Commit Graph

5173 Commits

Author SHA1 Message Date
Gilles Peskine
2bd6518d5e PKCS#1 v1.5 decoding: fix empty payload case 2018-10-08 11:38:50 +02:00
Gilles Peskine
ed3bdd82f8 Indicate the memory access variations in the changelog entry 2018-10-08 11:38:50 +02:00
Gilles Peskine
fde301a409 Remove a remaining sensitive memory access in PKCS#1 v1.5 decryption 2018-10-08 11:38:50 +02:00
Gilles Peskine
c5552e8ea3 mbedtls_rsa_rsaes_pkcs1_v15_decrypt: remove the variable p
Get rid of the variable p. This makes it more apparent where the code
accesses the buffer at an offset whose value is sensitive.

No intended behavior change in this commit.
2018-10-08 11:38:50 +02:00
Gilles Peskine
f19aefb00b Minor optimization in the PKCS#1v1.5 unpadding step
Rather than doing the quadratic-time constant-memory-trace on the
whole working buffer, do it on the section of the buffer where the
data to copy has to lie, which can be significantly smaller if the
output buffer is significantly smaller than the working buffer, e.g.
for TLS RSA ciphersuites (48 bytes vs MBEDTLS_MPI_MAX_SIZE).
2018-10-08 11:38:50 +02:00
Gilles Peskine
08513ce341 Use branch-free size comparison for the padding size
In mbedtls_rsa_rsaes_pkcs1_v15_decrypt, use size_greater_than (which
is based on bitwise operations) instead of the < operator to compare
sizes when the values being compared must not leak. Some compilers
compile < to a branch at least under some circumstances (observed with
gcc 5.4 for arm-gnueabi -O9 on a toy program).
2018-10-08 11:38:50 +02:00
Gilles Peskine
9fb28dd9e7 Bleichenbacher fix: don't leak the plaintext length (step 2)
Replace memmove(to, to + offset, length) by a functionally equivalent
function that strives to make the same memory access patterns
regardless of the value of length. This fixes an information leak
through timing (especially timing of memory accesses via cache probes)
that leads to a Bleichenbacher-style attack on PKCS#1 v1.5 decryption
using the plaintext length as the observable.
2018-10-08 11:38:50 +02:00
Gilles Peskine
2036508538 Bleichenbacher fix: don't leak the plaintext length (step 1)
mbedtls_rsa_rsaes_pkcs1_v15_decrypt takes care not to reveal whether
the padding is valid or not, even through timing or memory access
patterns. This is a defense against an attack published by
Bleichenbacher. The attacker can also obtain the same information by
observing the length of the plaintext. The current implementation
leaks the length of the plaintext through timing and memory access
patterns.

This commit is a first step towards fixing this leak. It reduces the
leak to a single memmove call inside the working buffer.
2018-10-08 11:38:50 +02:00
Gilles Peskine
9f11f21a26 Evolve choose_int_from_mask to if_int
Make the function more robust by taking an arbitrary zero/nonzero
argument instead of insisting on zero/all-bits-one. Update and fix its
documentation.
2018-10-08 11:38:50 +02:00
Gilles Peskine
b0034327cb Add ChangeLog entry 2018-10-08 11:38:50 +02:00
Gilles Peskine
f50ee60ff3 Fix a timing-based Bleichenbacher attack on PKCS#1v1.5 decryption
mbedtls_rsa_rsaes_pkcs1_v15_decrypt took care of calculating the
padding length without leaking the amount of padding or the validity
of the padding. However it then skipped the copying of the data if the
padding was invalid, which could allow an adversary to find out
whether the padding was valid through precise timing measurements,
especially if for a local attacker who could observe memory access via
cache timings.

Avoid this leak by always copying from the decryption buffer to the
output buffer, even when the padding is invalid. With invalid padding,
copy the same amount of data as what is expected on valid padding: the
minimum valid padding size if this fits in the output buffer,
otherwise the output buffer size. To avoid leaking payload data from
an unsuccessful decryption, zero the decryption buffer before copying
if the padding was invalid.
2018-10-08 11:38:50 +02:00
Gilles Peskine
f7a8814b72 Minor readability improvement
Polish the beginning of mbedtls_rsa_rsaes_pkcs1_v15_decrypt a little,
to prepare for some behavior changes.
2018-10-08 11:38:50 +02:00
Simon Butcher
5bcbd4e7f4 Add ChangeLog entry for PR #1811 2018-09-26 23:03:56 +01:00
Simon Butcher
6a5ced41f2 Merge remote-tracking branch 'public/pr/1811' into mbedtls-2.1 2018-09-26 23:02:07 +01:00
Simon Butcher
86d32e690c Merge remote-tracking branch 'public/pr/1973' into mbedtls-2.1 2018-09-26 22:40:09 +01:00
Simon Butcher
0624b76361 Merge remote-tracking branch 'public/pr/1898' into mbedtls-2.1 2018-09-26 22:01:33 +01:00
Simon Butcher
96e0d8ebfc Clarified ChangeLog entry
ChangeLog entry for backport of #1890 was misleading, so corrected it.
2018-09-13 12:05:40 +01:00
Simon Butcher
c4a33d54cf
Merge pull request #507 from sbutcher-arm/mbedtls-version-2.1.15
Update library version number to 2.1.15
2018-08-31 17:29:47 +01:00
Simon Butcher
d3a5393a38 Update library version number to 2.1.15 2018-08-31 16:10:48 +01:00
Simon Butcher
cb9f70e23d Fix misclassification of bug in Changelog 2018-08-31 12:01:43 +01:00
Andrzej Kurek
10108318e8 ssl-opt.sh: change expected output for large srv packet test with SSLv3
This test also exercises a protection against BEAST
and should expect message splitting.
2018-08-29 06:46:50 -04:00
Andrzej Kurek
9b89e3664f Remove trailing whitespace 2018-08-29 06:46:27 -04:00
Andrzej Kurek
85e411f813 ssl_server2: add buffer overhead for a termination character
Switch to mbedtls style of memory allocation
2018-08-29 06:46:27 -04:00
Andrzej Kurek
4115a8cf47 Add missing large and small packet tests for ssl_server2 2018-08-29 06:46:27 -04:00
Andrzej Kurek
f4f59c0429 Added buffer_size and response_size options for ssl-server2.
Added appropriate tests.
2018-08-29 06:46:27 -04:00
Simon Butcher
8d408fac1d Merge remote-tracking branch 'restricted/pr/438' into mbedtls-2.1-restricted 2018-08-28 15:35:41 +01:00
Simon Butcher
9add36bbcb Merge remote-tracking branch 'restricted/pr/497' into mbedtls-2.1-restricted 2018-08-28 15:31:41 +01:00
Simon Butcher
d22de0aaa7 Merge remote-tracking branch 'restricted/pr/492' into mbedtls-2.1-restricted 2018-08-28 15:23:56 +01:00
Simon Butcher
7a47cbca16 Merge remote-tracking branch 'public/pr/1137' into mbedtls-2.1 2018-08-28 12:33:27 +01:00
Simon Butcher
85e5bfd00c Merge remote-tracking branch 'public/pr/1889' into mbedtls-2.1 2018-08-28 12:26:33 +01:00
Simon Butcher
263ca7282e Merge remote-tracking branch 'public/pr/1957' into mbedtls-2.1 2018-08-28 12:17:38 +01:00
Simon Butcher
d288ac0e83 Merge remote-tracking branch 'public/pr/1959' into mbedtls-2.1 2018-08-28 11:53:47 +01:00
Simon Butcher
1c5e4c2258 Merge remote-tracking branch 'public/pr/1980' into mbedtls-2.1 2018-08-28 10:18:48 +01:00
Hanno Becker
badbe80c7f pk_encrypt: Uniformize debugging output 2018-08-23 15:56:55 +01:00
Hanno Becker
6b1b598c2f Fix typos in programs/x509/cert_write.c
Fixes #1922.
2018-08-23 15:26:55 +01:00
Hanno Becker
b31e9dad60 Minor formatting improvements in pk_encrypt and pk_decrypt examples 2018-08-23 15:13:12 +01:00
Hanno Becker
47a34ff29e Adapt ChangeLog 2018-08-23 15:12:24 +01:00
Hanno Becker
7cee15e967 Correct memory leak in pk_decrypt example program 2018-08-23 15:12:23 +01:00
Hanno Becker
34cbd7e536 Correct memory-leak in pk_encrypt example program 2018-08-23 15:12:22 +01:00
Hanno Becker
1a60330e08 Adapt ChangeLog 2018-08-22 15:05:36 +01:00
Hanno Becker
d636dd0cbb Fix bug in SSL ticket implementation removing keys of age < 1s
Fixes #1968.
2018-08-22 15:05:07 +01:00
Hanno Becker
16fe2fd15a ssl-opt.sh: Add DTLS session resumption tests
Fixes #1969.
2018-08-22 15:05:07 +01:00
Jaeden Amero
6b7b35b127 Merge remote-tracking branch 'upstream-public/pr/1952' into mbedtls-2.1 2018-08-17 15:31:51 +01:00
Hanno Becker
42d267bbe4 Compute record expansion in steps to ease readability 2018-08-17 15:29:48 +01:00
Jaeden Amero
b4d3c5ad11 Merge remote-tracking branch 'upstream-public/pr/1945' into mbedtls-2.1 2018-08-17 14:27:02 +01:00
Hanno Becker
d3475498e5 Adapt ChangeLog 2018-08-17 10:11:31 +01:00
Hanno Becker
07eb7ca17c Fix mbedtls_ssl_get_record_expansion() for CBC modes
`mbedtls_ssl_get_record_expansion()` is supposed to return the maximum
difference between the size of a protected record and the size of the
encapsulated plaintext.

Previously, it did not correctly estimate the maximum record expansion
in case of CBC ciphersuites in (D)TLS versions 1.1 and higher, in which
case the ciphertext is prefixed by an explicit IV.

This commit fixes this bug. Fixes #1914.
2018-08-17 10:11:28 +01:00
Hanno Becker
10652b10d9 Improve ChangeLog wording for the commmit that Fixes #1954. 2018-08-17 10:03:48 +01:00
Hanno Becker
a24ed19a5d Add tests for empty CA list in CertificateRequest, TLS 1.0 & 1.1 2018-08-17 10:03:48 +01:00
Hanno Becker
10195ab853 Adapt ChangeLog 2018-08-16 15:53:17 +01:00