Commit Graph

1197 Commits

Author SHA1 Message Date
Janos Follath
a841d75aad Add unit tests for X509 certificate date parsing 2017-02-28 14:17:32 +00:00
Simon Butcher
d352e6dfcc Merge branch 'mbedtls-2.1-iotssl-1071-ca-flags'
Fixes a regression introduced by an earlier commit that modified
x509_crt_verify_top() to ensure that valid certificates that are after past or
future valid in the chain are processed. However the change introduced a change
in behaviour that caused the verification flags MBEDTLS_X509_BADCERT_EXPIRED and
MBEDTLS_BADCERT_FUTURE to always be set whenever there is a failure in the
verification regardless of the cause.

The fix maintains both behaviours:

 * Ensure that valid certificates after future and past are verified
 * Ensure that the correct verification flags are set.
2017-02-27 20:24:55 +00:00
Simon Butcher
f26f0e3d02 Merge branch 'mbedtls-2.1-iotssl-1077-dos-crl'
Modifies the function mbedtls_x509_crl_parse() to ensure that a CRL in PEM
format with trailing characters after the footer does not result in the
execution of an infinite loop.
2017-02-26 01:31:47 +00:00
Andres AG
b8ba86162a Add PK tests to avoid hashlen overflow for RSA 2017-02-25 20:37:43 +00:00
Andres AG
85041738e4 Add DTLS test to check 6 byte record ctr is cmp
Add a test to ssl-opt.sh to ensure that in DTLS a 6 byte record counter
is compared in ssl_check_ctr_renegotiate() instead of a 8 byte one as in
the TLS case. Because currently there are no testing facilities to check
that renegotiation routines are triggered after X number of input/output
messages, the test consists on setting a renegotiation period that
cannot be represented in 6 bytes, but whose least-significant byte is 2.
If the library behaves correctly, the renegotiation routines will be
executed after two exchanged.
2017-02-25 20:07:38 +00:00
Simon B
31ea513dce Remove need for elevated command line in Windows
Changes use of mklink in Windows test builds, to create junctions instead of
directory symbolic links. This removes the need for an elevated command prompt
when running cmake to create the Visual Studio project files.
2017-02-20 21:47:29 +00:00
Simon B
5e20b82395 Fix config of compiler warning flags with MSVC
Compiler warnings were being configured twice and not suppressed on the
test suites with Microsoft Visual Studio.
2017-02-20 21:47:29 +00:00
Nicholas Wilson
0a5ff55537 Allow test suites to be run on Windows
For a start, they don't even compile with Visual Studio due to strcasecmp
being missing.  Secondly, on Windows Perl scripts aren't executable and have
to be run using the Perl interpreter directly; thankfully CMake is able to
find cygwin Perl straight away without problems.
2017-02-20 21:47:29 +00:00
Andres AG
f083b31fb3 Fix generate_code.pl to handle escaped : 2017-02-02 14:43:44 +00:00
Andres AG
3da3b6eccb Add tests for out flags from x509_crt_verify_top()
The tests load certificate chains from files. The CA chains contain a
past or future certificate and an invalid certificate. The test then
checks that the flags set are MBEDTLS_X509_BADCERT_EXPIRED or
MBEDTLS_X509_BADCERT_FUTURE.
2017-01-20 16:38:25 +00:00
Andres AG
978bdf9575 Add test for infinite loop in CRL parse 2017-01-19 17:13:36 +00:00
Andres AG
d5d6a3054b Add tests for overreads in pem_read_buffer() 2016-11-21 11:09:47 +00:00
Simon B
41ce6e6076 Remove need for elevated command line in Windows
Changes use of mklink in Windows test builds, to create junctions instead of
directory symbolic links. This removes the need for an elevated command prompt
when running cmake to create the Visual Studio project files.
2016-11-17 16:05:25 +00:00
Simon B
e2e2db4348 Fix config of compiler warning flags with MSVC
Compiler warnings were being configured twice and not suppressed on the
test suites with Microsoft Visual Studio.
2016-11-10 15:38:52 +00:00
Nicholas Wilson
44ea01110c Allow test suites to be run on Windows
For a start, they don't even compile with Visual Studio due to strcasecmp
being missing.  Secondly, on Windows Perl scripts aren't executable and have
to be run using the Perl interpreter directly; thankfully CMake is able to
find cygwin Perl straight away without problems.
2016-11-10 15:38:52 +00:00
Simon Butcher
016a0d3b6f Update library version number to 2.1.6 2016-10-17 15:44:26 +01:00
Simon Butcher
8bd467c47d Merge branch 'mbedtls-2.1' 2016-10-17 13:51:27 +01:00
Simon Butcher
d7f1902342 Updated test script all.sh
Changes to increase the release test coverage and also allow testing with
two different versions of OpenSSL and GNUTLS for legacy features.
2016-10-14 10:48:17 +01:00
Andres AG
53d77130fc Add check for validity of date in x509_get_time() 2016-10-13 16:24:12 +01:00
Simon Butcher
d9d0cda9fe Merge branch 'mbedtls-2.1' 2016-10-13 10:35:52 +01:00
Janos Follath
6d3e3389e5 Add simple test for repeated IVs when using AEAD
In a USENIX WOOT '16 paper the authors exploit implementation
mistakes that cause Initialisation Vectors (IV) to repeat. This
did not happen in mbed TLS, and this test makes sure that this
won't happen in the future either.

A new test option is introduced to ssl-opt.sh that checks the server
and client logs for a pattern and fails in case there are any
duplicates in the lines following the matching ones. (This is
necessary because of the structure of the logging)

Added a test case as well to utilise the new option. This test forces
the TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 ciphersuite to make the
client and the server use an AEAD cipher.

Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky and Philipp
Jovanovic, "Nonce-Disrespecting Adversaries: Practical Forgery Attacks
on GCM in TLS", USENIX WOOT '16
2016-10-13 10:26:58 +01:00
Janos Follath
95b303648c Restore P>Q in RSA key generation (#558)
The PKCS#1 standard says nothing about the relation between P and Q
but many libraries guarantee P>Q and mbed TLS did so too in earlier
versions.

This commit restores this behaviour.
2016-10-13 00:58:09 +01:00
Andres AG
effb5582dd Add test for bounds in X509 DER write funcs 2016-10-11 16:52:06 +01:00
Simon Butcher
8b459923ac Add missing dependencies to X509 Parse test suite for P-384 curve
The test script curves.pl was failing on testing dependencies for the P-384
curve on the new test cases introduced by ede75f0 and 884b4fc.
2016-07-15 12:53:25 +01:00
Janos Follath
e223527da0 X509: Future CA among trusted: add more tests 2016-07-14 12:02:56 +01:00
Janos Follath
38921c8837 X509: Future CA among trusted: add unit tests 2016-07-14 12:02:50 +01:00
Simon Butcher
64f5df5545 Changed version number to version 2.1.5 2016-06-27 19:37:08 +01:00
Simon Butcher
88aa189415 Merge branch 'mbedtls-2.1' into mbedtls-2.1 2016-06-27 01:16:16 +01:00
Janos Follath
b700c46750 Add a test for SSLv3 with extensions, server side
This test verifies if the server parses or sends extensions when
the protocol is SSLv3.
2016-05-23 14:43:54 +01:00
Paul Bakker
3b224ffd25 Split test into valgrind and no-valgrind version
Running valgrind on: "DTLS client reconnect from same port: reconnect,
nbio" results in timeouts.

New version added that runs only under valgrind. Original only runs when
valgrind is not used
2016-05-22 21:49:34 +01:00
Simon Butcher
6eb066ed56 Fixes RC4 config dependencies in tests in ssl-opt.h
Adds dependencies on MBEDTLS_REMOVE_ARC4_CIPHERSUITES for tests that
require RC4 to be disabled (the default config).
2016-05-19 22:25:42 +01:00
Janos Follath
f06edd695a Remove unused code from PKCS1v15 test suite 2016-05-18 19:36:04 +01:00
Simon Butcher
282e1d9130 Add missing config dependencies to PKCS1 V15 tests 2016-05-18 19:36:03 +01:00
Janos Follath
329149e575 Add tests to cover PKCS1 v1.5 signature functions.
The reported memory leak should have been spotted by
make memcheck
But it wasn't. Keeping the tests for better coverage.
2016-05-18 19:36:03 +01:00
Janos Follath
c184d9d34f Fix the broken pkcs1 v1.5 test.
The random buffer handed over to the test function was too small
and the remaining bytes were generated by the default (platform
dependant) function.
2016-05-18 19:36:03 +01:00
Janos Follath
b645c45865 Add tests for the bug IOTSSL-619.
The main goal with these tests is to test the bug in question and
they are not meant to test the entire PKCS#1 v1.5 behaviour. To
achieve full test coverage, further test cases are needed.
2016-05-18 19:30:09 +01:00
Simon Butcher
0705dd0588 Adds test for odd bit length RSA key size
Also tidy up ChangeLog following review.
2016-04-19 09:19:46 +01:00
Janos Follath
365b226a56 x509: trailing bytes in DER: add integration tests 2016-03-15 23:49:46 +00:00
Janos Follath
f6f5441fd1 x509: trailing bytes in DER: correct a unit test
One of the unit test was failing, because it was testing behavior
that was part of the bug. Updated the return value to the correct one
2016-03-15 23:48:25 +00:00
Simon Butcher
02b8d481f6 Adapt SSLv3 test configuration for new default
Removed SSLv3 test suites from system tests in 'compat.sh' script, and
added SSLv3 specific tests to 'all.sh'
2016-03-15 20:39:52 +00:00
Janos Follath
542ee5d8f3 Update default configuration
Change the default settings for SSL and modify the tests accordingly.
2016-03-07 16:34:25 +00:00
Manuel Pégourié-Gonnard
f10f85f676 Add test for yotta debug build 2016-01-08 15:08:49 +01:00
Manuel Pégourié-Gonnard
bb81b4a009 Make ar invocation more portable
armar doesn't understand the syntax without dash. OTOH, the syntax with dash
is the only one specified by POSIX, and it's accepted by GNU ar, BSD ar (as
bundled with OS X) and armar, so it looks like the most portable syntax.

fixes #386
2016-01-08 14:52:14 +01:00
Janos Follath
79a1da6948 Improved on the previous fix and added a test case to cover both types
of carries.
2016-01-08 14:48:01 +01:00
Janos Follath
5429c0a7d0 Improved on the fix of #309 and extended the test to cover subroutines. 2016-01-08 14:48:00 +01:00
Janos Follath
d0e0c03520 Tests and fix added for #309 (inplace mpi doubling). 2016-01-08 14:47:16 +01:00
Simon Butcher
543e4366bc Change version number to 2.1.4
Changed version for library files and yotta module
2016-01-04 22:41:11 +00:00
Manuel Pégourié-Gonnard
3cb2074a82 Add test case for root with max_pathlen=0
This was already working but not tested so far

(Test case from previous commit still failing.)

Test certificates generated with:

programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert91.key
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert92.key

programs/x509/cert_write serial=91 output_file=cert91.crt is_ca=1 \
    issuer_key=cert91.key issuer_name="CN=Root 9,O=mbed TLS,C=UK" \
    selfsign=1 max_pathlen=0
programs/x509/cert_write serial=92 output_file=cert92.crt \
    issuer_key=cert91.key issuer_name="CN=Root 9,O=mbed TLS,C=UK" \
    subject_key=cert92.key subject_name="CN=EE 92,O=mbed TLS,C=UK"

mv cert9?.crt tests/data_files/dir4
rm cert9?.key
2015-11-19 11:25:30 +01:00
Manuel Pégourié-Gonnard
922cd9ba36 Add test case for first intermediate max_pathlen=0
!!! This test case is currently failing !!!
(See fix in next-next commit.)

Test certificates generated with the following script:

programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert81.key
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert82.key
programs/pkey/gen_key type=ec ec_curve=secp256r1 filename=cert83.key

programs/x509/cert_write serial=81 output_file=cert81.crt is_ca=1 \
    issuer_key=cert81.key issuer_name="CN=Root 8,O=mbed TLS,C=UK" \
    selfsign=1
programs/x509/cert_write serial=82 output_file=cert82.crt is_ca=1 \
    issuer_key=cert81.key issuer_name="CN=Root 8,O=mbed TLS,C=UK" \
    subject_key=cert82.key subject_name="CN=Int 82,O=mbed TLS,C=UK" \
    max_pathlen=0
programs/x509/cert_write serial=83 output_file=cert83.crt \
    issuer_key=cert82.key issuer_name="CN=Int 82,O=mbed TLS,C=UK" \
    subject_key=cert83.key subject_name="CN=EE 83,O=mbed TLS,C=UK"

mv cert8?.crt tests/data_files/dir4
rm cert8?.key
2015-11-19 11:25:27 +01:00
Simon Butcher
ef43d41f67 Changed version number to 2.1.3
Changed for library
2015-11-04 22:08:33 +00:00