Commit Graph

8983 Commits

Author SHA1 Message Date
Gilles Peskine
1a30fbbd3b Check that mbedtls_mpi_grow succeeds 2020-01-27 15:16:16 +01:00
Gilles Peskine
83a5672ae1 Remove redundant block_size validity check
Check the value only once, as soon as we've obtained it.
2020-01-27 15:16:16 +01:00
Manuel Pégourié-Gonnard
42b8194b53 Fix incrementing pointer instead of value
This was introduced by a hasty search-and-replace that didn't account for C's
operator precedence when changing those variables to pointer types.
2020-01-24 12:35:47 +01:00
Gilles Peskine
42e4f6b706 Add changelog entry for the unchecked mbedtls_md call 2020-01-22 19:04:19 +01:00
Gilles Peskine
3a3b161e96 Add missing return code check on call to mbedtls_md() 2020-01-22 18:59:37 +01:00
Janos Follath
32b0216dd7 Bump version to Mbed TLS 2.16.4 2020-01-20 14:32:57 +00:00
Jaeden Amero
39e2c0eeb6 Merge remote-tracking branch 'origin/mbedtls-2.16' into mbedtls-2.16-restricted
* origin/mbedtls-2.16:
  Fix some pylint warnings
  Enable more test cases without MBEDTLS_MEMORY_DEBUG
  More accurate test case description
  Clarify that the "FATAL" message is expected
  Note that mbedtls_ctr_drbg_seed() must not be called twice
  Fix CTR_DRBG benchmark
  Changelog entry for xxx_drbg_set_entropy_len before xxx_drbg_seed
  CTR_DRBG: support set_entropy_len() before seed()
  CTR_DRBG: Don't use functions before they're defined
  HMAC_DRBG: support set_entropy_len() before seed()
2020-01-15 16:59:41 +00:00
Manuel Pégourié-Gonnard
95a17fbe17 Add test for record compression in ssl-opt.sh
Deprecated but still needs to be tested.
2020-01-03 10:03:15 +01:00
Manuel Pégourié-Gonnard
4ef189df49 Add all.sh components with ZLIB enabled
ZLIB support is deprecated, but until it's removed it should still be tested.
2020-01-03 10:03:15 +01:00
Jaeden Amero
f02988e577
Merge pull request #2967 from dgreen-arm/backport-2.16-fix-pylint-warnings
Backport 2.16: Fix some pylint warnings
2019-12-20 16:07:01 +00:00
Darryl Green
349a079f2d Fix some pylint warnings
Fix a too-long line to meet PEP8 standards
2019-12-20 13:01:08 +00:00
Jaeden Amero
c0546439c4
Merge pull request #2894 from gilles-peskine-arm/drbg-set_entropy_len-2.16
Backport 2.16: Allow xxx_drbg_set_entropy_len before xxx_drbg_seed
2019-11-29 16:17:34 +00:00
Jaeden Amero
1dfc361a50
Merge pull request #672 from gilles-peskine-arm/ctr_drbg-aes_fail-2.16
Backport 2.16: Uncaught AES failure in CTR_DRBG
2019-11-28 15:02:17 +00:00
Gilles Peskine
86dd9501ba Catch AES failure in mbedtls_ctr_drbg_random
The functions mbedtls_ctr_drbg_random() and
mbedtls_ctr_drbg_random_with_add() could return 0 if an AES function
failed. This could only happen with alternative AES
implementations (the built-in implementation of the AES functions
involved never fail), typically due to a failure in a hardware
accelerator.

Bug reported and fix proposed by Johan Uppman Bruce and Christoffer
Lauri, Sectra.
2019-11-28 09:57:44 +01:00
Jaeden Amero
269d414189
Merge pull request #2936 from gilles-peskine-arm/memory_buffer_alloc-fatal-pass-2.16
Backport 2.16: Clarify test descriptions in test_suite_memory_buffer_alloc
2019-11-27 10:37:39 +00:00
Gilles Peskine
554d5d598f Enable more test cases without MBEDTLS_MEMORY_DEBUG
None of the test cases in tests_suite_memory_buffer_alloc actually
need MBEDTLS_MEMORY_DEBUG. Some have additional checks when
MBEDTLS_MEMORY_DEBUG but all are useful even without it. So enable
them all and #ifdef out the parts that require DEBUG.
2019-11-26 18:45:00 +01:00
Gilles Peskine
4a55e7c736 More accurate test case description 2019-11-26 18:44:55 +01:00
Gilles Peskine
19baefa04f Clarify that the "FATAL" message is expected
The test case "Memory buffer small buffer" emits a message
"FATAL: verification of first header failed". In this test case, it's
actually expected, but it looks weird to see this message from a
passing test. Add a comment that states this explicitly, and modify
the test description to indicate that the failure is expected, and
change the test function name to be more accurate.

Fix #309
2019-11-26 18:44:50 +01:00
Jaeden Amero
f0486052b7 Merge remote-tracking branch 'restricted/pr/667' into mbedtls-2.16-restricted
* restricted/pr/667: (24 commits)
  Add ChangeLog entry
  mpi_lt_mpi_ct: fix condition handling
  mpi_lt_mpi_ct: Add further tests
  mpi_lt_mpi_ct: Fix test numbering
  mpi_lt_mpi_ct perform tests for both limb size
  ct_lt_mpi_uint: cast the return value explicitely
  mbedtls_mpi_lt_mpi_ct: add tests for 32 bit limbs
  mbedtls_mpi_lt_mpi_ct: simplify condition
  Rename variable for better readability
  mbedtls_mpi_lt_mpi_ct: Improve documentation
  Make mbedtls_mpi_lt_mpi_ct more portable
  Bignum: Document assumptions about the sign field
  Add more tests for mbedtls_mpi_lt_mpi_ct
  mpi_lt_mpi_ct test: hardcode base 16
  Document ct_lt_mpi_uint
  mpi_lt_mpi_ct: make use of unsigned consistent
  ct_lt_mpi_uint: make use of biL
  Change mbedtls_mpi_cmp_mpi_ct to check less than
  mbedtls_mpi_cmp_mpi_ct: remove multiplications
  Remove excess vertical space
  ...
2019-11-12 10:48:21 +00:00
Jaeden Amero
baf23000e1 Merge remote-tracking branch 'restricted/pr/669' into mbedtls-2.16-restricted
* restricted/pr/669:
  Zeroize local AES variables before exiting the function
2019-11-12 10:43:57 +00:00
Jaeden Amero
3f1c68a1e2
Merge pull request #665 from ARMmbed/dev/yanesca/iotcrypt-958-ecdsa-side-channel-fix-2.16
Backport 2.16: ECDSA side channel fix
2019-11-12 10:37:22 +00:00
Andrzej Kurek
f18de50b49 Zeroize local AES variables before exiting the function
This issue has been reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
Grant Hernandez, and Kevin Butler (University of Florida) and
Dave Tian (Purdue University).

In AES encrypt and decrypt some variables were left on the stack. The value
of these variables can be used to recover the last round key. To follow best
practice and to limit the impact of buffer overread vulnerabilities (like
Heartbleed) we need to zeroize them before exiting the function.
2019-11-12 03:34:03 -05:00
Janos Follath
d71f31bfb7 Add ChangeLog entry 2019-11-11 14:15:00 +00:00
Janos Follath
e25f1ee44d mpi_lt_mpi_ct: fix condition handling
The code previously only set the done flag if the return value was one.
This led to overriding the correct return value later on.
2019-11-11 12:32:12 +00:00
Janos Follath
b159ae8409 mpi_lt_mpi_ct: Add further tests
The existing tests did not catch a failure that came up at integration
testing. Adding the missing test cases to trigger the bug.
2019-11-11 12:32:12 +00:00
Janos Follath
b2fddfd3f1 mpi_lt_mpi_ct: Fix test numbering 2019-11-11 12:32:12 +00:00
Janos Follath
14528628c8 mpi_lt_mpi_ct perform tests for both limb size
The corner case tests were designed for 32 and 64 bit limbs
independently and performed only on the target platform. On the other
platform they are not corner cases anymore, but we can still exercise
them.
2019-11-11 12:32:12 +00:00
Janos Follath
359a01e07c ct_lt_mpi_uint: cast the return value explicitely
The return value is always either one or zero and therefore there is no
risk of losing precision. Some compilers can't deduce this and complain.
2019-11-11 12:32:12 +00:00
Janos Follath
798e394943 mbedtls_mpi_lt_mpi_ct: add tests for 32 bit limbs
The corner case tests were designed for 64 bit limbs and failed on 32
bit platforms because the numbers in the test ended up being stored in a
different number of limbs and the function (correctly) returnd an error
upon receiving them.
2019-11-11 12:32:12 +00:00
Janos Follath
fbe4c947cd mbedtls_mpi_lt_mpi_ct: simplify condition
In the case of *ret we might need to preserve a 0 value throughout the
loop and therefore we need an extra condition to protect it from being
overwritten.

The value of done is always 1 after *ret has been set and does not need
to be protected from overwriting. Therefore in this case the extra
condition can be removed.
2019-11-11 12:32:12 +00:00
Janos Follath
1f21c1d519 Rename variable for better readability 2019-11-11 12:32:12 +00:00
Janos Follath
bd87a59007 mbedtls_mpi_lt_mpi_ct: Improve documentation 2019-11-11 12:32:12 +00:00
Janos Follath
58525180fb Make mbedtls_mpi_lt_mpi_ct more portable
The code relied on the assumptions that CHAR_BIT is 8 and that unsigned
does not have padding bits.

In the Bignum module we already assume that the sign of an MPI is either
-1 or 1. Using this, we eliminate the above mentioned dependency.
2019-11-11 12:32:12 +00:00
Janos Follath
aac48d1b3d Bignum: Document assumptions about the sign field 2019-11-11 12:32:12 +00:00
Janos Follath
e1bf02ae26 Add more tests for mbedtls_mpi_lt_mpi_ct 2019-11-11 12:32:12 +00:00
Janos Follath
27d221a1aa mpi_lt_mpi_ct test: hardcode base 16 2019-11-11 12:32:12 +00:00
Janos Follath
45ec990711 Document ct_lt_mpi_uint 2019-11-11 12:32:12 +00:00
Janos Follath
b11ce0ec2d mpi_lt_mpi_ct: make use of unsigned consistent 2019-11-11 12:32:12 +00:00
Janos Follath
7a34bcffef ct_lt_mpi_uint: make use of biL 2019-11-11 12:32:12 +00:00
Janos Follath
867a3abff5 Change mbedtls_mpi_cmp_mpi_ct to check less than
The signature of mbedtls_mpi_cmp_mpi_ct() meant to support using it in
place of mbedtls_mpi_cmp_mpi(). This meant full comparison functionality
and a signed result.

To make the function more universal and friendly to constant time
coding, we change the result type to unsigned. Theoretically, we could
encode the comparison result in an unsigned value, but it would be less
intuitive.

Therefore we won't be able to represent the result as unsigned anymore
and the functionality will be constrained to checking if the first
operand is less than the second. This is sufficient to support the
current use case and to check any relationship between MPIs.

The only drawback is that we need to call the function twice when
checking for equality, but this can be optimised later if an when it is
needed.
2019-11-11 12:32:12 +00:00
Janos Follath
4f6cf38016 mbedtls_mpi_cmp_mpi_ct: remove multiplications
Multiplication is known to have measurable timing variations based on
the operands. For example it typically is much faster if one of the
operands is zero. Remove them from constant time code.
2019-11-11 12:32:12 +00:00
Janos Follath
3d826456f5 Remove excess vertical space 2019-11-11 12:32:12 +00:00
Janos Follath
4ea2319726 Remove declaration after statement
Visual Studio 2013 does not like it for some reason.
2019-11-11 12:32:12 +00:00
Janos Follath
4c3408b140 Fix side channel vulnerability in ECDSA 2019-11-11 12:32:12 +00:00
Janos Follath
e9ae6305ea Add tests to constant time mpi comparison 2019-11-11 12:32:12 +00:00
Janos Follath
b9f6f9bc97 Add new, constant time mpi comparison 2019-11-11 12:32:12 +00:00
Gilles Peskine
b02a233218 Note that mbedtls_ctr_drbg_seed() must not be called twice
You can't reuse a CTR_DRBG context without free()ing it and
re-init()ing it. This generally happened to work, but was never
guaranteed. It could have failed with alternative implementations of
the AES module because mbedtls_ctr_drbg_seed() calls
mbedtls_aes_init() on a context which is already initialized if
mbedtls_ctr_drbg_seed() hasn't been called before, plausibly causing a
memory leak.

Calling free() and seed() with no intervening init fails when
MBEDTLS_THREADING_C is enabled and all-bits-zero is not a valid mutex
representation.
2019-10-28 21:15:46 +01:00
Gilles Peskine
f4c0dbc628 Fix CTR_DRBG benchmark
You can't reuse a CTR_DRBG context without free()ing it and
re-init()ing. This generally happened to work, but was never
guaranteed. It could have failed with alternative implementations of
the AES module because mbedtls_ctr_drbg_seed() calls
mbedtls_aes_init() on a context which is already initialized if
mbedtls_ctr_drbg_seed() hasn't been called before, plausibly causing a
memory leak. Calling free() and seed() with no intervening init fails
when MBEDTLS_THREADING_C is enabled and all-bits-zero is not a valid
mutex representation. So add the missing free() and init().
2019-10-28 21:09:00 +01:00
Janos Follath
1baed82774 Add ChangeLog entry 2019-10-25 11:21:30 +01:00
Janos Follath
d65df1fa67 ECDSA: Fix side channel vulnerability
The blinding applied to the scalar before modular inversion is
inadequate. Bignum is not constant time/constant trace, side channel
attacks can retrieve the blinded value, factor it (it is smaller than
RSA keys and not guaranteed to have only large prime factors). Then the
key can be recovered by brute force.

Reducing the blinded value makes factoring useless because the adversary
can only recover pk*t+z*N instead of pk*t.
2019-10-25 09:11:21 +01:00