Commit Graph

1536 Commits

Author SHA1 Message Date
Hanno Becker
9ec3fe0d43 Introduce configuration option to remove CRT verification callbacks 2019-09-09 09:55:31 +01:00
Hanno Becker
d601854548 Fixup TinyCrypt Tests: Remove redundant guards 2019-09-04 16:19:49 +01:00
Hanno Becker
0e83f7252f TinyCrypt Test: Don't expect ECP error code
We want to be able to remove all legacy ECC entirely when using TinyCrypt.
In particular, we cannot rely on legacy ECC identifiers.
2019-09-04 16:17:45 +01:00
Hanno Becker
6e2fddec7e TinyCrypt Test: Disable det-ECDSA x509write test for TinyCrypt
TinyCrypt only implements non-deterministic ECDSA.
2019-09-04 16:17:45 +01:00
Hanno Becker
179c15f6b0 TinyCrypt Test: Add PK priv'key test for TinyCrypt-based Secp256r1
Even though exhaustive testing of TinyCrypt is left for later,
without this test we don't have any evidence that PK writing
works for TinyCrypt-based PK context.
2019-09-04 16:17:45 +01:00
Hanno Becker
3eb0ee23a0 TinyCrypt Test: Disable x509parse tests that don't apply to TC
TinyCrypt only supports Secp256r1, so skip all tests in test_suite_x509parse
which use different curves, while splitting those which rely on Secp256r1
alone into two tests: one for legacy ECC, and one for TinyCrypt.

Studying and improving the TinyCrypt test coverage is left for a later commit.
2019-09-04 16:17:45 +01:00
Hanno Becker
06e2bf6d01 TinyCrypt Test: Disable CRT print test in test_suite_debug if TC on 2019-09-04 16:17:45 +01:00
Hanno Becker
fdd294a79f TinyCrypt Test: Skip pkwrite test cases that don't apply to TinyCrypt
The current pkwrite tests involving ECC all use curves different
from Secp256r1, so they don't apply to TinyCrypt.

Adding tests for TinyCrypt is left to a later commit.
2019-09-04 16:17:25 +01:00
Hanno Becker
d84dbe559f TinyCrypt Test: Adapt pub/prv ECC key parsing tests to TinyCrypt 2019-09-04 16:17:25 +01:00
Hanno Becker
c10c9bfc10 TinyCrypt Test: Add guards to ECDSA verify tests from PK test suite
- The underlying test vectors are for Secp192r1, while TinyCrypt uses Secp256r1.
- The test implementation is specific to the structure of legacy-ECC PK ctxs.

Addition of analogous tests for TinyCrypt-based ECC PK contexts are left
for a later commit.
2019-09-04 16:17:25 +01:00
Hanno Becker
251d7523fe TinyCrypt Test: Adapt 'PK utils: ECKEY' test in PK test suite 2019-09-04 16:17:25 +01:00
Hanno Becker
f2bf115057 TinyCrypt Test: Initialize TinyCrypt RNG in test suites if enabled 2019-09-04 16:17:25 +01:00
Simon Butcher
42e4e723e8 Merge remote-tracking branch 'origin/pr/648' into baremetal 2019-09-04 12:42:35 +01:00
Hanno Becker
df9633b21c Add missing dependency of RSA test on CTR DRBG 2019-09-03 08:59:05 +01:00
Manuel Pégourié-Gonnard
fc8adbadb5 Merge branch 'mbedtls-2.16' into baremetal-2.16-20190827
* mbedtls-2.16: (21 commits)
  Exclude DTLS 1.2 only with older OpenSSL
  Document the rationale for the armel build
  Switch armel build to -Os
  Add a build on ARMv5TE in ARM mode
  Add changelog entry for ARM assembly fix
  bn_mul.h: require at least ARMv6 to enable the ARM DSP code
  Changelog entry for test certificates update
  Change worktree_rev to HEAD for rev-parse
  Add ChangeLog entry for entropy_nv_seed test case fix
  entropy_nv_seed: cope with SHA-256
  entropy_nv_seed: clean up properly
  Add ChangeLog entry for undefined behavior fix in test_suite_nist_kw
  Don't call memset after calloc
  Adapt ChangeLog
  ECP restart: Don't calculate address of sub ctx if ctx is NULL
  Update certificates to expire in 2029
  Update soon to be expired crl
  Test that a shared library build produces a dynamically linked executable
  Test that the shared library build with CMake works
  Add a test of MBEDTLS_CONFIG_FILE
  ...
2019-08-30 13:08:33 +02:00
Teppo Järvelin
4009d8f377 Make function mbedtls_ssl_set_hostname(...) as optional
Now function mbedtls_ssl_set_hostname is compile-time configurable
in config.h with define MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION.
This affects to many x509 API's. See config.h for details.
2019-08-27 10:47:08 +03:00
Simon Butcher
434ab19164 Merge remote-tracking branch 'origin/pr/629' into baremetal 2019-08-14 16:53:13 +01:00
Simon Butcher
0863b2a259 Merge remote-tracking branch 'origin/pr/612' into baremetal 2019-08-14 16:50:13 +01:00
Gilles Peskine
c1b621c5cb Merge remote-tracking branch 'upstream-public/pr/2754' into mbedtls-2.16 2019-08-14 16:00:01 +02:00
Hanno Becker
572d448ab2 Enforce NULL context for hardcoded RNG 2019-08-12 17:05:03 +01:00
Gilles Peskine
a60dc25e9f
Merge pull request #2419 from RonEld/Backport2.16_2734
Backport 2.16: Update soon to be expired crl
2019-08-03 13:38:20 +02:00
Gilles Peskine
1e3eb28ae3
Merge pull request #2735 from hanno-arm/skip_test-2.16
2.16: Add TEST_ASSUME macro to allow skipping tests at runtime
2019-08-03 13:37:59 +02:00
Manuel Pégourié-Gonnard
39581c7cf4 Merge branch 'mbedtls-2.16' into baremetal-2.16-20190801
* mbedtls-2.16:
  Fix parsing issue when int parameter is in base 16
  Refactor receive_uint32()
  Refactor get_byte function
  Make the script portable to both pythons
  Update the test encoding to support python3
  update the test script
  tests: Limit each log to 10 GiB
2019-08-01 11:05:18 +02:00
Hanno Becker
8844055b0e Remove compression field from SSL session if compression disabled 2019-08-01 10:11:20 +02:00
Hanno Becker
af5d8abf26 Don't call memset on NULL pointer in NIST KW test suite
Note: There's no need to call `memset()` after `calloc()`
because `calloc()` includes zeroization.
2019-07-22 11:15:12 +01:00
Gilles Peskine
756b3f2c25 entropy_nv_seed: cope with SHA-256
This test case was only executed if the SHA-512 module was enabled and
MBEDTLS_ENTROPY_FORCE_SHA256 was not enabled, so "config.pl full"
didn't have a chance to reach it even if that enabled
MBEDTLS_PLATFORM_NV_SEED_ALT.

Now all it takes to enable this test is MBEDTLS_PLATFORM_NV_SEED_ALT
and its requirements, and the near-ubiquitous MD module.
2019-07-19 17:43:03 +02:00
Gilles Peskine
0450eecfae entropy_nv_seed: clean up properly
Call mbedtls_entropy_free on test failure.

Restore the previous NV seed functions which the call to
mbedtls_platform_set_nv_seed() changed. This didn't break anything,
but only because the NV seed functions used for these tests happened
to work for the tests that got executed later in the .data file.
2019-07-19 17:43:03 +02:00
Gilles Peskine
fc41bd7f35 Don't call memset after calloc
memset has undefined behavior when either pointer can be NULL, which
is the case when it's the result of malloc/calloc with a size of 0.
The memset calls here are useless anyway since they come immediately
after calloc.
2019-07-19 17:42:47 +02:00
Hanno Becker
90f7b75354 Fix unused variable warning in SSL test suite 2019-07-12 15:15:08 +01:00
Hanno Becker
ac8c984784 SSL tests: Skip tests using version not matching hardcoded version 2019-07-12 15:15:08 +01:00
Hanno Becker
930fbf60d6 Add TEST_ASSUME macro to allow skipping tests at runtime
This commit adds a macro TEST_ASSUME to the test infrastructure
which allows to skip tests based on unmet conditions determined
at runtime.
2019-07-12 15:15:08 +01:00
Ron Eldor
e81ff54881 Refactor receive_uint32()
Call `greentea_getc()` 8 times, and then `unhexify` once, instead of
calling `receive_byte()`, which inside calls `greentea_getc()` twice,
for every hex digit.
2019-07-11 14:36:34 +03:00
Ron Eldor
3dd77909d3 Refactor get_byte function
Change implementation of `get_byte()` to call `unhexify()`.
2019-07-11 14:36:27 +03:00
Ron Eldor
b43fe57d34 Update the test encoding to support python3
Since Python3 handles encoding differently than Python2,
a change in the way the data is encoded and sent to the target is needed.
1. Change the test data to be sent as hex string
2. Convert the characters to binary bytes.

This is done because the mbed tools translate the encoding differently
(mbed-greentea, and mbed-htrunner)
2019-07-11 14:36:13 +03:00
Ron Eldor
36503922a0 Update certificates to expire in 2029
Update certificates that expire on 2021, to prolong their validity,
to make tests pass three years ahead.
2019-07-10 18:35:10 +03:00
Hanno Becker
e02758c9c8 Remove ciphersuite from SSL session if single suite hardcoded
If MBEDTLS_SSL_SINGLE_CIPHERSUITE is enabled, the type

  mbedtls_ssl_ciphersuite_handle_t

is logically a boolean (concretely realized as `unsigned char`),
containing the invalid handle and the unique valid handle, which
represents the single enabled ciphersuite.

The SSL session structure mbedtls_ssl_session contains an instance
of mbedtls_ssl_ciphersuite_handle_t which is guaranteed to be valid,
and which is hence redundant in any two-valued implementation of
mbedtls_ssl_ciphersuite_handle_t.

This commit replaces read-uses of

  mbedtls_ssl_session::ciphersuite_info

by a getter functions which, and defines this getter function
either by just reading the field from the session structure
(in case MBEDTLS_SSL_SINGLE_CIPHERSUITE is disabled), or by
returning the single valid ciphersuite handle (in case
MBEDTLS_SSL_SINGLE_CIPHERSUITE is enabled) and removing the
field from mbedtls_ssl_session in this case.
2019-07-08 11:23:24 +01:00
Hanno Becker
d3369f6d01 Add TEST_ASSUME macro to allow skipping tests at runtime
This commit adds a macro TEST_ASSUME to the test infrastructure
which allows to skip tests based on unmet conditions determined
at runtime.
2019-07-05 13:41:08 +01:00
Manuel Pégourié-Gonnard
de8869c529 Merge remote-tracking branch 'restricted/pr/608' into baremetal-proposed
* restricted/pr/608:
  programs: Make `make clean` clean all programs always
  ssl_tls: Enable Suite B with subset of ECP curves
  windows: Fix Release x64 configuration
  timing: Remove redundant include file
  net_sockets: Fix typo in net_would_block()
  Add all.sh component that exercises invalid_param checks
  Remove mbedtls_param_failed from programs
  Make it easier to define MBEDTLS_PARAM_FAILED as assert
  Make test suites compatible with #include <assert.h>
  Pass -m32 to the linker as well
  Update library to 2.16.2
  Use 'config.pl baremetal' in all.sh
  Clarify ChangeLog entry for fix to #1628
  Fix #2370, minor typos and spelling mistakes
  Add Changelog entry for clang test-ref-configs.pl fix
  Enable more compiler warnings in tests/Makefile
  Change file scoping of test helpers.function
2019-07-03 10:31:46 +02:00
Hanno Becker
abd929c89c Merge branch 'mbedtls-2.16' into baremetal-2.16-01_07_19 2019-07-01 11:25:42 +01:00
Hanno Becker
7ab8a2e2a0 Add X.509 CRT test for nested calls for CRT frame / PK acquire 2019-06-28 15:52:54 +01:00
Hanno Becker
7c5fbbeec0 Reduce number of parallel workers in X.509 CRT threading test
The previous tests used 100 parallel workers which for EC certificates
leads to a memory usage of more than 1Mb, hence leading to an out of memory
condition in tests using the memory buffer allocator which has a pool of 1Mb.

Use 25 workers but an increased number of iterations per worker instead.
2019-06-25 09:11:11 +01:00
Hanno Becker
d687ef0a91 Move X.509 threading test to separate test suite
This allows to build the library + tests via `make` without
specifying `PTHREAD=1`, in which case the X.509 threading
test suite will be silently dropped.

This is analogous to the pre-existing handling of the example
application `ssl_pthread_server`, which is only build if `PTHREAD=1`
and silently dropped otherwise.
2019-06-25 09:10:57 +01:00
Hanno Becker
fd8b7bd63f Add concurrent X.509 CRT verification test
This commit enhances the X.509 parsing test suite by a test
which exercises multiple threads concurrently verifying the
same certificate with the same set of trusted roots.
2019-06-25 09:10:57 +01:00
Hanno Becker
5f268b3cf6 Don't allow change of CRT frame returned by x509_crt_frame_acquire() 2019-06-25 09:10:57 +01:00
Hanno Becker
54f1c2cb20 Rename MBEDTLS_X509_SAFE_SNPRINTF_WITH_ERROR to _WITH_CLEANUP 2019-06-25 09:10:57 +01:00
Hanno Becker
f6bc8886c7 Move declarations of internal X.509 functions to separate header
This makes it easier to distinguish public from internal functions;
for us, for users, and for automated API compatibility checkers.
2019-06-25 09:10:57 +01:00
Hanno Becker
c6d1c3ed1c Remove frame/pk parameter from mbedtls_x509_crt_xxx_release() 2019-06-25 09:07:16 +01:00
Hanno Becker
1e11f217d4 Solely use raw X.509 name data references including SEQUENCE header
So far, the CRT frame structure `mbedtls_x509_crt_frame` used
as `issuer_raw` and `subject_raw` the _content_ of the ASN.1
name structure for issuer resp. subject. This was in contrast
to the fields `issuer_raw` and `subject_raw` from the legacy
`mbedtls_x509_crt` structure, and caused some information
duplication by having both variants `xxx_no_hdr` and `xxx_with_hdr`
in `mbedtls_x509_crt` and `mbedtls_x509_crt_frame`.

This commit removes this mismatch by solely using the legacy
form of `issuer_raw` and `subject_raw`, i.e. those _including_
the ASN.1 name header.
2019-06-25 09:07:16 +01:00
Hanno Becker
3f8f0dc3fd Use mbedtls_x509_crt_get_subject() in test_suite_x509parse test 2019-06-25 09:06:26 +01:00
Hanno Becker
c69c4465b6 Adapt test_suite_x509parse to new CRT structure 2019-06-25 09:06:26 +01:00