Commit graph

9479 commits

Author SHA1 Message Date
Gilles Peskine fb6876a111 Document thread safety for HMAC_DRBG
random(), and only this function, is thread-safe.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-02-22 19:40:41 +01:00
Gilles Peskine b5e295d5c9 Document mutex invariant for HMAC_DRBG
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-22 19:40:41 +01:00
Gilles Peskine 05974893e6 Fix mutex leak in HMAC_DRBG
mbedtls_hmac_drbg_free() left a mutex in the initialized state. This
caused a resource leak on platforms where mbedtls_mutex_init()
allocates resources.

To fix this, mbedtls_hmac_drbg_free() no longer reinitializes the
mutex. To preserve the property that mbedtls_hmac_drbg_free() leaves
the object in an initialized state, which is generally true throughout
the library except regarding mutex objects on some platforms, no
longer initialize the mutex in mbedtls_hmac_drbg_init(). Since the
mutex is only used after seeding, and seeding is only permitted once,
call mbedtls_mutex_init() as part of the seeding process.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-22 19:40:41 +01:00
Gilles Peskine 831956980c Document thread safety for CTR_DRBG
random(), and only this function, is thread-safe.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-02-22 19:40:41 +01:00
Gilles Peskine 2ecc0b89f3 Document mutex invariant for CTR_DRBG
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-22 19:40:41 +01:00
Gilles Peskine 89816bc020 Fix mutex leak in CTR_DRBG
mbedtls_ctr_drbg_free() left a mutex in the initialized state. This
caused a resource leak on platforms where mbedtls_mutex_init()
allocates resources.

To fix this, mbedtls_ctr_drbg_free() no longer reinitializes the
mutex. To preserve the property that mbedtls_ctr_drbg_free() leaves
the object in an initialized state, which is generally true throughout
the library except regarding mutex objects on some platforms, no
longer initialize the mutex in mbedtls_ctr_drbg_init(). Since the
mutex is only used after seeding, and seeding is only permitted once,
call mbedtls_mutex_init() as part of the seeding process.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-22 19:40:41 +01:00
Gilles Peskine 7ba73e5756 Explain the usage of is_valid in pthread mutexes
Document the usage inside the library, and relate it with how it's
additionally used in the test code.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-22 19:40:41 +01:00
Gilles Peskine 7252ec3947 Count and report non-freed mutexes
Subtract the number of calls to mbedtls_mutex_free() from the number
of calls to mbedtls_mutex_init(). A mutex leak will manifest as a
positive result at the end of the test case.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-02-22 19:40:41 +01:00
Gilles Peskine cd2e248fdd Detect and report mutex usage errors
If the mutex usage verification framework is enabled and it detects a
mutex usage error, report this error and mark the test as failed.

This detects most usage errors, but not all cases of using
uninitialized memory (which is impossible in full generality) and not
leaks due to missing free (which will be handled in a subsequent commit).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-02-22 19:40:29 +01:00
Gilles Peskine c071373842 Mutex usage testing: set up wrapper functions
When using pthread mutexes (MBEDTLS_THREADING_C and
MBEDTLS_THREADING_PTHREAD enabled), and when test hooks are
enabled (MBEDTLS_TEST_HOOKS), set up wrappers around the
mbedtls_mutex_xxx abstraction. In this commit, the wrapper functions
don't do anything yet.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-02-17 13:10:42 +00:00
Gilles Peskine 96a7064754 Remove reference to a document that doesn't exist in this branch
Don't reference the architecture document. This is an LTS branch and
new invasive tests are only going to be introduced as (perhaps partial
or adapted) backports of invasive tests from development anyway.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-17 12:53:44 +00:00
Gilles Peskine 44e89c547f Declare MBEDTLS_TEST_HOOKS in config.h
When this option is enabled, the product includes additional
interfaces that enable additional tests. This option should not be
enabled in production, but is included in the "full" build to enable
the extra tests.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-17 12:50:52 +00:00
Gilles Peskine 7f652adc48 Use $ASAN_FLAGS instead of repeating its contents
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-17 12:48:33 +00:00
Manuel Pégourié-Gonnard 47e4035e98
Merge pull request #4134 from gilles-peskine-arm/ssl-opt-server-failure-2.16
Backport 2.16: ssl-opt.sh: if the server fails, do treat it as a test failure
2021-02-12 12:16:09 +01:00
Gilles Peskine 2cf44b6941 ssl-opt.sh: Only check the server exit for Mbed TLS
We care about the exit code of our server, for example if it's
reporting a memory leak after having otherwise executed correctly.

We don't care about the exit code of the servers we're using for
interoperability testing (openssl s_server, gnutls-serv). We assume
that they're working correctly anyway, and they return 1 (gnutls-serv)
or die by the signal handle the signal (openssl) when killed by a
signal.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-10 13:05:21 +01:00
Gilles Peskine 634fe27a12 ssl-opt.sh: if the server fails, do treat it as a test failure
This used to be the case a long time ago but was accidentally broken.

Fix <github:nogrep> #4103 for ssl-opt.sh.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-10 13:05:19 +01:00
Janos Follath fee234afcd
Merge pull request #4100 from d-otte/mbedtls-2.16
Backport 2.16: wrong RSA_PRV_DER_MAX_BYTES for odd MBEDTLS_MPI_MAX_SIZE
2021-02-02 16:14:59 +00:00
Janos Follath 9039f16c48
Merge pull request #4097 from gilles-peskine-arm/mpi_sub_abs-buffer_overflow-2.16
Backport 2.16: Fix buffer overflow in mbedtls_mpi_sub_abs negative case
2021-02-02 13:10:22 +00:00
Daniel Otte 80fa1b4d8f adding changelog entry for issue #4093
Signed-off-by: Daniel Otte <d.otte@wut.de>
2021-02-02 12:57:48 +01:00
Daniel Otte 9c6cb217f1 adding parentheses to macro definitions.
Avoid confusion and possible mistakes in usage of macros.

Signed-off-by: Daniel Otte <d.otte@wut.de>
2021-02-02 12:52:18 +01:00
Daniel Otte 80a2c2a5f9 avoid errorneous computation of RSA_PRV_DER_MAX_BYTES.
if MBEDTLS_MPI_MAX_SIZE is odd then RSA_PRV_DER_MAX_BYTES will be two less than expected, since the macros are lacking parentheses.


Signed-off-by: Daniel Otte <d.otte@wut.de>
2021-02-02 12:51:02 +01:00
Gilles Peskine 6260b70717 mbedtls_mpi_sub_abs: fix buffer overflow in error case
Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
|A| - |B| where |B| is larger than |A| and has more limbs (so the
function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE).

Fix #4042

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 17:27:06 +01:00
Gilles Peskine 9a3cf3174d Add mpi_sub_abs negative tests with a larger-in-size second operand
Add test cases for mbedtls_mpi_sub_abs() where the second operand has
more limbs than the first operand (which, if the extra limbs are not
all zero, implies that the function returns
MBEDTLS_ERR_MPI_NEGATIVE_VALUE).

This exposes a buffer overflow (reported in #4042).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 17:27:04 +01:00
Janos Follath 5d453ee882
Merge pull request #4068 from stevew817/backport/pr-4008
[Backport 2.16] Avoid unreferenced items in ECDSA when ALT is in use
2021-01-29 12:54:35 +00:00
Ronald Cron 226626fd42
Merge pull request #4021 from gilles-peskine-arm/ssl-test_without_hmac_drbg-2.16
Backport 2.16: Test SSL with non-deterministic ECDSA
2021-01-29 09:10:11 +01:00
Steven Cooreman a82e56aa91 Avoid unreferenced item warnings in ECDSA when ALT is in use
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-01-26 18:04:10 +01:00
Janos Follath 01c69377bd
Merge pull request #4057 from stevew817/backport/pr-4007
[backport 2.16] Skip known entropy tests for ECJPAKE ALT implementations
2021-01-25 12:38:53 +00:00
Steven Cooreman 0b7cb319cd Skip tests requiring known entropy for ECJPAKE ALT implementations
These implementations don't necessarily consume entropy the same way the
mbed TLS internal software implementation does, and the 'reference
handshake' test vectors can thus not be applied to an ALT implementation.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-01-25 10:36:37 +01:00
Gilles Peskine 629fd9362c Test SSL with non-deterministic ECDSA
In component_test_no_hmac_drbg, the fact that HMAC_DRBG is disabled
doesn't affect the SSL code, but the fact that deterministic ECDSA is
disabled does. So run some ECDSA-related SSL tests.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-13 20:38:13 +01:00
Gilles Peskine 15c39e53e5
Merge pull request #3988 from gilles-peskine-arm/rsa_private-ret-2.16
Backport 2.16: Fix an incorrect error code if RSA private operation glitched
2021-01-13 11:10:08 +01:00
Gilles Peskine 3b7523e11e Fix an incorrect error code if RSA private operation glitched
mbedtls_rsa_private() could return the sum of two RSA error codes
instead of a valid error code in some rare circumstances:

* If rsa_prepare_blinding() returned  MBEDTLS_ERR_RSA_RNG_FAILED
  (indicating a misbehaving or misconfigured RNG).
* If the comparison with the public value failed (typically indicating
  a glitch attack).

Make sure not to add two high-level error codes.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-06 20:55:34 +01:00
Janos Follath 3fac0bae4a
Merge pull request #787 from ARMmbed/dev/yanesca/mbedtls-2.16.9r0-pr
Prepare Release Candidate for Mbed TLS 2.16.9
2020-12-10 12:54:15 +00:00
Janos Follath 3d5d889e0d Add missing ChangeLog entry
Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-12-09 16:41:44 +00:00
Janos Follath 7bbd7ea7ad Improve wording in Changelog
Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-12-09 16:39:36 +00:00
Janos Follath f3493024f6 Finalize ChangeLog
Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-12-09 01:35:14 +00:00
Janos Follath 69029cd29b Bump version to Mbed TLS 2.16.9
Executed ./scripts/bump_version.sh --version 2.16.9

Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-12-09 01:21:50 +00:00
Janos Follath a4b98a970f Assemble ChangeLog
Executed scripts/assemble_changelog.py.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-12-09 00:31:29 +00:00
Janos Follath 2d3f296729 Fix Changelog format
Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-12-09 00:30:04 +00:00
Janos Follath 22a854ab96 Add missing ChangeLog entry
Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-12-08 23:45:45 +00:00
Janos Follath 15e860c639 Merge branch 'mbedtls-2.16-restricted' into mbedtls-2.16.9r0-pr 2020-12-08 21:00:17 +00:00
Gilles Peskine 9e8acb6861
Merge pull request #3935 from paul-elliott-arm/fix_pem_write_2_16
Backport 2.16: Remove Extraneous bytes from buffer post pem write
2020-12-08 12:31:47 +01:00
Paul Elliott 319b5939dd Remove Extraneous bytes from buffer post pem write
In order to remove large buffers from the stack, the der data is written
into the same buffer that the pem is eventually written into, however
although the pem data is zero terminated, there is now data left in the
buffer after the zero termination, which can cause
mbedtls_x509_crt_parse to fail to parse the same buffer if passed back
in. Patches also applied to mbedtls_pk_write_pubkey_pem, and
mbedtls_pk_write_key_pem, which use similar methods of writing der data
to the same buffer, and tests modified to hopefully catch any future
regression on this.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2020-12-07 16:47:02 +00:00
Ronald Cron 3f35b87db9
Merge pull request #3938 from geecrypt/mbedtls-2.16
Backport to Mbedtls 2.16:  Support set *_drbg reseed interval before seed
2020-12-07 14:30:13 +01:00
Gilles Peskine 8ed9ac85e5
Merge pull request #3513 from gilles-peskine-arm/ecp-bignum-error-checks-2.16
Backport 2.16: add missing some error checks in ECP and bignum
2020-12-07 13:06:42 +01:00
Janos Follath bcfa41753d
Merge pull request #782 from chris-jones-arm/mbedtls-2.16-restricted
[Backport 2.16] Fix Diffie-Hellman large key size DoS
2020-12-07 09:27:55 +00:00
gacquroff 07d1f47a39 Add changelog entry file for bugfix 2927
Signed-off-by: gacquroff <gavina352@gmail.com>
2020-12-03 13:41:45 -08:00
Gavin Acquroff 77cb30c3cb Support set *_drbg reseed interval before seed
mbedtls_ctr_drbg_set_reseed_interval() and
mbedtls_hmac_drbg_set_reseed_interval() can now be called before
their seed functions and the reseed_interval value will persist.
Previously it would be overwritten with the default value.

*_drbg_reseed_interval is now set in init() and free().

mbedtls_ctr_drbg_free() and mbedtls_hmac_drbg_free() now
reset the drbg context to the state immediately after init().

Tests:
- Added test to check that DRBG reseeds when reseed_counter
reaches reseed_interval, if reseed_interval set before seed
and reseed_interval is less than MBEDTLS_*_DRBG_RESEED_INTERVAL.

Signed-off-by: gacquroff <gavina352@gmail.com>
2020-12-03 13:30:36 -08:00
Chris Jones 5dd1e266e1 Fix exponentiation tests with MBEDTLS_MPI_MAX_BITS larger than 256
Fixes an issue where configs that had `MBEDTLS_MPI_MAX_BITS` greater than 256
but smaller than the test that was running (792 bits) the test would fail
incorrectly.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 17:56:21 +00:00
Chris Jones 74b7ee4f12 Fix test_suite_dhm build
Fix build as the name of the random function changed from development to 2.7.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 17:55:59 +00:00
Chris Jones c7ea6340cf Fix whitespace in changelog entry
Extra whitespace and a missing newline at end of file was causing an error with
`check_files.py`.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2020-12-03 16:11:23 +00:00