Commit graph

10351 commits

Author SHA1 Message Date
Simon Butcher 7d2434fac2 Merge remote-tracking branch 'public/pr/2973' into baremetal 2020-01-03 15:52:36 +00:00
Darryl Green 029fe86c53 Fix some pylint warnings
Fix a too-long line to meet PEP8 standards
2020-01-03 13:41:20 +00:00
Simon Butcher 1b370a63ec Merge remote-tracking branch 'public/pr/2960' into baremetal 2019-12-27 18:18:22 +00:00
Simon Butcher 58813498f7 Merge remote-tracking branch 'public/pr/2957' into baremetal 2019-12-27 18:18:04 +00:00
Jarno Lamsa 5aa4c07b85 Minor review fixes 2019-12-20 13:09:27 +02:00
Jarno Lamsa 015aa44b93 Make authmode volatile
This is to enforce reading it from memory for the double
check to prevent compiler from optimising it away.
2019-12-20 12:09:37 +02:00
Jarno Lamsa af60cd7698 Protect the peer_authenticated flag more
Add more protection to the flag preventing attacker
possibly to glitch using faulty certificate.
2019-12-20 10:50:33 +02:00
Jarno Lamsa 616fbe177c Increase hamming distance for authmode
Prevent glitching mode by single bit flipping.
2019-12-19 17:07:35 +02:00
Jarno Lamsa 8d09e5744c Increase hamming distance for session resume flag
This is to prevent glitching a single bit for the resume flag.
2019-12-19 17:07:35 +02:00
Jarno Lamsa 489dccd158 Adress review comments 2019-12-19 17:07:35 +02:00
Jarno Lamsa 88db2ae9a0 Use Platform fault when double check fails 2019-12-19 17:07:35 +02:00
Jarno Lamsa f5b6af01d3 Fix double check in entropy_gather_internal
The double check was wrong way, glitching either check
could have compromised the flow there.
2019-12-19 17:07:29 +02:00
Jarno Lamsa afff4d0679 Remove unused flag 2019-12-19 14:41:56 +02:00
Jarno Lamsa 06164057b3 Check that we have all the proper keys
The proper keys should be set at the end of
the handshake, if not, fail the handshake.
2019-12-19 14:40:36 +02:00
Jarno Lamsa e1621d4700 Check that the peer_authenticated flag
Check that the peer has been authenticated in the end
of the handshake.
2019-12-19 14:29:24 +02:00
Jarno Lamsa ba4730fe4c Protect setting of peer_authenticated flag
Use flow counting and double checks when setting the flag.
Also protect the flow to prevent causing a glitch.
2019-12-19 09:43:25 +02:00
Jarno Lamsa 4031a45019 Protect key_derivation_done flag
The flag is used to track that the key derivation
has been done.
2019-12-19 09:43:25 +02:00
Jarno Lamsa 67f0a1e833 Protect setting of premaster_generated flag
The flag is used for tracking if the premaster has
been succesfully generated. Note that when resuming
a session, the flag should not be used when trying to
notice if all the key generation/derivation has been done.
2019-12-19 09:43:19 +02:00
Jarno Lamsa 98801af26b Protect setting of hello_random flag
The handshake flag tells when the handshake hello.random
is set and can be used later to decide if we have the correct
keys.
2019-12-19 09:02:02 +02:00
Jarno Lamsa b57d7fd568 Add flags for protecting TLS state machine
Flags are there to prevent skipping vital parts of the TLS
handshake.
2019-12-19 09:01:54 +02:00
Jarno Lamsa 6122b59042 Address review comments 2019-12-19 07:56:10 +02:00
Jarno Lamsa 46afd5d8fa Fix CI issues
Default flow assumes failure causes multiple issues with
compatibility tests when the return value is initialised
with error value in ssl_in_server_key_exchange_parse.
The function would need a significant change in structure for this.
2019-12-19 07:56:10 +02:00
Jarno Lamsa 91dbb79ae4 Fix error return code 2019-12-19 07:56:10 +02:00
Jarno Lamsa b83a2136d6 Protect the return value from mbedtls_pk_verify
Add double checks to the return value and default flow assumes
failure.
2019-12-19 07:56:10 +02:00
Jarno Lamsa 47aab8da8a Protect return value from mbedtls_pk_verify
Use double checks and default flow assumes failure.
2019-12-19 07:56:10 +02:00
Jarno Lamsa 83a56a630a Double check mbedtls_pk_verify
The verification could be skipped in server, changed the default flow
so that the handshake status is ever updated if the verify
succeeds, and that is checked twice.
2019-12-19 07:56:10 +02:00
Jarno Lamsa 9e8e820993 Increase hamming distance for some error codes
The MBEDTLS_ERR_SSL_WANT_READ and MBEDTLS_ERR_SSL_WANT_WRITE are
errors that can be ignored, so increase the hamming distance between
them and the non-ignorable errors and keep still some distance from
a success case. This mitigates an attack where single bit-flipping could
change a non-ignorable error to being an ignorable one.
2019-12-19 07:56:10 +02:00
Jarno Lamsa acb5eb00ca Add a double check to protect from glitch
Check that the encryption has been done for the outbut buffer.
This is to ensure that glitching out the encryption doesn't
result as a unecrypted buffer to be sent.
2019-12-19 07:56:10 +02:00
Jarno Lamsa d05da1fa45 Add double check for checking if source is strong
To prevent glitching past a strong source.
2019-12-19 07:56:10 +02:00
Jarno Lamsa 552e8f2d6a Add double check to entropy-loop
To prevent glitching and going through without strong source
2019-12-19 07:56:10 +02:00
Jarno Lamsa 4708d66af5 Change the mbedtls_ssl_states values
The changed values have now the minimum hamming distance
of 16 from each other. This is to prevent changing the state
by just flipping one bit.
2019-12-19 07:56:10 +02:00
Jarno Lamsa b01800974f Use invalid state
If mismatch in the state has been noticed, use
the invalid state.
2019-12-19 07:56:10 +02:00
Jarno Lamsa 70abd7aadc Add enumeration for invalid state
The invalid state can be used when state-mismatch is noticed.
The invalid state should report a FI-alert upwards.
2019-12-19 07:56:10 +02:00
Jarno Lamsa 2b20516b60 Make TLS state changes explicit
This is to enable hardening the security when changing
states in state machine so that the state cannot be changed by bit flipping.
The later commit changes the enumerations so that the states have large
hamming distance in between them to prevent this kind of attack.
2019-12-19 07:56:10 +02:00
Manuel Pégourié-Gonnard a4b421819b Fix way to access the RNG for ECDSA counter-measures
Duplicating the g_rng_function variable in ecc_dsa.c means it's not the same
as set in ecc.c, resulting if no randomisation here. The proper way to access
the RNG function from outside ecc.c is uECC_get_rng(), so use that.

This is a side-port of upstream commit
87d74dd8d64a99aaa188961fe763d0841c5abfef

I've verified that there are no other occurrences (the duplication of
g_rng_function in ecc_dh.c had already been removed earlier when centralising
projective coordinate randomisation to mult_safer()).
2019-12-18 10:29:58 +01:00
Simon Butcher 171f422109 Merge remote-tracking branch 'public/pr/2952' into baremetal 2019-12-13 14:51:40 +00:00
Simon Butcher e76c638d6f Merge remote-tracking branch 'public/pr/2925' into baremetal 2019-12-13 14:51:29 +00:00
Arto Kinnunen 6ce4988768 AES FI resistance
Add FI countermeasures to AES.
2019-12-10 15:00:37 +02:00
Arto Kinnunen 76deef9fca Update AES SCA random number function
-Replace usage of rand() with mbedtls_platform_random_in_range()
-Prevent for-ever loop by hardcoding SCA countermeasure position in
 case of used random function is always returning constant number.
2019-12-10 14:54:43 +02:00
Arto Kinnunen f44f7d465a AES CM review corrections
-Use separate control bytes for start and final round to get them
 randomized separately.
-Remove struct name.
-Fix comments and follow Mbed TLS coding style.
2019-12-10 14:54:43 +02:00
Arto Kinnunen 34139ba9fc Updates to AES countermeasures
-Update comments regarding flag MBEDTLS_AES_SCA_COUNTERMEASURES
-Remove MBEDTLS_AES_SCA_COUNTERMEASURES dependency check
-More comments and coding style changes
2019-12-10 14:54:43 +02:00
Arto Kinnunen be1bb06acd Enable AES countermeasures in baremetal config
Enable AES countermeasures in baremetal configuration.
2019-12-10 14:54:43 +02:00
Arto Kinnunen 7543901b6a Follow Mbed TLS coding style
Fix remaining if-clauses.
2019-12-10 14:54:43 +02:00
Arto Kinnunen 425137a0fa Follow Mbed TLS coding style
-Fix multiple for clauses
-Remove redundant check
2019-12-10 14:54:43 +02:00
Arto Kinnunen c3532c2339 Improve SCA CM AES performance
SCA CM implementation caused AES performance drop. For example
AES-CCM-128 calculation speed was dropped from 240 KB/s to 111 KB/s.
(-54%), Similarily AES-CBC-128 calculation speed was dropped from
536 KB/s to 237 KB/s (-56%).

Use functions instead of macros to reduce code indirections and
therefore increase performance. Now the performance is 163 KB/s for
AES-CCM-128 (-32%) and 348 KB/s for AES-CBC-128 (-35%).

When SCA countermeasures are activated the performance is as follows:
122 KB/s for AES-CCM-128 (-49%) and 258 KB/s for AES-CBC-128 (-52%)
compared to the original AES implementation.
2019-12-10 14:54:43 +02:00
Arto Kinnunen 172836a281 Rework AES countermeasures implementation
Use control bytes to instruct AES calculation rounds. Each
calculation round has a control byte that indicates what data
(real/fake) is used and if any offset is required for AES data
positions.

First and last AES calculation round are calculated with SCA CM data
included. The calculation order is randomized by the control bytes.

Calculations between the first and last rounds contains 3 SCA CMs
in randomized positions.
2019-12-10 14:54:43 +02:00
Arto Kinnunen b2be92e2c7 Update AES SCA flag to version_features.c 2019-12-10 14:54:43 +02:00
Arto Kinnunen 43980a09e0 Add AES SCA countermeasures to query_config
Add MBEDTLS_AES_SCA_COUNTERMEASURES flag to query_config so that
flag value can be queried.
2019-12-10 14:54:43 +02:00
Arto Kinnunen 2231138c18 Disable AES SCA countermeasures from full config
Disable AES SCA countermeasures from full config. Otherwise
check_config will break the builds due inproper configuration.
2019-12-10 14:54:43 +02:00
Arto Kinnunen 45a475f293 Follow Mbed TLS coding style 2019-12-10 14:54:43 +02:00