27329 Commits

Author SHA1 Message Date
Dave Rodgman
130938a804
Merge pull request from gilles-peskine-arm/tls13_read_public_xxdhe_share-overflow
Fix buffer overflow in TLS 1.3 and USE_PSA_CRYPTO ClientHello ECDH/FFDH parsers
2023-10-03 12:28:38 +01:00
Gilles Peskine
3713bee34c Remove leftover local debug line
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-10-02 18:43:18 +02:00
Gilles Peskine
7910cdd47f Avoid compiler warning about size comparison
GCC warns about comparing uint8_t to a size that may be >255.

Strangely, casting the uint8_t to a size_t in the comparison expression
doesn't avoid the warning. So change the type of the variable.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-10-02 16:11:05 +02:00
Gilles Peskine
530c423ad2 Improve some debug messages and error codes
On a parsing error in TLS, return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE, not a
crypto error code.

On error paths, emit a level-1 debug message. Report the offending sizes.

Downgrade an informational message's level to 3.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-10-02 15:42:11 +02:00
Gilles Peskine
6dd5b9a60c In TLS 1.2, only servers are affected
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-10-02 15:38:51 +02:00
Gilles Peskine
b782415e1b Changelog entry for xxdh_psa_peerkey size validation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-10-02 15:08:37 +02:00
Gilles Peskine
c29df535ee Improve robustness of ECDH public key length validation
In client-side code with MBEDTLS_USE_PSA_CRYPTO, use the buffer size to
validate what is written in handshake->xxdh_psa_peerkey. The previous code
was correct, but a little fragile to misconfiguration or maintenance.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-10-02 15:02:39 +02:00
Gilles Peskine
c8df898204 Fix buffer overflow in TLS 1.2 ClientKeyExchange parsing
Fix a buffer overflow in TLS 1.2 ClientKeyExchange parsing. When
MBEDTLS_USE_PSA_CRYPTO is enabled, the length of the public key in an ECDH
or ECDHE key exchange was not validated. This could result in an overflow of
handshake->xxdh_psa_peerkey, overwriting further data in the handshake
structure or further on the heap.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-10-02 15:02:33 +02:00
Gilles Peskine
12c5aaae57 Fix buffer overflow in TLS 1.3 ECDH public key parsing
Fix a buffer overflow in TLS 1.3 ServerHello and ClientHello parsing. The
length of the public key in an ECDH- or FFDH-based key exchange was not
validated. This could result in an overflow of handshake->xxdh_psa_peerkey,
overwriting further data in the handshake structure or further on the heap.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-10-02 15:02:10 +02:00
Dave Rodgman
3a098e9090
Merge pull request from daverodgman/update-ct-changelog
Update padding const-time fix changelog
2023-09-28 11:34:07 +01:00
Dave Rodgman
e614129895 Update padding const-time fix changelog
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-09-27 16:27:50 +01:00
Gilles Peskine
641250f42b
Merge pull request from gilles-peskine-arm/parse_attribute_value_der_encoded-buffer_overflow
Fix buffer overflow in parse_attribute_value_der_encoded
2023-09-26 16:32:36 +02:00
Gilles Peskine
391dd7fe87 Fix propagation of return value from parse_attribute_value_hex_der_encoded
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-25 19:59:31 +02:00
Gilles Peskine
7f420faf03 parse_attribute_value_hex_der_encoded: clean up length validation
Separate the fits-in-buffer check (*data_length <= data_size) from the
we-think-it's-a-sensible-size check (*data_length <=
MBEDTLS_X509_MAX_DN_NAME_SIZE).

This requires using an intermediate buffer for the DER data, since its
maximum sensible size has to be larger than the maximum sensible size for
the payload, due to the overhead of the ASN.1 tag+length.

Remove test cases focusing on the DER length since the implementation no
longer has a threshold for it.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-25 19:59:31 +02:00
Gilles Peskine
26dd764dc3 parse_attribute_value_hex_der_encoded test case fixups
Fix the expected output in some test cases.

Add a few more test cases to exercise both a payload length around 256 bytes
and a DER length around 256 bytes, since both are placed in a 256-byte
buffer (value of MBEDTLS_X509_MAX_DN_NAME_SIZE).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-25 19:59:31 +02:00
Gilles Peskine
c94500b56b Add may-fail mode to mbedtls_x509_string_to_names output tests
Due to differing validations amongst X.509 library functions, there are
inputs that mbedtls_x509_string_to_names() accepts, but it produces output
that some library functions can't parse. Accept this for now. Do call the
functions, even when we don't care about their return code: we're ok with
returning errors, but not with e.g. a buffer overflow.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-25 19:59:31 +02:00
Gilles Peskine
7077781af5 Fix integer overflow with an input buffer larger than INT_MAX
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-25 19:59:31 +02:00
Gilles Peskine
aa01a038b5 Fix indentation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-25 19:59:31 +02:00
Gilles Peskine
25665781f6 Rewrite parse_attribute_value_hex_der_encoded()
Rename the function from parse_attribute_value_der_encoded: the hex aspect
seems important.

There was a buffer overflow due to not validating that the intermediate data
fit in the stack buffer. The rewrite doesn't use this buffer, and takes care
not to overflow the buffer that it does use.

Document all that's going on.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-25 19:59:31 +02:00
Gilles Peskine
70a93407ce More test cases for parse_attribute_value_der_encoded
In particular, "X509 String to Names: long hexstring (DER=258 bytes, too long)"
causes a buffer overflow in parse_attribute_value_der_encoded().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-25 19:59:31 +02:00
Gilles Peskine
1c7223bda2 Use modern test macros for ease of debugging
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-25 19:59:31 +02:00
Dave Rodgman
6da7872aa2
Merge pull request from gilles-peskine-arm/development-restricted-merge-20230925
Merge development into development-restricted
2023-09-25 18:16:01 +01:00
Gilles Peskine
ffe590d197
Merge pull request from waleed-elmelegy-arm/check-set_padding-is-called
Check set_padding has been called in mbedtls_cipher_finish
2023-09-25 17:12:36 +02:00
Gilles Peskine
ca1e605b9c Merge remote-tracking branch 'upstream-public/development' into development-restricted-merge-20230925
Conflicts:
* `include/mbedtls/build_info.h`: a new fragment to auto-enable
  `MBEDTLS_CIPHER_PADDING_PKCS7` was added in
  c9f4040f7f3356293e90c58d11f6567def641e08 in `development-restricted`.
  In `development`, this section of the file has moved to
  `include/mbedtls/config_adjust_legacy_crypto.h`.
* `library/bignum.c`: function name change in `development-restricted` vs
  comment change in development. The comment change in `development` is not
  really relevant, so just take the line from `development-restricted`.
2023-09-25 16:16:26 +02:00
Dave Rodgman
76059e5ef8
Merge pull request from daverodgman/padding-ct-changelog
Padding ct changelog
2023-09-25 14:02:42 +01:00
Gilles Peskine
87fe99627f
Merge pull request from bensze01/fixed-typing-package-versions
Set explicit version for the typing packages (fix CI failure)
2023-09-25 14:35:01 +02:00
Dave Rodgman
68dca1ed6f
Merge pull request from mpg/sha3-fixup
Fix SHA-3 dependencies in test_suite_md
2023-09-25 12:02:21 +01:00
Dave Rodgman
025bed9eb7
Merge pull request from daverodgman/more-ct
Use CT module more consistently
2023-09-25 11:50:10 +01:00
Dave Rodgman
5a3add2c67
Merge pull request from kouzhudong/development
Fix MSVC error C4703 about possibly uninitialized variable in pkwrite.c
2023-09-25 10:51:46 +01:00
Bence Szépkúti
d06e70c6b8 Set explicit version for the typing packages
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2023-09-25 10:25:18 +02:00
Manuel Pégourié-Gonnard
4fe1e8762d Fix SHA-3 dependencies in test_suite_md
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-09-25 10:05:23 +02:00
Dave Rodgman
f6f76c5a25
Merge pull request from mpg/doc-driver-only-hashes
Document driver only hashes (overdue)
2023-09-24 13:41:45 +01:00
Manuel Pégourié-Gonnard
030f11b0b1 Type fixes and wording improvements
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-09-24 09:48:47 +02:00
Manuel Pégourié-Gonnard
e47c53eeab Fix SHA-3 in accel tests that need it
Components that accelerate an algorithm that uses hashing internally
(such as deterministic ECDSA and RSA-PSS) need the hash algorithms
available in libtestdriver1.

Previously, the omission of SHA-3 in
tests/include/test/drivers/crypto_config_test_driver_extension.h meant
it was enabled in libtestdriver1 when not requesting its acceleration,
and disabled when requesting it. Adding it in a previous commit fixed
the components that asked it accelerated, but broke the component that
didn't ask for it but still needed it.

Fix those components by explicitly requesting SHA-3 as we already do for
the other hash algorithms that are require for the same reason.

Note: this broke test_suite_psa_crypto_storage_format.v0 which is
apparently the only place exercising signatures with SHA-3.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-09-24 09:48:47 +02:00
Manuel Pégourié-Gonnard
f4ceb16813 Fix dependencies for SHA-3 MD dispatch tests
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-09-24 09:48:46 +02:00
Manuel Pégourié-Gonnard
1f61b7b8ea Document driver-only hashes
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-09-24 09:48:46 +02:00
Manuel Pégourié-Gonnard
cc21ad441a Add SHA-3 support to libtestdriver1
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-09-24 09:48:45 +02:00
Gilles Peskine
10304d8329
Merge pull request from paul-elliott-arm/remove_travis_ci
Remove all travis builds except for coverity_scan
2023-09-22 21:53:33 +00:00
Dave Rodgman
27b7e2f350
Merge pull request from daverodgman/update-tfm-config
Update TF-M config
2023-09-22 18:52:29 +00:00
Gilles Peskine
6809f231a6
Merge pull request from yanrayw/aes_128bit_improvement
AES 128bit only: add guards in cipher_wrap.c
2023-09-22 18:15:03 +00:00
Gilles Peskine
ae3cda9541
Merge pull request from silabs-Kusumit/PBKDF2_output_key
PBKDF2: test output_key
2023-09-22 18:01:06 +00:00
Paul Elliott
645a541747 Remove all travis builds except for coverity_scan
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-09-22 17:50:44 +01:00
Waleed Elmelegy
a86b776f94 Remove invalid comment from mbedtls_cipher_set_padding_mode()
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2023-09-22 17:44:58 +01:00
Dave Rodgman
739d815b7f Remove PK options
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-09-22 17:40:24 +01:00
Dave Rodgman
84e8f1d618 Set MBEDTLS_MD_C
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-09-22 17:40:18 +01:00
Gilles Peskine
18e1d11cfe
Merge pull request from waleed-elmelegy-arm/Switch-pkparse-to-mbedtls_pkcs5_pbe2_ext
Switch pkparse to use new pkcs5/12 pbe functions
2023-09-22 18:06:50 +02:00
Dave Rodgman
d162c662b0 Update changelog text
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-09-22 16:33:12 +01:00
Dave Rodgman
4f53520f54
Merge pull request from daverodgman/cast_warning
fix cast warning
2023-09-22 14:23:05 +00:00
Dave Rodgman
9fc868012c Fix test error
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-09-22 10:56:13 +01:00
Dave Rodgman
c0633bc777 Add comment
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-09-22 10:54:43 +01:00