Commit Graph

5995 Commits

Author SHA1 Message Date
Gilles Peskine
b00b0da452 RSA PSS: fix first byte check for keys of size 8N+1
For a key of size 8N+1, check that the first byte after applying the
public key operation is 0 (it could have been 1 instead). The code was
incorrectly doing a no-op check instead, which led to invalid
signatures being accepted. Not a security flaw, since you would need the
private key to craft such an invalid signature, but a bug nonetheless.
2017-10-19 15:23:49 +02:00
Hanno Becker
509fef7de3 Add ChangeLog message for EC private exponent information leak 2017-10-19 10:10:18 +01:00
Hanno Becker
a21e2a015b Adapt ChangeLog 2017-10-19 09:15:17 +01:00
Gilles Peskine
139108af94 RSA PSS: fix minimum length check for keys of size 8N+1
The check introduced by the previous security fix was off by one. It
fixed the buffer overflow but was not compliant with the definition of
PSS which technically led to accepting some invalid signatures (but
not signatures made without the private key).
2017-10-18 19:03:42 +02:00
Hanno Becker
9cfabe3597 Use a conservative excess of the maximum fragment length in tests
This leads to graceful test failure instead of crash when run on the previous
code.
2017-10-18 14:42:01 +01:00
Hanno Becker
888071184c Zeroize stack before returning from mpi_fill_random 2017-10-18 12:41:30 +01:00
RonEld
005939db98 update README file (#1144)
* update README file

update VS 2010 as the minimal version of required Visual Studio

* Rephrase the MS VS requirement

Rephrase the VS version sentence
2017-10-17 18:19:48 +01:00
Gilles Peskine
6a54b0240d RSA: Fix another buffer overflow in PSS signature verification
Fix buffer overflow in RSA-PSS signature verification when the masking
operation results in an all-zero buffer. This could happen at any key size.
2017-10-17 19:12:36 +02:00
Gilles Peskine
28a0c72795 RSA: Fix buffer overflow in PSS signature verification
Fix buffer overflow in RSA-PSS signature verification when the hash is
too large for the key size. Found by Seth Terashima, Qualcomm.

Added a non-regression test and a positive test with the smallest
permitted key size for a SHA-512 hash.
2017-10-17 19:01:38 +02:00
Ron Eldor
e1a9a4a826 Fix crash when calling mbedtls_ssl_cache_free twice
Set `cache` to zero at the end of `mbedtls_ssl_cache_free` #1104
2017-10-17 18:15:41 +03:00
Hanno Becker
7c8cb9c28b Fix information leak in ecp_gen_keypair_base
The function mbedtls_ecp_gen_keypair_base did not wipe the stack buffer used to
hold the private exponent before returning. This commit fixes this by not using
a stack buffer in the first place but instead calling mpi_fill_random directly
to acquire the necessary random MPI.
2017-10-17 15:19:38 +01:00
Hanno Becker
073c199224 Make mpi_read_binary time constant
This commit modifies mpi_read_binary to always allocate the minimum number of
limbs required to hold the entire buffer provided to the function, regardless of
its content. Previously, leading zero bytes in the input data were detected and
used to reduce memory footprint and time, but this non-constant behavior turned
out to be non-tolerable for the cryptographic applications this function is used
for.
2017-10-17 15:17:27 +01:00
Hanno Becker
15f2b3e538 Mention that mpi_fill_random interprets PRNG output as big-endian 2017-10-17 15:17:05 +01:00
Hanno Becker
479e8e24e6 Adapt ChangeLog 2017-10-17 11:03:50 +01:00
Hanno Becker
134c2ab891 Add build and ssl-opt.sh run for !SSL_RENEGOTIATION to all.sh 2017-10-17 11:03:50 +01:00
Hanno Becker
6a2436493f Add dependency on SSL_RENEGOTIATION to renego tests in ssl-opt.sh 2017-10-17 11:03:50 +01:00
Hanno Becker
40f8b51221 Add comments on the use of the renego SCSV and the renego ext 2017-10-17 11:03:50 +01:00
Hanno Becker
6851b10ec7 Note that disabling SSL_RENEGO doesn't open door for renego attack 2017-10-17 11:03:50 +01:00
Hanno Becker
21df7f90d2 Fix handling of HS msgs in mbedtls_ssl_read if renegotiation unused
Previously, if `MBEDTLS_SSL_RENEGOTIATION` was disabled, incoming handshake
messages in `mbedtls_ssl_read` (expecting application data) lead to the
connection being closed. This commit fixes this, restricting the
`MBEDTLS_SSL_RENEGOTIATION`-guard to the code-paths responsible for accepting
renegotiation requests and aborting renegotiation attempts after too many
unexpected records have been received.
2017-10-17 11:03:26 +01:00
Hanno Becker
b4ff0aafd9 Swap branches accepting/refusing renegotiation in in ssl_read 2017-10-17 11:03:04 +01:00
Hanno Becker
fc8fbfa059 Switch to gender neutral wording in rsa.h 2017-10-17 10:34:04 +01:00
Hanno Becker
580869dae8 Handle RSA_EXPORT_UNSUPPORTED error code in strerror 2017-10-17 10:34:04 +01:00
Hanno Becker
e2a73c13cf Enhancement of ChangeLog entry 2017-10-17 10:34:04 +01:00
Hanno Becker
554c32dae6 Mention validate_params does primality tests only if GENPRIME def'd 2017-10-17 10:34:01 +01:00
Hanno Becker
68767a6e88 Improve documentation in mbedtls_rsa_check_privkey 2017-10-17 10:13:31 +01:00
Hanno Becker
f8c028a2fb Minor corrections 2017-10-17 09:20:57 +01:00
Hanno Becker
4055a3a16f Shorten prime array in mbedtls_rsa_deduce_primes 2017-10-17 09:15:26 +01:00
Hanno Becker
c36aab69b5 Swap D,E parameters in mbedtls_rsa_deduce_primes 2017-10-17 09:15:06 +01:00
Hanno Becker
0cd5b94dba Adapt ChangeLog 2017-10-13 17:17:28 +01:00
Simon Butcher
6f63db7ed5 Fix changelog for ssl_server2.c usage fix 2017-10-12 23:22:17 +01:00
Gilles Peskine
085c10afdb Allow comments in test data files 2017-10-12 23:22:17 +01:00
Andres Amaya Garcia
9fb02057a5 Fix typo in asn1.h 2017-10-12 23:21:37 +01:00
Andres Amaya Garcia
60100d09ee Improve leap year test names in x509parse.data 2017-10-12 23:21:37 +01:00
Andres Amaya Garcia
735b37eeef Correctly handle leap year in x509_date_is_valid()
This patch ensures that invalid dates on leap years with 100 or 400
years intervals are handled correctly.
2017-10-12 23:21:37 +01:00
Janos Follath
b0f148c0ab Renegotiation: Add tests for SigAlg ext parsing
This commit adds regression tests for the bug when we didn't parse the
Signature Algorithm extension when renegotiating. (By nature, this bug
affected only the server)

The tests check for the fallback hash (SHA1) in the server log to detect
that the Signature Algorithm extension hasn't been parsed at least in
one of the handshakes.

A more direct way of testing is not possible with the current test
framework, since the Signature Algorithm extension is parsed in the
first handshake and any corresponding debug message is present in the
logs.
2017-10-12 23:21:37 +01:00
Ron Eldor
73a381772b Parse Signature Algorithm ext when renegotiating
Signature algorithm extension was skipped when renegotiation was in
progress, causing the signature algorithm not to be known when
renegotiating, and failing the handshake. Fix removes the renegotiation
step check before parsing the extension.
2017-10-12 23:21:37 +01:00
Gilles Peskine
8ca0e8fdff Minor style fix 2017-10-12 23:21:37 +01:00
Gilles Peskine
d98e9e8577 config.pl get: be better behaved
When printing an option's value, print a newline at the end.

When the requested option is missing, fail with status 1 (the usual
convention for "not found") rather than -1 (which has a
system-dependent effect).
2017-10-12 23:21:37 +01:00
Gilles Peskine
01f57e351c config.pl get: don't rewrite config.h; detect write errors
scripts/config.pl would always rewrite config.h if it was reading it.
This commit changes it to not modify the file when only reading is
required, i.e. for the get command.

Also, die if writing config.h fails (e.g. disk full).
2017-10-12 23:21:37 +01:00
Gilles Peskine
f0f55ccb72 Fixed "config.pl get" for options with no value
Between 2.5.0 and 2.6.0, "scripts/config.pl get MBEDTLS_XXX" was fixed
for config.h lines with a comment at the end, but that broke the case
of macros with an empty expansion. Support all cases.
2017-10-12 23:21:37 +01:00
Andres Amaya Garcia
bd9d42c236 Fix typo and bracketing in macro args 2017-10-12 23:21:37 +01:00
Gilles Peskine
4552bf7558 Allow comments in test data files 2017-10-12 23:20:56 +01:00
Andres Amaya Garcia
77f1b109ec Fix typo in asn1.h 2017-10-12 22:40:28 +01:00
Andres Amaya Garcia
47e7b56fb6 Improve leap year test names in x509parse.data 2017-10-12 19:55:03 +01:00
Andres Amaya Garcia
106637fc2d Correctly handle leap year in x509_date_is_valid()
This patch ensures that invalid dates on leap years with 100 or 400
years intervals are handled correctly.
2017-10-12 19:54:46 +01:00
Hanno Becker
854244abbf Adapt ChangeLog 2017-10-12 16:26:37 +01:00
Hanno Becker
f5dce36a24 Don't claim ECDH parameters are nothing-up-my-sleeve numbers 2017-10-12 13:45:10 +01:00
Ron Eldor
3226d36d61 Fix typo in configuration
Change duplicate of MBEDTLS_ECDH_GEN_PUBLIC_ALT to
MBEDTLS_ECDH_COMPUTE_SHARED_ALT
2017-10-12 14:17:48 +03:00
Hanno Becker
d22b78bf12 Switch to old model for alternative implementations 2017-10-12 11:42:17 +01:00
Hanno Becker
ebd2c024dc Don't require P,Q in rsa_private if neither CRT nor blinding used 2017-10-12 10:57:39 +01:00