Commit Graph

1091 Commits

Author SHA1 Message Date
Hanno Becker
1af21bfa38 Improve documentation of PKCS1 decryption functions
Document the preconditions on the input and output buffers for
the PKCS1 decryption functions
- rsa_pkcs1_decrypt
- rsa_rsaes_pkcs1_v15_decrypt
- rsa_rsaes_oaep_decrypt
2017-08-01 23:05:31 +01:00
Hanno Becker
ab3fbc2146 Rename time and index parameter to avoid name conflict.
As noted in #557, several functions use 'index' resp. 'time'
as parameter names in their declaration and/or definition, causing name
conflicts with the functions in the C standard library of the same
name some compilers warn about.

This commit renames the arguments accordingly.
2017-07-28 22:08:16 +01:00
Janos Follath
5308f47038 Fix implementation-defined integer conversion
"When an integer is demoted to a signed integer with smaller size, or an
unsigned integer is converted to its corresponding signed integer, if
the value cannot be represented the result is implementation-defined."
2017-07-28 13:15:57 +01:00
Manuel Pégourié-Gonnard
cfea3ebd01 Update doc of return value of verify() 2017-07-28 13:15:57 +01:00
Manuel Pégourié-Gonnard
d0e755716f Only return VERIFY_FAILED from a single point
Everything else is a fatal error. Also improve documentation about that for
the vrfy callback.
2017-07-28 13:15:57 +01:00
Simon Butcher
573bb96416 Improve documentation of PKCS1 decryption functions
Document the preconditions on the input and output buffers for
the PKCS1 decryption functions
 - mbedtls_rsa_pkcs1_decrypt,
 - mbedtls_rsa_rsaes_pkcs1_v15_decrypt
  - mbedtls_rsa_rsaes_oaep_decrypt
2017-07-19 01:58:47 +01:00
Simon Butcher
8a2855ee3c Update the version number to 1.3.20 2017-06-20 23:46:46 +01:00
Manuel Pégourié-Gonnard
b870179c3c Merge remote-tracking branch 'restricted/iotssl-1398_backport-1.3' into mbedtls-1.3-restricted
* restricted/iotssl-1398_backport-1.3:
  Add ChangeLog entry
  Ensure application data records are not kept when fully processed
  Add hard assertion to ssl_read_record
  Fix mbedtls_ssl_read
  Simplify retaining of messages for future processing
2017-06-09 17:06:43 +02:00
Manuel Pégourié-Gonnard
7d810939b5 Merge remote-tracking branch 'restricted/1205' into mbedtls-1.3-restricted
* restricted/1205:
  Fix name, documentation & location of config flag
  Restrict MD5 in x509 certificates
2017-06-09 14:49:04 +02:00
Manuel Pégourié-Gonnard
ca3ff06cea Merge remote-tracking branch 'hanno/mpi_read_file_underflow_backport-1.3' into mbedtls-1.3
* hanno/mpi_read_file_underflow_backport-1.3:
  Fix potential stack underflow in mpi_read_file.
2017-06-08 19:54:29 +02:00
Manuel Pégourié-Gonnard
f1ab79079d Merge remote-tracking branch 'hanno/sliding_exponentiation_backport-1.3' into mbedtls-1.3
* hanno/sliding_exponentiation_backport-1.3:
  Adapt ChangeLog
  Abort modular inversion when modulus is one.
  Correct sign in modular exponentiation algorithm.
2017-06-08 19:53:47 +02:00
Manuel Pégourié-Gonnard
48ed550b92 Fix name, documentation & location of config flag 2017-06-08 17:27:20 +02:00
Hanno Becker
10699cc96c Simplify retaining of messages for future processing
There are situations in which it is not clear what message to expect
next. For example, the message following the ServerHello might be
either a Certificate, a ServerKeyExchange or a CertificateRequest. We
deal with this situation in the following way: Initially, the message
processing function for one of the allowed message types is called,
which fetches and decodes a new message. If that message is not the
expected one, the function returns successfully (instead of throwing
an error as usual for unexpected messages), and the handshake
continues to the processing function for the next possible message. To
not have this function fetch a new message, a flag in the SSL context
structure is used to indicate that the last message was retained for
further processing, and if that's set, the following processing
function will not fetch a new record.

This commit simplifies the usage of this message-retaining parameter
by doing the check within the record-fetching routine instead of the
specific message-processing routines. The code gets cleaner this way
and allows retaining messages to be used in other situations as well
without much effort. This will be used in the next commits.
2017-06-08 15:41:02 +01:00
Manuel Pégourié-Gonnard
674df30480 Merge remote-tracking branch 'janos/mbedtls-1.3-iotssl-1156-ecdsa-sample-and-doc-clarification' into mbedtls-1.3
* janos/mbedtls-1.3-iotssl-1156-ecdsa-sample-and-doc-clarification:
  Clarify the use of ECDSA API
2017-06-08 10:18:15 +02:00
Janos Follath
5d96a3dcde Clarify the use of ECDSA API
In the ecdsa.c sample application we don't use hashing, we use ecdsa
directly on a buffer containing plain text. Although the text explains
that it should be the message hash it still can be confusing.

Any misunderstandings here are potentially very dangerous, because ECDSA
truncates the message hash if necessary and this can lead to trivial
signature forgeries if the API is misused and the message is passed
directly to the function without hashing.

This commit adds a hash computation step to the ecdsa.c sample
application and clarification to the doxygen documentation of the
ECDSA functions involved.
2017-06-07 17:05:00 +01:00
Hanno Becker
888c2fde60 Fix implementation of VERIFY_OPTIONAL verification mode
This commit changes the behaviour of mbedtls_ssl_parse_certificate
to make the two authentication modes SSL_VERIFY_REQUIRED and
SSL_VERIFY_OPTIONAL be in the following relationship:

    Mode == SSL_VERIFY_REQUIRED
<=> Mode == SSL_VERIFY_OPTIONAL + check verify result

Also, it changes the behaviour to perform the certificate chain
verification even if the trusted CA chain is empty. Previously, the
function failed in this case, even when using optional verification,
which was brought up in #864.
2017-06-07 11:35:05 +01:00
Ron Eldor
a9ec0cd77f Restrict MD5 in x509 certificates
Remove support for X509 certificates signed with MD5.
Issue raised by Harm Verhagen
2017-06-07 10:58:36 +03:00
Hanno Becker
c2b9d984e9 Remember suitable hash function for any signature algorithm.
This commit changes `ssl_parse_signature_algorithms_ext` to remember
one suitable ( := supported by client and by our config ) hash
algorithm per signature algorithm.

It also modifies the ciphersuite checking function
`ssl_ciphersuite_match` to refuse a suite if there
is no suitable hash algorithm.

Finally, it adds the corresponding entry to the ChangeLog.
2017-05-24 10:47:54 +01:00
Hanno Becker
8c7698b62a Fix potential stack underflow in mpi_read_file.
When provided with an empty line, mpi_read_file causes a numeric
underflow resulting in a stack underflow. This commit fixes this and
adds some documentation to mpi_read_file.
2017-05-12 07:26:01 +01:00
Hanno Becker
1c6339f966 Abort modular inversion when modulus is one.
The modular inversion function hangs when provided with the modulus
1. This commit refuses this modulus with a BAD_INPUT error code. It
also adds a test for this case.
2017-05-11 16:02:20 +01:00
Simon Butcher
4c5154d0c0 Updated version number to 1.3.19 for release 2017-03-08 17:22:34 +00:00
Simon Butcher
c1d54bb7b2 Update library version to 1.3.18 2016-10-17 23:40:14 +01:00
Janos Follath
441d6f9833 Remove MBEDTLS_SSL_AEAD_RANDOM_IV feature
In a USENIX WOOT '16 paper the authors warn about a security risk
of random Initialisation Vectors (IV) repeating values.

The MBEDTLS_SSL_AEAD_RANDOM_IV feature is affected by this risk and
it isn't compliant with RFC5116. Furthermore, strictly speaking it
is a different cipher suite from the TLS (RFC5246) point of view.

Removing the MBEDTLS_SSL_AEAD_RANDOM_IV feature to resolve the above
problems.

Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky and Philipp
Jovanovic, "Nonce-Disrespecting Adversaries: Practical Forgery Attacks
on GCM in TLS", USENIX WOOT '16
2016-10-13 14:14:16 +01:00
Andres AG
6ad5d9450a Fix documentation for mbedtls_gcm_finish()
Fix implementation and documentation missmatch for the function
arguments to mbedtls_gcm_finish(). Also, removed redundant if condition
that always evaluates to true.
2016-10-13 12:54:32 +01:00
Janos Follath
17da9dd829 Add option for relaxed X509 time verification.
The certificates are not valid according to the RFC, but are in wide
distribution across the internet. Hence the request to add a
compile-time flag to accept these certificates if wanted by the
application.

If POLARSSL_RELAXED_X509_DATE is enabled it will allow dates without
seconds, and allow dates with timezones (but doesn't actually use
the timezone).

Patch provided by OpenVPN.
2016-09-30 09:04:18 +01:00
Simon Butcher
4f7b13bd79 Changed library version number to 1.3.17 2016-06-27 19:37:31 +01:00
Janos Follath
4dfecabb97 Update default configuration
Change the default settings for SSL and modify the tests accordingly.
2016-03-14 13:40:43 +00:00
Manuel Pégourié-Gonnard
54f2c490ed Avoid build errors with -O0 due to assembly 2016-01-08 15:30:03 +01:00
Simon Butcher
84181adae8 Change version number to 1.3.16
Changed version for library files and yotta module
2016-01-04 22:49:30 +00:00
Simon Butcher
d7fe6fbd76 Fix for MPI divide on MSVC
Resolves multiple platform issues when building bignum.c with Microsoft
Visual Studio.
2016-01-03 22:39:18 +00:00
Simon Butcher
14400c8fb0 Merge memory leak fix into branch 'mbedtls-1.3'
Merge of fix for memory leak in RSA-SSA signing - #372
2016-01-02 00:28:19 +00:00
Simon Butcher
1f4e08c979 Changed version number to 1.3.15
Changed for library
2015-11-05 15:44:46 +00:00
Manuel Pégourié-Gonnard
7bbabeae8f Disable reportedly broken assembly of Sparc(64)
fixes #292
2015-10-27 15:12:39 +01:00
Manuel Pégourié-Gonnard
c094a97223 ECHDE-PSK does not use a certificate
fixes #270
2015-10-27 15:12:39 +01:00
Manuel Pégourié-Gonnard
ad9c68ab21 Fix typo in documenation 2015-10-20 09:38:10 +02:00
Simon Butcher
9b52b804c7 Corrected misleading fn description in ssl_cache.h
Mistake in comments spotted by Andris Mednis
2015-10-19 19:35:04 +01:00
Manuel Pégourié-Gonnard
f093bde91e Bump version to 1.3.14 2015-10-05 19:06:46 +01:00
Manuel Pégourié-Gonnard
c5934272fc Merge branch 'mbedtls-1.3' into mbedtls-1.3-restricted
* mbedtls-1.3:
  Fix spurious #endif from previous cherry-pick
  Fix macroization of inline in C++
  Add missing warning in doc
  Fix compile error in net.c with musl libc
2015-10-05 17:06:24 +01:00
Simon Butcher
36abef4c5c Merge multiple backported vulnerability fixes 2015-10-05 16:44:59 +01:00
Manuel Pégourié-Gonnard
fa647a75a1 Fix references to non-standard SIZE_T_MAX
Turns out C99 doesn't define SIZE_T_MAX, so let's not use it.
2015-10-05 15:29:48 +01:00
Manuel Pégourié-Gonnard
cf1db3cf1c Fix spurious #endif from previous cherry-pick 2015-10-05 14:57:01 +01:00
Manuel Pégourié-Gonnard
20607bb0fa Fix macroization of inline in C++
When compiling as C++, MSVC complains about our macroization of a keyword.
Stop doing that as we know inline is always available in C++
2015-10-05 14:28:17 +01:00
Manuel Pégourié-Gonnard
ded3ae500b Add missing warning in doc
Found by Nicholas Wilson

fixes #288
2015-10-05 14:18:16 +01:00
Manuel Pégourié-Gonnard
6d6018383e Fix typos in ChangeLog and comments 2015-10-01 18:20:55 +02:00
Manuel Pégourié-Gonnard
48ec2c7b5e Fix potential overflow in base64_encode 2015-10-01 10:07:28 +02:00
Simon Butcher
c988f32add Added max length checking of hostname 2015-09-29 23:27:20 +01:00
Manuel Pégourié-Gonnard
df048c59cf Bump version to 1.3.13 2015-09-17 11:53:14 +02:00
Manuel Pégourié-Gonnard
89789be80f Fix handling of new config option
fixes #256
2015-08-27 09:54:16 +02:00
Paul Bakker
3edec6c4ed Prepare for 1.3.12 release 2015-08-11 13:22:10 +01:00
Manuel Pégourié-Gonnard
027ead91e5 Disable padlock asm with ASan
Causes errors with some versions of ASan
2015-08-10 17:44:53 +02:00