Commit graph

3539 commits

Author SHA1 Message Date
Gilles Peskine 2cd7c18f59 Merge branch 'mbedtls-1.3' into mbedtls-1.3-restricted 2017-11-28 18:43:57 +01:00
Gilles Peskine 8c946113ba Merge branch 'pr_1083' into mbedtls-1.3
Merge PR #1083 plus ChangeLog entry.
2017-11-28 18:42:21 +01:00
Gilles Peskine f15cbdab67 Merge remote-tracking branch 'upstream-public/pr/1109' into mbedtls-1.3 2017-11-28 18:41:31 +01:00
Gilles Peskine 43a6b83419 Merge remote-tracking branch 'upstream-public/pr/1081' into mbedtls-1.3 2017-11-28 18:41:02 +01:00
Gilles Peskine f945a2245e Merge remote-tracking branch 'upstream-public/pr/944' into mbedtls-1.3 2017-11-28 18:38:17 +01:00
Gilles Peskine d2e8affa66 Add ChangeLog entry 2017-11-28 18:37:53 +01:00
Gilles Peskine 6f941d6c89 Merge remote-tracking branch 'upstream-restricted/pr/423' into mbedtls-1.3-restricted
Resolved simple conflicts caused by the independent addition of
calls to polarssl_zeroize with sometimes whitespace or comment
differences.
2017-11-28 16:23:28 +01:00
Gilles Peskine b087a88300 Merge remote-tracking branch 'upstream-restricted/pr/405' into mbedtls-1.3-restricted 2017-11-28 16:22:41 +01:00
Gilles Peskine c5cf89e1cc Merge branch 'mbedtls-1.3' into mbedtls-1.3-restricted 2017-11-28 15:32:00 +01:00
Gilles Peskine c22c8a2797 Merge branch 'win-tests-1.3' into mbedtls-1.3
Backport of PR #353
2017-11-28 15:28:47 +01:00
Gilles Peskine 8083849575 Add ChangeLog entry 2017-11-28 15:27:48 +01:00
Nicholas Wilson 25f762d248 Allow test suites to be run on Windows
For a start, they don't even compile with Visual Studio due to strcasecmp
being missing.  Secondly, on Windows Perl scripts aren't executable and have
to be run using the Perl interpreter directly; thankfully CMake is able to
find cygwin Perl straight away without problems.
2017-11-28 13:43:06 +00:00
Gilles Peskine 2bd6ca415b Merge remote-tracking branch 'upstream-restricted/pr/402' into mbedtls-1.3-restricted 2017-11-28 14:34:24 +01:00
Gilles Peskine d3dd8d2197 Merge remote-tracking branch 'upstream-restricted/pr/387' into mbedtls-1.3-restricted 2017-11-28 14:34:16 +01:00
Gilles Peskine c5926a7049 Merge branch 'iotssl-1419-safermemcmp-volatile_backport-1.3' into mbedtls-1.3-restricted 2017-11-28 13:50:05 +01:00
Gilles Peskine 1caad08610 add changelog entry 2017-11-28 13:35:09 +01:00
Gilles Peskine b662cc1f52 Avoid uninitialized variable warning in entropy_gather_internal
The variable ret was always initialized in entropy_gather_internal,
but `gcc -Werror=maybe-uninitialized` rightfully complained that it
was unable to determine this statically. Therefore, tweak the
problematic case (ctx->source_count == 0) to not use ret in that case.
2017-11-24 18:55:19 +01:00
Gilles Peskine 3036cbeb8e Merge branch 'mbedtls-1.3' into mbedtls-1.3-restricted 2017-11-24 16:07:43 +01:00
Gilles Peskine e298532394 Merge remote-tracking branch 'upstream-public/pr/1113' into mbedtls-1.3 2017-11-24 15:38:42 +01:00
Gilles Peskine 1dc344373a Merge branch 'iotssl-1368-unsafe-bounds-check-psk-identity-merge-1.3' into mbedtls-1.3-restricted 2017-11-23 19:11:58 +01:00
Gilles Peskine feae81de91 ChangeLog entry for ssl_parse_client_psk_identity fix 2017-11-23 19:10:48 +01:00
Manuel Pégourié-Gonnard 408dfd1f6a Merge remote-tracking branch 'restricted/pr/418' into mbedtls-1.3-restricted
* restricted/pr/418:
  RSA PSS: remove redundant check; changelog
  RSA PSS: fix first byte check for keys of size 8N+1
  RSA PSS: fix minimum length check for keys of size 8N+1
  RSA: Fix another buffer overflow in PSS signature verification
  RSA: Fix buffer overflow in PSS signature verification
2017-11-23 12:16:05 +01:00
Hanno Becker 825c3db149 Adapt ChangeLog 2017-10-25 16:11:06 +01:00
Hanno Becker c2102893af Zeroize stack before returning from mpi_fill_random 2017-10-25 16:11:06 +01:00
Hanno Becker 754663f8c4 Fix information leak in ecp_gen_keypair_base
The function ecp_gen_keypair_base did not wipe the stack buffer used to
hold the private exponent before returning. This commit fixes this by not using
a stack buffer in the first place but instead calling mpi_fill_random directly
to acquire the necessary random MPI.
2017-10-25 16:11:06 +01:00
Hanno Becker 0727ca41b7 Make mpi_read_binary time constant
This commit modifies mpi_read_binary to always allocate the minimum number of
limbs required to hold the entire buffer provided to the function, regardless of
its content. Previously, leading zero bytes in the input data were detected and
used to reduce memory footprint and time, but this non-constant behavior turned
out to be non-tolerable for the cryptographic applications this function is used
for.
2017-10-25 16:11:03 +01:00
Gilles Peskine 28474f41a0 RSA PSS: remove redundant check; changelog
Remove a check introduced in the previous buffer overflow fix with keys of
size 8N+1 which the subsequent fix for buffer start calculations made
redundant.

Added a changelog entry for the buffer start calculation fix.
2017-10-19 17:50:35 +02:00
Gilles Peskine 5d9224e11c RSA PSS: fix first byte check for keys of size 8N+1
For a key of size 8N+1, check that the first byte after applying the
public key operation is 0 (it could have been 1 instead). The code was
incorrectly doing a no-op check instead, which led to invalid
signatures being accepted. Not a security flaw, since you would need the
private key to craft such an invalid signature, but a bug nonetheless.
2017-10-19 15:47:13 +02:00
Gilles Peskine 7addb7f0a0 RSA PSS: fix minimum length check for keys of size 8N+1
The check introduced by the previous security fix was off by one. It
fixed the buffer overflow but was not compliant with the definition of
PSS which technically led to accepting some invalid signatures (but
not signatures made without the private key).
2017-10-18 19:13:22 +02:00
Gilles Peskine 511bb84c60 RSA: Fix another buffer overflow in PSS signature verification
Fix buffer overflow in RSA-PSS signature verification when the masking
operation results in an all-zero buffer. This could happen at any key size.
2017-10-17 19:33:48 +02:00
Gilles Peskine 55db24ca50 RSA: Fix buffer overflow in PSS signature verification
Fix buffer overflow in RSA-PSS signature verification when the hash is
too large for the key size. Found by Seth Terashima, Qualcomm.

Added a non-regression test and a positive test with the smallest
permitted key size for a SHA-512 hash.
2017-10-17 19:30:12 +02:00
Andres Amaya Garcia 75ea35eac8 Fix typo in asn1.h 2017-10-12 22:43:16 +01:00
Andres Amaya Garcia 8a6ba0b495 Improve leap year test names in x509parse.data 2017-10-12 21:18:21 +01:00
Andres AG 7c02d13746 Correctly handle leap year in x509_date_is_valid()
This patch ensures that invalid dates on leap years with 100 or 400
years intervals are handled correctly.
2017-10-12 21:08:46 +01:00
Janos Follath ea111c5501 Renegotiation: Add tests for SigAlg ext parsing
This commit adds regression tests for the bug when we didn't parse the
Signature Algorithm extension when renegotiating. (By nature, this bug
affected only the server)

The tests check for the fallback hash (SHA1) in the server log to detect
that the Signature Algorithm extension hasn't been parsed at least in
one of the handshakes.

A more direct way of testing is not possible with the current test
framework, since the Signature Algorithm extension is parsed in the
first handshake and any corresponding debug message is present in the
logs.
2017-10-11 14:06:40 +01:00
Ron Eldor 4491a791be Parse Signature Algorithm ext when renegotiating
Signature algorithm extension was skipped when renegotiation was in
progress, causing the signature algorithm not to be known when
renegotiating, and failing the handshake. Fix removes the renegotiation
step check before parsing the extension.
2017-10-11 14:06:26 +01:00
Andres Amaya Garcia 10345fbe2a Add ChangeLog entry 2017-10-07 22:24:07 +01:00
Andres Amaya Garcia cf428733b8 Fix coding style in x509_parse_int() 2017-10-07 22:22:26 +01:00
Andres Amaya Garcia 876214cd9d Change param type for x509_parse_int() to fix warn 2017-10-07 22:22:15 +01:00
Andres Amaya Garcia 8388be3ec7 Add brackets around net.c macro arguments 2017-10-07 22:22:04 +01:00
Andres Amaya Garcia 86f76ea25c Add brackets around function macro arguments 2017-10-07 22:21:54 +01:00
Andres Amaya Garcia a4d1857003 Fix type in net.c comment 2017-10-07 22:21:46 +01:00
Andres Amaya Garcia 6e5e9aaf7f Fix MSVC warning in net.c
The warning was caused because in MSVC some of the function parameters
for the socket APIs are int while the fields in struct addrinfo are
size_t e.g. possible data loss.
2017-10-07 22:21:38 +01:00
Andres Amaya Garcia 2d0a5840fe Fix MSVC warning in sample programs
The warning was caused because of conversions from size_t to int, which
can cause data loss. The files affected are:
* ssl_client2.c
* ssl_server2.c
* ssl_mail_client.c
2017-10-07 22:21:29 +01:00
Hanno Becker c143653a19 Add tests for encrypted 2048 and 4096-bit RSA keys
This commit adds multiple RSA keys of various sizes and unifies their naming scheme.
2017-10-06 14:31:51 +01:00
Hanno Becker a6cffa5edd Adapt ChangeLog 2017-10-05 08:58:00 +01:00
Hanno Becker ef4acc569d Minor style and typo corrections 2017-10-05 08:37:56 +01:00
Hanno Becker 524f255c5b Extend x509write_crt suite by RSA_ALT signing test 2017-10-05 08:37:56 +01:00
Hanno Becker e87e5f6c71 Extend cert_write example program by multiple cmd line options
This commit adds the following command line options to programs/x509/cert_write:
- version (val 1, 2, 3): Set the certificate's version (v1, v2, v3)
- authority_identifier (val 0, 1): Enable or disable the addition of the
                                   authority identifier extension.
- subject_identifier (val 0, 1): Enable or disable the addition of the
                                 subject identifier extension.
- basic_constraints (val 0, 1): Enable or disable the addition of the
                                basic constraints extension.
- md (val MD5, SHA1, SHA256, SHA512): Set the hash function used
                                      when creating the CRT.
2017-10-05 08:37:53 +01:00
Hanno Becker 7c3c97ac13 Don't add extensions for X.509 non-v3 certificates
This commit removes extension-writing code for X.509 non-v3 certificates from
x509write_crt_der. Previously, even if no extensions were present an
empty sequence would have been added.
2017-10-05 07:49:21 +01:00