Commit Graph

4882 Commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
10d8e8ed64 Use safer return values in uECC_verify()
This is a first step in protecting against fault injection attacks: the
attacker can no longer change failure into success by flipping a single bit.
Additional steps are needed to prevent other attacks (instruction skip etc)
and will be the object of future commits.

The return value of uECC_vli_equal() should be protected as well, which will
be done in a future commit as well.
2019-11-21 15:12:44 +01:00
Simon Butcher
a3877007e6 Merge remote-tracking branch 'public/pr/2876' into baremetal 2019-11-20 12:00:18 +00:00
Manuel Pégourié-Gonnard
1e96b46b03 Disable use of HRNG in SCA-hardened mem-functions
This is a temporary work-around for an integration issue.

A future task will re-integrate randomness into these functions are their
entire point is to be randomized; this is really just temporary.
2019-11-19 11:49:05 +01:00
Teppo Järvelin
d49d2b6d4f Changed mbedtls_platform_memset/cpy/cmp in selftest functions back to original methods 2019-10-30 14:07:04 +02:00
Teppo Järvelin
6f4e030166 Changed mbedtls_platform_memcpy to memcpy in places which don't handle critical data
and under baremetal define
2019-10-30 14:07:04 +02:00
Teppo Järvelin
b5c4671a80 Changed mbedtls_platform_memcpy back to memcpy for selftest and test functions 2019-10-30 14:07:04 +02:00
Teppo Järvelin
3137fb271a Added include platform_util.h to padlock.c to fix compile with all defines variants 2019-10-30 14:07:04 +02:00
Teppo Järvelin
91d7938761 Changed every memcpy to SCA equivalent mbedtls_platform_memcpy
This makes physical attacks more difficult.
2019-10-30 14:07:04 +02:00
Simon Butcher
aeecf04be3 Merge remote-tracking branch 'public/pr/2907' into baremetal 2019-10-29 15:42:52 +00:00
Arto Kinnunen
8a8488c1cf Fix mbedtls_ssl_check_record usage with ext buf
Record checking fails if mbedtls_ssl_check_record() is called with
external buffer. Received record sequence number is available in the
incoming record but it is not available in the ssl contexts `in_ctr`-
variable that is used when decoding the sequence number.

To fix the problem, temporarily update ssl context `in_ctr` to
point to the received record header and restore value later.
2019-10-29 11:13:33 +02:00
Arto Kinnunen
0fa65aabf0 Review corrections
-Guard additional static variables with AES_ONLY_ENCRYPT
-Update config.h description about memory savings
-Update test: fix typo in all.sh and adjust compiler flags
2019-10-24 12:19:50 +03:00
Arto Kinnunen
c0a8bd40fc Tests for AES encypt only 2019-10-24 12:19:43 +03:00
Arto Kinnunen
1480444e8e Add config option for AES encryption only
-Add config option for AES encyption only to config.h. Feature is
 disabled by default.
-Enable AES encrypt only feature in baremetal.h configuration
-Remove AES encypt only feature from full config
2019-10-24 12:19:33 +03:00
Arto Kinnunen
5bdafa21e0 Update version_features.c 2019-10-24 09:49:23 +03:00
Arto Kinnunen
77b9cfcea9 AES: add config option for 128-bit keys
Add configuration options to support only 128-bit key lengths in AES
calculation.
2019-10-24 09:49:23 +03:00
Simon Butcher
e2bf54d3d1 Merge remote-tracking branch 'public/pr/2877' into baremetal 2019-10-23 14:53:29 +01:00
Simon Butcher
713e5c365d Merge remote-tracking branch 'public/pr/2880' into baremetal 2019-10-23 14:52:27 +01:00
Simon Butcher
a26fb4c64f Merge remote-tracking branch 'public/pr/2870' into baremetal 2019-10-23 14:51:37 +01:00
Manuel Pégourié-Gonnard
3d01f2313b Use plain memset() in HMAC-DRBG seeding
The line above the memset() relies on the fact that V is all-zero at that
point (see the comment above), so it doesn't contain a sensitive value.
2019-10-22 10:03:07 +02:00
Manuel Pégourié-Gonnard
895454da01 Use plain memset() for public data in ssl_tls.c
- out_ctr is public because it's transmited over the wire in DTLS (and in TLS
  it can be inferred by a passive network attacker just by counting records).
- handshake mask is not a secret because it can be inferred by a passive
  network attacker just logging record sequence number seen so far.
2019-10-22 10:03:07 +02:00
Manuel Pégourié-Gonnard
ee0c35fbf5 Use plain memset() for session ID and Hello.Random
Those are public values (transmitted in the clear over the wire).
2019-10-22 10:03:07 +02:00
Manuel Pégourié-Gonnard
6bf30be457 Use plain memset() for signature transcoding
By nature, signatures don't need to be kept secret.
2019-10-22 10:03:07 +02:00
Manuel Pégourié-Gonnard
54526c3c89 Use plain memset() for freshly allocated objects
This commits reverts to plain memset() for cases like:

    some_type foo;
    memset( &foo, 0, sizeof( foo ) );

(Sometimes there is code between declaration in memset(), but it doesn't
matter as long as it doesn't touch foo.)

The reasoning is the same as in the previous commit: the stack shouldn't
contain sensitive data as we carefully wipe it after use.
2019-10-22 10:03:07 +02:00
Manuel Pégourié-Gonnard
994193326b Use plain memset() in context init functions
We call xxx_init() on a structure when it has been freshly allocated (on the
stack or heap).

At this point it contains random-looking data none of which should be
sensitive, as all sensitive data is wiped using mbedtls_platform_zeroize()
when we're done using it and the memory area is going to be reclaimed (by
exiting the function or free()ing the buffer).
2019-10-22 10:03:07 +02:00
Manuel Pégourié-Gonnard
14f33e74c0 Use platform_memset() in platform_zeroize()
We're using zeroize in many places in order to erase secrets, so we really
need it to be as secure as possible.
2019-10-22 10:03:07 +02:00
Manuel Pégourié-Gonnard
5220781b98 Fix missing include in some files
Add it in all files that use mbedtls_plaform_memset() but didn't already
include platfom_util.h.

In some configurations it just happened to work, either because it was
included indirectly or because the part of the code that used that function
was disabled, but it some configurations it broke, so let's fix it properly.
2019-10-22 10:03:07 +02:00
Manuel Pégourié-Gonnard
7a346b866c Replace memset() with mbedtls_platform_memset()
Steps:

1. sed -i 's/\bmemset(\([^)]\)/mbedtls_platform_memset(\1/g' library/*.c tinycrypt/*.c include/mbedtls/*.h scripts/data_files/*.fmt

2. Manually edit library/platform_util.c to revert to memset() in the
implementations of mbedtls_platform_memset() and mbedtls_platform_memcpy()

3. egrep -n '\<memset\>' library/*.c include/mbedtls/*.h tinycrypt/*.c
The remaining occurrences are in three categories:
    a. From point 2 above.
    b. In comments.
    c. In the initialisation of memset_func, to be changed in a future commit.
2019-10-22 10:03:07 +02:00
Simon Butcher
f0963f7141 Merge remote-tracking branch 'public/pr/2867' into baremetal 2019-10-08 18:57:31 +01:00
Simon Butcher
f7881ad2b7 Merge remote-tracking branch 'public/pr/2865' into baremetal 2019-10-08 18:42:04 +01:00
Manuel Pégourié-Gonnard
0a9b44ddaa Merge branch 'mbedtls-2.16' into baremetal-2.16-20191004
* mbedtls-2.16: (25 commits)
  Fix compilation error
  Add const to variable
  Fix endianity issue when reading uint32
  Increase test suite timeout
  Reduce stack usage of test_suite_pkcs1_v15
  Reduce stack usage of test_suite_pkcs1_v21
  Reduce stack usage of test_suite_rsa
  Reduce stack usage of test_suite_pk
  Enable MBEDTLS_MEMORY_DEBUG in memory buffer alloc test in all.sh
  Remove unnecessary memory buffer alloc and memory backtrace unsets
  Disable DTLS proxy tests for MEMORY_BUFFER_ALLOC test
  all.sh: restructure memory allocator tests
  Add missing dependency in memory buffer alloc set in all.sh
  Don't set MBEDTLS_MEMORY_DEBUG through `scripts/config.pl full`
  Add cfg dep MBEDTLS_MEMORY_DEBUG->MBEDTLS_MEMORY_BUFFER_ALLOC_C
  Add all.sh run with full config and ASan enabled
  Add all.sh run with MBEDTLS_MEMORY_BUFFER_ALLOC_C enabled
  Update documentation of exceptions for `config.pl full`
  Adapt all.sh to removal of buffer allocator from full config
  Disable memory buffer allocator in full config
  ...
2019-10-07 12:44:09 +02:00
Teppo Järvelin
0efac53cdc Review fixes: fixed comments to be more accurate and changed one memcmp to safer version 2019-10-04 13:21:08 +03:00
Teppo Järvelin
707ceb88f0 Replaced mbedtls_ssl_safer_memcmp with mbedtls_platform_memcmp
Saves some bytes and mbedtls_platform_memcmp is a bit safer for side channel
attacks.
2019-10-04 08:52:00 +03:00
Teppo Järvelin
650343cdcd Changed mbedtls_platform_memcmp to memcmp for places that don't have critical data and are under baremetal
Changed back because we don't wan't to slow down the performance more than we must.
2019-10-04 07:35:55 +03:00
Jarno Lamsa
436d18dcaa Prevent a 0-modulus
If given range for a random is [0, 0), return 0.
Modulus 0 is undefined behaviour.
2019-10-03 13:49:35 +03:00
Jarno Lamsa
e29e8a49b8 Use MBEDTLS_ENTROPY_HARDWARE_ALT
Use MBEDTLS_ENTROPY_HARDWARE_ALT instead of a new global RNG
flag. When this flag is enabled, the platform provides the RNG.
When running unit tests, rnd_std_rand should be used by overriding
the mbedtls_hardware_poll.
2019-10-03 13:49:34 +03:00
Teppo Järvelin
61f412eb58 Changed every memcmp to SCA equivalent mbedtls_platform_memcmp
This makes physical attacks more difficult.
Selftest memcmp functions were not changed.
2019-10-03 13:14:33 +03:00
Manuel Pégourié-Gonnard
51f65e4b86 Standardize prototypes of platform_memcpy/memset
As replacements of standard library functions, they should have the same
prototype, including return type.

While it doesn't usually matter when used directly, it does when the address
of the function is taken, as done with memset_func, used for implementing
mbedtls_platform_zeroize().
2019-10-03 07:59:58 +03:00
Jaeden Amero
da5930654e Merge remote-tracking branch 'origin/pr/2578' into mbedtls-2.16
* origin/pr/2578:
  Remove a redundant function call
2019-10-02 17:59:28 +01:00
Jarno Lamsa
a1e5054d91 Fix issues in CI 2019-10-02 12:52:39 +03:00
Jarno Lamsa
7cb902737b Use bitwise comparison in memcmp
It is safer than == operator.
2019-10-02 08:32:51 +03:00
Jarno Lamsa
32db938463 Fix buffer initalisation
Initialise the buffer tail with random data instead of
given value.
2019-10-02 08:25:57 +03:00
Jarno Lamsa
f5ebe2a7ce Make RNG exclude the given maximum value
The RNG will give numbers in range of [0, num), so that
the given maximum is excluded.
2019-10-02 08:23:11 +03:00
Jarno Lamsa
0ff7109b7c Fix style issues 2019-10-02 08:18:29 +03:00
Jarno Lamsa
f65e9de57b Change rng-function return-type 2019-10-01 16:09:35 +03:00
Jarno Lamsa
a19673222b Change the rng-function name
Change the name to mbedtls_platform_random_in_range
2019-10-01 15:31:08 +03:00
Jarno Lamsa
21d6a201ee Add missing typecast for memset 2019-10-01 15:20:13 +03:00
Jarno Lamsa
d82e559a48 Add a config flag for the global RNG
The global RNG should be provided by the application depending on
the RNG used there. (I.e. TRNG)
2019-10-01 14:54:41 +03:00
Arto Kinnunen
d19867293d Harmonize static function compiler flags
Warnings are treated as errors in Mbed TLS test. An error
"ssl_parse_client_hello_v2’ defined but not used" can occur in some
specific configurations and therefore tests will break.

Use similar flags for static function "ssl_parse_client_hello_v2" as
what is used when calling the function to prevent the compilation
warning/error.
2019-09-30 10:26:29 +03:00
Jarno Lamsa
0736325d80 Add FI/SCA compliant versions of mem-functions
Add FI/SCA compliant memset, memcmp and memcpy-functions
to platform_util. Also add a stub implementation of a global
RNG-function.
2019-09-30 09:40:03 +03:00
Arto Kinnunen
c0d2fa7f0b Update Makefiles and revert changes to config.pl
-Add comments to Makefiles about test env auto-detection
-Fix indentation
-Remove parent folder from include dirs
-Do not use environment variable for defining config file because
 env variable usage is not fully implemented
-Revert changes to config.pl
2019-09-26 10:33:56 +03:00