Commit Graph

3192 Commits

Author SHA1 Message Date
Gilles Peskine
e1dc2de900 Move MBEDTLS_CTR_DRBG_USE_128_BIT_KEY to the correct section
It's an on/off feature, so it should be listed in version_features.
2020-03-13 15:22:14 +00:00
Gilles Peskine
6e36d0b33c CTR_DRBG: more consistent formatting and wording
In particular, don't use #MBEDTLS_xxx on macros that are undefined in
some configurations, since this would be typeset with a literal '#'.
2020-03-13 15:22:14 +00:00
Gilles Peskine
9640403fa0 CTR_DRBG documentation: further wording improvements 2020-03-13 15:22:14 +00:00
Gilles Peskine
7b674eac64 CTR_DRBG: Improve the explanation of security strength
Separate the cases that achieve a 128-bit strength and the cases that
achieve a 256-bit strength.
2020-03-13 15:22:14 +00:00
Gilles Peskine
7df4b7b3b6 CTR_DRBG: make it easier to understand the security strength
Explain how MBEDTLS_CTR_DRBG_ENTROPY_LEN is set next to the security
strength statement, rather than giving a partial explanation (current
setting only) in the documentation of MBEDTLS_CTR_DRBG_ENTROPY_LEN.
2020-03-13 15:22:14 +00:00
Gilles Peskine
56f628ca26 HMAC_DRBG: note that the initial seeding grabs entropy for the nonce 2020-03-13 15:22:14 +00:00
Gilles Peskine
beddfdcd7f Use standard terminology to describe the personalization string
NIST and many other sources call it a "personalization string", and
certainly not "device-specific identifiers" which is actually somewhat
misleading since this is just one of many things that might go into a
personalization string.
2020-03-13 15:22:13 +00:00
Gilles Peskine
57553fa2f0 Do note that xxx_drbg_random functions reseed with PR enabled 2020-03-13 15:22:13 +00:00
Gilles Peskine
20a3846725 Consistently use \c NULL and \c 0 2020-03-13 15:22:13 +00:00
Gilles Peskine
ccb38381e8 HMAC_DRBG: improve the documentation of the entropy length 2020-03-13 15:21:09 +00:00
Gilles Peskine
4bfe4540f3 HMAC_DRBG documentation improvements clarifications
Improve the formatting and writing of the documentation based on what
had been done for CTR_DRBG.

Document the maximum size and nullability of some buffer parameters.
2020-03-13 15:21:08 +00:00
Gilles Peskine
f17079d960 More CTR_DRBG documentation improvements and clarifications 2020-03-13 12:03:12 +00:00
Gilles Peskine
c32f74cf8e Fix wording 2020-03-13 12:03:12 +00:00
Gilles Peskine
03642fa026 Remove warning that the previous expanded discussion has obsoleted 2020-03-13 12:03:12 +00:00
Gilles Peskine
2d83fe1383 CTR_DRBG: improve the discussion of entropy length vs strength 2020-03-13 12:03:12 +00:00
Gilles Peskine
bb2b8da7d7 CTR_DRBG: Finish an unfinished paragraph 2020-03-13 12:03:12 +00:00
Gilles Peskine
e3dc5942c5 CTR_DRBG: Document the security strength and SP 800-90A compliance
Document that a derivation function is used.

Document the security strength of the DRBG depending on the
compile-time configuration and how it is set up. In particular,
document how the nonce specified in SP 800-90A is set.

Mention how to link the ctr_drbg module with the entropy module.
2020-03-13 12:01:28 +00:00
Gilles Peskine
c1c9292d2f CTR_DRBG: Document the maximum size of some parameters 2020-03-13 12:01:28 +00:00
Gilles Peskine
da5ccce88e CTR_DRBG documentation clarifications
* State explicit whether several numbers are in bits or bytes.
* Clarify whether buffer pointer parameters can be NULL.
* Explain the value of constants that are dependent on the configuration.
2020-03-13 12:01:28 +00:00
Arto Kinnunen
17540ab74c Fix usage of randomized number in AES
-Fix usage of randomized bits (do not reuse the bits)
-Update comments
2020-01-21 12:01:42 +02:00
Arto Kinnunen
311ab594d7 Flag SCA_CM encrypt/decrypt functions
There is a 50% performance drop in the SCA_CM enabled encrypt and
decrypt functions. Therefore use the older version of encrypt/decypt
functions when SCA_CM is disabled.
2020-01-21 12:01:42 +02:00
Arto Kinnunen
10a2ffde5d Merge remote-tracking branch 'upstream/pr/2945' into baremetal
* upstream/pr/2945:
  Rename macro MBEDTLS_MAX_RAND_DELAY
  Update signature of mbedtls_platform_random_delay
  Replace mbedtls_platform_enforce_volatile_reads 2
  Replace mbedtls_platform_enforce_volatile_reads
  Add more variation to random delay countermeasure
  Add random  delay to enforce_volatile_reads
  Update comments of mbedtls_platform_random_delay
  Follow Mbed TLS coding style
  Add random delay function to platform_utils
2020-01-17 11:21:16 +02:00
Arto Kinnunen
ac6d226939 Update signature of mbedtls_platform_random_delay
Skip parameter and return value from mbedtls_platform_random_delay
to make it more resistant for FI attacks.
2020-01-09 10:19:07 +02:00
Simon Butcher
2d9c0eb215 Merge remote-tracking branch 'public/pr/2948' into baremetal 2020-01-08 18:08:28 +00:00
Simon Butcher
4b3b8c208e Merge remote-tracking branch 'public/pr/2886' into baremetal 2020-01-08 17:53:43 +00:00
Arto Kinnunen
e91f0dc905 Replace mbedtls_platform_enforce_volatile_reads
Replace function mbedtls_platform_enforce_volatile_reads() with
mbedtls_platform_random_delay().
2020-01-07 10:47:58 +02:00
Arto Kinnunen
0490485be5 Add random delay to enforce_volatile_reads
Add a random delay to mbedtls_platform_enforce_volatile_reads() as a
countermeasure to fault injection attacks.
2020-01-07 10:47:58 +02:00
Arto Kinnunen
9a506e7424 Update comments of mbedtls_platform_random_delay 2020-01-07 10:47:58 +02:00
Arto Kinnunen
4c63b98e94 Add random delay function to platform_utils
Add delay function to platform_utils. The function will delay
program execution by incrementing local variable randomised number of
times.
2020-01-07 10:47:58 +02:00
Jarno Lamsa
5aa4c07b85 Minor review fixes 2019-12-20 13:09:27 +02:00
Jarno Lamsa
616fbe177c Increase hamming distance for authmode
Prevent glitching mode by single bit flipping.
2019-12-19 17:07:35 +02:00
Jarno Lamsa
afff4d0679 Remove unused flag 2019-12-19 14:41:56 +02:00
Jarno Lamsa
e1621d4700 Check that the peer_authenticated flag
Check that the peer has been authenticated in the end
of the handshake.
2019-12-19 14:29:24 +02:00
Jarno Lamsa
b57d7fd568 Add flags for protecting TLS state machine
Flags are there to prevent skipping vital parts of the TLS
handshake.
2019-12-19 09:01:54 +02:00
Jarno Lamsa
9e8e820993 Increase hamming distance for some error codes
The MBEDTLS_ERR_SSL_WANT_READ and MBEDTLS_ERR_SSL_WANT_WRITE are
errors that can be ignored, so increase the hamming distance between
them and the non-ignorable errors and keep still some distance from
a success case. This mitigates an attack where single bit-flipping could
change a non-ignorable error to being an ignorable one.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
4708d66af5 Change the mbedtls_ssl_states values
The changed values have now the minimum hamming distance
of 16 from each other. This is to prevent changing the state
by just flipping one bit.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
70abd7aadc Add enumeration for invalid state
The invalid state can be used when state-mismatch is noticed.
The invalid state should report a FI-alert upwards.
2019-12-19 07:56:10 +02:00
Simon Butcher
e76c638d6f Merge remote-tracking branch 'public/pr/2925' into baremetal 2019-12-13 14:51:29 +00:00
Arto Kinnunen
6ce4988768 AES FI resistance
Add FI countermeasures to AES.
2019-12-10 15:00:37 +02:00
Arto Kinnunen
34139ba9fc Updates to AES countermeasures
-Update comments regarding flag MBEDTLS_AES_SCA_COUNTERMEASURES
-Remove MBEDTLS_AES_SCA_COUNTERMEASURES dependency check
-More comments and coding style changes
2019-12-10 14:54:43 +02:00
Arto Kinnunen
430ac13112 Add config and test for AES SCA countermeasures
- Add configuration for AES_SCA_COUNTERMEASURES to config.h. By
  default the feature is disabled.
- Add AES_SCA_COUNTERMEASURES configuration check to check_config.h
- Add AES_SCA_COUNTERMEASURES test to all.sh
2019-12-10 14:54:43 +02:00
Simon Butcher
501c466d01 Merge remote-tracking branch 'public/pr/2934' into baremetal 2019-12-05 14:32:44 +00:00
Simon Butcher
5b45c6e1b3 Merge remote-tracking branch 'public/pr/2932' into baremetal 2019-12-05 14:32:31 +00:00
Simon Butcher
7c5de360da Merge remote-tracking branch 'public/pr/2922' into baremetal 2019-12-05 14:31:03 +00:00
Manuel Pégourié-Gonnard
766c9e9781 Improve description of ERR_PLATFORM_FAULT_DETECTED 2019-11-29 09:40:08 +01:00
Manuel Pégourié-Gonnard
65be6b48de Add compile guard in platform.h
We may want to include it just for the errors it defines without having all of
the other defines that only make sense when PLATFORM_C is enabled.
2019-11-28 12:51:45 +01:00
Manuel Pégourié-Gonnard
9d6a535ba1 Return and propagate UECC_FAULT_DETECTED
This commit first changes the return convention of EccPoint_mult_safer() so
that it properly reports when faults are detected. Then all functions that
call it need to be changed to (1) follow the same return convention and (2)
properly propagate UECC_FAULT_DETECTED when it occurs.

Here's the reverse call graph from EccPoint_mult_safer() to the rest of the
library (where return values are translated to the MBEDTLS_ERR_ space) and test
functions (where expected return values are asserted explicitly).

EccPoint_mult_safer()
    EccPoint_compute_public_key()
        uECC_compute_public_key()
            pkparse.c
            tests/suites/test_suite_pkparse.function
        uECC_make_key_with_d()
        uECC_make_key()
            ssl_cli.c
            ssl_srv.c
            tests/suites/test_suite_pk.function
            tests/suites/test_suite_tinycrypt.function
    uECC_shared_secret()
        ssl_tls.c
        tests/suites/test_suite_tinycrypt.function
    uECC_sign_with_k()
        uECC_sign()
            pk.c
            tests/suites/test_suite_tinycrypt.function

Note: in uECC_sign_with_k() a test for uECC_vli_isZero(p) is suppressed
because it is redundant with a more thorough test (point validity) done at the
end of EccPoint_mult_safer(). This redundancy was introduced in a previous
commit but not noticed earlier.
2019-11-26 12:54:06 +01:00
Manuel Pégourié-Gonnard
4d6186beb0 Rename ATTACK_DETECTED to FAULT_DETECTED
We don't know for sure it's an attack, it could be the hardware failing
randomly as well.
2019-11-26 12:54:06 +01:00
Manuel Pégourié-Gonnard
2b90961b8d Add integrity check for curve parameters
We don't really need a secure hash for that, something like CRC32 would
probably be enough - but we have SHA-256 handy, not CRC32, so use that for the
sake of simplicity.
2019-11-26 12:54:06 +01:00
Manuel Pégourié-Gonnard
1a5337179f Remove curve parameter from public functions 2019-11-26 12:54:06 +01:00
Manuel Pégourié-Gonnard
be5f833c9c Remove curve parameter from (semi-)internal functions
By semi-internal I mean functions that are only public because they're used in
more than once compilation unit in the library (for example in ecc.c and
ecc_dsa.c) but should not really be part of the public-facing API.
2019-11-26 12:54:06 +01:00
Manuel Pégourié-Gonnard
bc3f49011a Remove struct curve entirely 2019-11-26 12:54:06 +01:00
Manuel Pégourié-Gonnard
ffd13996fd Move b from curve structure to its own constant
Same motivation as for the other parameters. This is the last one, making the
curve structure empty, so it's left with a dummy parameter for legal reasons.
2019-11-26 12:54:04 +01:00
Manuel Pégourié-Gonnard
a6115087a0 Move G from struct curve to its own constant 2019-11-26 12:53:13 +01:00
Manuel Pégourié-Gonnard
356d8594d7 Move n from struct curve to its own constant 2019-11-26 12:52:57 +01:00
Manuel Pégourié-Gonnard
4d8777cbb6 Move p from curve structure to its own constant
This removes an indirection, which both makes the code smaller and decreases
the number of glitching opportunities for an attacker.
2019-11-26 12:51:58 +01:00
Arto Kinnunen
5b36693774 Harden hmac_drbg and md against fault injection
-Add flow monitor, loop integrity check and variable doubling to
 harden mbedtls_hmac_drbg_update_ret.

-Use longer hamming distance for nonce usage in hmac_drbg_reseed_core

-Return actual value instead of success in mbedtls_hmac_drbg_seed and
 mbedtls_hmac_drbg_seed_buf

-Check illegal condition in hmac_drbg_reseed_core.

-Double buf/buf_len variables in mbedtls_hmac_drbg_random_with_add

-Add more hamming distance to MBEDTLS_HMAC_DRBG_PR_ON/OFF
2019-11-25 13:45:44 +02:00
Simon Butcher
35e535a74a Remove TinyCrypt config condition in source files
This commit removes from the TinyCrypt header and source code files, the
configuration condition on MBEDTLS_USE_TINYCRYPT to include the file
contents.

This is to allow use of the library by the Factory Tool without enabling
MBEDTLS_USE_TINYCRYPT, and also removes a modification we've made to make the
code closer to the upstream TinyCrypt making it easier to maintain.
2019-11-21 17:54:16 +00:00
Manuel Pégourié-Gonnard
30833f2a07 Remove num_n_bits member from curve structure 2019-11-21 15:37:22 +01:00
Manuel Pégourié-Gonnard
72c1764c00 Remove num_bytes member from curve structure
Reduces code size and size of the structure.
2019-11-21 15:37:22 +01:00
Manuel Pégourié-Gonnard
1765933ab2 Remove num_words member from curve structure
Saves code size, and makes the curve structure simpler.
2019-11-21 15:37:22 +01:00
Manuel Pégourié-Gonnard
1c6f7eae2d Remove function pointers from curve structure
They're not needed in practice, and removing them decreases the code size
slightly and provides less opportunities for an attacker.
2019-11-21 15:37:22 +01:00
Manuel Pégourié-Gonnard
ea7eab1fde Add redundancy (Hamming distance) to cert flags
Before this commit, if a certificate only had one issue (for example, if the
"untrusted" bit was the only set in flags), an attacker that could flip this
single bit between the moment it's set and the moment flags are checked before
returning from mbedtls_x509_crt_verify() could make the entire verification
routine appear to succeed (return 0 with no bit set in flags).

Avoid that by making sure that flags always has either 0 or at least 9 bits
set during the execution of the function. However, to preserve the API, clear
the 8 extra bits before returning. This doesn't open the door to other
attacks, as fortunately the API already had redundancy: either both flags and
the return value are 0, or flags has bits set and the return value is non-zero
with at least 16 bits set (assuming 32-bit 2-complement ints).
2019-11-21 15:32:45 +01:00
Manuel Pégourié-Gonnard
72a8c9e7dc Force some compilers to respect volatile reads
Inspection of the generated assembly showed that before this commit, armcc 5
was optimizing away the successive reads to the volatile local variable that's
used for double-checks. Inspection also reveals that inserting a call to an
external function is enough to prevent it from doing that.

The tested versions of ARM-GCC, Clang and Armcc 6 (aka armclang) all keep the
double read, with our without a call to an external function in the middle.

The inserted function can also be changed to insert a random delay if
desired in the future, as it is appropriately places between the reads.
2019-11-21 15:14:59 +01:00
Manuel Pégourié-Gonnard
324c6e9cc9 Add error code MBEDTLS_ERR_PLATFORM_FAULT_DETECTED
This can be used by Mbed TLS functions in any module to signal that a fault
attack is likely happening, so this can be appropriately handled by the
application (report, fall back to safer mode or even halt, etc.)
2019-11-21 15:14:59 +01:00
Manuel Pégourié-Gonnard
2b6312b7d9 Harden return value of uECC_vli_equal()
Previously it was returning 0 or 1, so flipping a single bit in the return
value reversed its meaning. Now it's returning the diff itself.

This is safe because in the two places it's used (signature verification and
point validation), invalid values will have a large number of bits differing
from the expected value, so diff will have a large Hamming weight.

An alternative would be to return for example -!(diff == 0), but the
comparison itself is prone to attacks (glitching the appropriate flag in the
CPU flags register, or the conditional branch if the comparison uses one). So
we'd need to protect the comparison, and it's simpler to just skip it and
return diff itself.
2019-11-21 15:12:44 +01:00
Manuel Pégourié-Gonnard
10d8e8ed64 Use safer return values in uECC_verify()
This is a first step in protecting against fault injection attacks: the
attacker can no longer change failure into success by flipping a single bit.
Additional steps are needed to prevent other attacks (instruction skip etc)
and will be the object of future commits.

The return value of uECC_vli_equal() should be protected as well, which will
be done in a future commit as well.
2019-11-21 15:12:44 +01:00
Manuel Pégourié-Gonnard
c05f1506f4 Introduce return values for tinycrypt functions
Currently functions that may return success or failure tend to do so by
returning 0 or 1. If an active physical attacker can flip a bit in memory or
registers at the right time, they may easily change a failure value into a
success value, with potentially catastrophic security consequences.

As typical attackers can only flip a few bits, an element of protection
against such attacks is to ensure a sufficient Hamming distance between
failure values and the success value. This commit introduces such values,
which will put to use in critical functions in future commits.

In addition to SUCCESS and FAILURE, a third value ATTACK_DETECTED is
introduced, which can be used later when suspicious-looking events are noticed
(static data changed when it shouldn't, double condition checking returning
inconsistent results, etc.).

Values are chosen so that Hamming distances are large, and that no value is
the complement of another, in order to avoid unwanted compiler optimisations.

Note: the error values used by Mbed TLS are already safe (assuming 32-bit
integers) as they are of the form -x with x in the range [1, 2^15) so their
Hamming distance with the success value (0) is at least 17, so it's hard for
an attacker to turn an error value into the success value (or vice-versa).
2019-11-21 15:10:02 +01:00
Manuel Pégourié-Gonnard
913534837a Hardcode numwords in vli_modInv 2019-11-04 15:53:22 +01:00
Manuel Pégourié-Gonnard
3e20adf533 Hardcode numwords in vli_modMult 2019-11-04 15:53:20 +01:00
Manuel Pégourié-Gonnard
10349e4912 Hardcode numwords in vli_mmod 2019-11-04 15:53:19 +01:00
Manuel Pégourié-Gonnard
1b0875d863 Hardcode numwords in vli_modSub 2019-11-04 15:53:17 +01:00
Manuel Pégourié-Gonnard
0779be7f31 Hardcode numwords in vli_modAdd 2019-11-04 15:53:14 +01:00
Manuel Pégourié-Gonnard
2cb3eea922 Hardcode numwords in vli_cmp 2019-11-04 15:53:10 +01:00
Manuel Pégourié-Gonnard
129b42ea2e Hardcode numwords in vli_sub 2019-11-04 15:53:09 +01:00
Manuel Pégourié-Gonnard
2eca3d367b Hardcode numwords in vli_equal 2019-11-04 15:53:07 +01:00
Manuel Pégourié-Gonnard
a752191191 Hardcode numwords in vli_cpm_unsafe 2019-11-04 15:53:03 +01:00
Manuel Pégourié-Gonnard
cbbb0f034b Hardcode numwords in vli_set() 2019-11-04 15:52:43 +01:00
Manuel Pégourié-Gonnard
2bf5a129cf Hardcode numwords in semi-internal vli_numBits() 2019-11-04 15:52:43 +01:00
Manuel Pégourié-Gonnard
94e48498ef Hardcode numwords in semi-internal vli_clear() 2019-11-04 15:52:43 +01:00
Manuel Pégourié-Gonnard
f3899fc0ea hardcode numwords in semi-internal vli_isZero 2019-11-04 15:52:43 +01:00
Manuel Pégourié-Gonnard
78a7e351fe Use macros for number of bits and words 2019-11-04 12:31:37 +01:00
Manuel Pégourié-Gonnard
c3ec14c87f Harcode curve in semi-internal modMult function
Saves 80 bytes of code size.
2019-11-04 12:23:11 +01:00
Manuel Pégourié-Gonnard
27926d63b7 Remove less-safe mult function from public API
This doesn't change code size, but makes it easier to remove unneeded
parameters later (less possible entry points).
2019-11-04 11:26:46 +01:00
Manuel Pégourié-Gonnard
ef238283d5 Add ECCPoint_mult_safer() function
This avoids the need for each calling site to manually regularize the scalar
and randomize coordinates, which makes for simpler safe use and saves 50 bytes
of code size in the library.
2019-11-04 11:19:30 +01:00
Arto Kinnunen
0fa65aabf0 Review corrections
-Guard additional static variables with AES_ONLY_ENCRYPT
-Update config.h description about memory savings
-Update test: fix typo in all.sh and adjust compiler flags
2019-10-24 12:19:50 +03:00
Arto Kinnunen
1480444e8e Add config option for AES encryption only
-Add config option for AES encyption only to config.h. Feature is
 disabled by default.
-Enable AES encrypt only feature in baremetal.h configuration
-Remove AES encypt only feature from full config
2019-10-24 12:19:33 +03:00
Arto Kinnunen
5ed870da72 Adjust AES RAM usage according to config options
Do not reserve additionl space for mbedtls_aes_context if config
option AES_ONLY_128_BIT_KEY_LENGTH is used and PADLOCK_C is not used.
This reduces RAM usage by 96 bytes.

In baremetal configuration reserve space for 10 128-bit keys in order
to save 112 bytes of heap.
2019-10-24 09:49:23 +03:00
Arto Kinnunen
265d162d07 Update AES-128 bit configuration
- Do not include MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH to full config
  as it requires also MBEDTLS_CTR_DRBG_USE_128_BIT_KEY

- Update check_config to check availability of flags:
   MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
   MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
2019-10-24 09:49:23 +03:00
Arto Kinnunen
60b11064c5 Update configuration
Move MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH to proper place in config.h
2019-10-24 09:49:23 +03:00
Arto Kinnunen
77b9cfcea9 AES: add config option for 128-bit keys
Add configuration options to support only 128-bit key lengths in AES
calculation.
2019-10-24 09:49:23 +03:00
Simon Butcher
713e5c365d Merge remote-tracking branch 'public/pr/2880' into baremetal 2019-10-23 14:52:27 +01:00
Simon Butcher
a26fb4c64f Merge remote-tracking branch 'public/pr/2870' into baremetal 2019-10-23 14:51:37 +01:00
Manuel Pégourié-Gonnard
0a9b44ddaa Merge branch 'mbedtls-2.16' into baremetal-2.16-20191004
* mbedtls-2.16: (25 commits)
  Fix compilation error
  Add const to variable
  Fix endianity issue when reading uint32
  Increase test suite timeout
  Reduce stack usage of test_suite_pkcs1_v15
  Reduce stack usage of test_suite_pkcs1_v21
  Reduce stack usage of test_suite_rsa
  Reduce stack usage of test_suite_pk
  Enable MBEDTLS_MEMORY_DEBUG in memory buffer alloc test in all.sh
  Remove unnecessary memory buffer alloc and memory backtrace unsets
  Disable DTLS proxy tests for MEMORY_BUFFER_ALLOC test
  all.sh: restructure memory allocator tests
  Add missing dependency in memory buffer alloc set in all.sh
  Don't set MBEDTLS_MEMORY_DEBUG through `scripts/config.pl full`
  Add cfg dep MBEDTLS_MEMORY_DEBUG->MBEDTLS_MEMORY_BUFFER_ALLOC_C
  Add all.sh run with full config and ASan enabled
  Add all.sh run with MBEDTLS_MEMORY_BUFFER_ALLOC_C enabled
  Update documentation of exceptions for `config.pl full`
  Adapt all.sh to removal of buffer allocator from full config
  Disable memory buffer allocator in full config
  ...
2019-10-07 12:44:09 +02:00
Jarno Lamsa
c4315e6d5e Address review comments for documentation 2019-10-04 15:42:39 +03:00
Teppo Järvelin
707ceb88f0 Replaced mbedtls_ssl_safer_memcmp with mbedtls_platform_memcmp
Saves some bytes and mbedtls_platform_memcmp is a bit safer for side channel
attacks.
2019-10-04 08:52:00 +03:00
Jarno Lamsa
39a9d40f84 Update documentation for the RNG-function 2019-10-03 13:49:35 +03:00
Jarno Lamsa
e29e8a49b8 Use MBEDTLS_ENTROPY_HARDWARE_ALT
Use MBEDTLS_ENTROPY_HARDWARE_ALT instead of a new global RNG
flag. When this flag is enabled, the platform provides the RNG.
When running unit tests, rnd_std_rand should be used by overriding
the mbedtls_hardware_poll.
2019-10-03 13:49:34 +03:00
Teppo Järvelin
61f412eb58 Changed every memcmp to SCA equivalent mbedtls_platform_memcmp
This makes physical attacks more difficult.
Selftest memcmp functions were not changed.
2019-10-03 13:14:33 +03:00
Manuel Pégourié-Gonnard
51f65e4b86 Standardize prototypes of platform_memcpy/memset
As replacements of standard library functions, they should have the same
prototype, including return type.

While it doesn't usually matter when used directly, it does when the address
of the function is taken, as done with memset_func, used for implementing
mbedtls_platform_zeroize().
2019-10-03 07:59:58 +03:00