Commit graph

2770 commits

Author SHA1 Message Date
Simon Butcher 76cf60beb3 Remove merge conflict marker in ssl-opt.sh
Commit 6346a75dfb introduced a merge conflict marker into ssl-opt.sh
by accident. This commit removes it.
2018-10-25 21:51:32 +01:00
Simon Butcher 169712e15a Merge remote-tracking branch 'restricted/pr/390' into development 2018-10-24 18:34:30 +01:00
Simon Butcher c774e32939 Merge remote-tracking branch 'restricted/pr/517' into development 2018-10-22 14:23:29 +01:00
Simon Butcher 837f821bc2 Merge remote-tracking branch 'public/pr/1990' into development 2018-10-22 14:22:56 +01:00
Manuel Pégourié-Gonnard bcedb92e7b Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted
* development:
  Add Jenkinsfile for PR job
2018-10-22 09:52:46 +02:00
Darryl Green b51e267bee Add Jenkinsfile for PR job 2018-10-19 15:25:10 +01:00
Hanno Becker 198611db32 Add missing return value check in ECDSA test suite
The test case `ecdsa_det_test_vectors` from the ECDSA test suite
called `mbedtls_md()` without checking its return value.
2018-10-17 13:58:19 +01:00
Hanno Becker 0fbbc64fee Add dependency of mbedtls_asn1_write_len() test on ASN.1 parsing 2018-10-16 13:48:23 +01:00
Hanno Becker 19d858e8e6 Add dependency of pkwrite test suite on pkparse module 2018-10-16 13:46:25 +01:00
Gilles Peskine 96f3b4ee42 Remove yotta support from check-files.py
Complements "Remove Yotta support from the docs, tests and build scripts".
2018-10-16 14:10:21 +02:00
Manuel Pégourié-Gonnard 7a28e99fa0 Expand test to ensure no assumption on output
The functions don't require the caller to preserve the content of the output
parameter - let's ensure that they don't assume that.
2018-10-16 11:22:45 +02:00
Manuel Pégourié-Gonnard 6346a75dfb Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted
* development:
  ssl-opt.sh: change expected output for large srv packet test with SSLv3
  Adapt ChangeLog
  Fix bug in SSL ticket implementation removing keys of age < 1s
  ssl-opt.sh: Add DTLS session resumption tests
  Add ChangeLog entry
  Fix typo
  Fix hmac_drbg failure in benchmark, with threading
  Remove trailing whitespace
  Remove trailing whitespace
  ssl_server2: add buffer overhead for a termination character
  Add missing large and small packet tests for ssl_server2
  Added buffer_size and response_size options for ssl-server2. Added appropriate tests.

Solving a conflict in tests/ssl-opt.sh: two set of tests were added at the
same place (just after large packets):
- restartable ECC tests (in this branch)
- server-side large packets (in development)

Resolution was to move the ECC tests after the newly added server large packet
ones.
2018-10-15 11:26:17 +02:00
Andrzej Kurek 9580528248 ssl-opt.sh: fix typo in mtu settings 2018-10-11 08:55:37 -04:00
Andrzej Kurek b459346f67 ssl-opt.sh: add a check for i686 targets
Run DTLS fragmenting tests on non-i686 targets only.
Remove reduntant gnutls requirements.
2018-10-11 08:43:30 -04:00
Andrzej Kurek 7782605491 ssl-opt.sh: add comments regarding ciphersuite forcing 2018-10-11 07:34:08 -04:00
Andrzej Kurek 7c6df832ed ssl-opt.sh: revert unnecessary "autoreduction" checks
return to the initial check for "resend"
2018-10-11 07:06:12 -04:00
Andrzej Kurek 7311c78074 ssl-opt.sh: force ciphersuites to reduce mtu size 2018-10-11 06:49:41 -04:00
Hanno Becker e5fecec7bf Add test for MBEDTLS_PLATFORM_{CALLOC/FREE}_MACRO to all.sh
This commit adds a test to tests/scripts/all.sh exercising an
ASan build of the default configuration with

MBEDTLS_PLATFORM_MEMORY enabled,
MBEDTLS_PLATFORM_CALLOC_MACRO set to std calloc
MBEDTLS_PLATFORM_FREE_MACRO   set to std free

(This should functionally be indistinguishable from a default build)
2018-10-11 11:04:20 +01:00
Darryl Green ac2ead0e68 Improve deterministic test for prime testing
Extend the mbedtls_mpi_is_prime_det test to check that it reports
the number as prime when testing rounds-1 rounds, then reports the
number as composite when testing the full number of rounds.
2018-10-09 16:36:53 +01:00
Janos Follath a0b67c2f3e Bignum: Deprecate mbedtls_mpi_is_prime()
When using a primality testing function the tolerable error rate depends
on the scheme in question, the required security strength and wether it
is used for key generation or parameter validation. To support all use
cases we need more flexibility than what the old API provides.
2018-10-09 16:36:53 +01:00
Janos Follath 64eca05ec2 Bignum: Add tests for primality testing
Primality tests have to deal with different distribution when generating
primes and when validating primes.
These new tests are testing if mbedtls_mpi_is_prime() is working
properly in the latter setting.

The new tests involve pseudoprimes with maximum number of
non-witnesses. The non-witnesses were generated by printing them
from mpi_miller_rabin(). The pseudoprimes were generated by the
following function:

void gen_monier( mbedtls_mpi* res, int nbits )
{
    mbedtls_mpi p_2x_plus_1, p_4x_plus_1, x, tmp;

    mbedtls_mpi_init( &p_2x_plus_1 );
    mbedtls_mpi_init( &p_4x_plus_1 );
    mbedtls_mpi_init( &x ); mbedtls_mpi_init( &tmp );

    do
    {
        mbedtls_mpi_gen_prime( &p_2x_plus_1, nbits >> 1, 0,
                               rnd_std_rand, NULL );
        mbedtls_mpi_sub_int( &x, &p_2x_plus_1, 1 );
        mbedtls_mpi_div_int( &x, &tmp, &x, 2 );

        if( mbedtls_mpi_get_bit( &x, 0 ) == 0 )
            continue;

        mbedtls_mpi_mul_int( &p_4x_plus_1, &x, 4 );
        mbedtls_mpi_add_int( &p_4x_plus_1, &p_4x_plus_1, 1 );

        if( mbedtls_mpi_is_prime( &p_4x_plus_1, rnd_std_rand,
                                  NULL ) == 0 )
            break;

    } while( 1 );

    mbedtls_mpi_mul_mpi( res, &p_2x_plus_1, &p_4x_plus_1 );
}
2018-10-09 16:36:53 +01:00
Janos Follath a3cb7eb8ad Bignum: Add test for improved prime generation 2018-10-09 16:33:27 +01:00
Andrzej Kurek 35f2f300ca ssl-opt.sh: change expected pattern from 'resend' to 'autoreduction' 2018-10-09 08:52:14 -04:00
Andrzej Kurek 0fc9cf40cf ssl-opt.sh: increase proxy mtu sizes to contain entire datagrams 2018-10-09 03:09:41 -04:00
Gilles Peskine 695a34654a Add tests for PKCS#1 v1.5 decoding
Functional tests for various payload sizes and output buffer sizes.

When the padding is bad or the plaintext is too large for the output
buffer, verify that function writes some outputs. This doesn't
validate that the implementation is time-constant, but it at least
validates that it doesn't just return early without outputting anything.
2018-10-08 11:13:21 +02:00
Simon Butcher 03de21059d Add additional test case for alternative CSR headers
Add a test case for alternative headers possible for CSR's, as defined in
RFC7468.
2018-10-06 17:19:31 +01:00
Andrzej Kurek 948fe80f42 ssl-opt.sh: adjust test timeouts to fit slower targets 2018-10-06 05:07:47 -04:00
Andrzej Kurek 52f8491dc2 ssl-opt.sh: adjust tests to fit slower targets
Adjust mtu sizes to be able to pass tests using a full configuration
2018-10-05 07:53:40 -04:00
Gilles Peskine 95c5575e12 check-files: exclude .git and third-party files
Exclude ".git" directories anywhere. This avoids spurious errors in git
checkouts that contain branch names that look like a file
check-files.py would check. Fix #1713

Exclude "mbed-os" anywhere and "examples" from the root. Switch to the
new mechanism to exclude "yotta/module". These are directories where
we store third-party files that do not need to match our preferences.

Exclude "cov-int" from the root. Fix #1691
2018-10-02 13:13:24 +02:00
Simon Butcher 6e3606e4f6 Fix run-test-suites.pl to screen for files
Changes run-test-suites.pl to filter out directories, and select only files
as on OSX, test coverage tests create .dSYM directories which were being
accidentally selected to execute.
2018-09-30 21:53:16 +01:00
Gilles Peskine 427df37f84 Don't try to disable ASLR
We don't need to disable ASLR, so don't try. If gdb tries but fails,
the test runs normally, but all.sh then trips up because it sees
`warning: Error disabling address space randomization: Operation not permitted`
and interprets it as an error that indicates a test failure.
2018-09-28 14:31:16 +02:00
Gilles Peskine 5c39d7a972 Remove redundant check in all.sh
test -s can't fail if the subsequent grep succeeds.
2018-09-28 14:31:16 +02:00
Gilles Peskine bd90a8c002 In keep-going mode, don't hard-fail on some tests
Add if_build_succeeded in front of the invocation of some test runs
where it was missing.
2018-09-28 14:31:16 +02:00
Jaeden Amero 65593d2ddd rsa: pss: Add no possible salt size tests
Add signing tests with 528-bit and 520-bit RSA keys with SHA-512. These
selections of key and hash size should lead to an error returned, as
there is not enough room for our chosen minimum salt size of two bytes
less than the hash size. These test the boundary around an available
salt length of 0 or -1 bytes.

The RSA keys were generated with OpenSSL 1.1.1-pre8.

    $ openssl genrsa 520
    Generating RSA private key, 520 bit long modulus (2 primes)
    .............++++++++++++
    .................++++++++++++
    e is 65537 (0x010001)
    -----BEGIN RSA PRIVATE KEY-----
    MIIBPwIBAAJCANWgb4bludh0KFQBZcqWb6iJOmLipZ0L/XYXeAuwOfkWWjc6jhGd
    B2b43lVnEPM/ZwGRU7rYIjd155fUUdSCBvO/AgMBAAECQgDOMq+zy6XZEjWi8D5q
    j05zpRGgRRiKP/qEtB6BWbZ7gUV9DDgZhD4FFsqfanwjWNG52LkM9D1OQmUOtGGq
    a9COwQIhD+6l9iIPrCkblQjsK6jtKB6zmu5NXcaTJUEGgW68cA7PAiENaJGHhcOq
    /jHqqi2NgVbc5kWUD/dzSkVzN6Ub0AvIiBECIQIeL2Gw1XSFYm1Fal/DbQNQUX/e
    /dnhc94X7s118wbScQIhAMPVgbDc//VurZ+155vYc9PjZlYe3QIAwlkLX3HYKkGx
    AiEND8ndKyhkc8jLGlh8aRP8r03zpDIiZNKqCKiijMWVRYQ=
    -----END RSA PRIVATE KEY-----

    $ openssl genrsa 528
    Generating RSA private key, 528 bit long modulus (2 primes)
    .........++++++++++++
    ....++++++++++++
    e is 65537 (0x010001)
    -----BEGIN RSA PRIVATE KEY-----
    MIIBQgIBAAJDAKJVTrpxW/ZuXs3z1tcY4+XZB+hmbnv1p2tBUQbgTrgn7EyyGZz/
    ZkkdRUGQggWapbVLDPXu9EQ0AvMEfAsObwJQgQIDAQABAkJhHVXvFjglElxnK7Rg
    lERq0k73yqfYQts4wCegTHrrkv3HzqWQVVi29mGLSXTqoQ45gzWZ5Ru5NKjkTjko
    YtWWIVECIgDScqoo7SCFrG3zwFxnGe7V3rYYr6LkykpvczC0MK1IZy0CIgDFeINr
    qycUXbndZvF0cLYtSmEA+MoN7fRX7jY5w7lZYyUCIUxyiOurEDhe5eY5B5gQbJlW
    ePHIw7S244lO3+9lC12U1QIhWgzQ8YKFObZcEejl5xGXIiQvBEBv89Y1fPu2YrUs
    iuS5AiFE64NJs8iI+zZxp72esKHPXq/chJ1BvhHsXI0y1OBK8m8=
    -----END RSA PRIVATE KEY-----
2018-09-27 18:23:08 +01:00
Jaeden Amero 80d99ea038 rsa: pss: Extend tests for variable salt length
Since we wish to generate RSASSA-PSS signatures even when hashes are
relatively large for the chosen RSA key size, we need some tests. Our
main focus will be on 1024-bit keys and the couple key sizes larger than
it. For example, we test for a signature generated using a salt length
of 63 when a 1032-bit key is used. Other tests check the boundary
conditions around other key sizes. We want to make sure we don't use a
salt length larger than the hash length (because FIPS 186-4 requires
this). We also want to make sure we don't use a salt that is too small
(no smaller than 2 bytes away from the hash length).

Test RSASSA-PSS signatures with:
 - 1024-bit key and SHA-512 (slen 62)
 - 1032-bit key and SHA-512 (slen 63)
 - 1040-bit key and SHA-512 (slen 64)
 - 1048-bit key and SHA-512 (slen 64)

The tests also verify that we can properly verify the RSASSA-PSS
signatures we've generated.

We've manually verified that OpenSSL 1.1.1-pre8 can verify the
RSASSA-PSS signatures we've generated.

    $ openssl rsa -in rsa1024.pem -pubout -out pub1024.pem
    writing RSA key
    $ openssl rsa -in rsa1032.pem -pubout -out pub1032.pem
    writing RSA key
    $ openssl rsa -in rsa1040.pem -pubout -out pub1040.pem
    writing RSA key
    $ openssl rsa -in rsa1048.pem -pubout -out pub1048.pem
    writing RSA key
    $ cat message.bin | openssl dgst -sha512 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:62 -verify pub1024.pem -signature valid1024.bin
    Verified OK
    $ cat message.bin | openssl dgst -sha512 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:63 -verify pub1032.pem -signature valid1032.bin
    Verified OK
    $ cat message.bin | openssl dgst -sha512 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:64 -verify pub1040.pem -signature valid1040.bin
    Verified OK
    $ cat message.bin | openssl dgst -sha512 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:64 -verify pub1048.pem -signature valid1048.bin
    Verified OK

We've also added a new test that ensures we can properly validate a
RSASSA-PSS 1032-bit signature with SHA-512 generated by OpenSSL. This
has been added as the "RSASSA-PSS Verify OpenSSL-generated Signature
1032-bit w/SHA-512" test. The signature to verify was generated with the
following command line.

    $ cat message.bin | openssl dgst -sha512 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:63 -sign rsa1032.pem > valid.bin

The RSA private keys used by these tests were generated with OpenSSL
1.1.1-pre8.

    $ openssl genrsa 1024
    Generating RSA private key, 1024 bit long modulus (2 primes)
    ........................................++++++
    ......++++++
    e is 65537 (0x010001)
    -----BEGIN RSA PRIVATE KEY-----
    MIICWwIBAAKBgQDDyYc1SFQ1kcH5R+QSwz2la50blKWML0EKimIOm08dkZdkPr9S
    f19isgK51noyZU0F8yapth4BBu/fSClnPE89I2VZluJCQFmRarR6pn5AbBKWeeWX
    nKRnCIZmCP+iH2GYQ7lZtEQuQiWYovqrVKjO8fExmSZ30s9byvK1Vk90GQIDAQAB
    AoGAG1BnO4i+rsaJ8DQWXoO8evJ7dZiUS+1fvo+1xGHodLCWFVcnq+O3M/avqKuC
    WruFNlpIv453ux7zogvYMt3YE+ny//kgh5gUh0O1mXPbZtF4gGxsqXdV13lMW9dK
    ZH2ltN94MwynrXl74m2P4uCHWIHLE9+ZyWRzwH/c/o1E4n0CQQDo+VpxbBJ9UUfc
    wkGnwf6NVIez6LbpXkioMzTSHQDHmtCpDimUHAxTBlsgBZ3pXp5AYGFBb3rBLtyh
    mDue4ozDAkEA1yNIspfn5dxDKfarh0sXmCWE4KtDF0Bwqb6YPA8EAyDW+JPEDScX
    yzBEOAyzIwtxM2IescVaPqVtDnzuaUtd8wJAdOP3XwUsWbgYaEkHDBank12gIMJY
    U8q8hbf7fpiStZOVsdyrO+a+wEFmIzDuRBL3L7Gr2lsGqjrK9EEfWN6uZQJAOJml
    1Ka2cfkDCpVFB3EwIe0tClbEbeecPGxSbOqeaZxIMlnd6H/yeJiYOg7NSlkGTThx
    Tt/XIEgxavBfYQBdFQJAMFmLr9DL5lWAZNAHspJ8R5NdoOcsrKV9tb24cu0YapuZ
    rSPwmebskHyinvoBsD2CthUtpSo3NE+xZ6HcfYca9w==
    -----END RSA PRIVATE KEY-----

    $ openssl genrsa 1032
    Generating RSA private key, 1032 bit long modulus (2 primes)
    ....................++++++
    .................................++++++
    e is 65537 (0x010001)
    -----BEGIN RSA PRIVATE KEY-----
    MIICYAIBAAKBggCqlKuRtMJr4lfkaVKCKMSwtrTJnnOoSicrMQGJLAdAaRE3K4Ps
    SnuBkfC6S0y0yztzIHTpbGaCl+EyO4rQgip+FRGC3vA4caZqR7cEuShFxhlBQtTu
    2hmQPgQENYH3qDXcKIEXhj0hlEw67e1RhFjxowpBx2OKpOCYqI/fLCCXJw0CAwEA
    AQKBgWcY+CFWePOvl6OrrHySm16a7uW06P5b4xSNx/naLH/XgNoxaMiVs9P6Gt7d
    x/y1oLbSdRbnt4VSun8b0ah4I6qEyk3MdfiNnhy24LlCuv0TOLbQVibjH+5Q+iP2
    995ssUrkfPa/QAA95nPVaDhcsATSh32JagE0rkItukalyc/IGQJBDfrttwmtohBS
    I+XndkpfMdB656N73HtKVsJJnhFzFHvNyxZbj7AaJSgZDLaHRlapNkkYmPyjMNuK
    9antVBcmjtcCQQwznFZ5epDGQSklYNDvZ19xrCyZ/KumJgw45PFn39F563qeJV+b
    28VJ5BgfmioZsfMKgLKS1e8a11ueZY6qb7C7AkEExSw7mmfOtrbwXNAfwry8qKBn
    TZdD4iW5eM3Zy6ZyxNOxik1vt+0T5Jy3g8igrY1LYqGsAfhFAYRm0raSTNvxPQJB
    AUcOIYfKq4n2nKZLQtUuT7IJQwpEiHx3E2SJpDUqHDbVzxrr8tzQ4BFijpwQekQC
    e94np4r0V3rJ/c/R9mQmGa0CQQrd2veAgj1F7Rma7zE4vYhvCf0XB1rshw972xGo
    BTAU4BagC7/vht1YXhhdz1FC36DrWm3veTwLLuNUQTJWsYIH
    -----END RSA PRIVATE KEY-----

    $ openssl genkey 1040
    Generating RSA private key, 1040 bit long modulus
    ........++++++
    ........++++++
    e is 65537 (0x10001)
    -----BEGIN RSA PRIVATE KEY-----
    MIICZgIBAAKBgwDSNAU4Ix3NWmHt+Dq5Sy5LOnhDlMTtNaQkwFDClBV7diX5rKgl
    jCHi0Keqm3ydtXZATmMJDbpQ2Zj5o+xysaXPKNgyUauTNBx9LBqQQD1w9nvBqeQT
    vGL6zMtSRB4kw/K8n97KGngwEucLlSgXYmBYDE4QJsWCCejcxN478/W+VWXpAgMB
    AAECgYMAutjQ1uCoKhSwPgbLtE92vBoiMvh3v99Ro/VrFDrriY4xHWlzIcUZjfMp
    Rsblk45sqabD85VHS3zQtP8YO69bkvK+r5upGfzLtzX8r5BVuO1+7oO+/jbRHLYJ
    ieBoFZbUc27YcKzR35Iv78d+KjygYIsWgt7W2Yqf6qt98r43WcrYsQJCAPx/S0kL
    TT73Kdsj+1r7tfL8YgpHI0LYuP8xDP3BJL523CKrb0vjWjjd0x8k1/ZNMQ9nqzo3
    XoP04FWeTLXcQ+h1AkIA1R6GgKtx3AHhqKaKKYY2uxZYz6uNc85SimJpdyLUhauQ
    za/F4ndot2GDn/k0IEWK5V8VppRl28DHtSTcmjhf+SUCQT4RVIJaItztiP5zc+BD
    q9BVNgxsvEA8Yg1pE1Z1WgDv2uEy3yL6ej0sWi93sRa8lujAhRjEb5lkYpjpVtYF
    lTPZAkIAlt1yB3nWMxEd5l5mZbi927iZDAF8M+N1aML7t7tvSGTIL+LjKUqwVUhx
    ffhSXxn7lh22XOKmLGcOuHussnt/7QUCQS2GWdSBu7DGZ5uIvZVj+5KPTwv3Pw9+
    uuj12Z3shojl1iVije7nsBK1q3NbrXksEiQ4QJIoK2V2quqD58O2/K8T
    -----END RSA PRIVATE KEY-----

    $ openssl genrsa 1048
    Generating RSA private key, 1048 bit long modulus (2 primes)
    ...............................++++++
    .++++++
    e is 65537 (0x010001)
    -----BEGIN RSA PRIVATE KEY-----
    MIICaQIBAAKBhADHXQ+foX0dJLk5U3pDQBfzkMZgRETDWhM2DWsfyYa69AFZuEJ1
    03uIMnjfUGTdnrDymw0yWsx5DEtZZyc32786y4j14vLVTJGcr9ByJyxJRZHVLhWJ
    kzFeceLKYLHHT+/489d4QrQV1OcXNKSYIGpc2TFch7I+WD4l60ypcFa0XJaFbQID
    AQABAoGDSqKtUa6sXze7XBnDYN/i151wluOX9qaHIKo/W4Qfu2fUBZm0z9Wfnqp+
    k+PODyX0yq5/b0WM3RhcMRksFn5fBgzYHEmAj8IHhDsjavNtiv8nIl6EF2PfuT1p
    6iEpo8IS15dp6j5AKH4Zmnq6TRYiqdaz/ry/kpQrmeJym83KksujZWUCQg85t5gJ
    UWvswuNIG2tHWEqiKZvSAnq4owO53lsK3LSl04447bjB+sPqHb1+HVC4QyPjYs/0
    3z9aUYLa+pu5IXpz1wJCDRgWT4vQ1Y0BmZjIyxfEwDVOYripRirMowgWiU+YLCrh
    FOc5k+MGmJMEN7TuxErewk0yzLy658xMn4kRseshAGhbAkIBClKPIuPbWfwfB4hI
    FkHkJ5xsNzdQJ1mMIaEd22olNcd0ylMD8s0tocuSbRGXuF9uDlVsHDE85PD43fmN
    tmKhOVUCQgG6H5c2VcEU7BUaNcGzzNudLE2RFaKPmpYWRwKtYODSdwWOyeVbmE8f
    dPrz/lodlewCyqR+cBiKtcCFD7Rr0tp+6QJCALZlz954leZ6UKkdeOiTb+fVFpsq
    DNNALCL4VJ7XcJJMpjgSKYv9sr1C43nifr1M4YDH+B3NFRF+FWdVodaseOKF
    -----END RSA PRIVATE KEY-----
2018-09-27 18:23:08 +01:00
Jaeden Amero 3725bb2d6d rsa: pss: Enable use of big hashes with small keys
It should be valid to RSASSA-PSS sign a SHA-512 hash with a 1024-bit or
1032-bit RSA key, but with the salt size being always equal to the hash
size, this isn't possible: the key is too small.

To enable use of hashes that are relatively large compared to the key
size, allow reducing the salt size to no less than the hash size minus 2
bytes. We don't allow salt sizes smaller than the hash size minus 2
bytes because that too significantly changes the security guarantees the
library provides compared to the previous implementation which always
used a salt size equal to the hash size. The new calculated salt size
remains compliant with FIPS 186-4.

We also need to update the "hash too large" test, since we now reduce
the salt size when certain key sizes are used. We used to not support
1024-bit keys with SHA-512, but now we support this by reducing the salt
size to 62. Update the "hash too large" test to use a 1016-bit RSA key
with SHA-512, which still has too large of a hash because we will not
reduce the salt size further than 2 bytes shorter than the hash size.

The RSA private key used for the test was generated using "openssl
genrsa 1016" using OpenSSL 1.1.1-pre8.

    $ openssl genrsa 1016
    Generating RSA private key, 1016 bit long modulus (2 primes)
    ..............++++++
    ....++++++
    e is 65537 (0x010001)
    -----BEGIN RSA PRIVATE KEY-----
    MIICVwIBAAKBgACu54dKTbLxUQBEQF2ynxTfDze7z2H8vMmUo9McqvhYp0zI8qQK
    yanOeqmgaA9iz52NS4JxFFM/2/hvFvyd/ly/hX2GE1UZpGEf/FnLdHOGFhmnjj7D
    FHFegEz/gtbzLp9X3fOQVjYpiDvTT0Do20EyCbFRzul9gXpdZcfaVHNLAgMBAAEC
    gYAAiWht2ksmnP01B2nF8tGV1RQghhUL90Hd4D/AWFJdX1C4O1qc07jRBd1KLDH0
    fH19WocLCImeSZooGCZn+jveTuaEH14w6I0EfnpKDcpWVAoIP6I8eSdAttrnTyTn
    Y7VgPrcobyq4WkCVCD/jLUbn97CneF7EHNspXGMTvorMeQJADjy2hF5SginhnPsk
    YR5oWawc6n01mStuLnloI8Uq/6A0AOQoMPkGl/CESZw+NYfe/BnnSeckM917cMKL
    DIKAtwJADEj55Frjj9tKUUO+N9eaEM1PH5eC7yakhIpESccs/XEsaDUIGHNjhctK
    mrbbWu+OlsVRA5z8yJFYIa7gae1mDQJABjtQ8JOQreTDGkFbZR84MbgCWClCIq89
    5R3DFZUiAw4OdS1o4ja+Shc+8DFxkWDNm6+C63g/Amy5sVuWHX2p9QI/a69Cxmns
    TxHoXm1w9Azublk7N7DgB26yqxlTfWJo+ysOFmLEk47g0ekoCwLPxkwXlYIEoad2
    JqPh418DwYExAkACcqrd9+rfxtrbCbTXHEizW7aHR+fVOr9lpXXDEZTlDJ57sRkS
    SpjXbAmylqQuKLqH8h/72RbiP36kEm5ptmw2
    -----END RSA PRIVATE KEY-----
2018-09-27 18:23:08 +01:00
Simon Butcher 0592ea772a Merge remote-tracking branch 'public/pr/1140' into development 2018-09-27 11:37:42 +01:00
Simon Butcher c86993e33c Merge remote-tracking branch 'public/pr/1970' into development 2018-09-27 09:48:54 +01:00
Simon Butcher 3ad2efdc82 Remove Yotta support from the docs, tests and build scripts
Yotta is no longer supported by Mbed TLS, so has been removed. Specifically, the
following changes have been made:
 * references to yotta have been removed from the main readme and build
   instructions
 * the yotta module directory and build script has been removed
 * yotta has been removed from test scripts such as all.sh and check-names.sh
 * yotta has been removed from other files that that referenced it such as the
   doxyfile and the bn_mul.h header
 * yotta specific configurations and references have been removed from config.h
2018-09-26 17:55:09 +01:00
Gilles Peskine 487cdf5516 In keep-going mode, don't hard-fail on some auxiliary script
Add record_status in front of the invocation of several scripts where
it was missing.
2018-09-26 16:50:38 +02:00
Gilles Peskine 2561a50ea4 Fix "make WINDOWS_BUILD=1 clean" on non-Windows hosts
The clean rule was not using the correct names for the compiled
executable files.
2018-09-26 16:50:31 +02:00
Janos Follath 7c025a9f50 Generalize dh_flag in mbedtls_mpi_gen_prime
Setting the dh_flag to 1 used to indicate that the caller requests safe
primes from mbedtls_mpi_gen_prime. We generalize the functionality to
make room for more flags in that parameter.
2018-09-21 16:30:07 +01:00
Manuel Pégourié-Gonnard 125af948c3 Merge branch 'development-restricted' into iotssl-1260-non-blocking-ecc-restricted
* development-restricted: (578 commits)
  Update library version number to 2.13.1
  Don't define _POSIX_C_SOURCE in header file
  Don't declare and define gmtime()-mutex on Windows platforms
  Correct preprocessor guards determining use of gmtime()
  Correct documentation of mbedtls_platform_gmtime_r()
  Correct typo in documentation of mbedtls_platform_gmtime_r()
  Correct POSIX version check to determine presence of gmtime_r()
  Improve documentation of mbedtls_platform_gmtime_r()
  platform_utils.{c/h} -> platform_util.{c/h}
  Don't include platform_time.h if !MBEDTLS_HAVE_TIME
  Improve wording of documentation of MBEDTLS_PLATFORM_GMTIME_R_ALT
  Fix typo in documentation of MBEDTLS_PLATFORM_GMTIME_R_ALT
  Replace 'thread safe' by 'thread-safe' in the documentation
  Improve documentation of MBEDTLS_HAVE_TIME_DATE
  ChangeLog: Add missing renamings gmtime -> gmtime_r
  Improve documentation of MBEDTLS_HAVE_TIME_DATE
  Minor documentation improvements
  Style: Add missing period in documentation in threading.h
  Rename mbedtls_platform_gmtime() to mbedtls_platform_gmtime_r()
  Guard decl and use of gmtime mutex by HAVE_TIME_DATE and !GMTIME_ALT
  ...
2018-09-11 12:39:14 +02:00
Simon Butcher 53546ea099 Update library version number to 2.13.1 2018-09-06 19:10:26 +01:00
Manuel Pégourié-Gonnard 82986c1015 Disable 3d test with no good openssl version
While these tests and the issue with it are pre-existing:
- we previously didn't understand that the issue was an openssl bug
- failures seem to have become more frequent since the recent changes

So let's disable these fragile tests in order to get a clean CI. We still have
the tests against gnutls-serv for interop testing.
2018-09-03 10:50:21 +02:00
Manuel Pégourié-Gonnard c1eda67fac Disable fragmentation tests with openssl bugs
While making the initial commit, I thought $OPENSSL_LEGACY was not affect by
this bug, but it turns out I was wrong. All versions of OpenSSL installed on
the CI are. Therefore, the corresponding tests are disabled for the same
reason as the gnutls-cli tests above it.

This commit is only about the tests that were added in the recent
fragmentation work. One of those two tests had a particularly
annoying mode of failure: it failed consistently with seed=1 (use in the
release version of all.sh), once #1951 was applied. This has nothing
particular to do with #1951, except that by changing retransmission behaviour
1951 made the proxy run into a path that triggered the OpenSSL bug with this
seed, while it previously did that only with other seeds.

Other 3d interop test are also susceptible to triggering this OpenSSL bug or
others (or bugs in GnuTLS), but they are left untouched by this commit as:
- they were pre-existing to the recent DTLS branches;
- they don't seem to have the particularly annoying seed=1 mode of failure.
However it's probably desirable to do something about them at some point in
the future.
2018-09-03 10:49:35 +02:00
Simon Butcher 4d075cd7d0 Update library version number to 2.13.0 2018-08-31 15:59:10 +01:00
Simon Butcher 552754a6ee Merge remote-tracking branch 'public/pr/1988' into development 2018-08-30 00:57:28 +01:00
Simon Butcher 68dbc94720 Merge remote-tracking branch 'public/pr/1951' into development 2018-08-30 00:56:56 +01:00
Simon Butcher e50128a692 Merge remote-tracking branch 'public/pr/1994' into development 2018-08-30 00:56:18 +01:00
Nir Sonnenschein acedc91f8f Fix build issue on clang 2018-08-29 23:57:45 +03:00
Nir Sonnenschein 85fcb58997 Refactor test code for CTR DRBG to clarify test functions
previously a single function was used for most test cases (ctr_drbg_validate) making it harder to understand what the exact scenario is as a result it was split into easier to understand functions.
2018-08-29 23:38:57 +03:00
Hanno Becker 108992e776 Add MTU auto-reduction test with valgrind 2018-08-29 17:19:09 +01:00
Hanno Becker 37029ebc63 Skip MTU auto-reduction test when running valgrind 2018-08-29 17:19:06 +01:00
Nir Sonnenschein 6275be3483 Re-factor test functions and add support for data_t parameters
the testing functions were re-factored so that the common code was extracted to a single static function (removing the need for unclear goto statements).
As part of the re-factor the test functions now use data_t for parameters (support for this was introduced in previous rebase),
2018-08-29 10:25:30 +03:00
Nir Sonnenschein ce266e4ca2 use single define for 128bit key for ctr_drbg and update test dependencies
the change is designed to make configuring 128bit keys for ctr_drbg more similar to other configuration options. Tests have been updated accordingly.
also clarified test naming.
2018-08-29 10:11:46 +03:00
Hanno Becker 39b8bc9aef Change wording of debug message 2018-08-28 17:52:49 +01:00
Hanno Becker 7c48dd11db ssl-opt.sh: Add function extracting val or default val from config.h 2018-08-28 16:09:22 +01:00
Hanno Becker dc1e950170 DTLS reordering: Add test for buffering a proper fragment
This commit adds a test to ssl-opt.sh which exercises the behavior
of the library in the situation where a single proper fragment
of a future handshake message is received prior to the next
expected handshake message (concretely, the client receives
the first fragment of the server's Certificate message prior
to the server's ServerHello).
2018-08-28 16:02:33 +01:00
Simon Butcher 14dac0953e Merge remote-tracking branch 'public/pr/1918' into development 2018-08-28 12:21:41 +01:00
Simon Butcher 1846e406c8 Merge remote-tracking branch 'public/pr/1939' into development 2018-08-28 12:19:56 +01:00
Simon Butcher 9598845d11 Merge remote-tracking branch 'public/pr/1955' into development 2018-08-28 12:00:18 +01:00
Hanno Becker e604556feb ssl-opt.sh: Don't hardcode varname in requires_config_value_xxx() 2018-08-28 11:24:55 +01:00
Hanno Becker b841b4f107 ssl-opt.sh: Remove reference to Github issue 2018-08-28 10:25:51 +01:00
Hanno Becker 3b8b40c16d ssl-opt.sh: Add function to skip next test 2018-08-28 10:25:41 +01:00
Simon Butcher 6f032a60c9 Merge remote-tracking branch 'public/pr/1963' into development 2018-08-28 10:21:06 +01:00
Simon Butcher badeb07872 Merge remote-tracking branch 'public/pr/1967' into development 2018-08-28 10:20:23 +01:00
Hanno Becker b9a0086975 ssl-opt.sh: Explain use of --insecure in GnuTLS client tests 2018-08-28 10:20:22 +01:00
Andrzej Kurek 6a4f224ac3 ssl-opt.sh: change expected output for large srv packet test with SSLv3
This test also exercises a protection against BEAST
and should expect message splitting.
2018-08-27 08:00:13 -04:00
Hanno Becker 2f5aa4c64e all.sh: Add builds allowing to test dropping buffered messages
This commit adds two builds to all.sh which use a value of
MBEDTLS_SSL_DTLS_MAX_BUFFERING that allows to run the
reordering tests in ssl-opt.sh introduced in the last commit.
2018-08-24 14:48:11 +01:00
Hanno Becker a1adcca1da ssl-opt.sh: Add tests exercising freeing of buffered messages
This commit adds tests to ssl-opt.sh which trigger code-paths
responsible for freeing future buffered messages when the buffering
limitations set by MBEDTLS_SSL_DTLS_MAX_BUFFERING don't allow the
next expected message to be reassembled.

These tests only work for very specific ranges of
MBEDTLS_SSL_DTLS_MAX_BUFFERING and will therefore be skipped
on a run of ssl-opt.sh in ordinary configurations.
2018-08-24 14:48:11 +01:00
Hanno Becker 5cd017f931 ssl-opt.sh: Allow numerical constraints for tests
This commit adds functions requires_config_value_at_most()
and requires_config_value_at_least() which can be used to
only run tests when a numerical value from config.h
(e.g. MBEDTLS_SSL_IN_CONTENT_LEN) is within a certain range.
2018-08-24 14:48:11 +01:00
Hanno Becker 0e96585bdd Merge branch 'datagram_packing' into message_reordering 2018-08-24 12:16:41 +01:00
Hanno Becker 69ca0ad5c4 ssl-opt.sh: Remove wrong test exercising MTU implications of MFL
The negotiated MFL is always the one suggested by the client, even
if the server has a smaller MFL configured locally. Hence, in the test
where the client asks for an MFL of 4096 bytes while the server locally
has an MFL of 512 bytes configured, the client will still send datagrams
of up to ~4K size.
2018-08-24 12:14:00 +01:00
Hanno Becker 6b6f602174 Merge branch 'iotssl-165-dtls-hs-fragmentation-new' into datagram_packing 2018-08-24 11:55:03 +01:00
Hanno Becker c92b5c8a0d ssl-opt.sh: Add tests checking that MFL implies bounds on MTU
This commit introduces some tests to ssl-opt.sh checking that
setting the MFL limits the MTU to MFL + { Maximum Record Expansion }.
2018-08-24 11:48:01 +01:00
Manuel Pégourié-Gonnard 34aa187df6 Force IPv4 for gnutls-cli DTLS tests
Depending on the settings of the local machine, gnutls-cli will either try
IPv4 or IPv6 when trying to connect to localhost. With TLS, whatever it tries
first, it will notice if any failure happens and try the other protocol if
necessary. With DTLS it can't do that. Unfortunately for now there isn't
really any good way to specify an address and hostname independently, though
that might come soon: https://gitlab.com/gnutls/gnutls/issues/344

A work around is to specify an address directly and then use --insecure to
ignore certificate hostname mismatch; that is OK for tests that are completely
unrelated to certificate verification (such as the recent fragmenting tests)
but unacceptable for others.

For that reason, don't specify a default hostname for gnutls-cli, but instead
let each test choose between `--insecure 127.0.0.1` and `localhost` (or
`--insecure '::1'` if desired).

Alternatives include:
- having test certificates with 127.0.0.1 as the hostname, but having an IP as
  the CN is unusual, and we would need to change our test certs;
- have our server open two sockets under the hood and listen on both IPv4 and
  IPv6 (that's what gnutls-serv does, and IMO it's a good thing) but that
obviously requires development and testing (esp. for windows compatibility)
- wait for a newer version of GnuTLS to be released, install it on the CI and
  developer machines, and use that in all tests - quite satisfying but can't
be done now (and puts stronger requirements on test environment).
2018-08-23 19:07:15 +02:00
Hanno Becker 3546201dbc Merge branch 'datagram_packing' into message_reordering 2018-08-22 10:25:40 +01:00
Hanno Becker a67dee256d Merge branch 'iotssl-2402-basic-pmtu-adaptation' into datagram_packing 2018-08-22 10:06:38 +01:00
Manuel Pégourié-Gonnard b8eec192f6 Implement PMTU auto-reduction in handshake 2018-08-22 10:50:30 +02:00
Hanno Becker 170e2d89da Merge branch 'iotssl-165-dtls-hs-fragmentation-new' into datagram_packing 2018-08-22 09:44:54 +01:00
Manuel Pégourié-Gonnard c1d54b74ec Add tests with non-blocking I/O
Make sure we behave properly when f_send() or f_recv() return
MBEDTLS_ERR_SSL_WANT_{WRITE,READ}.
2018-08-22 10:02:59 +02:00
Manuel Pégourié-Gonnard 3d183cefb5 Allow client-side resend in proxy MTU tests
From Hanno:
When a server replies to a cookieless ClientHello with a HelloVerifyRequest,
it is supposed to reset the connection and wait for a subsequent ClientHello
which includes the cookie from the HelloVerifyRequest.
In testing environments, it might happen that the reset of the server
takes longer than for the client to replying to the HelloVerifyRequest
with the ClientHello+Cookie. In this case, the ClientHello gets lost
and the client will need retransmit. This may happen even if the underlying
datagram transport is reliable.
2018-08-22 09:56:22 +02:00
Hanno Becker 1d7399351e ssl-opt.sh: Add DTLS session resumption tests
Fixes #1969.
2018-08-21 17:48:42 +01:00
Hanno Becker 903ee3d363 Merge branch 'datagram_packing' into message_reordering 2018-08-21 17:24:17 +01:00
Hanno Becker 175cb8fc69 ssl-opt.sh: Allow resend in DTLS session resumption tests, cont'd
This commit continues commit 47db877 by removing resend guards in the
ssl-opt.sh tests 'DTLS fragmenting: proxy MTU, XXX' which sometimes made
the tests fail in case the log showed a resend from the client.

See 47db877 for more information.
2018-08-21 17:00:10 +01:00
Hanno Becker e35670528b ssl-opt.sh: Add test for reassembly after reordering 2018-08-21 16:50:43 +01:00
Nir Sonnenschein aecf8c941a adding more ctr_drbg test vectors (CAVP 14.3)
addtional test vectors add tests for both AES-256
and AES-128 variants of ctr_drbg
2018-08-21 18:05:13 +03:00
Gilles Peskine e4b77b9639 ctr_drbg: add a few test vectors from CAVP 14.3
These test vectors are from
https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/drbg/drbgtestvectors.zip
2018-08-21 18:05:08 +03:00
Gilles Peskine cfc1de766b ctr_drbg: sample vectors from NIST
Test vectors from
https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/CTR_DRBG_withDF.pdf
2018-08-21 18:05:02 +03:00
Gilles Peskine 5ef5a9aeb4 ctr_drbg tests: unify validate functions
Unify the three existing validation functions (with prediction
resistance, with manual reseeding between generations, and with no
reseeding) into a single function that supports these three scenarios
plus a fourth one (reseed before the first generation).

The four supported scenarios cover the three scenarios from the
current CAVP test vectors (no reseed, reseed before generating,
prediction resistance) plus a fourth scenario used by the existing
test vectors (reseed after generating).

(cherry picked from commit cee9bedee6bc1a8e2b22fa8a31647b62ebb8a0a4)
2018-08-21 18:04:45 +03:00
Gilles Peskine 4c78665ccd ctr_drbg tests: new validation function that doesn't reseed
This is one of the test scenarios from the CAVP test vectors.
2018-08-21 18:03:31 +03:00
Gilles Peskine ef0624f791 ctr_drbg tests: make input sizes flexible
The ctr_drbg_validate_xxx test functions had hard-coded sizes for the
entropy and the output size. Generalize the sizes.

Keep track of the current entropy size.

Unhexify the expected output and compare with the actual output,
rather than hexifying the actual output and comparing the hex.
2018-08-21 18:02:03 +03:00
Gilles Peskine ed7da59798 ctr_drbg: add comments relating the code with the NIST specification 2018-08-21 17:55:46 +03:00
Nir Sonnenschein c9547cc23b add NIST test vector for 128 bit keys (not passing yet). 2018-08-21 17:53:25 +03:00
Hanno Becker 5bcf2b081f ssl-opt.sh: Allow spurious resend in DTLS session resumption test
When a server replies to a cookieless ClientHello with a HelloVerifyRequest,
it is supposed to reset the connection and wait for a subsequent ClientHello
which includes the cookie from the HelloVerifyRequest.
In testing environments, it might happen that the reset of the server
takes longer than for the client to replying to the HelloVerifyRequest
with the ClientHello+Cookie. In this case, the ClientHello gets lost
and the client will need retransmit. This may happen even if the underlying
datagram transport is reliable.

This commit removes a guard in the ssl-opt.sh test
'DTLS fragmenting: proxy MTU, resumed handshake' which made
the test fail in case the log showed a resend from the client.
2018-08-21 15:04:22 +01:00
Ron Eldor 6b13afe1a5 Fix indentation
Fix indentation in the test.
2018-08-21 16:11:13 +03:00
Manuel Pégourié-Gonnard 2f2d9020cd Add delay in test to avoid race condition
We previously observed random-looking failures from this test. I think they
were caused by a race condition where the client tries to reconnect while the
server is still closing the connection and has not yet returned to an
accepting state. In that case, the server would fail to see and reply to the
ClientHello, and the client would have to resend it.

I believe logs of failing runs are compatible with this interpretation:
- the proxy logs show the new ClientHello and the server's closing Alert are
  sent the same millisecond.
- the client logs show the server's closing Alert is received after the new
  handshake has been started (discarding message from wrong epoch).

The attempted fix is for the client to wait a bit before reconnecting, which
should vastly enhance the probability of the server reaching its accepting
state before the client tries to reconnect. The value of 1 second is arbitrary
but should be more than enough even on loaded machines.

The test was run locally 100 times in a row on a slightly loaded machine (an
instance of all.sh running in parallel) without any failure after this fix.
2018-08-21 12:17:54 +02:00
Manuel Pégourié-Gonnard 6151298395 Add missing requires_gnutls guards 2018-08-21 09:40:07 +02:00
Ron Eldor 9434713368 Move the assertion
Move the assertion for checking the heap allocatino succeeded.
2018-08-20 14:59:33 +03:00
Hanno Becker 6aeaa05a95 Merge branch 'iotssl-165-dtls-hs-fragmentation-new' into datagram_packing 2018-08-20 12:53:37 +01:00
Hanno Becker f362c297fa ssl-opt.sh Add dependency on gnutls in two fragmentation tests 2018-08-20 12:40:23 +01:00
Hanno Becker 7be2e5bb16 ssl-opt.sh: Preserve proxy log, too, if --preserve-logs is specified 2018-08-20 12:23:37 +01:00
Hanno Becker 4e1a9c17f2 ssl-opt.sh: Preserve proxy log, too, if --preserve-logs is specified 2018-08-20 12:22:09 +01:00
Manuel Pégourié-Gonnard 4532329397 Add proxy-enforcement to a MTU test 2018-08-20 11:52:24 +02:00
Hanno Becker 9829315235 Add missing dependency in ssl-opt.sh 2018-08-20 11:18:34 +02:00
Hanno Becker 58e9dc3d4b Allow GNUTLS_NEXT_CLI / GNUTLS_NEXT_SERV to be unset in ssl-opt.sh 2018-08-20 11:18:15 +02:00
Manuel Pégourié-Gonnard 02f3a8a921 Adjust timeout values for 3d test
Use the same values as other 3d tests: this makes the test hopefully a bit
faster than the default values, while not increasing the failure rate.

While at it:
- adjust "needs_more_time" setting for 3d interop tests (we can't set the
  timeout values for other implementations, so the test might be slow)
- fix some supposedly DTLS 1.0 test that were using dtls1_2 on the command
  line
2018-08-20 10:54:25 +02:00
Hanno Becker 56cdfd1e29 Refine reordering tests
Now that the UDP proxy has the ability to delay specific
handshake message on the client and server side, use
this to rewrite the reordering tests and thereby make
them independent on the choice of PRNG used by the proxy
(which is not stable across platforms).
2018-08-17 16:52:08 +01:00
Hanno Becker 872730481d Disable datagram packing in reordering tests 2018-08-17 16:52:08 +01:00
Hanno Becker b34149c00f Add test for buffering of record from next epoch 2018-08-17 16:52:08 +01:00
Hanno Becker e38422107e Add test for reordering of handshake messages 2018-08-17 16:52:08 +01:00
Hanno Becker aa5d0c4493 Add test for buffering out-of-order CCS 2018-08-17 16:52:08 +01:00
Hanno Becker 4a9d006f5f Add missing dependency in ssl-opt.sh 2018-08-17 16:10:47 +01:00
Hanno Becker bc73e4a822 Allow GNUTLS_NEXT_CLI / GNUTLS_NEXT_SERV to be unset in ssl-opt.sh 2018-08-17 15:53:21 +01:00
Hanno Becker 7ae8a76ced Add tests for datagram packing option to ssl-opt.sh
This commit adds four tests to ssl-opt.sh running default
DTLS client and server with and without datagram packing
enabled, and checking that datagram packing is / is not
used by inspecting the debug output.
2018-08-17 15:51:24 +01:00
Hanno Becker 1c9a24ce8c Disable datagram packing for various UDP proxy tests
The UDP proxy does currently not dissect datagrams into records,
an hence the coverage of the reordering, package loss and duplication
tests is much smaller if datagram packing is in use.

This commit disables datagram packing for most UDP proxy tests,
in particular all 3D (drop, duplicate, delay) tests.
2018-08-17 15:51:21 +01:00
Hanno Becker c4305238b5 Re-enable delayed CCS test
Now that datagram packing can be dynamically configured,
the test exercising the behavior of Mbed TLS when facing
an out-of-order CCS message can be re-introduced, disabling
datagram packing for the sender of the delayed CCS.
2018-08-17 15:45:45 +01:00
Hanno Becker 12405e76b5 Increase max_frag_len / MTU in fragmentation ref tests
The tests "DTLS fragmenting: none (for reference)" and
"DTLS fragmenting: none (for reference) (MTU)" used a
maximum fragment length resp. MTU value of 2048 which
was meant to be large enough so that fragmentation
of the certificate message would not be necessary.
However, it is not large enough to hold the entire flight
to which the certificate belongs, and hence there will
be fragmentation as soon as datagram packing is used.

This commit increases the maximum fragment length resp.
MTU values to 4096 bytes to ensure that even with datagram
packing in place, no fragmentation is necessary.

A similar change was made in "DTLS fragmenting: client (MTU)".
2018-08-17 15:45:19 +01:00
Hanno Becker 111fa497aa TEST-ONLY: Remove delayed CCS test
The test exercising a delayed CCS message is not
expected to work when datagram packing is used,
as the current UDP proxy is not able to recognize
records which are not at the beginning of a
datagram.
2018-08-17 15:44:37 +01:00
Manuel Pégourié-Gonnard 38110dfc0e Add interop test with unreliable connection
Adds a requirement for GNUTLS_NEXT (3.5.3 or above, in practice we should
install 3.6.3) on the CI.

See internal ref IOTSSL-2401 for analysis of the bugs and their impact on the
tests.
2018-08-17 12:44:54 +02:00
Hanno Becker d26bb2090f Add tests for empty CA list in CertificateRequest, TLS 1.0 & 1.1 2018-08-17 09:57:36 +01:00
Manuel Pégourié-Gonnard 0794d49566 Skip some tests with valgrind (spurious resend) 2018-08-17 10:54:24 +02:00
Manuel Pégourié-Gonnard 1218bc0f74 Add simple interop tests (reliable connection) 2018-08-17 10:51:26 +02:00
Jaeden Amero aa9f3fd6b1 Merge remote-tracking branch 'upstream-public/pr/930' into development 2018-08-16 15:29:58 +01:00
Manuel Pégourié-Gonnard 2d56f0d346 Add test with unreliable connection 2018-08-16 11:09:03 +02:00
Manuel Pégourié-Gonnard 19c62f90e4 Add test for session resumption 2018-08-16 10:50:39 +02:00
Manuel Pégourié-Gonnard 72c2707d9c Add tests for MTU with renegotiation
This exercises our computation of record expansion.
2018-08-16 10:01:47 +02:00
Manuel Pégourié-Gonnard b747c6cf9b Add basic first tests for MTU setting
For now, just check that it causes us to fragment. More tests are coming in
follow-up commits to ensure we respect the exact value set, including when
renegotiating.
2018-08-16 10:01:47 +02:00
Manuel Pégourié-Gonnard 2cb17e201b Make handshake fragmentation follow max_frag_len
Note: no interop tests in ssl-opt.sh for now, as some of them make us run into
bugs in (the CI's default versions of) OpenSSL and GnuTLS, so interop tests
will be added later once the situation is clarified. <- TODO
2018-08-16 10:01:10 +02:00
Mohammad Azim Khan 2c069dfad3 Fix typo in test_suite_entropy.function 2018-08-15 13:55:37 +01:00
Ron Eldor 446227a1bd Enhance nist_kw with some NULL buffers tests
Enhance the nist_kw test suite, with setting zero length input\output
buffers. Resolves #1882.
2018-08-13 14:46:45 +03:00
Jaeden Amero cac0c1a250 Merge remote-tracking branch 'upstream-public/pr/1378' into development 2018-08-10 10:59:53 +01:00
Mohammad Azim Khan 5cb7017077 Less obscure test suites template 2018-08-06 11:42:56 +01:00
Mohammad Azim Khan d2d0112ca8 Style fixes 2018-08-06 11:42:56 +01:00
Mohammad Azim Khan 440d8737c6 Fix macro validation regex 2018-08-06 11:42:56 +01:00
Mohammad Azim Khan ee6529eb83 Add generate_test_code.py unit tests in all.sh 2018-08-06 11:42:56 +01:00
Mohammad Azim Khan 21798105f6 Pylint tests in all.sh 2018-08-06 11:42:56 +01:00
Mohammad Azim Khan 539aa06f64 Fix Python 2 & 3 compatibility in test_generate_test_code.py 2018-08-06 11:42:56 +01:00
Mohammad Azim Khan 32cbcdac8f Fix Pylint errors in Python scripts 2018-08-06 11:42:56 +01:00
Azim Khan 630281349e Replaced escaped_split() logic with regex 2018-08-06 11:42:56 +01:00
Azim Khan fcdf685302 Make test function parsing robust
This commit enhances parsing of the test function in generate_test_code.py for
cases where return type and function name are on separate lines.
2018-08-06 11:42:56 +01:00
Azim Khan 4084ec7ae5 Fixed unit tests in test_generate_test_code.py 2018-08-06 11:42:56 +01:00
Azim Khan 8d686bfdb1 Incorporated code revoew comments. 2018-08-06 11:42:56 +01:00
Azim Khan b31aa44e16 Fix style errors reported by pylint 2018-08-06 11:42:56 +01:00
Azim Khan aee05bbe70 Add test suite framework summary 2018-08-06 11:42:56 +01:00
Azim Khan 63ab501aa7 Fix generate_test_code.py argument --helpers-file in CMakeLists.txt 2018-08-06 11:42:56 +01:00
Azim Khan 27a35e7712 Wildcard possible targets and document
Test application names and function file names can be constructed
based on the followed naming convention. This commit documents the
naming convention and removes explicit listing of the test
executables and the lookup table for finding .function file.
2018-08-06 11:42:56 +01:00
Azim Khan 5fcca46a3a Rename HexParam_t -> data_t for consistent coding style 2018-08-06 11:42:06 +01:00
Azim Khan 62a5d7d65a Document status/error codes in helper.function 2018-08-06 11:42:06 +01:00
Azim Khan 951a2c8898 Improve documentation in mbedtls_test.py 2018-08-06 11:42:06 +01:00
Azim Khan e3b26af7c0 Improve documentation in generate_test_code.py 2018-08-06 11:42:06 +01:00
Azim Khan b98e6eec58 Replace asserts with exceptions in mbedtls_test.py 2018-08-06 11:42:06 +01:00
Azim Khan 040b6a2281 Wrap code to 79 character limit 2018-08-06 11:42:06 +01:00
Azim Khan 936ea9302a Strip whitespaces added by decode() function 2018-08-06 11:42:06 +01:00
Mohammad Azim Khan 00c4b090c1 Change intermediate data file extension to .datax 2018-08-06 11:42:06 +01:00
Mohammad Azim Khan ff560f2239 Rename makefile target gen-embedded-test - generate-target-tests 2018-08-06 11:42:06 +01:00
Mohammad Azim Khan cfd834274b Use integer instead of string as test result 2018-08-06 11:42:06 +01:00
Mohammad Azim Khan 53faf5c964 Widen the test app columns 2018-08-06 11:42:06 +01:00
Mohammad Azim Khan 8a3628fc86 Set PYTHON using ?= syntax 2018-08-06 11:40:58 +01:00
Mohammad Azim Khan 8f6e8cfcc7 Print line number with data file error 2018-08-06 11:40:58 +01:00
Mohammad Azim Khan 3b06f226e9 Replace asserts with exceptions in generate_test_code.py 2018-08-06 11:40:58 +01:00
Mohammad Azim Khan c3521dfdd6 Fix generate_test_code.py unit tests 2018-08-06 11:40:58 +01:00
Azim Khan 0fa3504a77 Add missing MSVC typedefs 2018-08-06 11:40:58 +01:00
Gilles Peskine 667f7f8369 Fix generation of #line directives in Python 2
When using Python 2 (which is done in the Makefile), all #line
directives from the test code were generated with the line number 1.
This traces back to the change in the method name for generators in
Python 2 (next) vs Python 3 (__next__). Override both methods so that
the script remains compatible with both Python 2 and Python 3.
2018-08-06 11:40:58 +01:00
Gilles Peskine 7776141a16 Don't generate lines with only whitespace 2018-08-06 11:40:58 +01:00
Mohammad Azim Khan 9b06f37601 Give execute permissions to Python scripts 2018-08-06 11:40:58 +01:00
Mohammad Azim Khan b73159d639 Remove white spaces caught by check-files.py 2018-08-06 11:40:58 +01:00
Mohammad Azim Khan ddde34c698 Remove git conflict marker from test_suite_timing.function 2018-08-06 11:40:58 +01:00
Mohammad Azim Khan 76135345c8 Fix gcc-7 -Wformat-truncation warning
Function test_snprintf() is called by run_test_snprintf() with constant test
data. It gets inlined and is subjected to snprintf format truncation checks
introduced by -Wformat-truncation in gcc-7. -Wformat-truncation is turned
On by -Wall and other similar options. It results in error with -Werror.

-Wformat-truncation makes tests performed by run_test_snprintf() redundant
on gcc. But they are still relevant for other compilers. This commit prevents
inlining of test_snprintf() to avoid gcc compile time checks.
2018-08-06 11:40:58 +01:00
Mohammad Azim Khan 1ec7e6f3d9 Python3 compatible generate_test_code.py 2018-08-06 11:40:58 +01:00
Mohammad Azim Khan 78befd9019 Rename generate_code.py -> generate_test_code.py 2018-08-06 11:40:58 +01:00
Mohammad Azim Khan 7eb55687c4 Set OS specific python executable name 2018-08-06 11:40:58 +01:00
Mohammad Azim Khan b522929666 Add support for per test suite helper functions 2018-08-06 11:40:58 +01:00
Azim Khan 05d83fa406 Put parentheses around macro arguments 2018-08-06 11:40:58 +01:00
Azim Khan 36e5fac0fb Rephrase confusing function description 2018-08-06 11:40:58 +01:00
Azim Khan 317efe85e1 Adapt new test gcm_bad_parameters() to on target testing changes 2018-08-06 11:40:58 +01:00
Azim Khan f0e42fbd1f Add missing documentation and fix file doc strings 2018-08-06 11:40:58 +01:00
Mohammad Azim Khan 9540261a76 Incorporated code review comments 2018-08-06 11:40:58 +01:00
Azim Khan d61b837fac Update unit tests for change in test suites code generator
Code generator has been modified to generate case statements for dependency checks and expression checks.
This commit updates the unit tests accordingly.
2018-08-06 11:40:58 +01:00
Azim Khan b1c2d0f946 Use switch instead if if-else for dependency and expression checks. 2018-08-06 11:40:58 +01:00
Azim Khan d61a4384d8 incorporate code review comment in embedded_test.function 2018-08-06 11:40:58 +01:00
Azim Khan 663d4702c5 Incorporate code review suggestions in mbedtls_test.py 2018-08-06 11:40:58 +01:00
Azim Khan 599cd247e6 Update unit tests for code generator and make code generator more testable. 2018-08-06 11:40:58 +01:00
Azim Khan acc5473ac9 Use FileWrapper class in place of file where line number is required 2018-08-06 11:40:57 +01:00
Azim Khan 5e2ac1fb29 Updated generate_code.py unit tests 2018-08-06 11:40:57 +01:00
Azim Khan 4b54323bcb Unit test generate_copy.py 2018-08-06 11:40:57 +01:00
Azim Khan 13c6bfbc2a Gaurd test suite headers with suite dependency
Test suite header code was not gaurded with test suite dependency.
But some test suites have additional code in the headers section.
Variables in that section become unused if suite functions are
gaurded. Hence gaurded the headers section.
But this changed cuased missing types in get_expression() function
that was originally accessing types defined through suite headers.
Hence had to gaurd expressions code as well.
Gaurding expressions does not allow parsing the parameters when
some types or hash defs are gaurded. Hence added function
check_test() to check if test is allowed or not before parsing the
parameters.
2018-08-06 11:40:57 +01:00
Mohammad Azim Khan 8c4d5ba763 Update CMakeList.txt with new test suites code generator 2018-08-06 11:40:57 +01:00
Mohammad Azim Khan cf32c45bfd Add missing headers and fix name change issues 2018-08-06 11:40:57 +01:00
Azim Khan 1de892b85f Update code as old template and generator is replaced with new one 2018-08-06 11:40:57 +01:00
Azim Khan 191e904bb2 Replace old template and code generator with new ones. Keep names 2018-08-06 11:40:57 +01:00
Azim Khan 975d97eb8b Remove old test suite template and code generator script 2018-08-06 11:40:57 +01:00
Azim Khan 2397bbaa01 Update test generator for use of struct for hex parameters 2018-08-06 11:40:57 +01:00
Azim Khan d30ca130e8 Combine hex parameters in a struct 2018-08-06 11:40:57 +01:00
Azim Khan 5cfc06832e Fix name conflict in function params after hexify/unhexify change 2018-08-06 11:40:57 +01:00
Azim Khan 3e5d0004ab Update Greentea API header 2018-08-06 11:40:57 +01:00
Azim Khan 47b40609de Fix RSA test suite bugged by hexify/unhexify change 2018-08-06 11:40:57 +01:00
Azim Khan 392267a7c8 Fix missing data in the RSA test vectors file 2018-08-06 11:40:57 +01:00
Azim Khan b3a103c499 Put else in it's own line 2018-08-06 11:40:57 +01:00
Azim Khan d59391afcd Add support for sending hex parameters 2018-08-06 11:40:57 +01:00
Azim Khan 46c9b1f196 Fix test functions and data after moving hexify/unhexify out
- Separate string and hex parameter as unhexify is moved out of the function. It's input should only be hex.
- Fix test mbedtls_ccm_encrypt_and_tag that grows input message buffer with tag
- Add missing expected length parameter in ECP TLS tests
- Add deleted TEST_ASSERT and mbedtls calls that got removed in script based code generation
2018-08-06 11:40:57 +01:00
Azim Khan 5e7f8df800 Print Greentea __testcase_name indicator for Greentea to mark the test 2018-08-06 11:40:57 +01:00
Azim Khan a57a420985 Add hex parameter dispatch 2018-08-06 11:40:57 +01:00
Azim Khan 184447e7e4 Add proper handling of hex data 2018-08-06 11:40:57 +01:00
Azim Khan f1aaec9888 Intermediate hexify out change 2018-08-06 11:40:57 +01:00
Azim Khan 9079170f6e Adapt code for scripting out hexify/unhexify code 2018-08-06 11:40:57 +01:00
Azim Khan 3499a9e41b Add hex comparison function 2018-08-06 11:40:57 +01:00
Azim Khan 0574632b30 Update Greentea client API calls 2018-08-06 11:40:57 +01:00
Azim Khan ee6c0189df Unify test setup errors for sending to host 2018-08-06 11:40:57 +01:00
Azim Khan ec024483ae Fix line no. directive 2018-08-06 11:40:57 +01:00
Mohammad Azim Khan 67735d540b Fix name conflict and implicit use of functions from string.h 2018-08-06 11:40:57 +01:00
Mohammad Azim Khan 7a0d84fccc On target test host test script 2018-08-06 11:40:57 +01:00
Mohammad Azim Khan fff4904e6b mbed-os test code generator 2018-08-06 11:40:57 +01:00
Mohammad Azim Khan 1f29be7241 Make target for on mbed testing
New target gen-mbed-test generates mebdtls tests in mbed-os test format.
i.e. a dir tree like TESTS/<testgroup>/[<sub testgroup>/]<test case>.
The TESTS dir can then be imported into mbed-os to compile tests with mbed-os.
2018-08-06 11:40:57 +01:00
Mohammad Azim Khan 94aefaf314 Optimise makefile targets 2018-08-06 11:32:29 +01:00
Simon Butcher 5f26b11ffa Change test dependencies to RC4 from DES
Some tests were dependent on DES yet actually used RC4. Likely a copy and paste
error. This change fixes them.
2018-07-27 17:15:39 +01:00
Jaeden Amero 193c86425e Update version to 2.12.0 2018-07-25 15:42:26 +01:00
Simon Butcher 729d7814c8 Merge remote-tracking branch 'public/pr/779' into development 2018-07-24 17:20:36 +01:00
Simon Butcher 2c92949e0a Merge remote-tracking branch 'public/pr/1198' into development 2018-07-24 17:20:17 +01:00
Simon Butcher c88c627fba Merge remote-tracking branch 'public/pr/1658' into development 2018-07-24 17:19:10 +01:00
Ron Eldor 8dd03cd1aa Add tests for the nist key wrapping feature
Add tests for Key wrapping.
Test vectors taken from the standards.
2018-07-24 16:43:20 +01:00
Simon Butcher 5ca06c763c Merge remote-tracking branch 'public/pr/1724' into development 2018-07-24 13:32:07 +01:00
Simon Butcher 116ac43d00 Merge remote-tracking branch 'public/pr/1852' into development 2018-07-24 12:18:59 +01:00
Simon Butcher bdf80d0953 Merge remote-tracking branch 'public/pr/1810' into development 2018-07-24 12:12:27 +01:00
Simon Butcher a7b35434e6 Merge remote-tracking branch 'public/pr/1871' into development 2018-07-24 08:26:13 +01:00
Ron Eldor bb4bbbbbb4 Resolve PR review comments
Address review comments:
1. add `mbedtls_cipher_init()` after freeing context, in test code
2. style comments
3. set `ctx->iv_size = 0` in case `IV == NULL && iv_len == 0`
2018-07-23 18:18:35 +01:00
Ron Eldor 6f90ed82b9 Fix CI failure
Test IV special cases only if `MBEDTLS_CIPHER_MODE_CBC` is defined
2018-07-23 18:18:35 +01:00
Ron Eldor 4e64e0b922 Fix after PR comments
1. Don't set IV onECB
2. Fix style issues
3. reduce number of tests
2018-07-23 18:18:32 +01:00
Ron Eldor 7b01244b99 Add tests for mbedtls_cipher_crypt API
1. Add tests for 'mbedtls_cipher_crypt()' API
2. Resolves #1091, by ignoring IV when the cipher mode is MBEDTLS_MODE_ECB
2018-07-23 18:02:09 +01:00
Simon Butcher 8e6a22ac3d Add additional i386 tests to all.sh
Added an additional i386 test to all.sh, to allow one test with -O0 which
compiles out inline assembly, and one to test with -01 which includes the inline
assembly.
2018-07-23 13:31:19 +01:00
Simon Butcher 7a6da6ed5e Expand i386 all.sh tests to full config ASan builds
The i386 test builds were only building the default configuration and had
no address sanitisation. This commit expands the test configuration to the full
configuration in all.sh and builds with ASan for when the test suites are
executed.
2018-07-22 18:01:19 +01:00
Andres Amaya Garcia 4c761fab7f Add test for empty app data records to ssl-opt.sh 2018-07-20 23:09:29 +01:00
Jaeden Amero 7c1258dc78 all.sh: Return error on keep-going failure
When calling all.sh from a script and using "--keep-going", errors were
sometimes missed due to all.sh always returning 0 "success" return code.
Return 1 if there is any failure encountered during a "keep-going" run.
2018-07-20 17:14:21 +01:00
Simon Butcher 7d728bd70e Merge remote-tracking branch 'public/pr/1454' into development 2018-07-20 14:33:44 +01:00
Simon Butcher 922bd1efb2 Merge remote-tracking branch 'public/pr/1752' into development 2018-07-20 14:33:18 +01:00
Simon Butcher be685ba337 Merge remote-tracking branch 'public/pr/1836' into development 2018-07-19 20:01:23 +01:00
Simon Butcher e7aeef09ee Merge remote-tracking branch 'public/pr/536' into development 2018-07-10 15:24:26 +01:00
Simon Butcher 727325baa7 Merge remote-tracking branch 'public/pr/1788' into development 2018-07-10 14:54:52 +01:00
Jaeden Amero cdb5cc570c tests: dhm: Rename Hallman to Hellman
Fix typo of Diffie-Hallman to Diffie-Hellman.
2018-07-06 13:20:09 +01:00
Andrzej Kurek 991f9fefd9 all_sh: add a check for header inclusion in cpp_dummy_build.cpp
change the g++ test to be incremental, to save time
reorganize header order in cpp_dummy_build.cpp according to c locale
2018-07-02 09:08:21 -04:00
Manuel Pégourié-Gonnard 4edb9cbbc0 Justify some max_ops settings in test_suite_pk 2018-07-02 12:23:23 +02:00
Gilles Peskine a931265509 Fix ssl-opt.sh not starting when lsof is not available
$START_DELAY was used before it was defined.
2018-06-29 15:48:13 +02:00
Nicholas Wilson 61fa436ad3 Address review comments - tidy usage of macros to use minimal values 2018-06-28 17:09:21 +01:00
Ron Eldor 643df7c8a1 Update ssl-opt.sh test to run condition
1. Update the test script to un the ECC tests only if the relevant
configurations are defined in `config.h` file
2. Change the HASH of the ciphersuite from SHA1 based to SHA256
for better example
2018-06-28 16:17:00 +03:00
k-stachowiak b056dd86d0 Remove a redundant dependency clause 2018-06-28 12:58:56 +02:00
Ron Eldor 58093c8bec Add ECC extensions test in ssl-opts.sh
Add test to verify if an ecc based extension exists
or not if an ecc based ciphersuite is used or not.
2018-06-28 13:22:05 +03:00
Andrzej Kurek 05be06cc2d Make the C++ test mandatory by removing the --no-cxx flag from all.sh
Remove the cmake test
2018-06-28 05:10:51 -04:00
Andrzej Kurek 45a6719594 Add a CXX build to all.sh to execute the C++ dummy test by default 2018-06-28 05:10:02 -04:00
Simon Butcher 597dbf8802 Adds a filter to run-test-suites.pl to exclude data files
The run-test-suites.pl script was executing all files of the form 'test_suite*'
which were either executable or ended with a .exe extension.

On some filesystems, such as through network shares or VMs, which are
abstracting one set of file permissions to Unix permissions, may set the
executable permissions on all files, whether they're executable or not.

That was leading to the run-test-suites.pl script to attempt to execute the .c
intermediate files because they followed the form 'test_suite_*.c'. This change
now excludes them, just in case they accidentally have execute permissions.
2018-06-27 16:16:39 +01:00
Ron Eldor b0ef434911 Add doxygen.sh script to git hooks
Add the doxygen.sh script to the pre-push git script
2018-06-27 17:41:00 +03:00
Simon Butcher 6665b67ddf Merge remote-tracking branch 'public/pr/1390' into development 2018-06-27 10:51:47 +01:00
Simon Butcher 9fa21bffe6 Merge remote-tracking branch 'public/pr/1533' into development 2018-06-27 10:50:58 +01:00
k-stachowiak 7972334090 Enable ARIA self test in the unit testing 2018-06-25 15:29:52 +02:00
Nicholas Wilson 2682edf205 Fix build using -std=c99
In each place where POSIX/GNU functions are used, the file must declare
that it wants POSIX functionality before including any system headers.
2018-06-25 12:00:26 +01:00
Andres Amaya Garcia 7994766581 Fix usage of if_build_succeeded in all.sh zeroize test 2018-06-20 09:34:54 +01:00
Andrzej Kurek c19fc55538 Add missing large and small packet tests for ssl_server2 2018-06-20 04:22:06 -04:00
Andrzej Kurek 30e731decd Added buffer_size and response_size options for ssl-server2.
Added appropriate tests.
2018-06-20 04:22:06 -04:00
Manuel Pégourié-Gonnard 79d9b50421 Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted
* development: (180 commits)
  Change the library version to 2.11.0
  Fix version in ChangeLog for fix for #552
  Add ChangeLog entry for clang version fix. Issue #1072
  Compilation warning fixes on 32b platfrom with IAR
  Revert "Turn on MBEDTLS_SSL_ASYNC_PRIVATE by default"
  Fix for missing len var when XTS config'd and CTR not
  ssl_server2: handle mbedtls_x509_dn_gets failure
  Fix harmless use of uninitialized memory in ssl_parse_encrypted_pms
  SSL async tests: add a few test cases for error in decrypt
  Fix memory leak in ssl_server2 with SNI + async callback
  SNI + SSL async callback: make all keys async
  ssl_async_resume: free the operation context on error
  ssl_server2: get op_name from context in ssl_async_resume as well
  Clarify "as directed here" in SSL async callback documentation
  SSL async callbacks documentation: clarify resource cleanup
  Async callback: use mbedtls_pk_check_pair to compare keys
  Rename mbedtls_ssl_async_{get,set}_data for clarity
  Fix copypasta in the async callback documentation
  SSL async callback: cert is not always from mbedtls_ssl_conf_own_cert
  ssl_async_set_key: detect if ctx->slots overflows
  ...
2018-06-20 09:46:17 +02:00
Manuel Pégourié-Gonnard 9fece7ee91 Add ChachaPoly ciphersuites to compat.sh
This is disabled by default since it requires OpenSSL >= 1.1.0 and the current
default version on the CI is 1.0.2. However, the CI also has 1.1.1-rc which
can be used for this.
2018-06-19 13:16:30 +02:00
Manuel Pégourié-Gonnard c36b432108 Add GnuTLS interop for CCM(-8) ciphersuites
I'm going to touch the GCM/CCM/CCM-8 code in the next commit, and so far we
didn't have any interop testing for CCM/CCM-8.

Our standard development/testing environment currently has GnuTLS 3.4.10, and
fortunately support for CCM/CCM-8 was introduced in GnuTLS 3.4.0

Support in OpenSSL was introduced in 1.1.0 which is not yet the default
version in the CI.
2018-06-19 12:12:47 +02:00
Manuel Pégourié-Gonnard ce66d5e8e1 Declare ChaCha-Poly ciphersuites
Prefer them over AES-GCM as they have better performance and fewer side
channel considerations in software implementations.
2018-06-19 12:11:38 +02:00
Manuel Pégourié-Gonnard 0dadba2b58 Merge branch 'development' into iotssl-2257-chacha-poly-primitives
* development: (182 commits)
  Change the library version to 2.11.0
  Fix version in ChangeLog for fix for #552
  Add ChangeLog entry for clang version fix. Issue #1072
  Compilation warning fixes on 32b platfrom with IAR
  Revert "Turn on MBEDTLS_SSL_ASYNC_PRIVATE by default"
  Fix for missing len var when XTS config'd and CTR not
  ssl_server2: handle mbedtls_x509_dn_gets failure
  Fix harmless use of uninitialized memory in ssl_parse_encrypted_pms
  SSL async tests: add a few test cases for error in decrypt
  Fix memory leak in ssl_server2 with SNI + async callback
  SNI + SSL async callback: make all keys async
  ssl_async_resume: free the operation context on error
  ssl_server2: get op_name from context in ssl_async_resume as well
  Clarify "as directed here" in SSL async callback documentation
  SSL async callbacks documentation: clarify resource cleanup
  Async callback: use mbedtls_pk_check_pair to compare keys
  Rename mbedtls_ssl_async_{get,set}_data for clarity
  Fix copypasta in the async callback documentation
  SSL async callback: cert is not always from mbedtls_ssl_conf_own_cert
  ssl_async_set_key: detect if ctx->slots overflows
  ...
2018-06-19 11:13:50 +02:00
Simon Butcher 2fcd3e4441 Change the library version to 2.11.0
* Change the Mbed TLS library version to 2.11.0
 * Increase the soversion of libmbedcrypto
 * Increase the soversion of libmbedtls
2018-06-18 14:39:06 +01:00
Angus Gratton c4dd07369f test: Add test cases for separately reduced inward/outward buffer sizes 2018-06-18 20:51:51 +10:00
Jaeden Amero d9c71dad50 Revert "Turn on MBEDTLS_SSL_ASYNC_PRIVATE by default"
This reverts commit 5ffe41c8f9.

Turn off MBEDTLS_SSL_ASYNC_PRIVATE by default because we don't want to
change the ABI yet.
2018-06-15 20:31:26 +01:00
Simon Butcher 9873696c34 Merge remote-tracking branch 'public/pr/710' into development 2018-06-15 14:18:11 +01:00
Simon Butcher 5f57f1e3cc Merge remote-tracking branch 'public/pr/1270' into development 2018-06-15 14:17:31 +01:00
Gilles Peskine 725f1cb6bd SSL async tests: add a few test cases for error in decrypt
The code paths in the library are different for decryption and for
signature. Improve the test coverage by doing some error path tests
for decryption in addition to signature.
2018-06-13 18:10:41 +02:00
Jaeden Amero d906b818f3 tests: cipher: Allocate enough space for XTS keys
XTS keys can be double the size, since XTS uses two keys concatenated
together as a key (one for the tweak, one for encryption).
2018-06-13 12:16:25 +01:00
Jaeden Amero c28012acdd tests: Remove NIST AES-XTS test vectors
The IEEE P1619 XTS test vectors should suffice. Remove the NIST test
vectors.
2018-06-13 12:13:58 +01:00
Jaeden Amero 142383e25b aes: xts: Add tests for invalid key sizes
Test that we get the error we expect when using various valid and invalid
keysizes with mbedtls_aes_xts_setkey_enc() and
mbedtls_aes_xts_setkey_dec().
2018-06-13 12:13:58 +01:00
Jaeden Amero c653990ed5 cipher: Add wrappers for AES-XTS
AES-XTS does not support multipart use as it can only operate on an entire
sector at a time.
2018-06-13 12:13:56 +01:00
Jaeden Amero 425382d4fb tests: Extend AES-XTS suite
Extend the existing test suite for AES-XTS with checks for error reporting
and the IEEE P1619/D16 test vectors.
2018-06-13 12:05:04 +01:00
Jaeden Amero e5c4b07b92 tests: Make AES-XTS suite more stack friendly
Remove stack-allocated buffers from the AES-XTS test suites.
2018-06-13 12:05:04 +01:00
Jaeden Amero cd9fc5e541 aes: xts: Rename iv to data_unit
XTS doesn't have an IV, it has a "Data Unit". Rename iv for parity with the
XTS standard.
2018-06-13 12:05:04 +01:00
Jaeden Amero 5162b932a2 aes: Use length instead of bits_length in XTS
mbedtls_aes_crypt_xts() currently takes a `bits_length` parameter, unlike
the other block modes. Change the parameter to accept a bytes length
instead, as the `bits_length` parameter is not actually ever used in the
current implementation.
2018-06-13 12:05:04 +01:00
Jaeden Amero 9366feb504 aes: xts: Add new context structure
Add a new context structure for XTS. Adjust the API for XTS to use the new
context structure, including tests suites and the benchmark program. Update
Doxgen documentation accordingly.
2018-06-13 12:05:04 +01:00
Jaeden Amero e22ba80e7b Add XTS test suites to the Makefile 2018-06-13 12:05:01 +01:00
Jaeden Amero e9ecf00007 aes: Remove AES-XEX
AES-XEX is a building block for other cryptographic standards and not yet a
standard in and of itself. We'll just provide the standardized AES-XTS
algorithm, and not AES-XEX. The AES-XTS algorithm and interface provided
can be used to perform the AES-XEX algorithm when the length of the input
is a multiple of the AES block size.
2018-06-13 12:03:29 +01:00
Aorimn 5f77801ac3 Implement AES-XTS mode
XTS mode is fully known as "xor-encrypt-xor with ciphertext-stealing".
This is the generalization of the XEX mode.
This implementation is limited to an 8-bits (1 byte) boundary, which
doesn't seem to be what was thought considering some test vectors [1].

This commit comes with tests, extracted from [1], and benchmarks.
Although, benchmarks aren't really nice here, as they work with a buffer
of a multiple of 16 bytes, which isn't a challenge for XTS compared to
XEX.

[1] http://csrc.nist.gov/groups/STM/cavp/documents/aes/XTSTestVectors.zip
2018-06-13 12:03:27 +01:00
Aorimn fb67fae83a Add AES-XEX tests cases
The test cases come from the XTS test vectors given by the CAVP initiative
from NIST (see [1]).
As mentioned in a previous commit, XEX is a simpler case of XTS.
Therefore, to construct the test_suite_aes.xex.data file, extraction of
the XEX-possible cases has been done on the given test vectors.
All of the extracted test vectors pass the tests on a Linux x86_64 machine.

[1] http://csrc.nist.gov/groups/STM/cavp/documents/aes/XTSTestVectors.zip
2018-06-13 12:01:50 +01:00
Jaeden Amero 9f52aebe2e tests: Fix name of 33 byte AES cipher tests
We named the tests "32 bytes", but actually tested with 33 bytes. Fix the
mistake.
2018-06-13 11:56:03 +01:00
Manuel Pégourié-Gonnard b5d668a7a7 post-merge: adapt ssl-opt.sh to new error values
The numerical value of the error code was changed when merging development
into this branch; now adapt ssl-opt.sh to the new value.
2018-06-13 11:26:19 +02:00
Manuel Pégourié-Gonnard d0a66ccde3 post-merge: fix ECDSA test vector testing
The way we do negative tests only works if the initial test was positive.

This was not immediately apparent with the set of test data at the time the
code for negative testing was introduced, but it became apparent with the
addition of the "0 private value" / "overlong private value" tests that
happened in development while this branch was developed.
2018-06-13 11:26:02 +02:00
Manuel Pégourié-Gonnard da19f4c79f Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted
Summary of merge conflicts:

include/mbedtls/ecdh.h -> documentation style
include/mbedtls/ecdsa.h -> documentation style
include/mbedtls/ecp.h -> alt style, new error codes, documentation style
include/mbedtls/error.h -> new error codes
library/error.c -> new error codes (generated anyway)
library/ecp.c:
    - code of an extracted function was changed
library/ssl_cli.c:
    - code addition on one side near code change on the other side
      (ciphersuite validation)
library/x509_crt.c -> various things
    - top fo file: helper structure added near old zeroize removed
    - documentation of find_parent_in()'s signature: improved on one side,
      added arguments on the other side
    - documentation of find_parent()'s signature: same as above
    - verify_chain(): variables initialised later to give compiler an
      opportunity to warn us if not initialised on a code path
    - find_parent(): funcion structure completely changed, for some reason git
      tried to insert a paragraph of the old structure...
    - merge_flags_with_cb(): data structure changed, one line was fixed with a
      cast to keep MSVC happy, this cast is already in the new version
    - in verify_restratable(): adjacent independent changes (function
      signature on one line, variable type on the next)
programs/ssl/ssl_client2.c:
    - testing for IN_PROGRESS return code near idle() (event-driven):
      don't wait for data in the the socket if ECP_IN_PROGRESS
tests/data_files/Makefile: adjacent independent additions
tests/suites/test_suite_ecdsa.data: adjacent independent additions
tests/suites/test_suite_x509parse.data: adjacent independent additions

* development: (1059 commits)
  Change symlink to hardlink to avoid permission issues
  Fix out-of-tree testing symlinks on Windows
  Updated version number to 2.10.0 for release
  Add a disabled CMAC define in the no-entropy configuration
  Adapt the ARIA test cases for new ECB function
  Fix file permissions for ssl.h
  Add ChangeLog entry for PR#1651
  Fix MicroBlaze register typo.
  Fix typo in doc and copy missing warning
  Fix edit mistake in cipher_wrap.c
  Update CTR doc for the 64-bit block cipher
  Update CTR doc for other 128-bit block ciphers
  Slightly tune ARIA CTR documentation
  Remove double declaration of mbedtls_ssl_list_ciphersuites
  Update CTR documentation
  Use zeroize function from new platform_util
  Move to new header style for ALT implementations
  Add ifdef for selftest in header file
  Fix typo in comments
  Use more appropriate type for local variable
  ...
2018-06-13 09:52:54 +02:00
Andres Amaya Garcia 9b04e19129 Use grep to detect zeroize test failures on GDB
This patch uses grep to search the GDB output for errors as there is
a bug in the tool that causes it to return 0 to the system even though
there was a problem in the script.

This patch also fixes the zeroize test to work with the --keep-going
option in all.sh.
2018-06-12 20:57:45 +01:00
Simon Butcher e47d6fd97e Merge remote-tracking branch 'public/pr/1497' into development 2018-06-12 16:53:04 +01:00
Simon Butcher f0d7629771 Merge remote-tracking branch 'public/pr/1593' into development 2018-06-12 16:41:41 +01:00
Simon Butcher 263498ac36 Merge remote-tracking branch 'public/pr/1667' into development 2018-06-12 16:40:07 +01:00
Simon Butcher 33cb519cda Add decrypt tests to AES OFB Cipher module
Adds additional tests for AES-128, AES-192, and AES-256, for OFB block mode, for
the cipher wrapper module.
2018-06-11 14:03:22 +01:00
Simon Butcher b7836e1e8c Change AES OFB tests to memset sizeof buffer 2018-06-11 14:03:22 +01:00
Simon Butcher e416bf93d2 Reduce stack usage for AES OFB tests
Reduced the size of allocated buffers to the minimum for OFB tests.
2018-06-11 14:03:22 +01:00
Simon Butcher 00131446be Fix style and formatting for OFB feature 2018-06-11 14:03:22 +01:00
Simon Butcher 374bcd4255 Add to OFB cipher tests AES-192 and AES-256 OFB 2018-06-11 14:03:22 +01:00
Simon Butcher dbe7fbf391 Remove unused variable in AES OFB test suite
Remove iv_len, an unused variable, in AES OFB test suite function, to fix gcc
compiler warning.
2018-06-11 14:03:22 +01:00
Simon Butcher ad4e4938d1 Fix AES-OFB support for errors, tests and self-test
Adds error handling into mbedtls_aes_crypt_ofb for AES errors, a self-test
for the OFB mode using NIST SP 800-38A test vectors and adds a check to
potential return errors in setting the AES encryption key in the OFB test
suite.
2018-06-11 14:03:22 +01:00
Simon Butcher 8c0fd1e881 Add cipher abstraction and test cases for OFB block mode
Adds OFB as additional block mode in the cipher abstraction, and additional
test cases for that block mode.
2018-06-11 14:03:22 +01:00
Simon Butcher 0301884f00 Add test cases for AES OFB block mode
Adds test cases from NIST SP800-38A for OFB block mode to AES-128/192/256, for
the configuration of MBEDTLS_CIPHER_MODE_OFB.
2018-06-11 14:03:22 +01:00
Jaeden Amero 10e0e4d4ff hkdf: Add negative tests
Test for the expected bad input parameter error when given specific sets of
bad input parameters.
2018-06-11 13:10:14 +01:00
Jaeden Amero 3618962cab hkdf: Add tests for extract and expand
Add tests for mbedtls_hkdf_extract() and mbedtls_hkdf_expand() from the
test vectors in Appendix A of RFC 5869.
2018-06-11 13:10:14 +01:00
Thomas Fossati 656864b360 Add an HKDF (RFC 5869) implementation 2018-06-11 13:10:14 +01:00
Manuel Pégourié-Gonnard 39b1904b9f Merge branch 'development' into iotssl-2257-chacha-poly-primitives
* development: (97 commits)
  Updated version number to 2.10.0 for release
  Add a disabled CMAC define in the no-entropy configuration
  Adapt the ARIA test cases for new ECB function
  Fix file permissions for ssl.h
  Add ChangeLog entry for PR#1651
  Fix MicroBlaze register typo.
  Fix typo in doc and copy missing warning
  Fix edit mistake in cipher_wrap.c
  Update CTR doc for the 64-bit block cipher
  Update CTR doc for other 128-bit block ciphers
  Slightly tune ARIA CTR documentation
  Remove double declaration of mbedtls_ssl_list_ciphersuites
  Update CTR documentation
  Use zeroize function from new platform_util
  Move to new header style for ALT implementations
  Add ifdef for selftest in header file
  Fix typo in comments
  Use more appropriate type for local variable
  Remove useless parameter from function
  Wipe sensitive info from the stack
  ...
2018-06-07 12:02:55 +02:00
Manuel Pégourié-Gonnard 2adb375c50 Add option to avoid 64-bit multiplication
Motivation is similar to NO_UDBL_DIVISION.

The alternative implementation of 64-bit mult is straightforward and aims at
obvious correctness. Also, visual examination of the generate assembly show
that it's quite efficient with clang, armcc5 and arm-clang. However current
GCC generates fairly inefficient code for it.

I tried to rework the code in order to make GCC generate more efficient code.
Unfortunately the only way to do that is to get rid of 64-bit add and handle
the carry manually, but this causes other compilers to generate less efficient
code with branches, which is not acceptable from a side-channel point of view.

So let's keep the obvious code that works for most compilers and hope future
versions of GCC learn to manage registers in a sensible way in that context.

See https://bugs.launchpad.net/gcc-arm-embedded/+bug/1775263
2018-06-07 11:05:33 +02:00
Simon Butcher d5a09f1e68 Updated version number to 2.10.0 for release 2018-06-06 14:52:00 +01:00
Simon Butcher d08a2f7245 Adapt the ARIA test cases for new ECB function
Commit 08c337d058 "Remove useless parameter from function" removed the
parameter mode from the functions mbedtls_aria_crypt_ecb() which broke their
respective test suite.

This commit fixes those test cases.
2018-06-05 15:53:06 +01:00
Manuel Pégourié-Gonnard 9c82e2ce49 Fix some whitespace issues 2018-06-04 12:30:16 +02:00
Manuel Pégourié-Gonnard 3dc62a0a9b chachapoly: force correct mode for integrated API
Allowing DECRYPT with crypt_and_tag is a risk as people might fail to check
the tag correctly (or at all). So force them to use auth_decrypt() instead.

See also https://github.com/ARMmbed/mbedtls/pull/1668
2018-06-04 12:18:19 +02:00
Simon Butcher eb6ed719e3 Merge remote-tracking branch 'public/pr/1267' into development 2018-06-01 19:28:18 +01:00
Simon Butcher 246cb05a92 Merge remote-tracking branch 'public/pr/1410' into development 2018-06-01 19:25:56 +01:00
Simon Butcher b02f7893f6 Merge remote-tracking branch 'public/pr/1470' into development 2018-06-01 19:20:25 +01:00
Simon Butcher ba9199458d Merge remote-tracking branch 'public/pr/1604' into development 2018-06-01 19:15:40 +01:00
Darryl Green 0daf4caaf8 Add test vectors for CCM* 2018-05-31 10:05:35 +01:00
Janos Follath 95ab93d417 CCM*: Add minimal tests 2018-05-29 11:59:22 +01:00
Manuel Pégourié-Gonnard 3798b6be6b Add some error codes and merge others
- need HW failure codes too
- re-use relevant poly codes for chachapoly to save on limited space

Values were chosen to leave 3 free slots at the end of the NET odd range.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 234e1cef73 cipher: add stream test vectors for chacha20(poly1305) 2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard ceb1225d46 chachapoly: add test for state flow 2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 444f711216 poly1305: add test with multiple small fragments
This exercises the code path where data is just appended to the waiting queue
while it isn't empty.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 59d2c30eba chachapoly: add test for parameter validation
Also fix two bugs found by the new tests.

Also remove redundant test case dependency declarations while at it.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard a8fa8b8f96 poly1305: add test for parameter validation
Also fix two validation bugs found while adding the tests.

Also handle test dependencies the right way while at it.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 2aca236881 chacha20: add test for parameter validation 2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard fce88b2533 Fix selftest verbosity in test suites 2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 69767d1c7b cipher: add chachapoly test vector + unauth case 2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 1465602ee1 poly1305: fix bug in starts() and add test for it 2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 55c0d096b7 chacha20: fix bug in starts() and add test for it
Previously the streaming API would fail when encrypting multiple messages with
the same key.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 7296771194 chachapoly: add test with unauthentic data 2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 528524bf3c Reduce size of buffers in test suites 2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard b1ac5e7842 poly1305: adjust parameter order
This module used (len, pointer) while (pointer, len) is more common in the
rest of the library, in particular it's what's used in the CMAC API that is
very comparable to Poly1305, so switch to (pointer, len) for consistency.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 346b8d5050 chachapoly: split crypt_and_mac() to match GCM API
In addition to making the APIs of the various AEAD modules more consistent
with each other, it's useful to have an auth_decrypt() function so that we can
safely check the tag ourselves, as the user might otherwise do it in an
insecure way (or even forget to do it altogether).
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard dca3a5d884 Rename aead_chacha20_poly1305 to chachapoly
While the old name is explicit and aligned with the RFC, it's also very long,
so with the mbedtls_ prefix prepended we get a 31-char prefix to each
identifier, which quickly conflicts with our 80-column policy.

The new name is shorter, it's what a lot of people use when speaking about
that construction anyway, and hopefully should not introduce confusion at
it seems unlikely that variants other than 20/1305 be standardised in the
foreseeable future.
2018-05-24 13:37:31 +02:00
Daniel King dca6abb24b Fix test suite when GCM Is disabled, but AEAD_ChaCha20_Poly1305 is enabled. 2018-05-24 13:37:31 +02:00
Daniel King 6155cc82ba Add ChaCha20 test vectors from RFC 7539 2018-05-24 13:37:31 +02:00
Daniel King 8fe4701abe Add ChaCha20+Poly1305 to the Cipher module 2018-05-24 13:37:31 +02:00
Daniel King b8025c5826 Implement AEAD-ChaCha20-Poly1305.
This implementation is based off the description in RFC 7539.

The ChaCha20 code is also updated to provide a means of generating
keystream blocks with arbitrary counter values. This is used to
generated the one-time Poly1305 key in the AEAD construction.
2018-05-24 13:37:31 +02:00
Daniel King adc32c0b50 Add Poly1305 authenticator algorithm (RFC 7539)
Test vectors are included from RFC 7539.

Poly1305 is also added to the benchmark program.
2018-05-24 13:37:31 +02:00
Daniel King bd92062269 Add ChaCha20 to the Cipher module 2018-05-24 13:37:31 +02:00
Daniel King 34b822ce7b Initial implementation of ChaCha20 2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard a3712beb9b Merge branch 'development' into iotssl-1941-aria-ciphersuites
* development: (504 commits)
  Fix minor code style issues
  Add the uodate to the soversion to the ChangeLog
  Fix the ChangeLog for clarity, english and credit
  Update version to 2.9.0
  ecp: Fix binary compatibility with group ID
  Changelog entry
  Change accepted ciphersuite versions when parsing server hello
  Remove preprocessor directives around platform_util.h include
  Fix style for mbedtls_mpi_zeroize()
  Improve mbedtls_platform_zeroize() docs
  mbedtls_zeroize -> mbedtls_platform_zeroize in docs
  Reword config.h docs for MBEDTLS_PLATFORM_ZEROIZE_ALT
  Organize CMakeLists targets in alphabetical order
  Organize output objs in alfabetical order in Makefile
  Regenerate errors after ecp.h updates
  Update ecp.h
  Change variable bytes_written to header_bytes in record decompression
  Update ecp.h
  Update ecp.h
  Update ecp.h
  ...
2018-05-22 15:58:50 +02:00
Darryl Green 2699de3370 Add check-files.py to pre-push.sh 2018-05-21 11:41:18 +01:00
Darryl Green a07039cfe2 Add check-files.py to all.sh 2018-05-21 11:41:04 +01:00
Darryl Green 10d9ce332f Add script for source integrity checking 2018-05-21 11:39:49 +01:00
Darryl Green 11999bb72e Fix minor code style issues 2018-05-15 09:21:57 +01:00
Jaeden Amero a331e0f0af Merge remote-tracking branch 'upstream-restricted/pr/421' into development-proposed 2018-05-04 14:39:24 +01:00
Jaeden Amero 09c4e7ef5a Merge remote-tracking branch 'upstream-public/pr/1486' into development-proposed 2018-05-04 11:03:16 +01:00
Andres Amaya Garcia 54306c14f6 Add more SNI/DTLS tests
Run the normal SNI/TLS tests over DTLS in ssl-opt.sh for greater
coverage.
2018-05-01 20:27:37 +01:00
Andres Amaya Garcia f77d3d31d6 Rename SNI/DTLS tests in ssl-opt.sh script 2018-05-01 20:26:47 +01:00
Mohammad Azim Khan 0b3f00c3cf Avoid -Wformat-truncation warning on gcc7 2018-05-01 10:17:48 +01:00
Jaeden Amero 7d7bad6b1f Update version to 2.9.0
Bump SOVERSION for parity with 2.7.2 and 2.7.3.
2018-04-30 09:58:33 +01:00
Gilles Peskine 807d74a062 SSL async callback: cert is not always from mbedtls_ssl_conf_own_cert
The certificate passed to async callbacks may not be the one set by
mbedtls_ssl_conf_own_cert. For example, when using an SNI callback,
it's whatever the callback is using. Document this, and add a test
case (and code sample) with SNI.
2018-04-30 10:30:49 +02:00
Gilles Peskine deda75a09e Fix missing continuation indicator in ssl-opt.sh 2018-04-30 10:02:45 +02:00
Gilles Peskine 37289cdb99 SSL async tests: tighten a few log checks in some test cases 2018-04-27 11:50:14 +02:00
Gilles Peskine 12d0cc1b8f Add test case for SSL async resume after resume
Add a test case for SSL asynchronous signature where f_async_resume is
called twice. Verify that f_async_sign_start is only called once.

This serves as a non-regression test for a bug where f_async_sign_start
was only called once, which turned out to be due to a stale build
artifacts with mismatched numerical values of
MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS.
2018-04-26 15:06:56 +02:00
Gilles Peskine 5ffe41c8f9 Turn on MBEDTLS_SSL_ASYNC_PRIVATE by default
This is an ABI change in libmbedtls.
2018-04-26 11:51:03 +02:00
Gilles Peskine c912572a7f ssl_server2: merge redundant async_private_error=resume/pk
Testing the case where the resume callback returns an error at the
beginning and the case where it returns an error at the end is
redundant. Keep the test after the output has been produced, to
validate that the product does not use even a valid output if the
return value is an error code.
2018-04-26 10:00:40 +02:00
Gilles Peskine d3268834f3 Document what the SSL async sign callback needs to do with RSA
Document how the SSL async sign callback must treat its md_alg and
hash parameters when doing an RSA signature: sign-the-hash if md_alg
is nonzero (TLS 1.2), and sign-the-digestinfo if md_alg is zero
(TLS <= 1.1).

In ssl_server2, don't use md_alg=MBEDTLS_MD_NONE to indicate that
ssl_async_resume must perform an encryption, because md_alg is also
MBEDTLS_MD_NONE in TLS <= 1.1. Add a test case to exercise this
case (signature with MBEDTLS_MD_NONE).
2018-04-26 10:00:40 +02:00
Gilles Peskine ad28bf0e58 Documentation improvements 2018-04-26 10:00:40 +02:00
Gilles Peskine 168dae8567 Comment formatting and whitespace fixes 2018-04-26 10:00:40 +02:00
Gilles Peskine b74a1c73b1 Rename MBEDTLS_SSL_ASYNC_PRIVATE_C to MBEDTLS_SSL_ASYNC_PRIVATE
This is an optional feature, not a module of its own, so don't call it
MBEDTLS_xxx_C and put it in the appropriate section of config.h.
2018-04-26 10:00:39 +02:00
Gilles Peskine b44692f126 Merge branch 'mbedtls_ssl_get_key_exchange_md_ssl_tls-return_hashlen' into tls_async_server-2.9
Conflict resolution:
* ChangeLog: put the new entry from my branch in the proper place.
* include/mbedtls/error.h: counted high-level module error codes again.
* include/mbedtls/ssl.h: picked different numeric codes for the
  concurrently added errors; made the new error a full sentence per
  current standards.
* library/error.c: ran scripts/generate_errors.pl.
* library/ssl_srv.c:
    * ssl_prepare_server_key_exchange "DHE key exchanges": the conflict
      was due to style corrections in development
      (4cb1f4d49c) which I merged with
      my refactoring.
    * ssl_prepare_server_key_exchange "For key exchanges involving the
      server signing", first case, variable declarations: merged line
      by line:
        * dig_signed_len: added in async
        * signature_len: removed in async
        * hashlen: type changed to size_t in development
        * hash: size changed to MBEDTLS_MD_MAX_SIZE in async
        * ret: added in async
    * ssl_prepare_server_key_exchange "For key exchanges involving the
      server signing", first cae comment: the conflict was due to style
      corrections in development (4cb1f4d49c)
      which I merged with my comment changes made as part of refactoring
      the function.
    * ssl_prepare_server_key_exchange "Compute the hash to be signed" if
      `md_alg != MBEDTLS_MD_NONE`: conflict between
      ebd652fe2d
      "ssl_write_server_key_exchange: calculate hashlen explicitly" and
      46f5a3e9b4 "Check return codes from
      MD in ssl code". I took the code from commit
      ca1d742904 made on top of development
      which makes mbedtls_ssl_get_key_exchange_md_ssl_tls return the
      hash length.
* programs/ssl/ssl_server2.c: multiple conflicts between the introduction
  of MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS and new auxiliary functions and
  definitions for async support, and the introduction of idle().
    * definitions before main: concurrent additions, kept both.
    * main, just after `handshake:`: in the loop around
      mbedtls_ssl_handshake(), merge the addition of support for
      MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS and SSL_ASYNC_INJECT_ERROR_CANCEL
      with the addition of the idle() call.
    * main, if `opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM`: take the
      code from development and add a check for
      MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS.
    * main, loop around mbedtls_ssl_read() in the datagram case:
      take the code from development and add a check for
      MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS; revert to a do...while loop.
    * main, loop around mbedtls_ssl_write() in the datagram case:
      take the code from development and add a check for
      MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS; revert to a do...while loop.
2018-04-26 10:00:27 +02:00
Jaeden Amero 38c42d5afa Merge remote-tracking branch 'upstream-public/pr/1570' into development-proposed
Resolve merge conflict in ChangeLog.
2018-04-25 14:20:08 +01:00
Andres Amaya Garcia 708c5cb6ab mbedtls_zeroize -> mbedtls_platform_zeroize in docs 2018-04-24 08:33:31 -05:00
Gilles Peskine fcca9d8cef SSL asynchronous decryption (server side): tests
Test SSL asynchronous private operation for the case of a
decryption operation on a server.
2018-04-24 09:36:37 +02:00
Gilles Peskine d9bfcabcb9 SSL asynchronous signature: fix renegotiation tests
Fixed typo in "SSL async private: renegotiation" tests that caused the
renegotiation not to actually take place.
2018-04-24 09:36:36 +02:00
Gilles Peskine dbb14e09f2 all.sh: run ssl-opt.sh on ECJPAKE, SSL async
Run ssl-opt.sh in the "full" configuration on things that are not in
the default configuration: SSL async private, ECJPAKE.
2018-04-24 09:36:36 +02:00
Gilles Peskine 60ee4cadce SSL asynchronous signature: basic test of recovery after error
Add test cases where the server goes through an async operation which
fails, then the server makes a successful connection.
2018-04-24 09:36:36 +02:00
Gilles Peskine 3665f1db9d SSL asynchronous signature: test cases
Add test cases for SSL asynchronous signature to ssl-opt.sh:

* Delay=0,1 to test the sequences of calls to f_async_resume
* Test fallback when the async callbacks don't support that key
* Test error injection at each stage
* Test renegotiation
2018-04-24 09:36:36 +02:00
Andrzej Kurek f13ca9536c Test suites: print error on failed platform_setup
Return encountered errors instead of covering them
Fix return value on the broken snprintf implementation
2018-04-18 04:14:31 -04:00
Andres Amaya Garcia eecea0e281 Update zeroize test to use mbedtls_platform_zeroize() 2018-04-17 10:14:53 -05:00
Andres Amaya Garcia 757cd72edf Update license headers year and branding 2018-04-17 09:21:49 -05:00
Andres Amaya Garcia 42defd10a6 Improve docs for zeroize.c and test_zeroize.gdb 2018-04-17 09:21:49 -05:00
Andres Amaya Garcia 806f403a02 Improve detection of program exit code in gdb script 2018-04-17 09:19:05 -05:00
Andres Amaya Garcia 7111a0d13b Change test_zeroize.gdb script breakpoint due to zeroize.c change 2018-04-17 09:19:05 -05:00
Andres Amaya Garcia 2967381ccd Extend zeroize tests to multiple optimizations
Extend the all.sh test to cover multiple compiler optimization levels.
At the momment, the test is run using gcc and clang.
2018-04-17 09:19:05 -05:00
Andres Amaya Garcia 24768bfa37 Improve test_zeroize.gdb breakpoint
Improve the position of the breakpoint to be set at a line of code that
is less likely to be optimised out by the compiler. Setting the breakpoint
at a place that can be easily optimised out by the compiler will cause the
gdb script to fail as it cannot match the source code line to the
compiled code. For this reason the breakpoint is now set at the fclose()
call which is very unlikely to be optimised out or there might be a
resource leak.
2018-04-17 09:19:05 -05:00
Andres Amaya Garcia d0d7bf614e Add gdb zeroize test when compiling with clang 2018-04-17 09:17:38 -05:00
Andres Amaya Garcia f2d17929c0 Document test_zeroize.gdb script 2018-04-17 09:17:38 -05:00
Andres Amaya Garcia ddebc49f28 Add gdb script to test mbedtls_zeroize()
The gdb script loads the programs/test/zeroize program and feeds it as
imput its own source code. Then sets a breakpoint just before the last
program's return code and checks that every element in memory was
zeroized. Otherwise it signals a failure and terminates.

The test was added to all.sh.
2018-04-17 09:17:38 -05:00
Andrzej Kurek a282270a10 Add explicit checks for non-zero result of platform setup in test suites 2018-04-16 06:33:28 -04:00
Andrzej Kurek 32a675f032 Add conditional platform context creation & usage
Add another layer of abstraction before calling platform setup and teardown.
2018-04-13 06:16:04 -04:00
Andrzej Kurek 1152fa83f9 Add platform setup and teardown calls to test suites
Add a global platform context variable available for tests
2018-04-13 05:15:17 -04:00
Andres AG c4ec716ec8 Fix uninitialized var in check-generated-files.sh 2018-04-11 21:13:20 -05:00
Andres Amaya Garcia 4c1e2ec286 Check generated-visualc-files in check-generated-files 2018-04-11 20:52:30 -05:00
Jethro Beekman 666892792d Generate primes according to FIPS 186-4
The specification requires that numbers are the raw entropy (except for odd/
even) and at least 2^(nbits-0.5). If not, new random bits need to be used for
the next number. Similarly, if the number is not prime new random bits need to
be used.
2018-04-11 08:38:37 -07:00
fbrosson 533407a266 Use "#!/usr/bin/env perl" as shebang line. 2018-04-04 21:44:29 +00:00
Gilles Peskine 80aa3b8d65 Merge branch 'pr_946' into development-proposed 2018-04-04 10:33:45 +02:00
Gilles Peskine 5c77f2ef37 Merge remote-tracking branch 'upstream-public/pr/1535' into development-proposed 2018-04-04 10:31:09 +02:00
Gilles Peskine be2371c3d9 Merge branch 'pr_348' into development-proposed 2018-04-04 09:18:27 +02:00
Gilles Peskine 0ed632f445 Merge remote-tracking branch 'upstream-public/pr/1499' into development-proposed 2018-04-01 12:41:22 +02:00
Gilles Peskine 695d557dcf Merge branch 'pr_1180' into development-proposed 2018-04-01 12:26:36 +02:00
Nicholas Wilson 08f3ef1861 Basic support for Curve448, similar to the current level of support for Curve25519 2018-03-29 14:29:06 +01:00
Azim Khan 19d1373bb9 Enable SSL test scripts to dump logs on stdout 2018-03-29 11:10:57 +01:00
Jaeden Amero 78a03ec230 Merge remote-tracking branch 'upstream-public/pr/1379' into development-proposed 2018-03-29 10:57:57 +01:00
Jaeden Amero 2843d21d99 Merge remote-tracking branch 'upstream-public/pr/1523' into development-proposed 2018-03-28 15:32:13 +01:00
Hanno Becker 2bd57578af Merge branch 'development' into iotssl-1204 2018-03-28 14:52:35 +01:00
Jaeden Amero 9528658446 Merge remote-tracking branch 'upstream-public/pr/701' into development-proposed
Fixes #1299, fixes #1475
2018-03-28 12:50:28 +01:00
Jaeden Amero 8645e90825 Merge remote-tracking branch 'upstream-restricted/pr/363' into development-proposed 2018-03-28 11:54:28 +01:00
Jethro Beekman 6c563fa7cd Add tests for "return plaintext data faster on unpadded decryption" 2018-03-27 19:25:35 -07:00
Andres Amaya Garcia 576d474704 Fix test dependencies of pkcs5 pbs2 on asn1 parse 2018-03-27 20:53:56 +01:00
Andres Amaya Garcia 79db933fb6 Fix shared library lookup on Mac OS X when running tests 2018-03-27 19:58:08 +01:00
Andres Amaya Garcia 420f0ccdfd Make DLEXT var configurable in programs and tests makefiles 2018-03-27 19:17:21 +01:00
Hanno Becker 98a678674b Adapt changes to all.sh to work with --keep-going mode 2018-03-27 17:10:09 +01:00
Hanno Becker 783cb06e05 Remove duplicate test in all.sh 2018-03-27 16:49:04 +01:00
Deomid Ryabkov de420a47b6 Fix some test deps
* Cert revocation tests require `MBEDTLS_HAVE_TIME_DATE`.
 * Verison features tests require... well, `MBEDTLS_VERSION_FEATURES`, actually.

Fixes https://github.com/ARMmbed/mbedtls/issues/1475
2018-03-27 14:39:26 +01:00
Gilles Peskine 1cfa2d0e19 Add missing dependencies in test_suite_x509parse
Found by depends-hashes.pl and depends-pkgalgs.pl.
2018-03-23 02:16:43 +01:00
Gilles Peskine 396fac1fe0 all.sh --keep-going: properly handle multiple-builds scripts
In keep-going mode, if a multiple-builds script fails, record its
status and keep going.
2018-03-23 02:16:43 +01:00
Gilles Peskine 15ad579895 Merge tag 'mbedtls-2.8.0' into iotssl-1381-x509-verify-refactor-restricted
Conflict resolution:

* ChangeLog
* tests/data_files/Makefile: concurrent additions, order irrelevant
* tests/data_files/test-ca.opensslconf: concurrent additions, order irrelevant
* tests/scripts/all.sh: one comment change conflicted with a code
  addition. In addition some of the additions in the
  iotssl-1381-x509-verify-refactor-restricted branch need support for
  keep-going mode, this will be added in a subsequent commit.
2018-03-23 02:16:22 +01:00
Jethro Beekman d2df936e67 Fix parsing of PKCS#8 encoded Elliptic Curve keys.
The relevant ASN.1 definitions for a PKCS#8 encoded Elliptic Curve key are:

PrivateKeyInfo ::= SEQUENCE {
  version                   Version,
  privateKeyAlgorithm       PrivateKeyAlgorithmIdentifier,
  privateKey                PrivateKey,
  attributes           [0]  IMPLICIT Attributes OPTIONAL
}

AlgorithmIdentifier  ::=  SEQUENCE  {
  algorithm   OBJECT IDENTIFIER,
  parameters  ANY DEFINED BY algorithm OPTIONAL
}

ECParameters ::= CHOICE {
  namedCurve         OBJECT IDENTIFIER
  -- implicitCurve   NULL
  -- specifiedCurve  SpecifiedECDomain
}

ECPrivateKey ::= SEQUENCE {
  version        INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
  privateKey     OCTET STRING,
  parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
  publicKey  [1] BIT STRING OPTIONAL
}

Because of the two optional fields, there are 4 possible variants that need to
be parsed: no optional fields, only parameters, only public key, and both
optional fields. Previously mbedTLS was unable to parse keys with "only
parameters". Also, only "only public key" was tested. There was a test for "no
optional fields", but it was labelled incorrectly as SEC.1 and not run because
of a great renaming mixup.
2018-03-22 18:01:18 -07:00
Gilles Peskine 0114ffc76b all.sh: Verify out-of-tree testing with CMake
Run a test case in ssl-opt.sh to validate that testing works in an
out-of-tree CMake build.
2018-03-21 12:29:20 +01:00
Gilles Peskine a71d64c74f all.sh: fix cleanup happening during an out-of-tree build 2018-03-21 12:29:15 +01:00
Gilles Peskine 31b07e2833 all.sh: be more conservative when cleaning up CMake artefacts
Only delete things that we expect to find, to avoid deleting other
things that people might have lying around in their build tree.
Explicitly skip .git to avoid e.g. accidentally matching a branch
name.
2018-03-21 12:29:08 +01:00
Gilles Peskine 8405257035 Support out-of-tree testing with CMake
Create extra symbolic links with CMake so that SSL testing (ssl-opt.sh
and compat.sh) works in out-of-tree builds.
2018-03-21 12:28:59 +01:00
Gilles Peskine 38d8165865 all.sh: add opposites to all boolean options
All options can now be overridden by a subsequent option, e.g.
"all.sh --foo --no-foo" is equivalent to "all.sh --no-foo". This
allows making wrapper scripts with default options and occasionally
overriding those options when running the wrapper script.
2018-03-21 08:40:26 +01:00
Gilles Peskine 8a244c90a8 all.sh: option parsing: reduce vertical spread
Only whitespace changes.
2018-03-21 08:39:32 +01:00
Gilles Peskine 262329603d all.sh: with --no-armcc, don't call armcc from output_env.sh
When not running armcc, don't try to invoke armcc at all, not even to
report its version.
2018-03-21 08:35:07 +01:00
Jaeden Amero 8be0e6db41 Update version to 2.8.0 2018-03-16 16:25:12 +00:00
Hanno Becker adfa64f0c4 Abort idle-loop in ssl_server2 if sockets gets invalid
Previously, the idling loop in ssl_server2 didn't check whether
the underlying call to mbedtls_net_poll signalled that the socket
became invalid. This had the consequence that during idling, the
server couldn't be terminated through a SIGTERM, as the corresponding
handler would only close the sockets and expect the remainder of
the program to shutdown gracefully as a consequence of this.
This was subsequently attempted to be fixed through a change
in ssl-opt.sh by terminating the server through a KILL signal,
which however lead to other problems when the latter was run
under valgrind.

This commit changes the idling loop in ssl_server2 and ssl_client2
to obey the return code of mbedtls_net_poll and gracefully shutdown
if an error occurs, e.g. because the socket was closed.

As a consequence, the server termination via a KILL signal in
ssl-opt.sh is no longer necessary, with the previous `kill; wait`
pattern being sufficient. The commit reverts the corresponding
change.
2018-03-15 11:43:41 +00:00
Hanno Becker 8d83218b70 Increase UDP record packing time in ssl-opt.sh
The UDP tests involving the merging of multiple records into single
datagrams accumulate records for 10ms, which can be less than the
total flight preparation time if e.g. the tests are being run with
valgrind.

This commit increases the packing time for the relevant tests
from 10ms to 50ms.
2018-03-15 10:14:19 +00:00
Hanno Becker 7b6582b631 Kill server and proxy via SIGQUIT in ssl-opt.sh
SIGKILL interferes with memory checking in valgrind.
2018-03-15 09:37:27 +00:00
Jaeden Amero 79a5e72719 Merge remote-tracking branch 'upstream-restricted/pr/463' into development-restricted-proposed 2018-03-15 08:25:05 +00:00
Jaeden Amero 24b2d6fb6d Merge remote-tracking branch 'upstream-restricted/pr/459' into development-restricted-proposed 2018-03-15 08:24:44 +00:00
Manuel Pégourié-Gonnard 47a98d4e2c fixup previous commit: add forgotten file 2018-03-14 14:08:57 +01:00
Manuel Pégourié-Gonnard a63305d134 x509: CRL: add tests for non-critical extension
The 'critical' boolean can be set to false in two ways:
- by leaving it implicit (test data generated by openssl)
- by explicitly setting it to false (generated by hand)
2018-03-14 12:44:54 +01:00
Manuel Pégourié-Gonnard 0bdb050b2d x509: CRL: add tests for malformed extensions
This covers all lines added in the previous commit. Coverage was tested using:

    make CFLAGS='--coverage -g3 -O0'
    (cd tests && ./test_suite_x509parse)
    make lcov
    firefox Coverage/index.html # then visual check

Test data was generated by taking a copy of tests/data_files/crl-idp.pem,
encoding it as hex, and then manually changing the values of some bytes to
achieve the desired errors, using https://lapo.it/asn1js/ for help in locating
the desired bytes.
2018-03-14 12:00:55 +01:00
Manuel Pégourié-Gonnard fd3e4fbae7 x509: CRL: reject unsupported critical extensions 2018-03-14 09:15:02 +01:00
Gilles Peskine 5f1932817c Merge remote-tracking branch 'upstream-restricted/pr/398' into development-restricted-proposed 2018-03-13 17:18:06 +01:00
Gilles Peskine 553a06f08a Merge remote-tracking branch 'upstream-restricted/pr/351' into development-restricted-proposed
Move the added ChangeLog entry to the bottom so that the list remains
in merge order.
2018-03-13 17:15:34 +01:00
Manuel Pégourié-Gonnard 1ba8a3fc55 Yet another dependency issue (PKCS1_V15)
Found by running:

CC=clang cmake -D CMAKE_BUILD_TYPE="Check"
tests/scripts/depend-pkalgs.pl

(Also tested with same command but CC=gcc)

Another PR will address improving all.sh and/or the depend-xxx.pl scripts
themselves to catch this kind of thing.
2018-03-13 13:42:38 +01:00
Hanno Becker bc6c110139 Add test to ssl-opt.sh demonstrating the need for ssl_check_pending 2018-03-13 11:48:32 +00:00
Hanno Becker 6a33f59f76 Add tests for event-driven I/O in DTLS to ssl-opt.sh 2018-03-13 11:48:29 +00:00
Gilles Peskine a31d8206b1 Merge remote-tracking branch 'upstream-public/pr/778' into development-proposed 2018-03-12 23:45:08 +01:00
Manuel Pégourié-Gonnard 88a8dcb38e Fix remaining issues found by depend-hashes 2018-03-12 15:49:35 +01:00
Manuel Pégourié-Gonnard 147b28ec3f Fix remaining issues found by depend-pkalgs 2018-03-12 15:26:59 +01:00
Gilles Peskine 469b882947 Merge branch 'pr_1407' into development-proposed 2018-03-11 00:45:10 +01:00
Gilles Peskine 754768262b Merge remote-tracking branch 'upstream-public/pr/1249' into development-proposed 2018-03-11 00:45:10 +01:00
Hanno Becker 6f486a6fb5 Fix merge error 2018-03-08 13:31:44 +00:00
Sanne Wouda 22797fcc57 Remove redundant dependency 2018-03-06 23:35:14 +01:00
Sanne Wouda bb50113123 Rename test and update dependencies 2018-03-06 23:35:14 +01:00
Sanne Wouda 90da97d587 Add test case found through fuzzing to pkparse test suite 2018-03-06 23:31:12 +01:00
Hanno Becker a3389ebb09 Merge branch 'development-restricted' into iotssl-1306-rsa-is-vulnerable-to-bellcore-glitch-attack 2018-03-06 11:55:21 +00:00
Manuel Pégourié-Gonnard ce5673cbe6 Add reference to github issue in compat.sh 2018-03-06 09:54:10 +01:00
Manuel Pégourié-Gonnard 05e464dff7 Merge branch 'development' into iotssl-1381-x509-verify-refactor-restricted
* development: (557 commits)
  Add attribution for #1351 report
  Adapt version_features.c
  Note incompatibility of truncated HMAC extension in ChangeLog
  Add LinkLibraryDependencies to VS2010 app template
  Add ChangeLog entry for PR #1382
  MD: Make deprecated functions not inline
  Add ChangeLog entry for PR #1384
  Have Visual Studio handle linking to mbedTLS.lib internally
  Mention in ChangeLog that this fixes #1351
  Add issue number to ChangeLog
  Note in the changelog that this fixes an interoperability issue.
  Style fix in ChangeLog
  Add ChangeLog entries for PR #1168 and #1362
  Add ChangeLog entry for PR #1165
  ctr_drbg: Typo fix in the file description comment.
  dhm: Fix typo in RFC 5114 constants
  tests_suite_pkparse: new PKCS8-v2 keys with PRF != SHA1
  data_files/pkcs8-v2: add keys generated with PRF != SHA1
  tests/pkcs5/pbkdf2_hmac: extend array to accommodate longer results
  tests/pkcs5/pbkdf2_hmac: add unit tests for additional SHA algorithms
  ...
2018-03-05 11:55:38 +01:00
Gilles Peskine b4ef45b4f5 all.sh: build with -O -Werror in the full config
Build with MBEDTLS_DEPRECATED_REMOVED and MBEDTLS_DEPRECATED_WARNING
separately.

Do these builds with `-O -Werror -Wall -Wextra` to catch a maximum of
issues while we're at it. Do one with gcc and one with clang for
variety. This caught an uninitialized variable warning in cmac.c that
builds without -O didn't catch.
2018-03-01 22:23:50 +01:00
Manuel Pégourié-Gonnard 977dc36b14 aria test suite: uniformize line wrapping 2018-03-01 13:51:52 +01:00
Manuel Pégourié-Gonnard 8abc349881 aria: rationalize buffer sizes in test functions 2018-03-01 11:28:51 +01:00
Manuel Pégourié-Gonnard d82d79154c aria: fix more whitespace 2018-03-01 11:28:38 +01:00
itayzafrir 693a1d9ca7 Test suite test_suite_pk test pk_rsa_overflow passes valid parameters for hash and sig.
Test suite test_suite_pk test pk_rsa_overflow passes valid parameters for hash and sig.
2018-02-28 15:59:40 +02:00
Manuel Pégourié-Gonnard 4231e7f46f Fix some whitespace and other style issues
In addition to whitespace:
- wrapped a few long lines
- added parenthesis to return statements
2018-02-28 11:34:01 +01:00
Manuel Pégourié-Gonnard 2268b967cb aria: disable by default in config.h 2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard 442f03b9e1 cmake: keep test list in alphabetic order 2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard 6b3689237d Add compat.sh ARIA run to all.sh
Warning: needs OpenSSL >= 1.1.1-pre1 installed and environment variable
OPENSSL_NEXT pointing to it.
2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard bba64067bf compat.sh: add remaining ARIA suites 2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard 7299dfd86b compat.sh: add ARIA interop tests with OpenSSL
Disabled by default, needs OpenSSL >= 1.1.1 - tested locally with 1.1.1-pre1

Local version of OpenSSL was compiled with:

    ./config --prefix=$HOME/usr/openssl-1.1.1-pre1 -Wl,--enable-new-dtags,-rpath,'$(LIBRPATH)'
    make
    make install

With OpenSSL 1.1.1-pre1, two ciphersuites were incorrectly skipped,
but this has since been fixed in OpenSSL master, see:
https://github.com/openssl/openssl/issues/5406
2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard a0e47088d8 compat.sh: add self-interop tests for ARIA suites 2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard 392c2d2524 compat.sh: run 1.2-only tests with DTLS too 2018-02-27 12:39:12 +01:00
Markku-Juhani O. Saarinen 8df81e029f Test suite for ARIA 2018-02-27 12:39:12 +01:00
Gilles Peskine b7f6086ba3 Merge branch 'prr_424' into development-proposed 2018-02-22 16:15:01 +01:00
Gilles Peskine 0afe624fff all.sh: add test with MBEDTLS_DEPRECATED_REMOVED 2018-02-21 19:28:12 +01:00
Gilles Peskine d76d8bc9a5 Merge branch 'pr_1352' into development-proposed 2018-02-20 16:42:08 +01:00
Gilles Peskine e6844ccf2b Merge branch 'pr_1135' into development-proposed 2018-02-14 17:20:42 +01:00
Gilles Peskine 42a97ac693 Merge branch 'pr_1219' into development-proposed 2018-02-14 16:17:21 +01:00
Gilles Peskine df29868bb6 Merge branch 'pr_1280' into development-proposed
Conflict: configs/config-picocoin.h was both edited and removed.
Resolution: removed, since this is the whole point of PR #1280 and the
changes in development are no longer relevant.
2018-02-14 15:49:54 +01:00
Gilles Peskine 1e3fd69777 Merge remote-tracking branch 'upstream-public/pr/1333' into development-proposed 2018-02-14 15:12:49 +01:00
Antonio Quartulli 8d7d1ea9f6
tests_suite_pkparse: new PKCS8-v2 keys with PRF != SHA1
Extend the pkparse test suite with the newly created keys
encrypted using PKCS#8 with PKCS#5 v2.0 with PRF being
SHA224, 256, 384 and 512.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-02-08 17:18:20 +08:00
Antonio Quartulli f476b9d98c
data_files/pkcs8-v2: add keys generated with PRF != SHA1
We now have support for the entire SHA family to be used as
PRF in PKCS#5 v2.0, therefore we need to add new keys to test
these new functionalities.

This patch adds the new keys in `tests/data_files` and
commands to generate them in `tests/data_files/Makefile`.

Note that the pkcs8 command in OpenSSL 1.0 called with
the -v2 argument generates keys using PKCS#5 v2.0 with SHA1
as PRF by default.

(This behaviour has changed in OpenSSL 1.1, where the exact same
command instead uses PKCS#5 v2.0 with SHA256)

The new keys are generated by specifying different PRFs with
-v2prf.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-02-08 17:18:19 +08:00
Antonio Quartulli bfa440e9fb
tests/pkcs5/pbkdf2_hmac: extend array to accommodate longer results
Some unit tests for pbkdf2_hmac() have results longer than
99bytes when represented in hexadecimal form.

For this reason extend the result array to accommodate
longer strings.

At the same time make memset() parametric to avoid
bugs in the future.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-02-08 17:18:19 +08:00
Antonio Quartulli e87e885756
tests/pkcs5/pbkdf2_hmac: add unit tests for additional SHA algorithms
Test vectors for SHA224,256,384 and 512 have been
generated using Python's hashlib module by the
following oneliner:

import binascii, hashlib
binascii.hexlify(hashlib.pbkdf2_hmac(ALGO, binascii.unhexlify('PASSWORD'), binascii.unhexlify('SALT'), ITER, KEYLEN)))

where ALGO was 'sha224', 'sha256', 'sha384' and 'sha512'
respectively.

Values for PASSWORD, SALT, ITER and KEYLEN were copied from the
existent test vectors for SHA1.

For SHA256 we also have two test vectors coming from RFC7914 Sec 11.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-02-08 17:18:19 +08:00
Antonio Quartulli 12ccef2761
pkcs5v2: add support for additional hmacSHA algorithms
Currently only SHA1 is supported as PRF algorithm for PBKDF2
(PKCS#5 v2.0).
This means that keys encrypted and authenticated using
another algorithm of the SHA family cannot be decrypted.

This deficiency has become particularly incumbent now that
PKIs created with OpenSSL1.1 are encrypting keys using
hmacSHA256 by default (OpenSSL1.0 used PKCS#5 v1.0 by default
and even if v2 was forced, it would still use hmacSHA1).

Enable support for all the digest algorithms of the SHA
family for PKCS#5 v2.0.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-02-08 17:18:15 +08:00
Ron Eldor 9566ff7913 Fix minor issues raised in PR review
1. Style issues fixes - remove redundant spacing.
2. Remove depency of `MBEDTLS_RSA_C` in `pk_parse_public_keyfile_rsa()`
tests, as the function itself is dependent on it.
2018-02-07 18:59:41 +02:00
Ron Eldor c15399843e Add some tests for different available profiles
Add tests for suite b profile and for the next profile
2018-02-06 18:47:17 +02:00
Jaeden Amero 3b438d33c1 Update version to 2.7.0 2018-02-02 18:09:45 +00:00
Gilles Peskine 14c3c0610e Test with 32-bit and 64-bit bignum limbs on all architectures
Build with MBEDTLS_HAVE_INT32 and MBEDTLS_HAVE_INT64 on all
architectures, not just x86_64. These two modes should work on all
platforms (except embedded environments where 64-bit division is not
available).

Also run the unit tests.

Correct the description: this is not "N-bit compilation", but "N-bit
bignum limbs".
2018-01-29 21:31:16 +01:00
Gilles Peskine 48e689e6be Remove duplicate build run
Don't compile twice with MBEDTLS_HAVE_INT64.

But do test with MBEDTLS_HAVE_INT32.
2018-01-29 21:31:16 +01:00
Andres Amaya Garcia 6ff067d73d Add missing stdint.h header to test_suite_pk.func 2018-01-29 20:51:55 +01:00
Andres Amaya Garcia f4fbdda602 Add test command for 64-bit ILP32 in all.sh 2018-01-29 20:51:55 +01:00
Andres Amaya Garcia 7ea67274f7 Fix test_suite_pk.function to work on 64-bit ILP32
This change fixes a problem in the tests pk_rsa_alt() and
pk_rsa_overflow() from test_suite_pk.function that would cause a
segmentation fault. The problem is that these tests are only designed
to run in computers where the SIZE_MAX > UINT_MAX.
2018-01-29 20:47:18 +01:00
Jaeden Amero ade51aff1a Merge branch 'development' into development-restricted 2018-01-29 12:49:05 +00:00
Jaeden Amero b2534a10b7 Merge remote-tracking branch 'upstream-public/pr/1286' into development 2018-01-29 12:48:54 +00:00
Jaeden Amero 784de59ccd Merge remote-tracking branch 'upstream-restricted/pr/410' into development-restricted
- Resolve ChangeLog conflicts
- Update Doxygen warning block in dhm.h to render correctly
- Prefix the exported identifier deprecated_constant_t with mbedtls_
2018-01-26 18:43:04 +00:00
Jaeden Amero 1ef93558f2 Merge branch 'development' into development-restricted 2018-01-26 15:12:37 +00:00
Jaeden Amero d33b857c74 Merge remote-tracking branch 'upstream-public/pr/985' into development 2018-01-26 15:12:34 +00:00
Jaeden Amero 66954e1c1f Merge branch 'development' into development-restricted 2018-01-25 17:28:31 +00:00
Jaeden Amero 005239e3ed Merge remote-tracking branch 'upstream-public/pr/1294' into development 2018-01-25 14:47:39 +00:00
Jaeden Amero 475325632e Merge branch 'development' into development-restricted 2018-01-24 20:09:36 +00:00
Reut Caspi e278b36461 Change mbedtls_entropy_func in tests to mbedtls_test_entropy_func
Change function in tests named mbedtls_entropy_func to
mbedtls_test_entropy_func to avoid getting error from the linker when
calling the mbedtls_entropy_func elsewhere.
2018-01-24 20:05:45 +00:00
Jaeden Amero 3c082ce293 Merge branch 'development' into development-restricted 2018-01-24 15:17:15 +00:00
Jaeden Amero fbeed6e2a5 Merge remote-tracking branch 'upstream-public/pr/1236' into development 2018-01-24 10:43:39 +00:00
Andres AG 8ec3bfe180 Test corner case uses of memory_buffer_alloc.c 2018-01-23 19:37:44 +00:00
Gilles Peskine 9e4f77c606 New MD API: rename functions from _ext to _ret
The _ext suffix suggests "new arguments", but the new functions have
the same arguments. Use _ret instead, to convey that the difference is
that the new functions return a value.
2018-01-22 11:54:42 +01:00
Gilles Peskine 3c9e2b5004 wait_server_start: warn if lsof is not available
If lsof is not available, wait_server_start uses a fixed timeout,
which can trigger a race condition if the timeout turns out to be too
short. Emit a warning so that we know this is going on from the test
logs.
2018-01-22 10:29:24 +01:00
Manuel Pégourié-Gonnard 0d225daf7d Increase waiting times compat.sh and ssl-opt.sh
- Some of the CI machines don't have lsof installed yet, so rely on an sleeping
an arbitrary number of seconds while the server starts. We're seeing
occasional failures with the current delay because the CI machines are highly
loaded, which seems to indicate the current delay is not quite enough, but
hopefully not to far either, so double it.

- While at it, also double the watchdog delay: while I don't remember seeing
  much failures due to client timeout, this change doesn't impact normal
running time of the script, so better err on the safe side.

These changes don't affect the test and should only affect the false positive
rate coming from the test framework in those scripts.
2018-01-22 10:22:09 +01:00
Gilles Peskine d91f2a26cb Merge branch 'development' into iotssl-1251-2.7
Conflict resolution:

* ChangeLog: put the new entries in their rightful place.
* library/x509write_crt.c: the change in development was whitespace
  only, so use the one from the iotssl-1251 feature branch.
2018-01-19 11:25:10 +01:00
Simon Butcher 952240985a Remove picocoin reference configuration
Picocoin is no longer actively supported by the library, so the reference
configuration used in testing has been removed.
2018-01-17 23:24:43 +00:00
Gilles Peskine d40c22ba20 Merge branch 'development' into development-restricted 2018-01-17 08:03:33 +01:00
Hanno Becker 71b0060af7 Merge branch 'development' into iotssl-247 2018-01-15 11:31:34 +00:00
Jaeden Amero 31f3f0b87b Merge branch 'development' into development-restricted 2018-01-10 13:17:02 +00:00
Hanno Becker d4d60579e4 Address issues found by coverity
1) `mbedtls_rsa_import_raw` used an uninitialized return
   value when it was called without any input parameters.
   While not sensible, this is allowed and should be a
   succeeding no-op.

2) The MPI test for prime generation missed a return value
   check for a call to `mbedtls_mpi_shift_r`. This is neither
   critical nor new but should be fixed.

3) Both the RSA keygeneration example program and the
   RSA test suites contained code initializing an RSA context
   after a potentially failing call to CTR DRBG initialization,
   leaving the corresponding RSA context free call in the
   cleanup section of the respective function orphaned.
   While this defect existed before, Coverity picked up on
   it again because of newly introduced MPI's that were
   also wrongly initialized only after the call to CTR DRBG
   init. The commit fixes both the old and the new issue
   by moving the initializtion of both the RSA context and
   all MPI's prior to the first potentially failing call.
2018-01-10 07:30:47 +00:00
Jaeden Amero f342cb791b Merge branch 'development' into development-restricted 2018-01-09 13:16:37 +00:00
Hanno Becker d485c319a5 Make small corrections to all.sh
Correct gcc flags in !MBEDTLS_SSL_CLI_C test (preexisting) and build and test
for RSA_NO_CRT in ASan mode.
2018-01-05 13:03:53 +00:00
Hanno Becker 88683b2c6d Correct all.sh and config.h after merge commit
- Adapt the change in all.sh to the new keep-going mode
- Restore alphabetical order of configuration flags for
  alternative implementations in config.h and rebuild
  library/version_features.c
2018-01-04 18:48:32 +00:00
Hanno Becker 8bc74d6f2f Merge branch 'development' into iotssl-1619 2018-01-03 10:24:02 +00:00
Hanno Becker e963efa110 Don't limit RSA_NO_CRT test in all.sh to 64-bit systems
Compilation and test for the `MBEDTLS_RSA_NO_CRT` option were
previously guarded by a check for 64-bit systems, for which there
is no reason. This commit moves both outside of the guard.
2018-01-03 10:03:43 +00:00
Gilles Peskine 9736b9d59a all.sh --keep-going: work if TERM is unset 2018-01-02 21:54:17 +01:00
Manuel Pégourié-Gonnard 3366d373f8 Merge branch 'development' into development-restricted
* development:
  all.sh: add some documentation
  all.sh: new option --no-armcc
  all.sh: add --yotta to go with --no-yotta
  all.sh: --keep-going mode
  all.sh: cleaned up usage output
  all.sh: indent
2017-12-26 10:58:20 +01:00
Manuel Pégourié-Gonnard 4b660eca1e Merge remote-tracking branch 'public/pr/1207' into development
* public/pr/1207:
  all.sh: add some documentation
  all.sh: new option --no-armcc
  all.sh: add --yotta to go with --no-yotta
  all.sh: --keep-going mode
  all.sh: cleaned up usage output
  all.sh: indent
2017-12-26 10:58:02 +01:00
Manuel Pégourié-Gonnard eb2a6ab518 Merge branch 'development' into development-restricted
* development:
  Timing self test: shorten redundant tests
  Timing self test: increased duration
  Timing self test: increased tolerance
  Timing unit tests: more protection against infinite loops
  Unit test for mbedtls_timing_hardclock
  New timing unit tests
  selftest: allow excluding a subset of the tests
  selftest: allow running a subset of the tests
  selftest: refactor to separate the list of tests from the logic
  Timing self test: print some diagnosis information
  mbedtls_timing_get_timer: don't use uninitialized memory
  timing interface documentation: minor clarifications
  Timing: fix mbedtls_set_alarm(0) on Unix/POSIX
2017-12-26 10:42:50 +01:00
Manuel Pégourié-Gonnard ae3925c774 Merge remote-tracking branch 'public/pr/1136' into development
* public/pr/1136:
  Timing self test: shorten redundant tests
  Timing self test: increased duration
  Timing self test: increased tolerance
  Timing unit tests: more protection against infinite loops
  Unit test for mbedtls_timing_hardclock
  New timing unit tests
  selftest: allow excluding a subset of the tests
  selftest: allow running a subset of the tests
  selftest: refactor to separate the list of tests from the logic
  Timing self test: print some diagnosis information
  mbedtls_timing_get_timer: don't use uninitialized memory
  timing interface documentation: minor clarifications
  Timing: fix mbedtls_set_alarm(0) on Unix/POSIX
2017-12-26 10:42:20 +01:00
Micha Kraus ba8316f790 fix bug in get_one_and_zeros_padding()
add test case (“0000000082”) which fails with the old implementation.
2017-12-23 23:40:08 +01:00
Hanno Becker a47023e4d5 Incorporate comments on merge commit
* Correct order of sections in ChangeLog
* Restore unintentionally removed whitespace and
  formatting improvements.
* Consistently rename MBEDTLS_ERR_RSA_EXPORT_UNSUPPORTED
  to MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION in rsa.h
  documentation.
2017-12-22 17:08:40 +00:00
Hanno Becker f40cdf9971 Add dependency of new RSA tests on presence of strong entropy source
During the work on the RSA change the issue was brought up,
and a fix was provided on development, that some RSA tests
use CTR DRBG and depend on the presence of a strong entropy
source to succeed. The RSA work introduced more tests using
CTR DRBG, and the dependency needs to be added for them, too.
2017-12-22 11:10:21 +00:00
Hanno Becker 32297e8314 Merge branch 'development' into iotssl-1619 2017-12-22 10:24:32 +00:00
Gilles Peskine 192c72f7a1 all.sh: add some documentation 2017-12-21 16:54:14 +01:00
Gilles Peskine bca6ab9d38 all.sh: new option --no-armcc
With this option, don't run anything that requires armcc or yotta, so
the script can run offline.
2017-12-21 15:21:31 +01:00
Gilles Peskine 2a22a8041c all.sh: add --yotta to go with --no-yotta
Add --yotta which is currently a no-op but may not remain so if we
decide to make no-yotta the default in the future.
2017-12-21 15:19:00 +01:00
Gilles Peskine 7c6521688a all.sh: --keep-going mode
Add --keep-going mode to all.sh. In this mode, if a test fails, keep
running the subsequent tests. If a build fails, skip any tests of this
build and move on to the next tests. Errors in infrastructure, such as
git or cmake runs, remain fatal. Print an error summary at the end of
the run, and return a nonzero code if there was any failure.

In known terminal types, use color to highlight errors.

On a fatal signal, interrupt the run and report the errors so far.
2017-12-21 15:17:21 +01:00
Gilles Peskine 709346aed8 all.sh: cleaned up usage output 2017-12-21 15:16:11 +01:00
Gilles Peskine 7ad603e662 all.sh: indent 2017-12-21 15:13:27 +01:00
Manuel Pégourié-Gonnard d08d958813 Merge branch 'development' into development-restricted
* development:
  compat.sh: use wait_server_start
  wait_server_start: minor efficiency improvement
2017-12-21 11:12:36 +01:00
Manuel Pégourié-Gonnard 7000e574b6 Merge remote-tracking branch 'public/pr/1210' into development
* public/pr/1210:
  compat.sh: use wait_server_start
  wait_server_start: minor efficiency improvement
2017-12-21 11:11:02 +01:00
Gilles Peskine 2a26d620fb Timing unit tests: more protection against infinite loops
If timing_timer_simple fails because it detects that timers are likely
to never expire (e.g. going backward or not incrementing), skip all
tests that rely on timers.
2017-12-20 21:57:48 +01:00
Gilles Peskine 078f1a1512 Unit test for mbedtls_timing_hardclock
Do test mbedtls_timing_hardclock. We can't reliably test much about
it, but at least test that it doesn't crash, isn't constant, and
doesn't look completely random.
2017-12-20 21:57:48 +01:00
Gilles Peskine 8064bf3adf New timing unit tests
New set of unit tests for the timing module, instead of just running
the selftest function.

The selftest function sometimes fails on a heavily loaded
machine (such as a typical continuous integration system). Because of
the all-in-one nature of the test and because the exact load pattern
can be hard to reproduce, it is difficult to diagnose failures of CI
runs with selftest. The new tests are more separated and I strove to
point out potential failure modes in comments.

* mbedtls_timing_hardclock: not tested. This function gives so few
  guarantees that there isn't much to test, and it is hard to test
  reliably because clock cycles don't easily relate to time in any
  remotely portable way. This function isn't used in the library
  anyway, it's only there for benchmark programs.
* mbedtls_timing_get_timer: tested by setting a timer and verifying
  that it reaches its target, and by verifying that a timer started
  later than another always has a smaller elapsed time.
* mbedtls_set_alarm: tested by setting an alarm, busy-waiting for it
  and measuring the elapsed time with a timer.
* mbedtls_timing_set_delay, mbedtls_timing_get_delay: tested by
  setting a delay object and watching it go through its two delay
  values, using a timer to check that the delays are passed at the
  expected time.

The tests pass under light to moderate load, but some of them can be
defeated with sufficiently heavy load. This is unavoidable since the
test process to be effectively suspended for any length of time,
making us think that a timer has gone on for too long.
2017-12-20 21:57:48 +01:00
Manuel Pégourié-Gonnard 1827368b01 Merge branch 'development' into development-restricted
* development:
  Don't split error code description across multiple lines
  Register new error code in error.h
  Move deprecation to separate section in ChangeLog
  Extend scope of ERR_RSA_UNSUPPORTED_OPERATION error code
  Adapt RSA test suite
  Adapt ChangeLog
  Deprecate usage of RSA primitives with wrong key type
2017-12-19 11:28:36 +01:00
Manuel Pégourié-Gonnard 4712119687 Merge remote-tracking branch 'restricted/pr/397' into development
* restricted/pr/397:
  Don't split error code description across multiple lines
  Register new error code in error.h
  Move deprecation to separate section in ChangeLog
  Extend scope of ERR_RSA_UNSUPPORTED_OPERATION error code
  Adapt RSA test suite
  Adapt ChangeLog
  Deprecate usage of RSA primitives with wrong key type
2017-12-19 11:27:22 +01:00
Manuel Pégourié-Gonnard 6774fa6e87 Merge branch 'development' into development-restricted
* development:
  Add --no-yotta option to all.sh
  Fix build without MBEDTLS_FS_IO
2017-12-18 11:43:35 +01:00
Manuel Pégourié-Gonnard 535553e7d8 Merge remote-tracking branch 'public/pr/1184' into development
* public/pr/1184:
  Add --no-yotta option to all.sh
  Fix build without MBEDTLS_FS_IO
2017-12-18 11:42:30 +01:00
Gilles Peskine 12c49c7f7c compat.sh: use wait_server_start
Port wait_server_start from ssl-opt.sh to compat.sh, instead of just
using "sleep 1". This solves the problem that on a heavily loaded
machine, sleep 1 is sometimes not enough (we had CI failures because
of this). This is also faster on a lightly-loaded machine (execution
time reduced from ~8min to ~6min on my machine).
2017-12-14 19:02:00 +01:00
Gilles Peskine 418b536028 wait_server_start: minor efficiency improvement
In wait_server_start, fork less. When lsof is present, call it on the
expected process. This saves a few percent of execution time on a
lightly loaded machine. Also, sleep for a short duration rather than
using a tight loop.
2017-12-14 18:58:42 +01:00
Gilles Peskine 880c6e74a1 Merge branch 'development' into development-restricted 2017-12-04 18:00:26 +00:00
Gilles Peskine e3783da0b2 Merge remote-tracking branch 'upstream-public/pr/1172' into development 2017-12-01 22:36:21 +01:00
Gilles Peskine 02e28fe0fd Merge remote-tracking branch 'upstream-restricted/pr/425' into development-restricted 2017-12-01 17:58:12 +01:00
Gilles Peskine da519251d4 Add --no-yotta option to all.sh
The Yotta tools break in some environments and it's useful to be able
to run the rest of all.sh nonetheless.
2017-11-30 14:24:33 +01:00
Gilles Peskine 0960f0663e Merge branch 'development' into development-restricted 2017-11-29 21:07:55 +01:00
Gilles Peskine 0884f4811b Merge remote-tracking branch 'upstream-public/pr/1141' into development 2017-11-29 20:50:59 +01:00
Gilles Peskine 7fb29b17c7 Merge branch 'development' into development-restricted 2017-11-28 18:46:09 +01:00
Gilles Peskine 4daffe236a Merge branch 'pr_1025' into development
Merge PR #1025 + ChangeLog entry
2017-11-28 18:23:53 +01:00
Gilles Peskine ea8d697fa2 Merge remote-tracking branch 'upstream-public/pr/1089' into development
Resolve trivial conflict due to additions in the same place in
tests/data_files/Makefile; minor comment/whitespace presentation
improvements.
2017-11-28 17:32:32 +01:00
Gilles Peskine f2421210a5 Merge remote-tracking branch 'upstream-public/pr/828' into development 2017-11-28 17:22:37 +01:00
Gilles Peskine 9c8ac0ce2c Merge remote-tracking branch 'upstream-restricted/pr/404' into development-restricted 2017-11-28 15:50:02 +01:00
Gilles Peskine 2507267cd4 Merge branch 'development' into development-restricted 2017-11-24 16:05:49 +01:00
Gilles Peskine e7707228b4 Merge remote-tracking branch 'upstream-public/pr/1062' into development 2017-11-24 15:35:50 +01:00
Gilles Peskine 7635cde35c Merge branch 'development' into development-restricted 2017-11-23 20:06:04 +01:00
Gilles Peskine 68306ed31f Merge remote-tracking branch 'upstream-public/pr/1094' into development 2017-11-23 20:02:46 +01:00
Manuel Pégourié-Gonnard bfa8df4c7e Merge remote-tracking branch 'restricted/pr/416' into development-restricted
* restricted/pr/416:
  RSA PSS: remove redundant check; changelog
  RSA PSS: fix first byte check for keys of size 8N+1
  RSA PSS: fix minimum length check for keys of size 8N+1
  RSA: Fix another buffer overflow in PSS signature verification
  RSA: Fix buffer overflow in PSS signature verification
2017-11-23 12:10:01 +01:00
Hanno Becker 909f9a389a Improve style in tests/ssl-opt.sh
Try to avoid line breaks in server and client command line arguments to ease
reading of test cases.
2017-11-21 17:10:12 +00:00
Hanno Becker 45ee7877d0 Correct truncated HMAC tests in ssl-opt.sh
Many truncated HMAC tests were missing the `trunc_hmac=1` for the server
application, thereby not testing the extension.
2017-11-20 16:51:44 +00:00
Hanno Becker 4c4f41030c Add truncated HMAC extension tests for DTLS 2017-11-20 16:25:50 +00:00
Hanno Becker 34d0c3f02e Add missing truncated HMAC test for TLS
The case 'Client disabled, Server enabled' was missing.
2017-11-20 16:25:50 +00:00
Hanno Becker e214804625 Add small packet tests for DTLS
Add a DTLS small packet test for each of the following combinations:
- DTLS version: 1.0 or 1.2
- Encrypt then MAC extension enabled
- Truncated HMAC extension enabled

Large packets tests for DTLS are currently not possible due to parameter
constraints in ssl_server2.
2017-11-20 16:25:50 +00:00
Hanno Becker 278fc7aedd Extend large packet tests for TLS
Same as previous commit, but for large packet tests.
2017-11-20 16:25:50 +00:00
Hanno Becker 8501f98ec4 Extend small packet tests for TLS
This commit ensures that there is a small packet test for at least any
combination of
- SSL/TLS version: SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2
- Stream cipher (RC4) or Block cipher (AES)
- Usage of Encrypt then MAC extension [TLS only]
- Usage of truncated HMAC extension [TLS only]
2017-11-20 16:25:50 +00:00
Hanno Becker 32c550141f Add missing dependencies on trunc HMAC ext in ssl-opt.sh
Noticed that the test cases in ssl-opt.sh exercising the truncated HMAC
extension do not depend on MBEDTLS_SSL_TRUNCATED_HMAC being enabled in
config.h. This commit fixes this.
2017-11-20 16:25:50 +00:00
Hanno Becker 992b6872f3 Fix heap corruption in ssl_decrypt_buf
Previously, MAC validation for an incoming record proceeded as follows:

1) Make a copy of the MAC contained in the record;
2) Compute the expected MAC in place, overwriting the presented one;
3) Compare both.

This resulted in a record buffer overflow if truncated MAC was used, as in this
case the record buffer only reserved 10 bytes for the MAC, but the MAC
computation routine in 2) always wrote a full digest.

For specially crafted records, this could be used to perform a controlled write of
up to 6 bytes past the boundary of the heap buffer holding the record, thereby
corrupting the heap structures and potentially leading to a crash or remote code
execution.

This commit fixes this by making the following change:
1) Compute the expected MAC in a temporary buffer that has the size of the
   underlying message digest.
2) Compare to this to the MAC contained in the record, potentially
   restricting to the first 10 bytes if truncated HMAC is used.

A similar fix is applied to the encryption routine `ssl_encrypt_buf`.
2017-11-20 08:52:25 +00:00
Darryl Green f5bcbede92 Add tests for invalid private parameters in mbedtls_ecdsa_sign() 2017-11-17 17:09:31 +00:00
Hanno Becker 72a4f0338d Add tests for UDP proxy packing option 2017-11-15 16:39:20 +00:00
Hanno Becker 000767123f Add tests for event-driven I/O 2017-11-15 16:39:08 +00:00
Andres Amaya Garcia 72705c906c Add regression test for parsing subjectAltNames 2017-11-07 20:16:19 +00:00
Manuel Pégourié-Gonnard 254eec8bb4 Document choice of script exit code 2017-10-26 09:47:36 +02:00
Hanno Becker 4ac73e7804 Use shell string processing instead of sed in ssl-opt.sh 2017-10-23 15:27:37 +01:00
Gilles Peskine b00b0da452 RSA PSS: fix first byte check for keys of size 8N+1
For a key of size 8N+1, check that the first byte after applying the
public key operation is 0 (it could have been 1 instead). The code was
incorrectly doing a no-op check instead, which led to invalid
signatures being accepted. Not a security flaw, since you would need the
private key to craft such an invalid signature, but a bug nonetheless.
2017-10-19 15:23:49 +02:00
Gilles Peskine 139108af94 RSA PSS: fix minimum length check for keys of size 8N+1
The check introduced by the previous security fix was off by one. It
fixed the buffer overflow but was not compliant with the definition of
PSS which technically led to accepting some invalid signatures (but
not signatures made without the private key).
2017-10-18 19:03:42 +02:00
Hanno Becker 9cfabe3597 Use a conservative excess of the maximum fragment length in tests
This leads to graceful test failure instead of crash when run on the previous
code.
2017-10-18 14:42:01 +01:00
Gilles Peskine 6a54b0240d RSA: Fix another buffer overflow in PSS signature verification
Fix buffer overflow in RSA-PSS signature verification when the masking
operation results in an all-zero buffer. This could happen at any key size.
2017-10-17 19:12:36 +02:00
Gilles Peskine 28a0c72795 RSA: Fix buffer overflow in PSS signature verification
Fix buffer overflow in RSA-PSS signature verification when the hash is
too large for the key size. Found by Seth Terashima, Qualcomm.

Added a non-regression test and a positive test with the smallest
permitted key size for a SHA-512 hash.
2017-10-17 19:01:38 +02:00
Ron Eldor 3f2da84bca Resolve PR review comments
1) Fix style comments
2) Fix typo in Makefile
3) Remove the `MBEDTLS_MD5_C` dependency from test data file,
as the used keys are not encrypted
2017-10-17 15:53:32 +03:00
Hanno Becker 134c2ab891 Add build and ssl-opt.sh run for !SSL_RENEGOTIATION to all.sh 2017-10-17 11:03:50 +01:00
Hanno Becker 6a2436493f Add dependency on SSL_RENEGOTIATION to renego tests in ssl-opt.sh 2017-10-17 11:03:50 +01:00
Ron Eldor 5472d43ffb Fix issues when MBEDTLS_PEM_PARSE_C not defined
1) Fix compilatoin issues when `MBEDTLS_PEM_PARSE_C` not defined
2) remove dependency for `MBEDTLS_PEM_PARSE_C` in DER tests
2017-10-17 09:50:39 +03:00
Ron Eldor b006518289 Resolve PR review comments
1) use `pk_get_rsapubkey` instead of reimplementing the parsing
2) rename the key files, according to their type and key size
3) comment in the data_files/Makefile hoe the keys were generated
4) Fix issue of failure parsing pkcs#1 DER format parsing, missed in previous commit
2017-10-16 12:40:27 +03:00
Andres Amaya Garcia 60100d09ee Improve leap year test names in x509parse.data 2017-10-12 23:21:37 +01:00
Andres Amaya Garcia 735b37eeef Correctly handle leap year in x509_date_is_valid()
This patch ensures that invalid dates on leap years with 100 or 400
years intervals are handled correctly.
2017-10-12 23:21:37 +01:00
Janos Follath b0f148c0ab Renegotiation: Add tests for SigAlg ext parsing
This commit adds regression tests for the bug when we didn't parse the
Signature Algorithm extension when renegotiating. (By nature, this bug
affected only the server)

The tests check for the fallback hash (SHA1) in the server log to detect
that the Signature Algorithm extension hasn't been parsed at least in
one of the handshakes.

A more direct way of testing is not possible with the current test
framework, since the Signature Algorithm extension is parsed in the
first handshake and any corresponding debug message is present in the
logs.
2017-10-12 23:21:37 +01:00
Hanno Becker dfd15b3444 Add toy example triggering early abort in mbedtls_rsa_deduce_primes 2017-10-12 09:14:09 +01:00
Hanno Becker e167fe6a53 Correct pkparse test case to lead to failure for MBEDTLS_RSA_NO_CRT
The test case parses an RSA private key with N=P=Q=D=E=1 and expects a failure from the PK layer. With the weakened
semantics of `mbedtls_rsa_complete`, the latter won't throw an error on that key in case if MBEDTLS_RSA_NO_CRT is
set. This commit modifies the test case to use N=2 which is rejected by `mbedtls_rsa_complete` regardless of whether
MBEDTLS_RSA_NO_CRT is set or not.
2017-10-11 19:42:56 +01:00
Hanno Becker 7643d4e30c Fix number of loop iterations in mbedtls_deduce_primes
The number of loop iterations per candidate in `mbedtls_deduce_primes` was off
by one. This commit corrects this and removes a toy non-example from the RSA
test suite, as it seems difficult to have the function fail on small values of N
even if D,E are corrupted.
2017-10-11 16:32:49 +01:00
Janos Follath 88f5808c13 Renegotiation: Add tests for SigAlg ext parsing
This commit adds regression tests for the bug when we didn't parse the
Signature Algorithm extension when renegotiating. (By nature, this bug
affected only the server)

The tests check for the fallback hash (SHA1) in the server log to detect
that the Signature Algorithm extension hasn't been parsed at least in
one of the handshakes.

A more direct way of testing is not possible with the current test
framework, since the Signature Algorithm extension is parsed in the
first handshake and any corresponding debug message is present in the
logs.
2017-10-11 12:49:09 +01:00
Hanno Becker a565f54c4c Introduce new files rsa_internal.[ch] for RSA helper functions
This commit splits off the RSA helper functions into separate headers and
compilation units to have a clearer separation of the public RSA interface,
intended to be used by end-users, and the helper functions which are publicly
provided only for the benefit of designers of alternative RSA implementations.
2017-10-11 11:00:19 +01:00
Hanno Becker 04877a48d4 Adapt rsa_import tests to weakened semantics of rsa_complete
The tests now accept two result parameters, one for the expected result of the
completion call, and one for the expected result of the subsequent sanity
check.
2017-10-11 10:01:33 +01:00
Hanno Becker 7f25f850ac Adapt uses of mbedtls_rsa_complete to removed PRNG argument 2017-10-10 16:56:22 +01:00
Hanno Becker f9e184b9df Remove PRNG argument from mbedtls_rsa_complete 2017-10-10 16:55:41 +01:00
Hanno Becker 52c6dc64c6 Correct length check for DTLS records from old epochs.
DTLS records from previous epochs were incorrectly checked against the
current epoch transform's minimal content length, leading to the
rejection of entire datagrams. This commit fixed that and adapts two
test cases accordingly.

Internal reference: IOTSSL-1417
2017-10-10 16:04:32 +01:00
Hanno Becker d82d84664a ssl-opt.sh: Kill server via KILL signal if TERM doesn't succeed 2017-10-10 16:04:32 +01:00
Hanno Becker cadb5bbe3c Add slight delay before killing server in ssl-opt.sh for log output
It seems that tests from ssl-opt.sh are sometimes failing because
the server is killed before its output has been finalized. This commit
adds a small delay in ssl-opt.sh before killing the server to prevent
that.
2017-10-10 16:04:32 +01:00
Hanno Becker 17c0493ca8 Allow default arguments for client/server/proxy in ssl-opt.sh
ssl-opt.sh checks whether the client, server and proxy commands are
names of executable files, forbidding the use of default arguments by
by e.g. setting P_SRV="ssl_server2 debug_level=3". This commit relaxes
this check, only considering the part of the command string prior to
the first whitespace.
2017-10-10 16:00:48 +01:00
Ron Eldor d0c56de934 Add support for public keys encoded with PKCS#1
1) Add support for public keys encoded with PKCS#1
2) Add tests for PKCS#1 PEM and DER, and PKCS#8 DER
2017-10-10 17:12:07 +03:00
Andres Amaya Garcia 3f50f511de Ensure failed test_suite output is sent to stdout
The change modifies the template code in tests/suites/helpers.function
and tests/suites/main.function so that error messages are printed to
stdout instead of being discarded. This makes errors visible regardless
of the --verbose flag being passed or not to the test suite programs.
2017-10-07 18:15:28 +01:00
Andres Amaya Garcia def0339db2 Ensure failed test_suite output is sent to stdout
The change modifies the template code in tests/suites/helpers.function
and tests/suites/main.function so that error messages are printed to
stdout instead of being discarded. This makes errors visible regardless
of the --verbose flag being passed or not to the test suite programs.
2017-10-07 17:33:34 +01:00
Hanno Becker 21acb66cba Correct typo: PBDFK -> PBKDF 2017-10-06 14:38:15 +01:00
Andres Amaya Garcia 67d8da522f Remove use of GNU sed features from ssl-opt.sh 2017-10-06 11:59:13 +01:00
Andres Amaya Garcia 3b1bdff285 Fix typos in ssl-opt.sh comments 2017-10-06 11:59:13 +01:00
Andres Amaya Garcia b84c40b12f Add ssl-opt.sh test to check gmt_unix_time is good
Add a test to ssl-opt.sh that parses the client and server debug
output and then checks that the Unix timestamp in the ServerHello
message is within acceptable bounds.
2017-10-06 11:59:13 +01:00
Andres Amaya Garcia 93993defd1 Extend ssl-opt.h so that run_test takes function
Extend the run_test function in ssl-opt.sh so that it accepts the -f
and -F options. These parameters take an argument which is the name of
a shell function that will be called by run_test and will be given the
client input and output debug log. The idea is that these functions are
defined by each test and they can be used to do some custom check
beyon those allowed by the pattern matching capabilities of the
run_test function.
2017-10-06 11:59:13 +01:00
Hanno Becker b25c0c78cf Add test case calling ssl_set_hostname twice
Add a test case calling ssl_set_hostname twice to test_suite_ssl.
When run in CMake build mode ASan, this catches the current leak,
but will hopefully be fine with the new version.
2017-10-06 11:58:50 +01:00
Gilles Peskine 964faeb6c4 Cleaned up get_line for test data files
Look, ma, a use for do...while!

Also removed 1-3 calls to strlen.
2017-10-06 11:58:50 +01:00
Gilles Peskine b04e2c3d81 Allow comments in test data files 2017-10-06 11:58:50 +01:00
Andres Amaya Garcia acdae0cb33 Remove use of GNU sed features from ssl-opt.sh 2017-10-06 11:55:32 +01:00
Andres Amaya Garcia 5987ef451c Fix typos in ssl-opt.sh comments 2017-10-06 11:55:32 +01:00
Andres Amaya Garcia ac36e382a9 Add ssl-opt.sh test to check gmt_unix_time is good
Add a test to ssl-opt.sh that parses the client and server debug
output and then checks that the Unix timestamp in the ServerHello
message is within acceptable bounds.
2017-10-06 11:55:32 +01:00
Andres Amaya Garcia a46a58ab94 Extend ssl-opt.h so that run_test takes function
Extend the run_test function in ssl-opt.sh so that it accepts the -f
and -F options. These parameters take an argument which is the name of
a shell function that will be called by run_test and will be given the
client input and output debug log. The idea is that these functions are
defined by each test and they can be used to do some custom check
beyon those allowed by the pattern matching capabilities of the
run_test function.
2017-10-06 11:55:32 +01:00
Hanno Becker f8b56d4e41 Adapt RSA test suite
Don't expect alternative implementations to implement the RSA operations for wrong key-types.
2017-10-05 10:30:13 +01:00
Hanno Becker 0f65e0ca03 Rename rsa_deduce_moduli to rsa_deduce_primes 2017-10-03 14:40:44 +01:00