Commit Graph

9181 Commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
498e632b08 Fix possible close_notify/ClientHello confusion
The ssl-opt.sh test cases using session resumption tend to fail occasionally
on the CI due to a race condition in how ssl_server2 and ssl_client2 handle
the reconnection cycle.

The server does the following in order:
- S1 send application data
- S2 send a close_notify alert
- S3 close the client socket
- S4 wait for a "new connection" (actually a new datagram)
- S5 start a handshake

The client does the following in order:
- C1 wait for and read application data from the server
- C2 send a close_notify alert
- C3 close the server socket
- C4 reset session data and re-open a server socket
- C5 start a handshake

If the client has been able to send the close_notify (C2) and if has been
delivered to the server before if closes the client socket (S3), when the
server reaches S4, the datagram that we start the new connection will be the
ClientHello and everything will be fine.

However if S3 wins the race and happens before the close_notify is delivered,
in S4 the close_notify is what will be seen as the first datagram in a new
connection, and then in S5 this will rightfully be rejected as not being a
valid ClientHello and the server will close the connection (and go wait for
another one). The client will then fail to read from the socket and exit
non-zero and the ssl-opt.sh harness will correctly report this as a failure.

In order to avoid this race condition in test using ssl_client2 and
ssl_server2, this commits introduces a new command-line option
skip_close_notify to ssl_client2 and uses it in all ssl-opt.sh tests that use
session resumption with DTLS and ssl_server2.

This works because ssl_server2 knows how many messages it expects in each
direction and in what order, and closes the connection after that rather than
relying on close_notify (which is also why there was a race in the first
place).

Tests that use another server (in practice there are two of them, using
OpenSSL as a server) wouldn't work with skip_close_notify, as the server won't
close the connection until the client sends a close_notify, but for the same
reason they don't need it (there is no race between receiving close_notify and
closing as the former is the cause of the later).

An alternative approach would be to make ssl_server2 keep the connection open
until it receives a close_notify. Unfortunately it creates problems for tests
where we simulate a lossy network, as the close_notify could be lost (and the
client can't retransmit it). We could modify udp_proxy with an option to never
drop alert messages, but when TLS 1.3 comes that would no longer work as the
type of messages will be encrypted.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-02-26 09:33:05 +01:00
Janos Follath
0fce215851
Merge pull request #3053 from yanesca/bump-version-2.16.5
Bump version 2.16.5
2020-02-19 17:14:10 +00:00
Janos Follath
04039a5893 Add release info to ChangeLog 2020-02-19 12:12:38 +00:00
Janos Follath
334cf59930 Bump version to Mbed TLS 2.16.5 2020-02-19 12:03:00 +00:00
Gilles Peskine
0b59b6d82d
Merge pull request #3048 from mpg/fix-rsa-complete-2.16
[backport 2.16] Fix pk_parse_key()'s use of rsa_complete()
2020-02-19 10:23:11 +01:00
Manuel Pégourié-Gonnard
6444d1557d Add ChangeLog entries for pk_parse_key() fixes 2020-02-19 09:31:38 +01:00
Manuel Pégourié-Gonnard
d09fcdedb9 Fix pkparse bug wrt MBEDTLS_RSA_ALT
Some code paths want to access members of the mbedtls_rsa_context structure.
We can only do that when using our own implementation, as otherwise we don't
know anything about that structure.
2020-02-18 10:49:06 +01:00
Manuel Pégourié-Gonnard
96ed13e21b Test each failure mode of pk_parse_key_pkcs1_der()
(Only the top-level ones, ie, for each call to eg asn1_get_mpi(), ensure
there's at least one test case that makes this call fail in one way, but don't
test the various ways to make asn1_get_mpi fail - that should be covered
elsewhere.)

- the new checks added by the previous commits needed exercising
- existing tests sometimes had wrong descriptions or where passing for the
  wrong reason (eg with the "length mismatch" test, the function actually
failed before reaching the length check)
- while at it, add tests for the rest as well

The valid minimal-size key was generated with:

openssl genrsa 128 2>/dev/null | openssl rsa -outform der 2>/dev/null | xxd -p
2020-02-18 10:49:06 +01:00
Manuel Pégourié-Gonnard
12fb9c383d Clean up test function pk_parse_key
- remove incorrect compile-time dependency (the individual cases already have
  correct run-time dependency information)
- remove unused argument
- remove unused stack buffer
- remove useless code block
2020-02-18 10:49:06 +01:00
Manuel Pégourié-Gonnard
25bb8dc228 Check public part when parsing private RSA key 2020-02-18 10:49:06 +01:00
Manuel Pégourié-Gonnard
9ab0305700 Don't pass zero to rsa_complete() as a param
When parsing a PKCS#1 RSAPrivateKey structure, all parameters are always
present. After importing them, we need to call rsa_complete() for the sake of
alternative implementations. That function interprets zero as a signal for
"this parameter was not provided". As that's never the case, we mustn't pass
any zero value to that function, so we need to explicitly check for it.
2020-02-18 10:49:06 +01:00
Manuel Pégourié-Gonnard
a59988e197
Merge pull request #3029 from gilles-peskine-arm/test-opt-all-2.16
Backport 2.16: Fix and test the full config with gcc and clang
2020-02-11 09:17:09 +01:00
Manuel Pégourié-Gonnard
8d9b1c471c
Merge pull request #3027 from gilles-peskine-arm/mpi_copy_shrink-2.16
Backport 2.16: Improve robustness and testing of mbedtls_mpi_copy
2020-02-06 09:52:11 +01:00
Janos Follath
b458b1f552
Merge pull request #3034 from yanesca/revert_pr_3012
Revert "Merge pull request #3012 from Patater/dev/jp-bennett/developm…
2020-02-05 15:13:02 +00:00
Janos Follath
cabf0eed66 Revert "Merge pull request #3012 from Patater/dev/jp-bennett/development-2.16"
This reverts commit 7550e857bf, reversing
changes made to d0c2575324.

stat() will never return S_IFLNK as the file type, as stat()
explicitly follows symlinks.

Fixes #3005.
2020-02-04 14:42:15 +00:00
Janos Follath
82ebf511e9
Merge pull request #3019 from mpg/fix-ssl-opt-gnutls-no-sha1-2.16
[backport 2.16] Fix ssl-opt.sh for GnuTLS versions rejecting SHA-1
2020-02-04 11:18:30 +00:00
Gilles Peskine
0fe92c2f4f Test GCC and Clang with common build options
Goals:
* Build with common compilers with common options, so that we don't
  miss a (potentially useful) warning only triggered with certain
  build options.
* A previous commit removed -O0 test jobs, leaving only the one with
  -m32. We have inline assembly that is disabled with -O0, falling
  back to generic C code. This commit restores a test that runs the
  generic C code on a 64-bit platform.
2020-02-03 20:03:39 +01:00
Gilles Peskine
99d70d8cb1 Replace -O0 by -O1 or -Os in most components
Gcc skips some analyses when compiling with -O0, so we may miss
warnings about things like uninitialized variables.
2020-02-03 20:03:39 +01:00
Gilles Peskine
8ece8572b2 shrink tests: clearer description 2020-02-03 16:21:32 +01:00
Gilles Peskine
e0ced3a3d6 Move test functions from Lilliput to Blefuscu
We normally represent bignums in big-endian order and there is no
reason to deviate here.
2020-02-03 16:21:31 +01:00
Gilles Peskine
56427c2d2b Minor comment improvement 2020-02-03 16:21:31 +01:00
Gilles Peskine
27c15c7853 Improve comments in mpi_shrink 2020-02-03 16:21:31 +01:00
Gilles Peskine
3e9f5228c8 mpi_copy: make the 0 case slightly more robust
If Y was constructed through functions in this module, then Y->n == 0
iff Y->p == NULL. However we do not prevent filling mpi structures
manually, and zero may be represented with n=0 and p a valid pointer.
Most of the code can cope with such a representation, but for the
source of mbedtls_mpi_copy, this would cause an integer underflow.
Changing the test for zero from Y->p==NULL to Y->n==0 causes this case
to work at no extra cost.
2020-02-03 16:21:31 +01:00
Gilles Peskine
8fe3b79cdb Better coverage for copy and swap
Cover more cases: different signs, different zeronesses, repeated
argument.
2020-02-03 16:21:31 +01:00
Gilles Peskine
e6cca7c937 Bignum copy/shrink: More precise test case descriptions 2020-02-03 16:21:31 +01:00
Gilles Peskine
c63676a0bb
Merge pull request #3016 from jack-fortanix/jack/parse-rsa-crt-2.16
Backport 2.16: Parse RSA parameters DP, DQ and QP from PKCS1 private keys
2020-01-31 16:37:41 +01:00
Gilles Peskine
4cc20f6f3d Fix duplicated Bugfix section in the changelog 2020-01-31 12:20:10 +01:00
Gilles Peskine
216c44d6eb Add changelog entry 2020-01-31 12:06:43 +01:00
Manuel Pégourié-Gonnard
a7b9007d60
Merge pull request #2972 from mpg/add-zlib-tests-2.16
[2.16] Add zlib tests
2020-01-31 09:22:30 +01:00
Manuel Pégourié-Gonnard
d20ae896ea De-duplicate SHA1-independent test in ssl-opt.sh
The splitting of this test into two versions depending on whether SHA-1 was
allowed by the server was a mistake in
5d2511c4d4 - the test has nothing to do with
SHA-1 in the first place, as the server doesn't request a certificate from
the client so it doesn't matter if the server accepts SHA-1 or not.
2020-01-30 12:48:46 +01:00
Manuel Pégourié-Gonnard
7c9add2f64 Fix ssl-opt.sh for GnuTLS versions rejecting SHA-1
While the whole script makes (often implicit) assumptions about the version of
GnuTLS used, generally speaking it should work out of the box with the version
packaged on our reference testing platform, which is Ubuntu 16.04 so far.

With the update from Jan 8 2020 (3.4.10-4ubuntu1.6), the patches for rejecting
SHA-1 in certificate signatures were backported, so we should avoid presenting
SHA-1 signed certificates to a GnuTLS peer in ssl-opt.sh.
2020-01-30 11:25:22 +01:00
Jack Lloyd
b10fd065be Parse RSA parameters DP, DQ and QP from PKCS1 private keys
Otherwise these values are recomputed in mbedtls_rsa_deduce_crt, which
currently suffers from side channel issues in the computation of QP
(see https://eprint.iacr.org/2020/055). By loading the pre-computed
values not only is the side channel avoided, but runtime overhead of
loading RSA keys is reduced.

Discussion in https://github.com/ARMmbed/mbed-crypto/issues/347

Backport of https://github.com/ARMmbed/mbed-crypto/pull/352
2020-01-29 13:09:55 -05:00
Janos Follath
bac9f1bfb0 Merge pull request #3001 from from gilles-peskine-arm/coverity-20200115-2.16 into mbedtls-2.16 2020-01-29 14:49:23 +00:00
Janos Follath
1f10f2e282
Merge pull request #3014 from mpg/fix-attribution-ecdsa-inc
[2.16] Fix contributor names in ChangeLog
2020-01-29 14:07:17 +00:00
Manuel Pégourié-Gonnard
58c27790de Fix previous ChangeLog merging error 2020-01-29 11:32:09 +01:00
Manuel Pégourié-Gonnard
cc41e6cd75 Fix contributor names in ChangeLog 2020-01-29 10:47:34 +01:00
Manuel Pégourié-Gonnard
114d339756 Add detection for zlib headers to all.sh 2020-01-29 09:50:54 +01:00
Jaeden Amero
7550e857bf
Merge pull request #3012 from Patater/dev/jp-bennett/development-2.16
Backport 2.16: Allow loading symlinked certificates
2020-01-28 15:55:54 +00:00
Janos Follath
d0c2575324
Merge pull request #2992 from yanesca/bump-version-2.16.4
Bump version to Mbed TLS 2.16.4
2020-01-28 11:32:46 +00:00
Jaeden Amero
68a24eba00 Add ChangeLog entry
Add a ChangeLog entry for Jonathan Bennett's contribution which allows
loading symlinked certificates.
2020-01-28 11:29:16 +00:00
Jonathan Bennett
6f45cb995b Allow loading symlinked certificates
When mbedtls_x509_crt_parse_path() checks each object in the supplied path, it only processes regular files. This change makes it also accept a symlink to a file. Fixes #3005.

This was observed to be a problem on Fedora/CentOS/RHEL systems, where the ca-bundle in the default location is actually a symlink.
2020-01-28 11:28:42 +00:00
Manuel Pégourié-Gonnard
b0deeccc58
Merge pull request #3007 from mpg/fix-ecdsa-pointer-inc
[Backport 2.16] Fix incrementing pointer instead of value
2020-01-28 09:26:43 +01:00
Gilles Peskine
75aab5276f Add missing return code check on calls to mbedtls_md() 2020-01-27 15:16:16 +01:00
Gilles Peskine
1a30fbbd3b Check that mbedtls_mpi_grow succeeds 2020-01-27 15:16:16 +01:00
Gilles Peskine
83a5672ae1 Remove redundant block_size validity check
Check the value only once, as soon as we've obtained it.
2020-01-27 15:16:16 +01:00
Manuel Pégourié-Gonnard
42b8194b53 Fix incrementing pointer instead of value
This was introduced by a hasty search-and-replace that didn't account for C's
operator precedence when changing those variables to pointer types.
2020-01-24 12:35:47 +01:00
Gilles Peskine
42e4f6b706 Add changelog entry for the unchecked mbedtls_md call 2020-01-22 19:04:19 +01:00
Gilles Peskine
3a3b161e96 Add missing return code check on call to mbedtls_md() 2020-01-22 18:59:37 +01:00
Janos Follath
32b0216dd7 Bump version to Mbed TLS 2.16.4 2020-01-20 14:32:57 +00:00
Jaeden Amero
39e2c0eeb6 Merge remote-tracking branch 'origin/mbedtls-2.16' into mbedtls-2.16-restricted
* origin/mbedtls-2.16:
  Fix some pylint warnings
  Enable more test cases without MBEDTLS_MEMORY_DEBUG
  More accurate test case description
  Clarify that the "FATAL" message is expected
  Note that mbedtls_ctr_drbg_seed() must not be called twice
  Fix CTR_DRBG benchmark
  Changelog entry for xxx_drbg_set_entropy_len before xxx_drbg_seed
  CTR_DRBG: support set_entropy_len() before seed()
  CTR_DRBG: Don't use functions before they're defined
  HMAC_DRBG: support set_entropy_len() before seed()
2020-01-15 16:59:41 +00:00