Commit Graph

7291 Commits

Author SHA1 Message Date
Gilles Peskine
a8359398a4
Merge pull request #3144 from gilles-peskine-arm/unmet_dependencies-verbose_only-2.7
[2.7 only] Note that unmet_dependencies is only filled in verbose mode
2020-04-02 15:18:31 +02:00
Manuel Pégourié-Gonnard
aa45abfca6 Allow alternative ctags versions in Makefile
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-04-02 12:52:59 +02:00
Manuel Pégourié-Gonnard
1313bc9e0e Improve ctags invocation in Makefile
Adding .function was necessary, as otherwise ctags would have no idea what to
do with those files.

Adding .h may not be necessary, as by default ctags considers them C++ which
is probably good enough, but since we're tuning the mapping anyway...

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-04-02 11:54:12 +02:00
Manuel Pégourié-Gonnard
48abf39a83
Merge pull request #3137 from sbutcher-arm/additional-config-checks-2.7
Backport 2.7: Add additional sanity checks to check_config.h
2020-04-01 12:24:19 +02:00
Manuel Pégourié-Gonnard
54587fcf9b Fix leakage of projective coordinates in ECC
See the comments in the code for how an attack would go, and the ChangeLog
entry for an impact assessment. (For ECDSA, leaking a few bits of the scalar
over several signatures translates to full private key recovery using a
lattice attack.)

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-04-01 11:28:08 +02:00
Gilles Peskine
67665509ab Note that unmet_dependencies is only filled in verbose mode
Warn about a gotcha that caused a bug in development.

Ensure that it's at least zeroed out, rather than uninitialized, in
non-verbose mode.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-04-01 09:59:54 +02:00
Manuel Pégourié-Gonnard
6062b49d29 Fix bug in handling of DTLS client hard reconnect
We keep track of the current epoch and record sequence number in out_ctr,
which was overwritten when writing the record containing the
HelloVerifyRequest starting from out_buf. We can avoid that by only using the
rest of the buffer.

Using MBEDTLS_SSL_MAX_CONTENT_LEN as the buffer size is still correct, as it
was a pretty conservative value when starting from out_buf.

Note: this bug was also fixed unknowingly in 2.13 by introducing a new buffer
that holds the current value of the sequence number (including epoch), while
working on datagram packing: 198594709b

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-31 13:04:19 +02:00
Manuel Pégourié-Gonnard
4bbbdc36bc Improve debug logging of client hard reconnect
The current logging was sub-standard, in particular there was no trace
whatsoever of the HelloVerifyRequest being sent. Now it's being logged with
the usual levels: 4 for full content, 2 return of f_send, 1 decision about
sending it (or taking other branches in the same function) because that's the
same level as state changes in the handshake, and also same as the "possible
client reconnect" message" to which it's the logical continuation (what are we
doing about it?).

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-31 12:46:23 +02:00
Manuel Pégourié-Gonnard
7ef7bf39c4 Fix some style issues in udp_proxy
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-31 12:46:13 +02:00
Manuel Pégourié-Gonnard
b1ee30bfe9 Adjust timeout of tests with "no resend" assertions
There are currently 4 tests in ssl-opt.sh with either -C "resend" or -S
"resend", that is, asserting that no retransmission will occur. They sometimes
fail on loaded CI machines as one side doesn't send a message fast enough,
causing the other side to retransmit, causing the test to fail.

(For the "reconnect" test there was an other issue causing random failures,
fixed in a previous commit, but even after that fix the test would still
sometimes randomly fail, even if much more rarely.)

While it's a hard problem to fix in a general and perfect way, in practice the
probability of failures can be drastically reduced by making the timeout
values much larger.

For some tests, where retransmissions are actually expected, this would have
the negative effect of increasing the average running time of the test, as
each side would wait for longer before it starts retransmission, so we have a
trade-off between average running time and probability of spurious failures.

But for tests where retransmission is not expected, there is no such trade-off
as the expected running time of the test (assuming the code is correct most of
the time) is not impacted by the timeout value. So the only negative effect of
increasing the timeout value is on the worst-case running time on the test,
which is much less important, as test should only fail quite rarely.

This commit addresses the easy case of tests that don't expect retransmission
by increasing the value of their timeout range to 10s-20s. This value
corresponds to the value used for tests that assert `-S "autoreduction"` which
are in the same case and where the current value seems acceptable so far.

It also represents an increase, compared to the values before this commit, of
a factor 20 for the "reconnect" tests which were frequently observed to fail
in the CI, and of a factor 10 for the first two "DTLS proxy" tests, which were
observed to fail much less frequently, so hopefully the new values are enough
to reduce the probability of spurious failures to an acceptable level.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-31 09:57:45 +02:00
Manuel Pégourié-Gonnard
a58b04649b Add negative test for hard reconnect cookie check
The server must check client reachability (we chose to do that by checking a
cookie) before destroying the existing association (RFC 6347 section 4.2.8).
Let's make sure we do, by having a proxy-in-the-middle inject a ClientHello -
the server should notice, but not destroy the connection.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-31 09:57:45 +02:00
Manuel Pégourié-Gonnard
d1bd2ac196
Merge pull request #3107 from mpg/3013-2.7
[backport 2.7] Fix function name in error message
2020-03-31 09:53:37 +02:00
Simon Butcher
2c3351e54e Correct comment on the configuration option in x509.c
In x509.c, the self-test code is dependent on MBEDTLS_CERTS_C and
MBEDTLS_SHA256_C being enabled. At some point in the recent past that dependency
was on MBEDTLS_SHA1_C but changed to SHA256, but the comment wasn't updated.

This commit updates the comment.

Signed-off-by: Simon Butcher <simon.butcher@arm.com>
2020-03-28 00:43:40 +00:00
Simon Butcher
048c8f91c7 Add additional sanity checks to check_config.h
Additional sanity checks in check_config.h to ensure:
    * if test certificates are included (MBEDTLS_CERTS_C) there must be also be
      support for the core X509 feature (MBEDTLS_X509_USE_C). This has a
      secondary dependency on the public key abstraction layer (MBEDTLS_PK_C),
      necessary as the certificates will either be signed by RSA or ECDSA, and
      therefore need to be part of the library.
    * if any of the TLS protocols are defined (MBEDTLS_SSL_PROTO_xxx) then a
      key exchange method must also be defined (MBEDTLS_KEY_EXCHANGE_xxx).

Anyone who knows the library will probably not make these mistakes or will
quickly diagnose and fix them, but it is possible to compile and link both
configurations if you build only the library and not the example programs, and
therefore users may not realise immediately that there's a mistake, only
discovering it at runtime.

These checks may therefore save someone some time.

Signed-off-by: Simon Butcher <simon.butcher@arm.com>
2020-03-28 00:43:29 +00:00
Gilles Peskine
f3037ec2da
Merge pull request #3115 from mpg/ssl-opt-names-2.7
[Backport 2.7] Improve some test names in ssl-opt.sh
2020-03-24 19:48:22 +01:00
Manuel Pégourié-Gonnard
d6e4454de8 Improve some test names in ssl-opt.sh
- "Default" should only be used for tests that actually use the defaults (ie,
  not passing options on the command line, except maybe debug/dtls)
- All tests in the "Encrypt then MAC" group should start with that string as a
  common prefix

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-24 10:58:20 +01:00
Ercan Ozturk
ab713a9916 Fix debug message by using the correct function name called
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-19 12:09:21 +01:00
Manuel Pégourié-Gonnard
eb22ad2ddc
Merge pull request #2440 from andresag01/mbedtls-2.7-iotssl-2544-deprecate-record-accel
Backport 2.7: Fix compilation failure when MBEDTLS_SSL_HW_RECORD_ACCEL is enabled
2020-03-16 10:37:32 +01:00
Jaeden Amero
daac4e4bdb
Merge pull request #3091 from sbutcher-arm/output-env-pylint-mbedtls-2.7
Backport 2.7: Add Python, Perl and Pylint to output_env.sh
2020-03-10 17:28:37 +04:00
Simon Butcher
8eb64e6895 Fix output_env.sh for varying pylint3 output
`pylint3 --version` will output to stderr the status of the config file it's
using. This can be "No config file found" or "Using config file" or nothing.
This means the pylint version may or may not be on the first line.

Therefore this commit changes the filters on the pylint3 version output to first
strip out the config line, and then to select only the pylint line.

Signed-off-by: Simon Butcher <simon.butcher@arm.com>
2020-03-06 19:34:41 +00:00
Simon Butcher
8277041108 Add Python, Perl and Pylint to output_env.sh
Add the versions of Python, Perl, and Pylint to the version dump provided by
the output_env.sh script.

Signed-off-by: Simon Butcher <simon.butcher@arm.com>
2020-03-06 19:34:22 +00:00
Manuel Pégourié-Gonnard
3756128a65
Merge pull request #3084 from sbutcher-arm/output_env-enhancements-2.7
Backport 2.7: Enhance the `output_env.sh` script with GBD and Distro version
2020-03-05 10:04:19 +01:00
Simon Butcher
d40e603afc Make minor fixes to output_env.sh after review
A number of clean-up improvements following review.
 * removal of redundant `` quotes
 * removal of non-portable echo "\n", in favour of additional echo commands
 * change to use of uname to detemine if the platform is Linux or not
 * revised formatting of output
 * change to dpkg-query from dpkg to find installed libasan variants

Co-Authored-By: Gilles Peskine <gilles.peskine@arm.com>
Signed-off-by: Simon Butcher <simon.butcher@arm.com>
2020-03-04 11:40:08 +00:00
Simon Butcher
870ee827ac Enhance the output_env.sh script
This commit adds additional information to the output_env.sh script of:
  * Linux distribution version (if available)
  * GDB version (if available)

It also makes some information clearer:
  * the type of OpenSSL/GNUTLS version (legacy/default)
  * and whether certain versions are not installed, or not configured

And it simplifies the error messages for absent tools.

Signed-off-by: Simon Butcher <simon.butcher@arm.com>
2020-03-04 11:39:18 +00:00
danh-arm
aaf9c10f26
Merge pull request #3062 from danh-arm/dh/drop-cla-2.7
[backport 2.7] Drop requirement for a CLA
2020-03-03 15:40:04 +00:00
Manuel Pégourié-Gonnard
3f402bca58
Merge pull request #3061 from mpg/skip-close-notify-2.7
[backport 2.7] Fix possible close_notify/ClientHello confusion
2020-03-03 12:12:13 +01:00
Manuel Pégourié-Gonnard
aa719e78ce Align some timeouts with the 2.16 branch in ssl-opt.sh
This commit only addresses the timeouts in the "DTLS proxy: 3d, ..." tests.
The discrepancy with the 2.16 branch became apparent for some of these tests
when backporting the previous commit (skip_close_nofity), so let's align the
whole series for consistency and to make future backporting easier.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-03 10:15:50 +01:00
Manuel Pégourié-Gonnard
5e261e958c Fix possible close_notify/ClientHello confusion
The ssl-opt.sh test cases using session resumption tend to fail occasionally
on the CI due to a race condition in how ssl_server2 and ssl_client2 handle
the reconnection cycle.

The server does the following in order:
- S1 send application data
- S2 send a close_notify alert
- S3 close the client socket
- S4 wait for a "new connection" (actually a new datagram)
- S5 start a handshake

The client does the following in order:
- C1 wait for and read application data from the server
- C2 send a close_notify alert
- C3 close the server socket
- C4 reset session data and re-open a server socket
- C5 start a handshake

If the client has been able to send the close_notify (C2) and if has been
delivered to the server before if closes the client socket (S3), when the
server reaches S4, the datagram that we start the new connection will be the
ClientHello and everything will be fine.

However if S3 wins the race and happens before the close_notify is delivered,
in S4 the close_notify is what will be seen as the first datagram in a new
connection, and then in S5 this will rightfully be rejected as not being a
valid ClientHello and the server will close the connection (and go wait for
another one). The client will then fail to read from the socket and exit
non-zero and the ssl-opt.sh harness will correctly report this as a failure.

In order to avoid this race condition in test using ssl_client2 and
ssl_server2, this commits introduces a new command-line option
skip_close_notify to ssl_client2 and uses it in all ssl-opt.sh tests that use
session resumption with DTLS and ssl_server2.

This works because ssl_server2 knows how many messages it expects in each
direction and in what order, and closes the connection after that rather than
relying on close_notify (which is also why there was a race in the first
place).

Tests that use another server (in practice there are two of them, using
OpenSSL as a server) wouldn't work with skip_close_notify, as the server won't
close the connection until the client sends a close_notify, but for the same
reason they don't need it (there is no race between receiving close_notify and
closing as the former is the cause of the later).

An alternative approach would be to make ssl_server2 keep the connection open
until it receives a close_notify. Unfortunately it creates problems for tests
where we simulate a lossy network, as the close_notify could be lost (and the
client can't retransmit it). We could modify udp_proxy with an option to never
drop alert messages, but when TLS 1.3 comes that would no longer work as the
type of messages will be encrypted.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-03 10:15:26 +01:00
Dan Handley
a225b24f85 Add project description to README.md
Add simple project description to README.md.

Signed-off-by: Dan Handley <dan.handley@arm.com>
2020-03-02 14:06:56 +00:00
Dan Handley
52de9b03e2 Drop requirement for a CLA
The Mbed TLS project no longer requires a CLA. Contributions from now on
must be made under both Apache-2.0 AND GPL-2.0-or-later licenses, to enable
LTS (Long Term Support) branches of the software to continue to be provided
under either Apache-2.0 OR GPL-2.0-or-later. Contributors must accept the
terms of the Developer Certificate of Origin (DCO) by adding a
Signed-off-by: line to each commit message.

The software on the development branch continues to be provided under
Apache-2.0.

Add CONTRIBUTING.md, and update README.md and pull_request_template.md to
explain the new licensing model. Add a copy of the DCO to the project.

Signed-off-by: Dan Handley <dan.handley@arm.com>
2020-03-02 14:06:29 +00:00
Andres Amaya Garcia
bb13e3b8e4 Add test for MBEDTLS_SSL_HW_RECORD_ACCEL in all.sh
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-02-26 10:26:02 +01:00
Andres Amaya Garcia
8758053e80 Fix compilation issue when DTLS and SSL_HW_RECORD_ACCEL are on
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-02-26 10:26:02 +01:00
Janos Follath
72371b2022
Merge pull request #3052 from yanesca/bump-version-2.7.14
Bump version 2.7.14
2020-02-19 17:13:59 +00:00
Janos Follath
46337abf41 Add release info to ChangeLog 2020-02-19 12:09:36 +00:00
Janos Follath
0f22670243 Bump version to Mbed TLS 2.7.14 2020-02-19 12:08:10 +00:00
Gilles Peskine
5fd4339bee
Merge pull request #3049 from mpg/fix-rsa-complete-2.7
[backport 2.7] Fix pk_parse_key()'s use of rsa_complete()
2020-02-19 10:23:17 +01:00
Manuel Pégourié-Gonnard
9c16ede466 Check for buffer overflow in test function 2020-02-19 09:45:02 +01:00
Manuel Pégourié-Gonnard
08f06eb049 Add ChangeLog entries for pk_parse_key() fixes 2020-02-19 09:33:33 +01:00
Manuel Pégourié-Gonnard
609d79ed8e Fix pkparse bug wrt MBEDTLS_RSA_ALT
Some code paths want to access members of the mbedtls_rsa_context structure.
We can only do that when using our own implementation, as otherwise we don't
know anything about that structure.
2020-02-18 11:27:08 +01:00
Manuel Pégourié-Gonnard
355bbc0e70 Test each failure mode of pk_parse_key_pkcs1_der()
(Only the top-level ones, ie, for each call to eg asn1_get_mpi(), ensure
there's at least one test case that makes this call fail in one way, but don't
test the various ways to make asn1_get_mpi fail - that should be covered
elsewhere.)

- the new checks added by the previous commits needed exercising
- existing tests sometimes had wrong descriptions or where passing for the
  wrong reason (eg with the "length mismatch" test, the function actually
failed before reaching the length check)
- while at it, add tests for the rest as well

The valid minimal-size key was generated with:

openssl genrsa 128 2>/dev/null | openssl rsa -outform der 2>/dev/null | xxd -p
2020-02-18 11:27:08 +01:00
Manuel Pégourié-Gonnard
bfd0259d26 Clean up test function pk_parse_key
- remove incorrect compile-time dependency (the individual cases already have
  correct run-time dependency information)
- remove unused argument
- remove unused stack buffer
- remove useless code block
2020-02-18 11:27:08 +01:00
Manuel Pégourié-Gonnard
869e9668dd Check public part when parsing private RSA key 2020-02-18 10:53:13 +01:00
Manuel Pégourié-Gonnard
8cc0491966 Don't pass zero to rsa_complete() as a param
When parsing a PKCS#1 RSAPrivateKey structure, all parameters are always
present. After importing them, we need to call rsa_complete() for the sake of
alternative implementations. That function interprets zero as a signal for
"this parameter was not provided". As that's never the case, we mustn't pass
any zero value to that function, so we need to explicitly check for it.
2020-02-18 10:53:13 +01:00
Manuel Pégourié-Gonnard
37d0dfc0c5
Merge pull request #3030 from gilles-peskine-arm/test-opt-all-2.7
Backport 2.7: Fix and test the full config with gcc and clang
2020-02-11 09:17:14 +01:00
Manuel Pégourié-Gonnard
6cf5931f1d
Merge pull request #3028 from gilles-peskine-arm/mpi_copy_shrink-2.7
Backport 2.7: Improve robustness and testing of mbedtls_mpi_copy
2020-02-06 09:52:18 +01:00
Janos Follath
f53f5085dd
Merge pull request #3035 from yanesca/revert_pr_3011
Revert "Merge pull request #3011 from Patater/dev/jp-bennett/developm…
2020-02-05 15:13:21 +00:00
Janos Follath
b40d60f096 Revert "Merge pull request #3011 from Patater/dev/jp-bennett/development-2.7"
This reverts commit 130e136439, reversing
changes made to 071b3e170e.

stat() will never return S_IFLNK as the file type, as stat() explicitly
follows symlinks.

Fixes #3005.
2020-02-04 14:47:45 +00:00
Janos Follath
5d1171268c
Merge pull request #3020 from mpg/fix-ssl-opt-gnutls-no-sha1-2.7
[backport 2.7] Fix ssl-opt.sh for GnuTLS versions rejecting SHA-1
2020-02-04 11:19:18 +00:00
Manuel Pégourié-Gonnard
ac3c80673f Fix comment to match reality
We can't fix the code to match the comment, so have it the other way round.
2020-02-04 09:52:27 +01:00
Manuel Pégourié-Gonnard
918b25d8fd Revert "Fix certs.c to match the content of the files"
This reverts commit 205e88cb20.
2020-02-04 09:48:08 +01:00