Commit graph

3843 commits

Author SHA1 Message Date
Gilles Peskine
24600e8290 Disable memory_buffer_alloc in the full config
Enabling MBEDTLS_MEMORY_BUFFER_ALLOC_C module together with
MBEDTLS_PLATFORM_MEMORY causes the library to use its own malloc
replacement. This makes memory management analyzers such as ASan
largely ineffective. We now test MBEDTLS_MEMORY_BUFFER_ALLOC_C
separately. Disable it in the "full" config.

This mirrors a change that was made in Mbed TLS on config.pl and had
not been ported to Mbed Crypto yet.

With this commit, config.py is aligned in Mbed Crypto and Mbed TLS.
2019-11-15 11:53:42 +01:00
Gilles Peskine
9afbfdc833 Merge remote-tracking branch 'myfork-public/development' into merge-crypto-development-20191115
First deal with deleted files.

* Files deleted by us: keep them deleted.
* Files deleted by them, whether modified by us or not: keep our version.

```
git rm $(git status -s | sed -n 's/^DU //p')
git reset -- $(git status -s | sed -n 's/^D  //p')
git checkout -- $(git status -s | sed -n 's/^ D //p')
git add -- $(git status -s | sed -n 's/^UD //p')
```

Individual files with conflicts:

* `3rdparty/everest/library/Hacl_Curve25519_joined.c`: spurious conflict because git mistakenly identified this file as a rename. Keep our version.
* `README.md`: conflict due to their change in a paragraph that doesn't exist in our version. Keep our version of this paragraph.
* `docs/architecture/Makefile`: near-identical additions. Adapt the definition of `all_markdown` and include the clean target.
* `doxygen/input/docs_mainpage.h`: conflict in the version number. Keep our version number.
* `include/mbedtls/config.h`: two delete/modify conflicts. Keep the removed chunks out.
* `library/CMakeLists.txt`: discard all their changes as they are not relevant.
* `library/Makefile`:
    * Discard the added chunk about the crypto submodule starting with `INCLUDING_FROM_MBEDTLS:=1`.
    * delete/modify: keep the removed chunk out.
    * library build: This is almost delete/modify. Their changes are mostly not applicable. Do keep the `libmbedcrypto.$(DLEXT): | libmbedcrypto.a` order dependency.
    * `.c.o`: `-o` was added on both sides but in a different place. Change to their place.
* `library/error.c`: to be regenerated.
* `library/version_features.c`: to be regenerated.
* `programs/Makefile`: Most of the changes are not relevant. The one relevant change is in the `clean` target for Windows; adapt it by removing `/S` from our version.
* `programs/test/query_config.c`: to be regenerated.
* `scripts/config.py`: added in parallel on both sides. Keep our version.
* `scripts/footprint.sh`: parallel changes. Keep our version.
* `scripts/generate_visualc_files.pl`: one delete/modify conflict. Keep the removed chunks out.
* `tests/Makefile`: discard all of their changes.
* `tests/scripts/all.sh`:
    * `pre_initialize_variables` add `append_outcome`: add it.
    * `pre_initialize_variables` add `ASAN_CFLAGS`: already there, keep our version.
    * `pre_parse_command_line` add `--no-append-outcome`: add it.
    * `pre_parse_command_line` add `--outcome-file`: add it.
    * `pre_print_configuration`: add `MBEDTLS_TEST_OUTCOME_FILE`.
    * Several changes in SSL-specific components: keep our version without them.
    * Several changes where `config.pl` was changed to `config.py` and there was an adjacent difference: keep our version.
    * Changes regarding the inclusion of `MBEDTLS_MEMORY_xxx`: ignore them here, they will be normalized in a subsequent commit.
    * `component_test_full_cmake_gcc_asan`: add it without the TLS tests.
    * `component_test_no_use_psa_crypto_full_cmake_asan`: keep the fixed `msg`, discard other changes.
    * `component_test_memory_buffer_allocator_backtrace`, `component_test_memory_buffer_allocator`: add them without the TLS tests.
    * `component_test_m32_everest`: added in parallel on both sides. Keep our version.
* `tests/scripts/check-names.sh`, `tests/scripts/list-enum-consts.pl`, `tests/scripts/list-identifiers.sh`, ``tests/scripts/list-macros.sh`: discard all of their changes.
* `tests/scripts/test-ref-configs.pl`: the change in the conflict is not relevant, so keep our version there.
* `visualc/VS2010/*.vcxproj`: to be regenerated.

Regenerate files:

```
scripts/generate_visualc_files.pl
git add visualc/VS2010/*.vcxproj
scripts/generate_errors.pl
git add library/error.c
scripts/generate_features.pl
git add library/version_features.c
scripts/generate_query_config.pl
git add programs/test/query_config.c
```

Rejected changes in non-conflicting files:

* `CMakeLists.txt`: discard their addition which has already been side-ported.
* `doxygen/mbedtls.doxyfile`: keep the version number change. Discard the changes related to `../crypto` paths.

Keep the following changes after examination:

* `.travis.yml`: all of their changes are relevant.
* `include/mbedtls/error.h`: do keep their changes. Even though Crypto doesn't use TLS errors, it must not encroach on TLS's allocated numbers.
* `tests/scripts/check-test-cases.py`: keep the code dealing with `ssl-opt.sh`. It works correctly when the file is not present.
2019-11-15 11:47:14 +01:00
Gilles Peskine
43259ce31e Remove unused test data file
Since "Remove component designed to test MAX_SIGNATURE_SIZE",
secp521r1_prv.der is no longer used.

ec_521_prv.pem can be used for the same purpose.
2019-11-14 19:14:40 +01:00
Gilles Peskine
adc82f3535 Add set+get tests
The tests were not covering get for a symbol with a value. No symbol
has an uncommented value in the default config.h. (Actually there's
_CRT_SECURE_NO_DEPRECATE, but that's a bit of a hack that this script
is not expected to handle, so don't use it).

Add tests of "get FOO" after "set FOO" and "set FOO value", so that we
have coverage for "get FOO" when "FOO" has a value.
2019-11-13 14:33:34 +00:00
Gilles Peskine
bc86f997ca Consolidate tests for set with/without values
We currently test setting a symbol with a value even if it didn't
originally had one and vice versa. So there's no need to have separate
lists of symbols to test with. Just test everything we want to test
with each symbol.
2019-11-13 14:33:34 +00:00
Gilles Peskine
61a90bd32d config.py testing: also test the get command 2019-11-13 14:33:34 +00:00
Gilles Peskine
261742bd59 Fix config.py output when a symbol has acquired or lost a value
Normally a valueless symbol remains valueless and a symbol with a
value keeps having one. But just in case a symbol does get changed
from valueless to having a value, make sure there's a space between
the symbol and the value. And if a symbol gets changed from having a
value to valueless, strip trailing whitespace.

Add corresponding tests.

Also fix the case of a valueless symbol added with the set method,
which would have resulted in attempting to use None as a string. This
only happened with the Python API, not with the command line API.
2019-11-13 14:33:34 +00:00
Gilles Peskine
7b887cd14d Remove redundant test case 2019-11-13 14:33:34 +00:00
Gilles Peskine
ea82042ff6 cmake: update interpreter requirement for the test suite generator
The test suite generator has been a Python script for a long time,
but tests/CMakeLists.txt still looked for Perl. The reference to
PYTHON_INTERP only worked due to a call to find_package(PythonInterp)
in the toplevel CMakeLists.txt, and cmake would not have printed the
expected error message if python was not available.
2019-11-13 14:33:34 +00:00
Gilles Peskine
aebf0027c0 Test script for config.py
Run config.py with various options and store the results in files.

This script also supports the now-removed config.pl.

This is a framework to run non-regression tests on config.py: run it
with the old version, run it with the new version, and compare the
output.

This is deliberately not a functional test suite so that we don't need
to maintain a set of known outputs. When something changes in
config.py (or config.h), run the script before, run it after, and
check manually whether any differences in the output are acceptable.
2019-11-13 14:33:34 +00:00
Gilles Peskine
3bdd412d09 Invoke config.py instead of config.pl
git grep -Fl /config.pl | xargs sed -i -e 's!/config\.pl!/config.py!g'

Also:
* Change one comment in include/mbedtls/check_config.h.
* Change PERL to PYTHON in CMakeLists.txt.
2019-11-13 14:33:33 +00:00
Gilles Peskine
2e86a206f7 Remove component designed to test MAX_SIGNATURE_SIZE
MBEDTLS_PK_SIGNATURE_MAX_SIZE is tested in Mbed Crypto. Its effect on
Mbed TLS is also tested via the X.509 tests. The case of
MBEDTLS_MPI_MAX_SIZE < MBEDTLS_ECDSA_MAX_LEN, for which this component
was added as a regression test, is covered by config-suite-b.h which
is tested via test-ref-configs.pl.
2019-11-13 15:32:11 +01:00
Gilles Peskine
f0d87001d0
Merge pull request #315 from gilles-peskine-arm/pk_signature_max_size
Define MBEDTLS_PK_SIGNATURE_MAX_SIZE
2019-11-13 12:13:57 +01:00
Gilles Peskine
cb0101ff33
Merge pull request #298 from gilles-peskine-arm/config-symmetric-only
Test a build without any asymmetric cryptography
2019-11-12 19:37:13 +01:00
Gilles Peskine
a719db8b04 Add pk_utils and pk_sign tests with different curves
This reveals that MBEDTLS_PK_SIGNATURE_MAX_SIZE is too small.
2019-11-12 13:21:53 +01:00
Gilles Peskine
e48fe55c24 test_suite_pk: pk_genkey: support a variable key size or curve
No intended behavior change.
2019-11-12 13:21:52 +01:00
Gilles Peskine
eba088a8ac test_suite_pk: check the signature size after pk_sign
Add a check that the signature size from pk_sign is less than the
documented maximum size.

Reduce the stack consumption in pk_sign_verify.
2019-11-12 11:10:54 +01:00
Gilles Peskine
f85e4e67bd test_suite_pk: fix use of sig_len without initialization
In pk_sign_verify, if mbedtls_pk_sign() failed, sig_len was passed to
mbedtls_pk_verify_restartable() without having been initialized. This
worked only because in the only test case that expects signature to
fail, the verify implementation doesn't look at sig_len before failing
for the expected reason.

The value of sig_len if sign() fails is undefined, so set sig_len to
something sensible.
2019-11-12 11:09:26 +01:00
Gilles Peskine
c212166171 pk_write test cases with short/long private key
Add pk_write test cases where the ASN.1 INTEGER encoding of the
private value would not have the mandatory size for the OCTET STRING
that contains the value.

ec_256_long_prv.pem is a random secp256r1 private key, selected so
that the private value is >= 2^255, i.e. the top bit of the first byte
is set (which would cause the INTEGER encoding to have an extra
leading 0 byte).

ec_521_short_prv.pem is a random secp521r1 private key, selected so
that the private value is < 2^519, i.e. the first byte is 0 and the
top bit of the second byte is 0 (which would cause the INTEGER
encoding to have one less 0 byte at the start).
2019-11-05 15:32:53 +01:00
Gilles Peskine
22589f0a72
Merge pull request #305 from gilles-peskine-arm/ctr_drbg-grab_nonce_from_entropy-set_nonce_length
CTR_DRBG: grab a nonce from the entropy source if needed
2019-11-04 10:39:42 +01:00
Gilles Peskine
08c674dfe3
Merge pull request #288 from gilles-peskine-arm/psa-ecdsa_longer_hash
Add ECDSA tests with hash and key of different lengths
2019-10-31 17:03:28 +01:00
Gilles Peskine
1a9bd94549 Disable MBEDTLS_MEMORY_BUFFER_ALLOC_C after config.pl full
Enabling memory_buffer_alloc is slow and makes ASan ineffective. We
have a patch pending to remove it from the full config. In the
meantime, disable it explicitly.
2019-10-31 16:11:34 +01:00
Gilles Peskine
ccde952df0
Merge pull request #259 from k-stachowiak/bounds-check-asn1-len
Check `len` against buffers size upper bound in PSA tests
2019-10-29 17:47:47 +01:00
Gilles Peskine
69971662bf CTR_DRBG: define a constant for the default entropy nonce length
The default entropy nonce length is either zero or nonzero depending
on the desired security strength and the entropy length.

The implementation calculates the actual entropy nonce length from the
actual entropy length, and therefore it doesn't need a constant that
indicates the default entropy nonce length. A portable application may
be interested in this constant, however. And our test code could
definitely use it.

Define a constant MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN and use it in
test code. Previously, test_suite_ctr_drbg had knowledge about the
default entropy nonce length built in and test_suite_psa_crypto_init
failed. Now both use MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN.

This change means that the test ctr_drbg_entropy_usage no longer
validates that the default entropy nonce length is sensible. So add a
new test that checks that the default entropy length and the default
entropy nonce length are sufficient to ensure the expected security
strength.
2019-10-23 19:47:05 +02:00
Gilles Peskine
e9a3454e09 CTR_DRBG: grab a nonce from the entropy source if needed
Change the default entropy nonce length to be nonzero in some cases.
Specifically, the default nonce length is now set in such a way that
the entropy input during the initial seeding always contains enough
entropy to achieve the maximum possible security strength per
NIST SP 800-90A given the key size and entropy length.

If MBEDTLS_CTR_DRBG_ENTROPY_LEN is kept to its default value,
mbedtls_ctr_drbg_seed() now grabs extra entropy for a nonce if
MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled and either
MBEDTLS_ENTROPY_FORCE_SHA256 is enabled or MBEDTLS_SHA512_C is
disabled. If MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled, or if
the entropy module uses SHA-512, then the default value of
MBEDTLS_CTR_DRBG_ENTROPY_LEN does not require a second call to the
entropy function to achieve the maximum security strength.

This choice of default nonce size guarantees NIST compliance with the
maximum security strength while keeping backward compatibility and
performance high: in configurations that do not require grabbing more
entropy, the code will not grab more entropy than before.
2019-10-23 19:46:57 +02:00
Gilles Peskine
0ed378aa02 CTR_DRBG: explicitly set entropy_nonce_len=0 when desired
No behavior change. Prepare for a future version that will set the
entropy nonce length to a nonzero value by default.
2019-10-23 19:46:56 +02:00
Gilles Peskine
c949de06ec Test mbedtls_ctr_drbg_set_nonce_len
Test mbedtls_ctr_drbg_set_nonce_len (good cases only, which is in
keeping with the coverage of other functions).
2019-10-23 19:46:56 +02:00
Gilles Peskine
4d2d4ff9b0 HMAC_DRBG entropy usage: test the exact amount of consumed entropy 2019-10-23 19:46:56 +02:00
Gilles Peskine
58b56ce444 CTR_DRBG entropy usage: test the exact amount of consumed entropy 2019-10-23 19:46:56 +02:00
Gilles Peskine
ce35cb3cc7 'make test' must fail if Asan fails
When running 'make test' with GNU make, if a test suite program
displays "PASSED", this was automatically counted as a pass. This
would in particular count as passing:
* A test suite with the substring "PASSED" in a test description.
* A test suite where all the test cases succeeded, but the final
  cleanup failed, in particular if a sanitizer reported a memory leak.

Use the test executable's return status instead to determine whether
the test suite passed. It's always 0 on PASSED unless the executable's
cleanup code fails, and it's never 0 on any failure.

Fix ARMmbed/mbed-crypto#303
2019-10-21 20:10:21 +02:00
Gilles Peskine
5ca393f7b8 Asan make builds: avoid sanitizer recovery
Some sanitizers default to displaying an error message and recovering.
This could result in a test being recorded as passing despite a
complaint from the sanitizer. Turn off sanitizer recovery to avoid
this risk.
2019-10-21 20:10:12 +02:00
Gilles Peskine
2558d30f93 Use UBsan in addition to Asan with 'make test'
When building with make with the address sanitizer enabled, also
enable the undefined behavior sanitizer.
2019-10-21 20:09:22 +02:00
Gilles Peskine
8fd5942229 Unify ASan options in make builds
Use a common set of options when building with Asan without CMake.
2019-10-21 20:09:13 +02:00
Gilles Peskine
54d1937433 Fix memory leak in some SE HAL tests 2019-10-21 19:18:22 +02:00
Gilles Peskine
8b5389f360 'make test' must fail if Asan fails
When running 'make test' with GNU make, if a test suite program
displays "PASSED", this was automatically counted as a pass. This
would in particular count as passing:
* A test suite with the substring "PASSED" in a test description.
* A test suite where all the test cases succeeded, but the final
  cleanup failed, in particular if a sanitizer reported a memory leak.

Use the test executable's return status instead to determine whether
the test suite passed. It's always 0 on PASSED unless the executable's
cleanup code fails, and it's never 0 on any failure.

Fix ARMmbed/mbed-crypto#303
2019-10-21 19:17:42 +02:00
Gilles Peskine
bfeed663d2 Asan make builds: avoid sanitizer recovery
Some sanitizers default to displaying an error message and recovering.
This could result in a test being recorded as passing despite a
complaint from the sanitizer. Turn off sanitizer recovery to avoid
this risk.
2019-10-21 19:08:01 +02:00
Gilles Peskine
004206c7f5 Unify ASan options in make builds
Use a common set of options when building with Asan without CMake.
2019-10-21 17:13:45 +02:00
Gilles Peskine
dd61a2e3b8 Use the intended configuration in component_test_se_full 2019-10-21 15:58:20 +02:00
Gilles Peskine
ccfc5eaa81 Fix memory leak in some SE HAL tests 2019-10-21 15:57:51 +02:00
Jaeden Amero
b1c7197166
Merge pull request #299 from gilles-peskine-arm/drbg-set_entropy_len
Allow xxx_drbg_set_entropy_len before xxx_drbg_seed
2019-10-18 15:39:03 +01:00
Jaeden Amero
719ae74253
Merge pull request #2884 from AndrzejKurek/iotssl-2886-fix-parallel-make-jobs-2
Fix parallel make jobs for shared target
2019-10-18 14:18:55 +01:00
Gilles Peskine
150d577780
Merge pull request #292 from gilles-peskine-arm/psa-destroy_0
Make psa_close_key(0) and psa_destroy_key(0) succeed
2019-10-14 11:21:54 +02:00
Gilles Peskine
581bfcfc96 Create seedfile in test-ref-configs.pl
config-symmetric-only.h enables MBEDTLS_ENTROPY_NV_SEED so it needs a
seedfile. Create it in test-ref-configs.pl so that the script works on
its own, even if it is not invoked by all.sh.
2019-10-11 18:21:08 +02:00
Gilles Peskine
b16841ee69 Fixed -Wunused warnings when building without asymmetric crypto 2019-10-11 18:21:08 +02:00
Gilles Peskine
fec306452b Add a reference configuration without any asymmetric cryptography
Add a reference configuration with most symmetric cryptographic
algorithms enabled, but without any asymmetric cryptography. This
checks that we don't have spurious unexpected dependencies on
asymmetric-only modules such as bignum.

Keep HAVE_ASM disabled because it's platform-specific.

Keep HAVEGE disabled because it's untested and not recommended.

Keep MEMORY_BUFFER_ALLOC out because it isn't related to cryptography
at all and it makes memory sanitizers ineffective.

Keep THREADING disabled because it requires special build options.
2019-10-11 18:21:08 +02:00
Gilles Peskine
50ed86b6b9 CTR_DRBG: support set_entropy_len() before seed()
mbedtls_ctr_drbg_seed() always set the entropy length to the default,
so a call to mbedtls_ctr_drbg_set_entropy_len() before seed() had no
effect. Change this to the more intuitive behavior that
set_entropy_len() sets the entropy length and seed() respects that and
only uses the default entropy length if there was no call to
set_entropy_len().

This removes the need for the test-only function
mbedtls_ctr_drbg_seed_entropy_len(). Just call
mbedtls_ctr_drbg_set_entropy_len() followed by
mbedtls_ctr_drbg_seed(), it works now.
2019-10-11 18:04:12 +02:00
Gilles Peskine
3cdb3da3a0
Merge pull request #297 from gilles-peskine-arm/asn1_get_int-undefined_shift
Fix int overflow in mbedtls_asn1_get_int
2019-10-11 17:31:16 +02:00
Gilles Peskine
b8cde4ec03 Consolidate invalid-handle tests
Consolidate the invalid-handle tests from test_suite_psa_crypto and
test_suite_psa_crypto_slot_management. Start with the code in
test_suite_psa_crypto_slot_management and adapt it to test one invalid
handle value per run of the test function.
2019-10-11 11:44:48 +02:00
Gilles Peskine
0370b1bd7d ASN1 tests: more INTEGER test cases
Test more INTEGER values, especially near the boundary of int (which
is at 2^31-1 on all our officially supported platforms).
2019-10-10 19:25:39 +02:00
Gilles Peskine
970dcbf453 ASN1 tests: Match negative INTEGERs with the actual library behavior
mbedtls_asn1_get_int() and mbedtls_asn1_get_mpi() behave differently
on negative INTEGERs (0200). Don't change the library behavior for now
because this might break interoperability in some applications. Change
the test function to the library behavior.

Fix the test data with negative INTEGERs. These test cases were
previously not run (they were introduced but deliberately deactivated
in 27d806fab4). The test data was
actually wrong: ASN.1 uses two's complement, which has no negative 0,
and some encodings were wrong. Now the tests have correct data, and
the test code rectifies the expected data to match the library
behavior.
2019-10-10 19:21:12 +02:00