Commit Graph

16559 Commits

Author SHA1 Message Date
Paul Elliott
a59cc3dbc7 Further documentation improvements
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-10 17:48:12 +00:00
Paul Elliott
f294ff5d87 Make changelog more specific
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-10 17:48:12 +00:00
Paul Elliott
fe724fe618 Fix for pkcs12 with NULL or zero length password
Previously passing a NULL or zero length password into either
mbedtls_pkcs12_pbe() or mbedtls_pkcs12_derive() could cause an infinate
loop, and it was also possible to pass a NULL password, with a non-zero
length, which would cause memory corruption.
I have fixed these errors, and improved the documentation to reflect the
changes and further explain what is expected of the inputs.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-10 17:48:12 +00:00
Gilles Peskine
18a59b7d4c
Merge pull request #5306 from gilles-peskine-arm/test-missing-ret-check-202112-2.x
Backport 2.x: Missing error checks + test bug on unlikely failure
2021-12-10 17:41:49 +01:00
Minos Galanakis
5c93a9f214 Update changelog & readme
This patch adds explicit wording to state
that Two's complement is the official
supported signed integer representation.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2021-12-10 15:57:54 +00:00
Gilles Peskine
3fc0d30447 Don't fail until everything is initialized
Can't call mbedtls_cipher_free(&invalid_ctx) in cleanup if
mbedtls_cipher_init(&invalid_ctx) hasn't been called.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-10 14:45:41 +01:00
Gilles Peskine
3d28378734 Check return values in more places
Selective replacement of
```
^\( *\)\(mbedtls_\(md\|cipher\)_[A-Z_a-z0-9]+\)\((.*)\);
```
by
```
\1if( \2\4 != 0 )
\1{
\1    mbedtls_fprintf( stderr, "\2() returned error\\n" );
\1    goto exit;
\1}
```

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-10 14:45:41 +01:00
Gilles Peskine
362d6efbde
Merge pull request #5301 from paul-elliott-arm/test_suite_cipher_returns_2.x
Backport 2.x : Add checked return to cipher setup in Cipher tests
2021-12-10 10:40:01 +01:00
Gilles Peskine
4a5396ec25
Merge pull request #5299 from paul-elliott-arm/crypt_and_hash_prog_2.x
Backport 2.x: Add checks for return values to md functions in crypt and hash
2021-12-09 23:32:52 +01:00
Gilles Peskine
51377d8a73
Merge pull request #5280 from davidhorstmann-arm/2.x-improve-cmac-docs
Backport 2.x: Reword documentation of CMAC operations
2021-12-09 23:28:39 +01:00
Gilles Peskine
c2c1c22dda
Merge pull request #5298 from paul-elliott-arm/ssl_context_info_prog_2.x
Backport 2.x: Two fixes for SSL context info sample program
2021-12-09 23:22:54 +01:00
Paul Elliott
68b64cd64c Add checked return to cipher setup
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-09 21:37:23 +00:00
Paul Elliott
d068876181 Add checks for return values to md functions
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-09 18:51:56 +00:00
Paul Elliott
8f20bab14d Fix printf format specifier
Also mark function as printf variant so compiler will pickup any future
issues.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-09 18:35:13 +00:00
Paul Elliott
110afd0e4d Prevent resource leak
If -f was used as an argument twice to the program, then it would leak
the file resource, due to overwriting it on the second pass

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-09 18:33:22 +00:00
Ronald Cron
620cbb9bf5
Merge pull request #5262 from xffbai/code-align-backport2.x
Backport 2.x: Fix (d)tls1_2 into (d)tls12 in version options
2021-12-09 16:26:24 +01:00
Manuel Pégourié-Gonnard
c3319e73db
Merge pull request #5189 from gilles-peskine-arm/struct_reordering_2.x
Backport 2.x: Reorder structure fields to maximize usage of immediate offset access
2021-12-09 12:54:13 +01:00
Manuel Pégourié-Gonnard
218abe081c
Merge pull request #5284 from gabor-mezei-arm/4926_bp2x_base64_move_constant-time_functions
[Backport 2.x] Move base64 constant-time functions to the new module
2021-12-09 12:40:24 +01:00
Gabor Mezei
00e08a3a21
Update generated files
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-09 10:05:48 +01:00
Manuel Pégourié-Gonnard
9ac32eb123
Merge pull request #863 from davidhorstmann-arm/2.x-fix-session-copy-bug
Backport 2.x: [session] fix a session copy bug
2021-12-09 09:21:33 +01:00
Gabor Mezei
3a755f511f
Add documentation for the functions
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-08 16:24:22 +01:00
Gabor Mezei
46ca2f76c4
Unify function parameters
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-08 16:22:45 +01:00
Gabor Mezei
df29332d4b
Make mbedtls_ct_uchar_mask_of_range function static
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-08 16:20:39 +01:00
Gabor Mezei
f554ce21b8
Delete base64_invasive.h due to functions are moved to the constant-time module
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-08 16:20:27 +01:00
Gabor Mezei
3d4dba84b7
Move mbedtls_ct_base64_dec_value function to the constant-time module
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-08 16:20:16 +01:00
Gabor Mezei
200708d30a
Move mbedtls_ct_base64_enc_char function to the constant-time module
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-08 16:20:04 +01:00
Gabor Mezei
46f79c388d
Move mbedtls_ct_uchar_mask_of_range function to the constant-time module
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-08 16:19:41 +01:00
Gabor Mezei
7464f37e7b
Rename functions to have suitable name
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-08 16:19:23 +01:00
David Horstmann
0add7f96ac Add changelog entry for session copy bugfix
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2021-12-08 13:29:55 +00:00
Manuel Pégourié-Gonnard
9a4a9c66a4
Merge pull request #860 from ronald-cron-arm/fix-cipher-iv_2.x
Backport 2.x: Avoid using encryption output buffer to pass generated IV to PSA driver
2021-12-08 13:30:11 +01:00
吴敬辉
0f6c6bc0dc [session] fix a session copy bug
fix a possible double reference on 'ticket'
when peer_cert/peer_cert_digest calloc failed.

Signed-off-by: 吴敬辉 <11137405@vivo.com>
2021-12-07 17:27:31 +00:00
David Horstmann
b56f38f57b Reword documentation of CMAC operations
Change the wording of the documentation for some CMAC functions,
as the existing wording, while technically correct, can be
easy to misunderstand. The reworded docs explain the flow of
a CMAC computation a little more fully.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2021-12-07 12:16:33 +00:00
Gilles Peskine
582f2398d4
Merge pull request #5167 from tom-cosgrove-arm/fix-builds-with-only-mbedtls_bignum_c-defined
Backport 2.x: Fix builds when config.h only defines MBEDTLS_BIGNUM_C
2021-12-07 12:38:04 +01:00
Ronald Cron
e7a5e985ae Add change log
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-07 09:23:27 +01:00
Gilles Peskine
ad47e6d160 Add changelog entry for build error fixes
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-06 20:58:51 +01:00
Gilles Peskine
1e313165f3
Merge pull request #5258 from gilles-peskine-arm/pip-requirements-2.x
Backport 2.x: In-tree Python package requirements
2021-12-03 17:25:56 +01:00
Gilles Peskine
5d6de4ebc4
Merge pull request #5254 from adeaarm/development_2.x
Backport 2.x: Align function parameter names for mbedtls_set_key_owner_id
2021-12-03 17:24:49 +01:00
Gilles Peskine
4b71e9b96a Correct default requirements file name in help
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-03 13:32:10 +01:00
Xiaofei Bai
f40545d919 Fix (d)tls1_2 into (d)tls12 in version options
Signed-off-by: Xiaofei Bai <xiaofei.bai@arm.com>
2021-12-03 08:13:30 +00:00
Gilles Peskine
f3564bfe99 Add Cryptodome to maintainer requirements
See e.g. https://github.com/ARMmbed/mbedtls/pull/5218

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-02 13:19:19 +01:00
Gilles Peskine
3f5f7df75b Remove accidental requirement on the worktree content
This made the build impossible since mbedtls isn't available when building
the container.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-02 13:19:19 +01:00
Gilles Peskine
ca07ea0802 Allow passing options to pip
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-02 13:19:19 +01:00
Gilles Peskine
c31780f62f Use a method to invoke pip that works on Windows
Passing arguments on the command line apparently didn't work due to quoting
issues. Use a temporary file instead.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-02 13:19:19 +01:00
Gilles Peskine
6d253cc4fc Travis: use the in-tree Python package requirements
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-02 13:19:02 +01:00
Gilles Peskine
ce8ccaf55b Docker: Python requirements are now managed in-tree
Neither mbed-host-tests nor mock are currently used.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-02 13:07:58 +01:00
Gilles Peskine
e4d142f1e7 Script to install minimum versions of the requirements
Wherever we have a requirement on foo>=N, install foo==N. This is for
testing, to ensure that we don't accidentally depend on features that are
not present in the minimum version we declare support for.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-02 13:07:58 +01:00
Gilles Peskine
12fe74e360 Declare which Python packages we use
Add pip requirements files. We'll have separate requirements files for
different target audiences. Each file can use `-r` lines to include other
files.

This commit adds two requirement files: one with everything that's needed to
pass the CI, and one with additional tools that are suggested for Mbed TLS
maintainers to install locally.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-02 13:07:20 +01:00
Andrzej Kurek
2c2c1778f7 Add a changelog entry for the ChaCha20 default behavior change
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2021-12-02 09:32:23 +01:00
Andrzej Kurek
e6728203d2 Add a missing test case to ChaCha20 tests - decrypt empty buffer
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2021-12-02 09:32:15 +01:00
Andrzej Kurek
d353043380 Return an error for IV lengths other than 12 with ChaCha20+Poly1305
The implementation was silently overwriting the IV length to 12
even though the caller passed a different value.
Change the behavior to signal that a different length is not supported.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2021-12-02 09:31:58 +01:00