Commit graph

6261 commits

Author SHA1 Message Date
Gilles Peskine 54933e95bd all.sh: option parsing: reduce vertical spread
Only whitespace changes.
2018-03-21 08:48:33 +01:00
Gilles Peskine 53038ebecc all.sh: with --no-armcc, don't call armcc from output_env.sh
When not running armcc, don't try to invoke armcc at all, not even to
report its version.
2018-03-21 08:48:26 +01:00
Gilles Peskine 21701305ce Robustness fix in mbedtls_ssl_derive_keys
In mbedtls_ssl_derive_keys, don't call mbedtls_md_hmac_starts in
ciphersuites that don't use HMAC. This doesn't change the behavior of
the code, but avoids relying on an uncaught error when attempting to
start an HMAC operation that hadn't been initialized.
2018-03-20 18:41:25 +01:00
mohammad1603 b11af86daf Avoid wraparound on in_left
Avoid wraparound on in_left
2018-03-19 07:18:13 -07:00
Jaeden Amero 9ae1fba869 Update version to 2.7.2 2018-03-16 16:30:17 +00:00
Simon Butcher 001427b6c3 Add clarity to use of the rsa_internal.h interface
Added additional clarification to the use of the rsa_internal.h interface and as
and when it can be used by whom. Policy hasn't changed, but it needed to be
clearer who can and can't use it and it's level of support.
2018-03-16 15:46:29 +00:00
Jaeden Amero c9908f010a Merge remote-tracking branch 'upstream-public/pr/1064' into mbedtls-2.7-restricted-proposed 2018-03-15 14:58:24 +00:00
Jaeden Amero e0b1a73c56 Merge remote-tracking branch 'upstream-restricted/pr/464' into mbedtls-2.7-restricted-proposed 2018-03-15 14:36:47 +00:00
Jaeden Amero 73923e1575 Merge remote-tracking branch 'upstream-restricted/pr/459' into mbedtls-2.7-restricted-proposed 2018-03-15 14:36:22 +00:00
Jaeden Amero 8a032e6051 Merge branch 'mbedtls-2.7-proposed' into mbedtls-2.7-restricted-proposed 2018-03-15 14:35:47 +00:00
Jaeden Amero 32ae73b289 Merge remote-tracking branch 'upstream-public/pr/1448' into mbedtls-2.7-proposed 2018-03-15 14:33:29 +00:00
Jaeden Amero 100273ddfb Merge remote-tracking branch 'upstream-public/pr/1449' into mbedtls-2.7-proposed 2018-03-15 14:32:54 +00:00
Jaeden Amero e1c916ca5e Merge remote-tracking branch 'upstream-public/pr/1451' into mbedtls-2.7-proposed 2018-03-15 08:34:33 +00:00
Manuel Pégourié-Gonnard c3901d4cd3 fixup previous commit: add forgotten file 2018-03-14 14:10:19 +01:00
Manuel Pégourié-Gonnard dae3fc3fe0 x509: CRL: add tests for non-critical extension
The 'critical' boolean can be set to false in two ways:
- by leaving it implicit (test data generated by openssl)
- by explicitly setting it to false (generated by hand)
2018-03-14 12:46:54 +01:00
Manuel Pégourié-Gonnard 282159c318 x509: CRL: add tests for malformed extensions
This covers all lines added in the previous commit. Coverage was tested using:

    make CFLAGS='--coverage -g3 -O0'
    (cd tests && ./test_suite_x509parse)
    make lcov
    firefox Coverage/index.html # then visual check

Test data was generated by taking a copy of tests/data_files/crl-idp.pem,
encoding it as hex, and then manually changing the values of some bytes to
achieve the desired errors, using https://lapo.it/asn1js/ for help in locating
the desired bytes.
2018-03-14 12:46:53 +01:00
Krzysztof Stachowiak 4e0141fc00 Update change log 2018-03-14 11:43:00 +01:00
Krzysztof Stachowiak b5609f3ca5 Prevent arithmetic overflow on bould check 2018-03-14 11:41:47 +01:00
Krzysztof Stachowiak b3e8f9e2e6 Add bounds check before signature 2018-03-14 11:40:55 +01:00
Krzysztof Stachowiak bcb8149510 Update change log 2018-03-14 11:23:34 +01:00
Krzysztof Stachowiak 8e0b1166b6 Prevent arithmetic overflow on bounds check 2018-03-14 11:21:35 +01:00
Krzysztof Stachowiak 9e1839bc43 Add bounds check before length read 2018-03-14 11:20:46 +01:00
Manuel Pégourié-Gonnard 5a9f46e57c x509: CRL: reject unsupported critical extensions 2018-03-14 09:24:12 +01:00
Jaeden Amero 1a6ddb4382 Merge branch 'mbedtls-2.7' into mbedtls-2.7-restricted 2018-03-13 17:28:20 +00:00
Gilles Peskine 6013004fa9 Note in the changelog that this fixes an interoperability issue.
Fixes #1339
2018-03-13 17:27:53 +00:00
Gilles Peskine 64540d9577 Merge remote-tracking branch 'upstream-restricted/pr/458' into mbedtls-2.7-restricted-proposed 2018-03-13 17:24:46 +01:00
Gilles Peskine 955d70459d Merge remote-tracking branch 'upstream-restricted/pr/460' into mbedtls-2.7-restricted-proposed 2018-03-13 17:24:33 +01:00
Manuel Pégourié-Gonnard b0ba5bccff Yet another dependency issue (PKCS1_V15)
Found by running:

CC=clang cmake -D CMAKE_BUILD_TYPE="Check"
tests/scripts/depend-pkalgs.pl

(Also tested with same command but CC=gcc)

Another PR will address improving all.sh and/or the depend-xxx.pl scripts
themselves to catch this kind of thing.
2018-03-13 13:44:45 +01:00
Andrzej Kurek f21eaa1502 Add a missing bracket in ifdef for __cplusplus 2018-03-13 08:17:28 -04:00
Gilles Peskine 427ff4836c Merge remote-tracking branch 'upstream-public/pr/1219' into mbedtls-2.7-proposed 2018-03-12 23:52:24 +01:00
Gilles Peskine c5671bdcf4 Merge remote-tracking branch 'upstream-public/pr/778' into mbedtls-2.7-proposed 2018-03-12 23:44:56 +01:00
Gilles Peskine 4668d8359c Merge remote-tracking branch 'upstream-public/pr/1241' into mbedtls-2.7-proposed 2018-03-12 23:42:46 +01:00
Manuel Pégourié-Gonnard a3c5ad5db0 Fix remaining issues found by depend-hashes 2018-03-12 15:51:32 +01:00
Manuel Pégourié-Gonnard b314ece10b Fix remaining issues found by depend-pkalgs 2018-03-12 15:51:30 +01:00
Gilles Peskine b21a085bae Show build modes in code font
This clarifies that it's the string to type and not just some
description of it.
2018-03-12 13:12:34 +01:00
Gilles Peskine 8eda5ec8b4 Merge branch 'pr_1408' into mbedtls-2.7-proposed 2018-03-11 00:48:18 +01:00
Gilles Peskine 4848b97bc7 Merge remote-tracking branch 'upstream-public/pr/1249' into mbedtls-2.7-proposed 2018-03-11 00:48:17 +01:00
Gilles Peskine dd7f5b9a37 Merge remote-tracking branch 'upstream-public/pr/1079' into mbedtls-2.7-proposed 2018-03-11 00:48:17 +01:00
Gilles Peskine 7b7c64424f Merge remote-tracking branch 'upstream-public/pr/1012' into mbedtls-2.7-proposed 2018-03-11 00:48:17 +01:00
Gilles Peskine 158fc33368 Merge remote-tracking branch 'upstream-public/pr/1296' into HEAD 2018-03-11 00:47:54 +01:00
Gilles Peskine 3f1b89d251 This fixes #664 2018-03-11 00:35:39 +01:00
Gilles Peskine 0ee482c82c Fix grammar in ChangeLog entry 2018-03-11 00:18:50 +01:00
Gilles Peskine c0826f1625 Merge remote-tracking branch 'upstream-public/pr/936' into mbedtls-2.7-proposed 2018-03-10 23:48:10 +01:00
Gilles Peskine 9c4f4038dd Add changelog entry 2018-03-10 23:36:30 +01:00
Hanno Becker 930ec7dfe5 Minor fixes 2018-03-09 10:48:12 +00:00
Hanno Becker 26f1f6061d Improve documentation on the use of blinding in RSA 2018-03-09 10:47:30 +00:00
Hanno Becker e856e84de3 Don't enable RSA_NO_CRT in config.pl full 2018-03-09 10:47:01 +00:00
Hanno Becker 70e66395b5 Adapt ChangeLog 2018-03-09 10:46:43 +00:00
Hanno Becker 69d45cce5d Add a run with RSA_NO_CRT to all.sh 2018-03-09 10:46:23 +00:00
Hanno Becker a5fa07958e Verify the result of RSA private key operations
If RSA-CRT is used for signing, and if an attacker can cause a glitch
in one of the two computations modulo P or Q, the difference between
the faulty and the correct signature (which is not secret) will be
divisible by P or Q, but not by both, allowing to recover the private
key by taking the GCD with the public RSA modulus N. This is known as
the Bellcore Glitch Attack. Verifying the RSA signature before handing
it out is a countermeasure against it.
2018-03-09 10:42:23 +00:00