Commit graph

6711 commits

Author SHA1 Message Date
Andres Amaya Garcia
1962405be1 Justify moving zeroize() to utils in ChangeLog 2018-04-17 09:21:49 -05:00
Andres Amaya Garcia
806f403a02 Improve detection of program exit code in gdb script 2018-04-17 09:19:05 -05:00
Andres Amaya Garcia
6e34e63eb3 Fix style in programs/test/zeroize.c 2018-04-17 09:19:05 -05:00
Andres Amaya Garcia
7111a0d13b Change test_zeroize.gdb script breakpoint due to zeroize.c change 2018-04-17 09:19:05 -05:00
Andres Amaya Garcia
88f8f41e5a Move zeroize func call to end of program in zeroize.c 2018-04-17 09:19:05 -05:00
Andres Amaya Garcia
0bd4237c2a Fix formatting in utils.c file comment 2018-04-17 09:19:05 -05:00
Andres Amaya Garcia
ecd1891c51 Change mbedtls_zeroize() to prevent optimizations
Change mbedtls_zeroize() implementation to use memset() instead of a
custom implementation for performance reasons. Furthermore, we would
also like to prevent as much as we can compiler optimisations that
remove zeroization code.

The implementation of mbedtls_zeroize() now uses a volatile function
pointer to memset() as suggested by Colin Percival at:

http://www.daemonology.net/blog/2014-09-04-how-to-zero-a-buffer.html
2018-04-17 09:19:05 -05:00
Andres Amaya Garcia
2967381ccd Extend zeroize tests to multiple optimizations
Extend the all.sh test to cover multiple compiler optimization levels.
At the momment, the test is run using gcc and clang.
2018-04-17 09:19:05 -05:00
Andres Amaya Garcia
24768bfa37 Improve test_zeroize.gdb breakpoint
Improve the position of the breakpoint to be set at a line of code that
is less likely to be optimised out by the compiler. Setting the breakpoint
at a place that can be easily optimised out by the compiler will cause the
gdb script to fail as it cannot match the source code line to the
compiled code. For this reason the breakpoint is now set at the fclose()
call which is very unlikely to be optimised out or there might be a
resource leak.
2018-04-17 09:19:05 -05:00
Andres Amaya Garcia
b1262a3bdb Allow compile-time alternate to mbedtls_zeroize()
Add a new macro MBEDTLS_UTILS_ZEROIZE that allows users to configure
mbedtls_zeroize() to an alternative definition when defined. If the
macro is not defined, then mbed TLS will use the default definition of
the function.
2018-04-17 09:19:05 -05:00
Andres Amaya Garcia
e32df087fb Remove individual copies of mbedtls_zeroize()
This commit removes all the static occurrencies of the function
mbedtls_zeroize() in each of the individual .c modules. Instead the
function has been moved to utils.h that is included in each of the
modules.
2018-04-17 09:19:05 -05:00
Andres Amaya Garcia
d0d7bf614e Add gdb zeroize test when compiling with clang 2018-04-17 09:17:38 -05:00
Andres Amaya Garcia
f2d17929c0 Document test_zeroize.gdb script 2018-04-17 09:17:38 -05:00
Andres Amaya Garcia
c6b0abd5a6 Fix alignment of Makefiles 2018-04-17 09:17:38 -05:00
Andres Amaya Garcia
9a65b1de2a Add utils.h ChangeLog entry 2018-04-17 09:17:38 -05:00
Andres Amaya Garcia
ddebc49f28 Add gdb script to test mbedtls_zeroize()
The gdb script loads the programs/test/zeroize program and feeds it as
imput its own source code. Then sets a breakpoint just before the last
program's return code and checks that every element in memory was
zeroized. Otherwise it signals a failure and terminates.

The test was added to all.sh.
2018-04-17 09:17:38 -05:00
Andres Amaya Garcia
5ab74a1401 Add programs/test/zeroize.c to test mbedtls_zeroize
The idea is to use the simple program that is expected to be modified
rarely to set a breakpoint in a specific line and check that the
function mbedtls_zeroize() does actually set the buffer to 0 and is not
optimised out by the compiler.
2018-04-17 09:17:38 -05:00
Andres Amaya Garcia
614d9c0667 Add a utils.h file that contains common functions
The new header contains common information across various mbed TLS
modules and avoids code duplication. To start, utils.h currently only
contains the mbedtls_zeroize() function.
2018-04-17 09:17:38 -05:00
Rose Zadik
21e2926736
Update rsa.h
minor change to the file's brief desc.
2018-04-17 14:08:56 +01:00
Rose Zadik
f763f2bbc1
Update dhm.h
Minor documentation improvements:
*Standardized file brief description.
*Separated return statements.
*Reordered tags within documentation blocks so that params and returns are last in block.
*p_rng descriptions changed from "parameter" to "context".
*Suggest to specify issue for each return code, where multiple failure return codes are listed, or generalize.
*Minor improvements to parameter documentation proposed by eng.
2018-04-17 11:00:40 +01:00
Rose Zadik
d3c9bfcbeb
Update ecp.h
Reviewed and standardized
2018-04-17 10:56:55 +01:00
Rose Zadik
ef87179842
Update ccm.h
updated failure returns to "A CCM or cipher-specific error code on failure."
2018-04-17 10:41:48 +01:00
Rose Zadik
6ee22a7d52
Update sha256.h
Minor fix based on review comments
2018-04-17 10:38:39 +01:00
Rose Zadik
92d66b88ae
Update sha1.h
Changes based on review comments
2018-04-17 10:36:56 +01:00
Rose Zadik
f2ec288bf8
Update rsa.h
Changes based on review comments.
2018-04-17 10:27:25 +01:00
Rose Zadik
f3e4736131
Update md.h
Changes based on review comments
2018-04-16 16:31:16 +01:00
Rose Zadik
6a7ebc4c86
Update gcm.h
minor fix based on review comments
2018-04-16 16:11:49 +01:00
Rose Zadik
14d0d57c51
Update ecdsa.h
Minor changes based on review comments
2018-04-16 16:09:30 +01:00
Rose Zadik
7375b0f6c1
Update ecdh.h
Changs based on review comments
2018-04-16 16:04:57 +01:00
Ron Eldor
05d0e51bb1 Minor modifications for alt support in des and ecp
1. Add 3des context to be allowed for alternative defintion
2. Move some ecp structs, to disallow alternative definition of them,
as other modules rely on them
2018-04-16 17:40:04 +03:00
Rose Zadik
9464d7b6e3
Update platform.h
Implemented changes based on review comments
2018-04-16 15:28:35 +01:00
Rose Zadik
f25eb6eef6
Update ctr_drbg.h
minor changes based on comments
2018-04-16 14:51:52 +01:00
Darryl Green
418527b041 Fix minor issues with command line options 2018-04-16 12:02:29 +01:00
Andrzej Kurek
a282270a10 Add explicit checks for non-zero result of platform setup in test suites 2018-04-16 06:33:28 -04:00
Rose Zadik
c138bb7b05
Update cmac.h
minor changes based on comments
2018-04-16 11:11:25 +01:00
Rose Zadik
b5607bf61d
Update cipher.h
minor changes based on comments
2018-04-16 10:34:51 +01:00
Rose Zadik
bd9571a01e
Update ccm.h
minor changes based on comments
2018-04-16 09:45:12 +01:00
Rose Zadik
819d13dfff
Update aes.h
fixed missing multiple returns on mbedtls_aes_setkey_enc
2018-04-16 09:35:15 +01:00
Andrzej Kurek
32a675f032 Add conditional platform context creation & usage
Add another layer of abstraction before calling platform setup and teardown.
2018-04-13 06:16:04 -04:00
Andrzej Kurek
aca09c7026 Changelog entry
Describing platform teardown and setup calls in test suites
2018-04-13 05:18:08 -04:00
Andrzej Kurek
1152fa83f9 Add platform setup and teardown calls to test suites
Add a global platform context variable available for tests
2018-04-13 05:15:17 -04:00
Jethro Beekman
cb122373f0 Update ChangeLog for #1380 2018-04-11 08:40:38 -07:00
Jethro Beekman
c645bfe176 Generate RSA keys according to FIPS 186-4
The specification requires that P and Q are not too close. The specification
also requires that you generate a P and stick with it, generating new Qs until
you have found a pair that works. In practice, it turns out that sometimes a
particular P results in it being very unlikely a Q can be found matching all
the constraints. So we keep the original behavior where a new P and Q are
generated every round.
2018-04-11 08:38:37 -07:00
Jethro Beekman
666892792d Generate primes according to FIPS 186-4
The specification requires that numbers are the raw entropy (except for odd/
even) and at least 2^(nbits-0.5). If not, new random bits need to be used for
the next number. Similarly, if the number is not prime new random bits need to
be used.
2018-04-11 08:38:37 -07:00
Jethro Beekman
97f95c9ef3 Avoid small private exponents during RSA key generation
Attacks against RSA exist for small D. [Wiener] established this for
D < N^0.25. [Boneh] suggests the bound should be N^0.5.

Multiple possible values of D might exist for the same set of E, P, Q. The
attack works when there exists any possible D that is small. To make sure that
the generated key is not susceptible to attack, we need to make sure we have
found the smallest possible D, and then check that D is big enough. The
Carmichael function λ of p*q is lcm(p-1, q-1), so we can apply Carmichael's
theorem to show that D = d mod λ(n) is the smallest.

[Wiener] Michael J. Wiener, "Cryptanalysis of Short RSA Secret Exponents"
[Boneh] Dan Boneh and Glenn Durfee, "Cryptanalysis of RSA with Private Key d Less than N^0.292"
2018-04-11 08:38:37 -07:00
Manuel Pégourié-Gonnard
4ca9a45756 Merge remote-tracking branch 'public/pr/1560' into development-proposed
* public/pr/1560:
  Warn if using a memory sanitizer on AESNI
2018-04-11 13:06:30 +02:00
Manuel Pégourié-Gonnard
e72d3225a7 Merge remote-tracking branch 'public/pr/1559' into development-proposed
* public/pr/1559:
  Make the memset call prior to FD_ZERO conditional to needing it
2018-04-11 13:05:31 +02:00
Ron Eldor
bf027e736a Minor modifications after PR review
1. Move ChangLog entry to correct location
2. Move point formats outside the ECP_ALT check, as it's part of the RFC
2018-04-09 15:51:19 +03:00
Darryl Green
7869680e41 Updated abi_check.py docstrings 2018-04-06 11:23:22 +01:00
Gilles Peskine
5053efde33 Warn if using a memory sanitizer on AESNI
Clang-Msan is known to report spurious errors when MBEDTLS_AESNI_C is
enabled, due to the use of assembly code. The error reports don't
mention AES, so they can be difficult to trace back to the use of
AES-NI. Warn about this potential problem at compile time.
2018-04-05 15:37:38 +02:00