Commit graph

1055 commits

Author SHA1 Message Date
Janos Follath 745bcf454f Fix typos 2017-07-21 14:04:31 +01:00
Manuel Pégourié-Gonnard ee98109af5 Add ChangeLog entry for the security issue 2017-07-06 11:58:41 +02:00
Manuel Pégourié-Gonnard 31458a1878 Only return VERIFY_FAILED from a single point
Everything else is a fatal error. Also improve documentation about that for
the vrfy callback.
2017-07-06 11:58:41 +02:00
Manuel Pégourié-Gonnard d15795acd5 Improve behaviour on fatal errors
If we didn't walk the whole chain, then there may be any kind of errors in the
part of the chain we didn't check, so setting all flags looks like the safe
thing to do.
2017-07-06 11:58:41 +02:00
Simon Butcher f2a597fa3d Update the version number to 2.5.1 2017-06-20 23:08:10 +01:00
Janos Follath 5a1c0e7162 Improve Changelog 2017-06-16 12:27:47 +01:00
Manuel Pégourié-Gonnard 4a42f3c405 Merge remote-tracking branch 'restricted/iotssl-1398' into development-restricted
* restricted/iotssl-1398:
  Add ChangeLog entry
  Ensure application data records are not kept when fully processed
  Add hard assertion to mbedtls_ssl_read_record_layer
  Fix mbedtls_ssl_read
  Simplify retaining of messages for future processing
2017-06-09 15:02:40 +02:00
Manuel Pégourié-Gonnard a8e5a4730d Merge near-duplicate ChangeLog entries
As agreed with Gilles on the PR discussion page
2017-06-09 14:46:50 +02:00
Hanno Becker bf4c2e3f79 Add ChangeLog entry 2017-06-09 11:28:45 +01:00
Manuel Pégourié-Gonnard 740665e43b ChangeLog cosmetics 2017-06-08 20:37:30 +02:00
Manuel Pégourié-Gonnard b86b143030 Merge remote-tracking branch 'restricted/iotssl-1138-rsa-padding-check-restricted' into development-restricted
* restricted/iotssl-1138-rsa-padding-check-restricted:
  RSA PKCS1v1.5 verification: check padding length
2017-06-08 20:31:06 +02:00
Manuel Pégourié-Gonnard a0bf6ecfc3 Merge remote-tracking branch 'restricted/IOTSSL-1366/development-restricted' into development-restricted
* restricted/IOTSSL-1366/development-restricted:
  More length checks in RSA PKCS1v15 verify
  More length checks in RSA PKCS1v15 verify
2017-06-08 20:24:29 +02:00
Manuel Pégourié-Gonnard db108ac944 Merge remote-tracking branch 'hanno/mpi_read_file_underflow' into development
* hanno/mpi_read_file_underflow:
  Fix potential stack underflow in mpi_read_file.
2017-06-08 19:48:03 +02:00
Manuel Pégourié-Gonnard 1178ac5e77 Merge remote-tracking branch 'hanno/sliding_exponentiation' into development
* hanno/sliding_exponentiation:
  Adapt ChangeLog
  Abort modular inversion when modulus is one.
  Correct sign in modular exponentiation algorithm.
2017-06-08 19:46:30 +02:00
Manuel Pégourié-Gonnard c44c3c288d Merge remote-tracking branch 'janos/iotssl-1156-ecdsa-sample-and-doc-clarification' into development
* janos/iotssl-1156-ecdsa-sample-and-doc-clarification:
  Clarify the use of ECDSA API
2017-06-08 10:16:54 +02:00
Hanno Becker 39ae8cd207 Fix implementation of VERIFY_OPTIONAL verification mode
This commit changes the behaviour of mbedtls_ssl_parse_certificate
to make the two authentication modes MBEDTLS_SSL_VERIFY_REQUIRED and
MBEDTLS_SSL_VERIFY_OPTIONAL be in the following relationship:

    Mode == MBEDTLS_SSL_VERIFY_REQUIRED
<=> Mode == MBEDTLS_SSL_VERIFY_OPTIONAL + check verify result

Also, it changes the behaviour to perform the certificate chain
verification even if the trusted CA chain is empty. Previously, the
function failed in this case, even when using optional verification,
which was brought up in #864.
2017-06-07 11:13:19 +01:00
Manuel Pégourié-Gonnard ddc6e52cc1 Merge remote-tracking branch 'gilles/iotssl-1223/development' into development
* gilles/iotssl-1223/development:
  Fix FALLBACK_SCSV parsing
2017-06-06 20:11:36 +02:00
Manuel Pégourié-Gonnard 383a118338 Merge remote-tracking branch 'gilles/IOTSSL-1330/development' into development
* gilles/IOTSSL-1330/development:
  Changelog entry for the bug fixes
  SSLv3: when refusing renegotiation, stop processing
  Ignore failures when sending fatal alerts
  Cleaned up double variable declaration
  Code portability fix
  Added changelog entry
  Send TLS alerts in many more cases
  Skip all non-executables in run-test-suites.pl
  SSL tests: server requires auth, client has no certificate
  Balanced braces across preprocessor conditionals
  Support setting the ports on the command line
2017-06-06 19:22:41 +02:00
Gilles Peskine 5d2511c4d4 SHA-1 deprecation: allow it in key exchange
By default, keep allowing SHA-1 in key exchange signatures. Disabling
it causes compatibility issues, especially with clients that use
TLS1.2 but don't send the signature_algorithms extension.

SHA-1 is forbidden in certificates by default, since it's vulnerable
to offline collision-based attacks.
2017-06-06 18:44:14 +02:00
Gilles Peskine 5e79cb3662 Remove SHA-1 in TLS by default
Default to forbidding the use of SHA-1 in TLS where it is unsafe: for
certificate signing, and as the signature hash algorithm for the TLS
1.2 handshake signature. SHA-1 remains allowed in HMAC-SHA-1 in the
XXX_SHA ciphersuites and in the PRF for TLS <= 1.1.

For easy backward compatibility for use in controlled environments,
turn on the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 compiled-time option.
2017-06-06 18:44:13 +02:00
Manuel Pégourié-Gonnard 23b33f8663 Merge remote-tracking branch 'hanno/sig_hash_compatibility' into development
* hanno/sig_hash_compatibility:
  Improve documentation
  Split long lines
  Remember suitable hash function for any signature algorithm.
  Introduce macros and functions to characterize certain ciphersuites.
2017-06-06 18:14:57 +02:00
Hanno Becker eccf60caab Adapt ChangeLog 2017-06-05 15:19:01 +01:00
Gilles Peskine d50177fdf3 Fix FALLBACK_SCSV parsing
Fixed a bug in ssl_srv.c when parsing TLS_FALLBACK_SCSV in the
ciphersuite list that caused it to miss it sometimes. Reported by Hugo
Leisink as issue #810. Fix initially by @andreasag01; this commit
isolates the bug fix and adds a non-regression test.
2017-05-16 17:53:03 +02:00
Simon Butcher 9f77017a8d Updated version number to 2.5.0 2017-05-16 10:22:37 +01:00
Andres AG f5bf7189d3 Change return type of AES decrypt and encrypt
This patch modifies the following 2 functions in the AES module to
change the return type from void to int:
    * mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()
    * mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt()
This change is necessary to allow users of MBEDTLS_AES_ALT,
MBEDTLS_AES_DECRYPT_ALT and MBEDTLS_AES_ENCRYPT_ALT to return an error
code when replacing the default with their own implementation, e.g.
a hardware crypto accelerator.
2017-05-16 10:22:37 +01:00
Janos Follath 2850cdaed9 Add Changelog entry for RSA exponent blinding 2017-05-16 10:22:37 +01:00
Janos Follath c66e5596ba Add Changelog entry for CA list suppression 2017-05-16 10:22:37 +01:00
Andres Amaya Garcia 46fe17ecf2 Remove obsolete macros from compat-1.3.h 2017-05-16 10:22:37 +01:00
Gilles Peskine 4a7f6a0ddb RSA: wipe stack buffers
The RSA private key functions rsa_rsaes_pkcs1_v15_decrypt and
rsa_rsaes_oaep_decrypt put sensitive data (decryption results) on the
stack. Wipe it before returning.

Thanks to Laurent Simon for reporting this issue.
2017-05-16 10:22:37 +01:00
Simon Butcher 77da95357f Add fix for #667 to ChangeLog 2017-05-16 10:22:37 +01:00
Simon Butcher 4775e83337 Fix ChangeLog
Fixes the ChangeLog following the merge of the ECP HW acceleration interfaces
in aab9efb.
2017-05-16 10:22:37 +01:00
Janos Follath 45182a0065 Add Changelog entry for RSA exponent blinding 2017-05-16 10:22:37 +01:00
Janos Follath 7a8a090f55 Add Changelog entry for CA list suppression 2017-05-16 10:22:37 +01:00
Andres Amaya Garcia 75fdf631fd Remove obsolete macros from compat-1.3.h 2017-05-16 10:22:37 +01:00
Hanno Becker 7e5437a972 Remember suitable hash function for any signature algorithm.
This commit changes `ssl_parse_signature_algorithms_ext` to remember
one suitable ( := supported by client and by our config ) hash
algorithm per signature algorithm.

It also modifies the ciphersuite checking function
`ssl_ciphersuite_match` to refuse a suite if there
is no suitable hash algorithm.

Finally, it adds the corresponding entry to the ChangeLog.
2017-05-15 11:50:11 +01:00
Janos Follath 7e2406f6f0 Add Changelog entry 2017-05-11 22:42:14 +01:00
Manuel Pégourié-Gonnard c1380de887 RSA PKCS1v1.5 verification: check padding length
The test case was generated by modifying our signature code so that it
produces a 7-byte long padding (which also means garbage at the end, so it is
essential in to check that the error that is detected first is indeed the
padding rather than the final length check).
2017-05-11 13:10:13 +02:00
Gilles Peskine 3df98f50a9 Changelog entry for the bug fixes 2017-05-10 17:47:40 +02:00
Hanno Becker 072e806a07 Adapt ChangeLog 2017-05-09 10:47:49 +01:00
Hanno Becker b2034b7785 Fix potential stack underflow in mpi_read_file.
When provided with an empty line, mpi_read_file causes a numeric
underflow resulting in a stack underflow. This commit fixes this and
adds some documentation to mpi_read_file.
2017-05-09 10:29:06 +01:00
Gilles Peskine 0e17eb05f8 More length checks in RSA PKCS1v15 verify
Tighten ASN.1 parsing of RSA PKCS#1 v1.5 signatures, to avoid a
potential Bleichenbacher-style attack.
2017-05-03 18:56:10 +02:00
Gilles Peskine 36091fe3ef Added changelog entry 2017-05-03 16:55:03 +02:00
Simon Butcher b65c2be5f1 Updated version number to 2.4.2 for release 2017-03-10 18:50:44 +00:00
Janos Follath 0a5154b8a1 Clarify the use of ECDSA API
In the ecdsa.c sample application we don't use hashing, we use ecdsa
directly on a buffer containing plain text. Although the text explains
that it should be the message hash it still can be confusing.

Any misunderstandings here are potentially very dangerous, because ECDSA
truncates the message hash if necessary and this can lead to trivial
signature forgeries if the API is misused and the message is passed
directly to the function without hashing.

This commit adds a hash computation step to the ecdsa.c sample
application and clarification to the doxygen documentation of the
ECDSA functions involved.
2017-03-10 11:31:41 +00:00
Simon Butcher 81cf88f6d7 Added missing credit to ChangeLog for #555 2017-03-07 19:35:49 +00:00
Simon Butcher 8b987500f2 Corrected attibution in Changelog 2017-03-07 12:37:14 +00:00
Andres AG d1cc7f6f34 Fix buffer overflow in mbedtls_mpi_write_string()
Fix a buffer overflow when writting a string representation of an MPI
number to a buffer in hexadecimal. The problem occurs because hex
digits are written in pairs and this is not accounted for in the
calculation of the required buffer size when the number of digits is
odd.
2017-03-02 21:34:21 +00:00
Ron Eldor 12e0b800da Fix resource leak when using mutex and ssl_cookie
When using ssl_cookie with MBEDTLS_THREADING_C, fix a resource leak caused by
initiating a mutex in mbedtls_ssl_cookie_free instead of freeing it.
Raised and fix suggested by lan Gillingham in the mbed TLS forum
Tracked in #771
2017-03-02 12:26:11 +00:00
Simon Butcher 28d9fe031d Fix mistake in ChangeLog from file merge 2017-03-02 12:05:54 +00:00
Ron Eldor 04965edaa8 Fix resource leak when using mutex and ssl_cookie
When using ssl_cookie with MBEDTLS_THREADING_C, fix a resource leak caused by
initiating a mutex in mbedtls_ssl_cookie_free instead of freeing it.
Raised and fix suggested by lan Gillingham in the mbed TLS forum
Tracked in #771
2017-03-02 11:58:15 +00:00
Simon Butcher 956c58ffa9 Add fix and credit for #742 to the ChangeLog 2017-03-02 09:20:53 +00:00
Simon Butcher 065cede476 Add fix and credit for #742 to the ChangeLog 2017-03-02 09:18:09 +00:00
Simon Butcher 71e9d58dc2 Clarify ChangeLog for #569 2017-02-28 18:47:27 +00:00
Janos Follath 7dadc2f259 ECP: Prevent freeing a buffer on stack
The function ecp_mod_koblitz computed the space for the result of a
multiplication optimally for that specific case, but unfortunately
the function mbedtls_mpi_mul_mpi performs a generic, suboptimal
calculation and needs one more limb for the result. Since the result's
buffer is on the stack, the best case scenario is that the program
stops.

This only happened on 64 bit platforms.

Fixes #569
2017-02-28 18:41:39 +00:00
Simon Butcher d02dc14c94 Fix credit in ChangeLog for #722 2017-02-28 16:36:22 +00:00
Andres AG 5708dcb368 Fix memory leak in mbedtls_x509_crl_parse()
The memory leak call was caused by missing calls to mbedtls_pem_free()
when a MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT error was
encountered.
2017-02-28 14:51:31 +00:00
Janos Follath 87c980749d Fix buffer overread in mbedtls_x509_get_time()
A heap overread might happen when parsing malformed certificates.
Reported by Peng Li and Yueh-Hsun Lin.

Refactoring the parsing fixes the problem. This commit applies the
relevant part of the OpenVPN contribution applied to mbed TLS 1.3
in commit 17da9dd829.
2017-02-28 14:23:12 +00:00
Simon Butcher fc794ff2b7 Merge branch 'iotssl-1071-ca-flags'
Fixes a regression introduced by an earlier commit that modified
x509_crt_verify_top() to ensure that valid certificates that are after past or
future valid in the chain are processed. However the change introduced a change
in behaviour that caused the verification flags MBEDTLS_X509_BADCERT_EXPIRED and
MBEDTLS_BADCERT_FUTURE to always be set whenever there is a failure in the
verification regardless of the cause.

The fix maintains both behaviours:

 * Ensure that valid certificates after future and past are verified
 * Ensure that the correct verification flags are set.
2017-02-27 19:06:05 +00:00
Simon Butcher 0278a38f10 Merge branch 'iotssl-1077-dos-crl'
Modifies the function mbedtls_x509_crl_parse() to ensure that a CRL in PEM
format with trailing characters after the footer does not result in the
execution of an infinite loop.
2017-02-26 01:16:02 +00:00
Simon Butcher 0621b1fbb0 Add detail to ChangeLog for SLOTH fix 2017-02-15 23:31:07 +02:00
Andres AG 4623d83c6f Fix integer overflow mbedtls_base64_decode()
Fix potential integer overflows in the function mbedtls_base64_decode().
This overflow would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-15 23:31:07 +02:00
Andres Amaya Garcia 6a54336897 Fix integer overflows in buffer bound checks
Fix potential integer overflows in the following functions:
  * mbedtls_md2_update() to be bypassed and cause
  * mbedtls_cipher_update()
  * mbedtls_ctr_drbg_reseed()
This overflows would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-15 23:31:07 +02:00
Janos Follath 182013faf4 Prevent SLOTH attacks 2017-02-15 23:29:32 +02:00
Simon Butcher a333b3c194 Add credit to Changelog for #562 2017-02-15 23:28:48 +02:00
Simon Butcher d57c8f0048 Clarify fix for #673 in Changelog
Clarified fix, and added credit.
2017-02-15 23:27:58 +02:00
Andres AG 2196c7f81c Fix renegotiation at incorrect times in DTLS
Fix an incorrect condition in ssl_check_ctr_renegotiate() that compared
64 bits of record counter instead of 48 bits as described in RFC 6347
Section 4.3.1. This would cause the function's return value to be
occasionally incorrect and the renegotiation routines to be triggered
at unexpected times.
2017-02-15 23:26:35 +02:00
Janos Follath 4c006cdb1c Update library version number to 2.4.1 2017-02-15 22:55:55 +02:00
Janos Follath 5da3a6f92f Update CMAC test vectors. 2017-02-15 22:55:30 +02:00
Andres AG c0db511820 Fix unused variable/function compilation warnings
This PR fixes a number of unused variable/function compilation warnings
that arise when using a config.h that does not define the macro
MBEDTLS_PEM_PARSE_C.
2017-02-15 22:54:42 +02:00
Andres AG d15423446b Fix redefinition of macro ssl_set_bio
Fix redefinition of macro ssl_set_bio to undefined symbol
mbedtls_ssl_set_bio_timeout in compat-1.3.h.
2017-02-15 22:51:24 +02:00
Simon Butcher 1d4db5b7b5 Merge 'iotssl-1099-incorrect-renego-dtls'
Fix an incorrect condition in ssl_check_ctr_renegotiate() that compared
64 bits of record counter instead of 48 bits as described in RFC 6347
Section 4.3.1. This would cause the function's return value to be
occasionally incorrect and the renegotiation routines to be triggered
at unexpected times.
2017-02-02 23:47:08 +00:00
Simon Butcher d9440b15e6 Add credit to Changelog for #562 2017-02-02 16:17:37 +00:00
Simon Butcher d934b5371a Merge 'iotssl-952-tfirmware-warnings'
This PR fixes a number of unused variable/function compilation warnings
that arise when using a config.h that does not define the macro
MBEDTLS_PEM_PARSE_C.
2017-02-02 16:08:29 +00:00
Simon Butcher 1bef2266e5 Clarify fix for #673 in Changelog
Clarified fix, and added credit.
2017-02-02 13:08:37 +00:00
Simon Butcher 4d1e104bc1 Merge iotssl-1079-macro-redefinition-warning
Fix redefinition of macro ssl_set_bio to undefined symbol
mbedtls_ssl_set_bio_timeout in compat-1.3.h.
2017-02-02 12:19:04 +00:00
Andres AG d16506624a Fix verify out flags from x509_crt_verify_top()
This change fixes a regression introduced by an earlier commit that
modified x509_crt_verify_top() to ensure that valid certificates
that are after past or future valid in the chain are processed. However
the change introduced a change in behaviour that caused the
verification flags MBEDTLS_X509_BADCERT_EXPIRED and
MBEDTLS_BADCERT_FUTURE to always be set whenever there is a failure in
the verification regardless of the cause.

The fix maintains both behaviours:
  * Ensure that valid certificates after future and past are verified
  * Ensure that the correct verification flags are set.

To do so, a temporary pointer to the first future or past valid
certificate is maintained while traversing the chain. If a truly valid
certificate is found then that one is used, otherwise if no valid
certificate is found and the end of the chain is reached, the program
reverts back to using the future or past valid certificate.
2017-01-20 13:52:01 +00:00
Andres AG 939954c0b0 Fix CRL parsing to avoid infinite loop
This patch modifies the function mbedtls_x509_crl_parse() to ensure
that a CRL in PEM format with trailing characters after the footer does
not result in the execution of an infinite loop.
2017-01-19 16:43:48 +00:00
Andres AG 18c5c59b5b Fix renegotiation at incorrect times in DTLS
Fix an incorrect condition in ssl_check_ctr_renegotiate() that compared
64 bits of record counter instead of 48 bits as described in RFC 6347
Section 4.3.1. This would cause the function's return value to be
occasionally incorrect and the renegotiation routines to be triggered
at unexpected times.
2017-01-19 16:30:15 +00:00
Janos Follath 1808dc01bd Update library version number to 2.4.1 2016-12-13 16:00:52 +00:00
Janos Follath cd13bd2819 Update CMAC test vectors. 2016-12-13 16:00:52 +00:00
Andres AG 0368cb7f1c Fix unused variable/function compilation warnings
This PR fixes a number of unused variable/function compilation warnings
that arise when using a config.h that does not define the macro
MBEDTLS_PEM_PARSE_C.
2016-12-07 16:15:32 +00:00
Andres AG ee7157e735 Fix redefinition of macro ssl_set_bio
Fix redefinition of macro ssl_set_bio to undefined symbol
mbedtls_ssl_set_bio_timeout in compat-1.3.h.
2016-12-07 10:27:00 +00:00
Andres AG 9c94b6951c Add tests for overreads in pem_read_buffer() 2016-11-21 11:03:40 +00:00
Andres AG 703990b839 Fix buffer overreads in mbedtls_pem_read_buffer() 2016-10-24 13:00:37 +01:00
Simon Butcher 19dbd41c5b Update Changelog version number to 2.4.0 2016-10-16 19:35:49 +01:00
Simon Butcher ef8fa012ea Tidied up style and phrasing of ChangeLog 2016-10-16 00:44:08 +01:00
Janos Follath 240f185b79 Update ChangeLog for MBEDTLS_SELF_TEST fix 2016-10-14 15:23:21 +01:00
Simon Butcher 8e00410402 Merge fix for AEAD Random IVs 2016-10-14 00:48:33 +01:00
Simon Butcher 9800a058ae Merge branch 'development' 2016-10-13 17:25:56 +01:00
Simon Butcher 99000142cb Merge fix for IE Certificate Compatibility 2016-10-13 17:21:01 +01:00
Simon Butcher 2bd0fbaad0 Update to Changelog for #626 2016-10-13 16:29:56 +01:00
Simon Butcher 488c08c00b Merge branch fixing date validity in X.509 2016-10-13 16:13:09 +01:00
Simon Butcher 59bffa2df0 Update Changelog for X.509 unrecognised field fix 2016-10-13 15:55:56 +01:00
Simon Butcher 511526720c Merge fix for branch SSL client overread 2016-10-13 15:39:09 +01:00
Simon Butcher b81496b9b5 Update and clean up Changelog for #622 2016-10-13 14:03:37 +01:00
Simon Butcher d05192501b Added credit to Changelog for fix #558 2016-10-13 13:54:48 +01:00
Janos Follath e5dc202469 Restore P>Q in RSA key generation (#558)
The PKCS#1 standard says nothing about the relation between P and Q
but many libraries guarantee P>Q and mbed TLS did so too in earlier
versions.

This commit restores this behaviour.
2016-10-13 13:54:48 +01:00
Simon Butcher 468a84c7df Clarified Changelog for fix #602 2016-10-13 13:54:48 +01:00
Andres AG 314d8a8400 Fix documentation for mbedtls_gcm_finish()
Fix implementation and documentation missmatch for the function
arguments to mbedtls_gcm_finish(). Also, removed redundant if condition
that always evaluates to true.
2016-10-13 13:54:47 +01:00
Simon Butcher 9af0280aa5 Updated Changelog for fix #599 2016-10-13 13:54:14 +01:00