Paul Elliott
13d5a3429a
Add PKCS12 tests
...
Only regression tests for the empty password bugs for now. Further tests
will follow later.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-13 11:14:23 +00:00
Dave Rodgman
1c68ba1afd
Merge pull request #5314 from gilles-peskine-arm/missing-ret-check-mbedtls_md_hmac-2.x
...
Backport 2.x: Check HMAC return values
2021-12-13 10:51:28 +00:00
Gilles Peskine
2b3f21dc0b
Catch failures of md_hmac operations
...
Declare mbedtls_md functions as MBEDTLS_CHECK_RETURN_TYPICAL, meaning that
their return values should be checked.
Do check the return values in our code. We were already doing that
everywhere for hash calculations, but not for HMAC calculations.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-11 15:02:06 +01:00
Gilles Peskine
d8e2e8347b
Zeroize local MAC variables
...
Zeroize local MAC variables used for CBC+HMAC cipher suites. In encryption,
this is just good hygiene but probably not needed for security since the
data protected by the MAC that could leak is about to be transmitted anyway.
In DTLS decryption, this could be a security issue since an adversary could
learn the MAC of data that they were trying to inject. At least with
encrypt-then-MAC, the adversary could then easily inject a datagram with
a corrected packet. TLS would still be safe since the receiver would close
the connection after the bad MAC.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-11 14:24:23 +01:00
Gilles Peskine
9e8f3a6b71
Merge pull request #5308 from minosgalanakis/development_2.x
...
Backport 2.x: Document platform architecture portability constraints
2021-12-10 21:13:09 +01:00
Gilles Peskine
5e41e0e934
Update generated file
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-10 20:19:30 +01:00
Jerry Yu
47569e097e
fix help message issues
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 20:19:05 +01:00
Jerry Yu
d351ed3a6a
fix msvc build faile
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 20:19:05 +01:00
Jerry Yu
969c01a234
Beauty source code
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 20:19:05 +01:00
Jerry Yu
cf080ce821
fix ci fail
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 20:19:05 +01:00
Jerry Yu
bbfa1d8c19
Replace configs_enabled check with query_compile_time_config
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 20:19:05 +01:00
Jerry Yu
4f2dff429a
Add list_config into query_comile_time_config
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 20:19:05 +01:00
Jerry Yu
0abd677ed7
Add list_config generation
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 20:19:05 +01:00
Paul Elliott
7412eb4bc2
Better fix for empty password / salt
...
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-10 17:48:12 +00:00
Paul Elliott
a59cc3dbc7
Further documentation improvements
...
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-10 17:48:12 +00:00
Paul Elliott
f294ff5d87
Make changelog more specific
...
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-10 17:48:12 +00:00
Paul Elliott
fe724fe618
Fix for pkcs12 with NULL or zero length password
...
Previously passing a NULL or zero length password into either
mbedtls_pkcs12_pbe() or mbedtls_pkcs12_derive() could cause an infinate
loop, and it was also possible to pass a NULL password, with a non-zero
length, which would cause memory corruption.
I have fixed these errors, and improved the documentation to reflect the
changes and further explain what is expected of the inputs.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-10 17:48:12 +00:00
Gilles Peskine
18a59b7d4c
Merge pull request #5306 from gilles-peskine-arm/test-missing-ret-check-202112-2.x
...
Backport 2.x: Missing error checks + test bug on unlikely failure
2021-12-10 17:41:49 +01:00
Minos Galanakis
5c93a9f214
Update changelog & readme
...
This patch adds explicit wording to state
that Two's complement is the official
supported signed integer representation.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2021-12-10 15:57:54 +00:00
Gilles Peskine
3fc0d30447
Don't fail until everything is initialized
...
Can't call mbedtls_cipher_free(&invalid_ctx) in cleanup if
mbedtls_cipher_init(&invalid_ctx) hasn't been called.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-10 14:45:41 +01:00
Gilles Peskine
3d28378734
Check return values in more places
...
Selective replacement of
```
^\( *\)\(mbedtls_\(md\|cipher\)_[A-Z_a-z0-9]+\)\((.*)\);
```
by
```
\1if( \2\4 != 0 )
\1{
\1 mbedtls_fprintf( stderr, "\2() returned error\\n" );
\1 goto exit;
\1}
```
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-10 14:45:41 +01:00
Gilles Peskine
362d6efbde
Merge pull request #5301 from paul-elliott-arm/test_suite_cipher_returns_2.x
...
Backport 2.x : Add checked return to cipher setup in Cipher tests
2021-12-10 10:40:01 +01:00
Gilles Peskine
4a5396ec25
Merge pull request #5299 from paul-elliott-arm/crypt_and_hash_prog_2.x
...
Backport 2.x: Add checks for return values to md functions in crypt and hash
2021-12-09 23:32:52 +01:00
Gilles Peskine
51377d8a73
Merge pull request #5280 from davidhorstmann-arm/2.x-improve-cmac-docs
...
Backport 2.x: Reword documentation of CMAC operations
2021-12-09 23:28:39 +01:00
Gilles Peskine
c2c1c22dda
Merge pull request #5298 from paul-elliott-arm/ssl_context_info_prog_2.x
...
Backport 2.x: Two fixes for SSL context info sample program
2021-12-09 23:22:54 +01:00
Paul Elliott
68b64cd64c
Add checked return to cipher setup
...
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-09 21:37:23 +00:00
Paul Elliott
d068876181
Add checks for return values to md functions
...
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-09 18:51:56 +00:00
Paul Elliott
8f20bab14d
Fix printf format specifier
...
Also mark function as printf variant so compiler will pickup any future
issues.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-09 18:35:13 +00:00
Paul Elliott
110afd0e4d
Prevent resource leak
...
If -f was used as an argument twice to the program, then it would leak
the file resource, due to overwriting it on the second pass
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-09 18:33:22 +00:00
Ronald Cron
620cbb9bf5
Merge pull request #5262 from xffbai/code-align-backport2.x
...
Backport 2.x: Fix (d)tls1_2 into (d)tls12 in version options
2021-12-09 16:26:24 +01:00
Manuel Pégourié-Gonnard
c3319e73db
Merge pull request #5189 from gilles-peskine-arm/struct_reordering_2.x
...
Backport 2.x: Reorder structure fields to maximize usage of immediate offset access
2021-12-09 12:54:13 +01:00
Manuel Pégourié-Gonnard
218abe081c
Merge pull request #5284 from gabor-mezei-arm/4926_bp2x_base64_move_constant-time_functions
...
[Backport 2.x] Move base64 constant-time functions to the new module
2021-12-09 12:40:24 +01:00
Gabor Mezei
00e08a3a21
Update generated files
...
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-09 10:05:48 +01:00
Manuel Pégourié-Gonnard
9ac32eb123
Merge pull request #863 from davidhorstmann-arm/2.x-fix-session-copy-bug
...
Backport 2.x: [session] fix a session copy bug
2021-12-09 09:21:33 +01:00
Gabor Mezei
3a755f511f
Add documentation for the functions
...
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-08 16:24:22 +01:00
Gabor Mezei
46ca2f76c4
Unify function parameters
...
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-08 16:22:45 +01:00
Gabor Mezei
df29332d4b
Make mbedtls_ct_uchar_mask_of_range function static
...
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-08 16:20:39 +01:00
Gabor Mezei
f554ce21b8
Delete base64_invasive.h due to functions are moved to the constant-time module
...
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-08 16:20:27 +01:00
Gabor Mezei
3d4dba84b7
Move mbedtls_ct_base64_dec_value function to the constant-time module
...
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-08 16:20:16 +01:00
Gabor Mezei
200708d30a
Move mbedtls_ct_base64_enc_char function to the constant-time module
...
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-08 16:20:04 +01:00
Gabor Mezei
46f79c388d
Move mbedtls_ct_uchar_mask_of_range function to the constant-time module
...
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-08 16:19:41 +01:00
Gabor Mezei
7464f37e7b
Rename functions to have suitable name
...
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-08 16:19:23 +01:00
David Horstmann
0add7f96ac
Add changelog entry for session copy bugfix
...
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2021-12-08 13:29:55 +00:00
Manuel Pégourié-Gonnard
9a4a9c66a4
Merge pull request #860 from ronald-cron-arm/fix-cipher-iv_2.x
...
Backport 2.x: Avoid using encryption output buffer to pass generated IV to PSA driver
2021-12-08 13:30:11 +01:00
吴敬辉
0f6c6bc0dc
[session] fix a session copy bug
...
fix a possible double reference on 'ticket'
when peer_cert/peer_cert_digest calloc failed.
Signed-off-by: 吴敬辉 <11137405@vivo.com>
2021-12-07 17:27:31 +00:00
David Horstmann
b56f38f57b
Reword documentation of CMAC operations
...
Change the wording of the documentation for some CMAC functions,
as the existing wording, while technically correct, can be
easy to misunderstand. The reworded docs explain the flow of
a CMAC computation a little more fully.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2021-12-07 12:16:33 +00:00
Gilles Peskine
582f2398d4
Merge pull request #5167 from tom-cosgrove-arm/fix-builds-with-only-mbedtls_bignum_c-defined
...
Backport 2.x: Fix builds when config.h only defines MBEDTLS_BIGNUM_C
2021-12-07 12:38:04 +01:00
Ronald Cron
e7a5e985ae
Add change log
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-07 09:23:27 +01:00
Gilles Peskine
ad47e6d160
Add changelog entry for build error fixes
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-06 20:58:51 +01:00
Gilles Peskine
1e313165f3
Merge pull request #5258 from gilles-peskine-arm/pip-requirements-2.x
...
Backport 2.x: In-tree Python package requirements
2021-12-03 17:25:56 +01:00