Commit Graph

16412 Commits

Author SHA1 Message Date
Tautvydas Žilys
ea4af4d345 Don't inline mbedtls_mpi_safe_cond_assign on MSVC/ARM64 to avoid a compiler bug.
Signed-off-by: Tautvydas Žilys <tautvydas.zilys@gmail.com>
2022-01-26 15:44:47 -08:00
Gilles Peskine
98dcb4c024
Merge pull request #5458 from AndrzejKurek/gitignore-eclipse-2-28
Backport 2.28: Add eclipse-specific project files to gitignore
2022-01-25 17:02:58 +01:00
Andrzej Kurek
d5746aa13d Add eclipse-specific project files to gitignore
The project file must be at root directory:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=78438
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-01-25 07:03:06 -05:00
Gilles Peskine
ed29547902
Merge pull request #5452 from AndrzejKurek/doxygen-closure-fixes-2-28
Backport 2.28: doxygen: add missing asterisk to group closures
2022-01-24 21:40:42 +01:00
Andrzej Kurek
fe5fb8e5d2 doxygen: remove empty platform_time configuration section
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-01-24 10:33:13 -05:00
Andrzej Kurek
ff632d5a3c doxygen: move addtogroup closures to include more elements
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-01-24 10:32:00 -05:00
Andrzej Kurek
73afe27d5d Add missing asterisk to doxygen closures
Clarify section names next to closing braces
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-01-24 10:31:06 -05:00
Gilles Peskine
bf62325c9f
Merge pull request #5439 from SebastianBoe/mbedtls-2.28_check_config
Backport 2.28: Add missing config check for PKCS5.
2022-01-22 00:52:18 +01:00
Sebastian Bøe
9db51a6e26 Add missing config check for PKCS5.
PKCS5 depends on MD, but is missing a config check resulting in
obscure errors on invalid configurations.

Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
2022-01-19 13:26:09 +01:00
Manuel Pégourié-Gonnard
4afaba52a9
Merge pull request #5416 from gstrauss/mbedtls_ssl_config_defaults-repeat-2.28
Backport 2.28: Reset dhm_P and dhm_G if config call repeated
2022-01-14 10:41:12 +01:00
Gilles Peskine
bbfa3f1967
Merge pull request #5422 from yanesca/update_mailing_list_links_backport
Update mailing list links [Backport]
2022-01-12 16:47:02 +01:00
Janos Follath
c6935e8b19 Update mailing list links
The mailing list software has been updated and the links have changed.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-01-12 13:17:16 +00:00
Glenn Strauss
de081ce75c Reset dhm_P and dhm_G if config call repeated
Reset dhm_P and dhm_G if call to mbedtls_ssl_config_defaults() repeated
to avoid leaking memory.

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-01-11 20:07:44 -05:00
Gilles Peskine
4ed2844405
Merge pull request #5312 from gilles-peskine-arm/add_list_config_function-2.x
Backport 2.x: Add list config function
2021-12-20 22:08:01 +01:00
Dave Rodgman
53c268e6a9
Merge pull request #873 from ARMmbed/mbedtls-2.28.0_merge_into_release
Mbedtls 2.28.0 merge into release
2021-12-17 11:22:26 +00:00
Dave Rodgman
8b3f26a5ac
Merge pull request #868 from ARMmbed/mbedtls-2.28.0rc0-pr
Mbedtls 2.28.0rc0 pr
2021-12-15 13:47:54 +00:00
Dave Rodgman
d41dab39c5 Bump version to 2.28.0
Executed ./scripts/bump_version.sh --version 2.28.0 --so-tls 14

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-12-15 11:55:31 +00:00
Dave Rodgman
29c3aee6a7 Update branch information in BRANCHES.md
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-12-15 11:53:12 +00:00
Dave Rodgman
f00d9a2340 Minor Changelog updates & fixes
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-12-15 11:52:54 +00:00
Dave Rodgman
0798a827c8 Assemble changelog
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-12-15 11:48:21 +00:00
Ronald Cron
2d2fb47e45 Add change log for #4883
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-15 11:47:25 +00:00
Dave Rodgman
04e920410d Add missing changelog for ARIA (#5051)
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-12-14 12:53:07 +00:00
Dave Rodgman
08412e2a67 Merge remote-tracking branch 'restricted/development_2.x-restricted' into mbedtls-2.28.0rc0-pr
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-12-14 12:52:51 +00:00
Gilles Peskine
c97cc18fb8
Merge pull request #5327 from gilles-peskine-arm/zeroize-tag-2.28
Backport 2.2x: Zeroize expected MAC/tag intermediate variables
2021-12-13 19:09:32 +01:00
Gilles Peskine
f9a0501683 mbedtls_cipher_check_tag: jump on error for more robustness to refactoring
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 16:59:04 +01:00
Gilles Peskine
384b98bdae
Merge pull request #5310 from paul-elliott-arm/pkcs12_fix_2.x
Backport 2.x: Fixes for pkcs12 with NULL and/or zero length password
2021-12-13 14:52:44 +01:00
Gilles Peskine
622d80453b Initialize hash_len before using it
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 14:45:38 +01:00
Gilles Peskine
d61551c017 Generalize MAC zeroization changelog entry
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 13:55:17 +01:00
Gilles Peskine
8c99a760d5 PKCS#1v1.5 signature: better cleanup of temporary values
Zeroize temporary buffers used to sanity-check the signature.

If there is an error, overwrite the tentative signature in the output
buffer.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 13:55:17 +01:00
Gilles Peskine
f91b2e5a97 mbedtls_ssl_parse_finished: zeroize expected finished value on error
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 13:55:17 +01:00
Gilles Peskine
69d3b86baa mbedtls_ssl_cookie_check: zeroize expected cookie on cookie mismatch
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 13:49:14 +01:00
Gilles Peskine
b3f4e5b1e1 PSA hash verification: zeroize expected hash on hash mismatch
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 13:49:14 +01:00
Gilles Peskine
dc269bbd08 mbedtls_cipher_check_tag: zeroize expected tag on tag mismatch
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 13:49:14 +01:00
Paul Elliott
5752b4b7d0 Add expected output for tests
Expected output generated by OpenSSL (see below) apart from the case
where both password and salt are either NULL or zero length, as OpenSSL
does not support this. For these test cases we have had to use our own
output as that which is expected. Code to generate test cases is as
follows:

 #include <openssl/pkcs12.h>
 #include <openssl/evp.h>
 #include <string.h>

int Keygen_Uni( const char * test_name, unsigned char *pass, int
    passlen, unsigned char *salt,
                    int saltlen, int id, int iter, int n,
                                    unsigned char *out, const EVP_MD
                                    *md_type )
{
   size_t index;

   printf( "%s\n", test_name );

   int ret = PKCS12_key_gen_uni( pass, passlen, salt, saltlen, id, iter,
                                        n, out, md_type );

   if( ret != 1 )
   {
         printf( "Key generation returned %d\n", ret );
      }
   else
   {
         for( index = 0; index < n; ++index )
         {
                  printf( "%02x", out[index] );
               }

         printf( "\n" );
      }

   printf( "\n" );

}

int main(void)
{
   unsigned char out_buf[48];
   unsigned char pass[64];
   int pass_len;
   unsigned char salt[64];
   int salt_len;

   /* If ID=1, then the pseudorandom bits being produced are to be used
      as key material for performing encryption or decryption.

            If ID=2, then the pseudorandom bits being produced are to be
            used as an IV (Initial Value) for encryption or decryption.

                  If ID=3, then the pseudorandom bits being produced are
                  to be used as an integrity key for MACing.
                     */

   int id = 1;
   int iter = 3;

   memset( out_buf, 0, sizeof( out_buf ) );
   memset( pass, 0, sizeof( pass ) );
   memset( salt, 0, sizeof( salt ) );

   Keygen_Uni( "Zero length pass and salt", pass, 0, salt, 0, id, iter,
       sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   memset( out_buf, 0, sizeof( out_buf ) );

   Keygen_Uni( "NULL pass and salt", NULL, 0, NULL, 0, id, iter,
       sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   memset( out_buf, 0, sizeof( out_buf ) );

   salt[0] = 0x01;
   salt[1] = 0x23;
   salt[2] = 0x45;
   salt[3] = 0x67;
   salt[4] = 0x89;
   salt[5] = 0xab;
   salt[6] = 0xcd;
   salt[7] = 0xef;

   Keygen_Uni( "Zero length pass", pass, 0, salt, 8, id, iter,
       sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   memset( out_buf, 0, sizeof( out_buf ) );

   Keygen_Uni( "NULL pass", NULL, 0, salt, 8, id, iter, sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   memset( out_buf, 0, sizeof( out_buf ) );
   memset( salt, 0, sizeof( salt ) );

   pass[0] = 0x01;
   pass[1] = 0x23;
   pass[2] = 0x45;
   pass[3] = 0x67;
   pass[4] = 0x89;
   pass[5] = 0xab;
   pass[6] = 0xcd;
   pass[7] = 0xef;

   Keygen_Uni( "Zero length salt", pass, 8, salt, 0, id, iter,
       sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   memset( out_buf, 0, sizeof( out_buf ) );

   Keygen_Uni( "NULL salt", pass, 8, NULL, 0, id, iter, sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   memset( out_buf, 0, sizeof( out_buf ) );

   salt[0] = 0x01;
   salt[1] = 0x23;
   salt[2] = 0x45;
   salt[3] = 0x67;
   salt[4] = 0x89;
   salt[5] = 0xab;
   salt[6] = 0xcd;
   salt[7] = 0xef;

   Keygen_Uni( "Valid pass and salt", pass, 8, salt, 8, id, iter,
       sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   return 0;
}

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-13 11:15:28 +00:00
Paul Elliott
c89e209ded Remove incorrect hashing
Incorrect interpretation of 'empty'

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-13 11:14:45 +00:00
Paul Elliott
8d7eef470b Add explanation for safety in function
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-13 11:14:45 +00:00
Paul Elliott
7a342a24ff Delete unneccesary changelog entry
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-13 11:14:45 +00:00
Paul Elliott
270a264b78 Simplify Input usage macros
Also ensure they are used in test data rather than values

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-13 11:14:45 +00:00
Paul Elliott
73051b4176 Rename (and relabel) pkcs12 test case
Remove surplus _test suffix. Change labeling from Pcks12 to PCKS#12 as
it should be.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-13 11:14:45 +00:00
Paul Elliott
8ca8f2d163 Remove incorrect test dependency
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-13 11:14:45 +00:00
Paul Elliott
ce22008c63 Documentation fixes
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-13 11:14:45 +00:00
Paul Elliott
2ab9a7a57a Stop CMake out of source tests running on 16.04
Running the out of source CMake test on Ubuntu 16.04 using more than one
processor (as the CI does) can create a race condition whereby the build
fails to see a generated file, despite that file actually having been
generated. This problem appears to go away with 18.04 or newer, so make
the out of source tests not supported on Ubuntu 16.04

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-13 11:14:45 +00:00
Paul Elliott
1a3540afbe Fix missing test dependancies
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-13 11:14:45 +00:00
Paul Elliott
13d5a3429a Add PKCS12 tests
Only regression tests for the empty password bugs for now. Further tests
will follow later.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-13 11:14:23 +00:00
Dave Rodgman
1c68ba1afd
Merge pull request #5314 from gilles-peskine-arm/missing-ret-check-mbedtls_md_hmac-2.x
Backport 2.x: Check HMAC return values
2021-12-13 10:51:28 +00:00
Gilles Peskine
2b3f21dc0b Catch failures of md_hmac operations
Declare mbedtls_md functions as MBEDTLS_CHECK_RETURN_TYPICAL, meaning that
their return values should be checked.

Do check the return values in our code. We were already doing that
everywhere for hash calculations, but not for HMAC calculations.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-11 15:02:06 +01:00
Gilles Peskine
d8e2e8347b Zeroize local MAC variables
Zeroize local MAC variables used for CBC+HMAC cipher suites. In encryption,
this is just good hygiene but probably not needed for security since the
data protected by the MAC that could leak is about to be transmitted anyway.
In DTLS decryption, this could be a security issue since an adversary could
learn the MAC of data that they were trying to inject. At least with
encrypt-then-MAC, the adversary could then easily inject a datagram with
a corrected packet. TLS would still be safe since the receiver would close
the connection after the bad MAC.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-11 14:24:23 +01:00
Gilles Peskine
9e8f3a6b71
Merge pull request #5308 from minosgalanakis/development_2.x
Backport 2.x: Document platform architecture portability constraints
2021-12-10 21:13:09 +01:00
Gilles Peskine
5e41e0e934 Update generated file
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-10 20:19:30 +01:00
Jerry Yu
47569e097e fix help message issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 20:19:05 +01:00