Commit Graph

4762 Commits

Author SHA1 Message Date
Hanno Becker
a83fafa5df Add missing dependencies on trunc HMAC ext in ssl-opt.sh
Noticed that the test cases in ssl-opt.sh exercising the truncated HMAC
extension do not depend on MBEDTLS_SSL_TRUNCATED_HMAC being enabled in
config.h. This commit fixes this.
2017-12-01 10:18:22 +00:00
Hanno Becker
64f0aed966 Don't truncate MAC key when truncated HMAC is negotiated
The truncated HMAC extension as described in
https://tools.ietf.org/html/rfc6066.html#section-7 specifies that when truncated
HMAC is used, only the HMAC output should be truncated, while the HMAC key
generation stays unmodified. This commit fixes Mbed TLS's behavior of also
truncating the key, potentially leading to compatibility issues with peers
running other stacks than Mbed TLS.

Details:
The keys for the MAC are pieces of the keyblock that's generated from the
master secret in `mbedtls_ssl_derive_keys` through the PRF, their size being
specified as the size of the digest used for the MAC, regardless of whether
truncated HMAC is enabled or not.

             /----- MD size ------\ /------- MD size ----\
Keyblock    +----------------------+----------------------+------------------+---
now         |     MAC enc key      |      MAC dec key     |     Enc key      |  ...
(correct)   +----------------------+----------------------+------------------+---

In the previous code, when truncated HMAC was enabled, the HMAC keys
were truncated to 10 bytes:

             /-10 bytes-\  /-10 bytes-\
Keyblock    +-------------+-------------+------------------+---
previously  | MAC enc key | MAC dec key |     Enc key      |  ...
(wrong)     +-------------+-------------+------------------+---

The reason for this was that a single variable `transform->maclen` was used for
both the keysize and the size of the final MAC, and its value was reduced from
the MD size to 10 bytes in case truncated HMAC was negotiated.

This commit fixes this by introducing a temporary variable `mac_key_len` which
permanently holds the MD size irrespective of the presence of truncated HMAC,
and using this temporary to obtain the MAC key chunks from the keyblock.
2017-12-01 10:18:22 +00:00
Gilles Peskine
6ddfa37084 Fix build without MBEDTLS_FS_IO
Fix missing definition of mbedtls_zeroize when MBEDTLS_FS_IO is
disabled in the configuration.

Introduced by d08ae68237
    Merge remote-tracking branch 'upstream-public/pr/1112' into mbedtls-2.1
2017-11-30 12:20:19 +01:00
Gilles Peskine
6cf85ff1a4 Merge branch 'mbedtls-2.1' into mbedtls-2.1-restricted 2017-11-29 21:07:28 +01:00
Gilles Peskine
49349bacb9 Merge remote-tracking branch 'upstream-public/pr/1153' into mbedtls-2.1 2017-11-29 20:53:58 +01:00
Gilles Peskine
f663c22ab7 Merge remote-tracking branch 'upstream-public/pr/916' into mbedtls-2.1 2017-11-29 20:53:44 +01:00
Gilles Peskine
1854a0e0cd Merge branch 'mbedtls-2.1' into mbedtls-2.1-restricted 2017-11-28 18:44:49 +01:00
Gilles Peskine
25aa833ac3 Merge branch 'pr_1082' into mbedtls-2.1 2017-11-28 18:33:50 +01:00
Gilles Peskine
026d18aefa Add ChangeLog entry 2017-11-28 18:33:31 +01:00
Gilles Peskine
283a80d51f Merge remote-tracking branch 'upstream-public/pr/1108' into mbedtls-2.1 2017-11-28 18:31:28 +01:00
Gilles Peskine
31dce36364 Merge remote-tracking branch 'upstream-public/pr/1080' into mbedtls-2.1 2017-11-28 18:30:18 +01:00
Gilles Peskine
a6f6947490 Merge remote-tracking branch 'upstream-public/pr/943' into mbedtls-2.1 2017-11-28 18:28:39 +01:00
Gilles Peskine
dc89416ad9 Merge remote-tracking branch 'upstream-public/pr/996' into mbedtls-2.1 2017-11-28 17:10:10 +01:00
Gilles Peskine
1b8822e9b3 Merge remote-tracking branch 'upstream-restricted/pr/422' into mbedtls-2.1-restricted
Resolved simple conflicts caused by the independent addition of
calls to mbedtls_zeroize with sometimes whitespace or comment
differences.
2017-11-28 16:21:07 +01:00
Gilles Peskine
9aab6995a9 Merge remote-tracking branch 'upstream-restricted/pr/406' into mbedtls-2.1-restricted 2017-11-28 16:19:19 +01:00
Gilles Peskine
5a8fe053d8 Merge remote-tracking branch 'upstream-restricted/pr/401' into mbedtls-2.1-restricted 2017-11-28 14:24:15 +01:00
Gilles Peskine
336b7de48a Merge remote-tracking branch 'upstream-restricted/pr/386' into mbedtls-2.1-restricted 2017-11-28 14:24:05 +01:00
Gilles Peskine
206110dcb9 Merge branch 'iotssl-1419-safermemcmp-volatile_backport-2.1' into mbedtls-2.1-restricted 2017-11-28 13:51:37 +01:00
Gilles Peskine
2f615af5cf add changelog entry 2017-11-28 13:34:24 +01:00
Gilles Peskine
e881a22126 Merge branch 'mbedtls-2.1' into mbedtls-2.1-restricted 2017-11-24 16:06:16 +01:00
Gilles Peskine
d08ae68237 Merge remote-tracking branch 'upstream-public/pr/1112' into mbedtls-2.1 2017-11-24 15:37:29 +01:00
Gilles Peskine
5eb8edc0cb Merge branch 'mbedtls-2.1' into mbedtls-2.1-restricted 2017-11-23 20:11:07 +01:00
Gilles Peskine
7aa24190b4 Merge remote-tracking branch 'upstream-public/pr/1107' into mbedtls-2.1 2017-11-23 20:09:48 +01:00
Gilles Peskine
a90c3da42f Merge branch 'iotssl-1368-unsafe-bounds-check-psk-identity-merge-2.1' into mbedtls-2.1-restricted 2017-11-23 19:06:29 +01:00
Gilles Peskine
86eece9e87 ChangeLog entry for ssl_parse_client_psk_identity fix 2017-11-23 19:04:39 +01:00
Manuel Pégourié-Gonnard
aed00f7bf7 Merge remote-tracking branch 'restricted/pr/417' into mbedtls-2.1-restricted
* restricted/pr/417:
  RSA PSS: remove redundant check; changelog
  RSA PSS: fix first byte check for keys of size 8N+1
  RSA PSS: fix minimum length check for keys of size 8N+1
  RSA: Fix another buffer overflow in PSS signature verification
  RSA: Fix buffer overflow in PSS signature verification
2017-11-23 12:13:49 +01:00
Darryl Green
67bfc5b46c Add tests for invalid private parameter in mbedtls_ecdsa_sign 2017-11-20 17:11:42 +00:00
Darryl Green
1b052e80aa Add checks for private parameter in mbedtls_ecdsa_sign() 2017-11-20 17:11:17 +00:00
Hanno Becker
b09c5721f5 Adapt ChangeLog 2017-11-20 10:43:48 +00:00
Hanno Becker
ce516ff449 Fix heap corruption in ssl_decrypt_buf
Previously, MAC validation for an incoming record proceeded as follows:

1) Make a copy of the MAC contained in the record;
2) Compute the expected MAC in place, overwriting the presented one;
3) Compare both.

This resulted in a record buffer overflow if truncated MAC was used, as in this
case the record buffer only reserved 10 bytes for the MAC, but the MAC
computation routine in 2) always wrote a full digest.

For specially crafted records, this could be used to perform a controlled write of
up to 6 bytes past the boundary of the heap buffer holding the record, thereby
corrupting the heap structures and potentially leading to a crash or remote code
execution.

This commit fixes this by making the following change:
1) Compute the expected MAC in a temporary buffer that has the size of the
   underlying message digest.
2) Compare to this to the MAC contained in the record, potentially
   restricting to the first 10 bytes if truncated HMAC is used.

A similar fix is applied to the encryption routine `ssl_encrypt_buf`.
2017-11-20 10:16:17 +00:00
Manuel Pégourié-Gonnard
ea0aa655f6 Merge branch 'mbedtls-2.1' into mbedtls-2.1-restricted
* mbedtls-2.1:
  Fix typo in asn1.h
  Improve leap year test names in x509parse.data
  Correctly handle leap year in x509_date_is_valid()
  Renegotiation: Add tests for SigAlg ext parsing
  Parse Signature Algorithm ext when renegotiating
  Fix changelog for ssl_server2.c usage fix
  Fix ssl_server2 sample application prompt
  Update ChangeLog for fix to #836
  Enhance documentation of ssl_write_hostname_ext, adapt ChangeLog.
  Enhance documentation of mbedtls_ssl_set_hostname
  Add test case calling ssl_set_hostname twice
  Make mbedtls_ssl_set_hostname safe to be called multiple times
  Fix typo in configs/README.txt file
2017-11-14 08:38:52 +01:00
Ron Eldor
be17ed59d6 Address PR review comments
set `cache->chain` to NULL,
instead of setting the whole structure to zero.
2017-10-30 18:11:38 +02:00
Ron Eldor
5bd272627b Backport 2.1:Fix crash when calling mbedtls_ssl_cache_free twice
Set `cache` to zero at the end of `mbedtls_ssl_cache_free` #1104
2017-10-30 18:09:40 +02:00
Hanno Becker
25e39d38bd Add ChangeLog message for EC private exponent information leak 2017-10-25 15:46:31 +01:00
Hanno Becker
cf873f74d4 Adapt ChangeLog 2017-10-25 15:46:31 +01:00
Hanno Becker
0f49bbc1fc Zeroize stack before returning from mpi_fill_random 2017-10-25 15:46:29 +01:00
Hanno Becker
b3088b4b37 Fix information leak in ecp_gen_keypair_base
The function mbedtls_ecp_gen_keypair_base did not wipe the stack buffer used to
hold the private exponent before returning. This commit fixes this by not using
a stack buffer in the first place but instead calling mpi_fill_random directly
to acquire the necessary random MPI.
2017-10-25 15:44:10 +01:00
Hanno Becker
7d80688e53 Make mpi_read_binary time constant
This commit modifies mpi_read_binary to always allocate the minimum number of
limbs required to hold the entire buffer provided to the function, regardless of
its content. Previously, leading zero bytes in the input data were detected and
used to reduce memory footprint and time, but this non-constant behavior turned
out to be non-tolerable for the cryptographic applications this function is used
for.
2017-10-25 15:44:10 +01:00
Hanno Becker
cb2ba29c49 Mention that mpi_fill_random interprets PRNG output as big-endian 2017-10-25 15:44:10 +01:00
Hanno Becker
489f80cbf5 Adapt ChangeLog 2017-10-24 11:56:58 +01:00
Hanno Becker
4f9973efb9 Add build and ssl-opt.sh run for !SSL_RENEGOTIATION to all.sh 2017-10-24 11:56:28 +01:00
Hanno Becker
7889113075 Add dependency on SSL_RENEGOTIATION to renego tests in ssl-opt.sh 2017-10-24 11:54:55 +01:00
Hanno Becker
3cd07be889 Fix handling of HS msgs in mbedtls_ssl_read if renegotiation unused
Previously, if `MBEDTLS_SSL_RENEGOTIATION` was disabled, incoming handshake
messages in `mbedtls_ssl_read` (expecting application data) lead to the
connection being closed. This commit fixes this, restricting the
`MBEDTLS_SSL_RENEGOTIATION`-guard to the code-paths responsible for accepting
renegotiation requests and aborting renegotiation attempts after too many
unexpected records have been received.
2017-10-24 11:49:19 +01:00
Hanno Becker
e454d73cc0 Swap branches accepting/refusing renegotiation in in ssl_read 2017-10-24 11:47:37 +01:00
Gilles Peskine
9745cfd87d RSA PSS: remove redundant check; changelog
Remove a check introduced in the previous buffer overflow fix with keys of
size 8N+1 which the subsequent fix for buffer start calculations made
redundant.

Added a changelog entry for the buffer start calculation fix.
2017-10-23 14:49:43 +02:00
Hanno Becker
584ebe1bcb Wrong identifier used to check Encrypt-then-MAC flag
This commit fixes a comparison of ssl_session->encrypt_then_mac against the
ETM-unrelated constant MBEDTLS_SSL_EXTENDED_MS_DISABLED. Instead,
MBEDTLS_SSL_ETM_DISABLED should be used.

The typo is has no functional effect since both constants have the same value 0.
2017-10-23 10:26:42 +01:00
Hanno Becker
797c084394 Add tests for disabled MFL-extension to all.sh
This commit adds a build with default config except
MBEDTLS_SSL_MAX_FRAGMENT_LENGTH to all.sh, as well as a run of the MFL-related
tests in ssl-opt.sh.
2017-10-19 15:49:21 +01:00
Hanno Becker
6ed76f74d2 Use a conservative excess of the maximum fragment length in tests
This leads to graceful test failure instead of crash when run on the previous
code.
2017-10-19 15:45:17 +01:00
Hanno Becker
64691dc3fc Let ssl-opt.sh gracefully fail is SSL_MAX_CONTENT_LEN is not 16384
Some tests in ssl-opt.sh require MBEDTLS_SSL_MAX_CONTENT_LEN to be set to its
default value of 16384 to succeed. While ideally such a dependency should not
exist, as a short-term remedy this commit adds a small check that will at least
lead to graceful exit if that assumption is violated.
2017-10-19 15:45:17 +01:00
Hanno Becker
b658ee63c2 Adapt ChangeLog 2017-10-19 15:45:17 +01:00