Commit graph

9243 commits

Author SHA1 Message Date
Hanno Becker
01346c645b Use SHA-256 instead of MD2 in X.509 CRT parsing tests
- Replace 'RSA with MD2' OID '2a864886f70d010102' by
  'RSA with SHA-256' OID '2a864886f70d01010b':
  Only the last byte determines the hash, and
  `MBEDTLS_OID_PKCS1_MD2 == MBEDTLS_OID_PKCS1 "\x02"`
  `MBEDTLS_OID_PKCS1_SHA256 == MBEDTLS_OID_PKCS1 "\x0b"`
  See oid.h.
- Replace MD2 dependency by SHA256 dependency.
- Adapt expected CRT info output.
2019-05-30 11:16:39 +01:00
Hanno Becker
d0d78d7c4a Consistently use lower case hex data in X.509 parsing tests 2019-05-30 11:16:39 +01:00
Jaeden Amero
2ab5cf658f Merge remote-tracking branch 'origin/pr/2403' into development
* origin/pr/2403: (24 commits)
  crypto: Update to Mbed Crypto 8907b019e7
  Create seedfile before running tests
  crypto: Update to Mbed Crypto 81f9539037
  ssl_cli.c : add explicit casting to unsigned char
  Generating visualc files - let Mbed TLS take precedence over crypto
  Add a link to the seedfile for out-of-tree cmake builds
  Adjust visual studio file generation to always use the crypto submodule
  all.sh: unparallelize mingw tests
  all.sh - disable parallelization for shared target tests
  config.pl: disable PSA_ITS_FILE and PSA_CRYPTO_STORAGE for baremetal
  all.sh: unset crypto storage define in a psa full config cmake asan test
  all.sh: unset FS_IO-dependent defines for tests that do not have it
  curves.pl - change test script to not depend on the implementation
  Export the submodule flag to sub-cmakes
  Disable MBEDTLS_ECP_RESTARTABLE in full config
  Export the submodule flag to sub-makes
  Force the usage of crypto submodule
  Fix crypto submodule usage in Makefile
  Documentation rewording
  Typo fixes in documentation
  ...
2019-05-23 09:08:55 +01:00
Jaeden Amero
a542bb6de6 Merge remote-tracking branch 'origin/pr/2647' into development
* origin/pr/2647:
  list-symbols.sh: if the build fails, print the build transcript
  Document "check-names.sh -v"
  all.sh: invoke check-names.sh in print-trace-on-exit mode
  Print a command trace if the check-names.sh exits unexpectedly
2019-05-23 09:08:41 +01:00
Jaeden Amero
bb7a582865 Merge remote-tracking branch 'origin/pr/2655' into development
* origin/pr/2655:
  Add negative test for malformed SAN
  Set next sequence of subject_alt_names to NULL
2019-05-23 09:08:01 +01:00
Jaeden Amero
7525aa06c1 Merge remote-tracking branch 'origin/pr/2410' into development
* origin/pr/2410:
  Update change log
  Document the default value for the maximum fragment length
  Improve clarity of mbedtls_ssl_conf_max_frag_len documentation
  Reword ssl_conf_max_frag_len documentation
  Fix typos and miswording in the mbedtls_ssl_conf_max_frag_len documentation comment
  Reword ssl_conf_max_frag_len documentation to clarify its necessity
2019-05-23 09:08:01 +01:00
Andrzej Kurek
a76773fd2d crypto: Update to Mbed Crypto 8907b019e7 2019-05-23 03:01:35 -04:00
Gilles Peskine
3c8ccc068f Create seedfile before running tests
With MBEDTLS_USE_PSA_CRYPTO and MBEDTLS_ENTROPY_NV_SEED enabled, the
tests need a seedfile. Since test_suite_entropy is no longer there to
create it, and MBEDTLS_USE_PSA_CRYPTO is now enabled in the full
config, create tests/seedfile explicitly in basic-build-test.sh.
2019-05-23 03:01:35 -04:00
Andrzej Kurek
50a93510fd crypto: Update to Mbed Crypto 81f9539037 2019-05-23 03:01:35 -04:00
Andrzej Kurek
ade9e28d9f ssl_cli.c : add explicit casting to unsigned char
Signal casting from size_t to unsigned char explicitly, so that the compiler
does not raise a warning about possible loss of data on MSVC, targeting
64-bit Windows.
2019-05-23 03:01:35 -04:00
Andrzej Kurek
9f3d39d733 Generating visualc files - let Mbed TLS take precedence over crypto
Change the order of include directories so that Mbed TLS is first.
2019-05-23 03:01:35 -04:00
Andrzej Kurek
4a71cfa39f Add a link to the seedfile for out-of-tree cmake builds 2019-05-23 03:01:35 -04:00
Andrzej Kurek
b78cf2b261 Adjust visual studio file generation to always use the crypto submodule
Add crypto include to include paths
2019-05-23 03:01:35 -04:00
Andrzej Kurek
62faadd6a3 all.sh: unparallelize mingw tests
Sometimes, when building the shared target with crypto submodule, one could
get an "No rule to make target '../crypto/library/libmbedcrypto.so'" error.
This is due to two reasons - building in parallel and (probably) an
incomplete/incorrect list of dependencies for certain targets. The proposed
solution is to disable parallel builds with crypto submodule for now.
An issue has been raised here: https://github.com/ARMmbed/mbedtls/issues/2634
2019-05-23 03:01:35 -04:00
Andrzej Kurek
87615770c7 all.sh - disable parallelization for shared target tests
Sometimes, when building the shared target with crypto submodule, one could
get an "No rule to make target '../crypto/library/libmbedcrypto.so'" error.
This is due to two reasons - building in parallel and (probably) an
incomplete/incorrect list of dependencies for certain targets. The proposed
solution is to disable parallel builds with crypto submodule for now.
An issue has been raised here: https://github.com/ARMmbed/mbedtls/issues/2634
2019-05-23 03:01:35 -04:00
Andrzej Kurek
9c754a9892 config.pl: disable PSA_ITS_FILE and PSA_CRYPTO_STORAGE for baremetal 2019-05-23 03:01:35 -04:00
Andrzej Kurek
324b2f76ca all.sh: unset crypto storage define in a psa full config cmake asan test 2019-05-23 03:01:35 -04:00
Andrzej Kurek
73757080c1 all.sh: unset FS_IO-dependent defines for tests that do not have it 2019-05-23 03:01:35 -04:00
Andrzej Kurek
098b16ca83 curves.pl - change test script to not depend on the implementation
Currently the top-level makefile deploys commands to both Mbed TLS and
the submodule. Running make in the "tests" directory builds only the TLS tests.
The top level CMake on the other hand does not have the "tests" target defined,
so it also cannot be used, hence the raw "make".
2019-05-23 03:01:35 -04:00
Andrzej Kurek
f425ff1457 Export the submodule flag to sub-cmakes 2019-05-23 03:01:35 -04:00
Andrzej Kurek
03c35a5744 Disable MBEDTLS_ECP_RESTARTABLE in full config
MBEDTLS_ECP_RESTARTABLE is not compatible with MBEDTLS_USE_PSA_CRYPTO.
2019-05-23 03:01:35 -04:00
Andrzej Kurek
d015619a56 Export the submodule flag to sub-makes
Export the flag so that the crypto submodule knows how it is being built
2019-05-23 03:01:35 -04:00
Andrzej Kurek
346747cd24 Force the usage of crypto submodule
Remove all.sh tests exercising the optional usage of submodule
2019-05-23 03:01:35 -04:00
Andrzej Kurek
67df9e498f Fix crypto submodule usage in Makefile 2019-05-23 03:01:35 -04:00
Andrzej Kurek
d65b11d868 Documentation rewording 2019-05-23 03:01:35 -04:00
Andrzej Kurek
d3deb1d738 Typo fixes in documentation 2019-05-23 03:01:35 -04:00
Manuel Pégourié-Gonnard
45be3d8136 Fix compile guard for static function in ssl
The guard for the definition of the function was different from the guard on
its only use - make it the same.

This has been caught by tests/scripts/key-exchanges.pl. It had not been caught
by this script in earlier CI runs, because previously USE_PSA_CRYPTO was
disabled in the builds used by this script; enabling it uncovered the issue.
2019-05-23 03:01:35 -04:00
Manuel Pégourié-Gonnard
971dea3745 Enable USE_PSA_CRYPTO with config.pl full
Previously it was disabled as too experimental, which no longer holds. Also,
this option introduces new APIs, so it's not only about an internal
alternative (as the comment in config.pl used to state) - people who request a
full config should get all of the available APIs.

Adapt all.sh: now all builds with full config will also test this option, and
builds with the default config will test without it. Just to be sure, let's
have a build with full config minus this option.

Update documentation of MBEDTLS_USE_PSA_CRYPTO to reflect the status of the
new APIs it enables in Mbed TLS and why they're still opt-in.
2019-05-23 03:01:35 -04:00
Manuel Pégourié-Gonnard
de7636e2dd Enable MBEDTLS_PSA_CRYPTO_C by default
Also enable it in scripts/config.pl full, as well as two storage options that
were only blacklisted from full config because they depended on
MBEDTLS_PSA_CRYPTO_C.
2019-05-23 03:01:35 -04:00
Manuel Pégourié-Gonnard
d8167e85d6 Build from submodule by default (make, cmake)
Adapt tests in all.sh:
- tests with submodule enabled (default) no longer need to enable it
  explicitly, and no longer need runtime tests, as those are now handled by
all other test cases in this script
- tests with submodule disabled (old default) now need to disable it
  explicitly, and execute some runtime tests, as those are no longer tested
anywhere else in this script

Adapt documentation in Readme: remove the section "building with submodule"
and replace it with a new section before the other building sections.
Purposefully don't document how to build not from the submodule, as that
option is going away soon.
2019-05-23 03:01:35 -04:00
Gilles Peskine
9a52cf3d97 list-symbols.sh: if the build fails, print the build transcript
If "make clean lib" fails in list-symbols.sh, print the transcript
from running make.
2019-05-22 18:22:58 +02:00
Gilles Peskine
0c12e308af Document "check-names.sh -v" 2019-05-22 18:22:45 +02:00
Ron Eldor
56f071fb9e Add negative test for malformed SAN
Add a negative test for a malformed SAN extension.
2019-05-22 17:36:58 +03:00
Ron Eldor
5aebeeb5f4 Set next sequence of subject_alt_names to NULL
Set the next sequence of the subject_alt_name to NULL when deleting
sequence on failure in `get_subject_alt_name()`.
Found by Philippe Antoine. Credit to OSS-Fuzz.
2019-05-22 16:50:24 +03:00
Jaeden Amero
31d1432233 Merge remote-tracking branch 'origin/pr/2530' into development
* origin/pr/2530: (27 commits)
  Style fix
  Fix test data
  Update test data
  Add some negative test cases
  Fix minor issues
  Add ChangeLog entry about listing all SAN
  Check that SAN is not malformed when parsing
  Documentation fixes
  Fix ChangeLog entry
  Fail in case critical crt policy not supported
  Update SAN parsing documentation
  change the type of hardware_module_name member
  Change mbedtls_x509_subject_alternative_name
  Add length checking in certificate policy parsing
  Rephrase x509_crt extension member description
  Rephrase changeLog entries
  Remove redundant memset()
  Propogate error when parsing SubjectAltNames
  Tidy up style in x509_info_subject_alt_name
  Print unparseable SubjectAlternativeNames
  ...
2019-05-20 18:02:25 +01:00
Jaeden Amero
9ebcf9b00a Merge remote-tracking branch 'origin/pr/2538' into development
* origin/pr/2538:
  Remove unneeded whitespaces
  Fix mingw CI failures
  Initialize psa_crypto in ssl test
  Fix missing tls version test failures
  Fix typo
  Fix ChangeLog entry location
  Add changeLog entry
  Add test for export keys functionality
  Add function to retrieve the tls_prf type
  Add tests for the public tls_prf API
  Add public API for tls_prf
  Add eap-tls key derivation in the examples.
  Add ChangeLog entry
  Add an extra key export function
  Have the temporary buffer allocated dynamically
  Zeroize secret data in the exit point
  Add a single exit point in key derivation function
2019-05-20 10:58:36 +01:00
Jaeden Amero
fc4596f3d5 Merge remote-tracking branch 'origin/pr/2624' into development
* origin/pr/2624:
  Test the return value in the OID->X.509 map functions
  Add a test of the OID->MD map functions
  Add support for RSA PKCSv1.5 signatures using RIPEMD-160
2019-05-20 10:40:37 +01:00
Jaeden Amero
6a042fee2d Merge remote-tracking branch 'origin/pr/2636' into development
* origin/pr/2636:
  Only use submodule if present
2019-05-20 10:40:37 +01:00
Jaeden Amero
642cc821e2 Merge remote-tracking branch 'origin/pr/2465' into development
* origin/pr/2465:
  Ignore more generated files: seedfile, apidoc
  Improve .gitignore grouping and documentation
  Generate tags for Vi, for Emacs and with Global
2019-05-20 10:40:37 +01:00
Ron Eldor
6aeae9e962 Style fix
Add whitespace before parenthesis.
2019-05-20 12:00:36 +03:00
Ron Eldor
76a9c4a81f Fix test data
Fix test data to test what it actually intends to test.
2019-05-20 11:58:59 +03:00
Ron Eldor
8a59d6b964 Update test data
Update the test data for the negative certificate policies
extension tests with correct lengths, to test the correct behaviour.
Add another test.
2019-05-19 14:11:20 +03:00
Ron Eldor
11818f2c17 Add some negative test cases
Add some invalid certificate tests for certifiate policies extension.
2019-05-16 18:17:02 +03:00
Ron Eldor
a291391775 Fix minor issues
1. Typo fix.
2. Change byte by byte coipy to `memcpy`.
3. Remove parenthesis in switch cases.
2019-05-16 16:17:38 +03:00
Ron Eldor
e269537b80 Add ChangeLog entry about listing all SAN
Add a ChangeLog entry that indicates that all SAN types are
now listed in the corresponding certificate field.
2019-05-16 11:52:57 +03:00
Gilles Peskine
13f97dc164 all.sh: invoke check-names.sh in print-trace-on-exit mode 2019-05-15 17:55:33 +02:00
Gilles Peskine
36428d34c9 Print a command trace if the check-names.sh exits unexpectedly
We've observed that sometimes check-names.sh exits unexpectedly with
status 2 and no error message. The failure is not reproducible. This
commits makes the script print a trace if it exits unexpectedly.
2019-05-15 17:29:15 +02:00
Ron Eldor
51c4507b9c Remove unneeded whitespaces
Delete extra whitespace in Changelog and in paramter alignment.
2019-05-15 17:49:54 +03:00
Ron Eldor
801faf0fa1 Fix mingw CI failures
Change `%z` formatting of `size_t` to `%u` and casting to unsigned.
2019-05-15 17:45:24 +03:00
Ron Eldor
6b9b1b88fb Initialize psa_crypto in ssl test
Call `psa_crypto_init()` in `tls_prf` ssl test in case
`MBEDTLS_USE_PSA_CRYPTO` is defined since tls_prf may use psa crypto.
2019-05-15 17:04:33 +03:00