Commit graph

6514 commits

Author SHA1 Message Date
Angus Gratton b91cb6e1e6 TLSv1.2: Treat zero-length fragments as invalid, unless they are application data
TLS v1.2 explicitly disallows other kinds of zero length fragments (earlier standards
don't mention zero-length fragments at all).
2018-07-16 20:12:55 +01:00
Angus Gratton 1ba8e911ec CBC mode: Allow zero-length message fragments (100% padding)
Fixes https://github.com/ARMmbed/mbedtls/issues/1632
2018-07-16 20:12:47 +01:00
k-stachowiak 55bea65ca9 Update change log 2018-07-16 12:30:48 +02:00
k-stachowiak 6978949cd0 Prevent buffer overread by one byte 2018-07-16 12:30:39 +02:00
Manuel Pégourié-Gonnard aba8c5bb3d Clarify attack conditions in the ChangeLog.
Referring to the previous entry could imply that the current one was limited
to SHA-384 too, which it isn't.
2018-07-12 10:18:37 +02:00
Manuel Pégourié-Gonnard 7c34432b2d Avoid debug message that might leak length
The length to the debug message could conceivably leak through the time it
takes to print it, and that length would in turn reveal whether padding was
correct or not.
2018-07-12 10:18:37 +02:00
Manuel Pégourié-Gonnard aeeaaf271c Add counter-measure to cache-based Lucky 13
The basis for the Lucky 13 family of attacks is for an attacker to be able to
distinguish between (long) valid TLS-CBC padding and invalid TLS-CBC padding.
Since our code sets padlen = 0 for invalid padding, the length of the input to
the HMAC function, and the location where we read the MAC, give information
about that.

A local attacker could gain information about that by observing via a
cache attack whether the bytes at the end of the record (at the location of
would-be padding) have been read during MAC verification (computation +
comparison).

Let's make sure they're always read.
2018-07-12 10:18:37 +02:00
Manuel Pégourié-Gonnard 5fcfd0345d Fix Lucky 13 cache attack on MD/SHA padding
The basis for the Lucky 13 family of attacks is for an attacker to be able to
distinguish between (long) valid TLS-CBC padding and invalid TLS-CBC padding.
Since our code sets padlen = 0 for invalid padding, the length of the input to
the HMAC function gives information about that.

Information about this length (modulo the MD/SHA block size) can be deduced
from how much MD/SHA padding (this is distinct from TLS-CBC padding) is used.
If MD/SHA padding is read from a (static) buffer, a local attacker could get
information about how much is used via a cache attack targeting that buffer.

Let's get rid of this buffer. Now the only buffer used is the internal MD/SHA
one, which is always read fully by the process() function.
2018-07-12 10:18:37 +02:00
Simon Butcher d064b5c87b Disable use of the i386 assembly for option -O0
We don't compile in the assembly code if compiler optimisations are disabled as
the number of registers used in the assembly code doesn't work with the -O0
option. Also anyone select -O0 probably doesn't want to compile in the assembly
code anyway.
2018-07-10 23:20:01 +01:00
Andres Amaya Garcia 808a09ca85 Remove redundant ret = 1 in dh_client.c 2018-07-10 17:34:25 +01:00
Andres Amaya Garcia cfb61b33cf Add missing platform macro defines in cert_app.c 2018-07-10 17:34:25 +01:00
Andres Amaya Garcia 9f92a805e9 Add missing platform macro defines in pk_decrypt.c 2018-07-10 17:34:25 +01:00
Andres Amaya Garcia 2b0599bc91 Fix typo in platform macro defines for examples 2018-07-10 17:34:25 +01:00
Andres Amaya Garcia 0dcc6a9f7d Fix ret code in gen_random_havege.c 2018-07-10 17:34:25 +01:00
Andres Amaya Garcia 053e1cd7ab Fix ret code in rsa_encrypt.c 2018-07-10 17:34:25 +01:00
Andres Amaya Garcia 156099b76f Fix ret code in rsa_decrypt.c 2018-07-10 17:34:25 +01:00
Andres Amaya Garcia 8ec767c042 Fix ret code in cert_app.c 2018-07-10 17:34:25 +01:00
Andres Amaya Garcia 77d2de223c Fix ret code in generic_sum.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia 2702000d2c Fix ret code in pk_verify.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia a5236b1dd3 Fix ret code in pk_sign.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia a0ea01d273 Fix ret code in pk_encrypt.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia 141b4f4526 Fix ret code in pk_encrypt.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia 81982c84d4 Fix ret code in ecdh_curve25519.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia c899c464f6 Fix ret code in mpi_demo.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia 6118adab09 Fix ret code in pem2der.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia 73081c3e2f Fix ret code in ssl_cert_test.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia 01e3d21350 Fix ret code in udp_proxy.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia 12ab7a6884 Fix ret code in req_app.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia 8fe4d917f7 Fix ret code in crl_app.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia a7ac5ab2ee Fix ret code in cert_write.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia 7bd88dc44c Fix ret code in cert_req.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia ea14fe76d5 Fix ret code in ssl_mail_client.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia e4f79e1902 Fix ret code in ssl_fork_server.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia bc1af79add Fix ret code in ssl_client1.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia ac0e3e7b11 Fix ret code in gen_random_ctr_drbg.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia 43e65fbbca Fix ret code in gen_entropy.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia 1b04390e4f Fix ret code in rsa_verify_pss.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia 1e36af911b Fix ret code in rsa_verify.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia 0b20b4e4cd Fix ret code in rsa_sign_pss.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia 39e1964960 Fix ret code in rsa_sign.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia a8a96ae42f Fix ret code in rsa_genkey.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia aa3291e1fb Fix ret code in key_app_writer.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia f57bccf839 Fix ret code in key_app.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia 7c55e79f54 Fix ret code in gen_key.c 2018-07-10 17:34:24 +01:00
Andres Amaya Garcia 47c041190c Fix ret code in ecdsa.c 2018-07-10 17:34:23 +01:00
Andres Amaya Garcia 114ba1955e Fix ret code in dh_server.c 2018-07-10 17:34:23 +01:00
Andres Amaya Garcia 74c51e6e64 Fix ret code in dh_genprime.c 2018-07-10 17:34:23 +01:00
Andres Amaya Garcia f842345ac3 Fix ret code in dh_client.c 2018-07-10 17:34:23 +01:00
Andres Amaya Garcia 990900ff40 Fix ret code in crypt_and_hash.c 2018-07-10 17:34:23 +01:00
Andres Amaya Garcia 15cbf61805 Fix ret code in aescrypt2.c 2018-07-10 17:34:23 +01:00