Commit graph

11892 commits

Author SHA1 Message Date
Gilles Peskine
09c0a2364b mbedtls_asn1_store_named_data: clarify val allocation behavior
Document how mbedtls_asn1_store_named_data allocates val.p in the new
or modified entry.

Change the behavior to be more regular, always setting the new length
to val_len. This does not affect the previous documented behavior
since this aspect was not documented. This does not affect current
usage in Mbed TLS's X.509 module where calls with the same OID always
use the same size for the associated value.
2019-09-11 15:46:45 +02:00
Gilles Peskine
a902303587 Test mbedtls_asn1_store_named_data 2019-09-11 15:46:45 +02:00
Gilles Peskine
9311cf5093 asn1write: test NULL, OID and AlgorithmIdentifier 2019-09-11 15:46:45 +02:00
Gilles Peskine
91d8d023c2 Fix typo that prevented mbedtls_asn1_write_len tests from running 2019-09-11 15:46:45 +02:00
Gilles Peskine
3f37dca794 asn1write: Test short and large buffers more systematically
Use the test-many-sizes framework for string writes as
well (previously, it was only used for booleans and integers). This
way, more edge cases are tested with less test code.

This commit removes buffer overwrite checks. Instead of these checks,
run the test suite under a memory sanitizer (which we do in our CI).
2019-09-11 15:46:45 +02:00
Gilles Peskine
105031b1e1 asn1_write documentation: say that integers must be non-negative
The documentation never said it explicitly, but the ASN.1 library
doesn't support negative integers. Say it explicitly.

Also fix a copypasta error.
2019-09-11 15:46:45 +02:00
Gilles Peskine
1dbab67ce8 Improve mbedtls_asn1_write_int to support values >255
mbedtls_asn1_write_int had an undocumented restriction to values that
fit in a single octet. Fix this.

Negative integers are still not supported.
2019-09-11 15:46:45 +02:00
Gilles Peskine
3a032c36c1 Add test cases for BOOLEANs and INTEGERs
Omit negative integers and MPIs that would result in values that look
like negative INTEGERs, since the library doesn't respect the
specifications there, but fixing it has a serious risk of breaking
interoperability when ASN.1 is used in X.509 and other
cryptography-related applications.
2019-09-11 15:46:44 +02:00
Gilles Peskine
e40d1207eb mbedtls_asn1_get_bitstring_null: fix rejection of short inputs
Fix improper rejection of bitstrings with length less than 2.
2019-09-11 15:46:44 +02:00
Gilles Peskine
f7d6acd475 mbedtls_asn1_get_int: allow leading zeros properly
Allow any number of leading zeros, not just based on sizeof(int).
2019-09-11 15:46:44 +02:00
Gilles Peskine
27d806fab4 Add ASN.1 parsing tests
Add self-contained ASN.1 parsing tests, so that ASN.1 parsing is not
solely tested through X.509 and TLS.

The tests cover every function and almost complete line coverage in
asn1parse.c.

A few test cases containing negative and edge case INTEGER values are
deliberately deactivated because the historical library behavior is at
odds with official specifications, but changing the behavior might
break interoperability.

Other than that, these tests revealed a couple of minor bugs which
will be fixed in subsequent commits.
2019-09-11 15:46:44 +02:00
Gilles Peskine
bcbe1dfb23 Improve the documentation of ASN.1 parsing functions
Document preconditions on parameters, values changed through pointers,
and error codes.

This commit leaves some issues regarding integers (especially negative
integers) open, because we don't have a policy decision on how to
handle them yet.
2019-09-11 15:46:44 +02:00
Gilles Peskine
5605591cc1 Report step number when a test case fails
Allow test code to declare a "step number". Report the current step
number when a test fails.
2019-09-11 15:46:44 +02:00
Adrian L. Shaw
4c61c1a736 Move psa_destroy_key and psa_copy_key to Key Management section 2019-09-11 14:40:51 +01:00
Jaeden Amero
cc5aeee278
Merge pull request #248 from RonEld/stack_overflow_in_hmac_fix
Fix a buffer overflow in hmac_setup_internal
2019-09-11 13:55:18 +01:00
Ron Eldor
5a0f45b61b Modify tests
1. Rephrase test description and move it to the section where
all other same tests are located.
2. Add another test for short key.
2019-09-11 14:09:08 +03:00
Ron Eldor
16cca804fb Add non regression test
Add a test that adds a very long key for an unsupported algorithm.
2019-09-11 10:14:48 +03:00
Jaeden Amero
18c7b9fdaa
Merge pull request #210 from tempesta-tech/extra-mbedtls_ecp_group_free
Remove extra mbedtls_ecp_group_free()
2019-09-10 18:51:43 +01:00
Jaeden Amero
9298dca14d
Merge pull request #185 from gilles-peskine-arm/harvard-md
Remove method dispatch from md
2019-09-10 18:38:39 +01:00
Jaeden Amero
4badc92438
Merge pull request #117 from gilles-peskine-arm/psa_error_code_coverage
PSA return status coverage script
2019-09-10 16:39:23 +01:00
Alexander K
56a74cdcc9 Replace 0 by MBEDTLS_ECP_DP_NONE to avoid IAR compiler complains 2019-09-10 17:58:20 +03:00
Jaeden Amero
4864eb5bec
Merge pull request #247 from athoelke/at-key-handles
Update the behavior of key handles
2019-09-10 14:38:56 +01:00
Ron Eldor
296eca6e76 Fix a buffer overflow in hmac_setup_internal
At the end of `psa_hmac_setup_internal()`, the ipad is cleared.
However, the size that was given to clear was `key_len` which is larger
than the size of `ipad`.
2019-09-10 15:21:37 +03:00
Gilles Peskine
4b3db7382d Add "clean" rule 2019-09-09 18:26:20 +02:00
Gilles Peskine
1ff67cc65c Build the driver interface test strategy document 2019-09-09 18:25:13 +02:00
Andrew Thoelke
970629fc9a Fix grammar. 2019-09-09 09:56:34 +01:00
Gilles Peskine
75cc771d3a Run psa_collect_statuses.py in all.sh
Since it needs a slightly different build, even if that's only for the
tests, make it its own component.
2019-09-06 19:47:17 +02:00
Gilles Peskine
be061337c1 Document more error codes 2019-09-06 19:29:52 +02:00
Gilles Peskine
51681556cf PSA return status coverage script
Add infrastructure to run unit tests and collect the return values for
every PSA API function that returns psa_status_t.

    ./tests/scripts/psa_collect_statuses.py >statuses.txt
2019-09-06 19:28:47 +02:00
Gilles Peskine
1983512803 Add backward compatibility alias for PSA_ERROR_CORRUPTION_DETECTED
This was renamed from PSA_ERROR_TAMPERING_DETECTED. Add a backward
compatibility alias in case somebody was already using it.
2019-09-06 17:48:56 +02:00
Gilles Peskine
33b84f4db7 Omit all deprecated definitions rather than a hard-coded list
Rather than hard-coding a list of deprecated aliases, assume that
anything that's deprecated is an alias or otherwise not desired.
2019-09-06 17:48:56 +02:00
Gilles Peskine
f30d4d9b34 More accurate parsing of #define directives
Support continuation lines and remove comments.
2019-09-06 17:44:04 +02:00
Gilles Peskine
5c196fb599 Readability improvements
No indented semantic change.
2019-09-06 17:35:51 +02:00
Jaeden Amero
92348d1c49 Merge remote-tracking branch 'crypto/development' into development-restricted
* crypto/development: (77 commits)
  all.sh: disable MEMORY_BUFFER_ALLOC in cmake asan build
  Unify gcc and clang cmake flags to test with UBsan
  Add an input check in psa_its_set
  Remove storage errors from psa_generate_random
  Update getting_started.md
  Update based on Jaeden's comments.
  Update getting_started.md
  Fix return code warnings
  Update getting_started.md
  Fix warnings
  Add PSA_ERROR_STORAGE_FAILURE to psa_cipher_generate_iv
  Remove errorneous insert
  Add STORAGE_FAILURE everywhere + add missing codes
  Add storage failure to psa_mac_verify_finish
  Add storage failure to psa_mac_sign_finish
  Add PSA_ERROR_STORAGE_FAILURE to psa_aead_*_setup functions
  Added PSA_ERROR_BAD_STATE to functions with operations
  Added extra bad state case to psa_hash_setup
  Add missing return codes to psa_generate_key
  Add PSA_ERROR_BUFFER_TOO_SMALL to psa_mac_compute
  ...
2019-09-06 08:56:21 +01:00
Jaeden Amero
7c2cc479b0
Merge pull request #213 from adrianlshaw/psa-api-1.0-beta
Update function return codes
2019-09-06 08:53:29 +01:00
Alexander K
77233ec411 Fix misprint 2019-09-05 21:37:39 +03:00
Gilles Peskine
8b193c10ca Check inputs too 2019-09-05 19:37:01 +02:00
Jaeden Amero
595643c514
Merge pull request #222 from jainvikas8/zeroize-check
Check for zero length and NULL buffer pointer.
2019-09-05 17:35:40 +01:00
Jaeden Amero
c12cb5236b
Merge pull request #239 from AndrzejKurek/psa-its-file-fixes
Remove a potential call to fwrite with null buffer. Add UBsan testing
2019-09-05 16:40:08 +01:00
Jaeden Amero
c7cde03fec
Merge pull request #276 from dgreen-arm/dev/dgreen-arm/iotcrypt-616-fix-ecdsa-rng
Fix deterministic ECDSA RNG misuse
2019-09-05 15:22:38 +01:00
Jaeden Amero
826907736f Merge remote-tracking branch 'origin/pr/2623' into development
* origin/pr/2623:
  Adapt ChangeLog
  Fix mpi_bigendian_to_host() on bigendian systems
2019-09-05 14:43:46 +01:00
Unknown
f094b53e8e all.sh: disable MEMORY_BUFFER_ALLOC in cmake asan build
Enabling MBEDTLS_MEMORY_BUFFER_ALLOC_C bypasses ASan leak checks
because system calloc() and free() aren't used.
2019-09-05 09:34:57 -04:00
Unknown
10d42b686a Unify gcc and clang cmake flags to test with UBsan
Previously, not all flags were supported by the gcc version that was used
(pre-4.9). Now, since the minimum version gcc version tested is 5.4, 
the flags can be unified.
2019-09-05 09:34:47 -04:00
Andrzej Kurek
dc22d8d022 Add an input check in psa_its_set 2019-09-05 09:34:34 -04:00
Darryl Green
5e843fa133 Use safer deterministic function in psa_ecdsa_sign 2019-09-05 14:06:34 +01:00
Jaeden Amero
3cadc626b2
Merge pull request #242 from ArmMbedCloud/getting-started-technical-author-review
Technical author review of getting_started.md
2019-09-05 13:57:41 +01:00
Janos Follath
75f2c20f9c ECDSA: Explain limitations of constant blinding 2019-09-05 11:18:58 +01:00
Janos Follath
896a294211 Correct deterministic ECDSA behavior
We were still reusing the internal HMAC-DRBG of the deterministic ECDSA
for blinding. This meant that with cryptographically low likelyhood the
result was not the same signature as the one the deterministic ECDSA
algorithm has to produce (however it is still a valid ECDSA signature).

To correct this we seed a second HMAC-DRBG with the same seed to restore
correct behavior. We also apply a label to avoid reusing the bits of the
ephemeral key for a different purpose and reduce the chance that they
leak.

This workaround can't be implemented in the restartable case without
penalising the case where external RNG is available or completely
defeating the purpose of the restartable feature, therefore in this case
the small chance of incorrect behavior remains.
2019-09-05 11:18:58 +01:00
Janos Follath
1231d210e1 Add warning for alternative ECDSA implementations
Alternative implementations are often hardware accelerators and might
not need an RNG for blinding. But if they do, then we make them misuse
the RNG in the deterministic case.

There are several way around this:
- Exposing a lower level function for replacement. This would be the
optimal solution, but litters the API and is not backward compatible.
- Introducing a new compile time option for replacing the deterministic
function. This would mostly cover the same code as
MBEDTLS_ECDSA_DETERMINISTIC and would be yet another compile time flag.
- Reusing the existing MBEDTLS_ECDSA_DETERMINISTIC macro. This changes
the algorithm used by the PK layer from deterministic to randomised if
the alternative implementation is present.

This commit implements the third option. This is a temporary solution
and should be fixed at the next device driver API change.
2019-09-05 11:18:58 +01:00
Janos Follath
e65e0597a8 Deprecate the old deterministic ECDSA function
The current interface does not allow passing an RNG, which is needed for
blinding. Using the scheme's internal HMAC-DRBG results the same
blinding values for the same key and message, diminishing the
effectiveness of the countermeasure. A new function
`mbedtls_ecdsa_det_ext` is available to address this problem.
2019-09-05 11:18:58 +01:00