diff --git a/ChangeLog b/ChangeLog index bd61d9478..96dfb37f3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -24,6 +24,8 @@ Bugfix * Fix an issue that caused valid certificates to be rejected whenever an expired or not yet valid certificate was parsed before a valid certificate in the trusted certificate list. + * Fix bug in mbedtls_x509_crt_parse that caused trailing extra data in the + buffer after DER certificates to be included in the raw representation. Changes * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5, diff --git a/library/x509_crt.c b/library/x509_crt.c index 334b8ef51..c3adf7c86 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -677,14 +677,9 @@ static int x509_crt_parse_der_core( mbedtls_x509_crt *crt, const unsigned char * if( crt == NULL || buf == NULL ) return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); - p = mbedtls_calloc( 1, len = buflen ); - if( p == NULL ) - return( MBEDTLS_ERR_X509_ALLOC_FAILED ); - - memcpy( p, buf, buflen ); - - crt->raw.p = p; - crt->raw.len = len; + // Use the original buffer until we figure out actual length + p = (unsigned char*) buf; + len = buflen; end = p + len; /* @@ -708,6 +703,18 @@ static int x509_crt_parse_der_core( mbedtls_x509_crt *crt, const unsigned char * } crt_end = p + len; + // Create and populate a new buffer for the raw field + crt->raw.len = crt_end - buf; + crt->raw.p = p = mbedtls_calloc( 1, crt->raw.len ); + if( p == NULL ) + return( MBEDTLS_ERR_X509_ALLOC_FAILED ); + + memcpy( p, buf, crt->raw.len ); + + // Direct pointers to the new buffer + p += crt->raw.len - len; + end = crt_end = p + len; + /* * TBSCertificate ::= SEQUENCE { */ diff --git a/programs/test/selftest.c b/programs/test/selftest.c index fe5d51426..b168b7112 100644 --- a/programs/test/selftest.c +++ b/programs/test/selftest.c 
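Review bot: `p = (unsigned char*) buf;` discards the `const` of the caller's buffer so the ASN.1 reader can walk it before any copy exists; that is sound only because nothing writes through `p` until the `mbedtls_calloc` in the next hunk, and the line deserves a comment saying so, e.g. `/* Walk the caller's buffer read-only to find the real certificate length; it is copied into crt->raw once the outer SEQUENCE is known. */`. The new `//` comments here (`// Use the original buffer ...`) and in the next hunk (`// Create and populate ...`, `// Direct pointers ...`) also break with the `/* ... */` style the surrounding code uses, as the `TBSCertificate` comment in the following context shows. x509_crt_parse_der_core starts before this hunk and continues after it.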
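Review bot: `crt->raw.len = crt_end - buf;` is stored before the allocation on the next line is known to have succeeded, so on `MBEDTLS_ERR_X509_ALLOC_FAILED` the certificate is left with `raw.len != 0` and `raw.p == NULL`, while the earlier error returns in this function go through `mbedtls_x509_crt_free( crt )`. Allocate into the local first, `p = mbedtls_calloc( 1, crt_end - buf );`, and assign the pair `crt->raw.p = p; crt->raw.len = crt_end - buf;` only after `if( p == NULL ) return( MBEDTLS_ERR_X509_ALLOC_FAILED );`. Whether the caller frees `crt` on that error is not visible in the hunk, so the half-initialised state may or may not reach user code. The rest of x509_crt_parse_der_core lies outside the hunk.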
@@ -99,7 +99,8 @@ static int run_test_snprintf( void ) int main( int argc, char *argv[] ) { - int ret = 0, v; + int ret = 0, v, suites_tested = 0, suites_failed = 0, + exitcode = EXIT_SUCCESS; #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) unsigned char buf[1000000]; #endif @@ -126,8 +127,11 @@ int main( int argc, char *argv[] ) return( 0 ); } - if( argc == 2 && strcmp( argv[1], "-quiet" ) == 0 ) + if( argc == 2 && ( strcmp( argv[1], "--quiet" ) == 0 || + strcmp( argv[1], "-q" ) == 0 ) ) + { v = 0; + } else { v = 1; 
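Review bot: Replacing `-quiet` with `--quiet`/`-q` silently changes the behaviour of any existing `selftest -quiet` invocation, which now falls into the `else` branch and runs verbose instead of failing, and the ChangeLog hunk in this commit does not record the renamed option. Either keep accepting the old spelling next to the new ones, `strcmp( argv[1], "-quiet" ) == 0 ||`, or add a line under Changes in the ChangeLog naming the new spellings. main continues outside the hunk.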
@@ -142,134 +146,212 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_MD2_C) if( ( ret = mbedtls_md2_self_test( v ) ) != 0 ) - return( ret ); + { + suites_failed++; + } + suites_tested++; #endif #if defined(MBEDTLS_MD4_C) if( ( ret = mbedtls_md4_self_test( v ) ) != 0 ) - return( ret ); + { + suites_failed++; + } + suites_tested++; #endif #if defined(MBEDTLS_MD5_C) if( ( ret = mbedtls_md5_self_test( v ) ) != 0 ) - return( ret ); + { + suites_failed++; + } + suites_tested++; #endif #if defined(MBEDTLS_RIPEMD160_C) if( ( ret = mbedtls_ripemd160_self_test( v ) ) != 0 ) - return( ret ); + { + suites_failed++; + } + suites_tested++; #endif #if defined(MBEDTLS_SHA1_C) if( ( ret = mbedtls_sha1_self_test( v ) ) != 0 ) - return( ret ); + { + suites_failed++; + } + suites_tested++; #endif #if defined(MBEDTLS_SHA256_C) if( ( ret = mbedtls_sha256_self_test( v ) ) != 0 ) - return( ret ); + { + suites_failed++; + } + suites_tested++; #endif #if defined(MBEDTLS_SHA512_C) if( ( ret = mbedtls_sha512_self_test( v ) ) != 0 ) - return( ret ); + { + suites_failed++; + } + suites_tested++; #endif #if defined(MBEDTLS_ARC4_C) if( ( ret = mbedtls_arc4_self_test( v ) ) != 0 ) - return( ret ); + { + suites_failed++; + } + suites_tested++; #endif #if defined(MBEDTLS_DES_C) if( ( ret = mbedtls_des_self_test( v ) ) != 0 ) - return( ret ); + { + suites_failed++; + } + suites_tested++; #endif #if defined(MBEDTLS_AES_C) if( ( ret = mbedtls_aes_self_test( v ) ) != 0 ) - return( ret ); + { + suites_failed++; + } + suites_tested++; #endif #if defined(MBEDTLS_GCM_C) && defined(MBEDTLS_AES_C) if( ( ret = mbedtls_gcm_self_test( v ) ) != 0 ) - return( ret ); + { + suites_failed++; + } + suites_tested++; #endif #if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_AES_C) if( ( ret = mbedtls_ccm_self_test( v ) ) != 0 ) - return( ret ); + { + suites_failed++; + } + suites_tested++; #endif #if defined(MBEDTLS_BASE64_C) if( ( ret = mbedtls_base64_self_test( v ) ) != 0 ) - return( ret ); + { + suites_failed++; 
+ } + suites_tested++; #endif #if defined(MBEDTLS_BIGNUM_C) if( ( ret = mbedtls_mpi_self_test( v ) ) != 0 ) - return( ret ); + { + suites_failed++; + } + suites_tested++; #endif #if defined(MBEDTLS_RSA_C) if( ( ret = mbedtls_rsa_self_test( v ) ) != 0 ) - return( ret ); + { + suites_failed++; + } + suites_tested++; #endif #if defined(MBEDTLS_X509_USE_C) if( ( ret = mbedtls_x509_self_test( v ) ) != 0 ) - return( ret ); + { + suites_failed++; + } + suites_tested++; #endif #if defined(MBEDTLS_XTEA_C) if( ( ret = mbedtls_xtea_self_test( v ) ) != 0 ) - return( ret ); + { + suites_failed++; + } + suites_tested++; #endif #if defined(MBEDTLS_CAMELLIA_C) if( ( ret = mbedtls_camellia_self_test( v ) ) != 0 ) - return( ret ); + { + suites_failed++; + } + suites_tested++; #endif #if defined(MBEDTLS_CTR_DRBG_C) if( ( ret = mbedtls_ctr_drbg_self_test( v ) ) != 0 ) - return( ret ); + { + suites_failed++; + } + suites_tested++; #endif #if defined(MBEDTLS_HMAC_DRBG_C) if( ( ret = mbedtls_hmac_drbg_self_test( v ) ) != 0 ) - return( ret ); + { + suites_failed++; + } + suites_tested++; #endif #if defined(MBEDTLS_ECP_C) if( ( ret = mbedtls_ecp_self_test( v ) ) != 0 ) - return( ret ); + { + suites_failed++; + } + suites_tested++; #endif #if defined(MBEDTLS_ECJPAKE_C) if( ( ret = mbedtls_ecjpake_self_test( v ) ) != 0 ) - return( ret ); + { + suites_failed++; + } + suites_tested++; #endif #if defined(MBEDTLS_DHM_C) if( ( ret = mbedtls_dhm_self_test( v ) ) != 0 ) - return( ret ); + { + suites_failed++; + } + suites_tested++; #endif #if defined(MBEDTLS_ENTROPY_C) if( ( ret = mbedtls_entropy_self_test( v ) ) != 0 ) - return( ret ); + { + suites_failed++; + } + suites_tested++; #endif #if defined(MBEDTLS_PKCS5_C) if( ( ret = mbedtls_pkcs5_self_test( v ) ) != 0 ) - return( ret ); + { + suites_failed++; + } + suites_tested++; #endif /* Slow tests last */ #if defined(MBEDTLS_TIMING_C) if( ( ret = mbedtls_timing_self_test( v ) ) != 0 ) - return( ret ); + { + suites_failed++; + } + suites_tested++; 
#endif #else @@ -285,19 +367,34 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) mbedtls_memory_buffer_alloc_free(); - if( ( ret = mbedtls_memory_buffer_alloc_self_test( v ) ) != 0 ) - return( ret ); + { + suites_failed++; + } + suites_tested++; #endif if( v != 0 ) { - mbedtls_printf( " [ All tests passed ]\n\n" ); + mbedtls_printf( " Executed %d test suites\n\n", suites_tested ); + + if( suites_failed > 0) + { + mbedtls_printf( " [ %d tests FAIL ]\n\n", suites_failed ); + } + else + { + mbedtls_printf( " [ All tests PASS ]\n\n" ); + } #if defined(_WIN32) mbedtls_printf( " Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); #endif } - return( ret ); + if( suites_failed > 0) + exitcode = EXIT_FAILURE; + + exit( exitcode ); } + diff --git a/tests/data_files/server5-der0.crt b/tests/data_files/server5-der0.crt new file mode 100644 index 000000000..08d8dd311 Binary files /dev/null and b/tests/data_files/server5-der0.crt differ diff --git a/tests/data_files/server5-der1a.crt b/tests/data_files/server5-der1a.crt new file mode 100644 index 000000000..015017b17 Binary files /dev/null and b/tests/data_files/server5-der1a.crt differ diff --git a/tests/data_files/server5-der1b.crt b/tests/data_files/server5-der1b.crt new file mode 100644 index 000000000..6340d9e2e Binary files /dev/null and b/tests/data_files/server5-der1b.crt differ diff --git a/tests/data_files/server5-der2.crt b/tests/data_files/server5-der2.crt new file mode 100644 index 000000000..c6e320a36 Binary files /dev/null and b/tests/data_files/server5-der2.crt differ diff --git a/tests/data_files/server5-der4.crt b/tests/data_files/server5-der4.crt new file mode 100644 index 000000000..4af05cce1 Binary files /dev/null and b/tests/data_files/server5-der4.crt differ diff --git a/tests/data_files/server5-der8.crt b/tests/data_files/server5-der8.crt new file mode 100644 index 000000000..65be7dcae Binary files /dev/null and b/tests/data_files/server5-der8.crt differ 
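Review bot: The same `if ... { suites_failed++; } suites_tested++;` block is repeated verbatim for all 25 self-tests in this hunk (and a 26th time for the memory-buffer allocator in the next hunk), so the counting logic has to be kept right in 26 places whenever a suite is added or the bookkeeping changes. A small macro, shown below, reduces each `#if` block to one line while keeping the file's brace style. After this change `ret` only ever holds the result of the most recent suite, and as far as these hunks show nothing reads it afterwards, so it could eventually be dropped. main starts before this hunk and ends after it.
```c
/* Run one self-test suite and fold its result into the counters.
 * A macro rather than a function because the callee differs per #if block. */
#define RUN_SELF_TEST( fn )                         \
    do {                                            \
        if( ( ret = fn( v ) ) != 0 )                \
        {                                           \
            suites_failed++;                        \
        }                                           \
        suites_tested++;                            \
    } while( 0 )

#if defined(MBEDTLS_MD2_C)
    RUN_SELF_TEST( mbedtls_md2_self_test );
#endif
/* ... unchanged: the remaining #if blocks, each reduced to one RUN_SELF_TEST line ... */
```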
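Review bot: ` [ %d tests FAIL ]` prints `suites_failed`, which counts self-test suites, so it disagrees with the `Executed %d test suites` line printed just above it; `mbedtls_printf( " [ %d test suites FAIL ]\n\n", suites_failed );` keeps the two consistent. `if( suites_failed > 0)`, written twice in this hunk, drops the closing space that every other condition in this file carries, and `exit( exitcode );` at the end of main sits beside the `return( 0 );` early exits visible in the earlier hunk of this file; `return( exitcode );` behaves the same here and reads consistently.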
diff --git a/tests/data_files/server5-der9.crt b/tests/data_files/server5-der9.crt new file mode 100644 index 000000000..4947f1f83 Binary files /dev/null and b/tests/data_files/server5-der9.crt differ diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 467f22a93..1cc82562c 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -133,6 +133,7 @@ tests/compat.sh msg "build: Default + SSLv3 (ASan build)" # ~ 6 min cleanup +cp "$CONFIG_H" "$CONFIG_BAK" scripts/config.pl set MBEDTLS_SSL_PROTO_SSL3 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . make @@ -149,7 +150,6 @@ tests/ssl-opt.sh msg "build: cmake, full config, clang" # ~ 50s cleanup -cp "$CONFIG_H" "$CONFIG_BAK" scripts/config.pl full scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests CC=clang cmake -D CMAKE_BUILD_TYPE:String=Check . diff --git a/tests/scripts/basic-build-test.sh b/tests/scripts/basic-build-test.sh new file mode 100755 index 000000000..06c2eb9bd --- /dev/null +++ b/tests/scripts/basic-build-test.sh 
@@ -0,0 +1,201 @@ +#!/bin/sh + +# basic-build-tests.sh +# +# Copyright (c) 2016, ARM Limited, All Rights Reserved +# +# Purpose +# +# Executes the basic test suites, captures the results, and generates a simple +# test report and code coverage report. +# +# The tests include: +# * Self-tests - executed using program/test/selftest +# * Unit tests - executed using tests/scripts/run-test-suite.pl +# * System tests - executed using tests/ssl-opt.sh +# * Interoperability tests - executed using tests/compat.sh +# +# The tests focus on functionality and do not consider performance. +# +# Note the tests self-adapt due to configurations in include/mbedtls/config.h +# which can lead to some tests being skipped, and can cause the number of +# available self-tests to fluctuate. +# +# This script has been written to be generic and should work on any shell. +# +# Usage: basic-build-tests.sh +# + +# Abort on errors (and uninitiliased variables) +set -eu + +if [ -d library -a -d include -a -d tests ]; then :; else + echo "Must be run from mbed TLS root" >&2 + exit 1 +fi + + +# Step 1 - Make and instrumented build for code coverage +CFLAGS=' --coverage -g3 -O0 ' +make + + +# Step 2 - Execute the tests +TEST_OUTPUT=out_${PPID} +cd tests + +# Step 2a - Self-tests +../programs/test/selftest |tee self-test-$TEST_OUTPUT +echo + +# Step 2b - Unit Tests +perl scripts/run-test-suites.pl -v |tee unit-test-$TEST_OUTPUT +echo + +# Step 2c - System Tests +sh ssl-opt.sh |tee sys-test-$TEST_OUTPUT +echo + +# Step 2d - Compatibility tests +sh compat.sh |tee compat-test-$TEST_OUTPUT +echo + +# Step 3 - Process the coverage report +cd .. 
+make lcov |tee tests/cov-$TEST_OUTPUT + + +# Step 4 - Summarise the test report +echo +echo "=========================================================================" +echo "Test Report Summary" +echo + +cd tests + +# Step 4a - Self-tests +echo "Self tests - ./programs/test/selftest" + +PASSED_TESTS=$(grep 'passed' self-test-$TEST_OUTPUT |wc -l) +FAILED_TESTS=$(grep 'failed' self-test-$TEST_OUTPUT |wc -l) +AVAIL_TESTS=$(($PASSED_TESTS + $FAILED_TESTS)) +EXED_TESTS=$(($PASSED_TESTS + $FAILED_TESTS)) + +echo "Passed : $PASSED_TESTS" +echo "Failed : $FAILED_TESTS" +echo "Skipped : n/a" +echo "Total tests : $AVAIL_TESTS" +echo + +TOTAL_PASS=$PASSED_TESTS +TOTAL_FAIL=$FAILED_TESTS +TOTAL_SKIP=0 +TOTAL_AVAIL=$(($PASSED_TESTS + $FAILED_TESTS)) +TOTAL_EXED=$(($PASSED_TESTS + $FAILED_TESTS)) + + +# Step 4b - Unit tests +echo "Unit tests - tests/scripts/run-test-suites.pl" + +PASSED_TESTS=$(tail -n6 unit-test-$TEST_OUTPUT|sed -n -e 's/test cases passed :[\t]*\([0-9]*\)/\1/p'| tr -d ' ') +SKIPPED_TESTS=$(tail -n6 unit-test-$TEST_OUTPUT|sed -n -e 's/skipped :[ \t]*\([0-9]*\)/\1/p'| tr -d ' ') +TOTAL_SUITES=$(tail -n6 unit-test-$TEST_OUTPUT|sed -n -e 's/.* (\([0-9]*\) .*, [0-9]* tests run)/\1/p'| tr -d ' ') +FAILED_TESTS=$(tail -n6 unit-test-$TEST_OUTPUT|sed -n -e 's/failed :[\t]*\([0-9]*\)/\1/p' |tr -d ' ') + +echo "No test suites : $TOTAL_SUITES" +echo "Passed : $PASSED_TESTS" +echo "Failed : $FAILED_TESTS" +echo "Skipped : $SKIPPED_TESTS" +echo "Total exec'd tests : $(($PASSED_TESTS + $FAILED_TESTS))" +echo "Total avail tests : $(($PASSED_TESTS + $FAILED_TESTS + $SKIPPED_TESTS))" +echo + +TOTAL_PASS=$(($TOTAL_PASS+$PASSED_TESTS)) +TOTAL_FAIL=$(($TOTAL_FAIL+$FAILED_TESTS)) +TOTAL_SKIP=$(($TOTAL_SKIP+$SKIPPED_TESTS)) +TOTAL_AVAIL=$(($TOTAL_AVAIL + $PASSED_TESTS + $FAILED_TESTS + $SKIPPED_TESTS)) +TOTAL_EXED=$(($TOTAL_EXED + $PASSED_TESTS + $FAILED_TESTS)) + + +# Step 4c - TLS Options tests +echo "TLS Options tests - tests/ssl-opt.sh" + +PASSED_TESTS=$(tail -n5 
sys-test-$TEST_OUTPUT|sed -n -e 's/.* (\([0-9]*\) \/ [0-9]* tests ([0-9]* skipped))$/\1/p') +SKIPPED_TESTS=$(tail -n5 sys-test-$TEST_OUTPUT|sed -n -e 's/.* ([0-9]* \/ [0-9]* tests (\([0-9]*\) skipped))$/\1/p') +TOTAL_TESTS=$(tail -n5 sys-test-$TEST_OUTPUT|sed -n -e 's/.* ([0-9]* \/ \([0-9]*\) tests ([0-9]* skipped))$/\1/p') +FAILED_TESTS=$(($TOTAL_TESTS - $PASSED_TESTS)) + +echo "Passed : $PASSED_TESTS" +echo "Failed : $FAILED_TESTS" +echo "Skipped : $SKIPPED_TESTS" +echo "Total exec'd tests : $TOTAL_TESTS" +echo "Total avail tests : $(($TOTAL_TESTS + $SKIPPED_TESTS))" +echo + +TOTAL_PASS=$(($TOTAL_PASS+$PASSED_TESTS)) +TOTAL_FAIL=$(($TOTAL_FAIL+$FAILED_TESTS)) +TOTAL_SKIP=$(($TOTAL_SKIP+$SKIPPED_TESTS)) +TOTAL_AVAIL=$(($TOTAL_AVAIL + $TOTAL_TESTS + $SKIPPED_TESTS)) +TOTAL_EXED=$(($TOTAL_EXED + $TOTAL_TESTS)) + + +# Step 4d - System Compatibility tests +echo "System/Compatibility tests - tests/compat.sh" + +PASSED_TESTS=$(tail -n5 compat-test-$TEST_OUTPUT|sed -n -e 's/.* (\([0-9]*\) \/ [0-9]* tests ([0-9]* skipped))$/\1/p') +SKIPPED_TESTS=$(tail -n5 compat-test-$TEST_OUTPUT|sed -n -e 's/.* ([0-9]* \/ [0-9]* tests (\([0-9]*\) skipped))$/\1/p') +EXED_TESTS=$(tail -n5 compat-test-$TEST_OUTPUT|sed -n -e 's/.* ([0-9]* \/ \([0-9]*\) tests ([0-9]* skipped))$/\1/p') +FAILED_TESTS=$(($EXED_TESTS - $PASSED_TESTS)) + +echo "Passed : $PASSED_TESTS" +echo "Failed : $FAILED_TESTS" +echo "Skipped : $SKIPPED_TESTS" +echo "Total exec'd tests : $EXED_TESTS" +echo "Total avail tests : $(($EXED_TESTS + $SKIPPED_TESTS))" +echo + +TOTAL_PASS=$(($TOTAL_PASS+$PASSED_TESTS)) +TOTAL_FAIL=$(($TOTAL_FAIL+$FAILED_TESTS)) +TOTAL_SKIP=$(($TOTAL_SKIP+$SKIPPED_TESTS)) +TOTAL_AVAIL=$(($TOTAL_AVAIL + $EXED_TESTS + $SKIPPED_TESTS)) +TOTAL_EXED=$(($TOTAL_EXED + $EXED_TESTS)) + + +# Step 4e - Grand totals +echo "-------------------------------------------------------------------------" +echo "Total tests" + +echo "Total Passed : $TOTAL_PASS" +echo "Total Failed : $TOTAL_FAIL" +echo "Total Skipped : 
$TOTAL_SKIP" +echo "Total exec'd tests : $TOTAL_EXED" +echo "Total avail tests : $TOTAL_AVAIL" +echo + + +# Step 4f - Coverage +echo "Coverage" + +LINES_TESTED=$(tail -n3 cov-$TEST_OUTPUT|sed -n -e 's/ lines......: [0-9]*.[0-9]% (\([0-9]*\) of [0-9]* lines)/\1/p') +LINES_TOTAL=$(tail -n3 cov-$TEST_OUTPUT|sed -n -e 's/ lines......: [0-9]*.[0-9]% ([0-9]* of \([0-9]*\) lines)/\1/p') +FUNCS_TESTED=$(tail -n3 cov-$TEST_OUTPUT|sed -n -e 's/ functions..: [0-9]*.[0-9]% (\([0-9]*\) of [0-9]* functions)$/\1/p') +FUNCS_TOTAL=$(tail -n3 cov-$TEST_OUTPUT|sed -n -e 's/ functions..: [0-9]*.[0-9]% ([0-9]* of \([0-9]*\) functions)$/\1/p') + +LINES_PERCENT=$((1000*$LINES_TESTED/$LINES_TOTAL)) +LINES_PERCENT="$(($LINES_PERCENT/10)).$(($LINES_PERCENT-($LINES_PERCENT/10)*10))" + +FUNCS_PERCENT=$((1000*$FUNCS_TESTED/$FUNCS_TOTAL)) +FUNCS_PERCENT="$(($FUNCS_PERCENT/10)).$(($FUNCS_PERCENT-($FUNCS_PERCENT/10)*10))" + +echo "Lines Tested : $LINES_TESTED of $LINES_TOTAL $LINES_PERCENT%" +echo "Functions Tested : $FUNCS_TESTED of $FUNCS_TOTAL $FUNCS_PERCENT%" +echo + + +rm self-test-$TEST_OUTPUT +rm unit-test-$TEST_OUTPUT +rm sys-test-$TEST_OUTPUT +rm compat-test-$TEST_OUTPUT +rm cov-$TEST_OUTPUT + +cd .. diff --git a/tests/scripts/run-test-suites.pl b/tests/scripts/run-test-suites.pl old mode 100644 new mode 100755 index b91355d30..fb77e1571 --- a/tests/scripts/run-test-suites.pl +++ b/tests/scripts/run-test-suites.pl 
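Review bot: `CFLAGS=' --coverage -g3 -O0 '` on its own line followed by `make` on the next only sets a shell variable; without `export` it never reaches make's environment, so Step 1 builds without instrumentation and the later `make lcov` and the Coverage summary describe a non-instrumented build unless the caller already exported CFLAGS. Put the assignment on the make command line, `CFLAGS=' --coverage -g3 -O0 ' make`, or `export CFLAGS` before it. Separately, `set -e` cannot see a failure of `../programs/test/selftest |tee ...` or the other `|tee` pipelines because a pipeline's status is that of `tee`; that is presumably intended so the summary is still produced, and a comment such as `# tee masks the exit status; failures are counted from the captured output below` would make it explicit. The header and the `# Usage:` line call the script `basic-build-tests.sh` while the file is `basic-build-test.sh`.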
@@ -1,12 +1,37 @@ #!/usr/bin/perl +# run-test-suites.pl +# +# Copyright (c) 2015-2016, ARM Limited, All Rights Reserved +# +# Purpose +# +# Executes all the available test suites, and provides a basic summary of the +# results. +# +# Usage: run-test-suites.pl [-v] +# +# Options : +# -v|--verbose - Provide a pass/fail/skip breakdown per test suite and +# in total +# + use warnings; use strict; use utf8; use open qw(:std utf8); -my @suites = grep { ! /\.(?:c|gcno)$/ } glob 'test_suite_*'; +use constant FALSE => 0; +use constant TRUE => 1; + +my $verbose; +my $switch = shift; +if ( defined($switch) && ( $switch eq "-v" || $switch eq "--verbose" ) ) { + $verbose = TRUE; +} + +my @suites = grep { ! /\.(?:c|gcno|gcda|dSYM)$/ } glob 'test_suite_*'; die "$0: no test suite found\n" unless @suites; # in case test suites are linked dynamically 
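Review bot: `my $switch = shift;` recognises `-v`/`--verbose` but silently ignores anything else, so a mistyped option such as `-verbose` or a stray argument runs a non-verbose pass without complaint; a rejection matching the Usage comment added above, `die "Usage: $0 [-v|--verbose]\n" if defined($switch) && !$verbose;` after the `if` block, would catch that. `$verbose` is also left undefined rather than set to `FALSE` in the non-verbose case, which works under `if ( $verbose )` but leaves the `FALSE` constant unused as far as the two hunks show.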
@@ -14,22 +39,56 @@ $ENV{'LD_LIBRARY_PATH'} = '../library'; my $prefix = $^O eq "MSWin32" ? '' : './'; -my ($failed_suites, $total_tests_run); +my ($failed_suites, $total_tests_run, $failed, $suite_cases_passed, + $suite_cases_failed, $suite_cases_skipped, $total_cases_passed, + $total_cases_failed, $total_cases_skipped ); + for my $suite (@suites) { print "$suite ", "." x ( 72 - length($suite) - 2 - 4 ), " "; my $result = `$prefix$suite`; + + $suite_cases_passed = () = $result =~ /.. PASS/g; + $suite_cases_failed = () = $result =~ /.. FAILED/g; + $suite_cases_skipped = () = $result =~ /.. ----/g; + if( $result =~ /PASSED/ ) { print "PASS\n"; - my ($tests, $skipped) = $result =~ /([0-9]*) tests.*?([0-9]*) skipped/; - $total_tests_run += $tests - $skipped; } else { $failed_suites++; print "FAIL\n"; } + + my ($passed, $tests, $skipped) = $result =~ /([0-9]*) \/ ([0-9]*) tests.*?([0-9]*) skipped/; + $total_tests_run += $tests - $skipped; + + if ( $verbose ) { + print "(test cases passed:", $suite_cases_passed, + " failed:", $suite_cases_failed, + " skipped:", $suite_cases_skipped, + " of total:", ( $suite_cases_passed + $suite_cases_failed ), + ")\n" + } + + $total_cases_passed += $suite_cases_passed; + $total_cases_failed += $suite_cases_failed; + $total_cases_skipped += $suite_cases_skipped; } print "-" x 72, "\n"; print $failed_suites ? "FAILED" : "PASSED"; printf " (%d suites, %d tests run)\n", scalar @suites, $total_tests_run; + +if ( $verbose ) { + print " test cases passed :", $total_cases_passed, "\n"; + print " failed :", $total_cases_failed, "\n"; + print " skipped :", $total_cases_skipped, "\n"; + print " of tests executed :", ( $total_cases_passed + $total_cases_failed ), + "\n"; + print " of available tests :", + ( $total_cases_passed + $total_cases_failed + $total_cases_skipped ), + "\n" + } + exit( $failed_suites ? 1 : 0 ); + diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 8792b21c2..c08af7b04 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh 
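Review bot: `my ($passed, $tests, $skipped) = $result =~ /([0-9]*) \/ ([0-9]*) tests.*?([0-9]*) skipped/;` now runs for failed suites too, and a suite that dies before printing its summary leaves all three undefined, so the following `$total_tests_run += $tests - $skipped;` emits "uninitialized value" warnings under `use warnings` and counts nothing for that suite. Guard it, `$total_tests_run += $tests - $skipped if defined $tests;`, and drop `$passed`, which is captured but never read; `$failed` in the enlarged `my (...)` list is likewise unused in this hunk.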
@@ -1559,6 +1559,64 @@ run_test "Renego ext: gnutls client unsafe, server break legacy" \
 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
 -S "server hello, secure renegotiation extension"
 
+# Tests for silently dropping trailing extra bytes in .der certificates
+
+requires_gnutls
+run_test "DER format: no trailing bytes" \
+ "$P_SRV crt_file=data_files/server5-der0.crt \
+ key_file=data_files/server5.key" \
+ "$G_CLI " \
+ 0 \
+ -c "Handshake was completed" \
+
+requires_gnutls
+run_test "DER format: with a trailing zero byte" \
+ "$P_SRV crt_file=data_files/server5-der1a.crt \
+ key_file=data_files/server5.key" \
+ "$G_CLI " \
+ 0 \
+ -c "Handshake was completed" \
+
+requires_gnutls
+run_test "DER format: with a trailing random byte" \
+ "$P_SRV crt_file=data_files/server5-der1b.crt \
+ key_file=data_files/server5.key" \
+ "$G_CLI " \
+ 0 \
+ -c "Handshake was completed" \
+
+requires_gnutls
+run_test "DER format: with 2 trailing random bytes" \
+ "$P_SRV crt_file=data_files/server5-der2.crt \
+ key_file=data_files/server5.key" \
+ "$G_CLI " \
+ 0 \
+ -c "Handshake was completed" \
+
+requires_gnutls
+run_test "DER format: with 4 trailing random bytes" \
+ "$P_SRV crt_file=data_files/server5-der4.crt \
+ key_file=data_files/server5.key" \
+ "$G_CLI " \
+ 0 \
+ -c "Handshake was completed" \
+
+requires_gnutls
+run_test "DER format: with 8 trailing random bytes" \
+ "$P_SRV crt_file=data_files/server5-der8.crt \
+ key_file=data_files/server5.key" \
+ "$G_CLI " \
+ 0 \
+ -c "Handshake was completed" \
+
+requires_gnutls
+run_test "DER format: with 9 trailing random bytes" \
+ "$P_SRV crt_file=data_files/server5-der9.crt \
+ key_file=data_files/server5.key" \
+ "$G_CLI " \
+ 0 \
+ -c "Handshake was completed" \
+
 
 # Tests for auth_mode
 
 run_test "Authentication: server badcert, client required" \
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index b21a64090..5c68872c0 100644
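Review bot: The seven new `DER format` cases only assert `Handshake was completed`, which, as far as the hunk shows, would also have held before this commit, since the ChangeLog entry describes a defect in the contents of `crt->raw` rather than in whether the certificate parses or serves; a check that the raw length equals the DER length (the size of `server5-der0.crt`, for instance) is what would pin the regression, probably as a unit test rather than here. Each case also ends with `-c "Handshake was completed" \`, a continuation backslash followed by a blank line; harmless today, but it would join the next non-blank line into the command if that blank were ever removed, so drop the trailing `\` on the last argument of each case.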
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -771,7 +771,7 @@ X509 Certificate ASN1 (Incorrect first tag)
 x509parse_crt:"":"":MBEDTLS_ERR_X509_INVALID_FORMAT
 
 X509 Certificate ASN1 (Correct first tag, data length does not match)
-x509parse_crt:"300000":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+x509parse_crt:"300000":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 Certificate ASN1 (Correct first tag, no more data)
 x509parse_crt:"3000":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
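Review bot: The expected error for `300000` moves from `MBEDTLS_ERR_ASN1_UNEXPECTED_TAG` to `MBEDTLS_ERR_ASN1_OUT_OF_DATA`, which matches the parser now bounding `end` at the outer SEQUENCE instead of at the end of the buffer, so the third byte is no longer visible to the TBSCertificate read; the case name `data length does not match` still describes it. What this file does not gain is a positive case for the ChangeLog item, a valid DER certificate followed by extra bytes; if `x509parse_crt` can only check the return code, a dedicated case in the suite's .function file that compares `raw.len` with the DER length would document where that behaviour is covered.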