Commit graph

2846 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard b86b143030 Merge remote-tracking branch 'restricted/iotssl-1138-rsa-padding-check-restricted' into development-restricted
* restricted/iotssl-1138-rsa-padding-check-restricted:
  RSA PKCS1v1.5 verification: check padding length
2017-06-08 20:31:06 +02:00
Manuel Pégourié-Gonnard a0bf6ecfc3 Merge remote-tracking branch 'restricted/IOTSSL-1366/development-restricted' into development-restricted
* restricted/IOTSSL-1366/development-restricted:
  More length checks in RSA PKCS1v15 verify
  More length checks in RSA PKCS1v15 verify
2017-06-08 20:24:29 +02:00
Manuel Pégourié-Gonnard db108ac944 Merge remote-tracking branch 'hanno/mpi_read_file_underflow' into development
* hanno/mpi_read_file_underflow:
  Fix potential stack underflow in mpi_read_file.
2017-06-08 19:48:03 +02:00
Manuel Pégourié-Gonnard 1178ac5e77 Merge remote-tracking branch 'hanno/sliding_exponentiation' into development
* hanno/sliding_exponentiation:
  Adapt ChangeLog
  Abort modular inversion when modulus is one.
  Correct sign in modular exponentiation algorithm.
2017-06-08 19:46:30 +02:00
Hanno Becker bb9dd0c044 Add hard assertion to mbedtls_ssl_read_record_layer
This commit adds a hard assertion to mbedtls_ssl_read_record_layer
triggering if both ssl->in_hslen and ssl->in_offt are not 0. This
should never happen, and if it does, there's no sensible way of
telling whether the previous message was a handshake or an application
data message.
2017-06-08 11:55:34 +01:00
Hanno Becker 4a810fba69 Fix mbedtls_ssl_read
Don't fetch a new record in mbedtls_ssl_read_record_layer as long as an application data record is being processed.
2017-06-08 10:12:16 +01:00
Hanno Becker af0665d8b0 Simplify retaining of messages for future processing
There are situations in which it is not clear what message to expect
next. For example, the message following the ServerHello might be
either a Certificate, a ServerKeyExchange or a CertificateRequest. We
deal with this situation in the following way: Initially, the message
processing function for one of the allowed message types is called,
which fetches and decodes a new message. If that message is not the
expected one, the function returns successfully (instead of throwing
an error as usual for unexpected messages), and the handshake
continues to the processing function for the next possible message. To
not have this function fetch a new message, a flag in the SSL context
structure is used to indicate that the last message was retained for
further processing, and if that's set, the following processing
function will not fetch a new record.

This commit simplifies the usage of this message-retaining parameter
by doing the check within the record-fetching routine instead of the
specific message-processing routines. The code gets cleaner this way
and allows retaining messages to be used in other situations as well
without much effort. This will be used in the next commits.
2017-06-08 10:12:16 +01:00
Hanno Becker e6706e62d8 Add tests for missing CA chains and bad curves.
This commit adds four tests to tests/ssl-opt.sh:
(1) & (2): Check behaviour of optional/required verification when the
trusted CA chain is empty.
(3) & (4): Check behaviour of optional/required verification when the
client receives a server certificate with an unsupported curve.
2017-06-07 11:26:59 +01:00
Hanno Becker 39ae8cd207 Fix implementation of VERIFY_OPTIONAL verification mode
This commit changes the behaviour of mbedtls_ssl_parse_certificate
to make the two authentication modes MBEDTLS_SSL_VERIFY_REQUIRED and
MBEDTLS_SSL_VERIFY_OPTIONAL be in the following relationship:

    Mode == MBEDTLS_SSL_VERIFY_REQUIRED
<=> Mode == MBEDTLS_SSL_VERIFY_OPTIONAL + check verify result

Also, it changes the behaviour to perform the certificate chain
verification even if the trusted CA chain is empty. Previously, the
function failed in this case, even when using optional verification,
which was brought up in #864.
2017-06-07 11:13:19 +01:00
Manuel Pégourié-Gonnard ddc6e52cc1 Merge remote-tracking branch 'gilles/iotssl-1223/development' into development
* gilles/iotssl-1223/development:
  Fix FALLBACK_SCSV parsing
2017-06-06 20:11:36 +02:00
Manuel Pégourié-Gonnard 383a118338 Merge remote-tracking branch 'gilles/IOTSSL-1330/development' into development
* gilles/IOTSSL-1330/development:
  Changelog entry for the bug fixes
  SSLv3: when refusing renegotiation, stop processing
  Ignore failures when sending fatal alerts
  Cleaned up double variable declaration
  Code portability fix
  Added changelog entry
  Send TLS alerts in many more cases
  Skip all non-executables in run-test-suites.pl
  SSL tests: server requires auth, client has no certificate
  Balanced braces across preprocessor conditionals
  Support setting the ports on the command line
2017-06-06 19:22:41 +02:00
Gilles Peskine 5d2511c4d4 SHA-1 deprecation: allow it in key exchange
By default, keep allowing SHA-1 in key exchange signatures. Disabling
it causes compatibility issues, especially with clients that use
TLS1.2 but don't send the signature_algorithms extension.

SHA-1 is forbidden in certificates by default, since it's vulnerable
to offline collision-based attacks.
2017-06-06 18:44:14 +02:00
Gilles Peskine cd3c845157 Allow SHA-1 in SSL renegotiation tests
In the TLS test client, allow SHA-1 as a signature hash algorithm.
Without this, the renegotation tests failed.

A previous commit had allowed SHA-1 via the certificate profile but
that only applied before the initial negotiation which includes the
signature_algorithms extension.
2017-06-06 18:44:13 +02:00
Gilles Peskine 750c353c5c X.509 self-tests: replaced SHA-1 certificates by SHA-256 2017-06-06 18:44:13 +02:00
Gilles Peskine 5e79cb3662 Remove SHA-1 in TLS by default
Default to forbidding the use of SHA-1 in TLS where it is unsafe: for
certificate signing, and as the signature hash algorithm for the TLS
1.2 handshake signature. SHA-1 remains allowed in HMAC-SHA-1 in the
XXX_SHA ciphersuites and in the PRF for TLS <= 1.1.

For easy backward compatibility for use in controlled environments,
turn on the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 compiled-time option.
2017-06-06 18:44:13 +02:00
Manuel Pégourié-Gonnard 23b33f8663 Merge remote-tracking branch 'hanno/sig_hash_compatibility' into development
* hanno/sig_hash_compatibility:
  Improve documentation
  Split long lines
  Remember suitable hash function for any signature algorithm.
  Introduce macros and functions to characterize certain ciphersuites.
2017-06-06 18:14:57 +02:00
Andres AG 51a7ae1353 Add missing ret code checks in PEM module
Add missing return code checks in the functions pem_des_decrypt(),
pem_3des_decrypt() and pem_aes_decrypt() so that the calling function
mbedtls_pem_read_buffer() is notified of errors reported by the crypto
primitives AES, DES and 3DES.
2017-05-30 16:40:36 +01:00
Gilles Peskine d50177fdf3 Fix FALLBACK_SCSV parsing
Fixed a bug in ssl_srv.c when parsing TLS_FALLBACK_SCSV in the
ciphersuite list that caused it to miss it sometimes. Reported by Hugo
Leisink as issue #810. Fix initially by @andreasag01; this commit
isolates the bug fix and adds a non-regression test.
2017-05-16 17:53:03 +02:00
Simon Butcher 9f77017a8d Updated version number to 2.5.0 2017-05-16 10:22:37 +01:00
Andres AG f5bf7189d3 Change return type of AES decrypt and encrypt
This patch modifies the following 2 functions in the AES module to
change the return type from void to int:
    * mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()
    * mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt()
This change is necessary to allow users of MBEDTLS_AES_ALT,
MBEDTLS_AES_DECRYPT_ALT and MBEDTLS_AES_ENCRYPT_ALT to return an error
code when replacing the default with their own implementation, e.g.
a hardware crypto accelerator.
2017-05-16 10:22:37 +01:00
Gilles Peskine 18ac716021 RSA: wipe more stack buffers
MGF mask and PSS salt are not highly sensitive, but wipe them anyway
for good hygiene.
2017-05-16 10:22:37 +01:00
Gilles Peskine 4a7f6a0ddb RSA: wipe stack buffers
The RSA private key functions rsa_rsaes_pkcs1_v15_decrypt and
rsa_rsaes_oaep_decrypt put sensitive data (decryption results) on the
stack. Wipe it before returning.

Thanks to Laurent Simon for reporting this issue.
2017-05-16 10:22:37 +01:00
Janos Follath 6e876988de Fix bug in threading sample implementation #667 2017-05-16 10:22:37 +01:00
Janos Follath f9203b4139 Add exponent blinding to RSA with CRT
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of different measurements.

This commit handles the case when the Chinese Remainder Theorem is used
to accelerate the computation.
2017-05-16 10:22:37 +01:00
Janos Follath e81102e476 Add exponent blinding to RSA without CRT
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of fifferent measurements.

This commits handles the case when the Chinese Remainder Theorem is NOT
used to accelerate computations.
2017-05-16 10:22:37 +01:00
Janos Follath 088ce43ffe Implement optional CA list suppression in Certificate Request
According to RFC5246 the server can indicate the known Certificate
Authorities or can constrain the aurhorisation space by sending a
certificate list. This part of the message is optional and if omitted,
the client may send any certificate in the response.

The previous behaviour of mbed TLS was to always send the name of all the
CAs that are configured as root CAs. In certain cases this might cause
usability and privacy issues for example:
- If the list of the CA names is longer than the peers input buffer then
  the handshake will fail
- If the configured CAs belong to third parties, this message gives away
  information on the relations to these third parties

Therefore we introduce an option to suppress the CA list in the
Certificate Request message.

Providing this feature as a runtime option comes with a little cost in
code size and advantages in maintenance and flexibility.
2017-05-16 10:22:37 +01:00
Hanno Becker cf7ae7e7d3 Improve documentation 2017-05-15 11:50:13 +01:00
Hanno Becker 0d0cd4b30e Split long lines 2017-05-15 11:50:13 +01:00
Hanno Becker 7e5437a972 Remember suitable hash function for any signature algorithm.
This commit changes `ssl_parse_signature_algorithms_ext` to remember
one suitable ( := supported by client and by our config ) hash
algorithm per signature algorithm.

It also modifies the ciphersuite checking function
`ssl_ciphersuite_match` to refuse a suite if there
is no suitable hash algorithm.

Finally, it adds the corresponding entry to the ChangeLog.
2017-05-15 11:50:11 +01:00
Hanno Becker 1aa267cbc3 Introduce macros and functions to characterize certain ciphersuites.
The routine `mbedtls_ssl_write_server_key_exchange` heavily depends on
what kind of cipher suite is active: some don't need a
ServerKeyExchange at all, some need (EC)DH parameters but no server
signature, some require both. Each time we want to restrict a certain
piece of code to some class of ciphersuites, it is guarded by a
lengthy concatentation of configuration checks determining whether at
least one of the relevant cipher suites is enabled in the config; on
the code level, it is guarded by the check whether one of these
cipher suites is the active one.

To ease readability of the code, this commit introduces several helper
macros and helper functions that can be used to determine whether a
certain class of ciphersuites (a) is active in the config, and
(b) contains the currently present ciphersuite.
2017-05-15 11:46:57 +01:00
Andres Amaya Garcia af610a0baf Fix check-doxy-blocks.pl errors (cmac.c ecjpake.h) 2017-05-12 00:18:04 +01:00
Janos Follath 6c8ccd5be4 Fix cleanup label alignment 2017-05-11 22:42:14 +01:00
Janos Follath 69b2051e76 Update version features with ECP macros 2017-05-11 22:42:14 +01:00
Janos Follath c44ab97cc9 Apply review feedback on ECP interface
Naming conventions are revised, style issues corrected and minor
optimisation added.
2017-05-11 22:42:14 +01:00
Janos Follath b8a90fb51c Update ECP hardware abstraction interface
With this commit the Elliptic Curve Point interface is rewised. Two
compile time options has been removed to simplify the interface and
the function names got a new prefix that indicates that these functions
are for internal use and not part of the public interface.
2017-05-11 22:42:14 +01:00
Janos Follath 430d3376c9 Add thread safety to ECP hardware acceleration
The intended use of the abstraction layer for Elliptic Curve Point
arithmetic is to enable using hardware cryptographic accelerators.
These devices are a shared resource and the driver code rarely provides
thread safety.

This commit adds mutexes to the abstraction layer to protect the device
in a multi-threaded environment.
2017-05-11 22:42:14 +01:00
Janos Follath 552f6b6d17 Add global mutex for asymmetric crypto accelerator
The primary use case behind providing an abstraction layer to enable
alternative Elliptic Curve Point arithmetic implementation, is making
use of cryptographic acceleration hardware if it is present.

To provide thread safety for the hardware accelerator we need a mutex
to guard it.
2017-05-11 22:42:14 +01:00
Janos Follath 16e63ea2e2 Fix alternative ECP function names
The alternative Elliptic Curve Point arithmetic functions didn't have
an 'mbedtls_' prefix as required by check-names.sh.
2017-05-11 22:42:14 +01:00
Janos Follath 4d9c69dde8 Fix ECP alternative macro names
The compile time macros enabling the initialisation and deinitialisation
in the alternative Elliptic Curve Point arithmetic implementation had
names that did not end with '_ALT' as required by check-names.sh.
2017-05-11 22:42:14 +01:00
Janos Follath 47d28f08a6 Remove alt_internal directory 2017-05-11 22:42:14 +01:00
Janos Follath 372697b6b7 Clean up ECP abstraction layer code
This commit fixes several style issues and fixes in the documentation
of the Elliptic Curve Point arithmetic abstraction layer.
2017-05-11 22:42:14 +01:00
Janos Follath b069753313 ECP: Add module and function level replacement options. 2017-05-11 22:42:14 +01:00
Andres AG 72849877d0 Fix data loss in unsigned int cast in PK
This patch introduces some additional checks in the PK module for 64-bit
systems only. The problem is that the API functions in the PK
abstraction accept a size_t value for the hashlen, while the RSA module
accepts an unsigned int for the hashlen. Instead of silently casting
size_t to unsigned int, this change checks whether the hashlen overflows
an unsigned int and returns an error.
2017-05-11 21:55:17 +01:00
Manuel Pégourié-Gonnard c1380de887 RSA PKCS1v1.5 verification: check padding length
The test case was generated by modifying our signature code so that it
produces a 7-byte long padding (which also means garbage at the end, so it is
essential in to check that the error that is detected first is indeed the
padding rather than the final length check).
2017-05-11 13:10:13 +02:00
Gilles Peskine 92e4426169 SSLv3: when refusing renegotiation, stop processing
Before the code was sending a fatal alert but then processing any
further data from the peer.

Internal reference: IOTSSL-1384
2017-05-10 17:31:13 +02:00
Gilles Peskine c94f7352fa Ignore failures when sending fatal alerts
In many places in TLS handling, some code detects a fatal error, sends
a fatal alert message, and returns to the caller. If sending the alert
fails, then return the error that triggered the alert, rather than
overriding the return status. This effectively causes alert sending
failures to be ignored. Formerly the code was inconsistently sometimes
doing one, sometimes the other.

In general ignoring the alert is the right thing: what matters to the
caller is the original error. A typical alert failure is that the
connection is already closed.

One case which remains not handled correctly is if the alert remains
in the output buffer (WANT_WRITE). Then it won't be sent, or will be
truncated. We'd need to either delay the application error or record
the write buffering notice; to be done later.
2017-05-10 17:31:02 +02:00
Gilles Peskine 8498cb3687 Cleaned up double variable declaration 2017-05-10 15:39:40 +02:00
Gilles Peskine 064a85ca48 Code portability fix 2017-05-10 10:46:40 +02:00
Hanno Becker b2034b7785 Fix potential stack underflow in mpi_read_file.
When provided with an empty line, mpi_read_file causes a numeric
underflow resulting in a stack underflow. This commit fixes this and
adds some documentation to mpi_read_file.
2017-05-09 10:29:06 +01:00
Hanno Becker 4bcb4914c5 Abort modular inversion when modulus is one.
The modular inversion function hangs when provided with the modulus 1. This commit refuses this modulus with a BAD_INPUT error code. It also adds a test for this case.
2017-05-08 14:47:04 +01:00
Hanno Becker a6ed9c5429 Backup errno in net_would_block
Safe and restore the value of errno in net_would_block to be sure
it's not affected by the guarding call to fcntl. Fixes #845.
2017-05-04 13:53:26 +01:00
Gilles Peskine e7e7650480 More length checks in RSA PKCS1v15 verify
Added one check that I'd missed, and made the style more uniform.
2017-05-04 12:48:39 +02:00
Gilles Peskine 0e17eb05f8 More length checks in RSA PKCS1v15 verify
Tighten ASN.1 parsing of RSA PKCS#1 v1.5 signatures, to avoid a
potential Bleichenbacher-style attack.
2017-05-03 18:56:10 +02:00
Gilles Peskine 1cc8e3472a Send TLS alerts in many more cases
The TLS client and server code was usually closing the connection in
case of a fatal error without sending an alert. This commit adds
alerts in many cases.

Added one test case to detect that we send the alert, where a server
complains that the client's certificate is from an unknown CA (case
tracked internally as IOTSSL-1330).
2017-05-03 16:28:34 +02:00
Gilles Peskine f982852bf0 Balanced braces across preprocessor conditionals
This is a cosmetic improvement to ease source code navigation only.
2017-05-03 12:28:43 +02:00
Hanno Becker a4af1c47d2 Correct sign in modular exponentiation algorithm.
The modular exponentiation function  handled the sign incorrectly. This commit fixes this and a test case which should have caught it.
2017-04-18 09:07:45 +01:00
Andres AG d1cc7f6f34 Fix buffer overflow in mbedtls_mpi_write_string()
Fix a buffer overflow when writting a string representation of an MPI
number to a buffer in hexadecimal. The problem occurs because hex
digits are written in pairs and this is not accounted for in the
calculation of the required buffer size when the number of digits is
odd.
2017-03-02 21:34:21 +00:00
Ron Eldor 12e0b800da Fix resource leak when using mutex and ssl_cookie
When using ssl_cookie with MBEDTLS_THREADING_C, fix a resource leak caused by
initiating a mutex in mbedtls_ssl_cookie_free instead of freeing it.
Raised and fix suggested by lan Gillingham in the mbed TLS forum
Tracked in #771
2017-03-02 12:26:11 +00:00
Janos Follath 7dadc2f259 ECP: Prevent freeing a buffer on stack
The function ecp_mod_koblitz computed the space for the result of a
multiplication optimally for that specific case, but unfortunately
the function mbedtls_mpi_mul_mpi performs a generic, suboptimal
calculation and needs one more limb for the result. Since the result's
buffer is on the stack, the best case scenario is that the program
stops.

This only happened on 64 bit platforms.

Fixes #569
2017-02-28 18:41:39 +00:00
Andres AG 5708dcb368 Fix memory leak in mbedtls_x509_crl_parse()
The memory leak call was caused by missing calls to mbedtls_pem_free()
when a MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT error was
encountered.
2017-02-28 14:51:31 +00:00
Janos Follath 87c980749d Fix buffer overread in mbedtls_x509_get_time()
A heap overread might happen when parsing malformed certificates.
Reported by Peng Li and Yueh-Hsun Lin.

Refactoring the parsing fixes the problem. This commit applies the
relevant part of the OpenVPN contribution applied to mbed TLS 1.3
in commit 17da9dd829.
2017-02-28 14:23:12 +00:00
Simon Butcher fc794ff2b7 Merge branch 'iotssl-1071-ca-flags'
Fixes a regression introduced by an earlier commit that modified
x509_crt_verify_top() to ensure that valid certificates that are after past or
future valid in the chain are processed. However the change introduced a change
in behaviour that caused the verification flags MBEDTLS_X509_BADCERT_EXPIRED and
MBEDTLS_BADCERT_FUTURE to always be set whenever there is a failure in the
verification regardless of the cause.

The fix maintains both behaviours:

 * Ensure that valid certificates after future and past are verified
 * Ensure that the correct verification flags are set.
2017-02-27 19:06:05 +00:00
Simon Butcher 0278a38f10 Merge branch 'iotssl-1077-dos-crl'
Modifies the function mbedtls_x509_crl_parse() to ensure that a CRL in PEM
format with trailing characters after the footer does not result in the
execution of an infinite loop.
2017-02-26 01:16:02 +00:00
Simon Butcher a29c5e9e66 Add comment to integer overflow fix in base64.c
Adds clarifying comment to the integer overflow fix in base64.c
2017-02-15 23:31:07 +02:00
Andres AG 4623d83c6f Fix integer overflow mbedtls_base64_decode()
Fix potential integer overflows in the function mbedtls_base64_decode().
This overflow would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-15 23:31:07 +02:00
Andres Amaya Garcia 6a54336897 Fix integer overflows in buffer bound checks
Fix potential integer overflows in the following functions:
  * mbedtls_md2_update() to be bypassed and cause
  * mbedtls_cipher_update()
  * mbedtls_ctr_drbg_reseed()
This overflows would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-15 23:31:07 +02:00
Janos Follath 182013faf4 Prevent SLOTH attacks 2017-02-15 23:29:32 +02:00
Andres AG 2196c7f81c Fix renegotiation at incorrect times in DTLS
Fix an incorrect condition in ssl_check_ctr_renegotiate() that compared
64 bits of record counter instead of 48 bits as described in RFC 6347
Section 4.3.1. This would cause the function's return value to be
occasionally incorrect and the renegotiation routines to be triggered
at unexpected times.
2017-02-15 23:26:35 +02:00
Janos Follath 4c006cdb1c Update library version number to 2.4.1 2017-02-15 22:55:55 +02:00
Janos Follath 5da3a6f92f Update CMAC test vectors. 2017-02-15 22:55:30 +02:00
Andres AG c0db511820 Fix unused variable/function compilation warnings
This PR fixes a number of unused variable/function compilation warnings
that arise when using a config.h that does not define the macro
MBEDTLS_PEM_PARSE_C.
2017-02-15 22:54:42 +02:00
Simon Butcher e4ac5428f3 Fix formatting issues in net_sockets.c 2017-02-15 09:08:26 +00:00
Simon Butcher 36540ff741 Fix compiler warning in debug.c 2017-02-15 09:08:26 +00:00
Simon B 3c6b18df3a Fix various compiler warnings with MSVC
Fixes various compiler warnings found with Microsoft Visual Studio 2015
(and earlier versions).
2017-02-15 09:08:26 +00:00
Brian J Murray 1903fb312f Clarify Comments and Fix Typos (#651)
Fixes many typos, and errors in comments.

* Clarifies many comments
* Grammar correction in config.pl help text
* Removed comment about MBEDTLS_X509_EXT_NS_CERT_TYPE.
* Comment typo fix (Dont => Don't)
* Comment typo fix (assure => ensure)
* Comment typo fix (byes => bytes)
* Added citation for quoted standard
* Comment typo fix (one complement => 1's complement)

The is some debate about whether to prefer "one's complement",  "ones'
complement", or "1's complement".  The more recent RFCs related to TLS
(RFC 6347,  RFC 4347, etc) use " 1's complement", so I followed that
convention.

* Added missing ")" in comment
* Comment alignment
* Incorrect comment after #endif
2017-02-15 09:08:26 +00:00
Andres AG d16506624a Fix verify out flags from x509_crt_verify_top()
This change fixes a regression introduced by an earlier commit that
modified x509_crt_verify_top() to ensure that valid certificates
that are after past or future valid in the chain are processed. However
the change introduced a change in behaviour that caused the
verification flags MBEDTLS_X509_BADCERT_EXPIRED and
MBEDTLS_BADCERT_FUTURE to always be set whenever there is a failure in
the verification regardless of the cause.

The fix maintains both behaviours:
  * Ensure that valid certificates after future and past are verified
  * Ensure that the correct verification flags are set.

To do so, a temporary pointer to the first future or past valid
certificate is maintained while traversing the chain. If a truly valid
certificate is found then that one is used, otherwise if no valid
certificate is found and the end of the chain is reached, the program
reverts back to using the future or past valid certificate.
2017-01-20 13:52:01 +00:00
Andres AG 939954c0b0 Fix CRL parsing to avoid infinite loop
This patch modifies the function mbedtls_x509_crl_parse() to ensure
that a CRL in PEM format with trailing characters after the footer does
not result in the execution of an infinite loop.
2017-01-19 16:43:48 +00:00
Simon Butcher 105e856143 Merge branch 'gcc-compiler-warnings' 2017-01-05 18:26:40 +00:00
Janos Follath 1808dc01bd Update library version number to 2.4.1 2016-12-13 16:00:52 +00:00
Janos Follath cd13bd2819 Update CMAC test vectors. 2016-12-13 16:00:52 +00:00
Simon Butcher 532c94dcb7 Fix formatting issues in net_sockets.c 2016-11-17 09:22:47 +00:00
Simon Butcher 097618b4c6 Fix compiler warning in debug.c 2016-11-17 09:22:46 +00:00
Simon B 3249cb780b Fix various compiler warnings with MSVC
Fixes various compiler warnings found with Microsoft Visual Studio 2015
(and earlier versions).
2016-11-10 15:37:33 +00:00
Brian J Murray 2adecba01f Clarify Comments and Fix Typos (#651)
Fixes many typos, and errors in comments.

* Clarifies many comments
* Grammar correction in config.pl help text
* Removed comment about MBEDTLS_X509_EXT_NS_CERT_TYPE.
* Comment typo fix (Dont => Don't)
* Comment typo fix (assure => ensure)
* Comment typo fix (byes => bytes)
* Added citation for quoted standard
* Comment typo fix (one complement => 1's complement)

The is some debate about whether to prefer "one's complement",  "ones'
complement", or "1's complement".  The more recent RFCs related to TLS
(RFC 6347,  RFC 4347, etc) use " 1's complement", so I followed that
convention.

* Added missing ")" in comment
* Comment alignment
* Incorrect comment after #endif
2016-11-06 12:45:15 +00:00
Andres AG 703990b839 Fix buffer overreads in mbedtls_pem_read_buffer() 2016-10-24 13:00:37 +01:00
Simon Butcher 16c54ee9c8 Update library version number to 2.4.0 2016-10-16 19:34:39 +01:00
Simon Butcher 8e00410402 Merge fix for AEAD Random IVs 2016-10-14 00:48:33 +01:00
Simon Butcher 9800a058ae Merge branch 'development' 2016-10-13 17:25:56 +01:00
Simon Butcher 99000142cb Merge fix for IE Certificate Compatibility 2016-10-13 17:21:01 +01:00
Simon Butcher 488c08c00b Merge branch fixing date validity in X.509 2016-10-13 16:13:09 +01:00
Simon Butcher c58d7b4074 Merge fix for X.509 compatibility issues 2016-10-13 15:54:03 +01:00
Simon Butcher 511526720c Merge fix for branch SSL client overread 2016-10-13 15:39:09 +01:00
Simon Butcher de319cb743 Merge branch 'development' 2016-10-13 15:14:04 +01:00
Russ Butler bb83b42700 Use allocated memory for SHA self tests
Reduce the stack usage of the testing framework by dynamically
allocating the memory used for the test.
2016-10-13 15:10:14 +01:00
Janos Follath e5dc202469 Restore P>Q in RSA key generation (#558)
The PKCS#1 standard says nothing about the relation between P and Q
but many libraries guarantee P>Q and mbed TLS did so too in earlier
versions.

This commit restores this behaviour.
2016-10-13 13:54:48 +01:00
Andres AG 314d8a8400 Fix documentation for mbedtls_gcm_finish()
Fix implementation and documentation missmatch for the function
arguments to mbedtls_gcm_finish(). Also, removed redundant if condition
that always evaluates to true.
2016-10-13 13:54:47 +01:00
Andres AG 410d3dd3c7 Fix 1 byte overread in mbedtls_asn1_get_int() 2016-10-13 13:54:14 +01:00
Janos Follath d7b9049806 Fix memory leaks in CMAC tests 2016-10-13 13:53:56 +01:00
Janos Follath 2b3b740574 Remove unnecessary flag from CMAC context 2016-10-13 13:53:33 +01:00
Simon Butcher c61351df72 Fix issues in CMAC in repeated updates
Successive calls to mbedtls_cipher_cmac_update() which weren't block aligned
were failing, which is fixed by this commit.
2016-10-13 13:53:12 +01:00
Simon Butcher ad882673dc Fix bracketing in cmac.c
The bracketing in some expressions where an assignment was being made in an if statement in cmac.c had been accidentally broken and was causing compiler warnings with armcc.
2016-10-13 13:52:00 +01:00
Andres AG 8254b6c9f3 Clean up of formatting, and potential integer overflow fix 2016-10-13 13:51:13 +01:00
Simon Butcher 2127932fb8 Fixes following review
Fixes issue of not zeroing entire block on reset and conditional compilation.
2016-10-13 13:51:12 +01:00
Simon Butcher f394e09431 Clean up and minor fixes following review
Minor fixes following review including:
    * formatting changes including indentation and code style
    * corrections
    * removal of debug code
    * clarification of code through variable renaming
    * memory leak
    * compiler warnings
2016-10-13 13:51:12 +01:00
Simon Butcher 5805fbedcb Fix CMAC interface for doxygen
Parameters didn't match the function definition.
2016-10-13 13:51:12 +01:00
Simon Butcher 8a1a68cb2b Regenerate error.c file to remove CMAC 2016-10-13 13:51:12 +01:00
Simon Butcher 0c79073a8b Refactor and change CMAC interface
Change the CMAC interface to match the mbedtls_md_hmac_xxxx() interface. This
changes the overall design of the CMAC interface to make it more consistent with
the existing HMAC interface, and will allow incremental updates of input data
rather than requiring all data to be presented at once, which is what the
current interface requires.
2016-10-13 13:51:11 +01:00
Brian Murray 7b07e0e4b4 Fix build failure for thread config 2016-10-13 13:51:11 +01:00
Brian Murray 5168618294 Minor fixes to comments 2016-10-13 13:51:11 +01:00
Brian Murray 3d64431a33 Minor CMAC fixes for merge 2016-10-13 13:51:11 +01:00
Brian Murray 0b21cdf7bc cleaned up indentation and braket issues in mbedtls_cmac_verify 2016-10-13 13:51:11 +01:00
Brian Murray bbed660aa1 Changed test function to inline to pass tests/scripts/check-names.sh 2016-10-13 13:51:10 +01:00
Brian Murray fe9ff01c49 Fixed some build warnings 2016-10-13 13:51:10 +01:00
Brian Murray 4e067035b7 Do not zeroize null pointer 2016-10-13 13:51:10 +01:00
Brian Murray cdd1f6d96c Removed unneed memsets and fixed spacing 2016-10-13 13:51:10 +01:00
Brian Murray 6eae89bb6f No CMAC minimum tag length is specified by NIST SP800-38B A
Minor Typo Changes
2016-10-13 13:51:10 +01:00
Brian Murray e260feacbe cmac.c whitespace cleanup 2016-10-13 13:51:10 +01:00
Brian Murray db5c70e080 better handling of failed calloc 2016-10-13 13:51:10 +01:00
Brian Murray 86ff986884 selftest supports cmac if only MBEDTLS_DES_C is defined
Other minor typo fixes
2016-10-13 13:51:10 +01:00
Brian Murray 3d3c9b8be7 More cleanup of CMAC self tests 2016-10-13 13:51:09 +01:00
Brian Murray afdb60f84f Only compile AES CMAC PRF support if MBEDTLS_AES_C is defined and other cleanups 2016-10-13 13:51:09 +01:00
Brian Murray d666eb5c11 More cleanup of CMAC selftests 2016-10-13 13:51:09 +01:00
Brian Murray 3c0412a443 Fixed CMAC tag length 2016-10-13 13:51:09 +01:00
Brian Murray 7c6476c330 CMAC support for cipher with 64bit blocks (DES/3DES) 2016-10-13 13:51:09 +01:00
Brian Murray 5a8c004f79 Added cmac.o to libary/Makefile 2016-10-13 13:51:09 +01:00
Manuel Pégourié-Gonnard 2b0e21f130 cmac: more cosmetic changes 2016-10-13 13:51:09 +01:00
Manuel Pégourié-Gonnard a878d3b6e3 cmac: avoid useless wrapping of function
probably a leftover from an earlier stage
2016-10-13 13:51:09 +01:00
Manuel Pégourié-Gonnard 5f8639fea2 cmac: reduce visibility of macros
The #undef is usefull for people who want to to amalgamated releases
2016-10-13 13:51:09 +01:00
Manuel Pégourié-Gonnard 59ae4bad18 cmac: some more padding-related tune-ups
- use one less temporary buffer
- pedantic: in_len + 15 was a potential overflow
- use a more explicit name instead of 'flag'
- Mn was a bit misleading
2016-10-13 13:51:08 +01:00
Manuel Pégourié-Gonnard da8724fbc6 cmac: clean up padding function and comments 2016-10-13 13:51:08 +01:00
Manuel Pégourié-Gonnard 89b8d83723 cmac: make subkey gen more constant-time
The previous version had secret-dependent memory accesses. While it was
probably not an issue in practice cause the two bytes of the array are
probably on the same cache line anyway, as a matter of principle this should
be avoided.
2016-10-13 13:51:08 +01:00
Manuel Pégourié-Gonnard 28ea791521 cmac: zeroize sensitive intermediate values 2016-10-13 13:51:08 +01:00
Manuel Pégourié-Gonnard 756bcf7631 cmac: factor multiply by u to its own function
We're doing exactly the same operation for K1 and K2.
2016-10-13 13:51:08 +01:00
Manuel Pégourié-Gonnard a4dfa0550f cmac: fix whitespace/codingstyle issues 2016-10-13 13:51:08 +01:00
Manuel Pégourié-Gonnard 9c83eebe67 cmac: improve argument order and naming
- always use the pattern "buffer, length"
- avoid using unqualified "length" as a name when there are more than one
2016-10-13 13:51:08 +01:00
Robert Cragie 9bf1e5dd3b Line endings wrong 2016-10-13 13:51:08 +01:00
Robert Cragie 9518e88fa0 Use autogenerated version_features.c 2016-10-13 13:51:07 +01:00
Robert Cragie 2fa11cd197 Added CMAC as proper low-level module and changed error returns 2016-10-13 13:51:07 +01:00
Robert Cragie c45554448c Added MBEDTLS_CMAC_C 2016-10-13 13:51:07 +01:00
Robert Cragie 45feb6ef20 Add support for AES-128-CMAC and AES-CMAC-PRF-128 2016-10-13 13:51:07 +01:00
Janos Follath 0be2b01a6b Add safety check to sample mutex implementation
Due to inconsistent freeing strategy in pkparse.c the sample mutex
implementation in threading.c could lead to undefined behaviour by
destroying the same mutex several times.

This fix prevents mutexes from being destroyed several times in the
sample threading implementation.
2016-10-13 13:51:07 +01:00
Andres AG 3616f6f261 Rename net.{c,h} to net_sockets.{c,h}
The library/net.c and its corresponding include/mbedtls/net.h file are
renamed to library/net_sockets.c and include/mbedtls/net_sockets.h
respectively. This is to avoid naming collisions in projects which also
have files with the common name 'net'.
2016-10-13 13:48:48 +01:00
Simon Butcher 1c8b33ad19 Merge branch 'development' 2016-10-13 13:40:41 +01:00
Janos Follath ef44178474 Restore P>Q in RSA key generation (#558)
The PKCS#1 standard says nothing about the relation between P and Q
but many libraries guarantee P>Q and mbed TLS did so too in earlier
versions.

This commit restores this behaviour.
2016-10-13 00:25:07 +01:00
Andres AG 821da84ff9 Fix documentation for mbedtls_gcm_finish()
Fix implementation and documentation missmatch for the function
arguments to mbedtls_gcm_finish(). Also, removed redundant if condition
that always evaluates to true.
2016-10-12 19:49:41 +01:00
Andres AG 776a6fcd1a Fix 1 byte overread in mbedtls_asn1_get_int() 2016-10-12 16:43:37 +01:00
Janos Follath 99d09d2747 Fix memory leaks in CMAC tests 2016-10-12 15:32:54 +01:00
Janos Follath d444358247 Fix memory leaks in CMAC tests 2016-10-12 14:31:01 +01:00
Andres AG 60dbc93831 Add missing bounds check in X509 DER write funcs
This patch adds checks in both mbedtls_x509write_crt_der and
mbedtls_x509write_csr_der before the signature is written to buf
using memcpy().
2016-10-11 14:07:48 +01:00
Janos Follath e3d882ad4a Remove unnecessary flag from CMAC context 2016-10-11 13:38:36 +01:00
Simon Butcher 6b0774ab1a Fix issues in CMAC in repeated updates
Successive calls to mbedtls_cipher_cmac_update() which weren't block aligned
were failing, which is fixed by this commit.
2016-10-11 12:25:04 +01:00
Simon Butcher df6c3e8e48 Merge branch 'iotssl-825-double-free-quickfix'
Conflicts:
	ChangeLog
2016-10-11 00:07:14 +01:00
Janos Follath 23bdca0d63 Fix an x509 compatibility issue
Certificates with unsupported algorithms in the certificate chain
prevented verification even if a certificate before the unsupported
ones was already trusted.

We change the behaviour to ignoring every certificate with unknown
(unsupported) signature algorithm oid when parsing the certificate
chain received from the peer.
2016-10-07 16:12:50 +01:00
Simon Butcher 420be4ea04 Fix bracketing in cmac.c
The bracketing in some expressions where an assignment was being made in an if statement in cmac.c had been accidentally broken and was causing compiler warnings with armcc.
2016-10-07 12:55:43 +01:00
Andres AG a592dcc1c6 Clean up of formatting, and potential integer overflow fix 2016-10-06 15:23:39 +01:00
Simon Butcher d241f1cf17 Fixes following review
Fixes issue of not zeroing entire block on reset and conditional compilation.
2016-10-06 12:53:33 +01:00
Simon Butcher 69283e51d5 Clean up and minor fixes following review
Minor fixes following review including:
    * formatting changes including indentation and code style
    * corrections
    * removal of debug code
    * clarification of code through variable renaming
    * memory leak
    * compiler warnings
2016-10-06 12:49:58 +01:00
Simon Butcher 94ffde7b0a Fix CMAC interface for doxygen
Parameters didn't match the function definition.
2016-10-05 15:33:53 +01:00
Simon Butcher 7ca3109614 Regenerate error.c file to remove CMAC 2016-10-05 14:39:15 +01:00
Simon Butcher 327398ad3a Refactor and change CMAC interface
Change the CMAC interface to match the mbedtls_md_hmac_xxxx() interface. This
changes the overall design of the CMAC interface to make it more consistent with
the existing HMAC interface, and will allow incremental updates of input data
rather than requiring all data to be presented at once, which is what the
current interface requires.
2016-10-05 14:19:18 +01:00
Brian Murray 8b4111c516 Fix build failure for thread config 2016-10-05 14:19:17 +01:00
Brian Murray 72b69e3808 Minor fixes to comments 2016-10-05 14:19:17 +01:00
Brian Murray 53e23b684f Minor CMAC fixes for merge 2016-10-05 14:19:17 +01:00
Brian Murray 9ce2e091de cleaned up indentation and braket issues in mbedtls_cmac_verify 2016-10-05 14:19:17 +01:00
Brian Murray ae1cb12d82 Changed test function to inline to pass tests/scripts/check-names.sh 2016-10-05 14:19:17 +01:00
Brian Murray 0cf14c10d4 Fixed some build warnings 2016-10-05 14:19:17 +01:00
Brian Murray 6a3c0d2d67 Do not zeroize null pointer 2016-10-05 14:19:17 +01:00
Brian Murray 4b64ab6664 Removed unneed memsets and fixed spacing 2016-10-05 14:19:16 +01:00
Brian Murray 87e4040bb9 No CMAC minimum tag length is specified by NIST SP800-38B A
Minor Typo Changes
2016-10-05 14:19:16 +01:00
Brian Murray 617634e656 cmac.c whitespace cleanup 2016-10-05 14:19:16 +01:00
Brian Murray 2cfa5072ed better handling of failed calloc 2016-10-05 14:19:16 +01:00
Brian Murray 57863ad7ed selftest supports cmac if only MBEDTLS_DES_C is defined
Other minor typo fixes
2016-10-05 14:19:16 +01:00
Brian Murray 9044b0295c More cleanup of CMAC self tests 2016-10-05 14:19:16 +01:00
Brian Murray b439d4556d Only compile AES CMAC PRF support if MBEDTLS_AES_C is defined and other cleanups 2016-10-05 14:19:16 +01:00
Brian Murray 0f6af73599 More cleanup of CMAC selftests 2016-10-05 14:19:15 +01:00
Brian Murray 00dc5f0fc8 Fixed CMAC tag length 2016-10-05 14:19:15 +01:00
Brian Murray b0c3c43dec CMAC support for cipher with 64bit blocks (DES/3DES) 2016-10-05 14:19:15 +01:00
Brian Murray 8262ac3b54 Added cmac.o to libary/Makefile 2016-10-05 14:19:15 +01:00
Manuel Pégourié-Gonnard 7b555f2928 cmac: more cosmetic changes 2016-10-05 14:19:15 +01:00
Manuel Pégourié-Gonnard ab9c5fd9b3 cmac: avoid useless wrapping of function
probably a leftover from an earlier stage
2016-10-05 14:19:15 +01:00
Manuel Pégourié-Gonnard d18c70708e cmac: reduce visibility of macros
The #undef is usefull for people who want to to amalgamated releases
2016-10-05 14:19:15 +01:00
Manuel Pégourié-Gonnard 2c06306364 cmac: some more padding-related tune-ups
- use one less temporary buffer
- pedantic: in_len + 15 was a potential overflow
- use a more explicit name instead of 'flag'
- Mn was a bit misleading
2016-10-05 14:19:14 +01:00
Manuel Pégourié-Gonnard d2c3d3eddb cmac: clean up padding function and comments 2016-10-05 14:19:14 +01:00
Manuel Pégourié-Gonnard 475f06f609 cmac: make subkey gen more constant-time
The previous version had secret-dependent memory accesses. While it was
probably not an issue in practice cause the two bytes of the array are
probably on the same cache line anyway, as a matter of principle this should
be avoided.
2016-10-05 14:19:14 +01:00
Manuel Pégourié-Gonnard d6cf75474b cmac: zeroize sensitive intermediate values 2016-10-05 14:19:14 +01:00
Manuel Pégourié-Gonnard a610b4c04b cmac: factor multiply by u to its own function
We're doing exactly the same operation for K1 and K2.
2016-10-05 14:19:14 +01:00
Manuel Pégourié-Gonnard 3da5402a89 cmac: fix whitespace/codingstyle issues 2016-10-05 14:19:14 +01:00
Manuel Pégourié-Gonnard 690083c21d cmac: improve argument order and naming
- always use the pattern "buffer, length"
- avoid using unqualified "length" as a name when there are more than one
2016-10-05 14:19:14 +01:00
Robert Cragie 3d23b1d5ed Line endings wrong 2016-10-05 14:19:14 +01:00
Robert Cragie 48f2ff9dbe Use autogenerated version_features.c 2016-10-05 14:19:13 +01:00
Robert Cragie 84a4c67741 Added CMAC as proper low-level module and changed error returns 2016-10-05 14:19:13 +01:00
Robert Cragie 8324818e0a Added MBEDTLS_CMAC_C 2016-10-05 14:19:13 +01:00
Robert Cragie dc5c7b98ac Add support for AES-128-CMAC and AES-CMAC-PRF-128 2016-10-05 14:19:13 +01:00
Janos Follath 5437a75b15 Add safety check to sample mutex implementation
Due to inconsistent freeing strategy in pkparse.c the sample mutex
implementation in threading.c could lead to undefined behaviour by
destroying the same mutex several times.

This fix prevents mutexes from being destroyed several times in the
sample threading implementation.
2016-09-30 09:29:55 +01:00
Andres AG 4b76aecaf3 Add check for validity of date in x509_get_time() 2016-09-28 14:32:54 +01:00
Andres AG 5a87c9375d Fix overread when verifying SERVER_HELLO in DTLS 2016-09-28 14:26:57 +01:00
Andres AG 788aa4a812 Rename net.{c,h} to net_sockets.{c,h}
The library/net.c and its corresponding include/mbedtls/net.h file are
renamed to library/net_sockets.c and include/mbedtls/net_sockets.h
respectively. This is to avoid naming collisions in projects which also
have files with the common name 'net'.
2016-09-26 23:23:52 +01:00
Andres AG 4bdbe09f90 Fix sig->tag update in mbedtls_x509_get_sig() 2016-09-19 17:09:45 +01:00
Andres AG f9113194af Allow the entry_name size to be set in config.h
Allow the size of the entry_name character array in x509_crt.c to be
configurable through a macro in config.h. entry_name holds a
path/filename string. The macro introduced in
MBEDTLS_X509_MAX_FILE_PATH_LEN.
2016-09-16 11:42:35 +01:00
Simon Butcher 669c635ec0 Fix unused variable warnings for null entropy config 2016-09-15 18:57:34 +01:00