Arto Kinnunen
2b24f4280f
AES review corrections
...
-Do not reuse any part of randomized number, use separate byte for
each purpose.
-Combine some separate loops together to get rid of gap between them
-Extend usage of flow_control
2020-01-21 12:01:42 +02:00
Arto Kinnunen
98c93af1ef
Randomize number of AES dummy calculation rounds
...
Use either 4 or 5 dummy rounds in AES encryption/decryption.
2020-01-21 12:01:42 +02:00
Arto Kinnunen
2eb678f5e8
Update AES SCA countermeasures
...
-Add dummy rounds to the start and/or end of the AES calculation
rounds.
2020-01-21 12:01:42 +02:00
Arto Kinnunen
28ecfb002f
Merge remote-tracking branch 'upstream/pr/2983' into baremetal
...
* upstream/pr/2983:
Fix mbedtls_strerror to work with all wanted codes
2020-01-17 11:21:53 +02:00
Arto Kinnunen
ca1978b7d5
Merge remote-tracking branch 'upstream/pr/2982' into baremetal
...
* upstream/pr/2982:
Use mbedtls_platform_memset in data_randomize
Protect get/put on secret data on AES-module
2020-01-17 11:21:41 +02:00
Arto Kinnunen
d1340e455c
Merge remote-tracking branch 'upstream/pr/2980' into baremetal
...
* upstream/pr/2980:
Protect get/put on secret data on sha256-module
2020-01-17 11:21:32 +02:00
Arto Kinnunen
10a2ffde5d
Merge remote-tracking branch 'upstream/pr/2945' into baremetal
...
* upstream/pr/2945:
Rename macro MBEDTLS_MAX_RAND_DELAY
Update signature of mbedtls_platform_random_delay
Replace mbedtls_platform_enforce_volatile_reads 2
Replace mbedtls_platform_enforce_volatile_reads
Add more variation to random delay countermeasure
Add random delay to enforce_volatile_reads
Update comments of mbedtls_platform_random_delay
Follow Mbed TLS coding style
Add random delay function to platform_utils
2020-01-17 11:21:16 +02:00
Jarno Lamsa
8f8c0bdfc7
Use mbedtls_platform_memset in data_randomize
...
More secure memset should be used here instead
of standard memset.
2020-01-10 08:19:37 +02:00
Jarno Lamsa
282db8e3f8
Protect get/put on secret data on AES-module
...
When reading the input, buffer will be initialised with random data
and the reading will start from a random offset. When writing the data,
the output will be initialised with random data and the writing will start
from a random offset.
2020-01-10 08:19:37 +02:00
Teppo Järvelin
5bc072f737
Fix mbedtls_strerror to work with all wanted codes
2020-01-09 14:22:32 +02:00
Arto Kinnunen
b148651e49
Rename macro MBEDTLS_MAX_RAND_DELAY
...
MBEDTLS_MAX_RAND_DELAY renamed to MAX_RAND_DELAY to get CI passing.
2020-01-09 11:11:23 +02:00
Arto Kinnunen
ac6d226939
Update signature of mbedtls_platform_random_delay
...
Skip parameter and return value from mbedtls_platform_random_delay
to make it more resistant for FI attacks.
2020-01-09 10:19:07 +02:00
Simon Butcher
05ca9d46c1
Merge remote-tracking branch 'public/pr/2979' into baremetal
2020-01-08 18:15:52 +00:00
Simon Butcher
01d78fcefe
Merge remote-tracking branch 'public/pr/2971' into baremetal
2020-01-08 18:10:44 +00:00
Simon Butcher
2d9c0eb215
Merge remote-tracking branch 'public/pr/2948' into baremetal
2020-01-08 18:08:28 +00:00
Simon Butcher
4b3b8c208e
Merge remote-tracking branch 'public/pr/2886' into baremetal
2020-01-08 17:53:43 +00:00
Jarno Lamsa
bb86c52430
Protect get/put on secret data on sha256-module
...
When reading the input, the buffer will be initialised with random data
and the reading will start from a random offset. When writing the data,
the output will be initialised with random data and the writing will
start from a random offset.
2020-01-08 10:45:51 +02:00
Teppo Järvelin
cafb6c91b0
Clear internal decrypted buffer after read
2020-01-08 10:25:16 +02:00
Arto Kinnunen
7195571681
Replace mbedtls_platform_enforce_volatile_reads 2
...
Replace remaining mbedtls_platform_enforce_volatile_reads() with
mbedtls_platform_random_delay().
2020-01-07 10:47:58 +02:00
Arto Kinnunen
e91f0dc905
Replace mbedtls_platform_enforce_volatile_reads
...
Replace function mbedtls_platform_enforce_volatile_reads() with
mbedtls_platform_random_delay().
2020-01-07 10:47:58 +02:00
Arto Kinnunen
dbf2b43ceb
Add more variation to random delay countermeasure
...
Add more variation to the random delay function by xor:ing two
variables. It is not enough to increment just a counter to create a
delay as it will be visible as uniform delay that can be easily
removed from the trace by analysis.
2020-01-07 10:47:58 +02:00
Arto Kinnunen
0490485be5
Add random delay to enforce_volatile_reads
...
Add a random delay to mbedtls_platform_enforce_volatile_reads() as a
countermeasure to fault injection attacks.
2020-01-07 10:47:58 +02:00
Arto Kinnunen
b47b105838
Follow Mbed TLS coding style
2020-01-07 10:47:58 +02:00
Arto Kinnunen
4c63b98e94
Add random delay function to platform_utils
...
Add delay function to platform_utils. The function will delay
program execution by incrementing local variable randomised number of
times.
2020-01-07 10:47:58 +02:00
Teppo Järvelin
8f7e36fc98
Coverity fixes, check hmac return values
2020-01-05 12:02:37 +02:00
Jarno Lamsa
5aa4c07b85
Minor review fixes
2019-12-20 13:09:27 +02:00
Jarno Lamsa
015aa44b93
Make authmode volatile
...
This is to enforce reading it from memory for the double
check to prevent compiler from optimising it away.
2019-12-20 12:09:37 +02:00
Jarno Lamsa
af60cd7698
Protect the peer_authenticated flag more
...
Add more protection to the flag preventing attacker
possibly to glitch using faulty certificate.
2019-12-20 10:50:33 +02:00
Jarno Lamsa
8d09e5744c
Increase hamming distance for session resume flag
...
This is to prevent glitching a single bit for the resume flag.
2019-12-19 17:07:35 +02:00
Jarno Lamsa
489dccd158
Adress review comments
2019-12-19 17:07:35 +02:00
Jarno Lamsa
88db2ae9a0
Use Platform fault when double check fails
2019-12-19 17:07:35 +02:00
Jarno Lamsa
f5b6af01d3
Fix double check in entropy_gather_internal
...
The double check was wrong way, glitching either check
could have compromised the flow there.
2019-12-19 17:07:29 +02:00
Jarno Lamsa
06164057b3
Check that we have all the proper keys
...
The proper keys should be set at the end of
the handshake, if not, fail the handshake.
2019-12-19 14:40:36 +02:00
Jarno Lamsa
e1621d4700
Check that the peer_authenticated flag
...
Check that the peer has been authenticated in the end
of the handshake.
2019-12-19 14:29:24 +02:00
Jarno Lamsa
ba4730fe4c
Protect setting of peer_authenticated flag
...
Use flow counting and double checks when setting the flag.
Also protect the flow to prevent causing a glitch.
2019-12-19 09:43:25 +02:00
Jarno Lamsa
4031a45019
Protect key_derivation_done flag
...
The flag is used to track that the key derivation
has been done.
2019-12-19 09:43:25 +02:00
Jarno Lamsa
67f0a1e833
Protect setting of premaster_generated flag
...
The flag is used for tracking if the premaster has
been succesfully generated. Note that when resuming
a session, the flag should not be used when trying to
notice if all the key generation/derivation has been done.
2019-12-19 09:43:19 +02:00
Jarno Lamsa
98801af26b
Protect setting of hello_random flag
...
The handshake flag tells when the handshake hello.random
is set and can be used later to decide if we have the correct
keys.
2019-12-19 09:02:02 +02:00
Jarno Lamsa
6122b59042
Address review comments
2019-12-19 07:56:10 +02:00
Jarno Lamsa
46afd5d8fa
Fix CI issues
...
Default flow assumes failure causes multiple issues with
compatibility tests when the return value is initialised
with error value in ssl_in_server_key_exchange_parse.
The function would need a significant change in structure for this.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
91dbb79ae4
Fix error return code
2019-12-19 07:56:10 +02:00
Jarno Lamsa
b83a2136d6
Protect the return value from mbedtls_pk_verify
...
Add double checks to the return value and default flow assumes
failure.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
47aab8da8a
Protect return value from mbedtls_pk_verify
...
Use double checks and default flow assumes failure.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
83a56a630a
Double check mbedtls_pk_verify
...
The verification could be skipped in server, changed the default flow
so that the handshake status is ever updated if the verify
succeeds, and that is checked twice.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
acb5eb00ca
Add a double check to protect from glitch
...
Check that the encryption has been done for the outbut buffer.
This is to ensure that glitching out the encryption doesn't
result as a unecrypted buffer to be sent.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
d05da1fa45
Add double check for checking if source is strong
...
To prevent glitching past a strong source.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
552e8f2d6a
Add double check to entropy-loop
...
To prevent glitching and going through without strong source
2019-12-19 07:56:10 +02:00
Jarno Lamsa
b01800974f
Use invalid state
...
If mismatch in the state has been noticed, use
the invalid state.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
70abd7aadc
Add enumeration for invalid state
...
The invalid state can be used when state-mismatch is noticed.
The invalid state should report a FI-alert upwards.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
2b20516b60
Make TLS state changes explicit
...
This is to enable hardening the security when changing
states in state machine so that the state cannot be changed by bit flipping.
The later commit changes the enumerations so that the states have large
hamming distance in between them to prevent this kind of attack.
2019-12-19 07:56:10 +02:00