Commit graph

7557 commits

Author SHA1 Message Date
Janos Follath 3c463b51d0 Merge branch 'mbedtls-2.7-restricted' into mbedtls-2.7.18r0-pr 2020-12-08 21:00:50 +00:00
Gilles Peskine dcba585f54
Merge pull request #3945 from paul-elliott-arm/fix_pem_write_2_7
Backport 2.7: Add tests for buffer corruption after PEM write
2020-12-08 12:31:52 +01:00
Paul Elliott 102bac7a46 Add tests for buffer corruption after PEM write
Zero remaining bytes in buffer after writing PEM data and add checks to
ensure that this is the case.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2020-12-07 16:49:30 +00:00
Ronald Cron 8e556f8f9a
Merge pull request #3937 from geecrypt/mbedtls-2.7
Backport to Mbedtls 2.7: Support set *_drbg reseed interval before seed
2020-12-07 14:30:04 +01:00
Gilles Peskine 5b1cb8873d
Merge pull request #3725 from gilles-peskine-arm/ecp-bignum-error-checks-2.7
Backport 2.7: add missing some error checks in ECP and bignum
2020-12-07 13:06:36 +01:00
Janos Follath 0805cb2f52
Merge pull request #783 from chris-jones-arm/mbedtls-2.7-restricted
[Backport 2.7] Fix Diffie-Hellman large key size DoS
2020-12-07 09:27:32 +00:00
gacquroff 57f1f9b963 Add changelog entry file for bugfix 2927
Signed-off-by: gacquroff <gavina352@gmail.com>
2020-12-03 13:10:24 -08:00
Gavin Acquroff ceb9990a69 Support set *_drbg reseed interval before seed
mbedtls_ctr_drbg_set_reseed_interval() and
mbedtls_hmac_drbg_set_reseed_interval() can now be called before
their seed functions and the reseed_interval value will persist.
Previously it would be overwritten with the default value.

*_drbg_reseed_interval is now set in init() and free().

mbedtls_ctr_drbg_free() and mbedtls_hmac_drbg_free() now
reset the drbg context to the state immediately after init().

Tests:
- Added test to check that DRBG reseeds when reseed_counter
reaches reseed_interval, if reseed_interval set before seed
and reseed_interval is less than MBEDTLS_*_DRBG_RESEED_INTERVAL.

Signed-off-by: gacquroff <gavina352@gmail.com>
2020-12-03 13:08:37 -08:00
Chris Jones 43e7acd3b4 Fix exponentiation tests with MBEDTLS_MPI_MAX_BITS larger than 256
Fixes an issue where configs that had `MBEDTLS_MPI_MAX_BITS` greater than 256
but smaller than the test that was running (792 bits) the test would fail
incorrectly.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 17:44:03 +00:00
Chris Jones ede3addc17 Fix test_suite_dhm build
Fix build as the name of the random function changed from development to 2.7.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 17:33:55 +00:00
Chris Jones 419c104610 Fix whitespace in changelog entry
Extra whitespace and a missing newline at end of file was causing an error with
`check_files.py`.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 17:11:26 +00:00
Chris Jones 942774eb52 Move dependancy to specific test cases
Move dependancy on `MBEDTLS_MPI_MAX_BITS` to apply to the specific test cases
which will break when `MBEDTLS_MPI_MAX_BITS` is too small. This re-enables
previous tests that were turned off accidentally.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 17:11:22 +00:00
Chris Jones d6e113fcbe Fix broken testing on numbers that may be greater than MPI_MAX_SIZE
Previously `mbedtls_mpi_exp_mod` was tested with values that were over
`MBEDTLS_MPI_MAX_SIZE` in size. This is useful to do as some paths are only
taken when the exponent is large enough however, on builds where
`MBEDTLS_MPI_MAX_SIZE` is under the size of these test values.

This fix turns off these tests when `MBEDTLS_MPI_MAX_SIZE` is too small to
safely test (notably this is the case in config-thread.h).

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 17:08:03 +00:00
Chris Jones 263320505b Fix cases where exponentiation was not fully tested
In two test cases, the exponentiation computation was not being fully tested
as when A_bytes (the base) == N_bytes (the modulus) -> A = N. When this is the
case A is reduced to 0 and therefore the result of the computation will always
be 0.

This fixes that issue and therefore increases the test coverage to ensure
different computations are actually being run.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 17:05:26 +00:00
Chris Jones 2f7d147dc8 Reword test cases
Reword test cases to be easier to read and understand.
Adds comments to better explain what the test is doing.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 17:05:26 +00:00
Chris Jones 2facdeeadf Extend exponentiation test coverage
Add two further boundary tests for cases where both the exponent and modulus to
`mbedtls_mpi_exp_mod()` are `MBEDTLS_MPI_MAX_SIZE`, or longer, bytes long.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 17:05:26 +00:00
Chris Jones 65ad4cff7b Test that overly large Diffie-Hellman keys are rejected
Adds test cases to ensure that `mbedtls_mpi_exp_mod` will return an error with
an exponent or modulus that is greater than `MBEDTLS_MPI_MAX_SIZE` in size.

Adds test cases to ensure that Diffie-Hellman will fail to make a key pair
(using `mbedtls_dhm_make_public`) when the prime modulus is greater than
`MBEDTLS_MPI_MAX_SIZE` in size.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 17:05:23 +00:00
Chris Jones 303e2f47d4 Add ChangeLog entry for modular exponentiation size limit
Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 16:59:21 +00:00
Chris Jones 8c650f985d Test that overly large Diffie-Hellman keys are rejected
Add a test case to ensure `mbedtls_mpi_exp_mod` fails when using a key size
larger than MBEDTLS_MPI_MAX_SIZE.
Add a test case to ensure that Diffie-Hellman operations fail when using a key
size larger than MBEDTLS_MPI_MAX_SIZE.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 16:59:17 +00:00
Chris Jones 8b1f65ea00 Fix potential DoS by limiting number sizes in exponentiation
Check that the exponent and modulus is below `MBEDTLS_MPI_MAX_BITS` before
performing a time expensive operation (modular exponentiation). This prevents
a potential DoS from Diffie-Hellman computations with extremely
large key sizes.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 16:56:50 +00:00
Gilles Peskine 45951ef2b6
Merge pull request #780 from paul-elliott-arm/discrepancy_cert_2_7
Backport 2.7: Add missing tag check to signature check on certificate load
2020-12-03 12:19:36 +01:00
Paul Elliott 5af02ce55b Add tag check to cert algorithm check
Add missing tag check for algorithm parameters when comparing the
signature in the description part of the cert against the actual
signature whilst loading a certificate. This was found by a
certificate (created by fuzzing) that openssl would not verify, but
mbedtls would.

Regression test added (one of the client certs modified accordingly)

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2020-12-02 15:56:03 +00:00
Gilles Peskine 6f714e54f6
Merge pull request #3926 from rodrigo-dc/mbedtls-2.7
Backport 2.7: Fix build failure on gcc-11
2020-12-01 13:26:20 +01:00
Gilles Peskine 1a57cb72b0
Merge pull request #770 from gilles-peskine-arm/mpi_fill_random-rng_failure-2.7
Backport 2.7: Handle RNG failure in mbedtls_mpi_fill_random
2020-11-30 18:02:02 +01:00
Rodrigo Dias Correa 9c7e92b5db Move declaration to fix C90 warning
"declaration-after-statement" was generated because that code was
backported from the development branch, which currently uses C99.

Signed-off-by: Rodrigo Dias Correa <rodrigo@correas.us>
2020-11-29 14:45:10 -03:00
Rodrigo Dias Correa f75fbab19f Change function casting in ssl_calc_finished_tls_sha384
`finish_sha384_t` was made more generic by using `unsigned char*`
instead of `unsigned char[48]` as the second parameter.
This change tries to make the function casting more robust against
future improvements of gcc analysis.

Signed-off-by: Rodrigo Dias Correa <rodrigo@correas.us>
2020-11-29 14:44:41 -03:00
Rodrigo Dias Correa d7853a847d Fix GCC warning in ssl_calc_finished_tls_sha384
This commit fixes the same warning fixed by baeedbf9, but without
wasting RAM. By casting `mbedtls_sha512_finish_ret()`, `padbuf`
could be kept 48 bytes long without triggering any warnings.

Signed-off-by: Rodrigo Dias Correa <rodrigo@correas.us>
2020-11-29 14:44:27 -03:00
Rodrigo Dias Correa ddcc0b7982 Add changelog entry file to ChangeLog.d
Signed-off-by: Rodrigo Dias Correa <rodrigo@correas.us>
2020-11-29 14:44:06 -03:00
Rodrigo Dias Correa 34018bef3d Fix GCC warning in ssl_calc_finished_tls_sha384
GCC 11 generated a warning because `padbuf` was too small to be
used as an argument for `mbedtls_sha512_finish_ret`. The `output`
parameter of `mbedtls_sha512_finish_ret` has the type
`unsigned char[64]`, but `padbuf` was only 48 bytes long.

Even though `ssl_calc_finished_tls_sha384` uses only 48 bytes for
the hash output, the size of `padbuf` was increased to 64 bytes.

Signed-off-by: Rodrigo Dias Correa <rodrigo@correas.us>
2020-11-29 14:43:45 -03:00
Rodrigo Dias Correa 5fb1bd487d Fix GCC warning about test_snprintf
GCC 11 generated the warnings because the parameter `ret_buf`
was declared as `const char[10]`, but some of the arguments
provided in `run_test_snprintf` are shorter literals, like "".

Now the type of `ret_buf` is `const char *`.
Both implementations of `test_snprintf` were fixed.

Signed-off-by: Rodrigo Dias Correa <rodrigo@correas.us>
2020-11-29 14:42:58 -03:00
Rodrigo Dias Correa 375366a197 Fix mismatched function parameters (prototype/definition)
In GCC 11, parameters declared as arrays in function prototypes
cannot be declared as pointers in the function definition. The
same is true for the other way around.

The definition of `mbedtls_aes_cmac_prf_128` was changed to match
its public prototype in `cmac.h`. The type `output` was
`unsigned char *`, now is `unsigned char [16]`.

In `ssl_tls.c`, all the `ssl_calc_verify_*` variants now use pointers
for the output `hash` parameter. The array parameters were removed
because those functions must be compatible with the function pointer
`calc_verify` (defined in `ssl_internal.h`).

Signed-off-by: Rodrigo Dias Correa <rodrigo@correas.us>
2020-11-29 08:09:58 -03:00
Rodrigo Dias Correa d103823ba2 Fix build failure on gcc-11
Function prototypes changed to use array parameters instead of
pointers.

Signed-off-by: Rodrigo Dias Correa <rodrigo@correas.us>
2020-11-29 08:09:28 -03:00
Ronald Cron 6dd49753e4
Merge pull request #3920 from gilles-peskine-arm/sha512-doc-internal-fix-2.7
Backport 2.7: Move "internal use" sentence attached to the wrong function
2020-11-27 08:52:58 +01:00
Gilles Peskine 785af305fe Move "internal use" sentence attached to the wrong function
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-26 19:33:51 +01:00
Gilles Peskine c0a5b254e7 Test mbedtls_mpi_fill_random
Positive tests: test that the RNG has the expected size, given that we
know how many leading zeros it has because we know how the function
consumes bytes and when the test RNG produces null bytes.

Negative tests: test that if the RNG is willing to emit less than the
number of wanted bytes, the function fails.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-25 17:35:36 +01:00
Ronald Cron 06e838b44d
Merge pull request #3870 from gilles-peskine-arm/cscope-make-2.7
Backport 2.7: Add makefile target for cscope.out + .gitignore
2020-11-20 16:50:31 +01:00
Gilles Peskine 015356f8b7 Add abstract target names for index generation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-20 12:05:08 +01:00
Gilles Peskine 1562d9c297
Merge pull request #3894 from maroneze/mbedtls-2.7
Backport 2.7: Fix use of uinitialized memory in ssl_parse_encrypted_pms
2020-11-18 18:40:56 +01:00
André Maroneze 9fc67f0e14 Backport 2.7: Fix use of uinitialized memory in ssl_parse_encrypted_pms
Signed-off-by: André Maroneze <maroneze@users.noreply.github.com>
2020-11-18 14:27:02 +01:00
Gilles Peskine a337176b42
Merge pull request #3888 from gilles-peskine-arm/error-include-string-2.7
Backport 2.7: Fix several configuration-related issues
2020-11-17 20:32:57 +01:00
Gilles Peskine d754c8bad6 Add a build with MBEDTLS_ERROR_STRERROR_DUMMY
Add a build with MBEDTLS_ERROR_STRERROR_DUMMY but not MBEDTLS_ERROR_C.
Previously, both options were enabled by default, but
MBEDTLS_ERROR_STRERROR_DUMMY only matters when MBEDTLS_ERROR_C is
enabled, so its effect was not tested.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-16 16:13:13 +01:00
Gilles Peskine 1eb2a9582d Add missing config from test-ref-configs.pl
The sample configuration file config-no-entropy.h was not being tested.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-16 16:13:13 +01:00
Gilles Peskine 8305b5e936 Sort entries to make it easier to eyeball the list
No semantic change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-16 16:12:47 +01:00
Gilles Peskine 4159c7154c Simplify conditional guards in error.c
Simplify the guards on MBEDTLS_ERROR_C and MBEDTLS_ERROR_STRERROR_DUMMY.

No longer include superfluous headers and definition: string.h and
platform.h are only needed for MBEDTLS_ERROR_C; time_t is not needed
at all.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-16 16:09:41 +01:00
Gilles Peskine 3335e9f718 Ignore cscope index
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-09 21:28:56 +01:00
Gilles Peskine 53f74d0f86 Add a target for the cscope index
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-09 21:28:51 +01:00
Gilles Peskine 2d847a5e07
Merge pull request #3862 from bensze01/ecb_iv_fix-2.7
Backport 2.7: Do not set IV size for ECB mode ciphers
2020-11-06 18:00:40 +01:00
Bence Szépkúti b4756c2e20 Do not set IV size for ECB mode ciphers
ECB mode ciphers do not use IVs

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-11-06 15:40:25 +01:00
Gilles Peskine a9fd4fc550
Merge pull request #3813 from ronald-cron-arm/aes-zeroize-less-2.7
Backport 2.7: Remove a useless zeroization
2020-11-04 23:43:30 +01:00
Ronald Cron c9e20a05a5
Merge pull request #3829 from gilles-peskine-arm/ssl-opt-gnutls-printf-2.7
Backport 2.7: Fix printf escape errors in shell scripts
2020-11-04 17:51:49 +01:00