Commit Graph

6808 Commits

Author SHA1 Message Date
Hanno Becker
e214804625 Add small packet tests for DTLS
Add a DTLS small packet test for each of the following combinations:
- DTLS version: 1.0 or 1.2
- Encrypt then MAC extension enabled
- Truncated HMAC extension enabled

Large packets tests for DTLS are currently not possible due to parameter
constraints in ssl_server2.
2017-11-20 16:25:50 +00:00
Hanno Becker
278fc7aedd Extend large packet tests for TLS
Same as previous commit, but for large packet tests.
2017-11-20 16:25:50 +00:00
Hanno Becker
8501f98ec4 Extend small packet tests for TLS
This commit ensures that there is a small packet test for at least any
combination of
- SSL/TLS version: SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2
- Stream cipher (RC4) or Block cipher (AES)
- Usage of Encrypt then MAC extension [TLS only]
- Usage of truncated HMAC extension [TLS only]
2017-11-20 16:25:50 +00:00
Hanno Becker
32c550141f Add missing dependencies on trunc HMAC ext in ssl-opt.sh
Noticed that the test cases in ssl-opt.sh exercising the truncated HMAC
extension do not depend on MBEDTLS_SSL_TRUNCATED_HMAC being enabled in
config.h. This commit fixes this.
2017-11-20 16:25:50 +00:00
Hanno Becker
81c7b18351 Don't truncate MAC key when truncated HMAC is negotiated
The truncated HMAC extension as described in
https://tools.ietf.org/html/rfc6066.html#section-7 specifies that when truncated
HMAC is used, only the HMAC output should be truncated, while the HMAC key
generation stays unmodified. This commit fixes Mbed TLS's behavior of also
truncating the key, potentially leading to compatibility issues with peers
running other stacks than Mbed TLS.

Details:
The keys for the MAC are pieces of the keyblock that's generated from the
master secret in `mbedtls_ssl_derive_keys` through the PRF, their size being
specified as the size of the digest used for the MAC, regardless of whether
truncated HMAC is enabled or not.

             /----- MD size ------\ /------- MD size ----\
Keyblock    +----------------------+----------------------+------------------+---
now         |     MAC enc key      |      MAC dec key     |     Enc key      |  ...
(correct)   +----------------------+----------------------+------------------+---

In the previous code, when truncated HMAC was enabled, the HMAC keys
were truncated to 10 bytes:

             /-10 bytes-\  /-10 bytes-\
Keyblock    +-------------+-------------+------------------+---
previously  | MAC enc key | MAC dec key |     Enc key      |  ...
(wrong)     +-------------+-------------+------------------+---

The reason for this was that a single variable `transform->maclen` was used for
both the keysize and the size of the final MAC, and its value was reduced from
the MD size to 10 bytes in case truncated HMAC was negotiated.

This commit fixes this by introducing a temporary variable `mac_key_len` which
permanently holds the MD size irrespective of the presence of truncated HMAC,
and using this temporary to obtain the MAC key chunks from the keyblock.
2017-11-20 16:25:50 +00:00
Hanno Becker
7dc832bb53 Adapt ChangeLog 2017-11-20 08:52:25 +00:00
Hanno Becker
992b6872f3 Fix heap corruption in ssl_decrypt_buf
Previously, MAC validation for an incoming record proceeded as follows:

1) Make a copy of the MAC contained in the record;
2) Compute the expected MAC in place, overwriting the presented one;
3) Compare both.

This resulted in a record buffer overflow if truncated MAC was used, as in this
case the record buffer only reserved 10 bytes for the MAC, but the MAC
computation routine in 2) always wrote a full digest.

For specially crafted records, this could be used to perform a controlled write of
up to 6 bytes past the boundary of the heap buffer holding the record, thereby
corrupting the heap structures and potentially leading to a crash or remote code
execution.

This commit fixes this by making the following change:
1) Compute the expected MAC in a temporary buffer that has the size of the
   underlying message digest.
2) Compare to this to the MAC contained in the record, potentially
   restricting to the first 10 bytes if truncated HMAC is used.

A similar fix is applied to the encryption routine `ssl_encrypt_buf`.
2017-11-20 08:52:25 +00:00
Darryl Green
f5bcbede92 Add tests for invalid private parameters in mbedtls_ecdsa_sign() 2017-11-17 17:09:31 +00:00
Darryl Green
c64a48bec7 Add checks for private parameter in mbedtls_ecdsa_sign() 2017-11-17 17:09:17 +00:00
Hanno Becker
72a4f0338d Add tests for UDP proxy packing option 2017-11-15 16:39:20 +00:00
Hanno Becker
000767123f Add tests for event-driven I/O 2017-11-15 16:39:08 +00:00
Andres Amaya Garcia
5a6da63138 Fix indentation for mbedtls_x509_crt_check_key_usage() 2017-11-14 21:47:08 +00:00
Andres Amaya Garcia
c81fcb9d36 Fix typos in documentation for mbedtls_x509_crt_check_extended_key_usage() 2017-11-14 21:43:14 +00:00
Manuel Pégourié-Gonnard
888fedea06 Merge branch 'development' into development-restricted
* development: (30 commits)
  update README file (#1144)
  Fix typo in asn1.h
  Improve leap year test names in x509parse.data
  Correctly handle leap year in x509_date_is_valid()
  Renegotiation: Add tests for SigAlg ext parsing
  Parse Signature Algorithm ext when renegotiating
  Minor style fix
  config.pl get: be better behaved
  config.pl get: don't rewrite config.h; detect write errors
  Fixed "config.pl get" for options with no value
  Fix typo and bracketing in macro args
  Ensure failed test_suite output is sent to stdout
  Remove use of GNU sed features from ssl-opt.sh
  Fix typos in ssl-opt.sh comments
  Add ssl-opt.sh test to check gmt_unix_time is good
  Extend ssl-opt.h so that run_test takes function
  Always print gmt_unix_time in TLS client
  Restored note about using minimum functionality in makefiles
  Note in README that GNU make is required
  Fix changelog for ssl_server2.c usage fix
  ...
2017-11-14 08:24:22 +01:00
Hanno Becker
05c4fc8608 Correct typo in debugging message 2017-11-09 14:34:06 +00:00
Andres Amaya Garcia
7786abc16b Define ASN1 bitmask macros in more direct way 2017-11-07 20:21:56 +00:00
Andres Amaya Garcia
72705c906c Add regression test for parsing subjectAltNames 2017-11-07 20:16:19 +00:00
Andres Amaya Garcia
ceae42659b Add ChangeLog entry 2017-11-07 19:35:13 +00:00
Andres Amaya Garcia
849bc65bbf Fix x509_get_subject_alt_name to drop invalid tag
Fix the x509_get_subject_alt_name() function to not accept invalid
tags. The problem was that the ASN.1 class for tags consists of two
bits. Simply doing bit-wise and of the CONTEXT_SPECIFIC macro with the
input tag has the potential of accepting tag values 0x10 (private)
which would indicate that the certificate has an incorrect format.
2017-11-07 19:34:35 +00:00
Andres Amaya Garcia
7512bf7d63 Add macros to ASN.1 module to parse ASN.1 tags
The macros simply extract the component bits of an ASN.1 tag value
2017-11-07 19:34:35 +00:00
Hanno Becker
298a7b214d Change wording of directions on the usage of SSL context after error 2017-11-06 10:45:26 +00:00
Chris Xue
9a51c032ee Fix copy paste error in the error message of mbedtls_ecp_gen_key in gen_key.c 2017-11-05 19:10:51 +00:00
Hanno Becker
77abef5cba Don't use busy-waiting in udp_proxy
Also, correct inconsistent use of unsigned integer types in udp_proxy.
2017-11-02 14:03:18 +00:00
Ron Eldor
2ac96620f3 change URL
Change URL from developer.mbed.org to os.mbed.com
2017-11-01 14:19:50 +02:00
Hanno Becker
0cc7774dab Only add pack option to UDP proxy if MBEDTLS_TIMING_C is enabled 2017-10-31 14:14:10 +00:00
Hanno Becker
92474da0a2 Use Mbed TLS timing module to obtain ellapsed time in udp_proxy 2017-10-31 14:14:08 +00:00
Hanno Becker
211f44c928 Rename merge option in UDP proxy to pack 2017-10-31 14:08:10 +00:00
Hanno Becker
9b19a1253f Clarify use of mbedtls_ssl_check_pending 2017-10-31 13:07:49 +00:00
Hanno Becker
197a91cd82 Clean up idle() function in ssl_client2 and ssl_server2 2017-10-31 13:07:38 +00:00
Ron Eldor
9d22619a13 Change Arm Trademarks to the issue template
Change the Trademarks to the issue template document
2017-10-30 18:39:47 +02:00
Ron Eldor
c7acb913ce Change Arm Trademarks
Change the Arm Trademarks according to updated Trademarks
2017-10-30 17:24:50 +02:00
Ron Eldor
22360825ae Address PR review comments
set `cache->chain` to NULL,
instead of setting the whole structure to zero.
2017-10-29 17:53:52 +02:00
Hanno Becker
df4180a235 Don't break debug messages 2017-10-27 15:04:14 +01:00
Hanno Becker
2412061a5a Correct typo and improve documentation 2017-10-26 11:53:35 +01:00
Hanno Becker
7bba968afc Adapt ChangeLog 2017-10-26 11:53:26 +01:00
Manuel Pégourié-Gonnard
3f81691d29 Revert to old behaviour of profile_check_key()
Was never documented to check for key alg compatibility, so should not start
doing so. Just stop relying on the pk_alg argument instead.
2017-10-26 10:24:16 +02:00
Manuel Pégourié-Gonnard
254eec8bb4 Document choice of script exit code 2017-10-26 09:47:36 +02:00
Hanno Becker
3319555b7c Improve documentation of mbedtls_rsa_import[_raw] 2017-10-25 17:04:10 +01:00
Gilles Peskine
8149321fed udp_proxy_wrapper.sh: fix cleanup not cleaning up
Fixed cleanup leaving the actual udp_proxy behind and only killing an
intermediate shell process.

Fixed trap handler cleaning up but then not dying.
2017-10-24 11:25:19 +01:00
Gilles Peskine
afc4f892d1 udp_proxy_wrapper.sh: more robust
Don't mangle arguments containing spaces and other special characters,
pass them unchanged to the proxy or server as applicable.

More robust parsing of server parameters: don't hit on partial words;
use ssl_server2's default values.

Minor style improvements.
2017-10-24 10:05:55 +01:00
Manuel Pégourié-Gonnard
19773ff835 Avoid comparing size between RSA and EC keys 2017-10-24 10:51:26 +02:00
Hanno Becker
a677cdd459 Detect IPv6 in udp_proxy_wrapper.sh grepping for server_addr=::1 2017-10-23 15:29:31 +01:00
Hanno Becker
22829e9860 Don't use sed -r in udp_proxy_wrapper.sh 2017-10-23 15:29:24 +01:00
Hanno Becker
4ac73e7804 Use shell string processing instead of sed in ssl-opt.sh 2017-10-23 15:27:37 +01:00
Hanno Becker
e41158ba10 Add comment on the meaning of ssl->in_offt == NULL 2017-10-23 13:30:32 +01:00
Hanno Becker
e72489de11 Remove internal references and use milder wording for some comments 2017-10-23 13:23:50 +01:00
Hanno Becker
a6fb089efc Don't split debug messages 2017-10-23 13:17:48 +01:00
Hanno Becker
ffb1e1ab3d Documentation improvements 2017-10-23 13:17:42 +01:00
Hanno Becker
27b34d5bad Wrong identifier used to check Encrypt-then-MAC flag
This commit fixes a comparison of ssl_session->encrypt_then_mac against the
ETM-unrelated constant MBEDTLS_SSL_EXTENDED_MS_DISABLED. Instead,
MBEDTLS_SSL_ETM_DISABLED should be used.

The typo is has no functional effect since both constants have the same value 0.
2017-10-20 14:24:51 +01:00
Gilles Peskine
91048a3aac RSA PSS: remove redundant check; changelog
Remove a check introduced in the previous buffer overflow fix with keys of
size 8N+1 which the subsequent fix for buffer start calculations made
redundant.

Added a changelog entry for the buffer start calculation fix.
2017-10-19 17:46:14 +02:00