Squashed 'Sources/mbedTLS/' changes from 14c6762351..f8199650a9

d8180f8d84 Merge remote-tracking branch 'origin/mbedtls-2.7' into mbedtls-2.7-restricted
db649896e6 Merge pull request #2895 from gilles-peskine-arm/drbg-set_entropy_len-2.7
373a7097eb Merge pull request #673 from gilles-peskine-arm/ctr_drbg-aes_fail-2.7
b2be1fca2c Catch AES failure in mbedtls_ctr_drbg_random
df1b3e54c7 Merge pull request #2937 from gilles-peskine-arm/memory_buffer_alloc-fatal-pass-2.7
02fbc08d2e Enable more test cases without MBEDTLS_MEMORY_DEBUG
786f068ec0 More accurate test case description
04d45c98e8 Clarify that the "FATAL" message is expected
c5a016dde1 Merge remote-tracking branch 'restricted/pr/666' into mbedtls-2.7-restricted
e70059df85 Merge remote-tracking branch 'restricted/pr/668' into mbedtls-2.7-restricted
10fcdd25d4 Merge pull request #664 from ARMmbed/dev/yanesca/iotcrypt-958-ecdsa-side-channel-fix-2.7
07597365cd Zeroize local AES variables before exiting the function
dfa4d71873 Add ChangeLog entry
b4edac5616 mpi_lt_mpi_ct: fix condition handling
f4482aaccc mpi_lt_mpi_ct: Add further tests
a776aea91a mpi_lt_mpi_ct: Fix test numbering
1b86eeb06b mpi_lt_mpi_ct perform tests for both limb size
5823961558 ct_lt_mpi_uint: cast the return value explicitely
6adff06e50 mbedtls_mpi_lt_mpi_ct: add tests for 32 bit limbs
cff9e6e03d mbedtls_mpi_lt_mpi_ct: simplify condition
8ec2a953af Rename variable for better readability
a2b9a96fb8 mbedtls_mpi_lt_mpi_ct: Improve documentation
51ed14e20f Make mbedtls_mpi_lt_mpi_ct more portable
9741fa6e2b Bignum: Document assumptions about the sign field
9332ecefc8 Add more tests for mbedtls_mpi_lt_mpi_ct
aaa3f22b76 mpi_lt_mpi_ct test: hardcode base 16
3173a53fe9 Document ct_lt_mpi_uint
782cbe592d mpi_lt_mpi_ct: make use of unsigned consistent
db9f449409 ct_lt_mpi_uint: make use of biL
c3b376e2f2 Change mbedtls_mpi_cmp_mpi_ct to check less than
8461c0e2a8 mbedtls_mpi_cmp_mpi_ct: remove multiplications
8de2d45cd7 Remove excess vertical space
c587a32a9c Remove declaration after statement
5f3019b298 Fix side channel vulnerability in ECDSA
883801d3ec Add tests to constant time mpi comparison
e0187b95f0 Add new, constant time mpi comparison
4c575c0270 Note that mbedtls_ctr_drbg_seed() must not be called twice
eab4d701ca Fix CTR_DRBG benchmark
5cf41f80a4 Add ChangeLog entry
82debf8332 ECDSA: Fix side channel vulnerability
093aa517c4 Changelog entry for xxx_drbg_set_entropy_len before xxx_drbg_seed
b729e1b9ba CTR_DRBG: support set_entropy_len() before seed()
845ac103a9 CTR_DRBG: Don't use functions before they're defined
9c742249cf HMAC_DRBG: support set_entropy_len() before seed()
c87a54683b Merge pull request #2900 from gilles-peskine-arm/asan-test-fail-2.7
cc656ac96b Merge pull request #2872 from gilles-peskine-arm/test_malloc_0_null-2.7
5ee14d70d2 'make test' must fail if Asan fails
4c2697f43f Asan make builds: avoid sanitizer recovery
260921d3f2 Use UBsan in addition to Asan with 'make test'
c20a4053c3 Unify ASan options in make builds
395d8c1222 Merge remote-tracking branch 'origin/pr/2878' into mbedtls-2.7
55e120b9b2 mbedtls_hmac_drbg_set_entropy_len() only matters when reseeding
dff3682477 mbedtls_ctr_drbg_set_entropy_len() only matters when reseeding
2abefefec2 mbedtls_ctr_drbg_seed: correct maximum for len
406d25878c Add a note about CTR_DRBG security strength to config.h
f0b3dcb14b CTR_DRBG: more consistent formatting and wording
b9cfe58180 DRBG documentation: Relate f_entropy arguments to the entropy module
97edf5e1e2 Add ChangeLog entry for the DRBG documentation improvements
5cc748e58f Merge remote-tracking branch 'origin/pr/2866' into mbedtls-2.7
d89173066c HMAC_DRBG documentation improvements
2fc6cf5da7 Merge remote-tracking branch 'origin/pr/2704' into mbedtls-2.7
eb99c1028f CTR_DRBG: explain the security strength and the entropy input length
25e1945321 CTR_DRBG documentation improvements
0ab4092e2d Reduce stack usage of test_suite_pkcs1_v15
dd4277f70d Reduce stack usage of test_suite_pkcs1_v21
b3d3973264 Reduce stack usage of test_suite_rsa
6827d1c588 Reduce stack usage of test_suite_pk
0981a5d7ab Add a test component with malloc(0) returning NULL
ea5d3571b0 Add a calloc self-test
d28b9b3c5d Merge remote-tracking branch 'origin/pr/2828' into mbedtls-2.7
9b1c248209 Enable MBEDTLS_MEMORY_DEBUG in memory buffer alloc test in all.sh
7eb7f8db8b Remove unnecessary memory buffer alloc unsets
6addfdd190 Disable DTLS proxy tests for MEMORY_BUFFER_ALLOC test
9a461a1cd7 all.sh: restructure memory allocator tests
7aad93c9da Add missing dependency in memory buffer alloc set in all.sh
19aa89ad47 Don't set MBEDTLS_MEMORY_DEBUG through `scripts/config.pl full`
8561115cb8 Add cfg dep MBEDTLS_MEMORY_DEBUG->MBEDTLS_MEMORY_BUFFER_ALLOC_C
167ae43852 Add all.sh run with full config and ASan enabled
f5baaaaf89 Add all.sh run with MBEDTLS_MEMORY_BUFFER_ALLOC_C enabled
e1c62e6641 Update documentation of exceptions for `config.pl full`
c7f97f1c8d Adapt all.sh to removal of buffer allocator from full config
26c333ac01 Disable memory buffer allocator in full config
76ef31116b Check dependencies of MBEDTLS_MEMORY_BACKTRACE in check_config.h
9bf1509ef3 Adapt auth_crypt_tv usage to 2.7
dd91b24764 Add missing dependencies in test_suite_cipher.gcm
d62577fa74 Adapt ChangeLog
311276c871 Add NIST AES GCM test vectors to single-step cipher API test suite

git-subtree-dir: Sources/mbedTLS
git-subtree-split: f8199650a9d49b3982a7b7f3d448899b67b09571

library/aes.c

@@ -761,6 +761,18 @@ int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
     PUT_UINT32_LE( X2, output,  8 );
     PUT_UINT32_LE( X3, output, 12 );
 
+    mbedtls_zeroize( &X0, sizeof( X0 ) );
+    mbedtls_zeroize( &X1, sizeof( X1 ) );
+    mbedtls_zeroize( &X2, sizeof( X2 ) );
+    mbedtls_zeroize( &X3, sizeof( X3 ) );
+
+    mbedtls_zeroize( &Y0, sizeof( Y0 ) );
+    mbedtls_zeroize( &Y1, sizeof( Y1 ) );
+    mbedtls_zeroize( &Y2, sizeof( Y2 ) );
+    mbedtls_zeroize( &Y3, sizeof( Y3 ) );
+
+    mbedtls_zeroize( &RK, sizeof( RK ) );
+
     return( 0 );
 }
 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */
@@ -829,6 +841,18 @@ int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
     PUT_UINT32_LE( X2, output,  8 );
     PUT_UINT32_LE( X3, output, 12 );
 
+    mbedtls_zeroize( &X0, sizeof( X0 ) );
+    mbedtls_zeroize( &X1, sizeof( X1 ) );
+    mbedtls_zeroize( &X2, sizeof( X2 ) );
+    mbedtls_zeroize( &X3, sizeof( X3 ) );
+
+    mbedtls_zeroize( &Y0, sizeof( Y0 ) );
+    mbedtls_zeroize( &Y1, sizeof( Y1 ) );
+    mbedtls_zeroize( &Y2, sizeof( Y2 ) );
+    mbedtls_zeroize( &Y3, sizeof( Y3 ) );
+
+    mbedtls_zeroize( &RK, sizeof( RK ) );
+
     return( 0 );
 }
 #endif /* !MBEDTLS_AES_DECRYPT_ALT */

library/bignum.c

@@ -919,6 +919,103 @@ int mbedtls_mpi_cmp_mpi( const mbedtls_mpi *X, const mbedtls_mpi *Y )
     return( 0 );
 }
 
+/** Decide if an integer is less than the other, without branches.
+ *
+ * \param x         First integer.
+ * \param y         Second integer.
+ *
+ * \return          1 if \p x is less than \p y, 0 otherwise
+ */
+static unsigned ct_lt_mpi_uint( const mbedtls_mpi_uint x,
+        const mbedtls_mpi_uint y )
+{
+    mbedtls_mpi_uint ret;
+    mbedtls_mpi_uint cond;
+
+    /*
+     * Check if the most significant bits (MSB) of the operands are different.
+     */
+    cond = ( x ^ y );
+    /*
+     * If the MSB are the same then the difference x-y will be negative (and
+     * have its MSB set to 1 during conversion to unsigned) if and only if x<y.
+     */
+    ret = ( x - y ) & ~cond;
+    /*
+     * If the MSB are different, then the operand with the MSB of 1 is the
+     * bigger. (That is if y has MSB of 1, then x<y is true and it is false if
+     * the MSB of y is 0.)
+     */
+    ret |= y & cond;
+
+
+    ret = ret >> ( biL - 1 );
+
+    return (unsigned) ret;
+}
+
+/*
+ * Compare signed values in constant time
+ */
+int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *X, const mbedtls_mpi *Y,
+        unsigned *ret )
+{
+    size_t i;
+    /* The value of any of these variables is either 0 or 1 at all times. */
+    unsigned cond, done, X_is_negative, Y_is_negative;
+
+    if( X->n != Y->n )
+        return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+
+    /*
+     * Set sign_N to 1 if N >= 0, 0 if N < 0.
+     * We know that N->s == 1 if N >= 0 and N->s == -1 if N < 0.
+     */
+    X_is_negative = ( X->s & 2 ) >> 1;
+    Y_is_negative = ( Y->s & 2 ) >> 1;
+
+    /*
+     * If the signs are different, then the positive operand is the bigger.
+     * That is if X is negative (X_is_negative == 1), then X < Y is true and it
+     * is false if X is positive (X_is_negative == 0).
+     */
+    cond = ( X_is_negative ^ Y_is_negative );
+    *ret = cond & X_is_negative;
+
+    /*
+     * This is a constant-time function. We might have the result, but we still
+     * need to go through the loop. Record if we have the result already.
+     */
+    done = cond;
+
+    for( i = X->n; i > 0; i-- )
+    {
+        /*
+         * If Y->p[i - 1] < X->p[i - 1] then X < Y is true if and only if both
+         * X and Y are negative.
+         *
+         * Again even if we can make a decision, we just mark the result and
+         * the fact that we are done and continue looping.
+         */
+        cond = ct_lt_mpi_uint( Y->p[i - 1], X->p[i - 1] );
+        *ret |= cond & ( 1 - done ) & X_is_negative;
+        done |= cond;
+
+        /*
+         * If X->p[i - 1] < Y->p[i - 1] then X < Y is true if and only if both
+         * X and Y are positive.
+         *
+         * Again even if we can make a decision, we just mark the result and
+         * the fact that we are done and continue looping.
+         */
+        cond = ct_lt_mpi_uint( X->p[i - 1], Y->p[i - 1] );
+        *ret |= cond & ( 1 - done ) & ( 1 - X_is_negative );
+        done |= cond;
+    }
+
+    return( 0 );
+}
+
 /*
  * Compare signed values
  */

library/ctr_drbg.c

@@ -66,56 +66,6 @@ void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx )
 #endif
 }
 
-/*
- * Non-public function wrapped by mbedtls_ctr_drbg_seed(). Necessary to allow
- * NIST tests to succeed (which require known length fixed entropy)
- */
-int mbedtls_ctr_drbg_seed_entropy_len(
-                   mbedtls_ctr_drbg_context *ctx,
-                   int (*f_entropy)(void *, unsigned char *, size_t),
-                   void *p_entropy,
-                   const unsigned char *custom,
-                   size_t len,
-                   size_t entropy_len )
-{
-    int ret;
-    unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
-
-    memset( key, 0, MBEDTLS_CTR_DRBG_KEYSIZE );
-
-    mbedtls_aes_init( &ctx->aes_ctx );
-
-    ctx->f_entropy = f_entropy;
-    ctx->p_entropy = p_entropy;
-
-    ctx->entropy_len = entropy_len;
-    ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
-
-    /*
-     * Initialize with an empty key
-     */
-    if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
-    {
-        return( ret );
-    }
-
-    if( ( ret = mbedtls_ctr_drbg_reseed( ctx, custom, len ) ) != 0 )
-    {
-        return( ret );
-    }
-    return( 0 );
-}
-
-int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx,
-                   int (*f_entropy)(void *, unsigned char *, size_t),
-                   void *p_entropy,
-                   const unsigned char *custom,
-                   size_t len )
-{
-    return( mbedtls_ctr_drbg_seed_entropy_len( ctx, f_entropy, p_entropy, custom, len,
-                                       MBEDTLS_CTR_DRBG_ENTROPY_LEN ) );
-}
-
 void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx )
 {
     if( ctx == NULL )
@@ -386,6 +336,52 @@ exit:
     return( ret );
 }
 
+int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx,
+                           int (*f_entropy)(void *, unsigned char *, size_t),
+                           void *p_entropy,
+                           const unsigned char *custom,
+                           size_t len )
+{
+    int ret;
+    unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
+
+    memset( key, 0, MBEDTLS_CTR_DRBG_KEYSIZE );
+
+    mbedtls_aes_init( &ctx->aes_ctx );
+
+    ctx->f_entropy = f_entropy;
+    ctx->p_entropy = p_entropy;
+
+    if( ctx->entropy_len == 0 )
+        ctx->entropy_len = MBEDTLS_CTR_DRBG_ENTROPY_LEN;
+    ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
+
+    /*
+     * Initialize with an empty key
+     */
+    if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_ctr_drbg_reseed( ctx, custom, len ) ) != 0 )
+    {
+        return( ret );
+    }
+    return( 0 );
+}
+
+/* Backward compatibility wrapper */
+int mbedtls_ctr_drbg_seed_entropy_len(
+    mbedtls_ctr_drbg_context *ctx,
+    int (*f_entropy)(void *, unsigned char *, size_t), void *p_entropy,
+    const unsigned char *custom, size_t len,
+    size_t entropy_len )
+{
+    mbedtls_ctr_drbg_set_entropy_len( ctx, entropy_len );
+    return( mbedtls_ctr_drbg_seed( ctx, f_entropy, p_entropy, custom, len ) );
+}
+
 int mbedtls_ctr_drbg_random_with_add( void *p_rng,
                               unsigned char *output, size_t output_len,
                               const unsigned char *additional, size_t add_len )
@@ -457,7 +453,7 @@ int mbedtls_ctr_drbg_random_with_add( void *p_rng,
 exit:
     mbedtls_zeroize( add_input, sizeof( add_input ) );
     mbedtls_zeroize( tmp, sizeof( tmp ) );
-    return( 0 );
+    return( ret );
 }
 
 int mbedtls_ctr_drbg_random( void *p_rng, unsigned char *output, size_t output_len )
@@ -617,8 +613,11 @@ int mbedtls_ctr_drbg_self_test( int verbose )
         mbedtls_printf( "  CTR_DRBG (PR = TRUE) : " );
 
     test_offset = 0;
-    CHK( mbedtls_ctr_drbg_seed_entropy_len( &ctx, ctr_drbg_self_test_entropy,
-                                (void *) entropy_source_pr, nonce_pers_pr, 16, 32 ) );
+    mbedtls_ctr_drbg_set_entropy_len( &ctx, 32 );
+    CHK( mbedtls_ctr_drbg_seed( &ctx,
+                                ctr_drbg_self_test_entropy,
+                                (void *) entropy_source_pr,
+                                nonce_pers_pr, 16 ) );
     mbedtls_ctr_drbg_set_prediction_resistance( &ctx, MBEDTLS_CTR_DRBG_PR_ON );
     CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
     CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
@@ -638,8 +637,11 @@ int mbedtls_ctr_drbg_self_test( int verbose )
     mbedtls_ctr_drbg_init( &ctx );
 
     test_offset = 0;
-    CHK( mbedtls_ctr_drbg_seed_entropy_len( &ctx, ctr_drbg_self_test_entropy,
-                            (void *) entropy_source_nopr, nonce_pers_nopr, 16, 32 ) );
+    mbedtls_ctr_drbg_set_entropy_len( &ctx, 32 );
+    CHK( mbedtls_ctr_drbg_seed( &ctx,
+                                ctr_drbg_self_test_entropy,
+                                (void *) entropy_source_nopr,
+                                nonce_pers_nopr, 16 ) );
     CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) );
     CHK( mbedtls_ctr_drbg_reseed( &ctx, NULL, 0 ) );
     CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) );

library/ecdsa.c

@@ -153,6 +153,7 @@ static int ecdsa_sign_internal( mbedtls_ecp_group *grp, mbedtls_mpi *r,
         MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &e, &e, s ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &e, &e, &t ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &k, &k, &t ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &k, &k, &grp->N ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, &k, &grp->N ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, s, &e ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( s, s, &grp->N ) );

library/ecp.c

@@ -1957,6 +1957,7 @@ int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp,
     {
         /* SEC1 3.2.1: Generate d such that 1 <= n < N */
         int count = 0;
+        unsigned cmp = 0;
 
         /*
          * Match the procedure given in RFC 6979 (deterministic ECDSA):
@@ -1981,9 +1982,14 @@ int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp,
              */
             if( ++count > 30 )
                 return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
+
+            ret = mbedtls_mpi_lt_mpi_ct( d, &grp->N, &cmp );
+            if( ret != 0 )
+            {
+                goto cleanup;
+            }
         }
-        while( mbedtls_mpi_cmp_int( d, 1 ) < 0 ||
-               mbedtls_mpi_cmp_mpi( d, &grp->N ) >= 0 );
+        while( mbedtls_mpi_cmp_int( d, 1 ) < 0 || cmp != 1 );
     }
 #endif /* ECP_SHORTWEIERSTRASS */
 

library/hmac_drbg.c

@@ -275,16 +275,19 @@ int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx,
 
     ctx->reseed_interval = MBEDTLS_HMAC_DRBG_RESEED_INTERVAL;
 
-    /*
-     * See SP800-57 5.6.1 (p. 65-66) for the security strength provided by
-     * each hash function, then according to SP800-90A rev1 10.1 table 2,
-     * min_entropy_len (in bits) is security_strength.
-     *
-     * (This also matches the sizes used in the NIST test vectors.)
-     */
-    ctx->entropy_len = md_size <= 20 ? 16 : /* 160-bits hash -> 128 bits */
-                       md_size <= 28 ? 24 : /* 224-bits hash -> 192 bits */
-                       32;  /* better (256+) -> 256 bits */
+    if( ctx->entropy_len == 0 )
+    {
+        /*
+         * See SP800-57 5.6.1 (p. 65-66) for the security strength provided by
+         * each hash function, then according to SP800-90A rev1 10.1 table 2,
+         * min_entropy_len (in bits) is security_strength.
+         *
+         * (This also matches the sizes used in the NIST test vectors.)
+         */
+        ctx->entropy_len = md_size <= 20 ? 16 : /* 160-bits hash -> 128 bits */
+                           md_size <= 28 ? 24 : /* 224-bits hash -> 192 bits */
+                           32;  /* better (256+) -> 256 bits */
+    }
 
     if( ( ret = hmac_drbg_reseed_core( ctx, custom, len,
                                        1 /* add nonce */ ) ) != 0 )
@@ -305,7 +308,7 @@ void mbedtls_hmac_drbg_set_prediction_resistance( mbedtls_hmac_drbg_context *ctx
 }
 
 /*
- * Set entropy length grabbed for reseeds
+ * Set entropy length grabbed for seeding
  */
 void mbedtls_hmac_drbg_set_entropy_len( mbedtls_hmac_drbg_context *ctx, size_t len )
 {