Commit graph

10500 commits

Author SHA1 Message Date
Andrzej Kurek e601bcee00
Add flow control to tinycrypt verification
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-06-01 07:31:15 -04:00
Piotr Nowicki e071e42480
Merge pull request #3336 from piotr-now/baremetal_flowmon
Increasing resistance to fault injection attacks related with memory operations.
2020-06-01 08:09:26 +02:00
Piotr Nowicki f0ab6d62ac Added some descriptions of functions
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-05-27 15:35:44 +02:00
Piotr Nowicki 1a9d33e8c8 Start comparison from a random location in the uECC_vli_equal.
This increases security and increases resistance to the side channel leakage.

Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-05-27 15:34:49 +02:00
Andrzej Kurek fc7c69df25
Merge pull request #3330 from AndrzejKurek/merge-2.16-8b34fef
Merge mbedtls-2.16 commit 8b34fef into baremetal
2020-05-27 10:00:59 +01:00
Andrzej Kurek 8ac4a55402
test_suite_x509parse: shorten test names
Change "Certificate" to "CRT" to shorten the test name and blend in
between surrounding tests.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-05-25 10:21:14 -04:00
Andrzej Kurek 220e61478f
Add a x509 prerequisite in x509_internal.h
Lack of this requirement caused warning when compiling the 
x509 test suites with config-thread.h from example configs,
resulting in an error when running from test-ref-configs.pl.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-05-21 10:13:38 -04:00
Manuel Pégourié-Gonnard 13bebd0edb
Keep SSL context const when hw accel is disabled
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-05-21 10:13:26 -04:00
Andrzej Kurek e861e704c0
Rename md_info_t to md_handle_t in test_suite_entropy
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-05-21 10:13:11 -04:00
Manuel Pégourié-Gonnard 731d7c0dcc
Fix lack of cookie check on hard reconnect
Section 4.2.8 of RFC 6347 describes how to handle the case of a DTLS client
establishing a new connection using the same UDP quartet as an already active
connection, which we implement under the compile option
MBEDTLS_SSL_DLTS_CLIENT_PORT_REUSE. Relevant excerpts:

    [the server] MUST NOT destroy the existing
    association until the client has demonstrated reachability either by
    completing a cookie exchange or by completing a complete handshake
    including delivering a verifiable Finished message.
    [...]
    The reachability requirement prevents
    off-path/blind attackers from destroying associations merely by
    sending forged ClientHellos.

Our code chooses to use a cookie exchange for establishing reachability, but
unfortunately that check was effectively removed in a recent refactoring,
which changed what value ssl_handle_possible_reconnect() needs to return in
order for ssl_get_next_record() (introduced in that refactoring) to take the
proper action. Unfortunately, in addition to changing the value, the
refactoring also changed a return statement to an assignment to the ret
variable, causing the function to reach the code for a valid cookie, which
immediately destroys the existing association, effectively bypassing the
cookie verification.

This commit fixes that by immediately returning after sending a
HelloVerifyRequest when a ClientHello without a valid cookie is found. It also
updates the description of the function to reflect the new return value
convention (the refactoring updated the code but not the documentation).

The commit that changed the return value convention (and introduced the bug)
is 2fddd3765e, whose commit message explains the
change.

Note: this bug also indirectly caused the ssl-opt.sh test case "DTLS client
reconnect from same port: reconnect" to occasionally fail due to a race
condition between the reception of the ClientHello carrying a valid cookie and
the closure of the connection by the server after noticing the ClientHello
didn't carry a valid cookie after it incorrectly destroyed the previous
connection, that could cause that ClientHello to be invisible to the server
(if that message reaches the server just before it does `net_close()`). A
welcome side effect of this commit is to remove that race condition, as the
new connection will immediately start with a ClientHello carrying a valid
cookie in the SSL input buffer, so the server will not call `net_close()` and
not risk discarding a better ClientHello that arrived in the meantime.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-05-21 10:12:25 -04:00
Piotr Nowicki 4aaa34c03f Add flow monitor protection to mbedtls_platform_memcmp()
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-05-20 16:50:24 +02:00
Andrzej Kurek 825ebd483f
Merge mbedtls 2.16.6 into baremetal
Conflicts:
mbedtls.doxyfile - PROJECT_NAME - mbed TLS v2.16.6 chosen.
doc_mainpage.h - mbed TLS v2.16.6 version chosen.
hmac_drbg.h - line 260, extended description chosen.
            - line 313, extended description chosen.
            - line 338, extended description chosen.
version.h - 2.16.6 chosen.
CMakeLists.txt - 2.16.6 chosen.
test_suite_version.data - 2.16.6 chosen.
Makefile - 141 - manual correction - baremetal version of C_SOURCE_FILES
                 with variables for directories plus 2.16.6 CTAGS addition.
pkparse.c - lines 846 onwards - the asn1_get_nonzero_mpi implementation chosen.
ssl_tls.c - line 5269 - edited manually, left the ret=0, because baremetal has
            a different behaviour since commit 87b5626, but added a debug
            message that's new in 2.16.6.    
all.sh:
- component_build_deprecated - chosen the refactored version from 2.16.6,
                               but with extra flags from baremetal.
- rest of the _no_xxx tests - merged make options to have PTHREAD=1 and
                              other changes from 2.16.6 (like -O1 instead of -O0).
- component_build_arm_none_eabi_gcc_no_64bit_multiplication - added 
                              TINYCRYPT_BUILD=0 to the 2.16.6 version of make.

x509/req_app.c - left baremetal log but with mbedtls_exit( 0 ) call.
x509/crl_app.c - left baremetal log but with mbedtls_exit( 0 ) call.
x509/cert_app.c - left baremetal log but with mbedtls_exit( 0 ) call.
ssl/ssl_mail_client.c - left baremetal log but with mbedtls_exit( 0 ) call.
ssl/ssl_pthread_server.c - left baremetal log but with mbedtls_exit( 0 ) call.
ssl/ssl_fork_server.c - left baremetal log but with mbedtls_exit( 0 ) call.
ssl_client1.c - line 54 - left baremetal log but with mbedtls_exit( 0 ) call.
ssl_client2.c - line 54 - left baremetal log but with mbedtls_exit( 0 ) call.
              - line 132 - new options of both branches added.
              - skip close notify handled as in 2.16.6, but with `ssl` instead of `&ssl`.
              - Merged the 2.16.6 usage split with additional baremetal usages.
              - Merged options from baremetal and 2.16.6.
ssl_server.c - left baremetal log but with mbedtls_exit( 0 ) call.
ssl_server2.c - Merged the 2.16.6 usage split with additional baremetal usages.
config.pl - fixed missing defines from the documentation, removed duplicates,
            and reorganised so that the documentation and excluded list
            are ordered in the same way.
test_suite_x509parse.data - only added the two new pathlen tests.
x509_crt.c - change the return code by removing
             MBEDTLS_ERR_X509_INVALID_EXTENSIONS, since it's added by
             x509_crt_frame_parse_ext not by an "or", but by "+=".
Changelog - Assigned all entries to appropriate sections.
ssl-opt.sh - line 8263 - merged options.
           - removed lines 1165 - 1176 - there was a duplicate test, probably
             an artifact of previous merges.
check-files.py - sticked to old formatting.

Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-05-18 11:47:25 -04:00
Simon Butcher 2d21e3e47b
Merge pull request #3044 from sbutcher-arm/merge-2.16-sprint27
[baremetal] Update `baremetal` branch with updates from `mbedtls-2.16` branch
2020-04-03 15:31:46 +01:00
Janos Follath f3a13486f4 Revert "Merge pull request #3012 from Patater/dev/jp-bennett/development-2.16"
This reverts commit 7550e857bf, reversing
changes made to d0c2575324.

stat() will never return S_IFLNK as the file type, as stat()
explicitly follows symlinks.

Fixes #3005.
2020-03-13 17:08:43 +00:00
Gilles Peskine a4c1c4b55d Test GCC and Clang with common build options
Goals:
* Build with common compilers with common options, so that we don't
  miss a (potentially useful) warning only triggered with certain
  build options.
* A previous commit removed -O0 test jobs, leaving only the one with
  -m32. We have inline assembly that is disabled with -O0, falling
  back to generic C code. This commit restores a test that runs the
  generic C code on a 64-bit platform.
2020-03-13 17:06:18 +00:00
Gilles Peskine 06c1e23960 Replace -O0 by -O1 or -Os in most components
Gcc skips some analyses when compiling with -O0, so we may miss
warnings about things like uninitialized variables.
2020-03-13 17:06:18 +00:00
Gilles Peskine f5faa25cf4 shrink tests: clearer description 2020-03-13 16:23:45 +00:00
Gilles Peskine 7313e2caff Move test functions from Lilliput to Blefuscu
We normally represent bignums in big-endian order and there is no
reason to deviate here.
2020-03-13 16:23:45 +00:00
Gilles Peskine 8830bd2447 Minor comment improvement 2020-03-13 16:23:45 +00:00
Gilles Peskine 0660747057 Improve comments in mpi_shrink 2020-03-13 16:23:45 +00:00
Gilles Peskine 51c2e06eb8 mpi_copy: make the 0 case slightly more robust
If Y was constructed through functions in this module, then Y->n == 0
iff Y->p == NULL. However we do not prevent filling mpi structures
manually, and zero may be represented with n=0 and p a valid pointer.
Most of the code can cope with such a representation, but for the
source of mbedtls_mpi_copy, this would cause an integer underflow.
Changing the test for zero from Y->p==NULL to Y->n==0 causes this case
to work at no extra cost.
2020-03-13 16:23:45 +00:00
Gilles Peskine edb621b84a Better coverage for copy and swap
Cover more cases: different signs, different zeronesses, repeated
argument.
2020-03-13 16:23:45 +00:00
Gilles Peskine 16fca92e3d Bignum copy/shrink: More precise test case descriptions 2020-03-13 16:23:45 +00:00
Gilles Peskine 95ce7dab34 Fix duplicated Bugfix section in the changelog 2020-03-13 16:23:45 +00:00
Gilles Peskine a32e45d632 Add changelog entry 2020-03-13 16:21:44 +00:00
Manuel Pégourié-Gonnard d817f54077 De-duplicate SHA1-independent test in ssl-opt.sh
The splitting of this test into two versions depending on whether SHA-1 was
allowed by the server was a mistake in
5d2511c4d4 - the test has nothing to do with
SHA-1 in the first place, as the server doesn't request a certificate from
the client so it doesn't matter if the server accepts SHA-1 or not.
2020-03-13 16:21:44 +00:00
Manuel Pégourié-Gonnard 7006ca10d9 Fix ssl-opt.sh for GnuTLS versions rejecting SHA-1
While the whole script makes (often implicit) assumptions about the version of
GnuTLS used, generally speaking it should work out of the box with the version
packaged on our reference testing platform, which is Ubuntu 16.04 so far.

With the update from Jan 8 2020 (3.4.10-4ubuntu1.6), the patches for rejecting
SHA-1 in certificate signatures were backported, so we should avoid presenting
SHA-1 signed certificates to a GnuTLS peer in ssl-opt.sh.
2020-03-13 16:21:44 +00:00
Jack Lloyd 32b6e6984d Parse RSA parameters DP, DQ and QP from PKCS1 private keys
Otherwise these values are recomputed in mbedtls_rsa_deduce_crt, which
currently suffers from side channel issues in the computation of QP
(see https://eprint.iacr.org/2020/055). By loading the pre-computed
values not only is the side channel avoided, but runtime overhead of
loading RSA keys is reduced.

Discussion in https://github.com/ARMmbed/mbed-crypto/issues/347

Backport of https://github.com/ARMmbed/mbed-crypto/pull/352
2020-03-13 16:21:44 +00:00
Manuel Pégourié-Gonnard 9a5c8d4b5b Fix previous ChangeLog merging error 2020-03-13 16:21:44 +00:00
Manuel Pégourié-Gonnard 7489f81be7 Fix contributor names in ChangeLog 2020-03-13 16:21:44 +00:00
Jaeden Amero 99999b73b1 Add ChangeLog entry
Add a ChangeLog entry for Jonathan Bennett's contribution which allows
loading symlinked certificates.
2020-03-13 16:21:44 +00:00
Jonathan Bennett b9082ed820 Allow loading symlinked certificates
When mbedtls_x509_crt_parse_path() checks each object in the supplied path, it only processes regular files. This change makes it also accept a symlink to a file. Fixes #3005.

This was observed to be a problem on Fedora/CentOS/RHEL systems, where the ca-bundle in the default location is actually a symlink.
2020-03-13 15:37:54 +00:00
Gilles Peskine 0f14c15842 Add missing return code check on calls to mbedtls_md() 2020-03-13 15:37:54 +00:00
Gilles Peskine a48fe01f15 Check that mbedtls_mpi_grow succeeds 2020-03-13 15:37:54 +00:00
Gilles Peskine 010efeb5a2 Remove redundant block_size validity check
Check the value only once, as soon as we've obtained it.
2020-03-13 15:37:54 +00:00
Manuel Pégourié-Gonnard aa377cf111 Fix incrementing pointer instead of value
This was introduced by a hasty search-and-replace that didn't account for C's
operator precedence when changing those variables to pointer types.
2020-03-13 15:37:54 +00:00
Gilles Peskine c0213a91ab Add changelog entry for the unchecked mbedtls_md call 2020-03-13 15:37:03 +00:00
Gilles Peskine 140f50206e Add missing return code check on call to mbedtls_md() 2020-03-13 15:36:05 +00:00
Janos Follath e7b49d3cd1 Bump version to Mbed TLS 2.16.4 2020-03-13 15:36:05 +00:00
Manuel Pégourié-Gonnard 10a7f626d9 Add test for record compression in ssl-opt.sh
Deprecated but still needs to be tested.
2020-03-13 15:36:05 +00:00
Gilles Peskine 8b7f03f172 Catch AES failure in mbedtls_ctr_drbg_random
The functions mbedtls_ctr_drbg_random() and
mbedtls_ctr_drbg_random_with_add() could return 0 if an AES function
failed. This could only happen with alternative AES
implementations (the built-in implementation of the AES functions
involved never fail), typically due to a failure in a hardware
accelerator.

Bug reported and fix proposed by Johan Uppman Bruce and Christoffer
Lauri, Sectra.
2020-03-13 15:36:04 +00:00
Gilles Peskine bcdd8bcfcf Enable more test cases without MBEDTLS_MEMORY_DEBUG
None of the test cases in tests_suite_memory_buffer_alloc actually
need MBEDTLS_MEMORY_DEBUG. Some have additional checks when
MBEDTLS_MEMORY_DEBUG but all are useful even without it. So enable
them all and #ifdef out the parts that require DEBUG.
2020-03-13 15:27:12 +00:00
Gilles Peskine 6a1ec6abea More accurate test case description 2020-03-13 15:27:12 +00:00
Gilles Peskine 8064dbb646 Clarify that the "FATAL" message is expected
The test case "Memory buffer small buffer" emits a message
"FATAL: verification of first header failed". In this test case, it's
actually expected, but it looks weird to see this message from a
passing test. Add a comment that states this explicitly, and modify
the test description to indicate that the failure is expected, and
change the test function name to be more accurate.

Fix #309
2020-03-13 15:27:12 +00:00
Andrzej Kurek a8405447aa Zeroize local AES variables before exiting the function
This issue has been reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
Grant Hernandez, and Kevin Butler (University of Florida) and
Dave Tian (Purdue University).

In AES encrypt and decrypt some variables were left on the stack. The value
of these variables can be used to recover the last round key. To follow best
practice and to limit the impact of buffer overread vulnerabilities (like
Heartbleed) we need to zeroize them before exiting the function.
2020-03-13 15:27:12 +00:00
Janos Follath e9db2aa5b4 mpi_lt_mpi_ct: fix condition handling
The code previously only set the done flag if the return value was one.
This led to overriding the correct return value later on.
2020-03-13 15:25:40 +00:00
Janos Follath 47b56a159e mpi_lt_mpi_ct: Add further tests
The existing tests did not catch a failure that came up at integration
testing. Adding the missing test cases to trigger the bug.
2020-03-13 15:25:40 +00:00
Janos Follath 006b207de6 mpi_lt_mpi_ct: Fix test numbering 2020-03-13 15:25:40 +00:00
Janos Follath d2aa4aa454 mpi_lt_mpi_ct perform tests for both limb size
The corner case tests were designed for 32 and 64 bit limbs
independently and performed only on the target platform. On the other
platform they are not corner cases anymore, but we can still exercise
them.
2020-03-13 15:25:40 +00:00
Janos Follath 3d2b769d1c ct_lt_mpi_uint: cast the return value explicitely
The return value is always either one or zero and therefore there is no
risk of losing precision. Some compilers can't deduce this and complain.
2020-03-13 15:25:40 +00:00