Commit Graph

5247 Commits

Author SHA1 Message Date
Simon Butcher
90e6c3b941 Refine the language in the ChangeLog
Fix the language and descriptions in the ChangeLog and some duplicate entries,
following review of the Release Notes for the next release.
2018-11-19 16:11:15 +00:00
Simon Butcher
a2c8691c0d Fix language and formatting in ChangeLog
Changed the formatting and language in the ChangeLog to the house-style.
2018-11-08 13:47:40 +00:00
Simon Butcher
3bc2b8be36 Merge remote-tracking branch 'restricted/pr/522' into mbedtls-2.1-restricted-proposed 2018-11-07 00:07:31 +00:00
Simon Butcher
6f682ee463 Merge remote-tracking branch 'restricted/pr/524' into mbedtls-2.1-restricted-proposed 2018-11-07 00:07:03 +00:00
Simon Butcher
35b41ea779 Fix the ChangeLog entry for dh_server bugfix
The merge had placed the ChangeLog entry under the wrong version.
2018-11-06 23:50:32 +00:00
Simon Butcher
e92e446781 Merge remote-tracking branch 'public/pr/2139' into mbedtls-2.1-proposed 2018-11-06 23:44:09 +00:00
Simon Butcher
5eeded67a5 Merge remote-tracking branch 'public/pr/2081' into mbedtls-2.1-proposed 2018-11-06 23:43:50 +00:00
Simon Butcher
35cdc5d5d4 Merge remote-tracking branch 'public/pr/2136' into mbedtls-2.1-proposed 2018-11-06 23:39:16 +00:00
Simon Butcher
7ae3c20f93 Merge remote-tracking branch 'public/pr/2152' into mbedtls-2.1-proposed 2018-11-06 23:36:59 +00:00
Simon Butcher
befdde732e Merge remote-tracking branch 'public/pr/2154' into mbedtls-2.1-proposed 2018-11-06 23:33:07 +00:00
Simon Butcher
f32d5afb22 Merge remote-tracking branch 'public/pr/2177' into mbedtls-2.1-proposed 2018-11-06 23:18:24 +00:00
Hanno Becker
00152d4d94 Adapt ChangeLog 2018-11-06 13:22:45 +00:00
Hanno Becker
a18de85425 Don't perform binary comparison of CRL issuer and CA subject
Previously, when checking whether a CRT was revoked through
one of the configured CRLs, the library would only consider
those CRLs whose `issuer` field binary-matches the `subject`
field of the CA that has issued the CRT in question. If those
fields were not binary equivalent, the corresponding CRL was
discarded.

This is not in line with RFC 5280, which demands that the
comparison should be format- and case-insensitive. For example:

- If the same string is once encoded as a `PrintableString` and
  another time as a `UTF8String`, they should compare equal.
- If two strings differ only in their choice of upper and lower case
  letters, they should compare equal.

This commit fixes this by using the dedicated x509_name_cmp()
function to compare the CRL issuer with the CA subject.

Fixes #1784.
2018-11-06 13:22:34 +00:00
Hanno Becker
dafd5405e4 Move static x509_name_cmp() in library/x509_crt.c
A subsequent change will need this function earlier
within the file.
2018-11-06 13:22:17 +00:00
Hanno Becker
af02a7bbed Add tests for relaxed CRL-CA name comparison
This commit introduces variants test-ca_utf8.crt,
test-ca_printablestring.crt and test-ca_uppercase.crt
of tests/data_files/test-ca.crt which differ from
test-ca.crt in their choice of string encoding and
upper and lower case letters in the DN field. These
changes should be immaterial to the recovation check,
and three tests are added that crl.pem, which applies
to test-ca.crt, is also considered as applying to
test-ca_*.crt.

The test files were generated using PR #1641 which
- adds a build instruction for test-ca.crt to
  tests/data_files/Makefile which allows easy
  change of the subject DN.
- changes the default string format from `PrintableString`
  to `UTF8String`.

Specifically:
- `test-ca_utf8.crt` was generated by running
      `rm test-ca.crt && make test-ca.crt`
   on PR #1641.
- `test-ca_uppercase.crt`, too, was generated by running
      `rm test-ca.crt && make test-ca.crt`
   on PR #1641, after modifying the subject DN line in the build
   instruction for `test-ca.crt` in `tests/data_files/Makefile`.
-  `test-ca_printable.crt` is a copy of `test-ca.crt`
   because at the time of this commit, `PrintableString` is
   still the default string format.
2018-11-06 13:21:22 +00:00
Gilles Peskine
2521d16ace Fix buffer overflow in test mbedtls_mpi_is_prime_det 2018-11-05 16:37:06 +01:00
Simon Butcher
2b0b9912e0 Merge remote-tracking branch 'public/pr/2046' into mbedtls-2.1-proposed 2018-11-04 18:52:30 +00:00
Simon Butcher
5ca1f27bff Merge remote-tracking branch 'public/pr/2097' into mbedtls-2.1-proposed 2018-11-04 18:49:17 +00:00
Simon Butcher
ad95594acf Merge remote-tracking branch 'public/pr/2116' into mbedtls-2.1-proposed 2018-11-04 18:42:59 +00:00
Hanno Becker
8ac041637f Adapt ChangeLog 2018-10-30 10:09:45 +00:00
Hanno Becker
6e7d5abe06 Correct typo in documentation of MBEDTLS_SSL_RENEGOTIATION 2018-10-30 09:39:06 +00:00
Hanno Becker
25422e1f02 Improve documentation of mbedtls_ssl_get_verify_result()
Fixes #517.
2018-10-30 09:35:43 +00:00
Simon Butcher
4acdf6dea8 Merge remote-tracking branch 'public/pr/1298' into mbedtls-2.1-proposed 2018-10-28 18:17:00 +00:00
Simon Butcher
1238a2fd03 Merge remote-tracking branch 'public/pr/1762' into mbedtls-2.1-proposed 2018-10-28 18:15:26 +00:00
Simon Butcher
a1f11cfc38 Merge remote-tracking branch 'public/pr/2058' into mbedtls-2.1-proposed 2018-10-28 17:25:16 +00:00
Simon Butcher
c84f5c937d Merge remote-tracking branch 'public/pr/2072' into mbedtls-2.1-proposed 2018-10-28 16:58:29 +00:00
Simon Butcher
351c4f15f4 Merge remote-tracking branch 'public/pr/2113' into mbedtls-2.1-proposed 2018-10-28 16:32:05 +00:00
Simon Butcher
34f32fa93c Merge remote-tracking branch 'public/pr/2110' into mbedtls-2.1-proposed 2018-10-28 16:17:28 +00:00
Simon Butcher
d10c8ed6d0 Merge remote-tracking branch 'public/pr/2033' into mbedtls-2.1 2018-10-27 18:34:57 +01:00
Simon Butcher
a4441430b7 Merge remote-tracking branch 'public/pr/2042' into mbedtls-2.1 2018-10-27 18:29:08 +01:00
Simon Butcher
d975e46d00 Make inclusion of stdio.h conditional in x509_crt.c
stdio.h was being included both conditionally if MBEDTLS_FS_IO was
defined, and also unconditionally, which made at least one of them
redundant.

This change removes the unconditional inclusion of stdio.h and makes it
conditional on MBEDTLS_PLATFORM_C.
2018-10-25 18:23:14 +01:00
Simon Butcher
945dfe6f0e Update the ChangeLog for PR #2011
The Changelog merged the PR #2011 entry under the wrong version. This corrects
that merge error, and also clarifies the entry.
2018-10-25 16:18:13 +01:00
Hanno Becker
7e95aa6bd0 Adapt ChangeLog 2018-10-25 15:51:28 +01:00
Hanno Becker
304736d60c Reinitialize PK ctx in mbedtls_pk_parse_key before reuse are free
Context: This commit makes a change to mbedtls_pk_parse_key() which
is responsible for parsing of private keys. The function doesn't know
the key format in advance (PEM vs. DER, encrypted vs. unencrypted) and
tries them one by one, resetting the PK context in between.

Issue: The previous code resets the PK context through a call to
mbedtls_pk_free() along, lacking the accompanying mbedtls_pk_init()
call. Practically, this is not an issue because functionally
mbedtls_pk_free() + mbedtls_pk_init() is equivalent to mbedtls_pk_free()
with the current implementation of these functions, but strictly
speaking it's nonetheless a violation of the API semantics according
to which xxx_free() functions leave a context in uninitialized state.
(yet not entirely random, because xxx_free() functions must be idempotent,
so they cannot just fill the context they operate on with garbage).

Change: The commit adds calls to mbedtls_pk_init() after those calls
to mbedtls_pk_free() within mbedtls_pk_parse_key() after which the
PK context might still be used.
2018-10-25 15:24:47 +01:00
Simon Butcher
fc0524ceb9 Merge remote-tracking branch 'public/pr/2011' into mbedtls-2.1 2018-10-24 13:36:58 +01:00
Simon Butcher
b001e08585
Merge pull request #2123 from dgreen-arm/mbedtls-2.1-jenkinsfile
Backport 2.1: Add Jenkinsfile for PR job
2018-10-19 17:01:03 +01:00
Darryl Green
e45e63cbbc Add Jenkinsfile for PR job 2018-10-19 15:26:49 +01:00
Simon Butcher
7458975805 Add a macro to define the memory size in ssl_server2.c
When MBEDTLS_MEMORY_BUFFER_ALLOC_C was defined, the sample ssl_server2.c was
using its own memory buffer for memory allocated by the library. The memory
used wasn't obvious, so this adds a macro for the memory buffer allocated to
make the allocated memory size more obvious and hence easier to configure.
2018-10-18 10:13:10 +01:00
Simon Butcher
e8c12f1ec9 Increase the memory buffer size for ssl_server2.c
Newer features in the library have increased the overall RAM usage of the
library, when all features are enabled. ssl_server2.c, with all features enabled
was running out of memory for the ssl-opt.sh test 'Authentication: client
max_int chain, server required'.

This commit increases the memory buffer allocation for ssl_server2.c to allow
the test to work with all features enabled.
2018-10-18 10:13:08 +01:00
Hanno Becker
c2a1dd98d5 Adapt ChangeLog 2018-10-17 14:55:03 +01:00
Hanno Becker
3aab4cc486 Fail when encountering invalid CBC padding in EtM records
This commit changes the behavior of the record decryption routine
`ssl_decrypt_buf()` in the following situation:
1. A CBC ciphersuite with Encrypt-then-MAC is used.
2. A record with valid MAC but invalid CBC padding is received.
In this situation, the previous code would not raise and error but
instead forward the decrypted packet, including the wrong padding,
to the user.

This commit changes this behavior to return the error
MBEDTLS_ERR_SSL_INVALID_MAC instead.

While erroneous, the previous behavior does not constitute a
security flaw since it can only happen for properly authenticated
records, that is, if the peer makes a mistake while preparing the
padded plaintext.
2018-10-17 14:54:50 +01:00
Hanno Becker
a966e6ff47 Add missing return value check in ECDSA test suite
The test case `ecdsa_det_test_vectors` from the ECDSA test suite
called `mbedtls_md()` without checking its return value.
2018-10-17 14:01:31 +01:00
Darryl Green
73497ceaef Mark internal function as static 2018-10-16 15:07:48 +01:00
Hanno Becker
f5b094fc72 Adapt ChangeLog 2018-10-16 09:15:01 +01:00
Hanno Becker
728d6cdcef Add missing zeroization of reassembled handshake messages
This commit ensures that buffers holding fragmented or
handshake messages get zeroized before they are freed
when the respective handshake message is no longer needed.
Previously, the handshake message content would leak on
the heap.
2018-10-16 09:14:58 +01:00
Hanno Becker
6a74b2f687 Zeroize sensitive data in aescrypt2 and crypt_and_hash examples
This commit replaces multiple `memset()` calls in the example
programs aes/aescrypt2.c and aes/crypt_and_hash.c by calls to
the reliable zeroization function `mbedtls_zeroize()`.

While not a security issue because the code is in the example
programs, it's bad practice and should be fixed.
2018-10-15 13:28:08 +01:00
Darryl Green
0c9bbb0ff8 Fix bias in random number generation in Miller-Rabin test
When a random number is generated for the Miller-Rabin primality test,
if the bit length of the random number is larger than the number being
tested, the random number is shifted right to have the same bit length.
This introduces bias, as the random number is now guaranteed to be
larger than 2^(bit length-1).

Changing this to instead zero all bits higher than the tested numbers
bit length will remove this bias and keep the random number being
uniformly generated.
2018-10-11 15:43:12 +01:00
Janos Follath
da4ea3bd92 Changelog: Add entry for prime validation fix 2018-10-11 15:43:12 +01:00
Janos Follath
18b08c6f4c Bignum: Add tests for primality testing
Primality tests have to deal with different distribution when generating
primes and when validating primes.
These new tests are testing if mbedtls_mpi_is_prime() is working
properly in the latter setting.

The new tests involve pseudoprimes with maximum number of
non-witnesses. The non-witnesses were generated by printing them
from mpi_miller_rabin(). The pseudoprimes were generated by the
following function:

void gen_monier( mbedtls_mpi* res, int nbits )
{
    mbedtls_mpi p_2x_plus_1, p_4x_plus_1, x, tmp;

    mbedtls_mpi_init( &p_2x_plus_1 );
    mbedtls_mpi_init( &p_4x_plus_1 );
    mbedtls_mpi_init( &x ); mbedtls_mpi_init( &tmp );

    do
    {
        mbedtls_mpi_gen_prime( &p_2x_plus_1, nbits >> 1, 0,
                               rnd_std_rand, NULL );
        mbedtls_mpi_sub_int( &x, &p_2x_plus_1, 1 );
        mbedtls_mpi_div_int( &x, &tmp, &x, 2 );

        if( mbedtls_mpi_get_bit( &x, 0 ) == 0 )
            continue;

        mbedtls_mpi_mul_int( &p_4x_plus_1, &x, 4 );
        mbedtls_mpi_add_int( &p_4x_plus_1, &p_4x_plus_1, 1 );

        if( mbedtls_mpi_is_prime( &p_4x_plus_1, rnd_std_rand,
                                  NULL ) == 0 )
            break;

    } while( 1 );

    mbedtls_mpi_mul_mpi( res, &p_2x_plus_1, &p_4x_plus_1 );
}
2018-10-11 15:43:12 +01:00
Janos Follath
9dc5b7a27b Bignum: Fix prime validation vulnerability
The input distribution to primality testing functions is completely
different when used for generating primes and when for validating
primes. The constants used in the library are geared towards the prime
generation use case and are weak when used for validation. (Maliciously
constructed composite numbers can pass the test with high probability)

The mbedtls_mpi_is_prime() function is in the public API and although it
is not documented, it is reasonable to assume that the primary use case
is validating primes. The RSA module too uses it for validating key
material.
2018-10-11 15:43:12 +01:00