Commit Graph

1517 Commits

Author SHA1 Message Date
Gilles Peskine
df6f3dd9b0 Merge remote-tracking branch 'upstream-restricted/pr/430' into mbedtls-2.1-restricted-proposed 2018-03-13 17:28:42 +01:00
Gilles Peskine
8c1217984b Merge remote-tracking branch 'upstream-restricted/pr/360' into mbedtls-2.1-restricted-proposed
Conflicts:
* scripts/config.pl: reconciled parallel edits in a comment.
2018-03-13 17:26:49 +01:00
Gilles Peskine
5e533f43ee Merge remote-tracking branch 'upstream-public/pr/1373' into mbedtls-2.1-proposed 2018-03-12 23:51:50 +01:00
Gilles Peskine
9a00ef3cf1 Merge branch 'pr_953' into HEAD 2018-03-11 00:52:24 +01:00
Gilles Peskine
af18faca22 Merge remote-tracking branch 'upstream-public/pr/937' into mbedtls-2.1-proposed 2018-03-10 23:52:22 +01:00
Gilles Peskine
ca4efdd0ad Refer to X.690 by number
It's easier to identify and find by number than by its very wordy
title, especially as there was a typo in the title.
2018-03-08 18:16:45 +01:00
Gilles Peskine
25ec9cc9b3 Merge branch 'prr_428' into mbedtls-2.1-proposed 2018-02-22 16:24:13 +01:00
Gilles Peskine
2e50efad44 Merge remote-tracking branch 'upstream-public/pr/1334' into mbedtls-2.1-proposed 2018-02-14 15:13:37 +01:00
Antonio Quartulli
b9e3c6d9c6 pkcs5v2: add support for additional hmacSHA algorithms
Currently only SHA1 is supported as PRF algorithm for PBKDF2
(PKCS#5 v2.0).
This means that keys encrypted and authenticated using
another algorithm of the SHA family cannot be decrypted.

This deficiency has become particularly incumbent now that
PKIs created with OpenSSL1.1 are encrypting keys using
hmacSHA256 by default (OpenSSL1.0 used PKCS#5 v1.0 by default
and even if v2 was forced, it would still use hmacSHA1).

Enable support for all the digest algorithms of the SHA
family for PKCS#5 v2.0.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2018-02-14 11:12:58 +01:00
Jaeden Amero
f885c81f15 Update version to 2.1.10 2018-02-02 18:10:05 +00:00
Jaeden Amero
4913826aff Merge branch 'mbedtls-2.1' into mbedtls-2.1-restricted 2018-01-30 17:33:25 +00:00
Hanno Becker
15e4951651 Add documentation warnings for weak algorithms
MD2, MD4, MD5, DES and SHA-1 are considered weak and their use
constitutes a security risk. If possible, we recommend avoiding
dependencies on them, and considering stronger message digests and
ciphers instead.
2018-01-30 10:39:32 +00:00
James Cowgill
ca20ced208 Fix segfault on x32 by using better register constraints in bn_mul.h
On x32, pointers are only 4-bytes wide and need to be loaded using the "movl"
instruction instead of "movq" to avoid loading garbage into the register.

The MULADDC routines for x86-64 are adjusted to work on x32 as well by getting
gcc to load all the registers for us in advance (and storing them later) by
using better register constraints. The b, c, D and S constraints correspond to
the rbx, rcx, rdi and rsi registers respectively.
2018-01-29 21:54:26 +01:00
Jaeden Amero
bfafd12789 Merge remote-tracking branch 'upstream-restricted/pr/414' into mbedtls-2.1-restricted 2018-01-26 18:09:14 +00:00
Ron Eldor
1ac9aa7085 Set correct minimal versions in default conf
Set `MBEDTLS_SSL_MIN_MAJOR_VERSION` and `MBEDTLS_SSL_MIN_MINOR_VERSION`
instead of `MBEDTLS_SSL_MAJOR_VERSION_3` and `MBEDTLS_SSL_MINOR_VERSION_1`
2018-01-22 22:03:12 +01:00
Manuel Pégourié-Gonnard
c313e7e679 Merge branch 'mbedtls-2.1' into mbedtls-2.1-restricted
* mbedtls-2.1:
  selftest: fix build error in some configurations
  Timing self test: shorten redundant tests
  Timing self test: increased duration
  Timing self test: increased tolerance
  selftest: allow excluding a subset of the tests
  selftest: allow running a subset of the tests
  selftest: fixed an erroneous return code
  selftest: refactor to separate the list of tests from the logic
  Timing self test: print some diagnosis information
  mbedtls_timing_get_timer: don't use uninitialized memory
  timing interface documentation: minor clarifications
  Timing: fix mbedtls_set_alarm(0) on Unix/POSIX
2017-12-26 10:43:51 +01:00
Gilles Peskine
b29e70bb01 mbedtls_timing_get_timer: don't use uninitialized memory
mbedtls_timing_get_timer with reset=1 is called both to initialize a
timer object and to reset an already-initialized object. In an
initial call, the content of the data structure is indeterminate, so
the code should not read from it. This could crash if signed overflows
trap, for example.

As a consequence, on reset, we can't return the previously elapsed
time as was previously done on Windows. Return 0 as was done on Unix.
2017-12-20 19:33:48 +01:00
Gilles Peskine
02c3167b40 timing interface documentation: minor clarifications 2017-12-20 19:33:42 +01:00
Manuel Pégourié-Gonnard
451ea75286 Merge remote-tracking branch 'restricted/pr/412' into mbedtls-2.1-restricted
* restricted/pr/412:
  Correct record header size in case of TLS
  Don't allocate space for DTLS header if DTLS is disabled
  Improve debugging output
  Adapt ChangeLog
  Add run-time check for handshake message size in ssl_write_record
  Add run-time check for record content size in ssl_encrypt_buf
  Add compile-time checks for size of record content and payload
2017-12-19 11:33:07 +01:00
Hanno Becker
e40802aebc Correct record header size in case of TLS
The previous commit reduced the internal header size to 5 bytes in case of
TLS. This is not a valid since in that situation Mbed TLS internally uses the
first 8 bytes of the message buffer for the implicit record sequence number.
2017-12-07 08:27:56 +00:00
Andres Amaya Garcia
a45d2ef957 Define ASN1 bitmask macros in more direct way 2017-12-01 21:42:19 +01:00
Andres Amaya Garcia
45a556501c Add macros to ASN.1 module to parse ASN.1 tags
The macros simply extract the component bits of an ASN.1 tag value
2017-12-01 21:42:19 +01:00
Hanno Becker
7862cd0ca4 Remove deprecation statement for TRUNC_HMAC_COMPAT from config.h 2017-12-01 17:10:31 +00:00
Hanno Becker
e53dc43d3a Deprecate MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT 2017-12-01 10:20:47 +00:00
Hanno Becker
adb30b9453 Improve documentation of MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT option
Explain more clearly when this option should be used and which versions of Mbed
TLS build on the non-compliant implementation.
2017-12-01 10:20:44 +00:00
Hanno Becker
053b3459d4 Add fallback to non-compliant truncated HMAC for compatibiltiy
In case truncated HMAC must be used but the Mbed TLS peer hasn't been updated
yet, one can use the compile-time option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT to
temporarily fall back to the old, non-compliant implementation of the truncated
HMAC extension.
2017-12-01 10:18:41 +00:00
Gilles Peskine
1854a0e0cd Merge branch 'mbedtls-2.1' into mbedtls-2.1-restricted 2017-11-28 18:44:49 +01:00
Gilles Peskine
31dce36364 Merge remote-tracking branch 'upstream-public/pr/1080' into mbedtls-2.1 2017-11-28 18:30:18 +01:00
Gilles Peskine
1b8822e9b3 Merge remote-tracking branch 'upstream-restricted/pr/422' into mbedtls-2.1-restricted
Resolved simple conflicts caused by the independent addition of
calls to mbedtls_zeroize with sometimes whitespace or comment
differences.
2017-11-28 16:21:07 +01:00
Gilles Peskine
206110dcb9 Merge branch 'iotssl-1419-safermemcmp-volatile_backport-2.1' into mbedtls-2.1-restricted 2017-11-28 13:51:37 +01:00
Hanno Becker
9d5785be8f Clarify use of blinding in RSA private key operations 2017-11-06 15:06:25 +00:00
Hanno Becker
cb2ba29c49 Mention that mpi_fill_random interprets PRNG output as big-endian 2017-10-25 15:44:10 +01:00
Hanno Becker
469e93c0f6 Add warning on the use of RFC 5114 primes 2017-10-16 09:21:33 +01:00
Andres Amaya Garcia
fe7fd6e8dc Fix typo in asn1.h 2017-10-12 22:42:04 +01:00
Hanno Becker
0ca15967d1 Don't allocate space for DTLS header if DTLS is disabled 2017-10-04 14:15:53 +01:00
Hanno Becker
6499bedfa8 Add compile-time checks for size of record content and payload 2017-10-04 14:15:30 +01:00
Hanno Becker
c7845e51f3 Enhance documentation of ssl_write_hostname_ext, adapt ChangeLog.
Add a reference to the relevant RFC, adapt ChangeLog.
2017-09-30 23:49:01 +01:00
Hanno Becker
7891da28ea Enhance documentation of mbedtls_ssl_set_hostname
(1) Add missing error condition
(2) Specify allowance and effect of of NULL hostname parameter
(3) Describe effect of function on failure
2017-09-30 23:48:01 +01:00
Ron Eldor
00cb3af4ab Backport 2.1:Add configuration file in md.h
include `*config.h*` in md.h as MACROS in the header file get ignored.
Fix for #1001.
2017-09-07 14:42:51 +03:00
Simon Butcher
1fe5e8ab44 Update version number to 2.1.9 2017-08-10 11:51:47 +01:00
Hanno Becker
6ad82d714f Rename time and index parameter to avoid name conflict.
As noted in #557, several functions use 'index' resp. 'time'
as parameter names in their declaration and/or definition, causing name
conflicts with the functions in the C standard library of the same
name some compilers warn about.

This commit renames the arguments accordingly.
2017-07-28 22:14:55 +01:00
Manuel Pégourié-Gonnard
f2269b0579 Update doc of return value of verify() 2017-07-28 12:20:48 +01:00
Manuel Pégourié-Gonnard
c386317298 Only return VERIFY_FAILED from a single point
Everything else is a fatal error. Also improve documentation about that for
the vrfy callback.
2017-07-28 12:20:48 +01:00
Hanno Becker
cea8b53680 Improve documentation of PKCS1 decryption functions
Document the preconditions on the input and output buffers for
the PKCS1 decryption functions
- mbedtls_rsa_pkcs1_decrypt,
- mbedtls_rsa_rsaes_pkcs1_v15_decrypt
- mbedtls_rsa_rsaes_oaep_decrypt
2017-07-19 01:49:45 +01:00
Hanno Becker
f2e16336d5 Prevent clever optimization to prematurely quit loop in safe memcmp
The previous version of `mbedtls_ssl_safer_memcmp` did not qualify the
pointers to the arrays to be compared as volatile, theoretically
opening the possibility for the compiler to notice that the loop
operation `diff |= A[i] ^ B[i]` is pointless if `diff = -1`. This
commit changes this. It also declares the stack variable `diff` as
volatile, to force read and write in every loop; omitting that, the
compiler would still be allowed to get away with reading `A[i]` and
`B[i]` but not doing the XOR and not updating `diff`.
2017-06-26 13:35:45 +01:00
Simon Butcher
fbb9837ad5 Update the version number to 2.1.8 2017-06-20 23:31:06 +01:00
Hanno Becker
499391a02d Undo API change
The previous commit b3e6872c93 changed
to public functions from ssl_ciphersuite.h to static inline. This
commit reverts this change.
2017-06-20 19:33:51 +01:00
Manuel Pégourié-Gonnard
89930b354c Merge remote-tracking branch 'restricted/iotssl-1398_backport-2.1' into mbedtls-2.1-restricted
* restricted/iotssl-1398_backport-2.1:
  Add ChangeLog entry
  Ensure application data records are not kept when fully processed
  Add hard assertion to mbedtls_ssl_read_record_layer
  Fix mbedtls_ssl_read
  Simplify retaining of messages for future processing
2017-06-09 15:06:31 +02:00
Manuel Pégourié-Gonnard
640edc7810 Merge remote-tracking branch 'hanno/mpi_read_file_underflow_backport-2.1' into mbedtls-2.1
* hanno/mpi_read_file_underflow_backport-2.1:
  Fix potential stack underflow in mpi_read_file.
2017-06-08 19:51:19 +02:00
Manuel Pégourié-Gonnard
ebe391d1cd Merge remote-tracking branch 'hanno/sliding_exponentiation_backport-2.1' into mbedtls-2.1
* hanno/sliding_exponentiation_backport-2.1:
  Adapt ChangeLog
  Abort modular inversion when modulus is one.
  Correct sign in modular exponentiation algorithm.
2017-06-08 19:49:50 +02:00