Commit Graph

4756 Commits

Author SHA1 Message Date
Gilles Peskine
31a2d14b92 RSA PSS: fix first byte check for keys of size 8N+1
For a key of size 8N+1, check that the first byte after applying the
public key operation is 0 (it could have been 1 instead). The code was
incorrectly doing a no-op check instead, which led to invalid
signatures being accepted. Not a security flaw, since you would need the
private key to craft such an invalid signature, but a bug nonetheless.
2017-10-19 15:43:53 +02:00
Gilles Peskine
9e2058281d RSA PSS: fix minimum length check for keys of size 8N+1
The check introduced by the previous security fix was off by one. It
fixed the buffer overflow but was not compliant with the definition of
PSS which technically led to accepting some invalid signatures (but
not signatures made without the private key).
2017-10-18 19:06:50 +02:00
Gilles Peskine
d0cd855145 RSA: Fix another buffer overflow in PSS signature verification
Fix buffer overflow in RSA-PSS signature verification when the masking
operation results in an all-zero buffer. This could happen at any key size.
2017-10-17 19:19:55 +02:00
Gilles Peskine
5c3247120f RSA: Fix buffer overflow in PSS signature verification
Fix buffer overflow in RSA-PSS signature verification when the hash is
too large for the key size. Found by Seth Terashima, Qualcomm.

Added a non-regression test and a positive test with the smallest
permitted key size for a SHA-512 hash.
2017-10-17 19:16:14 +02:00
Hanno Becker
469e93c0f6 Add warning on the use of RFC 5114 primes 2017-10-16 09:21:33 +01:00
Hanno Becker
e27543dee1 Adapt ChangeLog 2017-10-13 16:54:58 +01:00
Hanno Becker
80e0d46062 Use 2048-bit DHE parameters from RFC 3526 instead of 5114 by default
The parameters from RFC 5114 are not considered trustworthy, while those from
RFC 3526 have been generated in a nothing-up-my-sleeve manner.
2017-10-13 16:51:54 +01:00
Andres Amaya Garcia
fe7fd6e8dc Fix typo in asn1.h 2017-10-12 22:42:04 +01:00
Andres Amaya Garcia
b1d78fcf70 Improve leap year test names in x509parse.data 2017-10-12 21:03:15 +01:00
Andres Amaya Garcia
bc041130b0 Correctly handle leap year in x509_date_is_valid()
This patch ensures that invalid dates on leap years with 100 or 400
years intervals are handled correctly.
2017-10-12 21:03:01 +01:00
Janos Follath
5f1dd80eaf Renegotiation: Add tests for SigAlg ext parsing
This commit adds regression tests for the bug when we didn't parse the
Signature Algorithm extension when renegotiating. (By nature, this bug
affected only the server)

The tests check for the fallback hash (SHA1) in the server log to detect
that the Signature Algorithm extension hasn't been parsed at least in
one of the handshakes.

A more direct way of testing is not possible with the current test
framework, since the Signature Algorithm extension is parsed in the
first handshake and any corresponding debug message is present in the
logs.
2017-10-11 13:58:17 +01:00
Ron Eldor
bac9d4d90f Parse Signature Algorithm ext when renegotiating
Signature algorithm extension was skipped when renegotiation was in
progress, causing the signature algorithm not to be known when
renegotiating, and failing the handshake. Fix removes the renegotiation
step check before parsing the extension.
2017-10-11 13:58:08 +01:00
Hanno Becker
8379554b24 Correct typo: PBDFK -> PBKDF 2017-10-06 14:37:35 +01:00
Hanno Becker
0d0422cbd0 Unify naming schemes for RSA keys 2017-10-06 14:09:58 +01:00
Hanno Becker
59ce0a7635 Improve documentation in pkparse.c
State explicitly that `pk_parse_pkcs8_undencrypted_der` and `pk_parse_key_pkcs8_encrypted_der` are not responsible for
zeroizing and freeing the provided key buffer.
2017-10-06 14:09:47 +01:00
Hanno Becker
0c104b19e4 Fix typo 2017-10-06 14:05:23 +01:00
Hanno Becker
82027c1cd9 Don't use all_final as a target in tests/data_files/Makefile
The `neat` target in that Makefile assumes all_final to be a concatenation of
file names.
2017-10-06 14:05:13 +01:00
Hanno Becker
734b6d4527 Add suffix for 1024-bit RSA key files
Previously, 2048-bit and 4096-bit RSA key files had their bitsize indicated in their filename, while the original
1024-bit keys hadn't. This commit unifies the naming scheme by always indicating the bitsize in the filename.
2017-10-06 14:05:04 +01:00
Hanno Becker
f5b1ea3707 Correct Makefile in tests/data_files
The documentation of the target `all_final` was no longer accurate, and numerous non-file targets were missing in the
.PHONY section.
2017-10-06 14:04:54 +01:00
Hanno Becker
f700a71acb Add further tests for DER-encoded PKCS8-v2-DES encrypted RSA keys
For uniformity, this commit adds tests for DER encoded PKCS8-v2-DES encrypted RSA keys that were already present for
PKCS8-v2-3DES encrypted RSA keys.
2017-10-06 14:04:22 +01:00
Hanno Becker
5e568e225a Add further tests for new RSA keys
For uniformity, this commit adds tests for DER encoded, SHA1-2DES and SHA1-RC4-128-encrypted RSA keys; for SHA1-3DES encrypted keys, these were already present.
2017-10-06 14:04:15 +01:00
Hanno Becker
dca50813e9 Update keyfiles
This commit replaces the previous keyfiles with those generated by the commands added in the previous commit.
2017-10-06 14:04:02 +01:00
Hanno Becker
9c22f5904a Add RSA key generation commands to test Makefile
This commit adds the commands used to generate the various RSA keys to tests/Makefile so that they can be easily
regenerated or modified, e.g. if larger key sizes or other encryption algorithms need to be tested in the future.
2017-10-06 14:03:53 +01:00
Hanno Becker
570238e008 Fix typo in pkparse.c 2017-10-06 14:03:45 +01:00
Hanno Becker
0642ed4e45 Add tests for encrypted 2048 and 4096-bit RSA keys 2017-10-06 14:03:24 +01:00
Hanno Becker
ffa7a33ee4 Adapt ChangeLog 2017-10-05 09:08:06 +01:00
Hanno Becker
cdba5cdcb9 Improve output on bad cmd line args in programs/x509/cert_write 2017-10-04 14:54:17 +01:00
Hanno Becker
bc7cbbacd8 Use X509 CRT version macros for version checks in x509write_crt_der 2017-10-04 14:52:21 +01:00
Hanno Becker
37de7755fb Fix error code printing in cert_write
Error codes can consume up to two bytes, but only one was printed so far.
2017-10-04 14:52:13 +01:00
Hanno Becker
54d6c5bea2 Use X509 CRT version macros in cert_write program 2017-10-04 14:51:55 +01:00
Hanno Becker
4f4864a245 Fix senseless comment 2017-10-04 14:51:47 +01:00
Hanno Becker
7de3ff36df Minor style and typo corrections 2017-10-04 14:51:32 +01:00
Hanno Becker
2b6c3f655a Extend tests/data_files/Makefile to include CRT's for CRT write test 2017-10-04 14:36:38 +01:00
Hanno Becker
781af0d60c Extend cert_write example program by multiple cmd line options
This commit adds the following command line options to programs/x509/cert_write:
- version (val 1, 2, 3): Set the certificate's version (v1, v2, v3)
- authority_identifier (val 0, 1): Enable or disable the addition of the
                                   authority identifier extension.
- subject_identifier (val 0, 1): Enable or disable the addition of the
                                 subject identifier extension.
- basic_constraints (val 0, 1): Enable or disable the addition of the
                                basic constraints extension.
- md (val MD5, SHA1, SHA256, SHA512): Set the hash function used
                                      when creating the CRT.
2017-10-04 14:35:34 +01:00
Hanno Becker
c4cd8c64cd Don't add extensions for X.509 non-v3 certificates
This commit removes extension-writing code for X.509 non-v3 certificates from
mbedtls_x509write_crt_der. Previously, even if no extensions were present an
empty sequence would have been added.
2017-10-04 14:34:14 +01:00
Hanno Becker
e3af3afd5a Omit version from X.509 v1 certificates
The version field in an X.509 certificate is optional and defaults to v1, so it
may be omitted in this case.
2017-10-04 14:34:02 +01:00
Hanno Becker
0ca15967d1 Don't allocate space for DTLS header if DTLS is disabled 2017-10-04 14:15:53 +01:00
Hanno Becker
6e052b0fbe Improve debugging output 2017-10-04 14:15:53 +01:00
Hanno Becker
fbaeea4693 Adapt ChangeLog 2017-10-04 14:15:53 +01:00
Hanno Becker
0983dc49d6 Add run-time check for handshake message size in ssl_write_record 2017-10-04 14:15:30 +01:00
Hanno Becker
aede183630 Add run-time check for record content size in ssl_encrypt_buf 2017-10-04 14:15:30 +01:00
Hanno Becker
6499bedfa8 Add compile-time checks for size of record content and payload 2017-10-04 14:15:30 +01:00
Simon Butcher
5d39aceb04 Fix changelog for ssl_server2.c usage fix 2017-10-02 19:17:57 +01:00
Ron Eldor
bd25784474 Fix ssl_server2 sample application prompt
FIx the type of server_addr parameter from %d to %s.
Issue reported by Email by Bei Jin
2017-10-02 19:17:48 +01:00
Gilles Peskine
e38900b1a1 Allow comments in test data files 2017-10-02 11:26:09 +02:00
Simon Butcher
72e9ba2ce3 Update ChangeLog for fix to #836 2017-09-30 23:51:44 +01:00
Hanno Becker
c7845e51f3 Enhance documentation of ssl_write_hostname_ext, adapt ChangeLog.
Add a reference to the relevant RFC, adapt ChangeLog.
2017-09-30 23:49:01 +01:00
Hanno Becker
7891da28ea Enhance documentation of mbedtls_ssl_set_hostname
(1) Add missing error condition
(2) Specify allowance and effect of of NULL hostname parameter
(3) Describe effect of function on failure
2017-09-30 23:48:01 +01:00
Hanno Becker
b974e98b12 Add test case calling ssl_set_hostname twice
Add a test case calling ssl_set_hostname twice to test_suite_ssl.
When run in CMake build mode ASan, this catches the current leak,
but will hopefully be fine with the new version.
2017-09-30 23:47:44 +01:00
Hanno Becker
593b0d33f6 Make mbedtls_ssl_set_hostname safe to be called multiple times
Zeroize and free previously set hostnames before overwriting
them. Also, allow clearance of hostname by providing NULL parameter.
2017-09-30 23:47:34 +01:00