Merge branch 'mbedtls-1.3' into development

* mbedtls-1.3:
  Include changes from the 1.2 branch
  Remove unused headers in o_p_test
  Add countermeasure against cache-based lucky 13
  Make results of (ext)KeyUsage accessible
  Fix missing NULL check in MPI
  Fix detection of getrandom()
  Fix "make install" handling of symlinks
  Fix bugs in programs displaying verify flags

Conflicts:
	Makefile
	include/polarssl/ssl.h
	library/entropy_poll.c
	library/ssl_srv.c
	library/ssl_tls.c
	programs/test/o_p_test.c
	programs/test/ssl_cert_test.c
	programs/x509/cert_app.c
Manuel Pégourié-Gonnard 2015-04-30 10:28:51 +02:00
commit da61ed3346
8 changed files with 147 additions and 20 deletions


@ -117,6 +117,11 @@ Features
errors on use of deprecated functions. errors on use of deprecated functions.
Bugfix Bugfix
* mpi_size() and mpi_msb() would segfault when called on an mpi that is
initialized but not set (found by pravic).
* Fix detection of support for getrandom() on Linux (reported by syzzer) by
doing it at runtime (using uname) rather that compile time.
* Fix handling of symlinks by "make install" (found by Gaël PORTAY).
* Fix potential NULL pointer dereference (not trigerrable remotely) when * Fix potential NULL pointer dereference (not trigerrable remotely) when
ssl_write() is called before the handshake is finished (introduced in ssl_write() is called before the handshake is finished (introduced in
1.3.10) (first reported by Martin Blumenstingl). 1.3.10) (first reported by Martin Blumenstingl).
@ -663,6 +668,67 @@ Security
* RSA blinding on CRT operations to counter timing attacks * RSA blinding on CRT operations to counter timing attacks
(found by Cyril Arnaud and Pierre-Alain Fouque) (found by Cyril Arnaud and Pierre-Alain Fouque)
= Version 1.2.14 released 2015-05-??
Security
* Fix potential invalid memory read in the server, that allows a client to
crash it remotely (found by Caj Larsson).
* Fix potential invalid memory read in certificate parsing, that allows a
client to crash the server remotely if client authentication is enabled
(found using Codenomicon Defensics).
* Add countermeasure against "Lucky 13 strikes back" cache-based attack,
https://dl.acm.org/citation.cfm?id=2714625
Bugfix
* Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
* Fix hardclock() (only used in the benchmarking program) with some
versions of mingw64 (found by kxjhlele).
* Fix warnings from mingw64 in timing.c (found by kxjklele).
* Fix potential unintended sign extension in asn1_get_len() on 64-bit
platforms (found with Coverity Scan).
= Version 1.2.13 released 2015-02-16
Note: Although PolarSSL has been renamed to mbed TLS, no changes reflecting
this will be made in the 1.2 branch at this point.
Security
* Fix remotely-triggerable uninitialised pointer dereference caused by
crafted X.509 certificate (TLS server is not affected if it doesn't ask
for a client certificate) (found using Codenomicon Defensics).
* Fix remotely-triggerable memory leak caused by crafted X.509 certificates
(TLS server is not affected if it doesn't ask for a client certificate)
(found using Codenomicon Defensics).
* Fix potential stack overflow while parsing crafted X.509 certificates
(TLS server is not affected if it doesn't ask for a client certificate)
found using Codenomicon Defensics).
* Fix buffer overread of size 1 when parsing crafted X.509 certificates
(TLS server is not affected if it doesn't ask for a client certificate).
Bugfix
* Fix potential undefined behaviour in Camellia.
* Fix memory leaks in PKCS#5 and PKCS#12.
* Stack buffer overflow if ctr_drbg_update() is called with too large
add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
* Fix bug in MPI/bignum on s390/s390x (reported by Dan Horák) (introduced
in 1.2.12).
* Fix unchecked return code in x509_crt_parse_path() on Windows (found by
Peter Vaskovic).
* Fix assembly selection for MIPS64 (thanks to James Cowgill).
* ssl_get_verify_result() now works even if the handshake was aborted due
to a failed verification (found by Fredrik Axelsson).
* Skip writing and parsing signature_algorithm extension if none of the
key exchanges enabled needs certificates. This fixes a possible interop
issue with some servers when a zero-length extension was sent. (Reported
by Peter Dettman.)
* On a 0-length input, base64_encode() did not correctly set output length
(found by Hendrik van den Boogaard).
Changes
* Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
* Forbid repeated extensions in X.509 certificates.
* Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
length of an X.509 verification chain (default = 8).
= Version 1.2.12 released 2014-10-24 = Version 1.2.12 released 2014-10-24
Security Security


@ -22,7 +22,7 @@ install:
cp -r include/mbedtls $(DESTDIR)/include cp -r include/mbedtls $(DESTDIR)/include
mkdir -p $(DESTDIR)/lib mkdir -p $(DESTDIR)/lib
cp library/libmbedtls.* $(DESTDIR)/lib cp -RP library/libmbedtls.* $(DESTDIR)/lib
mkdir -p $(DESTDIR)/bin mkdir -p $(DESTDIR)/bin
for p in programs/*/* ; do \ for p in programs/*/* ; do \


@ -150,7 +150,9 @@ typedef struct
mbedtls_mpi; mbedtls_mpi;
/** /**
* \brief Initialize one MPI * \brief Initialize one MPI (make internal references valid)
* This just makes it ready to be set or freed,
* but does not define a value for the MPI.
* *
* \param X One MPI to initialize. * \param X One MPI to initialize.
*/ */


@ -356,6 +356,9 @@ size_t mbedtls_mpi_msb( const mbedtls_mpi *X )
{ {
size_t i, j; size_t i, j;
if( X->n == 0 )
return( 0 );
for( i = X->n - 1; i > 0; i-- ) for( i = X->n - 1; i > 0; i-- )
if( X->p[i] != 0 ) if( X->p[i] != 0 )
break; break;


@ -86,27 +86,46 @@ static int getrandom_wrapper( void *buf, size_t buflen, unsigned int flags )
{ {
return( syscall( SYS_getrandom, buf, buflen, flags ) ); return( syscall( SYS_getrandom, buf, buflen, flags ) );
} }
#endif /* SYS_getrandom */
#endif /* __linux__ */
#if defined(HAVE_GETRANDOM) #include <sys/utsname.h>
/* Check if version is at least 3.17.0 */
#include <errno.h> static int check_version_3_17_plus( void )
int mbedtls_platform_entropy_poll( void *data,
unsigned char *output, size_t len, size_t *olen )
{ {
int ret; int minor;
((void) data); struct utsname un;
const char *ver;
if( ( ret = getrandom_wrapper( output, len, 0 ) ) < 0 ) /* Get version information */
return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED ); uname(&un);
ver = un.release;
/* Check major version; assume a single digit */
if( ver[0] < '3' || ver[0] > '9' || ver [1] != '.' )
return( -1 );
if( ver[0] - '0' > 3 )
return( 0 );
/* Ok, so now we know major == 3, check minor.
* Assume 1 or 2 digits. */
if( ver[2] < '0' || ver[2] > '9' )
return( -1 );
minor = ver[2] - '0';
if( ver[3] >= '0' && ver[3] <= '9' )
minor = 10 * minor + ver[3] - '0';
else if( ver [3] != '.' )
return( -1 );
if( minor < 17 )
return( -1 );
*olen = ret;
return( 0 ); return( 0 );
} }
static int has_getrandom = -1;
#else /* HAVE_GETRANDOM */ #endif /* SYS_getrandom */
#endif /* __linux__ */
#include <stdio.h> #include <stdio.h>
@ -117,6 +136,22 @@ int mbedtls_platform_entropy_poll( void *data,
size_t ret; size_t ret;
((void) data); ((void) data);
#if defined(HAVE_GETRANDOM)
if( has_getrandom == -1 )
has_getrandom = ( check_version_3_17_plus() == 0 );
if( has_getrandom )
{
int ret;
if( ( ret = getrandom_wrapper( output, len, 0 ) ) < 0 )
return( POLARSSL_ERR_ENTROPY_SOURCE_FAILED );
*olen = ret;
return( 0 );
}
#endif /* HAVE_GETRANDOM */
*olen = 0; *olen = 0;
file = fopen( "/dev/urandom", "rb" ); file = fopen( "/dev/urandom", "rb" );
@ -135,7 +170,6 @@ int mbedtls_platform_entropy_poll( void *data,
return( 0 ); return( 0 );
} }
#endif /* HAVE_GETRANDOM */
#endif /* _WIN32 && !EFIX64 && !EFI32 */ #endif /* _WIN32 && !EFIX64 && !EFI32 */
#endif /* !MBEDTLS_NO_PLATFORM_ENTROPY */ #endif /* !MBEDTLS_NO_PLATFORM_ENTROPY */
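Review bot: check_version_3_17_plus() ignores the return value of `uname(&un)`, so if the call fails `ver = un.release` reads an uninitialised buffer and the choice between getrandom() and /dev/urandom is made from indeterminate bytes; `if( uname( &un ) != 0 ) return( -1 );` before the assignment keeps the /dev/urandom fallback. In the second hunk the new branch returns `POLARSSL_ERR_ENTROPY_SOURCE_FAILED` although the line it replaces used `MBEDTLS_ERR_ENTROPY_SOURCE_FAILED`; this looks like a leftover from the 1.3 side of the merge and, unless a compatibility header still maps the old name, should be the MBEDTLS_ spelling. That branch also treats any negative getrandom_wrapper() result as fatal, so a kernel that reports 3.17 or later but refuses the syscall never reaches the /dev/urandom code below; if that fallback is wanted, only return the error after the file path has failed too. mbedtls_platform_entropy_poll() starts and ends outside these hunks.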


@ -176,12 +176,12 @@ int main( void )
char vrfy_buf[512]; char vrfy_buf[512];
mbedtls_printf( " failed\n" ); mbedtls_printf( " failed\n" );
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret ); mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
mbedtls_printf( "%s\n", vrfy_buf ); mbedtls_printf( "%s\n", vrfy_buf );
} }
else else
{ {
mbedtls_printf( " failed\n ! mbedtls_x509_crt_verify returned %d\n\n", flags ); mbedtls_printf( " failed\n ! mbedtls_x509_crt_verify returned %d\n\n", ret );
goto exit; goto exit;
} }
} }


@ -1,3 +1,6 @@
Arguments with no value
mpi_null:
Base test mpi_read_write_string #1 Base test mpi_read_write_string #1
mpi_read_write_string:10:"128":10:"128":100:0:0 mpi_read_write_string:10:"128":10:"128":100:0:0


@ -7,6 +7,25 @@
* END_DEPENDENCIES * END_DEPENDENCIES
*/ */
/* BEGIN_CASE */
void mpi_null( )
{
mbedtls_mpi X, Y, Z;
mbedtls_mpi_init( &X );
mbedtls_mpi_init( &Y );
mbedtls_mpi_init( &Z );
TEST_ASSERT( mbedtls_mpi_get_bit( &X, 42 ) == 0 );
TEST_ASSERT( mbedtls_mpi_lsb( &X ) == 0 );
TEST_ASSERT( mbedtls_mpi_msb( &X ) == 0 );
TEST_ASSERT( mbedtls_mpi_size( &X ) == 0 );
exit:
mbedtls_mpi_free( &X );
}
/* END_CASE */
/* BEGIN_CASE */ /* BEGIN_CASE */
void mpi_read_write_string( int radix_X, char *input_X, int radix_A, void mpi_read_write_string( int radix_X, char *input_X, int radix_A,
char *input_A, int output_size, int result_read, char *input_A, int output_size, int result_read,
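Review bot: mpi_null() declares and initialises `Y` and `Z` but never uses them, and the `exit:` path frees only `X`. Since the test exercises a single initialised-but-unset MPI, the declaration can be `mbedtls_mpi X;` with the two extra `mbedtls_mpi_init()` calls dropped; if they are kept, pair them with `mbedtls_mpi_free( &Y );` and `mbedtls_mpi_free( &Z );` so init and free stay balanced. A short comment above the asserts, such as `/* X is initialised but not set: the accessors must return 0 rather than crash */`, would record what the case guards against.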