Commit graph

3499 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard 7d810939b5 Merge remote-tracking branch 'restricted/1205' into mbedtls-1.3-restricted
* restricted/1205:
  Fix name, documentation & location of config flag
  Restrict MD5 in x509 certificates
2017-06-09 14:49:04 +02:00
Manuel Pégourié-Gonnard 67df3e62e7 Merge near-duplicate ChangeLog entries
As agreed with Gilles on the PR discussion page
2017-06-09 14:48:03 +02:00
Hanno Becker b9c09af596 Add ChangeLog entry 2017-06-09 11:31:43 +01:00
Hanno Becker 0401a3d888 Ensure application data records are not kept when fully processed
This commit fixes the following case: If a client is both expecting a
SERVER_HELLO and has an application data record that's partially
processed in flight (that's the situation the client gets into after
receiving a ServerHelloRequest followed by ApplicationData), a
subsequent call to ssl_read will set keep_current_message = 1
when seeing the unexpected application data, but not reset it to 0
after the application data has been processed. This commit fixes this.
2017-06-09 10:52:45 +01:00
Manuel Pégourié-Gonnard 89306daef5 Fix location of ChangeLog entry
This one was meant to be in the security section, must have been moved while
resolving a merge conflict.
2017-06-08 20:42:33 +02:00
Manuel Pégourié-Gonnard e0cb1cd68b ChangeLog cosmetics 2017-06-08 20:35:13 +02:00
Manuel Pégourié-Gonnard ce8f919a58 Merge remote-tracking branch 'restricted/iotssl-1138-rsa-padding-check-1.3-restricted' into mbedtls-1.3-restricted
* restricted/iotssl-1138-rsa-padding-check-1.3-restricted:
  Fix backporting error
  RSA PKCS1v1.5 verification: check padding length
2017-06-08 20:34:40 +02:00
Manuel Pégourié-Gonnard 9105b18f72 Merge remote-tracking branch 'restricted/IOTSSL-1366/mbedtls-1.3' into mbedtls-1.3-restricted
* restricted/IOTSSL-1366/mbedtls-1.3:
  More length checks in RSA PKCS1v15 verify
  More length checks in RSA PKCS1v15 verify
2017-06-08 20:27:19 +02:00
Manuel Pégourié-Gonnard ca3ff06cea Merge remote-tracking branch 'hanno/mpi_read_file_underflow_backport-1.3' into mbedtls-1.3
* hanno/mpi_read_file_underflow_backport-1.3:
  Fix potential stack underflow in mpi_read_file.
2017-06-08 19:54:29 +02:00
Manuel Pégourié-Gonnard f1ab79079d Merge remote-tracking branch 'hanno/sliding_exponentiation_backport-1.3' into mbedtls-1.3
* hanno/sliding_exponentiation_backport-1.3:
  Adapt ChangeLog
  Abort modular inversion when modulus is one.
  Correct sign in modular exponentiation algorithm.
2017-06-08 19:53:47 +02:00
Manuel Pégourié-Gonnard 48ed550b92 Fix name, documentation & location of config flag 2017-06-08 17:27:20 +02:00
Hanno Becker 1bf86b7e32 Add hard assertion to ssl_read_record
This commit adds a hard assertion to mbedtls_ssl_read_record
triggering if both ssl->in_hslen and ssl->in_offt are not 0. This
should never happen, and if it does, there's no sensible way of
telling whether the previous message was a handshake or an application
data message.
2017-06-08 15:59:41 +01:00
Hanno Becker d37839e3fa Fix mbedtls_ssl_read
Don't fetch a new record in mbedtls_ssl_read_record_layer as long as
an application data record is being processed.
2017-06-08 15:59:38 +01:00
Hanno Becker 10699cc96c Simplify retaining of messages for future processing
There are situations in which it is not clear what message to expect
next. For example, the message following the ServerHello might be
either a Certificate, a ServerKeyExchange or a CertificateRequest. We
deal with this situation in the following way: Initially, the message
processing function for one of the allowed message types is called,
which fetches and decodes a new message. If that message is not the
expected one, the function returns successfully (instead of throwing
an error as usual for unexpected messages), and the handshake
continues to the processing function for the next possible message. To
not have this function fetch a new message, a flag in the SSL context
structure is used to indicate that the last message was retained for
further processing, and if that's set, the following processing
function will not fetch a new record.

This commit simplifies the usage of this message-retaining parameter
by doing the check within the record-fetching routine instead of the
specific message-processing routines. The code gets cleaner this way
and allows retaining messages to be used in other situations as well
without much effort. This will be used in the next commits.
2017-06-08 15:41:02 +01:00
Manuel Pégourié-Gonnard 674df30480 Merge remote-tracking branch 'janos/mbedtls-1.3-iotssl-1156-ecdsa-sample-and-doc-clarification' into mbedtls-1.3
* janos/mbedtls-1.3-iotssl-1156-ecdsa-sample-and-doc-clarification:
  Clarify the use of ECDSA API
2017-06-08 10:18:15 +02:00
Manuel Pégourié-Gonnard eebc0aaded Merge remote-tracking branch 'hanno/iotssl-1341-optional-certificate-verification-needs-ca-chain_backport-1.3' into mbedtls-1.3
* hanno/iotssl-1341-optional-certificate-verification-needs-ca-chain_backport-1.3:
  Add tests for missing CA chains and bad curves.
  Fix implementation of VERIFY_OPTIONAL verification mode
2017-06-08 10:01:19 +02:00
Janos Follath 5d96a3dcde Clarify the use of ECDSA API
In the ecdsa.c sample application we don't use hashing, we use ecdsa
directly on a buffer containing plain text. Although the text explains
that it should be the message hash it still can be confusing.

Any misunderstandings here are potentially very dangerous, because ECDSA
truncates the message hash if necessary and this can lead to trivial
signature forgeries if the API is misused and the message is passed
directly to the function without hashing.

This commit adds a hash computation step to the ecdsa.c sample
application and clarification to the doxygen documentation of the
ECDSA functions involved.
2017-06-07 17:05:00 +01:00
Hanno Becker 6fd6d248ae Add tests for missing CA chains and bad curves.
This commit adds four tests to tests/ssl-opt.sh:
(1) & (2): Check behaviour of optional/required verification when the
trusted CA chain is empty.
(3) & (4): Check behaviour of optional/required verification when the
client receives a server certificate with an unsupported curve.
2017-06-07 11:40:44 +01:00
Hanno Becker 888c2fde60 Fix implementation of VERIFY_OPTIONAL verification mode
This commit changes the behaviour of mbedtls_ssl_parse_certificate
to make the two authentication modes SSL_VERIFY_REQUIRED and
SSL_VERIFY_OPTIONAL be in the following relationship:

    Mode == SSL_VERIFY_REQUIRED
<=> Mode == SSL_VERIFY_OPTIONAL + check verify result

Also, it changes the behaviour to perform the certificate chain
verification even if the trusted CA chain is empty. Previously, the
function failed in this case, even when using optional verification,
which was brought up in #864.
2017-06-07 11:35:05 +01:00
Ron Eldor a9ec0cd77f Restrict MD5 in x509 certificates
Remove support for X509 certificates signed with MD5.
Issue raised by Harm Verhagen
2017-06-07 10:58:36 +03:00
Manuel Pégourié-Gonnard bbcef7e2c5 Merge remote-tracking branch 'gilles/iotssl-1223/mbedtls-1.3' into mbedtls-1.3
* gilles/iotssl-1223/mbedtls-1.3:
  More tests of FALLBACK_SCSV
2017-06-06 20:13:15 +02:00
Manuel Pégourié-Gonnard 2634aa999d Merge remote-tracking branch 'restricted/mbedtls-1.3' into mbedtls-1.3
* restricted/mbedtls-1.3:
  RSA: wipe more stack buffers
  RSA: wipe stack buffers
2017-06-06 18:26:32 +02:00
Manuel Pégourié-Gonnard bbe01032a4 Merge remote-tracking branch 'hanno/iotssl-1241-backport-1.3' into mbedtls-1.3
* hanno/iotssl-1241-backport-1.3:
  Remember suitable hash function for any signature algorithm.
2017-06-06 18:25:33 +02:00
Andres Amaya Garcia e633ef7ed4 Add negative testing for pem_read_buffer() 2017-05-30 17:30:09 +01:00
Andres Amaya Garcia f5e753a942 Add missing ret code checks in PEM module
Add missing return code checks in the functions pem_des_decrypt(),
pem_3des_decrypt() and pem_aes_decrypt() so that the calling function
pem_read_buffer() is notified of errors reported by the crypto
primitives AES, DES and 3DES.
2017-05-30 17:18:06 +01:00
Hanno Becker c2b9d984e9 Remember suitable hash function for any signature algorithm.
This commit changes `ssl_parse_signature_algorithms_ext` to remember
one suitable ( := supported by client and by our config ) hash
algorithm per signature algorithm.

It also modifies the ciphersuite checking function
`ssl_ciphersuite_match` to refuse a suite if there
is no suitable hash algorithm.

Finally, it adds the corresponding entry to the ChangeLog.
2017-05-24 10:47:54 +01:00
Gilles Peskine a1cf6c8afb More tests of FALLBACK_SCSV
This is a backport of a non-regression test for issue #810 which affected
the current release of mbed TLS, but not the 1.3 branch.
2017-05-17 14:50:38 +02:00
Gilles Peskine 73e7f4c0ee RSA: wipe more stack buffers
MGF mask and PSS salt are not highly sensitive, but wipe them anyway
for good hygiene.
2017-05-15 13:58:45 +01:00
Gilles Peskine 213aec8688 RSA: wipe stack buffers
The RSA private key functions rsa_rsaes_pkcs1_v15_decrypt and
rsa_rsaes_oaep_decrypt put sensitive data (decryption results) on the
stack. Wipe it before returning.

Thanks to Laurent Simon for reporting this issue.
2017-05-15 13:58:45 +01:00
Hanno Becker 8c7698b62a Fix potential stack underflow in mpi_read_file.
When provided with an empty line, mpi_read_file causes a numeric
underflow resulting in a stack underflow. This commit fixes this and
adds some documentation to mpi_read_file.
2017-05-12 07:26:01 +01:00
Hanno Becker a07a58357d Adapt ChangeLog 2017-05-11 16:02:22 +01:00
Hanno Becker 1c6339f966 Abort modular inversion when modulus is one.
The modular inversion function hangs when provided with the modulus
1. This commit refuses this modulus with a BAD_INPUT error code. It
also adds a test for this case.
2017-05-11 16:02:20 +01:00
Hanno Becker 88bbab22e9 Correct sign in modular exponentiation algorithm.
The modular exponentiation function  handled the sign
incorrectly. This commit fixes this and a test case which should have
caught it.
2017-05-11 15:57:15 +01:00
Manuel Pégourié-Gonnard 348a728600 Fix backporting error
The error on the depend line prevented the test from running, masking the
other errors
2017-05-11 15:14:38 +02:00
Manuel Pégourié-Gonnard 139708d105 Fix backporting errors 2017-05-11 15:10:32 +02:00
Manuel Pégourié-Gonnard 19c10e9984 RSA PKCS1v1.5 verification: check padding length
The test case was generated by modifying our signature code so that it
produces a 7-byte long padding (which also means garbage at the end, so it is
essential to check that the error that is detected first is indeed the
padding rather than the final length check).
2017-05-11 13:37:45 +02:00
Janos Follath 3682db5efd Add Changelog entry for RSA exponent blinding 2017-05-11 11:23:35 +02:00
Janos Follath bb1e6888c9 Add exponent blinding to RSA with CRT
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of different measurements.

This commit handles the case when the Chinese Remainder Theorem is used
to accelerate the computation.
2017-05-11 11:22:51 +02:00
Janos Follath 5d392579c2 Add exponent blinding to RSA without CRT
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of different measurements.

This commits handles the case when the Chinese Remainder Theorem is NOT
used to accelerate computations.
2017-05-11 11:13:19 +02:00
Gilles Peskine 6e598a2065 More length checks in RSA PKCS1v15 verify
Added one check that I'd missed, and made the style more uniform.

Backport to 1.3.
2017-05-04 12:58:59 +02:00
Gilles Peskine 6de05fa058 More length checks in RSA PKCS1v15 verify
Tighten ASN.1 parsing of RSA PKCS#1 v1.5 signatures, to avoid a
potential Bleichenbacher-style attack.

Backport to 1.3
2017-05-03 18:49:35 +02:00
Simon Butcher 98864d5c0b Merge branch 'mbedtls-1.3' 2017-03-10 20:38:47 +00:00
Simon Butcher e553ff2ab3 Merge branch 'mbedtls-1.3' 2017-03-10 20:37:11 +00:00
Simon Butcher bb4bebc26a Correct function names in the ChangeLog from backported fixed 2017-03-10 20:31:09 +00:00
Simon Butcher a42044d98b Added missing credit to ChangeLog for #555 2017-03-08 18:43:38 +00:00
Simon Butcher 2e5318ecf6 Corrected attibution in Changelog 2017-03-08 18:43:38 +00:00
Simon Butcher 7ecd7d4ccf Merge branch 'mbedtls-1.3' 2017-03-08 18:00:19 +00:00
Simon Butcher 4c5154d0c0 Updated version number to 1.3.19 for release 2017-03-08 17:22:34 +00:00
Simon Butcher d2d6316afc Removed duplicate entry in ChangeLog 2017-03-03 16:08:27 +00:00
Andres AG 2b2fc115df Fix buffer overflow in mpi_write_string()
Fix a buffer overflow when writting a string representation of an MPI
number to a buffer in hexadecimal. The problem occurs because hex
digits are written in pairs and this is not accounted for in the
calculation of the required buffer size when the number of digits is
odd.
2017-03-02 23:01:54 +00:00