Commit Graph

3447 Commits

Author SHA1 Message Date
Simon Butcher
c1526faaee Update of the Visual Studio files
Contains additional project file, ecdh_curve25519.vcxproj, as well as fix
for intermediate files causing the warning MSB8028 with Visual Studio 2015.
2017-03-02 21:22:25 +00:00
Simon Butcher
5b6002555e Fix Visual Studio template files
Adds interim directories to the Visual Studio project files to avoid warning
MSB8028 in Visual Studio 2015, where shared directories of intermediate files
between project files generate the warning.
2017-03-02 21:22:25 +00:00
Andres AG
a750c771fb Fix failing pkparse test case
The first three test cases from test_suites_pkparse.data failed because
the key file they read requires DES to be read. However, POLARSSL_DES_C
was missing from the dependency list.
2017-03-02 15:40:07 +00:00
Simon Butcher
c9d9d1c506 Add fix and credit for #742 to the ChangeLog 2017-03-02 10:27:03 +00:00
Simon Butcher
9eb37f7856 Update of the Visual Studio files
Contains additional project file, ecdh_curve25519.vcxproj, as well as fix
for intermediate files causing the warning MSB8028 with Visual Studio 2015.
2017-03-01 23:18:38 +00:00
Simon Butcher
97a7dc63bb Fix Visual Studio template files
Adds interim directories to the Visual Studio project files to avoid warning
MSB8028 in Visual Studio 2015, where shared directories of intermediate files
between project files generate the warning.
2017-03-01 23:12:15 +00:00
Simon Butcher
866a447784 Clarify ChangeLog for #569 2017-02-28 20:27:17 +00:00
Janos Follath
f5ffc79896 ECP: Prevent freeing a buffer on stack
The function ecp_mod_koblitz computed the space for the result of a
multiplication optimally for that specific case, but unfortunately
the function mbedtls_mpi_mul_mpi performs a generic, suboptimal
calculation and needs one more limb for the result. Since the result's
buffer is on the stack, the best case scenario is that the program
stops.

This only happened on 64 bit platforms.

Fixes #569
2017-02-28 20:24:52 +00:00
Janos Follath
0990a8b4c5 Add invalid key tests for curve SECP224K1
This curve has special arithmetic on 64 bit platforms and an untested
path lead to trying to free a buffer on the stack.

For the sake of completeness, a test case for a point with non-affine
coordinates has been added as well.
2017-02-28 18:58:10 +00:00
Simon Butcher
bfef0ce5e4 Fix credit in ChangeLog for #722 2017-02-28 17:38:55 +00:00
Andres AG
03af0e0151 Fix memory leak in x509_crl_parse()
The memory leak call was caused by missing calls to pem_free().
2017-02-28 17:36:06 +00:00
Simon Butcher
9fb2828aee Merge branch 'mbedtls-1.3-iotssl-1071-ca-flags'
Fixes a regression introduced by an earlier commit that modified
x509_crt_verify_top() to ensure that valid certificates that are after past or
future valid in the chain are processed. However the change introduced a change
in behaviour that caused the verification flags MBEDTLS_X509_BADCERT_EXPIRED and
MBEDTLS_BADCERT_FUTURE to always be set whenever there is a failure in the
verification regardless of the cause.

The fix maintains both behaviours:

 * Ensure that valid certificates after future and past are verified
 * Ensure that the correct verification flags are set.
2017-02-27 21:25:03 +00:00
Simon Butcher
7346a7e55a Fix formatting in ChangeLog 2017-02-26 02:01:49 +00:00
Simon Butcher
741bd90a30 Merge branch 'mbedtls-1.3-iotssl-1077-dos-crl'
Modifies the function mbedtls_x509_crl_parse() to ensure that a CRL in PEM
format with trailing characters after the footer does not result in the
execution of an infinite loop.
2017-02-26 01:46:37 +00:00
Simon Butcher
13f9e40059 Merge branch 'mbedtls-1.3' 2017-02-25 21:47:24 +00:00
Andres AG
dcd49ec05a Add lib target to library/CMakeLists.txt 2017-02-25 21:27:17 +00:00
Andres AG
22d77a209f Fix generate_code.pl to handle escaped : 2017-02-25 21:27:17 +00:00
Simon Butcher
746edf4e75 Add comment to integer overflow fix in base64.c
Adds clarifying comment to the integer overflow fix in base64.c
2017-02-25 21:27:17 +00:00
Andres AG
59abd301f5 Fix integer overflow in mbedtls_base64_decode()
Fix potential integer overflows in the function mbedtls_base64_decode().
This overflow would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-25 21:27:17 +00:00
Andres Amaya Garcia
74ef650772 Fix integer overflows in buffer bound checks
Fix potential integer overflows in the following functions:
  * mbedtls_md2_update() to be bypassed and cause
  * mbedtls_cipher_update()
  * mbedtls_ctr_drbg_reseed()
This overflows would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-25 21:25:44 +00:00
Andres AG
480f7e7d5e Add tests for overreads in pem_read_buffer() 2017-02-25 21:25:07 +00:00
Andres AG
de6079af8e Fix buffer overreads in mbedtls_pem_read_buffer() 2017-02-25 21:25:06 +00:00
Simon Butcher
df1197dad0 Merge branch 'mbedtls-1.3-restricted' 2017-02-20 23:08:02 +00:00
Andres AG
63c4fda9cf Add lib target to library/CMakeLists.txt 2017-02-20 22:03:19 +00:00
Simon Butcher
851dcc96d4 Add credit to Changelog for #562 2017-02-20 22:03:19 +00:00
Simon Butcher
e6254531d0 Fix curves.pl script to build
The script, `tests/scripts/curves.pl` was broken, and did not build due to the
make command not having been updated with the change from polarssl to mbed TLS.
2017-02-20 22:01:55 +00:00
Simon Butcher
ba32ebf7f4 Add comment to integer overflow fix in base64.c
Adds clarifying comment to the integer overflow fix in base64.c
2017-02-20 22:01:55 +00:00
Simon Butcher
b2bad3c79b Adds dl link library to OpenSSL example builds
The example o_p_test uses OpenSSL. On some platforms that fails to build
unless the dl library is included as a static link library.
2017-02-20 22:01:55 +00:00
Andres AG
7ded99ff64 Fix integer overflow in mbedtls_base64_decode()
Fix potential integer overflows in the function mbedtls_base64_decode().
This overflow would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-20 22:01:55 +00:00
Andres Amaya Garcia
cfad181250 Fix integer overflows in buffer bound checks
Fix potential integer overflows in the following functions:
  * mbedtls_md2_update() to be bypassed and cause
  * mbedtls_cipher_update()
  * mbedtls_ctr_drbg_reseed()
This overflows would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-20 22:00:33 +00:00
Andres AG
29b43737ba Fix unused variable/function compilation warnings
This PR fixes a number of unused variable/function compilation warnings
that arise when using a config.h that does not define the macro
POLARSSL_PEM_PARSE_C.
2017-02-20 21:57:52 +00:00
Simon B
d9c8f26f8b Fix for MSVC Compiler warnings
Fixes Microsoft Visual C compiler warnings in multiple files. All issues
with type mismatches.
2017-02-20 21:56:56 +00:00
Andres AG
562bbb6f6a Add PK tests to avoid hashlen overflow for RSA 2017-02-15 10:44:07 +00:00
Andres AG
c71b7eb0e7 Fix data loss in unsigned int cast in PK
This patch introduces some additional checks in the PK module for 64-bit
systems only. The problem is that the API functions in the PK
abstraction accept a size_t value for the hashlen, while the RSA module
accepts an unsigned int for the hashlen. Instead of silently casting
size_t to unsigned int, this change checks whether the hashlen overflows
an unsigned int and returns an error.
2017-02-15 10:44:02 +00:00
Simon Butcher
d9bac1f4f9 Merge 'mbedtls-1.3-fix-cmake-lib-target'
Add a lib target to library/CMakeLists.txt to improve compatibility between
mbed TLS 1.3 and more recent versions of the library.
2017-02-03 17:18:33 +00:00
Simon Butcher
98c96fe7c6 Merge branch 'mbedtls-1.3' 2017-02-03 16:54:49 +00:00
Andres AG
5cf7f38806 Add lib target to library/CMakeLists.txt 2017-02-03 16:28:22 +00:00
Simon Butcher
df33a6a805 Add credit to Changelog for #562 2017-02-02 16:53:50 +00:00
Simon Butcher
800c7c6195 Merge 'mbedtls-1.3-iotssl-952-tfirmware-warnings'
This PR fixes a number of unused variable/function compilation warnings
that arise when using a config.h that does not define the macro
MBEDTLS_PEM_PARSE_C.
2017-02-02 16:52:37 +00:00
Andres Amaya Garcia
27417426ae Merge pull request #783 from sbutcher-arm/1.3-curves.pl-fix
Fix curves.pl script to build
2017-02-02 15:13:21 +00:00
Simon Butcher
1842a00688 Fix curves.pl script to build
The script, `tests/scripts/curves.pl` was broken, and did not build due to the
make command not having been updated with the change from polarssl to mbed TLS.
2017-02-02 15:06:51 +00:00
Simon Butcher
50b4b12f9f Fix curves.pl script to build
The script, `tests/scripts/curves.pl` was broken, and did not build due to the
make command not having been updated with the change from polarssl to mbed TLS.
2017-02-02 15:01:24 +00:00
Andres AG
6aa732f25a Fix generate_code.pl to handle escaped : 2017-02-02 14:42:40 +00:00
Simon Butcher
2d56a827cc Add comment to integer overflow fix in base64.c
Adds clarifying comment to the integer overflow fix in base64.c
2017-02-02 09:17:41 +00:00
Simon Butcher
8cf6d31f54 Merge branch fix-base64-arithmetic-overflows
Fix potential integer overflows in the function mbedtls_base64_decode().
This overflow would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-02 09:15:05 +00:00
Simon Butcher
0289920d12 Merge branch mbedtls-1.3-fix-arithmetic-overflows
Fix potential integer overflows in the following functions:

 * mbedtls_md2_update()
 * mbedtls_cipher_update()
 * mbedtls_ctr_drbg_reseed()

This overflows would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-01 21:46:47 +00:00
Andres Amaya Garcia
f1d52d08ea Merge pull request #780 from sbutcher-arm/openssl-link-lib-fix
Adds dl link library to OpenSSL example builds
2017-02-01 13:55:15 +00:00
Simon Butcher
40d8cc7181 Adds dl link library to OpenSSL example builds
The example o_p_test uses OpenSSL. On some platforms that fails to build
unless the dl library is included as a static link library.
2017-02-01 12:38:44 +00:00
Andres AG
28ba747c8c Add tests for out flags from x509_crt_verify_top()
The tests load certificate chains from files. The CA chains contain a
past or future certificate and an invalid certificate. The test then
checks that the flags set are BADCERT_EXPIRED or BADCERT_FUTURE.
2017-01-20 17:12:43 +00:00
Andres AG
2f3fe70f7e Fix verify out flags from x509_crt_verify_top()
This change fixes a regression introduced by an earlier commit that
modified x509_crt_verify_top() to ensure that valid certificates
that are after past or future valid in the chain are processed. However
the change introduced a change in behaviour that caused the
verification flags BADCERT_EXPIRED and BADCERT_FUTURE to always be set
whenever there is a failure in the verification regardless of the cause.

The fix maintains both behaviours:
  * Ensure that valid certificates after future and past are verified
  * Ensure that the correct verification flags are set.

To do so, a temporary pointer to the first future or past valid
certificate is maintained while traversing the chain. If a truly valid
certificate is found then that one is used, otherwise if no valid
certificate is found and the end of the chain is reached, the program
reverts back to using the future or past valid certificate.
2017-01-20 17:12:36 +00:00