Commit graph

7557 commits

Author SHA1 Message Date
Dave Rodgman 6a6668a944
Merge pull request #4193 from daverodgman/rsa_private_backport_2.7
Backport 2.7: Fix an incorrect error code if RSA private operation glitched
2021-03-04 12:27:42 +00:00
Janos Follath b266edaf2b
Merge pull request #4181 from gilles-peskine-arm/net_poll-fd_setsize-2.7
Backport 2.7: Fix stack corruption in mbedtls_net_poll with large file descriptor
2021-03-04 12:15:42 +00:00
Dave Rodgman aa616ac0e4
Merge pull request #4194 from daverodgman/test_nondet_ecdsa_backport_2.7
Test SSL with non-deterministic ECDSA
2021-03-04 11:30:01 +00:00
Gilles Peskine ea4cc855e2 Test SSL with non-deterministic ECDSA
In component_test_no_hmac_drbg, the fact that HMAC_DRBG is disabled
doesn't affect the SSL code, but the fact that deterministic ECDSA is
disabled does. So run some ECDSA-related SSL tests.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-03 16:43:19 +00:00
Gilles Peskine fc2c79633b Fix an incorrect error code if RSA private operation glitched
mbedtls_rsa_private() could return the sum of two RSA error codes
instead of a valid error code in some rare circumstances:

* If rsa_prepare_blinding() returned  MBEDTLS_ERR_RSA_RNG_FAILED
  (indicating a misbehaving or misconfigured RNG).
* If the comparison with the public value failed (typically indicating
  a glitch attack).

Make sure not to add two high-level error codes.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-03 16:19:09 +00:00
Gilles Peskine 51f5d31635 Update error codes listed in the net_sockets documentation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-03 12:25:06 +01:00
Gilles Peskine f02eeb8762 Fix sloppy wording around stricly less-than vs less or equal
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-03 12:23:27 +01:00
Gilles Peskine 51917a82e8 Document FD_SETSIZE limitation for mbedtls_net_recv_timeout
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-03 12:23:27 +01:00
Gilles Peskine 33d816aff9 Fix stack buffer overflow in net functions with large file descriptor
Fix a stack buffer overflow with mbedtls_net_recv_timeout() when given a
file descriptor that is beyond FD_SETSIZE. The bug was due to not checking
that the file descriptor is within the range of an fd_set object.

Fix #4169

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-03 12:23:27 +01:00
Gilles Peskine 9c1ae18c9c
Merge pull request #4090 from gilles-peskine-arm/test-mutex-usage-count-2.7
Backport 2.7: test and fix mutex usage
2021-02-23 15:14:53 +01:00
Gilles Peskine 2de4691bb0 Make entropy double-free work
Although the library documentation does not guarantee that calling
mbedtls_entropy_free() twice works, it's a plausible assumption and it's
natural to write code that frees an object twice. While this is uncommon for
an entropy context, which is usually a global variable, it came up in our
own unit tests (random_twice tests in test_suite_random in the
development branch).

Announce this in the same changelog entry as for RSA because it's the same
bug in the two modules.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-23 11:28:19 +01:00
Gilles Peskine 9f97f95225 Add init-free tests for entropy
These tests validate that an entropy object can be reused and that
calling mbedtls_entropy_free() twice is ok.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-23 11:25:07 +01:00
Gilles Peskine 58a39e02da Fix typo in documentation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-15 18:21:55 +01:00
Gilles Peskine e8505e37df Document mutex usage for RSA
The mutex is now initialized iff ver != 0.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 16:19:35 +01:00
Gilles Peskine 3be78f318c Changelog entry for RSA mutex usage fix
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 16:19:12 +01:00
Gilles Peskine 22dc2e7a9b Fix mutex leak in RSA
mbedtls_rsa_gen_key() was not freeing the RSA object, and specifically
not freeing the mutex, in some error cases.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine d7e82ad9bf Fix mutex double-free in RSA
When MBEDTLS_THREADING_C is enabled, RSA code protects the use of the
key with a mutex. mbedtls_rsa_free() frees this mutex by calling
mbedtls_mutex_free(). This does not match the usage of
mbedtls_mutex_free(), which in general can only be done once.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine 54e7e2bdc7 Add init-free tests for RSA
These tests are trivial except when compiling with MBEDTLS_THREADING_C
and a mutex implementation that are picky about matching each
mbedtls_mutex_init() with exactly one mbedtls_mutex_free().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine ff754e67ae Add missing cleanup in a test function
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine e525bc830f Changelog entry for DRBG mutex usage fix
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine 94bf03330b Document thread safety for HMAC_DRBG
random(), and only this function, is thread-safe.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine 3ec7f57482 Document mutex invariant for HMAC_DRBG
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine a9857af16a Fix mutex leak in HMAC_DRBG
mbedtls_hmac_drbg_free() left a mutex in the initialized state. This
caused a resource leak on platforms where mbedtls_mutex_init()
allocates resources.

To fix this, mbedtls_hmac_drbg_free() no longer reinitializes the
mutex. To preserve the property that mbedtls_hmac_drbg_free() leaves
the object in an initialized state, which is generally true throughout
the library except regarding mutex objects on some platforms, no
longer initialize the mutex in mbedtls_hmac_drbg_init(). Since the
mutex is only used after seeding, and seeding is only permitted once,
call mbedtls_mutex_init() as part of the seeding process.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine 275598d3fa Document thread safety for CTR_DRBG
random(), and only this function, is thread-safe.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine 6e2cf25639 Document mutex invariant for CTR_DRBG
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine 085b69f8fd Fix mutex leak in CTR_DRBG
mbedtls_ctr_drbg_free() left a mutex in the initialized state. This
caused a resource leak on platforms where mbedtls_mutex_init()
allocates resources.

To fix this, mbedtls_ctr_drbg_free() no longer reinitializes the
mutex. To preserve the property that mbedtls_ctr_drbg_free() leaves
the object in an initialized state, which is generally true throughout
the library except regarding mutex objects on some platforms, no
longer initialize the mutex in mbedtls_ctr_drbg_init(). Since the
mutex is only used after seeding, and seeding is only permitted once,
call mbedtls_mutex_init() as part of the seeding process.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine 5710732145 Explain the usage of is_valid in pthread mutexes
Document the usage inside the library, and relate it with how it's
additionally used in the test code.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine df8db9ace2 Count and report non-freed mutexes
Subtract the number of calls to mbedtls_mutex_free() from the number
of calls to mbedtls_mutex_init(). A mutex leak will manifest as a
positive result at the end of the test case.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:55:15 +01:00
Gilles Peskine 0abb8e4bd8 Detect and report mutex usage errors
If the mutex usage verification framework is enabled and it detects a
mutex usage error, report this error and mark the test as failed.

This detects most usage errors, but not all cases of using
uninitialized memory (which is impossible in full generality) and not
leaks due to missing free (which will be handled in a subsequent commit).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:55:15 +01:00
Gilles Peskine 44498ff9eb Mutex usage testing: set up wrapper functions
When using pthread mutexes (MBEDTLS_THREADING_C and
MBEDTLS_THREADING_PTHREAD enabled), and when test hooks are
enabled (MBEDTLS_TEST_HOOKS), set up wrappers around the
mbedtls_mutex_xxx abstraction. In this commit, the wrapper functions
don't do anything yet.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:55:15 +01:00
Gilles Peskine e137ebce7f Fix off-by-one error in #line directives
The line number is the number of the next line.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:55:15 +01:00
Gilles Peskine da174241b8 Remove reference to a document that doesn't exist in this branch
Don't reference the architecture document. This is an LTS branch and
new invasive tests are only going to be introduced as (perhaps partial
or adapted) backports of invasive tests from development anyway.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:55:15 +01:00
Manuel Pégourié-Gonnard 3ec34a81ee
Merge pull request #4135 from gilles-peskine-arm/ssl-opt-server-failure-2.7
Backport 2.7: ssl-opt.sh: if the server fails, do treat it as a test failure
2021-02-12 12:16:19 +01:00
Gilles Peskine 8607f069e7 ssl-opt.sh: Only check the server exit for Mbed TLS
We care about the exit code of our server, for example if it's
reporting a memory leak after having otherwise executed correctly.

We don't care about the exit code of the servers we're using for
interoperability testing (openssl s_server, gnutls-serv). We assume
that they're working correctly anyway, and they return 1 (gnutls-serv)
or die by the signal handle the signal (openssl) when killed by a
signal.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-10 13:07:05 +01:00
Gilles Peskine 028ca780a8 ssl-opt.sh: if the server fails, do treat it as a test failure
This used to be the case a long time ago but was accidentally broken.

Fix <github:nogrep> #4103 for ssl-opt.sh.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-10 13:06:48 +01:00
Janos Follath b729e4c474
Merge pull request #4099 from d-otte/mbedtls-2.7
Backport 2.7: wrong RSA_PRV_DER_MAX_BYTES for odd MBEDTLS_MPI_MAX_SIZE
2021-02-02 16:14:52 +00:00
Janos Follath ec1909d10b
Merge pull request #4077 from gilles-peskine-arm/mpi_sub_abs-buffer_overflow-2.7
Backport 2.7: Fix buffer overflow in mbedtls_mpi_sub_abs negative case
2021-02-02 13:10:14 +00:00
Daniel Otte b49815a88f adding changelog entry for issue #4093
Signed-off-by: Daniel Otte <d.otte@wut.de>
2021-02-02 12:44:07 +01:00
Daniel Otte 4490fc6a38 adding parentheses to macro definitions, to avoid confusion and possible mistakes in usage.
Signed-off-by: Daniel Otte <d.otte@wut.de>
2021-02-01 18:53:22 +01:00
Daniel Otte f9111bbdd8 avoid errorneous computation of RSA_PRV_DER_MAX_BYTES if MBEDTLS_MPI_MAX_SIZE is odd.
if MBEDTLS_MPI_MAX_SIZE is odd then RSA_PRV_DER_MAX_BYTES will be two less than expected, since the macros are lacking parentheses.


Signed-off-by: Daniel Otte <d.otte@wut.de>
2021-02-01 18:52:36 +01:00
Gilles Peskine 54c3046eea mbedtls_mpi_sub_abs: fix buffer overflow in error case
Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
|A| - |B| where |B| is larger than |A| and has more limbs (so the
function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE).

Fix #4042

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:39:51 +01:00
Gilles Peskine b20bbd1ddc Add mpi_sub_abs negative tests with a larger-in-size second operand
Add test cases for mbedtls_mpi_sub_abs() where the second operand has
more limbs than the first operand (which, if the extra limbs are not
all zero, implies that the function returns
MBEDTLS_ERR_MPI_NEGATIVE_VALUE).

This exposes a buffer overflow (reported in #4042).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:38:23 +01:00
Gilles Peskine 04ea1064a6 Declare MBEDTLS_TEST_HOOKS in config.h
When this option is enabled, the product includes additional
interfaces that enable additional tests. This option should not be
enabled in production, but is included in the "full" build to enable
the extra tests.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-29 19:08:23 +01:00
Gilles Peskine a0d5d77b2d Use $ASAN_FLAGS instead of repeating its contents
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-13 22:24:51 +01:00
Janos Follath 78d9663ace
Merge pull request #788 from ARMmbed/dev/yanesca/mbedtls-2.7.18r0-pr
Prepare Release Candidate for Mbed TLS 2.7.18
2020-12-10 12:53:55 +00:00
Janos Follath 431f42d531 Add missing Changelog entry
Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-12-09 16:46:30 +00:00
Janos Follath bd06112bc2 Finalize ChangeLog
Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-12-09 01:36:05 +00:00
Janos Follath dde20224e6 Bump version to Mbed TLS 2.7.18
Executed ./scripts/bump_version.sh --version 2.7.18

Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-12-09 01:22:11 +00:00
Janos Follath c3ab4053ad Assemble ChangeLog
Executed scripts/assemble_changelog.py.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-12-09 00:34:41 +00:00
Janos Follath baa3f3b377 Fix Changelog format
Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-12-09 00:33:43 +00:00