Commit graph

16486 commits

Author SHA1 Message Date
Gilles Peskine 69d3b86baa mbedtls_ssl_cookie_check: zeroize expected cookie on cookie mismatch
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 13:49:14 +01:00
Gilles Peskine b3f4e5b1e1 PSA hash verification: zeroize expected hash on hash mismatch
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 13:49:14 +01:00
Gilles Peskine dc269bbd08 mbedtls_cipher_check_tag: zeroize expected tag on tag mismatch
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 13:49:14 +01:00
Paul Elliott 5752b4b7d0 Add expected output for tests
Expected output generated by OpenSSL (see below) apart from the case
where both password and salt are either NULL or zero length, as OpenSSL
does not support this. For these test cases we have had to use our own
output as that which is expected. Code to generate test cases is as
follows:

 #include <openssl/pkcs12.h>
 #include <openssl/evp.h>
 #include <string.h>

int Keygen_Uni( const char * test_name, unsigned char *pass, int
    passlen, unsigned char *salt,
                    int saltlen, int id, int iter, int n,
                                    unsigned char *out, const EVP_MD
                                    *md_type )
{
   size_t index;

   printf( "%s\n", test_name );

   int ret = PKCS12_key_gen_uni( pass, passlen, salt, saltlen, id, iter,
                                        n, out, md_type );

   if( ret != 1 )
   {
         printf( "Key generation returned %d\n", ret );
      }
   else
   {
         for( index = 0; index < n; ++index )
         {
                  printf( "%02x", out[index] );
               }

         printf( "\n" );
      }

   printf( "\n" );

}

int main(void)
{
   unsigned char out_buf[48];
   unsigned char pass[64];
   int pass_len;
   unsigned char salt[64];
   int salt_len;

   /* If ID=1, then the pseudorandom bits being produced are to be used
      as key material for performing encryption or decryption.

            If ID=2, then the pseudorandom bits being produced are to be
            used as an IV (Initial Value) for encryption or decryption.

                  If ID=3, then the pseudorandom bits being produced are
                  to be used as an integrity key for MACing.
                     */

   int id = 1;
   int iter = 3;

   memset( out_buf, 0, sizeof( out_buf ) );
   memset( pass, 0, sizeof( pass ) );
   memset( salt, 0, sizeof( salt ) );

   Keygen_Uni( "Zero length pass and salt", pass, 0, salt, 0, id, iter,
       sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   memset( out_buf, 0, sizeof( out_buf ) );

   Keygen_Uni( "NULL pass and salt", NULL, 0, NULL, 0, id, iter,
       sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   memset( out_buf, 0, sizeof( out_buf ) );

   salt[0] = 0x01;
   salt[1] = 0x23;
   salt[2] = 0x45;
   salt[3] = 0x67;
   salt[4] = 0x89;
   salt[5] = 0xab;
   salt[6] = 0xcd;
   salt[7] = 0xef;

   Keygen_Uni( "Zero length pass", pass, 0, salt, 8, id, iter,
       sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   memset( out_buf, 0, sizeof( out_buf ) );

   Keygen_Uni( "NULL pass", NULL, 0, salt, 8, id, iter, sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   memset( out_buf, 0, sizeof( out_buf ) );
   memset( salt, 0, sizeof( salt ) );

   pass[0] = 0x01;
   pass[1] = 0x23;
   pass[2] = 0x45;
   pass[3] = 0x67;
   pass[4] = 0x89;
   pass[5] = 0xab;
   pass[6] = 0xcd;
   pass[7] = 0xef;

   Keygen_Uni( "Zero length salt", pass, 8, salt, 0, id, iter,
       sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   memset( out_buf, 0, sizeof( out_buf ) );

   Keygen_Uni( "NULL salt", pass, 8, NULL, 0, id, iter, sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   memset( out_buf, 0, sizeof( out_buf ) );

   salt[0] = 0x01;
   salt[1] = 0x23;
   salt[2] = 0x45;
   salt[3] = 0x67;
   salt[4] = 0x89;
   salt[5] = 0xab;
   salt[6] = 0xcd;
   salt[7] = 0xef;

   Keygen_Uni( "Valid pass and salt", pass, 8, salt, 8, id, iter,
       sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   return 0;
}

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-13 11:15:28 +00:00
Paul Elliott c89e209ded Remove incorrect hashing
Incorrect interpretation of 'empty'

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-13 11:14:45 +00:00
Paul Elliott 8d7eef470b Add explanation for safety in function
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-13 11:14:45 +00:00
Paul Elliott 7a342a24ff Delete unneccesary changelog entry
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-13 11:14:45 +00:00
Paul Elliott 270a264b78 Simplify Input usage macros
Also ensure they are used in test data rather than values

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-13 11:14:45 +00:00
Paul Elliott 73051b4176 Rename (and relabel) pkcs12 test case
Remove surplus _test suffix. Change labeling from Pcks12 to PCKS#12 as
it should be.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-13 11:14:45 +00:00
Paul Elliott 8ca8f2d163 Remove incorrect test dependency
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-13 11:14:45 +00:00
Paul Elliott ce22008c63 Documentation fixes
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-13 11:14:45 +00:00
Paul Elliott 2ab9a7a57a Stop CMake out of source tests running on 16.04
Running the out of source CMake test on Ubuntu 16.04 using more than one
processor (as the CI does) can create a race condition whereby the build
fails to see a generated file, despite that file actually having been
generated. This problem appears to go away with 18.04 or newer, so make
the out of source tests not supported on Ubuntu 16.04

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-13 11:14:45 +00:00
Paul Elliott 1a3540afbe Fix missing test dependancies
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-13 11:14:45 +00:00
Paul Elliott 13d5a3429a Add PKCS12 tests
Only regression tests for the empty password bugs for now. Further tests
will follow later.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-13 11:14:23 +00:00
Dave Rodgman 1c68ba1afd
Merge pull request #5314 from gilles-peskine-arm/missing-ret-check-mbedtls_md_hmac-2.x
Backport 2.x: Check HMAC return values
2021-12-13 10:51:28 +00:00
Gilles Peskine 2b3f21dc0b Catch failures of md_hmac operations
Declare mbedtls_md functions as MBEDTLS_CHECK_RETURN_TYPICAL, meaning that
their return values should be checked.

Do check the return values in our code. We were already doing that
everywhere for hash calculations, but not for HMAC calculations.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-11 15:02:06 +01:00
Gilles Peskine d8e2e8347b Zeroize local MAC variables
Zeroize local MAC variables used for CBC+HMAC cipher suites. In encryption,
this is just good hygiene but probably not needed for security since the
data protected by the MAC that could leak is about to be transmitted anyway.
In DTLS decryption, this could be a security issue since an adversary could
learn the MAC of data that they were trying to inject. At least with
encrypt-then-MAC, the adversary could then easily inject a datagram with
a corrected packet. TLS would still be safe since the receiver would close
the connection after the bad MAC.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-11 14:24:23 +01:00
Gilles Peskine 9e8f3a6b71
Merge pull request #5308 from minosgalanakis/development_2.x
Backport 2.x: Document platform architecture portability constraints
2021-12-10 21:13:09 +01:00
Gilles Peskine 5e41e0e934 Update generated file
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-10 20:19:30 +01:00
Jerry Yu 47569e097e fix help message issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 20:19:05 +01:00
Jerry Yu d351ed3a6a fix msvc build faile
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 20:19:05 +01:00
Jerry Yu 969c01a234 Beauty source code
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 20:19:05 +01:00
Jerry Yu cf080ce821 fix ci fail
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 20:19:05 +01:00
Jerry Yu bbfa1d8c19 Replace configs_enabled check with query_compile_time_config
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 20:19:05 +01:00
Jerry Yu 4f2dff429a Add list_config into query_comile_time_config
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 20:19:05 +01:00
Jerry Yu 0abd677ed7 Add list_config generation
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 20:19:05 +01:00
Paul Elliott 7412eb4bc2 Better fix for empty password / salt
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-10 17:48:12 +00:00
Paul Elliott a59cc3dbc7 Further documentation improvements
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-10 17:48:12 +00:00
Paul Elliott f294ff5d87 Make changelog more specific
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-10 17:48:12 +00:00
Paul Elliott fe724fe618 Fix for pkcs12 with NULL or zero length password
Previously passing a NULL or zero length password into either
mbedtls_pkcs12_pbe() or mbedtls_pkcs12_derive() could cause an infinate
loop, and it was also possible to pass a NULL password, with a non-zero
length, which would cause memory corruption.
I have fixed these errors, and improved the documentation to reflect the
changes and further explain what is expected of the inputs.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-10 17:48:12 +00:00
Gilles Peskine 18a59b7d4c
Merge pull request #5306 from gilles-peskine-arm/test-missing-ret-check-202112-2.x
Backport 2.x: Missing error checks + test bug on unlikely failure
2021-12-10 17:41:49 +01:00
Minos Galanakis 5c93a9f214 Update changelog & readme
This patch adds explicit wording to state
that Two's complement is the official
supported signed integer representation.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2021-12-10 15:57:54 +00:00
Gilles Peskine 3fc0d30447 Don't fail until everything is initialized
Can't call mbedtls_cipher_free(&invalid_ctx) in cleanup if
mbedtls_cipher_init(&invalid_ctx) hasn't been called.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-10 14:45:41 +01:00
Gilles Peskine 3d28378734 Check return values in more places
Selective replacement of
```
^\( *\)\(mbedtls_\(md\|cipher\)_[A-Z_a-z0-9]+\)\((.*)\);
```
by
```
\1if( \2\4 != 0 )
\1{
\1    mbedtls_fprintf( stderr, "\2() returned error\\n" );
\1    goto exit;
\1}
```

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-10 14:45:41 +01:00
Gilles Peskine 362d6efbde
Merge pull request #5301 from paul-elliott-arm/test_suite_cipher_returns_2.x
Backport 2.x : Add checked return to cipher setup in Cipher tests
2021-12-10 10:40:01 +01:00
Gilles Peskine 4a5396ec25
Merge pull request #5299 from paul-elliott-arm/crypt_and_hash_prog_2.x
Backport 2.x: Add checks for return values to md functions in crypt and hash
2021-12-09 23:32:52 +01:00
Gilles Peskine 51377d8a73
Merge pull request #5280 from davidhorstmann-arm/2.x-improve-cmac-docs
Backport 2.x: Reword documentation of CMAC operations
2021-12-09 23:28:39 +01:00
Gilles Peskine c2c1c22dda
Merge pull request #5298 from paul-elliott-arm/ssl_context_info_prog_2.x
Backport 2.x: Two fixes for SSL context info sample program
2021-12-09 23:22:54 +01:00
Paul Elliott 68b64cd64c Add checked return to cipher setup
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-09 21:37:23 +00:00
Paul Elliott d068876181 Add checks for return values to md functions
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-09 18:51:56 +00:00
Paul Elliott 8f20bab14d Fix printf format specifier
Also mark function as printf variant so compiler will pickup any future
issues.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-09 18:35:13 +00:00
Paul Elliott 110afd0e4d Prevent resource leak
If -f was used as an argument twice to the program, then it would leak
the file resource, due to overwriting it on the second pass

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-09 18:33:22 +00:00
Ronald Cron 620cbb9bf5
Merge pull request #5262 from xffbai/code-align-backport2.x
Backport 2.x: Fix (d)tls1_2 into (d)tls12 in version options
2021-12-09 16:26:24 +01:00
Manuel Pégourié-Gonnard c3319e73db
Merge pull request #5189 from gilles-peskine-arm/struct_reordering_2.x
Backport 2.x: Reorder structure fields to maximize usage of immediate offset access
2021-12-09 12:54:13 +01:00
Manuel Pégourié-Gonnard 218abe081c
Merge pull request #5284 from gabor-mezei-arm/4926_bp2x_base64_move_constant-time_functions
[Backport 2.x] Move base64 constant-time functions to the new module
2021-12-09 12:40:24 +01:00
Gabor Mezei 00e08a3a21
Update generated files
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-09 10:05:48 +01:00
Manuel Pégourié-Gonnard 9ac32eb123
Merge pull request #863 from davidhorstmann-arm/2.x-fix-session-copy-bug
Backport 2.x: [session] fix a session copy bug
2021-12-09 09:21:33 +01:00
Gabor Mezei 3a755f511f
Add documentation for the functions
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-08 16:24:22 +01:00
Gabor Mezei 46ca2f76c4
Unify function parameters
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-08 16:22:45 +01:00
Gabor Mezei df29332d4b
Make mbedtls_ct_uchar_mask_of_range function static
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-08 16:20:39 +01:00