Commit Graph

4655 Commits

Author SHA1 Message Date
Gilles Peskine
74fd868ca6 RSA: wipe more stack buffers
MGF mask and PSS salt are not highly sensitive, but wipe them anyway
for good hygiene.
2017-05-05 19:28:38 +02:00
Gilles Peskine
bd90851688 More length checks in RSA PKCS1v15 verify
Added one check that I'd missed, and made the style more uniform.

Backport to 2.1.
2017-05-04 12:54:36 +02:00
Gilles Peskine
fd8f79d89f More length checks in RSA PKCS1v15 verify
Tighten ASN.1 parsing of RSA PKCS#1 v1.5 signatures, to avoid a
potential Bleichenbacher-style attack.

Backport to 2.1.x
2017-05-03 18:45:15 +02:00
Gilles Peskine
8877ec23a3 RSA: wipe stack buffers
The RSA private key functions rsa_rsaes_pkcs1_v15_decrypt and
rsa_rsaes_oaep_decrypt put sensitive data (decryption results) on the
stack. Wipe it before returning.

Thanks to Laurent Simon for reporting this issue.
2017-03-23 15:29:45 +01:00
Simon Butcher
63a48d10e9 Merge branch 'mbedtls-2.1' 2017-03-10 19:02:58 +00:00
Simon Butcher
2323477699 Update version number to 2.1.7 for release 2017-03-08 16:29:31 +00:00
Simon Butcher
340bb1bab1 Added missing credit to ChangeLog for #555 2017-03-08 11:16:35 +00:00
Simon Butcher
bd6882b866 Corrected attibution in Changelog 2017-03-07 12:42:55 +00:00
Andres AG
e0545c30dd Fix buffer overflow in mbedtls_mpi_write_string()
Fix a buffer overflow when writting a string representation of an MPI
number to a buffer in hexadecimal. The problem occurs because hex
digits are written in pairs and this is not accounted for in the
calculation of the required buffer size when the number of digits is
odd.
2017-03-02 22:58:05 +00:00
Andres AG
46efbff2c1 Fix failing pkparse test case
The first three test cases from test_suites_pkparse.data failed because
the key file they read requires DES to be read. However, MBEDTLS_DES_C
was missing from the dependency list.
2017-03-02 21:11:16 +00:00
Ron Eldor
8c5385e150 Backport 2.1:Resource leak in ssl_cookie and mutex
When using ssl_cookie with MBEDTLS_THREADING_C, fix a resource leak caused by
initiating a mutex in mbedtls_ssl_cookie_free instead of freeing it.
Raised and fix suggested by lan Gillingham in the mbed TLS forum
Tracked in #771
2017-03-02 21:11:16 +00:00
Simon Butcher
3c6a1a9372 Add credit to Changelog for #562 2017-03-02 21:08:12 +00:00
Simon Butcher
2b8d890098 Clarify fix for #673 in Changelog
Clarified fix, and added credit.
2017-03-02 21:07:20 +00:00
Andres AG
2b1937b735 Fix failing pkparse test case
The first three test cases from test_suites_pkparse.data failed because
the key file they read requires DES to be read. However, MBEDTLS_DES_C
was missing from the dependency list.
2017-03-02 15:36:51 +00:00
Ron Eldor
957930d5c6 Backport 2.1:Resource leak in ssl_cookie and mutex
When using ssl_cookie with MBEDTLS_THREADING_C, fix a resource leak caused by
initiating a mutex in mbedtls_ssl_cookie_free instead of freeing it.
Raised and fix suggested by lan Gillingham in the mbed TLS forum
Tracked in #771
2017-03-02 12:13:44 +00:00
Simon Butcher
9aabf6dfcd Add fix and credit for #742 to the ChangeLog 2017-03-02 10:17:21 +00:00
Andres AG
a156363070 Remove use of inttypes.h in MSVC from ssl_server2
The sample application programs/ssl/ssl_server2.c was previously
modifies to use inttypes.h to parse a string to a 64-bit integer.
However, MSVC does not support C99, so compilation fails. This
patch modifies the sample app to use the MSVC specific parsing
functions instead of inttypes.h.
2017-03-02 10:16:57 +00:00
Simon Butcher
59dd04f129 Update of the Visual Studio files
Contains additional project file, ecdh_curve25519.vcxproj, as well as fix
for intermediate files causing the warning MSB8028 with Visual Studio 2015.
2017-03-02 10:16:57 +00:00
Simon Butcher
57031ce0a9 Fix Visual Studio template files
Adds interim directories to the Visual Studio project files to avoid warning
MSB8028 in Visual Studio 2015, where shared directories of intermediate files
between project files generate the warning.
2017-03-02 10:16:57 +00:00
Simon Butcher
cd4981cf55 Add fix and credit for #742 to the ChangeLog 2017-03-02 10:00:52 +00:00
Andres AG
0ac1392cd8 Remove use of inttypes.h in MSVC from ssl_server2
The sample application programs/ssl/ssl_server2.c was previously
modifies to use inttypes.h to parse a string to a 64-bit integer.
However, MSVC does not support C99, so compilation fails. This
patch modifies the sample app to use the MSVC specific parsing
functions instead of inttypes.h.
2017-03-01 23:33:29 +00:00
Simon Butcher
46c5053126 Update of the Visual Studio files
Contains additional project file, ecdh_curve25519.vcxproj, as well as fix
for intermediate files causing the warning MSB8028 with Visual Studio 2015.
2017-03-01 23:17:57 +00:00
Simon Butcher
e1a46cea49 Fix Visual Studio template files
Adds interim directories to the Visual Studio project files to avoid warning
MSB8028 in Visual Studio 2015, where shared directories of intermediate files
between project files generate the warning.
2017-03-01 23:05:38 +00:00
Ron Eldor
8f352fd2c1 fix for issue 1101: missing rsa context initialization
added mbedtls_rsa_init in rsa_decrypt sample application
2017-03-01 16:17:44 +00:00
Simon Butcher
e4b89450f9 Add credit to Changelog for #562 2017-03-01 16:17:38 +00:00
Simon Butcher
09b6274247 Clarify fix for #673 in Changelog
Clarified fix, and added credit.
2017-03-01 16:16:53 +00:00
Ron Eldor
78011d9656 fix for issue 1101: missing rsa context initialization
added mbedtls_rsa_init in rsa_decrypt sample application
2017-03-01 16:05:25 +00:00
Paul Bakker
45bbb21799 Fix default hostname for verification used in ssl_client1 2017-02-28 23:54:24 +00:00
Paul Bakker
c60c31226f Fix default hostname for verification used in ssl_client1 2017-02-28 23:33:28 +00:00
Simon Butcher
3ea1af214c Clarify ChangeLog for #569 2017-02-28 20:30:07 +00:00
Janos Follath
8dbb35ae13 ECP: Prevent freeing a buffer on stack
The function ecp_mod_koblitz computed the space for the result of a
multiplication optimally for that specific case, but unfortunately
the function mbedtls_mpi_mul_mpi performs a generic, suboptimal
calculation and needs one more limb for the result. Since the result's
buffer is on the stack, the best case scenario is that the program
stops.

This only happened on 64 bit platforms.

Fixes #569
2017-02-28 18:56:35 +00:00
Janos Follath
c7fb230fa4 Add invalid key tests for curve SECP224K1
This curve has special arithmetic on 64 bit platforms and an untested
path lead to trying to free a buffer on the stack.

For the sake of completeness, a test case for a point with non-affine
coordinates has been added as well.
2017-02-28 18:55:25 +00:00
Simon Butcher
763e32731a Fix credit in ChangeLog for #722 2017-02-28 17:06:37 +00:00
Andres AG
f4cbe10bce Fix memory leak in mbedtls_x509_crl_parse()
The memory leak call was caused by missing calls to mbedtls_pem_free()
when a MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT error was
encountered.
2017-02-28 17:06:24 +00:00
Janos Follath
5ad4045981 Fix buffer overread in mbedtls_x509_get_time()
A heap overread might happen when parsing malformed certificates.
Reported by Peng Li and Yueh-Hsun Lin.

Refactoring the parsing fixes the problem. This commit applies the
relevant part of the OpenVPN contribution applied to mbed TLS 1.3
in commit 17da9dd829.
2017-02-28 14:17:32 +00:00
Janos Follath
a841d75aad Add unit tests for X509 certificate date parsing 2017-02-28 14:17:32 +00:00
Simon Butcher
d352e6dfcc Merge branch 'mbedtls-2.1-iotssl-1071-ca-flags'
Fixes a regression introduced by an earlier commit that modified
x509_crt_verify_top() to ensure that valid certificates that are after past or
future valid in the chain are processed. However the change introduced a change
in behaviour that caused the verification flags MBEDTLS_X509_BADCERT_EXPIRED and
MBEDTLS_BADCERT_FUTURE to always be set whenever there is a failure in the
verification regardless of the cause.

The fix maintains both behaviours:

 * Ensure that valid certificates after future and past are verified
 * Ensure that the correct verification flags are set.
2017-02-27 20:24:55 +00:00
Simon Butcher
e4b3df5824 Fix formatting in ChangeLog 2017-02-26 02:01:22 +00:00
Simon Butcher
f26f0e3d02 Merge branch 'mbedtls-2.1-iotssl-1077-dos-crl'
Modifies the function mbedtls_x509_crl_parse() to ensure that a CRL in PEM
format with trailing characters after the footer does not result in the
execution of an infinite loop.
2017-02-26 01:31:47 +00:00
Andres AG
b8ba86162a Add PK tests to avoid hashlen overflow for RSA 2017-02-25 20:37:43 +00:00
Andres AG
c89250913f Fix data loss in unsigned int cast in PK
This patch introduces some additional checks in the PK module for 64-bit
systems only. The problem is that the API functions in the PK
abstraction accept a size_t value for the hashlen, while the RSA module
accepts an unsigned int for the hashlen. Instead of silently casting
size_t to unsigned int, this change checks whether the hashlen overflows
an unsigned int and returns an error.
2017-02-25 20:37:43 +00:00
Simon Butcher
3a7d9314b4 Add clarification to the TLS renegotiation period
Expanded details on use of mbedtls_ssl_conf_renegotiation_period()
2017-02-25 20:10:05 +00:00
Andres AG
aa093e4c5e Fix examples that failed to compile without PEM 2017-02-25 20:10:05 +00:00
Simon Butcher
ef3d4e4365 Add credit to Changelog for #562 2017-02-25 20:10:05 +00:00
Simon Butcher
f384fae69a Fix undefined variable in scripts/config.pl
The variable $config_file was being referenced without being defined in the
script config.pl.
2017-02-25 20:08:53 +00:00
Simon Butcher
0f86294953 Clarify fix for #673 in Changelog
Clarified fix, and added credit.
2017-02-25 20:08:53 +00:00
Andres AG
85041738e4 Add DTLS test to check 6 byte record ctr is cmp
Add a test to ssl-opt.sh to ensure that in DTLS a 6 byte record counter
is compared in ssl_check_ctr_renegotiate() instead of a 8 byte one as in
the TLS case. Because currently there are no testing facilities to check
that renegotiation routines are triggered after X number of input/output
messages, the test consists on setting a renegotiation period that
cannot be represented in 6 bytes, but whose least-significant byte is 2.
If the library behaves correctly, the renegotiation routines will be
executed after two exchanged.
2017-02-25 20:07:38 +00:00
Andres AG
8efc769647 Fix renegotiation at incorrect times in DTLS
Fix an incorrect condition in ssl_check_ctr_renegotiate() that compared
64 bits of record counter instead of 48 bits as described in RFC 6347
Section 4.3.1. This would cause the function's return value to be
occasionally incorrect and the renegotiation routines to be triggered
at unexpected times.
2017-02-25 20:07:38 +00:00
Andres AG
480a958e54 Fix unused variable/function compilation warnings
This PR fixes a number of unused variable/function compilation warnings
that arise when using a config.h that does not define the macro
MBEDTLS_PEM_PARSE_C.
2017-02-25 19:48:32 +00:00
Andres AG
13945f6665 Fix redefinition of macro ssl_set_bio
Fix redefinition of macro ssl_set_bio to undefined symbol
mbedtls_ssl_set_bio_timeout in compat-1.3.h.
2017-02-25 19:45:38 +00:00