Commit graph

7551 commits

Author SHA1 Message Date
Gilles Peskine f02eeb8762 Fix sloppy wording around stricly less-than vs less or equal
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-03 12:23:27 +01:00
Gilles Peskine 51917a82e8 Document FD_SETSIZE limitation for mbedtls_net_recv_timeout
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-03 12:23:27 +01:00
Gilles Peskine 33d816aff9 Fix stack buffer overflow in net functions with large file descriptor
Fix a stack buffer overflow with mbedtls_net_recv_timeout() when given a
file descriptor that is beyond FD_SETSIZE. The bug was due to not checking
that the file descriptor is within the range of an fd_set object.

Fix #4169

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-03 12:23:27 +01:00
Gilles Peskine 9c1ae18c9c
Merge pull request #4090 from gilles-peskine-arm/test-mutex-usage-count-2.7
Backport 2.7: test and fix mutex usage
2021-02-23 15:14:53 +01:00
Gilles Peskine 2de4691bb0 Make entropy double-free work
Although the library documentation does not guarantee that calling
mbedtls_entropy_free() twice works, it's a plausible assumption and it's
natural to write code that frees an object twice. While this is uncommon for
an entropy context, which is usually a global variable, it came up in our
own unit tests (random_twice tests in test_suite_random in the
development branch).

Announce this in the same changelog entry as for RSA because it's the same
bug in the two modules.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-23 11:28:19 +01:00
Gilles Peskine 9f97f95225 Add init-free tests for entropy
These tests validate that an entropy object can be reused and that
calling mbedtls_entropy_free() twice is ok.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-23 11:25:07 +01:00
Gilles Peskine 58a39e02da Fix typo in documentation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-15 18:21:55 +01:00
Gilles Peskine e8505e37df Document mutex usage for RSA
The mutex is now initialized iff ver != 0.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 16:19:35 +01:00
Gilles Peskine 3be78f318c Changelog entry for RSA mutex usage fix
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 16:19:12 +01:00
Gilles Peskine 22dc2e7a9b Fix mutex leak in RSA
mbedtls_rsa_gen_key() was not freeing the RSA object, and specifically
not freeing the mutex, in some error cases.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine d7e82ad9bf Fix mutex double-free in RSA
When MBEDTLS_THREADING_C is enabled, RSA code protects the use of the
key with a mutex. mbedtls_rsa_free() frees this mutex by calling
mbedtls_mutex_free(). This does not match the usage of
mbedtls_mutex_free(), which in general can only be done once.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine 54e7e2bdc7 Add init-free tests for RSA
These tests are trivial except when compiling with MBEDTLS_THREADING_C
and a mutex implementation that are picky about matching each
mbedtls_mutex_init() with exactly one mbedtls_mutex_free().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine ff754e67ae Add missing cleanup in a test function
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine e525bc830f Changelog entry for DRBG mutex usage fix
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine 94bf03330b Document thread safety for HMAC_DRBG
random(), and only this function, is thread-safe.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine 3ec7f57482 Document mutex invariant for HMAC_DRBG
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine a9857af16a Fix mutex leak in HMAC_DRBG
mbedtls_hmac_drbg_free() left a mutex in the initialized state. This
caused a resource leak on platforms where mbedtls_mutex_init()
allocates resources.

To fix this, mbedtls_hmac_drbg_free() no longer reinitializes the
mutex. To preserve the property that mbedtls_hmac_drbg_free() leaves
the object in an initialized state, which is generally true throughout
the library except regarding mutex objects on some platforms, no
longer initialize the mutex in mbedtls_hmac_drbg_init(). Since the
mutex is only used after seeding, and seeding is only permitted once,
call mbedtls_mutex_init() as part of the seeding process.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine 275598d3fa Document thread safety for CTR_DRBG
random(), and only this function, is thread-safe.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine 6e2cf25639 Document mutex invariant for CTR_DRBG
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine 085b69f8fd Fix mutex leak in CTR_DRBG
mbedtls_ctr_drbg_free() left a mutex in the initialized state. This
caused a resource leak on platforms where mbedtls_mutex_init()
allocates resources.

To fix this, mbedtls_ctr_drbg_free() no longer reinitializes the
mutex. To preserve the property that mbedtls_ctr_drbg_free() leaves
the object in an initialized state, which is generally true throughout
the library except regarding mutex objects on some platforms, no
longer initialize the mutex in mbedtls_ctr_drbg_init(). Since the
mutex is only used after seeding, and seeding is only permitted once,
call mbedtls_mutex_init() as part of the seeding process.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine 5710732145 Explain the usage of is_valid in pthread mutexes
Document the usage inside the library, and relate it with how it's
additionally used in the test code.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine df8db9ace2 Count and report non-freed mutexes
Subtract the number of calls to mbedtls_mutex_free() from the number
of calls to mbedtls_mutex_init(). A mutex leak will manifest as a
positive result at the end of the test case.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:55:15 +01:00
Gilles Peskine 0abb8e4bd8 Detect and report mutex usage errors
If the mutex usage verification framework is enabled and it detects a
mutex usage error, report this error and mark the test as failed.

This detects most usage errors, but not all cases of using
uninitialized memory (which is impossible in full generality) and not
leaks due to missing free (which will be handled in a subsequent commit).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:55:15 +01:00
Gilles Peskine 44498ff9eb Mutex usage testing: set up wrapper functions
When using pthread mutexes (MBEDTLS_THREADING_C and
MBEDTLS_THREADING_PTHREAD enabled), and when test hooks are
enabled (MBEDTLS_TEST_HOOKS), set up wrappers around the
mbedtls_mutex_xxx abstraction. In this commit, the wrapper functions
don't do anything yet.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:55:15 +01:00
Gilles Peskine e137ebce7f Fix off-by-one error in #line directives
The line number is the number of the next line.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:55:15 +01:00
Gilles Peskine da174241b8 Remove reference to a document that doesn't exist in this branch
Don't reference the architecture document. This is an LTS branch and
new invasive tests are only going to be introduced as (perhaps partial
or adapted) backports of invasive tests from development anyway.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:55:15 +01:00
Manuel Pégourié-Gonnard 3ec34a81ee
Merge pull request #4135 from gilles-peskine-arm/ssl-opt-server-failure-2.7
Backport 2.7: ssl-opt.sh: if the server fails, do treat it as a test failure
2021-02-12 12:16:19 +01:00
Gilles Peskine 8607f069e7 ssl-opt.sh: Only check the server exit for Mbed TLS
We care about the exit code of our server, for example if it's
reporting a memory leak after having otherwise executed correctly.

We don't care about the exit code of the servers we're using for
interoperability testing (openssl s_server, gnutls-serv). We assume
that they're working correctly anyway, and they return 1 (gnutls-serv)
or die by the signal handle the signal (openssl) when killed by a
signal.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-10 13:07:05 +01:00
Gilles Peskine 028ca780a8 ssl-opt.sh: if the server fails, do treat it as a test failure
This used to be the case a long time ago but was accidentally broken.

Fix <github:nogrep> #4103 for ssl-opt.sh.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-10 13:06:48 +01:00
Janos Follath b729e4c474
Merge pull request #4099 from d-otte/mbedtls-2.7
Backport 2.7: wrong RSA_PRV_DER_MAX_BYTES for odd MBEDTLS_MPI_MAX_SIZE
2021-02-02 16:14:52 +00:00
Janos Follath ec1909d10b
Merge pull request #4077 from gilles-peskine-arm/mpi_sub_abs-buffer_overflow-2.7
Backport 2.7: Fix buffer overflow in mbedtls_mpi_sub_abs negative case
2021-02-02 13:10:14 +00:00
Daniel Otte b49815a88f adding changelog entry for issue #4093
Signed-off-by: Daniel Otte <d.otte@wut.de>
2021-02-02 12:44:07 +01:00
Daniel Otte 4490fc6a38 adding parentheses to macro definitions, to avoid confusion and possible mistakes in usage.
Signed-off-by: Daniel Otte <d.otte@wut.de>
2021-02-01 18:53:22 +01:00
Daniel Otte f9111bbdd8 avoid errorneous computation of RSA_PRV_DER_MAX_BYTES if MBEDTLS_MPI_MAX_SIZE is odd.
if MBEDTLS_MPI_MAX_SIZE is odd then RSA_PRV_DER_MAX_BYTES will be two less than expected, since the macros are lacking parentheses.


Signed-off-by: Daniel Otte <d.otte@wut.de>
2021-02-01 18:52:36 +01:00
Gilles Peskine 54c3046eea mbedtls_mpi_sub_abs: fix buffer overflow in error case
Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
|A| - |B| where |B| is larger than |A| and has more limbs (so the
function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE).

Fix #4042

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:39:51 +01:00
Gilles Peskine b20bbd1ddc Add mpi_sub_abs negative tests with a larger-in-size second operand
Add test cases for mbedtls_mpi_sub_abs() where the second operand has
more limbs than the first operand (which, if the extra limbs are not
all zero, implies that the function returns
MBEDTLS_ERR_MPI_NEGATIVE_VALUE).

This exposes a buffer overflow (reported in #4042).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:38:23 +01:00
Gilles Peskine 04ea1064a6 Declare MBEDTLS_TEST_HOOKS in config.h
When this option is enabled, the product includes additional
interfaces that enable additional tests. This option should not be
enabled in production, but is included in the "full" build to enable
the extra tests.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-29 19:08:23 +01:00
Gilles Peskine a0d5d77b2d Use $ASAN_FLAGS instead of repeating its contents
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-13 22:24:51 +01:00
Janos Follath 78d9663ace
Merge pull request #788 from ARMmbed/dev/yanesca/mbedtls-2.7.18r0-pr
Prepare Release Candidate for Mbed TLS 2.7.18
2020-12-10 12:53:55 +00:00
Janos Follath 431f42d531 Add missing Changelog entry
Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-12-09 16:46:30 +00:00
Janos Follath bd06112bc2 Finalize ChangeLog
Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-12-09 01:36:05 +00:00
Janos Follath dde20224e6 Bump version to Mbed TLS 2.7.18
Executed ./scripts/bump_version.sh --version 2.7.18

Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-12-09 01:22:11 +00:00
Janos Follath c3ab4053ad Assemble ChangeLog
Executed scripts/assemble_changelog.py.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-12-09 00:34:41 +00:00
Janos Follath baa3f3b377 Fix Changelog format
Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-12-09 00:33:43 +00:00
Janos Follath 3c463b51d0 Merge branch 'mbedtls-2.7-restricted' into mbedtls-2.7.18r0-pr 2020-12-08 21:00:50 +00:00
Gilles Peskine dcba585f54
Merge pull request #3945 from paul-elliott-arm/fix_pem_write_2_7
Backport 2.7: Add tests for buffer corruption after PEM write
2020-12-08 12:31:52 +01:00
Paul Elliott 102bac7a46 Add tests for buffer corruption after PEM write
Zero remaining bytes in buffer after writing PEM data and add checks to
ensure that this is the case.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2020-12-07 16:49:30 +00:00
Ronald Cron 8e556f8f9a
Merge pull request #3937 from geecrypt/mbedtls-2.7
Backport to Mbedtls 2.7: Support set *_drbg reseed interval before seed
2020-12-07 14:30:04 +01:00
Gilles Peskine 5b1cb8873d
Merge pull request #3725 from gilles-peskine-arm/ecp-bignum-error-checks-2.7
Backport 2.7: add missing some error checks in ECP and bignum
2020-12-07 13:06:36 +01:00
Janos Follath 0805cb2f52
Merge pull request #783 from chris-jones-arm/mbedtls-2.7-restricted
[Backport 2.7] Fix Diffie-Hellman large key size DoS
2020-12-07 09:27:32 +00:00