Age | Commit message (Collapse) | Author |
|
Co-authored-by: Andrzej Kurek <andrzej.kurek@arm.com>
Signed-off-by: Shelly Liberman <shelly.liberman@arm.com>
|
|
Signed-off-by: Shelly Liberman <shelly.liberman@arm.com>
|
|
Revert a part of the sensitive information duplication changes
|
|
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
|
|
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
|
|
Duplicate sensitive buffer and buffer length information
|
|
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
|
|
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
|
|
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
|
|
This commit adds mainly buffer pointer and length duplication and checks,
but also some hamming distance and return values checking improvements.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
|
|
Detect FI attacks on buffer pointers and buffer lengths.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
|
|
Add FI countermeasures for sensitive switch instructions
|
|
Wrap AES 192 and 256 info structures in an !AES_ONLY_128_BIT_KEY_LENGTH define
|
|
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
|
|
This reduces the code size by not compiling in unnecessary info structures
when using only 128 bit AES.
Co-authored by: AnttiKauppila <antti.kauppila@arm.com>
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
|
|
Add flow control to sha256
|
|
Hamming distance improvements
|
|
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
|
|
Add mbedtls_platform_memmove() as a secured memcmp()
|
|
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
|
|
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
|
|
Add comment for mbedtls_platform_random_delay() and returning an FAULT_DETECTED error on potential FI attack detection
|
|
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
|
|
The change applies to the places where we prevent double synchronous
FI attacks with random delay, and where we do not respond to their
detection. The response to such an attack should be to return the
appropriate error code.
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
|
|
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
|
|
Since the mbed TLS implementation of rng wrapper returns the size of random
data generated upon success - check for it explicitly.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
|
|
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
|
|
Change the default value of status variables to an error
|
|
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
|
|
Add flow control to tinycrypt verification
|
|
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
|
|
Increasing resistance to fault injection attacks related with memory operations.
|
|
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
|
|
This increases security and increases resistance to the side channel leakage.
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
|
|
Merge mbedtls-2.16 commit 8b34fef into baremetal
|
|
Change "Certificate" to "CRT" to shorten the test name and blend in
between surrounding tests.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
|
|
Lack of this requirement caused warning when compiling the
x509 test suites with config-thread.h from example configs,
resulting in an error when running from test-ref-configs.pl.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
|
|
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
|
|
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
|
|
Section 4.2.8 of RFC 6347 describes how to handle the case of a DTLS client
establishing a new connection using the same UDP quartet as an already active
connection, which we implement under the compile option
MBEDTLS_SSL_DLTS_CLIENT_PORT_REUSE. Relevant excerpts:
[the server] MUST NOT destroy the existing
association until the client has demonstrated reachability either by
completing a cookie exchange or by completing a complete handshake
including delivering a verifiable Finished message.
[...]
The reachability requirement prevents
off-path/blind attackers from destroying associations merely by
sending forged ClientHellos.
Our code chooses to use a cookie exchange for establishing reachability, but
unfortunately that check was effectively removed in a recent refactoring,
which changed what value ssl_handle_possible_reconnect() needs to return in
order for ssl_get_next_record() (introduced in that refactoring) to take the
proper action. Unfortunately, in addition to changing the value, the
refactoring also changed a return statement to an assignment to the ret
variable, causing the function to reach the code for a valid cookie, which
immediately destroys the existing association, effectively bypassing the
cookie verification.
This commit fixes that by immediately returning after sending a
HelloVerifyRequest when a ClientHello without a valid cookie is found. It also
updates the description of the function to reflect the new return value
convention (the refactoring updated the code but not the documentation).
The commit that changed the return value convention (and introduced the bug)
is 2fddd3765ea998bb9f40b52dc1baaf843b9889bf, whose commit message explains the
change.
Note: this bug also indirectly caused the ssl-opt.sh test case "DTLS client
reconnect from same port: reconnect" to occasionally fail due to a race
condition between the reception of the ClientHello carrying a valid cookie and
the closure of the connection by the server after noticing the ClientHello
didn't carry a valid cookie after it incorrectly destroyed the previous
connection, that could cause that ClientHello to be invisible to the server
(if that message reaches the server just before it does `net_close()`). A
welcome side effect of this commit is to remove that race condition, as the
new connection will immediately start with a ClientHello carrying a valid
cookie in the SSL input buffer, so the server will not call `net_close()` and
not risk discarding a better ClientHello that arrived in the meantime.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
|
|
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
|
|
Conflicts:
mbedtls.doxyfile - PROJECT_NAME - mbed TLS v2.16.6 chosen.
doc_mainpage.h - mbed TLS v2.16.6 version chosen.
hmac_drbg.h - line 260, extended description chosen.
- line 313, extended description chosen.
- line 338, extended description chosen.
version.h - 2.16.6 chosen.
CMakeLists.txt - 2.16.6 chosen.
test_suite_version.data - 2.16.6 chosen.
Makefile - 141 - manual correction - baremetal version of C_SOURCE_FILES
with variables for directories plus 2.16.6 CTAGS addition.
pkparse.c - lines 846 onwards - the asn1_get_nonzero_mpi implementation chosen.
ssl_tls.c - line 5269 - edited manually, left the ret=0, because baremetal has
a different behaviour since commit 87b5626, but added a debug
message that's new in 2.16.6.
all.sh:
- component_build_deprecated - chosen the refactored version from 2.16.6,
but with extra flags from baremetal.
- rest of the _no_xxx tests - merged make options to have PTHREAD=1 and
other changes from 2.16.6 (like -O1 instead of -O0).
- component_build_arm_none_eabi_gcc_no_64bit_multiplication - added
TINYCRYPT_BUILD=0 to the 2.16.6 version of make.
x509/req_app.c - left baremetal log but with mbedtls_exit( 0 ) call.
x509/crl_app.c - left baremetal log but with mbedtls_exit( 0 ) call.
x509/cert_app.c - left baremetal log but with mbedtls_exit( 0 ) call.
ssl/ssl_mail_client.c - left baremetal log but with mbedtls_exit( 0 ) call.
ssl/ssl_pthread_server.c - left baremetal log but with mbedtls_exit( 0 ) call.
ssl/ssl_fork_server.c - left baremetal log but with mbedtls_exit( 0 ) call.
ssl_client1.c - line 54 - left baremetal log but with mbedtls_exit( 0 ) call.
ssl_client2.c - line 54 - left baremetal log but with mbedtls_exit( 0 ) call.
- line 132 - new options of both branches added.
- skip close notify handled as in 2.16.6, but with `ssl` instead of `&ssl`.
- Merged the 2.16.6 usage split with additional baremetal usages.
- Merged options from baremetal and 2.16.6.
ssl_server.c - left baremetal log but with mbedtls_exit( 0 ) call.
ssl_server2.c - Merged the 2.16.6 usage split with additional baremetal usages.
config.pl - fixed missing defines from the documentation, removed duplicates,
and reorganised so that the documentation and excluded list
are ordered in the same way.
test_suite_x509parse.data - only added the two new pathlen tests.
x509_crt.c - change the return code by removing
MBEDTLS_ERR_X509_INVALID_EXTENSIONS, since it's added by
x509_crt_frame_parse_ext not by an "or", but by "+=".
Changelog - Assigned all entries to appropriate sections.
ssl-opt.sh - line 8263 - merged options.
- removed lines 1165 - 1176 - there was a duplicate test, probably
an artifact of previous merges.
check-files.py - sticked to old formatting.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
|
|
[baremetal] Update `baremetal` branch with updates from `mbedtls-2.16` branch
|
|
This reverts commit 7550e857bf85bc169271b9edefb1e8ee04bc3042, reversing
changes made to d0c25753241b0ea2b120bfa506d558f76c8c1430.
stat() will never return S_IFLNK as the file type, as stat()
explicitly follows symlinks.
Fixes #3005.
|
|
Goals:
* Build with common compilers with common options, so that we don't
miss a (potentially useful) warning only triggered with certain
build options.
* A previous commit removed -O0 test jobs, leaving only the one with
-m32. We have inline assembly that is disabled with -O0, falling
back to generic C code. This commit restores a test that runs the
generic C code on a 64-bit platform.
|
|
Gcc skips some analyses when compiling with -O0, so we may miss
warnings about things like uninitialized variables.
|
|
|
|
We normally represent bignums in big-endian order and there is no
reason to deviate here.
|
|
|
|
|