Commit Graph

5187 Commits

Author SHA1 Message Date
Hanno Becker
6ac972d815 Style correction in test_suite_pk.function 2017-09-07 13:10:44 +01:00
Hanno Becker
936f72c641 Disable MBEDTLS_RSA_FORCE_BLINDING by default
This commit disables the new MBEDTLS_RSA_FORCE_BLINDING option by default to preserve backwards
compatibility. Further, it deprecates disabling to prepare for a future release in which blinding will be
unconditionally enforced.
2017-09-07 13:09:58 +01:00
Hanno Becker
cc209ca56d Remove signature verification from rsa_rsassa_pkcs1_v15_sign
This verification path is redundant now that verification is uniformly done in
rsa_private.
2017-08-25 11:52:29 +01:00
Hanno Becker
43f94721ab Add quick-check for presence of relevant parameters in rsa_private 2017-08-25 11:52:27 +01:00
Hanno Becker
c6075cc5ac Don't use CRT for signature verification
If CRT is not used, the helper fields CRT are not assumed to be present in the
RSA context structure, so do the verification directly in this case. If CRT is
used, verification could be done using CRT, but we're sticking to ordinary
verification for uniformity.
2017-08-25 11:45:35 +01:00
Hanno Becker
9f4e670b14 Correct documentation for RSA_FORCE_BLINDING option 2017-06-12 10:23:19 +01:00
Hanno Becker
b624b85b04 Adapt ChangeLog 2017-06-09 13:29:53 +01:00
Hanno Becker
06811ced27 Put configuration options for RSA blinding and verification to work. 2017-06-09 13:29:53 +01:00
Hanno Becker
a540068a56 Modify PK test suite to provide PRNG to RSA signature function
To prepare for the option of mandatory blinding, this commit changes
the PK test suite to always call signature functions with a PRNG.
2017-06-09 13:29:53 +01:00
Hanno Becker
5bc8729b9e Correct memory leak in RSA self test
The RSA self test didn't free the RSA context on failure.
2017-06-09 13:29:53 +01:00
Hanno Becker
88ec2381d6 Add configuration options for verification and blinding
This commit defines some configuration options to control the
mandatory use of blinding and verification in RSA private key
operations.
2017-06-09 13:29:48 +01:00
Manuel Pégourié-Gonnard
c44c3c288d Merge remote-tracking branch 'janos/iotssl-1156-ecdsa-sample-and-doc-clarification' into development
* janos/iotssl-1156-ecdsa-sample-and-doc-clarification:
  Clarify the use of ECDSA API
2017-06-08 10:16:54 +02:00
Manuel Pégourié-Gonnard
8b4cb5481d Merge remote-tracking branch 'hanno/iotssl-1341-optional-certificate-verification-needs-ca-chain' into development
* hanno/iotssl-1341-optional-certificate-verification-needs-ca-chain:
  Add tests for missing CA chains and bad curves.
  Fix implementation of VERIFY_OPTIONAL verification mode
2017-06-08 09:57:56 +02:00
Hanno Becker
e6706e62d8 Add tests for missing CA chains and bad curves.
This commit adds four tests to tests/ssl-opt.sh:
(1) & (2): Check behaviour of optional/required verification when the
trusted CA chain is empty.
(3) & (4): Check behaviour of optional/required verification when the
client receives a server certificate with an unsupported curve.
2017-06-07 11:26:59 +01:00
Hanno Becker
39ae8cd207 Fix implementation of VERIFY_OPTIONAL verification mode
This commit changes the behaviour of mbedtls_ssl_parse_certificate
to make the two authentication modes MBEDTLS_SSL_VERIFY_REQUIRED and
MBEDTLS_SSL_VERIFY_OPTIONAL be in the following relationship:

    Mode == MBEDTLS_SSL_VERIFY_REQUIRED
<=> Mode == MBEDTLS_SSL_VERIFY_OPTIONAL + check verify result

Also, it changes the behaviour to perform the certificate chain
verification even if the trusted CA chain is empty. Previously, the
function failed in this case, even when using optional verification,
which was brought up in #864.
2017-06-07 11:13:19 +01:00
Manuel Pégourié-Gonnard
ddc6e52cc1 Merge remote-tracking branch 'gilles/iotssl-1223/development' into development
* gilles/iotssl-1223/development:
  Fix FALLBACK_SCSV parsing
2017-06-06 20:11:36 +02:00
Manuel Pégourié-Gonnard
383a118338 Merge remote-tracking branch 'gilles/IOTSSL-1330/development' into development
* gilles/IOTSSL-1330/development:
  Changelog entry for the bug fixes
  SSLv3: when refusing renegotiation, stop processing
  Ignore failures when sending fatal alerts
  Cleaned up double variable declaration
  Code portability fix
  Added changelog entry
  Send TLS alerts in many more cases
  Skip all non-executables in run-test-suites.pl
  SSL tests: server requires auth, client has no certificate
  Balanced braces across preprocessor conditionals
  Support setting the ports on the command line
2017-06-06 19:22:41 +02:00
Manuel Pégourié-Gonnard
003b4c7b4a Merge branch 'sha1-dev' into development
* sha1-dev:
  Cleaned up negative test predicate for test case
  all.sh: test with SHA-1 enabled
  SHA-1 deprecation: allow it in key exchange
  Allow SHA-1 in server tests, when the signature_algorithm extension is not used
  Document test data makefile
  X.509 tests: obey compile-time SHA-1 support option
  Allow SHA-1 in test scripts
  Test that SHA-1 defaults off
  Allow SHA-1 in SSL renegotiation tests
  Test that X.509 verification rejects SHA-256 by default
  Allow SHA-1 in X.509 and TLS tests
  X.509 self-tests: replaced SHA-1 certificates by SHA-256
  Added SHA256 test certificates
  Remove SHA-1 in TLS by default
2017-06-06 19:16:48 +02:00
Gilles Peskine
f11d33b2df Cleaned up negative test predicate for test case
The test infrastructure does support negative predicates for test
cases, thanks to Andreas for letting me know.
2017-06-06 19:16:18 +02:00
Gilles Peskine
2a458daa11 all.sh: test with SHA-1 enabled
Enabling SHA-1 for certificates is deprecated but we still want it to work.

Thanks to @andresag01
2017-06-06 18:44:14 +02:00
Gilles Peskine
5d2511c4d4 SHA-1 deprecation: allow it in key exchange
By default, keep allowing SHA-1 in key exchange signatures. Disabling
it causes compatibility issues, especially with clients that use
TLS1.2 but don't send the signature_algorithms extension.

SHA-1 is forbidden in certificates by default, since it's vulnerable
to offline collision-based attacks.
2017-06-06 18:44:14 +02:00
Gilles Peskine
682df09159 Allow SHA-1 in server tests, when the signature_algorithm extension is not used 2017-06-06 18:44:14 +02:00
Gilles Peskine
fd14bca6dc Document test data makefile 2017-06-06 18:44:14 +02:00
Gilles Peskine
4fa6bed0c6 X.509 tests: obey compile-time SHA-1 support option
There is now one test case to validate that SHA-1 is rejected in
certificates by default, and one test case to validate that SHA-1 is
supported if MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 is #defined.
2017-06-06 18:44:14 +02:00
Gilles Peskine
62469d95e2 Allow SHA-1 in test scripts 2017-06-06 18:44:14 +02:00
Gilles Peskine
bc70a1836b Test that SHA-1 defaults off
Added tests to validate that certificates signed using SHA-1 are
rejected by default, but accepted if SHA-1 is explicitly enabled.
2017-06-06 18:44:14 +02:00
Gilles Peskine
cd3c845157 Allow SHA-1 in SSL renegotiation tests
In the TLS test client, allow SHA-1 as a signature hash algorithm.
Without this, the renegotation tests failed.

A previous commit had allowed SHA-1 via the certificate profile but
that only applied before the initial negotiation which includes the
signature_algorithms extension.
2017-06-06 18:44:13 +02:00
Gilles Peskine
2dc81a0cbc Test that X.509 verification rejects SHA-256 by default 2017-06-06 18:44:13 +02:00
Gilles Peskine
ef86ab238f Allow SHA-1 in X.509 and TLS tests
SHA-1 is now disabled by default in the X.509 layer. Explicitly enable
it in our tests for now. Updating all the test data to SHA-256 should
be done over time.
2017-06-06 18:44:13 +02:00
Gilles Peskine
750c353c5c X.509 self-tests: replaced SHA-1 certificates by SHA-256 2017-06-06 18:44:13 +02:00
Gilles Peskine
f040a17604 Added SHA256 test certificates
With SHA-1 deprecation, we need a few certificates using algorithms in
the default support list. Most tests still use SHA-1 though.

The generation process for the new certificates is recorded in the makefile.
2017-06-06 18:44:13 +02:00
Gilles Peskine
5e79cb3662 Remove SHA-1 in TLS by default
Default to forbidding the use of SHA-1 in TLS where it is unsafe: for
certificate signing, and as the signature hash algorithm for the TLS
1.2 handshake signature. SHA-1 remains allowed in HMAC-SHA-1 in the
XXX_SHA ciphersuites and in the PRF for TLS <= 1.1.

For easy backward compatibility for use in controlled environments,
turn on the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 compiled-time option.
2017-06-06 18:44:13 +02:00
Manuel Pégourié-Gonnard
23b33f8663 Merge remote-tracking branch 'hanno/sig_hash_compatibility' into development
* hanno/sig_hash_compatibility:
  Improve documentation
  Split long lines
  Remember suitable hash function for any signature algorithm.
  Introduce macros and functions to characterize certain ciphersuites.
2017-06-06 18:14:57 +02:00
Hanno Becker
eccf60caab Adapt ChangeLog 2017-06-05 15:19:01 +01:00
Hanno Becker
8435c381bd Remove use of size zero array in ECJPAKE test suite
The ECJPAKE test suite uses a size zero array for the empty password
used in the tests, which is not valid C. This commit fixes this.

This originally showed up as a compilation failure on Visual Studio
2015, documented in IOTSSL-1242, but can also be observed with GCC
when using the -Wpedantic compilation option.
2017-06-05 15:10:59 +01:00
Gilles Peskine
d50177fdf3 Fix FALLBACK_SCSV parsing
Fixed a bug in ssl_srv.c when parsing TLS_FALLBACK_SCSV in the
ciphersuite list that caused it to miss it sometimes. Reported by Hugo
Leisink as issue #810. Fix initially by @andreasag01; this commit
isolates the bug fix and adds a non-regression test.
2017-05-16 17:53:03 +02:00
Simon Butcher
9f77017a8d Updated version number to 2.5.0 2017-05-16 10:22:37 +01:00
Simon Butcher
fea2078e84 Add new header file to VS2010 project files 2017-05-16 10:22:37 +01:00
Andres AG
f5bf7189d3 Change return type of AES decrypt and encrypt
This patch modifies the following 2 functions in the AES module to
change the return type from void to int:
    * mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()
    * mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt()
This change is necessary to allow users of MBEDTLS_AES_ALT,
MBEDTLS_AES_DECRYPT_ALT and MBEDTLS_AES_ENCRYPT_ALT to return an error
code when replacing the default with their own implementation, e.g.
a hardware crypto accelerator.
2017-05-16 10:22:37 +01:00
Janos Follath
2850cdaed9 Add Changelog entry for RSA exponent blinding 2017-05-16 10:22:37 +01:00
Janos Follath
c66e5596ba Add Changelog entry for CA list suppression 2017-05-16 10:22:37 +01:00
Andres Amaya Garcia
46fe17ecf2 Remove obsolete macros from compat-1.3.h 2017-05-16 10:22:37 +01:00
Gilles Peskine
18ac716021 RSA: wipe more stack buffers
MGF mask and PSS salt are not highly sensitive, but wipe them anyway
for good hygiene.
2017-05-16 10:22:37 +01:00
Gilles Peskine
4a7f6a0ddb RSA: wipe stack buffers
The RSA private key functions rsa_rsaes_pkcs1_v15_decrypt and
rsa_rsaes_oaep_decrypt put sensitive data (decryption results) on the
stack. Wipe it before returning.

Thanks to Laurent Simon for reporting this issue.
2017-05-16 10:22:37 +01:00
Simon Butcher
77da95357f Add fix for #667 to ChangeLog 2017-05-16 10:22:37 +01:00
Simon Butcher
4775e83337 Fix ChangeLog
Fixes the ChangeLog following the merge of the ECP HW acceleration interfaces
in aab9efb.
2017-05-16 10:22:37 +01:00
Janos Follath
6e876988de Fix bug in threading sample implementation #667 2017-05-16 10:22:37 +01:00
Janos Follath
45182a0065 Add Changelog entry for RSA exponent blinding 2017-05-16 10:22:37 +01:00
Janos Follath
f9203b4139 Add exponent blinding to RSA with CRT
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of different measurements.

This commit handles the case when the Chinese Remainder Theorem is used
to accelerate the computation.
2017-05-16 10:22:37 +01:00
Janos Follath
e81102e476 Add exponent blinding to RSA without CRT
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of fifferent measurements.

This commits handles the case when the Chinese Remainder Theorem is NOT
used to accelerate computations.
2017-05-16 10:22:37 +01:00