Squashed 'Sources/mbedTLS/' changes from 14c6762351..f8199650a9

d8180f8d84 Merge remote-tracking branch 'origin/mbedtls-2.7' into mbedtls-2.7-restricted
db649896e6 Merge pull request #2895 from gilles-peskine-arm/drbg-set_entropy_len-2.7
373a7097eb Merge pull request #673 from gilles-peskine-arm/ctr_drbg-aes_fail-2.7
b2be1fca2c Catch AES failure in mbedtls_ctr_drbg_random
df1b3e54c7 Merge pull request #2937 from gilles-peskine-arm/memory_buffer_alloc-fatal-pass-2.7
02fbc08d2e Enable more test cases without MBEDTLS_MEMORY_DEBUG
786f068ec0 More accurate test case description
04d45c98e8 Clarify that the "FATAL" message is expected
c5a016dde1 Merge remote-tracking branch 'restricted/pr/666' into mbedtls-2.7-restricted
e70059df85 Merge remote-tracking branch 'restricted/pr/668' into mbedtls-2.7-restricted
10fcdd25d4 Merge pull request #664 from ARMmbed/dev/yanesca/iotcrypt-958-ecdsa-side-channel-fix-2.7
07597365cd Zeroize local AES variables before exiting the function
dfa4d71873 Add ChangeLog entry
b4edac5616 mpi_lt_mpi_ct: fix condition handling
f4482aaccc mpi_lt_mpi_ct: Add further tests
a776aea91a mpi_lt_mpi_ct: Fix test numbering
1b86eeb06b mpi_lt_mpi_ct perform tests for both limb size
5823961558 ct_lt_mpi_uint: cast the return value explicitely
6adff06e50 mbedtls_mpi_lt_mpi_ct: add tests for 32 bit limbs
cff9e6e03d mbedtls_mpi_lt_mpi_ct: simplify condition
8ec2a953af Rename variable for better readability
a2b9a96fb8 mbedtls_mpi_lt_mpi_ct: Improve documentation
51ed14e20f Make mbedtls_mpi_lt_mpi_ct more portable
9741fa6e2b Bignum: Document assumptions about the sign field
9332ecefc8 Add more tests for mbedtls_mpi_lt_mpi_ct
aaa3f22b76 mpi_lt_mpi_ct test: hardcode base 16
3173a53fe9 Document ct_lt_mpi_uint
782cbe592d mpi_lt_mpi_ct: make use of unsigned consistent
db9f449409 ct_lt_mpi_uint: make use of biL
c3b376e2f2 Change mbedtls_mpi_cmp_mpi_ct to check less than
8461c0e2a8 mbedtls_mpi_cmp_mpi_ct: remove multiplications
8de2d45cd7 Remove excess vertical space
c587a32a9c Remove declaration after statement
5f3019b298 Fix side channel vulnerability in ECDSA
883801d3ec Add tests to constant time mpi comparison
e0187b95f0 Add new, constant time mpi comparison
4c575c0270 Note that mbedtls_ctr_drbg_seed() must not be called twice
eab4d701ca Fix CTR_DRBG benchmark
5cf41f80a4 Add ChangeLog entry
82debf8332 ECDSA: Fix side channel vulnerability
093aa517c4 Changelog entry for xxx_drbg_set_entropy_len before xxx_drbg_seed
b729e1b9ba CTR_DRBG: support set_entropy_len() before seed()
845ac103a9 CTR_DRBG: Don't use functions before they're defined
9c742249cf HMAC_DRBG: support set_entropy_len() before seed()
c87a54683b Merge pull request #2900 from gilles-peskine-arm/asan-test-fail-2.7
cc656ac96b Merge pull request #2872 from gilles-peskine-arm/test_malloc_0_null-2.7
5ee14d70d2 'make test' must fail if Asan fails
4c2697f43f Asan make builds: avoid sanitizer recovery
260921d3f2 Use UBsan in addition to Asan with 'make test'
c20a4053c3 Unify ASan options in make builds
395d8c1222 Merge remote-tracking branch 'origin/pr/2878' into mbedtls-2.7
55e120b9b2 mbedtls_hmac_drbg_set_entropy_len() only matters when reseeding
dff3682477 mbedtls_ctr_drbg_set_entropy_len() only matters when reseeding
2abefefec2 mbedtls_ctr_drbg_seed: correct maximum for len
406d25878c Add a note about CTR_DRBG security strength to config.h
f0b3dcb14b CTR_DRBG: more consistent formatting and wording
b9cfe58180 DRBG documentation: Relate f_entropy arguments to the entropy module
97edf5e1e2 Add ChangeLog entry for the DRBG documentation improvements
5cc748e58f Merge remote-tracking branch 'origin/pr/2866' into mbedtls-2.7
d89173066c HMAC_DRBG documentation improvements
2fc6cf5da7 Merge remote-tracking branch 'origin/pr/2704' into mbedtls-2.7
eb99c1028f CTR_DRBG: explain the security strength and the entropy input length
25e1945321 CTR_DRBG documentation improvements
0ab4092e2d Reduce stack usage of test_suite_pkcs1_v15
dd4277f70d Reduce stack usage of test_suite_pkcs1_v21
b3d3973264 Reduce stack usage of test_suite_rsa
6827d1c588 Reduce stack usage of test_suite_pk
0981a5d7ab Add a test component with malloc(0) returning NULL
ea5d3571b0 Add a calloc self-test
d28b9b3c5d Merge remote-tracking branch 'origin/pr/2828' into mbedtls-2.7
9b1c248209 Enable MBEDTLS_MEMORY_DEBUG in memory buffer alloc test in all.sh
7eb7f8db8b Remove unnecessary memory buffer alloc unsets
6addfdd190 Disable DTLS proxy tests for MEMORY_BUFFER_ALLOC test
9a461a1cd7 all.sh: restructure memory allocator tests
7aad93c9da Add missing dependency in memory buffer alloc set in all.sh
19aa89ad47 Don't set MBEDTLS_MEMORY_DEBUG through `scripts/config.pl full`
8561115cb8 Add cfg dep MBEDTLS_MEMORY_DEBUG->MBEDTLS_MEMORY_BUFFER_ALLOC_C
167ae43852 Add all.sh run with full config and ASan enabled
f5baaaaf89 Add all.sh run with MBEDTLS_MEMORY_BUFFER_ALLOC_C enabled
e1c62e6641 Update documentation of exceptions for `config.pl full`
c7f97f1c8d Adapt all.sh to removal of buffer allocator from full config
26c333ac01 Disable memory buffer allocator in full config
76ef31116b Check dependencies of MBEDTLS_MEMORY_BACKTRACE in check_config.h
9bf1509ef3 Adapt auth_crypt_tv usage to 2.7
dd91b24764 Add missing dependencies in test_suite_cipher.gcm
d62577fa74 Adapt ChangeLog
311276c871 Add NIST AES GCM test vectors to single-step cipher API test suite

git-subtree-dir: Sources/mbedTLS
git-subtree-split: f8199650a9d49b3982a7b7f3d448899b67b09571

ChangeLog

@@ -1,5 +1,43 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
+= mbed TLS 2.7.13 branch released 2020-01-15
+
+Security
+   * Fix side channel vulnerability in ECDSA. Our bignum implementation is not
+     constant time/constant trace, so side channel attacks can retrieve the
+     blinded value, factor it (as it is smaller than RSA keys and not guaranteed
+     to have only large prime factors), and then, by brute force, recover the
+     key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
+   * Zeroize local variables in mbedtls_internal_aes_encrypt() and
+     mbedtls_internal_aes_decrypt() before exiting the function. The value of
+     these variables can be used to recover the last round key. To follow best
+     practice and to limit the impact of buffer overread vulnerabilities (like
+     Heartbleed) we need to zeroize them before exiting the function.
+     Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
+     Grant Hernandez, and Kevin Butler (University of Florida) and
+     Dave Tian (Purdue University).
+   * Fix side channel vulnerability in ECDSA key generation. Obtaining precise
+     timings on the comparison in the key generation enabled the attacker to
+     learn leading bits of the ephemeral key used during ECDSA signatures and to
+     recover the private key.
+   * Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught
+     failures could happen with alternative implementations of AES. Bug
+     reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri,
+     Sectra.
+
+Bugfix
+   * Support mbedtls_hmac_drbg_set_entropy_len() and
+     mbedtls_ctr_drbg_set_entropy_len() before the DRBG is seeded. Before,
+     the initial seeding always reset the entropy length to the compile-time
+     default.
+
+Changes
+   * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
+     from the cipher abstraction layer. Fixes #2198.
+   * Clarify how the interface of the CTR_DRBG and HMAC modules relates to
+     NIST SP 800-90A. In particular CTR_DRBG requires an explicit nonce
+     to achieve a 256-bit strength if MBEDTLS_ENTROPY_FORCE_SHA256 is set.
+
 = mbed TLS 2.7.12 branch released 2019-09-06
 
 Security