Commit graph

2744 commits

Author SHA1 Message Date
Gilles Peskine 6710e15921 Enable X509_ALLOW_EXTENSIONS_NON_V3 in config full and fix tests
Enable MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 in the full config. There's
no reason to keep it out. We weren't testing it at all on the CI.

Add a missing dependency on !MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 to
some test cases that either were testing that v3 extensions are only
accepted in v3 certificates, or where parsing returns a different
error when MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 is enabled.

Add a few positive and negative test cases with
MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 enabled.

Fix one test case with MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 where the
intended output of mbedtls_x509_crt_info had changed in
890819a597 but the test case was missed
because it was never executed.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-04-14 21:32:53 +02:00
Gilles Peskine 72d40fc6ca Fix build failure with MBEDTLS_PLATFORM_NV_SEED_ALT
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-04-14 21:32:53 +02:00
Janos Follath ac15f842a5 Merge remote-tracking branch 'restricted/pr/684' into mbedtls-2.22.0r0 2020-04-14 08:16:27 +01:00
Andrzej Kurek 8ea6872889
Improve pointer calculations when resizing I/O buffers
This commit introduces two changes:
- Add in_msg and out_msg calculations for buffer upsizing. This was previously
considered as unnecessary, but renegotiation using certain ciphersuites needs
this.
- Improving the way out_msg and in_msg pointers are calculated, so that even 
if no resizing is introduced, the pointers remain the same;

New tests added:
- various renegotiation schemes with a range of MFL's and ciphersuites;
- an ssl-opt.sh test exercising two things that were problematic: renegotiation
with TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 and a server MFL that's smaller
than the one negotiated by the client.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-04-09 04:33:00 -04:00
Janos Follath 876e0259d5 Bump version to Mbed TLS 2.22.0
Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-04-08 17:15:18 +01:00
Ronald Cron 67a8a37b91 unit test: Indicate missing unmet dependencies
The identifiers of the unmet dependencies of a test case are
stored in a buffer of fixed size that can be potentially to
small to store all the unmet dependencies. Indicate in test
reports if some unmet dependencies are missing.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-04-02 14:18:49 +02:00
Ronald Cron e1a05a534a unit tests main: Fix potential buffer overflow
Fix potential buffer overflow when tracking the unmet dependencies
of a test case. The identifiers of unmet dependencies are stored
in an array of fixed size. Ensure that we don't overrun the array.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-04-02 14:18:26 +02:00
Gilles Peskine 06725c985f Fix intermittent crash in test suites with outcome file enabled
Fix an intermittent crash when running test suites in non-verbose
mode (i.e. with -v off) and with the outcome file enabled. The
array unmet_dependencies was only filled in verbose mode, but was used
in write_outcome_result regardless.

Since unmet_dependencies only ever contains strings that are integers
written out in decimal, store the integer instead. Do this
unconditionally since it doesn't cost any extra memory.

It would be better to record the dependency names, both in the verbose
output and in the outcome file. But the dependency names are not
currently available at runtime.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-30 22:00:23 +02:00
Gilles Peskine 5d324b203a Merge remote-tracking branch 'upstream-crypto/development' into HEAD
Conflicts:
* .github/issue_template.md, .github/pull_request_template.md:
  The changes in Mbed Crypto are not relevant to Mbed TLS. Keep the
  mbedtls versions.
2020-03-25 15:47:43 +01:00
Gilles Peskine 3b310c69a5 Add a note to some invasive tests
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-24 22:55:48 +01:00
Andrzej Kurek 1b7a780e65
Increase test coverage by adding AES and CAMELLIA empty buffer tests
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-03-24 13:18:58 -04:00
Gilles Peskine 5e7d6fd240 Merge 'mbedtls/development' into merge-crypto-unremoved-20200304
Merge the latest state of the target branch (mbedtls/development) into the
pull request to merge mbed-crypto into mbedtls.

Conflicts:

* ChangeLog: add/add conflict. Resolve by using the usual section order.
2020-03-23 18:02:07 +01:00
Gilles Peskine 049fefff90 Add dependencies on !MBEDTLS_SHA512_NO_SHA384 to x509/ssl unit tests
Add dependencies on !MBEDTLS_SHA512_NO_SHA384 to X.509 and SSL unit
tests that use SHA-384 (identified based on having a description that
contains "SHA384" or "SHA-384").
2020-03-23 17:55:32 +01:00
Gilles Peskine 6eb45f99f0 Add missing dependency on MBEDTLS_CIPHER_MODE_CBC 2020-03-23 17:55:32 +01:00
Gilles Peskine 19e841e19f Fix warning about a potentially initialized variable
The variable drop_len is only used under conditions where it has been
initialized, but this is somewhat fragile and not obvious for a
compiler to see.
2020-03-23 17:55:32 +01:00
Gilles Peskine eccd888717 Rename identifiers containing double-underscore
Rename identifiers containing double-underscore (`__`) to avoid `__`.
The reason to avoid double-underscore is that all identifiers
containing double-underscore are reserved in C++. Rename all such
identifiers that appear in any public header, including ssl_internal.h
which is in principle private but in practice is installed with the
public headers.

This commit makes check-names.sh pass.

```
perl -i -pe 's/\bMBEDTLS_SSL__ECP_RESTARTABLE\b/MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED/g; s/\bMBEDTLS_KEY_EXCHANGE_(_\w+)_(_\w+)\b/MBEDTLS_KEY_EXCHANGE${1}${2}/g' include/mbedtls/*.h library/*.c programs/*/*.c scripts/data_files/rename-1.3-2.0.txt tests/suites/*.function
```
2020-03-23 17:55:32 +01:00
Gilles Peskine b99bd39b4e Merge mbed-crypto into mbedtls: the merge commit
Merge `unremove-non-crypto` into `mbedtls/development`. The branch
`unremove-non-crypto` was obtained by starting from `mbed-crypto/development`,
then reverting many commits that removed X.509 and TLS functionality when Mbed
Crypto forked from Mbed TLS (the “unremoval”), then make a few tweaks to
facilitate the merge.

The unremoval step restored old versions of some tls files. If a file doesn't
exist in mbed-crypto, check out the mbedtls version, regardless of what
happened during the unremoval of tls files in the crypto tree. Also
unconditionally take the mbedtls version of a few files where the
modifications are completely project-specific and are not relevant in
mbed-crypto:

* `.github/issue_template.md`: completely different. We may want to reconcile
  them independently as a follow-up.
* `.travis.yml`: would only be reverted to an earlier tls version.
* `README.md`: completely different. We may want to reconcile them
  independently as a follow-up.
* `doxygen/input/doc_mainpage.h`: the changes in crypto were minimal and not
  relevant except as a stopgap as mbed-crypto did not have its own product
  versioning in the Doxygen documentation.
* `tests/.jenkins/Jenkinsfile`: completely different.
* `tests/data_files/Makefile`: there were no changes in mbed-crypto,
  but the unremoval step restored an old version.

Shell script for everything to do after the merge apart from the conflict
resolution:
```
tls_files=($(comm -23 <(git ls-tree -r --name-only HEAD) <(git ls-tree -r --name-only $(git merge-base upstream-crypto/development MERGE_HEAD))))
tls_files+=($tls_files .github/issue_template.md .travis.yml README.md doxygen/input/doc_mainpage.h tests/.jenkins/Jenkinsfile tests/data_files/Makefile)
git checkout --theirs HEAD -- $tls_files
git add -- $tls_files
```

Resolve the remaining conflicts:

* `library/CMakeLists.txt`:
    * Keep the TLS definition of `src_crypto`
    * `USE_SHARED_MBEDTLS_LIBRARY`: keep all three libraries, with both
      `include` and `crypto/include` in `target_include_directories`, all with
      version `2.21.0`.
* `programs/Makefile`:
    * Reconcile the APPS lists (add/add from a differently-formatted common
      ancestor): insert the `psa/*` from crypto into the tls list.
    * Keep the `fuzz` target defined only in tls version.
    * Keep the recipe (only in tls version) cleaning `ssl_pthread_server`
      stuff for the `clean` target.
* `scripts/config.py`:
    * `include_in_full`: add/add conflict. Keep both.
* `tests/scripts/all.sh`:
    * `component_test_no_use_psa_crypto_full_cmake_asan`: partially old
      version in crypto. Take the tls version.
    * `component_test_malloc_0_null` and more: take
      `component_test_malloc_0_null` from crypto (with `config.py` rather than
      `config.pl`, and with `$ASAN_FLAGS` rather than an explicit list), but
      add the call to `ssl-opt.sh` from tls. Take the other components from
      crypto.

With this commit, building and running the unit tests with both `make ` and
`cmake` work in the default configuration on Linux. Other platforms, build
systems and configurations are likely not to work, and there is some
regression in test coverage.

There is some loss of functionality because the unremoval step restored older
versions of tls content. This commit contains the latest tls version of
tls-only files, but some changes from the tls side in files that existed on
both sides have regressed. Most problematic changes are hunks that remove some
tls-specific feature and contain either a C preprocessor symbol identifying a
tls-specific module or option, or the name of a tls-specific file. Hunks
that remove a tls-specific preprocessor symbol can be identified with the
regular expression `^-.*MBEDTLS_(ERR_)?(PKCS11|X509|NET|SSL)_`.

Subsequent commits will revert a few parts of the patch from this merge commit
in order to restore the tls functionality that it removes, ensure that the
test coverage includes what was covered in either branch, and fix test
failures.
2020-03-23 17:54:46 +01:00
Gilles Peskine 7dc97048d6 Revert "Remove tests that depend on TLS or X.509"
This reverts commit 9afb2e9921.

Conflicts:
* include/CMakeLists.txt
  * "Make config.h available" comment: there has been a change
    adjacent to where it was removed. Just re-add what was removed.
* tests/CMakeLists.txt:
  * compat.sh: there has been a change immediately before where it was
    removed. Just re-add what was removed.
2020-03-19 14:17:54 +01:00
Piotr Nowicki 438bf3b667 App data with 1/n-1 splitting in test suite
Counting of the fragments has been shifted from the writing section to
the reading. This is more reliable because one reading is made for one
fragment and during one write the library can internally divide data
into two fragments

Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-03-12 16:57:05 +01:00
Jaeden Amero c31f970a46
Merge pull request #3075 from AndrzejKurek/variable-buffer-size
Variable buffer size
2020-03-10 21:46:35 +04:00
Jaeden Amero 55727c33eb
Merge pull request #3088 from AndrzejKurek/ssl-mocks-coverity
test_suite_ssl: fix coverity issues with uninitialized members
2020-03-09 19:14:47 +04:00
Andrzej Kurek 89bdc580ca
test_suite_ssl: check for errors during queue setup
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-03-09 06:31:18 -04:00
Andrzej Kurek 45916ba916
test_suite_ssl: fix coverity issues with uninitialized members
Initialize variables to NULL before doing any operations that might fail.
This fixes a case where the allocation fails on the first context, which 
previously made the code free the second, uninitialized context.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-03-05 14:47:01 -05:00
Andrzej Kurek 0afa2a1b65
Add I/O buffer resizing in handshake init and free
Add a conditional buffer resizing feature. Introduce tests exercising
it in various setups (serialization, renegotiation, mfl manipulations).
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-03-04 09:28:16 -05:00
Simon Butcher 49f8e3157c Fix warning with gcc7/maximum allocation exceeded
Adds an additional boundary check to the test parameter bytes_arg in
generate_random() in test_suite_psa_crypto.function.

This is to check against a possible underflow, and to avoid a warning,
"argument ... exceeds maximum object size", (-Werror=alloc-size-larger-than)
that GCC 7 generates.

Signed-off-by: Simon Butcher <simon.butcher@arm.com>
2020-03-03 17:28:05 +00:00
Darryl Green aad82f9bbb
Add variable buffer length tests to all.sh
Exercise the feature alone, with record splitting and DTLS connection ID.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
Signed-off-by: Darryl Green <darryl.green@arm.com>
2020-03-03 10:44:57 -05:00
Piotr Nowicki bde7ee88a6
Add DTLS handshake fragmentation test
For this test it is good to have a handshake messages length as big as
possible, so for the server the certificate verification mode is
changed from default NONE to REQUIRED. It requires the client to send
certificate date to the server during handshake

Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-02-27 09:31:42 -05:00
Andrzej Kurek 8a6ff15079
test_suite_ssl refactoring: provide default options structure for tests
Create and provide a structure with default options so that the caller won't have
to pass all of the parameters each time the handshake is called. In the future
this can be improved so that the options are passed as a string, just like in
ssl-opt.sh.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-02-26 09:10:14 -05:00
Andrzej Kurek 316da1f86e
test_suite_ssl refactoring: merge renegotiation test into handshake
Move the renegotiation test to a shared handshake function to simplify further
addition of tests.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-02-26 09:03:47 -05:00
Andrzej Kurek 9e9efdc277
test_suite_ssl refactoring: merge tls & dtls application data tests
Move the app data tests to a shared handshake function to simplify further 
addition of tests.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-02-26 09:00:18 -05:00
Piotr Nowicki 95e9eb8d91 Add test for renegotiation in DTLS
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-02-25 14:15:00 +01:00
Piotr Nowicki 6a7f01c237 Add test with sending application data via DTLS
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-02-25 14:10:15 +01:00
Andrzej Kurek da2b67806b
Add a dtls handshake test with context serialization
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-02-24 04:56:53 -05:00
Jaeden Amero a08e699afc
Merge pull request #3036 from AndrzejKurek/dtls-handshake-tests
DTLS handshake tests
2020-02-21 15:18:52 +04:00
Janos Follath 84d2fd4ee2 Bump version to Mbed TLS 2.21.0 2020-02-19 14:35:16 +00:00
Janos Follath cf4a40ba0a
Merge pull request #370 from yanesca/update-version-2.21.0
Bump version to Mbed TLS 2.21.0
2020-02-19 14:21:11 +00:00
Janos Follath bc7c2424c9 Bump version to Mbed TLS 2.21.0 2020-02-19 11:51:13 +00:00
Manuel Pégourié-Gonnard 9bbe328752 Test each failure mode of pk_parse_key_pkcs1_der()
(Only the top-level ones, ie, for each call to eg asn1_get_mpi(), ensure
there's at least one test case that makes this call fail in one way, but don't
test the various ways to make asn1_get_mpi fail - that should be covered
elsewhere.)

- the new checks added by the previous commits needed exercising
- existing tests sometimes had wrong descriptions or where passing for the
  wrong reason (eg with the "length mismatch" test, the function actually
failed before reaching the length check)
- while at it, add tests for the rest as well

The valid minimal-size key was generated with:

openssl genrsa 128 2>/dev/null | openssl rsa -outform der 2>/dev/null | xxd -p
2020-02-18 10:31:29 +01:00
Manuel Pégourié-Gonnard b65370f97d Clean up test function pk_parse_key
- remove incorrect compile-time dependency (the individual cases already have
  correct run-time dependency information)
- remove unused argument
- remove unused stack buffer
- remove useless code block
2020-02-18 10:18:43 +01:00
Andrzej Kurek 941962eb91 Add DTLS handshake tests for the mocked ssl test suite
Starting with TLS 1.1
2020-02-12 09:18:19 -05:00
Andrzej Kurek 15daf50b05 Parametrize the endpoint init and free to prepare for DTLS tests 2020-02-12 09:17:52 -05:00
Andrzej Kurek 1a44a159ef Change the order of endpoint initialization steps
Wrong order caused the `protected_record_size` to be of wrong size, hence
causing the server to receive a malformed message in case of a DTLS test.
2020-02-10 03:53:49 -05:00
Andrzej Kurek f46b9128b6 Change test queue errors to SSL_WANT_WRITE and SSL_WANT_READ
Simulate real behavior better, so that higher abstraction layers know when
the buffers are empty and full.
2020-02-10 03:53:49 -05:00
Piotr Nowicki c3fca5e876 Add tests with sending application data to test_suite_ssl 2020-02-07 09:14:04 +01:00
Manuel Pégourié-Gonnard 4d8c836cdc
Merge pull request #346 from gilles-peskine-arm/mpi_copy_shrink
Improve robustness and testing of mbedtls_mpi_copy
2020-02-06 09:52:01 +01:00
Janos Follath f317dc4918
Merge pull request #350 from gilles-peskine-arm/asn1-tests-parse_prefixes-trailing_garbage
test_suite_asn1parse: improve testing of trailing garbage in parse_prefixes
2020-02-05 15:40:22 +00:00
Jaeden Amero c64eb63aaa
Merge pull request #3021 from AndrzejKurek/handshake-tests
Handshake tests with mocked I/O callbacks
2020-02-05 13:50:20 +00:00
Andrzej Kurek cc5169ce32 Add a PSK test to the mocked ssl handshake tests 2020-02-05 07:26:19 -05:00
Gilles Peskine 5da20cc569
Merge pull request #3023 from gilles-peskine-arm/config-crypto
Add crypto-only preset configurations
2020-02-05 11:17:56 +01:00
Andrzej Kurek f40daa3f05 Add version & ciphersuite tests to ssl handshake
Add tests exercising various protocol versions and ciphersuites
in the mocked ssl handshake.
2020-02-04 09:00:01 -05:00
Gilles Peskine 2579675935 Merge remote-tracking branch 'upstream-public/development' into development
Files deleted by us: keep them deleted.

```
git rm $(git status -s | sed -n 's/^DU //p')
```

Individual files with conflicts:

* `README.md`: keep the crypto version.
* `doxygen/input/doc_mainpage.h`: keep the crypto version (with an obsolete Mbed Crypto version number).
* `include/mbedtls/error.h`:
    * `ERROR`: similar additions made through parallel commits, with only whitespace differences. Align with the tls version.
* `library/CMakeLists.txt`: keep the crypto version.
* `library/Makefile`: keep the crypto version.
* `scripts/generate_errors.pl`: keep the crypto version (the relevant changes were made through parallel commits).
* `tests/scripts/check-test-cases.py`:
    * `Results`: keep the crypto version, which has both the new argument to the constructor (added in crypto only) and the class docstring (added through parallel commits).
* `tests/suites/helpers.function`:
    * `ARRAY_LENGTH`, `ASSERT_ALLOC`: additions in the same location. Keep both, in indifferent order.
* `tests/suites/target_test.function`:
    * `receive_uint32`: keep the crypto version which has an additional bug fix. The tls changes made in tls are irrelevant after this bug fix.
* `visualc/VS2010/mbedTLS.vcxproj`: run `scripts/generate_visualc_files.pl`.

Review of non-conflicting changes:

* `all.sh`: 1 change.
    * zlib test components: don't add them.
* `include/CMakeLists.txt`: 1 change.
    * `target_include_directories`: doesn't work as is (different target name). Don't take the change.
* All other non-conflicting changes: take them.
2020-02-03 18:52:36 +01:00
Gilles Peskine a9da093617 shrink tests: clearer description 2020-02-03 16:18:30 +01:00
Gilles Peskine 9a6ecee4de Move test functions from Lilliput to Blefuscu
We normally represent bignums in big-endian order and there is no
reason to deviate here.
2020-02-03 16:15:47 +01:00
Andrzej Kurek b29807413e Refactor certificates and keys in ssl handshake mock tests
Let the caller decide what certificates and keys are loaded (EC/RSA)
instead of loading both for the server, and an unspecified one 
for the client. Use only DER encoding.
2020-02-02 19:25:26 -05:00
Hanno Becker 199b709e53 ASN.1: Add ASN.1 SEQUENCE traversal API 2020-01-31 15:37:26 +00:00
Hanno Becker 12ae27dd0e ASN.1: Introduce helper function to free ASN.1 sequence 2020-01-31 15:37:26 +00:00
Gilles Peskine f4e672ec9e Add missing compilation guards in test suite
Fix the build when MBEDTLS_USE_PSA_CRYPTO is set but
MBEDTLS_X509_CSR_WRITE_C is not.
2020-01-31 14:22:10 +01:00
Gilles Peskine 7cfcb3fc03 Change the encoding of key types to have a parity bit
Change the encoding of key types, EC curve families and DH group
families to make the low-order bit a parity bit (with even parity).

This ensures that distinct key type values always have a Hamming
distance of at least 2, which makes it easier for implementations to
resist single bit flips.
2020-01-31 10:24:21 +01:00
Gilles Peskine 7d7c8dc8b0 Test parsing invalid key type in storage 2020-01-31 10:24:21 +01:00
Gilles Peskine f65ed6f254 Change key types to a 16-bit encoding
All key types now have an encoding on 32 bits where the bottom 16 bits
are zero. Change to using 16 bits only.

Keep 32 bits for key types in storage, but move the significant
half-word from the top to the bottom.

Likewise, change EC curve and DH group families from 32 bits out of
which the top 8 and bottom 16 bits are zero, to 8 bits only.

Reorder psa_core_key_attributes_t to avoid padding.
2020-01-31 10:24:21 +01:00
Gilles Peskine b87b719467 Remove old values of curve encodings
Remove the values of curve encodings that are based on the TLS registry
and include the curve size, keeping only the new encoding that merely
encodes a curve family in 8 bits.

Keep the old constant names as aliases for the new values and
deprecate the old names.
2020-01-31 10:24:21 +01:00
Gilles Peskine 80d26fb56f Switch psa_crypto tests to the new curve encoding 2020-01-31 10:24:21 +01:00
Gilles Peskine 89177e862b Convert USE_PSA_CRYPTO pk interface to the new PSA EC curve encoding 2020-01-31 10:15:32 +01:00
Gilles Peskine 33b1c69908 pk tests: USE_PSA_CRYPTO: test several curves 2020-01-31 10:15:32 +01:00
Gilles Peskine 85f47c9d69 pk tests: USE_PSA_CRYPTO: test attributes of the PSA key 2020-01-31 10:15:32 +01:00
Gilles Peskine 45c29ce4c0 Move size-specific curve/group constants to crypto_compat.h 2020-01-31 10:15:32 +01:00
Gilles Peskine 228abc5773 Define EC curve family constants
Define constants for ECC curve families and DH group families. These
constants have 0x0000 in the lower 16 bits of the key type.

Support these constants in the implementation and in the PSA metadata
tests.

Switch the slot management and secure element driver HAL tests to the
new curve encodings. This requires SE driver code to become slightly
more clever when figuring out the bit-size of an imported EC key since
it now needs to take the data size into account.

Switch some documentation to the new encodings.

Remove the macro PSA_ECC_CURVE_BITS which can no longer be implemented.
2020-01-31 10:15:32 +01:00
Gilles Peskine 025fccdc32 Change the encoding of EC curves and DH groups to include the size
Change the representation of psa_ecc_curve_t and psa_dh_group_t from
the IETF 16-bit encoding to a custom 24-bit encoding where the upper 8
bits represent a curve family and the lower 16 bits are the key size
in bits. Families are based on naming and mathematical similarity,
with sufficiently precise families that no two curves in a family have
the same bit size (for example SECP-R1 and SECP-R2 are two different
families).

As a consequence, the lower 16 bits of a key type value are always
either the key size or 0.
2020-01-31 10:15:32 +01:00
Gilles Peskine 4295e8b9c5 Rework PSA curve to mbedlts group id conversion
Don't rely on the bit size encoded in the PSA curve identifier, in
preparation for removing that.

For some inputs, the error code on EC key creation changes from
PSA_ERROR_INVALID_ARGUMENT to PSA_ERROR_NOT_SUPPORTED or vice versa.
There will be further such changes in subsequent commits.
2020-01-31 10:15:32 +01:00
Gilles Peskine 7bfcfac164 Change key type encodings to avoid bit 16
Key types are now encoded through a category in the upper 4 bits (bits
28-31) and a type-within-category in the next 11 bits (bits 17-27),
with bit 16 unused and bits 0-15 only used for the EC curve or DH
group.

For symmetric keys, bits 20-22 encode the block size (0x0=stream,
0x3=8B, 0x4=16B).
2020-01-31 10:15:32 +01:00
Piotr Nowicki 2a1f178d7c Add test for prescribed states of handshake with the custom IO callbacks 2020-01-31 10:06:04 +01:00
Gilles Peskine 88e08464f5 Add dedicated test cases for psa_hash_compare
psa_hash_compare is tested for good cases and invalid-signature cases
in hash_compute_compare. Also test invalid-argument cases. Also run a
few autonomous test cases with valid arguments.
2020-01-30 12:27:14 +01:00
Gilles Peskine 29eb80d26c Remove some spurious dependencies on MBEDTLS_SHA256_C 2020-01-30 12:27:14 +01:00
Gilles Peskine 7b8efaffaa Add missing dependencies on MBEDTLS_MD_C
The PSA implementations of deterministic ECDSA, of all RSA signatures
and of RSA OAEP use the MD module.
2020-01-30 12:27:14 +01:00
Gilles Peskine aead02cce9 Remove obsolete dependencies on MBEDTLS_MD_C
The PSA implementation of hash algorithms, HMAC algorithms and KDF
algorithms using HMAC no longer use the MD module.
2020-01-30 12:27:14 +01:00
Gilles Peskine 0a749c8fa3 Implement and test psa_hash_compute, psa_hash_compare 2020-01-30 12:27:12 +01:00
Jaeden Amero 79ef1d4e55
Merge pull request #2987 from AndrzejKurek/iotssl-2958-datagram-transport-simulated
Message transport mocks in ssl tests
2020-01-30 10:23:27 +00:00
Manuel Pégourié-Gonnard f712e163b0
Merge pull request #179 from mpg/sha512-no-sha384
Add option to build SHA-512 without SHA-384
2020-01-30 10:32:20 +01:00
Janos Follath 8b38978b85
Merge pull request #349 from gilles-peskine-arm/coverity-20200115-crypto
Fix minor defects found by Coverity
2020-01-29 15:05:11 +00:00
Janos Follath ba1150f822 Merge pull request #2995 from gilles-peskine-arm/coverity-20200115-tls into development 2020-01-29 14:51:24 +00:00
Jaeden Amero bfc73bcfd2
Merge pull request #2988 from piotr-now/iotssl-2954-custom-io-callbacks-to-ssl-unit-test
Changes in custom IO callbacks used in unit tests
2020-01-28 14:46:13 +00:00
Piotr Nowicki d796e19d3b Fix memory allocation fail in TCP mock socket
Because two buffers were aliased too early in the code, it was possible that
after an allocation failure, free() would be called twice for the same pointer.
2020-01-28 13:04:21 +01:00
Piotr Nowicki 890b5ca330 Change non-blocking read/write in TCP mock socket
Previously mocked non-blocking read/write was returning 0 when buffer was empty/full. That was causing ERR_SSL_CONN_EOF error in tests which was using these mocked callbacks. Beside that non-blocking read/write was returning ERR_SSL_WANT_READ/_WRITE depending on block pattern set by test design. Such behavior forced to redesign of these functions so that they could be used in other tests
2020-01-22 14:15:17 +01:00
Piotr Nowicki fb437d72ef Fix segmentation fault in mbedtls_test_buffer
This error occurs when free space in the buffer is in the middle (the buffer has come full circle) and function mbedtls_test_buffer_put is called. Then the arguments for memcpy are calculated incorrectly and program ends with segmentation fault
2020-01-22 13:25:36 +01:00
Andrzej Kurek bc483dea84 Add a message-based socket mock connection to the ssl tests
The connection will send/receive full messages.
2020-01-22 06:38:03 -05:00
Andrzej Kurek 13719cdae4 Add a message metadata queue in ssl tests
Add a metadata queue that will be used on top of the ring buffer callbacks.
Add normal and negative tests.
2020-01-22 06:36:39 -05:00
Andrzej Kurek f7774146b6 ssl test suite: enable dropping bytes from buffer
Add an option to not pass any buffer to mbedtls_test_buffer_get to drop data.
2020-01-22 06:34:59 -05:00
Gilles Peskine 95c893d17f More systematic handling of trailing garbage in parse_prefixes
Before, the string to parse may contain trailing garbage (there was
never more than one byte), and there was a separate argument
indicating the length of the content. Now, the string to parse is the
exact content, and the test code runs an extra test step with a
trailing byte added.
2020-01-21 21:29:37 +01:00
Gilles Peskine ef4183858a Document how tested prefix lengths are chosen 2020-01-21 21:29:37 +01:00
Gilles Peskine 9c673233bc Fix outcome file leak if execute_tests exits early
If there was a fatal error (bizarre behavior from the standard
library, or missing test data file), execute_tests did not close the
outcome file. Fix this.
2020-01-21 18:03:56 +01:00
Gilles Peskine 84984ae220 Add missing return code check on calls to mbedtls_md() 2020-01-21 16:52:08 +01:00
Gilles Peskine 9018b11302 Check that mbedtls_mpi_grow succeeds 2020-01-21 16:30:53 +01:00
Gilles Peskine 292672eb12 If ASSERT_ALLOC_WEAK fails, mark the test as skipped, not passed
This was the intended behavior of ASSERT_ALLOC_WEAK all along, but
skipping was not implemented yet when ASSERT_ALLOC_WEAK was
introduced.
2020-01-21 16:20:04 +01:00
Gilles Peskine 42a1acfd0e get_len_step: Fix end-of-buffer calculation when buffer_size==0
Fix get_len_step when buffer_size==0. The intent of this test is to
ensure (via static or runtime buffer overflow analysis) that
mbedtls_asn1_get_len does not attempt to access beyond the end of the
buffer. When buffer_size is 0 (reached from get_len when parsing a
1-byte buffer), the buffer is buf[1..1] because allocating a 0-byte
buffer might yield a null pointer rather than a valid pointer. In this
case the end of the buffer is p==buf+1, not buf+buffer_size which is
buf+0.

The test passed because calling mbedtls_asn1_get_len(&p,end,...) with
end < p happens to work, but this is not guaranteed.
2020-01-21 16:12:07 +01:00
Janos Follath 2e9f108fbd Bump version to Mbed TLS 2.20.0 2020-01-21 14:08:26 +00:00
Gilles Peskine 7428b45126 Better coverage for copy and swap
Cover more cases: different signs, different zeronesses, repeated
argument.
2020-01-20 21:01:51 +01:00
Gilles Peskine 72d7609f82 Bignum copy/shrink: More precise test case descriptions 2020-01-20 17:19:03 +01:00
Janos Follath 83f33d33eb Bump version to Mbed TLS 2.20.0 2020-01-20 14:52:29 +00:00
Janos Follath d27a88438f Merge branch 'development' into development-restricted 2020-01-15 15:55:11 +00:00
Manuel Pégourié-Gonnard 86a39bdbc5 Improve readability of test dependencies
- Always put MBEDTLS_SHA512_NO_SHA384 immediately after MBEDTLS_SHA512_C
- Remove duplicate occurrences of MBEDTLS_SHA512_NO_SHA384 on the same line
2020-01-07 10:24:17 +01:00
Manuel Pégourié-Gonnard 6ba5a3fc57 Declare test dependencies on !SHA512_NO_SHA384 2020-01-06 11:40:23 +01:00
Gilles Peskine 180850a229
Merge pull request #291 from gilles-peskine-arm/ctr_drbg-test_aes_128
Test MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
2019-12-20 10:43:44 +01:00
Gilles Peskine 7a1925c453 Add a few EC public key import/export test cases
Test a Brainpool curve and a curve whose bit size is not a multiple of 8.
2019-12-12 09:00:27 +01:00
Gilles Peskine f8210f2bd5 Test the block size for symmetric keys
Also insist on their category.

Fix a missing implementation of PSA_BLOCK_CIPHER_BLOCK_SIZE for
ChaCha20.
2019-12-12 09:00:27 +01:00
Gilles Peskine 92f2da9d67 More precise descriptions for format and parse tests 2019-12-12 09:00:27 +01:00
Gilles Peskine fb745bf618 Fix memory failure handling in test_format_storage_data_check
Fail the test instead of crashing if a memory allocation fails.

Free memory even if the test fails.
2019-12-12 09:00:26 +01:00
Gilles Peskine 667c111416 Sanity checks for key attributes in exercise_key 2019-12-12 09:00:26 +01:00
Janos Follath c673c2cd44 Break up the ssl_mock_tcp unit test
Break the test up to three different tests for the sake of
better readability and maintainability.
2019-12-09 09:10:21 +00:00
Janos Follath 3766ba50de Add non-blocking mock TCP callbacks to SSL tests 2019-12-09 09:10:21 +00:00
Janos Follath 031827feba Add mbedtls_mock_socket to SSL unit tests
In a unit test we want to avoid accessing the network. To test the
handshake in the unit test suite we need to implement a connection
between the server and the client. This socket implementation uses
two ring buffers to mock the transport layer.
2019-12-09 09:10:14 +00:00
Gilles Peskine 81f7909497
Merge pull request #325 from gilles-peskine-arm/psa-sign_hash
Rename psa_asymmetric_{sign_verify} to psa_{sign,verify}_hash
2019-12-06 10:10:14 +01:00
Janos Follath 6264e66ba4 Add mbedtls_test_buffer to SSL unit tests
In a unit test we want to avoid accessing the network. To test the
handshake in the unit test suite we need to implement a connection
between the server and the client. This ring buffer implementation will
serve as the said connection.
2019-12-06 07:23:49 +00:00
Gilles Peskine 2ff02c361e Document MBEDTLS_TEST_DEPRECATED 2019-11-29 12:17:21 +01:00
Gilles Peskine 895242be1c Add negative test cases for deprecated aliases
Catch more potential plumbing errors such as not returning the right
value or not writing to an output parameter.
2019-11-29 12:15:40 +01:00
Janos Follath 512fe9673f Fix test assert macro calls
The assert() macro in test is not available anymore. It is superseeded
by TEST_HELPER_ASSERT().
2019-11-29 10:13:32 +00:00
Gilles Peskine 6608e71032 Change ASSERT_ALLOC to take a size in elements, not bytes
`ASSERT_ALLOC(p, length)` now allocates `length` elements, i.e.
`length * sizeof(*p)` bytes.
2019-11-29 10:13:32 +00:00
Gilles Peskine 28405300ee New macro ASSERT_ALLOC to allocate memory in tests
The new macro ASSERT_ALLOC allocates memory with mbedtls_calloc and
fails the test if the allocation fails. It outputs a null pointer if
the requested size is 0. It is meant to replace existing calls to
mbedtls_calloc.
2019-11-29 10:13:32 +00:00
Gilles Peskine 7bb1a7e0bf
Merge pull request #307 from msopiha-linaro/development
Add ASN.1 ENUMERATED tag support
2019-11-28 10:20:18 +01:00
Gilles Peskine 06c28890c9 Add test function for effective key attributes
We're going to create some edge cases where the attributes of a key
are not bitwise identical to the attributes passed during creation.
Have a test function ready for that.
2019-11-26 19:14:18 +01:00
Gilles Peskine 0627f98779 Add tests of deprecated PSA functions
Test psa_asymmetric_sign and psa_asymmetric_verify.
2019-11-26 19:14:07 +01:00
Gilles Peskine 841b14be02 Add tests of deprecated PSA macros
When MBEDTLS_TEST_DEPRECATED is defined, run some additional tests to
validate deprecated PSA macros. We don't need to test deprecated
features extensively, but we should at least ensure that they don't
break the build.

Add some code to component_build_deprecated in all.sh to run these
tests with MBEDTLS_DEPRECATED_WARNING enabled. The tests are also
executed when MBEDTLS_DEPRECATED_WARNING and
MBEDTLS_DEPRECATED_REMOVED are both disabled.
2019-11-26 19:12:35 +01:00
Gilles Peskine 1a96049e30 Make the key_policy test function more flexible 2019-11-26 19:08:55 +01:00
Gilles Peskine b951fd9330
Merge pull request #310 from gilles-peskine-arm/memory_buffer_alloc-fatal-pass
Clarify test descriptions in test_suite_memory_buffer_alloc
2019-11-26 18:52:24 +01:00
Gilles Peskine 8f4df81506
Merge pull request #293 from gilles-peskine-arm/entropy-min
Always gather MBEDTLS_ENTROPY_BLOCK_SIZE bytes of entropy
2019-11-26 18:43:45 +01:00
Gilles Peskine 89d8c5c447 Rename some signature-related identifiers
Rename some macros and functions related to signature which are
changing as part of the addition of psa_sign_message and
psa_verify_message.

perl -i -pe '%t = (
PSA_KEY_USAGE_SIGN => PSA_KEY_USAGE_SIGN_HASH,
PSA_KEY_USAGE_VERIFY => PSA_KEY_USAGE_VERIFY_HASH,
PSA_ASYMMETRIC_SIGNATURE_MAX_SIZE => PSA_SIGNATURE_MAX_SIZE,
PSA_ASYMMETRIC_SIGN_OUTPUT_SIZE => PSA_SIGN_OUTPUT_SIZE,
psa_asymmetric_sign => psa_sign_hash,
psa_asymmetric_verify => psa_verify_hash,
); s/\b(@{[join("|", keys %t)]})\b/$t{$1}/ge' $(git ls-files . ':!:**/crypto_compat.h')
2019-11-26 18:20:59 +01:00
Gilles Peskine cbd91e013c Fix entropy_threshold when MBEDTLS_TEST_NULL_ENTROPY is enabled
Don't use the default entropy sources so as not to depend on their
characteristics.
2019-11-25 19:50:54 +01:00
Gilles Peskine ae679390a2 Fix entropy_calls when MBEDTLS_ENTROPY_NV_SEED is enabled 2019-11-25 19:44:42 +01:00
Gilles Peskine d2cea9f57c Add some more KDF test cases 2019-11-25 15:44:24 +01:00
Gilles Peskine bbf67b98bb Remove selftest dependency in the test suite
The test suites should always run self-tests for all enabled features.
Otherwise we miss failing self-tests in CI runs, because we don't
always run the selftest program independently.

There was one spurious dependency to remove:
MBEDTLS_CTR_DRBG_USE_128_BIT_KEY for ctr_drbg, which was broken but
has now been fixed.
2019-11-21 13:49:20 +01:00
Gilles Peskine 87ef0c24af Merge branch 'development' into development-restricted 2019-11-20 20:09:34 +01:00
Jaeden Amero 61c8a371e0
Merge pull request #2836 from hanno-arm/x509_crt_policies_tests
X.509: Enhance negative testing for CertificatePolicy extension
2019-11-20 15:45:57 +00:00
Gilles Peskine 9afbfdc833 Merge remote-tracking branch 'myfork-public/development' into merge-crypto-development-20191115
First deal with deleted files.

* Files deleted by us: keep them deleted.
* Files deleted by them, whether modified by us or not: keep our version.

```
git rm $(git status -s | sed -n 's/^DU //p')
git reset -- $(git status -s | sed -n 's/^D  //p')
git checkout -- $(git status -s | sed -n 's/^ D //p')
git add -- $(git status -s | sed -n 's/^UD //p')
```

Individual files with conflicts:

* `3rdparty/everest/library/Hacl_Curve25519_joined.c`: spurious conflict because git mistakenly identified this file as a rename. Keep our version.
* `README.md`: conflict due to their change in a paragraph that doesn't exist in our version. Keep our version of this paragraph.
* `docs/architecture/Makefile`: near-identical additions. Adapt the definition of `all_markdown` and include the clean target.
* `doxygen/input/docs_mainpage.h`: conflict in the version number. Keep our version number.
* `include/mbedtls/config.h`: two delete/modify conflicts. Keep the removed chunks out.
* `library/CMakeLists.txt`: discard all their changes as they are not relevant.
* `library/Makefile`:
    * Discard the added chunk about the crypto submodule starting with `INCLUDING_FROM_MBEDTLS:=1`.
    * delete/modify: keep the removed chunk out.
    * library build: This is almost delete/modify. Their changes are mostly not applicable. Do keep the `libmbedcrypto.$(DLEXT): | libmbedcrypto.a` order dependency.
    * `.c.o`: `-o` was added on both sides but in a different place. Change to their place.
* `library/error.c`: to be regenerated.
* `library/version_features.c`: to be regenerated.
* `programs/Makefile`: Most of the changes are not relevant. The one relevant change is in the `clean` target for Windows; adapt it by removing `/S` from our version.
* `programs/test/query_config.c`: to be regenerated.
* `scripts/config.py`: added in parallel on both sides. Keep our version.
* `scripts/footprint.sh`: parallel changes. Keep our version.
* `scripts/generate_visualc_files.pl`: one delete/modify conflict. Keep the removed chunks out.
* `tests/Makefile`: discard all of their changes.
* `tests/scripts/all.sh`:
    * `pre_initialize_variables` add `append_outcome`: add it.
    * `pre_initialize_variables` add `ASAN_CFLAGS`: already there, keep our version.
    * `pre_parse_command_line` add `--no-append-outcome`: add it.
    * `pre_parse_command_line` add `--outcome-file`: add it.
    * `pre_print_configuration`: add `MBEDTLS_TEST_OUTCOME_FILE`.
    * Several changes in SSL-specific components: keep our version without them.
    * Several changes where `config.pl` was changed to `config.py` and there was an adjacent difference: keep our version.
    * Changes regarding the inclusion of `MBEDTLS_MEMORY_xxx`: ignore them here, they will be normalized in a subsequent commit.
    * `component_test_full_cmake_gcc_asan`: add it without the TLS tests.
    * `component_test_no_use_psa_crypto_full_cmake_asan`: keep the fixed `msg`, discard other changes.
    * `component_test_memory_buffer_allocator_backtrace`, `component_test_memory_buffer_allocator`: add them without the TLS tests.
    * `component_test_m32_everest`: added in parallel on both sides. Keep our version.
* `tests/scripts/check-names.sh`, `tests/scripts/list-enum-consts.pl`, `tests/scripts/list-identifiers.sh`, ``tests/scripts/list-macros.sh`: discard all of their changes.
* `tests/scripts/test-ref-configs.pl`: the change in the conflict is not relevant, so keep our version there.
* `visualc/VS2010/*.vcxproj`: to be regenerated.

Regenerate files:

```
scripts/generate_visualc_files.pl
git add visualc/VS2010/*.vcxproj
scripts/generate_errors.pl
git add library/error.c
scripts/generate_features.pl
git add library/version_features.c
scripts/generate_query_config.pl
git add programs/test/query_config.c
```

Rejected changes in non-conflicting files:

* `CMakeLists.txt`: discard their addition which has already been side-ported.
* `doxygen/mbedtls.doxyfile`: keep the version number change. Discard the changes related to `../crypto` paths.

Keep the following changes after examination:

* `.travis.yml`: all of their changes are relevant.
* `include/mbedtls/error.h`: do keep their changes. Even though Crypto doesn't use TLS errors, it must not encroach on TLS's allocated numbers.
* `tests/scripts/check-test-cases.py`: keep the code dealing with `ssl-opt.sh`. It works correctly when the file is not present.
2019-11-15 11:47:14 +01:00
Gilles Peskine f0d87001d0
Merge pull request #315 from gilles-peskine-arm/pk_signature_max_size
Define MBEDTLS_PK_SIGNATURE_MAX_SIZE
2019-11-13 12:13:57 +01:00
Gilles Peskine cb0101ff33
Merge pull request #298 from gilles-peskine-arm/config-symmetric-only
Test a build without any asymmetric cryptography
2019-11-12 19:37:13 +01:00
Gilles Peskine a719db8b04 Add pk_utils and pk_sign tests with different curves
This reveals that MBEDTLS_PK_SIGNATURE_MAX_SIZE is too small.
2019-11-12 13:21:53 +01:00
Gilles Peskine e48fe55c24 test_suite_pk: pk_genkey: support a variable key size or curve
No intended behavior change.
2019-11-12 13:21:52 +01:00
Gilles Peskine eba088a8ac test_suite_pk: check the signature size after pk_sign
Add a check that the signature size from pk_sign is less than the
documented maximum size.

Reduce the stack consumption in pk_sign_verify.
2019-11-12 11:10:54 +01:00
Gilles Peskine f85e4e67bd test_suite_pk: fix use of sig_len without initialization
In pk_sign_verify, if mbedtls_pk_sign() failed, sig_len was passed to
mbedtls_pk_verify_restartable() without having been initialized. This
worked only because in the only test case that expects signature to
fail, the verify implementation doesn't look at sig_len before failing
for the expected reason.

The value of sig_len if sign() fails is undefined, so set sig_len to
something sensible.
2019-11-12 11:09:26 +01:00
Janos Follath 0b1ae0e972 mpi_lt_mpi_ct: Add further tests
The existing tests did not catch a failure that came up at integration
testing. Adding the missing test cases to trigger the bug.
2019-11-05 15:13:00 +00:00
Janos Follath 53fc7b0309 mpi_lt_mpi_ct: Fix test numbering 2019-11-05 15:13:00 +00:00
Gilles Peskine c212166171 pk_write test cases with short/long private key
Add pk_write test cases where the ASN.1 INTEGER encoding of the
private value would not have the mandatory size for the OCTET STRING
that contains the value.

ec_256_long_prv.pem is a random secp256r1 private key, selected so
that the private value is >= 2^255, i.e. the top bit of the first byte
is set (which would cause the INTEGER encoding to have an extra
leading 0 byte).

ec_521_short_prv.pem is a random secp521r1 private key, selected so
that the private value is < 2^519, i.e. the first byte is 0 and the
top bit of the second byte is 0 (which would cause the INTEGER
encoding to have one less 0 byte at the start).
2019-11-05 15:32:53 +01:00
Janos Follath 0e4792ef47 mpi_lt_mpi_ct perform tests for both limb size
The corner case tests were designed for 32 and 64 bit limbs
independently and performed only on the target platform. On the other
platform they are not corner cases anymore, but we can still exercise
them.
2019-11-05 11:42:20 +00:00
Janos Follath f17c8006ae mbedtls_mpi_lt_mpi_ct: add tests for 32 bit limbs
The corner case tests were designed for 64 bit limbs and failed on 32
bit platforms because the numbers in the test ended up being stored in a
different number of limbs and the function (correctly) returnd an error
upon receiving them.
2019-11-04 10:39:20 +00:00
Janos Follath 0ac9557c86 Add more tests for mbedtls_mpi_lt_mpi_ct 2019-11-04 10:39:20 +00:00
Janos Follath b7e1b494ef mpi_lt_mpi_ct test: hardcode base 16 2019-11-04 10:39:20 +00:00
Janos Follath 0e5532d6cf Change mbedtls_mpi_cmp_mpi_ct to check less than
The signature of mbedtls_mpi_cmp_mpi_ct() meant to support using it in
place of mbedtls_mpi_cmp_mpi(). This meant full comparison functionality
and a signed result.

To make the function more universal and friendly to constant time
coding, we change the result type to unsigned. Theoretically, we could
encode the comparison result in an unsigned value, but it would be less
intuitive.

Therefore we won't be able to represent the result as unsigned anymore
and the functionality will be constrained to checking if the first
operand is less than the second. This is sufficient to support the
current use case and to check any relationship between MPIs.

The only drawback is that we need to call the function twice when
checking for equality, but this can be optimised later if an when it is
needed.
2019-11-04 10:39:20 +00:00
Janos Follath 385d5b8682 Add tests to constant time mpi comparison 2019-11-04 10:39:20 +00:00
Gilles Peskine 22589f0a72
Merge pull request #305 from gilles-peskine-arm/ctr_drbg-grab_nonce_from_entropy-set_nonce_length
CTR_DRBG: grab a nonce from the entropy source if needed
2019-11-04 10:39:42 +01:00
Mykhailo Sopiha 6af7bf91f2 Add test cases for ASN.1 ENUMERATED tag
Add test cases for writing and parsing ASN.1 ENUMERATED
tag values.

Signed-off-by: Mykhailo Sopiha <mykhailo.sopiha@linaro.org>
2019-10-31 19:17:36 +02:00
Gilles Peskine 08c674dfe3
Merge pull request #288 from gilles-peskine-arm/psa-ecdsa_longer_hash
Add ECDSA tests with hash and key of different lengths
2019-10-31 17:03:28 +01:00
Gilles Peskine cf5abd812a Enable more test cases without MBEDTLS_MEMORY_DEBUG
None of the test cases in tests_suite_memory_buffer_alloc actually
need MBEDTLS_MEMORY_DEBUG. Some have additional checks when
MBEDTLS_MEMORY_DEBUG but all are useful even without it. So enable
them all and #ifdef out the parts that require DEBUG.
2019-10-31 15:07:45 +01:00
Gilles Peskine 02348c6fce More accurate test case description 2019-10-31 15:07:35 +01:00
Gilles Peskine 5033db293b Clarify that the "FATAL" message is expected
The test case "Memory buffer small buffer" emits a message
"FATAL: verification of first header failed". In this test case, it's
actually expected, but it looks weird to see this message from a
passing test. Add a comment that states this explicitly, and modify
the test description to indicate that the failure is expected, and
change the test function name to be more accurate.

Fix #309
2019-10-31 15:07:08 +01:00
Gilles Peskine ccde952df0
Merge pull request #259 from k-stachowiak/bounds-check-asn1-len
Check `len` against buffers size upper bound in PSA tests
2019-10-29 17:47:47 +01:00
Gilles Peskine 69971662bf CTR_DRBG: define a constant for the default entropy nonce length
The default entropy nonce length is either zero or nonzero depending
on the desired security strength and the entropy length.

The implementation calculates the actual entropy nonce length from the
actual entropy length, and therefore it doesn't need a constant that
indicates the default entropy nonce length. A portable application may
be interested in this constant, however. And our test code could
definitely use it.

Define a constant MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN and use it in
test code. Previously, test_suite_ctr_drbg had knowledge about the
default entropy nonce length built in and test_suite_psa_crypto_init
failed. Now both use MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN.

This change means that the test ctr_drbg_entropy_usage no longer
validates that the default entropy nonce length is sensible. So add a
new test that checks that the default entropy length and the default
entropy nonce length are sufficient to ensure the expected security
strength.
2019-10-23 19:47:05 +02:00
Gilles Peskine e9a3454e09 CTR_DRBG: grab a nonce from the entropy source if needed
Change the default entropy nonce length to be nonzero in some cases.
Specifically, the default nonce length is now set in such a way that
the entropy input during the initial seeding always contains enough
entropy to achieve the maximum possible security strength per
NIST SP 800-90A given the key size and entropy length.

If MBEDTLS_CTR_DRBG_ENTROPY_LEN is kept to its default value,
mbedtls_ctr_drbg_seed() now grabs extra entropy for a nonce if
MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled and either
MBEDTLS_ENTROPY_FORCE_SHA256 is enabled or MBEDTLS_SHA512_C is
disabled. If MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled, or if
the entropy module uses SHA-512, then the default value of
MBEDTLS_CTR_DRBG_ENTROPY_LEN does not require a second call to the
entropy function to achieve the maximum security strength.

This choice of default nonce size guarantees NIST compliance with the
maximum security strength while keeping backward compatibility and
performance high: in configurations that do not require grabbing more
entropy, the code will not grab more entropy than before.
2019-10-23 19:46:57 +02:00
Gilles Peskine 0ed378aa02 CTR_DRBG: explicitly set entropy_nonce_len=0 when desired
No behavior change. Prepare for a future version that will set the
entropy nonce length to a nonzero value by default.
2019-10-23 19:46:56 +02:00
Gilles Peskine c949de06ec Test mbedtls_ctr_drbg_set_nonce_len
Test mbedtls_ctr_drbg_set_nonce_len (good cases only, which is in
keeping with the coverage of other functions).
2019-10-23 19:46:56 +02:00
Gilles Peskine 4d2d4ff9b0 HMAC_DRBG entropy usage: test the exact amount of consumed entropy 2019-10-23 19:46:56 +02:00
Gilles Peskine 58b56ce444 CTR_DRBG entropy usage: test the exact amount of consumed entropy 2019-10-23 19:46:56 +02:00
Gilles Peskine 54d1937433 Fix memory leak in some SE HAL tests 2019-10-21 19:18:22 +02:00
Gilles Peskine ccfc5eaa81 Fix memory leak in some SE HAL tests 2019-10-21 15:57:51 +02:00
Jaeden Amero b1c7197166
Merge pull request #299 from gilles-peskine-arm/drbg-set_entropy_len
Allow xxx_drbg_set_entropy_len before xxx_drbg_seed
2019-10-18 15:39:03 +01:00
Gilles Peskine 150d577780
Merge pull request #292 from gilles-peskine-arm/psa-destroy_0
Make psa_close_key(0) and psa_destroy_key(0) succeed
2019-10-14 11:21:54 +02:00
Gilles Peskine b16841ee69 Fixed -Wunused warnings when building without asymmetric crypto 2019-10-11 18:21:08 +02:00
Gilles Peskine 50ed86b6b9 CTR_DRBG: support set_entropy_len() before seed()
mbedtls_ctr_drbg_seed() always set the entropy length to the default,
so a call to mbedtls_ctr_drbg_set_entropy_len() before seed() had no
effect. Change this to the more intuitive behavior that
set_entropy_len() sets the entropy length and seed() respects that and
only uses the default entropy length if there was no call to
set_entropy_len().

This removes the need for the test-only function
mbedtls_ctr_drbg_seed_entropy_len(). Just call
mbedtls_ctr_drbg_set_entropy_len() followed by
mbedtls_ctr_drbg_seed(), it works now.
2019-10-11 18:04:12 +02:00
Gilles Peskine 3cdb3da3a0
Merge pull request #297 from gilles-peskine-arm/asn1_get_int-undefined_shift
Fix int overflow in mbedtls_asn1_get_int
2019-10-11 17:31:16 +02:00
Gilles Peskine b8cde4ec03 Consolidate invalid-handle tests
Consolidate the invalid-handle tests from test_suite_psa_crypto and
test_suite_psa_crypto_slot_management. Start with the code in
test_suite_psa_crypto_slot_management and adapt it to test one invalid
handle value per run of the test function.
2019-10-11 11:44:48 +02:00
Gilles Peskine 0370b1bd7d ASN1 tests: more INTEGER test cases
Test more INTEGER values, especially near the boundary of int (which
is at 2^31-1 on all our officially supported platforms).
2019-10-10 19:25:39 +02:00
Gilles Peskine 970dcbf453 ASN1 tests: Match negative INTEGERs with the actual library behavior
mbedtls_asn1_get_int() and mbedtls_asn1_get_mpi() behave differently
on negative INTEGERs (0200). Don't change the library behavior for now
because this might break interoperability in some applications. Change
the test function to the library behavior.

Fix the test data with negative INTEGERs. These test cases were
previously not run (they were introduced but deliberately deactivated
in 27d806fab4). The test data was
actually wrong: ASN.1 uses two's complement, which has no negative 0,
and some encodings were wrong. Now the tests have correct data, and
the test code rectifies the expected data to match the library
behavior.
2019-10-10 19:21:12 +02:00
Gilles Peskine 321adb297c ASN1 tests: Match "Empty INTEGER" with the actual library behavior
mbedtls_asn1_get_int() and mbedtls_asn1_get_mpi() behave differently
on an empty INTEGER (0200). Don't change the library behavior for now
because this might break interoperability in some applications. Write
a test function that matches the library behavior.
2019-10-10 19:18:21 +02:00
Gilles Peskine 03c165e1e1 Fix the build and the tests when MBEDTLS_BIGNUM_C is unset
When the asn1parse module is enabled but the bignum module is
disabled, the asn1parse test suite did not work. Fix this.

* Fix a syntax error in get_integer() (label immediately followed by a
  closing brace).
* Fix an unused variable in get_integer().
* Fix `TEST_ASSERT( *p == q );` in nested_parse() failing because `*p`
  was not set.
* Fix nested_parse() not outputting the length of what it parsed.
2019-10-10 19:15:18 +02:00
k-stachowiak 03954f2537 Make negative function_id value impossible in test suites 2019-10-10 17:04:00 +02:00
Gilles Peskine 36029387de
Merge pull request #285 from gilles-peskine-arm/psa-se_driver-validate_save_persistent
SE driver: make persistent data work
2019-10-09 18:35:33 +02:00
Gilles Peskine 04129a0d96 Update slot management tests now that {close,destroy}_key(0) succeed 2019-10-09 16:23:49 +02:00
Gilles Peskine cb25cdd53a Add ECDSA tests with hash and key of different lengths
Add some ECDSA test cases where the hash is shorter or longer than the
key length, to check that the API doesn't enforce a relationship
between the two.

For the sign_deterministic tests, the keys are
tests/data_files/ec_256_prv.pem and tests/data_files/ec_384_prv.pem
and the signatures were obtained with Python Cryptodome:

from binascii import hexlify, unhexlify
from Crypto.Hash import SHA256, SHA384
from Crypto.PublicKey import ECC
from Crypto.Signature import DSS
k2 = ECC.import_key(unhexlify("3077020101042049c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eeea00a06082a8648ce3d030107a144034200047772656f814b399279d5e1f1781fac6f099a3c5ca1b0e35351834b08b65e0b572590cdaf8f769361bcf34acfc11e5e074e8426bdde04be6e653945449617de45"))
SHA384.new(b'hello').hexdigest()
hexlify(DSS.new(k2, 'deterministic-rfc6979').sign(SHA384.new(b'hello')))
k3 = ECC.import_key(unhexlify("3081a402010104303f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76aa00706052b81040022a16403620004d9c662b50ba29ca47990450e043aeaf4f0c69b15676d112f622a71c93059af999691c5680d2b44d111579db12f4a413a2ed5c45fcfb67b5b63e00b91ebe59d09a6b1ac2c0c4282aa12317ed5914f999bc488bb132e8342cc36f2ca5e3379c747"))
SHA256.new(b'hello').hexdigest()
hexlify(DSS.new(k3, 'deterministic-rfc6979').sign(SHA256.new(b'hello')))
2019-10-08 16:05:02 +02:00
Gilles Peskine f102e4e4f6 Test that psa_close_key(0) and psa_destroy_key(0) succeed 2019-10-08 15:57:27 +02:00
Gilles Peskine 65fc0686a7 Add tests to ensure that we gather as much entropy as expected
There were tests to ensure that each entropy source reaches its
threshold, but no test that covers the total amount of entropy. Add
test cases with a known set of entropy sources and make sure that we
always gather at least MBEDTLS_ENTROPY_BLOCK_SIZE bytes from a strong
source.
2019-10-08 15:01:34 +02:00
Gilles Peskine 7f246510d0 Add a test case for MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED 2019-10-08 14:56:48 +02:00
Gilles Peskine ed04a676ee Entropy tests: support multiple dummy sources
Always pass a context object to entropy_dummy_source. This lets us
write tests that register more than one source and keep track of how
many times each one is called.
2019-10-08 14:37:27 +02:00
Gilles Peskine c34b839d85 Improve the descriptions of some entropy test cases 2019-10-08 14:21:18 +02:00
Gilles Peskine f70d3eb43a Uncomment X509 test that now works
The test failed due to an ASN.1 bug that the latest crypto submodule
update fixed.
2019-10-04 19:24:37 +02:00
Jaeden Amero 9ab7c07f1f
Merge pull request #75 from gilles-peskine-arm/asn1-tests-without-x509
ASN.1 tests without x509
2019-10-04 12:30:01 +01:00
Gilles Peskine 88f136f98b Fix free_named_data_list tests
Fix copypasta in test data and fix a switcho in test code.
2019-10-04 11:35:09 +02:00
Jaeden Amero e4209c0e62
Merge pull request #278 from RonEld/fix_on_target_test_issues
Fix on target test issues
2019-10-03 14:10:05 +01:00
Jaeden Amero 74692aeb8c Merge remote-tracking branch 'origin/pr/2488' into development
* origin/pr/2488:
  Change X.509 test cases to not rely on asn1parse limitations
2019-10-02 18:01:57 +01:00
Jaeden Amero 230b87a1ea Merge remote-tracking branch 'origin/pr/2843' into development
* origin/pr/2843: (26 commits)
  Make hyperlink a hyperlink in every markdown flavor
  Update the crypto submodule to be the same as development
  Document test case descriptions
  Restore MBEDTLS_TEST_OUTCOME_FILE after test_default_out_of_box
  ssl-opt.sh: Fix some test case descriptions
  Reject non-ASCII characters in test case descriptions
  Process input files as binary
  Factor description-checking code into a common function
  Fix cosmetic error in warnings
  Fix regex matching run_test calls in ssl-opt.sh
  all.sh: run check-test-cases.py
  Better information messages for quick checks
  Fix configuration short name in key-exchanges.pl
  Make test case descriptions unique
  New test script check-test-cases.py
  Document the test outcome file
  Create infrastructure for architecture documents in Markdown
  all.sh --outcome-file creates an outcome file
  Set meaningful test configuration names when running tests
  ssl-opt: remove semicolons from test case descriptions
  ...
2019-10-02 18:01:32 +01:00
Gilles Peskine e1ee8f157c Test that SE driver persistent data is saved correctly
Add invasive checks that peek at the stored persistent data after some
successful import, generation or destruction operations and after
reinitialization to ensure that the persistent data in storage has the
expected content.
2019-10-01 16:56:27 +02:00
Gilles Peskine d9348f218e SE driver: call the p_init method during psa_crypto_init() 2019-10-01 15:22:29 +02:00
Gilles Peskine 5ec3a30edb SE driver: validate_slot_number: support changing persistent data
Add a parameter to the p_validate_slot_number method to allow the
driver to modify the persistent data.

With the current structure of the core, the persistent data is already
updated. All it took was adding a way to modify it.
2019-10-01 14:27:23 +02:00
Gilles Peskine 3efcebbc5e SE support: Use a transaction when registering a key
When registering a key in a secure element, go through the transaction
mechanism. This makes the code simpler, at the expense of a few extra
storage operations. Given that registering a key is typically very
rare over the lifetime of a device, this is an acceptable loss.

Drivers must now have a p_validate_slot_number method, otherwise
registering a key is not possible. This reduces the risk that due to a
mistake during the integration of a device, an application might claim
a slot in a way that is not supported by the driver.
2019-10-01 14:18:35 +02:00
Ron Eldor 038ab053d6 Add const to variable
Add const type that was accidently removed.
2019-09-25 14:06:15 +03:00
Gilles Peskine 7a020f3d10 Make test case descriptions unique
Remove one test case which was an exact duplicate.

Tweak the description of two test cases that had the same description.
2019-09-24 19:21:19 +02:00
Gilles Peskine 178c9aa966 Key derivation: forbid output_key without input_key
If none of the inputs to a key derivation is a
PSA_KEY_DERIVATION_INPUT_SECRET passed with
psa_key_derivation_input_key(), forbid
psa_key_derivation_output_key(). It usually doesn't make sense to
derive a key object if the secret isn't itself a proper key.
2019-09-24 18:39:03 +02:00
Gilles Peskine 1a2904c49a derive_input test function: Try output afterwards
After passing some inputs, try getting one byte of output, just to
check that this succeeds (for a valid sequence of inputs) or fails
with BAD_STATE (for an invalid sequence of inputs). Either output a
1-byte key or a 1-byte buffer depending on the test data.

The test data was expanded as follows:
* Output key type (or not a key): same as the SECRET input if success
  is expected, otherwise NONE.
* Expected status: PSA_SUCCESS after valid inputs, BAD_STATE after any
  invalid input.
2019-09-24 18:39:03 +02:00
Gilles Peskine 2058c07724 derive_input test function: More logical parameter order
No behavior change.
2019-09-24 18:39:03 +02:00
Gilles Peskine b8965193a0 Use the constant PSA_KEY_TYPE_NONE rather than 0
No behavior change, just a readability improvement.
2019-09-24 18:39:03 +02:00
Gilles Peskine 593773d9f2 Consistently abort key derivation operations on input error 2019-09-24 18:39:03 +02:00
Gilles Peskine 224b0d656a Key derivation: allow both keys and direct inputs
Allow a direct input as the SECRET input step in a key derivation, in
addition to allowing DERIVE keys. This makes it easier for
applications to run a key derivation where the "secret" input is
obtained from somewhere else. This makes it possible for the "secret"
input to be empty (keys cannot be empty), which some protocols do (for
example the IV derivation in EAP-TLS).

Conversely, allow a RAW_DATA key as the INFO/LABEL/SALT/SEED input to a key
derivation, in addition to allowing direct inputs. This doesn't
improve security, but removes a step when a personalization parameter
is stored in the key store, and allows this personalization parameter
to remain opaque.

Add test cases that explore step/key-type-and-keyhood combinations.
2019-09-24 18:39:03 +02:00
Gilles Peskine 6842ba4d7a PSA crypto KDF: test bytes/key input independently of the step type
This commit only makes derive_input more flexible so that the key
derivation API can be tested with different key types and raw data for
each input step. The behavior of the test cases remains the same.
2019-09-24 18:39:03 +02:00
Gilles Peskine 6ddb4d8434 Improve descriptions of derive test cases
Systematically use "PSA key derivation setup" for derive_setup. This
resolves the ambiguity between derive_setup and derive_input calls.
2019-09-24 18:37:19 +02:00
Gilles Peskine 0a048b2833
Merge pull request #270 from gilles-peskine-arm/test_outcome_file-crypto-fix
Fix test case descriptions
2019-09-24 15:54:54 +02:00
Ron Eldor af7724e985 Fix endianity issue when reading uint32
The uint32 is given as a bigendian stream, in the tests, however,
the char buffer that collected the stream read it as is,
without converting it. Add a temporary buffer, to call `greentea_getc()`
8 times, and then put it in the correct endianity for input to `unhexify()`.
2019-09-24 11:23:15 +03:00
Ron Eldor 635888b287 Reduce stack usage of test_suite_pkcs1_v15
Reduce the stack usage of the `test_suite_pkcs1_v15` by reducing the
size of the buffers used in the tests, to a reasonable big enough size.
2019-09-24 11:22:51 +03:00
Ron Eldor 6fd1aa050e Increase test suite timeout
Increase the test suite timeouit from 180 seconds, to 800 seconds,
since some tests consume more time, even if all tests are skipped.
2019-09-24 11:22:23 +03:00
Ron Eldor 5b8f120fca Reduce stack usage of test_suite_pkcs1_v21
Reduce the stack usage of the `test_suite_pkcs1_v21` by reducing the
size of the buffers used in the tests, to a reasonable big enough size,
and change the size sent to the API to sizeof output.
2019-09-24 11:22:04 +03:00
Ron Eldor fdc15bd581 Reduce stack usage of test_suite_rsa
Reduce the stack usage of the `test_suite_rsa` by reducing the
size of the buffers used in the tests, to a reasonable big enough size,
and change the data size to decrypt in the data file.
2019-09-24 11:21:36 +03:00
Ron Eldor 58e3f69dd3 Reduce stack usage of test_suite_pk
Reduce the stack usage of the `test_suite_pk` by reducing the
size of the buffers used in the tests, to a reasonable big enough size.
2019-09-24 11:21:21 +03:00
Gilles Peskine 7e88e13d94 Test data: replace "::" by ":"
The current test generator code accepts multiple colons as a
separator, but this is just happenstance due to how the code, it isn't
robust. Replace "::" by ":", which is more future-proof and allows
simple separator-based navigation.
2019-09-20 16:01:59 +02:00
Gilles Peskine efa2ac879d Uniquify test case descriptions
Make check-test-cases.py pass.

Prior to this commit, there were many repeated test descriptions, but
none with the same test data and dependencies and comments, as checked
with the following command:

    for x in tests/suites/*.data; do perl -00 -ne 'warn "$ARGV: $. = $seen{$_}\n" if $seen{$_}; $seen{$_}=$.' $x; done

Wherever a test suite contains multiple test cases with the exact same
description, add " [#1]", " [#2]", etc. to make the descriptions
unique. We don't currently use this particular arrangement of
punctuation, so all occurrences of " [#" were added by this script.

I used the following ad hoc code:

import sys

def fix_test_suite(data_file_name):
    in_paragraph = False
    total = {}
    index = {}
    lines = None
    with open(data_file_name) as data_file:
        lines = list(data_file.readlines())
        for line in lines:
            if line == '\n':
                in_paragraph = False
                continue
            if line.startswith('#'):
                continue
            if not in_paragraph:
                # This is a test case description line.
                total[line] = total.get(line, 0) + 1
                index[line] = 0
            in_paragraph = True
    with open(data_file_name, 'w') as data_file:
        for line in lines:
            if line in total and total[line] > 1:
                index[line] += 1
                line = '%s [#%d]\n' % (line[:-1], index[line])
            data_file.write(line)

for data_file_name in sys.argv[1:]:
    fix_test_suite(data_file_name)
2019-09-20 15:59:31 +02:00
Gilles Peskine 44393c81aa psa_crypto: Add an ECDH+HKDF test with longer output
A test case for 32+0 was present three times, evidently overeager
copy-paste. Replace the duplicates by test cases that read more than
32 bytes, which exercises HKDF a little more (32 bytes is significant
because HKDF-SHA-256 produces output in blocks of 32 bytes).

I obtained the test data by running our implementation, because we're
confident in our implementation now thanks to other test cases: this
data is useful as a non-regression test.
2019-09-20 15:59:28 +02:00
Gilles Peskine d9be186a39 psa_crypto: Fix OAEP test
There's a SHA256 test without a label and one with a label, so do the
same for SHA384.
2019-09-20 15:59:24 +02:00
Gilles Peskine d17cf9d0c4 psa_crypto: Remove duplicate test case
Nothing seems to be missing in its stead.
2019-09-20 15:59:17 +02:00
Gilles Peskine 52c7d998af psa_crypto_se_driver_hal: Fix copypasta in test cases
Before: say CCM twice, do GCM twice.
After: say CCM and do CCM, then say GCM and do GCM.
2019-09-20 15:59:00 +02:00
Gilles Peskine f3eddd68bb pkcs1_v21: Fix copypasta in test case
There should have been a good-saltlen test case and a bad-saltlen test
case for both sizes 522 and 528, but the 522-bad-saltlen test case was
missing and the 528-good-saltlen test case was repeated. Fix this.
2019-09-20 15:58:54 +02:00
Gilles Peskine c5dce20b4e cipher.nist_kw: Fix duplicate test case
There are two test vectors in RFC 5649. There was only one in our test
suite, run twice. Put the second test vector instead of repeating the
first.
2019-09-20 15:58:48 +02:00
Gilles Peskine bfcb69cd5c blowfish: Fix encrypt test case that should have been decrypt
Test vector #15 was encrypted twice. Decrypt it the second time.
2019-09-20 15:58:36 +02:00
Gilles Peskine e07960cf40 aria: Remove duplicate test cases
No data seems to be missing, just some duplicated cases, perhaps due
to naming inconsistencies "ECB_Xxcrypt" vs "ECB Xxcrypt" which I also
fixed.
2019-09-20 15:58:27 +02:00
Gilles Peskine 95758f8d61 *.data: remove semicolons from test case descriptions
Don't use semicolons in test case descriptions. The test outcome file
is a semicolon-separated CSV file without quotes to keep things
simple, so fields in that file may not contain semicolons.
2019-09-19 15:26:57 +02:00
Gilles Peskine a291413a1e
Merge pull request #257 from gilles-peskine-arm/psa-remove_zero_length_keys
Forbid zero-length keys
2019-09-19 13:07:41 +02:00
Gilles Peskine 51dcc24998 Test outcome file support: test suites
If the environment variable MBEDTLS_TEST_OUTCOME_FILE is set, then for
each test case, write a line to the file with the given name, of the
form

    PLATFORM;CONFIGURATION;TEST SUITE;TEST CASE DESCRIPTION;PASS/FAIL/SKIP;CAUSE

PLATFORM and CONFIGURATION come from the environment variables
MBEDTLS_TEST_PLATFORM and MBEDTLS_TEST_CONFIGURATION.

Errors while writing the test outcome file are not considered fatal,
and are not reported except for an error initially opening the file.
This is in line with other write errors that are not checked.
2019-09-18 17:44:29 +02:00
Gilles Peskine 47b7540fec Give a type name to test_info
Make it possible to pass test_info around rather than always refer to the
global variable.
2019-09-18 17:44:29 +02:00
Gilles Peskine 31fccc80a5 Fix typo in message 2019-09-18 17:44:29 +02:00
Gilles Peskine 3c1c8ea3e7 Prefer unsigned types for non-negative numbers
Use size_t for some variables that are array indices.
Use unsigned for some variables that are counts of "small" things.
2019-09-18 17:44:29 +02:00
Jaeden Amero 914a5071b4 Bump Mbed TLS version to 2.19.1 2019-09-18 13:42:36 +01:00
Hanno Becker 6dfa665398 X.509: Add numerous negative parsing tests for CertificatePolicy ext
This commit adds multiple test cases to the X.509 CRT parsing test suite
exercising the stack's behaviour when facing CertificatePolicy extensions
that are malformed for a variety of reasons. It follows the same scheme
as in other negative parsing tests: For each ASN.1 component, have test
cases for (a) unexpected tag, (b) missing length, (c) invalid length
encoding, (d) length out of bounds.
2019-09-17 13:10:42 +01:00
Hanno Becker c15ff98455 X.509: Adapt negative parsing test for no data in CrtPolicy ext
This commit modifies the test

   X509 CRT ASN1 (TBSCertificate v3, inv CertificatePolicies, data missing)

which exercises the behaviour of the X.509 CRT parser when facing a
CertificatePolicy extension with empty data field.

The following adaptations are made:
- The subject ID and issuer ID are modified to have length 0.
  The previous values `aa` and `bb` are OK, but a generic ASN.1
  parser will try to interpret them as ASN.1 tags and fail. For
  maintainability, it's therefore better to use something that
  can be parsed as ASN.1, and an empty ID is the easiest solution
  here.
- The TBS part of the certificate wasn't followed by signature
  algorithm and signature fields, which makes the test incompatible
  with future changes swapping to breadth-first parsing of
  certificates.
2019-09-17 13:10:42 +01:00
Hanno Becker 7b8330a9c7 X.509: Move negative tests for CertificatePolicy parsing
This commit moves the X.509 negative parsing tests for the
CertificatePolicy extension to the place where negative
testing of other extensions happens.
2019-09-17 13:10:42 +01:00
Hanno Becker 82a1fe5fcc X.509: Remove CRT policy parsing test 'bool len missing'
Judging from its name, the purpose of the test

   TBSCertificate v3, ext CertificatePolicies tag, bool len missing

in test_suite_x509parse.data is to exercise the X.509 parsing stack's
behaviour when parsing a CertificatePolicy extension which lacks the
length field of the boolean 'Criticality' value.

However, the test fails at an earlier stage due to a mismatch of inner
and outer length of the explicit ASN.1 extensions structure.

Since we already have tests exercising

- mismatch of inner and outer length in the extensions structure, namely
  'X509 CRT ASN1 (TBS, inv v3Ext, inner tag invalid)'
- missing length of the 'Criticality' field in an extension, namely
  'X509 CRT ASN1 (TBS, inv v3Ext, critical length missing)'

and since for both tests there's no relevance to the use of the
policy extension OID, the test

  'TBSCertificate v3, ext CertificatePolicies tag, bool len missing'

can be dropped.
2019-09-17 13:10:42 +01:00
k-stachowiak 9b88efc378 Check len against buffers size upper bound in PSA tests 2019-09-13 15:26:53 +02:00
Gilles Peskine 89cc74f447 Fix signature size checks in psa_asymmetric_verify for RSA
The signature must have exactly the same length as the key, it can't
be longer. Fix #258

If the signature doesn't have the correct size, that's an invalid
signature, not a problem with an output buffer size. Fix the error code.

Add test cases.
2019-09-13 11:39:11 +02:00
Gilles Peskine 4019f0e914 Immediately reject 0-size signature buffer when signing
In psa_asymmetric_sign, immediately reject an empty signature buffer.
This can never be right.

Add test cases (one RSA and one ECDSA).

Change the SE HAL mock tests not to use an empty signature buffer.
2019-09-12 22:05:59 +02:00
Gilles Peskine 043b281714 Add a few test cases for non-byte-aligned raw data keys
Add tests for derivation.

Test both 7 bits and 9 bits, in case the implementation truncated the
bit size down and 7 was rejected as 0 rather than because it isn't a
multiple of 8.

There is no corresponding test for import because import determines
the key size from the key data, which is always a whole number of bytes.
2019-09-12 19:05:00 +02:00
Gilles Peskine a782b95806 Add test cases for zero-length keys
Check that zero-length keys cannot be imported, generated or derived.
2019-09-12 19:01:52 +02:00
Gilles Peskine 491181bd9d Remove test cases that use zero-length keys
If there isn't already a test with a raw data key of the now-minimal
length (1 byte), change the test case to a 1-byte key.
2019-09-12 18:50:58 +02:00
Gilles Peskine 2dedcc5989 Change X.509 test cases to not rely on asn1parse limitations
Tweak test data for one test case to not rely on mbedtls_asn1_get_int
lacking support for leading zeros. Instead, use a number that is
actually out of range for int.

Tweak test data for one test case to not rely on
mbedtls_asn1_get_bitstring_null rejecting bitstrings shorter than two
octets. Instead, try bit strings that are genuinely invalid, or have a
nonzero number of unused bits.

Add a test case with a correct empty signature. This is commented out
because asn1parse currently does not support this. Uncomment it when
asn1parse is updated to support this.
2019-09-11 17:23:07 +02:00
Gilles Peskine 2cd8ecc08b New test helper macro ASSERT_ALLOC_WEAK
The new macro ASSERT_ALLOC_WEAK does not fail the test case if the
memory allocation fails. This is useful for tests that allocate a
large amount of memory, but that aren't useful on platforms where
allocating such a large amount is not possible.

Ideally this macro should mark the test as skipped. We don't yet have
a facility for that but we're working on it. Once we have a skip
functionality, this macro should be changed to use it.
2019-09-11 15:46:45 +02:00
Gilles Peskine a902303587 Test mbedtls_asn1_store_named_data 2019-09-11 15:46:45 +02:00
Gilles Peskine 9311cf5093 asn1write: test NULL, OID and AlgorithmIdentifier 2019-09-11 15:46:45 +02:00
Gilles Peskine 91d8d023c2 Fix typo that prevented mbedtls_asn1_write_len tests from running 2019-09-11 15:46:45 +02:00
Gilles Peskine 3f37dca794 asn1write: Test short and large buffers more systematically
Use the test-many-sizes framework for string writes as
well (previously, it was only used for booleans and integers). This
way, more edge cases are tested with less test code.

This commit removes buffer overwrite checks. Instead of these checks,
run the test suite under a memory sanitizer (which we do in our CI).
2019-09-11 15:46:45 +02:00
Gilles Peskine 3a032c36c1 Add test cases for BOOLEANs and INTEGERs
Omit negative integers and MPIs that would result in values that look
like negative INTEGERs, since the library doesn't respect the
specifications there, but fixing it has a serious risk of breaking
interoperability when ASN.1 is used in X.509 and other
cryptography-related applications.
2019-09-11 15:46:44 +02:00
Gilles Peskine 27d806fab4 Add ASN.1 parsing tests
Add self-contained ASN.1 parsing tests, so that ASN.1 parsing is not
solely tested through X.509 and TLS.

The tests cover every function and almost complete line coverage in
asn1parse.c.

A few test cases containing negative and edge case INTEGER values are
deliberately deactivated because the historical library behavior is at
odds with official specifications, but changing the behavior might
break interoperability.

Other than that, these tests revealed a couple of minor bugs which
will be fixed in subsequent commits.
2019-09-11 15:46:44 +02:00
Gilles Peskine 5605591cc1 Report step number when a test case fails
Allow test code to declare a "step number". Report the current step
number when a test fails.
2019-09-11 15:46:44 +02:00
Ron Eldor 5a0f45b61b Modify tests
1. Rephrase test description and move it to the section where
all other same tests are located.
2. Add another test for short key.
2019-09-11 14:09:08 +03:00
Ron Eldor 16cca804fb Add non regression test
Add a test that adds a very long key for an unsupported algorithm.
2019-09-11 10:14:48 +03:00
Hanno Becker bf2dacb8fe Fix memory leak in CSR test suite on failure 2019-09-06 07:44:37 -04:00
Hanno Becker 2fcdd7446e Fix a memory leak in x509write test suite
This leak wasn't discovered by the CI because the only test in
all.sh exercising the respective path enabled the custom memory
buffer allocator implementations of calloc() and free(), hence
bypassing ASan.
2019-09-06 07:44:37 -04:00
Janos Follath 651eac8c5e Make tests use the new deterministic ECDSA function
In preparation of deprecating the old and less secure deterministic
ECDSA signature function we need to remove it from the test. At the
same time, the new function needs to be tested. Modifying the tests
to use the new function achieves both of these goals.
2019-09-05 11:18:58 +01:00
Jaeden Amero c04305f036 Merge remote-tracking branch 'crypto/development' into development-restricted
* crypto/development: (863 commits)
  crypto_platform: Fix typo
  des: Reduce number of self-test iterations
  Fix -O0 build for Aarch64 bignum multiplication.
  Make GNUC-compatible compilers use the right mbedtls_t_udbl again on Aarch64 builds.
  Add optimized bignum multiplication for Aarch64.
  Enable 64-bit limbs for all Aarch64 builds.
  HMAC DRBG: Split entropy-gathering requests to reduce request sizes
  psa: Use application key ID where necessary
  psa: Adapt set_key_id() for when owner is included
  psa: Add PSA_KEY_ID_INIT
  psa: Don't duplicate policy initializer
  crypto_extra: Use const seed for entropy injection
  getting_started: Update for PSA Crypto API 1.0b3
  Editorial fixes.
  Cross reference 'key handles' from INVALID_HANDLE
  Update documentation for psa_destroy_key
  Update documentation for psa_close_key
  Update psa_open_key documentation
  Remove duplicated information in psa_open_key
  Initialize key bits to max size + 1 in psa_import_key
  ...
2019-09-05 11:11:38 +01:00
Jaeden Amero 4013b98df0
Merge pull request #166 from k-stachowiak/IOTCRYPT-440-add-missing-dec_empty_buf-tests
Add missing dec_empty_buf tests
2019-09-04 10:18:11 +01:00
Darryl Green fe997c646b Update library version to 2.19.0 2019-08-30 13:02:16 +01:00
Jaeden Amero 21db2a94a4
Merge pull request #229 from k-stachowiak/IOTCRYPT-791-remove-legacy-psa-key-derivation
Remove legacy psa key derivation
2019-08-29 11:31:23 +01:00
Jaeden Amero 4e0db5642a Merge branch 'mbedtls-2.18' into development
Bring Mbed TLS 2.18.0 and 2.18.1 release changes back into the
development branch. We had branched to release 2.18.0 and 2.18.1 in
order to allow those releases to go out without having to block work on
the `development` branch.

Manually resolve conflicts in the Changelog by moving all freshly addded
changes to a new, unreleased version entry.

Reject changes to include/mbedtls/platform.h made in the mbedtls-2.18
branch, as that file is now sourced from Mbed Crypto.

* mbedtls-2.18:
  platform: Include stdarg.h where needed
  Update Mbed Crypto to contain mbed-crypto#152
  CMake: Add a subdirectory build regression test
  README: Enable builds as a CMake subproject
  ChangeLog: Enable builds as a CMake subproject
  Remove use of CMAKE_SOURCE_DIR
  Update library version to 2.18.0
2019-08-27 11:18:28 +01:00
Hanno Becker f9b3303eb9 Introduce specific error for ver/cfg mismatch on deserialization
This commit introduces a new SSL error code

  `MBEDTLS_ERR_SSL_VERSION_MISMATCH`

which can be used to indicate operation failure due to a
mismatch of version or configuration.

It is put to use in the implementation of `mbedtls_ssl_session_load()`
to signal the attempt to de-serialize a session which has been serialized
in a build of Mbed TLS using a different version or configuration.
2019-08-23 12:51:21 +03:00
Hanno Becker fe1275e3fe Improve test for detection of ver/cfg corruption in serialized data
This commit improves the test exercising the behaviour of
session deserialization when facing an unexpected version
or config, by testing ver/cfg corruption at any bit in the
ver/cfg header of the serialized data; previously, it had
only tested the first bit of each byte.
2019-08-23 12:51:21 +03:00
Hanno Becker 363b646dd8 Use US spelling 'serialize' instead of UK spelling 'serialise' 2019-08-23 12:51:21 +03:00
Hanno Becker bb54d5a3b1 Use consistent spelling of 'serialise/serialize' in SSL test suite 2019-08-23 12:51:21 +03:00
Hanno Becker 861d0bbbf2 Add negative tests for unexpected ver/cfg in session deserialization 2019-08-23 12:51:21 +03:00
Manuel Pégourié-Gonnard aa75583ced Re-enable test that now works with new format
Previously the test didn't work because of embedded pointer values that
are not predictable. Now it works as we no longer serialize such values.
2019-08-23 12:50:17 +03:00
Manuel Pégourié-Gonnard ee13a732d6 Fix serialization tests for !SSL_KEEP_PEER_CERT
The chosen fix matches what's currently done in the baremetal branch - except
the `#ifdef` have been adapted because now in baremetal the digest is not kept
if renegotiation is disabled.
2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard 686adb4d54 Normalize spelling to serialiZation
We have explicit recommendations to use US spelling for technical writing, so
let's apply this to code as well for uniformity. (My fingers tend to prefer UK
spelling, so this needs to be fixed in many places.)

sed -i 's/\([Ss]eriali\)s/\1z/g' **/*.[ch] **/*.function **/*.data ChangeLog
2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard 1f6033a479 Fix undeclared dependency on FS_IO in test code
Found by 'all.sh test_no_platform' and by 'tests/scripts/test-ref-configs.pl'.
2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard 220403b954 Fix style issues and typos in test code 2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard b40799035b Fix another wrong check for errors in test code 2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard f9deaece43 Add test that save-load is the identity
This test works regardless of the serialisation format and embedded pointers
in it, contrary to the load-save test, though it requires more maintenance of
the test code (sync the member list with the struct definition).
2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard 6b840704c4 Fix populate_session() and its usage in tests
Not checking the return value allowed a bug to go undetected, fix the bug and
check the return value.
2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard a3d831b9e6 Add test for session_load() from small buffers
This uncovered a bug that led to a double-free (in practice, in general could
be free() on any invalid value): initially the session structure is loaded
with `memcpy()` which copies the previous values of pointers peer_cert and
ticket to heap-allocated buffers (or any other value if the input is
attacker-controlled). Now if we exit before we got a chance to replace those
invalid values with valid ones (for example because the input buffer is too
small, or because the second malloc() failed), then the next call to
session_free() is going to call free() on invalid pointers.

This bug is fixed in this commit by always setting the pointers to NULL right
after they've been read from the serialised state, so that the invalid values
can never be used.

(An alternative would be to NULL-ify them when writing, which was rejected
mostly because we need to do it when reading anyway (as the consequences of
free(invalid) are too severe to take any risk), so doing it when writing as
well is redundant and a waste of code size.)

Also, while thinking about what happens in case of errors, it became apparent
to me that it was bad practice to leave the session structure in an
half-initialised state and rely on the caller to call session_free(), so this
commit also ensures we always clear the structure when loading failed.
2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard f5fa0aa664 Add test for session_save() on small buffers 2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard 5b1674e0ba Disable test for load-save identity
This test appeared to be passing for the wrong reason, it's actually not
appropriate for the current implementation. The serialised data contains
values of pointers to heap-allocated buffers. There is no reason these should
be identical after a load-save pair. They just happened to be identical when I
first ran the test due to the place of session_free() in the test code and the
fact that the libc's malloc() reused the same buffers. The test no longer
passes if other malloc() implementations are used (for example, when compiling
with asan which avoids re-using the buffer, probably for better error
detection).

So, disable this test for now (we can re-enable it when we changed how
sessions are serialised, which will be done in a future PR, hence the name of
the dummy macro in depends_on). In the next commit we're going to add a test
that save-load is the identity instead - which will be more work in testing as
it will require checking each field manually, but at least is reliable.
2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard 3caa6caf4a Improve load-save test with tickets and certs 2019-08-23 12:48:41 +03:00
Manuel Pégourié-Gonnard 6eac11b007 Start adding unit test for session serialisation
This initial test ensures that a load-save function is the identity. It is so
far incomplete in that it only tests sessions without tickets or certificate.
This will be improved in the next commits.
2019-08-23 12:48:41 +03:00
Darryl Green 74c932e596 Parametrize key bits in import mock test 2019-08-21 16:56:16 +01:00
Jaeden Amero 4abb40cab3 Clean up core storage between tests 2019-08-21 16:56:16 +01:00
Unknown f740b0abbb crypto_se_driver: add verification mock test 2019-08-21 16:56:16 +01:00
Unknown b7656a8a85 crypto_se_driver: add signing mock test 2019-08-21 16:56:16 +01:00
Unknown 136901c24c crypto_se_driver: add public key exporting test 2019-08-21 16:56:16 +01:00
Unknown 903b5da51c crypto_se_driver: add an error injection mechanism to the mocks 2019-08-21 16:56:16 +01:00
Unknown 9fd6b0cb6f crypto_se_driver: add key generation mock and test 2019-08-21 16:56:16 +01:00
Unknown c9ad5910aa crypto_se_driver: add mock tests
Mock key importing and exporting
2019-08-21 16:56:16 +01:00
Darryl Green 572a16e694 Merge branch 'psa-api-1.0-beta' into api-to-development 2019-08-21 10:31:12 +01:00
Jaeden Amero 89e7655691 Merge remote-tracking branch 'crypto/pr/212' into development
* crypto/pr/212: (337 commits)
  Make TODO comments consistent
  Fix PSA tests
  Fix psa_generate_random for >1024 bytes
  Add tests to generate more random than MBEDTLS_CTR_DRBG_MAX_REQUEST
  Fix double free in psa_generate_key when psa_generate_random fails
  Fix copypasta in test data
  Avoid a lowercase letter in a macro name
  Correct some comments
  Fix PSA init/deinit in mbedtls_xxx tests when using PSA
  Make psa_calculate_key_bits return psa_key_bits_t
  Adjust secure element code to the new ITS interface
  More refactoring: consolidate attribute validation
  Fix policy validity check on key creation.
  Add test function for import with a bad policy
  Test key creation with an invalid type (0 and nonzero)
  Remove "allocated" flag from key slots
  Take advantage of psa_core_key_attributes_t internally #2
  Store the key size in the slot in memory
  Take advantage of psa_core_key_attributes_t internally: key loading
  Switch storage functions over to psa_core_key_attributes_t
  ...
2019-08-16 11:02:31 +01:00
Jaeden Amero 70de9dc052 Remove unused cryptography test files 2019-08-15 15:44:50 +01:00
k-stachowiak 3794dec52b Change the expected error for two key derivation tests 2019-08-14 19:23:24 +02:00
Gilles Peskine 317f940304
Merge pull request #144 from gilles-peskine-arm/oss-fuzz-fix-build-crypto
Fix full build including non-boolean with Asan: crypto part
2019-08-14 15:30:18 +02:00
k-stachowiak 012dcc4b87 Remove PSA_PRE_1_0_KEY_DERIVATION and the corresponding code 2019-08-13 18:42:40 +02:00
Gilles Peskine 5da7b3e55c Drivers must have a psa_destroy_key method
Drivers that allow destroying a key must have a destroy method. This
test bug was previously not caught because of an implementation bug
that lost the error triggered by the missing destroy method.
2019-08-13 16:04:34 +02:00
Gilles Peskine 8fe253ae4a SE keys: test that psa_destroy_key removes the key from storage 2019-08-13 15:11:25 +02:00
Gilles Peskine 8df72f271f SE generate/sign/verify tests: also test export_public
Add a flow where the key is imported or fake-generated in the secure
element, then call psa_export_public_key and do the software
verification with the public key.
2019-08-09 16:43:36 +02:00
Gilles Peskine af906f852c RAM test driver: implement export_public 2019-08-09 16:43:36 +02:00
Gilles Peskine c068ded015 RAM test driver: improve key creation
Factor common code of ram_import and ram_fake_generate into a common
auxiliary function.

Reject key types that aren't supported by this test code.

Report the bit size correctly for EC key pairs.
2019-08-09 16:43:36 +02:00
Gilles Peskine eecadde6ad SE support: Test sign and verify hooks with a passthrough driver 2019-08-09 16:43:35 +02:00
Gilles Peskine 11792086cc SE keys: implement and smoke-test p_generate 2019-08-09 16:43:35 +02:00
Gilles Peskine f3801fff77 Update import_key and generate_key SE methods to the current API
The methods to import and generate a key in a secure element drivers
were written for an earlier version of the application-side interface.
Now that there is a psa_key_attributes_t structure that combines all
key metadata including its lifetime (location), type, size, policy and
extra type-specific data (domain parameters), pass that to drivers
instead of separate arguments for each piece of metadata. This makes
the interface less cluttered.

Update parameter names and descriptions to follow general conventions.

Document the public-key output on key generation more precisely.
Explain that it is optional in a driver, and when a driver would
implement it. Declare that it is optional in the core, too (which
means that a crypto core might not support drivers for secure elements
that do need this feature).

Update the implementation and the tests accordingly.
2019-08-09 16:43:35 +02:00
Gilles Peskine 49bd58274e Test the call to p_validate_slot_number when registering a key 2019-08-09 15:05:32 +02:00
Gilles Peskine d772958ffc New function mbedtls_psa_register_se_key
Register an existing key in a secure element.

Minimal implementation that doesn't call any driver method and just
lets the application declare whatever it wants.
2019-08-09 15:05:21 +02:00
Gilles Peskine e88c2c1338 Pass the key creation method to drivers
Pass the key creation method (import/generate/derive/copy) to the
driver methods to allocate or validate a slot number. This allows
drivers to enforce policies such as "this key slot can only be used
for keys generated inside the secure element".
2019-08-09 14:59:31 +02:00
Gilles Peskine b231d996a0
Merge pull request #202 from gilles-peskine-arm/psa-se_driver-choose_key_slot_number
Let applications create a key in a specific secure element slot
2019-08-09 14:29:54 +02:00
Gilles Peskine fdbc544b22
Merge pull request #192 from gilles-peskine-arm/psa-test-policy_bad_algorithm
Add some negative tests for policy checks
2019-08-09 13:32:45 +02:00
Janos Follath 849b05afb8 Fix PSA tests
The test framework has changed, but it did not cause any merge
conflicts. Still it affected new code in the tests.
2019-08-09 10:22:32 +01:00