Commit graph

7420 commits

Author SHA1 Message Date
Daniel Otte 1939460417 adjusting size of sliding window array to correct size.
Probably the `W[2 << MBEDTLS_MPI_WINDOW_SIZE]` notation is based on a transcription of 2**MBEDTLS_MPI_WINDOW_SIZE.

Signed-off-by: Daniel Otte <d.otte@wut.de>
2020-09-08 12:24:31 +02:00
Gilles Peskine 75ffb27577
Merge pull request #3627 from gilles-peskine-arm/test-fail-report-first-2.7
Backport 2.7: Report the first unit test failure, not the last one
2020-09-05 11:16:08 +02:00
Gilles Peskine cb0ec05717 Initialize ret from test code
The test function mbedtls_mpi_lt_mpi_ct did not initialize ret in test
code. If there was a bug in library code whereby the library function
mbedtls_mpi_lt_mpi_ct() did not set ret when it should, we might have
missed it if ret happened to contain the expected value. So initialize
ret to a value that we never expect.

In Mbed TLS 2.7.17, the lack of initialization also caused Valgrind to
fail on a Clang 3.8 build with -O1 or more (not with -O0). As far as I
can tell, this is an instance of a known bug/feature in Clang which
sometimes generates code that contains a conditional jump based on
memory which is not initialized at the C level. This is not really a
bug in Clang as a C compiler since the code has the same behavior
whether the branch is taken or not, and therefore the branch is not
observable at the C level. However, the branch on C-uninitialized
memory causes a false positive from Valgrind. Here are some reports of
this Clang behavior:
* https://lists.llvm.org/pipermail/llvm-dev/2016-November/107428.html
* https://bugs.llvm.org/show_bug.cgi?id=32604

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-09-02 15:18:07 +02:00
Gilles Peskine d4c9fd1e0a Report the first failure, not the last one
If test_fail is called multiple times in the same test case, report
the location of the first failure, not the last one.

With this change, you no longer need to take care in tests that use
auxiliary functions not to fail in the main function if the auxiliary
function has failed.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-31 10:24:12 +02:00
Janos Follath 7cd4d2dadb
Merge pull request #750 from ARMmbed/mbedtls-2.7.17r0-pr
Prepare Release Candidate for Mbed TLS 2.7.17
2020-08-27 11:33:03 +01:00
Janos Follath 6badb015eb Update ChangeLog header
Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-08-26 15:36:15 +01:00
Janos Follath 0db765ac65 Bump version to Mbed TLS 2.7.17
Executed "./scripts/bump_version.sh --version 2.7.17"

Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-08-26 15:28:48 +01:00
Janos Follath 681a74dd5e Assemble ChangeLog
Executed scripts/assemble_changelog.py.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-08-26 14:50:38 +01:00
Janos Follath 93c784b356 Merge branch 'mbedtls-2.7-restricted' 2020-08-26 14:16:29 +01:00
Gilles Peskine 934fe1ef18
Merge pull request #3561 from raoulstrackx/raoul/verify_crl_without_time_bp2.7
Backport 2.7: Always revoke certificate on CRL
2020-08-26 12:56:18 +02:00
Manuel Pégourié-Gonnard d4c464ff22
Merge pull request #746 from mpg/changelog-for-local-lucky13-2.7-restricted
[Backport 2.7] Add a ChangeLog entry for local Lucky13 variant
2020-08-26 11:52:29 +02:00
Raoul Strackx 2a8e9587a7 Always revoke certificate on CRL
RFC5280 does not state that the `revocationDate` should be checked.

In addition, when no time source is available (i.e., when MBEDTLS_HAVE_TIME_DATE is not defined), `mbedtls_x509_time_is_past` always returns 0. This results in the CRL not being checked at all.

https://tools.ietf.org/html/rfc5280
Signed-off-by: Raoul Strackx <raoul.strackx@fortanix.com>
2020-08-26 11:38:41 +02:00
Manuel Pégourié-Gonnard f530c8018b Clarify that the Lucky 13 fix is quite general
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-26 10:58:35 +02:00
Manuel Pégourié-Gonnard c3f68378bc Add a ChangeLog entry for local Lucky13 variant
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-26 10:58:35 +02:00
Janos Follath 117587d544
Merge pull request #742 from mpg/cf-varpos-copy-2.7-restricted
[backport 2.7] Constant-flow copy of HMAC from variable position
2020-08-25 14:35:36 +01:00
Manuel Pégourié-Gonnard 520e78b830 Fix a typo in a comment
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-25 12:01:11 +02:00
Manuel Pégourié-Gonnard f4435c4fed Improve comments on constant-flow testing in config.h
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-25 12:01:11 +02:00
Manuel Pégourié-Gonnard 426c2d4a38 Add an option to test constant-flow with valgrind
Currently the new component in all.sh fails because
mbedtls_ssl_cf_memcpy_offset() is not actually constant flow - this is on
purpose to be able to verify that the new test works.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-25 12:01:09 +02:00
Manuel Pégourié-Gonnard 3b490a0a01 Add mbedtls_ssl_cf_memcpy_offset() with tests
The tests are supposed to be failing now (in all.sh component
test_memsan_constant_flow), but they don't as apparently MemSan doesn't
complain when the src argument of memcpy() is uninitialized, see
https://github.com/google/sanitizers/issues/1296

The next commit will add an option to test constant flow with valgrind, which
will hopefully correctly flag the current non-constant-flow implementation.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-25 12:00:07 +02:00
Manuel Pégourié-Gonnard bf7a49eacc Use temporary buffer to hold the peer's HMAC
This paves the way for a constant-flow implementation of HMAC checking, by
making sure that the comparison happens at a constant address. The missing
step is obviously to copy the HMAC from the secret offset to this temporary
buffer with constant flow, which will be done in the next few commits.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-25 12:00:07 +02:00
Manuel Pégourié-Gonnard d863a67a74 Merge branch 'mbedtls-2.7' into mbedtls-2.7-restricted
* mbedtls-2.7: (28 commits)
  A different approach of signed-to-unsigned comparison
  Update the copy of tests/data_files/server2-sha256.crt in certs.c
  Fix bug in redirection of unit test outputs
  Backport e2k support to mbedtls-2.7
  Don't forget to free G, P, Q, ctr_drbg, and entropy
  Regenerate server2-sha256.crt with a PrintableString issuer
  Regenerate test client certificates with a PrintableString issuer
  cert_write: support all hash algorithms
  compat.sh: stop using allow_sha1
  compat.sh: quit using SHA-1 certificates
  compat.sh: enable CBC-SHA-2 suites for GnuTLS
  Fix license header in pre-commit hook
  Update copyright notices to use Linux Foundation guidance
  Fix building on NetBSD 9.0
  Remove obsolete buildbot reference in compat.sh
  Fix misuse of printf in shell script
  Fix added proxy command when IPv6 is used
  Simplify test syntax
  Fix logic error in setting client port
  ssl-opt.sh: include test name in log files
  ...
2020-08-25 10:59:51 +02:00
Gilles Peskine 84be024eb0
Merge pull request #3594 from gilles-peskine-arm/fix-compat.sh-with-ubuntu-16.04-gnutls-2.7
Backport 2.7: Fix compat.sh with ubuntu 16.04 gnutls 2.7
2020-08-25 10:00:54 +02:00
Gilles Peskine 46b3fc221e
Merge pull request #3599 from makise-homura/mbedtls-2.7
Backport 2.7: Support building on e2k (Elbrus) architecture
2020-08-25 09:46:42 +02:00
makise-homura 329fe7e043 A different approach of signed-to-unsigned comparison
Suggested by @hanno-arm

Signed-off-by: makise-homura <akemi_homura@kurisa.ch>
2020-08-24 18:39:56 +03:00
Gilles Peskine 1323fba357 Update the copy of tests/data_files/server2-sha256.crt in certs.c
Before this commit, certs.c had a copy of a different version of
tests/data_files/server2-sha256.crt (from the then development branch)
which was generated by cert_write. Update certs.c with the new
tests/data_files/server2-sha256.crt which is also generated by
cert_write.

The new copy has the same size as the old copy so there is no concern
about existing application binaries relying on the size. (The old
tests/data_files/server2-sha256.crt had a different size because it
had been generated by openssl and so had slightly different content.)

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-24 15:15:00 +02:00
Gilles Peskine 24e2217922
Merge pull request #3600 from gufe44/helpers-redirect-restore-output-2.7
[Backport 2.7] Fix bug in redirection of unit test outputs
2020-08-24 10:45:15 +02:00
gufe44 b0ab8c257f Fix bug in redirection of unit test outputs
Avoid replacing handle. stdout is defined as a macro on several platforms.

Signed-off-by: gufe44 <gu981@protonmail.com>
2020-08-23 22:35:19 +02:00
makise-homura 03c2b8f1c7 Backport e2k support to mbedtls-2.7
Covers commits ac2fd65, 0be6aa9, e74f372, e559550
from `development` branch

Signed-off-by: makise-homura <akemi_homura@kurisa.ch>
2020-08-23 00:28:45 +03:00
makise-homura 00ebcbfc0a Don't forget to free G, P, Q, ctr_drbg, and entropy
I might be wrong, but lcc's optimizer is curious about this,
and I am too: shouldn't we free allocated stuff correctly
before exiting `dh_genprime` in this certain point of code?

Signed-off-by: makise-homura <akemi_homura@kurisa.ch>
2020-08-23 00:17:07 +03:00
Gilles Peskine 74243ee878 Regenerate server2-sha256.crt with a PrintableString issuer
server2-sha256.crt had the issuer ON and CN encoded as UTF8String, but the
corresponding CA certificate test-ca_cat12.crt had them encoded as
PrintableString. The strings matched, which is sufficient according to RFC
5280 §7.1 and RFC 4518 §2.1. However, GnuTLS 3.4.10 requires the strings to
have the same encoding, so it did not accept that the
UTF8String "PolarSSL Test CA" certificate was signed by the
PrintableString "PolarSSL Test CA" CA.

Since Mbed TLS 2.14 (specifically ebc1f40aa0
merged via https://github.com/ARMmbed/mbedtls/pull/1641), server2-sha256.crt
is generated by Mbed TLS's own cert_write program, which emits a
PrintableString. In older versions, this file was generated by OpenSSL,
which started emitting UTF8String at some point.
4f928c0f37 merged via
https://github.com/ARMmbed/mbedtls/pull/2418 fixed this for the SHA-1
certificate which was used at the time. The present commit applies the same
fix for the SHA-256 certificate that is now in use.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-21 19:15:51 +02:00
Gilles Peskine da118e130d Regenerate test client certificates with a PrintableString issuer
The test certificate used for clients in compat.sh, cert_sha256.crt,
had the issuer ON and CN encoded as UTF8String, but the corresponding
CA certificate test-ca_cat12.crt had them encoded as PrintableString.
The strings matched, which is sufficient according to RFC 5280 §7.1
and RFC 4518 §2.1. However, GnuTLS 3.4.10 requires the strings to have
the same encoding, so it did not accept that the certificate issued by
UTF8String "PolarSSL Test CA" was validly issued by the
PrintableString "PolarSSL Test CA" CA.

ebc1f40aa0, merged via
https://github.com/ARMmbed/mbedtls/pull/1641 and released in Mbed TLS
2.14, updated these certificates.
4f928c0f37 merged, via
https://github.com/ARMmbed/mbedtls/pull/2418 fixed this in the 2.7 LTS
branch for the SHA-1 certificate which was used at the time. The
present commit applies the same fix for the SHA-256 certificate that
is now in use.

For uniformity, this commit regenerates all the cert_*.crt.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-21 19:15:51 +02:00
Gilles Peskine a3511b97c1 cert_write: support all hash algorithms
For some reason, RIPEMD160, SHA224 and SHA384 were not supported.

This fixes the build recipes for tests/data_files/cert_sha224.crt and
tests/data_files/cert_sha384.crt .

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-21 19:15:51 +02:00
Manuel Pégourié-Gonnard 741c4e2d64 compat.sh: stop using allow_sha1
After the changes of certificates, it's no longer needed.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-21 13:42:29 +02:00
Manuel Pégourié-Gonnard 351dd59e9a compat.sh: quit using SHA-1 certificates
Replace server2.crt with server2-sha256.crt which, as the name implies, is
just the SHA-256 version of the same certificate.

Replace server1.crt with cert_sha256.crt which, as the name doesn't imply, is
associated with the same key and just have a slightly different Subject Name,
which doesn't matter in this instance.

The other certificates used in this script (server5.crt and server6.crt) are
already signed with SHA-256.

This change is motivated by the fact that recent versions of GnuTLS (or older
versions with the Debian patches) reject SHA-1 in certificates by default, as
they should. There are options to still accept it (%VERIFY_ALLOW_BROKEN and
%VERIFY_ALLOW_SIGN_WITH_SHA1) but:

- they're not available in all versions that reject SHA-1-signed certs;
- moving to SHA-2 just seems cleaner anyway.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-21 13:42:27 +02:00
Manuel Pégourié-Gonnard a6e640264f compat.sh: enable CBC-SHA-2 suites for GnuTLS
Recent GnuTLS packages on Ubuntu 16.04 have them disabled.

From /usr/share/doc/libgnutls30/changelog.Debian.gz:

gnutls28 (3.4.10-4ubuntu1.5) xenial-security; urgency=medium

  * SECURITY UPDATE: Lucky-13 issues
    [...]
    - debian/patches/CVE-2018-1084x-4.patch: hmac-sha384 and sha256
      ciphersuites were removed from defaults in lib/gnutls_priority.c,
      tests/priorities.c.

Since we do want to test the ciphersuites, explicitly re-enable them in the
server's priority string. (This is a no-op with versions of GnuTLS where those
are already enabled by default.)

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-21 13:42:17 +02:00
Gilles Peskine 690eec0a75
Merge pull request #3583 from bensze01/license-2.7
Backport 2.7: Fix license header in pre-commit hook
2020-08-20 10:14:56 +02:00
Bence Szépkúti 9df64ad39f Fix license header in pre-commit hook
The file was not updated to include the GPL 2.0+ header as well when it
was backported.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-08-20 09:27:07 +02:00
danh-arm 47ad15d9ec
Merge pull request #3581 from bensze01/copyright-2.7
[Backport 2.7] Update copyright notices to use Linux Foundation guidance
2020-08-19 16:41:44 +01:00
Bence Szépkúti 44bfbe3b95 Update copyright notices to use Linux Foundation guidance
As a result, the copyright of contributors other than Arm is now
acknowledged, and the years of publishing are no longer tracked in the
source files.

Also remove the now-redundant lines declaring that the files are part of
MbedTLS.

This commit was generated using the following script:

# ========================
#!/bin/sh

# Find files
find '(' -path './.git' -o -path './3rdparty' ')' -prune -o -type f -print | xargs sed -bi '

# Replace copyright attribution line
s/Copyright.*Arm.*/Copyright The Mbed TLS Contributors/I

# Remove redundant declaration and the preceding line
$!N
/This file is part of Mbed TLS/Id
P
D
'
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-08-19 16:54:51 +02:00
Manuel Pégourié-Gonnard 918b5f15d1
Merge pull request #3556 from mpg/x509-verify-non-dns-san-2.7
[Backport 2.7]  X509 verify non-DNS SANs
2020-08-18 10:02:16 +02:00
Manuel Pégourié-Gonnard 30c1df3f84
Merge pull request #3570 from gufe44/net-sockets-fixes-2.7
[Backport 2.7] NetBSD 9.0 build fixes
2020-08-18 09:13:52 +02:00
Manuel Pégourié-Gonnard 52df1cc4f0
Merge pull request #3566 from mpg/improve-ssl-opt-logs-2.7
[Backport 2.7] Improve ssl-opt.sh logs
2020-08-17 12:04:48 +02:00
gufe44 3ca3b9ea88 Fix building on NetBSD 9.0
Fixes #2310

Signed-off-by: gufe44 <gu981@protonmail.com>
2020-08-17 07:14:16 +02:00
Gilles Peskine 126b69aee5
Merge pull request #735 from gilles-peskine-arm/x509parse_crl-empty_entry-2.7
Backport 2.7: Fix buffer overflow in x509_get_entries (oss-fuzz 24123)
2020-08-14 23:22:19 +02:00
Manuel Pégourié-Gonnard 793c4367d7 Remove obsolete buildbot reference in compat.sh
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-14 11:06:12 +02:00
Manuel Pégourié-Gonnard 33659700a3 Fix misuse of printf in shell script
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-14 11:06:12 +02:00
Manuel Pégourié-Gonnard ed0aaf46a9 Fix added proxy command when IPv6 is used
For explicit proxy commands (included with `-p "$P_PXY <args>` in the test
case), it's the test's writer responsibility to handle IPv6; only fix the
proxy command when we're auto-adding it.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-14 11:06:12 +02:00
Manuel Pégourié-Gonnard c5ae9c8532 Simplify test syntax
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-14 11:06:12 +02:00
Manuel Pégourié-Gonnard 57e328e805 Fix logic error in setting client port
We need to do this after we possibly added the proxy.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-14 11:06:08 +02:00
Manuel Pégourié-Gonnard e5201e479a ssl-opt.sh: include test name in log files
This is a convenience for when we get log files from failed CI runs, or attach
them to bug reports, etc.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-14 11:02:55 +02:00