Commit Graph

3475 Commits

Author SHA1 Message Date
Bence Szépkúti
b4756c2e20 Do not set IV size for ECB mode ciphers
ECB mode ciphers do not use IVs

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-11-06 15:40:25 +01:00
Gilles Peskine
acbf9eccb5 Put local variables in a struct
This way we can have a single call to mbedtls_zeroize, which
saves a few bytes of code size.

Additionally, on my PC, I notice a significant speed improvement
(x86_64 build with MBEDTLS_AESNI_C disabled, gcc 5.4.0 -O3). I don't
have an explanation for that (I expected no measurable difference).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-10-22 10:34:20 +02:00
Gilles Peskine
5706e920a4 Remove a useless zeroization
Remove the zeroization of a pointer variable in the AES block
functions. The code was valid but spurious and misleading since it
looked like a mistaken attempt to zeroize the pointed-to buffer.
Reported by Antonio de la Piedra, CEA Leti, France.

Note that we do not zeroize the buffer here because these are the
round keys, and they need to stay until all the blocks are processed.
They will be zeroized in mbedtls_aes_free().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-10-22 09:43:53 +02:00
Peter Kolbus
e634564381 Restore retry in rsa_prepare_blinding()
Starting with commit 49e94e3, the do/while loop in
`rsa_prepare_blinding()` was changed to a `do...while(0)`, which
prevents retry from being effective and leaves dead code.

Restore the while condition to retry, and lift the calls to finish the
computation out of the while loop by by observing that they are
performed only when `mbedtls_mpi_inv_mod()` returns zero.

Signed-off-by: Peter Kolbus <peter.kolbus@garmin.com>
2020-09-30 07:39:15 -05:00
Jens Reimann
45a595845d fix return code
Signed-off-by: Jens Reimann <jreimann@redhat.com>
2020-09-22 16:19:25 +02:00
Daniel Otte
1939460417 adjusting size of sliding window array to correct size.
Probably the `W[2 << MBEDTLS_MPI_WINDOW_SIZE]` notation is based on a transcription of 2**MBEDTLS_MPI_WINDOW_SIZE.

Signed-off-by: Daniel Otte <d.otte@wut.de>
2020-09-08 12:24:31 +02:00
Janos Follath
0db765ac65 Bump version to Mbed TLS 2.7.17
Executed "./scripts/bump_version.sh --version 2.7.17"

Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-08-26 15:28:48 +01:00
Janos Follath
93c784b356 Merge branch 'mbedtls-2.7-restricted' 2020-08-26 14:16:29 +01:00
Raoul Strackx
2a8e9587a7 Always revoke certificate on CRL
RFC5280 does not state that the `revocationDate` should be checked.

In addition, when no time source is available (i.e., when MBEDTLS_HAVE_TIME_DATE is not defined), `mbedtls_x509_time_is_past` always returns 0. This results in the CRL not being checked at all.

https://tools.ietf.org/html/rfc5280
Signed-off-by: Raoul Strackx <raoul.strackx@fortanix.com>
2020-08-26 11:38:41 +02:00
Manuel Pégourié-Gonnard
520e78b830 Fix a typo in a comment
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-25 12:01:11 +02:00
Manuel Pégourié-Gonnard
426c2d4a38 Add an option to test constant-flow with valgrind
Currently the new component in all.sh fails because
mbedtls_ssl_cf_memcpy_offset() is not actually constant flow - this is on
purpose to be able to verify that the new test works.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-25 12:01:09 +02:00
Manuel Pégourié-Gonnard
3b490a0a01 Add mbedtls_ssl_cf_memcpy_offset() with tests
The tests are supposed to be failing now (in all.sh component
test_memsan_constant_flow), but they don't as apparently MemSan doesn't
complain when the src argument of memcpy() is uninitialized, see
https://github.com/google/sanitizers/issues/1296

The next commit will add an option to test constant flow with valgrind, which
will hopefully correctly flag the current non-constant-flow implementation.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-25 12:00:07 +02:00
Manuel Pégourié-Gonnard
bf7a49eacc Use temporary buffer to hold the peer's HMAC
This paves the way for a constant-flow implementation of HMAC checking, by
making sure that the comparison happens at a constant address. The missing
step is obviously to copy the HMAC from the secret offset to this temporary
buffer with constant flow, which will be done in the next few commits.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-25 12:00:07 +02:00
Manuel Pégourié-Gonnard
d863a67a74 Merge branch 'mbedtls-2.7' into mbedtls-2.7-restricted
* mbedtls-2.7: (28 commits)
  A different approach of signed-to-unsigned comparison
  Update the copy of tests/data_files/server2-sha256.crt in certs.c
  Fix bug in redirection of unit test outputs
  Backport e2k support to mbedtls-2.7
  Don't forget to free G, P, Q, ctr_drbg, and entropy
  Regenerate server2-sha256.crt with a PrintableString issuer
  Regenerate test client certificates with a PrintableString issuer
  cert_write: support all hash algorithms
  compat.sh: stop using allow_sha1
  compat.sh: quit using SHA-1 certificates
  compat.sh: enable CBC-SHA-2 suites for GnuTLS
  Fix license header in pre-commit hook
  Update copyright notices to use Linux Foundation guidance
  Fix building on NetBSD 9.0
  Remove obsolete buildbot reference in compat.sh
  Fix misuse of printf in shell script
  Fix added proxy command when IPv6 is used
  Simplify test syntax
  Fix logic error in setting client port
  ssl-opt.sh: include test name in log files
  ...
2020-08-25 10:59:51 +02:00
Gilles Peskine
84be024eb0
Merge pull request #3594 from gilles-peskine-arm/fix-compat.sh-with-ubuntu-16.04-gnutls-2.7
Backport 2.7: Fix compat.sh with ubuntu 16.04 gnutls 2.7
2020-08-25 10:00:54 +02:00
Gilles Peskine
46b3fc221e
Merge pull request #3599 from makise-homura/mbedtls-2.7
Backport 2.7: Support building on e2k (Elbrus) architecture
2020-08-25 09:46:42 +02:00
makise-homura
329fe7e043 A different approach of signed-to-unsigned comparison
Suggested by @hanno-arm

Signed-off-by: makise-homura <akemi_homura@kurisa.ch>
2020-08-24 18:39:56 +03:00
Gilles Peskine
1323fba357 Update the copy of tests/data_files/server2-sha256.crt in certs.c
Before this commit, certs.c had a copy of a different version of
tests/data_files/server2-sha256.crt (from the then development branch)
which was generated by cert_write. Update certs.c with the new
tests/data_files/server2-sha256.crt which is also generated by
cert_write.

The new copy has the same size as the old copy so there is no concern
about existing application binaries relying on the size. (The old
tests/data_files/server2-sha256.crt had a different size because it
had been generated by openssl and so had slightly different content.)

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-24 15:15:00 +02:00
makise-homura
03c2b8f1c7 Backport e2k support to mbedtls-2.7
Covers commits ac2fd65, 0be6aa9, e74f372, e559550
from `development` branch

Signed-off-by: makise-homura <akemi_homura@kurisa.ch>
2020-08-23 00:28:45 +03:00
Bence Szépkúti
44bfbe3b95 Update copyright notices to use Linux Foundation guidance
As a result, the copyright of contributors other than Arm is now
acknowledged, and the years of publishing are no longer tracked in the
source files.

Also remove the now-redundant lines declaring that the files are part of
MbedTLS.

This commit was generated using the following script:

# ========================
#!/bin/sh

# Find files
find '(' -path './.git' -o -path './3rdparty' ')' -prune -o -type f -print | xargs sed -bi '

# Replace copyright attribution line
s/Copyright.*Arm.*/Copyright The Mbed TLS Contributors/I

# Remove redundant declaration and the preceding line
$!N
/This file is part of Mbed TLS/Id
P
D
'
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-08-19 16:54:51 +02:00
Manuel Pégourié-Gonnard
30c1df3f84
Merge pull request #3570 from gufe44/net-sockets-fixes-2.7
[Backport 2.7] NetBSD 9.0 build fixes
2020-08-18 09:13:52 +02:00
gufe44
3ca3b9ea88 Fix building on NetBSD 9.0
Fixes #2310

Signed-off-by: gufe44 <gu981@protonmail.com>
2020-08-17 07:14:16 +02:00
Gilles Peskine
126b69aee5
Merge pull request #735 from gilles-peskine-arm/x509parse_crl-empty_entry-2.7
Backport 2.7: Fix buffer overflow in x509_get_entries (oss-fuzz 24123)
2020-08-14 23:22:19 +02:00
gufe44
206cb39116 Use arc4random_buf instead of rand on NetBSD
Avoid old implementation of rand returning numbers with cyclical lower bits. Allow tests to pass.

Signed-off-by: gufe44 <gu981@protonmail.com>
2020-08-13 06:22:45 +02:00
Gilles Peskine
691bed7cce
Merge pull request #733 from gabor-mezei-arm/689_bp27_zeroising_of_plaintext_buffers
[Backport 2.7] Zeroising of plaintext buffers in mbedtls_ssl_read()
2020-08-12 18:51:47 +02:00
Gilles Peskine
78e54b9b1d x509_crl_parse: fix 1-byte buffer overflow and entry->raw.tag
In the entries (mbedtls_x509_crl_entry values) on the list constructed
by mbedtls_x509_crl_parse_der(), set entry->raw.tag to
(SEQUENCE | CONSTRUCTED) rather than to the tag of the first ASN.1
element of the entry (which happens to be the tag of the serial
number, so INTEGER or INTEGER | CONTEXT_SPECIFIC). This is doesn't
really matter in practice (and in particular the value is never used
in Mbed TLS itself), and isn't documented, but at least it's
consistent with how mbedtls_x509_buf is normally used.

The primary importance of this change is that the old code tried to
access the tag of the first element of the entry even when the entry
happened to be empty. If the entry was empty and not followed by
anything else in the CRL, this could cause a read 1 byte after the end
of the buffer containing the CRL.

The test case "X509 CRL ASN1 (TBSCertList, single empty entry at end)"
hit the problematic buffer overflow, which is detected with ASan.

Credit to OSS-Fuzz for detecting the problem.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-12 12:51:43 +02:00
Manuel Pégourié-Gonnard
cd542a5453
Merge pull request #729 from mpg/ct-varlen-hmac-2.7
[Backport 2.7] Add constant-flow variable-length HMAC function
2020-08-10 12:40:53 +02:00
gabor-mezei-arm
ef73875913
Zeroising of plaintext buffers to erase unused application data from memory
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2020-08-03 10:53:48 +02:00
Manuel Pégourié-Gonnard
7cf5ebc90f Add comment that was lost while backporting
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-29 13:01:05 +02:00
Manuel Pégourié-Gonnard
e05e57619b Remove use of C99 construct
This is an LTS branch, C99 isn't allowed yet, it breaks versions of MSVC that
we still support for this branch.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-29 10:06:39 +02:00
Manuel Pégourié-Gonnard
2f484bd979 Add missing const for consistency
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:29 +02:00
Manuel Pégourié-Gonnard
2da9a54559 Fix typos in comments
Co-authored-by: Janos Follath <janos.follath@arm.com>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:29 +02:00
Manuel Pégourié-Gonnard
0cd0c731fd Check errors from the MD layer
Could be out-of-memory for some functions, accelerator issues for others.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:28 +02:00
Manuel Pégourié-Gonnard
c9ef5a2b76 Remove unnecessary cast
This is C, not C++, casts between void * and other pointer types are free.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:28 +02:00
Manuel Pégourié-Gonnard
ec956b1861 Improve some comments and internal documentation
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:28 +02:00
Manuel Pégourié-Gonnard
41df0f2bca Factor repeated condition to its own macro
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:28 +02:00
Manuel Pégourié-Gonnard
4508c67c42 Implement cf_hmac() actually with constant flow
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:28 +02:00
Manuel Pégourié-Gonnard
40597cef01 Add MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
This option allows to test the constant-flow nature of selected code, using
MemSan and the fundamental observation behind ctgrind that the set of
operations allowed on undefined memory by dynamic analysers is the same as the
set of operations allowed on secret data to avoid leaking it to a local
attacker via side channels, namely, any operation except branching and
dereferencing.

(This isn't the full story, as on some CPUs some instructions have variable
execution depending on the inputs, most notably division and on some cores
multiplication. However, testing that no branch or memory access depends on
secret data is already a good start.)

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:28 +02:00
Manuel Pégourié-Gonnard
d11971875a Use existing implementation of cf_hmac()
Just move code from ssl_decrypt_buf() to the new cf_hmac() function and then
call cf_hmac() from there.

This makes the new cf_hmac() function used and validates that its interface
works for using it in ssl_decrypt_buf().

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:28 +02:00
Manuel Pégourié-Gonnard
3ba2bcaf0d Add dummy constant-flow HMAC function with tests
The dummy implementation is not constant-flow at all for now, it's just
here as a starting point and a support for developing the tests and putting
the infrastructure in place.

Depending on the implementation strategy, there might be various corner cases
depending on where the lengths fall relative to block boundaries. So it seems
safer to just test all possible lengths in a given range than to use only a
few randomly-chosen values.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:27 +02:00
Manuel Pégourié-Gonnard
8ebb88d1e0 Factor repeated preprocessor condition to a macro
The condition is a complex and repeated a few times. There were already some
inconsistencies in the repetitions as some of them forgot about DES.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 12:58:47 +02:00
Manuel Pégourié-Gonnard
b2b1d8e762 Clarify some comments
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-24 11:57:47 +02:00
Manuel Pégourié-Gonnard
ab601d6a1c Fix memory leak on error path
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-24 11:57:47 +02:00
Manuel Pégourié-Gonnard
406c7aedc4 RSA: blind call to mpi_inv_mod() on secret value
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-24 11:57:47 +02:00
Manuel Pégourié-Gonnard
6ab924de1d RSA: remove redundant GCD call in prepare_blinding()
inv_mod() already returns a specific error code if the value is not
invertible, so no need to check in advance that it is. Also, this is a
preparation for blinding the call to inv_mod(), which is made easier by
avoiding the redundancy (otherwise the call to gcd() would need to be blinded
too).

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-24 11:57:47 +02:00
Manuel Pégourié-Gonnard
a35e98a060 DHM: blind call to mpi_inv_mod() on secret value
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-24 11:57:46 +02:00
Manuel Pégourié-Gonnard
f0f43c51c4 DHM: make drawing of blinding value a function
In the next commit, we'll need to draw a second random value, in order to
blind modular inversion. Having a function for that will avoid repetition.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-24 11:57:46 +02:00
Janos Follath
2a4f8991b3 Bump version to Mbed TLS 2.7.16
Executed "./scripts/bump_version.sh --version 2.7.16"

Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-06-26 12:37:57 +01:00
Janos Follath
9cdda866bf Merge branch 'mbedtls-2.7-restricted' into mbedtls-2.7.16r0 2020-06-25 09:20:57 +01:00
Manuel Pégourié-Gonnard
f2027b5c46
Merge pull request #705 from mpg/l13-hw-starts-finish-2.7-restricted
[backport 2.7] Use starts/finish around Lucky 13 dummy compressions
2020-06-23 10:43:22 +02:00