Commit graph

787 commits

Author SHA1 Message Date
Hanno Becker ce2c02cca2 Enhance documentation of ssl_set_hostname
(1) Add missing error condition
(2) Specify allowance and effect of of NULL hostname parameter
(3) Describe effect of function on failure

Also, adapt ChangeLog.
2017-10-01 00:00:56 +01:00
Simon Butcher a75a459143 Removed duplication in Changelog 2017-08-10 23:38:10 +01:00
Simon Butcher 03bd0229ab Update version to 1.3.21 2017-08-10 11:52:14 +01:00
Simon Butcher 9ee5910f65 Fix language in Changelog for clarity 2017-08-10 10:49:32 +01:00
Hanno Becker 1af21bfa38 Improve documentation of PKCS1 decryption functions
Document the preconditions on the input and output buffers for
the PKCS1 decryption functions
- rsa_pkcs1_decrypt
- rsa_rsaes_pkcs1_v15_decrypt
- rsa_rsaes_oaep_decrypt
2017-08-01 23:05:31 +01:00
Hanno Becker e7f5abc111 Adapt ChangeLog 2017-07-28 22:08:29 +01:00
Hanno Becker 56fa40f4f5 Adapt ChangeLog 2017-07-28 22:02:58 +01:00
Ron Eldor b34be244e6 Backport 1.3: check if iv is zero in gcm.
1) found by roberto in mbedtls forum
2) if iv_len is zero, return an error
3) add tests for invalid parameters
2017-07-28 13:16:50 +01:00
Hanno Becker 2625f4aa93 Correct indentation and labelling in ChangeLog 2017-07-28 13:15:57 +01:00
Janos Follath 1fbc5fb027 Fix typos 2017-07-28 13:15:57 +01:00
Manuel Pégourié-Gonnard df745670e1 Add ChangeLog entry for the security issue 2017-07-28 13:15:57 +01:00
Manuel Pégourié-Gonnard d0e755716f Only return VERIFY_FAILED from a single point
Everything else is a fatal error. Also improve documentation about that for
the vrfy callback.
2017-07-28 13:15:57 +01:00
Manuel Pégourié-Gonnard 8af7bfa982 Improve behaviour on fatal errors
If we didn't walk the whole chain, then there may be any kind of errors in the
part of the chain we didn't check, so setting all flags looks like the safe
thing to do.
2017-07-28 13:15:57 +01:00
Andres AG 3df4e4e1d0 Prevent signed integer overflow in CSR parsing
Modify the function x509_csr_parse_der() so that it checks the parsed
CSR version integer before it increments the value. This prevents a
potential signed integer overflow, as these have undefined behaviour in
the C standard.
2017-07-27 11:50:58 +01:00
Andres AG 47f3059780 Fix potential integer overflow parsing DER CRT
This patch prevents a potential signed integer overflow during the
certificate version verification checks.
2017-07-27 11:50:04 +01:00
Andres AG 26124be17a Fix potential integer overflow parsing DER CRL
This patch prevents a potential signed integer overflow during the
CRL version verification checks.
2017-07-27 11:49:08 +01:00
Ron Eldor 57501ef056 Backport 1.3: Check rc of mbedtls_mpi_fill_random
Add MPI_CHK to check for error value of mpi_fill_random.
Backport from Report and fix suggestion by guidovranken in #740
2017-07-20 01:26:53 +02:00
Ron Eldor 454da1fa6f Backport 1.3: Resource leak fix on windows
Fix a resource leak on windows platform, in mbedtls_x509_crt_parse_path,
in case a failure. when an error occurs, goto cleanup, and free the
resource, instead of returning error code immediately.
2017-07-20 01:08:17 +02:00
Ron Eldor 7771824235 Backport 1.3: Wrong preproccessor condition fix
Fix for issue #696
Change #if defined(MBEDTLS_THREADING_PTHREAD)
to #if defined(MBEDTLS_THREADING_C)
2017-07-20 00:49:43 +02:00
Ron Eldor 4f1e64ed4b Backport 1.3: check if iv is zero in gcm.
1) found by roberto in mbedtls forum
2) if iv_len is zero, return an error
3) add tests for invalid parameters
2017-07-20 00:33:27 +02:00
Simon Butcher 8a2855ee3c Update the version number to 1.3.20 2017-06-20 23:46:46 +01:00
Janos Follath 3aab1a8796 Improve Changelog 2017-06-16 14:28:37 +01:00
Manuel Pégourié-Gonnard b870179c3c Merge remote-tracking branch 'restricted/iotssl-1398_backport-1.3' into mbedtls-1.3-restricted
* restricted/iotssl-1398_backport-1.3:
  Add ChangeLog entry
  Ensure application data records are not kept when fully processed
  Add hard assertion to ssl_read_record
  Fix mbedtls_ssl_read
  Simplify retaining of messages for future processing
2017-06-09 17:06:43 +02:00
Manuel Pégourié-Gonnard 249c30c7c5 Merge branch 'mbedtls-1.3' into mbedtls-1.3-restricted
* mbedtls-1.3:
  Add entry to ChangeLog
  Don't parse or write extensions in SSLv3
2017-06-09 16:52:44 +02:00
Hanno Becker cc608e86b5 Add entry to ChangeLog 2017-06-09 15:40:48 +01:00
Manuel Pégourié-Gonnard 6d61e9751b Improve ChangeLog description of X509 MD5 changes 2017-06-09 14:52:09 +02:00
Manuel Pégourié-Gonnard 7d810939b5 Merge remote-tracking branch 'restricted/1205' into mbedtls-1.3-restricted
* restricted/1205:
  Fix name, documentation & location of config flag
  Restrict MD5 in x509 certificates
2017-06-09 14:49:04 +02:00
Manuel Pégourié-Gonnard 67df3e62e7 Merge near-duplicate ChangeLog entries
As agreed with Gilles on the PR discussion page
2017-06-09 14:48:03 +02:00
Hanno Becker b9c09af596 Add ChangeLog entry 2017-06-09 11:31:43 +01:00
Manuel Pégourié-Gonnard 89306daef5 Fix location of ChangeLog entry
This one was meant to be in the security section, must have been moved while
resolving a merge conflict.
2017-06-08 20:42:33 +02:00
Manuel Pégourié-Gonnard e0cb1cd68b ChangeLog cosmetics 2017-06-08 20:35:13 +02:00
Manuel Pégourié-Gonnard ce8f919a58 Merge remote-tracking branch 'restricted/iotssl-1138-rsa-padding-check-1.3-restricted' into mbedtls-1.3-restricted
* restricted/iotssl-1138-rsa-padding-check-1.3-restricted:
  Fix backporting error
  RSA PKCS1v1.5 verification: check padding length
2017-06-08 20:34:40 +02:00
Manuel Pégourié-Gonnard 9105b18f72 Merge remote-tracking branch 'restricted/IOTSSL-1366/mbedtls-1.3' into mbedtls-1.3-restricted
* restricted/IOTSSL-1366/mbedtls-1.3:
  More length checks in RSA PKCS1v15 verify
  More length checks in RSA PKCS1v15 verify
2017-06-08 20:27:19 +02:00
Manuel Pégourié-Gonnard ca3ff06cea Merge remote-tracking branch 'hanno/mpi_read_file_underflow_backport-1.3' into mbedtls-1.3
* hanno/mpi_read_file_underflow_backport-1.3:
  Fix potential stack underflow in mpi_read_file.
2017-06-08 19:54:29 +02:00
Manuel Pégourié-Gonnard f1ab79079d Merge remote-tracking branch 'hanno/sliding_exponentiation_backport-1.3' into mbedtls-1.3
* hanno/sliding_exponentiation_backport-1.3:
  Adapt ChangeLog
  Abort modular inversion when modulus is one.
  Correct sign in modular exponentiation algorithm.
2017-06-08 19:53:47 +02:00
Manuel Pégourié-Gonnard 674df30480 Merge remote-tracking branch 'janos/mbedtls-1.3-iotssl-1156-ecdsa-sample-and-doc-clarification' into mbedtls-1.3
* janos/mbedtls-1.3-iotssl-1156-ecdsa-sample-and-doc-clarification:
  Clarify the use of ECDSA API
2017-06-08 10:18:15 +02:00
Janos Follath 5d96a3dcde Clarify the use of ECDSA API
In the ecdsa.c sample application we don't use hashing, we use ecdsa
directly on a buffer containing plain text. Although the text explains
that it should be the message hash it still can be confusing.

Any misunderstandings here are potentially very dangerous, because ECDSA
truncates the message hash if necessary and this can lead to trivial
signature forgeries if the API is misused and the message is passed
directly to the function without hashing.

This commit adds a hash computation step to the ecdsa.c sample
application and clarification to the doxygen documentation of the
ECDSA functions involved.
2017-06-07 17:05:00 +01:00
Hanno Becker 888c2fde60 Fix implementation of VERIFY_OPTIONAL verification mode
This commit changes the behaviour of mbedtls_ssl_parse_certificate
to make the two authentication modes SSL_VERIFY_REQUIRED and
SSL_VERIFY_OPTIONAL be in the following relationship:

    Mode == SSL_VERIFY_REQUIRED
<=> Mode == SSL_VERIFY_OPTIONAL + check verify result

Also, it changes the behaviour to perform the certificate chain
verification even if the trusted CA chain is empty. Previously, the
function failed in this case, even when using optional verification,
which was brought up in #864.
2017-06-07 11:35:05 +01:00
Ron Eldor a9ec0cd77f Restrict MD5 in x509 certificates
Remove support for X509 certificates signed with MD5.
Issue raised by Harm Verhagen
2017-06-07 10:58:36 +03:00
Manuel Pégourié-Gonnard 2634aa999d Merge remote-tracking branch 'restricted/mbedtls-1.3' into mbedtls-1.3
* restricted/mbedtls-1.3:
  RSA: wipe more stack buffers
  RSA: wipe stack buffers
2017-06-06 18:26:32 +02:00
Manuel Pégourié-Gonnard bbe01032a4 Merge remote-tracking branch 'hanno/iotssl-1241-backport-1.3' into mbedtls-1.3
* hanno/iotssl-1241-backport-1.3:
  Remember suitable hash function for any signature algorithm.
2017-06-06 18:25:33 +02:00
Hanno Becker c2b9d984e9 Remember suitable hash function for any signature algorithm.
This commit changes `ssl_parse_signature_algorithms_ext` to remember
one suitable ( := supported by client and by our config ) hash
algorithm per signature algorithm.

It also modifies the ciphersuite checking function
`ssl_ciphersuite_match` to refuse a suite if there
is no suitable hash algorithm.

Finally, it adds the corresponding entry to the ChangeLog.
2017-05-24 10:47:54 +01:00
Gilles Peskine 213aec8688 RSA: wipe stack buffers
The RSA private key functions rsa_rsaes_pkcs1_v15_decrypt and
rsa_rsaes_oaep_decrypt put sensitive data (decryption results) on the
stack. Wipe it before returning.

Thanks to Laurent Simon for reporting this issue.
2017-05-15 13:58:45 +01:00
Hanno Becker 8c7698b62a Fix potential stack underflow in mpi_read_file.
When provided with an empty line, mpi_read_file causes a numeric
underflow resulting in a stack underflow. This commit fixes this and
adds some documentation to mpi_read_file.
2017-05-12 07:26:01 +01:00
Hanno Becker a07a58357d Adapt ChangeLog 2017-05-11 16:02:22 +01:00
Manuel Pégourié-Gonnard 19c10e9984 RSA PKCS1v1.5 verification: check padding length
The test case was generated by modifying our signature code so that it
produces a 7-byte long padding (which also means garbage at the end, so it is
essential to check that the error that is detected first is indeed the
padding rather than the final length check).
2017-05-11 13:37:45 +02:00
Janos Follath 3682db5efd Add Changelog entry for RSA exponent blinding 2017-05-11 11:23:35 +02:00
Gilles Peskine 6de05fa058 More length checks in RSA PKCS1v15 verify
Tighten ASN.1 parsing of RSA PKCS#1 v1.5 signatures, to avoid a
potential Bleichenbacher-style attack.

Backport to 1.3
2017-05-03 18:49:35 +02:00
Simon Butcher 98864d5c0b Merge branch 'mbedtls-1.3' 2017-03-10 20:38:47 +00:00
Simon Butcher bb4bebc26a Correct function names in the ChangeLog from backported fixed 2017-03-10 20:31:09 +00:00