Commit Graph

438 Commits

Author SHA1 Message Date
Gilles Peskine
2b3f21dc0b Catch failures of md_hmac operations
Declare mbedtls_md functions as MBEDTLS_CHECK_RETURN_TYPICAL, meaning that
their return values should be checked.

Do check the return values in our code. We were already doing that
everywhere for hash calculations, but not for HMAC calculations.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-11 15:02:06 +01:00
Gilles Peskine
d8e2e8347b Zeroize local MAC variables
Zeroize local MAC variables used for CBC+HMAC cipher suites. In encryption,
this is just good hygiene but probably not needed for security since the
data protected by the MAC that could leak is about to be transmitted anyway.
In DTLS decryption, this could be a security issue since an adversary could
learn the MAC of data that they were trying to inject. At least with
encrypt-then-MAC, the adversary could then easily inject a datagram with
a corrected packet. TLS would still be safe since the receiver would close
the connection after the bad MAC.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-11 14:24:23 +01:00
Gilles Peskine
9e8f3a6b71
Merge pull request #5308 from minosgalanakis/development_2.x
Backport 2.x: Document platform architecture portability constraints
2021-12-10 21:13:09 +01:00
Minos Galanakis
5c93a9f214 Update changelog & readme
This patch adds explicit wording to state
that Two's complement is the official
supported signed integer representation.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2021-12-10 15:57:54 +00:00
Manuel Pégourié-Gonnard
c3319e73db
Merge pull request #5189 from gilles-peskine-arm/struct_reordering_2.x
Backport 2.x: Reorder structure fields to maximize usage of immediate offset access
2021-12-09 12:54:13 +01:00
Gilles Peskine
582f2398d4
Merge pull request #5167 from tom-cosgrove-arm/fix-builds-with-only-mbedtls_bignum_c-defined
Backport 2.x: Fix builds when config.h only defines MBEDTLS_BIGNUM_C
2021-12-07 12:38:04 +01:00
Gilles Peskine
ad47e6d160 Add changelog entry for build error fixes
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-06 20:58:51 +01:00
Paul Elliott
14148c4fbe Fix Changelog
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-11-25 18:08:30 +00:00
Paul Elliott
954578644f Fix compilation errors.
Under gcc11(+) both message and received would cause errors for
potentially being used uninitialised. We fixed many of these issues in
another PR, but this one is only seen under certain configs.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-11-25 18:08:23 +00:00
Gilles Peskine
3107b337e1
Merge pull request #5154 from gabor-mezei-arm/3649_bp2x_move_constant_time_functions_into_separate_module
[Backport 2.x] Move constant-time functions into a separate module
2021-11-24 19:33:03 +01:00
Gilles Peskine
989a4e9388
Merge pull request #5132 from openluopworld/origin/development_2.x
Backport 2.x: Fix GCM calculation with very long IV
2021-11-22 22:22:47 +01:00
Bence Szépkúti
358e0ea464 Indicate nonce sizes invalid for ChaCha20-Poly1305
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-11-17 14:03:08 +01:00
Gilles Peskine
c0656b43f1 Note the reordered fields in SSL structures
This is technically an API break according to the unwritten rules of API
compatibility for Mbed TLS 2.x. However, it is very unlikely to affect any
realistic application, with the possible exception of applications that
define a global constant of type mbedtls_ssl_config.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-16 19:00:04 +01:00
Gabor Mezei
84d739846c
Update changelog with the new public API
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:33:19 +01:00
gabor-mezei-arm
10117d673e
Add changelog entry
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-11-11 11:04:52 +01:00
Gilles Peskine
95c3971c81
Merge pull request #5133 from haampie/fix/DT_NEEDED_for_shared_libraries-2.x
Backport 2.x: DT_NEEDED for shared builds in makefile
2021-11-05 12:04:33 +01:00
Harmen Stoppels
3ed4263ad7 DT_NEEDED for shared builds in makefile
The makefile build specifies -L. -lmbedx509 -lmbedcrypto flags first,
and only then object files referencing symbols from those libraries.

In this order the linker will not add the linked libraries to the
DT_NEEDED section because they are not referenced yet (at least that
happens for me on ubuntu 20.04 with the default gnu compiler tools).

By first specifying the object files and then the linked libraries, we
do end up with libmbedx509 and libmbedcrypto in the DT_NEEDED sections.

This way running dlopen(...) on libmedtls.so just works.

Note that the CMake build does this by default.

Signed-off-by: Harmen Stoppels <harmenstoppels@gmail.com>
2021-11-05 09:31:22 +01:00
openluopworld
5d5f520d3a An initialization vector IV can have any number of bits between 1 and
2^64. So it should be filled to the lower 64-bit in the last step
when computing ghash.

Signed-off-by: openluopworld <wuhanluop@163.com>
2021-11-05 00:13:43 +08:00
Gilles Peskine
19191039f9 Note the change to PSA_ALG_IS_HASH_AND_SIGN in the changelog
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-11-03 13:19:02 +01:00
Mateusz Starzyk
21cac07626 Add changelog entry for new PSA Crypto API macros.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-11-03 12:38:57 +01:00
Manuel Pégourié-Gonnard
1f1bc2df7c
Merge pull request #5117 from gilles-peskine-arm/psa-rsa-pss_any_salt-2.x
Backport 2.x: PSA: fix salt length for PSS verification
2021-10-29 16:36:46 +02:00
Manuel Pégourié-Gonnard
0c81ba7856
Merge pull request #4944 from gilles-peskine-arm/remove-greentea-2.x
Backport 2.x: Remove on-target testing
2021-10-29 09:33:26 +02:00
Gilles Peskine
44fa40cd56 Fix PSA_ALG_RSA_PSS verification accepting an arbitrary salt length
PSA_ALG_RSA_PSS algorithm now accepts only the same salt length for
verification that it produces when signing, as documented.

Fixes #4946.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-28 10:07:27 +02:00
Gilles Peskine
1222fed513 Fix typo in documentation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-25 21:24:23 +02:00
Gilles Peskine
3f0722c1af Fix the build of sample programs without mbedtls_strerror
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-25 21:24:23 +02:00
Gilles Peskine
327c33fc7f Base64 range-based constant-flow code: changelog entry
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-10-25 21:22:43 +02:00
Gilles Peskine
e4739ab5ef
Merge pull request #5038 from mprse/issue_4551_2x
Backport 2.x: Fix psa_generate_key(): return PSA_ERROR_INVALID_ARGUMENT for public key #5037
2021-10-18 10:39:26 +02:00
Gilles Peskine
95f2324c5e
Merge pull request #4845 from mstarzyk-mobica/ecb-alt-ret-2.2x
Backport 2.2x: Catch failures of mbedtls_aes_crypt_ecb and its DES equivalents
2021-10-14 12:11:04 +02:00
Przemyslaw Stekiel
d6ead7ca84 Address review comments
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2021-10-11 16:39:32 +02:00
Przemyslaw Stekiel
479a13d181 Add change-log entry
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2021-10-07 12:40:55 +02:00
Gilles Peskine
a4e060b87b
Merge pull request #5000 from mprse/mbedtls_cipher_setup_psa_ECB_2x
Backport 2.x: Fix test gap: mbedtls_cipher_setup_psa() with ECB
2021-10-01 14:49:25 +02:00
Przemyslaw Stekiel
7ab374f6b5 Add change-log: fix-mbedtls_cipher_crypt-aes-ecb.txt
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
2021-09-30 13:12:22 +02:00
Gilles Peskine
8472a10594 New configuration option MBEDTLS_CHECK_RETURN_WARNING
MBEDTLS_CHECK_RETURN_TYPICAL defaults off, but is enabled if
MBEDTLS_CHECK_RETURN_WARNING is enabled at compile time.
(MBEDTLS_CHECK_RETURN_CRITICAL is always enabled.)

The default is off so that a plausible program that builds with one version
of Mbed TLS in the default configuration will still build under the next
version.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-29 20:42:51 +02:00
Gilles Peskine
377a310da4 Catch failures of AES or DES operations
Declare all AES and DES functions that return int as needing to have
their result checked, and do check the result in our code.

A DES or AES block operation can fail in alternative implementations of
mbedtls_internal_aes_encrypt() (under MBEDTLS_AES_ENCRYPT_ALT),
mbedtls_internal_aes_decrypt() (under MBEDTLS_AES_DECRYPT_ALT),
mbedtls_des_crypt_ecb() (under MBEDTLS_DES_CRYPT_ECB_ALT),
mbedtls_des3_crypt_ecb() (under MBEDTLS_DES3_CRYPT_ECB_ALT).
A failure can happen if the accelerator peripheral is in a bad state.
Several block modes were not catching the error.

This commit does the following code changes, grouped together to avoid
having an intermediate commit where the build fails:

* Add MBEDTLS_CHECK_RETURN to all functions returning int in aes.h and des.h.
* Fix all places where this causes a GCC warning, indicating that our code
  was not properly checking the result of an AES operation:
    * In library code: on failure, goto exit and return ret.
    * In pkey programs: goto exit.
    * In the benchmark program: exit (not ideal since there's no error
      message, but it's what the code currently does for failures).
    * In test code: TEST_ASSERT.
* Changelog entry.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-29 20:40:31 +02:00
Gilles Peskine
186c0216b0
Merge pull request #4978 from davidhorstmann-arm/2.x-fix-aarch64-asm-constraints
Backport 2.x: Fix aarch64 assembly for bignum multiplication
2021-09-27 09:01:12 +02:00
David Horstmann
27d8b5c680 Combine changelog entries for muladdc assembly fix
Combine the changelog entries for the memory constraints fix on
aarch64 and amd64, since these are essentially fixing the same
issue.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2021-09-24 16:11:15 +01:00
David Horstmann
a23be22308 Fix aarch64 assembly for bignum multiplication
Add memory constraints to the aarch64 inline assembly in MULADDC_STOP.
This fixes an issue where Clang 12 and 13 were generating
non-functional code on aarch64 platforms. See #4962, #4943
for further details.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2021-09-24 09:47:01 +01:00
joseph
00f4eae025 Fix test code to can be built on alpine
Signed-off-by: joseph <joseph@jc-lab.net>
2021-09-23 20:58:45 +09:00
Gilles Peskine
02e17c0aa5
Merge pull request #4941 from gilles-peskine-arm/muladdc-amd64-memory-2.x
Backport 2.x: Fix x86_64 assembly for bignum multiplication
2021-09-20 22:23:53 +02:00
Gilles Peskine
184a688d51 Update the list of issues fixed
This had actually been reported multiple times.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-15 17:07:09 +02:00
Gilles Peskine
c6d977eae5 x86_64 MULADDC assembly: add missing constraints about memory
MULADDC_CORE reads from (%%rsi) and writes to (%%rdi). This fragment is
repeated up to 16 times, and %%rsi and %%rdi are s and d on entry
respectively. Hence the complete asm statement reads 16 64-bit words
from memory starting at s, and writes 16 64-bit words starting at d.

Without any declaration of modified memory, Clang 12 and Clang 13 generated
non-working code for mbedtls_mpi_mod_exp. The constraints make the unit
tests pass with Clang 12.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-15 15:47:37 +02:00
Gilles Peskine
ff8c80a3ed Remove on-target testing
It was unmaintained and untested, and the fear of breaking it was holding us
back. Resolves #4934.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-14 11:28:22 +02:00
Gilles Peskine
394b9f2d2c
Merge pull request #4898 from mstarzyk-mobica/disable_defaults_sha1
Remove MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES in 2.28
2021-09-14 11:10:30 +02:00
Gilles Peskine
a63ba6cd93 psa_cipher_update_ecb: remove parameter output_size
This parameter was set but not used, which was pointless. Clang 14 detects
this and legitimately complains.

Remove the parameter. This is an internal function, only called once. The
caller already has a sufficient check on the output buffer size which
applies in more cases, so there is no real gain in robustness in adding the
same check inside the internal function.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-13 12:54:46 +02:00
Mateusz Starzyk
7d13539d1b Disable MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE in default config.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-09-06 12:19:25 +02:00
Mateusz Starzyk
b3d344c225 Remove MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES option.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-09-06 12:18:53 +02:00
Manuel Pégourié-Gonnard
f87422f019
Merge pull request #4427 from gilles-peskine-arm/tls_ext_cid-config-2.x
Backport 2.x: Allow configuring MBEDTLS_TLS_EXT_CID at compile time
2021-08-13 10:50:02 +02:00
Gilles Peskine
9274d4691d
Merge pull request #4759 from paul-elliott-arm/fix_cipher_output_size_2.x
Backport 2.x: Fix divide by zero if macro used with wrong key type
2021-07-30 18:56:22 +02:00
Manuel Pégourié-Gonnard
de1a320e35
Merge pull request #4797 from gilles-peskine-arm/generate_psa_tests-robutness-202107-2.2x
Backport 2.x: Fix python in tests/Makefile, etc.
2021-07-29 09:58:28 +02:00
Paul Elliott
7ac412b45c Add Changelog entry
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-23 18:58:19 +01:00