Commit graph

23431 commits

Author SHA1 Message Date
Hanno Becker
dae916b05f X.509: Add length consistency checks to x509_get_other_name()
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-02-07 05:24:32 -05:00
Hanno Becker
2a15a0c868 X.509: Remove red'n bounds checks and zeroiz'n in OtherName parsing
- ASN.1 parsing functions check that length don't exceed buffer bounds,
  so checks `p + len > end` are redundant.
- If `p + len == end`, this is erroneous because we expect further fields,
  which is automatically caught by the next ASN.1 parsing call.

Hence, the two branches handling `p + len >= end` in x509_get_other_name()
can be removed.

Further, zeroization of the `other_name` structure isn't necessary
because it's not confidential (and it's also not performed on other
error conditions in this function).
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-02-07 05:15:27 -05:00
Hanno Becker
5d82c3b99c X.509: Improve negative testing for SubjectAltName parsing
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-02-07 05:10:29 -05:00
Hanno Becker
dc0e8b92f8 Add a ChangeLog entry
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-02-07 05:10:29 -05:00
Hanno Becker
db305ff42e X.509: Improve negative testing for SubjectAltName parsing
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-02-07 05:10:29 -05:00
Hanno Becker
ae8f8c435c Fix X.509 SAN parsing
Fixes #2838. See the issue description for more information.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-02-07 05:10:27 -05:00
Gilles Peskine
a0c806aac1
Merge pull request #7003 from lpy4105/issue/do-not-run-x86-tests-on-arm64
all.sh: test_m32_xx is not supported on arm64 host
2023-02-07 10:26:10 +01:00
Gilles Peskine
4c77601832
Merge pull request #6975 from davidhorstmann-arm/c-build-helper-improvements
Minor improvements to `c_build_helper.py`
2023-02-07 10:25:59 +01:00
Yanray Wang
3f9961bfca compat.sh: remove G_CLIENT_PRIO as it's not used
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-02-07 16:36:51 +08:00
Yanray Wang
a89c4d51f7 compat.sh: display "no" even if $VERIFY=YES for PSK test cases
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-02-07 16:36:51 +08:00
Yanray Wang
5d646e705d compat.sh: do not filter PSK ciphersuites for GnuTLS if $VERIFY=YES
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-02-07 16:36:51 +08:00
Yanray Wang
c66a46f734 compat.sh: remove check_openssl_server_bug
As there is no $VERIFY for PSK test cases,
check_openssl_server_bug is not functional in compat.sh.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-02-07 16:36:51 +08:00
Yanray Wang
35c0eadf0f compat.sh: avoid running duplicate test cases for PSK
With the introduction of PSK_TESTS,
 - Either `compat.sh -V NO` or `compat.sh -V YES` runs the PSK tests
 - `compat.sh` or `compat.sh -V "NO YES"` runs PSK tests only once

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-02-07 16:36:51 +08:00
Yanray Wang
dae7057e1f compat.sh: ignore $VERIFY in PSK TYPE
There is no need to provide CA file in PSK. Thus VERIFY is
meaningless for PSK. This change omits the arguments passed to
the client and server for $VERIFY=YES.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-02-07 16:36:20 +08:00
Valerio Setti
1cdddacc62 pk_wrap: use proper macros for sign and verify
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-07 08:02:23 +01:00
Valerio Setti
5c593af271 pk_wrap: fix comment on closing #endif
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-07 08:02:23 +01:00
Valerio Setti
0568decc0c ecdsa: add comment for ecdsa_context
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-07 08:02:23 +01:00
Valerio Setti
24138d9f83 pk_wrap: re-use identical functions for eckey and ecdsa when possible
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-07 08:02:23 +01:00
Valerio Setti
7ca1318256 pk: add new symbol for generic ECDSA capability
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-07 08:02:23 +01:00
Valerio Setti
bf74f52920 test: add a comment specifying why restartable cannot be tested
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-07 08:02:23 +01:00
Valerio Setti
9e30dd882d removing a leftover printf from debug
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-07 08:02:23 +01:00
Valerio Setti
4836374088 test: ECDSA driver only: fixing disparities in tests
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-07 08:02:23 +01:00
Valerio Setti
ab363d9fe1 pk/pk_wrap: replace ECDSA_C with generic ECDSA capabilities' defines
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-07 08:02:23 +01:00
Valerio Setti
cf084ae256 pk: add generic defines for ECDSA capabilities
The idea is to state what are ECDSA capabilities independently from how
this is achieved

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-07 08:02:23 +01:00
Valerio Setti
4e0278d710 test: ECDSA driver only: disable ECP_RESTARTABLE
This is not yet supported in driver only implementation

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-07 08:02:23 +01:00
Valerio Setti
4e26df99aa test: ECDSA driver_only: verify disparities in PK
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-02-07 08:02:23 +01:00
Gabor Mezei
63aae68b8f
Fix documentation
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-02-06 16:24:08 +01:00
Dave Rodgman
f31c9e441b
Merge pull request #7019 from tom-cosgrove-arm/dont-use-cast-assignment-in-ssl_server2.c
Don't use cast-assignment in ssl_server.c
2023-02-06 12:13:08 +00:00
Jan Bruckner
1aabe5c4d7 Fix typos
Signed-off-by: Jan Bruckner <jan@janbruckner.de>
2023-02-06 12:54:53 +01:00
Jan Bruckner
aa31b19395 Extend test framework for Record Size Limit Extension
Fixes #7006

Signed-off-by: Jan Bruckner <jan@janbruckner.de>
2023-02-06 12:54:29 +01:00
Manuel Pégourié-Gonnard
cced3521cb Fix style in test_suite_md.function
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-06 12:37:02 +01:00
Dave Rodgman
94c9c96c94
Merge pull request #6998 from aditya-deshpande-arm/fix-example-programs-usage
Fix incorrect dispatch to USAGE in example programs, which causes uninitialized memory to be used
2023-02-06 09:53:50 +00:00
Nick Child
50886c25f3 pkcs7/test: Add test for parsing a disabled algorithm
If the digest algorithm is not compiled into Mbedtls,
then any pkcs7 structure which uses this algorithm
should fail with MBEDTLS_ERR_PKCS7_INVALID_ALG.
Add test for this case.

Signed-off-by: Nick Child <nick.child@ibm.com>
2023-02-03 20:33:12 +00:00
Nick Child
6291cc2444 pkcs7/test: Remove f strings in generator script
MbedTLS CI uses python v3.5, f strings are not supported
until v3.6 . Remove f string's from generate_pkcs7_tests.py.

Signed-off-by: Nick Child <nick.child@ibm.com>
2023-02-03 20:33:12 +00:00
Tom Cosgrove
de85725507 Don't use cast-assignment in ssl_server.c
Would have used mbedtls_put_unaligned_uint32(), but alignment.h is in library/.

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-02-03 16:38:05 +00:00
Aditya Deshpande
9b45f6bb68 Fix more argc checks
Signed-off-by: Aditya Deshpande <aditya.deshpande@arm.com>
2023-02-03 16:15:30 +00:00
Gilles Peskine
10ada35019
Merge pull request #7022 from daverodgman/3DES-warning
Improve warnings for DES/3DES
2023-02-03 16:41:34 +01:00
Gilles Peskine
0cfb08ddf1
Merge pull request #6922 from mprse/csr_v3
Parsing v3 extensions from a CSR - v.2
2023-02-03 16:41:11 +01:00
Manuel Pégourié-Gonnard
f5e2331f8a Use TEST_EQUAL when applicable in test_suite_md
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-03 12:51:03 +01:00
Manuel Pégourié-Gonnard
b707bedca4 Avoid unnecessary copy in test_suite_md
Also avoids buffer with an arbitrary size while at it.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-03 12:32:41 +01:00
Manuel Pégourié-Gonnard
4ba98f5350 Use MBEDTLS_MD_MAX_SIZE in test_suite_md
Not only was the size of 100 arbitrary, it's also not great for testing:
using MBEDTLS_MD_MAX_SIZE will get us an ASan error if it ever is too
small.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-03 12:25:53 +01:00
Manuel Pégourié-Gonnard
c90514ee11 Use MD type not string to in MD test data
For all test that want to use a hash, identify it by its numerical type
rather than a string. The motivation is that when we isolate the
MD-light subset from the larger MD, it won't have support for string
identifiers. Do the change for all tests, not just those that will
exercise functions in MD-light, for the sake of uniformity and because
numerical identifiers just feel better.

Note: mbedtls_md_info_from_string is still tested in md_info().

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-03 12:13:10 +01:00
Gilles Peskine
80c552556a
Merge pull request #6791 from yanrayw/6675-change-some-key-generation-funcs-to-static
TLS 1.3: Key Generation: change some key generation functions to static
2023-02-03 11:56:35 +01:00
Gilles Peskine
753ad17a41
Merge pull request #6982 from aditya-deshpande-arm/check-files-characters
check_files.py: Allow specific Box Drawing characters to be used
2023-02-03 11:46:06 +01:00
Gilles Peskine
e2db23d741
Merge pull request #6902 from yanrayw/6651-enable-cipher-suite-names-consistent
compat.sh: report and filter cipher suite names consistently
2023-02-03 11:38:31 +01:00
Manuel Pégourié-Gonnard
bae8d2ae13
Merge pull request #7028 from daverodgman/sizeof-brackets
Fix use of sizeof without brackets
2023-02-03 10:29:56 +01:00
Manuel Pégourié-Gonnard
d56def5c30
Merge pull request #6946 from valeriosetti/issue6856
driver-only ECDSA: fix testing disparities in ecp, random, se_driver_hal
2023-02-03 08:51:04 +01:00
Yanray Wang
f206c1493b Remove duplicate mbedtls_platform_zeroize for tls13_early_secrets
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-02-03 13:55:47 +08:00
Yanray Wang
131ec931eb Remove the additional dot in output of compat.sh
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-02-03 12:13:04 +08:00
Gilles Peskine
34c43a871f Make the fields of mbedtls_pk_rsassa_pss_options public
This makes it possible to verify RSA PSS signatures with the pk module,
which was inadvertently broken since Mbed TLS 3.0. Fixes #7040.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-02-02 23:06:37 +01:00