Commit graph

3180 commits

Author SHA1 Message Date
Hanno Becker cd6a64a516 Reset session_in/out pointers in ssl_session_reset_int()
Fixes #1941.
2018-08-14 15:48:36 +01:00
Jaeden Amero 9eb78b4dab Merge remote-tracking branch 'upstream-public/pr/1900' into mbedtls-2.7
Add a Changelog entry
2018-08-10 11:26:15 +01:00
Jaeden Amero f37a99e3fc Merge remote-tracking branch 'upstream-public/pr/1814' into mbedtls-2.7 2018-08-10 11:01:29 +01:00
Jaeden Amero 3b69174852 Merge remote-tracking branch 'upstream-public/pr/1886' into mbedtls-2.7 2018-08-10 10:50:34 +01:00
Ron Eldor 15b0a39322 enforce input and output of ccm selftest on stack
In `mbedtls_ccm_self_test()`, enforce input and output
buffers sent to the ccm API to be contigous and aligned,
by copying the test vectors to buffers on the stack.
2018-07-30 11:43:08 +03:00
Angus Gratton cb7a5b0b0c Fix memory leak in ecp_mul_comb() if ecp_precompute_comb() fails
In ecp_mul_comb(), if (!p_eq_g && grp->T == NULL) and then ecp_precompute_comb() fails (which can
happen due to OOM), then the new array of points T will be leaked (as it's newly allocated, but
hasn't been asigned to grp->T yet).

Symptom was a memory leak in ECDHE key exchange under low memory conditions.
2018-07-26 11:08:06 +03:00
Jaeden Amero 8385110ae8 Update version to 2.7.5 2018-07-25 15:43:21 +01:00
Simon Butcher 7daacda940 Merge remote-tracking branch 'restricted/pr/494' into mbedtls-2.7 2018-07-24 23:40:53 +01:00
Simon Butcher d5a3ed36b8 Merge remote-tracking branch 'public/pr/1863' into mbedtls-2.7 2018-07-24 12:57:15 +01:00
Simon Butcher b65d6ce83f Merge remote-tracking branch 'public/pr/1870' into mbedtls-2.7 2018-07-24 10:30:11 +01:00
Dawid Drozd 2ba7d8ed2d Remove unnecessary mark as unused #1098 (backport) 2018-07-20 14:08:02 +02:00
Simon Butcher bc5ec41c01 Merge remote-tracking branch 'public/pr/1847' into mbedtls-2.7 2018-07-19 19:48:25 +01:00
Angus Gratton 8946b0dd30 Check for invalid short Alert messages
(Short Change Cipher Spec & Handshake messages are already checked for.)
2018-07-16 20:12:56 +01:00
Angus Gratton b91cb6e1e6 TLSv1.2: Treat zero-length fragments as invalid, unless they are application data
TLS v1.2 explicitly disallows other kinds of zero length fragments (earlier standards
don't mention zero-length fragments at all).
2018-07-16 20:12:55 +01:00
Angus Gratton 1ba8e911ec CBC mode: Allow zero-length message fragments (100% padding)
Fixes https://github.com/ARMmbed/mbedtls/issues/1632
2018-07-16 20:12:47 +01:00
Manuel Pégourié-Gonnard 7c34432b2d Avoid debug message that might leak length
The length to the debug message could conceivably leak through the time it
takes to print it, and that length would in turn reveal whether padding was
correct or not.
2018-07-12 10:18:37 +02:00
Manuel Pégourié-Gonnard aeeaaf271c Add counter-measure to cache-based Lucky 13
The basis for the Lucky 13 family of attacks is for an attacker to be able to
distinguish between (long) valid TLS-CBC padding and invalid TLS-CBC padding.
Since our code sets padlen = 0 for invalid padding, the length of the input to
the HMAC function, and the location where we read the MAC, give information
about that.

A local attacker could gain information about that by observing via a
cache attack whether the bytes at the end of the record (at the location of
would-be padding) have been read during MAC verification (computation +
comparison).

Let's make sure they're always read.
2018-07-12 10:18:37 +02:00
Manuel Pégourié-Gonnard 5fcfd0345d Fix Lucky 13 cache attack on MD/SHA padding
The basis for the Lucky 13 family of attacks is for an attacker to be able to
distinguish between (long) valid TLS-CBC padding and invalid TLS-CBC padding.
Since our code sets padlen = 0 for invalid padding, the length of the input to
the HMAC function gives information about that.

Information about this length (modulo the MD/SHA block size) can be deduced
from how much MD/SHA padding (this is distinct from TLS-CBC padding) is used.
If MD/SHA padding is read from a (static) buffer, a local attacker could get
information about how much is used via a cache attack targeting that buffer.

Let's get rid of this buffer. Now the only buffer used is the internal MD/SHA
one, which is always read fully by the process() function.
2018-07-12 10:18:37 +02:00
Simon Butcher 28f68a3d15 Merge remote-tracking branch 'public/pr/1809' into mbedtls-2.7 2018-07-10 14:58:51 +01:00
Simon Butcher a159d64e86 Merge remote-tracking branch 'public/pr/1827' into mbedtls-2.7 2018-07-10 12:50:16 +01:00
Philippe Antoine 33e5c32a5b Fixes different off by ones 2018-07-09 10:39:02 +02:00
Brendan Shanks b32233319b x509.c: Remove unused includes
Remove unused includes guarded by MBEDTLS_FS_IO, which doesn't appear
anywhere else in the file.
2018-07-02 12:13:26 +01:00
niisato a35dbf155c about a issue Replace "new" variable #1782 2018-06-29 11:17:41 +01:00
Ron Eldor c32b3b73c4 Add ecc extensions only if ecc ciphersuite is used
Fix compliancy to RFC4492. ECC extensions should be included
only if ec ciphersuites are used. Interoperability issue with
bouncy castle. #1157
2018-06-28 15:49:34 +03:00
Ron Eldor 8c02dd1709 Move definition of MBEDTLS_CIPHER_MODE_STREAM
Move definition of `MBEDTLS_CIPHER_MODE_STREAM` to header file
(`mbedtls_cipher_internal.h`), because it is used by more than
one file. Raised by TrinityTonic in #1719
2018-06-28 08:44:47 +03:00
Simon Butcher 0e342f77fc Merge remote-tracking branch 'public/pr/1390' into mbedtls-2.7 2018-06-27 11:11:34 +01:00
Simon Butcher 035d824ad5 Merge remote-tracking branch 'public/pr/1768' into mbedtls-2.7 2018-06-27 11:09:27 +01:00
Philippe Antoine 0f91c0f441 Coding style
Commit to be squashed
2018-06-22 11:45:38 +01:00
Philippe Antoine dc58e59280 Simplify code in mbedtls_x509_csr_parse 2018-06-22 11:44:48 +01:00
Philippe Antoine 78657e52d8 Fix memory leak in mbedtls_x509_csr_parse 2018-06-22 11:44:38 +01:00
Andres Amaya Garcia 0fc4e0878e Document ssl_write_real() behaviour in detail 2018-06-21 19:29:49 +01:00
Simon Butcher 662ae9eaae Change the library version to 2.7.4 2018-06-18 14:42:14 +01:00
Simon Butcher 112dfd5bc5 Merge remote-tracking branch 'public/pr/1728' into mbedtls-2.7 2018-06-15 13:02:40 +01:00
Simon Butcher 47212c8e2c Merge remote-tracking branch 'public/pr/1581' into mbedtls-2.7 2018-06-14 11:02:43 +01:00
Simon Butcher da46a40855 Merge remote-tracking branch 'public/pr/1711' into mbedtls-2.7 2018-06-14 11:01:14 +01:00
Simon Butcher 49de6b89c1 Compilation warning fixes on 32b platfrom with IAR
Fix compilation warnings with IAR toolchain, on 32 bit platform.
Reported by rahmanih in #683

This is based on work by Ron Eldor in PR #750, some of which was independently
fixed by Azim Khan and already merged in PR #1655.
2018-06-14 09:05:55 +01:00
Simon Butcher fb6da8815c Merge remote-tracking branch 'public/pr/1655' into mbedtls-2.7 2018-06-12 17:40:08 +01:00
Fabio Alessandrelli ec4ce37709 Only redefine _WIN32_WINNT macro when < 0x0501 2018-06-08 12:28:47 +01:00
Simon Butcher bb5e1c3973 Fix multiple quality issues in the source
This PR fixes multiple issues in the source code to address issues raised by
tests/scripts/check-files.py. Specifically:
 * incorrect file permissions
 * missing newline at the end of files
 * trailing whitespace
 * Tabs present
 * TODOs in the souce code
2018-06-08 11:14:43 +01:00
Gilles Peskine bb07ca0bfb Fix Lucky13 attack protection when using HMAC-SHA-384
As a protection against the Lucky Thirteen attack, the TLS code for
CBC decryption in encrypt-then-MAC mode performs extra MAC
calculations to compensate for variations in message size due to
padding. The amount of extra MAC calculation to perform was based on
the assumption that the bulk of the time is spent in processing
64-byte blocks, which was correct for most supported hashes but not for
SHA-384. Adapt the formula to 128-byte blocks for SHA-384.
2018-06-06 17:23:31 +02:00
Azim Khan 826cdab010 Treat warnings as errors for IAR
Fix IAR compiler warnings

Two warnings have been fixed:
1. code 'if( len <= 0xFFFFFFFF )' gave warning 'pointless integer comparison'.
   This was fixed by wraping the condition in '#if SIZE_MAX > 0xFFFFFFFF'.
2. code 'diff |= A[i] ^ B[i];' gave warning 'the order of volatile accesses is undefined in'.
   This was fixed by read the volatile data in temporary variables before the computation.

Explain IAR warning on volatile access

Consistent use of CMAKE_C_COMPILER_ID
2018-05-25 14:58:33 +01:00
Darryl Green 68207f868b Fix braces in mbedtls_memory_buffer_alloc_status() 2018-05-23 16:32:33 +01:00
Jaeden Amero 1fc4d33f5f Update version to 2.7.3 2018-04-27 13:15:45 +01:00
Jaeden Amero 07d1d5f270 Merge remote-tracking branch 'upstream-restricted/pr/473' into mbedtls-2.7-restricted-proposed
Remove trailing whitespace in ChangeLog.
2018-04-26 09:07:15 +01:00
Jaeden Amero 402256184a Merge branch 'mbedtls-2.7-proposed' into mbedtls-2.7-restricted-proposed
Resolve conflicts in ChangeLog.
2018-04-26 09:03:51 +01:00
Andrzej Kurek 6608096544 Change accepted ciphersuite versions when parsing server hello
Accept only ciphersuites for version chosen by the server
2018-04-25 05:28:08 -04:00
Andrzej Kurek 149f3a4d73 Change variable bytes_written to header_bytes in record decompression
The name is changed to better reflect the input, decompression case
2018-04-24 06:32:44 -04:00
Andrzej Kurek c3a3e2df0e ssl_tls: Fix invalid buffer sizes during compression / decompression
Adjust information passed to zlib to include already written data.
2018-04-23 08:39:13 -04:00
Mohammad Azim Khan 0acbd7df03 Same ciphersuite validation in server and client hello 2018-04-20 19:58:37 +01:00
Manuel Pégourié-Gonnard 8bce3685f5 Merge remote-tracking branch 'restricted/pr/468' into mbedtls-2.7-restricted-proposed
* restricted/pr/468:
  Improve comments style
  Remove a redundant test
  Add buffer size check before cert_type_len read
  Update change log
  Add a missing buffer size check
  Correct buffer size check
2018-04-18 12:21:36 +02:00