Commit Graph

3578 Commits

Author SHA1 Message Date
Ron Eldor
1d260545fc Minor: Fix typo in program comments
Fix a typo in some reference program applications
2017-07-19 23:44:21 +02:00
Simon Butcher
573bb96416 Improve documentation of PKCS1 decryption functions
Document the preconditions on the input and output buffers for
the PKCS1 decryption functions
 - mbedtls_rsa_pkcs1_decrypt,
 - mbedtls_rsa_rsaes_pkcs1_v15_decrypt
  - mbedtls_rsa_rsaes_oaep_decrypt
2017-07-19 01:58:47 +01:00
Andres Amaya Garcia
5c91270653 Fix Makefile find regular expression 2017-07-13 09:29:30 +01:00
Andres Amaya Garcia
2d829fb4b3 Zeroize buf if mbedtls_base64_decode() fails 2017-07-12 11:04:28 +01:00
Andres Amaya Garcia
1bfa46a456 Zeroize tmp buffer in entropy_update() 2017-07-12 11:04:28 +01:00
Andres Amaya Garcia
af134da17e Add ChangeLog entry for buf zeroize 2017-07-12 11:04:28 +01:00
Andres Amaya Garcia
c0dc5b5d3b Zeroize tmp buf in ctr_drbg_write_seed_file() 2017-07-12 11:04:28 +01:00
Andres Amaya Garcia
f4660aaf4c Zeroize heap buf on failure in pem.c 2017-07-12 11:04:18 +01:00
Andres Amaya Garcia
a0ae1db2f7 Zeroize buffers in various modules 2017-07-12 10:51:22 +01:00
Andres Amaya Garcia
c381444c7f Zeroize tmp buf in mbedtls_mpi_fill_random() 2017-07-12 10:44:50 +01:00
Andres Amaya Garcia
dd471788d8 Zeroize tmp bufs in ctr_drbg.c functions 2017-07-12 10:43:11 +01:00
Andres Amaya Garcia
ff13995812 Zeroize return buf on failure in pkparse.c 2017-07-12 10:38:12 +01:00
Andres Amaya Garcia
beb42837ac Zeroize tmp bufs in hmac_drbg.c functions 2017-07-12 10:36:30 +01:00
Andres Amaya Garcia
fa6fa6850e Zeroize tmp bufs in entropy.c functions 2017-07-12 10:32:27 +01:00
Andres Amaya Garcia
f148312db4 Zeroize tmp buf on fail in load_file() dhm.c 2017-07-12 10:21:30 +01:00
Andres Amaya Garcia
97818fb2dc Fix project Makefiles to work in Windows
Modify the mbedtls/Makefile and tests/Makefile files to avoid executing
POSIX shell commands. Furthermore, ensure that perl scripts explicitly
invoke the interpreter instead of relying on the environment to read
the shebang and find the interpreter, which can cause failures in
Windows.
2017-07-06 13:09:26 +01:00
Hanno Becker
b2ee6b432e Prevent bounds check bypass through overflow in PSK identity parsing
The check `if( *p + n > end )` in `ssl_parse_client_psk_identity` is
unsafe because `*p + n` might overflow, thus bypassing the check. As
`n` is a user-specified value up to 65K, this is relevant if the
library happens to be located in the last 65K of virtual memory.

This commit replaces the check by a safe version.
2017-06-26 14:11:16 +01:00
Hanno Becker
d1cf6d68cc Prevent clever optimization to prematurely quit loop in safe memcmp
The previous version of `ssl_safer_memcmp` did not qualify the
pointers to the arrays to be compared as volatile, theoretically
opening the possibility for the compiler to notice that the loop
operation `diff |= A[i] ^ B[i]` is pointless if `diff = -1`. This
commit changes this. It also declares the stack variable `diff` as
volatile, to force read and write in every loop; omitting that, the
compiler would still be allowed to get away with reading `A[i]` and
`B[i]` but not doing the XOR and not updating `diff`.
2017-06-26 13:43:34 +01:00
Simon Butcher
8a2855ee3c Update the version number to 1.3.20 2017-06-20 23:46:46 +01:00
Janos Follath
3aab1a8796 Improve Changelog 2017-06-16 14:28:37 +01:00
Manuel Pégourié-Gonnard
7880cb40f4 Merge branch 'mbedtls-1.3' into mbedtls-1.3-restricted
* mbedtls-1.3:
  Remove %zu format string from ssl_client2 and ssl_server2
2017-06-09 17:41:46 +02:00
Manuel Pégourié-Gonnard
8fea6b205a Merge remote-tracking branch 'hanno/remove_format_qualifier_backport-1.3' into mbedtls-1.3
* hanno/remove_format_qualifier_backport-1.3:
  Remove %zu format string from ssl_client2 and ssl_server2
2017-06-09 17:39:51 +02:00
Hanno Becker
569a4f4573 Remove %zu format string from ssl_client2 and ssl_server2 2017-06-09 16:26:04 +01:00
Manuel Pégourié-Gonnard
b870179c3c Merge remote-tracking branch 'restricted/iotssl-1398_backport-1.3' into mbedtls-1.3-restricted
* restricted/iotssl-1398_backport-1.3:
  Add ChangeLog entry
  Ensure application data records are not kept when fully processed
  Add hard assertion to ssl_read_record
  Fix mbedtls_ssl_read
  Simplify retaining of messages for future processing
2017-06-09 17:06:43 +02:00
Manuel Pégourié-Gonnard
249c30c7c5 Merge branch 'mbedtls-1.3' into mbedtls-1.3-restricted
* mbedtls-1.3:
  Add entry to ChangeLog
  Don't parse or write extensions in SSLv3
2017-06-09 16:52:44 +02:00
Hanno Becker
cc608e86b5 Add entry to ChangeLog 2017-06-09 15:40:48 +01:00
Hanno Becker
5745778333 Don't parse or write extensions in SSLv3
In mbed TLS 1.3 a check went missing disabling the use of extensions
in SERVER_HELLO for SSLv3, causing the "SSLv3 with extensions" test
case from ssl-opt.sh to fail. This commit fixes that and adds a dump
of all extensions present in the client hello that the same test case
also checks for.
2017-06-09 15:30:29 +01:00
Manuel Pégourié-Gonnard
6d61e9751b Improve ChangeLog description of X509 MD5 changes 2017-06-09 14:52:09 +02:00
Manuel Pégourié-Gonnard
7d810939b5 Merge remote-tracking branch 'restricted/1205' into mbedtls-1.3-restricted
* restricted/1205:
  Fix name, documentation & location of config flag
  Restrict MD5 in x509 certificates
2017-06-09 14:49:04 +02:00
Manuel Pégourié-Gonnard
67df3e62e7 Merge near-duplicate ChangeLog entries
As agreed with Gilles on the PR discussion page
2017-06-09 14:48:03 +02:00
Hanno Becker
b9c09af596 Add ChangeLog entry 2017-06-09 11:31:43 +01:00
Hanno Becker
0401a3d888 Ensure application data records are not kept when fully processed
This commit fixes the following case: If a client is both expecting a
SERVER_HELLO and has an application data record that's partially
processed in flight (that's the situation the client gets into after
receiving a ServerHelloRequest followed by ApplicationData), a
subsequent call to ssl_read will set keep_current_message = 1
when seeing the unexpected application data, but not reset it to 0
after the application data has been processed. This commit fixes this.
2017-06-09 10:52:45 +01:00
Manuel Pégourié-Gonnard
89306daef5 Fix location of ChangeLog entry
This one was meant to be in the security section, must have been moved while
resolving a merge conflict.
2017-06-08 20:42:33 +02:00
Manuel Pégourié-Gonnard
e0cb1cd68b ChangeLog cosmetics 2017-06-08 20:35:13 +02:00
Manuel Pégourié-Gonnard
ce8f919a58 Merge remote-tracking branch 'restricted/iotssl-1138-rsa-padding-check-1.3-restricted' into mbedtls-1.3-restricted
* restricted/iotssl-1138-rsa-padding-check-1.3-restricted:
  Fix backporting error
  RSA PKCS1v1.5 verification: check padding length
2017-06-08 20:34:40 +02:00
Manuel Pégourié-Gonnard
9105b18f72 Merge remote-tracking branch 'restricted/IOTSSL-1366/mbedtls-1.3' into mbedtls-1.3-restricted
* restricted/IOTSSL-1366/mbedtls-1.3:
  More length checks in RSA PKCS1v15 verify
  More length checks in RSA PKCS1v15 verify
2017-06-08 20:27:19 +02:00
Manuel Pégourié-Gonnard
ca3ff06cea Merge remote-tracking branch 'hanno/mpi_read_file_underflow_backport-1.3' into mbedtls-1.3
* hanno/mpi_read_file_underflow_backport-1.3:
  Fix potential stack underflow in mpi_read_file.
2017-06-08 19:54:29 +02:00
Manuel Pégourié-Gonnard
f1ab79079d Merge remote-tracking branch 'hanno/sliding_exponentiation_backport-1.3' into mbedtls-1.3
* hanno/sliding_exponentiation_backport-1.3:
  Adapt ChangeLog
  Abort modular inversion when modulus is one.
  Correct sign in modular exponentiation algorithm.
2017-06-08 19:53:47 +02:00
Manuel Pégourié-Gonnard
48ed550b92 Fix name, documentation & location of config flag 2017-06-08 17:27:20 +02:00
Hanno Becker
1bf86b7e32 Add hard assertion to ssl_read_record
This commit adds a hard assertion to mbedtls_ssl_read_record
triggering if both ssl->in_hslen and ssl->in_offt are not 0. This
should never happen, and if it does, there's no sensible way of
telling whether the previous message was a handshake or an application
data message.
2017-06-08 15:59:41 +01:00
Hanno Becker
d37839e3fa Fix mbedtls_ssl_read
Don't fetch a new record in mbedtls_ssl_read_record_layer as long as
an application data record is being processed.
2017-06-08 15:59:38 +01:00
Hanno Becker
10699cc96c Simplify retaining of messages for future processing
There are situations in which it is not clear what message to expect
next. For example, the message following the ServerHello might be
either a Certificate, a ServerKeyExchange or a CertificateRequest. We
deal with this situation in the following way: Initially, the message
processing function for one of the allowed message types is called,
which fetches and decodes a new message. If that message is not the
expected one, the function returns successfully (instead of throwing
an error as usual for unexpected messages), and the handshake
continues to the processing function for the next possible message. To
not have this function fetch a new message, a flag in the SSL context
structure is used to indicate that the last message was retained for
further processing, and if that's set, the following processing
function will not fetch a new record.

This commit simplifies the usage of this message-retaining parameter
by doing the check within the record-fetching routine instead of the
specific message-processing routines. The code gets cleaner this way
and allows retaining messages to be used in other situations as well
without much effort. This will be used in the next commits.
2017-06-08 15:41:02 +01:00
Manuel Pégourié-Gonnard
674df30480 Merge remote-tracking branch 'janos/mbedtls-1.3-iotssl-1156-ecdsa-sample-and-doc-clarification' into mbedtls-1.3
* janos/mbedtls-1.3-iotssl-1156-ecdsa-sample-and-doc-clarification:
  Clarify the use of ECDSA API
2017-06-08 10:18:15 +02:00
Manuel Pégourié-Gonnard
eebc0aaded Merge remote-tracking branch 'hanno/iotssl-1341-optional-certificate-verification-needs-ca-chain_backport-1.3' into mbedtls-1.3
* hanno/iotssl-1341-optional-certificate-verification-needs-ca-chain_backport-1.3:
  Add tests for missing CA chains and bad curves.
  Fix implementation of VERIFY_OPTIONAL verification mode
2017-06-08 10:01:19 +02:00
Janos Follath
5d96a3dcde Clarify the use of ECDSA API
In the ecdsa.c sample application we don't use hashing, we use ecdsa
directly on a buffer containing plain text. Although the text explains
that it should be the message hash it still can be confusing.

Any misunderstandings here are potentially very dangerous, because ECDSA
truncates the message hash if necessary and this can lead to trivial
signature forgeries if the API is misused and the message is passed
directly to the function without hashing.

This commit adds a hash computation step to the ecdsa.c sample
application and clarification to the doxygen documentation of the
ECDSA functions involved.
2017-06-07 17:05:00 +01:00
Hanno Becker
6fd6d248ae Add tests for missing CA chains and bad curves.
This commit adds four tests to tests/ssl-opt.sh:
(1) & (2): Check behaviour of optional/required verification when the
trusted CA chain is empty.
(3) & (4): Check behaviour of optional/required verification when the
client receives a server certificate with an unsupported curve.
2017-06-07 11:40:44 +01:00
Hanno Becker
888c2fde60 Fix implementation of VERIFY_OPTIONAL verification mode
This commit changes the behaviour of mbedtls_ssl_parse_certificate
to make the two authentication modes SSL_VERIFY_REQUIRED and
SSL_VERIFY_OPTIONAL be in the following relationship:

    Mode == SSL_VERIFY_REQUIRED
<=> Mode == SSL_VERIFY_OPTIONAL + check verify result

Also, it changes the behaviour to perform the certificate chain
verification even if the trusted CA chain is empty. Previously, the
function failed in this case, even when using optional verification,
which was brought up in #864.
2017-06-07 11:35:05 +01:00
Ron Eldor
a9ec0cd77f Restrict MD5 in x509 certificates
Remove support for X509 certificates signed with MD5.
Issue raised by Harm Verhagen
2017-06-07 10:58:36 +03:00
Manuel Pégourié-Gonnard
bbcef7e2c5 Merge remote-tracking branch 'gilles/iotssl-1223/mbedtls-1.3' into mbedtls-1.3
* gilles/iotssl-1223/mbedtls-1.3:
  More tests of FALLBACK_SCSV
2017-06-06 20:13:15 +02:00
Manuel Pégourié-Gonnard
2634aa999d Merge remote-tracking branch 'restricted/mbedtls-1.3' into mbedtls-1.3
* restricted/mbedtls-1.3:
  RSA: wipe more stack buffers
  RSA: wipe stack buffers
2017-06-06 18:26:32 +02:00