Commit graph

6665 commits

Author SHA1 Message Date
Janos Follath 7b774483bf Correct deterministic ECDSA behavior
We were still reusing the internal HMAC-DRBG of the deterministic ECDSA
for blinding. This meant that with cryptographically low likelyhood the
result was not the same signature as the one the deterministic ECDSA
algorithm has to produce (however it is still a valid ECDSA signature).

To correct this we seed a second HMAC-DRBG with the same seed to restore
correct behavior. We also apply a label to avoid reusing the bits of the
ephemeral key for a different purpose and reduce the chance that they
leak.

This workaround can't be implemented in the restartable case without
penalising the case where external RNG is available or completely
defeating the purpose of the restartable feature, therefore in this case
the small chance of incorrect behavior remains.
2019-01-16 17:25:13 +00:00
Janos Follath ba66faf167 Add warning for alternative ECDSA implementations
Alternative implementations are often hardware accelerators and might
not need an RNG for blinding. But if they do, then we make them misuse
the RNG in the deterministic case.

There are several way around this:
- Exposing a lower level function for replacement. This would be the
optimal solution, but litters the API and is not backward compatible.
- Introducing a new compile time option for replacing the deterministic
function. This would mostly cover the same code as
MBEDTLS_ECDSA_DETERMINISTIC and would be yet another compile time flag.
- Reusing the existing MBEDTLS_ECDSA_DETERMINISTIC macro. This changes
the algorithm used by the PK layer from deterministic to randomised if
the alternative implementation is present.

This commit implements the third option. This is a temporary solution
and should be fixed at the next device driver API change.
2019-01-16 16:01:56 +00:00
Janos Follath e552a826fd Test the new deterministic ECDSA function 2019-01-16 16:01:34 +00:00
Janos Follath 2934c32da2 Add a safer deterministic ECDSA function
`mbedtls_ecdsa_sign_det` reuses the internal HMAC-DRBG instance to
implement blinding. The advantage of this is that the algorithm is
deterministic too, not just the resulting signature. The drawback is
that the blinding is always the same for the same key and message.
This diminishes the efficiency of blinding and leaks information about
the private key.

A function that takes external randomness fixes this weakness.
2019-01-16 16:00:27 +00:00
Manuel Pégourié-Gonnard c80555d835 Add public function generating private keys
We need to separate the uses of the RNG for blinding and for key
generation for the sake of an upcoming security fix in deterministic
ECDSA.
2019-01-16 15:47:26 +00:00
Simon Butcher 78f040cf33 Merge remote-tracking branch 'public/pr/2233' into HEAD 2019-01-08 15:33:48 +00:00
Simon Butcher 7f899b406c Merge remote-tracking branch 'public/pr/2304' into HEAD 2019-01-08 15:31:37 +00:00
Simon Butcher 3187e7ca98
Merge pull request #545 from ARMmbed/version-2.7.9
Update the version of the library to 2.7.9
2018-12-21 12:21:10 +00:00
Simon Butcher b22a808cc6 Update the version of the library to 2.7.9 2018-12-21 10:52:37 +00:00
Simon Butcher 3112d10abd Merge remote-tracking branch 'public/pr/2144' into mbedtls-2.7 2018-12-20 01:17:45 +00:00
Ron Eldor 314bd71894 Update ChangeLog
Add an entry in ChangeLog describing the fix.
2018-12-19 14:16:36 +02:00
Ron Eldor 44f6d0b3b1 Test AD too long only when CCM_ALT not defined
Since the AD too long is a limitation on Mbed TLS,
HW accelerators may support this. Run the test for AD too long,
only if `MBEDTLS_CCM_ALT` is not defined.
Addresses comment in #1996.
2018-12-19 14:14:58 +02:00
Jaeden Amero b85e35d8d2 Merge remote-tracking branch 'upstream-public/pr/2102' into mbedtls-2.7 2018-12-07 16:15:46 +00:00
Jaeden Amero e4cf723a70 Merge remote-tracking branch 'upstream-public/pr/2168' into mbedtls-2.7 2018-12-07 16:07:37 +00:00
Jaeden Amero 3ee55795e3 test: Make basic-build-test.sh see summary statuses
We've changed the behavior of "-v" to no longer output test summary
statuses. Update basic-build-test.sh to use the test runner's verbosity
option "-v 2", so that the basic-build-test.sh script can get the summary
statuses it needs.
2018-12-07 13:35:55 +00:00
Jaeden Amero 48d2f1e2d4 Merge remote-tracking branch 'upstream-public/pr/2220' into mbedtls-2.7 2018-12-06 16:17:15 +00:00
Jaeden Amero a7e5cbd4f4 Merge remote-tracking branch 'upstream-public/pr/2179' into mbedtls-2.7 2018-12-06 16:11:22 +00:00
Jaeden Amero 93bfd1da0c Merge remote-tracking branch 'upstream-public/pr/2132' into mbedtls-2.7 2018-12-06 16:06:21 +00:00
Jaeden Amero 5e264e37d8 Merge remote-tracking branch 'upstream-public/pr/2129' into mbedtls-2.7 2018-12-06 16:02:43 +00:00
Jaeden Amero a7d16ba3a1 Merge remote-tracking branch 'upstream-public/pr/2150' into mbedtls-2.7 2018-12-06 16:02:06 +00:00
Jaeden Amero a507910e16 Merge remote-tracking branch 'upstream-public/pr/2064' into mbedtls-2.7 2018-12-06 15:58:27 +00:00
Jaeden Amero 6ef6efbd8e Merge remote-tracking branch 'upstream-public/pr/1984' into mbedtls-2.7 2018-12-06 15:54:38 +00:00
Jaeden Amero ac021d901b Merge remote-tracking branch 'upstream-public/pr/2143' into mbedtls-2.7 2018-12-06 15:52:01 +00:00
Simon Butcher 2297157dd6
Merge pull request #541 from ARMmbed/version-2.7.8
Update the library version to 2.7.8
2018-12-02 13:21:10 +00:00
Simon Butcher 4a908ca6bb Update library version number to 2.7.8 2018-12-01 23:12:40 +00:00
Simon Butcher be16e38102 Clarify attribution for the Bleichenbacher's Cat fix 2018-12-01 23:04:54 +00:00
Simon Butcher 4303f7619e Merge remote-tracking branch 'restricted/pr/513' into mbedtls-2.7-restricted 2018-11-29 17:27:35 +00:00
Simon Butcher e34a4f5825 Merge remote-tracking branch 'restricted/pr/536' into mbedtls-2.7-restricted 2018-11-29 17:26:43 +00:00
Simon Butcher a0d3e1d570 Merge remote-tracking branch 'restricted/pr/518' into mbedtls-2.7-restricted 2018-11-29 17:26:25 +00:00
Gilles Peskine 5db9c830f1 Add changelog entry for mbedtls_mpi_write_binary fix 2018-11-29 12:47:02 +01:00
Gilles Peskine 813bdeb663 Tweak RSA vulnerability changelog entry
* Correct the list of authors.
* Add the CVE number.
* Improve the impact description.
2018-11-29 12:46:47 +01:00
Andres Amaya Garcia 97a184ba84 Fix resource leak of file desc in test code 2018-11-26 21:29:29 +00:00
Gilles Peskine 220cc17165 mbedtls_mpi_write_binary: don't leak the exact size of the number
In mbedtls_mpi_write_binary, avoid leaking the size of the number
through timing or branches, if possible. More precisely, if the number
fits in the output buffer based on its allocated size, the new code's
trace doesn't depend on the value of the number.
2018-11-26 12:45:35 +01:00
Gilles Peskine da6ccfca68 check-files: detect merge artifacts
Detect Git merge artifacts. These are lines starting with "<<<<<<",
"|||||||" or ">>>>>>>" followed by a space, or containing just
"=======". For "=======", exempt Markdown files, because this can be
used to underline a title, as a compromise between false negatives and
false positives.
2018-11-23 22:42:42 +01:00
Gilles Peskine 232fae37e3 Factor record_issue into its own method 2018-11-23 22:42:40 +01:00
Simon Butcher e26f79ba67
Merge pull request #533 from sbutcher-arm/version-2.7.7
Bump Mbed TLS Version to 2.7.7
2018-11-19 18:50:34 +00:00
Simon Butcher 20f30d97a8 Update library version number to 2.7.7 2018-11-19 18:32:22 +00:00
Simon Butcher 7fd58a9e4f Refine the language in the ChangeLog
Fix the language and descriptions in the ChangeLog following review of the
Release Notes for the next release.
2018-11-19 16:01:15 +00:00
Simon Butcher 357fbee3fd Fix language and formatting in ChangeLog
Changed the formatting and language in the ChangeLog to the house-style.
2018-11-08 13:47:21 +00:00
Simon Butcher 58012321b8 Merge remote-tracking branch 'restricted/pr/521' into mbedtls-2.7-restricted-proposed 2018-11-07 13:36:00 +00:00
Simon Butcher 02d3b1cfbb Merge remote-tracking branch 'restricted/pr/523' into mbedtls-2.7-restricted-proposed 2018-11-07 13:35:07 +00:00
Simon Butcher 9136dab9c3 Merge remote-tracking branch 'public/pr/2138' into mbedtls-2.7-restricted-proposed 2018-11-07 13:34:42 +00:00
Simon Butcher c37966239c Merge remote-tracking branch 'public/pr/2080' into mbedtls-2.7-restricted-proposed 2018-11-07 13:34:27 +00:00
Simon Butcher ce8c509b3e Merge remote-tracking branch 'public/pr/2135' into mbedtls-2.7-restricted-proposed 2018-11-07 13:33:09 +00:00
Simon Butcher a5c0071cd2 Merge remote-tracking branch 'public/pr/2153' into mbedtls-2.7-restricted-proposed 2018-11-07 13:32:53 +00:00
Simon Butcher b7d2d5c933 Merge remote-tracking branch 'public/pr/2155' into mbedtls-2.7-restricted-proposed 2018-11-07 13:32:04 +00:00
Simon Butcher 0afa2ef6c4 Merge remote-tracking branch 'public/pr/2176' into mbedtls-2.7-restricted-proposed 2018-11-07 13:31:39 +00:00
Hanno Becker 0e32e5ed0e Adapt ChangeLog 2018-11-06 13:36:35 +00:00
Hanno Becker dc631fb87e Add explicit integer to enumeration casts to programs/pkey/gen_key.c
Fixes #2170.
2018-11-06 13:36:19 +00:00
Hanno Becker 0a08a4a68d Adapt ChangeLog 2018-11-06 13:19:06 +00:00