl.example" \ 0 \ -s "Async sign callback: using key slot " \ @@ -9622,9 +10017,9 @@ run_test "SSL async private: decrypt, delay=1" \ requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE run_test "SSL async private: decrypt RSA-PSK, delay=0" \ - "$P_SRV psk=abc123 \ + "$P_SRV psk=73776f726466697368 \ async_operations=d async_private_delay1=0 async_private_delay2=0" \ - "$P_CLI psk=abc123 \ + "$P_CLI psk=73776f726466697368 \ force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \ 0 \ -s "Async decrypt callback: using key slot " \ @@ -9632,9 +10027,9 @@ run_test "SSL async private: decrypt RSA-PSK, delay=0" \ requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE run_test "SSL async private: decrypt RSA-PSK, delay=1" \ - "$P_SRV psk=abc123 \ + "$P_SRV psk=73776f726466697368 \ async_operations=d async_private_delay1=1 async_private_delay2=1" \ - "$P_CLI psk=abc123 \ + "$P_CLI psk=73776f726466697368 \ force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \ 0 \ -s "Async decrypt callback: using key slot " \ @@ -9672,8 +10067,8 @@ requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE run_test "SSL async private: slot 0 used with key1" \ "$P_SRV \ async_operations=s async_private_delay1=1 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ - key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \ + key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ + key_file2=$DATA_FILES_PATH/server2.key crt_file2=$DATA_FILES_PATH/server2.crt" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \ 0 \ -s "Async sign callback: using key slot 0," \ @@ -9685,8 +10080,8 @@ requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE run_test "SSL async private: slot 0 used with key2" \ "$P_SRV \ async_operations=s async_private_delay2=1 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ - key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \ + key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ + key_file2=$DATA_FILES_PATH/server2.key crt_file2=$DATA_FILES_PATH/server2.crt" \ "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \ 0 \ -s "Async sign callback: using key slot 0," \ @@ -9698,8 +10093,8 @@ requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE run_test "SSL async private: slot 1 used with key2" \ "$P_SRV \ async_operations=s async_private_delay1=1 async_private_delay2=1 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ - key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \ + key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ + key_file2=$DATA_FILES_PATH/server2.key crt_file2=$DATA_FILES_PATH/server2.crt" \ "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \ 0 \ -s "Async sign callback: using key slot 1," \ @@ -9711,8 +10106,8 @@ requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE run_test "SSL async private: fall back to transparent key" \ "$P_SRV \ async_operations=s async_private_delay1=1 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ - key_file2=data_files/server2.key crt_file2=data_files/server2.crt " \ + key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ + key_file2=$DATA_FILES_PATH/server2.key crt_file2=$DATA_FILES_PATH/server2.crt " \ "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \ 0 \ -s "Async sign callback: no key matches this certificate." @@ -9819,8 +10214,8 @@ requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "SSL async private: cancel after start then fall back to transparent key" \ "$P_SRV \ async_operations=s async_private_delay1=1 async_private_error=-2 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ - key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \ + key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ + key_file2=$DATA_FILES_PATH/server2.key crt_file2=$DATA_FILES_PATH/server2.crt" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256; [ \$? -eq 1 ] && $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \ @@ -9841,8 +10236,8 @@ requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "SSL async private: sign, error in resume then fall back to transparent key" \ "$P_SRV \ async_operations=s async_private_delay1=1 async_private_error=-3 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ - key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \ + key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \ + key_file2=$DATA_FILES_PATH/server2.key crt_file2=$DATA_FILES_PATH/server2.crt" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256; [ \$? -eq 1 ] && $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \ @@ -10084,8 +10479,8 @@ run_test "DTLS client auth: none, client has no cert" \ -s "! Certificate verification was skipped" run_test "DTLS wrong PSK: badmac alert" \ - "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \ - "$P_CLI dtls=1 psk=abc124" \ + "$P_SRV dtls=1 psk=73776f726466697368 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \ + "$P_CLI dtls=1 psk=73776f726466697374" \ 1 \ -s "SSL - Verification of the message MAC failed" \ -c "SSL - A fatal alert message was received from our peer" @@ -10209,13 +10604,13 @@ requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: none (for reference)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ hs_timeout=2500-60000 \ max_frag_len=4096" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ hs_timeout=2500-60000 \ max_frag_len=4096" \ 0 \ @@ -10230,13 +10625,13 @@ requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: server only (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ hs_timeout=2500-60000 \ max_frag_len=1024" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ hs_timeout=2500-60000 \ max_frag_len=2048" \ 0 \ @@ -10255,13 +10650,13 @@ requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: server only (more) (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ hs_timeout=2500-60000 \ max_frag_len=512" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ hs_timeout=2500-60000 \ max_frag_len=4096" \ 0 \ @@ -10276,13 +10671,13 @@ requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: client-initiated, server only (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=none \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ hs_timeout=2500-60000 \ max_frag_len=2048" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ hs_timeout=2500-60000 \ max_frag_len=1024" \ 0 \ @@ -10305,13 +10700,13 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), proxy MTU" \ -p "$P_PXY mtu=1110" \ "$P_SRV dtls=1 debug_level=2 auth_mode=none \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ hs_timeout=2500-60000 \ max_frag_len=2048" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ hs_timeout=2500-60000 \ max_frag_len=1024" \ 0 \ @@ -10326,13 +10721,13 @@ requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: client-initiated, both (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ hs_timeout=2500-60000 \ max_frag_len=2048" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ hs_timeout=2500-60000 \ max_frag_len=1024" \ 0 \ @@ -10355,13 +10750,13 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" \ -p "$P_PXY mtu=1110" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ hs_timeout=2500-60000 \ max_frag_len=2048" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ hs_timeout=2500-60000 \ max_frag_len=1024" \ 0 \ @@ -10375,13 +10770,13 @@ requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: none (for reference) (MTU)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ hs_timeout=2500-60000 \ mtu=4096" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ hs_timeout=2500-60000 \ mtu=4096" \ 0 \ @@ -10395,13 +10790,13 @@ requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: client (MTU)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ hs_timeout=3500-60000 \ mtu=4096" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ hs_timeout=3500-60000 \ mtu=1024" \ 0 \ @@ -10415,13 +10810,13 @@ requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: server (MTU)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ hs_timeout=2500-60000 \ mtu=512" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ hs_timeout=2500-60000 \ mtu=2048" \ 0 \ @@ -10436,13 +10831,13 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: both (MTU=1024)" \ -p "$P_PXY mtu=1024" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ hs_timeout=2500-60000 \ mtu=1024" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ hs_timeout=2500-60000 \ mtu=1024" \ 0 \ @@ -10458,13 +10853,13 @@ requires_max_content_len 2048 run_test "DTLS fragmenting: both (MTU=512)" \ -p "$P_PXY mtu=512" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ hs_timeout=2500-60000 \ mtu=512" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=2500-60000 \ mtu=512" \ @@ -10486,12 +10881,12 @@ requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU: auto-reduction (not valgrind)" \ -p "$P_PXY mtu=508" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ hs_timeout=400-3200" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=400-3200" \ 0 \ @@ -10507,12 +10902,12 @@ requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU: auto-reduction (with valgrind)" \ -p "$P_PXY mtu=508" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ hs_timeout=250-10000" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=250-10000" \ 0 \ @@ -10531,13 +10926,13 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \ -p "$P_PXY mtu=1024" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ hs_timeout=10000-60000 \ mtu=1024" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ hs_timeout=10000-60000 \ mtu=1024" \ 0 \ @@ -10557,13 +10952,13 @@ requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \ -p "$P_PXY mtu=512" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ hs_timeout=10000-60000 \ mtu=512" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=10000-60000 \ mtu=512" \ @@ -10581,13 +10976,13 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \ -p "$P_PXY mtu=1024" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ hs_timeout=10000-60000 \ mtu=1024 nbio=2" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ hs_timeout=10000-60000 \ mtu=1024 nbio=2" \ 0 \ @@ -10604,13 +10999,13 @@ requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \ -p "$P_PXY mtu=512" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ hs_timeout=10000-60000 \ mtu=512 nbio=2" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=10000-60000 \ mtu=512 nbio=2" \ @@ -10637,13 +11032,13 @@ requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, resumed handshake" \ -p "$P_PXY mtu=1450" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ hs_timeout=10000-60000 \ mtu=1450" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ hs_timeout=10000-60000 \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ mtu=1450 reconnect=1 skip_close_notify=1 reco_delay=1000" \ @@ -10664,14 +11059,14 @@ requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \ -p "$P_PXY mtu=512" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ exchanges=2 renegotiation=1 \ hs_timeout=10000-60000 \ mtu=512" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ exchanges=2 renegotiation=1 renegotiate=1 \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 \ hs_timeout=10000-60000 \ @@ -10693,14 +11088,14 @@ requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \ -p "$P_PXY mtu=512" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ exchanges=2 renegotiation=1 \ hs_timeout=10000-60000 \ mtu=512" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ exchanges=2 renegotiation=1 renegotiate=1 \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=10000-60000 \ @@ -10722,15 +11117,15 @@ requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \ -p "$P_PXY mtu=1024" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ exchanges=2 renegotiation=1 \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \ hs_timeout=10000-60000 \ mtu=1024" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ exchanges=2 renegotiation=1 renegotiate=1 \ hs_timeout=10000-60000 \ mtu=1024" \ @@ -10752,15 +11147,15 @@ requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \ -p "$P_PXY mtu=1024" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ exchanges=2 renegotiation=1 \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \ hs_timeout=10000-60000 \ mtu=1024" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ exchanges=2 renegotiation=1 renegotiate=1 \ hs_timeout=10000-60000 \ mtu=1024" \ @@ -10781,15 +11176,15 @@ requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \ -p "$P_PXY mtu=1024" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ exchanges=2 renegotiation=1 \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 etm=0 \ hs_timeout=10000-60000 \ mtu=1024" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ exchanges=2 renegotiation=1 renegotiate=1 \ hs_timeout=10000-60000 \ mtu=1024" \ @@ -10807,12 +11202,12 @@ requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU + 3d" \ -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \ "$P_SRV dgram_packing=0 dtls=1 debug_level=2 auth_mode=required \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ hs_timeout=250-10000 mtu=512" \ "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=250-10000 mtu=512" \ 0 \ @@ -10828,12 +11223,12 @@ requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \ -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ hs_timeout=250-10000 mtu=512 nbio=2" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=250-10000 mtu=512 nbio=2" \ 0 \ @@ -10852,8 +11247,8 @@ requires_max_content_len 2048 run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \ "$G_SRV -u" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ mtu=512 force_version=dtls12" \ 0 \ -c "fragmenting handshake message" \ @@ -10873,8 +11268,8 @@ requires_not_i686 requires_max_content_len 2048 run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \ "$P_SRV dtls=1 debug_level=2 \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ mtu=512 force_version=dtls12" \ "$G_CLI -u --insecure 127.0.0.1" \ 0 \ @@ -10886,8 +11281,8 @@ requires_max_content_len 2048 run_test "DTLS fragmenting: openssl server, DTLS 1.2" \ "$O_SRV -dtls1_2 -verify 10" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ mtu=512 force_version=dtls12" \ 0 \ -c "fragmenting handshake message" \ @@ -10898,8 +11293,8 @@ requires_config_enabled MBEDTLS_RSA_C requires_max_content_len 2048 run_test "DTLS fragmenting: openssl client, DTLS 1.2" \ "$P_SRV dtls=1 debug_level=2 \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ mtu=512 force_version=dtls12" \ "$O_CLI -dtls1_2" \ 0 \ @@ -10918,8 +11313,8 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \ -p "$P_PXY drop=8 delay=8 duplicate=8" \ "$G_NEXT_SRV -u" \ "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ hs_timeout=250-60000 mtu=512 force_version=dtls12" \ 0 \ -c "fragmenting handshake message" \ @@ -10933,8 +11328,8 @@ requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \ -p "$P_PXY drop=8 delay=8 duplicate=8" \ "$P_SRV dtls=1 debug_level=2 \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ hs_timeout=250-60000 mtu=512 force_version=dtls12" \ "$G_NEXT_CLI -u --insecure 127.0.0.1" \ 0 \ @@ -10951,8 +11346,8 @@ run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \ -p "$P_PXY drop=8 delay=8 duplicate=8" \ "$O_NEXT_SRV -dtls1_2 -verify 10" \ "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ + crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \ + key_file=$DATA_FILES_PATH/server8.key \ hs_timeout=250-60000 mtu=512 force_version=dtls12" \ 0 \ -c "fragmenting handshake message" \ @@ -10968,8 +11363,8 @@ requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \ -p "$P_PXY drop=8 delay=8 duplicate=8" \ "$P_SRV dtls=1 debug_level=2 \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ + crt_file=$DATA_FILES_PATH/server7_int-ca.crt \ + key_file=$DATA_FILES_PATH/server7.key \ hs_timeout=250-60000 mtu=512 force_version=dtls12" \ "$O_CLI -dtls1_2" \ 0 \ @@ -11786,6 +12181,7 @@ run_test "DTLS reordering: Buffer out-of-order handshake message on server" \ requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "DTLS reordering: Buffer out-of-order CCS message on client"\ -p "$P_PXY delay_srv=NewSessionTicket" \ "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \ @@ -11852,8 +12248,8 @@ requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 190 requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 230 run_test "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket" \ -p "$P_PXY delay_srv=NewSessionTicket delay_srv=NewSessionTicket delay_ccs=1" \ - "$P_SRV mtu=140 response_size=90 dgram_packing=0 psk=abc123 psk_identity=foo cookies=0 dtls=1 debug_level=2" \ - "$P_CLI dgram_packing=0 dtls=1 debug_level=2 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=abc123 psk_identity=foo" \ + "$P_SRV mtu=140 response_size=90 dgram_packing=0 psk=73776f726466697368 psk_identity=foo cookies=0 dtls=1 debug_level=2" \ + "$P_CLI dgram_packing=0 dtls=1 debug_level=2 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=73776f726466697368 psk_identity=foo" \ 0 \ -s "Buffer record from epoch 1" \ -s "Found buffered record from current epoch - load" \ @@ -11867,8 +12263,8 @@ client_needs_more_time 2 run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \ - psk=abc123" \ - "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \ + psk=73776f726466697368" \ + "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \ force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \ 0 \ -s "Extra-header:" \ @@ -11906,6 +12302,7 @@ run_test "DTLS proxy: 3d, FS, client auth" \ client_needs_more_time 2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "DTLS proxy: 3d, FS, ticket" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=none" \ @@ -11916,6 +12313,7 @@ run_test "DTLS proxy: 3d, FS, ticket" \ client_needs_more_time 2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=required" \ @@ -11926,6 +12324,7 @@ run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \ client_needs_more_time 2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "DTLS proxy: 3d, max handshake, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1 \ @@ -11940,8 +12339,8 @@ requires_config_enabled MBEDTLS_SSL_CACHE_C run_test "DTLS proxy: 3d, min handshake, resumption" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \ - psk=abc123 debug_level=3" \ - "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \ + psk=73776f726466697368 debug_level=3" \ + "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \ debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \ force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \ 0 \ @@ -11955,8 +12354,8 @@ requires_config_enabled MBEDTLS_SSL_CACHE_C run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \ - psk=abc123 debug_level=3 nbio=2" \ - "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \ + psk=73776f726466697368 debug_level=3 nbio=2" \ + "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \ debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \ force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \ 0 \ @@ -11970,8 +12369,8 @@ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \ - psk=abc123 renegotiation=1 debug_level=2" \ - "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \ + psk=73776f726466697368 renegotiation=1 debug_level=2" \ + "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \ renegotiate=1 debug_level=2 \ force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \ 0 \ @@ -11985,8 +12384,8 @@ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \ - psk=abc123 renegotiation=1 debug_level=2" \ - "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \ + psk=73776f726466697368 renegotiation=1 debug_level=2" \ + "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \ renegotiate=1 debug_level=2 \ force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \ 0 \ @@ -12000,9 +12399,9 @@ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \ - psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \ + psk=73776f726466697368 renegotiate=1 renegotiation=1 exchanges=4 \ debug_level=2" \ - "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \ + "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \ renegotiation=1 exchanges=4 debug_level=2 \ force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \ 0 \ @@ -12016,9 +12415,9 @@ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \ - psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \ + psk=73776f726466697368 renegotiate=1 renegotiation=1 exchanges=4 \ debug_level=2 nbio=2" \ - "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \ + "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \ renegotiation=1 exchanges=4 debug_level=2 nbio=2 \ force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \ 0 \ @@ -12136,7 +12535,7 @@ requires_ciphersuite_enabled TLS1-3-CHACHA20-POLY1305-SHA256 requires_any_configs_enabled "PSA_WANT_ECC_MONTGOMERY_255" requires_any_configs_enabled "PSA_WANT_ECC_SECP_R1_256" run_test "TLS 1.3: Default" \ - "$P_SRV allow_sha1=0 debug_level=3 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13" \ + "$P_SRV allow_sha1=0 debug_level=3 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key force_version=tls13" \ "$P_CLI allow_sha1=0" \ 0 \ -s "Protocol is TLSv1.3" \ @@ -12310,7 +12709,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_ALPN requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: server alpn - openssl" \ - "$P_SRV debug_level=3 tickets=0 crt_file=data_files/server5.crt key_file=data_files/server5.key alpn=h2" \ + "$P_SRV debug_level=3 tickets=0 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key alpn=h2" \ "$O_NEXT_CLI -msg -tls1_3 -no_middlebox -alpn h2" \ 0 \ -s "found alpn extension" \ @@ -12325,7 +12724,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_ALPN requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: server alpn - gnutls" \ - "$P_SRV debug_level=3 tickets=0 crt_file=data_files/server5.crt key_file=data_files/server5.key alpn=h2" \ + "$P_SRV debug_level=3 tickets=0 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key alpn=h2" \ "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V --alpn h2" \ 0 \ -s "found alpn extension" \ @@ -12372,7 +12771,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication, no server middlebox compat - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10 -no_middlebox" \ - "$P_CLI debug_level=4 crt_file=data_files/cli2.crt key_file=data_files/cli2.key" \ + "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/cli2.crt key_file=$DATA_FILES_PATH/cli2.key" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12386,8 +12785,8 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication, no server middlebox compat - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE" \ - "$P_CLI debug_level=3 crt_file=data_files/cli2.crt \ - key_file=data_files/cli2.key" \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/cli2.crt \ + key_file=$DATA_FILES_PATH/cli2.key" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12401,8 +12800,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication, ecdsa_secp256r1_sha256 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ - "$P_CLI debug_level=4 crt_file=data_files/ecdsa_secp256r1.crt \ - key_file=data_files/ecdsa_secp256r1.key" \ + "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt \ + key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12417,8 +12816,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication, ecdsa_secp256r1_sha256 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ - "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp256r1.crt \ - key_file=data_files/ecdsa_secp256r1.key" \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt \ + key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12432,8 +12831,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication, ecdsa_secp384r1_sha384 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ - "$P_CLI debug_level=4 crt_file=data_files/ecdsa_secp384r1.crt \ - key_file=data_files/ecdsa_secp384r1.key" \ + "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt \ + key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12448,8 +12847,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication, ecdsa_secp384r1_sha384 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ - "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp384r1.crt \ - key_file=data_files/ecdsa_secp384r1.key" \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt \ + key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12463,8 +12862,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication, ecdsa_secp521r1_sha512 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ - "$P_CLI debug_level=4 crt_file=data_files/ecdsa_secp521r1.crt \ - key_file=data_files/ecdsa_secp521r1.key" \ + "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt \ + key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12479,8 +12878,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication, ecdsa_secp521r1_sha512 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ - "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp521r1.crt \ - key_file=data_files/ecdsa_secp521r1.key" \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt \ + key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12495,8 +12894,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha256 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ - "$P_CLI debug_level=4 crt_file=data_files/cert_sha256.crt \ - key_file=data_files/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha256" \ + "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/cert_sha256.crt \ + key_file=$DATA_FILES_PATH/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha256" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12512,8 +12911,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha256 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ - "$P_CLI debug_level=3 crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha256" \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server2-sha256.crt \ + key_file=$DATA_FILES_PATH/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha256" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12528,8 +12927,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha384 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ - "$P_CLI debug_level=4 crt_file=data_files/cert_sha256.crt \ - key_file=data_files/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha384" \ + "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/cert_sha256.crt \ + key_file=$DATA_FILES_PATH/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha384" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12545,8 +12944,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha384 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ - "$P_CLI debug_level=3 crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha384" \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server2-sha256.crt \ + key_file=$DATA_FILES_PATH/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha384" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12561,8 +12960,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha512 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ - "$P_CLI debug_level=4 crt_file=data_files/cert_sha256.crt \ - key_file=data_files/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha512" \ + "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/cert_sha256.crt \ + key_file=$DATA_FILES_PATH/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha512" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12578,8 +12977,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha512 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ - "$P_CLI debug_level=3 crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha512" \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server2-sha256.crt \ + key_file=$DATA_FILES_PATH/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha512" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12595,8 +12994,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ run_test "TLS 1.3: Client authentication, client alg not in server list - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10 -sigalgs ecdsa_secp256r1_sha256" \ - "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp521r1.crt \ - key_file=data_files/ecdsa_secp521r1.key sig_algs=ecdsa_secp256r1_sha256,ecdsa_secp521r1_sha512" \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt \ + key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key sig_algs=ecdsa_secp256r1_sha256,ecdsa_secp521r1_sha512" \ 1 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12612,8 +13011,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication, client alg not in server list - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:-SIGN-ALL:+SIGN-ECDSA-SECP256R1-SHA256:%NO_TICKETS" \ - "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp521r1.crt \ - key_file=data_files/ecdsa_secp521r1.key sig_algs=ecdsa_secp256r1_sha256,ecdsa_secp521r1_sha512" \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt \ + key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key sig_algs=ecdsa_secp256r1_sha256,ecdsa_secp521r1_sha512" \ 1 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12628,7 +13027,7 @@ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, no server middlebox compat - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10 -no_middlebox" \ - "$P_CLI debug_level=4 crt_file=data_files/cli2.crt key_file=data_files/cli2.key key_opaque=1" \ + "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/cli2.crt key_file=$DATA_FILES_PATH/cli2.key key_opaque=1" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12643,8 +13042,8 @@ requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, no server middlebox compat - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE" \ - "$P_CLI debug_level=3 crt_file=data_files/cli2.crt \ - key_file=data_files/cli2.key key_opaque=1" \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/cli2.crt \ + key_file=$DATA_FILES_PATH/cli2.key key_opaque=1" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12659,8 +13058,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp256r1_sha256 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ - "$P_CLI debug_level=4 crt_file=data_files/ecdsa_secp256r1.crt \ - key_file=data_files/ecdsa_secp256r1.key key_opaque=1" \ + "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt \ + key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key key_opaque=1" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12676,8 +13075,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp256r1_sha256 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ - "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp256r1.crt \ - key_file=data_files/ecdsa_secp256r1.key key_opaque=1" \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt \ + key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key key_opaque=1" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12692,8 +13091,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp384r1_sha384 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ - "$P_CLI debug_level=4 crt_file=data_files/ecdsa_secp384r1.crt \ - key_file=data_files/ecdsa_secp384r1.key key_opaque=1" \ + "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt \ + key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key key_opaque=1" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12709,8 +13108,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp384r1_sha384 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ - "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp384r1.crt \ - key_file=data_files/ecdsa_secp384r1.key key_opaque=1" \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt \ + key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key key_opaque=1" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12725,8 +13124,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp521r1_sha512 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ - "$P_CLI debug_level=4 crt_file=data_files/ecdsa_secp521r1.crt \ - key_file=data_files/ecdsa_secp521r1.key key_opaque=1" \ + "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt \ + key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key key_opaque=1" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12742,8 +13141,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp521r1_sha512 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ - "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp521r1.crt \ - key_file=data_files/ecdsa_secp521r1.key key_opaque=1" \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt \ + key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key key_opaque=1" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12759,8 +13158,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha256 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ - "$P_CLI debug_level=4 crt_file=data_files/cert_sha256.crt \ - key_file=data_files/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha256 key_opaque=1" \ + "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/cert_sha256.crt \ + key_file=$DATA_FILES_PATH/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha256 key_opaque=1" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12777,8 +13176,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha256 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ - "$P_CLI debug_level=3 crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha256 key_opaque=1" \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server2-sha256.crt \ + key_file=$DATA_FILES_PATH/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha256 key_opaque=1" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12794,8 +13193,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha384 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ - "$P_CLI debug_level=4 crt_file=data_files/cert_sha256.crt \ - key_file=data_files/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha384 key_opaque=1" \ + "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/cert_sha256.crt \ + key_file=$DATA_FILES_PATH/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha384 key_opaque=1" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12812,8 +13211,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha384 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ - "$P_CLI debug_level=3 crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha384 key_opaque=1" \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server2-sha256.crt \ + key_file=$DATA_FILES_PATH/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha384 key_opaque=1" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12829,8 +13228,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha512 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ - "$P_CLI debug_level=4 crt_file=data_files/cert_sha256.crt \ - key_file=data_files/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha512 key_opaque=1" \ + "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/cert_sha256.crt \ + key_file=$DATA_FILES_PATH/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha512 key_opaque=1" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12847,8 +13246,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha512 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ - "$P_CLI debug_level=3 crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha512 key_opaque=1" \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server2-sha256.crt \ + key_file=$DATA_FILES_PATH/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha512 key_opaque=1" \ 0 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12865,8 +13264,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ run_test "TLS 1.3: Client authentication - opaque key, client alg not in server list - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10 -sigalgs ecdsa_secp256r1_sha256" \ - "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp521r1.crt \ - key_file=data_files/ecdsa_secp521r1.key sig_algs=ecdsa_secp256r1_sha256,ecdsa_secp521r1_sha512 key_opaque=1" \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt \ + key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key sig_algs=ecdsa_secp256r1_sha256,ecdsa_secp521r1_sha512 key_opaque=1" \ 1 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12883,8 +13282,8 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Client authentication - opaque key, client alg not in server list - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:-SIGN-ALL:+SIGN-ECDSA-SECP256R1-SHA256:%NO_TICKETS" \ - "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp521r1.crt \ - key_file=data_files/ecdsa_secp521r1.key sig_algs=ecdsa_secp256r1_sha256,ecdsa_secp521r1_sha512 key_opaque=1" \ + "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt \ + key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key sig_algs=ecdsa_secp256r1_sha256,ecdsa_secp521r1_sha512 key_opaque=1" \ 1 \ -c "got a certificate request" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ @@ -12960,7 +13359,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Server side check - openssl" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \ + "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \ "$O_NEXT_CLI -msg -debug -tls1_3 -no_middlebox" \ 0 \ -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \ @@ -12977,8 +13376,8 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Server side check - openssl with client authentication" \ - "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \ - "$O_NEXT_CLI -msg -debug -cert data_files/server5.crt -key data_files/server5.key -tls1_3 -no_middlebox" \ + "$P_SRV debug_level=4 auth_mode=required crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \ + "$O_NEXT_CLI -msg -debug -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -tls1_3 -no_middlebox" \ 0 \ -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \ @@ -12997,7 +13396,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Server side check - gnutls" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \ + "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \ "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \ 0 \ -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \ @@ -13016,8 +13415,8 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Server side check - gnutls with client authentication" \ - "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \ - "$G_NEXT_CLI localhost -d 4 --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \ + "$P_SRV debug_level=4 auth_mode=required crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \ + "$G_NEXT_CLI localhost -d 4 --x509certfile $DATA_FILES_PATH/server5.crt --x509keyfile $DATA_FILES_PATH/server5.key --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \ 0 \ -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \ @@ -13035,7 +13434,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Server side check - mbedtls" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \ + "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \ "$P_CLI debug_level=4" \ 0 \ -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \ @@ -13054,8 +13453,8 @@ requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Server side check - mbedtls with client authentication" \ - "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \ - "$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key" \ + "$P_SRV debug_level=4 auth_mode=required crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \ + "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key" \ 0 \ -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \ @@ -13071,7 +13470,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Server side check - mbedtls with client empty certificate" \ - "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \ + "$P_SRV debug_level=4 auth_mode=required crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \ "$P_CLI debug_level=4 crt_file=none key_file=none" \ 1 \ -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \ @@ -13089,7 +13488,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Server side check - mbedtls with optional client authentication" \ - "$P_SRV debug_level=4 auth_mode=optional crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \ + "$P_SRV debug_level=4 auth_mode=optional crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \ "$P_CLI debug_level=4 crt_file=none key_file=none" \ 0 \ -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \ @@ -13136,9 +13535,9 @@ requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Server side check - openssl with sni" \ - "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0 \ - sni=localhost,data_files/server5.crt,data_files/server5.key,data_files/test-ca_cat12.crt,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ - "$O_NEXT_CLI -msg -debug -servername localhost -CAfile data_files/test-ca_cat12.crt -cert data_files/server5.crt -key data_files/server5.key -tls1_3" \ + "$P_SRV debug_level=4 auth_mode=required crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0 \ + sni=localhost,$DATA_FILES_PATH/server5.crt,$DATA_FILES_PATH/server5.key,$DATA_FILES_PATH/test-ca_cat12.crt,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \ + "$O_NEXT_CLI -msg -debug -servername localhost -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -tls1_3" \ 0 \ -s "parse ServerName extension" \ -s "HTTP/1.0 200 OK" @@ -13149,9 +13548,9 @@ requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Server side check - gnutls with sni" \ - "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0 \ - sni=localhost,data_files/server5.crt,data_files/server5.key,data_files/test-ca_cat12.crt,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ - "$G_NEXT_CLI localhost -d 4 --sni-hostname=localhost --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS -V" \ + "$P_SRV debug_level=4 auth_mode=required crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0 \ + sni=localhost,$DATA_FILES_PATH/server5.crt,$DATA_FILES_PATH/server5.key,$DATA_FILES_PATH/test-ca_cat12.crt,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \ + "$G_NEXT_CLI localhost -d 4 --sni-hostname=localhost --x509certfile $DATA_FILES_PATH/server5.crt --x509keyfile $DATA_FILES_PATH/server5.key --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS -V" \ 0 \ -s "parse ServerName extension" \ -s "HTTP/1.0 200 OK" @@ -13162,9 +13561,9 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Server side check - mbedtls with sni" \ - "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0 \ - sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ - "$P_CLI debug_level=4 server_name=localhost crt_file=data_files/server5.crt key_file=data_files/server5.key" \ + "$P_SRV debug_level=4 auth_mode=required crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0 \ + sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \ + "$P_CLI debug_level=4 server_name=localhost crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key" \ 0 \ -s "parse ServerName extension" \ -s "HTTP/1.0 200 OK" @@ -13288,7 +13687,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3 O->m both peers do not support middlebox compatibility" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \ + "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \ "$O_NEXT_CLI -msg -debug -no_middlebox" \ 0 \ -s "Protocol is TLSv1.3" \ @@ -13301,7 +13700,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3 O->m server with middlebox compat support, not client" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \ + "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \ "$O_NEXT_CLI -msg -debug -no_middlebox" \ 0 \ -s "Protocol is TLSv1.3" \ @@ -13313,7 +13712,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3 O->m both with middlebox compat support" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \ + "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \ "$O_NEXT_CLI -msg -debug" \ 0 \ -s "Protocol is TLSv1.3" \ @@ -13328,7 +13727,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3 G->m both peers do not support middlebox compatibility" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \ + "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \ "$G_NEXT_CLI localhost --priority=NORMAL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \ 0 \ -s "Protocol is TLSv1.3" \ @@ -13343,7 +13742,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3 G->m server with middlebox compat support, not client" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \ + "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \ "$G_NEXT_CLI localhost --debug=10 --priority=NORMAL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \ 0 \ -s "Protocol is TLSv1.3" \ @@ -13359,7 +13758,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3 G->m both with middlebox compat support" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key tickets=0" \ + "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \ "$G_NEXT_CLI localhost --debug=10 --priority=NORMAL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \ 0 \ -s "Protocol is TLSv1.3" \ @@ -13484,7 +13883,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3 O->m HRR both peers do not support middlebox compatibility" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key groups=secp384r1 tickets=0" \ + "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key groups=secp384r1 tickets=0" \ "$O_NEXT_CLI -msg -debug -groups P-256:P-384 -no_middlebox" \ 0 \ -s "Protocol is TLSv1.3" \ @@ -13497,7 +13896,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3 O->m HRR server with middlebox compat support, not client" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key groups=secp384r1 tickets=0" \ + "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key groups=secp384r1 tickets=0" \ "$O_NEXT_CLI -msg -debug -groups P-256:P-384 -no_middlebox" \ 0 \ -s "Protocol is TLSv1.3" \ @@ -13509,7 +13908,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3 O->m HRR both with middlebox compat support" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key groups=secp384r1 tickets=0" \ + "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key groups=secp384r1 tickets=0" \ "$O_NEXT_CLI -msg -debug -groups P-256:P-384" \ 0 \ -s "Protocol is TLSv1.3" \ @@ -13524,7 +13923,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3 G->m HRR both peers do not support middlebox compatibility" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key groups=secp384r1 tickets=0" \ + "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key groups=secp384r1 tickets=0" \ "$G_NEXT_CLI localhost --priority=NORMAL:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \ 0 \ -s "Protocol is TLSv1.3" \ @@ -13540,7 +13939,7 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3 G->m HRR server with middlebox compat support, not client" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key groups=secp384r1 tickets=0" \ + "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key groups=secp384r1 tickets=0" \ "$G_NEXT_CLI localhost --debug=10 --priority=NORMAL:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \ 0 \ -s "Protocol is TLSv1.3" \ @@ -13557,7 +13956,7 @@ requires_config_enabled PSA_WANT_ALG_ECDH requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3 G->m HRR both with middlebox compat support" \ - "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key groups=secp384r1 tickets=0" \ + "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key groups=secp384r1 tickets=0" \ "$G_NEXT_CLI localhost --debug=10 --priority=NORMAL:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \ 0 \ -s "Protocol is TLSv1.3" \ @@ -13570,10 +13969,10 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Check signature algorithm order, m->O" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10 -sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:ecdsa_secp256r1_sha256" \ - "$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \ + "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key \ sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -13586,10 +13985,10 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Check signature algorithm order, m->G" \ - "$G_NEXT_SRV_NO_CERT --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key + "$G_NEXT_SRV_NO_CERT --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key -d 4 --priority=NORMAL:-VERS-ALL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-PSS-RSAE-SHA384:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS " \ - "$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \ + "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key \ sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -13603,10 +14002,10 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Check signature algorithm order, m->m" \ "$P_SRV debug_level=4 auth_mode=required - crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key - crt_file=data_files/server5.crt key_file=data_files/server5.key + crt_file2=$DATA_FILES_PATH/server2-sha256.crt key_file2=$DATA_FILES_PATH/server2.key + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \ - "$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \ + "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key \ sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \ 0 \ -c "Protocol is TLSv1.3" \ @@ -13622,11 +14021,11 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Check signature algorithm order, O->m" \ "$P_SRV debug_level=4 auth_mode=required - crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key - crt_file=data_files/server5.crt key_file=data_files/server5.key + crt_file2=$DATA_FILES_PATH/server2-sha256.crt key_file2=$DATA_FILES_PATH/server2.key + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \ - "$O_NEXT_CLI_NO_CERT -msg -CAfile data_files/test-ca_cat12.crt \ - -cert data_files/server2-sha256.crt -key data_files/server2.key \ + "$O_NEXT_CLI_NO_CERT -msg -CAfile $DATA_FILES_PATH/test-ca_cat12.crt \ + -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key \ -sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:ecdsa_secp256r1_sha256" \ 0 \ -c "TLSv1.3" \ @@ -13640,11 +14039,11 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Check signature algorithm order, G->m" \ "$P_SRV debug_level=4 auth_mode=required - crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key - crt_file=data_files/server5.crt key_file=data_files/server5.key + crt_file2=$DATA_FILES_PATH/server2-sha256.crt key_file2=$DATA_FILES_PATH/server2.key + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \ - "$G_NEXT_CLI_NO_CERT localhost -d 4 --x509cafile data_files/test-ca_cat12.crt \ - --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key \ + "$G_NEXT_CLI_NO_CERT localhost -d 4 --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt \ + --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key \ --priority=NORMAL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-PSS-RSAE-SHA384" \ 0 \ -c "Negotiated version: 3.4" \ @@ -13659,11 +14058,11 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Check server no suitable signature algorithm, G->m" \ "$P_SRV debug_level=4 auth_mode=required - crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key - crt_file=data_files/server5.crt key_file=data_files/server5.key + crt_file2=$DATA_FILES_PATH/server2-sha256.crt key_file2=$DATA_FILES_PATH/server2.key + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key sig_algs=rsa_pkcs1_sha512,ecdsa_secp256r1_sha256 " \ - "$G_NEXT_CLI_NO_CERT localhost -d 4 --x509cafile data_files/test-ca_cat12.crt \ - --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key \ + "$G_NEXT_CLI_NO_CERT localhost -d 4 --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt \ + --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key \ --priority=NORMAL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-ECDSA-SECP521R1-SHA512" \ 1 \ -S "ssl_tls13_pick_key_cert:check signature algorithm" @@ -13675,11 +14074,11 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Check server no suitable signature algorithm, O->m" \ "$P_SRV debug_level=4 auth_mode=required - crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key - crt_file=data_files/server5.crt key_file=data_files/server5.key + crt_file2=$DATA_FILES_PATH/server2-sha256.crt key_file2=$DATA_FILES_PATH/server2.key + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key sig_algs=rsa_pkcs1_sha512,ecdsa_secp256r1_sha256" \ - "$O_NEXT_CLI_NO_CERT -msg -CAfile data_files/test-ca_cat12.crt \ - -cert data_files/server2-sha256.crt -key data_files/server2.key \ + "$O_NEXT_CLI_NO_CERT -msg -CAfile $DATA_FILES_PATH/test-ca_cat12.crt \ + -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key \ -sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:ecdsa_secp521r1_sha512" \ 1 \ -S "ssl_tls13_pick_key_cert:check signature algorithm" @@ -13691,10 +14090,10 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Check server no suitable signature algorithm, m->m" \ "$P_SRV debug_level=4 auth_mode=required - crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key - crt_file=data_files/server5.crt key_file=data_files/server5.key + crt_file2=$DATA_FILES_PATH/server2-sha256.crt key_file2=$DATA_FILES_PATH/server2.key + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key sig_algs=rsa_pkcs1_sha512,ecdsa_secp256r1_sha256 " \ - "$P_CLI allow_sha1=0 debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \ + "$P_CLI allow_sha1=0 debug_level=4 crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key \ sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,ecdsa_secp521r1_sha512" \ 1 \ -S "ssl_tls13_pick_key_cert:check signature algorithm" @@ -13706,9 +14105,9 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Check server no suitable certificate, G->m" \ "$P_SRV debug_level=4 - crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key + crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \ - "$G_NEXT_CLI_NO_CERT localhost -d 4 --x509cafile data_files/test-ca_cat12.crt \ + "$G_NEXT_CLI_NO_CERT localhost -d 4 --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt \ --priority=NORMAL:-SIGN-ALL:+SIGN-ECDSA-SECP521R1-SHA512:+SIGN-ECDSA-SECP256R1-SHA256" \ 1 \ -s "ssl_tls13_pick_key_cert:no suitable certificate found" @@ -13720,9 +14119,9 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Check server no suitable certificate, O->m" \ "$P_SRV debug_level=4 - crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key + crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \ - "$O_NEXT_CLI_NO_CERT -msg -CAfile data_files/test-ca_cat12.crt \ + "$O_NEXT_CLI_NO_CERT -msg -CAfile $DATA_FILES_PATH/test-ca_cat12.crt \ -sigalgs ecdsa_secp521r1_sha512:ecdsa_secp256r1_sha256" \ 1 \ -s "ssl_tls13_pick_key_cert:no suitable certificate found" @@ -13734,7 +14133,7 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Check server no suitable certificate, m->m" \ "$P_SRV debug_level=4 - crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key + crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \ "$P_CLI allow_sha1=0 debug_level=4 \ sig_algs=ecdsa_secp521r1_sha512,ecdsa_secp256r1_sha256" \ @@ -13747,10 +14146,10 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Check client no signature algorithm, m->O" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10 -sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:ecdsa_secp521r1_sha512" \ - "$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key \ + "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \ sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \ 1 \ -c "no suitable signature algorithm" @@ -13761,10 +14160,10 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Check client no signature algorithm, m->G" \ - "$G_NEXT_SRV_NO_CERT --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key + "$G_NEXT_SRV_NO_CERT --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key -d 4 --priority=NORMAL:-VERS-ALL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-PSS-RSAE-SHA384:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS " \ - "$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key \ + "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \ sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \ 1 \ -c "no suitable signature algorithm" @@ -13776,10 +14175,10 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: Check client no signature algorithm, m->m" \ "$P_SRV debug_level=4 auth_mode=required - crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key - crt_file=data_files/server5.crt key_file=data_files/server5.key + crt_file2=$DATA_FILES_PATH/server2-sha256.crt key_file2=$DATA_FILES_PATH/server2.key + crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp521r1_sha512" \ - "$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key \ + "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \ sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \ 1 \ -c "no suitable signature algorithm" @@ -13789,10 +14188,10 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.2: Check rsa_pss_rsae compatibility issue, m->O" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key -msg -tls1_2 -Verify 10 " \ - "$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key + "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key sig_algs=rsa_pss_rsae_sha512,rsa_pkcs1_sha512 min_version=tls12 max_version=tls13 " \ 0 \ @@ -13805,10 +14204,10 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C run_test "TLS 1.2: Check rsa_pss_rsae compatibility issue, m->G" \ - "$G_NEXT_SRV_NO_CERT --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key + "$G_NEXT_SRV_NO_CERT --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \ - "$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key + "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key sig_algs=rsa_pss_rsae_sha512,rsa_pkcs1_sha512 min_version=tls12 max_version=tls13 " \ 0 \ @@ -13826,8 +14225,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,ffdhe3072,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe3072 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE3072:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe3072 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE3072:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -13848,8 +14247,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_3072 run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe3072,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE3072:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe3072" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE3072:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe3072" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -13870,8 +14269,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,ffdhe4096,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe4096 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE4096:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe4096 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE4096:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -13892,8 +14291,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_4096 run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe4096,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE4096:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe4096" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE4096:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe4096" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -13914,8 +14313,8 @@ requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,ffdhe6144,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe6144 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE6144:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe6144 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE6144:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -13935,8 +14334,8 @@ requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_6144 run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe6144,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE6144:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe6144" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE6144:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe6144" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -13958,8 +14357,8 @@ requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat client_needs_more_time 4 run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,ffdhe8192,rsa_pss_rsae_sha256" \ - "$P_SRV crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe8192 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ - "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile data_files/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE8192:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe8192 tls13_kex_modes=ephemeral cookies=0 tickets=0" \ + "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE8192:+VERS-TLS1.3:%NO_TICKETS" \ 0 \ -s "Protocol is TLSv1.3" \ -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \ @@ -13980,8 +14379,8 @@ requires_config_enabled PSA_WANT_ALG_FFDH requires_config_enabled PSA_WANT_DH_RFC7919_8192 client_needs_more_time 4 run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe8192,rsa_pss_rsae_sha256" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE8192:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI ca_file=data_files/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe8192" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE8192:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe8192" \ 0 \ -c "HTTP/1.0 200 OK" \ -c "Protocol is TLSv1.3" \ @@ -13997,20 +14396,32 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "TLS 1.3: no HRR in case of PSK key exchange mode" \ - "$P_SRV nbio=2 psk=010203 psk_identity=0a0b0c tls13_kex_modes=psk groups=none" \ - "$P_CLI nbio=2 debug_level=3 psk=010203 psk_identity=0a0b0c tls13_kex_modes=all" \ + "$P_SRV nbio=2 psk=73776f726466697368 psk_identity=0a0b0c tls13_kex_modes=psk groups=none" \ + "$P_CLI nbio=2 debug_level=3 psk=73776f726466697368 psk_identity=0a0b0c tls13_kex_modes=all" \ 0 \ -C "received HelloRetryRequest message" \ -c "Selected key exchange mode: psk$" \ -c "HTTP/1.0 200 OK" +# Legacy_compression_methods testing + +requires_gnutls +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +run_test "TLS 1.2 ClientHello indicating support for deflate compression method" \ + "$P_SRV debug_level=3" \ + "$G_CLI --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+COMP-DEFLATE localhost" \ + 0 \ + -c "Handshake was completed" \ + -s "dumping .client hello, compression. (2 bytes)" + # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_MEMORY_DEBUG requires_config_enabled MBEDTLS_MEMORY_BUFFER_ALLOC_C requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 16384 -run_tests_memory_after_hanshake +run_tests_memory_after_handshake if [ "$LIST_TESTS" -eq 0 ]; then @@ -14026,6 +14437,15 @@ if [ "$LIST_TESTS" -eq 0 ]; then PASSES=$(( $TESTS - $FAILS )) echo " ($PASSES / $TESTS tests ($SKIPS skipped))" + if [ $((TESTS - SKIPS)) -lt $MIN_TESTS ]; then + cat <size); mbedtls_free(data->output); @@ -26,8 +26,8 @@ exit: return 0; } -int generic_write_finish_step(generic_write_data_t *data, - const data_t *expected, int ret) +static int generic_write_finish_step(generic_write_data_t *data, + const data_t *expected, int ret) { int ok = 0; diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_bignum.function b/yass/third_party/mbedtls/tests/suites/test_suite_bignum.function index f3a64e1837..3ac4e10ea6 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_bignum.function +++ b/yass/third_party/mbedtls/tests/suites/test_suite_bignum.function @@ -3,6 +3,7 @@ #include "mbedtls/entropy.h" #include "constant_time_internal.h" #include "bignum_core.h" +#include "bignum_internal.h" #include "test/constant_flow.h" #if MBEDTLS_MPI_MAX_BITS > 792 @@ -32,6 +33,7 @@ static int sign_is_valid(const mbedtls_mpi *X) return 1; } +#if defined(MBEDTLS_GENPRIME) typedef struct mbedtls_test_mpi_random { data_t *data; size_t pos; @@ -44,9 +46,9 @@ typedef struct mbedtls_test_mpi_random { * test) are stored in the data member of the state structure. Each number is in * the format that mbedtls_mpi_read_string understands and is chunk_len long. */ -int mbedtls_test_mpi_miller_rabin_determinizer(void *state, - unsigned char *buf, - size_t len) +static int mbedtls_test_mpi_miller_rabin_determinizer(void *state, + unsigned char *buf, + size_t len) { mbedtls_test_mpi_random *random = (mbedtls_test_mpi_random *) state; @@ -73,6 +75,7 @@ int mbedtls_test_mpi_miller_rabin_determinizer(void *state, return 0; } +#endif /* MBEDTLS_GENPRIME */ /* Random generator that is told how many bytes to return. */ static int f_rng_bytes_left(void *state, unsigned char *buf, size_t len) diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_bignum.misc.data b/yass/third_party/mbedtls/tests/suites/test_suite_bignum.misc.data index eb55dbe33b..c16c6890aa 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_bignum.misc.data +++ b/yass/third_party/mbedtls/tests/suites/test_suite_bignum.misc.data @@ -110,19 +110,19 @@ Test mbedtls_mpi_write_binary_le #2 (Buffer too small) mpi_write_binary_le:"123123123123123123123123123":"23311223311223311223311223":13:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL Base test mbedtls_mpi_read_file #1 -mpi_read_file:"data_files/mpi_16":"01f55332c3a48b910f9942f6c914e58bef37a47ee45cb164a5b6b8d1006bf59a059c21449939ebebfdf517d2e1dbac88010d7b1f141e997bd6801ddaec9d05910f4f2de2b2c4d714e2c14a72fc7f17aa428d59c531627f09":0 +mpi_read_file:"../framework/data_files/mpi_16":"01f55332c3a48b910f9942f6c914e58bef37a47ee45cb164a5b6b8d1006bf59a059c21449939ebebfdf517d2e1dbac88010d7b1f141e997bd6801ddaec9d05910f4f2de2b2c4d714e2c14a72fc7f17aa428d59c531627f09":0 Test mbedtls_mpi_read_file #1 (Empty file) -mpi_read_file:"data_files/hash_file_4":"":MBEDTLS_ERR_MPI_FILE_IO_ERROR +mpi_read_file:"../framework/data_files/hash_file_4":"":MBEDTLS_ERR_MPI_FILE_IO_ERROR Test mbedtls_mpi_read_file #2 (Illegal input) -mpi_read_file:"data_files/hash_file_2":"":0 +mpi_read_file:"../framework/data_files/hash_file_2":"":0 Test mbedtls_mpi_read_file #3 (Input too big) -mpi_read_file:"data_files/mpi_too_big":"":MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL +mpi_read_file:"../framework/data_files/mpi_too_big":"":MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL Base test mbedtls_mpi_write_file #1 -mpi_write_file:"941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":"data_files/mpi_write" +mpi_write_file:"941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":"../framework/data_files/mpi_write" Test mbedtls_mpi_lsb: 0 (null) mpi_lsb:"":0 diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_bignum_core.function b/yass/third_party/mbedtls/tests/suites/test_suite_bignum_core.function index db84d6238f..08dac2e279 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_bignum_core.function +++ b/yass/third_party/mbedtls/tests/suites/test_suite_bignum_core.function @@ -1178,6 +1178,7 @@ void mpi_core_exp_mod(char *input_N, char *input_A, char *input_E, char *input_X) { mbedtls_mpi_uint *A = NULL; + mbedtls_mpi_uint *A_copy = NULL; mbedtls_mpi_uint *E = NULL; mbedtls_mpi_uint *N = NULL; mbedtls_mpi_uint *X = NULL; @@ -1229,19 +1230,56 @@ void mpi_core_exp_mod(char *input_N, char *input_A, TEST_CALLOC(T, working_limbs); - mbedtls_mpi_core_exp_mod(Y, A, N, N_limbs, E, E_limbs, R2, T); + /* Test the safe variant */ +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + mbedtls_mpi_optionally_safe_codepath_reset(); +#endif + mbedtls_mpi_core_exp_mod(Y, A, N, N_limbs, E, E_limbs, R2, T); +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + TEST_EQUAL(mbedtls_mpi_optionally_safe_codepath, MBEDTLS_MPI_IS_SECRET); +#endif TEST_EQUAL(0, memcmp(X, Y, N_limbs * sizeof(mbedtls_mpi_uint))); - /* Check when output aliased to input */ + /* Test the unsafe variant */ +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + mbedtls_mpi_optionally_safe_codepath_reset(); +#endif + mbedtls_mpi_core_exp_mod_unsafe(Y, A, N, N_limbs, E, E_limbs, R2, T); +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + TEST_EQUAL(mbedtls_mpi_optionally_safe_codepath, MBEDTLS_MPI_IS_PUBLIC); +#endif + TEST_EQUAL(0, memcmp(X, Y, N_limbs * sizeof(mbedtls_mpi_uint))); + + /* Check both with output aliased to input */ + + TEST_CALLOC(A_copy, A_limbs); + memcpy(A_copy, A, sizeof(*A_copy) * A_limbs); + +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + mbedtls_mpi_optionally_safe_codepath_reset(); +#endif mbedtls_mpi_core_exp_mod(A, A, N, N_limbs, E, E_limbs, R2, T); +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + TEST_EQUAL(mbedtls_mpi_optionally_safe_codepath, MBEDTLS_MPI_IS_SECRET); +#endif + TEST_EQUAL(0, memcmp(X, A, N_limbs * sizeof(mbedtls_mpi_uint))); + memcpy(A, A_copy, sizeof(*A) * A_limbs); +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + mbedtls_mpi_optionally_safe_codepath_reset(); +#endif + mbedtls_mpi_core_exp_mod_unsafe(A, A, N, N_limbs, E, E_limbs, R2, T); +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) + TEST_EQUAL(mbedtls_mpi_optionally_safe_codepath, MBEDTLS_MPI_IS_PUBLIC); +#endif TEST_EQUAL(0, memcmp(X, A, N_limbs * sizeof(mbedtls_mpi_uint))); exit: mbedtls_free(T); mbedtls_free(A); + mbedtls_free(A_copy); mbedtls_free(E); mbedtls_free(N); mbedtls_free(X); diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_cipher.function b/yass/third_party/mbedtls/tests/suites/test_suite_cipher.function index aca415095f..040c35ca58 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_cipher.function +++ b/yass/third_party/mbedtls/tests/suites/test_suite_cipher.function @@ -129,7 +129,7 @@ exit: * return 1 if it is, * 0 if it isn't. */ -int buffer_is_all_zero(const uint8_t *buf, size_t size) +static int buffer_is_all_zero(const uint8_t *buf, size_t size) { for (size_t i = 0; i < size; i++) { if (buf[i] != 0) { @@ -549,6 +549,10 @@ void enc_fail(int cipher_id, int pad_mode, int key_len, int length_val, /* encode length number of bytes from inbuf */ TEST_ASSERT(0 == mbedtls_cipher_update(&ctx, inbuf, length, encbuf, &outlen)); TEST_ASSERT(ret == mbedtls_cipher_finish(&ctx, encbuf + outlen, &outlen)); + if (0 != ret) { + /* Check output parameter is set to the least-harmful value on error */ + TEST_ASSERT(0 == outlen); + } /* done */ exit: @@ -826,6 +830,10 @@ void decrypt_test_vec(int cipher_id, int pad_mode, data_t *key, total_len += outlen; TEST_ASSERT(finish_result == mbedtls_cipher_finish(&ctx, output + outlen, &outlen)); + if (0 != finish_result) { + /* Check output parameter is set to the least-harmful value on error */ + TEST_ASSERT(0 == outlen); + } total_len += outlen; #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) int tag_expected = (ctx.cipher_info->mode == MBEDTLS_MODE_GCM || diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_common.function b/yass/third_party/mbedtls/tests/suites/test_suite_common.function index 5c5700c25b..8626a0ba4c 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_common.function +++ b/yass/third_party/mbedtls/tests/suites/test_suite_common.function @@ -1,7 +1,11 @@ /* BEGIN_HEADER */ #include "common.h" -void fill_arrays(unsigned char *a, unsigned char *b, unsigned char *r1, unsigned char *r2, size_t n) +static void fill_arrays(unsigned char *a, + unsigned char *b, + unsigned char *r1, + unsigned char *r2, + size_t n) { for (size_t i = 0; i < n; i++) { a[i] = (unsigned char) i * 3; diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_config.crypto_combinations.data b/yass/third_party/mbedtls/tests/suites/test_suite_config.crypto_combinations.data new file mode 100644 index 0000000000..d3287d266a --- /dev/null +++ b/yass/third_party/mbedtls/tests/suites/test_suite_config.crypto_combinations.data @@ -0,0 +1,9 @@ +# Interesting combinations of low-level crypto options + +Config: ECC: Weierstrass curves only +depends_on:MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED:!MBEDTLS_ECP_MONTGOMERY_ENABLED +pass: + +Config: ECC: Montgomery curves only +depends_on:!MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED:MBEDTLS_ECP_MONTGOMERY_ENABLED +pass: diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_config.function b/yass/third_party/mbedtls/tests/suites/test_suite_config.function new file mode 100644 index 0000000000..9e9dd01990 --- /dev/null +++ b/yass/third_party/mbedtls/tests/suites/test_suite_config.function @@ -0,0 +1,14 @@ +/* BEGIN_HEADER */ + +/* END_HEADER */ + +/* BEGIN_CASE */ +/* This test case always passes. It is intended solely for configuration + * reporting in the outcome file. Write test cases using this function + * with dependencies to record in which configurations the dependencies + * are met. */ +void pass() +{ + goto exit; +} +/* END_CASE */ diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_config.mbedtls_boolean.data b/yass/third_party/mbedtls/tests/suites/test_suite_config.mbedtls_boolean.data new file mode 100644 index 0000000000..c37969762c --- /dev/null +++ b/yass/third_party/mbedtls/tests/suites/test_suite_config.mbedtls_boolean.data @@ -0,0 +1,1691 @@ +# Automatically generated by generate_config_tests.py. Do not edit! + +Config: MBEDTLS_AESCE_C +depends_on:MBEDTLS_AESCE_C:MBEDTLS_AES_C +pass: + +Config: !MBEDTLS_AESCE_C +depends_on:!MBEDTLS_AESCE_C:MBEDTLS_AES_C +pass: + +Config: MBEDTLS_AESNI_C +depends_on:MBEDTLS_AESNI_C:MBEDTLS_AES_C +pass: + +Config: !MBEDTLS_AESNI_C +depends_on:!MBEDTLS_AESNI_C:MBEDTLS_AES_C +pass: + +Config: MBEDTLS_AES_C +depends_on:MBEDTLS_AES_C +pass: + +Config: !MBEDTLS_AES_C +depends_on:!MBEDTLS_AES_C +pass: + +Config: MBEDTLS_AES_FEWER_TABLES +depends_on:MBEDTLS_AES_FEWER_TABLES:MBEDTLS_AES_C +pass: + +Config: !MBEDTLS_AES_FEWER_TABLES +depends_on:!MBEDTLS_AES_FEWER_TABLES:MBEDTLS_AES_C +pass: + +Config: MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:MBEDTLS_AES_C +pass: + +Config: !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH:MBEDTLS_AES_C +pass: + +Config: MBEDTLS_AES_ROM_TABLES +depends_on:MBEDTLS_AES_ROM_TABLES:MBEDTLS_AES_C +pass: + +Config: !MBEDTLS_AES_ROM_TABLES +depends_on:!MBEDTLS_AES_ROM_TABLES:MBEDTLS_AES_C +pass: + +Config: MBEDTLS_AES_USE_HARDWARE_ONLY +depends_on:MBEDTLS_AES_USE_HARDWARE_ONLY:MBEDTLS_AES_C +pass: + +Config: !MBEDTLS_AES_USE_HARDWARE_ONLY +depends_on:!MBEDTLS_AES_USE_HARDWARE_ONLY:MBEDTLS_AES_C +pass: + +Config: MBEDTLS_ARIA_C +depends_on:MBEDTLS_ARIA_C +pass: + +Config: !MBEDTLS_ARIA_C +depends_on:!MBEDTLS_ARIA_C +pass: + +Config: MBEDTLS_ASN1_PARSE_C +depends_on:MBEDTLS_ASN1_PARSE_C +pass: + +Config: !MBEDTLS_ASN1_PARSE_C +depends_on:!MBEDTLS_ASN1_PARSE_C +pass: + +Config: MBEDTLS_ASN1_WRITE_C +depends_on:MBEDTLS_ASN1_WRITE_C +pass: + +Config: !MBEDTLS_ASN1_WRITE_C +depends_on:!MBEDTLS_ASN1_WRITE_C +pass: + +Config: MBEDTLS_BASE64_C +depends_on:MBEDTLS_BASE64_C +pass: + +Config: !MBEDTLS_BASE64_C +depends_on:!MBEDTLS_BASE64_C +pass: + +Config: MBEDTLS_BIGNUM_C +depends_on:MBEDTLS_BIGNUM_C +pass: + +Config: !MBEDTLS_BIGNUM_C +depends_on:!MBEDTLS_BIGNUM_C +pass: + +Config: MBEDTLS_BLOCK_CIPHER_NO_DECRYPT +depends_on:MBEDTLS_BLOCK_CIPHER_NO_DECRYPT +pass: + +Config: !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT +depends_on:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT +pass: + +Config: MBEDTLS_CAMELLIA_C +depends_on:MBEDTLS_CAMELLIA_C +pass: + +Config: !MBEDTLS_CAMELLIA_C +depends_on:!MBEDTLS_CAMELLIA_C +pass: + +Config: MBEDTLS_CAMELLIA_SMALL_MEMORY +depends_on:MBEDTLS_CAMELLIA_SMALL_MEMORY:MBEDTLS_CAMELLIA_C +pass: + +Config: !MBEDTLS_CAMELLIA_SMALL_MEMORY +depends_on:!MBEDTLS_CAMELLIA_SMALL_MEMORY:MBEDTLS_CAMELLIA_C +pass: + +Config: MBEDTLS_CCM_C +depends_on:MBEDTLS_CCM_C +pass: + +Config: !MBEDTLS_CCM_C +depends_on:!MBEDTLS_CCM_C +pass: + +Config: MBEDTLS_CHACHA20_C +depends_on:MBEDTLS_CHACHA20_C +pass: + +Config: !MBEDTLS_CHACHA20_C +depends_on:!MBEDTLS_CHACHA20_C +pass: + +Config: MBEDTLS_CHACHAPOLY_C +depends_on:MBEDTLS_CHACHAPOLY_C +pass: + +Config: !MBEDTLS_CHACHAPOLY_C +depends_on:!MBEDTLS_CHACHAPOLY_C +pass: + +Config: MBEDTLS_CHECK_RETURN_WARNING +depends_on:MBEDTLS_CHECK_RETURN_WARNING +pass: + +Config: !MBEDTLS_CHECK_RETURN_WARNING +depends_on:!MBEDTLS_CHECK_RETURN_WARNING +pass: + +Config: MBEDTLS_CIPHER_C +depends_on:MBEDTLS_CIPHER_C +pass: + +Config: !MBEDTLS_CIPHER_C +depends_on:!MBEDTLS_CIPHER_C +pass: + +Config: MBEDTLS_CIPHER_MODE_CBC +depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_C +pass: + +Config: !MBEDTLS_CIPHER_MODE_CBC +depends_on:!MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_C +pass: + +Config: MBEDTLS_CIPHER_MODE_CFB +depends_on:MBEDTLS_CIPHER_MODE_CFB:MBEDTLS_CIPHER_C +pass: + +Config: !MBEDTLS_CIPHER_MODE_CFB +depends_on:!MBEDTLS_CIPHER_MODE_CFB:MBEDTLS_CIPHER_C +pass: + +Config: MBEDTLS_CIPHER_MODE_CTR +depends_on:MBEDTLS_CIPHER_MODE_CTR:MBEDTLS_CIPHER_C +pass: + +Config: !MBEDTLS_CIPHER_MODE_CTR +depends_on:!MBEDTLS_CIPHER_MODE_CTR:MBEDTLS_CIPHER_C +pass: + +Config: MBEDTLS_CIPHER_MODE_OFB +depends_on:MBEDTLS_CIPHER_MODE_OFB:MBEDTLS_CIPHER_C +pass: + +Config: !MBEDTLS_CIPHER_MODE_OFB +depends_on:!MBEDTLS_CIPHER_MODE_OFB:MBEDTLS_CIPHER_C +pass: + +Config: MBEDTLS_CIPHER_MODE_XTS +depends_on:MBEDTLS_CIPHER_MODE_XTS:MBEDTLS_CIPHER_C +pass: + +Config: !MBEDTLS_CIPHER_MODE_XTS +depends_on:!MBEDTLS_CIPHER_MODE_XTS:MBEDTLS_CIPHER_C +pass: + +Config: MBEDTLS_CIPHER_NULL_CIPHER +depends_on:MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_CIPHER_C +pass: + +Config: !MBEDTLS_CIPHER_NULL_CIPHER +depends_on:!MBEDTLS_CIPHER_NULL_CIPHER:MBEDTLS_CIPHER_C +pass: + +Config: MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS +depends_on:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC +pass: + +Config: !MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS +depends_on:!MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC +pass: + +Config: MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC +pass: + +Config: !MBEDTLS_CIPHER_PADDING_PKCS7 +depends_on:!MBEDTLS_CIPHER_PADDING_PKCS7:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC +pass: + +Config: MBEDTLS_CIPHER_PADDING_ZEROS +depends_on:MBEDTLS_CIPHER_PADDING_ZEROS:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC +pass: + +Config: !MBEDTLS_CIPHER_PADDING_ZEROS +depends_on:!MBEDTLS_CIPHER_PADDING_ZEROS:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC +pass: + +Config: MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN +depends_on:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC +pass: + +Config: !MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN +depends_on:!MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC +pass: + +Config: MBEDTLS_CMAC_C +depends_on:MBEDTLS_CMAC_C +pass: + +Config: !MBEDTLS_CMAC_C +depends_on:!MBEDTLS_CMAC_C +pass: + +Config: MBEDTLS_CTR_DRBG_C +depends_on:MBEDTLS_CTR_DRBG_C +pass: + +Config: !MBEDTLS_CTR_DRBG_C +depends_on:!MBEDTLS_CTR_DRBG_C +pass: + +Config: MBEDTLS_CTR_DRBG_USE_128_BIT_KEY +depends_on:MBEDTLS_CTR_DRBG_USE_128_BIT_KEY:MBEDTLS_CTR_DRBG_C +pass: + +Config: !MBEDTLS_CTR_DRBG_USE_128_BIT_KEY +depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY:MBEDTLS_CTR_DRBG_C +pass: + +Config: MBEDTLS_DEBUG_C +depends_on:MBEDTLS_DEBUG_C +pass: + +Config: !MBEDTLS_DEBUG_C +depends_on:!MBEDTLS_DEBUG_C +pass: + +Config: MBEDTLS_DEPRECATED_REMOVED +depends_on:MBEDTLS_DEPRECATED_REMOVED +pass: + +Config: !MBEDTLS_DEPRECATED_REMOVED +depends_on:!MBEDTLS_DEPRECATED_REMOVED +pass: + +Config: MBEDTLS_DEPRECATED_WARNING +depends_on:MBEDTLS_DEPRECATED_WARNING +pass: + +Config: !MBEDTLS_DEPRECATED_WARNING +depends_on:!MBEDTLS_DEPRECATED_WARNING +pass: + +Config: MBEDTLS_DES_C +depends_on:MBEDTLS_DES_C +pass: + +Config: !MBEDTLS_DES_C +depends_on:!MBEDTLS_DES_C +pass: + +Config: MBEDTLS_DHM_C +depends_on:MBEDTLS_DHM_C +pass: + +Config: !MBEDTLS_DHM_C +depends_on:!MBEDTLS_DHM_C +pass: + +Config: MBEDTLS_ECDH_C +depends_on:MBEDTLS_ECDH_C +pass: + +Config: !MBEDTLS_ECDH_C +depends_on:!MBEDTLS_ECDH_C +pass: + +Config: MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED +depends_on:MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED:MBEDTLS_ECDH_C +pass: + +Config: !MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED +depends_on:!MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED:MBEDTLS_ECDH_C +pass: + +Config: MBEDTLS_ECDSA_C +depends_on:MBEDTLS_ECDSA_C +pass: + +Config: !MBEDTLS_ECDSA_C +depends_on:!MBEDTLS_ECDSA_C +pass: + +Config: MBEDTLS_ECDSA_DETERMINISTIC +depends_on:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECDSA_C +pass: + +Config: !MBEDTLS_ECDSA_DETERMINISTIC +depends_on:!MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECDSA_C +pass: + +Config: MBEDTLS_ECJPAKE_C +depends_on:MBEDTLS_ECJPAKE_C +pass: + +Config: !MBEDTLS_ECJPAKE_C +depends_on:!MBEDTLS_ECJPAKE_C +pass: + +Config: MBEDTLS_ECP_C +depends_on:MBEDTLS_ECP_C +pass: + +Config: !MBEDTLS_ECP_C +depends_on:!MBEDTLS_ECP_C +pass: + +Config: MBEDTLS_ECP_DP_BP256R1_ENABLED +depends_on:MBEDTLS_ECP_DP_BP256R1_ENABLED:MBEDTLS_ECP_C +pass: + +Config: !MBEDTLS_ECP_DP_BP256R1_ENABLED +depends_on:!MBEDTLS_ECP_DP_BP256R1_ENABLED:MBEDTLS_ECP_C +pass: + +Config: MBEDTLS_ECP_DP_BP384R1_ENABLED +depends_on:MBEDTLS_ECP_DP_BP384R1_ENABLED:MBEDTLS_ECP_C +pass: + +Config: !MBEDTLS_ECP_DP_BP384R1_ENABLED +depends_on:!MBEDTLS_ECP_DP_BP384R1_ENABLED:MBEDTLS_ECP_C +pass: + +Config: MBEDTLS_ECP_DP_BP512R1_ENABLED +depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED:MBEDTLS_ECP_C +pass: + +Config: !MBEDTLS_ECP_DP_BP512R1_ENABLED +depends_on:!MBEDTLS_ECP_DP_BP512R1_ENABLED:MBEDTLS_ECP_C +pass: + +Config: MBEDTLS_ECP_DP_CURVE25519_ENABLED +depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED:MBEDTLS_ECP_C +pass: + +Config: !MBEDTLS_ECP_DP_CURVE25519_ENABLED +depends_on:!MBEDTLS_ECP_DP_CURVE25519_ENABLED:MBEDTLS_ECP_C +pass: + +Config: MBEDTLS_ECP_DP_CURVE448_ENABLED +depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED:MBEDTLS_ECP_C +pass: + +Config: !MBEDTLS_ECP_DP_CURVE448_ENABLED +depends_on:!MBEDTLS_ECP_DP_CURVE448_ENABLED:MBEDTLS_ECP_C +pass: + +Config: MBEDTLS_ECP_DP_SECP192K1_ENABLED +depends_on:MBEDTLS_ECP_DP_SECP192K1_ENABLED:MBEDTLS_ECP_C +pass: + +Config: !MBEDTLS_ECP_DP_SECP192K1_ENABLED +depends_on:!MBEDTLS_ECP_DP_SECP192K1_ENABLED:MBEDTLS_ECP_C +pass: + +Config: MBEDTLS_ECP_DP_SECP192R1_ENABLED +depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_ECP_C +pass: + +Config: !MBEDTLS_ECP_DP_SECP192R1_ENABLED +depends_on:!MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_ECP_C +pass: + +Config: MBEDTLS_ECP_DP_SECP224K1_ENABLED +depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED:MBEDTLS_ECP_C +pass: + +Config: !MBEDTLS_ECP_DP_SECP224K1_ENABLED +depends_on:!MBEDTLS_ECP_DP_SECP224K1_ENABLED:MBEDTLS_ECP_C +pass: + +Config: MBEDTLS_ECP_DP_SECP224R1_ENABLED +depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED:MBEDTLS_ECP_C +pass: + +Config: !MBEDTLS_ECP_DP_SECP224R1_ENABLED +depends_on:!MBEDTLS_ECP_DP_SECP224R1_ENABLED:MBEDTLS_ECP_C +pass: + +Config: MBEDTLS_ECP_DP_SECP256K1_ENABLED +depends_on:MBEDTLS_ECP_DP_SECP256K1_ENABLED:MBEDTLS_ECP_C +pass: + +Config: !MBEDTLS_ECP_DP_SECP256K1_ENABLED +depends_on:!MBEDTLS_ECP_DP_SECP256K1_ENABLED:MBEDTLS_ECP_C +pass: + +Config: MBEDTLS_ECP_DP_SECP256R1_ENABLED +depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_C +pass: + +Config: !MBEDTLS_ECP_DP_SECP256R1_ENABLED +depends_on:!MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_C +pass: + +Config: MBEDTLS_ECP_DP_SECP384R1_ENABLED +depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_C +pass: + +Config: !MBEDTLS_ECP_DP_SECP384R1_ENABLED +depends_on:!MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_C +pass: + +Config: MBEDTLS_ECP_DP_SECP521R1_ENABLED +depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED:MBEDTLS_ECP_C +pass: + +Config: !MBEDTLS_ECP_DP_SECP521R1_ENABLED +depends_on:!MBEDTLS_ECP_DP_SECP521R1_ENABLED:MBEDTLS_ECP_C +pass: + +Config: MBEDTLS_ECP_NIST_OPTIM +depends_on:MBEDTLS_ECP_NIST_OPTIM:MBEDTLS_ECP_C +pass: + +Config: !MBEDTLS_ECP_NIST_OPTIM +depends_on:!MBEDTLS_ECP_NIST_OPTIM:MBEDTLS_ECP_C +pass: + +Config: MBEDTLS_ECP_NO_FALLBACK +depends_on:MBEDTLS_ECP_NO_FALLBACK:MBEDTLS_ECP_C +pass: + +Config: !MBEDTLS_ECP_NO_FALLBACK +depends_on:!MBEDTLS_ECP_NO_FALLBACK:MBEDTLS_ECP_C +pass: + +Config: MBEDTLS_ECP_RESTARTABLE +depends_on:MBEDTLS_ECP_RESTARTABLE:MBEDTLS_ECP_C +pass: + +Config: !MBEDTLS_ECP_RESTARTABLE +depends_on:!MBEDTLS_ECP_RESTARTABLE:MBEDTLS_ECP_C +pass: + +Config: MBEDTLS_ECP_WITH_MPI_UINT +depends_on:MBEDTLS_ECP_WITH_MPI_UINT:MBEDTLS_ECP_C +pass: + +Config: !MBEDTLS_ECP_WITH_MPI_UINT +depends_on:!MBEDTLS_ECP_WITH_MPI_UINT:MBEDTLS_ECP_C +pass: + +Config: MBEDTLS_ENTROPY_C +depends_on:MBEDTLS_ENTROPY_C +pass: + +Config: !MBEDTLS_ENTROPY_C +depends_on:!MBEDTLS_ENTROPY_C +pass: + +Config: MBEDTLS_ENTROPY_FORCE_SHA256 +depends_on:MBEDTLS_ENTROPY_FORCE_SHA256:MBEDTLS_ENTROPY_C +pass: + +Config: !MBEDTLS_ENTROPY_FORCE_SHA256 +depends_on:!MBEDTLS_ENTROPY_FORCE_SHA256:MBEDTLS_ENTROPY_C +pass: + +Config: MBEDTLS_ENTROPY_NV_SEED +depends_on:MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_ENTROPY_C +pass: + +Config: !MBEDTLS_ENTROPY_NV_SEED +depends_on:!MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_ENTROPY_C +pass: + +Config: MBEDTLS_ERROR_C +depends_on:MBEDTLS_ERROR_C +pass: + +Config: !MBEDTLS_ERROR_C +depends_on:!MBEDTLS_ERROR_C +pass: + +Config: MBEDTLS_ERROR_STRERROR_DUMMY +depends_on:MBEDTLS_ERROR_STRERROR_DUMMY:!MBEDTLS_ERROR_C +pass: + +Config: !MBEDTLS_ERROR_STRERROR_DUMMY +depends_on:!MBEDTLS_ERROR_STRERROR_DUMMY:!MBEDTLS_ERROR_C +pass: + +Config: MBEDTLS_FS_IO +depends_on:MBEDTLS_FS_IO +pass: + +Config: !MBEDTLS_FS_IO +depends_on:!MBEDTLS_FS_IO +pass: + +Config: MBEDTLS_GCM_C +depends_on:MBEDTLS_GCM_C +pass: + +Config: !MBEDTLS_GCM_C +depends_on:!MBEDTLS_GCM_C +pass: + +Config: MBEDTLS_GCM_LARGE_TABLE +depends_on:MBEDTLS_GCM_LARGE_TABLE:MBEDTLS_GCM_C +pass: + +Config: !MBEDTLS_GCM_LARGE_TABLE +depends_on:!MBEDTLS_GCM_LARGE_TABLE:MBEDTLS_GCM_C +pass: + +Config: MBEDTLS_GENPRIME +depends_on:MBEDTLS_GENPRIME:MBEDTLS_RSA_C +pass: + +Config: !MBEDTLS_GENPRIME +depends_on:!MBEDTLS_GENPRIME:MBEDTLS_RSA_C +pass: + +Config: MBEDTLS_HAVE_ASM +depends_on:MBEDTLS_HAVE_ASM +pass: + +Config: !MBEDTLS_HAVE_ASM +depends_on:!MBEDTLS_HAVE_ASM +pass: + +Config: MBEDTLS_HAVE_SSE2 +depends_on:MBEDTLS_HAVE_SSE2 +pass: + +Config: !MBEDTLS_HAVE_SSE2 +depends_on:!MBEDTLS_HAVE_SSE2 +pass: + +Config: MBEDTLS_HAVE_TIME +depends_on:MBEDTLS_HAVE_TIME +pass: + +Config: !MBEDTLS_HAVE_TIME +depends_on:!MBEDTLS_HAVE_TIME +pass: + +Config: MBEDTLS_HAVE_TIME_DATE +depends_on:MBEDTLS_HAVE_TIME_DATE +pass: + +Config: !MBEDTLS_HAVE_TIME_DATE +depends_on:!MBEDTLS_HAVE_TIME_DATE +pass: + +Config: MBEDTLS_HKDF_C +depends_on:MBEDTLS_HKDF_C +pass: + +Config: !MBEDTLS_HKDF_C +depends_on:!MBEDTLS_HKDF_C +pass: + +Config: MBEDTLS_HMAC_DRBG_C +depends_on:MBEDTLS_HMAC_DRBG_C +pass: + +Config: !MBEDTLS_HMAC_DRBG_C +depends_on:!MBEDTLS_HMAC_DRBG_C +pass: + +Config: MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED +depends_on:MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED +pass: + +Config: !MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED +depends_on:!MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED +pass: + +Config: MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED +depends_on:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED +pass: + +Config: !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED +depends_on:!MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED +pass: + +Config: MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +depends_on:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +pass: + +Config: !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +depends_on:!MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +pass: + +Config: MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +depends_on:MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +pass: + +Config: !MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +depends_on:!MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +pass: + +Config: MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED +depends_on:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED +pass: + +Config: !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED +depends_on:!MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED +pass: + +Config: MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED +depends_on:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED +pass: + +Config: !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED +depends_on:!MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED +pass: + +Config: MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED +depends_on:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED +pass: + +Config: !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED +depends_on:!MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED +pass: + +Config: MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED +depends_on:MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED +pass: + +Config: !MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED +depends_on:!MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED +pass: + +Config: MBEDTLS_KEY_EXCHANGE_PSK_ENABLED +depends_on:MBEDTLS_KEY_EXCHANGE_PSK_ENABLED +pass: + +Config: !MBEDTLS_KEY_EXCHANGE_PSK_ENABLED +depends_on:!MBEDTLS_KEY_EXCHANGE_PSK_ENABLED +pass: + +Config: MBEDTLS_KEY_EXCHANGE_RSA_ENABLED +depends_on:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED +pass: + +Config: !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED +depends_on:!MBEDTLS_KEY_EXCHANGE_RSA_ENABLED +pass: + +Config: MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED +depends_on:MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED +pass: + +Config: !MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED +depends_on:!MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED +pass: + +Config: MBEDTLS_LMS_C +depends_on:MBEDTLS_LMS_C +pass: + +Config: !MBEDTLS_LMS_C +depends_on:!MBEDTLS_LMS_C +pass: + +Config: MBEDTLS_LMS_PRIVATE +depends_on:MBEDTLS_LMS_PRIVATE:MBEDTLS_LMS_C +pass: + +Config: !MBEDTLS_LMS_PRIVATE +depends_on:!MBEDTLS_LMS_PRIVATE:MBEDTLS_LMS_C +pass: + +Config: MBEDTLS_MD5_C +depends_on:MBEDTLS_MD5_C +pass: + +Config: !MBEDTLS_MD5_C +depends_on:!MBEDTLS_MD5_C +pass: + +Config: MBEDTLS_MD_C +depends_on:MBEDTLS_MD_C +pass: + +Config: !MBEDTLS_MD_C +depends_on:!MBEDTLS_MD_C +pass: + +Config: MBEDTLS_MEMORY_BACKTRACE +depends_on:MBEDTLS_MEMORY_BACKTRACE +pass: + +Config: !MBEDTLS_MEMORY_BACKTRACE +depends_on:!MBEDTLS_MEMORY_BACKTRACE +pass: + +Config: MBEDTLS_MEMORY_BUFFER_ALLOC_C +depends_on:MBEDTLS_MEMORY_BUFFER_ALLOC_C +pass: + +Config: !MBEDTLS_MEMORY_BUFFER_ALLOC_C +depends_on:!MBEDTLS_MEMORY_BUFFER_ALLOC_C +pass: + +Config: MBEDTLS_MEMORY_DEBUG +depends_on:MBEDTLS_MEMORY_DEBUG +pass: + +Config: !MBEDTLS_MEMORY_DEBUG +depends_on:!MBEDTLS_MEMORY_DEBUG +pass: + +Config: MBEDTLS_NET_C +depends_on:MBEDTLS_NET_C +pass: + +Config: !MBEDTLS_NET_C +depends_on:!MBEDTLS_NET_C +pass: + +Config: MBEDTLS_NIST_KW_C +depends_on:MBEDTLS_NIST_KW_C +pass: + +Config: !MBEDTLS_NIST_KW_C +depends_on:!MBEDTLS_NIST_KW_C +pass: + +Config: MBEDTLS_NO_64BIT_MULTIPLICATION +depends_on:MBEDTLS_NO_64BIT_MULTIPLICATION +pass: + +Config: !MBEDTLS_NO_64BIT_MULTIPLICATION +depends_on:!MBEDTLS_NO_64BIT_MULTIPLICATION +pass: + +Config: MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES +depends_on:MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES:MBEDTLS_ENTROPY_C +pass: + +Config: !MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES +depends_on:!MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES:MBEDTLS_ENTROPY_C +pass: + +Config: MBEDTLS_NO_PLATFORM_ENTROPY +depends_on:MBEDTLS_NO_PLATFORM_ENTROPY:MBEDTLS_ENTROPY_C +pass: + +Config: !MBEDTLS_NO_PLATFORM_ENTROPY +depends_on:!MBEDTLS_NO_PLATFORM_ENTROPY:MBEDTLS_ENTROPY_C +pass: + +Config: MBEDTLS_NO_UDBL_DIVISION +depends_on:MBEDTLS_NO_UDBL_DIVISION +pass: + +Config: !MBEDTLS_NO_UDBL_DIVISION +depends_on:!MBEDTLS_NO_UDBL_DIVISION +pass: + +Config: MBEDTLS_OID_C +depends_on:MBEDTLS_OID_C +pass: + +Config: !MBEDTLS_OID_C +depends_on:!MBEDTLS_OID_C +pass: + +Config: MBEDTLS_PADLOCK_C +depends_on:MBEDTLS_PADLOCK_C +pass: + +Config: !MBEDTLS_PADLOCK_C +depends_on:!MBEDTLS_PADLOCK_C +pass: + +Config: MBEDTLS_PEM_PARSE_C +depends_on:MBEDTLS_PEM_PARSE_C +pass: + +Config: !MBEDTLS_PEM_PARSE_C +depends_on:!MBEDTLS_PEM_PARSE_C +pass: + +Config: MBEDTLS_PEM_WRITE_C +depends_on:MBEDTLS_PEM_WRITE_C +pass: + +Config: !MBEDTLS_PEM_WRITE_C +depends_on:!MBEDTLS_PEM_WRITE_C +pass: + +Config: MBEDTLS_PKCS12_C +depends_on:MBEDTLS_PKCS12_C +pass: + +Config: !MBEDTLS_PKCS12_C +depends_on:!MBEDTLS_PKCS12_C +pass: + +Config: MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C +pass: + +Config: !MBEDTLS_PKCS1_V15 +depends_on:!MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C +pass: + +Config: MBEDTLS_PKCS1_V21 +depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_RSA_C +pass: + +Config: !MBEDTLS_PKCS1_V21 +depends_on:!MBEDTLS_PKCS1_V21:MBEDTLS_RSA_C +pass: + +Config: MBEDTLS_PKCS5_C +depends_on:MBEDTLS_PKCS5_C +pass: + +Config: !MBEDTLS_PKCS5_C +depends_on:!MBEDTLS_PKCS5_C +pass: + +Config: MBEDTLS_PKCS7_C +depends_on:MBEDTLS_PKCS7_C +pass: + +Config: !MBEDTLS_PKCS7_C +depends_on:!MBEDTLS_PKCS7_C +pass: + +Config: MBEDTLS_PK_C +depends_on:MBEDTLS_PK_C +pass: + +Config: !MBEDTLS_PK_C +depends_on:!MBEDTLS_PK_C +pass: + +Config: MBEDTLS_PK_PARSE_C +depends_on:MBEDTLS_PK_PARSE_C +pass: + +Config: !MBEDTLS_PK_PARSE_C +depends_on:!MBEDTLS_PK_PARSE_C +pass: + +Config: MBEDTLS_PK_PARSE_EC_COMPRESSED +depends_on:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_PK_C:MBEDTLS_PK_HAVE_ECC_KEYS +pass: + +Config: !MBEDTLS_PK_PARSE_EC_COMPRESSED +depends_on:!MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_PK_C:MBEDTLS_PK_HAVE_ECC_KEYS +pass: + +Config: MBEDTLS_PK_PARSE_EC_EXTENDED +depends_on:MBEDTLS_PK_PARSE_EC_EXTENDED:MBEDTLS_PK_C:MBEDTLS_PK_HAVE_ECC_KEYS +pass: + +Config: !MBEDTLS_PK_PARSE_EC_EXTENDED +depends_on:!MBEDTLS_PK_PARSE_EC_EXTENDED:MBEDTLS_PK_C:MBEDTLS_PK_HAVE_ECC_KEYS +pass: + +Config: MBEDTLS_PK_RSA_ALT_SUPPORT +depends_on:MBEDTLS_PK_RSA_ALT_SUPPORT:MBEDTLS_PK_C +pass: + +Config: !MBEDTLS_PK_RSA_ALT_SUPPORT +depends_on:!MBEDTLS_PK_RSA_ALT_SUPPORT:MBEDTLS_PK_C +pass: + +Config: MBEDTLS_PK_WRITE_C +depends_on:MBEDTLS_PK_WRITE_C +pass: + +Config: !MBEDTLS_PK_WRITE_C +depends_on:!MBEDTLS_PK_WRITE_C +pass: + +Config: MBEDTLS_PLATFORM_C +depends_on:MBEDTLS_PLATFORM_C +pass: + +Config: !MBEDTLS_PLATFORM_C +depends_on:!MBEDTLS_PLATFORM_C +pass: + +Config: MBEDTLS_PLATFORM_EXIT_ALT +depends_on:MBEDTLS_PLATFORM_EXIT_ALT:MBEDTLS_PLATFORM_C +pass: + +Config: !MBEDTLS_PLATFORM_EXIT_ALT +depends_on:!MBEDTLS_PLATFORM_EXIT_ALT:MBEDTLS_PLATFORM_C +pass: + +Config: MBEDTLS_PLATFORM_FPRINTF_ALT +depends_on:MBEDTLS_PLATFORM_FPRINTF_ALT:MBEDTLS_PLATFORM_C +pass: + +Config: !MBEDTLS_PLATFORM_FPRINTF_ALT +depends_on:!MBEDTLS_PLATFORM_FPRINTF_ALT:MBEDTLS_PLATFORM_C +pass: + +Config: MBEDTLS_PLATFORM_MEMORY +depends_on:MBEDTLS_PLATFORM_MEMORY:MBEDTLS_PLATFORM_C +pass: + +Config: !MBEDTLS_PLATFORM_MEMORY +depends_on:!MBEDTLS_PLATFORM_MEMORY:MBEDTLS_PLATFORM_C +pass: + +Config: MBEDTLS_PLATFORM_NO_STD_FUNCTIONS +depends_on:MBEDTLS_PLATFORM_NO_STD_FUNCTIONS:MBEDTLS_PLATFORM_C +pass: + +Config: !MBEDTLS_PLATFORM_NO_STD_FUNCTIONS +depends_on:!MBEDTLS_PLATFORM_NO_STD_FUNCTIONS:MBEDTLS_PLATFORM_C +pass: + +Config: MBEDTLS_PLATFORM_NV_SEED_ALT +depends_on:MBEDTLS_PLATFORM_NV_SEED_ALT:MBEDTLS_PLATFORM_C +pass: + +Config: !MBEDTLS_PLATFORM_NV_SEED_ALT +depends_on:!MBEDTLS_PLATFORM_NV_SEED_ALT:MBEDTLS_PLATFORM_C +pass: + +Config: MBEDTLS_PLATFORM_PRINTF_ALT +depends_on:MBEDTLS_PLATFORM_PRINTF_ALT:MBEDTLS_PLATFORM_C +pass: + +Config: !MBEDTLS_PLATFORM_PRINTF_ALT +depends_on:!MBEDTLS_PLATFORM_PRINTF_ALT:MBEDTLS_PLATFORM_C +pass: + +Config: MBEDTLS_PLATFORM_SETBUF_ALT +depends_on:MBEDTLS_PLATFORM_SETBUF_ALT:MBEDTLS_PLATFORM_C +pass: + +Config: !MBEDTLS_PLATFORM_SETBUF_ALT +depends_on:!MBEDTLS_PLATFORM_SETBUF_ALT:MBEDTLS_PLATFORM_C +pass: + +Config: MBEDTLS_PLATFORM_SNPRINTF_ALT +depends_on:MBEDTLS_PLATFORM_SNPRINTF_ALT:MBEDTLS_PLATFORM_C +pass: + +Config: !MBEDTLS_PLATFORM_SNPRINTF_ALT +depends_on:!MBEDTLS_PLATFORM_SNPRINTF_ALT:MBEDTLS_PLATFORM_C +pass: + +Config: MBEDTLS_PLATFORM_TIME_ALT +depends_on:MBEDTLS_PLATFORM_TIME_ALT:MBEDTLS_PLATFORM_C +pass: + +Config: !MBEDTLS_PLATFORM_TIME_ALT +depends_on:!MBEDTLS_PLATFORM_TIME_ALT:MBEDTLS_PLATFORM_C +pass: + +Config: MBEDTLS_PLATFORM_VSNPRINTF_ALT +depends_on:MBEDTLS_PLATFORM_VSNPRINTF_ALT:MBEDTLS_PLATFORM_C +pass: + +Config: !MBEDTLS_PLATFORM_VSNPRINTF_ALT +depends_on:!MBEDTLS_PLATFORM_VSNPRINTF_ALT:MBEDTLS_PLATFORM_C +pass: + +Config: MBEDTLS_POLY1305_C +depends_on:MBEDTLS_POLY1305_C +pass: + +Config: !MBEDTLS_POLY1305_C +depends_on:!MBEDTLS_POLY1305_C +pass: + +Config: MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS +depends_on:MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS:MBEDTLS_PSA_CRYPTO_C +pass: + +Config: !MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS +depends_on:!MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS:MBEDTLS_PSA_CRYPTO_C +pass: + +Config: MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS +depends_on:MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS:MBEDTLS_PSA_CRYPTO_C +pass: + +Config: !MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS +depends_on:!MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS:MBEDTLS_PSA_CRYPTO_C +pass: + +Config: MBEDTLS_PSA_CRYPTO_C +depends_on:MBEDTLS_PSA_CRYPTO_C +pass: + +Config: !MBEDTLS_PSA_CRYPTO_C +depends_on:!MBEDTLS_PSA_CRYPTO_C +pass: + +Config: MBEDTLS_PSA_CRYPTO_CLIENT +depends_on:MBEDTLS_PSA_CRYPTO_CLIENT:!MBEDTLS_PSA_CRYPTO_C +pass: + +Config: !MBEDTLS_PSA_CRYPTO_CLIENT +depends_on:!MBEDTLS_PSA_CRYPTO_CLIENT:!MBEDTLS_PSA_CRYPTO_C +pass: + +Config: MBEDTLS_PSA_CRYPTO_CONFIG +depends_on:MBEDTLS_PSA_CRYPTO_CONFIG:MBEDTLS_PSA_CRYPTO_C +pass: + +Config: !MBEDTLS_PSA_CRYPTO_CONFIG +depends_on:!MBEDTLS_PSA_CRYPTO_CONFIG:MBEDTLS_PSA_CRYPTO_C +pass: + +Config: MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG +depends_on:MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG:MBEDTLS_PSA_CRYPTO_C +pass: + +Config: !MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG +depends_on:!MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG:MBEDTLS_PSA_CRYPTO_C +pass: + +Config: MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER +depends_on:MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER:MBEDTLS_PSA_CRYPTO_C +pass: + +Config: !MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER +depends_on:!MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER:MBEDTLS_PSA_CRYPTO_C +pass: + +Config: MBEDTLS_PSA_CRYPTO_SE_C +depends_on:MBEDTLS_PSA_CRYPTO_SE_C +pass: + +Config: !MBEDTLS_PSA_CRYPTO_SE_C +depends_on:!MBEDTLS_PSA_CRYPTO_SE_C +pass: + +Config: MBEDTLS_PSA_CRYPTO_SPM +depends_on:MBEDTLS_PSA_CRYPTO_SPM:MBEDTLS_PSA_CRYPTO_C +pass: + +Config: !MBEDTLS_PSA_CRYPTO_SPM +depends_on:!MBEDTLS_PSA_CRYPTO_SPM:MBEDTLS_PSA_CRYPTO_C +pass: + +Config: MBEDTLS_PSA_CRYPTO_STORAGE_C +depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C +pass: + +Config: !MBEDTLS_PSA_CRYPTO_STORAGE_C +depends_on:!MBEDTLS_PSA_CRYPTO_STORAGE_C +pass: + +Config: MBEDTLS_PSA_INJECT_ENTROPY +depends_on:MBEDTLS_PSA_INJECT_ENTROPY:MBEDTLS_PSA_CRYPTO_C +pass: + +Config: !MBEDTLS_PSA_INJECT_ENTROPY +depends_on:!MBEDTLS_PSA_INJECT_ENTROPY:MBEDTLS_PSA_CRYPTO_C +pass: + +Config: MBEDTLS_PSA_ITS_FILE_C +depends_on:MBEDTLS_PSA_ITS_FILE_C +pass: + +Config: !MBEDTLS_PSA_ITS_FILE_C +depends_on:!MBEDTLS_PSA_ITS_FILE_C +pass: + +Config: MBEDTLS_PSA_KEY_STORE_DYNAMIC +depends_on:MBEDTLS_PSA_KEY_STORE_DYNAMIC +pass: + +Config: !MBEDTLS_PSA_KEY_STORE_DYNAMIC +depends_on:!MBEDTLS_PSA_KEY_STORE_DYNAMIC +pass: + +Config: MBEDTLS_PSA_P256M_DRIVER_ENABLED +depends_on:MBEDTLS_PSA_P256M_DRIVER_ENABLED +pass: + +Config: !MBEDTLS_PSA_P256M_DRIVER_ENABLED +depends_on:!MBEDTLS_PSA_P256M_DRIVER_ENABLED +pass: + +Config: MBEDTLS_RIPEMD160_C +depends_on:MBEDTLS_RIPEMD160_C +pass: + +Config: !MBEDTLS_RIPEMD160_C +depends_on:!MBEDTLS_RIPEMD160_C +pass: + +Config: MBEDTLS_RSA_C +depends_on:MBEDTLS_RSA_C +pass: + +Config: !MBEDTLS_RSA_C +depends_on:!MBEDTLS_RSA_C +pass: + +Config: MBEDTLS_RSA_NO_CRT +depends_on:MBEDTLS_RSA_NO_CRT:MBEDTLS_RSA_C +pass: + +Config: !MBEDTLS_RSA_NO_CRT +depends_on:!MBEDTLS_RSA_NO_CRT:MBEDTLS_RSA_C +pass: + +Config: MBEDTLS_SELF_TEST +depends_on:MBEDTLS_SELF_TEST +pass: + +Config: !MBEDTLS_SELF_TEST +depends_on:!MBEDTLS_SELF_TEST +pass: + +Config: MBEDTLS_SHA1_C +depends_on:MBEDTLS_SHA1_C +pass: + +Config: !MBEDTLS_SHA1_C +depends_on:!MBEDTLS_SHA1_C +pass: + +Config: MBEDTLS_SHA224_C +depends_on:MBEDTLS_SHA224_C +pass: + +Config: !MBEDTLS_SHA224_C +depends_on:!MBEDTLS_SHA224_C +pass: + +Config: MBEDTLS_SHA256_C +depends_on:MBEDTLS_SHA256_C +pass: + +Config: !MBEDTLS_SHA256_C +depends_on:!MBEDTLS_SHA256_C +pass: + +Config: MBEDTLS_SHA256_SMALLER +depends_on:MBEDTLS_SHA256_SMALLER:MBEDTLS_SHA256_C +pass: + +Config: !MBEDTLS_SHA256_SMALLER +depends_on:!MBEDTLS_SHA256_SMALLER:MBEDTLS_SHA256_C +pass: + +Config: MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT +depends_on:MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT:MBEDTLS_SHA256_C +pass: + +Config: !MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT +depends_on:!MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT:MBEDTLS_SHA256_C +pass: + +Config: MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY +depends_on:MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY:MBEDTLS_SHA256_C +pass: + +Config: !MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY +depends_on:!MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY:MBEDTLS_SHA256_C +pass: + +Config: MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT +depends_on:MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT:MBEDTLS_SHA256_C +pass: + +Config: !MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT +depends_on:!MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT:MBEDTLS_SHA256_C +pass: + +Config: MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY +depends_on:MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY:MBEDTLS_SHA256_C +pass: + +Config: !MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY +depends_on:!MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY:MBEDTLS_SHA256_C +pass: + +Config: MBEDTLS_SHA384_C +depends_on:MBEDTLS_SHA384_C +pass: + +Config: !MBEDTLS_SHA384_C +depends_on:!MBEDTLS_SHA384_C +pass: + +Config: MBEDTLS_SHA3_C +depends_on:MBEDTLS_SHA3_C +pass: + +Config: !MBEDTLS_SHA3_C +depends_on:!MBEDTLS_SHA3_C +pass: + +Config: MBEDTLS_SHA512_C +depends_on:MBEDTLS_SHA512_C +pass: + +Config: !MBEDTLS_SHA512_C +depends_on:!MBEDTLS_SHA512_C +pass: + +Config: MBEDTLS_SHA512_SMALLER +depends_on:MBEDTLS_SHA512_SMALLER:MBEDTLS_SHA512_C +pass: + +Config: !MBEDTLS_SHA512_SMALLER +depends_on:!MBEDTLS_SHA512_SMALLER:MBEDTLS_SHA512_C +pass: + +Config: MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT +depends_on:MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT:MBEDTLS_SHA512_C +pass: + +Config: !MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT +depends_on:!MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT:MBEDTLS_SHA512_C +pass: + +Config: MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY +depends_on:MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY:MBEDTLS_SHA512_C +pass: + +Config: !MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY +depends_on:!MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY:MBEDTLS_SHA512_C +pass: + +Config: MBEDTLS_SSL_ALL_ALERT_MESSAGES +depends_on:MBEDTLS_SSL_ALL_ALERT_MESSAGES:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: !MBEDTLS_SSL_ALL_ALERT_MESSAGES +depends_on:!MBEDTLS_SSL_ALL_ALERT_MESSAGES:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: MBEDTLS_SSL_ALPN +depends_on:MBEDTLS_SSL_ALPN:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: !MBEDTLS_SSL_ALPN +depends_on:!MBEDTLS_SSL_ALPN:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: MBEDTLS_SSL_ASYNC_PRIVATE +depends_on:MBEDTLS_SSL_ASYNC_PRIVATE:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: !MBEDTLS_SSL_ASYNC_PRIVATE +depends_on:!MBEDTLS_SSL_ASYNC_PRIVATE:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: MBEDTLS_SSL_CACHE_C +depends_on:MBEDTLS_SSL_CACHE_C +pass: + +Config: !MBEDTLS_SSL_CACHE_C +depends_on:!MBEDTLS_SSL_CACHE_C +pass: + +Config: MBEDTLS_SSL_CLI_C +depends_on:MBEDTLS_SSL_CLI_C +pass: + +Config: !MBEDTLS_SSL_CLI_C +depends_on:!MBEDTLS_SSL_CLI_C +pass: + +Config: MBEDTLS_SSL_CONTEXT_SERIALIZATION +depends_on:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: !MBEDTLS_SSL_CONTEXT_SERIALIZATION +depends_on:!MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: MBEDTLS_SSL_COOKIE_C +depends_on:MBEDTLS_SSL_COOKIE_C +pass: + +Config: !MBEDTLS_SSL_COOKIE_C +depends_on:!MBEDTLS_SSL_COOKIE_C +pass: + +Config: MBEDTLS_SSL_DEBUG_ALL +depends_on:MBEDTLS_SSL_DEBUG_ALL:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: !MBEDTLS_SSL_DEBUG_ALL +depends_on:!MBEDTLS_SSL_DEBUG_ALL:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: MBEDTLS_SSL_DTLS_ANTI_REPLAY +depends_on:MBEDTLS_SSL_DTLS_ANTI_REPLAY:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_PROTO_DTLS +pass: + +Config: !MBEDTLS_SSL_DTLS_ANTI_REPLAY +depends_on:!MBEDTLS_SSL_DTLS_ANTI_REPLAY:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_PROTO_DTLS +pass: + +Config: MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE +depends_on:MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_PROTO_DTLS +pass: + +Config: !MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE +depends_on:!MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_PROTO_DTLS +pass: + +Config: MBEDTLS_SSL_DTLS_CONNECTION_ID +depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_PROTO_DTLS +pass: + +Config: !MBEDTLS_SSL_DTLS_CONNECTION_ID +depends_on:!MBEDTLS_SSL_DTLS_CONNECTION_ID:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_PROTO_DTLS +pass: + +Config: MBEDTLS_SSL_DTLS_HELLO_VERIFY +depends_on:MBEDTLS_SSL_DTLS_HELLO_VERIFY:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_PROTO_DTLS +pass: + +Config: !MBEDTLS_SSL_DTLS_HELLO_VERIFY +depends_on:!MBEDTLS_SSL_DTLS_HELLO_VERIFY:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_PROTO_DTLS +pass: + +Config: MBEDTLS_SSL_DTLS_SRTP +depends_on:MBEDTLS_SSL_DTLS_SRTP:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_PROTO_DTLS +pass: + +Config: !MBEDTLS_SSL_DTLS_SRTP +depends_on:!MBEDTLS_SSL_DTLS_SRTP:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_PROTO_DTLS +pass: + +Config: MBEDTLS_SSL_EARLY_DATA +depends_on:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_PROTO_TLS1_3 +pass: + +Config: !MBEDTLS_SSL_EARLY_DATA +depends_on:!MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_PROTO_TLS1_3 +pass: + +Config: MBEDTLS_SSL_ENCRYPT_THEN_MAC +depends_on:MBEDTLS_SSL_ENCRYPT_THEN_MAC:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: !MBEDTLS_SSL_ENCRYPT_THEN_MAC +depends_on:!MBEDTLS_SSL_ENCRYPT_THEN_MAC:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: MBEDTLS_SSL_EXTENDED_MASTER_SECRET +depends_on:MBEDTLS_SSL_EXTENDED_MASTER_SECRET:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: !MBEDTLS_SSL_EXTENDED_MASTER_SECRET +depends_on:!MBEDTLS_SSL_EXTENDED_MASTER_SECRET:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: MBEDTLS_SSL_KEEP_PEER_CERTIFICATE +depends_on:MBEDTLS_SSL_KEEP_PEER_CERTIFICATE:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE +depends_on:!MBEDTLS_SSL_KEEP_PEER_CERTIFICATE:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: !MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +depends_on:!MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: MBEDTLS_SSL_PROTO_DTLS +depends_on:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: !MBEDTLS_SSL_PROTO_DTLS +depends_on:!MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: MBEDTLS_SSL_PROTO_TLS1_2 +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: !MBEDTLS_SSL_PROTO_TLS1_2 +depends_on:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: MBEDTLS_SSL_PROTO_TLS1_3 +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: !MBEDTLS_SSL_PROTO_TLS1_3 +depends_on:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: MBEDTLS_SSL_RECORD_SIZE_LIMIT +depends_on:MBEDTLS_SSL_RECORD_SIZE_LIMIT:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: !MBEDTLS_SSL_RECORD_SIZE_LIMIT +depends_on:!MBEDTLS_SSL_RECORD_SIZE_LIMIT:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: MBEDTLS_SSL_RENEGOTIATION +depends_on:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: !MBEDTLS_SSL_RENEGOTIATION +depends_on:!MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: MBEDTLS_SSL_SERVER_NAME_INDICATION +depends_on:MBEDTLS_SSL_SERVER_NAME_INDICATION:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: !MBEDTLS_SSL_SERVER_NAME_INDICATION +depends_on:!MBEDTLS_SSL_SERVER_NAME_INDICATION:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: MBEDTLS_SSL_SESSION_TICKETS +depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: !MBEDTLS_SSL_SESSION_TICKETS +depends_on:!MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: MBEDTLS_SSL_SRV_C +depends_on:MBEDTLS_SSL_SRV_C +pass: + +Config: !MBEDTLS_SSL_SRV_C +depends_on:!MBEDTLS_SSL_SRV_C +pass: + +Config: MBEDTLS_SSL_TICKET_C +depends_on:MBEDTLS_SSL_TICKET_C +pass: + +Config: !MBEDTLS_SSL_TICKET_C +depends_on:!MBEDTLS_SSL_TICKET_C +pass: + +Config: MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +depends_on:MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_PROTO_TLS1_3 +pass: + +Config: !MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +depends_on:!MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_PROTO_TLS1_3 +pass: + +Config: MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +depends_on:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_PROTO_TLS1_3 +pass: + +Config: !MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +depends_on:!MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_PROTO_TLS1_3 +pass: + +Config: MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED +depends_on:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_PROTO_TLS1_3 +pass: + +Config: !MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED +depends_on:!MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_PROTO_TLS1_3 +pass: + +Config: MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +depends_on:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_PROTO_TLS1_3 +pass: + +Config: !MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +depends_on:!MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_PROTO_TLS1_3 +pass: + +Config: MBEDTLS_SSL_TLS_C +depends_on:MBEDTLS_SSL_TLS_C +pass: + +Config: !MBEDTLS_SSL_TLS_C +depends_on:!MBEDTLS_SSL_TLS_C +pass: + +Config: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH +depends_on:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: !MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH +depends_on:!MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C +pass: + +Config: MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN +depends_on:MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN +pass: + +Config: !MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN +depends_on:!MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN +pass: + +Config: MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND +depends_on:MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND +pass: + +Config: !MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND +depends_on:!MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND +pass: + +Config: MBEDTLS_TEST_HOOKS +depends_on:MBEDTLS_TEST_HOOKS +pass: + +Config: !MBEDTLS_TEST_HOOKS +depends_on:!MBEDTLS_TEST_HOOKS +pass: + +Config: MBEDTLS_THREADING_C +depends_on:MBEDTLS_THREADING_C +pass: + +Config: !MBEDTLS_THREADING_C +depends_on:!MBEDTLS_THREADING_C +pass: + +Config: MBEDTLS_THREADING_PTHREAD +depends_on:MBEDTLS_THREADING_PTHREAD:MBEDTLS_THREADING_C +pass: + +Config: !MBEDTLS_THREADING_PTHREAD +depends_on:!MBEDTLS_THREADING_PTHREAD:MBEDTLS_THREADING_C +pass: + +Config: MBEDTLS_TIMING_C +depends_on:MBEDTLS_TIMING_C +pass: + +Config: !MBEDTLS_TIMING_C +depends_on:!MBEDTLS_TIMING_C +pass: + +Config: MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_USE_PSA_CRYPTO +pass: + +Config: !MBEDTLS_USE_PSA_CRYPTO +depends_on:!MBEDTLS_USE_PSA_CRYPTO +pass: + +Config: MBEDTLS_VERSION_C +depends_on:MBEDTLS_VERSION_C +pass: + +Config: !MBEDTLS_VERSION_C +depends_on:!MBEDTLS_VERSION_C +pass: + +Config: MBEDTLS_VERSION_FEATURES +depends_on:MBEDTLS_VERSION_FEATURES:MBEDTLS_VERSION_C +pass: + +Config: !MBEDTLS_VERSION_FEATURES +depends_on:!MBEDTLS_VERSION_FEATURES:MBEDTLS_VERSION_C +pass: + +Config: MBEDTLS_X509_CREATE_C +depends_on:MBEDTLS_X509_CREATE_C +pass: + +Config: !MBEDTLS_X509_CREATE_C +depends_on:!MBEDTLS_X509_CREATE_C +pass: + +Config: MBEDTLS_X509_CRL_PARSE_C +depends_on:MBEDTLS_X509_CRL_PARSE_C +pass: + +Config: !MBEDTLS_X509_CRL_PARSE_C +depends_on:!MBEDTLS_X509_CRL_PARSE_C +pass: + +Config: MBEDTLS_X509_CRT_PARSE_C +depends_on:MBEDTLS_X509_CRT_PARSE_C +pass: + +Config: !MBEDTLS_X509_CRT_PARSE_C +depends_on:!MBEDTLS_X509_CRT_PARSE_C +pass: + +Config: MBEDTLS_X509_CRT_WRITE_C +depends_on:MBEDTLS_X509_CRT_WRITE_C +pass: + +Config: !MBEDTLS_X509_CRT_WRITE_C +depends_on:!MBEDTLS_X509_CRT_WRITE_C +pass: + +Config: MBEDTLS_X509_CSR_PARSE_C +depends_on:MBEDTLS_X509_CSR_PARSE_C +pass: + +Config: !MBEDTLS_X509_CSR_PARSE_C +depends_on:!MBEDTLS_X509_CSR_PARSE_C +pass: + +Config: MBEDTLS_X509_CSR_WRITE_C +depends_on:MBEDTLS_X509_CSR_WRITE_C +pass: + +Config: !MBEDTLS_X509_CSR_WRITE_C +depends_on:!MBEDTLS_X509_CSR_WRITE_C +pass: + +Config: MBEDTLS_X509_REMOVE_INFO +depends_on:MBEDTLS_X509_REMOVE_INFO +pass: + +Config: !MBEDTLS_X509_REMOVE_INFO +depends_on:!MBEDTLS_X509_REMOVE_INFO +pass: + +Config: MBEDTLS_X509_RSASSA_PSS_SUPPORT +depends_on:MBEDTLS_X509_RSASSA_PSS_SUPPORT +pass: + +Config: !MBEDTLS_X509_RSASSA_PSS_SUPPORT +depends_on:!MBEDTLS_X509_RSASSA_PSS_SUPPORT +pass: + +Config: MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK +depends_on:MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK +pass: + +Config: !MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK +depends_on:!MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK +pass: + +Config: MBEDTLS_X509_USE_C +depends_on:MBEDTLS_X509_USE_C +pass: + +Config: !MBEDTLS_X509_USE_C +depends_on:!MBEDTLS_X509_USE_C +pass: + +# End of automatically generated file. diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_config.psa_boolean.data b/yass/third_party/mbedtls/tests/suites/test_suite_config.psa_boolean.data new file mode 100644 index 0000000000..e2552effac --- /dev/null +++ b/yass/third_party/mbedtls/tests/suites/test_suite_config.psa_boolean.data @@ -0,0 +1,731 @@ +# Automatically generated by generate_config_tests.py. Do not edit! + +Config: PSA_WANT_ALG_CBC_MAC +depends_on:PSA_WANT_ALG_CBC_MAC +pass: + +Config: !PSA_WANT_ALG_CBC_MAC +depends_on:!PSA_WANT_ALG_CBC_MAC +pass: + +Config: PSA_WANT_ALG_CBC_NO_PADDING +depends_on:PSA_WANT_ALG_CBC_NO_PADDING +pass: + +Config: !PSA_WANT_ALG_CBC_NO_PADDING +depends_on:!PSA_WANT_ALG_CBC_NO_PADDING +pass: + +Config: PSA_WANT_ALG_CBC_PKCS7 +depends_on:PSA_WANT_ALG_CBC_PKCS7 +pass: + +Config: !PSA_WANT_ALG_CBC_PKCS7 +depends_on:!PSA_WANT_ALG_CBC_PKCS7 +pass: + +Config: PSA_WANT_ALG_CCM +depends_on:PSA_WANT_ALG_CCM +pass: + +Config: !PSA_WANT_ALG_CCM +depends_on:!PSA_WANT_ALG_CCM +pass: + +Config: PSA_WANT_ALG_CCM_STAR_NO_TAG +depends_on:PSA_WANT_ALG_CCM_STAR_NO_TAG +pass: + +Config: !PSA_WANT_ALG_CCM_STAR_NO_TAG +depends_on:!PSA_WANT_ALG_CCM_STAR_NO_TAG +pass: + +Config: PSA_WANT_ALG_CFB +depends_on:PSA_WANT_ALG_CFB +pass: + +Config: !PSA_WANT_ALG_CFB +depends_on:!PSA_WANT_ALG_CFB +pass: + +Config: PSA_WANT_ALG_CHACHA20_POLY1305 +depends_on:PSA_WANT_ALG_CHACHA20_POLY1305 +pass: + +Config: !PSA_WANT_ALG_CHACHA20_POLY1305 +depends_on:!PSA_WANT_ALG_CHACHA20_POLY1305 +pass: + +Config: PSA_WANT_ALG_CMAC +depends_on:PSA_WANT_ALG_CMAC +pass: + +Config: !PSA_WANT_ALG_CMAC +depends_on:!PSA_WANT_ALG_CMAC +pass: + +Config: PSA_WANT_ALG_CTR +depends_on:PSA_WANT_ALG_CTR +pass: + +Config: !PSA_WANT_ALG_CTR +depends_on:!PSA_WANT_ALG_CTR +pass: + +Config: PSA_WANT_ALG_DETERMINISTIC_ECDSA +depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA +pass: + +Config: !PSA_WANT_ALG_DETERMINISTIC_ECDSA +depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA +pass: + +Config: PSA_WANT_ALG_ECB_NO_PADDING +depends_on:PSA_WANT_ALG_ECB_NO_PADDING +pass: + +Config: !PSA_WANT_ALG_ECB_NO_PADDING +depends_on:!PSA_WANT_ALG_ECB_NO_PADDING +pass: + +Config: PSA_WANT_ALG_ECDH +depends_on:PSA_WANT_ALG_ECDH +pass: + +Config: !PSA_WANT_ALG_ECDH +depends_on:!PSA_WANT_ALG_ECDH +pass: + +Config: PSA_WANT_ALG_ECDSA +depends_on:PSA_WANT_ALG_ECDSA +pass: + +Config: !PSA_WANT_ALG_ECDSA +depends_on:!PSA_WANT_ALG_ECDSA +pass: + +Config: PSA_WANT_ALG_FFDH +depends_on:PSA_WANT_ALG_FFDH +pass: + +Config: !PSA_WANT_ALG_FFDH +depends_on:!PSA_WANT_ALG_FFDH +pass: + +Config: PSA_WANT_ALG_GCM +depends_on:PSA_WANT_ALG_GCM +pass: + +Config: !PSA_WANT_ALG_GCM +depends_on:!PSA_WANT_ALG_GCM +pass: + +Config: PSA_WANT_ALG_HKDF +depends_on:PSA_WANT_ALG_HKDF +pass: + +Config: !PSA_WANT_ALG_HKDF +depends_on:!PSA_WANT_ALG_HKDF +pass: + +Config: PSA_WANT_ALG_HKDF_EXPAND +depends_on:PSA_WANT_ALG_HKDF_EXPAND +pass: + +Config: !PSA_WANT_ALG_HKDF_EXPAND +depends_on:!PSA_WANT_ALG_HKDF_EXPAND +pass: + +Config: PSA_WANT_ALG_HKDF_EXTRACT +depends_on:PSA_WANT_ALG_HKDF_EXTRACT +pass: + +Config: !PSA_WANT_ALG_HKDF_EXTRACT +depends_on:!PSA_WANT_ALG_HKDF_EXTRACT +pass: + +Config: PSA_WANT_ALG_HMAC +depends_on:PSA_WANT_ALG_HMAC +pass: + +Config: !PSA_WANT_ALG_HMAC +depends_on:!PSA_WANT_ALG_HMAC +pass: + +Config: PSA_WANT_ALG_JPAKE +depends_on:PSA_WANT_ALG_JPAKE +pass: + +Config: !PSA_WANT_ALG_JPAKE +depends_on:!PSA_WANT_ALG_JPAKE +pass: + +Config: PSA_WANT_ALG_MD5 +depends_on:PSA_WANT_ALG_MD5 +pass: + +Config: !PSA_WANT_ALG_MD5 +depends_on:!PSA_WANT_ALG_MD5 +pass: + +Config: PSA_WANT_ALG_OFB +depends_on:PSA_WANT_ALG_OFB +pass: + +Config: !PSA_WANT_ALG_OFB +depends_on:!PSA_WANT_ALG_OFB +pass: + +Config: PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 +depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 +pass: + +Config: !PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 +depends_on:!PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 +pass: + +Config: PSA_WANT_ALG_PBKDF2_HMAC +depends_on:PSA_WANT_ALG_PBKDF2_HMAC +pass: + +Config: !PSA_WANT_ALG_PBKDF2_HMAC +depends_on:!PSA_WANT_ALG_PBKDF2_HMAC +pass: + +Config: PSA_WANT_ALG_RIPEMD160 +depends_on:PSA_WANT_ALG_RIPEMD160 +pass: + +Config: !PSA_WANT_ALG_RIPEMD160 +depends_on:!PSA_WANT_ALG_RIPEMD160 +pass: + +Config: PSA_WANT_ALG_RSA_OAEP +depends_on:PSA_WANT_ALG_RSA_OAEP +pass: + +Config: !PSA_WANT_ALG_RSA_OAEP +depends_on:!PSA_WANT_ALG_RSA_OAEP +pass: + +Config: PSA_WANT_ALG_RSA_PKCS1V15_CRYPT +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT +pass: + +Config: !PSA_WANT_ALG_RSA_PKCS1V15_CRYPT +depends_on:!PSA_WANT_ALG_RSA_PKCS1V15_CRYPT +pass: + +Config: PSA_WANT_ALG_RSA_PKCS1V15_SIGN +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pass: + +Config: !PSA_WANT_ALG_RSA_PKCS1V15_SIGN +depends_on:!PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pass: + +Config: PSA_WANT_ALG_RSA_PSS +depends_on:PSA_WANT_ALG_RSA_PSS +pass: + +Config: !PSA_WANT_ALG_RSA_PSS +depends_on:!PSA_WANT_ALG_RSA_PSS +pass: + +Config: PSA_WANT_ALG_SHA3_224 +depends_on:PSA_WANT_ALG_SHA3_224 +pass: + +Config: !PSA_WANT_ALG_SHA3_224 +depends_on:!PSA_WANT_ALG_SHA3_224 +pass: + +Config: PSA_WANT_ALG_SHA3_256 +depends_on:PSA_WANT_ALG_SHA3_256 +pass: + +Config: !PSA_WANT_ALG_SHA3_256 +depends_on:!PSA_WANT_ALG_SHA3_256 +pass: + +Config: PSA_WANT_ALG_SHA3_384 +depends_on:PSA_WANT_ALG_SHA3_384 +pass: + +Config: !PSA_WANT_ALG_SHA3_384 +depends_on:!PSA_WANT_ALG_SHA3_384 +pass: + +Config: PSA_WANT_ALG_SHA3_512 +depends_on:PSA_WANT_ALG_SHA3_512 +pass: + +Config: !PSA_WANT_ALG_SHA3_512 +depends_on:!PSA_WANT_ALG_SHA3_512 +pass: + +Config: PSA_WANT_ALG_SHA_1 +depends_on:PSA_WANT_ALG_SHA_1 +pass: + +Config: !PSA_WANT_ALG_SHA_1 +depends_on:!PSA_WANT_ALG_SHA_1 +pass: + +Config: PSA_WANT_ALG_SHA_224 +depends_on:PSA_WANT_ALG_SHA_224 +pass: + +Config: !PSA_WANT_ALG_SHA_224 +depends_on:!PSA_WANT_ALG_SHA_224 +pass: + +Config: PSA_WANT_ALG_SHA_256 +depends_on:PSA_WANT_ALG_SHA_256 +pass: + +Config: !PSA_WANT_ALG_SHA_256 +depends_on:!PSA_WANT_ALG_SHA_256 +pass: + +Config: PSA_WANT_ALG_SHA_384 +depends_on:PSA_WANT_ALG_SHA_384 +pass: + +Config: !PSA_WANT_ALG_SHA_384 +depends_on:!PSA_WANT_ALG_SHA_384 +pass: + +Config: PSA_WANT_ALG_SHA_512 +depends_on:PSA_WANT_ALG_SHA_512 +pass: + +Config: !PSA_WANT_ALG_SHA_512 +depends_on:!PSA_WANT_ALG_SHA_512 +pass: + +Config: PSA_WANT_ALG_STREAM_CIPHER +depends_on:PSA_WANT_ALG_STREAM_CIPHER +pass: + +Config: !PSA_WANT_ALG_STREAM_CIPHER +depends_on:!PSA_WANT_ALG_STREAM_CIPHER +pass: + +Config: PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS +depends_on:PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS +pass: + +Config: !PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS +depends_on:!PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS +pass: + +Config: PSA_WANT_ALG_TLS12_PRF +depends_on:PSA_WANT_ALG_TLS12_PRF +pass: + +Config: !PSA_WANT_ALG_TLS12_PRF +depends_on:!PSA_WANT_ALG_TLS12_PRF +pass: + +Config: PSA_WANT_ALG_TLS12_PSK_TO_MS +depends_on:PSA_WANT_ALG_TLS12_PSK_TO_MS +pass: + +Config: !PSA_WANT_ALG_TLS12_PSK_TO_MS +depends_on:!PSA_WANT_ALG_TLS12_PSK_TO_MS +pass: + +Config: PSA_WANT_ALG_XTS +depends_on:PSA_WANT_ALG_XTS +pass: + +Config: !PSA_WANT_ALG_XTS +depends_on:!PSA_WANT_ALG_XTS +pass: + +Config: PSA_WANT_DH_RFC7919_2048 +depends_on:PSA_WANT_DH_RFC7919_2048 +pass: + +Config: !PSA_WANT_DH_RFC7919_2048 +depends_on:!PSA_WANT_DH_RFC7919_2048 +pass: + +Config: PSA_WANT_DH_RFC7919_3072 +depends_on:PSA_WANT_DH_RFC7919_3072 +pass: + +Config: !PSA_WANT_DH_RFC7919_3072 +depends_on:!PSA_WANT_DH_RFC7919_3072 +pass: + +Config: PSA_WANT_DH_RFC7919_4096 +depends_on:PSA_WANT_DH_RFC7919_4096 +pass: + +Config: !PSA_WANT_DH_RFC7919_4096 +depends_on:!PSA_WANT_DH_RFC7919_4096 +pass: + +Config: PSA_WANT_DH_RFC7919_6144 +depends_on:PSA_WANT_DH_RFC7919_6144 +pass: + +Config: !PSA_WANT_DH_RFC7919_6144 +depends_on:!PSA_WANT_DH_RFC7919_6144 +pass: + +Config: PSA_WANT_DH_RFC7919_8192 +depends_on:PSA_WANT_DH_RFC7919_8192 +pass: + +Config: !PSA_WANT_DH_RFC7919_8192 +depends_on:!PSA_WANT_DH_RFC7919_8192 +pass: + +Config: PSA_WANT_ECC_BRAINPOOL_P_R1_256 +depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_256 +pass: + +Config: !PSA_WANT_ECC_BRAINPOOL_P_R1_256 +depends_on:!PSA_WANT_ECC_BRAINPOOL_P_R1_256 +pass: + +Config: PSA_WANT_ECC_BRAINPOOL_P_R1_384 +depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_384 +pass: + +Config: !PSA_WANT_ECC_BRAINPOOL_P_R1_384 +depends_on:!PSA_WANT_ECC_BRAINPOOL_P_R1_384 +pass: + +Config: PSA_WANT_ECC_BRAINPOOL_P_R1_512 +depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 +pass: + +Config: !PSA_WANT_ECC_BRAINPOOL_P_R1_512 +depends_on:!PSA_WANT_ECC_BRAINPOOL_P_R1_512 +pass: + +Config: PSA_WANT_ECC_MONTGOMERY_255 +depends_on:PSA_WANT_ECC_MONTGOMERY_255 +pass: + +Config: !PSA_WANT_ECC_MONTGOMERY_255 +depends_on:!PSA_WANT_ECC_MONTGOMERY_255 +pass: + +Config: PSA_WANT_ECC_MONTGOMERY_448 +depends_on:PSA_WANT_ECC_MONTGOMERY_448 +pass: + +Config: !PSA_WANT_ECC_MONTGOMERY_448 +depends_on:!PSA_WANT_ECC_MONTGOMERY_448 +pass: + +Config: PSA_WANT_ECC_SECP_K1_192 +depends_on:PSA_WANT_ECC_SECP_K1_192 +pass: + +Config: !PSA_WANT_ECC_SECP_K1_192 +depends_on:!PSA_WANT_ECC_SECP_K1_192 +pass: + +Config: PSA_WANT_ECC_SECP_K1_224 +depends_on:PSA_WANT_ECC_SECP_K1_224 +pass: + +Config: !PSA_WANT_ECC_SECP_K1_224 +depends_on:!PSA_WANT_ECC_SECP_K1_224 +pass: + +Config: PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 +pass: + +Config: !PSA_WANT_ECC_SECP_K1_256 +depends_on:!PSA_WANT_ECC_SECP_K1_256 +pass: + +Config: PSA_WANT_ECC_SECP_R1_192 +depends_on:PSA_WANT_ECC_SECP_R1_192 +pass: + +Config: !PSA_WANT_ECC_SECP_R1_192 +depends_on:!PSA_WANT_ECC_SECP_R1_192 +pass: + +Config: PSA_WANT_ECC_SECP_R1_224 +depends_on:PSA_WANT_ECC_SECP_R1_224 +pass: + +Config: !PSA_WANT_ECC_SECP_R1_224 +depends_on:!PSA_WANT_ECC_SECP_R1_224 +pass: + +Config: PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_R1_256 +pass: + +Config: !PSA_WANT_ECC_SECP_R1_256 +depends_on:!PSA_WANT_ECC_SECP_R1_256 +pass: + +Config: PSA_WANT_ECC_SECP_R1_384 +depends_on:PSA_WANT_ECC_SECP_R1_384 +pass: + +Config: !PSA_WANT_ECC_SECP_R1_384 +depends_on:!PSA_WANT_ECC_SECP_R1_384 +pass: + +Config: PSA_WANT_ECC_SECP_R1_521 +depends_on:PSA_WANT_ECC_SECP_R1_521 +pass: + +Config: !PSA_WANT_ECC_SECP_R1_521 +depends_on:!PSA_WANT_ECC_SECP_R1_521 +pass: + +Config: PSA_WANT_KEY_TYPE_AES +depends_on:PSA_WANT_KEY_TYPE_AES +pass: + +Config: !PSA_WANT_KEY_TYPE_AES +depends_on:!PSA_WANT_KEY_TYPE_AES +pass: + +Config: PSA_WANT_KEY_TYPE_ARIA +depends_on:PSA_WANT_KEY_TYPE_ARIA +pass: + +Config: !PSA_WANT_KEY_TYPE_ARIA +depends_on:!PSA_WANT_KEY_TYPE_ARIA +pass: + +Config: PSA_WANT_KEY_TYPE_CAMELLIA +depends_on:PSA_WANT_KEY_TYPE_CAMELLIA +pass: + +Config: !PSA_WANT_KEY_TYPE_CAMELLIA +depends_on:!PSA_WANT_KEY_TYPE_CAMELLIA +pass: + +Config: PSA_WANT_KEY_TYPE_CHACHA20 +depends_on:PSA_WANT_KEY_TYPE_CHACHA20 +pass: + +Config: !PSA_WANT_KEY_TYPE_CHACHA20 +depends_on:!PSA_WANT_KEY_TYPE_CHACHA20 +pass: + +Config: PSA_WANT_KEY_TYPE_DERIVE +depends_on:PSA_WANT_KEY_TYPE_DERIVE +pass: + +Config: !PSA_WANT_KEY_TYPE_DERIVE +depends_on:!PSA_WANT_KEY_TYPE_DERIVE +pass: + +Config: PSA_WANT_KEY_TYPE_DES +depends_on:PSA_WANT_KEY_TYPE_DES +pass: + +Config: !PSA_WANT_KEY_TYPE_DES +depends_on:!PSA_WANT_KEY_TYPE_DES +pass: + +Config: PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC +depends_on:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC +pass: + +Config: !PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC +depends_on:!PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC +pass: + +Config: PSA_WANT_KEY_TYPE_DH_KEY_PAIR_DERIVE +depends_on:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_DERIVE:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC +pass: + +Config: !PSA_WANT_KEY_TYPE_DH_KEY_PAIR_DERIVE +depends_on:!PSA_WANT_KEY_TYPE_DH_KEY_PAIR_DERIVE:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC +pass: + +Config: PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT +depends_on:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC +pass: + +Config: !PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT +depends_on:!PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC +pass: + +Config: PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE +depends_on:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC +pass: + +Config: !PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE +depends_on:!PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC +pass: + +Config: PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT +depends_on:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC +pass: + +Config: !PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT +depends_on:!PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC +pass: + +Config: PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY +depends_on:PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY +pass: + +Config: !PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY +depends_on:!PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY +pass: + +Config: PSA_WANT_KEY_TYPE_ECC_KEY_PAIR +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR +pass: + +Config: !PSA_WANT_KEY_TYPE_ECC_KEY_PAIR +depends_on:!PSA_WANT_KEY_TYPE_ECC_KEY_PAIR +pass: + +Config: PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC +pass: + +Config: !PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC +depends_on:!PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC +pass: + +Config: PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC +pass: + +Config: !PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE +depends_on:!PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC +pass: + +Config: PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC +pass: + +Config: !PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT +depends_on:!PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC +pass: + +Config: PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC +pass: + +Config: !PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE +depends_on:!PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC +pass: + +Config: PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC +pass: + +Config: !PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT +depends_on:!PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC +pass: + +Config: PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY +depends_on:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY +pass: + +Config: !PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY +depends_on:!PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY +pass: + +Config: PSA_WANT_KEY_TYPE_HMAC +depends_on:PSA_WANT_KEY_TYPE_HMAC +pass: + +Config: !PSA_WANT_KEY_TYPE_HMAC +depends_on:!PSA_WANT_KEY_TYPE_HMAC +pass: + +Config: PSA_WANT_KEY_TYPE_PASSWORD +depends_on:PSA_WANT_KEY_TYPE_PASSWORD +pass: + +Config: !PSA_WANT_KEY_TYPE_PASSWORD +depends_on:!PSA_WANT_KEY_TYPE_PASSWORD +pass: + +Config: PSA_WANT_KEY_TYPE_PASSWORD_HASH +depends_on:PSA_WANT_KEY_TYPE_PASSWORD_HASH +pass: + +Config: !PSA_WANT_KEY_TYPE_PASSWORD_HASH +depends_on:!PSA_WANT_KEY_TYPE_PASSWORD_HASH +pass: + +Config: PSA_WANT_KEY_TYPE_RAW_DATA +depends_on:PSA_WANT_KEY_TYPE_RAW_DATA +pass: + +Config: !PSA_WANT_KEY_TYPE_RAW_DATA +depends_on:!PSA_WANT_KEY_TYPE_RAW_DATA +pass: + +Config: PSA_WANT_KEY_TYPE_RSA_KEY_PAIR +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR +pass: + +Config: !PSA_WANT_KEY_TYPE_RSA_KEY_PAIR +depends_on:!PSA_WANT_KEY_TYPE_RSA_KEY_PAIR +pass: + +Config: PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC +pass: + +Config: !PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC +depends_on:!PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC +pass: + +Config: PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC +pass: + +Config: !PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE +depends_on:!PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC +pass: + +Config: PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC +pass: + +Config: !PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT +depends_on:!PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC +pass: + +Config: PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC +pass: + +Config: !PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +depends_on:!PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC +pass: + +Config: PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC +pass: + +Config: !PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT +depends_on:!PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC +pass: + +Config: PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY +depends_on:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY +pass: + +Config: !PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY +depends_on:!PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY +pass: + +# End of automatically generated file. diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_config.psa_combinations.data b/yass/third_party/mbedtls/tests/suites/test_suite_config.psa_combinations.data new file mode 100644 index 0000000000..1035af2487 --- /dev/null +++ b/yass/third_party/mbedtls/tests/suites/test_suite_config.psa_combinations.data @@ -0,0 +1,9 @@ +# Interesting combinations of PSA options + +Config: PSA_WANT_ALG_ECDSA without PSA_WANT_ALG_DETERMINISTIC_ECDSA +depends_on:PSA_WANT_ALG_ECDSA:!PSA_WANT_ALG_DETERMINISTIC_ECDSA +pass: + +Config: PSA_WANT_ALG_DETERMINSTIC_ECDSA without PSA_WANT_ALG_ECDSA +depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:!PSA_WANT_ALG_ECDSA +pass: diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_config.tls_combinations.data b/yass/third_party/mbedtls/tests/suites/test_suite_config.tls_combinations.data new file mode 100644 index 0000000000..cbc57d6cd3 --- /dev/null +++ b/yass/third_party/mbedtls/tests/suites/test_suite_config.tls_combinations.data @@ -0,0 +1,9 @@ +# Interesting combinations of TLS options + +Config: TLS 1.2 without TLS 1.3 +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:!MBEDTLS_SSL_PROTO_TLS1_3 +pass: + +Config: TLS 1.3 without TLS 1.2 +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:!MBEDTLS_SSL_PROTO_TLS1_2 +pass: diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_ctr_drbg.data b/yass/third_party/mbedtls/tests/suites/test_suite_ctr_drbg.data index 89dfb9792a..10e9bd0719 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_ctr_drbg.data +++ b/yass/third_party/mbedtls/tests/suites/test_suite_ctr_drbg.data @@ -1088,7 +1088,7 @@ depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY ctr_drbg_entropy_strength:256 CTR_DRBG write/update seed file [#1] -ctr_drbg_seed_file:"data_files/ctr_drbg_seed":0 +ctr_drbg_seed_file:"../framework/data_files/ctr_drbg_seed":0 CTR_DRBG write/update seed file [#2] ctr_drbg_seed_file:"no_such_dir/file":MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_ctr_drbg.function b/yass/third_party/mbedtls/tests/suites/test_suite_ctr_drbg.function index 720eb3e08d..9fa55a754b 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_ctr_drbg.function +++ b/yass/third_party/mbedtls/tests/suites/test_suite_ctr_drbg.function @@ -96,6 +96,7 @@ exit: } static const int thread_random_reps = 10; +void *thread_random_function(void *ctx); /* only used conditionally in ctr_drbg_threads */ void *thread_random_function(void *ctx) { unsigned char out[16]; diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_debug.data b/yass/third_party/mbedtls/tests/suites/test_suite_debug.data index 512a04acab..8b17eb8720 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_debug.data +++ b/yass/third_party/mbedtls/tests/suites/test_suite_debug.data @@ -60,8 +60,8 @@ mbedtls_debug_print_mpi:"0000000000000000000000000000000000000000000000000000000 Debug print certificate #1 (RSA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_BASE64_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_X509_REMOVE_INFO -mbedtls_debug_print_crt:"data_files/server1.crt":"MyFile":999:"PREFIX_":"MyFile(0999)\: PREFIX_ #1\:\nMyFile(0999)\: cert. version \: 3\nMyFile(0999)\: serial number \: 01\nMyFile(0999)\: issuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nMyFile(0999)\: subject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nMyFile(0999)\: issued on \: 2019-02-10 14\:44\:06\nMyFile(0999)\: expires on \: 2029-02-10 14\:44\:06\nMyFile(0999)\: signed using \: RSA with SHA1\nMyFile(0999)\: RSA key size \: 2048 bits\nMyFile(0999)\: basic constraints \: CA=false\nMyFile(0999)\: value of 'crt->rsa.N' (2048 bits) is\:\nMyFile(0999)\: a9 02 1f 3d 40 6a d5 55 53 8b fd 36 ee 82 65 2e\nMyFile(0999)\: 15 61 5e 89 bf b8 e8 45 90 db ee 88 16 52 d3 f1\nMyFile(0999)\: 43 50 47 96 12 59 64 87 6b fd 2b e0 46 f9 73 be\nMyFile(0999)\: dd cf 92 e1 91 5b ed 66 a0 6f 89 29 79 45 80 d0\nMyFile(0999)\: 83 6a d5 41 43 77 5f 39 7c 09 04 47 82 b0 57 39\nMyFile(0999)\: 70 ed a3 ec 15 19 1e a8 33 08 47 c1 05 42 a9 fd\nMyFile(0999)\: 4c c3 b4 df dd 06 1f 4d 10 51 40 67 73 13 0f 40\nMyFile(0999)\: f8 6d 81 25 5f 0a b1 53 c6 30 7e 15 39 ac f9 5a\nMyFile(0999)\: ee 7f 92 9e a6 05 5b e7 13 97 85 b5 23 92 d9 d4\nMyFile(0999)\: 24 06 d5 09 25 89 75 07 dd a6 1a 8f 3f 09 19 be\nMyFile(0999)\: ad 65 2c 64 eb 95 9b dc fe 41 5e 17 a6 da 6c 5b\nMyFile(0999)\: 69 cc 02 ba 14 2c 16 24 9c 4a dc cd d0 f7 52 67\nMyFile(0999)\: 73 f1 2d a0 23 fd 7e f4 31 ca 2d 70 ca 89 0b 04\nMyFile(0999)\: db 2e a6 4f 70 6e 9e ce bd 58 89 e2 53 59 9e 6e\nMyFile(0999)\: 5a 92 65 e2 88 3f 0c 94 19 a3 dd e5 e8 9d 95 13\nMyFile(0999)\: ed 29 db ab 70 12 dc 5a ca 6b 17 ab 52 82 54 b1\nMyFile(0999)\: value of 'crt->rsa.E' (17 bits) is\:\nMyFile(0999)\: 01 00 01\n" +mbedtls_debug_print_crt:"../framework/data_files/server1.crt":"MyFile":999:"PREFIX_":"MyFile(0999)\: PREFIX_ #1\:\nMyFile(0999)\: cert. version \: 3\nMyFile(0999)\: serial number \: 01\nMyFile(0999)\: issuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nMyFile(0999)\: subject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nMyFile(0999)\: issued on \: 2019-02-10 14\:44\:06\nMyFile(0999)\: expires on \: 2029-02-10 14\:44\:06\nMyFile(0999)\: signed using \: RSA with SHA1\nMyFile(0999)\: RSA key size \: 2048 bits\nMyFile(0999)\: basic constraints \: CA=false\nMyFile(0999)\: value of 'crt->rsa.N' (2048 bits) is\:\nMyFile(0999)\: a9 02 1f 3d 40 6a d5 55 53 8b fd 36 ee 82 65 2e\nMyFile(0999)\: 15 61 5e 89 bf b8 e8 45 90 db ee 88 16 52 d3 f1\nMyFile(0999)\: 43 50 47 96 12 59 64 87 6b fd 2b e0 46 f9 73 be\nMyFile(0999)\: dd cf 92 e1 91 5b ed 66 a0 6f 89 29 79 45 80 d0\nMyFile(0999)\: 83 6a d5 41 43 77 5f 39 7c 09 04 47 82 b0 57 39\nMyFile(0999)\: 70 ed a3 ec 15 19 1e a8 33 08 47 c1 05 42 a9 fd\nMyFile(0999)\: 4c c3 b4 df dd 06 1f 4d 10 51 40 67 73 13 0f 40\nMyFile(0999)\: f8 6d 81 25 5f 0a b1 53 c6 30 7e 15 39 ac f9 5a\nMyFile(0999)\: ee 7f 92 9e a6 05 5b e7 13 97 85 b5 23 92 d9 d4\nMyFile(0999)\: 24 06 d5 09 25 89 75 07 dd a6 1a 8f 3f 09 19 be\nMyFile(0999)\: ad 65 2c 64 eb 95 9b dc fe 41 5e 17 a6 da 6c 5b\nMyFile(0999)\: 69 cc 02 ba 14 2c 16 24 9c 4a dc cd d0 f7 52 67\nMyFile(0999)\: 73 f1 2d a0 23 fd 7e f4 31 ca 2d 70 ca 89 0b 04\nMyFile(0999)\: db 2e a6 4f 70 6e 9e ce bd 58 89 e2 53 59 9e 6e\nMyFile(0999)\: 5a 92 65 e2 88 3f 0c 94 19 a3 dd e5 e8 9d 95 13\nMyFile(0999)\: ed 29 db ab 70 12 dc 5a ca 6b 17 ab 52 82 54 b1\nMyFile(0999)\: value of 'crt->rsa.E' (17 bits) is\:\nMyFile(0999)\: 01 00 01\n" Debug print certificate #2 (EC) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_BASE64_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_X509_REMOVE_INFO -mbedtls_debug_print_crt:"data_files/test-ca2.crt":"MyFile":999:"PREFIX_":"MyFile(0999)\: PREFIX_ #1\:\nMyFile(0999)\: cert. version \: 3\nMyFile(0999)\: serial number \: C1\:43\:E2\:7E\:62\:43\:CC\:E8\nMyFile(0999)\: issuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nMyFile(0999)\: subject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nMyFile(0999)\: issued on \: 2019-02-10 14\:44\:00\nMyFile(0999)\: expires on \: 2029-02-10 14\:44\:00\nMyFile(0999)\: signed using \: ECDSA with SHA256\nMyFile(0999)\: EC key size \: 384 bits\nMyFile(0999)\: basic constraints \: CA=true\nMyFile(0999)\: value of 'crt->eckey.Q(X)' (384 bits) is\:\nMyFile(0999)\: c3 da 2b 34 41 37 58 2f 87 56 fe fc 89 ba 29 43\nMyFile(0999)\: 4b 4e e0 6e c3 0e 57 53 33 39 58 d4 52 b4 91 95\nMyFile(0999)\: 39 0b 23 df 5f 17 24 62 48 fc 1a 95 29 ce 2c 2d\nMyFile(0999)\: value of 'crt->eckey.Q(Y)' (384 bits) is\:\nMyFile(0999)\: 87 c2 88 52 80 af d6 6a ab 21 dd b8 d3 1c 6e 58\nMyFile(0999)\: b8 ca e8 b2 69 8e f3 41 ad 29 c3 b4 5f 75 a7 47\nMyFile(0999)\: 6f d5 19 29 55 69 9a 53 3b 20 b4 66 16 60 33 1e\n" +mbedtls_debug_print_crt:"../framework/data_files/test-ca2.crt":"MyFile":999:"PREFIX_":"MyFile(0999)\: PREFIX_ #1\:\nMyFile(0999)\: cert. version \: 3\nMyFile(0999)\: serial number \: C1\:43\:E2\:7E\:62\:43\:CC\:E8\nMyFile(0999)\: issuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nMyFile(0999)\: subject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nMyFile(0999)\: issued on \: 2019-02-10 14\:44\:00\nMyFile(0999)\: expires on \: 2029-02-10 14\:44\:00\nMyFile(0999)\: signed using \: ECDSA with SHA256\nMyFile(0999)\: EC key size \: 384 bits\nMyFile(0999)\: basic constraints \: CA=true\nMyFile(0999)\: value of 'crt->eckey.Q(X)' (384 bits) is\:\nMyFile(0999)\: c3 da 2b 34 41 37 58 2f 87 56 fe fc 89 ba 29 43\nMyFile(0999)\: 4b 4e e0 6e c3 0e 57 53 33 39 58 d4 52 b4 91 95\nMyFile(0999)\: 39 0b 23 df 5f 17 24 62 48 fc 1a 95 29 ce 2c 2d\nMyFile(0999)\: value of 'crt->eckey.Q(Y)' (384 bits) is\:\nMyFile(0999)\: 87 c2 88 52 80 af d6 6a ab 21 dd b8 d3 1c 6e 58\nMyFile(0999)\: b8 ca e8 b2 69 8e f3 41 ad 29 c3 b4 5f 75 a7 47\nMyFile(0999)\: 6f d5 19 29 55 69 9a 53 3b 20 b4 66 16 60 33 1e\n" diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_debug.function b/yass/third_party/mbedtls/tests/suites/test_suite_debug.function index 70e7badca5..878ceed574 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_debug.function +++ b/yass/third_party/mbedtls/tests/suites/test_suite_debug.function @@ -9,7 +9,7 @@ struct buffer_data { char *ptr; }; -void string_debug(void *data, int level, const char *file, int line, const char *str) +static void string_debug(void *data, int level, const char *file, int line, const char *str) { struct buffer_data *buffer = (struct buffer_data *) data; char *p = buffer->ptr; diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_dhm.data b/yass/third_party/mbedtls/tests/suites/test_suite_dhm.data index 2ab5c43746..4e6b23b117 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_dhm.data +++ b/yass/third_party/mbedtls/tests/suites/test_suite_dhm.data @@ -111,14 +111,14 @@ dhm_make_public:MBEDTLS_MPI_MAX_SIZE + 1:"5":MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED+ DH load parameters from PEM file (1024-bit, g=2) depends_on:MBEDTLS_PEM_PARSE_C -dhm_file:"data_files/dhparams.pem":"9e35f430443a09904f3a39a979797d070df53378e79c2438bef4e761f3c714553328589b041c809be1d6c6b5f1fc9f47d3a25443188253a992a56818b37ba9de5a40d362e56eff0be5417474c125c199272c8fe41dea733df6f662c92ae76556e755d10c64e6a50968f67fc6ea73d0dca8569be2ba204e23580d8bca2f4975b3":"02":128 +dhm_file:"../framework/data_files/dhparams.pem":"9e35f430443a09904f3a39a979797d070df53378e79c2438bef4e761f3c714553328589b041c809be1d6c6b5f1fc9f47d3a25443188253a992a56818b37ba9de5a40d362e56eff0be5417474c125c199272c8fe41dea733df6f662c92ae76556e755d10c64e6a50968f67fc6ea73d0dca8569be2ba204e23580d8bca2f4975b3":"02":128 DH load parameters from PEM file (2048-bit, large g, privateValueLength) depends_on:MBEDTLS_PEM_PARSE_C -dhm_file:"data_files/dh.optlen.pem":"b3126aeaf47153c7d67f403030b292b5bd5a6c9eae1c137af34087fce2a36a578d70c5c560ad2bdb924c4a4dbee20a1671be7103ce87defa76908936803dbeca60c33e1289c1a03ac2c6c4e49405e5902fa0596a1cbaa895cc402d5213ed4a5f1f5ba8b5e1ed3da951a4c475afeb0ca660b7368c38c8e809f382d96ae19e60dc984e61cb42b5dfd723322acf327f9e413cda6400c15c5b2ea1fa34405d83982fba40e6d852da3d91019bf23511314254dc211a90833e5b1798ee52a78198c555644729ad92f060367c74ded37704adfc273a4a33fec821bd2ebd3bc051730e97a4dd14d2b766062592f5eec09d16bb50efebf2cc00dd3e0e3418e60ec84870f7":"800abfe7dc667aa17bcd7c04614bc221a65482ccc04b604602b0e131908a938ea11b48dc515dab7abcbb1e0c7fd66511edc0d86551b7632496e03df94357e1c4ea07a7ce1e381a2fcafdff5f5bf00df828806020e875c00926e4d011f88477a1b01927d73813cad4847c6396b9244621be2b00b63c659253318413443cd244215cd7fd4cbe796e82c6cf70f89cc0c528fb8e344809b31876e7ef739d5160d095c9684188b0c8755c7a468d47f56d6db9ea012924ecb0556fb71312a8d7c93bb2898ea08ee54eeb594548285f06a973cbbe2a0cb02e90f323fe045521f34c68354a6d3e95dbfff1eb64692edc0a44f3d3e408d0e479a541e779a6054259e2d854":256 +dhm_file:"../framework/data_files/dh.optlen.pem":"b3126aeaf47153c7d67f403030b292b5bd5a6c9eae1c137af34087fce2a36a578d70c5c560ad2bdb924c4a4dbee20a1671be7103ce87defa76908936803dbeca60c33e1289c1a03ac2c6c4e49405e5902fa0596a1cbaa895cc402d5213ed4a5f1f5ba8b5e1ed3da951a4c475afeb0ca660b7368c38c8e809f382d96ae19e60dc984e61cb42b5dfd723322acf327f9e413cda6400c15c5b2ea1fa34405d83982fba40e6d852da3d91019bf23511314254dc211a90833e5b1798ee52a78198c555644729ad92f060367c74ded37704adfc273a4a33fec821bd2ebd3bc051730e97a4dd14d2b766062592f5eec09d16bb50efebf2cc00dd3e0e3418e60ec84870f7":"800abfe7dc667aa17bcd7c04614bc221a65482ccc04b604602b0e131908a938ea11b48dc515dab7abcbb1e0c7fd66511edc0d86551b7632496e03df94357e1c4ea07a7ce1e381a2fcafdff5f5bf00df828806020e875c00926e4d011f88477a1b01927d73813cad4847c6396b9244621be2b00b63c659253318413443cd244215cd7fd4cbe796e82c6cf70f89cc0c528fb8e344809b31876e7ef739d5160d095c9684188b0c8755c7a468d47f56d6db9ea012924ecb0556fb71312a8d7c93bb2898ea08ee54eeb594548285f06a973cbbe2a0cb02e90f323fe045521f34c68354a6d3e95dbfff1eb64692edc0a44f3d3e408d0e479a541e779a6054259e2d854":256 DH load parameters from DER file (2048-bit, large g, privateValueLength) -dhm_file:"data_files/dh.optlen.der":"b3126aeaf47153c7d67f403030b292b5bd5a6c9eae1c137af34087fce2a36a578d70c5c560ad2bdb924c4a4dbee20a1671be7103ce87defa76908936803dbeca60c33e1289c1a03ac2c6c4e49405e5902fa0596a1cbaa895cc402d5213ed4a5f1f5ba8b5e1ed3da951a4c475afeb0ca660b7368c38c8e809f382d96ae19e60dc984e61cb42b5dfd723322acf327f9e413cda6400c15c5b2ea1fa34405d83982fba40e6d852da3d91019bf23511314254dc211a90833e5b1798ee52a78198c555644729ad92f060367c74ded37704adfc273a4a33fec821bd2ebd3bc051730e97a4dd14d2b766062592f5eec09d16bb50efebf2cc00dd3e0e3418e60ec84870f7":"800abfe7dc667aa17bcd7c04614bc221a65482ccc04b604602b0e131908a938ea11b48dc515dab7abcbb1e0c7fd66511edc0d86551b7632496e03df94357e1c4ea07a7ce1e381a2fcafdff5f5bf00df828806020e875c00926e4d011f88477a1b01927d73813cad4847c6396b9244621be2b00b63c659253318413443cd244215cd7fd4cbe796e82c6cf70f89cc0c528fb8e344809b31876e7ef739d5160d095c9684188b0c8755c7a468d47f56d6db9ea012924ecb0556fb71312a8d7c93bb2898ea08ee54eeb594548285f06a973cbbe2a0cb02e90f323fe045521f34c68354a6d3e95dbfff1eb64692edc0a44f3d3e408d0e479a541e779a6054259e2d854":256 +dhm_file:"../framework/data_files/dh.optlen.der":"b3126aeaf47153c7d67f403030b292b5bd5a6c9eae1c137af34087fce2a36a578d70c5c560ad2bdb924c4a4dbee20a1671be7103ce87defa76908936803dbeca60c33e1289c1a03ac2c6c4e49405e5902fa0596a1cbaa895cc402d5213ed4a5f1f5ba8b5e1ed3da951a4c475afeb0ca660b7368c38c8e809f382d96ae19e60dc984e61cb42b5dfd723322acf327f9e413cda6400c15c5b2ea1fa34405d83982fba40e6d852da3d91019bf23511314254dc211a90833e5b1798ee52a78198c555644729ad92f060367c74ded37704adfc273a4a33fec821bd2ebd3bc051730e97a4dd14d2b766062592f5eec09d16bb50efebf2cc00dd3e0e3418e60ec84870f7":"800abfe7dc667aa17bcd7c04614bc221a65482ccc04b604602b0e131908a938ea11b48dc515dab7abcbb1e0c7fd66511edc0d86551b7632496e03df94357e1c4ea07a7ce1e381a2fcafdff5f5bf00df828806020e875c00926e4d011f88477a1b01927d73813cad4847c6396b9244621be2b00b63c659253318413443cd244215cd7fd4cbe796e82c6cf70f89cc0c528fb8e344809b31876e7ef739d5160d095c9684188b0c8755c7a468d47f56d6db9ea012924ecb0556fb71312a8d7c93bb2898ea08ee54eeb594548285f06a973cbbe2a0cb02e90f323fe045521f34c68354a6d3e95dbfff1eb64692edc0a44f3d3e408d0e479a541e779a6054259e2d854":256 Diffie-Hellman selftest dhm_selftest: diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_dhm.function b/yass/third_party/mbedtls/tests/suites/test_suite_dhm.function index 20905940ba..bb64ef320f 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_dhm.function +++ b/yass/third_party/mbedtls/tests/suites/test_suite_dhm.function @@ -1,9 +1,9 @@ /* BEGIN_HEADER */ #include "mbedtls/dhm.h" -int check_get_value(const mbedtls_dhm_context *ctx, - mbedtls_dhm_parameter param, - const mbedtls_mpi *expected) +static int check_get_value(const mbedtls_dhm_context *ctx, + mbedtls_dhm_parameter param, + const mbedtls_mpi *expected) { mbedtls_mpi actual; int ok = 0; diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_entropy.data b/yass/third_party/mbedtls/tests/suites/test_suite_entropy.data index 0b30bb8a5a..514fced49e 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_entropy.data +++ b/yass/third_party/mbedtls/tests/suites/test_suite_entropy.data @@ -8,7 +8,7 @@ Create NV seed_file nv_seed_file_create: Entropy write/update seed file: good -entropy_seed_file:"data_files/entropy_seed":0 +entropy_seed_file:"../framework/data_files/entropy_seed":0 Entropy write/update seed file: nonexistent entropy_seed_file:"no_such_dir/file":MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR @@ -38,7 +38,7 @@ Entropy output length: 65 > BLOCK_SIZE entropy_func_len:65:MBEDTLS_ERR_ENTROPY_SOURCE_FAILED Entropy failing source -entropy_source_fail:"data_files/entropy_seed" +entropy_source_fail:"../framework/data_files/entropy_seed" Entropy threshold: 16=2*8 entropy_threshold:16:2:8 diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_entropy.function b/yass/third_party/mbedtls/tests/suites/test_suite_entropy.function index 5ac65fcf5e..a4f3b1bd7c 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_entropy.function +++ b/yass/third_party/mbedtls/tests/suites/test_suite_entropy.function @@ -60,12 +60,14 @@ static void entropy_clear_sources(mbedtls_entropy_context *ctx) } #if defined(MBEDTLS_ENTROPY_NV_SEED) + +#if defined(MBEDTLS_MD_LIGHT) && defined(MBEDTLS_PLATFORM_NV_SEED_ALT) /* * NV seed read/write functions that use a buffer instead of a file */ static unsigned char buffer_seed[MBEDTLS_ENTROPY_BLOCK_SIZE]; -int buffer_nv_seed_read(unsigned char *buf, size_t buf_len) +static int buffer_nv_seed_read(unsigned char *buf, size_t buf_len) { if (buf_len != MBEDTLS_ENTROPY_BLOCK_SIZE) { return -1; @@ -75,7 +77,7 @@ int buffer_nv_seed_read(unsigned char *buf, size_t buf_len) return 0; } -int buffer_nv_seed_write(unsigned char *buf, size_t buf_len) +static int buffer_nv_seed_write(unsigned char *buf, size_t buf_len) { if (buf_len != MBEDTLS_ENTROPY_BLOCK_SIZE) { return -1; @@ -84,7 +86,9 @@ int buffer_nv_seed_write(unsigned char *buf, size_t buf_len) memcpy(buffer_seed, buf, MBEDTLS_ENTROPY_BLOCK_SIZE); return 0; } +#endif /* MBEDTLS_MD_LIGHT && MBEDTLS_PLATFORM_NV_SEED_ALT */ +#if defined(MBEDTLS_FS_IO) /* * NV seed read/write helpers that fill the base seedfile */ @@ -111,7 +115,8 @@ static int write_nv_seed(unsigned char *buf, size_t buf_len) return 0; } -int read_nv_seed(unsigned char *buf, size_t buf_len) +#if defined(MBEDTLS_PLATFORM_NV_SEED_ALT) +static int read_nv_seed(unsigned char *buf, size_t buf_len) { FILE *f; @@ -133,6 +138,8 @@ int read_nv_seed(unsigned char *buf, size_t buf_len) return 0; } +#endif /* MBEDTLS_PLATFORM_NV_SEED_ALT */ +#endif /* MBEDTLS_FS_IO */ #endif /* MBEDTLS_ENTROPY_NV_SEED */ /* END_HEADER */ diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_hmac_drbg.misc.data b/yass/third_party/mbedtls/tests/suites/test_suite_hmac_drbg.misc.data index 68866d7aa8..1db8ef125d 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_hmac_drbg.misc.data +++ b/yass/third_party/mbedtls/tests/suites/test_suite_hmac_drbg.misc.data @@ -36,7 +36,7 @@ hmac_drbg_entropy_usage:MBEDTLS_MD_SHA3_512 HMAC_DRBG write/update seed file SHA-1 [#1] depends_on:MBEDTLS_MD_CAN_SHA1 -hmac_drbg_seed_file:MBEDTLS_MD_SHA1:"data_files/hmac_drbg_seed":0 +hmac_drbg_seed_file:MBEDTLS_MD_SHA1:"../framework/data_files/hmac_drbg_seed":0 HMAC_DRBG write/update seed file SHA-1 [#2] depends_on:MBEDTLS_MD_CAN_SHA1 @@ -44,7 +44,7 @@ hmac_drbg_seed_file:MBEDTLS_MD_SHA1:"no_such_dir/file":MBEDTLS_ERR_HMAC_DRBG_FIL HMAC_DRBG write/update seed file SHA-224 [#1] depends_on:MBEDTLS_MD_CAN_SHA224 -hmac_drbg_seed_file:MBEDTLS_MD_SHA224:"data_files/hmac_drbg_seed":0 +hmac_drbg_seed_file:MBEDTLS_MD_SHA224:"../framework/data_files/hmac_drbg_seed":0 HMAC_DRBG write/update seed file SHA-224 [#2] depends_on:MBEDTLS_MD_CAN_SHA224 @@ -52,7 +52,7 @@ hmac_drbg_seed_file:MBEDTLS_MD_SHA224:"no_such_dir/file":MBEDTLS_ERR_HMAC_DRBG_F HMAC_DRBG write/update seed file SHA-256 [#1] depends_on:MBEDTLS_MD_CAN_SHA256 -hmac_drbg_seed_file:MBEDTLS_MD_SHA256:"data_files/hmac_drbg_seed":0 +hmac_drbg_seed_file:MBEDTLS_MD_SHA256:"../framework/data_files/hmac_drbg_seed":0 HMAC_DRBG write/update seed file SHA-256 [#2] depends_on:MBEDTLS_MD_CAN_SHA256 @@ -60,7 +60,7 @@ hmac_drbg_seed_file:MBEDTLS_MD_SHA256:"no_such_dir/file":MBEDTLS_ERR_HMAC_DRBG_F HMAC_DRBG write/update seed file SHA-384 [#1] depends_on:MBEDTLS_MD_CAN_SHA384 -hmac_drbg_seed_file:MBEDTLS_MD_SHA384:"data_files/hmac_drbg_seed":0 +hmac_drbg_seed_file:MBEDTLS_MD_SHA384:"../framework/data_files/hmac_drbg_seed":0 HMAC_DRBG write/update seed file SHA-384 [#2] depends_on:MBEDTLS_MD_CAN_SHA384 @@ -68,7 +68,7 @@ hmac_drbg_seed_file:MBEDTLS_MD_SHA384:"no_such_dir/file":MBEDTLS_ERR_HMAC_DRBG_F HMAC_DRBG write/update seed file SHA-512 [#1] depends_on:MBEDTLS_MD_CAN_SHA512 -hmac_drbg_seed_file:MBEDTLS_MD_SHA512:"data_files/hmac_drbg_seed":0 +hmac_drbg_seed_file:MBEDTLS_MD_SHA512:"../framework/data_files/hmac_drbg_seed":0 HMAC_DRBG write/update seed file SHA-512 [#2] depends_on:MBEDTLS_MD_CAN_SHA512 @@ -76,7 +76,7 @@ hmac_drbg_seed_file:MBEDTLS_MD_SHA512:"no_such_dir/file":MBEDTLS_ERR_HMAC_DRBG_F HMAC_DRBG write/update seed file SHA3-224 [#1] depends_on:MBEDTLS_MD_CAN_SHA3_224 -hmac_drbg_seed_file:MBEDTLS_MD_SHA3_224:"data_files/hmac_drbg_seed":0 +hmac_drbg_seed_file:MBEDTLS_MD_SHA3_224:"../framework/data_files/hmac_drbg_seed":0 HMAC_DRBG write/update seed file SHA3-224 [#2] depends_on:MBEDTLS_MD_CAN_SHA3_224 @@ -84,7 +84,7 @@ hmac_drbg_seed_file:MBEDTLS_MD_SHA3_224:"no_such_dir/file":MBEDTLS_ERR_HMAC_DRBG HMAC_DRBG write/update seed file SHA3-256 [#1] depends_on:MBEDTLS_MD_CAN_SHA3_256 -hmac_drbg_seed_file:MBEDTLS_MD_SHA3_256:"data_files/hmac_drbg_seed":0 +hmac_drbg_seed_file:MBEDTLS_MD_SHA3_256:"../framework/data_files/hmac_drbg_seed":0 HMAC_DRBG write/update seed file SHA3-256 [#2] depends_on:MBEDTLS_MD_CAN_SHA3_256 @@ -92,7 +92,7 @@ hmac_drbg_seed_file:MBEDTLS_MD_SHA3_256:"no_such_dir/file":MBEDTLS_ERR_HMAC_DRBG HMAC_DRBG write/update seed file SHA3-384 [#1] depends_on:MBEDTLS_MD_CAN_SHA3_384 -hmac_drbg_seed_file:MBEDTLS_MD_SHA3_384:"data_files/hmac_drbg_seed":0 +hmac_drbg_seed_file:MBEDTLS_MD_SHA3_384:"../framework/data_files/hmac_drbg_seed":0 HMAC_DRBG write/update seed file SHA3-384 [#2] depends_on:MBEDTLS_MD_CAN_SHA3_384 @@ -100,7 +100,7 @@ hmac_drbg_seed_file:MBEDTLS_MD_SHA3_384:"no_such_dir/file":MBEDTLS_ERR_HMAC_DRBG HMAC_DRBG write/update seed file SHA3-512 [#1] depends_on:MBEDTLS_MD_CAN_SHA3_512 -hmac_drbg_seed_file:MBEDTLS_MD_SHA3_512:"data_files/hmac_drbg_seed":0 +hmac_drbg_seed_file:MBEDTLS_MD_SHA3_512:"../framework/data_files/hmac_drbg_seed":0 HMAC_DRBG write/update seed file SHA3-512 [#2] depends_on:MBEDTLS_MD_CAN_SHA3_512 diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_lmots.data b/yass/third_party/mbedtls/tests/suites/test_suite_lmots.data index 2737272bdd..73a6f2fb32 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_lmots.data +++ b/yass/third_party/mbedtls/tests/suites/test_suite_lmots.data @@ -17,7 +17,7 @@ LMOTS hsslms interop test #1 # This test uses data from https://github.com/pmvr/python-hsslms due to the # limited amount of available test vectors for LMOTS, and few implementations # providing direct access to the underlying OTS signature scheme. The private -# key is stored in data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv. +# key is stored in ../framework/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv. # This test uses the same OTS key as the LMS hsslms interop test 1 (leaf 0 of # the LMS key), and the same message. # @@ -28,7 +28,7 @@ LMOTS hsslms interop test #1 # from hsslms import LMS_Priv, LM_OTS_Priv, LMS_ALGORITHM_TYPE, LMOTS_ALGORITHM_TYPE # import pickle # -# with open('tests/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv', 'rb') as private_key_file: +# with open('framework/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv', 'rb') as private_key_file: # private_key = pickle.load(private_key_file) # # ots_private_key = LM_OTS_Priv(private_key.otstypecode, private_key.I, 0, private_key.SEED) @@ -42,7 +42,7 @@ LMOTS hsslms interop test #2 # This test uses data from https://github.com/pmvr/python-hsslms due to the # limited amount of available test vectors for LMOTS, and few implementations # providing direct access to the underlying OTS signature scheme. The private -# key is stored in data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv. +# key is stored in ../framework/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv. # This test uses the same OTS key as the LMS hsslms interop test 2 (leaf 1 of # the LMS key), and the same message. # @@ -53,7 +53,7 @@ LMOTS hsslms interop test #2 # from hsslms import LMS_Priv, LM_OTS_Priv, LMS_ALGORITHM_TYPE, LMOTS_ALGORITHM_TYPE # import pickle # -# with open('tests/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv', 'rb') as private_key_file: +# with open('framework/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv', 'rb') as private_key_file: # private_key = pickle.load(private_key_file) # #ots_private_key = LM_OTS_Priv(private_key.otstypecode, private_key.I, 1, private_key.SEED) @@ -67,7 +67,7 @@ LMOTS hsslms interop NULL-message test # This test uses data from https://github.com/pmvr/python-hsslms due to the # limited amount of available test vectors for LMOTS, and few implementations # providing direct access to the underlying OTS signature scheme. The private -# key is stored in data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv. +# key is stored in ../framework/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv. # # To produce another signature with this message and key (note that the actual # signature bytes will differ due to randomization): @@ -76,7 +76,7 @@ LMOTS hsslms interop NULL-message test # from hsslms import LMS_Priv, LM_OTS_Priv, LMS_ALGORITHM_TYPE, LMOTS_ALGORITHM_TYPE # import pickle # -# with open('tests/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv', 'rb') as private_key_file: +# with open('framework/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv', 'rb') as private_key_file: # private_key = pickle.load(private_key_file) # #ots_private_key = LM_OTS_Priv(private_key.otstypecode, private_key.I, 3, private_key.SEED) diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_lmots.function b/yass/third_party/mbedtls/tests/suites/test_suite_lmots.function index 293287aab9..bcc72d1822 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_lmots.function +++ b/yass/third_party/mbedtls/tests/suites/test_suite_lmots.function @@ -2,8 +2,8 @@ #include "lmots.h" #include "mbedtls/lms.h" -#if defined(MBEDTLS_TEST_HOOKS) -int check_lmots_private_key_for_leak(unsigned char *sig) +#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_LMS_PRIVATE) +static int check_lmots_private_key_for_leak(unsigned char *sig) { size_t idx; @@ -18,7 +18,7 @@ int check_lmots_private_key_for_leak(unsigned char *sig) exit: return -1; } -#endif /* defined(MBEDTLS_TEST_HOOKS) */ +#endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_LMS_PRIVATE */ /* END_HEADER */ diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_lms.data b/yass/third_party/mbedtls/tests/suites/test_suite_lms.data index 7802a70e68..16ebd1d217 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_lms.data +++ b/yass/third_party/mbedtls/tests/suites/test_suite_lms.data @@ -11,7 +11,7 @@ lms_sign_verify_null_msg_test:"923a3c8e38c9b72e067996bfdaa36856" LMS pyhsslms interop test #1 # This test uses data from https://github.com/russhousley/pyhsslms due to the # limited amount of available test vectors for LMS. The private key is stored in -# data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv. Note that this signature +# ../framework/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv. Note that this signature # uses leaf key 0, so must be the first signature generated by the key if the # signature is to be reproduced. Message data is random. Note that pyhsslms # stores public keys and signatures in HSS form, which appends a 4-byte "levels" @@ -21,8 +21,8 @@ LMS pyhsslms interop test #1 # To produce another signature with this message and key (note that the actual # signature bytes will differ due to randomization): # * pip3 install --user pyhsslms -# * cp data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv tmp/lms.prv -# * cp data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_pub tmp/lms.pub +# * cp ../framework/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv tmp/lms.prv +# * cp ../framework/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_pub tmp/lms.pub # # import pyhsslms # @@ -51,7 +51,7 @@ lms_verify_test:"92d036bde8c45b8bb5dea2a072560b1e29fc4bb7dc4549ce90bccee8a6e962a LMS pyhsslms interop NULL-message test # This test uses data from https://github.com/russhousley/pyhsslms due to the limited # amount of available test vectors for LMS. The private key is stored in -# data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv. Note that this signature +# ../framework/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv. Note that this signature # uses leaf key 2, so must be the third signature generated by the key if the # signature is to be reproduced. Message data is random. Note that hash-sigs # stores public keys and signatures in HSS form, which appends a 4-byte @@ -61,7 +61,7 @@ LMS pyhsslms interop NULL-message test # To produce another signature with this message and key (note that the actual # signature bytes will differ due to randomization): # * pip3 install --user pyhsslms -# * cp data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv tmp/lms.prv +# * cp ../framework/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv tmp/lms.prv # * touch message.bin (create empty message file) # * hsslms sign tmp/lms.prv message.bin (incorrect signature using leaf node 0) # * rm message.bin.sig @@ -75,15 +75,15 @@ LMS pyhsslms interop NULL-message test # * touch message.bin (create empty message file) # * echo -n -e "\0\0\0\0" > message.bin.sig; cat sig.bin >> message.bin.sig (restore the # HSS levels) -# * cp data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8 tmp/lms.pub +# * cp ../framework/data_files/lms_pyhsslms_sha256_m32_h5_lmots_sha256_n32_w8 tmp/lms.pub # * hsslms verify tmp/lms message.bin lms_verify_test:"":"0000000200000004b219a0053b6bfe1988ade7b0a438c106262366cb6338eb6ccd161326b29076d3493e88ab5df10ab456ddbac63f9cc7bc626a832664861a61125963f6e4b1fc202b0d6421cb1307451614d4d0e9e4509bc3991ede829f3805531912af12028c33128212a6e0539a458da092e83dcced8ffb1d9280e76593a239d3e87858905d3b4ae3864cd55972f5610759bb7d929d24ae262a1e028f140e90aa7375e43032c0bc28fe5fc25d53a26f4f9e6de18da2f697f82e409308e5b316413df8e85487391c46e784f9303f133ed332c88e6d1467cebffd9547592e907ceba2992a0442410c7a87104697a4ab3483d9b2af9df574edf23811cec0e681246f07ac74e1ddf64a7f7abc72d0a23b70d5f7c9649188eec8644f2437951640af4f673e6bb7d36a10c5c4c857f518974929824011dc79f484107388b92762acb11839c7cafec7daabdbe651f500930386b403ccec90a507829c18df23a800250d412a82b4072c94de24da9fa25720f1ee433953fca2d9b38ffc5c8b6328e69bf928936218bd253cac5a7122b74639ed7f4085d27efda2a698aff4bce385b475470adb19ab2095b3979e74e63914ef5430094e2028440f4d2aa448bb41f1d4481ad76c9b6671f4a7aafdbea44316aa97993fa31c56c34f0acd6295cd2fca8be9ea6af2f4d656f89b113cb3b3ce35753bc0128629372fade890397c297ee4c22e735e2b5f3c7383ed154cf0941884136bc6e51f860803b963c145795c8f573ab43953d25c0837bb13adbcfc506795db26fbd7a277d9532a23b5c472628944a3dcfc424e42fc54b2ed2cc8166cb82e9364af9120881313c97e429bed15bd9d46fe407f229cbc6daf1442e42c57664a7e832a809364750396a0b134efccf9a31e1ef1fdd2279d1179a673feda330b9989681c94d69eb197b6c3048623e49c98cc7cfc8d845c17f9059e7f15b72af8680cad2591cc9c135b2044fe7df45b8b6ef6e8af85ddb677f0897ffbda8131fff0eba1f94200f435bc26cfe5093c63f547620efb3bf8f905fe4ca1c40e163dfb6432c4acf068540c2c81c0392d375e99e3960973447beceefbd437f51616f85236d75815c51073277cc7ceca622bb76236d05a830e024a231566fb07f6f4e3671bc7fd5e22e4da1f4d4f4e56a179325b2ea9e51d6484df0941e0b46bcf4148e98530e9b3641e351b67073ace8438fac6d9a19988af4d594048f12eac4bbaa73eb15d597b1fdbf34ce9410520d9dc4b6bb7a99a12dcdc530c49bb67ca942adecb7adf27456eba9a9b416bb98b25c8020f4c2507b74a9ddb94f197ea42f03500bde751c04ec2c6b427ce0f80322a6b356f0d9d26531843639c7c7938b83541c58fedd0398d81b93032cb4892903a5b1cfd205b333702e7f80c1461a15edd6058c2e08d8afe44e4c5bfd7d9ac2578b5a16b4c4e43bad5f7b22041de5a95c6f64422db270e1f616e379a034fb3c08cf892af6df8af91c2767eb76bcf018e35d66fbf4ac1e5a6a10033ea118f8cd2edf57c2288a93f2f85b6ff41283b029e5c7b04bdac33b5aa79bf799292a0a046b98e6d13a2bb53a970dd0a5784034600000006c3faf2b844e6f17384998ae0616755eb7578458b7096078a36f9e556a2a091be47c0f85ffd8ee916734855a6d116fa1431ad6cff45d2a8a7f6c122f4d492df32438681d0b95feb973125e4ee70ebe11699290b831e86571e36513a71f159d48ce563f6814cc2a89851d2520c5275b34cc83614cab14c0d197166580d800ee6b9004b8fd72daac8d73c36c1623c37be93ba49a06c4efde238a3a10a05daba5d4942f7de52648af2be31f33e723b3605346282f5d5e356c5d0004eea40fe0b80abf658f6c96c56319ab53d7fefb5879e0136d1cf320973a2f47c1ee3d21554910f09d17afac4607657c4309890957a4954bf86e2a8491ba37dd88b2c3fe3c7edebd767c400bc23e40d165b27133c726b90bc26cbb2a86a6aa400c47aa7ffc538388de8490b9349afa53b814ffe2a56ff16a496e9648284193754f989f6f12aeb6e":"0000000600000004d96bb26744d99ef624e32161c36d3d6efcdd0484e2b17a6dd183125be4b1af1cda931a91a3acb1151877c174f7943fd9":0 LMS hash-sigs interop test #1 # This test uses data from https://github.com/cisco/hash-sigs due to the # limited amount of available test vectors for LMS. The private key is stored in -# data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv and -# data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux. Note that this +# ../framework/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv and +# ../framework/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux. Note that this # signature uses leaf key 0, so must be the first signature generated by the key # if the signature is to be reproduced. Message data is random. Note that # hash-sigs stores public keys and signatures in HSS form, which appends a @@ -93,8 +93,8 @@ LMS hash-sigs interop test #1 # To produce another signature with this message and key (note that the actual # signature bytes will differ due to randomization): # * -# * cp data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv tmp/lms.prv -# * cp data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux tmp/lms.aux +# * cp ../framework/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv tmp/lms.prv +# * cp ../framework/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux tmp/lms.aux # * # * /demo sign tmp/lms message.bin # * cat message.bin.sig | xxd @@ -103,15 +103,15 @@ LMS hash-sigs interop test #1 # * Save message and signature in binary format # * echo -n -e "\0\0\0\0" > message.bin.sig; cat sig.bin >> message.bin.sig (restore the # HSS levels) -# * cp data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_pub tmp/lms.pub +# * cp ../framework/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_pub tmp/lms.pub # * verify tmp/lms message.bin lms_verify_test:"6b7439e31ef128c54f1536f745ff1246":"0000000000000004163fc2e3d3267d8c0d9fd9e7bb7a4eae84c3d98cd565de361edc426067960fc3201d9be1c30f4e4edce91844753aa13ff21e92648ac795b7c29dd6140962b5a1fb97b02570402a498a495044edcb26d1321c52e91c60cc3feb8f8e84fc77f97fb6e7afbfe4c2f2203d8d84303e2dd212b652e08a2e5a24a333df859cea3c5a547561f7ce6d182e2a3f2f018ef7e0578621916cff905c0713fa5f2bf73248ae6985aebc4086b79ebf71b8dcbb592eb61dc6303d06dbda88063690361b0dd25ea1c2c6b4d82dddbe11740864c65c228d67e9a1710506e585a748e7e02b36706e5cff83b3589613f07c636ab7784d6a8288d33e80f063165a2ddcbb0d7da815df8043dfa500c3e313c533bf6aec959237c923813d3109bdaeb195b1337f4cf21c1c863f6261dca411819603a3ea60cf34c81b462c4979b357da2bcdf3128343ca5a8a957e3ca4eebb914d743862e29ef48e43e7c5a7aaf7a2fe1251c309c65e9143dcfb298fa0d353084f60c0779e1a09b040f13c1025ec99402b844ff9996decf4b5f0d32a0858126ff293472aa93fbc2017d39fee93ff9f0ca2752b25cfa12542bf19cc1b8c102d65b70dccf760f26cb546742ce909d45345f802a985bae6a0f922a9c2a3dc992fae9f6f2fba0c52cad82564bde6ed8af880ee7a5eb5c6436611e5da1c690831bed34e3dd65acf2b8f496b6448e957afc16c48b6cd733bc84e3606a1d0609f08015c14b5619a2723f9b22950efc7ff7b733c299fcd84ed89c4d5cd43a9a54f25fc0fa1370d184f9e8011b60ba38dfca0eeeb56ae37a5823718c8210db20c2de13c39e43970b0b53b85b9cf9ea0dd025e7db558b463c683980fe59e0defde41afe825cfb8606ca861602a7fefd7506edc81b7ab4a1e0626e0bac1f99be118dbc1e291028fc73d0a0ea6559ae1dcf7477d64742c9bef88ef04b2ee4d392cf1efa23d8b05d11d2414e64f4540623e11bbf57fb8ae219331db0df459a9849f2700e6fa7ff4edb0fc01764949e279e84374e7a57fb5ee6221b2b72dbcf2ab9c988fe07d21e169b4338887129ac503cc6c0912787778d51b4b921cf7bb17d4028b7faf6c21dd616a1ac3b50d595ae0e3662e7faa16b9dec7694462c7fb8539ece0af33cc5a3dc33641b8827bf4751a708d7bf286cf2e795b8f45b76e1109abd908d0388d6ab8ecea67b187aabd80349e4bd286e3b6eeb3535cc9c343a39fe90cb443906b19d2483b4c93d0e35cd68d9f5523d5400a2b1708ba3361bd0757ed69b1da8845594edf053995b2d96bed8210aaab25fc34b2dd58004ce800360f24861e5912ac339ed0a78548e303e728a41e05c11d79013e3971eafa8034e63ecf1c842f0d9e735ff3b5badfd63ae07f051c94a9a867260b517e5c2c75e88e03d069bd39816a2255c90de81bb79622145b7469853a02eac45289fd9f9f40e2fccdd8ddb740469331f61badc1b7f6e0145dfe30141ad2f26ac8d7ff5125dc4dff1fec57629cea4f7de4401fc056e9a38ea028ac9c666ccd3f527947672408a759a5791d9efdeb1ff25392413728a03d4c641f4ce1542b6952e7595f1eecf1060000000671b0912d734442146e128d0029101ad34a6d2d586640235c828d427dfaffdb156771f06926678fa50aa7167684c1de108944b2c4a3358f5e926368009e4500a8d4d501124bc25a4c9b1cfb954503f4ae26c92221e39c680843ae55cfca972e139c82e2e4469a703a1866fa0e6d76636591f4ad07f7d1eaa19077660ad46a6f9d534970e6a49e24621b7c7c283253dd22fb24eb7819fab84bab88e42555d5437d5afe06615a7e0d103cc8595616690f1337f4345cf418724f07d0dc4d2c0899b691691f397202204ef34342b5725dc6adfe549ab0b887572ad38113c407f96fcdfeea0ffc4f333addfec296169e53e3c5b24797a20f3b2f043f5e96920de9927da466f09389d3e52a5665f380f68666a019c201e710ab4c168d5ac952a02d5909a6fcaf498a33e2124e6a828203744ee3fe70465adde0cfbccc1b4634541638ab":"0000000600000004e18760ef2c86192aee88579e376f35cd153419d622803a483e79f6d368629308a8ab6ff663c4f108b2033af290dcedfa":0 LMS hash-sigs interop test #2 # This test uses data from https://github.com/cisco/hash-sigs due to the # limited amount of available test vectors for LMS. The private key is stored in -# data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv and -# data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux. Note that this +# ../framework/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv and +# ../framework/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux. Note that this # signature uses leaf key 1, so must be the second signature generated by the key # if the signature is to be reproduced. Message data is random. Note that # hash-sigs stores public keys and signatures in HSS form, which appends a @@ -121,8 +121,8 @@ LMS hash-sigs interop test #2 # To produce another signature with this message and key (note that the actual # signature bytes will differ due to randomization): # * -# * cp data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv tmp/lms.prv -# * cp data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux tmp/lms.aux +# * cp ../framework/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_prv tmp/lms.prv +# * cp ../framework/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_aux tmp/lms.aux # * # * /demo sign tmp/lms message.bin (incorrect signature using leaf node 0) # * rm message.bin.sig @@ -133,14 +133,14 @@ LMS hash-sigs interop test #2 # * Save message and signature in binary format # * echo -n -e "\0\0\0\0" > message.bin.sig; cat sig.bin >> message.bin.sig (restore the # HSS levels) -# * cp data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_pub tmp/lms.pub +# * cp ../framework/data_files/lms_hash-sigs_sha256_m32_h5_lmots_sha256_n32_w8_pub tmp/lms.pub # * verify tmp/lms message.bin lms_verify_test:"0705ba8297c7b9fa5f08e37825ad24a0":"00000001000000040a432454b99750f7b703f0280f92818b0570d0267a423b377be7cf0561305d4ce987b9d8dbc1c3f8ba410bbe6b921406eb802688d2dd8a1a6fa4a124cbcae9b5a210f583a956384c06311953b038b4ad2c2808224fc3a6410cd3b89274371956bcd4253a251cba6409b09c822e1d29d7a037648a6f2562d0df6359a043622f256f5ac79736c08fc4185758ff002a8397e560d5812373946348afba2ccf2cc0f3ba741ec076d4587a54b8b625804b814c30540152a3dc843a590c94cc23ba857e4c458c8ab687b5b9b68837ee890454cc19bb5f42a1e6dc051803fab50b440067a903013f675a774b5d02cd56289518d65f869f22b2e2b58d499e9e3929ec5a9f5d6d6e03cf91486094aba7c88491cde35b81c175c40410bc402d20f0a73a4da844d3a1d47e57618b7f18fa5ac85e877b5faa1e0b6733c2d96b2970fdd6e606435e3ec50eafa88f84fb7512217aa4be5858a140f242603bda634d76c484a184298c4da903094468d032b88586fd2f35182405cd85115af6a0bbd431f2e44217a1691dd8887db91d3b97264ff552ae7dc110a3a111f2bf74ce42079055dfb8390a16d67f28b738f837aa7880f3134deabcf6ec74cdb521bff44df61c999bf7a8ddc43b64812cd4f3bfb15104867d5e585d1cbf99738e0df92660b3e9135a4377d1199b8b97362fc87ce3c99db3b8aba63ba35eb353e5ec79bcee82b9ccc1b4f7d1b8ce7e5f8813d007be3d0e45cb8e7173337a5a7c4d32ea5116e0fdbd7846ea1f366a531449c78cd7a16ce5bffcd6cccf54b7f249a74e0df6b07f6b48db42eb958ff18b06995368af0cadd82f44cf44e4b53f0993de5f06b289bee41cd25f90a9fbd1bfb1ab2451c96b07adcfb5210d291dd505ea30e5d30395c8d84eabccdd2c7d6f28a88f5e5d245a6980c57810cfe17c9a37ef5e79b7b9ca755d56a789d21985372bed42ae2830d81ebf0fad6c721bd1d3ee91ae363f40d386aac23e7c0db965539ce9bff38f0f24bec3227b5a24f4cd7fa71ca9d306faa3fc4726cdb6634f218897b79a4aed67a58799285104eed74703ec4af6d5738b27b4d6fb71e52c1149069483a7cca6c3fccbdff77312ff5c635d8b0ccd53dbaf7b498727f7c7a70d3fd1c3f217e2cbd0dfe91258acb7f79f53f56012a82da997ea777b76dac0472e5f9830a93fb09703b1c0e45cbfbf641de94fcc6c609f02a5b31ad5821ba6cd48829fc5e0c4ad78e11e4cac8efbb1b170c794b7b131b0c1c4e39fdef81db9e7acced5ec824aed0c4e6b57fd1add4191e87be1446c7c519eb671205ce8c5855ad7a2b9ff7a9cd5c45336f508d0f8d2c1152dc2656650bdaf8fced642f3a4d445b5fc49910bdbdc9635de0086ee9582a796ca9f6052de805f41dfbd3e94982a05cbd36bab583dd5b1586ddbb3b1a45f1a265bec062c1a50d220870c0c622d852e650a67f31e8eb3d19e964de0926712b7f429ad05024b8db51eb6702c39580f62f037388862251bf66f02edee9615a63957eab75b28501f9f26cecd09a5c949127c9a3095036667fce8e45ba75568d5160fa1725a9e0038145d948f437640dc4441000000066e8db13a9e79d10a4e067aad448a1847b5489a62cde3054ee1e5ff2e37549d516771f06926678fa50aa7167684c1de108944b2c4a3358f5e926368009e4500a8d4d501124bc25a4c9b1cfb954503f4ae26c92221e39c680843ae55cfca972e139c82e2e4469a703a1866fa0e6d76636591f4ad07f7d1eaa19077660ad46a6f9d534970e6a49e24621b7c7c283253dd22fb24eb7819fab84bab88e42555d5437d5afe06615a7e0d103cc8595616690f1337f4345cf418724f07d0dc4d2c0899b691691f397202204ef34342b5725dc6adfe549ab0b887572ad38113c407f96fcdfeea0ffc4f333addfec296169e53e3c5b24797a20f3b2f043f5e96920de9927da466f09389d3e52a5665f380f68666a019c201e710ab4c168d5ac952a02d5909a6fcaf498a33e2124e6a828203744ee3fe70465adde0cfbccc1b4634541638ab":"0000000600000004e18760ef2c86192aee88579e376f35cd153419d622803a483e79f6d368629308a8ab6ff663c4f108b2033af290dcedfa":0 LMS hsslms interop test #1 # This test uses data from https://github.com/pmvr/python-hsslms due to the # limited amount of available test vectors for LMS. The private key is stored in -# data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv +# ../framework/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv # # To produce another signature with this message and key (note that the actual # signature bytes will differ due to randomization): @@ -149,7 +149,7 @@ LMS hsslms interop test #1 # from hsslms import LMS_Priv, LMS_ALGORITHM_TYPE, LMOTS_ALGORITHM_TYPE # import pickle # -# with open('tests/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv', 'rb') as private_key_file: +# with open('framework/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv', 'rb') as private_key_file: # private_key = pickle.load(private_key_file) # # public_key = private_key.gen_pub() @@ -163,7 +163,7 @@ lms_verify_test:"60da1a17c88c59da8a730e6ca8effd37":"00000000000000041394a893e40b LMS hsslms interop test #2 # This test uses data from https://github.com/pmvr/python-hsslms due to the # limited amount of available test vectors for LMS. The private key is stored in -# data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv +# ../framework/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv # # To produce another signature with this message and key (note that the actual # signature bytes will differ due to randomization): @@ -172,7 +172,7 @@ LMS hsslms interop test #2 # from hsslms import LMS_Priv, LMS_ALGORITHM_TYPE, LMOTS_ALGORITHM_TYPE # import pickle # -# with open('tests/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv', 'rb') as private_key_file: +# with open('framework/data_files/lms_hsslms_sha256_m32_h5_lmots_sha256_n32_w8_prv', 'rb') as private_key_file: # private_key = pickle.load(private_key_file) # # public_key = private_key.gen_pub() diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_md.data b/yass/third_party/mbedtls/tests/suites/test_suite_md.data index fb9b5effa0..f5d4057064 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_md.data +++ b/yass/third_party/mbedtls/tests/suites/test_suite_md.data @@ -346,39 +346,39 @@ md_hmac_multi:MBEDTLS_MD_RIPEMD160:20:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa generic MD5 Hash file #1 depends_on:MBEDTLS_MD_CAN_MD5 -mbedtls_md_file:MBEDTLS_MD_MD5:"data_files/hash_file_1":"52bcdc983c9ed64fc148a759b3c7a415" +mbedtls_md_file:MBEDTLS_MD_MD5:"../framework/data_files/hash_file_1":"52bcdc983c9ed64fc148a759b3c7a415" generic MD5 Hash file #2 depends_on:MBEDTLS_MD_CAN_MD5 -mbedtls_md_file:MBEDTLS_MD_MD5:"data_files/hash_file_2":"d17d466f15891df10542207ae78277f0" +mbedtls_md_file:MBEDTLS_MD_MD5:"../framework/data_files/hash_file_2":"d17d466f15891df10542207ae78277f0" generic MD5 Hash file #3 depends_on:MBEDTLS_MD_CAN_MD5 -mbedtls_md_file:MBEDTLS_MD_MD5:"data_files/hash_file_3":"d945bcc6200ea95d061a2a818167d920" +mbedtls_md_file:MBEDTLS_MD_MD5:"../framework/data_files/hash_file_3":"d945bcc6200ea95d061a2a818167d920" generic MD5 Hash file #4 depends_on:MBEDTLS_MD_CAN_MD5 -mbedtls_md_file:MBEDTLS_MD_MD5:"data_files/hash_file_4":"d41d8cd98f00b204e9800998ecf8427e" +mbedtls_md_file:MBEDTLS_MD_MD5:"../framework/data_files/hash_file_4":"d41d8cd98f00b204e9800998ecf8427e" generic RIPEMD160 Hash file #0 (from paper) depends_on:MBEDTLS_MD_CAN_RIPEMD160 -mbedtls_md_file:MBEDTLS_MD_RIPEMD160:"data_files/hash_file_5":"52783243c1697bdbe16d37f97f68f08325dc1528" +mbedtls_md_file:MBEDTLS_MD_RIPEMD160:"../framework/data_files/hash_file_5":"52783243c1697bdbe16d37f97f68f08325dc1528" generic RIPEMD160 Hash file #1 depends_on:MBEDTLS_MD_CAN_RIPEMD160 -mbedtls_md_file:MBEDTLS_MD_RIPEMD160:"data_files/hash_file_1":"82f1d072f0ec0c2b353703a7b575a04c113af1a6" +mbedtls_md_file:MBEDTLS_MD_RIPEMD160:"../framework/data_files/hash_file_1":"82f1d072f0ec0c2b353703a7b575a04c113af1a6" generic RIPEMD160 Hash file #2 depends_on:MBEDTLS_MD_CAN_RIPEMD160 -mbedtls_md_file:MBEDTLS_MD_RIPEMD160:"data_files/hash_file_2":"996fbc8b79206ba7393ebcd246584069b1c08f0f" +mbedtls_md_file:MBEDTLS_MD_RIPEMD160:"../framework/data_files/hash_file_2":"996fbc8b79206ba7393ebcd246584069b1c08f0f" generic RIPEMD160 Hash file #3 depends_on:MBEDTLS_MD_CAN_RIPEMD160 -mbedtls_md_file:MBEDTLS_MD_RIPEMD160:"data_files/hash_file_3":"8653b46d65998fa8c8846efa17937e742533ae48" +mbedtls_md_file:MBEDTLS_MD_RIPEMD160:"../framework/data_files/hash_file_3":"8653b46d65998fa8c8846efa17937e742533ae48" generic RIPEMD160 Hash file #4 depends_on:MBEDTLS_MD_CAN_RIPEMD160 -mbedtls_md_file:MBEDTLS_MD_RIPEMD160:"data_files/hash_file_4":"9c1185a5c5e9fc54612808977ee8f548b2258d31" +mbedtls_md_file:MBEDTLS_MD_RIPEMD160:"../framework/data_files/hash_file_4":"9c1185a5c5e9fc54612808977ee8f548b2258d31" generic HMAC-SHA-1 Test Vector FIPS-198a #1 depends_on:MBEDTLS_MD_CAN_SHA1 @@ -930,67 +930,67 @@ md_hex:MBEDTLS_MD_SHA512:"":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f generic SHA3-224 Hash file #1 depends_on:MBEDTLS_MD_CAN_SHA3_224 -mbedtls_md_file:MBEDTLS_MD_SHA3_224:"data_files/hash_file_1":"320f1a9257d442178d90fda8987743a5e7bb5ed0b18bc7d66ee3633e" +mbedtls_md_file:MBEDTLS_MD_SHA3_224:"../framework/data_files/hash_file_1":"320f1a9257d442178d90fda8987743a5e7bb5ed0b18bc7d66ee3633e" generic SHA3-224 Hash file #2 depends_on:MBEDTLS_MD_CAN_SHA3_224 -mbedtls_md_file:MBEDTLS_MD_SHA3_224:"data_files/hash_file_2":"db06a96306b43677f0e3592a0fe1d276141fa7458b7be93197550442" +mbedtls_md_file:MBEDTLS_MD_SHA3_224:"../framework/data_files/hash_file_2":"db06a96306b43677f0e3592a0fe1d276141fa7458b7be93197550442" generic SHA3-224 Hash file #3 depends_on:MBEDTLS_MD_CAN_SHA3_224 -mbedtls_md_file:MBEDTLS_MD_SHA3_224:"data_files/hash_file_3":"0d125fdd48b0e322ca845402fbecb827053c9f324c58933be2e474a0" +mbedtls_md_file:MBEDTLS_MD_SHA3_224:"../framework/data_files/hash_file_3":"0d125fdd48b0e322ca845402fbecb827053c9f324c58933be2e474a0" generic SHA3-224 Hash file #4 depends_on:MBEDTLS_MD_CAN_SHA3_224 -mbedtls_md_file:MBEDTLS_MD_SHA3_224:"data_files/hash_file_4":"6b4e03423667dbb73b6e15454f0eb1abd4597f9a1b078e3f5b5a6bc7" +mbedtls_md_file:MBEDTLS_MD_SHA3_224:"../framework/data_files/hash_file_4":"6b4e03423667dbb73b6e15454f0eb1abd4597f9a1b078e3f5b5a6bc7" generic SHA3-256 Hash file #1 depends_on:MBEDTLS_MD_CAN_SHA3_256 -mbedtls_md_file:MBEDTLS_MD_SHA3_256:"data_files/hash_file_1":"f429826659dd9f313e6226ced5c841fe1b0e9dd16554392b694fa3000f1ae1e2" +mbedtls_md_file:MBEDTLS_MD_SHA3_256:"../framework/data_files/hash_file_1":"f429826659dd9f313e6226ced5c841fe1b0e9dd16554392b694fa3000f1ae1e2" generic SHA3-256 Hash file #2 depends_on:MBEDTLS_MD_CAN_SHA3_256 -mbedtls_md_file:MBEDTLS_MD_SHA3_256:"data_files/hash_file_2":"3aed2fda8604dbec5a67710b4d4c89a90745e10ee633649e53e75c7e25d30152" +mbedtls_md_file:MBEDTLS_MD_SHA3_256:"../framework/data_files/hash_file_2":"3aed2fda8604dbec5a67710b4d4c89a90745e10ee633649e53e75c7e25d30152" generic SHA3-256 Hash file #3 depends_on:MBEDTLS_MD_CAN_SHA3_256 -mbedtls_md_file:MBEDTLS_MD_SHA3_256:"data_files/hash_file_3":"c4b6492fd1c475c5e560545a2573b0efcd02d54ef4f63c9d8158dd87bed99d85" +mbedtls_md_file:MBEDTLS_MD_SHA3_256:"../framework/data_files/hash_file_3":"c4b6492fd1c475c5e560545a2573b0efcd02d54ef4f63c9d8158dd87bed99d85" generic SHA3-256 Hash file #4 depends_on:MBEDTLS_MD_CAN_SHA3_256 -mbedtls_md_file:MBEDTLS_MD_SHA3_256:"data_files/hash_file_4":"a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a" +mbedtls_md_file:MBEDTLS_MD_SHA3_256:"../framework/data_files/hash_file_4":"a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a" generic SHA3-384 Hash file #1 depends_on:MBEDTLS_MD_CAN_SHA3_384 -mbedtls_md_file:MBEDTLS_MD_SHA3_384:"data_files/hash_file_1":"06ab3677496658d3faad937f3f7887b3e925b480190544c612e76b88c5d21b4ca12691f27b8ef569d601925915cdf2a6" +mbedtls_md_file:MBEDTLS_MD_SHA3_384:"../framework/data_files/hash_file_1":"06ab3677496658d3faad937f3f7887b3e925b480190544c612e76b88c5d21b4ca12691f27b8ef569d601925915cdf2a6" generic SHA3-384 Hash file #2 depends_on:MBEDTLS_MD_CAN_SHA3_384 -mbedtls_md_file:MBEDTLS_MD_SHA3_384:"data_files/hash_file_2":"b5efc40db7af544bf3fb8c782f2db478dbb81aa83d2ef0e8bbdcf06371de7cc984aac5539c4c9244c1e6ebbb85e23983" +mbedtls_md_file:MBEDTLS_MD_SHA3_384:"../framework/data_files/hash_file_2":"b5efc40db7af544bf3fb8c782f2db478dbb81aa83d2ef0e8bbdcf06371de7cc984aac5539c4c9244c1e6ebbb85e23983" generic SHA3-384 Hash file #3 depends_on:MBEDTLS_MD_CAN_SHA3_384 -mbedtls_md_file:MBEDTLS_MD_SHA3_384:"data_files/hash_file_3":"0f08dc09cb39240e09b01e7f3ee3ce6b893bf393f52d2ac87083cef7d3a469fa99763e58b25306b0a2381d9bbdaa802f" +mbedtls_md_file:MBEDTLS_MD_SHA3_384:"../framework/data_files/hash_file_3":"0f08dc09cb39240e09b01e7f3ee3ce6b893bf393f52d2ac87083cef7d3a469fa99763e58b25306b0a2381d9bbdaa802f" generic SHA3-384 Hash file #4 depends_on:MBEDTLS_MD_CAN_SHA3_384 -mbedtls_md_file:MBEDTLS_MD_SHA3_384:"data_files/hash_file_4":"0c63a75b845e4f7d01107d852e4c2485c51a50aaaa94fc61995e71bbee983a2ac3713831264adb47fb6bd1e058d5f004" +mbedtls_md_file:MBEDTLS_MD_SHA3_384:"../framework/data_files/hash_file_4":"0c63a75b845e4f7d01107d852e4c2485c51a50aaaa94fc61995e71bbee983a2ac3713831264adb47fb6bd1e058d5f004" generic SHA3-512 Hash file #1 depends_on:MBEDTLS_MD_CAN_SHA3_512 -mbedtls_md_file:MBEDTLS_MD_SHA3_512:"data_files/hash_file_1":"7d43cbb75218110d7fcc227b6977e6f3b855184c646b679055897cba0cd445ec968430231866801c4f0993f8735cf46bc4858868423d31ca283a6f1ecf25c580" +mbedtls_md_file:MBEDTLS_MD_SHA3_512:"../framework/data_files/hash_file_1":"7d43cbb75218110d7fcc227b6977e6f3b855184c646b679055897cba0cd445ec968430231866801c4f0993f8735cf46bc4858868423d31ca283a6f1ecf25c580" generic SHA3-512 Hash file #2 depends_on:MBEDTLS_MD_CAN_SHA3_512 -mbedtls_md_file:MBEDTLS_MD_SHA3_512:"data_files/hash_file_2":"212bd00cfc7f3a5b73b5b4772dd83562826207eba30ab00be2c886aef3841ef66eb25097091bfacb6d45dd4557489f91836c04c4f0d96e32ae96fb006d4b2ad6" +mbedtls_md_file:MBEDTLS_MD_SHA3_512:"../framework/data_files/hash_file_2":"212bd00cfc7f3a5b73b5b4772dd83562826207eba30ab00be2c886aef3841ef66eb25097091bfacb6d45dd4557489f91836c04c4f0d96e32ae96fb006d4b2ad6" generic SHA3-512 Hash file #3 depends_on:MBEDTLS_MD_CAN_SHA3_512 -mbedtls_md_file:MBEDTLS_MD_SHA3_512:"data_files/hash_file_3":"a78a0266820e36f6fb26a0c8deb0b24108e209cc217852ed073904bc44ec586c5704c0a56de57f9906b8ced380fee6ac2bd432a93de7f39b23ed0aabdd7ae813" +mbedtls_md_file:MBEDTLS_MD_SHA3_512:"../framework/data_files/hash_file_3":"a78a0266820e36f6fb26a0c8deb0b24108e209cc217852ed073904bc44ec586c5704c0a56de57f9906b8ced380fee6ac2bd432a93de7f39b23ed0aabdd7ae813" generic SHA3-512 Hash file #4 depends_on:MBEDTLS_MD_CAN_SHA3_512 -mbedtls_md_file:MBEDTLS_MD_SHA3_512:"data_files/hash_file_4":"a69f73cca23a9ac5c8b567dc185a756e97c982164fe25859e0d1dcc1475c80a615b2123af1f5f94c11e3e9402c3ac558f500199d95b6d3e301758586281dcd26" +mbedtls_md_file:MBEDTLS_MD_SHA3_512:"../framework/data_files/hash_file_4":"a69f73cca23a9ac5c8b567dc185a756e97c982164fe25859e0d1dcc1475c80a615b2123af1f5f94c11e3e9402c3ac558f500199d95b6d3e301758586281dcd26" generic SHA-512 Test Vector NIST CAVS #2 depends_on:MBEDTLS_MD_CAN_SHA512 @@ -1182,80 +1182,80 @@ md_hex_multi:MBEDTLS_MD_SHA512:"990d1ae71a62d7bda9bfdaa1762a68d296eee72a4cd946f2 generic SHA1 Hash file #1 depends_on:MBEDTLS_MD_CAN_SHA1 -mbedtls_md_file:MBEDTLS_MD_SHA1:"data_files/hash_file_1":"d21c965b1e768bd7a6aa6869f5f821901d255f9f" +mbedtls_md_file:MBEDTLS_MD_SHA1:"../framework/data_files/hash_file_1":"d21c965b1e768bd7a6aa6869f5f821901d255f9f" generic SHA1 Hash file #2 depends_on:MBEDTLS_MD_CAN_SHA1 -mbedtls_md_file:MBEDTLS_MD_SHA1:"data_files/hash_file_2":"353f34271f2aef49d23a8913d4a6bd82b2cecdc6" +mbedtls_md_file:MBEDTLS_MD_SHA1:"../framework/data_files/hash_file_2":"353f34271f2aef49d23a8913d4a6bd82b2cecdc6" generic SHA1 Hash file #3 depends_on:MBEDTLS_MD_CAN_SHA1 -mbedtls_md_file:MBEDTLS_MD_SHA1:"data_files/hash_file_3":"93640ed592076328096270c756db2fba9c486b35" +mbedtls_md_file:MBEDTLS_MD_SHA1:"../framework/data_files/hash_file_3":"93640ed592076328096270c756db2fba9c486b35" generic SHA1 Hash file #4 depends_on:MBEDTLS_MD_CAN_SHA1 -mbedtls_md_file:MBEDTLS_MD_SHA1:"data_files/hash_file_4":"da39a3ee5e6b4b0d3255bfef95601890afd80709" +mbedtls_md_file:MBEDTLS_MD_SHA1:"../framework/data_files/hash_file_4":"da39a3ee5e6b4b0d3255bfef95601890afd80709" generic SHA-224 Hash file #1 depends_on:MBEDTLS_MD_CAN_SHA224 -mbedtls_md_file:MBEDTLS_MD_SHA224:"data_files/hash_file_1":"8606da018870f0c16834a21bc3385704cb1683b9dbab04c5ddb90a48" +mbedtls_md_file:MBEDTLS_MD_SHA224:"../framework/data_files/hash_file_1":"8606da018870f0c16834a21bc3385704cb1683b9dbab04c5ddb90a48" generic SHA-224 Hash file #2 depends_on:MBEDTLS_MD_CAN_SHA224 -mbedtls_md_file:MBEDTLS_MD_SHA224:"data_files/hash_file_2":"733b2ab97b6f63f2e29b9a2089756d81e14c93fe4cc9615c0d5e8a03" +mbedtls_md_file:MBEDTLS_MD_SHA224:"../framework/data_files/hash_file_2":"733b2ab97b6f63f2e29b9a2089756d81e14c93fe4cc9615c0d5e8a03" generic SHA-224 Hash file #3 depends_on:MBEDTLS_MD_CAN_SHA224 -mbedtls_md_file:MBEDTLS_MD_SHA224:"data_files/hash_file_3":"e1df95867580e2cc2100e9565bf9c2e42c24fe5250c19efe33d1c4fe" +mbedtls_md_file:MBEDTLS_MD_SHA224:"../framework/data_files/hash_file_3":"e1df95867580e2cc2100e9565bf9c2e42c24fe5250c19efe33d1c4fe" generic SHA-224 Hash file #4 depends_on:MBEDTLS_MD_CAN_SHA224 -mbedtls_md_file:MBEDTLS_MD_SHA224:"data_files/hash_file_4":"d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f" +mbedtls_md_file:MBEDTLS_MD_SHA224:"../framework/data_files/hash_file_4":"d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f" generic SHA-256 Hash file #1 depends_on:MBEDTLS_MD_CAN_SHA256 -mbedtls_md_file:MBEDTLS_MD_SHA256:"data_files/hash_file_1":"975d0c620d3936886f8a3665e585a3e84aa0501f4225bf53029710242823e391" +mbedtls_md_file:MBEDTLS_MD_SHA256:"../framework/data_files/hash_file_1":"975d0c620d3936886f8a3665e585a3e84aa0501f4225bf53029710242823e391" generic SHA-256 Hash file #2 depends_on:MBEDTLS_MD_CAN_SHA256 -mbedtls_md_file:MBEDTLS_MD_SHA256:"data_files/hash_file_2":"11fcbf1baa36ca45745f10cc5467aee86f066f80ba2c46806d876bf783022ad2" +mbedtls_md_file:MBEDTLS_MD_SHA256:"../framework/data_files/hash_file_2":"11fcbf1baa36ca45745f10cc5467aee86f066f80ba2c46806d876bf783022ad2" generic SHA-256 Hash file #3 depends_on:MBEDTLS_MD_CAN_SHA256 -mbedtls_md_file:MBEDTLS_MD_SHA256:"data_files/hash_file_3":"9ae4b369f9f4f03b86505b46a5469542e00aaff7cf7417a71af6d6d0aba3b70c" +mbedtls_md_file:MBEDTLS_MD_SHA256:"../framework/data_files/hash_file_3":"9ae4b369f9f4f03b86505b46a5469542e00aaff7cf7417a71af6d6d0aba3b70c" generic SHA-256 Hash file #4 depends_on:MBEDTLS_MD_CAN_SHA256 -mbedtls_md_file:MBEDTLS_MD_SHA256:"data_files/hash_file_4":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" +mbedtls_md_file:MBEDTLS_MD_SHA256:"../framework/data_files/hash_file_4":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" generic SHA-384 Hash file #1 depends_on:MBEDTLS_MD_CAN_SHA384 -mbedtls_md_file:MBEDTLS_MD_SHA384:"data_files/hash_file_1":"e0a3e6259d6378001b54ef82f5dd087009c5fad86d8db226a9fe1d14ecbe33a6fc916e3a4b16f5f286424de15d5a8e0e" +mbedtls_md_file:MBEDTLS_MD_SHA384:"../framework/data_files/hash_file_1":"e0a3e6259d6378001b54ef82f5dd087009c5fad86d8db226a9fe1d14ecbe33a6fc916e3a4b16f5f286424de15d5a8e0e" generic SHA-384 Hash file #2 depends_on:MBEDTLS_MD_CAN_SHA384 -mbedtls_md_file:MBEDTLS_MD_SHA384:"data_files/hash_file_2":"eff727afc8495c92e2f370f97a317f93c3350324b0646b0f0e264708b3c97d3d332d3c5390e1e47130f5c92f1ef4b9cf" +mbedtls_md_file:MBEDTLS_MD_SHA384:"../framework/data_files/hash_file_2":"eff727afc8495c92e2f370f97a317f93c3350324b0646b0f0e264708b3c97d3d332d3c5390e1e47130f5c92f1ef4b9cf" generic SHA-384 Hash file #3 depends_on:MBEDTLS_MD_CAN_SHA384 -mbedtls_md_file:MBEDTLS_MD_SHA384:"data_files/hash_file_3":"6fc10ebda96a1ccf61777cac72f6034f92533d42052a4bf9f9d929c672973c71e5aeb1213268043c21527ac0f7f349c4" +mbedtls_md_file:MBEDTLS_MD_SHA384:"../framework/data_files/hash_file_3":"6fc10ebda96a1ccf61777cac72f6034f92533d42052a4bf9f9d929c672973c71e5aeb1213268043c21527ac0f7f349c4" generic SHA-384 Hash file #4 depends_on:MBEDTLS_MD_CAN_SHA384 -mbedtls_md_file:MBEDTLS_MD_SHA384:"data_files/hash_file_4":"38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b" +mbedtls_md_file:MBEDTLS_MD_SHA384:"../framework/data_files/hash_file_4":"38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b" generic SHA-512 Hash file #1 depends_on:MBEDTLS_MD_CAN_SHA512 -mbedtls_md_file:MBEDTLS_MD_SHA512:"data_files/hash_file_1":"d8207a2e1ff2b424f2c4163fe1b723c9bd42e464061eb411e8df730bcd24a7ab3956a6f3ff044a52eb2d262f9e4ca6b524092b544ab78f14d6f9c4cc8ddf335a" +mbedtls_md_file:MBEDTLS_MD_SHA512:"../framework/data_files/hash_file_1":"d8207a2e1ff2b424f2c4163fe1b723c9bd42e464061eb411e8df730bcd24a7ab3956a6f3ff044a52eb2d262f9e4ca6b524092b544ab78f14d6f9c4cc8ddf335a" generic SHA-512 Hash file #2 depends_on:MBEDTLS_MD_CAN_SHA512 -mbedtls_md_file:MBEDTLS_MD_SHA512:"data_files/hash_file_2":"ecbb7f0ed8a702b49f16ad3088bcc06ea93451912a7187db15f64d93517b09630b039293aed418d4a00695777b758b1f381548c2fd7b92ce5ed996b32c8734e7" +mbedtls_md_file:MBEDTLS_MD_SHA512:"../framework/data_files/hash_file_2":"ecbb7f0ed8a702b49f16ad3088bcc06ea93451912a7187db15f64d93517b09630b039293aed418d4a00695777b758b1f381548c2fd7b92ce5ed996b32c8734e7" generic SHA-512 Hash file #3 depends_on:MBEDTLS_MD_CAN_SHA512 -mbedtls_md_file:MBEDTLS_MD_SHA512:"data_files/hash_file_3":"7ccc9b2da71ffde9966c3ce44d7f20945fccf33b1fade4da152b021f1afcc7293382944aa6c09eac67af25f22026758e2bf6bed86ae2a43592677ee50f8eea41" +mbedtls_md_file:MBEDTLS_MD_SHA512:"../framework/data_files/hash_file_3":"7ccc9b2da71ffde9966c3ce44d7f20945fccf33b1fade4da152b021f1afcc7293382944aa6c09eac67af25f22026758e2bf6bed86ae2a43592677ee50f8eea41" generic SHA-512 Hash file #4 depends_on:MBEDTLS_MD_CAN_SHA512 -mbedtls_md_file:MBEDTLS_MD_SHA512:"data_files/hash_file_4":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e" +mbedtls_md_file:MBEDTLS_MD_SHA512:"../framework/data_files/hash_file_4":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e" diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_pk.data b/yass/third_party/mbedtls/tests/suites/test_suite_pk.data index a929c82f4f..cb420aea71 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_pk.data +++ b/yass/third_party/mbedtls/tests/suites/test_suite_pk.data @@ -8,23 +8,23 @@ PK write valid parameters depends_on:MBEDTLS_RSA_C valid_parameters_pkwrite:"308204a20201000282010100a9021f3d406ad555538bfd36ee82652e15615e89bfb8e84590dbee881652d3f143504796125964876bfd2be046f973beddcf92e1915bed66a06f8929794580d0836ad54143775f397c09044782b0573970eda3ec15191ea8330847c10542a9fd4cc3b4dfdd061f4d1051406773130f40f86d81255f0ab153c6307e1539acf95aee7f929ea6055be7139785b52392d9d42406d50925897507dda61a8f3f0919bead652c64eb959bdcfe415e17a6da6c5b69cc02ba142c16249c4adccdd0f7526773f12da023fd7ef431ca2d70ca890b04db2ea64f706e9ecebd5889e253599e6e5a9265e2883f0c9419a3dde5e89d9513ed29dbab7012dc5aca6b17ab528254b10203010001028201001689f5e89142ae18a6ffb0513715a4b0b4a13b9e5b3729a2bd62d738c6e15cea7bf3a4d85ab2193a0628c9452bb1f0c1af8b132789df1c95e72778bf5330f5b0d915d242d5e0818e85001ed5fa93d1ce13455deb0a15438562e8e3c8d60ec1e4c9ebff9f2b36b9cde9332cc79f0d17a7ae79cc1353cd75409ad9b4b6d7ee3d82af6f3207656cf2ac98947c15c398db0cebf8dc3eef5398269480cdd09411b960273ae3f364da09af849f24aa87346c58618ea91d9d6cd1d3932c80dbfc1f0a4166a9036911999ca27761079f0ce02db02c1c909ff9b4278578d7bb1b54b2b7082fc9e864b6b394e331c0d11a9a68255565b6dd477f4119c5809839520700711102818100d7db987ad86de6a9b0749fb5da80bacde3bebd72dcc83f60a27db74f927ac3661386577bfce5b4a00ad024682401d6aad29713c8e223b53415305ca07559821099b187fdd1bad3dc4dec9da96f5fa6128331e8f7d89f1e1a788698d1a27256dc7cd392f04e531a9e38e7265bf4fd7eec01e7835e9b1a0dd8923e440381be1c2702818100c87025fff7a493c623404966fbc8b32ed164ca620ad1a0ad11ef42fd12118456017856a8b42e5d4ad36104e9dc9f8a2f3003c3957ffddb20e2f4e3fc3cf2cdddae01f57a56de4fd24b91ab6d3e5cc0e8af0473659594a6bbfdaacf958f19c8d508eac12d8977616af6877106288093d37904a139220c1bc278ea56edc086976702818043e708685c7cf5fa9b4f948e1856366d5e1f3a694f9a8e954f884c89f3823ac5798ee12657bfcaba2dac9c47464c6dc2fecc17a531be19da706fee336bb6e47b645dbc71d3eff9856bddeb1ac9b644ffbdd58d7ba9e1240f1faaf797ba8a4d58becbaf85789e1bd979fcfccc209d3db7f0416bc9eef09b3a6d86b8ce8199d4310281804f4b86ccffe49d0d8ace98fb63ea9f708b284ba483d130b6a75cb76cb4e4372d6b41774f20912319420ca4cbfc1b25a8cb5f01d6381f6ebc50ed3ef08010327f5ba2acc1ac7220b3fa6f7399314db2879b0db0b5647abd87abb01295815a5b086491b2c0d81c616ed67ef8a8ce0727f446711d7323d4147b5828a52143c43b4b028180540756beba83c20a0bda11d6dec706a71744ff28090cec079dffb507d82828038fe657f61496a20317f779cb683ce8196c29a6fe28839a282eef4de57773be56808b0c3e2ac7747e2b200b2fbf20b55258cd24622a1ce0099de098ab0855106ae087f08b0c8c346d81619400c1b4838e33ed9ff90f05db8fccf8fb7ab881ca12" -PK utils: RSA Minimum key -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_utils:MBEDTLS_PK_RSA:MBEDTLS_RSA_GEN_KEY_MIN_BITS:MBEDTLS_RSA_GEN_KEY_MIN_BITS:(MBEDTLS_RSA_GEN_KEY_MIN_BITS + 7) / 8:"RSA" +PK utils: RSA 1024-bit +depends_on:MBEDTLS_RSA_C +pk_utils:MBEDTLS_PK_RSA:1024:1024:(1024 + 7) / 8:"RSA" -# mbedtls_rsa_gen_key() only supports even sizes, so we don't test min+1, -# min+3, etc. -PK utils: RSA Minimum key + 2 bits -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_utils:MBEDTLS_PK_RSA:MBEDTLS_RSA_GEN_KEY_MIN_BITS + 2:MBEDTLS_RSA_GEN_KEY_MIN_BITS + 2:(MBEDTLS_RSA_GEN_KEY_MIN_BITS + 2 + 7) / 8:"RSA" +# In the following 3 test cases we test a few different sizes that are not a +# multiple of 8 and for which we have test data. +PK utils: RSA 1026-bits +depends_on:MBEDTLS_RSA_C +pk_utils:MBEDTLS_PK_RSA:1026:1026:(1026 + 7) / 8:"RSA" -PK utils: RSA Minimum key + 4 bits -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_utils:MBEDTLS_PK_RSA:MBEDTLS_RSA_GEN_KEY_MIN_BITS + 4:MBEDTLS_RSA_GEN_KEY_MIN_BITS + 4:(MBEDTLS_RSA_GEN_KEY_MIN_BITS + 4 + 7) / 8:"RSA" +PK utils: RSA 1028-bits +depends_on:MBEDTLS_RSA_C +pk_utils:MBEDTLS_PK_RSA:1028:1028:(1028 + 7) / 8:"RSA" -PK utils: RSA Minimum key + 6 bits -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_utils:MBEDTLS_PK_RSA:MBEDTLS_RSA_GEN_KEY_MIN_BITS + 6:MBEDTLS_RSA_GEN_KEY_MIN_BITS + 6:(MBEDTLS_RSA_GEN_KEY_MIN_BITS + 6 + 7) / 8:"RSA" +PK utils: RSA 1030-bits +depends_on:MBEDTLS_RSA_C +pk_utils:MBEDTLS_PK_RSA:1030:1030:(1030 + 7) / 8:"RSA" PK utils: ECKEY SECP192R1 depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP192R1 @@ -63,7 +63,7 @@ depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAV pk_psa_utils:0 PK PSA utilities: RSA setup/free, info functions, unsupported operations -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_psa_utils:1 PK can do ext: ECDSA(ANY)/NONE, invalid check STREAM_CIPHER @@ -159,147 +159,147 @@ depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1 pk_can_do_ext:1:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):PSA_KEY_USAGE_DERIVE|PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_ECDH:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):256:PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_KEY_USAGE_DERIVE:1 PK can do ext: RSA_PKCS1V15_SIGN(ANY)/NONE, check not allowed COPY usage -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_USAGE_COPY:0 PK can do ext: RSA_PKCS1V15_SIGN(ANY)/NONE, invalid check STREAM_CIPHER -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:1024:PSA_ALG_STREAM_CIPHER:PSA_KEY_USAGE_SIGN_HASH:0 PK can do ext: RSA_PKCS1V15_SIGN(ANY)/NONE, invalid check ECDSA(SHA256) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:1024:PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:0 PK can do ext: RSA_PKCS1V15_SIGN(ANY)/NONE, invalid check ECDH -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:1024:PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH:0 PK can do ext: RSA_PKCS1V15_SIGN(ANY)/NONE, invalid check RSA_PKCS1V15_CRYPT -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:1024:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_SIGN_HASH:0 PK can do ext: RSA_PKCS1V15_SIGN(ANY)/NONE, invalid check RSA_PSS(SHA256) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:0 PK can do ext: RSA_PKCS1V15_SIGN(ANY)/NONE, check RSA_PKCS1V15_SIGN(SHA256) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1 PK can do ext: RSA_PKCS1V15_SIGN(ANY)/NONE, check non-present usage -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_USAGE_DERIVE:0 PK can do ext: RSA_PKCS1V15_SIGN(SHA256)/NONE, check RSA_PKCS1V15_SIGN(SHA256) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_ALG_NONE:1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1 PK can do ext: NONE, RSA_PKCS1V15_SIGN(ANY), check RSA_PKCS1V15_SIGN(SHA256) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_NONE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1 PK can do ext: NONE, RSA_PKCS1V15_SIGN(SHA256), check RSA_PKCS1V15_SIGN(SHA256) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_NONE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1 PK can do ext: RSA_PKCS1V15_SIGN(SHA256)/NONE, invalid check RSA_PKCS1V15_SIGN(ANY) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_ALG_NONE:1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_KEY_USAGE_SIGN_HASH:0 PK can do ext: RSA_PKCS1V15_SIGN(SHA1)/NONE, invalid check RSA_PKCS1V15_SIGN(SHA256) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_1):PSA_ALG_NONE:1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:0 PK can do ext: RSA_PSS(ANY)/NONE, invalid check STREAM_CIPHER -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):PSA_ALG_NONE:1024:PSA_ALG_STREAM_CIPHER:PSA_KEY_USAGE_SIGN_HASH:0 PK can do ext: RSA_PSS(ANY)/NONE, invalid check ECDSA(SHA256) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):PSA_ALG_NONE:1024:PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:0 PK can do ext: RSA_PSS(ANY)/NONE, invalid check RSA_PKCS1V15_CRYPT -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):PSA_ALG_NONE:1024:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_SIGN_HASH:0 PK can do ext: RSA_PSS(ANY)/NONE, invalid check RSA_PKCS1V15_SIGN(SHA256) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):PSA_ALG_NONE:1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:0 PK can do ext: RSA_PSS(ANY)/NONE, check RSA_PSS(SHA256) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):PSA_ALG_NONE:1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1 PK can do ext: RSA_PSS(SHA256)/NONE, check RSA_PSS(SHA256) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_ALG_NONE:1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1 PK can do ext: NONE, RSA_PSS(ANY), check RSA_PSS(SHA256) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_NONE:PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1 PK can do ext: NONE, RSA_PSS(SHA256), check RSA_PSS(SHA256) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_NONE:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1 PK can do ext: RSA_PSS(SHA256)/NONE, invalid check RSA_PSS(ANY) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_ALG_NONE:1024:PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):PSA_KEY_USAGE_SIGN_HASH:0 PK can do ext: RSA_PSS(SHA1)/NONE, invalid check RSA_PSS(SHA256) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PSS(PSA_ALG_SHA_1):PSA_ALG_NONE:1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:0 PK can do ext: RSA_PKCS1V15_SIGN_RAW/NONE, check RSA_PKCS1V15_SIGN_RAW -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_ALG_NONE:1024:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_HASH:1 PK can do ext: RSA_PKCS1V15_SIGN_RAW/NONE, invalid check RSA_PKCS1V15_SIGN(SHA256) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_ALG_NONE:1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:0 PK can do ext: RSA_PKCS1V15_CRYPT/NONE, invalid check STREAM_CIPHER -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:1024:PSA_ALG_STREAM_CIPHER:PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT:0 PK can do ext: RSA_PKCS1V15_CRYPT/NONE, invalid check ECDSA(SHA256) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:1024:PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT:0 PK can do ext: RSA_PKCS1V15_CRYPT/NONE, invalid check ECDH -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:1024:PSA_ALG_ECDH:PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT:0 PK can do ext: RSA_PKCS1V15_CRYPT/NONE, invalid check RSA_PSS(SHA256) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT:0 PK can do ext: RSA_PKCS1V15_CRYPT/NONE, invalid check RSA_PKCS1V15_SIGN(SHA256) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT:0 PK can do ext: RSA_PKCS1V15_CRYPT/NONE, check RSA_PKCS1V15_CRYPT -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:1024:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DECRYPT:1 PK can do ext: RSA_PKCS1V15_CRYPT/RSA_PSS(ANY), check RSA_PKCS1V15_CRYPT -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT|PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):1024:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DECRYPT:1 PK can do ext: RSA_PKCS1V15_CRYPT/RSA_PSS(ANY), check RSA_PSS(SHA256) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT|PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_DECRYPT:1 PK can do ext: RSA_PKCS1V15_CRYPT/RSA_PSS(ANY), check non allowed ENCRYPT usage -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_ENCRYPT|PSA_KEY_USAGE_DECRYPT|PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_ENCRYPT:0 PK can do ext: RSA_PKCS1V15_SIGN(ANY)/RSA_PSS(ANY), check RSA_PSS(SHA256) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1 PK can do ext: RSA_PKCS1V15_SIGN(ANY)/RSA_PSS(ANY), check RSA_PKCS1V15_SIGN(SHA256) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:1:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1 PK can do ext: MBEDTLS_PK_ECKEY, check ECDSA(SHA256) @@ -311,19 +311,19 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP256R1 pk_can_do_ext:0:MBEDTLS_PK_ECKEY:0:0:0:MBEDTLS_ECP_DP_SECP256R1:PSA_ALG_ECDH:PSA_KEY_USAGE_DERIVE:1 PK can do ext: MBEDTLS_PK_RSA, check RSA_PKCS1V15_SIGN(SHA256) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:0:MBEDTLS_PK_RSA:0:0:0:1024:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1 PK can do ext: MBEDTLS_PK_RSA, check PSA_ALG_RSA_PKCS1V15_CRYPT -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:0:MBEDTLS_PK_RSA:0:0:0:1024:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DECRYPT:1 PK can do ext: MBEDTLS_PK_RSA, check invalid PSA_KEY_USAGE_ENCRYPT -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:0:MBEDTLS_PK_RSA:0:0:0:1024:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_ENCRYPT:0 PK can do ext: MBEDTLS_PK_RSA, check RSA_PSS(SHA256) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_can_do_ext:0:MBEDTLS_PK_RSA:0:0:0:1024:PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:1 RSA verify test vector: PKCS1v1.5 (explicit), SHA1, good @@ -435,20 +435,20 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP192R1 pk_sign_verify:MBEDTLS_PK_ECKEY_DH:MBEDTLS_ECP_DP_SECP192R1:0:0:MBEDTLS_ERR_PK_TYPE_MISMATCH:MBEDTLS_ERR_PK_TYPE_MISMATCH RSA sign-verify, PKCS1v1.5, SHA1 -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_GENPRIME:MBEDTLS_RSA_GEN_KEY_MIN_BITS >= 512:MBEDTLS_MD_CAN_SHA1 -pk_sign_verify:MBEDTLS_PK_RSA:MBEDTLS_RSA_GEN_KEY_MIN_BITS:MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:0:0 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1 +pk_sign_verify:MBEDTLS_PK_RSA:RSA_KEY_SIZE:MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA1:0:0 RSA sign-verify, PKCS1v2.1, SHA1 -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_GENPRIME:MBEDTLS_RSA_GEN_KEY_MIN_BITS >= 512:MBEDTLS_MD_CAN_SHA1 -pk_sign_verify:MBEDTLS_PK_RSA:MBEDTLS_RSA_GEN_KEY_MIN_BITS:MBEDTLS_RSA_PKCS_V21:MBEDTLS_MD_SHA1:0:0 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA1 +pk_sign_verify:MBEDTLS_PK_RSA:RSA_KEY_SIZE:MBEDTLS_RSA_PKCS_V21:MBEDTLS_MD_SHA1:0:0 RSA sign-verify, PKCS1v1.5, SHA256 -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_GENPRIME:MBEDTLS_RSA_GEN_KEY_MIN_BITS >= 512:MBEDTLS_MD_CAN_SHA256 -pk_sign_verify:MBEDTLS_PK_RSA:MBEDTLS_RSA_GEN_KEY_MIN_BITS:MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA256:0:0 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256 +pk_sign_verify:MBEDTLS_PK_RSA:RSA_KEY_SIZE:MBEDTLS_RSA_PKCS_V15:MBEDTLS_MD_SHA256:0:0 RSA sign-verify, PKCS1v2.1, SHA256 -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_GENPRIME:MBEDTLS_RSA_GEN_KEY_MIN_BITS >= 512:MBEDTLS_MD_CAN_SHA256 -pk_sign_verify:MBEDTLS_PK_RSA:MBEDTLS_RSA_GEN_KEY_MIN_BITS:MBEDTLS_RSA_PKCS_V21:MBEDTLS_MD_SHA256:0:0 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256 +pk_sign_verify:MBEDTLS_PK_RSA:RSA_KEY_SIZE:MBEDTLS_RSA_PKCS_V21:MBEDTLS_MD_SHA256:0:0 RSA encrypt-decrypt test PKCS1 v1.5 depends_on:MBEDTLS_PKCS1_V15 @@ -507,7 +507,7 @@ depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_PK_CAN_ECDSA_SIGN pk_ec_nocrypt:MBEDTLS_PK_ECDSA RSA_ALT consistency -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_GENPRIME:MBEDTLS_RSA_GEN_KEY_MIN_BITS >= 512 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 pk_rsa_alt: Verify ext RSA #1 (PKCS1 v2.1, salt_len = ANY, OK) @@ -596,23 +596,23 @@ pk_rsa_verify_ext_test_vec:"ae6e43dd387c25741e42fc3570cdfc52e4f51a2343294f3b677d Check pair #1 (EC, OK) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_PEM_PARSE_C -mbedtls_pk_check_pair:"data_files/ec_256_pub.pem":"data_files/ec_256_prv.pem":0 +mbedtls_pk_check_pair:"../framework/data_files/ec_256_pub.pem":"../framework/data_files/ec_256_prv.pem":0 Check pair #2 (EC, bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_PEM_PARSE_C -mbedtls_pk_check_pair:"data_files/ec_256_pub.pem":"data_files/server5.key":MBEDTLS_ERR_ECP_BAD_INPUT_DATA +mbedtls_pk_check_pair:"../framework/data_files/ec_256_pub.pem":"../framework/data_files/server5.key":MBEDTLS_ERR_ECP_BAD_INPUT_DATA Check pair #3 (RSA, OK) depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PEM_PARSE_C -mbedtls_pk_check_pair:"data_files/server1.pubkey":"data_files/server1.key":0 +mbedtls_pk_check_pair:"../framework/data_files/server1.pubkey":"../framework/data_files/server1.key":0 Check pair #4 (RSA, bad) depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PEM_PARSE_C -mbedtls_pk_check_pair:"data_files/server1.pubkey":"data_files/server2.key":MBEDTLS_ERR_RSA_KEY_CHECK_FAILED +mbedtls_pk_check_pair:"../framework/data_files/server1.pubkey":"../framework/data_files/server2.key":MBEDTLS_ERR_RSA_KEY_CHECK_FAILED Check pair #5 (RSA vs EC) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C:MBEDTLS_PEM_PARSE_C -mbedtls_pk_check_pair:"data_files/ec_256_pub.pem":"data_files/server1.key":MBEDTLS_ERR_PK_TYPE_MISMATCH +mbedtls_pk_check_pair:"../framework/data_files/ec_256_pub.pem":"../framework/data_files/server1.key":MBEDTLS_ERR_PK_TYPE_MISMATCH RSA hash_len overflow (size_t vs unsigned int) depends_on:MBEDTLS_RSA_C:MBEDTLS_HAVE_INT64 @@ -688,35 +688,35 @@ depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_BP512R1 pk_psa_sign:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_BRAINPOOL_P_R1):512:0 PSA wrapped sign: RSA PKCS1 v1.5 -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 pk_psa_sign:PSA_KEY_TYPE_RSA_KEY_PAIR:1024:MBEDTLS_RSA_PKCS_V15 PSA wrapped sign: RSA PKCS1 v2.1 -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21 pk_psa_sign:PSA_KEY_TYPE_RSA_KEY_PAIR:1024:MBEDTLS_RSA_PKCS_V21 PK sign ext: RSA2048, PK_RSA, MD_SHA256 -depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_RSA_GEN_KEY_MIN_BITS <= 2048 +depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C pk_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSA:MBEDTLS_MD_SHA256 PK sign ext: RSA2048, PK_RSASSA_PSS, MD_SHA256 -depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_RSA_GEN_KEY_MIN_BITS <= 2048 +depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C pk_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256 PK sign ext: RSA2048, PK_RSA, MD_SHA384 -depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA384:MBEDTLS_RSA_C:MBEDTLS_RSA_GEN_KEY_MIN_BITS <= 2048 +depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA384:MBEDTLS_RSA_C pk_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSA:MBEDTLS_MD_SHA384 PK sign ext: RSA2048, PK_RSASSA_PSS, MD_SHA384 -depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA384:MBEDTLS_RSA_C:MBEDTLS_RSA_GEN_KEY_MIN_BITS <= 2048 +depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA384:MBEDTLS_RSA_C pk_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA384 PK sign ext: RSA2048, PK_RSA, MD_SHA512 -depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C:MBEDTLS_RSA_GEN_KEY_MIN_BITS <= 2048 +depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C pk_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSA:MBEDTLS_MD_SHA512 PK sign ext: RSA2048, PK_RSASSA_PSS, MD_SHA512 -depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C:MBEDTLS_RSA_GEN_KEY_MIN_BITS <= 2048 +depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C pk_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA512 PK sign ext: SECP256R1, PK_ECDSA, MD_SHA256 @@ -762,136 +762,136 @@ pk_get_psa_attributes_fail:MBEDTLS_PK_NONE:FROM_PUBLIC:PSA_KEY_USAGE_SIGN_MESSAG # Bad usage due to not specifying sign/crypt/derive. PSA attributes for pk: RSA usage=0 (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PAIR:0:MBEDTLS_ERR_PK_TYPE_MISMATCH # Bad usage due to not specifying sign/crypt/derive. PSA attributes for pk: RSA usage=EXPORT (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH # This usage could make sense, but is not currently supported. PSA attributes for pk: RSA usage=DECRYPT|EXPORT (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH # Bad usage due to specifying more than one of sign/crypt/derive. PSA attributes for pk: RSA usage=DECRYPT|SIGN_MESSAGE (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH # This usage could make sense, but is not currently supported. PSA attributes for pk: RSA usage=SIGN_MESSAGE|SIGN_HASH (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH # This usage could make sense, but is not currently supported. PSA attributes for pk: RSA usage=SIGN_MESSAGE|VERIFY_MESSAGE (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: RSA v15 pair DECRYPT -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 pk_get_psa_attributes:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_DECRYPT:1:PSA_ALG_RSA_PKCS1V15_CRYPT PSA attributes for pk: RSA v21 SHA-256 pair DECRYPT -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256 pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA256:FROM_PAIR:PSA_KEY_USAGE_DECRYPT:1:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256) PSA attributes for pk: RSA v21 SHA-512 pair DECRYPT -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512 pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA512:FROM_PAIR:PSA_KEY_USAGE_DECRYPT:1:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_512) PSA attributes for pk: RSA v15 pair->public ENCRYPT -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 pk_get_psa_attributes:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_PKCS1V15_CRYPT PSA attributes for pk: RSA v21 SHA-256 pair->public ENCRYPT -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256 pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA256:FROM_PAIR:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256) PSA attributes for pk: RSA v21 SHA-512 pair->public ENCRYPT -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512 pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA512:FROM_PAIR:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_512) PSA attributes for pk: RSA v15 public ENCRYPT -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 pk_get_psa_attributes:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_PKCS1V15_CRYPT PSA attributes for pk: RSA v21 SHA-256 public ENCRYPT -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256 pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA256:FROM_PUBLIC:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256) PSA attributes for pk: RSA v21 SHA-512 public ENCRYPT -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512 pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_SHA512:FROM_PUBLIC:PSA_KEY_USAGE_ENCRYPT:0:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_512) PSA attributes for pk: RSA v15 public DECRYPT (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: RSA v15 pair SIGN_MESSAGE -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 pk_get_psa_attributes:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v21 SHA-256 pair SIGN_MESSAGE -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21 pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:FROM_PAIR:PSA_KEY_USAGE_SIGN_MESSAGE:1:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v15 pair SIGN_HASH -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 pk_get_psa_attributes:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v21 SHA-256 pair SIGN_HASH -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21 pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:FROM_PAIR:PSA_KEY_USAGE_SIGN_HASH:1:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v15 pair->public VERIFY_MESSAGE -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 pk_get_psa_attributes:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v21 SHA-256 pair->public VERIFY_MESSAGE -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21 pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:FROM_PAIR:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v15 pair->public VERIFY_HASH -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 pk_get_psa_attributes:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v21 SHA-256 pair->public VERIFY_HASH -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21 pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:FROM_PAIR:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v15 public VERIFY_MESSAGE -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 pk_get_psa_attributes:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v21 SHA-256 public VERIFY_MESSAGE -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21 pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:FROM_PUBLIC:PSA_KEY_USAGE_VERIFY_MESSAGE:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v15 public VERIFY_HASH -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 pk_get_psa_attributes:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v21 SHA-256 public VERIFY_HASH -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V21 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21 pk_rsa_v21_get_psa_attributes:MBEDTLS_MD_NONE:FROM_PUBLIC:PSA_KEY_USAGE_VERIFY_HASH:0:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH) PSA attributes for pk: RSA v15 public SIGN_MESSAGE (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: RSA v15 public SIGN_HASH (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: RSA v15 pair DERIVE (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: RSA v15 public DERIVE (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 pk_get_psa_attributes_fail:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: ECKEY pair DECRYPT (bad) @@ -1063,164 +1063,164 @@ depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE pk_get_psa_attributes_fail:MBEDTLS_PK_ECKEY_DH:FROM_PUBLIC:PSA_KEY_USAGE_VERIFY_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA attributes for pk: opaque RSA pair, 0 & SIGN_MESSAGE (bad policy) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 +depends_on:MBEDTLS_RSA_C +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:0:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 PSA attributes for pk: opaque RSA pair, SIGN_MESSAGE & SIGN_MESSAGE -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE +depends_on:MBEDTLS_RSA_C +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE PSA attributes for pk: opaque RSA pair, SIGN|VERIFY & SIGN_MESSAGE -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE +depends_on:MBEDTLS_RSA_C +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE PSA attributes for pk: opaque RSA pair, SIGN|DECRYPT & SIGN_MESSAGE -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_DECRYPT +depends_on:MBEDTLS_RSA_C +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_DECRYPT # For a PK_OPAQUE key with a key pair type output, # mbedtls_pk_import_into_psa() requires the key to be copyable or exportable. # Try all combinations of COPY/not, EXPORT/not. PSA attributes for pk: opaque RSA pair, SIGN|... & SIGN_MESSAGE -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT +depends_on:MBEDTLS_RSA_C +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT PSA attributes for pk: opaque RSA pair, SIGN|EXPORT|... & SIGN_MESSAGE -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT +depends_on:MBEDTLS_RSA_C +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT PSA attributes for pk: opaque RSA pair, SIGN|COPY|... & SIGN_MESSAGE -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT +depends_on:MBEDTLS_RSA_C +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT PSA attributes for pk: opaque RSA pair, SIGN|COPY|EXPORT... & SIGN_MESSAGE -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT +depends_on:MBEDTLS_RSA_C +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT PSA attributes for pk: opaque RSA pair, SIGN_MESSAGE & SIGN_HASH (bad policy) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 +depends_on:MBEDTLS_RSA_C +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 # For a PK_OPAQUE key, mbedtls_pk_get_psa_attributes() ignores the input # key's algorithm policy. Just this time, test with a few different algorithms. PSA attributes for pk: opaque RSA pair, SIGN_HASH & SIGN_HASH [0] -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:1:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE +depends_on:MBEDTLS_RSA_C +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:1:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE PSA attributes for pk: opaque RSA pair, SIGN_HASH & SIGN_HASH [raw] -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_HASH:0:1:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE +depends_on:MBEDTLS_RSA_C +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_HASH:0:1:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE PSA attributes for pk: opaque RSA pair, SIGN_HASH & SIGN_HASH [v15] -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_HASH:0:1:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE +depends_on:MBEDTLS_RSA_C +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_SIGN_HASH:0:1:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE PSA attributes for pk: opaque RSA pair, SIGN_HASH & SIGN_HASH [PSS] -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:0:1:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE +depends_on:MBEDTLS_RSA_C +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_HASH:PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_SHA_256):PSA_KEY_USAGE_SIGN_HASH:0:1:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE PSA attributes for pk: opaque RSA pair, 0 & DECRYPT (bad policy) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:0:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 +depends_on:MBEDTLS_RSA_C +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:0:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 PSA attributes for pk: opaque RSA pair, DECRYPT & DECRYPT -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DECRYPT:0:1:PSA_KEY_USAGE_DECRYPT +depends_on:MBEDTLS_RSA_C +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DECRYPT:0:1:PSA_KEY_USAGE_DECRYPT PSA attributes for pk: opaque RSA pair, DECRYPT|... & DECRYPT -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DECRYPT:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT +depends_on:MBEDTLS_RSA_C +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DECRYPT:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT PSA attributes for pk: opaque RSA pair, ... & DERIVE (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 +depends_on:MBEDTLS_RSA_C +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 PSA attributes for pk: opaque RSA pair, ... & EXPORT (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 +depends_on:MBEDTLS_RSA_C +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 PSA attributes for pk: opaque RSA pair->public, VERIFY_MESSAGE & VERIFY_MESSAGE -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_VERIFY_MESSAGE:0:0:PSA_KEY_USAGE_VERIFY_MESSAGE +depends_on:MBEDTLS_RSA_C +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_VERIFY_MESSAGE:0:0:PSA_KEY_USAGE_VERIFY_MESSAGE PSA attributes for pk: opaque RSA pair->public, VERIFY_HASH & VERIFY_HASH -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_VERIFY_HASH:0:0:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE +depends_on:MBEDTLS_RSA_C +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_VERIFY_HASH:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_USAGE_VERIFY_HASH:0:0:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE PSA attributes for pk: opaque RSA pair->public, ENCRYPT & ENCRYPT -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_ENCRYPT:0:0:PSA_KEY_USAGE_ENCRYPT +depends_on:MBEDTLS_RSA_C +pk_get_psa_attributes_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_KEY_USAGE_ENCRYPT:0:0:PSA_KEY_USAGE_ENCRYPT PSA attributes for pk: opaque ECC pair, 0 & SIGN_MESSAGE (bad policy) -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:0:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 PSA attributes for pk: opaque ECC pair, SIGN_MESSAGE & SIGN_MESSAGE -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE PSA attributes for pk: opaque ECC pair, SIGN|VERIFY & SIGN_MESSAGE -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE PSA attributes for pk: opaque ECC pair, SIGN|DECRYPT & SIGN_MESSAGE -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_DECRYPT:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_DECRYPT PSA attributes for pk: opaque ECC pair, SIGN|... & SIGN_MESSAGE -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_MESSAGE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT PSA attributes for pk: opaque ECC pair, SIGN_HASH & SIGN_HASH -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_SIGN_HASH:0:1:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE PSA attributes for pk: opaque ECC pair, ... & DERIVE -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:PSA_KEY_USAGE_DERIVE:0:1:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DERIVE PSA attributes for pk: opaque ECC pair, ... & DECRYPT (bad) -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 PSA attributes for pk: opaque ECC pair, ... & EXPORT (bad) -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_ENCRYPT:PSA_ALG_ECDH:PSA_KEY_USAGE_EXPORT:MBEDTLS_ERR_PK_TYPE_MISMATCH:1:0 PSA attributes for pk: opaque ECC pair->public, VERIFY_MESSAGE & VERIFY_MESSAGE -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_VERIFY_MESSAGE:0:0:PSA_KEY_USAGE_VERIFY_MESSAGE PSA attributes for pk: opaque ECC pair->public, VERIFY_HASH & VERIFY_HASH -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_VERIFY_HASH:0:0:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE PSA attributes for pk: opaque ECC pair->public, ENCRYPT & ENCRYPT (bad) -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_HAVE_ECC_KEYS pk_get_psa_attributes_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_ECDSA_ANY:PSA_KEY_USAGE_ENCRYPT:MBEDTLS_ERR_PK_TYPE_MISMATCH:0:0 PSA import into PSA: RSA pair to ECC (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_import_into_psa_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: RSA public to RSA pair (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME +depends_on:MBEDTLS_RSA_C pk_import_into_psa_fail:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_TYPE_RSA_KEY_PAIR:0:MBEDTLS_ERR_RSA_BAD_INPUT_DATA # MBEDTLS_ERR_PK_INVALID_ALG is the error that results from our translation # of PSA errors. In this case MBEDTLS_ERR_PK_TYPE_MISMATCH would probably # be more appropriate. (Applies to all the RSA "different bits" test cases.) PSA import into PSA: RSA pair to different bits (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_import_into_psa_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS + 8:MBEDTLS_ERR_PK_INVALID_ALG +depends_on:MBEDTLS_RSA_C +pk_import_into_psa_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE + 8:MBEDTLS_ERR_PK_INVALID_ALG PSA import into PSA: RSA public to different bits (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_import_into_psa_fail:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_RSA_GEN_KEY_MIN_BITS + 8:MBEDTLS_ERR_PK_INVALID_ALG +depends_on:MBEDTLS_RSA_C +pk_import_into_psa_fail:MBEDTLS_PK_RSA:FROM_PUBLIC:PSA_KEY_TYPE_RSA_PUBLIC_KEY:RSA_KEY_SIZE + 8:MBEDTLS_ERR_PK_INVALID_ALG PSA import into PSA: RSA private to public, different bits (bad) -depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME -pk_import_into_psa_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_RSA_GEN_KEY_MIN_BITS + 8:MBEDTLS_ERR_PK_INVALID_ALG +depends_on:MBEDTLS_RSA_C +pk_import_into_psa_fail:MBEDTLS_PK_RSA:FROM_PAIR:PSA_KEY_TYPE_RSA_PUBLIC_KEY:RSA_KEY_SIZE + 8:MBEDTLS_ERR_PK_INVALID_ALG PSA import into PSA: ECKEY pair to RSA (bad) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE @@ -1395,149 +1395,149 @@ depends_on:MBEDTLS_USE_PSA_CRYPTO pk_import_into_psa_lifetime:1:1:0:1:1 PSA import into PSA: opaque RSA, COPY (ok) -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN -pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0 +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0 PSA import into PSA: opaque RSA, EXPORT (ok) -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN -pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0 +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0 PSA import into PSA: opaque RSA, no COPY/EXPORT (bad) -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN -pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:MBEDTLS_ERR_PK_TYPE_MISMATCH +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:MBEDTLS_ERR_PK_TYPE_MISMATCH # Detail that isn't precisely documented: since this copies the key, # the new key has the intersection of the usage flags. PSA import into PSA: opaque RSA, COPY|EXPORT, different usage (restricted) -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN -pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0 +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0 # Detail that isn't precisely documented: since this copies the key, # the new key has the intersection of the usage flags. PSA import into PSA: opaque RSA, COPY, different usage (restricted) -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN -pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0 +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0 # Detail that isn't precisely documented: since this exports the key, # the new key has all the requested usage flags. PSA import into PSA: opaque RSA, EXPORT, different usage (ok) -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN -pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0 +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0 PSA import into PSA: opaque RSA, COPY|EXPORT, different algorithm (ok) -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN -pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):0 +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):0 PSA import into PSA: opaque RSA, COPY, different algorithm (bad) -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN -pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):MBEDTLS_ERR_PK_TYPE_MISMATCH +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: opaque RSA, EXPORT, different algorithm (ok) -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN -pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):0 +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):0 PSA import into PSA: opaque RSA, implicit bits (ok) -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN -pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:0:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0 +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:0:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0 PSA import into PSA: opaque RSA, different bits (bad) -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN -pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS + 8:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:MBEDTLS_ERR_PK_TYPE_MISMATCH +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE + 8:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: opaque RSA, different type (bad) -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN -pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:PSA_KEY_TYPE_HMAC:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:MBEDTLS_ERR_PK_TYPE_MISMATCH +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:PSA_KEY_TYPE_HMAC:RSA_KEY_SIZE:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: opaque RSA to public (ok) -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN -pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0 +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_PUBLIC_KEY:RSA_KEY_SIZE:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0 PSA import into PSA: opaque RSA to public, implicit bits (ok) -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN -pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_PUBLIC_KEY:0:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0 +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_PUBLIC_KEY:0:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0 # MBEDTLS_ERR_PK_INVALID_ALG is the error that results from our translation # of PSA errors. In this case MBEDTLS_ERR_PK_TYPE_MISMATCH would probably # be more appropriate. PSA import into PSA: opaque RSA to public, different bits (bad) -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_SIGN -pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_RSA_GEN_KEY_MIN_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_RSA_GEN_KEY_MIN_BITS + 8:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:MBEDTLS_ERR_PK_INVALID_ALG +depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN +pk_import_into_psa_opaque:PSA_KEY_TYPE_RSA_KEY_PAIR:RSA_KEY_SIZE:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_PUBLIC_KEY:RSA_KEY_SIZE + 8:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:MBEDTLS_ERR_PK_INVALID_ALG PSA import into PSA: opaque ECC, COPY (ok) -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 PSA import into PSA: opaque ECC, EXPORT (ok) -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 PSA import into PSA: opaque ECC, no COPY/EXPORT (bad) -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):MBEDTLS_ERR_PK_TYPE_MISMATCH # Detail that isn't precisely documented: since this copies the key, # the new key has the intersection of the usage flags. PSA import into PSA: opaque ECC, COPY|EXPORT, different usage (restricted) -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 # Detail that isn't precisely documented: since this copies the key, # the new key has the intersection of the usage flags. PSA import into PSA: opaque ECC, COPY, different usage (restricted) -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 # Detail that isn't precisely documented: since this exports the key, # the new key has all the requested usage flags. PSA import into PSA: opaque ECC, EXPORT, different usage (ok) -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 PSA import into PSA: opaque ECC, COPY|EXPORT, different algorithm (ok) -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):0 PSA import into PSA: opaque ECC, COPY, different algorithm (bad) -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: opaque ECC, EXPORT, different algorithm (ok) -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):0 PSA import into PSA: opaque ECC, implicit bits (ok) -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):0:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 PSA import into PSA: opaque ECC, different bits (bad) -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS + 8:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: opaque ECC, different type (bad) -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:PSA_KEY_TYPE_HMAC:MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: opaque ECC, different family (bad) -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:PSA_WANT_ALG_ECDSA +depends_on:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:PSA_WANT_ALG_ECDSA pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:MBEDTLS_ERR_PK_TYPE_MISMATCH PSA import into PSA: opaque ECC to public (ok) -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 PSA import into PSA: opaque ECC to public, implicit bits (ok) -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):0:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):0 # MBEDTLS_ERR_PK_INVALID_ALG is the error that results from our translation # of PSA errors. In this case MBEDTLS_ERR_PK_TYPE_MISMATCH would probably # be more appropriate. PSA import into PSA: opaque ECC to public, different bits (bad) -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA +depends_on:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:PSA_WANT_ALG_ECDSA pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS + 8:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):MBEDTLS_ERR_PK_INVALID_ALG PSA import into PSA: opaque ECC to public, different family (bad) -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:PSA_WANT_ALG_ECDSA +depends_on:MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES:PSA_WANT_ALG_ECDSA pk_import_into_psa_opaque:PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:PSA_KEY_TYPE_ECC_PUBLIC_KEY(MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY):MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0:MBEDTLS_ERR_PK_TYPE_MISMATCH Copy from PSA: use wrong parameters diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_pk.function b/yass/third_party/mbedtls/tests/suites/test_suite_pk.function index 388879d1a1..f197d040bf 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_pk.function +++ b/yass/third_party/mbedtls/tests/suites/test_suite_pk.function @@ -21,17 +21,13 @@ #include "psa/crypto.h" #include "mbedtls/psa_util.h" +#include "pkwrite.h" + #include /* Needed for the definition of MBEDTLS_PK_WRITE_PUBKEY_MAX_SIZE. */ #include "pkwrite.h" -/* Used for properly sizing the key buffer in pk_genkey_ec() */ -#include "psa_util_internal.h" - -#define RSA_KEY_SIZE MBEDTLS_RSA_GEN_KEY_MIN_BITS -#define RSA_KEY_LEN (MBEDTLS_RSA_GEN_KEY_MIN_BITS/8) - #if defined(MBEDTLS_RSA_C) || \ defined(MBEDTLS_PK_RSA_ALT_SUPPORT) || \ defined(MBEDTLS_ECDSA_C) || \ @@ -44,8 +40,7 @@ * - The build has built-in ECC and ECDSA signature. */ #if (defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_PK_WRITE_C) && \ - ((defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME)) || \ - defined(MBEDTLS_PK_CAN_ECDSA_SIGN))) || \ + (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_PK_CAN_ECDSA_SIGN))) || \ (defined(MBEDTLS_ECP_C) && defined(MBEDTLS_PK_CAN_ECDSA_SIGN)) #define MBEDTLS_TEST_PK_PSA_SIGN #endif @@ -69,14 +64,22 @@ #define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 #define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 192 #define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP192R1 -#elif defined(PSA_WANT_ECC_SECP_R1_224) -#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 -#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 224 -#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP224R1 #elif defined(PSA_WANT_ECC_SECP_R1_256) #define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 #define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 256 #define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP256R1 +#elif defined(PSA_WANT_ECC_SECP_K1_192) +#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_K1 +#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 192 +#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP192K1 +#elif defined(PSA_WANT_ECC_SECP_K1_256) +#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_K1 +#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 256 +#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP256K1 +#elif defined(PSA_WANT_ECC_SECP_R1_224) +#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 +#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 224 +#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP224R1 #elif defined(PSA_WANT_ECC_SECP_R1_384) #define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 #define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 384 @@ -85,18 +88,10 @@ #define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 #define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 521 #define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP521R1 -#elif defined(PSA_WANT_ECC_SECP_K1_192) -#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_K1 -#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 192 -#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP192K1 #elif defined(PSA_WANT_ECC_SECP_K1_224) #define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_K1 #define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 224 #define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP224K1 -#elif defined(PSA_WANT_ECC_SECP_K1_256) -#define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_K1 -#define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 256 -#define MBEDTLS_TEST_ECP_DP_ONE_CURVE MBEDTLS_ECP_DP_SECP256K1 #elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) #define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_BRAINPOOL_P_R1 #define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 256 @@ -133,7 +128,8 @@ #define MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY PSA_ECC_FAMILY_SECP_K1 #define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 192 #define MBEDTLS_TEST_PSA_ECC_HAVE_TWO_FAMILIES -#elif defined(PSA_WANT_ECC_SECP_R1_256) && defined(PSA_WANT_ECC_SECP_K1_256) +#elif defined(PSA_WANT_ECC_SECP_R1_256) && defined(PSA_WANT_ECC_SECP_K1_256) && \ + !defined(PSA_WANT_ECC_SECP_R1_192) #define MBEDTLS_TEST_PSA_ECC_ONE_FAMILY PSA_ECC_FAMILY_SECP_R1 #define MBEDTLS_TEST_PSA_ECC_ANOTHER_FAMILY PSA_ECC_FAMILY_SECP_K1 #define MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS 256 @@ -185,123 +181,190 @@ #define MBEDTLS_MD_ALG_FOR_TEST MBEDTLS_MD_SHA512 #endif -#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) -static int pk_genkey_ec(mbedtls_pk_context *pk, mbedtls_ecp_group_id grp_id) +#include <../src/test_keys.h> + +/* Define an RSA key size we know it's present in predefined_key[] array. */ +#define RSA_KEY_SIZE 1024 +#define RSA_KEY_LEN (RSA_KEY_SIZE/8) + +static int get_predefined_key_data(int is_ec, int group_id_or_keybits, + const unsigned char **key, size_t *key_len, + const unsigned char **pub_key, size_t *pub_key_len) { - psa_status_t status; - psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; - size_t curve_bits; - psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(grp_id, &curve_bits); - int ret; + size_t i; + struct predefined_key_element *predefined_key = NULL; - if (curve == 0) { - return MBEDTLS_ERR_PK_BAD_INPUT_DATA; - } - - psa_set_key_type(&key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(curve)); - psa_set_key_bits(&key_attr, curve_bits); - psa_key_usage_t usage = PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY; - psa_algorithm_t sign_alg = 0; - psa_algorithm_t derive_alg = 0; - if (mbedtls_pk_get_type(pk) != MBEDTLS_PK_ECDSA) { - usage |= PSA_KEY_USAGE_DERIVE; - derive_alg = PSA_ALG_ECDH; - } - if (mbedtls_pk_get_type(pk) != MBEDTLS_PK_ECKEY_DH && - curve != PSA_ECC_FAMILY_MONTGOMERY) { - usage |= PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE; -#if defined(MBEDTLS_ECDSA_DETERMINISTIC) - sign_alg = PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_ANY_HASH); -#else - sign_alg = PSA_ALG_ECDSA(PSA_ALG_ANY_HASH); -#endif - } - if (derive_alg != 0) { - psa_set_key_algorithm(&key_attr, derive_alg); - if (sign_alg != 0) { - psa_set_key_enrollment_algorithm(&key_attr, sign_alg); + for (i = 0; i < ARRAY_LENGTH(predefined_keys); i++) { + if (is_ec) { + if (group_id_or_keybits == predefined_keys[i].group_id) { + predefined_key = &predefined_keys[i]; + } + } else if (group_id_or_keybits == predefined_keys[i].keybits) { + predefined_key = &predefined_keys[i]; } - } else { - psa_set_key_algorithm(&key_attr, sign_alg); - } - psa_set_key_usage_flags(&key_attr, usage); - - status = psa_generate_key(&key_attr, &pk->priv_id); - if (status != PSA_SUCCESS) { - return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; } - status = psa_export_public_key(pk->priv_id, pk->pub_raw, sizeof(pk->pub_raw), - &pk->pub_raw_len); - if (status != PSA_SUCCESS) { - ret = MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; - goto exit; - } - - pk->ec_family = curve; - pk->ec_bits = curve_bits; - - return 0; - -exit: - status = psa_destroy_key(pk->priv_id); - return (ret != 0) ? ret : psa_pk_status_to_mbedtls(status); -} -#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ - -/** Generate a key of the desired type. - * - * \param pk The PK object to fill. It must have been initialized - * with mbedtls_pk_setup(). - * \param curve_or_keybits - For RSA keys, the key size in bits. - * - For EC keys, the curve (\c MBEDTLS_ECP_DP_xxx). - * - * \return The status from the underlying type-specific key - * generation function. - * \return -1 if the key type is not recognized. - */ -static int pk_genkey(mbedtls_pk_context *pk, int curve_or_keybits) -{ - (void) pk; - (void) curve_or_keybits; - -#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME) - if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_RSA) { - return mbedtls_rsa_gen_key(mbedtls_pk_rsa(*pk), - mbedtls_test_rnd_std_rand, NULL, - curve_or_keybits, 3); - } -#endif -#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) - if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECKEY || - mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECKEY_DH || - mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECDSA) { - int ret; - -#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) - ret = pk_genkey_ec(pk, curve_or_keybits); - if (ret != 0) { - return ret; + if (predefined_key != NULL) { + *key = predefined_key->priv_key; + *key_len = predefined_key->priv_key_len; + if (pub_key != NULL) { + *pub_key = predefined_key->pub_key; + *pub_key_len = predefined_key->pub_key_len; } - return 0; -#else - ret = mbedtls_ecp_group_load(&mbedtls_pk_ec_rw(*pk)->grp, curve_or_keybits); - if (ret != 0) { - return ret; - } - return mbedtls_ecp_gen_keypair(&mbedtls_pk_ec_rw(*pk)->grp, - &mbedtls_pk_ec_rw(*pk)->d, - &mbedtls_pk_ec_rw(*pk)->Q, - mbedtls_test_rnd_std_rand, NULL); -#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ - } -#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ - return -1; + + TEST_FAIL("Unsupported key"); + /* "exit" label is to make the compiler happy. */ +exit: + return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; } #if defined(MBEDTLS_PSA_CRYPTO_C) +static psa_status_t pk_psa_import_key(const unsigned char *key_data, size_t key_len, + psa_key_type_t type, psa_key_usage_t usage, + psa_algorithm_t alg, mbedtls_svc_key_id_t *key) +{ + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_status_t status; + + *key = MBEDTLS_SVC_KEY_ID_INIT; + + /* Note: psa_import_key() automatically determines the key's bit length + * from the provided key data. That's why psa_set_key_bits() is not used below. */ + psa_set_key_usage_flags(&attributes, usage); + psa_set_key_algorithm(&attributes, alg); + psa_set_key_type(&attributes, type); + status = psa_import_key(&attributes, key_data, key_len, key); + + return status; +} +#endif /* MBEDTLS_PSA_CRYPTO_C */ + +/** Setup the provided PK context. + * + * Predefined keys used for the setup are taken from "test/src/test_keys.h" + * which is automatically generated using "framework/scripts/generate_test_keys.py". + * + * \param pk The PK object to fill. It must have been initialized + * (mbedtls_pk_init()), but not setup (mbedtls_pk_setup()). + * \param pk_type mbedtls_pk_type_t to use in the PK context. + * \param curve_or_keybits - For RSA keys, the key size in bits. + * - For EC keys, the curve (\c MBEDTLS_ECP_DP_xxx). + * + * \return 0 on success or a negative value otherwise. + */ +static int pk_setup(mbedtls_pk_context *pk, mbedtls_pk_type_t pk_type, int curve_or_keybits) +{ + const unsigned char *key_data = NULL; + const unsigned char *pub_key_data = NULL; + size_t key_data_len = 0; + size_t pub_key_data_len = 0; + int ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA; + + TEST_EQUAL(mbedtls_pk_setup(pk, mbedtls_pk_info_from_type(pk_type)), 0); + + if (pk_type == MBEDTLS_PK_RSA) { +#if defined(MBEDTLS_RSA_C) + TEST_EQUAL(get_predefined_key_data(0, curve_or_keybits, &key_data, &key_data_len, + NULL, 0), 0); + TEST_EQUAL(mbedtls_rsa_parse_key(mbedtls_pk_rsa(*pk), key_data, key_data_len), 0); +#else /* MBEDTLS_RSA_C */ + TEST_FAIL("RSA keys not supported."); +#endif /* MBEDTLS_RSA_C */ + } else { + TEST_EQUAL(get_predefined_key_data(1, curve_or_keybits, &key_data, &key_data_len, + &pub_key_data, &pub_key_data_len), 0); +#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) + pk->ec_family = mbedtls_ecc_group_to_psa(curve_or_keybits, &pk->ec_bits); + TEST_EQUAL(pk_psa_import_key(key_data, key_data_len, + PSA_KEY_TYPE_ECC_KEY_PAIR(pk->ec_family), + PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | + PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE | + PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_COPY | + PSA_KEY_USAGE_EXPORT, + MBEDTLS_PK_PSA_ALG_ECDSA_MAYBE_DET(PSA_ALG_ANY_HASH), + &pk->priv_id), 0); + memcpy(pk->pub_raw, pub_key_data, pub_key_data_len); + pk->pub_raw_len = pub_key_data_len; +#elif defined(MBEDTLS_ECP_C) + TEST_EQUAL(mbedtls_ecp_read_key(curve_or_keybits, mbedtls_pk_ec_rw(*pk), + key_data, key_data_len), 0); + TEST_EQUAL(mbedtls_ecp_point_read_binary(&(mbedtls_pk_ec_rw(*pk)->grp), + &(mbedtls_pk_ec_rw(*pk)->Q), + pub_key_data, pub_key_data_len), 0); +#else /* MBEDTLS_PK_USE_PSA_EC_DATA || MBEDTLS_ECP_C */ + TEST_FAIL("EC keys not supported."); +#endif /* MBEDTLS_PK_USE_PSA_EC_DATA || MBEDTLS_ECP_C */ + } + /* Override pk_info. */ + pk->pk_info = mbedtls_pk_info_from_type(pk_type); + ret = 0; + +exit: + return ret; +} + +#if defined(MBEDTLS_PSA_CRYPTO_C) +/** Create a PSA key of the desired type and properties. + * + * - For RSA and EC keys predefined key data is used (as in the pk_setup() above). + * - Other key types (ex: DH) are generated at runtime. + * + * \param type PSA key type. + * \param bits PSA key bit size. + * \param usage PSA key usage flags. + * \param alg PSA key primary algorithm. + * \param enrollment_alg PSA key enrollment algorithm. + * \param persistent_key_id PSA key ID for persistent keys. Set to PSA_KEY_ID_NULL + * for volatile keys. + * \param[out] key Identifier of the "generated" (actually imported) PSA key. + */ +static psa_status_t pk_psa_setup(psa_key_type_t type, size_t bits, + psa_key_usage_t usage, psa_algorithm_t alg, + psa_algorithm_t enrollment_alg, + mbedtls_svc_key_id_t persistent_key_id, + mbedtls_svc_key_id_t *key) +{ + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_status_t status = PSA_ERROR_GENERIC_ERROR; + const unsigned char *key_data = NULL; + size_t key_data_size = 0; + + *key = MBEDTLS_SVC_KEY_ID_INIT; + psa_set_key_usage_flags(&attributes, usage); + psa_set_key_algorithm(&attributes, alg); + psa_set_key_enrollment_algorithm(&attributes, enrollment_alg); + psa_set_key_type(&attributes, type); + psa_set_key_bits(&attributes, bits); + if (!mbedtls_svc_key_id_is_null(persistent_key_id)) { + psa_set_key_id(&attributes, persistent_key_id); + } + + /* For EC and RSA keys we use predefined keys in order to: + * - speed up testing and + * - ease requirements/dependencies on test cases. + * For other keys (ex: DH) psa_generate_key() is used instead. */ + if (PSA_KEY_TYPE_IS_RSA(type)) { + TEST_EQUAL(get_predefined_key_data(0, bits, &key_data, &key_data_size, NULL, 0), 0); + } else if (PSA_KEY_TYPE_IS_ECC(type)) { +#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) + mbedtls_ecp_group_id grp_id; + grp_id = mbedtls_ecc_group_from_psa(PSA_KEY_TYPE_ECC_GET_FAMILY(type), bits); + TEST_EQUAL(get_predefined_key_data(1, grp_id, &key_data, &key_data_size, NULL, 0), 0); +#else /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */ + TEST_FAIL("EC keys are not supported"); +#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */ + } else { + return psa_generate_key(&attributes, key); + } + + status = psa_import_key(&attributes, key_data, key_data_size, key); + +exit: + return status; +} + static psa_key_usage_t pk_get_psa_attributes_implied_usage( psa_key_usage_t expected_usage) { @@ -404,19 +467,19 @@ exit: } #endif /* MBEDTLS_PSA_CRYPTO_C */ -#if defined(MBEDTLS_RSA_C) -int mbedtls_rsa_decrypt_func(void *ctx, size_t *olen, - const unsigned char *input, unsigned char *output, - size_t output_max_len) +#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PK_RSA_ALT_SUPPORT) +static int mbedtls_rsa_decrypt_func(void *ctx, size_t *olen, + const unsigned char *input, unsigned char *output, + size_t output_max_len) { return mbedtls_rsa_pkcs1_decrypt((mbedtls_rsa_context *) ctx, mbedtls_test_rnd_std_rand, NULL, olen, input, output, output_max_len); } -int mbedtls_rsa_sign_func(void *ctx, - int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, - mbedtls_md_type_t md_alg, unsigned int hashlen, - const unsigned char *hash, unsigned char *sig) +static int mbedtls_rsa_sign_func(void *ctx, + int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, + mbedtls_md_type_t md_alg, unsigned int hashlen, + const unsigned char *hash, unsigned char *sig) { ((void) f_rng); ((void) p_rng); @@ -424,11 +487,11 @@ int mbedtls_rsa_sign_func(void *ctx, mbedtls_test_rnd_std_rand, NULL, md_alg, hashlen, hash, sig); } -size_t mbedtls_rsa_key_len_func(void *ctx) +static size_t mbedtls_rsa_key_len_func(void *ctx) { return ((const mbedtls_rsa_context *) ctx)->len; } -#endif /* MBEDTLS_RSA_C */ +#endif /* MBEDTLS_RSA_C && MBEDTLS_PK_RSA_ALT_SUPPORT */ typedef enum { /* The values are compatible with thinking of "from pair" as a boolean. */ @@ -443,32 +506,18 @@ static int pk_setup_for_type(mbedtls_pk_type_t pk_type, int want_pair, if (pk_type == MBEDTLS_PK_NONE) { return 0; } - TEST_EQUAL(mbedtls_pk_setup(pk, mbedtls_pk_info_from_type(pk_type)), 0); switch (pk_type) { #if defined(MBEDTLS_RSA_C) case MBEDTLS_PK_RSA: { *psa_type = PSA_KEY_TYPE_RSA_KEY_PAIR; - mbedtls_rsa_context *rsa = mbedtls_pk_rsa(*pk); - if (want_pair) { -#if defined(MBEDTLS_GENPRIME) - TEST_EQUAL(mbedtls_rsa_gen_key( - rsa, - mbedtls_test_rnd_std_rand, NULL, - MBEDTLS_RSA_GEN_KEY_MIN_BITS, 65537), 0); -#else - TEST_FAIL("I don't know how to create an RSA key pair in this configuration."); -#endif - } else { - unsigned char N[PSA_BITS_TO_BYTES(MBEDTLS_RSA_GEN_KEY_MIN_BITS)] = { 0xff }; - N[sizeof(N) - 1] = 0x03; - const unsigned char E[1] = { 0x03 }; - TEST_EQUAL(mbedtls_rsa_import_raw(rsa, - N, sizeof(N), - NULL, 0, NULL, 0, NULL, 0, - E, sizeof(E)), 0); - TEST_EQUAL(mbedtls_rsa_complete(rsa), 0); + TEST_EQUAL(pk_setup(pk, pk_type, RSA_KEY_SIZE), 0); + if (!want_pair) { + mbedtls_rsa_context *rsa = mbedtls_pk_rsa(*pk); + mbedtls_mpi_free(&rsa->D); + mbedtls_mpi_free(&rsa->P); + mbedtls_mpi_free(&rsa->Q); } break; } @@ -482,7 +531,7 @@ static int pk_setup_for_type(mbedtls_pk_type_t pk_type, int want_pair, mbedtls_ecp_group_id grp_id = MBEDTLS_TEST_ECP_DP_ONE_CURVE; size_t bits; *psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(mbedtls_ecc_group_to_psa(grp_id, &bits)); - TEST_EQUAL(pk_genkey(pk, grp_id), 0); + TEST_EQUAL(pk_setup(pk, pk_type, grp_id), 0); if (!want_pair) { #if defined(MBEDTLS_PK_USE_PSA_EC_DATA) psa_key_attributes_t pub_attributes = PSA_KEY_ATTRIBUTES_INIT; @@ -518,7 +567,7 @@ static int pk_setup_for_type(mbedtls_pk_type_t pk_type, int want_pair, exit: return MBEDTLS_ERR_ERROR_GENERIC_ERROR; } -#endif +#endif /* MBEDTLS_PSA_CRYPTO_C */ #if defined(MBEDTLS_PSA_CRYPTO_C) /* Create a new PSA key which will contain only the public part of the private @@ -569,7 +618,7 @@ exit: /* Create a copy of a PSA key with same usage and algorithm policy and destroy * the original one. */ -mbedtls_svc_key_id_t psa_copy_and_destroy(mbedtls_svc_key_id_t orig_key_id) +static mbedtls_svc_key_id_t psa_copy_and_destroy(mbedtls_svc_key_id_t orig_key_id) { psa_key_attributes_t orig_attr = PSA_KEY_ATTRIBUTES_INIT; psa_key_attributes_t new_attr = PSA_KEY_ATTRIBUTES_INIT; @@ -587,73 +636,6 @@ exit: psa_reset_key_attributes(&new_attr); return new_key_id; } - -psa_status_t pk_psa_import_key(unsigned char *key_data, size_t key_len, - psa_key_type_t type, psa_key_usage_t usage, - psa_algorithm_t alg, mbedtls_svc_key_id_t *key) -{ - psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_status_t status; - - *key = MBEDTLS_SVC_KEY_ID_INIT; - - /* Note: psa_import_key() automatically determines the key's bit length - * from the provided key data. That's why psa_set_key_bits() is not used below. */ - psa_set_key_usage_flags(&attributes, usage); - psa_set_key_algorithm(&attributes, alg); - psa_set_key_type(&attributes, type); - status = psa_import_key(&attributes, key_data, key_len, key); - - return status; -} - -psa_status_t pk_psa_genkey_generic(psa_key_type_t type, size_t bits, - psa_key_usage_t usage, psa_algorithm_t alg, - mbedtls_svc_key_id_t *key) -{ - psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_status_t status; - - *key = MBEDTLS_SVC_KEY_ID_INIT; - - psa_set_key_usage_flags(&attributes, usage); - psa_set_key_algorithm(&attributes, alg); - psa_set_key_type(&attributes, type); - psa_set_key_bits(&attributes, bits); - status = psa_generate_key(&attributes, key); - - return status; -} - -/* - * Generate an ECC key using PSA and return the key identifier of that key, - * or 0 if the key generation failed. - * The key uses NIST P-256 and is usable for signing with SHA-256. - */ -mbedtls_svc_key_id_t pk_psa_genkey_ecc(void) -{ - mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; - - pk_psa_genkey_generic(PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1), 256, - PSA_KEY_USAGE_SIGN_HASH, PSA_ALG_ECDSA(PSA_ALG_SHA_256), - &key); - - return key; -} - -/* - * Generate an RSA key using PSA and return the key identifier of that key, - * or 0 if the key generation failed. - */ -mbedtls_svc_key_id_t pk_psa_genkey_rsa(void) -{ - mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; - - pk_psa_genkey_generic(PSA_KEY_TYPE_RSA_KEY_PAIR, 1024, PSA_KEY_USAGE_SIGN_HASH, - PSA_ALG_RSA_PKCS1V15_SIGN_RAW, &key); - - return key; -} #endif /* MBEDTLS_PSA_CRYPTO_C */ /* END_HEADER */ @@ -688,11 +670,15 @@ void pk_psa_utils(int key_is_rsa) mbedtls_pk_init(&pk); if (key_is_rsa) { - bitlen = 1024; /* hardcoded in genkey() */ - key = pk_psa_genkey_rsa(); + bitlen = 1024; + PSA_ASSERT(pk_psa_setup(PSA_KEY_TYPE_RSA_KEY_PAIR, 1024, PSA_KEY_USAGE_SIGN_HASH, + PSA_ALG_RSA_PKCS1V15_SIGN_RAW, PSA_ALG_NONE, + MBEDTLS_SVC_KEY_ID_INIT, &key)); } else { - bitlen = 256; /* hardcoded in genkey() */ - key = pk_psa_genkey_ecc(); + bitlen = 256; + PSA_ASSERT(pk_psa_setup(PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1), 256, + PSA_KEY_USAGE_SIGN_HASH, PSA_ALG_ECDSA(PSA_ALG_SHA_256), + PSA_ALG_NONE, MBEDTLS_SVC_KEY_ID_INIT, &key)); } if (mbedtls_svc_key_id_is_null(key)) { goto exit; @@ -777,16 +763,8 @@ void pk_can_do_ext(int opaque_key, int key_type, int key_usage, int key_alg, USE_PSA_INIT(); if (opaque_key == 1) { - psa_set_key_usage_flags(&attributes, key_usage); - psa_set_key_algorithm(&attributes, key_alg); - if (key_alg2 != 0) { - psa_set_key_enrollment_algorithm(&attributes, key_alg2); - } - psa_set_key_type(&attributes, key_type); - psa_set_key_bits(&attributes, curve_or_keybits); - - PSA_ASSERT(psa_generate_key(&attributes, &key)); - + PSA_ASSERT(pk_psa_setup(key_type, curve_or_keybits, key_usage, + key_alg, key_alg2, MBEDTLS_SVC_KEY_ID_INIT, &key)); if (mbedtls_svc_key_id_is_null(key)) { goto exit; } @@ -795,9 +773,7 @@ void pk_can_do_ext(int opaque_key, int key_type, int key_usage, int key_alg, TEST_EQUAL(mbedtls_pk_get_type(&pk), MBEDTLS_PK_OPAQUE); } else { - TEST_EQUAL(mbedtls_pk_setup(&pk, - mbedtls_pk_info_from_type(key_type)), 0); - TEST_EQUAL(pk_genkey(&pk, curve_or_keybits), 0); + TEST_EQUAL(pk_setup(&pk, key_type, curve_or_keybits), 0); TEST_EQUAL(mbedtls_pk_get_type(&pk), key_type); } @@ -999,8 +975,7 @@ void pk_utils(int type, int curve_or_keybits, int bitlen, int len, char *name) mbedtls_pk_init(&pk); USE_PSA_INIT(); - TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(type)) == 0); - TEST_ASSERT(pk_genkey(&pk, curve_or_keybits) == 0); + TEST_ASSERT(pk_setup(&pk, type, curve_or_keybits) == 0); TEST_ASSERT((int) mbedtls_pk_get_type(&pk) == type); TEST_ASSERT(mbedtls_pk_can_do(&pk, type)); @@ -1021,6 +996,7 @@ void mbedtls_pk_check_pair(char *pub_file, char *prv_file, int ret) #if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t opaque_key_id = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t opaque_key_attr = PSA_KEY_ATTRIBUTES_INIT; + int is_ec_key = 0; #endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_pk_init(&pub); @@ -1057,16 +1033,22 @@ void mbedtls_pk_check_pair(char *pub_file, char *prv_file, int ret) } #endif #if defined(MBEDTLS_USE_PSA_CRYPTO) - if (mbedtls_pk_get_type(&prv) == MBEDTLS_PK_ECKEY) { - /* Turn the prv PK context into an opaque one.*/ - TEST_EQUAL(mbedtls_pk_get_psa_attributes(&prv, PSA_KEY_USAGE_SIGN_HASH, - &opaque_key_attr), 0); - TEST_EQUAL(mbedtls_pk_import_into_psa(&prv, &opaque_key_attr, &opaque_key_id), 0); - mbedtls_pk_free(&prv); - mbedtls_pk_init(&prv); - TEST_EQUAL(mbedtls_pk_setup_opaque(&prv, opaque_key_id), 0); + is_ec_key = (mbedtls_pk_get_type(&prv) == MBEDTLS_PK_ECKEY); + /* Turn the prv PK context into an opaque one.*/ + TEST_EQUAL(mbedtls_pk_get_psa_attributes(&prv, PSA_KEY_USAGE_SIGN_HASH, + &opaque_key_attr), 0); + TEST_EQUAL(mbedtls_pk_import_into_psa(&prv, &opaque_key_attr, &opaque_key_id), 0); + mbedtls_pk_free(&prv); + mbedtls_pk_init(&prv); + TEST_EQUAL(mbedtls_pk_setup_opaque(&prv, opaque_key_id), 0); + /* Test check_pair() between the opaque key we just created and the public PK counterpart. + * Note: opaque EC keys support check_pair(), whereas RSA ones do not. */ + if (is_ec_key) { TEST_EQUAL(mbedtls_pk_check_pair(&pub, &prv, mbedtls_test_rnd_std_rand, NULL), ret); + } else { + TEST_EQUAL(mbedtls_pk_check_pair(&pub, &prv, mbedtls_test_rnd_std_rand, + NULL), MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE); } #endif @@ -1361,8 +1343,7 @@ void pk_sign_verify(int type, int curve_or_keybits, int rsa_padding, int rsa_md_ memset(hash, 0x2a, sizeof(hash)); memset(sig, 0, sizeof(sig)); - TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(type)) == 0); - TEST_ASSERT(pk_genkey(&pk, curve_or_keybits) == 0); + TEST_ASSERT(pk_setup(&pk, type, curve_or_keybits) == 0); #if defined(MBEDTLS_RSA_C) if (type == MBEDTLS_PK_RSA) { @@ -1755,9 +1736,7 @@ void pk_rsa_alt() memset(test, 0, sizeof(test)); /* Initialize PK RSA context with random key */ - TEST_ASSERT(mbedtls_pk_setup(&rsa, - mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0); - TEST_ASSERT(pk_genkey(&rsa, RSA_KEY_SIZE) == 0); + TEST_ASSERT(pk_setup(&rsa, MBEDTLS_PK_RSA, RSA_KEY_SIZE) == 0); /* Extract key to the raw rsa context */ TEST_ASSERT(mbedtls_rsa_copy(&raw, mbedtls_pk_rsa(rsa)) == 0); @@ -1825,7 +1804,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_PK_PSA_SIGN */ +/* BEGIN_CASE depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_PK_PSA_SIGN */ void pk_psa_sign(int psa_type, int bits, int rsa_padding) { mbedtls_pk_context pk; @@ -1840,7 +1819,7 @@ void pk_psa_sign(int psa_type, int bits, int rsa_padding) int ret; #endif /* MBEDTLS_RSA_C || MBEDTLS_PK_WRITE_C */ #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) - mbedtls_ecp_group_id ecp_grp_id; + mbedtls_ecp_group_id ecp_grp_id = MBEDTLS_ECP_DP_NONE; #endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */ /* @@ -1856,21 +1835,18 @@ void pk_psa_sign(int psa_type, int bits, int rsa_padding) USE_PSA_INIT(); /* Create the legacy EC/RSA PK context. */ -#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME) +#if defined(MBEDTLS_RSA_C) if (PSA_KEY_TYPE_IS_RSA(psa_type)) { - TEST_ASSERT(mbedtls_pk_setup(&pk, - mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0); - TEST_EQUAL(pk_genkey(&pk, bits), 0); + TEST_EQUAL(pk_setup(&pk, MBEDTLS_PK_RSA, bits), 0); TEST_EQUAL(mbedtls_rsa_set_padding(mbedtls_pk_rsa(pk), rsa_padding, MBEDTLS_MD_NONE), 0); } -#else /* MBEDTLS_RSA_C && MBEDTLS_GENPRIME */ +#else /* MBEDTLS_RSA_C */ (void) rsa_padding; -#endif /* MBEDTLS_RSA_C && MBEDTLS_GENPRIME */ +#endif /* MBEDTLS_RSA_C */ #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(psa_type)) { ecp_grp_id = mbedtls_ecc_group_from_psa(psa_type, bits); - TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)) == 0); - TEST_ASSERT(pk_genkey(&pk, ecp_grp_id) == 0); + TEST_ASSERT(pk_setup(&pk, MBEDTLS_PK_ECKEY, ecp_grp_id) == 0); } #endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */ @@ -1992,7 +1968,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_GENPRIME */ +/* BEGIN_CASE */ void pk_sign_ext(int pk_type, int curve_or_keybits, int key_pk_type, int md_alg) { mbedtls_pk_context pk; @@ -2008,9 +1984,7 @@ void pk_sign_ext(int pk_type, int curve_or_keybits, int key_pk_type, int md_alg) mbedtls_pk_init(&pk); MD_OR_USE_PSA_INIT(); - TEST_EQUAL(mbedtls_pk_setup(&pk, - mbedtls_pk_info_from_type(pk_type)), 0); - TEST_EQUAL(pk_genkey(&pk, curve_or_keybits), 0); + TEST_EQUAL(pk_setup(&pk, pk_type, curve_or_keybits), 0); TEST_EQUAL(mbedtls_pk_sign_ext(key_pk_type, &pk, md_alg, hash, hash_len, sig, sizeof(sig), &sig_len, @@ -2030,7 +2004,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_USE_PSA_CRYPTO */ +/* BEGIN_CASE depends_on:MBEDTLS_RSA_C:MBEDTLS_USE_PSA_CRYPTO */ void pk_psa_wrap_sign_ext(int pk_type, int key_bits, int key_pk_type, int md_alg) { mbedtls_pk_context pk; @@ -2052,11 +2026,7 @@ void pk_psa_wrap_sign_ext(int pk_type, int key_bits, int key_pk_type, int md_alg /* Create legacy RSA public/private key in PK context. */ mbedtls_pk_init(&pk); - TEST_EQUAL(mbedtls_pk_setup(&pk, - mbedtls_pk_info_from_type(pk_type)), 0); - TEST_EQUAL(mbedtls_rsa_gen_key(mbedtls_pk_rsa(pk), - mbedtls_test_rnd_std_rand, NULL, - key_bits, 3), 0); + TEST_EQUAL(pk_setup(&pk, pk_type, key_bits), 0); if (key_pk_type == MBEDTLS_PK_RSASSA_PSS) { mbedtls_rsa_set_padding(mbedtls_pk_rsa(pk), MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_NONE); @@ -2082,6 +2052,19 @@ void pk_psa_wrap_sign_ext(int pk_type, int key_bits, int key_pk_type, int md_alg memset(hash, 0x2a, sizeof(hash)); memset(sig, 0, sizeof(sig)); +#if defined(MBEDTLS_PKCS1_V21) + /* Check that trying to use the wrong pk_type in sign_ext() results in a failure. + * The PSA key was setup to use PKCS1 v1.5 signature algorithm, but here we try + * to use it for PSS (PKCS1 v2.1) and it should fail. */ + if (key_pk_type == MBEDTLS_PK_RSA) { + TEST_EQUAL(mbedtls_pk_sign_ext(MBEDTLS_PK_RSASSA_PSS, &pk, md_alg, hash, hash_len, + sig, sizeof(sig), &sig_len, + mbedtls_test_rnd_std_rand, NULL), + MBEDTLS_ERR_RSA_BAD_INPUT_DATA); + } +#endif /* MBEDTLS_PKCS1_V21 */ + + /* Perform sign_ext() with the correct pk_type. */ TEST_EQUAL(mbedtls_pk_sign_ext(key_pk_type, &pk, md_alg, hash, hash_len, sig, sizeof(sig), &sig_len, mbedtls_test_rnd_std_rand, NULL), 0); @@ -2187,7 +2170,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_GENPRIME */ +/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21 */ void pk_rsa_v21_get_psa_attributes(int md_type, int from_pair, int usage_arg, int to_pair, int expected_alg) @@ -2261,7 +2244,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PSA_CRYPTO_STORAGE_C */ +/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_TEST_PSA_ECC_AT_LEAST_ONE_CURVE:MBEDTLS_PSA_CRYPTO_STORAGE_C */ void pk_import_into_psa_lifetime(int from_opaque, int from_persistent, /* when from opaque */ int from_exportable, /* when from opaque */ @@ -2282,17 +2265,18 @@ void pk_import_into_psa_lifetime(int from_opaque, #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_key_type_t from_psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(MBEDTLS_TEST_PSA_ECC_ONE_FAMILY); - psa_set_key_type(&attributes, from_psa_type); - psa_set_key_bits(&attributes, MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS); - psa_set_key_usage_flags( - &attributes, + psa_key_usage_t psa_key_usage = (from_exportable ? PSA_KEY_USAGE_EXPORT : PSA_KEY_USAGE_COPY) | - PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH); - psa_set_key_algorithm(&attributes, PSA_ALG_ECDH); + PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH; + mbedtls_svc_key_id_t persistent_key_id = MBEDTLS_SVC_KEY_ID_INIT; + if (from_persistent) { - psa_set_key_id(&attributes, mbedtls_svc_key_id_make(0, 1)); + persistent_key_id = mbedtls_svc_key_id_make(0, 1); } - PSA_ASSERT(psa_generate_key(&attributes, &old_key_id)); + + PSA_ASSERT(pk_psa_setup(from_psa_type, MBEDTLS_TEST_PSA_ECC_ONE_CURVE_BITS, + psa_key_usage, PSA_ALG_ECDH, PSA_ALG_NONE, + persistent_key_id, &old_key_id)); TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, old_key_id), 0); psa_reset_key_attributes(&attributes); #else @@ -2368,12 +2352,8 @@ void pk_get_psa_attributes_opaque(int from_type_arg, int from_bits_arg, PSA_INIT(); - psa_set_key_type(&attributes, from_type); - psa_set_key_bits(&attributes, bits); - psa_set_key_usage_flags(&attributes, from_usage); - psa_set_key_algorithm(&attributes, alg); - psa_set_key_enrollment_algorithm(&attributes, 42); - PSA_ASSERT(psa_generate_key(&attributes, &old_key_id)); + PSA_ASSERT(pk_psa_setup(from_type, bits, from_usage, alg, 42, + MBEDTLS_SVC_KEY_ID_INIT, &old_key_id)); TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, old_key_id), 0); psa_key_type_t expected_psa_type = @@ -2465,11 +2445,8 @@ void pk_import_into_psa_opaque(int from_type, int from_bits, PSA_INIT(); - psa_set_key_type(&from_attributes, from_type); - psa_set_key_bits(&from_attributes, from_bits); - psa_set_key_usage_flags(&from_attributes, from_usage); - psa_set_key_algorithm(&from_attributes, from_alg); - PSA_ASSERT(psa_generate_key(&from_attributes, &from_key_id)); + PSA_ASSERT(pk_psa_setup(from_type, from_bits, from_usage, from_alg, PSA_ALG_NONE, + MBEDTLS_SVC_KEY_ID_INIT, &from_key_id)); TEST_EQUAL(mbedtls_pk_setup_opaque(&pk, from_key_id), 0); psa_set_key_type(&to_attributes, to_type); @@ -2535,23 +2512,21 @@ void pk_copy_from_psa_fail(void) MBEDTLS_ERR_PK_BAD_INPUT_DATA); #if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE) - /* Generate a key type that is not handled by the PK module. */ - PSA_ASSERT(pk_psa_genkey_generic(PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919), 2048, - PSA_KEY_USAGE_EXPORT, PSA_ALG_NONE, &key_id)); + pk_psa_setup(PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919), 2048, + PSA_KEY_USAGE_EXPORT, PSA_ALG_NONE, PSA_ALG_NONE, + MBEDTLS_SVC_KEY_ID_INIT, &key_id); TEST_EQUAL(mbedtls_pk_copy_from_psa(key_id, &pk_ctx), MBEDTLS_ERR_PK_BAD_INPUT_DATA); TEST_EQUAL(mbedtls_pk_copy_public_from_psa(key_id, &pk_ctx), MBEDTLS_ERR_PK_BAD_INPUT_DATA); psa_destroy_key(key_id); #endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE */ -#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) && defined(PSA_WANT_ECC_SECP_R1_256) && \ - defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) +#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) && defined(PSA_WANT_ECC_SECP_R1_256) /* Generate an EC key which cannot be exported. */ - PSA_ASSERT(pk_psa_genkey_generic(PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1), 256, - 0, PSA_ALG_NONE, &key_id)); + PSA_ASSERT(pk_psa_setup(PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1), 256, + 0, PSA_ALG_NONE, PSA_ALG_NONE, MBEDTLS_SVC_KEY_ID_INIT, &key_id)); TEST_EQUAL(mbedtls_pk_copy_from_psa(key_id, &pk_ctx), MBEDTLS_ERR_PK_TYPE_MISMATCH); psa_destroy_key(key_id); -#endif /* MBEDTLS_PK_HAVE_ECC_KEYS && PSA_WANT_ECC_SECP_R1_256 && - PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE */ +#endif /* MBEDTLS_PK_HAVE_ECC_KEYS && PSA_WANT_ECC_SECP_R1_256 */ exit: mbedtls_pk_free(&pk_ctx); @@ -2569,11 +2544,12 @@ void pk_copy_from_psa_builtin_fail() mbedtls_pk_init(&pk_ctx); PSA_INIT(); - PSA_ASSERT(pk_psa_genkey_generic(PSA_KEY_TYPE_RSA_KEY_PAIR, - PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS, - PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_EXPORT, - PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256), - &key_id)); + PSA_ASSERT(pk_psa_setup(PSA_KEY_TYPE_RSA_KEY_PAIR, + PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS, + PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_EXPORT, + PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256), + PSA_ALG_NONE, + MBEDTLS_SVC_KEY_ID_INIT, &key_id)); TEST_EQUAL(mbedtls_pk_copy_from_psa(key_id, &pk_ctx), MBEDTLS_ERR_PK_BAD_INPUT_DATA); exit: mbedtls_pk_free(&pk_ctx); @@ -2593,11 +2569,6 @@ void pk_copy_from_psa_success(data_t *priv_key_data, int key_type_arg, mbedtls_pk_context pk_priv, pk_priv_copy_public, pk_pub, pk_pub_copy_public; mbedtls_svc_key_id_t priv_key_id = MBEDTLS_SVC_KEY_ID_INIT; mbedtls_svc_key_id_t pub_key_id = MBEDTLS_SVC_KEY_ID_INIT; - unsigned char *in_buf = NULL; - size_t in_buf_len = MBEDTLS_MD_MAX_SIZE; - unsigned char out_buf[MBEDTLS_PK_SIGNATURE_MAX_SIZE]; - unsigned char out_buf2[MBEDTLS_PK_SIGNATURE_MAX_SIZE]; - size_t out_buf_len, out_buf2_len; mbedtls_pk_init(&pk_priv); mbedtls_pk_init(&pk_priv_copy_public); @@ -2620,14 +2591,13 @@ void pk_copy_from_psa_success(data_t *priv_key_data, int key_type_arg, TEST_EQUAL(mbedtls_pk_copy_from_psa(pub_key_id, &pk_pub), 0); TEST_EQUAL(mbedtls_pk_copy_public_from_psa(pub_key_id, &pk_pub_copy_public), 0); - /* Destoy both PSA keys to prove that generated PK contexts are independent + /* Destroy both PSA keys to prove that generated PK contexts are independent * from them. */ priv_key_id = psa_copy_and_destroy(priv_key_id); pub_key_id = psa_copy_and_destroy(pub_key_id); - /* Test #1: - * - check that the generated PK contexts are of the correct type. - * - [only for RSA] check that the padding mode is correct. + /* - Check that the generated PK contexts are of the correct type. + * - [Only for RSA] check that the padding mode is correct. */ if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type)) { TEST_EQUAL(mbedtls_pk_get_type(&pk_priv), MBEDTLS_PK_ECKEY); @@ -2648,135 +2618,23 @@ void pk_copy_from_psa_success(data_t *priv_key_data, int key_type_arg, #endif /* MBEDTLS_RSA_C */ } - /* Test #2: check that the 2 generated PK contexts form a valid private/public key pair. */ + /* Check that generated private/public PK contexts form a valid private/public key pair. */ TEST_EQUAL(mbedtls_pk_check_pair(&pk_pub, &pk_priv, mbedtls_test_rnd_std_rand, NULL), 0); - /* Get the MD alg to be used for the tests below from the provided key policy. */ - mbedtls_md_type_t md_for_test = MBEDTLS_MD_ALG_FOR_TEST; /* Default */ - if ((PSA_ALG_GET_HASH(key_alg) != PSA_ALG_NONE) && - (PSA_ALG_GET_HASH(key_alg) != PSA_ALG_ANY_HASH)) { - md_for_test = mbedtls_md_type_from_psa_alg(key_alg); - } - /* Use also the same MD algorithm for PSA sign/verify checks. This is helpful - * for the cases in which the key policy algorithm is ANY_HASH type. */ - psa_algorithm_t psa_alg_for_test = - (key_alg & ~PSA_ALG_HASH_MASK) | - (mbedtls_md_psa_alg_from_type(md_for_test) & PSA_ALG_HASH_MASK); - - in_buf_len = mbedtls_md_get_size_from_type(md_for_test); - TEST_CALLOC(in_buf, in_buf_len); - memset(in_buf, 0x1, in_buf_len); - - /* Test #3: sign/verify with the following pattern: - * - Sign using the PK context generated from the private key. - * - Verify from the same PK context used for signature. - * - Verify with the PK context generated using public key. - * - Verify using the public PSA key directly. - */ - - /* Edge cases: in a build with RSA key support but not RSA padding modes, - * or with ECDSA verify support but not signature, the signature might be - * impossible. */ - int pk_can_sign = 0; -#if defined(MBEDTLS_PKCS1_V15) - if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(key_alg) || key_alg == PSA_ALG_RSA_PKCS1V15_CRYPT) { - pk_can_sign = 1; - } -#endif -#if defined(MBEDTLS_PKCS1_V21) - if (PSA_ALG_IS_RSA_PSS(key_alg) || PSA_ALG_IS_RSA_OAEP(key_alg)) { - pk_can_sign = 1; - } -#endif -#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) - if (PSA_ALG_IS_ECDSA(key_alg) || PSA_ALG_IS_DETERMINISTIC_ECDSA(key_alg)) { - pk_can_sign = 1; - } -#endif - if (pk_can_sign) { - TEST_EQUAL(mbedtls_pk_sign(&pk_priv, md_for_test, in_buf, in_buf_len, - out_buf, sizeof(out_buf), &out_buf_len, - mbedtls_test_rnd_std_rand, NULL), 0); - - TEST_EQUAL(mbedtls_pk_verify(&pk_priv, md_for_test, in_buf, in_buf_len, - out_buf, out_buf_len), 0); - TEST_EQUAL(mbedtls_pk_verify(&pk_pub, md_for_test, in_buf, in_buf_len, - out_buf, out_buf_len), 0); - } - - if (PSA_ALG_IS_HASH_AND_SIGN(key_alg)) { -#if defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) - /* ECDSA signature requires PK->PSA format conversion. */ - if (PSA_ALG_IS_ECDSA(key_alg)) { - TEST_EQUAL(mbedtls_ecdsa_der_to_raw(mbedtls_pk_get_bitlen(&pk_pub), - out_buf, out_buf_len, out_buf, - sizeof(out_buf), &out_buf_len), 0); - } -#endif /* MBEDTLS_PSA_UTIL_HAVE_ECDSA */ - PSA_ASSERT(psa_verify_hash(pub_key_id, psa_alg_for_test, in_buf, in_buf_len, - out_buf, out_buf_len)); - } - - /* Test #4: check sign/verify interoperability also in the opposite direction: - * sign with PSA and verify with PK. Key's policy must include a valid hash - * algorithm (not any). - */ - if (PSA_ALG_IS_HASH_AND_SIGN(key_alg)) { - PSA_ASSERT(psa_sign_hash(priv_key_id, psa_alg_for_test, in_buf, in_buf_len, - out_buf, sizeof(out_buf), &out_buf_len)); -#if defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) - /* ECDSA signature requires PSA->PK format conversion */ - if (PSA_ALG_IS_ECDSA(key_alg)) { - TEST_EQUAL(mbedtls_ecdsa_raw_to_der(mbedtls_pk_get_bitlen(&pk_pub), - out_buf, out_buf_len, out_buf, - sizeof(out_buf), &out_buf_len), 0); - } -#endif /* MBEDTLS_PSA_UTIL_HAVE_ECDSA */ - TEST_EQUAL(mbedtls_pk_verify(&pk_pub, md_for_test, in_buf, in_buf_len, - out_buf, out_buf_len), 0); - } - - /* Test #5: in case of RSA key pair try also encryption/decryption. */ - if (PSA_ALG_IS_ASYMMETRIC_ENCRYPTION(key_alg)) { - /* Encrypt with the public key only PK context. */ - TEST_EQUAL(mbedtls_pk_encrypt(&pk_pub, in_buf, in_buf_len, - out_buf, &out_buf_len, sizeof(out_buf), - mbedtls_test_rnd_std_rand, NULL), 0); - - /* Decrypt with key pair PK context and compare with original data. */ - TEST_EQUAL(mbedtls_pk_decrypt(&pk_priv, out_buf, out_buf_len, - out_buf2, &out_buf2_len, sizeof(out_buf2), - mbedtls_test_rnd_std_rand, NULL), 0); - TEST_MEMORY_COMPARE(in_buf, in_buf_len, out_buf2, out_buf2_len); - - if (PSA_ALG_IS_ASYMMETRIC_ENCRYPTION(key_alg)) { - /* Decrypt with PSA private key directly and compare with original data. */ - PSA_ASSERT(psa_asymmetric_decrypt(priv_key_id, key_alg, out_buf, out_buf_len, - NULL, 0, - out_buf2, sizeof(out_buf2), &out_buf2_len)); - TEST_MEMORY_COMPARE(in_buf, in_buf_len, out_buf2, out_buf2_len); - - /* Encrypt with PSA public key directly, decrypt with public key PK context - * and compare with original data. */ - PSA_ASSERT(psa_asymmetric_encrypt(pub_key_id, key_alg, in_buf, in_buf_len, - NULL, 0, - out_buf, sizeof(out_buf), &out_buf_len)); - TEST_EQUAL(mbedtls_pk_decrypt(&pk_priv, out_buf, out_buf_len, - out_buf2, &out_buf2_len, sizeof(out_buf2), - mbedtls_test_rnd_std_rand, NULL), 0); - TEST_MEMORY_COMPARE(in_buf, in_buf_len, out_buf2, out_buf2_len); - } - } + /* Check consistency between copied PSA keys and generated PK contexts. */ + TEST_EQUAL(mbedtls_test_key_consistency_psa_pk(priv_key_id, &pk_priv), 1); + TEST_EQUAL(mbedtls_test_key_consistency_psa_pk(priv_key_id, &pk_pub), 1); + TEST_EQUAL(mbedtls_test_key_consistency_psa_pk(pub_key_id, &pk_priv), 1); + TEST_EQUAL(mbedtls_test_key_consistency_psa_pk(pub_key_id, &pk_pub), 1); /* Test that the keys from mbedtls_pk_copy_public_from_psa() are identical - * to the public key from mbedtls_pk_copy_from_psa(). */ + * to the public keys from mbedtls_pk_copy_from_psa(). */ mbedtls_test_set_step(1); TEST_ASSERT(pk_public_same(&pk_pub, &pk_priv_copy_public)); mbedtls_test_set_step(2); TEST_ASSERT(pk_public_same(&pk_pub, &pk_pub_copy_public)); exit: - mbedtls_free(in_buf); mbedtls_pk_free(&pk_priv); mbedtls_pk_free(&pk_priv_copy_public); mbedtls_pk_free(&pk_pub); diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_pkcs7.data b/yass/third_party/mbedtls/tests/suites/test_suite_pkcs7.data index d3b83cdf0a..7c0b2cefbc 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_pkcs7.data +++ b/yass/third_party/mbedtls/tests/suites/test_suite_pkcs7.data @@ -1,158 +1,158 @@ PKCS7 Signed Data Parse Pass SHA256 #1 depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha256.der":MBEDTLS_PKCS7_SIGNED_DATA +pkcs7_parse:"../framework/data_files/pkcs7_data_cert_signed_sha256.der":MBEDTLS_PKCS7_SIGNED_DATA PKCS7 Signed Data Parse Pass SHA1 #2 depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha1.der":MBEDTLS_PKCS7_SIGNED_DATA +pkcs7_parse:"../framework/data_files/pkcs7_data_cert_signed_sha1.der":MBEDTLS_PKCS7_SIGNED_DATA PKCS7 Signed Data Parse Pass Without CERT #3 depends_on:MBEDTLS_MD_CAN_SHA256 -pkcs7_parse:"data_files/pkcs7_data_without_cert_signed.der":MBEDTLS_PKCS7_SIGNED_DATA +pkcs7_parse:"../framework/data_files/pkcs7_data_without_cert_signed.der":MBEDTLS_PKCS7_SIGNED_DATA PKCS7 Signed Data Parse with zero signers depends_on:MBEDTLS_MD_CAN_SHA256 -pkcs7_parse:"data_files/pkcs7_data_no_signers.der":MBEDTLS_PKCS7_SIGNED_DATA +pkcs7_parse:"../framework/data_files/pkcs7_data_no_signers.der":MBEDTLS_PKCS7_SIGNED_DATA PKCS7 Signed Data Parse Fail with multiple certs #4 depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -pkcs7_parse:"data_files/pkcs7_data_multiple_certs_signed.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE +pkcs7_parse:"../framework/data_files/pkcs7_data_multiple_certs_signed.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE PKCS7 Signed Data Parse Fail with corrupted cert #5.0 depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -pkcs7_parse:"data_files/pkcs7_data_signed_badcert.der":MBEDTLS_ERR_PKCS7_INVALID_CERT +pkcs7_parse:"../framework/data_files/pkcs7_data_signed_badcert.der":MBEDTLS_ERR_PKCS7_INVALID_CERT PKCS7 Signed Data Parse Fail with disabled alg #5.1 depends_on:MBEDTLS_RSA_C:!MBEDTLS_MD_CAN_SHA512 -pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha512.der":MBEDTLS_ERR_PKCS7_INVALID_ALG +pkcs7_parse:"../framework/data_files/pkcs7_data_cert_signed_sha512.der":MBEDTLS_ERR_PKCS7_INVALID_ALG PKCS7 Parse Fail with Inlined Content Info #5.2 depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -pkcs7_parse:"data_files/pkcs7_data_with_signature.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE +pkcs7_parse:"../framework/data_files/pkcs7_data_with_signature.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE PKCS7 Signed Data Parse Fail with no RSA #5.3 depends_on:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_RSA_C -pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha256.der":MBEDTLS_ERR_PKCS7_INVALID_CERT +pkcs7_parse:"../framework/data_files/pkcs7_data_cert_signed_sha256.der":MBEDTLS_ERR_PKCS7_INVALID_CERT PKCS7 Signed Data Parse Fail with corrupted signer info #6 depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -pkcs7_parse:"data_files/pkcs7_data_signed_badsigner.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO,MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) +pkcs7_parse:"../framework/data_files/pkcs7_data_signed_badsigner.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO,MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) PKCS7 Signed Data Parse Fail with corrupted signer info[1] invalid size #6.1 depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -pkcs7_parse:"data_files/pkcs7_data_signed_badsigner1_badsize.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO +pkcs7_parse:"../framework/data_files/pkcs7_data_signed_badsigner1_badsize.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO PKCS7 Signed Data Parse Fail with corrupted signer info[2] invalid size #6.2 depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -pkcs7_parse:"data_files/pkcs7_data_signed_badsigner2_badsize.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO +pkcs7_parse:"../framework/data_files/pkcs7_data_signed_badsigner2_badsize.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO PKCS7 Signed Data Parse Fail with corrupted signer info[1] unexpected tag #6.3 depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -pkcs7_parse:"data_files/pkcs7_data_signed_badsigner1_badtag.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO,MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) +pkcs7_parse:"../framework/data_files/pkcs7_data_signed_badsigner1_badtag.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO,MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) PKCS7 Signed Data Parse Fail with corrupted signer info[2] unexpected tag #6.4 depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -pkcs7_parse:"data_files/pkcs7_data_signed_badsigner2_badtag.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO,MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) +pkcs7_parse:"../framework/data_files/pkcs7_data_signed_badsigner2_badtag.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO,MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) PKCS7 Signed Data Parse Fail with corrupted signer info[1] fuzz bad #6.5 depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -pkcs7_parse:"data_files/pkcs7_data_signed_badsigner1_fuzzbad.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO +pkcs7_parse:"../framework/data_files/pkcs7_data_signed_badsigner1_fuzzbad.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO PKCS7 Signed Data Parse Fail with corrupted signer info[2] fuzz bad #6.6 depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -pkcs7_parse:"data_files/pkcs7_data_signed_badsigner2_fuzzbad.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO +pkcs7_parse:"../framework/data_files/pkcs7_data_signed_badsigner2_fuzzbad.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO PKCS7 Signed Data Parse Fail Version other than 1 #7 depends_on:MBEDTLS_MD_CAN_SHA256 -pkcs7_parse:"data_files/pkcs7_data_cert_signed_v2.der":MBEDTLS_ERR_PKCS7_INVALID_VERSION +pkcs7_parse:"../framework/data_files/pkcs7_data_cert_signed_v2.der":MBEDTLS_ERR_PKCS7_INVALID_VERSION PKCS7 Signed Data Parse Fail Encrypted Content #8 depends_on:MBEDTLS_MD_CAN_SHA256 -pkcs7_parse:"data_files/pkcs7_data_cert_encrypted.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE +pkcs7_parse:"../framework/data_files/pkcs7_data_cert_encrypted.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE PKCS7 Signed Data Verification Pass zero-len data depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256 -pkcs7_verify:"data_files/pkcs7_zerolendata_detached.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_zerolendata.bin":0:0 +pkcs7_verify:"../framework/data_files/pkcs7_zerolendata_detached.der":"../framework/data_files/pkcs7-rsa-sha256-1.der":"../framework/data_files/pkcs7_zerolendata.bin":0:0 PKCS7 Signed Data Verification Fail zero-len data depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -pkcs7_verify:"data_files/pkcs7_zerolendata_detached.der":"data_files/pkcs7-rsa-sha256-2.der":"data_files/pkcs7_zerolendata.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED +pkcs7_verify:"../framework/data_files/pkcs7_zerolendata_detached.der":"../framework/data_files/pkcs7-rsa-sha256-2.der":"../framework/data_files/pkcs7_zerolendata.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED PKCS7 Signed Data Verification Pass SHA256 #9 depends_on:MBEDTLS_MD_CAN_SHA256 -pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin":0:0 +pkcs7_verify:"../framework/data_files/pkcs7_data_cert_signed_sha256.der":"../framework/data_files/pkcs7-rsa-sha256-1.der":"../framework/data_files/pkcs7_data.bin":0:0 PKCS7 Signed Data Verification Pass SHA256 #9.1 depends_on:MBEDTLS_MD_CAN_SHA256 -pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin":MBEDTLS_MD_SHA256:0 +pkcs7_verify:"../framework/data_files/pkcs7_data_cert_signed_sha256.der":"../framework/data_files/pkcs7-rsa-sha256-1.der":"../framework/data_files/pkcs7_data.bin":MBEDTLS_MD_SHA256:0 PKCS7 Signed Data Verification Pass SHA1 #10 depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256 -pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha1.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin":0:0 +pkcs7_verify:"../framework/data_files/pkcs7_data_cert_signed_sha1.der":"../framework/data_files/pkcs7-rsa-sha256-1.der":"../framework/data_files/pkcs7_data.bin":0:0 PKCS7 Signed Data Verification Pass SHA512 #11 depends_on:MBEDTLS_MD_CAN_SHA512:MBEDTLS_MD_CAN_SHA256 -pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha512.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin":0:0 +pkcs7_verify:"../framework/data_files/pkcs7_data_cert_signed_sha512.der":"../framework/data_files/pkcs7-rsa-sha256-1.der":"../framework/data_files/pkcs7_data.bin":0:0 PKCS7 Signed Data Verification Fail because of different certificate #12 depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-2.der":"data_files/pkcs7_data.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED +pkcs7_verify:"../framework/data_files/pkcs7_data_cert_signed_sha256.der":"../framework/data_files/pkcs7-rsa-sha256-2.der":"../framework/data_files/pkcs7_data.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED PKCS7 Signed Data Verification Fail because of different data hash #13 depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data_1.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED +pkcs7_verify:"../framework/data_files/pkcs7_data_cert_signed_sha256.der":"../framework/data_files/pkcs7-rsa-sha256-1.der":"../framework/data_files/pkcs7_data_1.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED PKCS7 Signed Data Parse Failure Corrupt signerInfo.issuer #15.1 depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -pkcs7_parse:"data_files/pkcs7_signerInfo_issuer_invalid_size.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO +pkcs7_parse:"../framework/data_files/pkcs7_signerInfo_issuer_invalid_size.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO PKCS7 Signed Data Parse Failure Corrupt signerInfo.serial #15.2 depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -pkcs7_parse:"data_files/pkcs7_signerInfo_serial_invalid_size.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO +pkcs7_parse:"../framework/data_files/pkcs7_signerInfo_serial_invalid_size.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO PKCS7 Signed Data Parse Fail Corrupt signerInfos[2] (6213931373035520) depends_on:MBEDTLS_MD_CAN_SHA256 -pkcs7_parse:"data_files/pkcs7_signerInfo_2_invalid_tag.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO, MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) +pkcs7_parse:"../framework/data_files/pkcs7_signerInfo_2_invalid_tag.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO, MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) PKCS7 Signed Data Parse Fail Corrupt signerInfos[1].issuerAndSerialNumber.serialNumber, after multi-element .name (4541044530479104) depends_on:MBEDTLS_MD_CAN_SHA256 -pkcs7_parse:"data_files/pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO +pkcs7_parse:"../framework/data_files/pkcs7_signerInfo_1_serial_invalid_tag_after_long_name.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO PKCS7 Only Signed Data Parse Pass #15 depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -pkcs7_parse:"data_files/pkcs7_data_cert_signeddata_sha256.der":MBEDTLS_PKCS7_SIGNED_DATA +pkcs7_parse:"../framework/data_files/pkcs7_data_cert_signeddata_sha256.der":MBEDTLS_PKCS7_SIGNED_DATA PKCS7 Signed Data Verify with multiple(2) signers #16.0 depends_on:MBEDTLS_MD_CAN_SHA256 -pkcs7_verify:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin":0:0 +pkcs7_verify:"../framework/data_files/pkcs7_data_multiple_signed.der":"../framework/data_files/pkcs7-rsa-sha256-1.crt ../framework/data_files/pkcs7-rsa-sha256-2.crt":"../framework/data_files/pkcs7_data.bin":0:0 PKCS7 Signed Data Verify with multiple(3) signers #16.1 depends_on:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_MEMORY_BUFFER_ALLOC_C -pkcs7_verify:"data_files/pkcs7_data_3_signed.der":"data_files/pkcs7-rsa-sha256-1.crt data_files/pkcs7-rsa-sha256-2.crt data_files/pkcs7-rsa-sha256-3.crt":"data_files/pkcs7_data.bin":0:0 +pkcs7_verify:"../framework/data_files/pkcs7_data_3_signed.der":"../framework/data_files/pkcs7-rsa-sha256-1.crt ../framework/data_files/pkcs7-rsa-sha256-2.crt ../framework/data_files/pkcs7-rsa-sha256-3.crt":"../framework/data_files/pkcs7_data.bin":0:0 PKCS7 Signed Data Hash Verify with multiple signers #17 depends_on:MBEDTLS_MD_CAN_SHA256 -pkcs7_verify:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin":MBEDTLS_MD_SHA256:0 +pkcs7_verify:"../framework/data_files/pkcs7_data_multiple_signed.der":"../framework/data_files/pkcs7-rsa-sha256-1.crt ../framework/data_files/pkcs7-rsa-sha256-2.crt":"../framework/data_files/pkcs7_data.bin":MBEDTLS_MD_SHA256:0 PKCS7 Signed Data Hash Verify Fail with multiple signers #18 depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA512 -pkcs7_verify:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin":MBEDTLS_MD_SHA512:MBEDTLS_ERR_PKCS7_VERIFY_FAIL +pkcs7_verify:"../framework/data_files/pkcs7_data_multiple_signed.der":"../framework/data_files/pkcs7-rsa-sha256-1.crt ../framework/data_files/pkcs7-rsa-sha256-2.crt":"../framework/data_files/pkcs7_data.bin":MBEDTLS_MD_SHA512:MBEDTLS_ERR_PKCS7_VERIFY_FAIL PKCS7 Signed Data Verify Pass Expired Cert #19 no TIME_DATE depends_on:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_HAVE_TIME_DATE -pkcs7_verify:"data_files/pkcs7_data_rsa_expired.der":"data_files/pkcs7-rsa-expired.crt":"data_files/pkcs7_data.bin":0:0 +pkcs7_verify:"../framework/data_files/pkcs7_data_rsa_expired.der":"../framework/data_files/pkcs7-rsa-expired.crt":"../framework/data_files/pkcs7_data.bin":0:0 PKCS7 Signed Data Verify Fail Expired Cert #19 have DATE_TIME depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_HAVE_TIME_DATE -pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-expired.crt":"data_files/pkcs7_data.bin":0:MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID +pkcs7_verify:"../framework/data_files/pkcs7_data_cert_signed_sha256.der":"../framework/data_files/pkcs7-rsa-expired.crt":"../framework/data_files/pkcs7_data.bin":0:MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID PKCS7 Signed Data Verify Fail Expired Cert #19 no DATE_TIME 1 depends_on:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_HAVE_TIME_DATE:MBEDTLS_RSA_C -pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-expired.crt":"data_files/pkcs7_data.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED +pkcs7_verify:"../framework/data_files/pkcs7_data_cert_signed_sha256.der":"../framework/data_files/pkcs7-rsa-expired.crt":"../framework/data_files/pkcs7_data.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED PKCS7 Signed Data Verify Fail Expired Cert #19 no TIME_DATE 2 depends_on:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_HAVE_TIME_DATE:MBEDTLS_RSA_C -pkcs7_verify:"data_files/pkcs7_data_rsa_expired.der":"data_files/pkcs7-rsa-expired.crt":"data_files/pkcs7_data_1.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED +pkcs7_verify:"../framework/data_files/pkcs7_data_rsa_expired.der":"../framework/data_files/pkcs7-rsa-expired.crt":"../framework/data_files/pkcs7_data_1.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED PKCS7 Parse Failure Invalid ASN1: Add null byte to start #20.0 depends_on:MBEDTLS_MD_CAN_SHA256 diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_pkcs7.function b/yass/third_party/mbedtls/tests/suites/test_suite_pkcs7.function index 4c8bf233ef..e5dc4bd192 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_pkcs7.function +++ b/yass/third_party/mbedtls/tests/suites/test_suite_pkcs7.function @@ -17,7 +17,7 @@ * END_DEPENDENCIES */ /* BEGIN_SUITE_HELPERS */ -int pkcs7_parse_buffer(unsigned char *pkcs7_buf, int buflen) +static int pkcs7_parse_buffer(unsigned char *pkcs7_buf, int buflen) { int res; mbedtls_pkcs7 pkcs7; diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_pkparse.data b/yass/third_party/mbedtls/tests/suites/test_suite_pkparse.data index 1650f51b3a..144274966b 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_pkparse.data +++ b/yass/third_party/mbedtls/tests/suites/test_suite_pkparse.data @@ -1,1158 +1,1160 @@ Parse RSA Key #1 (No password when required) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C -pk_parse_keyfile_rsa:"data_files/test-ca.key":"NULL":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/test-ca.key":"NULL":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #2 (Correct password) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C -pk_parse_keyfile_rsa:"data_files/test-ca.key":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/test-ca.key":"PolarSSLTest":0 Parse RSA Key #3 (Wrong password) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C -pk_parse_keyfile_rsa:"data_files/test-ca.key":"PolarSSLWRONG":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/test-ca.key":"PolarSSLWRONG":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #4 (DES Encrypted) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_1024_des.pem":"testkey":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_1024_des.pem":"testkey":0 Parse RSA Key #5 (3DES Encrypted) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_1024_3des.pem":"testkey":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_1024_3des.pem":"testkey":0 Parse RSA Key #6 (AES-128 Encrypted) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_1024_aes128.pem":"testkey":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_1024_aes128.pem":"testkey":0 Parse RSA Key #7 (AES-192 Encrypted) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH -pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_1024_aes192.pem":"testkey":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_1024_aes192.pem":"testkey":0 Parse RSA Key #8 (AES-256 Encrypted) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH -pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_1024_aes256.pem":"testkey":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_1024_aes256.pem":"testkey":0 Parse RSA Key #9 (2048-bit, DES Encrypted) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_2048_des.pem":"testkey":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_2048_des.pem":"testkey":0 Parse RSA Key #10 (2048-bit, 3DES Encrypted) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_2048_3des.pem":"testkey":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_2048_3des.pem":"testkey":0 Parse RSA Key #11 (2048-bit, AES-128 Encrypted) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_2048_aes128.pem":"testkey":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_2048_aes128.pem":"testkey":0 Parse RSA Key #12 (2048-bit, AES-192 Encrypted) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH -pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_2048_aes192.pem":"testkey":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_2048_aes192.pem":"testkey":0 Parse RSA Key #13 (2048-bit, AES-256 Encrypted) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH -pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_2048_aes256.pem":"testkey":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_2048_aes256.pem":"testkey":0 Parse RSA Key #14 (4096-bit, DES Encrypted) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_4096_des.pem":"testkey":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_4096_des.pem":"testkey":0 Parse RSA Key #15 (4096-bit, 3DES Encrypted) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_4096_3des.pem":"testkey":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_4096_3des.pem":"testkey":0 Parse RSA Key #16 (4096-bit, AES-128 Encrypted) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_4096_aes128.pem":"testkey":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_4096_aes128.pem":"testkey":0 Parse RSA Key #17 (4096-bit, AES-192 Encrypted) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH -pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_4096_aes192.pem":"testkey":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_4096_aes192.pem":"testkey":0 Parse RSA Key #18 (4096-bit, AES-256 Encrypted) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH -pk_parse_keyfile_rsa:"data_files/rsa_pkcs1_4096_aes256.pem":"testkey":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_4096_aes256.pem":"testkey":0 Parse RSA Key #19 (PKCS#8 wrapped) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_PEM_PARSE_C -pk_parse_keyfile_rsa:"data_files/format_gen.key":"":0 +pk_parse_keyfile_rsa:"../framework/data_files/format_gen.key":"":0 Parse RSA Key #20 (PKCS#8 encrypted SHA1-3DES) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_3des.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_1024_3des.pem":"PolarSSLTest":0 Parse RSA Key #20.1 (PKCS#8 encrypted SHA1-3DES, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_1024_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #20.2 (PKCS#8 encrypted SHA1-3DES, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_1024_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #21 (PKCS#8 encrypted SHA1-3DES, 2048-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_3des.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_2048_3des.pem":"PolarSSLTest":0 Parse RSA Key #21.1 (PKCS#8 encrypted SHA1-3DES, 2048-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_2048_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #21.2 (PKCS#8 encrypted SHA1-3DES, 2048-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_2048_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #22 (PKCS#8 encrypted SHA1-3DES, 4096-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem":"PolarSSLTest":0 Parse RSA Key #22.1 (PKCS#8 encrypted SHA1-3DES, 4096-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #22.2 (PKCS#8 encrypted SHA1-3DES, 4096-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_4096_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #23 (PKCS#8 encrypted SHA1-3DES DER) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_3des.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_1024_3des.der":"PolarSSLTest":0 Parse RSA Key #24 (PKCS#8 encrypted SHA1-3DES DER, 2048-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_3des.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_2048_3des.der":"PolarSSLTest":0 Parse RSA Key #25 (PKCS#8 encrypted SHA1-3DES DER, 4096-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_3des.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_4096_3des.der":"PolarSSLTest":0 Parse RSA Key #26 (PKCS#8 encrypted SHA1-2DES) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_2des.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_1024_2des.pem":"PolarSSLTest":0 Parse RSA Key #26.1 (PKCS#8 encrypted SHA1-2DES, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_2des.pem":"PolarSLTest":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_1024_2des.pem":"PolarSLTest":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #26.2 (PKCS#8 encrypted SHA1-2DES, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_2des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_1024_2des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #27 (PKCS#8 encrypted SHA1-2DES, 2048-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_2des.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_2048_2des.pem":"PolarSSLTest":0 Parse RSA Key #27.1 (PKCS#8 encrypted SHA1-2DES, 2048-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_2des.pem":"PolarSLTest":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_2048_2des.pem":"PolarSLTest":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #27.2 (PKCS#8 encrypted SHA1-2DES, 2048-bit no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_2des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_2048_2des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #28 (PKCS#8 encrypted SHA1-2DES, 4096-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem":"PolarSSLTest":0 Parse RSA Key #28.1 (PKCS#8 encrypted SHA1-2DES, 4096-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem":"PolarSLTest":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem":"PolarSLTest":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #28.2 (PKCS#8 encrypted SHA1-2DES, 4096-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_4096_2des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #29 (PKCS#8 encrypted SHA1-2DES DER) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_1024_2des.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_1024_2des.der":"PolarSSLTest":0 Parse RSA Key #30 (PKCS#8 encrypted SHA1-2DES DER, 2048-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_2048_2des.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_2048_2des.der":"PolarSSLTest":0 Parse RSA Key #31 (PKCS#8 encrypted SHA1-2DES DER, 4096-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS12_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbe_sha1_4096_2des.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbe_sha1_4096_2des.der":"PolarSSLTest":0 Parse RSA Key #38 (PKCS#8 encrypted v2 PBKDF2 3DES) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem":"PolarSSLTest":0 Parse RSA Key #38.1 (PKCS#8 encrypted v2 PBKDF2 3DES, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #38.2 (PKCS#8 encrypted v2 PBKDF2 3DES, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #39 (PKCS#8 encrypted v2 PBKDF2 3DES, 2048-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem":"PolarSSLTest":0 Parse RSA Key #39.1 (PKCS#8 encrypted v2 PBKDF2 3DES, 2048-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #39.2 (PKCS#8 encrypted v2 PBKDF2 3DES, 2048-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #40 (PKCS#8 encrypted v2 PBKDF2 3DES, 4096-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem":"PolarSSLTest":0 Parse RSA Key #40.1 (PKCS#8 encrypted v2 PBKDF2 3DES, 4096-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #40.2 (PKCS#8 encrypted v2 PBKDF2 3DES, 4096-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #41 (PKCS#8 encrypted v2 PBKDF2 3DES DER) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.der":"PolarSSLTest":0 Parse RSA Key #41.1 (PKCS#8 encrypted v2 PBKDF2 3DES DER, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #41.2 (PKCS#8 encrypted v2 PBKDF2 3DES DER, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #42 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 2048-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.der":"PolarSSLTest":0 Parse RSA Key #42.1 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 2048-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #42.2 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 2048-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #43 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 4096-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der":"PolarSSLTest":0 Parse RSA Key #43.1 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 4096-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #43.2 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 4096-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #44 (PKCS#8 encrypted v2 PBKDF2 DES) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.pem":"PolarSSLTest":0 Parse RSA Key #44.1 (PKCS#8 encrypted v2 PBKDF2 DES, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #44.2 (PKCS#8 encrypted v2 PBKDF2 DES, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #45 (PKCS#8 encrypted v2 PBKDF2 DES, 2048-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.pem":"PolarSSLTest":0 Parse RSA Key #45.1 (PKCS#8 encrypted v2 PBKDF2 DES, 2048-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #45.2 (PKCS#8 encrypted v2 PBKDF2 DES, 2048-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #46 (PKCS#8 encrypted v2 PBKDF2 DES, 4096-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem":"PolarSSLTest":0 Parse RSA Key #46.1 (PKCS#8 encrypted v2 PBKDF2 DES, 4096-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #46.2 (PKCS#8 encrypted v2 PBKDF2 DES, 4096-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #47 (PKCS#8 encrypted v2 PBKDF2 DES DER) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.der":"PolarSSLTest":0 Parse RSA Key #47.1 (PKCS#8 encrypted v2 PBKDF2 DES DER, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #47.2 (PKCS#8 encrypted v2 PBKDF2 DES DER, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #48 (PKCS#8 encrypted v2 PBKDF2 DES DER, 2048-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.der":"PolarSSLTest":0 Parse RSA Key #48.1 (PKCS#8 encrypted v2 PBKDF2 DES DER, 2048-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #48.2 (PKCS#8 encrypted v2 PBKDF2 DES DER, 2048-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #49 (PKCS#8 encrypted v2 PBKDF2 DES DER, 4096-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der":"PolarSSLTest":0 Parse RSA Key #49.1 (PKCS#8 encrypted v2 PBKDF2 DES DER, 4096-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #49.2 (PKCS#8 encrypted v2 PBKDF2 DES DER, 4096-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #50 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.pem":"PolarSSLTest":0 Parse RSA Key #50.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #50.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #51 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, 2048-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.pem":"PolarSSLTest":0 Parse RSA Key #51.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, 2048-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #51.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, 2048-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #52 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, 4096-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.pem":"PolarSSLTest":0 Parse RSA Key #52.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, 4096-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #52.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, 4096-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #53 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.der":"PolarSSLTest":0 Parse RSA Key #53.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #53.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #54 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, 2048-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.der":"PolarSSLTest":0 Parse RSA Key #54.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, 2048-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #54.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, 2048-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #55 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, 4096-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.der":"PolarSSLTest":0 Parse RSA Key #55.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, 4096-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #55.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, 4096-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #56 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.pem":"PolarSSLTest":0 Parse RSA Key #56.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #56.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #57 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, 2048-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.pem":"PolarSSLTest":0 Parse RSA Key #57.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, 2048-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #57.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, 2048-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #58 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, 4096-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.pem":"PolarSSLTest":0 Parse RSA Key #58.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, 4096-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #58.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, 4096-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #59 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.der":"PolarSSLTest":0 Parse RSA Key #59.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #59.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #60 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, 2048-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.der":"PolarSSLTest":0 Parse RSA Key #60.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, 2048-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #60.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, 2048-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #61 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, 4096-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.der":"PolarSSLTest":0 Parse RSA Key #61.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, 4096-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #61.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, 4096-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha224.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #62 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.pem":"PolarSSLTest":0 Parse RSA Key #62.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #62.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #63 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, 2048-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.pem":"PolarSSLTest":0 Parse RSA Key #63.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, 2048-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #63.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, 2048-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #64 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, 4096-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.pem":"PolarSSLTest":0 Parse RSA Key #64.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, 4096-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #64.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, 4096-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #65 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.der":"PolarSSLTest":0 Parse RSA Key #65.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #65.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #66 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, 2048-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.der":"PolarSSLTest":0 Parse RSA Key #66.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, 2048-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #66.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, 2048-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #67 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, 4096-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.der":"PolarSSLTest":0 Parse RSA Key #68.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, 4096-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #68.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, 4096-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #69 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.pem":"PolarSSLTest":0 Parse RSA Key #69.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #69.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #70 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, 2048-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.pem":"PolarSSLTest":0 Parse RSA Key #70.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, 2048-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #70.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, 2048-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #71 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, 4096-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.pem":"PolarSSLTest":0 Parse RSA Key #71.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, 4096-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #71.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, 4096-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #72 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.der":"PolarSSLTest":0 Parse RSA Key #72.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #72.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #73 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, 2048-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.der":"PolarSSLTest":0 Parse RSA Key #73.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, 2048-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #73.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, 2048-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #74 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, 4096-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.der":"PolarSSLTest":0 Parse RSA Key #74.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, 4096-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #74.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, 4096-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha256.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #75 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.pem":"PolarSSLTest":0 Parse RSA Key #75.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #75.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #76 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, 2048-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem":"PolarSSLTest":0 Parse RSA Key #76.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, 2048-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #76.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, 2048-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #77 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, 4096-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.pem":"PolarSSLTest":0 Parse RSA Key #77.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, 4096-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #77.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, 4096-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #78 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.der":"PolarSSLTest":0 Parse RSA Key #78.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #78.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #79 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, 2048-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.der":"PolarSSLTest":0 Parse RSA Key #79.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, 2048-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #79.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, 2048-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #80 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, 4096-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.der":"PolarSSLTest":0 Parse RSA Key #80.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, 4096-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #80.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, 4096-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #81 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.pem":"PolarSSLTest":0 Parse RSA Key #81.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #81.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #82 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, 2048-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.pem":"PolarSSLTest":0 Parse RSA Key #82.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, 2048-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #82.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, 2048-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #83 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, 4096-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.pem":"PolarSSLTest":0 Parse RSA Key #83.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, 4096-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #83.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, 4096-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #84 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.der":"PolarSSLTest":0 Parse RSA Key #84.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #85.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #86 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, 2048-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.der":"PolarSSLTest":0 Parse RSA Key #86.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, 2048-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #86.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, 2048-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #87 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, 4096-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.der":"PolarSSLTest":0 Parse RSA Key #87.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, 4096-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #87.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, 4096-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha384.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #88 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.pem":"PolarSSLTest":0 Parse RSA Key #88.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #88.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #89 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, 2048-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.pem":"PolarSSLTest":0 Parse RSA Key #89.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, 2048-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #89.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, 2048-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #90 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, 4096-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.pem":"PolarSSLTest":0 Parse RSA Key #90.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, 4096-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #90.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, 4096-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #91 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.der":"PolarSSLTest":0 Parse RSA Key #91.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #91.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_3des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #92 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, 2048-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.der":"PolarSSLTest":0 Parse RSA Key #92.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, 2048-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #92.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, 2048-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #93 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, 4096-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.der":"PolarSSLTest":0 Parse RSA Key #93.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, 4096-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #93.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, 4096-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_3des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #94 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.pem":"PolarSSLTest":0 Parse RSA Key #94.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #94.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #95 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, 2048-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.pem":"PolarSSLTest":0 Parse RSA Key #95.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, 2048-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #95.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, 2048-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #96 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, 4096-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem":"PolarSSLTest":0 Parse RSA Key #96.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, 4096-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #96.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, 4096-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.pem":"":MBEDTLS_ERR_PK_PASSWORD_REQUIRED Parse RSA Key #97 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.der":"PolarSSLTest":0 Parse RSA Key #97.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #97.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_1024_des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #98 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 2048-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.der":"PolarSSLTest":0 Parse RSA Key #98.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 2048-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #98.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 2048-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #99 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 4096-bit) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der":"PolarSSLTest":0 Parse RSA Key #99.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 4096-bit, wrong PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7 -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der":"PolarSSLTes":MBEDTLS_ERR_PK_PASSWORD_MISMATCH Parse RSA Key #99.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 4096-bit, no PW) depends_on:MBEDTLS_DES_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT Parse RSA Key #99.3 (PKCS#8 encrypted v2 PBKDF2 AES-128-CBC hmacWithSHA384, 2048-bit) depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.pem":"PolarSSLTest":0 Parse RSA Key #99.4 (PKCS#8 encrypted v2 PBKDF2 AES-192-CBC hmacWithSHA384, 2048-bit) depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.pem":"PolarSSLTest":0 Parse RSA Key #99.5 (PKCS#8 encrypted v2 PBKDF2 AES-256-CBC hmacWithSHA384, 2048-bit) depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.pem":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.pem":"PolarSSLTest":0 Parse RSA Key #99.6 (PKCS#8 encrypted v2 PBKDF2 AES-128-CBC hmacWithSHA384 DER, 2048-bit) depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes128cbc_sha384.der":"PolarSSLTest":0 Parse RSA Key #99.7 (PKCS#8 encrypted v2 PBKDF2 AES-192-CBC hmacWithSHA384 DER, 2048-bit) depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes192cbc_sha384.der":"PolarSSLTest":0 Parse RSA Key #99.8 (PKCS#8 encrypted v2 PBKDF2 AES-256-CBC hmacWithSHA384 DER, 2048-bit) depends_on:MBEDTLS_AES_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PKCS5_C:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CBC:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH -pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.der":"PolarSSLTest":0 +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs8_pbes2_pbkdf2_2048_aes256cbc_sha384.der":"PolarSSLTest":0 -Parse RSA Key #100.1 (512-bit) -depends_on:MBEDTLS_PEM_C -pk_parse_keyfile_rsa:"data_files/rsa512.key":"":0 +# Test keys with non-word-aligned sizes. +# We use sizes that are large enough to exercise PKCS#1 v1.5 signature with +# the largest supported hashes (SHA-512 and SHA3-512.) +Parse RSA Key #100 (768-bit) +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_768_clear.der":"":0 -Parse RSA Key #100.1 (521-bit) -depends_on:MBEDTLS_PEM_C -pk_parse_keyfile_rsa:"data_files/rsa521.key":"":0 +Parse RSA Key #100 (769-bit) +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_769_clear.der":"":0 -Parse RSA Key #100.1 (522-bit) -depends_on:MBEDTLS_PEM_C -pk_parse_keyfile_rsa:"data_files/rsa522.key":"":0 +Parse RSA Key #100 (770-bit) +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_770_clear.der":"":0 -Parse RSA Key #100.1 (528-bit) -depends_on:MBEDTLS_PEM_C -pk_parse_keyfile_rsa:"data_files/rsa528.key":"":0 +Parse RSA Key #100 (776-bit) +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_776_clear.der":"":0 + +Parse RSA Key #100 (784-bit) +pk_parse_keyfile_rsa:"../framework/data_files/rsa_pkcs1_784_clear.der":"":0 Parse Public RSA Key #1 (PKCS#8 wrapped) depends_on:MBEDTLS_PEM_PARSE_C -pk_parse_public_keyfile_rsa:"data_files/rsa_pkcs8_2048_public.pem":0 +pk_parse_public_keyfile_rsa:"../framework/data_files/rsa_pkcs8_2048_public.pem":0 Parse Public RSA Key #1 (PKCS#8 wrapped, DER) -pk_parse_public_keyfile_rsa:"data_files/rsa_pkcs8_2048_public.der":0 +pk_parse_public_keyfile_rsa:"../framework/data_files/rsa_pkcs8_2048_public.der":0 Parse Public RSA Key #3 (PKCS#1 wrapped) depends_on:MBEDTLS_PEM_PARSE_C -pk_parse_public_keyfile_rsa:"data_files/rsa_pkcs1_2048_public.pem":0 +pk_parse_public_keyfile_rsa:"../framework/data_files/rsa_pkcs1_2048_public.pem":0 Parse Public RSA Key #4 (PKCS#1 wrapped, DER) -pk_parse_public_keyfile_rsa:"data_files/rsa_pkcs1_2048_public.der":0 +pk_parse_public_keyfile_rsa:"../framework/data_files/rsa_pkcs1_2048_public.der":0 Parse Public EC Key #1 (RFC 5480, DER) depends_on:MBEDTLS_ECP_HAVE_SECP192R1 -pk_parse_public_keyfile_ec:"data_files/ec_pub.der":0 +pk_parse_public_keyfile_ec:"../framework/data_files/ec_pub.der":0 Parse Public EC Key #2 (RFC 5480, PEM) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP192R1 -pk_parse_public_keyfile_ec:"data_files/ec_pub.pem":0 +pk_parse_public_keyfile_ec:"../framework/data_files/ec_pub.pem":0 Parse Public EC Key #2a (RFC 5480, PEM, secp192r1, compressed) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_SECP192R1_ENABLED -pk_parse_public_keyfile_ec:"data_files/ec_pub.comp.pem":0 +pk_parse_public_keyfile_ec:"../framework/data_files/ec_pub.comp.pem":0 Parse Public EC Key #3 (RFC 5480, secp224r1) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP224R1 -pk_parse_public_keyfile_ec:"data_files/ec_224_pub.pem":0 +pk_parse_public_keyfile_ec:"../framework/data_files/ec_224_pub.pem":0 # Compressed points parsing does not support MBEDTLS_ECP_DP_SECP224R1 and # MBEDTLS_ECP_DP_SECP224K1. Therefore a failure is expected in this case Parse Public EC Key #3a (RFC 5480, secp224r1, compressed) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_SECP224R1_ENABLED -pk_parse_public_keyfile_ec:"data_files/ec_224_pub.comp.pem":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE +pk_parse_public_keyfile_ec:"../framework/data_files/ec_224_pub.comp.pem":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE Parse Public EC Key #4 (RFC 5480, secp256r1) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP256R1 -pk_parse_public_keyfile_ec:"data_files/ec_256_pub.pem":0 +pk_parse_public_keyfile_ec:"../framework/data_files/ec_256_pub.pem":0 Parse Public EC Key #4a (RFC 5480, secp256r1, compressed) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_SECP256R1_ENABLED -pk_parse_public_keyfile_ec:"data_files/ec_256_pub.comp.pem":0 +pk_parse_public_keyfile_ec:"../framework/data_files/ec_256_pub.comp.pem":0 Parse Public EC Key #5 (RFC 5480, secp384r1) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP384R1 -pk_parse_public_keyfile_ec:"data_files/ec_384_pub.pem":0 +pk_parse_public_keyfile_ec:"../framework/data_files/ec_384_pub.pem":0 Parse Public EC Key #5a (RFC 5480, secp384r1, compressed) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_SECP384R1_ENABLED -pk_parse_public_keyfile_ec:"data_files/ec_384_pub.comp.pem":0 +pk_parse_public_keyfile_ec:"../framework/data_files/ec_384_pub.comp.pem":0 Parse Public EC Key #6 (RFC 5480, secp521r1) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP521R1 -pk_parse_public_keyfile_ec:"data_files/ec_521_pub.pem":0 +pk_parse_public_keyfile_ec:"../framework/data_files/ec_521_pub.pem":0 Parse Public EC Key #6a (RFC 5480, secp521r1, compressed) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_SECP521R1_ENABLED -pk_parse_public_keyfile_ec:"data_files/ec_521_pub.comp.pem":0 +pk_parse_public_keyfile_ec:"../framework/data_files/ec_521_pub.comp.pem":0 Parse Public EC Key #7 (RFC 5480, brainpoolP256r1) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_BP256R1 -pk_parse_public_keyfile_ec:"data_files/ec_bp256_pub.pem":0 +pk_parse_public_keyfile_ec:"../framework/data_files/ec_bp256_pub.pem":0 Parse Public EC Key #7a (RFC 5480, brainpoolP256r1, compressed) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_BP256R1_ENABLED -pk_parse_public_keyfile_ec:"data_files/ec_bp256_pub.comp.pem":0 +pk_parse_public_keyfile_ec:"../framework/data_files/ec_bp256_pub.comp.pem":0 Parse Public EC Key #8 (RFC 5480, brainpoolP384r1) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_BP384R1 -pk_parse_public_keyfile_ec:"data_files/ec_bp384_pub.pem":0 +pk_parse_public_keyfile_ec:"../framework/data_files/ec_bp384_pub.pem":0 Parse Public EC Key #8a (RFC 5480, brainpoolP384r1, compressed) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_BP384R1_ENABLED -pk_parse_public_keyfile_ec:"data_files/ec_bp384_pub.comp.pem":0 +pk_parse_public_keyfile_ec:"../framework/data_files/ec_bp384_pub.comp.pem":0 Parse Public EC Key #9 (RFC 5480, brainpoolP512r1) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_BP512R1 -pk_parse_public_keyfile_ec:"data_files/ec_bp512_pub.pem":0 +pk_parse_public_keyfile_ec:"../framework/data_files/ec_bp512_pub.pem":0 Parse Public EC Key #9a (RFC 5480, brainpoolP512r1, compressed) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_BP512R1_ENABLED -pk_parse_public_keyfile_ec:"data_files/ec_bp512_pub.comp.pem":0 +pk_parse_public_keyfile_ec:"../framework/data_files/ec_bp512_pub.comp.pem":0 Parse Public EC Key #10 (RFC 8410, DER, X25519) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_CURVE25519 -pk_parse_public_keyfile_ec:"data_files/ec_x25519_pub.der":0 +pk_parse_public_keyfile_ec:"../framework/data_files/ec_x25519_pub.der":0 Parse Public EC Key #11 (RFC 8410, DER, X448) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_CURVE448 -pk_parse_public_keyfile_ec:"data_files/ec_x448_pub.der":0 +pk_parse_public_keyfile_ec:"../framework/data_files/ec_x448_pub.der":0 Parse Public EC Key #12 (RFC 8410, PEM, X25519) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_CURVE25519 -pk_parse_public_keyfile_ec:"data_files/ec_x25519_pub.pem":0 +pk_parse_public_keyfile_ec:"../framework/data_files/ec_x25519_pub.pem":0 Parse Public EC Key #13 (RFC 8410, PEM, X448) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_CURVE448 -pk_parse_public_keyfile_ec:"data_files/ec_x448_pub.pem":0 +pk_parse_public_keyfile_ec:"../framework/data_files/ec_x448_pub.pem":0 Parse EC Key #1 (SEC1 DER) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP192R1 -pk_parse_keyfile_ec:"data_files/ec_prv.sec1.der":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_prv.sec1.der":"NULL":0 Parse EC Key #2 (SEC1 PEM) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP192R1 -pk_parse_keyfile_ec:"data_files/ec_prv.sec1.pem":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_prv.sec1.pem":"NULL":0 Parse EC Key #2a (SEC1 PEM, secp192r1, compressed) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_SECP192R1_ENABLED -pk_parse_keyfile_ec:"data_files/ec_prv.sec1.comp.pem":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_prv.sec1.comp.pem":"NULL":0 Parse EC Key #3 (SEC1 PEM encrypted) depends_on:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP192R1:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD_CAN_MD5 -pk_parse_keyfile_ec:"data_files/ec_prv.sec1.pw.pem":"polar":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_prv.sec1.pw.pem":"polar":0 Parse EC Key #4 (PKCS8 DER) depends_on:MBEDTLS_ECP_HAVE_SECP192R1 -pk_parse_keyfile_ec:"data_files/ec_prv.pk8.der":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_prv.pk8.der":"NULL":0 Parse EC Key #4a (PKCS8 DER, no public key) depends_on:MBEDTLS_ECP_HAVE_SECP256R1 -pk_parse_keyfile_ec:"data_files/ec_prv.pk8nopub.der":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_prv.pk8nopub.der":"NULL":0 Parse EC Key #4b (PKCS8 DER, no public key, with parameters) depends_on:MBEDTLS_ECP_HAVE_SECP256R1 -pk_parse_keyfile_ec:"data_files/ec_prv.pk8nopubparam.der":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_prv.pk8nopubparam.der":"NULL":0 Parse EC Key #4c (PKCS8 DER, with parameters) depends_on:MBEDTLS_ECP_HAVE_SECP256R1 -pk_parse_keyfile_ec:"data_files/ec_prv.pk8param.der":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_prv.pk8param.der":"NULL":0 Parse EC Key #5 (PKCS8 PEM) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP192R1 -pk_parse_keyfile_ec:"data_files/ec_prv.pk8.pem":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_prv.pk8.pem":"NULL":0 Parse EC Key #5a (PKCS8 PEM, no public key) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP256R1 -pk_parse_keyfile_ec:"data_files/ec_prv.pk8nopub.pem":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_prv.pk8nopub.pem":"NULL":0 Parse EC Key #5b (PKCS8 PEM, no public key, with parameters) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP256R1 -pk_parse_keyfile_ec:"data_files/ec_prv.pk8nopubparam.pem":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_prv.pk8nopubparam.pem":"NULL":0 Parse EC Key #5c (PKCS8 PEM, with parameters) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP256R1 -pk_parse_keyfile_ec:"data_files/ec_prv.pk8param.pem":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_prv.pk8param.pem":"NULL":0 Parse EC Key #8 (SEC1 PEM, secp224r1) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP224R1 -pk_parse_keyfile_ec:"data_files/ec_224_prv.pem":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_224_prv.pem":"NULL":0 Parse EC Key #8a (SEC1 PEM, secp224r1, compressed) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_SECP224R1_ENABLED -pk_parse_keyfile_ec:"data_files/ec_224_prv.comp.pem":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_224_prv.comp.pem":"NULL":0 Parse EC Key #9 (SEC1 PEM, secp256r1) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP256R1 -pk_parse_keyfile_ec:"data_files/ec_256_prv.pem":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_256_prv.pem":"NULL":0 Parse EC Key #9a (SEC1 PEM, secp256r1, compressed) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_SECP256R1_ENABLED -pk_parse_keyfile_ec:"data_files/ec_256_prv.comp.pem":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_256_prv.comp.pem":"NULL":0 Parse EC Key #10 (SEC1 PEM, secp384r1) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP384R1 -pk_parse_keyfile_ec:"data_files/ec_384_prv.pem":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_384_prv.pem":"NULL":0 Parse EC Key #10a (SEC1 PEM, secp384r1, compressed) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_SECP384R1_ENABLED -pk_parse_keyfile_ec:"data_files/ec_384_prv.comp.pem":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_384_prv.comp.pem":"NULL":0 Parse EC Key #11 (SEC1 PEM, secp521r1) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP521R1 -pk_parse_keyfile_ec:"data_files/ec_521_prv.pem":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_521_prv.pem":"NULL":0 Parse EC Key #11a (SEC1 PEM, secp521r1, compressed) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_SECP521R1_ENABLED -pk_parse_keyfile_ec:"data_files/ec_521_prv.comp.pem":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_521_prv.comp.pem":"NULL":0 Parse EC Key #12 (SEC1 PEM, bp256r1) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_BP256R1 -pk_parse_keyfile_ec:"data_files/ec_bp256_prv.pem":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_bp256_prv.pem":"NULL":0 Parse EC Key #12a (SEC1 PEM, bp256r1, compressed) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_BP256R1_ENABLED -pk_parse_keyfile_ec:"data_files/ec_bp256_prv.comp.pem":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_bp256_prv.comp.pem":"NULL":0 Parse EC Key #13 (SEC1 PEM, bp384r1) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_BP384R1 -pk_parse_keyfile_ec:"data_files/ec_bp384_prv.pem":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_bp384_prv.pem":"NULL":0 Parse EC Key #13a (SEC1 PEM, bp384r1, compressed) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_BP384R1_ENABLED -pk_parse_keyfile_ec:"data_files/ec_bp384_prv.comp.pem":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_bp384_prv.comp.pem":"NULL":0 Parse EC Key #14 (SEC1 PEM, bp512r1) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_BP512R1 -pk_parse_keyfile_ec:"data_files/ec_bp512_prv.pem":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_bp512_prv.pem":"NULL":0 Parse EC Key #14a (SEC1 PEM, bp512r1, compressed) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_PARSE_EC_COMPRESSED:MBEDTLS_ECP_DP_BP512R1_ENABLED -pk_parse_keyfile_ec:"data_files/ec_bp512_prv.comp.pem":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_bp512_prv.comp.pem":"NULL":0 Parse EC Key #15 (SEC1 DER, secp256k1, SpecifiedECDomain) depends_on:MBEDTLS_ECP_DP_SECP256K1_ENABLED:MBEDTLS_PK_PARSE_EC_EXTENDED -pk_parse_keyfile_ec:"data_files/ec_prv.specdom.der":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_prv.specdom.der":"NULL":0 Parse EC Key #16 (RFC 8410, DER, X25519) depends_on:MBEDTLS_ECP_HAVE_CURVE25519 -pk_parse_keyfile_ec:"data_files/ec_x25519_prv.der":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_x25519_prv.der":"NULL":0 Parse EC Key #17 (RFC 8410, DER, X448) depends_on:MBEDTLS_ECP_HAVE_CURVE448 -pk_parse_keyfile_ec:"data_files/ec_x448_prv.der":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_x448_prv.der":"NULL":0 Parse EC Key #18 (RFC 8410, PEM, X25519) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_CURVE25519 -pk_parse_keyfile_ec:"data_files/ec_x25519_prv.pem":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_x25519_prv.pem":"NULL":0 Parse EC Key #19 (RFC 8410, PEM, X448) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_CURVE448 -pk_parse_keyfile_ec:"data_files/ec_x448_prv.pem":"NULL":0 +pk_parse_keyfile_ec:"../framework/data_files/ec_x448_prv.pem":"NULL":0 Key ASN1 (No data) pk_parse_key:"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_pkparse.function b/yass/third_party/mbedtls/tests/suites/test_suite_pkparse.function index a06fc30bc8..63ff092160 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_pkparse.function +++ b/yass/third_party/mbedtls/tests/suites/test_suite_pkparse.function @@ -47,7 +47,19 @@ static int test_psa_bridge(const mbedtls_pk_context *ctx, int ok = 0; TEST_EQUAL(mbedtls_pk_get_psa_attributes(ctx, usage_flag, &attributes), 0); - TEST_EQUAL(mbedtls_pk_import_into_psa(ctx, &attributes, &psa_key), 0); + int ret = mbedtls_pk_import_into_psa(ctx, &attributes, &psa_key); + if (mbedtls_pk_get_type(ctx) == MBEDTLS_PK_RSA && + mbedtls_pk_get_bitlen(ctx) % 8 != 0 && + ret == MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE) { + /* There is a historical limitation with support for RSA keys in PSA: + * only byte-aligned sizes are supported. + * https://github.com/Mbed-TLS/mbedtls/issues/9048 + * For now, for such keys, treat not-supported from PSA as a success. + */ + ok = 1; + goto exit; + } + TEST_EQUAL(ret, 0); if (!mbedtls_test_key_consistency_psa_pk(psa_key, ctx)) { goto exit; } diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_pkwrite.data b/yass/third_party/mbedtls/tests/suites/test_suite_pkwrite.data index d58226e522..b1fb73bd24 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_pkwrite.data +++ b/yass/third_party/mbedtls/tests/suites/test_suite_pkwrite.data @@ -1,155 +1,155 @@ Public key write check RSA depends_on:MBEDTLS_RSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C -pk_write_pubkey_check:"data_files/server1.pubkey":TEST_PEM +pk_write_pubkey_check:"../framework/data_files/server1.pubkey":TEST_PEM Public key write check RSA (DER) depends_on:MBEDTLS_RSA_C -pk_write_pubkey_check:"data_files/server1.pubkey.der":TEST_DER +pk_write_pubkey_check:"../framework/data_files/server1.pubkey.der":TEST_DER Public key write check RSA 4096 depends_on:MBEDTLS_RSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C -pk_write_pubkey_check:"data_files/rsa4096_pub.pem":TEST_PEM +pk_write_pubkey_check:"../framework/data_files/rsa4096_pub.pem":TEST_PEM Public key write check RSA 4096 (DER) depends_on:MBEDTLS_RSA_C -pk_write_pubkey_check:"data_files/rsa4096_pub.der":TEST_DER +pk_write_pubkey_check:"../framework/data_files/rsa4096_pub.der":TEST_DER Public key write check EC 192 bits depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_ECP_HAVE_SECP192R1 -pk_write_pubkey_check:"data_files/ec_pub.pem":TEST_PEM +pk_write_pubkey_check:"../framework/data_files/ec_pub.pem":TEST_PEM Public key write check EC 192 bits (DER) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP192R1 -pk_write_pubkey_check:"data_files/ec_pub.der":TEST_DER +pk_write_pubkey_check:"../framework/data_files/ec_pub.der":TEST_DER Public key write check EC 521 bits depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_ECP_HAVE_SECP521R1 -pk_write_pubkey_check:"data_files/ec_521_pub.pem":TEST_PEM +pk_write_pubkey_check:"../framework/data_files/ec_521_pub.pem":TEST_PEM Public key write check EC 521 bits (DER) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP521R1 -pk_write_pubkey_check:"data_files/ec_521_pub.der":TEST_DER +pk_write_pubkey_check:"../framework/data_files/ec_521_pub.der":TEST_DER Public key write check EC Brainpool 512 bits depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_ECP_HAVE_BP512R1 -pk_write_pubkey_check:"data_files/ec_bp512_pub.pem":TEST_PEM +pk_write_pubkey_check:"../framework/data_files/ec_bp512_pub.pem":TEST_PEM Public key write check EC Brainpool 512 bits (DER) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_BP512R1 -pk_write_pubkey_check:"data_files/ec_bp512_pub.der":TEST_DER +pk_write_pubkey_check:"../framework/data_files/ec_bp512_pub.der":TEST_DER Public key write check EC X25519 depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_ECP_HAVE_CURVE25519 -pk_write_pubkey_check:"data_files/ec_x25519_pub.pem":TEST_PEM +pk_write_pubkey_check:"../framework/data_files/ec_x25519_pub.pem":TEST_PEM Public key write check EC X25519 (DER) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_CURVE25519 -pk_write_pubkey_check:"data_files/ec_x25519_pub.der":TEST_DER +pk_write_pubkey_check:"../framework/data_files/ec_x25519_pub.der":TEST_DER Public key write check EC X448 depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_ECP_HAVE_CURVE448 -pk_write_pubkey_check:"data_files/ec_x448_pub.pem":TEST_PEM +pk_write_pubkey_check:"../framework/data_files/ec_x448_pub.pem":TEST_PEM Public key write check EC X448 (DER) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_CURVE448 -pk_write_pubkey_check:"data_files/ec_x448_pub.der":TEST_DER +pk_write_pubkey_check:"../framework/data_files/ec_x448_pub.der":TEST_DER Private key write check RSA depends_on:MBEDTLS_RSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C -pk_write_key_check:"data_files/server1.key":TEST_PEM +pk_write_key_check:"../framework/data_files/server1.key":TEST_PEM Private key write check RSA (DER) depends_on:MBEDTLS_RSA_C -pk_write_key_check:"data_files/server1.key.der":TEST_DER +pk_write_key_check:"../framework/data_files/server1.key.der":TEST_DER Private key write check RSA 4096 depends_on:MBEDTLS_RSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C -pk_write_key_check:"data_files/rsa4096_prv.pem":TEST_PEM +pk_write_key_check:"../framework/data_files/rsa4096_prv.pem":TEST_PEM Private key write check RSA 4096 (DER) depends_on:MBEDTLS_RSA_C -pk_write_key_check:"data_files/rsa4096_prv.der":TEST_DER +pk_write_key_check:"../framework/data_files/rsa4096_prv.der":TEST_DER Private key write check EC 192 bits depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_ECP_HAVE_SECP192R1 -pk_write_key_check:"data_files/ec_prv.sec1.pem":TEST_PEM +pk_write_key_check:"../framework/data_files/ec_prv.sec1.pem":TEST_PEM Private key write check EC 192 bits (DER) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP192R1 -pk_write_key_check:"data_files/ec_prv.sec1.der":TEST_DER +pk_write_key_check:"../framework/data_files/ec_prv.sec1.der":TEST_DER Private key write check EC 256 bits (top bit set) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_ECP_HAVE_SECP256R1 -pk_write_key_check:"data_files/ec_256_long_prv.pem":TEST_PEM +pk_write_key_check:"../framework/data_files/ec_256_long_prv.pem":TEST_PEM Private key write check EC 256 bits (top bit set) (DER) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP256R1 -pk_write_key_check:"data_files/ec_256_long_prv.der":TEST_DER +pk_write_key_check:"../framework/data_files/ec_256_long_prv.der":TEST_DER Private key write check EC 521 bits depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_ECP_HAVE_SECP521R1 -pk_write_key_check:"data_files/ec_521_prv.pem":TEST_PEM +pk_write_key_check:"../framework/data_files/ec_521_prv.pem":TEST_PEM Private key write check EC 521 bits (DER) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP521R1 -pk_write_key_check:"data_files/ec_521_prv.der":TEST_DER +pk_write_key_check:"../framework/data_files/ec_521_prv.der":TEST_DER Private key write check EC 521 bits (top byte is 0) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_ECP_HAVE_SECP521R1 -pk_write_key_check:"data_files/ec_521_short_prv.pem":TEST_PEM +pk_write_key_check:"../framework/data_files/ec_521_short_prv.pem":TEST_PEM Private key write check EC 521 bits (top byte is 0) (DER) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP521R1 -pk_write_key_check:"data_files/ec_521_short_prv.der":TEST_DER +pk_write_key_check:"../framework/data_files/ec_521_short_prv.der":TEST_DER Private key write check EC Brainpool 512 bits depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_ECP_HAVE_BP512R1 -pk_write_key_check:"data_files/ec_bp512_prv.pem":TEST_PEM +pk_write_key_check:"../framework/data_files/ec_bp512_prv.pem":TEST_PEM Private key write check EC Brainpool 512 bits (DER) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_BP512R1 -pk_write_key_check:"data_files/ec_bp512_prv.der":TEST_DER +pk_write_key_check:"../framework/data_files/ec_bp512_prv.der":TEST_DER Private key write check EC X25519 depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_ECP_HAVE_CURVE25519 -pk_write_key_check:"data_files/ec_x25519_prv.pem":TEST_PEM +pk_write_key_check:"../framework/data_files/ec_x25519_prv.pem":TEST_PEM Private key write check EC X25519 (DER) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_CURVE25519 -pk_write_key_check:"data_files/ec_x25519_prv.der":TEST_DER +pk_write_key_check:"../framework/data_files/ec_x25519_prv.der":TEST_DER Private key write check EC X448 depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_ECP_HAVE_CURVE448 -pk_write_key_check:"data_files/ec_x448_prv.pem":TEST_PEM +pk_write_key_check:"../framework/data_files/ec_x448_prv.pem":TEST_PEM Private key write check EC X448 (DER) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_CURVE448 -pk_write_key_check:"data_files/ec_x448_prv.der":TEST_DER +pk_write_key_check:"../framework/data_files/ec_x448_prv.der":TEST_DER Derive public key RSA depends_on:MBEDTLS_RSA_C -pk_write_public_from_private:"data_files/server1.key.der":"data_files/server1.pubkey.der" +pk_write_public_from_private:"../framework/data_files/server1.key.der":"../framework/data_files/server1.pubkey.der" Derive public key RSA 4096 depends_on:MBEDTLS_RSA_C -pk_write_public_from_private:"data_files/rsa4096_prv.der":"data_files/rsa4096_pub.der" +pk_write_public_from_private:"../framework/data_files/rsa4096_prv.der":"../framework/data_files/rsa4096_pub.der" Derive public key EC 192 bits depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP192R1 -pk_write_public_from_private:"data_files/ec_prv.sec1.der":"data_files/ec_pub.der" +pk_write_public_from_private:"../framework/data_files/ec_prv.sec1.der":"../framework/data_files/ec_pub.der" Derive public key EC 521 bits depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP521R1 -pk_write_public_from_private:"data_files/ec_521_prv.der":"data_files/ec_521_pub.der" +pk_write_public_from_private:"../framework/data_files/ec_521_prv.der":"../framework/data_files/ec_521_pub.der" Derive public key EC Brainpool 512 bits depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_BP512R1 -pk_write_public_from_private:"data_files/ec_bp512_prv.der":"data_files/ec_bp512_pub.der" +pk_write_public_from_private:"../framework/data_files/ec_bp512_prv.der":"../framework/data_files/ec_bp512_pub.der" Derive public key EC X25519 depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_CURVE25519 -pk_write_public_from_private:"data_files/ec_x25519_prv.der":"data_files/ec_x25519_pub.der" +pk_write_public_from_private:"../framework/data_files/ec_x25519_prv.der":"../framework/data_files/ec_x25519_pub.der" Derive public key EC X448 depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_CURVE448 -pk_write_public_from_private:"data_files/ec_x448_prv.der":"data_files/ec_x448_pub.der" +pk_write_public_from_private:"../framework/data_files/ec_x448_prv.der":"../framework/data_files/ec_x448_pub.der" diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_platform.function b/yass/third_party/mbedtls/tests/suites/test_suite_platform.function index c65d011f0f..5d49e52e45 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_platform.function +++ b/yass/third_party/mbedtls/tests/suites/test_suite_platform.function @@ -18,7 +18,7 @@ #else #include #endif -void sleep_ms(int milliseconds) +static void sleep_ms(int milliseconds) { #if defined(_WIN32) || defined(WIN32) || defined(__CYGWIN__) || \ defined(__MINGW32__) || defined(_WIN64) diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto.data b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto.data index 4f29a7aaed..4149fdbfc9 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto.data +++ b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto.data @@ -2412,9 +2412,9 @@ PSA symmetric decrypt: AES-CBC-nopad, input too short (5 bytes) depends_on:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_KEY_TYPE_AES cipher_decrypt_fail:PSA_ALG_CBC_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"6bc1bee223":PSA_ERROR_INVALID_ARGUMENT -PSA symmetric decrypt: CCM*-no-tag, input too short (15 bytes) +PSA symmetric decrypt: CCM*-no-tag, input too short (12 bytes) depends_on:PSA_WANT_ALG_CCM_STAR_NO_TAG:PSA_WANT_KEY_TYPE_AES -cipher_decrypt_fail:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"19ebfde2d5468ba0a3031bde629b11fd":"5a8aa485c316e9":"2a2a2a2a2a2a2a2a":PSA_ERROR_INVALID_ARGUMENT +cipher_decrypt_fail:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"19ebfde2d5468ba0a3031bde629b11fd":"0102030405060708090a0b0c":"":PSA_ERROR_INVALID_ARGUMENT PSA symmetric decrypt: AES-ECB, 0 bytes, good depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES:!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT @@ -2464,10 +2464,26 @@ PSA symmetric decrypt: 3-key 3DES-ECB, 8 bytes, good depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_DES cipher_decrypt:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_DES:"01020407080b0d0ec1c2c4c7c8cbcdce31323437383b3d3e":"":"817ca7d69b80d86a":"c78e2b38139610e3" -PSA symmetric decrypt: CCM*-no-tag, NIST DVPT AES-128 #15 +PSA symmetric decrypt: CCM*-no-tag, NIST DVPT AES-128 #15, 24 bytes depends_on:PSA_WANT_ALG_CCM_STAR_NO_TAG:PSA_WANT_KEY_TYPE_AES cipher_decrypt:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"90929a4b0ac65b350ad1591611fe4829":"5a8aa485c316e9403aff859fbb":"4bfe4e35784f0a65b545477e5e2f4bae0e1e6fa717eaf2cb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697" +PSA symmetric decrypt: CCM*-no-tag, NIST DVPT AES-128 #15, 23 bytes +depends_on:PSA_WANT_ALG_CCM_STAR_NO_TAG:PSA_WANT_KEY_TYPE_AES +cipher_decrypt:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"90929a4b0ac65b350ad1591611fe4829":"5a8aa485c316e9403aff859fbb":"4bfe4e35784f0a65b545477e5e2f4bae0e1e6fa717eaf2":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad6" + +PSA symmetric decrypt: CCM*-no-tag, NIST DVPT AES-128 #15, 3 bytes +depends_on:PSA_WANT_ALG_CCM_STAR_NO_TAG:PSA_WANT_KEY_TYPE_AES +cipher_decrypt:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"90929a4b0ac65b350ad1591611fe4829":"5a8aa485c316e9403aff859fbb":"4bfe4e":"a16a2e" + +PSA symmetric decrypt: CCM*-no-tag, NIST DVPT AES-128 #15, 2 bytes +depends_on:PSA_WANT_ALG_CCM_STAR_NO_TAG:PSA_WANT_KEY_TYPE_AES +cipher_decrypt:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"90929a4b0ac65b350ad1591611fe4829":"5a8aa485c316e9403aff859fbb":"4bfe":"a16a" + +PSA symmetric decrypt: CCM*-no-tag, NIST DVPT AES-128 #15, 0 bytes +depends_on:PSA_WANT_ALG_CCM_STAR_NO_TAG:PSA_WANT_KEY_TYPE_AES +cipher_decrypt:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"90929a4b0ac65b350ad1591611fe4829":"5a8aa485c316e9403aff859fbb":"":"" + PSA symmetric decrypt: ChaCha20, RFC7539 keystream depends_on:PSA_WANT_ALG_STREAM_CIPHER:PSA_WANT_KEY_TYPE_CHACHA20 # Keystream from RFC 7539 §2.4.2, with an extra 64-byte output block prepended @@ -6919,6 +6935,18 @@ PSA key derivation: PBKDF2-AES-CMAC-PRF-128-> AES-256 depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH derive_key_type:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:"706173737764":"01":"73616c74":PSA_KEY_TYPE_AES:256:"28e288c6345bb5ecf7ca70274208a3ba0f1148b5868537d5e09d3ee6813b1f52" +PSA key derivation custom: default -> AES-128 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES +derive_key_custom:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:0:"":PSA_SUCCESS:"3cb25f25faacd57a90434f64d0362f2a" + +PSA key derivation custom: flags=1 -> AES-128 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES +derive_key_custom:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:1:"":PSA_ERROR_INVALID_ARGUMENT:"" + +PSA key derivation custom: data non-empty -> AES-128 +depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES +derive_key_custom:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:0:"2a":PSA_ERROR_INVALID_ARGUMENT:"" + PSA key derivation: default params -> AES-128 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES derive_key_ext:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:0:"":PSA_SUCCESS:"3cb25f25faacd57a90434f64d0362f2a" @@ -7504,6 +7532,83 @@ PSA generate key: FFDH, 1024 bits, invalid bits depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE generate_key:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):1024:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_ERROR_NOT_SUPPORTED:0 +PSA generate key custom: RSA, flags=1 +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE +generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:1:"":PSA_ERROR_INVALID_ARGUMENT + +PSA generate key custom: RSA, empty e +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT +generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"":PSA_SUCCESS + +PSA generate key custom: RSA, e=3 +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT +generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"03":PSA_SUCCESS + +PSA generate key custom: RSA, e=3 with leading zeros +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT +generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"000003":PSA_SUCCESS + +# TODO: currently errors with NOT_SUPPORTED because e is converted to an int +# and the conversion errors out if there are too many digits without checking +# for leading zeros. This is a very minor bug. Re-enable this test when this +# bug is fixed. +#PSA generate key custom: RSA, e=3 with many leading zeros +#depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT +#generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"0000000000000000000000000000000003":PSA_SUCCESS + +PSA generate key custom: RSA, e=513 +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT +generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"0201":PSA_SUCCESS + +PSA generate key custom: RSA, e=65537 +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT +generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"010001":PSA_SUCCESS + +PSA generate key custom: RSA, e=2^31-1 +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:INT_MAX>=0x7fffffff +generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"7fffffff":PSA_SUCCESS + +PSA generate key custom: RSA, e=2^31+3 (too large for built-in RSA) +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:!MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE:INT_MAX<=0x7fffffff +generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"80000003":PSA_ERROR_NOT_SUPPORTED + +PSA generate key custom: RSA, e=2^64+3 (too large for built-in RSA) +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:!MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE:INT_MAX<=0xffffffffffffffff +generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"010000000000000003":PSA_ERROR_NOT_SUPPORTED + +PSA generate key custom: RSA, e=1 +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE +generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"01":PSA_ERROR_INVALID_ARGUMENT + +PSA generate key custom: RSA, e=0 +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE +generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"00":PSA_ERROR_INVALID_ARGUMENT + +PSA generate key custom: RSA, e=2 +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE +generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"02":PSA_ERROR_INVALID_ARGUMENT + +# Check that with a driver, we reject a custom e as unsupported, +# as opposed to silently using the default e. +# When we add proper driver support, remove this test case and remove +# the dependency on MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE from +# the positive/invalid_argument test cases. +PSA generate key custom: RSA, e=3 with driver and no fallback (not yet supported) +depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:!MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE +generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"03":PSA_ERROR_NOT_SUPPORTED + +PSA generate key custom: ECC, flags=0 +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH +generate_key_custom:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:0:"":PSA_SUCCESS + +PSA generate key custom: ECC, flags=1 +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH +generate_key_custom:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:1:"":PSA_ERROR_INVALID_ARGUMENT + +PSA generate key custom: ECC, data non-empty +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH +generate_key_custom:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:0:"2a":PSA_ERROR_INVALID_ARGUMENT + PSA generate key ext: RSA, params.flags=1 depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:1:"":PSA_ERROR_INVALID_ARGUMENT @@ -7512,63 +7617,10 @@ PSA generate key ext: RSA, empty e depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"":PSA_SUCCESS -PSA generate key ext: RSA, e=3 -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"03":PSA_SUCCESS - -PSA generate key ext: RSA, e=3 with leading zeros -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"000003":PSA_SUCCESS - -# TODO: currently errors with NOT_SUPPORTED because e is converted to an int -# and the conversion errors out if there are too many digits without checking -# for leading zeros. This is a very minor bug. Re-enable this test when this -# bug is fixed. -#PSA generate key ext: RSA, e=3 with many leading zeros -#depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT -#generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"0000000000000000000000000000000003":PSA_SUCCESS - PSA generate key ext: RSA, e=513 depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"0201":PSA_SUCCESS -PSA generate key ext: RSA, e=65537 -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"010001":PSA_SUCCESS - -PSA generate key ext: RSA, e=2^31-1 -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:INT_MAX>=0x7fffffff -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"7fffffff":PSA_SUCCESS - -PSA generate key ext: RSA, e=2^31+3 (too large for built-in RSA) -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:!MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE:INT_MAX<=0x7fffffff -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"80000003":PSA_ERROR_NOT_SUPPORTED - -PSA generate key ext: RSA, e=2^64+3 (too large for built-in RSA) -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:!MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE:INT_MAX<=0xffffffffffffffff -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"010000000000000003":PSA_ERROR_NOT_SUPPORTED - -PSA generate key ext: RSA, e=1 -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"01":PSA_ERROR_INVALID_ARGUMENT - -PSA generate key ext: RSA, e=0 -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"00":PSA_ERROR_INVALID_ARGUMENT - -PSA generate key ext: RSA, e=2 -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"02":PSA_ERROR_INVALID_ARGUMENT - -# Check that with a driver, we reject a custom e as unsupported, -# as opposed to silently using the default e. -# When we add proper driver support, remove this test case and remove -# the dependency on MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE from -# the positive/invalid_argument test cases. -PSA generate key ext: RSA, e=3 with driver and no fallback (not yet supported) -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:!MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"03":PSA_ERROR_NOT_SUPPORTED - PSA generate key ext: ECC, flags=0 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH generate_key_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:0:"":PSA_SUCCESS diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto.function b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto.function index 0c8552bd55..2e513ea45c 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto.function +++ b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto.function @@ -39,28 +39,6 @@ #define ASSERT_OPERATION_IS_ACTIVE(operation) TEST_ASSERT(operation.id != 0) #define ASSERT_OPERATION_IS_INACTIVE(operation) TEST_ASSERT(operation.id == 0) -#if defined(PSA_WANT_ALG_JPAKE) -int ecjpake_operation_setup(psa_pake_operation_t *operation, - psa_pake_cipher_suite_t *cipher_suite, - psa_pake_role_t role, - mbedtls_svc_key_id_t key, - size_t key_available) -{ - PSA_ASSERT(psa_pake_abort(operation)); - - PSA_ASSERT(psa_pake_setup(operation, cipher_suite)); - - PSA_ASSERT(psa_pake_set_role(operation, role)); - - if (key_available) { - PSA_ASSERT(psa_pake_set_password_key(operation, key)); - } - return 0; -exit: - return 1; -} -#endif - /** An invalid export length that will never be set by psa_export_key(). */ static const size_t INVALID_EXPORT_LENGTH = ~0U; @@ -175,12 +153,12 @@ static int construct_fake_rsa_key(unsigned char *buffer, } #endif /* MBEDTLS_ASN1_WRITE_C */ -int exercise_mac_setup(psa_key_type_t key_type, - const unsigned char *key_bytes, - size_t key_length, - psa_algorithm_t alg, - psa_mac_operation_t *operation, - psa_status_t *status) +static int exercise_mac_setup(psa_key_type_t key_type, + const unsigned char *key_bytes, + size_t key_length, + psa_algorithm_t alg, + psa_mac_operation_t *operation, + psa_status_t *status) { mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; @@ -207,12 +185,12 @@ exit: return 0; } -int exercise_cipher_setup(psa_key_type_t key_type, - const unsigned char *key_bytes, - size_t key_length, - psa_algorithm_t alg, - psa_cipher_operation_t *operation, - psa_status_t *status) +static int exercise_cipher_setup(psa_key_type_t key_type, + const unsigned char *key_bytes, + size_t key_length, + psa_algorithm_t alg, + psa_cipher_operation_t *operation, + psa_status_t *status) { mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; @@ -285,14 +263,14 @@ exit: /* Assert that a key isn't reported as having a slot number. */ #if defined(MBEDTLS_PSA_CRYPTO_SE_C) #define ASSERT_NO_SLOT_NUMBER(attributes) \ - do \ - { \ - psa_key_slot_number_t ASSERT_NO_SLOT_NUMBER_slot_number; \ - TEST_EQUAL(psa_get_key_slot_number( \ - attributes, \ + do \ + { \ + psa_key_slot_number_t ASSERT_NO_SLOT_NUMBER_slot_number; \ + TEST_EQUAL(psa_get_key_slot_number( \ + attributes, \ &ASSERT_NO_SLOT_NUMBER_slot_number), \ PSA_ERROR_INVALID_ARGUMENT); \ - } \ + } \ while (0) #else /* MBEDTLS_PSA_CRYPTO_SE_C */ #define ASSERT_NO_SLOT_NUMBER(attributes) \ @@ -1338,6 +1316,7 @@ exit: #if defined(MBEDTLS_THREADING_PTHREAD) +#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) typedef struct same_key_context { data_t *data; mbedtls_svc_key_id_t key; @@ -1354,7 +1333,7 @@ same_key_context; /* Attempt to import the key in ctx. This handles any valid error codes * and reports an error for any invalid codes. This function also insures * that once imported by some thread, all threads can use the key. */ -void *thread_import_key(void *ctx) +static void *thread_import_key(void *ctx) { mbedtls_svc_key_id_t returned_key_id; same_key_context *skc = (struct same_key_context *) ctx; @@ -1428,7 +1407,7 @@ exit: return NULL; } -void *thread_use_and_destroy_key(void *ctx) +static void *thread_use_and_destroy_key(void *ctx) { same_key_context *skc = (struct same_key_context *) ctx; @@ -1456,6 +1435,7 @@ void *thread_use_and_destroy_key(void *ctx) exit: return NULL; } +#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */ typedef struct generate_key_context { psa_key_type_t type; @@ -1468,7 +1448,7 @@ typedef struct generate_key_context { int reps; } generate_key_context; -void *thread_generate_key(void *ctx) +static void *thread_generate_key(void *ctx) { mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; @@ -9591,6 +9571,77 @@ exit: } /* END_CASE */ +/* BEGIN_CASE */ +void derive_key_custom(int alg_arg, + data_t *key_data, + data_t *input1, + data_t *input2, + int key_type_arg, int bits_arg, + int flags_arg, + data_t *custom_data, + psa_status_t expected_status, + data_t *expected_export) +{ + mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; + mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT; + const psa_algorithm_t alg = alg_arg; + const psa_key_type_t key_type = key_type_arg; + const size_t bits = bits_arg; + psa_custom_key_parameters_t custom = PSA_CUSTOM_KEY_PARAMETERS_INIT; + custom.flags = flags_arg; + psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; + const size_t export_buffer_size = + PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, bits); + uint8_t *export_buffer = NULL; + psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT; + size_t export_length; + + TEST_CALLOC(export_buffer, export_buffer_size); + PSA_ASSERT(psa_crypto_init()); + + psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE); + psa_set_key_algorithm(&base_attributes, alg); + psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE); + PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len, + &base_key)); + + if (mbedtls_test_psa_setup_key_derivation_wrap( + &operation, base_key, alg, + input1->x, input1->len, + input2->x, input2->len, + PSA_KEY_DERIVATION_UNLIMITED_CAPACITY, 0) == 0) { + goto exit; + } + + psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT); + psa_set_key_algorithm(&derived_attributes, 0); + psa_set_key_type(&derived_attributes, key_type); + psa_set_key_bits(&derived_attributes, bits); + + TEST_EQUAL(psa_key_derivation_output_key_custom( + &derived_attributes, &operation, + &custom, custom_data->x, custom_data->len, + &derived_key), + expected_status); + + if (expected_status == PSA_SUCCESS) { + PSA_ASSERT(psa_export_key(derived_key, + export_buffer, export_buffer_size, + &export_length)); + TEST_MEMORY_COMPARE(export_buffer, export_length, + expected_export->x, expected_export->len); + } + +exit: + mbedtls_free(export_buffer); + psa_key_derivation_abort(&operation); + psa_destroy_key(base_key); + psa_destroy_key(derived_key); + PSA_DONE(); +} +/* END_CASE */ + /* BEGIN_CASE */ void derive_key_ext(int alg_arg, data_t *key_data, @@ -10152,6 +10203,71 @@ exit: } /* END_CASE */ +/* BEGIN_CASE */ +void generate_key_custom(int type_arg, + int bits_arg, + int usage_arg, + int alg_arg, + int flags_arg, + data_t *custom_data, + int expected_status_arg) +{ + mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_type_t type = type_arg; + psa_key_usage_t usage = usage_arg; + size_t bits = bits_arg; + psa_algorithm_t alg = alg_arg; + psa_status_t expected_status = expected_status_arg; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_custom_key_parameters_t custom = PSA_CUSTOM_KEY_PARAMETERS_INIT; + custom.flags = flags_arg; + psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; + + PSA_ASSERT(psa_crypto_init()); + + psa_set_key_usage_flags(&attributes, usage); + psa_set_key_algorithm(&attributes, alg); + psa_set_key_type(&attributes, type); + psa_set_key_bits(&attributes, bits); + + /* Generate a key */ + psa_status_t status = + psa_generate_key_custom(&attributes, + &custom, custom_data->x, custom_data->len, + &key); + + TEST_EQUAL(status, expected_status); + if (expected_status != PSA_SUCCESS) { + goto exit; + } + + /* Test the key information */ + PSA_ASSERT(psa_get_key_attributes(key, &got_attributes)); + TEST_EQUAL(psa_get_key_type(&got_attributes), type); + TEST_EQUAL(psa_get_key_bits(&got_attributes), bits); + +#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) + if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) { + TEST_ASSERT(rsa_test_e(key, bits, custom_data)); + } +#endif + + /* Do something with the key according to its type and permitted usage. */ + if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) { + goto exit; + } + +exit: + /* + * Key attributes may have been returned by psa_get_key_attributes() + * thus reset them as required. + */ + psa_reset_key_attributes(&got_attributes); + psa_destroy_key(key); + PSA_DONE(); +} +/* END_CASE */ + /* BEGIN_CASE */ void generate_key_ext(int type_arg, int bits_arg, diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_driver_wrappers.data b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_driver_wrappers.data index 37c15ee38c..fb2da8c3c2 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_driver_wrappers.data +++ b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_driver_wrappers.data @@ -1,3 +1,6 @@ +Built-in key range +builtin_key_id_stability: + sign_hash transparent driver: in driver ECDSA SECP256R1 SHA-256 depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 sign_hash:PSA_KEY_TYPE_ECC_KEY_PAIR( PSA_ECC_FAMILY_SECP_R1 ):PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):PSA_SUCCESS:"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":0:PSA_SUCCESS @@ -238,10 +241,11 @@ generate_ec_key through transparent driver: fake generate_ec_key:PSA_SUCCESS:"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_SUCCESS generate_ec_key through transparent driver: in-driver +depends_on:MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE generate_ec_key:PSA_SUCCESS:"":PSA_SUCCESS generate_ec_key through transparent driver: fallback -depends_on:MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE +depends_on:MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_256 generate_ec_key:PSA_ERROR_NOT_SUPPORTED:"":PSA_SUCCESS generate_ec_key through transparent driver: fallback not available diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_driver_wrappers.function index a788827232..84611faddd 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_driver_wrappers.function +++ b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_driver_wrappers.function @@ -489,6 +489,21 @@ exit: * END_DEPENDENCIES */ +/* BEGIN_CASE */ +void builtin_key_id_stability() +{ + /* If the range of built-in keys is reduced, it's an API break, since + * it breaks user code that hard-codes the key id of built-in keys. + * It's ok to expand this range, but not to shrink it. That is, you + * may make the MIN smaller or the MAX larger at any time, but + * making the MIN larger or the MAX smaller can only be done in + * a new major version of the library. + */ + TEST_EQUAL(MBEDTLS_PSA_KEY_ID_BUILTIN_MIN, 0x7fff0000); + TEST_EQUAL(MBEDTLS_PSA_KEY_ID_BUILTIN_MAX, 0x7fffefff); +} +/* END_CASE */ + /* BEGIN_CASE */ void sign_hash(int key_type_arg, int alg_arg, @@ -748,7 +763,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE */ +/* BEGIN_CASE depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE */ void generate_ec_key(int force_status_arg, data_t *fake_output, int expected_status_arg) @@ -782,13 +797,14 @@ void generate_ec_key(int force_status_arg, fake_output->len; } - mbedtls_test_driver_key_management_hooks.hits = 0; - mbedtls_test_driver_key_management_hooks.forced_status = force_status; - PSA_ASSERT(psa_crypto_init()); + mbedtls_test_driver_key_management_hooks.hits = 0; + mbedtls_test_driver_key_management_hooks.hits_generate_key = 0; + mbedtls_test_driver_key_management_hooks.forced_status = force_status; + actual_status = psa_generate_key(&attributes, &key); - TEST_EQUAL(mbedtls_test_driver_key_management_hooks.hits, 1); + TEST_EQUAL(mbedtls_test_driver_key_management_hooks.hits_generate_key, 1); TEST_EQUAL(actual_status, expected_status); if (actual_status == PSA_SUCCESS) { diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_init.function b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_init.function index 9ff33a6d84..954560a24e 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_init.function +++ b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_init.function @@ -8,6 +8,23 @@ #include "mbedtls/entropy.h" #include "entropy_poll.h" +static int check_stats(void) +{ + mbedtls_psa_stats_t stats; + mbedtls_psa_get_stats(&stats); + + TEST_EQUAL(stats.volatile_slots, MBEDTLS_TEST_PSA_INTERNAL_KEYS); + TEST_EQUAL(stats.persistent_slots, 0); + TEST_EQUAL(stats.external_slots, 0); + TEST_EQUAL(stats.half_filled_slots, 0); + TEST_EQUAL(stats.locked_slots, 0); + + return 1; + +exit: + return 0; +} + #define ENTROPY_MIN_NV_SEED_SIZE \ MAX(MBEDTLS_ENTROPY_MIN_PLATFORM, MBEDTLS_ENTROPY_BLOCK_SIZE) @@ -187,12 +204,23 @@ void init_deinit(int count) psa_status_t status; int i; for (i = 0; i < count; i++) { + mbedtls_test_set_step(2 * i); status = psa_crypto_init(); PSA_ASSERT(status); + if (!check_stats()) { + goto exit; + } + + mbedtls_test_set_step(2 * i); status = psa_crypto_init(); PSA_ASSERT(status); + if (!check_stats()) { + goto exit; + } PSA_DONE(); } +exit: + PSA_DONE(); } /* END_CASE */ diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_metadata.function b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_metadata.function index b51f2a28b7..3b5bf66cdb 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_metadata.function +++ b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_metadata.function @@ -80,17 +80,17 @@ * Unconditionally mask flag into the ambient variable * classification_flags_tested. */ -#define TEST_CLASSIFICATION_MACRO(cond, flag, alg, flags) \ +#define TEST_CLASSIFICATION_MACRO(cond, flag, alg, flags) \ do \ { \ - if (cond) \ + if (cond) \ { \ - if ((flags) & (flag)) \ - TEST_ASSERT(PSA_##flag(alg)); \ + if ((flags) & (flag)) \ + TEST_ASSERT(PSA_##flag(alg)); \ else \ - TEST_ASSERT(!PSA_##flag(alg)); \ + TEST_ASSERT(!PSA_##flag(alg)); \ } \ - classification_flags_tested |= (flag); \ + classification_flags_tested |= (flag); \ } \ while (0) @@ -106,7 +106,7 @@ * The expected parity is even so that 0 is considered a valid encoding. * * Return a nonzero value if value has even parity and 0 otherwise. */ -int has_even_parity(uint32_t value) +static int has_even_parity(uint32_t value) { value ^= value >> 16; value ^= value >> 8; @@ -116,7 +116,7 @@ int has_even_parity(uint32_t value) #define TEST_PARITY(value) \ TEST_ASSERT(has_even_parity(value)) -void algorithm_classification(psa_algorithm_t alg, unsigned flags) +static void algorithm_classification(psa_algorithm_t alg, unsigned flags) { unsigned classification_flags_tested = 0; TEST_CLASSIFICATION_MACRO(1, ALG_IS_VENDOR_DEFINED, alg, flags); @@ -155,7 +155,7 @@ void algorithm_classification(psa_algorithm_t alg, unsigned flags) exit:; } -void key_type_classification(psa_key_type_t type, unsigned flags) +static void key_type_classification(psa_key_type_t type, unsigned flags) { unsigned classification_flags_tested = 0; @@ -192,9 +192,9 @@ void key_type_classification(psa_key_type_t type, unsigned flags) exit:; } -void mac_algorithm_core(psa_algorithm_t alg, int classification_flags, - psa_key_type_t key_type, size_t key_bits, - size_t length) +static void mac_algorithm_core(psa_algorithm_t alg, int classification_flags, + psa_key_type_t key_type, size_t key_bits, + size_t length) { /* Algorithm classification */ TEST_ASSERT(!PSA_ALG_IS_HASH(alg)); @@ -218,9 +218,9 @@ void mac_algorithm_core(psa_algorithm_t alg, int classification_flags, exit:; } -void aead_algorithm_core(psa_algorithm_t alg, int classification_flags, - psa_key_type_t key_type, size_t key_bits, - size_t tag_length) +static void aead_algorithm_core(psa_algorithm_t alg, int classification_flags, + psa_key_type_t key_type, size_t key_bits, + size_t tag_length) { /* Algorithm classification */ TEST_ASSERT(!PSA_ALG_IS_HASH(alg)); diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_op_fail.function b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_op_fail.function index 9878237211..928986933a 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_op_fail.function +++ b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_op_fail.function @@ -27,11 +27,11 @@ static int test_equal_status(const char *test, * run, it would be better to clarify the expectations and reconcile the * library and the test case generator. */ -#define TEST_STATUS(expr1, expr2) \ - do { \ +#define TEST_STATUS(expr1, expr2) \ + do { \ if (!test_equal_status( #expr1 " == " #expr2, __LINE__, __FILE__, \ - expr1, expr2)) \ - goto exit; \ + expr1, expr2)) \ + goto exit; \ } while (0) /* END_HEADER */ diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_pake.data b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_pake.data index baebded38f..f81bb53203 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_pake.data +++ b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_pake.data @@ -74,7 +74,7 @@ PSA PAKE: invalid input depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:"client":"server":1:ERR_INJECT_EMPTY_IO_BUFFER:PSA_ERROR_INVALID_ARGUMENT -PSA PAKE: unkown input step +PSA PAKE: unknown input step depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:"client":"server":1:ERR_INJECT_UNKNOWN_STEP:PSA_ERROR_INVALID_ARGUMENT @@ -94,7 +94,7 @@ PSA PAKE: invalid output depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:"client":"server":0:ERR_INJECT_EMPTY_IO_BUFFER:PSA_ERROR_INVALID_ARGUMENT -PSA PAKE: unkown output step +PSA PAKE: unknown output step depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 ecjpake_setup:PSA_ALG_JPAKE:PSA_KEY_TYPE_PASSWORD:PSA_KEY_USAGE_DERIVE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:"client":"server":0:ERR_INJECT_UNKNOWN_STEP:PSA_ERROR_INVALID_ARGUMENT @@ -211,19 +211,19 @@ depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:PSA_WA ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_ROUND2_SERVER_ZK_PROOF:PSA_ERROR_DATA_INVALID:1 PSA PAKE: inject ERR_INJECT_EXTRA_OUTPUT -depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_EXTRA_OUTPUT:PSA_ERROR_BAD_STATE:0 PSA PAKE: inject ERR_INJECT_EXTRA_INPUT -depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:"abcdef":ERR_INJECT_EXTRA_INPUT:PSA_ERROR_BAD_STATE:0 PSA PAKE: inject ERR_INJECT_EXTRA_OUTPUT_AT_END -depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:1:"abcdef":ERR_INJECT_EXTRA_OUTPUT_AT_END:PSA_ERROR_BAD_STATE:1 PSA PAKE: inject ERR_INJECT_EXTRA_INPUT_AT_END -depends_on:MBEDTLS_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 +depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_256 ecjpake_rounds_inject:PSA_ALG_JPAKE:PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256):PSA_ALG_SHA_256:0:"abcdef":ERR_INJECT_EXTRA_INPUT_AT_END:PSA_ERROR_BAD_STATE:1 PSA PAKE: ecjpake size macros diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_pake.function b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_pake.function index 1cc69a73aa..08c88a1d6e 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_pake.function +++ b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_pake.function @@ -71,9 +71,9 @@ static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' }; * we're corrupting. */ #define DO_ROUND_CONDITIONAL_INJECT(this_stage, buf) \ - if (this_stage == err_stage) \ - { \ - *(buf + 7) ^= 1; \ + if (this_stage == err_stage) \ + { \ + *(buf + 7) ^= 1; \ } #define DO_ROUND_CONDITIONAL_CHECK_FAILURE(this_stage, function) \ @@ -84,20 +84,20 @@ static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' }; } #define DO_ROUND_UPDATE_OFFSETS(main_buf_offset, step_offset, step_size) \ - { \ - step_offset = main_buf_offset; \ - main_buf_offset += step_size; \ + { \ + step_offset = main_buf_offset; \ + main_buf_offset += step_size; \ } -#define DO_ROUND_CHECK_FAILURE() \ - if (err_stage != ERR_NONE && status != PSA_SUCCESS) \ +#define DO_ROUND_CHECK_FAILURE() \ + if (err_stage != ERR_NONE && status != PSA_SUCCESS) \ { \ - TEST_EQUAL(status, expected_error_arg); \ + TEST_EQUAL(status, expected_error_arg); \ break; \ } \ else \ { \ - TEST_EQUAL(status, PSA_SUCCESS); \ + TEST_EQUAL(status, PSA_SUCCESS); \ } #if defined(PSA_WANT_ALG_JPAKE) @@ -550,15 +550,15 @@ exit: * - terminated with failure otherwise (either no error was expected at this * stage or a different error code was expected) */ -#define SETUP_ALWAYS_CHECK_STEP(test_function, this_check_err_stage) \ +#define SETUP_ALWAYS_CHECK_STEP(test_function, this_check_err_stage) \ status = test_function; \ - if (err_stage != this_check_err_stage) \ + if (err_stage != this_check_err_stage) \ { \ - PSA_ASSERT(status); \ + PSA_ASSERT(status); \ } \ else \ { \ - TEST_EQUAL(status, expected_error); \ + TEST_EQUAL(status, expected_error); \ goto exit; \ } @@ -572,10 +572,10 @@ exit: * The test succeeds if the returned error is exactly the expected one, * otherwise it fails. */ -#define SETUP_CONDITIONAL_CHECK_STEP(test_function, this_check_err_stage) \ - if (err_stage == this_check_err_stage) \ +#define SETUP_CONDITIONAL_CHECK_STEP(test_function, this_check_err_stage) \ + if (err_stage == this_check_err_stage) \ { \ - TEST_EQUAL(test_function, expected_error); \ + TEST_EQUAL(test_function, expected_error); \ goto exit; \ } /* END_HEADER */ diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_se_driver_hal.data b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_se_driver_hal.data index cc89c0fc20..ae4ee0c25c 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_se_driver_hal.data +++ b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_se_driver_hal.data @@ -148,7 +148,16 @@ generate_key_smoke:PSA_KEY_TYPE_HMAC:256:PSA_ALG_HMAC( PSA_ALG_SHA_256 ) Key registration: smoke test register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:1:1:PSA_SUCCESS -Key registration: invalid lifetime (volatile internal storage) +Key registration: invalid lifetime (volatile, in SE, id=0) +register_key_smoke_test:TEST_SE_VOLATILE_LIFETIME:7:0:0:PSA_ERROR_INVALID_ARGUMENT + +Key registration: invalid lifetime (volatile, in SE, id=1) +register_key_smoke_test:TEST_SE_VOLATILE_LIFETIME:7:1:1:PSA_ERROR_INVALID_ARGUMENT + +Key registration: invalid lifetime (volatile, internal, id=0) +register_key_smoke_test:PSA_KEY_LIFETIME_VOLATILE:7:0:0:PSA_ERROR_INVALID_ARGUMENT + +Key registration: invalid lifetime (volatile, internal, id=1) register_key_smoke_test:PSA_KEY_LIFETIME_VOLATILE:7:1:1:PSA_ERROR_INVALID_ARGUMENT Key registration: invalid lifetime (internal storage) @@ -169,8 +178,8 @@ register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:PSA_KEY_ID_VENDOR_MAX+1:-1 Key registration: key id min vendor register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:PSA_KEY_ID_VENDOR_MIN:1:PSA_ERROR_INVALID_ARGUMENT -Key registration: key id max vendor except volatile -register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:PSA_KEY_ID_VOLATILE_MIN-1:1:PSA_ERROR_INVALID_ARGUMENT +Key registration: key id max vendor +register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:PSA_KEY_ID_VENDOR_MAX:1:PSA_ERROR_INVALID_ARGUMENT Key registration: key id min volatile register_key_smoke_test:TEST_SE_PERSISTENT_LIFETIME:7:PSA_KEY_ID_VOLATILE_MIN:1:PSA_ERROR_INVALID_ARGUMENT diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_se_driver_hal.function b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_se_driver_hal.function index e3681ba6e7..66d2a4eb99 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_se_driver_hal.function +++ b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_se_driver_hal.function @@ -13,6 +13,19 @@ #include "psa/internal_trusted_storage.h" #endif +/* Same in library/psa_crypto.c */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND) +#define BUILTIN_ALG_ANY_HKDF 1 +#endif +#if defined(BUILTIN_ALG_ANY_HKDF) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) || \ + defined(PSA_HAVE_SOFT_PBKDF2) +#define AT_LEAST_ONE_BUILTIN_KDF +#endif /****************************************************************/ /* Test driver helpers */ @@ -23,11 +36,11 @@ /** The location and lifetime used for tests that use a single driver. */ #define TEST_DRIVER_LOCATION 1 -#define TEST_SE_PERSISTENT_LIFETIME \ +#define TEST_SE_PERSISTENT_LIFETIME \ (PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( \ PSA_KEY_PERSISTENCE_DEFAULT, TEST_DRIVER_LOCATION)) -#define TEST_SE_VOLATILE_LIFETIME \ +#define TEST_SE_VOLATILE_LIFETIME \ (PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( \ PSA_KEY_PERSISTENCE_VOLATILE, TEST_DRIVER_LOCATION)) @@ -41,13 +54,13 @@ * * Use this macro to assert on guarantees provided by the core. */ -#define DRIVER_ASSERT_RETURN(TEST) \ - do { \ - if (!(TEST)) \ - { \ - mbedtls_test_fail( #TEST, __LINE__, __FILE__); \ - return PSA_ERROR_DETECTED_BY_DRIVER; \ - } \ +#define DRIVER_ASSERT_RETURN(TEST) \ + do { \ + if (!(TEST)) \ + { \ + mbedtls_test_fail( #TEST, __LINE__, __FILE__); \ + return PSA_ERROR_DETECTED_BY_DRIVER; \ + } \ } while (0) /** Like #TEST_ASSERT for use in a driver method, with cleanup. @@ -57,14 +70,14 @@ * * Use this macro to assert on guarantees provided by the core. */ -#define DRIVER_ASSERT(TEST) \ - do { \ - if (!(TEST)) \ - { \ - mbedtls_test_fail( #TEST, __LINE__, __FILE__); \ +#define DRIVER_ASSERT(TEST) \ + do { \ + if (!(TEST)) \ + { \ + mbedtls_test_fail( #TEST, __LINE__, __FILE__); \ status = PSA_ERROR_DETECTED_BY_DRIVER; \ goto exit; \ - } \ + } \ } while (0) /** Like #PSA_ASSERT for a PSA API call that calls a driver underneath. @@ -78,16 +91,16 @@ * case, the test driver code is expected to have called mbedtls_test_fail() * already, so we make sure not to overwrite the failure information. */ -#define PSA_ASSERT_VIA_DRIVER(expr, expected_status) \ - do { \ - psa_status_t PSA_ASSERT_VIA_DRIVER_status = (expr); \ - if (PSA_ASSERT_VIA_DRIVER_status == PSA_ERROR_DETECTED_BY_DRIVER) \ - goto exit; \ - if (PSA_ASSERT_VIA_DRIVER_status != (expected_status)) \ - { \ +#define PSA_ASSERT_VIA_DRIVER(expr, expected_status) \ + do { \ + psa_status_t PSA_ASSERT_VIA_DRIVER_status = (expr); \ + if (PSA_ASSERT_VIA_DRIVER_status == PSA_ERROR_DETECTED_BY_DRIVER) \ + goto exit; \ + if (PSA_ASSERT_VIA_DRIVER_status != (expected_status)) \ + { \ mbedtls_test_fail( #expr, __LINE__, __FILE__); \ - goto exit; \ - } \ + goto exit; \ + } \ } while (0) @@ -586,7 +599,7 @@ exit: * If this changes, the storage format version must change. * See psa_get_se_driver_its_file_uid() in psa_crypto_se.c. */ -psa_storage_uid_t file_uid_for_location(psa_key_location_t location) +static psa_storage_uid_t file_uid_for_location(psa_key_location_t location) { if (location > PSA_MAX_SE_LOCATION) { return 0; @@ -720,7 +733,7 @@ static int smoke_test_key(mbedtls_svc_key_id_t key) buffer, sizeof(buffer), NULL, 0, buffer, sizeof(buffer), &length)); -#if defined(PSA_WANT_ALG_SHA_256) +#if defined(PSA_WANT_ALG_SHA_256) && defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) /* Try the key in a plain key derivation. */ PSA_ASSERT(psa_key_derivation_setup(&derivation_operation, PSA_ALG_HKDF(PSA_ALG_SHA_256))); @@ -753,7 +766,9 @@ static int smoke_test_key(mbedtls_svc_key_id_t key) alg, key, buffer, length, buffer, sizeof(buffer), &length)); } -#endif /* PSA_WANT_ALG_SHA_256 */ +#else + (void) derivation_operation; +#endif /* PSA_WANT_ALG_SHA_256 && MBEDTLS_PSA_BUILTIN_ALG_HKDF */ ok = 1; diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function index b6d3a3487d..efd24e9f29 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function +++ b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function @@ -6,7 +6,7 @@ /** The location and lifetime used for tests that use a single driver. */ #define TEST_DRIVER_LOCATION 1 -#define TEST_SE_PERSISTENT_LIFETIME \ +#define TEST_SE_PERSISTENT_LIFETIME \ (PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( \ PSA_KEY_PERSISTENCE_DEFAULT, TEST_DRIVER_LOCATION)) @@ -162,11 +162,11 @@ static psa_status_t mock_import(psa_drv_se_context_t *drv_context, return mock_import_data.return_value; } -psa_status_t mock_export(psa_drv_se_context_t *context, - psa_key_slot_number_t slot_number, - uint8_t *p_data, - size_t data_size, - size_t *p_data_length) +static psa_status_t mock_export(psa_drv_se_context_t *context, + psa_key_slot_number_t slot_number, + uint8_t *p_data, + size_t data_size, + size_t *p_data_length) { (void) context; (void) p_data; @@ -179,11 +179,11 @@ psa_status_t mock_export(psa_drv_se_context_t *context, return mock_export_data.return_value; } -psa_status_t mock_export_public(psa_drv_se_context_t *context, - psa_key_slot_number_t slot_number, - uint8_t *p_data, - size_t data_size, - size_t *p_data_length) +static psa_status_t mock_export_public(psa_drv_se_context_t *context, + psa_key_slot_number_t slot_number, + uint8_t *p_data, + size_t data_size, + size_t *p_data_length) { (void) context; (void) p_data; @@ -196,14 +196,14 @@ psa_status_t mock_export_public(psa_drv_se_context_t *context, return mock_export_public_data.return_value; } -psa_status_t mock_sign(psa_drv_se_context_t *context, - psa_key_slot_number_t key_slot, - psa_algorithm_t alg, - const uint8_t *p_hash, - size_t hash_length, - uint8_t *p_signature, - size_t signature_size, - size_t *p_signature_length) +static psa_status_t mock_sign(psa_drv_se_context_t *context, + psa_key_slot_number_t key_slot, + psa_algorithm_t alg, + const uint8_t *p_hash, + size_t hash_length, + uint8_t *p_signature, + size_t signature_size, + size_t *p_signature_length) { (void) context; (void) p_hash; @@ -219,13 +219,13 @@ psa_status_t mock_sign(psa_drv_se_context_t *context, return mock_sign_data.return_value; } -psa_status_t mock_verify(psa_drv_se_context_t *context, - psa_key_slot_number_t key_slot, - psa_algorithm_t alg, - const uint8_t *p_hash, - size_t hash_length, - const uint8_t *p_signature, - size_t signature_length) +static psa_status_t mock_verify(psa_drv_se_context_t *context, + psa_key_slot_number_t key_slot, + psa_algorithm_t alg, + const uint8_t *p_hash, + size_t hash_length, + const uint8_t *p_signature, + size_t signature_length) { (void) context; (void) p_hash; @@ -240,11 +240,11 @@ psa_status_t mock_verify(psa_drv_se_context_t *context, return mock_verify_data.return_value; } -psa_status_t mock_allocate(psa_drv_se_context_t *drv_context, - void *persistent_data, - const psa_key_attributes_t *attributes, - psa_key_creation_method_t method, - psa_key_slot_number_t *key_slot) +static psa_status_t mock_allocate(psa_drv_se_context_t *drv_context, + void *persistent_data, + const psa_key_attributes_t *attributes, + psa_key_creation_method_t method, + psa_key_slot_number_t *key_slot) { (void) drv_context; (void) persistent_data; @@ -258,9 +258,9 @@ psa_status_t mock_allocate(psa_drv_se_context_t *drv_context, return mock_allocate_data.return_value; } -psa_status_t mock_destroy(psa_drv_se_context_t *context, - void *persistent_data, - psa_key_slot_number_t slot_number) +static psa_status_t mock_destroy(psa_drv_se_context_t *context, + void *persistent_data, + psa_key_slot_number_t slot_number) { (void) context; (void) persistent_data; diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_slot_management.data b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_slot_management.data index 7d364acab6..f379dba020 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_slot_management.data +++ b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_slot_management.data @@ -122,7 +122,18 @@ open_fail:PSA_KEY_ID_VENDOR_MAX + 1:PSA_ERROR_DOES_NOT_EXIST Open failure: invalid identifier (implementation range) depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C -open_fail:PSA_KEY_ID_USER_MAX + 1:PSA_ERROR_DOES_NOT_EXIST +# We need to avoid existing volatile key IDs. Normally there aren't any +# existing volatile keys because the test case doesn't create any, but +# in some configurations, the implementation or a driver creates a +# volatile key during initialization for its own use. At the time of +# writing, this happens in builds where AES uses a PSA driver and the +# PSA RNG uses AES-CTR_DRBG through the PSA AES. +# Pick a key id that's in the middle of the volatile key ID range. +# That works out both when MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled and +# volatile key IDs are assigned starting with the lowest value, and when +# MBEDTLS_PSA_KEY_STORE_DYNAMIC is disabled and volatile key IDs are assigned +# starting with the highest values. +open_fail:(PSA_KEY_ID_VOLATILE_MIN + PSA_KEY_ID_VOLATILE_MAX) / 2:PSA_ERROR_DOES_NOT_EXIST Open failure: non-existent identifier depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C @@ -214,8 +225,25 @@ invalid_handle:INVALID_HANDLE_CLOSED:PSA_ERROR_INVALID_HANDLE invalid handle: huge invalid_handle:INVALID_HANDLE_HUGE:PSA_ERROR_INVALID_HANDLE -Open many transient keys -many_transient_keys:42 +Key slot count: maximum +many_transient_keys:MBEDTLS_PSA_KEY_SLOT_COUNT - MBEDTLS_TEST_PSA_INTERNAL_KEYS + +Key slot count: dynamic: more than MBEDTLS_PSA_KEY_SLOT_COUNT +depends_on:MBEDTLS_PSA_KEY_STORE_DYNAMIC +# Check that MBEDTLS_PSA_KEY_SLOT_COUNT doesn't apply to volatile keys. +many_transient_keys:MBEDTLS_PSA_KEY_SLOT_COUNT + 1 + +Key slot count: try to overfill, destroy first +fill_key_store:0 + +Key slot count: try to overfill, destroy second +fill_key_store:1 + +Key slot count: try to overfill, destroy next-to-last +fill_key_store:-2 + +Key slot count: try to overfill, destroy last +fill_key_store:-1 # Eviction from a key slot to be able to import a new persistent key. Key slot eviction to import a new persistent key diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_slot_management.function b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_slot_management.function index 94f26f6b42..604c4bd5de 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_slot_management.function +++ b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_slot_management.function @@ -98,6 +98,31 @@ exit: return 0; } +#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) +#if defined(MBEDTLS_TEST_HOOKS) +/* Artificially restrictable dynamic key store */ +#define KEY_SLICE_1_LENGTH 4 +#define KEY_SLICE_2_LENGTH 10 +static size_t tiny_key_slice_length(size_t slice_idx) +{ + switch (slice_idx) { + case 1: return KEY_SLICE_1_LENGTH; + case 2: return KEY_SLICE_2_LENGTH; + default: return 1; + } +} +#define MAX_VOLATILE_KEYS \ + (KEY_SLICE_1_LENGTH + KEY_SLICE_2_LENGTH + \ + psa_key_slot_volatile_slice_count() - 2) + +#else /* Effectively unbounded dynamic key store */ +#undef MAX_VOLATILE_KEYS +#endif + +#else /* Static key store */ +#define MAX_VOLATILE_KEYS MBEDTLS_PSA_KEY_SLOT_COUNT +#endif + /* END_HEADER */ /* BEGIN_DEPENDENCIES @@ -813,21 +838,19 @@ void many_transient_keys(int max_keys_arg) psa_set_key_type(&attributes, PSA_KEY_TYPE_RAW_DATA); for (i = 0; i < max_keys; i++) { + mbedtls_test_set_step(i); status = psa_import_key(&attributes, (uint8_t *) &i, sizeof(i), &keys[i]); - if (status == PSA_ERROR_INSUFFICIENT_MEMORY) { - break; - } PSA_ASSERT(status); TEST_ASSERT(!mbedtls_svc_key_id_is_null(keys[i])); for (j = 0; j < i; j++) { TEST_ASSERT(!mbedtls_svc_key_id_equal(keys[i], keys[j])); } } - max_keys = i; for (i = 1; i < max_keys; i++) { + mbedtls_test_set_step(i); PSA_ASSERT(psa_close_key(keys[i - 1])); PSA_ASSERT(psa_export_key(keys[i], exported, sizeof(exported), @@ -843,6 +866,119 @@ exit: } /* END_CASE */ +/* BEGIN_CASE depends_on:MAX_VOLATILE_KEYS */ +/* + * 1. Fill the key store with volatile keys. + * 2. Check that attempting to create another volatile key fails without + * corrupting the key store. + * 3. Destroy the key specified by key_to_destroy. This is the number of the + * key in creation order (e.g. 0 means the first key that was created). + * It can also be a negative value to count in reverse order (e.g. + * -1 means to destroy the last key that was created). + * 4. Check that creating another volatile key succeeds. + */ +void fill_key_store(int key_to_destroy_arg) +{ + mbedtls_svc_key_id_t *keys = NULL; + size_t max_keys = MAX_VOLATILE_KEYS; + size_t i, j; + psa_status_t status; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + uint8_t exported[sizeof(size_t)]; + size_t exported_length; + +#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) && defined(MBEDTLS_TEST_HOOKS) + mbedtls_test_hook_psa_volatile_key_slice_length = &tiny_key_slice_length; +#endif + + PSA_ASSERT(psa_crypto_init()); + + mbedtls_psa_stats_t stats; + mbedtls_psa_get_stats(&stats); + /* Account for any system-created volatile key, e.g. for the RNG. */ + max_keys -= stats.volatile_slots; + TEST_CALLOC(keys, max_keys + 1); + + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT); + psa_set_key_algorithm(&attributes, 0); + psa_set_key_type(&attributes, PSA_KEY_TYPE_RAW_DATA); + + /* Fill the key store. */ + for (i = 0; i < max_keys; i++) { + mbedtls_test_set_step(i); + status = psa_import_key(&attributes, + (uint8_t *) &i, sizeof(i), + &keys[i]); + PSA_ASSERT(status); + TEST_ASSERT(!mbedtls_svc_key_id_is_null(keys[i])); + for (j = 0; j < i; j++) { + TEST_ASSERT(!mbedtls_svc_key_id_equal(keys[i], keys[j])); + } + } + + /* Attempt to overfill. */ + mbedtls_test_set_step(max_keys); + status = psa_import_key(&attributes, + (uint8_t *) &max_keys, sizeof(max_keys), + &keys[max_keys]); + TEST_EQUAL(status, PSA_ERROR_INSUFFICIENT_MEMORY); + TEST_ASSERT(mbedtls_svc_key_id_is_null(keys[max_keys])); + + /* Check that the keys are not corrupted. */ + for (i = 0; i < max_keys; i++) { + mbedtls_test_set_step(i); + PSA_ASSERT(psa_export_key(keys[i], + exported, sizeof(exported), + &exported_length)); + TEST_MEMORY_COMPARE(exported, exported_length, + (uint8_t *) &i, sizeof(i)); + } + + /* Destroy one key and try again. */ + size_t key_to_destroy = (key_to_destroy_arg >= 0 ? + (size_t) key_to_destroy_arg : + max_keys + key_to_destroy_arg); + mbedtls_svc_key_id_t reused_id = keys[key_to_destroy]; + const uint8_t replacement_value[1] = { 0x64 }; + PSA_ASSERT(psa_destroy_key(keys[key_to_destroy])); + keys[key_to_destroy] = MBEDTLS_SVC_KEY_ID_INIT; + status = psa_import_key(&attributes, + replacement_value, sizeof(replacement_value), + &keys[key_to_destroy]); + PSA_ASSERT(status); + /* Since the key store was full except for one key, the new key must be + * in the same slot in the key store as the destroyed key. + * Since volatile keys IDs are assigned based on which slot contains + * the key, the new key should have the same ID as the destroyed key. + */ + TEST_ASSERT(mbedtls_svc_key_id_equal(reused_id, keys[key_to_destroy])); + + /* Check that the keys are not corrupted and destroy them. */ + for (i = 0; i < max_keys; i++) { + mbedtls_test_set_step(i); + PSA_ASSERT(psa_export_key(keys[i], + exported, sizeof(exported), + &exported_length)); + if (i == key_to_destroy) { + TEST_MEMORY_COMPARE(exported, exported_length, + replacement_value, sizeof(replacement_value)); + } else { + TEST_MEMORY_COMPARE(exported, exported_length, + (uint8_t *) &i, sizeof(i)); + } + PSA_ASSERT(psa_destroy_key(keys[i])); + keys[i] = MBEDTLS_SVC_KEY_ID_INIT; + } + +exit: + PSA_DONE(); + mbedtls_free(keys); +#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) && defined(MBEDTLS_TEST_HOOKS) + mbedtls_test_hook_psa_volatile_key_slice_length = NULL; +#endif +} +/* END_CASE */ + /* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C */ void key_slot_eviction_to_import_new_key(int lifetime_arg) { @@ -919,7 +1055,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C */ +/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C:!MBEDTLS_PSA_KEY_STORE_DYNAMIC */ void non_reusable_key_slots_integrity_in_case_of_key_slot_starvation() { psa_status_t status; @@ -959,7 +1095,14 @@ void non_reusable_key_slots_integrity_in_case_of_key_slot_starvation() TEST_ASSERT(mbedtls_svc_key_id_equal(returned_key_id, persistent_key)); /* - * Create the maximum available number of volatile keys + * Create the maximum available number of keys that are locked in + * memory. This can be: + * - volatile keys, when MBEDTLS_PSA_KEY_STORE_DYNAMIC is disabled; + * - opened persistent keys (could work, but not currently implemented + * in this test function); + * - keys in use by another thread (we don't do this because it would + * be hard to arrange and we can't control how long the keys are + * locked anyway). */ psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_VOLATILE); for (i = 0; i < available_key_slots; i++) { diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_util.data b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_util.data index 807007b5e6..c84a8368cd 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_util.data +++ b/yass/third_party/mbedtls/tests/suites/test_suite_psa_crypto_util.data @@ -6,6 +6,16 @@ ECDSA Raw -> DER, 256bit, DER buffer too small depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"304402201111111111111111111111111111111111111111111111111111111111111111022022222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL +# Check coordinates one byte larger than the largest supported curve. +# If we add an even larger curve, this test case will fail in the full +# configuration because mbedtls_ecdsa_raw_to_der() will return 0, and we'll +# need to use larger data for this test case. +ECDSA Raw -> DER, very large input (536-bit) +ecdsa_raw_to_der:536:"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818a024311111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024322222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL + +ECDSA Raw -> DER, very large input (1016-bit) +ecdsa_raw_to_der:1016:"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30820102027f11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111027f22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL + ECDSA Raw -> DER, 256bit, Null r depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA @@ -58,6 +68,16 @@ ECDSA DER -> Raw, 256bit, Raw buffer too small depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL +# Check coordinates one byte larger than the largest supported curve. +# If we add an even larger curve, this test case will fail in the full +# configuration because mbedtls_ecdsa_der_to_raw() will return 0, and we'll +# need to use larger data for this test case. +ECDSA DER -> Raw, very large input (536-bit) +ecdsa_der_to_raw:536:"30818a024311111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024322222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL + +ECDSA DER -> Raw, very large input (1016-bit) +ecdsa_der_to_raw:1016:"30820102027f11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111027f22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL + ECDSA DER -> Raw, 256bit, Wrong sequence tag depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"40440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_psa_its.function b/yass/third_party/mbedtls/tests/suites/test_suite_psa_its.function index 0f66c79517..ce3433f2e5 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_psa_its.function +++ b/yass/third_party/mbedtls/tests/suites/test_suite_psa_its.function @@ -19,11 +19,11 @@ #define PSA_ITS_STORAGE_PREFIX "" #define PSA_ITS_STORAGE_FILENAME_PATTERN "%08lx%08lx" #define PSA_ITS_STORAGE_SUFFIX ".psa_its" -#define PSA_ITS_STORAGE_FILENAME_LENGTH \ - (sizeof(PSA_ITS_STORAGE_PREFIX) - 1 + /*prefix without terminating 0*/ \ - 16 + /*UID (64-bit number in hex)*/ \ - 16 + /*UID (64-bit number in hex)*/ \ - sizeof(PSA_ITS_STORAGE_SUFFIX) - 1 + /*suffix without terminating 0*/ \ +#define PSA_ITS_STORAGE_FILENAME_LENGTH \ + (sizeof(PSA_ITS_STORAGE_PREFIX) - 1 + /*prefix without terminating 0*/ \ + 16 + /*UID (64-bit number in hex)*/ \ + 16 + /*UID (64-bit number in hex)*/ \ + sizeof(PSA_ITS_STORAGE_SUFFIX) - 1 + /*suffix without terminating 0*/ \ 1 /*terminating null byte*/) #define PSA_ITS_STORAGE_TEMP \ PSA_ITS_STORAGE_PREFIX "tempfile" PSA_ITS_STORAGE_SUFFIX diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_ssl.data b/yass/third_party/mbedtls/tests/suites/test_suite_ssl.data index 734b945148..489d5d35b1 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_ssl.data +++ b/yass/third_party/mbedtls/tests/suites/test_suite_ssl.data @@ -117,7 +117,7 @@ depends_on:MBEDTLS_SSL_PROTO_TLS1_2 move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_SERVER_HELLO:1 TLS 1.2:Move client handshake to SERVER_CERTIFICATE -depends_on:MBEDTLS_SSP_PROTO_TLS1_2:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_SERVER_CERTIFICATE:1 TLS 1.2:Move client handshake to SERVER_KEY_EXCHANGE @@ -930,35 +930,35 @@ depends_on:MBEDTLS_SSL_PROTO_TLS1_2 ssl_session_serialize_version_check:0:0:0:1:0:MBEDTLS_SSL_VERSION_TLS1_2 TLS 1.3: CLI: session serialization: Wrong major version -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SESSION_TICKETS ssl_session_serialize_version_check:1:0:0:0:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3 TLS 1.3: CLI: session serialization: Wrong minor version -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SESSION_TICKETS ssl_session_serialize_version_check:0:1:0:0:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3 TLS 1.3: CLI: session serialization: Wrong patch version -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SESSION_TICKETS ssl_session_serialize_version_check:0:0:1:0:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3 TLS 1.3: CLI: session serialization: Wrong config -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SESSION_TICKETS ssl_session_serialize_version_check:0:0:0:1:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3 TLS 1.3: SRV: session serialization: Wrong major version -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_SESSION_TICKETS ssl_session_serialize_version_check:1:0:0:0:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_VERSION_TLS1_3 TLS 1.3: SRV: session serialization: Wrong minor version -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_SESSION_TICKETS ssl_session_serialize_version_check:0:1:0:0:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_VERSION_TLS1_3 TLS 1.3: SRV: session serialization: Wrong patch version -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_SESSION_TICKETS ssl_session_serialize_version_check:0:0:1:0:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_VERSION_TLS1_3 TLS 1.3: SRV: session serialization: Wrong config -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_SESSION_TICKETS ssl_session_serialize_version_check:0:0:0:1:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_VERSION_TLS1_3 Test Session id & Ciphersuite accessors TLS 1.2 @@ -2960,18 +2960,18 @@ ssl_serialize_session_save_load:1023:"":0:MBEDTLS_SSL_VERSION_TLS1_2 Session serialization, save-load: no ticket, cert depends_on:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_FS_IO:MBEDTLS_SSL_PROTO_TLS1_2 -ssl_serialize_session_save_load:0:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2 +ssl_serialize_session_save_load:0:"../framework/data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2 Session serialization, save-load: small ticket, cert depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_FS_IO:MBEDTLS_SSL_PROTO_TLS1_2 -ssl_serialize_session_save_load:42:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2 +ssl_serialize_session_save_load:42:"../framework/data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2 Session serialization, save-load: large ticket, cert depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_FS_IO:MBEDTLS_SSL_PROTO_TLS1_2 -ssl_serialize_session_save_load:1023:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2 +ssl_serialize_session_save_load:1023:"../framework/data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2 TLS 1.3: CLI: Session serialization, save-load: no ticket -depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_PROTO_TLS1_3 ssl_serialize_session_save_load:0:"":MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3 TLS 1.3: CLI: Session serialization, save-load: small ticket @@ -3000,15 +3000,15 @@ ssl_serialize_session_load_save:1023:"":0:MBEDTLS_SSL_VERSION_TLS1_2 Session serialization, load-save: no ticket, cert depends_on:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_FS_IO:MBEDTLS_SSL_PROTO_TLS1_2 -ssl_serialize_session_load_save:0:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2 +ssl_serialize_session_load_save:0:"../framework/data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2 Session serialization, load-save: small ticket, cert depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_FS_IO -ssl_serialize_session_load_save:42:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2 +ssl_serialize_session_load_save:42:"../framework/data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2 Session serialization, load-save: large ticket, cert depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_FS_IO -ssl_serialize_session_load_save:1023:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2 +ssl_serialize_session_load_save:1023:"../framework/data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2 TLS 1.3: CLI: Session serialization, load-save: no ticket depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_PROTO_TLS1_3 @@ -3040,15 +3040,15 @@ ssl_serialize_session_save_buf_size:1023:"":0:MBEDTLS_SSL_VERSION_TLS1_2 Session serialization, save buffer size: no ticket, cert depends_on:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_FS_IO:MBEDTLS_SSL_PROTO_TLS1_2 -ssl_serialize_session_save_buf_size:0:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2 +ssl_serialize_session_save_buf_size:0:"../framework/data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2 Session serialization, save buffer size: small ticket, cert depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_FS_IO -ssl_serialize_session_save_buf_size:42:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2 +ssl_serialize_session_save_buf_size:42:"../framework/data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2 Session serialization, save buffer size: large ticket, cert depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_FS_IO -ssl_serialize_session_save_buf_size:1023:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2 +ssl_serialize_session_save_buf_size:1023:"../framework/data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2 TLS 1.3: CLI: Session serialization, save buffer size: no ticket depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_PROTO_TLS1_3 @@ -3080,18 +3080,18 @@ ssl_serialize_session_load_buf_size:1023:"":0:MBEDTLS_SSL_VERSION_TLS1_2 Session serialization, load buffer size: no ticket, cert depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_FS_IO -ssl_serialize_session_load_buf_size:0:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2 +ssl_serialize_session_load_buf_size:0:"../framework/data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2 Session serialization, load buffer size: small ticket, cert depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_FS_IO -ssl_serialize_session_load_buf_size:42:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2 +ssl_serialize_session_load_buf_size:42:"../framework/data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2 Session serialization, load buffer size: large ticket, cert depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_FS_IO -ssl_serialize_session_load_buf_size:1023:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2 +ssl_serialize_session_load_buf_size:1023:"../framework/data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2 TLS 1.3: CLI: Session serialization, load buffer size: no ticket -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C ssl_serialize_session_load_buf_size:0:"":MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3 TLS 1.3: CLI: Session serialization, load buffer size: small ticket @@ -3103,7 +3103,7 @@ depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_ ssl_serialize_session_load_buf_size:1023:"":MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3 TLS 1.3: SRV: Session serialization, load buffer size -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_SRV_C ssl_serialize_session_load_buf_size:0:"":MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_VERSION_TLS1_3 Test configuration of groups for DHE through mbedtls_ssl_conf_curves() diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_ssl.function b/yass/third_party/mbedtls/tests/suites/test_suite_ssl.function index 67d97e47ce..343e58a12d 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_ssl.function +++ b/yass/third_party/mbedtls/tests/suites/test_suite_ssl.function @@ -1623,11 +1623,11 @@ void ssl_tls13_derive_secret(int hash_alg, unsigned char const *lbl = NULL; size_t lbl_len; -#define MBEDTLS_SSL_TLS1_3_LABEL(name, string) \ - if (label_idx == (int) tls13_label_ ## name) \ +#define MBEDTLS_SSL_TLS1_3_LABEL(name, string) \ + if (label_idx == (int) tls13_label_ ## name) \ { \ lbl = mbedtls_ssl_tls13_labels.name; \ - lbl_len = sizeof(mbedtls_ssl_tls13_labels.name); \ + lbl_len = sizeof(mbedtls_ssl_tls13_labels.name); \ } MBEDTLS_SSL_TLS1_3_LABEL_LIST #undef MBEDTLS_SSL_TLS1_3_LABEL @@ -1667,7 +1667,7 @@ void ssl_tls13_derive_early_secrets(int hash_alg, /* Double-check that we've passed sane parameters. */ psa_algorithm_t alg = (psa_algorithm_t) hash_alg; size_t const hash_len = PSA_HASH_LENGTH(alg); - TEST_ASSERT(PSA_ALG_IS_HASH(alg) && + TEST_ASSERT(PSA_ALG_IS_HASH(alg) && secret->len == hash_len && transcript->len == hash_len && traffic_expected->len == hash_len && @@ -1701,7 +1701,7 @@ void ssl_tls13_derive_handshake_secrets(int hash_alg, /* Double-check that we've passed sane parameters. */ psa_algorithm_t alg = (psa_algorithm_t) hash_alg; size_t const hash_len = PSA_HASH_LENGTH(alg); - TEST_ASSERT(PSA_ALG_IS_HASH(alg) && + TEST_ASSERT(PSA_ALG_IS_HASH(alg) && secret->len == hash_len && transcript->len == hash_len && client_expected->len == hash_len && @@ -1736,7 +1736,7 @@ void ssl_tls13_derive_application_secrets(int hash_alg, /* Double-check that we've passed sane parameters. */ psa_algorithm_t alg = (psa_algorithm_t) hash_alg; size_t const hash_len = PSA_HASH_LENGTH(alg); - TEST_ASSERT(PSA_ALG_IS_HASH(alg) && + TEST_ASSERT(PSA_ALG_IS_HASH(alg) && secret->len == hash_len && transcript->len == hash_len && client_expected->len == hash_len && @@ -1772,7 +1772,7 @@ void ssl_tls13_derive_resumption_secrets(int hash_alg, /* Double-check that we've passed sane parameters. */ psa_algorithm_t alg = (psa_algorithm_t) hash_alg; size_t const hash_len = PSA_HASH_LENGTH(alg); - TEST_ASSERT(PSA_ALG_IS_HASH(alg) && + TEST_ASSERT(PSA_ALG_IS_HASH(alg) && secret->len == hash_len && transcript->len == hash_len && resumption_expected->len == hash_len); @@ -1803,7 +1803,7 @@ void ssl_tls13_create_psk_binder(int hash_alg, /* Double-check that we've passed sane parameters. */ psa_algorithm_t alg = (psa_algorithm_t) hash_alg; size_t const hash_len = PSA_HASH_LENGTH(alg); - TEST_ASSERT(PSA_ALG_IS_HASH(alg) && + TEST_ASSERT(PSA_ALG_IS_HASH(alg) && transcript->len == hash_len && binder_expected->len == hash_len); @@ -2093,7 +2093,7 @@ void ssl_serialize_session_save_load(int ticket_len, char *crt_file, #if defined(MBEDTLS_SSL_PROTO_TLS1_3) if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { - TEST_ASSERT(original.ciphersuite == restored.ciphersuite); +#if defined(MBEDTLS_SSL_SESSION_TICKETS) TEST_ASSERT(original.ticket_age_add == restored.ticket_age_add); TEST_ASSERT(original.ticket_flags == restored.ticket_flags); TEST_ASSERT(original.resumption_key_len == restored.resumption_key_len); @@ -2104,22 +2104,24 @@ void ssl_serialize_session_save_load(int ticket_len, char *crt_file, restored.resumption_key, original.resumption_key_len) == 0); } +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ -#if defined(MBEDTLS_SSL_EARLY_DATA) - TEST_ASSERT( - original.max_early_data_size == restored.max_early_data_size); -#if defined(MBEDTLS_SSL_ALPN) && defined(MBEDTLS_SSL_SRV_C) +#if defined(MBEDTLS_SSL_SRV_C) if (endpoint_type == MBEDTLS_SSL_IS_SERVER) { +#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) TEST_ASSERT(original.ticket_alpn != NULL); TEST_ASSERT(restored.ticket_alpn != NULL); TEST_MEMORY_COMPARE(original.ticket_alpn, strlen(original.ticket_alpn), restored.ticket_alpn, strlen(restored.ticket_alpn)); +#endif +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ } -#endif -#endif +#endif /* MBEDTLS_SSL_SRV_C */ -#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) +#if defined(MBEDTLS_SSL_CLI_C) if (endpoint_type == MBEDTLS_SSL_IS_CLIENT) { +#if defined(MBEDTLS_SSL_SESSION_TICKETS) #if defined(MBEDTLS_HAVE_TIME) TEST_ASSERT(original.ticket_reception_time == restored.ticket_reception_time); #endif @@ -2132,12 +2134,23 @@ void ssl_serialize_session_save_load(int ticket_len, char *crt_file, restored.ticket, original.ticket_len) == 0); } - - } +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + TEST_ASSERT(original.hostname != NULL); + TEST_ASSERT(restored.hostname != NULL); + TEST_MEMORY_COMPARE(original.hostname, strlen(original.hostname), + restored.hostname, strlen(restored.hostname)); #endif +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ + } +#endif /* MBEDTLS_SSL_CLI_C */ } #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ +#if defined(MBEDTLS_SSL_EARLY_DATA) + TEST_ASSERT( + original.max_early_data_size == restored.max_early_data_size); +#endif + #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) TEST_ASSERT(original.record_size_limit == restored.record_size_limit); #endif diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_version.data b/yass/third_party/mbedtls/tests/suites/test_suite_version.data index 0edee96819..670e06ba59 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_version.data +++ b/yass/third_party/mbedtls/tests/suites/test_suite_version.data @@ -1,8 +1,8 @@ Check compile time library version -check_compiletime_version:"3.6.0" +check_compiletime_version:"3.6.1" Check runtime library version -check_runtime_version:"3.6.0" +check_runtime_version:"3.6.1" Check for MBEDTLS_VERSION_C check_feature:"MBEDTLS_VERSION_C":0 diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_x509parse.data b/yass/third_party/mbedtls/tests/suites/test_suite_x509parse.data index 754660c56f..658b4f637a 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_x509parse.data +++ b/yass/third_party/mbedtls/tests/suites/test_suite_x509parse.data @@ -1,410 +1,410 @@ X509 CRT information #1 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509_cert_info:"data_files/parse_input/server1.crt":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" +x509_cert_info:"../framework/data_files/parse_input/server1.crt":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" X509 CRT information #1 (DER) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509_cert_info:"data_files/parse_input/server1.crt.der":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" +x509_cert_info:"../framework/data_files/parse_input/server1.crt.der":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" X509 CRT information #2 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509_cert_info:"data_files/parse_input/server2.crt":"cert. version \: 3\nserial number \: 02\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" +x509_cert_info:"../framework/data_files/parse_input/server2.crt":"cert. version \: 3\nserial number \: 02\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" X509 CRT information #2 (DER) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509_cert_info:"data_files/parse_input/server2.crt.der":"cert. version \: 3\nserial number \: 02\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" +x509_cert_info:"../framework/data_files/parse_input/server2.crt.der":"cert. version \: 3\nserial number \: 02\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" X509 CRT information #3 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509_cert_info:"data_files/parse_input/test-ca.crt":"cert. version \: 3\nserial number \: 03\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-02-10 14\:44\:00\nexpires on \: 2029-02-10 14\:44\:00\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\n" +x509_cert_info:"../framework/data_files/parse_input/test-ca.crt":"cert. version \: 3\nserial number \: 03\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-02-10 14\:44\:00\nexpires on \: 2029-02-10 14\:44\:00\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\n" X509 CRT information #3 (DER) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509_cert_info:"data_files/parse_input/test-ca.crt.der":"cert. version \: 3\nserial number \: 03\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-02-10 14\:44\:00\nexpires on \: 2029-02-10 14\:44\:00\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\n" +x509_cert_info:"../framework/data_files/parse_input/test-ca.crt.der":"cert. version \: 3\nserial number \: 03\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-02-10 14\:44\:00\nexpires on \: 2029-02-10 14\:44\:00\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\n" X509 CRT information MD5 Digest depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_MD5 -x509_cert_info:"data_files/parse_input/cert_md5.crt":"cert. version \: 3\nserial number \: 06\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert MD5\nissued on \: 2000-01-01 12\:12\:12\nexpires on \: 2030-01-01 12\:12\:12\nsigned using \: RSA with MD5\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" +x509_cert_info:"../framework/data_files/parse_input/cert_md5.crt":"cert. version \: 3\nserial number \: 06\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert MD5\nissued on \: 2000-01-01 12\:12\:12\nexpires on \: 2030-01-01 12\:12\:12\nsigned using \: RSA with MD5\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" X509 CRT information SHA1 Digest depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509_cert_info:"data_files/parse_input/cert_sha1.crt":"cert. version \: 3\nserial number \: 07\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" +x509_cert_info:"../framework/data_files/parse_input/cert_sha1.crt":"cert. version \: 3\nserial number \: 07\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" X509 CRT information SHA224 Digest depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA224 -x509_cert_info:"data_files/parse_input/cert_sha224.crt":"cert. version \: 3\nserial number \: 08\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA224\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA-224\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" +x509_cert_info:"../framework/data_files/parse_input/cert_sha224.crt":"cert. version \: 3\nserial number \: 08\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA224\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA-224\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" X509 CRT information SHA256 Digest depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -x509_cert_info:"data_files/parse_input/cert_sha256.crt":"cert. version \: 3\nserial number \: 09\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA256\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" +x509_cert_info:"../framework/data_files/parse_input/cert_sha256.crt":"cert. version \: 3\nserial number \: 09\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA256\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" X509 CRT information SHA384 Digest depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA384 -x509_cert_info:"data_files/parse_input/cert_sha384.crt":"cert. version \: 3\nserial number \: 0A\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA384\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA-384\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" +x509_cert_info:"../framework/data_files/parse_input/cert_sha384.crt":"cert. version \: 3\nserial number \: 0A\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA384\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA-384\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" X509 CRT information SHA512 Digest depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA512 -x509_cert_info:"data_files/parse_input/cert_sha512.crt":"cert. version \: 3\nserial number \: 0B\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA512\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA-512\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" +x509_cert_info:"../framework/data_files/parse_input/cert_sha512.crt":"cert. version \: 3\nserial number \: 0B\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA512\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA-512\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" X509 CRT information RSA-PSS, SHA1 Digest depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA1 -x509_cert_info:"data_files/parse_input/server9.crt":"cert. version \: 3\nserial number \: 16\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:38\:16\nexpires on \: 2024-01-18 13\:38\:16\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0xEA)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n" +x509_cert_info:"../framework/data_files/parse_input/server9.crt":"cert. version \: 3\nserial number \: 16\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:38\:16\nexpires on \: 2024-01-18 13\:38\:16\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0xEA)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n" X509 CRT information RSA-PSS, SHA224 Digest depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA224 -x509_cert_info:"data_files/parse_input/server9-sha224.crt":"cert. version \: 3\nserial number \: 17\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:36\nexpires on \: 2024-01-18 13\:57\:36\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0xE2)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n" +x509_cert_info:"../framework/data_files/parse_input/server9-sha224.crt":"cert. version \: 3\nserial number \: 17\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:36\nexpires on \: 2024-01-18 13\:57\:36\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0xE2)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n" X509 CRT information RSA-PSS, SHA256 Digest depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA256 -x509_cert_info:"data_files/parse_input/server9-sha256.crt":"cert. version \: 3\nserial number \: 18\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:45\nexpires on \: 2024-01-18 13\:57\:45\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0xDE)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n" +x509_cert_info:"../framework/data_files/parse_input/server9-sha256.crt":"cert. version \: 3\nserial number \: 18\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:45\nexpires on \: 2024-01-18 13\:57\:45\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0xDE)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n" X509 CRT information RSA-PSS, SHA384 Digest depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA384 -x509_cert_info:"data_files/parse_input/server9-sha384.crt":"cert. version \: 3\nserial number \: 19\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:58\nexpires on \: 2024-01-18 13\:57\:58\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0xCE)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n" +x509_cert_info:"../framework/data_files/parse_input/server9-sha384.crt":"cert. version \: 3\nserial number \: 19\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:58\nexpires on \: 2024-01-18 13\:57\:58\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0xCE)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n" X509 CRT information RSA-PSS, SHA512 Digest depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA512 -x509_cert_info:"data_files/parse_input/server9-sha512.crt":"cert. version \: 3\nserial number \: 1A\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:58\:12\nexpires on \: 2024-01-18 13\:58\:12\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0xBE)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n" +x509_cert_info:"../framework/data_files/parse_input/server9-sha512.crt":"cert. version \: 3\nserial number \: 1A\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:58\:12\nexpires on \: 2024-01-18 13\:58\:12\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0xBE)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n" X509 CRT information EC, SHA1 Digest depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA1 -x509_cert_info:"data_files/parse_input/server5-sha1.crt":"cert. version \: 3\nserial number \: 12\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\nbasic constraints \: CA=false\n" +x509_cert_info:"../framework/data_files/parse_input/server5-sha1.crt":"cert. version \: 3\nserial number \: 12\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\nbasic constraints \: CA=false\n" X509 CRT information EC, SHA224 Digest depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA224 -x509_cert_info:"data_files/parse_input/server5-sha224.crt":"cert. version \: 3\nserial number \: 13\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA224\nEC key size \: 256 bits\nbasic constraints \: CA=false\n" +x509_cert_info:"../framework/data_files/parse_input/server5-sha224.crt":"cert. version \: 3\nserial number \: 13\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA224\nEC key size \: 256 bits\nbasic constraints \: CA=false\n" X509 CRT information EC, SHA256 Digest depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256 -x509_cert_info:"data_files/parse_input/server5.crt":"cert. version \: 3\nserial number \: 09\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 15\:52\:04\nexpires on \: 2023-09-22 15\:52\:04\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nbasic constraints \: CA=false\n" +x509_cert_info:"../framework/data_files/parse_input/server5.crt":"cert. version \: 3\nserial number \: 09\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 15\:52\:04\nexpires on \: 2023-09-22 15\:52\:04\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nbasic constraints \: CA=false\n" X509 CRT information EC, SHA384 Digest depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA384 -x509_cert_info:"data_files/parse_input/server5-sha384.crt":"cert. version \: 3\nserial number \: 14\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA384\nEC key size \: 256 bits\nbasic constraints \: CA=false\n" +x509_cert_info:"../framework/data_files/parse_input/server5-sha384.crt":"cert. version \: 3\nserial number \: 14\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA384\nEC key size \: 256 bits\nbasic constraints \: CA=false\n" X509 CRT information EC, SHA512 Digest depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA512 -x509_cert_info:"data_files/parse_input/server5-sha512.crt":"cert. version \: 3\nserial number \: 15\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\nbasic constraints \: CA=false\n" +x509_cert_info:"../framework/data_files/parse_input/server5-sha512.crt":"cert. version \: 3\nserial number \: 15\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\nbasic constraints \: CA=false\n" X509 CRT information EC, SHA256 Digest, hardware module name SAN depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256 -x509_cert_info:"data_files/parse_input/server5-othername.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nissued on \: 2023-06-20 09\:04\:43\nexpires on \: 2033-06-17 09\:04\:43\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 313233343536\n" +x509_cert_info:"../framework/data_files/parse_input/server5-othername.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nissued on \: 2023-06-20 09\:04\:43\nexpires on \: 2033-06-17 09\:04\:43\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 313233343536\n" X509 CRT information EC, SHA256 Digest, binary hardware module name SAN depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256 -x509_cert_info:"data_files/parse_input/server5-nonprintable_othername.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS non-printable othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS non-printable othername SAN\nissued on \: 2023-06-20 09\:49\:20\nexpires on \: 2033-06-17 09\:49\:20\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 3132338081008180333231\n" +x509_cert_info:"../framework/data_files/parse_input/server5-nonprintable_othername.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS non-printable othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS non-printable othername SAN\nissued on \: 2023-06-20 09\:49\:20\nexpires on \: 2033-06-17 09\:49\:20\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 3132338081008180333231\n" X509 CRT information EC, SHA256 Digest, directoryName SAN depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256 -x509_cert_info:"data_files/parse_input/server5-directoryname.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nissued on \: 2023-01-10 16\:59\:29\nexpires on \: 2033-01-07 16\:59\:29\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n directoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n" +x509_cert_info:"../framework/data_files/parse_input/server5-directoryname.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nissued on \: 2023-01-10 16\:59\:29\nexpires on \: 2033-01-07 16\:59\:29\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n directoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n" X509 CRT information EC, SHA256 Digest, two directoryName SANs depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256 -x509_cert_info:"data_files/parse_input/server5-two-directorynames.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nissued on \: 2023-01-12 10\:34\:11\nexpires on \: 2033-01-09 10\:34\:11\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n directoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n directoryName \: O=MALFORM_ME\n" +x509_cert_info:"../framework/data_files/parse_input/server5-two-directorynames.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\nissued on \: 2023-01-12 10\:34\:11\nexpires on \: 2033-01-09 10\:34\:11\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n directoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n directoryName \: O=MALFORM_ME\n" X509 CRT information EC, SHA256 Digest, Wisun Fan device depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256 -x509_cert_info:"data_files/parse_input/server5-fan.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nissued on \: 2023-06-20 09\:49\:35\nexpires on \: 2033-06-17 09\:49\:35\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\next key usage \: Wi-SUN Alliance Field Area Network (FAN)\n" +x509_cert_info:"../framework/data_files/parse_input/server5-fan.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nissued on \: 2023-06-20 09\:49\:35\nexpires on \: 2033-06-17 09\:49\:35\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\next key usage \: Wi-SUN Alliance Field Area Network (FAN)\n" X509 CRT information, NS Cert Type depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509_cert_info:"data_files/parse_input/server1.cert_type.crt":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\ncert. type \: SSL Server\n" +x509_cert_info:"../framework/data_files/parse_input/server1.cert_type.crt":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\ncert. type \: SSL Server\n" X509 CRT information, Key Usage depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509_cert_info:"data_files/parse_input/server1.key_usage.crt":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" +x509_cert_info:"../framework/data_files/parse_input/server1.key_usage.crt":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2019-02-10 14\:44\:06\nexpires on \: 2029-02-10 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CRT information, Key Usage with decipherOnly depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509_cert_info:"data_files/parse_input/keyUsage.decipherOnly.crt":"cert. version \: 3\nserial number \: 9B\:13\:CE\:4C\:A5\:6F\:DE\:52\nissuer name \: C=GB, L=Cambridge, O=Default Company Ltd\nsubject name \: C=GB, L=Cambridge, O=Default Company Ltd\nissued on \: 2015-05-12 10\:36\:55\nexpires on \: 2018-05-11 10\:36\:55\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment, Decipher Only\n" +x509_cert_info:"../framework/data_files/parse_input/keyUsage.decipherOnly.crt":"cert. version \: 3\nserial number \: 9B\:13\:CE\:4C\:A5\:6F\:DE\:52\nissuer name \: C=GB, L=Cambridge, O=Default Company Ltd\nsubject name \: C=GB, L=Cambridge, O=Default Company Ltd\nissued on \: 2015-05-12 10\:36\:55\nexpires on \: 2018-05-11 10\:36\:55\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment, Decipher Only\n" X509 CRT information, Subject Alt Name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -x509_cert_info:"data_files/parse_input/cert_example_multi.crt":"cert. version \: 3\nserial number \: 11\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=www.example.com\nissued on \: 2019-07-10 11\:27\:52\nexpires on \: 2029-07-10 11\:27\:52\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\nsubject alt name \:\n dNSName \: example.com\n dNSName \: example.net\n dNSName \: *.example.org\n" +x509_cert_info:"../framework/data_files/parse_input/cert_example_multi.crt":"cert. version \: 3\nserial number \: 11\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=www.example.com\nissued on \: 2019-07-10 11\:27\:52\nexpires on \: 2029-07-10 11\:27\:52\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\nsubject alt name \:\n dNSName \: example.com\n dNSName \: example.net\n dNSName \: *.example.org\n" X509 CRT information, Multiple different Subject Alt Name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256 -x509_cert_info:"data_files/parse_input/multiple_san.crt":"cert. version \: 3\nserial number \: 04\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nissued on \: 2019-04-22 16\:10\:48\nexpires on \: 2029-04-19 16\:10\:48\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n dNSName \: example.com\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 313233343536\n dNSName \: example.net\n dNSName \: *.example.org\n" +x509_cert_info:"../framework/data_files/parse_input/multiple_san.crt":"cert. version \: 3\nserial number \: 04\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nissued on \: 2019-04-22 16\:10\:48\nexpires on \: 2029-04-19 16\:10\:48\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n dNSName \: example.com\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 313233343536\n dNSName \: example.net\n dNSName \: *.example.org\n" X509 CRT information, Subject Alt Name + Key Usage depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509_cert_info:"data_files/parse_input/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nsubject alt name \:\n dNSName \: www.shotokan-braunschweig.de\n dNSName \: www.massimo-abate.eu\n iPAddress \: 192.168.1.1\n iPAddress \: 192.168.69.144\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" +x509_cert_info:"../framework/data_files/parse_input/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nsubject alt name \:\n dNSName \: www.shotokan-braunschweig.de\n dNSName \: www.massimo-abate.eu\n iPAddress \: 192.168.1.1\n iPAddress \: 192.168.69.144\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CRT information, Subject Alt Name with uniformResourceIdentifier depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -x509_cert_info:"data_files/parse_input/rsa_single_san_uri.crt.der":"cert. version \: 3\nserial number \: 6F\:75\:EB\:E9\:6D\:25\:BC\:88\:82\:62\:A3\:E0\:68\:A7\:37\:3B\:EC\:75\:8F\:9C\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nissued on \: 2023-02-14 10\:38\:05\nexpires on \: 2043-02-09 10\:38\:05\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" +x509_cert_info:"../framework/data_files/parse_input/rsa_single_san_uri.crt.der":"cert. version \: 3\nserial number \: 6F\:75\:EB\:E9\:6D\:25\:BC\:88\:82\:62\:A3\:E0\:68\:A7\:37\:3B\:EC\:75\:8F\:9C\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nissued on \: 2023-02-14 10\:38\:05\nexpires on \: 2043-02-09 10\:38\:05\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CRT information, Subject Alt Name with two uniformResourceIdentifiers depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -x509_cert_info:"data_files/parse_input/rsa_multiple_san_uri.crt.der":"cert. version \: 3\nserial number \: 08\:E2\:93\:18\:91\:26\:D8\:46\:88\:90\:10\:4F\:B5\:86\:CB\:C4\:78\:E6\:EA\:0D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nissued on \: 2023-02-14 10\:37\:50\nexpires on \: 2043-02-09 10\:37\:50\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-abcde1234567\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" +x509_cert_info:"../framework/data_files/parse_input/rsa_multiple_san_uri.crt.der":"cert. version \: 3\nserial number \: 08\:E2\:93\:18\:91\:26\:D8\:46\:88\:90\:10\:4F\:B5\:86\:CB\:C4\:78\:E6\:EA\:0D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nissued on \: 2023-02-14 10\:37\:50\nexpires on \: 2043-02-09 10\:37\:50\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-abcde1234567\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CRT information, RSA Certificate Policy any depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -x509_cert_info:"data_files/parse_input/test-ca-any_policy.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-03-21 16\:40\:59\nexpires on \: 2029-03-21 16\:40\:59\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n" +x509_cert_info:"../framework/data_files/parse_input/test-ca-any_policy.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-03-21 16\:40\:59\nexpires on \: 2029-03-21 16\:40\:59\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n" X509 CRT information, ECDSA Certificate Policy any depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256 -x509_cert_info:"data_files/parse_input/test-ca-any_policy_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-03-25 09\:02\:45\nexpires on \: 2029-03-25 09\:02\:45\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n" +x509_cert_info:"../framework/data_files/parse_input/test-ca-any_policy_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-03-25 09\:02\:45\nexpires on \: 2029-03-25 09\:02\:45\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n" X509 CRT information, RSA Certificate Policy any with qualifier depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -x509_cert_info:"data_files/parse_input/test-ca-any_policy_with_qualifier.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-04-28 13\:14\:31\nexpires on \: 2029-04-28 13\:14\:31\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n" +x509_cert_info:"../framework/data_files/parse_input/test-ca-any_policy_with_qualifier.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-04-28 13\:14\:31\nexpires on \: 2029-04-28 13\:14\:31\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n" X509 CRT information, ECDSA Certificate Policy any with qualifier depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256 -x509_cert_info:"data_files/parse_input/test-ca-any_policy_with_qualifier_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-04-28 10\:16\:05\nexpires on \: 2029-04-28 10\:16\:05\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n" +x509_cert_info:"../framework/data_files/parse_input/test-ca-any_policy_with_qualifier_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-04-28 10\:16\:05\nexpires on \: 2029-04-28 10\:16\:05\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n" X509 CRT information, RSA Certificate multiple Policies depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -x509_cert_info:"data_files/parse_input/test-ca-multi_policy.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-04-28 12\:59\:19\nexpires on \: 2029-04-28 12\:59\:19\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: ???, Any Policy\n" +x509_cert_info:"../framework/data_files/parse_input/test-ca-multi_policy.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-04-28 12\:59\:19\nexpires on \: 2029-04-28 12\:59\:19\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: ???, Any Policy\n" X509 CRT information, ECDSA Certificate multiple Policies depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256 -x509_cert_info:"data_files/parse_input/test-ca-multi_policy_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-04-28 12\:59\:51\nexpires on \: 2029-04-28 12\:59\:51\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: ???, Any Policy\n" +x509_cert_info:"../framework/data_files/parse_input/test-ca-multi_policy_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-04-28 12\:59\:51\nexpires on \: 2029-04-28 12\:59\:51\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: ???, Any Policy\n" X509 CRT information, RSA Certificate unsupported policy depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -x509_cert_info:"data_files/parse_input/test-ca-unsupported_policy.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-04-28 13\:00\:13\nexpires on \: 2029-04-28 13\:00\:13\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: ???\n" +x509_cert_info:"../framework/data_files/parse_input/test-ca-unsupported_policy.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-04-28 13\:00\:13\nexpires on \: 2029-04-28 13\:00\:13\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: ???\n" X509 CRT information, ECDSA Certificate unsupported policy depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256 -x509_cert_info:"data_files/parse_input/test-ca-unsupported_policy_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-04-28 13\:00\:19\nexpires on \: 2029-04-28 13\:00\:19\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: ???\n" +x509_cert_info:"../framework/data_files/parse_input/test-ca-unsupported_policy_ec.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2019-04-28 13\:00\:19\nexpires on \: 2029-04-28 13\:00\:19\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\ncertificate policies \: ???\n" X509 CRT information, Key Usage + Extended Key Usage depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -x509_cert_info:"data_files/parse_input/server1.ext_ku.crt":"cert. version \: 3\nserial number \: 21\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2014-04-01 14\:44\:43\nexpires on \: 2024-03-29 14\:44\:43\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\next key usage \: TLS Web Server Authentication\n" +x509_cert_info:"../framework/data_files/parse_input/server1.ext_ku.crt":"cert. version \: 3\nserial number \: 21\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2014-04-01 14\:44\:43\nexpires on \: 2024-03-29 14\:44\:43\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\next key usage \: TLS Web Server Authentication\n" X509 CRT information RSA signed by EC depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SOME -x509_cert_info:"data_files/parse_input/server4.crt":"cert. version \: 3\nserial number \: 08\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 15\:52\:04\nexpires on \: 2023-09-22 15\:52\:04\nsigned using \: ECDSA with SHA256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" +x509_cert_info:"../framework/data_files/parse_input/server4.crt":"cert. version \: 3\nserial number \: 08\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 15\:52\:04\nexpires on \: 2023-09-22 15\:52\:04\nsigned using \: ECDSA with SHA256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" X509 CRT information EC signed by RSA depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP192R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C -x509_cert_info:"data_files/parse_input/server3.crt":"cert. version \: 3\nserial number \: 0D\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 09\:17\:03\nexpires on \: 2023-08-07 09\:17\:03\nsigned using \: RSA with SHA1\nEC key size \: 192 bits\nbasic constraints \: CA=false\n" +x509_cert_info:"../framework/data_files/parse_input/server3.crt":"cert. version \: 3\nserial number \: 0D\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 09\:17\:03\nexpires on \: 2023-08-07 09\:17\:03\nsigned using \: RSA with SHA1\nEC key size \: 192 bits\nbasic constraints \: CA=false\n" X509 CRT information Bitstring in subject name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509_cert_info:"data_files/parse_input/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=#030B0037313031303132323535\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n rfc822Name \: client@example.com\next key usage \: TLS Web Client Authentication\n" +x509_cert_info:"../framework/data_files/parse_input/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=#030B0037313031303132323535\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n rfc822Name \: client@example.com\next key usage \: TLS Web Client Authentication\n" X509 CRT information Non-ASCII string in issuer name and subject name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -x509_cert_info:"data_files/parse_input/non-ascii-string-in-issuer.crt":"cert. version \: 3\nserial number \: 05\:E6\:53\:E7\:1B\:74\:F0\:B5\:D3\:84\:6D\:0C\:6D\:DC\:FA\:3F\:A4\:5A\:2B\:E0\nissuer name \: C=JP, ST=Tokyo, O=\\C3\\A3\\C2\\83\\C2\\86\\C3\\A3\\C2\\82\\C2\\B9\\C3\\A3\\C2\\83\\C2\\88 Ltd, CN=\\C3\\A3\\C2\\83\\C2\\86\\C3\\A3\\C2\\82\\C2\\B9\\C3\\A3\\C2\\83\\C2\\88 CA\nsubject name \: C=JP, ST=Tokyo, O=\\C3\\A3\\C2\\83\\C2\\86\\C3\\A3\\C2\\82\\C2\\B9\\C3\\A3\\C2\\83\\C2\\88 Ltd, CN=\\C3\\A3\\C2\\83\\C2\\86\\C3\\A3\\C2\\82\\C2\\B9\\C3\\A3\\C2\\83\\C2\\88 CA\nissued on \: 2020-05-20 16\:17\:23\nexpires on \: 2020-06-19 16\:17\:23\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\n" +x509_cert_info:"../framework/data_files/parse_input/non-ascii-string-in-issuer.crt":"cert. version \: 3\nserial number \: 05\:E6\:53\:E7\:1B\:74\:F0\:B5\:D3\:84\:6D\:0C\:6D\:DC\:FA\:3F\:A4\:5A\:2B\:E0\nissuer name \: C=JP, ST=Tokyo, O=\\C3\\A3\\C2\\83\\C2\\86\\C3\\A3\\C2\\82\\C2\\B9\\C3\\A3\\C2\\83\\C2\\88 Ltd, CN=\\C3\\A3\\C2\\83\\C2\\86\\C3\\A3\\C2\\82\\C2\\B9\\C3\\A3\\C2\\83\\C2\\88 CA\nsubject name \: C=JP, ST=Tokyo, O=\\C3\\A3\\C2\\83\\C2\\86\\C3\\A3\\C2\\82\\C2\\B9\\C3\\A3\\C2\\83\\C2\\88 Ltd, CN=\\C3\\A3\\C2\\83\\C2\\86\\C3\\A3\\C2\\82\\C2\\B9\\C3\\A3\\C2\\83\\C2\\88 CA\nissued on \: 2020-05-20 16\:17\:23\nexpires on \: 2020-06-19 16\:17\:23\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\n" X509 CRT information Parsing IPv4 and IPv6 IP names depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C -x509_cert_info:"data_files/server5-tricky-ip-san.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS Tricky IP SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS Tricky IP SAN\nissued on \: 2023-06-05 11\:30\:36\nexpires on \: 2033-06-02 11\:30\:36\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n iPAddress \: 97.98.99.100\n iPAddress \: 6162\:6364\:2E65\:7861\:6D70\:6C65\:2E63\:6F6D\n" +x509_cert_info:"../framework/data_files/server5-tricky-ip-san.crt.der":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS Tricky IP SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS Tricky IP SAN\nissued on \: 2023-06-05 11\:30\:36\nexpires on \: 2033-06-02 11\:30\:36\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n iPAddress \: 97.98.99.100\n iPAddress \: 6162\:6364\:2E65\:7861\:6D70\:6C65\:2E63\:6F6D\n" X509 SAN parsing otherName depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256 -x509_parse_san:"data_files/parse_input/server5-othername.crt.der":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\n":0 +x509_parse_san:"../framework/data_files/parse_input/server5-othername.crt.der":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\n":0 X509 SAN parsing binary otherName depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256 -x509_parse_san:"data_files/parse_input/server5-nonprintable_othername.crt.der":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 3132338081008180333231\n":0 +x509_parse_san:"../framework/data_files/parse_input/server5-nonprintable_othername.crt.der":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 3132338081008180333231\n":0 X509 SAN parsing directoryName depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256 -x509_parse_san:"data_files/parse_input/server5-directoryname.crt.der":"type \: 4\ndirectoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n":0 +x509_parse_san:"../framework/data_files/parse_input/server5-directoryname.crt.der":"type \: 4\ndirectoryName \: C=UK, O=Mbed TLS, CN=Mbed TLS directoryName SAN\n":0 X509 SAN parsing directoryName, seq malformed depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256 -x509_parse_san:"data_files/parse_input/server5-directoryname-seq-malformed.crt.der":"":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +x509_parse_san:"../framework/data_files/parse_input/server5-directoryname-seq-malformed.crt.der":"":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 SAN parsing two directoryNames, second DN OID malformed depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256 -x509_parse_san:"data_files/parse_input/server5-second-directoryname-oid-malformed.crt.der":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA +x509_parse_san:"../framework/data_files/parse_input/server5-second-directoryname-oid-malformed.crt.der":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA X509 SAN parsing dNSName depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -x509_parse_san:"data_files/parse_input/cert_example_multi.crt":"type \: 2\ndNSName \: example.com\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n":0 +x509_parse_san:"../framework/data_files/parse_input/cert_example_multi.crt":"type \: 2\ndNSName \: example.com\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n":0 X509 SAN parsing Multiple different types depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256 -x509_parse_san:"data_files/parse_input/multiple_san.crt":"type \: 2\ndNSName \: example.com\ntype \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n":0 +x509_parse_san:"../framework/data_files/parse_input/multiple_san.crt":"type \: 2\ndNSName \: example.com\ntype \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n":0 X509 SAN parsing, no subject alt name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SOME -x509_parse_san:"data_files/parse_input/server4.crt":"":0 +x509_parse_san:"../framework/data_files/parse_input/server4.crt":"":0 X509 SAN parsing, unsupported otherName name depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256 -x509_parse_san:"data_files/parse_input/server5-unsupported_othername.crt.der":"":0 +x509_parse_san:"../framework/data_files/parse_input/server5-unsupported_othername.crt.der":"":0 X509 SAN parsing rfc822Name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -x509_parse_san:"data_files/parse_input/test_cert_rfc822name.crt.der":"type \: 1\nrfc822Name \: my@other.address\ntype \: 1\nrfc822Name \: second@other.address\n":0 +x509_parse_san:"../framework/data_files/parse_input/test_cert_rfc822name.crt.der":"type \: 1\nrfc822Name \: my@other.address\ntype \: 1\nrfc822Name \: second@other.address\n":0 X509 CRT information Parsing IP (invalid data) depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C -x509_parse_san:"data_files/server5-tricky-ip-san-malformed-len.crt.der":"":MBEDTLS_ERR_X509_BAD_INPUT_DATA +x509_parse_san:"../framework/data_files/server5-tricky-ip-san-malformed-len.crt.der":"":MBEDTLS_ERR_X509_BAD_INPUT_DATA X509 CRL information #1 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_crl_info:"data_files/parse_input/crl_expired.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-20 10\:24\:19\nnext update \: 2011-02-20 11\:24\:19\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA1\n" +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C +mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl_expired.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-20 10\:24\:19\nnext update \: 2011-02-20 11\:24\:19\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA1\n" X509 CRL Information MD5 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_MD5:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_crl_info:"data_files/parse_input/crl_md5.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with MD5\n" +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_MD5:MBEDTLS_RSA_C +mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl_md5.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with MD5\n" X509 CRL Information SHA1 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_crl_info:"data_files/parse_input/crl_sha1.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA1\n" +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C +mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl_sha1.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA1\n" X509 CRL Information SHA224 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_crl_info:"data_files/parse_input/crl_sha224.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-224\n" +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_RSA_C +mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl_sha224.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-224\n" X509 CRL Information SHA256 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_crl_info:"data_files/parse_input/crl_sha256.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-256\n" +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C +mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl_sha256.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-256\n" X509 CRL Information SHA384 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_crl_info:"data_files/parse_input/crl_sha384.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-384\n" +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_RSA_C +mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl_sha384.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-384\n" X509 CRL Information SHA512 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_crl_info:"data_files/parse_input/crl_sha512.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-512\n" +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C +mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl_sha512.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-512\n" X509 CRL information RSA-PSS, SHA1 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_crl_info:"data_files/parse_input/crl-rsa-pss-sha1.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:46\:35\nnext update \: 2024-01-18 13\:46\:35\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0xEA)\n" +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA1 +mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-rsa-pss-sha1.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:46\:35\nnext update \: 2024-01-18 13\:46\:35\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0xEA)\n" X509 CRL information RSA-PSS, SHA224 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA224:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_crl_info:"data_files/parse_input/crl-rsa-pss-sha224.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:06\nnext update \: 2024-01-18 13\:56\:06\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0xE2)\n" +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA224 +mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-rsa-pss-sha224.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:06\nnext update \: 2024-01-18 13\:56\:06\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0xE2)\n" X509 CRL information RSA-PSS, SHA256 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_crl_info:"data_files/parse_input/crl-rsa-pss-sha256.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:16\nnext update \: 2024-01-18 13\:56\:16\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0xDE)\n" +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA256 +mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-rsa-pss-sha256.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:16\nnext update \: 2024-01-18 13\:56\:16\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0xDE)\n" X509 CRL information RSA-PSS, SHA384 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA384:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_crl_info:"data_files/parse_input/crl-rsa-pss-sha384.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:28\nnext update \: 2024-01-18 13\:56\:28\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0xCE)\n" +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA384 +mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-rsa-pss-sha384.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:28\nnext update \: 2024-01-18 13\:56\:28\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0xCE)\n" X509 CRL information RSA-PSS, SHA512 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA512:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_crl_info:"data_files/parse_input/crl-rsa-pss-sha512.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:38\nnext update \: 2024-01-18 13\:56\:38\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0xBE)\n" +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA512 +mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-rsa-pss-sha512.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:38\nnext update \: 2024-01-18 13\:56\:38\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0xBE)\n" X509 CRL Information EC, SHA1 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PK_CAN_ECDSA_SOME:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_crl_info:"data_files/parse_input/crl-ec-sha1.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA1\n" +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PK_CAN_ECDSA_SOME +mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-ec-sha1.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA1\n" X509 CRL Information EC, SHA224 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PK_CAN_ECDSA_SOME:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_crl_info:"data_files/parse_input/crl-ec-sha224.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA224\n" +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PK_CAN_ECDSA_SOME +mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-ec-sha224.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA224\n" X509 CRL Information EC, SHA256 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SOME:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_crl_info:"data_files/parse_input/crl-ec-sha256.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA256\n" +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SOME +mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-ec-sha256.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA256\n" X509 CRL Information EC, SHA384 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PK_CAN_ECDSA_SOME:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_crl_info:"data_files/parse_input/crl-ec-sha384.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA384\n" +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PK_CAN_ECDSA_SOME +mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-ec-sha384.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA384\n" X509 CRL Information EC, SHA512 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PK_CAN_ECDSA_SOME:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_crl_info:"data_files/parse_input/crl-ec-sha512.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA512\n" +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PK_CAN_ECDSA_SOME +mbedtls_x509_crl_info:"../framework/data_files/parse_input/crl-ec-sha512.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA512\n" X509 CRL Malformed Input (trailing spaces at end of file) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PK_CAN_ECDSA_VERIFY -mbedtls_x509_crl_parse:"data_files/parse_input/crl-malformed-trailing-spaces.pem":MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT +mbedtls_x509_crl_parse:"../framework/data_files/parse_input/crl-malformed-trailing-spaces.pem":MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT X509 CRL Unsupported critical extension (issuingDistributionPoint) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -mbedtls_x509_crl_parse:"data_files/parse_input/crl-idp.pem":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +mbedtls_x509_crl_parse:"../framework/data_files/parse_input/crl-idp.pem":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CRL Unsupported non-critical extension (issuingDistributionPoint) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 -mbedtls_x509_crl_parse:"data_files/parse_input/crl-idpnc.pem":0 +mbedtls_x509_crl_parse:"../framework/data_files/parse_input/crl-idpnc.pem":0 X509 CSR Information RSA with MD5 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_MD5:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/parse_input/server1.req.md5":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with MD5\nRSA key size \: 2048 bits\n" +mbedtls_x509_csr_info:"../framework/data_files/parse_input/server1.req.md5":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with MD5\nRSA key size \: 2048 bits\n" X509 CSR Information RSA with SHA1 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/parse_input/server1.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\n" +mbedtls_x509_csr_info:"../framework/data_files/parse_input/server1.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\n" X509 CSR Information RSA with SHA224 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA224:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/parse_input/server1.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-224\nRSA key size \: 2048 bits\n" +mbedtls_x509_csr_info:"../framework/data_files/parse_input/server1.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-224\nRSA key size \: 2048 bits\n" -X509 CSR Information RSA with SHA-256 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTS_X509_INFO -mbedtls_x509_csr_info:"data_files/parse_input/server1.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n" +X509 CSR Information RSA with SHA256 +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO +mbedtls_x509_csr_info:"../framework/data_files/parse_input/server1.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n" X509 CSR Information RSA with SHA384 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA384:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/parse_input/server1.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-384\nRSA key size \: 2048 bits\n" +mbedtls_x509_csr_info:"../framework/data_files/parse_input/server1.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-384\nRSA key size \: 2048 bits\n" X509 CSR Information RSA with SHA512 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/parse_input/server1.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-512\nRSA key size \: 2048 bits\n" +mbedtls_x509_csr_info:"../framework/data_files/parse_input/server1.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-512\nRSA key size \: 2048 bits\n" -X509 CSR Information RSA with SHA-256, containing commas -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTS_X509_INFO -mbedtls_x509_csr_info:"data_files/parse_input/server1.req.commas.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL\\, Commas, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n" +X509 CSR Information RSA with SHA256, containing commas +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO +mbedtls_x509_csr_info:"../framework/data_files/parse_input/server1.req.commas.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL\\, Commas, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n" X509 CSR Information EC with SHA1 depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/parse_input/server5.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" +mbedtls_x509_csr_info:"../framework/data_files/parse_input/server5.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CSR Information EC with SHA224 depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA224:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/parse_input/server5.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA224\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" +mbedtls_x509_csr_info:"../framework/data_files/parse_input/server5.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA224\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CSR Information EC with SHA256 depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/parse_input/server5.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" +mbedtls_x509_csr_info:"../framework/data_files/parse_input/server5.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CSR Information EC with SHA384 depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA384:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/parse_input/server5.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA384\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" +mbedtls_x509_csr_info:"../framework/data_files/parse_input/server5.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA384\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CSR Information EC with SHA512 depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA512:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/parse_input/server5.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" +mbedtls_x509_csr_info:"../framework/data_files/parse_input/server5.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CSR Information RSA-PSS with SHA1 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/parse_input/server9.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0x6A)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" +mbedtls_x509_csr_info:"../framework/data_files/parse_input/server9.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0x6A)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CSR Information RSA-PSS with SHA224 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA224:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/parse_input/server9.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0x62)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" +mbedtls_x509_csr_info:"../framework/data_files/parse_input/server9.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0x62)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CSR Information RSA-PSS with SHA256 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/parse_input/server9.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0x5E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" +mbedtls_x509_csr_info:"../framework/data_files/parse_input/server9.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0x5E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CSR Information RSA-PSS with SHA384 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA384:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/parse_input/server9.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0x4E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" +mbedtls_x509_csr_info:"../framework/data_files/parse_input/server9.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0x4E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" X509 CSR Information RSA-PSS with SHA512 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA512:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/parse_input/server9.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0x3E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" +mbedtls_x509_csr_info:"../framework/data_files/parse_input/server9.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0x3E)\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" -X509 CSR Information RSA with SHA-256 - Microsoft header -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_csr_info:"data_files/parse_input/server1-ms.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n" +X509 CSR Information RSA with SHA256 - Microsoft header +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO +mbedtls_x509_csr_info:"../framework/data_files/parse_input/server1-ms.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n" X509 CSR Information v3 extensions #1 (all) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/parse_input/test_csr_v3_all.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 3132338081008180333231\ncert. type \: SSL Client\nkey usage \: CRL Sign\n" +mbedtls_x509_csr_info:"../framework/data_files/parse_input/test_csr_v3_all.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 3132338081008180333231\ncert. type \: SSL Client\nkey usage \: CRL Sign\n" X509 CSR Information v3 extensions #2 (nsCertType only) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/parse_input/test_csr_v3_nsCertType.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\ncert. type \: SSL Server\n" +mbedtls_x509_csr_info:"../framework/data_files/parse_input/test_csr_v3_nsCertType.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\ncert. type \: SSL Server\n" X509 CSR Information v3 extensions #3 (subjectAltName only) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/parse_input/test_csr_v3_subjectAltName.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n dNSName \: example.com\n dNSName \: example.net\n dNSName \: *.example.org\n" +mbedtls_x509_csr_info:"../framework/data_files/parse_input/test_csr_v3_subjectAltName.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nsubject alt name \:\n dNSName \: example.com\n dNSName \: example.net\n dNSName \: *.example.org\n" X509 CSR Information v3 extensions #4 (keyUsage only) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO -mbedtls_x509_csr_info:"data_files/parse_input/test_csr_v3_keyUsage.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Key Encipherment\n" +mbedtls_x509_csr_info:"../framework/data_files/parse_input/test_csr_v3_keyUsage.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\nkey usage \: Digital Signature, Key Encipherment\n" X509 Verify Information: empty x509_verify_info:0:"":"" @@ -429,55 +429,55 @@ x509_verify_info:MBEDTLS_X509_BADCERT_EXPIRED | MBEDTLS_X509_BADCRL_EXPIRED:" ! X509 Get Distinguished Name #1 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -mbedtls_x509_dn_gets:"data_files/server1.crt":"subject":"C=NL, O=PolarSSL, CN=PolarSSL Server 1" +mbedtls_x509_dn_gets:"../framework/data_files/server1.crt":"subject":"C=NL, O=PolarSSL, CN=PolarSSL Server 1" X509 Get Distinguished Name #2 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -mbedtls_x509_dn_gets:"data_files/server1.crt":"issuer":"C=NL, O=PolarSSL, CN=PolarSSL Test CA" +mbedtls_x509_dn_gets:"../framework/data_files/server1.crt":"issuer":"C=NL, O=PolarSSL, CN=PolarSSL Test CA" X509 Get Distinguished Name #3 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -mbedtls_x509_dn_gets:"data_files/server2.crt":"subject":"C=NL, O=PolarSSL, CN=localhost" +mbedtls_x509_dn_gets:"../framework/data_files/server2.crt":"subject":"C=NL, O=PolarSSL, CN=localhost" X509 Get Distinguished Name #4 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -mbedtls_x509_dn_gets:"data_files/server2.crt":"issuer":"C=NL, O=PolarSSL, CN=PolarSSL Test CA" +mbedtls_x509_dn_gets:"../framework/data_files/server2.crt":"issuer":"C=NL, O=PolarSSL, CN=PolarSSL Test CA" X509 Get Distinguished Name #5 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -mbedtls_x509_dn_gets:"data_files/server1.commas.crt":"subject":"C=NL, O=PolarSSL\\, Commas, CN=PolarSSL Server 1" +mbedtls_x509_dn_gets:"../framework/data_files/server1.commas.crt":"subject":"C=NL, O=PolarSSL\\, Commas, CN=PolarSSL Server 1" X509 Get Distinguished Name #6 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -mbedtls_x509_dn_gets:"data_files/server1.hashsymbol.crt":"subject":"C=NL, O=\\#PolarSSL, CN=PolarSSL Server 1" +mbedtls_x509_dn_gets:"../framework/data_files/server1.hashsymbol.crt":"subject":"C=NL, O=\\#PolarSSL, CN=PolarSSL Server 1" X509 Get Distinguished Name #7 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -mbedtls_x509_dn_gets:"data_files/server1.spaces.crt":"subject":"C=NL, O=\\ PolarSSL\\ , CN=PolarSSL Server 1" +mbedtls_x509_dn_gets:"../framework/data_files/server1.spaces.crt":"subject":"C=NL, O=\\ PolarSSL\\ , CN=PolarSSL Server 1" X509 Get Distinguished Name #8 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -mbedtls_x509_dn_gets:"data_files/server1.asciichars.crt":"subject":"C=NL, O=\\E6\\9E\\81\\E5\\9C\\B0SSL, CN=PolarSSL Server 1" +mbedtls_x509_dn_gets:"../framework/data_files/server1.asciichars.crt":"subject":"C=NL, O=\\E6\\9E\\81\\E5\\9C\\B0SSL, CN=PolarSSL Server 1" X509 Get Modified DN #1 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -mbedtls_x509_dn_gets_subject_replace:"data_files/server1.crt":"Modified":"C=NL, O=Modified, CN=PolarSSL Server 1":0 +mbedtls_x509_dn_gets_subject_replace:"../framework/data_files/server1.crt":"Modified":"C=NL, O=Modified, CN=PolarSSL Server 1":0 X509 Get Modified DN #2 Name exactly 255 bytes depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -mbedtls_x509_dn_gets_subject_replace:"data_files/server1.crt":"123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345":"C=NL, O=123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345, CN=PolarSSL Server 1":0 +mbedtls_x509_dn_gets_subject_replace:"../framework/data_files/server1.crt":"123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345":"C=NL, O=123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345, CN=PolarSSL Server 1":0 X509 Get Modified DN #3 Name exceeds 255 bytes depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -mbedtls_x509_dn_gets_subject_replace:"data_files/server1.crt":"1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456":"":MBEDTLS_ERR_X509_BUFFER_TOO_SMALL +mbedtls_x509_dn_gets_subject_replace:"../framework/data_files/server1.crt":"1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456":"":MBEDTLS_ERR_X509_BUFFER_TOO_SMALL X509 Get Modified DN #4 Name exactly 255 bytes, with comma requiring escaping depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -mbedtls_x509_dn_gets_subject_replace:"data_files/server1.crt":"1234567890,1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234":"":MBEDTLS_ERR_X509_BUFFER_TOO_SMALL +mbedtls_x509_dn_gets_subject_replace:"../framework/data_files/server1.crt":"1234567890,1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234":"":MBEDTLS_ERR_X509_BUFFER_TOO_SMALL X509 Get Modified DN #5 Name exactly 255 bytes, ending with comma requiring escaping depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -mbedtls_x509_dn_gets_subject_replace:"data_files/server1.crt":"12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234,":"":MBEDTLS_ERR_X509_BUFFER_TOO_SMALL +mbedtls_x509_dn_gets_subject_replace:"../framework/data_files/server1.crt":"12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234,":"":MBEDTLS_ERR_X509_BUFFER_TOO_SMALL X509 Get Next DN #1 No Multivalue RDNs mbedtls_x509_dn_get_next:"C=NL, O=PolarSSL, CN=PolarSSL Server 1":0:"C O CN":3:"C=NL, O=PolarSSL, CN=PolarSSL Server 1" @@ -533,551 +533,551 @@ mbedtls_x509_get_name:"310B3009060355040613024E4C3111300F060355040A0C08506F6C617 X509 Time Expired #1 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1 -mbedtls_x509_time_is_past:"data_files/server1.crt":"valid_from":1 +mbedtls_x509_time_is_past:"../framework/data_files/server1.crt":"valid_from":1 X509 Time Expired #2 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1 -mbedtls_x509_time_is_past:"data_files/server1.crt":"valid_to":0 +mbedtls_x509_time_is_past:"../framework/data_files/server1.crt":"valid_to":0 X509 Time Expired #3 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1 -mbedtls_x509_time_is_past:"data_files/server2.crt":"valid_from":1 +mbedtls_x509_time_is_past:"../framework/data_files/server2.crt":"valid_from":1 X509 Time Expired #4 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1 -mbedtls_x509_time_is_past:"data_files/server2.crt":"valid_to":0 +mbedtls_x509_time_is_past:"../framework/data_files/server2.crt":"valid_to":0 X509 Time Expired #5 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1 -mbedtls_x509_time_is_past:"data_files/test-ca.crt":"valid_from":1 +mbedtls_x509_time_is_past:"../framework/data_files/test-ca.crt":"valid_from":1 X509 Time Expired #6 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1 -mbedtls_x509_time_is_past:"data_files/test-ca.crt":"valid_to":0 +mbedtls_x509_time_is_past:"../framework/data_files/test-ca.crt":"valid_to":0 X509 Time Future #1 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA256 -mbedtls_x509_time_is_future:"data_files/server5.crt":"valid_from":0 +mbedtls_x509_time_is_future:"../framework/data_files/server5.crt":"valid_from":0 X509 Time Future #2 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA256 -mbedtls_x509_time_is_future:"data_files/server5.crt":"valid_to":1 +mbedtls_x509_time_is_future:"../framework/data_files/server5.crt":"valid_to":1 X509 Time Future #3 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA256 -mbedtls_x509_time_is_future:"data_files/server5-future.crt":"valid_from":1 +mbedtls_x509_time_is_future:"../framework/data_files/server5-future.crt":"valid_from":1 X509 Time Future #4 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA256 -mbedtls_x509_time_is_future:"data_files/server5-future.crt":"valid_to":1 +mbedtls_x509_time_is_future:"../framework/data_files/server5-future.crt":"valid_to":1 X509 Time Future #5 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA256 -mbedtls_x509_time_is_future:"data_files/test-ca2.crt":"valid_from":0 +mbedtls_x509_time_is_future:"../framework/data_files/test-ca2.crt":"valid_from":0 X509 Time Future #6 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA256 -mbedtls_x509_time_is_future:"data_files/test-ca2.crt":"valid_to":1 +mbedtls_x509_time_is_future:"../framework/data_files/test-ca2.crt":"valid_to":1 X509 CRT verification #1 (Revoked Cert, Expired CRL, no CN) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED:"compat":"NULL" +x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED:"compat":"NULL" X509 CRT verification #1a (Revoked Cert, Future CRL, no CN) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL" +x509_verify:"../framework/data_files/server6.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-future.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL" X509 CRT verification #2 (Revoked Cert, Expired CRL) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Server 1":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED:"compat":"NULL" +x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl_expired.pem":"PolarSSL Server 1":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED:"compat":"NULL" X509 CRT verification #2a (Revoked Cert, Future CRL) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"localhost":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL" +x509_verify:"../framework/data_files/server6.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-future.pem":"localhost":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL" X509 CRT verification #3 (Revoked Cert, Future CRL, CN Mismatch) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" +x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl_expired.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" X509 CRT verification #3a (Revoked Cert, Expired CRL, CN Mismatch) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" +x509_verify:"../framework/data_files/server6.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-future.pem":"Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" X509 CRT verification #4 (Valid Cert, Expired CRL) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server2.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_EXPIRED:"compat":"NULL" +x509_verify:"../framework/data_files/server2.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_EXPIRED:"compat":"NULL" X509 CRT verification #4a (Revoked Cert, Future CRL) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL" +x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-future.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL" X509 CRT verification #5 (Revoked Cert) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL" +x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL" X509 CRT verification #5' (Revoked Cert, differing DN string formats #1) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server1.crt":"data_files/test-ca_utf8.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL" +x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca_utf8.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL" X509 CRT verification #5'' (Revoked Cert, differing DN string formats #2) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server1.crt":"data_files/test-ca_printable.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL" +x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca_printable.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL" X509 CRT verification #5''' (Revoked Cert, differing upper and lower case) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server1.crt":"data_files/test-ca_uppercase.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL" +x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca_uppercase.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL" X509 CRT verification #6 (Revoked Cert) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Server 1":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL" +x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"PolarSSL Server 1":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL" X509 CRT verification #7 (Revoked Cert, CN Mismatch) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" +x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" X509 CRT verification #8 (Valid Cert) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1 -x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #8a (Expired Cert) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server5-expired.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_EXPIRED:"compat":"NULL" +x509_verify:"../framework/data_files/server5-expired.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_EXPIRED:"compat":"NULL" X509 CRT verification #8b (Future Cert) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server5-future.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_FUTURE:"compat":"NULL" +x509_verify:"../framework/data_files/server5-future.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_FUTURE:"compat":"NULL" X509 CRT verification #8c (Expired Cert, longer chain) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server7-expired.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_EXPIRED:"compat":"NULL" +x509_verify:"../framework/data_files/server7-expired.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_EXPIRED:"compat":"NULL" X509 CRT verification #8d (Future Cert, longer chain) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server7-future.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_FUTURE:"compat":"NULL" +x509_verify:"../framework/data_files/server7-future.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_FUTURE:"compat":"NULL" X509 CRT verification #9 (Not trusted Cert) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" +x509_verify:"../framework/data_files/server2.crt":"../framework/data_files/server1.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" X509 CRT verification #10 (Not trusted Cert, Expired CRL) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1 -x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" +x509_verify:"../framework/data_files/server2.crt":"../framework/data_files/server1.crt":"../framework/data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" X509 CRT verification #13 (Valid Cert MD5 Digest, MD5 forbidden) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_verify:"data_files/cert_md5.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD:"compat":"NULL" +x509_verify:"../framework/data_files/cert_md5.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD:"compat":"NULL" X509 CRT verification #13 (Valid Cert MD5 Digest, MD5 allowed) depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_verify:"data_files/cert_md5.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"all":"NULL" +x509_verify:"../framework/data_files/cert_md5.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":0:0:"all":"NULL" X509 CRT verification #14 (Valid Cert SHA1 Digest explicitly allowed in profile) depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/cert_sha1.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #14 (Valid Cert SHA1 Digest forbidden in default profile) depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_BAD_MD | MBEDTLS_X509_BADCERT_BAD_MD:"":"NULL" +x509_verify:"../framework/data_files/cert_sha1.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_BAD_MD | MBEDTLS_X509_BADCERT_BAD_MD:"":"NULL" X509 CRT verification #15 (Valid Cert SHA224 Digest) depends_on:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_verify:"data_files/cert_sha224.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/cert_sha224.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #16 (Valid Cert SHA256 Digest) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_verify:"data_files/cert_sha256.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/cert_sha256.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #17 (Valid Cert SHA384 Digest) depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_verify:"data_files/cert_sha384.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/cert_sha384.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #18 (Valid Cert SHA512 Digest) depends_on:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/cert_sha512.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #19 (Valid Cert, denying callback) depends_on:MBEDTLS_MD_CAN_SHA512:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_OTHER:"compat":"verify_none" +x509_verify:"../framework/data_files/cert_sha512.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_OTHER:"compat":"verify_none" X509 CRT verification #19 (Not trusted Cert, allowing callback) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1 -x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":"NULL":0:0:"compat":"verify_all" +x509_verify:"../framework/data_files/server2.crt":"../framework/data_files/server1.crt":"../framework/data_files/crl_expired.pem":"NULL":0:0:"compat":"verify_all" X509 CRT verification #21 (domain matching wildcard certificate, case insensitive) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.ExAmPlE.com":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/cert_example_wildcard.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"mail.ExAmPlE.com":0:0:"compat":"NULL" X509 CRT verification #22 (domain not matching wildcard certificate) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" +x509_verify:"../framework/data_files/cert_example_wildcard.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"mail.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" X509 CRT verification #23 (domain not matching wildcard certificate) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" +x509_verify:"../framework/data_files/cert_example_wildcard.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" X509 CRT verification #24 (domain matching CN of multi certificate) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" +x509_verify:"../framework/data_files/cert_example_multi.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"www.example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" X509 CRT verification #25 (domain matching multi certificate) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.net":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/cert_example_multi.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"example.net":0:0:"compat":"NULL" X509 CRT verification #26 (domain not matching multi certificate) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" +x509_verify:"../framework/data_files/cert_example_multi.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" X509 CRT verification #27.1 (domain not matching multi certificate: suffix) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"xample.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" +x509_verify:"../framework/data_files/cert_example_multi.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"xample.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" X509 CRT verification #27.2 (domain not matching multi certificate: head junk) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"bexample.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" +x509_verify:"../framework/data_files/cert_example_multi.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"bexample.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" X509 CRT verification #28 (domain not matching wildcard in multi certificate) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.org":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" +x509_verify:"../framework/data_files/cert_example_multi.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"example.org":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" X509 CRT verification #29 (domain matching wildcard in multi certificate) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.example.org":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/cert_example_multi.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"mail.example.org":0:0:"compat":"NULL" X509 CRT verification #30 (domain matching multi certificate without CN) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_verify:"data_files/cert_example_multi_nocn.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.shotokan-braunschweig.de":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" +x509_verify:"../framework/data_files/cert_example_multi_nocn.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"www.shotokan-braunschweig.de":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" X509 CRT verification #31 (domain not matching multi certificate without CN) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_verify:"data_files/cert_example_multi_nocn.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH + MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" +x509_verify:"../framework/data_files/cert_example_multi_nocn.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH + MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" X509 CRT verification #32 (Valid, EC cert, RSA CA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP192R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1 -x509_verify:"data_files/server3.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server3.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #33 (Valid, RSA cert, EC CA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_ECP_HAVE_SECP384R1 -x509_verify:"data_files/server4.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server4.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #34 (Valid, EC cert, EC CA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1 -x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #35 (Revoked, EC CA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL" +x509_verify:"../framework/data_files/server6.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL" X509 CRT verification #36 (Valid, EC CA, SHA1 Digest) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1 -x509_verify:"data_files/server5-sha1.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server5-sha1.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #37 (Valid, EC CA, SHA224 Digest) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA224 -x509_verify:"data_files/server5-sha224.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server5-sha224.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #38 (Valid, EC CA, SHA384 Digest) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA384:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1 -x509_verify:"data_files/server5-sha384.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server5-sha384.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #39 (Valid, EC CA, SHA512 Digest) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA512:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1 -x509_verify:"data_files/server5-sha512.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server5-sha512.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #40 (Valid, depth 0, RSA, CA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1 -x509_verify:"data_files/test-ca.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/test-ca.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #41 (Valid, depth 0, EC, CA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256 -x509_verify:"data_files/test-ca2.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/test-ca2.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #42 (Depth 0, not CA, RSA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1 -x509_verify:"data_files/server2.crt":"data_files/server2.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" +x509_verify:"../framework/data_files/server2.crt":"../framework/data_files/server2.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" X509 CRT verification #43 (Depth 0, not CA, EC) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256 -x509_verify:"data_files/server5.crt":"data_files/server5.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" +x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/server5.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" X509 CRT verification #44 (Corrupted signature, EC) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256 -x509_verify:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" +x509_verify:"../framework/data_files/server5-badsign.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" X509 CRT verification #45 (Corrupted signature, RSA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1 -x509_verify:"data_files/server2-badsign.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" +x509_verify:"../framework/data_files/server2-badsign.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" X509 CRT verification #45b (Corrupted signature, intermediate CA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256 -x509_verify:"data_files/server7-badsign.crt":"data_files/test-ca2.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" +x509_verify:"../framework/data_files/server7-badsign.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" X509 CRT verification #46 (Valid, depth 2, EC-RSA-EC) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256 -x509_verify:"data_files/server7_int-ca.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server7_int-ca.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #47 (Untrusted, depth 2, EC-RSA-EC) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256 -x509_verify:"data_files/server7_int-ca.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" +x509_verify:"../framework/data_files/server7_int-ca.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" X509 CRT verification #48 (Missing intermediate CA, EC-RSA-EC) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256 -x509_verify:"data_files/server7.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" +x509_verify:"../framework/data_files/server7.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" X509 CRT verification #49 (Valid, depth 2, RSA-EC-RSA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1 -x509_verify:"data_files/server8_int-ca2.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server8_int-ca2.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #50 (Valid, multiple CAs) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256 -x509_verify:"data_files/server2.crt":"data_files/test-ca_cat12.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server2.crt":"../framework/data_files/test-ca_cat12.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #51 (Valid, multiple CAs, reverse order) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256 -x509_verify:"data_files/server2.crt":"data_files/test-ca_cat21.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server2.crt":"../framework/data_files/test-ca_cat21.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #52 (CA keyUsage valid) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1 -x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt_crl.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.ku-crt_crl.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #53 (CA keyUsage missing cRLSign) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1 -x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_NOT_TRUSTED:"compat":"NULL" +x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.ku-crt.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_NOT_TRUSTED:"compat":"NULL" X509 CRT verification #54 (CA keyUsage missing cRLSign, no CRL) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C -x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.ku-crt.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #55 (CA keyUsage missing keyCertSign) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1 -x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crl.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" +x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.ku-crl.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" X509 CRT verification #56 (CA keyUsage plain wrong) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1 -x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-ds.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" +x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.ku-ds.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" X509 CRT verification #57 (Valid, RSASSA-PSS, SHA-1) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PKCS1_V15 -x509_verify:"data_files/server9.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server9.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #58 (Valid, RSASSA-PSS, SHA-224) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA224:MBEDTLS_MD_CAN_SHA1 -x509_verify:"data_files/server9-sha224.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha224.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server9-sha224.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha224.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #59 (Valid, RSASSA-PSS, SHA-256) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1 -x509_verify:"data_files/server9-sha256.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha256.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server9-sha256.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha256.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #60 (Valid, RSASSA-PSS, SHA-384) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA384:MBEDTLS_MD_CAN_SHA1 -x509_verify:"data_files/server9-sha384.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha384.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server9-sha384.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha384.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #61 (Valid, RSASSA-PSS, SHA-512) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA512:MBEDTLS_MD_CAN_SHA1 -x509_verify:"data_files/server9-sha512.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha512.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server9-sha512.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha512.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #62 (Revoked, RSASSA-PSS, SHA-1) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server9.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL" +x509_verify:"../framework/data_files/server9.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL" X509 CRT verification #63 (Revoked, RSASSA-PSS, SHA-1, CRL badsign) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA1 -x509_verify:"data_files/server9.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1-badsign.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_NOT_TRUSTED:"compat":"NULL" +x509_verify:"../framework/data_files/server9.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha1-badsign.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_NOT_TRUSTED:"compat":"NULL" X509 CRT verification #64 (Valid, RSASSA-PSS, SHA-1, not top) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_verify:"data_files/server9-with-ca.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server9-with-ca.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #65 (RSASSA-PSS, SHA1, bad cert signature) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA1 -x509_verify:"data_files/server9-badsign.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" +x509_verify:"../framework/data_files/server9-badsign.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" X509 CRT verification #66 (RSASSA-PSS, SHA1, no RSA CA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256 -x509_verify:"data_files/server9.crt":"data_files/test-ca2.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" +x509_verify:"../framework/data_files/server9.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" X509 CRT verification #67 (Valid, RSASSA-PSS, all defaults) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA1 -x509_verify:"data_files/server9-defaults.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server9-defaults.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #68 (RSASSA-PSS, wrong salt_len, !USE_PSA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1:!MBEDTLS_USE_PSA_CRYPTO -x509_verify:"data_files/server9-bad-saltlen.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" +x509_verify:"../framework/data_files/server9-bad-saltlen.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" X509 CRT verification #68 (RSASSA-PSS, wrong salt_len, USE_PSA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1:MBEDTLS_USE_PSA_CRYPTO -x509_verify:"data_files/server9-bad-saltlen.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server9-bad-saltlen.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #69 (RSASSA-PSS, wrong mgf_hash) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA224:MBEDTLS_MD_CAN_SHA1 -x509_verify:"data_files/server9-bad-mgfhash.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" +x509_verify:"../framework/data_files/server9-bad-mgfhash.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" X509 CRT verification #70 (v1 trusted CA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1 -x509_verify:"data_files/server1-v1.crt":"data_files/test-ca-v1.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server1-v1.crt":"../framework/data_files/test-ca-v1.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #71 (v1 trusted CA, other) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1 -x509_verify:"data_files/server2-v1.crt":"data_files/server1-v1.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server2-v1.crt":"../framework/data_files/server1-v1.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #72 (v1 chain) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1 -x509_verify:"data_files/server2-v1-chain.crt":"data_files/test-ca-v1.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" +x509_verify:"../framework/data_files/server2-v1-chain.crt":"../framework/data_files/test-ca-v1.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" X509 CRT verification #73 (selfsigned trusted without CA bit) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C -x509_verify:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server5-selfsigned.crt":"../framework/data_files/server5-selfsigned.crt":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #74 (signed by selfsigned trusted without CA bit) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C -x509_verify:"data_files/server6-ss-child.crt":"data_files/server5-selfsigned.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" +x509_verify:"../framework/data_files/server6-ss-child.crt":"../framework/data_files/server5-selfsigned.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" X509 CRT verification #75 (encoding mismatch) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_verify:"data_files/enco-cert-utf8str.pem":"data_files/enco-ca-prstr.pem":"data_files/crl.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/enco-cert-utf8str.pem":"../framework/data_files/enco-ca-prstr.pem":"../framework/data_files/crl.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #76 (multiple CRLs, not revoked) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509_verify:"data_files/server5.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ec-rsa.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca_cat12.crt":"../framework/data_files/crl_cat_ec-rsa.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #77 (multiple CRLs, revoked) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server6.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ec-rsa.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL" +x509_verify:"../framework/data_files/server6.crt":"../framework/data_files/test-ca_cat12.crt":"../framework/data_files/crl_cat_ec-rsa.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL" X509 CRT verification #78 (multiple CRLs, revoked by second) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server6.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_rsa-ec.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL" +x509_verify:"../framework/data_files/server6.crt":"../framework/data_files/test-ca_cat12.crt":"../framework/data_files/crl_cat_rsa-ec.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL" X509 CRT verification #79 (multiple CRLs, revoked by future) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server6.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ecfut-rsa.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED|MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL" +x509_verify:"../framework/data_files/server6.crt":"../framework/data_files/test-ca_cat12.crt":"../framework/data_files/crl_cat_ecfut-rsa.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED|MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL" X509 CRT verification #80 (multiple CRLs, first future, revoked by second) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server1.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ecfut-rsa.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL" +x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca_cat12.crt":"../framework/data_files/crl_cat_ecfut-rsa.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL" X509 CRT verification #81 (multiple CRLs, none relevant) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1 -x509_verify:"data_files/enco-cert-utf8str.pem":"data_files/enco-ca-prstr.pem":"data_files/crl_cat_rsa-ec.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/enco-cert-utf8str.pem":"../framework/data_files/enco-ca-prstr.pem":"../framework/data_files/crl_cat_rsa-ec.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #82 (Not yet valid CA and valid CA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256 -x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-future-present.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2_cat-future-present.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #83 (valid CA and Not yet valid CA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256 -x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-present-future.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2_cat-present-future.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #84 (valid CA and Not yet valid CA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256 -x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-present-past.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2_cat-present-past.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #85 (Not yet valid CA and valid CA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256 -x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-past-present.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2_cat-past-present.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #86 (Not yet valid CA and invalid CA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-future-invalid.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_FUTURE:"compat":"NULL" +x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2_cat-future-invalid.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_FUTURE:"compat":"NULL" X509 CRT verification #87 (Expired CA and invalid CA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-past-invalid.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_EXPIRED:"compat":"NULL" +x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2_cat-past-invalid.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_EXPIRED:"compat":"NULL" X509 CRT verification #88 (Spurious cert in the chain) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_verify:"data_files/server7_spurious_int-ca.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server7_spurious_int-ca.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #89 (Spurious cert later in the chain) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_verify:"data_files/server10_int3_spurious_int-ca2.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server10_int3_spurious_int-ca2.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #90 (EE with same name as trusted root) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1 -x509_verify:"data_files/server5-ss-forgeca.crt":"data_files/test-int-ca3.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"":"NULL" +x509_verify:"../framework/data_files/server5-ss-forgeca.crt":"../framework/data_files/test-int-ca3.crt":"../framework/data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"":"NULL" X509 CRT verification #91 (same CA with good then bad key) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY -x509_verify:"data_files/server1.crt":"data_files/test-ca-good-alt.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca-good-alt.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #91 (same CA with bad then good key) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY -x509_verify:"data_files/server1.crt":"data_files/test-ca-alt-good.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" +x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca-alt-good.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #92 (bad name, allowing callback) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1 -x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"globalhost":0:0:"":"verify_all" +x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"globalhost":0:0:"":"verify_all" X509 CRT verification #93 (Suite B invalid, EC cert, RSA CA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP192R1:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1 -x509_verify:"data_files/server3.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY|MBEDTLS_X509_BADCRL_BAD_MD|MBEDTLS_X509_BADCRL_BAD_PK:"suite_b":"NULL" +x509_verify:"../framework/data_files/server3.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY|MBEDTLS_X509_BADCRL_BAD_MD|MBEDTLS_X509_BADCRL_BAD_PK:"suite_b":"NULL" X509 CRT verification #94 (Suite B invalid, RSA cert, EC CA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_PKCS1_V15:MBEDTLS_ECP_HAVE_SECP384R1 -x509_verify:"data_files/server4.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_PK:"suite_b":"NULL" +x509_verify:"../framework/data_files/server4.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_PK:"suite_b":"NULL" X509 CRT verification #95 (Suite B Valid, EC cert, EC CA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1 -x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"suite_b":"NULL" +x509_verify:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"suite_b":"NULL" X509 CRT verification #96 (next profile Invalid Cert SHA224 Digest) depends_on:MBEDTLS_MD_CAN_SHA224:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1 -x509_verify:"data_files/cert_sha224.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCRL_BAD_MD:"next":"NULL" +x509_verify:"../framework/data_files/cert_sha224.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCRL_BAD_MD:"next":"NULL" X509 CRT verification #97 (next profile Valid Cert SHA256 Digest) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA1 -x509_verify:"data_files/cert_sha256.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"next":"NULL" +x509_verify:"../framework/data_files/cert_sha256.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-ec-sha256.pem":"NULL":0:0:"next":"NULL" X509 CRT verification #98 (Revoked Cert, revocation date in the future, _with_ MBEDTLS_HAVE_TIME_DATE) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl-futureRevocationDate.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED|MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL" +x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-futureRevocationDate.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED|MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL" X509 CRT verification #99 (Revoked Cert, revocation date in the future, _without_ MBEDTLS_HAVE_TIME_DATE) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:!MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl-futureRevocationDate.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL" +x509_verify:"../framework/data_files/server1.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-futureRevocationDate.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL" X509 CRT verification: domain identical to IPv4 in SubjectAltName depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C -x509_verify:"data_files/server5-tricky-ip-san.crt.der":"data_files/server5-tricky-ip-san.crt.der":"data_files/crl_sha256.pem":"abcd":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL" +x509_verify:"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/crl_sha256.pem":"abcd":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL" X509 CRT verification: domain identical to IPv6 in SubjectAltName depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C -x509_verify:"data_files/server5-tricky-ip-san.crt.der":"data_files/server5-tricky-ip-san.crt.der":"data_files/crl_sha256.pem":"abcd.example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL" +x509_verify:"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/crl_sha256.pem":"abcd.example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL" X509 CRT verification: matching IPv4 in SubjectAltName depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C -x509_verify:"data_files/server5-tricky-ip-san.crt.der":"data_files/server5-tricky-ip-san.crt.der":"data_files/crl_sha256.pem":"97.98.99.100":0:0:"":"NULL" +x509_verify:"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/crl_sha256.pem":"97.98.99.100":0:0:"":"NULL" X509 CRT verification: mismatching IPv4 in SubjectAltName depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C -x509_verify:"data_files/server5-tricky-ip-san.crt.der":"data_files/server5-tricky-ip-san.crt.der":"data_files/crl_sha256.pem":"7.8.9.10":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL" +x509_verify:"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/crl_sha256.pem":"7.8.9.10":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL" X509 CRT verification: IPv4 with trailing data in SubjectAltName depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C -x509_verify:"data_files/server5-tricky-ip-san.crt.der":"data_files/server5-tricky-ip-san.crt.der":"data_files/crl_sha256.pem":"97.98.99.100?":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL" +x509_verify:"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/crl_sha256.pem":"97.98.99.100?":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL" X509 CRT verification: matching IPv6 in SubjectAltName depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C -x509_verify:"data_files/server5-tricky-ip-san.crt.der":"data_files/server5-tricky-ip-san.crt.der":"data_files/crl_sha256.pem":"6162\:6364\:2E65\:7861\:6D70\:6C65\:2E63\:6F6D":0:0:"":"NULL" +x509_verify:"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/crl_sha256.pem":"6162\:6364\:2E65\:7861\:6D70\:6C65\:2E63\:6F6D":0:0:"":"NULL" X509 CRT verification: mismatching IPv6 in SubjectAltName depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C -x509_verify:"data_files/server5-tricky-ip-san.crt.der":"data_files/server5-tricky-ip-san.crt.der":"data_files/crl_sha256.pem":"6162\:6364\:\:6F6D":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL" +x509_verify:"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/server5-tricky-ip-san.crt.der":"../framework/data_files/crl_sha256.pem":"6162\:6364\:\:6F6D":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL" X509 CRT verification: matching URI in SubjectAltName depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C -x509_verify:"data_files/rsa_single_san_uri.crt.der":"data_files/rsa_single_san_uri.crt.der":"data_files/crl_sha256.pem":"urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c":0:0:"":"NULL" +x509_verify:"../framework/data_files/rsa_single_san_uri.crt.der":"../framework/data_files/rsa_single_san_uri.crt.der":"../framework/data_files/crl_sha256.pem":"urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c":0:0:"":"NULL" X509 CRT verification: URI with trailing data in SubjectAltName depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C -x509_verify:"data_files/rsa_single_san_uri.crt.der":"data_files/rsa_single_san_uri.crt.der":"data_files/crl_sha256.pem":"urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609cz":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL" +x509_verify:"../framework/data_files/rsa_single_san_uri.crt.der":"../framework/data_files/rsa_single_san_uri.crt.der":"../framework/data_files/crl_sha256.pem":"urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609cz":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL" X509 CRT verification: URI with preceding data in SubjectAltName depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C -x509_verify:"data_files/rsa_single_san_uri.crt.der":"data_files/rsa_single_san_uri.crt.der":"data_files/crl_sha256.pem":"zurn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL" +x509_verify:"../framework/data_files/rsa_single_san_uri.crt.der":"../framework/data_files/rsa_single_san_uri.crt.der":"../framework/data_files/crl_sha256.pem":"zurn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL" X509 CRT verification: URI with bad data in SubjectAltName depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C -x509_verify:"data_files/rsa_single_san_uri.crt.der":"data_files/rsa_single_san_uri.crt.der":"data_files/crl_sha256.pem":"bad\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL" +x509_verify:"../framework/data_files/rsa_single_san_uri.crt.der":"../framework/data_files/rsa_single_san_uri.crt.der":"../framework/data_files/crl_sha256.pem":"bad\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"":"NULL" X509 CRT parse CN: IPv4 valid address x509_crt_parse_cn_inet_pton:"10.10.10.10":"0A0A0A0A":4 @@ -1180,91 +1180,91 @@ x509_crt_parse_cn_inet_pton:"\:\:1.2.3.4\:ffff":"":0 X509 CRT verification with ca callback: failure depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK -x509_verify_ca_cb_failure:"data_files/server1.crt":"data_files/test-ca.crt":"NULL":MBEDTLS_ERR_X509_FATAL_ERROR +x509_verify_ca_cb_failure:"../framework/data_files/server1.crt":"../framework/data_files/test-ca.crt":"NULL":MBEDTLS_ERR_X509_FATAL_ERROR X509 CRT verification callback: bad name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1 -x509_verify_callback:"data_files/server5.crt":"data_files/test-ca2.crt":"globalhost":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 1 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 0 - serial 09 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000004\n" +x509_verify_callback:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.crt":"globalhost":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 1 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 0 - serial 09 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000004\n" X509 CRT verification callback: trusted EE cert depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1 -x509_verify_callback:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":"NULL":0:"depth 0 - serial 53\:A2\:CB\:4B\:12\:4E\:AD\:83\:7D\:A8\:94\:B2 - subject CN=selfsigned, OU=testing, O=PolarSSL, C=NL - flags 0x00000000\n" +x509_verify_callback:"../framework/data_files/server5-selfsigned.crt":"../framework/data_files/server5-selfsigned.crt":"NULL":0:"depth 0 - serial 53\:A2\:CB\:4B\:12\:4E\:AD\:83\:7D\:A8\:94\:B2 - subject CN=selfsigned, OU=testing, O=PolarSSL, C=NL - flags 0x00000000\n" X509 CRT verification callback: trusted EE cert, expired depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_HAVE_TIME_DATE -x509_verify_callback:"data_files/server5-ss-expired.crt":"data_files/server5-ss-expired.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 0 - serial D8\:64\:61\:05\:E3\:A3\:CD\:78 - subject C=UK, O=mbed TLS, OU=testsuite, CN=localhost - flags 0x00000001\n" +x509_verify_callback:"../framework/data_files/server5-ss-expired.crt":"../framework/data_files/server5-ss-expired.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 0 - serial D8\:64\:61\:05\:E3\:A3\:CD\:78 - subject C=UK, O=mbed TLS, OU=testsuite, CN=localhost - flags 0x00000001\n" X509 CRT verification callback: simple depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_verify_callback:"data_files/server1.crt":"data_files/test-ca.crt":"NULL":0:"depth 1 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n" +x509_verify_callback:"../framework/data_files/server1.crt":"../framework/data_files/test-ca.crt":"NULL":0:"depth 1 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n" X509 CRT verification callback: simple, EE expired depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE -x509_verify_callback:"data_files/server5-expired.crt":"data_files/test-ca2.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 1 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 0 - serial 1E - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000001\n" +x509_verify_callback:"../framework/data_files/server5-expired.crt":"../framework/data_files/test-ca2.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 1 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 0 - serial 1E - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000001\n" X509 CRT verification callback: simple, root expired depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE -x509_verify_callback:"data_files/server5.crt":"data_files/test-ca2-expired.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 1 - serial 01 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000001\ndepth 0 - serial 09 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n" +x509_verify_callback:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2-expired.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 1 - serial 01 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000001\ndepth 0 - serial 09 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n" X509 CRT verification callback: two trusted roots depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256 -x509_verify_callback:"data_files/server1.crt":"data_files/test-ca_cat12.crt":"NULL":0:"depth 1 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n" +x509_verify_callback:"../framework/data_files/server1.crt":"../framework/data_files/test-ca_cat12.crt":"NULL":0:"depth 1 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n" X509 CRT verification callback: two trusted roots, reversed order depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256 -x509_verify_callback:"data_files/server1.crt":"data_files/test-ca_cat21.crt":"NULL":0:"depth 1 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n" +x509_verify_callback:"../framework/data_files/server1.crt":"../framework/data_files/test-ca_cat21.crt":"NULL":0:"depth 1 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n" X509 CRT verification callback: root included depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256 -x509_verify_callback:"data_files/server1_ca.crt":"data_files/test-ca_cat21.crt":"NULL":0:"depth 1 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n" +x509_verify_callback:"../framework/data_files/server1_ca.crt":"../framework/data_files/test-ca_cat21.crt":"NULL":0:"depth 1 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n" X509 CRT verification callback: intermediate ca depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1 -x509_verify_callback:"data_files/server7_int-ca.crt":"data_files/test-ca_cat12.crt":"NULL":0:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n" +x509_verify_callback:"../framework/data_files/server7_int-ca.crt":"../framework/data_files/test-ca_cat12.crt":"NULL":0:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n" X509 CRT verification callback: intermediate ca, root included depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1 -x509_verify_callback:"data_files/server7_int-ca_ca2.crt":"data_files/test-ca_cat12.crt":"NULL":0:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n" +x509_verify_callback:"../framework/data_files/server7_int-ca_ca2.crt":"../framework/data_files/test-ca_cat12.crt":"NULL":0:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n" X509 CRT verification callback: intermediate ca trusted depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256 -x509_verify_callback:"data_files/server7_int-ca_ca2.crt":"data_files/test-int-ca.crt":"NULL":0:"depth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n" +x509_verify_callback:"../framework/data_files/server7_int-ca_ca2.crt":"../framework/data_files/test-int-ca.crt":"NULL":0:"depth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n" X509 CRT verification callback: intermediate ca, EE expired depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE -x509_verify_callback:"data_files/server7-expired.crt":"data_files/test-ca2.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000001\n" +x509_verify_callback:"../framework/data_files/server7-expired.crt":"../framework/data_files/test-ca2.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000001\n" X509 CRT verification callback: intermediate ca, int expired depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE -x509_verify_callback:"data_files/server7_int-ca-exp.crt":"data_files/test-ca2.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000001\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n" +x509_verify_callback:"../framework/data_files/server7_int-ca-exp.crt":"../framework/data_files/test-ca2.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000001\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n" X509 CRT verification callback: intermediate ca, root expired depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1:MBEDTLS_HAVE_TIME_DATE -x509_verify_callback:"data_files/server7_int-ca.crt":"data_files/test-ca2-expired.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 2 - serial 01 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000001\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n" +x509_verify_callback:"../framework/data_files/server7_int-ca.crt":"../framework/data_files/test-ca2-expired.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 2 - serial 01 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000001\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n" X509 CRT verification callback: two intermediates depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1 -x509_verify_callback:"data_files/server10_int3_int-ca2.crt":"data_files/test-ca_cat21.crt":"NULL":0:"depth 3 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA - flags 0x00000000\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3 - flags 0x00000000\ndepth 0 - serial 4B - subject CN=localhost - flags 0x00000000\n" +x509_verify_callback:"../framework/data_files/server10_int3_int-ca2.crt":"../framework/data_files/test-ca_cat21.crt":"NULL":0:"depth 3 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA - flags 0x00000000\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3 - flags 0x00000000\ndepth 0 - serial 4B - subject CN=localhost - flags 0x00000000\n" X509 CRT verification callback: two intermediates, root included depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1 -x509_verify_callback:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-ca_cat21.crt":"NULL":0:"depth 3 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA - flags 0x00000000\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3 - flags 0x00000000\ndepth 0 - serial 4B - subject CN=localhost - flags 0x00000000\n" +x509_verify_callback:"../framework/data_files/server10_int3_int-ca2_ca.crt":"../framework/data_files/test-ca_cat21.crt":"NULL":0:"depth 3 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA - flags 0x00000000\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3 - flags 0x00000000\ndepth 0 - serial 4B - subject CN=localhost - flags 0x00000000\n" X509 CRT verification callback: two intermediates, top int trusted depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256 -x509_verify_callback:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":"NULL":0:"depth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA - flags 0x00000000\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3 - flags 0x00000000\ndepth 0 - serial 4B - subject CN=localhost - flags 0x00000000\n" +x509_verify_callback:"../framework/data_files/server10_int3_int-ca2.crt":"../framework/data_files/test-int-ca2.crt":"NULL":0:"depth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA - flags 0x00000000\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3 - flags 0x00000000\ndepth 0 - serial 4B - subject CN=localhost - flags 0x00000000\n" X509 CRT verification callback: two intermediates, low int trusted depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1 -x509_verify_callback:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-int-ca3.crt":"NULL":0:"depth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3 - flags 0x00000000\ndepth 0 - serial 4B - subject CN=localhost - flags 0x00000000\n" +x509_verify_callback:"../framework/data_files/server10_int3_int-ca2_ca.crt":"../framework/data_files/test-int-ca3.crt":"NULL":0:"depth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3 - flags 0x00000000\ndepth 0 - serial 4B - subject CN=localhost - flags 0x00000000\n" X509 CRT verification callback: no intermediate, bad signature depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1 -x509_verify_callback:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 0 - serial 09 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000008\n" +x509_verify_callback:"../framework/data_files/server5-badsign.crt":"../framework/data_files/test-ca2.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 0 - serial 09 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000008\n" X509 CRT verification callback: one intermediate, bad signature depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256 -x509_verify_callback:"data_files/server7-badsign.crt":"data_files/test-ca2.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000008\n" +x509_verify_callback:"../framework/data_files/server7-badsign.crt":"../framework/data_files/test-ca2.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000008\n" X509 CRT ASN1 (Empty Certificate) x509parse_crt:"":"":MBEDTLS_ERR_X509_INVALID_FORMAT @@ -2063,11 +2063,11 @@ x509parse_crt:"3081b030819aa0030201028204deadbeef300d06092a864886f70d01010b05003 X509 CRT ASN1 (inv extBasicConstraint, pathlen is INT_MAX) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1 -mbedtls_x509_crt_parse_file:"data_files/parse_input/server1_pathlen_int_max.crt":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_INVALID_LENGTH:0 +mbedtls_x509_crt_parse_file:"../framework/data_files/parse_input/server1_pathlen_int_max.crt":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_INVALID_LENGTH:0 X509 CRT ASN1 (pathlen is INT_MAX-1) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_MD_CAN_SHA1 -mbedtls_x509_crt_parse_file:"data_files/parse_input/server1_pathlen_int_max-1.crt":0:1 +mbedtls_x509_crt_parse_file:"../framework/data_files/parse_input/server1_pathlen_int_max-1.crt":0:1 X509 CRT ASN1 (TBS, inv extBasicConstraint, pathlen inv length encoding) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256 @@ -2588,146 +2588,146 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256:!MBEDTLS_X509 x509parse_crl:"308201b330819c020101300d06092a864886f70d01010b0500303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c2054657374204341170d3138303331343037333134385a170d3238303331343037333134385aa02d302b30290603551d1c010100041f301da01ba0198617687474703a2f2f706b692e6578616d706c652e636f6d2f300d06092a864886f70d01010b05000382010100b3fbe9d586eaf4b8ff60cf8edae06a85135db78f78198498719725b5b403c0b803c2c150f52faae7306d6a7871885dc2e9dc83a164bac7263776474ef642b660040b35a1410ac291ac8f6f18ab85e7fd6e22bd1af1c41ca95cf2448f6e2b42a018493dfc03c6b6aa1b9e3fe7b76af2182fb2121db4166bf0167d6f379c5a58adee5082423434d97be2909f5e7488053f996646db10dd49782626da53ad8eada01813c031b2bacdb0203bc017aac1735951a11d013ee4d1d5f7143ccbebf2371e66a1bec6e1febe69148f50784eef8adbb66664c96196d7e0c0bcdc807f447b54e058f37642a3337995bfbcd332208bd6016936705c82263eabd7affdba92fae3":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2018-03-14 07\:31\:48\nnext update \: 2028-03-14 07\:31\:48\nRevoked certificates\:\nsigned using \: RSA with SHA-256\n":0 X509 CRT parse file dir3/Readme -mbedtls_x509_crt_parse_file:"data_files/dir3/Readme":MBEDTLS_ERR_X509_INVALID_FORMAT:0 +mbedtls_x509_crt_parse_file:"../framework/data_files/dir3/Readme":MBEDTLS_ERR_X509_INVALID_FORMAT:0 X509 CRT parse file dir3/test-ca.crt depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C -mbedtls_x509_crt_parse_file:"data_files/dir3/test-ca.crt":0:1 +mbedtls_x509_crt_parse_file:"../framework/data_files/dir3/test-ca.crt":0:1 X509 CRT parse file dir3/test-ca2.crt depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP384R1 -mbedtls_x509_crt_parse_file:"data_files/dir3/test-ca2.crt":0:1 +mbedtls_x509_crt_parse_file:"../framework/data_files/dir3/test-ca2.crt":0:1 # The parse_path tests are known to fail when compiled for a 32-bit architecture # and run via qemu-user on Linux on a 64-bit host. This is due to a known # bug in Qemu: https://gitlab.com/qemu-project/qemu/-/issues/263 X509 CRT parse path #1 (one cert) depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C -mbedtls_x509_crt_parse_path:"data_files/dir1":0:1 +mbedtls_x509_crt_parse_path:"../framework/data_files/dir1":0:1 X509 CRT parse path #2 (two certs) depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP384R1 -mbedtls_x509_crt_parse_path:"data_files/dir2":0:2 +mbedtls_x509_crt_parse_path:"../framework/data_files/dir2":0:2 X509 CRT parse path #3 (two certs, one non-cert) depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP384R1 -mbedtls_x509_crt_parse_path:"data_files/dir3":1:2 +mbedtls_x509_crt_parse_path:"../framework/data_files/dir3":1:2 X509 CRT verify long chain (max intermediate CA, trusted) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1 -mbedtls_x509_crt_verify_max:"data_files/dir-maxpath/00.crt":"data_files/dir-maxpath":MBEDTLS_X509_MAX_INTERMEDIATE_CA:0:0 +mbedtls_x509_crt_verify_max:"../framework/data_files/dir-maxpath/00.crt":"../framework/data_files/dir-maxpath":MBEDTLS_X509_MAX_INTERMEDIATE_CA:0:0 X509 CRT verify long chain (max intermediate CA, untrusted) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1 -mbedtls_x509_crt_verify_max:"data_files/test-ca2.crt":"data_files/dir-maxpath":MBEDTLS_X509_MAX_INTERMEDIATE_CA-1:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED +mbedtls_x509_crt_verify_max:"../framework/data_files/test-ca2.crt":"../framework/data_files/dir-maxpath":MBEDTLS_X509_MAX_INTERMEDIATE_CA-1:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED X509 CRT verify long chain (max intermediate CA + 1) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1 -mbedtls_x509_crt_verify_max:"data_files/dir-maxpath/00.crt":"data_files/dir-maxpath":MBEDTLS_X509_MAX_INTERMEDIATE_CA+1:MBEDTLS_ERR_X509_FATAL_ERROR:-1 +mbedtls_x509_crt_verify_max:"../framework/data_files/dir-maxpath/00.crt":"../framework/data_files/dir-maxpath":MBEDTLS_X509_MAX_INTERMEDIATE_CA+1:MBEDTLS_ERR_X509_FATAL_ERROR:-1 X509 CRT verify chain #1 (zero pathlen intermediate) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_crt_verify_chain:"data_files/dir4/cert14.crt data_files/dir4/cert13.crt data_files/dir4/cert12.crt":"data_files/dir4/cert11.crt":MBEDTLS_X509_BADCERT_NOT_TRUSTED:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"":0 +mbedtls_x509_crt_verify_chain:"../framework/data_files/dir4/cert14.crt ../framework/data_files/dir4/cert13.crt ../framework/data_files/dir4/cert12.crt":"../framework/data_files/dir4/cert11.crt":MBEDTLS_X509_BADCERT_NOT_TRUSTED:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"":0 X509 CRT verify chain #2 (zero pathlen root) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_crt_verify_chain:"data_files/dir4/cert23.crt data_files/dir4/cert22.crt":"data_files/dir4/cert21.crt":MBEDTLS_X509_BADCERT_NOT_TRUSTED:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"":0 +mbedtls_x509_crt_verify_chain:"../framework/data_files/dir4/cert23.crt ../framework/data_files/dir4/cert22.crt":"../framework/data_files/dir4/cert21.crt":MBEDTLS_X509_BADCERT_NOT_TRUSTED:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"":0 X509 CRT verify chain #3 (nonzero pathlen root) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_crt_verify_chain:"data_files/dir4/cert34.crt data_files/dir4/cert33.crt data_files/dir4/cert32.crt":"data_files/dir4/cert31.crt":MBEDTLS_X509_BADCERT_NOT_TRUSTED:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"":0 +mbedtls_x509_crt_verify_chain:"../framework/data_files/dir4/cert34.crt ../framework/data_files/dir4/cert33.crt ../framework/data_files/dir4/cert32.crt":"../framework/data_files/dir4/cert31.crt":MBEDTLS_X509_BADCERT_NOT_TRUSTED:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"":0 X509 CRT verify chain #4 (nonzero pathlen intermediate) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_crt_verify_chain:"data_files/dir4/cert45.crt data_files/dir4/cert44.crt data_files/dir4/cert43.crt data_files/dir4/cert42.crt":"data_files/dir4/cert41.crt":MBEDTLS_X509_BADCERT_NOT_TRUSTED:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"":0 +mbedtls_x509_crt_verify_chain:"../framework/data_files/dir4/cert45.crt ../framework/data_files/dir4/cert44.crt ../framework/data_files/dir4/cert43.crt ../framework/data_files/dir4/cert42.crt":"../framework/data_files/dir4/cert41.crt":MBEDTLS_X509_BADCERT_NOT_TRUSTED:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"":0 X509 CRT verify chain #5 (nonzero maxpathlen intermediate) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -mbedtls_x509_crt_verify_chain:"data_files/dir4/cert54.crt data_files/dir4/cert53.crt data_files/dir4/cert52.crt":"data_files/dir4/cert51.crt":0:0:"":0 +mbedtls_x509_crt_verify_chain:"../framework/data_files/dir4/cert54.crt ../framework/data_files/dir4/cert53.crt ../framework/data_files/dir4/cert52.crt":"../framework/data_files/dir4/cert51.crt":0:0:"":0 X509 CRT verify chain #6 (nonzero maxpathlen root) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -mbedtls_x509_crt_verify_chain:"data_files/dir4/cert63.crt data_files/dir4/cert62.crt":"data_files/dir4/cert61.crt":0:0:"":0 +mbedtls_x509_crt_verify_chain:"../framework/data_files/dir4/cert63.crt ../framework/data_files/dir4/cert62.crt":"../framework/data_files/dir4/cert61.crt":0:0:"":0 X509 CRT verify chain #7 (maxpathlen root, self signed in path) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -mbedtls_x509_crt_verify_chain:"data_files/dir4/cert74.crt data_files/dir4/cert73.crt data_files/dir4/cert72.crt":"data_files/dir4/cert71.crt":0:0:"":0 +mbedtls_x509_crt_verify_chain:"../framework/data_files/dir4/cert74.crt ../framework/data_files/dir4/cert73.crt ../framework/data_files/dir4/cert72.crt":"../framework/data_files/dir4/cert71.crt":0:0:"":0 X509 CRT verify chain #8 (self signed maxpathlen root) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -mbedtls_x509_crt_verify_chain:"data_files/dir4/cert61.crt data_files/dir4/cert63.crt data_files/dir4/cert62.crt":"data_files/dir4/cert61.crt":0:0:"":0 +mbedtls_x509_crt_verify_chain:"../framework/data_files/dir4/cert61.crt ../framework/data_files/dir4/cert63.crt ../framework/data_files/dir4/cert62.crt":"../framework/data_files/dir4/cert61.crt":0:0:"":0 X509 CRT verify chain #9 (zero pathlen first intermediate, valid) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1 -mbedtls_x509_crt_verify_chain:"data_files/dir4/cert83.crt data_files/dir4/cert82.crt":"data_files/dir4/cert81.crt":0:0:"":0 +mbedtls_x509_crt_verify_chain:"../framework/data_files/dir4/cert83.crt ../framework/data_files/dir4/cert82.crt":"../framework/data_files/dir4/cert81.crt":0:0:"":0 X509 CRT verify chain #10 (zero pathlen root, valid) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1 -mbedtls_x509_crt_verify_chain:"data_files/dir4/cert92.crt":"data_files/dir4/cert91.crt":0:0:"":0 +mbedtls_x509_crt_verify_chain:"../framework/data_files/dir4/cert92.crt":"../framework/data_files/dir4/cert91.crt":0:0:"":0 X509 CRT verify chain #11 (valid chain, missing profile) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1 -mbedtls_x509_crt_verify_chain:"data_files/dir4/cert92.crt":"data_files/dir4/cert91.crt":-1:MBEDTLS_ERR_X509_BAD_INPUT_DATA:"nonesuch":0 +mbedtls_x509_crt_verify_chain:"../framework/data_files/dir4/cert92.crt":"../framework/data_files/dir4/cert91.crt":-1:MBEDTLS_ERR_X509_BAD_INPUT_DATA:"nonesuch":0 X509 CRT verify chain #12 (suiteb profile, RSA root) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP192R1:MBEDTLS_MD_CAN_SHA1 -mbedtls_x509_crt_verify_chain:"data_files/server3.crt":"data_files/test-ca.crt":MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"suiteb":0 +mbedtls_x509_crt_verify_chain:"../framework/data_files/server3.crt":"../framework/data_files/test-ca.crt":MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"suiteb":0 X509 CRT verify chain #13 (RSA only profile, EC root) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1 -mbedtls_x509_crt_verify_chain:"data_files/server4.crt":"data_files/test-ca2.crt":MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"rsa3072":0 +mbedtls_x509_crt_verify_chain:"../framework/data_files/server4.crt":"../framework/data_files/test-ca2.crt":MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"rsa3072":0 X509 CRT verify chain #13 (RSA only profile, EC trusted EE) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1 -mbedtls_x509_crt_verify_chain:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"rsa3072":0 +mbedtls_x509_crt_verify_chain:"../framework/data_files/server5-selfsigned.crt":"../framework/data_files/server5-selfsigned.crt":MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"rsa3072":0 X509 CRT verify chain #14 (RSA-3072 profile, root key too small) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1 -mbedtls_x509_crt_verify_chain:"data_files/server1.crt":"data_files/test-ca.crt":MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"rsa3072":0 +mbedtls_x509_crt_verify_chain:"../framework/data_files/server1.crt":"../framework/data_files/test-ca.crt":MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"rsa3072":0 X509 CRT verify chain #15 (suiteb profile, rsa intermediate) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_ECP_HAVE_SECP256R1 -mbedtls_x509_crt_verify_chain:"data_files/server7.crt data_files/test-int-ca.crt":"data_files/test-ca2.crt":MBEDTLS_X509_BADCERT_BAD_PK:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"suiteb":0 +mbedtls_x509_crt_verify_chain:"../framework/data_files/server7.crt ../framework/data_files/test-int-ca.crt":"../framework/data_files/test-ca2.crt":MBEDTLS_X509_BADCERT_BAD_PK:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"suiteb":0 X509 CRT verify chain #16 (RSA-only profile, EC intermediate) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA1 -mbedtls_x509_crt_verify_chain:"data_files/server8.crt data_files/test-int-ca2.crt":"data_files/test-ca.crt":MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"rsa3072":0 +mbedtls_x509_crt_verify_chain:"../framework/data_files/server8.crt ../framework/data_files/test-int-ca2.crt":"../framework/data_files/test-ca.crt":MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"rsa3072":0 X509 CRT verify chain #17 (SHA-512 profile) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1 -mbedtls_x509_crt_verify_chain:"data_files/server7.crt data_files/test-int-ca.crt":"data_files/test-ca2.crt":MBEDTLS_X509_BADCERT_BAD_MD:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"sha512":0 +mbedtls_x509_crt_verify_chain:"../framework/data_files/server7.crt ../framework/data_files/test-int-ca.crt":"../framework/data_files/test-ca2.crt":MBEDTLS_X509_BADCERT_BAD_MD:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"sha512":0 X509 CRT verify chain #18 (len=1, vrfy fatal on depth 1) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA512 -mbedtls_x509_crt_verify_chain:"data_files/server5.crt":"data_files/test-ca2.crt":-1:-2:"":2 +mbedtls_x509_crt_verify_chain:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.crt":-1:-2:"":2 X509 CRT verify chain #19 (len=0, vrfy fatal on depth 0) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA512 -mbedtls_x509_crt_verify_chain:"data_files/server5.crt":"data_files/test-ca2.crt":-1:-1:"":1 +mbedtls_x509_crt_verify_chain:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.crt":-1:-1:"":1 X509 CRT verify chain #20 (len=1, vrfy fatal on depth 0) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA512:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C -mbedtls_x509_crt_verify_chain:"data_files/server5.crt":"data_files/test-ca.crt":-1:-1:"":1 +mbedtls_x509_crt_verify_chain:"../framework/data_files/server5.crt":"../framework/data_files/test-ca.crt":-1:-1:"":1 X509 CRT verify chain #21 (len=3, vrfy fatal on depth 3) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA1:MBEDTLS_ECP_HAVE_SECP384R1 -mbedtls_x509_crt_verify_chain:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-ca.crt":-1:-4:"":8 +mbedtls_x509_crt_verify_chain:"../framework/data_files/server10_int3_int-ca2_ca.crt":"../framework/data_files/test-ca.crt":-1:-4:"":8 X509 CRT verify chain #22 (len=3, vrfy fatal on depth 2) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_ECP_HAVE_SECP384R1 -mbedtls_x509_crt_verify_chain:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-ca.crt":-1:-3:"":4 +mbedtls_x509_crt_verify_chain:"../framework/data_files/server10_int3_int-ca2_ca.crt":"../framework/data_files/test-ca.crt":-1:-3:"":4 X509 CRT verify chain #23 (len=3, vrfy fatal on depth 1) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_ECP_HAVE_SECP384R1 -mbedtls_x509_crt_verify_chain:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-ca.crt":-1:-2:"":2 +mbedtls_x509_crt_verify_chain:"../framework/data_files/server10_int3_int-ca2_ca.crt":"../framework/data_files/test-ca.crt":-1:-2:"":2 X509 CRT verify chain #24 (len=3, vrfy fatal on depth 0) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_ECP_HAVE_SECP384R1 -mbedtls_x509_crt_verify_chain:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-ca.crt":-1:-1:"":1 +mbedtls_x509_crt_verify_chain:"../framework/data_files/server10_int3_int-ca2_ca.crt":"../framework/data_files/test-ca.crt":-1:-1:"":1 X509 CRT verify chain #25 (len=3, vrfy fatal on depth 3, untrusted) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1:MBEDTLS_ECP_HAVE_SECP384R1 -mbedtls_x509_crt_verify_chain:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-ca2.crt":-1:-4:"":8 +mbedtls_x509_crt_verify_chain:"../framework/data_files/server10_int3_int-ca2_ca.crt":"../framework/data_files/test-ca2.crt":-1:-4:"":8 X509 OID description #1 x509_oid_desc:"2b06010505070301":"TLS Web Server Authentication" @@ -2755,75 +2755,75 @@ x509_oid_numstr:"2a8648f9f8f7f6f5f4f3f2f1f001":"":100:MBEDTLS_ERR_ASN1_INVALID_D X509 CRT keyUsage #1 (no extension, expected KU) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509_check_key_usage:"data_files/server1.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0 +x509_check_key_usage:"../framework/data_files/server1.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0 X509 CRT keyUsage #2 (no extension, surprising KU) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509_check_key_usage:"data_files/server1.crt":MBEDTLS_X509_KU_KEY_CERT_SIGN:0 +x509_check_key_usage:"../framework/data_files/server1.crt":MBEDTLS_X509_KU_KEY_CERT_SIGN:0 X509 CRT keyUsage #3 (extension present, no KU) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509_check_key_usage:"data_files/server1.key_usage.crt":0:0 +x509_check_key_usage:"../framework/data_files/server1.key_usage.crt":0:0 X509 CRT keyUsage #4 (extension present, single KU present) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509_check_key_usage:"data_files/server1.key_usage.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE:0 +x509_check_key_usage:"../framework/data_files/server1.key_usage.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE:0 X509 CRT keyUsage #5 (extension present, single KU absent) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509_check_key_usage:"data_files/server1.key_usage.crt":MBEDTLS_X509_KU_KEY_CERT_SIGN:MBEDTLS_ERR_X509_BAD_INPUT_DATA +x509_check_key_usage:"../framework/data_files/server1.key_usage.crt":MBEDTLS_X509_KU_KEY_CERT_SIGN:MBEDTLS_ERR_X509_BAD_INPUT_DATA X509 CRT keyUsage #6 (extension present, combined KU present) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509_check_key_usage:"data_files/server1.key_usage.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0 +x509_check_key_usage:"../framework/data_files/server1.key_usage.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0 X509 CRT keyUsage #7 (extension present, combined KU both absent) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509_check_key_usage:"data_files/server1.key_usage.crt":MBEDTLS_X509_KU_KEY_CERT_SIGN|MBEDTLS_X509_KU_CRL_SIGN:MBEDTLS_ERR_X509_BAD_INPUT_DATA +x509_check_key_usage:"../framework/data_files/server1.key_usage.crt":MBEDTLS_X509_KU_KEY_CERT_SIGN|MBEDTLS_X509_KU_CRL_SIGN:MBEDTLS_ERR_X509_BAD_INPUT_DATA X509 CRT keyUsage #8 (extension present, combined KU one absent) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509_check_key_usage:"data_files/server1.key_usage.crt":MBEDTLS_X509_KU_KEY_ENCIPHERMENT|MBEDTLS_X509_KU_KEY_AGREEMENT:MBEDTLS_ERR_X509_BAD_INPUT_DATA +x509_check_key_usage:"../framework/data_files/server1.key_usage.crt":MBEDTLS_X509_KU_KEY_ENCIPHERMENT|MBEDTLS_X509_KU_KEY_AGREEMENT:MBEDTLS_ERR_X509_BAD_INPUT_DATA X509 CRT keyUsage #9 (extension present, decOnly allowed absent) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509_check_key_usage:"data_files/server1.key_usage.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT|MBEDTLS_X509_KU_DECIPHER_ONLY:0 +x509_check_key_usage:"../framework/data_files/server1.key_usage.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT|MBEDTLS_X509_KU_DECIPHER_ONLY:0 X509 CRT keyUsage #10 (extension present, decOnly non-allowed present) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509_check_key_usage:"data_files/keyUsage.decipherOnly.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT:MBEDTLS_ERR_X509_BAD_INPUT_DATA +x509_check_key_usage:"../framework/data_files/keyUsage.decipherOnly.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT:MBEDTLS_ERR_X509_BAD_INPUT_DATA X509 CRT keyUsage #11 (extension present, decOnly allowed present) depends_on:MBEDTLS_RSA_C:MBEDTLS_MD_CAN_SHA1 -x509_check_key_usage:"data_files/keyUsage.decipherOnly.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT|MBEDTLS_X509_KU_DECIPHER_ONLY:0 +x509_check_key_usage:"../framework/data_files/keyUsage.decipherOnly.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT|MBEDTLS_X509_KU_DECIPHER_ONLY:0 X509 CRT extendedKeyUsage #1 (no extension, serverAuth) depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256 -x509_check_extended_key_usage:"data_files/server5.crt":"2b06010505070301":0 +x509_check_extended_key_usage:"../framework/data_files/server5.crt":"2b06010505070301":0 X509 CRT extendedKeyUsage #2 (single value, present) depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256 -x509_check_extended_key_usage:"data_files/server5.eku-srv.crt":"2b06010505070301":0 +x509_check_extended_key_usage:"../framework/data_files/server5.eku-srv.crt":"2b06010505070301":0 X509 CRT extendedKeyUsage #3 (single value, absent) depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256 -x509_check_extended_key_usage:"data_files/server5.eku-cli.crt":"2b06010505070301":MBEDTLS_ERR_X509_BAD_INPUT_DATA +x509_check_extended_key_usage:"../framework/data_files/server5.eku-cli.crt":"2b06010505070301":MBEDTLS_ERR_X509_BAD_INPUT_DATA X509 CRT extendedKeyUsage #4 (two values, first) depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256 -x509_check_extended_key_usage:"data_files/server5.eku-srv_cli.crt":"2b06010505070301":0 +x509_check_extended_key_usage:"../framework/data_files/server5.eku-srv_cli.crt":"2b06010505070301":0 X509 CRT extendedKeyUsage #5 (two values, second) depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256 -x509_check_extended_key_usage:"data_files/server5.eku-srv_cli.crt":"2b06010505070302":0 +x509_check_extended_key_usage:"../framework/data_files/server5.eku-srv_cli.crt":"2b06010505070302":0 X509 CRT extendedKeyUsage #6 (two values, other) depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256 -x509_check_extended_key_usage:"data_files/server5.eku-srv_cli.crt":"2b06010505070303":MBEDTLS_ERR_X509_BAD_INPUT_DATA +x509_check_extended_key_usage:"../framework/data_files/server5.eku-srv_cli.crt":"2b06010505070303":MBEDTLS_ERR_X509_BAD_INPUT_DATA X509 CRT extendedKeyUsage #7 (any, random) depends_on:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256 -x509_check_extended_key_usage:"data_files/server5.eku-cs_any.crt":"2b060105050703ff":0 +x509_check_extended_key_usage:"../framework/data_files/server5.eku-cs_any.crt":"2b060105050703ff":0 X509 RSASSA-PSS parameters ASN1 (good, all defaults) x509_parse_rsassa_pss_params:"":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:0 @@ -3050,122 +3050,122 @@ X509 CSR ASN.1 (invalid version overflow) mbedtls_x509_csr_parse:"3008300602047fffffff":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION # Used test_csr_v3_all.csr.der as a base for malforming CSR extenstions/attributes -# Please see makefile for data_files to check malformation details (test_csr_v3_all_malformed_xxx.csr files) +# Please see makefile for ../framework/data_files to check malformation details (test_csr_v3_all_malformed_xxx.csr files) X509 CSR ASN.1 (attributes: invalid sequence tag) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_attributes_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (attributes: invalid attribute id) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_attributes_id_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_id_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (attributes: not extension request) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n":0 +mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n":0 X509 CSR ASN.1 (attributes: invalid extenstion request set tag) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_set_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (attributes: invalid extenstion request sequence tag) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (attributes: invalid len (len > data)) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_attributes_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA +mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA X509 CSR ASN.1 (attributes: invalid len (len < data)) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_attributes_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH +mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH X509 CSR ASN.1 (attributes: extension request invalid len (len > data)) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA +mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA X509 CSR ASN.1 (attributes: extension request invalid len (len < data)) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA +mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA X509 CSR ASN.1 (extensions: invalid sequence tag) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_extensions_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_extensions_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (extensions: invalid extension id tag) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_extension_id_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_extension_id_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (extensions: invalid extension data tag) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_extension_data_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_extension_data_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (extensions: invalid extension data len (len > data)) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_extension_data_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA +mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_extension_data_len1.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA X509 CSR ASN.1 (extensions: invalid extension data len (len < data)) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_extension_data_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH +mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_extension_data_len2.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH X509 CSR ASN.1 (extensions: invalid extension key usage bitstream tag) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_extension_key_usage_bitstream_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (extensions: invalid extension subject alt name sequence tag) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_extension_subject_alt_name_sequence_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (extensions: invalid extension ns cert bitstream tag) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CSR ASN.1 (extensions: duplicated extension) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_duplicated_extension.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_INVALID_DATA +mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_duplicated_extension.csr.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_INVALID_DATA X509 CSR ASN.1 (extensions: invalid extension type data) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_csr_parse_file:"data_files/parse_input/test_csr_v3_all_malformed_extension_type_oid.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\ncert. type \: SSL Client\nkey usage \: CRL Sign\n":0 +mbedtls_x509_csr_parse_file:"../framework/data_files/parse_input/test_csr_v3_all_malformed_extension_type_oid.csr.der":"CSR version \: 1\nsubject name \: CN=etcd\nsigned using \: RSA with SHA-256\nRSA key size \: 1024 bits\n\ncert. type \: SSL Client\nkey usage \: CRL Sign\n":0 X509 File parse (no issues) depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_crt_parse_file:"data_files/parse_input/server7_int-ca.crt":0:2 +mbedtls_x509_crt_parse_file:"../framework/data_files/parse_input/server7_int-ca.crt":0:2 X509 File parse (extra space in one certificate) depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_crt_parse_file:"data_files/parse_input/server7_pem_space.crt":1:1 +mbedtls_x509_crt_parse_file:"../framework/data_files/parse_input/server7_pem_space.crt":1:1 X509 File parse (all certificates fail) depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_RSA_C -mbedtls_x509_crt_parse_file:"data_files/parse_input/server7_all_space.crt":MBEDTLS_ERR_PEM_INVALID_DATA + MBEDTLS_ERR_BASE64_INVALID_CHARACTER:0 +mbedtls_x509_crt_parse_file:"../framework/data_files/parse_input/server7_all_space.crt":MBEDTLS_ERR_PEM_INVALID_DATA + MBEDTLS_ERR_BASE64_INVALID_CHARACTER:0 X509 File parse (trailing spaces, OK) depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_crt_parse_file:"data_files/parse_input/server7_trailing_space.crt":0:2 +mbedtls_x509_crt_parse_file:"../framework/data_files/parse_input/server7_trailing_space.crt":0:2 X509 File parse (Algorithm Params Tag mismatch) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -mbedtls_x509_crt_parse_file:"data_files/parse_input/cli-rsa-sha256-badalg.crt.der":MBEDTLS_ERR_X509_SIG_MISMATCH:0 +mbedtls_x509_crt_parse_file:"../framework/data_files/parse_input/cli-rsa-sha256-badalg.crt.der":MBEDTLS_ERR_X509_SIG_MISMATCH:0 X509 File parse (does not conform to RFC 5480 / RFC 5758 - AlgorithmIdentifier's parameters field is present, mbedTLS generated before bugfix, OK) depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256 -x509parse_crt_file:"data_files/parse_input/server5-non-compliant.crt":0 +x509parse_crt_file:"../framework/data_files/parse_input/server5-non-compliant.crt":0 X509 File parse (conforms to RFC 5480 / RFC 5758 - AlgorithmIdentifier's parameters field must be absent for ECDSA) depends_on:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256 -x509parse_crt_file:"data_files/parse_input/server5.crt":0 +x509parse_crt_file:"../framework/data_files/parse_input/server5.crt":0 X509 File parse & read the ca_istrue field (Not Set) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1 -mbedtls_x509_get_ca_istrue:"data_files/parse_input/server1.crt":0 +mbedtls_x509_get_ca_istrue:"../framework/data_files/parse_input/server1.crt":0 X509 File parse & read the ca_istrue field (Set) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1 -mbedtls_x509_get_ca_istrue:"data_files/test-ca.crt":1 +mbedtls_x509_get_ca_istrue:"../framework/data_files/test-ca.crt":1 X509 File parse & read the ca_istrue field (Legacy Certificate) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_MD_CAN_SHA1:MBEDTLS_MD_CAN_SHA256 -mbedtls_x509_get_ca_istrue:"data_files/server1-v1.crt":MBEDTLS_ERR_X509_INVALID_EXTENSIONS +mbedtls_x509_get_ca_istrue:"../framework/data_files/server1-v1.crt":MBEDTLS_ERR_X509_INVALID_EXTENSIONS X509 Get time (UTC no issues) depends_on:MBEDTLS_X509_USE_C @@ -3281,91 +3281,91 @@ x509_get_time:MBEDTLS_ASN1_GENERALIZED_TIME:"19910229000000Z":MBEDTLS_ERR_X509_I X509 CRT verify restart: trusted EE, max_ops=0 (disabled) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1 -x509_verify_restart:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":0:0:0:0:0 +x509_verify_restart:"../framework/data_files/server5-selfsigned.crt":"../framework/data_files/server5-selfsigned.crt":0:0:0:0:0 X509 CRT verify restart: trusted EE, max_ops=1 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1 -x509_verify_restart:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":0:0:1:0:0 +x509_verify_restart:"../framework/data_files/server5-selfsigned.crt":"../framework/data_files/server5-selfsigned.crt":0:0:1:0:0 X509 CRT verify restart: no intermediate, max_ops=0 (disabled) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1 -x509_verify_restart:"data_files/server5.crt":"data_files/test-ca2.crt":0:0:0:0:0 +x509_verify_restart:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.crt":0:0:0:0:0 X509 CRT verify restart: no intermediate, max_ops=1 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1 -x509_verify_restart:"data_files/server5.crt":"data_files/test-ca2.crt":0:0:1:100:10000 +x509_verify_restart:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.crt":0:0:1:100:10000 X509 CRT verify restart: no intermediate, max_ops=40000 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1 -x509_verify_restart:"data_files/server5.crt":"data_files/test-ca2.crt":0:0:40000:0:0 +x509_verify_restart:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.crt":0:0:40000:0:0 X509 CRT verify restart: no intermediate, max_ops=500 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1 -x509_verify_restart:"data_files/server5.crt":"data_files/test-ca2.crt":0:0:500:20:80 +x509_verify_restart:"../framework/data_files/server5.crt":"../framework/data_files/test-ca2.crt":0:0:500:20:80 X509 CRT verify restart: no intermediate, badsign, max_ops=0 (disabled) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1 -x509_verify_restart:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:0:0:0 +x509_verify_restart:"../framework/data_files/server5-badsign.crt":"../framework/data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:0:0:0 X509 CRT verify restart: no intermediate, badsign, max_ops=1 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1 -x509_verify_restart:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:1:100:10000 +x509_verify_restart:"../framework/data_files/server5-badsign.crt":"../framework/data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:1:100:10000 X509 CRT verify restart: no intermediate, badsign, max_ops=40000 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1 -x509_verify_restart:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:40000:0:0 +x509_verify_restart:"../framework/data_files/server5-badsign.crt":"../framework/data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:40000:0:0 X509 CRT verify restart: no intermediate, badsign, max_ops=500 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1 -x509_verify_restart:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:20:80 +x509_verify_restart:"../framework/data_files/server5-badsign.crt":"../framework/data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:20:80 X509 CRT verify restart: one int, max_ops=0 (disabled) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C -x509_verify_restart:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":0:0:0:0:0 +x509_verify_restart:"../framework/data_files/server10_int3_int-ca2.crt":"../framework/data_files/test-int-ca2.crt":0:0:0:0:0 X509 CRT verify restart: one int, max_ops=1 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C -x509_verify_restart:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":0:0:1:100:10000 +x509_verify_restart:"../framework/data_files/server10_int3_int-ca2.crt":"../framework/data_files/test-int-ca2.crt":0:0:1:100:10000 X509 CRT verify restart: one int, max_ops=30000 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C -x509_verify_restart:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":0:0:30000:0:0 +x509_verify_restart:"../framework/data_files/server10_int3_int-ca2.crt":"../framework/data_files/test-int-ca2.crt":0:0:30000:0:0 X509 CRT verify restart: one int, max_ops=500 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C -x509_verify_restart:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":0:0:500:25:100 +x509_verify_restart:"../framework/data_files/server10_int3_int-ca2.crt":"../framework/data_files/test-int-ca2.crt":0:0:500:25:100 X509 CRT verify restart: one int, EE badsign, max_ops=0 (disabled) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C -x509_verify_restart:"data_files/server10-bs_int3.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:0:0:0 +x509_verify_restart:"../framework/data_files/server10-bs_int3.pem":"../framework/data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:0:0:0 X509 CRT verify restart: one int, EE badsign, max_ops=1 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C -x509_verify_restart:"data_files/server10-bs_int3.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:1:100:10000 +x509_verify_restart:"../framework/data_files/server10-bs_int3.pem":"../framework/data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:1:100:10000 X509 CRT verify restart: one int, EE badsign, max_ops=30000 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C -x509_verify_restart:"data_files/server10-bs_int3.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:30000:0:0 +x509_verify_restart:"../framework/data_files/server10-bs_int3.pem":"../framework/data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:30000:0:0 X509 CRT verify restart: one int, EE badsign, max_ops=500 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C -x509_verify_restart:"data_files/server10-bs_int3.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:25:100 +x509_verify_restart:"../framework/data_files/server10-bs_int3.pem":"../framework/data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:25:100 X509 CRT verify restart: one int, int badsign, max_ops=0 (disabled) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C -x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:0:0:0 +x509_verify_restart:"../framework/data_files/server10_int3-bs.pem":"../framework/data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:0:0:0 X509 CRT verify restart: one int, int badsign, max_ops=1 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C -x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:1:100:10000 +x509_verify_restart:"../framework/data_files/server10_int3-bs.pem":"../framework/data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:1:100:10000 X509 CRT verify restart: one int, int badsign, max_ops=30000 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C -x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:30000:0:0 +x509_verify_restart:"../framework/data_files/server10_int3-bs.pem":"../framework/data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:30000:0:0 X509 CRT verify restart: one int, int badsign, max_ops=500 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_RSA_C -x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:25:100 +x509_verify_restart:"../framework/data_files/server10_int3-bs.pem":"../framework/data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:25:100 X509 ext types accessor: ext type present depends_on:MBEDTLS_X509_CRT_PARSE_C @@ -3377,65 +3377,65 @@ x509_accessor_ext_types:MBEDTLS_X509_EXT_KEY_USAGE:MBEDTLS_X509_EXT_SUBJECT_ALT_ X509 CRT parse Subject Key Id - Correct Subject Key ID depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -x509_crt_parse_subjectkeyid:"data_files/authorityKeyId_subjectKeyId.crt.der":"A505E864B8DCDF600F50124D60A864AF4D8B4393":0 +x509_crt_parse_subjectkeyid:"../framework/data_files/authorityKeyId_subjectKeyId.crt.der":"A505E864B8DCDF600F50124D60A864AF4D8B4393":0 X509 CRT parse Subject Key Id - Wrong OCTET_STRING tag depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -x509_crt_parse_subjectkeyid:"data_files/authorityKeyId_subjectKeyId_tag_malformed.crt.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +x509_crt_parse_subjectkeyid:"../framework/data_files/authorityKeyId_subjectKeyId_tag_malformed.crt.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CRT parse Subject Key Id - Wrong OCTET_STRING length depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -x509_crt_parse_subjectkeyid:"data_files/authorityKeyId_subjectKeyId_tag_len_malformed.crt.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH +x509_crt_parse_subjectkeyid:"../framework/data_files/authorityKeyId_subjectKeyId_tag_len_malformed.crt.der":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH X509 CRT parse Authority Key Id - Correct Authority Key ID depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_subjectKeyId.crt.der":"A505E864B8DCDF600F50124D60A864AF4D8B4393":"C=NL, OU=PolarSSL, CN=PolarSSL Test CA":"680430CD074DE63FCDC051260FD042C2B512B6BA":0 +x509_crt_parse_authoritykeyid:"../framework/data_files/authorityKeyId_subjectKeyId.crt.der":"A505E864B8DCDF600F50124D60A864AF4D8B4393":"C=NL, OU=PolarSSL, CN=PolarSSL Test CA":"680430CD074DE63FCDC051260FD042C2B512B6BA":0 X509 CRT parse Authority Key Id - Correct Authority Key ID (no keyid) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_no_keyid.crt.der":"":"C=NL, OU=PolarSSL, CN=PolarSSL Test CA":"680430CD074DE63FCDC051260FD042C2B512B6BA":0 +x509_crt_parse_authoritykeyid:"../framework/data_files/authorityKeyId_no_keyid.crt.der":"":"C=NL, OU=PolarSSL, CN=PolarSSL Test CA":"680430CD074DE63FCDC051260FD042C2B512B6BA":0 X509 CRT parse Authority Key Id - Correct Authority Key ID (no issuer) depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_no_issuer.crt.der":"A505E864B8DCDF600F50124D60A864AF4D8B4393":"":"":0 +x509_crt_parse_authoritykeyid:"../framework/data_files/authorityKeyId_no_issuer.crt.der":"A505E864B8DCDF600F50124D60A864AF4D8B4393":"":"":0 X509 CRT parse Authority Key Id - no Authority Key ID depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_no_authorityKeyId.crt.der":"":"":"":0 +x509_crt_parse_authoritykeyid:"../framework/data_files/authorityKeyId_no_authorityKeyId.crt.der":"":"":"":0 X509 CRT parse Authority Key Id - Wrong Length depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_subjectKeyId_length_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH +x509_crt_parse_authoritykeyid:"../framework/data_files/authorityKeyId_subjectKeyId_length_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH X509 CRT parse Authority Key Id - Wrong Sequence tag depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_subjectKeyId_sequence_tag_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +x509_crt_parse_authoritykeyid:"../framework/data_files/authorityKeyId_subjectKeyId_sequence_tag_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CRT parse Authority Key Id - Wrong KeyId Tag depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_subjectKeyId_keyid_tag_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +x509_crt_parse_authoritykeyid:"../framework/data_files/authorityKeyId_subjectKeyId_keyid_tag_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CRT parse Authority Key Id - Wrong KeyId Tag Length depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_subjectKeyId_keyid_tag_len_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_INVALID_LENGTH +x509_crt_parse_authoritykeyid:"../framework/data_files/authorityKeyId_subjectKeyId_keyid_tag_len_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_INVALID_LENGTH X509 CRT parse Authority Key Id - Wrong Issuer Tag depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_subjectKeyId_issuer_tag1_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +x509_crt_parse_authoritykeyid:"../framework/data_files/authorityKeyId_subjectKeyId_issuer_tag1_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CRT parse Authority Key Id - Wrong DirectoryName tag in issuer field depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_subjectKeyId_issuer_tag2_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +x509_crt_parse_authoritykeyid:"../framework/data_files/authorityKeyId_subjectKeyId_issuer_tag2_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CRT parse Authority Key Id - Wrong Serial Number Tag depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_subjectKeyId_sn_tag_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +x509_crt_parse_authoritykeyid:"../framework/data_files/authorityKeyId_subjectKeyId_sn_tag_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG X509 CRT parse Authority Key Id - Wrong Serial Number Tag length depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -x509_crt_parse_authoritykeyid:"data_files/authorityKeyId_subjectKeyId_sn_len_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH +x509_crt_parse_authoritykeyid:"../framework/data_files/authorityKeyId_subjectKeyId_sn_len_malformed.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH # clusterfuzz-testcase-minimized-fuzz_x509crt-6666050834661376: test for bad sequence of names in authorityCertIssuer (see issue #7576) X509 CRT parse Authority Key Id - Wrong Issuer sequence depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_RSA_C -x509_crt_parse_authoritykeyid:"data_files/clusterfuzz-testcase-minimized-fuzz_x509crt-6666050834661376.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA +x509_crt_parse_authoritykeyid:"../framework/data_files/clusterfuzz-testcase-minimized-fuzz_x509crt-6666050834661376.crt.der":"":"":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_OUT_OF_DATA diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_x509parse.function b/yass/third_party/mbedtls/tests/suites/test_suite_x509parse.function index f3ae0f4d0a..9fc0e55dff 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_x509parse.function +++ b/yass/third_party/mbedtls/tests/suites/test_suite_x509parse.function @@ -15,7 +15,7 @@ #if MBEDTLS_X509_MAX_INTERMEDIATE_CA > 19 #error "The value of MBEDTLS_X509_MAX_INTERMEDIATE_C is larger \ than the current threshold 19. To test larger values, please \ - adapt the script tests/data_files/dir-max/long.sh." + adapt the script framework/data_files/dir-max/long.sh." #endif /* Test-only profile allowing all digests, PK algorithms, and curves. */ @@ -60,7 +60,10 @@ const mbedtls_x509_crt_profile profile_sha512 = 1024, }; -int verify_none(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags) +#if defined(MBEDTLS_X509_CRT_PARSE_C) + +#if defined(MBEDTLS_FS_IO) +static int verify_none(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags) { ((void) data); ((void) crt); @@ -70,7 +73,7 @@ int verify_none(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32 return 0; } -int verify_all(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags) +static int verify_all(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags) { ((void) data); ((void) crt); @@ -80,8 +83,10 @@ int verify_all(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_ return 0; } -#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) -int ca_callback_fail(void *data, mbedtls_x509_crt const *child, mbedtls_x509_crt **candidates) +#if defined(MBEDTLS_X509_CRL_PARSE_C) && \ + defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) +static int ca_callback_fail(void *data, mbedtls_x509_crt const *child, + mbedtls_x509_crt **candidates) { ((void) data); ((void) child); @@ -89,9 +94,9 @@ int ca_callback_fail(void *data, mbedtls_x509_crt const *child, mbedtls_x509_crt return -1; } -#if defined(MBEDTLS_X509_CRT_PARSE_C) -int ca_callback(void *data, mbedtls_x509_crt const *child, - mbedtls_x509_crt **candidates) + +static int ca_callback(void *data, mbedtls_x509_crt const *child, + mbedtls_x509_crt **candidates) { int ret = 0; mbedtls_x509_crt *ca = (mbedtls_x509_crt *) data; @@ -138,10 +143,9 @@ exit: *candidates = first; return ret; } -#endif /* MBEDTLS_X509_CRT_PARSE_C */ -#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ +#endif /* MBEDTLS_X509_CRL_PARSE_C && MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ -int verify_fatal(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags) +static int verify_fatal(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags) { int *levels = (int *) data; @@ -158,7 +162,7 @@ int verify_fatal(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint3 } /* strsep() not available on Windows */ -char *mystrsep(char **stringp, const char *delim) +static char *mystrsep(char **stringp, const char *delim) { const char *p; char *ret = *stringp; @@ -186,19 +190,18 @@ done: return ret; } -#if defined(MBEDTLS_X509_CRT_PARSE_C) typedef struct { char buf[512]; char *p; } verify_print_context; -void verify_print_init(verify_print_context *ctx) +static void verify_print_init(verify_print_context *ctx) { memset(ctx, 0, sizeof(verify_print_context)); ctx->p = ctx->buf; } -int verify_print(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags) +static int verify_print(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags) { int ret; verify_print_context *ctx = (verify_print_context *) data; @@ -226,8 +229,8 @@ int verify_print(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint3 return 0; } -int verify_parse_san(mbedtls_x509_subject_alternative_name *san, - char **buf, size_t *size) +static int verify_parse_san(mbedtls_x509_subject_alternative_name *san, + char **buf, size_t *size) { int ret; size_t i; @@ -316,9 +319,10 @@ int verify_parse_san(mbedtls_x509_subject_alternative_name *san, return 0; } +#endif /* MBEDTLS_FS_IO */ -int parse_crt_ext_cb(void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf const *oid, - int critical, const unsigned char *cp, const unsigned char *end) +static int parse_crt_ext_cb(void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf const *oid, + int critical, const unsigned char *cp, const unsigned char *end) { (void) crt; (void) critical; @@ -416,9 +420,14 @@ int parse_crt_ext_cb(void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf } #endif /* MBEDTLS_X509_CRT_PARSE_C */ -#if defined(MBEDTLS_X509_CSR_PARSE_C) -int parse_csr_ext_accept_cb(void *p_ctx, mbedtls_x509_csr const *csr, mbedtls_x509_buf const *oid, - int critical, const unsigned char *cp, const unsigned char *end) +#if defined(MBEDTLS_X509_CSR_PARSE_C) && \ + !defined(MBEDTLS_X509_REMOVE_INFO) +static int parse_csr_ext_accept_cb(void *p_ctx, + mbedtls_x509_csr const *csr, + mbedtls_x509_buf const *oid, + int critical, + const unsigned char *cp, + const unsigned char *end) { (void) p_ctx; (void) csr; @@ -430,8 +439,12 @@ int parse_csr_ext_accept_cb(void *p_ctx, mbedtls_x509_csr const *csr, mbedtls_x5 return 0; } -int parse_csr_ext_reject_cb(void *p_ctx, mbedtls_x509_csr const *csr, mbedtls_x509_buf const *oid, - int critical, const unsigned char *cp, const unsigned char *end) +static int parse_csr_ext_reject_cb(void *p_ctx, + mbedtls_x509_csr const *csr, + mbedtls_x509_buf const *oid, + int critical, + const unsigned char *cp, + const unsigned char *end) { (void) p_ctx; (void) csr; @@ -443,7 +456,7 @@ int parse_csr_ext_reject_cb(void *p_ctx, mbedtls_x509_csr const *csr, mbedtls_x5 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, MBEDTLS_ERR_ASN1_UNEXPECTED_TAG); } -#endif /* MBEDTLS_X509_CSR_PARSE_C */ +#endif /* MBEDTLS_X509_CSR_PARSE_C && !MBEDTLS_X509_REMOVE_INFO */ /* END_HEADER */ /* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */ diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_x509write.data b/yass/third_party/mbedtls/tests/suites/test_suite_x509write.data index 5c6a9032d0..0cbad4bcee 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_x509write.data +++ b/yass/third_party/mbedtls/tests/suites/test_suite_x509write.data @@ -1,170 +1,170 @@ Certificate Request check Server1 SHA1 depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha1":MBEDTLS_MD_SHA1:0:0:0:0:0 +x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.sha1":MBEDTLS_MD_SHA1:0:0:0:0:0 Certificate Request check Server1 SHA224 depends_on:MBEDTLS_MD_CAN_SHA224:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha224":MBEDTLS_MD_SHA224:0:0:0:0:0 +x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.sha224":MBEDTLS_MD_SHA224:0:0:0:0:0 Certificate Request check Server1 SHA256 depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha256":MBEDTLS_MD_SHA256:0:0:0:0:0 +x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.sha256":MBEDTLS_MD_SHA256:0:0:0:0:0 Certificate Request check Server1 SHA384 depends_on:MBEDTLS_MD_CAN_SHA384:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha384":MBEDTLS_MD_SHA384:0:0:0:0:0 +x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.sha384":MBEDTLS_MD_SHA384:0:0:0:0:0 Certificate Request check Server1 SHA512 depends_on:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha512":MBEDTLS_MD_SHA512:0:0:0:0:0 +x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.sha512":MBEDTLS_MD_SHA512:0:0:0:0:0 Certificate Request check Server1 MD5 depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.md5":MBEDTLS_MD_MD5:0:0:0:0:0 +x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.md5":MBEDTLS_MD_MD5:0:0:0:0:0 Certificate Request check Server1 key_usage depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0:0 +x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.key_usage":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0:0 Certificate Request check opaque Server1 key_usage depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check_opaque:"data_files/server1.key":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:0 +x509_csr_check_opaque:"../framework/data_files/server1.key":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:0 Certificate Request check Server1 key_usage empty depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage_empty":MBEDTLS_MD_SHA1:0:1:0:0:0 +x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.key_usage_empty":MBEDTLS_MD_SHA1:0:1:0:0:0 Certificate Request check Server1 ns_cert_type depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0 +x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.cert_type":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0 Certificate Request check Server1 ns_cert_type empty depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type_empty":MBEDTLS_MD_SHA1:0:0:0:1:0 +x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.cert_type_empty":MBEDTLS_MD_SHA1:0:0:0:1:0 Certificate Request check Server1 key_usage + ns_cert_type depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.ku-ct":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0 +x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.ku-ct":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0 Certificate Request check Server5 ECDSA, key_usage depends_on:MBEDTLS_MD_CAN_SHA1:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECP_HAVE_SECP256R1 -x509_csr_check:"data_files/server5.key":"data_files/server5.req.ku.sha1":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:1:0:0:0 +x509_csr_check:"../framework/data_files/server5.key":"../framework/data_files/server5.req.ku.sha1":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:1:0:0:0 Certificate Request check Server1, set_extension depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 -x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha256.ext":MBEDTLS_MD_SHA256:0:0:0:0:1 +x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.sha256.ext":MBEDTLS_MD_SHA256:0:0:0:0:1 Certificate Request check opaque Server5 ECDSA, key_usage depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1 -x509_csr_check_opaque:"data_files/server5.key":MBEDTLS_MD_SHA256:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:0 +x509_csr_check_opaque:"../framework/data_files/server5.key":MBEDTLS_MD_SHA256:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:0 Certificate write check Server1 SHA1 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5 -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.crt":0:0:"data_files/test-ca.crt":0 +x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.crt":0:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, not before 1970 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5 -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"19700210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt":0 +x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"19700210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, not after 2050 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5 -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20500210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt":0 +x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20500210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, not before 1970, not after 2050 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5 -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"19700210144406":"20500210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt":0 +x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"19700210144406":"20500210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, not before 2050, not after 2059 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5 -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20500210144406":"20590210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"data_files/test-ca.crt":0 +x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20500210144406":"20590210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"":0:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, key_usage depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5 -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:1:-1:"data_files/server1.key_usage.crt":0:0:"data_files/test-ca.crt":0 +x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:1:-1:"../framework/data_files/server1.key_usage.crt":0:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, one ext_key_usage depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5 -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:"serverAuth":0:0:1:-1:"data_files/server1.key_ext_usage.crt":0:0:"data_files/test-ca.crt":0 +x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:"serverAuth":0:0:1:-1:"../framework/data_files/server1.key_ext_usage.crt":0:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, two ext_key_usages depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5 -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:"codeSigning,timeStamping":0:0:1:-1:"data_files/server1.key_ext_usages.crt":0:0:"data_files/test-ca.crt":0 +x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:"codeSigning,timeStamping":0:0:1:-1:"../framework/data_files/server1.key_ext_usages.crt":0:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, ns_cert_type depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5 -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"data_files/server1.cert_type.crt":0:0:"data_files/test-ca.crt":0 +x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"../framework/data_files/server1.cert_type.crt":0:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, version 1 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5 -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":0:0:"data_files/test-ca.crt":0 +x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:MBEDTLS_X509_CRT_VERSION_1:"../framework/data_files/server1.v1.crt":0:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, CA depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5 -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.ca.crt":0:1:"data_files/test-ca.crt":0 +x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.ca.crt":0:1:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, RSA_ALT depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5 -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:-1:"data_files/server1.noauthid.crt":1:0:"data_files/test-ca.crt":0 +x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:-1:"../framework/data_files/server1.noauthid.crt":1:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, RSA_ALT, key_usage depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5 -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:0:-1:"data_files/server1.key_usage_noauthid.crt":1:0:"data_files/test-ca.crt":0 +x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:0:-1:"../framework/data_files/server1.key_usage_noauthid.crt":1:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, RSA_ALT, ns_cert_type depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5 -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0:-1:"data_files/server1.cert_type_noauthid.crt":1:0:"data_files/test-ca.crt":0 +x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0:-1:"../framework/data_files/server1.cert_type_noauthid.crt":1:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, RSA_ALT, version 1 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5 -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":1:0:"data_files/test-ca.crt":0 +x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:MBEDTLS_X509_CRT_VERSION_1:"../framework/data_files/server1.v1.crt":1:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, RSA_ALT, CA depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5 -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:-1:"data_files/server1.ca_noauthid.crt":1:1:"data_files/test-ca.crt":0 +x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:-1:"../framework/data_files/server1.ca_noauthid.crt":1:1:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, Opaque depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5:MBEDTLS_USE_PSA_CRYPTO -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.crt":2:0:"data_files/test-ca.crt":0 +x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.crt":2:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, Opaque, key_usage depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5:MBEDTLS_USE_PSA_CRYPTO -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:1:-1:"data_files/server1.key_usage.crt":2:0:"data_files/test-ca.crt":0 +x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:1:-1:"../framework/data_files/server1.key_usage.crt":2:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, Opaque, ns_cert_type depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5:MBEDTLS_USE_PSA_CRYPTO -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"data_files/server1.cert_type.crt":2:0:"data_files/test-ca.crt":0 +x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"../framework/data_files/server1.cert_type.crt":2:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, Opaque, version 1 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5:MBEDTLS_USE_PSA_CRYPTO -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":2:0:"data_files/test-ca.crt":0 +x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:MBEDTLS_X509_CRT_VERSION_1:"../framework/data_files/server1.v1.crt":2:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, Opaque, CA depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5:MBEDTLS_USE_PSA_CRYPTO -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.ca.crt":2:1:"data_files/test-ca.crt":0 +x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.ca.crt":2:1:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, Full length serial depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5 -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"112233445566778899aabbccddeeff0011223344":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.long_serial.crt":0:0:"data_files/test-ca.crt":0 +x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"112233445566778899aabbccddeeff0011223344":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.long_serial.crt":0:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, Serial starting with 0x80 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5 -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"8011223344":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.80serial.crt":0:0:"data_files/test-ca.crt":0 +x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"8011223344":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.80serial.crt":0:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, All 0xFF full length serial depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5 -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"ffffffffffffffffffffffffffffffff":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.long_serial_FF.crt":0:0:"data_files/test-ca.crt":0 +x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"ffffffffffffffffffffffffffffffff":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.long_serial_FF.crt":0:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server5 ECDSA depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_ECP_HAVE_SECP256R1 -x509_crt_check:"data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"data_files/server5.crt":0:0:"data_files/test-ca2.crt":0 +x509_crt_check:"../framework/data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"../framework/data_files/server5.crt":0:0:"../framework/data_files/test-ca2.crt":0 Certificate write check Server5 ECDSA, Opaque depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_USE_PSA_CRYPTO -x509_crt_check:"data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"":2:0:"data_files/test-ca2.crt":0 +x509_crt_check:"../framework/data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"":2:0:"../framework/data_files/test-ca2.crt":0 Certificate write check Server1 SHA1, SubjectAltNames depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_MD5 -x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"data_files/server1.allSubjectAltNames.crt":0:0:"data_files/test-ca.crt":1 +x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.allSubjectAltNames.crt":0:0:"../framework/data_files/test-ca.crt":1 X509 String to Names #1 mbedtls_x509_string_to_names:"C=NL,O=Offspark\\, Inc., OU=PolarSSL":"C=NL, O=Offspark\\, Inc., OU=PolarSSL":0:0 diff --git a/yass/third_party/mbedtls/tests/suites/test_suite_x509write.function b/yass/third_party/mbedtls/tests/suites/test_suite_x509write.function index 1db7e1cff2..2762b0f84e 100644 --- a/yass/third_party/mbedtls/tests/suites/test_suite_x509write.function +++ b/yass/third_party/mbedtls/tests/suites/test_suite_x509write.function @@ -10,27 +10,31 @@ #include "mbedtls/pk.h" #include "mbedtls/psa_util.h" -#if defined(MBEDTLS_RSA_C) -int mbedtls_rsa_decrypt_func(void *ctx, size_t *olen, - const unsigned char *input, unsigned char *output, - size_t output_max_len) +#if defined(MBEDTLS_PEM_WRITE_C) && \ + defined(MBEDTLS_X509_CRT_WRITE_C) && \ + defined(MBEDTLS_X509_CRT_PARSE_C) && \ + defined(MBEDTLS_MD_CAN_SHA1) && \ + defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PK_RSA_ALT_SUPPORT) +static int mbedtls_rsa_decrypt_func(void *ctx, size_t *olen, + const unsigned char *input, unsigned char *output, + size_t output_max_len) { return mbedtls_rsa_pkcs1_decrypt((mbedtls_rsa_context *) ctx, NULL, NULL, olen, input, output, output_max_len); } -int mbedtls_rsa_sign_func(void *ctx, - int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, - mbedtls_md_type_t md_alg, unsigned int hashlen, - const unsigned char *hash, unsigned char *sig) +static int mbedtls_rsa_sign_func(void *ctx, + int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, + mbedtls_md_type_t md_alg, unsigned int hashlen, + const unsigned char *hash, unsigned char *sig) { return mbedtls_rsa_pkcs1_sign((mbedtls_rsa_context *) ctx, f_rng, p_rng, md_alg, hashlen, hash, sig); } -size_t mbedtls_rsa_key_len_func(void *ctx) +static size_t mbedtls_rsa_key_len_func(void *ctx) { return ((const mbedtls_rsa_context *) ctx)->len; } -#endif /* MBEDTLS_RSA_C */ +#endif #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ defined(MBEDTLS_PEM_WRITE_C) && defined(MBEDTLS_X509_CSR_WRITE_C) diff --git a/yass/third_party/mbedtls/visualc/VS2017/mbedTLS.vcxproj b/yass/third_party/mbedtls/visualc/VS2017/mbedTLS.vcxproj index 0abecc064d..294eb4abab 100644 --- a/yass/third_party/mbedtls/visualc/VS2017/mbedTLS.vcxproj +++ b/yass/third_party/mbedtls/visualc/VS2017/mbedTLS.vcxproj @@ -225,6 +225,7 @@ + @@ -278,6 +279,7 @@ +