Commit graph

3681 commits

Author SHA1 Message Date
Gilles Peskine
eeedabe25e Minor optimization in the PKCS#1v1.5 unpadding step
Rather than doing the quadratic-time constant-memory-trace on the
whole working buffer, do it on the section of the buffer where the
data to copy has to lie, which can be significantly smaller if the
output buffer is significantly smaller than the working buffer, e.g.
for TLS RSA ciphersuites (48 bytes vs MBEDTLS_MPI_MAX_SIZE).
2018-10-04 22:45:13 +02:00
Gilles Peskine
8c9440a2cb Use branch-free size comparison for the padding size
In mbedtls_rsa_rsaes_pkcs1_v15_decrypt, use size_greater_than (which
is based on bitwise operations) instead of the < operator to compare
sizes when the values being compared must not leak. Some compilers
compile < to a branch at least under some circumstances (observed with
gcc 5.4 for arm-gnueabi -O9 on a toy program).
2018-10-04 21:44:40 +02:00
Gilles Peskine
a1af5c8ea2 Bleichenbacher fix: don't leak the plaintext length (step 2)
Replace memmove(to, to + offset, length) by a functionally equivalent
function that strives to make the same memory access patterns
regardless of the value of length. This fixes an information leak
through timing (especially timing of memory accesses via cache probes)
that leads to a Bleichenbacher-style attack on PKCS#1 v1.5 decryption
using the plaintext length as the observable.
2018-10-04 21:44:29 +02:00
Gilles Peskine
9265ff4ee6 Bleichenbacher fix: don't leak the plaintext length (step 1)
mbedtls_rsa_rsaes_pkcs1_v15_decrypt takes care not to reveal whether
the padding is valid or not, even through timing or memory access
patterns. This is a defense against an attack published by
Bleichenbacher. The attacker can also obtain the same information by
observing the length of the plaintext. The current implementation
leaks the length of the plaintext through timing and memory access
patterns.

This commit is a first step towards fixing this leak. It reduces the
leak to a single memmove call inside the working buffer.
2018-10-04 21:38:22 +02:00
Gilles Peskine
331d80e162 Evolve choose_int_from_mask to if_int
Make the function more robust by taking an arbitrary zero/nonzero
argument instead of insisting on zero/all-bits-one. Update and fix its
documentation.
2018-10-04 21:36:34 +02:00
Gilles Peskine
e2a10de275 Fix a timing-based Bleichenbacher attack on PKCS#1v1.5 decryption
mbedtls_rsa_rsaes_pkcs1_v15_decrypt took care of calculating the
padding length without leaking the amount of padding or the validity
of the padding. However it then skipped the copying of the data if the
padding was invalid, which could allow an adversary to find out
whether the padding was valid through precise timing measurements,
especially if for a local attacker who could observe memory access via
cache timings.

Avoid this leak by always copying from the decryption buffer to the
output buffer, even when the padding is invalid. With invalid padding,
copy the same amount of data as what is expected on valid padding: the
minimum valid padding size if this fits in the output buffer,
otherwise the output buffer size. To avoid leaking payload data from
an unsuccessful decryption, zero the decryption buffer before copying
if the padding was invalid.
2018-10-03 01:03:05 +02:00
Gilles Peskine
5908dd4455 Minor readability improvement
Polish the beginning of mbedtls_rsa_rsaes_pkcs1_v15_decrypt a little,
to prepare for some behavior changes.
2018-10-02 22:43:06 +02:00
Simon Butcher
53546ea099 Update library version number to 2.13.1 2018-09-06 19:10:26 +01:00
Simon Butcher
5d40f67138 Merge remote-tracking branch 'public/pr/1927' into development-restricted 2018-09-06 16:24:48 +01:00
Hanno Becker
f5106d54eb Don't declare and define gmtime()-mutex on Windows platforms 2018-09-06 12:09:56 +01:00
Hanno Becker
323d8019bf Correct preprocessor guards determining use of gmtime()
The previous code erroneously used gmtime_r() to implement
mbedtls_platform_gmtime() in case of a non-windows, non-unix system.
2018-09-06 11:30:57 +01:00
Hanno Becker
6f70581c4a Correct POSIX version check to determine presence of gmtime_r()
Recent versions of POSIX move gmtime_r to the base.
2018-09-06 09:06:33 +01:00
Hanno Becker
7dd82b4f51 platform_utils.{c/h} -> platform_util.{c/h} 2018-09-05 16:26:04 +01:00
Hanno Becker
48a816ff26 Minor documentation improvements 2018-09-05 15:22:22 +01:00
Hanno Becker
6a739789f3 Rename mbedtls_platform_gmtime() to mbedtls_platform_gmtime_r()
For consistency, also rename MBEDTLS_PLATFORM_GMTIME_ALT to
MBEDTLS_PLATFORM_GMTIME_R_ALT.
2018-09-05 15:06:19 +01:00
Hanno Becker
be2e4bddd5 Guard decl and use of gmtime mutex by HAVE_TIME_DATE and !GMTIME_ALT 2018-09-05 14:44:31 +01:00
Hanno Becker
cfeb70c6b9 gmtime: Remove special treatment for IAR
Previous commits attempted to use `gmtime_s()` for IAR systems; however,
this attempt depends on the use of C11 extensions which lead to incompatibility
with other pieces of the library, such as the use of `memset()` which is
being deprecated in favor of `memset_s()` in C11.
2018-09-05 13:52:46 +01:00
Andres Amaya Garcia
94b540ac63 Avoid redefining _POSIX_C_SOURCE 2018-09-05 12:27:32 +01:00
Andres Amaya Garcia
433f911e59 Check for IAR in gmtime macros 2018-09-05 12:01:57 +01:00
Andres Amaya Garcia
3c9733a0a3 Fix typo in comment for gmtime macro defines 2018-09-05 11:52:07 +01:00
Andres Amaya Garcia
ca04a01bb8 Document shorthand gmtime macros 2018-09-05 11:43:57 +01:00
Andres Amaya Garcia
209960611f Use gmtime_s() for IAR 2018-09-05 11:27:56 +01:00
Andres Amaya Garcia
e9b10b21f1 Define _POSIX_C_SOURCE in threading.c before POSIX detection 2018-09-05 11:25:30 +01:00
Simon Butcher
4d075cd7d0 Update library version number to 2.13.0 2018-08-31 15:59:10 +01:00
Simon Butcher
0bbb4fc132 Merge branch 'development' into development 2018-08-30 01:11:35 +01:00
Simon Butcher
552754a6ee Merge remote-tracking branch 'public/pr/1988' into development 2018-08-30 00:57:28 +01:00
Simon Butcher
68dbc94720 Merge remote-tracking branch 'public/pr/1951' into development 2018-08-30 00:56:56 +01:00
Hanno Becker
a591c48302 Correct typo in debug message 2018-08-28 17:52:53 +01:00
Hanno Becker
83ab41c665 Correct typo in comment 2018-08-28 17:52:53 +01:00
Hanno Becker
cd9dcda0a0 Add const qualifier to handshake header reading functions 2018-08-28 17:52:53 +01:00
Hanno Becker
39b8bc9aef Change wording of debug message 2018-08-28 17:52:49 +01:00
Hanno Becker
ef7afdfa5a Rename another_record_in_datagram to next_record_is_in_datagram 2018-08-28 17:16:31 +01:00
Hanno Becker
c573ac33dd Fix typos in debug message and comment in ssl-tls.c 2018-08-28 17:15:25 +01:00
Simon Butcher
3af567d4a7 Merge remote-tracking branch 'restricted/pr/437' into development-restricted 2018-08-28 15:33:59 +01:00
Simon Butcher
129fa82908 Merge remote-tracking branch 'restricted/pr/470' into development-restricted 2018-08-28 15:26:11 +01:00
Simon Butcher
7f85563f9b Merge remote-tracking branch 'restricted/pr/491' into development-restricted 2018-08-28 15:22:40 +01:00
Simon Butcher
9ce5160fea Merge remote-tracking branch 'public/pr/1965' into development 2018-08-28 12:34:14 +01:00
Simon Butcher
9d5a9e1213 Merge remote-tracking branch 'public/pr/1625' into development 2018-08-28 12:23:40 +01:00
Simon Butcher
14dac0953e Merge remote-tracking branch 'public/pr/1918' into development 2018-08-28 12:21:41 +01:00
Simon Butcher
1846e406c8 Merge remote-tracking branch 'public/pr/1939' into development 2018-08-28 12:19:56 +01:00
Simon Butcher
9598845d11 Merge remote-tracking branch 'public/pr/1955' into development 2018-08-28 12:00:18 +01:00
Simon Butcher
4613772dea Merge remote-tracking branch 'public/pr/1915' into development 2018-08-28 11:45:44 +01:00
Hanno Becker
0207e533b2 Style: Correct typo in ssl-tls.c 2018-08-28 10:28:28 +01:00
Hanno Becker
bc2498a9ff Style: Add numerous comments indicating condition guarded by #endif 2018-08-28 10:13:29 +01:00
Hanno Becker
d58477769d Style: Group buffering-related forward declarations in ssl_tls.c 2018-08-28 10:09:23 +01:00
Hanno Becker
360bef3fe3 Reordering: Document that only HS and CCS msgs are buffered 2018-08-28 10:04:33 +01:00
Hanno Becker
4f432ad44d Style: Don't use abbreviations in comments 2018-08-28 10:02:32 +01:00
Hanno Becker
b8f50147ee Add explicit MBEDTLS_DEBUG_C-guard around debugging code 2018-08-28 10:01:34 +01:00
Hanno Becker
f0da6670dc Style: Add braces around if-branch where else-branch has them 2018-08-28 09:55:10 +01:00
Hanno Becker
ecbdf1c048 Style: Correct indentation of debug msgs in mbedtls_ssl_write_record 2018-08-28 09:54:44 +01:00