Commit graph

1092 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
0ac1d2d5ca Fix error while removing memory.h usage 2015-01-26 16:44:37 +00:00
Manuel Pégourié-Gonnard
1e77a96683 Fix memsan false positive on Linux >= 3.17 2015-01-26 16:44:37 +00:00
Manuel Pégourié-Gonnard
d43ccb66fb Quit using deprecated header. 2015-01-23 17:38:09 +00:00
Manuel Pégourié-Gonnard
c26a092b50 Rename static lib name with make 2015-01-23 12:57:33 +00:00
Manuel Pégourié-Gonnard
dba564bc79 Fix files that are not in development 2015-01-23 11:37:14 +00:00
Manuel Pégourié-Gonnard
eab72e2ced Merge branch 'development' into dtls
* development:
  Update copyright
  Fix issue in compat.sh
  Rename doxyfile
  Rename to mbed TLS in tests/
  Rename to mbed TLS in examples
  Remove old test certificates.
  Rename to mbed TLS in the documentation/comments
  Change name to mbed TLS in the copyright notice

Conflicts:
	doxygen/input/doc_mainpage.h
	doxygen/mbedtls.doxyfile
	include/polarssl/version.h
	tests/compat.sh
2015-01-23 10:23:17 +00:00
Manuel Pégourié-Gonnard
a8f3b75f54 Fix issue in compat.sh 2015-01-22 17:20:35 +00:00
Manuel Pégourié-Gonnard
e4f6edcda1 Rename to mbed TLS in tests/ 2015-01-22 16:43:54 +00:00
Manuel Pégourié-Gonnard
3bb0801a95 Add default/basic test for DTLS 2015-01-22 13:34:21 +00:00
Manuel Pégourié-Gonnard
3a173f497b Merge branch 'development' into dtls
* development:
  Fix error code description.
  generate_errors.pl now errors on duplicate codes
  Avoid nested if's without braces.
  Move renego SCSV after actual ciphersuites
  Fix send_close_notify usage.
  Rename variable for clarity
  Improve script portability

Conflicts:
	library/ssl_srv.c
	programs/ssl/ssl_client2.c
	programs/ssl/ssl_server2.c
	tests/ssl-opt.sh
2015-01-22 13:30:33 +00:00
Manuel Pégourié-Gonnard
dc370e4969 Improve script portability 2015-01-22 10:24:59 +00:00
Manuel Pégourié-Gonnard
23eb74d8b5 Fix issues with new defaults 2015-01-21 14:37:13 +00:00
Manuel Pégourié-Gonnard
67505bf9e8 Merge branch 'development' into dtls
* development:
  Adapt tests to new defaults/errors.
  Fix typos/cosmetics in Changelog
  Disable RC4 by default in example programs.
  Add ssl_set_arc4_support()
  Set min version to TLS 1.0 in programs

Conflicts:
	include/polarssl/ssl.h
	library/ssl_cli.c
	library/ssl_srv.c
	tests/compat.sh
2015-01-21 13:57:33 +00:00
Manuel Pégourié-Gonnard
bfccdd3c92 Merge commit '36adc36' into dtls
* commit '36adc36':
  Add support for getrandom()
  Use library default for trunc-hmac in ssl_client2
  Make truncated hmac a runtime option server-side
  Fix portability issue in script
  Specific error for suites in common but none good
  Prefer SHA-1 certificates for pre-1.2 clients
  Some more refactoring/tuning.
  Minor refactoring

Conflicts:
	include/polarssl/error.h
	include/polarssl/ssl.h
	library/error.c
2015-01-21 13:48:45 +00:00
Manuel Pégourié-Gonnard
0017c2be48 Merge commit '9835bc0' into dtls
* commit '9835bc0':
  Fix racy test.
  Fix stupid error in previous commit
  Don't check errors on ssl_close_notify()
  Fix char signedness issue
  Fix issue with non-blocking I/O & record splitting
  Fix warning

Conflicts:
	programs/ssl/ssl_client2.c
	programs/ssl/ssl_server2.c
2015-01-21 13:42:16 +00:00
Manuel Pégourié-Gonnard
8fbb01ec84 Merge commit 'b2eaac1' into dtls
* commit 'b2eaac1':
  Stop assuming chars are signed
  Add tests for CBC record splitting
  Fix tests that were failing with record splitting
  Allow disabling record splitting at runtime
  Add 1/n-1 record splitting
  Enhance doc on ssl_write()

Conflicts:
	include/polarssl/ssl.h
	programs/ssl/ssl_client2.c
	programs/ssl/ssl_server2.c
2015-01-21 13:37:08 +00:00
Manuel Pégourié-Gonnard
0af1ba3521 Merge commit 'f6080b8' into dtls
* commit 'f6080b8':
  Fix warning in reduced configs
  Adapt to "negative" switch for renego
  Add tests for periodic renegotiation
  Make renego period configurable
  Auto-renegotiate before sequence number wrapping
  Update Changelog for compile-option renegotiation
  Switch from an enable to a disable flag
  Save 48 bytes if SSLv3 is not defined
  Make renegotiation a compile-time option
  Add tests for renego security enforcement

Conflicts:
	include/polarssl/ssl.h
	library/ssl_cli.c
	library/ssl_srv.c
	library/ssl_tls.c
	programs/ssl/ssl_server2.c
	tests/ssl-opt.sh
2015-01-21 11:54:33 +00:00
Manuel Pégourié-Gonnard
edb7ed3a43 Merge commit 'd7e2483' into dtls
* commit 'd7e2483': (57 commits)
  Skip signature_algorithms ext if PSK only
  Fix bug in ssl_client2 reconnect option
  Cosmetics in ssl_server2
  Improve debugging message.
  Fix net_usleep for durations greater than 1 second
  Use pk_load_file() in X509
  Create ticket keys only if enabled
  Fix typo in #ifdef
  Clarify documentation a bit
  Fix comment on resumption
  Update comment from draft to RFC
  Use more #ifdef's on CLI_C and SRV_C in ssl_tls.c
  Add recursion.pl to all.sh
  Allow x509_crt_verify_child() in recursion.pl
  Set a compile-time limit to X.509 chain length
  Fix 3DES -> DES in all.sh (+ time estimates)
  Add curves.pl to all.sh
  Rework all.sh to use MSan instead of valgrind
  Fix depends on individual curves in tests
  Add script to test depends on individual curves
  ...

Conflicts:
	CMakeLists.txt
	programs/ssl/ssl_client2.c
2015-01-20 16:52:28 +00:00
Manuel Pégourié-Gonnard
f9c8a606b5 Merge commit '8b9bcec' into dtls
* commit '8b9bcec':
  Stop assuming chars are signed
  Fix len miscalculation in buffer-based allocator
  Fix NULL dereference in buffer-based allocator
  Add test_suite_memory_buffer_alloc
  Add memory_buffer_alloc_self_test()
  Fix missing bound check
  Add test for ctr_drbg_update() input sanitizing
  Refactor for clearer correctness/security
  Stop assuming chars are signed

Conflicts:
	library/ssl_tls.c
2015-01-20 16:38:39 +00:00
Manuel Pégourié-Gonnard
51d81661dc Adapt tests to new defaults/errors. 2015-01-14 17:20:46 +01:00
Paul Bakker
5b8f7eaa3e Merge new security defaults for programs (RC4 disabled, SSL3 disabled) 2015-01-14 16:26:54 +01:00
Paul Bakker
c82b7e2003 Merge option to disable truncated hmac on the server-side 2015-01-14 16:16:55 +01:00
Paul Bakker
e522d0fa57 Merge smarter certificate selection for pre-TLS-1.2 clients 2015-01-14 16:12:48 +01:00
Manuel Pégourié-Gonnard
9835bc077a Fix racy test.
With exchanges == renego period, sometimes the connection will be closed by
the client before the server had time to read the ClientHello, making the test
fail. The extra exchange avoids that.
2015-01-14 14:41:58 +01:00
Manuel Pégourié-Gonnard
a852cf4833 Fix issue with non-blocking I/O & record splitting 2015-01-13 20:56:15 +01:00
Paul Bakker
f3561154ff Merge support for 1/n-1 record splitting 2015-01-13 16:31:34 +01:00
Paul Bakker
f6080b8557 Merge support for enabling / disabling renegotiation support at compile-time 2015-01-13 16:18:23 +01:00
Paul Bakker
d7e2483bfc Merge miscellaneous fixes into development 2015-01-13 16:04:38 +01:00
Manuel Pégourié-Gonnard
765bb31d24 Add test_suite_memory_buffer_alloc 2015-01-13 14:58:00 +01:00
Manuel Pégourié-Gonnard
f5f25b3a0d Add test for ctr_drbg_update() input sanitizing 2015-01-13 14:56:59 +01:00
Paul Bakker
d9e2dd2bb0 Merge support for Encrypt-then-MAC 2015-01-13 14:23:56 +01:00
Manuel Pégourié-Gonnard
bd47a58221 Add ssl_set_arc4_support()
Rationale: if people want to disable RC4 but otherwise keep the default suite
list, it was cumbersome. Also, since it uses a global array,
ssl_list_ciphersuite() is not a convenient place. So the SSL modules look like
the best place, even if it means temporarily adding one SSL setting.
2015-01-13 13:03:06 +01:00
Manuel Pégourié-Gonnard
a65d5082b6 Merge branch 'development' into dtls
* development:
  Fix previous commit
  Allow flexible location of valgrind
  Fix test scripts portability issues
  Fix Gnu-ism in script

Conflicts:
	tests/ssl-opt.sh
2015-01-12 14:54:55 +01:00
Paul Bakker
54b1a8fa4d Merge support for Extended Master Secret (session-hash) 2015-01-12 14:14:07 +01:00
Paul Bakker
b52b015c0b Merge support for FALLBACK_SCSV 2015-01-12 14:07:59 +01:00
Manuel Pégourié-Gonnard
448ea506bf Set min version to TLS 1.0 in programs 2015-01-12 12:32:04 +01:00
Manuel Pégourié-Gonnard
e117a8fc0d Make truncated hmac a runtime option server-side
Reading the documentation of ssl_set_truncated_hmac() may give the impression
I changed the default for clients but I didn't, the old documentation was
wrong.
2015-01-09 12:52:20 +01:00
Manuel Pégourié-Gonnard
f01768c55e Specific error for suites in common but none good 2015-01-08 17:06:16 +01:00
Manuel Pégourié-Gonnard
df331a55d2 Prefer SHA-1 certificates for pre-1.2 clients 2015-01-08 16:43:07 +01:00
Manuel Pégourié-Gonnard
3ff78239fe Add tests for CBC record splitting 2015-01-08 11:15:09 +01:00
Manuel Pégourié-Gonnard
c82ee3555f Fix tests that were failing with record splitting 2015-01-07 16:39:10 +01:00
Manuel Pégourié-Gonnard
f46f128f4a Fix test scripts portability issues 2014-12-11 17:26:09 +01:00
Manuel Pégourié-Gonnard
76c99a01a1 Fix Gnu-ism in script 2014-12-11 10:33:43 +01:00
Manuel Pégourié-Gonnard
590f416142 Add tests for periodic renegotiation 2014-12-02 10:40:55 +01:00
Manuel Pégourié-Gonnard
85d915b81d Add tests for renego security enforcement 2014-12-02 10:40:54 +01:00
Manuel Pégourié-Gonnard
ea29d152c7 Add recursion.pl to all.sh 2014-11-20 17:32:33 +01:00
Manuel Pégourié-Gonnard
89d69b398c Fix 3DES -> DES in all.sh (+ time estimates) 2014-11-20 16:36:08 +01:00
Manuel Pégourié-Gonnard
246978d97d Add curves.pl to all.sh 2014-11-20 16:36:08 +01:00
Manuel Pégourié-Gonnard
9bda9b3b92 Rework all.sh to use MSan instead of valgrind 2014-11-20 16:36:08 +01:00
Manuel Pégourié-Gonnard
cf4de32f58 Fix depends on individual curves in tests 2014-11-20 16:36:08 +01:00
Manuel Pégourié-Gonnard
2727dc1e09 Add script to test depends on individual curves 2014-11-20 16:36:08 +01:00
Manuel Pégourié-Gonnard
5c2aa10c15 Fix curve dependency issues in X.509 test suite 2014-11-20 16:36:07 +01:00
Manuel Pégourié-Gonnard
57a5d60abb Add tests for concatenated CRLs 2014-11-19 16:08:34 +01:00
Manuel Pégourié-Gonnard
4be3449dbc Add Readme about X.509 test files 2014-11-19 14:03:59 +01:00
Manuel Pégourié-Gonnard
8c9223df84 Add text view to debug_print_buf() 2014-11-19 13:21:38 +01:00
Manuel Pégourié-Gonnard
98aa19148c Adjust warnings in different modes 2014-11-14 16:45:48 +01:00
Manuel Pégourié-Gonnard
8a5e3d4a40 Forbid repeated X.509 extensions 2014-11-12 18:13:58 +01:00
Manuel Pégourié-Gonnard
b134060f90 Fix memory leak with crafted X.509 certs 2014-11-12 00:01:52 +01:00
Manuel Pégourié-Gonnard
0369a5291b Fix uninitialised pointer dereference 2014-11-12 00:01:52 +01:00
Manuel Pégourié-Gonnard
7c13d69cb5 Fix dependency issues 2014-11-12 00:01:34 +01:00
Manuel Pégourié-Gonnard
a1efcb084f Implement pk_check_pair() for RSA-alt 2014-11-08 18:00:22 +01:00
Manuel Pégourié-Gonnard
70bdadf54b Add pk_check_pair() 2014-11-06 18:25:51 +01:00
Manuel Pégourié-Gonnard
30668d688d Add ecp_check_pub_priv() 2014-11-06 18:25:51 +01:00
Manuel Pégourié-Gonnard
2f8d1f9fc3 Add rsa_check_pub_priv() 2014-11-06 18:25:51 +01:00
Manuel Pégourié-Gonnard
f9d778d635 Merge branch 'etm' into dtls
* etm:
  Fix warning in reduced config
  Update Changelog for EtM
  Keep EtM state across renegotiations
  Adjust minimum length for EtM
  Don't send back EtM extension if not using CBC
  Fix for the RFC erratum
  Implement EtM
  Preparation for EtM
  Implement initial negotiation of EtM

Conflicts:
	include/polarssl/check_config.h
2014-11-06 01:36:32 +01:00
Manuel Pégourié-Gonnard
56d985d0a6 Merge branch 'session-hash' into dtls
* session-hash:
  Update Changelog for session-hash
  Make session-hash depend on TLS versions
  Forbid extended master secret with SSLv3
  compat.sh: allow git version of gnutls
  compat.sh: make options a bit more robust
  Implement extended master secret
  Add negotiation of Extended Master Secret

Conflicts:
	include/polarssl/check_config.h
	programs/ssl/ssl_server2.c
2014-11-06 01:25:09 +01:00
Manuel Pégourié-Gonnard
fedba98ede Merge branch 'fb-scsv' into dtls
* fb-scsv:
  Update Changelog for FALLBACK_SCSV
  Implement FALLBACK_SCSV server-side
  Implement FALLBACK_SCSV client-side
2014-11-05 16:12:09 +01:00
Manuel Pégourié-Gonnard
b575b54cb9 Forbid extended master secret with SSLv3 2014-11-05 16:00:50 +01:00
Manuel Pégourié-Gonnard
169dd6a514 Adjust minimum length for EtM 2014-11-05 16:00:50 +01:00
Manuel Pégourié-Gonnard
dd4592774b compat.sh: allow git version of gnutls 2014-11-05 16:00:50 +01:00
Manuel Pégourié-Gonnard
78e745fc0a Don't send back EtM extension if not using CBC 2014-11-05 16:00:50 +01:00
Manuel Pégourié-Gonnard
0098e7dc70 Preparation for EtM 2014-11-05 16:00:50 +01:00
Manuel Pégourié-Gonnard
699cafaea2 Implement initial negotiation of EtM
Not implemented yet:
- actually using EtM
- conditions on renegotiation
2014-11-05 16:00:50 +01:00
Manuel Pégourié-Gonnard
85a4178f82 compat.sh: make options a bit more robust 2014-11-05 16:00:49 +01:00
Manuel Pégourié-Gonnard
01b2699198 Implement FALLBACK_SCSV server-side 2014-11-05 16:00:49 +01:00
Manuel Pégourié-Gonnard
1cbd39dbeb Implement FALLBACK_SCSV client-side 2014-11-05 16:00:49 +01:00
Manuel Pégourié-Gonnard
367381fddd Add negotiation of Extended Master Secret
(But not the actual thing yet.)
2014-11-05 16:00:49 +01:00
Paul Bakker
f2a459df05 Preparation for PolarSSL 1.4.0 2014-10-21 16:40:54 +02:00
Manuel Pégourié-Gonnard
a6ace04c5c Test for lost HelloRequest 2014-10-21 16:32:57 +02:00
Manuel Pégourié-Gonnard
f1384470bf Avoid spurious timeout in ssl-opt.sh 2014-10-21 16:32:57 +02:00
Manuel Pégourié-Gonnard
74a1378175 Avoid false positive in ssl-opt.sh with memcheck 2014-10-21 16:32:56 +02:00
Manuel Pégourié-Gonnard
e698f59a25 Add tests for ssl_set_dtls_badmac_limit() 2014-10-21 16:32:56 +02:00
Manuel Pégourié-Gonnard
caecdaed25 Cosmetics in ssl_server2 & complete tests for HVR 2014-10-21 16:32:54 +02:00
Manuel Pégourié-Gonnard
37e08e1689 Fix max_fragment_length with DTLS 2014-10-21 16:32:53 +02:00
Manuel Pégourié-Gonnard
127ab88dba Give more time to lossy tests with normal timers 2014-10-21 16:32:51 +02:00
Manuel Pégourié-Gonnard
ba958b8bdc Add test for server-initiated renego
Just assuming the HelloRequest isn't lost for now
2014-10-21 16:32:50 +02:00
Manuel Pégourié-Gonnard
85beb30b11 Add test for resumption with non-blocking I/O 2014-10-21 16:32:48 +02:00
Manuel Pégourié-Gonnard
a59af05dce Give more time to tests that time out too often 2014-10-21 16:32:47 +02:00
Manuel Pégourié-Gonnard
7a26d73735 Add test for session resumption 2014-10-21 16:32:47 +02:00
Manuel Pégourié-Gonnard
df9a0a8460 Drop unexpected ApplicationData
This is likely to happen on resumption if client speaks first at the
application level.
2014-10-21 16:32:46 +02:00
Manuel Pégourié-Gonnard
37a4de2cec Use shorter timeouts in ssl-opt.sh proxy tests 2014-10-21 16:32:44 +02:00
Manuel Pégourié-Gonnard
6093d81c20 Add tests with proxy and non-blocking I/O 2014-10-21 16:32:42 +02:00
Manuel Pégourié-Gonnard
579950c2bb Fix bug with non-blocking I/O and cookies 2014-10-21 16:32:42 +02:00
Manuel Pégourié-Gonnard
bd97fdb3a4 Make ssl_server2's HVR handling more realistic
It makes not sense to keep the connection open until the client is verified.
Until now it was useful since closing it crates a race where the second
ClientHello might be lost. But now that our client is able to resend, that's
not an issue any more.
2014-10-21 16:32:40 +02:00
Manuel Pégourié-Gonnard
36795197d9 Rm now useless MTU setting in compat.sh 2014-10-21 16:32:40 +02:00
Manuel Pégourié-Gonnard
7a66cbca75 Rm some redundant tests 2014-10-21 16:32:40 +02:00
Manuel Pégourié-Gonnard
9590e0a176 Add proxy tests with gnutls-srv & fragmentation 2014-10-21 16:32:40 +02:00
Manuel Pégourié-Gonnard
fa60f128d6 Quit using "yes" in ssl-opt.sh with openssl
It caused s_server to send an AppData record of 16Kb every millisecond or so,
which destroyed readability of the proxy and client logs.
2014-10-21 16:32:39 +02:00
Manuel Pégourié-Gonnard
08a1d4bce1 Fix bug with client auth with DTLS 2014-10-21 16:32:39 +02:00
Manuel Pégourié-Gonnard
d0fd1daa6b Add test with proxy and openssl server 2014-10-21 16:32:38 +02:00
Manuel Pégourié-Gonnard
1b753f1e27 Add test for renego with proxy 2014-10-21 16:32:38 +02:00
Manuel Pégourié-Gonnard
18e519a660 Add proxy tests with more handshake flows 2014-10-21 16:32:37 +02:00
Manuel Pégourié-Gonnard
76fe9e41c1 Test that anti-replay ignores all duplicates 2014-10-21 16:32:36 +02:00
Manuel Pégourié-Gonnard
2739313cea Make anti-replay a runtime option 2014-10-21 16:32:35 +02:00
Manuel Pégourié-Gonnard
246c13a05f Fix epoch checking 2014-10-21 16:32:34 +02:00
Manuel Pégourié-Gonnard
b47368a00a Add replay detection 2014-10-21 16:32:34 +02:00
Manuel Pégourié-Gonnard
4956fd7437 Test and fix anti-replay functions 2014-10-21 16:32:34 +02:00
Manuel Pégourié-Gonnard
825a49ed7c Add more udp_proxy tests 2014-10-21 16:32:32 +02:00
Manuel Pégourié-Gonnard
a6189f0fb0 udp_proxy wasn't actually killed 2014-10-21 16:32:30 +02:00
Manuel Pégourié-Gonnard
a0719727da Add tests with dropped packets 2014-10-21 16:32:30 +02:00
Manuel Pégourié-Gonnard
63eca930d7 Drop invalid records with DTLS 2014-10-21 16:30:28 +02:00
Manuel Pégourié-Gonnard
990f9e428a Handle late handshake messages gracefully 2014-10-21 16:30:26 +02:00
Manuel Pégourié-Gonnard
be9eb877f7 Adapt ssl-opt.sh to allow using udp_proxy in tests 2014-10-21 16:30:25 +02:00
Manuel Pégourié-Gonnard
0a65934ef3 Re-enable valgrind for all tests
Now we can handle duplicated messages due to the peer re-sending (due to us
being soooo slow with valgrind)
2014-10-21 16:30:24 +02:00
Manuel Pégourié-Gonnard
0c4cbc7895 Add test for fragmentation + renego with GnuTLS 2014-10-21 16:30:23 +02:00
Manuel Pégourié-Gonnard
f1499f602e Add interop testing for renego with GnuTLS 2014-10-21 16:30:23 +02:00
Manuel Pégourié-Gonnard
77b0b8d100 Disable some tests with valgrind for now 2014-10-21 16:30:23 +02:00
Manuel Pégourié-Gonnard
64dffc5d14 Make handshake reassembly work with openssl 2014-10-21 16:30:22 +02:00
Manuel Pégourié-Gonnard
a77561765f Add test with openssl with DTLS in ssl-opt.sh 2014-10-21 16:30:22 +02:00
Manuel Pégourié-Gonnard
502bf30fb5 Handle reassembly of handshake messages
Works only with GnuTLS for now, OpenSSL packs other records in the same
datagram after the last fragmented one, which we don't handle yet.

Also, ssl-opt.sh fails the tests with valgrind for now: we're so slow with
valgrind that gnutls-serv retransmits some messages, and we don't handle
duplicated messages yet.
2014-10-21 16:30:22 +02:00
Manuel Pégourié-Gonnard
c392b240c4 Fix server-initiated renegotiation with DTLS 2014-10-21 16:30:21 +02:00
Manuel Pégourié-Gonnard
30d16eb429 Fix client-initiated renegotiation with DTLS 2014-10-21 16:30:20 +02:00
Manuel Pégourié-Gonnard
0eb6cab979 Add DTLS cookies test to ssl-opt.sh 2014-10-21 16:30:19 +02:00
Manuel Pégourié-Gonnard
53aef81a7d Work around OpenSSL bug in compat.sh 2014-10-21 16:30:12 +02:00
Manuel Pégourié-Gonnard
d1af1025d0 Add DTLS interop testing with OpenSSL server
PSK suites failing with client auth
2014-10-21 16:30:12 +02:00
Manuel Pégourié-Gonnard
9bfb1226da Add DTLS interop testing with GnuTLS server 2014-10-21 16:30:12 +02:00
Manuel Pégourié-Gonnard
29980b16bd Add DTLS interop testing (PolarSSL server) 2014-10-21 16:30:11 +02:00
Manuel Pégourié-Gonnard
3025b6cfd6 Add DTLS self-op test in compat.sh 2014-10-21 16:30:10 +02:00
Paul Bakker
9eac4f7c4e Prepare for release 1.3.9 2014-10-20 13:56:15 +02:00
Manuel Pégourié-Gonnard
9c911da68f Add tests for X.509 name encoding mismatch 2014-10-17 12:42:31 +02:00
Manuel Pégourié-Gonnard
5d8618539f Fix memory leak while parsing some X.509 certs 2014-10-17 12:41:41 +02:00
Manuel Pégourié-Gonnard
64938c63f0 Accept spaces at end of line/buffer in base64 2014-10-15 23:53:33 +02:00
Manuel Pégourié-Gonnard
da1b4de0e4 Increase MPI_MAX_BYTES to allow RSA 8192 2014-10-15 22:06:46 +02:00
Paul Bakker
5a5fa92bfe x509_crt_parse() did not increase total_failed on PEM error
Result was that PEM errors in files with multiple certificates were not
detectable by the user.
2014-10-03 15:47:13 +02:00
Manuel Pégourié-Gonnard
7fa67728ad Scripts print more info on failure within buildbot 2014-08-31 17:42:53 +02:00
Manuel Pégourié-Gonnard
c2b0092a1b Fix leaving around temporary file in ssl-opt.sh 2014-08-31 17:17:36 +02:00
Manuel Pégourié-Gonnard
1287f11d54 Detect GnuTLS presence and version in compat.sh 2014-08-31 16:31:32 +02:00
Manuel Pégourié-Gonnard
16494496db Fix details in compat.sh 2014-08-31 10:37:14 +02:00
Manuel Pégourié-Gonnard
72e51ee7be Use arithmetic expansion in scripts, avoid bashisms 2014-08-31 10:22:11 +02:00
Manuel Pégourié-Gonnard
c0f6a692fb Add client timeout to ssl-opt.sh and compat.sh 2014-08-30 22:59:55 +02:00
Manuel Pégourié-Gonnard
decaf0b182 Clean up unused variable in compat.sh 2014-08-30 22:22:09 +02:00
Manuel Pégourié-Gonnard
a4afadfccd Fix bug in OpenSSL v2 support testing 2014-08-30 22:09:36 +02:00
Manuel Pégourié-Gonnard
644e8f377d Adapt debug_level in ssl-opt.sh to new levels
The meaning of debug_level was shift by one during the last debug overhaul.
(The new one is more rational, previously debug_level=1 didn't do anything.)
2014-08-30 21:59:31 +02:00
Manuel Pégourié-Gonnard
8e03c71b23 Normalize names in ssl-opt.sh
No numbering: does not add value, and painful to maintain, esp. with branches
2014-08-30 21:42:40 +02:00
Manuel Pégourié-Gonnard
51362961b8 Add interop testing of renegotiation 2014-08-30 21:22:47 +02:00
Manuel Pégourié-Gonnard
f2629b965e Rm now useless tricks from ssl-opt.sh 2014-08-30 14:20:14 +02:00
Manuel Pégourié-Gonnard
480905d563 Fix selection of hash from sig_alg ClientHello ext. 2014-08-30 14:19:59 +02:00
Manuel Pégourié-Gonnard
baa7f07809 Add GnuTLS support to ssl-opt.sh 2014-08-20 20:15:53 +02:00
Manuel Pégourié-Gonnard
f07f421759 Fix server-initiated renego with non-blocking I/O 2014-08-19 13:32:15 +02:00
Manuel Pégourié-Gonnard
a8c0a0dbd0 Add "exchanges" option to test server and client
Goal is to test renegotiation better: we need more than one exchange for
server-initiated renego to work reliably (the previous hack for this wouldn't
work with non-blocking I/O and probably not with DTLS either).

Also check message termination in a semi-realistic way.
2014-08-19 13:26:05 +02:00
Manuel Pégourié-Gonnard
6591962f06 Allow delay on renego on client
Currently unbounded: will be fixed later
2014-08-19 12:50:30 +02:00
Paul Bakker
d153ef335f Missing dependencies on POLARSSL_ECP_C fixed 2014-08-18 12:00:28 +02:00
Manuel Pégourié-Gonnard
74b11702d7 Simplify terminating ssl_server2 in test scripts 2014-08-14 18:33:00 +02:00
Manuel Pégourié-Gonnard
6f4fbbb3e1 Add a "skip" feature in ssl-opt.sh 2014-08-14 18:33:00 +02:00
Manuel Pégourié-Gonnard
61bc57af99 Optimize all.sh for new build options 2014-08-14 18:33:00 +02:00
Manuel Pégourié-Gonnard
39141fed63 Add warnings in debug build, and -Werror with ASan
- warnings in debug build allows the to be caught earlier
- -Werror with ASan make tests/scripts/all.sh a bit shorter
2014-08-14 18:33:00 +02:00
Manuel Pégourié-Gonnard
192253aaa9 Fix buffer size in pk_write_*_pem() 2014-08-14 11:34:35 +02:00
Manuel Pégourié-Gonnard
e46aa5e336 Update GnuTLS version requirements in compat.sh 2014-08-14 11:34:34 +02:00
Manuel Pégourié-Gonnard
7e0a5183db Add a missing suite to compat.sh 2014-08-14 11:34:34 +02:00
Manuel Pégourié-Gonnard
8d4ad07706 SHA-2 ciphersuites now require TLS 1.x 2014-08-14 11:34:34 +02:00
Manuel Pégourié-Gonnard
e73b26391d Add config-full to all.sh 2014-08-14 11:34:34 +02:00
Manuel Pégourié-Gonnard
7457cb3a56 Fix some version/peer requirements in compat.sh 2014-08-14 11:34:34 +02:00
Paul Bakker
8dcb2d7d7e Support escaping of commas in x509_string_to_names() 2014-08-11 11:59:52 +02:00
Paul Bakker
bd51b262d1 Add 'exit' label and variable initialization to relevant test suite functions 2014-07-10 16:37:50 +02:00
Paul Bakker
318d0fe844 Auto add 'exit' label in every test function. Failed assert now goes there 2014-07-10 15:27:11 +02:00
Paul Bakker
4d0cfe80ea Split assert() with side effects in test suite helper 2014-07-10 15:27:11 +02:00
Paul Bakker
6c343d7d9a Fix mpi_write_string() to write "00" as hex output for empty MPI 2014-07-10 15:27:10 +02:00
Paul Bakker
5b11d026cd Fix dependencies and includes without FS_IO and PLATFORM_C 2014-07-10 15:27:10 +02:00
Paul Bakker
ec3a617d40 Make ready for release of 1.3.8 and soversion 7 2014-07-09 10:21:28 +02:00
Paul Bakker
d2a2d61a68 Adapt programs / test suites 2014-07-09 10:19:24 +02:00
Paul Bakker
a317a98221 Adapt programs / test suites 2014-07-09 10:19:24 +02:00
Paul Bakker
14e8be4d33 Adapted programs / test suites to _init() and _free() 2014-07-09 10:19:23 +02:00
Paul Bakker
8cfd9d8c59 Adapt programs / test suites to _init() and _free() 2014-07-09 10:19:23 +02:00
Paul Bakker
6697b6c13b Properly free memory in new base64 tests 2014-07-04 18:35:50 +02:00
Paul Bakker
8fb99abaac Merge changes for leaner memory footprint 2014-07-04 15:02:19 +02:00
Paul Bakker
b9e08b086b Merge server-side enforced renegotiation requests 2014-07-04 15:01:37 +02:00
Paul Bakker
d598318661 Fix base64_decode() to return and check length correctly 2014-07-04 15:01:00 +02:00
Manuel Pégourié-Gonnard
cc10f4ddfe Use SSL_CIPHERSUITES in example configs 2014-07-04 14:59:08 +02:00
Manuel Pégourié-Gonnard
fae355e8ee Add tests for ssl_set_renegotiation_enforced() 2014-07-04 14:32:27 +02:00
Manuel Pégourié-Gonnard
a9964dbcd5 Add ssl_set_renegotiation_enforced() 2014-07-04 14:16:07 +02:00
Paul Bakker
237a847f1c Fix typos in comments 2014-06-25 14:45:24 +02:00
Paul Bakker
2a45d1c8bb Merge changes to config examples and configuration issues 2014-06-25 11:27:00 +02:00
Manuel Pégourié-Gonnard
d249b7ab9a Restore ability to trust non-CA selfsigned EE cert 2014-06-25 11:26:13 +02:00
Manuel Pégourié-Gonnard
c4eff16516 Restore ability to use v1 CA if trusted locally 2014-06-25 11:26:12 +02:00
Manuel Pégourié-Gonnard
8920f69fef Add test for packets of max size 2014-06-25 11:26:12 +02:00
Manuel Pégourié-Gonnard
ee415031e5 Add tests for small packets
Some truncated HMAC test failing right now.
2014-06-25 11:26:11 +02:00
Manuel Pégourié-Gonnard
e38eb0b7be Optimize config-suite-b for low RAM usage 2014-06-24 17:30:05 +02:00
Manuel Pégourié-Gonnard
f87cad9397 Fix some curve-specific depends in tests 2014-06-24 16:55:17 +02:00
Manuel Pégourié-Gonnard
1a74a26f77 Add config based on PSK-CCM 2014-06-24 15:51:32 +02:00
Manuel Pégourié-Gonnard
8f625632bb Fix dependencies: GCM != AEAD != CCM 2014-06-24 15:26:28 +02:00
Manuel Pégourié-Gonnard
f9378d8f11 Fix dependencies on PEM in tests and programs 2014-06-24 13:11:25 +02:00
Manuel Pégourié-Gonnard
0f7b619875 Fix tests dependencies in X509_USE_C 2014-06-24 12:54:46 +02:00
Manuel Pégourié-Gonnard
fea3102dcb Fix dependencies on X509_CRT_C in tests 2014-06-24 12:54:46 +02:00
Manuel Pégourié-Gonnard
43b29861fe Add reduced configuration used by picocoin 2014-06-24 12:54:45 +02:00
Paul Bakker
1c98ff96b5 Merge more test improvements and tests
Conflicts:
	tests/suites/test_suite_cipher.blowfish.data
2014-06-24 11:12:00 +02:00
Manuel Pégourié-Gonnard
398c57b0b3 Blowfish accepts variable key len in cipher layer 2014-06-24 11:01:33 +02:00
Manuel Pégourié-Gonnard
ed5c03ff1d Add tests for Blowfish-ECB via the cipher layer 2014-06-23 12:05:11 +02:00
Manuel Pégourié-Gonnard
f3b47243df Split x509_csr_parse_der() out of x509_csr_parse() 2014-06-23 11:54:57 +02:00
Manuel Pégourié-Gonnard
15f58a86f7 Add test for mpi_gen_prime() 2014-06-23 11:54:57 +02:00
Manuel Pégourié-Gonnard
fab2a3c3d6 Fix port selection in ssl test scripts
Port was selected in the 1000-1999 range which is bad (system ports).
2014-06-23 11:54:57 +02:00
Manuel Pégourié-Gonnard
0dc5e0d80b Add helper function zero_malloc for tests 2014-06-23 11:54:57 +02:00
Manuel Pégourié-Gonnard
b25f81665f Add test for bad arguments to MD functions 2014-06-23 11:54:57 +02:00
Manuel Pégourié-Gonnard
5e7693f6ba Add tests for bad arguments to cipher functions 2014-06-23 11:54:57 +02:00
Manuel Pégourié-Gonnard
6deaac0e62 Add tests vectors for (3)DES via cipher layer 2014-06-23 11:52:59 +02:00
Manuel Pégourié-Gonnard
255fe4b10e Add tests for Blowfish-ECB via the cipher layer 2014-06-23 11:52:59 +02:00
Manuel Pégourié-Gonnard
d77cd5d0c3 Add tests for x509_csr_parse 2014-06-23 11:52:59 +02:00
Manuel Pégourié-Gonnard
66aca931bc Add tests for pkcs5_pbes2 2014-06-23 11:52:59 +02:00
Manuel Pégourié-Gonnard
0c1ec479fe Make ssl-opt.sh faster and more robust 2014-06-20 20:03:33 +02:00
Paul Bakker
3461772559 Introduce polarssl_zeroize() instead of memset() for zeroization 2014-06-14 16:46:03 +02:00
Manuel Pégourié-Gonnard
bbcb1ce703 Revert "Avoid sleep 1 at server start in ssl-opt.sh"
This reverts commit db2a6c1a20.

Does not seem to work as expected on the buildbots. Reverted while
investigating, since it had no other used than speeding up the test script.
2014-06-13 18:05:23 +02:00
Paul Bakker
fe0984d727 Let all.sh work without shell expansion 2014-06-13 00:13:45 +02:00
Paul Bakker
c2ff2083ee Merge parsing and verification of RSASSA-PSS in X.509 modules 2014-06-12 22:02:47 +02:00
Paul Bakker
508e573231 Merge tests for asn1write, XTEA and Entropy modules 2014-06-12 21:26:33 +02:00
Paul Bakker
14c78c93d5 Merge more SSL tests and required ssl_server2 additions 2014-06-12 21:24:34 +02:00
Paul Bakker
c939e8d51f Merge improvements to SSL test scripts 2014-06-12 21:19:14 +02:00
Manuel Pégourié-Gonnard
95c0a63023 Add tests for ssl_get_bytes_avail() 2014-06-11 18:34:47 +02:00
Manuel Pégourié-Gonnard
90805a8d01 Add test for ssl_set_ciphersuites_for_version() 2014-06-11 14:08:10 +02:00
Manuel Pégourié-Gonnard
c7c56b2e82 Add more tests for the entropy module 2014-06-10 15:38:44 +02:00
Manuel Pégourié-Gonnard
2c25eb0b0a Add test_suite_entropy 2014-06-10 15:38:44 +02:00
Manuel Pégourié-Gonnard
7b4919c399 Add test vectors for XTEA CBC
Generate using an independent implementation found at:
https://code.google.com/p/zzt-code-base/source/browse/trunk/src/python/xtea.py
2014-06-10 15:38:43 +02:00
Manuel Pégourié-Gonnard
c22bb4994c Add tests for asn1_write_ia5_string() 2014-06-10 15:38:43 +02:00
Manuel Pégourié-Gonnard
36178ffb87 Add tests for asn1_write_octet_string() 2014-06-10 15:38:43 +02:00
Manuel Pégourié-Gonnard
10c3c9fda8 Add test for PSK without a key 2014-06-10 15:32:02 +02:00
Manuel Pégourié-Gonnard
a6781c99ee Add tests for PSK callback 2014-06-10 15:32:02 +02:00
Manuel Pégourié-Gonnard
0cc7e31ad1 Add test for ssl_set_dh_param_ctx() 2014-06-10 15:32:01 +02:00
Manuel Pégourié-Gonnard
57255b147d Tweak test ordering in all.sh 2014-06-09 11:22:25 +02:00
Manuel Pégourié-Gonnard
5873b00b7f Add pathological RSASSA-PSS test certificates
Certificates announcing different PSS options than the ones actually used for
the signature. Makes sure the options are correctly passed to the verification
function.
2014-06-07 11:21:52 +02:00
Manuel Pégourié-Gonnard
97049c26d8 Add forgotten depends in test 2014-06-06 17:00:03 +02:00
Manuel Pégourié-Gonnard
d1539b1e88 Rename RSASSA_PSS_CERTIFICATES to X509_RSASSA_PSS_SUPPORT 2014-06-06 16:42:37 +02:00
Manuel Pégourié-Gonnard
854036956d Add tests for x509 rsassa_pss params parsing 2014-06-06 16:32:22 +02:00
Manuel Pégourié-Gonnard
3d49b9d220 Add test helper function unhexify_alloc() 2014-06-06 16:32:22 +02:00
Manuel Pégourié-Gonnard
b29a7ba3f2 Fix missing depends in test_suite_pk 2014-06-06 16:32:22 +02:00
Manuel Pégourié-Gonnard
eacccb7fb9 Add RSASSA-PSS certificate with all defaults 2014-06-05 18:00:08 +02:00
Manuel Pégourié-Gonnard
53882023e7 Also verify CRLs signed with RSASSA-PSS 2014-06-05 17:59:55 +02:00
Manuel Pégourié-Gonnard
20422e9a3a Add pk_verify_ext() 2014-06-05 14:02:05 +02:00
Manuel Pégourié-Gonnard
3a6a95d67c Cleanup depends in PKCS#1 v2.1 test suite 2014-06-05 14:02:05 +02:00
Manuel Pégourié-Gonnard
5ec628a2b9 Add rsa_rsassa_pss_verify_ext() 2014-06-05 14:02:05 +02:00
Manuel Pégourié-Gonnard
920e1cd5e2 Add basic PSS cert verification
Still todo:
- handle MGF-hash != sign-hash
- check effective salt len == announced salt len
- add support in the PK layer so that we don't have to bypass it here
2014-06-04 12:09:08 +02:00
Manuel Pégourié-Gonnard
78117d57b0 Consider trailerField a constant 2014-06-02 16:12:46 +02:00
Manuel Pégourié-Gonnard
39868ee301 Parse CSRs signed with RSASSA-PSS 2014-06-02 16:10:30 +02:00
Manuel Pégourié-Gonnard
2a8d7fd76e Add tests for parsing CSRs 2014-06-02 16:10:29 +02:00
Manuel Pégourié-Gonnard
8e42ff6bde Parse CRLs signed with RSASSA-PSS 2014-06-02 16:10:29 +02:00
Manuel Pégourié-Gonnard
9df5c96214 Fix dependencies 2014-06-02 16:10:29 +02:00
Manuel Pégourié-Gonnard
e76b750b69 Finish parsing RSASSA-PSS parameters 2014-06-02 16:10:29 +02:00
Manuel Pégourié-Gonnard
f346bab139 Start parsing RSASSA-PSS parameters 2014-06-02 16:10:29 +02:00
Manuel Pégourié-Gonnard
59a75d5b9d Basic parsing of certs signed with RSASSA-PSS 2014-06-02 16:10:29 +02:00
Manuel Pégourié-Gonnard
db2a6c1a20 Avoid sleep 1 at server start in ssl-opt.sh
On my machine, brings running time from 135 to 45 seconds...
3 times faster :)
2014-05-29 12:15:40 +02:00
Manuel Pégourié-Gonnard
32f8f4d1a0 Catch SERVERQUIT timeout in ssl test scripts 2014-05-29 11:57:44 +02:00
Manuel Pégourié-Gonnard
bc3b16c7e2 Also use unique names for temp files 2014-05-29 11:57:43 +02:00
Manuel Pégourié-Gonnard
8066b81a54 Pick a "unique" port in SSL test scripts 2014-05-29 11:57:43 +02:00