Commit graph

10282 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard 2cb3eea922 Hardcode numwords in vli_cmp 2019-11-04 15:53:10 +01:00
Manuel Pégourié-Gonnard 129b42ea2e Hardcode numwords in vli_sub 2019-11-04 15:53:09 +01:00
Manuel Pégourié-Gonnard 2eca3d367b Hardcode numwords in vli_equal 2019-11-04 15:53:07 +01:00
Manuel Pégourié-Gonnard a752191191 Hardcode numwords in vli_cpm_unsafe 2019-11-04 15:53:03 +01:00
Manuel Pégourié-Gonnard cbbb0f034b Hardcode numwords in vli_set() 2019-11-04 15:52:43 +01:00
Manuel Pégourié-Gonnard 2bf5a129cf Hardcode numwords in semi-internal vli_numBits() 2019-11-04 15:52:43 +01:00
Manuel Pégourié-Gonnard 94e48498ef Hardcode numwords in semi-internal vli_clear() 2019-11-04 15:52:43 +01:00
Manuel Pégourié-Gonnard f3899fc0ea hardcode numwords in semi-internal vli_isZero 2019-11-04 15:52:43 +01:00
Manuel Pégourié-Gonnard 02d9d21fd6 Hardcode numwords in internal vli_add
Saves 40 bytes
2019-11-04 15:52:37 +01:00
Manuel Pégourié-Gonnard 78a7e351fe Use macros for number of bits and words 2019-11-04 12:31:37 +01:00
Manuel Pégourié-Gonnard c3ec14c87f Harcode curve in semi-internal modMult function
Saves 80 bytes of code size.
2019-11-04 12:23:11 +01:00
Manuel Pégourié-Gonnard 3645ac93f5 Start hardcoding curve in internal functions
Saves 68 byte of code size.
2019-11-04 12:20:22 +01:00
Manuel Pégourié-Gonnard 27926d63b7 Remove less-safe mult function from public API
This doesn't change code size, but makes it easier to remove unneeded
parameters later (less possible entry points).
2019-11-04 11:26:46 +01:00
Manuel Pégourié-Gonnard ef238283d5 Add ECCPoint_mult_safer() function
This avoids the need for each calling site to manually regularize the scalar
and randomize coordinates, which makes for simpler safe use and saves 50 bytes
of code size in the library.
2019-11-04 11:19:30 +01:00
Manuel Pégourié-Gonnard c78d86b499 Remove some internal functions that aren't needed
This saves 10 bytes of code size, and makes it a bit easier to remove unused
parameters later (fewer prototypes to change).
2019-11-04 10:18:42 +01:00
Manuel Pégourié-Gonnard 86c4f81408 Improve documentation of internal function 2019-10-31 13:07:58 +01:00
Manuel Pégourié-Gonnard d5e503ec33 Rename wait_state_t to ecc_wait_state_t
Even though this is type name is purely internal to a single C file, let's
reduce the potential for clashes with other wait state types which might be
added elsewhere in the library and become visible here (for example through
platform_util.h).
2019-10-31 13:07:58 +01:00
Manuel Pégourié-Gonnard d467116e59 Make wait_state smaller
Previous size was 3584 bytes which is not acceptable on constrained systems
(especially on the stack). This was a misguided attempt at minimizing the
number of calls to the RNG function in order to minimize impact on
performance, but clearly this does not justify using that much RAM and a
compromise had to be found.
2019-10-31 13:07:52 +01:00
Manuel Pégourié-Gonnard 938f53f1fb Actually use randomized mult when relevant
While at it, loose the 'curve' argument in internal randomized functions, for
the same reasons we lost 'num_words' in uECC_vli_mult_rnd(): we only have one
curve so we don't need this, and hardcoding it saves a bit of code size and
speed, which is welcome to slightly reduce the impact of the counter-measure
on both of them.
2019-10-31 13:07:52 +01:00
Manuel Pégourié-Gonnard 14ab9c2879 Add random delays to multi-precision multiplication
This is a counter-measure to make horizontal attacks harder. Horizontal
attacks work with a single trace by noticing when intermediate computations
within that trace happen on the same operands.

We'll try to make that harder for an attacker to achieve that by introducing
random delays based on extra computation and extra random accesses to input in
the multi-precision multiplication (which is the dominant operation and the target of
horizontal attacks known so far). This should make it hard for the attacker to
compare two multiplications.

This first commit introduces the new function for multiplication with random
delay - future commits will ensure it is used all the way up to the top-level
scalar multiplication routine.
2019-10-31 13:07:52 +01:00
Manuel Pégourié-Gonnard 6ee7a4e01c Validate peer's public key in ECDH
This protects against invalid curve attacks.

(It's also a tiny step in the direction of protecting against some fault
injection attacks.)
2019-10-31 13:07:52 +01:00
Manuel Pégourié-Gonnard 4a658a01c6 Add projective coordinates randomization in ECDSA
Why: this protects against potential side-channels attacks. This
counter-measure is for example effective against Template SPA. Also, the
bignum arithmetic as implemented in TinyCrypt isn't entirely regular, which
could in principle be exploited by an attacker; randomizing the coordinates
makes this less likely to happen.

Randomizing projective coordinates is also a well-known countermeasure to DPA.
In the context of the scalar multiplication in ECDSA, DPA isn't a concern
since it requires multiple measurements with various base points and the same
scalar, and the scalar mult in ECDSA is the opposite: the base point's always
the same and the scalar is always unique. But we want protection against the
other attacks as well.

How: we use the same code fragment as in uECC_shared_secret in ecc_dh.c,
adapted as follows: (1) replace p2 with k2 as that's how it's called in this
function; (2) adjust how errors are handled.

The code might not be immediately clear so here are a few more details:
regularize_k() takes two arrays as outputs, and the return value says which one
should be passed to ECCPoint_mult(). The other one is free for us to re-use to
generate a random number to be used as the initial Z value for randomizing
coordinates (otherwise the initial Z value is 1), thus avoiding the use of an
extra stack buffer.
2019-10-31 13:07:52 +01:00
Jarno Lamsa 2e2fa5e352 Adress review comments 2019-10-30 15:08:26 +02:00
Jarno Lamsa 77c4fcc96e Use DER encoded keys with tinycrypt
PEM and BASE64 aren't used with baremetal config by default
and using DER encoded key enables the test without enabling PEM
and BASE64.
2019-10-30 15:00:01 +02:00
Jarno Lamsa 6ba32cac5c Add authentication tests for baremetal config 2019-10-30 15:00:01 +02:00
Jarno Lamsa 6f54fe72f2 Add a bad version of server11 certificate
The certificate has a corrupted public key and signature.
Generating it through Makefile isn't trivial and since it is
a corrupted certificate, that shouldn't be accepted, there
shouldn't be a need to generate it again anyway.
2019-10-30 14:59:23 +02:00
Teppo Järvelin d49d2b6d4f Changed mbedtls_platform_memset/cpy/cmp in selftest functions back to original methods 2019-10-30 14:07:04 +02:00
Teppo Järvelin 6f4e030166 Changed mbedtls_platform_memcpy to memcpy in places which don't handle critical data
and under baremetal define
2019-10-30 14:07:04 +02:00
Teppo Järvelin b5c4671a80 Changed mbedtls_platform_memcpy back to memcpy for selftest and test functions 2019-10-30 14:07:04 +02:00
Teppo Järvelin 3137fb271a Added include platform_util.h to padlock.c to fix compile with all defines variants 2019-10-30 14:07:04 +02:00
Teppo Järvelin 91d7938761 Changed every memcpy to SCA equivalent mbedtls_platform_memcpy
This makes physical attacks more difficult.
2019-10-30 14:07:04 +02:00
Jarno Lamsa b514cd3626 Remove dependency to MBEDTLS_ERROR_C
The test is already checking for return value
No need to check for MBEDTLS_ERROR_C -dependent print
2019-10-30 10:34:54 +02:00
Jarno Lamsa d342805134 Added Forced ECC ciphersuite with CCM tests 2019-10-30 10:34:54 +02:00
Jarno Lamsa c40184b44a Add test for small server packet
To allow testing with ECDHE-ECDSA with DTLS
2019-10-30 10:34:54 +02:00
Jarno Lamsa 0ed68089ee Add test for small client packet
Enable testing with ECDHE-ECDSA with DTLS
2019-10-30 10:34:54 +02:00
Jarno Lamsa c5118b7664 Add a new keyUsage test for p256 using DTLS 2019-10-30 10:34:54 +02:00
Jarno Lamsa ff434c2ef3 Add test for enforcing extended master secret
Only add test when both are enforcing. This is configured in baremetal.h
and is checked in the check_cmdline_compat, would render other cases
with baremetal.h to skipped.
2019-10-30 10:34:54 +02:00
Jarno Lamsa 5b944b5793 define MBEDTLS_FS_IO
This is needed for the tests using certificate-files.
2019-10-30 10:34:54 +02:00
Jarno Lamsa 7544195a44 Remove echo FORCE SKIP
This was probably an artifact from testing the cmdline_compat-stuff.
Currently only pollutes the output.
2019-10-30 10:34:54 +02:00
Simon Butcher aeecf04be3 Merge remote-tracking branch 'public/pr/2907' into baremetal 2019-10-29 15:42:52 +00:00
Simon Butcher 8b2c642994 Merge remote-tracking branch 'public/pr/2904' into baremetal 2019-10-29 15:31:48 +00:00
Simon Butcher f5a64048b7 Merge remote-tracking branch 'public/pr/2892' into baremetal 2019-10-29 15:30:38 +00:00
Simon Butcher 9d36fa16f8 Merge remote-tracking branch 'public/pr/2891' into baremetal 2019-10-29 15:25:26 +00:00
Simon Butcher a85b3e4dde Merge remote-tracking branch 'public/pr/2890' into baremetal 2019-10-29 14:41:13 +00:00
Simon Butcher 2f99f3d8a2 Merge remote-tracking branch 'public/pr/2850' into baremetal 2019-10-29 14:24:33 +00:00
Arto Kinnunen 8a8488c1cf Fix mbedtls_ssl_check_record usage with ext buf
Record checking fails if mbedtls_ssl_check_record() is called with
external buffer. Received record sequence number is available in the
incoming record but it is not available in the ssl contexts `in_ctr`-
variable that is used when decoding the sequence number.

To fix the problem, temporarily update ssl context `in_ctr` to
point to the received record header and restore value later.
2019-10-29 11:13:33 +02:00
Teppo Järvelin 7800719551 Adjusted buf allocated from heap in ssl_client2 to be as small as possible 2019-10-25 14:30:33 +03:00
Teppo Järvelin 614efc268e Moved allocation checks to correct place in ssl_server2.c 2019-10-25 11:03:20 +03:00
Arto Kinnunen 4ecfbd3b16 Fix tests to work in Mbed OS test environment
Update x509parse and x509write test suites to include "x509.c" from
correct location.
2019-10-24 15:48:47 +03:00
Teppo Järvelin 99082aeac7 Fixed CI tests by overriding value MBEDTLS_ENTROPY_MAX_SOURCES
Override define MBEDTLS_ENTROPY_MAX_SOURCES from 1 to 3 in baremetal_test.h

mbedtls_entropy_init adds 2 sources already so max must be 3 so that
one source can be added with mbedtls_entropy_add_source.
2019-10-24 15:03:33 +03:00