Commit graph

6261 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard 9cca267ef3 Add ability to test failing vrfy callback 2018-03-05 12:52:37 +01:00
Manuel Pégourié-Gonnard 189bb40e60 Add tests for profile enforcement
Now all checks related to profile are covered in:
- verify_with_profile()
- verify_child()
- verify_top()
(that's 10 lines that were previously not covered)

Leaving aside profile enforcement in CRLs for now, as the focus is on
preparing to refactor cert verification.
2018-03-05 12:52:30 +01:00
Manuel Pégourié-Gonnard 94f2aa344d Set deterministic flags for NULL profile
Previously flags was left to whatever value it had before. It's cleaner to
make sure it has a definite value, and all bits set looks like the safest way
for when it went very wrong.
2018-03-05 12:52:22 +01:00
Manuel Pégourié-Gonnard 7e9709a281 Add "profile" arg to X.509 test function
Unused yet, tests using it will be added in the next commit
2018-03-05 12:52:08 +01:00
itayzafrir 33d8e3335f Test suite test_suite_pk test pk_rsa_overflow passes valid parameters for hash and sig.
Test suite test_suite_pk test pk_rsa_overflow passes valid parameters for hash and sig.
2018-03-05 09:46:21 +02:00
Gilles Peskine f936cb1c1b Add attribution for #1351 report 2018-02-27 10:21:45 +01:00
Jaeden Amero 6a4e22c26c Update version to 2.7.1 2018-02-26 10:53:47 +00:00
mohammad1603 6085c721d2 Backport 2.7:Add guard to out_left to avoid negative values
Add guard to out_left to avoid negative values
2018-02-25 01:18:46 -08:00
Gilles Peskine 3f9cff20d7 Merge branch 'prr_424' into mbedtls-2.7-proposed 2018-02-22 16:07:32 +01:00
Hanno Becker e80cd463ef Adapt version_features.c 2018-02-22 15:02:47 +00:00
Gilles Peskine 30c3433183 Merge remote-tracking branch 'upstream-public/pr/1393' into mbedtls-2.7-proposed 2018-02-22 15:44:24 +01:00
Gilles Peskine e2bada976e Merge remote-tracking branch 'upstream-public/pr/1392' into mbedtls-2.7-proposed 2018-02-22 15:44:14 +01:00
Gilles Peskine 04f9bd028f Note incompatibility of truncated HMAC extension in ChangeLog
The change in the truncated HMAC extension aligns Mbed TLS with the
standard, but breaks interoperability with previous versions. Indicate
this in the ChangeLog, as well as how to restore the old behavior.
2018-02-22 15:41:26 +01:00
Jaeden Amero 3a11404fcb Add LinkLibraryDependencies to VS2010 app template
Add mbedTLS.vcxproj to the VS2010 application template so that the next
time we auto-generate the application project files, the
LinkLibraryDependencies for mbedTLS.vcxproj are maintained.

Fixes #1347
2018-02-22 12:22:21 +00:00
Gilles Peskine 4945192099 Add ChangeLog entry for PR #1382 2018-02-22 10:23:13 +00:00
Jaeden Amero a0d60a4dbc Add ChangeLog entry for PR #1384 2018-02-22 08:28:10 +00:00
Krzysztof Stachowiak 31f0a3b827 Have Visual Studio handle linking to mbedTLS.lib internally
Fixes #1347
2018-02-22 08:28:10 +00:00
Jaeden Amero a53ff8d088 MD: Make deprecated functions not inline
In 2.7.0, we replaced a number of MD functions with deprecated inline
versions. This causes ABI compatibility issues, as the functions are no
longer guaranteed to be callable when built into a shared library.
Instead, deprecate the functions without also inlining them, to help
maintain ABI backwards compatibility.
2018-02-22 08:20:42 +00:00
Gilles Peskine 8db3efbc76 Add missing MBEDTLS_DEPRECATED_REMOVED guards
Add missing MBEDTLS_DEPRECATED_REMOVED guards around the definitions
of mbedtls_aes_decrypt and mbedtls_aes_encrypt.
This fixes the build under -Wmissing-prototypes -Werror.

Fixes #1388
2018-02-21 19:16:20 +01:00
Gilles Peskine 420386d61d Merge branch 'pr_1352' into mbedtls-2.7-proposed 2018-02-20 16:40:50 +01:00
Gilles Peskine 200b24fdf8 Mention in ChangeLog that this fixes #1351 2018-02-20 16:40:11 +01:00
Gilles Peskine 1e3fd69777 Merge remote-tracking branch 'upstream-public/pr/1333' into development-proposed 2018-02-14 15:12:49 +01:00
Gilles Peskine 49ac5d06ed Merge branch 'pr_1365' into development-proposed 2018-02-14 14:36:44 +01:00
Gilles Peskine 27b0754501 Add ChangeLog entries for PR #1168 and #1362 2018-02-14 14:36:33 +01:00
Gilles Peskine 5daa76537a Add ChangeLog entry for PR #1165 2018-02-14 14:10:24 +01:00
Paul Sokolovsky 8d6d8c84b1 ctr_drbg: Typo fix in the file description comment.
Signed-off-by: Paul Sokolovsky <paul.sokolovsky@linaro.org>
2018-02-10 11:11:41 +02:00
Jaeden Amero 6d6c7982ce Merge remote-tracking branch 'upstream-public/pr/1362' into development 2018-02-08 17:02:31 +00:00
Jaeden Amero 69f3072553 Merge remote-tracking branch 'upstream-public/pr/1168' into development 2018-02-08 15:18:52 +00:00
Jaeden Amero 129f50838b dhm: Fix typo in RFC 5114 constants
We accidentally named the constant MBEDTLS_DHM_RFC5114_MODP_P instead of
MBEDTLS_DHM_RFC5114_MODP_2048_P.

Fixes #1358
2018-02-08 14:29:14 +00:00
Antonio Quartulli 8d7d1ea9f6
tests_suite_pkparse: new PKCS8-v2 keys with PRF != SHA1
Extend the pkparse test suite with the newly created keys
encrypted using PKCS#8 with PKCS#5 v2.0 with PRF being
SHA224, 256, 384 and 512.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-02-08 17:18:20 +08:00
Antonio Quartulli f476b9d98c
data_files/pkcs8-v2: add keys generated with PRF != SHA1
We now have support for the entire SHA family to be used as
PRF in PKCS#5 v2.0, therefore we need to add new keys to test
these new functionalities.

This patch adds the new keys in `tests/data_files` and
commands to generate them in `tests/data_files/Makefile`.

Note that the pkcs8 command in OpenSSL 1.0 called with
the -v2 argument generates keys using PKCS#5 v2.0 with SHA1
as PRF by default.

(This behaviour has changed in OpenSSL 1.1, where the exact same
command instead uses PKCS#5 v2.0 with SHA256)

The new keys are generated by specifying different PRFs with
-v2prf.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-02-08 17:18:19 +08:00
Antonio Quartulli bfa440e9fb
tests/pkcs5/pbkdf2_hmac: extend array to accommodate longer results
Some unit tests for pbkdf2_hmac() have results longer than
99bytes when represented in hexadecimal form.

For this reason extend the result array to accommodate
longer strings.

At the same time make memset() parametric to avoid
bugs in the future.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-02-08 17:18:19 +08:00
Antonio Quartulli e87e885756
tests/pkcs5/pbkdf2_hmac: add unit tests for additional SHA algorithms
Test vectors for SHA224,256,384 and 512 have been
generated using Python's hashlib module by the
following oneliner:

import binascii, hashlib
binascii.hexlify(hashlib.pbkdf2_hmac(ALGO, binascii.unhexlify('PASSWORD'), binascii.unhexlify('SALT'), ITER, KEYLEN)))

where ALGO was 'sha224', 'sha256', 'sha384' and 'sha512'
respectively.

Values for PASSWORD, SALT, ITER and KEYLEN were copied from the
existent test vectors for SHA1.

For SHA256 we also have two test vectors coming from RFC7914 Sec 11.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-02-08 17:18:19 +08:00
Antonio Quartulli 12ccef2761
pkcs5v2: add support for additional hmacSHA algorithms
Currently only SHA1 is supported as PRF algorithm for PBKDF2
(PKCS#5 v2.0).
This means that keys encrypted and authenticated using
another algorithm of the SHA family cannot be decrypted.

This deficiency has become particularly incumbent now that
PKIs created with OpenSSL1.1 are encrypting keys using
hmacSHA256 by default (OpenSSL1.0 used PKCS#5 v1.0 by default
and even if v2 was forced, it would still use hmacSHA1).

Enable support for all the digest algorithms of the SHA
family for PKCS#5 v2.0.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-02-08 17:18:15 +08:00
Mathieu Briand ffb6efd383 Fix doxygen documentation for CCM encryption
Fix valid tag length values for mbedtls_ccm_encrypt_and_tag() function.
Add valid value ranges for mbedtls_ccm_auth_decrypt() parameters.

Signed-off-by: Mathieu Briand <mbriand@witekio.com>
2018-02-07 10:29:27 +01:00
Ron Eldor c15399843e Add some tests for different available profiles
Add tests for suite b profile and for the next profile
2018-02-06 18:47:17 +02:00
Ron Eldor 099e61df52 Rephrase Changelog
Rephrase Changelog to be more coherent to users
2018-02-06 17:34:27 +02:00
Ron Eldor 85e1dcff6a Fix handshake failure in suite B
Fix handshake failure where PK key is translated as `MBEDTLS_ECKEY`
instead of `MBEDTLS_ECDSA`
2018-02-06 15:59:38 +02:00
Jaeden Amero 32605dc830 Merge remote-tracking branch 'upstream-restricted/pr/451' into development-restricted 2018-02-05 11:36:59 +00:00
Jaeden Amero d79bce1d4e Merge remote-tracking branch 'upstream-restricted/pr/452' into development-restricted 2018-02-05 08:49:51 +00:00
Simon Butcher 55fc4e0c5a Update ChangeLog with language and technical corrections
To clarify and correct the ChangeLog.
2018-02-05 08:41:14 +00:00
Jaeden Amero 3b438d33c1 Update version to 2.7.0 2018-02-02 18:09:45 +00:00
Jaeden Amero 98b9373849 Merge branch 'development' into development-restricted 2018-01-30 17:32:12 +00:00
Jaeden Amero 15f90e0266 Merge remote-tracking branch 'upstream-public/pr/1336' into development 2018-01-30 17:28:31 +00:00
Jaeden Amero 9564e97460 Merge branch 'development' into development-restricted 2018-01-30 17:04:47 +00:00
Jaeden Amero 8dd16ab7c0 doxygen: Disable JAVADOC_AUTOBRIEF
Disable JAVADOC_AUTOBRIEF so that we can have periods in our brief
descriptions. We always use '\brief' where we want a brief, so this won't
hide any documentation previously used as a brief.
2018-01-30 16:22:05 +00:00
Rose Zadik 27ff120a61 Improve SHA-512 documentation
- Rephrase file/function/parameter/enum/define/error descriptions into full
  and clear sentences.
- Make sure to adhere to the Arm writing guidelines.
- Fix missing/incorrect Doxygen tags.
- Standardize terminology used within the file.
- Align deprecated function descriptions with those of the superseding
  functions.

GitHub PR: #1326
2018-01-30 16:22:05 +00:00
Rose Zadik 602285eac2 Improve SHA-256 documentation
- Rephrase file/function/parameter/enum/define/error descriptions into full
  and clear sentences.
- Make sure to adhere to the Arm writing guidelines.
- Fix missing/incorrect Doxygen tags.
- Standardize terminology used within the file.
- Align deprecated function descriptions with those of the superseding
  functions.

GitHub PR: #1325
2018-01-30 16:22:05 +00:00
Rose Zadik 64feefb4a2 Improve message digest documentation
- Rephrase file/function/parameter/enum/define/error descriptions into full
  and clear sentences.
- Make sure to adhere to the Arm writing guidelines.
- Fix missing/incorrect Doxygen tags.
- Standardize terminology used within the file.

GitHub PR: #1319
2018-01-30 16:22:05 +00:00
Rose Zadik 2f8163d3cd Improve CTR-DRBG documentation
- Rephrase file/function/parameter/enum/define/error descriptions into full
  and clear sentences.
- Make sure to adhere to the Arm writing guidelines.
- Fix missing/incorrect Doxygen tags.
- Standardize terminology used within the file.
- Add full standard name in file description.

GitHub PR: #1316
2018-01-30 16:22:05 +00:00