Commit graph

12468 commits

Author SHA1 Message Date
Gilles Peskine 37570e8152 mbedtls_asn1_get_int: fix int overflow
Fix a signed int overflow in mbedtls_asn1_get_int() for numbers
between INT_MAX+1 and UINT_MAX (typically 0x80000000..0xffffffff).
This was undefined behavior which in practice would typically have
resulted in an incorrect value, but which may plausibly also have
caused the postcondition (*p == initial<*p> + len) to be violated.

Credit to OSS-Fuzz.
2019-10-10 19:29:27 +02:00
Gilles Peskine 9fd9794d10 mbedtls_asn1_get_int: explain the logic
No behavior change.
2019-10-10 19:27:53 +02:00
Gilles Peskine 0370b1bd7d ASN1 tests: more INTEGER test cases
Test more INTEGER values, especially near the boundary of int (which
is at 2^31-1 on all our officially supported platforms).
2019-10-10 19:25:39 +02:00
Gilles Peskine 970dcbf453 ASN1 tests: Match negative INTEGERs with the actual library behavior
mbedtls_asn1_get_int() and mbedtls_asn1_get_mpi() behave differently
on negative INTEGERs (0200). Don't change the library behavior for now
because this might break interoperability in some applications. Change
the test function to the library behavior.

Fix the test data with negative INTEGERs. These test cases were
previously not run (they were introduced but deliberately deactivated
in 27d806fab4). The test data was
actually wrong: ASN.1 uses two's complement, which has no negative 0,
and some encodings were wrong. Now the tests have correct data, and
the test code rectifies the expected data to match the library
behavior.
2019-10-10 19:21:12 +02:00
Gilles Peskine 321adb297c ASN1 tests: Match "Empty INTEGER" with the actual library behavior
mbedtls_asn1_get_int() and mbedtls_asn1_get_mpi() behave differently
on an empty INTEGER (0200). Don't change the library behavior for now
because this might break interoperability in some applications. Write
a test function that matches the library behavior.
2019-10-10 19:18:21 +02:00
Gilles Peskine 03c165e1e1 Fix the build and the tests when MBEDTLS_BIGNUM_C is unset
When the asn1parse module is enabled but the bignum module is
disabled, the asn1parse test suite did not work. Fix this.

* Fix a syntax error in get_integer() (label immediately followed by a
  closing brace).
* Fix an unused variable in get_integer().
* Fix `TEST_ASSERT( *p == q );` in nested_parse() failing because `*p`
  was not set.
* Fix nested_parse() not outputting the length of what it parsed.
2019-10-10 19:15:18 +02:00
Gilles Peskine 36029387de
Merge pull request #285 from gilles-peskine-arm/psa-se_driver-validate_save_persistent
SE driver: make persistent data work
2019-10-09 18:35:33 +02:00
Gilles Peskine 1bbe284d63
Merge pull request #272 from adrianlshaw/document_old_algs
Insert doxygen comments on old algorithms so they appear in PSA documentation
2019-10-09 17:18:11 +02:00
Gilles Peskine 43326f0d1e Change PSA_DH_GROUP_CUSTOM to not be in the vendor-defined range 2019-10-09 16:43:39 +02:00
Gilles Peskine 04129a0d96 Update slot management tests now that {close,destroy}_key(0) succeed 2019-10-09 16:23:49 +02:00
Gilles Peskine 85485c7338 Always gather MBEDTLS_ENTROPY_BLOCK_SIZE bytes of entropy
mbedtls_entropy_func returns up to MBEDTLS_ENTROPY_BLOCK_SIZE bytes.
This is the output of a hash function and does not indicate how many
bytes of entropy went into the hash computation.

Enforce that mbedtls_entropy_func gathers a total of
MBEDTLS_ENTROPY_BLOCK_SIZE bytes or more from strong sources. Weak
sources don't count for this calculation. This is complementary to the
per-source threshold mechanism.

In particular, we define system sources with a threshold of 32. But
when using SHA-512 for the entropy accumulator,
MBEDTLS_ENTROPY_BLOCK_SIZE = 64, so users can expect 64 bytes' worth
of entropy. Before, you only got 64 bytes of entropy if there were two
sources. Now you get 64 bytes of entropy even with a single source
with a threshold of 32.
2019-10-09 13:53:47 +02:00
Andrzej Kurek 8028cb19f4 Makefile: add path prefixes to other versions of libmbedcrypto library 2019-10-08 10:10:43 -04:00
Gilles Peskine cb25cdd53a Add ECDSA tests with hash and key of different lengths
Add some ECDSA test cases where the hash is shorter or longer than the
key length, to check that the API doesn't enforce a relationship
between the two.

For the sign_deterministic tests, the keys are
tests/data_files/ec_256_prv.pem and tests/data_files/ec_384_prv.pem
and the signatures were obtained with Python Cryptodome:

from binascii import hexlify, unhexlify
from Crypto.Hash import SHA256, SHA384
from Crypto.PublicKey import ECC
from Crypto.Signature import DSS
k2 = ECC.import_key(unhexlify("3077020101042049c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eeea00a06082a8648ce3d030107a144034200047772656f814b399279d5e1f1781fac6f099a3c5ca1b0e35351834b08b65e0b572590cdaf8f769361bcf34acfc11e5e074e8426bdde04be6e653945449617de45"))
SHA384.new(b'hello').hexdigest()
hexlify(DSS.new(k2, 'deterministic-rfc6979').sign(SHA384.new(b'hello')))
k3 = ECC.import_key(unhexlify("3081a402010104303f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76aa00706052b81040022a16403620004d9c662b50ba29ca47990450e043aeaf4f0c69b15676d112f622a71c93059af999691c5680d2b44d111579db12f4a413a2ed5c45fcfb67b5b63e00b91ebe59d09a6b1ac2c0c4282aa12317ed5914f999bc488bb132e8342cc36f2ca5e3379c747"))
SHA256.new(b'hello').hexdigest()
hexlify(DSS.new(k3, 'deterministic-rfc6979').sign(SHA256.new(b'hello')))
2019-10-08 16:05:02 +02:00
Gilles Peskine 1841cf43ee Make psa_close_key(0) and psa_destroy_key(0) succeed 2019-10-08 15:57:27 +02:00
Gilles Peskine f102e4e4f6 Test that psa_close_key(0) and psa_destroy_key(0) succeed 2019-10-08 15:57:27 +02:00
Gilles Peskine 2493401af4 Document that psa_close_key(0) and psa_destroy_key(0) succeed
Document that passing 0 to a close/destroy function does nothing and
returns PSA_SUCCESS.

Although this was not written explicitly, the specification strongly
suggested that this would return PSA_ERROR_INVALID_HANDLE. While
returning INVALID_HANDLE makes sense, it was awkward for a very common
programming style where applications can store 0 in a handle variable
to indicate that the handle has been closed or has never been open:
applications had to either check if (handle != 0) before calling
psa_close_key(handle) or psa_destroy_key(handle), or ignore errors
from the close/destroy function. Now applications following this style
can just call psa_close_key(handle) or psa_destroy_key(handle).
2019-10-08 15:43:13 +02:00
Gilles Peskine 0d50d41c92
Merge pull request #2882 from gilles-peskine-arm/update-crypto-20191004
Update crypto submodule:

* https://github.com/ARMmbed/mbed-crypto/pull/277: Improve speed of PBKDF2 by caching the digest state of the passphras
* https://github.com/ARMmbed/mbed-crypto/pull/269: Add PSA API versioning
* https://github.com/ARMmbed/mbed-crypto/pull/278: Fix on target test issues
* https://github.com/ARMmbed/mbed-crypto/pull/286: Fix defgroup syntax for API version section
* https://github.com/ARMmbed/mbed-crypto/pull/75: ASN.1 tests without x509
2019-10-08 15:34:11 +02:00
Gilles Peskine 65fc0686a7 Add tests to ensure that we gather as much entropy as expected
There were tests to ensure that each entropy source reaches its
threshold, but no test that covers the total amount of entropy. Add
test cases with a known set of entropy sources and make sure that we
always gather at least MBEDTLS_ENTROPY_BLOCK_SIZE bytes from a strong
source.
2019-10-08 15:01:34 +02:00
Gilles Peskine 7f246510d0 Add a test case for MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED 2019-10-08 14:56:48 +02:00
Gilles Peskine ed04a676ee Entropy tests: support multiple dummy sources
Always pass a context object to entropy_dummy_source. This lets us
write tests that register more than one source and keep track of how
many times each one is called.
2019-10-08 14:37:27 +02:00
Gilles Peskine c34b839d85 Improve the descriptions of some entropy test cases 2019-10-08 14:21:18 +02:00
Andrew Thoelke 6e59505bb2 Recommend use of GREASE values for vendor defined DH groups 2019-10-07 22:27:17 +01:00
Andrew Thoelke 691ec52694 Remove over-specific RFC references
Rely on general reference to IANA documentation
2019-10-07 15:28:36 +01:00
Gilles Peskine e249c0e6b3 config.pl full: exclude MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
This is a variant toggle, not an extra feature, so it should be tested
separately.
2019-10-07 15:57:50 +02:00
Andrzej Kurek 232e8f959a Enable parallel shared target tests
Now that the dependency issues for shared target are fixed, the feature can be
enabled in tests.
2019-10-07 09:24:43 -04:00
Andrzej Kurek df2cd9e14f Makefiles: move the dependencies block to be after DLEXT definition
Having it before them resulted in incomplete dependency names, always ending
with a period.
2019-10-07 09:24:22 -04:00
Andrzej Kurek 8af3923815 Add a recipe for libmbedcrypto with a path prefix
This caused problems when running multiple jobs at once, since
there was no target matching libmbedcrypto.so with the path
prefix. It only worked if it was built first, since such file was found.
Additionally,  building of libmbedcrypto.so now waits for the static .a version.
Previously, recipes for both libmbedcrypto.a and libmbedcrypto.so could run
independently when running parallel jobs, which resulted in the .o files
being built twice. It could sometimes be a problem, since linking would start
when building one of the object files was still in progress (the previous one
existed). This in turn resulted in reading (and trying to link) a malformed file.
The "|" character is followed by "order-only-prerequisites", and in this case,
makes linking of the shared version of the library wait for the .a file.
Since it's guaranteed to be always built in the "all" target, it's fine to do that.
All of the .o files are only built once thanks to this change.
2019-10-07 09:19:18 -04:00
Gilles Peskine f70d3eb43a Uncomment X509 test that now works
The test failed due to an ASN.1 bug that the latest crypto submodule
update fixed.
2019-10-04 19:24:37 +02:00
Gilles Peskine e96658d3f5 Update error.c after a crypto submodule update 2019-10-04 19:23:00 +02:00
Gilles Peskine 714c3e1a0e Update crypto submodule
* #277: Improve speed of PBKDF2 by caching the digest state of the passphrase
* #269: Add PSA API versioning
* #278: Fix on target test issues
* #286: Fix defgroup syntax for API version section
* #75: ASN.1 tests without x509
2019-10-04 19:21:07 +02:00
Gilles Peskine 77d44573cb mbedtls_hmac_drbg_set_entropy_len() only matters when reseeding
The documentation of HMAC_DRBG erroneously claimed that
mbedtls_hmac_drbg_set_entropy_len() had an impact on the initial
seeding. This is in fact not the case: mbedtls_hmac_drbg_seed() forces
the entropy length to its chosen value. Fix the documentation.
2019-10-04 18:34:12 +02:00
Gilles Peskine dddda81fbc mbedtls_ctr_drbg_set_entropy_len() only matters when reseeding
The documentation of CTR_DRBG erroneously claimed that
mbedtls_ctr_drbg_set_entropy_len() had an impact on the initial
seeding. This is in fact not the case: mbedtls_ctr_drbg_seed() forces
the initial seeding to grab MBEDTLS_CTR_DRBG_ENTROPY_LEN bytes of
entropy. Fix the documentation and rewrite the discussion of the
entropy length and the security strength accordingly.
2019-10-04 18:33:59 +02:00
Jaeden Amero 9ab7c07f1f
Merge pull request #75 from gilles-peskine-arm/asn1-tests-without-x509
ASN.1 tests without x509
2019-10-04 12:30:01 +01:00
Gilles Peskine 88f136f98b Fix free_named_data_list tests
Fix copypasta in test data and fix a switcho in test code.
2019-10-04 11:35:09 +02:00
Gilles Peskine dc2db4832d Fix typos in documentation 2019-10-04 11:35:09 +02:00
Gilles Peskine 7e27936767 Add a note about CTR_DRBG security strength to config.h 2019-10-04 11:16:31 +02:00
Gilles Peskine 1540e5bd04 Move MBEDTLS_CTR_DRBG_USE_128_BIT_KEY to the correct section
It's an on/off feature, so it should be listed in version_features.
2019-10-04 11:16:24 +02:00
Gilles Peskine d0c64c856d CTR_DRBG: more consistent formatting and wording
In particular, don't use #MBEDTLS_xxx on macros that are undefined in
some configurations, since this would be typeset with a literal '#'.
2019-10-04 11:12:04 +02:00
Gilles Peskine 2884ba3720 CTR_DRBG: Improve the explanation of security strength
Separate the cases that achieve a 128-bit strength and the cases that
achieve a 256-bit strength.
2019-10-04 11:09:03 +02:00
Gilles Peskine 017778e9d8 CTR_DRBG: make it easier to understand the security strength
Explain how MBEDTLS_CTR_DRBG_ENTROPY_LEN is set next to the security
strength statement, rather than giving a partial explanation (current
setting only) in the documentation of MBEDTLS_CTR_DRBG_ENTROPY_LEN.
2019-10-04 11:09:03 +02:00
Gilles Peskine 5d9fd07938 HMAC_DRBG: note that the initial seeding grabs entropy for the nonce 2019-10-04 11:09:03 +02:00
Gilles Peskine 217b8159da Use standard terminology to describe the personalization string
NIST and many other sources call it a "personalization string", and
certainly not "device-specific identifiers" which is actually somewhat
misleading since this is just one of many things that might go into a
personalization string.
2019-10-04 11:09:03 +02:00
Gilles Peskine 2d8f069472 Do note that xxx_drbg_random functions reseed with PR enabled 2019-10-04 11:09:03 +02:00
Gilles Peskine 10f16ac74a Consistently use \c NULL and \c 0 2019-10-04 11:09:03 +02:00
Gilles Peskine 3457b5e05e HMAC_DRBG: improve the documentation of the entropy length 2019-10-04 11:09:03 +02:00
Gilles Peskine 74efcd2b71 HMAC_DRBG documentation improvements clarifications
Improve the formatting and writing of the documentation based on what
had been done for CTR_DRBG.

Document the maximum size and nullability of some buffer parameters.
2019-10-04 11:09:03 +02:00
Gilles Peskine ec51dd12fa More CTR_DRBG documentation improvements and clarifications 2019-10-04 11:09:03 +02:00
Gilles Peskine 6fdf0b3a47 CTR_DRBG: improve the discussion of entropy length vs strength 2019-10-04 11:09:02 +02:00
Gilles Peskine 223deea86b CTR_DRBG: Document the security strength and SP 800-90A compliance
Document that a derivation function is used.

Document the security strength of the DRBG depending on the
compile-time configuration and how it is set up. In particular,
document how the nonce specified in SP 800-90A is set.

Mention how to link the ctr_drbg module with the entropy module.
2019-10-04 11:09:02 +02:00
Gilles Peskine 944bc587e8 CTR_DRBG: Document the maximum size of some parameters 2019-10-04 11:09:02 +02:00