Commit Graph

7509 Commits

Author SHA1 Message Date
Hanno Becker
311276c871 Add NIST AES GCM test vectors to single-step cipher API test suite
The test suites `test_suite_gcm.aes{128,192,256}_en.data` contains
numerous NIST test vectors for AES-*-GCM against which the GCM
API mbedtls_gcm_xxx() is tested.

However, one level higher at the cipher API, no tests exist which
exercise mbedtls_cipher_auth_{encrypt/decrypt}() for GCM ciphers,
although test_suite_cipher.function contains the test auth_crypt_tv
which does precisely that and is already used e.g. in
test_suite_cipher.ccm.

This commit replicates the test vectors from
test_suite_gcm.aes{128,192,256}_en.data in test_suite_cipher.gcm.data
and adds a run of auth_crypt_tv for each of them.

The conversion was mainly done through the sed command line

```
s/gcm_decrypt_and_verify:\([^:]*\):\([^:]*\):\([^:]*\):\([^:]*\):
\([^:]*\):\([^:]*\):\([^:]*\):\([^:]*\):\([^:]*\):\([^:]*\)/auth_crypt_tv:
\1:\2:\4:\5:\3:\7:\8:\9/
```
2019-06-18 16:10:42 +02:00
Jaeden Amero
35a7e4675f Merge remote-tracking branch 'origin/pr/2688' into mbedtls-2.7
* origin/pr/2688:
  Update library version to 2.7.11
2019-06-18 14:22:59 +01:00
Gilles Peskine
d535f4d667 Pass -m32 to the linker as well
For unit tests and sample programs, CFLAGS=-m32 is enough to get a
32-bit build, because these programs are all compiled directly
from *.c to the executable in one shot. But with makefile rules that
first build object files and then link them, LDFLAGS=-m32 is also
needed.
2019-06-17 19:15:37 +02:00
Jaeden Amero
2fa0172ae1 Merge remote-tracking branch 'origin/pr/2483' into mbedtls-2.7
* origin/pr/2483:
  Correct placement of ChangeLog entry
  Improve documentation of mbedtls_x509_get_ext()
  Adapt ChangeLog
  Always return a high-level error code from X.509 module
  Obey bounds of ASN.1 substructures
2019-06-14 15:28:02 +01:00
Jaeden Amero
fe1180a9db Merge remote-tracking branch 'origin/pr/2696' into mbedtls-2.7
* origin/pr/2696:
  UDP proxy: Don't attempt to dissect dgram into records when dropping
2019-06-14 08:55:32 +01:00
Jaeden Amero
d03977dc3c Merge remote-tracking branch 'origin/pr/2677' into mbedtls-2.7
* origin/pr/2677:
  Show removed symbols in abi check
2019-06-14 08:54:35 +01:00
Jaeden Amero
ea60486507 Merge remote-tracking branch 'origin/pr/2674' into mbedtls-2.7
* origin/pr/2674:
  Remove all abi dumps, not just ones shared between versions
2019-06-14 08:53:40 +01:00
Jaeden Amero
98fc5f4937 Merge remote-tracking branch 'origin/pr/2482' into mbedtls-2.7
* origin/pr/2482:
  Document support for MD2 and MD4 in programs/x509/cert_write
  Correct name of X.509 parsing test for well-formed, ill-signed CRT
  Add test cases exercising successful verification of MD2/MD4/MD5 CRT
  Add test case exercising verification of valid MD2 CRT
  Add MD[245] test CRTs to tree
  Add instructions for MD[245] test CRTs to tests/data_files/Makefile
  Add suppport for MD2 to CSR and CRT writing example programs
  Convert further x509parse tests to use lower-case hex data
  Correct placement of ChangeLog entry
  Adapt ChangeLog
  Use SHA-256 instead of MD2 in X.509 CRT parsing tests
  Consistently use lower case hex data in X.509 parsing tests
2019-06-14 08:50:16 +01:00
Jaeden Amero
334ab9b7cb Merge remote-tracking branch 'origin/pr/2498' into mbedtls-2.7
* origin/pr/2498:
  Adapt ChangeLog
  ssl_server2: Fail gracefully if no PEM-encoded CRTs are available
  ssl_server2: Skip CA setup if `ca_path` or `ca_file` argument "none"
  ssl_client2: Fail gracefully if no PEM-encoded CRTs are available
  ssl_client2: Skip CA setup if `ca_path` or `ca_file` argument "none"
2019-06-14 08:48:10 +01:00
Hanno Becker
7bac1ab38a UDP proxy: Don't attempt to dissect dgram into records when dropping
To prevent dropping the same message over and over again, the UDP proxy
test application programs/test/udp_proxy _logically_ maintains a mapping
from records to the number of times the record has already been dropped,
and stops dropping once a configurable threshold (currently 2) is passed.

However, the actual implementation deviates from this logical view
in two crucial respects:
- To keep the implementation simple and independent of
  implementations of suitable map interfaces, it only counts how
  many times a record of a given _size_ has been dropped, and
  stops dropping further records of that size once the configurable
  threshold is passed. Of course, this is not fail-proof, but a
  good enough approximation for the proxy, and it allows to use
  an inefficient but simple array for the required map.
- The implementation mixes datagram lengths and record lengths:
  When deciding whether it is allowed to drop a datagram, it
  uses the total datagram size as a lookup index into the map
  counting the number of times a package has been dropped. However,
  when updating this map, the UDP proxy traverses the datagram
  record by record, and updates the mapping at the level of record
  lengths.

Apart from this inconsistency, the current implementation suffers
from a lack of bounds checking for the parsed length of incoming
DTLS records that can lead to a buffer overflow when facing
malformed records.

This commit removes the inconsistency in datagram vs. record length
and resolves the buffer overflow issue by not attempting any dissection
of datagrams into records, and instead only counting how often _datagrams_
of a particular size have been dropped.

There is only one practical situation where this makes a difference:
If datagram packing is used by default but disabled on retransmission
(which OpenSSL has been seen to do), it can happen that we drop a
datagram in its initial transmission, then also drop some of its records
when they retransmitted one-by-one afterwards, yet still keeping the
drop-counter at 1 instead of 2. However, even in this situation, we'll
correctly count the number of droppings from that point on and eventually
stop dropping, because the peer will not fall back to using packing
and hence use stable record lengths.
2019-06-13 11:19:20 +01:00
k-stachowiak
dff85e7e8a Remove unnecessary empty line 2019-06-13 11:54:49 +02:00
Jaeden Amero
6794f68d29 Update library version to 2.7.11 2019-06-11 17:31:57 +01:00
k-stachowiak
45d0ba15a0 Add a test for signing content with a long ECDSA key
Due to the way the current PK API works, it may have not been clear
for the library clients, how big output buffers they should pass
to the signing functions. Depending on the key type they depend on
MPI or EC specific compile-time constants.

Inside the library, there were places, where it was assumed that
the MPI size will always be enough, even for ECDSA signatures.
However, for very small sizes of the MBEDTLS_MPI_MAX_SIZE and
sufficiently large key, the EC signature could exceed the MPI size
and cause a stack overflow.

This test establishes both conditions -- small MPI size and the use
of a long ECDSA key -- and attempts to sign an arbitrary file.
This can cause a stack overvlow if the signature buffers are not
big enough, therefore the test is performed for an ASan build.
2019-06-10 11:48:38 +02:00
Jaeden Amero
c06b6e0bd2 Merge remote-tracking branch 'origin/pr/2658' into mbedtls-2.7
* origin/pr/2658:
  Create link to include/mbedtls only when testing is enabled
2019-06-06 14:18:43 +01:00
k-stachowiak
eee98e9d82 Add documentation notes about the required size of the signature buffers 2019-06-06 13:07:19 +02:00
k-stachowiak
199707fcff Add missing MBEDTLS_ECP_C dependencies in check_config.h 2019-06-06 13:06:57 +02:00
k-stachowiak
b50c39ca4a Change size of preallocated buffer for pk_sign() calls 2019-06-06 13:06:46 +02:00
Darryl Green
db95d7e99d Show removed symbols in abi check 2019-06-05 12:59:07 +01:00
Hanno Becker
d7bc9ffd24 Correct placement of ChangeLog entry 2019-06-04 14:03:39 +01:00
Hanno Becker
c24e019513 Improve documentation of mbedtls_x509_get_ext()
- Explain the use of explicit ASN.1 tagging for the extensions structuree
- Remove misleading comment which suggests that mbedtls_x509_get_ext()
  also parsed the header of the first extension, which is not the case.
2019-06-04 14:03:27 +01:00
Hanno Becker
53526c70ff Adapt ChangeLog 2019-06-04 14:03:27 +01:00
Hanno Becker
19557c2078 Always return a high-level error code from X.509 module
Some functions within the X.509 module return an ASN.1 low level
error code where instead this error code should be wrapped by a
high-level X.509 error code as in the bulk of the module.

Specifically, the following functions are affected:
- mbedtls_x509_get_ext()
- x509_get_version()
- x509_get_uid()

This commit modifies these functions to always return an
X.509 high level error code.

Care has to be taken when adapting `mbetls_x509_get_ext()`:
Currently, the callers `mbedtls_x509_crt_ext()` treat the
return code `MBEDTLS_ERR_ASN1_UNEXPECTED_TAG` specially to
gracefully detect and continue if the extension structure is not
present. Wrapping the ASN.1 error with
`MBEDTLS_ERR_X509_INVALID_EXTENSIONS` and adapting the check
accordingly would mean that an unexpected tag somewhere
down the extension parsing would be ignored by the caller.

The way out of this is the following: Luckily, the extension
structure is always the last field in the surrounding structure,
so if there is some data remaining, it must be an Extension
structure, so we don't need to deal with a tag mismatch gracefully
in the first place.

We may therefore wrap the return code from the initial call to
`mbedtls_asn1_get_tag()` in `mbedtls_x509_get_ext()` by
`MBEDTLS_ERR_X509_INVALID_EXTENSIONS` and simply remove
the special treatment of `MBEDTLS_ERR_ASN1_UNEXPECTED_TAG`
in the callers `x509_crl_get_ext()` and `x509_crt_get_ext()`.

This renders `mbedtls_x509_get_ext()` unsuitable if it ever
happened that an Extension structure is optional and does not
occur at the end of its surrounding structure, but for CRTs
and CRLs, it's fine.

The following tests need to be adapted:
- "TBSCertificate v3, issuerID wrong tag"
  The issuerID is optional, so if we look for its presence
  but find a different tag, we silently continue and try
  parsing the subjectID, and then the extensions. The tag '00'
  used in this test doesn't match either of these, and the
  previous code would hence return LENGTH_MISMATCH after
  unsucessfully trying issuerID, subjectID and Extensions.
  With the new code, any data remaining after issuerID and
  subjectID _must_ be Extension data, so we fail with
  UNEXPECTED_TAG when trying to parse the Extension data.
- "TBSCertificate v3, UIDs, invalid length"
  The test hardcodes the expectation of
  MBEDTLS_ERR_ASN1_INVALID_LENGTH, which needs to be
  wrapped in MBEDTLS_ERR_X509_INVALID_FORMAT now.

Fixes #2431.
2019-06-04 14:03:27 +01:00
Hanno Becker
1de13dbc49 Obey bounds of ASN.1 substructures
When parsing a substructure of an ASN.1 structure, no field within
the substructure must exceed the bounds of the substructure.
Concretely, the `end` pointer passed to the ASN.1 parsing routines
must be updated to point to the end of the substructure while parsing
the latter.

This was previously not the case for the routines
- x509_get_attr_type_and_value(),
- mbedtls_x509_get_crt_ext(),
- mbedtls_x509_get_crl_ext().
These functions kept using the end of the parent structure as the
`end` pointer and would hence allow substructure fields to cross
the substructure boundary. This could lead to successful parsing
of ill-formed X.509 CRTs.

This commit fixes this.

Care has to be taken when adapting `mbedtls_x509_get_crt_ext()`
and `mbedtls_x509_get_crl_ext()`, as the underlying function
`mbedtls_x509_get_ext()` returns `0` if no extensions are present
but doesn't set the variable which holds the bounds of the Extensions
structure in case the latter is present. This commit addresses
this by returning early from `mbedtls_x509_get_crt_ext()` and
`mbedtls_x509_get_crl_ext()` if parsing has reached the end of
the input buffer.

The following X.509 parsing tests need to be adapted:
- "TBSCertificate, issuer two inner set datas"
  This test exercises the X.509 CRT parser with a Subject name
  which has two empty `AttributeTypeAndValue` structures.
  This is supposed to fail with `MBEDTLS_ERR_ASN1_OUT_OF_DATA`
  because the parser should attempt to parse the first structure
  and fail because of a lack of data. Previously, it failed to
  obey the (0-length) bounds of the first AttributeTypeAndValue
  structure and would try to interpret the beginning of the second
  AttributeTypeAndValue structure as the first field of the first
  AttributeTypeAndValue structure, returning an UNEXPECTED_TAG error.
- "TBSCertificate, issuer, no full following string"
  This test exercises the parser's behaviour on an AttributeTypeAndValue
  structure which contains more data than expected; it should therefore
  fail with MBEDTLS_ERR_ASN1_LENGTH_MISMATCH. Because of the missing bounds
  check, it previously failed with UNEXPECTED_TAG because it interpreted
  the remaining byte in the first AttributeTypeAndValue structure as the
  first byte in the second AttributeTypeAndValue structure.
- "SubjectAltName repeated"
  This test should exercise two SubjectAltNames extensions in succession,
  but a wrong length values makes the second SubjectAltNames extension appear
  outside of the Extensions structure. With the new bounds in place, this
  therefore fails with a LENGTH_MISMATCH error. This commit adapts the test
  data to put the 2nd SubjectAltNames extension inside the Extensions
  structure, too.
2019-06-04 14:03:27 +01:00
Hanno Becker
cba45bd272 Document support for MD2 and MD4 in programs/x509/cert_write 2019-06-03 16:22:19 +01:00
Hanno Becker
b6bf4967de Correct name of X.509 parsing test for well-formed, ill-signed CRT 2019-06-03 16:22:13 +01:00
Hanno Becker
958c41196a Add test cases exercising successful verification of MD2/MD4/MD5 CRT 2019-06-03 16:22:10 +01:00
Hanno Becker
c6b33dbdda Add test case exercising verification of valid MD2 CRT
The X.509 parsing test suite test_suite_x509parse contains a test
exercising X.509 verification for a valid MD4/MD5 certificate in a
profile which doesn't allow MD4/MD5. This commit adds an analogous
test for MD2.
2019-06-03 16:22:08 +01:00
Hanno Becker
dcb1e60521 Add MD[245] test CRTs to tree 2019-06-03 16:22:01 +01:00
Hanno Becker
067f3574b9 Add instructions for MD[245] test CRTs to tests/data_files/Makefile 2019-06-03 16:21:57 +01:00
Hanno Becker
8956362466 Add suppport for MD2 to CSR and CRT writing example programs
The example programs programs/x509/cert_req and programs/x509/cert_write
(demonstrating the use of X.509 CSR and CRT writing functionality)
previously didn't support MD2 signatures.

For testing purposes, this commit adds support for MD2 to cert_req,
and support for MD2 and MD4 to cert_write.
2019-06-03 16:21:53 +01:00
Hanno Becker
fb63a7c532 Convert further x509parse tests to use lower-case hex data 2019-06-03 16:21:32 +01:00
Jaeden Amero
9883e899ef Merge remote-tracking branch 'origin/pr/2665' into mbedtls-2.7
* origin/pr/2665:
  test: Always use `make clean` by itself
2019-06-03 09:56:26 +01:00
Jaeden Amero
c03c6ac955 test: Always use make clean by itself
When running make with parallelization, running both "clean" and "lib"
with a single make invocation can lead to each target building in
parallel. It's bad if lib is partially done building something, and then
clean deletes what was built. This can lead to errors later on in the
lib target.

    $ make -j9 clean lib
      CC    aes.c
      CC    aesni.c
      CC    arc4.c
      CC    aria.c
      CC    asn1parse.c
      CC    ./library/error.c
      CC    ./library/version.c
      CC    ./library/version_features.c
      AR    libmbedcrypto.a
    ar: aes.o: No such file or directory
    Makefile:120: recipe for target 'libmbedcrypto.a' failed
    make[2]: *** [libmbedcrypto.a] Error 1
    Makefile:152: recipe for target 'libmbedcrypto.a' failed
    make[1]: *** [libmbedcrypto.a] Error 2
    Makefile:19: recipe for target 'lib' failed
    make: *** [lib] Error 2
    make: *** Waiting for unfinished jobs....

To avoid this sort of trouble, always invoke clean by itself without
other targets throughout the library. Don't run clean in parallel with
other rules. The only place where clean was run in parallel with other
targets was in list-symbols.sh.
2019-05-31 17:48:48 +01:00
Hanno Becker
253fbfa7ec Correct placement of ChangeLog entry 2019-05-30 11:11:42 +01:00
Hanno Becker
de2a06db9e Adapt ChangeLog 2019-05-30 11:11:24 +01:00
Hanno Becker
29cf243781 Use SHA-256 instead of MD2 in X.509 CRT parsing tests
- Replace 'RSA with MD2' OID '2a864886f70d010102' by
  'RSA with SHA-256' OID '2a864886f70d01010b':
  Only the last byte determines the hash, and
  `MBEDTLS_OID_PKCS1_MD2 == MBEDTLS_OID_PKCS1 "\x02"`
  `MBEDTLS_OID_PKCS1_SHA256 == MBEDTLS_OID_PKCS1 "\x0b"`
  See oid.h.
- Replace MD2 dependency by SHA256 dependency.
- Adapt expected CRT info output.
2019-05-30 11:11:24 +01:00
Hanno Becker
f9681e53f2 Consistently use lower case hex data in X.509 parsing tests 2019-05-30 11:11:24 +01:00
Darryl Green
3e9626ea32 Remove all abi dumps, not just ones shared between versions
While the abi-checking script handled comparing only the modules
that were shared between the old and new versions correctly, the
cleanup of the abi dumps only removed what was shared. Change the
cleanup logic to remove all abi dumps instead.
2019-05-29 13:40:54 +01:00
Renz Christian Bagaporo
dd84440366 Create link to include/mbedtls only when testing is enabled 2019-05-27 16:33:38 +08:00
Jaeden Amero
d605387cec Merge remote-tracking branch 'origin/pr/2649' into mbedtls-2.7
* origin/pr/2649:
  list-symbols.sh: if the build fails, print the build transcript
  Document "check-names.sh -v"
  all.sh: invoke check-names.sh in print-trace-on-exit mode
  Print a command trace if the check-names.sh exits unexpectedly
2019-05-23 15:14:19 +01:00
Jaeden Amero
b8ae1451e2 Merge remote-tracking branch 'origin/pr/2612' into mbedtls-2.7
* origin/pr/2612:
  Adjust backport's documentation to account for missing features
  Backport a doxygen note from development for `mbedtls_ssl_conf_max_frag_len()`
  Update change log
  Reword ssl_conf_max_frag_len documentation for clarity
2019-05-23 15:13:46 +01:00
Gilles Peskine
227ee24c1f list-symbols.sh: if the build fails, print the build transcript
If "make clean lib" fails in list-symbols.sh, print the transcript
from running make.
2019-05-22 19:07:57 +02:00
Gilles Peskine
017adc7c9c Document "check-names.sh -v" 2019-05-22 19:07:57 +02:00
Gilles Peskine
e952fdf2d4 all.sh: invoke check-names.sh in print-trace-on-exit mode 2019-05-15 17:55:22 +02:00
Gilles Peskine
ef39c49cd7 Print a command trace if the check-names.sh exits unexpectedly
We've observed that sometimes check-names.sh exits unexpectedly with
status 2 and no error message. The failure is not reproducible. This
commits makes the script print a trace if it exits unexpectedly.
2019-05-15 17:41:27 +02:00
Jaeden Amero
e58c881418 Merge remote-tracking branch 'origin/pr/2638' into mbedtls-2.7
* origin/pr/2638:
  Only use submodule if present
2019-05-14 16:20:35 +01:00
Jaeden Amero
63098de866 Merge remote-tracking branch 'origin/pr/2494' into mbedtls-2.7
* origin/pr/2494:
  Ignore more generated files: seedfile, apidoc
  Improve .gitignore grouping and documentation
  Generate tags for Vi, for Emacs and with Global
2019-05-14 16:19:46 +01:00
k-stachowiak
8aed8e1612 Adjust backport's documentation to account for missing features 2019-05-10 15:09:21 +02:00
Darryl Green
8194871075 Only use submodule if present
Enabling the USE_CRYPTO_SUBMODULE option causes problems if the
crypto submodule isn't present. For example, when building
mbed-crypto as a submodule, it should use error.c from the parent
project if USE_CRYPTO_SUBMODULE is set. However if the parent
project isn't present, then the build will fail. Only enable it
if the submodule actually exists.
2019-05-09 13:25:56 +01:00
Jaeden Amero
4072bec51e Merge remote-tracking branch 'origin/pr/2563' into mbedtls-2.7
* origin/pr/2563:
  Fix CMake build error on Cygwin and minGW platforms
2019-05-01 09:57:09 +01:00