Commit graph

7341 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard e05e57619b Remove use of C99 construct
This is an LTS branch: C99 isn't allowed yet, as it breaks versions of MSVC that
we still support for this branch.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-29 10:06:39 +02:00
Manuel Pégourié-Gonnard 2f484bd979 Add missing const for consistency
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:29 +02:00
Manuel Pégourié-Gonnard 2da9a54559 Fix typos in comments
Co-authored-by: Janos Follath <janos.follath@arm.com>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:29 +02:00
Manuel Pégourié-Gonnard 2810110bba Fix typos in comments
Co-authored-by: Janos Follath <janos.follath@arm.com>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:29 +02:00
Manuel Pégourié-Gonnard 2b223fd539 Add comment on memsan + constant-flow testing 2020-07-28 13:03:29 +02:00
Manuel Pégourié-Gonnard 0cd0c731fd Check errors from the MD layer
Could be out-of-memory for some functions, accelerator issues for others.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:28 +02:00
Manuel Pégourié-Gonnard c9ef5a2b76 Remove unnecessary cast
This is C, not C++; casts between void * and other pointer types are free.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:28 +02:00
Manuel Pégourié-Gonnard ec956b1861 Improve some comments and internal documentation
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:28 +02:00
Manuel Pégourié-Gonnard 41df0f2bca Factor repeated condition to its own macro
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:28 +02:00
Manuel Pégourié-Gonnard 4508c67c42 Implement cf_hmac() actually with constant flow
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:28 +02:00
Manuel Pégourié-Gonnard 961b4dd407 Start testing cf_hmac() for constant flow
Currently this breaks all.sh component test_memsan_constant_flow, just as
expected, as the current implementation is not constant flow.

This will be fixed in the next commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:28 +02:00
Manuel Pégourié-Gonnard 40597cef01 Add MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
This option allows testing the constant-flow nature of selected code, using
MemSan and the fundamental observation behind ctgrind: the set of
operations allowed on undefined memory by dynamic analysers is the same as the
set of operations allowed on secret data to avoid leaking it to a local
attacker via side channels, namely any operation except branching and
dereferencing.

(This isn't the full story, as on some CPUs some instructions have variable
execution depending on the inputs, most notably division and on some cores
multiplication. However, testing that no branch or memory access depends on
secret data is already a good start.)

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:28 +02:00
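The MemSan trick described in this commit message (and exercised by the cf_hmac() commits above), as an added example that is not Mbed TLS code: the macro names TEST_CF_SECRET/TEST_CF_PUBLIC, the functions cf_memcmp, vf_memcmp and check_under_memsan, and the 20-byte sample "MAC" are all my own constructions for this illustration. Build with `clang -fsanitize=memory` to see vf_memcmp reported and cf_memcmp pass; under a plain compiler the macros vanish and both compare functions simply run.

```c
#include <string.h>
/* Under clang -fsanitize=memory, buffers marked secret are poisoned as uninitialized,
 * so MemSan flags any branch or address depending on them; otherwise no-ops. */
#if defined(__has_feature)
#if __has_feature(memory_sanitizer)
#include <sanitizer/msan_interface.h>
#define TEST_CF_SECRET(p, n) __msan_allocated_memory((p), (n))
#define TEST_CF_PUBLIC(p, n) __msan_unpoison((p), (n))
#endif
#endif
#ifndef TEST_CF_SECRET
#define TEST_CF_SECRET(p, n) ((void) 0)
#define TEST_CF_PUBLIC(p, n) ((void) 0)
#endif
typedef int (*cmp_fn)(const unsigned char *, const unsigned char *, size_t);

/* Constant flow: secret bytes only feed XOR/OR, never a branch or an
 * address, so MemSan stays silent. Returns 0 iff the buffers are equal. */
int cf_memcmp(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    size_t i;
    for (i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff;
}

/* Early exit: the `if` branches on secret bytes, which MemSan reports as a
 * use of uninitialized value. This is the pattern the test is meant to catch. */
int vf_memcmp(const unsigned char *a, const unsigned char *b, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) if (a[i] != b[i]) return 1;
    return 0;
}

/* Compare a constructed 20-byte sample "MAC" with a copy (one bit flipped if
 * tamper != 0), both marked secret; the result is made public again before return. */
int check_under_memsan(cmp_fn cmp, int tamper)
{
    unsigned char mac[20], recv[20];
    size_t i;
    int r;
    for (i = 0; i < sizeof mac; i++) mac[i] = (unsigned char) (0x5a ^ i);
    memcpy(recv, mac, sizeof mac);
    if (tamper) recv[7] ^= 0x01;
    TEST_CF_SECRET(mac, sizeof mac);
    TEST_CF_SECRET(recv, sizeof recv);
    r = cmp(mac, recv, sizeof mac);
    TEST_CF_PUBLIC(&r, sizeof r);
    return r;
}
```

With clang 16 or newer also pass `-fno-sanitize-memory-param-retval`, otherwise the poisoned return value of cf_memcmp is reported eagerly before the harness can unpoison it. Note that the assertions below pass for vf_memcmp as well when MemSan is absent, which is exactly why the check needs the sanitizer build.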
Manuel Pégourié-Gonnard d11971875a Use existing implementation of cf_hmac()
Just move code from ssl_decrypt_buf() to the new cf_hmac() function and then
call cf_hmac() from there.

This makes the new cf_hmac() function used and validates that its interface
works for using it in ssl_decrypt_buf().

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:28 +02:00
Manuel Pégourié-Gonnard 3ba2bcaf0d Add dummy constant-flow HMAC function with tests
The dummy implementation is not constant-flow at all for now; it's just
here as a starting point and a support for developing the tests and putting
the infrastructure in place.

Depending on the implementation strategy, there might be various corner cases
depending on where the lengths fall relative to block boundaries. So it seems
safer to just test all possible lengths in a given range than to use only a
few randomly-chosen values.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 13:03:27 +02:00
Manuel Pégourié-Gonnard 8ebb88d1e0 Factor repeated preprocessor condition to a macro
The condition is complex and repeated a few times. There were already some
inconsistencies in the repetitions as some of them forgot about DES.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-28 12:58:47 +02:00
Gilles Peskine 22b265b9f2
Merge pull request #3476 from gilles-peskine-arm/rename-check_files-2.7
Backport 2.7: Rename Python scripts to use '_' and not '-'
2020-07-03 15:12:49 +02:00
Gilles Peskine 00de80378c Rename Python scripts to use '_' and not '-'
You can't import a Python script whose name includes '-'.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-07-02 12:09:25 +02:00
Janos Follath 4a4aad8983
Merge pull request #715 from ARMmbed/merge-2.7.16-release-to-mbedtls-2.7
Merge 2.7.16 release to mbedtls 2.7
2020-07-01 14:44:34 +01:00
Janos Follath 6d3913f05c Merge tag 'mbedtls-2.7.16' into merge-2.7.16-release-to-mbedtls-2.7
Mbed TLS 2.7.16
2020-07-01 11:35:10 +01:00
Janos Follath e0f13347fd
Merge pull request #712 from ARMmbed/mbedtls-2.7.16r0-pr
Prepare Release Candidate for Mbed TLS 2.7.16
2020-06-30 12:08:17 +01:00
Manuel Pégourié-Gonnard 631b076d6b
Merge pull request #3462 from gilles-peskine-arm/programs-cmake-cleanup-2.7
Programs cmake cleanup 2.7
2020-06-29 09:58:16 +02:00
Ronald Cron 9b4b023964 programs: ssl: cmake: Add missing executable
Add the missing executable in the list of executables
to install.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-26 18:10:56 +02:00
Ronald Cron d915d00b52 programs: ssl: cmake: Reorder declaration of executables
Reorder declaration of executables in alphabetic order.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-06-26 18:10:50 +02:00
Janos Follath 6d5a109d15 Update ChangeLog header
Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-06-26 12:55:02 +01:00
Janos Follath 2a4f8991b3 Bump version to Mbed TLS 2.7.16
Executed "./scripts/bump_version.sh --version 2.7.16"

Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-06-26 12:37:57 +01:00
Janos Follath 994f7c0343 Assemble ChangeLog
Executed scripts/assemble_changelog.py.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2020-06-26 11:34:34 +01:00
Janos Follath 9cdda866bf Merge branch 'mbedtls-2.7-restricted' into mbedtls-2.7.16r0 2020-06-25 09:20:57 +01:00
Gilles Peskine b1d1097316
Merge pull request #3447 from mpg/use-all-sh-checks-for-pre-push-2.7
[backport 2.7] Use all.sh in pre-push hook
2020-06-23 14:37:24 +02:00
Manuel Pégourié-Gonnard c09bb4c3ab all.sh: clean up some uses of "local" variables
While pure sh doesn't have a concept of local variables, we can partially
emulate them by unsetting variables before we exit the function, and use the
convention of giving them lowercase names to distinguish from global
variables.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-23 11:54:13 +02:00
Manuel Pégourié-Gonnard 4f265fbff7 Use all.sh in pre-push hook
The list in the pre-push hook was redundant with the list of `check_*`
components in all.sh, and unsurprisingly it was outdated.

Missing components were:

- check_recursion
- check_changelog
- check_test_cases
- check_python_files
- check_generate_test_code

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-23 11:54:13 +02:00
Manuel Pégourié-Gonnard 73341a0f84 Add a --quiet option to all.sh
The primary purpose is to use it to run all.sh -k -q in the pre-push hook, but
this can be useful in any circumstance where you're not interested in the full
output from each component and just want a short summary of which components
were run (and if any failed).

Note that only stdout from components is suppressed; stderr is preserved so
that errors are reported. This means components should avoid printing to
stderr in normal usage (i.e. in the absence of errors).

Currently all the `check_*` components obey this convention except:
- check_generate_test_code: unittest prints progress to stderr
- check_test_cases: lots of non-fatal warnings printed to stderr

These components will be fixed in follow-up commits.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-23 11:53:07 +02:00
Manuel Pégourié-Gonnard f2027b5c46
Merge pull request #705 from mpg/l13-hw-starts-finish-2.7-restricted
[backport 2.7] Use starts/finish around Lucky 13 dummy compressions
2020-06-23 10:43:22 +02:00
Janos Follath 3f44eb5ac5
Merge pull request #706 from mpg/ecp-mul-null-rng-2.7-restricted
[Backport 2.7] Use internal RNG in ecp_mul when none was provided
2020-06-22 15:06:44 +01:00
Gilles Peskine eaf31e39c2
Merge pull request #3443 from mpg/make-coverage-script-deterministic-2.7
[Backport 2.7] Make basic-build-test.sh more deterministic
2020-06-22 12:30:54 +02:00
Manuel Pégourié-Gonnard e4a5c05d49 Adjust comments about SEED synchronisation
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-22 10:54:38 +02:00
Manuel Pégourié-Gonnard 54d95b1722 Make basic-build-test.sh deterministic
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-22 10:54:38 +02:00
Manuel Pégourié-Gonnard 96951785fc Test multi-block output of the hash-based KDF
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-22 10:43:23 +02:00
Manuel Pégourié-Gonnard 138109133d Remove SHA-1 as a fallback option
- it's 2020, there shouldn't be too many systems out there where SHA-1 is the
  only available hash option, so its usefulness is limited
- OTOH testing configurations without SHA-2 reveals bugs that are not easy to
  fix in a fully compatible way

So overall, the benefit/cost ratio is not good enough to justify keeping SHA-1
as a fallback option here.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-19 11:00:19 +02:00
Manuel Pégourié-Gonnard 9797288383 Improve comment justifying a hard-coded limitation
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-19 11:00:11 +02:00
Manuel Pégourié-Gonnard 8745986699 Zeroize temporary stack buffer
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-19 10:59:59 +02:00
Manuel Pégourié-Gonnard f1aca9fdba Update dependencies documentation
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-19 10:57:36 +02:00
Manuel Pégourié-Gonnard 601128eb58 Fix potential memory overread in seed functions
The previous commit introduced a potential memory overread by reading
secret_len bytes from secret->p, while there is no guarantee that secret has
enough limbs for that.

Fix that by using an intermediate buffer and mpi_write_binary().

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-19 10:56:55 +02:00
Manuel Pégourié-Gonnard 6d61498e05 Add fall-back to hash-based KDF for internal ECP DRBG
The dependency on a DRBG module was perhaps a bit strict for LTS branches, so
let's have an option that works with no DRBG when at least one SHA module is
present.

This changes the internal API of ecp_drbg_seed() by adding the size of the
MPI as a parameter. Re-computing the size from the number of limbs doesn't
work too well here as we're writing out to a fixed-size buffer and for some
curves (P-521) that would round up too much. Using mbedtls_mpi_get_len() is
not entirely satisfactory either as it would mean using a variable-length
encoding, which could open side channels.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-19 10:56:55 +02:00
Manuel Pégourié-Gonnard 99bf33fa81 Fix typo in a comment
Co-authored-by: Janos Follath <janos.follath@arm.com>
2020-06-19 10:37:38 +02:00
Manuel Pégourié-Gonnard e2828c2d94 Use HMAC_DRBG by default for ECP internal DRBG
It results in smaller code than using CTR_DRBG (64 bytes smaller on ARMv6-M
with arm-none-eabi-gcc 7.3.1), so let's use this by default when both are
available.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-19 10:36:57 +02:00
Manuel Pégourié-Gonnard 22fe5236e9 Skip redundant checks for NULL f_rng
Unless MBEDTLS_ECP_NO_INTERNAL_RNG is defined, it's no longer possible for
f_rng to be NULL at the places that randomize coordinates.

Eliminate the NULL check in this case:
- it makes it clearer to reviewers that randomization always happens (unless
  the user opted out at compile time)
- a NULL check in a place where it's easy to prove the value is never NULL
  might upset or confuse static analyzers (including humans)
- removing the check saves a bit of code size

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-19 10:36:16 +02:00
Manuel Pégourié-Gonnard 6d059bf051 Add Security ChangeLog entry for lack of blinding
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-19 10:32:45 +02:00
Manuel Pégourié-Gonnard 966cb796c4 Update documentation about optional f_rng parameter
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-19 10:32:34 +02:00
Manuel Pégourié-Gonnard 75036a0aff Implement use of internal DRBG for ecp_mul()
The case of MBEDTLS_ECP_RESTARTABLE isn't handled correctly yet: in that case
the DRBG instance should persist when resuming the operation. This will be
addressed in the next commit.

When both CTR_DRBG and HMAC_DRBG are available, CTR_DRBG is preferred since
both are suitable but CTR_DRBG tends to be faster and I needed a tie-breaker.

There are currently three possible cases to test:

- NO_INTERNAL_RNG is set -> tested in test_ecp_no_internal_rng
- it's unset and CTR_DRBG is available -> tested in the default config
- it's unset and CTR_DRBG is disabled -> tested in
  test_ecp_internal_rng_no_ctr_drbg

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-19 10:27:27 +02:00
Manuel Pégourié-Gonnard d90faf92b2 Add config.h option MBEDTLS_ECP_NO_INTERNAL_RNG
No effect so far, except on dependency checking, as the feature it's meant to
disable isn't implemented yet (so the descriptions in config.h and the
ChangeLog entry are anticipation for now).

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-19 10:05:16 +02:00