Commit graph

9346 commits

Author SHA1 Message Date
Janos Follath bcfa41753d
Merge pull request #782 from chris-jones-arm/mbedtls-2.16-restricted
[Backport 2.16] Fix Diffie-Hellman large key size DoS
2020-12-07 09:27:55 +00:00
Chris Jones 5dd1e266e1 Fix exponentiation tests with MBEDTLS_MPI_MAX_BITS larger than 256
Fixes an issue where configs that had `MBEDTLS_MPI_MAX_BITS` greater than 256
but smaller than the test that was running (792 bits) the test would fail
incorrectly.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 17:56:21 +00:00
Chris Jones 74b7ee4f12 Fix test_suite_dhm build
Fix build as the name of the random function changed from development to 2.7.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 17:55:59 +00:00
Chris Jones c7ea6340cf Fix whitespace in changelog entry
Extra whitespace and a missing newline at end of file was causing an error with
`check_files.py`.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 16:11:23 +00:00
Chris Jones 49e6e9d410 Move dependancy to specific test cases
Move dependancy on `MBEDTLS_MPI_MAX_BITS` to apply to the specific test cases
which will break when `MBEDTLS_MPI_MAX_BITS` is too small. This re-enables
previous tests that were turned off accidentally.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 16:11:20 +00:00
Chris Jones ce6fa8f411 Fix broken testing on numbers that may be greater than MPI_MAX_SIZE
Previously `mbedtls_mpi_exp_mod` was tested with values that were over
`MBEDTLS_MPI_MAX_SIZE` in size. This is useful to do as some paths are only
taken when the exponent is large enough however, on builds where
`MBEDTLS_MPI_MAX_SIZE` is under the size of these test values.

This fix turns off these tests when `MBEDTLS_MPI_MAX_SIZE` is too small to
safely test (notably this is the case in config-thread.h).

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 16:07:49 +00:00
Chris Jones 877329af75 Fix cases where exponentiation was not fully tested
In two test cases, the exponentiation computation was not being fully tested
as when A_bytes (the base) == N_bytes (the modulus) -> A = N. When this is the
case A is reduced to 0 and therefore the result of the computation will always
be 0.

This fixes that issue and therefore increases the test coverage to ensure
different computations are actually being run.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 16:07:49 +00:00
Chris Jones a18813ea1c Reword test cases
Reword test cases to be easier to read and understand.
Adds comments to better explain what the test is doing.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 16:07:49 +00:00
Chris Jones 4a0ccb6862 Extend exponentiation test coverage
Add two further boundary tests for cases where both the exponent and modulus to
`mbedtls_mpi_exp_mod()` are `MBEDTLS_MPI_MAX_SIZE`, or longer, bytes long.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 16:07:49 +00:00
Chris Jones 415c7be0aa Test that overly large Diffie-Hellman keys are rejected
Adds test cases to ensure that `mbedtls_mpi_exp_mod` will return an error with
an exponent or modulus that is greater than `MBEDTLS_MPI_MAX_SIZE` in size.

Adds test cases to ensure that Diffie-Hellman will fail to make a key pair
(using `mbedtls_dhm_make_public`) when the prime modulus is greater than
`MBEDTLS_MPI_MAX_SIZE` in size.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 16:07:49 +00:00
Chris Jones 25038abadb Add ChangeLog entry for modular exponentiation size limit
Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 16:07:49 +00:00
Chris Jones 63d19c0586 Test that overly large Diffie-Hellman keys are rejected
Add a test case to ensure `mbedtls_mpi_exp_mod` fails when using a key size
larger than MBEDTLS_MPI_MAX_SIZE.
Add a test case to ensure that Diffie-Hellman operations fail when using a key
size larger than MBEDTLS_MPI_MAX_SIZE.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 16:07:33 +00:00
Chris Jones ad59a2a4a7 Fix potential DoS by limiting number sizes in exponentiation
Check that the exponent and modulus is below `MBEDTLS_MPI_MAX_BITS` before
performing a time expensive operation (modular exponentiation). This prevents
a potential DoS from Diffie-Hellman computations with extremely
large key sizes.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 16:02:20 +00:00
Gilles Peskine 4c1939738d
Merge pull request #779 from paul-elliott-arm/discrepancy_cert_2_16
Backport 2.16: Add missing tag check to signature check on certificate load
2020-12-03 12:19:30 +01:00
Paul Elliott 027b601690 Add tag check to cert algorithm check
Add missing tag check for algorithm parameters when comparing the
signature in the description part of the cert against the actual
signature whilst loading a certificate. This was found by a
certificate (created by fuzzing) that openssl would not verify, but
mbedtls would.

Regression test added (one of the client certs modified accordingly)

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2020-12-02 11:03:58 +00:00
Gilles Peskine 7bd481cad2
Merge pull request #769 from gilles-peskine-arm/mpi_fill_random-rng_failure-2.16
Backport 2.16: handle RNG failure in mbedtls_mpi_fill_random
2020-11-30 18:01:58 +01:00
Gilles Peskine 0525114752 Handle random generator failure in mbedtls_mpi_fill_random()
Discuss the impact in a changelog entry.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-25 16:18:39 +01:00
Gilles Peskine 2f78062e75 Test mbedtls_mpi_fill_random
Positive tests: test that the RNG has the expected size, given that we
know how many leading zeros it has because we know how the function
consumes bytes and when the test RNG produces null bytes.

Negative tests: test that if the RNG is willing to emit less than the
number of wanted bytes, the function fails.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-25 16:18:39 +01:00
Gilles Peskine 401ba5e9b7
Merge pull request #755 from gabor-mezei-arm/692_bp216_missing_zeroizations_of_sensitive_data
[Backport 2.16] Missing zeroizations of sensitive data
2020-09-18 16:20:21 +02:00
gabor-mezei-arm 70f7f67133
Put local variables and buffers in a struct
This reduces the impact of the code size increase due to the addition
of calls to mbedtls_platform_zeroize.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2020-09-09 15:18:05 +02:00
gabor-mezei-arm f21639fc2f
Zeroize internal buffers and variables in MD hashes
Zeroising of local buffers and variables which are used for calculations in
mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process()
functions to erase sensitive data from memory.
Checked all function for possible missing zeroisation in MD.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2020-09-09 15:17:11 +02:00
gabor-mezei-arm 5feba8dae1
Force cleanup before return
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2020-09-09 15:17:11 +02:00
gabor-mezei-arm d5253bba32
Zeroize internal buffers and variables in PKCS and SHA
Zeroising of local buffers and variables which are used for calculations in
mbedtls_pkcs5_pbkdf2_hmac() and mbedtls_internal_sha*_process() functions
to erase sensitive data from memory.
Checked all function for possible missing zeroisation in PKCS and SHA.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2020-09-09 15:16:01 +02:00
Manuel Pégourié-Gonnard fa3b3e0d88
Merge pull request #745 from mpg/changelog-for-local-lucky13-2.16-restricted
[Backport 2.16] Add a ChangeLog entry for local Lucky13 variant
2020-08-26 11:52:25 +02:00
Manuel Pégourié-Gonnard f0a3cddefe Clarify that the Lucky 13 fix is quite general
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-26 10:58:02 +02:00
Manuel Pégourié-Gonnard c9ebbd5843 Add a ChangeLog entry for local Lucky13 variant
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-26 10:58:02 +02:00
Janos Follath 5b2e60dc36
Merge pull request #741 from mpg/cf-varpos-copy-2.16-restricted
[backport 2.16] Constant-flow copy of HMAC from variable position
2020-08-25 14:35:45 +01:00
Manuel Pégourié-Gonnard ab9ec32879 Fix a typo in a comment
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-25 11:43:10 +02:00
Manuel Pégourié-Gonnard 46f49a8bbc Improve comments on constant-flow testing in config.h
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-25 11:42:21 +02:00
Manuel Pégourié-Gonnard f08284769d Add an option to test constant-flow with valgrind
Currently the new component in all.sh fails because
mbedtls_ssl_cf_memcpy_offset() is not actually constant flow - this is on
purpose to be able to verify that the new test works.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-25 11:26:37 +02:00
Manuel Pégourié-Gonnard 590b2d9614 Add mbedtls_ssl_cf_memcpy_offset() with tests
The tests are supposed to be failing now (in all.sh component
test_memsan_constant_flow), but they don't as apparently MemSan doesn't
complain when the src argument of memcpy() is uninitialized, see
https://github.com/google/sanitizers/issues/1296

The next commit will add an option to test constant flow with valgrind, which
will hopefully correctly flag the current non-constant-flow implementation.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-25 11:18:11 +02:00
Manuel Pégourié-Gonnard ce45d1a759 Use temporary buffer to hold the peer's HMAC
This paves the way for a constant-flow implementation of HMAC checking, by
making sure that the comparison happens at a constant address. The missing
step is obviously to copy the HMAC from the secret offset to this temporary
buffer with constant flow, which will be done in the next few commits.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-25 11:07:25 +02:00
Manuel Pégourié-Gonnard f0b469e42b Merge branch 'mbedtls-2.16' into mbedtls-2.16-restricted
* mbedtls-2.16: (32 commits)
  A different approach of signed-to-unsigned comparison
  Fix bug in redirection of unit test outputs
  Don't forget to free G, P, Q, ctr_drbg, and entropy
  Backport e2k support to mbedtls-2.7
  compat.sh: stop using allow_sha1
  compat.sh: quit using SHA-1 certificates
  compat.sh: enable CBC-SHA-2 suites for GnuTLS
  Fix license header in pre-commit hook
  Update copyright notices to use Linux Foundation guidance
  Fix building on NetBSD 9.0
  Remove obsolete buildbot reference in compat.sh
  Fix misuse of printf in shell script
  Fix added proxy command when IPv6 is used
  Simplify test syntax
  Fix logic error in setting client port
  ssl-opt.sh: include test name in log files
  ssl-opt.sh: remove old buildbot-specific condition
  ssl-opt.sh: add proxy to all DTLS tests
  Log change as bugfix
  Add changelog entry
  ...
2020-08-25 10:58:15 +02:00
Gilles Peskine 14cb46de24
Merge pull request #3598 from makise-homura/mbedtls-2.16
Backport 2.16: Support building on e2k (Elbrus) architecture
2020-08-25 09:46:39 +02:00
makise-homura 8c3fa63f90 A different approach of signed-to-unsigned comparison
Suggested by @hanno-arm

Signed-off-by: makise-homura <akemi_homura@kurisa.ch>
2020-08-24 23:40:59 +03:00
Gilles Peskine d69edda8de
Merge pull request #3601 from gufe44/helpers-redirect-restore-output-2.16
[Backport 2.16] Fix bug in redirection of unit test outputs
2020-08-24 10:45:11 +02:00
gufe44 650ce76544 Fix bug in redirection of unit test outputs
Avoid replacing handle. stdout is defined as a macro on several platforms.

Signed-off-by: gufe44 <gu981@protonmail.com>
2020-08-23 22:38:51 +02:00
makise-homura 03b4ef6a05 Don't forget to free G, P, Q, ctr_drbg, and entropy
I might be wrong, but lcc's optimizer is curious about this,
and I am too: shouldn't we free allocated stuff correctly
before exiting `dh_genprime` in this certain point of code?

Signed-off-by: makise-homura <akemi_homura@kurisa.ch>
2020-08-23 00:41:59 +03:00
makise-homura 50f6a192b5 Backport e2k support to mbedtls-2.7
Covers commits ac2fd65, 0be6aa9, e74f372, e559550
from `development` branch

Signed-off-by: makise-homura <akemi_homura@kurisa.ch>
2020-08-23 00:39:15 +03:00
Gilles Peskine 0ac8a78aa7
Merge pull request #3593 from mpg/fix-compat.sh-with-ubuntu-16.04-gnutls-2.16
[backport 2.16] Fix compat.sh with ubuntu 16.04 gnutls
2020-08-21 14:18:33 +02:00
Manuel Pégourié-Gonnard 300e1b3a6f compat.sh: stop using allow_sha1
After the changes of certificates, it's no longer needed.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-21 13:01:17 +02:00
Manuel Pégourié-Gonnard 91615cf7ff compat.sh: quit using SHA-1 certificates
Replace server2.crt with server2-sha256.crt which, as the name implies, is
just the SHA-256 version of the same certificate.

Replace server1.crt with cert_sha256.crt which, as the name doesn't imply, is
associated with the same key and just have a slightly different Subject Name,
which doesn't matter in this instance.

The other certificates used in this script (server5.crt and server6.crt) are
already signed with SHA-256.

This change is motivated by the fact that recent versions of GnuTLS (or older
versions with the Debian patches) reject SHA-1 in certificates by default, as
they should. There are options to still accept it (%VERIFY_ALLOW_BROKEN and
%VERIFY_ALLOW_SIGN_WITH_SHA1) but:

- they're not available in all versions that reject SHA-1-signed certs;
- moving to SHA-2 just seems cleaner anyway.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-21 13:01:17 +02:00
Manuel Pégourié-Gonnard 0e7bdd1340 compat.sh: enable CBC-SHA-2 suites for GnuTLS
Recent GnuTLS packages on Ubuntu 16.04 have them disabled.

From /usr/share/doc/libgnutls30/changelog.Debian.gz:

gnutls28 (3.4.10-4ubuntu1.5) xenial-security; urgency=medium

  * SECURITY UPDATE: Lucky-13 issues
    [...]
    - debian/patches/CVE-2018-1084x-4.patch: hmac-sha384 and sha256
      ciphersuites were removed from defaults in lib/gnutls_priority.c,
      tests/priorities.c.

Since we do want to test the ciphersuites, explicitly re-enable them in the
server's priority string. (This is a no-op with versions of GnuTLS where those
are already enabled by default.)

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-21 13:01:16 +02:00
Gilles Peskine 2dcd0674e6
Merge pull request #3582 from bensze01/license-2.16
2.16 only: Fix license header in pre-commit hook
2020-08-20 09:43:56 +02:00
Bence Szépkúti 2645bcc709 Fix license header in pre-commit hook
The file was not updated to include the GPL 2.0+ header as well when it
was backported.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-08-19 17:54:47 +02:00
danh-arm 2823efabc8
Merge pull request #3580 from bensze01/copyright-2.16
[Backport 2.16] Update copyright notices to use Linux Foundation guidance
2020-08-19 16:31:50 +01:00
Bence Szépkúti a2947ac7bb Update copyright notices to use Linux Foundation guidance
As a result, the copyright of contributors other than Arm is now
acknowledged, and the years of publishing are no longer tracked in the
source files.

Also remove the now-redundant lines declaring that the files are part of
MbedTLS.

This commit was generated using the following script:

# ========================
#!/bin/sh

# Find files
find '(' -path './.git' -o -path './3rdparty' ')' -prune -o -type f -print | xargs sed -bi '

# Replace copyright attribution line
s/Copyright.*Arm.*/Copyright The Mbed TLS Contributors/I

# Remove redundant declaration and the preceding line
$!N
/This file is part of Mbed TLS/Id
P
D
'
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-08-19 16:37:36 +02:00
Manuel Pégourié-Gonnard daba4f67cc
Merge pull request #3555 from mpg/x509-verify-non-dns-san-2.16
[Backport 2.16]  X509 verify non-DNS SANs
2020-08-18 10:02:08 +02:00
Manuel Pégourié-Gonnard b9c64e4538
Merge pull request #3558 from gufe44/net-sockets-fixes-2.16
[Backport 2.16] NetBSD 9.0 build fixes
2020-08-18 09:13:30 +02:00
Manuel Pégourié-Gonnard 5bfa623e9b
Merge pull request #3565 from mpg/improve-ssl-opt-logs-2.16
[Backport 2.16] Improve ssl-opt.sh logs
2020-08-17 12:05:16 +02:00