Commit Graph

2959 Commits

Author SHA1 Message Date
Andrzej Kurek
bbd1c38ad6 Add NIST CAVP FIPS 186-4 test vectors for tinycrypt ecdsa
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-12-02 11:44:54 -05:00
Andrzej Kurek
0e6c01796d Add NIST CAVP SP 800-56A tests for tinycrypt ecdh
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-12-01 07:29:50 -05:00
Andrzej Kurek
f384495972
Sideport the variable IO buffer size feature to baremetal
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-10-17 00:55:17 +02:00
Andrzej Kurek
d66d13eaa9
Add a no-strict build to armcc baremetal tests in all.sh
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-10-15 09:54:49 +02:00
Andrzej Kurek
a793237998
Calculate hashes of ssl encryption and decryption keys
Optimize the key switching mechanism to set the key only if 
a different operation is performed with the context.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-09-19 08:04:05 +02:00
Andrzej Kurek
1175044156
Merge enc/dec cipher contexts in ssl transforms
Store the raw encryption and decryption keys in transforms
to set them before each cipher operation. Add a config option
for this - MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-09-17 23:51:58 +02:00
Andrzej Kurek
9539f831b2
Swap out CRC calculation in AES in favour of a simple hash
XOR the key bytes upon setting and re-check hash during each use.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-08-10 20:46:48 -04:00
Andrzej Kurek
c87e91ce2b
Merge pull request #3553 from AndrzejKurek/crc-calculation-base
Validate AES keys after each use checking CRC
2020-08-13 12:42:54 +02:00
Andrzej Kurek
fba5921186
aes: validate keys using crc before encryption/decryption
CRC is calculated when the key is set. This commit also adds new tests
for ecb encryption and decryption, simulating a fault injection after the key is set.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-08-08 19:06:44 -04:00
Andrzej Kurek
9df2b416b9
Add a CRC module to mbedtls and baremetal config
Add a new CRC module along with some tests for it.
The table and the CRC function body is generated using pycrc v0.9.2. 
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-08-08 02:10:52 -04:00
Andrzej Kurek
4353b698ed
hmac_drbg: make no reseeding behaviour explicit
Add a flag to the hmac_drbg context that will signal that reseeding is not required.
Change tests and one ecdsa call to not use reseeding, as was the previous case.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-07-19 09:00:18 -04:00
Andrzej Kurek
6bc37fa4e2
hmac_drbg: set_entropy_len can now return an error
Make mbedtls_hmac_drbg_set_entropy_len return an error
in case of a too long entropy length setting.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-07-18 06:05:03 -04:00
Andrzej Kurek
8ac4a55402
test_suite_x509parse: shorten test names
Change "Certificate" to "CRT" to shorten the test name and blend in
between surrounding tests.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-05-25 10:21:14 -04:00
Andrzej Kurek
e861e704c0
Rename md_info_t to md_handle_t in test_suite_entropy
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-05-21 10:13:11 -04:00
Manuel Pégourié-Gonnard
731d7c0dcc
Fix lack of cookie check on hard reconnect
Section 4.2.8 of RFC 6347 describes how to handle the case of a DTLS client
establishing a new connection using the same UDP quartet as an already active
connection, which we implement under the compile option
MBEDTLS_SSL_DLTS_CLIENT_PORT_REUSE. Relevant excerpts:

    [the server] MUST NOT destroy the existing
    association until the client has demonstrated reachability either by
    completing a cookie exchange or by completing a complete handshake
    including delivering a verifiable Finished message.
    [...]
    The reachability requirement prevents
    off-path/blind attackers from destroying associations merely by
    sending forged ClientHellos.

Our code chooses to use a cookie exchange for establishing reachability, but
unfortunately that check was effectively removed in a recent refactoring,
which changed what value ssl_handle_possible_reconnect() needs to return in
order for ssl_get_next_record() (introduced in that refactoring) to take the
proper action. Unfortunately, in addition to changing the value, the
refactoring also changed a return statement to an assignment to the ret
variable, causing the function to reach the code for a valid cookie, which
immediately destroys the existing association, effectively bypassing the
cookie verification.

This commit fixes that by immediately returning after sending a
HelloVerifyRequest when a ClientHello without a valid cookie is found. It also
updates the description of the function to reflect the new return value
convention (the refactoring updated the code but not the documentation).

The commit that changed the return value convention (and introduced the bug)
is 2fddd3765e, whose commit message explains the
change.

Note: this bug also indirectly caused the ssl-opt.sh test case "DTLS client
reconnect from same port: reconnect" to occasionally fail due to a race
condition between the reception of the ClientHello carrying a valid cookie and
the closure of the connection by the server after noticing the ClientHello
didn't carry a valid cookie after it incorrectly destroyed the previous
connection, that could cause that ClientHello to be invisible to the server
(if that message reaches the server just before it does `net_close()`). A
welcome side effect of this commit is to remove that race condition, as the
new connection will immediately start with a ClientHello carrying a valid
cookie in the SSL input buffer, so the server will not call `net_close()` and
not risk discarding a better ClientHello that arrived in the meantime.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-05-21 10:12:25 -04:00
Andrzej Kurek
825ebd483f
Merge mbedtls 2.16.6 into baremetal
Conflicts:
mbedtls.doxyfile - PROJECT_NAME - mbed TLS v2.16.6 chosen.
doc_mainpage.h - mbed TLS v2.16.6 version chosen.
hmac_drbg.h - line 260, extended description chosen.
            - line 313, extended description chosen.
            - line 338, extended description chosen.
version.h - 2.16.6 chosen.
CMakeLists.txt - 2.16.6 chosen.
test_suite_version.data - 2.16.6 chosen.
Makefile - 141 - manual correction - baremetal version of C_SOURCE_FILES
                 with variables for directories plus 2.16.6 CTAGS addition.
pkparse.c - lines 846 onwards - the asn1_get_nonzero_mpi implementation chosen.
ssl_tls.c - line 5269 - edited manually, left the ret=0, because baremetal has
            a different behaviour since commit 87b5626, but added a debug
            message that's new in 2.16.6.    
all.sh:
- component_build_deprecated - chosen the refactored version from 2.16.6,
                               but with extra flags from baremetal.
- rest of the _no_xxx tests - merged make options to have PTHREAD=1 and
                              other changes from 2.16.6 (like -O1 instead of -O0).
- component_build_arm_none_eabi_gcc_no_64bit_multiplication - added 
                              TINYCRYPT_BUILD=0 to the 2.16.6 version of make.

x509/req_app.c - left baremetal log but with mbedtls_exit( 0 ) call.
x509/crl_app.c - left baremetal log but with mbedtls_exit( 0 ) call.
x509/cert_app.c - left baremetal log but with mbedtls_exit( 0 ) call.
ssl/ssl_mail_client.c - left baremetal log but with mbedtls_exit( 0 ) call.
ssl/ssl_pthread_server.c - left baremetal log but with mbedtls_exit( 0 ) call.
ssl/ssl_fork_server.c - left baremetal log but with mbedtls_exit( 0 ) call.
ssl_client1.c - line 54 - left baremetal log but with mbedtls_exit( 0 ) call.
ssl_client2.c - line 54 - left baremetal log but with mbedtls_exit( 0 ) call.
              - line 132 - new options of both branches added.
              - skip close notify handled as in 2.16.6, but with `ssl` instead of `&ssl`.
              - Merged the 2.16.6 usage split with additional baremetal usages.
              - Merged options from baremetal and 2.16.6.
ssl_server.c - left baremetal log but with mbedtls_exit( 0 ) call.
ssl_server2.c - Merged the 2.16.6 usage split with additional baremetal usages.
config.pl - fixed missing defines from the documentation, removed duplicates,
            and reorganised so that the documentation and excluded list
            are ordered in the same way.
test_suite_x509parse.data - only added the two new pathlen tests.
x509_crt.c - change the return code by removing
             MBEDTLS_ERR_X509_INVALID_EXTENSIONS, since it's added by
             x509_crt_frame_parse_ext not by an "or", but by "+=".
Changelog - Assigned all entries to appropriate sections.
ssl-opt.sh - line 8263 - merged options.
           - removed lines 1165 - 1176 - there was a duplicate test, probably
             an artifact of previous merges.
check-files.py - sticked to old formatting.

Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-05-18 11:47:25 -04:00
Gilles Peskine
a4c1c4b55d Test GCC and Clang with common build options
Goals:
* Build with common compilers with common options, so that we don't
  miss a (potentially useful) warning only triggered with certain
  build options.
* A previous commit removed -O0 test jobs, leaving only the one with
  -m32. We have inline assembly that is disabled with -O0, falling
  back to generic C code. This commit restores a test that runs the
  generic C code on a 64-bit platform.
2020-03-13 17:06:18 +00:00
Gilles Peskine
06c1e23960 Replace -O0 by -O1 or -Os in most components
Gcc skips some analyses when compiling with -O0, so we may miss
warnings about things like uninitialized variables.
2020-03-13 17:06:18 +00:00
Gilles Peskine
f5faa25cf4 shrink tests: clearer description 2020-03-13 16:23:45 +00:00
Gilles Peskine
7313e2caff Move test functions from Lilliput to Blefuscu
We normally represent bignums in big-endian order and there is no
reason to deviate here.
2020-03-13 16:23:45 +00:00
Gilles Peskine
edb621b84a Better coverage for copy and swap
Cover more cases: different signs, different zeronesses, repeated
argument.
2020-03-13 16:23:45 +00:00
Gilles Peskine
16fca92e3d Bignum copy/shrink: More precise test case descriptions 2020-03-13 16:23:45 +00:00
Manuel Pégourié-Gonnard
d817f54077 De-duplicate SHA1-independent test in ssl-opt.sh
The splitting of this test into two versions depending on whether SHA-1 was
allowed by the server was a mistake in
5d2511c4d4 - the test has nothing to do with
SHA-1 in the first place, as the server doesn't request a certificate from
the client so it doesn't matter if the server accepts SHA-1 or not.
2020-03-13 16:21:44 +00:00
Manuel Pégourié-Gonnard
7006ca10d9 Fix ssl-opt.sh for GnuTLS versions rejecting SHA-1
While the whole script makes (often implicit) assumptions about the version of
GnuTLS used, generally speaking it should work out of the box with the version
packaged on our reference testing platform, which is Ubuntu 16.04 so far.

With the update from Jan 8 2020 (3.4.10-4ubuntu1.6), the patches for rejecting
SHA-1 in certificate signatures were backported, so we should avoid presenting
SHA-1 signed certificates to a GnuTLS peer in ssl-opt.sh.
2020-03-13 16:21:44 +00:00
Gilles Peskine
0f14c15842 Add missing return code check on calls to mbedtls_md() 2020-03-13 15:37:54 +00:00
Gilles Peskine
a48fe01f15 Check that mbedtls_mpi_grow succeeds 2020-03-13 15:37:54 +00:00
Janos Follath
e7b49d3cd1 Bump version to Mbed TLS 2.16.4 2020-03-13 15:36:05 +00:00
Manuel Pégourié-Gonnard
10a7f626d9 Add test for record compression in ssl-opt.sh
Deprecated but still needs to be tested.
2020-03-13 15:36:05 +00:00
Gilles Peskine
bcdd8bcfcf Enable more test cases without MBEDTLS_MEMORY_DEBUG
None of the test cases in tests_suite_memory_buffer_alloc actually
need MBEDTLS_MEMORY_DEBUG. Some have additional checks when
MBEDTLS_MEMORY_DEBUG but all are useful even without it. So enable
them all and #ifdef out the parts that require DEBUG.
2020-03-13 15:27:12 +00:00
Gilles Peskine
6a1ec6abea More accurate test case description 2020-03-13 15:27:12 +00:00
Gilles Peskine
8064dbb646 Clarify that the "FATAL" message is expected
The test case "Memory buffer small buffer" emits a message
"FATAL: verification of first header failed". In this test case, it's
actually expected, but it looks weird to see this message from a
passing test. Add a comment that states this explicitly, and modify
the test description to indicate that the failure is expected, and
change the test function name to be more accurate.

Fix #309
2020-03-13 15:27:12 +00:00
Janos Follath
47b56a159e mpi_lt_mpi_ct: Add further tests
The existing tests did not catch a failure that came up at integration
testing. Adding the missing test cases to trigger the bug.
2020-03-13 15:25:40 +00:00
Janos Follath
006b207de6 mpi_lt_mpi_ct: Fix test numbering 2020-03-13 15:25:40 +00:00
Janos Follath
d2aa4aa454 mpi_lt_mpi_ct perform tests for both limb size
The corner case tests were designed for 32 and 64 bit limbs
independently and performed only on the target platform. On the other
platform they are not corner cases anymore, but we can still exercise
them.
2020-03-13 15:25:40 +00:00
Janos Follath
44e40c0792 mbedtls_mpi_lt_mpi_ct: add tests for 32 bit limbs
The corner case tests were designed for 64 bit limbs and failed on 32
bit platforms because the numbers in the test ended up being stored in a
different number of limbs and the function (correctly) returnd an error
upon receiving them.
2020-03-13 15:25:40 +00:00
Janos Follath
eb8fcf8181 Add more tests for mbedtls_mpi_lt_mpi_ct 2020-03-13 15:25:40 +00:00
Janos Follath
3be2fa44e1 mpi_lt_mpi_ct test: hardcode base 16 2020-03-13 15:25:40 +00:00
Janos Follath
8faf1d627b Change mbedtls_mpi_cmp_mpi_ct to check less than
The signature of mbedtls_mpi_cmp_mpi_ct() meant to support using it in
place of mbedtls_mpi_cmp_mpi(). This meant full comparison functionality
and a signed result.

To make the function more universal and friendly to constant time
coding, we change the result type to unsigned. Theoretically, we could
encode the comparison result in an unsigned value, but it would be less
intuitive.

Therefore we won't be able to represent the result as unsigned anymore
and the functionality will be constrained to checking if the first
operand is less than the second. This is sufficient to support the
current use case and to check any relationship between MPIs.

The only drawback is that we need to call the function twice when
checking for equality, but this can be optimised later if an when it is
needed.
2020-03-13 15:25:40 +00:00
Janos Follath
7ce3a25316 Add tests to constant time mpi comparison 2020-03-13 15:25:39 +00:00
Gilles Peskine
20dbfb9938 CTR_DRBG: support set_entropy_len() before seed()
mbedtls_ctr_drbg_seed() always set the entropy length to the default,
so a call to mbedtls_ctr_drbg_set_entropy_len() before seed() had no
effect. Change this to the more intuitive behavior that
set_entropy_len() sets the entropy length and seed() respects that and
only uses the default entropy length if there was no call to
set_entropy_len().

The former test-only function mbedtls_ctr_drbg_seed_entropy_len() is
no longer used, but keep it for strict ABI compatibility.
2020-03-13 15:25:39 +00:00
Gilles Peskine
6e2cb64a97 'make test' must fail if Asan fails
When running 'make test' with GNU make, if a test suite program
displays "PASSED", this was automatically counted as a pass. This
would in particular count as passing:
* A test suite with the substring "PASSED" in a test description.
* A test suite where all the test cases succeeded, but the final
  cleanup failed, in particular if a sanitizer reported a memory leak.

Use the test executable's return status instead to determine whether
the test suite passed. It's always 0 on PASSED unless the executable's
cleanup code fails, and it's never 0 on any failure.

Fix ARMmbed/mbed-crypto#303
2020-03-13 15:24:20 +00:00
Gilles Peskine
6eec4ab323 Asan make builds: avoid sanitizer recovery
Some sanitizers default to displaying an error message and recovering.
This could result in a test being recorded as passing despite a
complaint from the sanitizer. Turn off sanitizer recovery to avoid
this risk.
2020-03-13 15:24:20 +00:00
Gilles Peskine
b3e54396fa Use UBsan in addition to Asan with 'make test'
When building with make with the address sanitizer enabled, also
enable the undefined behavior sanitizer.
2020-03-13 15:24:19 +00:00
Gilles Peskine
3ccb7f18e0 Unify ASan options in make builds
Use a common set of options when building with Asan without CMake.
2020-03-13 15:24:19 +00:00
Gilles Peskine
34693b5dd6 Add a test component with malloc(0) returning NULL
Exercise the library functions with calloc returning NULL for a size
of 0. Make this a separate job with UBSan (and ASan) to detect
places where we try to dereference the result of calloc(0) or to do
things like

    buf = calloc(size, 1);
    if (buf == NULL && size != 0) return INSUFFICIENT_MEMORY;
    memcpy(buf, source, size);

which has undefined behavior when buf is NULL at the memcpy call even
if size is 0.

This is needed because other test components jobs either use the system
malloc which returns non-NULL on Linux and FreeBSD, or the
memory_buffer_alloc malloc which returns NULL but does not give as
useful feedback with ASan (because the whole heap is a single C
object).
2020-03-13 12:03:12 +00:00
Manuel Pégourié-Gonnard
f0658b18dc Add detection for zlib headers to all.sh
Signed-off-by: Simon Butcher <simon.butcher@arm.com>
2020-03-09 17:39:04 +00:00
Manuel Pégourié-Gonnard
079864ef54 Add test for record compression in ssl-opt.sh
Deprecated but still needs to be tested.

Signed-off-by: Simon Butcher <simon.butcher@arm.com>
2020-03-09 17:39:04 +00:00
Manuel Pégourié-Gonnard
df59bfc9d6 Add all.sh components with ZLIB enabled
ZLIB support is deprecated, but until it's removed it should still be tested.

Signed-off-by: Simon Butcher <simon.butcher@arm.com>
2020-03-09 17:39:04 +00:00
Simon Butcher
282911eabf Merge remote-tracking branch 'public/pr/2978' into baremetal 2020-01-08 18:14:21 +00:00
Simon Butcher
4b3b8c208e Merge remote-tracking branch 'public/pr/2886' into baremetal 2020-01-08 17:53:43 +00:00