Negative x coordinate was tested with the value -1. It happens to be one
of the low order points both for Curve25519 and Curve448 and might be
rejected because of that and not because it is negative. Make sure that
x < 0 is the only plausible reason for the point to be rejected.
Signed-off-by: Janos Follath <janos.follath@arm.com>
A test case for which the loop would take practically forever if it was
reached. The point would be to validate that the loop is not reached.
The test case should cause the CI to time out if starting with the
current code, ecp_check_pubkey_mx() was changed to call
ecp_check_pubkey_x25519() first and run the mbedtls_mpi_size(() test
afterwards, which would make no semantic difference in terms of memory
contents when the function returns, but would open the way for a DoS.
Signed-off-by: Janos Follath <janos.follath@arm.com>
* mbedtls-2.16: (21 commits)
Reword changelog - Test Resource Leak
Update changelog formatting - Missing Free Context
Fix fd range for select on Windows
Refactor file descriptor checks into a common function
Update changelog formatting - Missing Free Context
Update changelog formatting - Missing Free Context
Changelog entry for Free Context in test_suite_aes fix
Free context at the end of aes_crypt_xts_size()
Add changelog entry for non-uniform MPI random generation
ecp: Fix bias in the generation of blinding values
DHM: add test case with x_size < 0
DHM tests: add some explanations
DHM: add notes about leading zeros
dhm: Fix bias in private key generation and blinding
dhm_check_range: microoptimization
DHM refactoring: use dhm_random_below in dhm_make_common
DHM blinding: don't accept P-1 as a blinding value
DHM refactoring: unify mbedtls_dhm_make_{params,public}
Test mbedtls_dhm_make_params with different x_size
Repeat a few DH tests
...
in file tests/suite/test_suite_aes.function, aes_crypt_xts_size()
did not free the context upon the function exit.
The function now frees the context on exit.
Already resolved for 2.x and development - this is a backport for
2.16
Fixes#4176
Signed-off-by: JoeSubbiani <Joe.Subbiani@arm.com>
mbedtls_dhm_make_params() with x_size != size of P is not likely to be
useful, but it's supported, so test it.
Cherry-picked 33ec863570
Changed mbedtls_test_rnd_pseudo_info type to rnd_pseudo_info
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Repeat a few tests that use random data. This way the code is
exercised with a few different random values.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Improve the validation of the output from mbedtls_dhm_make_params:
* Test that the output in the byte buffer matches the value in the
context structure.
* Test that the calculated values are in the desired range.
Cherry-picked dc0b6e44b0.
Changed mbedtls_test_rnd_pseudo_rand to rnd_pseudo_rand.
Removed test step code.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
These test cases had been backported from Mbed TLS 2.x with a dependency
symbol that didn't exist in 2.16. Declare that symbol.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Backports some test helper macros added after 2.16. This will facilitate
backporting new test code.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Fix a pointer mismatch when int32_t is not int, for example on Cortex-M where
in32_t is long int. Fix#4530
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
When Mbed TLS 2.16 was released, the requirement was Python 2, not
Python 3. Since then, upstream Python 2 support has stopped, but it is
still maintained in some long-term-support distributions. For the sake
of users who build the unit tests in such environments, test that
generate_test_code.py remains compatible with Python 2.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Python 2 is no longer officially supported, but we were still using it
to generate test suite .c files from .function files when using GNU
make. Switch to looking for Python 3.
CMake currently uses a system-dependent version of the Python language.
This commit does not affect CMake builds.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
An SSL client can be configured to insist on a minimum size for the
Diffie-Hellman (DHM) parameters sent by the server. Add several test
cases where the server sends parameters with exactly the minimum
size (must be accepted) or parameters that are one bit too short (must
be rejected). Make sure that there are test cases both where the
boundary is byte-aligned and where it isn't.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Our interoperability tests fail with a recent OpenSSL server. The
reason is that they force 1024-bit Diffie-Hellman parameters, which
recent OpenSSL (e.g. 1.1.1f on Ubuntu 20.04) reject:
```
140072814650688:error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small:../ssl/s3_lib.c:3782:
```
We've been passing custom DH parameters since
6195767554 because OpenSSL <=1.0.2a
requires it. This is only concerns the version we use as
OPENSSL_LEGACY. So only use custom DH parameters for that version. In
compat.sh, use it based on the observed version of $OPENSSL_CMD.
This way, ssl-opt.sh and compat.sh work (barring other issues) for all
our reference versions of OpenSSL as well as for a modern system OpenSSL.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In a case exprssion, `|` separates patterns so it needs to be quoted.
Also `\` was not actually part of the set since it was quoting another
character.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
If `$FILTER` (`-f`) and `$EXCLUDE` (`-e`) are simple selections that
can be expressed as shell patterns, use a case statement instead of
calling grep to determine whether a test case should be executed.
Using a case statement significantly reduces the time it takes to
determine that a test case is excluded (but the improvement is small
compared to running the test).
This noticeably speeds up running a single test or a small number of
tests. Before:
```
tests/ssl-opt.sh -f Default 1.75s user 0.54s system 79% cpu 2.885 total
```
After:
```
tests/ssl-opt.sh -f Default 0.37s user 0.14s system 29% cpu 1.715 total
```
There is no perceptible difference when running a large number of tests.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Avoid using the external command grep for simple string-based checks.
Prefer a case statement. This improves performance.
The performance improvement is moderate but noticeable when skipping
most tests. When a test is run, the cost of the associated grep calls
is negligible. In this commit, I focused on the uses of grep that can
be easily replaced and that are executed a large number of times.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Marked dirty memory ends up in the result buffer after encoding (due to
the input having been marked dirty), and then the final comparison
to make sure that we got what we expected was triggering the constant
flow checker.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
These tests validate that an entropy object can be reused and that
calling mbedtls_entropy_free() twice is ok.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
These tests are trivial except when compiling with MBEDTLS_THREADING_C
and a mutex implementation that are picky about matching each
mbedtls_mutex_init() with exactly one mbedtls_mutex_free().
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Document the usage inside the library, and relate it with how it's
additionally used in the test code.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Subtract the number of calls to mbedtls_mutex_free() from the number
of calls to mbedtls_mutex_init(). A mutex leak will manifest as a
positive result at the end of the test case.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Chris Jones <christopher.jones@arm.com>
If the mutex usage verification framework is enabled and it detects a
mutex usage error, report this error and mark the test as failed.
This detects most usage errors, but not all cases of using
uninitialized memory (which is impossible in full generality) and not
leaks due to missing free (which will be handled in a subsequent commit).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Check that the source address and the frame counter have the expected
length. Otherwise, if the test data was invalid, the test code could
build nonsensical inputs, potentially overflowing the iv buffer.
The primary benefit of this change is that it also silences a warning
from compiling with `gcc-10 -O3` (observed with GCC 10.2.0 on
Linux/amd64). GCC unrolled the loops and complained about a buffer
overflow with warnings like:
```
suites/test_suite_ccm.function: In function 'test_mbedtls_ccm_star_auth_decrypt':
suites/test_suite_ccm.function:271:15: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
271 | iv[i] = source_address->x[i];
| ~~~~~~^~~~~~~~~~~~~~~~~~~~~~
suites/test_suite_ccm.function:254:19: note: at offset [13, 14] to object 'iv' with size 13 declared here
254 | unsigned char iv[13];
```
Just using memcpy instead of loops bypasses this warnings. The added
checks are a bonus.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
