Commit Graph

4932 Commits

Author SHA1 Message Date
Hanno Becker
02f632ecce Add truncated HMAC extension tests for DTLS 2017-12-01 10:18:22 +00:00
Hanno Becker
d51bec701b Add missing truncated HMAC test for TLS
The case 'Client disabled, Server enabled' was missing.
2017-12-01 10:18:22 +00:00
Hanno Becker
461cb81a55 Add small packet tests for DTLS
Add a DTLS small packet test for each of the following combinations:
- DTLS version: 1.0 or 1.2
- Encrypt then MAC extension enabled
- Truncated HMAC extension enabled

Large packets tests for DTLS are currently not possible due to parameter
constraints in ssl_server2.
2017-12-01 10:18:22 +00:00
Hanno Becker
0b9d913ac6 Extend large packet tests for TLS
Same as previous commit, but for large packet tests.
2017-12-01 10:18:22 +00:00
Hanno Becker
7aae46c05a Extend small packet tests for TLS
This commit ensures that there is a small packet test for at least any
combination of
- SSL/TLS version: SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2
- Stream cipher (RC4) or Block cipher (AES)
- Usage of Encrypt then MAC extension [TLS only]
- Usage of truncated HMAC extension [TLS only]
2017-12-01 10:18:22 +00:00
Hanno Becker
a83fafa5df Add missing dependencies on trunc HMAC ext in ssl-opt.sh
Noticed that the test cases in ssl-opt.sh exercising the truncated HMAC
extension do not depend on MBEDTLS_SSL_TRUNCATED_HMAC being enabled in
config.h. This commit fixes this.
2017-12-01 10:18:22 +00:00
Hanno Becker
64f0aed966 Don't truncate MAC key when truncated HMAC is negotiated
The truncated HMAC extension as described in
https://tools.ietf.org/html/rfc6066.html#section-7 specifies that when truncated
HMAC is used, only the HMAC output should be truncated, while the HMAC key
generation stays unmodified. This commit fixes Mbed TLS's behavior of also
truncating the key, potentially leading to compatibility issues with peers
running other stacks than Mbed TLS.

Details:
The keys for the MAC are pieces of the keyblock that's generated from the
master secret in `mbedtls_ssl_derive_keys` through the PRF, their size being
specified as the size of the digest used for the MAC, regardless of whether
truncated HMAC is enabled or not.

             /----- MD size ------\ /------- MD size ----\
Keyblock    +----------------------+----------------------+------------------+---
now         |     MAC enc key      |      MAC dec key     |     Enc key      |  ...
(correct)   +----------------------+----------------------+------------------+---

In the previous code, when truncated HMAC was enabled, the HMAC keys
were truncated to 10 bytes:

             /-10 bytes-\  /-10 bytes-\
Keyblock    +-------------+-------------+------------------+---
previously  | MAC enc key | MAC dec key |     Enc key      |  ...
(wrong)     +-------------+-------------+------------------+---

The reason for this was that a single variable `transform->maclen` was used for
both the keysize and the size of the final MAC, and its value was reduced from
the MD size to 10 bytes in case truncated HMAC was negotiated.

This commit fixes this by introducing a temporary variable `mac_key_len` which
permanently holds the MD size irrespective of the presence of truncated HMAC,
and using this temporary to obtain the MAC key chunks from the keyblock.
2017-12-01 10:18:22 +00:00
Gilles Peskine
6ddfa37084 Fix build without MBEDTLS_FS_IO
Fix missing definition of mbedtls_zeroize when MBEDTLS_FS_IO is
disabled in the configuration.

Introduced by d08ae68237
    Merge remote-tracking branch 'upstream-public/pr/1112' into mbedtls-2.1
2017-11-30 12:20:19 +01:00
Gilles Peskine
6cf85ff1a4 Merge branch 'mbedtls-2.1' into mbedtls-2.1-restricted 2017-11-29 21:07:28 +01:00
Gilles Peskine
49349bacb9 Merge remote-tracking branch 'upstream-public/pr/1153' into mbedtls-2.1 2017-11-29 20:53:58 +01:00
Gilles Peskine
f663c22ab7 Merge remote-tracking branch 'upstream-public/pr/916' into mbedtls-2.1 2017-11-29 20:53:44 +01:00
Gilles Peskine
1854a0e0cd Merge branch 'mbedtls-2.1' into mbedtls-2.1-restricted 2017-11-28 18:44:49 +01:00
Gilles Peskine
25aa833ac3 Merge branch 'pr_1082' into mbedtls-2.1 2017-11-28 18:33:50 +01:00
Gilles Peskine
026d18aefa Add ChangeLog entry 2017-11-28 18:33:31 +01:00
Gilles Peskine
283a80d51f Merge remote-tracking branch 'upstream-public/pr/1108' into mbedtls-2.1 2017-11-28 18:31:28 +01:00
Gilles Peskine
31dce36364 Merge remote-tracking branch 'upstream-public/pr/1080' into mbedtls-2.1 2017-11-28 18:30:18 +01:00
Gilles Peskine
a6f6947490 Merge remote-tracking branch 'upstream-public/pr/943' into mbedtls-2.1 2017-11-28 18:28:39 +01:00
Gilles Peskine
dc89416ad9 Merge remote-tracking branch 'upstream-public/pr/996' into mbedtls-2.1 2017-11-28 17:10:10 +01:00
Gilles Peskine
1b8822e9b3 Merge remote-tracking branch 'upstream-restricted/pr/422' into mbedtls-2.1-restricted
Resolved simple conflicts caused by the independent addition of
calls to mbedtls_zeroize with sometimes whitespace or comment
differences.
2017-11-28 16:21:07 +01:00
Gilles Peskine
9aab6995a9 Merge remote-tracking branch 'upstream-restricted/pr/406' into mbedtls-2.1-restricted 2017-11-28 16:19:19 +01:00
Gilles Peskine
5a8fe053d8 Merge remote-tracking branch 'upstream-restricted/pr/401' into mbedtls-2.1-restricted 2017-11-28 14:24:15 +01:00
Gilles Peskine
336b7de48a Merge remote-tracking branch 'upstream-restricted/pr/386' into mbedtls-2.1-restricted 2017-11-28 14:24:05 +01:00
Gilles Peskine
206110dcb9 Merge branch 'iotssl-1419-safermemcmp-volatile_backport-2.1' into mbedtls-2.1-restricted 2017-11-28 13:51:37 +01:00
Gilles Peskine
2f615af5cf add changelog entry 2017-11-28 13:34:24 +01:00
Gilles Peskine
e881a22126 Merge branch 'mbedtls-2.1' into mbedtls-2.1-restricted 2017-11-24 16:06:16 +01:00
Gilles Peskine
d08ae68237 Merge remote-tracking branch 'upstream-public/pr/1112' into mbedtls-2.1 2017-11-24 15:37:29 +01:00
Gilles Peskine
5eb8edc0cb Merge branch 'mbedtls-2.1' into mbedtls-2.1-restricted 2017-11-23 20:11:07 +01:00
Gilles Peskine
7aa24190b4 Merge remote-tracking branch 'upstream-public/pr/1107' into mbedtls-2.1 2017-11-23 20:09:48 +01:00
Gilles Peskine
a90c3da42f Merge branch 'iotssl-1368-unsafe-bounds-check-psk-identity-merge-2.1' into mbedtls-2.1-restricted 2017-11-23 19:06:29 +01:00
Gilles Peskine
86eece9e87 ChangeLog entry for ssl_parse_client_psk_identity fix 2017-11-23 19:04:39 +01:00
Manuel Pégourié-Gonnard
aed00f7bf7 Merge remote-tracking branch 'restricted/pr/417' into mbedtls-2.1-restricted
* restricted/pr/417:
  RSA PSS: remove redundant check; changelog
  RSA PSS: fix first byte check for keys of size 8N+1
  RSA PSS: fix minimum length check for keys of size 8N+1
  RSA: Fix another buffer overflow in PSS signature verification
  RSA: Fix buffer overflow in PSS signature verification
2017-11-23 12:13:49 +01:00
Darryl Green
67bfc5b46c Add tests for invalid private parameter in mbedtls_ecdsa_sign 2017-11-20 17:11:42 +00:00
Darryl Green
1b052e80aa Add checks for private parameter in mbedtls_ecdsa_sign() 2017-11-20 17:11:17 +00:00
Hanno Becker
b09c5721f5 Adapt ChangeLog 2017-11-20 10:43:48 +00:00
Hanno Becker
ce516ff449 Fix heap corruption in ssl_decrypt_buf
Previously, MAC validation for an incoming record proceeded as follows:

1) Make a copy of the MAC contained in the record;
2) Compute the expected MAC in place, overwriting the presented one;
3) Compare both.

This resulted in a record buffer overflow if truncated MAC was used, as in this
case the record buffer only reserved 10 bytes for the MAC, but the MAC
computation routine in 2) always wrote a full digest.

For specially crafted records, this could be used to perform a controlled write of
up to 6 bytes past the boundary of the heap buffer holding the record, thereby
corrupting the heap structures and potentially leading to a crash or remote code
execution.

This commit fixes this by making the following change:
1) Compute the expected MAC in a temporary buffer that has the size of the
   underlying message digest.
2) Compare to this to the MAC contained in the record, potentially
   restricting to the first 10 bytes if truncated HMAC is used.

A similar fix is applied to the encryption routine `ssl_encrypt_buf`.
2017-11-20 10:16:17 +00:00
Manuel Pégourié-Gonnard
ea0aa655f6 Merge branch 'mbedtls-2.1' into mbedtls-2.1-restricted
* mbedtls-2.1:
  Fix typo in asn1.h
  Improve leap year test names in x509parse.data
  Correctly handle leap year in x509_date_is_valid()
  Renegotiation: Add tests for SigAlg ext parsing
  Parse Signature Algorithm ext when renegotiating
  Fix changelog for ssl_server2.c usage fix
  Fix ssl_server2 sample application prompt
  Update ChangeLog for fix to #836
  Enhance documentation of ssl_write_hostname_ext, adapt ChangeLog.
  Enhance documentation of mbedtls_ssl_set_hostname
  Add test case calling ssl_set_hostname twice
  Make mbedtls_ssl_set_hostname safe to be called multiple times
  Fix typo in configs/README.txt file
2017-11-14 08:38:52 +01:00
Hanno Becker
d43764f9d3 Adapt ChangeLog 2017-11-06 15:10:38 +00:00
Hanno Becker
e2ccaddf0a Ensure RSA test suite calls rsa_private with PRNG 2017-11-06 15:10:23 +00:00
Hanno Becker
21f83753f5 Remove signature verification from mbedtls_rsa_rsassa_pkcs1_v15_sign
This is no longer necessary as we're now always verifying the result of rsa_private.
2017-11-06 15:09:33 +00:00
Hanno Becker
de0b70c366 Check precisely for the needed RSA context fields in rsa_private 2017-11-06 15:08:53 +00:00
Hanno Becker
a82f89181c Verify result of RSA private key operation 2017-11-06 15:08:27 +00:00
Hanno Becker
9293592843 Add test case for RSA_NO_CRT to all.sh 2017-11-06 15:07:09 +00:00
Hanno Becker
41f5a0fe97 Ensure that RSA_NO_CRT gets disabled by config.pl full 2017-11-06 15:06:51 +00:00
Hanno Becker
9d5785be8f Clarify use of blinding in RSA private key operations 2017-11-06 15:06:25 +00:00
Ron Eldor
be17ed59d6 Address PR review comments
set `cache->chain` to NULL,
instead of setting the whole structure to zero.
2017-10-30 18:11:38 +02:00
Ron Eldor
5bd272627b Backport 2.1:Fix crash when calling mbedtls_ssl_cache_free twice
Set `cache` to zero at the end of `mbedtls_ssl_cache_free` #1104
2017-10-30 18:09:40 +02:00
Hanno Becker
25e39d38bd Add ChangeLog message for EC private exponent information leak 2017-10-25 15:46:31 +01:00
Hanno Becker
cf873f74d4 Adapt ChangeLog 2017-10-25 15:46:31 +01:00
Hanno Becker
0f49bbc1fc Zeroize stack before returning from mpi_fill_random 2017-10-25 15:46:29 +01:00
Hanno Becker
b3088b4b37 Fix information leak in ecp_gen_keypair_base
The function mbedtls_ecp_gen_keypair_base did not wipe the stack buffer used to
hold the private exponent before returning. This commit fixes this by not using
a stack buffer in the first place but instead calling mpi_fill_random directly
to acquire the necessary random MPI.
2017-10-25 15:44:10 +01:00