Simon Butcher
58813498f7
Merge remote-tracking branch 'public/pr/2957' into baremetal
2019-12-27 18:18:04 +00:00
Jarno Lamsa
5aa4c07b85
Minor review fixes
2019-12-20 13:09:27 +02:00
Jarno Lamsa
015aa44b93
Make authmode volatile
...
This is to enforce reading it from memory for the double
check to prevent compiler from optimising it away.
2019-12-20 12:09:37 +02:00
Jarno Lamsa
af60cd7698
Protect the peer_authenticated flag more
...
Add more protection to the flag preventing attacker
possibly to glitch using faulty certificate.
2019-12-20 10:50:33 +02:00
Jarno Lamsa
616fbe177c
Increase hamming distance for authmode
...
Prevent glitching mode by single bit flipping.
2019-12-19 17:07:35 +02:00
Jarno Lamsa
8d09e5744c
Increase hamming distance for session resume flag
...
This is to prevent glitching a single bit for the resume flag.
2019-12-19 17:07:35 +02:00
Jarno Lamsa
489dccd158
Adress review comments
2019-12-19 17:07:35 +02:00
Jarno Lamsa
88db2ae9a0
Use Platform fault when double check fails
2019-12-19 17:07:35 +02:00
Jarno Lamsa
f5b6af01d3
Fix double check in entropy_gather_internal
...
The double check was wrong way, glitching either check
could have compromised the flow there.
2019-12-19 17:07:29 +02:00
Jarno Lamsa
afff4d0679
Remove unused flag
2019-12-19 14:41:56 +02:00
Jarno Lamsa
06164057b3
Check that we have all the proper keys
...
The proper keys should be set at the end of
the handshake, if not, fail the handshake.
2019-12-19 14:40:36 +02:00
Jarno Lamsa
e1621d4700
Check that the peer_authenticated flag
...
Check that the peer has been authenticated in the end
of the handshake.
2019-12-19 14:29:24 +02:00
Jarno Lamsa
ba4730fe4c
Protect setting of peer_authenticated flag
...
Use flow counting and double checks when setting the flag.
Also protect the flow to prevent causing a glitch.
2019-12-19 09:43:25 +02:00
Jarno Lamsa
4031a45019
Protect key_derivation_done flag
...
The flag is used to track that the key derivation
has been done.
2019-12-19 09:43:25 +02:00
Jarno Lamsa
67f0a1e833
Protect setting of premaster_generated flag
...
The flag is used for tracking if the premaster has
been succesfully generated. Note that when resuming
a session, the flag should not be used when trying to
notice if all the key generation/derivation has been done.
2019-12-19 09:43:19 +02:00
Jarno Lamsa
98801af26b
Protect setting of hello_random flag
...
The handshake flag tells when the handshake hello.random
is set and can be used later to decide if we have the correct
keys.
2019-12-19 09:02:02 +02:00
Jarno Lamsa
b57d7fd568
Add flags for protecting TLS state machine
...
Flags are there to prevent skipping vital parts of the TLS
handshake.
2019-12-19 09:01:54 +02:00
Jarno Lamsa
6122b59042
Address review comments
2019-12-19 07:56:10 +02:00
Jarno Lamsa
46afd5d8fa
Fix CI issues
...
Default flow assumes failure causes multiple issues with
compatibility tests when the return value is initialised
with error value in ssl_in_server_key_exchange_parse.
The function would need a significant change in structure for this.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
91dbb79ae4
Fix error return code
2019-12-19 07:56:10 +02:00
Jarno Lamsa
b83a2136d6
Protect the return value from mbedtls_pk_verify
...
Add double checks to the return value and default flow assumes
failure.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
47aab8da8a
Protect return value from mbedtls_pk_verify
...
Use double checks and default flow assumes failure.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
83a56a630a
Double check mbedtls_pk_verify
...
The verification could be skipped in server, changed the default flow
so that the handshake status is ever updated if the verify
succeeds, and that is checked twice.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
9e8e820993
Increase hamming distance for some error codes
...
The MBEDTLS_ERR_SSL_WANT_READ and MBEDTLS_ERR_SSL_WANT_WRITE are
errors that can be ignored, so increase the hamming distance between
them and the non-ignorable errors and keep still some distance from
a success case. This mitigates an attack where single bit-flipping could
change a non-ignorable error to being an ignorable one.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
acb5eb00ca
Add a double check to protect from glitch
...
Check that the encryption has been done for the outbut buffer.
This is to ensure that glitching out the encryption doesn't
result as a unecrypted buffer to be sent.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
d05da1fa45
Add double check for checking if source is strong
...
To prevent glitching past a strong source.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
552e8f2d6a
Add double check to entropy-loop
...
To prevent glitching and going through without strong source
2019-12-19 07:56:10 +02:00
Jarno Lamsa
4708d66af5
Change the mbedtls_ssl_states values
...
The changed values have now the minimum hamming distance
of 16 from each other. This is to prevent changing the state
by just flipping one bit.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
b01800974f
Use invalid state
...
If mismatch in the state has been noticed, use
the invalid state.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
70abd7aadc
Add enumeration for invalid state
...
The invalid state can be used when state-mismatch is noticed.
The invalid state should report a FI-alert upwards.
2019-12-19 07:56:10 +02:00
Jarno Lamsa
2b20516b60
Make TLS state changes explicit
...
This is to enable hardening the security when changing
states in state machine so that the state cannot be changed by bit flipping.
The later commit changes the enumerations so that the states have large
hamming distance in between them to prevent this kind of attack.
2019-12-19 07:56:10 +02:00
Simon Butcher
171f422109
Merge remote-tracking branch 'public/pr/2952' into baremetal
2019-12-13 14:51:40 +00:00
Simon Butcher
e76c638d6f
Merge remote-tracking branch 'public/pr/2925' into baremetal
2019-12-13 14:51:29 +00:00
Manuel Pégourié-Gonnard
645896e0ea
Fix undefined order of volatile access
...
Found by the IAR compiler.
While at it, make 'diff' non-volatile in uECC_check_curve_integrity(), as
there is no good reason to make it volatile, and making it volatile only
increases the code size and the burden of defining access ordering.
2019-12-05 16:02:17 +01:00
Simon Butcher
0252cd6876
Merge remote-tracking branch 'public/pr/2940' into baremetal
2019-12-05 14:32:54 +00:00
Simon Butcher
501c466d01
Merge remote-tracking branch 'public/pr/2934' into baremetal
2019-12-05 14:32:44 +00:00
Simon Butcher
5b45c6e1b3
Merge remote-tracking branch 'public/pr/2932' into baremetal
2019-12-05 14:32:31 +00:00
Simon Butcher
7c5de360da
Merge remote-tracking branch 'public/pr/2922' into baremetal
2019-12-05 14:31:03 +00:00
Simon Butcher
098846287f
Merge remote-tracking branch 'public/pr/2918' into baremetal
2019-12-05 14:27:29 +00:00
Arto Kinnunen
de657fca6b
Revert "Disable use of HRNG in SCA-hardened mem-functions"
...
This reverts commit 1e96b46b03
.
2019-12-04 16:30:54 +02:00
Jarno Lamsa
83d7881cec
Make VS compiler happy
...
It doesn't seem to like using unary - to unsigned values.
2019-12-04 14:40:57 +02:00
Teppo Järvelin
e06e039f7a
Fix basic-build-test.sh to work in different env
...
Also added possibility to run only unit tests
2019-11-29 11:05:11 +02:00
Manuel Pégourié-Gonnard
766c9e9781
Improve description of ERR_PLATFORM_FAULT_DETECTED
2019-11-29 09:40:08 +01:00
Manuel Pégourié-Gonnard
65be6b48de
Add compile guard in platform.h
...
We may want to include it just for the errors it defines without having all of
the other defines that only make sense when PLATFORM_C is enabled.
2019-11-28 12:51:45 +01:00
Arto Kinnunen
ec37a89bf3
Save ROM by using int instead of char
...
Save 20 bytes of ROM by changing variable type from char to int.
2019-11-28 13:43:02 +02:00
Manuel Pégourié-Gonnard
231bf52691
Fix indentation level in one place
2019-11-28 12:22:43 +01:00
Manuel Pégourié-Gonnard
e1cb8846e7
Add loop integrity check to curve param check
...
Also make the reference result static const while at it.
2019-11-28 12:21:34 +01:00
Manuel Pégourié-Gonnard
9ca11fc892
Fix issues found by the CI
...
- MSVC doesn't like -1u
- We need to include platform.h for MBEDTLS_ERR_PLATFORM_FAULT_DETECTED - in
some configurations it was already included indirectly, but not in all
configurations, so better include it directly.
2019-11-28 12:07:01 +01:00
Manuel Pégourié-Gonnard
6bdc6809da
Initialise variables to failing values
2019-11-28 10:40:03 +01:00
Manuel Pégourié-Gonnard
5c3066a4f6
Add double-checking in some critical places
2019-11-27 13:01:10 +01:00