In order to remove large buffers from the stack, the der data is written
into the same buffer that the pem is eventually written into, however
although the pem data is zero terminated, there is now data left in the
buffer after the zero termination, which can cause
mbedtls_x509_crt_parse to fail to parse the same buffer if passed back
in. Patches also applied to mbedtls_pk_write_pubkey_pem, and
mbedtls_pk_write_key_pem, which use similar methods of writing der data
to the same buffer, and tests modified to hopefully catch any future
regression on this.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
mbedtls_ctr_drbg_set_reseed_interval() and
mbedtls_hmac_drbg_set_reseed_interval() can now be called before
their seed functions and the reseed_interval value will persist.
Previously it would be overwritten with the default value.
*_drbg_reseed_interval is now set in init() and free().
mbedtls_ctr_drbg_free() and mbedtls_hmac_drbg_free() now
reset the drbg context to the state immediately after init().
Tests:
- Added test to check that DRBG reseeds when reseed_counter
reaches reseed_interval, if reseed_interval set before seed
and reseed_interval is less than MBEDTLS_*_DRBG_RESEED_INTERVAL.
Signed-off-by: gacquroff <gavina352@gmail.com>
Fixes an issue where configs that had `MBEDTLS_MPI_MAX_BITS` greater than 256
but smaller than the test that was running (792 bits) the test would fail
incorrectly.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Move dependancy on `MBEDTLS_MPI_MAX_BITS` to apply to the specific test cases
which will break when `MBEDTLS_MPI_MAX_BITS` is too small. This re-enables
previous tests that were turned off accidentally.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Previously `mbedtls_mpi_exp_mod` was tested with values that were over
`MBEDTLS_MPI_MAX_SIZE` in size. This is useful to do as some paths are only
taken when the exponent is large enough however, on builds where
`MBEDTLS_MPI_MAX_SIZE` is under the size of these test values.
This fix turns off these tests when `MBEDTLS_MPI_MAX_SIZE` is too small to
safely test (notably this is the case in config-thread.h).
Signed-off-by: Chris Jones <christopher.jones@arm.com>
In two test cases, the exponentiation computation was not being fully tested
as when A_bytes (the base) == N_bytes (the modulus) -> A = N. When this is the
case A is reduced to 0 and therefore the result of the computation will always
be 0.
This fixes that issue and therefore increases the test coverage to ensure
different computations are actually being run.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Reword test cases to be easier to read and understand.
Adds comments to better explain what the test is doing.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Add two further boundary tests for cases where both the exponent and modulus to
`mbedtls_mpi_exp_mod()` are `MBEDTLS_MPI_MAX_SIZE`, or longer, bytes long.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Adds test cases to ensure that `mbedtls_mpi_exp_mod` will return an error with
an exponent or modulus that is greater than `MBEDTLS_MPI_MAX_SIZE` in size.
Adds test cases to ensure that Diffie-Hellman will fail to make a key pair
(using `mbedtls_dhm_make_public`) when the prime modulus is greater than
`MBEDTLS_MPI_MAX_SIZE` in size.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Add a test case to ensure `mbedtls_mpi_exp_mod` fails when using a key size
larger than MBEDTLS_MPI_MAX_SIZE.
Add a test case to ensure that Diffie-Hellman operations fail when using a key
size larger than MBEDTLS_MPI_MAX_SIZE.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Add missing tag check for algorithm parameters when comparing the
signature in the description part of the cert against the actual
signature whilst loading a certificate. This was found by a
certificate (created by fuzzing) that openssl would not verify, but
mbedtls would.
Regression test added (one of the client certs modified accordingly)
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
GCC 11 generated the warnings because the parameter `ret_buf`
was declared as `const char[10]`, but some of the arguments
provided in `run_test_snprintf` are shorter literals, like "".
Now the type of `ret_buf` is `const char *`.
Both implementations of `test_snprintf` were fixed.
Signed-off-by: Rodrigo Dias Correa <rodrigo@correas.us>
Positive tests: test that the RNG has the expected size, given that we
know how many leading zeros it has because we know how the function
consumes bytes and when the test RNG produces null bytes.
Negative tests: test that if the RNG is willing to emit less than the
number of wanted bytes, the function fails.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Add a build with MBEDTLS_ERROR_STRERROR_DUMMY but not MBEDTLS_ERROR_C.
Previously, both options were enabled by default, but
MBEDTLS_ERROR_STRERROR_DUMMY only matters when MBEDTLS_ERROR_C is
enabled, so its effect was not tested.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Fix `printf "$foo"` which treats the value of `foo` as a printf format
rather than a string.
I used the following command to find potentially problematic lines:
```
git ls-files '*.sh' | xargs egrep 'printf +("?[^"]*|[^ ]*)\$'
```
The remaining ones are false positives for this regexp.
The errors only had minor consequences: the output of `ssl-opt.sh`
contained lines like
```
Renegotiation: gnutls server strict, client-initiated .................. ./tests/ssl-opt.sh: 741: printf: %S: invalid directive
PASS
```
and in case of failure the GnuTLS command containing a substring like
`--priority=NORMAL:%SAFE_RENEGOTIATION` was not included in the log
file. With the current tests, there was no risk of a test failure
going undetected.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Showing a regexp to say that by default all tests are executed is not
particularly helpful.
If we ever add a default exclusion list or a default filter, we can
edit the documentation again.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Set the CMake-observed variable `CTEST_OUTPUT_ON_FAILURE`, so that when
a "make test" run by CMake fails, verbose test output about the detail
of failure is available.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The toplevel directory is actually just ../..: the makefile commands
are executed in the subdirectory. $(PWD) earlier was wrong because it
comes from the shell, not from make. Looking up $(MAKEFILE_LIST) is
wrong because it indicates where the makefile is (make -f), not which
directory to work in (make -C).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The test function mbedtls_mpi_lt_mpi_ct did not initialize ret in test
code. If there was a bug in library code whereby the library function
mbedtls_mpi_lt_mpi_ct() did not set ret when it should, we might have
missed it if ret happened to contain the expected value. So initialize
ret to a value that we never expect.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
If test_fail is called multiple times in the same test case, report
the location of the first failure, not the last one.
With this change, you no longer need to take care in tests that use
auxiliary functions not to fail in the main function if the auxiliary
function has failed.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
RFC5280 does not state that the `revocationDate` should be checked.
In addition, when no time source is available (i.e., when MBEDTLS_HAVE_TIME_DATE is not defined), `mbedtls_x509_time_is_past` always returns 0. This results in the CRL not being checked at all.
https://tools.ietf.org/html/rfc5280
Signed-off-by: Raoul Strackx <raoul.strackx@fortanix.com>
Currently the new component in all.sh fails because
mbedtls_ssl_cf_memcpy_offset() is not actually constant flow - this is on
purpose to be able to verify that the new test works.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
The tests are supposed to be failing now (in all.sh component
test_memsan_constant_flow), but they don't as apparently MemSan doesn't
complain when the src argument of memcpy() is uninitialized, see
https://github.com/google/sanitizers/issues/1296
The next commit will add an option to test constant flow with valgrind, which
will hopefully correctly flag the current non-constant-flow implementation.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
* mbedtls-2.16: (32 commits)
A different approach of signed-to-unsigned comparison
Fix bug in redirection of unit test outputs
Don't forget to free G, P, Q, ctr_drbg, and entropy
Backport e2k support to mbedtls-2.7
compat.sh: stop using allow_sha1
compat.sh: quit using SHA-1 certificates
compat.sh: enable CBC-SHA-2 suites for GnuTLS
Fix license header in pre-commit hook
Update copyright notices to use Linux Foundation guidance
Fix building on NetBSD 9.0
Remove obsolete buildbot reference in compat.sh
Fix misuse of printf in shell script
Fix added proxy command when IPv6 is used
Simplify test syntax
Fix logic error in setting client port
ssl-opt.sh: include test name in log files
ssl-opt.sh: remove old buildbot-specific condition
ssl-opt.sh: add proxy to all DTLS tests
Log change as bugfix
Add changelog entry
...
They are used to generate cert_md*.crt.
Regenerate cert_md5.crt which had previously been generated for a
different key.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
It wasn't working when invoking programs/x509/cert_write or
programs/x509/cert_req due to relying on the current directory rather
than the location of the makefile.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Replace server2.crt with server2-sha256.crt which, as the name implies, is
just the SHA-256 version of the same certificate.
Replace server1.crt with cert_sha256.crt which, as the name doesn't imply, is
associated with the same key and just have a slightly different Subject Name,
which doesn't matter in this instance.
The other certificates used in this script (server5.crt and server6.crt) are
already signed with SHA-256.
This change is motivated by the fact that recent versions of GnuTLS (or older
versions with the Debian patches) reject SHA-1 in certificates by default, as
they should. There are options to still accept it (%VERIFY_ALLOW_BROKEN and
%VERIFY_ALLOW_SIGN_WITH_SHA1) but:
- they're not available in all versions that reject SHA-1-signed certs;
- moving to SHA-2 just seems cleaner anyway.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Recent GnuTLS packages on Ubuntu 16.04 have them disabled.
From /usr/share/doc/libgnutls30/changelog.Debian.gz:
gnutls28 (3.4.10-4ubuntu1.5) xenial-security; urgency=medium
* SECURITY UPDATE: Lucky-13 issues
[...]
- debian/patches/CVE-2018-1084x-4.patch: hmac-sha384 and sha256
ciphersuites were removed from defaults in lib/gnutls_priority.c,
tests/priorities.c.
Since we do want to test the ciphersuites, explicitly re-enable them in the
server's priority string. (This is a no-op with versions of GnuTLS where those
are already enabled by default.)
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>