Commit graph

785 commits

Author SHA1 Message Date
Simon Butcher 4c5154d0c0 Updated version number to 1.3.19 for release 2017-03-08 17:22:34 +00:00
Simon Butcher d2d6316afc Removed duplicate entry in ChangeLog 2017-03-03 16:08:27 +00:00
Andres AG 2b2fc115df Fix buffer overflow in mpi_write_string()
Fix a buffer overflow when writting a string representation of an MPI
number to a buffer in hexadecimal. The problem occurs because hex
digits are written in pairs and this is not accounted for in the
calculation of the required buffer size when the number of digits is
odd.
2017-03-02 23:01:54 +00:00
Simon Butcher dccf743365 Add fix and credit for #742 to the ChangeLog 2017-03-02 21:31:11 +00:00
Simon Butcher 866a447784 Clarify ChangeLog for #569 2017-02-28 20:27:17 +00:00
Janos Follath f5ffc79896 ECP: Prevent freeing a buffer on stack
The function ecp_mod_koblitz computed the space for the result of a
multiplication optimally for that specific case, but unfortunately
the function mbedtls_mpi_mul_mpi performs a generic, suboptimal
calculation and needs one more limb for the result. Since the result's
buffer is on the stack, the best case scenario is that the program
stops.

This only happened on 64 bit platforms.

Fixes #569
2017-02-28 20:24:52 +00:00
Simon Butcher bfef0ce5e4 Fix credit in ChangeLog for #722 2017-02-28 17:38:55 +00:00
Andres AG 03af0e0151 Fix memory leak in x509_crl_parse()
The memory leak call was caused by missing calls to pem_free().
2017-02-28 17:36:06 +00:00
Simon Butcher 9fb2828aee Merge branch 'mbedtls-1.3-iotssl-1071-ca-flags'
Fixes a regression introduced by an earlier commit that modified
x509_crt_verify_top() to ensure that valid certificates that are after past or
future valid in the chain are processed. However the change introduced a change
in behaviour that caused the verification flags MBEDTLS_X509_BADCERT_EXPIRED and
MBEDTLS_BADCERT_FUTURE to always be set whenever there is a failure in the
verification regardless of the cause.

The fix maintains both behaviours:

 * Ensure that valid certificates after future and past are verified
 * Ensure that the correct verification flags are set.
2017-02-27 21:25:03 +00:00
Simon Butcher 7346a7e55a Fix formatting in ChangeLog 2017-02-26 02:01:49 +00:00
Simon Butcher 741bd90a30 Merge branch 'mbedtls-1.3-iotssl-1077-dos-crl'
Modifies the function mbedtls_x509_crl_parse() to ensure that a CRL in PEM
format with trailing characters after the footer does not result in the
execution of an infinite loop.
2017-02-26 01:46:37 +00:00
Simon Butcher 13f9e40059 Merge branch 'mbedtls-1.3' 2017-02-25 21:47:24 +00:00
Andres AG 59abd301f5 Fix integer overflow in mbedtls_base64_decode()
Fix potential integer overflows in the function mbedtls_base64_decode().
This overflow would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-25 21:27:17 +00:00
Andres Amaya Garcia 74ef650772 Fix integer overflows in buffer bound checks
Fix potential integer overflows in the following functions:
  * mbedtls_md2_update() to be bypassed and cause
  * mbedtls_cipher_update()
  * mbedtls_ctr_drbg_reseed()
This overflows would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-25 21:25:44 +00:00
Andres AG 480f7e7d5e Add tests for overreads in pem_read_buffer() 2017-02-25 21:25:07 +00:00
Andres AG de6079af8e Fix buffer overreads in mbedtls_pem_read_buffer() 2017-02-25 21:25:06 +00:00
Simon Butcher 851dcc96d4 Add credit to Changelog for #562 2017-02-20 22:03:19 +00:00
Andres AG 7ded99ff64 Fix integer overflow in mbedtls_base64_decode()
Fix potential integer overflows in the function mbedtls_base64_decode().
This overflow would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-20 22:01:55 +00:00
Andres Amaya Garcia cfad181250 Fix integer overflows in buffer bound checks
Fix potential integer overflows in the following functions:
  * mbedtls_md2_update() to be bypassed and cause
  * mbedtls_cipher_update()
  * mbedtls_ctr_drbg_reseed()
This overflows would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-20 22:00:33 +00:00
Andres AG 29b43737ba Fix unused variable/function compilation warnings
This PR fixes a number of unused variable/function compilation warnings
that arise when using a config.h that does not define the macro
POLARSSL_PEM_PARSE_C.
2017-02-20 21:57:52 +00:00
Andres AG c71b7eb0e7 Fix data loss in unsigned int cast in PK
This patch introduces some additional checks in the PK module for 64-bit
systems only. The problem is that the API functions in the PK
abstraction accept a size_t value for the hashlen, while the RSA module
accepts an unsigned int for the hashlen. Instead of silently casting
size_t to unsigned int, this change checks whether the hashlen overflows
an unsigned int and returns an error.
2017-02-15 10:44:02 +00:00
Simon Butcher df33a6a805 Add credit to Changelog for #562 2017-02-02 16:53:50 +00:00
Andres AG 2f3fe70f7e Fix verify out flags from x509_crt_verify_top()
This change fixes a regression introduced by an earlier commit that
modified x509_crt_verify_top() to ensure that valid certificates
that are after past or future valid in the chain are processed. However
the change introduced a change in behaviour that caused the
verification flags BADCERT_EXPIRED and BADCERT_FUTURE to always be set
whenever there is a failure in the verification regardless of the cause.

The fix maintains both behaviours:
  * Ensure that valid certificates after future and past are verified
  * Ensure that the correct verification flags are set.

To do so, a temporary pointer to the first future or past valid
certificate is maintained while traversing the chain. If a truly valid
certificate is found then that one is used, otherwise if no valid
certificate is found and the end of the chain is reached, the program
reverts back to using the future or past valid certificate.
2017-01-20 17:12:36 +00:00
Andres AG e567101f6b Fix CRL parsing to avoid infinite loop
This patch modifies the function mbedtls_x509_crl_parse() to ensure
that a CRL in PEM format with trailing characters after the footer does
not result in the execution of an infinite loop.
2017-01-19 16:57:16 +00:00
Andres AG f0a401f080 Fix unused variable/function compilation warnings
This PR fixes a number of unused variable/function compilation warnings
that arise when using a config.h that does not define the macro
POLARSSL_PEM_PARSE_C.
2016-12-07 16:11:17 +00:00
Andres AG fada2e9f3e Add tests for overreads in pem_read_buffer() 2016-11-21 11:34:55 +00:00
Andres AG d3cbc15951 Fix buffer overreads in mbedtls_pem_read_buffer() 2016-11-21 11:25:17 +00:00
Simon Butcher c1d54bb7b2 Update library version to 1.3.18 2016-10-17 23:40:14 +01:00
Simon Butcher 2261f198ee Merge branch 'mbedtls-1.3' 2016-10-17 16:09:06 +01:00
Simon Butcher fd8d7991a0 Tidied up style and phrasing of ChangeLog 2016-10-16 00:48:37 +01:00
Simon Butcher 60371454bd Merge branch for fix for #502 - Unchecked calls 2016-10-14 01:10:02 +01:00
Andres AG 0da3e44fea Add check for validity of date in x509_get_time() 2016-10-13 17:00:01 +01:00
Simon Butcher c176038d73 Update and clean up Changelog for #622 2016-10-13 15:34:27 +01:00
Andres AG 67ae0b9839 Fix sig->tag update in mbedtls_x509_get_sig() 2016-10-13 15:33:07 +01:00
Janos Follath 30b273c78e Remove MBEDTLS_SSL_AEAD_RANDOM_IV feature
In a USENIX WOOT '16 paper the authors warn about a security risk
of random Initialisation Vectors (IV) repeating values.

The MBEDTLS_SSL_AEAD_RANDOM_IV feature is affected by this risk and
it isn't compliant with RFC5116. Furthermore, strictly speaking it
is a different cipher suite from the TLS (RFC5246) point of view.

Removing the MBEDTLS_SSL_AEAD_RANDOM_IV feature to resolve the above
problems.

Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky and Philipp
Jovanovic, "Nonce-Disrespecting Adversaries: Practical Forgery Attacks
on GCM in TLS", USENIX WOOT '16
2016-10-13 14:34:35 +01:00
Janos Follath ae01c3cc62 X509: Fix bug triggered by future CA among trusted
Fix an issue that caused valid certificates being rejected whenever an
expired or not yet valid version of the trusted certificate was before the
valid version in the trusted certificate list.
2016-10-13 14:26:57 +01:00
Simon Butcher c9b564e64c Update Changelog for fix #559 2016-10-13 14:24:03 +01:00
Simon Butcher 394d65d1bb Update for ChangeLog for fixes for cert_app 2016-10-13 14:23:57 +01:00
Simon Butcher c112d21076 Update to ChangeLog for bug #428 2016-10-13 14:23:46 +01:00
Simon Butcher cb60bfb52d Update ChangeLog for fix to crypt_and_hash #441 2016-10-13 14:23:15 +01:00
Janos Follath 24f4d7f95e X509: Fix bug triggered by future CA among trusted
Fix an issue that caused valid certificates being rejected whenever an
expired or not yet valid version of the trusted certificate was before the
valid version in the trusted certificate list.
2016-10-13 14:21:24 +01:00
Andres AG a16d684df3 Add test for bounds in X509 DER write funcs 2016-10-13 14:20:22 +01:00
Andres AG 0c12bd69f5 Add missing bounds check in X509 DER write funcs
This patch adds checks in both mbedtls_x509write_crt_der and
mbedtls_x509write_csr_der before the signature is written to buf
using memcpy().
2016-10-13 14:20:14 +01:00
Janos Follath 441d6f9833 Remove MBEDTLS_SSL_AEAD_RANDOM_IV feature
In a USENIX WOOT '16 paper the authors warn about a security risk
of random Initialisation Vectors (IV) repeating values.

The MBEDTLS_SSL_AEAD_RANDOM_IV feature is affected by this risk and
it isn't compliant with RFC5116. Furthermore, strictly speaking it
is a different cipher suite from the TLS (RFC5246) point of view.

Removing the MBEDTLS_SSL_AEAD_RANDOM_IV feature to resolve the above
problems.

Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky and Philipp
Jovanovic, "Nonce-Disrespecting Adversaries: Practical Forgery Attacks
on GCM in TLS", USENIX WOOT '16
2016-10-13 14:14:16 +01:00
Simon Butcher 1227d7cdf1 Added credit to Changelog for fix #558 2016-10-13 12:54:33 +01:00
Janos Follath bfcd032f9d Restore P>Q in RSA key generation (#558)
The PKCS#1 standard says nothing about the relation between P and Q
but many libraries guarantee P>Q and mbed TLS did so too in earlier
versions.

This commit restores this behaviour.
2016-10-13 12:54:33 +01:00
Simon Butcher e337ee647f Clarified Changelog for fix #602 2016-10-13 12:54:32 +01:00
Andres AG 6ad5d9450a Fix documentation for mbedtls_gcm_finish()
Fix implementation and documentation missmatch for the function
arguments to mbedtls_gcm_finish(). Also, removed redundant if condition
that always evaluates to true.
2016-10-13 12:54:32 +01:00
Simon Butcher 6b8d9cffc2 Updated Changelog for fix #599 2016-10-13 12:54:32 +01:00
Andres AG 57e6e8fbb7 Fix 1 byte overread in mbedtls_asn1_get_int() 2016-10-13 12:54:32 +01:00
Andres AG f527609849 Add test for bounds in X509 DER write funcs 2016-10-13 12:45:08 +01:00
Simon Butcher 1e5de32473 Update Changelog for fix #559 2016-10-13 12:45:07 +01:00
Andres AG 372bf79d67 Add missing bounds check in X509 DER write funcs
This patch adds checks in both mbedtls_x509write_crt_der and
mbedtls_x509write_csr_der before the signature is written to buf
using memcpy().
2016-10-13 12:45:07 +01:00
Simon Butcher 80d191bbe9 Update for ChangeLog for fixes for cert_app 2016-10-13 12:44:20 +01:00
Simon Butcher 2491fa2f2e Update to ChangeLog for bug #428 2016-10-13 12:44:20 +01:00
Simon Butcher 6f3c9cc8b7 Update ChangeLog for fix to crypt_and_hash #441 2016-10-13 12:44:20 +01:00
Janos Follath af1e74be70 X509: Fix bug triggered by future CA among trusted
Fix an issue that caused valid certificates being rejected whenever an
expired or not yet valid version of the trusted certificate was before the
valid version in the trusted certificate list.
2016-10-13 12:44:19 +01:00
Simon Butcher c371c435c1 Added credit to Changelog for fix #558 2016-10-13 09:34:25 +01:00
Janos Follath 3072458ec3 Restore P>Q in RSA key generation (#558)
The PKCS#1 standard says nothing about the relation between P and Q
but many libraries guarantee P>Q and mbed TLS did so too in earlier
versions.

This commit restores this behaviour.
2016-10-13 09:27:18 +01:00
Simon Butcher 2c73577d4a Clarified Changelog for fix #602 2016-10-12 19:56:17 +01:00
Andres AG cdbcd2012d Fix documentation for mbedtls_gcm_finish()
Fix implementation and documentation missmatch for the function
arguments to mbedtls_gcm_finish(). Also, removed redundant if condition
that always evaluates to true.
2016-10-12 19:56:03 +01:00
Simon Butcher de4b7e8256 Updated Changelog for fix #599 2016-10-12 18:31:29 +01:00
Andres AG 15fdb7f9ff Fix 1 byte overread in mbedtls_asn1_get_int() 2016-10-12 18:28:03 +01:00
Simon Butcher 79f2e87f0c Update Changelog for fix #559 2016-10-10 23:48:11 +01:00
Janos Follath 17da9dd829 Add option for relaxed X509 time verification.
The certificates are not valid according to the RFC, but are in wide
distribution across the internet. Hence the request to add a
compile-time flag to accept these certificates if wanted by the
application.

If POLARSSL_RELAXED_X509_DATE is enabled it will allow dates without
seconds, and allow dates with timezones (but doesn't actually use
the timezone).

Patch provided by OpenVPN.
2016-09-30 09:04:18 +01:00
Simon Butcher 160830312f Update for ChangeLog for fixes for cert_app 2016-09-26 22:06:16 +01:00
Andres AG d1ebdf56be Add ChangeLog entry for unchecked calls fix 2016-09-05 14:14:54 +01:00
Simon Butcher f6d2b6fb19 Update to ChangeLog for bug #428 2016-09-05 15:15:31 +03:00
Simon Butcher 2af8b0dcb4 Update ChangeLog for fix to crypt_and_hash #441 2016-09-03 12:41:09 +01:00
Janos Follath 8a8445415f X509: Fix bug triggered by future CA among trusted
Fix an issue that caused valid certificates being rejected whenever an
expired or not yet valid version of the trusted certificate was before the
valid version in the trusted certificate list.
2016-07-14 14:08:53 +01:00
Simon Butcher 2d01f2d4c5 Update Changelog for release 2016-06-27 20:00:26 +01:00
Simon Butcher fd349bcb8e Merge branch 'mbedtls-1.3' into mbedtls-1.3 2016-06-27 01:29:03 +01:00
Janos Follath 307e181cfa Fix non compliance SSLv3 in server extension handling.
The server code parses the client hello extensions even when the
protocol is SSLv3 and this behaviour is non compliant with rfc6101.
Also the server sends extensions in the server hello and omitting
them may prevent interoperability problems.
2016-05-23 18:52:14 +01:00
Simon Butcher 959d4328c1 Fix ChangeLog for backport of IOTSSL-621 2016-05-18 20:08:16 +01:00
Janos Follath af1836e1cf Add Changelog entry for current branch 2016-05-18 20:07:27 +01:00
Simon Butcher 49ed628ede Fix ChangeLog after merging fix for IOTSSL-628 2016-05-18 20:07:27 +01:00
Janos Follath f383363d43 Extended ChangeLog entry 2016-05-18 20:01:46 +01:00
Janos Follath c70515d455 Add Changelog entry for current branch 2016-05-18 20:00:19 +01:00
Simon Butcher f31d9676d1 Fix ChangeLog for backport of IOTSSL-621 2016-05-18 19:58:41 +01:00
Janos Follath 21ca00243c Add Changelog entry for current branch 2016-05-18 19:58:41 +01:00
Simon Butcher 2d49c4d2f6 Fix ChangeLog after merging fix for IOTSSL-628 2016-05-18 19:58:41 +01:00
Janos Follath 7295c189ee Extended ChangeLog entry 2016-05-18 19:58:41 +01:00
Janos Follath 574b118bf8 Add Changelog entry for current branch 2016-05-18 19:58:40 +01:00
Janos Follath a1ebe662f3 Add Changelog entry for current branch 2016-05-18 19:58:40 +01:00
Janos Follath 4e03439e6a Fix bug in ssl_write_supported_elliptic_curves_ext
Passing invalid curves to mbedtls_ssl_conf_curves potentially could caused a
crash later in ssl_write_supported_elliptic_curves_ext. #373
2016-04-22 09:59:00 +01:00
Janos Follath 7ddc2cdfce Fix null pointer dereference in the RSA module.
Introduced null pointer checks in mbedtls_rsa_rsaes_pkcs1_v15_encrypt
2016-04-19 10:28:24 +01:00
Janos Follath d61fc6881a Fix odd bitlength RSA key generation
Fix issue that caused a hang up when generating RSA keys of odd
bitlength.
2016-04-19 09:42:17 +01:00
Janos Follath 4dfecabb97 Update default configuration
Change the default settings for SSL and modify the tests accordingly.
2016-03-14 13:40:43 +00:00
Manuel Pégourié-Gonnard 54f2c490ed Avoid build errors with -O0 due to assembly 2016-01-08 15:30:03 +01:00
Manuel Pégourié-Gonnard 20715dc73b Make ar invocation more portable
armar doesn't understand the syntax without dash. OTOH, the syntax with dash
is the only one specified by POSIX, and it's accepted by GNU ar, BSD ar (as
bundled with OS X) and armar, so it looks like the most portable syntax.

fixes #386
2016-01-08 15:28:40 +01:00
Manuel Pégourié-Gonnard 40510a3a79 Update ChangeLog for latest PR merged
fixes #309
2016-01-08 15:22:41 +01:00
Manuel Pégourié-Gonnard a3a1cd33d1 Update reference to attack in ChangeLog
We couldn't do that before the attack was public
2016-01-08 15:11:12 +01:00
Simon Butcher 84181adae8 Change version number to 1.3.16
Changed version for library files and yotta module
2016-01-04 22:49:30 +00:00
Simon Butcher a39690e7bf Correction to ChangeLog
Corrected function name for rsa_rsassa_pkcs1_v15_sign()
2016-01-02 00:49:12 +00:00
Simon Butcher 14400c8fb0 Merge memory leak fix into branch 'mbedtls-1.3'
Merge of fix for memory leak in RSA-SSA signing - #372
2016-01-02 00:28:19 +00:00
Simon Butcher 7d3f3a8ac8 Fix for memory leak in RSA-SSA signing
Fix in mbedtls_rsa_rsassa_pkcs1_v15_sign() in rsa.c. Resolves github issue #372
2016-01-02 00:03:39 +00:00
Simon Butcher a192c8f5d8 Merge branch 'iotssl-541-1.3-pathlen-bugfix' 2016-01-01 01:13:45 +00:00
Manuel Pégourié-Gonnard c05014459e Fix wrong length limit in GCM
See for example page 8 of
http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf

The previous constant probably came from a typo as it was 2^26 - 2^5 instead
of 2^36 - 2^5. Clearly the intention was to allow for a constant bigger than
2^32 as the ull suffix and cast to uint64_t show.

fixes #362
2015-12-10 16:34:32 +01:00
Manuel Pégourié-Gonnard c4a47e3483 Fix bug checking pathlen on first intermediate
Remove check on the pathLenConstraint value when looking for a parent to the
EE cert, as the constraint is on the number of intermediate certs below the
parent, and that number is always 0 at that point, so the constraint is always
satisfied.

The check was actually off-by-one, which caused valid chains to be rejected
under the following conditions:
- the parent certificate is not a trusted root, and
- it has pathLenConstraint == 0 (max_pathlen == 1 in our representation)

fixes #280
2015-11-19 12:06:45 +01:00
Simon Butcher 1f4e08c979 Changed version number to 1.3.15
Changed for library
2015-11-05 15:44:46 +00:00