Commit graph

5166 commits

Author SHA1 Message Date
Darryl Green 0c9bbb0ff8 Fix bias in random number generation in Miller-Rabin test
When a random number is generated for the Miller-Rabin primality test,
if the bit length of the random number is larger than the number being
tested, the random number is shifted right to have the same bit length.
This introduces bias, as the random number is now guaranteed to be
larger than 2^(bit length-1).

Changing this to instead zero all bits higher than the tested numbers
bit length will remove this bias and keep the random number being
uniformly generated.
2018-10-11 15:43:12 +01:00
Janos Follath da4ea3bd92 Changelog: Add entry for prime validation fix 2018-10-11 15:43:12 +01:00
Janos Follath 18b08c6f4c Bignum: Add tests for primality testing
Primality tests have to deal with different distribution when generating
primes and when validating primes.
These new tests are testing if mbedtls_mpi_is_prime() is working
properly in the latter setting.

The new tests involve pseudoprimes with maximum number of
non-witnesses. The non-witnesses were generated by printing them
from mpi_miller_rabin(). The pseudoprimes were generated by the
following function:

void gen_monier( mbedtls_mpi* res, int nbits )
{
    mbedtls_mpi p_2x_plus_1, p_4x_plus_1, x, tmp;

    mbedtls_mpi_init( &p_2x_plus_1 );
    mbedtls_mpi_init( &p_4x_plus_1 );
    mbedtls_mpi_init( &x ); mbedtls_mpi_init( &tmp );

    do
    {
        mbedtls_mpi_gen_prime( &p_2x_plus_1, nbits >> 1, 0,
                               rnd_std_rand, NULL );
        mbedtls_mpi_sub_int( &x, &p_2x_plus_1, 1 );
        mbedtls_mpi_div_int( &x, &tmp, &x, 2 );

        if( mbedtls_mpi_get_bit( &x, 0 ) == 0 )
            continue;

        mbedtls_mpi_mul_int( &p_4x_plus_1, &x, 4 );
        mbedtls_mpi_add_int( &p_4x_plus_1, &p_4x_plus_1, 1 );

        if( mbedtls_mpi_is_prime( &p_4x_plus_1, rnd_std_rand,
                                  NULL ) == 0 )
            break;

    } while( 1 );

    mbedtls_mpi_mul_mpi( res, &p_2x_plus_1, &p_4x_plus_1 );
}
2018-10-11 15:43:12 +01:00
Janos Follath 9dc5b7a27b Bignum: Fix prime validation vulnerability
The input distribution to primality testing functions is completely
different when used for generating primes and when for validating
primes. The constants used in the library are geared towards the prime
generation use case and are weak when used for validation. (Maliciously
constructed composite numbers can pass the test with high probability)

The mbedtls_mpi_is_prime() function is in the public API and although it
is not documented, it is reasonable to assume that the primary use case
is validating primes. The RSA module too uses it for validating key
material.
2018-10-11 15:43:12 +01:00
Janos Follath 02a8b0e232 Bignum: Remove dead code
Both variables affected by the code are overwritten before their next
read.
2018-10-08 13:12:58 +01:00
Simon Butcher 5bcbd4e7f4 Add ChangeLog entry for PR #1811 2018-09-26 23:03:56 +01:00
Simon Butcher 6a5ced41f2 Merge remote-tracking branch 'public/pr/1811' into mbedtls-2.1 2018-09-26 23:02:07 +01:00
Simon Butcher 86d32e690c Merge remote-tracking branch 'public/pr/1973' into mbedtls-2.1 2018-09-26 22:40:09 +01:00
Simon Butcher 0624b76361 Merge remote-tracking branch 'public/pr/1898' into mbedtls-2.1 2018-09-26 22:01:33 +01:00
Simon Butcher 96e0d8ebfc Clarified ChangeLog entry
ChangeLog entry for backport of #1890 was misleading, so corrected it.
2018-09-13 12:05:40 +01:00
Simon Butcher c4a33d54cf
Merge pull request #507 from sbutcher-arm/mbedtls-version-2.1.15
Update library version number to 2.1.15
2018-08-31 17:29:47 +01:00
Simon Butcher d3a5393a38 Update library version number to 2.1.15 2018-08-31 16:10:48 +01:00
Simon Butcher cb9f70e23d Fix misclassification of bug in Changelog 2018-08-31 12:01:43 +01:00
Andrzej Kurek 10108318e8 ssl-opt.sh: change expected output for large srv packet test with SSLv3
This test also exercises a protection against BEAST
and should expect message splitting.
2018-08-29 06:46:50 -04:00
Andrzej Kurek 9b89e3664f Remove trailing whitespace 2018-08-29 06:46:27 -04:00
Andrzej Kurek 85e411f813 ssl_server2: add buffer overhead for a termination character
Switch to mbedtls style of memory allocation
2018-08-29 06:46:27 -04:00
Andrzej Kurek 4115a8cf47 Add missing large and small packet tests for ssl_server2 2018-08-29 06:46:27 -04:00
Andrzej Kurek f4f59c0429 Added buffer_size and response_size options for ssl-server2.
Added appropriate tests.
2018-08-29 06:46:27 -04:00
Simon Butcher 8d408fac1d Merge remote-tracking branch 'restricted/pr/438' into mbedtls-2.1-restricted 2018-08-28 15:35:41 +01:00
Simon Butcher 9add36bbcb Merge remote-tracking branch 'restricted/pr/497' into mbedtls-2.1-restricted 2018-08-28 15:31:41 +01:00
Simon Butcher d22de0aaa7 Merge remote-tracking branch 'restricted/pr/492' into mbedtls-2.1-restricted 2018-08-28 15:23:56 +01:00
Simon Butcher 7a47cbca16 Merge remote-tracking branch 'public/pr/1137' into mbedtls-2.1 2018-08-28 12:33:27 +01:00
Simon Butcher 85e5bfd00c Merge remote-tracking branch 'public/pr/1889' into mbedtls-2.1 2018-08-28 12:26:33 +01:00
Simon Butcher 263ca7282e Merge remote-tracking branch 'public/pr/1957' into mbedtls-2.1 2018-08-28 12:17:38 +01:00
Simon Butcher d288ac0e83 Merge remote-tracking branch 'public/pr/1959' into mbedtls-2.1 2018-08-28 11:53:47 +01:00
Simon Butcher 1c5e4c2258 Merge remote-tracking branch 'public/pr/1980' into mbedtls-2.1 2018-08-28 10:18:48 +01:00
Hanno Becker badbe80c7f pk_encrypt: Uniformize debugging output 2018-08-23 15:56:55 +01:00
Hanno Becker 6b1b598c2f Fix typos in programs/x509/cert_write.c
Fixes #1922.
2018-08-23 15:26:55 +01:00
Hanno Becker b31e9dad60 Minor formatting improvements in pk_encrypt and pk_decrypt examples 2018-08-23 15:13:12 +01:00
Hanno Becker 47a34ff29e Adapt ChangeLog 2018-08-23 15:12:24 +01:00
Hanno Becker 7cee15e967 Correct memory leak in pk_decrypt example program 2018-08-23 15:12:23 +01:00
Hanno Becker 34cbd7e536 Correct memory-leak in pk_encrypt example program 2018-08-23 15:12:22 +01:00
Hanno Becker 1a60330e08 Adapt ChangeLog 2018-08-22 15:05:36 +01:00
Hanno Becker d636dd0cbb Fix bug in SSL ticket implementation removing keys of age < 1s
Fixes #1968.
2018-08-22 15:05:07 +01:00
Hanno Becker 16fe2fd15a ssl-opt.sh: Add DTLS session resumption tests
Fixes #1969.
2018-08-22 15:05:07 +01:00
Jaeden Amero 6b7b35b127 Merge remote-tracking branch 'upstream-public/pr/1952' into mbedtls-2.1 2018-08-17 15:31:51 +01:00
Hanno Becker 42d267bbe4 Compute record expansion in steps to ease readability 2018-08-17 15:29:48 +01:00
Jaeden Amero b4d3c5ad11 Merge remote-tracking branch 'upstream-public/pr/1945' into mbedtls-2.1 2018-08-17 14:27:02 +01:00
Hanno Becker d3475498e5 Adapt ChangeLog 2018-08-17 10:11:31 +01:00
Hanno Becker 07eb7ca17c Fix mbedtls_ssl_get_record_expansion() for CBC modes
`mbedtls_ssl_get_record_expansion()` is supposed to return the maximum
difference between the size of a protected record and the size of the
encapsulated plaintext.

Previously, it did not correctly estimate the maximum record expansion
in case of CBC ciphersuites in (D)TLS versions 1.1 and higher, in which
case the ciphertext is prefixed by an explicit IV.

This commit fixes this bug. Fixes #1914.
2018-08-17 10:11:28 +01:00
Hanno Becker 10652b10d9 Improve ChangeLog wording for the commmit that Fixes #1954. 2018-08-17 10:03:48 +01:00
Hanno Becker a24ed19a5d Add tests for empty CA list in CertificateRequest, TLS 1.0 & 1.1 2018-08-17 10:03:48 +01:00
Hanno Becker 10195ab853 Adapt ChangeLog 2018-08-16 15:53:17 +01:00
Hanno Becker 9e2237ac47 Fix overly strict bounds check in ssl_parse_certificate_request() 2018-08-16 15:53:17 +01:00
Mohammad Azim Khan 4c01904819 Fix Wformat-overflow warning in ssl_mail_client.c
sprintf( (char *) buf, "%s\r\n", base );
 Above code generates Wformat-overflow warning since both buf and base
are of same size. buf should be sizeof( base ) + characters added in
the format. In this case format 2 bytes for "\r\n".
2018-08-16 14:33:03 +01:00
Hanno Becker 048dba33cf Adapt ChangeLog 2018-08-14 15:50:07 +01:00
Hanno Becker 3328d8cf88 Reset session_in/out pointers in ssl_session_reset_int()
Fixes #1941.
2018-08-14 15:50:02 +01:00
Jaeden Amero 942cfea65f Merge remote-tracking branch 'upstream-public/pr/1815' into mbedtls-2.1 2018-08-10 11:00:40 +01:00
Jaeden Amero e3bcd9a432 Merge remote-tracking branch 'upstream-public/pr/1887' into mbedtls-2.1 2018-08-10 10:50:03 +01:00
Ron Eldor a4d836b403 Style fix
Add space in the ChangeLog.
2018-08-01 14:35:11 +03:00