Commit Graph

1371 Commits

Author SHA1 Message Date
Jaeden Amero
1c986a9859 Update version to 2.1.11 2018-03-16 16:29:30 +00:00
Jaeden Amero
23f503f12d Merge remote-tracking branch 'upstream-restricted/pr/465' into mbedtls-2.1-restricted-proposed 2018-03-14 18:32:21 +00:00
Jaeden Amero
5e50ff8f44 Merge remote-tracking branch 'upstream-restricted/pr/395' into mbedtls-2.1-restricted-proposed 2018-03-14 18:16:29 +00:00
Manuel Pégourié-Gonnard
a566dc4d45 fixup previous commit: add forgotten file 2018-03-14 14:10:43 +01:00
Manuel Pégourié-Gonnard
74b8ae89c6 x509: CRL: add tests for non-critical extension
The 'critical' boolean can be set to false in two ways:
- by leaving it implicit (test data generated by openssl)
- by explicitly setting it to false (generated by hand)
2018-03-14 12:48:04 +01:00
Manuel Pégourié-Gonnard
85f36ae0a1 x509: CRL: add tests for malformed extensions
This covers all lines added in the previous commit. Coverage was tested using:

    make CFLAGS='--coverage -g3 -O0'
    (cd tests && ./test_suite_x509parse)
    make lcov
    firefox Coverage/index.html # then visual check

Test data was generated by taking a copy of tests/data_files/crl-idp.pem,
encoding it as hex, and then manually changing the values of some bytes to
achieve the desired errors, using https://lapo.it/asn1js/ for help in locating
the desired bytes.
2018-03-14 12:48:03 +01:00
Manuel Pégourié-Gonnard
b0661769ab x509: CRL: reject unsupported critical extensions 2018-03-14 09:28:24 +01:00
Gilles Peskine
df6f3dd9b0 Merge remote-tracking branch 'upstream-restricted/pr/430' into mbedtls-2.1-restricted-proposed 2018-03-13 17:28:42 +01:00
Gilles Peskine
8c1217984b Merge remote-tracking branch 'upstream-restricted/pr/360' into mbedtls-2.1-restricted-proposed
Conflicts:
* scripts/config.pl: reconciled parallel edits in a comment.
2018-03-13 17:26:49 +01:00
Gilles Peskine
5e533f43ee Merge remote-tracking branch 'upstream-public/pr/1373' into mbedtls-2.1-proposed 2018-03-12 23:51:50 +01:00
Gilles Peskine
8da4f864a5 Merge remote-tracking branch 'upstream-public/pr/1009' into mbedtls-2.1-proposed 2018-03-12 23:44:48 +01:00
Gilles Peskine
adee19582e Merge branch 'pr_1409' into mbedtls-2.1-proposed 2018-03-11 00:52:36 +01:00
Gilles Peskine
857802afb3 Merge remote-tracking branch 'upstream-public/pr/1250' into mbedtls-2.1-proposed 2018-03-11 00:52:35 +01:00
itayzafrir
cabc098a0f Test suite test_suite_pk test pk_rsa_overflow passes valid parameters for hash and sig.
Test suite test_suite_pk test pk_rsa_overflow passes valid parameters for hash and sig.
2018-03-05 09:50:58 +02:00
Gilles Peskine
25ec9cc9b3 Merge branch 'prr_428' into mbedtls-2.1-proposed 2018-02-22 16:24:13 +01:00
Gilles Peskine
ac33180219 Merge branch 'pr_1354' into mbedtls-2.1 2018-02-20 16:37:17 +01:00
Gilles Peskine
2e50efad44 Merge remote-tracking branch 'upstream-public/pr/1334' into mbedtls-2.1-proposed 2018-02-14 15:13:37 +01:00
Antonio Quartulli
0a63f9ea40 tests_suite_pkparse: new PKCS8-v2 keys with PRF != SHA1
Extend the pkparse test suite with the newly created keys
encrypted using PKCS#8 with PKCS#5 v2.0 with PRF being
SHA224, 256, 384 and 512.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-02-14 11:12:58 +01:00
Antonio Quartulli
ac857f3744 data_files/pkcs8-v2: add keys generated with PRF != SHA1
We now have support for the entire SHA family to be used as
PRF in PKCS#5 v2.0, therefore we need to add new keys to test
these new functionalities.

This patch adds the new keys in `tests/data_files` and
commands to generate them in `tests/data_files/Makefile`.

Note that the pkcs8 command in OpenSSL 1.0 called with
the -v2 argument generates keys using PKCS#5 v2.0 with SHA1
as PRF by default.

(This behaviour has changed in OpenSSL 1.1, where the exact same
command instead uses PKCS#5 v2.0 with SHA256)

The new keys are generated by specifying different PRFs with
-v2prf.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-02-14 11:12:58 +01:00
Antonio Quartulli
b0fe7bea85 tests/pkcs5/pbkdf2_hmac: extend array to accommodate longer results
Some unit tests for pbkdf2_hmac() have results longer than
99bytes when represented in hexadecimal form.

For this reason extend the result array to accommodate
longer strings.

At the same time make memset() parametric to avoid
bugs in the future.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-02-14 11:12:58 +01:00
Antonio Quartulli
6ae1fe0c2c tests/pkcs5/pbkdf2_hmac: add unit tests for additional SHA algorithms
Test vectors for SHA224,256,384 and 512 have been
generated using Python's hashlib module by the
following oneliner:

import binascii, hashlib
binascii.hexlify(hashlib.pbkdf2_hmac(ALGO, binascii.unhexlify('PASSWORD'), binascii.unhexlify('SALT'), ITER, KEYLEN)))

where ALGO was 'sha224', 'sha256', 'sha384' and 'sha512'
respectively.

Values for PASSWORD, SALT, ITER and KEYLEN were copied from the
existent test vectors for SHA1.

For SHA256 we also have two test vectors coming from RFC7914 Sec 11.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-02-14 11:12:58 +01:00
Antonio Quartulli
b9e3c6d9c6 pkcs5v2: add support for additional hmacSHA algorithms
Currently only SHA1 is supported as PRF algorithm for PBKDF2
(PKCS#5 v2.0).
This means that keys encrypted and authenticated using
another algorithm of the SHA family cannot be decrypted.

This deficiency has become particularly incumbent now that
PKIs created with OpenSSL1.1 are encrypting keys using
hmacSHA256 by default (OpenSSL1.0 used PKCS#5 v1.0 by default
and even if v2 was forced, it would still use hmacSHA1).

Enable support for all the digest algorithms of the SHA
family for PKCS#5 v2.0.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-02-14 11:12:58 +01:00
Ron Eldor
607033e3df Add some tests for different available profiles
Add tests for suite b profile and for the next profile
2018-02-07 12:10:07 +02:00
Jaeden Amero
f885c81f15 Update version to 2.1.10 2018-02-02 18:10:05 +00:00
Andres Amaya Garcia
c2c3432040 Improve test_suite_pk size_t vs unsigned int check 2018-01-29 21:59:12 +01:00
Andres Amaya Garcia
401441b74d Add test command for 64-bit ILP32 in all.sh 2018-01-29 21:59:12 +01:00
Andres Amaya Garcia
ce37ab7ada Fix test_suite_pk.function to work on 64-bit ILP32
This change fixes a problem in the tests pk_rsa_alt() and
pk_rsa_overflow() from test_suite_pk.function that would cause a
segmentation fault. The problem is that these tests are only designed
to run in computers where the sizeof(size_t) > sizeof(unsigned int).
2018-01-29 21:54:26 +01:00
Jaeden Amero
2b72742e3f Merge branch 'mbedtls-2.1' into mbedtls-2.1-restricted 2018-01-29 12:52:10 +00:00
Jaeden Amero
9442121200 Merge remote-tracking branch 'upstream-public/pr/1288' into mbedtls-2.1 2018-01-29 12:52:01 +00:00
Jaeden Amero
bfafd12789 Merge remote-tracking branch 'upstream-restricted/pr/414' into mbedtls-2.1-restricted 2018-01-26 18:09:14 +00:00
Jaeden Amero
4af592178e Merge branch 'mbedtls-2.1' into mbedtls-2.1-restricted 2018-01-26 15:06:48 +00:00
Ron Eldor
35836bfd37 Support verbose output of the test suites
generate add ctest test-suites, with the --verbose argument to be given
to the test suites.
The verbose output will be shown **only** if ctest is run with `-v` parameter
The verbose argument is to the test-suites, only when run through `ctest`
2018-01-25 18:25:44 +00:00
Jaeden Amero
e5b443e2d6 Merge branch 'mbedtls-2.1' into mbedtls-2.1-restricted 2018-01-24 15:24:42 +00:00
Simon Butcher
60411a8b7f Fix typos and add copyright statement to generate_code.pl 2018-01-23 21:21:00 +00:00
SimonB
8bcd549a3a Refactored test suite template code
Restructed test suite helper and main code to support tests suite helper
functions, changed C++ comments to C-style, and made the generated
source code more navigable.
2018-01-23 21:21:00 +00:00
SimonB
0284f58234 Added support for per test suite helper functions
Added to generate_code.pl:
    - support for per test suite helper functions
    - description of the structure of the files the script uses to construct
      the test suite file
    - delimiters through the source code to make the machine generated code
      easier to understand
2018-01-23 21:17:27 +00:00
SimonB
e39088a62b Clarified purpose and usage of generate_code.pl
Added comments to explain purpose and usage of generate_code.pl
2018-01-23 21:07:10 +00:00
Andres AG
9b9ae0d897 Test corner case uses of memory_buffer_alloc.c 2018-01-23 21:03:49 +00:00
Simon Butcher
e9cfe146b5 Widens test bounds on memory alloc tests 2018-01-23 21:03:49 +00:00
SimonB
aff799231e Additional tests to test stack buffer allocator
Adds additional tests to the test suite for
memory_buffer_alloc.c
2018-01-23 21:03:49 +00:00
Gilles Peskine
784f41c90d wait_server_start: warn if lsof is not available
If lsof is not available, wait_server_start uses a fixed timeout,
which can trigger a race condition if the timeout turns out to be too
short. Emit a warning so that we know this is going on from the test
logs.
2018-01-22 11:24:01 +01:00
Manuel Pégourié-Gonnard
3f69e54f3b Increase waiting times compat.sh and ssl-opt.sh
- Some of the CI machines don't have lsof installed yet, so rely on an sleeping
an arbitrary number of seconds while the server starts. We're seeing
occasional failures with the current delay because the CI machines are highly
loaded, which seems to indicate the current delay is not quite enough, but
hopefully not to far either, so double it.

- While at it, also double the watchdog delay: while I don't remember seeing
  much failures due to client timeout, this change doesn't impact normal
running time of the script, so better err on the safe side.

These changes don't affect the test and should only affect the false positive
rate coming from the test framework in those scripts.
2018-01-22 11:23:58 +01:00
Micha Kraus
1741db9d7e fix bug in get_one_and_zeros_padding()
add test case (“0000000082”) which fails with the old implementation.
2018-01-17 23:58:14 +01:00
Jaeden Amero
1010760d91 Merge branch 'mbedtls-2.1' into mbedtls-2.1-restricted 2018-01-10 13:16:26 +00:00
Hanno Becker
b70ba9fec7 Address issues found by coverity
1) The MPI test for prime generation missed a return value
   check for a call to `mbedtls_mpi_shift_r`. This is neither
   critical nor new but should be fixed.

2) The RSA keygeneration example program contained code
   initializing an RSA context after a potentially failing
   call to CTR DRBG initialization, leaving the corresponding
   RSA context free call in the cleanup section orphaned.
   The commit fixes this by moving the initializtion of the
   RSA context prior to the first potentially failing call.
2018-01-10 10:46:18 +00:00
Gilles Peskine
92deeaa47f all.sh --keep-going: work if TERM is unset 2018-01-02 21:59:21 +01:00
Manuel Pégourié-Gonnard
47331a72e2 Merge branch 'mbedtls-2.1' into mbedtls-2.1-restricted
* mbedtls-2.1:
  all.sh: add some documentation
  all.sh: new option --no-armcc
  all.sh: --keep-going mode
  all.sh: cleaned up usage output
  all.sh: indent
2017-12-26 10:59:02 +01:00
Manuel Pégourié-Gonnard
33df5b34f6 Merge remote-tracking branch 'public/pr/1221' into mbedtls-2.1
* public/pr/1221:
  all.sh: add some documentation
  all.sh: new option --no-armcc
  all.sh: --keep-going mode
  all.sh: cleaned up usage output
  all.sh: indent
2017-12-26 10:58:44 +01:00
Gilles Peskine
d7602c2764 all.sh: add some documentation 2017-12-21 16:14:09 +01:00
Manuel Pégourié-Gonnard
87244fa253 Merge branch 'mbedtls-2.1' into mbedtls-2.1-restricted
* mbedtls-2.1:
  compat.sh: use wait_server_start
  wait_server_start: minor efficiency improvement
2017-12-21 11:13:30 +01:00