Gilles Peskine
a4174312da
Initialize hash_len before using it
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 14:38:40 +01:00
Gilles Peskine
36d33f37b6
Generalize MAC zeroization changelog entry
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 12:43:11 +01:00
Gilles Peskine
14d5fef6b7
PKCS#1v1.5 signature: better cleanup of temporary values
...
Zeroize temporary buffers used to sanity-check the signature.
If there is an error, overwrite the tentative signature in the output
buffer.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 12:37:55 +01:00
Gilles Peskine
f0fd4c3aee
mbedtls_ssl_parse_finished: zeroize expected finished value on error
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 12:36:15 +01:00
Gilles Peskine
c2f7b75a71
mbedtls_ssl_cookie_check: zeroize expected cookie on cookie mismatch
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 12:35:08 +01:00
Gilles Peskine
60aebec47e
PSA hash verification: zeroize expected hash on hash mismatch
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 12:33:18 +01:00
Gilles Peskine
e7835d92c1
mbedtls_cipher_check_tag: zeroize expected tag on tag mismatch
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-13 12:32:43 +01:00
Dave Rodgman
050ad4bb50
Merge pull request #5313 from gilles-peskine-arm/missing-ret-check-mbedtls_md_hmac
...
Check HMAC return values
2021-12-13 10:51:27 +00:00
Gilles Peskine
ecf6bebb9c
Catch failures of md_hmac operations
...
Declare mbedtls_md functions as MBEDTLS_CHECK_RETURN_TYPICAL, meaning that
their return values should be checked.
Do check the return values in our code. We were already doing that
everywhere for hash calculations, but not for HMAC calculations.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-11 15:00:57 +01:00
Gilles Peskine
d5ba50e239
Zeroize local MAC variables
...
Zeroize local MAC variables used for CBC+HMAC cipher suites. In encryption,
this is just good hygiene but probably not needed for security since the
data protected by the MAC that could leak is about to be transmitted anyway.
In DTLS decryption, this could be a security issue since an adversary could
learn the MAC of data that they were trying to inject. At least with
encrypt-then-MAC, the adversary could then easily inject a datagram with
a corrected packet. TLS would still be safe since the receiver would close
the connection after the bad MAC.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-11 14:59:45 +01:00
Gilles Peskine
c11192fcb2
Merge pull request #5290 from minosgalanakis/development
...
Document platform architecture portability constraints
2021-12-10 21:13:11 +01:00
paul-elliott-arm
f434994d83
Merge pull request #5303 from yuhaoth/pr/add_list_config_function
...
Add list config function
2021-12-10 18:30:06 +00:00
Ronald Cron
2331fdb280
Merge pull request #5293 from ronald-cron-arm/tls13-mvp-misc
...
Miscellaneous final changes for TLS 1.3 MVP release
2021-12-10 17:46:47 +01:00
Gilles Peskine
476b157dc4
Merge pull request #5305 from gilles-peskine-arm/test-missing-ret-check-202112-development
...
Missing error checks + test bug on unlikely failure
2021-12-10 17:41:52 +01:00
Minos Galanakis
c10086e33e
changelog: Addressed review comments #6
...
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2021-12-10 15:52:54 +00:00
Jerry Yu
29ceb564f8
fix help message issues
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 23:38:57 +08:00
Minos Galanakis
8340ea80cd
changelog: Addressed review comments #5
...
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2021-12-10 15:31:23 +00:00
Ronald Cron
64bff9f261
tests: data_files: Avoid symbolic links
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 15:09:57 +01:00
Jerry Yu
b54b53142a
fix msvc build faile
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 21:38:12 +08:00
Gilles Peskine
dc8ecda46f
Don't fail until everything is initialized
...
Can't call mbedtls_cipher_free(&invalid_ctx) in cleanup if
mbedtls_cipher_init(&invalid_ctx) hasn't been called.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-10 14:28:31 +01:00
Ronald Cron
b1822efe22
docs: TLS 1.3: Improve wording
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 14:28:13 +01:00
Gilles Peskine
f1c30b2a94
Check return values in more places
...
Selective replacement of
```
^\( *\)\(mbedtls_\(md\|cipher\)_[A-Z_a-z0-9]+\)\((.*)\);
```
by
```
\1if( \2\4 != 0 )
\1{
\1 mbedtls_fprintf( stderr, "\2() returned error\\n" );
\1 goto exit;
\1}
```
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-10 14:25:45 +01:00
Ronald Cron
db6adc5aad
ssl: Fix some compilation guards for TLS 1.3 signature algorithms
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 14:25:35 +01:00
Ronald Cron
bb27b43013
build: Fix TLS 1.3 prerequisites
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 14:22:52 +01:00
Ronald Cron
6aeda5305c
Add change log for TLS 1.3 MVP
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 13:48:12 +01:00
Ronald Cron
6f135e1148
Rename MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL to MBEDTLS_SSL_PROTO_TLS1_3
...
As we have now a minimal viable implementation of TLS 1.3,
let's remove EXPERIMENTAL from the config option enabling
it.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 13:47:55 +01:00
Jerry Yu
2e8b00172b
Beauty source code
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 20:29:02 +08:00
Ronald Cron
7aa6fc1992
docs: TLS 1.3: Update prototype upstreaming status
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 13:22:21 +01:00
Ronald Cron
653d5bc781
docs: TLS 1.3: Swap prototype upstreaming status and MVP definition
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 13:22:21 +01:00
Ronald Cron
43ffc9d659
docs: TLS 1.3: Update TLS 1.3 documentation file name
...
Update TLS 1.3 documentation file name and its
overview section.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 13:22:21 +01:00
Ronald Cron
0abf07ca2c
Make PSA crypto mandatory for TLS 1.3
...
As we want to move to PSA for cryptographic operations
let's mandate PSA crypto from the start.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 13:22:21 +01:00
Dave Rodgman
76a2b306ac
Merge pull request #4981 from yuhaoth/pr/add-debug-helpers-generated
...
Add debug helpers generated
2021-12-10 11:56:55 +00:00
Manuel Pégourié-Gonnard
4525cce691
Merge pull request #5256 from yuhaoth/pr/clean-up-secrets-after-done
...
TLS1.3 MVP: Erase secrets when they are not necessary anymore.
2021-12-10 12:48:25 +01:00
Minos Galanakis
5f173c62a4
changelog: Addressed review comments #4
...
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2021-12-10 11:07:27 +00:00
Ronald Cron
6b07916e40
Merge pull request #5230 from ronald-cron-arm/tls13_ccs_client
...
Add initial support for "Middlebox Compatibility Mode"
2021-12-10 11:58:05 +01:00
Minos Galanakis
3f46f38095
changelog: Addressed review comments #3
...
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2021-12-10 10:54:06 +00:00
Jerry Yu
d0fcf7f6a0
fix ci fail
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 18:45:51 +08:00
Minos Galanakis
3a77949c89
changelog: Addressed review comments #2
...
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2021-12-10 10:45:37 +00:00
Jerry Yu
a5563f6115
move position of base_key init
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 18:14:36 +08:00
Jerry Yu
b737f6a9be
move base_key init
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 17:55:59 +08:00
Gilles Peskine
fe051f6aab
Merge pull request #5297 from paul-elliott-arm/test_suite_cipher_returns
...
Add checked return to cipher setup in Cipher tests
2021-12-10 10:39:57 +01:00
Ronald Cron
9eab5a6f11
tests: TLS 1.3: Remove unnecessary test requirement
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 10:27:25 +01:00
Ronald Cron
574ace48d8
Remove unnecessary blank line
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 10:27:25 +01:00
Ronald Cron
ae93725ae8
tests: Make compat mode optional in script generating tests
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 10:27:07 +01:00
Minos Galanakis
ca14ab3c2e
changelog: Addressed review comments
...
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2021-12-10 09:21:37 +00:00
Jerry Yu
9c07473ebc
fix various issues
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 17:12:43 +08:00
Jerry Yu
d04fd35c06
Replace configs_enabled check with query_compile_time_config
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 16:31:04 +08:00
Jerry Yu
a15f3cc350
Add list_config into query_comile_time_config
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 16:31:01 +08:00
Jerry Yu
84e63a73cd
Add list_config generation
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 16:30:57 +08:00
Jerry Yu
bc8b22ecc8
fix tls13 test fail
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-12-10 15:54:38 +08:00