Commit graph

13296 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard 2353636225
Merge pull request #3013 from eozturk1/development
Fix debug message by using the correct function name called
2020-03-31 09:53:20 +02:00
Gilles Peskine 06725c985f Fix intermittent crash in test suites with outcome file enabled
Fix an intermittent crash when running test suites in non-verbose
mode (i.e. with -v off) and with the outcome file enabled. The
array unmet_dependencies was only filled in verbose mode, but was used
in write_outcome_result regardless.

Since unmet_dependencies only ever contains strings that are integers
written out in decimal, store the integer instead. Do this
unconditionally since it doesn't cost any extra memory.

It would be better to record the dependency names, both in the verbose
output and in the outcome file. But the dependency names are not
currently available at runtime.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-30 22:00:23 +02:00
Gilles Peskine dba4de0a12 Clarify extract_top_version when creating a new section
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-30 11:37:26 +02:00
Gilles Peskine b695d5e30a Add guidance on writing and maintaining changelog entries
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-27 20:14:19 +01:00
Gilles Peskine 7c3f7cdeae Convert ChangeLog.d/README to markdown
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-27 20:14:19 +01:00
Gilles Peskine 4d977a4f40 Complain if there is junk before the first category title
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-27 20:14:19 +01:00
Gilles Peskine e248e83f9f Start numbering lines at 1
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-27 20:14:19 +01:00
Gilles Peskine eebf24f7a8 Create a new version section if the top version has a release date
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-27 20:14:17 +01:00
Gilles Peskine 6e97c43959 Switch to the classic Mbed TLS ChangeLog format
Instead of working with Markdown format, keep the classic Mbed TLS
ChangeLog format, with the classic category names. Keep the classic
file name as well. This way there's no risk of breaking third-party
scripts that may copy or even parse the changelog file.

Accordingly, expect ChangeLog/*.txt files instead of ChangeLog/*.md.

This commit completely rewrites the parsing and output code.

This commit systematically appends to the existing top version. A
subsequent commit will restore the capability of creating a new
version.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-27 20:13:45 +01:00
Gilles Peskine c68c7c8864 Add a missing space in help text
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-27 19:09:18 +01:00
Simon Butcher 3aa6405007 Correct comment on the configuration option in x509.c
In x509.c, the self-test code is dependent on MBEDTLS_CERTS_C and
MBEDTLS_SHA256_C being enabled. At some point in the recent past that dependency
was on MBEDTLS_SHA1_C but changed to SHA256, but the comment wasn't updated.

This commit updates the comment.

Signed-off-by: Simon Butcher <simon.butcher@arm.com>
2020-03-27 17:16:15 +00:00
Simon Butcher 432e7023b1 Add additional sanity checks to check_config.h
Additional sanity checks in check_config.h to ensure:
    * if test certificates are included (MBEDTLS_CERTS_C) there must be also be
      support for the core X509 feature (MBEDTLS_X509_USE_C). This has a
      secondary dependency on the public key abstraction layer (MBEDTLS_PK_C),
      necessary as the certificates will either be signed by RSA or ECDSA, and
      therefore need to be part of the library.
    * if any of the TLS protocols are defined (MBEDTLS_SSL_PROTO_xxx) then a
      key exchange method must also be defined (MBEDTLS_KEY_EXCHANGE_xxx).

Anyone who knows the library will probably not make these mistakes or will
quickly diagnose and fix them, but it is possible to compile and link both
configurations if you build only the library and not the example programs, and
therefore users may not realise immediately that there's a mistake, only
discovering it at runtime.

These checks may therefore save someone some time.

Signed-off-by: Simon Butcher <simon.butcher@arm.com>
2020-03-27 17:16:15 +00:00
Manuel Pégourié-Gonnard 6f8aaba524
Merge pull request #3131 from AndrzejKurek/makefile-remove-priority-dependency
makefile: remove unneeded priority dependency from library makefile
2020-03-27 13:06:16 +01:00
Guilhem Bryant 8a69ddd7ad Fix Doxygen comments
Signed-off-by: Guilhem Bryant <Guilhem.Bryant@arm.com>
2020-03-27 11:15:28 +00:00
Guilhem Bryant 61b0fe617e Initialise psk_len in mbedtls_ssl_psk_derive_premaster()
Signed-off-by: Guilhem Bryant <Guilhem.Bryant@arm.com>
2020-03-27 11:15:28 +00:00
Gilles Peskine 1596c5e9cb
Merge pull request #3133 from gilles-peskine-arm/changelog-date-pylint
assemble_changelog.py: Reformatting to pacify pylint
2020-03-27 11:29:37 +01:00
Gilles Peskine ac0f0860f1 Reformatting to pacify pylint
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-27 10:56:45 +01:00
Manuel Pégourié-Gonnard b6929891d6 Adjust timeout of tests with "no resend" assertions
There are currently 4 tests in ssl-opt.sh with either -C "resend" or -S
"resend", that is, asserting that no retransmission will occur. They sometimes
fail on loaded CI machines as one side doesn't send a message fast enough,
causing the other side to retransmit, causing the test to fail.

(For the "reconnect" test there was an other issue causing random failures,
fixed in a previous commit, but even after that fix the test would still
sometimes randomly fail, even if much more rarely.)

While it's a hard problem to fix in a general and perfect way, in practice the
probability of failures can be drastically reduced by making the timeout
values much larger.

For some tests, where retransmissions are actually expected, this would have
the negative effect of increasing the average running time of the test, as
each side would wait for longer before it starts retransmission, so we have a
trade-off between average running time and probability of spurious failures.

But for tests where retransmission is not expected, there is no such trade-off
as the expected running time of the test (assuming the code is correct most of
the time) is not impacted by the timeout value. So the only negative effect of
increasing the timeout value is on the worst-case running time on the test,
which is much less important, as test should only fail quite rarely.

This commit addresses the easy case of tests that don't expect retransmission
by increasing the value of their timeout range to 10s-20s. This value
corresponds to the value used for tests that assert `-S "autoreduction"` which
are in the same case and where the current value seems acceptable so far.

It also represents an increase, compared to the values before this commit, of
a factor 20 for the "reconnect" tests which were frequently observed to fail
in the CI, and of a factor 10 for the first two "DTLS proxy" tests, which were
observed to fail much less frequently, so hopefully the new values are enough
to reduce the probability of spurious failures to an acceptable level.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-27 10:50:05 +01:00
Manuel Pégourié-Gonnard baad2de6d8 Add negative test for hard reconnect cookie check
The server must check client reachability (we chose to do that by checking a
cookie) before destroying the existing association (RFC 6347 section 4.2.8).
Let's make sure we do, by having a proxy-in-the-middle inject a ClientHello -
the server should notice, but not destroy the connection.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-27 10:50:05 +01:00
Manuel Pégourié-Gonnard 824655c837 Fix lack of cookie check on hard reconnect
Section 4.2.8 of RFC 6347 describes how to handle the case of a DTLS client
establishing a new connection using the same UDP quartet as an already active
connection, which we implement under the compile option
MBEDTLS_SSL_DLTS_CLIENT_PORT_REUSE. Relevant excerpts:

    [the server] MUST NOT destroy the existing
    association until the client has demonstrated reachability either by
    completing a cookie exchange or by completing a complete handshake
    including delivering a verifiable Finished message.
    [...]
    The reachability requirement prevents
    off-path/blind attackers from destroying associations merely by
    sending forged ClientHellos.

Our code chooses to use a cookie exchange for establishing reachability, but
unfortunately that check was effectively removed in a recent refactoring,
which changed what value ssl_handle_possible_reconnect() needs to return in
order for ssl_get_next_record() (introduced in that refactoring) to take the
proper action. Unfortunately, in addition to changing the value, the
refactoring also changed a return statement to an assignment to the ret
variable, causing the function to reach the code for a valid cookie, which
immediately destroys the existing association, effectively bypassing the
cookie verification.

This commit fixes that by immediately returning after sending a
HelloVerifyRequest when a ClientHello without a valid cookie is found. It also
updates the description of the function to reflect the new return value
convention (the refactoring updated the code but not the documentation).

The commit that changed the return value convention (and introduced the bug)
is 2fddd3765e, whose commit message explains the
change.

Note: this bug also indirectly caused the ssl-opt.sh test case "DTLS client
reconnect from same port: reconnect" to occasionally fail due to a race
condition between the reception of the ClientHello carrying a valid cookie and
the closure of the connection by the server after noticing the ClientHello
didn't carry a valid cookie after it incorrectly destroyed the previous
connection, that could cause that ClientHello to be invisible to the server
(if that message reaches the server just before it does `net_close()`). A
welcome side effect of this commit is to remove that race condition, as the
new connection will immediately start with a ClientHello carrying a valid
cookie in the SSL input buffer, so the server will not call `net_close()` and
not risk discarding a better ClientHello that arrived in the meantime.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-27 10:50:05 +01:00
Gilles Peskine 4457a0a489
Merge pull request #3128 from gilles-peskine-arm/changelog-date
Sort changelog entries by their merge date
2020-03-27 10:42:43 +01:00
Manuel Pégourié-Gonnard a4aa89b16e Fix leakage of projective coordinates in ECC
See the comments in the code for how an attack would go, and the ChangeLog
entry for an impact assessment. (For ECDSA, leaking a few bits of the scalar
over several signatures translates to full private key recovery using a
lattice attack.)

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-27 09:43:34 +01:00
Gilles Peskine 42f384c186 Mbed Crypto isn't a separate project anymore
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-27 09:23:38 +01:00
Gilles Peskine 98a53aa399 Follow renames when looking for the creation of a file
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-26 22:50:11 +01:00
Gilles Peskine 13dc634282 Simplify the matching of the last line
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-26 22:49:44 +01:00
Gilles Peskine 7fa3eb7d44 Simplify sorting
Calling sort_key explicitly is marginally faster, but less readable.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-26 22:41:32 +01:00
Gilles Peskine 28af958ea4 Documentation improvements
Document that git is needed.

Be clearer about the entry sort key being an entry sort key, not just
a merge order. Be clearer about what "merge order" means.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-26 22:39:18 +01:00
Guilhem Bryant 82194c888d Fix bracketing style in ssl_tls.c
Signed-off-by: Guilhem Bryant <Guilhem.Bryant@arm.com>
2020-03-26 17:05:59 +00:00
Andrzej Kurek 98911cdd3a
makefile: remove unneeded priority dependency from library makefile
This change was first introduced in 8af3923 - see this commit for more background.
After the removal of crypto directory, there are no targets that require a 
crypto library with the directory prefix, so there's also no need for the priority
dependency to be declared. This commit removes it.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-03-26 07:18:42 -04:00
Gilles Peskine 8f46bbf46f Sort changelog entries by their merge date
Changelog entry files were listed in reverse alphabetical order of the
file name, by happenstance. Now, changelog entry files are listed in
the order in which the changes were merged. More precisely: look for
the git commit where the entry file was created, and look where this
commit was merged into the current branch. List older merges first.
List never-merged commits in date order after all the merged ones.
List never-committed files in file timestamp order after all the
committed ones.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-26 11:58:00 +01:00
Gilles Peskine 27a1facd48 Factor out list_files_to_merge
No behavior changes.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-26 11:57:54 +01:00
Manuel Pégourié-Gonnard 2451ac698d
Merge pull request #3126 from gilles-peskine-arm/merge-crypto-stragglers-20200325
Merge mbed-crypto stragglers 2020-03-25
2020-03-25 22:12:30 +01:00
Guilhem Bryant c5285d8c40 Use internal PSK getter
Signed-off-by: Guilhem Bryant <Guilhem.Bryant@arm.com>
2020-03-25 17:47:25 +00:00
Guilhem Bryant d511ac3419 Define internal PSK getter
Signed-off-by: Guilhem Bryant <Guilhem.Bryant@arm.com>
2020-03-25 17:47:25 +00:00
Guilhem Bryant e40a2f7a99 Improve documentation about PSK configuration
Signed-off-by: Guilhem Bryant <Guilhem.Bryant@arm.com>
2020-03-25 17:47:25 +00:00
Gilles Peskine 854770b84e Temporarily remove ChangeLog.md
All the content that is currently in ChangeLog.md is the result of
merging Mbed Crypto, and that content is already present in
ChangeLog. Since we aren't using ChangeLog.md yet, remove it for now.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-25 17:13:19 +01:00
Gilles Peskine 5d324b203a Merge remote-tracking branch 'upstream-crypto/development' into HEAD
Conflicts:
* .github/issue_template.md, .github/pull_request_template.md:
  The changes in Mbed Crypto are not relevant to Mbed TLS. Keep the
  mbedtls versions.
2020-03-25 15:47:43 +01:00
Gilles Peskine 8bad3ab45f
Merge pull request #300 from gilles-peskine-arm/assemble-changelog
Changelog assembly script
2020-03-25 15:17:04 +01:00
Jaeden Amero dfd5ea239d
Merge pull request #3117 from AndrzejKurek/null_buffer_tests
Increase test coverage by adding AES and CAMELLIA empty buffer tests
2020-03-25 18:04:48 +04:00
Manuel Pégourié-Gonnard bca8aa07b0 Update references from drafts to RFCs in config.h
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-25 10:34:39 +01:00
Manuel Pégourié-Gonnard 8b0187e6f4
Merge pull request #392 from mpg/no-new-issue-or-pr
Have issue and PR templates redirect to Mbed TLS
2020-03-25 09:55:33 +01:00
Manuel Pégourié-Gonnard cdcb187eb2 Have issue and PR templates redirect to Mbed TLS
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-25 09:31:23 +01:00
Gilles Peskine c4672fdb81 New header common.h; define MBEDTLS_STATIC_TESTABLE
Define MBEDTLS_STATIC_TESTABLE to mark code that is only exported for
test purposes. Since this is for internal library
use only, define it in a header in library/. Since there is no
suitable header, create one.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-24 22:57:11 +01:00
Gilles Peskine fea6eaf5e3 Declare MBEDTLS_TEST_HOOKS in config.h
When this option is enabled, the product includes additional
interfaces that enable additional tests. This option should not be
enabled in production, but is included in the "full" build to enable
the extra tests.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-24 22:56:45 +01:00
Gilles Peskine fa51820e39 Expand the rule for internal functions exposed for tests only
Clarify that using a header in library/ rather than include/ for
internal functions is a rule, not just a possibility.

As suggested by Manuel, state a rule for functions that need to be
static for best optimization but that we want to unit-test.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-24 22:56:38 +01:00
Gilles Peskine 4b7279e5d9 Write up some solutions
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-24 22:56:31 +01:00
Gilles Peskine dff10c773b Add a note that TLS requires further consideration
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-24 22:56:22 +01:00
Gilles Peskine ab4b9b4165 New test strategy document: invasive testing
Evaluate possible approaches for invasive testing.

State some rules.

This commit was originally written for Mbed Crypto only.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-24 22:56:15 +01:00
Gilles Peskine 3b310c69a5 Add a note to some invasive tests
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-24 22:55:48 +01:00
Gilles Peskine d414c32a16
Merge pull request #3113 from mpg/ssl-opt-names
Improve some test names in ssl-opt.sh
2020-03-24 19:48:09 +01:00