Manuel Pégourié-Gonnard
282159c318
x509: CRL: add tests for malformed extensions
...
This covers all lines added in the previous commit. Coverage was tested using:

    make CFLAGS='--coverage -g3 -O0'
    (cd tests && ./test_suite_x509parse)
    make lcov
    firefox Coverage/index.html # then visual check

Test data was generated by taking a copy of tests/data_files/crl-idp.pem,
encoding it as hex, and then manually changing the values of some bytes to
achieve the desired errors, using https://lapo.it/asn1js/ for help in locating
the desired bytes.
2018-03-14 12:46:53 +01:00
Krzysztof Stachowiak
4e0141fc00
Update change log
2018-03-14 11:43:00 +01:00
Krzysztof Stachowiak
b5609f3ca5
Prevent arithmetic overflow on bounds check
2018-03-14 11:41:47 +01:00
Krzysztof Stachowiak
b3e8f9e2e6
Add bounds check before signature
2018-03-14 11:40:55 +01:00
Krzysztof Stachowiak
bcb8149510
Update change log
2018-03-14 11:23:34 +01:00
Krzysztof Stachowiak
8e0b1166b6
Prevent arithmetic overflow on bounds check
2018-03-14 11:21:35 +01:00
Krzysztof Stachowiak
9e1839bc43
Add bounds check before length read
2018-03-14 11:20:46 +01:00
Manuel Pégourié-Gonnard
5a9f46e57c
x509: CRL: reject unsupported critical extensions
2018-03-14 09:24:12 +01:00
Jaeden Amero
1a6ddb4382
Merge branch 'mbedtls-2.7' into mbedtls-2.7-restricted
2018-03-13 17:28:20 +00:00
Gilles Peskine
6013004fa9
Note in the changelog that this fixes an interoperability issue.
...
Fixes #1339
2018-03-13 17:27:53 +00:00
Gilles Peskine
64540d9577
Merge remote-tracking branch 'upstream-restricted/pr/458' into mbedtls-2.7-restricted-proposed
2018-03-13 17:24:46 +01:00
Gilles Peskine
955d70459d
Merge remote-tracking branch 'upstream-restricted/pr/460' into mbedtls-2.7-restricted-proposed
2018-03-13 17:24:33 +01:00
Manuel Pégourié-Gonnard
b0ba5bccff
Yet another dependency issue (PKCS1_V15)
...
Found by running:

    CC=clang cmake -D CMAKE_BUILD_TYPE="Check"
    tests/scripts/depend-pkalgs.pl

(Also tested with same command but CC=gcc)
Another PR will address improving all.sh and/or the depend-xxx.pl scripts
themselves to catch this kind of thing.
2018-03-13 13:44:45 +01:00
Andrzej Kurek
f21eaa1502
Add a missing bracket in ifdef for __cplusplus
2018-03-13 08:17:28 -04:00
Gilles Peskine
427ff4836c
Merge remote-tracking branch 'upstream-public/pr/1219' into mbedtls-2.7-proposed
2018-03-12 23:52:24 +01:00
Gilles Peskine
c5671bdcf4
Merge remote-tracking branch 'upstream-public/pr/778' into mbedtls-2.7-proposed
2018-03-12 23:44:56 +01:00
Gilles Peskine
4668d8359c
Merge remote-tracking branch 'upstream-public/pr/1241' into mbedtls-2.7-proposed
2018-03-12 23:42:46 +01:00
Manuel Pégourié-Gonnard
a3c5ad5db0
Fix remaining issues found by depend-hashes
2018-03-12 15:51:32 +01:00
Manuel Pégourié-Gonnard
b314ece10b
Fix remaining issues found by depend-pkalgs
2018-03-12 15:51:30 +01:00
Gilles Peskine
b21a085bae
Show build modes in code font
...
This clarifies that it's the string to type and not just some
description of it.
2018-03-12 13:12:34 +01:00
Gilles Peskine
8eda5ec8b4
Merge branch 'pr_1408' into mbedtls-2.7-proposed
2018-03-11 00:48:18 +01:00
Gilles Peskine
4848b97bc7
Merge remote-tracking branch 'upstream-public/pr/1249' into mbedtls-2.7-proposed
2018-03-11 00:48:17 +01:00
Gilles Peskine
dd7f5b9a37
Merge remote-tracking branch 'upstream-public/pr/1079' into mbedtls-2.7-proposed
2018-03-11 00:48:17 +01:00
Gilles Peskine
7b7c64424f
Merge remote-tracking branch 'upstream-public/pr/1012' into mbedtls-2.7-proposed
2018-03-11 00:48:17 +01:00
Gilles Peskine
158fc33368
Merge remote-tracking branch 'upstream-public/pr/1296' into HEAD
2018-03-11 00:47:54 +01:00
Gilles Peskine
3f1b89d251
This fixes #664
2018-03-11 00:35:39 +01:00
Gilles Peskine
0ee482c82c
Fix grammar in ChangeLog entry
2018-03-11 00:18:50 +01:00
Gilles Peskine
c0826f1625
Merge remote-tracking branch 'upstream-public/pr/936' into mbedtls-2.7-proposed
2018-03-10 23:48:10 +01:00
Gilles Peskine
9c4f4038dd
Add changelog entry
2018-03-10 23:36:30 +01:00
Hanno Becker
930ec7dfe5
Minor fixes
2018-03-09 10:48:12 +00:00
Hanno Becker
26f1f6061d
Improve documentation on the use of blinding in RSA
2018-03-09 10:47:30 +00:00
Hanno Becker
e856e84de3
Don't enable RSA_NO_CRT in config.pl full
2018-03-09 10:47:01 +00:00
Hanno Becker
70e66395b5
Adapt ChangeLog
2018-03-09 10:46:43 +00:00
Hanno Becker
69d45cce5d
Add a run with RSA_NO_CRT to all.sh
2018-03-09 10:46:23 +00:00
Hanno Becker
a5fa07958e
Verify the result of RSA private key operations
...
If RSA-CRT is used for signing, and if an attacker can cause a glitch
in one of the two computations modulo P or Q, the difference between
the faulty and the correct signature (which is not secret) will be
divisible by P or Q, but not by both, allowing to recover the private
key by taking the GCD with the public RSA modulus N. This is known as
the Bellcore Glitch Attack. Verifying the RSA signature before handing
it out is a countermeasure against it.
2018-03-09 10:42:23 +00:00
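The countermeasure described in commit a5fa07958e above, as an added example that is not Mbed TLS code: a toy RSA-CRT signer that re-verifies its result before releasing it, with a simulated glitch in the mod-P half. The key (P = 61, Q = 53), the message value 65 and all function names are constructed for this sketch.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy key constructed for this example; far too small for real use. */
enum { P = 61, Q = 53, N = P * Q, E = 17, D = 2753 };

static uint64_t powmod(uint64_t b, uint64_t e, uint64_t m) {
    uint64_t r = 1;
    for (b %= m; e; e >>= 1, b = b * b % m)
        if (e & 1) r = r * b % m;
    return r;
}

static uint64_t gcd(uint64_t a, uint64_t b) {
    while (b) { uint64_t t = a % b; a = b; b = t; }
    return a;
}

/* RSA-CRT signature. A non-zero `fault` corrupts the mod-P half,
 * standing in for a glitch during that computation. */
static uint64_t crt_sign(uint64_t m, uint64_t fault) {
    uint64_t sp = powmod(m, D % (P - 1), P) ^ fault;
    uint64_t sq = powmod(m, D % (Q - 1), Q);
    uint64_t qinv = powmod(Q, P - 2, P);           /* Q^-1 mod P (P is prime) */
    uint64_t h = qinv * ((sp + P - sq % P) % P) % P;
    return sq + Q * h;                              /* Garner recombination */
}

/* What a faulty and a correct signature of the same message reveal. */
static uint64_t exposed_factor(uint64_t good, uint64_t bad) {
    return gcd(good > bad ? good - bad : bad - good, N);
}

/* Countermeasure: re-check s^E mod N == m before releasing the signature.
 * Returns 0 and stores the signature, or -1 and stores nothing. */
static int sign_checked(uint64_t m, uint64_t fault, uint64_t *sig) {
    uint64_t s = crt_sign(m, fault);
    if (powmod(s, E, N) != m % N) return -1;
    *sig = s;
    return 0;
}

int main(void) {
    uint64_t s = 0;
    printf("clean: rc=%d\n", sign_checked(65, 0, &s));
    printf("glitched: rc=%d\n", sign_checked(65, 1, &s));
    printf("unchecked output would expose factor %llu\n",
           (unsigned long long)exposed_factor(crt_sign(65, 0), crt_sign(65, 1)));
    return 0;
}
```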
Gilles Peskine
c1a493d79b
Refer to X.690 by number
...
It's easier to identify and find by number than by its very wordy
title, especially as there was a typo in the title.
2018-03-08 18:18:34 +01:00
Manuel Pégourié-Gonnard
e786a7ecdb
x509: fix remaining unchecked call to mbedtls_md()
...
The other two calls have been fixed already, fix that one too for consistency.
2018-03-07 09:41:20 +01:00
Manuel Pégourié-Gonnard
71df3733d0
Clarify mutual references in comments
2018-03-07 09:36:30 +01:00
Sanne Wouda
22797fcc57
Remove redundant dependency
2018-03-06 23:35:14 +01:00
Sanne Wouda
bb50113123
Rename test and update dependencies
2018-03-06 23:35:14 +01:00
Sanne Wouda
cf79312a6d
Update changelog entry
2018-03-06 23:31:52 +01:00
Sanne Wouda
52895b2b2e
Add Changelog entry
2018-03-06 23:31:52 +01:00
Sanne Wouda
90da97d587
Add test case found through fuzzing to pkparse test suite
2018-03-06 23:31:12 +01:00
Sanne Wouda
7b2e85dd7c
Use both applicable error codes and a proper coding style
2018-03-06 23:28:46 +01:00
Sanne Wouda
b2b29d5259
Add end-of-buffer check to prevent heap-buffer-overflow
...
Dereference of *p should not happen when it points past the end of the
buffer.
Internal reference: IOTSSL-1663
2018-03-06 23:28:46 +01:00
Andres Amaya Garcia
5e85c612fc
Define ASN1 bitmask macros in more direct way
2018-03-06 19:26:26 +00:00
Andres Amaya Garcia
19f33a800b
Add regression test for parsing subjectAltNames
2018-03-06 19:26:20 +00:00
Andres Amaya Garcia
32ec6d4e78
Add ChangeLog entry
2018-03-06 19:26:02 +00:00
Andres Amaya Garcia
6451909160
Fix x509_get_subject_alt_name to drop invalid tag
...
Fix the x509_get_subject_alt_name() function to not accept invalid
tags. The problem was that the ASN.1 class for tags consists of two
bits. Simply doing bit-wise and of the CONTEXT_SPECIFIC macro with the
input tag has the potential of accepting tag values 0x10 (private)
which would indicate that the certificate has an incorrect format.
2018-03-06 19:24:19 +00:00
Andres Amaya Garcia
d5101aa27a
Add macros to ASN.1 module to parse ASN.1 tags
...
The macros simply extract the component bits of an ASN.1 tag value
2018-03-06 19:24:15 +00:00
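The tag-class check discussed in commits 6451909160 and d5101aa27a above, as an added example that is not Mbed TLS code: a single-bit test for the context-specific class next to a test on both class bits, run over two constructed subjectAltName bodies. The macro and function names are hypothetical, and the parser handles short-form lengths only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Names are hypothetical; values follow the X.690 identifier octet layout. */
#define TAG_CLASS_MASK  0xC0 /* 00 universal, 01 application, 10 context, 11 private */
#define TAG_PC_MASK     0x20 /* 0 primitive, 1 constructed */
#define TAG_NUMBER_MASK 0x1F /* tag number, low-tag-number form */
#define CLASS_CONTEXT   0x80
#define SAN_DNS_NAME    2    /* dNSName is [2] in GeneralName */

/* Before: tests one bit only, so the private class (both bits set) passes. */
static int is_context_weak(uint8_t tag) { return (tag & CLASS_CONTEXT) == CLASS_CONTEXT; }
/* After: compares both class bits. */
static int is_context_strict(uint8_t tag) { return (tag & TAG_CLASS_MASK) == CLASS_CONTEXT; }

/* Constructed samples: two dNSName entries, then one private-class look-alike. */
static const uint8_t SAN_OK[]  = { 0x82, 3, 'a', '.', 'b', 0x82, 1, 'c' };
static const uint8_t SAN_BAD[] = { 0xC2, 3, 'a', '.', 'b' };

/* Walk TLVs with short-form lengths and count primitive [2] entries.
 * Returns -1 on truncation or on a tag the class check rejects. */
static int count_dns_names(const uint8_t *p, size_t len, int (*is_context)(uint8_t)) {
    int count = 0;
    while (len > 0) {
        if (len < 2 || (p[1] & 0x80)) return -1;   /* need tag + short length */
        size_t l = p[1];
        if (l > len - 2) return -1;                /* bounds check, no overflow */
        if (!is_context(p[0])) return -1;
        if ((p[0] & TAG_NUMBER_MASK) == SAN_DNS_NAME && !(p[0] & TAG_PC_MASK))
            count++;
        p += 2 + l;
        len -= 2 + l;
    }
    return count;
}

int main(void) {
    printf("weak:   ok=%d bad=%d\n", count_dns_names(SAN_OK, sizeof SAN_OK, is_context_weak),
           count_dns_names(SAN_BAD, sizeof SAN_BAD, is_context_weak));
    printf("strict: ok=%d bad=%d\n", count_dns_names(SAN_OK, sizeof SAN_OK, is_context_strict),
           count_dns_names(SAN_BAD, sizeof SAN_BAD, is_context_strict));
    return 0;
}
```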