Commit graph

2824 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard 213541a548 Make the first precomp loop restartable 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard ae55707b28 Turn double loop into single loop
In preparation for making the loop restartable
2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard e2d7cb3f10 Start splitting precompute_comb()
This is the easy part: with the current steps, all information between steps
is passed via T which is already saved. Next we'll need to split at least the
first loop, and maybe calls to normalize_jac_many() and/or the second loop.
2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 67c83fb871 Give a constant a name 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard fc3e0beabf Separate auxiliary array in precompute_comb()
Separating main computation from filling of the auxiliary array makes things
clearer and easier to restart as we don't have to remember the in-progress
auxiliary array.
2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 07bf6f52c1 Tune T ownership code + comments
Don't miss the little code changes among all those comments change :)
2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 085b1dff40 Allow T to be computed in multiple steps
Previously there were only two states:
- T unallocated
- T allocated and valid

Now there are three:
- T unallocated
- T allocated and in progress
- T allocated and valid

Introduce new bool T_ok to distinguish the last two states.
2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard c9c0aa6306 Remember precomputed table
Free it as soon as it's no longer needed, but as a backup free it in
ecp_group_free(), in case ecp_mul() is not called again after returning
ECP_IN_PROGRESS.

So far we only remember it when it's fully computed, next step is to be able
to compute it in multiple steps.
2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard c5d844b999 Full restart support in ecp_mul_comb_core()
Still recomputing table every time, though.
2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 2fad7ae02a Start actually splitting computation
Temporary state is quite inefficient: pre-computed table is recomputed every
single time. This is WIP obviously.
2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 8962ddbb23 Don't write to destination until we're done 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 78d564a841 Add check for changing arguments
In case of argument change, freeing everything is not the most efficient
(wastes one free()+calloc()) but makes the code simpler, which is probably
more important here
2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 77af79a324 Add proper allocation of restart context
We'll need to store MPIs and other things that allocate memory in this
context, so we need a place to free it. We can't rely on doing it before
returning from ecp_mul() as we might return MBEDTLS_ERR_ECP_IN_PROGRESS (thus
preserving the context) and never be called again (for example, TLS handshake
aborted for another reason). So, ecp_group_free() looks like a good place to
do this, if the restart context is part of struct ecp_group.

This means it's not possible to use the same ecp_group structure in different
threads concurrently, but:
- that's already the case (and documented) for other reasons
- this feature is precisely intended for environments that lack threading

An alternative option would be for the caller to have to allocate/free the
restart context and pass it explicitly, but this means creating new functions
that take a context argument, and putting a burden on the user.
2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 62738e9b17 Further restrict variable scope by moving code 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 391f44153d Move more code to separate function
This reduces the scope of some variables (M, k), clarifying where they're
used.
2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 24be79588d Group related code together 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 4b2336d7f6 Move some more code to new function 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 22be635d13 Re-order some more code 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard ec5606ad0c Extract code to separate function
ecp_mul_comb() is already 110 lines long and we're going to add complexity
with the early-return+restart code, so let's try to make it simpler first.
2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 7306dff01f Group related code together
This will be split to a new function next.
2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 510d5caece Add early return test + fake implementation 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 054433c493 Add mbedtls_ecp_set_max_ops()
The plan is to count basic operations as follows:
- call to ecp_add_mixed()   -> 11
- call to ecp_double_jac()  -> 8
- call to mpi_mul_mpi()     -> 1
- call to mpi_inv_mod()     -> 120
- everything else           -> not counted

The counts for ecp_add_mixed() and ecp_double_jac() are based on the actual
number of calls to mpi_mul_mpi() they they make.

The count for mpi_inv_mod() is based on timing measurements on K64F and
LPC1768 boards, and are consistent with the usual very rough estimate of one
inversion = 100 multiplications. It could be useful to repeat that measurement
on a Cortex-M0 board as those have smaller divider and multipliers, so the
result could be a bit different but should be the same order of magnitude.

The documented limitation of 120 basic ops is due to the calls to mpi_inv_mod()
which are currently not interruptible nor planned to be so far.
2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 5e3c62fd1d Add MBEDTLS_ERR_ECP_IN_PROGRESS 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard c3a3bc7636 Add config flag MBEDTLS_ECP_EARLY_RETURN 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 225b37a543 Fix typos in comment 2017-08-09 11:44:53 +02:00
Manuel Pégourié-Gonnard 24611f9383 Remove redundant variable
path_cnt was always chain_len - 1 in the loop body
2017-08-09 10:28:07 +02:00
Manuel Pégourié-Gonnard 562df401d3 Improve some comments, fix some typos+whitespace 2017-08-08 18:17:53 +02:00
Manuel Pégourié-Gonnard 66a36b03c6 Update comments 2017-08-08 11:06:51 +02:00
Manuel Pégourié-Gonnard 505c3953c7 Make the ver_chain length explicit 2017-08-08 11:06:51 +02:00
Manuel Pégourié-Gonnard a707e1d1ef Extract code to separate function for readablity 2017-08-08 11:06:51 +02:00
Manuel Pégourié-Gonnard ce6e52ff42 Make verify_chain() iterative 2017-08-08 11:06:51 +02:00
Manuel Pégourié-Gonnard f86f491f25 Rm unneeded function arguments & update comments 2017-08-08 11:06:51 +02:00
Manuel Pégourié-Gonnard c547d1ab1f Start using an explicit stack for callback info
This is the first step towards making verify_chain() iterative. While from a
readability point of view the current recursive version is fine, one of the
goals of this refactoring is to prepare for restartable ECC integration, which
will need the explicit stack anyway.
2017-08-08 11:06:51 +02:00
Manuel Pégourié-Gonnard a468eb1764 verify_name(): factor duplicated code to function 2017-08-08 11:06:51 +02:00
Manuel Pégourié-Gonnard 1300e99eb1 Extract name checking to separate function
Just copy-paste and unindent
2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard 6368612a8f Move code to separate function for readability 2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard 27e94797aa Simplify handling of locally trusted EE certs
Though this might require one more walk of the list in some cases,
this avoid having a check for that deep inside check_parent().
2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard bdc5440232 Update comments 2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard cb39610093 Finally merge the remains of top() into child() 2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard 63642776b1 Let verify_top() handle only the parent
It felt wrong for it to call the vrfy callback on two certs.
2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard 6e786747fb Move top()'s checks on child to child() 2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard 784aee3366 Move other special case from top() to child() 2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard b9983be73a Move one special case from verify_top() to child() 2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard 66fac75f8b Merge duplicated checks between child() and top() 2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard 58dcd2d9b2 Get rid of unused variables/arguments 2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard 8f8c282de9 Merge near-duplicated (grand)parent finding code
Besides avoiding near-duplication, this avoids having three generations of
certificate (child, parent, grandparent) in one function, with all the
off-by-one opportunities that come with it.

This also allows to simplify the signature of verify_child(), which will be
done in next commit.
2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard f82a4d5aba Factor duplicated code into function 2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard 32fdc60c7b Unnest code in verify_top()
We now know that trust_ca != NULL till the end of the function
2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard 6038cb6909 Remove duplicate parent-searching in verify_top() 2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard 2f09d59456 Add badkey-skipping to find_parent()
This is the last step towards removing the now-duplicated parent-searching
code in verify_top()
2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard 3e329b8e8d Add badtime-skipping feature to new function
This is from the morally 5th (and soon obsolete) invocation of this function
in verify_top().

Doing this badtime-skipping when we search for a parent in the provided chain
is a change of behaviour, but it's backwards-compatible: it can only cause us
to accept valid chains that we used to reject before. Eg if the peer has a
chain with two version of an intermediate certificate with different validity
periods, the first non valid and the second valid - such cases are probably
rare or users would have complained already, but it doesn't hurt to handle it
properly as it allows for more uniform code.
2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard 9c6118c498 Factor one more occurrence of code into function
This may look like a behaviour change because one check has been added to the
function that was previously done in only one of the 3 call sites. However it
is not, because:
- for the 2 call sites in verify(), the test always succeeds as path_cnt is 0.
- for the call site in verify_child(), the same test was done later anyway in
  verify_top()
2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard 2f1c33dc33 Factor repeated code into function
There are 3 instance that were replaced, but 2 instances of variants of this
function exist and will be handled next (the extra parameter that isn't used
so far is in preparation for that):
- one in verify_child() where path_cnt constraint is handled too
- one in verify_top() where there is extra logic to skip parents that are
  expired or future, but only if there are better parents to be found
2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard 17f4a6a609 Take shortcut for directly trusted EE cert
This is a slight change of behaviour in that the previous condition was:
- same subject
- signature matches
while the new condition is:
- exact same certificate

However the documentation for mbedtls_x509_crt_verify() (note on trust_ca)
mentions the new condition, so code that respected the documentation will keep
working.

In addition, this is a bit faster as it doesn't check the self-signature
(which never needs to be checked for certs in the trusted list).
2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard c61e5c9304 Don't search twice for a non-existing parent 2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard b8acfd2ba8 Fix calls to check_parent()
When we're looking for a parent, in trusted CAs, 'top' should be 1.

This only impacted which call site for verify_top() was chosen, and the error
was then fixed inside verify_top() by iterating over CAs again, this time
correctly setting 'top' to 1.
2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard 35407c7764 Add comments on chain verification cases
This is the beginning of a series of commits refactoring the chain
building/verification functions in order to:
- make it simpler to understand and work with
- prepare integration of restartable ECC
2017-08-08 11:06:50 +02:00
Manuel Pégourié-Gonnard 329e78c7fa Improve handling of md errors in X.509
md() already checks for md_info == NULL. Also, in the future it might also
return other errors (eg hardware errors if acceleration is used), so it make
more sense to check its return value than to check for NULL ourselves and then
assume no other error can occur.

Also, currently, md_info == NULL can never happen except if the MD and OID modules
get out of sync, or if the user messes with members of the x509_crt structure
directly.

This commit does not change the current behaviour, which is to treat MD errors
the same way as a bad signature or no trusted root.
2017-08-08 11:06:49 +02:00
Andres AG 2e65a54d5a Prevent signed integer overflow in CSR parsing
Modify the function mbedtls_x509_csr_parse_der() so that it checks the
parsed CSR version integer before it increments the value. This prevents
a potential signed integer overflow, as these have undefined behaviour
in the C standard.
2017-07-27 15:08:01 +01:00
Andres AG 7ca4a03955 Fix potential integer overflow parsing DER CRT
This patch prevents a potential signed integer overflow during the
certificate version verification checks.
2017-07-27 15:08:01 +01:00
Andres AG c0fbf784b6 Fix potential integer overflow parsing DER CRL
This patch prevents a potential signed integer overflow during the
CRL version verification checks.
2017-07-27 15:08:01 +01:00
Gilles Peskine 04d6c3da3f Checked names 2017-07-27 15:08:01 +01:00
Simon Butcher 9469919447 Fix platform setup/teardown feature and comments
Fixed the platform setup/teardown feature, by fixing it for doxygen and adding it
as a feature  in 'version_features.c'.
2017-07-27 15:08:01 +01:00
Andres Amaya Garcia 59c202618e Rename macro SETUP_ALT to SETUP_TEARDOWN_ALT
Rename the macro MBEDTLS_PLATFORM_SETUP_ALT to
MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT to make the name more descriptive
as this macro enables/disables both functions.
2017-07-27 15:08:01 +01:00
Andres Amaya Garcia d24f5feb59 Remove internal functions from setup API 2017-07-27 15:08:01 +01:00
Andres Amaya Garcia d9e7ada52a Add library setup and teardown APIs
Add the following two functions to allow platform setup and teardown
operations for the full library to be hooked in:

* mbedtls_platform_setup()
* mbedtls_platform_teardown()

An mbedtls_platform_context C structure is also added and two internal
functions that are called by the corresponding setup and teardown
functions above:

* mbedtls_internal_platform_setup()
* mbedtls_internal_plartform_teardown()

Finally, the macro MBEDTLS_PLATFORM_SETUP_ALT is also added to allow
mbedtls_platform_context and internal function to be overriden by the
user as needed for a platform.
2017-07-27 15:08:01 +01:00
Hanno Becker 09b30789e5 Export mbedtls_aes_(en/de)crypt to retain for API compatibility
The commit f5bf7189d3 made the AES
functions mbedtls_aes_encrypt and mbedtls_aes_decrypt static, changing
the library's API.

This commit reverts this.
2017-07-27 15:08:01 +01:00
Hanno Becker 59df56e9b6 Undo API change from SHA1 deprecation
The previous commit bd5ceee484f201b90a384636ba12de86bd330cba removed
the definition of the global constants
- mbedtls_test_ca_crt_rsa_len,
- mbedtls_test_cli_crt_rsa_len,
- mbedtls_test_ca_crt_rsa, and
- mbedtls_test_cli_crt_rsa.
This commit restores these to maintain ABI compatibility.

Further, it was noticed that without SHA256_C being enabled the
previous code failed to compile because because the SHA1 resp. SHA256
certificates were only defined when the respective SHAXXX_C options
were set, but the emission of the global variable mbedtls_test_ca_crt
was unconditionally defined through the SHA256
certificate. Previously, the RSA SHA1 certificate was unconditionally
defined and used for that.

As a remedy, this commit makes sure some RSA certificate is defined
and exported through the following rule:
1. If SHA256_C is active, define an RSA SHA256 certificate and export
   it as mbedtls_test_ca_crt. Also, define SHA1 certificates only if
   SHA1_C is set.
2. If SHA256_C is not set, always define SHA1 certificate and export
   it as mbedtls_test_ca_crt.
2017-07-27 15:08:01 +01:00
Hanno Becker ff1b846b67 Undo API change
The previous commit b3e6872c93 changed
to public functions from ssl_ciphersuite.h to static inline. This
commit reverts this change.
2017-07-27 15:08:01 +01:00
Ron Eldor ca6ff5884d Check return code of mbedtls_mpi_fill_random
Add MBEDTLS_MPI_CHK to check for error value of mbedtls_mpi_fill_random.
Reported and fix suggested by guidovranken in #740
2017-07-27 15:08:01 +01:00
Ron Eldor 36d904218b Resource leak fix on windows platform
Fix a resource leak on windows platform, in mbedtls_x509_crt_parse_path,
in case a failure. when an error occurs, goto cleanup, and free the
resource, instead of returning error code immediately.
2017-07-27 15:08:01 +01:00
Ron Eldor 6314068d42 Wrong preproccessor condition fix
Fix for issue #696
Change #if defined(MBEDTLS_THREADING_PTHREAD)
to #if defined(MBEDTLS_THREADING_C)
2017-07-27 15:08:01 +01:00
Ron Eldor e2efaeaafc fix for issue 1118: check if iv is zero in gcm.
1) found by roberto in mbedtls forum
2) if iv_len is zero, return an error
3) add tests for invalid parameters
2017-07-27 15:08:01 +01:00
Janos Follath 78b1473ff3 Remove mutexes from ECP hardware acceleration
Protecting the ECP hardware acceleratior with mutexes is inconsistent with the
philosophy of the library. Pre-existing hardware accelerator interfaces
leave concurrency support to the underlying platform.

Fixes #863
2017-07-27 15:08:01 +01:00
Manuel Pégourié-Gonnard 9107b5fdd3 Improve comments 2017-07-06 12:16:25 +02:00
Manuel Pégourié-Gonnard 31458a1878 Only return VERIFY_FAILED from a single point
Everything else is a fatal error. Also improve documentation about that for
the vrfy callback.
2017-07-06 11:58:41 +02:00
Manuel Pégourié-Gonnard d15795acd5 Improve behaviour on fatal errors
If we didn't walk the whole chain, then there may be any kind of errors in the
part of the chain we didn't check, so setting all flags looks like the safe
thing to do.
2017-07-06 11:58:41 +02:00
Simon Butcher f2a597fa3d Update the version number to 2.5.1 2017-06-20 23:08:10 +01:00
Manuel Pégourié-Gonnard 4a42f3c405 Merge remote-tracking branch 'restricted/iotssl-1398' into development-restricted
* restricted/iotssl-1398:
  Add ChangeLog entry
  Ensure application data records are not kept when fully processed
  Add hard assertion to mbedtls_ssl_read_record_layer
  Fix mbedtls_ssl_read
  Simplify retaining of messages for future processing
2017-06-09 15:02:40 +02:00
Hanno Becker bdf3905fff Ensure application data records are not kept when fully processed
This commit fixes the following case: If a client is both expecting a
SERVER_HELLO and has an application data record that's partially
processed in flight (that's the situation the client gets into after
receiving a ServerHelloRequest followed by ApplicationData), a
subsequent call to mbedtls_ssl_read will set keep_current_message = 1
when seeing the unexpected application data, but not reset it to 0
after the application data has been processed. This commit fixes this.

It also documents and suggests how the problem might be solved in a
more structural way on the long run.
2017-06-09 10:42:03 +01:00
Manuel Pégourié-Gonnard b86b143030 Merge remote-tracking branch 'restricted/iotssl-1138-rsa-padding-check-restricted' into development-restricted
* restricted/iotssl-1138-rsa-padding-check-restricted:
  RSA PKCS1v1.5 verification: check padding length
2017-06-08 20:31:06 +02:00
Manuel Pégourié-Gonnard a0bf6ecfc3 Merge remote-tracking branch 'restricted/IOTSSL-1366/development-restricted' into development-restricted
* restricted/IOTSSL-1366/development-restricted:
  More length checks in RSA PKCS1v15 verify
  More length checks in RSA PKCS1v15 verify
2017-06-08 20:24:29 +02:00
Manuel Pégourié-Gonnard db108ac944 Merge remote-tracking branch 'hanno/mpi_read_file_underflow' into development
* hanno/mpi_read_file_underflow:
  Fix potential stack underflow in mpi_read_file.
2017-06-08 19:48:03 +02:00
Manuel Pégourié-Gonnard 1178ac5e77 Merge remote-tracking branch 'hanno/sliding_exponentiation' into development
* hanno/sliding_exponentiation:
  Adapt ChangeLog
  Abort modular inversion when modulus is one.
  Correct sign in modular exponentiation algorithm.
2017-06-08 19:46:30 +02:00
Hanno Becker bb9dd0c044 Add hard assertion to mbedtls_ssl_read_record_layer
This commit adds a hard assertion to mbedtls_ssl_read_record_layer
triggering if both ssl->in_hslen and ssl->in_offt are not 0. This
should never happen, and if it does, there's no sensible way of
telling whether the previous message was a handshake or an application
data message.
2017-06-08 11:55:34 +01:00
Hanno Becker 4a810fba69 Fix mbedtls_ssl_read
Don't fetch a new record in mbedtls_ssl_read_record_layer as long as an application data record is being processed.
2017-06-08 10:12:16 +01:00
Hanno Becker af0665d8b0 Simplify retaining of messages for future processing
There are situations in which it is not clear what message to expect
next. For example, the message following the ServerHello might be
either a Certificate, a ServerKeyExchange or a CertificateRequest. We
deal with this situation in the following way: Initially, the message
processing function for one of the allowed message types is called,
which fetches and decodes a new message. If that message is not the
expected one, the function returns successfully (instead of throwing
an error as usual for unexpected messages), and the handshake
continues to the processing function for the next possible message. To
not have this function fetch a new message, a flag in the SSL context
structure is used to indicate that the last message was retained for
further processing, and if that's set, the following processing
function will not fetch a new record.

This commit simplifies the usage of this message-retaining parameter
by doing the check within the record-fetching routine instead of the
specific message-processing routines. The code gets cleaner this way
and allows retaining messages to be used in other situations as well
without much effort. This will be used in the next commits.
2017-06-08 10:12:16 +01:00
Hanno Becker e6706e62d8 Add tests for missing CA chains and bad curves.
This commit adds four tests to tests/ssl-opt.sh:
(1) & (2): Check behaviour of optional/required verification when the
trusted CA chain is empty.
(3) & (4): Check behaviour of optional/required verification when the
client receives a server certificate with an unsupported curve.
2017-06-07 11:26:59 +01:00
Hanno Becker 39ae8cd207 Fix implementation of VERIFY_OPTIONAL verification mode
This commit changes the behaviour of mbedtls_ssl_parse_certificate
to make the two authentication modes MBEDTLS_SSL_VERIFY_REQUIRED and
MBEDTLS_SSL_VERIFY_OPTIONAL be in the following relationship:

    Mode == MBEDTLS_SSL_VERIFY_REQUIRED
<=> Mode == MBEDTLS_SSL_VERIFY_OPTIONAL + check verify result

Also, it changes the behaviour to perform the certificate chain
verification even if the trusted CA chain is empty. Previously, the
function failed in this case, even when using optional verification,
which was brought up in #864.
2017-06-07 11:13:19 +01:00
Manuel Pégourié-Gonnard ddc6e52cc1 Merge remote-tracking branch 'gilles/iotssl-1223/development' into development
* gilles/iotssl-1223/development:
  Fix FALLBACK_SCSV parsing
2017-06-06 20:11:36 +02:00
Manuel Pégourié-Gonnard 383a118338 Merge remote-tracking branch 'gilles/IOTSSL-1330/development' into development
* gilles/IOTSSL-1330/development:
  Changelog entry for the bug fixes
  SSLv3: when refusing renegotiation, stop processing
  Ignore failures when sending fatal alerts
  Cleaned up double variable declaration
  Code portability fix
  Added changelog entry
  Send TLS alerts in many more cases
  Skip all non-executables in run-test-suites.pl
  SSL tests: server requires auth, client has no certificate
  Balanced braces across preprocessor conditionals
  Support setting the ports on the command line
2017-06-06 19:22:41 +02:00
Gilles Peskine 5d2511c4d4 SHA-1 deprecation: allow it in key exchange
By default, keep allowing SHA-1 in key exchange signatures. Disabling
it causes compatibility issues, especially with clients that use
TLS1.2 but don't send the signature_algorithms extension.

SHA-1 is forbidden in certificates by default, since it's vulnerable
to offline collision-based attacks.
2017-06-06 18:44:14 +02:00
Gilles Peskine cd3c845157 Allow SHA-1 in SSL renegotiation tests
In the TLS test client, allow SHA-1 as a signature hash algorithm.
Without this, the renegotation tests failed.

A previous commit had allowed SHA-1 via the certificate profile but
that only applied before the initial negotiation which includes the
signature_algorithms extension.
2017-06-06 18:44:13 +02:00
Gilles Peskine 750c353c5c X.509 self-tests: replaced SHA-1 certificates by SHA-256 2017-06-06 18:44:13 +02:00
Gilles Peskine 5e79cb3662 Remove SHA-1 in TLS by default
Default to forbidding the use of SHA-1 in TLS where it is unsafe: for
certificate signing, and as the signature hash algorithm for the TLS
1.2 handshake signature. SHA-1 remains allowed in HMAC-SHA-1 in the
XXX_SHA ciphersuites and in the PRF for TLS <= 1.1.

For easy backward compatibility for use in controlled environments,
turn on the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 compiled-time option.
2017-06-06 18:44:13 +02:00
Manuel Pégourié-Gonnard 23b33f8663 Merge remote-tracking branch 'hanno/sig_hash_compatibility' into development
* hanno/sig_hash_compatibility:
  Improve documentation
  Split long lines
  Remember suitable hash function for any signature algorithm.
  Introduce macros and functions to characterize certain ciphersuites.
2017-06-06 18:14:57 +02:00
Gilles Peskine d50177fdf3 Fix FALLBACK_SCSV parsing
Fixed a bug in ssl_srv.c when parsing TLS_FALLBACK_SCSV in the
ciphersuite list that caused it to miss it sometimes. Reported by Hugo
Leisink as issue #810. Fix initially by @andreasag01; this commit
isolates the bug fix and adds a non-regression test.
2017-05-16 17:53:03 +02:00
Simon Butcher 9f77017a8d Updated version number to 2.5.0 2017-05-16 10:22:37 +01:00
Andres AG f5bf7189d3 Change return type of AES decrypt and encrypt
This patch modifies the following 2 functions in the AES module to
change the return type from void to int:
    * mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()
    * mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt()
This change is necessary to allow users of MBEDTLS_AES_ALT,
MBEDTLS_AES_DECRYPT_ALT and MBEDTLS_AES_ENCRYPT_ALT to return an error
code when replacing the default with their own implementation, e.g.
a hardware crypto accelerator.
2017-05-16 10:22:37 +01:00
Gilles Peskine 18ac716021 RSA: wipe more stack buffers
MGF mask and PSS salt are not highly sensitive, but wipe them anyway
for good hygiene.
2017-05-16 10:22:37 +01:00