Manuel Pégourié-Gonnard
042c5e4217
Merge pull request #3000 from gilles-peskine-arm/changelog-2.20.0
...
Add changelog entries for the crypto changes in 2.20.0
2020-01-28 09:38:30 +01:00
Manuel Pégourié-Gonnard
358462df85
Merge pull request #354 from mpg/fix-ecdsa-pointer-inc
...
Fix incrementing pointer instead of value
2020-01-28 09:26:28 +01:00
Jack Lloyd
60239753d2
Avoid memory leak when RSA-CRT is not enabled in build
2020-01-27 17:53:36 -05:00
Zachary J. Fields
96134effea
Update ChangeLog
2020-01-27 16:12:02 -06:00
Janos Follath
4c736fb6a8
Update Mbed Crypto SO version
...
The recent update changed the Mbed Crypto SO version, get Mbed TLS in
sync.
2020-01-27 16:37:14 +00:00
Janos Follath
ceceedb532
Update Mbed Crypto to 3.0.1
2020-01-27 16:23:55 +00:00
Janos Follath
1146b4e060
Merge pull request #348 from yanesca/bump-version-to-mbed-tls-2.20.0
...
Bump version to Mbed TLS 2.20.0 and crypto SO version to 4
2020-01-27 15:56:45 +00:00
Gilles Peskine
e3b285d2c8
Add crypto security fixes merged after mbedcrypto-3.0.0
2020-01-27 14:24:19 +01:00
Jaeden Amero
62236d7651
Add ChangeLog entry
...
Add a ChangeLog entry for Jonathan Bennett's contribution which allows
loading symlinked certificates.
2020-01-24 18:20:56 +00:00
Jonathan Bennett
fdc16f36b4
Allow loading symlinked certificates
...
When mbedtls_x509_crt_parse_path() checks each object in the supplied path, it only processes regular files. This change makes it also accept a symlink to a file. Fixes #3005 .
This was observed to be a problem on Fedora/CentOS/RHEL systems, where the ca-bundle in the default location is actually a symlink.
2020-01-24 09:12:03 -06:00
Manuel Pégourié-Gonnard
ee4ba54d8d
Fix incrementing pointer instead of value
...
This was introduced by a hasty search-and-replace that didn't account for C's
operator precedence when changing those variables to pointer types.
2020-01-24 12:11:56 +01:00
Manuel Pégourié-Gonnard
2b9b780ac0
Rename internal macro for consistency
...
Other modules have similar internal macros using _LENGTH in the name.
2020-01-24 11:01:02 +01:00
Manuel Pégourié-Gonnard
b7f7092f57
Remove preprocessor directive for consistency
...
Other cases in this switch statement aren't guarded either.
2020-01-24 10:59:08 +01:00
Manuel Pégourié-Gonnard
3a3b5c7827
Improve doxygen formatting
2020-01-24 10:57:25 +01:00
Manuel Pégourié-Gonnard
f2e2902c5a
Add detection for zlib headers to all.sh
2020-01-24 10:44:13 +01:00
Manuel Pégourié-Gonnard
c40b685837
Fix bug in record decompression
...
ssl_decompress_buf() was operating on data from the ssl context, but called at
a point where this data is actually in the rec structure. Call it later so
that the data is back to the ssl structure.
2020-01-24 10:44:13 +01:00
Manuel Pégourié-Gonnard
342d2ca9ab
Add test for record compression in ssl-opt.sh
...
Deprecated but still needs to be tested.
2020-01-24 10:44:13 +01:00
Manuel Pégourié-Gonnard
95e04490fa
Add all.sh components with ZLIB enabled
...
ZLIB support is deprecated, but until it's removed it should still be tested.
2020-01-24 10:44:13 +01:00
Gilles Peskine
80fcacebdb
Add changelog entry for the zlib support fix
2020-01-24 09:35:01 +01:00
jiblime
9f25b8deff
Fixes definition error when the deprecated MBEDTLS_ZLIB_SUPPORT and ENABLE_ZLIB_SUPPORT macro are defined/enabled for zlib support in mbedtls
...
100% tests passed, 0 tests failed out of 85
https://github.com/ARMmbed/mbedtls/blob/mbedtls-2.19.1/library/ssl_tls.c#L1842
https://github.com/ARMmbed/mbedtls/blob/mbedtls-2.19.1/library/ssl_tls.c#L1862
2020-01-24 09:34:06 +01:00
Jack Lloyd
8c2631b6d3
Address review comments
2020-01-23 17:23:52 -05:00
Jack Lloyd
80cc811039
Parse RSA parameters DP, DQ and QP from PKCS1 private keys
...
Otherwise these values are recomputed in mbedtls_rsa_deduce_crt, which
currently suffers from side channel issues in the computation of QP (see
https://eprint.iacr.org/2020/055 ). By loading the pre-computed values not
only is the side channel avoided, but runtime overhead of loading RSA keys
is reduced.
Discussion in https://github.com/ARMmbed/mbed-crypto/issues/347
2020-01-22 17:34:29 -05:00
Gilles Peskine
50f577067c
Fix GitHub repository indications for crypto changes in 2.20
...
The content was originally written for mbed-crypto. Change pull
request references to be relative to mbedtls instead.
2020-01-22 19:02:59 +01:00
Gilles Peskine
8c7d2c25a4
Remove markdown artifacts
2020-01-22 19:02:09 +01:00
Gilles Peskine
4073d4e529
Add changelog entry for the unchecked mbedtls_md call
2020-01-22 18:58:20 +01:00
Gilles Peskine
6a4c340c36
Add changelog entries for the crypto changes in 2.20.0
...
Describe changes between mbedcrypto-2.0.0 (version in Mbed TLS 2.19.0)
and mbedcrypto-3.0.0 (version in Mbed TLS 2.20.0).
2020-01-22 18:28:24 +01:00
Gilles Peskine
c26479c1af
Update ChangeLog up to mbedcrypto-3.0.0d0
2020-01-22 18:27:36 +01:00
Philippe Antoine
8b1ed1cf0e
Adds explicit include to stdlib.h for abort
2020-01-22 16:22:36 +01:00
Gilles Peskine
2b242495e1
Add a sanity check on the output
...
Check that no line from any of the input files was lost.
This is not perfect for several reasons.
It doesn't check that the content goes to the desired location.
It doesn't check that sections are created as necessary.
It doesn't support whitespace normalization that the parsing code does.
But it's a good start.
2020-01-22 15:59:12 +01:00
Gilles Peskine
6e91009cfe
Split strings on some very long lines
2020-01-22 15:59:12 +01:00
Gilles Peskine
566407d6f6
Simpler definition of a custom exception class
2020-01-22 15:59:12 +01:00
Gilles Peskine
8c4a84c5de
Split read_main_file out of the ChangeLog constructor
...
Keep the constructor code simple.
No behavior change.
2020-01-22 15:48:58 +01:00
Gilles Peskine
5e39c9e94f
Actually remove files
...
Minor rework of how files are removed. Actually do remove the
files (earlier I accidentally committed a debug version with removal
commented out).
2020-01-22 15:48:45 +01:00
Piotr Nowicki
890b5ca330
Change non-blocking read/write in TCP mock socket
...
Previously mocked non-blocking read/write was returning 0 when buffer was empty/full. That was causing ERR_SSL_CONN_EOF error in tests which was using these mocked callbacks. Beside that non-blocking read/write was returning ERR_SSL_WANT_READ/_WRITE depending on block pattern set by test design. Such behavior forced to redesign of these functions so that they could be used in other tests
2020-01-22 14:15:17 +01:00
Philippe Antoine
7d4bd6f15f
Checks mbedtls_rsa_export_crt return in fuzz targets
2020-01-22 14:14:18 +01:00
Philippe Antoine
66070bc19d
Checks mbedtls_rsa_export return in fuzz targets
2020-01-22 13:54:56 +01:00
Piotr Nowicki
fb437d72ef
Fix segmentation fault in mbedtls_test_buffer
...
This error occurs when free space in the buffer is in the middle (the buffer has come full circle) and function mbedtls_test_buffer_put is called. Then the arguments for memcpy are calculated incorrectly and program ends with segmentation fault
2020-01-22 13:25:36 +01:00
Gilles Peskine
974232f045
Minor documentation improvements
2020-01-22 12:43:29 +01:00
Gilles Peskine
f296cdb2ab
Fix formatting
2020-01-22 12:43:20 +01:00
Andrzej Kurek
bc483dea84
Add a message-based socket mock connection to the ssl tests
...
The connection will send/receive full messages.
2020-01-22 06:38:03 -05:00
Andrzej Kurek
13719cdae4
Add a message metadata queue in ssl tests
...
Add a metadata queue that will be used on top of the ring buffer callbacks.
Add normal and negative tests.
2020-01-22 06:36:39 -05:00
Andrzej Kurek
f7774146b6
ssl test suite: enable dropping bytes from buffer
...
Add an option to not pass any buffer to mbedtls_test_buffer_get to drop data.
2020-01-22 06:34:59 -05:00
Gilles Peskine
95c893d17f
More systematic handling of trailing garbage in parse_prefixes
...
Before, the string to parse may contain trailing garbage (there was
never more than one byte), and there was a separate argument
indicating the length of the content. Now, the string to parse is the
exact content, and the test code runs an extra test step with a
trailing byte added.
2020-01-21 21:29:37 +01:00
Gilles Peskine
ef4183858a
Document how tested prefix lengths are chosen
2020-01-21 21:29:37 +01:00
Gilles Peskine
9c673233bc
Fix outcome file leak if execute_tests exits early
...
If there was a fatal error (bizarre behavior from the standard
library, or missing test data file), execute_tests did not close the
outcome file. Fix this.
2020-01-21 18:03:56 +01:00
Gilles Peskine
2ac4d86040
Fix file leak in test program
...
A similar bug was fixed earlier in ssl_server2, but we missed the fix
in ssl_client2.
2020-01-21 17:39:52 +01:00
Gilles Peskine
b08e44fda7
Add missing return code check on call to mbedtls_md()
2020-01-21 16:56:14 +01:00
Gilles Peskine
84984ae220
Add missing return code check on calls to mbedtls_md()
2020-01-21 16:52:08 +01:00
Gilles Peskine
9018b11302
Check that mbedtls_mpi_grow succeeds
2020-01-21 16:30:53 +01:00
Gilles Peskine
292672eb12
If ASSERT_ALLOC_WEAK fails, mark the test as skipped, not passed
...
This was the intended behavior of ASSERT_ALLOC_WEAK all along, but
skipping was not implemented yet when ASSERT_ALLOC_WEAK was
introduced.
2020-01-21 16:20:04 +01:00