Commit Graph

4594 Commits

Author SHA1 Message Date
Gilles Peskine
7344e1bd05 SHA-1 deprecation: allow it in key exchange
By default, keep allowing SHA-1 in key exchange signatures. Disabling
it causes compatibility issues, especially with clients that use
TLS1.2 but don't send the signature_algorithms extension.

SHA-1 is forbidden in certificates by default, since it's vulnerable
to offline collision-based attacks.
2017-06-06 19:09:02 +02:00
Gilles Peskine
db56acae43 Allow SHA-1 in server tests, when the signature_algorithm extension is not used 2017-06-06 19:08:23 +02:00
Gilles Peskine
9bb4f2835c Document test data makefile 2017-06-06 19:08:23 +02:00
Gilles Peskine
e7375ef314 X.509 tests: obey compile-time SHA-1 support option
There is now one test case to validate that SHA-1 is rejected in
certificates by default, and one test case to validate that SHA-1 is
supported if MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 is #defined.
2017-06-06 19:08:23 +02:00
Gilles Peskine
35db5bae2c Allow SHA-1 in test scripts 2017-06-06 19:08:23 +02:00
Gilles Peskine
ae76599686 Test that SHA-1 defaults off
Added tests to validate that certificates signed using SHA-1 are
rejected by default, but accepted if SHA-1 is explicitly enabled.
2017-06-06 19:08:23 +02:00
Gilles Peskine
12c19541a9 Allow SHA-1 in SSL renegotiation tests
In the TLS test client, allow SHA-1 as a signature hash algorithm.
Without this, the renegotation tests failed.

A previous commit had allowed SHA-1 via the certificate profile but
that only applied before the initial negotiation which includes the
signature_algorithms extension.
2017-06-06 19:08:23 +02:00
Gilles Peskine
559674ce48 Test that X.509 verification rejects SHA-256 by default 2017-06-06 19:08:23 +02:00
Gilles Peskine
dd57d75dfa Allow SHA-1 in X.509 and TLS tests
SHA-1 is now disabled by default in the X.509 layer. Explicitly enable
it in our tests for now. Updating all the test data to SHA-256 should
be done over time.
2017-06-06 19:08:23 +02:00
Gilles Peskine
5877c27846 X.509 self-tests: replaced SHA-1 certificates by SHA-256 2017-06-06 19:08:23 +02:00
Gilles Peskine
83ed596d62 Added SHA256 test certificates
With SHA-1 deprecation, we need a few certificates using algorithms in
the default support list. Most tests still use SHA-1 though.

The generation process for the new certificates is recorded in the makefile.
2017-06-06 19:08:23 +02:00
Gilles Peskine
955738a4f2 Remove SHA-1 in TLS by default
Default to forbidding the use of SHA-1 in TLS where it is unsafe: for
certificate signing, and as the signature hash algorithm for the TLS
1.2 handshake signature. SHA-1 remains allowed in HMAC-SHA-1 in the
XXX_SHA ciphersuites and in the PRF for TLS <= 1.1.

For easy backward compatibility for use in controlled environments,
turn on the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 compiled-time option.
2017-06-06 19:08:19 +02:00
Manuel Pégourié-Gonnard
cd6e4d5bcc Merge remote-tracking branch 'restricted/mbedtls-2.1' into mbedtls-2.1
* restricted/mbedtls-2.1:
  Remove obsolete macros from compat-1.3.h
  Add fix for #667 to ChangeLog
  Fix bug in threading sample implementation #667
  Fix check-doxy-blocks.pl to run from root dir
  RSA: wipe more stack buffers
  RSA: wipe stack buffers
2017-06-06 18:23:05 +02:00
Manuel Pégourié-Gonnard
61946d2c68 Merge remote-tracking branch 'hanno/iotssl-1241-backport-2.1' into mbedtls-2.1
* hanno/iotssl-1241-backport-2.1:
  Improve documentation
  Split long lines.
  Remember suitable hash function for any signature algorithm.
  Introduce macros and functions to characterize certain ciphersuites.
2017-06-06 18:21:01 +02:00
Manuel Pégourié-Gonnard
6820eba2bb Merge branch 'iotssl-1272-fix-RSA-cache-attack-2.1-restricted' into mbedtls-2.1
* iotssl-1272-fix-RSA-cache-attack-2.1-restricted:
  Add Changelog entry for RSA exponent blinding
  Add exponent blinding to RSA with CRT
  Add exponent blinding to RSA without CRT
2017-06-06 16:12:33 +02:00
Andres AG
53a8e869aa Add negative testing for mbedtls_pem_read_buffer() 2017-05-30 17:01:42 +01:00
Andres AG
705cc65011 Add missing ret code checks in PEM module
Add missing return code checks in the functions pem_des_decrypt(),
pem_3des_decrypt() and pem_aes_decrypt() so that the calling function
mbedtls_pem_read_buffer() is notified of errors reported by the crypto
primitives AES, DES and 3DES.
2017-05-30 16:58:28 +01:00
Hanno Becker
032aec0523 Improve documentation 2017-05-24 11:04:54 +01:00
Hanno Becker
118848fd77 Split long lines. 2017-05-24 11:04:54 +01:00
Hanno Becker
aa8a2bd05a Remember suitable hash function for any signature algorithm.
This commit changes `ssl_parse_signature_algorithms_ext` to remember
one suitable ( := supported by client and by our config ) hash
algorithm per signature algorithm.

It also modifies the ciphersuite checking function
`ssl_ciphersuite_match` to refuse a suite if there
is no suitable hash algorithm.

Finally, it adds the corresponding entry to the ChangeLog.
2017-05-24 11:04:50 +01:00
Hanno Becker
b3e6872c93 Introduce macros and functions to characterize certain ciphersuites.
The routine `mbedtls_ssl_write_server_key_exchange` heavily depends on
what kind of cipher suite is active: some don't need a
ServerKeyExchange at all, some need (EC)DH parameters but no server
signature, some require both. Each time we want to restrict a certain
piece of code to some class of ciphersuites, it is guarded by a
lengthy concatentation of configuration checks determining whether at
least one of the relevant cipher suites is enabled in the config; on
the code level, it is guarded by the check whether one of these
cipher suites is the active one.

To ease readability of the code, this commit introduces several helper
macros and helper functions that can be used to determine whether a
certain class of ciphersuites (a) is active in the config, and
(b) contains the currently present ciphersuite.
2017-05-24 10:54:17 +01:00
Gilles Peskine
39e2981b22 Fix FALLBACK_SCSV parsing
Fixed a bug in ssl_srv.c when parsing TLS_FALLBACK_SCSV in the
ciphersuite list that caused it to miss it sometimes. Reported by Hugo
Leisink as issue #810. Fix initially by @andreasag01; this commit
isolates the bug fix and adds a non-regression test.
2017-05-16 18:03:02 +02:00
Andres Amaya Garcia
71e37e1205 Remove obsolete macros from compat-1.3.h 2017-05-15 13:23:22 +01:00
Simon Butcher
67746c35c7 Add fix for #667 to ChangeLog 2017-05-15 13:23:22 +01:00
Janos Follath
1cdf0fd2d5 Fix bug in threading sample implementation #667 2017-05-15 13:22:51 +01:00
Andres Amaya Garcia
83da724616 Fix check-doxy-blocks.pl to run from root dir
Modify tests/scripts/check-doxy-blocks.pl to ensure that:
  * It can only be run from the mbed TLS root directory.
  * An error code is returned to the environment when a potential error
    in the source code is found.
2017-05-15 13:22:51 +01:00
Andres Amaya Garcia
b9dee359b4 Remove obsolete macros from compat-1.3.h 2017-05-15 11:48:49 +01:00
Simon Butcher
93d0f4b0c3 Add fix for #667 to ChangeLog 2017-05-15 11:24:22 +01:00
Janos Follath
702dcd0ef4 Fix bug in threading sample implementation #667 2017-05-15 11:17:34 +01:00
Andres Amaya Garcia
d8fcfe7850 Fix check-doxy-blocks.pl to run from root dir
Modify tests/scripts/check-doxy-blocks.pl to ensure that:
  * It can only be run from the mbed TLS root directory.
  * An error code is returned to the environment when a potential error
    in the source code is found.
2017-05-13 19:22:03 +01:00
Hanno Becker
89bf0a7905 Backup errno in net_would_block
Safe and restore the value of errno in net_would_block to be sure
it's not affected by the guarding call to fcntl. Fixes #845.
2017-05-12 15:04:07 +01:00
Hanno Becker
4195e80649 Fix potential stack underflow in mpi_read_file.
When provided with an empty line, mpi_read_file causes a numeric
underflow resulting in a stack underflow. This commit fixes this and
adds some documentation to mpi_read_file.
2017-05-12 07:21:37 +01:00
Manuel Pégourié-Gonnard
230ee31a54 RSA PKCS1v1.5 verification: check padding length
The test case was generated by modifying our signature code so that it
produces a 7-byte long padding (which also means garbage at the end, so it is
essential to check that the error that is detected first is indeed the
padding rather than the final length check).
2017-05-11 13:33:13 +02:00
Hanno Becker
b18f9e83bc Adapt ChangeLog 2017-05-11 11:24:20 +01:00
Hanno Becker
2938ccbdd8 Abort modular inversion when modulus is one.
The modular inversion function hangs when provided with the modulus 1. This commit refuses this modulus with a BAD_INPUT error code. It also adds a test for this case.
2017-05-11 11:23:48 +01:00
Hanno Becker
2a8d655664 Correct sign in modular exponentiation algorithm.
The modular exponentiation function  handled the sign incorrectly. This commit fixes this and a test case which should have caught it.
2017-05-11 11:23:48 +01:00
Janos Follath
4477bcabc3 Add Changelog entry for RSA exponent blinding 2017-05-11 10:58:24 +02:00
Janos Follath
9ef9f1099f Add exponent blinding to RSA with CRT
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of different measurements.

This commit handles the case when the Chinese Remainder Theorem is used
to accelerate the computation.
2017-05-11 10:55:54 +02:00
Janos Follath
578517d459 Add exponent blinding to RSA without CRT
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of different measurements.

This commits handles the case when the Chinese Remainder Theorem is NOT
used to accelerate computations.
2017-05-11 10:54:56 +02:00
Gilles Peskine
74fd868ca6 RSA: wipe more stack buffers
MGF mask and PSS salt are not highly sensitive, but wipe them anyway
for good hygiene.
2017-05-05 19:28:38 +02:00
Gilles Peskine
bd90851688 More length checks in RSA PKCS1v15 verify
Added one check that I'd missed, and made the style more uniform.

Backport to 2.1.
2017-05-04 12:54:36 +02:00
Gilles Peskine
fd8f79d89f More length checks in RSA PKCS1v15 verify
Tighten ASN.1 parsing of RSA PKCS#1 v1.5 signatures, to avoid a
potential Bleichenbacher-style attack.

Backport to 2.1.x
2017-05-03 18:45:15 +02:00
Gilles Peskine
8877ec23a3 RSA: wipe stack buffers
The RSA private key functions rsa_rsaes_pkcs1_v15_decrypt and
rsa_rsaes_oaep_decrypt put sensitive data (decryption results) on the
stack. Wipe it before returning.

Thanks to Laurent Simon for reporting this issue.
2017-03-23 15:29:45 +01:00
Simon Butcher
63a48d10e9 Merge branch 'mbedtls-2.1' 2017-03-10 19:02:58 +00:00
Simon Butcher
2323477699 Update version number to 2.1.7 for release 2017-03-08 16:29:31 +00:00
Simon Butcher
340bb1bab1 Added missing credit to ChangeLog for #555 2017-03-08 11:16:35 +00:00
Simon Butcher
bd6882b866 Corrected attibution in Changelog 2017-03-07 12:42:55 +00:00
Andres AG
e0545c30dd Fix buffer overflow in mbedtls_mpi_write_string()
Fix a buffer overflow when writting a string representation of an MPI
number to a buffer in hexadecimal. The problem occurs because hex
digits are written in pairs and this is not accounted for in the
calculation of the required buffer size when the number of digits is
odd.
2017-03-02 22:58:05 +00:00
Andres AG
46efbff2c1 Fix failing pkparse test case
The first three test cases from test_suites_pkparse.data failed because
the key file they read requires DES to be read. However, MBEDTLS_DES_C
was missing from the dependency list.
2017-03-02 21:11:16 +00:00
Ron Eldor
8c5385e150 Backport 2.1:Resource leak in ssl_cookie and mutex
When using ssl_cookie with MBEDTLS_THREADING_C, fix a resource leak caused by
initiating a mutex in mbedtls_ssl_cookie_free instead of freeing it.
Raised and fix suggested by lan Gillingham in the mbed TLS forum
Tracked in #771
2017-03-02 21:11:16 +00:00