Commit Graph

7016 Commits

Author SHA1 Message Date
Janos Follath
7b774483bf Correct deterministic ECDSA behavior
We were still reusing the internal HMAC-DRBG of the deterministic ECDSA
for blinding. This meant that with cryptographically low likelyhood the
result was not the same signature as the one the deterministic ECDSA
algorithm has to produce (however it is still a valid ECDSA signature).

To correct this we seed a second HMAC-DRBG with the same seed to restore
correct behavior. We also apply a label to avoid reusing the bits of the
ephemeral key for a different purpose and reduce the chance that they
leak.

This workaround can't be implemented in the restartable case without
penalising the case where external RNG is available or completely
defeating the purpose of the restartable feature, therefore in this case
the small chance of incorrect behavior remains.
2019-01-16 17:25:13 +00:00
Janos Follath
ba66faf167 Add warning for alternative ECDSA implementations
Alternative implementations are often hardware accelerators and might
not need an RNG for blinding. But if they do, then we make them misuse
the RNG in the deterministic case.

There are several way around this:
- Exposing a lower level function for replacement. This would be the
optimal solution, but litters the API and is not backward compatible.
- Introducing a new compile time option for replacing the deterministic
function. This would mostly cover the same code as
MBEDTLS_ECDSA_DETERMINISTIC and would be yet another compile time flag.
- Reusing the existing MBEDTLS_ECDSA_DETERMINISTIC macro. This changes
the algorithm used by the PK layer from deterministic to randomised if
the alternative implementation is present.

This commit implements the third option. This is a temporary solution
and should be fixed at the next device driver API change.
2019-01-16 16:01:56 +00:00
Janos Follath
e552a826fd Test the new deterministic ECDSA function 2019-01-16 16:01:34 +00:00
Janos Follath
2934c32da2 Add a safer deterministic ECDSA function
`mbedtls_ecdsa_sign_det` reuses the internal HMAC-DRBG instance to
implement blinding. The advantage of this is that the algorithm is
deterministic too, not just the resulting signature. The drawback is
that the blinding is always the same for the same key and message.
This diminishes the efficiency of blinding and leaks information about
the private key.

A function that takes external randomness fixes this weakness.
2019-01-16 16:00:27 +00:00
Manuel Pégourié-Gonnard
c80555d835 Add public function generating private keys
We need to separate the uses of the RNG for blinding and for key
generation for the sake of an upcoming security fix in deterministic
ECDSA.
2019-01-16 15:47:26 +00:00
Jeffrey Martin
f7fe144082
update ChangLog credit
Signed-off-by: Jeffrey Martin <Jeffrey_Martin@rapid7.com>
2019-01-16 09:26:15 -06:00
Jeffrey Martin
55ab90d40e
update ChangLog per comments
Signed-off-by: Jeffrey Martin <Jeffrey_Martin@rapid7.com>
2019-01-15 09:02:14 -06:00
Jeffrey Martin
44fbf91f01
Backport #1949 into mbedtls-2.7
Signed-off-by: Jeffrey Martin <Jeffrey_Martin@rapid7.com>
2019-01-14 18:13:06 -06:00
Hanno Becker
6950ebb31f Document psk_list parameter of ssl_server2 example program 2019-01-14 09:27:04 +00:00
Gilles Peskine
9f55364ec7 Rename test_memcheck to test_valgrind
Valgrind is what it does. `memcheck` is how it's implemented.
2019-01-10 18:29:37 +01:00
Gilles Peskine
ff7238f4ad Support wildcard patterns with a positive list of components to run
Wildcard patterns now work with command line COMPONENT arguments
without --except as well as with. You can now run e.g.
`all.sh "check_*` to run all the sanity checks.
2019-01-10 18:29:37 +01:00
Gilles Peskine
30bc385124 Add missing protection on __aeabi_uldiv check under --keep-going
Partial backport of 2adb375c50
"Add option to avoid 64-bit multiplication"
2019-01-10 18:29:37 +01:00
Gilles Peskine
c780095901 Delete $OUT_OF_SOURCE_DIR under --force even without Yotta
The deletion of "$OUT_OF_SOURCE_DIR" had mistakenly been lumped
together with Yotta.
2019-01-10 18:29:37 +01:00
Gilles Peskine
c9663b1685 Fix sometimes-spurious warning about changed config.h
After backing up and restoring config.h, `git diff-files` may report
it as potentially-changed because it isn't sure whether the index is
up to date. To avoid this, make sure that the git index is up-to-date.

This fixes the warning about changed config.h that you might get when
you run all.sh twice in succession, yet if you run `git status` or
`git diff` everything seems up to date and you no longer get the
warning because these git commands update the index.

https://stackoverflow.com/questions/36367190/git-diff-files-output-changes-after-git-status
2019-01-10 18:29:37 +01:00
Gilles Peskine
2906a0ae8a all.sh: Update the maintainer documentation 2019-01-10 18:29:33 +01:00
Gilles Peskine
541fb1e33b all.sh: only check tools that are going to be used
Don't require openssl, mingw, etc. if we aren't going to run a
component that uses them.
2019-01-10 18:28:17 +01:00
Gilles Peskine
53084872ab all.sh: only look for armcc if it is used
Only look for armcc if component_build_armcc or component_build_yotta
is to be executed, instead of requiring the option --no-armcc.

You can still pass --no-armcc, but it's no longer required when
listing components to run. With no list of components or an exclude
list on the command line, --no-armcc is equivalent to having
build_armcc in the exclude list.

Omit the yotta pre-checks if the build_yotta component is not going to
be executed. This makes --no-yotta equivalent to specifying a list of
components to run that doesn't include build_yotta.
2019-01-10 18:28:17 +01:00
Gilles Peskine
b3241cbea7 Add command line options to list available components 2019-01-10 18:28:17 +01:00
Gilles Peskine
eb39b9b729 Minor cleanups to component name gathering
Bring the code in line with the version in Mbed TLS 2.16+.
2019-01-10 18:28:17 +01:00
Gilles Peskine
3fbdd21ca5 Add conditional component inclusion facility
Add a conditional execution facility: if a function support_xxx exists
and returns false then component_xxx is not executed (except when the
command line lists an explicit set of components to execute).

Use this facility for the 64-bit-specific or amd64-specific components.
2019-01-10 18:28:17 +01:00
Gilles Peskine
7120f77889 all.sh: fix MAKEFLAGS setting
MAKEFLAGS was set to -j if it was already set, instead of being set if
not previously set as intended. So now all.sh will do parallel builds
if invoked without MAKEFLAGS in the environment.
2019-01-10 18:28:17 +01:00
Gilles Peskine
770ad7e2c9 all.sh: don't insist on Linux; always run Valgrind
Don't bail out of all.sh if the OS isn't Linux. We only expect
everything to pass on a recent Linux x86_64, but it's useful to call
all.sh to run some components on any platform.

In all.sh, always run both MemorySanitizer and Valgrind. Valgrind is
slower than ASan and MSan but finds some things that they don't.

Run MSan unconditionally, not just on Linux/x86_64. MSan is supported
on some other OSes and CPUs these days.

Use `all.sh --except test_memsan` if you want to omit MSan because it
isn't supported on your platform. Use `all.sh --except test_memcheck`
if you want to omit Valgrind because it's too slow.

Portability: ecognize amd64 (FreeBSD arch string) as well as x86_64
(Linux arch string) for `uname -m`. The `make` utility must still
be GNU make.
2019-01-10 18:28:17 +01:00
Gilles Peskine
4e7b323fd8 Use CMAKE_BUILD_TYPE to do Asan builds
Use `cmake -D CMAKE_BUILD_TYPE=Asan` rather than manually setting
`-fsanitize=address`. This lets cmake determine the necessary compiler
and linker flags.

With UNSAFE_BUILD on, force -Wno-error. This is necessary to build
with MBEDTLS_TEST_NULL_ENTROPY.
2019-01-10 18:28:17 +01:00
Gilles Peskine
72adb432bc Back up and restore config.h systematically
In all.sh, always save config.h before running a component, instead of
doing it manually in each component that requires it (except when we
forget, which has happened). This would break a script that requires
config.h.bak not to exist, but we don't have any of those.
2019-01-10 18:28:17 +01:00
Gilles Peskine
11ddca6b74 Add the current component name to msg output and the final report 2019-01-10 18:28:17 +01:00
Gilles Peskine
6e9842315a Add --except mode: run all components except a list
Allow the list to use wildcards, e.g. you can run the sanity checks with
all.sh --except "test_*" "build_*"
2019-01-10 18:28:17 +01:00
Gilles Peskine
91bd8b78ed all.sh: with non-option arguments, run only these components 2019-01-10 18:28:17 +01:00
Gilles Peskine
3484ed8797 Move test-ref-configs into its own component 2019-01-10 18:28:16 +01:00
Gilles Peskine
2f300dbb2f Remove duplicate component for RSA_NO_CRT 2019-01-10 18:28:16 +01:00
Gilles Peskine
1a2ca72ddc Break up the tests into components
Split the long list of tests into individual functions. Each time the
test code called the `cleanup` function, I start a new function called
`component_xxx`.

Run all the components by enumerating the `component_xxx` functions.
After running each component, call `cleanup`.

A few sanity checks didn't have calls to `cleanup` because they didn't
need them. I put them into separate components anyway, so there are
now a few extra harmless calls to `cleanup`.
2019-01-10 18:28:16 +01:00
Masashi Honma
4a47112834 Remove duplicate #include
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2019-01-09 15:38:37 +00:00
Gilles Peskine
57db6ff938 Move the code into functions. No behavior change.
Move almost all the code of this script into functions. There is no
intended behavior change. The goal of this commit is to make
subsequent improvements easier to follow.

A very large number of lines have been reintended. To see what's going
on, ignore whitespace differences (e.g. diff -w).

I followed the following rules:

* Minimize the amount of code that gets moved.
* Don't change anything to what gets executed or displayed.
* Almost all the code must end up in a function.

This commit is in preparation for breaking up the sequence of tests
into individual components that can run independently.
2019-01-08 22:04:31 +01:00
Simon Butcher
78f040cf33 Merge remote-tracking branch 'public/pr/2233' into HEAD 2019-01-08 15:33:48 +00:00
Simon Butcher
7f899b406c Merge remote-tracking branch 'public/pr/2304' into HEAD 2019-01-08 15:31:37 +00:00
Simon Butcher
8f90278ef7 Add Changelog entry for clang test-ref-configs.pl fix 2018-12-28 12:01:09 +00:00
Simon Butcher
032e3e215d Enable more compiler warnings in tests/Makefile
tests/Makefile had some unused warnings disabled unnecessarily, which
test-ref-configs.pl was turning back on. We don't need to disable these warnings
so I'm turning them back on.
2018-12-28 11:32:12 +00:00
Simon Butcher
638dceb7e1 Change file scoping of test helpers.function
Dependent on configured options, not all of the helper functions were being
used, which was leading to warning of unused functions with Clang.

To avoid any complex compile time options, or adding more logic to
generate_test_code.py to screen out unused functions, those functions which were
provoking the warning were changed to remove static, remove them from file
scope, and expose them to the linker.
2018-12-28 11:30:02 +00:00
Simon Butcher
3187e7ca98
Merge pull request #545 from ARMmbed/version-2.7.9
Update the version of the library to 2.7.9
2018-12-21 12:21:10 +00:00
Simon Butcher
b22a808cc6 Update the version of the library to 2.7.9 2018-12-21 10:52:37 +00:00
Simon Butcher
3112d10abd Merge remote-tracking branch 'public/pr/2144' into mbedtls-2.7 2018-12-20 01:17:45 +00:00
Ron Eldor
314bd71894 Update ChangeLog
Add an entry in ChangeLog describing the fix.
2018-12-19 14:16:36 +02:00
Ron Eldor
44f6d0b3b1 Test AD too long only when CCM_ALT not defined
Since the AD too long is a limitation on Mbed TLS,
HW accelerators may support this. Run the test for AD too long,
only if `MBEDTLS_CCM_ALT` is not defined.
Addresses comment in #1996.
2018-12-19 14:14:58 +02:00
Ron Eldor
bdcb54ff20 Add entry describing the bug fix
Add entry describing the bug fix in `mbedtls_ecdsa_genkey()`.
2018-12-17 10:26:52 +02:00
Ron Eldor
c7aac417f2 Return error code of underlying function.
Return the error code if failed, instead of returning value `1`.
If not failed, return the call of the underlying function,
in `mbedtls_ecdsa_genkey()`.
2018-12-17 10:22:19 +02:00
Ron Eldor
3625e56930 Include configuration file for all headers
Include the configuration file for all headers that were not
included.
2018-12-16 12:24:22 +02:00
Ron Eldor
0559c66ac2 Include configuration file to headers
Add inclusion to configration file in header files,
instead of relying on other header files to include
the configuration file. This issue resolves #1371
2018-12-16 12:22:12 +02:00
Gilles Peskine
bda9abf696 Add a facility to skip running some test suites
With the build option SKIP_TEST_SUITES=..., the specified test suites
are built, but skipped when running tests. Usage:
    make check SKIP_TEST_SUITES=timing,gcm
or
    cmake -D SKIP_TEST_SUITES=timing,gcm ...

The list can be separated by any of space, comma or semicolon, and each
element can be a regular expression in ERE syntax except that "." stands
for itself. Skipping "foo" skips not only "foo" itself but also
any "foo.bar", but does not skip "foobar".
2018-12-14 18:50:34 +01:00
Gilles Peskine
0626ebb425 run-test-suites: update the documentation
Update the documentation to mention the optional verbosity level with -v.

Print the documentation on --help.

Die on an unsupported option.
2018-12-14 18:45:09 +01:00
Jaeden Amero
b85e35d8d2 Merge remote-tracking branch 'upstream-public/pr/2102' into mbedtls-2.7 2018-12-07 16:15:46 +00:00
Jaeden Amero
e4cf723a70 Merge remote-tracking branch 'upstream-public/pr/2168' into mbedtls-2.7 2018-12-07 16:07:37 +00:00