Commit Graph

4486 Commits

Author SHA1 Message Date
Hanno Becker
053b3459d4 Add fallback to non-compliant truncated HMAC for compatibiltiy
In case truncated HMAC must be used but the Mbed TLS peer hasn't been updated
yet, one can use the compile-time option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT to
temporarily fall back to the old, non-compliant implementation of the truncated
HMAC extension.
2017-12-01 10:18:41 +00:00
Hanno Becker
e9dcb843b2 Adapt ChangeLog 2017-12-01 10:18:22 +00:00
Hanno Becker
02f632ecce Add truncated HMAC extension tests for DTLS 2017-12-01 10:18:22 +00:00
Hanno Becker
d51bec701b Add missing truncated HMAC test for TLS
The case 'Client disabled, Server enabled' was missing.
2017-12-01 10:18:22 +00:00
Hanno Becker
461cb81a55 Add small packet tests for DTLS
Add a DTLS small packet test for each of the following combinations:
- DTLS version: 1.0 or 1.2
- Encrypt then MAC extension enabled
- Truncated HMAC extension enabled

Large packets tests for DTLS are currently not possible due to parameter
constraints in ssl_server2.
2017-12-01 10:18:22 +00:00
Hanno Becker
0b9d913ac6 Extend large packet tests for TLS
Same as previous commit, but for large packet tests.
2017-12-01 10:18:22 +00:00
Hanno Becker
7aae46c05a Extend small packet tests for TLS
This commit ensures that there is a small packet test for at least any
combination of
- SSL/TLS version: SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2
- Stream cipher (RC4) or Block cipher (AES)
- Usage of Encrypt then MAC extension [TLS only]
- Usage of truncated HMAC extension [TLS only]
2017-12-01 10:18:22 +00:00
Hanno Becker
a83fafa5df Add missing dependencies on trunc HMAC ext in ssl-opt.sh
Noticed that the test cases in ssl-opt.sh exercising the truncated HMAC
extension do not depend on MBEDTLS_SSL_TRUNCATED_HMAC being enabled in
config.h. This commit fixes this.
2017-12-01 10:18:22 +00:00
Hanno Becker
64f0aed966 Don't truncate MAC key when truncated HMAC is negotiated
The truncated HMAC extension as described in
https://tools.ietf.org/html/rfc6066.html#section-7 specifies that when truncated
HMAC is used, only the HMAC output should be truncated, while the HMAC key
generation stays unmodified. This commit fixes Mbed TLS's behavior of also
truncating the key, potentially leading to compatibility issues with peers
running other stacks than Mbed TLS.

Details:
The keys for the MAC are pieces of the keyblock that's generated from the
master secret in `mbedtls_ssl_derive_keys` through the PRF, their size being
specified as the size of the digest used for the MAC, regardless of whether
truncated HMAC is enabled or not.

             /----- MD size ------\ /------- MD size ----\
Keyblock    +----------------------+----------------------+------------------+---
now         |     MAC enc key      |      MAC dec key     |     Enc key      |  ...
(correct)   +----------------------+----------------------+------------------+---

In the previous code, when truncated HMAC was enabled, the HMAC keys
were truncated to 10 bytes:

             /-10 bytes-\  /-10 bytes-\
Keyblock    +-------------+-------------+------------------+---
previously  | MAC enc key | MAC dec key |     Enc key      |  ...
(wrong)     +-------------+-------------+------------------+---

The reason for this was that a single variable `transform->maclen` was used for
both the keysize and the size of the final MAC, and its value was reduced from
the MD size to 10 bytes in case truncated HMAC was negotiated.

This commit fixes this by introducing a temporary variable `mac_key_len` which
permanently holds the MD size irrespective of the presence of truncated HMAC,
and using this temporary to obtain the MAC key chunks from the keyblock.
2017-12-01 10:18:22 +00:00
Hanno Becker
b09c5721f5 Adapt ChangeLog 2017-11-20 10:43:48 +00:00
Hanno Becker
ce516ff449 Fix heap corruption in ssl_decrypt_buf
Previously, MAC validation for an incoming record proceeded as follows:

1) Make a copy of the MAC contained in the record;
2) Compute the expected MAC in place, overwriting the presented one;
3) Compare both.

This resulted in a record buffer overflow if truncated MAC was used, as in this
case the record buffer only reserved 10 bytes for the MAC, but the MAC
computation routine in 2) always wrote a full digest.

For specially crafted records, this could be used to perform a controlled write of
up to 6 bytes past the boundary of the heap buffer holding the record, thereby
corrupting the heap structures and potentially leading to a crash or remote code
execution.

This commit fixes this by making the following change:
1) Compute the expected MAC in a temporary buffer that has the size of the
   underlying message digest.
2) Compare to this to the MAC contained in the record, potentially
   restricting to the first 10 bytes if truncated HMAC is used.

A similar fix is applied to the encryption routine `ssl_encrypt_buf`.
2017-11-20 10:16:17 +00:00
Manuel Pégourié-Gonnard
ea0aa655f6 Merge branch 'mbedtls-2.1' into mbedtls-2.1-restricted
* mbedtls-2.1:
  Fix typo in asn1.h
  Improve leap year test names in x509parse.data
  Correctly handle leap year in x509_date_is_valid()
  Renegotiation: Add tests for SigAlg ext parsing
  Parse Signature Algorithm ext when renegotiating
  Fix changelog for ssl_server2.c usage fix
  Fix ssl_server2 sample application prompt
  Update ChangeLog for fix to #836
  Enhance documentation of ssl_write_hostname_ext, adapt ChangeLog.
  Enhance documentation of mbedtls_ssl_set_hostname
  Add test case calling ssl_set_hostname twice
  Make mbedtls_ssl_set_hostname safe to be called multiple times
  Fix typo in configs/README.txt file
2017-11-14 08:38:52 +01:00
Andres Amaya Garcia
fe7fd6e8dc Fix typo in asn1.h 2017-10-12 22:42:04 +01:00
Andres Amaya Garcia
b1d78fcf70 Improve leap year test names in x509parse.data 2017-10-12 21:03:15 +01:00
Andres Amaya Garcia
bc041130b0 Correctly handle leap year in x509_date_is_valid()
This patch ensures that invalid dates on leap years with 100 or 400
years intervals are handled correctly.
2017-10-12 21:03:01 +01:00
Janos Follath
5f1dd80eaf Renegotiation: Add tests for SigAlg ext parsing
This commit adds regression tests for the bug when we didn't parse the
Signature Algorithm extension when renegotiating. (By nature, this bug
affected only the server)

The tests check for the fallback hash (SHA1) in the server log to detect
that the Signature Algorithm extension hasn't been parsed at least in
one of the handshakes.

A more direct way of testing is not possible with the current test
framework, since the Signature Algorithm extension is parsed in the
first handshake and any corresponding debug message is present in the
logs.
2017-10-11 13:58:17 +01:00
Ron Eldor
bac9d4d90f Parse Signature Algorithm ext when renegotiating
Signature algorithm extension was skipped when renegotiation was in
progress, causing the signature algorithm not to be known when
renegotiating, and failing the handshake. Fix removes the renegotiation
step check before parsing the extension.
2017-10-11 13:58:08 +01:00
Simon Butcher
5d39aceb04 Fix changelog for ssl_server2.c usage fix 2017-10-02 19:17:57 +01:00
Ron Eldor
bd25784474 Fix ssl_server2 sample application prompt
FIx the type of server_addr parameter from %d to %s.
Issue reported by Email by Bei Jin
2017-10-02 19:17:48 +01:00
Simon Butcher
72e9ba2ce3 Update ChangeLog for fix to #836 2017-09-30 23:51:44 +01:00
Hanno Becker
c7845e51f3 Enhance documentation of ssl_write_hostname_ext, adapt ChangeLog.
Add a reference to the relevant RFC, adapt ChangeLog.
2017-09-30 23:49:01 +01:00
Hanno Becker
7891da28ea Enhance documentation of mbedtls_ssl_set_hostname
(1) Add missing error condition
(2) Specify allowance and effect of of NULL hostname parameter
(3) Describe effect of function on failure
2017-09-30 23:48:01 +01:00
Hanno Becker
b974e98b12 Add test case calling ssl_set_hostname twice
Add a test case calling ssl_set_hostname twice to test_suite_ssl.
When run in CMake build mode ASan, this catches the current leak,
but will hopefully be fine with the new version.
2017-09-30 23:47:44 +01:00
Hanno Becker
593b0d33f6 Make mbedtls_ssl_set_hostname safe to be called multiple times
Zeroize and free previously set hostnames before overwriting
them. Also, allow clearance of hostname by providing NULL parameter.
2017-09-30 23:47:34 +01:00
Ron Eldor
2823fad6cb Fix typo in configs/README.txt file
Fix typo in Readme file: ajust->adjust
2017-09-30 21:51:11 +01:00
Andres Amaya Garcia
41a38dfed6 Add ChangeLog entry 2017-09-15 11:01:40 +01:00
Andres Amaya Garcia
1042d8637c Dont send alert on invalid DTLS record type
Do not send fatal alerts when receiving a record with an invalid header
while running DTLS as this is not compliant behaviour.
2017-09-15 10:57:29 +01:00
Simon Butcher
1fe5e8ab44 Update version number to 2.1.9 2017-08-10 11:51:47 +01:00
Simon Butcher
a30508309e Fix language in Changelog for clarity 2017-08-10 10:48:33 +01:00
Simon Butcher
ea27c997c0 Improve documentation of PKCS1 decryption functions
Document the preconditions on the input and output buffers for
the PKCS1 decryption functions
 - mbedtls_rsa_pkcs1_decrypt,
 - mbedtls_rsa_rsaes_pkcs1_v15_decrypt
 - mbedtls_rsa_rsaes_oaep_decrypt
2017-08-01 23:00:34 +01:00
Hanno Becker
223f88dd2e Adapt ChangeLog 2017-07-28 22:15:31 +01:00
Hanno Becker
6ad82d714f Rename time and index parameter to avoid name conflict.
As noted in #557, several functions use 'index' resp. 'time'
as parameter names in their declaration and/or definition, causing name
conflicts with the functions in the C standard library of the same
name some compilers warn about.

This commit renames the arguments accordingly.
2017-07-28 22:14:55 +01:00
Hanno Becker
093620173b Correct comment and remove empty line 2017-07-28 21:43:19 +01:00
Hanno Becker
3948a101b6 Adapt ChangeLog 2017-07-28 21:42:50 +01:00
Hanno Becker
66daa68c19 Reliably zeroize sensitive data in AES sample application
The AES sample application programs/aes/aescrypt2 could miss zeroizing
the stack-based key buffer in case of an error during operation. This
commit fixes this and also clears another temporary buffer as well as
all command line arguments (one of which might be the key) before exit.
2017-07-28 21:41:11 +01:00
Hanno Becker
e0c35a6997 Reliably zeroize sensitive data in Crypt-and-Hash sample application
The AES sample application programs/aes/crypt_and_hash could miss
zeroizing the stack-based key buffer in case of an error during
operation. This commit fixes this and also clears all command line
arguments (one of which might be the key) before exit.
2017-07-28 21:40:52 +01:00
Simon Butcher
246bf6932d Fix duplication in Changelog introduced by merge 2017-07-28 13:08:07 +01:00
Simon Butcher
266f3446b7 Remove the check in ssl-opt.sh for MAX_INTERMEDIATE_CA
The check uses grep, not config.pl, on the x509 headers - not where it should
be configured - config.h. grep syntax isn't very portable. Without config.pl
it's quite hard to do this check properly so removing this check.
2017-07-28 13:02:33 +01:00
Simon Butcher
d4d70c4985 Fix threshold checks for MBEDTLS_X509_MAX_INTERMEDIATE_CA 2017-07-28 12:27:54 +01:00
Ron Eldor
b5851193eb Backport 2.1: check if iv is zero in gcm.
1) found by roberto in mbedtls forum
2) if iv_len is zero, return an error
3) add tests for invalid parameters
2017-07-28 12:21:38 +01:00
Hanno Becker
eeb1350073 Fix typo 2017-07-28 12:20:48 +01:00
Hanno Becker
88c6f726c5 Check threshold for MBEDTLS_X509_MAX_INTERMEDIATE_CA in X509 tests
The X509 test suite assumes that MBEDTLS_X509_MAX_INTERMEDIATE_CA is below the
hardcoded threshold 20 used in the long certificate chain generating script
tests/data_files/dir-max/long.sh. This commit adds a compile-time check for
that.
2017-07-28 12:20:48 +01:00
Hanno Becker
323a2227ee Improve Readme for long test certificate chains 2017-07-28 12:20:48 +01:00
Hanno Becker
81cc8f668b Check value of MBEDTLS_X509_MAX_INTERMEDIATE_CA in ssl-opt.sh
Some tests in ssl-opt.sh assumes the value 8 for the maximal number
MBEDTLS_X509_MAX_INTERMEDIATE_CA of intermediate CA's. This commit adds a check
before conducting the respective tests.
2017-07-28 12:20:48 +01:00
Hanno Becker
58897fbd7d Correct indentation and labelling in ChangeLog 2017-07-28 12:20:48 +01:00
Janos Follath
4721831ffb Fix typos 2017-07-28 12:20:48 +01:00
Manuel Pégourié-Gonnard
f2269b0579 Update doc of return value of verify() 2017-07-28 12:20:48 +01:00
Manuel Pégourié-Gonnard
71103cbcbb Make test script more portable
seq isn't POSIX and isn't present by default on BSDs
2017-07-28 12:20:48 +01:00
Manuel Pégourié-Gonnard
cdb4dc9393 Improve comments 2017-07-28 12:20:48 +01:00
Manuel Pégourié-Gonnard
83765655dd Add ChangeLog entry for the security issue 2017-07-28 12:20:48 +01:00