Commit Graph

10166 Commits

Author SHA1 Message Date
Gilles Peskine
db0cb2578c Fix CTR_DRBG benchmark
You can't reuse a CTR_DRBG context without free()ing it and
re-init()ing. This generally happened to work, but was never
guaranteed. It could have failed with alternative implementations of
the AES module because mbedtls_ctr_drbg_seed() calls
mbedtls_aes_init() on a context which is already initialized if
mbedtls_ctr_drbg_seed() hasn't been called before, plausibly causing a
memory leak. Calling free() and seed() with no intervening init fails
when MBEDTLS_THREADING_C is enabled and all-bits-zero is not a valid
mutex representation. So add the missing free() and init().
2020-02-11 19:26:27 +01:00
Gilles Peskine
e732f04443 cmake: link programs that only use x509 with libmbedx509
When building with CMake, for sample programs that only use
functionality in libmbedcrypto and libmbedx509, link with
libmbedx509, not with libmbedtls.

cert_app makes a TLS connection, so do link it with libmbedtls.
2020-02-11 19:26:27 +01:00
Gilles Peskine
e123395317 cmake: link programs that only use crypto with libmbedcrypto
When building with CMake, for sample programs that only use
functionality in libmbedcrypto (i.e. crypto and platform), link with
libmbedcrypto, not with libmbedtls.

This doesn't change the result, because the linker skips libraries in
which no symbol is used, but it changes the build dependencies, and it
has the advantage of bringing programs/*/CMakeLists.txt closer to the
corresponding files under crypto/.

The programs concerned are crypto sample and test programs, and
programs that only use (potential) platform functions such as
mbedtls_printf. dh_client and dh_server keep linking with mbedtls
because they use functions from the net_sockets module.
2020-02-11 19:26:27 +01:00
Jaeden Amero
7cb47de12a query_config: Move to programs/test
As the SSL programs, like ssl_client2 and ssl_server2, are dependent on
SSL and therefore about to be removed, the only consumer of query_config
is the query_compile_time_config test. As such, it makes sense to move
query_config to be next to what uses it.
2020-02-11 19:26:27 +01:00
Jaeden Amero
93a0f90dca pkey/rsa_genkey: Remove commented out code
There is some commented out X.509 certificate writing code present in
rsa_genkey. It looks like it has been commented out since the beginning
of time. Let's remove it, since commented out code is not in good style.
2020-02-11 19:26:27 +01:00
Jaeden Amero
ed736992d5 pkey: Remove dependency on X.509 2020-02-11 19:26:27 +01:00
Gilles Peskine
8de196a590 programs/Makefile: List all programs one by one
This makes it easier to add or remove programs as well as see which
programs were added or removed in diffs.

Side port of 30fae8ee7d in mbed-crypto.
2020-02-11 19:26:27 +01:00
Manuel Pégourié-Gonnard
4c08dd4e71
Merge pull request #2852 from gilles-peskine-arm/2.19-fix-full-Os
Fix and test the full config with gcc and clang
2020-02-11 09:17:02 +01:00
Jaeden Amero
00c858cfee
Merge pull request #3022 from piotr-now/test-suite-sending-app-data
Add tests for data transfer to test suites
2020-02-07 09:52:27 +00:00
Piotr Nowicki
c3fca5e876 Add tests with sending application data to test_suite_ssl 2020-02-07 09:14:04 +01:00
Janos Follath
755548538e
Merge pull request #3033 from yanesca/revert_pr_3008
Revert "Merge pull request #3008 from jp-bennett/development"
2020-02-05 15:12:46 +00:00
Jaeden Amero
c64eb63aaa
Merge pull request #3021 from AndrzejKurek/handshake-tests
Handshake tests with mocked I/O callbacks
2020-02-05 13:50:20 +00:00
Andrzej Kurek
cc5169ce32 Add a PSK test to the mocked ssl handshake tests 2020-02-05 07:26:19 -05:00
Gilles Peskine
5da20cc569
Merge pull request #3023 from gilles-peskine-arm/config-crypto
Add crypto-only preset configurations
2020-02-05 11:17:56 +01:00
Janos Follath
85de7a6018 Revert "Merge pull request #3008 from jp-bennett/development"
This reverts commit c0c92fea3d, reversing
changes made to bfc73bcfd2.

stat() will never return S_IFLNK as the file type, as stat() explicitly
follows symlinks.

Fixes #3005.
2020-02-04 14:12:03 +00:00
Andrzej Kurek
f40daa3f05 Add version & ciphersuite tests to ssl handshake
Add tests exercising various protocol versions and ciphersuites
in the mocked ssl handshake.
2020-02-04 09:00:01 -05:00
Manuel Pégourié-Gonnard
0330e21043 Merge branch 'public/pr/2261' into development
* iotssl-2652-deprecate-pkcs11:
  Group PKCS11_C entries in check_config.h
  Clarify that what we're dropping is pkcs11-helper support
  Fix typo in doxy docs for ssl_pkcs11_sign()
  Add missing docs to PKCS#11 public funcs
  Wrap PKCS1 module with DEPRECATED_REMOVED
  Fix deprecated docs for PKCS1
  Deprecate MBEDTLS_PKCS11_C functions
  Add ChangeLog entry for MBEDTLS_PKCS11_C deprecation
  Deprecate MBEDTLS_PKCS11_C feature
2020-02-04 12:39:34 +01:00
Janos Follath
148c3deba1
Merge pull request #3018 from mpg/fix-ssl-opt-gnutls-no-sha1
Fix ssl-opt.sh for GnuTLS versions rejecting SHA-1
2020-02-04 11:18:04 +00:00
Manuel Pégourié-Gonnard
320f4d9c98 Group PKCS11_C entries in check_config.h 2020-02-04 09:17:29 +01:00
Gilles Peskine
ec10bf1385 Test GCC and Clang with common build options
Goals:
* Build with common compilers with common options, so that we don't
  miss a (potentially useful) warning only triggered with certain
  build options.
* A previous commit removed -O0 test jobs, leaving only the one with
  -m32. We have inline assembly that is disabled with -O0, falling
  back to generic C code. This commit restores a test that runs the
  generic C code on a 64-bit platform.
2020-02-03 19:52:36 +01:00
Gilles Peskine
6ec0f0f6d0 Replace -O0 by -O1 or -Os in most components
Gcc skips some analyses when compiling with -O0, so we may miss
warnings about things like uninitialized variables.
2020-02-03 19:52:36 +01:00
Gilles Peskine
4e8b594002 Fix uninitialized variable in an edge case
If `context_buf = mbedtls_calloc( 1, buf_len )` failed,
`context_buf_len` was not initialized. Noticed by
`gcc -Os -Werror=maybe-uninitialized`.

This was only a problem in ssl_server2 (a test program), only with
MBEDTLS_SSL_CONTEXT_SERIALIZATION enabled.
2020-02-03 19:49:55 +01:00
Janos Follath
2fdb1af18c
Merge pull request #2236 from andresag01/iotssl-2156-deprecate-sslv3
Deprecate SSLv2 parsing and SSLv3
2020-02-03 15:11:33 +00:00
Gilles Peskine
6bb3915e96 Always use "-O1 -Werror" in crypto-only test builds
Pass -Werror because any compiler warning would be suspicious. Pass
-O1 because at -O0, gcc doesn't do as much analysis.
2020-02-03 11:59:20 +01:00
Andrzej Kurek
b29807413e Refactor certificates and keys in ssl handshake mock tests
Let the caller decide what certificates and keys are loaded (EC/RSA)
instead of loading both for the server, and an unspecified one 
for the client. Use only DER encoding.
2020-02-02 19:25:26 -05:00
Gilles Peskine
36ce88be1e
Merge pull request #2999 from catenacyber/fuzzrsa
Checks mbedtls_rsa_export return in fuzz targets
2020-01-31 16:38:43 +01:00
Gilles Peskine
512d040963
Merge pull request #2964 from gilles-peskine-arm/psa-streamline_encodings-types_and_curves-ls
USE_PSA_CRYPTO: update elliptic curve encoding
2020-01-31 16:30:02 +01:00
Jaeden Amero
2b91abaae6
Merge pull request #2984 from piotr-now/iotssl-2955-move-handshake-to-prescribed-state
Add test for prescribed states of handshake with the custom IO callbacks
2020-01-31 14:16:53 +00:00
Gilles Peskine
ec541fe0a1 Add test components for crypto-only builds
For each of the crypto-only presets, run the build and check that the
resulting libmbedx509 and libmbedtls are empty.

Don't bother testing, because for each crypto-only preset, another
component builds that plus the x509 and tls parts and tests
everything.
2020-01-31 15:14:18 +01:00
Gilles Peskine
31987c6b88 Add config presets with only crypto
Add config presets with only the crypto parts of the default
configuration, of "full" and of "baremetal".
2020-01-31 15:14:18 +01:00
Gilles Peskine
42459805ce USE_PSA_CRYPTO: don't rely on the curve encoding
Adapt to the change of encoding of elliptic curve key types in PSA
crypto. Before, an EC key type encoded the TLS curve identifier. Now
the EC key type only includes an ad hoc curve family identifier, and
determining the exact curve requires both the key type and size. This
commit moves from the old encoding and old definitions from
crypto/include/mbedtls/psa_util.h to the new encoding and definitions
from the immediately preceding crypto submodule update.
2020-01-31 14:57:43 +01:00
Gilles Peskine
81d3100250 Update crypto submodule
Previously in d8752858fc:
* #333: Streamline PSA key type encodings: prepare
* #323: Initialise return values to an error

Previously in dbcb44202c:
* #291: Test MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
* #334: Fix some pylint warnings

Previously in ceceedb532:
* #348: Bump version to Mbed TLS 2.20.0 and crypto SO version to 4
* #354: Fix incrementing pointer instead of value

In this commit:
* #349: Fix minor defects found by Coverity
* #179: Add option to build SHA-512 without SHA-384
* #327: Implement psa_hash_compute and psa_hash_compare
* #330: Streamline PSA key type and curve encodings
2020-01-31 14:57:16 +01:00
Gilles Peskine
f4e672ec9e Add missing compilation guards in test suite
Fix the build when MBEDTLS_USE_PSA_CRYPTO is set but
MBEDTLS_X509_CSR_WRITE_C is not.
2020-01-31 14:22:10 +01:00
Manuel Pégourié-Gonnard
03035eb943 Stop testing ssl3 when it isn't enabled
We already have a specific component in all.sh for testing SSLv3, we don't
need to also test it in components that aren't specifically about it.

Previously config.py full enabled SSLv3, but it no longer does since it is
deprecated.
2020-01-31 12:40:36 +01:00
Piotr Nowicki
2a1f178d7c Add test for prescribed states of handshake with the custom IO callbacks 2020-01-31 10:06:04 +01:00
Manuel Pégourié-Gonnard
ead19fecf9
Merge pull request #2975 from mpg/add-zlib-tests-dev
Add zlib tests and fix runtime bug
2020-01-31 09:22:24 +01:00
Janos Follath
b719d4bede Merge pull request #2963 from jiblime/zlib-fix into development 2020-01-30 16:15:16 +00:00
Manuel Pégourié-Gonnard
bc4da29d06 De-duplicate SHA1-independent test in ssl-opt.sh
The splitting of this test into two versions depending on whether SHA-1 was
allowed by the server was a mistake in
5d2511c4d4 - the test has nothing to do with
SHA-1 in the first place, as the server doesn't request a certificate from
the client so it doesn't matter if the server accepts SHA-1 or not.
2020-01-30 12:45:14 +01:00
Jaeden Amero
79ef1d4e55
Merge pull request #2987 from AndrzejKurek/iotssl-2958-datagram-transport-simulated
Message transport mocks in ssl tests
2020-01-30 10:23:27 +00:00
Manuel Pégourié-Gonnard
77cbeff04c Fix ssl-opt.sh for GnuTLS versions rejecting SHA-1
While the whole script makes (often implicit) assumptions about the version of
GnuTLS used, generally speaking it should work out of the box with the version
packaged on our reference testing platform, which is Ubuntu 16.04 so far.

With the update from Jan 8 2020 (3.4.10-4ubuntu1.6), the patches for rejecting
SHA-1 in certificate signatures were backported, so we should avoid presenting
SHA-1 signed certificates to a GnuTLS peer in ssl-opt.sh.
2020-01-30 11:22:57 +01:00
Manuel Pégourié-Gonnard
2b9ebce4e1 Remove deprecated modules from config.py full 2020-01-30 10:16:15 +01:00
Andres Amaya Garcia
835b299e5e Fix wording of deprecated docs for SSL2 and SSL3 features 2020-01-30 10:16:15 +01:00
Andres Amaya Garcia
e58532e1db Favour DEPRECATED_REMOVED over DEPRECATED_WARNING 2020-01-30 10:16:15 +01:00
Andres Amaya Garcia
88c2cc7213 Deprecate MBEDTLS_SSL_PROTO_SSL3 2020-01-30 10:16:15 +01:00
Andres Amaya Garcia
09634248cb Deprecate MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO 2020-01-30 10:16:13 +01:00
Manuel Pégourié-Gonnard
d020bfc396
Merge pull request #2949 from zfields/patch-1
[cmake] Propagate public headers
2020-01-30 09:53:16 +01:00
Janos Follath
ba1150f822 Merge pull request #2995 from gilles-peskine-arm/coverity-20200115-tls into development 2020-01-29 14:51:24 +00:00
Gilles Peskine
907e95aa20 Clarify that what we're dropping is pkcs11-helper support
The PKCS11 module does not directly interface with PKCS#11 (also known
as Cryptoki), but with the pkcs11-helper library.
2020-01-29 09:40:32 +01:00
Andres Amaya Garcia
312431b398 Fix typo in doxy docs for ssl_pkcs11_sign() 2020-01-29 09:40:32 +01:00
Andres Amaya Garcia
b37268d916 Add missing docs to PKCS#11 public funcs 2020-01-29 09:40:32 +01:00