Commit graph

7035 commits

Author SHA1 Message Date
Janos Follath 1b86eeb06b mpi_lt_mpi_ct perform tests for both limb size
The corner case tests were designed for 32 and 64 bit limbs
independently and performed only on the target platform. On the other
platform they are not corner cases anymore, but we can still exercise
them.
2019-11-11 12:27:36 +00:00
Janos Follath 5823961558 ct_lt_mpi_uint: cast the return value explicitely
The return value is always either one or zero and therefore there is no
risk of losing precision. Some compilers can't deduce this and complain.
2019-11-11 12:27:36 +00:00
Janos Follath 6adff06e50 mbedtls_mpi_lt_mpi_ct: add tests for 32 bit limbs
The corner case tests were designed for 64 bit limbs and failed on 32
bit platforms because the numbers in the test ended up being stored in a
different number of limbs and the function (correctly) returnd an error
upon receiving them.
2019-11-11 12:27:36 +00:00
Janos Follath cff9e6e03d mbedtls_mpi_lt_mpi_ct: simplify condition
In the case of *ret we might need to preserve a 0 value throughout the
loop and therefore we need an extra condition to protect it from being
overwritten.

The value of done is always 1 after *ret has been set and does not need
to be protected from overwriting. Therefore in this case the extra
condition can be removed.
2019-11-11 12:27:36 +00:00
Janos Follath 8ec2a953af Rename variable for better readability 2019-11-11 12:27:36 +00:00
Janos Follath a2b9a96fb8 mbedtls_mpi_lt_mpi_ct: Improve documentation 2019-11-11 12:27:36 +00:00
Janos Follath 51ed14e20f Make mbedtls_mpi_lt_mpi_ct more portable
The code relied on the assumptions that CHAR_BIT is 8 and that unsigned
does not have padding bits.

In the Bignum module we already assume that the sign of an MPI is either
-1 or 1. Using this, we eliminate the above mentioned dependency.
2019-11-11 12:27:36 +00:00
Janos Follath 9741fa6e2b Bignum: Document assumptions about the sign field 2019-11-11 12:27:36 +00:00
Janos Follath 9332ecefc8 Add more tests for mbedtls_mpi_lt_mpi_ct 2019-11-11 12:27:36 +00:00
Janos Follath aaa3f22b76 mpi_lt_mpi_ct test: hardcode base 16 2019-11-11 12:27:36 +00:00
Janos Follath 3173a53fe9 Document ct_lt_mpi_uint 2019-11-11 12:27:36 +00:00
Janos Follath 782cbe592d mpi_lt_mpi_ct: make use of unsigned consistent 2019-11-11 12:27:36 +00:00
Janos Follath db9f449409 ct_lt_mpi_uint: make use of biL 2019-11-11 12:27:36 +00:00
Janos Follath c3b376e2f2 Change mbedtls_mpi_cmp_mpi_ct to check less than
The signature of mbedtls_mpi_cmp_mpi_ct() meant to support using it in
place of mbedtls_mpi_cmp_mpi(). This meant full comparison functionality
and a signed result.

To make the function more universal and friendly to constant time
coding, we change the result type to unsigned. Theoretically, we could
encode the comparison result in an unsigned value, but it would be less
intuitive.

Therefore we won't be able to represent the result as unsigned anymore
and the functionality will be constrained to checking if the first
operand is less than the second. This is sufficient to support the
current use case and to check any relationship between MPIs.

The only drawback is that we need to call the function twice when
checking for equality, but this can be optimised later if an when it is
needed.
2019-11-11 12:27:36 +00:00
Janos Follath 8461c0e2a8 mbedtls_mpi_cmp_mpi_ct: remove multiplications
Multiplication is known to have measurable timing variations based on
the operands. For example it typically is much faster if one of the
operands is zero. Remove them from constant time code.
2019-11-11 12:27:36 +00:00
Janos Follath 8de2d45cd7 Remove excess vertical space 2019-11-11 12:27:36 +00:00
Janos Follath c587a32a9c Remove declaration after statement
Visual Studio 2013 does not like it for some reason.
2019-11-11 12:27:36 +00:00
Janos Follath 5f3019b298 Fix side channel vulnerability in ECDSA 2019-11-11 12:27:36 +00:00
Janos Follath 883801d3ec Add tests to constant time mpi comparison 2019-11-11 12:27:36 +00:00
Janos Follath e0187b95f0 Add new, constant time mpi comparison 2019-11-11 12:27:27 +00:00
Jaeden Amero c87a54683b
Merge pull request #2900 from gilles-peskine-arm/asan-test-fail-2.7
Backport 2.7: Make sure Asan failures are detected in 'make test'
2019-10-22 16:30:37 +01:00
Jaeden Amero cc656ac96b
Merge pull request #2872 from gilles-peskine-arm/test_malloc_0_null-2.7
Backport 2.7: Test the library when malloc(0) returns NULL
2019-10-22 13:41:37 +01:00
Gilles Peskine 5ee14d70d2 'make test' must fail if Asan fails
When running 'make test' with GNU make, if a test suite program
displays "PASSED", this was automatically counted as a pass. This
would in particular count as passing:
* A test suite with the substring "PASSED" in a test description.
* A test suite where all the test cases succeeded, but the final
  cleanup failed, in particular if a sanitizer reported a memory leak.

Use the test executable's return status instead to determine whether
the test suite passed. It's always 0 on PASSED unless the executable's
cleanup code fails, and it's never 0 on any failure.

Fix ARMmbed/mbed-crypto#303
2019-10-21 20:48:51 +02:00
Gilles Peskine 4c2697f43f Asan make builds: avoid sanitizer recovery
Some sanitizers default to displaying an error message and recovering.
This could result in a test being recorded as passing despite a
complaint from the sanitizer. Turn off sanitizer recovery to avoid
this risk.
2019-10-21 20:48:51 +02:00
Gilles Peskine 260921d3f2 Use UBsan in addition to Asan with 'make test'
When building with make with the address sanitizer enabled, also
enable the undefined behavior sanitizer.
2019-10-21 20:48:51 +02:00
Gilles Peskine c20a4053c3 Unify ASan options in make builds
Use a common set of options when building with Asan without CMake.
2019-10-21 20:48:51 +02:00
Jaeden Amero 395d8c1222 Merge remote-tracking branch 'origin/pr/2878' into mbedtls-2.7
* origin/pr/2878:
  mbedtls_hmac_drbg_set_entropy_len() only matters when reseeding
  mbedtls_ctr_drbg_set_entropy_len() only matters when reseeding
  mbedtls_ctr_drbg_seed: correct maximum for len
  Add a note about CTR_DRBG security strength to config.h
  CTR_DRBG: more consistent formatting and wording
  DRBG documentation: Relate f_entropy arguments to the entropy module
  Add ChangeLog entry for the DRBG documentation improvements
  HMAC_DRBG documentation improvements
  CTR_DRBG: explain the security strength and the entropy input length
  CTR_DRBG documentation improvements
2019-10-18 14:21:49 +01:00
Gilles Peskine 55e120b9b2 mbedtls_hmac_drbg_set_entropy_len() only matters when reseeding
The documentation of HMAC_DRBG erroneously claimed that
mbedtls_hmac_drbg_set_entropy_len() had an impact on the initial
seeding. This is in fact not the case: mbedtls_hmac_drbg_seed() forces
the entropy length to its chosen value. Fix the documentation.
2019-10-04 18:30:56 +02:00
Gilles Peskine dff3682477 mbedtls_ctr_drbg_set_entropy_len() only matters when reseeding
The documentation of CTR_DRBG erroneously claimed that
mbedtls_ctr_drbg_set_entropy_len() had an impact on the initial
seeding. This is in fact not the case: mbedtls_ctr_drbg_seed() forces
the initial seeding to grab MBEDTLS_CTR_DRBG_ENTROPY_LEN bytes of
entropy. Fix the documentation and rewrite the discussion of the
entropy length and the security strength accordingly.
2019-10-04 18:30:56 +02:00
Gilles Peskine 2abefefec2 mbedtls_ctr_drbg_seed: correct maximum for len 2019-10-04 18:27:28 +02:00
Gilles Peskine 406d25878c Add a note about CTR_DRBG security strength to config.h 2019-10-03 15:03:11 +02:00
Gilles Peskine f0b3dcb14b CTR_DRBG: more consistent formatting and wording
In particular, don't use #MBEDTLS_xxx on macros that are undefined in
some configurations, since this would be typeset with a literal '#'.
2019-10-03 15:03:08 +02:00
Gilles Peskine b9cfe58180 DRBG documentation: Relate f_entropy arguments to the entropy module 2019-10-02 19:00:57 +02:00
Gilles Peskine 97edf5e1e2 Add ChangeLog entry for the DRBG documentation improvements 2019-10-02 19:00:29 +02:00
Jaeden Amero 5cc748e58f Merge remote-tracking branch 'origin/pr/2866' into mbedtls-2.7
* origin/pr/2866:
  Reduce stack usage of test_suite_pkcs1_v15
  Reduce stack usage of test_suite_pkcs1_v21
  Reduce stack usage of test_suite_rsa
  Reduce stack usage of test_suite_pk
2019-10-02 18:00:13 +01:00
Gilles Peskine d89173066c HMAC_DRBG documentation improvements
* State explicit whether several numbers are in bits or bytes.
* Clarify whether buffer pointer parameters can be NULL.
* Minor wording and formatting improvements.
2019-10-02 19:00:06 +02:00
Jaeden Amero 2fc6cf5da7 Merge remote-tracking branch 'origin/pr/2704' into mbedtls-2.7
* origin/pr/2704:
  Adapt auth_crypt_tv usage to 2.7
  Add missing dependencies in test_suite_cipher.gcm
  Adapt ChangeLog
  Add NIST AES GCM test vectors to single-step cipher API test suite
2019-10-02 17:56:38 +01:00
Gilles Peskine eb99c1028f CTR_DRBG: explain the security strength and the entropy input length
Explain what how entropy input length is determined from the
configuration, and how this in turn determines the security strength.
Explain how the nonce is obtained during initialization.
2019-10-02 18:56:17 +02:00
Gilles Peskine 25e1945321 CTR_DRBG documentation improvements
* State explicit whether several numbers are in bits or bytes.
* Clarify whether buffer pointer parameters can be NULL.
* Clarify some terminology.
* Minor wording and formatting improvements.
2019-10-02 18:54:20 +02:00
Ron Eldor 0ab4092e2d Reduce stack usage of test_suite_pkcs1_v15
Reduce the stack usage of the `test_suite_pkcs1_v15` by reducing the
size of the buffers used in the tests, to a reasonable big enough size.
2019-10-02 14:34:24 +03:00
Ron Eldor dd4277f70d Reduce stack usage of test_suite_pkcs1_v21
Reduce the stack usage of the `test_suite_pkcs1_v21` by reducing the
size of the buffers used in the tests, to a reasonable big enough size,
and change the size sent to the API to sizeof output.
2019-10-02 14:34:24 +03:00
Ron Eldor b3d3973264 Reduce stack usage of test_suite_rsa
Reduce the stack usage of the `test_suite_rsa` by reducing the
size of the buffers used in the tests, to a reasonable big enough size,
and change the data size to decrypt in the data file.
2019-10-02 14:34:24 +03:00
Ron Eldor 6827d1c588 Reduce stack usage of test_suite_pk
Reduce the stack usage of the `test_suite_pk` by reducing the
size of the buffers used in the tests, to a reasonable big enough size.
2019-10-02 14:34:17 +03:00
Gilles Peskine 0981a5d7ab Add a test component with malloc(0) returning NULL
Exercise the library functions with calloc returning NULL for a size
of 0. Make this a separate job with UBSan (and ASan) to detect
places where we try to dereference the result of calloc(0) or to do
things like

    buf = calloc(size, 1);
    if (buf == NULL && size != 0) return INSUFFICIENT_MEMORY;
    memcpy(buf, source, size);

which has undefined behavior when buf is NULL at the memcpy call even
if size is 0.

This is needed because other test components jobs either use the system
malloc which returns non-NULL on Linux and FreeBSD, or the
memory_buffer_alloc malloc which returns NULL but does not give as
useful feedback with ASan (because the whole heap is a single C
object).
2019-09-30 14:01:37 +02:00
Gilles Peskine ea5d3571b0 Add a calloc self-test
Add a very basic test of calloc to the selftest program. The selftest
program acts in its capacity as a platform compatibility checker rather
than in its capacity as a test of the library.

The main objective is to report whether calloc returns NULL for a size
of 0. Also observe whether a free/alloc sequence returns the address
that was just freed and whether a size overflow is properly detected.
2019-09-30 13:59:47 +02:00
Jaeden Amero d28b9b3c5d Merge remote-tracking branch 'origin/pr/2828' into mbedtls-2.7
* origin/pr/2828:
  Enable MBEDTLS_MEMORY_DEBUG in memory buffer alloc test in all.sh
  Remove unnecessary memory buffer alloc unsets
  Disable DTLS proxy tests for MEMORY_BUFFER_ALLOC test
  all.sh: restructure memory allocator tests
  Add missing dependency in memory buffer alloc set in all.sh
  Don't set MBEDTLS_MEMORY_DEBUG through `scripts/config.pl full`
  Add cfg dep MBEDTLS_MEMORY_DEBUG->MBEDTLS_MEMORY_BUFFER_ALLOC_C
  Add all.sh run with full config and ASan enabled
  Add all.sh run with MBEDTLS_MEMORY_BUFFER_ALLOC_C enabled
  Update documentation of exceptions for `config.pl full`
  Adapt all.sh to removal of buffer allocator from full config
  Disable memory buffer allocator in full config
  Check dependencies of MBEDTLS_MEMORY_BACKTRACE in check_config.h
2019-09-12 16:46:11 +01:00
Andrzej Kurek 9b1c248209 Enable MBEDTLS_MEMORY_DEBUG in memory buffer alloc test in all.sh 2019-09-10 02:58:34 -04:00
Andrzej Kurek 7eb7f8db8b Remove unnecessary memory buffer alloc unsets
This define is turned off by default
2019-09-09 07:32:48 -04:00
Andrzej Kurek 6addfdd190 Disable DTLS proxy tests for MEMORY_BUFFER_ALLOC test 2019-09-09 07:22:13 -04:00
Andrzej Kurek 9a461a1cd7 all.sh: restructure memory allocator tests
Run basic tests and ssl-opt with memory backtrace disabled, then
run basic tests only with it enabled.
2019-09-09 07:22:03 -04:00