Commit graph

5822 commits

Author SHA1 Message Date
Janos Follath 0435cd8c23 Bump version to Mbed TLS 2.23.0
Executed "./scripts/bump_version.sh --version 2.23.0 --so-crypto 5"

A symbol has been removed from the mbedcrypto library since the last
release:
mbedtls_ecc_group_to_psa ( enum mbedtls_ecp_group_id grpid,
                           size_t* bits )

This is an ABI break and we need to increase the SO version.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-06-29 22:41:30 +01:00
Janos Follath 4d1884916b Merge branch 'development-restricted' into mbedtls-2.23.0r0 2020-06-25 09:17:25 +01:00
Manuel Pégourié-Gonnard 1cb2beb905
Merge pull request #3423 from niacat/sysctl-arnd
entropy: Add support for BSD sysctl(KERN_ARND)
2020-06-25 09:34:20 +02:00
nia 8373c86628 entropy: Adjust parameter type of internal function to avoid a cast
Signed-off-by: nia <nia@netbsd.org>
2020-06-24 17:16:33 +01:00
nia e3fdcfa45c entropy: Avoid arithmetic on void pointer
Signed-off-by: nia <nia@netbsd.org>
2020-06-23 21:03:31 +01:00
Manuel Pégourié-Gonnard 1c7d54a209
Merge pull request #700 from mpg/l13-hw-starts-finish-restricted
Lucky 13: just use starts/finish around calls to process()
2020-06-23 10:43:13 +02:00
Gilles Peskine dda104558b
Merge pull request #3419 from ndilieto/development
Pass "certificate policies" extension to callback
2020-06-23 09:35:45 +02:00
Gilles Peskine e81dc00df4
Merge pull request #3422 from niacat/net-sockets-fixes
NetBSD 9.0 build fixes
2020-06-22 23:33:53 +02:00
nia f4d9f21b9b entropy: Rename sysctl_wrapper to sysctl_arnd_wrapper
Signed-off-by: nia <nia@netbsd.org>
2020-06-19 16:17:06 +01:00
Manuel Pégourié-Gonnard 1215c54754 Add length check in ecp_drbg_seed()
While this is a static function, so right now we know we don't need the check,
things may change in the future, so better be on the safe side.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-19 11:59:49 +02:00
Janos Follath 0c00407432
Merge pull request #3430 from bensze01/license
[Forward-port] Add Apache-2.0 headers to all source files
2020-06-18 15:54:26 +01:00
Manuel Pégourié-Gonnard 4539a45cbf Use fixed-length encoding for internal RNG seed
CTR-DRBG and HMAC-DRBG may used the seed differently depending on its length.
To avoid leaks, pass them a constant-length seed.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-18 12:27:56 +02:00
Nicola Di Lieto c84b1e6aa0 Pass "certificate policies" extension to callback
Pass the "certificate policies" extension to the callback supplied to
mbedtls_x509_crt_parse_der_with_ext_cb() if it contains unsupported
policies. This allows the callback to fully replicate the behaviour
of the deprecated MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
configuration.

Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
2020-06-17 17:55:29 +02:00
danh-arm c4b6656a91
Merge pull request #3405 from AndrzejKurek/variable-buffers-cid-serialization
Update iv and len context pointers manually when reallocating buffers
2020-06-17 12:26:24 +01:00
Andrzej Kurek b657783269
Update iv and len context pointers manually when reallocating buffers
These fields might be shifted accordingly in `ssl_parse_record_header()`
when receiving a connection with CID, so they require a manual update
after calling the generic `mbedtls_ssl_reset_in_out_pointers()`.

This commit also adds a regression test which is run by all.sh.

Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-06-16 11:54:51 -04:00
Bence Szépkúti 869746577a Add Apache-2.0 headers to all source files
Also normalize the first line of the copyright headers.

This commit was generated using the following script:

# ========================
#!/bin/sh

# Find scripts
find -path './.git' -prune -o '(' -name '*.c' -o -name '*.cpp' -o -name '*.fmt' -o -name '*.h' ')' -print | xargs sed -i '

# Normalize the first line of the copyright headers (no text on the first line of a block comment)
/^\/\*.*Copyright.*Arm/I {
  i\
/*
  s/^\// /
}

/Copyright.*Arm/I {

  # Print copyright declaration
  p

  # Read the two lines immediately following the copyright declaration
  N
  N

  # Insert Apache header if it is missing
  /SPDX/! i\
 *  SPDX-License-Identifier: Apache-2.0\
 *\
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may\
 *  not use this file except in compliance with the License.\
 *  You may obtain a copy of the License at\
 *\
 *  http://www.apache.org/licenses/LICENSE-2.0\
 *\
 *  Unless required by applicable law or agreed to in writing, software\
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT\
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\
 *  See the License for the specific language governing permissions and\
 *  limitations under the License.

  # Clear copyright declaration from buffer
  D
}
'
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-06-16 17:38:44 +02:00
Manuel Pégourié-Gonnard f4e3fc9133 Use starts/finish around Lucky 13 dummy compressions
Fixes #3246

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-15 11:55:53 +02:00
Manuel Pégourié-Gonnard a92e3def48
Merge pull request #873 from hanno-arm/ssl_write_client_hello
Bounds checks in ssl_write_client_hello
2020-06-15 10:57:51 +02:00
nia 9f5312cc4e entropy: Add support for BSD sysctl(KERN_ARND)
This is basically the same as reading from /dev/urandom on supported
systems, only it has a limit of 256 bytes per call, and does not require
an open file descriptor (so it can be used in chroots, when resource
limits are in place, or are otherwise exhausted).

It's functionally equivalent to the comparable function getentropy(),
but has been around for longer. It's actually used to implement
getentropy in FreeBSD's libc. Discussions about adding getrandom or
getentropy to NetBSD are still ongoing.

It's present in all supported versions of FreeBSD and NetBSD.
It's not present in DragonFly or OpenBSD.

Documentation: https://netbsd.gw.com/cgi-bin/man-cgi?sysctl+7

Comparable code in OpenSSL:
ddec332f32/crypto/rand/rand_unix.c (L208)

Signed-off-by: nia <nia@netbsd.org>
2020-06-11 14:08:00 +01:00
nia 0b01fd9b67 net_sockets: Fix building on NetBSD 9.0
Fixes #2310

Signed-off-by: nia <nia@netbsd.org>
2020-06-11 14:05:25 +01:00
Ronald Cron 5ee5707521 ssl_client: Align line breaking with MBEDTLS_SSL_DEBUG_*
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-06-11 09:34:06 +02:00
Manuel Pégourié-Gonnard 87a51aa08e
Merge pull request #3243 from ndilieto/development
New mbedtls_x509_crt_parse_der_with_ext_cb() routine
2020-06-10 12:59:58 +02:00
Manuel Pégourié-Gonnard 25705e6757
Fix typo in a comment
Co-authored-by: Janos Follath <janos.follath@arm.com>
2020-06-10 09:18:25 +02:00
Janos Follath 3c4a46c44a
Merge pull request #3398 from gilles-peskine-arm/montmul-cmp-branch-development
Remove a secret-dependent branch in Montgomery multiplication
2020-06-09 12:40:51 +01:00
Gilles Peskine 09ec10a32e Clean up some comments
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-09 10:39:38 +02:00
Gilles Peskine 0e5faf6407 mbedtls_mpi_sub_abs: check the range of the result when it happens
The function mbedtls_mpi_sub_abs first checked that A >= B and then
performed the subtraction, relying on the fact that A >= B to
guarantee that the carry propagation would stop, and not taking
advantage of the fact that the carry when subtracting two numbers can
only be 0 or 1. This made the carry propagation code a little hard to
follow.

Write an ad hoc loop for the carry propagation, checking the size of
the result. This makes termination obvious.

The initial check that A >= B is no longer needed, since the function
now checks that the carry propagation terminates, which is equivalent.
This is a slight performance gain.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-08 22:50:35 +02:00
Gilles Peskine 221626f2d3 Simplify the final reduction in mpi_montmul
There was some confusion during review about when A->p[n] could be
nonzero. In fact, there is no need to set A->p[n]: only the
intermediate result d might need to extend to n+1 limbs, not the final
result A. So never access A->p[n]. Rework the explanation of the
calculation in a way that should be easier to follow.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-08 22:37:50 +02:00
Gilles Peskine c097e9ea45 Move carry propagation out of mpi_sub_hlp
The function mpi_sub_hlp had confusing semantics: although it took a
size parameter, it accessed the limb array d beyond this size, to
propagate the carry. This made the function difficult to understand
and analyze, with a potential buffer overflow if misused (not enough
room to propagate the carry).

Change the function so that it only performs the subtraction within
the specified number of limbs, and returns the carry.

Move the carry propagation out of mpi_sub_hlp and into its caller
mbedtls_mpi_sub_abs. This makes the code of subtraction very slightly
less neat, but not significantly different.

In the one other place where mpi_sub_hlp is used, namely mpi_montmul,
this is a net win because the carry is potentially sensitive data and
the function carefully arranges to not have to propagate it.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-08 22:08:21 +02:00
Gilles Peskine 37ecc61836 More logical parameter order for mpi_sub_hlp
mpi_sub_hlp performs a subtraction A - B, but took parameters in the
order (B, A). Swap the parameters so that they match the usual
mathematical syntax.

This has the additional benefit of putting the output parameter (A)
first, which is the normal convention in this module.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-08 22:05:13 +02:00
Manuel Pégourié-Gonnard 9b8d34edd4 Avoid superflous randomization with restartable
Checking the budget only after the randomization is done means sometimes we
were randomizing first, then noticing we ran out of budget, return, come back
and randomize again before we finally normalize.

While this is fine from a correctness and security perspective, it's a minor
inefficiency, and can also be disconcerting while debugging, so we might as
well avoid it.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-08 09:53:20 +02:00
Manuel Pégourié-Gonnard d53ef2ffd1 Use HMAC_DRBG by default for ECP internal DRBG
It results in smaller code than using CTR_DRBG (64 bytes smaller on ARMv6-M
with arm-none-eabi-gcc 7.3.1), so let's use this by default when both are
available.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-08 09:10:11 +02:00
Manuel Pégourié-Gonnard 22b1de3097 Skip redundant checks for NULL f_rng
Unless MBEDTLS_ECP_NO_INTERNAL_RNG is defined, it's no longer possible for
f_rng to be NULL at the places that randomize coordinates.

Eliminate the NULL check in this case:
- it makes it clearer to reviewers that randomization always happens (unless
  the user opted out at compile time)
- a NULL check in a place where it's easy to prove the value is never NULL
  might upset or confuse static analyzers (including humans)
- removing the check saves a bit of code size

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-08 09:09:20 +02:00
Manuel Pégourié-Gonnard 53fb66db12 Add support for RESTARTABLE with internal RNG
Currently we draw pseudo-random numbers at the beginning and end of the main
loop. With ECP_RESTARTABLE, it's possible that between those two occasions we
returned from the multiplication function, hence lost our internal DRBG
context that lives in this function's stack frame. This would result in the
same pseudo-random numbers being used for blinding in multiple places. While
it's not immediately clear that this would give rise to an attack, it's also
absolutely not clear that it doesn't. So let's avoid that by using a DRBG
context that lives inside the restart context and persists across
return/resume cycles. That way the RESTARTABLE case uses exactly the
same pseudo-random numbers as the non-restartable case.

Testing and compile-time options:

- The case ECP_RESTARTABLE && !ECP_NO_INTERNAL_RNG is already tested by
  component_test_no_use_psa_crypto_full_cmake_asan.
- The case ECP_RESTARTABLE && ECP_NO_INTERNAL_RNG didn't have a pre-existing
  test so a component is added.

Testing and runtime options: when ECP_RESTARTABLE is enabled, the test suites
already contain cases where restart happens and cases where it doesn't
(because the operation is short enough or because restart is disabled (NULL
restart context)).

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-08 09:09:20 +02:00
Manuel Pégourié-Gonnard f2a9fcff62 Move internal drbg init to specific mul functions
While it seems cleaner and more convenient to set it in the top-level
mbedtls_ecp_mul() function, the existence of the restartable option changes
things - when it's enabled the drbg context needs to be saved in the restart
context (more precisely in the restart_mul sub-context), which can only be
done when it's allocated, which is in the curve-specific mul function.

This commit only internal drbg management from mbedtls_ecp_mul() to
ecp_mul_mxz() and ecp_mul_comb(), without modifying behaviour (even internal),
and a future commit will modify the ecp_mul_comb() version to handle restart
properly.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-08 09:09:20 +02:00
Manuel Pégourié-Gonnard c52a43c2bd Implement use of internal DRBG for ecp_mul()
The case of MBEDTLS_ECP_RESTARTABLE isn't handled correctly yet: in that case
the DRBG instance should persist when resuming the operation. This will be
addressed in the next commit.

When both CTR_DRBG and HMAC_DRBG are available, CTR_DRBG is preferred since
both are suitable but CTR_DRBG tends to be faster and I needed a tie-breaker.

There are currently three possible cases to test:

- NO_INTERNAL_RNG is set -> tested in test_ecp_no_internal_rng
- it's unset and CTR_DRBG is available -> tested in the default config
- it's unset and CTR_DRBG is disabled -> tested in
  test_ecp_internal_rng_no_ctr_drbg

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-08 09:09:20 +02:00
Manuel Pégourié-Gonnard 1a3f9edc08 Add config.h option MBEDTLS_ECP_NO_INTERNAL_RNG
No effect so far, except on dependency checking, as the feature it's meant to
disable isn't implemented yet (so the descriptions in config.h and the
ChangeLog entry are anticipation for now).

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-08 09:09:20 +02:00
Manuel Pégourié-Gonnard e860fef438
Merge pull request #3318 from Jonas4420/development
Fix potential memory leak in EC multiplication
2020-06-05 11:43:52 +02:00
Gilles Peskine 026f555df3 Explicitly cast down from mbedtls_mpi_uint to unsigned char
Let code analyzers know that this is deliberate. For example MSVC
warns about the conversion if it's implicit.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-05 10:48:25 +02:00
Gilles Peskine 132c0976e9 Remove a secret-dependent branch in Montgomery multiplication
In mpi_montmul, an auxiliary function for modular
exponentiation (mbedtls_mpi_mod_exp) that performs Montgomery
multiplication, the last step is a conditional subtraction to force
the result into the correct range. The current implementation uses a
branch and therefore may leak information about secret data to an
adversary who can observe what branch is taken through a side channel.

Avoid this potential leak by always doing the same subtraction and
doing a contant-trace conditional assignment to set the result.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-04 21:55:23 +02:00
Gilles Peskine f04d11e8b2 Separate out low-level mpi_safe_cond_assign
Separate out a version of mpi_safe_cond_assign that works on
equal-sized limb arrays, without worrying about allocation sizes or
signs.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-04 21:55:23 +02:00
Gilles Peskine 2a82f72703 Document some internal bignum functions
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-04 21:55:23 +02:00
Gilles Peskine 4e91d473c3 Revert "Shut up a clang-analyzer warning"
This reverts commit 2cc69fffcf.

A check was added in mpi_montmul because clang-analyzer warned about a
possibly null pointer. However this was a false positive. Recent
versions of clang-analyzer no longer emit a warning (3.6 does, 6
doesn't).

Incidentally, the size check was wrong: mpi_montmul needs
T->n >= 2 * (N->n + 1), not just T->n >= N->n + 1.

Given that this is an internal function which is only used from one
public function and in a tightly controlled way, remove both the null
check (which is of low value to begin with) and the size check (which
would be slightly more valuable, but was wrong anyway). This allows
the function not to need to return an error, which makes the source
code a little easier to read and makes the object code a little
smaller.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-04 21:55:17 +02:00
Gilles Peskine 742f1a4528 Add a const annotation to the non-changing argument of mpi_sub_mul
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-04 20:53:57 +02:00
Janos Follath bba4c17b7a
Merge pull request #3315 from hanno-arm/tls13-experimental-macro
Add support for TLS 1.3 record protection routines
2020-06-04 15:51:54 +01:00
Hanno Becker f486e28694 Document precondition of nonce-generating function in ssl_msg.c
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-06-04 13:33:08 +01:00
Hanno Becker 15952814d8 Improve documentation of nonce-generating function in ssl_msg.c
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-06-04 13:31:46 +01:00
Hanno Becker 1cda2667af Spell out check for non-zero'ness
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-06-04 13:28:44 +01:00
Hanno Becker 16bf0e2346 Fix debug print of explicit IV
The previous version attempted to write the explicit IV from
the destination buffer before it has been written there.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-06-04 13:27:34 +01:00
Hanno Becker 7cca3589cb Fix indentation in debug statement in ssl_msg.c
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-06-04 13:27:22 +01:00
Gilles Peskine d6916d74c5
Merge pull request #3121 from gilles-peskine-arm/invasive_testing_strategy-crypto
Invasive testing strategy

Create a new header `common.h`.

Introduce a configuration option `MBEDTLS_TEST_HOOKS` for test-specific code, to be used in accordance with the invasive testing strategy.
2020-06-02 16:55:48 +02:00