Commit Graph

761 Commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
6d61e9751b Improve ChangeLog description of X509 MD5 changes 2017-06-09 14:52:09 +02:00
Manuel Pégourié-Gonnard
7d810939b5 Merge remote-tracking branch 'restricted/1205' into mbedtls-1.3-restricted
* restricted/1205:
  Fix name, documentation & location of config flag
  Restrict MD5 in x509 certificates
2017-06-09 14:49:04 +02:00
Manuel Pégourié-Gonnard
67df3e62e7 Merge near-duplicate ChangeLog entries
As agreed with Gilles on the PR discussion page
2017-06-09 14:48:03 +02:00
Manuel Pégourié-Gonnard
89306daef5 Fix location of ChangeLog entry
This one was meant to be in the security section, must have been moved while
resolving a merge conflict.
2017-06-08 20:42:33 +02:00
Manuel Pégourié-Gonnard
e0cb1cd68b ChangeLog cosmetics 2017-06-08 20:35:13 +02:00
Manuel Pégourié-Gonnard
ce8f919a58 Merge remote-tracking branch 'restricted/iotssl-1138-rsa-padding-check-1.3-restricted' into mbedtls-1.3-restricted
* restricted/iotssl-1138-rsa-padding-check-1.3-restricted:
  Fix backporting error
  RSA PKCS1v1.5 verification: check padding length
2017-06-08 20:34:40 +02:00
Manuel Pégourié-Gonnard
9105b18f72 Merge remote-tracking branch 'restricted/IOTSSL-1366/mbedtls-1.3' into mbedtls-1.3-restricted
* restricted/IOTSSL-1366/mbedtls-1.3:
  More length checks in RSA PKCS1v15 verify
  More length checks in RSA PKCS1v15 verify
2017-06-08 20:27:19 +02:00
Manuel Pégourié-Gonnard
ca3ff06cea Merge remote-tracking branch 'hanno/mpi_read_file_underflow_backport-1.3' into mbedtls-1.3
* hanno/mpi_read_file_underflow_backport-1.3:
  Fix potential stack underflow in mpi_read_file.
2017-06-08 19:54:29 +02:00
Manuel Pégourié-Gonnard
f1ab79079d Merge remote-tracking branch 'hanno/sliding_exponentiation_backport-1.3' into mbedtls-1.3
* hanno/sliding_exponentiation_backport-1.3:
  Adapt ChangeLog
  Abort modular inversion when modulus is one.
  Correct sign in modular exponentiation algorithm.
2017-06-08 19:53:47 +02:00
Manuel Pégourié-Gonnard
674df30480 Merge remote-tracking branch 'janos/mbedtls-1.3-iotssl-1156-ecdsa-sample-and-doc-clarification' into mbedtls-1.3
* janos/mbedtls-1.3-iotssl-1156-ecdsa-sample-and-doc-clarification:
  Clarify the use of ECDSA API
2017-06-08 10:18:15 +02:00
Janos Follath
5d96a3dcde Clarify the use of ECDSA API
In the ecdsa.c sample application we don't use hashing, we use ecdsa
directly on a buffer containing plain text. Although the text explains
that it should be the message hash it still can be confusing.

Any misunderstandings here are potentially very dangerous, because ECDSA
truncates the message hash if necessary and this can lead to trivial
signature forgeries if the API is misused and the message is passed
directly to the function without hashing.

This commit adds a hash computation step to the ecdsa.c sample
application and clarification to the doxygen documentation of the
ECDSA functions involved.
2017-06-07 17:05:00 +01:00
Hanno Becker
888c2fde60 Fix implementation of VERIFY_OPTIONAL verification mode
This commit changes the behaviour of mbedtls_ssl_parse_certificate
to make the two authentication modes SSL_VERIFY_REQUIRED and
SSL_VERIFY_OPTIONAL be in the following relationship:

    Mode == SSL_VERIFY_REQUIRED
<=> Mode == SSL_VERIFY_OPTIONAL + check verify result

Also, it changes the behaviour to perform the certificate chain
verification even if the trusted CA chain is empty. Previously, the
function failed in this case, even when using optional verification,
which was brought up in #864.
2017-06-07 11:35:05 +01:00
Ron Eldor
a9ec0cd77f Restrict MD5 in x509 certificates
Remove support for X509 certificates signed with MD5.
Issue raised by Harm Verhagen
2017-06-07 10:58:36 +03:00
Manuel Pégourié-Gonnard
2634aa999d Merge remote-tracking branch 'restricted/mbedtls-1.3' into mbedtls-1.3
* restricted/mbedtls-1.3:
  RSA: wipe more stack buffers
  RSA: wipe stack buffers
2017-06-06 18:26:32 +02:00
Manuel Pégourié-Gonnard
bbe01032a4 Merge remote-tracking branch 'hanno/iotssl-1241-backport-1.3' into mbedtls-1.3
* hanno/iotssl-1241-backport-1.3:
  Remember suitable hash function for any signature algorithm.
2017-06-06 18:25:33 +02:00
Hanno Becker
c2b9d984e9 Remember suitable hash function for any signature algorithm.
This commit changes `ssl_parse_signature_algorithms_ext` to remember
one suitable ( := supported by client and by our config ) hash
algorithm per signature algorithm.

It also modifies the ciphersuite checking function
`ssl_ciphersuite_match` to refuse a suite if there
is no suitable hash algorithm.

Finally, it adds the corresponding entry to the ChangeLog.
2017-05-24 10:47:54 +01:00
Gilles Peskine
213aec8688 RSA: wipe stack buffers
The RSA private key functions rsa_rsaes_pkcs1_v15_decrypt and
rsa_rsaes_oaep_decrypt put sensitive data (decryption results) on the
stack. Wipe it before returning.

Thanks to Laurent Simon for reporting this issue.
2017-05-15 13:58:45 +01:00
Hanno Becker
8c7698b62a Fix potential stack underflow in mpi_read_file.
When provided with an empty line, mpi_read_file causes a numeric
underflow resulting in a stack underflow. This commit fixes this and
adds some documentation to mpi_read_file.
2017-05-12 07:26:01 +01:00
Hanno Becker
a07a58357d Adapt ChangeLog 2017-05-11 16:02:22 +01:00
Manuel Pégourié-Gonnard
19c10e9984 RSA PKCS1v1.5 verification: check padding length
The test case was generated by modifying our signature code so that it
produces a 7-byte long padding (which also means garbage at the end, so it is
essential to check that the error that is detected first is indeed the
padding rather than the final length check).
2017-05-11 13:37:45 +02:00
Janos Follath
3682db5efd Add Changelog entry for RSA exponent blinding 2017-05-11 11:23:35 +02:00
Gilles Peskine
6de05fa058 More length checks in RSA PKCS1v15 verify
Tighten ASN.1 parsing of RSA PKCS#1 v1.5 signatures, to avoid a
potential Bleichenbacher-style attack.

Backport to 1.3
2017-05-03 18:49:35 +02:00
Simon Butcher
98864d5c0b Merge branch 'mbedtls-1.3' 2017-03-10 20:38:47 +00:00
Simon Butcher
bb4bebc26a Correct function names in the ChangeLog from backported fixed 2017-03-10 20:31:09 +00:00
Simon Butcher
a42044d98b Added missing credit to ChangeLog for #555 2017-03-08 18:43:38 +00:00
Simon Butcher
2e5318ecf6 Corrected attibution in Changelog 2017-03-08 18:43:38 +00:00
Simon Butcher
4c5154d0c0 Updated version number to 1.3.19 for release 2017-03-08 17:22:34 +00:00
Simon Butcher
d2d6316afc Removed duplicate entry in ChangeLog 2017-03-03 16:08:27 +00:00
Andres AG
2b2fc115df Fix buffer overflow in mpi_write_string()
Fix a buffer overflow when writting a string representation of an MPI
number to a buffer in hexadecimal. The problem occurs because hex
digits are written in pairs and this is not accounted for in the
calculation of the required buffer size when the number of digits is
odd.
2017-03-02 23:01:54 +00:00
Simon Butcher
dccf743365 Add fix and credit for #742 to the ChangeLog 2017-03-02 21:31:11 +00:00
Simon Butcher
866a447784 Clarify ChangeLog for #569 2017-02-28 20:27:17 +00:00
Janos Follath
f5ffc79896 ECP: Prevent freeing a buffer on stack
The function ecp_mod_koblitz computed the space for the result of a
multiplication optimally for that specific case, but unfortunately
the function mbedtls_mpi_mul_mpi performs a generic, suboptimal
calculation and needs one more limb for the result. Since the result's
buffer is on the stack, the best case scenario is that the program
stops.

This only happened on 64 bit platforms.

Fixes #569
2017-02-28 20:24:52 +00:00
Simon Butcher
bfef0ce5e4 Fix credit in ChangeLog for #722 2017-02-28 17:38:55 +00:00
Andres AG
03af0e0151 Fix memory leak in x509_crl_parse()
The memory leak call was caused by missing calls to pem_free().
2017-02-28 17:36:06 +00:00
Simon Butcher
9fb2828aee Merge branch 'mbedtls-1.3-iotssl-1071-ca-flags'
Fixes a regression introduced by an earlier commit that modified
x509_crt_verify_top() to ensure that valid certificates that are after past or
future valid in the chain are processed. However the change introduced a change
in behaviour that caused the verification flags MBEDTLS_X509_BADCERT_EXPIRED and
MBEDTLS_BADCERT_FUTURE to always be set whenever there is a failure in the
verification regardless of the cause.

The fix maintains both behaviours:

 * Ensure that valid certificates after future and past are verified
 * Ensure that the correct verification flags are set.
2017-02-27 21:25:03 +00:00
Simon Butcher
7346a7e55a Fix formatting in ChangeLog 2017-02-26 02:01:49 +00:00
Simon Butcher
741bd90a30 Merge branch 'mbedtls-1.3-iotssl-1077-dos-crl'
Modifies the function mbedtls_x509_crl_parse() to ensure that a CRL in PEM
format with trailing characters after the footer does not result in the
execution of an infinite loop.
2017-02-26 01:46:37 +00:00
Simon Butcher
13f9e40059 Merge branch 'mbedtls-1.3' 2017-02-25 21:47:24 +00:00
Andres AG
59abd301f5 Fix integer overflow in mbedtls_base64_decode()
Fix potential integer overflows in the function mbedtls_base64_decode().
This overflow would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-25 21:27:17 +00:00
Andres Amaya Garcia
74ef650772 Fix integer overflows in buffer bound checks
Fix potential integer overflows in the following functions:
  * mbedtls_md2_update() to be bypassed and cause
  * mbedtls_cipher_update()
  * mbedtls_ctr_drbg_reseed()
This overflows would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-25 21:25:44 +00:00
Andres AG
480f7e7d5e Add tests for overreads in pem_read_buffer() 2017-02-25 21:25:07 +00:00
Andres AG
de6079af8e Fix buffer overreads in mbedtls_pem_read_buffer() 2017-02-25 21:25:06 +00:00
Simon Butcher
851dcc96d4 Add credit to Changelog for #562 2017-02-20 22:03:19 +00:00
Andres AG
7ded99ff64 Fix integer overflow in mbedtls_base64_decode()
Fix potential integer overflows in the function mbedtls_base64_decode().
This overflow would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-20 22:01:55 +00:00
Andres Amaya Garcia
cfad181250 Fix integer overflows in buffer bound checks
Fix potential integer overflows in the following functions:
  * mbedtls_md2_update() to be bypassed and cause
  * mbedtls_cipher_update()
  * mbedtls_ctr_drbg_reseed()
This overflows would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-20 22:00:33 +00:00
Andres AG
29b43737ba Fix unused variable/function compilation warnings
This PR fixes a number of unused variable/function compilation warnings
that arise when using a config.h that does not define the macro
POLARSSL_PEM_PARSE_C.
2017-02-20 21:57:52 +00:00
Andres AG
c71b7eb0e7 Fix data loss in unsigned int cast in PK
This patch introduces some additional checks in the PK module for 64-bit
systems only. The problem is that the API functions in the PK
abstraction accept a size_t value for the hashlen, while the RSA module
accepts an unsigned int for the hashlen. Instead of silently casting
size_t to unsigned int, this change checks whether the hashlen overflows
an unsigned int and returns an error.
2017-02-15 10:44:02 +00:00
Simon Butcher
df33a6a805 Add credit to Changelog for #562 2017-02-02 16:53:50 +00:00
Andres AG
2f3fe70f7e Fix verify out flags from x509_crt_verify_top()
This change fixes a regression introduced by an earlier commit that
modified x509_crt_verify_top() to ensure that valid certificates
that are after past or future valid in the chain are processed. However
the change introduced a change in behaviour that caused the
verification flags BADCERT_EXPIRED and BADCERT_FUTURE to always be set
whenever there is a failure in the verification regardless of the cause.

The fix maintains both behaviours:
  * Ensure that valid certificates after future and past are verified
  * Ensure that the correct verification flags are set.

To do so, a temporary pointer to the first future or past valid
certificate is maintained while traversing the chain. If a truly valid
certificate is found then that one is used, otherwise if no valid
certificate is found and the end of the chain is reached, the program
reverts back to using the future or past valid certificate.
2017-01-20 17:12:36 +00:00
Andres AG
e567101f6b Fix CRL parsing to avoid infinite loop
This patch modifies the function mbedtls_x509_crl_parse() to ensure
that a CRL in PEM format with trailing characters after the footer does
not result in the execution of an infinite loop.
2017-01-19 16:57:16 +00:00