Skip to content

Commit

Permalink
Merge pull request #1009 from paul-elliott-arm/mbedtls-2.28.3rc0-pr
Browse files Browse the repository at this point in the history
Mbedtls 2.28.3rc0 pr - DO NOT MERGE
  • Loading branch information
paul-elliott-arm authored Mar 24, 2023
2 parents 1857335 + e4f1aac commit 981743d
Show file tree
Hide file tree
Showing 36 changed files with 1,015 additions and 271 deletions.
1 change: 1 addition & 0 deletions .travis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,7 @@ jobs:
os: windows
script:
- scripts/windows_msbuild.bat v141 # Visual Studio 2017
- visualc/VS2010/x64/Release/selftest.exe --ci

after_failure:
- tests/scripts/travis-log-failure.sh
Expand Down
2 changes: 1 addition & 1 deletion BRANCHES.md
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,6 @@ The following branches are currently maintained:
- [`development`](https://github.com/Mbed-TLS/mbedtls/)
- [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28)
maintained until at least the end of 2024, see
<https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2>.
<https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.3>.

Users are urged to always use the latest version of a maintained branch.
79 changes: 79 additions & 0 deletions ChangeLog
Original file line number Diff line number Diff line change
@@ -1,5 +1,84 @@
Mbed TLS ChangeLog (Sorted per branch, date)

= Mbed TLS 2.28.3 branch released 2023-03-28

Features
* Use HOSTCC (if it is set) when compiling C code during generation of the
configuration-independent files. This allows them to be generated when
CC is set for cross compilation.
* AES-NI is now supported with Visual Studio.
* AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
is disabled, when compiling with GCC or Clang or a compatible compiler
for a target CPU that supports the requisite instructions (for example
gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like
compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.)

Security
* MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on
builds that couldn't compile the GCC-style assembly implementation
(most notably builds with Visual Studio), leaving them vulnerable to
timing side-channel attacks. There is now an intrinsics-based AES-NI
implementation as a fallback for when the assembly one cannot be used.

Bugfix
* Fix a build issue on Windows where the source and build directory could
not be on different drives (#5751).
* Fix possible integer overflow in mbedtls_timing_hardclock(), which
could cause a crash for certain platforms & compiler options.
* Fix IAR compiler warnings. Fixes #6924.
* Fix a bug in the build where directory names containing spaces were
causing generate_errors.pl to error out resulting in a build failure.
Fixes issue #6879.
* Fix compile error where MBEDTLS_RSA_C and MBEDTLS_X509_CRT_WRITE_C are
defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174.
* Fix a build issue when defining MBEDTLS_TIMING_ALT and MBEDTLS_SELF_TEST.
The library would not link if the user didn't provide an external self-test
function. The self-test is now provided regardless of the choice of
internal/alternative timing implementation. Fixes #6923.
* mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers
whose binary representation is longer than 20 bytes. This was already
forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
enforced also at code level.
* Fix potential undefined behavior in mbedtls_mpi_sub_abs(). Reported by
Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by
Aaron Ucko under Valgrind.
* Fix behavior of certain sample programs which could, when run with no
arguments, access uninitialized memory in some cases. Fixes #6700 (which
was found by TrustInSoft Analyzer during REDOCS'22) and #1120.
* Fix build errors in test programs when MBEDTLS_CERTS_C is disabled.
Fixes #6243.
* Fix parsing of X.509 SubjectAlternativeName extension. Previously,
malformed alternative name components were not caught during initial
certificate parsing, but only on subsequent calls to
mbedtls_x509_parse_subject_alt_name(). Fixes #2838.
* Fix bug in conversion from OID to string in
mbedtls_oid_get_numeric_string(). OIDs such as 2.40.0.25 are now printed
correctly.
* Reject OIDs with overlong-encoded subidentifiers when converting
them to a string.
* Reject OIDs with subidentifier values exceeding UINT_MAX. Such
subidentifiers can be valid, but Mbed TLS cannot currently handle them.
* Reject OIDs that have unterminated subidentifiers, or (equivalently)
have the most-significant bit set in their last byte.
* Silence a warning about an unused local variable in bignum.c on
some architectures. Fixes #7166.
* Silence warnings from clang -Wdocumentation about empty \retval
descriptions, which started appearing with Clang 15. Fixes #6960.
* Fix undefined behavior in mbedtls_ssl_read() and mbedtls_ssl_write() if
len argument is 0 and buffer is NULL.

Changes
* The C code follows a new coding style. This is transparent for users but
affects contributors and maintainers of local patches. For more
information, see
https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
* Changed the default MBEDTLS_ECP_WINDOW_SIZE from 6 to 2.
As tested in issue 6790, the correlation between this define and
RSA decryption performance has changed lately due to security fixes.
To fix the performance degradation when using default values the
window was reduced from 6 to 2, a value that gives the best or close
to best results when tested on Cortex-M4 and Intel i7.

= Mbed TLS 2.28.2 branch released 2022-12-14

Security
Expand Down
3 changes: 0 additions & 3 deletions ChangeLog.d/build-without-certs.txt

This file was deleted.

4 changes: 0 additions & 4 deletions ChangeLog.d/c-build-helper-hostcc.txt

This file was deleted.

3 changes: 0 additions & 3 deletions ChangeLog.d/clang-15-bignum-warning.txt

This file was deleted.

5 changes: 0 additions & 5 deletions ChangeLog.d/coding-style.txt

This file was deleted.

4 changes: 0 additions & 4 deletions ChangeLog.d/conditionalize-mbedtls_mpi_sub_abs-memcpy.txt

This file was deleted.

3 changes: 0 additions & 3 deletions ChangeLog.d/empty-retval-description.txt

This file was deleted.

4 changes: 0 additions & 4 deletions ChangeLog.d/fix-example-programs-no-args.txt

This file was deleted.

4 changes: 0 additions & 4 deletions ChangeLog.d/fix-gettimeofday-overflow.txt

This file was deleted.

2 changes: 0 additions & 2 deletions ChangeLog.d/fix-iar-warnings.txt

This file was deleted.

10 changes: 0 additions & 10 deletions ChangeLog.d/fix-oid-to-string-bugs.txt

This file was deleted.

3 changes: 0 additions & 3 deletions ChangeLog.d/fix-rsaalt-test-guards.txt

This file was deleted.

This file was deleted.

3 changes: 0 additions & 3 deletions ChangeLog.d/fix_hard_link_across_drives

This file was deleted.

5 changes: 0 additions & 5 deletions ChangeLog.d/fix_timing_alt.txt

This file was deleted.

This file was deleted.

3 changes: 0 additions & 3 deletions ChangeLog.d/mbedtls_ssl_read_undefined_behavior.txt

This file was deleted.

7 changes: 0 additions & 7 deletions ChangeLog.d/mpi-window-perf

This file was deleted.

5 changes: 0 additions & 5 deletions ChangeLog.d/x509-subaltname-ext

This file was deleted.

117 changes: 117 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,3 +18,120 @@ goes public.
Only the maintained branches, as listed in [`BRANCHES.md`](BRANCHES.md),
get security fixes.
Users are urged to always use the latest version of a maintained branch.

## Threat model

We classify attacks based on the capabilities of the attacker.

### Remote attacks

In this section, we consider an attacker who can observe and modify data sent
over the network. This includes observing the content and timing of individual
packets, as well as suppressing or delaying legitimate messages, and injecting
messages.

Mbed TLS aims to fully protect against remote attacks and to enable the user
application in providing full protection against remote attacks. Said
protection is limited to providing security guarantees offered by the protocol
being implemented. (For example Mbed TLS alone won't guarantee that the
messages will arrive without delay, as the TLS protocol doesn't guarantee that
either.)

**Warning!** Block ciphers do not yet achieve full protection against attackers
who can measure the timing of packets with sufficient precision. For details
and workarounds see the [Block Ciphers](#block-ciphers) section.

### Local attacks

In this section, we consider an attacker who can run software on the same
machine. The attacker has insufficient privileges to directly access Mbed TLS
assets such as memory and files.

#### Timing attacks

The attacker is able to observe the timing of instructions executed by Mbed TLS
by leveraging shared hardware that both Mbed TLS and the attacker have access
to. Typical attack vectors include cache timings, memory bus contention and
branch prediction.

Mbed TLS provides limited protection against timing attacks. The cost of
protecting against timing attacks widely varies depending on the granularity of
the measurements and the noise present. Therefore the protection in Mbed TLS is
limited. We are only aiming to provide protection against **publicly
documented attack techniques**.

As attacks keep improving, so does Mbed TLS's protection. Mbed TLS is moving
towards a model of fully timing-invariant code, but has not reached this point
yet.

**Remark:** Timing information can be observed over the network or through
physical side channels as well. Remote and physical timing attacks are covered
in the [Remote attacks](remote-attacks) and [Physical
attacks](physical-attacks) sections respectively.

**Warning!** Block ciphers do not yet achieve full protection. For
details and workarounds see the [Block Ciphers](#block-ciphers) section.

#### Local non-timing side channels

The attacker code running on the platform has access to some sensor capable of
picking up information on the physical state of the hardware while Mbed TLS is
running. This could for example be an analogue-to-digital converter on the
platform that is located unfortunately enough to pick up the CPU noise.

Mbed TLS doesn't make any security guarantees against local non-timing-based
side channel attacks. If local non-timing attacks are present in a use case or
a user application's threat model, they need to be mitigated by the platform.

#### Local fault injection attacks

Software running on the same hardware can affect the physical state of the
device and introduce faults.

Mbed TLS doesn't make any security guarantees against local fault injection
attacks. If local fault injection attacks are present in a use case or a user
application's threat model, they need to be mitigated by the platform.

### Physical attacks

In this section, we consider an attacker who has access to physical information
about the hardware Mbed TLS is running on and/or can alter the physical state
of the hardware (e.g. power analysis, radio emissions or fault injection).

Mbed TLS doesn't make any security guarantees against physical attacks. If
physical attacks are present in a use case or a user application's threat
model, they need to be mitigated by physical countermeasures.

### Caveats

#### Out-of-scope countermeasures

Mbed TLS has evolved organically and a well defined threat model hasn't always
been present. Therefore, Mbed TLS might have countermeasures against attacks
outside the above defined threat model.

The presence of such countermeasures don't mean that Mbed TLS provides
protection against a class of attacks outside of the above described threat
model. Neither does it mean that the failure of such a countermeasure is
considered a vulnerability.

#### Block ciphers

Currently there are four block ciphers in Mbed TLS: AES, CAMELLIA, ARIA and
DES. The pure software implementation in Mbed TLS implementation uses lookup
tables, which are vulnerable to timing attacks.

These timing attacks can be physical, local or depending on network latency
even a remote. The attacks can result in key recovery.

**Workarounds:**

- Turn on hardware acceleration for AES. This is supported only on selected
architectures and currently only available for AES. See configuration options
`MBEDTLS_AESNI_C` and `MBEDTLS_PADLOCK_C` for details.
- Add a secure alternative implementation (typically hardware acceleration) for
the vulnerable cipher. See the [Alternative Implementations
Guide](docs/architecture/alternative-implementations.md) for more information.
- Use cryptographic mechanisms that are not based on block ciphers. In
particular, for authenticated encryption, use ChaCha20/Poly1305 instead of
block cipher modes. For random generation, use HMAC\_DRBG instead of CTR\_DRBG.
2 changes: 1 addition & 1 deletion doxygen/input/doc_mainpage.h
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@
*/

/**
* @mainpage mbed TLS v2.28.2 source code documentation
* @mainpage mbed TLS v2.28.3 source code documentation
*
* This documentation describes the internal structure of mbed TLS. It was
* automatically generated from specially formatted comment blocks in
Expand Down
2 changes: 1 addition & 1 deletion doxygen/mbedtls.doxyfile
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
PROJECT_NAME = "mbed TLS v2.28.2"
PROJECT_NAME = "mbed TLS v2.28.3"
OUTPUT_DIRECTORY = ../apidoc/
FULL_PATH_NAMES = NO
OPTIMIZE_OUTPUT_FOR_C = YES
Expand Down
41 changes: 39 additions & 2 deletions include/mbedtls/aesni.h
Original file line number Diff line number Diff line change
Expand Up @@ -36,13 +36,49 @@
#define MBEDTLS_AESNI_AES 0x02000000u
#define MBEDTLS_AESNI_CLMUL 0x00000002u

#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && \
/* Can we do AESNI with inline assembly?
* (Only implemented with gas syntax, only for 64-bit.)
*/
#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && \
(defined(__amd64__) || defined(__x86_64__)) && \
!defined(MBEDTLS_HAVE_X86_64)
#define MBEDTLS_HAVE_X86_64
#endif

#if defined(MBEDTLS_AESNI_C)

/* Can we do AESNI with intrinsics?
* (Only implemented with certain compilers, only for certain targets.)
*
* NOTE: MBEDTLS_AESNI_HAVE_INTRINSICS and MBEDTLS_AESNI_HAVE_CODE are internal
* macros that may change in future releases.
*/
#undef MBEDTLS_AESNI_HAVE_INTRINSICS
#if defined(_MSC_VER)
/* Visual Studio supports AESNI intrinsics since VS 2008 SP1. We only support
* VS 2013 and up for other reasons anyway, so no need to check the version. */
#define MBEDTLS_AESNI_HAVE_INTRINSICS
#endif
/* GCC-like compilers: currently, we only support intrinsics if the requisite
* target flag is enabled when building the library (e.g. `gcc -mpclmul -msse2`
* or `clang -maes -mpclmul`). */
#if defined(__GNUC__) && defined(__AES__) && defined(__PCLMUL__)
#define MBEDTLS_AESNI_HAVE_INTRINSICS
#endif

/* Choose the implementation of AESNI, if one is available. */
#undef MBEDTLS_AESNI_HAVE_CODE
/* To minimize disruption when releasing the intrinsics-based implementation,
* favor the assembly-based implementation if it's available. We intend to
* revise this in a later release of Mbed TLS 3.x. In the long run, we will
* likely remove the assembly implementation. */
#if defined(MBEDTLS_HAVE_X86_64)
#define MBEDTLS_AESNI_HAVE_CODE 1 // via assembly
#elif defined(MBEDTLS_AESNI_HAVE_INTRINSICS)
#define MBEDTLS_AESNI_HAVE_CODE 2 // via intrinsics
#endif

#if defined(MBEDTLS_AESNI_HAVE_CODE)

#ifdef __cplusplus
extern "C" {
Expand Down Expand Up @@ -131,6 +167,7 @@ int mbedtls_aesni_setkey_enc(unsigned char *rk,
}
#endif

#endif /* MBEDTLS_HAVE_X86_64 */
#endif /* MBEDTLS_AESNI_HAVE_CODE */
#endif /* MBEDTLS_AESNI_C */

#endif /* MBEDTLS_AESNI_H */
Loading

0 comments on commit 981743d

Please sign in to comment.