From f3e5c22f4dc9693fa95710de468e47a9d37bd850 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Thu, 12 Jun 2014 11:06:36 +0200
Subject: [PATCH 01/19] Refactor x509_string_to_names(): data in a table
---
library/x509_create.c | 116 ++++++++++++++++++++----------------------
1 file changed, 54 insertions(+), 62 deletions(-)
diff --git a/library/x509_create.c b/library/x509_create.c
index 96b153bdcf..1019313327 100644
--- a/library/x509_create.c
+++ b/library/x509_create.c
@@ -40,6 +40,59 @@ #define strncasecmp _strnicmp #endif +typedef struct { + const char *name; + size_t name_len; + const char*oid; +} x509_attr_descriptor_t; + +#define ADD_STRLEN( s ) s, sizeof( s ) - 1 + +static const x509_attr_descriptor_t x509_attrs[] = +{ + { ADD_STRLEN( "CN" ), OID_AT_CN }, + { ADD_STRLEN( "commonName" ), OID_AT_CN }, + { ADD_STRLEN( "C" ), OID_AT_COUNTRY }, + { ADD_STRLEN( "countryName" ), OID_AT_COUNTRY }, + { ADD_STRLEN( "O" ), OID_AT_ORGANIZATION }, + { ADD_STRLEN( "organizationName" ), OID_AT_ORGANIZATION }, + { ADD_STRLEN( "L" ), OID_AT_LOCALITY }, + { ADD_STRLEN( "locality" ), OID_AT_LOCALITY }, + { ADD_STRLEN( "R" ), OID_PKCS9_EMAIL }, + { ADD_STRLEN( "OU" ), OID_AT_ORG_UNIT }, + { ADD_STRLEN( "organizationalUnitName" ), OID_AT_ORG_UNIT }, + { ADD_STRLEN( "ST" ), OID_AT_STATE }, + { ADD_STRLEN( "stateOrProvinceName" ), OID_AT_STATE }, + { ADD_STRLEN( "emailAddress" ), OID_PKCS9_EMAIL }, + { ADD_STRLEN( "serialNumber" ), OID_AT_SERIAL_NUMBER }, + { ADD_STRLEN( "postalAddress" ), OID_AT_POSTAL_ADDRESS }, + { ADD_STRLEN( "postalCode" ), OID_AT_POSTAL_CODE }, + { ADD_STRLEN( "dnQualifier" ), OID_AT_DN_QUALIFIER }, + { ADD_STRLEN( "title" ), OID_AT_TITLE }, + { ADD_STRLEN( "surName" ), OID_AT_SUR_NAME }, + { ADD_STRLEN( "SN" ), OID_AT_SUR_NAME }, + { ADD_STRLEN( "givenName" ), OID_AT_GIVEN_NAME }, + { ADD_STRLEN( "GN" ), OID_AT_GIVEN_NAME }, + { ADD_STRLEN( "initials" ), OID_AT_INITIALS }, + { ADD_STRLEN( "pseudonym" ), OID_AT_PSEUDONYM }, + { ADD_STRLEN( "generationQualifier" ), OID_AT_GENERATION_QUALIFIER }, + { ADD_STRLEN( "domainComponent" ), OID_DOMAIN_COMPONENT }, + { ADD_STRLEN( "DC" ), OID_DOMAIN_COMPONENT }, + { NULL, 0, NULL } +}; + +static const char *x509_at_oid_from_name( const char *name, size_t name_len ) +{ + const x509_attr_descriptor_t *cur; + + for( cur = x509_attrs; cur->name != NULL; cur++ ) + if( cur->name_len == name_len && + strncasecmp( cur->name, name, name_len ) == 0 ) + break; + + return( cur->oid ); +} + int 
x509_string_to_names( asn1_named_data **head, const char *name ) { int ret = 0; 
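Review bot: `x509_at_oid_from_name()` signals "not found" only implicitly: when the loop runs off the end of the table, `cur` points at the `{ NULL, 0, NULL }` terminator and `return( cur->oid )` yields NULL because of that row's third field. That coupling is undocumented, and the `for` body is an unbraced multi-line `if`, so a later edit to the terminator or the loop could silently change what the caller's `== NULL` check sees. I would brace the loop body and add a header comment such as `/* Return the OID for an attribute name (length-delimited, compared case-insensitively), or NULL if it is not in x509_attrs */`. `ADD_STRLEN` is only needed to build the table, so an `#undef ADD_STRLEN` after it would keep the macro from leaking into the rest of the file, assuming nothing further down uses it.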
@@ -55,68 +108,7 @@ int x509_string_to_names( asn1_named_data **head, const char *name ) { if( in_tag && *c == '=' ) { - if( c - s == 2 && strncasecmp( s, "CN", 2 ) == 0 ) - oid = OID_AT_CN; - else if( c - s == 10 && strncasecmp( s, "commonName", 10 ) == 0 ) - oid = OID_AT_CN; - else if( c - s == 1 && strncasecmp( s, "C", 1 ) == 0 ) - oid = OID_AT_COUNTRY; - else if( c - s == 11 && strncasecmp( s, "countryName", 11 ) == 0 ) - oid = OID_AT_COUNTRY; - else if( c - s == 1 && strncasecmp( s, "O", 1 ) == 0 ) - oid = OID_AT_ORGANIZATION; - else if( c - s == 16 && - strncasecmp( s, "organizationName", 16 ) == 0 ) - oid = OID_AT_ORGANIZATION; - else if( c - s == 1 && strncasecmp( s, "L", 1 ) == 0 ) - oid = OID_AT_LOCALITY; - else if( c - s == 8 && strncasecmp( s, "locality", 8 ) == 0 ) - oid = OID_AT_LOCALITY; - else if( c - s == 1 && strncasecmp( s, "R", 1 ) == 0 ) - oid = OID_PKCS9_EMAIL; - else if( c - s == 2 && strncasecmp( s, "OU", 2 ) == 0 ) - oid = OID_AT_ORG_UNIT; - else if( c - s == 22 && - strncasecmp( s, "organizationalUnitName", 22 ) == 0 ) - oid = OID_AT_ORG_UNIT; - else if( c - s == 2 && strncasecmp( s, "ST", 2 ) == 0 ) - oid = OID_AT_STATE; - else if( c - s == 19 && - strncasecmp( s, "stateOrProvinceName", 19 ) == 0 ) - oid = OID_AT_STATE; - else if( c - s == 12 && strncasecmp( s, "emailAddress", 12 ) == 0 ) - oid = OID_PKCS9_EMAIL; - else if( c - s == 12 && strncasecmp( s, "serialNumber", 12 ) == 0 ) - oid = OID_AT_SERIAL_NUMBER; - else if( c - s == 13 && strncasecmp( s, "postalAddress", 13 ) == 0 ) - oid = OID_AT_POSTAL_ADDRESS; - else if( c - s == 10 && strncasecmp( s, "postalCode", 10 ) == 0 ) - oid = OID_AT_POSTAL_CODE; - else if( c - s == 11 && strncasecmp( s, "dnQualifier", 11 ) == 0 ) - oid = OID_AT_DN_QUALIFIER; - else if( c - s == 5 && strncasecmp( s, "title", 5 ) == 0 ) - oid = OID_AT_TITLE; - else if( c - s == 7 && strncasecmp( s, "surName", 7 ) == 0 ) - oid = OID_AT_SUR_NAME; - else if( c - s == 2 && strncasecmp( s, "SN", 2 ) == 0 ) - oid = 
OID_AT_SUR_NAME; - else if( c - s == 9 && strncasecmp( s, "givenName", 9 ) == 0 ) - oid = OID_AT_GIVEN_NAME; - else if( c - s == 2 && strncasecmp( s, "GN", 2 ) == 0 ) - oid = OID_AT_GIVEN_NAME; - else if( c - s == 8 && strncasecmp( s, "initials", 8 ) == 0 ) - oid = OID_AT_INITIALS; - else if( c - s == 9 && strncasecmp( s, "pseudonym", 9 ) == 0 ) - oid = OID_AT_PSEUDONYM; - else if( c - s == 19 && - strncasecmp( s, "generationQualifier", 19 ) == 0 ) - oid = OID_AT_GENERATION_QUALIFIER; - else if( c - s == 15 && - strncasecmp( s, "domainComponent", 15 ) == 0 ) - oid = OID_DOMAIN_COMPONENT; - else if( c - s == 2 && strncasecmp( s, "DC", 2 ) == 0 ) - oid = OID_DOMAIN_COMPONENT; - else + if( ( oid = x509_at_oid_from_name( s, c - s ) ) == NULL ) { ret = POLARSSL_ERR_X509_UNKNOWN_OID; goto exit; From 2a8afa98e250b913b47b7b9157137c1954be4ca2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 12 Jun 2014 12:00:44 +0200 Subject: [PATCH 02/19] pkcs5_self_test depends on SHA1 --- library/pkcs5.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/library/pkcs5.c b/library/pkcs5.c index 8f6a814dc6..424952ab9c 100644 --- a/library/pkcs5.c +++ b/library/pkcs5.c @@ -295,6 +295,16 @@ int pkcs5_pbkdf2_hmac( md_context_t *ctx, const unsigned char *password, #if defined(POLARSSL_SELF_TEST) +#if !defined(POLARSSL_SHA1_C) +int pkcs5_self_test( int verbose ) +{ + if( verbose != 0 ) + polarssl_printf( " PBKDF2 (SHA1): skipped\n\n" ); + + return( 0 ); +} +#else + #include #define MAX_TESTS 6 @@ -398,6 +408,7 @@ int pkcs5_self_test( int verbose ) return( 0 ); } +#endif /* POLARSSL_SHA1_C */ #endif /* POLARSSL_SELF_TEST */ From 66aca931bc2e2e7b6e5edc0e725cf0fed11f2be3 Mon Sep 17 00:00:00 2001 
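Review bot: The new `pkcs5_self_test()` stub in library/pkcs5.c returns 0 when `POLARSSL_SHA1_C` is not defined, so a caller that only checks the return value cannot tell a skipped PBKDF2 self-test from a passed one. The only trace is the `skipped` line, and that is printed only when `verbose != 0`. If returning success for an untestable configuration is the intended convention, a short comment on the stub would make that explicit, e.g. `/* No SHA-1 available: nothing to test, report success so reduced configs still pass selftest */`. The matching `#endif /* POLARSSL_SHA1_C */` is added by the second hunk of this file, after the real test function, whose body lies outside both hunks.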
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 12 Jun 2014 13:14:55 +0200 Subject: [PATCH 03/19] Add tests for pkcs5_pbes2 --- library/pkcs5.c | 4 + tests/suites/test_suite_pkcs5.data | 104 +++++++++++++++++++++++++ tests/suites/test_suite_pkcs5.function | 34 ++++++++ 3 files changed, 142 insertions(+) diff --git a/library/pkcs5.c b/library/pkcs5.c index 424952ab9c..061f4738e8 100644 --- a/library/pkcs5.c +++ b/library/pkcs5.c @@ -175,6 +175,10 @@ int pkcs5_pbes2( asn1_buf *pbe_params, int mode, if( cipher_info == NULL ) return( POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE ); + /* + * The value of keylen from pkcs5_parse_pbkdf2_params() is ignored + * since it is optional and we don't know if it was set or not + */ keylen = cipher_info->key_length / 8; if( enc_scheme_params.tag != ASN1_OCTET_STRING || diff --git a/tests/suites/test_suite_pkcs5.data b/tests/suites/test_suite_pkcs5.data index 7ee0360067..c22ad0b6f0 100644 --- a/tests/suites/test_suite_pkcs5.data +++ b/tests/suites/test_suite_pkcs5.data 
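Review bot: The comment added in `pkcs5_pbes2()` records that an explicit PBKDF2 keyLength is dropped, which also means parameters whose keyLength disagrees with the cipher's key size are accepted without complaint. `pkcs5_parse_pbkdf2_params()` (shown in a later patch of this series) returns without writing `*keylen` when the field is absent. The caller could therefore make presence detectable by setting `keylen = 0` before the parse call, which is outside this hunk, and then checking before the overwrite: `if( keylen != 0 && keylen != (int) cipher_info->key_length / 8 ) return( POLARSSL_ERR_PKCS5_INVALID_FORMAT );`. If ignoring the field is deliberate for interoperability, the comment should say that rather than "we don't know if it was set or not".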
@@ -17,3 +17,107 @@ pbkdf2_hmac:POLARSSL_MD_SHA1:"70617373776f726450415353574f524470617373776f7264": PBKDF2 RFC 6070 Test Vector #6 (SHA1) depends_on:POLARSSL_SHA1_C pbkdf2_hmac:POLARSSL_MD_SHA1:"7061737300776f7264":"7361006c74":4096:16:"56fa6aa75548099dcc37d7f03425e0c3" + +PBES2 Decrypt (OK) +depends_on:POLARSSL_SHA1_C:POLARSSL_DES_C +pkcs5_pbes2:ASN1_CONSTRUCTED | ASN1_SEQUENCE:"301B06092A864886F70D01050C300E04082ED7F24A1D516DD702020800301406082A864886F70D030704088A4FCC9DCC394910":"70617373776f7264":"1B60098D4834CA752D37B430E70B7A085CFF86E21F4849F969DD1DF623342662443F8BD1252BF83CEF6917551B08EF55A69C8F2BFFC93BCB2DFE2E354DA28F896D1BD1BFB972A1251219A6EC7183B0A4CF2C4998449ED786CAE2138437289EB2203974000C38619DA57A4E685D29649284602BD1806131772DA11A682674DC22B2CF109128DDB7FD980E1C5741FC0DB7":0:"308187020100301306072A8648CE3D020106082A8648CE3D030107046D306B0201010420F12A1320760270A83CBFFD53F6031EF76A5D86C8A204F2C30CA9EBF51F0F0EA7A1440342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFF060606060606" + +PBES2 Decrypt (bad params tag) +depends_on:POLARSSL_SHA1_C:POLARSSL_DES_C +pkcs5_pbes2:ASN1_SEQUENCE:"":"":"":POLARSSL_ERR_PKCS5_INVALID_FORMAT + POLARSSL_ERR_ASN1_UNEXPECTED_TAG:"" + +PBES2 Decrypt (bad KDF AlgId: not a sequence) +depends_on:POLARSSL_SHA1_C:POLARSSL_DES_C +pkcs5_pbes2:ASN1_CONSTRUCTED | ASN1_SEQUENCE:"31":"":"":POLARSSL_ERR_PKCS5_INVALID_FORMAT + POLARSSL_ERR_ASN1_UNEXPECTED_TAG:"" + +PBES2 Decrypt (bad KDF AlgId: overlong) +depends_on:POLARSSL_SHA1_C:POLARSSL_DES_C +pkcs5_pbes2:ASN1_CONSTRUCTED | ASN1_SEQUENCE:"3001":"":"":POLARSSL_ERR_PKCS5_INVALID_FORMAT + POLARSSL_ERR_ASN1_OUT_OF_DATA:"" + +PBES2 Decrypt (KDF != PBKDF2) +depends_on:POLARSSL_SHA1_C:POLARSSL_DES_C +pkcs5_pbes2:ASN1_CONSTRUCTED | ASN1_SEQUENCE:"300B06092A864886F70D01050D":"":"":POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE:"" + +PBES2 Decrypt (bad PBKDF2 params: not a sequence) 
+depends_on:POLARSSL_SHA1_C:POLARSSL_DES_C +pkcs5_pbes2:ASN1_CONSTRUCTED | ASN1_SEQUENCE:"300D06092A864886F70D01050C3100":"":"":POLARSSL_ERR_PKCS5_INVALID_FORMAT + POLARSSL_ERR_ASN1_UNEXPECTED_TAG:"" + +PBES2 Decrypt (bad PBKDF2 params: overlong) +depends_on:POLARSSL_SHA1_C:POLARSSL_DES_C +pkcs5_pbes2:ASN1_CONSTRUCTED | ASN1_SEQUENCE:"300D06092A864886F70D01050C3001":"":"":POLARSSL_ERR_PKCS5_INVALID_FORMAT + POLARSSL_ERR_ASN1_OUT_OF_DATA:"" + +PBES2 Decrypt (bad PBKDF2 params salt: not an octet string) +depends_on:POLARSSL_SHA1_C:POLARSSL_DES_C +pkcs5_pbes2:ASN1_CONSTRUCTED | ASN1_SEQUENCE:"300E06092A864886F70D01050C30010500":"":"":POLARSSL_ERR_PKCS5_INVALID_FORMAT + POLARSSL_ERR_ASN1_UNEXPECTED_TAG:"" + +PBES2 Decrypt (bad PBKDF2 params salt: overlong) +depends_on:POLARSSL_SHA1_C:POLARSSL_DES_C +pkcs5_pbes2:ASN1_CONSTRUCTED | ASN1_SEQUENCE:"300E06092A864886F70D01050C30010401":"":"":POLARSSL_ERR_PKCS5_INVALID_FORMAT + POLARSSL_ERR_ASN1_OUT_OF_DATA:"" + +PBES2 Decrypt (bad PBKDF2 params iter: not an int) +depends_on:POLARSSL_SHA1_C:POLARSSL_DES_C +pkcs5_pbes2:ASN1_CONSTRUCTED | ASN1_SEQUENCE:"301906092A864886F70D01050C300C04082ED7F24A1D516DD70300":"":"":POLARSSL_ERR_PKCS5_INVALID_FORMAT + POLARSSL_ERR_ASN1_UNEXPECTED_TAG:"" + +PBES2 Decrypt (bad PBKDF2 params iter: overlong) +depends_on:POLARSSL_SHA1_C:POLARSSL_DES_C +pkcs5_pbes2:ASN1_CONSTRUCTED | ASN1_SEQUENCE:"301906092A864886F70D01050C300C04082ED7F24A1D516DD70201":"":"":POLARSSL_ERR_PKCS5_INVALID_FORMAT + POLARSSL_ERR_ASN1_OUT_OF_DATA:"" + +PBES2 Decrypt (OK, PBKDF2 params explicit keylen) +depends_on:POLARSSL_SHA1_C:POLARSSL_DES_C +pkcs5_pbes2:ASN1_CONSTRUCTED | ASN1_SEQUENCE:"301E06092A864886F70D01050C301104082ED7F24A1D516DD702020800020118301406082A864886F70D030704088A4FCC9DCC394910":"70617373776f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ecrypt (bad PBKDF2 params explicit keylen: overlong) +depends_on:POLARSSL_SHA1_C:POLARSSL_DES_C +pkcs5_pbes2:ASN1_CONSTRUCTED | 
ASN1_SEQUENCE:"301D06092A864886F70D01050C301004082ED7F24A1D516DD7020208000201":"":"":POLARSSL_ERR_PKCS5_INVALID_FORMAT + POLARSSL_ERR_ASN1_OUT_OF_DATA:"" + +PBES2 Decrypt (OK, PBKDF2 params explicit prf_alg) +depends_on:POLARSSL_SHA1_C:POLARSSL_DES_C +pkcs5_pbes2:ASN1_CONSTRUCTED | ASN1_SEQUENCE:"302706092A864886F70D01050C301A04082ED7F24A1D516DD702020800300A06082A864886F70D0207301406082A864886F70D030704088A4FCC9DCC394910":"70617373776f7264":"1B60098D4834CA752D37B430E70B7A085CFF86E21F4849F969DD1DF623342662443F8BD1252BF83CEF6917551B08EF55A69C8F2BFFC93BCB2DFE2E354DA28F896D1BD1BFB972A1251219A6EC7183B0A4CF2C4998449ED786CAE2138437289EB2203974000C38619DA57A4E685D29649284602BD1806131772DA11A682674DC22B2CF109128DDB7FD980E1C5741FC0DB7":0:"308187020100301306072A8648CE3D020106082A8648CE3D030107046D306B0201010420F12A1320760270A83CBFFD53F6031EF76A5D86C8A204F2C30CA9EBF51F0F0EA7A1440342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFF060606060606" + +PBES2 Decrypt (bad, PBKDF2 params explicit prf_alg not a sequence) +depends_on:POLARSSL_SHA1_C:POLARSSL_DES_C +pkcs5_pbes2:ASN1_CONSTRUCTED | ASN1_SEQUENCE:"301D06092A864886F70D01050C301004082ED7F24A1D516DD7020208003100":"":"":POLARSSL_ERR_PKCS5_INVALID_FORMAT + POLARSSL_ERR_ASN1_UNEXPECTED_TAG:"" + +PBES2 Decrypt (bad, PBKDF2 params explicit prf_alg overlong) +depends_on:POLARSSL_SHA1_C:POLARSSL_DES_C +pkcs5_pbes2:ASN1_CONSTRUCTED | ASN1_SEQUENCE:"301D06092A864886F70D01050C301004082ED7F24A1D516DD7020208003001":"":"":POLARSSL_ERR_PKCS5_INVALID_FORMAT + POLARSSL_ERR_ASN1_OUT_OF_DATA:"" + +PBES2 Decrypt (bad, PBKDF2 params explicit prf_alg != HMAC-SHA1) +depends_on:POLARSSL_SHA1_C:POLARSSL_DES_C +pkcs5_pbes2:ASN1_CONSTRUCTED | ASN1_SEQUENCE:"302706092A864886F70D01050C301A04082ED7F24A1D516DD702020800300A06082A864886F70D0208":"":"":POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE:"" + +PBES2 Decrypt (bad, PBKDF2 params extra data) 
+depends_on:POLARSSL_SHA1_C:POLARSSL_DES_C +pkcs5_pbes2:ASN1_CONSTRUCTED | ASN1_SEQUENCE:"302806092A864886F70D01050C301B04082ED7F24A1D516DD702020800300A06082A864886F70D020700":"":"":POLARSSL_ERR_PKCS5_INVALID_FORMAT + POLARSSL_ERR_ASN1_LENGTH_MISMATCH:"" + +PBES2 Decrypt (bad enc_scheme_alg: not a sequence) +depends_on:POLARSSL_SHA1_C:POLARSSL_DES_C +pkcs5_pbes2:ASN1_CONSTRUCTED | ASN1_SEQUENCE:"301B06092A864886F70D01050C300E04082ED7F24A1D516DD7020208003100":"":"":POLARSSL_ERR_PKCS5_INVALID_FORMAT + POLARSSL_ERR_ASN1_UNEXPECTED_TAG:"" + +PBES2 Decrypt (bad enc_scheme_alg: overlong) +depends_on:POLARSSL_SHA1_C:POLARSSL_DES_C +pkcs5_pbes2:ASN1_CONSTRUCTED | ASN1_SEQUENCE:"301B06092A864886F70D01050C300E04082ED7F24A1D516DD7020208003001":"":"":POLARSSL_ERR_PKCS5_INVALID_FORMAT + POLARSSL_ERR_ASN1_OUT_OF_DATA:"" + +PBES2 Decrypt (bad enc_scheme_alg: unkown oid) +depends_on:POLARSSL_SHA1_C:POLARSSL_DES_C +pkcs5_pbes2:ASN1_CONSTRUCTED | ASN1_SEQUENCE:"301B06092A864886F70D01050C300E04082ED7F24A1D516DD702020800300A06082A864886F70D03FF":"":"":POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE:"" + +PBES2 Decrypt (bad enc_scheme_alg params: not an octet string) +depends_on:POLARSSL_SHA1_C:POLARSSL_DES_C +pkcs5_pbes2:ASN1_CONSTRUCTED | ASN1_SEQUENCE:"301B06092A864886F70D01050C300E04082ED7F24A1D516DD702020800300C06082A864886F70D03070500":"":"":POLARSSL_ERR_PKCS5_INVALID_FORMAT:"" + +PBES2 Decrypt (bad enc_scheme_alg params: overlong) +depends_on:POLARSSL_SHA1_C:POLARSSL_DES_C +pkcs5_pbes2:ASN1_CONSTRUCTED | ASN1_SEQUENCE:"301B06092A864886F70D01050C300E04082ED7F24A1D516DD702020800300C06082A864886F70D03070401":"":"":POLARSSL_ERR_PKCS5_INVALID_FORMAT + POLARSSL_ERR_ASN1_OUT_OF_DATA:"" + +PBES2 Decrypt (bad enc_scheme_alg params: len != iv_len) +depends_on:POLARSSL_SHA1_C:POLARSSL_DES_C +pkcs5_pbes2:ASN1_CONSTRUCTED | ASN1_SEQUENCE:"301B06092A864886F70D01050C300E04082ED7F24A1D516DD702020800301306082A864886F70D030704078A4FCC9DCC3949":"":"":POLARSSL_ERR_PKCS5_INVALID_FORMAT:"" + +PBES2 Decrypt 
(bad password) +depends_on:POLARSSL_SHA1_C:POLARSSL_DES_C +pkcs5_pbes2:ASN1_CONSTRUCTED | ASN1_SEQUENCE:"301B06092A864886F70D01050C300E04082ED7F24A1D516DD702020800301406082A864886F70D030704088A4FCC9DCC394910":"F0617373776f7264":"1B60098D4834CA752D37B430E70B7A085CFF86E21F4849F969DD1DF623342662443F8BD1252BF83CEF6917551B08EF55A69C8F2BFFC93BCB2DFE2E354DA28F896D1BD1BFB972A1251219A6EC7183B0A4CF2C4998449ED786CAE2138437289EB2203974000C38619DA57A4E685D29649284602BD1806131772DA11A682674DC22B2CF109128DDB7FD980E1C5741FC0DB7":POLARSSL_ERR_PKCS5_PASSWORD_MISMATCH:"308187020100301306072A8648CE3D020106082A8648CE3D030107046D306B0201010420F12A1320760270A83CBFFD53F6031EF76A5D86C8A204F2C30CA9EBF51F0F0EA7A1440342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFF060606060606" + +PBES2 Decrypt (bad iter value) +depends_on:POLARSSL_SHA1_C:POLARSSL_DES_C +pkcs5_pbes2:ASN1_CONSTRUCTED | ASN1_SEQUENCE:"301B06092A864886F70D01050C300E04082ED7F24A1D516DD702020801301406082A864886F70D030704088A4FCC9DCC394910":"70617373776f7264":"1B60098D4834CA752D37B430E70B7A085CFF86E21F4849F969DD1DF623342662443F8BD1252BF83CEF6917551B08EF55A69C8F2BFFC93BCB2DFE2E354DA28F896D1BD1BFB972A1251219A6EC7183B0A4CF2C4998449ED786CAE2138437289EB2203974000C38619DA57A4E685D29649284602BD1806131772DA11A682674DC22B2CF109128DDB7FD980E1C5741FC0DB7":POLARSSL_ERR_PKCS5_PASSWORD_MISMATCH:"308187020100301306072A8648CE3D020106082A8648CE3D030107046D306B0201010420F12A1320760270A83CBFFD53F6031EF76A5D86C8A204F2C30CA9EBF51F0F0EA7A1440342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFF060606060606" diff --git a/tests/suites/test_suite_pkcs5.function b/tests/suites/test_suite_pkcs5.function index adf7ffc702..5408e67e83 100644 --- a/tests/suites/test_suite_pkcs5.function +++ b/tests/suites/test_suite_pkcs5.function 
@@ -43,3 +43,37 @@ void pbkdf2_hmac( int hash, char *hex_password_string, TEST_ASSERT( strcmp( (char *) dst_str, result_key_string ) == 0 ); } /* END_CASE */ + +/* BEGIN_CASE */ +void pkcs5_pbes2( int params_tag, char *params_hex, char *pw_hex, + char *data_hex, int ref_ret, char *ref_out_hex ) +{ + int my_ret; + asn1_buf params; + unsigned char *my_out, *ref_out, *data, *pw; + size_t ref_out_len, data_len, pw_len; + + params.tag = params_tag; + params.p = unhexify_alloc( params_hex, ¶ms.len ); + + data = unhexify_alloc( data_hex, &data_len ); + pw = unhexify_alloc( pw_hex, &pw_len ); + ref_out = unhexify_alloc( ref_out_hex, &ref_out_len ); + my_out = polarssl_malloc( ref_out_len != 0 ? ref_out_len : 1 ); + TEST_ASSERT( my_out != NULL ); + memset( my_out, 0, ref_out_len ); + + my_ret = pkcs5_pbes2( ¶ms, PKCS5_DECRYPT, + pw, pw_len, data, data_len, my_out ); + TEST_ASSERT( my_ret == ref_ret ); + + if( ref_ret == 0 ) + TEST_ASSERT( memcmp( my_out, ref_out, ref_out_len ) == 0 ); + + polarssl_free( params.p ); + polarssl_free( data ); + polarssl_free( pw ); + polarssl_free( ref_out ); + polarssl_free( my_out ); +} +/* END_CASE */ From 90dac90f5333ce810312692fc06b26dcf834b8d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 12 Jun 2014 17:04:24 +0200 Subject: [PATCH 04/19] Small code simplification in pkcs5_pbes2() --- library/pkcs5.c | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/library/pkcs5.c b/library/pkcs5.c index 061f4738e8..a4b92384ef 100644 --- a/library/pkcs5.c +++ b/library/pkcs5.c 
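Review bot: `my_out` is sized from the expected plaintext (`ref_out_len`, or 1 byte when `ref_out_hex` is empty), but the amount `pkcs5_pbes2()` writes into it is governed by `data_len`, so a vector whose `data_hex` is longer than `ref_out_hex` would overflow the heap buffer inside the test harness. The vectors added in this commit appear to keep the two lengths equal or leave `data_hex` empty, which hides the problem. Sizing from the input is safer: `my_out = polarssl_malloc( data_len != 0 ? data_len : 1 );` with the `memset` length changed to match and `TEST_ASSERT( ref_out_len <= data_len );` before the `memcmp`. Add a cipher block of slack if the cipher layer can write past the input length, which is not visible here. The four `unhexify_alloc()` results are also used without a NULL check, unless that helper asserts internally.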
@@ -204,19 +204,8 @@ int pkcs5_pbes2( asn1_buf *pbe_params, int mode, if( ( ret = cipher_setkey( &cipher_ctx, key, 8 * keylen, mode ) ) != 0 ) goto exit; - if( ( ret = cipher_set_iv( &cipher_ctx, iv, enc_scheme_params.len ) ) != 0 ) - goto exit; - - if( ( ret = cipher_reset( &cipher_ctx ) ) != 0 ) - goto exit; - - if( ( ret = cipher_update( &cipher_ctx, data, datalen, - output, &olen ) ) != 0 ) - { - goto exit; - } - - if( ( ret = cipher_finish( &cipher_ctx, output + olen, &olen ) ) != 0 ) + if( ( ret = cipher_crypt( &cipher_ctx, iv, enc_scheme_params.len, + data, datalen, output, &olen ) ) != 0 ) ret = POLARSSL_ERR_PKCS5_PASSWORD_MISMATCH; exit: From edc3ab20e2180bfcdc717fcac869069067ee6b74 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 12 Jun 2014 17:08:27 +0200 Subject: [PATCH 05/19] Small cleanup: less side-effects pkcs5_parse_pbkdf2_params() used to modify params.p, which does not look clean, even if the function is static and params.p isn't use afterwards. --- library/pkcs5.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/library/pkcs5.c b/library/pkcs5.c index a4b92384ef..3f94d50eef 100644 --- a/library/pkcs5.c +++ b/library/pkcs5.c @@ -52,13 +52,13 @@ #define polarssl_printf printf #endif -static int pkcs5_parse_pbkdf2_params( asn1_buf *params, +static int pkcs5_parse_pbkdf2_params( const asn1_buf *params, asn1_buf *salt, int *iterations, int *keylen, md_type_t *md_type ) { int ret; asn1_buf prf_alg_oid; - unsigned char **p = ¶ms->p; + unsigned char *p = params->p; const unsigned char *end = params->p + params->len; if( params->tag != ( ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) 
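Review bot: With the single `cipher_crypt()` call, every failure is rewritten to `POLARSSL_ERR_PKCS5_PASSWORD_MISMATCH`, whereas the removed code returned the original error from `cipher_set_iv()`, `cipher_reset()` and `cipher_update()` and only remapped a `cipher_finish()` failure. A caller can now be told "wrong password" for what is really a bad IV length or another cipher-layer error, which makes malformed input harder to diagnose. If a padding failure is the only case meant to signal a wrong password, narrowing the remap keeps the distinction: `if( ret == POLARSSL_ERR_CIPHER_INVALID_PADDING ) ret = POLARSSL_ERR_PKCS5_PASSWORD_MISMATCH;`. The body of `pkcs5_pbes2()` starts and ends outside this hunk.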
@@ -73,28 +73,28 @@ static int pkcs5_parse_pbkdf2_params( asn1_buf *params, * } * */ - if( ( ret = asn1_get_tag( p, end, &salt->len, ASN1_OCTET_STRING ) ) != 0 ) + if( ( ret = asn1_get_tag( &p, end, &salt->len, ASN1_OCTET_STRING ) ) != 0 ) return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret ); - salt->p = *p; - *p += salt->len; + salt->p = p; + p += salt->len; - if( ( ret = asn1_get_int( p, end, iterations ) ) != 0 ) + if( ( ret = asn1_get_int( &p, end, iterations ) ) != 0 ) return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret ); - if( *p == end ) + if( p == end ) return( 0 ); - if( ( ret = asn1_get_int( p, end, keylen ) ) != 0 ) + if( ( ret = asn1_get_int( &p, end, keylen ) ) != 0 ) { if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret ); } - if( *p == end ) + if( p == end ) return( 0 ); - if( ( ret = asn1_get_alg_null( p, end, &prf_alg_oid ) ) != 0 ) + if( ( ret = asn1_get_alg_null( &p, end, &prf_alg_oid ) ) != 0 ) return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret ); if( !OID_CMP( OID_HMAC_SHA1, &prf_alg_oid ) ) @@ -102,7 +102,7 @@ static int pkcs5_parse_pbkdf2_params( asn1_buf *params, *md_type = POLARSSL_MD_SHA1; - if( *p != end ) + if( p != end ) return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); From 53c6e96ce7c20385d3731af95f2a867b5c4de106 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 13 Jun 2014 12:22:07 +0200 Subject: [PATCH 06/19] Force lcov to notice files not covered at all --- CMakeLists.txt | 10 ++++------ Makefile | 10 ++++------ 2 files changed, 8 insertions(+), 12 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index af268e707a..c1246c935c 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
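Review bot: `iterations` is taken straight from `asn1_get_int( &p, end, iterations )` and handed back to the caller with no range check, in both the old and the new lines of this hunk. The value comes from the parameters stored alongside the encrypted data, so if `pkcs5_pbes2()` passes it unchanged to the PBKDF2 loop (not visible here), untrusted input decides how much key-derivation work is done, and a zero count would be accepted as well. Consider rejecting non-positive counts right after the parse, `if( *iterations <= 0 ) return( POLARSSL_ERR_PKCS5_INVALID_FORMAT );`, and documenting or enforcing an upper bound that suits the deployment. The function's opening lines are in the previous hunk and its tail is in the next one.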
@@ -85,9 +85,6 @@ if(ENABLE_TESTING) COMMAND tests/scripts/test-ref-configs.pl ) - # add programs/test/selftest even though the selftest functions are - # called from the testsuites since it runs them in verbose mode, - # avoiding spurious "uncovered" printf lines ADD_CUSTOM_TARGET(covtest COMMAND make test COMMAND programs/test/selftest @@ -97,10 +94,11 @@ if(ENABLE_TESTING) ADD_CUSTOM_TARGET(lcov COMMAND rm -rf Coverage - COMMAND lcov --capture --directory library/CMakeFiles/polarssl.dir -o polarssl.info + COMMAND lcov --capture --initial --directory library/CMakeFiles/polarssl.dir -o files.info + COMMAND lcov --capture --directory library/CMakeFiles/polarssl.dir -o tests.info COMMAND gendesc tests/Descriptions.txt -o descriptions - COMMAND genhtml --title PolarSSL --description-file descriptions --keep-descriptions --legend --no-branch-coverage -o Coverage polarssl.info - COMMAND rm -f polarssl.info descriptions + COMMAND genhtml --title PolarSSL --description-file descriptions --keep-descriptions --legend --no-branch-coverage -o Coverage files.info tests.info + COMMAND rm -f files.info tests.info descriptions ) ADD_CUSTOM_TARGET(memcheck diff --git a/Makefile b/Makefile index ec09f9cca8..1ec10f2d42 100644 --- a/Makefile +++ b/Makefile 
@@ -60,19 +60,17 @@ test-ref-configs: # CFLAGS='--coverage' make OFLAGS='-g3 -O0' covtest: make check - # add programs/test/selftest even though the selftest functions are - # called from the testsuites since it runs them in verbose mode, - # avoiding spurious "uncovered" printf lines programs/test/selftest ( cd tests && ./compat.sh ) ( cd tests && ./ssl-opt.sh ) lcov: rm -rf Coverage - lcov --capture --directory library -o polarssl.info + lcov --capture --initial --directory library -o files.info + lcov --capture --directory library -o tests.info gendesc tests/Descriptions.txt -o descriptions - genhtml --title PolarSSL --description-file descriptions --keep-descriptions --legend --no-branch-coverage -o Coverage polarssl.info - rm -f polarssl.info descriptions + genhtml --title PolarSSL --description-file descriptions --keep-descriptions --legend --no-branch-coverage -o Coverage files.info tests.info + rm -f files.info tests.info descriptions apidoc: mkdir -p apidoc From 1c082f34f33538b06429e9a66f1fa642b26eef99 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 12 Jun 2014 22:34:55 +0200 Subject: [PATCH 07/19] Update description and references for X.509 files --- library/x509.c | 9 ++++----- library/x509_crl.c | 9 ++++----- library/x509_crt.c | 9 ++++----- library/x509_csr.c | 7 +++---- 4 files changed, 15 insertions(+), 19 deletions(-) diff --git a/library/x509.c b/library/x509.c index 4c54b5b00d..17c7a7db04 100644 --- a/library/x509.c +++ b/library/x509.c @@ -1,5 +1,5 @@ /* - * X.509 certificate and private key decoding + * X.509 common functions for parsing and verification * * Copyright (C) 2006-2014, Brainspark B.V. * 
@@ -25,10 +25,9 @@ /* * The ITU-T X.509 standard defines a certificate format for PKI. * - * http://www.ietf.org/rfc/rfc3279.txt - * http://www.ietf.org/rfc/rfc3280.txt - * - * ftp://ftp.rsasecurity.com/pub/pkcs/ascii/pkcs-1v2.asc + * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs) + * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs) + * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10) * * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf diff --git a/library/x509_crl.c b/library/x509_crl.c index 7f8600dbf1..7dd53c2f60 100644 --- a/library/x509_crl.c +++ b/library/x509_crl.c @@ -1,5 +1,5 @@ /* - * X.509 certificate and private key decoding + * X.509 Certidicate Revocation List (CRL) parsing * * Copyright (C) 2006-2014, Brainspark B.V. * @@ -25,10 +25,9 @@ /* * The ITU-T X.509 standard defines a certificate format for PKI. * - * http://www.ietf.org/rfc/rfc3279.txt - * http://www.ietf.org/rfc/rfc3280.txt - * - * ftp://ftp.rsasecurity.com/pub/pkcs/ascii/pkcs-1v2.asc + * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs) + * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs) + * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10) * * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf diff --git a/library/x509_crt.c b/library/x509_crt.c index 50f92e6ad8..c5f7f70ffd 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -1,5 +1,5 @@ /* - * X.509 certificate and private key decoding + * X.509 certificate parsing and verification * * Copyright (C) 2006-2014, Brainspark B.V. * 
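Review bot: The new file description in `library/x509_crl.c` misspells "Certificate": `* X.509 Certidicate Revocation List (CRL) parsing` should read `* X.509 Certificate Revocation List (CRL) parsing`. The same commit changes only the reference list in `library/x509_csr.c`. Whether that file's first-line description also needed the update given to x509.c, x509_crl.c and x509_crt.c cannot be seen from these hunks.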
@@ -25,10 +25,9 @@ /* * The ITU-T X.509 standard defines a certificate format for PKI. * - * http://www.ietf.org/rfc/rfc3279.txt - * http://www.ietf.org/rfc/rfc3280.txt - * - * ftp://ftp.rsasecurity.com/pub/pkcs/ascii/pkcs-1v2.asc + * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs) + * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs) + * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10) * * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf diff --git a/library/x509_csr.c b/library/x509_csr.c index f6d268be2b..eee6e724e8 100644 --- a/library/x509_csr.c +++ b/library/x509_csr.c @@ -25,10 +25,9 @@ /* * The ITU-T X.509 standard defines a certificate format for PKI. * - * http://www.ietf.org/rfc/rfc3279.txt - * http://www.ietf.org/rfc/rfc3280.txt - * - * ftp://ftp.rsasecurity.com/pub/pkcs/ascii/pkcs-1v2.asc + * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs) + * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs) + * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10) * * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf From d77cd5d0c34b1f5b8980705cc286dc10e6cb94b0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 13 Jun 2014 11:13:15 +0200 Subject: [PATCH 08/19] Add tests for x509_csr_parse --- include/polarssl/x509_csr.h | 4 +- tests/suites/test_suite_x509parse.data | 77 ++++++++++++++++++++++ tests/suites/test_suite_x509parse.function | 28 ++++++++ 3 files changed, 107 insertions(+), 2 deletions(-) diff --git a/include/polarssl/x509_csr.h b/include/polarssl/x509_csr.h index 4328598f36..deac88fde2 100644 --- a/include/polarssl/x509_csr.h +++ b/include/polarssl/x509_csr.h 
@@ -116,8 +116,8 @@ int x509_csr_parse_file( x509_csr *csr, const char *path ); * \param prefix A line prefix * \param csr The X509 CSR to represent * - * \return The amount of data written to the buffer, or -1 in - * case of an error. + * \return The length of the string written (exluding the terminating + * null byte), or a negative value in case of an error. */ int x509_csr_info( char *buf, size_t size, const char *prefix, const x509_csr *csr ); diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index ba92716a56..54ef202bf1 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
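Review bot: The reworded `\return` text for `x509_csr_info()` has a typo, `exluding` for `excluding`. It would also help callers to state what happens when `size` is too small for the full text, i.e. whether the output is truncated or a negative value is returned. That is not stated here and the implementation is not part of this hunk. Suggested wording for the part that is known: `\return The length of the string written (excluding the terminating null byte), or a negative value in case of an error.`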
@@ -1165,3 +1165,80 @@ x509_parse_rsassa_pss_params:"A3023000":ASN1_CONSTRUCTED | ASN1_SEQUENCE:POLARSS X509 RSASSA-PSS parameters ASN1 (trailerField not 1) x509_parse_rsassa_pss_params:"A303020102":ASN1_CONSTRUCTED | ASN1_SEQUENCE:POLARSSL_MD_SHA1:POLARSSL_MD_SHA1:20:POLARSSL_ERR_X509_INVALID_ALG +X509 CSR ASN.1 (OK) +x509_csr_parse:"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":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n":0 + +X509 CSR ASN.1 (bad first tag) +x509_csr_parse:"3100":"":POLARSSL_ERR_X509_INVALID_FORMAT + +X509 CSR ASN.1 (bad sequence: overlong) +x509_csr_parse:"3001":"":POLARSSL_ERR_X509_INVALID_FORMAT + +X509 CSR ASN.1 (total length mistmatch) +x509_csr_parse:"30010000":"":POLARSSL_ERR_X509_INVALID_FORMAT + POLARSSL_ERR_ASN1_LENGTH_MISMATCH + +X509 CSR ASN.1 (bad CRI: not a sequence) +x509_csr_parse:"30023100":"":POLARSSL_ERR_X509_INVALID_FORMAT + POLARSSL_ERR_ASN1_UNEXPECTED_TAG + +X509 CSR ASN.1 (bad CRI: overlong) +x509_csr_parse:"30023001":"":POLARSSL_ERR_X509_INVALID_FORMAT + POLARSSL_ERR_ASN1_OUT_OF_DATA + +X509 CSR ASN.1 (bad CRI.Version: overlong) +x509_csr_parse:"30053002020100":"":POLARSSL_ERR_X509_INVALID_VERSION + POLARSSL_ERR_ASN1_OUT_OF_DATA + +X509 CSR ASN.1 (bad CRI.Version: not v1) +x509_csr_parse:"30053003020101":"":POLARSSL_ERR_X509_UNKNOWN_VERSION + +X509 CSR ASN.1 (bad CRI.Name: not a sequence) +x509_csr_parse:"300730050201003100":"":POLARSSL_ERR_X509_INVALID_FORMAT + POLARSSL_ERR_ASN1_UNEXPECTED_TAG + +X509 CSR ASN.1 (bad CRI.Name: overlong) +x509_csr_parse:"30083005020100300100":"":POLARSSL_ERR_X509_INVALID_FORMAT + POLARSSL_ERR_ASN1_OUT_OF_DATA + +X509 CSR ASN.1 (bad CRI.Name payload: not a set) +x509_csr_parse:"3009300702010030023000":"":POLARSSL_ERR_X509_INVALID_NAME + POLARSSL_ERR_ASN1_UNEXPECTED_TAG + +X509 CSR ASN.1 (bad CRI.Name payload: overlong) +x509_csr_parse:"300A30080201003002310100":"":POLARSSL_ERR_X509_INVALID_NAME + 
POLARSSL_ERR_ASN1_OUT_OF_DATA + +X509 CSR ASN.1 (bad SubjectPublicKeyInfo: missing) +x509_csr_parse:"30143012020100300D310B3009060355040613024E4C":"":POLARSSL_ERR_PK_KEY_INVALID_FORMAT + POLARSSL_ERR_ASN1_OUT_OF_DATA + +X509 CSR ASN.1 (bad SubjectPublicKeyInfo: not a sequence) +x509_csr_parse:"30163014020100300D310B3009060355040613024E4C3100":"":POLARSSL_ERR_PK_KEY_INVALID_FORMAT + POLARSSL_ERR_ASN1_UNEXPECTED_TAG + +X509 CSR ASN.1 (bad SubjectPublicKeyInfo: overlong) +x509_csr_parse:"30173014020100300D310B3009060355040613024E4C300100":"":POLARSSL_ERR_PK_KEY_INVALID_FORMAT + POLARSSL_ERR_ASN1_OUT_OF_DATA + +X509 CSR ASN.1 (bad attributes: missing) +x509_csr_parse:"3081973081940201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFF":"":POLARSSL_ERR_X509_INVALID_FORMAT + POLARSSL_ERR_ASN1_OUT_OF_DATA + +X509 CSR ASN.1 (bad attributes: bad tag) +x509_csr_parse:"3081993081960201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFF0500":"":POLARSSL_ERR_X509_INVALID_FORMAT + POLARSSL_ERR_ASN1_UNEXPECTED_TAG + +X509 CSR ASN.1 (bad attributes: overlong) +x509_csr_parse:"30819A3081960201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA00100":"":POLARSSL_ERR_X509_INVALID_FORMAT + POLARSSL_ERR_ASN1_OUT_OF_DATA + +X509 CSR ASN.1 (bad sigAlg: missing) 
+x509_csr_parse:"3081C23081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E0":"":POLARSSL_ERR_X509_INVALID_ALG + POLARSSL_ERR_ASN1_OUT_OF_DATA + +X509 CSR ASN.1 (bad sigAlg: not a sequence) +x509_csr_parse:"3081C43081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E03100":"":POLARSSL_ERR_X509_INVALID_ALG + POLARSSL_ERR_ASN1_UNEXPECTED_TAG + +X509 CSR ASN.1 (bad sigAlg: overlong) +x509_csr_parse:"3081C43081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E03001":"":POLARSSL_ERR_X509_INVALID_ALG + POLARSSL_ERR_ASN1_OUT_OF_DATA + +X509 CSR ASN.1 (bad sigAlg: unknown) 
+x509_csr_parse:"3081CD3081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E0300906072A8648CE3D04FF":"":POLARSSL_ERR_X509_UNKNOWN_SIG_ALG + +X509 CSR ASN.1 (bad sig: missing) +x509_csr_parse:"3081CD3081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E0300906072A8648CE3D0401":"":POLARSSL_ERR_X509_INVALID_SIGNATURE + POLARSSL_ERR_ASN1_OUT_OF_DATA + +X509 CSR ASN.1 (bad sig: not a bit string) +x509_csr_parse:"3081CF3081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E0300906072A8648CE3D04010400":"":POLARSSL_ERR_X509_INVALID_SIGNATURE + POLARSSL_ERR_ASN1_UNEXPECTED_TAG + +X509 CSR ASN.1 (bad sig: overlong) 
+x509_csr_parse:"3081CF3081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E0300906072A8648CE3D04010301":"":POLARSSL_ERR_X509_INVALID_SIGNATURE + POLARSSL_ERR_ASN1_OUT_OF_DATA + +X509 CSR ASN.1 (extra data after signature) +x509_csr_parse:"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":"":POLARSSL_ERR_X509_INVALID_FORMAT + POLARSSL_ERR_ASN1_LENGTH_MISMATCH diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index 5c4c29e597..8f496b0534 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -267,6 +267,34 @@ void x509parse_crl( char *crl_data, char *result_str, int result ) } /* END_CASE */ +/* BEGIN_CASE depends_on:POLARSSL_X509_CSR_PARSE_C */ +void x509_csr_parse( char *csr_der_hex, char *ref_out, int ref_ret ) +{ + x509_csr csr; + unsigned char *csr_der; + char my_out[1000]; + size_t csr_der_len; + int my_ret; + + x509_csr_init( &csr ); + memset( my_out, 0, sizeof( my_out ) ); + csr_der = unhexify_alloc( csr_der_hex, &csr_der_len ); + + my_ret = x509_csr_parse( &csr, csr_der, csr_der_len ); + TEST_ASSERT( my_ret == ref_ret ); + + if( ref_ret == 0 ) + { + size_t my_out_len = x509_csr_info( my_out, sizeof( my_out ), "", &csr ); + TEST_ASSERT( my_out_len == strlen( ref_out ) ); + TEST_ASSERT( strcmp( my_out, ref_out ) == 0 ); + } + + x509_csr_free( &csr ); + polarssl_free( csr_der ); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRT_PARSE_C */ void x509_crt_parse_path( char *crt_path, int ret, int nb_crt ) { From 255fe4b10e87bec6b17fdfde1894956491cc0a3c Mon Sep 17 00:00:00 2001 
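Review bot: In the added `x509_csr_parse()` test case the `int` result of `x509_csr_info()` is stored in a `size_t`, so a negative error code becomes a very large length instead of being recognised as a failure. The header change in this same patch documents a negative return on error, so keep the value signed and check it first: `int my_out_len = x509_csr_info( my_out, sizeof( my_out ), "", &csr );` followed by `TEST_ASSERT( my_out_len >= 0 && (size_t) my_out_len == strlen( ref_out ) );`. Separately, if `TEST_ASSERT` returns from the function on failure (its definition is not on this page), `csr` and `csr_der` are not released on the failing paths.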
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 13 Jun 2014 13:53:42 +0200 Subject: [PATCH 09/19] Add tests for Blowfish-ECB via the cipher layer --- tests/suites/test_suite_cipher.blowfish.data | 24 ++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/tests/suites/test_suite_cipher.blowfish.data b/tests/suites/test_suite_cipher.blowfish.data index de20521d11..f9cfd36ecc 100644 --- a/tests/suites/test_suite_cipher.blowfish.data +++ b/tests/suites/test_suite_cipher.blowfish.data 
@@ -549,3 +549,27 @@ enc_dec_buf_multipart:POLARSSL_CIPHER_BLOWFISH_CTR:128:17:6: BLOWFISH Encrypt and decrypt 32 bytes in multiple parts 1 depends_on:POLARSSL_BLOWFISH_C:POLARSSL_CIPHER_MODE_CTR enc_dec_buf_multipart:POLARSSL_CIPHER_BLOWFISH_CTR:128:16:16: + +BLOWFISH ECB Encrypt test vector (SSLeay) #1 +depends_on:POLARSSL_BLOWFISH_C +test_vec_ecb:POLARSSL_CIPHER_BLOWFISH_ECB:POLARSSL_ENCRYPT:"00000000000000000000000000000000":"0000000000000000":"4ef997456198dd78":0 + +BLOWFISH ECB Encrypt test vector (SSLeay) #2 +depends_on:POLARSSL_BLOWFISH_C +test_vec_ecb:POLARSSL_CIPHER_BLOWFISH_ECB:POLARSSL_ENCRYPT:"ffffffffffffffffffffffffffffffff":"ffffffffffffffff":"51866fd5b85ecb8a":0 + +BLOWFISH ECB Encrypt test vector (SSLeay) #3 +depends_on:POLARSSL_BLOWFISH_C +test_vec_ecb:POLARSSL_CIPHER_BLOWFISH_ECB:POLARSSL_ENCRYPT:"fedcba9876543210fedcba9876543210":"0123456789abcdef":"0aceab0fc6a0a28d":0 + +BLOWFISH ECB Decrypt test vector (SSLeay) #1 +depends_on:POLARSSL_BLOWFISH_C +test_vec_ecb:POLARSSL_CIPHER_BLOWFISH_ECB:POLARSSL_DECRYPT:"00000000000000000000000000000000":"4ef997456198dd78":"0000000000000000":0 + +BLOWFISH ECB Decrypt test vector (SSLeay) #2 +depends_on:POLARSSL_BLOWFISH_C +test_vec_ecb:POLARSSL_CIPHER_BLOWFISH_ECB:POLARSSL_DECRYPT:"ffffffffffffffffffffffffffffffff":"51866fd5b85ecb8a":"ffffffffffffffff":0 + +BLOWFISH ECB Decrypt test vector (SSLeay) #3 +depends_on:POLARSSL_BLOWFISH_C +test_vec_ecb:POLARSSL_CIPHER_BLOWFISH_ECB:POLARSSL_DECRYPT:"3849674c2602319e3849674c2602319e":"a25e7856cf2651eb":"51454b582ddf440a":0 From 6deaac0e62ae122a318ed37c57ecc378d2c4e204 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 13 Jun 2014 15:02:45 +0200 Subject: [PATCH 10/19] Add tests vectors for (3)DES via cipher layer --- tests/suites/test_suite_cipher.des.data | 40 +++++++++++++++++++++++++ 1 file changed, 40 insertions(+) 
diff --git a/tests/suites/test_suite_cipher.des.data b/tests/suites/test_suite_cipher.des.data index bdc0e125c6..9a923bf686 100644 --- a/tests/suites/test_suite_cipher.des.data +++ b/tests/suites/test_suite_cipher.des.data 
@@ -549,3 +549,43 @@ enc_dec_buf_multipart:POLARSSL_CIPHER_DES_EDE3_CBC:192:17:6: DES3 Encrypt and decrypt 32 bytes in multiple parts 1 depends_on:POLARSSL_DES_C:POLARSSL_CIPHER_MODE_CBC:POLARSSL_CIPHER_PADDING_PKCS7 enc_dec_buf_multipart:POLARSSL_CIPHER_DES_EDE3_CBC:192:16:16: + +DES ECB Encrypt test vector (OpenSSL) #1 +depends_on:POLARSSL_DES_C +test_vec_ecb:POLARSSL_CIPHER_DES_ECB:POLARSSL_ENCRYPT:"0000000000000000":"0000000000000000":"8CA64DE9C1B123A7":0 + +DES ECB Encrypt test vector (OpenSSL) #2 +depends_on:POLARSSL_DES_C +test_vec_ecb:POLARSSL_CIPHER_DES_ECB:POLARSSL_ENCRYPT:"FFFFFFFFFFFFFFFF":"FFFFFFFFFFFFFFFF":"7359B2163E4EDC58":0 + +DES ECB Encrypt test vector (OpenSSL) #3 +depends_on:POLARSSL_DES_C +test_vec_ecb:POLARSSL_CIPHER_DES_ECB:POLARSSL_ENCRYPT:"FEDCBA9876543210":"0123456789ABCDEF":"ED39D950FA74BCC4":0 + +DES ECB Decrypt test vector (OpenSSL) #1 +depends_on:POLARSSL_DES_C +test_vec_ecb:POLARSSL_CIPHER_DES_ECB:POLARSSL_DECRYPT:"0000000000000000":"8CA64DE9C1B123A7":"0000000000000000":0 + +DES ECB Decrypt test vector (OpenSSL) #2 +depends_on:POLARSSL_DES_C +test_vec_ecb:POLARSSL_CIPHER_DES_ECB:POLARSSL_DECRYPT:"FFFFFFFFFFFFFFFF":"7359B2163E4EDC58":"FFFFFFFFFFFFFFFF":0 + +DES ECB Decrypt test vector (OpenSSL) #3 +depends_on:POLARSSL_DES_C +test_vec_ecb:POLARSSL_CIPHER_DES_ECB:POLARSSL_DECRYPT:"43297FAD38E373FE":"EA676B2CB7DB2B7A":"762514B829BF486A":0 + +DES3-EDE ECB Encrypt test vector (OpenSSL) #1 +depends_on:POLARSSL_DES_C +test_vec_ecb:POLARSSL_CIPHER_DES_EDE_ECB:POLARSSL_ENCRYPT:"0000000000000000FFFFFFFFFFFFFFFF":"0000000000000000":"9295B59BB384736E":0 + +DES3-EDE ECB Encrypt test vector (OpenSSL) #2 +depends_on:POLARSSL_DES_C +test_vec_ecb:POLARSSL_CIPHER_DES_EDE_ECB:POLARSSL_ENCRYPT:"FFFFFFFFFFFFFFFF3000000000000000":"FFFFFFFFFFFFFFFF":"199E9D6DF39AA816":0 + +DES3-EDE ECB Decrypt test vector (OpenSSL) #1 +depends_on:POLARSSL_DES_C 
+test_vec_ecb:POLARSSL_CIPHER_DES_EDE_ECB:POLARSSL_DECRYPT:"0000000000000000FFFFFFFFFFFFFFFF":"9295B59BB384736E":"0000000000000000":0 + +DES3-EDE ECB Decrypt test vector (OpenSSL) #2 +depends_on:POLARSSL_DES_C +test_vec_ecb:POLARSSL_CIPHER_DES_EDE_ECB:POLARSSL_DECRYPT:"FFFFFFFFFFFFFFFF3000000000000000":"199E9D6DF39AA816":"FFFFFFFFFFFFFFFF":0 From b9126160818a53147e53cb356b49a537eb4459ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 13 Jun 2014 15:06:59 +0200 Subject: [PATCH 11/19] Rm unused functions in cipher_wrap You can't initialise a context with DES_CFB or DES_CTR. --- library/cipher_wrap.c | 42 ++++++------------------------------------ 1 file changed, 6 insertions(+), 36 deletions(-) diff --git a/library/cipher_wrap.c b/library/cipher_wrap.c index efc4d44362..3492cce69b 100644 --- a/library/cipher_wrap.c +++ b/library/cipher_wrap.c @@ -865,36 +865,6 @@ static int des3_crypt_cbc_wrap( void *ctx, operation_t operation, size_t length, #endif /* POLARSSL_CIPHER_MODE_CBC */ } -static int des_crypt_cfb128_wrap( void *ctx, operation_t operation, - size_t length, size_t *iv_off, unsigned char *iv, - const unsigned char *input, unsigned char *output ) -{ - ((void) ctx); - ((void) operation); - ((void) length); - ((void) iv_off); - ((void) iv); - ((void) input); - ((void) output); - - return( POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE ); -} - -static int des_crypt_ctr_wrap( void *ctx, size_t length, size_t *nc_off, - unsigned char *nonce_counter, unsigned char *stream_block, - const unsigned char *input, unsigned char *output ) -{ - ((void) ctx); - ((void) length); - ((void) nc_off); - ((void) nonce_counter); - ((void) stream_block); - ((void) input); - ((void) output); - - return( POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE ); -} - static int des_setkey_dec_wrap( void *ctx, const unsigned char *key, unsigned int key_length ) { 
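Review bot: None of the added vectors selects the three-key variant: they exercise `POLARSSL_CIPHER_DES_ECB` and the two-key `POLARSSL_CIPHER_DES_EDE_ECB` only. Unless it is covered elsewhere in the file, the three-key ECB path through the cipher layer therefore stays untested, although the subject line announces "(3)DES". Adding at least one encrypt/decrypt pair for `POLARSSL_CIPHER_DES_EDE3_ECB`, taken from the same reference source as the others, would close that gap.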
@@ -969,8 +939,8 @@ const cipher_base_t des_info = { POLARSSL_CIPHER_ID_DES, des_crypt_ecb_wrap, des_crypt_cbc_wrap, - des_crypt_cfb128_wrap, - des_crypt_ctr_wrap, + NULL, + NULL, NULL, des_setkey_enc_wrap, des_setkey_dec_wrap, @@ -1006,8 +976,8 @@ const cipher_base_t des_ede_info = { POLARSSL_CIPHER_ID_DES, des3_crypt_ecb_wrap, des3_crypt_cbc_wrap, - des_crypt_cfb128_wrap, - des_crypt_ctr_wrap, + NULL, + NULL, NULL, des3_set2key_enc_wrap, des3_set2key_dec_wrap, @@ -1043,8 +1013,8 @@ const cipher_base_t des_ede3_info = { POLARSSL_CIPHER_ID_DES, des3_crypt_ecb_wrap, des3_crypt_cbc_wrap, - des_crypt_cfb128_wrap, - des_crypt_ctr_wrap, + NULL, + NULL, NULL, des3_set3key_enc_wrap, des3_set3key_dec_wrap, From 5e7693f6ba36a68a20feb5cf55226961eee96360 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 13 Jun 2014 16:08:07 +0200 Subject: [PATCH 12/19] Add tests for bad arguments to cipher functions --- tests/suites/test_suite_cipher.function | 70 +++++++++++++++++++++ tests/suites/test_suite_cipher.padding.data | 3 + 2 files changed, 73 insertions(+) diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index 03be2b818f..09ae2e08a7 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function 
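Review bot: The two `NULL` slots that replace `des_crypt_cfb128_wrap` and `des_crypt_ctr_wrap` in `des_info` trade a stub that returned `POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE` for a null function pointer, and nothing at the table says why that is safe. It holds only while no DES `cipher_info_t` is defined with a CFB or CTR mode, as the commit message states. The dispatching code is not part of this patch, so whether it checks the pointer before calling cannot be confirmed from here. The same applies to the hunks for `des_ede_info` and `des_ede3_info`. Record the invariant at each entry, for example `NULL, /* CFB128: no DES cipher_info_t uses this mode */` and `NULL, /* CTR: no DES cipher_info_t uses this mode */`.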
@@ -21,6 +21,76 @@ void cipher_list( ) } /* END_CASE */ +/* BEGIN_CASE */ +void cipher_null_args( ) +{ + cipher_context_t ctx; + const cipher_info_t *info = cipher_info_from_type( *( cipher_list() ) ); + unsigned char buf[1] = { 0 }; + size_t olen; + + memset( &ctx, 0, sizeof( cipher_context_t ) ); + + TEST_ASSERT( cipher_get_block_size( NULL ) == 0 ); + TEST_ASSERT( cipher_get_block_size( &ctx ) == 0 ); + + TEST_ASSERT( cipher_get_cipher_mode( NULL ) == POLARSSL_MODE_NONE ); + TEST_ASSERT( cipher_get_cipher_mode( &ctx ) == POLARSSL_MODE_NONE ); + + TEST_ASSERT( cipher_get_iv_size( NULL ) == 0 ); + TEST_ASSERT( cipher_get_iv_size( &ctx ) == 0 ); + + TEST_ASSERT( cipher_info_from_string( NULL ) == NULL ); + + TEST_ASSERT( cipher_init_ctx( &ctx, NULL ) + == POLARSSL_ERR_CIPHER_BAD_INPUT_DATA ); + TEST_ASSERT( cipher_init_ctx( NULL, info ) + == POLARSSL_ERR_CIPHER_BAD_INPUT_DATA ); + + TEST_ASSERT( cipher_setkey( NULL, buf, 0, POLARSSL_ENCRYPT ) + == POLARSSL_ERR_CIPHER_BAD_INPUT_DATA ); + TEST_ASSERT( cipher_setkey( &ctx, buf, 0, POLARSSL_ENCRYPT ) + == POLARSSL_ERR_CIPHER_BAD_INPUT_DATA ); + + TEST_ASSERT( cipher_set_iv( NULL, buf, 0 ) + == POLARSSL_ERR_CIPHER_BAD_INPUT_DATA ); + TEST_ASSERT( cipher_set_iv( &ctx, buf, 0 ) + == POLARSSL_ERR_CIPHER_BAD_INPUT_DATA ); + + TEST_ASSERT( cipher_reset( NULL ) == POLARSSL_ERR_CIPHER_BAD_INPUT_DATA ); + TEST_ASSERT( cipher_reset( &ctx ) == POLARSSL_ERR_CIPHER_BAD_INPUT_DATA ); + +#if defined(POLARSSL_CIPHER_MODE_AEAD) + TEST_ASSERT( cipher_update_ad( NULL, buf, 0 ) + == POLARSSL_ERR_CIPHER_BAD_INPUT_DATA ); + TEST_ASSERT( cipher_update_ad( &ctx, buf, 0 ) + == POLARSSL_ERR_CIPHER_BAD_INPUT_DATA ); +#endif + + TEST_ASSERT( cipher_update( NULL, buf, 0, buf, &olen ) + == POLARSSL_ERR_CIPHER_BAD_INPUT_DATA ); + TEST_ASSERT( cipher_update( &ctx, buf, 0, buf, &olen ) + == POLARSSL_ERR_CIPHER_BAD_INPUT_DATA ); + + TEST_ASSERT( cipher_finish( NULL, buf, &olen ) + == POLARSSL_ERR_CIPHER_BAD_INPUT_DATA ); + TEST_ASSERT( cipher_finish( 
&ctx, buf, &olen ) + == POLARSSL_ERR_CIPHER_BAD_INPUT_DATA ); + +#if defined(POLARSSL_CIPHER_MODE_AEAD) + TEST_ASSERT( cipher_write_tag( NULL, buf, olen ) + == POLARSSL_ERR_CIPHER_BAD_INPUT_DATA ); + TEST_ASSERT( cipher_write_tag( &ctx, buf, olen ) + == POLARSSL_ERR_CIPHER_BAD_INPUT_DATA ); + + TEST_ASSERT( cipher_check_tag( NULL, buf, olen ) + == POLARSSL_ERR_CIPHER_BAD_INPUT_DATA ); + TEST_ASSERT( cipher_check_tag( &ctx, buf, olen ) + == POLARSSL_ERR_CIPHER_BAD_INPUT_DATA ); +#endif +} +/* END_CASE */ + /* BEGIN_CASE */ void enc_dec_buf( int cipher_id, char *cipher_string, int key_len, int length_val, int pad_mode ) diff --git a/tests/suites/test_suite_cipher.padding.data b/tests/suites/test_suite_cipher.padding.data index 702c88ff7f..9b5f290dda 100644 --- a/tests/suites/test_suite_cipher.padding.data +++ b/tests/suites/test_suite_cipher.padding.data @@ -1,6 +1,9 @@ Cipher list cipher_list: +Cipher null/uninitialised arguments +cipher_null_args: + Set padding with AES-CBC depends_on:POLARSSL_AES_C:POLARSSL_CIPHER_MODE_CBC:POLARSSL_CIPHER_PADDING_PKCS7 set_padding:POLARSSL_CIPHER_AES_128_CBC:POLARSSL_PADDING_PKCS7:0 From b25f81665fea4d53145ba8f6a015bccfdb44324f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 13 Jun 2014 16:34:30 +0200 Subject: [PATCH 13/19] Add test for bad arguments to MD functions --- tests/suites/test_suite_md.data | 3 ++ tests/suites/test_suite_md.function | 57 +++++++++++++++++++++++++++++ 2 files changed, 60 insertions(+) diff --git a/tests/suites/test_suite_md.data b/tests/suites/test_suite_md.data index bd25a53538..85be7df0bd 100644 --- a/tests/suites/test_suite_md.data +++ b/tests/suites/test_suite_md.data @@ -1,6 +1,9 @@ MD process md_process: +MD NULL/uninitialised arguments +md_null_args: + Information on MD2 depends_on:POLARSSL_MD2_C md_info:POLARSSL_MD_MD2:"MD2":16 diff --git a/tests/suites/test_suite_md.function b/tests/suites/test_suite_md.function index 74c5a66815..9f064434c3 100644 
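Review bot: `size_t olen;` in `cipher_null_args()` is never initialised, yet under `POLARSSL_CIPHER_MODE_AEAD` it is passed by value to `cipher_write_tag()` and `cipher_check_tag()`. Every earlier call that receives `&olen` is expected to fail with `POLARSSL_ERR_CIPHER_BAD_INPUT_DATA`, so unless those failing calls happen to store to it, the test reads an indeterminate value, which is undefined behaviour and appears as noise under valgrind. Declare it as `size_t olen = 0;`. It would also help to add `TEST_ASSERT( info != NULL );` after the `cipher_info_from_type()` call, since otherwise `cipher_init_ctx( NULL, info )` cannot show which null argument was rejected.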
--- a/tests/suites/test_suite_md.function +++ b/tests/suites/test_suite_md.function 
@@ -36,6 +36,63 @@ void md_process( ) } /* END_CASE */ +/* BEGIN_CASE */ +void md_null_args( ) +{ + md_context_t ctx; + const md_info_t *info = md_info_from_type( *( md_list() ) ); + unsigned char buf[1] = { 0 }; + + memset( &ctx, 0, sizeof( md_context_t ) ); + + TEST_ASSERT( md_get_size( NULL ) == 0 ); + + TEST_ASSERT( md_get_type( NULL ) == POLARSSL_MD_NONE ); + + TEST_ASSERT( md_info_from_string( NULL ) == NULL ); + + TEST_ASSERT( md_init_ctx( &ctx, NULL ) == POLARSSL_ERR_MD_BAD_INPUT_DATA ); + TEST_ASSERT( md_init_ctx( NULL, info ) == POLARSSL_ERR_MD_BAD_INPUT_DATA ); + + TEST_ASSERT( md_starts( NULL ) == POLARSSL_ERR_MD_BAD_INPUT_DATA ); + TEST_ASSERT( md_starts( &ctx ) == POLARSSL_ERR_MD_BAD_INPUT_DATA ); + + TEST_ASSERT( md_update( NULL, buf, 1 ) == POLARSSL_ERR_MD_BAD_INPUT_DATA ); + TEST_ASSERT( md_update( &ctx, buf, 1 ) == POLARSSL_ERR_MD_BAD_INPUT_DATA ); + + TEST_ASSERT( md_finish( NULL, buf ) == POLARSSL_ERR_MD_BAD_INPUT_DATA ); + TEST_ASSERT( md_finish( &ctx, buf ) == POLARSSL_ERR_MD_BAD_INPUT_DATA ); + + TEST_ASSERT( md( NULL, buf, 1, buf ) == POLARSSL_ERR_MD_BAD_INPUT_DATA ); + + TEST_ASSERT( md_file( NULL, "", buf ) == POLARSSL_ERR_MD_BAD_INPUT_DATA ); + + TEST_ASSERT( md_hmac_starts( NULL, buf, 1 ) + == POLARSSL_ERR_MD_BAD_INPUT_DATA ); + TEST_ASSERT( md_hmac_starts( &ctx, buf, 1 ) + == POLARSSL_ERR_MD_BAD_INPUT_DATA ); + + TEST_ASSERT( md_hmac_update( NULL, buf, 1 ) + == POLARSSL_ERR_MD_BAD_INPUT_DATA ); + TEST_ASSERT( md_hmac_update( &ctx, buf, 1 ) + == POLARSSL_ERR_MD_BAD_INPUT_DATA ); + + TEST_ASSERT( md_hmac_finish( NULL, buf ) + == POLARSSL_ERR_MD_BAD_INPUT_DATA ); + TEST_ASSERT( md_hmac_finish( &ctx, buf ) + == POLARSSL_ERR_MD_BAD_INPUT_DATA ); + + TEST_ASSERT( md_hmac_reset( NULL ) == POLARSSL_ERR_MD_BAD_INPUT_DATA ); + TEST_ASSERT( md_hmac_reset( &ctx ) == POLARSSL_ERR_MD_BAD_INPUT_DATA ); + + TEST_ASSERT( md_hmac( NULL, buf, 1, buf, 1, buf ) + == POLARSSL_ERR_MD_BAD_INPUT_DATA ); + + TEST_ASSERT( md_process( NULL, buf ) == 
POLARSSL_ERR_MD_BAD_INPUT_DATA ); + TEST_ASSERT( md_process( &ctx, buf ) == POLARSSL_ERR_MD_BAD_INPUT_DATA ); +} +/* END_CASE */ + /* BEGIN_CASE */ void md_info( int md_type, char *md_name, int md_size ) { From 4d2a8eb6ffcebcabff63b61d488b9ba3e79e7f6f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 13 Jun 2014 20:33:27 +0200 Subject: [PATCH 14/19] SSL modules now using x509_crt_parse_der() Avoid uselessly trying to decode PEM. --- library/ssl_srv.c | 3 ++- library/ssl_tls.c | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index dfa7e48cd7..7a5f462b3e 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -149,7 +149,8 @@ static int ssl_load_session( ssl_session *session, x509_crt_init( session->peer_cert ); - if( ( ret = x509_crt_parse( session->peer_cert, p, cert_len ) ) != 0 ) + if( ( ret = x509_crt_parse_der( session->peer_cert, + p, cert_len ) ) != 0 ) { x509_crt_free( session->peer_cert ); polarssl_free( session->peer_cert ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 1c5249cd2b..ce6730d530 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -101,8 +101,8 @@ static int ssl_session_copy( ssl_session *dst, const ssl_session *src ) x509_crt_init( dst->peer_cert ); - if( ( ret = x509_crt_parse( dst->peer_cert, src->peer_cert->raw.p, - src->peer_cert->raw.len ) ) != 0 ) + if( ( ret = x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p, + src->peer_cert->raw.len ) ) != 0 ) { polarssl_free( dst->peer_cert ); dst->peer_cert = NULL; From 0dc5e0d80bc8fb9425b7662d5d0898d2779d050e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 13 Jun 2014 21:09:26 +0200 Subject: [PATCH 15/19] Add helper function zero_malloc for tests --- tests/suites/helpers.function | 24 ++++++++++++++++++++++++ tests/suites/test_suite_pkcs5.function | 4 +--- 2 files changed, 25 insertions(+), 3 deletions(-) 
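Review bot: `info` in `md_null_args()` comes from `md_info_from_type( *( md_list() ) )` and is used without a check. In a build where that lookup yields `NULL`, the assertion on `md_init_ctx( NULL, info )` passes without exercising the null-context path on its own. Add `TEST_ASSERT( info != NULL );` right after the `memset()`. If the one-byte `buf` is intentional, so that a missing argument check would surface as an overrun under a memory checker, a comment saying so would make that clear.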
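Review bot: The failure paths after the two `x509_crt_parse_der()` calls are not symmetric. In `ssl_load_session()` (ssl_srv.c) the context lines call `x509_crt_free()` before `polarssl_free()`, while in `ssl_session_copy()` (ssl_tls.c) only `polarssl_free( dst->peer_cert )` is visible. If `x509_crt_parse_der()` can return an error with data still attached to the certificate, the ssl_tls.c path would leak it; its cleanup behaviour is not shown on this page. Either add `x509_crt_free( dst->peer_cert );` before the `polarssl_free()` there, or say in a comment why it is unnecessary. Both functions continue outside their hunks.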
diff --git a/tests/suites/helpers.function b/tests/suites/helpers.function index 2be5dcce44..d656519a14 100644 --- a/tests/suites/helpers.function +++ b/tests/suites/helpers.function @@ -101,12 +101,33 @@ static void hexify(unsigned char *obuf, const unsigned char *ibuf, int len) } } +/** + * Allocate and zeroize a buffer. + * + * If the size if zero, a pointer to a zeroized 1-byte buffer is returned. + * + * For convenience, dies if allocation fails. + */ +static unsigned char *zero_alloc( size_t len ) +{ + void *p; + size_t actual_len = len != 0 ? len : 1; + + assert( ( p = polarssl_malloc( actual_len ) ) != NULL ); + + memset( p, 0x00, actual_len ); + + return( p ); +} + /** * Allocate and fill a buffer from hex data. * * The buffer is sized exactly as needed. This allows to detect buffer * overruns (including overreads) when running the test suite under valgrind. * + * If the size if zero, a pointer to a zeroized 1-byte buffer is returned. + * * For convenience, dies if allocation fails. */ static unsigned char *unhexify_alloc( const char *ibuf, size_t *olen ) @@ -115,6 +136,9 @@ static unsigned char *unhexify_alloc( const char *ibuf, size_t *olen ) *olen = strlen(ibuf) / 2; + if( *olen == 0 ) + return( zero_alloc( *olen ) ); + assert( ( obuf = polarssl_malloc( *olen ) ) != NULL ); (void) unhexify( obuf, ibuf ); diff --git a/tests/suites/test_suite_pkcs5.function b/tests/suites/test_suite_pkcs5.function index 5408e67e83..c7455715c4 100644 --- a/tests/suites/test_suite_pkcs5.function +++ b/tests/suites/test_suite_pkcs5.function 
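Review bot: In `zero_alloc()` the allocation is performed inside the `assert()` argument, so a build with `NDEBUG` defined drops the `polarssl_malloc()` call and the following `memset()` writes through an uninitialised pointer. Move the side effect out: `p = polarssl_malloc( actual_len );` then `assert( p != NULL );`. The context line in the second hunk shows `unhexify_alloc()` using the same `assert( ( obuf = polarssl_malloc( *olen ) ) != NULL )` pattern, which deserves the same change. Both new comment lines also read "If the size if zero" where "is zero" is meant.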
@@ -59,9 +59,7 @@ void pkcs5_pbes2( int params_tag, char *params_hex, char *pw_hex, data = unhexify_alloc( data_hex, &data_len ); pw = unhexify_alloc( pw_hex, &pw_len ); ref_out = unhexify_alloc( ref_out_hex, &ref_out_len ); - my_out = polarssl_malloc( ref_out_len != 0 ? ref_out_len : 1 ); - TEST_ASSERT( my_out != NULL ); - memset( my_out, 0, ref_out_len ); + my_out = zero_alloc( ref_out_len ); my_ret = pkcs5_pbes2( ¶ms, PKCS5_DECRYPT, pw, pw_len, data, data_len, my_out ); From e41072e7f9746fc793a12fda6d00b1c255c98b31 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 16 Jun 2014 16:24:24 +0200 Subject: [PATCH 16/19] Exclude headers from lcov reports The data produced by gcov for static inline functions is too unreliable to be actually useful. Some lines that are covered are not marked as such, some other static inline functions are completely ignored, and the reasons why do not look obvious. --- CMakeLists.txt | 6 ++++-- Makefile | 6 ++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index c1246c935c..86439ada42 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -96,9 +96,11 @@ if(ENABLE_TESTING) COMMAND rm -rf Coverage COMMAND lcov --capture --initial --directory library/CMakeFiles/polarssl.dir -o files.info COMMAND lcov --capture --directory library/CMakeFiles/polarssl.dir -o tests.info + COMMAND lcov --add-tracefile files.info --add-tracefile tests.info -o all.info + COMMAND lcov --remove all.info -o final.info '*.h' COMMAND gendesc tests/Descriptions.txt -o descriptions - COMMAND genhtml --title PolarSSL --description-file descriptions --keep-descriptions --legend --no-branch-coverage -o Coverage files.info tests.info - COMMAND rm -f files.info tests.info descriptions + COMMAND genhtml --title PolarSSL --description-file descriptions --keep-descriptions --legend --no-branch-coverage -o Coverage final.info + COMMAND rm -f files.info tests.info all.info final.info descriptions ) ADD_CUSTOM_TARGET(memcheck diff --git a/Makefile b/Makefile index 1ec10f2d42..0807e8d2a1 100644 --- a/Makefile +++ b/Makefile @@ -68,9 +68,11 @@ lcov: rm -rf Coverage lcov --capture --initial --directory library -o files.info lcov --capture --directory library -o tests.info + lcov --add-tracefile files.info --add-tracefile tests.info -o all.info + lcov --remove all.info -o final.info '*.h' gendesc tests/Descriptions.txt -o descriptions - genhtml --title PolarSSL --description-file descriptions --keep-descriptions --legend --no-branch-coverage -o Coverage files.info tests.info - rm -f files.info tests.info descriptions + genhtml --title PolarSSL --description-file descriptions --keep-descriptions --legend --no-branch-coverage -o Coverage final.info + rm -f files.info tests.info all.info final.info descriptions apidoc: mkdir -p apidoc From fab2a3c3d6cfb9ae353d646296f33a335237fbdb Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 16 Jun 2014 16:54:36 +0200 Subject: [PATCH 17/19] Fix port selection in ssl test scripts Port was selected in the 1000-1999 range which is bad (system ports). --- tests/compat.sh | 2 +- tests/ssl-opt.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/compat.sh b/tests/compat.sh index 06243bde48..dc03ebdb39 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -965,7 +965,7 @@ MAIN_PID="$$" # Pick a "unique" port in the range 10000-19999. PORT="0000$$" -PORT="1$(echo $PORT | tail -c 4)" +PORT="1$(echo $PORT | tail -c 5)" # Also pick a unique name for intermediate files SRV_OUT="srv_out.$$" diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index ddb7a0ac02..f43f1eb54e 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -316,7 +316,7 @@ fi # Pick a "unique" port in the range 10000-19999. PORT="0000$$" -PORT="1$(echo $PORT | tail -c 4)" +PORT="1$(echo $PORT | tail -c 5)" # fix commands to use this port P_SRV="$P_SRV server_port=$PORT" From 15f58a86f784c6f830bc47779f91f5d55831c6c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 16 Jun 2014 17:12:40 +0200 Subject: [PATCH 18/19] Add test for mpi_gen_prime() --- tests/suites/test_suite_mpi.data | 16 +++++++++++++++ tests/suites/test_suite_mpi.function | 30 ++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+) diff --git a/tests/suites/test_suite_mpi.data b/tests/suites/test_suite_mpi.data index fdbef02ccb..5693a80fb8 100644 --- a/tests/suites/test_suite_mpi.data +++ b/tests/suites/test_suite_mpi.data 
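Review bot: The change from `tail -c 4` to `tail -c 5` in compat.sh is right but unexplained: `echo` appends a newline, so five bytes are needed to keep four digits, and the existing comment does not say that. A line such as `# tail -c 5 = last 4 digits of the PID plus echo's trailing newline` above the assignment would stop a later reader from "correcting" it back; the identical hunk in ssl-opt.sh needs the same comment. The port is still derived from the PID without checking that it is free, so a clash with another listener on the host remains possible.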
@@ -656,6 +656,22 @@ Test mpi_is_prime #20 depends_on:POLARSSL_GENPRIME mpi_is_prime:10:"49979687":0 +Test mpi_gen_prime (Too small) +depends_on:POLARSSL_GENPRIME +mpi_gen_prime:2:0:POLARSSL_ERR_MPI_BAD_INPUT_DATA + +Test mpi_gen_prime (OK, minimum size) +depends_on:POLARSSL_GENPRIME +mpi_gen_prime:3:0:0 + +Test mpi_gen_prime (Larger) +depends_on:POLARSSL_GENPRIME +mpi_gen_prime:128:0:0 + +Test mpi_gen_prime (Safe) +depends_on:POLARSSL_GENPRIME +mpi_gen_prime:128:1:0 + Test bit getting (Value bit 25) mpi_get_bit:10:"49979687":25:1 diff --git a/tests/suites/test_suite_mpi.function b/tests/suites/test_suite_mpi.function index 239f8a9370..ec9752c867 100644 --- a/tests/suites/test_suite_mpi.function +++ b/tests/suites/test_suite_mpi.function @@ -719,6 +719,36 @@ void mpi_is_prime( int radix_X, char *input_X, int div_result ) } /* END_CASE */ +/* BEGIN_CASE depends_on:POLARSSL_GENPRIME */ +void mpi_gen_prime( int bits, int safe, int ref_ret ) +{ + mpi X; + int my_ret; + + mpi_init( &X ); + + my_ret = mpi_gen_prime( &X, bits, safe, rnd_std_rand, NULL ); + TEST_ASSERT( my_ret == ref_ret ); + + if( ref_ret == 0 ) + { + size_t actual_bits = mpi_msb( &X ); + + TEST_ASSERT( actual_bits >= (size_t) bits ); + TEST_ASSERT( actual_bits <= (size_t) bits + 1 ); + + TEST_ASSERT( mpi_is_prime( &X, rnd_std_rand, NULL ) == 0 ); + if( safe ) + { + mpi_shift_r( &X, 1 ); /* X = ( X - 1 ) / 2 */ + TEST_ASSERT( mpi_is_prime( &X, rnd_std_rand, NULL ) == 0 ); + } + } + + mpi_free( &X ); +} +/* END_CASE */ + /* BEGIN_CASE */ void mpi_shift_l( int radix_X, char *input_X, int shift_X, int radix_A, char *input_A) From f3b47243df986a1cfd75c66186cf334cd8f2ee7c Mon Sep 17 00:00:00 2001 
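Review bot: In the `if( safe )` branch of the new mpi_gen_prime test, the return value of `mpi_shift_r( &X, 1 )` is ignored. If the shift failed, X would still hold the original prime and the following `mpi_is_prime` assertion would pass without checking (X - 1) / 2. Wrap the call as `TEST_ASSERT( mpi_shift_r( &X, 1 ) == 0 );`. The upper bound `actual_bits <= (size_t) bits + 1` also deserves a one-line comment saying why one extra bit is accepted. If TEST_ASSERT leaves the function on failure (its definition is not on this page), `mpi_free( &X )` is skipped on every failing path.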
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 16 Jun 2014 18:06:48 +0200 Subject: [PATCH 19/19] Split x509_csr_parse_der() out of x509_csr_parse() --- include/polarssl/x509_csr.h | 14 +++- library/x509_csr.c | 94 +++++++++++++--------- tests/suites/test_suite_x509parse.function | 2 +- 3 files changed, 69 insertions(+), 41 deletions(-) diff --git a/include/polarssl/x509_csr.h b/include/polarssl/x509_csr.h index deac88fde2..bbe6beca5f 100644 --- a/include/polarssl/x509_csr.h +++ b/include/polarssl/x509_csr.h @@ -85,7 +85,19 @@ x509write_csr; #if defined(POLARSSL_X509_CSR_PARSE_C) /** - * \brief Load a Certificate Signing Request (CSR) + * \brief Load a Certificate Signing Request (CSR) in DER format + * + * \param csr CSR context to fill + * \param buf buffer holding the CRL data + * \param buflen size of the buffer + * + * \return 0 if successful, or a specific X509 error code + */ +int x509_csr_parse_der( x509_csr *csr, + const unsigned char *buf, size_t buflen ); + +/** + * \brief Load a Certificate Signing Request (CSR), DER or PEM format * * \param csr CSR context to fill * \param buf buffer holding the CRL data diff --git a/library/x509_csr.c b/library/x509_csr.c index eee6e724e8..0b4f771f92 100644 --- a/library/x509_csr.c +++ b/library/x509_csr.c @@ -90,18 +90,15 @@ static int x509_csr_get_version( unsigned char **p, } /* - * Parse a CSR + * Parse a CSR in DER format */ -int x509_csr_parse( x509_csr *csr, const unsigned char *buf, size_t buflen ) +int x509_csr_parse_der( x509_csr *csr, + const unsigned char *buf, size_t buflen ) { int ret; size_t len; unsigned char *p, *end; x509_buf sig_params; -#if defined(POLARSSL_PEM_PARSE_C) - size_t use_len; - pem_context pem; -#endif memset( &sig_params, 0, sizeof( x509_buf ) ); 
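Review bot: The new doc comment for x509_csr_parse_der() in include/polarssl/x509_csr.h describes `buf` as "buffer holding the CRL data", but this is the CSR API. It should read `\param buf      buffer holding the CSR data`, and the same copy-paste wording remains in the x509_csr_parse() comment directly below. The comment for the "DER or PEM" entry point should also state what the buffer must look like. Later in this patch `buf` is handed to pem_read_buffer() without `buflen`, so PEM detection presumably relies on a terminator rather than on the length. That is worth confirming and documenting, because callers passing raw DER will not expect it.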
@@ -113,41 +110,15 @@ int x509_csr_parse( x509_csr *csr, const unsigned char *buf, size_t buflen ) x509_csr_init( csr ); -#if defined(POLARSSL_PEM_PARSE_C) - pem_init( &pem ); - ret = pem_read_buffer( &pem, - "-----BEGIN CERTIFICATE REQUEST-----", - "-----END CERTIFICATE REQUEST-----", - buf, NULL, 0, &use_len ); + /* + * first copy the raw DER data + */ + p = (unsigned char *) polarssl_malloc( len = buflen ); - if( ret == 0 ) - { - /* - * Was PEM encoded, steal PEM buffer - */ - p = pem.buf; - pem.buf = NULL; - len = pem.buflen; - pem_free( &pem ); - } - else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) - { - pem_free( &pem ); - return( ret ); - } - else -#endif /* POLARSSL_PEM_PARSE_C */ - { - /* - * nope, copy the raw DER data - */ - p = (unsigned char *) polarssl_malloc( len = buflen ); + if( p == NULL ) + return( POLARSSL_ERR_X509_MALLOC_FAILED ); - if( p == NULL ) - return( POLARSSL_ERR_X509_MALLOC_FAILED ); - - memcpy( p, buf, buflen ); - } + memcpy( p, buf, buflen ); csr->raw.p = p; csr->raw.len = len; 
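Review bot: `polarssl_malloc( len = buflen )` runs with whatever length the caller passed, and a zero `buflen` makes the outcome implementation-defined. malloc(0) may return NULL, which is then reported as POLARSSL_ERR_X509_MALLOC_FAILED, or a non-NULL pointer that the parser goes on to treat as an empty range. The input check of x509_csr_parse_der() sits above this hunk and is not visible here. If it does not already reject an empty buffer, extending it to `if( csr == NULL || buf == NULL || buflen == 0 )` gives callers a clear POLARSSL_ERR_X509_BAD_INPUT_DATA. Separately, the assignment buried in the call argument reads better as two statements, `len = buflen;` followed by `p = (unsigned char *) polarssl_malloc( len );`.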
@@ -284,6 +255,51 @@ int x509_csr_parse( x509_csr *csr, const unsigned char *buf, size_t buflen ) return( 0 ); } +/* + * Parse a CSR, allowing for PEM or raw DER encoding + */ +int x509_csr_parse( x509_csr *csr, const unsigned char *buf, size_t buflen ) +{ + int ret; +#if defined(POLARSSL_PEM_PARSE_C) + size_t use_len; + pem_context pem; +#endif + + /* + * Check for valid input + */ + if( csr == NULL || buf == NULL ) + return( POLARSSL_ERR_X509_BAD_INPUT_DATA ); + +#if defined(POLARSSL_PEM_PARSE_C) + pem_init( &pem ); + ret = pem_read_buffer( &pem, + "-----BEGIN CERTIFICATE REQUEST-----", + "-----END CERTIFICATE REQUEST-----", + buf, NULL, 0, &use_len ); + + if( ret == 0 ) + { + /* + * Was PEM encoded, parse the result + */ + if( ( ret = x509_csr_parse_der( csr, pem.buf, pem.buflen ) ) != 0 ) + return( ret ); + + pem_free( &pem ); + return( 0 ); + } + else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) + { + pem_free( &pem ); + return( ret ); + } + else +#endif /* POLARSSL_PEM_PARSE_C */ + return( x509_csr_parse_der( csr, buf, buflen ) ); +} + #if defined(POLARSSL_FS_IO) /* * Load a CSR into the structure diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index 8f496b0534..9fd3adc3f7 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -280,7 +280,7 @@ void x509_csr_parse( char *csr_der_hex, char *ref_out, int ref_ret ) memset( my_out, 0, sizeof( my_out ) ); csr_der = unhexify_alloc( csr_der_hex, &csr_der_len ); - my_ret = x509_csr_parse( &csr, csr_der, csr_der_len ); + my_ret = x509_csr_parse_der( &csr, csr_der, csr_der_len ); TEST_ASSERT( my_ret == ref_ret ); if( ref_ret == 0 )
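Review bot: In the new x509_csr_parse(), the PEM branch returns early with `return( ret );` when x509_csr_parse_der() fails, without calling pem_free(). The decoded buffer held in `pem` is therefore leaked for every PEM-wrapped CSR that fails DER parsing. CSRs are typically submitted by parties the parser does not trust, so repeated malformed requests become steady memory growth. Free unconditionally before returning: `ret = x509_csr_parse_der( csr, pem.buf, pem.buflen );`, then `pem_free( &pem );`, then `return( ret );`. The last hunk of this patch switches the test to call x509_csr_parse_der() directly, so this wrapper and its PEM path are no longer exercised by that test case.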