Commit graph

5040 commits

Author SHA1 Message Date
Simon Butcher 53695beeda Merge branch 'iotssl-1155-hashlen-type'
Introduces additional checks in the PK module for 64-bit systems only. The
problem is that the API functions in the PK abstraction accept a size_t value
for the hashlen, while the RSA module accepts an unsigned int for the hashlen.
Instead of silently casting size_t to unsigned int, this change checks whether
the hashlen overflows an unsigned int and returns an error.
2017-02-25 15:59:18 +00:00
Andres AG 511f83db07 Add PK tests to avoid hashlen overflow for RSA 2017-02-15 10:52:32 +00:00
Andres AG b8e75286b4 Fix data loss in unsigned int cast in PK
This patch introduces some additional checks in the PK module for 64-bit
systems only. The problem is that the API functions in the PK
abstraction accept a size_t value for the hashlen, while the RSA module
accepts an unsigned int for the hashlen. Instead of silently casting
size_t to unsigned int, this change checks whether the hashlen overflows
an unsigned int and returns an error.
2017-02-15 10:52:11 +00:00
Simon Butcher 01e3beb067 Merge branch 'mbedtls-2.4-restricted' 2017-02-05 22:00:35 +00:00
Simon Butcher ac63477e5a Merge 'development-restricted' 2017-02-05 20:13:05 +00:00
Simon Butcher c709dfab97 Add detail to ChangeLog for SLOTH fix 2017-02-05 16:48:47 +00:00
Simon Butcher ae23a21d4f Merge branch 'iotssl-1057'
Disable MD5 in declared hashes in CertificateRequest and
CertificateVerify messages.
2017-02-05 16:46:23 +00:00
Simon Butcher 81d92c3b03 Merge branch 'mbedtls-2.4' 2017-02-05 01:05:52 +00:00
Simon Butcher 9df03441d0 Add comment to integer overflow fix in base64.c
Adds clarifying comment to the integer overflow fix in base64.c
2017-02-05 01:01:44 +00:00
Andres AG a540090142 Fix integer overflow mbedtls_base64_decode()
Fix potential integer overflows in the function mbedtls_base64_decode().
This overflow would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-05 01:01:44 +00:00
Andres Amaya Garcia 74ad1c1b22 Fix integer overflows in buffer bound checks
Fix potential integer overflows in the following functions:
  * mbedtls_md2_update() to be bypassed and cause
  * mbedtls_cipher_update()
  * mbedtls_ctr_drbg_reseed()
This overflows would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-05 01:00:47 +00:00
Andres AG 1afbac17c5 Fix examples that failed to compile without PEM 2017-02-04 23:11:49 +00:00
Simon Butcher 8ea289cb43 Merge branch 'development' 2017-02-04 22:54:22 +00:00
Simon Butcher c73ac833a6 Merge 'development' branch
Backport of pull request #729.
2017-02-03 01:12:00 +00:00
Simon Butcher ee75b9b417 Add clarification to the TLS renegotiation period
Expanded details on use of mbedtls_ssl_conf_renegotiation_period()
2017-02-03 00:21:28 +00:00
Simon Butcher 1d4db5b7b5 Merge 'iotssl-1099-incorrect-renego-dtls'
Fix an incorrect condition in ssl_check_ctr_renegotiate() that compared
64 bits of record counter instead of 48 bits as described in RFC 6347
Section 4.3.1. This would cause the function's return value to be
occasionally incorrect and the renegotiation routines to be triggered
at unexpected times.
2017-02-02 23:47:08 +00:00
Simon Butcher 8fdee52d5e Add credit to Changelog for #562 2017-02-02 16:25:57 +00:00
Simon Butcher 105e3fc2d7 Merge 'iotssl-952-tfirmware-warnings'
This PR fixes a number of unused variable/function compilation warnings
that arise when using a config.h that does not define the macro
MBEDTLS_PEM_PARSE_C.
2017-02-02 16:24:25 +00:00
Simon Butcher d9440b15e6 Add credit to Changelog for #562 2017-02-02 16:17:37 +00:00
Simon Butcher d934b5371a Merge 'iotssl-952-tfirmware-warnings'
This PR fixes a number of unused variable/function compilation warnings
that arise when using a config.h that does not define the macro
MBEDTLS_PEM_PARSE_C.
2017-02-02 16:08:29 +00:00
Simon Butcher e50ed360fc Merge PR #737 - type in ssl.h 2017-02-02 15:40:04 +00:00
Simon Butcher a90f6bd657 Merge PR #737 - type in ssl.h 2017-02-02 15:32:47 +00:00
Simon Butcher df81b00e56 Merge 'mbedtls-2.4' 2017-02-02 13:37:54 +00:00
Simon Butcher 1bef2266e5 Clarify fix for #673 in Changelog
Clarified fix, and added credit.
2017-02-02 13:08:37 +00:00
Simon Butcher 4d1e104bc1 Merge iotssl-1079-macro-redefinition-warning
Fix redefinition of macro ssl_set_bio to undefined symbol
mbedtls_ssl_set_bio_timeout in compat-1.3.h.
2017-02-02 12:19:04 +00:00
Simon Butcher 9a3d75ac9d Merge iotssl-1026-buf-overreads-in-pem_read_buffer
This PR fixes multiple buffer overread issues because of missing bounds
checks whem parsing the input string in pem format in
mbedtls_pem_read_buffer().
2017-02-02 10:33:47 +00:00
Simon Butcher cd8f1476b4 Add comment to integer overflow fix in base64.c
Adds clarifying comment to the integer overflow fix in base64.c
2017-02-02 08:56:59 +00:00
Simon Butcher 69654cd91b Merge branch fix-base64-arithmetic-overflows
Fix potential integer overflows in the function mbedtls_base64_decode().
This overflow would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-02 08:53:03 +00:00
Simon Butcher 74ae020295 Add comment to integer overflow fix in base64.c
Adds clarifying comment to the integer overflow fix in base64.c
2017-02-02 08:46:53 +00:00
Simon Butcher dc210178f9 Merge branch fix-base64-arithmetic-overflows
Fix potential integer overflows in the function mbedtls_base64_decode().
This overflow would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-01 23:22:18 +00:00
Simon Butcher d63adef081 Merge branch 'fix-arithmetic-overflows'
Fix potential integer overflows in the following functions:

 * mbedtls_md2_update()
 * mbedtls_cipher_update()
 * mbedtls_ctr_drbg_reseed()
2017-01-22 22:44:45 +00:00
Simon Butcher c6e8efe6a3 Merge development fixes back to the 'mbedtls-2.4' branch 2017-01-22 16:35:42 +00:00
Andres AG 692ad84e5c Add DTLS test to check 6 byte record ctr is cmp
Add a test to ssl-opt.sh to ensure that in DTLS a 6 byte record counter
is compared in ssl_check_ctr_renegotiate() instead of a 8 byte one as in
the TLS case. Because currently there are no testing facilities to check
that renegotiation routines are triggered after X number of input/output
messages, the test consists on setting a renegotiation period that
cannot be represented in 6 bytes, but whose least-significant byte is 2.
If the library behaves correctly, the renegotiation routines will be
executed after two exchanged.
2017-01-19 16:30:57 +00:00
Andres AG 18c5c59b5b Fix renegotiation at incorrect times in DTLS
Fix an incorrect condition in ssl_check_ctr_renegotiate() that compared
64 bits of record counter instead of 48 bits as described in RFC 6347
Section 4.3.1. This would cause the function's return value to be
occasionally incorrect and the renegotiation routines to be triggered
at unexpected times.
2017-01-19 16:30:15 +00:00
Andres AG 5718ebf45b Fix integer overflow mbedtls_base64_decode()
Fix potential integer overflows in the function mbedtls_base64_decode().
This overflow would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-01-18 17:32:34 +00:00
Andres Amaya Garcia a44e7d854e Fix integer overflows in buffer bound checks
Fix potential integer overflows in the following functions:
  * mbedtls_md2_update() to be bypassed and cause
  * mbedtls_cipher_update()
  * mbedtls_ctr_drbg_reseed()
This overflows would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-01-17 23:04:22 +00:00
Jaakko Korhonen 14918fbda4 Fixed typo in ssl.h 2017-01-09 11:07:46 +02:00
Simon Butcher cb587009d6 Fix all.sh test builds with recent glibc and clang
Fixes strict C99 builds in all.sh with glibc version >2.19 where platform support
wasn't being compiled in automatically.

Also fixes C99 syntax with armclang.
2017-01-06 16:14:44 +00:00
Simon Butcher 105e856143 Merge branch 'gcc-compiler-warnings' 2017-01-05 18:26:40 +00:00
Simon Butcher 49f00bd81d Clarify use of armcc in all.sh 2017-01-05 16:20:56 +00:00
Andres AG a5cd973047 Add -march argument to armc6 build tests 2017-01-05 10:15:00 +00:00
Andres AG 31f9b5bdd8 Modify output_env.sh to make it extensible 2017-01-05 10:14:51 +00:00
Andres AG 87bb577cfb Add ARM Compiler 6 build tests to all.sh 2017-01-03 10:12:11 +00:00
Simon Butcher 710dd4fdd6 Merge branch 'speedup_tests'
Pull Request #533 - Use MAKEFLAGS to pass args to make in all.sh

Modify the script at tests/scripts/all.sh to export the variable
MAKEFLAGS with -j if it was not set before. This should decrease the
total runtime of tests/scripts/all.sh by letting make run multiple jobs
in parallel. Also, add a check at the top of the script to cause a
failure if the environment is not Linux.w
2016-12-30 19:09:40 +00:00
Andres Amaya Garcia faca05a215 Merge pull request #723 from sbutcher-arm/cmac-api
Clarify CMAC interface
2016-12-15 17:22:08 +00:00
Simon Butcher f4957a8855 Clarify CMAC API
Added additional text to cmac.h to make the API clearer.
2016-12-14 15:27:22 +00:00
Janos Follath 1808dc01bd Update library version number to 2.4.1 2016-12-13 16:00:52 +00:00
Janos Follath cd13bd2819 Update CMAC test vectors. 2016-12-13 16:00:52 +00:00
Janos Follath b2c6b25443 Update library version number to 2.4.1 2016-12-13 14:14:03 +00:00
Janos Follath dd9656b4d6 Update CMAC test vectors. 2016-12-13 14:11:40 +00:00