Commit Graph

887 Commits

Author SHA1 Message Date
Simon Butcher
9aabf6dfcd Add fix and credit for #742 to the ChangeLog 2017-03-02 10:17:21 +00:00
Simon Butcher
e4b89450f9 Add credit to Changelog for #562 2017-03-01 16:17:38 +00:00
Simon Butcher
09b6274247 Clarify fix for #673 in Changelog
Clarified fix, and added credit.
2017-03-01 16:16:53 +00:00
Simon Butcher
3ea1af214c Clarify ChangeLog for #569 2017-02-28 20:30:07 +00:00
Janos Follath
8dbb35ae13 ECP: Prevent freeing a buffer on stack
The function ecp_mod_koblitz computed the space for the result of a
multiplication optimally for that specific case, but unfortunately
the function mbedtls_mpi_mul_mpi performs a generic, suboptimal
calculation and needs one more limb for the result. Since the result's
buffer is on the stack, the best case scenario is that the program
stops.

This only happened on 64 bit platforms.

Fixes #569
2017-02-28 18:56:35 +00:00
Simon Butcher
763e32731a Fix credit in ChangeLog for #722 2017-02-28 17:06:37 +00:00
Andres AG
f4cbe10bce Fix memory leak in mbedtls_x509_crl_parse()
The memory leak call was caused by missing calls to mbedtls_pem_free()
when a MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT error was
encountered.
2017-02-28 17:06:24 +00:00
Janos Follath
5ad4045981 Fix buffer overread in mbedtls_x509_get_time()
A heap overread might happen when parsing malformed certificates.
Reported by Peng Li and Yueh-Hsun Lin.

Refactoring the parsing fixes the problem. This commit applies the
relevant part of the OpenVPN contribution applied to mbed TLS 1.3
in commit 17da9dd829.
2017-02-28 14:17:32 +00:00
Simon Butcher
d352e6dfcc Merge branch 'mbedtls-2.1-iotssl-1071-ca-flags'
Fixes a regression introduced by an earlier commit that modified
x509_crt_verify_top() to ensure that valid certificates that are after past or
future valid in the chain are processed. However the change introduced a change
in behaviour that caused the verification flags MBEDTLS_X509_BADCERT_EXPIRED and
MBEDTLS_BADCERT_FUTURE to always be set whenever there is a failure in the
verification regardless of the cause.

The fix maintains both behaviours:

 * Ensure that valid certificates after future and past are verified
 * Ensure that the correct verification flags are set.
2017-02-27 20:24:55 +00:00
Simon Butcher
e4b3df5824 Fix formatting in ChangeLog 2017-02-26 02:01:22 +00:00
Simon Butcher
f26f0e3d02 Merge branch 'mbedtls-2.1-iotssl-1077-dos-crl'
Modifies the function mbedtls_x509_crl_parse() to ensure that a CRL in PEM
format with trailing characters after the footer does not result in the
execution of an infinite loop.
2017-02-26 01:31:47 +00:00
Andres AG
c89250913f Fix data loss in unsigned int cast in PK
This patch introduces some additional checks in the PK module for 64-bit
systems only. The problem is that the API functions in the PK
abstraction accept a size_t value for the hashlen, while the RSA module
accepts an unsigned int for the hashlen. Instead of silently casting
size_t to unsigned int, this change checks whether the hashlen overflows
an unsigned int and returns an error.
2017-02-25 20:37:43 +00:00
Simon Butcher
ef3d4e4365 Add credit to Changelog for #562 2017-02-25 20:10:05 +00:00
Simon Butcher
0f86294953 Clarify fix for #673 in Changelog
Clarified fix, and added credit.
2017-02-25 20:08:53 +00:00
Andres AG
8efc769647 Fix renegotiation at incorrect times in DTLS
Fix an incorrect condition in ssl_check_ctr_renegotiate() that compared
64 bits of record counter instead of 48 bits as described in RFC 6347
Section 4.3.1. This would cause the function's return value to be
occasionally incorrect and the renegotiation routines to be triggered
at unexpected times.
2017-02-25 20:07:38 +00:00
Andres AG
480a958e54 Fix unused variable/function compilation warnings
This PR fixes a number of unused variable/function compilation warnings
that arise when using a config.h that does not define the macro
MBEDTLS_PEM_PARSE_C.
2017-02-25 19:48:32 +00:00
Andres AG
13945f6665 Fix redefinition of macro ssl_set_bio
Fix redefinition of macro ssl_set_bio to undefined symbol
mbedtls_ssl_set_bio_timeout in compat-1.3.h.
2017-02-25 19:45:38 +00:00
Andres AG
d00d3e250e Fix integer overflow in mbedtls_base64_decode()
Fix potential integer overflows in the function mbedtls_base64_decode().
This overflow would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-20 21:51:18 +00:00
Andres Amaya Garcia
ef1329e4af Fix integer overflows in buffer bound checks
Fix potential integer overflows in the following functions:
  * mbedtls_md2_update() to be bypassed and cause
  * mbedtls_cipher_update()
  * mbedtls_ctr_drbg_reseed()
This overflows would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
2017-02-20 21:49:01 +00:00
Andres AG
8136e824b3 Fix verify out flags from x509_crt_verify_top()
This change fixes a regression introduced by an earlier commit that
modified x509_crt_verify_top() to ensure that valid certificates
that are after past or future valid in the chain are processed. However
the change introduced a change in behaviour that caused the
verification flags MBEDTLS_X509_BADCERT_EXPIRED and
MBEDTLS_BADCERT_FUTURE to always be set whenever there is a failure in
the verification regardless of the cause.

The fix maintains both behaviours:
  * Ensure that valid certificates after future and past are verified
  * Ensure that the correct verification flags are set.

To do so, a temporary pointer to the first future or past valid
certificate is maintained while traversing the chain. If a truly valid
certificate is found then that one is used, otherwise if no valid
certificate is found and the end of the chain is reached, the program
reverts back to using the future or past valid certificate.
2017-01-20 16:38:15 +00:00
Andres AG
7cd7cf0ebe Fix CRL parsing to avoid infinite loop
This patch modifies the function mbedtls_x509_crl_parse() to ensure
that a CRL in PEM format with trailing characters after the footer does
not result in the execution of an infinite loop.
2017-01-19 16:47:59 +00:00
Andres AG
d5d6a3054b Add tests for overreads in pem_read_buffer() 2016-11-21 11:09:47 +00:00
Andres AG
c6559722f2 Fix buffer overreads in mbedtls_pem_read_buffer() 2016-11-21 11:09:38 +00:00
Simon Butcher
016a0d3b6f Update library version number to 2.1.6 2016-10-17 15:44:26 +01:00
Simon Butcher
35d0d94f5b Merge branch 'mbedtls-2.1' 2016-10-17 13:07:32 +01:00
Simon Butcher
a978fac02b Merge branch 'mbedtls-2.1' 2016-10-17 12:16:27 +01:00
Simon Butcher
657c010884 Tidied up style and phrasing of ChangeLog 2016-10-16 00:18:54 +01:00
Simon Butcher
c83f470eb8 Update Changelog for issue #502 2016-10-14 01:04:51 +01:00
Simon Butcher
72388387c0 Merge branch for fix for #502 - Unchecked calls
Conflicts:
	ChangeLog
2016-10-14 01:03:11 +01:00
Simon Butcher
8ee9d7658c Update to Changelog for #626 2016-10-13 16:30:19 +01:00
Andres AG
53d77130fc Add check for validity of date in x509_get_time() 2016-10-13 16:24:12 +01:00
Andres AG
6220ecbc48 Fix overread when verifying SERVER_HELLO in DTLS 2016-10-13 15:43:46 +01:00
Simon Butcher
8390e0a97c Update and clean up Changelog for #622 2016-10-13 15:27:09 +01:00
Andres AG
6a3fa2159c Fix sig->tag update in mbedtls_x509_get_sig() 2016-10-13 15:23:35 +01:00
Simon Butcher
d9d0cda9fe Merge branch 'mbedtls-2.1' 2016-10-13 10:35:52 +01:00
Janos Follath
0be55a0549 Remove MBEDTLS_SSL_AEAD_RANDOM_IV feature
In a USENIX WOOT '16 paper the authors warn about a security risk
of random Initialisation Vectors (IV) repeating values.

The MBEDTLS_SSL_AEAD_RANDOM_IV feature is affected by this risk and
it isn't compliant with RFC5116. Furthermore, strictly speaking it
is a different cipher suite from the TLS (RFC5246) point of view.

Removing the MBEDTLS_SSL_AEAD_RANDOM_IV feature to resolve the above
problems.

Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky and Philipp
Jovanovic, "Nonce-Disrespecting Adversaries: Practical Forgery Attacks
on GCM in TLS", USENIX WOOT '16
2016-10-13 10:35:34 +01:00
Simon Butcher
759b5a1286 Added credit to Changelog for fix #558 2016-10-13 01:00:19 +01:00
Janos Follath
95b303648c Restore P>Q in RSA key generation (#558)
The PKCS#1 standard says nothing about the relation between P and Q
but many libraries guarantee P>Q and mbed TLS did so too in earlier
versions.

This commit restores this behaviour.
2016-10-13 00:58:09 +01:00
Simon Butcher
6f066a8636 Clarified Changelog for fix #602 2016-10-12 19:54:24 +01:00
Andres AG
6c05208f96 Fix documentation for mbedtls_gcm_finish()
Fix implementation and documentation missmatch for the function
arguments to mbedtls_gcm_finish(). Also, removed redundant if condition
that always evaluates to true.
2016-10-12 19:54:07 +01:00
Simon Butcher
d5e33f14df Updated Changelog for fix #599 2016-10-12 17:49:11 +01:00
Andres AG
fbd1cd9d57 Fix 1 byte overread in mbedtls_asn1_get_int() 2016-10-12 17:45:29 +01:00
Simon Butcher
73b94e3512 Added credit to Changelog for X.509 DER bounds fix 2016-10-11 16:53:10 +01:00
Andres AG
effb5582dd Add test for bounds in X509 DER write funcs 2016-10-11 16:52:06 +01:00
Andres AG
8aa301ba31 Add missing bounds check in X509 DER write funcs
This patch adds checks in both mbedtls_x509write_crt_der and
mbedtls_x509write_csr_der before the signature is written to buf
using memcpy().
2016-10-11 16:52:06 +01:00
Simon Butcher
4bbd8e1ad8 Revise Changelog to clarify and add credit 2016-10-11 10:42:05 +01:00
Simon Butcher
17cbca370f Update Changelog for fixes to X.509 sample apps 2016-10-11 10:40:43 +01:00
Simon Butcher
b89a653005 Update Changelog for fix #559 2016-10-11 10:40:42 +01:00
Janos Follath
433d4c84b3 Add safety check to sample mutex implementation
Due to inconsistent freeing strategy in pkparse.c the sample mutex
implementation in threading.c could lead to undefined behaviour by
destroying the same mutex several times.

This fix prevents mutexes from being destroyed several times in the
sample threading implementation.
2016-10-11 10:40:42 +01:00
Simon Butcher
4ed1c00f10 Update Changelog for fixes to X.509 sample apps 2016-10-10 09:45:30 +01:00