Commit Graph

10272 Commits

Author SHA1 Message Date
Jarno Lamsa
06164057b3 Check that we have all the proper keys
The proper keys should be set at the end of
the handshake, if not, fail the handshake.
2019-12-19 14:40:36 +02:00
Jarno Lamsa
e1621d4700 Check that the peer_authenticated flag
Check that the peer has been authenticated in the end
of the handshake.
2019-12-19 14:29:24 +02:00
Jarno Lamsa
ba4730fe4c Protect setting of peer_authenticated flag
Use flow counting and double checks when setting the flag.
Also protect the flow to prevent causing a glitch.
2019-12-19 09:43:25 +02:00
Jarno Lamsa
4031a45019 Protect key_derivation_done flag
The flag is used to track that the key derivation
has been done.
2019-12-19 09:43:25 +02:00
Jarno Lamsa
67f0a1e833 Protect setting of premaster_generated flag
The flag is used for tracking if the premaster has
been succesfully generated. Note that when resuming
a session, the flag should not be used when trying to
notice if all the key generation/derivation has been done.
2019-12-19 09:43:19 +02:00
Jarno Lamsa
98801af26b Protect setting of hello_random flag
The handshake flag tells when the handshake hello.random
is set and can be used later to decide if we have the correct
keys.
2019-12-19 09:02:02 +02:00
Jarno Lamsa
b57d7fd568 Add flags for protecting TLS state machine
Flags are there to prevent skipping vital parts of the TLS
handshake.
2019-12-19 09:01:54 +02:00
Jarno Lamsa
6122b59042 Address review comments 2019-12-19 07:56:10 +02:00
Jarno Lamsa
46afd5d8fa Fix CI issues
Default flow assumes failure causes multiple issues with
compatibility tests when the return value is initialised
with error value in ssl_in_server_key_exchange_parse.
The function would need a significant change in structure for this.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
91dbb79ae4 Fix error return code 2019-12-19 07:56:10 +02:00
Jarno Lamsa
b83a2136d6 Protect the return value from mbedtls_pk_verify
Add double checks to the return value and default flow assumes
failure.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
47aab8da8a Protect return value from mbedtls_pk_verify
Use double checks and default flow assumes failure.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
83a56a630a Double check mbedtls_pk_verify
The verification could be skipped in server, changed the default flow
so that the handshake status is ever updated if the verify
succeeds, and that is checked twice.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
9e8e820993 Increase hamming distance for some error codes
The MBEDTLS_ERR_SSL_WANT_READ and MBEDTLS_ERR_SSL_WANT_WRITE are
errors that can be ignored, so increase the hamming distance between
them and the non-ignorable errors and keep still some distance from
a success case. This mitigates an attack where single bit-flipping could
change a non-ignorable error to being an ignorable one.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
acb5eb00ca Add a double check to protect from glitch
Check that the encryption has been done for the outbut buffer.
This is to ensure that glitching out the encryption doesn't
result as a unecrypted buffer to be sent.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
d05da1fa45 Add double check for checking if source is strong
To prevent glitching past a strong source.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
552e8f2d6a Add double check to entropy-loop
To prevent glitching and going through without strong source
2019-12-19 07:56:10 +02:00
Jarno Lamsa
4708d66af5 Change the mbedtls_ssl_states values
The changed values have now the minimum hamming distance
of 16 from each other. This is to prevent changing the state
by just flipping one bit.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
b01800974f Use invalid state
If mismatch in the state has been noticed, use
the invalid state.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
70abd7aadc Add enumeration for invalid state
The invalid state can be used when state-mismatch is noticed.
The invalid state should report a FI-alert upwards.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
2b20516b60 Make TLS state changes explicit
This is to enable hardening the security when changing
states in state machine so that the state cannot be changed by bit flipping.
The later commit changes the enumerations so that the states have large
hamming distance in between them to prevent this kind of attack.
2019-12-19 07:56:10 +02:00
Simon Butcher
171f422109 Merge remote-tracking branch 'public/pr/2952' into baremetal 2019-12-13 14:51:40 +00:00
Simon Butcher
e76c638d6f Merge remote-tracking branch 'public/pr/2925' into baremetal 2019-12-13 14:51:29 +00:00
Manuel Pégourié-Gonnard
645896e0ea Fix undefined order of volatile access
Found by the IAR compiler.

While at it, make 'diff' non-volatile in uECC_check_curve_integrity(), as
there is no good reason to make it volatile, and making it volatile only
increases the code size and the burden of defining access ordering.
2019-12-05 16:02:17 +01:00
Simon Butcher
0252cd6876 Merge remote-tracking branch 'public/pr/2940' into baremetal 2019-12-05 14:32:54 +00:00
Simon Butcher
501c466d01 Merge remote-tracking branch 'public/pr/2934' into baremetal 2019-12-05 14:32:44 +00:00
Simon Butcher
5b45c6e1b3 Merge remote-tracking branch 'public/pr/2932' into baremetal 2019-12-05 14:32:31 +00:00
Simon Butcher
7c5de360da Merge remote-tracking branch 'public/pr/2922' into baremetal 2019-12-05 14:31:03 +00:00
Simon Butcher
098846287f Merge remote-tracking branch 'public/pr/2918' into baremetal 2019-12-05 14:27:29 +00:00
Arto Kinnunen
de657fca6b Revert "Disable use of HRNG in SCA-hardened mem-functions"
This reverts commit 1e96b46b03.
2019-12-04 16:30:54 +02:00
Jarno Lamsa
83d7881cec Make VS compiler happy
It doesn't seem to like using unary - to unsigned values.
2019-12-04 14:40:57 +02:00
Teppo Järvelin
e06e039f7a Fix basic-build-test.sh to work in different env
Also added possibility to run only unit tests
2019-11-29 11:05:11 +02:00
Manuel Pégourié-Gonnard
766c9e9781 Improve description of ERR_PLATFORM_FAULT_DETECTED 2019-11-29 09:40:08 +01:00
Manuel Pégourié-Gonnard
65be6b48de Add compile guard in platform.h
We may want to include it just for the errors it defines without having all of
the other defines that only make sense when PLATFORM_C is enabled.
2019-11-28 12:51:45 +01:00
Arto Kinnunen
ec37a89bf3 Save ROM by using int instead of char
Save 20 bytes of ROM by changing variable type from char to int.
2019-11-28 13:43:02 +02:00
Manuel Pégourié-Gonnard
231bf52691 Fix indentation level in one place 2019-11-28 12:22:43 +01:00
Manuel Pégourié-Gonnard
e1cb8846e7 Add loop integrity check to curve param check
Also make the reference result static const while at it.
2019-11-28 12:21:34 +01:00
Manuel Pégourié-Gonnard
9ca11fc892 Fix issues found by the CI
- MSVC doesn't like -1u
- We need to include platform.h for MBEDTLS_ERR_PLATFORM_FAULT_DETECTED - in
  some configurations it was already included indirectly, but not in all
configurations, so better include it directly.
2019-11-28 12:07:01 +01:00
Manuel Pégourié-Gonnard
6bdc6809da Initialise variables to failing values 2019-11-28 10:40:03 +01:00
Manuel Pégourié-Gonnard
5c3066a4f6 Add double-checking in some critical places 2019-11-27 13:01:10 +01:00
Manuel Pégourié-Gonnard
98e1fe0796 Add flow control in uECC_vli_equal loop 2019-11-27 12:52:54 +01:00
Manuel Pégourié-Gonnard
9d6a535ba1 Return and propagate UECC_FAULT_DETECTED
This commit first changes the return convention of EccPoint_mult_safer() so
that it properly reports when faults are detected. Then all functions that
call it need to be changed to (1) follow the same return convention and (2)
properly propagate UECC_FAULT_DETECTED when it occurs.

Here's the reverse call graph from EccPoint_mult_safer() to the rest of the
library (where return values are translated to the MBEDTLS_ERR_ space) and test
functions (where expected return values are asserted explicitly).

EccPoint_mult_safer()
    EccPoint_compute_public_key()
        uECC_compute_public_key()
            pkparse.c
            tests/suites/test_suite_pkparse.function
        uECC_make_key_with_d()
        uECC_make_key()
            ssl_cli.c
            ssl_srv.c
            tests/suites/test_suite_pk.function
            tests/suites/test_suite_tinycrypt.function
    uECC_shared_secret()
        ssl_tls.c
        tests/suites/test_suite_tinycrypt.function
    uECC_sign_with_k()
        uECC_sign()
            pk.c
            tests/suites/test_suite_tinycrypt.function

Note: in uECC_sign_with_k() a test for uECC_vli_isZero(p) is suppressed
because it is redundant with a more thorough test (point validity) done at the
end of EccPoint_mult_safer(). This redundancy was introduced in a previous
commit but not noticed earlier.
2019-11-26 12:54:06 +01:00
Manuel Pégourié-Gonnard
4d6186beb0 Rename ATTACK_DETECTED to FAULT_DETECTED
We don't know for sure it's an attack, it could be the hardware failing
randomly as well.
2019-11-26 12:54:06 +01:00
Manuel Pégourié-Gonnard
2b90961b8d Add integrity check for curve parameters
We don't really need a secure hash for that, something like CRC32 would
probably be enough - but we have SHA-256 handy, not CRC32, so use that for the
sake of simplicity.
2019-11-26 12:54:06 +01:00
Manuel Pégourié-Gonnard
1a5337179f Remove curve parameter from public functions 2019-11-26 12:54:06 +01:00
Manuel Pégourié-Gonnard
be5f833c9c Remove curve parameter from (semi-)internal functions
By semi-internal I mean functions that are only public because they're used in
more than once compilation unit in the library (for example in ecc.c and
ecc_dsa.c) but should not really be part of the public-facing API.
2019-11-26 12:54:06 +01:00
Manuel Pégourié-Gonnard
bc3f49011a Remove struct curve entirely 2019-11-26 12:54:06 +01:00
Manuel Pégourié-Gonnard
677b7f6c42 Fix direct use of struct instead of abstract type 2019-11-26 12:54:06 +01:00
Manuel Pégourié-Gonnard
ffd13996fd Move b from curve structure to its own constant
Same motivation as for the other parameters. This is the last one, making the
curve structure empty, so it's left with a dummy parameter for legal reasons.
2019-11-26 12:54:04 +01:00
Manuel Pégourié-Gonnard
a6115087a0 Move G from struct curve to its own constant 2019-11-26 12:53:13 +01:00