Commit graph

7008 commits

Author SHA1 Message Date
Janos Follath 82debf8332 ECDSA: Fix side channel vulnerability
The blinding applied to the scalar before modular inversion is
inadequate. Bignum is not constant time/constant trace, side channel
attacks can retrieve the blinded value, factor it (it is smaller than
RSA keys and not guaranteed to have only large prime factors). Then the
key can be recovered by brute force.

Reducing the blinded value makes factoring useless because the adversary
can only recover pk*t+z*N instead of pk*t.
2019-10-25 09:01:34 +01:00
Jaeden Amero 395d8c1222 Merge remote-tracking branch 'origin/pr/2878' into mbedtls-2.7
* origin/pr/2878:
  mbedtls_hmac_drbg_set_entropy_len() only matters when reseeding
  mbedtls_ctr_drbg_set_entropy_len() only matters when reseeding
  mbedtls_ctr_drbg_seed: correct maximum for len
  Add a note about CTR_DRBG security strength to config.h
  CTR_DRBG: more consistent formatting and wording
  DRBG documentation: Relate f_entropy arguments to the entropy module
  Add ChangeLog entry for the DRBG documentation improvements
  HMAC_DRBG documentation improvements
  CTR_DRBG: explain the security strength and the entropy input length
  CTR_DRBG documentation improvements
2019-10-18 14:21:49 +01:00
Gilles Peskine 55e120b9b2 mbedtls_hmac_drbg_set_entropy_len() only matters when reseeding
The documentation of HMAC_DRBG erroneously claimed that
mbedtls_hmac_drbg_set_entropy_len() had an impact on the initial
seeding. This is in fact not the case: mbedtls_hmac_drbg_seed() forces
the entropy length to its chosen value. Fix the documentation.
2019-10-04 18:30:56 +02:00
Gilles Peskine dff3682477 mbedtls_ctr_drbg_set_entropy_len() only matters when reseeding
The documentation of CTR_DRBG erroneously claimed that
mbedtls_ctr_drbg_set_entropy_len() had an impact on the initial
seeding. This is in fact not the case: mbedtls_ctr_drbg_seed() forces
the initial seeding to grab MBEDTLS_CTR_DRBG_ENTROPY_LEN bytes of
entropy. Fix the documentation and rewrite the discussion of the
entropy length and the security strength accordingly.
2019-10-04 18:30:56 +02:00
Gilles Peskine 2abefefec2 mbedtls_ctr_drbg_seed: correct maximum for len 2019-10-04 18:27:28 +02:00
Gilles Peskine 406d25878c Add a note about CTR_DRBG security strength to config.h 2019-10-03 15:03:11 +02:00
Gilles Peskine f0b3dcb14b CTR_DRBG: more consistent formatting and wording
In particular, don't use #MBEDTLS_xxx on macros that are undefined in
some configurations, since this would be typeset with a literal '#'.
2019-10-03 15:03:08 +02:00
Gilles Peskine b9cfe58180 DRBG documentation: Relate f_entropy arguments to the entropy module 2019-10-02 19:00:57 +02:00
Gilles Peskine 97edf5e1e2 Add ChangeLog entry for the DRBG documentation improvements 2019-10-02 19:00:29 +02:00
Jaeden Amero 5cc748e58f Merge remote-tracking branch 'origin/pr/2866' into mbedtls-2.7
* origin/pr/2866:
  Reduce stack usage of test_suite_pkcs1_v15
  Reduce stack usage of test_suite_pkcs1_v21
  Reduce stack usage of test_suite_rsa
  Reduce stack usage of test_suite_pk
2019-10-02 18:00:13 +01:00
Gilles Peskine d89173066c HMAC_DRBG documentation improvements
* State explicit whether several numbers are in bits or bytes.
* Clarify whether buffer pointer parameters can be NULL.
* Minor wording and formatting improvements.
2019-10-02 19:00:06 +02:00
Jaeden Amero 2fc6cf5da7 Merge remote-tracking branch 'origin/pr/2704' into mbedtls-2.7
* origin/pr/2704:
  Adapt auth_crypt_tv usage to 2.7
  Add missing dependencies in test_suite_cipher.gcm
  Adapt ChangeLog
  Add NIST AES GCM test vectors to single-step cipher API test suite
2019-10-02 17:56:38 +01:00
Gilles Peskine eb99c1028f CTR_DRBG: explain the security strength and the entropy input length
Explain what how entropy input length is determined from the
configuration, and how this in turn determines the security strength.
Explain how the nonce is obtained during initialization.
2019-10-02 18:56:17 +02:00
Gilles Peskine 25e1945321 CTR_DRBG documentation improvements
* State explicit whether several numbers are in bits or bytes.
* Clarify whether buffer pointer parameters can be NULL.
* Clarify some terminology.
* Minor wording and formatting improvements.
2019-10-02 18:54:20 +02:00
Ron Eldor 0ab4092e2d Reduce stack usage of test_suite_pkcs1_v15
Reduce the stack usage of the `test_suite_pkcs1_v15` by reducing the
size of the buffers used in the tests, to a reasonable big enough size.
2019-10-02 14:34:24 +03:00
Ron Eldor dd4277f70d Reduce stack usage of test_suite_pkcs1_v21
Reduce the stack usage of the `test_suite_pkcs1_v21` by reducing the
size of the buffers used in the tests, to a reasonable big enough size,
and change the size sent to the API to sizeof output.
2019-10-02 14:34:24 +03:00
Ron Eldor b3d3973264 Reduce stack usage of test_suite_rsa
Reduce the stack usage of the `test_suite_rsa` by reducing the
size of the buffers used in the tests, to a reasonable big enough size,
and change the data size to decrypt in the data file.
2019-10-02 14:34:24 +03:00
Ron Eldor 6827d1c588 Reduce stack usage of test_suite_pk
Reduce the stack usage of the `test_suite_pk` by reducing the
size of the buffers used in the tests, to a reasonable big enough size.
2019-10-02 14:34:17 +03:00
Jaeden Amero d28b9b3c5d Merge remote-tracking branch 'origin/pr/2828' into mbedtls-2.7
* origin/pr/2828:
  Enable MBEDTLS_MEMORY_DEBUG in memory buffer alloc test in all.sh
  Remove unnecessary memory buffer alloc unsets
  Disable DTLS proxy tests for MEMORY_BUFFER_ALLOC test
  all.sh: restructure memory allocator tests
  Add missing dependency in memory buffer alloc set in all.sh
  Don't set MBEDTLS_MEMORY_DEBUG through `scripts/config.pl full`
  Add cfg dep MBEDTLS_MEMORY_DEBUG->MBEDTLS_MEMORY_BUFFER_ALLOC_C
  Add all.sh run with full config and ASan enabled
  Add all.sh run with MBEDTLS_MEMORY_BUFFER_ALLOC_C enabled
  Update documentation of exceptions for `config.pl full`
  Adapt all.sh to removal of buffer allocator from full config
  Disable memory buffer allocator in full config
  Check dependencies of MBEDTLS_MEMORY_BACKTRACE in check_config.h
2019-09-12 16:46:11 +01:00
Andrzej Kurek 9b1c248209 Enable MBEDTLS_MEMORY_DEBUG in memory buffer alloc test in all.sh 2019-09-10 02:58:34 -04:00
Andrzej Kurek 7eb7f8db8b Remove unnecessary memory buffer alloc unsets
This define is turned off by default
2019-09-09 07:32:48 -04:00
Andrzej Kurek 6addfdd190 Disable DTLS proxy tests for MEMORY_BUFFER_ALLOC test 2019-09-09 07:22:13 -04:00
Andrzej Kurek 9a461a1cd7 all.sh: restructure memory allocator tests
Run basic tests and ssl-opt with memory backtrace disabled, then
run basic tests only with it enabled.
2019-09-09 07:22:03 -04:00
Hanno Becker 7aad93c9da Add missing dependency in memory buffer alloc set in all.sh 2019-09-09 07:21:52 -04:00
Hanno Becker 19aa89ad47 Don't set MBEDTLS_MEMORY_DEBUG through scripts/config.pl full 2019-09-09 07:21:40 -04:00
Hanno Becker 8561115cb8 Add cfg dep MBEDTLS_MEMORY_DEBUG->MBEDTLS_MEMORY_BUFFER_ALLOC_C 2019-09-09 07:20:04 -04:00
Hanno Becker 167ae43852 Add all.sh run with full config and ASan enabled 2019-09-09 07:15:19 -04:00
Hanno Becker f5baaaaf89 Add all.sh run with MBEDTLS_MEMORY_BUFFER_ALLOC_C enabled
With the removal of MBEDTLS_MEMORY_BUFFER_ALLOC_C from the
full config, there are no tests for it remaining in all.sh.
This commit adds a build as well as runs of `make test` and
`ssl-opt.sh` with MBEDTLS_MEMORY_BUFFER_ALLOC_C enabled to all.sh.
2019-09-09 07:15:00 -04:00
Andrzej Kurek e1c62e6641 Update documentation of exceptions for config.pl full 2019-09-09 07:12:31 -04:00
Andrzej Kurek c7f97f1c8d Adapt all.sh to removal of buffer allocator from full config
Previously, numerous all.sh tests manually disabled the buffer allocator
or memory backtracting after setting a full config as the starting point.

With the removal of MBEDTLS_MEMORY_BACKTRACE and MBEDTLS_MEMORY_BUFFER_ALLOC_C
from full configs, this is no longer necessary.
2019-09-09 07:10:39 -04:00
Hanno Becker 26c333ac01 Disable memory buffer allocator in full config
This commit modifies `config.pl` to not set MBEDTLS_MEMORY_BUFFER_ALLOC
with the `full` option.
2019-09-09 06:34:30 -04:00
Hanno Becker 76ef31116b Check dependencies of MBEDTLS_MEMORY_BACKTRACE in check_config.h 2019-09-09 06:34:06 -04:00
Jaeden Amero 14c6762351 Merge remote-tracking branch 'origin/pr/2822' into mbedtls-2.7
* origin/pr/2822:
  Bump version to Mbed TLS 2.7.12
2019-09-06 13:35:10 +01:00
Jaeden Amero d7bd10dc89 Bump version to Mbed TLS 2.7.12 2019-09-06 13:28:28 +01:00
Jaeden Amero e1d93e5552 Merge remote-tracking branch 'origin/mbedtls-2.7' into mbedtls-2.7-restricted
* origin/mbedtls-2.7:
  ssl-opt.sh: wait for proxy to start before running the script further
2019-09-05 18:14:28 +01:00
Jaeden Amero 2396abfb8b Merge remote-tracking branch 'origin/pr/2816' into mbedtls-2.7
* origin/pr/2816:
  ssl-opt.sh: wait for proxy to start before running the script further
2019-09-05 14:24:25 +01:00
Unknown b86bcb4f71 ssl-opt.sh: wait for proxy to start before running the script further 2019-09-04 06:09:26 -04:00
Jaeden Amero 20b77ecb4a Merge remote-tracking branch 'origin/mbedtls-2.7' into mbedtls-2.7-restricted
* origin/mbedtls-2.7:
  Add ChangeLog entry
  fix memory leak in mpi_miller_rabin()
2019-09-03 19:42:50 +01:00
Jaeden Amero 68cfefee34 Merge remote-tracking branch 'origin/pr/2399' into mbedtls-2.7
* origin/pr/2399:
  Add ChangeLog entry
  fix memory leak in mpi_miller_rabin()
2019-09-03 16:32:06 +01:00
Jaeden Amero dfe95aefce Merge remote-tracking branch 'origin/mbedtls-2.7' into mbedtls-2.7-restricted
* origin/mbedtls-2.7:
  HMAC DRBG: Split entropy-gathering requests to reduce request sizes
2019-08-30 14:31:21 +01:00
Jaeden Amero 70ad1d3380 Merge remote-tracking branch 'origin/pr/2812' into mbedtls-2.7
* origin/pr/2812:
  HMAC DRBG: Split entropy-gathering requests to reduce request sizes
2019-08-30 13:03:42 +01:00
Hanno Becker b98e326455 HMAC DRBG: Split entropy-gathering requests to reduce request sizes
According to SP800-90A, the DRBG seeding process should use a nonce
of length `security_strength / 2` bits as part of the DRBG seed. It
further notes that this nonce may be drawn from the same source of
entropy that is used for the first `security_strength` bits of the
DRBG seed. The present HMAC DRBG implementation does that, requesting
`security_strength * 3 / 2` bits of entropy from the configured entropy
source in total to form the initial part of the DRBG seed.

However, some entropy sources may have thresholds in terms of how much
entropy they can provide in a single call to their entropy gathering
function which may be exceeded by the present HMAC DRBG implementation
even if the threshold is not smaller than `security_strength` bits.
Specifically, this is the case for our own entropy module implementation
which only allows requesting at most 32 Bytes of entropy at a time
in configurations disabling SHA-512, and this leads to runtime failure
of HMAC DRBG when used with Mbed Crypto' own entropy callbacks in such
configurations.

This commit fixes this by splitting the seed entropy acquisition into
two calls, one requesting `security_strength` bits first, and another
one requesting `security_strength / 2` bits for the nonce.

Fixes #237.
2019-08-30 12:16:55 +01:00
Gilles Peskine ad72522fad Merge remote-tracking branch 'upstream-restricted/mbedtls-2.7-proposed' into mbedtls-2.7-restricted 2019-08-14 16:30:13 +02:00
Gilles Peskine 3b8cf47004 Merge remote-tracking branch 'upstream-restricted/pr/508' into mbedtls-2.7-restricted 2019-08-14 16:25:10 +02:00
Gilles Peskine 298a43a77e Merge remote-tracking branch 'upstream-restricted/pr/549' into mbedtls-2.7-restricted 2019-08-14 16:24:51 +02:00
Gilles Peskine ab327dfec7 Merge remote-tracking branch 'upstream-restricted/pr/614' into mbedtls-2.7-restricted 2019-08-14 16:24:08 +02:00
Gilles Peskine 0e08fff32f Merge remote-tracking branch 'upstream-public/pr/2737' into mbedtls-2.7 2019-08-14 16:00:47 +02:00
Gilles Peskine c7ad7ed185 Merge remote-tracking branch 'upstream-public/pr/2755' into mbedtls-2.7 2019-08-14 15:59:21 +02:00
Gilles Peskine bed094b1ca Merge remote-tracking branch 'upstream-public/pr/2787' into mbedtls-2.7 2019-08-14 15:57:37 +02:00
Gilles Peskine 6ad89c2a3a Exclude DTLS 1.2 only with older OpenSSL
compat.sh used to skip OpenSSL altogether for DTLS 1.2, because older
versions of OpenSSL didn't support it. But these days it is supported.

We don't want to use DTLS 1.2 with OpenSSL unconditionally, because we
still use legacy versions of OpenSSL to test with legacy ciphers. So
check whether the version we're using supports it.
2019-08-13 11:44:30 +02:00