Commit Graph

5173 Commits

Author SHA1 Message Date
Janos Follath
3fb1cc37a6 Improve Changelog 2017-06-16 14:15:08 +01:00
Manuel Pégourié-Gonnard
bff031608f Merge branch 'mbedtls-2.1' into mbedtls-2.1-restricted
* mbedtls-2.1:
  Remove %zu format string from ssl_client2 and ssl_server2
2017-06-09 17:41:34 +02:00
Manuel Pégourié-Gonnard
d690189977 Merge remote-tracking branch 'hanno/remove_format_qualifier_backport-2.1' into mbedtls-2.1
* hanno/remove_format_qualifier_backport-2.1:
  Remove %zu format string from ssl_client2 and ssl_server2
2017-06-09 17:39:14 +02:00
Hanno Becker
46a1629c5f Remove %zu format string from ssl_client2 and ssl_server2 2017-06-09 16:14:49 +01:00
Manuel Pégourié-Gonnard
89930b354c Merge remote-tracking branch 'restricted/iotssl-1398_backport-2.1' into mbedtls-2.1-restricted
* restricted/iotssl-1398_backport-2.1:
  Add ChangeLog entry
  Ensure application data records are not kept when fully processed
  Add hard assertion to mbedtls_ssl_read_record_layer
  Fix mbedtls_ssl_read
  Simplify retaining of messages for future processing
2017-06-09 15:06:31 +02:00
Manuel Pégourié-Gonnard
43df7e6bb7 Merge near-duplicate ChangeLog entries
As agreed with Gilles on the PR discussion page
2017-06-09 14:47:42 +02:00
Hanno Becker
88647ace2b Add ChangeLog entry 2017-06-09 11:30:33 +01:00
Hanno Becker
cc019084b8 Ensure application data records are not kept when fully processed
This commit fixes the following case: If a client is both expecting a
SERVER_HELLO and has an application data record that's partially
processed in flight (that's the situation the client gets into after
receiving a ServerHelloRequest followed by ApplicationData), a
subsequent call to mbedtls_ssl_read will set keep_current_message = 1
when seeing the unexpected application data, but not reset it to 0
after the application data has been processed. This commit fixes this.
2017-06-09 10:51:37 +01:00
Manuel Pégourié-Gonnard
e2356722c0 ChangeLog cosmetics 2017-06-08 20:36:58 +02:00
Manuel Pégourié-Gonnard
1defa8fd6d Merge remote-tracking branch 'restricted/iotssl-1138-rsa-padding-check-2.1-restricted' into mbedtls-2.1-restricted
* restricted/iotssl-1138-rsa-padding-check-2.1-restricted:
  RSA PKCS1v1.5 verification: check padding length
2017-06-08 20:33:53 +02:00
Manuel Pégourié-Gonnard
63906d9200 Merge remote-tracking branch 'restricted/IOTSSL-1366/mbedtls-2.1' into mbedtls-2.1-restricted
* restricted/IOTSSL-1366/mbedtls-2.1:
  More length checks in RSA PKCS1v15 verify
  More length checks in RSA PKCS1v15 verify
2017-06-08 20:26:06 +02:00
Manuel Pégourié-Gonnard
640edc7810 Merge remote-tracking branch 'hanno/mpi_read_file_underflow_backport-2.1' into mbedtls-2.1
* hanno/mpi_read_file_underflow_backport-2.1:
  Fix potential stack underflow in mpi_read_file.
2017-06-08 19:51:19 +02:00
Manuel Pégourié-Gonnard
ebe391d1cd Merge remote-tracking branch 'hanno/sliding_exponentiation_backport-2.1' into mbedtls-2.1
* hanno/sliding_exponentiation_backport-2.1:
  Adapt ChangeLog
  Abort modular inversion when modulus is one.
  Correct sign in modular exponentiation algorithm.
2017-06-08 19:49:50 +02:00
Manuel Pégourié-Gonnard
55393666a1 Fix issue in testing SHA-1 compile-time option 2017-06-08 18:11:57 +02:00
Hanno Becker
bfbc494114 Add hard assertion to mbedtls_ssl_read_record_layer
This commit adds a hard assertion to mbedtls_ssl_read_record_layer
triggering if both ssl->in_hslen and ssl->in_offt are not 0. This
should never happen, and if it does, there's no sensible way of
telling whether the previous message was a handshake or an application
data message.
2017-06-08 14:04:31 +01:00
Hanno Becker
6a582e80f2 Fix mbedtls_ssl_read
Don't fetch a new record in mbedtls_ssl_read_record_layer as long as an application data record is being processed.
2017-06-08 14:04:22 +01:00
Hanno Becker
704f493730 Simplify retaining of messages for future processing
There are situations in which it is not clear what message to expect
next. For example, the message following the ServerHello might be
either a Certificate, a ServerKeyExchange or a CertificateRequest. We
deal with this situation in the following way: Initially, the message
processing function for one of the allowed message types is called,
which fetches and decodes a new message. If that message is not the
expected one, the function returns successfully (instead of throwing
an error as usual for unexpected messages), and the handshake
continues to the processing function for the next possible message. To
not have this function fetch a new message, a flag in the SSL context
structure is used to indicate that the last message was retained for
further processing, and if that's set, the following processing
function will not fetch a new record.

This commit simplifies the usage of this message-retaining parameter
by doing the check within the record-fetching routine instead of the
specific message-processing routines. The code gets cleaner this way
and allows retaining messages to be used in other situations as well
without much effort. This will be used in the next commits.
2017-06-08 13:08:45 +01:00
Manuel Pégourié-Gonnard
431c2afe3e Merge remote-tracking branch 'janos/mbedtls-2.1-iotssl-1156-ecdsa-sample-and-doc-clarification' into mbedtls-2.1
* janos/mbedtls-2.1-iotssl-1156-ecdsa-sample-and-doc-clarification:
  Clarify the use of ECDSA API
2017-06-08 10:17:54 +02:00
Manuel Pégourié-Gonnard
a9a65c8321 Merge remote-tracking branch 'hanno/iotssl-1341-optional-certificate-verification-needs-ca-chain-backport-2.1' into mbedtls-2.1
* hanno/iotssl-1341-optional-certificate-verification-needs-ca-chain-backport-2.1:
  Add tests for missing CA chains and bad curves.
  Fix implementation of VERIFY_OPTIONAL verification mode
2017-06-08 10:00:53 +02:00
Janos Follath
5ad678971d Clarify the use of ECDSA API
In the ecdsa.c sample application we don't use hashing, we use ecdsa
directly on a buffer containing plain text. Although the text explains
that it should be the message hash it still can be confusing.

Any misunderstandings here are potentially very dangerous, because ECDSA
truncates the message hash if necessary and this can lead to trivial
signature forgeries if the API is misused and the message is passed
directly to the function without hashing.

This commit adds a hash computation step to the ecdsa.c sample
application and clarification to the doxygen documentation of the
ECDSA functions involved.
2017-06-07 15:59:21 +01:00
Hanno Becker
61c0c70418 Add tests for missing CA chains and bad curves.
This commit adds four tests to tests/ssl-opt.sh:
(1) & (2): Check behaviour of optional/required verification when the
trusted CA chain is empty.
(3) & (4): Check behaviour of optional/required verification when the
client receives a server certificate with an unsupported curve.
2017-06-07 11:36:12 +01:00
Hanno Becker
a3929bac1e Fix implementation of VERIFY_OPTIONAL verification mode
This commit changes the behaviour of mbedtls_ssl_parse_certificate
to make the two authentication modes MBEDTLS_SSL_VERIFY_REQUIRED and
MBEDTLS_SSL_VERIFY_OPTIONAL be in the following relationship:

    Mode == MBEDTLS_SSL_VERIFY_REQUIRED
<=> Mode == MBEDTLS_SSL_VERIFY_OPTIONAL + check verify result

Also, it changes the behaviour to perform the certificate chain
verification even if the trusted CA chain is empty. Previously, the
function failed in this case, even when using optional verification,
which was brought up in #864.
2017-06-07 11:36:09 +01:00
Manuel Pégourié-Gonnard
b55f613601 Merge remote-tracking branch 'gilles/iotssl-1223/mbedtls-2.1' into mbedtls-2.1
* gilles/iotssl-1223/mbedtls-2.1:
  Fix FALLBACK_SCSV parsing
2017-06-06 20:12:51 +02:00
Manuel Pégourié-Gonnard
5e0144f2ef Fix bug in backport from SHA-1 blacklisting 2017-06-06 19:35:34 +02:00
Manuel Pégourié-Gonnard
aa859505d2 Merge branch 'sha1-2.1' into mbedtls-2.1
* sha1-2.1:
  Cleaned up negative test predicate for test case
  all.sh: test with SHA-1 enabled
  SHA-1 deprecation: allow it in key exchange
  Allow SHA-1 in server tests, when the signature_algorithm extension is not used
  Document test data makefile
  X.509 tests: obey compile-time SHA-1 support option
  Allow SHA-1 in test scripts
  Test that SHA-1 defaults off
  Allow SHA-1 in SSL renegotiation tests
  Test that X.509 verification rejects SHA-256 by default
  Allow SHA-1 in X.509 and TLS tests
  X.509 self-tests: replaced SHA-1 certificates by SHA-256
  Added SHA256 test certificates
  Remove SHA-1 in TLS by default
2017-06-06 19:14:47 +02:00
Gilles Peskine
c4cb493174 Cleaned up negative test predicate for test case
The test infrastructure does support negative predicates for test
cases, thanks to Andreas for letting me know.
2017-06-06 19:09:04 +02:00
Gilles Peskine
b49351d1aa all.sh: test with SHA-1 enabled
Enabling SHA-1 for certificates is deprecated but we still want it to work.

Thanks to @andresag01
2017-06-06 19:09:04 +02:00
Gilles Peskine
7344e1bd05 SHA-1 deprecation: allow it in key exchange
By default, keep allowing SHA-1 in key exchange signatures. Disabling
it causes compatibility issues, especially with clients that use
TLS1.2 but don't send the signature_algorithms extension.

SHA-1 is forbidden in certificates by default, since it's vulnerable
to offline collision-based attacks.
2017-06-06 19:09:02 +02:00
Gilles Peskine
db56acae43 Allow SHA-1 in server tests, when the signature_algorithm extension is not used 2017-06-06 19:08:23 +02:00
Gilles Peskine
9bb4f2835c Document test data makefile 2017-06-06 19:08:23 +02:00
Gilles Peskine
e7375ef314 X.509 tests: obey compile-time SHA-1 support option
There is now one test case to validate that SHA-1 is rejected in
certificates by default, and one test case to validate that SHA-1 is
supported if MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 is #defined.
2017-06-06 19:08:23 +02:00
Gilles Peskine
35db5bae2c Allow SHA-1 in test scripts 2017-06-06 19:08:23 +02:00
Gilles Peskine
ae76599686 Test that SHA-1 defaults off
Added tests to validate that certificates signed using SHA-1 are
rejected by default, but accepted if SHA-1 is explicitly enabled.
2017-06-06 19:08:23 +02:00
Gilles Peskine
12c19541a9 Allow SHA-1 in SSL renegotiation tests
In the TLS test client, allow SHA-1 as a signature hash algorithm.
Without this, the renegotation tests failed.

A previous commit had allowed SHA-1 via the certificate profile but
that only applied before the initial negotiation which includes the
signature_algorithms extension.
2017-06-06 19:08:23 +02:00
Gilles Peskine
559674ce48 Test that X.509 verification rejects SHA-256 by default 2017-06-06 19:08:23 +02:00
Gilles Peskine
dd57d75dfa Allow SHA-1 in X.509 and TLS tests
SHA-1 is now disabled by default in the X.509 layer. Explicitly enable
it in our tests for now. Updating all the test data to SHA-256 should
be done over time.
2017-06-06 19:08:23 +02:00
Gilles Peskine
5877c27846 X.509 self-tests: replaced SHA-1 certificates by SHA-256 2017-06-06 19:08:23 +02:00
Gilles Peskine
83ed596d62 Added SHA256 test certificates
With SHA-1 deprecation, we need a few certificates using algorithms in
the default support list. Most tests still use SHA-1 though.

The generation process for the new certificates is recorded in the makefile.
2017-06-06 19:08:23 +02:00
Gilles Peskine
955738a4f2 Remove SHA-1 in TLS by default
Default to forbidding the use of SHA-1 in TLS where it is unsafe: for
certificate signing, and as the signature hash algorithm for the TLS
1.2 handshake signature. SHA-1 remains allowed in HMAC-SHA-1 in the
XXX_SHA ciphersuites and in the PRF for TLS <= 1.1.

For easy backward compatibility for use in controlled environments,
turn on the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 compiled-time option.
2017-06-06 19:08:19 +02:00
Manuel Pégourié-Gonnard
cd6e4d5bcc Merge remote-tracking branch 'restricted/mbedtls-2.1' into mbedtls-2.1
* restricted/mbedtls-2.1:
  Remove obsolete macros from compat-1.3.h
  Add fix for #667 to ChangeLog
  Fix bug in threading sample implementation #667
  Fix check-doxy-blocks.pl to run from root dir
  RSA: wipe more stack buffers
  RSA: wipe stack buffers
2017-06-06 18:23:05 +02:00
Manuel Pégourié-Gonnard
61946d2c68 Merge remote-tracking branch 'hanno/iotssl-1241-backport-2.1' into mbedtls-2.1
* hanno/iotssl-1241-backport-2.1:
  Improve documentation
  Split long lines.
  Remember suitable hash function for any signature algorithm.
  Introduce macros and functions to characterize certain ciphersuites.
2017-06-06 18:21:01 +02:00
Manuel Pégourié-Gonnard
6820eba2bb Merge branch 'iotssl-1272-fix-RSA-cache-attack-2.1-restricted' into mbedtls-2.1
* iotssl-1272-fix-RSA-cache-attack-2.1-restricted:
  Add Changelog entry for RSA exponent blinding
  Add exponent blinding to RSA with CRT
  Add exponent blinding to RSA without CRT
2017-06-06 16:12:33 +02:00
Andres AG
53a8e869aa Add negative testing for mbedtls_pem_read_buffer() 2017-05-30 17:01:42 +01:00
Andres AG
705cc65011 Add missing ret code checks in PEM module
Add missing return code checks in the functions pem_des_decrypt(),
pem_3des_decrypt() and pem_aes_decrypt() so that the calling function
mbedtls_pem_read_buffer() is notified of errors reported by the crypto
primitives AES, DES and 3DES.
2017-05-30 16:58:28 +01:00
Gilles Peskine
01dcea7f16 Added changelog entry 2017-05-29 14:49:36 +02:00
Gilles Peskine
f096eeac4a Clarified documentation of mbedtls_ssl_setup
Note that the configuration structure must remain accessible. The
previous wording could have been taken as implying that it's ok to
change the structure but changes wouldn't be taken into account.

Also note that calling this function twice is not supported (it would
at least be a memory leak).
2017-05-26 12:11:00 +02:00
Hanno Becker
032aec0523 Improve documentation 2017-05-24 11:04:54 +01:00
Hanno Becker
118848fd77 Split long lines. 2017-05-24 11:04:54 +01:00
Hanno Becker
aa8a2bd05a Remember suitable hash function for any signature algorithm.
This commit changes `ssl_parse_signature_algorithms_ext` to remember
one suitable ( := supported by client and by our config ) hash
algorithm per signature algorithm.

It also modifies the ciphersuite checking function
`ssl_ciphersuite_match` to refuse a suite if there
is no suitable hash algorithm.

Finally, it adds the corresponding entry to the ChangeLog.
2017-05-24 11:04:50 +01:00
Hanno Becker
b3e6872c93 Introduce macros and functions to characterize certain ciphersuites.
The routine `mbedtls_ssl_write_server_key_exchange` heavily depends on
what kind of cipher suite is active: some don't need a
ServerKeyExchange at all, some need (EC)DH parameters but no server
signature, some require both. Each time we want to restrict a certain
piece of code to some class of ciphersuites, it is guarded by a
lengthy concatentation of configuration checks determining whether at
least one of the relevant cipher suites is enabled in the config; on
the code level, it is guarded by the check whether one of these
cipher suites is the active one.

To ease readability of the code, this commit introduces several helper
macros and helper functions that can be used to determine whether a
certain class of ciphersuites (a) is active in the config, and
(b) contains the currently present ciphersuite.
2017-05-24 10:54:17 +01:00