Commit graph

3429 commits

Author SHA1 Message Date
Andres AG 0da3e44fea Add check for validity of date in x509_get_time() 2016-10-13 17:00:01 +01:00
Simon Butcher c176038d73 Update and clean up Changelog for #622 2016-10-13 15:34:27 +01:00
Andres AG 67ae0b9839 Fix sig->tag update in mbedtls_x509_get_sig() 2016-10-13 15:33:07 +01:00
Simon Butcher 6522fd382c Updated Changelog for fix #599 2016-10-13 14:35:29 +01:00
Janos Follath 30b273c78e Remove MBEDTLS_SSL_AEAD_RANDOM_IV feature
In a USENIX WOOT '16 paper the authors warn about a security risk
of random Initialisation Vectors (IV) repeating values.

The MBEDTLS_SSL_AEAD_RANDOM_IV feature is affected by this risk and
it isn't compliant with RFC5116. Furthermore, strictly speaking it
is a different cipher suite from the TLS (RFC5246) point of view.

Removing the MBEDTLS_SSL_AEAD_RANDOM_IV feature to resolve the above
problems.

Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky and Philipp
Jovanovic, "Nonce-Disrespecting Adversaries: Practical Forgery Attacks
on GCM in TLS", USENIX WOOT '16
2016-10-13 14:34:35 +01:00
Simon Butcher aac152328d Add extra compilation conditions to X.509 samples
The sample applications programs/pkey/cert_req.c and
programs/pkey/cert_write.c use the library functions mbedtls_pk_write_csr_pem()
and mbedtls_pk_write_crt_pem() respectively and programs/pkey/gen_key.c uses
the library function mbedtls_pk_write_key_pem().

These are dependent on the configuration option POLARSSL_PEM_WRITE_C. If the
option isn't defined the build breaks.

This change adds the compilation condition POLARSSL_PEM_WRITE_C to these
sample applications.
2016-10-13 14:31:13 +01:00
Simon Butcher d6e876cf34 Actually apply debug_level settings in cert_app 2016-10-13 14:30:24 +01:00
Simon Butcher c4363393ad Fix guards in SSL for ECDH key exchanges 2016-10-13 14:29:39 +01:00
Simon Butcher 5f81a2d2df Fix for #441 - crypt and hash gcm (#546)
* Fix crypt_and_hash to support decrypting GCM encrypted files

* Fix documentation in crypt_and_hash for the generic case

* Remove unused lastn from crypt_and_hash

lastn is not used with the cipher layer as it already provides padding
and understanding of length of the original data.

Backport of fix by Paul Bakker.
2016-10-13 14:28:40 +01:00
Andres AG 5a62dd4a5a Fix skipped test dependency in x509parse
Replace MBEDTLS_ with POLARSSL_ in the test dependency for x509parse,
otherwise tests are always skipped because dependencies are never
satisfied.
2016-10-13 14:28:30 +01:00
Janos Follath ae01c3cc62 X509: Fix bug triggered by future CA among trusted
Fix an issue that caused valid certificates being rejected whenever an
expired or not yet valid version of the trusted certificate was before the
valid version in the trusted certificate list.
2016-10-13 14:26:57 +01:00
Simon Butcher c9b564e64c Update Changelog for fix #559 2016-10-13 14:24:03 +01:00
Simon Butcher 394d65d1bb Update for ChangeLog for fixes for cert_app 2016-10-13 14:23:57 +01:00
Simon Butcher c112d21076 Update to ChangeLog for bug #428 2016-10-13 14:23:46 +01:00
Simon Butcher cb60bfb52d Update ChangeLog for fix to crypt_and_hash #441 2016-10-13 14:23:15 +01:00
Janos Follath 24f4d7f95e X509: Fix bug triggered by future CA among trusted
Fix an issue that caused valid certificates being rejected whenever an
expired or not yet valid version of the trusted certificate was before the
valid version in the trusted certificate list.
2016-10-13 14:21:24 +01:00
Andres AG a16d684df3 Add test for bounds in X509 DER write funcs 2016-10-13 14:20:22 +01:00
Andres AG 0c12bd69f5 Add missing bounds check in X509 DER write funcs
This patch adds checks in both mbedtls_x509write_crt_der and
mbedtls_x509write_csr_der before the signature is written to buf
using memcpy().
2016-10-13 14:20:14 +01:00
Janos Follath 441d6f9833 Remove MBEDTLS_SSL_AEAD_RANDOM_IV feature
In a USENIX WOOT '16 paper the authors warn about a security risk
of random Initialisation Vectors (IV) repeating values.

The MBEDTLS_SSL_AEAD_RANDOM_IV feature is affected by this risk and
it isn't compliant with RFC5116. Furthermore, strictly speaking it
is a different cipher suite from the TLS (RFC5246) point of view.

Removing the MBEDTLS_SSL_AEAD_RANDOM_IV feature to resolve the above
problems.

Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky and Philipp
Jovanovic, "Nonce-Disrespecting Adversaries: Practical Forgery Attacks
on GCM in TLS", USENIX WOOT '16
2016-10-13 14:14:16 +01:00
Simon Butcher 696f92e9b4 Add simple test for repeated IVs when using AEAD
In a USENIX WOOT '16 paper the authors exploit implementation
mistakes that cause Initialisation Vectors (IV) to repeat. This
did not happen in mbed TLS, and this test makes sure that this
won't happen in the future either.

A new test option is introduced to ssl-opt.sh that checks the server
and client logs for a pattern and fails in case there are any
duplicates in the lines following the matching ones. (This is
necessary because of the structure of the logging)

Added a test case as well to utilise the new option. This test forces
the TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 ciphersuite to make the
client and the server use an AEAD cipher.

Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky and Philipp
Jovanovic, "Nonce-Disrespecting Adversaries: Practical Forgery Attacks
on GCM in TLS", USENIX WOOT '16
2016-10-13 14:13:17 +01:00
Simon Butcher 1227d7cdf1 Added credit to Changelog for fix #558 2016-10-13 12:54:33 +01:00
Janos Follath bfcd032f9d Restore P>Q in RSA key generation (#558)
The PKCS#1 standard says nothing about the relation between P and Q
but many libraries guarantee P>Q and mbed TLS did so too in earlier
versions.

This commit restores this behaviour.
2016-10-13 12:54:33 +01:00
Simon Butcher e337ee647f Clarified Changelog for fix #602 2016-10-13 12:54:32 +01:00
Andres AG 6ad5d9450a Fix documentation for mbedtls_gcm_finish()
Fix implementation and documentation missmatch for the function
arguments to mbedtls_gcm_finish(). Also, removed redundant if condition
that always evaluates to true.
2016-10-13 12:54:32 +01:00
Simon Butcher 6b8d9cffc2 Updated Changelog for fix #599 2016-10-13 12:54:32 +01:00
Andres AG 57e6e8fbb7 Fix 1 byte overread in mbedtls_asn1_get_int() 2016-10-13 12:54:32 +01:00
Andres AG f527609849 Add test for bounds in X509 DER write funcs 2016-10-13 12:45:08 +01:00
Simon Butcher 1e5de32473 Update Changelog for fix #559 2016-10-13 12:45:07 +01:00
Simon Butcher 8c9ab6ce6f Add extra compilation conditions to X.509 samples
The sample applications programs/pkey/cert_req.c and
programs/pkey/cert_write.c use the library functions mbedtls_pk_write_csr_pem()
and mbedtls_pk_write_crt_pem() respectively and programs/pkey/gen_key.c uses
the library function mbedtls_pk_write_key_pem().

These are dependent on the configuration option POLARSSL_PEM_WRITE_C. If the
option isn't defined the build breaks.

This change adds the compilation condition POLARSSL_PEM_WRITE_C to these
sample applications.
2016-10-13 12:45:07 +01:00
Andres AG 372bf79d67 Add missing bounds check in X509 DER write funcs
This patch adds checks in both mbedtls_x509write_crt_der and
mbedtls_x509write_csr_der before the signature is written to buf
using memcpy().
2016-10-13 12:45:07 +01:00
Simon Butcher 80d191bbe9 Update for ChangeLog for fixes for cert_app 2016-10-13 12:44:20 +01:00
Simon Butcher 23abd160cc Actually apply debug_level settings in cert_app 2016-10-13 12:44:20 +01:00
Simon Butcher 2491fa2f2e Update to ChangeLog for bug #428 2016-10-13 12:44:20 +01:00
Simon Butcher 7458bc39ae Fix guards in SSL for ECDH key exchanges 2016-10-13 12:44:20 +01:00
Simon Butcher 6f3c9cc8b7 Update ChangeLog for fix to crypt_and_hash #441 2016-10-13 12:44:20 +01:00
Simon Butcher 31d7f5b236 Fix for #441 - crypt and hash gcm (#546)
* Fix crypt_and_hash to support decrypting GCM encrypted files

* Fix documentation in crypt_and_hash for the generic case

* Remove unused lastn from crypt_and_hash

lastn is not used with the cipher layer as it already provides padding
and understanding of length of the original data.

Backport of fix by Paul Bakker.
2016-10-13 12:44:19 +01:00
Andres AG 4bfbd6b542 Fix skipped test dependency in x509parse
Replace MBEDTLS_ with POLARSSL_ in the test dependency for x509parse,
otherwise tests are always skipped because dependencies are never
satisfied.
2016-10-13 12:44:19 +01:00
Simon Butcher 8b82d20321 Add missing dependencies to X509 Parse test suite for P-384 curve
The test script curves.pl was failing on testing dependencies for the P-384
curve on the new test cases introduced by ede75f0 and 884b4fc.
2016-10-13 12:44:19 +01:00
Janos Follath af1e74be70 X509: Fix bug triggered by future CA among trusted
Fix an issue that caused valid certificates being rejected whenever an
expired or not yet valid version of the trusted certificate was before the
valid version in the trusted certificate list.
2016-10-13 12:44:19 +01:00
Janos Follath 486c4f9a33 X509: Future CA among trusted: add more tests 2016-10-13 12:43:11 +01:00
Janos Follath c35f458d94 X509: Future CA among trusted: add unit tests 2016-10-13 12:43:11 +01:00
Simon Butcher c371c435c1 Added credit to Changelog for fix #558 2016-10-13 09:34:25 +01:00
Janos Follath 3072458ec3 Restore P>Q in RSA key generation (#558)
The PKCS#1 standard says nothing about the relation between P and Q
but many libraries guarantee P>Q and mbed TLS did so too in earlier
versions.

This commit restores this behaviour.
2016-10-13 09:27:18 +01:00
Simon Butcher 2c73577d4a Clarified Changelog for fix #602 2016-10-12 19:56:17 +01:00
Andres AG cdbcd2012d Fix documentation for mbedtls_gcm_finish()
Fix implementation and documentation missmatch for the function
arguments to mbedtls_gcm_finish(). Also, removed redundant if condition
that always evaluates to true.
2016-10-12 19:56:03 +01:00
Simon Butcher de4b7e8256 Updated Changelog for fix #599 2016-10-12 18:31:29 +01:00
Andres AG 15fdb7f9ff Fix 1 byte overread in mbedtls_asn1_get_int() 2016-10-12 18:28:03 +01:00
Simon Butcher 79f2e87f0c Update Changelog for fix #559 2016-10-10 23:48:11 +01:00
Simon Butcher 7de1493728 Add extra compilation conditions to X.509 samples
The sample applications programs/pkey/cert_req.c and
programs/pkey/cert_write.c use the library functions mbedtls_pk_write_csr_pem()
and mbedtls_pk_write_crt_pem() respectively and programs/pkey/gen_key.c uses
the library function mbedtls_pk_write_key_pem().

These are dependent on the configuration option POLARSSL_PEM_WRITE_C. If the
option isn't defined the build breaks.

This change adds the compilation condition POLARSSL_PEM_WRITE_C to these
sample applications.
2016-10-10 23:23:41 +01:00
Janos Follath 17da9dd829 Add option for relaxed X509 time verification.
The certificates are not valid according to the RFC, but are in wide
distribution across the internet. Hence the request to add a
compile-time flag to accept these certificates if wanted by the
application.

If POLARSSL_RELAXED_X509_DATE is enabled it will allow dates without
seconds, and allow dates with timezones (but doesn't actually use
the timezone).

Patch provided by OpenVPN.
2016-09-30 09:04:18 +01:00