Commit Graph

7549 Commits

Author SHA1 Message Date
Gilles Peskine
ea4cc855e2 Test SSL with non-deterministic ECDSA
In component_test_no_hmac_drbg, the fact that HMAC_DRBG is disabled
doesn't affect the SSL code, but the fact that deterministic ECDSA is
disabled does. So run some ECDSA-related SSL tests.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-03 16:43:19 +00:00
Gilles Peskine
9c1ae18c9c
Merge pull request #4090 from gilles-peskine-arm/test-mutex-usage-count-2.7
Backport 2.7: test and fix mutex usage
2021-02-23 15:14:53 +01:00
Gilles Peskine
2de4691bb0 Make entropy double-free work
Although the library documentation does not guarantee that calling
mbedtls_entropy_free() twice works, it's a plausible assumption and it's
natural to write code that frees an object twice. While this is uncommon for
an entropy context, which is usually a global variable, it came up in our
own unit tests (random_twice tests in test_suite_random in the
development branch).

Announce this in the same changelog entry as for RSA because it's the same
bug in the two modules.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-23 11:28:19 +01:00
Gilles Peskine
9f97f95225 Add init-free tests for entropy
These tests validate that an entropy object can be reused and that
calling mbedtls_entropy_free() twice is ok.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-23 11:25:07 +01:00
Gilles Peskine
58a39e02da Fix typo in documentation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-15 18:21:55 +01:00
Gilles Peskine
e8505e37df Document mutex usage for RSA
The mutex is now initialized iff ver != 0.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 16:19:35 +01:00
Gilles Peskine
3be78f318c Changelog entry for RSA mutex usage fix
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 16:19:12 +01:00
Gilles Peskine
22dc2e7a9b Fix mutex leak in RSA
mbedtls_rsa_gen_key() was not freeing the RSA object, and specifically
not freeing the mutex, in some error cases.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine
d7e82ad9bf Fix mutex double-free in RSA
When MBEDTLS_THREADING_C is enabled, RSA code protects the use of the
key with a mutex. mbedtls_rsa_free() frees this mutex by calling
mbedtls_mutex_free(). This does not match the usage of
mbedtls_mutex_free(), which in general can only be done once.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine
54e7e2bdc7 Add init-free tests for RSA
These tests are trivial except when compiling with MBEDTLS_THREADING_C
and a mutex implementation that is picky about matching each
mbedtls_mutex_init() with exactly one mbedtls_mutex_free().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine
ff754e67ae Add missing cleanup in a test function
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine
e525bc830f Changelog entry for DRBG mutex usage fix
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine
94bf03330b Document thread safety for HMAC_DRBG
random(), and only this function, is thread-safe.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine
3ec7f57482 Document mutex invariant for HMAC_DRBG
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine
a9857af16a Fix mutex leak in HMAC_DRBG
mbedtls_hmac_drbg_free() left a mutex in the initialized state. This
caused a resource leak on platforms where mbedtls_mutex_init()
allocates resources.

To fix this, mbedtls_hmac_drbg_free() no longer reinitializes the
mutex. To preserve the property that mbedtls_hmac_drbg_free() leaves
the object in an initialized state, which is generally true throughout
the library except regarding mutex objects on some platforms, no
longer initialize the mutex in mbedtls_hmac_drbg_init(). Since the
mutex is only used after seeding, and seeding is only permitted once,
call mbedtls_mutex_init() as part of the seeding process.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine
275598d3fa Document thread safety for CTR_DRBG
random(), and only this function, is thread-safe.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine
6e2cf25639 Document mutex invariant for CTR_DRBG
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine
085b69f8fd Fix mutex leak in CTR_DRBG
mbedtls_ctr_drbg_free() left a mutex in the initialized state. This
caused a resource leak on platforms where mbedtls_mutex_init()
allocates resources.

To fix this, mbedtls_ctr_drbg_free() no longer reinitializes the
mutex. To preserve the property that mbedtls_ctr_drbg_free() leaves
the object in an initialized state, which is generally true throughout
the library except regarding mutex objects on some platforms, no
longer initialize the mutex in mbedtls_ctr_drbg_init(). Since the
mutex is only used after seeding, and seeding is only permitted once,
call mbedtls_mutex_init() as part of the seeding process.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine
5710732145 Explain the usage of is_valid in pthread mutexes
Document the usage inside the library, and relate it with how it's
additionally used in the test code.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:57:03 +01:00
Gilles Peskine
df8db9ace2 Count and report non-freed mutexes
Subtract the number of calls to mbedtls_mutex_free() from the number
of calls to mbedtls_mutex_init(). A mutex leak will manifest as a
positive result at the end of the test case.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:55:15 +01:00
Gilles Peskine
0abb8e4bd8 Detect and report mutex usage errors
If the mutex usage verification framework is enabled and it detects a
mutex usage error, report this error and mark the test as failed.

This detects most usage errors, but not all cases of using
uninitialized memory (which is impossible in full generality) and not
leaks due to missing free (which will be handled in a subsequent commit).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:55:15 +01:00
Gilles Peskine
44498ff9eb Mutex usage testing: set up wrapper functions
When using pthread mutexes (MBEDTLS_THREADING_C and
MBEDTLS_THREADING_PTHREAD enabled), and when test hooks are
enabled (MBEDTLS_TEST_HOOKS), set up wrappers around the
mbedtls_mutex_xxx abstraction. In this commit, the wrapper functions
don't do anything yet.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:55:15 +01:00
Gilles Peskine
e137ebce7f Fix off-by-one error in #line directives
The line number is the number of the next line.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:55:15 +01:00
Gilles Peskine
da174241b8 Remove reference to a document that doesn't exist in this branch
Don't reference the architecture document. This is an LTS branch and
new invasive tests are only going to be introduced as (perhaps partial
or adapted) backports of invasive tests from development anyway.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-12 15:55:15 +01:00
Manuel Pégourié-Gonnard
3ec34a81ee
Merge pull request #4135 from gilles-peskine-arm/ssl-opt-server-failure-2.7
Backport 2.7: ssl-opt.sh: if the server fails, do treat it as a test failure
2021-02-12 12:16:19 +01:00
Gilles Peskine
8607f069e7 ssl-opt.sh: Only check the server exit for Mbed TLS
We care about the exit code of our server, for example if it's
reporting a memory leak after having otherwise executed correctly.

We don't care about the exit code of the servers we're using for
interoperability testing (openssl s_server, gnutls-serv). We assume
that they're working correctly anyway, and they return 1 (gnutls-serv)
or die by the signal handle the signal (openssl) when killed by a
signal.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-10 13:07:05 +01:00
Gilles Peskine
028ca780a8 ssl-opt.sh: if the server fails, do treat it as a test failure
This used to be the case a long time ago but was accidentally broken.

Fix <github:nogrep> #4103 for ssl-opt.sh.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-10 13:06:48 +01:00
Janos Follath
b729e4c474
Merge pull request #4099 from d-otte/mbedtls-2.7
Backport 2.7: wrong RSA_PRV_DER_MAX_BYTES for odd MBEDTLS_MPI_MAX_SIZE
2021-02-02 16:14:52 +00:00
Janos Follath
ec1909d10b
Merge pull request #4077 from gilles-peskine-arm/mpi_sub_abs-buffer_overflow-2.7
Backport 2.7: Fix buffer overflow in mbedtls_mpi_sub_abs negative case
2021-02-02 13:10:14 +00:00
Daniel Otte
b49815a88f adding changelog entry for issue #4093
Signed-off-by: Daniel Otte <d.otte@wut.de>
2021-02-02 12:44:07 +01:00
Daniel Otte
4490fc6a38 adding parentheses to macro definitions, to avoid confusion and possible mistakes in usage.
Signed-off-by: Daniel Otte <d.otte@wut.de>
2021-02-01 18:53:22 +01:00
Daniel Otte
f9111bbdd8 avoid erroneous computation of RSA_PRV_DER_MAX_BYTES if MBEDTLS_MPI_MAX_SIZE is odd.
if MBEDTLS_MPI_MAX_SIZE is odd then RSA_PRV_DER_MAX_BYTES will be two less than expected, since the macros are lacking parentheses.


Signed-off-by: Daniel Otte <d.otte@wut.de>
2021-02-01 18:52:36 +01:00
Gilles Peskine
54c3046eea mbedtls_mpi_sub_abs: fix buffer overflow in error case
Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
|A| - |B| where |B| is larger than |A| and has more limbs (so the
function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE).

Fix #4042

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:39:51 +01:00
Gilles Peskine
b20bbd1ddc Add mpi_sub_abs negative tests with a larger-in-size second operand
Add test cases for mbedtls_mpi_sub_abs() where the second operand has
more limbs than the first operand (which, if the extra limbs are not
all zero, implies that the function returns
MBEDTLS_ERR_MPI_NEGATIVE_VALUE).

This exposes a buffer overflow (reported in #4042).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-01 13:38:23 +01:00
Gilles Peskine
04ea1064a6 Declare MBEDTLS_TEST_HOOKS in config.h
When this option is enabled, the product includes additional
interfaces that enable additional tests. This option should not be
enabled in production, but is included in the "full" build to enable
the extra tests.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-29 19:08:23 +01:00
Gilles Peskine
a0d5d77b2d Use $ASAN_FLAGS instead of repeating its contents
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-13 22:24:51 +01:00
Janos Follath
78d9663ace
Merge pull request #788 from ARMmbed/dev/yanesca/mbedtls-2.7.18r0-pr
Prepare Release Candidate for Mbed TLS 2.7.18
2020-12-10 12:53:55 +00:00
Janos Follath
431f42d531 Add missing Changelog entry
Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-12-09 16:46:30 +00:00
Janos Follath
bd06112bc2 Finalize ChangeLog
Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-12-09 01:36:05 +00:00
Janos Follath
dde20224e6 Bump version to Mbed TLS 2.7.18
Executed ./scripts/bump_version.sh --version 2.7.18

Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-12-09 01:22:11 +00:00
Janos Follath
c3ab4053ad Assemble ChangeLog
Executed scripts/assemble_changelog.py.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-12-09 00:34:41 +00:00
Janos Follath
baa3f3b377 Fix Changelog format
Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-12-09 00:33:43 +00:00
Janos Follath
3c463b51d0 Merge branch 'mbedtls-2.7-restricted' into mbedtls-2.7.18r0-pr
2020-12-08 21:00:50 +00:00
Gilles Peskine
dcba585f54
Merge pull request #3945 from paul-elliott-arm/fix_pem_write_2_7
Backport 2.7: Add tests for buffer corruption after PEM write
2020-12-08 12:31:52 +01:00
Paul Elliott
102bac7a46 Add tests for buffer corruption after PEM write
Zero remaining bytes in buffer after writing PEM data and add checks to
ensure that this is the case.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2020-12-07 16:49:30 +00:00
Ronald Cron
8e556f8f9a
Merge pull request #3937 from geecrypt/mbedtls-2.7
Backport to Mbedtls 2.7: Support set *_drbg reseed interval before seed
2020-12-07 14:30:04 +01:00
Gilles Peskine
5b1cb8873d
Merge pull request #3725 from gilles-peskine-arm/ecp-bignum-error-checks-2.7
Backport 2.7: add some missing error checks in ECP and bignum
2020-12-07 13:06:36 +01:00
Janos Follath
0805cb2f52
Merge pull request #783 from chris-jones-arm/mbedtls-2.7-restricted
[Backport 2.7] Fix Diffie-Hellman large key size DoS
2020-12-07 09:27:32 +00:00
gacquroff
57f1f9b963 Add changelog entry file for bugfix 2927
Signed-off-by: gacquroff <gavina352@gmail.com>
2020-12-03 13:10:24 -08:00
Gavin Acquroff
ceb9990a69 Support set *_drbg reseed interval before seed
mbedtls_ctr_drbg_set_reseed_interval() and
mbedtls_hmac_drbg_set_reseed_interval() can now be called before
their seed functions and the reseed_interval value will persist.
Previously it would be overwritten with the default value.

*_drbg_reseed_interval is now set in init() and free().

mbedtls_ctr_drbg_free() and mbedtls_hmac_drbg_free() now
reset the drbg context to the state immediately after init().

Tests:
- Added test to check that DRBG reseeds when reseed_counter
reaches reseed_interval, if reseed_interval set before seed
and reseed_interval is less than MBEDTLS_*_DRBG_RESEED_INTERVAL.

Signed-off-by: gacquroff <gavina352@gmail.com>
2020-12-03 13:08:37 -08:00