These tests check for failures, but can only fail where SIZE_MAX
exceeds some limit (UINT_MAX or UINT32_MAX) and do not fail
in this way otherwise - so guards are needed.
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
The only remaining occurrences of TEST_ASSERT are now pointer comparison,
to NULL or to a reference md_info. That is, the output of the following
command is empty:
grep TEST_ASSERT tests/suites/test_suite_md.function |
egrep -v '= NULL|== md_info|md_info =='
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
The contentInfo field of PKCS7 Signed Data structures can
optionally contain the content of the signature. Per RFC 2315
it can also contain any of the PKCS7 data types. Add test and
comments making it clear that the current implementation
only supports the DATA content type and the data must be empty.
Return codes should be clear whether content was invalid or
unsupported.
Identification and fix provided by:
- Demi Marie Obenour <demiobenour@gmail.com>
- Dave Rodgman <dave.rodgman@arm.com>
Signed-off-by: Nick Child <nick.child@ibm.com>
If the digest algorithm is not compiled into Mbedtls,
then any pkcs7 structure which uses this algorithm
should fail with MBEDTLS_ERR_PKCS7_INVALID_ALG.
Add test for this case.
Signed-off-by: Nick Child <nick.child@ibm.com>
Not only was the size of 100 arbitrary, it's also not great for testing:
using MBEDTLS_MD_MAX_SIZE will get us an ASan error if it ever is too
small.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
For all test that want to use a hash, identify it by its numerical type
rather than a string. The motivation is that when we isolate the
MD-light subset from the larger MD, it won't have support for string
identifiers. Do the change for all tests, not just those that will
exercise functions in MD-light, for the sake of uniformity and because
numerical identifiers just feel better.
Note: mbedtls_md_info_from_string is still tested in md_info().
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Previously, a loop in pkcs7_get_signers_info_set was not
getting covered by tests. This was because when there are
two or less signers, the loop will not execute.
Therefore, add new data files for another signer and use
three signers to generate a new pkcs7 DER file. Add a test
case to make sure that verification is still successfula and
use the test script to create ASN1 errors throoughout the
stucture:
./generate_pkcs7_tests.py ../data_files/pkcs7_data_3_signed.der
This results in the loop being executed.
Signed-off-by: Nick Child <nick.child@ibm.com>
Previously there were two test functions for verify.
One allowed for the verification of one certificate and
the other allowed for verification of two certificates.
Merge these two functions into one function that can take
any number of certificates as an argument.
Signed-off-by: Nick Child <nick.child@ibm.com>
Several PKCS7 invalid ASN1 Tests were failing due to extra
data bytes or incorrect content lengths going unnoticed. Make
the parser aware of possible malformed ASN1 data.
Signed-off-by: Nick Child <nick.child@ibm.com>
Add test calls to raw asn1 data with slight syntatical errors
Increases %branches covered from 70.4% to 87.7%.
Add a script which serves as documentation for how these new test
cases were generated:
./generate_pkcs7_tests.py ../data_files/pkcs7_data_cert_signed_sha256.der
./generate_pkcs7_tests.py ../data_files/pkcs7_data_multiple_signed.der
Signed-off-by: Nick Child <nick.child@ibm.com>
In the future, tests will be added which take in a char buffer
and buflen. Rather than duplicate code, have tests which
read from file and from buffer use the same helper function
Signed-off-by: Nick Child <nick.child@ibm.com>
Add a test to verify a hash which uses a different digest
algorithm than the one specified in the pkcs7.
Signed-off-by: Nick Child <nick.child@ibm.com>
Additionally fix the generation of test_csr_v3_all_malformed_extension_ns_cert_bitstream_tag.csr.der which was incorectly malformed.
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
The fix_quasi_reduction function changed to static so checking the
invalid arguments are not needed anymore.
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
Rename the function to 'fix_quasi_reduction' to better suite its functionality.
Also changed the name prefix to suite for the new module.
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
These tests are not run in development because of the
overlapping !TLS_1_3 requirement and usage of full config.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
The following shell command (requiring GNU grep) looks for algorithms and
key types, as well as IS and GET macros, that lack metadata tests:
```
for x in $(grep -Pho '(?<=^#define )PSA_(ALG|KEY_TYPE)_(?!CATEGORY_|NONE\b|\w+_(BASE|FLAG|MASK|CASE))\w+' include/psa/crypto_values.h include/psa/crypto_extra.h); do grep -qw $x tests/suites/test_suite_psa_crypto_metadata.* || echo $x; done
```
This may have false negatives: it only checks that the constants are
mentioned at least once, not that the tests are written correctly.
This has false positives:
* Types and algorithms that Mbed TLS does not support.
* PSA_ALG_ECDSA_IS_DETERMINISTIC, PSA_ALG_DSA_IS_DETERMINISTIC are peculiar
auxiliary macros that only apply to very specific algorithms and aren't
tested like the other IS macros.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Add PSA_WANT_KEY_TYPE_PASSWORD and PSA_WANT_KEY_TYPE_PASSWORD_HASH to
psa/crypto_config.h, since the types PSA_KEY_TYPE_PASSWORD and
PSA_KEY_TYPE_PASSWORD_HASH are used by ECJPAKE.
The two key types are always enabled, like PSA_KEY_TYPE_DERIVE.
Add the key types to the metadata test suite as well.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Some of the tests use mbedtls_test_cli_key_rsa_der and
mbedtls_test_cli_crt_rsa_der, and these can be used with
specific ciphersuites.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
- added 2 new certificates: 1 for testing a serial which is full lenght
and another one for a serial which starts with 0x80
- added also proper Makefile and openssl configuration file to generate
these 2 new certificates
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Some PSA curves' symbols (PSA_WANT_) were not matching the corresponding
MBEDTLS_ECP_DP_. This was fixed together with the removal of extra code
when DEBUG_C is not enabled.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
mbedtls_test_psa_setup_key_derivation_wrap() returns 1 for success, 0
for error, so the test here was wrong.
This is just a hotfix in order to avoid a testing gap. Larger issues not
addressed here:
- I don't think we should just exit and mark the test as passed; if
we're not doing the actual testing this should be marked as SKIP.
- Returning 1 for success and 0 for failure is a violation of our
documented coding guidelines. We're also supposed to test with == 0 or
!= 0. Having consistent conventions is supposed to help avoid errors
like this.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Otherwise, in builds without PKSC1_V15, tests that are supposed to
accept the certificate will fail, because once the cert is OK they will
move on to checking the CRL and will choke on its non-PSS signature.
Tests that are supposed to reject the cert due to an invalid signature
from the CA will not check the CRL because they don't recognize the CA
as valid, so they have no reason to check the CA's CRL. This was hiding
the problem until the recent commit that added a test where the cert is
supposed to be accepted.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
We've decided not to check it, see
https://github.com/Mbed-TLS/mbedtls/issues/5277
Also add a test that we accept the certificate with USE_PSA.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
The code had an earlier version. Update to the new seed that
mpi_core_random_basic has moved to.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
mbedtls_mpi_mod_raw_random() and mbedtls_mpi_mod_random() were producing
output in the Montgomery representation, instead of obeying the
representation chosen in the modulus structure. Fix this.
Duplicate the test cases for mod-random output to have separate test cases
for each representation.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In the basic/XXX=core test cases, use odd upper bounds, because the mod
version of random() only supports odd upper bounds (the upper bound is a
modulus and the mod modules only support odd moduli).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Move bignum-related helper functions to their own files under tests/include
and tests/src. The primary motivation is that a subsequent commit will make
bignum_helpers.h include library/bignum*.h, but we want to be able to
include <test/helpers.h> without having the library directory on the include
path (we do this in some programs under programs/ intended for testing).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
mpi_core_random_basic and mpi_random_values must generate the same random
sequences in order to get the expected test coverage (where we know we'll
hit certain numbers of retries). Facilitate this by defining the RNG seed
only once.
Fix the seed to explicitly list all 16 words of the key. This isn't strictly
required (missing initializer fields get the value zero), but it's clearer.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This is meant to adapt to the new library design in which
SHA224 and SHA256 can be built independently from each other.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
This is meant to adapt to the new library design in which
SHA384 and SHA512 can be built independently from each other.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Previously the same test was repeated twice.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
Tests are refactored to generate separate cases for 32-bit and 64-bit
limbs using arch_split. Duplicate arguments and branching in the test
function is removed.
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
muladd() (restartable or not) is only available when at least one short
weirstrass curve is enabled.
Found by depends.py curves (now that restartable is part of full).
Also, document that restartable only work for short weierstrass curves
(actually unrelated, but this made me think of that).
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This fixes the two failures in test_suite_x509parse when both
ECP_RESTARTABLE and USE_PSA_CRYPTO are enabled.
The failure happened because the operation is dispatched to PSA when
restart is disabled (max_ops == 0).
Previously it was correct for this test function not to initialize PSA,
because it depends on ECP_RESTARTABLE which used to conflict with
USE_PSA_CRYPTO, but that's no longer the case.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
The random-in-nrange test code has auxiliary functions that are common to all
the interfaces (core, mod_raw (upcoming), mod (upcoming), legacy), and does
some differential testing to check that all the layers consume the RNG in
the saame way. Test them all in the same test suite.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Test some cases where mbedtls_mpi_core_random() or mbedtls_mpi_random()
should return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE. These test cases use a very
small range that makes the NOT_ACCEPTABLE case likely. The test code uses a
deterministic RNG whose implementation is in the test framework, so we know
that the tests will pass reproducibly unless the implementation the test
framework changes.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The test function mpi_random_many() is the main function for testing the
get-random-in-range function. It validates that the random generator's
output is within the desired range, and performs some basic statistical
checks including checking that small ranges are covered exhaustively.
Switch this function from testing mbedtls_mpi_random() to testing
mbedtls_mpi_core_random(). This does not reduce the test coverage of
mbedtls_mpi_random() because the same properties are now validated
indirectly via mpi_random_values() which checks that mbedtls_mpi_random()
and mbedtls_mpi_core_random() produce identical values for identical inputs.
As of this commit, mpi_random_many() still uses some legacy mpi functions
internally because the corresponding functions don't exist yet in core.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
For good cases, test that mbedtls_mpi_random() produces the same output as
mbedtls_mpi_core_random().
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Compare a single-limb MPI with a multi-limb MPI. This is rather ad hoc, but
will be useful for mbedtls_mpi_core_random.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This is the first step in arranging that functions from constant_time.c are
tested in test_suite_constant_time.function.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
These are very CPU-intensive, so make it easy to skip them. And conversely,
make it easy to run them without the growing body of SSL tests.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Require equality for the number of limbs in the modulus and the residue.
This makes these functions consistent with residue_setup().
Signed-off-by: Janos Follath <janos.follath@arm.com>
The value was overwritten and the length wasn't used either. This latter
could have lead to a buffer overflow as well.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Test macros have goto instructions to the end where everything is freed.
We need to call init before that happens to make calling free functions
safe.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The external representation before included more than just endianness
(like reading in Mongtomery curve scalars or converting hashes to
numbers in a standard compliant way).
These are higher level concepts and are out of scope for Bignum and for
the modulus structure.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The external representation before included more than just endianness
(like reading in Mongtomery curve scalars or converting hashes to
numbers in a standard compliant way).
These are higher level concepts and are out of scope for Bignum and for
the modulus structure.
Passing endianness as a parameter is a step towards removing it from the
modulus structure.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The external representation before included more than just endianness
(like reading in Mongtomery curve scalars or converting hashes to
numbers in a standard compliant way).
These are higher level concepts and are out of scope for Bignum and for
the modulus structure.
Passing endianness as a parameter is a step towards removing it from the
modulus structure.
Signed-off-by: Janos Follath <janos.follath@arm.com>
In theory we could allow residues to have more allocated limbs than the
modulus, but we might or might not need it in the end.
Go for the simpler option for now and we can extend it later if we
really need it.
Signed-off-by: Janos Follath <janos.follath@arm.com>
We want to make sure that the value has at least as many limbs allocated
as the modulus as we need this to be able to do any operations in
constant time.
An invariant of the API is that the residue values are canonical, make
sure that the residue is compared to the entire modulus.
Signed-off-by: Janos Follath <janos.follath@arm.com>
This patch adjusts the I/O methods and the tests.
Documentation has also been updated to be more clear.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
This patch adjusts the logic of the size checking of the method,
and refactors the tests. Documentation has also been updated.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
This patch is inverting the input type checking logic in the method,
in order to ensure that residue < modulus.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
This patch adds the following tests for the high levet IO api:
* mpi_mod_io_neg
* mpi_mod_io
Manually generated test data has also been included.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
psa_cipher_encrypt() and psa_cipher_decrypt() sometimes add a zero offset to
a null pointer when the cipher does not use an IV. This is undefined
behavior, although it works as naively expected on most platforms. This
can cause a crash with modern Clang+ASan (depending on compiler optimizations).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The test cases aim to mirror the legacy function, but needed the some
cases to be removed because:
- Null representation is not valid in core
- There are no negative numbers in core
- Bignum core doesn't do parameter checking and there are no promises for
even N
The _size variant of the test has been removed as bignum core doesn't do
parameter checking and there is no promises for inputs that are larger
than MBEDTLS_MPI_MAX_SIZE.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Now that we have a function that calls
mbedtls_mpi_core_ct_uint_table_lookup(), the compiler won't complain if
we make it static.
Signed-off-by: Janos Follath <janos.follath@arm.com>
- external errors are now checked in the specified point. If the
same error happens in another line, then this is not valid and
the test fails
- fixed some inconsistency in which injected error codes were not
taken from the data file. Now all the expected error code are
read from the data file
- added a couple of defines to shrink the code
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
As for ecjpake_setup(), now the test function can handle:
- "external" errors, through parameters set by the data file
- "internal" ones, through enums which inject ad-hoc failures
Similarly also ecjpake_rounds() can handle both type of errors,
but right now there's no erroneous case in the associated ".data"
file.
In both cases, after an error the current test is terminated.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Now when operation holds pointer to dynamically allocated buffer for password key we can't do copy of the operation object in test instead we need to re-initialize operation object after error.
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
When x is the most negative value of a two's complement type,
`(unsigned_type)(-x)` has undefined behavior, whereas `-(unsigned_type)x`
has well-defined behavior and does what was intended.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The bignum module does not officially support "negative zero" (an
mbedtls_mpi object with s=-1 and all limbs zero). However, we have a
history of bugs where a function that should produce an official
zero (with s=1), produces a negative zero in some circumstances. So it's
good to check that the bignum functions are robust when passed a negative
zero as input. And for that, we need a way to construct a negative zero
from test case arguments.
There are checks that functions don't produce negative zeros as output in
the test suite. Skip those checks if there's a negative zero input: we
don't want functions to _create_ negative zeros, but we don't mind if
they _propagate_ negative zeros.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The already existing "x509_csr_check()" function is extended in order
to support/test also CSR's extensions. The test is performed by
adding an extended key usage.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Fix error in memory allocation in test code, which was triggering an
error in test_memory_buffer_allocator.
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
