Commit graph

9406 commits

Author SHA1 Message Date
Jaeden Amero
e1b02df515 Merge remote-tracking branch 'origin/pr/2260' into development
* origin/pr/2260:
  Update crypto submodule
  Remove heading spaces in tests/data_files/Makefile
  Re-generate library/certs.c from script
  Add new line at the end of test-ca2.key.enc
  Use strict syntax to annotate origin of test data in certs.c
  Add run to all.sh exercising !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO
  Allow DHM self test to run without MBEDTLS_PEM_PARSE_C
  ssl-opt.sh: Auto-skip tests that use files if MBEDTLS_FS_IO unset
  Document origin of hardcoded certificates in library/certs.c
  Adapt ChangeLog
  Rename server1.der to server1.crt.der
  Add DER encoded files to git tree
  Add build instructions to generate DER versions of CRTs and keys
  Document "none" value for ca_path/ca_file in ssl_client2/ssl_server2
  ssl_server2: Skip CA setup if `ca_path` or `ca_file` argument "none"
  ssl_client2: Skip CA setup if `ca_path` or `ca_file` argument "none"
  Correct white spaces in ssl_server2 and ssl_client2
  Adapt ssl_client2 to parse DER encoded test CRTs if PEM is disabled
  Adapt ssl_server2 to parse DER encoded test CRTs if PEM is disabled
2019-06-14 08:46:48 +01:00
Jaeden Amero
a3daa21d8c Merge remote-tracking branch 'origin/pr/2678' into development
* origin/pr/2678:
  Update crypto submodule to 1.1.0d2
  all.sh: Perform targeted EtM tests for MAC-less configs
  ssl: Don't access non-existent encrypt_then_mac field
2019-06-10 11:00:14 +01:00
Jaeden Amero
e1ae731efa Update crypto submodule to 1.1.0d2 2019-06-07 13:51:36 +01:00
Jaeden Amero
048df33d62 Merge remote-tracking branch 'origin/pr/2679' into development
* origin/pr/2679:
  test: Remove redundant 0-byte decryption test
  test: Check empty buffer decryption for chachapoly
2019-06-06 14:19:23 +01:00
Jaeden Amero
bb16d0c956 Merge remote-tracking branch 'origin/pr/2654' into development
* origin/pr/2654:
  Create link to include/mbedtls only when testing is enabled
2019-06-06 14:18:23 +01:00
Jaeden Amero
2353b542d9 test: Remove redundant 0-byte decryption test
Remove the "Decrypt empty buffer" test, as ChaCha20 is a stream cipher
and 0 bytes encrypted is identical to a 0 length buffer. The "ChaCha20
Encrypt and decrypt 0 bytes" test will test decryption of a 0 length
buffer.
2019-06-06 11:56:54 +01:00
Jaeden Amero
ab11889958 test: Check empty buffer decryption for chachapoly
Previously, even in the Chacha20 and Chacha20-Poly1305 tests, we would
test that decryption of an empty buffer would work with
MBEDTLS_CIPHER_AES_128_CBC.

Make the cipher used with the dec_empty_buf() test configurable, so that
Chacha20 and Chacha20-Poly1305 empty buffer tests can use ciphers other
than AES CBC. Then, make the Chacha20 and Chacha20-Poly1305 empty buffer
tests use the MBEDTLS_CIPHER_CHACHA20 and
MBEDTLS_CIPHER_CHACHA20_POLY1305 cipher suites.
2019-06-06 11:56:54 +01:00
Jaeden Amero
6b1683dd5d all.sh: Perform targeted EtM tests for MAC-less configs
When testing a configuration where no ciphersuites have MAC, via
component_test_when_no_ciphersuites_have_mac(), perform a targeted test
of only encrypt-then-MAC tests within ssl-opt.sh.
2019-06-05 14:42:50 +01:00
Jaeden Amero
2de07f1dd1 ssl: Don't access non-existent encrypt_then_mac field
When MBEDTLS_SSL_ENCRYPT_THEN_MAC is enabled, but not
MBEDTLS_SSL_SOME_MODES_USE_MAC, mbedtls_ssl_derive_keys() and
build_transforms() will attempt to use a non-existent `encrypt_then_mac`
field in the ssl_transform.

    Compile [ 93.7%]: ssl_tls.c
    [Error] ssl_tls.c@865,14: 'mbedtls_ssl_transform {aka struct mbedtls_ssl_transform}' ha
s no member named 'encrypt_then_mac'
    [ERROR] ./mbed-os/features/mbedtls/src/ssl_tls.c: In function 'mbedtls_ssl_derive_keys'
:
    ./mbed-os/features/mbedtls/src/ssl_tls.c:865:14: error: 'mbedtls_ssl_transform {aka str
uct mbedtls_ssl_transform}' has no member named 'encrypt_then_mac'
         transform->encrypt_then_mac = session->encrypt_then_mac;
                  ^~

Change mbedtls_ssl_derive_keys() and build_transforms() to only access
`encrypt_then_mac` if `encrypt_then_mac` is actually present.

Add a regression test to detect when we have regressions with
configurations that do not include any MAC ciphersuites.

Fixes d56ed2491b ("Reduce size of `ssl_transform` if no MAC ciphersuite is enabled")
2019-06-05 14:09:29 +01:00
Simon Butcher
a1491fe74f Merge remote-tracking branch 'public/pr/2651' into HEAD 2019-06-04 16:09:30 +01:00
Simon Butcher
fe20bea3c7 Merge remote-tracking branch 'public/pr/2643' into HEAD 2019-06-04 16:09:20 +01:00
Simon Butcher
150deca7b9 Merge remote-tracking branch 'public/pr/2642' into HEAD 2019-06-04 16:09:14 +01:00
Simon Butcher
ca6aee4a45 Merge remote-tracking branch 'public/pr/2641' into HEAD 2019-06-04 16:09:07 +01:00
Hanno Becker
e35f02e1c4 Update crypto submodule
This commit updates the Crypto submodule to the merge commit of

  https://github.com/ARMmbed/mbed-crypto/pull/133

which mirrors the change of the DHM selftest, making the latter
succeed in builds with !MBEDTLS_PEM_PARSE_C.
2019-06-03 17:46:56 +01:00
Hanno Becker
4cbea4b07e Remove heading spaces in tests/data_files/Makefile 2019-06-03 17:46:56 +01:00
Hanno Becker
ff552f7d56 Re-generate library/certs.c from script 2019-06-03 17:46:56 +01:00
Hanno Becker
471ad477bb Add new line at the end of test-ca2.key.enc 2019-06-03 17:46:56 +01:00
Hanno Becker
92b4f8131c Use strict syntax to annotate origin of test data in certs.c
This allows to auto-generate them from scripts.
2019-06-03 17:46:56 +01:00
Hanno Becker
a545be2622 Add run to all.sh exercising !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO 2019-06-03 17:46:56 +01:00
Hanno Becker
3217c8d7e8 Allow DHM self test to run without MBEDTLS_PEM_PARSE_C 2019-06-03 17:46:56 +01:00
Hanno Becker
91e72c3121 ssl-opt.sh: Auto-skip tests that use files if MBEDTLS_FS_IO unset
This should allow to run ssl-opt.sh successfully in the default
configuration minus MBEDTLS_PEM_PARSE_C minus MBEDTLS_FS_IO.
2019-06-03 17:46:56 +01:00
Hanno Becker
960e588278 Document origin of hardcoded certificates in library/certs.c
All of them are copied from (former) CRT and key files in `tests/data_files`.
For files which have been regenerated since they've been copied to `certs.c`,
update the copy.

Add declarations for DER encoded test CRTs to certs.h

Add DER encoded versions of CRTs to certs.c

fix comment in certs.c

Don't use (signed) char for DER encoded certificates

Consistently use `const char *` for test CRTs regardless of encoding

Remove non-sensical and unused PW variable for DER encoded key

Provide test CRTs in PEM and DER fmt, + pick suitable per config

This commit modifies `certs.h` and `certs.c` to start following the
following pattern for the provided test certificates and files:

- Raw test data is named `NAME_ATTR1_ATTR2_..._ATTRn`

  For example, there are
     `TEST_CA_CRT_{RSA|EC}_{PEM|DER}_{SHA1|SHA256}`.

- Derived test data with fewer attributes, iteratively defined as one
  of the raw test data instances which suits the current configuration.

  For example,
     `TEST_CA_CRT_RSA_PEM`
  is one of `TEST_CA_CRT_RSA_PEM_SHA1` or `TEST_CA_CRT_RSA_PEM_SHA256`,
  depending on whether SHA-1 and/or SHA-256 are defined in the current
  config.

Add missing public declaration of test key password

Fix signedness and naming mismatches

Further improve structure of certs.h and certs.c

Fix definition of mbedtls_test_cas test CRTs depending on config

Remove semicolon after macro string constant in certs.c
2019-06-03 17:46:56 +01:00
Hanno Becker
666f60dd80 Adapt ChangeLog 2019-06-03 17:46:56 +01:00
Hanno Becker
58fc28ce1a Rename server1.der to server1.crt.der 2019-06-03 17:46:56 +01:00
Hanno Becker
8843c250c0 Add DER encoded files to git tree 2019-06-03 17:46:56 +01:00
Hanno Becker
e21387e014 Add build instructions to generate DER versions of CRTs and keys 2019-06-03 17:46:56 +01:00
Hanno Becker
422d1993d2 Document "none" value for ca_path/ca_file in ssl_client2/ssl_server2 2019-06-03 17:46:56 +01:00
Hanno Becker
8174bdfb94 ssl_server2: Skip CA setup if ca_path or ca_file argument "none"
This allows to test PSK-based ciphersuites via ssl_server2 in builds
which have MBEDTLS_X509_CRT_PARSE_C enabled but both MBEDTLS_FS_IO and
MBEDTLS_CERTS_C disabled.
2019-06-03 17:46:56 +01:00
Hanno Becker
623e7b4422 ssl_client2: Skip CA setup if ca_path or ca_file argument "none"
This allows to test PSK-based ciphersuites via ssl_client2 in builds
which have MBEDTLS_X509_CRT_PARSE_C enabled but both MBEDTLS_FS_IO and
MBEDTLS_CERTS_C disabled.

A similar change is applied to the `crt_file` and `key_file` arguments.
2019-06-03 17:46:56 +01:00
Hanno Becker
a0c5ceb2af Correct white spaces in ssl_server2 and ssl_client2 2019-06-03 17:46:56 +01:00
Hanno Becker
2900b14b11 Adapt ssl_client2 to parse DER encoded test CRTs if PEM is disabled 2019-06-03 17:46:56 +01:00
Hanno Becker
09b8cae006 Adapt ssl_server2 to parse DER encoded test CRTs if PEM is disabled 2019-06-03 17:46:56 +01:00
Hanno Becker
b9355b77d2 Add description of CID feature to ChangeLog 2019-06-03 16:07:50 +01:00
Hanno Becker
d0ac5faa72 Insert records with unexpected CID in CID tests in ssl-opt.sh 2019-06-03 16:07:50 +01:00
Hanno Becker
e8d6afd627 Add debug line witnessing receipt of unexpected CID 2019-06-03 16:07:50 +01:00
Hanno Becker
98aaf25686 Add bad_cid option UDP proxy to insert unexpected CID records
This commit adds the command line option 'bad_cid' to the UDP proxy
`./programs/test/udp_proxy`. It takes a non-negative integral value N,
which if not 0 has the effect of duplicating every 1:N CID records
and modifying the CID in the first copy sent.

This is to exercise the stacks documented behaviour on receipt
of unexpected CIDs.

It is important to send the record with the unexpected CID first,
because otherwise the packet would be dropped already during
replay protection (the same holds for the implementation of the
existing 'bad_ad' option).
2019-06-03 16:07:50 +01:00
Hanno Becker
92d30f5bcf Fix indentation in debug message in ssl_tls.c 2019-06-03 16:07:50 +01:00
Hanno Becker
8e55b0f852 Improve comment in ssl_parse_record_header() 2019-06-03 16:07:50 +01:00
Hanno Becker
3739e203cf Disable Connection ID feature by default 2019-06-03 16:07:50 +01:00
Hanno Becker
3978d10e9e Remove superfluous new line in ssl_server2 2019-06-03 16:07:50 +01:00
Hanno Becker
3279822e24 Improve readability of ssl_client2/ssl_server2 usage instructions 2019-06-03 16:07:50 +01:00
Hanno Becker
1d433a3294 Remove superfluous newline in ssl_client2 2019-06-03 16:07:50 +01:00
Hanno Becker
d5eed4258a Use negative-hex format for error codes in ssl_client2/ssl_server2 2019-06-03 16:07:50 +01:00
Hanno Becker
1125952107 Expand CID to Connection ID in documentation of mbedtls_ssl_conf_cid 2019-06-03 16:07:50 +01:00
Hanno Becker
6ae14c086d Exemplify ways of calling mbedtls_ssl_get_peer_cid() in ssl_client2 2019-06-03 16:07:50 +01:00
Hanno Becker
615ef17b67 Allow passing NULL pointers to mbedtls_ssl_get_peer_cid()
This commit modifies mbedtls_ssl_get_peer_cid() to also allow passing
NULL pointers in the arguments for the peer's CID value and length, in
case this information is needed.

For example, some users might only be interested in whether the use of
the CID was negotiated, in which case both CID value and length pointers
can be set to NULL. Other users might only be interested in confirming
that the use of CID was negotiated and the peer chose the empty CID,
in which case the CID value pointer only would be set to NULL.
It doesn't make sense to pass a NULL pointer for the CID length but a
non-NULL pointer for the CID value, as the caller has no way of telling
the length of the returned CID - and this case is therefore forbidden.
2019-06-03 16:07:50 +01:00
Hanno Becker
8c07beeb84 Rename MBEDTLS_SSL_CID->MBEDTLS_SSL_DTLS_CONNECTION_ID in SSL suite 2019-06-03 16:07:50 +01:00
Hanno Becker
62e5afabcb Fix typo in Doxygen documentation of mbedtls_ssl_conf_cid() 2019-06-03 16:07:50 +01:00
Hanno Becker
a0e20d04b2 Rename MBEDTLS_SSL_CID to MBEDTLS_SSL_DTLS_CONNECTION_ID
Files modified via

sed -i 's/MBEDTLS_SSL_CID\([^_]\|$\)/MBEDTLS_SSL_DTLS_CONNECTION_ID\1/g' **/*.c **/*.h **/*.sh **/*.function
2019-06-03 16:07:50 +01:00
Hanno Becker
ebcc9137ca Consistently reference CID draft through name + URL 2019-06-03 16:07:50 +01:00