Commit Graph

6744 Commits

Author SHA1 Message Date
Simon Butcher
1bb41e5d04 Merge remote-tracking branch 'public/pr/1800' into mbedtls-2.7 2018-07-24 13:30:40 +01:00
Simon Butcher
b47e0a68ab Merge remote-tracking branch 'public/pr/1805' into mbedtls-2.7 2018-07-24 13:16:25 +01:00
Simon Butcher
a8ee41ce80 Revise ChangeLog entry for empty data records fixes 2018-07-24 12:59:21 +01:00
Simon Butcher
d5a3ed36b8 Merge remote-tracking branch 'public/pr/1863' into mbedtls-2.7 2018-07-24 12:57:15 +01:00
Simon Butcher
bd40916dfa Merge remote-tracking branch 'public/pr/1872' into mbedtls-2.7 2018-07-24 12:12:43 +01:00
k-stachowiak
f4a668870f Fix code formatting 2018-07-24 12:54:39 +02:00
Simon Butcher
b65d6ce83f Merge remote-tracking branch 'public/pr/1870' into mbedtls-2.7 2018-07-24 10:30:11 +01:00
Simon Butcher
c6a0fd8e83 Add ChangeLog entry for #1098 fix. 2018-07-24 10:17:36 +01:00
Simon Butcher
66e2b654a8 Merge remote-tracking branch 'public/pr/1877' into mbedtls-2.7 2018-07-24 08:26:26 +01:00
Simon Butcher
e08754762d Correct logic to exclude i386 inline assenbly when -O0
The i386 MPI inline assembly code was being incorrectly included when
all compiler optimisation was disabled.
2018-07-23 13:41:33 +01:00
Simon Butcher
948f264302 Add additional i386 tests to all.sh
Added an additional i386 test to all.sh, to allow one test with -O0 which
compiles out inline assembly, and one to test with -01 which includes the inline
assembly.
2018-07-23 13:41:25 +01:00
Jaeden Amero
5113bdec6e all.sh: Return error on keep-going failure
When calling all.sh from a script and using "--keep-going", errors were
sometimes missed due to all.sh always returning 0 "success" return code.
Return 1 if there is any failure encountered during a "keep-going" run.
2018-07-23 10:24:31 +01:00
Simon Butcher
7c6b84102d Expand i386 all.sh tests to full config ASan builds
The i386 test builds were only building the default configuration and had
no address sanitisation. This commit expands the test configuration to the full
configuration in all.sh and builds with ASan for when the test suites are
executed.
2018-07-20 21:34:04 +01:00
Simon Butcher
48883cd800 Merge remote-tracking branch 'public/pr/1780' into mbedtls-2.7 2018-07-20 14:40:51 +01:00
Dawid Drozd
2ba7d8ed2d Remove unnecessary mark as unused #1098 (backport) 2018-07-20 14:08:02 +02:00
Simon Butcher
e9aa8c1d6d Merge remote-tracking branch 'public/pr/1838' into mbedtls-2.7 2018-07-19 20:01:33 +01:00
Simon Butcher
7924d93209 Fix ChangeLog entry for issue #1663
The ChangeLog entry was under the wrong version, and under Changes, not
Bug Fixes.
2018-07-19 19:54:18 +01:00
Simon Butcher
bc5ec41c01 Merge remote-tracking branch 'public/pr/1847' into mbedtls-2.7 2018-07-19 19:48:25 +01:00
Simon Butcher
cd9a2c6dd1 Merge remote-tracking branch 'public/pr/1848' into mbedtls-2.7 2018-07-19 16:17:07 +01:00
Simon Butcher
be347c6e21 Merge remote-tracking branch 'public/pr/1849' into mbedtls-2.7 2018-07-19 16:13:07 +01:00
Ron Eldor
8839e31fbc Update ChangeLog
Remove extra entries added by a bad cherry-pick.
2018-07-17 14:13:53 +03:00
Ron Eldor
a9779f1aff Repharse comments
Rephrase comments to clarify them.
2018-07-17 13:32:31 +03:00
Andres Amaya Garcia
14783c47e7 Add test for empty app data records to ssl-opt.sh 2018-07-16 20:14:54 +01:00
Andres Amaya Garcia
8e346dc793 Add ChangeLog entry for empty app data fix 2018-07-16 20:14:53 +01:00
Andres Amaya Garcia
46a6d5cbe5 Fix ssl_client2 to send 0-length app data 2018-07-16 20:14:45 +01:00
Angus Gratton
8946b0dd30 Check for invalid short Alert messages
(Short Change Cipher Spec & Handshake messages are already checked for.)
2018-07-16 20:12:56 +01:00
Angus Gratton
b91cb6e1e6 TLSv1.2: Treat zero-length fragments as invalid, unless they are application data
TLS v1.2 explicitly disallows other kinds of zero length fragments (earlier standards
don't mention zero-length fragments at all).
2018-07-16 20:12:55 +01:00
Angus Gratton
1ba8e911ec CBC mode: Allow zero-length message fragments (100% padding)
Fixes https://github.com/ARMmbed/mbedtls/issues/1632
2018-07-16 20:12:47 +01:00
k-stachowiak
55bea65ca9 Update change log 2018-07-16 12:30:48 +02:00
k-stachowiak
6978949cd0 Prevent buffer overread by one byte 2018-07-16 12:30:39 +02:00
Manuel Pégourié-Gonnard
aba8c5bb3d Clarify attack conditions in the ChangeLog.
Referring to the previous entry could imply that the current one was limited
to SHA-384 too, which it isn't.
2018-07-12 10:18:37 +02:00
Manuel Pégourié-Gonnard
7c34432b2d Avoid debug message that might leak length
The length to the debug message could conceivably leak through the time it
takes to print it, and that length would in turn reveal whether padding was
correct or not.
2018-07-12 10:18:37 +02:00
Manuel Pégourié-Gonnard
aeeaaf271c Add counter-measure to cache-based Lucky 13
The basis for the Lucky 13 family of attacks is for an attacker to be able to
distinguish between (long) valid TLS-CBC padding and invalid TLS-CBC padding.
Since our code sets padlen = 0 for invalid padding, the length of the input to
the HMAC function, and the location where we read the MAC, give information
about that.

A local attacker could gain information about that by observing via a
cache attack whether the bytes at the end of the record (at the location of
would-be padding) have been read during MAC verification (computation +
comparison).

Let's make sure they're always read.
2018-07-12 10:18:37 +02:00
Manuel Pégourié-Gonnard
5fcfd0345d Fix Lucky 13 cache attack on MD/SHA padding
The basis for the Lucky 13 family of attacks is for an attacker to be able to
distinguish between (long) valid TLS-CBC padding and invalid TLS-CBC padding.
Since our code sets padlen = 0 for invalid padding, the length of the input to
the HMAC function gives information about that.

Information about this length (modulo the MD/SHA block size) can be deduced
from how much MD/SHA padding (this is distinct from TLS-CBC padding) is used.
If MD/SHA padding is read from a (static) buffer, a local attacker could get
information about how much is used via a cache attack targeting that buffer.

Let's get rid of this buffer. Now the only buffer used is the internal MD/SHA
one, which is always read fully by the process() function.
2018-07-12 10:18:37 +02:00
Simon Butcher
d064b5c87b Disable use of the i386 assembly for option -O0
We don't compile in the assembly code if compiler optimisations are disabled as
the number of registers used in the assembly code doesn't work with the -O0
option. Also anyone select -O0 probably doesn't want to compile in the assembly
code anyway.
2018-07-10 23:20:01 +01:00
Andres Amaya Garcia
808a09ca85 Remove redundant ret = 1 in dh_client.c 2018-07-10 17:34:25 +01:00
Andres Amaya Garcia
cfb61b33cf Add missing platform macro defines in cert_app.c 2018-07-10 17:34:25 +01:00
Andres Amaya Garcia
9f92a805e9 Add missing platform macro defines in pk_decrypt.c 2018-07-10 17:34:25 +01:00
Andres Amaya Garcia
2b0599bc91 Fix typo in platform macro defines for examples 2018-07-10 17:34:25 +01:00
Andres Amaya Garcia
0dcc6a9f7d Fix ret code in gen_random_havege.c 2018-07-10 17:34:25 +01:00
Andres Amaya Garcia
053e1cd7ab Fix ret code in rsa_encrypt.c 2018-07-10 17:34:25 +01:00
Andres Amaya Garcia
156099b76f Fix ret code in rsa_decrypt.c 2018-07-10 17:34:25 +01:00
Andres Amaya Garcia
8ec767c042 Fix ret code in cert_app.c 2018-07-10 17:34:25 +01:00
Andres Amaya Garcia
77d2de223c Fix ret code in generic_sum.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia
2702000d2c Fix ret code in pk_verify.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia
a5236b1dd3 Fix ret code in pk_sign.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia
a0ea01d273 Fix ret code in pk_encrypt.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia
141b4f4526 Fix ret code in pk_encrypt.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia
81982c84d4 Fix ret code in ecdh_curve25519.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia
c899c464f6 Fix ret code in mpi_demo.c 2018-07-10 17:34:24 +01:00