Commit graph

18437 commits

Author SHA1 Message Date
Ronald Cron
9ed3873905 psa: driver wrapper: cipher: Fix unused variable warning
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-14 18:11:06 +01:00
Ronald Cron
8188d19b0e Merge branch 'development-restricted' into mbedtls-3.1.0rc-pr 2021-12-14 10:58:18 +01:00
Manuel Pégourié-Gonnard
9fa5bf8e88
Merge pull request #5329 from gilles-peskine-arm/ssl_debug_helpers_generated.h-dependencies
List ssl_debug_helpers_generated.h in generated files
2021-12-14 09:57:38 +01:00
Gilles Peskine
12e27d4c5b List ssl_debug_helpers_generated.h in generated files
Running `generate_ssl_debug_helpers.py` generates both
`ssl_debug_helpers_generated.c` and `ssl_debug_helpers_generated.h`.

List the `.h` file as well as the `.c` file in `check-generated-files.sh` so
that `check-generated-files.sh -u` will complain if it isn't up to date.

List it in `Makefile` and `CMakeLists.txt` so that parallel builds know when
to wait until the `.h` file is present. In `Makefile`, declare the `.c` file
as depending on the `.h` file for order. This way, a dependency for either
will wait until the `.h` file is present, and since the `.h` file is
generated after the `.c` file, this guarantees that the `.c` file is
present.

This fixes random failures of `make -j` from a fresh checkout.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-14 00:19:47 +01:00
Gilles Peskine
32d2a58cc2
Merge pull request #5325 from gilles-peskine-arm/zeroize-tag-3.1
Zeroize expected MAC/tag intermediate variables
2021-12-13 19:09:30 +01:00
Gilles Peskine
cd74298c83 mbedtls_cipher_check_tag: jump on error for more robustness to refactoring
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 17:01:25 +01:00
Gilles Peskine
a5c18512b9
Merge pull request #5155 from paul-elliott-arm/pcks12_fix
Fixes for pkcs12 with NULL and/or zero length password
2021-12-13 14:52:36 +01:00
Gilles Peskine
a4174312da Initialize hash_len before using it
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 14:38:40 +01:00
Gilles Peskine
36d33f37b6 Generalize MAC zeroization changelog entry
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 12:43:11 +01:00
Gilles Peskine
14d5fef6b7 PKCS#1v1.5 signature: better cleanup of temporary values
Zeroize temporary buffers used to sanity-check the signature.

If there is an error, overwrite the tentative signature in the output
buffer.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 12:37:55 +01:00
Gilles Peskine
f0fd4c3aee mbedtls_ssl_parse_finished: zeroize expected finished value on error
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 12:36:15 +01:00
Gilles Peskine
c2f7b75a71 mbedtls_ssl_cookie_check: zeroize expected cookie on cookie mismatch
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 12:35:08 +01:00
Gilles Peskine
60aebec47e PSA hash verification: zeroize expected hash on hash mismatch
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 12:33:18 +01:00
Gilles Peskine
e7835d92c1 mbedtls_cipher_check_tag: zeroize expected tag on tag mismatch
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 12:32:43 +01:00
Dave Rodgman
050ad4bb50
Merge pull request #5313 from gilles-peskine-arm/missing-ret-check-mbedtls_md_hmac
Check HMAC return values
2021-12-13 10:51:27 +00:00
Gilles Peskine
ecf6bebb9c Catch failures of md_hmac operations
Declare mbedtls_md functions as MBEDTLS_CHECK_RETURN_TYPICAL, meaning that
their return values should be checked.

Do check the return values in our code. We were already doing that
everywhere for hash calculations, but not for HMAC calculations.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-11 15:00:57 +01:00
Gilles Peskine
d5ba50e239 Zeroize local MAC variables
Zeroize local MAC variables used for CBC+HMAC cipher suites. In encryption,
this is just good hygiene but probably not needed for security since the
data protected by the MAC that could leak is about to be transmitted anyway.
In DTLS decryption, this could be a security issue since an adversary could
learn the MAC of data that they were trying to inject. At least with
encrypt-then-MAC, the adversary could then easily inject a datagram with
a corrected packet. TLS would still be safe since the receiver would close
the connection after the bad MAC.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-11 14:59:45 +01:00
Paul Elliott
6e7deb1d55 Add expected output for tests
Expected output generated by OpenSSL (see below) apart from the case
where both password and salt are either NULL or zero length, as OpenSSL
does not support this. For these test cases we have had to use our own
output as that which is expected. Code to generate test cases is as
follows:

 #include <openssl/pkcs12.h>
 #include <openssl/evp.h>
 #include <string.h>

int Keygen_Uni( const char * test_name, unsigned char *pass, int
    passlen, unsigned char *salt,
                    int saltlen, int id, int iter, int n,
                                    unsigned char *out, const EVP_MD
                                    *md_type )
{
   size_t index;

   printf( "%s\n", test_name );

   int ret = PKCS12_key_gen_uni( pass, passlen, salt, saltlen, id, iter,
                                        n, out, md_type );

   if( ret != 1 )
   {
         printf( "Key generation returned %d\n", ret );
      }
   else
   {
         for( index = 0; index < n; ++index )
         {
                  printf( "%02x", out[index] );
               }

         printf( "\n" );
      }

   printf( "\n" );

}

int main(void)
{
   unsigned char out_buf[48];
   unsigned char pass[64];
   int pass_len;
   unsigned char salt[64];
   int salt_len;

   /* If ID=1, then the pseudorandom bits being produced are to be used
      as key material for performing encryption or decryption.

            If ID=2, then the pseudorandom bits being produced are to be
            used as an IV (Initial Value) for encryption or decryption.

                  If ID=3, then the pseudorandom bits being produced are
                  to be used as an integrity key for MACing.
                     */

   int id = 1;
   int iter = 3;

   memset( out_buf, 0, sizeof( out_buf ) );
   memset( pass, 0, sizeof( pass ) );
   memset( salt, 0, sizeof( salt ) );

   Keygen_Uni( "Zero length pass and salt", pass, 0, salt, 0, id, iter,
       sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   memset( out_buf, 0, sizeof( out_buf ) );

   Keygen_Uni( "NULL pass and salt", NULL, 0, NULL, 0, id, iter,
       sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   memset( out_buf, 0, sizeof( out_buf ) );

   salt[0] = 0x01;
   salt[1] = 0x23;
   salt[2] = 0x45;
   salt[3] = 0x67;
   salt[4] = 0x89;
   salt[5] = 0xab;
   salt[6] = 0xcd;
   salt[7] = 0xef;

   Keygen_Uni( "Zero length pass", pass, 0, salt, 8, id, iter,
       sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   memset( out_buf, 0, sizeof( out_buf ) );

   Keygen_Uni( "NULL pass", NULL, 0, salt, 8, id, iter, sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   memset( out_buf, 0, sizeof( out_buf ) );
   memset( salt, 0, sizeof( salt ) );

   pass[0] = 0x01;
   pass[1] = 0x23;
   pass[2] = 0x45;
   pass[3] = 0x67;
   pass[4] = 0x89;
   pass[5] = 0xab;
   pass[6] = 0xcd;
   pass[7] = 0xef;

   Keygen_Uni( "Zero length salt", pass, 8, salt, 0, id, iter,
       sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   memset( out_buf, 0, sizeof( out_buf ) );

   Keygen_Uni( "NULL salt", pass, 8, NULL, 0, id, iter, sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   memset( out_buf, 0, sizeof( out_buf ) );

   salt[0] = 0x01;
   salt[1] = 0x23;
   salt[2] = 0x45;
   salt[3] = 0x67;
   salt[4] = 0x89;
   salt[5] = 0xab;
   salt[6] = 0xcd;
   salt[7] = 0xef;

   Keygen_Uni( "Valid pass and salt", pass, 8, salt, 8, id, iter,
       sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   return 0;
}

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-10 20:53:59 +00:00
Gilles Peskine
c11192fcb2
Merge pull request #5290 from minosgalanakis/development
Document platform architecture portability constraints
2021-12-10 21:13:11 +01:00
paul-elliott-arm
f434994d83
Merge pull request #5303 from yuhaoth/pr/add_list_config_function
Add list config function
2021-12-10 18:30:06 +00:00
Ronald Cron
2331fdb280
Merge pull request #5293 from ronald-cron-arm/tls13-mvp-misc
Miscellaneous final changes for TLS 1.3 MVP release
2021-12-10 17:46:47 +01:00
Gilles Peskine
476b157dc4
Merge pull request #5305 from gilles-peskine-arm/test-missing-ret-check-202112-development
Missing error checks + test bug on unlikely failure
2021-12-10 17:41:52 +01:00
Gilles Peskine
0ca219575a mbedtls_pk_parse_key: don't allocate if not needed
mbedtls_pk_parse_key() makes a temporary copy of the key when it calls
pk_parse_key_pkcs8_encrypted_der(), because that function requires a
writable buffer. pk_parse_key_pkcs8_encrypted_der() always rejects an
empty password, so skip calling it in that case, which allows us to
skip the allocation as well.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-10 17:36:37 +01:00
Minos Galanakis
c10086e33e changelog: Addressed review comments #6
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2021-12-10 15:52:54 +00:00
Jerry Yu
29ceb564f8 fix help message issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 23:38:57 +08:00
Minos Galanakis
8340ea80cd changelog: Addressed review comments #5
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2021-12-10 15:31:23 +00:00
Ronald Cron
64bff9f261 tests: data_files: Avoid symbolic links
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 15:09:57 +01:00
Jerry Yu
b54b53142a fix msvc build faile
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 21:38:12 +08:00
Gilles Peskine
dc8ecda46f Don't fail until everything is initialized
Can't call mbedtls_cipher_free(&invalid_ctx) in cleanup if
mbedtls_cipher_init(&invalid_ctx) hasn't been called.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-10 14:28:31 +01:00
Ronald Cron
b1822efe22 docs: TLS 1.3: Improve wording
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 14:28:13 +01:00
Gilles Peskine
f1c30b2a94 Check return values in more places
Selective replacement of
```
^\( *\)\(mbedtls_\(md\|cipher\)_[A-Z_a-z0-9]+\)\((.*)\);
```
by
```
\1if( \2\4 != 0 )
\1{
\1    mbedtls_fprintf( stderr, "\2() returned error\\n" );
\1    goto exit;
\1}
```

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-10 14:25:45 +01:00
Ronald Cron
db6adc5aad ssl: Fix some compilation guards for TLS 1.3 signature algorithms
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 14:25:35 +01:00
Ronald Cron
bb27b43013 build: Fix TLS 1.3 prerequisites
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 14:22:52 +01:00
Ronald Cron
6aeda5305c Add change log for TLS 1.3 MVP
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 13:48:12 +01:00
Ronald Cron
6f135e1148 Rename MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL to MBEDTLS_SSL_PROTO_TLS1_3
As we have now a minimal viable implementation of TLS 1.3,
let's remove EXPERIMENTAL from the config option enabling
it.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 13:47:55 +01:00
Jerry Yu
2e8b00172b Beauty source code
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 20:29:02 +08:00
Ronald Cron
7aa6fc1992 docs: TLS 1.3: Update prototype upstreaming status
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 13:22:21 +01:00
Ronald Cron
653d5bc781 docs: TLS 1.3: Swap prototype upstreaming status and MVP definition
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 13:22:21 +01:00
Ronald Cron
43ffc9d659 docs: TLS 1.3: Update TLS 1.3 documentation file name
Update TLS 1.3 documentation file name and its
overview section.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 13:22:21 +01:00
Ronald Cron
0abf07ca2c Make PSA crypto mandatory for TLS 1.3
As we want to move to PSA for cryptographic operations
let's mandate PSA crypto from the start.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 13:22:21 +01:00
Dave Rodgman
76a2b306ac
Merge pull request #4981 from yuhaoth/pr/add-debug-helpers-generated
Add debug helpers generated
2021-12-10 11:56:55 +00:00
Manuel Pégourié-Gonnard
4525cce691
Merge pull request #5256 from yuhaoth/pr/clean-up-secrets-after-done
TLS1.3 MVP: Erase secrets when they are not necessary anymore.
2021-12-10 12:48:25 +01:00
Minos Galanakis
5f173c62a4 changelog: Addressed review comments #4
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2021-12-10 11:07:27 +00:00
Ronald Cron
6b07916e40
Merge pull request #5230 from ronald-cron-arm/tls13_ccs_client
Add initial support for "Middlebox Compatibility Mode"
2021-12-10 11:58:05 +01:00
Minos Galanakis
3f46f38095 changelog: Addressed review comments #3
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2021-12-10 10:54:06 +00:00
Jerry Yu
d0fcf7f6a0 fix ci fail
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 18:45:51 +08:00
Minos Galanakis
3a77949c89 changelog: Addressed review comments #2
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2021-12-10 10:45:37 +00:00
Jerry Yu
a5563f6115 move position of base_key init
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 18:14:36 +08:00
Jerry Yu
b737f6a9be move base_key init
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 17:55:59 +08:00
Gilles Peskine
fe051f6aab
Merge pull request #5297 from paul-elliott-arm/test_suite_cipher_returns
Add checked return to cipher setup in Cipher tests
2021-12-10 10:39:57 +01:00