Commit Graph

5721 Commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
81bb6b6acf Add SSL tests for long cert chains 2017-07-06 11:58:41 +02:00
Manuel Pégourié-Gonnard
31458a1878 Only return VERIFY_FAILED from a single point
Everything else is a fatal error. Also improve documentation about that for
the vrfy callback.
2017-07-06 11:58:41 +02:00
Manuel Pégourié-Gonnard
d15795acd5 Improve behaviour on fatal errors
If we didn't walk the whole chain, then there may be any kind of errors in the
part of the chain we didn't check, so setting all flags looks like the safe
thing to do.
2017-07-06 11:58:41 +02:00
Manuel Pégourié-Gonnard
1beb048316 Add test for limit on intermediate certificates
Inspired by test code provided by Nicholas Wilson in PR #351.

The test will fail if someone sets MAX_INTERMEDIATE_CA to a value larger than
18 (default is 8), which is hopefully unlikely and can easily be fixed by
running long.sh again with a larger value if it ever happens.

Current behaviour is suboptimal as flags are not set, but currently the goal
is only to document/test existing behaviour.
2017-07-06 11:57:31 +02:00
Andres Amaya Garcia
fe9483184f Remove malloc references in mbedtls/scripts 2017-07-06 10:34:12 +01:00
Andres Amaya Garcia
79ae065117 Add ChangeLog entry for IAR compilation warnings 2017-06-27 16:37:40 +01:00
Andres Amaya Garcia
53c77cccc9 Initialise pointers to avoid IAR compiler warnings 2017-06-27 16:15:06 +01:00
Simon Butcher
f2a597fa3d Update the version number to 2.5.1 2017-06-20 23:08:10 +01:00
Janos Follath
5a1c0e7162 Improve Changelog 2017-06-16 12:27:47 +01:00
Andres Amaya Garcia
d3e7e7d83f Add comment for skipped AES-192 test condition 2017-06-15 16:17:46 +01:00
Andres Amaya Garcia
2a078da134 Run AES-GCM-192 selftest if available only
This patch modifies the function mbedtls_gcm_self_test() function to
ensure that AES-GCM-192 tests are only run if the key size is supported
by the available implementation. This is useful when using
MBEDTLS_AES_ALT as some hardware crypto accelerators might not support
AES-192.
2017-06-15 11:45:23 +01:00
Andres Amaya Garcia
58f98c23d5 Run AES-192 selftest if available only
This patch modifies the function mbedtls_aes_selftest() function to
ensure that AES-192 tests are only run if the key size is supported by
the available implementation. This is useful when using MBEDTLS_AES_ALT
as some hardware crypto accelerators might not support AES-192.
2017-06-14 16:19:42 +01:00
Andres Amaya Garcia
fd48739461 Add AES feature unavailable error code 2017-06-14 16:19:12 +01:00
Manuel Pégourié-Gonnard
90651914a9 Merge branch 'development' into development-restricted
* development:
  Remove %zu format string from ssl_client2 and ssl_server2
2017-06-09 17:41:08 +02:00
Manuel Pégourié-Gonnard
45d269555b Merge remote-tracking branch 'hanno/remove_format_qualifier' into development
* hanno/remove_format_qualifier:
  Remove %zu format string from ssl_client2 and ssl_server2
2017-06-09 17:40:13 +02:00
Hanno Becker
8651a43e95 Remove %zu format string from ssl_client2 and ssl_server2 2017-06-09 16:13:22 +01:00
Manuel Pégourié-Gonnard
4a42f3c405 Merge remote-tracking branch 'restricted/iotssl-1398' into development-restricted
* restricted/iotssl-1398:
  Add ChangeLog entry
  Ensure application data records are not kept when fully processed
  Add hard assertion to mbedtls_ssl_read_record_layer
  Fix mbedtls_ssl_read
  Simplify retaining of messages for future processing
2017-06-09 15:02:40 +02:00
Manuel Pégourié-Gonnard
a8e5a4730d Merge near-duplicate ChangeLog entries
As agreed with Gilles on the PR discussion page
2017-06-09 14:46:50 +02:00
Hanno Becker
bf4c2e3f79 Add ChangeLog entry 2017-06-09 11:28:45 +01:00
Hanno Becker
bdf3905fff Ensure application data records are not kept when fully processed
This commit fixes the following case: If a client is both expecting a
SERVER_HELLO and has an application data record that's partially
processed in flight (that's the situation the client gets into after
receiving a ServerHelloRequest followed by ApplicationData), a
subsequent call to mbedtls_ssl_read will set keep_current_message = 1
when seeing the unexpected application data, but not reset it to 0
after the application data has been processed. This commit fixes this.

It also documents and suggests how the problem might be solved in a
more structural way on the long run.
2017-06-09 10:42:03 +01:00
Manuel Pégourié-Gonnard
740665e43b ChangeLog cosmetics 2017-06-08 20:37:30 +02:00
Manuel Pégourié-Gonnard
b86b143030 Merge remote-tracking branch 'restricted/iotssl-1138-rsa-padding-check-restricted' into development-restricted
* restricted/iotssl-1138-rsa-padding-check-restricted:
  RSA PKCS1v1.5 verification: check padding length
2017-06-08 20:31:06 +02:00
Manuel Pégourié-Gonnard
a0bf6ecfc3 Merge remote-tracking branch 'restricted/IOTSSL-1366/development-restricted' into development-restricted
* restricted/IOTSSL-1366/development-restricted:
  More length checks in RSA PKCS1v15 verify
  More length checks in RSA PKCS1v15 verify
2017-06-08 20:24:29 +02:00
Manuel Pégourié-Gonnard
db108ac944 Merge remote-tracking branch 'hanno/mpi_read_file_underflow' into development
* hanno/mpi_read_file_underflow:
  Fix potential stack underflow in mpi_read_file.
2017-06-08 19:48:03 +02:00
Manuel Pégourié-Gonnard
1178ac5e77 Merge remote-tracking branch 'hanno/sliding_exponentiation' into development
* hanno/sliding_exponentiation:
  Adapt ChangeLog
  Abort modular inversion when modulus is one.
  Correct sign in modular exponentiation algorithm.
2017-06-08 19:46:30 +02:00
Manuel Pégourié-Gonnard
e778441312 Merge branch 'fix-sha1-opt-test' into development
* fix-sha1-opt-test:
  Fix issue in testing SHA-1 compile-time option
2017-06-08 18:51:19 +02:00
Manuel Pégourié-Gonnard
af63c21466 Fix issue in testing SHA-1 compile-time option 2017-06-08 17:51:08 +02:00
Hanno Becker
bb9dd0c044 Add hard assertion to mbedtls_ssl_read_record_layer
This commit adds a hard assertion to mbedtls_ssl_read_record_layer
triggering if both ssl->in_hslen and ssl->in_offt are not 0. This
should never happen, and if it does, there's no sensible way of
telling whether the previous message was a handshake or an application
data message.
2017-06-08 11:55:34 +01:00
Hanno Becker
4a810fba69 Fix mbedtls_ssl_read
Don't fetch a new record in mbedtls_ssl_read_record_layer as long as an application data record is being processed.
2017-06-08 10:12:16 +01:00
Hanno Becker
af0665d8b0 Simplify retaining of messages for future processing
There are situations in which it is not clear what message to expect
next. For example, the message following the ServerHello might be
either a Certificate, a ServerKeyExchange or a CertificateRequest. We
deal with this situation in the following way: Initially, the message
processing function for one of the allowed message types is called,
which fetches and decodes a new message. If that message is not the
expected one, the function returns successfully (instead of throwing
an error as usual for unexpected messages), and the handshake
continues to the processing function for the next possible message. To
not have this function fetch a new message, a flag in the SSL context
structure is used to indicate that the last message was retained for
further processing, and if that's set, the following processing
function will not fetch a new record.

This commit simplifies the usage of this message-retaining parameter
by doing the check within the record-fetching routine instead of the
specific message-processing routines. The code gets cleaner this way
and allows retaining messages to be used in other situations as well
without much effort. This will be used in the next commits.
2017-06-08 10:12:16 +01:00
Manuel Pégourié-Gonnard
c44c3c288d Merge remote-tracking branch 'janos/iotssl-1156-ecdsa-sample-and-doc-clarification' into development
* janos/iotssl-1156-ecdsa-sample-and-doc-clarification:
  Clarify the use of ECDSA API
2017-06-08 10:16:54 +02:00
Manuel Pégourié-Gonnard
8b4cb5481d Merge remote-tracking branch 'hanno/iotssl-1341-optional-certificate-verification-needs-ca-chain' into development
* hanno/iotssl-1341-optional-certificate-verification-needs-ca-chain:
  Add tests for missing CA chains and bad curves.
  Fix implementation of VERIFY_OPTIONAL verification mode
2017-06-08 09:57:56 +02:00
Hanno Becker
e6706e62d8 Add tests for missing CA chains and bad curves.
This commit adds four tests to tests/ssl-opt.sh:
(1) & (2): Check behaviour of optional/required verification when the
trusted CA chain is empty.
(3) & (4): Check behaviour of optional/required verification when the
client receives a server certificate with an unsupported curve.
2017-06-07 11:26:59 +01:00
Hanno Becker
39ae8cd207 Fix implementation of VERIFY_OPTIONAL verification mode
This commit changes the behaviour of mbedtls_ssl_parse_certificate
to make the two authentication modes MBEDTLS_SSL_VERIFY_REQUIRED and
MBEDTLS_SSL_VERIFY_OPTIONAL be in the following relationship:

    Mode == MBEDTLS_SSL_VERIFY_REQUIRED
<=> Mode == MBEDTLS_SSL_VERIFY_OPTIONAL + check verify result

Also, it changes the behaviour to perform the certificate chain
verification even if the trusted CA chain is empty. Previously, the
function failed in this case, even when using optional verification,
which was brought up in #864.
2017-06-07 11:13:19 +01:00
Manuel Pégourié-Gonnard
ddc6e52cc1 Merge remote-tracking branch 'gilles/iotssl-1223/development' into development
* gilles/iotssl-1223/development:
  Fix FALLBACK_SCSV parsing
2017-06-06 20:11:36 +02:00
Manuel Pégourié-Gonnard
383a118338 Merge remote-tracking branch 'gilles/IOTSSL-1330/development' into development
* gilles/IOTSSL-1330/development:
  Changelog entry for the bug fixes
  SSLv3: when refusing renegotiation, stop processing
  Ignore failures when sending fatal alerts
  Cleaned up double variable declaration
  Code portability fix
  Added changelog entry
  Send TLS alerts in many more cases
  Skip all non-executables in run-test-suites.pl
  SSL tests: server requires auth, client has no certificate
  Balanced braces across preprocessor conditionals
  Support setting the ports on the command line
2017-06-06 19:22:41 +02:00
Manuel Pégourié-Gonnard
003b4c7b4a Merge branch 'sha1-dev' into development
* sha1-dev:
  Cleaned up negative test predicate for test case
  all.sh: test with SHA-1 enabled
  SHA-1 deprecation: allow it in key exchange
  Allow SHA-1 in server tests, when the signature_algorithm extension is not used
  Document test data makefile
  X.509 tests: obey compile-time SHA-1 support option
  Allow SHA-1 in test scripts
  Test that SHA-1 defaults off
  Allow SHA-1 in SSL renegotiation tests
  Test that X.509 verification rejects SHA-256 by default
  Allow SHA-1 in X.509 and TLS tests
  X.509 self-tests: replaced SHA-1 certificates by SHA-256
  Added SHA256 test certificates
  Remove SHA-1 in TLS by default
2017-06-06 19:16:48 +02:00
Gilles Peskine
f11d33b2df Cleaned up negative test predicate for test case
The test infrastructure does support negative predicates for test
cases, thanks to Andreas for letting me know.
2017-06-06 19:16:18 +02:00
Gilles Peskine
2a458daa11 all.sh: test with SHA-1 enabled
Enabling SHA-1 for certificates is deprecated but we still want it to work.

Thanks to @andresag01
2017-06-06 18:44:14 +02:00
Gilles Peskine
5d2511c4d4 SHA-1 deprecation: allow it in key exchange
By default, keep allowing SHA-1 in key exchange signatures. Disabling
it causes compatibility issues, especially with clients that use
TLS1.2 but don't send the signature_algorithms extension.

SHA-1 is forbidden in certificates by default, since it's vulnerable
to offline collision-based attacks.
2017-06-06 18:44:14 +02:00
Gilles Peskine
682df09159 Allow SHA-1 in server tests, when the signature_algorithm extension is not used 2017-06-06 18:44:14 +02:00
Gilles Peskine
fd14bca6dc Document test data makefile 2017-06-06 18:44:14 +02:00
Gilles Peskine
4fa6bed0c6 X.509 tests: obey compile-time SHA-1 support option
There is now one test case to validate that SHA-1 is rejected in
certificates by default, and one test case to validate that SHA-1 is
supported if MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 is #defined.
2017-06-06 18:44:14 +02:00
Gilles Peskine
62469d95e2 Allow SHA-1 in test scripts 2017-06-06 18:44:14 +02:00
Gilles Peskine
bc70a1836b Test that SHA-1 defaults off
Added tests to validate that certificates signed using SHA-1 are
rejected by default, but accepted if SHA-1 is explicitly enabled.
2017-06-06 18:44:14 +02:00
Gilles Peskine
cd3c845157 Allow SHA-1 in SSL renegotiation tests
In the TLS test client, allow SHA-1 as a signature hash algorithm.
Without this, the renegotation tests failed.

A previous commit had allowed SHA-1 via the certificate profile but
that only applied before the initial negotiation which includes the
signature_algorithms extension.
2017-06-06 18:44:13 +02:00
Gilles Peskine
2dc81a0cbc Test that X.509 verification rejects SHA-256 by default 2017-06-06 18:44:13 +02:00
Gilles Peskine
ef86ab238f Allow SHA-1 in X.509 and TLS tests
SHA-1 is now disabled by default in the X.509 layer. Explicitly enable
it in our tests for now. Updating all the test data to SHA-256 should
be done over time.
2017-06-06 18:44:13 +02:00
Gilles Peskine
750c353c5c X.509 self-tests: replaced SHA-1 certificates by SHA-256 2017-06-06 18:44:13 +02:00
Gilles Peskine
f040a17604 Added SHA256 test certificates
With SHA-1 deprecation, we need a few certificates using algorithms in
the default support list. Most tests still use SHA-1 though.

The generation process for the new certificates is recorded in the makefile.
2017-06-06 18:44:13 +02:00