Commit graph

7124 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard a92990a082 Fix ssl-opt.sh for GnuTLS versions rejecting SHA-1
While the whole script makes (often implicit) assumptions about the version of
GnuTLS used, generally speaking it should work out of the box with the version
packaged on our reference testing platform, which is Ubuntu 16.04 so far.

With the update from Jan 8 2020 (3.4.10-4ubuntu1.6), the patches for rejecting
SHA-1 in certificate signatures were backported, so we should avoid presenting
SHA-1 signed certificates to a GnuTLS peer in ssl-opt.sh.
2020-01-30 11:19:45 +01:00
Jack Lloyd 100e147c71 Parse RSA parameters DP, DQ and QP from PKCS1 private keys
Otherwise these values are recomputed in mbedtls_rsa_deduce_crt, which
currently suffers from side channel issues in the computation of QP
(see https://eprint.iacr.org/2020/055). By loading the pre-computed
values not only is the side channel avoided, but runtime overhead of
loading RSA keys is reduced.

Discussion in https://github.com/ARMmbed/mbed-crypto/issues/347

Backport of https://github.com/ARMmbed/mbed-crypto/pull/352
2020-01-29 13:13:04 -05:00
Janos Follath a67508e066 Merge pull request #3002 from gilles-peskine-arm/coverity-20200115-2.7 into mbedtls-2.7 2020-01-29 14:53:48 +00:00
Manuel Pégourié-Gonnard 2150fb22c8 Add detection for zlib headers to all.sh 2020-01-29 09:51:56 +01:00
Jaeden Amero 130e136439
Merge pull request #3011 from Patater/dev/jp-bennett/development-2.7
Backport 2.7: Allow loading symlinked certificates
2020-01-28 15:55:41 +00:00
Janos Follath 071b3e170e
Merge pull request #2991 from yanesca/bump-version-2.7.13
Bump version to Mbed TLS 2.7.13
2020-01-28 11:32:27 +00:00
Jaeden Amero 7e6931d681 Add ChangeLog entry
Add a ChangeLog entry for Jonathan Bennett's contribution which allows
loading symlinked certificates.
2020-01-28 11:27:39 +00:00
Jonathan Bennett 791babcbb9 Allow loading symlinked certificates
When mbedtls_x509_crt_parse_path() checks each object in the supplied path, it only processes regular files. This change makes it also accept a symlink to a file. Fixes #3005.

This was observed to be a problem on Fedora/CentOS/RHEL systems, where the ca-bundle in the default location is actually a symlink.
2020-01-28 11:26:47 +00:00
Gilles Peskine 16ba09c621 Check that mbedtls_mpi_grow succeeds 2020-01-22 19:09:05 +01:00
Gilles Peskine 0f595f714a Remove redundant block_size validity check
Check the value only once, as soon as we've obtained it.
2020-01-22 19:09:05 +01:00
Gilles Peskine f4dd8a9a19 Add changelog entry for the unchecked mbedtls_md call 2020-01-22 19:07:13 +01:00
Gilles Peskine d22a7933d2 Add missing return code check on call to mbedtls_md() 2020-01-22 19:06:32 +01:00
Janos Follath ee88f8145d Bump version to Mbed TLS 2.7.13 2020-01-20 14:28:41 +00:00
Jaeden Amero d8180f8d84 Merge remote-tracking branch 'origin/mbedtls-2.7' into mbedtls-2.7-restricted
* origin/mbedtls-2.7:
  Enable more test cases without MBEDTLS_MEMORY_DEBUG
  More accurate test case description
  Clarify that the "FATAL" message is expected
  Note that mbedtls_ctr_drbg_seed() must not be called twice
  Fix CTR_DRBG benchmark
  Changelog entry for xxx_drbg_set_entropy_len before xxx_drbg_seed
  CTR_DRBG: support set_entropy_len() before seed()
  CTR_DRBG: Don't use functions before they're defined
  HMAC_DRBG: support set_entropy_len() before seed()
2020-01-15 16:59:10 +00:00
Manuel Pégourié-Gonnard 455755177e Add test for record compression in ssl-opt.sh
Deprecated but still needs to be tested.
2020-01-06 09:52:27 +01:00
Manuel Pégourié-Gonnard 51e24946d5 Add all.sh components with ZLIB enabled
ZLIB support is deprecated, but until it's removed it should still be tested.
2020-01-06 09:52:27 +01:00
Jaeden Amero db649896e6
Merge pull request #2895 from gilles-peskine-arm/drbg-set_entropy_len-2.7
Backport 2.7: Allow xxx_drbg_set_entropy_len before xxx_drbg_seed
2019-11-29 16:17:08 +00:00
Jaeden Amero 373a7097eb
Merge pull request #673 from gilles-peskine-arm/ctr_drbg-aes_fail-2.7
Backport 2.7: Uncaught AES failure in CTR_DRBG
2019-11-28 15:02:23 +00:00
Gilles Peskine b2be1fca2c Catch AES failure in mbedtls_ctr_drbg_random
The functions mbedtls_ctr_drbg_random() and
mbedtls_ctr_drbg_random_with_add() could return 0 if an AES function
failed. This could only happen with alternative AES
implementations (the built-in implementation of the AES functions
involved never fail), typically due to a failure in a hardware
accelerator.

Bug reported and fix proposed by Johan Uppman Bruce and Christoffer
Lauri, Sectra.
2019-11-28 09:55:25 +01:00
Jaeden Amero df1b3e54c7
Merge pull request #2937 from gilles-peskine-arm/memory_buffer_alloc-fatal-pass-2.7
Backport 2.7: Clarify test descriptions in test_suite_memory_buffer_alloc
2019-11-27 10:37:33 +00:00
Gilles Peskine 02fbc08d2e Enable more test cases without MBEDTLS_MEMORY_DEBUG
None of the test cases in tests_suite_memory_buffer_alloc actually
need MBEDTLS_MEMORY_DEBUG. Some have additional checks when
MBEDTLS_MEMORY_DEBUG but all are useful even without it. So enable
them all and #ifdef out the parts that require DEBUG.
2019-11-26 18:48:08 +01:00
Gilles Peskine 786f068ec0 More accurate test case description 2019-11-26 18:47:14 +01:00
Gilles Peskine 04d45c98e8 Clarify that the "FATAL" message is expected
The test case "Memory buffer small buffer" emits a message
"FATAL: verification of first header failed". In this test case, it's
actually expected, but it looks weird to see this message from a
passing test. Add a comment that states this explicitly, and modify
the test description to indicate that the failure is expected, and
change the test function name to be more accurate.

Fix #309
2019-11-26 18:47:14 +01:00
Jaeden Amero c5a016dde1 Merge remote-tracking branch 'restricted/pr/666' into mbedtls-2.7-restricted
* restricted/pr/666: (24 commits)
  Add ChangeLog entry
  mpi_lt_mpi_ct: fix condition handling
  mpi_lt_mpi_ct: Add further tests
  mpi_lt_mpi_ct: Fix test numbering
  mpi_lt_mpi_ct perform tests for both limb size
  ct_lt_mpi_uint: cast the return value explicitely
  mbedtls_mpi_lt_mpi_ct: add tests for 32 bit limbs
  mbedtls_mpi_lt_mpi_ct: simplify condition
  Rename variable for better readability
  mbedtls_mpi_lt_mpi_ct: Improve documentation
  Make mbedtls_mpi_lt_mpi_ct more portable
  Bignum: Document assumptions about the sign field
  Add more tests for mbedtls_mpi_lt_mpi_ct
  mpi_lt_mpi_ct test: hardcode base 16
  Document ct_lt_mpi_uint
  mpi_lt_mpi_ct: make use of unsigned consistent
  ct_lt_mpi_uint: make use of biL
  Change mbedtls_mpi_cmp_mpi_ct to check less than
  mbedtls_mpi_cmp_mpi_ct: remove multiplications
  Remove excess vertical space
  ...
2019-11-12 10:47:55 +00:00
Jaeden Amero e70059df85 Merge remote-tracking branch 'restricted/pr/668' into mbedtls-2.7-restricted
* restricted/pr/668:
  Zeroize local AES variables before exiting the function
2019-11-12 10:42:45 +00:00
Jaeden Amero 10fcdd25d4
Merge pull request #664 from ARMmbed/dev/yanesca/iotcrypt-958-ecdsa-side-channel-fix-2.7
Backport 2.7: ECDSA side channel fix
2019-11-12 10:37:27 +00:00
Andrzej Kurek 07597365cd Zeroize local AES variables before exiting the function
This issue has been reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
Grant Hernandez, and Kevin Butler (University of Florida) and
Dave Tian (Purdue University).

In AES encrypt and decrypt some variables were left on the stack. The value
of these variables can be used to recover the last round key. To follow best
practice and to limit the impact of buffer overread vulnerabilities (like
Heartbleed) we need to zeroize them before exiting the function.
2019-11-12 03:23:51 -05:00
Janos Follath dfa4d71873 Add ChangeLog entry 2019-11-11 14:18:18 +00:00
Janos Follath b4edac5616 mpi_lt_mpi_ct: fix condition handling
The code previously only set the done flag if the return value was one.
This led to overriding the correct return value later on.
2019-11-11 12:27:36 +00:00
Janos Follath f4482aaccc mpi_lt_mpi_ct: Add further tests
The existing tests did not catch a failure that came up at integration
testing. Adding the missing test cases to trigger the bug.
2019-11-11 12:27:36 +00:00
Janos Follath a776aea91a mpi_lt_mpi_ct: Fix test numbering 2019-11-11 12:27:36 +00:00
Janos Follath 1b86eeb06b mpi_lt_mpi_ct perform tests for both limb size
The corner case tests were designed for 32 and 64 bit limbs
independently and performed only on the target platform. On the other
platform they are not corner cases anymore, but we can still exercise
them.
2019-11-11 12:27:36 +00:00
Janos Follath 5823961558 ct_lt_mpi_uint: cast the return value explicitely
The return value is always either one or zero and therefore there is no
risk of losing precision. Some compilers can't deduce this and complain.
2019-11-11 12:27:36 +00:00
Janos Follath 6adff06e50 mbedtls_mpi_lt_mpi_ct: add tests for 32 bit limbs
The corner case tests were designed for 64 bit limbs and failed on 32
bit platforms because the numbers in the test ended up being stored in a
different number of limbs and the function (correctly) returnd an error
upon receiving them.
2019-11-11 12:27:36 +00:00
Janos Follath cff9e6e03d mbedtls_mpi_lt_mpi_ct: simplify condition
In the case of *ret we might need to preserve a 0 value throughout the
loop and therefore we need an extra condition to protect it from being
overwritten.

The value of done is always 1 after *ret has been set and does not need
to be protected from overwriting. Therefore in this case the extra
condition can be removed.
2019-11-11 12:27:36 +00:00
Janos Follath 8ec2a953af Rename variable for better readability 2019-11-11 12:27:36 +00:00
Janos Follath a2b9a96fb8 mbedtls_mpi_lt_mpi_ct: Improve documentation 2019-11-11 12:27:36 +00:00
Janos Follath 51ed14e20f Make mbedtls_mpi_lt_mpi_ct more portable
The code relied on the assumptions that CHAR_BIT is 8 and that unsigned
does not have padding bits.

In the Bignum module we already assume that the sign of an MPI is either
-1 or 1. Using this, we eliminate the above mentioned dependency.
2019-11-11 12:27:36 +00:00
Janos Follath 9741fa6e2b Bignum: Document assumptions about the sign field 2019-11-11 12:27:36 +00:00
Janos Follath 9332ecefc8 Add more tests for mbedtls_mpi_lt_mpi_ct 2019-11-11 12:27:36 +00:00
Janos Follath aaa3f22b76 mpi_lt_mpi_ct test: hardcode base 16 2019-11-11 12:27:36 +00:00
Janos Follath 3173a53fe9 Document ct_lt_mpi_uint 2019-11-11 12:27:36 +00:00
Janos Follath 782cbe592d mpi_lt_mpi_ct: make use of unsigned consistent 2019-11-11 12:27:36 +00:00
Janos Follath db9f449409 ct_lt_mpi_uint: make use of biL 2019-11-11 12:27:36 +00:00
Janos Follath c3b376e2f2 Change mbedtls_mpi_cmp_mpi_ct to check less than
The signature of mbedtls_mpi_cmp_mpi_ct() meant to support using it in
place of mbedtls_mpi_cmp_mpi(). This meant full comparison functionality
and a signed result.

To make the function more universal and friendly to constant time
coding, we change the result type to unsigned. Theoretically, we could
encode the comparison result in an unsigned value, but it would be less
intuitive.

Therefore we won't be able to represent the result as unsigned anymore
and the functionality will be constrained to checking if the first
operand is less than the second. This is sufficient to support the
current use case and to check any relationship between MPIs.

The only drawback is that we need to call the function twice when
checking for equality, but this can be optimised later if an when it is
needed.
2019-11-11 12:27:36 +00:00
Janos Follath 8461c0e2a8 mbedtls_mpi_cmp_mpi_ct: remove multiplications
Multiplication is known to have measurable timing variations based on
the operands. For example it typically is much faster if one of the
operands is zero. Remove them from constant time code.
2019-11-11 12:27:36 +00:00
Janos Follath 8de2d45cd7 Remove excess vertical space 2019-11-11 12:27:36 +00:00
Janos Follath c587a32a9c Remove declaration after statement
Visual Studio 2013 does not like it for some reason.
2019-11-11 12:27:36 +00:00
Janos Follath 5f3019b298 Fix side channel vulnerability in ECDSA 2019-11-11 12:27:36 +00:00
Janos Follath 883801d3ec Add tests to constant time mpi comparison 2019-11-11 12:27:36 +00:00