Commit graph

2733 commits

Author SHA1 Message Date
Hanno Becker b0b2b67568 Allow compile-time configuration of legacy renegotiation
Introduces MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION
allowing to configure enforcing secure renegotiation at
compile-time.

Impact on code-size:

|  | GCC | ARMC5 | ARMC6 |
| --- | --- | --- | --- |
| `libmbedtls.a` after  | 23379 | 23929 | 27727 |
| `libmbedtls.a` before | 23307 | 23865 | 27615 |
| gain in Bytes | 72 | 64 | 112 |
2019-07-02 16:41:34 +01:00
Hanno Becker acd4fc0ac9 Allow compile-time configuration of authentication mode
Introduces MBEDTLS_SSL_CONF_AUTHMODE to fix the authentication
mode (none, optional, mandatory) at compile-time.

Impact on code-size:

|  | GCC | ARMC5 | ARMC6 |
| --- | --- | --- | --- |
| `libmbedtls.a` before | 23487 | 24025 | 27885 |
| `libmbedtls.a` after  | 23379 | 23929 | 27727 |
| gain in Bytes | 108 | 96 | 157 |
2019-07-02 16:41:29 +01:00
Hanno Becker de67154658 Allow compile-time configuration of DTLS badmac limit
Introduces MBEDTLS_SSL_CONF_BADMAC_LIMIT to fix the maximum
number of records with bad MAC tolerated in DTLS at compile-time.

Impact on code-size:

|  | GCC | ARMC5 | ARMC6 |
| --- | --- | --- | --- |
| `libmbedtls.a` before  | 23511 | 24049 | 27903 |
| `libmbedtls.a` after | 23487 | 24025 | 27885 |
| gain in Bytes | 24 | 24 | 18 |
2019-07-02 16:40:50 +01:00
Manuel Pégourié-Gonnard f1c6ad4c5f Declare dependency on tickets for two ssl-opt.sh tests
See https://github.com/ARMmbed/mbedtls/issues/2712
2019-07-02 15:12:29 +02:00
Jarno Lamsa 29f2dd0a7b Address review comments 2019-07-02 15:12:29 +02:00
Jarno Lamsa 0905c3da11 Add test to all.sh 2019-07-02 15:12:29 +02:00
Jarno Lamsa 5b52b27519 Skip resumption tests if resumption not defined 2019-07-02 15:12:29 +02:00
Hanno Becker abd929c89c Merge branch 'mbedtls-2.16' into baremetal-2.16-01_07_19 2019-07-01 11:25:42 +01:00
Hanno Becker 7ab8a2e2a0 Add X.509 CRT test for nested calls for CRT frame / PK acquire 2019-06-28 15:52:54 +01:00
Hanno Becker 94a94f6c33 Remove memory buffer alloc from i386 test in all.sh
Otherwise, the CI fails this test due to timeout.

The buffer allocator is tested e.g. in test_full_cmake_clang().
2019-06-28 14:48:32 +01:00
Hanno Becker 7c5fbbeec0 Reduce number of parallel workers in X.509 CRT threading test
The previous tests used 100 parallel workers which for EC certificates
leads to a memory usage of more than 1Mb, hence leading to an out of memory
condition in tests using the memory buffer allocator which has a pool of 1Mb.

Use 25 workers but an increased number of iterations per worker instead.
2019-06-25 09:11:11 +01:00
Hanno Becker d687ef0a91 Move X.509 threading test to separate test suite
This allows to build the library + tests via `make` without
specifying `PTHREAD=1`, in which case the X.509 threading
test suite will be silently dropped.

This is analogous to the pre-existing handling of the example
application `ssl_pthread_server`, which is only build if `PTHREAD=1`
and silently dropped otherwise.
2019-06-25 09:10:57 +01:00
Hanno Becker 22cf255e09 Force linking of pthread in 'full config' tests in all.sh 2019-06-25 09:10:57 +01:00
Hanno Becker fa37d07a0d Make: Link test suites with pthread if PTHREAD is set 2019-06-25 09:10:57 +01:00
Hanno Becker 1ba602c2f6 CMake: Link test suites with pthread if LINK_WITH_PTHREAD set
The pre-existing LINK_WITH_PTHREAD CMake option controls whether
`pthread` should be linked into the library, but didn't apply
to the test suites so far.

This commit also links test suites to `pthread` in CMake-based
builds which have LINK_WITH_PTHREAD set.
2019-06-25 09:10:57 +01:00
Hanno Becker fd8b7bd63f Add concurrent X.509 CRT verification test
This commit enhances the X.509 parsing test suite by a test
which exercises multiple threads concurrently verifying the
same certificate with the same set of trusted roots.
2019-06-25 09:10:57 +01:00
Hanno Becker 5f268b3cf6 Don't allow change of CRT frame returned by x509_crt_frame_acquire() 2019-06-25 09:10:57 +01:00
Hanno Becker 54f1c2cb20 Rename MBEDTLS_X509_SAFE_SNPRINTF_WITH_ERROR to _WITH_CLEANUP 2019-06-25 09:10:57 +01:00
Hanno Becker f6bc8886c7 Move declarations of internal X.509 functions to separate header
This makes it easier to distinguish public from internal functions;
for us, for users, and for automated API compatibility checkers.
2019-06-25 09:10:57 +01:00
Hanno Becker c6d1c3ed1c Remove frame/pk parameter from mbedtls_x509_crt_xxx_release() 2019-06-25 09:07:16 +01:00
Hanno Becker 7dbf49a518 Enable threading in all.sh test for X.509 on demand parsing 2019-06-25 09:07:16 +01:00
Hanno Becker 1e11f217d4 Solely use raw X.509 name data references including SEQUENCE header
So far, the CRT frame structure `mbedtls_x509_crt_frame` used
as `issuer_raw` and `subject_raw` the _content_ of the ASN.1
name structure for issuer resp. subject. This was in contrast
to the fields `issuer_raw` and `subject_raw` from the legacy
`mbedtls_x509_crt` structure, and caused some information
duplication by having both variants `xxx_no_hdr` and `xxx_with_hdr`
in `mbedtls_x509_crt` and `mbedtls_x509_crt_frame`.

This commit removes this mismatch by solely using the legacy
form of `issuer_raw` and `subject_raw`, i.e. those _including_
the ASN.1 name header.
2019-06-25 09:07:16 +01:00
Hanno Becker bfabd1dfae Add test to all.sh
This commit adds a `make test` and `ssl-opt.sh` run to `all.sh`
exercising the default configuration, plus the following changes:
- MBEDTLS_SSL_KEEP_PEER_CERTIFICATE disabled
- MBEDTLS_X509_ON_DEMAND_PARSING enabled.
2019-06-25 09:07:16 +01:00
Hanno Becker 3f8f0dc3fd Use mbedtls_x509_crt_get_subject() in test_suite_x509parse test 2019-06-25 09:06:26 +01:00
Hanno Becker c69c4465b6 Adapt test_suite_x509parse to new CRT structure 2019-06-25 09:06:26 +01:00
Hanno Becker 5c03058bbc Make use of CRT acquire/release in test_suite_x509parse suite 2019-06-25 09:06:26 +01:00
Hanno Becker 7f376f4ece Allow compile-time configuration of DTLS anti replay
Introduce MBEDTLS_SSL_CONF_ANTI_REPLAY to allow configuring
the use/nonuse of DTLS anti replay protection at compile-time.

Impact on code-size, measured with
> ./scripts/baremetal.sh --rom --gcc --armc5 --armc6

|  | GCC | ARMC5 | ARMC6 |
| --- | --- | --- | --- |
| `libmbedtls.a` before | 23559 | 24089 | 27921 |
| `libmbedtls.a` after  | 23511 | 24049 | 27903 |
| gain in Bytes | 48 | 40 | 18 |
2019-06-25 08:43:31 +01:00
Hanno Becker af5ab918d9 Detect mismatching compile-time and cmd line config in ssl-opt.sh 2019-06-25 08:42:20 +01:00
Manuel Pégourié-Gonnard 393338ca78
Merge pull request #586 from ARMmbed/remove_peer_crt_after_handshake_no_digest-baremetal
[Baremetal] Don't store peer CRT digest if renegotiation is disabled
2019-06-24 18:12:00 +02:00
Manuel Pégourié-Gonnard 79cf74a95f
Merge pull request #583 from ARMmbed/remove_peer_crt_after_handshake-baremetal
[Baremetal] Allow removal of peer certificate to reduce RAM usage
2019-06-24 18:11:46 +02:00
Manuel Pégourié-Gonnard 8dcd80ec5c
Merge pull request #578 from ARMmbed/x509_parse_bf-baremetal
[Baremetal] Enhance X.509 CRT negative parsing tests
2019-06-24 18:08:33 +02:00
Manuel Pégourié-Gonnard cc3b7ccb04
Merge pull request #579 from Patater/bm-dont-use-non-existent-encrypt-then-mac
[Baremetal] ssl: Don't access non-existent encrypt_then_mac field
2019-06-24 18:06:53 +02:00
Jaeden Amero 5ecbd14fdd Merge remote-tracking branch 'origin/pr/2701' into mbedtls-2.16
* origin/pr/2701:
  Add all.sh component that exercises invalid_param checks
  Remove mbedtls_param_failed from programs
  Make it easier to define MBEDTLS_PARAM_FAILED as assert
  Make test suites compatible with #include <assert.h>
  Pass -m32 to the linker as well
2019-06-21 16:00:06 +01:00
Jaeden Amero a5ebd5fe10 Merge remote-tracking branch 'origin/pr/2615' into mbedtls-2.16
* origin/pr/2615:
  Use 'config.pl baremetal' in all.sh
2019-06-21 15:59:34 +01:00
Jaeden Amero 096bccf204 Merge remote-tracking branch 'origin/pr/2450' into mbedtls-2.16
* origin/pr/2450:
  Fix #2370, minor typos and spelling mistakes
2019-06-21 15:59:29 +01:00
Jaeden Amero f580d43bad Merge remote-tracking branch 'origin/pr/2053' into mbedtls-2.16
* origin/pr/2053:
  Clarify ChangeLog entry for fix to #1628
  Add Changelog entry for clang test-ref-configs.pl fix
  Enable more compiler warnings in tests/Makefile
  Change file scoping of test helpers.function
2019-06-21 15:59:16 +01:00
Hanno Becker e256f7c9ae Add test for !KEEP_PEER_CERTIFICATE + !RENEGOTIAITON to all.sh 2019-06-19 16:56:51 +01:00
Hanno Becker 5882dd0856 Remove CRT digest from SSL session if !RENEGO + !KEEP_PEER_CERT
If `MBEDTLS_SSL_KEEP_PEER_CERTIFICATE` is not set, `mbedtls_ssl_session`
contains the digest of the peer's certificate for the sole purpose of
detecting a CRT change on renegotiation. Hence, it is not needed if
renegotiation is disabled.

This commit removes the `peer_cert_digest` fields (and friends) from
`mbedtls_ssl_session` if
   `!MBEDTLS_SSL_KEEP_PEER_CERTIFICATE + !MBEDTLS_SSL_RENEGOTIATION`,
which is a sensible configuration for constrained devices.

Apart from straightforward replacements of
   `if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)`
by
   `if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) && \
        defined(MBEDTLS_SSL_RENEGOTIATION)`,
there's one notable change: On the server-side, the CertificateVerify
parsing function is a no-op if the client hasn't sent a certificate.
So far, this was determined by either looking at the peer CRT or the
peer CRT digest in the SSL session structure (depending on the setting
of `MBEDTLS_SSL_KEEP_PEER_CERTIFICATE`), which now no longer works if
`MBEDTLS_SSL_KEEP_PEER_CERTIFICATE` is unset. Instead, this function
now checks whether the temporary copy of the peer's public key within
the handshake structure is initialized or not (which is also a
beneficial simplification in its own right, because the pubkey is
all the function needs anyway).
2019-06-19 16:56:51 +01:00
Hanno Becker 890d7ee4cb Reintroduce numerous ssl-opt.sh tests if !MBEDTLS_SSL_KEEP_PEER_CERT 2019-06-19 14:59:41 +01:00
Hanno Becker 92820a1dff Add test for !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE to all.sh 2019-06-19 10:26:50 +01:00
Hanno Becker 8b6d2cd5af Add dependency to ssl-opt.sh tests which need peer CRT debug info 2019-06-19 10:26:17 +01:00
Hanno Becker 2e6d34761f Remove peer CRT from mbedtls_ssl_session if !KEEP_PEER_CERT 2019-06-19 10:25:01 +01:00
Hanno Becker 4a2f8e584f Add peer CRT digest to session tickets
This commit changes the format of session tickets to include
the digest of the peer's CRT if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
is disabled.

This commit does not yet remove the peer CRT itself.
2019-06-19 10:25:01 +01:00
Simon Butcher 7400e8fb36 Merge remote-tracking branch 'origin/pr/591' into baremetal 2019-06-18 17:36:45 +01:00
Hanno Becker eddc78a844 Fix documentation of X.509 parsing test 2019-06-18 17:29:35 +01:00
Hanno Becker 5b4a619cfe Add X.509 CRT parsing test for mixed time-encodings 2019-06-18 17:29:35 +01:00
Hanno Becker 615bda0035 Improve X.509 CRT parsing test names 2019-06-18 17:29:35 +01:00
Hanno Becker b9df4bd8fc Add negative X.509 parsing tests for v3Ext in v1/v2 CRT 2019-06-18 17:29:35 +01:00
Hanno Becker 576f355ea6 Add negative X.509 parsing tests for IssuerID/SubjectID in v1 CRT 2019-06-18 17:29:35 +01:00
Hanno Becker 22adeeb95f Improve name of X.509 CRT parsing test 2019-06-18 17:29:35 +01:00
Hanno Becker 36023dc62b Always use the same X.509 alg structure inside and outside of TBS 2019-06-18 17:29:35 +01:00
Hanno Becker 53634e3f84 Fix test dependencies in X.509 CRT parsing suite
Most tests use an sha256WithRSAEncryption OID which isn't recognized
unless RSA and SHA-256 are enabled.
2019-06-18 17:29:35 +01:00
Hanno Becker d061c3d7ca Fix test case name formatting in X.509 parsing suite 2019-06-18 17:29:35 +01:00
Hanno Becker 57e0693302 Use ASN.1 NULL TLVs when testing invalid tags
Previously, a test exercising the X.509 CRT parser's behaviour
on unexpected tags would use a '00' byte in place of the tag
for the expected structure. This makes reviewing the examples
harder because the binary data isn't valid DER-encoded ASN.1.

This commit uses the ASN.1 NULL TLV '05 00' to test invalid
tags, and adapts surrounding structures' length values accordingly.
This eases reviewing because now the ASN.1 structures are still
well-formed at the place where the mismatch occurs.
2019-06-18 17:29:35 +01:00
Hanno Becker 98c6b6a5f0 Shorten X.509 CRT parsing test names 2019-06-18 17:29:35 +01:00
Hanno Becker 24d93a424f Extend negative testing for X.509 Signature parsing 2019-06-18 17:28:54 +01:00
Hanno Becker 56eb0b45c9 Extend negative testing for X.509 SignatureAlgorithm parsing 2019-06-18 17:28:54 +01:00
Hanno Becker cb60e2c917 Extend negative testing for X.509 v3 Extension parsing 2019-06-18 17:28:54 +01:00
Hanno Becker 543cc8a6fd Extend negative testing for X.509 SubjectID parsing 2019-06-18 17:28:54 +01:00
Hanno Becker 96480c1ab0 Extend negative testing for X.509 IssuerID parsing 2019-06-18 17:28:54 +01:00
Hanno Becker 1d3aab9ee8 Extend negative testing for X.509 SubjectPublicKeyInfo parsing 2019-06-18 17:28:54 +01:00
Hanno Becker 74f1d4b6cc Extend negative testing for X.509 Subject parsing 2019-06-18 17:28:54 +01:00
Hanno Becker f3ca578a73 Extend negative testing for X.509 Validity parsing 2019-06-18 17:28:54 +01:00
Hanno Becker f59cd6b020 Extend negative testing for X.509 Issuer parsing 2019-06-18 17:28:54 +01:00
Hanno Becker d4b6daf70a Extend negative testing for X.509 AlgorithmIdentifier parsing 2019-06-18 17:28:54 +01:00
Hanno Becker 1a0d3740b9 Extend negative testing for X.509 Serial number parsing 2019-06-18 17:28:54 +01:00
Hanno Becker baf32b8cea Extend negative testing for X.509 Version parsing 2019-06-18 17:28:54 +01:00
Hanno Becker d6ea7252db Extend negative testing for X.509 TBS header parsing 2019-06-18 17:28:54 +01:00
Simon Butcher f2ef573f2b Merge remote-tracking branch 'origin/pr/598' into baremetal 2019-06-18 15:00:02 +01:00
Simon Butcher f1ff74574d Merge remote-tracking branch 'origin/pr/597' into baremetal 2019-06-18 14:58:37 +01:00
Jaeden Amero d81c11b8ab Merge remote-tracking branch 'origin/pr/2687' into mbedtls-2.16
* origin/pr/2687:
  Update library to 2.16.2
2019-06-18 14:23:28 +01:00
Hanno Becker b2c6383b7b Add missing !MBEDTLS_X509_REMOVE_INFO guards to ssl-opt.sh 2019-06-18 11:05:44 +01:00
Peter Kolbus b1cb0bde72 all.sh: Add test for MBEDTLS_X509_REMOVE_INFO
Add a test scenario that runs make/make test with
MBEDTLS_X509_REMOVE_INFO enabled.
2019-06-18 11:05:44 +01:00
Hanno Becker 4a156fc854 Apply guards to make ssl-opt.sh work with MBEDTLS_X509_REMOVE_INFO
Multiple tests in ssl-opt.sh grep for debug output that's omitted
if MBEDTLS_X509_REMOVE_INFO is defined. This commit modifies ssl-opt.sh
to skip those tests in this case.
2019-06-18 11:05:44 +01:00
Hanno Becker 98f85c8c25 Add missing dependencies on !MBEDTLS_X509_REMOVE_INFO 2019-06-18 11:05:44 +01:00
Hanno Becker 02a2193f60 Rename MBEDTLS_X509_INFO to !MBEDTLS_X509_REMOVE_INFO 2019-06-18 11:05:44 +01:00
Peter Kolbus dc470ae8af Reduce code size when mbedtls_x509_*_info() unused
Introduce MBEDTLS_X509_INFO to indicate the availability of the
mbedtls_x509_*_info() function and closely related APIs. When this is
not defined, also omit name and description from
mbedtls_oid_descriptor_t, and omit OID arrays, macros, and types that
are entirely unused. This saves several KB of code space.

Change-Id: I056312613379890e0d70e1d08c34171287c0aa17
2019-06-18 11:05:37 +01:00
Manuel Pégourié-Gonnard 31ae7facb3 Add test for build warnings with baremetal.h 2019-06-18 12:03:51 +02:00
Jarno Lamsa 8a91c0650a Add tests for re-init flow for context serialization 2019-06-18 11:50:11 +03:00
Jarno Lamsa cc281b8a54 ssl-opt.sh tests for serialization are currently using stub implementation 2019-06-18 11:50:11 +03:00
Jarno Lamsa dcfc2a7364 Add missing slashes to tests 2019-06-18 11:50:11 +03:00
Jarno Lamsa fa45e6005e Add serialization tests to ssl-opt.sh 2019-06-18 11:50:11 +03:00
Hanno Becker 1abb159e90 Merge branch 'mbedtls-2.16' into baremetal 2019-06-18 09:00:37 +01:00
Gilles Peskine dcab202368 Add all.sh component that exercises invalid_param checks
With the change to the full config, there were no longer any tests
that exercise invalid-parameter behavior. The test suite exercises
invalid-parameter behavior by calling TEST_INVALID_PARAM and friends,
relying on the test suite's mbedtls_check_param function. This
function is only enabled if MBEDTLS_CHECK_PARAMS is defined but not
MBEDTLS_CHECK_PARAMS_ASSERT.

Add a component to all.sh that enables MBEDTLS_CHECK_PARAMS but
disables MBEDTLS_CHECK_PARAMS_ASSERT and doesn't define
MBEDTLS_PARAM_FAILED. This way, the xxx_invalid_param() tests do run.
Since sample programs don't provide a mbedtls_check_param function,
this component doesn't build the sample programs.
2019-06-17 19:11:35 +02:00
Gilles Peskine 137d31bf5a Make test suites compatible with #include <assert.h>
Don't use the macro name assert. It's technically permitted as long as
<assert.h> is not included, but it's fragile, because it means the
code and any header that it includes must not include <assert.h>.
2019-06-17 19:06:52 +02:00
Gilles Peskine 8118e4672e Pass -m32 to the linker as well
For unit tests and sample programs, CFLAGS=-m32 is enough to get a
32-bit build, because these programs are all compiled directly
from *.c to the executable in one shot. But with makefile rules that
first build object files and then link them, LDFLAGS=-m32 is also
needed.
2019-06-17 19:06:28 +02:00
Simon Butcher c725e4b34e Merge remote-tracking branch 'origin/pr/590' into baremetal 2019-06-17 17:57:26 +01:00
Jaeden Amero 418e7611f6 Merge remote-tracking branch 'origin/pr/2484' into mbedtls-2.16
* origin/pr/2484:
  Correct placement of ChangeLog entry
  Improve documentation of mbedtls_x509_get_ext()
  Adapt ChangeLog
  Always return a high-level error code from X.509 module
  Obey bounds of ASN.1 substructures
2019-06-14 15:28:42 +01:00
Jaeden Amero 7aed01c0dc Merge remote-tracking branch 'origin/pr/2481' into mbedtls-2.16
* origin/pr/2481:
  Document support for MD2 and MD4 in programs/x509/cert_write
  Correct name of X.509 parsing test for well-formed, ill-signed CRT
  Add test cases exercising successful verification of MD2/MD4/MD5 CRT
  Add test case exercising verification of valid MD2 CRT
  Add MD[245] test CRTs to tree
  Add instructions for MD[245] test CRTs to tests/data_files/Makefile
  Add suppport for MD2 to CSR and CRT writing example programs
  Convert further x509parse tests to use lower-case hex data
  Correct placement of ChangeLog entry
  Adapt ChangeLog
  Use SHA-256 instead of MD2 in X.509 CRT parsing tests
  Consistently use lower case hex data in X.509 parsing tests
2019-06-14 08:50:47 +01:00
Jaeden Amero 1adf212a1b Merge remote-tracking branch 'origin/pr/2497' into mbedtls-2.16
* origin/pr/2497:
  Re-generate library/certs.c from script
  Add new line at the end of test-ca2.key.enc
  Use strict syntax to annotate origin of test data in certs.c
  Add run to all.sh exercising !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO
  Allow DHM self test to run without MBEDTLS_PEM_PARSE_C
  ssl-opt.sh: Auto-skip tests that use files if MBEDTLS_FS_IO unset
  Document origin of hardcoded certificates in library/certs.c
  Adapt ChangeLog
  Rename server1.der to server1.crt.der
  Add DER encoded files to git tree
  Add build instructions to generate DER versions of CRTs and keys
  Document "none" value for ca_path/ca_file in ssl_client2/ssl_server2
  ssl_server2: Skip CA setup if `ca_path` or `ca_file` argument "none"
  ssl_client2: Skip CA setup if `ca_path` or `ca_file` argument "none"
  Correct white spaces in ssl_server2 and ssl_client2
  Adapt ssl_client2 to parse DER encoded test CRTs if PEM is disabled
  Adapt ssl_server2 to parse DER encoded test CRTs if PEM is disabled
2019-06-14 08:48:54 +01:00
Jarno Lamsa 31d940ba5e Change test name 2019-06-12 10:21:33 +03:00
Jaeden Amero ff36cdaa84 Update library to 2.16.2 2019-06-11 17:27:32 +01:00
Jarno Lamsa 20095afc58 Changes according to review comments 2019-06-11 17:16:58 +03:00
Jarno Lamsa 41b359114d Add tests for enforced extended master secret flag 2019-06-10 15:51:11 +03:00
Jaeden Amero adffe39fdb test: Remove redundant 0-byte decryption test
Remove the "Decrypt empty buffer" test, as ChaCha20 is a stream cipher
and 0 bytes encrypted is identical to a 0 length buffer. The "ChaCha20
Encrypt and decrypt 0 bytes" test will test decryption of a 0 length
buffer.
2019-06-06 12:04:13 +01:00
Jaeden Amero 4e47aa0120 test: Check empty buffer decryption for chachapoly
Previously, even in the Chacha20 and Chacha20-Poly1305 tests, we would
test that decryption of an empty buffer would work with
MBEDTLS_CIPHER_AES_128_CBC.

Make the cipher used with the dec_empty_buf() test configurable, so that
Chacha20 and Chacha20-Poly1305 empty buffer tests can use ciphers other
than AES CBC. Then, make the Chacha20 and Chacha20-Poly1305 empty buffer
tests use the MBEDTLS_CIPHER_CHACHA20 and
MBEDTLS_CIPHER_CHACHA20_POLY1305 cipher suites.
2019-06-06 12:04:13 +01:00
Jaeden Amero fa8e6dabd2 all.sh: Perform targeted EtM tests for MAC-less configs
When testing a configuration where no ciphersuites have MAC, via
component_test_when_no_ciphersuites_have_mac(), perform a targeted test
of only encrypt-then-MAC tests within ssl-opt.sh.
2019-06-05 14:48:33 +01:00
Jaeden Amero 2eaf2c7969 ssl: Don't access non-existent encrypt_then_mac field
When MBEDTLS_SSL_ENCRYPT_THEN_MAC is enabled, but not
MBEDTLS_SSL_SOME_MODES_USE_MAC, mbedtls_ssl_derive_keys() and
build_transforms() will attempt to use a non-existent `encrypt_then_mac`
field in the ssl_transform.

    Compile [ 93.7%]: ssl_tls.c
    [Error] ssl_tls.c@865,14: 'mbedtls_ssl_transform {aka struct mbedtls_ssl_transform}' ha
s no member named 'encrypt_then_mac'
    [ERROR] ./mbed-os/features/mbedtls/src/ssl_tls.c: In function 'mbedtls_ssl_derive_keys'
:
    ./mbed-os/features/mbedtls/src/ssl_tls.c:865:14: error: 'mbedtls_ssl_transform {aka str
uct mbedtls_ssl_transform}' has no member named 'encrypt_then_mac'
         transform->encrypt_then_mac = session->encrypt_then_mac;
                  ^~

Change mbedtls_ssl_derive_keys() and build_transforms() to only access
`encrypt_then_mac` if `encrypt_then_mac` is actually present. Fix any
unused variable warnings along the way, by additionally wrapping
function parameters with MBEDTLS_SSL_SOME_MODES_USE_MAC.

Add a regression test to detect when we have regressions with
configurations that do not include any MAC ciphersuites.

Fixes 92231325a7 ("Reduce size of `ssl_transform` if no MAC ciphersuite is enabled")
2019-06-05 14:22:11 +01:00
Hanno Becker 2fa5e73d8d Modify existing X.509 test for also test new copyless API
The existing test `x509parse_crt()` for X.509 CRT parsing
so far used the generic parsing API `mbedtls_x509_crt_parse()`
capable of parsing both PEM encoded and DER encoded certficates,
but was actually only used with DER encoded input data. Moreover,
as the purpose of the test is the testing of the core DER X.509 parsing
functionality, not the PEM vs. DER dispatch (which is now already tested
in the various `x509_crt_info()` tests), the call can be replaced with a
direct call to `mbedtls_x509_parse_crt_der()`.

This commit does that, and further adds to the test an analogous
call to the new API `mbedtls_x509_parse_crt_der_nocopy()` to test
copyless parsing of X.509 certificates.
2019-06-05 13:16:55 +01:00
Hanno Becker d58b133276 Add test for mbedtls_x509_parse_file() with DER encoded CRT 2019-06-05 13:16:55 +01:00