diff --git a/programs/ssl/ssl_test_lib.c b/programs/ssl/ssl_test_lib.c index 84553df71..46cea144c 100644 --- a/programs/ssl/ssl_test_lib.c +++ b/programs/ssl/ssl_test_lib.c @@ -63,7 +63,14 @@ static int dummy_entropy( void *data, unsigned char *output, size_t len ) void rng_init( rng_context_t *rng ) { +#if defined(MBEDTLS_CTR_DRBG_C) mbedtls_ctr_drbg_init( &rng->drbg ); +#elif defined(MBEDTLS_HMAC_DRBG_C) + mbedtls_hmac_drbg_init( &rng->drbg ); +#else +#error "No DRBG available" +#endif + mbedtls_entropy_init( &rng->entropy ); } @@ -75,10 +82,28 @@ int rng_seed( rng_context_t *rng, int reproducible, const char *pers ) if ( reproducible ) srand( 1 ); +#if defined(MBEDTLS_CTR_DRBG_C) int ret = mbedtls_ctr_drbg_seed( &rng->drbg, f_entropy, &rng->entropy, (const unsigned char *) pers, strlen( pers ) ); +#elif defined(MBEDTLS_HMAC_DRBG_C) +#if defined(MBEDTLS_SHA256_C) + const mbedtls_md_type_t md_type = MBEDTLS_MD_SHA256; +#elif defined(MBEDTLS_SHA512_C) + const mbedtls_md_type_t md_type = MBEDTLS_MD_SHA512; +#else +#error "No message digest available for HMAC_DRBG" +#endif + int ret = mbedtls_hmac_drbg_seed( &rng->drbg, + mbedtls_md_info_from_type( md_type ), + f_entropy, &rng->entropy, + (const unsigned char *) pers, + strlen( pers ) ); +#else +#error "No DRBG available" +#endif + if( ret != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned -0x%x\n", 
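Review bot: The three-way `#if defined(MBEDTLS_CTR_DRBG_C)` / `#elif defined(MBEDTLS_HMAC_DRBG_C)` / `#error` ladder added in rng_init() is repeated in rng_seed(), rng_free(), rng_get() and in the rng_context_t definition in ssl_test_lib.h, so five places must stay in step whenever the selection changes. Nothing in the visible hunks records which generator wins when both modules are enabled. I would add a comment at the first ladder stating the rule, for example `/* CTR_DRBG is preferred when both DRBG modules are enabled; HMAC_DRBG is the fallback. */`.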
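Review bot: The failure message at the end of the rng_seed() hunk still prints `mbedtls_ctr_drbg_seed returned -0x%x` when the HMAC_DRBG branch did the seeding, so a seeding failure is attributed to the wrong function in the log. Make the text generic, for example `" failed\n  ! DRBG seeding returned -0x%x\n"`, or pick the function name inside the same `#if` ladder. rng_seed() starts before the hunk and the `mbedtls_printf` call continues past its end, so the arguments are not visible here.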
@@ -91,14 +116,27 @@ int rng_seed( rng_context_t *rng, int reproducible, const char *pers ) void rng_free( rng_context_t *rng ) { +#if defined(MBEDTLS_CTR_DRBG_C) mbedtls_ctr_drbg_free( &rng->drbg ); +#elif defined(MBEDTLS_HMAC_DRBG_C) + mbedtls_hmac_drbg_free( &rng->drbg ); +#else +#error "No DRBG available" +#endif + mbedtls_entropy_free( &rng->entropy ); } int rng_get( void *p_rng, unsigned char *output, size_t output_len ) { rng_context_t *rng = p_rng; +#if defined(MBEDTLS_CTR_DRBG_C) return( mbedtls_ctr_drbg_random( &rng->drbg, output, output_len ) ); +#elif defined(MBEDTLS_HMAC_DRBG_C) + return( mbedtls_hmac_drbg_random( &rng->drbg, output, output_len ) ); +#else +#error "No DRBG available" +#endif } #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) diff --git a/programs/ssl/ssl_test_lib.h b/programs/ssl/ssl_test_lib.h index 344cd28fd..2e9173055 100644 --- a/programs/ssl/ssl_test_lib.h +++ b/programs/ssl/ssl_test_lib.h @@ -43,17 +43,20 @@ #define MBEDTLS_EXIT_FAILURE EXIT_FAILURE #endif -#if !defined(MBEDTLS_CTR_DRBG_C) || \ - !defined(MBEDTLS_ENTROPY_C) || \ +#if !defined(MBEDTLS_ENTROPY_C) || \ !defined(MBEDTLS_NET_C) || \ !defined(MBEDTLS_SSL_TLS_C) || \ defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) #define MBEDTLS_SSL_TEST_IMPOSSIBLE \ - "MBEDTLS_CTR_DRBG_C and/or " \ "MBEDTLS_ENTROPY_C and/or " \ "MBEDTLS_NET_C and/or " \ "MBEDTLS_SSL_TLS_C not defined, " \ "and/or MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER defined.\n" +#elif !( defined(MBEDTLS_CTR_DRBG_C) || \ + defined(MBEDTLS_HMAC_DRBG_C) && ( defined(MBEDTLS_SHA256_C) || \ + defined(MBEDTLS_SHA512_C) ) ) +#define MBEDTLS_SSL_TEST_IMPOSSIBLE \ + "Neither MBEDTLS_CTR_DRBG_C, nor MBEDTLS_HMAC_DRBG_C and a supported hash defined.\n" #else #undef MBEDTLS_SSL_TEST_IMPOSSIBLE @@ -65,6 +68,7 @@ #include "mbedtls/ssl.h" #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" +#include "mbedtls/hmac_drbg.h" #include "mbedtls/certs.h" #include "mbedtls/x509.h" #include "mbedtls/error.h" 
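Review bot: The new `#elif` condition in ssl_test_lib.h mixes `||` and `&&` without grouping, so the reader has to apply operator precedence to see that the hash requirement applies only to HMAC_DRBG. Writing it as `#elif !( defined(MBEDTLS_CTR_DRBG_C) || ( defined(MBEDTLS_HMAC_DRBG_C) && ( defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA512_C) ) ) )` makes the intent explicit. This check appears to be what keeps the `#error` branches in ssl_test_lib.c unreachable in a supported build, so it has to stay in step with the hash selection in rng_seed(). A one-line comment saying so would help. The closing `#endif` of this block is outside the hunk.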
@@ -131,7 +135,13 @@ mbedtls_time_t dummy_constant_time( mbedtls_time_t* time ); typedef struct { mbedtls_entropy_context entropy; +#if defined(MBEDTLS_CTR_DRBG_C) mbedtls_ctr_drbg_context drbg; +#elif defined(MBEDTLS_HMAC_DRBG_C) + mbedtls_hmac_drbg_context drbg; +#else +#error "No DRBG available" +#endif } rng_context_t; /** Initialize the RNG. diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index a016732f4..43a6fdd80 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -919,10 +919,17 @@ component_test_no_ctr_drbg () { CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . make - msg "test: no CTR_DRBG" + msg "test: Full minus CTR_DRBG - main suites" make test - # no ssl-opt.sh/compat.sh as they all depend on CTR_DRBG so far + # In this configuration, the TLS test programs use HMAC_DRBG. + # The SSL tests are slow, so run a small subset, just enough to get + # confidence that the SSL code copes with HMAC_DRBG. + msg "test: Full minus CTR_DRBG - ssl-opt.sh (subset)" + if_build_succeeded tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server' + + msg "test: Full minus CTR_DRBG - compat.sh (subset)" + if_build_succeeded tests/compat.sh -m tls1_2 -t 'ECDSA PSK' -V NO -p OpenSSL } component_test_no_hmac_drbg () { @@ -954,7 +961,7 @@ component_test_psa_external_rng_no_drbg () { msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG" make test - # No ssl-opt.sh/compat.sh because they require CTR_DRBG. + # no SSL tests as they all depend on having a DRBG } component_test_psa_external_rng_use_psa_crypto () { @@ -968,7 +975,8 @@ component_test_psa_external_rng_use_psa_crypto () { msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" make test - # No ssl-opt.sh/compat.sh because they require CTR_DRBG. + msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" + if_build_succeeded tests/ssl-opt.sh -f 'Default\|opaque' } component_test_ecp_no_internal_rng () {
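Review bot: In component_test_psa_external_rng_use_psa_crypto the added `msg` repeats the exact text of the `msg` that precedes `make test`, so the log shows two identical banners and a failure in ssl-opt.sh cannot be told from one in the main suites by its heading. Following the wording this commit uses in component_test_no_ctr_drbg, change it to `msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG - ssl-opt.sh (subset)"`. The component's configuration and build steps lie before the hunk.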