Commit Graph

6992 Commits

Author SHA1 Message Date
Andres Amaya Garcia
e730ff68ee Improve docs for ASN.1 bitstrings and their usage 2019-02-11 21:10:55 +00:00
Andres Amaya Garcia
abb7622d08 Add tests for (named) bitstring to suite_asn1write 2019-02-11 21:10:55 +00:00
Andres Amaya Garcia
04ee5e0bbd Fix ASN1 bitstring writing
Refactor the function mbedtls_asn1_write_bitstring() that removes
trailing 0s at the end of DER encoded bitstrings. The function is
implemented according to Hanno Becker's suggestions.

This commit also changes the functions x509write_crt_set_ns_cert_type
and crt_set_key_usage to call the new function as the use named
bitstrings instead of the regular bitstrings.
2019-02-11 21:10:48 +00:00
k-stachowiak
0fd3021204 Update change log 2019-02-11 09:41:23 +01:00
Peter Kolbus
16015ddd59 all.sh: Test MBEDTLS_MPI_WINDOW_SIZE=1
There were no tests for a non-default MPI window size. Add one.

Change-Id: Ic08fbc9161d0b3ee67eb3c91f9baf602646c9dfe
2019-02-05 16:42:45 +01:00
Peter Kolbus
f5d153daf0 Fix DEADCODE in mbedtls_mpi_exp_mod()
In mbedtls_mpi_exp_mod(), the limit check on wsize is never true when
MBEDTLS_MPI_WINDOW_SIZE is at least 6. Wrap in a preprocessor guard
to remove the dead code and resolve a Coverity finding from the
DEADCODE checker.

Change-Id: Ice7739031a9e8249283a04de11150565b613ae89
2019-02-05 16:42:27 +01:00
k-stachowiak
4d2982091b Correct code formatting in the timing test suites 2019-02-05 10:03:31 +01:00
k-stachowiak
16373da579 Apply imperiative style in the changelog entry 2019-02-05 10:03:20 +01:00
Christian Walther
5d662dc018 Add ChangeLog entry 2019-01-31 19:21:24 +02:00
Christian Walther
42aa453de8 Fix private DER output shifted by one byte. 2019-01-31 19:20:37 +02:00
Jens Wiklander
4073b794c5 Add ChangeLog entry
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-01-31 19:11:08 +02:00
Jens Wiklander
b2aa938ed6 fix memory leak in mpi_miller_rabin()
Fixes memory leak in mpi_miller_rabin() that occurs when the function has
failed to obtain a usable random 'A' 30 turns in a row.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-01-31 19:10:01 +02:00
Jaeden Amero
bdc807dbe8 Merge remote-tracking branch 'origin/pr/2343' into mbedtls-2.7 2019-01-30 15:45:15 +00:00
Jaeden Amero
9033e541a6 Merge remote-tracking branch 'origin/pr/2234' into mbedtls-2.7 2019-01-30 15:29:00 +00:00
Jaeden Amero
d3841737e9 Merge remote-tracking branch 'origin/pr/2356' into mbedtls-2.7 2019-01-30 14:55:35 +00:00
Jaeden Amero
18fe25614a Merge remote-tracking branch 'origin/pr/2359' into mbedtls-2.7 2019-01-30 14:47:22 +00:00
Hanno Becker
a34cc6b1c6 Correct length check for DTLS records from old epochs.
DTLS records from previous epochs were incorrectly checked against the
current epoch transform's minimal content length, leading to the
rejection of entire datagrams. This commit fixed that and adapts two
test cases accordingly.

Internal reference: IOTSSL-1417
2019-01-30 15:07:09 +01:00
k-stachowiak
523d2d23b8 Improve wording in the ChangeLog 2019-01-29 12:55:28 +01:00
k-stachowiak
9368113607 Reduce the timing tests complexity 2019-01-29 12:54:10 +01:00
Simon Butcher
d09324ac58 Merge remote-tracking branch 'public/pr/2264' into mbedtls-2.7 2019-01-23 10:58:08 +01:00
Simon Butcher
32331305dd Merge remote-tracking branch 'public/pr/1797' into mbedtls-2.7 2019-01-23 10:56:40 +01:00
Simon Butcher
12b60bc702 Merge remote-tracking branch 'public/pr/2341' into mbedtls-2.7 2019-01-23 09:53:29 +01:00
Simon Butcher
c5b6c2f877 Merge remote-tracking branch 'public/pr/2296' into mbedtls-2.7 2019-01-23 09:51:48 +01:00
Janos Follath
4bf65fb71f Add clarifying comment about the backport 2019-01-21 10:56:23 +00:00
Janos Follath
a62744d487 Add ChangeLog entries for new functions 2019-01-21 10:47:38 +00:00
Janos Follath
660f4f8c5b Add ChangeLog entry 2019-01-16 17:25:13 +00:00
Janos Follath
7b774483bf Correct deterministic ECDSA behavior
We were still reusing the internal HMAC-DRBG of the deterministic ECDSA
for blinding. This meant that with cryptographically low likelyhood the
result was not the same signature as the one the deterministic ECDSA
algorithm has to produce (however it is still a valid ECDSA signature).

To correct this we seed a second HMAC-DRBG with the same seed to restore
correct behavior. We also apply a label to avoid reusing the bits of the
ephemeral key for a different purpose and reduce the chance that they
leak.

This workaround can't be implemented in the restartable case without
penalising the case where external RNG is available or completely
defeating the purpose of the restartable feature, therefore in this case
the small chance of incorrect behavior remains.
2019-01-16 17:25:13 +00:00
Janos Follath
ba66faf167 Add warning for alternative ECDSA implementations
Alternative implementations are often hardware accelerators and might
not need an RNG for blinding. But if they do, then we make them misuse
the RNG in the deterministic case.

There are several way around this:
- Exposing a lower level function for replacement. This would be the
optimal solution, but litters the API and is not backward compatible.
- Introducing a new compile time option for replacing the deterministic
function. This would mostly cover the same code as
MBEDTLS_ECDSA_DETERMINISTIC and would be yet another compile time flag.
- Reusing the existing MBEDTLS_ECDSA_DETERMINISTIC macro. This changes
the algorithm used by the PK layer from deterministic to randomised if
the alternative implementation is present.

This commit implements the third option. This is a temporary solution
and should be fixed at the next device driver API change.
2019-01-16 16:01:56 +00:00
Janos Follath
e552a826fd Test the new deterministic ECDSA function 2019-01-16 16:01:34 +00:00
Janos Follath
2934c32da2 Add a safer deterministic ECDSA function
`mbedtls_ecdsa_sign_det` reuses the internal HMAC-DRBG instance to
implement blinding. The advantage of this is that the algorithm is
deterministic too, not just the resulting signature. The drawback is
that the blinding is always the same for the same key and message.
This diminishes the efficiency of blinding and leaks information about
the private key.

A function that takes external randomness fixes this weakness.
2019-01-16 16:00:27 +00:00
Manuel Pégourié-Gonnard
c80555d835 Add public function generating private keys
We need to separate the uses of the RNG for blinding and for key
generation for the sake of an upcoming security fix in deterministic
ECDSA.
2019-01-16 15:47:26 +00:00
Jeffrey Martin
f7fe144082
update ChangLog credit
Signed-off-by: Jeffrey Martin <Jeffrey_Martin@rapid7.com>
2019-01-16 09:26:15 -06:00
Jeffrey Martin
55ab90d40e
update ChangLog per comments
Signed-off-by: Jeffrey Martin <Jeffrey_Martin@rapid7.com>
2019-01-15 09:02:14 -06:00
Jeffrey Martin
44fbf91f01
Backport #1949 into mbedtls-2.7
Signed-off-by: Jeffrey Martin <Jeffrey_Martin@rapid7.com>
2019-01-14 18:13:06 -06:00
Hanno Becker
6950ebb31f Document psk_list parameter of ssl_server2 example program 2019-01-14 09:27:04 +00:00
Gilles Peskine
9f55364ec7 Rename test_memcheck to test_valgrind
Valgrind is what it does. `memcheck` is how it's implemented.
2019-01-10 18:29:37 +01:00
Gilles Peskine
ff7238f4ad Support wildcard patterns with a positive list of components to run
Wildcard patterns now work with command line COMPONENT arguments
without --except as well as with. You can now run e.g.
`all.sh "check_*` to run all the sanity checks.
2019-01-10 18:29:37 +01:00
Gilles Peskine
30bc385124 Add missing protection on __aeabi_uldiv check under --keep-going
Partial backport of 2adb375c50
"Add option to avoid 64-bit multiplication"
2019-01-10 18:29:37 +01:00
Gilles Peskine
c780095901 Delete $OUT_OF_SOURCE_DIR under --force even without Yotta
The deletion of "$OUT_OF_SOURCE_DIR" had mistakenly been lumped
together with Yotta.
2019-01-10 18:29:37 +01:00
Gilles Peskine
c9663b1685 Fix sometimes-spurious warning about changed config.h
After backing up and restoring config.h, `git diff-files` may report
it as potentially-changed because it isn't sure whether the index is
up to date. To avoid this, make sure that the git index is up-to-date.

This fixes the warning about changed config.h that you might get when
you run all.sh twice in succession, yet if you run `git status` or
`git diff` everything seems up to date and you no longer get the
warning because these git commands update the index.

https://stackoverflow.com/questions/36367190/git-diff-files-output-changes-after-git-status
2019-01-10 18:29:37 +01:00
Gilles Peskine
2906a0ae8a all.sh: Update the maintainer documentation 2019-01-10 18:29:33 +01:00
Gilles Peskine
541fb1e33b all.sh: only check tools that are going to be used
Don't require openssl, mingw, etc. if we aren't going to run a
component that uses them.
2019-01-10 18:28:17 +01:00
Gilles Peskine
53084872ab all.sh: only look for armcc if it is used
Only look for armcc if component_build_armcc or component_build_yotta
is to be executed, instead of requiring the option --no-armcc.

You can still pass --no-armcc, but it's no longer required when
listing components to run. With no list of components or an exclude
list on the command line, --no-armcc is equivalent to having
build_armcc in the exclude list.

Omit the yotta pre-checks if the build_yotta component is not going to
be executed. This makes --no-yotta equivalent to specifying a list of
components to run that doesn't include build_yotta.
2019-01-10 18:28:17 +01:00
Gilles Peskine
b3241cbea7 Add command line options to list available components 2019-01-10 18:28:17 +01:00
Gilles Peskine
eb39b9b729 Minor cleanups to component name gathering
Bring the code in line with the version in Mbed TLS 2.16+.
2019-01-10 18:28:17 +01:00
Gilles Peskine
3fbdd21ca5 Add conditional component inclusion facility
Add a conditional execution facility: if a function support_xxx exists
and returns false then component_xxx is not executed (except when the
command line lists an explicit set of components to execute).

Use this facility for the 64-bit-specific or amd64-specific components.
2019-01-10 18:28:17 +01:00
Gilles Peskine
7120f77889 all.sh: fix MAKEFLAGS setting
MAKEFLAGS was set to -j if it was already set, instead of being set if
not previously set as intended. So now all.sh will do parallel builds
if invoked without MAKEFLAGS in the environment.
2019-01-10 18:28:17 +01:00
Gilles Peskine
770ad7e2c9 all.sh: don't insist on Linux; always run Valgrind
Don't bail out of all.sh if the OS isn't Linux. We only expect
everything to pass on a recent Linux x86_64, but it's useful to call
all.sh to run some components on any platform.

In all.sh, always run both MemorySanitizer and Valgrind. Valgrind is
slower than ASan and MSan but finds some things that they don't.

Run MSan unconditionally, not just on Linux/x86_64. MSan is supported
on some other OSes and CPUs these days.

Use `all.sh --except test_memsan` if you want to omit MSan because it
isn't supported on your platform. Use `all.sh --except test_memcheck`
if you want to omit Valgrind because it's too slow.

Portability: ecognize amd64 (FreeBSD arch string) as well as x86_64
(Linux arch string) for `uname -m`. The `make` utility must still
be GNU make.
2019-01-10 18:28:17 +01:00
Gilles Peskine
4e7b323fd8 Use CMAKE_BUILD_TYPE to do Asan builds
Use `cmake -D CMAKE_BUILD_TYPE=Asan` rather than manually setting
`-fsanitize=address`. This lets cmake determine the necessary compiler
and linker flags.

With UNSAFE_BUILD on, force -Wno-error. This is necessary to build
with MBEDTLS_TEST_NULL_ENTROPY.
2019-01-10 18:28:17 +01:00
Gilles Peskine
72adb432bc Back up and restore config.h systematically
In all.sh, always save config.h before running a component, instead of
doing it manually in each component that requires it (except when we
forget, which has happened). This would break a script that requires
config.h.bak not to exist, but we don't have any of those.
2019-01-10 18:28:17 +01:00