Commit graph

980 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
d6aea18749 Add Chacha20-Poly1305 to benchmark.c 2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard
b1ac5e7842 poly1305: adjust parameter order
This module used (len, pointer) while (pointer, len) is more common in the
rest of the library, in particular it's what's used in the CMAC API that is
very comparable to Poly1305, so switch to (pointer, len) for consistency.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard
dca3a5d884 Rename aead_chacha20_poly1305 to chachapoly
While the old name is explicit and aligned with the RFC, it's also very long,
so with the mbedtls_ prefix prepended we get a 31-char prefix to each
identifier, which quickly conflicts with our 80-column policy.

The new name is shorter, it's what a lot of people use when speaking about
that construction anyway, and hopefully should not introduce confusion at
it seems unlikely that variants other than 20/1305 be standardised in the
foreseeable future.
2018-05-24 13:37:31 +02:00
Daniel King
4d8f87b1ca Add ChaCha20/Poly1305 ciphers to the selftest program 2018-05-24 13:37:31 +02:00
Daniel King
adc32c0b50 Add Poly1305 authenticator algorithm (RFC 7539)
Test vectors are included from RFC 7539.

Poly1305 is also added to the benchmark program.
2018-05-24 13:37:31 +02:00
Daniel King
34b822ce7b Initial implementation of ChaCha20 2018-05-24 13:37:31 +02:00
Darryl Green
11999bb72e Fix minor code style issues 2018-05-15 09:21:57 +01:00
Andres Amaya Garcia
eecea0e281 Update zeroize test to use mbedtls_platform_zeroize() 2018-04-17 10:14:53 -05:00
Andres Amaya Garcia
82934be144 Do not install zeroize program in CMakeLists 2018-04-17 10:02:17 -05:00
Andres Amaya Garcia
ae8e306973 Fix docs typos for zeroize related features/test 2018-04-17 09:21:49 -05:00
Andres Amaya Garcia
757cd72edf Update license headers year and branding 2018-04-17 09:21:49 -05:00
Andres Amaya Garcia
42defd10a6 Improve docs for zeroize.c and test_zeroize.gdb 2018-04-17 09:21:49 -05:00
Andres Amaya Garcia
6e34e63eb3 Fix style in programs/test/zeroize.c 2018-04-17 09:19:05 -05:00
Andres Amaya Garcia
88f8f41e5a Move zeroize func call to end of program in zeroize.c 2018-04-17 09:19:05 -05:00
Andres Amaya Garcia
c6b0abd5a6 Fix alignment of Makefiles 2018-04-17 09:17:38 -05:00
Andres Amaya Garcia
5ab74a1401 Add programs/test/zeroize.c to test mbedtls_zeroize
The idea is to use the simple program that is expected to be modified
rarely to set a breakpoint in a specific line and check that the
function mbedtls_zeroize() does actually set the buffer to 0 and is not
optimised out by the compiler.
2018-04-17 09:17:38 -05:00
Gilles Peskine
80aa3b8d65 Merge branch 'pr_946' into development-proposed 2018-04-04 10:33:45 +02:00
Gilles Peskine
b9e8696d56 Merge remote-tracking branch 'upstream-public/pr/1142' into development-proposed 2018-04-04 09:20:59 +02:00
Gilles Peskine
be2371c3d9 Merge branch 'pr_348' into development-proposed 2018-04-04 09:18:27 +02:00
Andrzej Kurek
b364053a87 pk_sign: add stdlib include 2018-04-03 06:16:04 -04:00
Kevin Luty
0cbe816bfc
ChangeLog updated and returning proper value 2018-04-02 10:01:16 -05:00
Gilles Peskine
0ed632f445 Merge remote-tracking branch 'upstream-public/pr/1499' into development-proposed 2018-04-01 12:41:22 +02:00
Nicholas Wilson
08f3ef1861 Basic support for Curve448, similar to the current level of support for Curve25519 2018-03-29 14:29:06 +01:00
Hanno Becker
2bd57578af Merge branch 'development' into iotssl-1204 2018-03-28 14:52:35 +01:00
Andres Amaya Garcia
420f0ccdfd Make DLEXT var configurable in programs and tests makefiles 2018-03-27 19:17:21 +01:00
Kevin Luty
d9d5c55438
Assign error return value for failed write 2018-03-22 09:59:16 -05:00
Kevin Luty
1e7059fedd
Adding requested changes 2018-03-21 10:01:38 -05:00
Hanno Becker
ef52796537 Fix missing return statement ssl_server2 idling
Also, introduce MBEDTLS_EINTR locally in net_sockets.c
for the platform-dependent return code macro used by
the `select` call to indicate that the poll was interrupted
by a signal handler: On Unix, the corresponding macro is EINTR,
while on Windows, it's WSAEINTR.
2018-03-15 15:52:31 +00:00
Hanno Becker
9b2b66ebd2 Minor style corrections
Move function block brace outside conditional compilation
to not confuse some editors, and correct indentation.
2018-03-15 12:21:15 +00:00
Hanno Becker
adfa64f0c4 Abort idle-loop in ssl_server2 if sockets gets invalid
Previously, the idling loop in ssl_server2 didn't check whether
the underlying call to mbedtls_net_poll signalled that the socket
became invalid. This had the consequence that during idling, the
server couldn't be terminated through a SIGTERM, as the corresponding
handler would only close the sockets and expect the remainder of
the program to shutdown gracefully as a consequence of this.
This was subsequently attempted to be fixed through a change
in ssl-opt.sh by terminating the server through a KILL signal,
which however lead to other problems when the latter was run
under valgrind.

This commit changes the idling loop in ssl_server2 and ssl_client2
to obey the return code of mbedtls_net_poll and gracefully shutdown
if an error occurs, e.g. because the socket was closed.

As a consequence, the server termination via a KILL signal in
ssl-opt.sh is no longer necessary, with the previous `kill; wait`
pattern being sufficient. The commit reverts the corresponding
change.
2018-03-15 11:43:41 +00:00
Hanno Becker
b6f880b63b Revert whitespace change to ease merging 2018-03-13 12:48:50 +00:00
Hanno Becker
ddc3ebbc3f Exemplify use of mbedtls_ssl_check_pending in ssl_server2.c 2018-03-13 11:48:32 +00:00
Brendan Shanks
e61514d70d benchmark: Fix incompatibility with C89 compilers
Initializing arrays using non-constant expressions is not permitted in
C89, and was causing errors when compiling with Metrowerks CodeWarrior
(for classic MacOS) in C89 mode. Clang also produces a warning when
compiling with '-Wc99-extensions':

test/benchmark.c:670:42: warning: initializer for aggregate is not a compile-time constant [-Wc99-extensions]
        const unsigned char *dhm_P[] = { dhm_P_2048, dhm_P_3072 };
                                         ^~~~~~~~~~
test/benchmark.c:674:42: warning: initializer for aggregate is not a compile-time constant [-Wc99-extensions]
        const unsigned char *dhm_G[] = { dhm_G_2048, dhm_G_3072 };
                                         ^~~~~~~~~~

Declaring the arrays as 'static' makes them constant expressions.

fixes #1353
2018-03-08 17:41:40 -08:00
Jaeden Amero
bec9a9b57a Merge branch 'development' into development-restricted 2018-01-29 12:49:23 +00:00
Jaeden Amero
4d3e1582b0 Merge remote-tracking branch 'upstream-public/pr/1287' into development 2018-01-29 12:49:20 +00:00
Jaeden Amero
784de59ccd Merge remote-tracking branch 'upstream-restricted/pr/410' into development-restricted
- Resolve ChangeLog conflicts
- Update Doxygen warning block in dhm.h to render correctly
- Prefix the exported identifier deprecated_constant_t with mbedtls_
2018-01-26 18:43:04 +00:00
Jaeden Amero
934fb55aa3 Merge remote-tracking branch 'upstream-public/pr/1036' into development 2018-01-26 15:12:43 +00:00
Jaeden Amero
005239e3ed Merge remote-tracking branch 'upstream-public/pr/1294' into development 2018-01-25 14:47:39 +00:00
Manuel Pégourié-Gonnard
4fa619fe56 Fix race condition in error printing in ssl_server2.c
The race goes this way:
1. ssl_recv() succeeds (ie no signal received yet)
2. processing the message leads to aborting handshake with ret != 0
3. reset ret if we were signaled
4. print error if ret is still non-zero
5. go back to net_accept() which can be interrupted by a signal
We print the error message only if the signal is received between steps 3 and
5, not when it arrives between steps 1 and 3.

This can cause failures in ssl-opt.sh where we check for the presence of "Last
error was..." in the server's output: if we perform step 2, the client will be
notified and exit, then ssl-opt.sh will send SIGTERM to the server, but if it
didn't get a chance to run and pass step 3 in the meantime, we're in trouble.

The purpose of step 3 was to avoid spurious "Last error" messages in the
output so that ssl-opt.sh can check for a successful run by the absence of
that message. However, it is enough to suppress that message when the last
error we get is the one we expect from being interrupted by a signal - doing
more could hide real errors.

Also, improve the messages printed when interrupted to make it easier to
distinguish the two cases - this could be used in a testing script wanted to
check that the server doesn't see the client as disconnecting unexpectedly.
2018-01-25 11:27:24 +01:00
Gilles Peskine
cb1e5eb326 Merge branch 'pr_1000' into development-proposed 2018-01-23 00:57:34 +01:00
Gilles Peskine
550a2b036b Merge branch 'pr_1163' into development-proposed 2018-01-23 00:57:26 +01:00
Gilles Peskine
9e4f77c606 New MD API: rename functions from _ext to _ret
The _ext suffix suggests "new arguments", but the new functions have
the same arguments. Use _ret instead, to convey that the difference is
that the new functions return a value.
2018-01-22 11:54:42 +01:00
Gilles Peskine
d91f2a26cb Merge branch 'development' into iotssl-1251-2.7
Conflict resolution:

* ChangeLog: put the new entries in their rightful place.
* library/x509write_crt.c: the change in development was whitespace
  only, so use the one from the iotssl-1251 feature branch.
2018-01-19 11:25:10 +01:00
Hanno Becker
d4d60579e4 Address issues found by coverity
1) `mbedtls_rsa_import_raw` used an uninitialized return
   value when it was called without any input parameters.
   While not sensible, this is allowed and should be a
   succeeding no-op.

2) The MPI test for prime generation missed a return value
   check for a call to `mbedtls_mpi_shift_r`. This is neither
   critical nor new but should be fixed.

3) Both the RSA keygeneration example program and the
   RSA test suites contained code initializing an RSA context
   after a potentially failing call to CTR DRBG initialization,
   leaving the corresponding RSA context free call in the
   cleanup section of the respective function orphaned.
   While this defect existed before, Coverity picked up on
   it again because of newly introduced MPI's that were
   also wrongly initialized only after the call to CTR DRBG
   init. The commit fixes both the old and the new issue
   by moving the initializtion of both the RSA context and
   all MPI's prior to the first potentially failing call.
2018-01-10 07:30:47 +00:00
Hanno Becker
8bc74d6f2f Merge branch 'development' into iotssl-1619 2018-01-03 10:24:02 +00:00
Manuel Pégourié-Gonnard
ae3925c774 Merge remote-tracking branch 'public/pr/1136' into development
* public/pr/1136:
  Timing self test: shorten redundant tests
  Timing self test: increased duration
  Timing self test: increased tolerance
  Timing unit tests: more protection against infinite loops
  Unit test for mbedtls_timing_hardclock
  New timing unit tests
  selftest: allow excluding a subset of the tests
  selftest: allow running a subset of the tests
  selftest: refactor to separate the list of tests from the logic
  Timing self test: print some diagnosis information
  mbedtls_timing_get_timer: don't use uninitialized memory
  timing interface documentation: minor clarifications
  Timing: fix mbedtls_set_alarm(0) on Unix/POSIX
2017-12-26 10:42:20 +01:00
Hanno Becker
32297e8314 Merge branch 'development' into iotssl-1619 2017-12-22 10:24:32 +00:00
Gilles Peskine
ff79d27f5c selftest: allow excluding a subset of the tests
E.g. "selftest -x timing" runs all the self-tests except timing.
2017-12-20 21:57:48 +01:00
Gilles Peskine
c82fbb4e14 selftest: allow running a subset of the tests
If given command line arguments, interpret them as test names and only
run those tests.
2017-12-20 20:23:13 +01:00
Gilles Peskine
319ac801a8 selftest: refactor to separate the list of tests from the logic
No behavior change.
2017-12-20 20:19:27 +01:00