diff --git a/ChangeLog b/ChangeLog index 3ca702d64..a16a948d7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,8 @@ Features * Support for parsing and verifying RSASSA-PSS signatures in the X.509 modules (certificates, CRLs and CSRs). * Blowfish in the cipher layer now supports variable length keys. + * Add example config.h for PSK with CCM, optimized for low RAM usage. + * Optimize for RAM usage in example config.h for NSA Suite B profile. Changes * Add LINK_WITH_PTHREAD option in CMake for explicit linking that is diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h new file mode 100644 index 000000000..f425391d0 --- /dev/null +++ b/configs/config-ccm-psk-tls1_2.h 
@@ -0,0 +1,55 @@
+/*
+ * Minimal configuration for TLS 1.2 with PSK and AES-CCM ciphersuites
+ * Distinguishing features:
+ * - no bignum, no PK, no X509
+ * - fully modern and secure (provided the pre-shared keys have high entropy)
+ * - very low record overhead if using the CCM-8 suites
+ * - optimized for low RAM usage
+ *
+ * See README.txt for usage instructions.
+ */
+#ifndef POLARSSL_CONFIG_H
+#define POLARSSL_CONFIG_H
+
+/* System support */
+//#define POLARSSL_HAVE_IPV6 /* Optional */
+//#define POLARSSL_HAVE_TIME /* Optionnaly used in Hello messages */
+/* Other POLARSSL_HAVE_XXX flags irrelevant for this configuration */
+
+/* PolarSSL feature support */
+#define POLARSSL_KEY_EXCHANGE_PSK_ENABLED
+#define POLARSSL_SSL_PROTO_TLS1_2
+
+/* PolarSSL modules */
+#define POLARSSL_AES_C
+#define POLARSSL_CCM_C
+#define POLARSSL_CIPHER_C
+#define POLARSSL_CTR_DRBG_C
+#define POLARSSL_ENTROPY_C
+#define POLARSSL_MD_C
+#define POLARSSL_NET_C
+#define POLARSSL_SHA256_C
+#define POLARSSL_SSL_CLI_C
+#define POLARSSL_SSL_SRV_C
+#define POLARSSL_SSL_TLS_C
+
+/* Save RAM at the expense of ROM */
+#define POLARSSL_AES_ROM_TABLES
+
+/*
+ * You should adjust this to the exact number of sources you're using: default
+ * is the "platform_entropy_poll" source, but you may want to add other ones
+ * Minimum is 2 for the entropy test suite.
+ */
+#define ENTROPY_MAX_SOURCES 2
+
+/*
+ * Save RAM at the expense of interoperability: do this only if you control
+ * both ends of the connection! (See coments in "polarssl/ssl.h".)
+ * The optimal size here depends on the typical size of records.
+ */
+#define SSL_MAX_CONTENT_LEN 512
+
+#include "check_config.h"
+
+#endif /* POLARSSL_CONFIG_H */
diff --git a/configs/config-picocoin.h b/configs/config-picocoin.h
new file mode 100644
index 000000000..eeac5d081
--- /dev/null
+++ b/configs/config-picocoin.h
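Review bot: The header comment of config-ccm-psk-tls1_2.h says `fully modern and secure (provided the pre-shared keys have high entropy)`, which leaves out two properties an integrator needs before choosing this profile. With only `POLARSSL_KEY_EXCHANGE_PSK_ENABLED` there is no ephemeral key exchange, so sessions have no forward secrecy: anyone who later obtains the PSK can decrypt recorded traffic. The CCM-8 suites also truncate the authentication tag to 8 bytes, which lowers forgery resistance compared with the full-tag suites. I would add a bullet such as ` * - no forward secrecy (plain PSK); CCM-8 suites use a truncated 8-byte tag`. While there, fix `Optionnaly` → `Optionally` and `coments` → `comments`; the same typos appear in the config-psk-rc4-tls1_0.h and config-suite-b.h hunks.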
@@ -0,0 +1,53 @@
+/*
+ * Reduced configuration used by Picocoin.
+ *
+ * See README.txt for usage instructions.
+ *
+ * Distinguishing features:
+ * - no SSL/TLS;
+ * - no X.509;
+ * - ECDSA/PK and some other chosen crypto bits.
+ */
+
+#ifndef POLARSSL_CONFIG_H
+#define POLARSSL_CONFIG_H
+
+/* System support */
+#define POLARSSL_HAVE_LONGLONG
+#define POLARSSL_HAVE_ASM
+#define POLARSSL_HAVE_TIME
+#define POLARSSL_HAVE_IPV6
+
+/* PolarSSL feature support */
+#define POLARSSL_CIPHER_MODE_CBC
+#define POLARSSL_CIPHER_PADDING_PKCS7
+#define POLARSSL_ECP_DP_SECP256K1_ENABLED
+#define POLARSSL_ECDSA_DETERMINISTIC
+#define POLARSSL_PK_PARSE_EC_EXTENDED
+#define POLARSSL_ERROR_STRERROR_DUMMY
+#define POLARSSL_FS_IO
+
+/* PolarSSL modules */
+#define POLARSSL_AESNI_C
+#define POLARSSL_AES_C
+#define POLARSSL_ASN1_PARSE_C
+#define POLARSSL_ASN1_WRITE_C
+#define POLARSSL_BASE64_C
+#define POLARSSL_BIGNUM_C
+#define POLARSSL_ECDSA_C
+#define POLARSSL_ECP_C
+#define POLARSSL_ENTROPY_C
+#define POLARSSL_HMAC_DRBG_C
+#define POLARSSL_MD_C
+#define POLARSSL_OID_C
+#define POLARSSL_PADLOCK_C
+#define POLARSSL_PK_C
+#define POLARSSL_PK_PARSE_C
+#define POLARSSL_PK_WRITE_C
+#define POLARSSL_RIPEMD160_C
+#define POLARSSL_SHA1_C
+#define POLARSSL_SHA256_C
+
+#include "check_config.h"
+
+#endif /* POLARSSL_CONFIG_H */
diff --git a/configs/config-psk-rc4-tls1_0.h b/configs/config-psk-rc4-tls1_0.h
index 99942a68b..c967b4c4d 100644
--- a/configs/config-psk-rc4-tls1_0.h
+++ b/configs/config-psk-rc4-tls1_0.h
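Review bot: The header comment of config-picocoin.h describes the selection only as `some other chosen crypto bits`, so a maintainer cannot tell which modules are load-bearing and which could be dropped. In particular the only cipher mode enabled is `POLARSSL_CIPHER_MODE_CBC` with `POLARSSL_CIPHER_PADDING_PKCS7` and no AEAD module (neither GCM nor CCM), so whatever uses the cipher layer has to authenticate ciphertext itself before decrypting, or padding errors can leak information. I would extend the comment with one line per group, for example ` * - AES-CBC/PKCS7 is unauthenticated: callers must MAC the ciphertext (HMAC is available via MD_C)`. How Picocoin actually uses these modules is not visible here, so that wording needs confirming against the consumer.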
@@ -2,15 +2,19 @@ * Custom compact configuration for TLS 1.0 with PSK and RC4 * Distinguishing features: no bignum, no PK, no X509. * + * WARNING: RC4 is in the process of being deprecated! + * This configuration is kept for testing purposes only, DO NOT USE it! + * For a safe and lean PSK-based configuration, see config-ccm-psk-tls1_2.h + * * See README.txt for usage instructions. */ - #ifndef POLARSSL_CONFIG_H #define POLARSSL_CONFIG_H /* System support */ -#define POLARSSL_HAVE_TIME -#define POLARSSL_HAVE_IPV6 +//#define POLARSSL_HAVE_IPV6 /* Optional */ +//#define POLARSSL_HAVE_TIME /* Optionnaly used in Hello messages */ +/* Other POLARSSL_HAVE_XXX flags irrelevant for this configuration */ /* PolarSSL feature support */ #define POLARSSL_KEY_EXCHANGE_PSK_ENABLED @@ -19,15 +23,12 @@ /* PolarSSL modules */ #define POLARSSL_AES_C #define POLARSSL_ARC4_C -#define POLARSSL_ASN1_PARSE_C -#define POLARSSL_ASN1_WRITE_C #define POLARSSL_CIPHER_C #define POLARSSL_CTR_DRBG_C #define POLARSSL_ENTROPY_C #define POLARSSL_MD_C #define POLARSSL_MD5_C #define POLARSSL_NET_C -#define POLARSSL_OID_C #define POLARSSL_SHA1_C #define POLARSSL_SHA256_C #define POLARSSL_SSL_CLI_C diff --git a/configs/config-suite-b.h b/configs/config-suite-b.h index bac71e9ad..d10cf6320 100644 --- a/configs/config-suite-b.h +++ b/configs/config-suite-b.h @@ -1,6 +1,14 @@ /* * Minimal configuration for TLS NSA Suite B Profile (RFC 6460) * + * Distinguishing features: + * - no RSA or classic DH, fully based on ECC + * - optimized for low RAM usage + * + * Possible improvements: + * - if 128-bit security is enough, disable secp384r1 and SHA-512 + * - use embedded certs in DER format and disable PEM_PARSE_C and BASE64_C + * * See README.txt for usage instructions. */ 
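Review bot: The new `WARNING` block in config-psk-rc4-tls1_0.h does not say why the profile is unsafe, and `in the process of being deprecated` reads as a scheduling note rather than a security statement. Since this is the only thing standing between a copy-paste and an RC4-only build, I would state the reason in the comment, e.g. ` * RC4 has known keystream biases; this profile offers no other cipher to fall back to.` The pointer to config-ccm-psk-tls1_2.h is useful and should stay. The second claim is inferred from the file title and the visible module list; the lines between the two hunks are not shown.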
@@ -48,8 +56,34 @@ #define POLARSSL_CERTS_C #define POLARSSL_PEM_PARSE_C -/* For testing with compat.sh */ -#define POLARSSL_FS_IO +/* Save RAM at the expense of ROM */ +#define POLARSSL_AES_ROM_TABLES + +/* Save RAM by adjusting to our exact needs */ +#define POLARSSL_ECP_MAX_BITS 384 +#define POLARSSL_MPI_MAX_SIZE 48 // 384 bits is 48 bytes + +/* Save RAM at the expense of speed, see ecp.h */ +#define POLARSSL_ECP_WINDOW_SIZE 2 +#define POLARSSL_ECP_FIXED_POINT_OPTIM 0 + +/* Uncomment for a significant speed benefit at the expense of some ROM */ +//#define POLARSSL_ECP_NIST_OPTIM + +/* + * You should adjust this to the exact number of sources you're using: default + * is the "platform_entropy_poll" source, but you may want to add other ones. + * Minimum is 2 for the entropy test suite. + */ +#define ENTROPY_MAX_SOURCES 2 + +/* + * Save RAM at the expense of interoperability: do this only if you control + * both ends of the connection! (See coments in "polarssl/ssl.h".) + * The minimum size here depends on the certificate chain used as well as the + * typical size of records. + */ +#define SSL_MAX_CONTENT_LEN 1024 #include "polarssl/check_config.h" diff --git a/include/polarssl/cipher.h b/include/polarssl/cipher.h index 51534613e..84993f767 100644 --- a/include/polarssl/cipher.h +++ b/include/polarssl/cipher.h @@ -36,7 +36,7 @@ #include POLARSSL_CONFIG_FILE #endif -#if defined(POLARSSL_GCM_C) +#if defined(POLARSSL_GCM_C) || defined(POLARSSL_CCM_C) #define POLARSSL_CIPHER_MODE_AEAD #endif 
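Review bot: In the config-suite-b.h hunk, `POLARSSL_ECP_MAX_BITS 384` and `POLARSSL_MPI_MAX_SIZE 48` are sized exactly to secp384r1 with no slack, and nothing in the hunk ties them to the curves this file enables. If someone later enables a larger curve, or any RSA/DHM module, and leaves these two lines alone, buffers and limits derived from them would be too small. Whether check_config.h rejects that combination is not visible here. I would put the constraint next to the defines, e.g. `/* Must be raised if a curve larger than secp384r1, or RSA/DHM, is enabled */`.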
@@ -534,25 +534,21 @@ int cipher_set_iv( cipher_context_t *ctx, */ int cipher_reset( cipher_context_t *ctx ); -#if defined(POLARSSL_CIPHER_MODE_AEAD) +#if defined(POLARSSL_GCM_C) /** * \brief Add additional data (for AEAD ciphers). - * This function has no effect for non-AEAD ciphers. - * For AEAD ciphers, it may or may not be called - * repeatedly, and/or interleaved with calls to - * cipher_udpate(), depending on the cipher. - * E.g. for GCM is must be called exactly once, right - * after cipher_reset(). + * Currently only supported with GCM. + * Must be called exactly once, after cipher_reset(). * * \param ctx generic cipher context * \param ad Additional data to use. * \param ad_len Length of ad. * - * \returns 0 on success, or a specific error code. + * \return 0 on success, or a specific error code. */ int cipher_update_ad( cipher_context_t *ctx, const unsigned char *ad, size_t ad_len ); -#endif /* POLARSSL_CIPHER_MODE_AEAD */ +#endif /* POLARSSL_GCM_C */ /** * \brief Generic cipher update function. Encrypts/decrypts @@ -606,10 +602,10 @@ int cipher_update( cipher_context_t *ctx, const unsigned char *input, int cipher_finish( cipher_context_t *ctx, unsigned char *output, size_t *olen ); -#if defined(POLARSSL_CIPHER_MODE_AEAD) +#if defined(POLARSSL_GCM_C) /** * \brief Write tag for AEAD ciphers. - * No effect for other ciphers. + * Currently only supported with GCM. * Must be called after cipher_finish(). * * \param ctx Generic cipher context @@ -623,9 +619,8 @@ int cipher_write_tag( cipher_context_t *ctx, /** * \brief Check tag for AEAD ciphers. - * No effect for other ciphers. - * Calling time depends on the cipher: - * for GCM, must be called after cipher_finish(). + * Currently only supported with GCM. + * Must be called after cipher_finish(). * * \param ctx Generic cipher context * \param tag Buffer holding the tag 
@@ -635,7 +630,7 @@ int cipher_write_tag( cipher_context_t *ctx, */ int cipher_check_tag( cipher_context_t *ctx, const unsigned char *tag, size_t tag_len ); -#endif /* POLARSSL_CIPHER_MODE_AEAD */ +#endif /* POLARSSL_GCM_C */ /** * \brief Generic all-in-one encryption/decryption diff --git a/library/cipher.c b/library/cipher.c index 558c4b35b..16acd805e 100644 --- a/library/cipher.c +++ b/library/cipher.c @@ -234,24 +234,22 @@ int cipher_reset( cipher_context_t *ctx ) return( 0 ); } -#if defined(POLARSSL_CIPHER_MODE_AEAD) +#if defined(POLARSSL_GCM_C) int cipher_update_ad( cipher_context_t *ctx, const unsigned char *ad, size_t ad_len ) { if( NULL == ctx || NULL == ctx->cipher_info ) return( POLARSSL_ERR_CIPHER_BAD_INPUT_DATA ); -#if defined(POLARSSL_GCM_C) if( POLARSSL_MODE_GCM == ctx->cipher_info->mode ) { return gcm_starts( (gcm_context *) ctx->cipher_ctx, ctx->operation, ctx->iv, ctx->iv_size, ad, ad_len ); } -#endif return( 0 ); } -#endif /* POLARSSL_CIPHER_MODE_AEAD */ +#endif /* POLARSSL_GCM_C */ int cipher_update( cipher_context_t *ctx, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen ) @@ -724,7 +722,7 @@ int cipher_set_padding_mode( cipher_context_t *ctx, cipher_padding_t mode ) } #endif /* POLARSSL_CIPHER_MODE_WITH_PADDING */ -#if defined(POLARSSL_CIPHER_MODE_AEAD) +#if defined(POLARSSL_GCM_C) int cipher_write_tag( cipher_context_t *ctx, unsigned char *tag, size_t tag_len ) { @@ -734,10 +732,8 @@ int cipher_write_tag( cipher_context_t *ctx, if( POLARSSL_ENCRYPT != ctx->operation ) return( POLARSSL_ERR_CIPHER_BAD_INPUT_DATA ); -#if defined(POLARSSL_GCM_C) if( POLARSSL_MODE_GCM == ctx->cipher_info->mode ) return gcm_finish( (gcm_context *) ctx->cipher_ctx, tag, tag_len ); -#endif return( 0 ); } @@ -753,7 +749,6 @@ int cipher_check_tag( cipher_context_t *ctx, return( POLARSSL_ERR_CIPHER_BAD_INPUT_DATA ); } -#if defined(POLARSSL_GCM_C) if( POLARSSL_MODE_GCM == ctx->cipher_info->mode ) { unsigned char check_tag[16]; 
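Review bot: In library/cipher.c, `cipher_write_tag()` and `cipher_check_tag()` still end in `return( 0 );` for every mode that is not GCM, while the cipher.h hunk in this commit makes POLARSSL_CIPHER_MODE_AEAD cover CCM as well. In a build with both GCM and CCM, calling `cipher_check_tag()` on a CCM context would return 0, which a caller reads as "tag verified" although nothing was compared. I would fail closed for AEAD modes this path does not implement, e.g. `if( POLARSSL_MODE_CCM == ctx->cipher_info->mode ) return( POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE );` before the final return. The cipher.h text should also state the return value for other modes rather than only `Currently only supported with GCM`. Both function bodies extend beyond the hunks shown, so confirm that no earlier branch already rejects CCM.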
@@ -778,11 +773,10 @@ int cipher_check_tag( cipher_context_t *ctx, return( 0 ); } -#endif /* POLARSSL_GCM_C */ return( 0 ); } -#endif /* POLARSSL_CIPHER_MODE_AEAD */ +#endif /* POLARSSL_GCM_C */ /* * Packet-oriented wrapper for non-AEAD modes diff --git a/library/pkparse.c b/library/pkparse.c index 3c8063fe7..29217a28a 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -62,12 +62,12 @@ #define polarssl_free free #endif +#if defined(POLARSSL_FS_IO) /* Implementation that should never be optimized out by the compiler */ static void polarssl_zeroize( void *v, size_t n ) { volatile unsigned char *p = v; while( n-- ) *p++ = 0; } -#if defined(POLARSSL_FS_IO) /* * Load all data from a file into a given buffer. */ diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c index 2db531486..7463353f4 100644 --- a/library/ssl_ciphersuites.c +++ b/library/ssl_ciphersuites.c 
@@ -1105,23 +1105,23 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] = #endif /* POLARSSL_SHA1_C */ #endif /* POLARSSL_CIPHER_MODE_CBC */ #if defined(POLARSSL_CCM_C) - { TLS_DHE_PSK_WITH_AES_256_CCM, "TLS-DHE-PSK-WITH-AES-256-CCM", - POLARSSL_CIPHER_AES_256_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_PSK, + { TLS_PSK_WITH_AES_256_CCM, "TLS-PSK-WITH-AES-256-CCM", + POLARSSL_CIPHER_AES_256_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_PSK, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, 0 }, - { TLS_DHE_PSK_WITH_AES_256_CCM_8, "TLS-DHE-PSK-WITH-AES-256-CCM-8", - POLARSSL_CIPHER_AES_256_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_PSK, + { TLS_PSK_WITH_AES_256_CCM_8, "TLS-PSK-WITH-AES-256-CCM-8", + POLARSSL_CIPHER_AES_256_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_PSK, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, POLARSSL_CIPHERSUITE_SHORT_TAG }, - { TLS_DHE_PSK_WITH_AES_128_CCM, "TLS-DHE-PSK-WITH-AES-128-CCM", - POLARSSL_CIPHER_AES_128_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_PSK, + { TLS_PSK_WITH_AES_128_CCM, "TLS-PSK-WITH-AES-128-CCM", + POLARSSL_CIPHER_AES_128_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_PSK, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, 0 }, - { TLS_DHE_PSK_WITH_AES_128_CCM_8, "TLS-DHE-PSK-WITH-AES-128-CCM-8", - POLARSSL_CIPHER_AES_128_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_PSK, + { TLS_PSK_WITH_AES_128_CCM_8, "TLS-PSK-WITH-AES-128-CCM-8", + POLARSSL_CIPHER_AES_128_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_PSK, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, POLARSSL_CIPHERSUITE_SHORT_TAG }, 
@@ -1241,23 +1241,23 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] = #endif /* POLARSSL_SHA1_C */ #endif /* POLARSSL_CIPHER_MODE_CBC */ #if defined(POLARSSL_CCM_C) - { TLS_PSK_WITH_AES_256_CCM, "TLS-PSK-WITH-AES-256-CCM", - POLARSSL_CIPHER_AES_256_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_PSK, + { TLS_DHE_PSK_WITH_AES_256_CCM, "TLS-DHE-PSK-WITH-AES-256-CCM", + POLARSSL_CIPHER_AES_256_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_PSK, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, 0 }, - { TLS_PSK_WITH_AES_256_CCM_8, "TLS-PSK-WITH-AES-256-CCM-8", - POLARSSL_CIPHER_AES_256_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_PSK, + { TLS_DHE_PSK_WITH_AES_256_CCM_8, "TLS-DHE-PSK-WITH-AES-256-CCM-8", + POLARSSL_CIPHER_AES_256_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_PSK, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, POLARSSL_CIPHERSUITE_SHORT_TAG }, - { TLS_PSK_WITH_AES_128_CCM, "TLS-PSK-WITH-AES-128-CCM", - POLARSSL_CIPHER_AES_128_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_PSK, + { TLS_DHE_PSK_WITH_AES_128_CCM, "TLS-DHE-PSK-WITH-AES-128-CCM", + POLARSSL_CIPHER_AES_128_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_PSK, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, 0 }, - { TLS_PSK_WITH_AES_128_CCM_8, "TLS-PSK-WITH-AES-128-CCM-8", - POLARSSL_CIPHER_AES_128_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_PSK, + { TLS_DHE_PSK_WITH_AES_128_CCM_8, "TLS-DHE-PSK-WITH-AES-128-CCM-8", + POLARSSL_CIPHER_AES_128_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_PSK, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, POLARSSL_CIPHERSUITE_SHORT_TAG }, diff --git a/library/ssl_cli.c b/library/ssl_cli.c index d3096ab66..035cf3994 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c 
@@ -148,8 +148,10 @@ static void ssl_write_signature_algorithms_ext( ssl_context *ssl, size_t *olen ) { unsigned char *p = buf; - unsigned char *sig_alg_list = buf + 6; size_t sig_alg_len = 0; +#if defined(POLARSSL_RSA_C) || defined(POLARSSL_ECDSA_C) + unsigned char *sig_alg_list = buf + 6; +#endif *olen = 0; diff --git a/programs/pkey/key_app_writer.c b/programs/pkey/key_app_writer.c index c35736f9c..983b64e3f 100644 --- a/programs/pkey/key_app_writer.c +++ b/programs/pkey/key_app_writer.c @@ -63,8 +63,13 @@ int main( int argc, char *argv[] ) #define DFL_FILENAME "keyfile.key" #define DFL_DEBUG_LEVEL 0 #define DFL_OUTPUT_MODE OUTPUT_MODE_NONE +#if defined(POLARSSL_PEM_WRITE_C) #define DFL_OUTPUT_FILENAME "keyfile.pem" #define DFL_OUTPUT_FORMAT OUTPUT_FORMAT_PEM +#else +#define DFL_OUTPUT_FILENAME "keyfile.der" +#define DFL_OUTPUT_FORMAT OUTPUT_FORMAT_DER +#endif /* * global options @@ -88,6 +93,7 @@ static int write_public_key( pk_context *key, const char *output_file ) memset(output_buf, 0, 16000); +#if defined(POLARSSL_PEM_WRITE_C) if( opt.output_format == OUTPUT_FORMAT_PEM ) { if( ( ret = pk_write_pubkey_pem( key, output_buf, 16000 ) ) != 0 ) @@ -96,6 +102,7 @@ static int write_public_key( pk_context *key, const char *output_file ) len = strlen( (char *) output_buf ); } else +#endif { if( ( ret = pk_write_pubkey_der( key, output_buf, 16000 ) ) < 0 ) return( ret ); @@ -127,6 +134,8 @@ static int write_private_key( pk_context *key, const char *output_file ) size_t len = 0; memset(output_buf, 0, 16000); + +#if defined(POLARSSL_PEM_WRITE_C) if( opt.output_format == OUTPUT_FORMAT_PEM ) { if( ( ret = pk_write_key_pem( key, output_buf, 16000 ) ) != 0 ) @@ -135,6 +144,7 @@ static int write_private_key( pk_context *key, const char *output_file ) len = strlen( (char *) output_buf ); } else +#endif { if( ( ret = pk_write_key_der( key, output_buf, 16000 ) ) < 0 ) return( ret ); 
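Review bot: In `ssl_write_signature_algorithms_ext()` (library/ssl_cli.c) the new guard only silences the unused `sig_alg_list`; with neither POLARSSL_RSA_C nor POLARSSL_ECDSA_C defined, `sig_alg_len` stays 0. If the rest of the function, which is outside this hunk, still writes the extension header in that case, a PSK-only client would send a signature_algorithms extension with an empty list. RFC 5246 gives that list a minimum length of 2 bytes, so strict peers may reject the ClientHello. I would skip the extension entirely in such builds, e.g. put the body after `*olen = 0;` under the same `#if defined(POLARSSL_RSA_C) || defined(POLARSSL_ECDSA_C)` so the function returns with `*olen` still 0.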
@@ -157,14 +167,23 @@ static int write_private_key( pk_context *key, const char *output_file ) return( 0 ); } +#if defined(POLARSSL_PEM_WRITE_C) +#define USAGE_OUT \ + " output_file=%%s default: keyfile.pem\n" \ + " output_format=pem|der default: pem\n" +#else +#define USAGE_OUT \ + " output_file=%%s default: keyfile.der\n" \ + " output_format=der default: der\n" +#endif + #define USAGE \ "\n usage: key_app param=<>...\n" \ "\n acceptable parameters:\n" \ " mode=private|public default: none\n" \ " filename=%%s default: keyfile.key\n" \ " output_mode=private|public default: none\n" \ - " output_file=%%s default: keyfile.pem\n" \ - " output_format=pem|der default: pem\n" \ + USAGE_OUT \ "\n" int main( int argc, char *argv[] ) @@ -222,9 +241,12 @@ int main( int argc, char *argv[] ) } else if( strcmp( p, "output_format" ) == 0 ) { +#if defined(POLARSSL_PEM_WRITE_C) if( strcmp( q, "pem" ) == 0 ) opt.output_format = OUTPUT_FORMAT_PEM; - else if( strcmp( q, "der" ) == 0 ) + else +#endif + if( strcmp( q, "der" ) == 0 ) opt.output_format = OUTPUT_FORMAT_DER; else goto usage; diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 280ef3d13..3af54f904 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -29,6 +29,22 @@ #include POLARSSL_CONFIG_FILE #endif +#if !defined(POLARSSL_ENTROPY_C) || \ + !defined(POLARSSL_SSL_TLS_C) || !defined(POLARSSL_SSL_CLI_C) || \ + !defined(POLARSSL_NET_C) || !defined(POLARSSL_CTR_DRBG_C) +#include +int main( int argc, char *argv[] ) +{ + ((void) argc); + ((void) argv); + + printf("POLARSSL_ENTROPY_C and/or " + "POLARSSL_SSL_TLS_C and/or POLARSSL_SSL_CLI_C and/or " + "POLARSSL_NET_C and/or POLARSSL_CTR_DRBG_C not defined.\n"); + return( 0 ); +} +#else + #include #include #include 
@@ -304,20 +320,6 @@ static int my_verify( void *data, x509_crt *crt, int depth, int *flags ) " force_ciphersuite= default: all enabled\n"\ " acceptable ciphersuite names:\n" -#if !defined(POLARSSL_ENTROPY_C) || \ - !defined(POLARSSL_SSL_TLS_C) || !defined(POLARSSL_SSL_CLI_C) || \ - !defined(POLARSSL_NET_C) || !defined(POLARSSL_CTR_DRBG_C) -int main( int argc, char *argv[] ) -{ - ((void) argc); - ((void) argv); - - printf("POLARSSL_ENTROPY_C and/or " - "POLARSSL_SSL_TLS_C and/or POLARSSL_SSL_CLI_C and/or " - "POLARSSL_NET_C and/or POLARSSL_CTR_DRBG_C not defined.\n"); - return( 0 ); -} -#else int main( int argc, char *argv[] ) { int ret = 0, len, server_fd, i, written, frags; diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index d617b3d9e..d5f01bc0b 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -29,6 +29,22 @@ #include POLARSSL_CONFIG_FILE #endif +#if !defined(POLARSSL_ENTROPY_C) || \ + !defined(POLARSSL_SSL_TLS_C) || !defined(POLARSSL_SSL_SRV_C) || \ + !defined(POLARSSL_NET_C) || !defined(POLARSSL_CTR_DRBG_C) +#include +int main( int argc, char *argv[] ) +{ + ((void) argc); + ((void) argv); + + printf("POLARSSL_ENTROPY_C and/or " + "POLARSSL_SSL_TLS_C and/or POLARSSL_SSL_SRV_C and/or " + "POLARSSL_NET_C and/or POLARSSL_CTR_DRBG_C not defined.\n"); + return( 0 ); +} +#else + #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) && defined(POLARSSL_FS_IO) #define POLARSSL_SNI #endif 
@@ -312,21 +328,6 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len ) " force_ciphersuite= default: all enabled\n" \ " acceptable ciphersuite names:\n" -#if !defined(POLARSSL_ENTROPY_C) || \ - !defined(POLARSSL_SSL_TLS_C) || !defined(POLARSSL_SSL_SRV_C) || \ - !defined(POLARSSL_NET_C) || !defined(POLARSSL_CTR_DRBG_C) -int main( int argc, char *argv[] ) -{ - ((void) argc); - ((void) argv); - - printf("POLARSSL_ENTROPY_C and/or " - "POLARSSL_SSL_TLS_C and/or POLARSSL_SSL_SRV_C and/or " - "POLARSSL_NET_C and/or POLARSSL_CTR_DRBG_C not defined.\n"); - return( 0 ); -} -#else - /* * Used by sni_parse and psk_parse to handle coma-separated lists */ diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index 6f609252a..9b09e3464 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -16,7 +16,11 @@ my %configs = ( 'config-mini-tls1_1.h' => '-m tls1_1 -f \'^DES-CBC3-SHA$\|^TLS-RSA-WITH-3DES-EDE-CBC-SHA$\'', 'config-suite-b.h' - => "-m tls1_2 -f 'ECDHE-ECDSA.*AES.*GCM'", + => "-m tls1_2 -f 'ECDHE-ECDSA.*AES.*GCM' -p PolarSSL", + 'config-picocoin.h' + => 0, + 'config-ccm-psk-tls1_2.h' + => '-m tls1_2 -f \'TLS-PSK.*AES.*CCM\'', ); # If no config-name is provided, use all known configs. @@ -59,9 +63,17 @@ while( my ($conf, $args) = each %configs ) { system( "make" ) and abort "Failed to build: $conf\n"; system( "make $test" ) and abort "Failed test suite: $conf\n"; - print "\nrunning compat.sh $args\n"; - system( "cd tests && ./compat.sh $args" ) - and abort "Failed compat.sh: $conf\n"; + + if( $args ) + { + print "\nrunning compat.sh $args\n"; + system( "cd tests && ./compat.sh $args" ) + and abort "Failed compat.sh: $conf\n"; + } + else + { + print "\nskipping compat.sh\n"; + } } system( "mv $config_h.bak $config_h" ) and warn "$config_h not restored\n"; diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index 09ae2e08a..7c9c76d02 100644 
--- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function @@ -60,7 +60,7 @@ void cipher_null_args( ) TEST_ASSERT( cipher_reset( NULL ) == POLARSSL_ERR_CIPHER_BAD_INPUT_DATA ); TEST_ASSERT( cipher_reset( &ctx ) == POLARSSL_ERR_CIPHER_BAD_INPUT_DATA ); -#if defined(POLARSSL_CIPHER_MODE_AEAD) +#if defined(POLARSSL_GCM_C) TEST_ASSERT( cipher_update_ad( NULL, buf, 0 ) == POLARSSL_ERR_CIPHER_BAD_INPUT_DATA ); TEST_ASSERT( cipher_update_ad( &ctx, buf, 0 ) @@ -77,7 +77,7 @@ void cipher_null_args( ) TEST_ASSERT( cipher_finish( &ctx, buf, &olen ) == POLARSSL_ERR_CIPHER_BAD_INPUT_DATA ); -#if defined(POLARSSL_CIPHER_MODE_AEAD) +#if defined(POLARSSL_GCM_C) TEST_ASSERT( cipher_write_tag( NULL, buf, olen ) == POLARSSL_ERR_CIPHER_BAD_INPUT_DATA ); TEST_ASSERT( cipher_write_tag( &ctx, buf, olen ) @@ -157,10 +157,10 @@ void enc_dec_buf( int cipher_id, char *cipher_string, int key_len, TEST_ASSERT( 0 == cipher_reset( &ctx_dec ) ); TEST_ASSERT( 0 == cipher_reset( &ctx_enc ) ); -#if defined(POLARSSL_CIPHER_MODE_AEAD) +#if defined(POLARSSL_GCM_C) TEST_ASSERT( 0 == cipher_update_ad( &ctx_dec, ad, sizeof( ad ) - i ) ); TEST_ASSERT( 0 == cipher_update_ad( &ctx_enc, ad, sizeof( ad ) - i ) ); -#endif /* POLARSSL_CIPHER_MODE_AEAD */ +#endif /* encode length number of bytes from inbuf */ TEST_ASSERT( 0 == cipher_update( &ctx_enc, inbuf, length, encbuf, &outlen ) ); @@ -174,9 +174,9 @@ void enc_dec_buf( int cipher_id, char *cipher_string, int key_len, TEST_ASSERT( 0 == cipher_finish( &ctx_enc, encbuf + outlen, &outlen ) ); total_len += outlen; -#if defined(POLARSSL_CIPHER_MODE_AEAD) +#if defined(POLARSSL_GCM_C) TEST_ASSERT( 0 == cipher_write_tag( &ctx_enc, tag, sizeof( tag ) ) ); -#endif /* POLARSSL_CIPHER_MODE_AEAD */ +#endif TEST_ASSERT( total_len == length || ( total_len % cipher_get_block_size( &ctx_enc ) == 0 && 
@@ -195,9 +195,9 @@ void enc_dec_buf( int cipher_id, char *cipher_string, int key_len, TEST_ASSERT( 0 == cipher_finish( &ctx_dec, decbuf + outlen, &outlen ) ); total_len += outlen; -#if defined(POLARSSL_CIPHER_MODE_AEAD) +#if defined(POLARSSL_GCM_C) TEST_ASSERT( 0 == cipher_check_tag( &ctx_dec, tag, sizeof( tag ) ) ); -#endif /* POLARSSL_CIPHER_MODE_AEAD */ +#endif /* check result */ TEST_ASSERT( total_len == length ); @@ -250,9 +250,9 @@ void enc_fail( int cipher_id, int pad_mode, int key_len, #endif /* POLARSSL_CIPHER_MODE_WITH_PADDING */ TEST_ASSERT( 0 == cipher_set_iv( &ctx, iv, 16 ) ); TEST_ASSERT( 0 == cipher_reset( &ctx ) ); -#if defined(POLARSSL_CIPHER_MODE_AEAD) +#if defined(POLARSSL_GCM_C) TEST_ASSERT( 0 == cipher_update_ad( &ctx, NULL, 0 ) ); -#endif /* POLARSSL_CIPHER_MODE_AEAD */ +#endif /* encode length number of bytes from inbuf */ TEST_ASSERT( 0 == cipher_update( &ctx, inbuf, length, encbuf, &outlen ) ); @@ -297,9 +297,9 @@ void dec_empty_buf() TEST_ASSERT( 0 == cipher_reset( &ctx_dec ) ); -#if defined(POLARSSL_CIPHER_MODE_AEAD) +#if defined(POLARSSL_GCM_C) TEST_ASSERT( 0 == cipher_update_ad( &ctx_dec, NULL, 0 ) ); -#endif /* POLARSSL_CIPHER_MODE_AEAD */ +#endif /* decode 0-byte string */ TEST_ASSERT( 0 == cipher_update( &ctx_dec, encbuf, 0, decbuf, &outlen ) ); @@ -359,10 +359,10 @@ void enc_dec_buf_multipart( int cipher_id, int key_len, int first_length_val, TEST_ASSERT( 0 == cipher_reset( &ctx_dec ) ); TEST_ASSERT( 0 == cipher_reset( &ctx_enc ) ); -#if defined(POLARSSL_CIPHER_MODE_AEAD) +#if defined(POLARSSL_GCM_C) TEST_ASSERT( 0 == cipher_update_ad( &ctx_dec, NULL, 0 ) ); TEST_ASSERT( 0 == cipher_update_ad( &ctx_enc, NULL, 0 ) ); -#endif /* POLARSSL_CIPHER_MODE_AEAD */ +#endif /* encode length number of bytes from inbuf */ TEST_ASSERT( 0 == cipher_update( &ctx_enc, inbuf, first_length, encbuf, &outlen ) ); 
@@ -416,7 +416,7 @@ void decrypt_test_vec( int cipher_id, int pad_mode, unsigned char ad[200]; unsigned char tag[20]; size_t key_len, iv_len, cipher_len, clear_len; -#if defined(POLARSSL_CIPHER_MODE_AEAD) +#if defined(POLARSSL_GCM_C) size_t ad_len, tag_len; #endif cipher_context_t ctx; @@ -435,7 +435,7 @@ void decrypt_test_vec( int cipher_id, int pad_mode, iv_len = unhexify( iv, hex_iv ); cipher_len = unhexify( cipher, hex_cipher ); clear_len = unhexify( clear, hex_clear ); -#if defined(POLARSSL_CIPHER_MODE_AEAD) +#if defined(POLARSSL_GCM_C) ad_len = unhexify( ad, hex_ad ); tag_len = unhexify( tag, hex_tag ); #else @@ -455,9 +455,9 @@ void decrypt_test_vec( int cipher_id, int pad_mode, #endif /* POLARSSL_CIPHER_MODE_WITH_PADDING */ TEST_ASSERT( 0 == cipher_set_iv( &ctx, iv, iv_len ) ); TEST_ASSERT( 0 == cipher_reset( &ctx ) ); -#if defined(POLARSSL_CIPHER_MODE_AEAD) +#if defined(POLARSSL_GCM_C) TEST_ASSERT( 0 == cipher_update_ad( &ctx, ad, ad_len ) ); -#endif /* POLARSSL_CIPHER_MODE_AEAD */ +#endif /* decode buffer and check tag */ total_len = 0; @@ -466,9 +466,9 @@ void decrypt_test_vec( int cipher_id, int pad_mode, TEST_ASSERT( finish_result == cipher_finish( &ctx, output + outlen, &outlen ) ); total_len += outlen; -#if defined(POLARSSL_CIPHER_MODE_AEAD) +#if defined(POLARSSL_GCM_C) TEST_ASSERT( tag_result == cipher_check_tag( &ctx, tag, tag_len ) ); -#endif /* POLARSSL_CIPHER_MODE_AEAD */ +#endif /* check plaintext only if everything went fine */ if( 0 == finish_result && 0 == tag_result ) diff --git a/tests/suites/test_suite_ecdsa.data b/tests/suites/test_suite_ecdsa.data index 501bdebd6..b03549bf5 100644 --- a/tests/suites/test_suite_ecdsa.data +++ b/tests/suites/test_suite_ecdsa.data 
@@ -23,7 +23,7 @@ depends_on:POLARSSL_ECP_DP_SECP256R1_ENABLED ecdsa_prim_test_vectors:POLARSSL_ECP_DP_SECP256R1:"DC51D3866A15BACDE33D96F992FCA99DA7E6EF0934E7097559C27F1614C88A7F":"2442A5CC0ECD015FA3CA31DC8E2BBC70BF42D60CBCA20085E0822CB04235E970":"6FC98BD7E50211A4A27102FA3549DF79EBCB4BF246B80945CDDFE7D509BBFD7D":"9E56F509196784D963D1C0A401510EE7ADA3DCC5DEE04B154BF61AF1D5A6DECE":"BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD":"CB28E0999B9C7715FD0A80D8E47A77079716CBBF917DD72E97566EA1C066957C":"86FA3BB4E26CAD5BF90B7F81899256CE7594BB1EA0C89212748BFF3B3D5B0315" ECDSA primitive rfc 4754 p384 -depends_on:POLARSSL_ECP_DP_SECP256R1_ENABLED +depends_on:POLARSSL_ECP_DP_SECP384R1_ENABLED ecdsa_prim_test_vectors:POLARSSL_ECP_DP_SECP384R1:"0BEB646634BA87735D77AE4809A0EBEA865535DE4C1E1DCB692E84708E81A5AF62E528C38B2A81B35309668D73524D9F":"96281BF8DD5E0525CA049C048D345D3082968D10FEDF5C5ACA0C64E6465A97EA5CE10C9DFEC21797415710721F437922":"447688BA94708EB6E2E4D59F6AB6D7EDFF9301D249FE49C33096655F5D502FAD3D383B91C5E7EDAA2B714CC99D5743CA":"B4B74E44D71A13D568003D7489908D564C7761E229C58CBFA18950096EB7463B854D7FA992F934D927376285E63414FA":"CB00753F45A35E8BB5A03D699AC65007272C32AB0EDED1631A8B605A43FF5BED8086072BA1E7CC2358BAECA134C825A7":"FB017B914E29149432D8BAC29A514640B46F53DDAB2C69948084E2930F1C8F7E08E07C9C63F2D21A07DCB56A6AF56EB3":"B263A1305E057F984D38726A1B46874109F417BCA112674C528262A40A629AF1CBB9F516CE0FA7D2FF630863A00E8B9F" ECDSA primitive rfc 4754 p521 diff --git a/tests/suites/test_suite_ecp.data b/tests/suites/test_suite_ecp.data index 278fa88f9..d871a8dfc 100644 --- a/tests/suites/test_suite_ecp.data +++ b/tests/suites/test_suite_ecp.data @@ -269,7 +269,7 @@ depends_on:POLARSSL_ECP_DP_SECP256R1_ENABLED ecp_tls_read_group:"030017":0:256 ECP tls read group #5 (OK, buffer continues) -depends_on:POLARSSL_ECP_DP_SECP256R1_ENABLED +depends_on:POLARSSL_ECP_DP_SECP384R1_ENABLED ecp_tls_read_group:"0300180000":0:384 ECP tls write-read group #1 
diff --git a/tests/suites/test_suite_pkwrite.function b/tests/suites/test_suite_pkwrite.function index 2ea940997..e172315b8 100644 --- a/tests/suites/test_suite_pkwrite.function +++ b/tests/suites/test_suite_pkwrite.function @@ -9,7 +9,7 @@ * END_DEPENDENCIES */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:POLARSSL_PEM_WRITE_C */ void pk_write_pubkey_check( char *key_file ) { pk_context key; @@ -40,7 +40,7 @@ void pk_write_pubkey_check( char *key_file ) } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:POLARSSL_PEM_WRITE_C */ void pk_write_key_check( char *key_file ) { pk_context key; diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index 9fd3adc3f..500df35af 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -142,7 +142,7 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file, } /* END_CASE */ -/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_USE_C */ +/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRT_C */ void x509_dn_gets( char *crt_file, char *entity, char *result_str ) { x509_crt crt; @@ -169,7 +169,7 @@ void x509_dn_gets( char *crt_file, char *entity, char *result_str ) } /* END_CASE */ -/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_USE_C */ +/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRT_C */ void x509_time_expired( char *crt_file, char *entity, int result ) { x509_crt crt; @@ -189,7 +189,7 @@ void x509_time_expired( char *crt_file, char *entity, int result ) } /* END_CASE */ -/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_USE_C */ +/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRT_C */ void x509_time_future( char *crt_file, char *entity, int result ) { x509_crt crt; 
@@ -316,7 +316,7 @@ void x509_crt_parse_path( char *crt_path, int ret, int nb_crt ) } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:POLARSSL_X509_USE_C */ void x509_oid_desc( char *oid_str, char *ref_desc ) { x509_buf oid; @@ -341,7 +341,7 @@ void x509_oid_desc( char *oid_str, char *ref_desc ) } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:POLARSSL_X509_USE_C */ void x509_oid_numstr( char *oid_str, char *numstr, int blen, int ret ) { x509_buf oid;