Commit Graph

3245 Commits

Author SHA1 Message Date
Andrzej Kurek
5462e02874 ssl_tls: Fix invalid buffer sizes during compression / decompression
Adjust information passed to zlib to include already written data.
2018-04-20 07:58:53 -04:00
Manuel Pégourié-Gonnard
64f5adf9f9 Merge remote-tracking branch 'public/pr/1380' into development-proposed
* public/pr/1380:
  Update ChangeLog for #1380
  Generate RSA keys according to FIPS 186-4
  Generate primes according to FIPS 186-4
  Avoid small private exponents during RSA key generation
2018-04-18 16:13:52 +02:00
Jethro Beekman
c645bfe176 Generate RSA keys according to FIPS 186-4
The specification requires that P and Q are not too close. The specification
also requires that you generate a P and stick with it, generating new Qs until
you have found a pair that works. In practice, it turns out that sometimes a
particular P results in it being very unlikely a Q can be found matching all
the constraints. So we keep the original behavior where a new P and Q are
generated every round.
2018-04-11 08:38:37 -07:00
Jethro Beekman
666892792d Generate primes according to FIPS 186-4
The specification requires that numbers are the raw entropy (except for odd/
even) and at least 2^(nbits-0.5). If not, new random bits need to be used for
the next number. Similarly, if the number is not prime new random bits need to
be used.
2018-04-11 08:38:37 -07:00
Jethro Beekman
97f95c9ef3 Avoid small private exponents during RSA key generation
Attacks against RSA exist for small D. [Wiener] established this for
D < N^0.25. [Boneh] suggests the bound should be N^0.5.

Multiple possible values of D might exist for the same set of E, P, Q. The
attack works when there exists any possible D that is small. To make sure that
the generated key is not susceptible to attack, we need to make sure we have
found the smallest possible D, and then check that D is big enough. The
Carmichael function λ of p*q is lcm(p-1, q-1), so we can apply Carmichael's
theorem to show that D = d mod λ(n) is the smallest.

[Wiener] Michael J. Wiener, "Cryptanalysis of Short RSA Secret Exponents"
[Boneh] Dan Boneh and Glenn Durfee, "Cryptanalysis of RSA with Private Key d Less than N^0.292"
2018-04-11 08:38:37 -07:00
Manuel Pégourié-Gonnard
4ca9a45756 Merge remote-tracking branch 'public/pr/1560' into development-proposed
* public/pr/1560:
  Warn if using a memory sanitizer on AESNI
2018-04-11 13:06:30 +02:00
Gilles Peskine
5053efde33 Warn if using a memory sanitizer on AESNI
Clang-Msan is known to report spurious errors when MBEDTLS_AESNI_C is
enabled, due to the use of assembly code. The error reports don't
mention AES, so they can be difficult to trace back to the use of
AES-NI. Warn about this potential problem at compile time.
2018-04-05 15:37:38 +02:00
Gilles Peskine
ec4733b645 Make the memset call prior to FD_ZERO conditional to needing it
Zeroing out an fd_set before calling FD_ZERO on it is in principle
useless, but without it some memory sanitizers think the fd_set is
still uninitialized after FD_ZERO (e.g. clang-msan/Glibc/x86_64 where
FD_ZERO is implemented in assembly). Make the zeroing conditional on
using a memory sanitizer.
2018-04-05 14:55:47 +02:00
Gilles Peskine
80aa3b8d65 Merge branch 'pr_946' into development-proposed 2018-04-04 10:33:45 +02:00
Gilles Peskine
73db8380ca Merge remote-tracking branch 'upstream-public/pr/1547' into development-proposed 2018-04-04 09:19:12 +02:00
Gilles Peskine
be2371c3d9 Merge branch 'pr_348' into development-proposed 2018-04-04 09:18:27 +02:00
Gilles Peskine
a09453f495 Merge branch 'pr_1395' into development-proposed 2018-04-04 09:14:12 +02:00
Gilles Peskine
1fae860f0f Merge remote-tracking branch 'upstream-public/pr/1543' into development-proposed 2018-04-04 09:03:25 +02:00
Hanno Becker
f4e5b7e87d Additionally initialize fd_set's via memset in mbedtls_net_poll
The initialization via FD_SET is not seen by memory sanitizers if
FD_SET is implemented through assembly. Additionally zeroizing the
respective fd_set's before calling FD_SET contents the sanitizers
and comes at a negligible computational overhead.
2018-04-03 16:28:09 +01:00
mohammad1603
19d392b258 Fix compatibility problem in the printed message
Replace %zu with %lu and add cast for the printed value.
2018-04-02 07:35:50 -07:00
Gilles Peskine
90a8b5219f Merge branch 'pr_1480' into development-proposed 2018-04-01 12:44:06 +02:00
Gilles Peskine
0ed632f445 Merge remote-tracking branch 'upstream-public/pr/1499' into development-proposed 2018-04-01 12:41:22 +02:00
Gilles Peskine
695d557dcf Merge branch 'pr_1180' into development-proposed 2018-04-01 12:26:36 +02:00
Gilles Peskine
039fd12834 Robustness fix in mbedtls_ssl_derive_keys
In mbedtls_ssl_derive_keys, don't call mbedtls_md_hmac_starts in
ciphersuites that don't use HMAC. This doesn't change the behavior of
the code, but avoids relying on an uncaught error when attempting to
start an HMAC operation that hadn't been initialized.
2018-03-31 22:53:49 +02:00
Gilles Peskine
cc78ac46e7 Update error.c 2018-03-30 18:52:10 +02:00
Gilles Peskine
5114d3e4e1 Clarify the use of MBEDTLS_ERR_PK_SIG_LEN_MISMATCH
Clarify what MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH and
MBEDTLS_ERR_PK_SIG_LEN_MISMATCH mean. Add comments to highlight that
this indicates that a valid signature is present, unlike other error
codes. See
https://github.com/ARMmbed/mbedtls/pull/1149#discussion_r178130705
2018-03-30 18:43:16 +02:00
Nicholas Wilson
08f3ef1861 Basic support for Curve448, similar to the current level of support for Curve25519 2018-03-29 14:29:06 +01:00
Jaeden Amero
2ad47e3bcc Merge remote-tracking branch 'upstream-public/pr/1528' into development-proposed 2018-03-29 11:00:50 +01:00
Jaeden Amero
78a03ec230 Merge remote-tracking branch 'upstream-public/pr/1379' into development-proposed 2018-03-29 10:57:57 +01:00
mohammad1603
52aecb9a7f Check whether INT_MAX larger than SIZE_MAX scenario
Check whether INT_MAX larger than SIZE_MAX scenario
2018-03-28 23:41:40 -07:00
Jaeden Amero
90226be779 Merge remote-tracking branch 'upstream-public/pr/1467' into development-proposed 2018-03-28 15:35:22 +01:00
Jaeden Amero
2843d21d99 Merge remote-tracking branch 'upstream-public/pr/1523' into development-proposed 2018-03-28 15:32:13 +01:00
Hanno Becker
2bd57578af Merge branch 'development' into iotssl-1204 2018-03-28 14:52:35 +01:00
Jaeden Amero
5ec118352e Merge remote-tracking branch 'upstream-public/pr/1474' into development-proposed 2018-03-28 14:22:29 +01:00
Jaeden Amero
552b9cc5ba Merge remote-tracking branch 'upstream-public/pr/1477' into development-proposed 2018-03-28 13:42:32 +01:00
Jaeden Amero
8645e90825 Merge remote-tracking branch 'upstream-restricted/pr/363' into development-proposed 2018-03-28 11:54:28 +01:00
Manuel Pégourié-Gonnard
18b78435dc Fix a typo in a comment 2018-03-28 11:14:06 +02:00
Nicholas Wilson
54fc34ea68 Include order of Curve25519 base point in curve data 2018-03-28 11:08:30 +02:00
Andres Amaya Garcia
af9a486b01 Fix coding style in pkcs5.c preprocessor directives 2018-03-27 20:53:12 +01:00
Marcos Del Sol Vives
8a0dfacb58 Compile PBES2 in PKCS5 only if ASN1 is enabled 2018-03-27 20:15:33 +01:00
Andy Leiserson
79e7789d44 return plaintext data faster on unpadded decryption 2018-03-27 10:55:24 -07:00
Jaeden Amero
fba16f782c Merge remote-tracking branch 'upstream-public/pr/572' into development-proposed 2018-03-27 16:42:20 +01:00
Andres Amaya Garcia
ceed91b72c Allow overriding ar param prefix in library/Makefile 2018-03-25 23:48:39 +01:00
Andres Amaya Garcia
873f15d70d Make DLEXT var configurable in library/Makefile 2018-03-25 23:47:15 +01:00
Jaeden Amero
f65379bc40 Merge remote-tracking branch 'upstream-restricted/pr/382' into development 2018-03-23 11:14:17 +00:00
Gilles Peskine
15ad579895 Merge tag 'mbedtls-2.8.0' into iotssl-1381-x509-verify-refactor-restricted
Conflict resolution:

* ChangeLog
* tests/data_files/Makefile: concurrent additions, order irrelevant
* tests/data_files/test-ca.opensslconf: concurrent additions, order irrelevant
* tests/scripts/all.sh: one comment change conflicted with a code
  addition. In addition some of the additions in the
  iotssl-1381-x509-verify-refactor-restricted branch need support for
  keep-going mode, this will be added in a subsequent commit.
2018-03-23 02:16:22 +01:00
Jethro Beekman
d2df936e67 Fix parsing of PKCS#8 encoded Elliptic Curve keys.
The relevant ASN.1 definitions for a PKCS#8 encoded Elliptic Curve key are:

PrivateKeyInfo ::= SEQUENCE {
  version                   Version,
  privateKeyAlgorithm       PrivateKeyAlgorithmIdentifier,
  privateKey                PrivateKey,
  attributes           [0]  IMPLICIT Attributes OPTIONAL
}

AlgorithmIdentifier  ::=  SEQUENCE  {
  algorithm   OBJECT IDENTIFIER,
  parameters  ANY DEFINED BY algorithm OPTIONAL
}

ECParameters ::= CHOICE {
  namedCurve         OBJECT IDENTIFIER
  -- implicitCurve   NULL
  -- specifiedCurve  SpecifiedECDomain
}

ECPrivateKey ::= SEQUENCE {
  version        INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
  privateKey     OCTET STRING,
  parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
  publicKey  [1] BIT STRING OPTIONAL
}

Because of the two optional fields, there are 4 possible variants that need to
be parsed: no optional fields, only parameters, only public key, and both
optional fields. Previously mbedTLS was unable to parse keys with "only
parameters". Also, only "only public key" was tested. There was a test for "no
optional fields", but it was labelled incorrectly as SEC.1 and not run because
of a great renaming mixup.
2018-03-22 18:01:18 -07:00
Gilles Peskine
a7b34c7810 Merge remote-tracking branch 'upstream-public/pr/1406' into development-proposed 2018-03-22 21:52:48 +01:00
Gilles Peskine
f15a8beacf Merge remote-tracking branch 'upstream-public/pr/1256' into development-proposed 2018-03-22 21:51:53 +01:00
Gilles Peskine
0818540ff7 Merge branch 'pr_726' into development-proposed 2018-03-22 21:50:48 +01:00
Gilles Peskine
5bdb671404 Merge branch 'pr_403' into development-proposed 2018-03-22 21:34:15 +01:00
mohammad1603
b878805919 Verify that f_send and f_recv send and receive the expected length
Verify that f_send and f_recv send and receive the expected length
2018-03-22 02:58:23 -07:00
Gilles Peskine
4e4be7cf62 Optimize unnecessary zeorizing in mbedtls_mpi_copy
Based on a contribution by Alexey Skalozub
(https://github.com/ARMmbed/mbedtls/pull/405).
2018-03-21 16:29:03 +01:00
Gergely Budai
13f7fb372e Do not define and initialize global mutexes on configurations that do not use them. 2018-03-21 15:01:55 +00:00
Azim Khan
27e8a120b2 Assign NULL after freeing psk and psk_identity 2018-03-21 14:24:11 +00:00