Commit graph

2634 commits

Author SHA1 Message Date
Hanno Becker 78d1f70ab6 Ensure non-NULL key buffer when building SSL test transforms 2019-04-25 12:58:21 +01:00
Hanno Becker a5780f1993 Catch errors while building SSL test transforms 2019-04-25 12:58:21 +01:00
Hanno Becker 3ee5421f9c Use mbedtls_{calloc|free}() in SSL unit test suite 2019-04-25 12:58:21 +01:00
Hanno Becker 907ab20b38 Alternative between send/recv transform in SSL record test suite 2019-04-25 12:58:21 +01:00
Hanno Becker 81e16a34f5 Fix memory leak on failure in test_suite_ssl 2019-04-25 12:58:21 +01:00
Hanno Becker d0fa2d7563 Add record encryption/decryption tests for ARIA to SSL test suite 2019-04-25 12:58:21 +01:00
Hanno Becker b3268dac00 Add encryption/decryption tests for small records
This commit adds tests to check the behavior of the record encryption
routine `ssl_encrypt_buf` when the buffer surrounding the plaintext is
too small to hold the expansion in the beginning and end (due to IV's,
padding, and MAC).

Each test starts successively increases the space available at the
beginning, end, or both, of the record buffer, and checks that the
record encryption either fails with a BUFFER_TOO_SMALL error, or
that it succeeds. Moreover, if it succeeds, it is checked that
decryption succeeds, too, and results in the original record.
2019-04-25 12:58:21 +01:00
Hanno Becker a18d1320da Add tests for record encryption/decryption
This commit adds tests exercising mutually inverse pairs of
record encryption and decryption transformations for the various
transformation types allowed in TLS: Stream, CBC, and AEAD.
2019-04-25 12:58:21 +01:00
Jaeden Amero f790a6cbee Merge remote-tracking branch 'origin/pr/2536' into development
* origin/pr/2536:
  Update crypto submodule
  Minor fixes in get certificate policies oid test
  Add certificate policy oid x509 extension
2019-04-17 10:52:54 +01:00
Jaeden Amero 5c7915b0ed Merge remote-tracking branch 'origin/pr/2582' into development
* origin/pr/2582:
  Call mbedtls_cipher_free() to reset a cipher context
  Don't call mbedtls_cipher_setkey twice
2019-04-17 10:46:45 +01:00
Jaeden Amero c41a3285de Merge remote-tracking branch 'origin/pr/2559' into development
* origin/pr/2559:
  Clarify comment mangled by an earlier refactoring
  Add an "out-of-box" component
  Run ssl-opt.sh on 32-bit runtime
2019-04-16 15:09:42 +01:00
Jaeden Amero 7a1c4eb826 Merge remote-tracking branch 'origin/pr/2567' into development
* origin/pr/2567:
  Don't use debug level 1 for informational messages
2019-04-16 15:08:39 +01:00
Gilles Peskine 424840e033 Call mbedtls_cipher_free() to reset a cipher context
mbedtls_cipher_reset() only restarts the operation, it doesn't
dissociate the key from the context.
2019-04-16 16:06:34 +02:00
Jaeden Amero fe7106755e Merge remote-tracking branch 'origin/pr/2539' into development
Resolve conflicts by performing the following:
  - Ensure calls to mbedtls_x509_crt_verify_* are made with callbacks

* origin/pr/2539:
  Make CRT callback tests more robust
  Rename constant in client2.c
  Fix typo
  Add test for configuration specific CRT callback
  Fix doxygen documentation of mbedtls_ssl_set_verify()
  Add test exercising context-specific CRT callback to ssl-opt.sh
  Add cmd to use context-specific CRT callback in ssl_client2
  Implement context-specific verification callbacks
  Add context-specific CRT verification callbacks
  Improve documentation of mbedtls_ssl_conf_verify()
2019-04-16 15:05:18 +01:00
Jaeden Amero ff34d43720 Merge remote-tracking branch 'origin/pr/2532' into development
* origin/pr/2532: (29 commits)
  Document and test flags in x509_verify
  Fix style issues and a typo
  Fix name to function call
  Address comments for x509 tests
  Address review comments regarding ssl_client2 and ssl tests
  Remove mbedtls_ from the static function name
  Change docs according to review comments
  Change the verify function naming
  Fix ssl_client2 and ssl_server2 if !PLATFORM_C
  Correct placement of usage macro in ssl_client2
  Update version_features.c
  Remove trailing whitespace in test_suite_x509parse.function
  Update query_config.c
  Add ssl-opt.sh tests for trusted CA callbacks
  Only run X.509 CRT verification tests with CA callback tests if !CRL
  Minor fixes to CA callback tests
  Declare CA callback type even if feature is disabled
  Implement X.509 CRT verification using CA callback
  Add prototype for CRT verification with static and dynamic CA list
  Make use of CA callback if present when verifying peer CRT chain
  ...
2019-04-16 14:42:11 +01:00
Jaeden Amero 24c71d3a5c Merge remote-tracking branch 'origin/pr/2502' into development
* origin/pr/2502:
  all.sh: remove component_test_new_ecdh_context
  Remove crypto-only related components from all.sh
2019-04-16 14:41:20 +01:00
Jaeden Amero 137c5b7297 Merge remote-tracking branch 'origin/pr/2477' into development
* origin/pr/2477:
  Fix typo in data_file generator code
2019-04-16 14:38:58 +01:00
Gilles Peskine 139ec3b913 Don't call mbedtls_cipher_setkey twice
The documentation doesn't explicitly say whether it's allowed or not.
This currently works with the default software implementation, but
only by accident. It isn't guaranteed to work with new ciphers or with
alternative implementations of individual ciphers, and it doesn't work
with the PSA wrappers. So don't do it.
2019-04-16 15:25:20 +02:00
Ron Eldor 685a398a6b Minor fixes in get certificate policies oid test
1. Remove irrelevant  dependency on `MBEDTLS_ASN1_WRITE_C`.
2. Remove whitespace between `*` and parameter.
2019-04-16 13:26:54 +03:00
Ron Eldor e82341646a Add certificate policy oid x509 extension
Add the `MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES` to the list
of supported x509 extensions, in `mbedtls_oid_get_x509_ext_type()`.
2019-04-16 13:26:54 +03:00
Gilles Peskine f1349e4bfe Clarify comment mangled by an earlier refactoring 2019-04-10 18:41:53 +02:00
Gilles Peskine 7832c9fc3d Add an "out-of-box" component
Just run `make` and `make test`. And `selftest` for good measure.
2019-04-10 18:41:53 +02:00
Gilles Peskine 4b317616eb Run ssl-opt.sh on 32-bit runtime
Run ssl-opt.sh on x86_32 with ASan. This may detect bugs that only
show up on 32-bit platforms, for example due to size_t overflow.

For this component, turn off some memory management features that are
not useful, potentially slow, and may reduce ASan's effectiveness at
catching buffer overflows.
2019-04-10 18:41:53 +02:00
Hanno Becker 4c8c7aa95e Don't use debug level 1 for informational messages 2019-04-10 09:26:53 +01:00
Andrzej Kurek 4a8d2dfdd6 all.sh: remove component_test_new_ecdh_context
Remove the ecdh_context component to have it only in the crypto repository
2019-04-08 06:20:00 -04:00
Andrzej Kurek cd9286f1ca Remove crypto-only related components from all.sh 2019-04-08 05:49:08 -04:00
Janos Follath 4031b314ed Make CRT callback tests more robust 2019-04-05 16:50:39 +01:00
Janos Follath 846ae7a70d Document and test flags in x509_verify 2019-04-05 16:45:01 +01:00
Janos Follath d7ecbd6914 Fix style issues and a typo 2019-04-05 16:44:42 +01:00
Jaeden Amero aa3402018e Merge remote-tracking branch 'origin/pr/2535' into development
* origin/pr/2535:
  Add Wisun Fan device extended key usage
2019-04-05 14:36:08 +01:00
Jaeden Amero 7c1e6193af Merge remote-tracking branch 'origin/pr/2464' into development
* origin/pr/2464:
  Allow main() to lack a docstring.
  Silence pylint
  check-files.py: readability improvement in permission check
  check-files.py: use class fields for class-wide constants
  check-files.py: clean up class structure
  abi_check.py: Document more methods
  check-files.py: document some classes and methods
  Fix pylint errors going uncaught
  Call pylint3, not pylint
  New, documented pylint configuration
2019-04-05 14:19:09 +01:00
Jaeden Amero d192ba4ef1 Merge remote-tracking branch 'origin/pr/2463' into development
* origin/pr/2463:
  Fix a rebase error
  Wrap lines at 80 columns
  Add NIST keywrap as a cipher mode
  Fix errors in AEAD test function
2019-04-05 14:15:40 +01:00
Jaeden Amero 62ab1f9961 Merge remote-tracking branch 'origin/pr/2405' into development
* origin/pr/2405:
  Fix ChangeLog entry ordering
  Fix typo
  Add non-regression test for buffer overflow
  Improve documentation of mbedtls_mpi_write_string()
  Adapt ChangeLog
  Fix 1-byte buffer overflow in mbedtls_mpi_write_string()
2019-04-05 14:08:49 +01:00
Jaeden Amero 3d8144731f Merge remote-tracking branch 'origin/pr/2192' into development
* origin/pr/2192:
  Increase okm_hex buffer to contain null character
  Minor modifications to hkdf test
  Add explanation for okm_string size
  Update ChangeLog
  Reduce buffer size of okm
  Reduce Stack usage of hkdf test function
2019-04-05 13:53:14 +01:00
Jack Lloyd 274024f3d5 Fix a rebase error 2019-04-04 07:59:41 -07:00
Janos Follath ee11be6572 Add test for configuration specific CRT callback 2019-04-04 12:03:30 +01:00
Hanno Becker efb440afec Add test exercising context-specific CRT callback to ssl-opt.sh 2019-04-03 13:11:20 +01:00
Ron Eldor b6dc105456 Add Wisun Fan device extended key usage
Add the Wisun extended key usage oid and tests.
2019-04-03 13:48:50 +03:00
Jack Lloyd ffdf28851d Add NIST keywrap as a cipher mode
Closes #2003 see also #1658
2019-04-02 10:02:55 -07:00
Jack Lloyd 1dbc5a257f Fix errors in AEAD test function
It was failing to set the key in the ENCRYPT direction before encrypting.
This just happened to work for GCM and CCM.

After re-encrypting, compare the length to the expected ciphertext
length not the plaintext length. Again this just happens to work for
GCM and CCM since they do not perform any kind of padding.
2019-04-02 10:02:55 -07:00
Jarno Lamsa dfd22c4dbd Address comments for x509 tests 2019-04-01 15:18:53 +03:00
Jarno Lamsa f7a7f9ee43 Address review comments regarding ssl_client2 and ssl tests 2019-04-01 15:11:54 +03:00
Jarno Lamsa 31d9db6195 Change the verify function naming
Change the naming to reflect that the function uses a new ca callback
feature to distinguish different callbacks.
2019-04-01 14:33:49 +03:00
Hanno Becker 3f932bbc5d Remove trailing whitespace in test_suite_x509parse.function 2019-03-28 17:06:47 +00:00
Hanno Becker 746aaf3f38 Add ssl-opt.sh tests for trusted CA callbacks 2019-03-28 16:13:44 +00:00
Hanno Becker 0350d56286 Only run X.509 CRT verification tests with CA callback tests if !CRL 2019-03-28 16:13:44 +00:00
Hanno Becker cbb590369c Minor fixes to CA callback tests 2019-03-28 16:13:44 +00:00
Jarno Lamsa 557426ad77 Add a failure testcase for ca callback 2019-03-28 16:13:43 +00:00
Jarno Lamsa 912ed33991 Change callback name to ca_callback 2019-03-28 16:13:43 +00:00
Jarno Lamsa 03cd120ce4 Test for ca list callback 2019-03-28 16:13:43 +00:00