Compilation and test for the `MBEDTLS_RSA_NO_CRT` option were
previously guarded by a check for 64-bit systems, for which there
is no reason. This commit moves both outside of the guard.
* development:
all.sh: add some documentation
all.sh: new option --no-armcc
all.sh: add --yotta to go with --no-yotta
all.sh: --keep-going mode
all.sh: cleaned up usage output
all.sh: indent
* public/pr/1207:
all.sh: add some documentation
all.sh: new option --no-armcc
all.sh: add --yotta to go with --no-yotta
all.sh: --keep-going mode
all.sh: cleaned up usage output
all.sh: indent
* development:
Timing self test: shorten redundant tests
Timing self test: increased duration
Timing self test: increased tolerance
Timing unit tests: more protection against infinite loops
Unit test for mbedtls_timing_hardclock
New timing unit tests
selftest: allow excluding a subset of the tests
selftest: allow running a subset of the tests
selftest: refactor to separate the list of tests from the logic
Timing self test: print some diagnosis information
mbedtls_timing_get_timer: don't use uninitialized memory
timing interface documentation: minor clarifications
Timing: fix mbedtls_set_alarm(0) on Unix/POSIX
* public/pr/1136:
Timing self test: shorten redundant tests
Timing self test: increased duration
Timing self test: increased tolerance
Timing unit tests: more protection against infinite loops
Unit test for mbedtls_timing_hardclock
New timing unit tests
selftest: allow excluding a subset of the tests
selftest: allow running a subset of the tests
selftest: refactor to separate the list of tests from the logic
Timing self test: print some diagnosis information
mbedtls_timing_get_timer: don't use uninitialized memory
timing interface documentation: minor clarifications
Timing: fix mbedtls_set_alarm(0) on Unix/POSIX
* Correct order of sections in ChangeLog
* Restore unintentionally removed whitespace and
formatting improvements.
* Consistently rename MBEDTLS_ERR_RSA_EXPORT_UNSUPPORTED
to MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION in rsa.h
documentation.
During the work on the RSA change the issue was brought up,
and a fix was provided on development, that some RSA tests
use CTR DRBG and depend on the presence of a strong entropy
source to succeed. The RSA work introduced more tests using
CTR DRBG, and the dependency needs to be added for them, too.
Add --keep-going mode to all.sh. In this mode, if a test fails, keep
running the subsequent tests. If a build fails, skip any tests of this
build and move on to the next tests. Errors in infrastructure, such as
git or cmake runs, remain fatal. Print an error summary at the end of
the run, and return a nonzero code if there was any failure.
In known terminal types, use color to highlight errors.
On a fatal signal, interrupt the run and report the errors so far.
If timing_timer_simple fails because it detects that timers are likely
to never expire (e.g. going backward or not incrementing), skip all
tests that rely on timers.
Do test mbedtls_timing_hardclock. We can't reliably test much about
it, but at least test that it doesn't crash, isn't constant, and
doesn't look completely random.
New set of unit tests for the timing module, instead of just running
the selftest function.
The selftest function sometimes fails on a heavily loaded
machine (such as a typical continuous integration system). Because of
the all-in-one nature of the test and because the exact load pattern
can be hard to reproduce, it is difficult to diagnose failures of CI
runs with selftest. The new tests are more separated and I strove to
point out potential failure modes in comments.
* mbedtls_timing_hardclock: not tested. This function gives so few
guarantees that there isn't much to test, and it is hard to test
reliably because clock cycles don't easily relate to time in any
remotely portable way. This function isn't used in the library
anyway, it's only there for benchmark programs.
* mbedtls_timing_get_timer: tested by setting a timer and verifying
that it reaches its target, and by verifying that a timer started
later than another always has a smaller elapsed time.
* mbedtls_set_alarm: tested by setting an alarm, busy-waiting for it
and measuring the elapsed time with a timer.
* mbedtls_timing_set_delay, mbedtls_timing_get_delay: tested by
setting a delay object and watching it go through its two delay
values, using a timer to check that the delays are passed at the
expected time.
The tests pass under light to moderate load, but some of them can be
defeated with sufficiently heavy load. This is unavoidable since the
test process to be effectively suspended for any length of time,
making us think that a timer has gone on for too long.
* development:
Don't split error code description across multiple lines
Register new error code in error.h
Move deprecation to separate section in ChangeLog
Extend scope of ERR_RSA_UNSUPPORTED_OPERATION error code
Adapt RSA test suite
Adapt ChangeLog
Deprecate usage of RSA primitives with wrong key type
* restricted/pr/397:
Don't split error code description across multiple lines
Register new error code in error.h
Move deprecation to separate section in ChangeLog
Extend scope of ERR_RSA_UNSUPPORTED_OPERATION error code
Adapt RSA test suite
Adapt ChangeLog
Deprecate usage of RSA primitives with wrong key type
Port wait_server_start from ssl-opt.sh to compat.sh, instead of just
using "sleep 1". This solves the problem that on a heavily loaded
machine, sleep 1 is sometimes not enough (we had CI failures because
of this). This is also faster on a lightly-loaded machine (execution
time reduced from ~8min to ~6min on my machine).
In wait_server_start, fork less. When lsof is present, call it on the
expected process. This saves a few percent of execution time on a
lightly loaded machine. Also, sleep for a short duration rather than
using a tight loop.
Add a DTLS small packet test for each of the following combinations:
- DTLS version: 1.0 or 1.2
- Encrypt then MAC extension enabled
- Truncated HMAC extension enabled
Large packets tests for DTLS are currently not possible due to parameter
constraints in ssl_server2.
This commit ensures that there is a small packet test for at least any
combination of
- SSL/TLS version: SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2
- Stream cipher (RC4) or Block cipher (AES)
- Usage of Encrypt then MAC extension [TLS only]
- Usage of truncated HMAC extension [TLS only]
Noticed that the test cases in ssl-opt.sh exercising the truncated HMAC
extension do not depend on MBEDTLS_SSL_TRUNCATED_HMAC being enabled in
config.h. This commit fixes this.
Previously, MAC validation for an incoming record proceeded as follows:
1) Make a copy of the MAC contained in the record;
2) Compute the expected MAC in place, overwriting the presented one;
3) Compare both.
This resulted in a record buffer overflow if truncated MAC was used, as in this
case the record buffer only reserved 10 bytes for the MAC, but the MAC
computation routine in 2) always wrote a full digest.
For specially crafted records, this could be used to perform a controlled write of
up to 6 bytes past the boundary of the heap buffer holding the record, thereby
corrupting the heap structures and potentially leading to a crash or remote code
execution.
This commit fixes this by making the following change:
1) Compute the expected MAC in a temporary buffer that has the size of the
underlying message digest.
2) Compare to this to the MAC contained in the record, potentially
restricting to the first 10 bytes if truncated HMAC is used.
A similar fix is applied to the encryption routine `ssl_encrypt_buf`.
For a key of size 8N+1, check that the first byte after applying the
public key operation is 0 (it could have been 1 instead). The code was
incorrectly doing a no-op check instead, which led to invalid
signatures being accepted. Not a security flaw, since you would need the
private key to craft such an invalid signature, but a bug nonetheless.
The check introduced by the previous security fix was off by one. It
fixed the buffer overflow but was not compliant with the definition of
PSS which technically led to accepting some invalid signatures (but
not signatures made without the private key).
Fix buffer overflow in RSA-PSS signature verification when the hash is
too large for the key size. Found by Seth Terashima, Qualcomm.
Added a non-regression test and a positive test with the smallest
permitted key size for a SHA-512 hash.
1) use `pk_get_rsapubkey` instead of reimplementing the parsing
2) rename the key files, according to their type and key size
3) comment in the data_files/Makefile hoe the keys were generated
4) Fix issue of failure parsing pkcs#1 DER format parsing, missed in previous commit
This commit adds regression tests for the bug when we didn't parse the
Signature Algorithm extension when renegotiating. (By nature, this bug
affected only the server)
The tests check for the fallback hash (SHA1) in the server log to detect
that the Signature Algorithm extension hasn't been parsed at least in
one of the handshakes.
A more direct way of testing is not possible with the current test
framework, since the Signature Algorithm extension is parsed in the
first handshake and any corresponding debug message is present in the
logs.
The test case parses an RSA private key with N=P=Q=D=E=1 and expects a failure from the PK layer. With the weakened
semantics of `mbedtls_rsa_complete`, the latter won't throw an error on that key in case if MBEDTLS_RSA_NO_CRT is
set. This commit modifies the test case to use N=2 which is rejected by `mbedtls_rsa_complete` regardless of whether
MBEDTLS_RSA_NO_CRT is set or not.
The number of loop iterations per candidate in `mbedtls_deduce_primes` was off
by one. This commit corrects this and removes a toy non-example from the RSA
test suite, as it seems difficult to have the function fail on small values of N
even if D,E are corrupted.
This commit adds regression tests for the bug when we didn't parse the
Signature Algorithm extension when renegotiating. (By nature, this bug
affected only the server)
The tests check for the fallback hash (SHA1) in the server log to detect
that the Signature Algorithm extension hasn't been parsed at least in
one of the handshakes.
A more direct way of testing is not possible with the current test
framework, since the Signature Algorithm extension is parsed in the
first handshake and any corresponding debug message is present in the
logs.
This commit splits off the RSA helper functions into separate headers and
compilation units to have a clearer separation of the public RSA interface,
intended to be used by end-users, and the helper functions which are publicly
provided only for the benefit of designers of alternative RSA implementations.
The tests now accept two result parameters, one for the expected result of the
completion call, and one for the expected result of the subsequent sanity
check.
DTLS records from previous epochs were incorrectly checked against the
current epoch transform's minimal content length, leading to the
rejection of entire datagrams. This commit fixed that and adapts two
test cases accordingly.
Internal reference: IOTSSL-1417
It seems that tests from ssl-opt.sh are sometimes failing because
the server is killed before its output has been finalized. This commit
adds a small delay in ssl-opt.sh before killing the server to prevent
that.
ssl-opt.sh checks whether the client, server and proxy commands are
names of executable files, forbidding the use of default arguments by
by e.g. setting P_SRV="ssl_server2 debug_level=3". This commit relaxes
this check, only considering the part of the command string prior to
the first whitespace.
The change modifies the template code in tests/suites/helpers.function
and tests/suites/main.function so that error messages are printed to
stdout instead of being discarded. This makes errors visible regardless
of the --verbose flag being passed or not to the test suite programs.
The change modifies the template code in tests/suites/helpers.function
and tests/suites/main.function so that error messages are printed to
stdout instead of being discarded. This makes errors visible regardless
of the --verbose flag being passed or not to the test suite programs.
Add a test to ssl-opt.sh that parses the client and server debug
output and then checks that the Unix timestamp in the ServerHello
message is within acceptable bounds.
Extend the run_test function in ssl-opt.sh so that it accepts the -f
and -F options. These parameters take an argument which is the name of
a shell function that will be called by run_test and will be given the
client input and output debug log. The idea is that these functions are
defined by each test and they can be used to do some custom check
beyon those allowed by the pattern matching capabilities of the
run_test function.
Add a test case calling ssl_set_hostname twice to test_suite_ssl.
When run in CMake build mode ASan, this catches the current leak,
but will hopefully be fine with the new version.
Add a test to ssl-opt.sh that parses the client and server debug
output and then checks that the Unix timestamp in the ServerHello
message is within acceptable bounds.
Extend the run_test function in ssl-opt.sh so that it accepts the -f
and -F options. These parameters take an argument which is the name of
a shell function that will be called by run_test and will be given the
client input and output debug log. The idea is that these functions are
defined by each test and they can be used to do some custom check
beyon those allowed by the pattern matching capabilities of the
run_test function.
As the new PKCS v1.5 verification function opaquely compares an expected encoding to the given one, it cannot
distinguish multiple reasons of failure anymore and instead always returns MBEDTLS_ERR_RSA_VERIFY_FAILED. This
necessitates some modifications to the expected return values of some tests verifying signatures with bad padding.
This commit adds some tests to the RSA test suite verifying that RSA PKCS-v15 signatures with non-reduced length
encodings are refuted. Details are provided via comments in the test suite data file.
Add a test case calling ssl_set_hostname twice to test_suite_ssl.
When run in CMake build mode ASan, this catches the current leak,
but will hopefully be fine with the new version.
This commit adds a flag to the RSA import/export tests indicating whether it is
expected that a full RSA keypair can be set up from the provided parameters.
Further, the tests of `mbedtls_rsa_import` and `mbedtls_rsa_import_raw` are
expanded to perform key checks and an example encryption-decryption.
Some tests in ssl-opt.sh require MBEDTLS_SSL_MAX_CONTENT_LEN to be set to its
default value of 16384 to succeed. While ideally such a dependency should not
exist, as a short-term remedy this commit adds a small check that will at least
lead to graceful exit if that assumption is violated.
A bug in the dhm_check_range() function makes it pass even when the
parameters are not in the range. This commit adds tests for signalling
this problem as well as a couple of other negative tests.
This commit adds four tests to ssl-opt.sh testing the library's behavior when
`mbedtls_ssl_write` is called with messages beyond 16384 bytes. The combinations
tested are TLS vs. DTLS and MBEDTLS_SSL_MAX_FRAGMENT_LENGTH enabled vs. disabled.
This commit adds a build with default config except
MBEDTLS_SSL_MAX_FRAGMENT_LENGTH to all.sh, as well as a run of the MFL-related
tests in ssl-opt.sh.
This commit renames the test-only flag MBEDTLS_ENTROPY_HAVE_STRONG to ENTROPY_HAVE_STRONG to make it more transparent
that it's an internal flag, and also to content the testscript tests/scripts/check-names.pl which previously complained
about the macro occurring in a comment in `entropy.c` without being defined in a library file.
Previously, 2048-bit and 4096-bit RSA key files had their bitsize indicated in their filename, while the original
1024-bit keys hadn't. This commit unifies the naming scheme by always indicating the bitsize in the filename.
For uniformity, this commit adds tests for DER encoded, SHA1-2DES and SHA1-RC4-128-encrypted RSA keys; for SHA1-3DES encrypted keys, these were already present.
This commit adds the commands used to generate the various RSA keys to tests/Makefile so that they can be easily
regenerated or modified, e.g. if larger key sizes or other encryption algorithms need to be tested in the future.
* mbedtls-2.6: (27 commits)
Update version number to 2.6.0
Fix language in Changelog for clarity
Improve documentation of PKCS1 decryption functions
Fix style and missing item in ChangeLog
Add credit to Changelog to fix for #666
Fix naked call to time() with platform call
Fix ChangeLog for duplication after merge
Rename time and index parameter to avoid name conflict.
Correct comment
Adapt ChangeLog
Reliably zeroize sensitive data in AES sample application
Reliably zeroize sensitive data in Crypt-and-Hash sample application
Fix potential integer overflow parsing DER CRT
Fix potential integer overflow parsing DER CRL
Move the git scripts to correct path
Update after @sbutcher-arm comments
Fix slash direction for linux path
Add note for the git_hoos README file
Pre push hook script
Check return code of mbedtls_mpi_fill_random
...
This commit adds test for the new library function mbedtls_rsa_check_params for
checking a set of RSA core parameters. There are some toy example tests with
small numbers that can be verified by hand, as well as tests with real world
numbers. Complete, partial and corrupted data are tested, as well the check for
primality exactly if a PRNG is provided.
This commit adds tests for the new library function mbedtls_rsa_export_raw.
Each test case performs the following steps:
- Parse and convert a set of hex-string decoded core RSA parameters into big
endian byte arrays.
- Use these to initialize an RSA context
- Export core RSA parameters as byte arrays again afterwards
- Compare byte strings.
Each test split is performed twice, once with successive and once with
simultaneous exporting.
This commit adds tests for the new library function mbedtls_rsa_export. Each
test case performs the following steps:
- Parse and convert a set of hex-string decoded core RSA parameters into MPI's.
- Use these to initialize an RSA context
- Export core RSA parameters as MPI's again afterwards
- Compare initial MPI's to exported ones.
In the private key case, all core parameters are exported and sanity-checked,
regardless of whether they were also used during setup.
Each test split is performed twice, once with successive and once with
simultaneous exporting.
This commit adds numerous tests for the new library functions mbedtls_rsa_import
and mbedtls_rsa_import_raw in conjunction with mbedtls_rsa_complete for
importing and completing core sets of core RSA parameters (N,P,Q,D,E) into an
RSA context, with the importing accepting either MPI's or raw big endian
buffers.
Each test is determined by the following parameters:
1) Set of parameters provided
We're testing full sets (N,P,Q,D,E), partial sets (N,-,-,D,E) and (N,P,Q,-,E)
that are sufficient to generate missing parameters, and the partial and
insufficient set (N, -, Q, -, E).
2) Simultaenous or successive importing
The functions rsa_import and rsa_import_raw accept importing parameters at
once or one after another. We test both.
3) Sanity of parameters
This commit adds test for the new library function mbedtls_rsa_deduce_moduli for
deducing the prime factors (P,Q) of an RSA modulus N from knowledge of a
pair (D,E) of public and private exponent:
- Two toy examples that can be checked by hand, one fine and with bad parameters.
- Two real world examples, one fine and one with bad parameters.
This commit adds tests for the new library function mbedtls_rsa_deduce_private
for deducing the private RSA exponent D from the public exponent E and the
factorization (P,Q) of the RSA modulus:
- Two toy examples with small numbers that can be checked by hand, one
working fine and another failing due to bad parameters.
- Two real world examples, one fine and one with bad parameters.
The fact that you needed to pass a pointer to mbedtls_ecdsa_restart_ctx (or
that you needed to know the key type of the PK context) was a breach of
abstraction.
Change the API (and callers) now, and the implementation will be changed in
the next commit.
For selection of test cases, see comments added in the commit.
It makes the most sense to test with chains using ECC only, so for the chain
of length 2 we use server10 -> int-ca3 -> int-ca2 and trust int-ca2 directly.
Note: server10.crt was created by copying server10_int3_int-ca2.crt and
manually truncating it to remove the intermediates. That base can now be used
to create derived certs (without or with a chain) in a programmatic way.
This is mainly for the benefit of SSL modules, which only supports restart in
a limited number of cases. In the other cases (ECDHE_PSK) it would currently
return ERR_ECP_IN_PROGRESS and the user would thus call ssl_handshake() again,
but the SSL code wouldn't handle state properly and things would go wrong in
possibly unexpected ways. This is undesirable, so it should be possible for
the SSL module to choose if ECDHE should behave the old or the new way.
Not that it also brings ECDHE more in line with the other modules which
already have that choice available (by passing a NULL or valid restart
context).
Test relies on deterministic signature as this uses plain sig internally, so
if deterministic works, then so does non-deterministic, while the reciprocal
is false. (Also, deterministic is enabled by default in config.h.)
Test case is taken from a RFC 6979 test vector, just manually converting (r,s)
to the encoded signature.
This was intended to detect aborted operations, but now that case is handled
by the caller freeing the restart context.
Also, as the internal sub-context is managed by the callee, no need for the
caller to free/reset the restart context between successful calls.
Following discussion in the team, it was deemed preferable for the restart
context to be explicitly managed by the caller.
This commits in the first in a series moving in that directly: it starts by
only changing the public API, while still internally using the old design.
Future commits in that series will change to the new design internally.
The test function was simplified as it no longer makes sense to test for some
memory management errors since that responsibility shifted to the caller.
In case of argument change, freeing everything is not the most efficient
(wastes one free()+calloc()) but makes the code simpler, which is probably
more important here
We'll need to store MPIs and other things that allocate memory in this
context, so we need a place to free it. We can't rely on doing it before
returning from ecp_mul() as we might return MBEDTLS_ERR_ECP_IN_PROGRESS (thus
preserving the context) and never be called again (for example, TLS handshake
aborted for another reason). So, ecp_group_free() looks like a good place to
do this, if the restart context is part of struct ecp_group.
This means it's not possible to use the same ecp_group structure in different
threads concurrently, but:
- that's already the case (and documented) for other reasons
- this feature is precisely intended for environments that lack threading
An alternative option would be for the caller to have to allocate/free the
restart context and pass it explicitly, but this means creating new functions
that take a context argument, and putting a burden on the user.
Our current behaviour is a bit inconsistent here:
- when the bad signature is made by a trusted CA, we stop here and don't
include the trusted CA in the chain (don't call vrfy on it)
- otherwise, we just add NOT_TRUSTED to the flags but keep building the chain
and call vrfy on the upper certs
This ensures that the callback can actually clear that flag, and that it is
seen by the callback at the right level. This flag is not set at the same
place than others, and this difference will get bigger in the upcoming
refactor, so let's ensure we don't break anything here.
When a trusted CA is rolling its root keys, it could happen that for some
users the list of trusted roots contains two versions of the same CA with the
same name but different keys. Currently this is supported but wasn't tested.
Note: the intermediate file test-ca-alt.csr is commited on purpose, as not
commiting intermediate files causes make to regenerate files that we don't
want it to touch.
As we accept EE certs that are explicitly trusted (in the list of trusted
roots) and usually look for parent by subject, and in the future we might want
to avoid checking the self-signature on trusted certs, there could a risk that we
incorrectly accept a cert that looks like a trusted root except it doesn't
have the same key. This test ensures this will never happen.
The tests cover chains of length 0, 1 and 2, with one error, located at any of
the available levels in the chain. This exercises all three call sites of
f_vrfy (two in verify_top, one in verify_child). Chains of greater length
would not cover any new code path or behaviour that I can see.
So far there was no test ensuring that the flags passed to the vrfy callback
are correct (ie the flags for the current certificate, not including those of
the parent).
Actual tests case making use of that test function will be added in the next
commit.