Commit Graph

3480 Commits

Author SHA1 Message Date
Jethro Beekman
666892792d Generate primes according to FIPS 186-4
The specification requires that numbers are the raw entropy (except for odd/
even) and at least 2^(nbits-0.5). If not, new random bits need to be used for
the next number. Similarly, if the number is not prime new random bits need to
be used.
2018-04-11 08:38:37 -07:00
Jethro Beekman
97f95c9ef3 Avoid small private exponents during RSA key generation
Attacks against RSA exist for small D. [Wiener] established this for
D < N^0.25. [Boneh] suggests the bound should be N^0.5.

Multiple possible values of D might exist for the same set of E, P, Q. The
attack works when there exists any possible D that is small. To make sure that
the generated key is not susceptible to attack, we need to make sure we have
found the smallest possible D, and then check that D is big enough. The
Carmichael function λ of p*q is lcm(p-1, q-1), so we can apply Carmichael's
theorem to show that D = d mod λ(n) is the smallest.

[Wiener] Michael J. Wiener, "Cryptanalysis of Short RSA Secret Exponents"
[Boneh] Dan Boneh and Glenn Durfee, "Cryptanalysis of RSA with Private Key d Less than N^0.292"
2018-04-11 08:38:37 -07:00
Manuel Pégourié-Gonnard
4ca9a45756 Merge remote-tracking branch 'public/pr/1560' into development-proposed
* public/pr/1560:
  Warn if using a memory sanitizer on AESNI
2018-04-11 13:06:30 +02:00
Brendan Shanks
8339c8f5bd x509.c: Remove unused includes
Remove unused includes guarded by MBEDTLS_FS_IO, which doesn't appear
anywhere else in the file.
2018-04-06 16:47:43 -07:00
Fabio Alessandrelli
df60856702 Only redefine _WIN32_WINNT macro when < 0x0501 2018-04-06 18:07:53 +02:00
Gilles Peskine
5053efde33 Warn if using a memory sanitizer on AESNI
Clang-Msan is known to report spurious errors when MBEDTLS_AESNI_C is
enabled, due to the use of assembly code. The error reports don't
mention AES, so they can be difficult to trace back to the use of
AES-NI. Warn about this potential problem at compile time.
2018-04-05 15:37:38 +02:00
Gilles Peskine
ec4733b645 Make the memset call prior to FD_ZERO conditional to needing it
Zeroing out an fd_set before calling FD_ZERO on it is in principle
useless, but without it some memory sanitizers think the fd_set is
still uninitialized after FD_ZERO (e.g. clang-msan/Glibc/x86_64 where
FD_ZERO is implemented in assembly). Make the zeroing conditional on
using a memory sanitizer.
2018-04-05 14:55:47 +02:00
Krzysztof Stachowiak
94d49978eb Improve comments style 2018-04-05 14:48:55 +02:00
Krzysztof Stachowiak
cd09fc812d Remove a redundant test 2018-04-05 14:48:18 +02:00
Krzysztof Stachowiak
73b183c3bb Add buffer size check before cert_type_len read 2018-04-05 10:20:09 +02:00
Gilles Peskine
80aa3b8d65 Merge branch 'pr_946' into development-proposed 2018-04-04 10:33:45 +02:00
Gilles Peskine
73db8380ca Merge remote-tracking branch 'upstream-public/pr/1547' into development-proposed 2018-04-04 09:19:12 +02:00
Gilles Peskine
be2371c3d9 Merge branch 'pr_348' into development-proposed 2018-04-04 09:18:27 +02:00
Gilles Peskine
a09453f495 Merge branch 'pr_1395' into development-proposed 2018-04-04 09:14:12 +02:00
Gilles Peskine
1fae860f0f Merge remote-tracking branch 'upstream-public/pr/1543' into development-proposed 2018-04-04 09:03:25 +02:00
Hanno Becker
f4e5b7e87d Additionally initialize fd_set's via memset in mbedtls_net_poll
The initialization via FD_SET is not seen by memory sanitizers if
FD_SET is implemented through assembly. Additionally zeroizing the
respective fd_set's before calling FD_SET contents the sanitizers
and comes at a negligible computational overhead.
2018-04-03 16:28:09 +01:00
mohammad1603
19d392b258 Fix compatibility problem in the printed message
Replace %zu with %lu and add cast for the printed value.
2018-04-02 07:35:50 -07:00
Gilles Peskine
90a8b5219f Merge branch 'pr_1480' into development-proposed 2018-04-01 12:44:06 +02:00
Gilles Peskine
0ed632f445 Merge remote-tracking branch 'upstream-public/pr/1499' into development-proposed 2018-04-01 12:41:22 +02:00
Gilles Peskine
695d557dcf Merge branch 'pr_1180' into development-proposed 2018-04-01 12:26:36 +02:00
Gilles Peskine
039fd12834 Robustness fix in mbedtls_ssl_derive_keys
In mbedtls_ssl_derive_keys, don't call mbedtls_md_hmac_starts in
ciphersuites that don't use HMAC. This doesn't change the behavior of
the code, but avoids relying on an uncaught error when attempting to
start an HMAC operation that hadn't been initialized.
2018-03-31 22:53:49 +02:00
Gilles Peskine
cc78ac46e7 Update error.c 2018-03-30 18:52:10 +02:00
Gilles Peskine
5114d3e4e1 Clarify the use of MBEDTLS_ERR_PK_SIG_LEN_MISMATCH
Clarify what MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH and
MBEDTLS_ERR_PK_SIG_LEN_MISMATCH mean. Add comments to highlight that
this indicates that a valid signature is present, unlike other error
codes. See
https://github.com/ARMmbed/mbedtls/pull/1149#discussion_r178130705
2018-03-30 18:43:16 +02:00
Nicholas Wilson
08f3ef1861 Basic support for Curve448, similar to the current level of support for Curve25519 2018-03-29 14:29:06 +01:00
Jaeden Amero
2ad47e3bcc Merge remote-tracking branch 'upstream-public/pr/1528' into development-proposed 2018-03-29 11:00:50 +01:00
Jaeden Amero
78a03ec230 Merge remote-tracking branch 'upstream-public/pr/1379' into development-proposed 2018-03-29 10:57:57 +01:00
mohammad1603
52aecb9a7f Check whether INT_MAX larger than SIZE_MAX scenario
Check whether INT_MAX larger than SIZE_MAX scenario
2018-03-28 23:41:40 -07:00
Jaeden Amero
90226be779 Merge remote-tracking branch 'upstream-public/pr/1467' into development-proposed 2018-03-28 15:35:22 +01:00
Jaeden Amero
2843d21d99 Merge remote-tracking branch 'upstream-public/pr/1523' into development-proposed 2018-03-28 15:32:13 +01:00
Hanno Becker
2bd57578af Merge branch 'development' into iotssl-1204 2018-03-28 14:52:35 +01:00
Jaeden Amero
5ec118352e Merge remote-tracking branch 'upstream-public/pr/1474' into development-proposed 2018-03-28 14:22:29 +01:00
Jaeden Amero
552b9cc5ba Merge remote-tracking branch 'upstream-public/pr/1477' into development-proposed 2018-03-28 13:42:32 +01:00
Jaeden Amero
8645e90825 Merge remote-tracking branch 'upstream-restricted/pr/363' into development-proposed 2018-03-28 11:54:28 +01:00
Manuel Pégourié-Gonnard
18b78435dc Fix a typo in a comment 2018-03-28 11:14:06 +02:00
Nicholas Wilson
54fc34ea68 Include order of Curve25519 base point in curve data 2018-03-28 11:08:30 +02:00
Andres Amaya Garcia
af9a486b01 Fix coding style in pkcs5.c preprocessor directives 2018-03-27 20:53:12 +01:00
Marcos Del Sol Vives
8a0dfacb58 Compile PBES2 in PKCS5 only if ASN1 is enabled 2018-03-27 20:15:33 +01:00
Andy Leiserson
79e7789d44 return plaintext data faster on unpadded decryption 2018-03-27 10:55:24 -07:00
Jaeden Amero
fba16f782c Merge remote-tracking branch 'upstream-public/pr/572' into development-proposed 2018-03-27 16:42:20 +01:00
Andres Amaya Garcia
ceed91b72c Allow overriding ar param prefix in library/Makefile 2018-03-25 23:48:39 +01:00
Andres Amaya Garcia
873f15d70d Make DLEXT var configurable in library/Makefile 2018-03-25 23:47:15 +01:00
Jaeden Amero
f65379bc40 Merge remote-tracking branch 'upstream-restricted/pr/382' into development 2018-03-23 11:14:17 +00:00
Gilles Peskine
15ad579895 Merge tag 'mbedtls-2.8.0' into iotssl-1381-x509-verify-refactor-restricted
Conflict resolution:

* ChangeLog
* tests/data_files/Makefile: concurrent additions, order irrelevant
* tests/data_files/test-ca.opensslconf: concurrent additions, order irrelevant
* tests/scripts/all.sh: one comment change conflicted with a code
  addition. In addition some of the additions in the
  iotssl-1381-x509-verify-refactor-restricted branch need support for
  keep-going mode, this will be added in a subsequent commit.
2018-03-23 02:16:22 +01:00
Jethro Beekman
d2df936e67 Fix parsing of PKCS#8 encoded Elliptic Curve keys.
The relevant ASN.1 definitions for a PKCS#8 encoded Elliptic Curve key are:

PrivateKeyInfo ::= SEQUENCE {
  version                   Version,
  privateKeyAlgorithm       PrivateKeyAlgorithmIdentifier,
  privateKey                PrivateKey,
  attributes           [0]  IMPLICIT Attributes OPTIONAL
}

AlgorithmIdentifier  ::=  SEQUENCE  {
  algorithm   OBJECT IDENTIFIER,
  parameters  ANY DEFINED BY algorithm OPTIONAL
}

ECParameters ::= CHOICE {
  namedCurve         OBJECT IDENTIFIER
  -- implicitCurve   NULL
  -- specifiedCurve  SpecifiedECDomain
}

ECPrivateKey ::= SEQUENCE {
  version        INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
  privateKey     OCTET STRING,
  parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
  publicKey  [1] BIT STRING OPTIONAL
}

Because of the two optional fields, there are 4 possible variants that need to
be parsed: no optional fields, only parameters, only public key, and both
optional fields. Previously mbedTLS was unable to parse keys with "only
parameters". Also, only "only public key" was tested. There was a test for "no
optional fields", but it was labelled incorrectly as SEC.1 and not run because
of a great renaming mixup.
2018-03-22 18:01:18 -07:00
Gilles Peskine
a7b34c7810 Merge remote-tracking branch 'upstream-public/pr/1406' into development-proposed 2018-03-22 21:52:48 +01:00
Gilles Peskine
f15a8beacf Merge remote-tracking branch 'upstream-public/pr/1256' into development-proposed 2018-03-22 21:51:53 +01:00
Gilles Peskine
0818540ff7 Merge branch 'pr_726' into development-proposed 2018-03-22 21:50:48 +01:00
Gilles Peskine
5bdb671404 Merge branch 'pr_403' into development-proposed 2018-03-22 21:34:15 +01:00
mohammad1603
b878805919 Verify that f_send and f_recv send and receive the expected length
Verify that f_send and f_recv send and receive the expected length
2018-03-22 02:58:23 -07:00
Gilles Peskine
4e4be7cf62 Optimize unnecessary zeorizing in mbedtls_mpi_copy
Based on a contribution by Alexey Skalozub
(https://github.com/ARMmbed/mbedtls/pull/405).
2018-03-21 16:29:03 +01:00
Gergely Budai
13f7fb372e Do not define and initialize global mutexes on configurations that do not use them. 2018-03-21 15:01:55 +00:00
Azim Khan
27e8a120b2 Assign NULL after freeing psk and psk_identity 2018-03-21 14:24:11 +00:00
junyeonLEE
316b162ac3 Separate psk and psk_identity buffers free
Sometimes, psk_identity buffer can't released because psk buffer is NULL.
So, separate it.
2018-03-21 14:15:28 +00:00
Mitsuhiro Nakamura
5ff2ee51e9 Fix dylib linking 2018-03-21 11:10:59 +00:00
Krzysztof Stachowiak
bc231cc9b0 Add a missing buffer size check 2018-03-20 14:09:53 +01:00
Krzysztof Stachowiak
bc145f7978 Correct buffer size check
Further in the code the next field from the binary buffer is read. The
check contained an off by one error.
2018-03-20 11:19:50 +01:00
Gilles Peskine
ea7dbbe0de Replace MBEDTLS_EINTR by IS_EINTR
check-names.sh reserves the prefix MBEDTLS_ for macros defined in
config.h so this name (or check-names.sh) had to change.

This is also more flexible because it allows for platforms that don't have
an EINTR equivalent or have multiple such values.
2018-03-19 17:10:31 +01:00
Hanno Becker
c9f4d6d448 Correct error.c 2018-03-19 09:23:13 +00:00
Jaeden Amero
8be0e6db41 Update version to 2.8.0 2018-03-16 16:25:12 +00:00
Hanno Becker
ef52796537 Fix missing return statement ssl_server2 idling
Also, introduce MBEDTLS_EINTR locally in net_sockets.c
for the platform-dependent return code macro used by
the `select` call to indicate that the poll was interrupted
by a signal handler: On Unix, the corresponding macro is EINTR,
while on Windows, it's WSAEINTR.
2018-03-15 15:52:31 +00:00
Hanno Becker
80e06d77d9 Use WSAEINTR instead of EINTR on Windows 2018-03-15 14:41:55 +00:00
Hanno Becker
9ac640326b Don't exit mbedtls_net_poll on interruption of select
If the select UNIX system call is interrupted by a signal handler,
it is not automatically restarted but returns EINTR. This commit
modifies the use of select in mbedtls_net_poll from net_sockets.c
to retry the select call in this case.
2018-03-15 12:19:31 +00:00
Jaeden Amero
79a5e72719 Merge remote-tracking branch 'upstream-restricted/pr/463' into development-restricted-proposed 2018-03-15 08:25:05 +00:00
Jaeden Amero
24b2d6fb6d Merge remote-tracking branch 'upstream-restricted/pr/459' into development-restricted-proposed 2018-03-15 08:24:44 +00:00
Jaeden Amero
ce183d994c Merge remote-tracking branch 'upstream-public/pr/1448' into development-proposed 2018-03-15 08:23:53 +00:00
Jaeden Amero
d1fedc55d7 Merge remote-tracking branch 'upstream-public/pr/1440' into development-proposed 2018-03-15 08:23:35 +00:00
Jaeden Amero
95ad522ecc Merge remote-tracking branch 'upstream-public/pr/1439' into development-proposed 2018-03-15 08:23:10 +00:00
Manuel Pégourié-Gonnard
fd3e4fbae7 x509: CRL: reject unsupported critical extensions 2018-03-14 09:15:02 +01:00
Gilles Peskine
5f1932817c Merge remote-tracking branch 'upstream-restricted/pr/398' into development-restricted-proposed 2018-03-13 17:18:06 +01:00
Gilles Peskine
553a06f08a Merge remote-tracking branch 'upstream-restricted/pr/351' into development-restricted-proposed
Move the added ChangeLog entry to the bottom so that the list remains
in merge order.
2018-03-13 17:15:34 +01:00
Manuel Pégourié-Gonnard
1ba8a3fc55 Yet another dependency issue (PKCS1_V15)
Found by running:

CC=clang cmake -D CMAKE_BUILD_TYPE="Check"
tests/scripts/depend-pkalgs.pl

(Also tested with same command but CC=gcc)

Another PR will address improving all.sh and/or the depend-xxx.pl scripts
themselves to catch this kind of thing.
2018-03-13 13:42:38 +01:00
Krzysztof Stachowiak
5224a7544c Prevent arithmetic overflow on bounds check 2018-03-13 11:31:38 +01:00
Krzysztof Stachowiak
740b218386 Add bounds check before length read 2018-03-13 11:31:14 +01:00
Krzysztof Stachowiak
027f84c69f Prevent arithmetic overflow on bounds check 2018-03-13 11:29:24 +01:00
Krzysztof Stachowiak
a1098f81c2 Add bounds check before signature length read 2018-03-13 11:28:49 +01:00
Gilles Peskine
f3ada4adb0 Merge branch 'pr_679' into development-proposed 2018-03-13 00:13:29 +01:00
Gilles Peskine
d5f7d24e84 Merge branch 'pr_1064' into development-proposed 2018-03-13 00:08:05 +01:00
Gilles Peskine
a31d8206b1 Merge remote-tracking branch 'upstream-public/pr/778' into development-proposed 2018-03-12 23:45:08 +01:00
Gilles Peskine
19c3862d0c Merge remote-tracking branch 'upstream-public/pr/1079' into development-proposed 2018-03-11 00:45:10 +01:00
Gilles Peskine
b4c571e603 Merge remote-tracking branch 'upstream-public/pr/1296' into HEAD 2018-03-11 00:44:14 +01:00
Manuel Pégourié-Gonnard
e57d7438b0 Improve documentation of some internal functions 2018-03-07 10:00:57 +01:00
Sanne Wouda
7b2e85dd7c Use both applicable error codes and a proper coding style 2018-03-06 23:28:46 +01:00
Sanne Wouda
b2b29d5259 Add end-of-buffer check to prevent heap-buffer-overflow
Dereference of *p should not happen when it points past the end of the
buffer.

Internal reference: IOTSSL-1663
2018-03-06 23:28:46 +01:00
Hanno Becker
a3389ebb09 Merge branch 'development-restricted' into iotssl-1306-rsa-is-vulnerable-to-bellcore-glitch-attack 2018-03-06 11:55:21 +00:00
Manuel Pégourié-Gonnard
05c00ed8b2 Fix some more MSVC size_t -> int warnings 2018-03-06 11:48:50 +01:00
Manuel Pégourié-Gonnard
f5bb78183a Fix MSVC warnings
library\x509_crt.c(2137): warning C4267: 'function' : conversion from 'size_t' to 'int', possible loss of data
library\x509_crt.c(2265): warning C4267: 'function' : conversion from 'size_t' to 'int', possible loss of data
2018-03-05 12:48:53 +01:00
Manuel Pégourié-Gonnard
05e464dff7 Merge branch 'development' into iotssl-1381-x509-verify-refactor-restricted
* development: (557 commits)
  Add attribution for #1351 report
  Adapt version_features.c
  Note incompatibility of truncated HMAC extension in ChangeLog
  Add LinkLibraryDependencies to VS2010 app template
  Add ChangeLog entry for PR #1382
  MD: Make deprecated functions not inline
  Add ChangeLog entry for PR #1384
  Have Visual Studio handle linking to mbedTLS.lib internally
  Mention in ChangeLog that this fixes #1351
  Add issue number to ChangeLog
  Note in the changelog that this fixes an interoperability issue.
  Style fix in ChangeLog
  Add ChangeLog entries for PR #1168 and #1362
  Add ChangeLog entry for PR #1165
  ctr_drbg: Typo fix in the file description comment.
  dhm: Fix typo in RFC 5114 constants
  tests_suite_pkparse: new PKCS8-v2 keys with PRF != SHA1
  data_files/pkcs8-v2: add keys generated with PRF != SHA1
  tests/pkcs5/pbkdf2_hmac: extend array to accommodate longer results
  tests/pkcs5/pbkdf2_hmac: add unit tests for additional SHA algorithms
  ...
2018-03-05 11:55:38 +01:00
Gilles Peskine
df761d5a6b Fix build with gcc -O -Wall
Fix warnings from gcc -O -Wall about `ret` used uninitialized in
CMAC selftest auxiliary functions. The variable was indeed
uninitialized if the function was called with num_tests=0 (which
never happens).
2018-03-01 22:18:14 +01:00
Manuel Pégourié-Gonnard
366e1b0464 aria: fix comment on aria_a function
The new version of the comment has been generated by the following python3
script, when the first constant is copy-pasted from RFC 5794 2.4.3.

 #!/usr/bin/python3

RFC_A = """
      y0  = x3 ^ x4 ^ x6 ^ x8  ^ x9  ^ x13 ^ x14,
      y1  = x2 ^ x5 ^ x7 ^ x8  ^ x9  ^ x12 ^ x15,
      y2  = x1 ^ x4 ^ x6 ^ x10 ^ x11 ^ x12 ^ x15,
      y3  = x0 ^ x5 ^ x7 ^ x10 ^ x11 ^ x13 ^ x14,
      y4  = x0 ^ x2 ^ x5 ^ x8  ^ x11 ^ x14 ^ x15,
      y5  = x1 ^ x3 ^ x4 ^ x9  ^ x10 ^ x14 ^ x15,
      y6  = x0 ^ x2 ^ x7 ^ x9  ^ x10 ^ x12 ^ x13,
      y7  = x1 ^ x3 ^ x6 ^ x8  ^ x11 ^ x12 ^ x13,
      y8  = x0 ^ x1 ^ x4 ^ x7  ^ x10 ^ x13 ^ x15,
      y9  = x0 ^ x1 ^ x5 ^ x6  ^ x11 ^ x12 ^ x14,
      y10 = x2 ^ x3 ^ x5 ^ x6  ^ x8  ^ x13 ^ x15,
      y11 = x2 ^ x3 ^ x4 ^ x7  ^ x9  ^ x12 ^ x14,
      y12 = x1 ^ x2 ^ x6 ^ x7  ^ x9  ^ x11 ^ x12,
      y13 = x0 ^ x3 ^ x6 ^ x7  ^ x8  ^ x10 ^ x13,
      y14 = x0 ^ x3 ^ x4 ^ x5  ^ x9  ^ x11 ^ x14,
      y15 = x1 ^ x2 ^ x4 ^ x5  ^ x8  ^ x10 ^ x15.
"""

matrix = []
for l in RFC_A.split('\n')[1:-1]:
    rhs = l.split('=')[1][:-1]
    row = tuple(hex(int(t[2:]))[2:] for t in rhs.split('^'))
    matrix.append(row)

out = {}
out['a'] = tuple(''.join(w) for w in zip(*(matrix[0:4])))
out['b'] = tuple(''.join(w) for w in zip(*(matrix[4:8])))
out['c'] = tuple(''.join(w) for w in zip(*(matrix[8:12])))
out['d'] = tuple(''.join(w) for w in zip(*(matrix[12:])))

out2 = {}
for o, r in out.items():
    row = list(r)
    for i in range(len(r) - 1):
        w1 = row[i]
        if len(set(w1)) == 2:
            w2 = row[i+1]
            nw1 = nw2 = ''
            for j in range(len(w1)):
                if w1[j] in nw1:
                    nw1 += w2[j]
                    nw2 += w1[j]
                else:
                    nw1 += w1[j]
                    nw2 += w2[j]
            row[i] = nw1
            row[i+1] = nw2

    out2[o] = row

for o in 'abcd':
    print(o,   '=', ' + '.join(out[o]))
    print(' ', '=', ' + '.join(out2[o]))
2018-03-01 14:48:10 +01:00
Manuel Pégourié-Gonnard
21662148f7 aria: improve compiler compat by using __asm
gcc --std=c99 doesn't like the shorter "asm" (this broke all.sh)
2018-03-01 11:28:51 +01:00
Manuel Pégourié-Gonnard
2078725feb aria: check arm arch version for asm
rev and rev16 are only supported from v6 (all profiles) and up.

arm-none-eabi-gcc picks a lower architecture version by default, which means
before this commit it would fail to build (assembler error) unless you
manually specified -march=armv6-m -mthumb or similar, which broke all.sh.

Source for version-checking macros:
- GCC/Clang: use the -E -dM - </dev/null trick
- armcc5: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0472k/chr1359125007083.html
- armclang 6: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0774g/chr1383660321827.html

Tested with the following script:

 #!/bin/sh

set -eu

ARMCLANG="env ARM_TOOL_VARIANT=ult $ARMC6_BIN_DIR/armclang"

build() {
    echo "$@"
    "$@" -Iinclude -c library/aria.c

}

build arm-none-eabi-gcc
build arm-none-eabi-gcc -march=armv5

build clang --target=arm-none-eabi
build clang --target=arm-none-eabi -march=armv5

build armcc
build armcc --gnu
build armcc --cpu=5T
build armcc --cpu=5T --gnu

build $ARMCLANG --target=arm-arm-none-eabi

check_asm() {
    rm -f aria.o
    build "$@"
    arm-none-eabi-objdump -d aria.o | grep rev16
}

check_asm arm-none-eabi-gcc -march=armv6-m -mthumb
check_asm arm-none-eabi-gcc -march=armv7-m -mthumb
check_asm arm-none-eabi-gcc -march=armv8-m.base -mthumb

check_asm arm-none-eabi-gcc -march=armv7-a -mthumb
check_asm arm-none-eabi-gcc -march=armv8-a -mthumb
check_asm arm-none-eabi-gcc -march=armv7-a -marm
check_asm arm-none-eabi-gcc -march=armv8-a -marm

check_asm clang --target=arm-none-eabi -march=armv6-m
check_asm clang --target=arm-none-eabi -march=armv7-a
check_asm clang --target=arm-none-eabi -march=armv7-m
check_asm clang --target=arm-none-eabi -march=armv7-r
check_asm clang --target=arm-none-eabi -march=armv8-a

check_asm armcc -O0 --cpu=6-M
check_asm armcc -O0 --cpu=7-M
check_asm armcc -O0 --cpu=6
check_asm armcc -O0 --cpu=7-A

check_asm $ARMCLANG --target=arm-arm-none-eabi -march=armv6-m
check_asm $ARMCLANG --target=arm-arm-none-eabi -march=armv7-a
check_asm $ARMCLANG --target=arm-arm-none-eabi -march=armv7-m
check_asm $ARMCLANG --target=arm-arm-none-eabi -march=armv7-r
check_asm $ARMCLANG --target=arm-arm-none-eabi -march=armv8-a
check_asm $ARMCLANG --target=arm-arm-none-eabi -march=armv8-m.base
2018-03-01 11:28:51 +01:00
Manuel Pégourié-Gonnard
7fc08795c1 aria: more whitespace fixes 2018-03-01 09:33:20 +01:00
Manuel Pégourié-Gonnard
5ad88b6d0d aria: define constants for block size and max rounds 2018-03-01 09:25:31 +01:00
Manuel Pégourié-Gonnard
3c80009615 aria: add error codes for hw implementations 2018-03-01 09:25:05 +01:00
Manuel Pégourié-Gonnard
f3a46a9b4f aria: fix some typos in comments 2018-03-01 09:25:05 +01:00
Manuel Pégourié-Gonnard
c0bb66f47e aria: improve compiler inline compatibility 2018-03-01 09:25:05 +01:00
mohammad1603
5bd15cbfa0 Avoid wraparound for ssl->in_left
Add check to avoid wraparound for ssl->in_left
2018-02-28 04:30:59 -08:00
Manuel Pégourié-Gonnard
4231e7f46f Fix some whitespace and other style issues
In addition to whitespace:
- wrapped a few long lines
- added parenthesis to return statements
2018-02-28 11:34:01 +01:00
Manuel Pégourié-Gonnard
377b2b624d aria: optimize byte perms on Arm
Use specific instructions for moving bytes around in a word. This speeds
things up, and as a side-effect, slightly lowers code size.

ARIA_P3 and ARIA_P1 are now 1 single-cycle instruction each (those
instructions are available in all architecture versions starting from v6-M).
Note: ARIA_P3 was already translated to a single instruction by Clang 3.8 and
armclang 6.5, but not arm-gcc 5.4 nor armcc 5.06.

ARIA_P2 is already efficiently translated to the minimal number of
instruction (1 in ARM mode, 2 in thumb mode) by all tested compilers

Manually compiled and inspected generated code with the following compilers:
arm-gcc 5.4, clang 3.8, armcc 5.06 (with and without --gnu), armclang 6.5.

Size reduction (arm-none-eabi-gcc -march=armv6-m -mthumb -Os): 5288 -> 5044 B

Effect on executing time of self-tests on a few boards:
FRDM-K64F   (Cortex-M4):    444 ->  385 us (-13%)
LPC1768     (Cortex-M3):    488 ->  432 us (-11%)
FRDM-KL64Z  (Cortex-M0):   1429 -> 1134 us (-20%)

Measured using a config.h with no cipher mode and the following program with
aria.c and aria.h copy-pasted to the online compiler:

 #include "mbed.h"
 #include "aria.h"

int main() {
    Timer t;
    t.start();
    int ret = mbedtls_aria_self_test(0);
    t.stop();
    printf("ret = %d; time = %d us\n", ret, t.read_us());
}
2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard
fb0e4f0d1a aria: optimise byte perms on Intel
(A similar commit for Arm follows.)

Use specific instructions for moving bytes around in a word. This speeds
things up, and as a side-effect, slightly lowers code size.

ARIA_P3 (aka reverse byte order) is now 1 instruction on x86, which speeds up
key schedule. (Clang 3.8 finds this but GCC 5.4 doesn't.)

I couldn't find an Intel equivalent of ARM's ret16 (aka ARIA_P1), so I made it
two instructions, which is still much better than the code generated with
the previous mask-shift-or definition, and speeds up en/decryption. (Neither
Clang 3.8 nor GCC 5.4 find this.)

Before:
O	aria.o	ins
s	7976	43,865
2	10520	37,631
3	13040	28,146

After:
O	aria.o	ins
s	7768	33,497
2	9816	28,268
3	11432	20,829

For measurement method, see previous commit:
"aria: turn macro into static inline function"
2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard
cac5008b17 aria: define P3 macro
This will allow to replace it with an optimised implementation later
2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard
f205a012b8 aria: comment implementation of A transform
The line-by-line comments were generated using the following Python 3 script:

 #!/usr/bin/python3

class Atom:
    def __init__(self, val):
        self.v = val

    def __str__(self):
        return self.v

    def p1(self):
        v = self.v
        return Atom(v[1] + v[0] + v[3] + v[2])

    def p2(self):
        v = self.v
        return Atom(v[2] + v[3] + v[0] + v[1])

    def __xor__(self, other):
        return Sum(self.tuple() + other.tuple())

    def tuple(self):
        return (self,)

class Sum:
    def __init__(self, terms):
        self.t = terms
        assert(type(terms) == tuple)
        for t in terms:
            assert(type(t) == Atom)

    def __str__(self):
        return '+'.join(sorted((str(t) for t in self.t),
                        key=lambda v: int(v, 16)))

    def p1(self):
        return Sum(tuple(t.p1() for t in self.t))

    def p2(self):
        return Sum(tuple(t.p2() for t in self.t))

    def tuple(self):
        return self.t

    def __xor__(self, other):
        return Sum(self.t + other.tuple())

class LoggingDict(dict):
    def __setitem__(self, key, val):
        print(key, '=', val)
        dict.__setitem__(self, key, val)

    def set(self, key, val):
        dict.__setitem__(self, key, val)

env = LoggingDict()

env.set('ra', Atom('0123'))
env.set('rb', Atom('4567'))
env.set('rc', Atom('89ab'))
env.set('rd', Atom('cdef'))
env.set('ARIA_P1', lambda x: x.p1())
env.set('ARIA_P2', lambda x: x.p2())

code = """
ta  =   rb;
rb  =   ra;
ra  =   ARIA_P2( ta );
tb  =   ARIA_P2( rd );
rd  =   ARIA_P1( rc );
rc  =   ARIA_P1( tb );
ta  ^=  rd;
tc  =   ARIA_P2( rb );
ta  =   ARIA_P1( ta ) ^ tc ^ rc;
tb  ^=  ARIA_P2( rd );
tc  ^=  ARIA_P1( ra );
rb  ^=  ta ^ tb;
tb  =   ARIA_P2( tb ) ^ ta;
ra  ^=  ARIA_P1( tb );
ta  =   ARIA_P2( ta );
rd  ^=  ARIA_P1( ta ) ^ tc;
tc  =   ARIA_P2( tc );
rc  ^=  ARIA_P1( tc ) ^ ta;
"""

exec(code, env)
2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard
35ad891aee aria: internal names closer to standard document 2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard
64744f88b6 aria: define SLA() as sl(a())
This decreases the size with -Os by nearly 1k while
not hurting performance too much with -O2 and -O3

Before:
O	aria.o	ins
s	8784	41,408
2	11112	37,001
3	13096	27,438

After:
O	aria.o	ins
s	7976	43,865
2	10520	37,631
3	13040	28,146

(See previous commit for measurement details.)
2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard
8c76a9489e aria: turn macro into static inline function
Besides documenting types better and so on, this give the compiler more room
to optimise either for size or performance.

Here are some before/after measurements of:
- size of aria.o in bytes (less is better)
- instruction count for the selftest function (less is better)
with various -O flags.

Before:
O	aria.o	ins
s	10896	37,256
2	11176	37,199
3	12248	27,752

After:
O	aria.o	ins
s	8784	41,408
2	11112	37,001
3	13096	27,438

The new version allows the compiler to reach smaller size with -Os while
maintaining (actually slightly improving) performance with -O2 and -O3.

Measurements were done on x86_64 (but since this is mainly about inlining
code, this should transpose well to other platforms) using the following
helper program and script, after disabling CBC, CFB and CTR in config.h, in
order to focus on the core functions.

==> st.c <==
 #include "mbedtls/aria.h"

int main( void ) {
    return mbedtls_aria_self_test( 0 );
}

==> p.sh <==
 #!/bin/sh

set -eu

ccount () {
    (
    valgrind --tool=callgrind --dump-line=no --callgrind-out-file=/dev/null --collect-atstart=no --toggle-collect=main $1
    ) 2>&1 | sed -n -e 's/.*refs: *\([0-9,]*\)/\1/p'
}

printf "O\taria.o\tins\n"
for O in s 2 3; do
    GCC="gcc -Wall -Wextra -Werror -Iinclude"

    $GCC -O$O -c library/aria.c
    $GCC -O1 st.c aria.o -o st
   ./st

    SIZE=$( du -b aria.o | cut -f1 )
    INS=$( ccount ./st )

    printf "$O\t$SIZE\t$INS\n"
done
2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard
a41ecdabed aria: closer to usual comment style
We're not absolutely consistent in the rest of the library, but we tend to use
C99-style comments less often.

Change to use C89-style comments everywhere except for end-of-line comments
2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard
56453937a1 aria: use mbedtls_zeroize() 2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard
c76ceb677b aria: move conditional outside of loop 2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard
9cc89248fe aria: use unsigned type for bit count 2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard
e1ad7491c5 aria: clean up interface of internal macros 2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard
a6d639e553 aria: improve some comments & internal names 2018-02-27 12:39:12 +01:00
Manuel Pégourié-Gonnard
af37f0f68f Add remaining ARIA suites to priority list
Those suites were defined in ciphersuite_definitions[] but not included in
ciphersuite_preference[] which meant they couldn't be negotiated unless
explicitly added by the user. Add them so that they're usable by default like
any other suite.
2018-02-27 12:39:12 +01:00
Markku-Juhani O. Saarinen
c06e1014e1 ARIA ciphersuites for TLS 1.2 2018-02-27 12:39:12 +01:00
Markku-Juhani O. Saarinen
07478d6f30 something to do with whitespaces 2018-02-27 12:39:12 +01:00
Markku-Juhani O. Saarinen
0fb47fe71f MBEDTLS_ARIA_ALT added as a feature 2018-02-27 12:39:12 +01:00
Markku-Juhani O. Saarinen
6ba68d4a3b ARIA init and free 2018-02-27 12:39:12 +01:00
Markku-Juhani O. Saarinen
3c0b53b2b0 ARIA build integration 2018-02-27 12:39:12 +01:00
Markku-Juhani O. Saarinen
259fa60f6c ARIA test vectors for CBC CFB CTR modes 2018-02-27 12:39:12 +01:00
Markku-Juhani O. Saarinen
41efbaabc9 ARIA cipher implementation 2018-02-27 12:39:12 +01:00
ILUXONCHIK
060fe37496 fix typo in pem.c 2018-02-25 20:59:09 +00:00
Gilles Peskine
b7f6086ba3 Merge branch 'prr_424' into development-proposed 2018-02-22 16:15:01 +01:00
Hanno Becker
e80cd463ef Adapt version_features.c 2018-02-22 15:02:47 +00:00
mohammad1603
4bbaeb4ffa Add guard to out_left to avoid negative values
return error when f_send return a value greater than out_left
2018-02-22 05:04:48 -08:00
Jaeden Amero
041039f81e MD: Make deprecated functions not inline
In 2.7.0, we replaced a number of MD functions with deprecated inline
versions. This causes ABI compatibility issues, as the functions are no
longer guaranteed to be callable when built into a shared library.
Instead, deprecate the functions without also inlining them, to help
maintain ABI backwards compatibility.
2018-02-22 10:24:30 +00:00
Gilles Peskine
8db3efbc76 Add missing MBEDTLS_DEPRECATED_REMOVED guards
Add missing MBEDTLS_DEPRECATED_REMOVED guards around the definitions
of mbedtls_aes_decrypt and mbedtls_aes_encrypt.
This fixes the build under -Wmissing-prototypes -Werror.

Fixes #1388
2018-02-21 19:16:20 +01:00
Gilles Peskine
d76d8bc9a5 Merge branch 'pr_1352' into development-proposed 2018-02-20 16:42:08 +01:00
Gilles Peskine
e6844ccf2b Merge branch 'pr_1135' into development-proposed 2018-02-14 17:20:42 +01:00
Gilles Peskine
42a97ac693 Merge branch 'pr_1219' into development-proposed 2018-02-14 16:17:21 +01:00
Paul Sokolovsky
8d6d8c84b1 ctr_drbg: Typo fix in the file description comment.
Signed-off-by: Paul Sokolovsky <paul.sokolovsky@linaro.org>
2018-02-10 11:11:41 +02:00
Antonio Quartulli
12ccef2761
pkcs5v2: add support for additional hmacSHA algorithms
Currently only SHA1 is supported as PRF algorithm for PBKDF2
(PKCS#5 v2.0).
This means that keys encrypted and authenticated using
another algorithm of the SHA family cannot be decrypted.

This deficiency has become particularly incumbent now that
PKIs created with OpenSSL1.1 are encrypting keys using
hmacSHA256 by default (OpenSSL1.0 used PKCS#5 v1.0 by default
and even if v2 was forced, it would still use hmacSHA1).

Enable support for all the digest algorithms of the SHA
family for PKCS#5 v2.0.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-02-08 17:18:15 +08:00
Ron Eldor
9566ff7913 Fix minor issues raised in PR review
1. Style issues fixes - remove redundant spacing.
2. Remove depency of `MBEDTLS_RSA_C` in `pk_parse_public_keyfile_rsa()`
tests, as the function itself is dependent on it.
2018-02-07 18:59:41 +02:00
Ron Eldor
85e1dcff6a Fix handshake failure in suite B
Fix handshake failure where PK key is translated as `MBEDTLS_ECKEY`
instead of `MBEDTLS_ECDSA`
2018-02-06 15:59:38 +02:00
Jaeden Amero
3b438d33c1 Update version to 2.7.0 2018-02-02 18:09:45 +00:00
Jaeden Amero
9564e97460 Merge branch 'development' into development-restricted 2018-01-30 17:04:47 +00:00
Rose Zadik
2f8163d3cd Improve CTR-DRBG documentation
- Rephrase file/function/parameter/enum/define/error descriptions into full
  and clear sentences.
- Make sure to adhere to the Arm writing guidelines.
- Fix missing/incorrect Doxygen tags.
- Standardize terminology used within the file.
- Add full standard name in file description.

GitHub PR: #1316
2018-01-30 16:22:05 +00:00
Rose Zadik
042e97fa75 Improve RSA documentation
- Rephrase file/function/parameter/enum/define/error descriptions into full
  and clear sentences.
- Make sure to adhere to the Arm writing guidelines.
- Fix missing/incorrect Doxygen tags.
- Standardize terminology used within the file.
- Rephrase the descriptions of all md_alg and hashlen parameters.

GitHub PR: #1327
2018-01-30 16:22:05 +00:00
Rose Zadik
41ad082484 Improve DHM documentation
- Rephrase file/function/parameter/enum/define/error descriptions into full
  and clear sentences.
- Make sure to adhere to the Arm writing guidelines.
- Fix missing/incorrect Doxygen tags.
- Standardize terminology used within the file.
- Standardize defines documentation

GitHub PR: #1323
2018-01-30 16:22:05 +00:00
Rose Zadik
9ba6b621de Improve cipher documentation
- Rephrase function/parameter/enum/define/error descriptions into full and
  clear sentences.
- Make sure to adhere to the Arm writing guidelines.
- Fix missing/incorrect Doxygen tags.
- Standardize terminology used within the file.

GitHub PR: #1306
2018-01-30 16:22:04 +00:00
Rose Zadik
eecdbea30f Improve CCM documentation
- Rephrase function/parameter/enum/define/error descriptions into full and
  clear sentences.
- Make sure to adhering to the Arm writing guidelines.
- Fix missing/incorrect Doxygen tags.
- Standardize terminology used within the file.
- Fix iv_len values per the standard.

GitHub PR: #1305
2018-01-30 16:22:04 +00:00
Rose Zadik
7f44127c71 Improve AES documentation
- Separate "\file" blocks from copyright, so that Doxygen doesn't repeat
  the copyright information in all the Detailed Descriptions.
- Improve phrasing and clarity of functions, parameters, defines and enums.

GitHub PR: #1292
2018-01-30 16:22:04 +00:00
Jaeden Amero
26342e54f5 Merge branch 'development' into development-restricted 2018-01-29 12:49:52 +00:00
Jaeden Amero
3b8fbaab87 Merge remote-tracking branch 'upstream-public/pr/1328' into development 2018-01-29 12:49:46 +00:00
Manuel Pégourié-Gonnard
5405962954 Fix alarm(0) failure on mingw32
A new test for mbedtls_timing_alarm(0) was introduced in PR 1136, which also
fixed it on Unix. Apparently test results on MinGW were not checked at that
point, so we missed that this new test was also failing on this platform.
2018-01-29 10:24:50 +01:00
Jaeden Amero
2acbf17b97 Merge branch 'development' into development-restricted 2018-01-26 20:57:38 +00:00
Jaeden Amero
751aa510c0 Merge remote-tracking branch 'upstream-public/pr/1303' into development 2018-01-26 20:48:55 +00:00
Jaeden Amero
784de59ccd Merge remote-tracking branch 'upstream-restricted/pr/410' into development-restricted
- Resolve ChangeLog conflicts
- Update Doxygen warning block in dhm.h to render correctly
- Prefix the exported identifier deprecated_constant_t with mbedtls_
2018-01-26 18:43:04 +00:00
Gilles Peskine
7ecab3df4c Error codes for hardware accelerator failures
Add MBEDTLS_ERR_XXX_HW_ACCEL_FAILED error codes for all cryptography
modules where the software implementation can be replaced by a hardware
implementation.

This does not include the individual message digest modules since they
currently have no way to return error codes.

This does include the higher-level md, cipher and pk modules since
alternative implementations and even algorithms can be plugged in at
runtime.
2018-01-26 17:56:38 +01:00
Jaeden Amero
a03587b848 Merge branch 'development' into development-restricted 2018-01-26 12:48:04 +00:00
Dvir Markovich
1b36499062 Improve CTR_DRBG error handling and cleanup
Check AES return values and return error when needed. Propagate the
underlying AES return code.

Perform more memory cleanup.
2018-01-26 11:40:31 +00:00
Jaeden Amero
66954e1c1f Merge branch 'development' into development-restricted 2018-01-25 17:28:31 +00:00
Jaeden Amero
005239e3ed Merge remote-tracking branch 'upstream-public/pr/1294' into development 2018-01-25 14:47:39 +00:00
Jaeden Amero
65ba60a975 Merge branch 'development' into development-restricted 2018-01-25 10:09:03 +00:00
Jaeden Amero
cef0c5a2c8 Merge remote-tracking branch 'upstream-public/pr/1304' into development 2018-01-25 10:07:39 +00:00
Jaeden Amero
3c082ce293 Merge branch 'development' into development-restricted 2018-01-24 15:17:15 +00:00
Jaeden Amero
fbeed6e2a5 Merge remote-tracking branch 'upstream-public/pr/1236' into development 2018-01-24 10:43:39 +00:00
Hanno Becker
616d1ca605 Add support for alternative ECJPAKE implementation
This commit allows users to provide alternative implementations of the
ECJPAKE interface through the configuration option MBEDTLS_ECJPAKE_ALT.
When set, the user must add `ecjpake_alt.h` declaring the same
interface as `ecjpake.h`, as well as add some compilation unit which
implements the functionality. This is in line with the preexisting
support for alternative implementations of other modules.
2018-01-24 10:36:22 +00:00
Andres Amaya Garcia
e9124b943d Ensure that mbedtls_pk_parse_key() does not allocate 0 bytes 2018-01-23 20:03:52 +00:00
Andres Amaya Garcia
c9d6226d2c Change formatting of allocation check in x509_crl 2018-01-23 19:37:44 +00:00
Andres Amaya Garcia
cb5123fa86 Ensure memcpy is not called with NULL and 0 args in x509 module 2018-01-23 19:37:44 +00:00
Andres Amaya Garcia
f1ee63562a Style fixes in pem, x509_crl and buf_alloc 2018-01-23 19:37:44 +00:00
Andres AG
9cf1f96a7b Fix corner case uses of memory_buffer_alloc.c
The corner cases fixed include:
    * Allocating a buffer of size 0. With this change, the allocator now
      returns a NULL pointer in this case. Note that changes in pem.c and
      x509_crl.c were required to fix tests that did not work under this
      assumption.
    * Initialising the allocator with less memory than required for headers.
    * Fix header chain checks for uninitialised allocator.
2018-01-23 19:37:44 +00:00
Gilles Peskine
342d928e8d Fix proprocessor directives for MBEDTLS_RIPEMD160_ALT 2018-01-23 18:21:21 +01:00
Gilles Peskine
a381fe84ce Add HW_FAILED error codes for message digest modules
New error codes to report failures from alternative implementations of
MD2, MD4, MD5, RIPEMD160, SHA-1, SHA-256, SHA-512.
2018-01-23 18:16:11 +01:00
Gilles Peskine
41b40e6463 Merge remote-tracking branch 'upstream-restricted/pr/441' into development-restricted 2018-01-23 00:59:51 +01:00
Gilles Peskine
aaaa98cd60 Merge branch 'development-proposed' into development-restricted 2018-01-23 00:59:17 +01:00
Gilles Peskine
ff812804fb Merge branch 'pr_1239' into development-proposed 2018-01-23 00:58:13 +01:00
Gilles Peskine
50346e9f22 Merge remote-tracking branch 'upstream-public/pr/1150' into development-proposed 2018-01-23 00:56:48 +01:00
Ron Eldor
5e9f14d4d9 Set correct minimal versions in default conf
Set `MBEDTLS_SSL_MIN_MAJOR_VERSION` and `MBEDTLS_SSL_MIN_MINOR_VERSION`
instead of `MBEDTLS_SSL_MAJOR_VERSION_3` and `MBEDTLS_SSL_MINOR_VERSION_1`
2018-01-22 22:06:44 +01:00
Gilles Peskine
9e4f77c606 New MD API: rename functions from _ext to _ret
The _ext suffix suggests "new arguments", but the new functions have
the same arguments. Use _ret instead, to convey that the difference is
that the new functions return a value.
2018-01-22 11:54:42 +01:00
Gilles Peskine
d91f2a26cb Merge branch 'development' into iotssl-1251-2.7
Conflict resolution:

* ChangeLog: put the new entries in their rightful place.
* library/x509write_crt.c: the change in development was whitespace
  only, so use the one from the iotssl-1251 feature branch.
2018-01-19 11:25:10 +01:00
Gilles Peskine
d40c22ba20 Merge branch 'development' into development-restricted 2018-01-17 08:03:33 +01:00
Hanno Becker
87ae197f3e Add explicit uint truncation casts
This commit adds some explicit downcasts from `size_t` to `uint8_t` in
the RSASSA signature encoding function `rsa_rsassa_pkcs1_v15_encode`.
The truncation is safe as it has been checked beforehand that the
respective values are in the range of a `uint8_t`.
2018-01-15 15:27:56 +00:00
Hanno Becker
71b0060af7 Merge branch 'development' into iotssl-247 2018-01-15 11:31:34 +00:00
Jaeden Amero
31f3f0b87b Merge branch 'development' into development-restricted 2018-01-10 13:17:02 +00:00
Hanno Becker
d4d60579e4 Address issues found by coverity
1) `mbedtls_rsa_import_raw` used an uninitialized return
   value when it was called without any input parameters.
   While not sensible, this is allowed and should be a
   succeeding no-op.

2) The MPI test for prime generation missed a return value
   check for a call to `mbedtls_mpi_shift_r`. This is neither
   critical nor new but should be fixed.

3) Both the RSA keygeneration example program and the
   RSA test suites contained code initializing an RSA context
   after a potentially failing call to CTR DRBG initialization,
   leaving the corresponding RSA context free call in the
   cleanup section of the respective function orphaned.
   While this defect existed before, Coverity picked up on
   it again because of newly introduced MPI's that were
   also wrongly initialized only after the call to CTR DRBG
   init. The commit fixes both the old and the new issue
   by moving the initializtion of both the RSA context and
   all MPI's prior to the first potentially failing call.
2018-01-10 07:30:47 +00:00
nirekh01
d569ecfc2c Add some corrections based on code review
-Add the DHM_ALT in an alphabetical order
-Close correctly the 'extern "C" { ...'
2018-01-09 16:43:21 +00:00
Jaeden Amero
f342cb791b Merge branch 'development' into development-restricted 2018-01-09 13:16:37 +00:00
Manuel Pégourié-Gonnard
239987fd31 Fix heap-buffer overread in ALPN ext parsing 2018-01-09 13:48:38 +01:00
Jaeden Amero
0bc9e30435 Merge remote-tracking branch 'upstream-public/pr/1060' into development 2018-01-09 12:20:54 +00:00
Jaeden Amero
7de0b8aae7 Merge remote-tracking branch 'upstream-public/pr/1046' into development 2018-01-09 11:31:55 +00:00
Jaeden Amero
35285cca67 Merge remote-tracking branch 'upstream-public/pr/1027' into development 2018-01-09 10:42:03 +00:00
Johannes H
4e5d23fad7 corrected a typo in a comment 2018-01-06 09:46:57 +01:00
Hanno Becker
3a760a1857 Add size check for RSA modulus to mbedtls_rsa_complete
The function `mbedtls_rsa_complete` is supposed to guarantee that
RSA operations will complete without failure. In contrast, it does
not ensure consistency of parameters, which is the task of the
checking functions `rsa_check_pubkey` and `rsa_check_privkey`.

Previously, the maximum allowed size of the RSA modulus was checked
in `mbedtls_rsa_check_pubkey`. However, exceeding this size would lead
to failure of some RSA operations, hence this check belongs to
`mbedtls_rsa_complete` rather than `mbedtls_rsa_check_pubkey`.
This commit moves it accordingly.
2018-01-05 08:14:49 +00:00
Hanno Becker
895c5ab88e Preserve old behavior by checking public key in RSA parsing function
The function `pk_get_rsapubkey` originally performed some basic
sanity checks (e.g. on the size of public exponent) on the parsed
RSA public key by a call to `mbedtls_rsa_check_pubkey`.
This check was dropped because it is not possible to thoroughly
check full parameter sanity (i.e. that (-)^E is a bijection on Z/NZ).

Still, for the sake of not silently changing existing behavior,
this commit puts back the call to `mbedtls_rsa_check_pubkey`.
2018-01-05 08:08:09 +00:00
Hanno Becker
88683b2c6d Correct all.sh and config.h after merge commit
- Adapt the change in all.sh to the new keep-going mode
- Restore alphabetical order of configuration flags for
  alternative implementations in config.h and rebuild
  library/version_features.c
2018-01-04 18:48:32 +00:00
Hanno Becker
8bc74d6f2f Merge branch 'development' into iotssl-1619 2018-01-03 10:24:02 +00:00
Hanno Becker
4952e7a8d6 Add explicit type cast to avoid truncation warning
`mbedtls_rsa_deduce_primes` implicitly casts the result of a call to
`mbedtls_mpi_lsb` to a `uint16_t`. This is safe because of the size
of MPI's used in the library, but still may have compilers complain
about it. This commit makes the cast explicit.
2018-01-03 09:27:40 +00:00
Gilles Peskine
07d1078cdc Merge branch 'development' into development-restricted 2018-01-02 17:45:08 +01:00
Gilles Peskine
17196cd3be Merge remote-tracking branch 'upstream-public/pr/964' into development 2018-01-02 16:24:29 +01:00
Gilles Peskine
197a6d454b Merge remote-tracking branch 'upstream-public/pr/1097' into development 2018-01-02 16:09:15 +01:00
Gilles Peskine
3fcc045c23 Merge remote-tracking branch 'upstream-public/pr/866' into development
Conflict resolution: additions in the same places as
upstream-public/pr/865, both adding into lexicographically sorted
lists, resolved by taking the additions in lexicographic order.
2018-01-02 15:55:55 +01:00
Gilles Peskine
7c483b6765 Merge remote-tracking branch 'upstream-public/pr/865' into development 2018-01-02 15:35:18 +01:00
nirekh01
08ba530bff Remove some extra lines
Remove some extra lines as was requested in code review
2017-12-28 16:21:38 +00:00
Manuel Pégourié-Gonnard
eb2a6ab518 Merge branch 'development' into development-restricted
* development:
  Timing self test: shorten redundant tests
  Timing self test: increased duration
  Timing self test: increased tolerance
  Timing unit tests: more protection against infinite loops
  Unit test for mbedtls_timing_hardclock
  New timing unit tests
  selftest: allow excluding a subset of the tests
  selftest: allow running a subset of the tests
  selftest: refactor to separate the list of tests from the logic
  Timing self test: print some diagnosis information
  mbedtls_timing_get_timer: don't use uninitialized memory
  timing interface documentation: minor clarifications
  Timing: fix mbedtls_set_alarm(0) on Unix/POSIX
2017-12-26 10:42:50 +01:00
Manuel Pégourié-Gonnard
ae3925c774 Merge remote-tracking branch 'public/pr/1136' into development
* public/pr/1136:
  Timing self test: shorten redundant tests
  Timing self test: increased duration
  Timing self test: increased tolerance
  Timing unit tests: more protection against infinite loops
  Unit test for mbedtls_timing_hardclock
  New timing unit tests
  selftest: allow excluding a subset of the tests
  selftest: allow running a subset of the tests
  selftest: refactor to separate the list of tests from the logic
  Timing self test: print some diagnosis information
  mbedtls_timing_get_timer: don't use uninitialized memory
  timing interface documentation: minor clarifications
  Timing: fix mbedtls_set_alarm(0) on Unix/POSIX
2017-12-26 10:42:20 +01:00
nirekh01
49762fa21f Add 'MBEDTLS_DHM_ALT' #DEFINE to library/config.h
Add 'MBEDTLS_DHM_ALT' #DEFINE to library/config.h to support alternate DHM
2017-12-25 06:46:48 +00:00
Reuven Levin
1f35ca9471 Added alternated Diffie-Hellman module.
1. Add modified files dhm.c and dhm.h
2017-12-25 06:42:59 +00:00
Micha Kraus
ba8316f790 fix bug in get_one_and_zeros_padding()
add test case (“0000000082”) which fails with the old implementation.
2017-12-23 23:40:08 +01:00
Hanno Becker
32297e8314 Merge branch 'development' into iotssl-1619 2017-12-22 10:24:32 +00:00
Ron Eldor
621080d7c6 Fix compilation issue weh self test defined
1. Surround the generate keys with
`#if ! defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)`
to resolve build issue when `MBEDTLS_SELF_TEST` is defined for
alternative CMAC as well
2. Update ChangeLog
2017-12-21 10:57:43 +02:00
Gilles Peskine
ada3ee8b9d Timing self test: shorten redundant tests
We don't need to test multiple delays in a self-test.
Save 5s of busy-wait.
2017-12-20 22:31:17 +01:00
Gilles Peskine
8873bcc4de Timing self test: increased duration
Increase the duration of the self test, otherwise it tends to fail on
a busy machine even with the recently upped tolerance. But run the
loop only once, it's enough for a simple smoke test.
2017-12-20 21:57:48 +01:00
Gilles Peskine
0f59b130a9 Timing self test: increased tolerance
mbedtls_timing_self_test fails annoyingly often when running on a busy
machine such as can be expected of a continous integration system.
Increase the tolerances in the delay test, to reduce the chance of
failures that are only due to missing a deadline on a busy machine.
2017-12-20 21:57:48 +01:00
Gilles Peskine
0827d5c07d Timing self test: print some diagnosis information
Print some not-very-nice-looking but helpful diagnosis information if
the timing selftest fails. Since the failures tend to be due to heavy
system load that's hard to reproduce, this information is necessary to
understand what's going on.
2017-12-20 19:22:30 +01:00
Gilles Peskine
d92f0aa3be mbedtls_timing_get_timer: don't use uninitialized memory
mbedtls_timing_get_timer with reset=1 is called both to initialize a
timer object and to reset an already-initialized object. In an
initial call, the content of the data structure is indeterminate, so
the code should not read from it. This could crash if signed overflows
trap, for example.

As a consequence, on reset, we can't return the previously elapsed
time as was previously done on Windows. Return 0 as was done on Unix.
2017-12-20 18:53:52 +01:00
Gilles Peskine
a0af95f052 Timing: fix mbedtls_set_alarm(0) on Unix/POSIX
The POSIX/Unix implementation of mbedtls_set_alarm did not set the
mbedtls_timing_alarmed flag when called with 0, which was inconsistent
with what the documentation implied and with the Windows behavior.
2017-12-20 18:50:03 +01:00
Manuel Pégourié-Gonnard
a268da9478 Fix undefined function in platform.c
The bug was introduced in 79a2e7ef06 and is not present in the default
configuration, which let it go unnoticed so far.
2017-12-20 12:52:49 +01:00
Gilles Peskine
82d607eb9e Merge remote-tracking branch 'upstream-restricted/pr/433' into development-restricted 2017-12-19 19:20:27 +01:00
Manuel Pégourié-Gonnard
4813f15ce5 Merge branch 'development' into development-restricted
* development:
  Address PR review comments
  Fix crash when calling `mbedtls_ssl_cache_free` twice
2017-12-19 11:39:35 +01:00
Manuel Pégourié-Gonnard
705c52f5ec Merge remote-tracking branch 'public/pr/1145' into development
* public/pr/1145:
  Address PR review comments
  Fix crash when calling `mbedtls_ssl_cache_free` twice
2017-12-19 11:37:36 +01:00
Manuel Pégourié-Gonnard
d04c623ed6 Merge remote-tracking branch 'restricted/pr/403' into development-restricted
* restricted/pr/403:
  Correct record header size in case of TLS
  Don't allocate space for DTLS header if DTLS is disabled
  Improve debugging output
  Adapt ChangeLog
  Add run-time check for handshake message size in ssl_write_record
  Add run-time check for record content size in ssl_encrypt_buf
  Add compile-time checks for size of record content and payload
2017-12-19 11:31:20 +01:00
Manuel Pégourié-Gonnard
1827368b01 Merge branch 'development' into development-restricted
* development:
  Don't split error code description across multiple lines
  Register new error code in error.h
  Move deprecation to separate section in ChangeLog
  Extend scope of ERR_RSA_UNSUPPORTED_OPERATION error code
  Adapt RSA test suite
  Adapt ChangeLog
  Deprecate usage of RSA primitives with wrong key type
2017-12-19 11:28:36 +01:00
Manuel Pégourié-Gonnard
4712119687 Merge remote-tracking branch 'restricted/pr/397' into development
* restricted/pr/397:
  Don't split error code description across multiple lines
  Register new error code in error.h
  Move deprecation to separate section in ChangeLog
  Extend scope of ERR_RSA_UNSUPPORTED_OPERATION error code
  Adapt RSA test suite
  Adapt ChangeLog
  Deprecate usage of RSA primitives with wrong key type
2017-12-19 11:27:22 +01:00
Manuel Pégourié-Gonnard
b053efb295 Fix magic constant in previous commit 2017-12-19 10:03:46 +01:00
Manuel Pégourié-Gonnard
464147cadc Fix SSLv3 MAC computation
In a previous PR (Fix heap corruption in implementation of truncated HMAC
extension #425) the place where MAC is computed was changed from the end of
the SSL I/O buffer to a local buffer (then (part of) the content of the local
buffer is either copied to the output buffer of compare to the input buffer).

Unfortunately, this change was made only for TLS 1.0 and later, leaving SSL
3.0 in an inconsistent state due to ssl_mac() still writing to the old,
hard-coded location, which, for MAC verification, resulted in later comparing
the end of the input buffer (containing the computed MAC) to the local buffer
(uninitialised), most likely resulting in MAC verification failure, hence no
interop (even with ourselves).

This commit completes the move to using a local buffer by using this strategy
for SSL 3.0 too. Fortunately ssl_mac() was static so it's not a problem to
change its signature.
2017-12-18 18:04:59 +01:00
Manuel Pégourié-Gonnard
6774fa6e87 Merge branch 'development' into development-restricted
* development:
  Add --no-yotta option to all.sh
  Fix build without MBEDTLS_FS_IO
2017-12-18 11:43:35 +01:00
Manuel Pégourié-Gonnard
535553e7d8 Merge remote-tracking branch 'public/pr/1184' into development
* public/pr/1184:
  Add --no-yotta option to all.sh
  Fix build without MBEDTLS_FS_IO
2017-12-18 11:42:30 +01:00
Hanno Becker
1434a365a6 Don't split error code description across multiple lines 2017-12-13 11:24:49 +00:00
Gilles Peskine
880c6e74a1 Merge branch 'development' into development-restricted 2017-12-04 18:00:26 +00:00
Gilles Peskine
ff01e009e6 Merge branch 'pr_1043' into development 2017-12-01 23:42:17 +01:00
Gilles Peskine
e3783da0b2 Merge remote-tracking branch 'upstream-public/pr/1172' into development 2017-12-01 22:36:21 +01:00
Gilles Peskine
02e28fe0fd Merge remote-tracking branch 'upstream-restricted/pr/425' into development-restricted 2017-12-01 17:58:12 +01:00
Gilles Peskine
832f349f93 Fix build without MBEDTLS_FS_IO
Fix missing definition of mbedtls_zeroize when MBEDTLS_FS_IO is
disabled in the configuration.

Introduced by e7707228b4
    Merge remote-tracking branch 'upstream-public/pr/1062' into development
2017-11-30 12:03:27 +01:00
Gilles Peskine
0960f0663e Merge branch 'development' into development-restricted 2017-11-29 21:07:55 +01:00
Gilles Peskine
0884f4811b Merge remote-tracking branch 'upstream-public/pr/1141' into development 2017-11-29 20:50:59 +01:00
Gilles Peskine
183de312f9 Merge remote-tracking branch 'upstream-public/pr/895' into development 2017-11-29 20:49:21 +01:00
Hanno Becker
1df4923eb1 Remove compile-time deprecation warning for TRUNCATED_HMAC_COMPAT 2017-11-29 16:55:56 +00:00
Gilles Peskine
7fb29b17c7 Merge branch 'development' into development-restricted 2017-11-28 18:46:09 +01:00
Gilles Peskine
4daffe236a Merge branch 'pr_1025' into development
Merge PR #1025 + ChangeLog entry
2017-11-28 18:23:53 +01:00
Gilles Peskine
ea8d697fa2 Merge remote-tracking branch 'upstream-public/pr/1089' into development
Resolve trivial conflict due to additions in the same place in
tests/data_files/Makefile; minor comment/whitespace presentation
improvements.
2017-11-28 17:32:32 +01:00
Gilles Peskine
f2421210a5 Merge remote-tracking branch 'upstream-public/pr/828' into development 2017-11-28 17:22:37 +01:00
Gilles Peskine
9c3573a962 Merge remote-tracking branch 'upstream-public/pr/988' into development 2017-11-28 17:08:03 +01:00
Gilles Peskine
41e974178f Merge remote-tracking branch 'upstream-restricted/pr/419' into development-restricted
Resolved simple conflicts caused by the independent addition of
calls to mbedtls_zeroize with sometimes whitespace or comment
differences.
2017-11-28 16:16:27 +01:00
Gilles Peskine
9c8ac0ce2c Merge remote-tracking branch 'upstream-restricted/pr/404' into development-restricted 2017-11-28 15:50:02 +01:00
Hanno Becker
6e5dd79a43 Fix compilation warning on MSVC
MSVC complains about the negation in `(uint32_t) -1u`. This commit fixes this by
using `(uint32_t) -1` instead.
2017-11-28 14:34:04 +00:00
Gilles Peskine
7ca6d1fdd4 Merge remote-tracking branch 'upstream-restricted/pr/399' into development-restricted 2017-11-28 14:17:53 +01:00
Gilles Peskine
c753f5daf4 Merge remote-tracking branch 'upstream-restricted/pr/369' into development-restricted 2017-11-28 14:16:47 +01:00
Hanno Becker
63073aa3d3 Don't require P,Q in rsa_private in case of non-blinded non-CRT
For non-CRT, P and Q are only used for the purpose of blinding the exponent.
2017-11-27 15:33:18 +00:00
Gilles Peskine
2507267cd4 Merge branch 'development' into development-restricted 2017-11-24 16:05:49 +01:00
Gilles Peskine
e7707228b4 Merge remote-tracking branch 'upstream-public/pr/1062' into development 2017-11-24 15:35:50 +01:00
Gilles Peskine
7635cde35c Merge branch 'development' into development-restricted 2017-11-23 20:06:04 +01:00
Gilles Peskine
68306ed31f Merge remote-tracking branch 'upstream-public/pr/1094' into development 2017-11-23 20:02:46 +01:00
Gilles Peskine
1a2640c025 Merge branch 'iotssl-1368-unsafe-bounds-check-psk-identity-merge' into development-restricted 2017-11-23 18:58:30 +01:00
Manuel Pégourié-Gonnard
bfa8df4c7e Merge remote-tracking branch 'restricted/pr/416' into development-restricted
* restricted/pr/416:
  RSA PSS: remove redundant check; changelog
  RSA PSS: fix first byte check for keys of size 8N+1
  RSA PSS: fix minimum length check for keys of size 8N+1
  RSA: Fix another buffer overflow in PSS signature verification
  RSA: Fix buffer overflow in PSS signature verification
2017-11-23 12:10:01 +01:00
Hanno Becker
4c2ac7ef58 Deprecate MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT 2017-11-21 18:28:35 +00:00
Hanno Becker
563423fb21 Improve documentation of MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT option
Explain more clearly when this option should be used and which versions of Mbed
TLS build on the non-compliant implementation.
2017-11-21 17:20:17 +00:00
Hanno Becker
e89353a6b4 Add fallback to non-compliant truncated HMAC for compatibiltiy
In case truncated HMAC must be used but the Mbed TLS peer hasn't been updated
yet, one can use the compile-time option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT to
temporarily fall back to the old, non-compliant implementation of the truncated
HMAC extension.
2017-11-20 16:50:43 +00:00
Hanno Becker
81c7b18351 Don't truncate MAC key when truncated HMAC is negotiated
The truncated HMAC extension as described in
https://tools.ietf.org/html/rfc6066.html#section-7 specifies that when truncated
HMAC is used, only the HMAC output should be truncated, while the HMAC key
generation stays unmodified. This commit fixes Mbed TLS's behavior of also
truncating the key, potentially leading to compatibility issues with peers
running other stacks than Mbed TLS.

Details:
The keys for the MAC are pieces of the keyblock that's generated from the
master secret in `mbedtls_ssl_derive_keys` through the PRF, their size being
specified as the size of the digest used for the MAC, regardless of whether
truncated HMAC is enabled or not.

             /----- MD size ------\ /------- MD size ----\
Keyblock    +----------------------+----------------------+------------------+---
now         |     MAC enc key      |      MAC dec key     |     Enc key      |  ...
(correct)   +----------------------+----------------------+------------------+---

In the previous code, when truncated HMAC was enabled, the HMAC keys
were truncated to 10 bytes:

             /-10 bytes-\  /-10 bytes-\
Keyblock    +-------------+-------------+------------------+---
previously  | MAC enc key | MAC dec key |     Enc key      |  ...
(wrong)     +-------------+-------------+------------------+---

The reason for this was that a single variable `transform->maclen` was used for
both the keysize and the size of the final MAC, and its value was reduced from
the MD size to 10 bytes in case truncated HMAC was negotiated.

This commit fixes this by introducing a temporary variable `mac_key_len` which
permanently holds the MD size irrespective of the presence of truncated HMAC,
and using this temporary to obtain the MAC key chunks from the keyblock.
2017-11-20 16:25:50 +00:00
Hanno Becker
992b6872f3 Fix heap corruption in ssl_decrypt_buf
Previously, MAC validation for an incoming record proceeded as follows:

1) Make a copy of the MAC contained in the record;
2) Compute the expected MAC in place, overwriting the presented one;
3) Compare both.

This resulted in a record buffer overflow if truncated MAC was used, as in this
case the record buffer only reserved 10 bytes for the MAC, but the MAC
computation routine in 2) always wrote a full digest.

For specially crafted records, this could be used to perform a controlled write of
up to 6 bytes past the boundary of the heap buffer holding the record, thereby
corrupting the heap structures and potentially leading to a crash or remote code
execution.

This commit fixes this by making the following change:
1) Compute the expected MAC in a temporary buffer that has the size of the
   underlying message digest.
2) Compare to this to the MAC contained in the record, potentially
   restricting to the first 10 bytes if truncated HMAC is used.

A similar fix is applied to the encryption routine `ssl_encrypt_buf`.
2017-11-20 08:52:25 +00:00
Darryl Green
c64a48bec7 Add checks for private parameter in mbedtls_ecdsa_sign() 2017-11-17 17:09:17 +00:00