Commit graph

8075 commits

Author SHA1 Message Date
Hanno Becker 938f9e9bdb Undo deprecation of MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH
Merging MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH and
MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH is an API break.
2018-12-18 09:50:57 +00:00
Hanno Becker 9dbefa1793 Fix conflict between constant deprecation and check-names.sh
The previous introduction of constant deprecation macros
in platform_util.h lead to failure of tests/scrips/check-names.sh
because the regular expressions in the latter choked on the brackets
in the part `__attribute__((deprecated))` of the definition of the
helper type `mbedtls_deprecated_{numeric|string}_constant_t`.

Postponing any further study and potential robustness improvements
in check-names.sh to another time, this commit circumvents this
problem by temporarily abbreviating  `__attribute__((deprecated))`
as `MBEDTLS_DEPRECATED`, which doesn't lead to problems with
check-names.sh.
2018-12-17 22:49:13 +00:00
Hanno Becker 4fb258a868 Remove mentioning of deprecated error codes 2018-12-17 16:09:15 +00:00
Hanno Becker 3214215b1e Update errors.c 2018-12-17 13:26:42 +00:00
Hanno Becker d2f3a00062 Introduce single BLOWFISH error code for bad input data
Deprecate the old specific error codes
* MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH
* MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH
2018-12-17 13:26:37 +00:00
Hanno Becker 4c029d09be Introduce single CAMELLIA error code for bad input data
Deprecate the old specific error codes
* MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH
* MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH
2018-12-17 13:26:33 +00:00
Hanno Becker 2f47550018 Introduce single ARIA error code for bad input data
Deprecate the old specific error codes
* MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH
* MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH
2018-12-17 13:26:28 +00:00
Hanno Becker 6d0816a8ae Introduce macros to deprecate constants in the API
This commit introduces macros

* MBEDTLS_DEPRECATED_STRING_CONSTANT
* MBEDTLS_DEPRECATED_NUMERIC_CONSTANT

to platform_util.h which can be used to deprecate public macro constants.

Their definition is essentially taken from dhm.h where the
MBEDTLS_DEPRECATED_STRING_CONSTANT was used to deprecate
insecure hardcoded DHM primes.
2018-12-17 11:39:38 +00:00
Jaeden Amero 8ef1f48a52 Merge remote-tracking branch 'upstream-public/pr/2219' into development 2018-12-06 16:16:36 +00:00
Jaeden Amero 28efba0874 Merge remote-tracking branch 'upstream-public/pr/2218' into development 2018-12-06 16:15:01 +00:00
Jaeden Amero e1b1a2c979 Merge remote-tracking branch 'upstream-public/pr/2181' into development 2018-12-06 16:11:49 +00:00
Jaeden Amero 9055a7d855 Merge remote-tracking branch 'upstream-public/pr/2175' into development 2018-12-06 16:09:58 +00:00
Jaeden Amero 3c0941ec64 Merge remote-tracking branch 'upstream-public/pr/2172' into development 2018-12-06 16:09:08 +00:00
Jaeden Amero 5b46fe774b Merge remote-tracking branch 'upstream-public/pr/2157' into development 2018-12-06 16:06:57 +00:00
Jaeden Amero bc1cf5cd36 Merge remote-tracking branch 'upstream-public/pr/2131' into development 2018-12-06 16:04:55 +00:00
Jaeden Amero a04617ec18 Merge remote-tracking branch 'upstream-public/pr/2125' into development 2018-12-06 16:02:31 +00:00
Jaeden Amero c27e3420b9 Merge remote-tracking branch 'upstream-public/pr/2117' into development 2018-12-06 15:59:32 +00:00
Jaeden Amero 083681c832 Merge remote-tracking branch 'upstream-public/pr/2039' into development 2018-12-06 15:55:34 +00:00
Jaeden Amero 833c053b71 Merge remote-tracking branch 'upstream-public/pr/1982' into development 2018-12-06 15:54:21 +00:00
Jaeden Amero 41722ec29e Merge remote-tracking branch 'upstream-public/pr/1958' into development 2018-12-06 15:53:56 +00:00
Jaeden Amero 643e0027d6 Merge remote-tracking branch 'upstream-public/pr/1548' into development 2018-12-06 15:51:29 +00:00
Janos Follath c3b680b028 Clarify requirements on handling ECP group IDs 2018-12-06 12:24:04 +00:00
Janos Follath b8f27060e0 Add Changelog entry for the new ECDH context 2018-12-06 12:22:46 +00:00
Janos Follath 36c5f7fe9b ECDH: Hide context from tests
The tests for the ECDH key exchange that use the context accessed it
directly. This can't work with the new context, where we can't make any
assumptions about the implementation of the context. This commit works
around this problem and comes with the cost of allocating an extra
structures on the stack when executing the test.

One of the tests is testing an older interface for the sake of backward
compatibility. The new ECDH context is not backward compatible and this
test doesn't make any sense for it, therefore we skip this test in
non-legacy mode.
2018-12-06 12:22:46 +00:00
Janos Follath 3fbdadad7b SSL: Make use of the new ECDH interface
The SSL module accesses ECDH context members directly. This can't work
with the new context, where we can't make any assumption about the
implementation of the context.

This commit makes use of the new functions to avoid accessing ECDH
members directly. The only members that are still accessed directly are
the group ID and the point format and they are independent from the
implementation.
2018-12-06 12:22:46 +00:00
Janos Follath 948f4bedcc Debug: Add functions for ECDH contexts
The SSL module accesses ECDH context members directly to print debug
information. This can't work with the new context, where we can't make
assumptions about the implementation of the context. This commit adds
new debug functions to complete the encapsulation of the ECDH context
and work around the problem.
2018-12-06 12:22:46 +00:00
Janos Follath 5a3e1bfda0 ECDH: Make the implementation use the new context
The functionality from public API functions are moved to
`xxx_internal()` functions. The public API functions are modified to do
basic parameter validation and dispatch the call to the right
implementation.

There is no intended change in behaviour when
`MBEDTLS_ECDH_LEGACY_CONTEXT` is enabled.
2018-12-06 12:22:18 +00:00
Simon Butcher fabc6001ff Clarify attribution for the Bleichenbacher's Cat fix 2018-12-01 22:43:08 +00:00
Janos Follath 52735ef2fe ECDH: Prevent direct access in non-legacy mode
Some sample programs access structure fields directly. Making these work is
desirable in the long term, but these are not essential for the core
functionality in non-legacy mode.
2018-11-30 14:21:35 +00:00
Janos Follath c9c32f3f63 ECDH: Add flexible context and legacy flag
We want to support alternative software implementations and we extend
the ECDH context to enable this. The actual functional change that makes
use of the new context is out of scope for this commit.

Changing the context breaks the API and therefore it has to be
excluded from the default configuration by a compile time flag.
We add the compile time flag to the module header instead of
`config.h`, because this is not a standalone feature, it only
enables adding new implementations in the future.

The new context features a union of the individual implementations
and a selector that chooses the implementation in use. An alternative
is to use an opaque context and function pointers, like for example the
PK module does it, but it is more dangerous, error prone and tedious to
implement.

We leave the group ID and the point format at the top level of the
structure, because they are very simple and adding an abstraction
layer around them away does not come with any obvious benefit.

Other alternatives considered:

- Using the module level replacement mechanism in the ECP module. This
would have made the use of the replacement feature more difficult and
the benefit limited.
- Replacing our Montgomery implementations with a new one directly. This
would have prevented using Montgomery curves across implementations.
(For example use implementation A for Curve448 and implementation B for
Curve22519.) Also it would have been inflexible and limited to
Montgomery curves.
- Encoding the implementation selector and the alternative context in
`mbedtls_ecp_point` somehow and rewriting `mbedtls_ecp_mul()` to
dispatch between implementations. This would have been a dangerous and
ugly hack, and very likely to break legacy applications.
- Same as above just with hardcoding the selector and using a compile
time option to make the selection. Rejected for the same reasons as
above.
- Using the PK module to provide to provide an entry point for
alternative implementations. Like most of the above options this
wouldn't have come with a new compile time option, but conceptually
would have been very out of place and would have meant much more work to
complete the abstraction around the context.

In retrospect:

- We could have used the group ID as the selector, but this would have
made the code less flexible and only marginally simpler. On the other
hand it would have allowed to get rid of the compile time option if a
tight integration of the alternative is possible. (It does not seem
possible at this point.)
- We could have used the same approach we do in this commit to the
`mbedtls_ecp_point` structure. Completing the abstraction around this
structure would have been a much bigger and much riskier code change
with increase in memory footprint, potential decrease in performance
and no immediate benefit.
2018-11-30 14:21:35 +00:00
Janos Follath fc03e8dfa9 ECDH: Adapt tests for mbedtls_ecdh_setup()
The recently added `mbedtls_ecdh_setup()` function is not used in the
tests yet. This commit adapts the tests to the new workflow.

Having done that, the old lifecycle is not tested anymore, so we add a
new test to ensure backward compatibility.
2018-11-30 14:09:57 +00:00
Janos Follath f61e486179 ECDH: Add mbedtls_ecdh_setup()
In the future we want to support alternative ECDH implementations. We
can't make assumptions about the structure of the context they might
use, and therefore shouldn't access the members of
`mbedtls_ecdh_context`.

Currently the lifecycle of the context can't be done without direct
manipulation. This commit adds `mbedtls_ecdh_setup()` to complete
covering the context lifecycle with functions.
2018-11-30 14:09:57 +00:00
Janos Follath 89ac8c9266 ECP: Add mbedtls_ecp_tls_read_group_id()
`mbedtls_ecp_tls_read_group()` both parses the group ID and loads the
group into the structure provided. We want to support alternative
implementations of ECDH in the future and for that we need to parse the
group ID without populating an `mbedtls_ecp_group` structure (because
alternative implementations might not use that).

This commit moves the part that parses the group ID to a new function.
There is no need to test the new function directly, because the tests
for `mbedtls_ecp_tls_read_group()` are already implicitly testing it.

There is no intended change in behaviour in this commit.
2018-11-30 14:09:57 +00:00
Simon Butcher 51b8a2fa87 Merge remote-tracking branch 'restricted/pr/512' into development 2018-11-29 16:56:02 +00:00
Simon Butcher b9eb7866eb Merge remote-tracking branch 'restricted/pr/535' into development 2018-11-29 16:54:51 +00:00
Simon Butcher 658618b6b2 Merge remote-tracking branch 'restricted/pr/516' into development 2018-11-29 16:53:51 +00:00
Gilles Peskine 50da016e5c Add changelog entry for mbedtls_mpi_write_binary fix 2018-11-29 12:46:05 +01:00
Gilles Peskine 056f19c79f Tweak RSA vulnerability changelog entry
* Correct the list of authors.
* Add the CVE number.
* Improve the impact description.
2018-11-29 12:45:01 +01:00
Gilles Peskine c4a8017e3e mbedtls_ctr_drbg_update_ret: correct doc for input length limit
Unlike mbedtls_ctr_drbg_update, this function returns an error if the
length limit is exceeded, rather than silently truncating the input.
2018-11-26 19:26:22 +01:00
Gilles Peskine 5da0505842 Add ChangeLog entry for deprecation of mbedtls_xxx_drbg_update
Fixes ARMmbed/mbedtls#1798
2018-11-26 19:26:22 +01:00
Gilles Peskine 8220466297 Streamline mbedtls_xxx_drbg_update_seed_file
Refactor mbedtls_ctr_drbg_update_seed_file and
mbedtls_hmac_drbg_update_seed_file to make the error logic clearer.

The new code does not use fseek, so it works with non-seekable files.
2018-11-26 19:26:22 +01:00
Gilles Peskine b7f71c8bc1 HMAC_DRBG: report all errors from HMAC functions
Make sure that any error from mbedtls_md_hmac_xxx is propagated.
2018-11-26 19:26:22 +01:00
Gilles Peskine e0e9c573ad HMAC_DRBG: deprecate mbedtls_hmac_drbg_update because it ignores errors
Deprecate mbedtls_hmac_drbg_update (which returns void) in favor of a
new function mbedtls_hmac_drbg_update_ret which reports error.
2018-11-26 19:26:21 +01:00
Gilles Peskine d919993b76 CTR_DRBG: deprecate mbedtls_ctr_drbg_update because it ignores errors
Deprecate mbedtls_ctr_drbg_update (which returns void) in favor of a
new function mbedtls_ctr_drbg_update_ret which reports error.
2018-11-26 19:26:00 +01:00
Gilles Peskine 1b09f4027e Add ChangeLog entry for wiping sensitive buffers 2018-11-26 16:19:22 +01:00
Gilles Peskine afa803775a HMAC_DRBG: clean stack buffers
Wipe stack buffers that may contain sensitive data (data that
contributes to the DRBG state.
2018-11-26 15:47:14 +01:00
Gilles Peskine d9aa84dc0d CTR_DRBG: clean stack buffers
Wipe stack buffers that may contain sensitive data (data that
contributes to the DRBG state.
2018-11-26 15:47:14 +01:00
Gilles Peskine c117d5928c check-files: detect merge artifacts
Detect Git merge artifacts. These are lines starting with "<<<<<<",
"|||||||" or ">>>>>>>" followed by a space, or containing just
"=======". For "=======", exempt Markdown files, because this can be
used to underline a title, as a compromise between false negatives and
false positives.
2018-11-23 21:11:52 +01:00
Gilles Peskine 043980585c Factor record_issue into its own method 2018-11-23 21:11:30 +01:00
Simon Butcher 3459c749fb Create a block list for Travis CI, and fix the Coverity email 2018-11-22 10:14:03 +00:00