Commit Graph

3564 Commits

Author SHA1 Message Date
Gilles Peskine
5d9224e11c RSA PSS: fix first byte check for keys of size 8N+1
For a key of size 8N+1, check that the first byte after applying the
public key operation is 0 (it could have been 1 instead). The code was
incorrectly doing a no-op check instead, which led to invalid
signatures being accepted. Not a security flaw, since you would need the
private key to craft such an invalid signature, but a bug nonetheless.
2017-10-19 15:47:13 +02:00
Gilles Peskine
7addb7f0a0 RSA PSS: fix minimum length check for keys of size 8N+1
The check introduced by the previous security fix was off by one. It
fixed the buffer overflow but was not compliant with the definition of
PSS which technically led to accepting some invalid signatures (but
not signatures made without the private key).
2017-10-18 19:13:22 +02:00
Gilles Peskine
511bb84c60 RSA: Fix another buffer overflow in PSS signature verification
Fix buffer overflow in RSA-PSS signature verification when the masking
operation results in an all-zero buffer. This could happen at any key size.
2017-10-17 19:33:48 +02:00
Gilles Peskine
55db24ca50 RSA: Fix buffer overflow in PSS signature verification
Fix buffer overflow in RSA-PSS signature verification when the hash is
too large for the key size. Found by Seth Terashima, Qualcomm.

Added a non-regression test and a positive test with the smallest
permitted key size for a SHA-512 hash.
2017-10-17 19:30:12 +02:00
Andres Amaya Garcia
75ea35eac8 Fix typo in asn1.h 2017-10-12 22:43:16 +01:00
Andres Amaya Garcia
8a6ba0b495 Improve leap year test names in x509parse.data 2017-10-12 21:18:21 +01:00
Andres AG
7c02d13746 Correctly handle leap year in x509_date_is_valid()
This patch ensures that invalid dates on leap years with 100 or 400
years intervals are handled correctly.
2017-10-12 21:08:46 +01:00
Janos Follath
ea111c5501 Renegotiation: Add tests for SigAlg ext parsing
This commit adds regression tests for the bug when we didn't parse the
Signature Algorithm extension when renegotiating. (By nature, this bug
affected only the server)

The tests check for the fallback hash (SHA1) in the server log to detect
that the Signature Algorithm extension hasn't been parsed at least in
one of the handshakes.

A more direct way of testing is not possible with the current test
framework, since the Signature Algorithm extension is parsed in the
first handshake and any corresponding debug message is present in the
logs.
2017-10-11 14:06:40 +01:00
Ron Eldor
4491a791be Parse Signature Algorithm ext when renegotiating
Signature algorithm extension was skipped when renegotiation was in
progress, causing the signature algorithm not to be known when
renegotiating, and failing the handshake. Fix removes the renegotiation
step check before parsing the extension.
2017-10-11 14:06:26 +01:00
Andres Amaya Garcia
10345fbe2a Add ChangeLog entry 2017-10-07 22:24:07 +01:00
Andres Amaya Garcia
cf428733b8 Fix coding style in x509_parse_int() 2017-10-07 22:22:26 +01:00
Andres Amaya Garcia
876214cd9d Change param type for x509_parse_int() to fix warn 2017-10-07 22:22:15 +01:00
Andres Amaya Garcia
8388be3ec7 Add brackets around net.c macro arguments 2017-10-07 22:22:04 +01:00
Andres Amaya Garcia
86f76ea25c Add brackets around function macro arguments 2017-10-07 22:21:54 +01:00
Andres Amaya Garcia
a4d1857003 Fix type in net.c comment 2017-10-07 22:21:46 +01:00
Andres Amaya Garcia
6e5e9aaf7f Fix MSVC warning in net.c
The warning was caused because in MSVC some of the function parameters
for the socket APIs are int while the fields in struct addrinfo are
size_t e.g. possible data loss.
2017-10-07 22:21:38 +01:00
Andres Amaya Garcia
2d0a5840fe Fix MSVC warning in sample programs
The warning was caused because of conversions from size_t to int, which
can cause data loss. The files affected are:
* ssl_client2.c
* ssl_server2.c
* ssl_mail_client.c
2017-10-07 22:21:29 +01:00
Hanno Becker
c143653a19 Add tests for encrypted 2048 and 4096-bit RSA keys
This commit adds multiple RSA keys of various sizes and unifies their naming scheme.
2017-10-06 14:31:51 +01:00
Hanno Becker
a6cffa5edd Adapt ChangeLog 2017-10-05 08:58:00 +01:00
Hanno Becker
ef4acc569d Minor style and typo corrections 2017-10-05 08:37:56 +01:00
Hanno Becker
524f255c5b Extend x509write_crt suite by RSA_ALT signing test 2017-10-05 08:37:56 +01:00
Hanno Becker
e87e5f6c71 Extend cert_write example program by multiple cmd line options
This commit adds the following command line options to programs/x509/cert_write:
- version (val 1, 2, 3): Set the certificate's version (v1, v2, v3)
- authority_identifier (val 0, 1): Enable or disable the addition of the
                                   authority identifier extension.
- subject_identifier (val 0, 1): Enable or disable the addition of the
                                 subject identifier extension.
- basic_constraints (val 0, 1): Enable or disable the addition of the
                                basic constraints extension.
- md (val MD5, SHA1, SHA256, SHA512): Set the hash function used
                                      when creating the CRT.
2017-10-05 08:37:53 +01:00
Hanno Becker
7c3c97ac13 Don't add extensions for X.509 non-v3 certificates
This commit removes extension-writing code for X.509 non-v3 certificates from
x509write_crt_der. Previously, even if no extensions were present an
empty sequence would have been added.
2017-10-05 07:49:21 +01:00
Hanno Becker
3c89dca09e Omit version from X.509 v1 certificates
The version field in an X.509 certificate is optional and defaults to v1, so it
may be omitted in this case.
2017-10-05 07:39:45 +01:00
Simon Butcher
7d661f83e1 Fix changelog for ssl_server2.c usage fix 2017-10-02 19:22:17 +01:00
Ron Eldor
4ca4fd774d Fix ssl_server2 sample application prompt
FIx the type of server_addr parameter from %d to %s.
Issue reported by Email by Bei Jin
2017-10-02 19:22:04 +01:00
Hanno Becker
ce2c02cca2 Enhance documentation of ssl_set_hostname
(1) Add missing error condition
(2) Specify allowance and effect of of NULL hostname parameter
(3) Describe effect of function on failure

Also, adapt ChangeLog.
2017-10-01 00:00:56 +01:00
Hanno Becker
b9ac47c371 Make ssl_set_hostname safe to be called multiple times
Zeroize and free previously set hostnames before overwriting
them. Also, allow clearance of hostname by providing NULL parameter.
2017-09-30 23:58:45 +01:00
Ron Eldor
a1af31e14a Fix typo in configs/README.txt file
Fix typo in Readme file: ajust->adjust
2017-09-30 21:56:38 +01:00
Hanno Becker
20f4c78f26 Correct parsing checks in pk_parse_key
Two code-paths in `pk_parse_key` returned success on a failure in `pk_setup`.
2017-09-28 16:54:41 +01:00
Hanno Becker
ea65d0377c Adapt ChangeLog 2017-09-28 16:54:41 +01:00
Hanno Becker
1d233391a6 Remove unreachable branches in pkparse.c 2017-09-28 16:54:41 +01:00
Hanno Becker
1f30fa162b Remove unnecessary cast 2017-09-28 16:54:41 +01:00
Hanno Becker
b299a37a72 Add missing calls to pem_free in pk_parse 2017-09-28 16:54:41 +01:00
Hanno Becker
713c9e187f Use in-place decryption in pk_parse_pkcs8_encrypted_der
The stack buffer used to hold the decrypted key in pk_parse_pkcs8_encrypted_der
was statically sized to 2048 bytes, which is not enough for DER encoded 4096bit
RSA keys.

This commit resolves the problem by performing the key-decryption in-place,
circumventing the introduction of another stack or heap copy of the key.

There are two situations where pk_parse_pkcs8_encrypted_der is invoked:
1. When processing a PEM-encoded encrypted key in pk_parse_key.
   This does not need adaption since the PEM context used to hold the decoded
   key is already constructed and owned by pk_parse_key.
2. When processing a DER-encoded encrypted key in pk_parse_key.
   In this case, pk_parse_key calls pk_parse_pkcs8_encrypted_der with
   the buffer provided by the user, which is declared const. The commit
   therefore adds a small code paths making a copy of the keybuffer before
   calling pk_parse_pkcs8_encrypted_der.
2017-09-28 16:54:39 +01:00
Hanno Becker
234d503b3a Adapt ChangeLog 2017-09-28 14:45:35 +01:00
Hanno Becker
2bc85eb7aa Fix extraction of signature-type from PK context instance 2017-09-28 14:43:04 +01:00
Janos Follath
77359c93e4 DHM: Fix dhm_check_range() always returning 0
Although the variable ret was initialised to an error, the
MBEDTLS_MPI_CHK macro was overwriting it. Therefore it ended up being
0 whenewer the bignum computation was successfull and stayed 0
independently of the actual check.
2017-09-21 10:39:35 +01:00
Janos Follath
5f9df9b2ad DHM: Add negative tests for parameter checking
A bug in the dhm_check_range() function makes it pass even when the
parameters are not in the range. This commit adds tests for signalling
this problem as well as a couple of other negative tests.
2017-09-21 10:33:13 +01:00
Andres Amaya Garcia
3d98b97442 Modify zeroize internal buffers in md modules
Modify all the following functions to zeroize an internal buffer before
exiting the function. The buffer could potentially contain confidential
data read from a file.

* md2_file()
* md4_file()
* md5_file()
* ripemd160_file()
* sha1_file()
* sha256_file()
* sha512_file()
2017-09-20 11:47:49 +01:00
Hanno Becker
3674a4865c Guard some tests by presence of default entropy 2017-09-08 10:56:19 +01:00
Hanno Becker
adb9bd23d9 Add internal macro ENTROPY_HAVE_DEFAULT indicating default entropy
This commit adds the macro ENTROPY_HAVE_DEFAULT to the helper test file tests/suites/helpers.function to be able to make
tests depend on the presence of a default entropy source.
2017-09-08 10:53:30 +01:00
Hanno Becker
cffe2daf25 Support negative dependencies in test cases
The entropy test suite uses a negative dependency "depends_on:!CONFIG_FLAG" for one of its tests. This kind of
dependency (running a test only if some configuration flag is not defined) is currently not supported and instead
results in the respective test case being dropped.

This commit adds support for negative dependencies in test cases.
2017-09-08 10:39:07 +01:00
Hanno Becker
65382c38e8 Fix typos in entropy test data 2017-09-08 10:36:26 +01:00
Hanno Becker
8cd5d43639 Initialize RSA context in RSA test suite before first potentially failing operation
The function `rsa_gen_key` from `test_suite_rsa.function` initialized a stack allocated RSA context only after
seeding the CTR DRBG. If the latter operation failed, the cleanup code tried to free the uninitialized RSA context,
potentially resulting in a segmentation fault. Fixes one aspect of #1023.
2017-09-08 10:35:32 +01:00
Ron Eldor
3216c1a82a Fix after Andres comments
Move the include of the configuration file to the begninnig
2017-09-07 17:15:47 +03:00
Ron Eldor
bc3fa39f0e Backport 1.3:Add configuration file in md.h
include *`config.h`* in md.h as MACROS in the header file get ignored.Backport to
Backport of #1055 to mbedtls-1.3
2017-09-07 16:58:41 +03:00
Ron Eldor
27ce0b5ff1 Backport 1.3:Set PEM buffer to zero before freeing it
Set PEM buffer to zero before freeing it, to avoid private keys
being leaked to memory after releasing it.
2017-09-07 11:18:51 +03:00
Simon Butcher
a75a459143 Removed duplication in Changelog 2017-08-10 23:38:10 +01:00
Simon Butcher
03bd0229ab Update version to 1.3.21 2017-08-10 11:52:14 +01:00