Comments (12)
Thanks for your report! As it happens, the part in config.h is already fixed in an internal branch, but we missed the part in ecp.c.
from mbedtls.
A good test is to comment out all curves from config.h except one of the POLARSSL_ECP_DP_SECPxxxK1_ENABLED curves and then see how make check reacts.
from mbedtls.
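The single-curve test suggested in the comment above can be scripted. This is an added example, not code from the thread or from the project: the function names and the config path argument are assumptions, while the macro naming pattern and `make check` come from the thread.

```shell
#!/bin/sh
# Added example (not project code): build single-curve variants of config.h.

# Print the names of the curves currently enabled in the config on stdin.
enabled_curves() {
    sed -n -E 's,^[[:space:]]*#define[[:space:]]+POLARSSL_ECP_DP_([A-Z0-9]+)_ENABLED.*,\1,p'
}

# Filter: comment out every POLARSSL_ECP_DP_*_ENABLED define except curve $1.
keep_only_curve() {
    keep="POLARSSL_ECP_DP_${1}_ENABLED"
    sed -E \
        -e 's,^[[:space:]]*(//)?[[:space:]]*(#define[[:space:]]+POLARSSL_ECP_DP_[A-Z0-9]+_ENABLED),//\2,' \
        -e "s,^//(#define[[:space:]]+${keep})([[:space:]]|\$),\1\2,"
}

# Rewrite config file $1 to enable only curve $2, run `make check`, then
# restore the original file. Returns the exit status of `make check`.
check_single_curve() {
    cfg=$1 curve=$2
    cp "$cfg" "$cfg.orig" || return 2
    keep_only_curve "$curve" < "$cfg.orig" > "$cfg"
    # Refuse to build if the requested curve was not found in the file.
    if [ "$(enabled_curves < "$cfg")" != "$curve" ]; then
        mv "$cfg.orig" "$cfg"; return 2
    fi
    make check; status=$?
    mv "$cfg.orig" "$cfg"
    return "$status"
}

# Constructed sample: a three-line excerpt in the style of config.h.
sample_config() {
    printf '%s\n' \
        '#define POLARSSL_ECP_DP_SECP192R1_ENABLED' \
        '//#define POLARSSL_ECP_DP_SECP256K1_ENABLED' \
        '#define POLARSSL_ECP_DP_BP256R1_ENABLED'
}

# Demo on the sample only; call check_single_curve yourself inside a source tree.
sample_config | keep_only_curve SECP256K1
```

Looping `check_single_curve` over every curve name is what surfaces test cases that lack a dependency on the curve their test data uses.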
Fixed for the next release. Thanks for the report!
from mbedtls.
Hi Manuel,
I am not sure if this issue is fully fixed yet.
The following (i.e. comment all but one curve) in config.h:
/**
* \def POLARSSL_ECP_XXXX_ENABLED
*
* Enables specific curves within the Elliptic Curve module.
* By default all supported curves are enabled.
*
* Comment macros to disable the curve and functions for it
*/
//#define POLARSSL_ECP_DP_SECP192R1_ENABLED
//#define POLARSSL_ECP_DP_SECP224R1_ENABLED
//#define POLARSSL_ECP_DP_SECP256R1_ENABLED
//#define POLARSSL_ECP_DP_SECP384R1_ENABLED
//#define POLARSSL_ECP_DP_SECP521R1_ENABLED
//#define POLARSSL_ECP_DP_SECP192K1_ENABLED
//#define POLARSSL_ECP_DP_SECP224K1_ENABLED
#define POLARSSL_ECP_DP_SECP256K1_ENABLED
//#define POLARSSL_ECP_DP_BP256R1_ENABLED
//#define POLARSSL_ECP_DP_BP384R1_ENABLED
//#define POLARSSL_ECP_DP_BP512R1_ENABLED
//#define POLARSSL_ECP_DP_M221_ENABLED // Not implemented yet!
//#define POLARSSL_ECP_DP_M255_ENABLED
//#define POLARSSL_ECP_DP_M383_ENABLED // Not implemented yet!
//#define POLARSSL_ECP_DP_M511_ENABLED // Not implemented yet!
seems to cause the following tests to fail:
- test_suite_x509parse
X509 Certificate verification #52 (CA keyUsage valid) ............. FAILED
x509_crt_parse_file( &crt, crt_file ) == 0
X509 Certificate verification #53 (CA keyUsage missing cRLSign) ... FAILED
x509_crt_parse_file( &crt, crt_file ) == 0
X509 Certificate verification #54 (CA keyUsage missing cRLSign, no FAILED
x509_crt_parse_file( &crt, crt_file ) == 0
X509 Certificate verification #55 (CA keyUsage missing keyCertSign FAILED
x509_crt_parse_file( &crt, crt_file ) == 0
X509 Certificate verification #55 (CA keyUsage plain wrong) ....... FAILED
x509_crt_parse_file( &crt, crt_file ) == 0
X509 crt extendedKeyUsage #1 (no extension, serverAuth) ........... FAILED
x509_crt_parse_file( &crt, crt_file ) == 0
X509 crt extendedKeyUsage #2 (single value, present) .............. FAILED
x509_crt_parse_file( &crt, crt_file ) == 0
X509 crt extendedKeyUsage #3 (single value, absent) ............... FAILED
x509_crt_parse_file( &crt, crt_file ) == 0
X509 crt extendedKeyUsage #4 (two values, first) .................. FAILED
x509_crt_parse_file( &crt, crt_file ) == 0
X509 crt extendedKeyUsage #5 (two values, second) ................. FAILED
x509_crt_parse_file( &crt, crt_file ) == 0
X509 crt extendedKeyUsage #6 (two values, other) .................. FAILED
x509_crt_parse_file( &crt, crt_file ) == 0
X509 crt extendedKeyUsage #7 (any, random) ........................ FAILED
x509_crt_parse_file( &crt, crt_file ) == 0
FAILED (233 / 245 tests (42 skipped))
**** Failed ***************
- test_suite_x509write
Certificate Request check Server5 ECDSA, key_usage ................ FAILED
pk_parse_keyfile( &key, key_file, NULL ) == 0
FAILED (14 / 15 tests (1 skipped))
**** Failed ***************
These were the only changes made to config.h.
from mbedtls.
You're right. I forgot to update the dependencies in the X.509 test suites when I "upgraded" the test certificates from secp192r1 to secp256r1 and secp384r1 a while ago. This will be fixed shortly.
As usual, thanks for letting us know.
from mbedtls.
Hum, actually this is not what I thought: I missed dependencies in test I added in 1.3.6. Anyway, fixing both issues (and checking for more) right now.
from mbedtls.
Ok, fixed for the next release.
When you're done tuning the config file for picocoin, feel free to send us a copy of the result: that way, we can add it to our sample configs which are tested automatically, in order to really make sure we don't break it again in the future :)
from mbedtls.
Great.
Out of curiosity, when is the next release planned?
from mbedtls.
Has just been released!
from mbedtls.
Hi Manuel,
Here's an optimised config.h as requested.
It throws a few warnings but other than that seems to work well.
ssl/ssl_client2.c:118:13: warning: ‘my_debug’ defined but not used [-Wunused-function]
ssl/ssl_client2.c:130:12: warning: ‘my_recv’ defined but not used [-Wunused-function]
ssl/ssl_client2.c:147:12: warning: ‘my_send’ defined but not used [-Wunused-function]
ssl/ssl_client2.c:168:12: warning: ‘my_verify’ defined but not used [-Wunused-function]
ssl/ssl_server2.c:143:13: warning: ‘my_debug’ defined but not used [-Wunused-function]
ssl/ssl_server2.c:155:12: warning: ‘my_recv’ defined but not used [-Wunused-function]
ssl/ssl_server2.c:172:12: warning: ‘my_send’ defined but not used [-Wunused-function]
from mbedtls.
Thanks! We'll fix the warnings and add your config to our list of reference configs that are automatically tested.
Btw, you may not need to compile the programs at all. This is a detail since it only affects the compile time of picocoin, but anyway. (I think replacing make with make lib && ( cd tests && make ) should do the trick.)
from mbedtls.
Hi Aido,
I just had a closer look at your config.h file and thought it could be further reduced, see aido/picocoin#1
I'm now going to integrate the result in our config file collection and fix the things that need to be fixed :)
from mbedtls.