From e082c1838981378937b0a79fb425e21dd5e37616 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 11 Aug 2018 00:42:21 +0200 Subject: [PATCH 01/28] pk_write test cases with short/long private key Add pk_write test cases where the ASN.1 INTEGER encoding of the private value would not have the mandatory size for the OCTET STRING that contains the value. ec_256_long_prv.pem is a random secp256r1 private key, selected so that the private value is >= 2^255, i.e. the top bit of the first byte is set (which would cause the INTEGER encoding to have an extra leading 0 byte). ec_521_short_prv.pem is a random secp521r1 private key, selected so that the private value is < 2^519, i.e. the first byte is 0 and the top bit of the second byte is 0 (which would cause the INTEGER encoding to have one less 0 byte at the start). --- tests/data_files/ec_256_long_prv.pem | 5 +++++ tests/data_files/ec_521_short_prv.pem | 7 +++++++ tests/suites/test_suite_pkwrite.data | 8 ++++++++ 3 files changed, 20 insertions(+) create mode 100644 tests/data_files/ec_256_long_prv.pem create mode 100644 tests/data_files/ec_521_short_prv.pem diff --git a/tests/data_files/ec_256_long_prv.pem b/tests/data_files/ec_256_long_prv.pem new file mode 100644 index 000000000..5141e30b4 --- /dev/null +++ b/tests/data_files/ec_256_long_prv.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIIcex4mqXsQamUKTVf8vXmTAJrQvGjh5mXG8p9+OR4xAoAoGCCqGSM49 +AwEHoUQDQgAEqJ2HQjPpc6fDwE/vSa6U35USXawkTo98y4U6NsAl+rOGuqMPEFXf +P1Srm/Jrzwa/RuppRL5kgyAsGJTUmwZEzQ== +-----END EC PRIVATE KEY----- diff --git a/tests/data_files/ec_521_short_prv.pem b/tests/data_files/ec_521_short_prv.pem new file mode 100644 index 000000000..427b7ad47 --- /dev/null +++ b/tests/data_files/ec_521_short_prv.pem 
@@ -0,0 +1,7 @@ +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIAOXdk7W+Hf5L7Hc9fKe44wmpaRNs5ERFTkv5CrlXv/Bu3y28M673q +vBNo7a/UE/6NNQHu2pQODEYFpMg6R34b5SigBwYFK4EEACOhgYkDgYYABAFUMHXV +KPA4vkMgq+pFgDoH96XoM517gF2GJFV6h2gLhykzIHL/otAyEpAStw7MBvbU0V21 +ixB+hjqzO7Snxaj9mwB8g87OKxm5eGfsqvJNPdJ0RZ/EKy06Ukg6KThlhQeyrtIk +g5PTCrPnNszlffAy6/jCOe3Moi59g15H13sSzwfX6g== +-----END EC PRIVATE KEY----- diff --git a/tests/suites/test_suite_pkwrite.data b/tests/suites/test_suite_pkwrite.data index c8ff1773c..16d0dd627 100644 --- a/tests/suites/test_suite_pkwrite.data +++ b/tests/suites/test_suite_pkwrite.data @@ -30,10 +30,18 @@ Private key write check EC 192 bits depends_on:MBEDTLS_ECP_C:MBEDTLS_BASE64_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED pk_write_key_check:"data_files/ec_prv.sec1.pem" +Private key write check EC 256 bits (top bit set) +depends_on:MBEDTLS_ECP_C:MBEDTLS_BASE64_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED +pk_write_key_check:"data_files/ec_256_long_prv.pem" + Private key write check EC 521 bits depends_on:MBEDTLS_ECP_C:MBEDTLS_BASE64_C:MBEDTLS_ECP_DP_SECP521R1_ENABLED pk_write_key_check:"data_files/ec_521_prv.pem" +Private key write check EC 521 bits (top byte is 0) +depends_on:MBEDTLS_ECP_C:MBEDTLS_BASE64_C:MBEDTLS_ECP_DP_SECP521R1_ENABLED +pk_write_key_check:"data_files/ec_521_short_prv.pem" + Private key write check EC Brainpool 512 bits depends_on:MBEDTLS_ECP_C:MBEDTLS_BASE64_C:MBEDTLS_ECP_DP_BP512R1_ENABLED pk_write_key_check:"data_files/ec_bp512_prv.pem" From a7cfdad82e5bb9e94fc001bab2f6a71b8f49234f Mon Sep 17 00:00:00 2001 
From: Gilles Peskine Date: Sat, 11 Aug 2018 00:48:44 +0200 Subject: [PATCH 02/28] Fix pk_write with an EC key to write a constant-length private value When writing a private EC key, use a constant size for the private value, as specified in RFC 5915. Previously, the value was written as an ASN.1 INTEGER, which caused the size of the key to leak about 1 bit of information on average, and could cause the value to be 1 byte too large for the output buffer. --- library/pkwrite.c | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/library/pkwrite.c b/library/pkwrite.c index 8eabd889b..4ae38af0a 100644 --- a/library/pkwrite.c +++ b/library/pkwrite.c @@ -37,7 +37,9 @@ #include "mbedtls/rsa.h" #endif #if defined(MBEDTLS_ECP_C) +#include "mbedtls/bignum.h" #include "mbedtls/ecp.h" +#include "mbedtls/platform_util.h" #endif #if defined(MBEDTLS_ECDSA_C) #include "mbedtls/ecdsa.h" @@ -143,6 +145,26 @@ static int pk_write_ec_param( unsigned char **p, unsigned char *start, return( (int) len ); } + +/* + * privateKey OCTET STRING -- always of length ceil(log2(n)/8) + */ +static int pk_write_ec_private( unsigned char **p, unsigned char *start, + mbedtls_ecp_keypair *ec ) +{ + int ret; + size_t byte_length = ( ec->grp.pbits + 7 ) / 8; + unsigned char tmp[MBEDTLS_ECP_MAX_BYTES]; + + ret = mbedtls_mpi_write_binary( &ec->d, tmp, byte_length ); + if( ret != 0 ) + goto exit; + ret = mbedtls_asn1_write_octet_string( p, start, tmp, byte_length ); + +exit: + mbedtls_platform_zeroize( tmp, byte_length ); + return( ret ); +} #endif /* MBEDTLS_ECP_C */ int mbedtls_pk_write_pubkey( unsigned char **p, unsigned char *start, 
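Review bot: pk_write_ec_private sizes the OCTET STRING from `ec->grp.pbits`, while its own header comment (and RFC 5915) give the length as ceil(log2(n)/8), i.e. the bit length of the group order; for a curve whose order is longer than its field prime (secp224k1 has a 225-bit n over a 224-bit p) a private value at or above 2^224 would not fit in `byte_length` bytes and `mbedtls_mpi_write_binary` would fail, so `( ec->grp.nbits + 7 ) / 8` looks like the intended quantity — worth confirming against how the group struct fills nbits. The function also writes `byte_length` bytes into `tmp[MBEDTLS_ECP_MAX_BYTES]` with no bound check; a guard such as `if( byte_length > sizeof( tmp ) ) return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );` before the write keeps a mis-sized group from overrunning the stack buffer. Zeroizing `tmp` on the failure path as well as on success is the right choice for key material and should stay.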
@@ -340,9 +362,8 @@ int mbedtls_pk_write_key_der( mbedtls_pk_context *key, unsigned char *buf, size_ MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) ); len += par_len; - /* privateKey: write as MPI then fix tag */ - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &c, buf, &ec->d ) ); - *c = MBEDTLS_ASN1_OCTET_STRING; + /* privateKey */ + MBEDTLS_ASN1_CHK_ADD( len, pk_write_ec_private( &c, buf, ec ) ); /* version */ MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, buf, 1 ) ); From 5215783d5627f8efefa8e9fe19a917a8e035632c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 11 Aug 2018 00:51:04 +0200 Subject: [PATCH 03/28] Add ChangeLog entry --- ChangeLog | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/ChangeLog b/ChangeLog index 4c09593b7..bed180def 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,14 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS 2.x.x branch released xxxx-xx-xx + +Security + * When writing a private EC key, use a constant size for the private + value, as specified in RFC 5915. Previously, the value was written + as an ASN.1 INTEGER, which caused the size of the key to leak + about 1 bit of information on average and could cause the value to be + 1 byte too large for the output buffer. + = mbed TLS 2.12.0 branch released 2018-07-25 Security From cd218f86f61dcbf1443655ac1dcde5df8968d131 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 6 Nov 2018 14:38:06 +0100 Subject: [PATCH 04/28] Fix copypasta in test dependency --- tests/suites/test_suite_pkwrite.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_pkwrite.data b/tests/suites/test_suite_pkwrite.data index 16d0dd627..e0101ccdf 100644 --- a/tests/suites/test_suite_pkwrite.data +++ b/tests/suites/test_suite_pkwrite.data 
@@ -31,7 +31,7 @@ depends_on:MBEDTLS_ECP_C:MBEDTLS_BASE64_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED pk_write_key_check:"data_files/ec_prv.sec1.pem" Private key write check EC 256 bits (top bit set) -depends_on:MBEDTLS_ECP_C:MBEDTLS_BASE64_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED +depends_on:MBEDTLS_ECP_C:MBEDTLS_BASE64_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED pk_write_key_check:"data_files/ec_256_long_prv.pem" Private key write check EC 521 bits From dfd447e83642e262cb03ebf2bff7355da9191048 Mon Sep 17 00:00:00 2001 From: Jens Wiklander Date: Thu, 17 Jan 2019 13:30:57 +0100 Subject: [PATCH 05/28] fix memory leak in mpi_miller_rabin() Fixes memory leak in mpi_miller_rabin() that occurs when the function has failed to obtain a usable random 'A' 30 turns in a row. Signed-off-by: Jens Wiklander --- library/bignum.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/library/bignum.c b/library/bignum.c index d3d02b1a0..606bca456 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -2329,7 +2329,8 @@ static int mpi_miller_rabin( const mbedtls_mpi *X, size_t rounds, } if (count++ > 30) { - return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE; + ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE; + goto cleanup; } } while ( mbedtls_mpi_cmp_mpi( &A, &W ) >= 0 || From 402d7ac3db9aefa27cedf7f0e53397927731981a Mon Sep 17 00:00:00 2001 From: Jens Wiklander Date: Thu, 17 Jan 2019 17:45:05 +0100 Subject: [PATCH 06/28] Add ChangeLog entry Signed-off-by: Jens Wiklander --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index b39b95391..842843899 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,8 @@ Bugfix previously lead to a stack overflow on constrained targets. * Add `MBEDTLS_SELF_TEST` for the mbedtls_self_test functions in the header files, which missed the precompilation check. #971 + * Fix memory leak in in mpi_miller_rabin(). Contributed by + Jens Wiklander in #2363 = mbed TLS 2.16.0 branch released 2018-12-21 
From f1713e96c9b86fffc55a15b63f1f8e4a278fd979 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 4 Jan 2019 14:32:30 +0000 Subject: [PATCH 07/28] Add a safer deterministic ECDSA function `mbedtls_ecdsa_sign_det` reuses the internal HMAC-DRBG instance to implement blinding. The advantage of this is that the algorithm is deterministic too, not just the resulting signature. The drawback is that the blinding is always the same for the same key and message. This diminishes the efficiency of blinding and leaks information about the private key. A function that takes external randomness fixes this weakness. --- include/mbedtls/ecdsa.h | 59 ++++++++++++++++++++++++++++++++++ library/ecdsa.c | 71 ++++++++++++++++++++++++++++++++--------- 2 files changed, 115 insertions(+), 15 deletions(-) diff --git a/include/mbedtls/ecdsa.h b/include/mbedtls/ecdsa.h index f8b28507c..932acc6d1 100644 --- a/include/mbedtls/ecdsa.h +++ b/include/mbedtls/ecdsa.h @@ -175,6 +175,19 @@ int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, * (SECG): SEC1 Elliptic Curve Cryptography, section * 4.1.3, step 5. * + * \warning Since the output of the internal RNG is always the same for + * the same key and message, this limits the efficiency of + * blinding and leaks information through side channels. For + * secure behavior use mbedtls_ecdsa_sign_det_ext() instead. + * + * (Optimally the blinding is a random value that is different + * on every execution. In this case the blinding is still + * random from the attackers perspective, but is the same on + * each execution. This means that this blinding does not + * prevent attackers from recovering secrets by combining + * several measurement traces, but may prevent some attacks + * that exploit relationships between secret data.) + * * \see ecp.h * * \param grp The context for the elliptic curve to use. 
@@ -200,6 +213,52 @@ int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, const mbedtls_mpi *d, const unsigned char *buf, size_t blen, mbedtls_md_type_t md_alg ); +/** + * \brief This function computes the ECDSA signature of a + * previously-hashed message, deterministic version. + * + * For more information, see RFC-6979: Deterministic + * Usage of the Digital Signature Algorithm (DSA) and Elliptic + * Curve Digital Signature Algorithm (ECDSA). + * + * \note If the bitlength of the message hash is larger than the + * bitlength of the group order, then the hash is truncated as + * defined in Standards for Efficient Cryptography Group + * (SECG): SEC1 Elliptic Curve Cryptography, section + * 4.1.3, step 5. + * + * \see ecp.h + * + * \param grp The context for the elliptic curve to use. + * This must be initialized and have group parameters + * set, for example through mbedtls_ecp_group_load(). + * \param r The MPI context in which to store the first part + * the signature. This must be initialized. + * \param s The MPI context in which to store the second part + * the signature. This must be initialized. + * \param d The private signing key. This must be initialized + * and setup, for example through mbedtls_ecp_gen_privkey(). + * \param buf The hashed content to be signed. This must be a readable + * buffer of length \p blen Bytes. It may be \c NULL if + * \p blen is zero. + * \param blen The length of \p buf in Bytes. + * \param md_alg The hash algorithm used to hash the original data. + * \param f_rng_blind The RNG function used for blinding. This must not be + * \c NULL. + * \param p_rng_blind The RNG context to be passed to \p f_rng. This may be + * \c NULL if \p f_rng doesn't need a context parameter. + * + * \return \c 0 on success. + * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX + * error code on failure. 
+ */ +int mbedtls_ecdsa_sign_det_ext( mbedtls_ecp_group *grp, mbedtls_mpi *r, + mbedtls_mpi *s, const mbedtls_mpi *d, + const unsigned char *buf, size_t blen, + mbedtls_md_type_t md_alg, + int (*f_rng_blind)(void *, unsigned char *, + size_t), + void *p_rng_blind ); #endif /* MBEDTLS_ECDSA_DETERMINISTIC */ /** diff --git a/library/ecdsa.c b/library/ecdsa.c index dc19384d6..4d120d1f3 100644 --- a/library/ecdsa.c +++ b/library/ecdsa.c @@ -254,6 +254,8 @@ static int ecdsa_sign_restartable( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, const mbedtls_mpi *d, const unsigned char *buf, size_t blen, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, + int (*f_rng_blind)(void *, unsigned char *, size_t), + void *p_rng_blind, mbedtls_ecdsa_restart_ctx *rs_ctx ) { int ret, key_tries, sign_tries; @@ -323,7 +325,9 @@ static int ecdsa_sign_restartable( mbedtls_ecp_group *grp, mul: #endif MBEDTLS_MPI_CHK( mbedtls_ecp_mul_restartable( grp, &R, pk, &grp->G, - f_rng, p_rng, ECDSA_RS_ECP ) ); + f_rng_blind, + p_rng_blind, + ECDSA_RS_ECP ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pr, &R.X, &grp->N ) ); } while( mbedtls_mpi_cmp_int( pr, 0 ) == 0 ); @@ -349,7 +353,8 @@ modn: * Generate a random value to blind inv_mod in next step, * avoiding a potential timing leak. */ - MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, &t, f_rng, p_rng ) ); + MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, &t, f_rng_blind, + p_rng_blind ) ); /* * Step 6: compute s = (e + r * d) / k = t (e + rd) / (kt) mod n @@ -392,8 +397,9 @@ int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, ECDSA_VALIDATE_RET( f_rng != NULL ); ECDSA_VALIDATE_RET( buf != NULL || blen == 0 ); + /* Use the same RNG for both blinding and ephemeral key generation */ return( ecdsa_sign_restartable( grp, r, s, d, buf, blen, - f_rng, p_rng, NULL ) ); + f_rng, p_rng, f_rng, p_rng, NULL ) ); } #endif /* !MBEDTLS_ECDSA_SIGN_ALT */ 
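Review bot: The `\param p_rng_blind` description in the new mbedtls_ecdsa_sign_det_ext() block says the context is passed to `\p f_rng` and may be NULL if `\p f_rng` needs none, but this function has no `f_rng` parameter — both references should read `\p f_rng_blind`, and Doxygen will otherwise report the dangling `\p`. The `\brief` is word-for-word the one on mbedtls_ecdsa_sign_det(), so nothing in the API reference says why the `_ext` variant exists; a second sentence such as `The blinding used during the computation is drawn from f_rng_blind instead of the internal HMAC-DRBG, so the signature is still deterministic but the side-channel countermeasure no longer repeats for the same key and message.` would carry the commit message's point into the header.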
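Review bot: The new `f_rng_blind`/`p_rng_blind` parameters on ecdsa_sign_restartable (hunk at -254) carry no comment saying how they differ from `f_rng`/`p_rng`; the split is only visible from the later hunks, where `f_rng_blind` feeds mbedtls_ecp_mul_restartable (hunk at -323) and the blinding value `t` for the modular inversion (hunk at -349), while the ephemeral-key draw, which is outside these hunks, presumably stays on `f_rng`. A comment above the signature along the lines of `/* f_rng: ephemeral key; f_rng_blind: coordinate randomisation and inv_mod blinding (may be the same RNG) */` would make that contract explicit. The static function does not NULL-check `f_rng_blind`; the visible callers pass either a validated `f_rng` or an HMAC-DRBG, so correctness relies on every future caller keeping that invariant. The function body starts and ends outside these hunks.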
@@ -405,6 +411,8 @@ static int ecdsa_sign_det_restartable( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, const mbedtls_mpi *d, const unsigned char *buf, size_t blen, mbedtls_md_type_t md_alg, + int (*f_rng_blind)(void *, unsigned char *, size_t), + void *p_rng_blind, mbedtls_ecdsa_restart_ctx *rs_ctx ) { int ret; @@ -451,8 +459,20 @@ sign: ret = mbedtls_ecdsa_sign( grp, r, s, d, buf, blen, mbedtls_hmac_drbg_random, p_rng ); #else - ret = ecdsa_sign_restartable( grp, r, s, d, buf, blen, - mbedtls_hmac_drbg_random, p_rng, rs_ctx ); + if( f_rng_blind != NULL ) + ret = ecdsa_sign_restartable( grp, r, s, d, buf, blen, + mbedtls_hmac_drbg_random, p_rng, + f_rng_blind, p_rng_blind, rs_ctx ); + else + /* + * Use the same RNG for both blinding and ephemeral key generation. + * Since the RNG output is always the same for the same key and message, + * this limits the efficiency of blinding and leaks information through + * side channels. + */ + ret = ecdsa_sign_restartable( grp, r, s, d, buf, blen, + mbedtls_hmac_drbg_random, p_rng, + mbedtls_hmac_drbg_random, p_rng, rs_ctx ); #endif /* MBEDTLS_ECDSA_SIGN_ALT */ cleanup: @@ -465,11 +485,12 @@ cleanup: } /* - * Deterministic signature wrapper + * Deterministic signature wrappers */ -int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, - const mbedtls_mpi *d, const unsigned char *buf, size_t blen, - mbedtls_md_type_t md_alg ) +int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, + mbedtls_mpi *s, const mbedtls_mpi *d, + const unsigned char *buf, size_t blen, + mbedtls_md_type_t md_alg ) { ECDSA_VALIDATE_RET( grp != NULL ); ECDSA_VALIDATE_RET( r != NULL ); 
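Review bot: In the `MBEDTLS_ECDSA_SIGN_ALT` arm of ecdsa_sign_det_restartable (hunk at -451) the new `f_rng_blind`/`p_rng_blind` parameters are never read — the call to mbedtls_ecdsa_sign() still passes only the HMAC-DRBG — so an external blinding RNG supplied through mbedtls_ecdsa_sign_det_ext() is silently dropped in that configuration, and a `-Wextra` build will likely warn about unused parameters. At minimum add `(void) f_rng_blind; (void) p_rng_blind;` inside the `#if defined(MBEDTLS_ECDSA_SIGN_ALT)` arm together with a comment stating that alternative implementations receive only the HMAC-DRBG, so the limitation is documented at the point where it happens. The function body extends beyond both ends of the hunk.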
@@ -477,7 +498,27 @@ int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi ECDSA_VALIDATE_RET( d != NULL ); ECDSA_VALIDATE_RET( buf != NULL || blen == 0 ); - return( ecdsa_sign_det_restartable( grp, r, s, d, buf, blen, md_alg, NULL ) ); + return( ecdsa_sign_det_restartable( grp, r, s, d, buf, blen, md_alg, + NULL, NULL, NULL ) ); +} + +int mbedtls_ecdsa_sign_det_ext( mbedtls_ecp_group *grp, mbedtls_mpi *r, + mbedtls_mpi *s, const mbedtls_mpi *d, + const unsigned char *buf, size_t blen, + mbedtls_md_type_t md_alg, + int (*f_rng_blind)(void *, unsigned char *, + size_t), + void *p_rng_blind ) +{ + ECDSA_VALIDATE_RET( grp != NULL ); + ECDSA_VALIDATE_RET( r != NULL ); + ECDSA_VALIDATE_RET( s != NULL ); + ECDSA_VALIDATE_RET( d != NULL ); + ECDSA_VALIDATE_RET( buf != NULL || blen == 0 ); + ECDSA_VALIDATE_RET( f_rng_blind != NULL ); + + return( ecdsa_sign_det_restartable( grp, r, s, d, buf, blen, md_alg, + f_rng_blind, p_rng_blind, NULL ) ); } #endif /* MBEDTLS_ECDSA_DETERMINISTIC */ @@ -656,11 +697,9 @@ int mbedtls_ecdsa_write_signature_restartable( mbedtls_ecdsa_context *ctx, mbedtls_mpi_init( &s ); #if defined(MBEDTLS_ECDSA_DETERMINISTIC) - (void) f_rng; - (void) p_rng; - MBEDTLS_MPI_CHK( ecdsa_sign_det_restartable( &ctx->grp, &r, &s, &ctx->d, - hash, hlen, md_alg, rs_ctx ) ); + hash, hlen, md_alg, f_rng, + p_rng, rs_ctx ) ); #else (void) md_alg; @@ -668,8 +707,10 @@ int mbedtls_ecdsa_write_signature_restartable( mbedtls_ecdsa_context *ctx, MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign( &ctx->grp, &r, &s, &ctx->d, hash, hlen, f_rng, p_rng ) ); #else + /* Use the same RNG for both blinding and ephemeral key generation */ MBEDTLS_MPI_CHK( ecdsa_sign_restartable( &ctx->grp, &r, &s, &ctx->d, - hash, hlen, f_rng, p_rng, rs_ctx ) ); + hash, hlen, f_rng, p_rng, f_rng, + p_rng, rs_ctx ) ); #endif /* MBEDTLS_ECDSA_SIGN_ALT */ #endif /* MBEDTLS_ECDSA_DETERMINISTIC */ From 7e833445439c71f8344623bbe22b78092a8dfdba Mon Sep 17 00:00:00 2001 
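Review bot: mbedtls_ecdsa_write_signature_restartable (hunk at -656) now forwards its `f_rng`/`p_rng` to ecdsa_sign_det_restartable as the blinding RNG, where the removed `(void) f_rng; (void) p_rng;` shows they were previously ignored in the deterministic build; if the public header still tells callers that `f_rng` may be NULL when `MBEDTLS_ECDSA_DETERMINISTIC` is set (that documentation is not in this patch, so worth checking), such callers now take the `f_rng_blind == NULL` branch that reuses the HMAC-DRBG for blinding and get none of the improvement, with no diagnostic. Either the `\param f_rng` text of mbedtls_ecdsa_write_signature() and its restartable variant should say that in the deterministic configuration the RNG is used for blinding and that NULL weakens the countermeasure, or NULL should be rejected with ECDSA_VALIDATE_RET as mbedtls_ecdsa_sign_det_ext() does in the hunk at -477. The enclosing function starts and ends outside the hunk.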
From: Janos Follath Date: Wed, 16 Jan 2019 14:32:03 +0000 Subject: [PATCH 08/28] Test the new deterministic ECDSA function --- tests/suites/test_suite_ecdsa.function | 35 ++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/tests/suites/test_suite_ecdsa.function b/tests/suites/test_suite_ecdsa.function index 22d92b6df..0e7283bc7 100644 --- a/tests/suites/test_suite_ecdsa.function +++ b/tests/suites/test_suite_ecdsa.function @@ -74,6 +74,31 @@ void ecdsa_invalid_param( ) mbedtls_ecdsa_sign_det( &grp, &m, &m, &m, NULL, sizeof( buf ), valid_md ) ); + TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, + mbedtls_ecdsa_sign_det_ext( NULL, &m, &m, &m, + buf, sizeof( buf ), + valid_md, + rnd_std_rand, NULL ) ); + TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, + mbedtls_ecdsa_sign_det_ext( &grp, NULL, &m, &m, + buf, sizeof( buf ), + valid_md, + rnd_std_rand, NULL ) ); + TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, + mbedtls_ecdsa_sign_det_ext( &grp, &m, NULL, &m, + buf, sizeof( buf ), + valid_md, + rnd_std_rand, NULL ) ); + TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, + mbedtls_ecdsa_sign_det_ext( &grp, &m, &m, NULL, + buf, sizeof( buf ), + valid_md, + rnd_std_rand, NULL ) ); + TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, + mbedtls_ecdsa_sign_det_ext( &grp, &m, &m, &m, + NULL, sizeof( buf ), + valid_md, + rnd_std_rand, NULL ) ); #endif /* MBEDTLS_ECDSA_DETERMINISTIC */ TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, 
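Review bot: The new TEST_INVALID_PARAM_RET cases for mbedtls_ecdsa_sign_det_ext() cover NULL for `grp`, `r`, `s`, `d` and `buf`, but not the one precondition unique to this function — the `ECDSA_VALIDATE_RET( f_rng_blind != NULL )` check in its definition. A sixth case mirroring the others and passing `NULL, NULL` as the final two arguments would pin that check and catch a regression if the validation is ever dropped. ecdsa_invalid_param() extends beyond both ends of the hunk.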
@@ -330,6 +355,16 @@ void ecdsa_det_test_vectors( int id, char * d_str, int md_alg, char * msg, TEST_ASSERT( mbedtls_mpi_cmp_mpi( &r, &r_check ) == 0 ); TEST_ASSERT( mbedtls_mpi_cmp_mpi( &s, &s_check ) == 0 ); + mbedtls_mpi_free( &r ); mbedtls_mpi_free( &s ); + mbedtls_mpi_init( &r ); mbedtls_mpi_init( &s ); + + TEST_ASSERT( + mbedtls_ecdsa_sign_det_ext( &grp, &r, &s, &d, hash, hlen, + md_alg, rnd_std_rand, NULL ) + == 0 ); + + TEST_ASSERT( mbedtls_mpi_cmp_mpi( &r, &r_check ) == 0 ); + TEST_ASSERT( mbedtls_mpi_cmp_mpi( &s, &s_check ) == 0 ); exit: mbedtls_ecp_group_free( &grp ); mbedtls_mpi_free( &d ); mbedtls_mpi_free( &r ); mbedtls_mpi_free( &s ); From 9f24b73151dba389cb432ade75dd6298cbff4e79 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 7 Jan 2019 15:01:32 +0000 Subject: [PATCH 09/28] Add warning for alternative ECDSA implementations Alternative implementations are often hardware accelerators and might not need an RNG for blinding. But if they do, then we make them misuse the RNG in the deterministic case. There are several way around this: - Exposing a lower level function for replacement. This would be the optimal solution, but litters the API and is not backward compatible. - Introducing a new compile time option for replacing the deterministic function. This would mostly cover the same code as MBEDTLS_ECDSA_DETERMINISTIC and would be yet another compile time flag. - Reusing the existing MBEDTLS_ECDSA_DETERMINISTIC macro. This changes the algorithm used by the PK layer from deterministic to randomised if the alternative implementation is present. This commit implements the third option. This is a temporary solution and should be fixed at the next device driver API change. --- include/mbedtls/config.h | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 654f9725e..57ee50328 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h 
@@ -416,6 +416,16 @@ * dependencies on them, and considering stronger message digests * and ciphers instead. * + * \warning If both MBEDTLS_ECDSA_SIGN_ALT and MBEDTLS_ECDSA_DETERMINISTIC are + * enabled, then the deterministic ECDH signature functions pass the + * the static HMAC-DRBG as RNG to mbedtls_ecdsa_sign(). Therefore + * alternative implementations should use the RNG only for generating + * the ephemeral key and nothing else. If this is not possible, then + * MBEDTLS_ECDSA_DETERMINISTIC should be disabled and an alternative + * implementation should be provided for mbedtls_ecdsa_sign_det_ext() + * (and for mbedtls_ecdsa_sign_det() too if backward compatibility is + * desirable). + * */ //#define MBEDTLS_MD2_PROCESS_ALT //#define MBEDTLS_MD4_PROCESS_ALT From d73f61332e4fdcb534e2fa493913990e417eabc4 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 7 Jan 2019 17:27:56 +0000 Subject: [PATCH 10/28] Correct deterministic ECDSA behavior We were still reusing the internal HMAC-DRBG of the deterministic ECDSA for blinding. This meant that with cryptographically low likelyhood the result was not the same signature as the one the deterministic ECDSA algorithm has to produce (however it is still a valid ECDSA signature). To correct this we seed a second HMAC-DRBG with the same seed to restore correct behavior. We also apply a label to avoid reusing the bits of the ephemeral key for a different purpose and reduce the chance that they leak. This workaround can't be implemented in the restartable case without penalising the case where external RNG is available or completely defeating the purpose of the restartable feature, therefore in this case the small chance of incorrect behavior remains. --- library/ecdsa.c | 60 ++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 55 insertions(+), 5 deletions(-) diff --git a/library/ecdsa.c b/library/ecdsa.c index 4d120d1f3..c5b8df9d3 100644 --- a/library/ecdsa.c +++ b/library/ecdsa.c 
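Review bot: The added `\warning` says the deterministic `ECDH` signature functions hand the HMAC-DRBG to mbedtls_ecdsa_sign(); the functions it describes are ECDSA, and `pass the the static HMAC-DRBG` doubles the article. Corrected: `enabled, then the deterministic ECDSA signature functions pass the static HMAC-DRBG as RNG to mbedtls_ecdsa_sign(). Therefore`. The paragraph appears to sit in a block of unrelated `*_ALT` commentary (the following lines are `//#define MBEDTLS_MD2_PROCESS_ALT`), so the implementers it addresses may never see it; if `MBEDTLS_ECDSA_SIGN_ALT` has its own documentation elsewhere in this header, that is where this warning belongs.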
@@ -464,15 +464,65 @@ sign: mbedtls_hmac_drbg_random, p_rng, f_rng_blind, p_rng_blind, rs_ctx ); else + { + mbedtls_hmac_drbg_context *p_rng_blind_det; + +#if !defined(MBEDTLS_ECP_RESTARTABLE) /* - * Use the same RNG for both blinding and ephemeral key generation. - * Since the RNG output is always the same for the same key and message, - * this limits the efficiency of blinding and leaks information through - * side channels. + * To avoid reusing rng_ctx and risking incorrect behavior we seed a + * second HMAC-DRBG with the same seed. We also apply a label to avoid + * reusing the bits of the ephemeral key for blinding and eliminate the + * risk that they leak this way. + */ + const char* blind_label = "BLINDING CONTEXT"; + mbedtls_hmac_drbg_context rng_ctx_blind; + + mbedtls_hmac_drbg_init( &rng_ctx_blind ); + p_rng_blind_det = &rng_ctx_blind; + + mbedtls_hmac_drbg_seed_buf( p_rng_blind_det, md_info, + data, 2 * grp_len ); + ret = mbedtls_hmac_drbg_update_ret( p_rng_blind_det, + (const unsigned char*) blind_label, + strlen( blind_label ) ); + if( ret != 0 ) + { + mbedtls_hmac_drbg_free( &rng_ctx_blind ); + goto cleanup; + } +#else + /* + * In the case of restartable computations we would either need to store + * the second RNG in the restart context too or set it up at every + * restart. The first option would penalize the correct application of + * the function and the second would defeat the purpose of the + * restartable feature. + * + * Therefore in this case we reuse the original RNG. This comes with the + * price that the resulting signature might not be a valid deterministic + * ECDSA signature with a very low probability (same magnitude as + * successfully guessing the private key). However even then it is still + * a valid ECDSA signature. 
+ */ + p_rng_blind_det = p_rng; +#endif /* MBEDTLS_ECP_RESTARTABLE */ + + /* + * Since the output of the RNGs is always the same for the same key and + * message, this limits the efficiency of blinding and leaks information + * through side channels. After mbedtls_ecdsa_sign_det() is removed NULL + * won't be a valid value for f_rng_blind anymore. Therefore it should + * be checked by the caller and this branch and check can be removed. */ ret = ecdsa_sign_restartable( grp, r, s, d, buf, blen, mbedtls_hmac_drbg_random, p_rng, - mbedtls_hmac_drbg_random, p_rng, rs_ctx ); + mbedtls_hmac_drbg_random, p_rng_blind_det, + rs_ctx ); + +#if !defined(MBEDTLS_ECP_RESTARTABLE) + mbedtls_hmac_drbg_free( &rng_ctx_blind ); +#endif + } #endif /* MBEDTLS_ECDSA_SIGN_ALT */ cleanup: From 5f72119116680f78f854f19fcef59a4a0ed0ad8c Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 16 Jan 2019 14:41:00 +0000 Subject: [PATCH 11/28] Add ChangeLog entry --- ChangeLog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ChangeLog b/ChangeLog index afbe2f689..0bc75bac0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,13 @@ mbed TLS ChangeLog (Sorted per branch, date) = mbed TLS 2.x.x branch released xxxx-xx-xx +Security + * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to + implement blinding. Because of this for the same key and message the same + blinding value was generated. This reduced the effectiveness of the + countermeasure and leaked information about the private key through side + channels. Reported by Jack Lloyd. + Features * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites from the default list (enabled by default). See From 7ffe827fca0a2bdc24b4708486f60f91762c6b19 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 21 Jan 2019 10:40:37 +0000 Subject: [PATCH 12/28] Add ChangeLog entry for new function --- ChangeLog | 5 +++++ 1 file changed, 5 insertions(+) 
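Review bot: The return value of `mbedtls_hmac_drbg_seed_buf( p_rng_blind_det, md_info, data, 2 * grp_len )` on the new blinding context is ignored, while the `mbedtls_hmac_drbg_update_ret` call immediately after it is checked and frees `rng_ctx_blind` on failure; a seeding failure would leave the blinding DRBG in whatever state init left it and signing would proceed with it. Check it the same way: `ret = mbedtls_hmac_drbg_seed_buf( p_rng_blind_det, md_info, data, 2 * grp_len );` followed by `if( ret != 0 ) { mbedtls_hmac_drbg_free( &rng_ctx_blind ); goto cleanup; }`. `md_info`, `data` and `grp_len` come from the part of ecdsa_sign_det_restartable outside this hunk, so whether the seed material matches the primary DRBG's, as the comment claims, cannot be confirmed from the hunk alone. `strlen()` on the label needs `<string.h>` in scope in ecdsa.c — confirm the include is direct rather than transitive.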
diff --git a/ChangeLog b/ChangeLog index 0bc75bac0..a63515cea 100644 --- a/ChangeLog +++ b/ChangeLog @@ -60,6 +60,11 @@ Changes * Ciphersuites based on 3DES now have the lowest priority by default when they are enabled. +API Changes + * The new function mbedtls_ecdsa_sign_det_ext() is similar to + mbedtls_ecdsa_sign_det() but allows passing an external RNG for the + purpose of blinding. + = mbed TLS 2.16.0 branch released 2018-12-21 Features From 92c98931f28b2523752ce0155b6a730f890b440e Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 1 May 2019 17:09:11 +0100 Subject: [PATCH 13/28] Fix mpi_bigendian_to_host() on bigendian systems The previous implementation of mpi_bigendian_to_host() did a byte-swapping regardless of the endianness of the system. Fixes #2622. --- library/bignum.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index 41946183c..a1822fc6c 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -742,10 +742,15 @@ cleanup: static mbedtls_mpi_uint mpi_uint_bigendian_to_host_c( mbedtls_mpi_uint x ) { uint8_t i; + unsigned char *x_ptr; mbedtls_mpi_uint tmp = 0; - /* This works regardless of the endianness. */ - for( i = 0; i < ciL; i++, x >>= 8 ) - tmp |= ( x & 0xFF ) << ( ( ciL - 1 - i ) << 3 ); + + for( i = 0, x_ptr = (unsigned char*) &x; i < ciL; i++, x_ptr++ ) + { + tmp <<= CHAR_BIT; + tmp |= (mbedtls_mpi_uint) *x_ptr; + } + return( tmp ); } From b4e9950d026ab14d4f6d152f0ae473be3fb74fce Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 2 May 2019 09:33:56 +0100 Subject: [PATCH 14/28] Adapt ChangeLog --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index 798e84a00..07ba4c767 100644 --- a/ChangeLog +++ b/ChangeLog 
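Review bot: The rewritten mpi_uint_bigendian_to_host_c() now depends on the in-memory byte order of `x` — it walks `x` through an `unsigned char *` and accumulates most-significant-first — but the only explanatory comment (`This works regardless of the endianness.`) was removed and nothing replaced it, so the next reader has to re-derive why the loop is correct on both big- and little-endian hosts. A comment above the loop such as `/* Read the bytes of x in memory order, MSB first: on a big-endian host this reproduces x unchanged, on a little-endian host it byte-swaps it — exactly the big-endian-to-host conversion. */` would do. `x_ptr` is only read, so `const unsigned char *x_ptr` fits, and `CHAR_BIT` needs `<limits.h>`, which this hunk does not show — confirm bignum.c already includes it.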
@@ -38,6 +38,9 @@ Bugfix for the parameter. * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl sni entry parameter. Reported by inestlerode in #560. + * Fix bug in endianness conversion in bignum module. This lead to + functionally incorrect code on bigendian systems which don't have + __BYTE_ORDER__ defined. Reported by Brendan Shanks. Fixes #2622. Changes * Return from various debugging routines immediately if the From e79c93969353c3db310d70f60ab170c1f8765ead Mon Sep 17 00:00:00 2001 From: k-stachowiak Date: Fri, 31 May 2019 20:11:26 +0200 Subject: [PATCH 15/28] Change size of preallocated buffer for pk_sign() calls --- library/x509write_crt.c | 12 +++++++++++- library/x509write_csr.c | 12 +++++++++++- programs/pkey/pk_sign.c | 12 +++++++++++- 3 files changed, 33 insertions(+), 3 deletions(-) diff --git a/library/x509write_crt.c b/library/x509write_crt.c index 10497e752..61d7ba44a 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -45,6 +45,16 @@ #include "mbedtls/pem.h" #endif /* MBEDTLS_PEM_WRITE_C */ +/* + * For the currently used signature algorithms the buffer to store any signature + * must be at least of size MAX(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE) + */ +#if MBEDTLS_ECDSA_MAX_LEN > MBEDTLS_MPI_MAX_SIZE +#define SIGNATURE_MAX_SIZE MBEDTLS_ECDSA_MAX_LEN +#else +#define SIGNATURE_MAX_SIZE MBEDTLS_MPI_MAX_SIZE +#endif + void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx ) { memset( ctx, 0, sizeof( mbedtls_x509write_cert ) ); @@ -334,7 +344,7 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t sig_oid_len = 0; unsigned char *c, *c2; unsigned char hash[64]; - unsigned char sig[MBEDTLS_MPI_MAX_SIZE]; + unsigned char sig[SIGNATURE_MAX_SIZE]; unsigned char tmp_buf[2048]; size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len; size_t len = 0; diff --git a/library/x509write_csr.c b/library/x509write_csr.c index d70ba0ed9..b65a11c6a 100644 
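Review bot: The `SIGNATURE_MAX_SIZE` selection block is pasted verbatim into three files — here in x509write_crt.c, and again in x509write_csr.c (hunk at -44) and programs/pkey/pk_sign.c (hunk at -72) — so the size contract for a `mbedtls_pk_sign` output buffer lives in three copies that can drift; a single definition in a shared header (pk.h is where callers already get the signing API) would let library, programs and user code use the same bound. Also, when `MBEDTLS_ECDSA_C` is not enabled `MBEDTLS_ECDSA_MAX_LEN` is presumably undefined, and `#if MBEDTLS_ECDSA_MAX_LEN > MBEDTLS_MPI_MAX_SIZE` then compares 0 — the right result, but a `-Wundef` build warns; `#if defined(MBEDTLS_ECDSA_C) && MBEDTLS_ECDSA_MAX_LEN > MBEDTLS_MPI_MAX_SIZE` states the intent.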
--- a/library/x509write_csr.c +++ b/library/x509write_csr.c @@ -44,6 +44,16 @@ #include "mbedtls/pem.h" #endif +/* + * For the currently used signature algorithms the buffer to store any signature + * must be at least of size MAX(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE) + */ +#if MBEDTLS_ECDSA_MAX_LEN > MBEDTLS_MPI_MAX_SIZE +#define SIGNATURE_MAX_SIZE MBEDTLS_ECDSA_MAX_LEN +#else +#define SIGNATURE_MAX_SIZE MBEDTLS_MPI_MAX_SIZE +#endif + void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx ) { memset( ctx, 0, sizeof( mbedtls_x509write_csr ) ); @@ -159,7 +169,7 @@ int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, s size_t sig_oid_len = 0; unsigned char *c, *c2; unsigned char hash[64]; - unsigned char sig[MBEDTLS_MPI_MAX_SIZE]; + unsigned char sig[SIGNATURE_MAX_SIZE]; unsigned char tmp_buf[2048]; size_t pub_len = 0, sig_and_oid_len = 0, sig_len; size_t len = 0; diff --git a/programs/pkey/pk_sign.c b/programs/pkey/pk_sign.c index 7354082f1..4696c7c12 100644 --- a/programs/pkey/pk_sign.c +++ b/programs/pkey/pk_sign.c @@ -72,6 +72,16 @@ void mbedtls_param_failed( const char *failure_condition, } #endif +/* + * For the currently used signature algorithms the buffer to store any signature + * must be at least of size MAX(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE) + */ +#if MBEDTLS_ECDSA_MAX_LEN > MBEDTLS_MPI_MAX_SIZE +#define SIGNATURE_MAX_SIZE MBEDTLS_ECDSA_MAX_LEN +#else +#define SIGNATURE_MAX_SIZE MBEDTLS_MPI_MAX_SIZE +#endif + int main( int argc, char *argv[] ) { FILE *f; @@ -81,7 +91,7 @@ int main( int argc, char *argv[] ) mbedtls_entropy_context entropy; mbedtls_ctr_drbg_context ctr_drbg; unsigned char hash[32]; - unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; + unsigned char buf[SIGNATURE_MAX_SIZE]; char filename[512]; const char *pers = "mbedtls_pk_sign"; size_t olen = 0; From c775ee1cfeab07c4a5c31a0da6944846d0c87117 Mon Sep 17 00:00:00 2001 
From: k-stachowiak Date: Fri, 31 May 2019 20:13:58 +0200 Subject: [PATCH 16/28] Add missing MBEDTLS_ECP_C dependencies in check_config.h --- include/mbedtls/check_config.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index b86e5807e..343a7367e 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -123,7 +123,7 @@ #error "MBEDTLS_ECDSA_DETERMINISTIC defined, but not all prerequisites" #endif -#if defined(MBEDTLS_ECP_C) && ( !defined(MBEDTLS_BIGNUM_C) || ( \ +#if defined(MBEDTLS_ECP_C) && ( !defined(MBEDTLS_BIGNUM_C) || ( \ !defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) && \ !defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) && \ !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) && \ @@ -134,7 +134,9 @@ !defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) && \ !defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) && \ !defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) && \ - !defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) ) ) + !defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) && \ + !defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) && \ + !defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) ) ) #error "MBEDTLS_ECP_C defined, but not all prerequisites" #endif From 4e36da32b33d63b36de85ec6071575f68ba3d100 Mon Sep 17 00:00:00 2001 From: k-stachowiak Date: Fri, 31 May 2019 20:16:50 +0200 Subject: [PATCH 17/28] Add documentation notes about the required size of the signature buffers --- include/mbedtls/pk.h | 8 ++++++++ include/mbedtls/rsa.h | 9 ++++++--- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index 91950f940..136427503 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h 
@@ -416,6 +416,10 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options, * * \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0. * For ECDSA, md_alg may never be MBEDTLS_MD_NONE. + * + * \note In order to ensure enough space for the signature, the + * \p sig buffer size must be of at least + * `max(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)` bytes. */ int mbedtls_pk_sign( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg, const unsigned char *hash, size_t hash_len, @@ -430,6 +434,10 @@ int mbedtls_pk_sign( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg, * \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC * operations. For RSA, same as \c mbedtls_pk_sign(). * + * \note In order to ensure enough space for the signature, the + * \p sig buffer size must be of at least + * `max(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)` bytes. + * * \param ctx The PK context to use. It must have been set up * with a private key. * \param md_alg Hash algorithm used (see notes) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index 906c42733..cba692beb 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -904,7 +904,8 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, * the size of the hash corresponding to \p md_alg. * \param sig The buffer to hold the signature. This must be a writable * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - * for an 2048-bit RSA modulus. + * for an 2048-bit RSA modulus. A buffer length of + * #MBEDTLS_MPI_MAX_SIZE is always safe. * * \return \c 0 if the signing operation was successful. * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 
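Review bot: The new note tells callers to size `sig` as `max(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)` but offers no macro to express it, so each application has to reproduce the `#if` comparison by hand; a public constant such as `MBEDTLS_PK_SIGNATURE_MAX_SIZE` defined once in pk.h under this note would make the documented contract usable as code. Since `mbedtls_pk_sign()` and `mbedtls_pk_sign_restartable()` take no output-buffer size and only report `sig_len` afterwards, this documentation is the only guard against overrunning the caller's buffer, which is worth saying in the note itself: `\note The size of \p sig is not checked; an undersized buffer is overwritten.` The rsa.h sections then only need to refer to that constant rather than repeating the sentence three times.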
@@ -951,7 +952,8 @@ int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, * the size of the hash corresponding to \p md_alg. * \param sig The buffer to hold the signature. This must be a writable * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - * for an 2048-bit RSA modulus. + * for an 2048-bit RSA modulus. A buffer length of + * #MBEDTLS_MPI_MAX_SIZE is always safe. * * \return \c 0 if the signing operation was successful. * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. @@ -1012,7 +1014,8 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, * the size of the hash corresponding to \p md_alg. * \param sig The buffer to hold the signature. This must be a writable * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes - * for an 2048-bit RSA modulus. + * for an 2048-bit RSA modulus. A buffer length of + * #MBEDTLS_MPI_MAX_SIZE is always safe. * * \return \c 0 if the signing operation was successful. * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. From 11f38e2f6180aeb0a593579dd8efe31cecd085ac Mon Sep 17 00:00:00 2001 
From: k-stachowiak Date: Tue, 4 Jun 2019 13:14:58 +0200 Subject: [PATCH 18/28] Add a test for signing content with a long ECDSA key Due to the way the current PK API works, it may have not been clear for the library clients, how big output buffers they should pass to the signing functions. Depending on the key type they depend on MPI or EC specific compile-time constants. Inside the library, there were places, where it was assumed that the MPI size will always be enough, even for ECDSA signatures. However, for very small sizes of the MBEDTLS_MPI_MAX_SIZE and sufficiently large key, the EC signature could exceed the MPI size and cause a stack overflow. This test establishes both conditions -- small MPI size and the use of a long ECDSA key -- and attempts to sign an arbitrary file. This can cause a stack overvlow if the signature buffers are not big enough, therefore the test is performed for an ASan build. --- tests/data_files/Makefile | 8 ++++++++ tests/data_files/secp521r1_prv.der | Bin 0 -> 223 bytes tests/scripts/all.sh | 17 +++++++++++++++++ 3 files changed, 25 insertions(+) create mode 100644 tests/data_files/secp521r1_prv.der diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index d023c8d0c..bb816838c 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -745,6 +745,14 @@ server5.req.ku.sha1: server5.key $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< key_usage=digital_signature,non_repudiation subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1 all_final += server5.req.ku.sha1 +### +### A generic SECP521R1 private key +### + +secp521r1_prv.der: + $(OPENSSL) ecparam -genkey -name secp521r1 -noout -out secp521r1_prv.der +all_final += secp521r1_prv.der + ################################################################ ### Generate CSRs for X.509 write test suite ################################################################ 
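Review bot: `$(OPENSSL) ecparam -genkey -name secp521r1 -noout -out secp521r1_prv.der` writes PEM by default, so running this rule regenerates a PEM file under a `.der` name and no longer matches the DER blob committed in the next file section; add `-outform DER` to the recipe. The rule also produces a fresh random key on every run, so a rebuilt `tests/data_files` tree silently changes the fixture; a comment above the target should set that expectation, e.g. `### Only the curve size matters for the tests using this key; the value is not pinned.`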
diff --git a/tests/data_files/secp521r1_prv.der b/tests/data_files/secp521r1_prv.der new file mode 100644 index 0000000000000000000000000000000000000000..4d342bdc25590e747f3dd45369c525a17eeafe4a GIT binary patch literal 223 zcmV<503iP`f!qQC0R%z;dbqNytV!Pn9Gx-kY_~1_fkN9pZuhX33j*q0c>w;eL4xg{ zKt>-fDT-%(a)8NM6PPC1#8 zkDC@p2S}y!0W4tS+`#2wI5*>!%9T%+)=Ms?OrfF%^Z0&EWhI$b@A@l|MQI|WVHYQ literal 0 HcmV?d00001 diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 936c665a1..5e7b248d2 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -590,6 +590,23 @@ component_check_doxygen_warnings () { #### Build and test many configurations and targets ################################################################ +component_test_large_ecdsa_key_signature () { + + SMALL_MPI_MAX_SIZE=136 # Small enough to interfere with the EC signatures + + msg "build: cmake + MBEDTLS_MPI_MAX_SIZE=${SMALL_MPI_MAX_SIZE}, gcc, ASan" # ~ 1 min 50s + scripts/config.pl set MBEDTLS_MPI_MAX_SIZE $SMALL_MPI_MAX_SIZE + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + INEVITABLY_PRESENT_FILE=Makefile + SIGNATURE_FILE="${INEVITABLY_PRESENT_FILE}.sig" # Warning, this is rm -f'ed below + + msg "test: pk_sign secp521r1_prv.der for MBEDTLS_MPI_MAX_SIZE=${SMALL_MPI_MAX_SIZE} (ASan build)" # ~ 5s + if_build_succeeded programs/pkey/pk_sign tests/data_files/secp521r1_prv.der $INEVITABLY_PRESENT_FILE + rm -f $SIGNATURE_FILE +} + component_test_default_out_of_box () { msg "build: make, default config (out-of-box)" # ~1min make From 4a6a55cae364e955cd324bfc91685f0628e1a63a Mon Sep 17 00:00:00 2001 
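Review bot: `SMALL_MPI_MAX_SIZE=136` is a magic number whose relation to the failure under test lives only in the commit message; the comment should state it, e.g. `# Below MBEDTLS_ECDSA_MAX_LEN for secp521r1 (141 bytes), so a DER-encoded signature no longer fits an MBEDTLS_MPI_MAX_SIZE buffer`. The component makes no positive assertion: it relies solely on ASan aborting `pk_sign`, so a check that `$SIGNATURE_FILE` exists and is non-empty before the `rm -f` would also catch a build where signing quietly fails. `INEVITABLY_PRESENT_FILE` and `SIGNATURE_FILE` are assigned as globals inside the function and will be visible to later components; scoping or unsetting them keeps the components independent.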
From: k-stachowiak
Date: Fri, 28 Jun 2019 14:14:02 +0200
Subject: [PATCH 19/28] Fix handling of md failure

The failure of mbedtls_md was not checked in one place. This could have led to an incorrect computation if a hardware accelerator failed. In most cases this would have led to the key exchange failing, so the impact would have been a hard-to-diagnose error reported in the wrong place. If the two sides of the key exchange failed in the same way with an output from mbedtls_md that was independent of the input, this could have led to an apparently successful key exchange with a predictable key, thus a glitching md accelerator could have caused a security vulnerability.
---
 library/ecjpake.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/library/ecjpake.c b/library/ecjpake.c
index b276514e8..1845c936a 100644
--- a/library/ecjpake.c
+++ b/library/ecjpake.c
@@ -226,7 +226,7 @@ static int ecjpake_hash( const mbedtls_md_info_t *md_info,
     p += id_len;
 
     /* Compute hash */
-    mbedtls_md( md_info, buf, p - buf, hash );
+    MBEDTLS_MPI_CHK( mbedtls_md( md_info, buf, p - buf, hash ) );
 
     /* Turn it into an integer mod n */
     MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( h, hash,

From ad1836af58a33e82eafa7b059a7ecadd544ee8fb Mon Sep 17 00:00:00 2001
From: k-stachowiak
Date: Fri, 28 Jun 2019 14:17:04 +0200
Subject: [PATCH 20/28] Add a test for mlaformed ECJPAKE context

---
 tests/suites/test_suite_ecjpake.data     |  3 +++
 tests/suites/test_suite_ecjpake.function | 21 +++++++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/tests/suites/test_suite_ecjpake.data b/tests/suites/test_suite_ecjpake.data
index 84c99c985..ffa59e546 100644
--- a/tests/suites/test_suite_ecjpake.data
+++ b/tests/suites/test_suite_ecjpake.data
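Review bot: The fix propagates the raw `mbedtls_md()` return value through `MBEDTLS_MPI_CHK`, so a failed digest reaches callers as an MD error code rather than an ECJPAKE one (the test added in the next commit expects `MBEDTLS_ERR_MD_BAD_INPUT_DATA`); that is acceptable but should be recorded in the function's comment so nobody later "normalises" the code and breaks the test. A why-comment on the new line would also preserve the reason this matters: `/* A failing digest must abort: a constant hash would make the ZKP and the derived key predictable. */`. `ecjpake_hash()` starts outside the hunk, so the `cleanup:` label the macro jumps to is inferred from the existing `MBEDTLS_MPI_CHK` on the following line.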
@@ -4,6 +4,9 @@ ecjpake_invalid_param:
 ECJPAKE selftest
 ecjpake_selftest:
 
+ECJPAKE fail read corrupt MD
+read_bad_md:"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"
+
 ECJPAKE round one: client, valid
 read_round_one:MBEDTLS_ECJPAKE_CLIENT:"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":0
 
diff --git a/tests/suites/test_suite_ecjpake.function b/tests/suites/test_suite_ecjpake.function
index d26729522..38f190de2 100644
--- a/tests/suites/test_suite_ecjpake.function
+++ b/tests/suites/test_suite_ecjpake.function
@@ -236,6 +236,27 @@ void ecjpake_selftest( )
 }
 /* END_CASE */
 
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C */
+void read_bad_md( data_t *msg )
+{
+    mbedtls_ecjpake_context corrupt_ctx;
+    const unsigned char * pw = NULL;
+    const size_t pw_len = 0;
+    int any_role = MBEDTLS_ECJPAKE_CLIENT;
+
+    mbedtls_ecjpake_init( &corrupt_ctx );
+    TEST_ASSERT( mbedtls_ecjpake_setup( &corrupt_ctx, any_role,
+                 MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, pw, pw_len ) == 0 );
+    corrupt_ctx.md_info = NULL;
+
+    TEST_ASSERT( mbedtls_ecjpake_read_round_one( &corrupt_ctx, msg->x,
+                 msg->len ) == MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+exit:
+    mbedtls_ecjpake_free( &corrupt_ctx );
+}
+/* END_CASE */
+
 /* BEGIN_CASE depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C */
 void read_round_one( int role, data_t * msg, int ref_ret )
 {

From 50be358479472b3affcab8cf05b0ecb3a0cc6225 Mon Sep 17 00:00:00 2001
From: k-stachowiak
Date: Wed, 10 Jul 2019 11:43:23 +0200
Subject: [PATCH 21/28] Add a change log entry

---
 ChangeLog | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 9702af207..a9c853edf 100644
--- a/ChangeLog
+++ b/ChangeLog
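Review bot: `read_bad_md()` reaches into the context and sets `corrupt_ctx.md_info = NULL` after a successful setup, which ties the test both to the struct layout and to `mbedtls_md()` rejecting a NULL info pointer with `MBEDTLS_ERR_MD_BAD_INPUT_DATA`; a comment above the assignment should say so, e.g. `/* Simulate a digest failure: mbedtls_md() rejects a NULL md_info with MBEDTLS_ERR_MD_BAD_INPUT_DATA, which must propagate unchanged. */`. Only the round-one read path is exercised; if the round-two read and the write functions go through the same hashing helper, parametrising this case over the entry point would cover them at little cost.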
@@ -2,6 +2,11 @@ mbed TLS ChangeLog (Sorted per branch, date) = mbed TLS x.x.x branch released xxxx-xx-xx +Security + * Fix a missing error detection in ECJPAKE. This could have caused a + predictable shared secret if a hardware accelerator failed and the other + side of the key exchange had a similar bug. + Bugfix * Fix to allow building test suites with any warning that detects unused functions. Fixes #1628. From 420f3589e3a52ec0754bb350f3abf5cef75ac7ce Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Wed, 31 Jul 2019 13:58:29 +0300 Subject: [PATCH 22/28] Fix the license header of hkdf Change the license header of `hkdf.h` to a format the that script `apache_to_gpl.pl` knows how to parse. --- include/mbedtls/hkdf.h | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/include/mbedtls/hkdf.h b/include/mbedtls/hkdf.h index 40ee64eb0..bcafe4251 100644 --- a/include/mbedtls/hkdf.h +++ b/include/mbedtls/hkdf.h 
@@ -7,22 +7,22 @@ * specified by RFC 5869. */ /* - * Copyright (C) 2016-2018, ARM Limited, All Rights Reserved - * SPDX-License-Identifier: Apache-2.0 + * Copyright (C) 2016-2019, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 * - * Licensed under the Apache License, Version 2.0 (the "License"); you may - * not use this file except in compliance with the License. - * You may obtain a copy of the License at + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. * - * This file is part of mbed TLS (https://tls.mbed.org) + * This file is part of mbed TLS (https://tls.mbed.org) */ #ifndef MBEDTLS_HKDF_H #define MBEDTLS_HKDF_H From fb1b7e1db9a2c0dbc48a6ccbd706f11a0a8cb7ad Mon Sep 17 00:00:00 2001 
From: Hanno Becker Date: Tue, 27 Aug 2019 06:47:18 +0100 Subject: [PATCH 23/28] HMAC DRBG: Split entropy-gathering requests to reduce request sizes According to SP800-90A, the DRBG seeding process should use a nonce of length `security_strength / 2` bits as part of the DRBG seed. It further notes that this nonce may be drawn from the same source of entropy that is used for the first `security_strength` bits of the DRBG seed. The present HMAC DRBG implementation does that, requesting `security_strength * 3 / 2` bits of entropy from the configured entropy source in total to form the initial part of the DRBG seed. However, some entropy sources may have thresholds in terms of how much entropy they can provide in a single call to their entropy gathering function which may be exceeded by the present HMAC DRBG implementation even if the threshold is not smaller than `security_strength` bits. Specifically, this is the case for our own entropy module implementation which only allows requesting at most 32 Bytes of entropy at a time in configurations disabling SHA-512, and this leads to runtime failure of HMAC DRBG when used with Mbed Crypto' own entropy callbacks in such configurations. This commit fixes this by splitting the seed entropy acquisition into two calls, one requesting `security_strength` bits first, and another one requesting `security_strength / 2` bits for the nonce. Fixes #237. --- library/hmac_drbg.c | 86 +++++++++++++++++++++++++++++++++------------ 1 file changed, 64 insertions(+), 22 deletions(-) diff --git a/library/hmac_drbg.c b/library/hmac_drbg.c index c50330e7d..50d88bd54 100644 --- a/library/hmac_drbg.c +++ b/library/hmac_drbg.c 
@@ -149,20 +149,32 @@ int mbedtls_hmac_drbg_seed_buf( mbedtls_hmac_drbg_context *ctx,
 }
 
 /*
- * HMAC_DRBG reseeding: 10.1.2.4 (arabic) + 9.2 (Roman)
+ * Internal function used both for seeding and reseeding the DRBG.
+ * Comments starting with arabic numbers refer to section 10.1.2.4
+ * of SP800-90A, while roman numbers refer to section 9.2.
  */
-int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx,
-                      const unsigned char *additional, size_t len )
+static int hmac_drbg_reseed_core( mbedtls_hmac_drbg_context *ctx,
+                                  const unsigned char *additional, size_t len,
+                                  int use_nonce )
 {
     unsigned char seed[MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT];
-    size_t seedlen;
+    size_t seedlen = 0;
     int ret;
 
-    /* III. Check input length */
-    if( len > MBEDTLS_HMAC_DRBG_MAX_INPUT ||
-        ctx->entropy_len + len > MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT )
     {
-        return( MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG );
+        size_t total_entropy_len;
+
+        if( use_nonce == 0 )
+            total_entropy_len = ctx->entropy_len;
+        else
+            total_entropy_len = ctx->entropy_len * 3 / 2;
+
+        /* III. Check input length */
+        if( len > MBEDTLS_HMAC_DRBG_MAX_INPUT ||
+            total_entropy_len + len > MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT )
+        {
+            return( MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG );
+        }
     }
 
     memset( seed, 0, MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT );
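Review bot: The bound check computes `ctx->entropy_len * 3 / 2` while the gathering code in the next hunk requests `ctx->entropy_len` and then `ctx->entropy_len / 2`; the two agree for every integer today, but writing the check as `total_entropy_len = ctx->entropy_len + ctx->entropy_len / 2;` keeps that agreement self-evident when either side is edited. `use_nonce` is tested as `use_nonce == 0` here, as `if( use_nonce )` in the next hunk, and passed as `1 /* add nonce */` from `mbedtls_hmac_drbg_seed()`; an enum (`HMAC_DRBG_RESEED_PLAIN` / `HMAC_DRBG_RESEED_WITH_NONCE`) would make the flag self-documenting at every site. The bare inner block presumably exists only so `total_entropy_len` can be declared after a statement under C89 rules; a one-line comment such as `/* block scope only for the C89 declaration placement */` stops a reader looking for something it guards.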
@@ -170,9 +182,32 @@ int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx,
     /* IV. Gather entropy_len bytes of entropy for the seed */
     if( ( ret = ctx->f_entropy( ctx->p_entropy,
                                 seed, ctx->entropy_len ) ) != 0 )
+    {
         return( MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED );
+    }
+    seedlen += ctx->entropy_len;
+
+    /* For initial seeding, allow adding of nonce generated
+     * from the entropy source. See Sect 8.6.7 in SP800-90A. */
+    if( use_nonce )
+    {
+        /* Note: We don't merge the two calls to f_entropy() in order
+         *       to avoid requesting too much entropy from f_entropy()
+         *       at once. Specifically, if the underlying digest is not
+         *       SHA-1, 3 / 2 * entropy_len is at least 36 Bytes, which
+         *       is larger than the maximum of 32 Bytes that our own
+         *       entropy source implementation can emit in a single
+         *       call in configurations disabling SHA-512. */
+        if( ( ret = ctx->f_entropy( ctx->p_entropy,
+                                    seed + seedlen,
+                                    ctx->entropy_len / 2 ) ) != 0 )
+        {
+            return( MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED );
+        }
+
+        seedlen += ctx->entropy_len / 2;
+    }
 
-    seedlen = ctx->entropy_len;
 
     /* 1. Concatenate entropy and additional data if any */
     if( additional != NULL && len != 0 )
@@ -194,8 +229,20 @@ exit:
     return( ret );
 }
 
+/*
+ * HMAC_DRBG reseeding: 10.1.2.4 + 9.2
+ */
+int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx,
+                      const unsigned char *additional, size_t len )
+{
+    return( hmac_drbg_reseed_core( ctx, additional, len, 0 ) );
+}
+
 /*
  * HMAC_DRBG initialisation (10.1.2.3 + 9.1)
+ *
+ * The nonce is not passed as a separate parameter but extracted
+ * from the entropy source as suggested in 8.6.7.
  */
 int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx,
                     const mbedtls_md_info_t * md_info,
@@ -205,7 +252,7 @@ int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx,
                     size_t len )
 {
     int ret;
-    size_t entropy_len, md_size;
+    size_t md_size;
 
     if( ( ret = mbedtls_md_setup( &ctx->md_ctx, md_info, 1 ) ) != 0 )
         return( ret );
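Review bot: The new early `return( MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED )` inside `if( use_nonce )` leaves `seed` holding `ctx->entropy_len` bytes of fresh entropy already written by the first `f_entropy()` call, and bypasses whatever the `exit:` label visible in the following hunk does on the normal error path; if `exit:` wipes `seed`, both this return and the pre-existing one that the hunk merely wraps in braces should become `ret = MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED; goto exit;` so the buffer is cleared on every path. The header comment of the new public `mbedtls_hmac_drbg_reseed()` wrapper could also say that it never draws a nonce, since that difference is otherwise only visible from the literal `0` argument.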
@@ -233,20 +280,15 @@ int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx,
      *
      * (This also matches the sizes used in the NIST test vectors.)
      */
-    entropy_len = md_size <= 20 ? 16 : /* 160-bits hash -> 128 bits */
-                  md_size <= 28 ? 24 : /* 224-bits hash -> 192 bits */
-                                  32;  /* better (256+) -> 256 bits */
+    ctx->entropy_len = md_size <= 20 ? 16 : /* 160-bits hash -> 128 bits */
+                       md_size <= 28 ? 24 : /* 224-bits hash -> 192 bits */
+                                       32;  /* better (256+) -> 256 bits */
 
-    /*
-     * For initialisation, use more entropy to emulate a nonce
-     * (Again, matches test vectors.)
-     */
-    ctx->entropy_len = entropy_len * 3 / 2;
-
-    if( ( ret = mbedtls_hmac_drbg_reseed( ctx, custom, len ) ) != 0 )
+    if( ( ret = hmac_drbg_reseed_core( ctx, custom, len,
+                                       1 /* add nonce */ ) ) != 0 )
+    {
         return( ret );
-
-    ctx->entropy_len = entropy_len;
+    }
 
     return( 0 );
 }

From 3fc6f9d16d4e9a6f85a909123ba2ca233132f571 Mon Sep 17 00:00:00 2001
From: Andy Gross
Date: Wed, 30 Jan 2019 10:25:53 -0600
Subject: [PATCH 24/28] Fix uninitialized variable in x509_crt

This patch fixes an issue we encountered with more stringent compiler warnings. The signature_is_good variable has a possibility of being used uninitialized. This patch moves the use of the variable to a place where it cannot be used while uninitialized.
Signed-off-by: Andy Gross
---
 ChangeLog          |  3 +++
 library/x509_crt.c | 10 ++++------
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index a78257803..fea2bc29f 100644
--- a/ChangeLog
+++ b/ChangeLog
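Review bot: The removed comment "(Again, matches test vectors.)" documented that the seeding path must consume exactly `entropy_len * 3 / 2` bytes from the entropy callback to reproduce the NIST vectors; the new code still consumes that many bytes but over two calls, and the kept comment "(This also matches the sizes used in the NIST test vectors.)" now only refers to the base lengths. A sentence next to the `hmac_drbg_reseed_core( ..., 1 /* add nonce */ )` call should restore that expectation, e.g. `/* The nonce is drawn from the same callback, so test harnesses must serve entropy_input || nonce sequentially. */`, assuming the suite's entropy stub hands out bytes in order as it appears to.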
@@ -23,6 +23,9 @@ Bugfix * Fix propagation of restart contexts in restartable EC operations. This could previously lead to segmentation faults in builds using an address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE. + * Improve code clarity in x509_crt module, removing false-positive + uninitialized variable warnings on some recent toolchains (GCC8, etc). + Discovered and fixed by Andy Gross (Linaro), #2392. Changes * Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h diff --git a/library/x509_crt.c b/library/x509_crt.c index 56d7a3127..9c2e36547 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -2087,15 +2087,13 @@ check_signature: continue; } + *r_parent = parent; + *r_signature_is_good = signature_is_good; + break; } - if( parent != NULL ) - { - *r_parent = parent; - *r_signature_is_good = signature_is_good; - } - else + if( parent == NULL ) { *r_parent = fallback_parent; *r_signature_is_good = fallback_signature_is_good; From 43dc0d6a8f1d62063b10025a41b2015088991df0 Mon Sep 17 00:00:00 2001 From: Unknown Date: Mon, 2 Sep 2019 10:42:57 -0400 Subject: [PATCH 25/28] ssl-opt.sh: wait for proxy to start before running the script further --- tests/ssl-opt.sh | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 238ed97d0..fa334c38b 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -420,9 +420,9 @@ has_mem_err() { fi } -# Wait for process $2 to be listening on port $1 +# Wait for process $2 named $3 to be listening on port $1. Print error to $4. if type lsof >/dev/null 2>/dev/null; then - wait_server_start() { + wait_app_start() { START_TIME=$(date +%s) if [ "$DTLS" -eq 1 ]; then proto=UDP 
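Review bot: In the x509_crt.c section, the post-loop `if( parent == NULL )` now carries the entire fallback, which is only correct if the loop ends in exactly two ways: via the new `break` with `parent` set, or by walking off the end of the list with `parent == NULL`; the loop header is outside the hunk, so that assumption should be written next to the test, e.g. `/* Fell out of the loop without a break: no acceptable parent, use the fallback. */`. The two output parameters are now assigned in two places (inside the loop and in the fallback branch); keeping both assignments in the same order, as they are, and adding a note that both must always be set together guards against one of them being dropped in a later edit.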
@@ -432,8 +432,8 @@ if type lsof >/dev/null 2>/dev/null; then # Make a tight loop, server normally takes less than 1s to start. while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then - echo "SERVERSTART TIMEOUT" - echo "SERVERSTART TIMEOUT" >> $SRV_OUT + echo "$3 START TIMEOUT" + echo "$3 START TIMEOUT" >> $4 break fi # Linux and *BSD support decimal arguments to sleep. On other @@ -442,12 +442,22 @@ if type lsof >/dev/null 2>/dev/null; then done } else - echo "Warning: lsof not available, wait_server_start = sleep" - wait_server_start() { + echo "Warning: lsof not available, wait_app_start = sleep" + wait_app_start() { sleep "$START_DELAY" } fi +# Wait for server process $2 to be listening on port $1. +wait_server_start() { + wait_app_start $1 $2 "SERVER" $SRV_OUT +} + +# Wait for proxy process $2 to be listening on port $1. +wait_proxy_start() { + wait_app_start $1 $2 "PROXY" $PXY_OUT +} + # Given the client or server debug output, parse the unix timestamp that is # included in the first 4 bytes of the random bytes and check that it's within # acceptable bounds @@ -600,7 +610,7 @@ run_test() { echo "$PXY_CMD" > $PXY_OUT $PXY_CMD >> $PXY_OUT 2>&1 & PXY_PID=$! - # assume proxy starts faster than server + wait_proxy_start "$PXY_PORT" "$PXY_PID" fi check_osrv_dtls From 0c34499805ecbeff45177727ae44418eb6c2dba5 Mon Sep 17 00:00:00 2001 From: Vikas Katariya Date: Thu, 15 Aug 2019 14:24:20 +0100 Subject: [PATCH 26/28] Check for zero length and NULL buffer pointer In reference to issue https://github.com/ARMmbed/mbed-crypto/issues/49 --- library/platform_util.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/library/platform_util.c b/library/platform_util.c index 756e22679..b1f745097 100644 --- a/library/platform_util.c +++ b/library/platform_util.c 
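Review bot: `wait_app_start $1 $2 "SERVER" $SRV_OUT` and its proxy twin pass the port, pid and output file unquoted, while the call site in the last hunk quotes `"$PXY_PORT" "$PXY_PID"`; `echo "$3 START TIMEOUT" >> $4` likewise leaves `$4` unquoted, so a path containing whitespace would be split or redirect to the wrong file. Quote them: `wait_app_start "$1" "$2" "SERVER" "$SRV_OUT"` and `echo "$3 START TIMEOUT" >> "$4"`. In the no-`lsof` fallback `wait_app_start()` ignores all four arguments and just sleeps, which is pre-existing but deserves a comment now that the signature grew.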
@@ -72,7 +72,10 @@ static void * (* const volatile memset_func)( void *, int, size_t ) = memset; void mbedtls_platform_zeroize( void *buf, size_t len ) { - memset_func( buf, 0, len ); + MBEDTLS_INTERNAL_VALIDATE( len == 0 || buf != NULL ); + + if( len > 0 ) + memset_func( buf, 0, len ); } #endif /* MBEDTLS_PLATFORM_ZEROIZE_ALT */ From cc9135f42e597bfc75bce3b2531580471a230731 Mon Sep 17 00:00:00 2001 From: Vikas Katariya Date: Thu, 15 Aug 2019 16:32:21 +0100 Subject: [PATCH 27/28] Changelog entry --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index a78257803..49e1d6ed5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,8 @@ Bugfix * Fix propagation of restart contexts in restartable EC operations. This could previously lead to segmentation faults in builds using an address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE. + * Zero length buffer check for undefined behavior in + mbedtls_platform_zeroize(). Fixes ARMmbed/mbed-crypto#49. Changes * Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h From fcb8711f6f23edca8995e2fdfa655e4d8cd79c4c Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Fri, 6 Sep 2019 13:27:00 +0100 Subject: [PATCH 28/28] Bump version to Mbed TLS 2.16.3 --- ChangeLog | 2 +- doxygen/input/doc_mainpage.h | 2 +- doxygen/mbedtls.doxyfile | 2 +- include/mbedtls/version.h | 8 ++++---- library/CMakeLists.txt | 6 +++--- tests/suites/test_suite_version.data | 4 ++-- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0293eb33c..3186e580d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,6 @@ mbed TLS ChangeLog (Sorted per branch, date) -= mbed TLS x.x.x branch released xxxx-xx-xx += mbed TLS 2.16.3 branch released 2019-09-06 Security * Fix a missing error detection in ECJPAKE. This could have caused a diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h index 3336f0fca..a6126f3be 100644 --- a/doxygen/input/doc_mainpage.h 
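Review bot: The `if( len > 0 )` guard needs a why-comment, otherwise a later reader will "simplify" it away as redundant with `memset`: `/* memset() with a null pointer is undefined even for len == 0 (C99 7.1.4); only call it when there is something to clear. */`. `MBEDTLS_INTERNAL_VALIDATE` only returns early in builds with parameter checking enabled, so in other builds a `buf == NULL` with `len > 0` still reaches `memset_func`; that is the existing contract, but the function's header comment should state it so callers do not assume the NULL case is now tolerated. The call still goes through the `volatile` function pointer, so the added branch does not weaken the guarantee that the zeroization is not optimised away.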
+++ b/doxygen/input/doc_mainpage.h @@ -24,7 +24,7 @@ */ /** - * @mainpage mbed TLS v2.16.2 source code documentation + * @mainpage mbed TLS v2.16.3 source code documentation * * This documentation describes the internal structure of mbed TLS. It was * automatically generated from specially formatted comment blocks in diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile index 40a1cabb3..904c1e7b0 100644 --- a/doxygen/mbedtls.doxyfile +++ b/doxygen/mbedtls.doxyfile @@ -28,7 +28,7 @@ DOXYFILE_ENCODING = UTF-8 # identify the project. Note that if you do not use Doxywizard you need # to put quotes around the project name if it contains spaces. -PROJECT_NAME = "mbed TLS v2.16.2" +PROJECT_NAME = "mbed TLS v2.16.3" # The PROJECT_NUMBER tag can be used to enter a project or revision number. # This could be handy for archiving the generated documentation or diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h index ef8e4c1f4..b4eef71e5 100644 --- a/include/mbedtls/version.h +++ b/include/mbedtls/version.h @@ -40,16 +40,16 @@ */ #define MBEDTLS_VERSION_MAJOR 2 #define MBEDTLS_VERSION_MINOR 16 -#define MBEDTLS_VERSION_PATCH 2 +#define MBEDTLS_VERSION_PATCH 3 /** * The single version number has the following structure: * MMNNPP00 * Major version | Minor version | Patch version */ -#define MBEDTLS_VERSION_NUMBER 0x02100200 -#define MBEDTLS_VERSION_STRING "2.16.2" -#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.16.2" +#define MBEDTLS_VERSION_NUMBER 0x02100300 +#define MBEDTLS_VERSION_STRING "2.16.3" +#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.16.3" #if defined(MBEDTLS_VERSION_C) diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 2a0d47d8b..9330cff9b 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt 
@@ -165,15 +165,15 @@ endif(USE_STATIC_MBEDTLS_LIBRARY) if(USE_SHARED_MBEDTLS_LIBRARY) add_library(mbedcrypto SHARED ${src_crypto}) - set_target_properties(mbedcrypto PROPERTIES VERSION 2.16.2 SOVERSION 3) + set_target_properties(mbedcrypto PROPERTIES VERSION 2.16.3 SOVERSION 3) target_link_libraries(mbedcrypto ${libs}) add_library(mbedx509 SHARED ${src_x509}) - set_target_properties(mbedx509 PROPERTIES VERSION 2.16.2 SOVERSION 0) + set_target_properties(mbedx509 PROPERTIES VERSION 2.16.3 SOVERSION 0) target_link_libraries(mbedx509 ${libs} mbedcrypto) add_library(mbedtls SHARED ${src_tls}) - set_target_properties(mbedtls PROPERTIES VERSION 2.16.2 SOVERSION 12) + set_target_properties(mbedtls PROPERTIES VERSION 2.16.3 SOVERSION 12) target_link_libraries(mbedtls ${libs} mbedx509) install(TARGETS mbedtls mbedx509 mbedcrypto diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data index cd1cee461..c3189c82c 100644 --- a/tests/suites/test_suite_version.data +++ b/tests/suites/test_suite_version.data @@ -1,8 +1,8 @@ Check compiletime library version -check_compiletime_version:"2.16.2" +check_compiletime_version:"2.16.3" Check runtime library version -check_runtime_version:"2.16.2" +check_runtime_version:"2.16.3" Check for MBEDTLS_VERSION_C check_feature:"MBEDTLS_VERSION_C":0