Age | Commit message | Author
2020-08-05 | Enhancement fixes [fi_write_user_data, archive/fi_write_user_data] | Shelly Liberman
Co-authored-by: Andrzej Kurek <andrzej.kurek@arm.com>
Signed-off-by: Shelly Liberman <shelly.liberman@arm.com>
2020-08-05 | Add user pointer and data size duplication to ssl context. | shelib01
Signed-off-by: Shelly Liberman <shelly.liberman@arm.com>
2020-07-21 | Merge pull request #3499 from AndrzejKurek/fi-duplicate-buffers-revert | Andrzej Kurek
Revert a part of the sensitive information duplication changes
2020-07-15 | Revert a part of sensitive information duplication from tinycrypt | Andrzej Kurek
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-07-15 | Revert a part of the sensitive information duplication changes | Andrzej Kurek
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-07-15 | Merge pull request #3481 from AndrzejKurek/fi_duplicate_buffers_2 | Andrzej Kurek
Duplicate sensitive buffer and buffer length information
2020-07-08 | Minor formatting and cosmetic changes | Andrzej Kurek
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-07-08 | Add buffer and context clearing upon suspected FI | Andrzej Kurek
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-07-06 | Formatting changes | Andrzej Kurek
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-07-06 | Add FI countermeasures to the ssl module | Andrzej Kurek
This commit adds mainly buffer pointer and length duplication and checks, but also some hamming distance and return values checking improvements.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-07-06 | Duplicate sensitive buffer and buffer length information | Andrzej Kurek
Detect FI attacks on buffer pointers and buffer lengths.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-07-05 | Merge pull request #3439 from piotr-now/fic_switch | Shelly Liberman
Add FI countermeasures for sensitive switch instructions
2020-07-01 | Merge pull request #3467 from AndrzejKurek/cipher-wrap-aes-128-optimize | Andrzej Kurek
Wrap AES 192 and 256 info structures in an !AES_ONLY_128_BIT_KEY_LENGTH define
2020-06-30 | Add FI countermeasures for sensitive switch instructions | Piotr Nowicki
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-06-30 | Wrap AES 192 and 256 info structures in !AES_ONLY_128_BIT_KEY_LENGTH | Andrzej Kurek
This reduces the code size by not compiling in unnecessary info structures when using only 128 bit AES.
Co-authored-by: AnttiKauppila <antti.kauppila@arm.com>
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-06-22 | Merge pull request #3395 from AndrzejKurek/sha-flow_ctrl | Andrzej Kurek
Add flow control to sha256
2020-06-22 | Merge pull request #3408 from AndrzejKurek/hamming-distance-improvements | Andrzej Kurek
Hamming distance improvements
2020-06-12 | Increase the Hamming distance of uECC_generate_random_int returns | Andrzej Kurek
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-06-10 | Merge pull request #3403 from piotr-now/sca_memmove | Piotr Nowicki
Add mbedtls_platform_memmove() as a secured memcmp()
2020-06-10 | Add new error code PLATFORM_ALLOC_FAILED for mbedtls_platform_memmove() | Piotr Nowicki
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-06-10 | Add flow control to sha256 | Andrzej Kurek
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-06-10 | Merge pull request #3390 from piotr-now/rndelay_comment | Piotr Nowicki
Add comment for mbedtls_platform_random_delay() and returning a FAULT_DETECTED error on potential FI attack detection
2020-06-09 | Add mbedtls_platform_memmove() as a secured memcmp() | Piotr Nowicki
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-06-09 | Add returning a FAULT_DETECTED error on suspected FI attacks | Piotr Nowicki
The change applies to the places where we prevent double synchronous FI attacks with random delay, and where we do not respond to their detection. The response to such an attack should be to return the appropriate error code.
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-06-08 | Improve the Hamming distance of ssl_hs_is_proper_fragment return values | Andrzej Kurek
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-06-08 | Improve the usage of uECC_RNG_Function | Andrzej Kurek
Since the mbed TLS implementation of the rng wrapper returns the size of the random data generated upon success, check for it explicitly.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-06-08 | Add comment for mbedtls_platform_random_delay() | Piotr Nowicki
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-06-08 | Merge pull request #3355 from AndrzejKurek/fi_error_codes | Andrzej Kurek
Change the default value of status variables to an error
2020-06-05 | Change the default value of status variables to an error | Andrzej Kurek
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-06-01 | Merge pull request #3379 from AndrzejKurek/fi_check_loops | Andrzej Kurek
Add flow control to tinycrypt verification
2020-06-01 | Add flow control to tinycrypt verification | Andrzej Kurek
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-06-01 | Merge pull request #3336 from piotr-now/baremetal_flowmon | Piotr Nowicki
Increasing resistance to fault injection attacks related to memory operations.
2020-05-27 | Added some descriptions of functions | Piotr Nowicki
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-05-27 | Start comparison from a random location in the uECC_vli_equal. | Piotr Nowicki
This increases security and increases resistance to the side channel leakage.
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-05-27 | Merge pull request #3330 from AndrzejKurek/merge-2.16-8b34fef | Andrzej Kurek
Merge mbedtls-2.16 commit 8b34fef into baremetal
2020-05-25 | test_suite_x509parse: shorten test names | Andrzej Kurek
Change "Certificate" to "CRT" to shorten the test name and blend in between surrounding tests.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-05-21 | Add an x509 prerequisite in x509_internal.h | Andrzej Kurek
Lack of this requirement caused a warning when compiling the x509 test suites with config-thread.h from example configs, resulting in an error when running from test-ref-configs.pl.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-05-21 | Keep SSL context const when hw accel is disabled | Manuel Pégourié-Gonnard
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-05-21 | Rename md_info_t to md_handle_t in test_suite_entropy | Andrzej Kurek
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-05-21 | Fix lack of cookie check on hard reconnect | Manuel Pégourié-Gonnard
Section 4.2.8 of RFC 6347 describes how to handle the case of a DTLS client establishing a new connection using the same UDP quartet as an already active connection, which we implement under the compile option MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE. Relevant excerpts:

[the server] MUST NOT destroy the existing association until the client has demonstrated reachability either by completing a cookie exchange or by completing a complete handshake including delivering a verifiable Finished message. [...] The reachability requirement prevents off-path/blind attackers from destroying associations merely by sending forged ClientHellos.

Our code chooses to use a cookie exchange for establishing reachability, but unfortunately that check was effectively removed in a recent refactoring, which changed what value ssl_handle_possible_reconnect() needs to return in order for ssl_get_next_record() (introduced in that refactoring) to take the proper action. Unfortunately, in addition to changing the value, the refactoring also changed a return statement to an assignment to the ret variable, causing the function to reach the code for a valid cookie, which immediately destroys the existing association, effectively bypassing the cookie verification.

This commit fixes that by immediately returning after sending a HelloVerifyRequest when a ClientHello without a valid cookie is found. It also updates the description of the function to reflect the new return value convention (the refactoring updated the code but not the documentation).

The commit that changed the return value convention (and introduced the bug) is 2fddd3765ea998bb9f40b52dc1baaf843b9889bf, whose commit message explains the change.

Note: this bug also indirectly caused the ssl-opt.sh test case "DTLS client reconnect from same port: reconnect" to occasionally fail due to a race condition between the reception of the ClientHello carrying a valid cookie and the closure of the connection by the server after noticing the ClientHello didn't carry a valid cookie after it incorrectly destroyed the previous connection, which could cause that ClientHello to be invisible to the server (if that message reaches the server just before it does `net_close()`). A welcome side effect of this commit is to remove that race condition, as the new connection will immediately start with a ClientHello carrying a valid cookie in the SSL input buffer, so the server will not call `net_close()` and not risk discarding a better ClientHello that arrived in the meantime.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-05-20 | Add flow monitor protection to mbedtls_platform_memcmp() | Piotr Nowicki
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-05-18 | Merge mbedtls 2.16.6 into baremetal | Andrzej Kurek
Conflicts:
mbedtls.doxyfile
- PROJECT_NAME - mbed TLS v2.16.6 chosen.
doc_mainpage.h
- mbed TLS v2.16.6 version chosen.
hmac_drbg.h
- line 260, extended description chosen.
- line 313, extended description chosen.
- line 338, extended description chosen.
version.h
- 2.16.6 chosen.
CMakeLists.txt
- 2.16.6 chosen.
test_suite_version.data
- 2.16.6 chosen.
Makefile
- 141 - manual correction - baremetal version of C_SOURCE_FILES with variables for directories plus 2.16.6 CTAGS addition.
pkparse.c
- lines 846 onwards - the asn1_get_nonzero_mpi implementation chosen.
ssl_tls.c
- line 5269 - edited manually, left the ret=0, because baremetal has a different behaviour since commit 87b5626, but added a debug message that's new in 2.16.6.
all.sh:
- component_build_deprecated - chosen the refactored version from 2.16.6, but with extra flags from baremetal.
- rest of the _no_xxx tests - merged make options to have PTHREAD=1 and other changes from 2.16.6 (like -O1 instead of -O0).
- component_build_arm_none_eabi_gcc_no_64bit_multiplication - added TINYCRYPT_BUILD=0 to the 2.16.6 version of make.
x509/req_app.c
- left baremetal log but with mbedtls_exit( 0 ) call.
x509/crl_app.c
- left baremetal log but with mbedtls_exit( 0 ) call.
x509/cert_app.c
- left baremetal log but with mbedtls_exit( 0 ) call.
ssl/ssl_mail_client.c
- left baremetal log but with mbedtls_exit( 0 ) call.
ssl/ssl_pthread_server.c
- left baremetal log but with mbedtls_exit( 0 ) call.
ssl/ssl_fork_server.c
- left baremetal log but with mbedtls_exit( 0 ) call.
ssl_client1.c
- line 54 - left baremetal log but with mbedtls_exit( 0 ) call.
ssl_client2.c
- line 54 - left baremetal log but with mbedtls_exit( 0 ) call.
- line 132 - new options of both branches added.
- skip close notify handled as in 2.16.6, but with `ssl` instead of `&ssl`.
- Merged the 2.16.6 usage split with additional baremetal usages.
- Merged options from baremetal and 2.16.6.
ssl_server.c
- left baremetal log but with mbedtls_exit( 0 ) call.
ssl_server2.c
- Merged the 2.16.6 usage split with additional baremetal usages.
config.pl
- fixed missing defines from the documentation, removed duplicates, and reorganised so that the documentation and excluded list are ordered in the same way.
test_suite_x509parse.data
- only added the two new pathlen tests.
x509_crt.c
- change the return code by removing MBEDTLS_ERR_X509_INVALID_EXTENSIONS, since it's added by x509_crt_frame_parse_ext not by an "or", but by "+=".
Changelog
- Assigned all entries to appropriate sections.
ssl-opt.sh
- line 8263 - merged options.
- removed lines 1165 - 1176 - there was a duplicate test, probably an artifact of previous merges.
check-files.py
- stuck to old formatting.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-04-03 | Merge pull request #3044 from sbutcher-arm/merge-2.16-sprint27 | Simon Butcher
[baremetal] Update `baremetal` branch with updates from `mbedtls-2.16` branch
2020-03-13 | Revert "Merge pull request #3012 from Patater/dev/jp-bennett/development-2.16" | Janos Follath
This reverts commit 7550e857bf85bc169271b9edefb1e8ee04bc3042, reversing changes made to d0c25753241b0ea2b120bfa506d558f76c8c1430. stat() will never return S_IFLNK as the file type, as stat() explicitly follows symlinks. Fixes #3005.
2020-03-13 | Test GCC and Clang with common build options | Gilles Peskine
Goals:
* Build with common compilers with common options, so that we don't miss a (potentially useful) warning only triggered with certain build options.
* A previous commit removed -O0 test jobs, leaving only the one with -m32. We have inline assembly that is disabled with -O0, falling back to generic C code. This commit restores a test that runs the generic C code on a 64-bit platform.
2020-03-13 | Replace -O0 by -O1 or -Os in most components | Gilles Peskine
Gcc skips some analyses when compiling with -O0, so we may miss warnings about things like uninitialized variables.
2020-03-13 | shrink tests: clearer description | Gilles Peskine
2020-03-13 | Move test functions from Lilliput to Blefuscu | Gilles Peskine
We normally represent bignums in big-endian order and there is no reason to deviate here.
2020-03-13 | Minor comment improvement | Gilles Peskine
2020-03-13 | Improve comments in mpi_shrink | Gilles Peskine