Commit graph

13706 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard 6240defd17 Add MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
This option allows to test the constant-flow nature of selected code, using
MemSan and the fundamental observation behind ctgrind that the set of
operations allowed on undefined memory by dynamic analysers is the same as the
set of operations allowed on secret data to avoid leaking it to a local
attacker via side channels, namely, any operation except branching and
dereferencing.

(This isn't the full story, as on some CPUs some instructions have variable
execution depending on the inputs, most notably division and on some cores
multiplication. However, testing that no branch or memory access depends on
secret data is already a good start.)

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-15 12:26:22 +02:00
Manuel Pégourié-Gonnard 65a6fa3e26 Make cf_hmac() STATIC_TESTABLE
The test function now depends on MBEDTLS_TEST_HOOKS, which is enabled by
config.py full, and since there are already components in all.sh exercising
the full config, this test function is sill exercised even with this new
dependency.

Since this is the first time a test function depends on MBEDTLS_TEST_HOOKS,
fix a bug in check-names.sh that wasn't apparent so far: headers from
library/*.h were not considered when looking for macro definitions. This
became apparent because MBEDTLS_STATIC_TESTABLE is defined in library/common.h
and started being used in library/ssl_msg.c, so was flagged as a likely typo.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-15 12:26:21 +02:00
Manuel Pégourié-Gonnard 8aa29e382f Use existing implementation of cf_hmac()
Just move code from ssl_decrypt_buf() to the new cf_hmac() function and then
call cf_hmac() from there.

This makes the new cf_hmac() function used, opening the door for making it
static in the next commit. It also validates that its interface works for
using it in ssl_decrypt_buf().

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-15 12:26:21 +02:00
Manuel Pégourié-Gonnard 045f094c81 Add dummy constant-flow HMAC function with tests
The dummy implementation is not constant-flow at all for now, it's just
here as a starting point and a support for developing the tests and putting
the infrastructure in place.

Depending on the implementation strategy, there might be various corner cases
depending on where the lengths fall relative to block boundaries. So it seems
safer to just test all possible lengths in a given range than to use only a
few randomly-chosen values.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-15 12:25:52 +02:00
Steven Cooreman 5a3c210e15 Update to renamed curve constant
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-13 17:26:26 +02:00
Gilles Peskine bcce2eff27 Transparent drivers may have init functions too
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-07-13 13:27:45 +02:00
Gilles Peskine 71db60bd11 Automatically define location/lifetime constants
PSA_KEY_LOCATION_acme, PSA_KEY_LIFETIME_acme

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-07-13 13:27:45 +02:00
Gilles Peskine 278e5ebf78 Start Mbed TLS guides to PSA drivers
Driver developer's guide: introduction on how to write a driver.

Driver integration guide: how to build Mbed TLS with drivers.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-07-13 13:27:45 +02:00
Gilles Peskine 2e66aca372 PSA unified driver interface
Working draft of the PSA cryptography unified interface specification.
Eventually this document will be under Arm PSA architecture ownership,
but for the time being this draft is maintained in Mbed TLS.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-07-13 13:27:45 +02:00
Gilles Peskine abeb58e814 Add a directory for proposed specifications
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-07-13 13:27:42 +02:00
Steven Cooreman aec44e9fe8 Merge remote-tracking branch 'mbedtls/development' into montgomery-keys-clarification 2020-07-13 11:48:21 +02:00
Steven Cooreman 0024df6b37 Remove superfluous argument to ecp_write_key
Removed after feedback from PR review.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-13 10:59:40 +02:00
Manuel Pégourié-Gonnard d4d6ad0363
Merge pull request #3464 from CodeMonkeyLeet/csr_heap_alloc
Dynamically allocate requested CSR write buffer size
2020-07-10 10:57:22 +02:00
Manuel Pégourié-Gonnard 2df1f1f16f Factor repeated preprocessor condition to a macro
The condition is a complex and repeated a few times. There were already some
inconsistencies in the repetitions as some of them forgot about DES.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-09 12:13:31 +02:00
Manuel Pégourié-Gonnard 913a204a33 Fix undeclared dependency of test function
The ssl_tranform structure lacks some members accessed by this function when
CBC is not enabled.

This was found by test-ref-configs.pl and all.sh
test_when_no_ciphersuites_have_mac, so no need to add a new test.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-09 10:02:41 +02:00
Simon Leet 40ca54a9ac Revise comments for x509write_csr_der_internal
Address remaining PR comments for #2118
- Add ChangeLog.d/x509write_csr_heap_alloc.txt.
- Fix parameter alignment per Gille's recommendation.
- Update comments to more explicitly describe the manipulation of buf.
- Replace use of `MBEDTLS_MPI_MAX_SIZE` as `sig` buffer size for
  call to `x509write_csr_der_internal()` with more intuitive
  `MBEDTLS_PK_SIGNATURE_MAX_SIZE`.
- Update `mbedtls_x509write_csr_der()` to return
  `MBEDTLS_ERR_X509_ALLOC_FAILED` on mbedtls_calloc error.

Signed-off-by: Simon Leet <simon.leet@microsoft.com>
2020-07-08 18:32:47 +00:00
Doru Gucea 2957b35157 Avoid stack-allocation of large memory buffers
Using a stack-buffer with a size > 2K could easily produce a stack
overflow for an embedded device which has a limited stack size.
This commit dynamically allocates the large CSR buffer.

This commit avoids using a temporary buffer for storing the OIDs.
A single buffer is used:
a) OIDs are written backwards starting with the end of the buffer;
b) OIDs are memmove'd to the beginning of the buffer;
c) signature over this OIDs is computed and written backwards from the
end of the buffer;
d) the two memory regions are compacted.

Signed-off-by: Doru Gucea <doru-cristian.gucea@nxp.com>
2020-07-08 18:32:02 +00:00
Manuel Pégourié-Gonnard 8ed8694199 Merge branch 'development' into development-restricted
* development: (22 commits)
  Only pass -Wformat-signedness to versions of GCC that support it.
  Documentation improvements
  Remove redundant assignment
  Add comments explaining include paths
  Library files aren't supposed to be executable
  CMake: Include the library directory for the sake of 3rdparty
  Factor common library properties
  Fix erroneous skip of test cases for disabled ciphersuites
  Include common.h instead of config.h in library source files
  Include the library directory for the sake of 3rdparty
  Fix copypasta in test case descriptions
  Remove metadata tests for features that are not implemented
  Fix dependency in PSA test cases
  Fix dependency in AES GCM test case
  Document the fields of TestCasesOutcomes
  Check test case coverage
  New script for test outcome analysis
  check_test_cases: move some functions into the logical class
  check_test_cases: move "walk" functions into a class
  check_test_cases: parametrize iteration functions by the action
  ...
2020-07-07 12:48:42 +02:00
Manuel Pégourié-Gonnard 3ee91f47f4
Merge pull request #3452 from okhowang/local-labels
Use local labels in padlock.c
2020-07-07 11:48:05 +02:00
Manuel Pégourié-Gonnard 62af37d616 Add tests with ARIA, Camellia, 3DES
Started as copies of the AES block, then:

- for ARIA, just s/AES/ARIA/
- for Camellia, just s/AES/Camellia/
- for 3DES, s/AES/3DES/ then s/3DES_128_CBC/DES_EDE3_CBC/ then manually
  subtract 8 to all plaintext lengths that were > 8. This accounts for the
fact that the block size of DES is 8 not 16.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-07 11:40:38 +02:00
Manuel Pégourié-Gonnard 7a1cb41ba2 Add test cases with MD5, SHA1, SHA384
All started from a copy of the SHA256 block and modified as follows:

- for MD5, just s/SHA256/MD5/
- for SHA384, adapt the dependency line then s/SHA256/SHA384
- for SHA1, s/SHA256/SHA1/ then manually adapt the plaintext length for the
  cases with "!trunc, B-1" and "!trunc, B", as the MAC length (20) is not a
multiple of the block size (16) for this hash

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-07 11:25:27 +02:00
Manuel Pégourié-Gonnard e79e3bb2da Add test cases with various record sizes
- plaintext length = 0 or 1
- plaintext length + MAC length = -1 or 0 mod block_size
    (using the minimum plaintext length that works)

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-07 11:02:59 +02:00
Manuel Pégourié-Gonnard 527c1ff71a Generate good/bad padding programmatically
Compared to the previous approach of having the bad padding provided as input
to the testing function, this allows to test more kinds of incorrect data,
with less test cases in the .data file and more important no manually-generated
non-trivial data in the test case parameters, making it much easier to
complete the testing matrix.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-07 10:43:37 +02:00
Manuel Pégourié-Gonnard fafe8553c6
Merge pull request #3392 from paul-elliott-arm/psa_ecc_dh_macros
PSA: update EC curve and DH group family macros
2020-07-07 09:20:44 +02:00
Steven Cooreman 14f0e526fb Fix Curve25519 ecp_read_key vectors to match description
They did not match their description, probably due to a botched manual
endianness conversion where the nibbles also got swapped.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-06 10:52:38 +02:00
Steven Cooreman bd3a6f4497 Rewrite changelog for #3425 as requested
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-06 10:52:38 +02:00
Steven Cooreman c9b7f78647 Rework mbedtls_ecp_write_key to remove unnecessary output parameter
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-06 10:52:32 +02:00
Steven Cooreman e3fd39289e Fix endianness and masking for Curve25519 keys handled by PSA
Changed PSA core (and PKWrite) from reaching into MPI to using the proper
ecp function to fetch a private key.
Added changelog.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-06 10:45:31 +02:00
Steven Cooreman 6f5cc71ad1 Document masking of Montgomery private keys in psa_export_key
Follow the PSA Crypto specification which was updated between 1.0 beta3
and 1.0.0.
Add corresponding test cases.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-06 10:45:04 +02:00
Steven Cooreman de8593f2fe Implement and test mbedtls_ecp_write_key
mbedtls_ecp_write_key is a mirror function to mbedtls_ecp_read_key, which
writes a private key back into a byte buffer in the correct format.
This is a helpful convenience function, since the byte order is defined
differently between Montgomery and Weierstrass curves. Since this difference
is accounted for in mbedtls_ecp_read_key, it made sense to add
mbedtls_ecp_write_key for the purpose of abstracting this away such that
psa_export_key doesn't need to take byte order into account.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-07-06 10:42:38 +02:00
okhowang(王沛文) 0c4bbda16a Use local labels in padlock.c
Fixes #3451

Signed-off-by: okhowang(王沛文) <okhowang@tencent.com>
2020-07-04 01:43:41 +08:00
Gilles Peskine 642a4ef0aa
Merge pull request #3463 from gilles-peskine-arm/tests-not-executed
Fix some test cases that weren't getting executed
2020-07-03 15:13:18 +02:00
Gilles Peskine 2426506fa0
Merge pull request #3458 from gilles-peskine-arm/analyze_outcomes-count_test_cases-1
Test outcome analysis: check that all available test cases have been executed
2020-07-03 15:12:44 +02:00
Janos Follath 74ff13cfae
Merge pull request #3479 from okhowang/format-signedness
add -Wformat-signedness when gcc > 5
2020-07-03 11:53:39 +01:00
Manuel Pégourié-Gonnard 0ac01a1c59 TLS: Add negative tests for non-EtM CBC decryption
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-03 12:49:10 +02:00
okhowang(王沛文) 0cd8e0f6a7 Only pass -Wformat-signedness to versions of GCC that support it.
Fixes #3478

Signed-off-by: okhowang(王沛文) <okhowang@tencent.com>
2020-07-03 16:51:14 +08:00
Manuel Pégourié-Gonnard 527b87890d
Merge pull request #3454 from gilles-peskine-arm/include-common-h-development
Include common.h from all library source files
2020-07-03 09:44:18 +02:00
Gilles Peskine bbb3664957 Documentation improvements
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-07-03 09:32:50 +02:00
Paul Elliott 06a28082af Add Changelog entry for PSA DH/ECC Macros rename
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2020-07-02 17:00:06 +01:00
Paul Elliott 75e27032d3 Rename DH Family Macros According to PSA Spec
Rename PSA_DH_GROUP_xxx to PSA_DH_FAMILY_xxx, also rename
PSA_KEY_TYPE_GET_GROUP to PSA_KEY_TYPE_DH_GET_FAMILY and rename
psa_dh_group_t to psa_dh_family_t. Old defines are provided in
include/crypto_compat.h for backward compatibility.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2020-07-02 16:59:49 +01:00
Paul Elliott 8ff510ac26 Rename ECC Family Macros According to PSA Spec
Rename PSA_ECC_CURVE_xxx to PSA_ECC_FAMILY_xxx, also rename
PSA_KEY_TYPE_GET_CURVE to PSA_KEY_TYPE_ECC_GET_FAMILY and rename
psa_ecc_curve_t to psa_ecc_family_t. Old defines are provided in
include/crypto_compat.h for backward compatibility.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2020-07-02 16:59:30 +01:00
Gilles Peskine e1c4362966 Remove redundant assignment
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-07-02 17:50:20 +02:00
Gilles Peskine 76dd3aa5bb Add comments explaining include paths
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-07-02 15:59:45 +02:00
Gilles Peskine 280165c9b3 Library files aren't supposed to be executable
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-07-02 13:19:17 +02:00
Gilles Peskine dedff7a57d CMake: Include the library directory for the sake of 3rdparty
"Include the library directory for the sake of 3rdparty" did the job
for Make and Visual Studio. This commit does the job for CMake.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-07-02 13:13:27 +02:00
Gilles Peskine 3ca8a9285e Factor common library properties
All libraries (should) rely on the same directory structure. Instead of
repeating the same clauses 6 times (3 libraries times 2 build modes), set
the include paths, compile definitions and install instructions with a
single piece of code.

Include the 3rdparty directory for all libraries, not just crypto. It's
currently only needed for crypto, but that's just happenstance.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-07-02 13:07:37 +02:00
Manuel Pégourié-Gonnard bfbdca8bb4 Merge branch 'development' into development-restricted
* development: (46 commits)
  Update ChangeLog header.
  Bump version to Mbed TLS 2.23.0
  Assemble changelog
  cmake: Add comment about mbedtls_test target
  programs: psa: Link against mbedcrypto not mbedtls
  Use mbedtls_test_unhexify in programs
  Rework mbedtls_test_unhexify()
  tests: Get rid of mbedtls_test_unhexify() in unit test code
  tests: ccm: Prepare to char* to data_t* type change
  tests: aes.ofb: Prepare to char* to data_t* type change
  tests: nist_kw: Prepare to char* to data_t* type change
  tests: chacha20: Prepare to char* to data_t* type change
  tests: hkdf: Prepare to char* to data_t* type change
  tests: aria: Prepare to char* to data_t* type change
  programs: Link to tests common code
  build: Add top-level mbedtls_test target
  programs: cmake: Use list of executables
  programs: cmake: Fix relative path warnings
  programs: ssl: cmake: Add missing executables
  programs: ssl: cmake: Reorder declaration of executables
  ...
2020-07-02 13:01:38 +02:00
Gilles Peskine 0d7216511f Fix erroneous skip of test cases for disabled ciphersuites
Test cases that force a specific ciphersuites are only executed if
this ciphersuite is enabled. But there are test cases (for RC4) whose
goal is to check that the ciphersuite is not used. These test cases
must run even if (or only if) the ciphersuite is disable, so add an
exception for these test cases.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-07-02 11:38:21 +02:00
Gilles Peskine db09ef6d22 Include common.h instead of config.h in library source files
In library source files, include "common.h", which takes care of
including "mbedtls/config.h" (or the alternative MBEDTLS_CONFIG_FILE)
and other things that are used throughout the library.

FROM=$'#if !defined(MBEDTLS_CONFIG_FILE)\n#include "mbedtls/config.h"\n#else\n#include MBEDTLS_CONFIG_FILE\n#endif' perl -i -0777 -pe 's~\Q$ENV{FROM}~#include "common.h"~' library/*.c 3rdparty/*/library/*.c scripts/data_files/error.fmt scripts/data_files/version_features.fmt

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-07-02 11:26:57 +02:00
Gilles Peskine 66c3dc44f2 Include the library directory for the sake of 3rdparty
When compiling library files under `3rdparty/`, the directory containing
the `.c` file that is being compiled is not the current directory, so
headers from the `library/` directory are not found. Fix this by
adding `.` to the include path.

This was not detected until now because as of this commit, no 3rdparty
source file requires a header under `library/`.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-07-02 11:26:57 +02:00