Commit graph

6062 commits

Author SHA1 Message Date
Darryl Green f5bcbede92 Add tests for invalid private parameters in mbedtls_ecdsa_sign() 2017-11-17 17:09:31 +00:00
Darryl Green c64a48bec7 Add checks for private parameter in mbedtls_ecdsa_sign() 2017-11-17 17:09:17 +00:00
Andres Amaya Garcia 5a6da63138 Fix indentation for mbedtls_x509_crt_check_key_usage() 2017-11-14 21:47:08 +00:00
Andres Amaya Garcia c81fcb9d36 Fix typos in documentation for mbedtls_x509_crt_check_extended_key_usage() 2017-11-14 21:43:14 +00:00
Manuel Pégourié-Gonnard 888fedea06 Merge branch 'development' into development-restricted
* development: (30 commits)
  update README file (#1144)
  Fix typo in asn1.h
  Improve leap year test names in x509parse.data
  Correctly handle leap year in x509_date_is_valid()
  Renegotiation: Add tests for SigAlg ext parsing
  Parse Signature Algorithm ext when renegotiating
  Minor style fix
  config.pl get: be better behaved
  config.pl get: don't rewrite config.h; detect write errors
  Fixed "config.pl get" for options with no value
  Fix typo and bracketing in macro args
  Ensure failed test_suite output is sent to stdout
  Remove use of GNU sed features from ssl-opt.sh
  Fix typos in ssl-opt.sh comments
  Add ssl-opt.sh test to check gmt_unix_time is good
  Extend ssl-opt.h so that run_test takes function
  Always print gmt_unix_time in TLS client
  Restored note about using minimum functionality in makefiles
  Note in README that GNU make is required
  Fix changelog for ssl_server2.c usage fix
  ...
2017-11-14 08:24:22 +01:00
Chris Xue 9a51c032ee Fix copy paste error in the error message of mbedtls_ecp_gen_key in gen_key.c 2017-11-05 19:10:51 +00:00
Ron Eldor 2ac96620f3 change URL
Change URL from developer.mbed.org to os.mbed.com
2017-11-01 14:19:50 +02:00
Ron Eldor 9d22619a13 Change Arm Trademarks to the issue template
Change the Trademarks to the issue template document
2017-10-30 18:39:47 +02:00
Ron Eldor c7acb913ce Change Arm Trademarks
Change the Arm Trademarks according to updated Trademarks
2017-10-30 17:24:50 +02:00
Ron Eldor 22360825ae Address PR review comments
set `cache->chain` to NULL,
instead of setting the whole structure to zero.
2017-10-29 17:53:52 +02:00
Hanno Becker 3319555b7c Improve documentation of mbedtls_rsa_import[_raw] 2017-10-25 17:04:10 +01:00
Hanno Becker 27b34d5bad Wrong identifier used to check Encrypt-then-MAC flag
This commit fixes a comparison of ssl_session->encrypt_then_mac against the
ETM-unrelated constant MBEDTLS_SSL_EXTENDED_MS_DISABLED. Instead,
MBEDTLS_SSL_ETM_DISABLED should be used.

The typo is has no functional effect since both constants have the same value 0.
2017-10-20 14:24:51 +01:00
Gilles Peskine 91048a3aac RSA PSS: remove redundant check; changelog
Remove a check introduced in the previous buffer overflow fix with keys of
size 8N+1 which the subsequent fix for buffer start calculations made
redundant.

Added a changelog entry for the buffer start calculation fix.
2017-10-19 17:46:14 +02:00
Gilles Peskine b00b0da452 RSA PSS: fix first byte check for keys of size 8N+1
For a key of size 8N+1, check that the first byte after applying the
public key operation is 0 (it could have been 1 instead). The code was
incorrectly doing a no-op check instead, which led to invalid
signatures being accepted. Not a security flaw, since you would need the
private key to craft such an invalid signature, but a bug nonetheless.
2017-10-19 15:23:49 +02:00
Hanno Becker 509fef7de3 Add ChangeLog message for EC private exponent information leak 2017-10-19 10:10:18 +01:00
Hanno Becker a21e2a015b Adapt ChangeLog 2017-10-19 09:15:17 +01:00
Gilles Peskine 139108af94 RSA PSS: fix minimum length check for keys of size 8N+1
The check introduced by the previous security fix was off by one. It
fixed the buffer overflow but was not compliant with the definition of
PSS which technically led to accepting some invalid signatures (but
not signatures made without the private key).
2017-10-18 19:03:42 +02:00
Hanno Becker 9cfabe3597 Use a conservative excess of the maximum fragment length in tests
This leads to graceful test failure instead of crash when run on the previous
code.
2017-10-18 14:42:01 +01:00
Hanno Becker 888071184c Zeroize stack before returning from mpi_fill_random 2017-10-18 12:41:30 +01:00
RonEld 005939db98 update README file (#1144)
* update README file

update VS 2010 as the minimal version of required Visual Studio

* Rephrase the MS VS requirement

Rephrase the VS version sentence
2017-10-17 18:19:48 +01:00
Gilles Peskine 6a54b0240d RSA: Fix another buffer overflow in PSS signature verification
Fix buffer overflow in RSA-PSS signature verification when the masking
operation results in an all-zero buffer. This could happen at any key size.
2017-10-17 19:12:36 +02:00
Gilles Peskine 28a0c72795 RSA: Fix buffer overflow in PSS signature verification
Fix buffer overflow in RSA-PSS signature verification when the hash is
too large for the key size. Found by Seth Terashima, Qualcomm.

Added a non-regression test and a positive test with the smallest
permitted key size for a SHA-512 hash.
2017-10-17 19:01:38 +02:00
Ron Eldor e1a9a4a826 Fix crash when calling mbedtls_ssl_cache_free twice
Set `cache` to zero at the end of `mbedtls_ssl_cache_free` #1104
2017-10-17 18:15:41 +03:00
Hanno Becker 7c8cb9c28b Fix information leak in ecp_gen_keypair_base
The function mbedtls_ecp_gen_keypair_base did not wipe the stack buffer used to
hold the private exponent before returning. This commit fixes this by not using
a stack buffer in the first place but instead calling mpi_fill_random directly
to acquire the necessary random MPI.
2017-10-17 15:19:38 +01:00
Hanno Becker 073c199224 Make mpi_read_binary time constant
This commit modifies mpi_read_binary to always allocate the minimum number of
limbs required to hold the entire buffer provided to the function, regardless of
its content. Previously, leading zero bytes in the input data were detected and
used to reduce memory footprint and time, but this non-constant behavior turned
out to be non-tolerable for the cryptographic applications this function is used
for.
2017-10-17 15:17:27 +01:00
Hanno Becker 15f2b3e538 Mention that mpi_fill_random interprets PRNG output as big-endian 2017-10-17 15:17:05 +01:00
Hanno Becker 479e8e24e6 Adapt ChangeLog 2017-10-17 11:03:50 +01:00
Hanno Becker 134c2ab891 Add build and ssl-opt.sh run for !SSL_RENEGOTIATION to all.sh 2017-10-17 11:03:50 +01:00
Hanno Becker 6a2436493f Add dependency on SSL_RENEGOTIATION to renego tests in ssl-opt.sh 2017-10-17 11:03:50 +01:00
Hanno Becker 40f8b51221 Add comments on the use of the renego SCSV and the renego ext 2017-10-17 11:03:50 +01:00
Hanno Becker 6851b10ec7 Note that disabling SSL_RENEGO doesn't open door for renego attack 2017-10-17 11:03:50 +01:00
Hanno Becker 21df7f90d2 Fix handling of HS msgs in mbedtls_ssl_read if renegotiation unused
Previously, if `MBEDTLS_SSL_RENEGOTIATION` was disabled, incoming handshake
messages in `mbedtls_ssl_read` (expecting application data) lead to the
connection being closed. This commit fixes this, restricting the
`MBEDTLS_SSL_RENEGOTIATION`-guard to the code-paths responsible for accepting
renegotiation requests and aborting renegotiation attempts after too many
unexpected records have been received.
2017-10-17 11:03:26 +01:00
Hanno Becker b4ff0aafd9 Swap branches accepting/refusing renegotiation in in ssl_read 2017-10-17 11:03:04 +01:00
Hanno Becker fc8fbfa059 Switch to gender neutral wording in rsa.h 2017-10-17 10:34:04 +01:00
Hanno Becker 580869dae8 Handle RSA_EXPORT_UNSUPPORTED error code in strerror 2017-10-17 10:34:04 +01:00
Hanno Becker e2a73c13cf Enhancement of ChangeLog entry 2017-10-17 10:34:04 +01:00
Hanno Becker 554c32dae6 Mention validate_params does primality tests only if GENPRIME def'd 2017-10-17 10:34:01 +01:00
Hanno Becker 68767a6e88 Improve documentation in mbedtls_rsa_check_privkey 2017-10-17 10:13:31 +01:00
Hanno Becker f8c028a2fb Minor corrections 2017-10-17 09:20:57 +01:00
Hanno Becker 4055a3a16f Shorten prime array in mbedtls_rsa_deduce_primes 2017-10-17 09:15:26 +01:00
Hanno Becker c36aab69b5 Swap D,E parameters in mbedtls_rsa_deduce_primes 2017-10-17 09:15:06 +01:00
Hanno Becker 0cd5b94dba Adapt ChangeLog 2017-10-13 17:17:28 +01:00
Simon Butcher 6f63db7ed5 Fix changelog for ssl_server2.c usage fix 2017-10-12 23:22:17 +01:00
Gilles Peskine 085c10afdb Allow comments in test data files 2017-10-12 23:22:17 +01:00
Andres Amaya Garcia 9fb02057a5 Fix typo in asn1.h 2017-10-12 23:21:37 +01:00
Andres Amaya Garcia 60100d09ee Improve leap year test names in x509parse.data 2017-10-12 23:21:37 +01:00
Andres Amaya Garcia 735b37eeef Correctly handle leap year in x509_date_is_valid()
This patch ensures that invalid dates on leap years with 100 or 400
years intervals are handled correctly.
2017-10-12 23:21:37 +01:00
Janos Follath b0f148c0ab Renegotiation: Add tests for SigAlg ext parsing
This commit adds regression tests for the bug when we didn't parse the
Signature Algorithm extension when renegotiating. (By nature, this bug
affected only the server)

The tests check for the fallback hash (SHA1) in the server log to detect
that the Signature Algorithm extension hasn't been parsed at least in
one of the handshakes.

A more direct way of testing is not possible with the current test
framework, since the Signature Algorithm extension is parsed in the
first handshake and any corresponding debug message is present in the
logs.
2017-10-12 23:21:37 +01:00
Ron Eldor 73a381772b Parse Signature Algorithm ext when renegotiating
Signature algorithm extension was skipped when renegotiation was in
progress, causing the signature algorithm not to be known when
renegotiating, and failing the handshake. Fix removes the renegotiation
step check before parsing the extension.
2017-10-12 23:21:37 +01:00
Gilles Peskine 8ca0e8fdff Minor style fix 2017-10-12 23:21:37 +01:00