Commit graph

5460 commits

Author SHA1 Message Date
Gilles Peskine 04f9bd028f Note incompatibility of truncated HMAC extension in ChangeLog
The change in the truncated HMAC extension aligns Mbed TLS with the
standard, but breaks interoperability with previous versions. Indicate
this in the ChangeLog, as well as how to restore the old behavior.
2018-02-22 15:41:26 +01:00
Hanno Becker 5dcae51cd9 Add affiliation of bug reporter to credits in the ChangeLog 2017-12-07 15:03:22 +00:00
Hanno Becker 004198adb3 Update ChangeLog 2017-11-29 16:57:06 +00:00
Hanno Becker 1df4923eb1 Remove compile-time deprecation warning for TRUNCATED_HMAC_COMPAT 2017-11-29 16:55:56 +00:00
Hanno Becker 702dfbcf13 Improve documentation of truncated HMAC fallback option 2017-11-29 16:55:56 +00:00
Hanno Becker 4c2ac7ef58 Deprecate MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT 2017-11-21 18:28:35 +00:00
Hanno Becker 563423fb21 Improve documentation of MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT option
Explain more clearly when this option should be used and which versions of Mbed
TLS build on the non-compliant implementation.
2017-11-21 17:20:17 +00:00
Hanno Becker 909f9a389a Improve style in tests/ssl-opt.sh
Try to avoid line breaks in server and client command line arguments to ease
reading of test cases.
2017-11-21 17:10:12 +00:00
Hanno Becker 45ee7877d0 Correct truncated HMAC tests in ssl-opt.sh
Many truncated HMAC tests were missing the `trunc_hmac=1` for the server
application, thereby not testing the extension.
2017-11-20 16:51:44 +00:00
Hanno Becker e89353a6b4 Add fallback to non-compliant truncated HMAC for compatibiltiy
In case truncated HMAC must be used but the Mbed TLS peer hasn't been updated
yet, one can use the compile-time option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT to
temporarily fall back to the old, non-compliant implementation of the truncated
HMAC extension.
2017-11-20 16:50:43 +00:00
Hanno Becker 8d19bcf37f Adapt ChangeLog 2017-11-20 16:25:50 +00:00
Hanno Becker 4c4f41030c Add truncated HMAC extension tests for DTLS 2017-11-20 16:25:50 +00:00
Hanno Becker 34d0c3f02e Add missing truncated HMAC test for TLS
The case 'Client disabled, Server enabled' was missing.
2017-11-20 16:25:50 +00:00
Hanno Becker e214804625 Add small packet tests for DTLS
Add a DTLS small packet test for each of the following combinations:
- DTLS version: 1.0 or 1.2
- Encrypt then MAC extension enabled
- Truncated HMAC extension enabled

Large packets tests for DTLS are currently not possible due to parameter
constraints in ssl_server2.
2017-11-20 16:25:50 +00:00
Hanno Becker 278fc7aedd Extend large packet tests for TLS
Same as previous commit, but for large packet tests.
2017-11-20 16:25:50 +00:00
Hanno Becker 8501f98ec4 Extend small packet tests for TLS
This commit ensures that there is a small packet test for at least any
combination of
- SSL/TLS version: SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2
- Stream cipher (RC4) or Block cipher (AES)
- Usage of Encrypt then MAC extension [TLS only]
- Usage of truncated HMAC extension [TLS only]
2017-11-20 16:25:50 +00:00
Hanno Becker 32c550141f Add missing dependencies on trunc HMAC ext in ssl-opt.sh
Noticed that the test cases in ssl-opt.sh exercising the truncated HMAC
extension do not depend on MBEDTLS_SSL_TRUNCATED_HMAC being enabled in
config.h. This commit fixes this.
2017-11-20 16:25:50 +00:00
Hanno Becker 81c7b18351 Don't truncate MAC key when truncated HMAC is negotiated
The truncated HMAC extension as described in
https://tools.ietf.org/html/rfc6066.html#section-7 specifies that when truncated
HMAC is used, only the HMAC output should be truncated, while the HMAC key
generation stays unmodified. This commit fixes Mbed TLS's behavior of also
truncating the key, potentially leading to compatibility issues with peers
running other stacks than Mbed TLS.

Details:
The keys for the MAC are pieces of the keyblock that's generated from the
master secret in `mbedtls_ssl_derive_keys` through the PRF, their size being
specified as the size of the digest used for the MAC, regardless of whether
truncated HMAC is enabled or not.

             /----- MD size ------\ /------- MD size ----\
Keyblock    +----------------------+----------------------+------------------+---
now         |     MAC enc key      |      MAC dec key     |     Enc key      |  ...
(correct)   +----------------------+----------------------+------------------+---

In the previous code, when truncated HMAC was enabled, the HMAC keys
were truncated to 10 bytes:

             /-10 bytes-\  /-10 bytes-\
Keyblock    +-------------+-------------+------------------+---
previously  | MAC enc key | MAC dec key |     Enc key      |  ...
(wrong)     +-------------+-------------+------------------+---

The reason for this was that a single variable `transform->maclen` was used for
both the keysize and the size of the final MAC, and its value was reduced from
the MD size to 10 bytes in case truncated HMAC was negotiated.

This commit fixes this by introducing a temporary variable `mac_key_len` which
permanently holds the MD size irrespective of the presence of truncated HMAC,
and using this temporary to obtain the MAC key chunks from the keyblock.
2017-11-20 16:25:50 +00:00
Hanno Becker 7dc832bb53 Adapt ChangeLog 2017-11-20 08:52:25 +00:00
Hanno Becker 992b6872f3 Fix heap corruption in ssl_decrypt_buf
Previously, MAC validation for an incoming record proceeded as follows:

1) Make a copy of the MAC contained in the record;
2) Compute the expected MAC in place, overwriting the presented one;
3) Compare both.

This resulted in a record buffer overflow if truncated MAC was used, as in this
case the record buffer only reserved 10 bytes for the MAC, but the MAC
computation routine in 2) always wrote a full digest.

For specially crafted records, this could be used to perform a controlled write of
up to 6 bytes past the boundary of the heap buffer holding the record, thereby
corrupting the heap structures and potentially leading to a crash or remote code
execution.

This commit fixes this by making the following change:
1) Compute the expected MAC in a temporary buffer that has the size of the
   underlying message digest.
2) Compare to this to the MAC contained in the record, potentially
   restricting to the first 10 bytes if truncated HMAC is used.

A similar fix is applied to the encryption routine `ssl_encrypt_buf`.
2017-11-20 08:52:25 +00:00
Manuel Pégourié-Gonnard 888fedea06 Merge branch 'development' into development-restricted
* development: (30 commits)
  update README file (#1144)
  Fix typo in asn1.h
  Improve leap year test names in x509parse.data
  Correctly handle leap year in x509_date_is_valid()
  Renegotiation: Add tests for SigAlg ext parsing
  Parse Signature Algorithm ext when renegotiating
  Minor style fix
  config.pl get: be better behaved
  config.pl get: don't rewrite config.h; detect write errors
  Fixed "config.pl get" for options with no value
  Fix typo and bracketing in macro args
  Ensure failed test_suite output is sent to stdout
  Remove use of GNU sed features from ssl-opt.sh
  Fix typos in ssl-opt.sh comments
  Add ssl-opt.sh test to check gmt_unix_time is good
  Extend ssl-opt.h so that run_test takes function
  Always print gmt_unix_time in TLS client
  Restored note about using minimum functionality in makefiles
  Note in README that GNU make is required
  Fix changelog for ssl_server2.c usage fix
  ...
2017-11-14 08:24:22 +01:00
RonEld 005939db98 update README file (#1144)
* update README file

update VS 2010 as the minimal version of required Visual Studio

* Rephrase the MS VS requirement

Rephrase the VS version sentence
2017-10-17 18:19:48 +01:00
Simon Butcher 6f63db7ed5 Fix changelog for ssl_server2.c usage fix 2017-10-12 23:22:17 +01:00
Gilles Peskine 085c10afdb Allow comments in test data files 2017-10-12 23:22:17 +01:00
Andres Amaya Garcia 9fb02057a5 Fix typo in asn1.h 2017-10-12 23:21:37 +01:00
Andres Amaya Garcia 60100d09ee Improve leap year test names in x509parse.data 2017-10-12 23:21:37 +01:00
Andres Amaya Garcia 735b37eeef Correctly handle leap year in x509_date_is_valid()
This patch ensures that invalid dates on leap years with 100 or 400
years intervals are handled correctly.
2017-10-12 23:21:37 +01:00
Janos Follath b0f148c0ab Renegotiation: Add tests for SigAlg ext parsing
This commit adds regression tests for the bug when we didn't parse the
Signature Algorithm extension when renegotiating. (By nature, this bug
affected only the server)

The tests check for the fallback hash (SHA1) in the server log to detect
that the Signature Algorithm extension hasn't been parsed at least in
one of the handshakes.

A more direct way of testing is not possible with the current test
framework, since the Signature Algorithm extension is parsed in the
first handshake and any corresponding debug message is present in the
logs.
2017-10-12 23:21:37 +01:00
Ron Eldor 73a381772b Parse Signature Algorithm ext when renegotiating
Signature algorithm extension was skipped when renegotiation was in
progress, causing the signature algorithm not to be known when
renegotiating, and failing the handshake. Fix removes the renegotiation
step check before parsing the extension.
2017-10-12 23:21:37 +01:00
Gilles Peskine 8ca0e8fdff Minor style fix 2017-10-12 23:21:37 +01:00
Gilles Peskine d98e9e8577 config.pl get: be better behaved
When printing an option's value, print a newline at the end.

When the requested option is missing, fail with status 1 (the usual
convention for "not found") rather than -1 (which has a
system-dependent effect).
2017-10-12 23:21:37 +01:00
Gilles Peskine 01f57e351c config.pl get: don't rewrite config.h; detect write errors
scripts/config.pl would always rewrite config.h if it was reading it.
This commit changes it to not modify the file when only reading is
required, i.e. for the get command.

Also, die if writing config.h fails (e.g. disk full).
2017-10-12 23:21:37 +01:00
Gilles Peskine f0f55ccb72 Fixed "config.pl get" for options with no value
Between 2.5.0 and 2.6.0, "scripts/config.pl get MBEDTLS_XXX" was fixed
for config.h lines with a comment at the end, but that broke the case
of macros with an empty expansion. Support all cases.
2017-10-12 23:21:37 +01:00
Andres Amaya Garcia bd9d42c236 Fix typo and bracketing in macro args 2017-10-12 23:21:37 +01:00
Gilles Peskine 4552bf7558 Allow comments in test data files 2017-10-12 23:20:56 +01:00
Andres Amaya Garcia 77f1b109ec Fix typo in asn1.h 2017-10-12 22:40:28 +01:00
Andres Amaya Garcia 47e7b56fb6 Improve leap year test names in x509parse.data 2017-10-12 19:55:03 +01:00
Andres Amaya Garcia 106637fc2d Correctly handle leap year in x509_date_is_valid()
This patch ensures that invalid dates on leap years with 100 or 400
years intervals are handled correctly.
2017-10-12 19:54:46 +01:00
Janos Follath 88f5808c13 Renegotiation: Add tests for SigAlg ext parsing
This commit adds regression tests for the bug when we didn't parse the
Signature Algorithm extension when renegotiating. (By nature, this bug
affected only the server)

The tests check for the fallback hash (SHA1) in the server log to detect
that the Signature Algorithm extension hasn't been parsed at least in
one of the handshakes.

A more direct way of testing is not possible with the current test
framework, since the Signature Algorithm extension is parsed in the
first handshake and any corresponding debug message is present in the
logs.
2017-10-11 12:49:09 +01:00
Ron Eldor 8dd73e62d2 Parse Signature Algorithm ext when renegotiating
Signature algorithm extension was skipped when renegotiation was in
progress, causing the signature algorithm not to be known when
renegotiating, and failing the handshake. Fix removes the renegotiation
step check before parsing the extension.
2017-10-11 12:49:00 +01:00
Gilles Peskine ae98d4aa39 Minor style fix 2017-10-10 17:46:19 +01:00
Gilles Peskine ad8b9ec9e9 config.pl get: be better behaved
When printing an option's value, print a newline at the end.

When the requested option is missing, fail with status 1 (the usual
convention for "not found") rather than -1 (which has a
system-dependent effect).
2017-10-10 17:46:07 +01:00
Gilles Peskine 58e5fdc0ca config.pl get: don't rewrite config.h; detect write errors
scripts/config.pl would always rewrite config.h if it was reading it.
This commit changes it to not modify the file when only reading is
required, i.e. for the get command.

Also, die if writing config.h fails (e.g. disk full).
2017-10-10 17:45:33 +01:00
Gilles Peskine 134a082455 Fixed "config.pl get" for options with no value
Between 2.5.0 and 2.6.0, "scripts/config.pl get MBEDTLS_XXX" was fixed
for config.h lines with a comment at the end, but that broke the case
of macros with an empty expansion. Support all cases.
2017-10-10 17:45:00 +01:00
Andres Amaya Garcia 86968c6dd1 Fix typo and bracketing in macro args 2017-10-07 18:29:03 +01:00
Andres Amaya Garcia 3f50f511de Ensure failed test_suite output is sent to stdout
The change modifies the template code in tests/suites/helpers.function
and tests/suites/main.function so that error messages are printed to
stdout instead of being discarded. This makes errors visible regardless
of the --verbose flag being passed or not to the test suite programs.
2017-10-07 18:15:28 +01:00
Andres Amaya Garcia def0339db2 Ensure failed test_suite output is sent to stdout
The change modifies the template code in tests/suites/helpers.function
and tests/suites/main.function so that error messages are printed to
stdout instead of being discarded. This makes errors visible regardless
of the --verbose flag being passed or not to the test suite programs.
2017-10-07 17:33:34 +01:00
Andres Amaya Garcia 67d8da522f Remove use of GNU sed features from ssl-opt.sh 2017-10-06 11:59:13 +01:00
Andres Amaya Garcia 3b1bdff285 Fix typos in ssl-opt.sh comments 2017-10-06 11:59:13 +01:00
Andres Amaya Garcia b84c40b12f Add ssl-opt.sh test to check gmt_unix_time is good
Add a test to ssl-opt.sh that parses the client and server debug
output and then checks that the Unix timestamp in the ServerHello
message is within acceptable bounds.
2017-10-06 11:59:13 +01:00