Commit Graph

14322 Commits

Author SHA1 Message Date
Gilles Peskine
34f063ca47 Add missing cleanup to hash multipart operation tests
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-26 10:24:13 +02:00
Manuel Pégourié-Gonnard
8f18d08fae Clarify that the Lucky 13 fix is quite general
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-26 10:10:11 +02:00
Gilles Peskine
29c4a6cf9f Add negative tests for MAC verification
Add negative tests for psa_mac_verify_finish: too large, too small, or
a changed byte.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-26 00:16:03 +02:00
Gilles Peskine
090e16cb8b Don't destroy the key during a MAC verification operation
An early draft of the PSA crypto specification required multipart
operations to keep working after destroying the key. This is no longer
the case: instead, now, operations are guaranteed to fail. Mbed TLS
does not comply yet, and still allows the operation to keep going.
Stop testing Mbed TLS's non-compliant behavior.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-26 00:16:03 +02:00
Gilles Peskine
8b356b5652 Test other output sizes for psa_mac_sign_finish
Test psa_mac_sign_finish with a smaller or larger buffer.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-26 00:16:03 +02:00
Gilles Peskine
5e65cec5e8 Simplify output bounds check in mac_sign test
Rely on Asan to detect a potential buffer overflow, instead of doing a
manual check. This makes the code simpler and Asan can detect
underflows as well as overflows.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-26 00:16:03 +02:00
Gilles Peskine
3d404d677e Test PSA_MAC_FINAL_SIZE in mac_sign exactly
We expect PSA_MAC_FINAL_SIZE to be exact in this implementation, so
check it here.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-26 00:16:03 +02:00
Gilles Peskine
cd65f4ccac Add empty-output-buffer test cases for single-part hash functions
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-26 00:11:23 +02:00
Gilles Peskine
e92c68a878 Note that a failure in cleanup is intentional
In the cleanup code for persistent_key_load_key_from_storage(), we
only attempt to reopen the key so that it will be deleted if it exists
at that point. It's intentional that we do nothing if psa_open_key()
fails here.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-26 00:11:23 +02:00
Gilles Peskine
64f13ef6ab Add missing cleanup to some multipart operation tests
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-26 00:11:23 +02:00
Gilles Peskine
a09713c795 test cleanup: Annotate file removal after a failed creation
Let static analyzers know that it's ok if remove() fails here.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-25 22:50:18 +02:00
Gilles Peskine
169ca7f06d psa_crypto_storage: Annotate file removal after a failed creation
Let static analyzers know that it's ok if psa_its_remove() fails here.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-25 22:50:06 +02:00
Gilles Peskine
bab1b52048 psa_its: Annotate file removal after a failed creation
Let static analyzers know that it's ok if remove() fails here.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-25 22:49:19 +02:00
Gilles Peskine
14613bcd75 Fix parity tests to actually fail the test on error
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-25 22:30:31 +02:00
Gilles Peskine
ee4d4eb625 Remove a useless zeroization
Remove the zeroization of a pointer variable in the AES block
functions. The code was valid but spurious and misleading since it
looked like a mistaken attempt to zeroize the pointed-to buffer.
Reported by Antonio de la Piedra, CEA Leti, France.

Note that we do not zeroize the buffer here because these are the
round keys, and they need to stay until all the blocks are processed.
They will be zeroized in mbedtls_aes_free().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-25 19:28:13 +02:00
gabor-mezei-arm
4cb56f83cb
Put local variables and buffers in a struct
This reduces the impact of the code size increase due to the addition
of calls to mbedtls_platform_zeroize.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2020-08-25 19:13:59 +02:00
gabor-mezei-arm
b8513fa6ac
Initialize return variable to the appropriate error code
The return variable is initilized to make the code more robust against glitch attacks.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2020-08-25 19:13:59 +02:00
gabor-mezei-arm
d1c98fcf5e
Zeroize internal buffers and variables in MD hashes
Zeroising of local buffers and variables which are used for calculations in
mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process()
functions to erase sensitive data from memory.
Checked all function for possible missing zeroisation in MD.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2020-08-25 19:13:59 +02:00
gabor-mezei-arm
4553dd46d6
Force cleanup before return
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2020-08-25 19:13:58 +02:00
gabor-mezei-arm
76749aea78
Zeroize internal buffers and variables in PKCS and SHA
Zeroising of local buffers and variables which are used for calculations in
mbedtls_pkcs5_pbkdf2_hmac() and mbedtls_internal_sha*_process() functions
to erase sensitive data from memory.
Checked all function for possible missing zeroisation in PKCS and SHA.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2020-08-25 19:13:58 +02:00
Steven Cooreman
ffecb7b982 Implement support for multipart ECB and add tests
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-08-25 17:00:24 +02:00
Janos Follath
d4ac4e037b
Merge pull request #736 from mpg/cf-varpos-copy-dev-restricted
Constant-flow copy of HMAC from variable position
2020-08-25 14:35:55 +01:00
Steven Cooreman
a6033e92af Style and language fixes
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-08-25 12:32:22 +02:00
Manuel Pégourié-Gonnard
04b7488411 Fix potential use of uninitialised variable
If any of the TEST_ASSERT()s that are before the call to
mbedtls_pk_warp_as_opaque() failed, when reaching the exit label
psa_destroy_key() would be called with an uninitialized argument.

Found by Clang.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-25 10:45:51 +02:00
Gilles Peskine
ed19762a22
Merge pull request #3574 from makise-homura/e2k_support
Support building on e2k (Elbrus) architecture
2020-08-25 09:46:36 +02:00
makise-homura
af9513bb48 A different approach of signed-to-unsigned comparison
Suggsted by @hanno-arm

Signed-off-by: makise-homura <akemi_homura@kurisa.ch>
2020-08-24 23:42:49 +03:00
John Durkop
d46ede0d37 Fix missing label for guard
Fixes #3294

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-08-24 09:51:00 -07:00
John Durkop
af5363c24e Updates to cleanup fixes for #3294
Minor updates to changelog for more concise wording and fixed styling
in other files as needed.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-08-24 08:29:39 -07:00
John Durkop
c14be901eb Add new test_depends_curves_psa to all.sh
Add new test (test_depends_curves_psa) to all.sh to confirm
that test is passing when MBEDTLS_USE_PSA_CRYPTO is defined.

Fix #3294

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-08-24 08:24:08 -07:00
John Durkop
bc5a754f28 Add change log description for Fix #3294
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-08-24 08:23:21 -07:00
John Durkop
f35069a82d Fix undefined ref error when ECDSA not defined
Add guards in pk_wrap.c to ensure if ECDSA is not defined, errors
are returned.
Remove warnings in pk.c for unused variables.
Add new test (test_depends_pkalgs_psa) to all.sh to confirm
when USE_PSA_CRYPTO is defined that features are working properly.

Fix #3294

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-08-24 08:20:56 -07:00
Manuel Pégourié-Gonnard
ba6fc9796a Fix a typo in a comment
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-24 12:59:55 +02:00
Manuel Pégourié-Gonnard
dd00bfce34 Improve comments on constant-flow testing in config.h
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-24 12:58:36 +02:00
Gilles Peskine
0f343ac87f
Merge pull request #3528 from gufe44/helpers-redirect-restore-output
Fix bug in redirection of unit test outputs
2020-08-24 10:45:08 +02:00
Manuel Pégourié-Gonnard
8a79b9b68c Fix "unused function" warning in some configs
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-24 10:29:30 +02:00
Manuel Pégourié-Gonnard
6edfe60e0d
Merge pull request #2182 from hanno-arm/key_pwd
Add support for password protected key files to ssl_server2 and ssl_client2
2020-08-24 09:42:38 +02:00
makise-homura
e014fece50 Don't forget to free G, P, Q, ctr_drbg, and entropy
I might be wrong, but lcc's optimizer is curious about this,
and I am too: shouldn't we free allocated stuff correctly
before exiting `dh_genprime` in this certain point of code?

Signed-off-by: makise-homura <akemi_homura@kurisa.ch>
2020-08-22 23:56:46 +03:00
Guido Vranken
962e4ee4a6 Use single-line string literals.
Signed-off-by: Guido Vranken <guidovranken@gmail.com>
2020-08-21 21:08:56 +02:00
Gilles Peskine
0f38590edf Commit the intermediate files cert_md*.csr
They are used to generate cert_md*.crt.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-21 20:47:52 +02:00
Gilles Peskine
d1ff7579c8 Fix "make -C tests/data_files"
It wasn't working when invoking programs/x509/cert_write or
programs/x509/cert_req due to relying on the current directory rather
than the location of the makefile.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-21 20:43:32 +02:00
Gilles Peskine
384e274670 cert_req: discover hash algorithms automatically
Discover hash algorithms automatically rather than hard-coding a list,
as was previously done in cert_write.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-21 20:43:32 +02:00
Gilles Peskine
18292fe205 cert_write: discover hash algorithms automatically
Discover hash algorithms automatically rather than hard-coding a list.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-21 20:42:32 +02:00
Gilles Peskine
5fe5b823d4
Merge pull request #3590 from mpg/fix-compat.sh-with-ubuntu-16.04-gnutls
Fix compat.sh with ubuntu 16.04 gnutls
2020-08-21 14:18:25 +02:00
Daniel Otte
388f9b2d0f adjusting size of sliding window array to correct size.
Probably the `W[2 << MBEDTLS_MPI_WINDOW_SIZE]` notation is based on a transcription of 2**MBEDTLS_MPI_WINDOW_SIZE.

Signed-off-by: Daniel Otte <d.otte@wut.de>
2020-08-21 12:57:08 +02:00
Manuel Pégourié-Gonnard
6c77bc6de2 compat.sh: stop using allow_sha1
After the changes of certificates, it's no longer needed.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-21 12:34:05 +02:00
Manuel Pégourié-Gonnard
499bf4c0c8 compat.sh: quit using SHA-1 certificates
Replace server2.crt with server2-sha256.crt which, as the name implies, is
just the SHA-256 version of the same certificate.

Replace server1.crt with cert_sha256.crt which, as the name doesn't imply, is
associated with the same key and just have a slightly different Subject Name,
which doesn't matter in this instance.

The other certificates used in this script (server5.crt and server6.crt) are
already signed with SHA-256.

This change is motivated by the fact that recent versions of GnuTLS (or older
versions with the Debian patches) reject SHA-1 in certificates by default, as
they should. There are options to still accept it (%VERIFY_ALLOW_BROKEN and
%VERIFY_ALLOW_SIGN_WITH_SHA1) but:

- they're not available in all versions that reject SHA-1-signed certs;
- moving to SHA-2 just seems cleaner anyway.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-21 12:25:30 +02:00
Manuel Pégourié-Gonnard
244d06637f compat.sh: enable CBC-SHA-2 suites for GnuTLS
Recent GnuTLS packages on Ubuntu 16.04 have them disabled.

From /usr/share/doc/libgnutls30/changelog.Debian.gz:

gnutls28 (3.4.10-4ubuntu1.5) xenial-security; urgency=medium

  * SECURITY UPDATE: Lucky-13 issues
    [...]
    - debian/patches/CVE-2018-1084x-4.patch: hmac-sha384 and sha256
      ciphersuites were removed from defaults in lib/gnutls_priority.c,
      tests/priorities.c.

Since we do want to test the ciphersuites, explicitly re-enable them in the
server's priority string. (This is a no-op with versions of GnuTLS where those
are already enabled by default.)

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-21 12:06:47 +02:00
Guido Vranken
027fe00d2e Prevent triggering Clang 12 -Wstring-concatenation warning
Wrap multi-line string literals in parentheses
to prevent a Clang 12 -Wstring-concatenation warning
(activated by -Wall), which caused the build to fail.

Fixes https://github.com/ARMmbed/mbedtls/issues/3586

Signed-off-by: Guido Vranken <guidovranken@gmail.com>
2020-08-21 10:05:52 +02:00
Manuel Pégourié-Gonnard
1a6af8489e
Merge pull request #3578 from gilles-peskine-arm/md_setup-leak-development
Fix memory leak in mbedtls_md_setup with HMAC
2020-08-21 09:19:12 +02:00
gufe44
067f6e01f1 Fix bug in redirection of unit test outputs
Avoid replacing handle. stdout is defined as a macro on several platforms.

Signed-off-by: gufe44 <gu981@protonmail.com>
2020-08-21 08:32:26 +02:00