Commit graph

1979 commits

Author SHA1 Message Date
Janos Follath 0f22670243 Bump version to Mbed TLS 2.7.14 2020-02-19 12:08:10 +00:00
Janos Follath ee88f8145d Bump version to Mbed TLS 2.7.13 2020-01-20 14:28:41 +00:00
Jaeden Amero d8180f8d84 Merge remote-tracking branch 'origin/mbedtls-2.7' into mbedtls-2.7-restricted
* origin/mbedtls-2.7:
  Enable more test cases without MBEDTLS_MEMORY_DEBUG
  More accurate test case description
  Clarify that the "FATAL" message is expected
  Note that mbedtls_ctr_drbg_seed() must not be called twice
  Fix CTR_DRBG benchmark
  Changelog entry for xxx_drbg_set_entropy_len before xxx_drbg_seed
  CTR_DRBG: support set_entropy_len() before seed()
  CTR_DRBG: Don't use functions before they're defined
  HMAC_DRBG: support set_entropy_len() before seed()
2020-01-15 16:59:10 +00:00
Janos Follath 9741fa6e2b Bignum: Document assumptions about the sign field 2019-11-11 12:27:36 +00:00
Janos Follath c3b376e2f2 Change mbedtls_mpi_cmp_mpi_ct to check less than
The signature of mbedtls_mpi_cmp_mpi_ct() meant to support using it in
place of mbedtls_mpi_cmp_mpi(). This meant full comparison functionality
and a signed result.

To make the function more universal and friendly to constant time
coding, we change the result type to unsigned. Theoretically, we could
encode the comparison result in an unsigned value, but it would be less
intuitive.

Therefore we won't be able to represent the result as unsigned anymore
and the functionality will be constrained to checking if the first
operand is less than the second. This is sufficient to support the
current use case and to check any relationship between MPIs.

The only drawback is that we need to call the function twice when
checking for equality, but this can be optimised later if an when it is
needed.
2019-11-11 12:27:36 +00:00
Janos Follath e0187b95f0 Add new, constant time mpi comparison 2019-11-11 12:27:27 +00:00
Gilles Peskine 4c575c0270 Note that mbedtls_ctr_drbg_seed() must not be called twice
You can't reuse a CTR_DRBG context without free()ing it and
re-init()ing it. This generally happened to work, but was never
guaranteed. It could have failed with alternative implementations of
the AES module because mbedtls_ctr_drbg_seed() calls
mbedtls_aes_init() on a context which is already initialized if
mbedtls_ctr_drbg_seed() hasn't been called before, plausibly causing a
memory leak.

Calling free() and seed() with no intervening init fails when
MBEDTLS_THREADING_C is enabled and all-bits-zero is not a valid mutex
representation.
2019-10-28 21:15:21 +01:00
Gilles Peskine b729e1b9ba CTR_DRBG: support set_entropy_len() before seed()
mbedtls_ctr_drbg_seed() always set the entropy length to the default,
so a call to mbedtls_ctr_drbg_set_entropy_len() before seed() had no
effect. Change this to the more intuitive behavior that
set_entropy_len() sets the entropy length and seed() respects that and
only uses the default entropy length if there was no call to
set_entropy_len().

The former test-only function mbedtls_ctr_drbg_seed_entropy_len() is
no longer used, but keep it for strict ABI compatibility.
2019-10-23 18:01:25 +02:00
Gilles Peskine 9c742249cf HMAC_DRBG: support set_entropy_len() before seed()
mbedtls_hmac_drbg_seed() always set the entropy length to the default,
so a call to mbedtls_hmac_drbg_set_entropy_len() before seed() had no
effect. Change this to the more intuitive behavior that
set_entropy_len() sets the entropy length and seed() respects that and
only uses the default entropy length if there was no call to
set_entropy_len().
2019-10-23 18:01:25 +02:00
Gilles Peskine 55e120b9b2 mbedtls_hmac_drbg_set_entropy_len() only matters when reseeding
The documentation of HMAC_DRBG erroneously claimed that
mbedtls_hmac_drbg_set_entropy_len() had an impact on the initial
seeding. This is in fact not the case: mbedtls_hmac_drbg_seed() forces
the entropy length to its chosen value. Fix the documentation.
2019-10-04 18:30:56 +02:00
Gilles Peskine dff3682477 mbedtls_ctr_drbg_set_entropy_len() only matters when reseeding
The documentation of CTR_DRBG erroneously claimed that
mbedtls_ctr_drbg_set_entropy_len() had an impact on the initial
seeding. This is in fact not the case: mbedtls_ctr_drbg_seed() forces
the initial seeding to grab MBEDTLS_CTR_DRBG_ENTROPY_LEN bytes of
entropy. Fix the documentation and rewrite the discussion of the
entropy length and the security strength accordingly.
2019-10-04 18:30:56 +02:00
Gilles Peskine 2abefefec2 mbedtls_ctr_drbg_seed: correct maximum for len 2019-10-04 18:27:28 +02:00
Gilles Peskine 406d25878c Add a note about CTR_DRBG security strength to config.h 2019-10-03 15:03:11 +02:00
Gilles Peskine f0b3dcb14b CTR_DRBG: more consistent formatting and wording
In particular, don't use #MBEDTLS_xxx on macros that are undefined in
some configurations, since this would be typeset with a literal '#'.
2019-10-03 15:03:08 +02:00
Gilles Peskine b9cfe58180 DRBG documentation: Relate f_entropy arguments to the entropy module 2019-10-02 19:00:57 +02:00
Gilles Peskine d89173066c HMAC_DRBG documentation improvements
* State explicit whether several numbers are in bits or bytes.
* Clarify whether buffer pointer parameters can be NULL.
* Minor wording and formatting improvements.
2019-10-02 19:00:06 +02:00
Gilles Peskine eb99c1028f CTR_DRBG: explain the security strength and the entropy input length
Explain what how entropy input length is determined from the
configuration, and how this in turn determines the security strength.
Explain how the nonce is obtained during initialization.
2019-10-02 18:56:17 +02:00
Gilles Peskine 25e1945321 CTR_DRBG documentation improvements
* State explicit whether several numbers are in bits or bytes.
* Clarify whether buffer pointer parameters can be NULL.
* Clarify some terminology.
* Minor wording and formatting improvements.
2019-10-02 18:54:20 +02:00
Hanno Becker 8561115cb8 Add cfg dep MBEDTLS_MEMORY_DEBUG->MBEDTLS_MEMORY_BUFFER_ALLOC_C 2019-09-09 07:20:04 -04:00
Hanno Becker 76ef31116b Check dependencies of MBEDTLS_MEMORY_BACKTRACE in check_config.h 2019-09-09 06:34:06 -04:00
Jaeden Amero d7bd10dc89 Bump version to Mbed TLS 2.7.12 2019-09-06 13:28:28 +01:00
Gilles Peskine 298a43a77e Merge remote-tracking branch 'upstream-restricted/pr/549' into mbedtls-2.7-restricted 2019-08-14 16:24:51 +02:00
Jaeden Amero 1e61b0fb3f Merge remote-tracking branch 'restricted/pr/581' into mbedtls-2.7-restricted
* restricted/pr/581:
  Remove unnecessary empty line
  Add a test for signing content with a long ECDSA key
  Add documentation notes about the required size of the signature buffers
  Add missing MBEDTLS_ECP_C dependencies in check_config.h
  Change size of preallocated buffer for pk_sign() calls
2019-06-24 11:40:49 +01:00
Jaeden Amero 0cf1776a2d Merge remote-tracking branch 'origin/pr/2451' into mbedtls-2.7
* origin/pr/2451:
  Fix #2370, minor typos and spelling mistakes
2019-06-21 15:55:21 +01:00
Jaeden Amero 6794f68d29 Update library version to 2.7.11 2019-06-11 17:31:57 +01:00
Jaeden Amero c06b6e0bd2 Merge remote-tracking branch 'origin/pr/2658' into mbedtls-2.7
* origin/pr/2658:
  Create link to include/mbedtls only when testing is enabled
2019-06-06 14:18:43 +01:00
k-stachowiak eee98e9d82 Add documentation notes about the required size of the signature buffers 2019-06-06 13:07:19 +02:00
k-stachowiak 199707fcff Add missing MBEDTLS_ECP_C dependencies in check_config.h 2019-06-06 13:06:57 +02:00
Renz Christian Bagaporo dd84440366 Create link to include/mbedtls only when testing is enabled 2019-05-27 16:33:38 +08:00
Jaeden Amero b8ae1451e2 Merge remote-tracking branch 'origin/pr/2612' into mbedtls-2.7
* origin/pr/2612:
  Adjust backport's documentation to account for missing features
  Backport a doxygen note from development for `mbedtls_ssl_conf_max_frag_len()`
  Update change log
  Reword ssl_conf_max_frag_len documentation for clarity
2019-05-23 15:13:46 +01:00
k-stachowiak 8aed8e1612 Adjust backport's documentation to account for missing features 2019-05-10 15:09:21 +02:00
k-stachowiak 2dd69e1c05 Backport a doxygen note from development for mbedtls_ssl_conf_max_frag_len() 2019-04-30 12:32:11 +02:00
k-stachowiak 79ad28661e Reword ssl_conf_max_frag_len documentation for clarity 2019-04-29 12:33:43 +02:00
Jaeden Amero 2b56a2c945 Merge remote-tracking branch 'origin/pr/2094' into mbedtls-2.7
* origin/pr/2094:
  Adapt ChangeLog
  Add parentheses about parameter of MBEDTLS_X509_ID_FLAG
2019-04-24 11:18:03 +01:00
Jaeden Amero b4686b4f32 Update library version to 2.7.10 2019-03-19 16:18:43 +00:00
Simon Butcher fb85576f05 Merge remote-tracking branch 'restricted/pr/529' into mbedtls-2.7
* restricted/pr/529:
  Fix order of sections in the ChangeLog
  Fix failure in SSLv3 per-version suites test
  Adjust DES exclude lists in test scripts
  Clarify 3DES changes in ChangeLog
  Fix documentation for 3DES removal
  Exclude 3DES tests in test scripts
  Fix wording of ChangeLog and 3DES_REMOVE docs
  Reduce priority of 3DES ciphersuites
2019-03-03 10:08:12 +00:00
Antonin Décimo 8fd9156a4a Fix #2370, minor typos and spelling mistakes 2019-02-18 15:57:54 +00:00
Andres Amaya Garcia b7c22ecc74 Fix documentation for 3DES removal 2019-02-13 10:00:02 +00:00
Andres Amaya Garcia f9b2ed062f Fix wording of ChangeLog and 3DES_REMOVE docs 2019-02-13 09:53:59 +00:00
Andres Amaya Garcia 21ade06ef8 Reduce priority of 3DES ciphersuites 2019-02-13 09:52:46 +00:00
Andres Amaya Garcia e730ff68ee Improve docs for ASN.1 bitstrings and their usage 2019-02-11 21:10:55 +00:00
Andres Amaya Garcia 04ee5e0bbd Fix ASN1 bitstring writing
Refactor the function mbedtls_asn1_write_bitstring() that removes
trailing 0s at the end of DER encoded bitstrings. The function is
implemented according to Hanno Becker's suggestions.

This commit also changes the functions x509write_crt_set_ns_cert_type
and crt_set_key_usage to call the new function as the use named
bitstrings instead of the regular bitstrings.
2019-02-11 21:10:48 +00:00
Jaeden Amero 18fe25614a Merge remote-tracking branch 'origin/pr/2359' into mbedtls-2.7 2019-01-30 14:47:22 +00:00
Simon Butcher 32331305dd Merge remote-tracking branch 'public/pr/1797' into mbedtls-2.7 2019-01-23 10:56:40 +01:00
Janos Follath ba66faf167 Add warning for alternative ECDSA implementations
Alternative implementations are often hardware accelerators and might
not need an RNG for blinding. But if they do, then we make them misuse
the RNG in the deterministic case.

There are several way around this:
- Exposing a lower level function for replacement. This would be the
optimal solution, but litters the API and is not backward compatible.
- Introducing a new compile time option for replacing the deterministic
function. This would mostly cover the same code as
MBEDTLS_ECDSA_DETERMINISTIC and would be yet another compile time flag.
- Reusing the existing MBEDTLS_ECDSA_DETERMINISTIC macro. This changes
the algorithm used by the PK layer from deterministic to randomised if
the alternative implementation is present.

This commit implements the third option. This is a temporary solution
and should be fixed at the next device driver API change.
2019-01-16 16:01:56 +00:00
Janos Follath 2934c32da2 Add a safer deterministic ECDSA function
`mbedtls_ecdsa_sign_det` reuses the internal HMAC-DRBG instance to
implement blinding. The advantage of this is that the algorithm is
deterministic too, not just the resulting signature. The drawback is
that the blinding is always the same for the same key and message.
This diminishes the efficiency of blinding and leaks information about
the private key.

A function that takes external randomness fixes this weakness.
2019-01-16 16:00:27 +00:00
Manuel Pégourié-Gonnard c80555d835 Add public function generating private keys
We need to separate the uses of the RNG for blinding and for key
generation for the sake of an upcoming security fix in deterministic
ECDSA.
2019-01-16 15:47:26 +00:00
Jeffrey Martin 44fbf91f01
Backport #1949 into mbedtls-2.7
Signed-off-by: Jeffrey Martin <Jeffrey_Martin@rapid7.com>
2019-01-14 18:13:06 -06:00
Simon Butcher b22a808cc6 Update the version of the library to 2.7.9 2018-12-21 10:52:37 +00:00
Simon Butcher 3112d10abd Merge remote-tracking branch 'public/pr/2144' into mbedtls-2.7 2018-12-20 01:17:45 +00:00