Commit graph

9235 commits

Author SHA1 Message Date
Gilles Peskine 0e59c473cd Changelog entry for xxx_drbg_set_entropy_len before xxx_drbg_seed 2019-10-23 18:00:03 +02:00
Gilles Peskine 912ffe414e CTR_DRBG: support set_entropy_len() before seed()
mbedtls_ctr_drbg_seed() always set the entropy length to the default,
so a call to mbedtls_ctr_drbg_set_entropy_len() before seed() had no
effect. Change this to the more intuitive behavior that
set_entropy_len() sets the entropy length and seed() respects that and
only uses the default entropy length if there was no call to
set_entropy_len().

The former test-only function mbedtls_ctr_drbg_seed_entropy_len() is
no longer used, but keep it for strict ABI compatibility.
2019-10-23 18:00:03 +02:00
Gilles Peskine c4280acfa0 CTR_DRBG: Don't use functions before they're defined
Move the definitions of mbedtls_ctr_drbg_seed_entropy_len() and
mbedtls_ctr_drbg_seed() to after they are used. This makes the code
easier to read and to maintain.
2019-10-23 18:00:03 +02:00
Gilles Peskine c68b70c9dc HMAC_DRBG: support set_entropy_len() before seed()
mbedtls_hmac_drbg_seed() always set the entropy length to the default,
so a call to mbedtls_hmac_drbg_set_entropy_len() before seed() had no
effect. Change this to the more intuitive behavior that
set_entropy_len() sets the entropy length and seed() respects that and
only uses the default entropy length if there was no call to
set_entropy_len().
2019-10-23 18:00:03 +02:00
Jaeden Amero ec904e4b57
Merge pull request #2899 from gilles-peskine-arm/asan-test-fail-2.16
Backport 2.16: Make sure Asan failures are detected in 'make test'
2019-10-22 16:30:45 +01:00
Jaeden Amero 8fedeaacd5
Merge pull request #2871 from gilles-peskine-arm/test_malloc_0_null-2.16
Backport 2.16: Test the library when malloc(0) returns NULL
2019-10-22 13:41:48 +01:00
Gilles Peskine 33685f51f3 'make test' must fail if Asan fails
When running 'make test' with GNU make, if a test suite program
displays "PASSED", this was automatically counted as a pass. This
would in particular count as passing:
* A test suite with the substring "PASSED" in a test description.
* A test suite where all the test cases succeeded, but the final
  cleanup failed, in particular if a sanitizer reported a memory leak.

Use the test executable's return status instead to determine whether
the test suite passed. It's always 0 on PASSED unless the executable's
cleanup code fails, and it's never 0 on any failure.

Fix ARMmbed/mbed-crypto#303
2019-10-21 20:48:05 +02:00
Gilles Peskine ac479065f0 Asan make builds: avoid sanitizer recovery
Some sanitizers default to displaying an error message and recovering.
This could result in a test being recorded as passing despite a
complaint from the sanitizer. Turn off sanitizer recovery to avoid
this risk.
2019-10-21 20:48:05 +02:00
Gilles Peskine b1478e8ebc Use UBsan in addition to Asan with 'make test'
When building with make with the address sanitizer enabled, also
enable the undefined behavior sanitizer.
2019-10-21 20:48:05 +02:00
Gilles Peskine ff26b04fe3 Unify ASan options in make builds
Use a common set of options when building with Asan without CMake.
2019-10-21 20:48:02 +02:00
Jaeden Amero 069fb0e09a Merge remote-tracking branch 'origin/pr/2860' into mbedtls-2.16
* origin/pr/2860: (26 commits)
  config.pl full: exclude MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
  mbedtls_hmac_drbg_set_entropy_len() only matters when reseeding
  mbedtls_ctr_drbg_set_entropy_len() only matters when reseeding
  mbedtls_ctr_drbg_seed: correct maximum for len
  Add a note about CTR_DRBG security strength to config.h
  Move MBEDTLS_CTR_DRBG_USE_128_BIT_KEY to the correct section
  CTR_DRBG: more consistent formatting and wording
  CTR_DRBG documentation: further wording improvements
  CTR_DRBG: Improve the explanation of security strength
  CTR_DRBG: make it easier to understand the security strength
  HMAC_DRBG: note that the initial seeding grabs entropy for the nonce
  Use standard terminology to describe the personalization string
  Do note that xxx_drbg_random functions reseed with PR enabled
  Consistently use \c NULL and \c 0
  Also mention HMAC_DRBG in the changelog entry
  HMAC_DRBG: improve the documentation of the entropy length
  HMAC_DRBG documentation improvements clarifications
  More CTR_DRBG documentation improvements and clarifications
  Fix wording
  Remove warning that the previous expanded discussion has obsoleted
  ...
2019-10-18 14:22:42 +01:00
Gilles Peskine 16ee3c15a3 config.pl full: exclude MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
This is a variant toggle, not an extra feature, so it should be tested
separately.
2019-10-08 15:19:25 +02:00
Gilles Peskine 8b424397b9 mbedtls_hmac_drbg_set_entropy_len() only matters when reseeding
The documentation of HMAC_DRBG erroneously claimed that
mbedtls_hmac_drbg_set_entropy_len() had an impact on the initial
seeding. This is in fact not the case: mbedtls_hmac_drbg_seed() forces
the entropy length to its chosen value. Fix the documentation.
2019-10-04 18:28:51 +02:00
Gilles Peskine cc74872ba9 mbedtls_ctr_drbg_set_entropy_len() only matters when reseeding
The documentation of CTR_DRBG erroneously claimed that
mbedtls_ctr_drbg_set_entropy_len() had an impact on the initial
seeding. This is in fact not the case: mbedtls_ctr_drbg_seed() forces
the initial seeding to grab MBEDTLS_CTR_DRBG_ENTROPY_LEN bytes of
entropy. Fix the documentation and rewrite the discussion of the
entropy length and the security strength accordingly.
2019-10-04 18:25:05 +02:00
Gilles Peskine e215a4d05e mbedtls_ctr_drbg_seed: correct maximum for len 2019-10-04 18:22:50 +02:00
Gilles Peskine f6c2061af2 Add a note about CTR_DRBG security strength to config.h 2019-10-04 11:21:25 +02:00
Gilles Peskine 1989218456 Move MBEDTLS_CTR_DRBG_USE_128_BIT_KEY to the correct section
It's an on/off feature, so it should be listed in version_features.
2019-10-04 11:21:25 +02:00
Gilles Peskine dd5b67b4f4 CTR_DRBG: more consistent formatting and wording
In particular, don't use #MBEDTLS_xxx on macros that are undefined in
some configurations, since this would be typeset with a literal '#'.
2019-10-04 11:21:25 +02:00
Gilles Peskine e3d8cf1966 CTR_DRBG documentation: further wording improvements 2019-10-02 19:02:13 +02:00
Gilles Peskine 596fdfd6cf CTR_DRBG: Improve the explanation of security strength
Separate the cases that achieve a 128-bit strength and the cases that
achieve a 256-bit strength.
2019-10-02 19:01:31 +02:00
Jaeden Amero b9fc0798d2 Merge remote-tracking branch 'origin/pr/2864' into mbedtls-2.16
* origin/pr/2864:
  Fix compilation error
  Add const to variable
  Fix endianity issue when reading uint32
  Increase test suite timeout
  Reduce stack usage of test_suite_pkcs1_v15
  Reduce stack usage of test_suite_pkcs1_v21
  Reduce stack usage of test_suite_rsa
  Reduce stack usage of test_suite_pk
2019-10-02 18:00:31 +01:00
Jaeden Amero da5930654e Merge remote-tracking branch 'origin/pr/2578' into mbedtls-2.16
* origin/pr/2578:
  Remove a redundant function call
2019-10-02 17:59:28 +01:00
Jaeden Amero b0328ba8a3 Merge remote-tracking branch 'origin/pr/2323' into mbedtls-2.16
* origin/pr/2323:
  Add missing dependencies in test_suite_cipher.gcm
  Adapt ChangeLog
  Add NIST AES GCM test vectors to single-step cipher API test suite
2019-10-02 17:57:37 +01:00
Gilles Peskine 8cec70a8c4 CTR_DRBG: make it easier to understand the security strength
Explain how MBEDTLS_CTR_DRBG_ENTROPY_LEN is set next to the security
strength statement, rather than giving a partial explanation (current
setting only) in the documentation of MBEDTLS_CTR_DRBG_ENTROPY_LEN.
2019-10-02 18:25:06 +02:00
Gilles Peskine 340d6099a0 HMAC_DRBG: note that the initial seeding grabs entropy for the nonce 2019-10-01 18:41:12 +02:00
Gilles Peskine 9fb4518728 Use standard terminology to describe the personalization string
NIST and many other sources call it a "personalization string", and
certainly not "device-specific identifiers" which is actually somewhat
misleading since this is just one of many things that might go into a
personalization string.
2019-10-01 18:39:45 +02:00
Gilles Peskine 3f9c973452 Do note that xxx_drbg_random functions reseed with PR enabled 2019-10-01 18:31:28 +02:00
Gilles Peskine 759c91d66a Consistently use \c NULL and \c 0 2019-10-01 18:30:02 +02:00
Gilles Peskine 6735363f80 Also mention HMAC_DRBG in the changelog entry
There were no tricky compliance issues for HMAC_DBRG, unlike CTR_DRBG,
but mention it anyway. For CTR_DRBG, summarize the salient issue.
2019-09-30 15:27:33 +02:00
Gilles Peskine 0b5e804c09 HMAC_DRBG: improve the documentation of the entropy length 2019-09-30 15:23:53 +02:00
Gilles Peskine db6f41402c HMAC_DRBG documentation improvements clarifications
Improve the formatting and writing of the documentation based on what
had been done for CTR_DRBG.

Document the maximum size and nullability of some buffer parameters.
2019-09-30 15:20:41 +02:00
Gilles Peskine 0bf49eb85b More CTR_DRBG documentation improvements and clarifications 2019-09-30 15:20:41 +02:00
Gilles Peskine c6b098655e Add a test component with malloc(0) returning NULL
Exercise the library functions with calloc returning NULL for a size
of 0. Make this a separate job with UBSan (and ASan) to detect
places where we try to dereference the result of calloc(0) or to do
things like

    buf = calloc(size, 1);
    if (buf == NULL && size != 0) return INSUFFICIENT_MEMORY;
    memcpy(buf, source, size);

which has undefined behavior when buf is NULL at the memcpy call even
if size is 0.

This is needed because other test components jobs either use the system
malloc which returns non-NULL on Linux and FreeBSD, or the
memory_buffer_alloc malloc which returns NULL but does not give as
useful feedback with ASan (because the whole heap is a single C
object).
2019-09-30 13:58:12 +02:00
Gilles Peskine 7430d23358 Add a calloc self-test
Add a very basic test of calloc to the selftest program. The selftest
program acts in its capacity as a platform compatibility checker rather
than in its capacity as a test of the library.

The main objective is to report whether calloc returns NULL for a size
of 0. Also observe whether a free/alloc sequence returns the address
that was just freed and whether a size overflow is properly detected.
2019-09-30 13:58:12 +02:00
Gilles Peskine 4284becde9 Fix wording 2019-09-26 14:54:42 +02:00
Gilles Peskine 761f88818e Remove warning that the previous expanded discussion has obsoleted 2019-09-26 14:53:44 +02:00
Gilles Peskine c85dcb31d9 CTR_DRBG: improve the discussion of entropy length vs strength 2019-09-25 20:22:40 +02:00
Gilles Peskine 3354f75bc1 CTR_DRBG: Finish an unfinished paragraph 2019-09-25 20:22:24 +02:00
Gilles Peskine 3c3bf4dfdb CTR_DRBG documentation: add changelog entry
This is a documentation-only change, but one that users who care about
NIST compliance may be interested in, to review if they're using the
module in a compliant way.
2019-09-25 20:07:04 +02:00
Gilles Peskine 1eb7ba7cdd CTR_DRBG: Document the security strength and SP 800-90A compliance
Document that a derivation function is used.

Document the security strength of the DRBG depending on the
compile-time configuration and how it is set up. In particular,
document how the nonce specified in SP 800-90A is set.

Mention how to link the ctr_drbg module with the entropy module.
2019-09-25 20:06:55 +02:00
Ron Eldor ae9f2a2acc Fix compilation error
Change test_info.failed to test_info.result,
as it was previously changed.
2019-09-25 15:04:21 +03:00
Ron Eldor 39512b4b8a Add const to variable
Add const type that was accidently removed.
2019-09-25 14:53:42 +03:00
Ron Eldor 6e76108e15 Fix endianity issue when reading uint32
The uint32 is given as a bigendian stream, in the tests, however,
the char buffer that collected the stream read it as is,
without converting it. Add a temporary buffer, to call `greentea_getc()`
8 times, and then put it in the correct endianity for input to `unhexify()`.
2019-09-25 14:53:35 +03:00
Ron Eldor 2ad73aa388 Increase test suite timeout
Increase the test suite timeouit from 180 seconds, to 800 seconds,
since some tests consume more time, even if all tests are skipped.
2019-09-25 14:53:26 +03:00
Ron Eldor 3adb981383 Reduce stack usage of test_suite_pkcs1_v15
Reduce the stack usage of the `test_suite_pkcs1_v15` by reducing the
size of the buffers used in the tests, to a reasonable big enough size.
2019-09-25 14:53:15 +03:00
Ron Eldor 5d7254a091 Reduce stack usage of test_suite_pkcs1_v21
Reduce the stack usage of the `test_suite_pkcs1_v21` by reducing the
size of the buffers used in the tests, to a reasonable big enough size,
and change the size sent to the API to sizeof output.
2019-09-25 14:53:04 +03:00
Ron Eldor e4c5fa74b8 Reduce stack usage of test_suite_rsa
Reduce the stack usage of the `test_suite_rsa` by reducing the
size of the buffers used in the tests, to a reasonable big enough size,
and change the data size to decrypt in the data file.
2019-09-25 14:51:19 +03:00
Ron Eldor 5533f4aff1 Reduce stack usage of test_suite_pk
Reduce the stack usage of the `test_suite_pk` by reducing the
size of the buffers used in the tests, to a reasonable big enough size.
2019-09-25 14:51:12 +03:00
Gilles Peskine 80b3f4b20a CTR_DRBG: Document the maximum size of some parameters 2019-09-24 14:48:30 +02:00
Gilles Peskine 6b2c50c01f CTR_DRBG documentation clarifications
* State explicit whether several numbers are in bits or bytes.
* Clarify whether buffer pointer parameters can be NULL.
* Explain the value of constants that are dependent on the configuration.
2019-09-24 14:48:10 +02:00