Commit Graph

2936 Commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
7006ca10d9 Fix ssl-opt.sh for GnuTLS versions rejecting SHA-1
While the whole script makes (often implicit) assumptions about the version of
GnuTLS used, generally speaking it should work out of the box with the version
packaged on our reference testing platform, which is Ubuntu 16.04 so far.

With the update from Jan 8 2020 (3.4.10-4ubuntu1.6), the patches for rejecting
SHA-1 in certificate signatures were backported, so we should avoid presenting
SHA-1 signed certificates to a GnuTLS peer in ssl-opt.sh.
2020-03-13 16:21:44 +00:00
Gilles Peskine
0f14c15842 Add missing return code check on calls to mbedtls_md() 2020-03-13 15:37:54 +00:00
Gilles Peskine
a48fe01f15 Check that mbedtls_mpi_grow succeeds 2020-03-13 15:37:54 +00:00
Janos Follath
e7b49d3cd1 Bump version to Mbed TLS 2.16.4 2020-03-13 15:36:05 +00:00
Manuel Pégourié-Gonnard
10a7f626d9 Add test for record compression in ssl-opt.sh
Deprecated but still needs to be tested.
2020-03-13 15:36:05 +00:00
Gilles Peskine
bcdd8bcfcf Enable more test cases without MBEDTLS_MEMORY_DEBUG
None of the test cases in tests_suite_memory_buffer_alloc actually
need MBEDTLS_MEMORY_DEBUG. Some have additional checks when
MBEDTLS_MEMORY_DEBUG but all are useful even without it. So enable
them all and #ifdef out the parts that require DEBUG.
2020-03-13 15:27:12 +00:00
Gilles Peskine
6a1ec6abea More accurate test case description 2020-03-13 15:27:12 +00:00
Gilles Peskine
8064dbb646 Clarify that the "FATAL" message is expected
The test case "Memory buffer small buffer" emits a message
"FATAL: verification of first header failed". In this test case, it's
actually expected, but it looks weird to see this message from a
passing test. Add a comment that states this explicitly, and modify
the test description to indicate that the failure is expected, and
change the test function name to be more accurate.

Fix #309
2020-03-13 15:27:12 +00:00
Janos Follath
47b56a159e mpi_lt_mpi_ct: Add further tests
The existing tests did not catch a failure that came up at integration
testing. Adding the missing test cases to trigger the bug.
2020-03-13 15:25:40 +00:00
Janos Follath
006b207de6 mpi_lt_mpi_ct: Fix test numbering 2020-03-13 15:25:40 +00:00
Janos Follath
d2aa4aa454 mpi_lt_mpi_ct perform tests for both limb size
The corner case tests were designed for 32 and 64 bit limbs
independently and performed only on the target platform. On the other
platform they are not corner cases anymore, but we can still exercise
them.
2020-03-13 15:25:40 +00:00
Janos Follath
44e40c0792 mbedtls_mpi_lt_mpi_ct: add tests for 32 bit limbs
The corner case tests were designed for 64 bit limbs and failed on 32
bit platforms because the numbers in the test ended up being stored in a
different number of limbs and the function (correctly) returnd an error
upon receiving them.
2020-03-13 15:25:40 +00:00
Janos Follath
eb8fcf8181 Add more tests for mbedtls_mpi_lt_mpi_ct 2020-03-13 15:25:40 +00:00
Janos Follath
3be2fa44e1 mpi_lt_mpi_ct test: hardcode base 16 2020-03-13 15:25:40 +00:00
Janos Follath
8faf1d627b Change mbedtls_mpi_cmp_mpi_ct to check less than
The signature of mbedtls_mpi_cmp_mpi_ct() meant to support using it in
place of mbedtls_mpi_cmp_mpi(). This meant full comparison functionality
and a signed result.

To make the function more universal and friendly to constant time
coding, we change the result type to unsigned. Theoretically, we could
encode the comparison result in an unsigned value, but it would be less
intuitive.

Therefore we won't be able to represent the result as unsigned anymore
and the functionality will be constrained to checking if the first
operand is less than the second. This is sufficient to support the
current use case and to check any relationship between MPIs.

The only drawback is that we need to call the function twice when
checking for equality, but this can be optimised later if an when it is
needed.
2020-03-13 15:25:40 +00:00
Janos Follath
7ce3a25316 Add tests to constant time mpi comparison 2020-03-13 15:25:39 +00:00
Gilles Peskine
20dbfb9938 CTR_DRBG: support set_entropy_len() before seed()
mbedtls_ctr_drbg_seed() always set the entropy length to the default,
so a call to mbedtls_ctr_drbg_set_entropy_len() before seed() had no
effect. Change this to the more intuitive behavior that
set_entropy_len() sets the entropy length and seed() respects that and
only uses the default entropy length if there was no call to
set_entropy_len().

The former test-only function mbedtls_ctr_drbg_seed_entropy_len() is
no longer used, but keep it for strict ABI compatibility.
2020-03-13 15:25:39 +00:00
Gilles Peskine
6e2cb64a97 'make test' must fail if Asan fails
When running 'make test' with GNU make, if a test suite program
displays "PASSED", this was automatically counted as a pass. This
would in particular count as passing:
* A test suite with the substring "PASSED" in a test description.
* A test suite where all the test cases succeeded, but the final
  cleanup failed, in particular if a sanitizer reported a memory leak.

Use the test executable's return status instead to determine whether
the test suite passed. It's always 0 on PASSED unless the executable's
cleanup code fails, and it's never 0 on any failure.

Fix ARMmbed/mbed-crypto#303
2020-03-13 15:24:20 +00:00
Gilles Peskine
6eec4ab323 Asan make builds: avoid sanitizer recovery
Some sanitizers default to displaying an error message and recovering.
This could result in a test being recorded as passing despite a
complaint from the sanitizer. Turn off sanitizer recovery to avoid
this risk.
2020-03-13 15:24:20 +00:00
Gilles Peskine
b3e54396fa Use UBsan in addition to Asan with 'make test'
When building with make with the address sanitizer enabled, also
enable the undefined behavior sanitizer.
2020-03-13 15:24:19 +00:00
Gilles Peskine
3ccb7f18e0 Unify ASan options in make builds
Use a common set of options when building with Asan without CMake.
2020-03-13 15:24:19 +00:00
Gilles Peskine
34693b5dd6 Add a test component with malloc(0) returning NULL
Exercise the library functions with calloc returning NULL for a size
of 0. Make this a separate job with UBSan (and ASan) to detect
places where we try to dereference the result of calloc(0) or to do
things like

    buf = calloc(size, 1);
    if (buf == NULL && size != 0) return INSUFFICIENT_MEMORY;
    memcpy(buf, source, size);

which has undefined behavior when buf is NULL at the memcpy call even
if size is 0.

This is needed because other test components jobs either use the system
malloc which returns non-NULL on Linux and FreeBSD, or the
memory_buffer_alloc malloc which returns NULL but does not give as
useful feedback with ASan (because the whole heap is a single C
object).
2020-03-13 12:03:12 +00:00
Manuel Pégourié-Gonnard
f0658b18dc Add detection for zlib headers to all.sh
Signed-off-by: Simon Butcher <simon.butcher@arm.com>
2020-03-09 17:39:04 +00:00
Manuel Pégourié-Gonnard
079864ef54 Add test for record compression in ssl-opt.sh
Deprecated but still needs to be tested.

Signed-off-by: Simon Butcher <simon.butcher@arm.com>
2020-03-09 17:39:04 +00:00
Manuel Pégourié-Gonnard
df59bfc9d6 Add all.sh components with ZLIB enabled
ZLIB support is deprecated, but until it's removed it should still be tested.

Signed-off-by: Simon Butcher <simon.butcher@arm.com>
2020-03-09 17:39:04 +00:00
Simon Butcher
282911eabf Merge remote-tracking branch 'public/pr/2978' into baremetal 2020-01-08 18:14:21 +00:00
Simon Butcher
4b3b8c208e Merge remote-tracking branch 'public/pr/2886' into baremetal 2020-01-08 17:53:43 +00:00
Arto Kinnunen
0a8f87f5eb Remove entropy source overwrite in baremetal_test
-Do not overwrite MBEDTLS_ENTROPY_MAX_SOURCES in baremetal_test.h
-Skip tests that are not suitable for low number of entropy sources
2020-01-07 14:48:33 +02:00
Darryl Green
029fe86c53 Fix some pylint warnings
Fix a too-long line to meet PEP8 standards
2020-01-03 13:41:20 +00:00
Simon Butcher
e76c638d6f Merge remote-tracking branch 'public/pr/2925' into baremetal 2019-12-13 14:51:29 +00:00
Arto Kinnunen
430ac13112 Add config and test for AES SCA countermeasures
- Add configuration for AES_SCA_COUNTERMEASURES to config.h. By
  default the feature is disabled.
- Add AES_SCA_COUNTERMEASURES configuration check to check_config.h
- Add AES_SCA_COUNTERMEASURES test to all.sh
2019-12-10 14:54:43 +02:00
Simon Butcher
0252cd6876 Merge remote-tracking branch 'public/pr/2940' into baremetal 2019-12-05 14:32:54 +00:00
Simon Butcher
5b45c6e1b3 Merge remote-tracking branch 'public/pr/2932' into baremetal 2019-12-05 14:32:31 +00:00
Teppo Järvelin
e06e039f7a Fix basic-build-test.sh to work in different env
Also added possibility to run only unit tests
2019-11-29 11:05:11 +02:00
Manuel Pégourié-Gonnard
9d6a535ba1 Return and propagate UECC_FAULT_DETECTED
This commit first changes the return convention of EccPoint_mult_safer() so
that it properly reports when faults are detected. Then all functions that
call it need to be changed to (1) follow the same return convention and (2)
properly propagate UECC_FAULT_DETECTED when it occurs.

Here's the reverse call graph from EccPoint_mult_safer() to the rest of the
library (where return values are translated to the MBEDTLS_ERR_ space) and test
functions (where expected return values are asserted explicitly).

EccPoint_mult_safer()
    EccPoint_compute_public_key()
        uECC_compute_public_key()
            pkparse.c
            tests/suites/test_suite_pkparse.function
        uECC_make_key_with_d()
        uECC_make_key()
            ssl_cli.c
            ssl_srv.c
            tests/suites/test_suite_pk.function
            tests/suites/test_suite_tinycrypt.function
    uECC_shared_secret()
        ssl_tls.c
        tests/suites/test_suite_tinycrypt.function
    uECC_sign_with_k()
        uECC_sign()
            pk.c
            tests/suites/test_suite_tinycrypt.function

Note: in uECC_sign_with_k() a test for uECC_vli_isZero(p) is suppressed
because it is redundant with a more thorough test (point validity) done at the
end of EccPoint_mult_safer(). This redundancy was introduced in a previous
commit but not noticed earlier.
2019-11-26 12:54:06 +01:00
Manuel Pégourié-Gonnard
1a5337179f Remove curve parameter from public functions 2019-11-26 12:54:06 +01:00
Manuel Pégourié-Gonnard
677b7f6c42 Fix direct use of struct instead of abstract type 2019-11-26 12:54:06 +01:00
Simon Butcher
9699887185 Add Makefile option to exclude TinyCrypt files
Added an additional Makefile option of 'TINYCRYPT_BUILD' to exclude the
TinyCrypt source files from the build. This allows some tests to exclude those
files as and when necessary.

Specifically this includes in all.sh the test
'component_build_arm_none_eabi_gcc_no_64bit_multiplication' which was failing as
64bit cannot be disabled in TinyCrypt, and check-names.sh as TinyCrypt obviously
does not conform to Mbed TLS naming conventions.
2019-11-22 15:09:39 +00:00
Manuel Pégourié-Gonnard
10d8e8ed64 Use safer return values in uECC_verify()
This is a first step in protecting against fault injection attacks: the
attacker can no longer change failure into success by flipping a single bit.
Additional steps are needed to prevent other attacks (instruction skip etc)
and will be the object of future commits.

The return value of uECC_vli_equal() should be protected as well, which will
be done in a future commit as well.
2019-11-21 15:12:44 +01:00
Jarno Lamsa
2e2fa5e352 Adress review comments 2019-10-30 15:08:26 +02:00
Jarno Lamsa
77c4fcc96e Use DER encoded keys with tinycrypt
PEM and BASE64 aren't used with baremetal config by default
and using DER encoded key enables the test without enabling PEM
and BASE64.
2019-10-30 15:00:01 +02:00
Jarno Lamsa
6ba32cac5c Add authentication tests for baremetal config 2019-10-30 15:00:01 +02:00
Jarno Lamsa
6f54fe72f2 Add a bad version of server11 certificate
The certificate has a corrupted public key and signature.
Generating it through Makefile isn't trivial and since it is
a corrupted certificate, that shouldn't be accepted, there
shouldn't be a need to generate it again anyway.
2019-10-30 14:59:23 +02:00
Jarno Lamsa
b514cd3626 Remove dependency to MBEDTLS_ERROR_C
The test is already checking for return value
No need to check for MBEDTLS_ERROR_C -dependent print
2019-10-30 10:34:54 +02:00
Jarno Lamsa
d342805134 Added Forced ECC ciphersuite with CCM tests 2019-10-30 10:34:54 +02:00
Jarno Lamsa
c40184b44a Add test for small server packet
To allow testing with ECDHE-ECDSA with DTLS
2019-10-30 10:34:54 +02:00
Jarno Lamsa
0ed68089ee Add test for small client packet
Enable testing with ECDHE-ECDSA with DTLS
2019-10-30 10:34:54 +02:00
Jarno Lamsa
c5118b7664 Add a new keyUsage test for p256 using DTLS 2019-10-30 10:34:54 +02:00
Jarno Lamsa
ff434c2ef3 Add test for enforcing extended master secret
Only add test when both are enforcing. This is configured in baremetal.h
and is checked in the check_cmdline_compat, would render other cases
with baremetal.h to skipped.
2019-10-30 10:34:54 +02:00
Jarno Lamsa
7544195a44 Remove echo FORCE SKIP
This was probably an artifact from testing the cmdline_compat-stuff.
Currently only pollutes the output.
2019-10-30 10:34:54 +02:00