Commit graph

18318 commits

Author SHA1 Message Date
Hanno Becker
885ed403c9 Introduce wrapper for modular squaring
This paves the way for dedicated squaring implementations.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2022-01-04 06:43:50 +00:00
Hanno Becker
b8442cd9c6 Remove another local MPI from ecp_normalize_jac_many()
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2022-01-04 06:32:42 +00:00
Hanno Becker
02a999b91a Remove local MPI from ecp_normalize_jac_many()
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2022-01-04 06:32:42 +00:00
Hanno Becker
838b715fcc Add comment on input/output aliasing in ecp_add_mixed()
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2022-01-04 06:32:42 +00:00
Hanno Becker
ce29ae84dd Introduce macro wrappers for ECC modular arithmetic
This improves readibility and prepares for further changes
like the introduction of a single double-width temporary for
ECP arithmetic.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2022-01-04 06:32:39 +00:00
Hanno Becker
76f897d699 Reduce number of temporary MPIs in ECP normalization
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2022-01-02 12:47:34 +00:00
Hanno Becker
02b35bd00a Introduce wrapper for modular multiplication with single-width const
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2022-01-01 06:54:25 +00:00
Hanno Becker
5c8ea307b8 Reduce number of local MPIs in ECP mixed point addition
`ecp_add_mixed()` and `ecp_double_jac()` are the core subroutines
for elliptic curve arithmetic, and as such crucial for the performance
of ECP primitives like ECDHE and ECDSA.

This commit provides a very slight simplification and performance and
memory usage improvement to `ecp_add_mixed()` by removing the use of
three temporary MPIs used for coordinate calculations.

Where those variables were used, the code now writes directly to the
coordinate MPIs of the target elliptic curve point.

This is a valid change even if there is aliasing between input and
output, since at the time any of the coordinate MPIs in question is
written, the corresponding coordinates of both inputs are no longer
read.

(The analogous change in `ecp_double_jac()` can not be made since
this property does not hold for `ecp_double_jac()`.)

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2022-01-01 06:16:16 +00:00
Gilles Peskine
acc74b8413
Merge pull request #5348 from davidhorstmann-arm/fix-ssl-debug-header-typo
Fix typo in python script method name
2021-12-20 22:07:08 +01:00
Dave Rodgman
bff88ab086
Merge pull request #874 from ARMmbed/mbedtls-3.1.0_merge_into_release
Mbedtls 3.1.0 merge into release
2021-12-17 11:22:31 +00:00
Dave Rodgman
77d778eee2
Merge branch 'development' into mbedtls-3.1.0_merge_into_release 2021-12-17 10:01:53 +00:00
Dave Rodgman
b8c3301b80 Revert "Add generated files"
This reverts commit 4e62cbc322.
2021-12-17 09:44:04 +00:00
David Horstmann
3be1271e35 Fix typo in python script method name
Change 'tranlation' -> 'translation' in the name of a
method in `scripts/generate_ssl_debug_headers.py`.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2021-12-16 11:01:43 +00:00
Gilles Peskine
ba57427bbf
Merge pull request #5283 from adeaarm/development
Make CMakeLists.txt discover if mbed TLS is being built as subproject
2021-12-16 11:58:24 +01:00
Gilles Peskine
cb4dc37a2a
Merge pull request #5340 from gilles-peskine-arm/ssl_debug_helpers_generated.h-commit-header
Commit ssl_debug_helpers.h
2021-12-16 11:57:07 +01:00
Gilles Peskine
863b96a21b Add copyright notice to ssl_debug_helpers*
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-16 10:04:58 +01:00
Dave Rodgman
d65aeb3734
Merge pull request #871 from ronald-cron-arm/mbedtls-3.1.0rc0-pr
Mbedtls 3.1.0rc0 pr
2021-12-15 13:48:01 +00:00
Gilles Peskine
1a1e78fa55 Remove comments indicating that the file was automatically generated
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-15 12:58:22 +01:00
Gilles Peskine
923d5c9e3c Rename ssl_debug_helpers.h
It's no longer generated, so rename it accordingly.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-15 12:56:54 +01:00
Gilles Peskine
ccbc318fc5 Remove generation of ssl_debug_helpers_generated.h
It's now under version control and meant to be updated manually.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-15 12:55:37 +01:00
Gilles Peskine
09f1ee68b6 Commit header file
Having an automatically generated header file makes it harder to have
working build scripts. The content of ssl_debug_helpers_generated.h isn't
likely to change often, so we can update it manually.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-15 12:55:33 +01:00
Ronald Cron
4e62cbc322 Add generated files
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-15 09:02:53 +01:00
Ronald Cron
17b1e2f6c3 Bump version to 3.1.0
Executed ./scripts/bump_version.sh --version 3.1.0 --so-crypto 11 --so-tls 17
+ fix of build_info.h

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-15 09:02:53 +01:00
Ronald Cron
1ffa6a538a Changelog updates & fixes
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-15 09:02:53 +01:00
Ronald Cron
831cf48abf Assemble change log
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-15 09:02:38 +01:00
Ronald Cron
acf0df81f2 Add change log for #4842
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-15 09:02:02 +01:00
Ronald Cron
be252a0da9 Add change log for #4859
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-15 08:43:53 +01:00
Ronald Cron
7e1cb129e8 Add change log for #4514
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-15 08:41:32 +01:00
Ronald Cron
2a4344d1fa Add change log for #4883
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-14 18:11:45 +01:00
Dave Rodgman
a53779dba4 Add missing changelog for ARIA (#4959)
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-12-14 18:11:45 +01:00
Manuel Pégourié-Gonnard
28e3bcf6e1 Fix misleading ChangeLog entry formatting.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-12-14 18:11:45 +01:00
Manuel Pégourié-Gonnard
4e511ede90 Double-free goes under security, not bugfix.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-12-14 18:11:45 +01:00
Ronald Cron
9ed3873905 psa: driver wrapper: cipher: Fix unused variable warning
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-14 18:11:06 +01:00
Ronald Cron
8188d19b0e Merge branch 'development-restricted' into mbedtls-3.1.0rc-pr 2021-12-14 10:58:18 +01:00
Manuel Pégourié-Gonnard
9fa5bf8e88
Merge pull request #5329 from gilles-peskine-arm/ssl_debug_helpers_generated.h-dependencies
List ssl_debug_helpers_generated.h in generated files
2021-12-14 09:57:38 +01:00
Gilles Peskine
12e27d4c5b List ssl_debug_helpers_generated.h in generated files
Running `generate_ssl_debug_helpers.py` generates both
`ssl_debug_helpers_generated.c` and `ssl_debug_helpers_generated.h`.

List the `.h` file as well as the `.c` file in `check-generated-files.sh` so
that `check-generated-files.sh -u` will complain if it isn't up to date.

List it in `Makefile` and `CMakeLists.txt` so that parallel builds know when
to wait until the `.h` file is present. In `Makefile`, declare the `.c` file
as depending on the `.h` file for order. This way, a dependency for either
will wait until the `.h` file is present, and since the `.h` file is
generated after the `.c` file, this guarantees that the `.c` file is
present.

This fixes random failures of `make -j` from a fresh checkout.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-14 00:19:47 +01:00
Gilles Peskine
32d2a58cc2
Merge pull request #5325 from gilles-peskine-arm/zeroize-tag-3.1
Zeroize expected MAC/tag intermediate variables
2021-12-13 19:09:30 +01:00
Gilles Peskine
cd74298c83 mbedtls_cipher_check_tag: jump on error for more robustness to refactoring
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 17:01:25 +01:00
Gilles Peskine
a5c18512b9
Merge pull request #5155 from paul-elliott-arm/pcks12_fix
Fixes for pkcs12 with NULL and/or zero length password
2021-12-13 14:52:36 +01:00
Gilles Peskine
a4174312da Initialize hash_len before using it
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 14:38:40 +01:00
Gilles Peskine
36d33f37b6 Generalize MAC zeroization changelog entry
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 12:43:11 +01:00
Gilles Peskine
14d5fef6b7 PKCS#1v1.5 signature: better cleanup of temporary values
Zeroize temporary buffers used to sanity-check the signature.

If there is an error, overwrite the tentative signature in the output
buffer.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 12:37:55 +01:00
Gilles Peskine
f0fd4c3aee mbedtls_ssl_parse_finished: zeroize expected finished value on error
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 12:36:15 +01:00
Gilles Peskine
c2f7b75a71 mbedtls_ssl_cookie_check: zeroize expected cookie on cookie mismatch
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 12:35:08 +01:00
Gilles Peskine
60aebec47e PSA hash verification: zeroize expected hash on hash mismatch
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 12:33:18 +01:00
Gilles Peskine
e7835d92c1 mbedtls_cipher_check_tag: zeroize expected tag on tag mismatch
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 12:32:43 +01:00
Dave Rodgman
050ad4bb50
Merge pull request #5313 from gilles-peskine-arm/missing-ret-check-mbedtls_md_hmac
Check HMAC return values
2021-12-13 10:51:27 +00:00
Gilles Peskine
ecf6bebb9c Catch failures of md_hmac operations
Declare mbedtls_md functions as MBEDTLS_CHECK_RETURN_TYPICAL, meaning that
their return values should be checked.

Do check the return values in our code. We were already doing that
everywhere for hash calculations, but not for HMAC calculations.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-11 15:00:57 +01:00
Gilles Peskine
d5ba50e239 Zeroize local MAC variables
Zeroize local MAC variables used for CBC+HMAC cipher suites. In encryption,
this is just good hygiene but probably not needed for security since the
data protected by the MAC that could leak is about to be transmitted anyway.
In DTLS decryption, this could be a security issue since an adversary could
learn the MAC of data that they were trying to inject. At least with
encrypt-then-MAC, the adversary could then easily inject a datagram with
a corrected packet. TLS would still be safe since the receiver would close
the connection after the bad MAC.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-11 14:59:45 +01:00
Paul Elliott
6e7deb1d55 Add expected output for tests
Expected output generated by OpenSSL (see below) apart from the case
where both password and salt are either NULL or zero length, as OpenSSL
does not support this. For these test cases we have had to use our own
output as that which is expected. Code to generate test cases is as
follows:

 #include <openssl/pkcs12.h>
 #include <openssl/evp.h>
 #include <string.h>

int Keygen_Uni( const char * test_name, unsigned char *pass, int
    passlen, unsigned char *salt,
                    int saltlen, int id, int iter, int n,
                                    unsigned char *out, const EVP_MD
                                    *md_type )
{
   size_t index;

   printf( "%s\n", test_name );

   int ret = PKCS12_key_gen_uni( pass, passlen, salt, saltlen, id, iter,
                                        n, out, md_type );

   if( ret != 1 )
   {
         printf( "Key generation returned %d\n", ret );
      }
   else
   {
         for( index = 0; index < n; ++index )
         {
                  printf( "%02x", out[index] );
               }

         printf( "\n" );
      }

   printf( "\n" );

}

int main(void)
{
   unsigned char out_buf[48];
   unsigned char pass[64];
   int pass_len;
   unsigned char salt[64];
   int salt_len;

   /* If ID=1, then the pseudorandom bits being produced are to be used
      as key material for performing encryption or decryption.

            If ID=2, then the pseudorandom bits being produced are to be
            used as an IV (Initial Value) for encryption or decryption.

                  If ID=3, then the pseudorandom bits being produced are
                  to be used as an integrity key for MACing.
                     */

   int id = 1;
   int iter = 3;

   memset( out_buf, 0, sizeof( out_buf ) );
   memset( pass, 0, sizeof( pass ) );
   memset( salt, 0, sizeof( salt ) );

   Keygen_Uni( "Zero length pass and salt", pass, 0, salt, 0, id, iter,
       sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   memset( out_buf, 0, sizeof( out_buf ) );

   Keygen_Uni( "NULL pass and salt", NULL, 0, NULL, 0, id, iter,
       sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   memset( out_buf, 0, sizeof( out_buf ) );

   salt[0] = 0x01;
   salt[1] = 0x23;
   salt[2] = 0x45;
   salt[3] = 0x67;
   salt[4] = 0x89;
   salt[5] = 0xab;
   salt[6] = 0xcd;
   salt[7] = 0xef;

   Keygen_Uni( "Zero length pass", pass, 0, salt, 8, id, iter,
       sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   memset( out_buf, 0, sizeof( out_buf ) );

   Keygen_Uni( "NULL pass", NULL, 0, salt, 8, id, iter, sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   memset( out_buf, 0, sizeof( out_buf ) );
   memset( salt, 0, sizeof( salt ) );

   pass[0] = 0x01;
   pass[1] = 0x23;
   pass[2] = 0x45;
   pass[3] = 0x67;
   pass[4] = 0x89;
   pass[5] = 0xab;
   pass[6] = 0xcd;
   pass[7] = 0xef;

   Keygen_Uni( "Zero length salt", pass, 8, salt, 0, id, iter,
       sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   memset( out_buf, 0, sizeof( out_buf ) );

   Keygen_Uni( "NULL salt", pass, 8, NULL, 0, id, iter, sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   memset( out_buf, 0, sizeof( out_buf ) );

   salt[0] = 0x01;
   salt[1] = 0x23;
   salt[2] = 0x45;
   salt[3] = 0x67;
   salt[4] = 0x89;
   salt[5] = 0xab;
   salt[6] = 0xcd;
   salt[7] = 0xef;

   Keygen_Uni( "Valid pass and salt", pass, 8, salt, 8, id, iter,
       sizeof(out_buf),
                      out_buf, EVP_md5( ) );

   return 0;
}

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-12-10 20:53:59 +00:00