Commit Graph

9004 Commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
ef98d49997 Merge remote-tracking branch 'restricted/pr/670' into mbedtls-2.16-restricted
* restricted/pr/670:
  Parse HelloVerifyRequest buffer overread: add changelog entry
  Parse HelloVerifyRequest: avoid buffer overread at the start
  Parse HelloVerifyRequest: avoid buffer overread on the cookie
2020-04-09 11:56:09 +02:00
Janos Follath
3a1b209f9e
Merge pull request #676 from ARMmbed/ecc-projective-2.16-restricted
[backport 2.16] Fix leakage of projective coordinates in ECC
2020-04-06 15:23:38 +01:00
Manuel Pégourié-Gonnard
f60041688c Fix leakage of projective coordinates in ECC
See the comments in the code for how an attack would go, and the ChangeLog
entry for an impact assessment. (For ECDSA, leaking a few bits of the scalar
over several signatures translates to full private key recovery using a
lattice attack.)

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-04-01 11:02:18 +02:00
Janos Follath
bfa0f7d540
Merge pull request #3143 from gilles-peskine-arm/unmet_dependencies-int-2.16
[2.16 only] Since unmet_dependencies stores integers, represent them as int
2020-03-31 15:38:32 +01:00
Gilles Peskine
e8caf2634b Since unmet_dependencies stores integers, represent them as int
Since unmet_dependencies only ever contains strings that are integers
written out in decimal, store the integer instead. Do this
unconditionally since it doesn't cost any extra memory.

This commit saves a little memory and more importantly avoids a gotcha
with uninitialized pointers which caused a bug on development (the
array was only initialized in verbose mode).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-31 10:57:32 +02:00
Manuel Pégourié-Gonnard
edb58adaa1
Merge pull request #3106 from mpg/3013-2.16
[backport 2.16] Fix function name in error message
2020-03-31 09:53:29 +02:00
Gilles Peskine
96955d5c55
Merge pull request #3114 from mpg/ssl-opt-names-2.16
[Backport 2.16] Improve some test names in ssl-opt.sh
2020-03-24 19:48:15 +01:00
Manuel Pégourié-Gonnard
98a879a806 Improve some test names in ssl-opt.sh
- "Default" should only be used for tests that actually use the defaults (ie,
  not passing options on the command line, except maybe debug/dtls)
- All tests in the "Encrypt then MAC" group should start with that string as a
  common prefix

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-24 10:57:23 +01:00
Ercan Ozturk
a46f75cbad Fix debug message by using the correct function name called
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-19 12:08:44 +01:00
Janos Follath
b5695d9997
Merge pull request #3101 from sbutcher-arm/change-used-pylint-2.16
Backport 2.16: Change the use of pylint to optionally use pylint3
2020-03-18 17:04:24 +00:00
Simon Butcher
47f728718f Change the use of pylint to optionally use pylint3
Pylint when installed as a distro package can be installed as pylint3, whilst as
a PEP egg, it can be installed as pylint.

This commit changes the scripts to first use pylint if installed, and optionally
look for pylint3 if not installed. This is to allow a preference for the PEP
version over the distro version, assuming the PEP one is more likely to be
the correct one.

Signed-off-by: Simon Butcher <simon.butcher@arm.com>
2020-03-16 13:53:06 +00:00
Manuel Pégourié-Gonnard
acfa36890c
Merge pull request #2439 from andresag01/mbedtls-2.16-iotssl-2544-deprecate-record-accel
Backport 2.16: Fix compilation failure when MBEDTLS_SSL_HW_RECORD_ACCEL is enabled
2020-03-16 10:37:24 +01:00
Jaeden Amero
302f57a8c2
Merge pull request #3090 from sbutcher-arm/output-env-pylint-mbedtls-2.16
Backport 2.16: Add Python, Perl and Pylint to output_env.sh
2020-03-10 17:28:34 +04:00
Simon Butcher
bae7328b32 Fix output_env.sh for varying pylint3 output
`pylint3 --version` will output to stderr the status of the config file it's
using. This can be "No config file found" or "Using config file" or nothing.
This means the pylint version may or may not be on the first line.

Therefore this commit changes the filters on the pylint3 version output to first
strip out the config line, and then to select only the pylint line.

Signed-off-by: Simon Butcher <simon.butcher@arm.com>
2020-03-06 19:26:32 +00:00
Simon Butcher
85c4c865db Add Python, Perl and Pylint to output_env.sh
Add the versions of Python, Perl, and Pylint to the version dump provided by
the output_env.sh script.

Signed-off-by: Simon Butcher <simon.butcher@arm.com>
2020-03-06 19:26:09 +00:00
Manuel Pégourié-Gonnard
874a64ece9
Merge pull request #3083 from sbutcher-arm/output_env-enhancements-2.16
Backport 2.16: Enhance the `output_env.sh` script with GBD and Distro version
2020-03-05 10:04:12 +01:00
Simon Butcher
679d2de36b Make minor fixes to output_env.sh after review
A number of clean-up improvements following review.
 * removal of redundant `` quotes
 * removal of non-portable echo "\n", in favour of additional echo commands
 * change to use of uname to detemine if the platform is Linux or not
 * revised formatting of output
 * change to dpkg-query from dpkg to find installed libasan variants

Co-Authored-By: Gilles Peskine <gilles.peskine@arm.com>
Signed-off-by: Simon Butcher <simon.butcher@arm.com>
2020-03-04 11:31:05 +00:00
Simon Butcher
3104eec4cf Enhance the output_env.sh script
This commit adds additional information to the output_env.sh script of:
  * Linux distribution version (if available)
  * GDB version (if available)

It also makes some information clearer:
  * the type of OpenSSL/GNUTLS version (legacy/default/next)
  * and whether certain versions are not installed, or not configured

And it simplifies the error messages for absent tools.

Signed-off-by: Simon Butcher <simon.butcher@arm.com>
2020-03-04 11:30:49 +00:00
danh-arm
22348c78ee
Merge pull request #3063 from danh-arm/dh/drop-cla-2.16
[backport 2.16] Drop requirement for a CLA
2020-03-03 15:40:18 +00:00
Manuel Pégourié-Gonnard
d7c2737f40
Merge pull request #3060 from mpg/skip-close-notify-2.16
[backport 2.16] Fix possible close_notify/ClientHello confusion
2020-03-03 12:11:56 +01:00
Dan Handley
21e9a4c3b6 Add project description to README.md
Add simple project description to README.md.

Signed-off-by: Dan Handley <dan.handley@arm.com>
2020-03-02 13:56:42 +00:00
Dan Handley
0b54a46cda Minor formatting fixes to CONTRIBUTING.md
Fix inconsistent list formatting in CONTRIBUTING.md.

Signed-off-by: Dan Handley <dan.handley@arm.com>
2020-03-02 13:56:42 +00:00
Dan Handley
69feadc782 Drop requirement for a CLA
The Mbed TLS project no longer requires a CLA. Contributions from now on
must be made under both Apache-2.0 AND GPL-2.0-or-later licenses, to enable
LTS (Long Term Support) branches of the software to continue to be provided
under either Apache-2.0 OR GPL-2.0-or-later. Contributors must accept the
terms of the Developer Certificate of Origin (DCO) by adding a Signed-off-by:
line to each commit message.

The software on the development branch continues to be provided under
Apache-2.0.

Update README.md, CONTRIBUTING.md and pull_request_template.md to explain
the new licensing model. Add a copy of the DCO to the project.

Signed-off-by: Dan Handley <dan.handley@arm.com>
2020-03-02 13:56:32 +00:00
Andres Amaya Garcia
9f3bdb87e5 Add test for MBEDTLS_SSL_HW_RECORD_ACCEL in all.sh
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-02-26 10:14:28 +01:00
Andres Amaya Garcia
52dbda62a0 Fix compilation issue when DTLS and SSL_HW_RECORD_ACCEL are on
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-02-26 10:13:27 +01:00
Manuel Pégourié-Gonnard
498e632b08 Fix possible close_notify/ClientHello confusion
The ssl-opt.sh test cases using session resumption tend to fail occasionally
on the CI due to a race condition in how ssl_server2 and ssl_client2 handle
the reconnection cycle.

The server does the following in order:
- S1 send application data
- S2 send a close_notify alert
- S3 close the client socket
- S4 wait for a "new connection" (actually a new datagram)
- S5 start a handshake

The client does the following in order:
- C1 wait for and read application data from the server
- C2 send a close_notify alert
- C3 close the server socket
- C4 reset session data and re-open a server socket
- C5 start a handshake

If the client has been able to send the close_notify (C2) and if has been
delivered to the server before if closes the client socket (S3), when the
server reaches S4, the datagram that we start the new connection will be the
ClientHello and everything will be fine.

However if S3 wins the race and happens before the close_notify is delivered,
in S4 the close_notify is what will be seen as the first datagram in a new
connection, and then in S5 this will rightfully be rejected as not being a
valid ClientHello and the server will close the connection (and go wait for
another one). The client will then fail to read from the socket and exit
non-zero and the ssl-opt.sh harness will correctly report this as a failure.

In order to avoid this race condition in test using ssl_client2 and
ssl_server2, this commits introduces a new command-line option
skip_close_notify to ssl_client2 and uses it in all ssl-opt.sh tests that use
session resumption with DTLS and ssl_server2.

This works because ssl_server2 knows how many messages it expects in each
direction and in what order, and closes the connection after that rather than
relying on close_notify (which is also why there was a race in the first
place).

Tests that use another server (in practice there are two of them, using
OpenSSL as a server) wouldn't work with skip_close_notify, as the server won't
close the connection until the client sends a close_notify, but for the same
reason they don't need it (there is no race between receiving close_notify and
closing as the former is the cause of the later).

An alternative approach would be to make ssl_server2 keep the connection open
until it receives a close_notify. Unfortunately it creates problems for tests
where we simulate a lossy network, as the close_notify could be lost (and the
client can't retransmit it). We could modify udp_proxy with an option to never
drop alert messages, but when TLS 1.3 comes that would no longer work as the
type of messages will be encrypted.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-02-26 09:33:05 +01:00
Janos Follath
0fce215851
Merge pull request #3053 from yanesca/bump-version-2.16.5
Bump version 2.16.5
2020-02-19 17:14:10 +00:00
Janos Follath
04039a5893 Add release info to ChangeLog 2020-02-19 12:12:38 +00:00
Janos Follath
334cf59930 Bump version to Mbed TLS 2.16.5 2020-02-19 12:03:00 +00:00
Gilles Peskine
0b59b6d82d
Merge pull request #3048 from mpg/fix-rsa-complete-2.16
[backport 2.16] Fix pk_parse_key()'s use of rsa_complete()
2020-02-19 10:23:11 +01:00
Manuel Pégourié-Gonnard
6444d1557d Add ChangeLog entries for pk_parse_key() fixes 2020-02-19 09:31:38 +01:00
Manuel Pégourié-Gonnard
d09fcdedb9 Fix pkparse bug wrt MBEDTLS_RSA_ALT
Some code paths want to access members of the mbedtls_rsa_context structure.
We can only do that when using our own implementation, as otherwise we don't
know anything about that structure.
2020-02-18 10:49:06 +01:00
Manuel Pégourié-Gonnard
96ed13e21b Test each failure mode of pk_parse_key_pkcs1_der()
(Only the top-level ones, ie, for each call to eg asn1_get_mpi(), ensure
there's at least one test case that makes this call fail in one way, but don't
test the various ways to make asn1_get_mpi fail - that should be covered
elsewhere.)

- the new checks added by the previous commits needed exercising
- existing tests sometimes had wrong descriptions or where passing for the
  wrong reason (eg with the "length mismatch" test, the function actually
failed before reaching the length check)
- while at it, add tests for the rest as well

The valid minimal-size key was generated with:

openssl genrsa 128 2>/dev/null | openssl rsa -outform der 2>/dev/null | xxd -p
2020-02-18 10:49:06 +01:00
Manuel Pégourié-Gonnard
12fb9c383d Clean up test function pk_parse_key
- remove incorrect compile-time dependency (the individual cases already have
  correct run-time dependency information)
- remove unused argument
- remove unused stack buffer
- remove useless code block
2020-02-18 10:49:06 +01:00
Manuel Pégourié-Gonnard
25bb8dc228 Check public part when parsing private RSA key 2020-02-18 10:49:06 +01:00
Manuel Pégourié-Gonnard
9ab0305700 Don't pass zero to rsa_complete() as a param
When parsing a PKCS#1 RSAPrivateKey structure, all parameters are always
present. After importing them, we need to call rsa_complete() for the sake of
alternative implementations. That function interprets zero as a signal for
"this parameter was not provided". As that's never the case, we mustn't pass
any zero value to that function, so we need to explicitly check for it.
2020-02-18 10:49:06 +01:00
Manuel Pégourié-Gonnard
a59988e197
Merge pull request #3029 from gilles-peskine-arm/test-opt-all-2.16
Backport 2.16: Fix and test the full config with gcc and clang
2020-02-11 09:17:09 +01:00
Manuel Pégourié-Gonnard
8d9b1c471c
Merge pull request #3027 from gilles-peskine-arm/mpi_copy_shrink-2.16
Backport 2.16: Improve robustness and testing of mbedtls_mpi_copy
2020-02-06 09:52:11 +01:00
Janos Follath
b458b1f552
Merge pull request #3034 from yanesca/revert_pr_3012
Revert "Merge pull request #3012 from Patater/dev/jp-bennett/developm…
2020-02-05 15:13:02 +00:00
Janos Follath
cabf0eed66 Revert "Merge pull request #3012 from Patater/dev/jp-bennett/development-2.16"
This reverts commit 7550e857bf, reversing
changes made to d0c2575324.

stat() will never return S_IFLNK as the file type, as stat()
explicitly follows symlinks.

Fixes #3005.
2020-02-04 14:42:15 +00:00
Janos Follath
82ebf511e9
Merge pull request #3019 from mpg/fix-ssl-opt-gnutls-no-sha1-2.16
[backport 2.16] Fix ssl-opt.sh for GnuTLS versions rejecting SHA-1
2020-02-04 11:18:30 +00:00
Gilles Peskine
0fe92c2f4f Test GCC and Clang with common build options
Goals:
* Build with common compilers with common options, so that we don't
  miss a (potentially useful) warning only triggered with certain
  build options.
* A previous commit removed -O0 test jobs, leaving only the one with
  -m32. We have inline assembly that is disabled with -O0, falling
  back to generic C code. This commit restores a test that runs the
  generic C code on a 64-bit platform.
2020-02-03 20:03:39 +01:00
Gilles Peskine
99d70d8cb1 Replace -O0 by -O1 or -Os in most components
Gcc skips some analyses when compiling with -O0, so we may miss
warnings about things like uninitialized variables.
2020-02-03 20:03:39 +01:00
Gilles Peskine
8ece8572b2 shrink tests: clearer description 2020-02-03 16:21:32 +01:00
Gilles Peskine
e0ced3a3d6 Move test functions from Lilliput to Blefuscu
We normally represent bignums in big-endian order and there is no
reason to deviate here.
2020-02-03 16:21:31 +01:00
Gilles Peskine
56427c2d2b Minor comment improvement 2020-02-03 16:21:31 +01:00
Gilles Peskine
27c15c7853 Improve comments in mpi_shrink 2020-02-03 16:21:31 +01:00
Gilles Peskine
3e9f5228c8 mpi_copy: make the 0 case slightly more robust
If Y was constructed through functions in this module, then Y->n == 0
iff Y->p == NULL. However we do not prevent filling mpi structures
manually, and zero may be represented with n=0 and p a valid pointer.
Most of the code can cope with such a representation, but for the
source of mbedtls_mpi_copy, this would cause an integer underflow.
Changing the test for zero from Y->p==NULL to Y->n==0 causes this case
to work at no extra cost.
2020-02-03 16:21:31 +01:00
Gilles Peskine
8fe3b79cdb Better coverage for copy and swap
Cover more cases: different signs, different zeronesses, repeated
argument.
2020-02-03 16:21:31 +01:00
Gilles Peskine
e6cca7c937 Bignum copy/shrink: More precise test case descriptions 2020-02-03 16:21:31 +01:00