Commit graph

8949 commits

Author SHA1 Message Date
Gilles Peskine c63676a0bb
Merge pull request #3016 from jack-fortanix/jack/parse-rsa-crt-2.16
Backport 2.16: Parse RSA parameters DP, DQ and QP from PKCS1 private keys
2020-01-31 16:37:41 +01:00
Gilles Peskine 4cc20f6f3d Fix duplicated Bugfix section in the changelog 2020-01-31 12:20:10 +01:00
Gilles Peskine 216c44d6eb Add changelog entry 2020-01-31 12:06:43 +01:00
Manuel Pégourié-Gonnard a7b9007d60
Merge pull request #2972 from mpg/add-zlib-tests-2.16
[2.16] Add zlib tests
2020-01-31 09:22:30 +01:00
Jack Lloyd b10fd065be Parse RSA parameters DP, DQ and QP from PKCS1 private keys
Otherwise these values are recomputed in mbedtls_rsa_deduce_crt, which
currently suffers from side channel issues in the computation of QP
(see https://eprint.iacr.org/2020/055). By loading the pre-computed
values not only is the side channel avoided, but runtime overhead of
loading RSA keys is reduced.

Discussion in https://github.com/ARMmbed/mbed-crypto/issues/347

Backport of https://github.com/ARMmbed/mbed-crypto/pull/352
2020-01-29 13:09:55 -05:00
Janos Follath bac9f1bfb0 Merge pull request #3001 from from gilles-peskine-arm/coverity-20200115-2.16 into mbedtls-2.16 2020-01-29 14:49:23 +00:00
Janos Follath 1f10f2e282
Merge pull request #3014 from mpg/fix-attribution-ecdsa-inc
[2.16] Fix contributor names in ChangeLog
2020-01-29 14:07:17 +00:00
Manuel Pégourié-Gonnard 58c27790de Fix previous ChangeLog merging error 2020-01-29 11:32:09 +01:00
Manuel Pégourié-Gonnard cc41e6cd75 Fix contributor names in ChangeLog 2020-01-29 10:47:34 +01:00
Manuel Pégourié-Gonnard 114d339756 Add detection for zlib headers to all.sh 2020-01-29 09:50:54 +01:00
Jaeden Amero 7550e857bf
Merge pull request #3012 from Patater/dev/jp-bennett/development-2.16
Backport 2.16: Allow loading symlinked certificates
2020-01-28 15:55:54 +00:00
Janos Follath d0c2575324
Merge pull request #2992 from yanesca/bump-version-2.16.4
Bump version to Mbed TLS 2.16.4
2020-01-28 11:32:46 +00:00
Jaeden Amero 68a24eba00 Add ChangeLog entry
Add a ChangeLog entry for Jonathan Bennett's contribution which allows
loading symlinked certificates.
2020-01-28 11:29:16 +00:00
Jonathan Bennett 6f45cb995b Allow loading symlinked certificates
When mbedtls_x509_crt_parse_path() checks each object in the supplied path, it only processes regular files. This change makes it also accept a symlink to a file. Fixes #3005.

This was observed to be a problem on Fedora/CentOS/RHEL systems, where the ca-bundle in the default location is actually a symlink.
2020-01-28 11:28:42 +00:00
Manuel Pégourié-Gonnard b0deeccc58
Merge pull request #3007 from mpg/fix-ecdsa-pointer-inc
[Backport 2.16] Fix incrementing pointer instead of value
2020-01-28 09:26:43 +01:00
Gilles Peskine 75aab5276f Add missing return code check on calls to mbedtls_md() 2020-01-27 15:16:16 +01:00
Gilles Peskine 1a30fbbd3b Check that mbedtls_mpi_grow succeeds 2020-01-27 15:16:16 +01:00
Gilles Peskine 83a5672ae1 Remove redundant block_size validity check
Check the value only once, as soon as we've obtained it.
2020-01-27 15:16:16 +01:00
Manuel Pégourié-Gonnard 42b8194b53 Fix incrementing pointer instead of value
This was introduced by a hasty search-and-replace that didn't account for C's
operator precedence when changing those variables to pointer types.
2020-01-24 12:35:47 +01:00
Gilles Peskine 42e4f6b706 Add changelog entry for the unchecked mbedtls_md call 2020-01-22 19:04:19 +01:00
Gilles Peskine 3a3b161e96 Add missing return code check on call to mbedtls_md() 2020-01-22 18:59:37 +01:00
Janos Follath 32b0216dd7 Bump version to Mbed TLS 2.16.4 2020-01-20 14:32:57 +00:00
Jaeden Amero 39e2c0eeb6 Merge remote-tracking branch 'origin/mbedtls-2.16' into mbedtls-2.16-restricted
* origin/mbedtls-2.16:
  Fix some pylint warnings
  Enable more test cases without MBEDTLS_MEMORY_DEBUG
  More accurate test case description
  Clarify that the "FATAL" message is expected
  Note that mbedtls_ctr_drbg_seed() must not be called twice
  Fix CTR_DRBG benchmark
  Changelog entry for xxx_drbg_set_entropy_len before xxx_drbg_seed
  CTR_DRBG: support set_entropy_len() before seed()
  CTR_DRBG: Don't use functions before they're defined
  HMAC_DRBG: support set_entropy_len() before seed()
2020-01-15 16:59:41 +00:00
Manuel Pégourié-Gonnard 95a17fbe17 Add test for record compression in ssl-opt.sh
Deprecated but still needs to be tested.
2020-01-03 10:03:15 +01:00
Manuel Pégourié-Gonnard 4ef189df49 Add all.sh components with ZLIB enabled
ZLIB support is deprecated, but until it's removed it should still be tested.
2020-01-03 10:03:15 +01:00
Jaeden Amero f02988e577
Merge pull request #2967 from dgreen-arm/backport-2.16-fix-pylint-warnings
Backport 2.16: Fix some pylint warnings
2019-12-20 16:07:01 +00:00
Darryl Green 349a079f2d Fix some pylint warnings
Fix a too-long line to meet PEP8 standards
2019-12-20 13:01:08 +00:00
Jaeden Amero c0546439c4
Merge pull request #2894 from gilles-peskine-arm/drbg-set_entropy_len-2.16
Backport 2.16: Allow xxx_drbg_set_entropy_len before xxx_drbg_seed
2019-11-29 16:17:34 +00:00
Jaeden Amero 1dfc361a50
Merge pull request #672 from gilles-peskine-arm/ctr_drbg-aes_fail-2.16
Backport 2.16: Uncaught AES failure in CTR_DRBG
2019-11-28 15:02:17 +00:00
Gilles Peskine 86dd9501ba Catch AES failure in mbedtls_ctr_drbg_random
The functions mbedtls_ctr_drbg_random() and
mbedtls_ctr_drbg_random_with_add() could return 0 if an AES function
failed. This could only happen with alternative AES
implementations (the built-in implementation of the AES functions
involved never fail), typically due to a failure in a hardware
accelerator.

Bug reported and fix proposed by Johan Uppman Bruce and Christoffer
Lauri, Sectra.
2019-11-28 09:57:44 +01:00
Jaeden Amero 269d414189
Merge pull request #2936 from gilles-peskine-arm/memory_buffer_alloc-fatal-pass-2.16
Backport 2.16: Clarify test descriptions in test_suite_memory_buffer_alloc
2019-11-27 10:37:39 +00:00
Gilles Peskine 554d5d598f Enable more test cases without MBEDTLS_MEMORY_DEBUG
None of the test cases in tests_suite_memory_buffer_alloc actually
need MBEDTLS_MEMORY_DEBUG. Some have additional checks when
MBEDTLS_MEMORY_DEBUG but all are useful even without it. So enable
them all and #ifdef out the parts that require DEBUG.
2019-11-26 18:45:00 +01:00
Gilles Peskine 4a55e7c736 More accurate test case description 2019-11-26 18:44:55 +01:00
Gilles Peskine 19baefa04f Clarify that the "FATAL" message is expected
The test case "Memory buffer small buffer" emits a message
"FATAL: verification of first header failed". In this test case, it's
actually expected, but it looks weird to see this message from a
passing test. Add a comment that states this explicitly, and modify
the test description to indicate that the failure is expected, and
change the test function name to be more accurate.

Fix #309
2019-11-26 18:44:50 +01:00
Jaeden Amero f0486052b7 Merge remote-tracking branch 'restricted/pr/667' into mbedtls-2.16-restricted
* restricted/pr/667: (24 commits)
  Add ChangeLog entry
  mpi_lt_mpi_ct: fix condition handling
  mpi_lt_mpi_ct: Add further tests
  mpi_lt_mpi_ct: Fix test numbering
  mpi_lt_mpi_ct perform tests for both limb size
  ct_lt_mpi_uint: cast the return value explicitely
  mbedtls_mpi_lt_mpi_ct: add tests for 32 bit limbs
  mbedtls_mpi_lt_mpi_ct: simplify condition
  Rename variable for better readability
  mbedtls_mpi_lt_mpi_ct: Improve documentation
  Make mbedtls_mpi_lt_mpi_ct more portable
  Bignum: Document assumptions about the sign field
  Add more tests for mbedtls_mpi_lt_mpi_ct
  mpi_lt_mpi_ct test: hardcode base 16
  Document ct_lt_mpi_uint
  mpi_lt_mpi_ct: make use of unsigned consistent
  ct_lt_mpi_uint: make use of biL
  Change mbedtls_mpi_cmp_mpi_ct to check less than
  mbedtls_mpi_cmp_mpi_ct: remove multiplications
  Remove excess vertical space
  ...
2019-11-12 10:48:21 +00:00
Jaeden Amero baf23000e1 Merge remote-tracking branch 'restricted/pr/669' into mbedtls-2.16-restricted
* restricted/pr/669:
  Zeroize local AES variables before exiting the function
2019-11-12 10:43:57 +00:00
Jaeden Amero 3f1c68a1e2
Merge pull request #665 from ARMmbed/dev/yanesca/iotcrypt-958-ecdsa-side-channel-fix-2.16
Backport 2.16: ECDSA side channel fix
2019-11-12 10:37:22 +00:00
Andrzej Kurek f18de50b49 Zeroize local AES variables before exiting the function
This issue has been reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
Grant Hernandez, and Kevin Butler (University of Florida) and
Dave Tian (Purdue University).

In AES encrypt and decrypt some variables were left on the stack. The value
of these variables can be used to recover the last round key. To follow best
practice and to limit the impact of buffer overread vulnerabilities (like
Heartbleed) we need to zeroize them before exiting the function.
2019-11-12 03:34:03 -05:00
Janos Follath d71f31bfb7 Add ChangeLog entry 2019-11-11 14:15:00 +00:00
Janos Follath e25f1ee44d mpi_lt_mpi_ct: fix condition handling
The code previously only set the done flag if the return value was one.
This led to overriding the correct return value later on.
2019-11-11 12:32:12 +00:00
Janos Follath b159ae8409 mpi_lt_mpi_ct: Add further tests
The existing tests did not catch a failure that came up at integration
testing. Adding the missing test cases to trigger the bug.
2019-11-11 12:32:12 +00:00
Janos Follath b2fddfd3f1 mpi_lt_mpi_ct: Fix test numbering 2019-11-11 12:32:12 +00:00
Janos Follath 14528628c8 mpi_lt_mpi_ct perform tests for both limb size
The corner case tests were designed for 32 and 64 bit limbs
independently and performed only on the target platform. On the other
platform they are not corner cases anymore, but we can still exercise
them.
2019-11-11 12:32:12 +00:00
Janos Follath 359a01e07c ct_lt_mpi_uint: cast the return value explicitely
The return value is always either one or zero and therefore there is no
risk of losing precision. Some compilers can't deduce this and complain.
2019-11-11 12:32:12 +00:00
Janos Follath 798e394943 mbedtls_mpi_lt_mpi_ct: add tests for 32 bit limbs
The corner case tests were designed for 64 bit limbs and failed on 32
bit platforms because the numbers in the test ended up being stored in a
different number of limbs and the function (correctly) returnd an error
upon receiving them.
2019-11-11 12:32:12 +00:00
Janos Follath fbe4c947cd mbedtls_mpi_lt_mpi_ct: simplify condition
In the case of *ret we might need to preserve a 0 value throughout the
loop and therefore we need an extra condition to protect it from being
overwritten.

The value of done is always 1 after *ret has been set and does not need
to be protected from overwriting. Therefore in this case the extra
condition can be removed.
2019-11-11 12:32:12 +00:00
Janos Follath 1f21c1d519 Rename variable for better readability 2019-11-11 12:32:12 +00:00
Janos Follath bd87a59007 mbedtls_mpi_lt_mpi_ct: Improve documentation 2019-11-11 12:32:12 +00:00
Janos Follath 58525180fb Make mbedtls_mpi_lt_mpi_ct more portable
The code relied on the assumptions that CHAR_BIT is 8 and that unsigned
does not have padding bits.

In the Bignum module we already assume that the sign of an MPI is either
-1 or 1. Using this, we eliminate the above mentioned dependency.
2019-11-11 12:32:12 +00:00
Janos Follath aac48d1b3d Bignum: Document assumptions about the sign field 2019-11-11 12:32:12 +00:00