Commit Graph

12955 Commits

Author SHA1 Message Date
Gilles Peskine
8d36696e1f Fix fuzz_pubkey failure on valid RSA keys
On a valid RSA public key, mbedtls_rsa_export should succeed if you
ask for the public fields, but fail if you ask for private fields. The
code was expecting to succeed when asking for private fields, so
failed on every valid RSA public key.
2020-02-25 19:51:07 +01:00
Jaeden Amero
6fb7bd0228
Merge pull request #3046 from piotr-now/dtls-renegotiation
DTLS renegotiation
2020-02-25 18:58:04 +04:00
Jaeden Amero
2287a47d11
Merge pull request #3043 from piotr-now/dtls-application-data
DTLS application data
2020-02-25 18:35:14 +04:00
Piotr Nowicki
95e9eb8d91 Add test for renegotiation in DTLS
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-02-25 14:15:00 +01:00
Piotr Nowicki
6a7f01c237 Add test with sending application data via DTLS
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-02-25 14:10:15 +01:00
Manuel Pégourié-Gonnard
a4522e8467 Uniformize wording for removal of deprecated things
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-02-25 12:47:54 +01:00
Andres Amaya Garcia
10edb3e8da Add comment to matching #endif
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-02-25 12:47:52 +01:00
Andres Amaya Garcia
da15409aea Remove the word likely from deprecated documentation
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-02-25 12:47:51 +01:00
Andres Amaya Garcia
4156ac18d7 Wrap deprecations for HW_RECORD_ACCEL with DEPRECATED_REMOVED
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-02-25 12:47:48 +01:00
Andres Amaya Garcia
3f6cc5f786 Deprecate global func ptrs for MBEDTLS_SSL_HW_RECORD_ACCEL
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-02-25 12:47:46 +01:00
Andres Amaya Garcia
84b4e796a3 Deprecate MBEDTLS_SSL_HW_RECORD_ACCEL config
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-02-25 12:47:27 +01:00
Jaeden Amero
20b3a68e70
Merge pull request #3042 from AndrzejKurek/dtls-handshake-serialization
Dtls handshake serialization test
2020-02-24 14:56:00 +04:00
Janos Follath
6fc816ae7c
Merge pull request #3038 from gilles-peskine-arm/align-crypto-programs
Side-port from crypto: programs/
2020-02-24 10:36:39 +00:00
Andrzej Kurek
da2b67806b
Add a dtls handshake test with context serialization
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-02-24 04:56:53 -05:00
Jaeden Amero
a08e699afc
Merge pull request #3036 from AndrzejKurek/dtls-handshake-tests
DTLS handshake tests
2020-02-21 15:18:52 +04:00
Gilles Peskine
13fac98aca Generalize everest support to generic 3rdparty support
Other third-party components can now be added by just adding lines to
the definitions of @thirdparty_header_dirs and
@thirdparty_source_dirs.

No semantic change. The output does not change at all.
2020-02-19 20:13:29 +01:00
Gilles Peskine
9ab9621511 Move 3rdparty mentions to a separate line
This makes it easier to merge changes related to adding or removing
3rdparty items.

No semantic change.
2020-02-19 20:13:29 +01:00
Janos Follath
aaabe86ac1
Merge pull request #3055 from yanesca/update_submodule_and_version_2.21.0
Update submodule and version 2.21.0
2020-02-19 17:13:48 +00:00
Dan Handley
e0fcd887b8 Minor formatting fixes to CONTRIBUTING.md
Fix inconsistent list formatting in CONTRIBUTING.md.

Signed-off-by: Dan Handley <dan.handley@arm.com>
2020-02-19 16:05:10 +00:00
Dan Handley
af997e0088 Drop requirement for a CLA
The Mbed Crypto project no longer requires a CLA. Contributions from now on
must be made under both Apache-2.0 and GPL-2.0-or-later licenses, to enable
LTS (Long Term Support) branches of the software to continue to be provided
under either Apache-2.0 OR GPL-2.0-or-later. Contributors must accept the
terms of the Developer Certificate of Origin (DCO) by adding a Signed-off-by:
line to each commit message.

The software on the development branch continues to be provided under
Apache-2.0.

Update README.md and CONTRIBUTING.md to explain the new licensing model.
Add a copy of the DCO to the project.

Expand the full Apache-2.0 license text in the LICENSE file and remove the
redundant apache-2.0.txt.

Signed-off-by: Dan Handley <dan.handley@arm.com>
2020-02-19 16:04:44 +00:00
Dan Handley
20579b7938 Add project description to README.md
Add simple project description to README.md.

Signed-off-by: Dan Handley <dan.handley@arm.com>
2020-02-19 15:53:50 +00:00
Dan Handley
16a988527f Minor formatting fixes to CONTRIBUTING.md
Fix inconsistent list formatting in CONTRIBUTING.md.

Signed-off-by: Dan Handley <dan.handley@arm.com>
2020-02-19 15:50:52 +00:00
Dan Handley
c76a54554c Drop requirement for a CLA
The Mbed TLS project no longer requires a CLA. Contributions from now on
must be made under both Apache-2.0 AND GPL-2.0-or-later licenses, to enable
LTS (Long Term Support) branches of the software to continue to be provided
under either Apache-2.0 OR GPL-2.0-or-later. Contributors must accept the
terms of the Developer Certificate of Origin (DCO) by adding a Signed-off-by:
line to each commit message.

The software on the development branch continues to be provided under
Apache-2.0.

Update README.md, CONTRIBUTING.md and pull_request_template.md to explain
the new licensing model. Add a copy of the DCO to the project.

Expand the full Apache-2.0 license text in the LICENSE file and remove the
redundant apache-2.0.txt.

Signed-off-by: Dan Handley <dan.handley@arm.com>
2020-02-19 15:50:40 +00:00
Janos Follath
138c2eac55 Add release info to ChangeLog 2020-02-19 14:35:16 +00:00
Janos Follath
84d2fd4ee2 Bump version to Mbed TLS 2.21.0 2020-02-19 14:35:16 +00:00
Janos Follath
d1692ee07a Update ChangeLog for crypto changes from a591985c62
Add ChangeLog entries for changes brought by the submodule update in
the previous commit.
2020-02-19 14:30:44 +00:00
Janos Follath
a591985c62 Update submodule
* #365 Change PSA compatibility API to inline functions
* #367 Fix pk_parse_key()'s use of rsa_complete()
* #370 Bump version to Mbed TLS 2.21.0
2020-02-19 14:29:38 +00:00
Janos Follath
cf4a40ba0a
Merge pull request #370 from yanesca/update-version-2.21.0
Bump version to Mbed TLS 2.21.0
2020-02-19 14:21:11 +00:00
Janos Follath
bc7c2424c9 Bump version to Mbed TLS 2.21.0 2020-02-19 11:51:13 +00:00
Gilles Peskine
f841eab48f
Merge pull request #367 from mpg/fix-rsa-complete
Fix pk_parse_key()'s use of rsa_complete()
2020-02-19 10:23:03 +01:00
Manuel Pégourié-Gonnard
f8b9329125
Merge pull request #365 from soby-mathew/sm/static_fns_compat
Change the compatibility API to inline functions
2020-02-18 12:59:50 +01:00
Manuel Pégourié-Gonnard
bbb5a0a94a Fix pkparse bug wrt MBEDTLS_RSA_ALT
Some code paths want to access members of the mbedtls_rsa_context structure.
We can only do that when using our own implementation, as otherwise we don't
know anything about that structure.
2020-02-18 10:31:29 +01:00
Manuel Pégourié-Gonnard
9bbe328752 Test each failure mode of pk_parse_key_pkcs1_der()
(Only the top-level ones, ie, for each call to eg asn1_get_mpi(), ensure
there's at least one test case that makes this call fail in one way, but don't
test the various ways to make asn1_get_mpi fail - that should be covered
elsewhere.)

- the new checks added by the previous commits needed exercising
- existing tests sometimes had wrong descriptions or where passing for the
  wrong reason (eg with the "length mismatch" test, the function actually
failed before reaching the length check)
- while at it, add tests for the rest as well

The valid minimal-size key was generated with:

openssl genrsa 128 2>/dev/null | openssl rsa -outform der 2>/dev/null | xxd -p
2020-02-18 10:31:29 +01:00
Gilles Peskine
8d073c7330
Merge pull request #3037 from gilles-peskine-arm/update-submodule-20200206
Update crypto submodule 2020-02-06
2020-02-18 10:29:18 +01:00
Manuel Pégourié-Gonnard
b65370f97d Clean up test function pk_parse_key
- remove incorrect compile-time dependency (the individual cases already have
  correct run-time dependency information)
- remove unused argument
- remove unused stack buffer
- remove useless code block
2020-02-18 10:18:43 +01:00
Manuel Pégourié-Gonnard
c42267920c Check public part when parsing private RSA key 2020-02-18 10:18:43 +01:00
Manuel Pégourié-Gonnard
a04a2c3ef1 Don't pass zero to rsa_complete() as a param
When parsing a PKCS#1 RSAPrivateKey structure, all parameters are always
present. After importing them, we need to call rsa_complete() for the sake of
alternative implementations. That function interprets zero as a signal for
"this parameter was not provided". As that's never the case, we mustn't pass
any zero value to that function, so we need to explicitly check for it.
2020-02-18 10:18:43 +01:00
Gilles Peskine
25a5c09fbb Update ChangeLog for crypto changes from 799ae77f90
Add ChangeLog entries for changes brought by the submodule update in
the previous commit.
2020-02-17 11:49:33 +01:00
Gilles Peskine
799ae77f90 Update crypto submodule
* #352: Parse RSA parameters DP, DQ and QP from PKCS1 private keys
* #263: Introduce ASN.1 SEQUENCE traversal API
* #345: Fix possible error code mangling in psa_mac_verify_finish
* #357: Update Mbed Crypto with latest Mbed TLS changes as of 2020-02-03
* #350: test_suite_asn1parse: improve testing of trailing garbage in parse_prefixes
* #346: Improve robustness and testing of mbedtls_mpi_copy
2020-02-17 11:46:12 +01:00
Gilles Peskine
f142d4ccab Update ChangeLog for crypto changes since Mbed Crypto 3.0.1
Add ChangeLog entries for changes brought by the submodule update in
81d3100250.
2020-02-17 11:46:12 +01:00
Andrzej Kurek
941962eb91 Add DTLS handshake tests for the mocked ssl test suite
Starting with TLS 1.1
2020-02-12 09:18:19 -05:00
Andrzej Kurek
15daf50b05 Parametrize the endpoint init and free to prepare for DTLS tests 2020-02-12 09:17:52 -05:00
Manuel Pégourié-Gonnard
a0c164a2d4
Merge pull request #3010 from hanno-arm/tls_msg_split
Introduce separate source file for SSL messaging layer
2020-02-12 09:59:12 +01:00
Manuel Pégourié-Gonnard
657daba81c
Merge pull request #2873 from gilles-peskine-arm/bk-warning-fixes-x509
Fix some possibly-undefined variable warnings
2020-02-12 09:16:23 +01:00
Gilles Peskine
765d240ca6 Test component with malloc(0) returning NULL: run some ssl tests 2020-02-11 19:26:28 +01:00
Gilles Peskine
c4ef7a9de3 Add a test component with malloc(0) returning NULL
Exercise the library functions with calloc returning NULL for a size
of 0. Make this a separate job with UBSan (and ASan) to detect
places where we try to dereference the result of calloc(0) or to do
things like

    buf = calloc(size, 1);
    if (buf == NULL && size != 0) return INSUFFICIENT_MEMORY;
    memcpy(buf, source, size);

which has undefined behavior when buf is NULL at the memcpy call even
if size is 0.

This is needed because other test components jobs either use the system
malloc which returns non-NULL on Linux and FreeBSD, or the
memory_buffer_alloc malloc which returns NULL but does not give as
useful feedback with ASan (because the whole heap is a single C
object).
2020-02-11 19:26:28 +01:00
Gilles Peskine
6fc21f630c Add a calloc self-test
Add a very basic test of calloc to the selftest program. The selftest
program acts in its capacity as a platform compatibility checker rather
than in its capacity as a test of the library.

The main objective is to report whether calloc returns NULL for a size
of 0. Also observe whether a free/alloc sequence returns the address
that was just freed and whether a size overflow is properly detected.
2020-02-11 19:26:27 +01:00
Gilles Peskine
db0cb2578c Fix CTR_DRBG benchmark
You can't reuse a CTR_DRBG context without free()ing it and
re-init()ing. This generally happened to work, but was never
guaranteed. It could have failed with alternative implementations of
the AES module because mbedtls_ctr_drbg_seed() calls
mbedtls_aes_init() on a context which is already initialized if
mbedtls_ctr_drbg_seed() hasn't been called before, plausibly causing a
memory leak. Calling free() and seed() with no intervening init fails
when MBEDTLS_THREADING_C is enabled and all-bits-zero is not a valid
mutex representation. So add the missing free() and init().
2020-02-11 19:26:27 +01:00
Gilles Peskine
e732f04443 cmake: link programs that only use x509 with libmbedx509
When building with CMake, for sample programs that only use
functionality in libmbedcrypto and libmbedx509, link with
libmbedx509, not with libmbedtls.

cert_app makes a TLS connection, so do link it with libmbedtls.
2020-02-11 19:26:27 +01:00
Gilles Peskine
e123395317 cmake: link programs that only use crypto with libmbedcrypto
When building with CMake, for sample programs that only use
functionality in libmbedcrypto (i.e. crypto and platform), link with
libmbedcrypto, not with libmbedtls.

This doesn't change the result, because the linker skips libraries in
which no symbol is used, but it changes the build dependencies, and it
has the advantage of bringing programs/*/CMakeLists.txt closer to the
corresponding files under crypto/.

The programs concerned are crypto sample and test programs, and
programs that only use (potential) platform functions such as
mbedtls_printf. dh_client and dh_server keep linking with mbedtls
because they use functions from the net_sockets module.
2020-02-11 19:26:27 +01:00