Commit graph

1928 commits

Author SHA1 Message Date
Gilles Peskine b087a88300 Merge remote-tracking branch 'upstream-restricted/pr/405' into mbedtls-1.3-restricted 2017-11-28 16:22:41 +01:00
Gilles Peskine 2bd6ca415b Merge remote-tracking branch 'upstream-restricted/pr/402' into mbedtls-1.3-restricted 2017-11-28 14:34:24 +01:00
Gilles Peskine d3dd8d2197 Merge remote-tracking branch 'upstream-restricted/pr/387' into mbedtls-1.3-restricted 2017-11-28 14:34:16 +01:00
Gilles Peskine b662cc1f52 Avoid uninitialized variable warning in entropy_gather_internal
The variable ret was always initialized in entropy_gather_internal,
but `gcc -Werror=maybe-uninitialized` rightfully complained that it
was unable to determine this statically. Therefore, tweak the
problematic case (ctx->source_count == 0) to not use ret in that case.
2017-11-24 18:55:19 +01:00
Gilles Peskine 3036cbeb8e Merge branch 'mbedtls-1.3' into mbedtls-1.3-restricted 2017-11-24 16:07:43 +01:00
Gilles Peskine e298532394 Merge remote-tracking branch 'upstream-public/pr/1113' into mbedtls-1.3 2017-11-24 15:38:42 +01:00
Gilles Peskine 1dc344373a Merge branch 'iotssl-1368-unsafe-bounds-check-psk-identity-merge-1.3' into mbedtls-1.3-restricted 2017-11-23 19:11:58 +01:00
Manuel Pégourié-Gonnard 408dfd1f6a Merge remote-tracking branch 'restricted/pr/418' into mbedtls-1.3-restricted
* restricted/pr/418:
  RSA PSS: remove redundant check; changelog
  RSA PSS: fix first byte check for keys of size 8N+1
  RSA PSS: fix minimum length check for keys of size 8N+1
  RSA: Fix another buffer overflow in PSS signature verification
  RSA: Fix buffer overflow in PSS signature verification
2017-11-23 12:16:05 +01:00
Gilles Peskine 28474f41a0 RSA PSS: remove redundant check; changelog
Remove a check introduced in the previous buffer overflow fix with keys of
size 8N+1 which the subsequent fix for buffer start calculations made
redundant.

Added a changelog entry for the buffer start calculation fix.
2017-10-19 17:50:35 +02:00
Gilles Peskine 5d9224e11c RSA PSS: fix first byte check for keys of size 8N+1
For a key of size 8N+1, check that the first byte after applying the
public key operation is 0 (it could have been 1 instead). The code was
incorrectly doing a no-op check instead, which led to invalid
signatures being accepted. Not a security flaw, since you would need the
private key to craft such an invalid signature, but a bug nonetheless.
2017-10-19 15:47:13 +02:00
Gilles Peskine 7addb7f0a0 RSA PSS: fix minimum length check for keys of size 8N+1
The check introduced by the previous security fix was off by one. It
fixed the buffer overflow but was not compliant with the definition of
PSS which technically led to accepting some invalid signatures (but
not signatures made without the private key).
2017-10-18 19:13:22 +02:00
Gilles Peskine 511bb84c60 RSA: Fix another buffer overflow in PSS signature verification
Fix buffer overflow in RSA-PSS signature verification when the masking
operation results in an all-zero buffer. This could happen at any key size.
2017-10-17 19:33:48 +02:00
Gilles Peskine 55db24ca50 RSA: Fix buffer overflow in PSS signature verification
Fix buffer overflow in RSA-PSS signature verification when the hash is
too large for the key size. Found by Seth Terashima, Qualcomm.

Added a non-regression test and a positive test with the smallest
permitted key size for a SHA-512 hash.
2017-10-17 19:30:12 +02:00
Andres AG 7c02d13746 Correctly handle leap year in x509_date_is_valid()
This patch ensures that invalid dates on leap years with 100 or 400
years intervals are handled correctly.
2017-10-12 21:08:46 +01:00
Ron Eldor 4491a791be Parse Signature Algorithm ext when renegotiating
Signature algorithm extension was skipped when renegotiation was in
progress, causing the signature algorithm not to be known when
renegotiating, and failing the handshake. Fix removes the renegotiation
step check before parsing the extension.
2017-10-11 14:06:26 +01:00
Andres Amaya Garcia cf428733b8 Fix coding style in x509_parse_int() 2017-10-07 22:22:26 +01:00
Andres Amaya Garcia 876214cd9d Change param type for x509_parse_int() to fix warn 2017-10-07 22:22:15 +01:00
Andres Amaya Garcia 8388be3ec7 Add brackets around net.c macro arguments 2017-10-07 22:22:04 +01:00
Andres Amaya Garcia a4d1857003 Fix type in net.c comment 2017-10-07 22:21:46 +01:00
Andres Amaya Garcia 6e5e9aaf7f Fix MSVC warning in net.c
The warning was caused because in MSVC some of the function parameters
for the socket APIs are int while the fields in struct addrinfo are
size_t e.g. possible data loss.
2017-10-07 22:21:38 +01:00
Hanno Becker b9ac47c371 Make ssl_set_hostname safe to be called multiple times
Zeroize and free previously set hostnames before overwriting
them. Also, allow clearance of hostname by providing NULL parameter.
2017-09-30 23:58:45 +01:00
Hanno Becker 20f4c78f26 Correct parsing checks in pk_parse_key
Two code-paths in `pk_parse_key` returned success on a failure in `pk_setup`.
2017-09-28 16:54:41 +01:00
Hanno Becker 1d233391a6 Remove unreachable branches in pkparse.c 2017-09-28 16:54:41 +01:00
Hanno Becker 1f30fa162b Remove unnecessary cast 2017-09-28 16:54:41 +01:00
Hanno Becker b299a37a72 Add missing calls to pem_free in pk_parse 2017-09-28 16:54:41 +01:00
Hanno Becker 713c9e187f Use in-place decryption in pk_parse_pkcs8_encrypted_der
The stack buffer used to hold the decrypted key in pk_parse_pkcs8_encrypted_der
was statically sized to 2048 bytes, which is not enough for DER encoded 4096bit
RSA keys.

This commit resolves the problem by performing the key-decryption in-place,
circumventing the introduction of another stack or heap copy of the key.

There are two situations where pk_parse_pkcs8_encrypted_der is invoked:
1. When processing a PEM-encoded encrypted key in pk_parse_key.
   This does not need adaption since the PEM context used to hold the decoded
   key is already constructed and owned by pk_parse_key.
2. When processing a DER-encoded encrypted key in pk_parse_key.
   In this case, pk_parse_key calls pk_parse_pkcs8_encrypted_der with
   the buffer provided by the user, which is declared const. The commit
   therefore adds a small code paths making a copy of the keybuffer before
   calling pk_parse_pkcs8_encrypted_der.
2017-09-28 16:54:39 +01:00
Janos Follath 77359c93e4 DHM: Fix dhm_check_range() always returning 0
Although the variable ret was initialised to an error, the
MBEDTLS_MPI_CHK macro was overwriting it. Therefore it ended up being
0 whenewer the bignum computation was successfull and stayed 0
independently of the actual check.
2017-09-21 10:39:35 +01:00
Andres Amaya Garcia 3d98b97442 Modify zeroize internal buffers in md modules
Modify all the following functions to zeroize an internal buffer before
exiting the function. The buffer could potentially contain confidential
data read from a file.

* md2_file()
* md4_file()
* md5_file()
* ripemd160_file()
* sha1_file()
* sha256_file()
* sha512_file()
2017-09-20 11:47:49 +01:00
Ron Eldor 27ce0b5ff1 Backport 1.3:Set PEM buffer to zero before freeing it
Set PEM buffer to zero before freeing it, to avoid private keys
being leaked to memory after releasing it.
2017-09-07 11:18:51 +03:00
Simon Butcher 03bd0229ab Update version to 1.3.21 2017-08-10 11:52:14 +01:00
Hanno Becker ab3fbc2146 Rename time and index parameter to avoid name conflict.
As noted in #557, several functions use 'index' resp. 'time'
as parameter names in their declaration and/or definition, causing name
conflicts with the functions in the C standard library of the same
name some compilers warn about.

This commit renames the arguments accordingly.
2017-07-28 22:08:16 +01:00
Janos Follath 5308f47038 Fix implementation-defined integer conversion
"When an integer is demoted to a signed integer with smaller size, or an
unsigned integer is converted to its corresponding signed integer, if
the value cannot be represented the result is implementation-defined."
2017-07-28 13:15:57 +01:00
Manuel Pégourié-Gonnard 77644f2815 Improve comments 2017-07-28 13:15:57 +01:00
Manuel Pégourié-Gonnard d0e755716f Only return VERIFY_FAILED from a single point
Everything else is a fatal error. Also improve documentation about that for
the vrfy callback.
2017-07-28 13:15:57 +01:00
Manuel Pégourié-Gonnard 8af7bfa982 Improve behaviour on fatal errors
If we didn't walk the whole chain, then there may be any kind of errors in the
part of the chain we didn't check, so setting all flags looks like the safe
thing to do.
2017-07-28 13:15:57 +01:00
Andres AG 3df4e4e1d0 Prevent signed integer overflow in CSR parsing
Modify the function x509_csr_parse_der() so that it checks the parsed
CSR version integer before it increments the value. This prevents a
potential signed integer overflow, as these have undefined behaviour in
the C standard.
2017-07-27 11:50:58 +01:00
Andres AG 47f3059780 Fix potential integer overflow parsing DER CRT
This patch prevents a potential signed integer overflow during the
certificate version verification checks.
2017-07-27 11:50:04 +01:00
Andres AG 26124be17a Fix potential integer overflow parsing DER CRL
This patch prevents a potential signed integer overflow during the
CRL version verification checks.
2017-07-27 11:49:08 +01:00
Ron Eldor 57501ef056 Backport 1.3: Check rc of mbedtls_mpi_fill_random
Add MPI_CHK to check for error value of mpi_fill_random.
Backport from Report and fix suggestion by guidovranken in #740
2017-07-20 01:26:53 +02:00
Ron Eldor 454da1fa6f Backport 1.3: Resource leak fix on windows
Fix a resource leak on windows platform, in mbedtls_x509_crt_parse_path,
in case a failure. when an error occurs, goto cleanup, and free the
resource, instead of returning error code immediately.
2017-07-20 01:08:17 +02:00
Ron Eldor 7771824235 Backport 1.3: Wrong preproccessor condition fix
Fix for issue #696
Change #if defined(MBEDTLS_THREADING_PTHREAD)
to #if defined(MBEDTLS_THREADING_C)
2017-07-20 00:49:43 +02:00
Ron Eldor 4f1e64ed4b Backport 1.3: check if iv is zero in gcm.
1) found by roberto in mbedtls forum
2) if iv_len is zero, return an error
3) add tests for invalid parameters
2017-07-20 00:33:27 +02:00
Andres Amaya Garcia 2d829fb4b3 Zeroize buf if mbedtls_base64_decode() fails 2017-07-12 11:04:28 +01:00
Andres Amaya Garcia 1bfa46a456 Zeroize tmp buffer in entropy_update() 2017-07-12 11:04:28 +01:00
Andres Amaya Garcia c0dc5b5d3b Zeroize tmp buf in ctr_drbg_write_seed_file() 2017-07-12 11:04:28 +01:00
Andres Amaya Garcia f4660aaf4c Zeroize heap buf on failure in pem.c 2017-07-12 11:04:18 +01:00
Andres Amaya Garcia a0ae1db2f7 Zeroize buffers in various modules 2017-07-12 10:51:22 +01:00
Andres Amaya Garcia c381444c7f Zeroize tmp buf in mbedtls_mpi_fill_random() 2017-07-12 10:44:50 +01:00
Andres Amaya Garcia dd471788d8 Zeroize tmp bufs in ctr_drbg.c functions 2017-07-12 10:43:11 +01:00
Andres Amaya Garcia ff13995812 Zeroize return buf on failure in pkparse.c 2017-07-12 10:38:12 +01:00