Commit Graph

10523 Commits

Author SHA1 Message Date
Andrzej Kurek
ca60937cf9
Add buffer and context clearing upon suspected FI
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-07-08 09:25:49 -04:00
Andrzej Kurek
0919b142b6
Formatting changes
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-07-06 15:28:59 -04:00
Andrzej Kurek
84bde419e1
Add FI countermeasures to the ssl module
This commit adds mainly buffer pointer and length duplication and checks,
but also some hamming distance and return values checking improvements.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-07-06 15:27:34 -04:00
Andrzej Kurek
74f7d0f03d
Duplicate sensitive buffer and buffer length information
Detect FI attacks on buffer pointers and buffer lengths.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-07-06 14:28:12 -04:00
Shelly Liberman
a24c8414cf
Merge pull request #3439 from piotr-now/fic_switch
Add FI countermeasures for sensitive switch instructions
2020-07-05 10:55:13 +03:00
Andrzej Kurek
1206cf1ff4
Merge pull request #3467 from AndrzejKurek/cipher-wrap-aes-128-optimize
Wrap AES 192 and 256 info structures in an !AES_ONLY_128_BIT_KEY_LENGTH define
2020-07-01 10:36:58 +01:00
Piotr Nowicki
78fc139121 Add FI countermeasures for sensitive switch instructions
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-06-30 14:11:52 +02:00
Andrzej Kurek
77647bd03b
Wrap AES 192 and 256 info structures in !AES_ONLY_128_BIT_KEY_LENGTH
This reduces the code size by not compiling in unnecessary info structures
when using only 128 bit AES.
Co-authored by: AnttiKauppila <antti.kauppila@arm.com>
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-06-30 05:03:19 -04:00
Andrzej Kurek
98c847a483
Merge pull request #3395 from AndrzejKurek/sha-flow_ctrl
Add flow control to sha256
2020-06-22 11:30:53 +01:00
Andrzej Kurek
e5425a0944
Merge pull request #3408 from AndrzejKurek/hamming-distance-improvements
Hamming distance improvements
2020-06-22 08:28:55 +01:00
Andrzej Kurek
3a0df03364
Increase the Hamming distance of uECC_generate_random_int returns
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-06-12 06:32:13 -04:00
Piotr Nowicki
f523c47578
Merge pull request #3403 from piotr-now/sca_memmove
Add mbedtls_platform_memmove() as a secured memcmp()
2020-06-10 14:52:02 +02:00
Piotr Nowicki
ce0aab4474 Add new error code PLATFORM_ALLOC_FAILED for mbedtls_platform_memmove()
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-06-10 13:51:32 +02:00
Andrzej Kurek
78f77eb4e6
Add flow control to sha256
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-06-10 05:12:34 -04:00
Piotr Nowicki
c520b90507
Merge pull request #3390 from piotr-now/rndelay_comment
Add comment for mbedtls_platform_random_delay() and returning an FAULT_DETECTED error on potential FI attack detection
2020-06-10 09:13:10 +02:00
Piotr Nowicki
5d5841f450 Add mbedtls_platform_memmove() as a secured memcmp()
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-06-09 14:31:55 +02:00
Piotr Nowicki
e048b91d25 Add returning a FAULT_DETECTED error on suspected FI attacks
The change applies to the places where we prevent double synchronous
FI attacks with random delay, and where we do not respond to their
detection. The response to such an attack should be to return the
appropriate error code.

Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-06-09 12:00:42 +02:00
Andrzej Kurek
8f52a8a8c0
Improve the Hamming distance of ssl_hs_is_proper_fragment return values
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-06-08 11:02:22 -04:00
Andrzej Kurek
090365fe60
Improve the usage of uECC_RNG_Function
Since the mbed TLS implementation of rng wrapper returns the size of random
data generated upon success - check for it explicitly.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-06-08 11:00:51 -04:00
Piotr Nowicki
b06ec05dc0 Add comment for mbedtls_platform_random_delay()
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-06-08 14:21:38 +02:00
Andrzej Kurek
478b05c34c
Merge pull request #3355 from AndrzejKurek/fi_error_codes
Change the default value of status variables to an error
2020-06-08 08:57:33 +01:00
Andrzej Kurek
fd56f409b3
Change the default value of status variables to an error
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-06-05 12:26:07 -04:00
Andrzej Kurek
0da03c70e9
Merge pull request #3379 from AndrzejKurek/fi_check_loops
Add flow control to tinycrypt verification
2020-06-01 17:05:41 +01:00
Andrzej Kurek
e601bcee00
Add flow control to tinycrypt verification
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-06-01 07:31:15 -04:00
Piotr Nowicki
e071e42480
Merge pull request #3336 from piotr-now/baremetal_flowmon
Increasing resistance to fault injection attacks related with memory operations.
2020-06-01 08:09:26 +02:00
Piotr Nowicki
f0ab6d62ac Added some descriptions of functions
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-05-27 15:35:44 +02:00
Piotr Nowicki
1a9d33e8c8 Start comparison from a random location in the uECC_vli_equal.
This increases security and increases resistance to the side channel leakage.

Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-05-27 15:34:49 +02:00
Andrzej Kurek
fc7c69df25
Merge pull request #3330 from AndrzejKurek/merge-2.16-8b34fef
Merge mbedtls-2.16 commit 8b34fef into baremetal
2020-05-27 10:00:59 +01:00
Andrzej Kurek
8ac4a55402
test_suite_x509parse: shorten test names
Change "Certificate" to "CRT" to shorten the test name and blend in
between surrounding tests.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-05-25 10:21:14 -04:00
Andrzej Kurek
220e61478f
Add a x509 prerequisite in x509_internal.h
Lack of this requirement caused warning when compiling the 
x509 test suites with config-thread.h from example configs,
resulting in an error when running from test-ref-configs.pl.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-05-21 10:13:38 -04:00
Manuel Pégourié-Gonnard
13bebd0edb
Keep SSL context const when hw accel is disabled
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-05-21 10:13:26 -04:00
Andrzej Kurek
e861e704c0
Rename md_info_t to md_handle_t in test_suite_entropy
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-05-21 10:13:11 -04:00
Manuel Pégourié-Gonnard
731d7c0dcc
Fix lack of cookie check on hard reconnect
Section 4.2.8 of RFC 6347 describes how to handle the case of a DTLS client
establishing a new connection using the same UDP quartet as an already active
connection, which we implement under the compile option
MBEDTLS_SSL_DLTS_CLIENT_PORT_REUSE. Relevant excerpts:

    [the server] MUST NOT destroy the existing
    association until the client has demonstrated reachability either by
    completing a cookie exchange or by completing a complete handshake
    including delivering a verifiable Finished message.
    [...]
    The reachability requirement prevents
    off-path/blind attackers from destroying associations merely by
    sending forged ClientHellos.

Our code chooses to use a cookie exchange for establishing reachability, but
unfortunately that check was effectively removed in a recent refactoring,
which changed what value ssl_handle_possible_reconnect() needs to return in
order for ssl_get_next_record() (introduced in that refactoring) to take the
proper action. Unfortunately, in addition to changing the value, the
refactoring also changed a return statement to an assignment to the ret
variable, causing the function to reach the code for a valid cookie, which
immediately destroys the existing association, effectively bypassing the
cookie verification.

This commit fixes that by immediately returning after sending a
HelloVerifyRequest when a ClientHello without a valid cookie is found. It also
updates the description of the function to reflect the new return value
convention (the refactoring updated the code but not the documentation).

The commit that changed the return value convention (and introduced the bug)
is 2fddd3765e, whose commit message explains the
change.

Note: this bug also indirectly caused the ssl-opt.sh test case "DTLS client
reconnect from same port: reconnect" to occasionally fail due to a race
condition between the reception of the ClientHello carrying a valid cookie and
the closure of the connection by the server after noticing the ClientHello
didn't carry a valid cookie after it incorrectly destroyed the previous
connection, that could cause that ClientHello to be invisible to the server
(if that message reaches the server just before it does `net_close()`). A
welcome side effect of this commit is to remove that race condition, as the
new connection will immediately start with a ClientHello carrying a valid
cookie in the SSL input buffer, so the server will not call `net_close()` and
not risk discarding a better ClientHello that arrived in the meantime.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-05-21 10:12:25 -04:00
Piotr Nowicki
4aaa34c03f Add flow monitor protection to mbedtls_platform_memcmp()
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-05-20 16:50:24 +02:00
Andrzej Kurek
825ebd483f
Merge mbedtls 2.16.6 into baremetal
Conflicts:
mbedtls.doxyfile - PROJECT_NAME - mbed TLS v2.16.6 chosen.
doc_mainpage.h - mbed TLS v2.16.6 version chosen.
hmac_drbg.h - line 260, extended description chosen.
            - line 313, extended description chosen.
            - line 338, extended description chosen.
version.h - 2.16.6 chosen.
CMakeLists.txt - 2.16.6 chosen.
test_suite_version.data - 2.16.6 chosen.
Makefile - 141 - manual correction - baremetal version of C_SOURCE_FILES
                 with variables for directories plus 2.16.6 CTAGS addition.
pkparse.c - lines 846 onwards - the asn1_get_nonzero_mpi implementation chosen.
ssl_tls.c - line 5269 - edited manually, left the ret=0, because baremetal has
            a different behaviour since commit 87b5626, but added a debug
            message that's new in 2.16.6.    
all.sh:
- component_build_deprecated - chosen the refactored version from 2.16.6,
                               but with extra flags from baremetal.
- rest of the _no_xxx tests - merged make options to have PTHREAD=1 and
                              other changes from 2.16.6 (like -O1 instead of -O0).
- component_build_arm_none_eabi_gcc_no_64bit_multiplication - added 
                              TINYCRYPT_BUILD=0 to the 2.16.6 version of make.

x509/req_app.c - left baremetal log but with mbedtls_exit( 0 ) call.
x509/crl_app.c - left baremetal log but with mbedtls_exit( 0 ) call.
x509/cert_app.c - left baremetal log but with mbedtls_exit( 0 ) call.
ssl/ssl_mail_client.c - left baremetal log but with mbedtls_exit( 0 ) call.
ssl/ssl_pthread_server.c - left baremetal log but with mbedtls_exit( 0 ) call.
ssl/ssl_fork_server.c - left baremetal log but with mbedtls_exit( 0 ) call.
ssl_client1.c - line 54 - left baremetal log but with mbedtls_exit( 0 ) call.
ssl_client2.c - line 54 - left baremetal log but with mbedtls_exit( 0 ) call.
              - line 132 - new options of both branches added.
              - skip close notify handled as in 2.16.6, but with `ssl` instead of `&ssl`.
              - Merged the 2.16.6 usage split with additional baremetal usages.
              - Merged options from baremetal and 2.16.6.
ssl_server.c - left baremetal log but with mbedtls_exit( 0 ) call.
ssl_server2.c - Merged the 2.16.6 usage split with additional baremetal usages.
config.pl - fixed missing defines from the documentation, removed duplicates,
            and reorganised so that the documentation and excluded list
            are ordered in the same way.
test_suite_x509parse.data - only added the two new pathlen tests.
x509_crt.c - change the return code by removing
             MBEDTLS_ERR_X509_INVALID_EXTENSIONS, since it's added by
             x509_crt_frame_parse_ext not by an "or", but by "+=".
Changelog - Assigned all entries to appropriate sections.
ssl-opt.sh - line 8263 - merged options.
           - removed lines 1165 - 1176 - there was a duplicate test, probably
             an artifact of previous merges.
check-files.py - sticked to old formatting.

Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-05-18 11:47:25 -04:00
Simon Butcher
2d21e3e47b
Merge pull request #3044 from sbutcher-arm/merge-2.16-sprint27
[baremetal] Update `baremetal` branch with updates from `mbedtls-2.16` branch
2020-04-03 15:31:46 +01:00
Janos Follath
f3a13486f4 Revert "Merge pull request #3012 from Patater/dev/jp-bennett/development-2.16"
This reverts commit 7550e857bf, reversing
changes made to d0c2575324.

stat() will never return S_IFLNK as the file type, as stat()
explicitly follows symlinks.

Fixes #3005.
2020-03-13 17:08:43 +00:00
Gilles Peskine
a4c1c4b55d Test GCC and Clang with common build options
Goals:
* Build with common compilers with common options, so that we don't
  miss a (potentially useful) warning only triggered with certain
  build options.
* A previous commit removed -O0 test jobs, leaving only the one with
  -m32. We have inline assembly that is disabled with -O0, falling
  back to generic C code. This commit restores a test that runs the
  generic C code on a 64-bit platform.
2020-03-13 17:06:18 +00:00
Gilles Peskine
06c1e23960 Replace -O0 by -O1 or -Os in most components
Gcc skips some analyses when compiling with -O0, so we may miss
warnings about things like uninitialized variables.
2020-03-13 17:06:18 +00:00
Gilles Peskine
f5faa25cf4 shrink tests: clearer description 2020-03-13 16:23:45 +00:00
Gilles Peskine
7313e2caff Move test functions from Lilliput to Blefuscu
We normally represent bignums in big-endian order and there is no
reason to deviate here.
2020-03-13 16:23:45 +00:00
Gilles Peskine
8830bd2447 Minor comment improvement 2020-03-13 16:23:45 +00:00
Gilles Peskine
0660747057 Improve comments in mpi_shrink 2020-03-13 16:23:45 +00:00
Gilles Peskine
51c2e06eb8 mpi_copy: make the 0 case slightly more robust
If Y was constructed through functions in this module, then Y->n == 0
iff Y->p == NULL. However we do not prevent filling mpi structures
manually, and zero may be represented with n=0 and p a valid pointer.
Most of the code can cope with such a representation, but for the
source of mbedtls_mpi_copy, this would cause an integer underflow.
Changing the test for zero from Y->p==NULL to Y->n==0 causes this case
to work at no extra cost.
2020-03-13 16:23:45 +00:00
Gilles Peskine
edb621b84a Better coverage for copy and swap
Cover more cases: different signs, different zeronesses, repeated
argument.
2020-03-13 16:23:45 +00:00
Gilles Peskine
16fca92e3d Bignum copy/shrink: More precise test case descriptions 2020-03-13 16:23:45 +00:00
Gilles Peskine
95ce7dab34 Fix duplicated Bugfix section in the changelog 2020-03-13 16:23:45 +00:00
Gilles Peskine
a32e45d632 Add changelog entry 2020-03-13 16:21:44 +00:00
Manuel Pégourié-Gonnard
d817f54077 De-duplicate SHA1-independent test in ssl-opt.sh
The splitting of this test into two versions depending on whether SHA-1 was
allowed by the server was a mistake in
5d2511c4d4 - the test has nothing to do with
SHA-1 in the first place, as the server doesn't request a certificate from
the client so it doesn't matter if the server accepts SHA-1 or not.
2020-03-13 16:21:44 +00:00
Manuel Pégourié-Gonnard
7006ca10d9 Fix ssl-opt.sh for GnuTLS versions rejecting SHA-1
While the whole script makes (often implicit) assumptions about the version of
GnuTLS used, generally speaking it should work out of the box with the version
packaged on our reference testing platform, which is Ubuntu 16.04 so far.

With the update from Jan 8 2020 (3.4.10-4ubuntu1.6), the patches for rejecting
SHA-1 in certificate signatures were backported, so we should avoid presenting
SHA-1 signed certificates to a GnuTLS peer in ssl-opt.sh.
2020-03-13 16:21:44 +00:00