Commit graph

1127 commits

Author SHA1 Message Date
Hanno Becker 1de13dbc49 Obey bounds of ASN.1 substructures
When parsing a substructure of an ASN.1 structure, no field within
the substructure must exceed the bounds of the substructure.
Concretely, the `end` pointer passed to the ASN.1 parsing routines
must be updated to point to the end of the substructure while parsing
the latter.

This was previously not the case for the routines
- x509_get_attr_type_and_value(),
- mbedtls_x509_get_crt_ext(),
- mbedtls_x509_get_crl_ext().
These functions kept using the end of the parent structure as the
`end` pointer and would hence allow substructure fields to cross
the substructure boundary. This could lead to successful parsing
of ill-formed X.509 CRTs.

This commit fixes this.

Care has to be taken when adapting `mbedtls_x509_get_crt_ext()`
and `mbedtls_x509_get_crl_ext()`, as the underlying function
`mbedtls_x509_get_ext()` returns `0` if no extensions are present
but doesn't set the variable which holds the bounds of the Extensions
structure in case the latter is present. This commit addresses
this by returning early from `mbedtls_x509_get_crt_ext()` and
`mbedtls_x509_get_crl_ext()` if parsing has reached the end of
the input buffer.

The following X.509 parsing tests need to be adapted:
- "TBSCertificate, issuer two inner set datas"
  This test exercises the X.509 CRT parser with a Subject name
  which has two empty `AttributeTypeAndValue` structures.
  This is supposed to fail with `MBEDTLS_ERR_ASN1_OUT_OF_DATA`
  because the parser should attempt to parse the first structure
  and fail because of a lack of data. Previously, it failed to
  obey the (0-length) bounds of the first AttributeTypeAndValue
  structure and would try to interpret the beginning of the second
  AttributeTypeAndValue structure as the first field of the first
  AttributeTypeAndValue structure, returning an UNEXPECTED_TAG error.
- "TBSCertificate, issuer, no full following string"
  This test exercises the parser's behaviour on an AttributeTypeAndValue
  structure which contains more data than expected; it should therefore
  fail with MBEDTLS_ERR_ASN1_LENGTH_MISMATCH. Because of the missing bounds
  check, it previously failed with UNEXPECTED_TAG because it interpreted
  the remaining byte in the first AttributeTypeAndValue structure as the
  first byte in the second AttributeTypeAndValue structure.
- "SubjectAltName repeated"
  This test should exercise two SubjectAltNames extensions in succession,
  but a wrong length values makes the second SubjectAltNames extension appear
  outside of the Extensions structure. With the new bounds in place, this
  therefore fails with a LENGTH_MISMATCH error. This commit adapts the test
  data to put the 2nd SubjectAltNames extension inside the Extensions
  structure, too.
2019-06-04 14:03:27 +01:00
Hanno Becker b6bf4967de Correct name of X.509 parsing test for well-formed, ill-signed CRT 2019-06-03 16:22:13 +01:00
Hanno Becker 958c41196a Add test cases exercising successful verification of MD2/MD4/MD5 CRT 2019-06-03 16:22:10 +01:00
Hanno Becker c6b33dbdda Add test case exercising verification of valid MD2 CRT
The X.509 parsing test suite test_suite_x509parse contains a test
exercising X.509 verification for a valid MD4/MD5 certificate in a
profile which doesn't allow MD4/MD5. This commit adds an analogous
test for MD2.
2019-06-03 16:22:08 +01:00
Hanno Becker 067f3574b9 Add instructions for MD[245] test CRTs to tests/data_files/Makefile 2019-06-03 16:21:57 +01:00
Hanno Becker fb63a7c532 Convert further x509parse tests to use lower-case hex data 2019-06-03 16:21:32 +01:00
Hanno Becker 29cf243781 Use SHA-256 instead of MD2 in X.509 CRT parsing tests
- Replace 'RSA with MD2' OID '2a864886f70d010102' by
  'RSA with SHA-256' OID '2a864886f70d01010b':
  Only the last byte determines the hash, and
  `MBEDTLS_OID_PKCS1_MD2 == MBEDTLS_OID_PKCS1 "\x02"`
  `MBEDTLS_OID_PKCS1_SHA256 == MBEDTLS_OID_PKCS1 "\x0b"`
  See oid.h.
- Replace MD2 dependency by SHA256 dependency.
- Adapt expected CRT info output.
2019-05-30 11:11:24 +01:00
Hanno Becker f9681e53f2 Consistently use lower case hex data in X.509 parsing tests 2019-05-30 11:11:24 +01:00
Jaeden Amero f3df5b8552 Merge remote-tracking branch 'origin/pr/2519' into mbedtls-2.7
* origin/pr/2519:
  Fix errors in AEAD test function
2019-04-05 14:17:08 +01:00
Jaeden Amero 99b679f364 Merge remote-tracking branch 'origin/pr/2504' into mbedtls-2.7
* origin/pr/2504:
  Fix ChangeLog entry ordering
  Fix typo
  Add non-regression test for buffer overflow
  Improve documentation of mbedtls_mpi_write_string()
  Adapt ChangeLog
  Fix 1-byte buffer overflow in mbedtls_mpi_write_string()
2019-04-05 14:09:25 +01:00
Jaeden Amero a5f5ad3cf4 Merge remote-tracking branch 'restricted/pr/554' into mbedtls-2.7
* restricted/pr/554:
  Fix too small buffer in a test
  Add changelog entry for mbedtls_ecdh_get_params robustness
  Fix ecdh_get_params with mismatching group
  Add test case for ecdh_get_params with mismatching group
  Add test case for ecdh_calc_secret
2019-03-27 14:53:29 +00:00
Jaeden Amero b4686b4f32 Update library version to 2.7.10 2019-03-19 16:18:43 +00:00
Jack Lloyd b17537558a Fix errors in AEAD test function
It was failing to set the key in the ENCRYPT direction before encrypting.
This just happened to work for GCM and CCM.

After re-encrypting, compare the length to the expected ciphertext
length not the plaintext length. Again this just happens to work for
GCM and CCM since they do not perform any kind of padding.
2019-03-14 11:00:58 +02:00
Janos Follath f56da14408 Add non-regression test for buffer overflow 2019-03-06 14:00:39 +00:00
Simon Butcher 6728797f02 Merge remote-tracking branch 'public/pr/2148' into mbedtls-2.7
* public/pr/2148:
  Add ChangeLog entry for unused bits in bitstrings
  Improve docs for ASN.1 bitstrings and their usage
  Add tests for (named) bitstring to suite_asn1write
  Fix ASN1 bitstring writing
2019-03-01 13:09:04 +00:00
Gilles Peskine b46f1bd451 Fix too small buffer in a test 2019-02-22 11:30:14 +01:00
Gilles Peskine 496c9e053d Add test case for ecdh_get_params with mismatching group
Add a test case for doing an ECDH calculation by calling
mbedtls_ecdh_get_params on both keys, with keys belonging to
different groups. This should fail, but currently passes.
2019-02-21 18:17:05 +01:00
Gilles Peskine 390bbd08f7 Add test case for ecdh_calc_secret
Add a test case for doing an ECDH calculation by calling
mbedtls_ecdh_get_params on both keys, then mbedtls_ecdh_calc_secret.
2019-02-21 18:16:55 +01:00
Jaeden Amero f054f8b3dc Merge remote-tracking branch 'origin/pr/2384' into mbedtls-2.7 2019-02-21 12:00:43 +00:00
Antonin Décimo 8fd9156a4a Fix #2370, minor typos and spelling mistakes 2019-02-18 15:57:54 +00:00
Andres Amaya Garcia abb7622d08 Add tests for (named) bitstring to suite_asn1write 2019-02-11 21:10:55 +00:00
k-stachowiak 4d2982091b Correct code formatting in the timing test suites 2019-02-05 10:03:31 +01:00
k-stachowiak 9368113607 Reduce the timing tests complexity 2019-01-29 12:54:10 +01:00
Simon Butcher d09324ac58 Merge remote-tracking branch 'public/pr/2264' into mbedtls-2.7 2019-01-23 10:58:08 +01:00
Janos Follath e552a826fd Test the new deterministic ECDSA function 2019-01-16 16:01:34 +00:00
Simon Butcher 78f040cf33 Merge remote-tracking branch 'public/pr/2233' into HEAD 2019-01-08 15:33:48 +00:00
Simon Butcher 7f899b406c Merge remote-tracking branch 'public/pr/2304' into HEAD 2019-01-08 15:31:37 +00:00
Simon Butcher 032e3e215d Enable more compiler warnings in tests/Makefile
tests/Makefile had some unused warnings disabled unnecessarily, which
test-ref-configs.pl was turning back on. We don't need to disable these warnings
so I'm turning them back on.
2018-12-28 11:32:12 +00:00
Simon Butcher 638dceb7e1 Change file scoping of test helpers.function
Dependent on configured options, not all of the helper functions were being
used, which was leading to warning of unused functions with Clang.

To avoid any complex compile time options, or adding more logic to
generate_test_code.py to screen out unused functions, those functions which were
provoking the warning were changed to remove static, remove them from file
scope, and expose them to the linker.
2018-12-28 11:30:02 +00:00
Simon Butcher b22a808cc6 Update the version of the library to 2.7.9 2018-12-21 10:52:37 +00:00
Ron Eldor 44f6d0b3b1 Test AD too long only when CCM_ALT not defined
Since the AD too long is a limitation on Mbed TLS,
HW accelerators may support this. Run the test for AD too long,
only if `MBEDTLS_CCM_ALT` is not defined.
Addresses comment in #1996.
2018-12-19 14:14:58 +02:00
Jaeden Amero b85e35d8d2 Merge remote-tracking branch 'upstream-public/pr/2102' into mbedtls-2.7 2018-12-07 16:15:46 +00:00
Simon Butcher b37c29d673 Add additional test case for alternative CSR headers
Add a test case for alternative headers possible for CSR's, as defined in
RFC7468.
2018-12-05 23:23:28 +00:00
Simon Butcher 4a908ca6bb Update library version number to 2.7.8 2018-12-01 23:12:40 +00:00
Simon Butcher 4303f7619e Merge remote-tracking branch 'restricted/pr/513' into mbedtls-2.7-restricted 2018-11-29 17:27:35 +00:00
Simon Butcher a0d3e1d570 Merge remote-tracking branch 'restricted/pr/518' into mbedtls-2.7-restricted 2018-11-29 17:26:25 +00:00
Andres Amaya Garcia 97a184ba84 Fix resource leak of file desc in test code 2018-11-26 21:29:29 +00:00
Simon Butcher 20f30d97a8 Update library version number to 2.7.7 2018-11-19 18:32:22 +00:00
Simon Butcher 02d3b1cfbb Merge remote-tracking branch 'restricted/pr/523' into mbedtls-2.7-restricted-proposed 2018-11-07 13:35:07 +00:00
Gilles Peskine 3faac3e255 Fix copypasta in test dependency 2018-11-06 14:40:58 +01:00
Hanno Becker 2130163012 Add tests for relaxed CRL-CA name comparison
This commit introduces variants test-ca_utf8.crt,
test-ca_printablestring.crt and test-ca_uppercase.crt
of tests/data_files/test-ca.crt which differ from
test-ca.crt in their choice of string encoding and
upper and lower case letters in the DN field. These
changes should be immaterial to the recovation check,
and three tests are added that crl.pem, which applies
to test-ca.crt, is also considered as applying to
test-ca_*.crt.

The test files were generated using PR #1641 which
- adds a build instruction for test-ca.crt to
  tests/data_files/Makefile which allows easy
  change of the subject DN.
- changes the default string format from `PrintableString`
  to `UTF8String`.

Specifically:
- `test-ca_utf8.crt` was generated by running
      `rm test-ca.crt && make test-ca.crt`
   on PR #1641.
- `test-ca_uppercase.crt`, too, was generated by running
      `rm test-ca.crt && make test-ca.crt`
   on PR #1641, after modifying the subject DN line in the build
   instruction for `test-ca.crt` in `tests/data_files/Makefile`.
-  `test-ca_printable.crt` is a copy of `test-ca.crt`
   because at the time of this commit, `PrintableString` is
   still the default string format.
2018-11-06 13:17:07 +00:00
Gilles Peskine 0eaa6d5bb6 Fix buffer overflow in test mbedtls_mpi_is_prime_det 2018-11-05 16:43:17 +01:00
Simon Butcher e2a6f01f3f Merge remote-tracking branch 'public/pr/1763' into mbedtls-2.7-proposed 2018-10-28 18:13:46 +00:00
Janos Follath 0b74161502 Bignum: Add tests for primality testing
Primality tests have to deal with different distribution when generating
primes and when validating primes.
These new tests are testing if mbedtls_mpi_is_prime() is working
properly in the latter setting.

The new tests involve pseudoprimes with maximum number of
non-witnesses. The non-witnesses were generated by printing them
from mpi_miller_rabin(). The pseudoprimes were generated by the
following function:

void gen_monier( mbedtls_mpi* res, int nbits )
{
    mbedtls_mpi p_2x_plus_1, p_4x_plus_1, x, tmp;

    mbedtls_mpi_init( &p_2x_plus_1 );
    mbedtls_mpi_init( &p_4x_plus_1 );
    mbedtls_mpi_init( &x ); mbedtls_mpi_init( &tmp );

    do
    {
        mbedtls_mpi_gen_prime( &p_2x_plus_1, nbits >> 1, 0,
                               rnd_std_rand, NULL );
        mbedtls_mpi_sub_int( &x, &p_2x_plus_1, 1 );
        mbedtls_mpi_div_int( &x, &tmp, &x, 2 );

        if( mbedtls_mpi_get_bit( &x, 0 ) == 0 )
            continue;

        mbedtls_mpi_mul_int( &p_4x_plus_1, &x, 4 );
        mbedtls_mpi_add_int( &p_4x_plus_1, &p_4x_plus_1, 1 );

        if( mbedtls_mpi_is_prime( &p_4x_plus_1, rnd_std_rand,
                                  NULL ) == 0 )
            break;

    } while( 1 );

    mbedtls_mpi_mul_mpi( res, &p_2x_plus_1, &p_4x_plus_1 );
}
2018-10-19 09:21:15 +01:00
Hanno Becker ddf9d9645a Add missing return value check in ECDSA test suite
The test case `ecdsa_det_test_vectors` from the ECDSA test suite
called `mbedtls_md()` without checking its return value.
2018-10-17 14:00:59 +01:00
Hanno Becker f4860e0ef7 Add dependency of mbedtls_asn1_write_len() test on ASN.1 parsing 2018-10-16 13:54:37 +01:00
Hanno Becker 175dbe9ade Add dependency of pkwrite test suite on pkparse module 2018-10-16 13:54:08 +01:00
Gilles Peskine d3f978bd95 Add tests for PKCS#1 v1.5 decoding
Functional tests for various payload sizes and output buffer sizes.

When the padding is bad or the plaintext is too large for the output
buffer, verify that function writes some outputs. This doesn't
validate that the implementation is time-constant, but it at least
validates that it doesn't just return early without outputting anything.
2018-10-08 11:49:15 +02:00
Gilles Peskine 9ce2972399 CTR_DRBG: add mbedtls_ctr_drbg_update_ret
Deprecate mbedtls_ctr_drbg_update (which returns void) in favor of a
new function mbedtls_ctr_drbg_update_ret which reports error. The old
function is not officially marked as deprecated in this branch because
this is a stable maintenance branch.
2018-09-13 22:19:31 +02:00
Gilles Peskine 313a5c1fec pk_write test cases with short/long private key
Add pk_write test cases where the ASN.1 INTEGER encoding of the
private value does not have the mandatory size for the OCTET STRING
that contains the value.

ec_256_long_prv.pem is a random secp256r1 private key, selected so
that the private value is >= 2^255, i.e. the top bit of the first byte
is set (which would cause the INTEGER encoding to have an extra
leading 0 byte).

ec_521_short_prv.pem is a random secp521r1 private key, selected so
that the private value is < 2^518, i.e. the first byte is zero and the
top bit of the second byte is 0 (which would cause the INTEGER
encoding to have one less 0 byte at the start).
2018-09-04 11:16:42 +02:00
Simon Butcher 34997fd291 Update library version number to 2.7.6 2018-08-31 16:07:23 +01:00
Simon Butcher f88aace580 Change test dependencies to RC4 from DES
Some tests were dependent on DES yet actually used RC4. Likely a copy and paste
error. This change fixes them.
2018-07-27 17:33:34 +01:00
Jaeden Amero 8385110ae8 Update version to 2.7.5 2018-07-25 15:43:21 +01:00
Jaeden Amero fc2c4d025a tests: dhm: Rename Hallman to Hellman
Fix typo of Diffie-Hallman to Diffie-Hellman.
2018-07-06 14:28:45 +01:00
Ron Eldor de881c0173 Resolve PR review comments
Address review comments:
1. add `mbedtls_cipher_init()` after freeing context, in test code
2. style comments
3. set `ctx->iv_size = 0` in case `IV == NULL && iv_len == 0`
2018-06-21 14:03:37 +03:00
Ron Eldor cf330e8910 Fix CI failure
Test IV special cases only if `MBEDTLS_CIPHER_MODE_CBC` is defined
2018-06-21 14:03:24 +03:00
Ron Eldor efba4b077b Fix after PR comments
1. Don't set IV onECB
2. Fix style issues
3. reduce number of tests
2018-06-21 14:03:14 +03:00
Ron Eldor cf2305e513 Add tests for mbedtls_cipher_crypt API
1. Add tests for 'mbedtls_cipher_crypt()' API
2. Resolves #1091, by ignoring IV when the cipher mode is MBEDTLS_MODE_ECB
2018-06-21 14:02:23 +03:00
Simon Butcher 662ae9eaae Change the library version to 2.7.4 2018-06-18 14:42:14 +01:00
Simon Butcher bb5e1c3973 Fix multiple quality issues in the source
This PR fixes multiple issues in the source code to address issues raised by
tests/scripts/check-files.py. Specifically:
 * incorrect file permissions
 * missing newline at the end of files
 * trailing whitespace
 * Tabs present
 * TODOs in the souce code
2018-06-08 11:14:43 +01:00
Jaeden Amero 1fc4d33f5f Update version to 2.7.3 2018-04-27 13:15:45 +01:00
Gilles Peskine a0e03a81a7 Merge branch 'pr_1538' into mbedtls-2.7-proposed 2018-04-01 12:35:50 +02:00
Andrzej Kurek a24adde168 Add tests for "return plaintext data faster on unpadded decryption" 2018-03-29 08:43:30 -04:00
Jaeden Amero 38e37bdd56 Merge remote-tracking branch 'upstream-public/pr/1529' into mbedtls-2.7-proposed 2018-03-29 11:00:09 +01:00
Jaeden Amero 0d891042d1 Merge remote-tracking branch 'upstream-public/pr/1524' into mbedtls-2.7-proposed 2018-03-28 15:33:45 +01:00
Jethro Beekman 004e37117c Fix parsing of PKCS#8 encoded Elliptic Curve keys.
The relevant ASN.1 definitions for a PKCS#8 encoded Elliptic Curve key are:

PrivateKeyInfo ::= SEQUENCE {
  version                   Version,
  privateKeyAlgorithm       PrivateKeyAlgorithmIdentifier,
  privateKey                PrivateKey,
  attributes           [0]  IMPLICIT Attributes OPTIONAL
}

AlgorithmIdentifier  ::=  SEQUENCE  {
  algorithm   OBJECT IDENTIFIER,
  parameters  ANY DEFINED BY algorithm OPTIONAL
}

ECParameters ::= CHOICE {
  namedCurve         OBJECT IDENTIFIER
  -- implicitCurve   NULL
  -- specifiedCurve  SpecifiedECDomain
}

ECPrivateKey ::= SEQUENCE {
  version        INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
  privateKey     OCTET STRING,
  parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
  publicKey  [1] BIT STRING OPTIONAL
}

Because of the two optional fields, there are 4 possible variants that need to
be parsed: no optional fields, only parameters, only public key, and both
optional fields. Previously mbedTLS was unable to parse keys with "only
parameters". Also, only "only public key" was tested. There was a test for "no
optional fields", but it was labelled incorrectly as SEC.1 and not run because
of a great renaming mixup.
2018-03-28 11:29:21 +02:00
Deomid Ryabkov 980fa5839e Fix some test deps
* Cert revocation tests require `MBEDTLS_HAVE_TIME_DATE`.
 * Verison features tests require... well, `MBEDTLS_VERSION_FEATURES`, actually.

Fixes https://github.com/ARMmbed/mbedtls/issues/1475
2018-03-27 23:18:13 +02:00
Andres Amaya Garcia e9ff785db9 Fix test dependencies of pkcs5 pbs2 on asn1 parse 2018-03-27 21:25:55 +01:00
Gilles Peskine 79d441c64f Add missing dependencies in test_suite_x509parse
Found by depends-hashes.pl and depends-pkgalgs.pl.
2018-03-23 02:18:36 +01:00
Gilles Peskine 2cfeb887b4 Merge tag 'mbedtls-2.7.2' into iotssl-1381-x509-verify-refactor-2.7-restricted
Conflict resolution:

* ChangeLog
* tests/data_files/Makefile: concurrent additions, order irrelevant
* tests/data_files/test-ca.opensslconf: concurrent additions, order irrelevant
* tests/scripts/all.sh: one comment change conflicted with a code
  addition. In addition some of the additions in the
  iotssl-1381-x509-verify-refactor-restricted branch need support for
  keep-going mode, this will be added in a subsequent commit.
2018-03-23 02:12:44 +01:00
Jaeden Amero 9ae1fba869 Update version to 2.7.2 2018-03-16 16:30:17 +00:00
Jaeden Amero e0b1a73c56 Merge remote-tracking branch 'upstream-restricted/pr/464' into mbedtls-2.7-restricted-proposed 2018-03-15 14:36:47 +00:00
Jaeden Amero 73923e1575 Merge remote-tracking branch 'upstream-restricted/pr/459' into mbedtls-2.7-restricted-proposed 2018-03-15 14:36:22 +00:00
Manuel Pégourié-Gonnard dae3fc3fe0 x509: CRL: add tests for non-critical extension
The 'critical' boolean can be set to false in two ways:
- by leaving it implicit (test data generated by openssl)
- by explicitly setting it to false (generated by hand)
2018-03-14 12:46:54 +01:00
Manuel Pégourié-Gonnard 282159c318 x509: CRL: add tests for malformed extensions
This covers all lines added in the previous commit. Coverage was tested using:

    make CFLAGS='--coverage -g3 -O0'
    (cd tests && ./test_suite_x509parse)
    make lcov
    firefox Coverage/index.html # then visual check

Test data was generated by taking a copy of tests/data_files/crl-idp.pem,
encoding it as hex, and then manually changing the values of some bytes to
achieve the desired errors, using https://lapo.it/asn1js/ for help in locating
the desired bytes.
2018-03-14 12:46:53 +01:00
Manuel Pégourié-Gonnard 5a9f46e57c x509: CRL: reject unsupported critical extensions 2018-03-14 09:24:12 +01:00
Gilles Peskine 64540d9577 Merge remote-tracking branch 'upstream-restricted/pr/458' into mbedtls-2.7-restricted-proposed 2018-03-13 17:24:46 +01:00
Gilles Peskine 955d70459d Merge remote-tracking branch 'upstream-restricted/pr/460' into mbedtls-2.7-restricted-proposed 2018-03-13 17:24:33 +01:00
Manuel Pégourié-Gonnard b0ba5bccff Yet another dependency issue (PKCS1_V15)
Found by running:

CC=clang cmake -D CMAKE_BUILD_TYPE="Check"
tests/scripts/depend-pkalgs.pl

(Also tested with same command but CC=gcc)

Another PR will address improving all.sh and/or the depend-xxx.pl scripts
themselves to catch this kind of thing.
2018-03-13 13:44:45 +01:00
Gilles Peskine 427ff4836c Merge remote-tracking branch 'upstream-public/pr/1219' into mbedtls-2.7-proposed 2018-03-12 23:52:24 +01:00
Gilles Peskine c5671bdcf4 Merge remote-tracking branch 'upstream-public/pr/778' into mbedtls-2.7-proposed 2018-03-12 23:44:56 +01:00
Manuel Pégourié-Gonnard a3c5ad5db0 Fix remaining issues found by depend-hashes 2018-03-12 15:51:32 +01:00
Manuel Pégourié-Gonnard b314ece10b Fix remaining issues found by depend-pkalgs 2018-03-12 15:51:30 +01:00
Gilles Peskine 8eda5ec8b4 Merge branch 'pr_1408' into mbedtls-2.7-proposed 2018-03-11 00:48:18 +01:00
Hanno Becker 930ec7dfe5 Minor fixes 2018-03-09 10:48:12 +00:00
Sanne Wouda 22797fcc57 Remove redundant dependency 2018-03-06 23:35:14 +01:00
Sanne Wouda bb50113123 Rename test and update dependencies 2018-03-06 23:35:14 +01:00
Sanne Wouda 90da97d587 Add test case found through fuzzing to pkparse test suite 2018-03-06 23:31:12 +01:00
Andres Amaya Garcia 19f33a800b Add regression test for parsing subjectAltNames 2018-03-06 19:26:20 +00:00
Gert van Dijk b8e40efee3 Tests: add omitted dependency on MBEDTLS_ECDSA_C in test_suite_debug
GitHub issue #1040 https://github.com/ARMmbed/mbedtls/issues/1040
2018-03-05 13:20:31 +01:00
Manuel Pégourié-Gonnard 7c28b56f65 Fix test that didn't check full value of flags 2018-03-05 13:20:26 +01:00
Manuel Pégourié-Gonnard aefd2dcd5b Unify name of default profile in X.509 tests 2018-03-05 13:20:14 +01:00
Manuel Pégourié-Gonnard 650780c462 Fix some whitespace 2018-03-05 13:16:28 +01:00
Manuel Pégourié-Gonnard b0add2e2ad Add test for callback and bad signatures
Our current behaviour is a bit inconsistent here:
- when the bad signature is made by a trusted CA, we stop here and don't
  include the trusted CA in the chain (don't call vrfy on it)
- otherwise, we just add NOT_TRUSTED to the flags but keep building the chain
  and call vrfy on the upper certs
2018-03-05 13:05:17 +01:00
Manuel Pégourié-Gonnard 50fc51a9f7 Add test for bad name and callback
This ensures that the callback can actually clear that flag, and that it is
seen by the callback at the right level. This flag is not set at the same
place than others, and this difference will get bigger in the upcoming
refactor, so let's ensure we don't break anything here.
2018-03-05 13:05:03 +01:00
Manuel Pégourié-Gonnard 166b1e0b60 Add test for same CA with different keys
When a trusted CA is rolling its root keys, it could happen that for some
users the list of trusted roots contains two versions of the same CA with the
same name but different keys. Currently this is supported but wasn't tested.

Note: the intermediate file test-ca-alt.csr is commited on purpose, as not
commiting intermediate files causes make to regenerate files that we don't
want it to touch.
2018-03-05 13:03:40 +01:00
Manuel Pégourié-Gonnard 37a560cc6d Add test for CA forgery attempt
As we accept EE certs that are explicitly trusted (in the list of trusted
roots) and usually look for parent by subject, and in the future we might want
to avoid checking the self-signature on trusted certs, there could a risk that we
incorrectly accept a cert that looks like a trusted root except it doesn't
have the same key. This test ensures this will never happen.
2018-03-05 13:02:27 +01:00
Manuel Pégourié-Gonnard 5bc9738139 Add test for profile on trusted EE cert 2018-03-05 13:01:11 +01:00
Manuel Pégourié-Gonnard cd2118f67b Add tests for flags passed to f_vrfy
The tests cover chains of length 0, 1 and 2, with one error, located at any of
the available levels in the chain. This exercises all three call sites of
f_vrfy (two in verify_top, one in verify_child). Chains of greater length
would not cover any new code path or behaviour that I can see.
2018-03-05 13:01:02 +01:00
Manuel Pégourié-Gonnard ae6d7103cc Add ability to test flags value in vrfy callback
So far there was no test ensuring that the flags passed to the vrfy callback
are correct (ie the flags for the current certificate, not including those of
the parent).

Actual tests case making use of that test function will be added in the next
commit.
2018-03-05 13:00:43 +01:00