Commit Graph

6511 Commits

Author SHA1 Message Date
Darryl Green
56d7cc472f Fix bias in random number generation in Miller-Rabin test
When a random number is generated for the Miller-Rabin primality test,
if the bit length of the random number is larger than the number being
tested, the random number is shifted right to have the same bit length.
This introduces bias, as the random number is now guaranteed to be
larger than 2^(bit length-1).

Changing this to instead zero all bits higher than the tested numbers
bit length will remove this bias and keep the random number being
uniformly generated.
2018-10-19 09:21:15 +01:00
Janos Follath
8d3fb2e167 Changelog: Add entry for prime validation fix 2018-10-19 09:21:15 +01:00
Janos Follath
0b74161502 Bignum: Add tests for primality testing
Primality tests have to deal with different distribution when generating
primes and when validating primes.
These new tests are testing if mbedtls_mpi_is_prime() is working
properly in the latter setting.

The new tests involve pseudoprimes with maximum number of
non-witnesses. The non-witnesses were generated by printing them
from mpi_miller_rabin(). The pseudoprimes were generated by the
following function:

void gen_monier( mbedtls_mpi* res, int nbits )
{
    mbedtls_mpi p_2x_plus_1, p_4x_plus_1, x, tmp;

    mbedtls_mpi_init( &p_2x_plus_1 );
    mbedtls_mpi_init( &p_4x_plus_1 );
    mbedtls_mpi_init( &x ); mbedtls_mpi_init( &tmp );

    do
    {
        mbedtls_mpi_gen_prime( &p_2x_plus_1, nbits >> 1, 0,
                               rnd_std_rand, NULL );
        mbedtls_mpi_sub_int( &x, &p_2x_plus_1, 1 );
        mbedtls_mpi_div_int( &x, &tmp, &x, 2 );

        if( mbedtls_mpi_get_bit( &x, 0 ) == 0 )
            continue;

        mbedtls_mpi_mul_int( &p_4x_plus_1, &x, 4 );
        mbedtls_mpi_add_int( &p_4x_plus_1, &p_4x_plus_1, 1 );

        if( mbedtls_mpi_is_prime( &p_4x_plus_1, rnd_std_rand,
                                  NULL ) == 0 )
            break;

    } while( 1 );

    mbedtls_mpi_mul_mpi( res, &p_2x_plus_1, &p_4x_plus_1 );
}
2018-10-19 09:21:15 +01:00
Janos Follath
72d555dd7c Bignum: Fix prime validation vulnerability
The input distribution to primality testing functions is completely
different when used for generating primes and when for validating
primes. The constants used in the library are geared towards the prime
generation use case and are weak when used for validation. (Maliciously
constructed composite numbers can pass the test with high probability)

The mbedtls_mpi_is_prime() function is in the public API and although it
is not documented, it is reasonable to assume that the primary use case
is validating primes. The RSA module too uses it for validating key
material.
2018-10-11 15:38:46 +01:00
Janos Follath
b39740e934 Bignum: Remove dead code
Both variables affected by the code are overwritten before their next
read.
2018-10-08 12:06:45 +01:00
Simon Butcher
7a539a57d7 Merge remote-tracking branch 'public/pr/1812' into mbedtls-2.7 2018-09-27 17:19:29 +01:00
Simon Butcher
f73b437fc6 Add ChangeLog entry for PR #1812 2018-09-26 22:59:42 +01:00
Simon Butcher
fa5054ffab Fix ChangeLog entry for PR #1972 2018-09-26 22:59:31 +01:00
Andrzej Kurek
c895821766 ssl-opt.sh: change expected output for large srv packet test with SSLv3
This test also exercises a protection against BEAST
and should expect message splitting.
2018-09-26 22:53:13 +01:00
Andrzej Kurek
3d5cd4ec0a Remove trailing whitespace 2018-09-26 22:53:13 +01:00
Andrzej Kurek
216b40de9b ssl_server2: add buffer overhead for a termination character
Switch to mbedtls style of memory allocation
2018-09-26 22:53:12 +01:00
Andrzej Kurek
d731a6348a Add missing large and small packet tests for ssl_server2 2018-09-26 22:53:12 +01:00
Andrzej Kurek
557335e56d Added buffer_size and response_size options for ssl-server2.
Added appropriate tests.
2018-09-26 22:53:12 +01:00
Simon Butcher
651902d062 Merge remote-tracking branch 'public/pr/1972' into mbedtls-2.7 2018-09-26 22:35:51 +01:00
Simon Butcher
9863afc5e2 Merge remote-tracking branch 'public/pr/1899' into mbedtls-2.7 2018-09-26 22:00:02 +01:00
Simon Butcher
d6a63f4ca5 Clarified ChangeLog entry
ChangeLog entry for backport of #1890 was misleading, so corrected it.
2018-09-13 11:59:03 +01:00
Simon Butcher
eee169a082
Merge pull request #506 from sbutcher-arm/mbedtls-version-2.7.6
Update library version number to 2.7.6
2018-08-31 17:29:24 +01:00
Simon Butcher
34997fd291 Update library version number to 2.7.6 2018-08-31 16:07:23 +01:00
Simon Butcher
a36fe37429 Revised and clarified ChangeLog
Minor changes to fix language, merge mistakes and incorrect classifications of
changes.
2018-08-31 12:00:58 +01:00
Andrzej Kurek
77798b9f2d ssl-opt.sh: change expected output for large srv packet test with SSLv3
This test also exercises a protection against BEAST
and should expect message splitting.
2018-08-29 07:05:59 -04:00
Andrzej Kurek
0d50aeb4d4 Remove trailing whitespace 2018-08-29 07:05:44 -04:00
Andrzej Kurek
fb764931ee ssl_server2: add buffer overhead for a termination character
Switch to mbedtls style of memory allocation
2018-08-29 07:05:44 -04:00
Andrzej Kurek
d5ab1883b7 Add missing large and small packet tests for ssl_server2 2018-08-29 07:05:44 -04:00
Andrzej Kurek
6b3ec17463 Added buffer_size and response_size options for ssl-server2.
Added appropriate tests.
2018-08-29 07:05:44 -04:00
Simon Butcher
9877efb401 Merge remote-tracking branch 'restricted/pr/437' into mbedtls-2.7-restricted 2018-08-28 15:34:28 +01:00
Simon Butcher
242169bdc3 Merge remote-tracking branch 'restricted/pr/498' into mbedtls-2.7-restricted 2018-08-28 15:29:55 +01:00
Simon Butcher
6910201cd1 Merge remote-tracking branch 'restricted/pr/493' into mbedtls-2.7-restricted 2018-08-28 15:23:39 +01:00
Simon Butcher
fbd0ccc0f0 Merge remote-tracking branch 'public/pr/1978' into mbedtls-2.7 2018-08-28 12:32:21 +01:00
Simon Butcher
4102b3d377 Merge remote-tracking branch 'public/pr/1888' into mbedtls-2.7 2018-08-28 12:25:12 +01:00
Simon Butcher
cc4f58d08c Merge remote-tracking branch 'public/pr/1956' into mbedtls-2.7 2018-08-28 12:16:11 +01:00
Simon Butcher
f7be6b029e Merge remote-tracking branch 'public/pr/1960' into mbedtls-2.7 2018-08-28 11:51:56 +01:00
Simon Butcher
040cff9895 Merge remote-tracking branch 'public/pr/1974' into mbedtls-2.7 2018-08-28 10:20:37 +01:00
Simon Butcher
b6cf145b7a Merge remote-tracking branch 'public/pr/1981' into mbedtls-2.7 2018-08-28 10:18:32 +01:00
Hanno Becker
063c50df8a pk_encrypt: Uniformize debugging output 2018-08-23 15:57:15 +01:00
Hanno Becker
45d006a9cc Fix typos in programs/x509/cert_write.c
Fixes #1922.
2018-08-23 15:27:21 +01:00
Hanno Becker
6953ac2dbe Minor formatting improvements in pk_encrypt and pk_decrypt examples 2018-08-23 15:14:52 +01:00
Hanno Becker
20b5d14b28 Adapt ChangeLog 2018-08-23 15:14:51 +01:00
Hanno Becker
a82a6e126d Correct memory leak in pk_decrypt example program 2018-08-23 15:14:50 +01:00
Hanno Becker
20fce25f28 Correct memory-leak in pk_encrypt example program 2018-08-23 15:14:50 +01:00
Hanno Becker
dc6c0e49ad ssl-opt.sh: Preserve proxy log, too, if --preserve-logs is specified 2018-08-22 15:24:25 +01:00
Hanno Becker
4d646a60bd Adapt ChangeLog 2018-08-22 15:11:28 +01:00
Hanno Becker
b554636236 ssl-opt.sh: Add DTLS session resumption tests
Fixes #1969.
2018-08-22 15:07:31 +01:00
Hanno Becker
6c794faa46 Fix bug in SSL ticket implementation removing keys of age < 1s
Fixes #1968.
2018-08-22 14:58:31 +01:00
Jaeden Amero
e4d14208aa Merge remote-tracking branch 'upstream-public/pr/1953' into mbedtls-2.7 2018-08-17 15:31:58 +01:00
Hanno Becker
12f7ede56e Compute record expansion in steps to ease readability 2018-08-17 15:30:03 +01:00
Jaeden Amero
ab397dd47c Merge remote-tracking branch 'upstream-public/pr/1944' into mbedtls-2.7 2018-08-17 14:27:06 +01:00
Hanno Becker
f38db01c42 Adapt ChangeLog 2018-08-17 10:12:23 +01:00
Hanno Becker
dbd3e88479 Fix mbedtls_ssl_get_record_expansion() for CBC modes
`mbedtls_ssl_get_record_expansion()` is supposed to return the maximum
difference between the size of a protected record and the size of the
encapsulated plaintext.

Previously, it did not correctly estimate the maximum record expansion
in case of CBC ciphersuites in (D)TLS versions 1.1 and higher, in which
case the ciphertext is prefixed by an explicit IV.

This commit fixes this bug. Fixes #1914.
2018-08-17 10:12:21 +01:00
Hanno Becker
517e84a0e3 Improve ChangeLog wording for the commmit that Fixes #1954. 2018-08-17 10:04:08 +01:00
Hanno Becker
3a333a58ba Add tests for empty CA list in CertificateRequest, TLS 1.0 & 1.1 2018-08-17 10:04:08 +01:00